xref: /openbmc/linux/net/bluetooth/hci_event.c (revision 2f0f2441b4a10948e2ec042b48fef13680387f7c)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
4 
5    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6 
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License version 2 as
9    published by the Free Software Foundation;
10 
11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 
20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22    SOFTWARE IS DISCLAIMED.
23 */
24 
25 /* Bluetooth HCI event handling. */
26 
27 #include <asm/unaligned.h>
28 
29 #include <net/bluetooth/bluetooth.h>
30 #include <net/bluetooth/hci_core.h>
31 #include <net/bluetooth/mgmt.h>
32 
33 #include "hci_request.h"
34 #include "hci_debugfs.h"
35 #include "a2mp.h"
36 #include "amp.h"
37 #include "smp.h"
38 
39 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
40 		 "\x00\x00\x00\x00\x00\x00\x00\x00"
41 
42 /* Handle HCI Event packets */
43 
44 static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb)
45 {
46 	__u8 status = *((__u8 *) skb->data);
47 
48 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
49 
50 	if (status)
51 		return;
52 
53 	clear_bit(HCI_INQUIRY, &hdev->flags);
54 	smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
55 	wake_up_bit(&hdev->flags, HCI_INQUIRY);
56 
57 	hci_dev_lock(hdev);
58 	/* Set discovery state to stopped if we're not doing LE active
59 	 * scanning.
60 	 */
61 	if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
62 	    hdev->le_scan_type != LE_SCAN_ACTIVE)
63 		hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
64 	hci_dev_unlock(hdev);
65 
66 	hci_conn_check_pending(hdev);
67 }
68 
69 static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
70 {
71 	__u8 status = *((__u8 *) skb->data);
72 
73 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
74 
75 	if (status)
76 		return;
77 
78 	hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);
79 }
80 
81 static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
82 {
83 	__u8 status = *((__u8 *) skb->data);
84 
85 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
86 
87 	if (status)
88 		return;
89 
90 	hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);
91 
92 	hci_conn_check_pending(hdev);
93 }
94 
95 static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev,
96 					  struct sk_buff *skb)
97 {
98 	BT_DBG("%s", hdev->name);
99 }
100 
101 static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb)
102 {
103 	struct hci_rp_role_discovery *rp = (void *) skb->data;
104 	struct hci_conn *conn;
105 
106 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
107 
108 	if (rp->status)
109 		return;
110 
111 	hci_dev_lock(hdev);
112 
113 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
114 	if (conn)
115 		conn->role = rp->role;
116 
117 	hci_dev_unlock(hdev);
118 }
119 
120 static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
121 {
122 	struct hci_rp_read_link_policy *rp = (void *) skb->data;
123 	struct hci_conn *conn;
124 
125 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
126 
127 	if (rp->status)
128 		return;
129 
130 	hci_dev_lock(hdev);
131 
132 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
133 	if (conn)
134 		conn->link_policy = __le16_to_cpu(rp->policy);
135 
136 	hci_dev_unlock(hdev);
137 }
138 
139 static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
140 {
141 	struct hci_rp_write_link_policy *rp = (void *) skb->data;
142 	struct hci_conn *conn;
143 	void *sent;
144 
145 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
146 
147 	if (rp->status)
148 		return;
149 
150 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
151 	if (!sent)
152 		return;
153 
154 	hci_dev_lock(hdev);
155 
156 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
157 	if (conn)
158 		conn->link_policy = get_unaligned_le16(sent + 2);
159 
160 	hci_dev_unlock(hdev);
161 }
162 
163 static void hci_cc_read_def_link_policy(struct hci_dev *hdev,
164 					struct sk_buff *skb)
165 {
166 	struct hci_rp_read_def_link_policy *rp = (void *) skb->data;
167 
168 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
169 
170 	if (rp->status)
171 		return;
172 
173 	hdev->link_policy = __le16_to_cpu(rp->policy);
174 }
175 
176 static void hci_cc_write_def_link_policy(struct hci_dev *hdev,
177 					 struct sk_buff *skb)
178 {
179 	__u8 status = *((__u8 *) skb->data);
180 	void *sent;
181 
182 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
183 
184 	if (status)
185 		return;
186 
187 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
188 	if (!sent)
189 		return;
190 
191 	hdev->link_policy = get_unaligned_le16(sent);
192 }
193 
194 static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb)
195 {
196 	__u8 status = *((__u8 *) skb->data);
197 
198 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
199 
200 	clear_bit(HCI_RESET, &hdev->flags);
201 
202 	if (status)
203 		return;
