xref: /openbmc/linux/net/bluetooth/hci_event.c (revision 236a9bf2)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
4    Copyright 2023 NXP
5 
6    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
7 
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License version 2 as
10    published by the Free Software Foundation;
11 
12    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
13    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
15    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
16    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
17    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 
21    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
22    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
23    SOFTWARE IS DISCLAIMED.
24 */
25 
26 /* Bluetooth HCI event handling. */
27 
28 #include <asm/unaligned.h>
29 #include <linux/crypto.h>
30 #include <crypto/algapi.h>
31 
32 #include <net/bluetooth/bluetooth.h>
33 #include <net/bluetooth/hci_core.h>
34 #include <net/bluetooth/mgmt.h>
35 
36 #include "hci_request.h"
37 #include "hci_debugfs.h"
38 #include "hci_codec.h"
39 #include "a2mp.h"
40 #include "amp.h"
41 #include "smp.h"
42 #include "msft.h"
43 #include "eir.h"
44 
45 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
46 		 "\x00\x00\x00\x00\x00\x00\x00\x00"
47 
48 #define secs_to_jiffies(_secs) msecs_to_jiffies((_secs) * 1000)
49 
50 /* Handle HCI Event packets */
51 
52 static void *hci_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
53 			     u8 ev, size_t len)
54 {
55 	void *data;
56 
57 	data = skb_pull_data(skb, len);
58 	if (!data)
59 		bt_dev_err(hdev, "Malformed Event: 0x%2.2x", ev);
60 
61 	return data;
62 }
63 
64 static void *hci_cc_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
65 			     u16 op, size_t len)
66 {
67 	void *data;
68 
69 	data = skb_pull_data(skb, len);
70 	if (!data)
71 		bt_dev_err(hdev, "Malformed Command Complete: 0x%4.4x", op);
72 
73 	return data;
74 }
75 
76 static void *hci_le_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
77 				u8 ev, size_t len)
78 {
79 	void *data;
80 
81 	data = skb_pull_data(skb, len);
82 	if (!data)
83 		bt_dev_err(hdev, "Malformed LE Event: 0x%2.2x", ev);
84 
85 	return data;
86 }
87 
88 static u8 hci_cc_inquiry_cancel(struct hci_dev *hdev, void *data,
89 				struct sk_buff *skb)
90 {
91 	struct hci_ev_status *rp = data;
92 
93 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
94 
95 	/* It is possible that we receive Inquiry Complete event right
96 	 * before we receive Inquiry Cancel Command Complete event, in
97 	 * which case the latter event should have status of Command
98 	 * Disallowed (0x0c). This should not be treated as error, since
99 	 * we actually achieve what Inquiry Cancel wants to achieve,
100 	 * which is to end the last Inquiry session.
101 	 */
102 	if (rp->status == 0x0c && !test_bit(HCI_INQUIRY, &hdev->flags)) {
103 		bt_dev_warn(hdev, "Ignoring error of Inquiry Cancel command");
104 		rp->status = 0x00;
105 	}
106 
107 	if (rp->status)
108 		return rp->status;
109 
110 	clear_bit(HCI_INQUIRY, &hdev->flags);
111 	smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
112 	wake_up_bit(&hdev->flags, HCI_INQUIRY);
113 
114 	hci_dev_lock(hdev);
115 	/* Set discovery state to stopped if we're not doing LE active
116 	 * scanning.
117 	 */
118 	if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
119 	    hdev->le_scan_type != LE_SCAN_ACTIVE)
120 		hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
121 	hci_dev_unlock(hdev);
122 
123 	hci_conn_check_pending(hdev);
124 
125 	return rp->status;
126 }
127 
128 static u8 hci_cc_periodic_inq(struct hci_dev *hdev, void *data,
129 			      struct sk_buff *skb)
130 {
131 	struct hci_ev_status *rp = data;
132 
133 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
134 
135 	if (rp->status)
136 		return rp->status;
137 
138 	hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);
139 
140 	return rp->status;
141 }
142 
143 static u8 hci_cc_exit_periodic_inq(struct hci_dev *hdev, void *data,
144 				   struct sk_buff *skb)
145 {
146 	struct hci_ev_status *rp = data;
147 
148 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
149 
150 	if (rp->status)
151 		return rp->status;
152 
153 	hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);
154 
155 	hci_conn_check_pending(hdev);
156 
157 	return rp->status;
158 }
159 
160 static u8 hci_cc_remote_name_req_cancel(struct hci_dev *hdev, void *data,
161 					struct sk_buff *skb)
162 {
163 	struct hci_ev_status *rp = data;
164 
165 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
166 
167 	return rp->status;
168 }
169 
170 static u8 hci_cc_role_discovery(struct hci_dev *hdev, void *data,
171 				struct sk_buff *skb)
172 {
173 	struct hci_rp_role_discovery *rp = data;
174 	struct hci_conn *conn;
175 
176 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
177 
178 	if (rp->status)
179 		return rp->status;
180 
181 	hci_dev_lock(hdev);
182 
183 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
184 	if (conn)
185 		conn->role = rp->role;
186 
187 	hci_dev_unlock(hdev);
188 
189 	return rp->status;
190 }
191 
192 static u8 hci_cc_read_link_policy(struct hci_dev *hdev, void *data,
193 				  struct sk_buff *skb)
194 {
195 	struct hci_rp_read_link_policy *rp = data;
196 	struct hci_conn *conn;
197 
198 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
199 
200 	if (rp->status)
201 		return rp->status;
202 
203 	hci_dev_lock(hdev);
204 
205 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
206 	if (conn)
207 		conn->link_policy = __le16_to_cpu(rp->policy);
208 
209 	hci_dev_unlock(hdev);
210 
211 	return rp->status;
212 }
213 
214 static u8 hci_cc_write_link_policy(struct hci_dev *hdev, void *data,
215 				   struct sk_buff *skb)
216 {
217 	struct hci_rp_write_link_policy *rp = data;
218 	struct hci_conn *conn;
219 	void *sent;
220 
221 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
222 
223 	if (rp->status)
224 		return rp->status;
225 
226 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
227 	if (!sent)
228 		return rp->status;
229 
230 	hci_dev_lock(hdev);
231 
232 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
233 	if (conn)
234 		conn->link_policy = get_unaligned_le16(sent + 2);
235 
236 	hci_dev_unlock(hdev);
237 
238 	return rp->status;
239 }
240 
241 static u8 hci_cc_read_def_link_policy(struct hci_dev *hdev, void *data,
242 				      struct sk_buff *skb)
243 {
244 	struct hci_rp_read_def_link_policy *rp = data;
245 
246 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
247 
248 	if (rp->status)
249 		return rp->status;
250 
251 	hdev->link_policy = __le16_to_cpu(rp->policy);
252 
253 	return rp->status;
254 }
255 
256 static u8 hci_cc_write_def_link_policy(struct hci_dev *hdev, void *data,
257 				       struct sk_buff *skb)
258 {
259 	struct hci_ev_status *rp = data;
260 	void *sent;
261 
262 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
263 
264 	if (rp->status)
265 		return rp->status;
266 
267 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
268 	if (!sent)
269 		return rp->status;
270 
271 	hdev->link_policy = get_unaligned_le16(sent);
272 
273 	return rp->status;
274 }
275 
276 static u8 hci_cc_reset(struct hci_dev *hdev, void *data, struct sk_buff *skb)
277 {
278 	struct hci_ev_status *rp = data;
279 
280 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
281 
282 	clear_bit(HCI_RESET, &hdev->flags);
283 
284 	if (rp->status)
285 		return rp->status;
286 
287 	/* Reset all non-persistent flags */
288 	hci_dev_clear_volatile_flags(hdev);
289 
290 	hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
291 
292 	hdev->inq_tx_power = HCI_TX_POWER_INVALID;
293 	hdev->adv_tx_power = HCI_TX_POWER_INVALID;
294 
295 	memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
296 	hdev->adv_data_len = 0;
297 
298 	memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
299 	hdev->scan_rsp_data_len = 0;
300 
301 	hdev->le_scan_type = LE_SCAN_PASSIVE;
302 
303 	hdev->ssp_debug_mode = 0;
304 
305 	hci_bdaddr_list_clear(&hdev->le_accept_list);
306 	hci_bdaddr_list_clear(&hdev->le_resolv_list);
307 
308 	return rp->status;
309 }
310 
311 static u8 hci_cc_read_stored_link_key(struct hci_dev *hdev, void *data,
312 				      struct sk_buff *skb)
313 {
314 	struct hci_rp_read_stored_link_key *rp = data;
315 	struct hci_cp_read_stored_link_key *sent;
316 
317 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
318 
319 	sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
320 	if (!sent)
321 		return rp->status;
322 
323 	if (!rp->status && sent->read_all == 0x01) {
324 		hdev->stored_max_keys = le16_to_cpu(rp->max_keys);
325 		hdev->stored_num_keys = le16_to_cpu(rp->num_keys);
326 	}
327 
328 	return rp->status;
329 }
330 
331 static u8 hci_cc_delete_stored_link_key(struct hci_dev *hdev, void *data,
332 					struct sk_buff *skb)
333 {
334 	struct hci_rp_delete_stored_link_key *rp = data;
335 	u16 num_keys;
336 
337 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
338 
339 	if (rp->status)
340 		return rp->status;
341 
342 	num_keys = le16_to_cpu(rp->num_keys);
343 
344 	if (num_keys <= hdev->stored_num_keys)
345 		hdev->stored_num_keys -= num_keys;
346 	else
347 		hdev->stored_num_keys = 0;
348 
349 	return rp->status;
350 }
351 
352 static u8 hci_cc_write_local_name(struct hci_dev *hdev, void *data,
353 				  struct sk_buff *skb)
354 {
355 	struct hci_ev_status *rp = data;
356 	void *sent;
357 
358 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
359 
360 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
361 	if (!sent)
362 		return rp->status;
363 
364 	hci_dev_lock(hdev);
365 
366 	if (hci_dev_test_flag(hdev, HCI_MGMT))
367 		mgmt_set_local_name_complete(hdev, sent, rp->status);
368 	else if (!rp->status)
369 		memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
370 
371 	hci_dev_unlock(hdev);
372 
373 	return rp->status;
374 }
375 
376 static u8 hci_cc_read_local_name(struct hci_dev *hdev, void *data,
377 				 struct sk_buff *skb)
378 {
379 	struct hci_rp_read_local_name *rp = data;
380 
381 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
382 
383 	if (rp->status)
384 		return rp->status;
385 
386 	if (hci_dev_test_flag(hdev, HCI_SETUP) ||
387 	    hci_dev_test_flag(hdev, HCI_CONFIG))
388 		memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
389 
390 	return rp->status;
391 }
392 
393 static u8 hci_cc_write_auth_enable(struct hci_dev *hdev, void *data,
394 				   struct sk_buff *skb)
395 {
396 	struct hci_ev_status *rp = data;
397 	void *sent;
398 
399 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
400 
401 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
402 	if (!sent)
403 		return rp->status;
404 
405 	hci_dev_lock(hdev);
406 
407 	if (!rp->status) {
408 		__u8 param = *((__u8 *) sent);
409 
410 		if (param == AUTH_ENABLED)
411 			set_bit(HCI_AUTH, &hdev->flags);
412 		else
413 			clear_bit(HCI_AUTH, &hdev->flags);
414 	}
415 
416 	if (hci_dev_test_flag(hdev, HCI_MGMT))
417 		mgmt_auth_enable_complete(hdev, rp->status);
418 
419 	hci_dev_unlock(hdev);
420 
421 	return rp->status;
422 }
423 
424 static u8 hci_cc_write_encrypt_mode(struct hci_dev *hdev, void *data,
425 				    struct sk_buff *skb)
426 {
427 	struct hci_ev_status *rp = data;
428 	__u8 param;
429 	void *sent;
430 
431 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
432 
433 	if (rp->status)
434 		return rp->status;
435 
436 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
437 	if (!sent)
438 		return rp->status;
439 
440 	param = *((__u8 *) sent);
441 
442 	if (param)
443 		set_bit(HCI_ENCRYPT, &hdev->flags);
444 	else
445 		clear_bit(HCI_ENCRYPT, &hdev->flags);
446 
447 	return rp->status;
448 }
449 
450 static u8 hci_cc_write_scan_enable(struct hci_dev *hdev, void *data,
451 				   struct sk_buff *skb)
452 {
453 	struct hci_ev_status *rp = data;
454 	__u8 param;
455 	void *sent;
456 
457 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
458 
459 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
460 	if (!sent)
461 		return rp->status;
462 
463 	param = *((__u8 *) sent);
464 
465 	hci_dev_lock(hdev);
466 
467 	if (rp->status) {
468 		hdev->discov_timeout = 0;
469 		goto done;
470 	}
471 
472 	if (param & SCAN_INQUIRY)
473 		set_bit(HCI_ISCAN, &hdev->flags);
474 	else
475 		clear_bit(HCI_ISCAN, &hdev->flags);
476 
477 	if (param & SCAN_PAGE)
478 		set_bit(HCI_PSCAN, &hdev->flags);
479 	else
480 		clear_bit(HCI_PSCAN, &hdev->flags);
481 
482 done:
483 	hci_dev_unlock(hdev);
484 
485 	return rp->status;
486 }
487 
488 static u8 hci_cc_set_event_filter(struct hci_dev *hdev, void *data,
489 				  struct sk_buff *skb)
490 {
491 	struct hci_ev_status *rp = data;
492 	struct hci_cp_set_event_filter *cp;
493 	void *sent;
494 
495 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
496 
497 	if (rp->status)
498 		return rp->status;
499 
500 	sent = hci_sent_cmd_data(hdev, HCI_OP_SET_EVENT_FLT);
501 	if (!sent)
502 		return rp->status;
503 
504 	cp = (struct hci_cp_set_event_filter *)sent;
505 
506 	if (cp->flt_type == HCI_FLT_CLEAR_ALL)
507 		hci_dev_clear_flag(hdev, HCI_EVENT_FILTER_CONFIGURED);
508 	else
509 		hci_dev_set_flag(hdev, HCI_EVENT_FILTER_CONFIGURED);
510 
511 	return rp->status;
512 }
513 
514 static u8 hci_cc_read_class_of_dev(struct hci_dev *hdev, void *data,
515 				   struct sk_buff *skb)
516 {
517 	struct hci_rp_read_class_of_dev *rp = data;
518 
519 	if (WARN_ON(!hdev))
520 		return HCI_ERROR_UNSPECIFIED;
521 
522 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
523 
524 	if (rp->status)
525 		return rp->status;
526 
527 	memcpy(hdev->dev_class, rp->dev_class, 3);
528 
529 	bt_dev_dbg(hdev, "class 0x%.2x%.2x%.2x", hdev->dev_class[2],
530 		   hdev->dev_class[1], hdev->dev_class[0]);
531 
532 	return rp->status;
533 }
534 
535 static u8 hci_cc_write_class_of_dev(struct hci_dev *hdev, void *data,
536 				    struct sk_buff *skb)
537 {
538 	struct hci_ev_status *rp = data;
539 	void *sent;
540 
541 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
542 
543 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
544 	if (!sent)
545 		return rp->status;
546 
547 	hci_dev_lock(hdev);
548 
549 	if (!rp->status)
550 		memcpy(hdev->dev_class, sent, 3);
551 
552 	if (hci_dev_test_flag(hdev, HCI_MGMT))
553 		mgmt_set_class_of_dev_complete(hdev, sent, rp->status);
554 
555 	hci_dev_unlock(hdev);
556 
557 	return rp->status;
558 }
559 
560 static u8 hci_cc_read_voice_setting(struct hci_dev *hdev, void *data,
561 				    struct sk_buff *skb)
562 {
563 	struct hci_rp_read_voice_setting *rp = data;
564 	__u16 setting;
565 
566 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
567 
568 	if (rp->status)
569 		return rp->status;
570 
571 	setting = __le16_to_cpu(rp->voice_setting);
572 
573 	if (hdev->voice_setting == setting)
574 		return rp->status;
575 
576 	hdev->voice_setting = setting;
577 
578 	bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting);
579 
580 	if (hdev->notify)
581 		hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
582 
583 	return rp->status;
584 }
585 
586 static u8 hci_cc_write_voice_setting(struct hci_dev *hdev, void *data,
587 				     struct sk_buff *skb)
588 {
589 	struct hci_ev_status *rp = data;
590 	__u16 setting;
591 	void *sent;
592 
593 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
594 
595 	if (rp->status)
596 		return rp->status;
597 
598 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
599 	if (!sent)
600 		return rp->status;
601 
602 	setting = get_unaligned_le16(sent);
603 
604 	if (hdev->voice_setting == setting)
605 		return rp->status;
606 
607 	hdev->voice_setting = setting;
608 
609 	bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting);
610 
611 	if (hdev->notify)
612 		hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
613 
614 	return rp->status;
615 }
616 
617 static u8 hci_cc_read_num_supported_iac(struct hci_dev *hdev, void *data,
618 					struct sk_buff *skb)
619 {
620 	struct hci_rp_read_num_supported_iac *rp = data;
621 
622 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
623 
624 	if (rp->status)
625 		return rp->status;
626 
627 	hdev->num_iac = rp->num_iac;
628 
629 	bt_dev_dbg(hdev, "num iac %d", hdev->num_iac);
630 
631 	return rp->status;
632 }
633 
634 static u8 hci_cc_write_ssp_mode(struct hci_dev *hdev, void *data,
635 				struct sk_buff *skb)
636 {
637 	struct hci_ev_status *rp = data;
638 	struct hci_cp_write_ssp_mode *sent;
639 
640 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
641 
642 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
643 	if (!sent)
644 		return rp->status;
645 
646 	hci_dev_lock(hdev);
647 
648 	if (!rp->status) {
649 		if (sent->mode)
650 			hdev->features[1][0] |= LMP_HOST_SSP;
651 		else
652 			hdev->features[1][0] &= ~LMP_HOST_SSP;
653 	}
654 
655 	if (!rp->status) {
656 		if (sent->mode)
657 			hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
658 		else
659 			hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
660 	}
661 
662 	hci_dev_unlock(hdev);
663 
664 	return rp->status;
665 }
666 
667 static u8 hci_cc_write_sc_support(struct hci_dev *hdev, void *data,
668 				  struct sk_buff *skb)
669 {
670 	struct hci_ev_status *rp = data;
671 	struct hci_cp_write_sc_support *sent;
672 
673 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
674 
675 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
676 	if (!sent)
677 		return rp->status;
678 
679 	hci_dev_lock(hdev);
680 
681 	if (!rp->status) {
682 		if (sent->support)
683 			hdev->features[1][0] |= LMP_HOST_SC;
684 		else
685 			hdev->features[1][0] &= ~LMP_HOST_SC;
686 	}
687 
688 	if (!hci_dev_test_flag(hdev, HCI_MGMT) && !rp->status) {
689 		if (sent->support)
690 			hci_dev_set_flag(hdev, HCI_SC_ENABLED);
691 		else
692 			hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
693 	}
694 
695 	hci_dev_unlock(hdev);
696 
697 	return rp->status;
698 }
699 
700 static u8 hci_cc_read_local_version(struct hci_dev *hdev, void *data,
701 				    struct sk_buff *skb)
702 {
703 	struct hci_rp_read_local_version *rp = data;
704 
705 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
706 
707 	if (rp->status)
708 		return rp->status;
709 
710 	if (hci_dev_test_flag(hdev, HCI_SETUP) ||
711 	    hci_dev_test_flag(hdev, HCI_CONFIG)) {
712 		hdev->hci_ver = rp->hci_ver;
713 		hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
714 		hdev->lmp_ver = rp->lmp_ver;
715 		hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
716 		hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
717 	}
718 
719 	return rp->status;
720 }
721 
722 static u8 hci_cc_read_enc_key_size(struct hci_dev *hdev, void *data,
723 				   struct sk_buff *skb)
724 {
725 	struct hci_rp_read_enc_key_size *rp = data;
726 	struct hci_conn *conn;
727 	u16 handle;
728 	u8 status = rp->status;
729 
730 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
731 
732 	handle = le16_to_cpu(rp->handle);
733 
734 	hci_dev_lock(hdev);
735 
736 	conn = hci_conn_hash_lookup_handle(hdev, handle);
737 	if (!conn) {
738 		status = 0xFF;
739 		goto done;
740 	}
741 
742 	/* While unexpected, the read_enc_key_size command may fail. The most
743 	 * secure approach is to then assume the key size is 0 to force a
744 	 * disconnection.
745 	 */
746 	if (status) {
747 		bt_dev_err(hdev, "failed to read key size for handle %u",
748 			   handle);
749 		conn->enc_key_size = 0;
750 	} else {
751 		conn->enc_key_size = rp->key_size;
752 		status = 0;
753 
754 		if (conn->enc_key_size < hdev->min_enc_key_size) {
755 			/* As slave role, the conn->state has been set to
756 			 * BT_CONNECTED and l2cap conn req might not be received
757 			 * yet, at this moment the l2cap layer almost does
758 			 * nothing with the non-zero status.
759 			 * So we also clear encrypt related bits, and then the
760 			 * handler of l2cap conn req will get the right secure
761 			 * state at a later time.
762 			 */
763 			status = HCI_ERROR_AUTH_FAILURE;
764 			clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
765 			clear_bit(HCI_CONN_AES_CCM, &conn->flags);
766 		}
767 	}
768 
769 	hci_encrypt_cfm(conn, status);
770 
771 done:
772 	hci_dev_unlock(hdev);
773 
774 	return status;
775 }
776 
777 static u8 hci_cc_read_local_commands(struct hci_dev *hdev, void *data,
778 				     struct sk_buff *skb)
779 {
780 	struct hci_rp_read_local_commands *rp = data;
781 
782 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
783 
784 	if (rp->status)
785 		return rp->status;
786 
787 	if (hci_dev_test_flag(hdev, HCI_SETUP) ||
788 	    hci_dev_test_flag(hdev, HCI_CONFIG))
789 		memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
790 
791 	return rp->status;
792 }
793 
794 static u8 hci_cc_read_auth_payload_timeout(struct hci_dev *hdev, void *data,
795 					   struct sk_buff *skb)
796 {
797 	struct hci_rp_read_auth_payload_to *rp = data;
798 	struct hci_conn *conn;
799 
800 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
801 
802 	if (rp->status)
803 		return rp->status;
804 
805 	hci_dev_lock(hdev);
806 
807 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
808 	if (conn)
809 		conn->auth_payload_timeout = __le16_to_cpu(rp->timeout);
810 
811 	hci_dev_unlock(hdev);
812 
813 	return rp->status;
814 }
815 
816 static u8 hci_cc_write_auth_payload_timeout(struct hci_dev *hdev, void *data,
817 					    struct sk_buff *skb)
818 {
819 	struct hci_rp_write_auth_payload_to *rp = data;
820 	struct hci_conn *conn;
821 	void *sent;
822 
823 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
824 
825 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO);
826 	if (!sent)
827 		return rp->status;
828 
829 	hci_dev_lock(hdev);
830 
831 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
832 	if (!conn) {
833 		rp->status = 0xff;
834 		goto unlock;
835 	}
836 
837 	if (!rp->status)
838 		conn->auth_payload_timeout = get_unaligned_le16(sent + 2);
839 
840 unlock:
841 	hci_dev_unlock(hdev);
842 
843 	return rp->status;
844 }
845 
846 static u8 hci_cc_read_local_features(struct hci_dev *hdev, void *data,
847 				     struct sk_buff *skb)
848 {
849 	struct hci_rp_read_local_features *rp = data;
850 
851 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
852 
853 	if (rp->status)
854 		return rp->status;
855 
856 	memcpy(hdev->features, rp->features, 8);
857 
858 	/* Adjust default settings according to features
859 	 * supported by device. */
860 
861 	if (hdev->features[0][0] & LMP_3SLOT)
862 		hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
863 
864 	if (hdev->features[0][0] & LMP_5SLOT)
865 		hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
866 
867 	if (hdev->features[0][1] & LMP_HV2) {
868 		hdev->pkt_type  |= (HCI_HV2);
869 		hdev->esco_type |= (ESCO_HV2);
870 	}
871 
872 	if (hdev->features[0][1] & LMP_HV3) {
873 		hdev->pkt_type  |= (HCI_HV3);
874 		hdev->esco_type |= (ESCO_HV3);
875 	}
876 
877 	if (lmp_esco_capable(hdev))
878 		hdev->esco_type |= (ESCO_EV3);
879 
880 	if (hdev->features[0][4] & LMP_EV4)
881 		hdev->esco_type |= (ESCO_EV4);
882 
883 	if (hdev->features[0][4] & LMP_EV5)
884 		hdev->esco_type |= (ESCO_EV5);
885 
886 	if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
887 		hdev->esco_type |= (ESCO_2EV3);
888 
889 	if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
890 		hdev->esco_type |= (ESCO_3EV3);
891 
892 	if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
893 		hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
894 
895 	return rp->status;
896 }
897 
898 static u8 hci_cc_read_local_ext_features(struct hci_dev *hdev, void *data,
899 					 struct sk_buff *skb)
900 {
901 	struct hci_rp_read_local_ext_features *rp = data;
902 
903 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
904 
905 	if (rp->status)
906 		return rp->status;
907 
908 	if (hdev->max_page < rp->max_page) {
909 		if (test_bit(HCI_QUIRK_BROKEN_LOCAL_EXT_FEATURES_PAGE_2,
910 			     &hdev->quirks))
911 			bt_dev_warn(hdev, "broken local ext features page 2");
912 		else
913 			hdev->max_page = rp->max_page;
914 	}
915 
916 	if (rp->page < HCI_MAX_PAGES)
917 		memcpy(hdev->features[rp->page], rp->features, 8);
918 
919 	return rp->status;
920 }
921 
922 static u8 hci_cc_read_flow_control_mode(struct hci_dev *hdev, void *data,
923 					struct sk_buff *skb)
924 {
925 	struct hci_rp_read_flow_control_mode *rp = data;
926 
927 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
928 
929 	if (rp->status)
930 		return rp->status;
931 
932 	hdev->flow_ctl_mode = rp->mode;
933 
934 	return rp->status;
935 }
936 
937 static u8 hci_cc_read_buffer_size(struct hci_dev *hdev, void *data,
938 				  struct sk_buff *skb)
939 {
940 	struct hci_rp_read_buffer_size *rp = data;
941 
942 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
943 
944 	if (rp->status)
945 		return rp->status;
946 
947 	hdev->acl_mtu  = __le16_to_cpu(rp->acl_mtu);
948 	hdev->sco_mtu  = rp->sco_mtu;
949 	hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
950 	hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
951 
952 	if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
953 		hdev->sco_mtu  = 64;
954 		hdev->sco_pkts = 8;
955 	}
956 
957 	hdev->acl_cnt = hdev->acl_pkts;
958 	hdev->sco_cnt = hdev->sco_pkts;
959 
960 	BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
961 	       hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
962 
963 	return rp->status;
964 }
965 
966 static u8 hci_cc_read_bd_addr(struct hci_dev *hdev, void *data,
967 			      struct sk_buff *skb)
968 {
969 	struct hci_rp_read_bd_addr *rp = data;
970 
971 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
972 
973 	if (rp->status)
974 		return rp->status;
975 
976 	if (test_bit(HCI_INIT, &hdev->flags))
977 		bacpy(&hdev->bdaddr, &rp->bdaddr);
978 
979 	if (hci_dev_test_flag(hdev, HCI_SETUP))
980 		bacpy(&hdev->setup_addr, &rp->bdaddr);
981 
982 	return rp->status;
983 }
984 
985 static u8 hci_cc_read_local_pairing_opts(struct hci_dev *hdev, void *data,
986 					 struct sk_buff *skb)
987 {
988 	struct hci_rp_read_local_pairing_opts *rp = data;
989 
990 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
991 
992 	if (rp->status)
993 		return rp->status;
994 
995 	if (hci_dev_test_flag(hdev, HCI_SETUP) ||
996 	    hci_dev_test_flag(hdev, HCI_CONFIG)) {
997 		hdev->pairing_opts = rp->pairing_opts;
998 		hdev->max_enc_key_size = rp->max_key_size;
999 	}
1000 
1001 	return rp->status;
1002 }
1003 
1004 static u8 hci_cc_read_page_scan_activity(struct hci_dev *hdev, void *data,
1005 					 struct sk_buff *skb)
1006 {
1007 	struct hci_rp_read_page_scan_activity *rp = data;
1008 
1009 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1010 
1011 	if (rp->status)
1012 		return rp->status;
1013 
1014 	if (test_bit(HCI_INIT, &hdev->flags)) {
1015 		hdev->page_scan_interval = __le16_to_cpu(rp->interval);
1016 		hdev->page_scan_window = __le16_to_cpu(rp->window);
1017 	}
1018 
1019 	return rp->status;
1020 }
1021 
1022 static u8 hci_cc_write_page_scan_activity(struct hci_dev *hdev, void *data,
1023 					  struct sk_buff *skb)
1024 {
1025 	struct hci_ev_status *rp = data;
1026 	struct hci_cp_write_page_scan_activity *sent;
1027 
1028 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1029 
1030 	if (rp->status)
1031 		return rp->status;
1032 
1033 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
1034 	if (!sent)
1035 		return rp->status;
1036 
1037 	hdev->page_scan_interval = __le16_to_cpu(sent->interval);
1038 	hdev->page_scan_window = __le16_to_cpu(sent->window);
1039 
1040 	return rp->status;
1041 }
1042 
1043 static u8 hci_cc_read_page_scan_type(struct hci_dev *hdev, void *data,
1044 				     struct sk_buff *skb)
1045 {
1046 	struct hci_rp_read_page_scan_type *rp = data;
1047 
1048 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1049 
1050 	if (rp->status)
1051 		return rp->status;
1052 
1053 	if (test_bit(HCI_INIT, &hdev->flags))
1054 		hdev->page_scan_type = rp->type;
1055 
1056 	return rp->status;
1057 }
1058 
1059 static u8 hci_cc_write_page_scan_type(struct hci_dev *hdev, void *data,
1060 				      struct sk_buff *skb)
1061 {
1062 	struct hci_ev_status *rp = data;
1063 	u8 *type;
1064 
1065 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1066 
1067 	if (rp->status)
1068 		return rp->status;
1069 
1070 	type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
1071 	if (type)
1072 		hdev->page_scan_type = *type;
1073 
1074 	return rp->status;
1075 }
1076 
1077 static u8 hci_cc_read_data_block_size(struct hci_dev *hdev, void *data,
1078 				      struct sk_buff *skb)
1079 {
1080 	struct hci_rp_read_data_block_size *rp = data;
1081 
1082 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1083 
1084 	if (rp->status)
1085 		return rp->status;
1086 
1087 	hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
1088 	hdev->block_len = __le16_to_cpu(rp->block_len);
1089 	hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
1090 
1091 	hdev->block_cnt = hdev->num_blocks;
1092 
1093 	BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
1094 	       hdev->block_cnt, hdev->block_len);
1095 
1096 	return rp->status;
1097 }
1098 
1099 static u8 hci_cc_read_clock(struct hci_dev *hdev, void *data,
1100 			    struct sk_buff *skb)
1101 {
1102 	struct hci_rp_read_clock *rp = data;
1103 	struct hci_cp_read_clock *cp;
1104 	struct hci_conn *conn;
1105 
1106 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1107 
1108 	if (rp->status)
1109 		return rp->status;
1110 
1111 	hci_dev_lock(hdev);
1112 
1113 	cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
1114 	if (!cp)
1115 		goto unlock;
1116 
1117 	if (cp->which == 0x00) {
1118 		hdev->clock = le32_to_cpu(rp->clock);
1119 		goto unlock;
1120 	}
1121 
1122 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1123 	if (conn) {
1124 		conn->clock = le32_to_cpu(rp->clock);
1125 		conn->clock_accuracy = le16_to_cpu(rp->accuracy);
1126 	}
1127 
1128 unlock:
1129 	hci_dev_unlock(hdev);
1130 	return rp->status;
1131 }
1132 
1133 static u8 hci_cc_read_local_amp_info(struct hci_dev *hdev, void *data,
1134 				     struct sk_buff *skb)
1135 {
1136 	struct hci_rp_read_local_amp_info *rp = data;
1137 
1138 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1139 
1140 	if (rp->status)
1141 		return rp->status;
1142 
1143 	hdev->amp_status = rp->amp_status;
1144 	hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
1145 	hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
1146 	hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
1147 	hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
1148 	hdev->amp_type = rp->amp_type;
1149 	hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
1150 	hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
1151 	hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
1152 	hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
1153 
1154 	return rp->status;
1155 }
1156 
1157 static u8 hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev, void *data,
1158 				       struct sk_buff *skb)
1159 {
1160 	struct hci_rp_read_inq_rsp_tx_power *rp = data;
1161 
1162 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1163 
1164 	if (rp->status)
1165 		return rp->status;
1166 
1167 	hdev->inq_tx_power = rp->tx_power;
1168 
1169 	return rp->status;
1170 }
1171 
1172 static u8 hci_cc_read_def_err_data_reporting(struct hci_dev *hdev, void *data,
1173 					     struct sk_buff *skb)
1174 {
1175 	struct hci_rp_read_def_err_data_reporting *rp = data;
1176 
1177 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1178 
1179 	if (rp->status)
1180 		return rp->status;
1181 
1182 	hdev->err_data_reporting = rp->err_data_reporting;
1183 
1184 	return rp->status;
1185 }
1186 
1187 static u8 hci_cc_write_def_err_data_reporting(struct hci_dev *hdev, void *data,
1188 					      struct sk_buff *skb)
1189 {
1190 	struct hci_ev_status *rp = data;
1191 	struct hci_cp_write_def_err_data_reporting *cp;
1192 
1193 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1194 
1195 	if (rp->status)
1196 		return rp->status;
1197 
1198 	cp = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_ERR_DATA_REPORTING);
1199 	if (!cp)
1200 		return rp->status;
1201 
1202 	hdev->err_data_reporting = cp->err_data_reporting;
1203 
1204 	return rp->status;
1205 }
1206 
1207 static u8 hci_cc_pin_code_reply(struct hci_dev *hdev, void *data,
1208 				struct sk_buff *skb)
1209 {
1210 	struct hci_rp_pin_code_reply *rp = data;
1211 	struct hci_cp_pin_code_reply *cp;
1212 	struct hci_conn *conn;
1213 
1214 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1215 
1216 	hci_dev_lock(hdev);
1217 
1218 	if (hci_dev_test_flag(hdev, HCI_MGMT))
1219 		mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
1220 
1221 	if (rp->status)
1222 		goto unlock;
1223 
1224 	cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
1225 	if (!cp)
1226 		goto unlock;
1227 
1228 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1229 	if (conn)
1230 		conn->pin_length = cp->pin_len;
1231 
1232 unlock:
1233 	hci_dev_unlock(hdev);
1234 	return rp->status;
1235 }
1236 
1237 static u8 hci_cc_pin_code_neg_reply(struct hci_dev *hdev, void *data,
1238 				    struct sk_buff *skb)
1239 {
1240 	struct hci_rp_pin_code_neg_reply *rp = data;
1241 
1242 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1243 
1244 	hci_dev_lock(hdev);
1245 
1246 	if (hci_dev_test_flag(hdev, HCI_MGMT))
1247 		mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
1248 						 rp->status);
1249 
1250 	hci_dev_unlock(hdev);
1251 
1252 	return rp->status;
1253 }
1254 
1255 static u8 hci_cc_le_read_buffer_size(struct hci_dev *hdev, void *data,
1256 				     struct sk_buff *skb)
1257 {
1258 	struct hci_rp_le_read_buffer_size *rp = data;
1259 
1260 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1261 
1262 	if (rp->status)
1263 		return rp->status;
1264 
1265 	hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
1266 	hdev->le_pkts = rp->le_max_pkt;
1267 
1268 	hdev->le_cnt = hdev->le_pkts;
1269 
1270 	BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
1271 
1272 	return rp->status;
1273 }
1274 
1275 static u8 hci_cc_le_read_local_features(struct hci_dev *hdev, void *data,
1276 					struct sk_buff *skb)
1277 {
1278 	struct hci_rp_le_read_local_features *rp = data;
1279 
1280 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1281 
1282 	if (rp->status)
1283 		return rp->status;
1284 
1285 	memcpy(hdev->le_features, rp->features, 8);
1286 
1287 	return rp->status;
1288 }
1289 
1290 static u8 hci_cc_le_read_adv_tx_power(struct hci_dev *hdev, void *data,
1291 				      struct sk_buff *skb)
1292 {
1293 	struct hci_rp_le_read_adv_tx_power *rp = data;
1294 
1295 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1296 
1297 	if (rp->status)
1298 		return rp->status;
1299 
1300 	hdev->adv_tx_power = rp->tx_power;
1301 
1302 	return rp->status;
1303 }
1304 
1305 static u8 hci_cc_user_confirm_reply(struct hci_dev *hdev, void *data,
1306 				    struct sk_buff *skb)
1307 {
1308 	struct hci_rp_user_confirm_reply *rp = data;
1309 
1310 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1311 
1312 	hci_dev_lock(hdev);
1313 
1314 	if (hci_dev_test_flag(hdev, HCI_MGMT))
1315 		mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
1316 						 rp->status);
1317 
1318 	hci_dev_unlock(hdev);
1319 
1320 	return rp->status;
1321 }
1322 
1323 static u8 hci_cc_user_confirm_neg_reply(struct hci_dev *hdev, void *data,
1324 					struct sk_buff *skb)
1325 {
1326 	struct hci_rp_user_confirm_reply *rp = data;
1327 
1328 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1329 
1330 	hci_dev_lock(hdev);
1331 
1332 	if (hci_dev_test_flag(hdev, HCI_MGMT))
1333 		mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
1334 						     ACL_LINK, 0, rp->status);
1335 
1336 	hci_dev_unlock(hdev);
1337 
1338 	return rp->status;
1339 }
1340 
1341 static u8 hci_cc_user_passkey_reply(struct hci_dev *hdev, void *data,
1342 				    struct sk_buff *skb)
1343 {
1344 	struct hci_rp_user_confirm_reply *rp = data;
1345 
1346 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1347 
1348 	hci_dev_lock(hdev);
1349 
1350 	if (hci_dev_test_flag(hdev, HCI_MGMT))
1351 		mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
1352 						 0, rp->status);
1353 
1354 	hci_dev_unlock(hdev);
1355 
1356 	return rp->status;
1357 }
1358 
1359 static u8 hci_cc_user_passkey_neg_reply(struct hci_dev *hdev, void *data,
1360 					struct sk_buff *skb)
1361 {
1362 	struct hci_rp_user_confirm_reply *rp = data;
1363 
1364 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1365 
1366 	hci_dev_lock(hdev);
1367 
1368 	if (hci_dev_test_flag(hdev, HCI_MGMT))
1369 		mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
1370 						     ACL_LINK, 0, rp->status);
1371 
1372 	hci_dev_unlock(hdev);
1373 
1374 	return rp->status;
1375 }
1376 
1377 static u8 hci_cc_read_local_oob_data(struct hci_dev *hdev, void *data,
1378 				     struct sk_buff *skb)
1379 {
1380 	struct hci_rp_read_local_oob_data *rp = data;
1381 
1382 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1383 
1384 	return rp->status;
1385 }
1386 
1387 static u8 hci_cc_read_local_oob_ext_data(struct hci_dev *hdev, void *data,
1388 					 struct sk_buff *skb)
1389 {
1390 	struct hci_rp_read_local_oob_ext_data *rp = data;
1391 
1392 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1393 
1394 	return rp->status;
1395 }
1396 
1397 static u8 hci_cc_le_set_random_addr(struct hci_dev *hdev, void *data,
1398 				    struct sk_buff *skb)
1399 {
1400 	struct hci_ev_status *rp = data;
1401 	bdaddr_t *sent;
1402 
1403 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1404 
1405 	if (rp->status)
1406 		return rp->status;
1407 
1408 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1409 	if (!sent)
1410 		return rp->status;
1411 
1412 	hci_dev_lock(hdev);
1413 
1414 	bacpy(&hdev->random_addr, sent);
1415 
1416 	if (!bacmp(&hdev->rpa, sent)) {
1417 		hci_dev_clear_flag(hdev, HCI_RPA_EXPIRED);
1418 		queue_delayed_work(hdev->workqueue, &hdev->rpa_expired,
1419 				   secs_to_jiffies(hdev->rpa_timeout));
1420 	}
1421 
1422 	hci_dev_unlock(hdev);
1423 
1424 	return rp->status;
1425 }
1426 
1427 static u8 hci_cc_le_set_default_phy(struct hci_dev *hdev, void *data,
1428 				    struct sk_buff *skb)
1429 {
1430 	struct hci_ev_status *rp = data;
1431 	struct hci_cp_le_set_default_phy *cp;
1432 
1433 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1434 
1435 	if (rp->status)
1436 		return rp->status;
1437 
1438 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_DEFAULT_PHY);
1439 	if (!cp)
1440 		return rp->status;
1441 
1442 	hci_dev_lock(hdev);
1443 
1444 	hdev->le_tx_def_phys = cp->tx_phys;
1445 	hdev->le_rx_def_phys = cp->rx_phys;
1446 
1447 	hci_dev_unlock(hdev);
1448 
1449 	return rp->status;
1450 }
1451 
1452 static u8 hci_cc_le_set_adv_set_random_addr(struct hci_dev *hdev, void *data,
1453 					    struct sk_buff *skb)
1454 {
1455 	struct hci_ev_status *rp = data;
1456 	struct hci_cp_le_set_adv_set_rand_addr *cp;
1457 	struct adv_info *adv;
1458 
1459 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1460 
1461 	if (rp->status)
1462 		return rp->status;
1463 
1464 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_SET_RAND_ADDR);
1465 	/* Update only in case the adv instance since handle 0x00 shall be using
1466 	 * HCI_OP_LE_SET_RANDOM_ADDR since that allows both extended and
1467 	 * non-extended adverting.
