xref: /openbmc/linux/net/bluetooth/hci_event.c (revision 2359ccdd)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
4 
5    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6 
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License version 2 as
9    published by the Free Software Foundation;
10 
11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 
20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22    SOFTWARE IS DISCLAIMED.
23 */
24 
25 /* Bluetooth HCI event handling. */
26 
27 #include <asm/unaligned.h>
28 
29 #include <net/bluetooth/bluetooth.h>
30 #include <net/bluetooth/hci_core.h>
31 #include <net/bluetooth/mgmt.h>
32 
33 #include "hci_request.h"
34 #include "hci_debugfs.h"
35 #include "a2mp.h"
36 #include "amp.h"
37 #include "smp.h"
38 
39 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
40 		 "\x00\x00\x00\x00\x00\x00\x00\x00"
41 
42 /* Handle HCI Event packets */
43 
44 static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb)
45 {
46 	__u8 status = *((__u8 *) skb->data);
47 
48 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
49 
50 	if (status)
51 		return;
52 
53 	clear_bit(HCI_INQUIRY, &hdev->flags);
54 	smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
55 	wake_up_bit(&hdev->flags, HCI_INQUIRY);
56 
57 	hci_dev_lock(hdev);
58 	/* Set discovery state to stopped if we're not doing LE active
59 	 * scanning.
60 	 */
61 	if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
62 	    hdev->le_scan_type != LE_SCAN_ACTIVE)
63 		hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
64 	hci_dev_unlock(hdev);
65 
66 	hci_conn_check_pending(hdev);
67 }
68 
69 static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
70 {
71 	__u8 status = *((__u8 *) skb->data);
72 
73 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
74 
75 	if (status)
76 		return;
77 
78 	hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);
79 }
80 
81 static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
82 {
83 	__u8 status = *((__u8 *) skb->data);
84 
85 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
86 
87 	if (status)
88 		return;
89 
90 	hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);
91 
92 	hci_conn_check_pending(hdev);
93 }
94 
95 static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev,
96 					  struct sk_buff *skb)
97 {
98 	BT_DBG("%s", hdev->name);
99 }
100 
101 static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb)
102 {
103 	struct hci_rp_role_discovery *rp = (void *) skb->data;
104 	struct hci_conn *conn;
105 
106 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
107 
108 	if (rp->status)
109 		return;
110 
111 	hci_dev_lock(hdev);
112 
113 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
114 	if (conn)
115 		conn->role = rp->role;
116 
117 	hci_dev_unlock(hdev);
118 }
119 
120 static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
121 {
122 	struct hci_rp_read_link_policy *rp = (void *) skb->data;
123 	struct hci_conn *conn;
124 
125 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
126 
127 	if (rp->status)
128 		return;
129 
130 	hci_dev_lock(hdev);
131 
132 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
133 	if (conn)
134 		conn->link_policy = __le16_to_cpu(rp->policy);
135 
136 	hci_dev_unlock(hdev);
137 }
138 
139 static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
140 {
141 	struct hci_rp_write_link_policy *rp = (void *) skb->data;
142 	struct hci_conn *conn;
143 	void *sent;
144 
145 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
146 
147 	if (rp->status)
148 		return;
149 
150 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
151 	if (!sent)
152 		return;
153 
154 	hci_dev_lock(hdev);
155 
156 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
157 	if (conn)
158 		conn->link_policy = get_unaligned_le16(sent + 2);
159 
160 	hci_dev_unlock(hdev);
161 }
162 
163 static void hci_cc_read_def_link_policy(struct hci_dev *hdev,
164 					struct sk_buff *skb)
165 {
166 	struct hci_rp_read_def_link_policy *rp = (void *) skb->data;
167 
168 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
169 
170 	if (rp->status)
171 		return;
172 
173 	hdev->link_policy = __le16_to_cpu(rp->policy);
174 }
175 
176 static void hci_cc_write_def_link_policy(struct hci_dev *hdev,
177 					 struct sk_buff *skb)
178 {
179 	__u8 status = *((__u8 *) skb->data);
180 	void *sent;
181 
182 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
183 
184 	if (status)
185 		return;
186 
187 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
188 	if (!sent)
189 		return;
190 
191 	hdev->link_policy = get_unaligned_le16(sent);
192 }
193 
194 static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb)
195 {
196 	__u8 status = *((__u8 *) skb->data);
197 
198 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
199 
200 	clear_bit(HCI_RESET, &hdev->flags);
201 
202 	if (status)
203 		return;
204 
205 	/* Reset all non-persistent flags */
206 	hci_dev_clear_volatile_flags(hdev);
207 
208 	hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
209 
210 	hdev->inq_tx_power = HCI_TX_POWER_INVALID;
211 	hdev->adv_tx_power = HCI_TX_POWER_INVALID;
212 
213 	memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
214 	hdev->adv_data_len = 0;
215 
216 	memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
217 	hdev->scan_rsp_data_len = 0;
218 
219 	hdev->le_scan_type = LE_SCAN_PASSIVE;
220 
221 	hdev->ssp_debug_mode = 0;
222 
223 	hci_bdaddr_list_clear(&hdev->le_white_list);
224 }
225 
226 static void hci_cc_read_stored_link_key(struct hci_dev *hdev,
227 					struct sk_buff *skb)
228 {
229 	struct hci_rp_read_stored_link_key *rp = (void *)skb->data;
230 	struct hci_cp_read_stored_link_key *sent;
231 
232 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
233 
234 	sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
235 	if (!sent)
236 		return;
237 
238 	if (!rp->status && sent->read_all == 0x01) {
239 		hdev->stored_max_keys = rp->max_keys;
240 		hdev->stored_num_keys = rp->num_keys;
241 	}
242 }
243 
244 static void hci_cc_delete_stored_link_key(struct hci_dev *hdev,
245 					  struct sk_buff *skb)
246 {
247 	struct hci_rp_delete_stored_link_key *rp = (void *)skb->data;
248 
249 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
250 
251 	if (rp->status)
252 		return;
253 
254 	if (rp->num_keys <= hdev->stored_num_keys)
255 		hdev->stored_num_keys -= rp->num_keys;
256 	else
257 		hdev->stored_num_keys = 0;
258 }
259 
260 static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb)
261 {
262 	__u8 status = *((__u8 *) skb->data);
263 	void *sent;
264 
265 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
266 
267 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
268 	if (!sent)
269 		return;
270 
271 	hci_dev_lock(hdev);
272 
273 	if (hci_dev_test_flag(hdev, HCI_MGMT))
274 		mgmt_set_local_name_complete(hdev, sent, status);
275 	else if (!status)
276 		memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
277 
278 	hci_dev_unlock(hdev);
279 }
280 
281 static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)
282 {
283 	struct hci_rp_read_local_name *rp = (void *) skb->data;
284 
285 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
286 
287 	if (rp->status)
288 		return;
289 
290 	if (hci_dev_test_flag(hdev, HCI_SETUP) ||
291 	    hci_dev_test_flag(hdev, HCI_CONFIG))
292 		memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
293 }
294 
295 static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb)
296 {
297 	__u8 status = *((__u8 *) skb->data);
298 	void *sent;
299 
300 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
301 
302 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
303 	if (!sent)
304 		return;
305 
306 	hci_dev_lock(hdev);
307 
308 	if (!status) {
309 		__u8 param = *((__u8 *) sent);
310 
311 		if (param == AUTH_ENABLED)
312 			set_bit(HCI_AUTH, &hdev->flags);
313 		else
314 			clear_bit(HCI_AUTH, &hdev->flags);
315 	}
316 
317 	if (hci_dev_test_flag(hdev, HCI_MGMT))
318 		mgmt_auth_enable_complete(hdev, status);
319 
320 	hci_dev_unlock(hdev);
321 }
322 
323 static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb)
324 {
325 	__u8 status = *((__u8 *) skb->data);
326 	__u8 param;
327 	void *sent;
328 
329 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
330 
331 	if (status)
332 		return;
333 
334 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
335 	if (!sent)
336 		return;
337 
338 	param = *((__u8 *) sent);
339 
340 	if (param)
341 		set_bit(HCI_ENCRYPT, &hdev->flags);
342 	else
343 		clear_bit(HCI_ENCRYPT, &hdev->flags);
344 }
345 
346 static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb)
347 {
348 	__u8 status = *((__u8 *) skb->data);
349 	__u8 param;
350 	void *sent;
351 
352 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
353 
354 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
355 	if (!sent)
356 		return;
357 
358 	param = *((__u8 *) sent);
359 
360 	hci_dev_lock(hdev);
361 
362 	if (status) {
363 		hdev->discov_timeout = 0;
364 		goto done;
365 	}
366 
367 	if (param & SCAN_INQUIRY)
368 		set_bit(HCI_ISCAN, &hdev->flags);
369 	else
370 		clear_bit(HCI_ISCAN, &hdev->flags);
371 
372 	if (param & SCAN_PAGE)
373 		set_bit(HCI_PSCAN, &hdev->flags);
374 	else
375 		clear_bit(HCI_PSCAN, &hdev->flags);
376 
377 done:
378 	hci_dev_unlock(hdev);
379 }
380 
381 static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
382 {
383 	struct hci_rp_read_class_of_dev *rp = (void *) skb->data;
384 
385 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
386 
387 	if (rp->status)
388 		return;
389 
390 	memcpy(hdev->dev_class, rp->dev_class, 3);
391 
392 	BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name,
393 	       hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]);
394 }
395 
396 static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
397 {
398 	__u8 status = *((__u8 *) skb->data);
399 	void *sent;
400 
401 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
402 
403 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
404 	if (!sent)
405 		return;
406 
407 	hci_dev_lock(hdev);
408 
409 	if (status == 0)
410 		memcpy(hdev->dev_class, sent, 3);
411 
412 	if (hci_dev_test_flag(hdev, HCI_MGMT))
413 		mgmt_set_class_of_dev_complete(hdev, sent, status);
414 
415 	hci_dev_unlock(hdev);
416 }
417 
418 static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb)
419 {
420 	struct hci_rp_read_voice_setting *rp = (void *) skb->data;
421 	__u16 setting;
422 
423 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
424 
425 	if (rp->status)
426 		return;
427 
428 	setting = __le16_to_cpu(rp->voice_setting);
429 
430 	if (hdev->voice_setting == setting)
431 		return;
432 
433 	hdev->voice_setting = setting;
434 
435 	BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
436 
437 	if (hdev->notify)
438 		hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
439 }
440 
441 static void hci_cc_write_voice_setting(struct hci_dev *hdev,
442 				       struct sk_buff *skb)
443 {
444 	__u8 status = *((__u8 *) skb->data);
445 	__u16 setting;
446 	void *sent;
447 
448 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
449 
450 	if (status)
451 		return;
452 
453 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
454 	if (!sent)
455 		return;
456 
457 	setting = get_unaligned_le16(sent);
458 
459 	if (hdev->voice_setting == setting)
460 		return;
461 
462 	hdev->voice_setting = setting;
463 
464 	BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
465 
466 	if (hdev->notify)
467 		hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
468 }
469 
470 static void hci_cc_read_num_supported_iac(struct hci_dev *hdev,
471 					  struct sk_buff *skb)
472 {
473 	struct hci_rp_read_num_supported_iac *rp = (void *) skb->data;
474 
475 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
476 
477 	if (rp->status)
478 		return;
479 
480 	hdev->num_iac = rp->num_iac;
481 
482 	BT_DBG("%s num iac %d", hdev->name, hdev->num_iac);
483 }
484 
485 static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
486 {
487 	__u8 status = *((__u8 *) skb->data);
488 	struct hci_cp_write_ssp_mode *sent;
489 
490 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
491 
492 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
493 	if (!sent)
494 		return;
495 
496 	hci_dev_lock(hdev);
497 
498 	if (!status) {
499 		if (sent->mode)
500 			hdev->features[1][0] |= LMP_HOST_SSP;
501 		else
502 			hdev->features[1][0] &= ~LMP_HOST_SSP;
503 	}
504 
505 	if (hci_dev_test_flag(hdev, HCI_MGMT))
506 		mgmt_ssp_enable_complete(hdev, sent->mode, status);
507 	else if (!status) {
508 		if (sent->mode)
509 			hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
510 		else
511 			hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
512 	}
513 
514 	hci_dev_unlock(hdev);
515 }
516 
517 static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb)
518 {
519 	u8 status = *((u8 *) skb->data);
520 	struct hci_cp_write_sc_support *sent;
521 
522 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
523 
524 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
525 	if (!sent)
526 		return;
527 
528 	hci_dev_lock(hdev);
529 
530 	if (!status) {
531 		if (sent->support)
532 			hdev->features[1][0] |= LMP_HOST_SC;
533 		else
534 			hdev->features[1][0] &= ~LMP_HOST_SC;
535 	}
536 
537 	if (!hci_dev_test_flag(hdev, HCI_MGMT) && !status) {
538 		if (sent->support)
539 			hci_dev_set_flag(hdev, HCI_SC_ENABLED);
540 		else
541 			hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
542 	}
543 
544 	hci_dev_unlock(hdev);
545 }
546 
547 static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb)
548 {
549 	struct hci_rp_read_local_version *rp = (void *) skb->data;
550 
551 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
552 
553 	if (rp->status)
554 		return;
555 
556 	if (hci_dev_test_flag(hdev, HCI_SETUP) ||
557 	    hci_dev_test_flag(hdev, HCI_CONFIG)) {
558 		hdev->hci_ver = rp->hci_ver;
559 		hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
560 		hdev->lmp_ver = rp->lmp_ver;
561 		hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
562 		hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
563 	}
564 }
565 
566 static void hci_cc_read_local_commands(struct hci_dev *hdev,
567 				       struct sk_buff *skb)
568 {
569 	struct hci_rp_read_local_commands *rp = (void *) skb->data;
570 
571 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
572 
573 	if (rp->status)
574 		return;
575 
576 	if (hci_dev_test_flag(hdev, HCI_SETUP) ||
577 	    hci_dev_test_flag(hdev, HCI_CONFIG))
578 		memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
579 }
580 
581 static void hci_cc_read_local_features(struct hci_dev *hdev,
582 				       struct sk_buff *skb)
583 {
584 	struct hci_rp_read_local_features *rp = (void *) skb->data;
585 
586 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
587 
588 	if (rp->status)
589 		return;
590 
591 	memcpy(hdev->features, rp->features, 8);
592 
593 	/* Adjust default settings according to features
594 	 * supported by device. */
595 
596 	if (hdev->features[0][0] & LMP_3SLOT)
597 		hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
598 
599 	if (hdev->features[0][0] & LMP_5SLOT)
600 		hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
601 
602 	if (hdev->features[0][1] & LMP_HV2) {
603 		hdev->pkt_type  |= (HCI_HV2);
604 		hdev->esco_type |= (ESCO_HV2);
605 	}
606 
607 	if (hdev->features[0][1] & LMP_HV3) {
608 		hdev->pkt_type  |= (HCI_HV3);
609 		hdev->esco_type |= (ESCO_HV3);
610 	}
611 
612 	if (lmp_esco_capable(hdev))
613 		hdev->esco_type |= (ESCO_EV3);
614 
615 	if (hdev->features[0][4] & LMP_EV4)
616 		hdev->esco_type |= (ESCO_EV4);
617 
618 	if (hdev->features[0][4] & LMP_EV5)
619 		hdev->esco_type |= (ESCO_EV5);
620 
621 	if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
622 		hdev->esco_type |= (ESCO_2EV3);
623 
624 	if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
625 		hdev->esco_type |= (ESCO_3EV3);
626 
627 	if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
628 		hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
629 }
630 
631 static void hci_cc_read_local_ext_features(struct hci_dev *hdev,
632 					   struct sk_buff *skb)
633 {
634 	struct hci_rp_read_local_ext_features *rp = (void *) skb->data;
635 
636 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
637 
638 	if (rp->status)
639 		return;
640 
641 	if (hdev->max_page < rp->max_page)
642 		hdev->max_page = rp->max_page;
643 
644 	if (rp->page < HCI_MAX_PAGES)
645 		memcpy(hdev->features[rp->page], rp->features, 8);
646 }
647 
648 static void hci_cc_read_flow_control_mode(struct hci_dev *hdev,
649 					  struct sk_buff *skb)
650 {
651 	struct hci_rp_read_flow_control_mode *rp = (void *) skb->data;
652 
653 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
654 
655 	if (rp->status)
656 		return;
657 
658 	hdev->flow_ctl_mode = rp->mode;
659 }
660 
661 static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)
662 {
663 	struct hci_rp_read_buffer_size *rp = (void *) skb->data;
664 
665 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
666 
667 	if (rp->status)
668 		return;
669 
670 	hdev->acl_mtu  = __le16_to_cpu(rp->acl_mtu);
671 	hdev->sco_mtu  = rp->sco_mtu;
672 	hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
673 	hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
674 
675 	if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
676 		hdev->sco_mtu  = 64;
677 		hdev->sco_pkts = 8;
678 	}
679 
680 	hdev->acl_cnt = hdev->acl_pkts;
681 	hdev->sco_cnt = hdev->sco_pkts;
682 
683 	BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
684 	       hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
685 }
686 
687 static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb)
688 {
689 	struct hci_rp_read_bd_addr *rp = (void *) skb->data;
690 
691 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
692 
693 	if (rp->status)
694 		return;
695 
696 	if (test_bit(HCI_INIT, &hdev->flags))
697 		bacpy(&hdev->bdaddr, &rp->bdaddr);
698 
699 	if (hci_dev_test_flag(hdev, HCI_SETUP))
700 		bacpy(&hdev->setup_addr, &rp->bdaddr);
701 }
702 
703 static void hci_cc_read_page_scan_activity(struct hci_dev *hdev,
704 					   struct sk_buff *skb)
705 {
706 	struct hci_rp_read_page_scan_activity *rp = (void *) skb->data;
707 
708 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
709 
710 	if (rp->status)
711 		return;
712 
713 	if (test_bit(HCI_INIT, &hdev->flags)) {
714 		hdev->page_scan_interval = __le16_to_cpu(rp->interval);
715 		hdev->page_scan_window = __le16_to_cpu(rp->window);
716 	}
717 }
718 
719 static void hci_cc_write_page_scan_activity(struct hci_dev *hdev,
720 					    struct sk_buff *skb)
721 {
722 	u8 status = *((u8 *) skb->data);
723 	struct hci_cp_write_page_scan_activity *sent;
724 
725 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
726 
727 	if (status)
728 		return;
729 
730 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
731 	if (!sent)
732 		return;
733 
734 	hdev->page_scan_interval = __le16_to_cpu(sent->interval);
735 	hdev->page_scan_window = __le16_to_cpu(sent->window);
736 }
737 
738 static void hci_cc_read_page_scan_type(struct hci_dev *hdev,
739 					   struct sk_buff *skb)
740 {
741 	struct hci_rp_read_page_scan_type *rp = (void *) skb->data;
742 
743 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
744 
745 	if (rp->status)
746 		return;
747 
748 	if (test_bit(HCI_INIT, &hdev->flags))
749 		hdev->page_scan_type = rp->type;
750 }
751 
752 static void hci_cc_write_page_scan_type(struct hci_dev *hdev,
753 					struct sk_buff *skb)
754 {
755 	u8 status = *((u8 *) skb->data);
756 	u8 *type;
757 
758 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
759 
760 	if (status)
761 		return;
762 
763 	type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
764 	if (type)
765 		hdev->page_scan_type = *type;
766 }
767 
768 static void hci_cc_read_data_block_size(struct hci_dev *hdev,
769 					struct sk_buff *skb)
770 {
771 	struct hci_rp_read_data_block_size *rp = (void *) skb->data;
772 
773 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
774 
775 	if (rp->status)
776 		return;
777 
778 	hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
779 	hdev->block_len = __le16_to_cpu(rp->block_len);
780 	hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
781 
782 	hdev->block_cnt = hdev->num_blocks;
783 
784 	BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
785 	       hdev->block_cnt, hdev->block_len);
786 }
787 
788 static void hci_cc_read_clock(struct hci_dev *hdev, struct sk_buff *skb)
789 {
790 	struct hci_rp_read_clock *rp = (void *) skb->data;
791 	struct hci_cp_read_clock *cp;
792 	struct hci_conn *conn;
793 
794 	BT_DBG("%s", hdev->name);
795 
796 	if (skb->len < sizeof(*rp))
797 		return;
798 
799 	if (rp->status)
800 		return;
801 
802 	hci_dev_lock(hdev);
803 
804 	cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
805 	if (!cp)
806 		goto unlock;
807 
808 	if (cp->which == 0x00) {
809 		hdev->clock = le32_to_cpu(rp->clock);
810 		goto unlock;
811 	}
812 
813 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
814 	if (conn) {
815 		conn->clock = le32_to_cpu(rp->clock);
816 		conn->clock_accuracy = le16_to_cpu(rp->accuracy);
817 	}
818 
819 unlock:
820 	hci_dev_unlock(hdev);
821 }
822 
823 static void hci_cc_read_local_amp_info(struct hci_dev *hdev,
824 				       struct sk_buff *skb)
825 {
826 	struct hci_rp_read_local_amp_info *rp = (void *) skb->data;
827 
828 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
829 
830 	if (rp->status)
831 		return;
832 
833 	hdev->amp_status = rp->amp_status;
834 	hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
835 	hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
836 	hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
837 	hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
838 	hdev->amp_type = rp->amp_type;
839 	hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
840 	hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
841 	hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
842 	hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
843 }
844 
845 static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev,
846 					 struct sk_buff *skb)
847 {
848 	struct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data;
849 
850 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
851 
852 	if (rp->status)
853 		return;
854 
855 	hdev->inq_tx_power = rp->tx_power;
856 }
857 
858 static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb)
859 {
860 	struct hci_rp_pin_code_reply *rp = (void *) skb->data;
861 	struct hci_cp_pin_code_reply *cp;
862 	struct hci_conn *conn;
863 
864 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
865 
866 	hci_dev_lock(hdev);
867 
868 	if (hci_dev_test_flag(hdev, HCI_MGMT))
869 		mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
870 
871 	if (rp->status)
872 		goto unlock;
873 
874 	cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
875 	if (!cp)
876 		goto unlock;
877 
878 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
879 	if (conn)
880 		conn->pin_length = cp->pin_len;
881 
882 unlock:
883 	hci_dev_unlock(hdev);
884 }
885 
886 static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)
887 {
888 	struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data;
889 
890 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
891 
892 	hci_dev_lock(hdev);
893 
894 	if (hci_dev_test_flag(hdev, HCI_MGMT))
895 		mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
896 						 rp->status);
897 
898 	hci_dev_unlock(hdev);
899 }
900 
901 static void hci_cc_le_read_buffer_size(struct hci_dev *hdev,
902 				       struct sk_buff *skb)
903 {
904 	struct hci_rp_le_read_buffer_size *rp = (void *) skb->data;
905 
906 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
907 
908 	if (rp->status)
909 		return;
910 
911 	hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
912 	hdev->le_pkts = rp->le_max_pkt;
913 
914 	hdev->le_cnt = hdev->le_pkts;
915 
916 	BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
917 }
918 
919 static void hci_cc_le_read_local_features(struct hci_dev *hdev,
920 					  struct sk_buff *skb)
921 {
922 	struct hci_rp_le_read_local_features *rp = (void *) skb->data;
923 
924 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
925 
926 	if (rp->status)
927 		return;
928 
929 	memcpy(hdev->le_features, rp->features, 8);
930 }
931 
932 static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev,
933 					struct sk_buff *skb)
934 {
935 	struct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data;
936 
937 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
938 
939 	if (rp->status)
940 		return;
941 
942 	hdev->adv_tx_power = rp->tx_power;
943 }
944 
945 static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb)
946 {
947 	struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
948 
949 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
950 
951 	hci_dev_lock(hdev);
952 
953 	if (hci_dev_test_flag(hdev, HCI_MGMT))
954 		mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
955 						 rp->status);
956 
957 	hci_dev_unlock(hdev);
958 }
959 
960 static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev,
961 					  struct sk_buff *skb)
962 {
963 	struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
964 
965 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
966 
967 	hci_dev_lock(hdev);
968 
969 	if (hci_dev_test_flag(hdev, HCI_MGMT))
970 		mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
971 						     ACL_LINK, 0, rp->status);
972 
973 	hci_dev_unlock(hdev);
974 }
975 
976 static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb)
977 {
978 	struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
979 
980 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
981 
982 	hci_dev_lock(hdev);
983 
984 	if (hci_dev_test_flag(hdev, HCI_MGMT))
985 		mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
986 						 0, rp->status);
987 
988 	hci_dev_unlock(hdev);
989 }
990 
991 static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev,
992 					  struct sk_buff *skb)
993 {
994 	struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
995 
996 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
997 
998 	hci_dev_lock(hdev);
999 
1000 	if (hci_dev_test_flag(hdev, HCI_MGMT))
1001 		mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
1002 						     ACL_LINK, 0, rp->status);
1003 
1004 	hci_dev_unlock(hdev);
1005 }
1006 
1007 static void hci_cc_read_local_oob_data(struct hci_dev *hdev,
1008 				       struct sk_buff *skb)
1009 {
1010 	struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
1011 
1012 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1013 }
1014 
1015 static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev,
1016 					   struct sk_buff *skb)
1017 {
1018 	struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
1019 
1020 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1021 }
1022 
1023 static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb)
1024 {
1025 	__u8 status = *((__u8 *) skb->data);
1026 	bdaddr_t *sent;
1027 
1028 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1029 
1030 	if (status)
1031 		return;
1032 
1033 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1034 	if (!sent)
1035 		return;
1036 
1037 	hci_dev_lock(hdev);
1038 
1039 	bacpy(&hdev->random_addr, sent);
1040 
1041 	hci_dev_unlock(hdev);
1042 }
1043 
1044 static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb)
1045 {
1046 	__u8 *sent, status = *((__u8 *) skb->data);
1047 
1048 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1049 
1050 	if (status)
1051 		return;
1052 
1053 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1054 	if (!sent)
1055 		return;
1056 
1057 	hci_dev_lock(hdev);
1058 
1059 	/* If we're doing connection initiation as peripheral. Set a
1060 	 * timeout in case something goes wrong.