204 
205 	/* Reset all non-persistent flags */
206 	hci_dev_clear_volatile_flags(hdev);
207 
208 	hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
209 
210 	hdev->inq_tx_power = HCI_TX_POWER_INVALID;
211 	hdev->adv_tx_power = HCI_TX_POWER_INVALID;
212 
213 	memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
214 	hdev->adv_data_len = 0;
215 
216 	memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
217 	hdev->scan_rsp_data_len = 0;
218 
219 	hdev->le_scan_type = LE_SCAN_PASSIVE;
220 
221 	hdev->ssp_debug_mode = 0;
222 
223 	hci_bdaddr_list_clear(&hdev->le_white_list);
224 	hci_bdaddr_list_clear(&hdev->le_resolv_list);
225 }
226 
227 static void hci_cc_read_stored_link_key(struct hci_dev *hdev,
228 					struct sk_buff *skb)
229 {
230 	struct hci_rp_read_stored_link_key *rp = (void *)skb->data;
231 	struct hci_cp_read_stored_link_key *sent;
232 
233 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
234 
235 	sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
236 	if (!sent)
237 		return;
238 
239 	if (!rp->status && sent->read_all == 0x01) {
240 		hdev->stored_max_keys = rp->max_keys;
241 		hdev->stored_num_keys = rp->num_keys;
242 	}
243 }
244 
245 static void hci_cc_delete_stored_link_key(struct hci_dev *hdev,
246 					  struct sk_buff *skb)
247 {
248 	struct hci_rp_delete_stored_link_key *rp = (void *)skb->data;
249 
250 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
251 
252 	if (rp->status)
253 		return;
254 
255 	if (rp->num_keys <= hdev->stored_num_keys)
256 		hdev->stored_num_keys -= rp->num_keys;
257 	else
258 		hdev->stored_num_keys = 0;
259 }
260 
261 static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb)
262 {
263 	__u8 status = *((__u8 *) skb->data);
264 	void *sent;
265 
266 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
267 
268 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
269 	if (!sent)
270 		return;
271 
272 	hci_dev_lock(hdev);
273 
274 	if (hci_dev_test_flag(hdev, HCI_MGMT))
275 		mgmt_set_local_name_complete(hdev, sent, status);
276 	else if (!status)
277 		memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
278 
279 	hci_dev_unlock(hdev);
280 }
281 
282 static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)
283 {
284 	struct hci_rp_read_local_name *rp = (void *) skb->data;
285 
286 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
287 
288 	if (rp->status)
289 		return;
290 
291 	if (hci_dev_test_flag(hdev, HCI_SETUP) ||
292 	    hci_dev_test_flag(hdev, HCI_CONFIG))
293 		memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
294 }
295 
296 static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb)
297 {
298 	__u8 status = *((__u8 *) skb->data);
299 	void *sent;
300 
301 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
302 
303 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
304 	if (!sent)
305 		return;
306 
307 	hci_dev_lock(hdev);
308 
309 	if (!status) {
310 		__u8 param = *((__u8 *) sent);
311 
312 		if (param == AUTH_ENABLED)
313 			set_bit(HCI_AUTH, &hdev->flags);
314 		else
315 			clear_bit(HCI_AUTH, &hdev->flags);
316 	}
317 
318 	if (hci_dev_test_flag(hdev, HCI_MGMT))
319 		mgmt_auth_enable_complete(hdev, status);
320 
321 	hci_dev_unlock(hdev);
322 }
323 
324 static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb)
325 {
326 	__u8 status = *((__u8 *) skb->data);
327 	__u8 param;
328 	void *sent;
329 
330 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
331 
332 	if (status)
333 		return;
334 
335 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
336 	if (!sent)
337 		return;
338 
339 	param = *((__u8 *) sent);
340 
341 	if (param)
342 		set_bit(HCI_ENCRYPT, &hdev->flags);
343 	else
344 		clear_bit(HCI_ENCRYPT, &hdev->flags);
345 }
346 
347 static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb)
348 {
349 	__u8 status = *((__u8 *) skb->data);
350 	__u8 param;
351 	void *sent;
352 
353 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
354 
355 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
356 	if (!sent)
357 		return;
358 
359 	param = *((__u8 *) sent);
360 
361 	hci_dev_lock(hdev);
362 
363 	if (status) {
364 		hdev->discov_timeout = 0;
365 		goto done;
366 	}
367 
368 	if (param & SCAN_INQUIRY)
369 		set_bit(HCI_ISCAN, &hdev->flags);
370 	else
371 		clear_bit(HCI_ISCAN, &hdev->flags);
372 
373 	if (param & SCAN_PAGE)
374 		set_bit(HCI_PSCAN, &hdev->flags);
375 	else
376 		clear_bit(HCI_PSCAN, &hdev->flags);
377 
378 done:
379 	hci_dev_unlock(hdev);
380 }
381 
382 static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
383 {
384 	struct hci_rp_read_class_of_dev *rp = (void *) skb->data;
385 
386 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
387 
388 	if (rp->status)
389 		return;
390 
391 	memcpy(hdev->dev_class, rp->dev_class, 3);
392 
393 	BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name,
394 	       hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]);