1468 	 */
1469 	if (!cp || !cp->handle)
1470 		return rp->status;
1471 
1472 	hci_dev_lock(hdev);
1473 
1474 	adv = hci_find_adv_instance(hdev, cp->handle);
1475 	if (adv) {
1476 		bacpy(&adv->random_addr, &cp->bdaddr);
1477 		if (!bacmp(&hdev->rpa, &cp->bdaddr)) {
1478 			adv->rpa_expired = false;
1479 			queue_delayed_work(hdev->workqueue,
1480 					   &adv->rpa_expired_cb,
1481 					   secs_to_jiffies(hdev->rpa_timeout));
1482 		}
1483 	}
1484 
1485 	hci_dev_unlock(hdev);
1486 
1487 	return rp->status;
1488 }
1489 
1490 static u8 hci_cc_le_remove_adv_set(struct hci_dev *hdev, void *data,
1491 				   struct sk_buff *skb)
1492 {
1493 	struct hci_ev_status *rp = data;
1494 	u8 *instance;
1495 	int err;
1496 
1497 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1498 
1499 	if (rp->status)
1500 		return rp->status;
1501 
1502 	instance = hci_sent_cmd_data(hdev, HCI_OP_LE_REMOVE_ADV_SET);
1503 	if (!instance)
1504 		return rp->status;
1505 
1506 	hci_dev_lock(hdev);
1507 
1508 	err = hci_remove_adv_instance(hdev, *instance);
1509 	if (!err)
1510 		mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd), hdev,
1511 					 *instance);
1512 
1513 	hci_dev_unlock(hdev);
1514 
1515 	return rp->status;
1516 }
1517 
1518 static u8 hci_cc_le_clear_adv_sets(struct hci_dev *hdev, void *data,
1519 				   struct sk_buff *skb)
1520 {
1521 	struct hci_ev_status *rp = data;
1522 	struct adv_info *adv, *n;
1523 	int err;
1524 
1525 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1526 
1527 	if (rp->status)
1528 		return rp->status;
1529 
1530 	if (!hci_sent_cmd_data(hdev, HCI_OP_LE_CLEAR_ADV_SETS))
1531 		return rp->status;
1532 
1533 	hci_dev_lock(hdev);
1534 
1535 	list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) {
1536 		u8 instance = adv->instance;
1537 
1538 		err = hci_remove_adv_instance(hdev, instance);
1539 		if (!err)
1540 			mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd),
1541 						 hdev, instance);
1542 	}
1543 
1544 	hci_dev_unlock(hdev);
1545 
1546 	return rp->status;
1547 }
1548 
1549 static u8 hci_cc_le_read_transmit_power(struct hci_dev *hdev, void *data,
1550 					struct sk_buff *skb)
1551 {
1552 	struct hci_rp_le_read_transmit_power *rp = data;
1553 
1554 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1555 
1556 	if (rp->status)
1557 		return rp->status;
1558 
1559 	hdev->min_le_tx_power = rp->min_le_tx_power;
1560 	hdev->max_le_tx_power = rp->max_le_tx_power;
1561 
1562 	return rp->status;
1563 }
1564 
1565 static u8 hci_cc_le_set_privacy_mode(struct hci_dev *hdev, void *data,
1566 				     struct sk_buff *skb)
1567 {
1568 	struct hci_ev_status *rp = data;
1569 	struct hci_cp_le_set_privacy_mode *cp;
1570 	struct hci_conn_params *params;
1571 
1572 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1573 
1574 	if (rp->status)
1575 		return rp->status;
1576 
1577 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PRIVACY_MODE);
1578 	if (!cp)
1579 		return rp->status;
1580 
1581 	hci_dev_lock(hdev);
1582 
1583 	params = hci_conn_params_lookup(hdev, &cp->bdaddr, cp->bdaddr_type);
1584 	if (params)
1585 		WRITE_ONCE(params->privacy_mode, cp->mode);
1586 
1587 	hci_dev_unlock(hdev);
1588 
1589 	return rp->status;
1590 }
1591 
1592 static u8 hci_cc_le_set_adv_enable(struct hci_dev *hdev, void *data,
1593 				   struct sk_buff *skb)
1594 {
1595 	struct hci_ev_status *rp = data;
1596 	__u8 *sent;
1597 
1598 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1599 
1600 	if (rp->status)
1601 		return rp->status;
1602 
1603 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1604 	if (!sent)
1605 		return rp->status;
1606 
1607 	hci_dev_lock(hdev);
1608 
1609 	/* If we're doing connection initiation as peripheral. Set a
1610 	 * timeout in case something goes wrong.
1611 	 */
1612 	if (*sent) {
1613 		struct hci_conn *conn;
1614 
1615 		hci_dev_set_flag(hdev, HCI_LE_ADV);
1616 
1617 		conn = hci_lookup_le_connect(hdev);
1618 		if (conn)
1619 			queue_delayed_work(hdev->workqueue,
1620 					   &conn->le_conn_timeout,
1621 					   conn->conn_timeout);
1622 	} else {
1623 		hci_dev_clear_flag(hdev, HCI_LE_ADV);
1624 	}
1625 
1626 	hci_dev_unlock(hdev);
1627 
1628 	return rp->status;
1629 }
1630 
1631 static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data,
1632 				       struct sk_buff *skb)
1633 {
1634 	struct hci_cp_le_set_ext_adv_enable *cp;
1635 	struct hci_cp_ext_adv_set *set;
1636 	struct adv_info *adv = NULL, *n;
1637 	struct hci_ev_status *rp = data;
1638 
1639 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1640 
1641 	if (rp->status)
1642 		return rp->status;
1643 
1644 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE);
1645 	if (!cp)
1646 		return rp->status;
1647 
1648 	set = (void *)cp->data;
1649 
1650 	hci_dev_lock(hdev);
1651 
1652 	if (cp->num_of_sets)
1653 		adv = hci_find_adv_instance(hdev, set->handle);
1654 
1655 	if (cp->enable) {
1656 		struct hci_conn *conn;
1657 
1658 		hci_dev_set_flag(hdev, HCI_LE_ADV);
1659 
1660 		if (adv && !adv->periodic)
1661 			adv->enabled = true;
1662 
1663 		conn = hci_lookup_le_connect(hdev);
1664 		if (conn)
1665 			queue_delayed_work(hdev->workqueue,
1666 					   &conn->le_conn_timeout,
1667 					   conn->conn_timeout);
1668 	} else {
1669 		if (cp->num_of_sets) {
1670 			if (adv)
1671 				adv->enabled = false;
1672 
1673 			/* If just one instance was disabled check if there are
1674 			 * any other instance enabled before clearing HCI_LE_ADV
1675 			 */
1676 			list_for_each_entry_safe(adv, n, &hdev->adv_instances,
1677 						 list) {
1678 				if (adv->enabled)
1679 					goto unlock;
1680 			}
1681 		} else {
1682 			/* All instances shall be considered disabled */
1683 			list_for_each_entry_safe(adv, n, &hdev->adv_instances,
1684 						 list)
1685 				adv->enabled = false;
1686 		}
1687 
1688 		hci_dev_clear_flag(hdev, HCI_LE_ADV);
1689 	}
1690 
1691 unlock:
1692 	hci_dev_unlock(hdev);
1693 	return rp->status;
1694 }
1695 
1696 static u8 hci_cc_le_set_scan_param(struct hci_dev *hdev, void *data,
1697 				   struct sk_buff *skb)
1698 {
1699 	struct hci_cp_le_set_scan_param *cp;
1700 	struct hci_ev_status *rp = data;
1701 
1702 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1703 
1704 	if (rp->status)
1705 		return rp->status;
1706 
1707 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1708 	if (!cp)
1709 		return rp->status;
1710 
1711 	hci_dev_lock(hdev);
1712 
1713 	hdev->le_scan_type = cp->type;
1714 
1715 	hci_dev_unlock(hdev);
1716 
1717 	return rp->status;
1718 }
1719 
1720 static u8 hci_cc_le_set_ext_scan_param(struct hci_dev *hdev, void *data,
1721 				       struct sk_buff *skb)
1722 {
1723 	struct hci_cp_le_set_ext_scan_params *cp;
1724 	struct hci_ev_status *rp = data;
1725 	struct hci_cp_le_scan_phy_params *phy_param;
1726 
1727 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1728 
1729 	if (rp->status)
1730 		return rp->status;
1731 
1732 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS);
1733 	if (!cp)
1734 		return rp->status;
1735 
1736 	phy_param = (void *)cp->data;
1737 
1738 	hci_dev_lock(hdev);
1739 
1740 	hdev->le_scan_type = phy_param->type;
1741 
1742 	hci_dev_unlock(hdev);
1743 
1744 	return rp->status;
1745 }
1746 
1747 static bool has_pending_adv_report(struct hci_dev *hdev)
1748 {
1749 	struct discovery_state *d = &hdev->discovery;
1750 
1751 	return bacmp(&d->last_adv_addr, BDADDR_ANY);
1752 }
1753 
1754 static void clear_pending_adv_report(struct hci_dev *hdev)
1755 {
1756 	struct discovery_state *d = &hdev->discovery;
1757 
1758 	bacpy(&d->last_adv_addr, BDADDR_ANY);
1759 	d->last_adv_data_len = 0;
1760 }
1761 
1762 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1763 				     u8 bdaddr_type, s8 rssi, u32 flags,
1764 				     u8 *data, u8 len)
1765 {
1766 	struct discovery_state *d = &hdev->discovery;
1767 
1768 	if (len > max_adv_len(hdev))
1769 		return;
1770 
1771 	bacpy(&d->last_adv_addr, bdaddr);
1772 	d->last_adv_addr_type = bdaddr_type;
1773 	d->last_adv_rssi = rssi;
1774 	d->last_adv_flags = flags;
1775 	memcpy(d->last_adv_data, data, len);
1776 	d->last_adv_data_len = len;
1777 }
1778 
1779 static void le_set_scan_enable_complete(struct hci_dev *hdev, u8 enable)
1780 {
1781 	hci_dev_lock(hdev);
1782 
1783 	switch (enable) {
1784 	case LE_SCAN_ENABLE:
1785 		hci_dev_set_flag(hdev, HCI_LE_SCAN);
1786 		if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1787 			clear_pending_adv_report(hdev);
1788 		if (hci_dev_test_flag(hdev, HCI_MESH))
1789 			hci_discovery_set_state(hdev, DISCOVERY_FINDING);
1790 		break;
1791 
1792 	case LE_SCAN_DISABLE:
1793 		/* We do this here instead of when setting DISCOVERY_STOPPED
1794 		 * since the latter would potentially require waiting for
1795 		 * inquiry to stop too.
1796 		 */
1797 		if (has_pending_adv_report(hdev)) {
1798 			struct discovery_state *d = &hdev->discovery;
1799 
1800 			mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1801 					  d->last_adv_addr_type, NULL,
1802 					  d->last_adv_rssi, d->last_adv_flags,
1803 					  d->last_adv_data,
1804 					  d->last_adv_data_len, NULL, 0, 0);
1805 		}
1806 
1807 		/* Cancel this timer so that we don't try to disable scanning
1808 		 * when it's already disabled.
1809 		 */
1810 		cancel_delayed_work(&hdev->le_scan_disable);
1811 
1812 		hci_dev_clear_flag(hdev, HCI_LE_SCAN);
1813 
1814 		/* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1815 		 * interrupted scanning due to a connect request. Mark
1816 		 * therefore discovery as stopped.
1817 		 */
1818 		if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))
1819 			hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1820 		else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) &&
1821 			 hdev->discovery.state == DISCOVERY_FINDING)
1822 			queue_work(hdev->workqueue, &hdev->reenable_adv_work);
1823 
1824 		break;
1825 
1826 	default:
1827 		bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d",
1828 			   enable);
1829 		break;
1830 	}
1831 
1832 	hci_dev_unlock(hdev);
1833 }
1834 
1835 static u8 hci_cc_le_set_scan_enable(struct hci_dev *hdev, void *data,
1836 				    struct sk_buff *skb)
1837 {
1838 	struct hci_cp_le_set_scan_enable *cp;
1839 	struct hci_ev_status *rp = data;
1840 
1841 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1842 
1843 	if (rp->status)
1844 		return rp->status;
1845 
1846 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1847 	if (!cp)
1848 		return rp->status;
1849 
1850 	le_set_scan_enable_complete(hdev, cp->enable);
1851 
1852 	return rp->status;
1853 }
1854 
1855 static u8 hci_cc_le_set_ext_scan_enable(struct hci_dev *hdev, void *data,
1856 					struct sk_buff *skb)
1857 {
1858 	struct hci_cp_le_set_ext_scan_enable *cp;
1859 	struct hci_ev_status *rp = data;
1860 
1861 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1862 
1863 	if (rp->status)
1864 		return rp->status;
1865 
1866 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_ENABLE);
1867 	if (!cp)
1868 		return rp->status;
1869 
1870 	le_set_scan_enable_complete(hdev, cp->enable);
1871 
1872 	return rp->status;
1873 }
1874 
1875 static u8 hci_cc_le_read_num_adv_sets(struct hci_dev *hdev, void *data,
1876 				      struct sk_buff *skb)
1877 {
1878 	struct hci_rp_le_read_num_supported_adv_sets *rp = data;
1879 
1880 	bt_dev_dbg(hdev, "status 0x%2.2x No of Adv sets %u", rp->status,
1881 		   rp->num_of_sets);
1882 
1883 	if (rp->status)
1884 		return rp->status;
1885 
1886 	hdev->le_num_of_adv_sets = rp->num_of_sets;
1887 
1888 	return rp->status;
1889 }
1890 
1891 static u8 hci_cc_le_read_accept_list_size(struct hci_dev *hdev, void *data,
1892 					  struct sk_buff *skb)
1893 {
1894 	struct hci_rp_le_read_accept_list_size *rp = data;
1895 
1896 	bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size);
1897 
1898 	if (rp->status)
1899 		return rp->status;
1900 
1901 	hdev->le_accept_list_size = rp->size;
1902 
1903 	return rp->status;
1904 }
1905 
1906 static u8 hci_cc_le_clear_accept_list(struct hci_dev *hdev, void *data,
1907 				      struct sk_buff *skb)
1908 {
1909 	struct hci_ev_status *rp = data;
1910 
1911 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1912 
1913 	if (rp->status)
1914 		return rp->status;
1915 
1916 	hci_dev_lock(hdev);
1917 	hci_bdaddr_list_clear(&hdev->le_accept_list);
1918 	hci_dev_unlock(hdev);
1919 
1920 	return rp->status;
1921 }
1922 
1923 static u8 hci_cc_le_add_to_accept_list(struct hci_dev *hdev, void *data,
1924 				       struct sk_buff *skb)
1925 {
1926 	struct hci_cp_le_add_to_accept_list *sent;
1927 	struct hci_ev_status *rp = data;
1928 
1929 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1930 
1931 	if (rp->status)
1932 		return rp->status;
1933 
1934 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_ACCEPT_LIST);
1935 	if (!sent)
1936 		return rp->status;
1937 
1938 	hci_dev_lock(hdev);
1939 	hci_bdaddr_list_add(&hdev->le_accept_list, &sent->bdaddr,
1940 			    sent->bdaddr_type);
1941 	hci_dev_unlock(hdev);
1942 
1943 	return rp->status;
1944 }
1945 
1946 static u8 hci_cc_le_del_from_accept_list(struct hci_dev *hdev, void *data,
1947 					 struct sk_buff *skb)
1948 {
1949 	struct hci_cp_le_del_from_accept_list *sent;
1950 	struct hci_ev_status *rp = data;
1951 
1952 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1953 
1954 	if (rp->status)
1955 		return rp->status;
1956 
1957 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_ACCEPT_LIST);
1958 	if (!sent)
1959 		return rp->status;
1960 
1961 	hci_dev_lock(hdev);
1962 	hci_bdaddr_list_del(&hdev->le_accept_list, &sent->bdaddr,
1963 			    sent->bdaddr_type);
1964 	hci_dev_unlock(hdev);
1965 
1966 	return rp->status;
1967 }
1968 
1969 static u8 hci_cc_le_read_supported_states(struct hci_dev *hdev, void *data,
1970 					  struct sk_buff *skb)
1971 {
1972 	struct hci_rp_le_read_supported_states *rp = data;
1973 
1974 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1975 
1976 	if (rp->status)
1977 		return rp->status;
1978 
1979 	memcpy(hdev->le_states, rp->le_states, 8);
1980 
1981 	return rp->status;
1982 }
1983 
1984 static u8 hci_cc_le_read_def_data_len(struct hci_dev *hdev, void *data,
1985 				      struct sk_buff *skb)
1986 {
1987 	struct hci_rp_le_read_def_data_len *rp = data;
1988 
1989 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1990 
1991 	if (rp->status)
1992 		return rp->status;
1993 
1994 	hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
1995 	hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
1996 
1997 	return rp->status;
1998 }
1999 
2000 static u8 hci_cc_le_write_def_data_len(struct hci_dev *hdev, void *data,
2001 				       struct sk_buff *skb)
2002 {
2003 	struct hci_cp_le_write_def_data_len *sent;
2004 	struct hci_ev_status *rp = data;
2005 
2006 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2007 
2008 	if (rp->status)
2009 		return rp->status;
2010 
2011 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
2012 	if (!sent)
2013 		return rp->status;
2014 
2015 	hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
2016 	hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
2017 
2018 	return rp->status;
2019 }
2020 
2021 static u8 hci_cc_le_add_to_resolv_list(struct hci_dev *hdev, void *data,
2022 				       struct sk_buff *skb)
2023 {
2024 	struct hci_cp_le_add_to_resolv_list *sent;
2025 	struct hci_ev_status *rp = data;
2026 
2027 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2028 
2029 	if (rp->status)
2030 		return rp->status;
2031 
2032 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_RESOLV_LIST);
2033 	if (!sent)
2034 		return rp->status;
2035 
2036 	hci_dev_lock(hdev);
2037 	hci_bdaddr_list_add_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
2038 				sent->bdaddr_type, sent->peer_irk,
2039 				sent->local_irk);
2040 	hci_dev_unlock(hdev);
2041 
2042 	return rp->status;
2043 }
2044 
2045 static u8 hci_cc_le_del_from_resolv_list(struct hci_dev *hdev, void *data,
2046 					 struct sk_buff *skb)
2047 {
2048 	struct hci_cp_le_del_from_resolv_list *sent;
2049 	struct hci_ev_status *rp = data;
2050 
2051 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2052 
2053 	if (rp->status)
2054 		return rp->status;
2055 
2056 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_RESOLV_LIST);
2057 	if (!sent)
2058 		return rp->status;
2059 
2060 	hci_dev_lock(hdev);
2061 	hci_bdaddr_list_del_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
2062 			    sent->bdaddr_type);
2063 	hci_dev_unlock(hdev);
2064 
2065 	return rp->status;
2066 }
2067 
2068 static u8 hci_cc_le_clear_resolv_list(struct hci_dev *hdev, void *data,
2069 				      struct sk_buff *skb)
2070 {
2071 	struct hci_ev_status *rp = data;
2072 
2073 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2074 
2075 	if (rp->status)
2076 		return rp->status;
2077 
2078 	hci_dev_lock(hdev);
2079 	hci_bdaddr_list_clear(&hdev->le_resolv_list);
2080 	hci_dev_unlock(hdev);
2081 
2082 	return rp->status;
2083 }
2084 
2085 static u8 hci_cc_le_read_resolv_list_size(struct hci_dev *hdev, void *data,
2086 					  struct sk_buff *skb)
2087 {
2088 	struct hci_rp_le_read_resolv_list_size *rp = data;
2089 
2090 	bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size);
2091 
2092 	if (rp->status)
2093 		return rp->status;
2094 
2095 	hdev->le_resolv_list_size = rp->size;
2096 
2097 	return rp->status;
2098 }
2099 
2100 static u8 hci_cc_le_set_addr_resolution_enable(struct hci_dev *hdev, void *data,
2101 					       struct sk_buff *skb)
2102 {
2103 	struct hci_ev_status *rp = data;
2104 	__u8 *sent;
2105 
2106 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2107 
2108 	if (rp->status)
2109 		return rp->status;
2110 
2111 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE);
2112 	if (!sent)
2113 		return rp->status;
2114 
2115 	hci_dev_lock(hdev);
2116 
2117 	if (*sent)
2118 		hci_dev_set_flag(hdev, HCI_LL_RPA_RESOLUTION);
2119 	else
2120 		hci_dev_clear_flag(hdev, HCI_LL_RPA_RESOLUTION);
2121 
2122 	hci_dev_unlock(hdev);
2123 
2124 	return rp->status;
2125 }
2126 
2127 static u8 hci_cc_le_read_max_data_len(struct hci_dev *hdev, void *data,
2128 				      struct sk_buff *skb)
2129 {
2130 	struct hci_rp_le_read_max_data_len *rp = data;
2131 
2132 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2133 
2134 	if (rp->status)
2135 		return rp->status;
2136 
2137 	hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
2138 	hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
2139 	hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
2140 	hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
2141 
2142 	return rp->status;
2143 }
2144 
2145 static u8 hci_cc_write_le_host_supported(struct hci_dev *hdev, void *data,
2146 					 struct sk_buff *skb)
2147 {
2148 	struct hci_cp_write_le_host_supported *sent;
2149 	struct hci_ev_status *rp = data;
2150 
2151 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2152 
2153 	if (rp->status)
2154 		return rp->status;
2155 
2156 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
2157 	if (!sent)
2158 		return rp->status;
2159 
2160 	hci_dev_lock(hdev);
2161 
2162 	if (sent->le) {
2163 		hdev->features[1][0] |= LMP_HOST_LE;
2164 		hci_dev_set_flag(hdev, HCI_LE_ENABLED);
2165 	} else {
2166 		hdev->features[1][0] &= ~LMP_HOST_LE;
2167 		hci_dev_clear_flag(hdev, HCI_LE_ENABLED);
2168 		hci_dev_clear_flag(hdev, HCI_ADVERTISING);
2169 	}
2170 
2171 	if (sent->simul)
2172 		hdev->features[1][0] |= LMP_HOST_LE_BREDR;
2173 	else
2174 		hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
2175 
2176 	hci_dev_unlock(hdev);
2177 
2178 	return rp->status;
2179 }
2180 
2181 static u8 hci_cc_set_adv_param(struct hci_dev *hdev, void *data,
2182 			       struct sk_buff *skb)
2183 {
2184 	struct hci_cp_le_set_adv_param *cp;
2185 	struct hci_ev_status *rp = data;
2186 
2187 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2188 
2189 	if (rp->status)
2190 		return rp->status;
2191 
2192 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
2193 	if (!cp)
2194 		return rp->status;
2195 
2196 	hci_dev_lock(hdev);
2197 	hdev->adv_addr_type = cp->own_address_type;
2198 	hci_dev_unlock(hdev);
2199 
2200 	return rp->status;
2201 }
2202 
2203 static u8 hci_cc_set_ext_adv_param(struct hci_dev *hdev, void *data,
2204 				   struct sk_buff *skb)
2205 {
2206 	struct hci_rp_le_set_ext_adv_params *rp = data;
2207 	struct hci_cp_le_set_ext_adv_params *cp;
2208 	struct adv_info *adv_instance;
2209 
2210 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2211 
2212 	if (rp->status)
2213 		return rp->status;
2214 
2215 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS);
2216 	if (!cp)
2217 		return rp->status;
2218 
2219 	hci_dev_lock(hdev);
2220 	hdev->adv_addr_type = cp->own_addr_type;
2221 	if (!cp->handle) {
2222 		/* Store in hdev for instance 0 */
2223 		hdev->adv_tx_power = rp->tx_power;
2224 	} else {
2225 		adv_instance = hci_find_adv_instance(hdev, cp->handle);
2226 		if (adv_instance)
2227 			adv_instance->tx_power = rp->tx_power;
2228 	}
2229 	/* Update adv data as tx power is known now */
2230 	hci_update_adv_data(hdev, cp->handle);
2231 
2232 	hci_dev_unlock(hdev);
2233 
2234 	return rp->status;
2235 }
2236 
2237 static u8 hci_cc_read_rssi(struct hci_dev *hdev, void *data,
2238 			   struct sk_buff *skb)
2239 {
2240 	struct hci_rp_read_rssi *rp = data;
2241 	struct hci_conn *conn;
2242 
2243 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2244 
2245 	if (rp->status)
2246 		return rp->status;
2247 
2248 	hci_dev_lock(hdev);
2249 
2250 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
2251 	if (conn)
2252 		conn->rssi = rp->rssi;
2253 
2254 	hci_dev_unlock(hdev);
2255 
2256 	return rp->status;
2257 }
2258 
2259 static u8 hci_cc_read_tx_power(struct hci_dev *hdev, void *data,
2260 			       struct sk_buff *skb)
2261 {
2262 	struct hci_cp_read_tx_power *sent;
2263 	struct hci_rp_read_tx_power *rp = data;
2264 	struct hci_conn *conn;
2265 
2266 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2267 
2268 	if (rp->status)
2269 		return rp->status;
2270 
2271 	sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
2272 	if (!sent)
2273 		return rp->status;
2274 
2275 	hci_dev_lock(hdev);
2276 
2277 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
2278 	if (!conn)
2279 		goto unlock;
2280 
2281 	switch (sent->type) {
2282 	case 0x00:
2283 		conn->tx_power = rp->tx_power;
2284 		break;
2285 	case 0x01:
2286 		conn->max_tx_power = rp->tx_power;
2287 		break;
2288 	}
2289 
2290 unlock:
2291 	hci_dev_unlock(hdev);
2292 	return rp->status;
2293 }
2294 
2295 static u8 hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, void *data,
2296 				      struct sk_buff *skb)
2297 {
2298 	struct hci_ev_status *rp = data;
2299 	u8 *mode;
2300 
2301 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2302 
2303 	if (rp->status)
2304 		return rp->status;
2305 
2306 	mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);
2307 	if (mode)
2308 		hdev->ssp_debug_mode = *mode;
2309 
2310 	return rp->status;
2311 }
2312 
2313 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
2314 {
2315 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2316 
2317 	if (status) {
2318 		hci_conn_check_pending(hdev);
2319 		return;
2320 	}
2321 
2322 	if (hci_sent_cmd_data(hdev, HCI_OP_INQUIRY))
2323 		set_bit(HCI_INQUIRY, &hdev->flags);
2324 }
2325 
2326 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
2327 {
2328 	struct hci_cp_create_conn *cp;
2329 	struct hci_conn *conn;
2330 
2331 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2332 
2333 	cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
2334 	if (!cp)
2335 		return;
2336 
2337 	hci_dev_lock(hdev);
2338 
2339 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2340 
2341 	bt_dev_dbg(hdev, "bdaddr %pMR hcon %p", &cp->bdaddr, conn);
2342 
2343 	if (status) {
2344 		if (conn && conn->state == BT_CONNECT) {
2345 			if (status != 0x0c || conn->attempt > 2) {
2346 				conn->state = BT_CLOSED;
2347 				hci_connect_cfm(conn, status);
2348 				hci_conn_del(conn);
2349 			} else
2350 				conn->state = BT_CONNECT2;
2351 		}
2352 	} else {
2353 		if (!conn) {
2354 			conn = hci_conn_add_unset(hdev, ACL_LINK, &cp->bdaddr,
2355 						  HCI_ROLE_MASTER);
2356 			if (!conn)
2357 				bt_dev_err(hdev, "no memory for new connection");
2358 		}
2359 	}
2360 
2361 	hci_dev_unlock(hdev);
2362 }
2363 
2364 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
2365 {
2366 	struct hci_cp_add_sco *cp;
2367 	struct hci_conn *acl;
2368 	struct hci_link *link;
2369 	__u16 handle;
2370 
2371 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2372 
2373 	if (!status)
2374 		return;
2375 
2376 	cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
2377 	if (!cp)
2378 		return;
2379 
2380 	handle = __le16_to_cpu(cp->handle);
2381 
2382 	bt_dev_dbg(hdev, "handle 0x%4.4x", handle);
2383 
2384 	hci_dev_lock(hdev);
2385 
2386 	acl = hci_conn_hash_lookup_handle(hdev, handle);
2387 	if (acl) {
2388 		link = list_first_entry_or_null(&acl->link_list,
2389 						struct hci_link, list);
2390 		if (link && link->conn) {
2391 			link->conn->state = BT_CLOSED;
2392 
2393 			hci_connect_cfm(link->conn, status);
2394 			hci_conn_del(link->conn);
2395 		}
2396 	}
2397 
2398 	hci_dev_unlock(hdev);
2399 }
2400 
2401 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
2402 {
2403 	struct hci_cp_auth_requested *cp;
2404 	struct hci_conn *conn;
2405 
2406 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2407 
2408 	if (!status)
2409 		return;
2410 
2411 	cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
2412 	if (!cp)
2413 		return;
2414 
2415 	hci_dev_lock(hdev);
2416 
2417 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2418 	if (conn) {
2419 		if (conn->state == BT_CONFIG) {
2420 			hci_connect_cfm(conn, status);
2421 			hci_conn_drop(conn);
2422 		}
2423 	}
2424 
2425 	hci_dev_unlock(hdev);
2426 }
2427 
2428 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
2429 {
2430 	struct hci_cp_set_conn_encrypt *cp;
2431 	struct hci_conn *conn;
2432 
2433 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2434 
2435 	if (!status)
2436 		return;
2437 
2438 	cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
2439 	if (!cp)
2440 		return;
2441 
2442 	hci_dev_lock(hdev);
2443 
2444 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2445 	if (conn) {
2446 		if (conn->state == BT_CONFIG) {
2447 			hci_connect_cfm(conn, status);
2448 			hci_conn_drop(conn);
2449 		}
2450 	}
2451 
2452 	hci_dev_unlock(hdev);
2453 }
2454 
2455 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
2456 				    struct hci_conn *conn)
2457 {
2458 	if (conn->state != BT_CONFIG || !conn->out)
2459 		return 0;
2460 
2461 	if (conn->pending_sec_level == BT_SECURITY_SDP)
2462 		return 0;
2463 
2464 	/* Only request authentication for SSP connections or non-SSP
2465 	 * devices with sec_level MEDIUM or HIGH or if MITM protection
2466 	 * is requested.