1061 	 */
1062 	if (*sent) {
1063 		struct hci_conn *conn;
1064 
1065 		hci_dev_set_flag(hdev, HCI_LE_ADV);
1066 
1067 		conn = hci_lookup_le_connect(hdev);
1068 		if (conn)
1069 			queue_delayed_work(hdev->workqueue,
1070 					   &conn->le_conn_timeout,
1071 					   conn->conn_timeout);
1072 	} else {
1073 		hci_dev_clear_flag(hdev, HCI_LE_ADV);
1074 	}
1075 
1076 	hci_dev_unlock(hdev);
1077 }
1078 
1079 static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb)
1080 {
1081 	struct hci_cp_le_set_scan_param *cp;
1082 	__u8 status = *((__u8 *) skb->data);
1083 
1084 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1085 
1086 	if (status)
1087 		return;
1088 
1089 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1090 	if (!cp)
1091 		return;
1092 
1093 	hci_dev_lock(hdev);
1094 
1095 	hdev->le_scan_type = cp->type;
1096 
1097 	hci_dev_unlock(hdev);
1098 }
1099 
1100 static bool has_pending_adv_report(struct hci_dev *hdev)
1101 {
1102 	struct discovery_state *d = &hdev->discovery;
1103 
1104 	return bacmp(&d->last_adv_addr, BDADDR_ANY);
1105 }
1106 
1107 static void clear_pending_adv_report(struct hci_dev *hdev)
1108 {
1109 	struct discovery_state *d = &hdev->discovery;
1110 
1111 	bacpy(&d->last_adv_addr, BDADDR_ANY);
1112 	d->last_adv_data_len = 0;
1113 }
1114 
1115 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1116 				     u8 bdaddr_type, s8 rssi, u32 flags,
1117 				     u8 *data, u8 len)
1118 {
1119 	struct discovery_state *d = &hdev->discovery;
1120 
1121 	bacpy(&d->last_adv_addr, bdaddr);
1122 	d->last_adv_addr_type = bdaddr_type;
1123 	d->last_adv_rssi = rssi;
1124 	d->last_adv_flags = flags;
1125 	memcpy(d->last_adv_data, data, len);
1126 	d->last_adv_data_len = len;
1127 }
1128 
1129 static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
1130 				      struct sk_buff *skb)
1131 {
1132 	struct hci_cp_le_set_scan_enable *cp;
1133 	__u8 status = *((__u8 *) skb->data);
1134 
1135 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1136 
1137 	if (status)
1138 		return;
1139 
1140 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1141 	if (!cp)
1142 		return;
1143 
1144 	hci_dev_lock(hdev);
1145 
1146 	switch (cp->enable) {
1147 	case LE_SCAN_ENABLE:
1148 		hci_dev_set_flag(hdev, HCI_LE_SCAN);
1149 		if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1150 			clear_pending_adv_report(hdev);
1151 		break;
1152 
1153 	case LE_SCAN_DISABLE:
1154 		/* We do this here instead of when setting DISCOVERY_STOPPED
1155 		 * since the latter would potentially require waiting for
1156 		 * inquiry to stop too.
1157 		 */
1158 		if (has_pending_adv_report(hdev)) {
1159 			struct discovery_state *d = &hdev->discovery;
1160 
1161 			mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1162 					  d->last_adv_addr_type, NULL,
1163 					  d->last_adv_rssi, d->last_adv_flags,
1164 					  d->last_adv_data,
1165 					  d->last_adv_data_len, NULL, 0);
1166 		}
1167 
1168 		/* Cancel this timer so that we don't try to disable scanning
1169 		 * when it's already disabled.
1170 		 */
1171 		cancel_delayed_work(&hdev->le_scan_disable);
1172 
1173 		hci_dev_clear_flag(hdev, HCI_LE_SCAN);
1174 
1175 		/* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1176 		 * interrupted scanning due to a connect request. Mark
1177 		 * therefore discovery as stopped. If this was not
1178 		 * because of a connect request advertising might have
1179 		 * been disabled because of active scanning, so
1180 		 * re-enable it again if necessary.
1181 		 */
1182 		if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))
1183 			hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1184 		else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) &&
1185 			 hdev->discovery.state == DISCOVERY_FINDING)
1186 			hci_req_reenable_advertising(hdev);
1187 
1188 		break;
1189 
1190 	default:
1191 		bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d",
1192 			   cp->enable);
1193 		break;
1194 	}
1195 
1196 	hci_dev_unlock(hdev);
1197 }
1198 
1199 static void hci_cc_le_read_white_list_size(struct hci_dev *hdev,
1200 					   struct sk_buff *skb)
1201 {
1202 	struct hci_rp_le_read_white_list_size *rp = (void *) skb->data;
1203 
1204 	BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1205 
1206 	if (rp->status)
1207 		return;
1208 
1209 	hdev->le_white_list_size = rp->size;
1210 }
1211 
1212 static void hci_cc_le_clear_white_list(struct hci_dev *hdev,
1213 				       struct sk_buff *skb)
1214 {
1215 	__u8 status = *((__u8 *) skb->data);
1216 
1217 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1218 
1219 	if (status)
1220 		return;
1221 
1222 	hci_bdaddr_list_clear(&hdev->le_white_list);
1223 }
1224 
1225 static void hci_cc_le_add_to_white_list(struct hci_dev *hdev,
1226 					struct sk_buff *skb)
1227 {
1228 	struct hci_cp_le_add_to_white_list *sent;
1229 	__u8 status = *((__u8 *) skb->data);
1230 
1231 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1232 
1233 	if (status)
1234 		return;
1235 
1236 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_WHITE_LIST);
1237 	if (!sent)
1238 		return;
1239 
1240 	hci_bdaddr_list_add(&hdev->le_white_list, &sent->bdaddr,
1241 			   sent->bdaddr_type);
1242 }
1243 
1244 static void hci_cc_le_del_from_white_list(struct hci_dev *hdev,
1245 					  struct sk_buff *skb)
1246 {
1247 	struct hci_cp_le_del_from_white_list *sent;
1248 	__u8 status = *((__u8 *) skb->data);
1249 
1250 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1251 
1252 	if (status)
1253 		return;
1254 
1255 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_WHITE_LIST);
1256 	if (!sent)
1257 		return;
1258 
1259 	hci_bdaddr_list_del(&hdev->le_white_list, &sent->bdaddr,
1260 			    sent->bdaddr_type);
1261 }
1262 
1263 static void hci_cc_le_read_supported_states(struct hci_dev *hdev,
1264 					    struct sk_buff *skb)
1265 {
1266 	struct hci_rp_le_read_supported_states *rp = (void *) skb->data;
1267 
1268 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1269 
1270 	if (rp->status)
1271 		return;
1272 
1273 	memcpy(hdev->le_states, rp->le_states, 8);
1274 }
1275 
1276 static void hci_cc_le_read_def_data_len(struct hci_dev *hdev,
1277 					struct sk_buff *skb)
1278 {
1279 	struct hci_rp_le_read_def_data_len *rp = (void *) skb->data;
1280 
1281 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1282 
1283 	if (rp->status)
1284 		return;
1285 
1286 	hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
1287 	hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
1288 }
1289 
1290 static void hci_cc_le_write_def_data_len(struct hci_dev *hdev,
1291 					 struct sk_buff *skb)
1292 {
1293 	struct hci_cp_le_write_def_data_len *sent;
1294 	__u8 status = *((__u8 *) skb->data);
1295 
1296 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1297 
1298 	if (status)
1299 		return;
1300 
1301 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
1302 	if (!sent)
1303 		return;
1304 
1305 	hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
1306 	hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
1307 }
1308 
1309 static void hci_cc_le_read_max_data_len(struct hci_dev *hdev,
1310 					struct sk_buff *skb)
1311 {
1312 	struct hci_rp_le_read_max_data_len *rp = (void *) skb->data;
1313 
1314 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1315 
1316 	if (rp->status)
1317 		return;
1318 
1319 	hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
1320 	hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
1321 	hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
1322 	hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
1323 }
1324 
1325 static void hci_cc_write_le_host_supported(struct hci_dev *hdev,
1326 					   struct sk_buff *skb)
1327 {
1328 	struct hci_cp_write_le_host_supported *sent;
1329 	__u8 status = *((__u8 *) skb->data);
1330 
1331 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1332 
1333 	if (status)
1334 		return;
1335 
1336 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
1337 	if (!sent)
1338 		return;
1339 
1340 	hci_dev_lock(hdev);
1341 
1342 	if (sent->le) {
1343 		hdev->features[1][0] |= LMP_HOST_LE;
1344 		hci_dev_set_flag(hdev, HCI_LE_ENABLED);
1345 	} else {
1346 		hdev->features[1][0] &= ~LMP_HOST_LE;
1347 		hci_dev_clear_flag(hdev, HCI_LE_ENABLED);
1348 		hci_dev_clear_flag(hdev, HCI_ADVERTISING);
1349 	}
1350 
1351 	if (sent->simul)
1352 		hdev->features[1][0] |= LMP_HOST_LE_BREDR;
1353 	else
1354 		hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
1355 
1356 	hci_dev_unlock(hdev);
1357 }
1358 
1359 static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1360 {
1361 	struct hci_cp_le_set_adv_param *cp;
1362 	u8 status = *((u8 *) skb->data);
1363 
1364 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1365 
1366 	if (status)
1367 		return;
1368 
1369 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
1370 	if (!cp)
1371 		return;
1372 
1373 	hci_dev_lock(hdev);
1374 	hdev->adv_addr_type = cp->own_address_type;
1375 	hci_dev_unlock(hdev);
1376 }
1377 
1378 static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb)
1379 {
1380 	struct hci_rp_read_rssi *rp = (void *) skb->data;
1381 	struct hci_conn *conn;
1382 
1383 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1384 
1385 	if (rp->status)
1386 		return;
1387 
1388 	hci_dev_lock(hdev);
1389 
1390 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1391 	if (conn)
1392 		conn->rssi = rp->rssi;
1393 
1394 	hci_dev_unlock(hdev);
1395 }
1396 
1397 static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb)
1398 {
1399 	struct hci_cp_read_tx_power *sent;
1400 	struct hci_rp_read_tx_power *rp = (void *) skb->data;
1401 	struct hci_conn *conn;
1402 
1403 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1404 
1405 	if (rp->status)
1406 		return;
1407 
1408 	sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
1409 	if (!sent)
1410 		return;
1411 
1412 	hci_dev_lock(hdev);
1413 
1414 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1415 	if (!conn)
1416 		goto unlock;
1417 
1418 	switch (sent->type) {
1419 	case 0x00:
1420 		conn->tx_power = rp->tx_power;
1421 		break;
1422 	case 0x01:
1423 		conn->max_tx_power = rp->tx_power;
1424 		break;
1425 	}
1426 
1427 unlock:
1428 	hci_dev_unlock(hdev);
1429 }
1430 
1431 static void hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, struct sk_buff *skb)
1432 {
1433 	u8 status = *((u8 *) skb->data);
1434 	u8 *mode;
1435 
1436 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1437 
1438 	if (status)
1439 		return;
1440 
1441 	mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);
1442 	if (mode)
1443 		hdev->ssp_debug_mode = *mode;
1444 }
1445 
1446 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
1447 {
1448 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1449 
1450 	if (status) {
1451 		hci_conn_check_pending(hdev);
1452 		return;
1453 	}
1454 
1455 	set_bit(HCI_INQUIRY, &hdev->flags);
1456 }
1457 
1458 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
1459 {
1460 	struct hci_cp_create_conn *cp;
1461 	struct hci_conn *conn;
1462 
1463 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1464 
1465 	cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
1466 	if (!cp)
1467 		return;
1468 
1469 	hci_dev_lock(hdev);
1470 
1471 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1472 
1473 	BT_DBG("%s bdaddr %pMR hcon %p", hdev->name, &cp->bdaddr, conn);
1474 
1475 	if (status) {
1476 		if (conn && conn->state == BT_CONNECT) {
1477 			if (status != 0x0c || conn->attempt > 2) {
1478 				conn->state = BT_CLOSED;
1479 				hci_connect_cfm(conn, status);
1480 				hci_conn_del(conn);
1481 			} else
1482 				conn->state = BT_CONNECT2;
1483 		}
1484 	} else {
1485 		if (!conn) {
1486 			conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr,
1487 					    HCI_ROLE_MASTER);
1488 			if (!conn)
1489 				bt_dev_err(hdev, "no memory for new connection");
1490 		}
1491 	}
1492 
1493 	hci_dev_unlock(hdev);
1494 }
1495 
1496 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
1497 {
1498 	struct hci_cp_add_sco *cp;
1499 	struct hci_conn *acl, *sco;
1500 	__u16 handle;
1501 
1502 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1503 
1504 	if (!status)
1505 		return;
1506 
1507 	cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
1508 	if (!cp)
1509 		return;
1510 
1511 	handle = __le16_to_cpu(cp->handle);
1512 
1513 	BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1514 
1515 	hci_dev_lock(hdev);
1516 
1517 	acl = hci_conn_hash_lookup_handle(hdev, handle);
1518 	if (acl) {
1519 		sco = acl->link;
1520 		if (sco) {
1521 			sco->state = BT_CLOSED;
1522 
1523 			hci_connect_cfm(sco, status);
1524 			hci_conn_del(sco);
1525 		}
1526 	}
1527 
1528 	hci_dev_unlock(hdev);
1529 }
1530 
1531 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
1532 {
1533 	struct hci_cp_auth_requested *cp;
1534 	struct hci_conn *conn;
1535 
1536 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1537 
1538 	if (!status)
1539 		return;
1540 
1541 	cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
1542 	if (!cp)
1543 		return;
1544 
1545 	hci_dev_lock(hdev);
1546 
1547 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1548 	if (conn) {
1549 		if (conn->state == BT_CONFIG) {
1550 			hci_connect_cfm(conn, status);
1551 			hci_conn_drop(conn);
1552 		}
1553 	}
1554 
1555 	hci_dev_unlock(hdev);
1556 }
1557 
1558 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
1559 {
1560 	struct hci_cp_set_conn_encrypt *cp;
1561 	struct hci_conn *conn;
1562 
1563 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1564 
1565 	if (!status)
1566 		return;
1567 
1568 	cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
1569 	if (!cp)
1570 		return;
1571 
1572 	hci_dev_lock(hdev);
1573 
1574 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1575 	if (conn) {
1576 		if (conn->state == BT_CONFIG) {
1577 			hci_connect_cfm(conn, status);
1578 			hci_conn_drop(conn);
1579 		}
1580 	}
1581 
1582 	hci_dev_unlock(hdev);
1583 }
1584 
1585 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
1586 				    struct hci_conn *conn)
1587 {
1588 	if (conn->state != BT_CONFIG || !conn->out)
1589 		return 0;
1590 
1591 	if (conn->pending_sec_level == BT_SECURITY_SDP)
1592 		return 0;
1593 
1594 	/* Only request authentication for SSP connections or non-SSP
1595 	 * devices with sec_level MEDIUM or HIGH or if MITM protection
1596 	 * is requested.
1597 	 */
1598 	if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
1599 	    conn->pending_sec_level != BT_SECURITY_FIPS &&
1600 	    conn->pending_sec_level != BT_SECURITY_HIGH &&
1601 	    conn->pending_sec_level != BT_SECURITY_MEDIUM)
1602 		return 0;
1603 
1604 	return 1;
1605 }
1606 
1607 static int hci_resolve_name(struct hci_dev *hdev,
1608 				   struct inquiry_entry *e)
1609 {
1610 	struct hci_cp_remote_name_req cp;
1611 
1612 	memset(&cp, 0, sizeof(cp));
1613 
1614 	bacpy(&cp.bdaddr, &e->data.bdaddr);
1615 	cp.pscan_rep_mode = e->data.pscan_rep_mode;
1616 	cp.pscan_mode = e->data.pscan_mode;
1617 	cp.clock_offset = e->data.clock_offset;
1618 
1619 	return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
1620 }
1621 
1622 static bool hci_resolve_next_name(struct hci_dev *hdev)
1623 {
1624 	struct discovery_state *discov = &hdev->discovery;
1625 	struct inquiry_entry *e;
1626 
1627 	if (list_empty(&discov->resolve))
1628 		return false;
1629 
1630 	e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
1631 	if (!e)
1632 		return false;
1633 
1634 	if (hci_resolve_name(hdev, e) == 0) {
1635 		e->name_state = NAME_PENDING;
1636 		return true;
1637 	}
1638 
1639 	return false;
1640 }
1641 
1642 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
1643 				   bdaddr_t *bdaddr, u8 *name, u8 name_len)
1644 {
1645 	struct discovery_state *discov = &hdev->discovery;
1646 	struct inquiry_entry *e;
1647 
1648 	/* Update the mgmt connected state if necessary. Be careful with
1649 	 * conn objects that exist but are not (yet) connected however.