395 }
396 
397 static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
398 {
399 	__u8 status = *((__u8 *) skb->data);
400 	void *sent;
401 
402 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
403 
404 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
405 	if (!sent)
406 		return;
407 
408 	hci_dev_lock(hdev);
409 
410 	if (status == 0)
411 		memcpy(hdev->dev_class, sent, 3);
412 
413 	if (hci_dev_test_flag(hdev, HCI_MGMT))
414 		mgmt_set_class_of_dev_complete(hdev, sent, status);
415 
416 	hci_dev_unlock(hdev);
417 }
418 
419 static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb)
420 {
421 	struct hci_rp_read_voice_setting *rp = (void *) skb->data;
422 	__u16 setting;
423 
424 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
425 
426 	if (rp->status)
427 		return;
428 
429 	setting = __le16_to_cpu(rp->voice_setting);
430 
431 	if (hdev->voice_setting == setting)
432 		return;
433 
434 	hdev->voice_setting = setting;
435 
436 	BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
437 
438 	if (hdev->notify)
439 		hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
440 }
441 
442 static void hci_cc_write_voice_setting(struct hci_dev *hdev,
443 				       struct sk_buff *skb)
444 {
445 	__u8 status = *((__u8 *) skb->data);
446 	__u16 setting;
447 	void *sent;
448 
449 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
450 
451 	if (status)
452 		return;
453 
454 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
455 	if (!sent)
456 		return;
457 
458 	setting = get_unaligned_le16(sent);
459 
460 	if (hdev->voice_setting == setting)
461 		return;
462 
463 	hdev->voice_setting = setting;
464 
465 	BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
466 
467 	if (hdev->notify)
468 		hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
469 }
470 
471 static void hci_cc_read_num_supported_iac(struct hci_dev *hdev,
472 					  struct sk_buff *skb)
473 {
474 	struct hci_rp_read_num_supported_iac *rp = (void *) skb->data;
475 
476 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
477 
478 	if (rp->status)
479 		return;
480 
481 	hdev->num_iac = rp->num_iac;
482 
483 	BT_DBG("%s num iac %d", hdev->name, hdev->num_iac);
484 }
485 
486 static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
487 {
488 	__u8 status = *((__u8 *) skb->data);
489 	struct hci_cp_write_ssp_mode *sent;
490 
491 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
492 
493 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
494 	if (!sent)
495 		return;
496 
497 	hci_dev_lock(hdev);
498 
499 	if (!status) {
500 		if (sent->mode)
501 			hdev->features[1][0] |= LMP_HOST_SSP;
502 		else
503 			hdev->features[1][0] &= ~LMP_HOST_SSP;
504 	}
505 
506 	if (hci_dev_test_flag(hdev, HCI_MGMT))
507 		mgmt_ssp_enable_complete(hdev, sent->mode, status);
508 	else if (!status) {
509 		if (sent->mode)
510 			hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
511 		else
512 			hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
513 	}
514 
515 	hci_dev_unlock(hdev);
516 }
517 
518 static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb)
519 {
520 	u8 status = *((u8 *) skb->data);
521 	struct hci_cp_write_sc_support *sent;
522 
523 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
524 
525 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
526 	if (!sent)
527 		return;
528 
529 	hci_dev_lock(hdev);
530 
531 	if (!status) {
532 		if (sent->support)
533 			hdev->features[1][0] |= LMP_HOST_SC;
534 		else
535 			hdev->features[1][0] &= ~LMP_HOST_SC;
536 	}
537 
538 	if (!hci_dev_test_flag(hdev, HCI_MGMT) && !status) {
539 		if (sent->support)
540 			hci_dev_set_flag(hdev, HCI_SC_ENABLED);
541 		else
542 			hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
543 	}
544 
545 	hci_dev_unlock(hdev);
546 }
547 
548 static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb)
549 {
550 	struct hci_rp_read_local_version *rp = (void *) skb->data;
551 
552 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
553 
554 	if (rp->status)
555 		return;
556 
557 	if (hci_dev_test_flag(hdev, HCI_SETUP) ||
558 	    hci_dev_test_flag(hdev, HCI_CONFIG)) {
559 		hdev->hci_ver = rp->hci_ver;
560 		hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
561 		hdev->lmp_ver = rp->lmp_ver;
562 		hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
563 		hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
564 	}
565 }
566 
567 static void hci_cc_read_local_commands(struct hci_dev *hdev,
568 				       struct sk_buff *skb)
569 {
570 	struct hci_rp_read_local_commands *rp = (void *) skb->data;
571 
572 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
573 
574 	if (rp->status)
575 		return;
576 
577 	if (hci_dev_test_flag(hdev, HCI_SETUP) ||
578 	    hci_dev_test_flag(hdev, HCI_CONFIG))
579 		memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
580 }
581 
582 static void hci_cc_read_local_features(struct hci_dev *hdev,