2467 	 */
2468 	if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
2469 	    conn->pending_sec_level != BT_SECURITY_FIPS &&
2470 	    conn->pending_sec_level != BT_SECURITY_HIGH &&
2471 	    conn->pending_sec_level != BT_SECURITY_MEDIUM)
2472 		return 0;
2473 
2474 	return 1;
2475 }
2476 
2477 static int hci_resolve_name(struct hci_dev *hdev,
2478 				   struct inquiry_entry *e)
2479 {
2480 	struct hci_cp_remote_name_req cp;
2481 
2482 	memset(&cp, 0, sizeof(cp));
2483 
2484 	bacpy(&cp.bdaddr, &e->data.bdaddr);
2485 	cp.pscan_rep_mode = e->data.pscan_rep_mode;
2486 	cp.pscan_mode = e->data.pscan_mode;
2487 	cp.clock_offset = e->data.clock_offset;
2488 
2489 	return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2490 }
2491 
2492 static bool hci_resolve_next_name(struct hci_dev *hdev)
2493 {
2494 	struct discovery_state *discov = &hdev->discovery;
2495 	struct inquiry_entry *e;
2496 
2497 	if (list_empty(&discov->resolve))
2498 		return false;
2499 
2500 	/* We should stop if we already spent too much time resolving names. */
2501 	if (time_after(jiffies, discov->name_resolve_timeout)) {
2502 		bt_dev_warn_ratelimited(hdev, "Name resolve takes too long.");
2503 		return false;
2504 	}
2505 
2506 	e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2507 	if (!e)
2508 		return false;
2509 
2510 	if (hci_resolve_name(hdev, e) == 0) {
2511 		e->name_state = NAME_PENDING;
2512 		return true;
2513 	}
2514 
2515 	return false;
2516 }
2517 
2518 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
2519 				   bdaddr_t *bdaddr, u8 *name, u8 name_len)
2520 {
2521 	struct discovery_state *discov = &hdev->discovery;
2522 	struct inquiry_entry *e;
2523 
2524 	/* Update the mgmt connected state if necessary. Be careful with
2525 	 * conn objects that exist but are not (yet) connected however.
2526 	 * Only those in BT_CONFIG or BT_CONNECTED states can be
2527 	 * considered connected.
2528 	 */
2529 	if (conn &&
2530 	    (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) &&
2531 	    !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2532 		mgmt_device_connected(hdev, conn, name, name_len);
2533 
2534 	if (discov->state == DISCOVERY_STOPPED)
2535 		return;
2536 
2537 	if (discov->state == DISCOVERY_STOPPING)
2538 		goto discov_complete;
2539 
2540 	if (discov->state != DISCOVERY_RESOLVING)
2541 		return;
2542 
2543 	e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
2544 	/* If the device was not found in a list of found devices names of which
2545 	 * are pending. there is no need to continue resolving a next name as it
2546 	 * will be done upon receiving another Remote Name Request Complete
2547 	 * Event */
2548 	if (!e)
2549 		return;
2550 
2551 	list_del(&e->list);
2552 
2553 	e->name_state = name ? NAME_KNOWN : NAME_NOT_KNOWN;
2554 	mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00, e->data.rssi,
2555 			 name, name_len);
2556 
2557 	if (hci_resolve_next_name(hdev))
2558 		return;
2559 
2560 discov_complete:
2561 	hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2562 }
2563 
2564 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
2565 {
2566 	struct hci_cp_remote_name_req *cp;
2567 	struct hci_conn *conn;
2568 
2569 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2570 
2571 	/* If successful wait for the name req complete event before
2572 	 * checking for the need to do authentication */
2573 	if (!status)
2574 		return;
2575 
2576 	cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
2577 	if (!cp)
2578 		return;
2579 
2580 	hci_dev_lock(hdev);
2581 
2582 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2583 
2584 	if (hci_dev_test_flag(hdev, HCI_MGMT))
2585 		hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
2586 
2587 	if (!conn)
2588 		goto unlock;
2589 
2590 	if (!hci_outgoing_auth_needed(hdev, conn))
2591 		goto unlock;
2592 
2593 	if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2594 		struct hci_cp_auth_requested auth_cp;
2595 
2596 		set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2597 
2598 		auth_cp.handle = __cpu_to_le16(conn->handle);
2599 		hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
2600 			     sizeof(auth_cp), &auth_cp);
2601 	}
2602 
2603 unlock:
2604 	hci_dev_unlock(hdev);
2605 }
2606 
2607 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
2608 {
2609 	struct hci_cp_read_remote_features *cp;
2610 	struct hci_conn *conn;
2611 
2612 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2613 
2614 	if (!status)
2615 		return;
2616 
2617 	cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
2618 	if (!cp)
2619 		return;
2620 
2621 	hci_dev_lock(hdev);
2622 
2623 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2624 	if (conn) {
2625 		if (conn->state == BT_CONFIG) {
2626 			hci_connect_cfm(conn, status);
2627 			hci_conn_drop(conn);
2628 		}
2629 	}
2630 
2631 	hci_dev_unlock(hdev);
2632 }
2633 
2634 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
2635 {
2636 	struct hci_cp_read_remote_ext_features *cp;
2637 	struct hci_conn *conn;
2638 
2639 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2640 
2641 	if (!status)
2642 		return;
2643 
2644 	cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
2645 	if (!cp)
2646 		return;
2647 
2648 	hci_dev_lock(hdev);
2649 
2650 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2651 	if (conn) {
2652 		if (conn->state == BT_CONFIG) {
2653 			hci_connect_cfm(conn, status);
2654 			hci_conn_drop(conn);
2655 		}
2656 	}
2657 
2658 	hci_dev_unlock(hdev);
2659 }
2660 
2661 static void hci_setup_sync_conn_status(struct hci_dev *hdev, __u16 handle,
2662 				       __u8 status)
2663 {
2664 	struct hci_conn *acl;
2665 	struct hci_link *link;
2666 
2667 	bt_dev_dbg(hdev, "handle 0x%4.4x status 0x%2.2x", handle, status);
2668 
2669 	hci_dev_lock(hdev);
2670 
2671 	acl = hci_conn_hash_lookup_handle(hdev, handle);
2672 	if (acl) {
2673 		link = list_first_entry_or_null(&acl->link_list,
2674 						struct hci_link, list);
2675 		if (link && link->conn) {
2676 			link->conn->state = BT_CLOSED;
2677 
2678 			hci_connect_cfm(link->conn, status);
2679 			hci_conn_del(link->conn);
2680 		}
2681 	}
2682 
2683 	hci_dev_unlock(hdev);
2684 }
2685 
2686 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2687 {
2688 	struct hci_cp_setup_sync_conn *cp;
2689 
2690 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2691 
2692 	if (!status)
2693 		return;
2694 
2695 	cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
2696 	if (!cp)
2697 		return;
2698 
2699 	hci_setup_sync_conn_status(hdev, __le16_to_cpu(cp->handle), status);
2700 }
2701 
2702 static void hci_cs_enhanced_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2703 {
2704 	struct hci_cp_enhanced_setup_sync_conn *cp;
2705 
2706 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2707 
2708 	if (!status)
2709 		return;
2710 
2711 	cp = hci_sent_cmd_data(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN);
2712 	if (!cp)
2713 		return;
2714 
2715 	hci_setup_sync_conn_status(hdev, __le16_to_cpu(cp->handle), status);
2716 }
2717 
2718 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
2719 {
2720 	struct hci_cp_sniff_mode *cp;
2721 	struct hci_conn *conn;
2722 
2723 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2724 
2725 	if (!status)
2726 		return;
2727 
2728 	cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
2729 	if (!cp)
2730 		return;
2731 
2732 	hci_dev_lock(hdev);
2733 
2734 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2735 	if (conn) {
2736 		clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2737 
2738 		if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2739 			hci_sco_setup(conn, status);
2740 	}
2741 
2742 	hci_dev_unlock(hdev);
2743 }
2744 
2745 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
2746 {
2747 	struct hci_cp_exit_sniff_mode *cp;
2748 	struct hci_conn *conn;
2749 
2750 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2751 
2752 	if (!status)
2753 		return;
2754 
2755 	cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
2756 	if (!cp)
2757 		return;
2758 
2759 	hci_dev_lock(hdev);
2760 
2761 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2762 	if (conn) {
2763 		clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2764 
2765 		if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2766 			hci_sco_setup(conn, status);
2767 	}
2768 
2769 	hci_dev_unlock(hdev);
2770 }
2771 
2772 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
2773 {
2774 	struct hci_cp_disconnect *cp;
2775 	struct hci_conn_params *params;
2776 	struct hci_conn *conn;
2777 	bool mgmt_conn;
2778 
2779 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2780 
2781 	/* Wait for HCI_EV_DISCONN_COMPLETE if status 0x00 and not suspended
2782 	 * otherwise cleanup the connection immediately.
2783 	 */
2784 	if (!status && !hdev->suspended)
2785 		return;
2786 
2787 	cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
2788 	if (!cp)
2789 		return;
2790 
2791 	hci_dev_lock(hdev);
2792 
2793 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2794 	if (!conn)
2795 		goto unlock;
2796 
2797 	if (status) {
2798 		mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2799 				       conn->dst_type, status);
2800 
2801 		if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) {
2802 			hdev->cur_adv_instance = conn->adv_instance;
2803 			hci_enable_advertising(hdev);
2804 		}
2805 
2806 		/* Inform sockets conn is gone before we delete it */
2807 		hci_disconn_cfm(conn, HCI_ERROR_UNSPECIFIED);
2808 
2809 		goto done;
2810 	}
2811 
2812 	mgmt_conn = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2813 
2814 	if (conn->type == ACL_LINK) {
2815 		if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2816 			hci_remove_link_key(hdev, &conn->dst);
2817 	}
2818 
2819 	params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2820 	if (params) {
2821 		switch (params->auto_connect) {
2822 		case HCI_AUTO_CONN_LINK_LOSS:
2823 			if (cp->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2824 				break;
2825 			fallthrough;
2826 
2827 		case HCI_AUTO_CONN_DIRECT:
2828 		case HCI_AUTO_CONN_ALWAYS:
2829 			hci_pend_le_list_del_init(params);
2830 			hci_pend_le_list_add(params, &hdev->pend_le_conns);
2831 			break;
2832 
2833 		default:
2834 			break;
2835 		}
2836 	}
2837 
2838 	mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2839 				 cp->reason, mgmt_conn);
2840 
2841 	hci_disconn_cfm(conn, cp->reason);
2842 
2843 done:
2844 	/* If the disconnection failed for any reason, the upper layer
2845 	 * does not retry to disconnect in current implementation.
2846 	 * Hence, we need to do some basic cleanup here and re-enable
2847 	 * advertising if necessary.
2848 	 */
2849 	hci_conn_del(conn);
2850 unlock:
2851 	hci_dev_unlock(hdev);
2852 }
2853 
2854 static u8 ev_bdaddr_type(struct hci_dev *hdev, u8 type, bool *resolved)
2855 {
2856 	/* When using controller based address resolution, then the new
2857 	 * address types 0x02 and 0x03 are used. These types need to be
2858 	 * converted back into either public address or random address type
2859 	 */
2860 	switch (type) {
2861 	case ADDR_LE_DEV_PUBLIC_RESOLVED:
2862 		if (resolved)
2863 			*resolved = true;
2864 		return ADDR_LE_DEV_PUBLIC;
2865 	case ADDR_LE_DEV_RANDOM_RESOLVED:
2866 		if (resolved)
2867 			*resolved = true;
2868 		return ADDR_LE_DEV_RANDOM;
2869 	}
2870 
2871 	if (resolved)
2872 		*resolved = false;
2873 	return type;
2874 }
2875 
2876 static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr,
2877 			      u8 peer_addr_type, u8 own_address_type,
2878 			      u8 filter_policy)
2879 {
2880 	struct hci_conn *conn;
2881 
2882 	conn = hci_conn_hash_lookup_le(hdev, peer_addr,
2883 				       peer_addr_type);
2884 	if (!conn)
2885 		return;
2886 
2887 	own_address_type = ev_bdaddr_type(hdev, own_address_type, NULL);
2888 
2889 	/* Store the initiator and responder address information which
2890 	 * is needed for SMP. These values will not change during the
2891 	 * lifetime of the connection.
2892 	 */
2893 	conn->init_addr_type = own_address_type;
2894 	if (own_address_type == ADDR_LE_DEV_RANDOM)
2895 		bacpy(&conn->init_addr, &hdev->random_addr);
2896 	else
2897 		bacpy(&conn->init_addr, &hdev->bdaddr);
2898 
2899 	conn->resp_addr_type = peer_addr_type;
2900 	bacpy(&conn->resp_addr, peer_addr);
2901 }
2902 
2903 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
2904 {
2905 	struct hci_cp_le_create_conn *cp;
2906 
2907 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2908 
2909 	/* All connection failure handling is taken care of by the
2910 	 * hci_conn_failed function which is triggered by the HCI
2911 	 * request completion callbacks used for connecting.
2912 	 */
2913 	if (status)
2914 		return;
2915 
2916 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
2917 	if (!cp)
2918 		return;
2919 
2920 	hci_dev_lock(hdev);
2921 
2922 	cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2923 			  cp->own_address_type, cp->filter_policy);
2924 
2925 	hci_dev_unlock(hdev);
2926 }
2927 
2928 static void hci_cs_le_ext_create_conn(struct hci_dev *hdev, u8 status)
2929 {
2930 	struct hci_cp_le_ext_create_conn *cp;
2931 
2932 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2933 
2934 	/* All connection failure handling is taken care of by the
2935 	 * hci_conn_failed function which is triggered by the HCI
2936 	 * request completion callbacks used for connecting.
2937 	 */
2938 	if (status)
2939 		return;
2940 
2941 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_EXT_CREATE_CONN);
2942 	if (!cp)
2943 		return;
2944 
2945 	hci_dev_lock(hdev);
2946 
2947 	cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2948 			  cp->own_addr_type, cp->filter_policy);
2949 
2950 	hci_dev_unlock(hdev);
2951 }
2952 
2953 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)
2954 {
2955 	struct hci_cp_le_read_remote_features *cp;
2956 	struct hci_conn *conn;
2957 
2958 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2959 
2960 	if (!status)
2961 		return;
2962 
2963 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);
2964 	if (!cp)
2965 		return;
2966 
2967 	hci_dev_lock(hdev);
2968 
2969 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2970 	if (conn) {
2971 		if (conn->state == BT_CONFIG) {
2972 			hci_connect_cfm(conn, status);
2973 			hci_conn_drop(conn);
2974 		}
2975 	}
2976 
2977 	hci_dev_unlock(hdev);
2978 }
2979 
2980 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
2981 {
2982 	struct hci_cp_le_start_enc *cp;
2983 	struct hci_conn *conn;
2984 
2985 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2986 
2987 	if (!status)
2988 		return;
2989 
2990 	hci_dev_lock(hdev);
2991 
2992 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
2993 	if (!cp)
2994 		goto unlock;
2995 
2996 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2997 	if (!conn)
2998 		goto unlock;
2999 
3000 	if (conn->state != BT_CONNECTED)
3001 		goto unlock;
3002 
3003 	hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3004 	hci_conn_drop(conn);
3005 
3006 unlock:
3007 	hci_dev_unlock(hdev);
3008 }
3009 
3010 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
3011 {
3012 	struct hci_cp_switch_role *cp;
3013 	struct hci_conn *conn;
3014 
3015 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
3016 
3017 	if (!status)
3018 		return;
3019 
3020 	cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
3021 	if (!cp)
3022 		return;
3023 
3024 	hci_dev_lock(hdev);
3025 
3026 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
3027 	if (conn)
3028 		clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
3029 
3030 	hci_dev_unlock(hdev);
3031 }
3032 
3033 static void hci_inquiry_complete_evt(struct hci_dev *hdev, void *data,
3034 				     struct sk_buff *skb)
3035 {
3036 	struct hci_ev_status *ev = data;
3037 	struct discovery_state *discov = &hdev->discovery;
3038 	struct inquiry_entry *e;
3039 
3040 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3041 
3042 	hci_conn_check_pending(hdev);
3043 
3044 	if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
3045 		return;
3046 
3047 	smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
3048 	wake_up_bit(&hdev->flags, HCI_INQUIRY);
3049 
3050 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
3051 		return;
3052 
3053 	hci_dev_lock(hdev);
3054 
3055 	if (discov->state != DISCOVERY_FINDING)
3056 		goto unlock;
3057 
3058 	if (list_empty(&discov->resolve)) {
3059 		/* When BR/EDR inquiry is active and no LE scanning is in
3060 		 * progress, then change discovery state to indicate completion.
3061 		 *
3062 		 * When running LE scanning and BR/EDR inquiry simultaneously
3063 		 * and the LE scan already finished, then change the discovery
3064 		 * state to indicate completion.
3065 		 */
3066 		if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
3067 		    !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
3068 			hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
3069 		goto unlock;
3070 	}
3071 
3072 	e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
3073 	if (e && hci_resolve_name(hdev, e) == 0) {
3074 		e->name_state = NAME_PENDING;
3075 		hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
3076 		discov->name_resolve_timeout = jiffies + NAME_RESOLVE_DURATION;
3077 	} else {
3078 		/* When BR/EDR inquiry is active and no LE scanning is in
3079 		 * progress, then change discovery state to indicate completion.
3080 		 *
3081 		 * When running LE scanning and BR/EDR inquiry simultaneously
3082 		 * and the LE scan already finished, then change the discovery
3083 		 * state to indicate completion.
3084 		 */
3085 		if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
3086 		    !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
3087 			hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
3088 	}
3089 
3090 unlock:
3091 	hci_dev_unlock(hdev);
3092 }
3093 
3094 static void hci_inquiry_result_evt(struct hci_dev *hdev, void *edata,
3095 				   struct sk_buff *skb)
3096 {
3097 	struct hci_ev_inquiry_result *ev = edata;
3098 	struct inquiry_data data;
3099 	int i;
3100 
3101 	if (!hci_ev_skb_pull(hdev, skb, HCI_EV_INQUIRY_RESULT,
3102 			     flex_array_size(ev, info, ev->num)))
3103 		return;
3104 
3105 	bt_dev_dbg(hdev, "num %d", ev->num);
3106 
3107 	if (!ev->num)
3108 		return;
3109 
3110 	if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3111 		return;
3112 
3113 	hci_dev_lock(hdev);
3114 
3115 	for (i = 0; i < ev->num; i++) {
3116 		struct inquiry_info *info = &ev->info[i];
3117 		u32 flags;
3118 
3119 		bacpy(&data.bdaddr, &info->bdaddr);
3120 		data.pscan_rep_mode	= info->pscan_rep_mode;
3121 		data.pscan_period_mode	= info->pscan_period_mode;
3122 		data.pscan_mode		= info->pscan_mode;
3123 		memcpy(data.dev_class, info->dev_class, 3);
3124 		data.clock_offset	= info->clock_offset;
3125 		data.rssi		= HCI_RSSI_INVALID;
3126 		data.ssp_mode		= 0x00;
3127 
3128 		flags = hci_inquiry_cache_update(hdev, &data, false);
3129 
3130 		mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3131 				  info->dev_class, HCI_RSSI_INVALID,
3132 				  flags, NULL, 0, NULL, 0, 0);
3133 	}
3134 
3135 	hci_dev_unlock(hdev);
3136 }
3137 
3138 static void hci_conn_complete_evt(struct hci_dev *hdev, void *data,
3139 				  struct sk_buff *skb)
3140 {
3141 	struct hci_ev_conn_complete *ev = data;
3142 	struct hci_conn *conn;
3143 	u8 status = ev->status;
3144 
3145 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
3146 
3147 	hci_dev_lock(hdev);
3148 
3149 	conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
3150 	if (!conn) {
3151 		/* In case of error status and there is no connection pending
3152 		 * just unlock as there is nothing to cleanup.
3153 		 */
3154 		if (ev->status)
3155 			goto unlock;
3156 
3157 		/* Connection may not exist if auto-connected. Check the bredr
3158 		 * allowlist to see if this device is allowed to auto connect.
3159 		 * If link is an ACL type, create a connection class
3160 		 * automatically.
3161 		 *
3162 		 * Auto-connect will only occur if the event filter is
3163 		 * programmed with a given address. Right now, event filter is
3164 		 * only used during suspend.
3165 		 */
3166 		if (ev->link_type == ACL_LINK &&
3167 		    hci_bdaddr_list_lookup_with_flags(&hdev->accept_list,
3168 						      &ev->bdaddr,
3169 						      BDADDR_BREDR)) {
3170 			conn = hci_conn_add_unset(hdev, ev->link_type,
3171 						  &ev->bdaddr, HCI_ROLE_SLAVE);
3172 			if (!conn) {
3173 				bt_dev_err(hdev, "no memory for new conn");
3174 				goto unlock;
3175 			}
3176 		} else {
3177 			if (ev->link_type != SCO_LINK)
3178 				goto unlock;
3179 
3180 			conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK,
3181 						       &ev->bdaddr);
3182 			if (!conn)
3183 				goto unlock;
3184 
3185 			conn->type = SCO_LINK;
3186 		}
3187 	}
3188 
3189 	/* The HCI_Connection_Complete event is only sent once per connection.
3190 	 * Processing it more than once per connection can corrupt kernel memory.
3191 	 *
3192 	 * As the connection handle is set here for the first time, it indicates
3193 	 * whether the connection is already set up.
3194 	 */
3195 	if (!HCI_CONN_HANDLE_UNSET(conn->handle)) {
3196 		bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection");
3197 		goto unlock;
3198 	}
3199 
3200 	if (!status) {
3201 		status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle));
3202 		if (status)
3203 			goto done;
3204 
3205 		if (conn->type == ACL_LINK) {
3206 			conn->state = BT_CONFIG;
3207 			hci_conn_hold(conn);
3208 
3209 			if (!conn->out && !hci_conn_ssp_enabled(conn) &&
3210 			    !hci_find_link_key(hdev, &ev->bdaddr))
3211 				conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3212 			else
3213 				conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3214 		} else
3215 			conn->state = BT_CONNECTED;
3216 
3217 		hci_debugfs_create_conn(conn);
3218 		hci_conn_add_sysfs(conn);
3219 
3220 		if (test_bit(HCI_AUTH, &hdev->flags))
3221 			set_bit(HCI_CONN_AUTH, &conn->flags);
3222 
3223 		if (test_bit(HCI_ENCRYPT, &hdev->flags))
3224 			set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3225 
3226 		/* Get remote features */
3227 		if (conn->type == ACL_LINK) {
3228 			struct hci_cp_read_remote_features cp;
3229 			cp.handle = ev->handle;
3230 			hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
3231 				     sizeof(cp), &cp);
3232 
3233 			hci_update_scan(hdev);
3234 		}
3235 
3236 		/* Set packet type for incoming connection */
3237 		if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
3238 			struct hci_cp_change_conn_ptype cp;
3239 			cp.handle = ev->handle;
3240 			cp.pkt_type = cpu_to_le16(conn->pkt_type);
3241 			hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
3242 				     &cp);
3243 		}
3244 	}
3245 
3246 	if (conn->type == ACL_LINK)
3247 		hci_sco_setup(conn, ev->status);
3248 
3249 done:
3250 	if (status) {
3251 		hci_conn_failed(conn, status);
3252 	} else if (ev->link_type == SCO_LINK) {
3253 		switch (conn->setting & SCO_AIRMODE_MASK) {
3254 		case SCO_AIRMODE_CVSD:
3255 			if (hdev->notify)
3256 				hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
3257 			break;
3258 		}
3259 
3260 		hci_connect_cfm(conn, status);
3261 	}
3262 
3263 unlock:
3264 	hci_dev_unlock(hdev);
3265 
3266 	hci_conn_check_pending(hdev);
3267 }
3268 
3269 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
3270 {
3271 	struct hci_cp_reject_conn_req cp;
3272 
3273 	bacpy(&cp.bdaddr, bdaddr);
3274 	cp.reason = HCI_ERROR_REJ_BAD_ADDR;
3275 	hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
3276 }
3277 
3278 static void hci_conn_request_evt(struct hci_dev *hdev, void *data,
3279 				 struct sk_buff *skb)
3280 {
3281 	struct hci_ev_conn_request *ev = data;
3282 	int mask = hdev->link_mode;
3283 	struct inquiry_entry *ie;
3284 	struct hci_conn *conn;
3285 	__u8 flags = 0;
3286 
3287 	bt_dev_dbg(hdev, "bdaddr %pMR type 0x%x", &ev->bdaddr, ev->link_type);
3288 
3289 	/* Reject incoming connection from device with same BD ADDR against
3290 	 * CVE-2020-26555
3291 	 */
3292 	if (hdev && !bacmp(&hdev->bdaddr, &ev->bdaddr)) {
3293 		bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
3294 			   &ev->bdaddr);
3295 		hci_reject_conn(hdev, &ev->bdaddr);
3296 		return;
3297 	}
3298 
3299 	mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
3300 				      &flags);
3301 
3302 	if (!(mask & HCI_LM_ACCEPT)) {
3303 		hci_reject_conn(hdev, &ev->bdaddr);
3304 		return;
3305 	}
3306 
3307 	hci_dev_lock(hdev);
3308 
3309 	if (hci_bdaddr_list_lookup(&hdev->reject_list, &ev->bdaddr,
3310 				   BDADDR_BREDR)) {
3311 		hci_reject_conn(hdev, &ev->bdaddr);
3312 		goto unlock;
3313 	}
3314 
3315 	/* Require HCI_CONNECTABLE or an accept list entry to accept the
3316 	 * connection. These features are only touched through mgmt so
3317 	 * only do the checks if HCI_MGMT is set.
3318 	 */
3319 	if (hci_dev_test_flag(hdev, HCI_MGMT) &&
3320 	    !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
3321 	    !hci_bdaddr_list_lookup_with_flags(&hdev->accept_list, &ev->bdaddr,
3322 					       BDADDR_BREDR)) {
3323 		hci_reject_conn(hdev, &ev->bdaddr);
3324 		goto unlock;
3325 	}
3326 
3327 	/* Connection accepted */
3328 
3329 	ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3330 	if (ie)
3331 		memcpy(ie->data.dev_class, ev->dev_class, 3);
3332 
3333 	conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
3334 			&ev->bdaddr);
3335 	if (!conn) {
3336 		conn = hci_conn_add_unset(hdev, ev->link_type, &ev->bdaddr,
3337 					  HCI_ROLE_SLAVE);
3338 		if (!conn) {
3339 			bt_dev_err(hdev, "no memory for new connection");
3340 			goto unlock;
3341 		}
3342 	}
3343 
3344 	memcpy(conn->dev_class, ev->dev_class, 3);
3345 
3346 	hci_dev_unlock(hdev);
3347 
3348 	if (ev->link_type == ACL_LINK ||
3349 	    (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
3350 		struct hci_cp_accept_conn_req cp;
3351 		conn->state = BT_CONNECT;
3352 
3353 		bacpy(&cp.bdaddr, &ev->bdaddr);
3354 
3355 		if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
3356 			cp.role = 0x00; /* Become central */
3357 		else
3358 			cp.role = 0x01; /* Remain peripheral */
3359 
3360 		hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
3361 	} else if (!(flags & HCI_PROTO_DEFER)) {
3362 		struct hci_cp_accept_sync_conn_req cp;
3363 		conn->state = BT_CONNECT;
3364 
3365 		bacpy(&cp.bdaddr, &ev->bdaddr);
3366 		cp.pkt_type = cpu_to_le16(conn->pkt_type);
3367 
3368 		cp.tx_bandwidth   = cpu_to_le32(0x00001f40);
3369 		cp.rx_bandwidth   = cpu_to_le32(0x00001f40);
3370 		cp.max_latency    = cpu_to_le16(0xffff);
3371 		cp.content_format = cpu_to_le16(hdev->voice_setting);
3372 		cp.retrans_effort = 0xff;
3373 
3374 		hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
3375 			     &cp);
3376 	} else {
3377 		conn->state = BT_CONNECT2;
3378 		hci_connect_cfm(conn, 0);
3379 	}
3380 
3381 	return;
3382 unlock:
3383 	hci_dev_unlock(hdev);
3384 }
3385 
3386 static u8 hci_to_mgmt_reason(u8 err)
3387 {
3388 	switch (err) {
3389 	case HCI_ERROR_CONNECTION_TIMEOUT:
3390 		return MGMT_DEV_DISCONN_TIMEOUT;
3391 	case HCI_ERROR_REMOTE_USER_TERM:
3392 	case HCI_ERROR_REMOTE_LOW_RESOURCES:
3393 	case HCI_ERROR_REMOTE_POWER_OFF:
3394 		return MGMT_DEV_DISCONN_REMOTE;
3395 	case HCI_ERROR_LOCAL_HOST_TERM:
3396 		return MGMT_DEV_DISCONN_LOCAL_HOST;
3397 	default:
3398 		return MGMT_DEV_DISCONN_UNKNOWN;
3399 	}
3400 }
3401 
3402 static void hci_disconn_complete_evt(struct hci_dev *hdev, void *data,
3403 				     struct sk_buff *skb)
3404 {
3405 	struct hci_ev_disconn_complete *ev = data;
3406 	u8 reason;
3407 	struct hci_conn_params *params;
3408 	struct hci_conn *conn;
3409 	bool mgmt_connected;
3410 
3411 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3412 
3413 	hci_dev_lock(hdev);
3414 
3415 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3416 	if (!conn)
3417 		goto unlock;
3418 
3419 	if (ev->status) {
3420 		mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
3421 				       conn->dst_type, ev->status);
3422 		goto unlock;
3423 	}
3424 
3425 	conn->state = BT_CLOSED;
3426 
3427 	mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
3428 
3429 	if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags))
3430 		reason = MGMT_DEV_DISCONN_AUTH_FAILURE;
3431 	else
3432 		reason = hci_to_mgmt_reason(ev->reason);
3433 
3434 	mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
3435 				reason, mgmt_connected);
3436 
3437 	if (conn->type == ACL_LINK) {
3438 		if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
3439 			hci_remove_link_key(hdev, &conn->dst);
3440 
3441 		hci_update_scan(hdev);
3442 	}
3443 
3444 	params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
3445 	if (params) {
3446 		switch (params->auto_connect) {
3447 		case HCI_AUTO_CONN_LINK_LOSS:
3448 			if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
3449 				break;
3450 			fallthrough;
3451 
3452 		case HCI_AUTO_CONN_DIRECT:
3453 		case HCI_AUTO_CONN_ALWAYS:
3454 			hci_pend_le_list_del_init(params);
3455 			hci_pend_le_list_add(params, &hdev->pend_le_conns);
3456 			hci_update_passive_scan(hdev);
3457 			break;
3458 
3459 		default:
3460 			break;
3461 		}
3462 	}
3463 
3464 	hci_disconn_cfm(conn, ev->reason);
3465 
3466 	/* Re-enable advertising if necessary, since it might
3467 	 * have been disabled by the connection. From the
3468 	 * HCI_LE_Set_Advertise_Enable command description in
3469 	 * the core specification (v4.0):
3470 	 * "The Controller shall continue advertising until the Host
3471 	 * issues an LE_Set_Advertise_Enable command with
3472 	 * Advertising_Enable set to 0x00 (Advertising is disabled)
3473 	 * or until a connection is created or until the Advertising
3474 	 * is timed out due to Directed Advertising."