1650 	 * Only those in BT_CONFIG or BT_CONNECTED states can be
1651 	 * considered connected.
1652 	 */
1653 	if (conn &&
1654 	    (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) &&
1655 	    !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
1656 		mgmt_device_connected(hdev, conn, 0, name, name_len);
1657 
1658 	if (discov->state == DISCOVERY_STOPPED)
1659 		return;
1660 
1661 	if (discov->state == DISCOVERY_STOPPING)
1662 		goto discov_complete;
1663 
1664 	if (discov->state != DISCOVERY_RESOLVING)
1665 		return;
1666 
1667 	e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
1668 	/* If the device was not found in a list of found devices names of which
1669 	 * are pending. there is no need to continue resolving a next name as it
1670 	 * will be done upon receiving another Remote Name Request Complete
1671 	 * Event */
1672 	if (!e)
1673 		return;
1674 
1675 	list_del(&e->list);
1676 	if (name) {
1677 		e->name_state = NAME_KNOWN;
1678 		mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,
1679 				 e->data.rssi, name, name_len);
1680 	} else {
1681 		e->name_state = NAME_NOT_KNOWN;
1682 	}
1683 
1684 	if (hci_resolve_next_name(hdev))
1685 		return;
1686 
1687 discov_complete:
1688 	hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1689 }
1690 
1691 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
1692 {
1693 	struct hci_cp_remote_name_req *cp;
1694 	struct hci_conn *conn;
1695 
1696 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1697 
1698 	/* If successful wait for the name req complete event before
1699 	 * checking for the need to do authentication */
1700 	if (!status)
1701 		return;
1702 
1703 	cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
1704 	if (!cp)
1705 		return;
1706 
1707 	hci_dev_lock(hdev);
1708 
1709 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1710 
1711 	if (hci_dev_test_flag(hdev, HCI_MGMT))
1712 		hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
1713 
1714 	if (!conn)
1715 		goto unlock;
1716 
1717 	if (!hci_outgoing_auth_needed(hdev, conn))
1718 		goto unlock;
1719 
1720 	if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
1721 		struct hci_cp_auth_requested auth_cp;
1722 
1723 		set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
1724 
1725 		auth_cp.handle = __cpu_to_le16(conn->handle);
1726 		hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
1727 			     sizeof(auth_cp), &auth_cp);
1728 	}
1729 
1730 unlock:
1731 	hci_dev_unlock(hdev);
1732 }
1733 
1734 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
1735 {
1736 	struct hci_cp_read_remote_features *cp;
1737 	struct hci_conn *conn;
1738 
1739 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1740 
1741 	if (!status)
1742 		return;
1743 
1744 	cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
1745 	if (!cp)
1746 		return;
1747 
1748 	hci_dev_lock(hdev);
1749 
1750 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1751 	if (conn) {
1752 		if (conn->state == BT_CONFIG) {
1753 			hci_connect_cfm(conn, status);
1754 			hci_conn_drop(conn);
1755 		}
1756 	}
1757 
1758 	hci_dev_unlock(hdev);
1759 }
1760 
1761 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
1762 {
1763 	struct hci_cp_read_remote_ext_features *cp;
1764 	struct hci_conn *conn;
1765 
1766 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1767 
1768 	if (!status)
1769 		return;
1770 
1771 	cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
1772 	if (!cp)
1773 		return;
1774 
1775 	hci_dev_lock(hdev);
1776 
1777 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1778 	if (conn) {
1779 		if (conn->state == BT_CONFIG) {
1780 			hci_connect_cfm(conn, status);
1781 			hci_conn_drop(conn);
1782 		}
1783 	}
1784 
1785 	hci_dev_unlock(hdev);
1786 }
1787 
1788 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
1789 {
1790 	struct hci_cp_setup_sync_conn *cp;
1791 	struct hci_conn *acl, *sco;
1792 	__u16 handle;
1793 
1794 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1795 
1796 	if (!status)
1797 		return;
1798 
1799 	cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
1800 	if (!cp)
1801 		return;
1802 
1803 	handle = __le16_to_cpu(cp->handle);
1804 
1805 	BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1806 
1807 	hci_dev_lock(hdev);
1808 
1809 	acl = hci_conn_hash_lookup_handle(hdev, handle);
1810 	if (acl) {
1811 		sco = acl->link;
1812 		if (sco) {
1813 			sco->state = BT_CLOSED;
1814 
1815 			hci_connect_cfm(sco, status);
1816 			hci_conn_del(sco);
1817 		}
1818 	}
1819 
1820 	hci_dev_unlock(hdev);
1821 }
1822 
1823 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
1824 {
1825 	struct hci_cp_sniff_mode *cp;
1826 	struct hci_conn *conn;
1827 
1828 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1829 
1830 	if (!status)
1831 		return;
1832 
1833 	cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
1834 	if (!cp)
1835 		return;
1836 
1837 	hci_dev_lock(hdev);
1838 
1839 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1840 	if (conn) {
1841 		clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
1842 
1843 		if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
1844 			hci_sco_setup(conn, status);
1845 	}
1846 
1847 	hci_dev_unlock(hdev);
1848 }
1849 
1850 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
1851 {
1852 	struct hci_cp_exit_sniff_mode *cp;
1853 	struct hci_conn *conn;
1854 
1855 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1856 
1857 	if (!status)
1858 		return;
1859 
1860 	cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
1861 	if (!cp)
1862 		return;
1863 
1864 	hci_dev_lock(hdev);
1865 
1866 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1867 	if (conn) {
1868 		clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
1869 
1870 		if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
1871 			hci_sco_setup(conn, status);
1872 	}
1873 
1874 	hci_dev_unlock(hdev);
1875 }
1876 
1877 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
1878 {
1879 	struct hci_cp_disconnect *cp;
1880 	struct hci_conn *conn;
1881 
1882 	if (!status)
1883 		return;
1884 
1885 	cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
1886 	if (!cp)
1887 		return;
1888 
1889 	hci_dev_lock(hdev);
1890 
1891 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1892 	if (conn)
1893 		mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
1894 				       conn->dst_type, status);
1895 
1896 	hci_dev_unlock(hdev);
1897 }
1898 
1899 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
1900 {
1901 	struct hci_cp_le_create_conn *cp;
1902 	struct hci_conn *conn;
1903 
1904 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1905 
1906 	/* All connection failure handling is taken care of by the
1907 	 * hci_le_conn_failed function which is triggered by the HCI
1908 	 * request completion callbacks used for connecting.
1909 	 */
1910 	if (status)
1911 		return;
1912 
1913 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
1914 	if (!cp)
1915 		return;
1916 
1917 	hci_dev_lock(hdev);
1918 
1919 	conn = hci_conn_hash_lookup_le(hdev, &cp->peer_addr,
1920 				       cp->peer_addr_type);
1921 	if (!conn)
1922 		goto unlock;
1923 
1924 	/* Store the initiator and responder address information which
1925 	 * is needed for SMP. These values will not change during the
1926 	 * lifetime of the connection.
1927 	 */
1928 	conn->init_addr_type = cp->own_address_type;
1929 	if (cp->own_address_type == ADDR_LE_DEV_RANDOM)
1930 		bacpy(&conn->init_addr, &hdev->random_addr);
1931 	else
1932 		bacpy(&conn->init_addr, &hdev->bdaddr);
1933 
1934 	conn->resp_addr_type = cp->peer_addr_type;
1935 	bacpy(&conn->resp_addr, &cp->peer_addr);
1936 
1937 	/* We don't want the connection attempt to stick around
1938 	 * indefinitely since LE doesn't have a page timeout concept
1939 	 * like BR/EDR. Set a timer for any connection that doesn't use
1940 	 * the white list for connecting.
1941 	 */
1942 	if (cp->filter_policy == HCI_LE_USE_PEER_ADDR)
1943 		queue_delayed_work(conn->hdev->workqueue,
1944 				   &conn->le_conn_timeout,
1945 				   conn->conn_timeout);
1946 
1947 unlock:
1948 	hci_dev_unlock(hdev);
1949 }
1950 
1951 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)
1952 {
1953 	struct hci_cp_le_read_remote_features *cp;
1954 	struct hci_conn *conn;
1955 
1956 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1957 
1958 	if (!status)
1959 		return;
1960 
1961 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);
1962 	if (!cp)
1963 		return;
1964 
1965 	hci_dev_lock(hdev);
1966 
1967 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1968 	if (conn) {
1969 		if (conn->state == BT_CONFIG) {
1970 			hci_connect_cfm(conn, status);
1971 			hci_conn_drop(conn);
1972 		}
1973 	}
1974 
1975 	hci_dev_unlock(hdev);
1976 }
1977 
1978 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
1979 {
1980 	struct hci_cp_le_start_enc *cp;
1981 	struct hci_conn *conn;
1982 
1983 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1984 
1985 	if (!status)
1986 		return;
1987 
1988 	hci_dev_lock(hdev);
1989 
1990 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
1991 	if (!cp)
1992 		goto unlock;
1993 
1994 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1995 	if (!conn)
1996 		goto unlock;
1997 
1998 	if (conn->state != BT_CONNECTED)
1999 		goto unlock;
2000 
2001 	hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2002 	hci_conn_drop(conn);
2003 
2004 unlock:
2005 	hci_dev_unlock(hdev);
2006 }
2007 
2008 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
2009 {
2010 	struct hci_cp_switch_role *cp;
2011 	struct hci_conn *conn;
2012 
2013 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
2014 
2015 	if (!status)
2016 		return;
2017 
2018 	cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
2019 	if (!cp)
2020 		return;
2021 
2022 	hci_dev_lock(hdev);
2023 
2024 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2025 	if (conn)
2026 		clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
2027 
2028 	hci_dev_unlock(hdev);
2029 }
2030 
2031 static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2032 {
2033 	__u8 status = *((__u8 *) skb->data);
2034 	struct discovery_state *discov = &hdev->discovery;
2035 	struct inquiry_entry *e;
2036 
2037 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
2038 
2039 	hci_conn_check_pending(hdev);
2040 
2041 	if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
2042 		return;
2043 
2044 	smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
2045 	wake_up_bit(&hdev->flags, HCI_INQUIRY);
2046 
2047 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
2048 		return;
2049 
2050 	hci_dev_lock(hdev);
2051 
2052 	if (discov->state != DISCOVERY_FINDING)
2053 		goto unlock;
2054 
2055 	if (list_empty(&discov->resolve)) {
2056 		/* When BR/EDR inquiry is active and no LE scanning is in
2057 		 * progress, then change discovery state to indicate completion.
2058 		 *
2059 		 * When running LE scanning and BR/EDR inquiry simultaneously
2060 		 * and the LE scan already finished, then change the discovery
2061 		 * state to indicate completion.
2062 		 */
2063 		if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2064 		    !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2065 			hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2066 		goto unlock;
2067 	}
2068 
2069 	e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2070 	if (e && hci_resolve_name(hdev, e) == 0) {
2071 		e->name_state = NAME_PENDING;
2072 		hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
2073 	} else {
2074 		/* When BR/EDR inquiry is active and no LE scanning is in
2075 		 * progress, then change discovery state to indicate completion.
2076 		 *
2077 		 * When running LE scanning and BR/EDR inquiry simultaneously
2078 		 * and the LE scan already finished, then change the discovery
2079 		 * state to indicate completion.
2080 		 */
2081 		if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2082 		    !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2083 			hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2084 	}
2085 
2086 unlock:
2087 	hci_dev_unlock(hdev);
2088 }
2089 
2090 static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
2091 {
2092 	struct inquiry_data data;
2093 	struct inquiry_info *info = (void *) (skb->data + 1);
2094 	int num_rsp = *((__u8 *) skb->data);
2095 
2096 	BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
2097 
2098 	if (!num_rsp)
2099 		return;
2100 
2101 	if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
2102 		return;
2103 
2104 	hci_dev_lock(hdev);
2105 
2106 	for (; num_rsp; num_rsp--, info++) {
2107 		u32 flags;
2108 
2109 		bacpy(&data.bdaddr, &info->bdaddr);
2110 		data.pscan_rep_mode	= info->pscan_rep_mode;
2111 		data.pscan_period_mode	= info->pscan_period_mode;
2112 		data.pscan_mode		= info->pscan_mode;
2113 		memcpy(data.dev_class, info->dev_class, 3);
2114 		data.clock_offset	= info->clock_offset;
2115 		data.rssi		= HCI_RSSI_INVALID;
2116 		data.ssp_mode		= 0x00;
2117 
2118 		flags = hci_inquiry_cache_update(hdev, &data, false);
2119 
2120 		mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
2121 				  info->dev_class, HCI_RSSI_INVALID,
2122 				  flags, NULL, 0, NULL, 0);
2123 	}
2124 
2125 	hci_dev_unlock(hdev);
2126 }
2127 
2128 static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2129 {
2130 	struct hci_ev_conn_complete *ev = (void *) skb->data;
2131 	struct hci_conn *conn;
2132 
2133 	BT_DBG("%s", hdev->name);
2134 
2135 	hci_dev_lock(hdev);
2136 
2137 	conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
2138 	if (!conn) {
2139 		if (ev->link_type != SCO_LINK)
2140 			goto unlock;
2141 
2142 		conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
2143 		if (!conn)
2144 			goto unlock;
2145 
2146 		conn->type = SCO_LINK;
2147 	}
2148 
2149 	if (!ev->status) {
2150 		conn->handle = __le16_to_cpu(ev->handle);
2151 
2152 		if (conn->type == ACL_LINK) {
2153 			conn->state = BT_CONFIG;
2154 			hci_conn_hold(conn);
2155 
2156 			if (!conn->out && !hci_conn_ssp_enabled(conn) &&
2157 			    !hci_find_link_key(hdev, &ev->bdaddr))
2158 				conn->disc_timeout = HCI_PAIRING_TIMEOUT;
2159 			else
2160 				conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2161 		} else
2162 			conn->state = BT_CONNECTED;
2163 
2164 		hci_debugfs_create_conn(conn);
2165 		hci_conn_add_sysfs(conn);
2166 
2167 		if (test_bit(HCI_AUTH, &hdev->flags))
2168 			set_bit(HCI_CONN_AUTH, &conn->flags);
2169 
2170 		if (test_bit(HCI_ENCRYPT, &hdev->flags))
2171 			set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2172 
2173 		/* Get remote features */
2174 		if (conn->type == ACL_LINK) {
2175 			struct hci_cp_read_remote_features cp;
2176 			cp.handle = ev->handle;
2177 			hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
2178 				     sizeof(cp), &cp);
2179 
2180 			hci_req_update_scan(hdev);
2181 		}
2182 
2183 		/* Set packet type for incoming connection */
2184 		if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
2185 			struct hci_cp_change_conn_ptype cp;
2186 			cp.handle = ev->handle;
2187 			cp.pkt_type = cpu_to_le16(conn->pkt_type);
2188 			hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
2189 				     &cp);
2190 		}
2191 	} else {
2192 		conn->state = BT_CLOSED;
2193 		if (conn->type == ACL_LINK)
2194 			mgmt_connect_failed(hdev, &conn->dst, conn->type,
2195 					    conn->dst_type, ev->status);
2196 	}
2197 
2198 	if (conn->type == ACL_LINK)
2199 		hci_sco_setup(conn, ev->status);
2200 
2201 	if (ev->status) {
2202 		hci_connect_cfm(conn, ev->status);
2203 		hci_conn_del(conn);
2204 	} else if (ev->link_type != ACL_LINK)
2205 		hci_connect_cfm(conn, ev->status);
2206 
2207 unlock:
2208 	hci_dev_unlock(hdev);
2209 
2210 	hci_conn_check_pending(hdev);
2211 }
2212 
2213 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
2214 {
2215 	struct hci_cp_reject_conn_req cp;
2216 
2217 	bacpy(&cp.bdaddr, bdaddr);
2218 	cp.reason = HCI_ERROR_REJ_BAD_ADDR;
2219 	hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
2220 }
2221 
2222 static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2223 {
2224 	struct hci_ev_conn_request *ev = (void *) skb->data;
2225 	int mask = hdev->link_mode;
2226 	struct inquiry_entry *ie;
2227 	struct hci_conn *conn;
2228 	__u8 flags = 0;
2229 
2230 	BT_DBG("%s bdaddr %pMR type 0x%x", hdev->name, &ev->bdaddr,
2231 	       ev->link_type);
2232 
2233 	mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
2234 				      &flags);
2235 
2236 	if (!(mask & HCI_LM_ACCEPT)) {
2237 		hci_reject_conn(hdev, &ev->bdaddr);
2238 		return;
2239 	}
2240 
2241 	if (hci_bdaddr_list_lookup(&hdev->blacklist, &ev->bdaddr,
2242 				   BDADDR_BREDR)) {
2243 		hci_reject_conn(hdev, &ev->bdaddr);
2244 		return;
2245 	}
2246 
2247 	/* Require HCI_CONNECTABLE or a whitelist entry to accept the
2248 	 * connection. These features are only touched through mgmt so
2249 	 * only do the checks if HCI_MGMT is set.
2250 	 */
2251 	if (hci_dev_test_flag(hdev, HCI_MGMT) &&
2252 	    !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
2253 	    !hci_bdaddr_list_lookup(&hdev->whitelist, &ev->bdaddr,
2254 				    BDADDR_BREDR)) {
2255 		    hci_reject_conn(hdev, &ev->bdaddr);
2256 		    return;
2257 	}
2258 
2259 	/* Connection accepted */
2260 
2261 	hci_dev_lock(hdev);
2262 
2263 	ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
2264 	if (ie)
2265 		memcpy(ie->data.dev_class, ev->dev_class, 3);
2266 
2267 	conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
2268 			&ev->bdaddr);
2269 	if (!conn) {
2270 		conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,
2271 				    HCI_ROLE_SLAVE);
2272 		if (!conn) {
2273 			bt_dev_err(hdev, "no memory for new connection");
2274 			hci_dev_unlock(hdev);
2275 			return;
2276 		}
2277 	}
2278 
2279 	memcpy(conn->dev_class, ev->dev_class, 3);
2280 
2281 	hci_dev_unlock(hdev);
2282 
2283 	if (ev->link_type == ACL_LINK ||
2284 	    (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
2285 		struct hci_cp_accept_conn_req cp;
2286 		conn->state = BT_CONNECT;
2287 
2288 		bacpy(&cp.bdaddr, &ev->bdaddr);
2289 
2290 		if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
2291 			cp.role = 0x00; /* Become master */
2292 		else
2293 			cp.role = 0x01; /* Remain slave */
2294 
2295 		hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
2296 	} else if (!(flags & HCI_PROTO_DEFER)) {
2297 		struct hci_cp_accept_sync_conn_req cp;
2298 		conn->state = BT_CONNECT;
2299 
2300 		bacpy(&cp.bdaddr, &ev->bdaddr);
2301 		cp.pkt_type = cpu_to_le16(conn->pkt_type);
2302 
2303 		cp.tx_bandwidth   = cpu_to_le32(0x00001f40);
2304 		cp.rx_bandwidth   = cpu_to_le32(0x00001f40);
2305 		cp.max_latency    = cpu_to_le16(0xffff);
2306 		cp.content_format = cpu_to_le16(hdev->voice_setting);
2307 		cp.retrans_effort = 0xff;
2308 
2309 		hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
2310 			     &cp);
2311 	} else {
2312 		conn->state = BT_CONNECT2;
2313 		hci_connect_cfm(conn, 0);
2314 	}
2315 }
2316 
2317 static u8 hci_to_mgmt_reason(u8 err)
2318 {
2319 	switch (err) {
2320 	case HCI_ERROR_CONNECTION_TIMEOUT:
2321 		return MGMT_DEV_DISCONN_TIMEOUT;
2322 	case HCI_ERROR_REMOTE_USER_TERM:
2323 	case HCI_ERROR_REMOTE_LOW_RESOURCES:
2324 	case HCI_ERROR_REMOTE_POWER_OFF:
2325 		return MGMT_DEV_DISCONN_REMOTE;
2326 	case HCI_ERROR_LOCAL_HOST_TERM:
2327 		return MGMT_DEV_DISCONN_LOCAL_HOST;
2328 	default:
2329 		return MGMT_DEV_DISCONN_UNKNOWN;
2330 	}
2331 }
2332 
2333 static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2334 {
2335 	struct hci_ev_disconn_complete *ev = (void *) skb->data;
2336 	u8 reason;
2337 	struct hci_conn_params *params;
2338 	struct hci_conn *conn;
2339 	bool mgmt_connected;
2340 	u8 type;
2341 
2342 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2343 
2344 	hci_dev_lock(hdev);
2345 
2346 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2347 	if (!conn)
2348 		goto unlock;
2349 
2350 	if (ev->status) {
2351 		mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2352 				       conn->dst_type, ev->status);
2353 		goto unlock;
2354 	}
2355 
2356 	conn->state = BT_CLOSED;
2357 
2358 	mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2359 
2360 	if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags))
2361 		reason = MGMT_DEV_DISCONN_AUTH_FAILURE;
2362 	else
2363 		reason = hci_to_mgmt_reason(ev->reason);
2364 
2365 	mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2366 				reason, mgmt_connected);
2367 
2368 	if (conn->type == ACL_LINK) {
2369 		if (test_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2370 			hci_remove_link_key(hdev, &conn->dst);
2371 
2372 		hci_req_update_scan(hdev);
2373 	}
2374 
2375 	params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2376 	if (params) {
2377 		switch (params->auto_connect) {
2378 		case HCI_AUTO_CONN_LINK_LOSS:
2379 			if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2380 				break;
2381 			/* Fall through */
2382 
2383 		case HCI_AUTO_CONN_DIRECT:
2384 		case HCI_AUTO_CONN_ALWAYS:
2385 			list_del_init(&params->action);
2386 			list_add(&params->action, &hdev->pend_le_conns);
2387 			hci_update_background_scan(hdev);
2388 			break;
2389 
2390 		default:
2391 			break;
2392 		}
2393 	}
2394 
2395 	type = conn->type;
2396 
2397 	hci_disconn_cfm(conn, ev->reason);
2398 	hci_conn_del(conn);
2399 
2400 	/* Re-enable advertising if necessary, since it might
2401 	 * have been disabled by the connection. From the
2402 	 * HCI_LE_Set_Advertise_Enable command description in
2403 	 * the core specification (v4.0):
2404 	 * "The Controller shall continue advertising until the Host
2405 	 * issues an LE_Set_Advertise_Enable command with
2406 	 * Advertising_Enable set to 0x00 (Advertising is disabled)
2407 	 * or until a connection is created or until the Advertising
2408 	 * is timed out due to Directed Advertising."