583 				       struct sk_buff *skb)
584 {
585 	struct hci_rp_read_local_features *rp = (void *) skb->data;
586 
587 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
588 
589 	if (rp->status)
590 		return;
591 
592 	memcpy(hdev->features, rp->features, 8);
593 
594 	/* Adjust default settings according to features
595 	 * supported by device. */
596 
597 	if (hdev->features[0][0] & LMP_3SLOT)
598 		hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
599 
600 	if (hdev->features[0][0] & LMP_5SLOT)
601 		hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
602 
603 	if (hdev->features[0][1] & LMP_HV2) {
604 		hdev->pkt_type  |= (HCI_HV2);
605 		hdev->esco_type |= (ESCO_HV2);
606 	}
607 
608 	if (hdev->features[0][1] & LMP_HV3) {
609 		hdev->pkt_type  |= (HCI_HV3);
610 		hdev->esco_type |= (ESCO_HV3);
611 	}
612 
613 	if (lmp_esco_capable(hdev))
614 		hdev->esco_type |= (ESCO_EV3);
615 
616 	if (hdev->features[0][4] & LMP_EV4)
617 		hdev->esco_type |= (ESCO_EV4);
618 
619 	if (hdev->features[0][4] & LMP_EV5)
620 		hdev->esco_type |= (ESCO_EV5);
621 
622 	if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
623 		hdev->esco_type |= (ESCO_2EV3);
624 
625 	if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
626 		hdev->esco_type |= (ESCO_3EV3);
627 
628 	if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
629 		hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
630 }
631 
632 static void hci_cc_read_local_ext_features(struct hci_dev *hdev,
633 					   struct sk_buff *skb)
634 {
635 	struct hci_rp_read_local_ext_features *rp = (void *) skb->data;
636 
637 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
638 
639 	if (rp->status)
640 		return;
641 
642 	if (hdev->max_page < rp->max_page)
643 		hdev->max_page = rp->max_page;
644 
645 	if (rp->page < HCI_MAX_PAGES)
646 		memcpy(hdev->features[rp->page], rp->features, 8);
647 }
648 
649 static void hci_cc_read_flow_control_mode(struct hci_dev *hdev,
650 					  struct sk_buff *skb)
651 {
652 	struct hci_rp_read_flow_control_mode *rp = (void *) skb->data;
653 
654 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
655 
656 	if (rp->status)
657 		return;
658 
659 	hdev->flow_ctl_mode = rp->mode;
660 }
661 
662 static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)
663 {
664 	struct hci_rp_read_buffer_size *rp = (void *) skb->data;
665 
666 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
667 
668 	if (rp->status)
669 		return;
670 
671 	hdev->acl_mtu  = __le16_to_cpu(rp->acl_mtu);
672 	hdev->sco_mtu  = rp->sco_mtu;
673 	hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
674 	hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
675 
676 	if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
677 		hdev->sco_mtu  = 64;
678 		hdev->sco_pkts = 8;
679 	}
680 
681 	hdev->acl_cnt = hdev->acl_pkts;
682 	hdev->sco_cnt = hdev->sco_pkts;
683 
684 	BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
685 	       hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
686 }
687 
688 static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb)
689 {
690 	struct hci_rp_read_bd_addr *rp = (void *) skb->data;
691 
692 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
693 
694 	if (rp->status)
695 		return;
696 
697 	if (test_bit(HCI_INIT, &hdev->flags))
698 		bacpy(&hdev->bdaddr, &rp->bdaddr);
699 
700 	if (hci_dev_test_flag(hdev, HCI_SETUP))
701 		bacpy(&hdev->setup_addr, &rp->bdaddr);
702 }
703 
704 static void hci_cc_read_page_scan_activity(struct hci_dev *hdev,
705 					   struct sk_buff *skb)
706 {
707 	struct hci_rp_read_page_scan_activity *rp = (void *) skb->data;
708 
709 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
710 
711 	if (rp->status)
712 		return;
713 
714 	if (test_bit(HCI_INIT, &hdev->flags)) {
715 		hdev->page_scan_interval = __le16_to_cpu(rp->interval);
716 		hdev->page_scan_window = __le16_to_cpu(rp->window);
717 	}
718 }
719 
720 static void hci_cc_write_page_scan_activity(struct hci_dev *hdev,
721 					    struct sk_buff *skb)
722 {
723 	u8 status = *((u8 *) skb->data);
724 	struct hci_cp_write_page_scan_activity *sent;
725 
726 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
727 
728 	if (status)
729 		return;
730 
731 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
732 	if (!sent)
733 		return;
734 
735 	hdev->page_scan_interval = __le16_to_cpu(sent->interval);
736 	hdev->page_scan_window = __le16_to_cpu(sent->window);
737 }
738 
739 static void hci_cc_read_page_scan_type(struct hci_dev *hdev,
740 					   struct sk_buff *skb)
741 {
742 	struct hci_rp_read_page_scan_type *rp = (void *) skb->data;
743 
744 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
745 
746 	if (rp->status)
747 		return;
748 
749 	if (test_bit(HCI_INIT, &hdev->flags))
750 		hdev->page_scan_type = rp->type;
751 }
752 
753 static void hci_cc_write_page_scan_type(struct hci_dev *hdev,