3475 	 */
3476 	if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) {
3477 		hdev->cur_adv_instance = conn->adv_instance;
3478 		hci_enable_advertising(hdev);
3479 	}
3480 
3481 	hci_conn_del(conn);
3482 
3483 unlock:
3484 	hci_dev_unlock(hdev);
3485 }
3486 
3487 static void hci_auth_complete_evt(struct hci_dev *hdev, void *data,
3488 				  struct sk_buff *skb)
3489 {
3490 	struct hci_ev_auth_complete *ev = data;
3491 	struct hci_conn *conn;
3492 
3493 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3494 
3495 	hci_dev_lock(hdev);
3496 
3497 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3498 	if (!conn)
3499 		goto unlock;
3500 
3501 	if (!ev->status) {
3502 		clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3503 		set_bit(HCI_CONN_AUTH, &conn->flags);
3504 		conn->sec_level = conn->pending_sec_level;
3505 	} else {
3506 		if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3507 			set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3508 
3509 		mgmt_auth_failed(conn, ev->status);
3510 	}
3511 
3512 	clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3513 
3514 	if (conn->state == BT_CONFIG) {
3515 		if (!ev->status && hci_conn_ssp_enabled(conn)) {
3516 			struct hci_cp_set_conn_encrypt cp;
3517 			cp.handle  = ev->handle;
3518 			cp.encrypt = 0x01;
3519 			hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
3520 				     &cp);
3521 		} else {
3522 			conn->state = BT_CONNECTED;
3523 			hci_connect_cfm(conn, ev->status);
3524 			hci_conn_drop(conn);
3525 		}
3526 	} else {
3527 		hci_auth_cfm(conn, ev->status);
3528 
3529 		hci_conn_hold(conn);
3530 		conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3531 		hci_conn_drop(conn);
3532 	}
3533 
3534 	if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
3535 		if (!ev->status) {
3536 			struct hci_cp_set_conn_encrypt cp;
3537 			cp.handle  = ev->handle;
3538 			cp.encrypt = 0x01;
3539 			hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
3540 				     &cp);
3541 		} else {
3542 			clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3543 			hci_encrypt_cfm(conn, ev->status);
3544 		}
3545 	}
3546 
3547 unlock:
3548 	hci_dev_unlock(hdev);
3549 }
3550 
3551 static void hci_remote_name_evt(struct hci_dev *hdev, void *data,
3552 				struct sk_buff *skb)
3553 {
3554 	struct hci_ev_remote_name *ev = data;
3555 	struct hci_conn *conn;
3556 
3557 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3558 
3559 	hci_conn_check_pending(hdev);
3560 
3561 	hci_dev_lock(hdev);
3562 
3563 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3564 
3565 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
3566 		goto check_auth;
3567 
3568 	if (ev->status == 0)
3569 		hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
3570 				       strnlen(ev->name, HCI_MAX_NAME_LENGTH));
3571 	else
3572 		hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
3573 
3574 check_auth:
3575 	if (!conn)
3576 		goto unlock;
3577 
3578 	if (!hci_outgoing_auth_needed(hdev, conn))
3579 		goto unlock;
3580 
3581 	if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
3582 		struct hci_cp_auth_requested cp;
3583 
3584 		set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
3585 
3586 		cp.handle = __cpu_to_le16(conn->handle);
3587 		hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
3588 	}
3589 
3590 unlock:
3591 	hci_dev_unlock(hdev);
3592 }
3593 
3594 static void hci_encrypt_change_evt(struct hci_dev *hdev, void *data,
3595 				   struct sk_buff *skb)
3596 {
3597 	struct hci_ev_encrypt_change *ev = data;
3598 	struct hci_conn *conn;
3599 
3600 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3601 
3602 	hci_dev_lock(hdev);
3603 
3604 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3605 	if (!conn)
3606 		goto unlock;
3607 
3608 	if (!ev->status) {
3609 		if (ev->encrypt) {
3610 			/* Encryption implies authentication */
3611 			set_bit(HCI_CONN_AUTH, &conn->flags);
3612 			set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3613 			conn->sec_level = conn->pending_sec_level;
3614 
3615 			/* P-256 authentication key implies FIPS */
3616 			if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
3617 				set_bit(HCI_CONN_FIPS, &conn->flags);
3618 
3619 			if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
3620 			    conn->type == LE_LINK)
3621 				set_bit(HCI_CONN_AES_CCM, &conn->flags);
3622 		} else {
3623 			clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
3624 			clear_bit(HCI_CONN_AES_CCM, &conn->flags);
3625 		}
3626 	}
3627 
3628 	/* We should disregard the current RPA and generate a new one
3629 	 * whenever the encryption procedure fails.
3630 	 */
3631 	if (ev->status && conn->type == LE_LINK) {
3632 		hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
3633 		hci_adv_instances_set_rpa_expired(hdev, true);
3634 	}
3635 
3636 	clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3637 
3638 	/* Check link security requirements are met */
3639 	if (!hci_conn_check_link_mode(conn))
3640 		ev->status = HCI_ERROR_AUTH_FAILURE;
3641 
3642 	if (ev->status && conn->state == BT_CONNECTED) {
3643 		if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3644 			set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3645 
3646 		/* Notify upper layers so they can cleanup before
3647 		 * disconnecting.
3648 		 */
3649 		hci_encrypt_cfm(conn, ev->status);
3650 		hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3651 		hci_conn_drop(conn);
3652 		goto unlock;
3653 	}
3654 
3655 	/* Try reading the encryption key size for encrypted ACL links */
3656 	if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
3657 		struct hci_cp_read_enc_key_size cp;
3658 
3659 		/* Only send HCI_Read_Encryption_Key_Size if the
3660 		 * controller really supports it. If it doesn't, assume
3661 		 * the default size (16).
3662 		 */
3663 		if (!(hdev->commands[20] & 0x10)) {
3664 			conn->enc_key_size = HCI_LINK_KEY_SIZE;
3665 			goto notify;
3666 		}
3667 
3668 		cp.handle = cpu_to_le16(conn->handle);
3669 		if (hci_send_cmd(hdev, HCI_OP_READ_ENC_KEY_SIZE,
3670 				 sizeof(cp), &cp)) {
3671 			bt_dev_err(hdev, "sending read key size failed");
3672 			conn->enc_key_size = HCI_LINK_KEY_SIZE;
3673 			goto notify;
3674 		}
3675 
3676 		goto unlock;
3677 	}
3678 
3679 	/* Set the default Authenticated Payload Timeout after
3680 	 * an LE Link is established. As per Core Spec v5.0, Vol 2, Part B
3681 	 * Section 3.3, the HCI command WRITE_AUTH_PAYLOAD_TIMEOUT should be
3682 	 * sent when the link is active and Encryption is enabled, the conn
3683 	 * type can be either LE or ACL and controller must support LMP Ping.
3684 	 * Ensure for AES-CCM encryption as well.
3685 	 */
3686 	if (test_bit(HCI_CONN_ENCRYPT, &conn->flags) &&
3687 	    test_bit(HCI_CONN_AES_CCM, &conn->flags) &&
3688 	    ((conn->type == ACL_LINK && lmp_ping_capable(hdev)) ||
3689 	     (conn->type == LE_LINK && (hdev->le_features[0] & HCI_LE_PING)))) {
3690 		struct hci_cp_write_auth_payload_to cp;
3691 
3692 		cp.handle = cpu_to_le16(conn->handle);
3693 		cp.timeout = cpu_to_le16(hdev->auth_payload_timeout);
3694 		if (hci_send_cmd(conn->hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO,
3695 				 sizeof(cp), &cp))
3696 			bt_dev_err(hdev, "write auth payload timeout failed");
3697 	}
3698 
3699 notify:
3700 	hci_encrypt_cfm(conn, ev->status);
3701 
3702 unlock:
3703 	hci_dev_unlock(hdev);
3704 }
3705 
3706 static void hci_change_link_key_complete_evt(struct hci_dev *hdev, void *data,
3707 					     struct sk_buff *skb)
3708 {
3709 	struct hci_ev_change_link_key_complete *ev = data;
3710 	struct hci_conn *conn;
3711 
3712 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3713 
3714 	hci_dev_lock(hdev);
3715 
3716 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3717 	if (conn) {
3718 		if (!ev->status)
3719 			set_bit(HCI_CONN_SECURE, &conn->flags);
3720 
3721 		clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3722 
3723 		hci_key_change_cfm(conn, ev->status);
3724 	}
3725 
3726 	hci_dev_unlock(hdev);
3727 }
3728 
3729 static void hci_remote_features_evt(struct hci_dev *hdev, void *data,
3730 				    struct sk_buff *skb)
3731 {
3732 	struct hci_ev_remote_features *ev = data;
3733 	struct hci_conn *conn;
3734 
3735 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3736 
3737 	hci_dev_lock(hdev);
3738 
3739 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3740 	if (!conn)
3741 		goto unlock;
3742 
3743 	if (!ev->status)
3744 		memcpy(conn->features[0], ev->features, 8);
3745 
3746 	if (conn->state != BT_CONFIG)
3747 		goto unlock;
3748 
3749 	if (!ev->status && lmp_ext_feat_capable(hdev) &&
3750 	    lmp_ext_feat_capable(conn)) {
3751 		struct hci_cp_read_remote_ext_features cp;
3752 		cp.handle = ev->handle;
3753 		cp.page = 0x01;
3754 		hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
3755 			     sizeof(cp), &cp);
3756 		goto unlock;
3757 	}
3758 
3759 	if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3760 		struct hci_cp_remote_name_req cp;
3761 		memset(&cp, 0, sizeof(cp));
3762 		bacpy(&cp.bdaddr, &conn->dst);
3763 		cp.pscan_rep_mode = 0x02;
3764 		hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3765 	} else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3766 		mgmt_device_connected(hdev, conn, NULL, 0);
3767 
3768 	if (!hci_outgoing_auth_needed(hdev, conn)) {
3769 		conn->state = BT_CONNECTED;
3770 		hci_connect_cfm(conn, ev->status);
3771 		hci_conn_drop(conn);
3772 	}
3773 
3774 unlock:
3775 	hci_dev_unlock(hdev);
3776 }
3777 
3778 static inline void handle_cmd_cnt_and_timer(struct hci_dev *hdev, u8 ncmd)
3779 {
3780 	cancel_delayed_work(&hdev->cmd_timer);
3781 
3782 	rcu_read_lock();
3783 	if (!test_bit(HCI_RESET, &hdev->flags)) {
3784 		if (ncmd) {
3785 			cancel_delayed_work(&hdev->ncmd_timer);
3786 			atomic_set(&hdev->cmd_cnt, 1);
3787 		} else {
3788 			if (!hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE))
3789 				queue_delayed_work(hdev->workqueue, &hdev->ncmd_timer,
3790 						   HCI_NCMD_TIMEOUT);
3791 		}
3792 	}
3793 	rcu_read_unlock();
3794 }
3795 
3796 static u8 hci_cc_le_read_buffer_size_v2(struct hci_dev *hdev, void *data,
3797 					struct sk_buff *skb)
3798 {
3799 	struct hci_rp_le_read_buffer_size_v2 *rp = data;
3800 
3801 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3802 
3803 	if (rp->status)
3804 		return rp->status;
3805 
3806 	hdev->le_mtu   = __le16_to_cpu(rp->acl_mtu);
3807 	hdev->le_pkts  = rp->acl_max_pkt;
3808 	hdev->iso_mtu  = __le16_to_cpu(rp->iso_mtu);
3809 	hdev->iso_pkts = rp->iso_max_pkt;
3810 
3811 	hdev->le_cnt  = hdev->le_pkts;
3812 	hdev->iso_cnt = hdev->iso_pkts;
3813 
3814 	BT_DBG("%s acl mtu %d:%d iso mtu %d:%d", hdev->name, hdev->acl_mtu,
3815 	       hdev->acl_pkts, hdev->iso_mtu, hdev->iso_pkts);
3816 
3817 	return rp->status;
3818 }
3819 
3820 static void hci_unbound_cis_failed(struct hci_dev *hdev, u8 cig, u8 status)
3821 {
3822 	struct hci_conn *conn, *tmp;
3823 
3824 	lockdep_assert_held(&hdev->lock);
3825 
3826 	list_for_each_entry_safe(conn, tmp, &hdev->conn_hash.list, list) {
3827 		if (conn->type != ISO_LINK || !bacmp(&conn->dst, BDADDR_ANY) ||
3828 		    conn->state == BT_OPEN || conn->iso_qos.ucast.cig != cig)
3829 			continue;
3830 
3831 		if (HCI_CONN_HANDLE_UNSET(conn->handle))
3832 			hci_conn_failed(conn, status);
3833 	}
3834 }
3835 
3836 static u8 hci_cc_le_set_cig_params(struct hci_dev *hdev, void *data,
3837 				   struct sk_buff *skb)
3838 {
3839 	struct hci_rp_le_set_cig_params *rp = data;
3840 	struct hci_cp_le_set_cig_params *cp;
3841 	struct hci_conn *conn;
3842 	u8 status = rp->status;
3843 	bool pending = false;
3844 	int i;
3845 
3846 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3847 
3848 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_CIG_PARAMS);
3849 	if (!rp->status && (!cp || rp->num_handles != cp->num_cis ||
3850 			    rp->cig_id != cp->cig_id)) {
3851 		bt_dev_err(hdev, "unexpected Set CIG Parameters response data");
3852 		status = HCI_ERROR_UNSPECIFIED;
3853 	}
3854 
3855 	hci_dev_lock(hdev);
3856 
3857 	/* BLUETOOTH CORE SPECIFICATION Version 5.4 | Vol 4, Part E page 2554
3858 	 *
3859 	 * If the Status return parameter is non-zero, then the state of the CIG
3860 	 * and its CIS configurations shall not be changed by the command. If
3861 	 * the CIG did not already exist, it shall not be created.
3862 	 */
3863 	if (status) {
3864 		/* Keep current configuration, fail only the unbound CIS */
3865 		hci_unbound_cis_failed(hdev, rp->cig_id, status);
3866 		goto unlock;
3867 	}
3868 
3869 	/* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 4, Part E page 2553
3870 	 *
3871 	 * If the Status return parameter is zero, then the Controller shall
3872 	 * set the Connection_Handle arrayed return parameter to the connection
3873 	 * handle(s) corresponding to the CIS configurations specified in
3874 	 * the CIS_IDs command parameter, in the same order.
3875 	 */
3876 	for (i = 0; i < rp->num_handles; ++i) {
3877 		conn = hci_conn_hash_lookup_cis(hdev, NULL, 0, rp->cig_id,
3878 						cp->cis[i].cis_id);
3879 		if (!conn || !bacmp(&conn->dst, BDADDR_ANY))
3880 			continue;
3881 
3882 		if (conn->state != BT_BOUND && conn->state != BT_CONNECT)
3883 			continue;
3884 
3885 		if (hci_conn_set_handle(conn, __le16_to_cpu(rp->handle[i])))
3886 			continue;
3887 
3888 		if (conn->state == BT_CONNECT)
3889 			pending = true;
3890 	}
3891 
3892 unlock:
3893 	if (pending)
3894 		hci_le_create_cis_pending(hdev);
3895 
3896 	hci_dev_unlock(hdev);
3897 
3898 	return rp->status;
3899 }
3900 
3901 static u8 hci_cc_le_setup_iso_path(struct hci_dev *hdev, void *data,
3902 				   struct sk_buff *skb)
3903 {
3904 	struct hci_rp_le_setup_iso_path *rp = data;
3905 	struct hci_cp_le_setup_iso_path *cp;
3906 	struct hci_conn *conn;
3907 
3908 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3909 
3910 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SETUP_ISO_PATH);
3911 	if (!cp)
3912 		return rp->status;
3913 
3914 	hci_dev_lock(hdev);
3915 
3916 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
3917 	if (!conn)
3918 		goto unlock;
3919 
3920 	if (rp->status) {
3921 		hci_connect_cfm(conn, rp->status);
3922 		hci_conn_del(conn);
3923 		goto unlock;
3924 	}
3925 
3926 	switch (cp->direction) {
3927 	/* Input (Host to Controller) */
3928 	case 0x00:
3929 		/* Only confirm connection if output only */
3930 		if (conn->iso_qos.ucast.out.sdu && !conn->iso_qos.ucast.in.sdu)
3931 			hci_connect_cfm(conn, rp->status);
3932 		break;
3933 	/* Output (Controller to Host) */
3934 	case 0x01:
3935 		/* Confirm connection since conn->iso_qos is always configured
3936 		 * last.
3937 		 */
3938 		hci_connect_cfm(conn, rp->status);
3939 		break;
3940 	}
3941 
3942 unlock:
3943 	hci_dev_unlock(hdev);
3944 	return rp->status;
3945 }
3946 
3947 static void hci_cs_le_create_big(struct hci_dev *hdev, u8 status)
3948 {
3949 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
3950 }
3951 
3952 static u8 hci_cc_set_per_adv_param(struct hci_dev *hdev, void *data,
3953 				   struct sk_buff *skb)
3954 {
3955 	struct hci_ev_status *rp = data;
3956 	struct hci_cp_le_set_per_adv_params *cp;
3957 
3958 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3959 
3960 	if (rp->status)
3961 		return rp->status;
3962 
3963 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_PARAMS);
3964 	if (!cp)
3965 		return rp->status;
3966 
3967 	/* TODO: set the conn state */
3968 	return rp->status;
3969 }
3970 
3971 static u8 hci_cc_le_set_per_adv_enable(struct hci_dev *hdev, void *data,
3972 				       struct sk_buff *skb)
3973 {
3974 	struct hci_ev_status *rp = data;
3975 	struct hci_cp_le_set_per_adv_enable *cp;
3976 	struct adv_info *adv = NULL, *n;
3977 	u8 per_adv_cnt = 0;
3978 
3979 	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3980 
3981 	if (rp->status)
3982 		return rp->status;
3983 
3984 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_ENABLE);
3985 	if (!cp)
3986 		return rp->status;
3987 
3988 	hci_dev_lock(hdev);
3989 
3990 	adv = hci_find_adv_instance(hdev, cp->handle);
3991 
3992 	if (cp->enable) {
3993 		hci_dev_set_flag(hdev, HCI_LE_PER_ADV);
3994 
3995 		if (adv)
3996 			adv->enabled = true;
3997 	} else {
3998 		/* If just one instance was disabled check if there are
3999 		 * any other instance enabled before clearing HCI_LE_PER_ADV.
4000 		 * The current periodic adv instance will be marked as
4001 		 * disabled once extended advertising is also disabled.
4002 		 */
4003 		list_for_each_entry_safe(adv, n, &hdev->adv_instances,
4004 					 list) {
4005 			if (adv->periodic && adv->enabled)
4006 				per_adv_cnt++;
4007 		}
4008 
4009 		if (per_adv_cnt > 1)
4010 			goto unlock;
4011 
4012 		hci_dev_clear_flag(hdev, HCI_LE_PER_ADV);
4013 	}
4014 
4015 unlock:
4016 	hci_dev_unlock(hdev);
4017 
4018 	return rp->status;
4019 }
4020 
4021 #define HCI_CC_VL(_op, _func, _min, _max) \
4022 { \
4023 	.op = _op, \
4024 	.func = _func, \
4025 	.min_len = _min, \
4026 	.max_len = _max, \
4027 }
4028 
4029 #define HCI_CC(_op, _func, _len) \
4030 	HCI_CC_VL(_op, _func, _len, _len)
4031 
4032 #define HCI_CC_STATUS(_op, _func) \
4033 	HCI_CC(_op, _func, sizeof(struct hci_ev_status))
4034 
4035 static const struct hci_cc {
4036 	u16  op;
4037 	u8 (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb);
4038 	u16  min_len;
4039 	u16  max_len;
4040 } hci_cc_table[] = {
4041 	HCI_CC_STATUS(HCI_OP_INQUIRY_CANCEL, hci_cc_inquiry_cancel),
4042 	HCI_CC_STATUS(HCI_OP_PERIODIC_INQ, hci_cc_periodic_inq),
4043 	HCI_CC_STATUS(HCI_OP_EXIT_PERIODIC_INQ, hci_cc_exit_periodic_inq),
4044 	HCI_CC_STATUS(HCI_OP_REMOTE_NAME_REQ_CANCEL,
4045 		      hci_cc_remote_name_req_cancel),
4046 	HCI_CC(HCI_OP_ROLE_DISCOVERY, hci_cc_role_discovery,
4047 	       sizeof(struct hci_rp_role_discovery)),
4048 	HCI_CC(HCI_OP_READ_LINK_POLICY, hci_cc_read_link_policy,
4049 	       sizeof(struct hci_rp_read_link_policy)),
4050 	HCI_CC(HCI_OP_WRITE_LINK_POLICY, hci_cc_write_link_policy,
4051 	       sizeof(struct hci_rp_write_link_policy)),
4052 	HCI_CC(HCI_OP_READ_DEF_LINK_POLICY, hci_cc_read_def_link_policy,
4053 	       sizeof(struct hci_rp_read_def_link_policy)),
4054 	HCI_CC_STATUS(HCI_OP_WRITE_DEF_LINK_POLICY,
4055 		      hci_cc_write_def_link_policy),
4056 	HCI_CC_STATUS(HCI_OP_RESET, hci_cc_reset),
4057 	HCI_CC(HCI_OP_READ_STORED_LINK_KEY, hci_cc_read_stored_link_key,
4058 	       sizeof(struct hci_rp_read_stored_link_key)),
4059 	HCI_CC(HCI_OP_DELETE_STORED_LINK_KEY, hci_cc_delete_stored_link_key,
4060 	       sizeof(struct hci_rp_delete_stored_link_key)),
4061 	HCI_CC_STATUS(HCI_OP_WRITE_LOCAL_NAME, hci_cc_write_local_name),
4062 	HCI_CC(HCI_OP_READ_LOCAL_NAME, hci_cc_read_local_name,
4063 	       sizeof(struct hci_rp_read_local_name)),
4064 	HCI_CC_STATUS(HCI_OP_WRITE_AUTH_ENABLE, hci_cc_write_auth_enable),
4065 	HCI_CC_STATUS(HCI_OP_WRITE_ENCRYPT_MODE, hci_cc_write_encrypt_mode),
4066 	HCI_CC_STATUS(HCI_OP_WRITE_SCAN_ENABLE, hci_cc_write_scan_enable),
4067 	HCI_CC_STATUS(HCI_OP_SET_EVENT_FLT, hci_cc_set_event_filter),
4068 	HCI_CC(HCI_OP_READ_CLASS_OF_DEV, hci_cc_read_class_of_dev,
4069 	       sizeof(struct hci_rp_read_class_of_dev)),
4070 	HCI_CC_STATUS(HCI_OP_WRITE_CLASS_OF_DEV, hci_cc_write_class_of_dev),
4071 	HCI_CC(HCI_OP_READ_VOICE_SETTING, hci_cc_read_voice_setting,
4072 	       sizeof(struct hci_rp_read_voice_setting)),
4073 	HCI_CC_STATUS(HCI_OP_WRITE_VOICE_SETTING, hci_cc_write_voice_setting),
4074 	HCI_CC(HCI_OP_READ_NUM_SUPPORTED_IAC, hci_cc_read_num_supported_iac,
4075 	       sizeof(struct hci_rp_read_num_supported_iac)),
4076 	HCI_CC_STATUS(HCI_OP_WRITE_SSP_MODE, hci_cc_write_ssp_mode),
4077 	HCI_CC_STATUS(HCI_OP_WRITE_SC_SUPPORT, hci_cc_write_sc_support),
4078 	HCI_CC(HCI_OP_READ_AUTH_PAYLOAD_TO, hci_cc_read_auth_payload_timeout,
4079 	       sizeof(struct hci_rp_read_auth_payload_to)),
4080 	HCI_CC(HCI_OP_WRITE_AUTH_PAYLOAD_TO, hci_cc_write_auth_payload_timeout,
4081 	       sizeof(struct hci_rp_write_auth_payload_to)),
4082 	HCI_CC(HCI_OP_READ_LOCAL_VERSION, hci_cc_read_local_version,
4083 	       sizeof(struct hci_rp_read_local_version)),
4084 	HCI_CC(HCI_OP_READ_LOCAL_COMMANDS, hci_cc_read_local_commands,
4085 	       sizeof(struct hci_rp_read_local_commands)),
4086 	HCI_CC(HCI_OP_READ_LOCAL_FEATURES, hci_cc_read_local_features,
4087 	       sizeof(struct hci_rp_read_local_features)),
4088 	HCI_CC(HCI_OP_READ_LOCAL_EXT_FEATURES, hci_cc_read_local_ext_features,
4089 	       sizeof(struct hci_rp_read_local_ext_features)),
4090 	HCI_CC(HCI_OP_READ_BUFFER_SIZE, hci_cc_read_buffer_size,
4091 	       sizeof(struct hci_rp_read_buffer_size)),
4092 	HCI_CC(HCI_OP_READ_BD_ADDR, hci_cc_read_bd_addr,
4093 	       sizeof(struct hci_rp_read_bd_addr)),
4094 	HCI_CC(HCI_OP_READ_LOCAL_PAIRING_OPTS, hci_cc_read_local_pairing_opts,
4095 	       sizeof(struct hci_rp_read_local_pairing_opts)),
4096 	HCI_CC(HCI_OP_READ_PAGE_SCAN_ACTIVITY, hci_cc_read_page_scan_activity,
4097 	       sizeof(struct hci_rp_read_page_scan_activity)),
4098 	HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_ACTIVITY,
4099 		      hci_cc_write_page_scan_activity),
4100 	HCI_CC(HCI_OP_READ_PAGE_SCAN_TYPE, hci_cc_read_page_scan_type,
4101 	       sizeof(struct hci_rp_read_page_scan_type)),
4102 	HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_TYPE, hci_cc_write_page_scan_type),
4103 	HCI_CC(HCI_OP_READ_DATA_BLOCK_SIZE, hci_cc_read_data_block_size,
4104 	       sizeof(struct hci_rp_read_data_block_size)),
4105 	HCI_CC(HCI_OP_READ_FLOW_CONTROL_MODE, hci_cc_read_flow_control_mode,
4106 	       sizeof(struct hci_rp_read_flow_control_mode)),
4107 	HCI_CC(HCI_OP_READ_LOCAL_AMP_INFO, hci_cc_read_local_amp_info,
4108 	       sizeof(struct hci_rp_read_local_amp_info)),
4109 	HCI_CC(HCI_OP_READ_CLOCK, hci_cc_read_clock,
4110 	       sizeof(struct hci_rp_read_clock)),
4111 	HCI_CC(HCI_OP_READ_ENC_KEY_SIZE, hci_cc_read_enc_key_size,
4112 	       sizeof(struct hci_rp_read_enc_key_size)),
4113 	HCI_CC(HCI_OP_READ_INQ_RSP_TX_POWER, hci_cc_read_inq_rsp_tx_power,
4114 	       sizeof(struct hci_rp_read_inq_rsp_tx_power)),
4115 	HCI_CC(HCI_OP_READ_DEF_ERR_DATA_REPORTING,
4116 	       hci_cc_read_def_err_data_reporting,
4117 	       sizeof(struct hci_rp_read_def_err_data_reporting)),
4118 	HCI_CC_STATUS(HCI_OP_WRITE_DEF_ERR_DATA_REPORTING,
4119 		      hci_cc_write_def_err_data_reporting),
4120 	HCI_CC(HCI_OP_PIN_CODE_REPLY, hci_cc_pin_code_reply,
4121 	       sizeof(struct hci_rp_pin_code_reply)),
4122 	HCI_CC(HCI_OP_PIN_CODE_NEG_REPLY, hci_cc_pin_code_neg_reply,
4123 	       sizeof(struct hci_rp_pin_code_neg_reply)),
4124 	HCI_CC(HCI_OP_READ_LOCAL_OOB_DATA, hci_cc_read_local_oob_data,
4125 	       sizeof(struct hci_rp_read_local_oob_data)),
4126 	HCI_CC(HCI_OP_READ_LOCAL_OOB_EXT_DATA, hci_cc_read_local_oob_ext_data,
4127 	       sizeof(struct hci_rp_read_local_oob_ext_data)),
4128 	HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE, hci_cc_le_read_buffer_size,
4129 	       sizeof(struct hci_rp_le_read_buffer_size)),
4130 	HCI_CC(HCI_OP_LE_READ_LOCAL_FEATURES, hci_cc_le_read_local_features,
4131 	       sizeof(struct hci_rp_le_read_local_features)),
4132 	HCI_CC(HCI_OP_LE_READ_ADV_TX_POWER, hci_cc_le_read_adv_tx_power,
4133 	       sizeof(struct hci_rp_le_read_adv_tx_power)),
4134 	HCI_CC(HCI_OP_USER_CONFIRM_REPLY, hci_cc_user_confirm_reply,
4135 	       sizeof(struct hci_rp_user_confirm_reply)),
4136 	HCI_CC(HCI_OP_USER_CONFIRM_NEG_REPLY, hci_cc_user_confirm_neg_reply,
4137 	       sizeof(struct hci_rp_user_confirm_reply)),
4138 	HCI_CC(HCI_OP_USER_PASSKEY_REPLY, hci_cc_user_passkey_reply,
4139 	       sizeof(struct hci_rp_user_confirm_reply)),
4140 	HCI_CC(HCI_OP_USER_PASSKEY_NEG_REPLY, hci_cc_user_passkey_neg_reply,
4141 	       sizeof(struct hci_rp_user_confirm_reply)),
4142 	HCI_CC_STATUS(HCI_OP_LE_SET_RANDOM_ADDR, hci_cc_le_set_random_addr),
4143 	HCI_CC_STATUS(HCI_OP_LE_SET_ADV_ENABLE, hci_cc_le_set_adv_enable),
4144 	HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_PARAM, hci_cc_le_set_scan_param),
4145 	HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_ENABLE, hci_cc_le_set_scan_enable),
4146 	HCI_CC(HCI_OP_LE_READ_ACCEPT_LIST_SIZE,
4147 	       hci_cc_le_read_accept_list_size,
4148 	       sizeof(struct hci_rp_le_read_accept_list_size)),
4149 	HCI_CC_STATUS(HCI_OP_LE_CLEAR_ACCEPT_LIST, hci_cc_le_clear_accept_list),
4150 	HCI_CC_STATUS(HCI_OP_LE_ADD_TO_ACCEPT_LIST,
4151 		      hci_cc_le_add_to_accept_list),
4152 	HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_ACCEPT_LIST,
4153 		      hci_cc_le_del_from_accept_list),
4154 	HCI_CC(HCI_OP_LE_READ_SUPPORTED_STATES, hci_cc_le_read_supported_states,
4155 	       sizeof(struct hci_rp_le_read_supported_states)),
4156 	HCI_CC(HCI_OP_LE_READ_DEF_DATA_LEN, hci_cc_le_read_def_data_len,
4157 	       sizeof(struct hci_rp_le_read_def_data_len)),
4158 	HCI_CC_STATUS(HCI_OP_LE_WRITE_DEF_DATA_LEN,
4159 		      hci_cc_le_write_def_data_len),
4160 	HCI_CC_STATUS(HCI_OP_LE_ADD_TO_RESOLV_LIST,
4161 		      hci_cc_le_add_to_resolv_list),
4162 	HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_RESOLV_LIST,
4163 		      hci_cc_le_del_from_resolv_list),
4164 	HCI_CC_STATUS(HCI_OP_LE_CLEAR_RESOLV_LIST,
4165 		      hci_cc_le_clear_resolv_list),
4166 	HCI_CC(HCI_OP_LE_READ_RESOLV_LIST_SIZE, hci_cc_le_read_resolv_list_size,
4167 	       sizeof(struct hci_rp_le_read_resolv_list_size)),
4168 	HCI_CC_STATUS(HCI_OP_LE_SET_ADDR_RESOLV_ENABLE,
4169 		      hci_cc_le_set_addr_resolution_enable),
4170 	HCI_CC(HCI_OP_LE_READ_MAX_DATA_LEN, hci_cc_le_read_max_data_len,
4171 	       sizeof(struct hci_rp_le_read_max_data_len)),
4172 	HCI_CC_STATUS(HCI_OP_WRITE_LE_HOST_SUPPORTED,
4173 		      hci_cc_write_le_host_supported),
4174 	HCI_CC_STATUS(HCI_OP_LE_SET_ADV_PARAM, hci_cc_set_adv_param),
4175 	HCI_CC(HCI_OP_READ_RSSI, hci_cc_read_rssi,
4176 	       sizeof(struct hci_rp_read_rssi)),
4177 	HCI_CC(HCI_OP_READ_TX_POWER, hci_cc_read_tx_power,
4178 	       sizeof(struct hci_rp_read_tx_power)),
4179 	HCI_CC_STATUS(HCI_OP_WRITE_SSP_DEBUG_MODE, hci_cc_write_ssp_debug_mode),
4180 	HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_PARAMS,
4181 		      hci_cc_le_set_ext_scan_param),
4182 	HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_ENABLE,
4183 		      hci_cc_le_set_ext_scan_enable),
4184 	HCI_CC_STATUS(HCI_OP_LE_SET_DEFAULT_PHY, hci_cc_le_set_default_phy),
4185 	HCI_CC(HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS,
4186 	       hci_cc_le_read_num_adv_sets,
4187 	       sizeof(struct hci_rp_le_read_num_supported_adv_sets)),
4188 	HCI_CC(HCI_OP_LE_SET_EXT_ADV_PARAMS, hci_cc_set_ext_adv_param,
4189 	       sizeof(struct hci_rp_le_set_ext_adv_params)),
4190 	HCI_CC_STATUS(HCI_OP_LE_SET_EXT_ADV_ENABLE,
4191 		      hci_cc_le_set_ext_adv_enable),
4192 	HCI_CC_STATUS(HCI_OP_LE_SET_ADV_SET_RAND_ADDR,
4193 		      hci_cc_le_set_adv_set_random_addr),
4194 	HCI_CC_STATUS(HCI_OP_LE_REMOVE_ADV_SET, hci_cc_le_remove_adv_set),
4195 	HCI_CC_STATUS(HCI_OP_LE_CLEAR_ADV_SETS, hci_cc_le_clear_adv_sets),
4196 	HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_PARAMS, hci_cc_set_per_adv_param),
4197 	HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_ENABLE,
4198 		      hci_cc_le_set_per_adv_enable),
4199 	HCI_CC(HCI_OP_LE_READ_TRANSMIT_POWER, hci_cc_le_read_transmit_power,
4200 	       sizeof(struct hci_rp_le_read_transmit_power)),
4201 	HCI_CC_STATUS(HCI_OP_LE_SET_PRIVACY_MODE, hci_cc_le_set_privacy_mode),
4202 	HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE_V2, hci_cc_le_read_buffer_size_v2,
4203 	       sizeof(struct hci_rp_le_read_buffer_size_v2)),
4204 	HCI_CC_VL(HCI_OP_LE_SET_CIG_PARAMS, hci_cc_le_set_cig_params,
4205 		  sizeof(struct hci_rp_le_set_cig_params), HCI_MAX_EVENT_SIZE),
4206 	HCI_CC(HCI_OP_LE_SETUP_ISO_PATH, hci_cc_le_setup_iso_path,
4207 	       sizeof(struct hci_rp_le_setup_iso_path)),
4208 };
4209 
4210 static u8 hci_cc_func(struct hci_dev *hdev, const struct hci_cc *cc,
4211 		      struct sk_buff *skb)
4212 {
4213 	void *data;
4214 
4215 	if (skb->len < cc->min_len) {
4216 		bt_dev_err(hdev, "unexpected cc 0x%4.4x length: %u < %u",
4217 			   cc->op, skb->len, cc->min_len);
4218 		return HCI_ERROR_UNSPECIFIED;
4219 	}
4220 
4221 	/* Just warn if the length is over max_len size it still be possible to
4222 	 * partially parse the cc so leave to callback to decide if that is
4223 	 * acceptable.