2409 	 */
2410 	if (type == LE_LINK)
2411 		hci_req_reenable_advertising(hdev);
2412 
2413 unlock:
2414 	hci_dev_unlock(hdev);
2415 }
2416 
2417 static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2418 {
2419 	struct hci_ev_auth_complete *ev = (void *) skb->data;
2420 	struct hci_conn *conn;
2421 
2422 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2423 
2424 	hci_dev_lock(hdev);
2425 
2426 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2427 	if (!conn)
2428 		goto unlock;
2429 
2430 	if (!ev->status) {
2431 		clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
2432 
2433 		if (!hci_conn_ssp_enabled(conn) &&
2434 		    test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) {
2435 			bt_dev_info(hdev, "re-auth of legacy device is not possible.");
2436 		} else {
2437 			set_bit(HCI_CONN_AUTH, &conn->flags);
2438 			conn->sec_level = conn->pending_sec_level;
2439 		}
2440 	} else {
2441 		if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
2442 			set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
2443 
2444 		mgmt_auth_failed(conn, ev->status);
2445 	}
2446 
2447 	clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2448 	clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
2449 
2450 	if (conn->state == BT_CONFIG) {
2451 		if (!ev->status && hci_conn_ssp_enabled(conn)) {
2452 			struct hci_cp_set_conn_encrypt cp;
2453 			cp.handle  = ev->handle;
2454 			cp.encrypt = 0x01;
2455 			hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2456 				     &cp);
2457 		} else {
2458 			conn->state = BT_CONNECTED;
2459 			hci_connect_cfm(conn, ev->status);
2460 			hci_conn_drop(conn);
2461 		}
2462 	} else {
2463 		hci_auth_cfm(conn, ev->status);
2464 
2465 		hci_conn_hold(conn);
2466 		conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2467 		hci_conn_drop(conn);
2468 	}
2469 
2470 	if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2471 		if (!ev->status) {
2472 			struct hci_cp_set_conn_encrypt cp;
2473 			cp.handle  = ev->handle;
2474 			cp.encrypt = 0x01;
2475 			hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2476 				     &cp);
2477 		} else {
2478 			clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2479 			hci_encrypt_cfm(conn, ev->status, 0x00);
2480 		}
2481 	}
2482 
2483 unlock:
2484 	hci_dev_unlock(hdev);
2485 }
2486 
2487 static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb)
2488 {
2489 	struct hci_ev_remote_name *ev = (void *) skb->data;
2490 	struct hci_conn *conn;
2491 
2492 	BT_DBG("%s", hdev->name);
2493 
2494 	hci_conn_check_pending(hdev);
2495 
2496 	hci_dev_lock(hdev);
2497 
2498 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2499 
2500 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
2501 		goto check_auth;
2502 
2503 	if (ev->status == 0)
2504 		hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
2505 				       strnlen(ev->name, HCI_MAX_NAME_LENGTH));
2506 	else
2507 		hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
2508 
2509 check_auth:
2510 	if (!conn)
2511 		goto unlock;
2512 
2513 	if (!hci_outgoing_auth_needed(hdev, conn))
2514 		goto unlock;
2515 
2516 	if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2517 		struct hci_cp_auth_requested cp;
2518 
2519 		set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2520 
2521 		cp.handle = __cpu_to_le16(conn->handle);
2522 		hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
2523 	}
2524 
2525 unlock:
2526 	hci_dev_unlock(hdev);
2527 }
2528 
2529 static void read_enc_key_size_complete(struct hci_dev *hdev, u8 status,
2530 				       u16 opcode, struct sk_buff *skb)
2531 {
2532 	const struct hci_rp_read_enc_key_size *rp;
2533 	struct hci_conn *conn;
2534 	u16 handle;
2535 
2536 	BT_DBG("%s status 0x%02x", hdev->name, status);
2537 
2538 	if (!skb || skb->len < sizeof(*rp)) {
2539 		bt_dev_err(hdev, "invalid read key size response");
2540 		return;
2541 	}
2542 
2543 	rp = (void *)skb->data;
2544 	handle = le16_to_cpu(rp->handle);
2545 
2546 	hci_dev_lock(hdev);
2547 
2548 	conn = hci_conn_hash_lookup_handle(hdev, handle);
2549 	if (!conn)
2550 		goto unlock;
2551 
2552 	/* If we fail to read the encryption key size, assume maximum
2553 	 * (which is the same we do also when this HCI command isn't
2554 	 * supported.
2555 	 */
2556 	if (rp->status) {
2557 		bt_dev_err(hdev, "failed to read key size for handle %u",
2558 			   handle);
2559 		conn->enc_key_size = HCI_LINK_KEY_SIZE;
2560 	} else {
2561 		conn->enc_key_size = rp->key_size;
2562 	}
2563 
2564 	if (conn->state == BT_CONFIG) {
2565 		conn->state = BT_CONNECTED;
2566 		hci_connect_cfm(conn, 0);
2567 		hci_conn_drop(conn);
2568 	} else {
2569 		u8 encrypt;
2570 
2571 		if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2572 			encrypt = 0x00;
2573 		else if (test_bit(HCI_CONN_AES_CCM, &conn->flags))
2574 			encrypt = 0x02;
2575 		else
2576 			encrypt = 0x01;
2577 
2578 		hci_encrypt_cfm(conn, 0, encrypt);
2579 	}
2580 
2581 unlock:
2582 	hci_dev_unlock(hdev);
2583 }
2584 
2585 static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2586 {
2587 	struct hci_ev_encrypt_change *ev = (void *) skb->data;
2588 	struct hci_conn *conn;
2589 
2590 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2591 
2592 	hci_dev_lock(hdev);
2593 
2594 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2595 	if (!conn)
2596 		goto unlock;
2597 
2598 	if (!ev->status) {
2599 		if (ev->encrypt) {
2600 			/* Encryption implies authentication */
2601 			set_bit(HCI_CONN_AUTH, &conn->flags);
2602 			set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2603 			conn->sec_level = conn->pending_sec_level;
2604 
2605 			/* P-256 authentication key implies FIPS */
2606 			if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
2607 				set_bit(HCI_CONN_FIPS, &conn->flags);
2608 
2609 			if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
2610 			    conn->type == LE_LINK)
2611 				set_bit(HCI_CONN_AES_CCM, &conn->flags);
2612 		} else {
2613 			clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
2614 			clear_bit(HCI_CONN_AES_CCM, &conn->flags);
2615 		}
2616 	}
2617 
2618 	/* We should disregard the current RPA and generate a new one
2619 	 * whenever the encryption procedure fails.
2620 	 */
2621 	if (ev->status && conn->type == LE_LINK)
2622 		hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
2623 
2624 	clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2625 
2626 	if (ev->status && conn->state == BT_CONNECTED) {
2627 		if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
2628 			set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
2629 
2630 		hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2631 		hci_conn_drop(conn);
2632 		goto unlock;
2633 	}
2634 
2635 	/* In Secure Connections Only mode, do not allow any connections
2636 	 * that are not encrypted with AES-CCM using a P-256 authenticated
2637 	 * combination key.
2638 	 */
2639 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) &&
2640 	    (!test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
2641 	     conn->key_type != HCI_LK_AUTH_COMBINATION_P256)) {
2642 		hci_connect_cfm(conn, HCI_ERROR_AUTH_FAILURE);
2643 		hci_conn_drop(conn);
2644 		goto unlock;
2645 	}
2646 
2647 	/* Try reading the encryption key size for encrypted ACL links */
2648 	if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
2649 		struct hci_cp_read_enc_key_size cp;
2650 		struct hci_request req;
2651 
2652 		/* Only send HCI_Read_Encryption_Key_Size if the
2653 		 * controller really supports it. If it doesn't, assume
2654 		 * the default size (16).
2655 		 */
2656 		if (!(hdev->commands[20] & 0x10)) {
2657 			conn->enc_key_size = HCI_LINK_KEY_SIZE;
2658 			goto notify;
2659 		}
2660 
2661 		hci_req_init(&req, hdev);
2662 
2663 		cp.handle = cpu_to_le16(conn->handle);
2664 		hci_req_add(&req, HCI_OP_READ_ENC_KEY_SIZE, sizeof(cp), &cp);
2665 
2666 		if (hci_req_run_skb(&req, read_enc_key_size_complete)) {
2667 			bt_dev_err(hdev, "sending read key size failed");
2668 			conn->enc_key_size = HCI_LINK_KEY_SIZE;
2669 			goto notify;
2670 		}
2671 
2672 		goto unlock;
2673 	}
2674 
2675 notify:
2676 	if (conn->state == BT_CONFIG) {
2677 		if (!ev->status)
2678 			conn->state = BT_CONNECTED;
2679 
2680 		hci_connect_cfm(conn, ev->status);
2681 		hci_conn_drop(conn);
2682 	} else
2683 		hci_encrypt_cfm(conn, ev->status, ev->encrypt);
2684 
2685 unlock:
2686 	hci_dev_unlock(hdev);
2687 }
2688 
2689 static void hci_change_link_key_complete_evt(struct hci_dev *hdev,
2690 					     struct sk_buff *skb)
2691 {
2692 	struct hci_ev_change_link_key_complete *ev = (void *) skb->data;
2693 	struct hci_conn *conn;
2694 
2695 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2696 
2697 	hci_dev_lock(hdev);
2698 
2699 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2700 	if (conn) {
2701 		if (!ev->status)
2702 			set_bit(HCI_CONN_SECURE, &conn->flags);
2703 
2704 		clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2705 
2706 		hci_key_change_cfm(conn, ev->status);
2707 	}
2708 
2709 	hci_dev_unlock(hdev);
2710 }
2711 
2712 static void hci_remote_features_evt(struct hci_dev *hdev,
2713 				    struct sk_buff *skb)
2714 {
2715 	struct hci_ev_remote_features *ev = (void *) skb->data;
2716 	struct hci_conn *conn;
2717 
2718 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2719 
2720 	hci_dev_lock(hdev);
2721 
2722 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2723 	if (!conn)
2724 		goto unlock;
2725 
2726 	if (!ev->status)
2727 		memcpy(conn->features[0], ev->features, 8);
2728 
2729 	if (conn->state != BT_CONFIG)
2730 		goto unlock;
2731 
2732 	if (!ev->status && lmp_ext_feat_capable(hdev) &&
2733 	    lmp_ext_feat_capable(conn)) {
2734 		struct hci_cp_read_remote_ext_features cp;
2735 		cp.handle = ev->handle;
2736 		cp.page = 0x01;
2737 		hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
2738 			     sizeof(cp), &cp);
2739 		goto unlock;
2740 	}
2741 
2742 	if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
2743 		struct hci_cp_remote_name_req cp;
2744 		memset(&cp, 0, sizeof(cp));
2745 		bacpy(&cp.bdaddr, &conn->dst);
2746 		cp.pscan_rep_mode = 0x02;
2747 		hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2748 	} else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2749 		mgmt_device_connected(hdev, conn, 0, NULL, 0);
2750 
2751 	if (!hci_outgoing_auth_needed(hdev, conn)) {
2752 		conn->state = BT_CONNECTED;
2753 		hci_connect_cfm(conn, ev->status);
2754 		hci_conn_drop(conn);
2755 	}
2756 
2757 unlock:
2758 	hci_dev_unlock(hdev);
2759 }
2760 
2761 static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb,
2762 				 u16 *opcode, u8 *status,
2763 				 hci_req_complete_t *req_complete,
2764 				 hci_req_complete_skb_t *req_complete_skb)
2765 {
2766 	struct hci_ev_cmd_complete *ev = (void *) skb->data;
2767 
2768 	*opcode = __le16_to_cpu(ev->opcode);
2769 	*status = skb->data[sizeof(*ev)];
2770 
2771 	skb_pull(skb, sizeof(*ev));
2772 
2773 	switch (*opcode) {
2774 	case HCI_OP_INQUIRY_CANCEL:
2775 		hci_cc_inquiry_cancel(hdev, skb);
2776 		break;
2777 
2778 	case HCI_OP_PERIODIC_INQ:
2779 		hci_cc_periodic_inq(hdev, skb);
2780 		break;
2781 
2782 	case HCI_OP_EXIT_PERIODIC_INQ:
2783 		hci_cc_exit_periodic_inq(hdev, skb);
2784 		break;
2785 
2786 	case HCI_OP_REMOTE_NAME_REQ_CANCEL:
2787 		hci_cc_remote_name_req_cancel(hdev, skb);
2788 		break;
2789 
2790 	case HCI_OP_ROLE_DISCOVERY:
2791 		hci_cc_role_discovery(hdev, skb);
2792 		break;
2793 
2794 	case HCI_OP_READ_LINK_POLICY:
2795 		hci_cc_read_link_policy(hdev, skb);
2796 		break;
2797 
2798 	case HCI_OP_WRITE_LINK_POLICY:
2799 		hci_cc_write_link_policy(hdev, skb);
2800 		break;
2801 
2802 	case HCI_OP_READ_DEF_LINK_POLICY:
2803 		hci_cc_read_def_link_policy(hdev, skb);
2804 		break;
2805 
2806 	case HCI_OP_WRITE_DEF_LINK_POLICY:
2807 		hci_cc_write_def_link_policy(hdev, skb);
2808 		break;
2809 
2810 	case HCI_OP_RESET:
2811 		hci_cc_reset(hdev, skb);
2812 		break;
2813 
2814 	case HCI_OP_READ_STORED_LINK_KEY:
2815 		hci_cc_read_stored_link_key(hdev, skb);
2816 		break;
2817 
2818 	case HCI_OP_DELETE_STORED_LINK_KEY:
2819 		hci_cc_delete_stored_link_key(hdev, skb);
2820 		break;
2821 
2822 	case HCI_OP_WRITE_LOCAL_NAME:
2823 		hci_cc_write_local_name(hdev, skb);
2824 		break;
2825 
2826 	case HCI_OP_READ_LOCAL_NAME:
2827 		hci_cc_read_local_name(hdev, skb);
2828 		break;
2829 
2830 	case HCI_OP_WRITE_AUTH_ENABLE:
2831 		hci_cc_write_auth_enable(hdev, skb);
2832 		break;
2833 
2834 	case HCI_OP_WRITE_ENCRYPT_MODE:
2835 		hci_cc_write_encrypt_mode(hdev, skb);
2836 		break;
2837 
2838 	case HCI_OP_WRITE_SCAN_ENABLE:
2839 		hci_cc_write_scan_enable(hdev, skb);
2840 		break;
2841 
2842 	case HCI_OP_READ_CLASS_OF_DEV:
2843 		hci_cc_read_class_of_dev(hdev, skb);
2844 		break;
2845 
2846 	case HCI_OP_WRITE_CLASS_OF_DEV:
2847 		hci_cc_write_class_of_dev(hdev, skb);
2848 		break;
2849 
2850 	case HCI_OP_READ_VOICE_SETTING:
2851 		hci_cc_read_voice_setting(hdev, skb);
2852 		break;
2853 
2854 	case HCI_OP_WRITE_VOICE_SETTING:
2855 		hci_cc_write_voice_setting(hdev, skb);
2856 		break;
2857 
2858 	case HCI_OP_READ_NUM_SUPPORTED_IAC:
2859 		hci_cc_read_num_supported_iac(hdev, skb);
2860 		break;
2861 
2862 	case HCI_OP_WRITE_SSP_MODE:
2863 		hci_cc_write_ssp_mode(hdev, skb);
2864 		break;
2865 
2866 	case HCI_OP_WRITE_SC_SUPPORT:
2867 		hci_cc_write_sc_support(hdev, skb);
2868 		break;
2869 
2870 	case HCI_OP_READ_LOCAL_VERSION:
2871 		hci_cc_read_local_version(hdev, skb);
2872 		break;
2873 
2874 	case HCI_OP_READ_LOCAL_COMMANDS:
2875 		hci_cc_read_local_commands(hdev, skb);
2876 		break;
2877 
2878 	case HCI_OP_READ_LOCAL_FEATURES:
2879 		hci_cc_read_local_features(hdev, skb);
2880 		break;
2881 
2882 	case HCI_OP_READ_LOCAL_EXT_FEATURES:
2883 		hci_cc_read_local_ext_features(hdev, skb);
2884 		break;
2885 
2886 	case HCI_OP_READ_BUFFER_SIZE:
2887 		hci_cc_read_buffer_size(hdev, skb);
2888 		break;
2889 
2890 	case HCI_OP_READ_BD_ADDR:
2891 		hci_cc_read_bd_addr(hdev, skb);
2892 		break;
2893 
2894 	case HCI_OP_READ_PAGE_SCAN_ACTIVITY:
2895 		hci_cc_read_page_scan_activity(hdev, skb);
2896 		break;
2897 
2898 	case HCI_OP_WRITE_PAGE_SCAN_ACTIVITY:
2899 		hci_cc_write_page_scan_activity(hdev, skb);
2900 		break;
2901 
2902 	case HCI_OP_READ_PAGE_SCAN_TYPE:
2903 		hci_cc_read_page_scan_type(hdev, skb);
2904 		break;
2905 
2906 	case HCI_OP_WRITE_PAGE_SCAN_TYPE:
2907 		hci_cc_write_page_scan_type(hdev, skb);
2908 		break;
2909 
2910 	case HCI_OP_READ_DATA_BLOCK_SIZE:
2911 		hci_cc_read_data_block_size(hdev, skb);
2912 		break;
2913 
2914 	case HCI_OP_READ_FLOW_CONTROL_MODE:
2915 		hci_cc_read_flow_control_mode(hdev, skb);
2916 		break;
2917 
2918 	case HCI_OP_READ_LOCAL_AMP_INFO:
2919 		hci_cc_read_local_amp_info(hdev, skb);
2920 		break;
2921 
2922 	case HCI_OP_READ_CLOCK:
2923 		hci_cc_read_clock(hdev, skb);
2924 		break;
2925 
2926 	case HCI_OP_READ_INQ_RSP_TX_POWER:
2927 		hci_cc_read_inq_rsp_tx_power(hdev, skb);
2928 		break;
2929 
2930 	case HCI_OP_PIN_CODE_REPLY:
2931 		hci_cc_pin_code_reply(hdev, skb);
2932 		break;
2933 
2934 	case HCI_OP_PIN_CODE_NEG_REPLY:
2935 		hci_cc_pin_code_neg_reply(hdev, skb);
2936 		break;
2937 
2938 	case HCI_OP_READ_LOCAL_OOB_DATA:
2939 		hci_cc_read_local_oob_data(hdev, skb);
2940 		break;
2941 
2942 	case HCI_OP_READ_LOCAL_OOB_EXT_DATA:
2943 		hci_cc_read_local_oob_ext_data(hdev, skb);
2944 		break;
2945 
2946 	case HCI_OP_LE_READ_BUFFER_SIZE:
2947 		hci_cc_le_read_buffer_size(hdev, skb);
2948 		break;
2949 
2950 	case HCI_OP_LE_READ_LOCAL_FEATURES:
2951 		hci_cc_le_read_local_features(hdev, skb);
2952 		break;
2953 
2954 	case HCI_OP_LE_READ_ADV_TX_POWER:
2955 		hci_cc_le_read_adv_tx_power(hdev, skb);
2956 		break;
2957 
2958 	case HCI_OP_USER_CONFIRM_REPLY:
2959 		hci_cc_user_confirm_reply(hdev, skb);
2960 		break;
2961 
2962 	case HCI_OP_USER_CONFIRM_NEG_REPLY:
2963 		hci_cc_user_confirm_neg_reply(hdev, skb);
2964 		break;
2965 
2966 	case HCI_OP_USER_PASSKEY_REPLY:
2967 		hci_cc_user_passkey_reply(hdev, skb);
2968 		break;
2969 
2970 	case HCI_OP_USER_PASSKEY_NEG_REPLY:
2971 		hci_cc_user_passkey_neg_reply(hdev, skb);