754 					struct sk_buff *skb)
755 {
756 	u8 status = *((u8 *) skb->data);
757 	u8 *type;
758 
759 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
760 
761 	if (status)
762 		return;
763 
764 	type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
765 	if (type)
766 		hdev->page_scan_type = *type;
767 }
768 
769 static void hci_cc_read_data_block_size(struct hci_dev *hdev,
770 					struct sk_buff *skb)
771 {
772 	struct hci_rp_read_data_block_size *rp = (void *) skb->data;
773 
774 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
775 
776 	if (rp->status)
777 		return;
778 
779 	hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
780 	hdev->block_len = __le16_to_cpu(rp->block_len);
781 	hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
782 
783 	hdev->block_cnt = hdev->num_blocks;
784 
785 	BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
786 	       hdev->block_cnt, hdev->block_len);
787 }
788 
789 static void hci_cc_read_clock(struct hci_dev *hdev, struct sk_buff *skb)
790 {
791 	struct hci_rp_read_clock *rp = (void *) skb->data;
792 	struct hci_cp_read_clock *cp;
793 	struct hci_conn *conn;
794 
795 	BT_DBG("%s", hdev->name);
796 
797 	if (skb->len < sizeof(*rp))
798 		return;
799 
800 	if (rp->status)
801 		return;
802 
803 	hci_dev_lock(hdev);
804 
805 	cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
806 	if (!cp)
807 		goto unlock;
808 
809 	if (cp->which == 0x00) {
810 		hdev->clock = le32_to_cpu(rp->clock);
811 		goto unlock;
812 	}
813 
814 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
815 	if (conn) {
816 		conn->clock = le32_to_cpu(rp->clock);
817 		conn->clock_accuracy = le16_to_cpu(rp->accuracy);
818 	}
819 
820 unlock:
821 	hci_dev_unlock(hdev);
822 }
823 
824 static void hci_cc_read_local_amp_info(struct hci_dev *hdev,
825 				       struct sk_buff *skb)
826 {
827 	struct hci_rp_read_local_amp_info *rp = (void *) skb->data;
828 
829 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
830 
831 	if (rp->status)
832 		return;
833 
834 	hdev->amp_status = rp->amp_status;
835 	hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
836 	hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
837 	hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
838 	hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
839 	hdev->amp_type = rp->amp_type;
840 	hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
841 	hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
842 	hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
843 	hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
844 }
845 
846 static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev,
847 					 struct sk_buff *skb)
848 {
849 	struct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data;
850 
851 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
852 
853 	if (rp->status)
854 		return;
855 
856 	hdev->inq_tx_power = rp->tx_power;
857 }
858 
859 static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb)
860 {
861 	struct hci_rp_pin_code_reply *rp = (void *) skb->data;
862 	struct hci_cp_pin_code_reply *cp;
863 	struct hci_conn *conn;
864 
865 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
866 
867 	hci_dev_lock(hdev);
868 
869 	if (hci_dev_test_flag(hdev, HCI_MGMT))
870 		mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
871 
872 	if (rp->status)
873 		goto unlock;
874 
875 	cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
876 	if (!cp)
877 		goto unlock;
878 
879 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
880 	if (conn)
881 		conn->pin_length = cp->pin_len;
882 
883 unlock:
884 	hci_dev_unlock(hdev);
885 }
886 
887 static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)
888 {
889 	struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data;
890 
891 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
892 
893 	hci_dev_lock(hdev);
894 
895 	if (hci_dev_test_flag(hdev, HCI_MGMT))
896 		mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
897 						 rp->status);
898 
899 	hci_dev_unlock(hdev);
900 }
901 
902 static void hci_cc_le_read_buffer_size(struct hci_dev *hdev,
903 				       struct sk_buff *skb)
904 {
905 	struct hci_rp_le_read_buffer_size *rp = (void *) skb->data;
906 
907 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
908 
909 	if (rp->status)
910 		return;
911 
912 	hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
913 	hdev->le_pkts = rp->le_max_pkt;
914 
915 	hdev->le_cnt = hdev->le_pkts;
916 
917 	BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
918 }
919 
920 static void hci_cc_le_read_local_features(struct hci_dev *hdev,
921 					  struct sk_buff *skb)
922 {
923 	struct hci_rp_le_read_local_features *rp = (void *) skb->data;
924 
925 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
926 
927 	if (rp->status)
928 		return;
929 
930 	memcpy(hdev->le_features, rp->features, 8);
931 }
932 