4224 	 */
4225 	if (skb->len > cc->max_len)
4226 		bt_dev_warn(hdev, "unexpected cc 0x%4.4x length: %u > %u",
4227 			    cc->op, skb->len, cc->max_len);
4228 
4229 	data = hci_cc_skb_pull(hdev, skb, cc->op, cc->min_len);
4230 	if (!data)
4231 		return HCI_ERROR_UNSPECIFIED;
4232 
4233 	return cc->func(hdev, data, skb);
4234 }
4235 
4236 static void hci_cmd_complete_evt(struct hci_dev *hdev, void *data,
4237 				 struct sk_buff *skb, u16 *opcode, u8 *status,
4238 				 hci_req_complete_t *req_complete,
4239 				 hci_req_complete_skb_t *req_complete_skb)
4240 {
4241 	struct hci_ev_cmd_complete *ev = data;
4242 	int i;
4243 
4244 	*opcode = __le16_to_cpu(ev->opcode);
4245 
4246 	bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode);
4247 
4248 	for (i = 0; i < ARRAY_SIZE(hci_cc_table); i++) {
4249 		if (hci_cc_table[i].op == *opcode) {
4250 			*status = hci_cc_func(hdev, &hci_cc_table[i], skb);
4251 			break;
4252 		}
4253 	}
4254 
4255 	if (i == ARRAY_SIZE(hci_cc_table)) {
4256 		/* Unknown opcode, assume byte 0 contains the status, so
4257 		 * that e.g. __hci_cmd_sync() properly returns errors
4258 		 * for vendor specific commands send by HCI drivers.
4259 		 * If a vendor doesn't actually follow this convention we may
4260 		 * need to introduce a vendor CC table in order to properly set
4261 		 * the status.
4262 		 */
4263 		*status = skb->data[0];
4264 	}
4265 
4266 	handle_cmd_cnt_and_timer(hdev, ev->ncmd);
4267 
4268 	hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
4269 			     req_complete_skb);
4270 
4271 	if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
4272 		bt_dev_err(hdev,
4273 			   "unexpected event for opcode 0x%4.4x", *opcode);
4274 		return;
4275 	}
4276 
4277 	if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
4278 		queue_work(hdev->workqueue, &hdev->cmd_work);
4279 }
4280 
4281 static void hci_cs_le_create_cis(struct hci_dev *hdev, u8 status)
4282 {
4283 	struct hci_cp_le_create_cis *cp;
4284 	bool pending = false;
4285 	int i;
4286 
4287 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
4288 
4289 	if (!status)
4290 		return;
4291 
4292 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CIS);
4293 	if (!cp)
4294 		return;
4295 
4296 	hci_dev_lock(hdev);
4297 
4298 	/* Remove connection if command failed */
4299 	for (i = 0; cp->num_cis; cp->num_cis--, i++) {
4300 		struct hci_conn *conn;
4301 		u16 handle;
4302 
4303 		handle = __le16_to_cpu(cp->cis[i].cis_handle);
4304 
4305 		conn = hci_conn_hash_lookup_handle(hdev, handle);
4306 		if (conn) {
4307 			if (test_and_clear_bit(HCI_CONN_CREATE_CIS,
4308 					       &conn->flags))
4309 				pending = true;
4310 			conn->state = BT_CLOSED;
4311 			hci_connect_cfm(conn, status);
4312 			hci_conn_del(conn);
4313 		}
4314 	}
4315 
4316 	if (pending)
4317 		hci_le_create_cis_pending(hdev);
4318 
4319 	hci_dev_unlock(hdev);
4320 }
4321 
4322 #define HCI_CS(_op, _func) \
4323 { \
4324 	.op = _op, \
4325 	.func = _func, \
4326 }
4327 
4328 static const struct hci_cs {
4329 	u16  op;
4330 	void (*func)(struct hci_dev *hdev, __u8 status);
4331 } hci_cs_table[] = {
4332 	HCI_CS(HCI_OP_INQUIRY, hci_cs_inquiry),
4333 	HCI_CS(HCI_OP_CREATE_CONN, hci_cs_create_conn),
4334 	HCI_CS(HCI_OP_DISCONNECT, hci_cs_disconnect),
4335 	HCI_CS(HCI_OP_ADD_SCO, hci_cs_add_sco),
4336 	HCI_CS(HCI_OP_AUTH_REQUESTED, hci_cs_auth_requested),
4337 	HCI_CS(HCI_OP_SET_CONN_ENCRYPT, hci_cs_set_conn_encrypt),
4338 	HCI_CS(HCI_OP_REMOTE_NAME_REQ, hci_cs_remote_name_req),
4339 	HCI_CS(HCI_OP_READ_REMOTE_FEATURES, hci_cs_read_remote_features),
4340 	HCI_CS(HCI_OP_READ_REMOTE_EXT_FEATURES,
4341 	       hci_cs_read_remote_ext_features),
4342 	HCI_CS(HCI_OP_SETUP_SYNC_CONN, hci_cs_setup_sync_conn),
4343 	HCI_CS(HCI_OP_ENHANCED_SETUP_SYNC_CONN,
4344 	       hci_cs_enhanced_setup_sync_conn),
4345 	HCI_CS(HCI_OP_SNIFF_MODE, hci_cs_sniff_mode),
4346 	HCI_CS(HCI_OP_EXIT_SNIFF_MODE, hci_cs_exit_sniff_mode),
4347 	HCI_CS(HCI_OP_SWITCH_ROLE, hci_cs_switch_role),
4348 	HCI_CS(HCI_OP_LE_CREATE_CONN, hci_cs_le_create_conn),
4349 	HCI_CS(HCI_OP_LE_READ_REMOTE_FEATURES, hci_cs_le_read_remote_features),
4350 	HCI_CS(HCI_OP_LE_START_ENC, hci_cs_le_start_enc),
4351 	HCI_CS(HCI_OP_LE_EXT_CREATE_CONN, hci_cs_le_ext_create_conn),
4352 	HCI_CS(HCI_OP_LE_CREATE_CIS, hci_cs_le_create_cis),
4353 	HCI_CS(HCI_OP_LE_CREATE_BIG, hci_cs_le_create_big),
4354 };
4355 
4356 static void hci_cmd_status_evt(struct hci_dev *hdev, void *data,
4357 			       struct sk_buff *skb, u16 *opcode, u8 *status,
4358 			       hci_req_complete_t *req_complete,
4359 			       hci_req_complete_skb_t *req_complete_skb)
4360 {
4361 	struct hci_ev_cmd_status *ev = data;
4362 	int i;
4363 
4364 	*opcode = __le16_to_cpu(ev->opcode);
4365 	*status = ev->status;
4366 
4367 	bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode);
4368 
4369 	for (i = 0; i < ARRAY_SIZE(hci_cs_table); i++) {
4370 		if (hci_cs_table[i].op == *opcode) {
4371 			hci_cs_table[i].func(hdev, ev->status);
4372 			break;
4373 		}
4374 	}
4375 
4376 	handle_cmd_cnt_and_timer(hdev, ev->ncmd);
4377 
4378 	/* Indicate request completion if the command failed. Also, if
4379 	 * we're not waiting for a special event and we get a success
4380 	 * command status we should try to flag the request as completed
4381 	 * (since for this kind of commands there will not be a command
4382 	 * complete event).
4383 	 */
4384 	if (ev->status || (hdev->sent_cmd && !hci_skb_event(hdev->sent_cmd))) {
4385 		hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
4386 				     req_complete_skb);
4387 		if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
4388 			bt_dev_err(hdev, "unexpected event for opcode 0x%4.4x",
4389 				   *opcode);
4390 			return;
4391 		}
4392 	}
4393 
4394 	if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
4395 		queue_work(hdev->workqueue, &hdev->cmd_work);
4396 }
4397 
4398 static void hci_hardware_error_evt(struct hci_dev *hdev, void *data,
4399 				   struct sk_buff *skb)
4400 {
4401 	struct hci_ev_hardware_error *ev = data;
4402 
4403 	bt_dev_dbg(hdev, "code 0x%2.2x", ev->code);
4404 
4405 	hdev->hw_error_code = ev->code;
4406 
4407 	queue_work(hdev->req_workqueue, &hdev->error_reset);
4408 }
4409 
4410 static void hci_role_change_evt(struct hci_dev *hdev, void *data,
4411 				struct sk_buff *skb)
4412 {
4413 	struct hci_ev_role_change *ev = data;
4414 	struct hci_conn *conn;
4415 
4416 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4417 
4418 	hci_dev_lock(hdev);
4419 
4420 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4421 	if (conn) {
4422 		if (!ev->status)
4423 			conn->role = ev->role;
4424 
4425 		clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
4426 
4427 		hci_role_switch_cfm(conn, ev->status, ev->role);
4428 	}
4429 
4430 	hci_dev_unlock(hdev);
4431 }
4432 
4433 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, void *data,
4434 				  struct sk_buff *skb)
4435 {
4436 	struct hci_ev_num_comp_pkts *ev = data;
4437 	int i;
4438 
4439 	if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_PKTS,
4440 			     flex_array_size(ev, handles, ev->num)))
4441 		return;
4442 
4443 	if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
4444 		bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
4445 		return;
4446 	}
4447 
4448 	bt_dev_dbg(hdev, "num %d", ev->num);
4449 
4450 	for (i = 0; i < ev->num; i++) {
4451 		struct hci_comp_pkts_info *info = &ev->handles[i];
4452 		struct hci_conn *conn;
4453 		__u16  handle, count;
4454 
4455 		handle = __le16_to_cpu(info->handle);
4456 		count  = __le16_to_cpu(info->count);
4457 
4458 		conn = hci_conn_hash_lookup_handle(hdev, handle);
4459 		if (!conn)
4460 			continue;
4461 
4462 		conn->sent -= count;
4463 
4464 		switch (conn->type) {
4465 		case ACL_LINK:
4466 			hdev->acl_cnt += count;
4467 			if (hdev->acl_cnt > hdev->acl_pkts)
4468 				hdev->acl_cnt = hdev->acl_pkts;
4469 			break;
4470 
4471 		case LE_LINK:
4472 			if (hdev->le_pkts) {
4473 				hdev->le_cnt += count;
4474 				if (hdev->le_cnt > hdev->le_pkts)
4475 					hdev->le_cnt = hdev->le_pkts;
4476 			} else {
4477 				hdev->acl_cnt += count;
4478 				if (hdev->acl_cnt > hdev->acl_pkts)
4479 					hdev->acl_cnt = hdev->acl_pkts;
4480 			}
4481 			break;
4482 
4483 		case SCO_LINK:
4484 			hdev->sco_cnt += count;
4485 			if (hdev->sco_cnt > hdev->sco_pkts)
4486 				hdev->sco_cnt = hdev->sco_pkts;
4487 			break;
4488 
4489 		case ISO_LINK:
4490 			if (hdev->iso_pkts) {
4491 				hdev->iso_cnt += count;
4492 				if (hdev->iso_cnt > hdev->iso_pkts)
4493 					hdev->iso_cnt = hdev->iso_pkts;
4494 			} else if (hdev->le_pkts) {
4495 				hdev->le_cnt += count;
4496 				if (hdev->le_cnt > hdev->le_pkts)
4497 					hdev->le_cnt = hdev->le_pkts;
4498 			} else {
4499 				hdev->acl_cnt += count;
4500 				if (hdev->acl_cnt > hdev->acl_pkts)
4501 					hdev->acl_cnt = hdev->acl_pkts;
4502 			}
4503 			break;
4504 
4505 		default:
4506 			bt_dev_err(hdev, "unknown type %d conn %p",
4507 				   conn->type, conn);
4508 			break;
4509 		}
4510 	}
4511 
4512 	queue_work(hdev->workqueue, &hdev->tx_work);
4513 }
4514 
4515 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
4516 						 __u16 handle)
4517 {
4518 	struct hci_chan *chan;
4519 
4520 	switch (hdev->dev_type) {
4521 	case HCI_PRIMARY:
4522 		return hci_conn_hash_lookup_handle(hdev, handle);
4523 	case HCI_AMP:
4524 		chan = hci_chan_lookup_handle(hdev, handle);
4525 		if (chan)
4526 			return chan->conn;
4527 		break;
4528 	default:
4529 		bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type);
4530 		break;
4531 	}
4532 
4533 	return NULL;
4534 }
4535 
4536 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, void *data,
4537 				    struct sk_buff *skb)
4538 {
4539 	struct hci_ev_num_comp_blocks *ev = data;
4540 	int i;
4541 
4542 	if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_BLOCKS,
4543 			     flex_array_size(ev, handles, ev->num_hndl)))
4544 		return;
4545 
4546 	if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
4547 		bt_dev_err(hdev, "wrong event for mode %d",
4548 			   hdev->flow_ctl_mode);
4549 		return;
4550 	}
4551 
4552 	bt_dev_dbg(hdev, "num_blocks %d num_hndl %d", ev->num_blocks,
4553 		   ev->num_hndl);
4554 
4555 	for (i = 0; i < ev->num_hndl; i++) {
4556 		struct hci_comp_blocks_info *info = &ev->handles[i];
4557 		struct hci_conn *conn = NULL;
4558 		__u16  handle, block_count;
4559 
4560 		handle = __le16_to_cpu(info->handle);
4561 		block_count = __le16_to_cpu(info->blocks);
4562 
4563 		conn = __hci_conn_lookup_handle(hdev, handle);
4564 		if (!conn)
4565 			continue;
4566 
4567 		conn->sent -= block_count;
4568 
4569 		switch (conn->type) {
4570 		case ACL_LINK:
4571 		case AMP_LINK:
4572 			hdev->block_cnt += block_count;
4573 			if (hdev->block_cnt > hdev->num_blocks)
4574 				hdev->block_cnt = hdev->num_blocks;
4575 			break;
4576 
4577 		default:
4578 			bt_dev_err(hdev, "unknown type %d conn %p",
4579 				   conn->type, conn);
4580 			break;
4581 		}
4582 	}
4583 
4584 	queue_work(hdev->workqueue, &hdev->tx_work);
4585 }
4586 
4587 static void hci_mode_change_evt(struct hci_dev *hdev, void *data,
4588 				struct sk_buff *skb)
4589 {
4590 	struct hci_ev_mode_change *ev = data;
4591 	struct hci_conn *conn;
4592 
4593 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4594 
4595 	hci_dev_lock(hdev);
4596 
4597 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4598 	if (conn) {
4599 		conn->mode = ev->mode;
4600 
4601 		if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
4602 					&conn->flags)) {
4603 			if (conn->mode == HCI_CM_ACTIVE)
4604 				set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
4605 			else
4606 				clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
4607 		}
4608 
4609 		if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
4610 			hci_sco_setup(conn, ev->status);
4611 	}
4612 
4613 	hci_dev_unlock(hdev);
4614 }
4615 
4616 static void hci_pin_code_request_evt(struct hci_dev *hdev, void *data,
4617 				     struct sk_buff *skb)
4618 {
4619 	struct hci_ev_pin_code_req *ev = data;
4620 	struct hci_conn *conn;
4621 
4622 	bt_dev_dbg(hdev, "");
4623 
4624 	hci_dev_lock(hdev);
4625 
4626 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4627 	if (!conn)
4628 		goto unlock;
4629 
4630 	if (conn->state == BT_CONNECTED) {
4631 		hci_conn_hold(conn);
4632 		conn->disc_timeout = HCI_PAIRING_TIMEOUT;
4633 		hci_conn_drop(conn);
4634 	}
4635 
4636 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
4637 	    !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
4638 		hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
4639 			     sizeof(ev->bdaddr), &ev->bdaddr);
4640 	} else if (hci_dev_test_flag(hdev, HCI_MGMT)) {
4641 		u8 secure;
4642 
4643 		if (conn->pending_sec_level == BT_SECURITY_HIGH)
4644 			secure = 1;
4645 		else
4646 			secure = 0;
4647 
4648 		mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
4649 	}
4650 
4651 unlock:
4652 	hci_dev_unlock(hdev);
4653 }
4654 
4655 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
4656 {
4657 	if (key_type == HCI_LK_CHANGED_COMBINATION)
4658 		return;
4659 
4660 	conn->pin_length = pin_len;
4661 	conn->key_type = key_type;
4662 
4663 	switch (key_type) {
4664 	case HCI_LK_LOCAL_UNIT:
4665 	case HCI_LK_REMOTE_UNIT:
4666 	case HCI_LK_DEBUG_COMBINATION:
4667 		return;
4668 	case HCI_LK_COMBINATION:
4669 		if (pin_len == 16)
4670 			conn->pending_sec_level = BT_SECURITY_HIGH;
4671 		else
4672 			conn->pending_sec_level = BT_SECURITY_MEDIUM;
4673 		break;
4674 	case HCI_LK_UNAUTH_COMBINATION_P192:
4675 	case HCI_LK_UNAUTH_COMBINATION_P256:
4676 		conn->pending_sec_level = BT_SECURITY_MEDIUM;
4677 		break;
4678 	case HCI_LK_AUTH_COMBINATION_P192:
4679 		conn->pending_sec_level = BT_SECURITY_HIGH;
4680 		break;
4681 	case HCI_LK_AUTH_COMBINATION_P256:
4682 		conn->pending_sec_level = BT_SECURITY_FIPS;
4683 		break;
4684 	}
4685 }
4686 
4687 static void hci_link_key_request_evt(struct hci_dev *hdev, void *data,
4688 				     struct sk_buff *skb)
4689 {
4690 	struct hci_ev_link_key_req *ev = data;
4691 	struct hci_cp_link_key_reply cp;
4692 	struct hci_conn *conn;
4693 	struct link_key *key;
4694 
4695 	bt_dev_dbg(hdev, "");
4696 
4697 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
4698 		return;
4699 
4700 	hci_dev_lock(hdev);
4701 
4702 	key = hci_find_link_key(hdev, &ev->bdaddr);
4703 	if (!key) {
4704 		bt_dev_dbg(hdev, "link key not found for %pMR", &ev->bdaddr);
4705 		goto not_found;
4706 	}
4707 
4708 	bt_dev_dbg(hdev, "found key type %u for %pMR", key->type, &ev->bdaddr);
4709 
4710 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4711 	if (conn) {
4712 		clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4713 
4714 		if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
4715 		     key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
4716 		    conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
4717 			bt_dev_dbg(hdev, "ignoring unauthenticated key");
4718 			goto not_found;
4719 		}
4720 
4721 		if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
4722 		    (conn->pending_sec_level == BT_SECURITY_HIGH ||
4723 		     conn->pending_sec_level == BT_SECURITY_FIPS)) {
4724 			bt_dev_dbg(hdev, "ignoring key unauthenticated for high security");
4725 			goto not_found;
4726 		}
4727 
4728 		conn_set_key(conn, key->type, key->pin_len);
4729 	}
4730 
4731 	bacpy(&cp.bdaddr, &ev->bdaddr);
4732 	memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
4733 
4734 	hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
4735 
4736 	hci_dev_unlock(hdev);
4737 
4738 	return;
4739 
4740 not_found:
4741 	hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
4742 	hci_dev_unlock(hdev);
4743 }
4744 
4745 static void hci_link_key_notify_evt(struct hci_dev *hdev, void *data,
4746 				    struct sk_buff *skb)
4747 {
4748 	struct hci_ev_link_key_notify *ev = data;
4749 	struct hci_conn *conn;
4750 	struct link_key *key;
4751 	bool persistent;
4752 	u8 pin_len = 0;
4753 
4754 	bt_dev_dbg(hdev, "");
4755 
4756 	hci_dev_lock(hdev);
4757 
4758 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4759 	if (!conn)
4760 		goto unlock;
4761 
4762 	/* Ignore NULL link key against CVE-2020-26555 */
4763 	if (!crypto_memneq(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) {
4764 		bt_dev_dbg(hdev, "Ignore NULL link key (ZERO KEY) for %pMR",
4765 			   &ev->bdaddr);
4766 		hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
4767 		hci_conn_drop(conn);
4768 		goto unlock;
4769 	}
4770 
4771 	hci_conn_hold(conn);
4772 	conn->disc_timeout = HCI_DISCONN_TIMEOUT;
4773 	hci_conn_drop(conn);
4774 
4775 	set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4776 	conn_set_key(conn, ev->key_type, conn->pin_length);
4777 
4778 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
4779 		goto unlock;
4780 
4781 	key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
4782 			        ev->key_type, pin_len, &persistent);
4783 	if (!key)
4784 		goto unlock;
4785 
4786 	/* Update connection information since adding the key will have
4787 	 * fixed up the type in the case of changed combination keys.
4788 	 */
4789 	if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
4790 		conn_set_key(conn, key->type, key->pin_len);
4791 
4792 	mgmt_new_link_key(hdev, key, persistent);
4793 
4794 	/* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
4795 	 * is set. If it's not set simply remove the key from the kernel
4796 	 * list (we've still notified user space about it but with
4797 	 * store_hint being 0).
4798 	 */
4799 	if (key->type == HCI_LK_DEBUG_COMBINATION &&
4800 	    !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {
4801 		list_del_rcu(&key->list);
4802 		kfree_rcu(key, rcu);
4803 		goto unlock;
4804 	}
4805 
4806 	if (persistent)
4807 		clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4808 	else
4809 		set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4810 
4811 unlock:
4812 	hci_dev_unlock(hdev);
4813 }
4814 
4815 static void hci_clock_offset_evt(struct hci_dev *hdev, void *data,
4816 				 struct sk_buff *skb)
4817 {
4818 	struct hci_ev_clock_offset *ev = data;
4819 	struct hci_conn *conn;
4820 
4821 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4822 
4823 	hci_dev_lock(hdev);
4824 
4825 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4826 	if (conn && !ev->status) {
4827 		struct inquiry_entry *ie;
4828 
4829 		ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
4830 		if (ie) {
4831 			ie->data.clock_offset = ev->clock_offset;
4832 			ie->timestamp = jiffies;
4833 		}
4834 	}
4835 
4836 	hci_dev_unlock(hdev);
4837 }
4838 
4839 static void hci_pkt_type_change_evt(struct hci_dev *hdev, void *data,
4840 				    struct sk_buff *skb)
4841 {
4842 	struct hci_ev_pkt_type_change *ev = data;
4843 	struct hci_conn *conn;
4844 
4845 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4846 
4847 	hci_dev_lock(hdev);
4848 
4849 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4850 	if (conn && !ev->status)
4851 		conn->pkt_type = __le16_to_cpu(ev->pkt_type);
4852 
4853 	hci_dev_unlock(hdev);
4854 }
4855 
4856 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, void *data,
4857 				   struct sk_buff *skb)
4858 {
4859 	struct hci_ev_pscan_rep_mode *ev = data;
4860 	struct inquiry_entry *ie;
4861 
4862 	bt_dev_dbg(hdev, "");
4863 
4864 	hci_dev_lock(hdev);
4865 
4866 	ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4867 	if (ie) {
4868 		ie->data.pscan_rep_mode = ev->pscan_rep_mode;
4869 		ie->timestamp = jiffies;
4870 	}
4871 
4872 	hci_dev_unlock(hdev);
4873 }
4874 
4875 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, void *edata,
4876 					     struct sk_buff *skb)
4877 {
4878 	struct hci_ev_inquiry_result_rssi *ev = edata;
4879 	struct inquiry_data data;
4880 	int i;
4881 
4882 	bt_dev_dbg(hdev, "num_rsp %d", ev->num);
4883 
4884 	if (!ev->num)
4885 		return;
4886 
4887 	if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
4888 		return;
4889 
4890 	hci_dev_lock(hdev);
4891 
4892 	if (skb->len == array_size(ev->num,
4893 				   sizeof(struct inquiry_info_rssi_pscan))) {
4894 		struct inquiry_info_rssi_pscan *info;
4895 
4896 		for (i = 0; i < ev->num; i++) {
4897 			u32 flags;
4898 
4899 			info = hci_ev_skb_pull(hdev, skb,
4900 					       HCI_EV_INQUIRY_RESULT_WITH_RSSI,
4901 					       sizeof(*info));
4902 			if (!info) {
4903 				bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
4904 					   HCI_EV_INQUIRY_RESULT_WITH_RSSI);
4905 				goto unlock;
4906 			}
4907 
4908 			bacpy(&data.bdaddr, &info->bdaddr);
4909 			data.pscan_rep_mode	= info->pscan_rep_mode;
4910 			data.pscan_period_mode	= info->pscan_period_mode;
4911 			data.pscan_mode		= info->pscan_mode;
4912 			memcpy(data.dev_class, info->dev_class, 3);
4913 			data.clock_offset	= info->clock_offset;
4914 			data.rssi		= info->rssi;
4915 			data.ssp_mode		= 0x00;
4916 
4917 			flags = hci_inquiry_cache_update(hdev, &data, false);
4918 
4919 			mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4920 					  info->dev_class, info->rssi,
4921 					  flags, NULL, 0, NULL, 0, 0);
4922 		}
4923 	} else if (skb->len == array_size(ev->num,
4924 					  sizeof(struct inquiry_info_rssi))) {
4925 		struct inquiry_info_rssi *info;
4926 
4927 		for (i = 0; i < ev->num; i++) {
4928 			u32 flags;
4929 
4930 			info = hci_ev_skb_pull(hdev, skb,
4931 					       HCI_EV_INQUIRY_RESULT_WITH_RSSI,
4932 					       sizeof(*info));
4933 			if (!info) {
4934 				bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
4935 					   HCI_EV_INQUIRY_RESULT_WITH_RSSI);
4936 				goto unlock;
4937 			}
4938 
4939 			bacpy(&data.bdaddr, &info->bdaddr);
4940 			data.pscan_rep_mode	= info->pscan_rep_mode;
4941 			data.pscan_period_mode	= info->pscan_period_mode;
4942 			data.pscan_mode		= 0x00;
4943 			memcpy(data.dev_class, info->dev_class, 3);
4944 			data.clock_offset	= info->clock_offset;
4945 			data.rssi		= info->rssi;
4946 			data.ssp_mode		= 0x00;
4947 
4948 			flags = hci_inquiry_cache_update(hdev, &data, false);
4949 
4950 			mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4951 					  info->dev_class, info->rssi,
4952 					  flags, NULL, 0, NULL, 0, 0);
4953 		}
4954 	} else {
4955 		bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
4956 			   HCI_EV_INQUIRY_RESULT_WITH_RSSI);
4957 	}
4958 unlock:
4959 	hci_dev_unlock(hdev);
4960 }
4961 
4962 static void hci_remote_ext_features_evt(struct hci_dev *hdev, void *data,
4963 					struct sk_buff *skb)
4964 {
4965 	struct hci_ev_remote_ext_features *ev = data;
4966 	struct hci_conn *conn;
4967 
4968 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4969 
4970 	hci_dev_lock(hdev);
4971 
4972 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4973 	if (!conn)
4974 		goto unlock;
4975 
4976 	if (ev->page < HCI_MAX_PAGES)
4977 		memcpy(conn->features[ev->page], ev->features, 8);
4978 
4979 	if (!ev->status && ev->page == 0x01) {
4980 		struct inquiry_entry *ie;
4981 
4982 		ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
4983 		if (ie)
4984 			ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4985 
4986 		if (ev->features[0] & LMP_HOST_SSP) {
4987 			set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
4988 		} else {
4989 			/* It is mandatory by the Bluetooth specification that
4990 			 * Extended Inquiry Results are only used when Secure
4991 			 * Simple Pairing is enabled, but some devices violate
4992 			 * this.
4993 			 *
4994 			 * To make these devices work, the internal SSP
4995 			 * enabled flag needs to be cleared if the remote host
4996 			 * features do not indicate SSP support */
4997 			clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
4998 		}
4999 
5000 		if (ev->features[0] & LMP_HOST_SC)
5001 			set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
5002 	}
5003 
5004 	if (conn->state != BT_CONFIG)
5005 		goto unlock;
5006 
5007 	if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
5008 		struct hci_cp_remote_name_req cp;
5009 		memset(&cp, 0, sizeof(cp));
5010 		bacpy(&cp.bdaddr, &conn->dst);
5011 		cp.pscan_rep_mode = 0x02;
5012 		hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
5013 	} else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
5014 		mgmt_device_connected(hdev, conn, NULL, 0);
5015 
5016 	if (!hci_outgoing_auth_needed(hdev, conn)) {
5017 		conn->state = BT_CONNECTED;
5018 		hci_connect_cfm(conn, ev->status);
5019 		hci_conn_drop(conn);
5020 	}
5021 
5022 unlock:
5023 	hci_dev_unlock(hdev);
5024 }
5025 
5026 static void hci_sync_conn_complete_evt(struct hci_dev *hdev, void *data,
5027 				       struct sk_buff *skb)
5028 {
5029 	struct hci_ev_sync_conn_complete *ev = data;
5030 	struct hci_conn *conn;
5031 	u8 status = ev->status;
5032 
5033 	switch (ev->link_type) {
5034 	case SCO_LINK:
5035 	case ESCO_LINK:
5036 		break;
5037 	default:
5038 		/* As per Core 5.3 Vol 4 Part E 7.7.35 (p.2219), Link_Type
5039 		 * for HCI_Synchronous_Connection_Complete is limited to
5040 		 * either SCO or eSCO
5041 		 */
5042 		bt_dev_err(hdev, "Ignoring connect complete event for invalid link type");
5043 		return;
5044 	}
5045 
5046 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
5047 
5048 	hci_dev_lock(hdev);
5049 
5050 	conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
5051 	if (!conn) {
5052 		if (ev->link_type == ESCO_LINK)
5053 			goto unlock;
5054 
5055 		/* When the link type in the event indicates SCO connection
5056 		 * and lookup of the connection object fails, then check
5057 		 * if an eSCO connection object exists.
5058 		 *
5059 		 * The core limits the synchronous connections to either
5060 		 * SCO or eSCO. The eSCO connection is preferred and tried
5061 		 * to be setup first and until successfully established,
5062 		 * the link type will be hinted as eSCO.
5063 		 */
5064 		conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
5065 		if (!conn)
5066 			goto unlock;
5067 	}
5068 
5069 	/* The HCI_Synchronous_Connection_Complete event is only sent once per connection.
5070 	 * Processing it more than once per connection can corrupt kernel memory.
5071 	 *
5072 	 * As the connection handle is set here for the first time, it indicates
5073 	 * whether the connection is already set up.
5074 	 */
5075 	if (!HCI_CONN_HANDLE_UNSET(conn->handle)) {
5076 		bt_dev_err(hdev, "Ignoring HCI_Sync_Conn_Complete event for existing connection");
5077 		goto unlock;
5078 	}
5079 
5080 	switch (status) {
5081 	case 0x00:
5082 		status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle));
5083 		if (status) {
5084 			conn->state = BT_CLOSED;
5085 			break;
5086 		}
5087 
5088 		conn->state  = BT_CONNECTED;
5089 		conn->type   = ev->link_type;
5090 
5091 		hci_debugfs_create_conn(conn);
5092 		hci_conn_add_sysfs(conn);
5093 		break;
5094 
5095 	case 0x10:	/* Connection Accept Timeout */
5096 	case 0x0d:	/* Connection Rejected due to Limited Resources */
5097 	case 0x11:	/* Unsupported Feature or Parameter Value */
5098 	case 0x1c:	/* SCO interval rejected */
5099 	case 0x1a:	/* Unsupported Remote Feature */
5100 	case 0x1e:	/* Invalid LMP Parameters */
5101 	case 0x1f:	/* Unspecified error */
5102 	case 0x20:	/* Unsupported LMP Parameter value */
5103 		if (conn->out) {
5104 			conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
5105 					(hdev->esco_type & EDR_ESCO_MASK);
5106 			if (hci_setup_sync(conn, conn->parent->handle))
5107 				goto unlock;
5108 		}
5109 		fallthrough;
5110 
5111 	default:
5112 		conn->state = BT_CLOSED;
5113 		break;
5114 	}
5115 
5116 	bt_dev_dbg(hdev, "SCO connected with air mode: %02x", ev->air_mode);
5117 	/* Notify only in case of SCO over HCI transport data path which
5118 	 * is zero and non-zero value shall be non-HCI transport data path
5119 	 */
5120 	if (conn->codec.data_path == 0 && hdev->notify) {
5121 		switch (ev->air_mode) {
5122 		case 0x02:
5123 			hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
5124 			break;
5125 		case 0x03:
5126 			hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_TRANSP);
5127 			break;
5128 		}
5129 	}
5130 
5131 	hci_connect_cfm(conn, status);
5132 	if (status)
5133 		hci_conn_del(conn);
5134 
5135 unlock:
5136 	hci_dev_unlock(hdev);
5137 }
5138 
5139 static inline size_t eir_get_length(u8 *eir, size_t eir_len)
5140 {
5141 	size_t parsed = 0;
5142 
5143 	while (parsed < eir_len) {
5144 		u8 field_len = eir[0];
5145 
5146 		if (field_len == 0)
5147 			return parsed;
5148 
5149 		parsed += field_len + 1;
5150 		eir += field_len + 1;
5151 	}
5152 
5153 	return eir_len;
5154 }
5155 
5156 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev, void *edata,
5157 					    struct sk_buff *skb)
5158 {
5159 	struct hci_ev_ext_inquiry_result *ev = edata;
5160 	struct inquiry_data data;
5161 	size_t eir_len;
5162 	int i;
5163 
5164 	if (!hci_ev_skb_pull(hdev, skb, HCI_EV_EXTENDED_INQUIRY_RESULT,
5165 			     flex_array_size(ev, info, ev->num)))
5166 		return;
5167 
5168 	bt_dev_dbg(hdev, "num %d", ev->num);
5169 
5170 	if (!ev->num)
5171 		return;
5172 
5173 	if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
5174 		return;
5175 
5176 	hci_dev_lock(hdev);
5177 
5178 	for (i = 0; i < ev->num; i++) {
5179 		struct extended_inquiry_info *info = &ev->info[i];
5180 		u32 flags;
5181 		bool name_known;
5182 
5183 		bacpy(&data.bdaddr, &info->bdaddr);
5184 		data.pscan_rep_mode	= info->pscan_rep_mode;
5185 		data.pscan_period_mode	= info->pscan_period_mode;
5186 		data.pscan_mode		= 0x00;
5187 		memcpy(data.dev_class, info->dev_class, 3);
5188 		data.clock_offset	= info->clock_offset;
5189 		data.rssi		= info->rssi;
5190 		data.ssp_mode		= 0x01;
5191 
5192 		if (hci_dev_test_flag(hdev, HCI_MGMT))
5193 			name_known = eir_get_data(info->data,
5194 						  sizeof(info->data),
5195 						  EIR_NAME_COMPLETE, NULL);
5196 		else
5197 			name_known = true;
5198 
5199 		flags = hci_inquiry_cache_update(hdev, &data, name_known);
5200 
5201 		eir_len = eir_get_length(info->data, sizeof(info->data));
5202 
5203 		mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
5204 				  info->dev_class, info->rssi,
5205 				  flags, info->data, eir_len, NULL, 0, 0);
5206 	}
5207 
5208 	hci_dev_unlock(hdev);
5209 }
5210 
5211 static void hci_key_refresh_complete_evt(struct hci_dev *hdev, void *data,
5212 					 struct sk_buff *skb)
5213 {
5214 	struct hci_ev_key_refresh_complete *ev = data;
5215 	struct hci_conn *conn;
5216 
5217 	bt_dev_dbg(hdev, "status 0x%2.2x handle 0x%4.4x", ev->status,
5218 		   __le16_to_cpu(ev->handle));
5219 
5220 	hci_dev_lock(hdev);
5221 
5222 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5223 	if (!conn)
5224 		goto unlock;
5225 
5226 	/* For BR/EDR the necessary steps are taken through the
5227 	 * auth_complete event.