2972 		break;
2973 
2974 	case HCI_OP_LE_SET_RANDOM_ADDR:
2975 		hci_cc_le_set_random_addr(hdev, skb);
2976 		break;
2977 
2978 	case HCI_OP_LE_SET_ADV_ENABLE:
2979 		hci_cc_le_set_adv_enable(hdev, skb);
2980 		break;
2981 
2982 	case HCI_OP_LE_SET_SCAN_PARAM:
2983 		hci_cc_le_set_scan_param(hdev, skb);
2984 		break;
2985 
2986 	case HCI_OP_LE_SET_SCAN_ENABLE:
2987 		hci_cc_le_set_scan_enable(hdev, skb);
2988 		break;
2989 
2990 	case HCI_OP_LE_READ_WHITE_LIST_SIZE:
2991 		hci_cc_le_read_white_list_size(hdev, skb);
2992 		break;
2993 
2994 	case HCI_OP_LE_CLEAR_WHITE_LIST:
2995 		hci_cc_le_clear_white_list(hdev, skb);
2996 		break;
2997 
2998 	case HCI_OP_LE_ADD_TO_WHITE_LIST:
2999 		hci_cc_le_add_to_white_list(hdev, skb);
3000 		break;
3001 
3002 	case HCI_OP_LE_DEL_FROM_WHITE_LIST:
3003 		hci_cc_le_del_from_white_list(hdev, skb);
3004 		break;
3005 
3006 	case HCI_OP_LE_READ_SUPPORTED_STATES:
3007 		hci_cc_le_read_supported_states(hdev, skb);
3008 		break;
3009 
3010 	case HCI_OP_LE_READ_DEF_DATA_LEN:
3011 		hci_cc_le_read_def_data_len(hdev, skb);
3012 		break;
3013 
3014 	case HCI_OP_LE_WRITE_DEF_DATA_LEN:
3015 		hci_cc_le_write_def_data_len(hdev, skb);
3016 		break;
3017 
3018 	case HCI_OP_LE_READ_MAX_DATA_LEN:
3019 		hci_cc_le_read_max_data_len(hdev, skb);
3020 		break;
3021 
3022 	case HCI_OP_WRITE_LE_HOST_SUPPORTED:
3023 		hci_cc_write_le_host_supported(hdev, skb);
3024 		break;
3025 
3026 	case HCI_OP_LE_SET_ADV_PARAM:
3027 		hci_cc_set_adv_param(hdev, skb);
3028 		break;
3029 
3030 	case HCI_OP_READ_RSSI:
3031 		hci_cc_read_rssi(hdev, skb);
3032 		break;
3033 
3034 	case HCI_OP_READ_TX_POWER:
3035 		hci_cc_read_tx_power(hdev, skb);
3036 		break;
3037 
3038 	case HCI_OP_WRITE_SSP_DEBUG_MODE:
3039 		hci_cc_write_ssp_debug_mode(hdev, skb);
3040 		break;
3041 
3042 	default:
3043 		BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3044 		break;
3045 	}
3046 
3047 	if (*opcode != HCI_OP_NOP)
3048 		cancel_delayed_work(&hdev->cmd_timer);
3049 
3050 	if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3051 		atomic_set(&hdev->cmd_cnt, 1);
3052 
3053 	hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
3054 			     req_complete_skb);
3055 
3056 	if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3057 		queue_work(hdev->workqueue, &hdev->cmd_work);
3058 }
3059 
3060 static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb,
3061 			       u16 *opcode, u8 *status,
3062 			       hci_req_complete_t *req_complete,
3063 			       hci_req_complete_skb_t *req_complete_skb)
3064 {
3065 	struct hci_ev_cmd_status *ev = (void *) skb->data;
3066 
3067 	skb_pull(skb, sizeof(*ev));
3068 
3069 	*opcode = __le16_to_cpu(ev->opcode);
3070 	*status = ev->status;
3071 
3072 	switch (*opcode) {
3073 	case HCI_OP_INQUIRY:
3074 		hci_cs_inquiry(hdev, ev->status);
3075 		break;
3076 
3077 	case HCI_OP_CREATE_CONN:
3078 		hci_cs_create_conn(hdev, ev->status);
3079 		break;
3080 
3081 	case HCI_OP_DISCONNECT:
3082 		hci_cs_disconnect(hdev, ev->status);
3083 		break;
3084 
3085 	case HCI_OP_ADD_SCO:
3086 		hci_cs_add_sco(hdev, ev->status);
3087 		break;
3088 
3089 	case HCI_OP_AUTH_REQUESTED:
3090 		hci_cs_auth_requested(hdev, ev->status);
3091 		break;
3092 
3093 	case HCI_OP_SET_CONN_ENCRYPT:
3094 		hci_cs_set_conn_encrypt(hdev, ev->status);
3095 		break;
3096 
3097 	case HCI_OP_REMOTE_NAME_REQ:
3098 		hci_cs_remote_name_req(hdev, ev->status);
3099 		break;
3100 
3101 	case HCI_OP_READ_REMOTE_FEATURES:
3102 		hci_cs_read_remote_features(hdev, ev->status);
3103 		break;
3104 
3105 	case HCI_OP_READ_REMOTE_EXT_FEATURES:
3106 		hci_cs_read_remote_ext_features(hdev, ev->status);
3107 		break;
3108 
3109 	case HCI_OP_SETUP_SYNC_CONN:
3110 		hci_cs_setup_sync_conn(hdev, ev->status);
3111 		break;
3112 
3113 	case HCI_OP_SNIFF_MODE:
3114 		hci_cs_sniff_mode(hdev, ev->status);
3115 		break;
3116 
3117 	case HCI_OP_EXIT_SNIFF_MODE:
3118 		hci_cs_exit_sniff_mode(hdev, ev->status);
3119 		break;
3120 
3121 	case HCI_OP_SWITCH_ROLE:
3122 		hci_cs_switch_role(hdev, ev->status);
3123 		break;
3124 
3125 	case HCI_OP_LE_CREATE_CONN:
3126 		hci_cs_le_create_conn(hdev, ev->status);
3127 		break;
3128 
3129 	case HCI_OP_LE_READ_REMOTE_FEATURES:
3130 		hci_cs_le_read_remote_features(hdev, ev->status);
3131 		break;
3132 
3133 	case HCI_OP_LE_START_ENC:
3134 		hci_cs_le_start_enc(hdev, ev->status);
3135 		break;
3136 
3137 	default:
3138 		BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3139 		break;
3140 	}
3141 
3142 	if (*opcode != HCI_OP_NOP)
3143 		cancel_delayed_work(&hdev->cmd_timer);
3144 
3145 	if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3146 		atomic_set(&hdev->cmd_cnt, 1);
3147 
3148 	/* Indicate request completion if the command failed. Also, if
3149 	 * we're not waiting for a special event and we get a success
3150 	 * command status we should try to flag the request as completed
3151 	 * (since for this kind of commands there will not be a command
3152 	 * complete event).
3153 	 */
3154 	if (ev->status ||
3155 	    (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->hci.req_event))
3156 		hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
3157 				     req_complete_skb);
3158 
3159 	if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3160 		queue_work(hdev->workqueue, &hdev->cmd_work);
3161 }
3162 
3163 static void hci_hardware_error_evt(struct hci_dev *hdev, struct sk_buff *skb)
3164 {
3165 	struct hci_ev_hardware_error *ev = (void *) skb->data;
3166 
3167 	hdev->hw_error_code = ev->code;
3168 
3169 	queue_work(hdev->req_workqueue, &hdev->error_reset);
3170 }
3171 
3172 static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3173 {
3174 	struct hci_ev_role_change *ev = (void *) skb->data;
3175 	struct hci_conn *conn;
3176 
3177 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3178 
3179 	hci_dev_lock(hdev);
3180 
3181 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3182 	if (conn) {
3183 		if (!ev->status)
3184 			conn->role = ev->role;
3185 
3186 		clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
3187 
3188 		hci_role_switch_cfm(conn, ev->status, ev->role);
3189 	}
3190 
3191 	hci_dev_unlock(hdev);
3192 }
3193 
3194 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb)
3195 {
3196 	struct hci_ev_num_comp_pkts *ev = (void *) skb->data;
3197 	int i;
3198 
3199 	if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
3200 		bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
3201 		return;
3202 	}
3203 
3204 	if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
3205 	    ev->num_hndl * sizeof(struct hci_comp_pkts_info)) {
3206 		BT_DBG("%s bad parameters", hdev->name);
3207 		return;
3208 	}
3209 
3210 	BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl);
3211 
3212 	for (i = 0; i < ev->num_hndl; i++) {
3213 		struct hci_comp_pkts_info *info = &ev->handles[i];
3214 		struct hci_conn *conn;
3215 		__u16  handle, count;
3216 
3217 		handle = __le16_to_cpu(info->handle);
3218 		count  = __le16_to_cpu(info->count);
3219 
3220 		conn = hci_conn_hash_lookup_handle(hdev, handle);
3221 		if (!conn)
3222 			continue;
3223 
3224 		conn->sent -= count;
3225 
3226 		switch (conn->type) {
3227 		case ACL_LINK:
3228 			hdev->acl_cnt += count;
3229 			if (hdev->acl_cnt > hdev->acl_pkts)
3230 				hdev->acl_cnt = hdev->acl_pkts;
3231 			break;
3232 
3233 		case LE_LINK:
3234 			if (hdev->le_pkts) {
3235 				hdev->le_cnt += count;
3236 				if (hdev->le_cnt > hdev->le_pkts)
3237 					hdev->le_cnt = hdev->le_pkts;
3238 			} else {
3239 				hdev->acl_cnt += count;
3240 				if (hdev->acl_cnt > hdev->acl_pkts)
3241 					hdev->acl_cnt = hdev->acl_pkts;
3242 			}
3243 			break;
3244 
3245 		case SCO_LINK:
3246 			hdev->sco_cnt += count;
3247 			if (hdev->sco_cnt > hdev->sco_pkts)
3248 				hdev->sco_cnt = hdev->sco_pkts;
3249 			break;
3250 
3251 		default:
3252 			bt_dev_err(hdev, "unknown type %d conn %p",
3253 				   conn->type, conn);
3254 			break;
3255 		}
3256 	}
3257 
3258 	queue_work(hdev->workqueue, &hdev->tx_work);
3259 }
3260 
3261 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
3262 						 __u16 handle)
3263 {
3264 	struct hci_chan *chan;
3265 
3266 	switch (hdev->dev_type) {
3267 	case HCI_PRIMARY:
3268 		return hci_conn_hash_lookup_handle(hdev, handle);
3269 	case HCI_AMP:
3270 		chan = hci_chan_lookup_handle(hdev, handle);
3271 		if (chan)
3272 			return chan->conn;
3273 		break;
3274 	default:
3275 		bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type);
3276 		break;
3277 	}
3278 
3279 	return NULL;
3280 }
3281 
3282 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb)
3283 {
3284 	struct hci_ev_num_comp_blocks *ev = (void *) skb->data;
3285 	int i;
3286 
3287 	if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
3288 		bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
3289 		return;
3290 	}
3291 
3292 	if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
3293 	    ev->num_hndl * sizeof(struct hci_comp_blocks_info)) {
3294 		BT_DBG("%s bad parameters", hdev->name);
3295 		return;
3296 	}
3297 
3298 	BT_DBG("%s num_blocks %d num_hndl %d", hdev->name, ev->num_blocks,
3299 	       ev->num_hndl);
3300 
3301 	for (i = 0; i < ev->num_hndl; i++) {
3302 		struct hci_comp_blocks_info *info = &ev->handles[i];
3303 		struct hci_conn *conn = NULL;
3304 		__u16  handle, block_count;
3305 
3306 		handle = __le16_to_cpu(info->handle);
3307 		block_count = __le16_to_cpu(info->blocks);
3308 
3309 		conn = __hci_conn_lookup_handle(hdev, handle);
3310 		if (!conn)
3311 			continue;
3312 
3313 		conn->sent -= block_count;
3314 
3315 		switch (conn->type) {
3316 		case ACL_LINK:
3317 		case AMP_LINK:
3318 			hdev->block_cnt += block_count;
3319 			if (hdev->block_cnt > hdev->num_blocks)
3320 				hdev->block_cnt = hdev->num_blocks;
3321 			break;
3322 
3323 		default:
3324 			bt_dev_err(hdev, "unknown type %d conn %p",
3325 				   conn->type, conn);
3326 			break;
3327 		}
3328 	}
3329 
3330 	queue_work(hdev->workqueue, &hdev->tx_work);
3331 }
3332 
3333 static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3334 {
3335 	struct hci_ev_mode_change *ev = (void *) skb->data;
3336 	struct hci_conn *conn;
3337 
3338 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3339 
3340 	hci_dev_lock(hdev);
3341 
3342 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3343 	if (conn) {
3344 		conn->mode = ev->mode;
3345 
3346 		if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
3347 					&conn->flags)) {
3348 			if (conn->mode == HCI_CM_ACTIVE)
3349 				set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3350 			else
3351 				clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3352 		}
3353 
3354 		if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
3355 			hci_sco_setup(conn, ev->status);
3356 	}
3357 
3358 	hci_dev_unlock(hdev);
3359 }
3360 
3361 static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3362 {
3363 	struct hci_ev_pin_code_req *ev = (void *) skb->data;
3364 	struct hci_conn *conn;
3365 
3366 	BT_DBG("%s", hdev->name);
3367 
3368 	hci_dev_lock(hdev);
3369 
3370 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3371 	if (!conn)
3372 		goto unlock;
3373 
3374 	if (conn->state == BT_CONNECTED) {
3375 		hci_conn_hold(conn);
3376 		conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3377 		hci_conn_drop(conn);
3378 	}
3379 
3380 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
3381 	    !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
3382 		hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
3383 			     sizeof(ev->bdaddr), &ev->bdaddr);
3384 	} else if (hci_dev_test_flag(hdev, HCI_MGMT)) {
3385 		u8 secure;
3386 
3387 		if (conn->pending_sec_level == BT_SECURITY_HIGH)
3388 			secure = 1;
3389 		else
3390 			secure = 0;
3391 
3392 		mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
3393 	}
3394 
3395 unlock:
3396 	hci_dev_unlock(hdev);
3397 }
3398 
3399 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
3400 {
3401 	if (key_type == HCI_LK_CHANGED_COMBINATION)
3402 		return;
3403 
3404 	conn->pin_length = pin_len;
3405 	conn->key_type = key_type;
3406 
3407 	switch (key_type) {
3408 	case HCI_LK_LOCAL_UNIT:
3409 	case HCI_LK_REMOTE_UNIT:
3410 	case HCI_LK_DEBUG_COMBINATION:
3411 		return;
3412 	case HCI_LK_COMBINATION:
3413 		if (pin_len == 16)
3414 			conn->pending_sec_level = BT_SECURITY_HIGH;
3415 		else
3416 			conn->pending_sec_level = BT_SECURITY_MEDIUM;
3417 		break;
3418 	case HCI_LK_UNAUTH_COMBINATION_P192:
3419 	case HCI_LK_UNAUTH_COMBINATION_P256:
3420 		conn->pending_sec_level = BT_SECURITY_MEDIUM;
3421 		break;
3422 	case HCI_LK_AUTH_COMBINATION_P192:
3423 		conn->pending_sec_level = BT_SECURITY_HIGH;
3424 		break;
3425 	case HCI_LK_AUTH_COMBINATION_P256:
3426 		conn->pending_sec_level = BT_SECURITY_FIPS;
3427 		break;
3428 	}
3429 }
3430 
3431 static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3432 {
3433 	struct hci_ev_link_key_req *ev = (void *) skb->data;
3434 	struct hci_cp_link_key_reply cp;
3435 	struct hci_conn *conn;
3436 	struct link_key *key;
3437 
3438 	BT_DBG("%s", hdev->name);
3439 
3440 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
3441 		return;
3442 
3443 	hci_dev_lock(hdev);
3444 
3445 	key = hci_find_link_key(hdev, &ev->bdaddr);
3446 	if (!key) {
3447 		BT_DBG("%s link key not found for %pMR", hdev->name,
3448 		       &ev->bdaddr);
3449 		goto not_found;
3450 	}
3451 
3452 	BT_DBG("%s found key type %u for %pMR", hdev->name, key->type,
3453 	       &ev->bdaddr);
3454 
3455 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3456 	if (conn) {
3457 		clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3458 
3459 		if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
3460 		     key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
3461 		    conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
3462 			BT_DBG("%s ignoring unauthenticated key", hdev->name);
3463 			goto not_found;
3464 		}
3465 
3466 		if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
3467 		    (conn->pending_sec_level == BT_SECURITY_HIGH ||
3468 		     conn->pending_sec_level == BT_SECURITY_FIPS)) {
3469 			BT_DBG("%s ignoring key unauthenticated for high security",
3470 			       hdev->name);
3471 			goto not_found;
3472 		}
3473 
3474 		conn_set_key(conn, key->type, key->pin_len);
3475 	}
3476 
3477 	bacpy(&cp.bdaddr, &ev->bdaddr);
3478 	memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
3479 
3480 	hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
3481 
3482 	hci_dev_unlock(hdev);
3483 
3484 	return;
3485 
3486 not_found:
3487 	hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
3488 	hci_dev_unlock(hdev);
3489 }
3490 
3491 static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
3492 {
3493 	struct hci_ev_link_key_notify *ev = (void *) skb->data;
3494 	struct hci_conn *conn;
3495 	struct link_key *key;
3496 	bool persistent;
3497 	u8 pin_len = 0;
3498 
3499 	BT_DBG("%s", hdev->name);
3500 
3501 	hci_dev_lock(hdev);
3502 
3503 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3504 	if (!conn)
3505 		goto unlock;
3506 
3507 	hci_conn_hold(conn);
3508 	conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3509 	hci_conn_drop(conn);
3510 
3511 	set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3512 	conn_set_key(conn, ev->key_type, conn->pin_length);
3513 
3514 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
3515 		goto unlock;
3516 
3517 	key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
3518 			        ev->key_type, pin_len, &persistent);
3519 	if (!key)
3520 		goto unlock;
3521 
3522 	/* Update connection information since adding the key will have
3523 	 * fixed up the type in the case of changed combination keys.
3524 	 */
3525 	if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
3526 		conn_set_key(conn, key->type, key->pin_len);
3527 
3528 	mgmt_new_link_key(hdev, key, persistent);
3529 
3530 	/* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
3531 	 * is set. If it's not set simply remove the key from the kernel
3532 	 * list (we've still notified user space about it but with
3533 	 * store_hint being 0).