933 static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev,
934 					struct sk_buff *skb)
935 {
936 	struct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data;
937 
938 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
939 
940 	if (rp->status)
941 		return;
942 
943 	hdev->adv_tx_power = rp->tx_power;
944 }
945 
946 static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb)
947 {
948 	struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
949 
950 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
951 
952 	hci_dev_lock(hdev);
953 
954 	if (hci_dev_test_flag(hdev, HCI_MGMT))
955 		mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
956 						 rp->status);
957 
958 	hci_dev_unlock(hdev);
959 }
960 
961 static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev,
962 					  struct sk_buff *skb)
963 {
964 	struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
965 
966 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
967 
968 	hci_dev_lock(hdev);
969 
970 	if (hci_dev_test_flag(hdev, HCI_MGMT))
971 		mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
972 						     ACL_LINK, 0, rp->status);
973 
974 	hci_dev_unlock(hdev);
975 }
976 
977 static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb)
978 {
979 	struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
980 
981 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
982 
983 	hci_dev_lock(hdev);
984 
985 	if (hci_dev_test_flag(hdev, HCI_MGMT))
986 		mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
987 						 0, rp->status);
988 
989 	hci_dev_unlock(hdev);
990 }
991 
992 static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev,
993 					  struct sk_buff *skb)
994 {
995 	struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
996 
997 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
998 
999 	hci_dev_lock(hdev);
1000 
1001 	if (hci_dev_test_flag(hdev, HCI_MGMT))
1002 		mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
1003 						     ACL_LINK, 0, rp->status);
1004 
1005 	hci_dev_unlock(hdev);
1006 }
1007 
1008 static void hci_cc_read_local_oob_data(struct hci_dev *hdev,
1009 				       struct sk_buff *skb)
1010 {
1011 	struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
1012 
1013 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1014 }
1015 
1016 static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev,
1017 					   struct sk_buff *skb)
1018 {
1019 	struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
1020 
1021 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1022 }
1023 
1024 static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb)
1025 {
1026 	__u8 status = *((__u8 *) skb->data);
1027 	bdaddr_t *sent;
1028 
1029 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1030 
1031 	if (status)
1032 		return;
1033 
1034 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1035 	if (!sent)
1036 		return;
1037 
1038 	hci_dev_lock(hdev);
1039 
1040 	bacpy(&hdev->random_addr, sent);
1041 
1042 	hci_dev_unlock(hdev);
1043 }
1044 
1045 static void hci_cc_le_set_default_phy(struct hci_dev *hdev, struct sk_buff *skb)
1046 {
1047 	__u8 status = *((__u8 *) skb->data);
1048 	struct hci_cp_le_set_default_phy *cp;
1049 
1050 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1051 
1052 	if (status)
1053 		return;
1054 
1055 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_DEFAULT_PHY);
1056 	if (!cp)
1057 		return;
1058 
1059 	hci_dev_lock(hdev);
1060 
1061 	hdev->le_tx_def_phys = cp->tx_phys;
1062 	hdev->le_rx_def_phys = cp->rx_phys;
1063 
1064 	hci_dev_unlock(hdev);
1065 }
1066 
1067 static void hci_cc_le_set_adv_set_random_addr(struct hci_dev *hdev,
1068                                               struct sk_buff *skb)
1069 {
1070 	__u8 status = *((__u8 *) skb->data);
1071 	struct hci_cp_le_set_adv_set_rand_addr *cp;
1072 	struct adv_info *adv_instance;
1073 
1074 	if (status)
1075 		return;
1076 
1077 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_SET_RAND_ADDR);
1078 	if (!cp)
1079 		return;
1080 
1081 	hci_dev_lock(hdev);
1082 
1083 	if (!hdev->cur_adv_instance) {
1084 		/* Store in hdev for instance 0 (Set adv and Directed advs) */
1085 		bacpy(&hdev->random_addr, &cp->bdaddr);
1086 	} else {
1087 		adv_instance = hci_find_adv_instance(hdev,
1088 						     hdev->cur_adv_instance);
1089 		if (adv_instance)
1090 			bacpy(&adv_instance->random_addr, &cp->bdaddr);
1091 	}
1092 
1093 	hci_dev_unlock(hdev);
1094 }
1095 
1096 static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb)
1097 {
1098 	__u8 *sent, status = *((__u8 *) skb->data);
1099 
1100 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1101 
1102 	if (status)
1103 		return;
1104 
1105 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1106 	if (!sent)
1107 		return;
1108 
1109 	hci_dev_lock(hdev);
1110 
1111 	/* If we're doing connection initiation as peripheral. Set a
1112 	 * timeout in case something goes wrong.