5228 	 */
5229 	if (conn->type != LE_LINK)
5230 		goto unlock;
5231 
5232 	if (!ev->status)
5233 		conn->sec_level = conn->pending_sec_level;
5234 
5235 	clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
5236 
5237 	if (ev->status && conn->state == BT_CONNECTED) {
5238 		hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
5239 		hci_conn_drop(conn);
5240 		goto unlock;
5241 	}
5242 
5243 	if (conn->state == BT_CONFIG) {
5244 		if (!ev->status)
5245 			conn->state = BT_CONNECTED;
5246 
5247 		hci_connect_cfm(conn, ev->status);
5248 		hci_conn_drop(conn);
5249 	} else {
5250 		hci_auth_cfm(conn, ev->status);
5251 
5252 		hci_conn_hold(conn);
5253 		conn->disc_timeout = HCI_DISCONN_TIMEOUT;
5254 		hci_conn_drop(conn);
5255 	}
5256 
5257 unlock:
5258 	hci_dev_unlock(hdev);
5259 }
5260 
5261 static u8 hci_get_auth_req(struct hci_conn *conn)
5262 {
5263 	/* If remote requests no-bonding follow that lead */
5264 	if (conn->remote_auth == HCI_AT_NO_BONDING ||
5265 	    conn->remote_auth == HCI_AT_NO_BONDING_MITM)
5266 		return conn->remote_auth | (conn->auth_type & 0x01);
5267 
5268 	/* If both remote and local have enough IO capabilities, require
5269 	 * MITM protection
5270 	 */
5271 	if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
5272 	    conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
5273 		return conn->remote_auth | 0x01;
5274 
5275 	/* No MITM protection possible so ignore remote requirement */
5276 	return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
5277 }
5278 
5279 static u8 bredr_oob_data_present(struct hci_conn *conn)
5280 {
5281 	struct hci_dev *hdev = conn->hdev;
5282 	struct oob_data *data;
5283 
5284 	data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
5285 	if (!data)
5286 		return 0x00;
5287 
5288 	if (bredr_sc_enabled(hdev)) {
5289 		/* When Secure Connections is enabled, then just
5290 		 * return the present value stored with the OOB
5291 		 * data. The stored value contains the right present
5292 		 * information. However it can only be trusted when
5293 		 * not in Secure Connection Only mode.
5294 		 */
5295 		if (!hci_dev_test_flag(hdev, HCI_SC_ONLY))
5296 			return data->present;
5297 
5298 		/* When Secure Connections Only mode is enabled, then
5299 		 * the P-256 values are required. If they are not
5300 		 * available, then do not declare that OOB data is
5301 		 * present.
5302 		 */
5303 		if (!crypto_memneq(data->rand256, ZERO_KEY, 16) ||
5304 		    !crypto_memneq(data->hash256, ZERO_KEY, 16))
5305 			return 0x00;
5306 
5307 		return 0x02;
5308 	}
5309 
5310 	/* When Secure Connections is not enabled or actually
5311 	 * not supported by the hardware, then check that if
5312 	 * P-192 data values are present.
5313 	 */
5314 	if (!crypto_memneq(data->rand192, ZERO_KEY, 16) ||
5315 	    !crypto_memneq(data->hash192, ZERO_KEY, 16))
5316 		return 0x00;
5317 
5318 	return 0x01;
5319 }
5320 
5321 static void hci_io_capa_request_evt(struct hci_dev *hdev, void *data,
5322 				    struct sk_buff *skb)
5323 {
5324 	struct hci_ev_io_capa_request *ev = data;
5325 	struct hci_conn *conn;
5326 
5327 	bt_dev_dbg(hdev, "");
5328 
5329 	hci_dev_lock(hdev);
5330 
5331 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5332 	if (!conn || !hci_conn_ssp_enabled(conn))
5333 		goto unlock;
5334 
5335 	hci_conn_hold(conn);
5336 
5337 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
5338 		goto unlock;
5339 
5340 	/* Allow pairing if we're pairable, the initiators of the
5341 	 * pairing or if the remote is not requesting bonding.
5342 	 */
5343 	if (hci_dev_test_flag(hdev, HCI_BONDABLE) ||
5344 	    test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
5345 	    (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
5346 		struct hci_cp_io_capability_reply cp;
5347 
5348 		bacpy(&cp.bdaddr, &ev->bdaddr);
5349 		/* Change the IO capability from KeyboardDisplay
5350 		 * to DisplayYesNo as it is not supported by BT spec. */
5351 		cp.capability = (conn->io_capability == 0x04) ?
5352 				HCI_IO_DISPLAY_YESNO : conn->io_capability;
5353 
5354 		/* If we are initiators, there is no remote information yet */
5355 		if (conn->remote_auth == 0xff) {
5356 			/* Request MITM protection if our IO caps allow it
5357 			 * except for the no-bonding case.
5358 			 */
5359 			if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
5360 			    conn->auth_type != HCI_AT_NO_BONDING)
5361 				conn->auth_type |= 0x01;
5362 		} else {
5363 			conn->auth_type = hci_get_auth_req(conn);
5364 		}
5365 
5366 		/* If we're not bondable, force one of the non-bondable
5367 		 * authentication requirement values.
5368 		 */
5369 		if (!hci_dev_test_flag(hdev, HCI_BONDABLE))
5370 			conn->auth_type &= HCI_AT_NO_BONDING_MITM;
5371 
5372 		cp.authentication = conn->auth_type;
5373 		cp.oob_data = bredr_oob_data_present(conn);
5374 
5375 		hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
5376 			     sizeof(cp), &cp);
5377 	} else {
5378 		struct hci_cp_io_capability_neg_reply cp;
5379 
5380 		bacpy(&cp.bdaddr, &ev->bdaddr);
5381 		cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
5382 
5383 		hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
5384 			     sizeof(cp), &cp);
5385 	}
5386 
5387 unlock:
5388 	hci_dev_unlock(hdev);
5389 }
5390 
5391 static void hci_io_capa_reply_evt(struct hci_dev *hdev, void *data,
5392 				  struct sk_buff *skb)
5393 {
5394 	struct hci_ev_io_capa_reply *ev = data;
5395 	struct hci_conn *conn;
5396 
5397 	bt_dev_dbg(hdev, "");
5398 
5399 	hci_dev_lock(hdev);
5400 
5401 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5402 	if (!conn)
5403 		goto unlock;
5404 
5405 	conn->remote_cap = ev->capability;
5406 	conn->remote_auth = ev->authentication;
5407 
5408 unlock:
5409 	hci_dev_unlock(hdev);
5410 }
5411 
5412 static void hci_user_confirm_request_evt(struct hci_dev *hdev, void *data,
5413 					 struct sk_buff *skb)
5414 {
5415 	struct hci_ev_user_confirm_req *ev = data;
5416 	int loc_mitm, rem_mitm, confirm_hint = 0;
5417 	struct hci_conn *conn;
5418 
5419 	bt_dev_dbg(hdev, "");
5420 
5421 	hci_dev_lock(hdev);
5422 
5423 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
5424 		goto unlock;
5425 
5426 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5427 	if (!conn)
5428 		goto unlock;
5429 
5430 	loc_mitm = (conn->auth_type & 0x01);
5431 	rem_mitm = (conn->remote_auth & 0x01);
5432 
5433 	/* If we require MITM but the remote device can't provide that
5434 	 * (it has NoInputNoOutput) then reject the confirmation
5435 	 * request. We check the security level here since it doesn't
5436 	 * necessarily match conn->auth_type.
5437 	 */
5438 	if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
5439 	    conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
5440 		bt_dev_dbg(hdev, "Rejecting request: remote device can't provide MITM");
5441 		hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
5442 			     sizeof(ev->bdaddr), &ev->bdaddr);
5443 		goto unlock;
5444 	}
5445 
5446 	/* If no side requires MITM protection; auto-accept */
5447 	if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
5448 	    (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
5449 
5450 		/* If we're not the initiators request authorization to
5451 		 * proceed from user space (mgmt_user_confirm with
5452 		 * confirm_hint set to 1). The exception is if neither
5453 		 * side had MITM or if the local IO capability is
5454 		 * NoInputNoOutput, in which case we do auto-accept
5455 		 */
5456 		if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
5457 		    conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
5458 		    (loc_mitm || rem_mitm)) {
5459 			bt_dev_dbg(hdev, "Confirming auto-accept as acceptor");
5460 			confirm_hint = 1;
5461 			goto confirm;
5462 		}
5463 
5464 		/* If there already exists link key in local host, leave the
5465 		 * decision to user space since the remote device could be
5466 		 * legitimate or malicious.
5467 		 */
5468 		if (hci_find_link_key(hdev, &ev->bdaddr)) {
5469 			bt_dev_dbg(hdev, "Local host already has link key");
5470 			confirm_hint = 1;
5471 			goto confirm;
5472 		}
5473 
5474 		BT_DBG("Auto-accept of user confirmation with %ums delay",
5475 		       hdev->auto_accept_delay);
5476 
5477 		if (hdev->auto_accept_delay > 0) {
5478 			int delay = msecs_to_jiffies(hdev->auto_accept_delay);
5479 			queue_delayed_work(conn->hdev->workqueue,
5480 					   &conn->auto_accept_work, delay);
5481 			goto unlock;
5482 		}
5483 
5484 		hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
5485 			     sizeof(ev->bdaddr), &ev->bdaddr);
5486 		goto unlock;
5487 	}
5488 
5489 confirm:
5490 	mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
5491 				  le32_to_cpu(ev->passkey), confirm_hint);
5492 
5493 unlock:
5494 	hci_dev_unlock(hdev);
5495 }
5496 
5497 static void hci_user_passkey_request_evt(struct hci_dev *hdev, void *data,
5498 					 struct sk_buff *skb)
5499 {
5500 	struct hci_ev_user_passkey_req *ev = data;
5501 
5502 	bt_dev_dbg(hdev, "");
5503 
5504 	if (hci_dev_test_flag(hdev, HCI_MGMT))
5505 		mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
5506 }
5507 
5508 static void hci_user_passkey_notify_evt(struct hci_dev *hdev, void *data,
5509 					struct sk_buff *skb)
5510 {
5511 	struct hci_ev_user_passkey_notify *ev = data;
5512 	struct hci_conn *conn;
5513 
5514 	bt_dev_dbg(hdev, "");
5515 
5516 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5517 	if (!conn)
5518 		return;
5519 
5520 	conn->passkey_notify = __le32_to_cpu(ev->passkey);
5521 	conn->passkey_entered = 0;
5522 
5523 	if (hci_dev_test_flag(hdev, HCI_MGMT))
5524 		mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
5525 					 conn->dst_type, conn->passkey_notify,
5526 					 conn->passkey_entered);
5527 }
5528 
5529 static void hci_keypress_notify_evt(struct hci_dev *hdev, void *data,
5530 				    struct sk_buff *skb)
5531 {
5532 	struct hci_ev_keypress_notify *ev = data;
5533 	struct hci_conn *conn;
5534 
5535 	bt_dev_dbg(hdev, "");
5536 
5537 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5538 	if (!conn)
5539 		return;
5540 
5541 	switch (ev->type) {
5542 	case HCI_KEYPRESS_STARTED:
5543 		conn->passkey_entered = 0;
5544 		return;
5545 
5546 	case HCI_KEYPRESS_ENTERED:
5547 		conn->passkey_entered++;
5548 		break;
5549 
5550 	case HCI_KEYPRESS_ERASED:
5551 		conn->passkey_entered--;
5552 		break;
5553 
5554 	case HCI_KEYPRESS_CLEARED:
5555 		conn->passkey_entered = 0;
5556 		break;
5557 
5558 	case HCI_KEYPRESS_COMPLETED:
5559 		return;
5560 	}
5561 
5562 	if (hci_dev_test_flag(hdev, HCI_MGMT))
5563 		mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
5564 					 conn->dst_type, conn->passkey_notify,
5565 					 conn->passkey_entered);
5566 }
5567 
5568 static void hci_simple_pair_complete_evt(struct hci_dev *hdev, void *data,
5569 					 struct sk_buff *skb)
5570 {
5571 	struct hci_ev_simple_pair_complete *ev = data;
5572 	struct hci_conn *conn;
5573 
5574 	bt_dev_dbg(hdev, "");
5575 
5576 	hci_dev_lock(hdev);
5577 
5578 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5579 	if (!conn || !hci_conn_ssp_enabled(conn))
5580 		goto unlock;
5581 
5582 	/* Reset the authentication requirement to unknown */
5583 	conn->remote_auth = 0xff;
5584 
5585 	/* To avoid duplicate auth_failed events to user space we check
5586 	 * the HCI_CONN_AUTH_PEND flag which will be set if we
5587 	 * initiated the authentication. A traditional auth_complete
5588 	 * event gets always produced as initiator and is also mapped to
5589 	 * the mgmt_auth_failed event */
5590 	if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
5591 		mgmt_auth_failed(conn, ev->status);
5592 
5593 	hci_conn_drop(conn);
5594 
5595 unlock:
5596 	hci_dev_unlock(hdev);
5597 }
5598 
5599 static void hci_remote_host_features_evt(struct hci_dev *hdev, void *data,
5600 					 struct sk_buff *skb)
5601 {
5602 	struct hci_ev_remote_host_features *ev = data;
5603 	struct inquiry_entry *ie;
5604 	struct hci_conn *conn;
5605 
5606 	bt_dev_dbg(hdev, "");
5607 
5608 	hci_dev_lock(hdev);
5609 
5610 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5611 	if (conn)
5612 		memcpy(conn->features[1], ev->features, 8);
5613 
5614 	ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
5615 	if (ie)
5616 		ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
5617 
5618 	hci_dev_unlock(hdev);
5619 }
5620 
5621 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev, void *edata,
5622 					    struct sk_buff *skb)
5623 {
5624 	struct hci_ev_remote_oob_data_request *ev = edata;
5625 	struct oob_data *data;
5626 
5627 	bt_dev_dbg(hdev, "");
5628 
5629 	hci_dev_lock(hdev);
5630 
5631 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
5632 		goto unlock;
5633 
5634 	data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
5635 	if (!data) {
5636 		struct hci_cp_remote_oob_data_neg_reply cp;
5637 
5638 		bacpy(&cp.bdaddr, &ev->bdaddr);
5639 		hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
5640 			     sizeof(cp), &cp);
5641 		goto unlock;
5642 	}
5643 
5644 	if (bredr_sc_enabled(hdev)) {
5645 		struct hci_cp_remote_oob_ext_data_reply cp;
5646 
5647 		bacpy(&cp.bdaddr, &ev->bdaddr);
5648 		if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
5649 			memset(cp.hash192, 0, sizeof(cp.hash192));
5650 			memset(cp.rand192, 0, sizeof(cp.rand192));
5651 		} else {
5652 			memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
5653 			memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
5654 		}
5655 		memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
5656 		memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
5657 
5658 		hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
5659 			     sizeof(cp), &cp);
5660 	} else {
5661 		struct hci_cp_remote_oob_data_reply cp;
5662 
5663 		bacpy(&cp.bdaddr, &ev->bdaddr);
5664 		memcpy(cp.hash, data->hash192, sizeof(cp.hash));
5665 		memcpy(cp.rand, data->rand192, sizeof(cp.rand));
5666 
5667 		hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
5668 			     sizeof(cp), &cp);
5669 	}
5670 
5671 unlock:
5672 	hci_dev_unlock(hdev);
5673 }
5674 
5675 #if IS_ENABLED(CONFIG_BT_HS)
5676 static void hci_chan_selected_evt(struct hci_dev *hdev, void *data,
5677 				  struct sk_buff *skb)
5678 {
5679 	struct hci_ev_channel_selected *ev = data;
5680 	struct hci_conn *hcon;
5681 
5682 	bt_dev_dbg(hdev, "handle 0x%2.2x", ev->phy_handle);
5683 
5684 	hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5685 	if (!hcon)
5686 		return;
5687 
5688 	amp_read_loc_assoc_final_data(hdev, hcon);
5689 }
5690 
5691 static void hci_phy_link_complete_evt(struct hci_dev *hdev, void *data,
5692 				      struct sk_buff *skb)
5693 {
5694 	struct hci_ev_phy_link_complete *ev = data;
5695 	struct hci_conn *hcon, *bredr_hcon;
5696 
5697 	bt_dev_dbg(hdev, "handle 0x%2.2x status 0x%2.2x", ev->phy_handle,
5698 		   ev->status);
5699 
5700 	hci_dev_lock(hdev);
5701 
5702 	hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5703 	if (!hcon)
5704 		goto unlock;
5705 
5706 	if (!hcon->amp_mgr)
5707 		goto unlock;
5708 
5709 	if (ev->status) {
5710 		hci_conn_del(hcon);
5711 		goto unlock;
5712 	}
5713 
5714 	bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
5715 
5716 	hcon->state = BT_CONNECTED;
5717 	bacpy(&hcon->dst, &bredr_hcon->dst);
5718 
5719 	hci_conn_hold(hcon);
5720 	hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
5721 	hci_conn_drop(hcon);
5722 
5723 	hci_debugfs_create_conn(hcon);
5724 	hci_conn_add_sysfs(hcon);
5725 
5726 	amp_physical_cfm(bredr_hcon, hcon);
5727 
5728 unlock:
5729 	hci_dev_unlock(hdev);
5730 }
5731 
5732 static void hci_loglink_complete_evt(struct hci_dev *hdev, void *data,
5733 				     struct sk_buff *skb)
5734 {
5735 	struct hci_ev_logical_link_complete *ev = data;
5736 	struct hci_conn *hcon;
5737 	struct hci_chan *hchan;
5738 	struct amp_mgr *mgr;
5739 
5740 	bt_dev_dbg(hdev, "log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
5741 		   le16_to_cpu(ev->handle), ev->phy_handle, ev->status);
5742 
5743 	hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5744 	if (!hcon)
5745 		return;
5746 
5747 	/* Create AMP hchan */
5748 	hchan = hci_chan_create(hcon);
5749 	if (!hchan)
5750 		return;
5751 
5752 	hchan->handle = le16_to_cpu(ev->handle);
5753 	hchan->amp = true;
5754 
5755 	BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
5756 
5757 	mgr = hcon->amp_mgr;
5758 	if (mgr && mgr->bredr_chan) {
5759 		struct l2cap_chan *bredr_chan = mgr->bredr_chan;
5760 
5761 		l2cap_chan_lock(bredr_chan);
5762 
5763 		bredr_chan->conn->mtu = hdev->block_mtu;
5764 		l2cap_logical_cfm(bredr_chan, hchan, 0);
5765 		hci_conn_hold(hcon);
5766 
5767 		l2cap_chan_unlock(bredr_chan);
5768 	}
5769 }
5770 
5771 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev, void *data,
5772 					     struct sk_buff *skb)
5773 {
5774 	struct hci_ev_disconn_logical_link_complete *ev = data;
5775 	struct hci_chan *hchan;
5776 
5777 	bt_dev_dbg(hdev, "handle 0x%4.4x status 0x%2.2x",
5778 		   le16_to_cpu(ev->handle), ev->status);
5779 
5780 	if (ev->status)
5781 		return;
5782 
5783 	hci_dev_lock(hdev);
5784 
5785 	hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
5786 	if (!hchan || !hchan->amp)
5787 		goto unlock;
5788 
5789 	amp_destroy_logical_link(hchan, ev->reason);
5790 
5791 unlock:
5792 	hci_dev_unlock(hdev);
5793 }
5794 
5795 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev, void *data,
5796 					     struct sk_buff *skb)
5797 {
5798 	struct hci_ev_disconn_phy_link_complete *ev = data;
5799 	struct hci_conn *hcon;
5800 
5801 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5802 
5803 	if (ev->status)
5804 		return;
5805 
5806 	hci_dev_lock(hdev);
5807 
5808 	hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5809 	if (hcon && hcon->type == AMP_LINK) {
5810 		hcon->state = BT_CLOSED;
5811 		hci_disconn_cfm(hcon, ev->reason);
5812 		hci_conn_del(hcon);
5813 	}
5814 
5815 	hci_dev_unlock(hdev);
5816 }
5817 #endif
5818 
5819 static void le_conn_update_addr(struct hci_conn *conn, bdaddr_t *bdaddr,
5820 				u8 bdaddr_type, bdaddr_t *local_rpa)
5821 {
5822 	if (conn->out) {
5823 		conn->dst_type = bdaddr_type;
5824 		conn->resp_addr_type = bdaddr_type;
5825 		bacpy(&conn->resp_addr, bdaddr);
5826 
5827 		/* Check if the controller has set a Local RPA then it must be
5828 		 * used instead or hdev->rpa.
5829 		 */
5830 		if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) {
5831 			conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5832 			bacpy(&conn->init_addr, local_rpa);
5833 		} else if (hci_dev_test_flag(conn->hdev, HCI_PRIVACY)) {
5834 			conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5835 			bacpy(&conn->init_addr, &conn->hdev->rpa);
5836 		} else {
5837 			hci_copy_identity_address(conn->hdev, &conn->init_addr,
5838 						  &conn->init_addr_type);
5839 		}
5840 	} else {
5841 		conn->resp_addr_type = conn->hdev->adv_addr_type;
5842 		/* Check if the controller has set a Local RPA then it must be
5843 		 * used instead or hdev->rpa.
5844 		 */
5845 		if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) {
5846 			conn->resp_addr_type = ADDR_LE_DEV_RANDOM;
5847 			bacpy(&conn->resp_addr, local_rpa);
5848 		} else if (conn->hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) {
5849 			/* In case of ext adv, resp_addr will be updated in
5850 			 * Adv Terminated event.
5851 			 */
5852 			if (!ext_adv_capable(conn->hdev))
5853 				bacpy(&conn->resp_addr,
5854 				      &conn->hdev->random_addr);
5855 		} else {
5856 			bacpy(&conn->resp_addr, &conn->hdev->bdaddr);
5857 		}
5858 
5859 		conn->init_addr_type = bdaddr_type;
5860 		bacpy(&conn->init_addr, bdaddr);
5861 
5862 		/* For incoming connections, set the default minimum
5863 		 * and maximum connection interval. They will be used
5864 		 * to check if the parameters are in range and if not
5865 		 * trigger the connection update procedure.
5866 		 */
5867 		conn->le_conn_min_interval = conn->hdev->le_conn_min_interval;
5868 		conn->le_conn_max_interval = conn->hdev->le_conn_max_interval;
5869 	}
5870 }
5871 
5872 static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
5873 				 bdaddr_t *bdaddr, u8 bdaddr_type,
5874 				 bdaddr_t *local_rpa, u8 role, u16 handle,
5875 				 u16 interval, u16 latency,
5876 				 u16 supervision_timeout)
5877 {
5878 	struct hci_conn_params *params;
5879 	struct hci_conn *conn;
5880 	struct smp_irk *irk;
5881 	u8 addr_type;
5882 
5883 	hci_dev_lock(hdev);
5884 
5885 	/* All controllers implicitly stop advertising in the event of a
5886 	 * connection, so ensure that the state bit is cleared.
5887 	 */
5888 	hci_dev_clear_flag(hdev, HCI_LE_ADV);
5889 
5890 	conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, bdaddr);
5891 	if (!conn) {
5892 		/* In case of error status and there is no connection pending
5893 		 * just unlock as there is nothing to cleanup.
5894 		 */
5895 		if (status)
5896 			goto unlock;
5897 
5898 		conn = hci_conn_add_unset(hdev, LE_LINK, bdaddr, role);
5899 		if (!conn) {
5900 			bt_dev_err(hdev, "no memory for new connection");
5901 			goto unlock;
5902 		}
5903 
5904 		conn->dst_type = bdaddr_type;
5905 
5906 		/* If we didn't have a hci_conn object previously
5907 		 * but we're in central role this must be something
5908 		 * initiated using an accept list. Since accept list based
5909 		 * connections are not "first class citizens" we don't
5910 		 * have full tracking of them. Therefore, we go ahead
5911 		 * with a "best effort" approach of determining the
5912 		 * initiator address based on the HCI_PRIVACY flag.
5913 		 */
5914 		if (conn->out) {
5915 			conn->resp_addr_type = bdaddr_type;
5916 			bacpy(&conn->resp_addr, bdaddr);
5917 			if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
5918 				conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5919 				bacpy(&conn->init_addr, &hdev->rpa);
5920 			} else {
5921 				hci_copy_identity_address(hdev,
5922 							  &conn->init_addr,
5923 							  &conn->init_addr_type);
5924 			}
5925 		}
5926 	} else {
5927 		cancel_delayed_work(&conn->le_conn_timeout);
5928 	}
5929 
5930 	/* The HCI_LE_Connection_Complete event is only sent once per connection.
5931 	 * Processing it more than once per connection can corrupt kernel memory.
5932 	 *
5933 	 * As the connection handle is set here for the first time, it indicates
5934 	 * whether the connection is already set up.
5935 	 */
5936 	if (!HCI_CONN_HANDLE_UNSET(conn->handle)) {
5937 		bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection");
5938 		goto unlock;
5939 	}
5940 
5941 	le_conn_update_addr(conn, bdaddr, bdaddr_type, local_rpa);
5942 
5943 	/* Lookup the identity address from the stored connection
5944 	 * address and address type.
5945 	 *
5946 	 * When establishing connections to an identity address, the
5947 	 * connection procedure will store the resolvable random
5948 	 * address first. Now if it can be converted back into the
5949 	 * identity address, start using the identity address from
5950 	 * now on.
5951 	 */
5952 	irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
5953 	if (irk) {
5954 		bacpy(&conn->dst, &irk->bdaddr);
5955 		conn->dst_type = irk->addr_type;
5956 	}
5957 
5958 	conn->dst_type = ev_bdaddr_type(hdev, conn->dst_type, NULL);
5959 
5960 	/* All connection failure handling is taken care of by the
5961 	 * hci_conn_failed function which is triggered by the HCI
5962 	 * request completion callbacks used for connecting.
5963 	 */
5964 	if (status || hci_conn_set_handle(conn, handle))
5965 		goto unlock;
5966 
5967 	/* Drop the connection if it has been aborted */
5968 	if (test_bit(HCI_CONN_CANCEL, &conn->flags)) {
5969 		hci_conn_drop(conn);
5970 		goto unlock;
5971 	}
5972 
5973 	if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
5974 		addr_type = BDADDR_LE_PUBLIC;
5975 	else
5976 		addr_type = BDADDR_LE_RANDOM;
5977 
5978 	/* Drop the connection if the device is blocked */
5979 	if (hci_bdaddr_list_lookup(&hdev->reject_list, &conn->dst, addr_type)) {
5980 		hci_conn_drop(conn);
5981 		goto unlock;
5982 	}
5983 
5984 	if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
5985 		mgmt_device_connected(hdev, conn, NULL, 0);
5986 
5987 	conn->sec_level = BT_SECURITY_LOW;
5988 	conn->state = BT_CONFIG;
5989 
5990 	/* Store current advertising instance as connection advertising instance
5991 	 * when sotfware rotation is in use so it can be re-enabled when
5992 	 * disconnected.
5993 	 */
5994 	if (!ext_adv_capable(hdev))
5995 		conn->adv_instance = hdev->cur_adv_instance;
5996 
5997 	conn->le_conn_interval = interval;
5998 	conn->le_conn_latency = latency;
5999 	conn->le_supv_timeout = supervision_timeout;
6000 
6001 	hci_debugfs_create_conn(conn);
6002 	hci_conn_add_sysfs(conn);
6003 
6004 	/* The remote features procedure is defined for central
6005 	 * role only. So only in case of an initiated connection
6006 	 * request the remote features.
6007 	 *
6008 	 * If the local controller supports peripheral-initiated features
6009 	 * exchange, then requesting the remote features in peripheral
6010 	 * role is possible. Otherwise just transition into the
6011 	 * connected state without requesting the remote features.
6012 	 */
6013 	if (conn->out ||
6014 	    (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES)) {
6015 		struct hci_cp_le_read_remote_features cp;
6016 
6017 		cp.handle = __cpu_to_le16(conn->handle);
6018 
6019 		hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,
6020 			     sizeof(cp), &cp);
6021 
6022 		hci_conn_hold(conn);
6023 	} else {
6024 		conn->state = BT_CONNECTED;
6025 		hci_connect_cfm(conn, status);
6026 	}
6027 
6028 	params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
6029 					   conn->dst_type);
6030 	if (params) {
6031 		hci_pend_le_list_del_init(params);
6032 		if (params->conn) {
6033 			hci_conn_drop(params->conn);
6034 			hci_conn_put(params->conn);
6035 			params->conn = NULL;
6036 		}
6037 	}
6038 
6039 unlock:
6040 	hci_update_passive_scan(hdev);
6041 	hci_dev_unlock(hdev);
6042 }
6043 
6044 static void hci_le_conn_complete_evt(struct hci_dev *hdev, void *data,
6045 				     struct sk_buff *skb)
6046 {
6047 	struct hci_ev_le_conn_complete *ev = data;
6048 
6049 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6050 
6051 	le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
6052 			     NULL, ev->role, le16_to_cpu(ev->handle),
6053 			     le16_to_cpu(ev->interval),
6054 			     le16_to_cpu(ev->latency),
6055 			     le16_to_cpu(ev->supervision_timeout));
6056 }
6057 
6058 static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev, void *data,
6059 					 struct sk_buff *skb)
6060 {
6061 	struct hci_ev_le_enh_conn_complete *ev = data;
6062 
6063 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6064 
6065 	le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
6066 			     &ev->local_rpa, ev->role, le16_to_cpu(ev->handle),
6067 			     le16_to_cpu(ev->interval),
6068 			     le16_to_cpu(ev->latency),
6069 			     le16_to_cpu(ev->supervision_timeout));
6070 }
6071 
6072 static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, void *data,
6073 				    struct sk_buff *skb)
6074 {
6075 	struct hci_evt_le_ext_adv_set_term *ev = data;
6076 	struct hci_conn *conn;
6077 	struct adv_info *adv, *n;
6078 
6079 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6080 
6081 	/* The Bluetooth Core 5.3 specification clearly states that this event
6082 	 * shall not be sent when the Host disables the advertising set. So in
6083 	 * case of HCI_ERROR_CANCELLED_BY_HOST, just ignore the event.
6084 	 *
6085 	 * When the Host disables an advertising set, all cleanup is done via
6086 	 * its command callback and not needed to be duplicated here.
6087 	 */
6088 	if (ev->status == HCI_ERROR_CANCELLED_BY_HOST) {
6089 		bt_dev_warn_ratelimited(hdev, "Unexpected advertising set terminated event");
6090 		return;
6091 	}
6092 
6093 	hci_dev_lock(hdev);
6094 
6095 	adv = hci_find_adv_instance(hdev, ev->handle);
6096 
6097 	if (ev->status) {
6098 		if (!adv)
6099 			goto unlock;
6100 
6101 		/* Remove advertising as it has been terminated */
6102 		hci_remove_adv_instance(hdev, ev->handle);
6103 		mgmt_advertising_removed(NULL, hdev, ev->handle);
6104 
6105 		list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) {
6106 			if (adv->enabled)
6107 				goto unlock;
6108 		}
6109 
6110 		/* We are no longer advertising, clear HCI_LE_ADV */
6111 		hci_dev_clear_flag(hdev, HCI_LE_ADV);
6112 		goto unlock;
6113 	}
6114 
6115 	if (adv)
6116 		adv->enabled = false;
6117 
6118 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle));
6119 	if (conn) {
6120 		/* Store handle in the connection so the correct advertising
6121 		 * instance can be re-enabled when disconnected.
6122 		 */
6123 		conn->adv_instance = ev->handle;
6124 
6125 		if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM ||
6126 		    bacmp(&conn->resp_addr, BDADDR_ANY))
6127 			goto unlock;
6128 
6129 		if (!ev->handle) {
6130 			bacpy(&conn->resp_addr, &hdev->random_addr);
6131 			goto unlock;
6132 		}
6133 
6134 		if (adv)
6135 			bacpy(&conn->resp_addr, &adv->random_addr);
6136 	}
6137 
6138 unlock:
6139 	hci_dev_unlock(hdev);
6140 }
6141 
6142 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev, void *data,
6143 					    struct sk_buff *skb)
6144 {
6145 	struct hci_ev_le_conn_update_complete *ev = data;
6146 	struct hci_conn *conn;
6147 
6148 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6149 
6150 	if (ev->status)
6151 		return;
6152 
6153 	hci_dev_lock(hdev);
6154 
6155 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6156 	if (conn) {
6157 		conn->le_conn_interval = le16_to_cpu(ev->interval);
6158 		conn->le_conn_latency = le16_to_cpu(ev->latency);
6159 		conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
6160 	}
6161 
6162 	hci_dev_unlock(hdev);
6163 }
6164 
6165 /* This function requires the caller holds hdev->lock */
6166 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
6167 					      bdaddr_t *addr,
6168 					      u8 addr_type, bool addr_resolved,
6169 					      u8 adv_type)
6170 {
6171 	struct hci_conn *conn;
6172 	struct hci_conn_params *params;
6173 
6174 	/* If the event is not connectable don't proceed further */
6175 	if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
6176 		return NULL;
6177 
6178 	/* Ignore if the device is blocked or hdev is suspended */
6179 	if (hci_bdaddr_list_lookup(&hdev->reject_list, addr, addr_type) ||
6180 	    hdev->suspended)
6181 		return NULL;
6182 
6183 	/* Most controller will fail if we try to create new connections
6184 	 * while we have an existing one in peripheral role.
6185 	 */
6186 	if (hdev->conn_hash.le_num_peripheral > 0 &&
6187 	    (!test_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks) ||
6188 	     !(hdev->le_states[3] & 0x10)))
6189 		return NULL;
6190 
6191 	/* If we're not connectable only connect devices that we have in
6192 	 * our pend_le_conns list.
6193 	 */
6194 	params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr,
6195 					   addr_type);
6196 	if (!params)
6197 		return NULL;
6198 
6199 	if (!params->explicit_connect) {
6200 		switch (params->auto_connect) {
6201 		case HCI_AUTO_CONN_DIRECT:
6202 			/* Only devices advertising with ADV_DIRECT_IND are
6203 			 * triggering a connection attempt. This is allowing
6204 			 * incoming connections from peripheral devices.