3534 	 */
3535 	if (key->type == HCI_LK_DEBUG_COMBINATION &&
3536 	    !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {
3537 		list_del_rcu(&key->list);
3538 		kfree_rcu(key, rcu);
3539 		goto unlock;
3540 	}
3541 
3542 	if (persistent)
3543 		clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3544 	else
3545 		set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3546 
3547 unlock:
3548 	hci_dev_unlock(hdev);
3549 }
3550 
3551 static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb)
3552 {
3553 	struct hci_ev_clock_offset *ev = (void *) skb->data;
3554 	struct hci_conn *conn;
3555 
3556 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3557 
3558 	hci_dev_lock(hdev);
3559 
3560 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3561 	if (conn && !ev->status) {
3562 		struct inquiry_entry *ie;
3563 
3564 		ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
3565 		if (ie) {
3566 			ie->data.clock_offset = ev->clock_offset;
3567 			ie->timestamp = jiffies;
3568 		}
3569 	}
3570 
3571 	hci_dev_unlock(hdev);
3572 }
3573 
3574 static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3575 {
3576 	struct hci_ev_pkt_type_change *ev = (void *) skb->data;
3577 	struct hci_conn *conn;
3578 
3579 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3580 
3581 	hci_dev_lock(hdev);
3582 
3583 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3584 	if (conn && !ev->status)
3585 		conn->pkt_type = __le16_to_cpu(ev->pkt_type);
3586 
3587 	hci_dev_unlock(hdev);
3588 }
3589 
3590 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb)
3591 {
3592 	struct hci_ev_pscan_rep_mode *ev = (void *) skb->data;
3593 	struct inquiry_entry *ie;
3594 
3595 	BT_DBG("%s", hdev->name);
3596 
3597 	hci_dev_lock(hdev);
3598 
3599 	ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3600 	if (ie) {
3601 		ie->data.pscan_rep_mode = ev->pscan_rep_mode;
3602 		ie->timestamp = jiffies;
3603 	}
3604 
3605 	hci_dev_unlock(hdev);
3606 }
3607 
3608 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev,
3609 					     struct sk_buff *skb)
3610 {
3611 	struct inquiry_data data;
3612 	int num_rsp = *((__u8 *) skb->data);
3613 
3614 	BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
3615 
3616 	if (!num_rsp)
3617 		return;
3618 
3619 	if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3620 		return;
3621 
3622 	hci_dev_lock(hdev);
3623 
3624 	if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
3625 		struct inquiry_info_with_rssi_and_pscan_mode *info;
3626 		info = (void *) (skb->data + 1);
3627 
3628 		for (; num_rsp; num_rsp--, info++) {
3629 			u32 flags;
3630 
3631 			bacpy(&data.bdaddr, &info->bdaddr);
3632 			data.pscan_rep_mode	= info->pscan_rep_mode;
3633 			data.pscan_period_mode	= info->pscan_period_mode;
3634 			data.pscan_mode		= info->pscan_mode;
3635 			memcpy(data.dev_class, info->dev_class, 3);
3636 			data.clock_offset	= info->clock_offset;
3637 			data.rssi		= info->rssi;
3638 			data.ssp_mode		= 0x00;
3639 
3640 			flags = hci_inquiry_cache_update(hdev, &data, false);
3641 
3642 			mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3643 					  info->dev_class, info->rssi,
3644 					  flags, NULL, 0, NULL, 0);
3645 		}
3646 	} else {
3647 		struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
3648 
3649 		for (; num_rsp; num_rsp--, info++) {
3650 			u32 flags;
3651 
3652 			bacpy(&data.bdaddr, &info->bdaddr);
3653 			data.pscan_rep_mode	= info->pscan_rep_mode;
3654 			data.pscan_period_mode	= info->pscan_period_mode;
3655 			data.pscan_mode		= 0x00;
3656 			memcpy(data.dev_class, info->dev_class, 3);
3657 			data.clock_offset	= info->clock_offset;
3658 			data.rssi		= info->rssi;
3659 			data.ssp_mode		= 0x00;
3660 
3661 			flags = hci_inquiry_cache_update(hdev, &data, false);
3662 
3663 			mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3664 					  info->dev_class, info->rssi,
3665 					  flags, NULL, 0, NULL, 0);
3666 		}
3667 	}
3668 
3669 	hci_dev_unlock(hdev);
3670 }
3671 
3672 static void hci_remote_ext_features_evt(struct hci_dev *hdev,
3673 					struct sk_buff *skb)
3674 {
3675 	struct hci_ev_remote_ext_features *ev = (void *) skb->data;
3676 	struct hci_conn *conn;
3677 
3678 	BT_DBG("%s", hdev->name);
3679 
3680 	hci_dev_lock(hdev);
3681 
3682 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3683 	if (!conn)
3684 		goto unlock;
3685 
3686 	if (ev->page < HCI_MAX_PAGES)
3687 		memcpy(conn->features[ev->page], ev->features, 8);
3688 
3689 	if (!ev->status && ev->page == 0x01) {
3690 		struct inquiry_entry *ie;
3691 
3692 		ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
3693 		if (ie)
3694 			ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
3695 
3696 		if (ev->features[0] & LMP_HOST_SSP) {
3697 			set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
3698 		} else {
3699 			/* It is mandatory by the Bluetooth specification that
3700 			 * Extended Inquiry Results are only used when Secure
3701 			 * Simple Pairing is enabled, but some devices violate
3702 			 * this.
3703 			 *
3704 			 * To make these devices work, the internal SSP
3705 			 * enabled flag needs to be cleared if the remote host
3706 			 * features do not indicate SSP support */
3707 			clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
3708 		}
3709 
3710 		if (ev->features[0] & LMP_HOST_SC)
3711 			set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
3712 	}
3713 
3714 	if (conn->state != BT_CONFIG)
3715 		goto unlock;
3716 
3717 	if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3718 		struct hci_cp_remote_name_req cp;
3719 		memset(&cp, 0, sizeof(cp));
3720 		bacpy(&cp.bdaddr, &conn->dst);
3721 		cp.pscan_rep_mode = 0x02;
3722 		hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3723 	} else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3724 		mgmt_device_connected(hdev, conn, 0, NULL, 0);
3725 
3726 	if (!hci_outgoing_auth_needed(hdev, conn)) {
3727 		conn->state = BT_CONNECTED;
3728 		hci_connect_cfm(conn, ev->status);
3729 		hci_conn_drop(conn);
3730 	}
3731 
3732 unlock:
3733 	hci_dev_unlock(hdev);
3734 }
3735 
3736 static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
3737 				       struct sk_buff *skb)
3738 {
3739 	struct hci_ev_sync_conn_complete *ev = (void *) skb->data;
3740 	struct hci_conn *conn;
3741 
3742 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3743 
3744 	hci_dev_lock(hdev);
3745 
3746 	conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
3747 	if (!conn) {
3748 		if (ev->link_type == ESCO_LINK)
3749 			goto unlock;
3750 
3751 		/* When the link type in the event indicates SCO connection
3752 		 * and lookup of the connection object fails, then check
3753 		 * if an eSCO connection object exists.
3754 		 *
3755 		 * The core limits the synchronous connections to either
3756 		 * SCO or eSCO. The eSCO connection is preferred and tried
3757 		 * to be setup first and until successfully established,
3758 		 * the link type will be hinted as eSCO.
3759 		 */
3760 		conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
3761 		if (!conn)
3762 			goto unlock;
3763 	}
3764 
3765 	switch (ev->status) {
3766 	case 0x00:
3767 		conn->handle = __le16_to_cpu(ev->handle);
3768 		conn->state  = BT_CONNECTED;
3769 		conn->type   = ev->link_type;
3770 
3771 		hci_debugfs_create_conn(conn);
3772 		hci_conn_add_sysfs(conn);
3773 		break;
3774 
3775 	case 0x10:	/* Connection Accept Timeout */
3776 	case 0x0d:	/* Connection Rejected due to Limited Resources */
3777 	case 0x11:	/* Unsupported Feature or Parameter Value */
3778 	case 0x1c:	/* SCO interval rejected */
3779 	case 0x1a:	/* Unsupported Remote Feature */
3780 	case 0x1f:	/* Unspecified error */
3781 	case 0x20:	/* Unsupported LMP Parameter value */
3782 		if (conn->out) {
3783 			conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
3784 					(hdev->esco_type & EDR_ESCO_MASK);
3785 			if (hci_setup_sync(conn, conn->link->handle))
3786 				goto unlock;
3787 		}
3788 		/* fall through */
3789 
3790 	default:
3791 		conn->state = BT_CLOSED;
3792 		break;
3793 	}
3794 
3795 	hci_connect_cfm(conn, ev->status);
3796 	if (ev->status)
3797 		hci_conn_del(conn);
3798 
3799 unlock:
3800 	hci_dev_unlock(hdev);
3801 }
3802 
3803 static inline size_t eir_get_length(u8 *eir, size_t eir_len)
3804 {
3805 	size_t parsed = 0;
3806 
3807 	while (parsed < eir_len) {
3808 		u8 field_len = eir[0];
3809 
3810 		if (field_len == 0)
3811 			return parsed;
3812 
3813 		parsed += field_len + 1;
3814 		eir += field_len + 1;
3815 	}
3816 
3817 	return eir_len;
3818 }
3819 
3820 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev,
3821 					    struct sk_buff *skb)
3822 {
3823 	struct inquiry_data data;
3824 	struct extended_inquiry_info *info = (void *) (skb->data + 1);
3825 	int num_rsp = *((__u8 *) skb->data);
3826 	size_t eir_len;
3827 
3828 	BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
3829 
3830 	if (!num_rsp)
3831 		return;
3832 
3833 	if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3834 		return;
3835 
3836 	hci_dev_lock(hdev);
3837 
3838 	for (; num_rsp; num_rsp--, info++) {
3839 		u32 flags;
3840 		bool name_known;
3841 
3842 		bacpy(&data.bdaddr, &info->bdaddr);
3843 		data.pscan_rep_mode	= info->pscan_rep_mode;
3844 		data.pscan_period_mode	= info->pscan_period_mode;
3845 		data.pscan_mode		= 0x00;
3846 		memcpy(data.dev_class, info->dev_class, 3);
3847 		data.clock_offset	= info->clock_offset;
3848 		data.rssi		= info->rssi;
3849 		data.ssp_mode		= 0x01;
3850 
3851 		if (hci_dev_test_flag(hdev, HCI_MGMT))
3852 			name_known = eir_get_data(info->data,
3853 						  sizeof(info->data),
3854 						  EIR_NAME_COMPLETE, NULL);
3855 		else
3856 			name_known = true;
3857 
3858 		flags = hci_inquiry_cache_update(hdev, &data, name_known);
3859 
3860 		eir_len = eir_get_length(info->data, sizeof(info->data));
3861 
3862 		mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3863 				  info->dev_class, info->rssi,
3864 				  flags, info->data, eir_len, NULL, 0);
3865 	}
3866 
3867 	hci_dev_unlock(hdev);
3868 }
3869 
3870 static void hci_key_refresh_complete_evt(struct hci_dev *hdev,
3871 					 struct sk_buff *skb)
3872 {
3873 	struct hci_ev_key_refresh_complete *ev = (void *) skb->data;
3874 	struct hci_conn *conn;
3875 
3876 	BT_DBG("%s status 0x%2.2x handle 0x%4.4x", hdev->name, ev->status,
3877 	       __le16_to_cpu(ev->handle));
3878 
3879 	hci_dev_lock(hdev);
3880 
3881 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3882 	if (!conn)
3883 		goto unlock;
3884 
3885 	/* For BR/EDR the necessary steps are taken through the
3886 	 * auth_complete event.
3887 	 */
3888 	if (conn->type != LE_LINK)
3889 		goto unlock;
3890 
3891 	if (!ev->status)
3892 		conn->sec_level = conn->pending_sec_level;
3893 
3894 	clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3895 
3896 	if (ev->status && conn->state == BT_CONNECTED) {
3897 		hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3898 		hci_conn_drop(conn);
3899 		goto unlock;
3900 	}
3901 
3902 	if (conn->state == BT_CONFIG) {
3903 		if (!ev->status)
3904 			conn->state = BT_CONNECTED;
3905 
3906 		hci_connect_cfm(conn, ev->status);
3907 		hci_conn_drop(conn);
3908 	} else {
3909 		hci_auth_cfm(conn, ev->status);
3910 
3911 		hci_conn_hold(conn);
3912 		conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3913 		hci_conn_drop(conn);
3914 	}
3915 
3916 unlock:
3917 	hci_dev_unlock(hdev);
3918 }
3919 
3920 static u8 hci_get_auth_req(struct hci_conn *conn)
3921 {
3922 	/* If remote requests no-bonding follow that lead */
3923 	if (conn->remote_auth == HCI_AT_NO_BONDING ||
3924 	    conn->remote_auth == HCI_AT_NO_BONDING_MITM)
3925 		return conn->remote_auth | (conn->auth_type & 0x01);
3926 
3927 	/* If both remote and local have enough IO capabilities, require
3928 	 * MITM protection
3929 	 */
3930 	if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
3931 	    conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
3932 		return conn->remote_auth | 0x01;
3933 
3934 	/* No MITM protection possible so ignore remote requirement */
3935 	return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
3936 }
3937 
3938 static u8 bredr_oob_data_present(struct hci_conn *conn)
3939 {
3940 	struct hci_dev *hdev = conn->hdev;
3941 	struct oob_data *data;
3942 
3943 	data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
3944 	if (!data)
3945 		return 0x00;
3946 
3947 	if (bredr_sc_enabled(hdev)) {
3948 		/* When Secure Connections is enabled, then just
3949 		 * return the present value stored with the OOB
3950 		 * data. The stored value contains the right present
3951 		 * information. However it can only be trusted when
3952 		 * not in Secure Connection Only mode.
3953 		 */
3954 		if (!hci_dev_test_flag(hdev, HCI_SC_ONLY))
3955 			return data->present;
3956 
3957 		/* When Secure Connections Only mode is enabled, then
3958 		 * the P-256 values are required. If they are not
3959 		 * available, then do not declare that OOB data is
3960 		 * present.
3961 		 */
3962 		if (!memcmp(data->rand256, ZERO_KEY, 16) ||
3963 		    !memcmp(data->hash256, ZERO_KEY, 16))
3964 			return 0x00;
3965 
3966 		return 0x02;
3967 	}
3968 
3969 	/* When Secure Connections is not enabled or actually
3970 	 * not supported by the hardware, then check that if
3971 	 * P-192 data values are present.
3972 	 */
3973 	if (!memcmp(data->rand192, ZERO_KEY, 16) ||
3974 	    !memcmp(data->hash192, ZERO_KEY, 16))
3975 		return 0x00;
3976 
3977 	return 0x01;
3978 }
3979 
3980 static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3981 {
3982 	struct hci_ev_io_capa_request *ev = (void *) skb->data;
3983 	struct hci_conn *conn;
3984 
3985 	BT_DBG("%s", hdev->name);
3986 
3987 	hci_dev_lock(hdev);
3988 
3989 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3990 	if (!conn)
3991 		goto unlock;
3992 
3993 	hci_conn_hold(conn);
3994 
3995 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
3996 		goto unlock;
3997 
3998 	/* Allow pairing if we're pairable, the initiators of the
3999 	 * pairing or if the remote is not requesting bonding.
4000 	 */
4001 	if (hci_dev_test_flag(hdev, HCI_BONDABLE) ||
4002 	    test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
4003 	    (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
4004 		struct hci_cp_io_capability_reply cp;
4005 
4006 		bacpy(&cp.bdaddr, &ev->bdaddr);
4007 		/* Change the IO capability from KeyboardDisplay
4008 		 * to DisplayYesNo as it is not supported by BT spec. */
4009 		cp.capability = (conn->io_capability == 0x04) ?
4010 				HCI_IO_DISPLAY_YESNO : conn->io_capability;
4011 
4012 		/* If we are initiators, there is no remote information yet */
4013 		if (conn->remote_auth == 0xff) {
4014 			/* Request MITM protection if our IO caps allow it
4015 			 * except for the no-bonding case.
4016 			 */
4017 			if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4018 			    conn->auth_type != HCI_AT_NO_BONDING)
4019 				conn->auth_type |= 0x01;
4020 		} else {
4021 			conn->auth_type = hci_get_auth_req(conn);
4022 		}
4023 
4024 		/* If we're not bondable, force one of the non-bondable
4025 		 * authentication requirement values.
4026 		 */
4027 		if (!hci_dev_test_flag(hdev, HCI_BONDABLE))
4028 			conn->auth_type &= HCI_AT_NO_BONDING_MITM;
4029 
4030 		cp.authentication = conn->auth_type;
4031 		cp.oob_data = bredr_oob_data_present(conn);
4032 
4033 		hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
4034 			     sizeof(cp), &cp);
4035 	} else {
4036 		struct hci_cp_io_capability_neg_reply cp;
4037 
4038 		bacpy(&cp.bdaddr, &ev->bdaddr);
4039 		cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
4040 
4041 		hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
4042 			     sizeof(cp), &cp);
4043 	}
4044 
4045 unlock:
4046 	hci_dev_unlock(hdev);
4047 }
4048 
4049 static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb)
4050 {
4051 	struct hci_ev_io_capa_reply *ev = (void *) skb->data;
4052 	struct hci_conn *conn;
4053 
4054 	BT_DBG("%s", hdev->name);
4055 
4056 	hci_dev_lock(hdev);
4057 
4058 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4059 	if (!conn)
4060 		goto unlock;
4061 
4062 	conn->remote_cap = ev->capability;
4063 	conn->remote_auth = ev->authentication;
4064 
4065 unlock:
4066 	hci_dev_unlock(hdev);
4067 }
4068 
4069 static void hci_user_confirm_request_evt(struct hci_dev *hdev,
4070 					 struct sk_buff *skb)
4071 {
4072 	struct hci_ev_user_confirm_req *ev = (void *) skb->data;
4073 	int loc_mitm, rem_mitm, confirm_hint = 0;
4074 	struct hci_conn *conn;
4075 
4076 	BT_DBG("%s", hdev->name);
4077 
4078 	hci_dev_lock(hdev);
4079 
4080 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
4081 		goto unlock;
4082 
4083 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4084 	if (!conn)
4085 		goto unlock;
4086 
4087 	loc_mitm = (conn->auth_type & 0x01);
4088 	rem_mitm = (conn->remote_auth & 0x01);
4089 
4090 	/* If we require MITM but the remote device can't provide that
4091 	 * (it has NoInputNoOutput) then reject the confirmation
4092 	 * request. We check the security level here since it doesn't
4093 	 * necessarily match conn->auth_type.