1113 	 */
1114 	if (*sent) {
1115 		struct hci_conn *conn;
1116 
1117 		hci_dev_set_flag(hdev, HCI_LE_ADV);
1118 
1119 		conn = hci_lookup_le_connect(hdev);
1120 		if (conn)
1121 			queue_delayed_work(hdev->workqueue,
1122 					   &conn->le_conn_timeout,
1123 					   conn->conn_timeout);
1124 	} else {
1125 		hci_dev_clear_flag(hdev, HCI_LE_ADV);
1126 	}
1127 
1128 	hci_dev_unlock(hdev);
1129 }
1130 
1131 static void hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev,
1132 					 struct sk_buff *skb)
1133 {
1134 	struct hci_cp_le_set_ext_adv_enable *cp;
1135 	__u8 status = *((__u8 *) skb->data);
1136 
1137 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1138 
1139 	if (status)
1140 		return;
1141 
1142 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE);
1143 	if (!cp)
1144 		return;
1145 
1146 	hci_dev_lock(hdev);
1147 
1148 	if (cp->enable) {
1149 		struct hci_conn *conn;
1150 
1151 		hci_dev_set_flag(hdev, HCI_LE_ADV);
1152 
1153 		conn = hci_lookup_le_connect(hdev);
1154 		if (conn)
1155 			queue_delayed_work(hdev->workqueue,
1156 					   &conn->le_conn_timeout,
1157 					   conn->conn_timeout);
1158 	} else {
1159 		hci_dev_clear_flag(hdev, HCI_LE_ADV);
1160 	}
1161 
1162 	hci_dev_unlock(hdev);
1163 }
1164 
1165 static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb)
1166 {
1167 	struct hci_cp_le_set_scan_param *cp;
1168 	__u8 status = *((__u8 *) skb->data);
1169 
1170 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1171 
1172 	if (status)
1173 		return;
1174 
1175 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1176 	if (!cp)
1177 		return;
1178 
1179 	hci_dev_lock(hdev);
1180 
1181 	hdev->le_scan_type = cp->type;
1182 
1183 	hci_dev_unlock(hdev);
1184 }
1185 
1186 static void hci_cc_le_set_ext_scan_param(struct hci_dev *hdev,
1187 					 struct sk_buff *skb)
1188 {
1189 	struct hci_cp_le_set_ext_scan_params *cp;
1190 	__u8 status = *((__u8 *) skb->data);
1191 	struct hci_cp_le_scan_phy_params *phy_param;
1192 
1193 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1194 
1195 	if (status)
1196 		return;
1197 
1198 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS);
1199 	if (!cp)
1200 		return;
1201 
1202 	phy_param = (void *)cp->data;
1203 
1204 	hci_dev_lock(hdev);
1205 
1206 	hdev->le_scan_type = phy_param->type;
1207 
1208 	hci_dev_unlock(hdev);
1209 }
1210 
1211 static bool has_pending_adv_report(struct hci_dev *hdev)
1212 {
1213 	struct discovery_state *d = &hdev->discovery;
1214 
1215 	return bacmp(&d->last_adv_addr, BDADDR_ANY);
1216 }
1217 
1218 static void clear_pending_adv_report(struct hci_dev *hdev)
1219 {
1220 	struct discovery_state *d = &hdev->discovery;
1221 
1222 	bacpy(&d->last_adv_addr, BDADDR_ANY);
1223 	d->last_adv_data_len = 0;
1224 }
1225 
1226 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1227 				     u8 bdaddr_type, s8 rssi, u32 flags,
1228 				     u8 *data, u8 len)
1229 {
1230 	struct discovery_state *d = &hdev->discovery;
1231 
1232 	bacpy(&d->last_adv_addr, bdaddr);
1233 	d->last_adv_addr_type = bdaddr_type;
1234 	d->last_adv_rssi = rssi;
1235 	d->last_adv_flags = flags;
1236 	memcpy(d->last_adv_data, data, len);
1237 	d->last_adv_data_len = len;
1238 }
1239 
1240 static void le_set_scan_enable_complete(struct hci_dev *hdev, u8 enable)
1241 {
1242 	hci_dev_lock(hdev);
1243 
1244 	switch (enable) {
1245 	case LE_SCAN_ENABLE:
1246 		hci_dev_set_flag(hdev, HCI_LE_SCAN);
1247 		if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1248 			clear_pending_adv_report(hdev);
1249 		break;
1250 
1251 	case LE_SCAN_DISABLE:
1252 		/* We do this here instead of when setting DISCOVERY_STOPPED
1253 		 * since the latter would potentially require waiting for
1254 		 * inquiry to stop too.