6205 			 */
6206 			if (adv_type != LE_ADV_DIRECT_IND)
6207 				return NULL;
6208 			break;
6209 		case HCI_AUTO_CONN_ALWAYS:
6210 			/* Devices advertising with ADV_IND or ADV_DIRECT_IND
6211 			 * are triggering a connection attempt. This means
6212 			 * that incoming connections from peripheral device are
6213 			 * accepted and also outgoing connections to peripheral
6214 			 * devices are established when found.
6215 			 */
6216 			break;
6217 		default:
6218 			return NULL;
6219 		}
6220 	}
6221 
6222 	conn = hci_connect_le(hdev, addr, addr_type, addr_resolved,
6223 			      BT_SECURITY_LOW, hdev->def_le_autoconnect_timeout,
6224 			      HCI_ROLE_MASTER);
6225 	if (!IS_ERR(conn)) {
6226 		/* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
6227 		 * by higher layer that tried to connect, if no then
6228 		 * store the pointer since we don't really have any
6229 		 * other owner of the object besides the params that
6230 		 * triggered it. This way we can abort the connection if
6231 		 * the parameters get removed and keep the reference
6232 		 * count consistent once the connection is established.
6233 		 */
6234 
6235 		if (!params->explicit_connect)
6236 			params->conn = hci_conn_get(conn);
6237 
6238 		return conn;
6239 	}
6240 
6241 	switch (PTR_ERR(conn)) {
6242 	case -EBUSY:
6243 		/* If hci_connect() returns -EBUSY it means there is already
6244 		 * an LE connection attempt going on. Since controllers don't
6245 		 * support more than one connection attempt at the time, we
6246 		 * don't consider this an error case.
6247 		 */
6248 		break;
6249 	default:
6250 		BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
6251 		return NULL;
6252 	}
6253 
6254 	return NULL;
6255 }
6256 
6257 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
6258 			       u8 bdaddr_type, bdaddr_t *direct_addr,
6259 			       u8 direct_addr_type, s8 rssi, u8 *data, u8 len,
6260 			       bool ext_adv, bool ctl_time, u64 instant)
6261 {
6262 	struct discovery_state *d = &hdev->discovery;
6263 	struct smp_irk *irk;
6264 	struct hci_conn *conn;
6265 	bool match, bdaddr_resolved;
6266 	u32 flags;
6267 	u8 *ptr;
6268 
6269 	switch (type) {
6270 	case LE_ADV_IND:
6271 	case LE_ADV_DIRECT_IND:
6272 	case LE_ADV_SCAN_IND:
6273 	case LE_ADV_NONCONN_IND:
6274 	case LE_ADV_SCAN_RSP:
6275 		break;
6276 	default:
6277 		bt_dev_err_ratelimited(hdev, "unknown advertising packet "
6278 				       "type: 0x%02x", type);
6279 		return;
6280 	}
6281 
6282 	if (len > max_adv_len(hdev)) {
6283 		bt_dev_err_ratelimited(hdev,
6284 				       "adv larger than maximum supported");
6285 		return;
6286 	}
6287 
6288 	/* Find the end of the data in case the report contains padded zero
6289 	 * bytes at the end causing an invalid length value.
6290 	 *
6291 	 * When data is NULL, len is 0 so there is no need for extra ptr
6292 	 * check as 'ptr < data + 0' is already false in such case.
6293 	 */
6294 	for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) {
6295 		if (ptr + 1 + *ptr > data + len)
6296 			break;
6297 	}
6298 
6299 	/* Adjust for actual length. This handles the case when remote
6300 	 * device is advertising with incorrect data length.
6301 	 */
6302 	len = ptr - data;
6303 
6304 	/* If the direct address is present, then this report is from
6305 	 * a LE Direct Advertising Report event. In that case it is
6306 	 * important to see if the address is matching the local
6307 	 * controller address.
6308 	 */
6309 	if (!hci_dev_test_flag(hdev, HCI_MESH) && direct_addr) {
6310 		direct_addr_type = ev_bdaddr_type(hdev, direct_addr_type,
6311 						  &bdaddr_resolved);
6312 
6313 		/* Only resolvable random addresses are valid for these
6314 		 * kind of reports and others can be ignored.
6315 		 */
6316 		if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
6317 			return;
6318 
6319 		/* If the controller is not using resolvable random
6320 		 * addresses, then this report can be ignored.
6321 		 */
6322 		if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
6323 			return;
6324 
6325 		/* If the local IRK of the controller does not match
6326 		 * with the resolvable random address provided, then
6327 		 * this report can be ignored.
6328 		 */
6329 		if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
6330 			return;
6331 	}
6332 
6333 	/* Check if we need to convert to identity address */
6334 	irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
6335 	if (irk) {
6336 		bdaddr = &irk->bdaddr;
6337 		bdaddr_type = irk->addr_type;
6338 	}
6339 
6340 	bdaddr_type = ev_bdaddr_type(hdev, bdaddr_type, &bdaddr_resolved);
6341 
6342 	/* Check if we have been requested to connect to this device.
6343 	 *
6344 	 * direct_addr is set only for directed advertising reports (it is NULL
6345 	 * for advertising reports) and is already verified to be RPA above.
6346 	 */
6347 	conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, bdaddr_resolved,
6348 				     type);
6349 	if (!ext_adv && conn && type == LE_ADV_IND &&
6350 	    len <= max_adv_len(hdev)) {
6351 		/* Store report for later inclusion by
6352 		 * mgmt_device_connected
6353 		 */
6354 		memcpy(conn->le_adv_data, data, len);
6355 		conn->le_adv_data_len = len;
6356 	}
6357 
6358 	if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
6359 		flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
6360 	else
6361 		flags = 0;
6362 
6363 	/* All scan results should be sent up for Mesh systems */
6364 	if (hci_dev_test_flag(hdev, HCI_MESH)) {
6365 		mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6366 				  rssi, flags, data, len, NULL, 0, instant);
6367 		return;
6368 	}
6369 
6370 	/* Passive scanning shouldn't trigger any device found events,
6371 	 * except for devices marked as CONN_REPORT for which we do send
6372 	 * device found events, or advertisement monitoring requested.
6373 	 */
6374 	if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
6375 		if (type == LE_ADV_DIRECT_IND)
6376 			return;
6377 
6378 		if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
6379 					       bdaddr, bdaddr_type) &&
6380 		    idr_is_empty(&hdev->adv_monitors_idr))
6381 			return;
6382 
6383 		mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6384 				  rssi, flags, data, len, NULL, 0, 0);
6385 		return;
6386 	}
6387 
6388 	/* When receiving a scan response, then there is no way to
6389 	 * know if the remote device is connectable or not. However
6390 	 * since scan responses are merged with a previously seen
6391 	 * advertising report, the flags field from that report
6392 	 * will be used.
6393 	 *
6394 	 * In the unlikely case that a controller just sends a scan
6395 	 * response event that doesn't match the pending report, then
6396 	 * it is marked as a standalone SCAN_RSP.
6397 	 */
6398 	if (type == LE_ADV_SCAN_RSP)
6399 		flags = MGMT_DEV_FOUND_SCAN_RSP;
6400 
6401 	/* If there's nothing pending either store the data from this
6402 	 * event or send an immediate device found event if the data
6403 	 * should not be stored for later.
6404 	 */
6405 	if (!ext_adv &&	!has_pending_adv_report(hdev)) {
6406 		/* If the report will trigger a SCAN_REQ store it for
6407 		 * later merging.
6408 		 */
6409 		if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
6410 			store_pending_adv_report(hdev, bdaddr, bdaddr_type,
6411 						 rssi, flags, data, len);
6412 			return;
6413 		}
6414 
6415 		mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6416 				  rssi, flags, data, len, NULL, 0, 0);
6417 		return;
6418 	}
6419 
6420 	/* Check if the pending report is for the same device as the new one */
6421 	match = (!bacmp(bdaddr, &d->last_adv_addr) &&
6422 		 bdaddr_type == d->last_adv_addr_type);
6423 
6424 	/* If the pending data doesn't match this report or this isn't a
6425 	 * scan response (e.g. we got a duplicate ADV_IND) then force
6426 	 * sending of the pending data.
6427 	 */
6428 	if (type != LE_ADV_SCAN_RSP || !match) {
6429 		/* Send out whatever is in the cache, but skip duplicates */
6430 		if (!match)
6431 			mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
6432 					  d->last_adv_addr_type, NULL,
6433 					  d->last_adv_rssi, d->last_adv_flags,
6434 					  d->last_adv_data,
6435 					  d->last_adv_data_len, NULL, 0, 0);
6436 
6437 		/* If the new report will trigger a SCAN_REQ store it for
6438 		 * later merging.
6439 		 */
6440 		if (!ext_adv && (type == LE_ADV_IND ||
6441 				 type == LE_ADV_SCAN_IND)) {
6442 			store_pending_adv_report(hdev, bdaddr, bdaddr_type,
6443 						 rssi, flags, data, len);
6444 			return;
6445 		}
6446 
6447 		/* The advertising reports cannot be merged, so clear
6448 		 * the pending report and send out a device found event.
6449 		 */
6450 		clear_pending_adv_report(hdev);
6451 		mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6452 				  rssi, flags, data, len, NULL, 0, 0);
6453 		return;
6454 	}
6455 
6456 	/* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
6457 	 * the new event is a SCAN_RSP. We can therefore proceed with
6458 	 * sending a merged device found event.
6459 	 */
6460 	mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
6461 			  d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
6462 			  d->last_adv_data, d->last_adv_data_len, data, len, 0);
6463 	clear_pending_adv_report(hdev);
6464 }
6465 
6466 static void hci_le_adv_report_evt(struct hci_dev *hdev, void *data,
6467 				  struct sk_buff *skb)
6468 {
6469 	struct hci_ev_le_advertising_report *ev = data;
6470 	u64 instant = jiffies;
6471 
6472 	if (!ev->num)
6473 		return;
6474 
6475 	hci_dev_lock(hdev);
6476 
6477 	while (ev->num--) {
6478 		struct hci_ev_le_advertising_info *info;
6479 		s8 rssi;
6480 
6481 		info = hci_le_ev_skb_pull(hdev, skb,
6482 					  HCI_EV_LE_ADVERTISING_REPORT,
6483 					  sizeof(*info));
6484 		if (!info)
6485 			break;
6486 
6487 		if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_ADVERTISING_REPORT,
6488 					info->length + 1))
6489 			break;
6490 
6491 		if (info->length <= max_adv_len(hdev)) {
6492 			rssi = info->data[info->length];
6493 			process_adv_report(hdev, info->type, &info->bdaddr,
6494 					   info->bdaddr_type, NULL, 0, rssi,
6495 					   info->data, info->length, false,
6496 					   false, instant);
6497 		} else {
6498 			bt_dev_err(hdev, "Dropping invalid advertising data");
6499 		}
6500 	}
6501 
6502 	hci_dev_unlock(hdev);
6503 }
6504 
6505 static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type)
6506 {
6507 	if (evt_type & LE_EXT_ADV_LEGACY_PDU) {
6508 		switch (evt_type) {
6509 		case LE_LEGACY_ADV_IND:
6510 			return LE_ADV_IND;
6511 		case LE_LEGACY_ADV_DIRECT_IND:
6512 			return LE_ADV_DIRECT_IND;
6513 		case LE_LEGACY_ADV_SCAN_IND:
6514 			return LE_ADV_SCAN_IND;
6515 		case LE_LEGACY_NONCONN_IND:
6516 			return LE_ADV_NONCONN_IND;
6517 		case LE_LEGACY_SCAN_RSP_ADV:
6518 		case LE_LEGACY_SCAN_RSP_ADV_SCAN:
6519 			return LE_ADV_SCAN_RSP;
6520 		}
6521 
6522 		goto invalid;
6523 	}
6524 
6525 	if (evt_type & LE_EXT_ADV_CONN_IND) {
6526 		if (evt_type & LE_EXT_ADV_DIRECT_IND)
6527 			return LE_ADV_DIRECT_IND;
6528 
6529 		return LE_ADV_IND;
6530 	}
6531 
6532 	if (evt_type & LE_EXT_ADV_SCAN_RSP)
6533 		return LE_ADV_SCAN_RSP;
6534 
6535 	if (evt_type & LE_EXT_ADV_SCAN_IND)
6536 		return LE_ADV_SCAN_IND;
6537 
6538 	if (evt_type == LE_EXT_ADV_NON_CONN_IND ||
6539 	    evt_type & LE_EXT_ADV_DIRECT_IND)
6540 		return LE_ADV_NONCONN_IND;
6541 
6542 invalid:
6543 	bt_dev_err_ratelimited(hdev, "Unknown advertising packet type: 0x%02x",
6544 			       evt_type);
6545 
6546 	return LE_ADV_INVALID;
6547 }
6548 
6549 static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, void *data,
6550 				      struct sk_buff *skb)
6551 {
6552 	struct hci_ev_le_ext_adv_report *ev = data;
6553 	u64 instant = jiffies;
6554 
6555 	if (!ev->num)
6556 		return;
6557 
6558 	hci_dev_lock(hdev);
6559 
6560 	while (ev->num--) {
6561 		struct hci_ev_le_ext_adv_info *info;
6562 		u8 legacy_evt_type;
6563 		u16 evt_type;
6564 
6565 		info = hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT,
6566 					  sizeof(*info));
6567 		if (!info)
6568 			break;
6569 
6570 		if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT,
6571 					info->length))
6572 			break;
6573 
6574 		evt_type = __le16_to_cpu(info->type) & LE_EXT_ADV_EVT_TYPE_MASK;
6575 		legacy_evt_type = ext_evt_type_to_legacy(hdev, evt_type);
6576 		if (legacy_evt_type != LE_ADV_INVALID) {
6577 			process_adv_report(hdev, legacy_evt_type, &info->bdaddr,
6578 					   info->bdaddr_type, NULL, 0,
6579 					   info->rssi, info->data, info->length,
6580 					   !(evt_type & LE_EXT_ADV_LEGACY_PDU),
6581 					   false, instant);
6582 		}
6583 	}
6584 
6585 	hci_dev_unlock(hdev);
6586 }
6587 
6588 static int hci_le_pa_term_sync(struct hci_dev *hdev, __le16 handle)
6589 {
6590 	struct hci_cp_le_pa_term_sync cp;
6591 
6592 	memset(&cp, 0, sizeof(cp));
6593 	cp.handle = handle;
6594 
6595 	return hci_send_cmd(hdev, HCI_OP_LE_PA_TERM_SYNC, sizeof(cp), &cp);
6596 }
6597 
6598 static void hci_le_pa_sync_estabilished_evt(struct hci_dev *hdev, void *data,
6599 					    struct sk_buff *skb)
6600 {
6601 	struct hci_ev_le_pa_sync_established *ev = data;
6602 	int mask = hdev->link_mode;
6603 	__u8 flags = 0;
6604 	struct hci_conn *pa_sync;
6605 
6606 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6607 
6608 	hci_dev_lock(hdev);
6609 
6610 	hci_dev_clear_flag(hdev, HCI_PA_SYNC);
6611 
6612 	mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ISO_LINK, &flags);
6613 	if (!(mask & HCI_LM_ACCEPT)) {
6614 		hci_le_pa_term_sync(hdev, ev->handle);
6615 		goto unlock;
6616 	}
6617 
6618 	if (!(flags & HCI_PROTO_DEFER))
6619 		goto unlock;
6620 
6621 	if (ev->status) {
6622 		/* Add connection to indicate the failed PA sync event */
6623 		pa_sync = hci_conn_add_unset(hdev, ISO_LINK, BDADDR_ANY,
6624 					     HCI_ROLE_SLAVE);
6625 
6626 		if (!pa_sync)
6627 			goto unlock;
6628 
6629 		set_bit(HCI_CONN_PA_SYNC_FAILED, &pa_sync->flags);
6630 
6631 		/* Notify iso layer */
6632 		hci_connect_cfm(pa_sync, ev->status);
6633 	}
6634 
6635 unlock:
6636 	hci_dev_unlock(hdev);
6637 }
6638 
6639 static void hci_le_per_adv_report_evt(struct hci_dev *hdev, void *data,
6640 				      struct sk_buff *skb)
6641 {
6642 	struct hci_ev_le_per_adv_report *ev = data;
6643 	int mask = hdev->link_mode;
6644 	__u8 flags = 0;
6645 
6646 	bt_dev_dbg(hdev, "sync_handle 0x%4.4x", le16_to_cpu(ev->sync_handle));
6647 
6648 	hci_dev_lock(hdev);
6649 
6650 	mask |= hci_proto_connect_ind(hdev, BDADDR_ANY, ISO_LINK, &flags);
6651 	if (!(mask & HCI_LM_ACCEPT))
6652 		hci_le_pa_term_sync(hdev, ev->sync_handle);
6653 
6654 	hci_dev_unlock(hdev);
6655 }
6656 
6657 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev, void *data,
6658 					    struct sk_buff *skb)
6659 {
6660 	struct hci_ev_le_remote_feat_complete *ev = data;
6661 	struct hci_conn *conn;
6662 
6663 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6664 
6665 	hci_dev_lock(hdev);
6666 
6667 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6668 	if (conn) {
6669 		if (!ev->status)
6670 			memcpy(conn->features[0], ev->features, 8);
6671 
6672 		if (conn->state == BT_CONFIG) {
6673 			__u8 status;
6674 
6675 			/* If the local controller supports peripheral-initiated
6676 			 * features exchange, but the remote controller does
6677 			 * not, then it is possible that the error code 0x1a
6678 			 * for unsupported remote feature gets returned.
6679 			 *
6680 			 * In this specific case, allow the connection to
6681 			 * transition into connected state and mark it as
6682 			 * successful.
6683 			 */
6684 			if (!conn->out && ev->status == 0x1a &&
6685 			    (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES))
6686 				status = 0x00;
6687 			else
6688 				status = ev->status;
6689 
6690 			conn->state = BT_CONNECTED;
6691 			hci_connect_cfm(conn, status);
6692 			hci_conn_drop(conn);
6693 		}
6694 	}
6695 
6696 	hci_dev_unlock(hdev);
6697 }
6698 
6699 static void hci_le_ltk_request_evt(struct hci_dev *hdev, void *data,
6700 				   struct sk_buff *skb)
6701 {
6702 	struct hci_ev_le_ltk_req *ev = data;
6703 	struct hci_cp_le_ltk_reply cp;
6704 	struct hci_cp_le_ltk_neg_reply neg;
6705 	struct hci_conn *conn;
6706 	struct smp_ltk *ltk;
6707 
6708 	bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle));
6709 
6710 	hci_dev_lock(hdev);
6711 
6712 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6713 	if (conn == NULL)
6714 		goto not_found;
6715 
6716 	ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
6717 	if (!ltk)
6718 		goto not_found;
6719 
6720 	if (smp_ltk_is_sc(ltk)) {
6721 		/* With SC both EDiv and Rand are set to zero */
6722 		if (ev->ediv || ev->rand)
6723 			goto not_found;
6724 	} else {
6725 		/* For non-SC keys check that EDiv and Rand match */
6726 		if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
6727 			goto not_found;
6728 	}
6729 
6730 	memcpy(cp.ltk, ltk->val, ltk->enc_size);
6731 	memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
6732 	cp.handle = cpu_to_le16(conn->handle);
6733 
6734 	conn->pending_sec_level = smp_ltk_sec_level(ltk);
6735 
6736 	conn->enc_key_size = ltk->enc_size;
6737 
6738 	hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
6739 
6740 	/* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
6741 	 * temporary key used to encrypt a connection following
6742 	 * pairing. It is used during the Encrypted Session Setup to
6743 	 * distribute the keys. Later, security can be re-established
6744 	 * using a distributed LTK.
6745 	 */
6746 	if (ltk->type == SMP_STK) {
6747 		set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
6748 		list_del_rcu(&ltk->list);
6749 		kfree_rcu(ltk, rcu);
6750 	} else {
6751 		clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
6752 	}
6753 
6754 	hci_dev_unlock(hdev);
6755 
6756 	return;
6757 
6758 not_found:
6759 	neg.handle = ev->handle;
6760 	hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
6761 	hci_dev_unlock(hdev);
6762 }
6763 
6764 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
6765 				      u8 reason)
6766 {
6767 	struct hci_cp_le_conn_param_req_neg_reply cp;
6768 
6769 	cp.handle = cpu_to_le16(handle);
6770 	cp.reason = reason;
6771 
6772 	hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
6773 		     &cp);
6774 }
6775 
6776 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev, void *data,
6777 					     struct sk_buff *skb)
6778 {
6779 	struct hci_ev_le_remote_conn_param_req *ev = data;
6780 	struct hci_cp_le_conn_param_req_reply cp;
6781 	struct hci_conn *hcon;
6782 	u16 handle, min, max, latency, timeout;
6783 
6784 	bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle));
6785 
6786 	handle = le16_to_cpu(ev->handle);
6787 	min = le16_to_cpu(ev->interval_min);
6788 	max = le16_to_cpu(ev->interval_max);
6789 	latency = le16_to_cpu(ev->latency);
6790 	timeout = le16_to_cpu(ev->timeout);
6791 
6792 	hcon = hci_conn_hash_lookup_handle(hdev, handle);
6793 	if (!hcon || hcon->state != BT_CONNECTED)
6794 		return send_conn_param_neg_reply(hdev, handle,
6795 						 HCI_ERROR_UNKNOWN_CONN_ID);
6796 
6797 	if (hci_check_conn_params(min, max, latency, timeout))
6798 		return send_conn_param_neg_reply(hdev, handle,
6799 						 HCI_ERROR_INVALID_LL_PARAMS);
6800 
6801 	if (hcon->role == HCI_ROLE_MASTER) {
6802 		struct hci_conn_params *params;
6803 		u8 store_hint;
6804 
6805 		hci_dev_lock(hdev);
6806 
6807 		params = hci_conn_params_lookup(hdev, &hcon->dst,
6808 						hcon->dst_type);
6809 		if (params) {
6810 			params->conn_min_interval = min;
6811 			params->conn_max_interval = max;
6812 			params->conn_latency = latency;
6813 			params->supervision_timeout = timeout;
6814 			store_hint = 0x01;
6815 		} else {
6816 			store_hint = 0x00;
6817 		}
6818 
6819 		hci_dev_unlock(hdev);
6820 
6821 		mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
6822 				    store_hint, min, max, latency, timeout);
6823 	}
6824 
6825 	cp.handle = ev->handle;
6826 	cp.interval_min = ev->interval_min;
6827 	cp.interval_max = ev->interval_max;
6828 	cp.latency = ev->latency;
6829 	cp.timeout = ev->timeout;
6830 	cp.min_ce_len = 0;
6831 	cp.max_ce_len = 0;
6832 
6833 	hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
6834 }
6835 
6836 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev, void *data,
6837 					 struct sk_buff *skb)
6838 {
6839 	struct hci_ev_le_direct_adv_report *ev = data;
6840 	u64 instant = jiffies;
6841 	int i;
6842 
6843 	if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_DIRECT_ADV_REPORT,
6844 				flex_array_size(ev, info, ev->num)))
6845 		return;
6846 
6847 	if (!ev->num)
6848 		return;
6849 
6850 	hci_dev_lock(hdev);
6851 
6852 	for (i = 0; i < ev->num; i++) {
6853 		struct hci_ev_le_direct_adv_info *info = &ev->info[i];
6854 
6855 		process_adv_report(hdev, info->type, &info->bdaddr,
6856 				   info->bdaddr_type, &info->direct_addr,
6857 				   info->direct_addr_type, info->rssi, NULL, 0,
6858 				   false, false, instant);
6859 	}
6860 
6861 	hci_dev_unlock(hdev);
6862 }
6863 
6864 static void hci_le_phy_update_evt(struct hci_dev *hdev, void *data,
6865 				  struct sk_buff *skb)
6866 {
6867 	struct hci_ev_le_phy_update_complete *ev = data;
6868 	struct hci_conn *conn;
6869 
6870 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6871 
6872 	if (ev->status)
6873 		return;
6874 
6875 	hci_dev_lock(hdev);
6876 
6877 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6878 	if (!conn)
6879 		goto unlock;
6880 
6881 	conn->le_tx_phy = ev->tx_phy;
6882 	conn->le_rx_phy = ev->rx_phy;
6883 
6884 unlock:
6885 	hci_dev_unlock(hdev);
6886 }
6887 
6888 static void hci_le_cis_estabilished_evt(struct hci_dev *hdev, void *data,
6889 					struct sk_buff *skb)
6890 {
6891 	struct hci_evt_le_cis_established *ev = data;
6892 	struct hci_conn *conn;
6893 	struct bt_iso_qos *qos;
6894 	bool pending = false;
6895 	u16 handle = __le16_to_cpu(ev->handle);
6896 
6897 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6898 
6899 	hci_dev_lock(hdev);
6900 
6901 	conn = hci_conn_hash_lookup_handle(hdev, handle);
6902 	if (!conn) {
6903 		bt_dev_err(hdev,
6904 			   "Unable to find connection with handle 0x%4.4x",
6905 			   handle);
6906 		goto unlock;
6907 	}
6908 
6909 	if (conn->type != ISO_LINK) {
6910 		bt_dev_err(hdev,
6911 			   "Invalid connection link type handle 0x%4.4x",
6912 			   handle);
6913 		goto unlock;
6914 	}
6915 
6916 	qos = &conn->iso_qos;
6917 
6918 	pending = test_and_clear_bit(HCI_CONN_CREATE_CIS, &conn->flags);
6919 
6920 	/* Convert ISO Interval (1.25 ms slots) to SDU Interval (us) */
6921 	qos->ucast.in.interval = le16_to_cpu(ev->interval) * 1250;
6922 	qos->ucast.out.interval = qos->ucast.in.interval;
6923 
6924 	switch (conn->role) {
6925 	case HCI_ROLE_SLAVE:
6926 		/* Convert Transport Latency (us) to Latency (msec) */
6927 		qos->ucast.in.latency =
6928 			DIV_ROUND_CLOSEST(get_unaligned_le24(ev->c_latency),
6929 					  1000);
6930 		qos->ucast.out.latency =
6931 			DIV_ROUND_CLOSEST(get_unaligned_le24(ev->p_latency),
6932 					  1000);
6933 		qos->ucast.in.sdu = le16_to_cpu(ev->c_mtu);
6934 		qos->ucast.out.sdu = le16_to_cpu(ev->p_mtu);
6935 		qos->ucast.in.phy = ev->c_phy;
6936 		qos->ucast.out.phy = ev->p_phy;
6937 		break;
6938 	case HCI_ROLE_MASTER:
6939 		/* Convert Transport Latency (us) to Latency (msec) */
6940 		qos->ucast.out.latency =
6941 			DIV_ROUND_CLOSEST(get_unaligned_le24(ev->c_latency),
6942 					  1000);
6943 		qos->ucast.in.latency =
6944 			DIV_ROUND_CLOSEST(get_unaligned_le24(ev->p_latency),
6945 					  1000);
6946 		qos->ucast.out.sdu = le16_to_cpu(ev->c_mtu);
6947 		qos->ucast.in.sdu = le16_to_cpu(ev->p_mtu);
6948 		qos->ucast.out.phy = ev->c_phy;
6949 		qos->ucast.in.phy = ev->p_phy;
6950 		break;
6951 	}
6952 
6953 	if (!ev->status) {
6954 		conn->state = BT_CONNECTED;
6955 		hci_debugfs_create_conn(conn);
6956 		hci_conn_add_sysfs(conn);
6957 		hci_iso_setup_path(conn);
6958 		goto unlock;
6959 	}
6960 
6961 	conn->state = BT_CLOSED;
6962 	hci_connect_cfm(conn, ev->status);
6963 	hci_conn_del(conn);
6964 
6965 unlock:
6966 	if (pending)
6967 		hci_le_create_cis_pending(hdev);
6968 
6969 	hci_dev_unlock(hdev);
6970 }
6971 
6972 static void hci_le_reject_cis(struct hci_dev *hdev, __le16 handle)
6973 {
6974 	struct hci_cp_le_reject_cis cp;
6975 
6976 	memset(&cp, 0, sizeof(cp));
6977 	cp.handle = handle;
6978 	cp.reason = HCI_ERROR_REJ_BAD_ADDR;
6979 	hci_send_cmd(hdev, HCI_OP_LE_REJECT_CIS, sizeof(cp), &cp);
6980 }
6981 
6982 static void hci_le_accept_cis(struct hci_dev *hdev, __le16 handle)
6983 {
6984 	struct hci_cp_le_accept_cis cp;
6985 
6986 	memset(&cp, 0, sizeof(cp));
6987 	cp.handle = handle;
6988 	hci_send_cmd(hdev, HCI_OP_LE_ACCEPT_CIS, sizeof(cp), &cp);
6989 }
6990 
6991 static void hci_le_cis_req_evt(struct hci_dev *hdev, void *data,
6992 			       struct sk_buff *skb)
6993 {
6994 	struct hci_evt_le_cis_req *ev = data;
6995 	u16 acl_handle, cis_handle;
6996 	struct hci_conn *acl, *cis;
6997 	int mask;
6998 	__u8 flags = 0;
6999 
7000 	acl_handle = __le16_to_cpu(ev->acl_handle);
7001 	cis_handle = __le16_to_cpu(ev->cis_handle);
7002 
7003 	bt_dev_dbg(hdev, "acl 0x%4.4x handle 0x%4.4x cig 0x%2.2x cis 0x%2.2x",
7004 		   acl_handle, cis_handle, ev->cig_id, ev->cis_id);
7005 
7006 	hci_dev_lock(hdev);
7007 
7008 	acl = hci_conn_hash_lookup_handle(hdev, acl_handle);
7009 	if (!acl)
7010 		goto unlock;
7011 
7012 	mask = hci_proto_connect_ind(hdev, &acl->dst, ISO_LINK, &flags);
7013 	if (!(mask & HCI_LM_ACCEPT)) {
7014 		hci_le_reject_cis(hdev, ev->cis_handle);
7015 		goto unlock;
7016 	}
7017 
7018 	cis = hci_conn_hash_lookup_handle(hdev, cis_handle);
7019 	if (!cis) {
7020 		cis = hci_conn_add(hdev, ISO_LINK, &acl->dst, HCI_ROLE_SLAVE,
7021 				   cis_handle);
7022 		if (!cis) {
7023 			hci_le_reject_cis(hdev, ev->cis_handle);
7024 			goto unlock;
7025 		}
7026 	}
7027 
7028 	cis->iso_qos.ucast.cig = ev->cig_id;
7029 	cis->iso_qos.ucast.cis = ev->cis_id;
7030 
7031 	if (!(flags & HCI_PROTO_DEFER)) {
7032 		hci_le_accept_cis(hdev, ev->cis_handle);
7033 	} else {
7034 		cis->state = BT_CONNECT2;
7035 		hci_connect_cfm(cis, 0);
7036 	}
7037 
7038 unlock:
7039 	hci_dev_unlock(hdev);
7040 }
7041 
7042 static int hci_iso_term_big_sync(struct hci_dev *hdev, void *data)
7043 {
7044 	u8 handle = PTR_UINT(data);
7045 
7046 	return hci_le_terminate_big_sync(hdev, handle,
7047 					 HCI_ERROR_LOCAL_HOST_TERM);
7048 }
7049 
7050 static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data,
7051 					   struct sk_buff *skb)
7052 {
7053 	struct hci_evt_le_create_big_complete *ev = data;
7054 	struct hci_conn *conn;
7055 	__u8 i = 0;
7056 
7057 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
7058 
7059 	if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_CREATE_BIG_COMPLETE,
7060 				flex_array_size(ev, bis_handle, ev->num_bis)))
7061 		return;
7062 
7063 	hci_dev_lock(hdev);
7064 	rcu_read_lock();
7065 
7066 	/* Connect all BISes that are bound to the BIG */
7067 	list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) {
7068 		if (bacmp(&conn->dst, BDADDR_ANY) ||
7069 		    conn->type != ISO_LINK ||
7070 		    conn->iso_qos.bcast.big != ev->handle)
7071 			continue;
7072 
7073 		if (hci_conn_set_handle(conn,
7074 					__le16_to_cpu(ev->bis_handle[i++])))
7075 			continue;
7076 
7077 		if (!ev->status) {
7078 			conn->state = BT_CONNECTED;
7079 			set_bit(HCI_CONN_BIG_CREATED, &conn->flags);
7080 			rcu_read_unlock();
7081 			hci_debugfs_create_conn(conn);
7082 			hci_conn_add_sysfs(conn);
7083 			hci_iso_setup_path(conn);
7084 			rcu_read_lock();
7085 			continue;
7086 		}
7087 
7088 		hci_connect_cfm(conn, ev->status);
7089 		rcu_read_unlock();
7090 		hci_conn_del(conn);
7091 		rcu_read_lock();
7092 	}
7093 
7094 	rcu_read_unlock();
7095 
7096 	if (!ev->status && !i)
7097 		/* If no BISes have been connected for the BIG,
7098 		 * terminate. This is in case all bound connections
7099 		 * have been closed before the BIG creation
7100 		 * has completed.