4094 	 */
4095 	if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
4096 	    conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
4097 		BT_DBG("Rejecting request: remote device can't provide MITM");
4098 		hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
4099 			     sizeof(ev->bdaddr), &ev->bdaddr);
4100 		goto unlock;
4101 	}
4102 
4103 	/* If no side requires MITM protection; auto-accept */
4104 	if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
4105 	    (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
4106 
4107 		/* If we're not the initiators request authorization to
4108 		 * proceed from user space (mgmt_user_confirm with
4109 		 * confirm_hint set to 1). The exception is if neither
4110 		 * side had MITM or if the local IO capability is
4111 		 * NoInputNoOutput, in which case we do auto-accept
4112 		 */
4113 		if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
4114 		    conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4115 		    (loc_mitm || rem_mitm)) {
4116 			BT_DBG("Confirming auto-accept as acceptor");
4117 			confirm_hint = 1;
4118 			goto confirm;
4119 		}
4120 
4121 		BT_DBG("Auto-accept of user confirmation with %ums delay",
4122 		       hdev->auto_accept_delay);
4123 
4124 		if (hdev->auto_accept_delay > 0) {
4125 			int delay = msecs_to_jiffies(hdev->auto_accept_delay);
4126 			queue_delayed_work(conn->hdev->workqueue,
4127 					   &conn->auto_accept_work, delay);
4128 			goto unlock;
4129 		}
4130 
4131 		hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
4132 			     sizeof(ev->bdaddr), &ev->bdaddr);
4133 		goto unlock;
4134 	}
4135 
4136 confirm:
4137 	mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
4138 				  le32_to_cpu(ev->passkey), confirm_hint);
4139 
4140 unlock:
4141 	hci_dev_unlock(hdev);
4142 }
4143 
4144 static void hci_user_passkey_request_evt(struct hci_dev *hdev,
4145 					 struct sk_buff *skb)
4146 {
4147 	struct hci_ev_user_passkey_req *ev = (void *) skb->data;
4148 
4149 	BT_DBG("%s", hdev->name);
4150 
4151 	if (hci_dev_test_flag(hdev, HCI_MGMT))
4152 		mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
4153 }
4154 
4155 static void hci_user_passkey_notify_evt(struct hci_dev *hdev,
4156 					struct sk_buff *skb)
4157 {
4158 	struct hci_ev_user_passkey_notify *ev = (void *) skb->data;
4159 	struct hci_conn *conn;
4160 
4161 	BT_DBG("%s", hdev->name);
4162 
4163 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4164 	if (!conn)
4165 		return;
4166 
4167 	conn->passkey_notify = __le32_to_cpu(ev->passkey);
4168 	conn->passkey_entered = 0;
4169 
4170 	if (hci_dev_test_flag(hdev, HCI_MGMT))
4171 		mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4172 					 conn->dst_type, conn->passkey_notify,
4173 					 conn->passkey_entered);
4174 }
4175 
4176 static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
4177 {
4178 	struct hci_ev_keypress_notify *ev = (void *) skb->data;
4179 	struct hci_conn *conn;
4180 
4181 	BT_DBG("%s", hdev->name);
4182 
4183 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4184 	if (!conn)
4185 		return;
4186 
4187 	switch (ev->type) {
4188 	case HCI_KEYPRESS_STARTED:
4189 		conn->passkey_entered = 0;
4190 		return;
4191 
4192 	case HCI_KEYPRESS_ENTERED:
4193 		conn->passkey_entered++;
4194 		break;
4195 
4196 	case HCI_KEYPRESS_ERASED:
4197 		conn->passkey_entered--;
4198 		break;
4199 
4200 	case HCI_KEYPRESS_CLEARED:
4201 		conn->passkey_entered = 0;
4202 		break;
4203 
4204 	case HCI_KEYPRESS_COMPLETED:
4205 		return;
4206 	}
4207 
4208 	if (hci_dev_test_flag(hdev, HCI_MGMT))
4209 		mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4210 					 conn->dst_type, conn->passkey_notify,
4211 					 conn->passkey_entered);
4212 }
4213 
4214 static void hci_simple_pair_complete_evt(struct hci_dev *hdev,
4215 					 struct sk_buff *skb)
4216 {
4217 	struct hci_ev_simple_pair_complete *ev = (void *) skb->data;
4218 	struct hci_conn *conn;
4219 
4220 	BT_DBG("%s", hdev->name);
4221 
4222 	hci_dev_lock(hdev);
4223 
4224 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4225 	if (!conn)
4226 		goto unlock;
4227 
4228 	/* Reset the authentication requirement to unknown */
4229 	conn->remote_auth = 0xff;
4230 
4231 	/* To avoid duplicate auth_failed events to user space we check
4232 	 * the HCI_CONN_AUTH_PEND flag which will be set if we
4233 	 * initiated the authentication. A traditional auth_complete
4234 	 * event gets always produced as initiator and is also mapped to
4235 	 * the mgmt_auth_failed event */
4236 	if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
4237 		mgmt_auth_failed(conn, ev->status);
4238 
4239 	hci_conn_drop(conn);
4240 
4241 unlock:
4242 	hci_dev_unlock(hdev);
4243 }
4244 
4245 static void hci_remote_host_features_evt(struct hci_dev *hdev,
4246 					 struct sk_buff *skb)
4247 {
4248 	struct hci_ev_remote_host_features *ev = (void *) skb->data;
4249 	struct inquiry_entry *ie;
4250 	struct hci_conn *conn;
4251 
4252 	BT_DBG("%s", hdev->name);
4253 
4254 	hci_dev_lock(hdev);
4255 
4256 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4257 	if (conn)
4258 		memcpy(conn->features[1], ev->features, 8);
4259 
4260 	ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4261 	if (ie)
4262 		ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4263 
4264 	hci_dev_unlock(hdev);
4265 }
4266 
4267 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
4268 					    struct sk_buff *skb)
4269 {
4270 	struct hci_ev_remote_oob_data_request *ev = (void *) skb->data;
4271 	struct oob_data *data;
4272 
4273 	BT_DBG("%s", hdev->name);
4274 
4275 	hci_dev_lock(hdev);
4276 
4277 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
4278 		goto unlock;
4279 
4280 	data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
4281 	if (!data) {
4282 		struct hci_cp_remote_oob_data_neg_reply cp;
4283 
4284 		bacpy(&cp.bdaddr, &ev->bdaddr);
4285 		hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
4286 			     sizeof(cp), &cp);
4287 		goto unlock;
4288 	}
4289 
4290 	if (bredr_sc_enabled(hdev)) {
4291 		struct hci_cp_remote_oob_ext_data_reply cp;
4292 
4293 		bacpy(&cp.bdaddr, &ev->bdaddr);
4294 		if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
4295 			memset(cp.hash192, 0, sizeof(cp.hash192));
4296 			memset(cp.rand192, 0, sizeof(cp.rand192));
4297 		} else {
4298 			memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
4299 			memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
4300 		}
4301 		memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
4302 		memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
4303 
4304 		hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
4305 			     sizeof(cp), &cp);
4306 	} else {
4307 		struct hci_cp_remote_oob_data_reply cp;
4308 
4309 		bacpy(&cp.bdaddr, &ev->bdaddr);
4310 		memcpy(cp.hash, data->hash192, sizeof(cp.hash));
4311 		memcpy(cp.rand, data->rand192, sizeof(cp.rand));
4312 
4313 		hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
4314 			     sizeof(cp), &cp);
4315 	}
4316 
4317 unlock:
4318 	hci_dev_unlock(hdev);
4319 }
4320 
4321 #if IS_ENABLED(CONFIG_BT_HS)
4322 static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb)
4323 {
4324 	struct hci_ev_channel_selected *ev = (void *)skb->data;
4325 	struct hci_conn *hcon;
4326 
4327 	BT_DBG("%s handle 0x%2.2x", hdev->name, ev->phy_handle);
4328 
4329 	skb_pull(skb, sizeof(*ev));
4330 
4331 	hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4332 	if (!hcon)
4333 		return;
4334 
4335 	amp_read_loc_assoc_final_data(hdev, hcon);
4336 }
4337 
4338 static void hci_phy_link_complete_evt(struct hci_dev *hdev,
4339 				      struct sk_buff *skb)
4340 {
4341 	struct hci_ev_phy_link_complete *ev = (void *) skb->data;
4342 	struct hci_conn *hcon, *bredr_hcon;
4343 
4344 	BT_DBG("%s handle 0x%2.2x status 0x%2.2x", hdev->name, ev->phy_handle,
4345 	       ev->status);
4346 
4347 	hci_dev_lock(hdev);
4348 
4349 	hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4350 	if (!hcon) {
4351 		hci_dev_unlock(hdev);
4352 		return;
4353 	}
4354 
4355 	if (ev->status) {
4356 		hci_conn_del(hcon);
4357 		hci_dev_unlock(hdev);
4358 		return;
4359 	}
4360 
4361 	bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
4362 
4363 	hcon->state = BT_CONNECTED;
4364 	bacpy(&hcon->dst, &bredr_hcon->dst);
4365 
4366 	hci_conn_hold(hcon);
4367 	hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
4368 	hci_conn_drop(hcon);
4369 
4370 	hci_debugfs_create_conn(hcon);
4371 	hci_conn_add_sysfs(hcon);
4372 
4373 	amp_physical_cfm(bredr_hcon, hcon);
4374 
4375 	hci_dev_unlock(hdev);
4376 }
4377 
4378 static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4379 {
4380 	struct hci_ev_logical_link_complete *ev = (void *) skb->data;
4381 	struct hci_conn *hcon;
4382 	struct hci_chan *hchan;
4383 	struct amp_mgr *mgr;
4384 
4385 	BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
4386 	       hdev->name, le16_to_cpu(ev->handle), ev->phy_handle,
4387 	       ev->status);
4388 
4389 	hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4390 	if (!hcon)
4391 		return;
4392 
4393 	/* Create AMP hchan */
4394 	hchan = hci_chan_create(hcon);
4395 	if (!hchan)
4396 		return;
4397 
4398 	hchan->handle = le16_to_cpu(ev->handle);
4399 
4400 	BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
4401 
4402 	mgr = hcon->amp_mgr;
4403 	if (mgr && mgr->bredr_chan) {
4404 		struct l2cap_chan *bredr_chan = mgr->bredr_chan;
4405 
4406 		l2cap_chan_lock(bredr_chan);
4407 
4408 		bredr_chan->conn->mtu = hdev->block_mtu;
4409 		l2cap_logical_cfm(bredr_chan, hchan, 0);
4410 		hci_conn_hold(hcon);
4411 
4412 		l2cap_chan_unlock(bredr_chan);
4413 	}
4414 }
4415 
4416 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev,
4417 					     struct sk_buff *skb)
4418 {
4419 	struct hci_ev_disconn_logical_link_complete *ev = (void *) skb->data;
4420 	struct hci_chan *hchan;
4421 
4422 	BT_DBG("%s log handle 0x%4.4x status 0x%2.2x", hdev->name,
4423 	       le16_to_cpu(ev->handle), ev->status);
4424 
4425 	if (ev->status)
4426 		return;
4427 
4428 	hci_dev_lock(hdev);
4429 
4430 	hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
4431 	if (!hchan)
4432 		goto unlock;
4433 
4434 	amp_destroy_logical_link(hchan, ev->reason);
4435 
4436 unlock:
4437 	hci_dev_unlock(hdev);
4438 }
4439 
4440 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev,
4441 					     struct sk_buff *skb)
4442 {
4443 	struct hci_ev_disconn_phy_link_complete *ev = (void *) skb->data;
4444 	struct hci_conn *hcon;
4445 
4446 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4447 
4448 	if (ev->status)
4449 		return;
4450 
4451 	hci_dev_lock(hdev);
4452 
4453 	hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4454 	if (hcon) {
4455 		hcon->state = BT_CLOSED;
4456 		hci_conn_del(hcon);
4457 	}
4458 
4459 	hci_dev_unlock(hdev);
4460 }
4461 #endif
4462 
4463 static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4464 {
4465 	struct hci_ev_le_conn_complete *ev = (void *) skb->data;
4466 	struct hci_conn_params *params;
4467 	struct hci_conn *conn;
4468 	struct smp_irk *irk;
4469 	u8 addr_type;
4470 
4471 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4472 
4473 	hci_dev_lock(hdev);
4474 
4475 	/* All controllers implicitly stop advertising in the event of a
4476 	 * connection, so ensure that the state bit is cleared.
4477 	 */
4478 	hci_dev_clear_flag(hdev, HCI_LE_ADV);
4479 
4480 	conn = hci_lookup_le_connect(hdev);
4481 	if (!conn) {
4482 		conn = hci_conn_add(hdev, LE_LINK, &ev->bdaddr, ev->role);
4483 		if (!conn) {
4484 			bt_dev_err(hdev, "no memory for new connection");
4485 			goto unlock;
4486 		}
4487 
4488 		conn->dst_type = ev->bdaddr_type;
4489 
4490 		/* If we didn't have a hci_conn object previously
4491 		 * but we're in master role this must be something
4492 		 * initiated using a white list. Since white list based
4493 		 * connections are not "first class citizens" we don't
4494 		 * have full tracking of them. Therefore, we go ahead
4495 		 * with a "best effort" approach of determining the
4496 		 * initiator address based on the HCI_PRIVACY flag.
4497 		 */
4498 		if (conn->out) {
4499 			conn->resp_addr_type = ev->bdaddr_type;
4500 			bacpy(&conn->resp_addr, &ev->bdaddr);
4501 			if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
4502 				conn->init_addr_type = ADDR_LE_DEV_RANDOM;
4503 				bacpy(&conn->init_addr, &hdev->rpa);
4504 			} else {
4505 				hci_copy_identity_address(hdev,
4506 							  &conn->init_addr,
4507 							  &conn->init_addr_type);
4508 			}
4509 		}
4510 	} else {
4511 		cancel_delayed_work(&conn->le_conn_timeout);
4512 	}
4513 
4514 	if (!conn->out) {
4515 		/* Set the responder (our side) address type based on
4516 		 * the advertising address type.
4517 		 */
4518 		conn->resp_addr_type = hdev->adv_addr_type;
4519 		if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM)
4520 			bacpy(&conn->resp_addr, &hdev->random_addr);
4521 		else
4522 			bacpy(&conn->resp_addr, &hdev->bdaddr);
4523 
4524 		conn->init_addr_type = ev->bdaddr_type;
4525 		bacpy(&conn->init_addr, &ev->bdaddr);
4526 
4527 		/* For incoming connections, set the default minimum
4528 		 * and maximum connection interval. They will be used
4529 		 * to check if the parameters are in range and if not
4530 		 * trigger the connection update procedure.
4531 		 */
4532 		conn->le_conn_min_interval = hdev->le_conn_min_interval;
4533 		conn->le_conn_max_interval = hdev->le_conn_max_interval;
4534 	}
4535 
4536 	/* Lookup the identity address from the stored connection
4537 	 * address and address type.
4538 	 *
4539 	 * When establishing connections to an identity address, the
4540 	 * connection procedure will store the resolvable random
4541 	 * address first. Now if it can be converted back into the
4542 	 * identity address, start using the identity address from
4543 	 * now on.
4544 	 */
4545 	irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
4546 	if (irk) {
4547 		bacpy(&conn->dst, &irk->bdaddr);
4548 		conn->dst_type = irk->addr_type;
4549 	}
4550 
4551 	if (ev->status) {
4552 		hci_le_conn_failed(conn, ev->status);
4553 		goto unlock;
4554 	}
4555 
4556 	if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
4557 		addr_type = BDADDR_LE_PUBLIC;
4558 	else
4559 		addr_type = BDADDR_LE_RANDOM;
4560 
4561 	/* Drop the connection if the device is blocked */
4562 	if (hci_bdaddr_list_lookup(&hdev->blacklist, &conn->dst, addr_type)) {
4563 		hci_conn_drop(conn);
4564 		goto unlock;
4565 	}
4566 
4567 	if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
4568 		mgmt_device_connected(hdev, conn, 0, NULL, 0);
4569 
4570 	conn->sec_level = BT_SECURITY_LOW;
4571 	conn->handle = __le16_to_cpu(ev->handle);
4572 	conn->state = BT_CONFIG;
4573 
4574 	conn->le_conn_interval = le16_to_cpu(ev->interval);
4575 	conn->le_conn_latency = le16_to_cpu(ev->latency);
4576 	conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
4577 
4578 	hci_debugfs_create_conn(conn);
4579 	hci_conn_add_sysfs(conn);
4580 
4581 	if (!ev->status) {
4582 		/* The remote features procedure is defined for master
4583 		 * role only. So only in case of an initiated connection
4584 		 * request the remote features.
4585 		 *
4586 		 * If the local controller supports slave-initiated features
4587 		 * exchange, then requesting the remote features in slave
4588 		 * role is possible. Otherwise just transition into the
4589 		 * connected state without requesting the remote features.
4590 		 */
4591 		if (conn->out ||
4592 		    (hdev->le_features[0] & HCI_LE_SLAVE_FEATURES)) {
4593 			struct hci_cp_le_read_remote_features cp;
4594 
4595 			cp.handle = __cpu_to_le16(conn->handle);
4596 
4597 			hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,
4598 				     sizeof(cp), &cp);
4599 
4600 			hci_conn_hold(conn);
4601 		} else {
4602 			conn->state = BT_CONNECTED;
4603 			hci_connect_cfm(conn, ev->status);
4604 		}
4605 	} else {
4606 		hci_connect_cfm(conn, ev->status);
4607 	}
4608 
4609 	params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
4610 					   conn->dst_type);
4611 	if (params) {
4612 		list_del_init(&params->action);
4613 		if (params->conn) {
4614 			hci_conn_drop(params->conn);
4615 			hci_conn_put(params->conn);
4616 			params->conn = NULL;
4617 		}
4618 	}
4619 
4620 unlock:
4621 	hci_update_background_scan(hdev);
4622 	hci_dev_unlock(hdev);
4623 }
4624 
4625 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev,
4626 					    struct sk_buff *skb)
4627 {
4628 	struct hci_ev_le_conn_update_complete *ev = (void *) skb->data;
4629 	struct hci_conn *conn;
4630 
4631 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4632 
4633 	if (ev->status)
4634 		return;
4635 
4636 	hci_dev_lock(hdev);
4637 
4638 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4639 	if (conn) {
4640 		conn->le_conn_interval = le16_to_cpu(ev->interval);
4641 		conn->le_conn_latency = le16_to_cpu(ev->latency);
4642 		conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
4643 	}
4644 
4645 	hci_dev_unlock(hdev);
4646 }
4647 
4648 /* This function requires the caller holds hdev->lock */
4649 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
4650 					      bdaddr_t *addr,
4651 					      u8 addr_type, u8 adv_type,
4652 					      bdaddr_t *direct_rpa)
4653 {
4654 	struct hci_conn *conn;
4655 	struct hci_conn_params *params;
4656 
4657 	/* If the event is not connectable don't proceed further */
4658 	if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
4659 		return NULL;
4660 
4661 	/* Ignore if the device is blocked */
4662 	if (hci_bdaddr_list_lookup(&hdev->blacklist, addr, addr_type))
4663 		return NULL;
4664 
4665 	/* Most controller will fail if we try to create new connections
4666 	 * while we have an existing one in slave role.
4667 	 */
4668 	if (hdev->conn_hash.le_num_slave > 0)
4669 		return NULL;
4670 
4671 	/* If we're not connectable only connect devices that we have in
4672 	 * our pend_le_conns list.
4673 	 */
4674 	params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr,
4675 					   addr_type);
4676 	if (!params)
4677 		return NULL;
4678 
4679 	if (!params->explicit_connect) {
4680 		switch (params->auto_connect) {
4681 		case HCI_AUTO_CONN_DIRECT:
4682 			/* Only devices advertising with ADV_DIRECT_IND are
4683 			 * triggering a connection attempt. This is allowing
4684 			 * incoming connections from slave devices.
4685 			 */
4686 			if (adv_type != LE_ADV_DIRECT_IND)
4687 				return NULL;
4688 			break;
4689 		case HCI_AUTO_CONN_ALWAYS:
4690 			/* Devices advertising with ADV_IND or ADV_DIRECT_IND
4691 			 * are triggering a connection attempt. This means
4692 			 * that incoming connectioms from slave device are
4693 			 * accepted and also outgoing connections to slave
4694 			 * devices are established when found.
4695 			 */
4696 			break;
4697 		default:
4698 			return NULL;
4699 		}
4700 	}
4701 
4702 	conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW,
4703 			      HCI_LE_AUTOCONN_TIMEOUT, HCI_ROLE_MASTER,
4704 			      direct_rpa);
4705 	if (!IS_ERR(conn)) {
4706 		/* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
4707 		 * by higher layer that tried to connect, if no then
4708 		 * store the pointer since we don't really have any
4709 		 * other owner of the object besides the params that
4710 		 * triggered it. This way we can abort the connection if
4711 		 * the parameters get removed and keep the reference
4712 		 * count consistent once the connection is established.
4713 		 */
4714 
4715 		if (!params->explicit_connect)
4716 			params->conn = hci_conn_get(conn);
4717 
4718 		return conn;
4719 	}
4720 
4721 	switch (PTR_ERR(conn)) {
4722 	case -EBUSY:
4723 		/* If hci_connect() returns -EBUSY it means there is already
4724 		 * an LE connection attempt going on. Since controllers don't
4725 		 * support more than one connection attempt at the time, we
4726 		 * don't consider this an error case.
4727 		 */
4728 		break;
4729 	default:
4730 		BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
4731 		return NULL;
4732 	}
4733 
4734 	return NULL;
4735 }
4736 
4737 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
4738 			       u8 bdaddr_type, bdaddr_t *direct_addr,
4739 			       u8 direct_addr_type, s8 rssi, u8 *data, u8 len)
4740 {
4741 	struct discovery_state *d = &hdev->discovery;
4742 	struct smp_irk *irk;
4743 	struct hci_conn *conn;
4744 	bool match;
4745 	u32 flags;
4746 	u8 *ptr, real_len;
4747 
4748 	switch (type) {
4749 	case LE_ADV_IND:
4750 	case LE_ADV_DIRECT_IND:
4751 	case LE_ADV_SCAN_IND:
4752 	case LE_ADV_NONCONN_IND:
4753 	case LE_ADV_SCAN_RSP:
4754 		break;
4755 	default:
4756 		bt_dev_err_ratelimited(hdev, "unknown advertising packet "
4757 				       "type: 0x%02x", type);
4758 		return;
4759 	}
4760 
4761 	/* Find the end of the data in case the report contains padded zero
4762 	 * bytes at the end causing an invalid length value.
4763 	 *
4764 	 * When data is NULL, len is 0 so there is no need for extra ptr
4765 	 * check as 'ptr < data + 0' is already false in such case.
4766 	 */
4767 	for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) {
4768 		if (ptr + 1 + *ptr > data + len)
4769 			break;
4770 	}
4771 
4772 	real_len = ptr - data;
4773 
4774 	/* Adjust for actual length */
4775 	if (len != real_len) {
4776 		bt_dev_err_ratelimited(hdev, "advertising data len corrected");
4777 		len = real_len;
4778 	}
4779 
4780 	/* If the direct address is present, then this report is from
4781 	 * a LE Direct Advertising Report event. In that case it is
4782 	 * important to see if the address is matching the local
4783 	 * controller address.
4784 	 */
4785 	if (direct_addr) {
4786 		/* Only resolvable random addresses are valid for these
4787 		 * kind of reports and others can be ignored.
4788 		 */
4789 		if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
4790 			return;
4791 
4792 		/* If the controller is not using resolvable random
4793 		 * addresses, then this report can be ignored.
4794 		 */
4795 		if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
4796 			return;
4797 
4798 		/* If the local IRK of the controller does not match
4799 		 * with the resolvable random address provided, then
4800 		 * this report can be ignored.
4801 		 */
4802 		if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
4803 			return;
4804 	}
4805 
4806 	/* Check if we need to convert to identity address */
4807 	irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
4808 	if (irk) {
4809 		bdaddr = &irk->bdaddr;
4810 		bdaddr_type = irk->addr_type;
4811 	}
4812 
4813 	/* Check if we have been requested to connect to this device.
4814 	 *
4815 	 * direct_addr is set only for directed advertising reports (it is NULL
4816 	 * for advertising reports) and is already verified to be RPA above.
4817 	 */
4818 	conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type,
4819 								direct_addr);
4820 	if (conn && type == LE_ADV_IND) {
4821 		/* Store report for later inclusion by
4822 		 * mgmt_device_connected
4823 		 */
4824 		memcpy(conn->le_adv_data, data, len);
4825 		conn->le_adv_data_len = len;
4826 	}
4827 
4828 	/* Passive scanning shouldn't trigger any device found events,
4829 	 * except for devices marked as CONN_REPORT for which we do send
4830 	 * device found events.
4831 	 */
4832 	if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
4833 		if (type == LE_ADV_DIRECT_IND)
4834 			return;
4835 
4836 		if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
4837 					       bdaddr, bdaddr_type))
4838 			return;
4839 
4840 		if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
4841 			flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
4842 		else
4843 			flags = 0;
4844 		mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4845 				  rssi, flags, data, len, NULL, 0);
4846 		return;
4847 	}
4848 
4849 	/* When receiving non-connectable or scannable undirected
4850 	 * advertising reports, this means that the remote device is
4851 	 * not connectable and then clearly indicate this in the
4852 	 * device found event.
4853 	 *
4854 	 * When receiving a scan response, then there is no way to
4855 	 * know if the remote device is connectable or not. However
4856 	 * since scan responses are merged with a previously seen
4857 	 * advertising report, the flags field from that report
4858 	 * will be used.
4859 	 *
4860 	 * In the really unlikely case that a controller get confused
4861 	 * and just sends a scan response event, then it is marked as
4862 	 * not connectable as well.
4863 	 */
4864 	if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND ||
4865 	    type == LE_ADV_SCAN_RSP)
4866 		flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
4867 	else
4868 		flags = 0;
4869 
4870 	/* If there's nothing pending either store the data from this
4871 	 * event or send an immediate device found event if the data
4872 	 * should not be stored for later.
4873 	 */
4874 	if (!has_pending_adv_report(hdev)) {
4875 		/* If the report will trigger a SCAN_REQ store it for
4876 		 * later merging.
4877 		 */
4878 		if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
4879 			store_pending_adv_report(hdev, bdaddr, bdaddr_type,
4880 						 rssi, flags, data, len);
4881 			return;
4882 		}
4883 
4884 		mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4885 				  rssi, flags, data, len, NULL, 0);
4886 		return;
4887 	}
4888 
4889 	/* Check if the pending report is for the same device as the new one */
4890 	match = (!bacmp(bdaddr, &d->last_adv_addr) &&
4891 		 bdaddr_type == d->last_adv_addr_type);
4892 
4893 	/* If the pending data doesn't match this report or this isn't a
4894 	 * scan response (e.g. we got a duplicate ADV_IND) then force
4895 	 * sending of the pending data.
4896 	 */
4897 	if (type != LE_ADV_SCAN_RSP || !match) {
4898 		/* Send out whatever is in the cache, but skip duplicates */
4899 		if (!match)
4900 			mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
4901 					  d->last_adv_addr_type, NULL,
4902 					  d->last_adv_rssi, d->last_adv_flags,
4903 					  d->last_adv_data,
4904 					  d->last_adv_data_len, NULL, 0);
4905 
4906 		/* If the new report will trigger a SCAN_REQ store it for
4907 		 * later merging.
4908 		 */
4909 		if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
4910 			store_pending_adv_report(hdev, bdaddr, bdaddr_type,
4911 						 rssi, flags, data, len);
4912 			return;
4913 		}
4914 
4915 		/* The advertising reports cannot be merged, so clear
4916 		 * the pending report and send out a device found event.
4917 		 */
4918 		clear_pending_adv_report(hdev);
4919 		mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4920 				  rssi, flags, data, len, NULL, 0);
4921 		return;
4922 	}
4923 
4924 	/* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
4925 	 * the new event is a SCAN_RSP. We can therefore proceed with
4926 	 * sending a merged device found event.
4927 	 */
4928 	mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
4929 			  d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
4930 			  d->last_adv_data, d->last_adv_data_len, data, len);
4931 	clear_pending_adv_report(hdev);
4932 }
4933 
4934 static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
4935 {
4936 	u8 num_reports = skb->data[0];
4937 	void *ptr = &skb->data[1];
4938 
4939 	hci_dev_lock(hdev);
4940 
4941 	while (num_reports--) {
4942 		struct hci_ev_le_advertising_info *ev = ptr;
4943 		s8 rssi;
4944 
4945 		rssi = ev->data[ev->length];
4946 		process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
4947 				   ev->bdaddr_type, NULL, 0, rssi,
4948 				   ev->data, ev->length);
4949 
4950 		ptr += sizeof(*ev) + ev->length + 1;
4951 	}
4952 
4953 	hci_dev_unlock(hdev);
4954 }
4955 
4956 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev,
4957 					    struct sk_buff *skb)
4958 {
4959 	struct hci_ev_le_remote_feat_complete *ev = (void *)skb->data;
4960 	struct hci_conn *conn;
4961 
4962 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4963 
4964 	hci_dev_lock(hdev);
4965 
4966 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4967 	if (conn) {
4968 		if (!ev->status)
4969 			memcpy(conn->features[0], ev->features, 8);
4970 
4971 		if (conn->state == BT_CONFIG) {
4972 			__u8 status;
4973 
4974 			/* If the local controller supports slave-initiated
4975 			 * features exchange, but the remote controller does
4976 			 * not, then it is possible that the error code 0x1a
4977 			 * for unsupported remote feature gets returned.
4978 			 *
4979 			 * In this specific case, allow the connection to
4980 			 * transition into connected state and mark it as
4981 			 * successful.
4982 			 */
4983 			if ((hdev->le_features[0] & HCI_LE_SLAVE_FEATURES) &&
4984 			    !conn->out && ev->status == 0x1a)
4985 				status = 0x00;
4986 			else
4987 				status = ev->status;
4988 
4989 			conn->state = BT_CONNECTED;
4990 			hci_connect_cfm(conn, status);
4991 			hci_conn_drop(conn);
4992 		}
4993 	}
4994 
4995 	hci_dev_unlock(hdev);
4996 }
4997 
4998 static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
4999 {
5000 	struct hci_ev_le_ltk_req *ev = (void *) skb->data;
5001 	struct hci_cp_le_ltk_reply cp;
5002 	struct hci_cp_le_ltk_neg_reply neg;
5003 	struct hci_conn *conn;
5004 	struct smp_ltk *ltk;
5005 
5006 	BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle));
5007 
5008 	hci_dev_lock(hdev);
5009 
5010 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5011 	if (conn == NULL)
5012 		goto not_found;
5013 
5014 	ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
5015 	if (!ltk)
5016 		goto not_found;
5017 
5018 	if (smp_ltk_is_sc(ltk)) {
5019 		/* With SC both EDiv and Rand are set to zero */
5020 		if (ev->ediv || ev->rand)
5021 			goto not_found;
5022 	} else {
5023 		/* For non-SC keys check that EDiv and Rand match */
5024 		if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
5025 			goto not_found;
5026 	}
5027 
5028 	memcpy(cp.ltk, ltk->val, ltk->enc_size);
5029 	memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
5030 	cp.handle = cpu_to_le16(conn->handle);
5031 
5032 	conn->pending_sec_level = smp_ltk_sec_level(ltk);
5033 
5034 	conn->enc_key_size = ltk->enc_size;
5035 
5036 	hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
5037 
5038 	/* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
5039 	 * temporary key used to encrypt a connection following
5040 	 * pairing. It is used during the Encrypted Session Setup to
5041 	 * distribute the keys. Later, security can be re-established
5042 	 * using a distributed LTK.
5043 	 */
5044 	if (ltk->type == SMP_STK) {
5045 		set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
5046 		list_del_rcu(&ltk->list);
5047 		kfree_rcu(ltk, rcu);
5048 	} else {
5049 		clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
5050 	}
5051 
5052 	hci_dev_unlock(hdev);
5053 
5054 	return;
5055 
5056 not_found:
5057 	neg.handle = ev->handle;
5058 	hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
5059 	hci_dev_unlock(hdev);
5060 }
5061 
5062 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
5063 				      u8 reason)
5064 {
5065 	struct hci_cp_le_conn_param_req_neg_reply cp;
5066 
5067 	cp.handle = cpu_to_le16(handle);
5068 	cp.reason = reason;
5069 
5070 	hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
5071 		     &cp);
5072 }
5073 
5074 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev,
5075 					     struct sk_buff *skb)
5076 {
5077 	struct hci_ev_le_remote_conn_param_req *ev = (void *) skb->data;
5078 	struct hci_cp_le_conn_param_req_reply cp;
5079 	struct hci_conn *hcon;
5080 	u16 handle, min, max, latency, timeout;
5081 
5082 	handle = le16_to_cpu(ev->handle);
5083 	min = le16_to_cpu(ev->interval_min);
5084 	max = le16_to_cpu(ev->interval_max);
5085 	latency = le16_to_cpu(ev->latency);
5086 	timeout = le16_to_cpu(ev->timeout);
5087 
5088 	hcon = hci_conn_hash_lookup_handle(hdev, handle);
5089 	if (!hcon || hcon->state != BT_CONNECTED)
5090 		return send_conn_param_neg_reply(hdev, handle,
5091 						 HCI_ERROR_UNKNOWN_CONN_ID);
5092 
5093 	if (hci_check_conn_params(min, max, latency, timeout))
5094 		return send_conn_param_neg_reply(hdev, handle,
5095 						 HCI_ERROR_INVALID_LL_PARAMS);
5096 
5097 	if (hcon->role == HCI_ROLE_MASTER) {
5098 		struct hci_conn_params *params;
5099 		u8 store_hint;
5100 
5101 		hci_dev_lock(hdev);
5102 
5103 		params = hci_conn_params_lookup(hdev, &hcon->dst,
5104 						hcon->dst_type);
5105 		if (params) {
5106 			params->conn_min_interval = min;
5107 			params->conn_max_interval = max;
5108 			params->conn_latency = latency;
5109 			params->supervision_timeout = timeout;
5110 			store_hint = 0x01;
5111 		} else{
5112 			store_hint = 0x00;
5113 		}
5114 
5115 		hci_dev_unlock(hdev);
5116 
5117 		mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
5118 				    store_hint, min, max, latency, timeout);
5119 	}
5120 
5121 	cp.handle = ev->handle;
5122 	cp.interval_min = ev->interval_min;
5123 	cp.interval_max = ev->interval_max;
5124 	cp.latency = ev->latency;
5125 	cp.timeout = ev->timeout;
5126 	cp.min_ce_len = 0;
5127 	cp.max_ce_len = 0;
5128 
5129 	hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
5130 }
5131 
5132 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev,
5133 					 struct sk_buff *skb)
5134 {
5135 	u8 num_reports = skb->data[0];
5136 	void *ptr = &skb->data[1];
5137 
5138 	hci_dev_lock(hdev);
5139 
5140 	while (num_reports--) {
5141 		struct hci_ev_le_direct_adv_info *ev = ptr;
5142 
5143 		process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
5144 				   ev->bdaddr_type, &ev->direct_addr,
5145 				   ev->direct_addr_type, ev->rssi, NULL, 0);
5146 
5147 		ptr += sizeof(*ev);
5148 	}
5149 
5150 	hci_dev_unlock(hdev);
5151 }
5152 
5153 static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
5154 {
5155 	struct hci_ev_le_meta *le_ev = (void *) skb->data;
5156 
5157 	skb_pull(skb, sizeof(*le_ev));
5158 
5159 	switch (le_ev->subevent) {
5160 	case HCI_EV_LE_CONN_COMPLETE:
5161 		hci_le_conn_complete_evt(hdev, skb);
5162 		break;
5163 
5164 	case HCI_EV_LE_CONN_UPDATE_COMPLETE:
5165 		hci_le_conn_update_complete_evt(hdev, skb);
5166 		break;
5167 
5168 	case HCI_EV_LE_ADVERTISING_REPORT:
5169 		hci_le_adv_report_evt(hdev, skb);
5170 		break;
5171 
5172 	case HCI_EV_LE_REMOTE_FEAT_COMPLETE:
5173 		hci_le_remote_feat_complete_evt(hdev, skb);
5174 		break;
5175 
5176 	case HCI_EV_LE_LTK_REQ:
5177 		hci_le_ltk_request_evt(hdev, skb);
5178 		break;
5179 
5180 	case HCI_EV_LE_REMOTE_CONN_PARAM_REQ:
5181 		hci_le_remote_conn_param_req_evt(hdev, skb);
5182 		break;
5183 
5184 	case HCI_EV_LE_DIRECT_ADV_REPORT:
5185 		hci_le_direct_adv_report_evt(hdev, skb);
5186 		break;
5187 
5188 	default:
5189 		break;
5190 	}
5191 }
5192 
5193 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
5194 				 u8 event, struct sk_buff *skb)
5195 {
5196 	struct hci_ev_cmd_complete *ev;
5197 	struct hci_event_hdr *hdr;
5198 
5199 	if (!skb)
5200 		return false;
5201 
5202 	if (skb->len < sizeof(*hdr)) {
5203 		bt_dev_err(hdev, "too short HCI event");
5204 		return false;
5205 	}
5206 
5207 	hdr = (void *) skb->data;
5208 	skb_pull(skb, HCI_EVENT_HDR_SIZE);
5209 
5210 	if (event) {
5211 		if (hdr->evt != event)
5212 			return false;
5213 		return true;
5214 	}
5215 
5216 	if (hdr->evt != HCI_EV_CMD_COMPLETE) {
5217 		bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)",
5218 			   hdr->evt);
5219 		return false;
5220 	}
5221 
5222 	if (skb->len < sizeof(*ev)) {
5223 		bt_dev_err(hdev, "too short cmd_complete event");
5224 		return false;
5225 	}
5226 
5227 	ev = (void *) skb->data;
5228 	skb_pull(skb, sizeof(*ev));
5229 
5230 	if (opcode != __le16_to_cpu(ev->opcode)) {
5231 		BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
5232 		       __le16_to_cpu(ev->opcode));
5233 		return false;
5234 	}
5235 
5236 	return true;
5237 }
5238 
5239 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
5240 {
5241 	struct hci_event_hdr *hdr = (void *) skb->data;
5242 	hci_req_complete_t req_complete = NULL;
5243 	hci_req_complete_skb_t req_complete_skb = NULL;
5244 	struct sk_buff *orig_skb = NULL;
5245 	u8 status = 0, event = hdr->evt, req_evt = 0;
5246 	u16 opcode = HCI_OP_NOP;
5247 
5248 	if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->hci.req_event == event) {
5249 		struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data;
5250 		opcode = __le16_to_cpu(cmd_hdr->opcode);
5251 		hci_req_cmd_complete(hdev, opcode, status, &req_complete,
5252 				     &req_complete_skb);
5253 		req_evt = event;
5254 	}
5255 
5256 	/* If it looks like we might end up having to call
5257 	 * req_complete_skb, store a pristine copy of the skb since the
5258 	 * various handlers may modify the original one through
5259 	 * skb_pull() calls, etc.
5260 	 */
5261 	if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
5262 	    event == HCI_EV_CMD_COMPLETE)
5263 		orig_skb = skb_clone(skb, GFP_KERNEL);
5264 
5265 	skb_pull(skb, HCI_EVENT_HDR_SIZE);
5266 
5267 	switch (event) {
5268 	case HCI_EV_INQUIRY_COMPLETE:
5269 		hci_inquiry_complete_evt(hdev, skb);
5270 		break;
5271 
5272 	case HCI_EV_INQUIRY_RESULT:
5273 		hci_inquiry_result_evt(hdev, skb);
5274 		break;
5275 
5276 	case HCI_EV_CONN_COMPLETE:
5277 		hci_conn_complete_evt(hdev, skb);
5278 		break;
5279 
5280 	case HCI_EV_CONN_REQUEST:
5281 		hci_conn_request_evt(hdev, skb);
5282 		break;
5283 
5284 	case HCI_EV_DISCONN_COMPLETE:
5285 		hci_disconn_complete_evt(hdev, skb);
5286 		break;
5287 
5288 	case HCI_EV_AUTH_COMPLETE:
5289 		hci_auth_complete_evt(hdev, skb);
5290 		break;
5291 
5292 	case HCI_EV_REMOTE_NAME:
5293 		hci_remote_name_evt(hdev, skb);
5294 		break;
5295 
5296 	case HCI_EV_ENCRYPT_CHANGE:
5297 		hci_encrypt_change_evt(hdev, skb);
5298 		break;
5299 
5300 	case HCI_EV_CHANGE_LINK_KEY_COMPLETE:
5301 		hci_change_link_key_complete_evt(hdev, skb);
5302 		break;
5303 
5304 	case HCI_EV_REMOTE_FEATURES:
5305 		hci_remote_features_evt(hdev, skb);
5306 		break;
5307 
5308 	case HCI_EV_CMD_COMPLETE:
5309 		hci_cmd_complete_evt(hdev, skb, &opcode, &status,
5310 				     &req_complete, &req_complete_skb);
5311 		break;
5312 
5313 	case HCI_EV_CMD_STATUS:
5314 		hci_cmd_status_evt(hdev, skb, &opcode, &status, &req_complete,
5315 				   &req_complete_skb);
5316 		break;
5317 
5318 	case HCI_EV_HARDWARE_ERROR:
5319 		hci_hardware_error_evt(hdev, skb);
5320 		break;
5321 
5322 	case HCI_EV_ROLE_CHANGE:
5323 		hci_role_change_evt(hdev, skb);
5324 		break;
5325 
5326 	case HCI_EV_NUM_COMP_PKTS:
5327 		hci_num_comp_pkts_evt(hdev, skb);
5328 		break;
5329 
5330 	case HCI_EV_MODE_CHANGE:
5331 		hci_mode_change_evt(hdev, skb);
5332 		break;
5333 
5334 	case HCI_EV_PIN_CODE_REQ:
5335 		hci_pin_code_request_evt(hdev, skb);
5336 		break;
5337 
5338 	case HCI_EV_LINK_KEY_REQ:
5339 		hci_link_key_request_evt(hdev, skb);
5340 		break;
5341 
5342 	case HCI_EV_LINK_KEY_NOTIFY:
5343 		hci_link_key_notify_evt(hdev, skb);
5344 		break;
5345 
5346 	case HCI_EV_CLOCK_OFFSET:
5347 		hci_clock_offset_evt(hdev, skb);
5348 		break;
5349 
5350 	case HCI_EV_PKT_TYPE_CHANGE:
5351 		hci_pkt_type_change_evt(hdev, skb);
5352 		break;
5353 
5354 	case HCI_EV_PSCAN_REP_MODE:
5355 		hci_pscan_rep_mode_evt(hdev, skb);
5356 		break;
5357 
5358 	case HCI_EV_INQUIRY_RESULT_WITH_RSSI:
5359 		hci_inquiry_result_with_rssi_evt(hdev, skb);
5360 		break;
5361 
5362 	case HCI_EV_REMOTE_EXT_FEATURES:
5363 		hci_remote_ext_features_evt(hdev, skb);
5364 		break;
5365 
5366 	case HCI_EV_SYNC_CONN_COMPLETE:
5367 		hci_sync_conn_complete_evt(hdev, skb);
5368 		break;
5369 
5370 	case HCI_EV_EXTENDED_INQUIRY_RESULT:
5371 		hci_extended_inquiry_result_evt(hdev, skb);
5372 		break;
5373 
5374 	case HCI_EV_KEY_REFRESH_COMPLETE:
5375 		hci_key_refresh_complete_evt(hdev, skb);
5376 		break;
5377 
5378 	case HCI_EV_IO_CAPA_REQUEST:
5379 		hci_io_capa_request_evt(hdev, skb);
5380 		break;
5381 
5382 	case HCI_EV_IO_CAPA_REPLY:
5383 		hci_io_capa_reply_evt(hdev, skb);
5384 		break;
5385 
5386 	case HCI_EV_USER_CONFIRM_REQUEST:
5387 		hci_user_confirm_request_evt(hdev, skb);
5388 		break;
5389 
5390 	case HCI_EV_USER_PASSKEY_REQUEST:
5391 		hci_user_passkey_request_evt(hdev, skb);
5392 		break;
5393 
5394 	case HCI_EV_USER_PASSKEY_NOTIFY:
5395 		hci_user_passkey_notify_evt(hdev, skb);
5396 		break;
5397 
5398 	case HCI_EV_KEYPRESS_NOTIFY:
5399 		hci_keypress_notify_evt(hdev, skb);
5400 		break;
5401 
5402 	case HCI_EV_SIMPLE_PAIR_COMPLETE:
5403 		hci_simple_pair_complete_evt(hdev, skb);
5404 		break;
5405 
5406 	case HCI_EV_REMOTE_HOST_FEATURES:
5407 		hci_remote_host_features_evt(hdev, skb);
5408 		break;
5409 
5410 	case HCI_EV_LE_META:
5411 		hci_le_meta_evt(hdev, skb);
5412 		break;
5413 
5414 	case HCI_EV_REMOTE_OOB_DATA_REQUEST:
5415 		hci_remote_oob_data_request_evt(hdev, skb);
5416 		break;
5417 
5418 #if IS_ENABLED(CONFIG_BT_HS)
5419 	case HCI_EV_CHANNEL_SELECTED:
5420 		hci_chan_selected_evt(hdev, skb);
5421 		break;
5422 
5423 	case HCI_EV_PHY_LINK_COMPLETE:
5424 		hci_phy_link_complete_evt(hdev, skb);
5425 		break;
5426 
5427 	case HCI_EV_LOGICAL_LINK_COMPLETE:
5428 		hci_loglink_complete_evt(hdev, skb);
5429 		break;
5430 
5431 	case HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE:
5432 		hci_disconn_loglink_complete_evt(hdev, skb);
5433 		break;
5434 
5435 	case HCI_EV_DISCONN_PHY_LINK_COMPLETE:
5436 		hci_disconn_phylink_complete_evt(hdev, skb);
5437 		break;
5438 #endif
5439 
5440 	case HCI_EV_NUM_COMP_BLOCKS:
5441 		hci_num_comp_blocks_evt(hdev, skb);
5442 		break;
5443 
5444 	default:
5445 		BT_DBG("%s event 0x%2.2x", hdev->name, event);
5446 		break;
5447 	}
5448 
5449 	if (req_complete) {
5450 		req_complete(hdev, status, opcode);
5451 	} else if (req_complete_skb) {
5452 		if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {
5453 			kfree_skb(orig_skb);
5454 			orig_skb = NULL;
5455 		}
5456 		req_complete_skb(hdev, status, opcode, orig_skb);
5457 	}
5458 
5459 	kfree_skb(orig_skb);
5460 	kfree_skb(skb);
5461 	hdev->stat.evt_rx++;
5462 }
5463