7101 		 */
7102 		hci_cmd_sync_queue(hdev, hci_iso_term_big_sync,
7103 				   UINT_PTR(ev->handle), NULL);
7104 
7105 	hci_dev_unlock(hdev);
7106 }
7107 
7108 static void hci_le_big_sync_established_evt(struct hci_dev *hdev, void *data,
7109 					    struct sk_buff *skb)
7110 {
7111 	struct hci_evt_le_big_sync_estabilished *ev = data;
7112 	struct hci_conn *bis;
7113 	struct hci_conn *pa_sync;
7114 	int i;
7115 
7116 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
7117 
7118 	if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_BIG_SYNC_ESTABILISHED,
7119 				flex_array_size(ev, bis, ev->num_bis)))
7120 		return;
7121 
7122 	hci_dev_lock(hdev);
7123 
7124 	if (!ev->status) {
7125 		pa_sync = hci_conn_hash_lookup_pa_sync_big_handle(hdev, ev->handle);
7126 		if (pa_sync)
7127 			/* Also mark the BIG sync established event on the
7128 			 * associated PA sync hcon
7129 			 */
7130 			set_bit(HCI_CONN_BIG_SYNC, &pa_sync->flags);
7131 	}
7132 
7133 	for (i = 0; i < ev->num_bis; i++) {
7134 		u16 handle = le16_to_cpu(ev->bis[i]);
7135 		__le32 interval;
7136 
7137 		bis = hci_conn_hash_lookup_handle(hdev, handle);
7138 		if (!bis) {
7139 			bis = hci_conn_add(hdev, ISO_LINK, BDADDR_ANY,
7140 					   HCI_ROLE_SLAVE, handle);
7141 			if (!bis)
7142 				continue;
7143 		}
7144 
7145 		if (ev->status != 0x42)
7146 			/* Mark PA sync as established */
7147 			set_bit(HCI_CONN_PA_SYNC, &bis->flags);
7148 
7149 		bis->iso_qos.bcast.big = ev->handle;
7150 		memset(&interval, 0, sizeof(interval));
7151 		memcpy(&interval, ev->latency, sizeof(ev->latency));
7152 		bis->iso_qos.bcast.in.interval = le32_to_cpu(interval);
7153 		/* Convert ISO Interval (1.25 ms slots) to latency (ms) */
7154 		bis->iso_qos.bcast.in.latency = le16_to_cpu(ev->interval) * 125 / 100;
7155 		bis->iso_qos.bcast.in.sdu = le16_to_cpu(ev->max_pdu);
7156 
7157 		if (!ev->status) {
7158 			set_bit(HCI_CONN_BIG_SYNC, &bis->flags);
7159 			hci_iso_setup_path(bis);
7160 		}
7161 	}
7162 
7163 	/* In case BIG sync failed, notify each failed connection to
7164 	 * the user after all hci connections have been added
7165 	 */
7166 	if (ev->status)
7167 		for (i = 0; i < ev->num_bis; i++) {
7168 			u16 handle = le16_to_cpu(ev->bis[i]);
7169 
7170 			bis = hci_conn_hash_lookup_handle(hdev, handle);
7171 
7172 			set_bit(HCI_CONN_BIG_SYNC_FAILED, &bis->flags);
7173 			hci_connect_cfm(bis, ev->status);
7174 		}
7175 
7176 	hci_dev_unlock(hdev);
7177 }
7178 
7179 static void hci_le_big_info_adv_report_evt(struct hci_dev *hdev, void *data,
7180 					   struct sk_buff *skb)
7181 {
7182 	struct hci_evt_le_big_info_adv_report *ev = data;
7183 	int mask = hdev->link_mode;
7184 	__u8 flags = 0;
7185 	struct hci_conn *pa_sync;
7186 
7187 	bt_dev_dbg(hdev, "sync_handle 0x%4.4x", le16_to_cpu(ev->sync_handle));
7188 
7189 	hci_dev_lock(hdev);
7190 
7191 	mask |= hci_proto_connect_ind(hdev, BDADDR_ANY, ISO_LINK, &flags);
7192 	if (!(mask & HCI_LM_ACCEPT)) {
7193 		hci_le_pa_term_sync(hdev, ev->sync_handle);
7194 		goto unlock;
7195 	}
7196 
7197 	if (!(flags & HCI_PROTO_DEFER))
7198 		goto unlock;
7199 
7200 	pa_sync = hci_conn_hash_lookup_pa_sync_handle
7201 			(hdev,
7202 			le16_to_cpu(ev->sync_handle));
7203 
7204 	if (pa_sync)
7205 		goto unlock;
7206 
7207 	/* Add connection to indicate the PA sync event */
7208 	pa_sync = hci_conn_add_unset(hdev, ISO_LINK, BDADDR_ANY,
7209 				     HCI_ROLE_SLAVE);
7210 
7211 	if (!pa_sync)
7212 		goto unlock;
7213 
7214 	pa_sync->sync_handle = le16_to_cpu(ev->sync_handle);
7215 	set_bit(HCI_CONN_PA_SYNC, &pa_sync->flags);
7216 
7217 	/* Notify iso layer */
7218 	hci_connect_cfm(pa_sync, 0x00);
7219 
7220 unlock:
7221 	hci_dev_unlock(hdev);
7222 }
7223 
7224 #define HCI_LE_EV_VL(_op, _func, _min_len, _max_len) \
7225 [_op] = { \
7226 	.func = _func, \
7227 	.min_len = _min_len, \
7228 	.max_len = _max_len, \
7229 }
7230 
7231 #define HCI_LE_EV(_op, _func, _len) \
7232 	HCI_LE_EV_VL(_op, _func, _len, _len)
7233 
7234 #define HCI_LE_EV_STATUS(_op, _func) \
7235 	HCI_LE_EV(_op, _func, sizeof(struct hci_ev_status))
7236 
7237 /* Entries in this table shall have their position according to the subevent
7238  * opcode they handle so the use of the macros above is recommend since it does
7239  * attempt to initialize at its proper index using Designated Initializers that
7240  * way events without a callback function can be ommited.
7241  */
7242 static const struct hci_le_ev {
7243 	void (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb);
7244 	u16  min_len;
7245 	u16  max_len;
7246 } hci_le_ev_table[U8_MAX + 1] = {
7247 	/* [0x01 = HCI_EV_LE_CONN_COMPLETE] */
7248 	HCI_LE_EV(HCI_EV_LE_CONN_COMPLETE, hci_le_conn_complete_evt,
7249 		  sizeof(struct hci_ev_le_conn_complete)),
7250 	/* [0x02 = HCI_EV_LE_ADVERTISING_REPORT] */
7251 	HCI_LE_EV_VL(HCI_EV_LE_ADVERTISING_REPORT, hci_le_adv_report_evt,
7252 		     sizeof(struct hci_ev_le_advertising_report),
7253 		     HCI_MAX_EVENT_SIZE),
7254 	/* [0x03 = HCI_EV_LE_CONN_UPDATE_COMPLETE] */
7255 	HCI_LE_EV(HCI_EV_LE_CONN_UPDATE_COMPLETE,
7256 		  hci_le_conn_update_complete_evt,
7257 		  sizeof(struct hci_ev_le_conn_update_complete)),
7258 	/* [0x04 = HCI_EV_LE_REMOTE_FEAT_COMPLETE] */
7259 	HCI_LE_EV(HCI_EV_LE_REMOTE_FEAT_COMPLETE,
7260 		  hci_le_remote_feat_complete_evt,
7261 		  sizeof(struct hci_ev_le_remote_feat_complete)),
7262 	/* [0x05 = HCI_EV_LE_LTK_REQ] */
7263 	HCI_LE_EV(HCI_EV_LE_LTK_REQ, hci_le_ltk_request_evt,
7264 		  sizeof(struct hci_ev_le_ltk_req)),
7265 	/* [0x06 = HCI_EV_LE_REMOTE_CONN_PARAM_REQ] */
7266 	HCI_LE_EV(HCI_EV_LE_REMOTE_CONN_PARAM_REQ,
7267 		  hci_le_remote_conn_param_req_evt,
7268 		  sizeof(struct hci_ev_le_remote_conn_param_req)),
7269 	/* [0x0a = HCI_EV_LE_ENHANCED_CONN_COMPLETE] */
7270 	HCI_LE_EV(HCI_EV_LE_ENHANCED_CONN_COMPLETE,
7271 		  hci_le_enh_conn_complete_evt,
7272 		  sizeof(struct hci_ev_le_enh_conn_complete)),
7273 	/* [0x0b = HCI_EV_LE_DIRECT_ADV_REPORT] */
7274 	HCI_LE_EV_VL(HCI_EV_LE_DIRECT_ADV_REPORT, hci_le_direct_adv_report_evt,
7275 		     sizeof(struct hci_ev_le_direct_adv_report),
7276 		     HCI_MAX_EVENT_SIZE),
7277 	/* [0x0c = HCI_EV_LE_PHY_UPDATE_COMPLETE] */
7278 	HCI_LE_EV(HCI_EV_LE_PHY_UPDATE_COMPLETE, hci_le_phy_update_evt,
7279 		  sizeof(struct hci_ev_le_phy_update_complete)),
7280 	/* [0x0d = HCI_EV_LE_EXT_ADV_REPORT] */
7281 	HCI_LE_EV_VL(HCI_EV_LE_EXT_ADV_REPORT, hci_le_ext_adv_report_evt,
7282 		     sizeof(struct hci_ev_le_ext_adv_report),
7283 		     HCI_MAX_EVENT_SIZE),
7284 	/* [0x0e = HCI_EV_LE_PA_SYNC_ESTABLISHED] */
7285 	HCI_LE_EV(HCI_EV_LE_PA_SYNC_ESTABLISHED,
7286 		  hci_le_pa_sync_estabilished_evt,
7287 		  sizeof(struct hci_ev_le_pa_sync_established)),
7288 	/* [0x0f = HCI_EV_LE_PER_ADV_REPORT] */
7289 	HCI_LE_EV_VL(HCI_EV_LE_PER_ADV_REPORT,
7290 				 hci_le_per_adv_report_evt,
7291 				 sizeof(struct hci_ev_le_per_adv_report),
7292 				 HCI_MAX_EVENT_SIZE),
7293 	/* [0x12 = HCI_EV_LE_EXT_ADV_SET_TERM] */
7294 	HCI_LE_EV(HCI_EV_LE_EXT_ADV_SET_TERM, hci_le_ext_adv_term_evt,
7295 		  sizeof(struct hci_evt_le_ext_adv_set_term)),
7296 	/* [0x19 = HCI_EVT_LE_CIS_ESTABLISHED] */
7297 	HCI_LE_EV(HCI_EVT_LE_CIS_ESTABLISHED, hci_le_cis_estabilished_evt,
7298 		  sizeof(struct hci_evt_le_cis_established)),
7299 	/* [0x1a = HCI_EVT_LE_CIS_REQ] */
7300 	HCI_LE_EV(HCI_EVT_LE_CIS_REQ, hci_le_cis_req_evt,
7301 		  sizeof(struct hci_evt_le_cis_req)),
7302 	/* [0x1b = HCI_EVT_LE_CREATE_BIG_COMPLETE] */
7303 	HCI_LE_EV_VL(HCI_EVT_LE_CREATE_BIG_COMPLETE,
7304 		     hci_le_create_big_complete_evt,
7305 		     sizeof(struct hci_evt_le_create_big_complete),
7306 		     HCI_MAX_EVENT_SIZE),
7307 	/* [0x1d = HCI_EV_LE_BIG_SYNC_ESTABILISHED] */
7308 	HCI_LE_EV_VL(HCI_EVT_LE_BIG_SYNC_ESTABILISHED,
7309 		     hci_le_big_sync_established_evt,
7310 		     sizeof(struct hci_evt_le_big_sync_estabilished),
7311 		     HCI_MAX_EVENT_SIZE),
7312 	/* [0x22 = HCI_EVT_LE_BIG_INFO_ADV_REPORT] */
7313 	HCI_LE_EV_VL(HCI_EVT_LE_BIG_INFO_ADV_REPORT,
7314 		     hci_le_big_info_adv_report_evt,
7315 		     sizeof(struct hci_evt_le_big_info_adv_report),
7316 		     HCI_MAX_EVENT_SIZE),
7317 };
7318 
7319 static void hci_le_meta_evt(struct hci_dev *hdev, void *data,
7320 			    struct sk_buff *skb, u16 *opcode, u8 *status,
7321 			    hci_req_complete_t *req_complete,
7322 			    hci_req_complete_skb_t *req_complete_skb)
7323 {
7324 	struct hci_ev_le_meta *ev = data;
7325 	const struct hci_le_ev *subev;
7326 
7327 	bt_dev_dbg(hdev, "subevent 0x%2.2x", ev->subevent);
7328 
7329 	/* Only match event if command OGF is for LE */
7330 	if (hdev->sent_cmd &&
7331 	    hci_opcode_ogf(hci_skb_opcode(hdev->sent_cmd)) == 0x08 &&
7332 	    hci_skb_event(hdev->sent_cmd) == ev->subevent) {
7333 		*opcode = hci_skb_opcode(hdev->sent_cmd);
7334 		hci_req_cmd_complete(hdev, *opcode, 0x00, req_complete,
7335 				     req_complete_skb);
7336 	}
7337 
7338 	subev = &hci_le_ev_table[ev->subevent];
7339 	if (!subev->func)
7340 		return;
7341 
7342 	if (skb->len < subev->min_len) {
7343 		bt_dev_err(hdev, "unexpected subevent 0x%2.2x length: %u < %u",
7344 			   ev->subevent, skb->len, subev->min_len);
7345 		return;
7346 	}
7347 
7348 	/* Just warn if the length is over max_len size it still be
7349 	 * possible to partially parse the event so leave to callback to
7350 	 * decide if that is acceptable.
7351 	 */
7352 	if (skb->len > subev->max_len)
7353 		bt_dev_warn(hdev, "unexpected subevent 0x%2.2x length: %u > %u",
7354 			    ev->subevent, skb->len, subev->max_len);
7355 	data = hci_le_ev_skb_pull(hdev, skb, ev->subevent, subev->min_len);
7356 	if (!data)
7357 		return;
7358 
7359 	subev->func(hdev, data, skb);
7360 }
7361 
7362 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
7363 				 u8 event, struct sk_buff *skb)
7364 {
7365 	struct hci_ev_cmd_complete *ev;
7366 	struct hci_event_hdr *hdr;
7367 
7368 	if (!skb)
7369 		return false;
7370 
7371 	hdr = hci_ev_skb_pull(hdev, skb, event, sizeof(*hdr));
7372 	if (!hdr)
7373 		return false;
7374 
7375 	if (event) {
7376 		if (hdr->evt != event)
7377 			return false;
7378 		return true;
7379 	}
7380 
7381 	/* Check if request ended in Command Status - no way to retrieve
7382 	 * any extra parameters in this case.
7383 	 */
7384 	if (hdr->evt == HCI_EV_CMD_STATUS)
7385 		return false;
7386 
7387 	if (hdr->evt != HCI_EV_CMD_COMPLETE) {
7388 		bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)",
7389 			   hdr->evt);
7390 		return false;
7391 	}
7392 
7393 	ev = hci_cc_skb_pull(hdev, skb, opcode, sizeof(*ev));
7394 	if (!ev)
7395 		return false;
7396 
7397 	if (opcode != __le16_to_cpu(ev->opcode)) {
7398 		BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
7399 		       __le16_to_cpu(ev->opcode));
7400 		return false;
7401 	}
7402 
7403 	return true;
7404 }
7405 
7406 static void hci_store_wake_reason(struct hci_dev *hdev, u8 event,
7407 				  struct sk_buff *skb)
7408 {
7409 	struct hci_ev_le_advertising_info *adv;
7410 	struct hci_ev_le_direct_adv_info *direct_adv;
7411 	struct hci_ev_le_ext_adv_info *ext_adv;
7412 	const struct hci_ev_conn_complete *conn_complete = (void *)skb->data;
7413 	const struct hci_ev_conn_request *conn_request = (void *)skb->data;
7414 
7415 	hci_dev_lock(hdev);
7416 
7417 	/* If we are currently suspended and this is the first BT event seen,
7418 	 * save the wake reason associated with the event.
7419 	 */
7420 	if (!hdev->suspended || hdev->wake_reason)
7421 		goto unlock;
7422 
7423 	/* Default to remote wake. Values for wake_reason are documented in the
7424 	 * Bluez mgmt api docs.
7425 	 */
7426 	hdev->wake_reason = MGMT_WAKE_REASON_REMOTE_WAKE;
7427 
7428 	/* Once configured for remote wakeup, we should only wake up for
7429 	 * reconnections. It's useful to see which device is waking us up so
7430 	 * keep track of the bdaddr of the connection event that woke us up.
7431 	 */
7432 	if (event == HCI_EV_CONN_REQUEST) {
7433 		bacpy(&hdev->wake_addr, &conn_complete->bdaddr);
7434 		hdev->wake_addr_type = BDADDR_BREDR;
7435 	} else if (event == HCI_EV_CONN_COMPLETE) {
7436 		bacpy(&hdev->wake_addr, &conn_request->bdaddr);
7437 		hdev->wake_addr_type = BDADDR_BREDR;
7438 	} else if (event == HCI_EV_LE_META) {
7439 		struct hci_ev_le_meta *le_ev = (void *)skb->data;
7440 		u8 subevent = le_ev->subevent;
7441 		u8 *ptr = &skb->data[sizeof(*le_ev)];
7442 		u8 num_reports = *ptr;
7443 
7444 		if ((subevent == HCI_EV_LE_ADVERTISING_REPORT ||
7445 		     subevent == HCI_EV_LE_DIRECT_ADV_REPORT ||
7446 		     subevent == HCI_EV_LE_EXT_ADV_REPORT) &&
7447 		    num_reports) {
7448 			adv = (void *)(ptr + 1);
7449 			direct_adv = (void *)(ptr + 1);
7450 			ext_adv = (void *)(ptr + 1);
7451 
7452 			switch (subevent) {
7453 			case HCI_EV_LE_ADVERTISING_REPORT:
7454 				bacpy(&hdev->wake_addr, &adv->bdaddr);
7455 				hdev->wake_addr_type = adv->bdaddr_type;
7456 				break;
7457 			case HCI_EV_LE_DIRECT_ADV_REPORT:
7458 				bacpy(&hdev->wake_addr, &direct_adv->bdaddr);
7459 				hdev->wake_addr_type = direct_adv->bdaddr_type;
7460 				break;
7461 			case HCI_EV_LE_EXT_ADV_REPORT:
7462 				bacpy(&hdev->wake_addr, &ext_adv->bdaddr);
7463 				hdev->wake_addr_type = ext_adv->bdaddr_type;
7464 				break;
7465 			}
7466 		}
7467 	} else {
7468 		hdev->wake_reason = MGMT_WAKE_REASON_UNEXPECTED;
7469 	}
7470 
7471 unlock:
7472 	hci_dev_unlock(hdev);
7473 }
7474 
7475 #define HCI_EV_VL(_op, _func, _min_len, _max_len) \
7476 [_op] = { \
7477 	.req = false, \
7478 	.func = _func, \
7479 	.min_len = _min_len, \
7480 	.max_len = _max_len, \
7481 }
7482 
7483 #define HCI_EV(_op, _func, _len) \
7484 	HCI_EV_VL(_op, _func, _len, _len)
7485 
7486 #define HCI_EV_STATUS(_op, _func) \
7487 	HCI_EV(_op, _func, sizeof(struct hci_ev_status))
7488 
7489 #define HCI_EV_REQ_VL(_op, _func, _min_len, _max_len) \
7490 [_op] = { \
7491 	.req = true, \
7492 	.func_req = _func, \
7493 	.min_len = _min_len, \
7494 	.max_len = _max_len, \
7495 }
7496 
7497 #define HCI_EV_REQ(_op, _func, _len) \
7498 	HCI_EV_REQ_VL(_op, _func, _len, _len)
7499 
7500 /* Entries in this table shall have their position according to the event opcode
7501  * they handle so the use of the macros above is recommend since it does attempt
7502  * to initialize at its proper index using Designated Initializers that way
7503  * events without a callback function don't have entered.
7504  */
7505 static const struct hci_ev {
7506 	bool req;
7507 	union {
7508 		void (*func)(struct hci_dev *hdev, void *data,
7509 			     struct sk_buff *skb);
7510 		void (*func_req)(struct hci_dev *hdev, void *data,
7511 				 struct sk_buff *skb, u16 *opcode, u8 *status,
7512 				 hci_req_complete_t *req_complete,
7513 				 hci_req_complete_skb_t *req_complete_skb);
7514 	};
7515 	u16  min_len;
7516 	u16  max_len;
7517 } hci_ev_table[U8_MAX + 1] = {
7518 	/* [0x01 = HCI_EV_INQUIRY_COMPLETE] */
7519 	HCI_EV_STATUS(HCI_EV_INQUIRY_COMPLETE, hci_inquiry_complete_evt),
7520 	/* [0x02 = HCI_EV_INQUIRY_RESULT] */
7521 	HCI_EV_VL(HCI_EV_INQUIRY_RESULT, hci_inquiry_result_evt,
7522 		  sizeof(struct hci_ev_inquiry_result), HCI_MAX_EVENT_SIZE),
7523 	/* [0x03 = HCI_EV_CONN_COMPLETE] */
7524 	HCI_EV(HCI_EV_CONN_COMPLETE, hci_conn_complete_evt,
7525 	       sizeof(struct hci_ev_conn_complete)),
7526 	/* [0x04 = HCI_EV_CONN_REQUEST] */
7527 	HCI_EV(HCI_EV_CONN_REQUEST, hci_conn_request_evt,
7528 	       sizeof(struct hci_ev_conn_request)),
7529 	/* [0x05 = HCI_EV_DISCONN_COMPLETE] */
7530 	HCI_EV(HCI_EV_DISCONN_COMPLETE, hci_disconn_complete_evt,
7531 	       sizeof(struct hci_ev_disconn_complete)),
7532 	/* [0x06 = HCI_EV_AUTH_COMPLETE] */
7533 	HCI_EV(HCI_EV_AUTH_COMPLETE, hci_auth_complete_evt,
7534 	       sizeof(struct hci_ev_auth_complete)),
7535 	/* [0x07 = HCI_EV_REMOTE_NAME] */
7536 	HCI_EV(HCI_EV_REMOTE_NAME, hci_remote_name_evt,
7537 	       sizeof(struct hci_ev_remote_name)),
7538 	/* [0x08 = HCI_EV_ENCRYPT_CHANGE] */
7539 	HCI_EV(HCI_EV_ENCRYPT_CHANGE, hci_encrypt_change_evt,
7540 	       sizeof(struct hci_ev_encrypt_change)),
7541 	/* [0x09 = HCI_EV_CHANGE_LINK_KEY_COMPLETE] */
7542 	HCI_EV(HCI_EV_CHANGE_LINK_KEY_COMPLETE,
7543 	       hci_change_link_key_complete_evt,
7544 	       sizeof(struct hci_ev_change_link_key_complete)),
7545 	/* [0x0b = HCI_EV_REMOTE_FEATURES] */
7546 	HCI_EV(HCI_EV_REMOTE_FEATURES, hci_remote_features_evt,
7547 	       sizeof(struct hci_ev_remote_features)),
7548 	/* [0x0e = HCI_EV_CMD_COMPLETE] */
7549 	HCI_EV_REQ_VL(HCI_EV_CMD_COMPLETE, hci_cmd_complete_evt,
7550 		      sizeof(struct hci_ev_cmd_complete), HCI_MAX_EVENT_SIZE),
7551 	/* [0x0f = HCI_EV_CMD_STATUS] */
7552 	HCI_EV_REQ(HCI_EV_CMD_STATUS, hci_cmd_status_evt,
7553 		   sizeof(struct hci_ev_cmd_status)),
7554 	/* [0x10 = HCI_EV_CMD_STATUS] */
7555 	HCI_EV(HCI_EV_HARDWARE_ERROR, hci_hardware_error_evt,
7556 	       sizeof(struct hci_ev_hardware_error)),
7557 	/* [0x12 = HCI_EV_ROLE_CHANGE] */
7558 	HCI_EV(HCI_EV_ROLE_CHANGE, hci_role_change_evt,
7559 	       sizeof(struct hci_ev_role_change)),
7560 	/* [0x13 = HCI_EV_NUM_COMP_PKTS] */
7561 	HCI_EV_VL(HCI_EV_NUM_COMP_PKTS, hci_num_comp_pkts_evt,
7562 		  sizeof(struct hci_ev_num_comp_pkts), HCI_MAX_EVENT_SIZE),
7563 	/* [0x14 = HCI_EV_MODE_CHANGE] */
7564 	HCI_EV(HCI_EV_MODE_CHANGE, hci_mode_change_evt,
7565 	       sizeof(struct hci_ev_mode_change)),
7566 	/* [0x16 = HCI_EV_PIN_CODE_REQ] */
7567 	HCI_EV(HCI_EV_PIN_CODE_REQ, hci_pin_code_request_evt,
7568 	       sizeof(struct hci_ev_pin_code_req)),
7569 	/* [0x17 = HCI_EV_LINK_KEY_REQ] */
7570 	HCI_EV(HCI_EV_LINK_KEY_REQ, hci_link_key_request_evt,
7571 	       sizeof(struct hci_ev_link_key_req)),
7572 	/* [0x18 = HCI_EV_LINK_KEY_NOTIFY] */
7573 	HCI_EV(HCI_EV_LINK_KEY_NOTIFY, hci_link_key_notify_evt,
7574 	       sizeof(struct hci_ev_link_key_notify)),
7575 	/* [0x1c = HCI_EV_CLOCK_OFFSET] */
7576 	HCI_EV(HCI_EV_CLOCK_OFFSET, hci_clock_offset_evt,
7577 	       sizeof(struct hci_ev_clock_offset)),
7578 	/* [0x1d = HCI_EV_PKT_TYPE_CHANGE] */
7579 	HCI_EV(HCI_EV_PKT_TYPE_CHANGE, hci_pkt_type_change_evt,
7580 	       sizeof(struct hci_ev_pkt_type_change)),
7581 	/* [0x20 = HCI_EV_PSCAN_REP_MODE] */
7582 	HCI_EV(HCI_EV_PSCAN_REP_MODE, hci_pscan_rep_mode_evt,
7583 	       sizeof(struct hci_ev_pscan_rep_mode)),
7584 	/* [0x22 = HCI_EV_INQUIRY_RESULT_WITH_RSSI] */
7585 	HCI_EV_VL(HCI_EV_INQUIRY_RESULT_WITH_RSSI,
7586 		  hci_inquiry_result_with_rssi_evt,
7587 		  sizeof(struct hci_ev_inquiry_result_rssi),
7588 		  HCI_MAX_EVENT_SIZE),
7589 	/* [0x23 = HCI_EV_REMOTE_EXT_FEATURES] */
7590 	HCI_EV(HCI_EV_REMOTE_EXT_FEATURES, hci_remote_ext_features_evt,
7591 	       sizeof(struct hci_ev_remote_ext_features)),
7592 	/* [0x2c = HCI_EV_SYNC_CONN_COMPLETE] */
7593 	HCI_EV(HCI_EV_SYNC_CONN_COMPLETE, hci_sync_conn_complete_evt,
7594 	       sizeof(struct hci_ev_sync_conn_complete)),
7595 	/* [0x2d = HCI_EV_EXTENDED_INQUIRY_RESULT] */
7596 	HCI_EV_VL(HCI_EV_EXTENDED_INQUIRY_RESULT,
7597 		  hci_extended_inquiry_result_evt,
7598 		  sizeof(struct hci_ev_ext_inquiry_result), HCI_MAX_EVENT_SIZE),
7599 	/* [0x30 = HCI_EV_KEY_REFRESH_COMPLETE] */
7600 	HCI_EV(HCI_EV_KEY_REFRESH_COMPLETE, hci_key_refresh_complete_evt,
7601 	       sizeof(struct hci_ev_key_refresh_complete)),
7602 	/* [0x31 = HCI_EV_IO_CAPA_REQUEST] */
7603 	HCI_EV(HCI_EV_IO_CAPA_REQUEST, hci_io_capa_request_evt,
7604 	       sizeof(struct hci_ev_io_capa_request)),
7605 	/* [0x32 = HCI_EV_IO_CAPA_REPLY] */
7606 	HCI_EV(HCI_EV_IO_CAPA_REPLY, hci_io_capa_reply_evt,
7607 	       sizeof(struct hci_ev_io_capa_reply)),
7608 	/* [0x33 = HCI_EV_USER_CONFIRM_REQUEST] */
7609 	HCI_EV(HCI_EV_USER_CONFIRM_REQUEST, hci_user_confirm_request_evt,
7610 	       sizeof(struct hci_ev_user_confirm_req)),
7611 	/* [0x34 = HCI_EV_USER_PASSKEY_REQUEST] */
7612 	HCI_EV(HCI_EV_USER_PASSKEY_REQUEST, hci_user_passkey_request_evt,
7613 	       sizeof(struct hci_ev_user_passkey_req)),
7614 	/* [0x35 = HCI_EV_REMOTE_OOB_DATA_REQUEST] */
7615 	HCI_EV(HCI_EV_REMOTE_OOB_DATA_REQUEST, hci_remote_oob_data_request_evt,
7616 	       sizeof(struct hci_ev_remote_oob_data_request)),
7617 	/* [0x36 = HCI_EV_SIMPLE_PAIR_COMPLETE] */
7618 	HCI_EV(HCI_EV_SIMPLE_PAIR_COMPLETE, hci_simple_pair_complete_evt,
7619 	       sizeof(struct hci_ev_simple_pair_complete)),
7620 	/* [0x3b = HCI_EV_USER_PASSKEY_NOTIFY] */
7621 	HCI_EV(HCI_EV_USER_PASSKEY_NOTIFY, hci_user_passkey_notify_evt,
7622 	       sizeof(struct hci_ev_user_passkey_notify)),
7623 	/* [0x3c = HCI_EV_KEYPRESS_NOTIFY] */
7624 	HCI_EV(HCI_EV_KEYPRESS_NOTIFY, hci_keypress_notify_evt,
7625 	       sizeof(struct hci_ev_keypress_notify)),
7626 	/* [0x3d = HCI_EV_REMOTE_HOST_FEATURES] */
7627 	HCI_EV(HCI_EV_REMOTE_HOST_FEATURES, hci_remote_host_features_evt,
7628 	       sizeof(struct hci_ev_remote_host_features)),
7629 	/* [0x3e = HCI_EV_LE_META] */
7630 	HCI_EV_REQ_VL(HCI_EV_LE_META, hci_le_meta_evt,
7631 		      sizeof(struct hci_ev_le_meta), HCI_MAX_EVENT_SIZE),
7632 #if IS_ENABLED(CONFIG_BT_HS)
7633 	/* [0x40 = HCI_EV_PHY_LINK_COMPLETE] */
7634 	HCI_EV(HCI_EV_PHY_LINK_COMPLETE, hci_phy_link_complete_evt,
7635 	       sizeof(struct hci_ev_phy_link_complete)),
7636 	/* [0x41 = HCI_EV_CHANNEL_SELECTED] */
7637 	HCI_EV(HCI_EV_CHANNEL_SELECTED, hci_chan_selected_evt,
7638 	       sizeof(struct hci_ev_channel_selected)),
7639 	/* [0x42 = HCI_EV_DISCONN_PHY_LINK_COMPLETE] */
7640 	HCI_EV(HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE,
7641 	       hci_disconn_loglink_complete_evt,
7642 	       sizeof(struct hci_ev_disconn_logical_link_complete)),
7643 	/* [0x45 = HCI_EV_LOGICAL_LINK_COMPLETE] */
7644 	HCI_EV(HCI_EV_LOGICAL_LINK_COMPLETE, hci_loglink_complete_evt,
7645 	       sizeof(struct hci_ev_logical_link_complete)),
7646 	/* [0x46 = HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE] */
7647 	HCI_EV(HCI_EV_DISCONN_PHY_LINK_COMPLETE,
7648 	       hci_disconn_phylink_complete_evt,
7649 	       sizeof(struct hci_ev_disconn_phy_link_complete)),
7650 #endif
7651 	/* [0x48 = HCI_EV_NUM_COMP_BLOCKS] */
7652 	HCI_EV(HCI_EV_NUM_COMP_BLOCKS, hci_num_comp_blocks_evt,
7653 	       sizeof(struct hci_ev_num_comp_blocks)),
7654 	/* [0xff = HCI_EV_VENDOR] */
7655 	HCI_EV_VL(HCI_EV_VENDOR, msft_vendor_evt, 0, HCI_MAX_EVENT_SIZE),
7656 };
7657 
7658 static void hci_event_func(struct hci_dev *hdev, u8 event, struct sk_buff *skb,
7659 			   u16 *opcode, u8 *status,
7660 			   hci_req_complete_t *req_complete,
7661 			   hci_req_complete_skb_t *req_complete_skb)
7662 {
7663 	const struct hci_ev *ev = &hci_ev_table[event];
7664 	void *data;
7665 
7666 	if (!ev->func)
7667 		return;
7668 
7669 	if (skb->len < ev->min_len) {
7670 		bt_dev_err(hdev, "unexpected event 0x%2.2x length: %u < %u",
7671 			   event, skb->len, ev->min_len);
7672 		return;
7673 	}
7674 
7675 	/* Just warn if the length is over max_len size it still be
7676 	 * possible to partially parse the event so leave to callback to
7677 	 * decide if that is acceptable.
7678 	 */
7679 	if (skb->len > ev->max_len)
7680 		bt_dev_warn_ratelimited(hdev,
7681 					"unexpected event 0x%2.2x length: %u > %u",
7682 					event, skb->len, ev->max_len);
7683 
7684 	data = hci_ev_skb_pull(hdev, skb, event, ev->min_len);
7685 	if (!data)
7686 		return;
7687 
7688 	if (ev->req)
7689 		ev->func_req(hdev, data, skb, opcode, status, req_complete,
7690 			     req_complete_skb);
7691 	else
7692 		ev->func(hdev, data, skb);
7693 }
7694 
7695 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
7696 {
7697 	struct hci_event_hdr *hdr = (void *) skb->data;
7698 	hci_req_complete_t req_complete = NULL;
7699 	hci_req_complete_skb_t req_complete_skb = NULL;
7700 	struct sk_buff *orig_skb = NULL;
7701 	u8 status = 0, event, req_evt = 0;
7702 	u16 opcode = HCI_OP_NOP;
7703 
7704 	if (skb->len < sizeof(*hdr)) {
7705 		bt_dev_err(hdev, "Malformed HCI Event");
7706 		goto done;
7707 	}
7708 
7709 	kfree_skb(hdev->recv_event);
7710 	hdev->recv_event = skb_clone(skb, GFP_KERNEL);
7711 
7712 	event = hdr->evt;
7713 	if (!event) {
7714 		bt_dev_warn(hdev, "Received unexpected HCI Event 0x%2.2x",
7715 			    event);
7716 		goto done;
7717 	}
7718 
7719 	/* Only match event if command OGF is not for LE */
7720 	if (hdev->sent_cmd &&
7721 	    hci_opcode_ogf(hci_skb_opcode(hdev->sent_cmd)) != 0x08 &&
7722 	    hci_skb_event(hdev->sent_cmd) == event) {
7723 		hci_req_cmd_complete(hdev, hci_skb_opcode(hdev->sent_cmd),
7724 				     status, &req_complete, &req_complete_skb);
7725 		req_evt = event;
7726 	}
7727 
7728 	/* If it looks like we might end up having to call
7729 	 * req_complete_skb, store a pristine copy of the skb since the
7730 	 * various handlers may modify the original one through
7731 	 * skb_pull() calls, etc.
7732 	 */
7733 	if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
7734 	    event == HCI_EV_CMD_COMPLETE)
7735 		orig_skb = skb_clone(skb, GFP_KERNEL);
7736 
7737 	skb_pull(skb, HCI_EVENT_HDR_SIZE);
7738 
7739 	/* Store wake reason if we're suspended */
7740 	hci_store_wake_reason(hdev, event, skb);
7741 
7742 	bt_dev_dbg(hdev, "event 0x%2.2x", event);
7743 
7744 	hci_event_func(hdev, event, skb, &opcode, &status, &req_complete,
7745 		       &req_complete_skb);
7746 
7747 	if (req_complete) {
7748 		req_complete(hdev, status, opcode);
7749 	} else if (req_complete_skb) {
7750 		if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {
7751 			kfree_skb(orig_skb);
7752 			orig_skb = NULL;
7753 		}
7754 		req_complete_skb(hdev, status, opcode, orig_skb);
7755 	}
7756 
7757 done:
7758 	kfree_skb(orig_skb);
7759 	kfree_skb(skb);
7760 	hdev->stat.evt_rx++;
7761 }
7762