1255 		 */
1256 		if (has_pending_adv_report(hdev)) {
1257 			struct discovery_state *d = &hdev->discovery;
1258 
1259 			mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1260 					  d->last_adv_addr_type, NULL,
1261 					  d->last_adv_rssi, d->last_adv_flags,
1262 					  d->last_adv_data,
1263 					  d->last_adv_data_len, NULL, 0);
1264 		}
1265 
1266 		/* Cancel this timer so that we don't try to disable scanning
1267 		 * when it's already disabled.
1268 		 */
1269 		cancel_delayed_work(&hdev->le_scan_disable);
1270 
1271 		hci_dev_clear_flag(hdev, HCI_LE_SCAN);
1272 
1273 		/* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1274 		 * interrupted scanning due to a connect request. Mark
1275 		 * therefore discovery as stopped. If this was not
1276 		 * because of a connect request advertising might have
1277 		 * been disabled because of active scanning, so
1278 		 * re-enable it again if necessary.
1279 		 */
1280 		if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))
1281 			hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1282 		else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) &&
1283 			 hdev->discovery.state == DISCOVERY_FINDING)
1284 			hci_req_reenable_advertising(hdev);
1285 
1286 		break;
1287 
1288 	default:
1289 		bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d",
1290 			   enable);
1291 		break;
1292 	}
1293 
1294 	hci_dev_unlock(hdev);
1295 }
1296 
1297 static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
1298 				      struct sk_buff *skb)
1299 {
1300 	struct hci_cp_le_set_scan_enable *cp;
1301 	__u8 status = *((__u8 *) skb->data);
1302 
1303 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1304 
1305 	if (status)
1306 		return;
1307 
1308 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1309 	if (!cp)
1310 		return;
1311 
1312 	le_set_scan_enable_complete(hdev, cp->enable);
1313 }
1314 
1315 static void hci_cc_le_set_ext_scan_enable(struct hci_dev *hdev,
1316 				      struct sk_buff *skb)
1317 {
1318 	struct hci_cp_le_set_ext_scan_enable *cp;
1319 	__u8 status = *((__u8 *) skb->data);
1320 
1321 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1322 
1323 	if (status)
1324 		return;
1325 
1326 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_ENABLE);
1327 	if (!cp)
1328 		return;
1329 
1330 	le_set_scan_enable_complete(hdev, cp->enable);
1331 }
1332 
1333 static void hci_cc_le_read_num_adv_sets(struct hci_dev *hdev,
1334 				      struct sk_buff *skb)
1335 {
1336 	struct hci_rp_le_read_num_supported_adv_sets *rp = (void *) skb->data;
1337 
1338 	BT_DBG("%s status 0x%2.2x No of Adv sets %u", hdev->name, rp->status,
1339 	       rp->num_of_sets);
1340 
1341 	if (rp->status)
1342 		return;
1343 
1344 	hdev->le_num_of_adv_sets = rp->num_of_sets;
1345 }
1346 
1347 static void hci_cc_le_read_white_list_size(struct hci_dev *hdev,
1348 					   struct sk_buff *skb)
1349 {
1350 	struct hci_rp_le_read_white_list_size *rp = (void *) skb->data;
1351 
1352 	BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1353 
1354 	if (rp->status)
1355 		return;
1356 
1357 	hdev->le_white_list_size = rp->size;
1358 }
1359 
1360 static void hci_cc_le_clear_white_list(struct hci_dev *hdev,
1361 				       struct sk_buff *skb)
1362 {
1363 	__u8 status = *((__u8 *) skb->data);
1364 
1365 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1366 
1367 	if (status)
1368 		return;
1369 
1370 	hci_bdaddr_list_clear(&hdev->le_white_list);
1371 }
1372 
1373 static void hci_cc_le_add_to_white_list(struct hci_dev *hdev,
1374 					struct sk_buff *skb)
1375 {
1376 	struct hci_cp_le_add_to_white_list *sent;
1377 	__u8 status = *((__u8 *) skb->data);
1378 
1379 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1380 
1381 	if (status)
1382 		return;
1383 
1384 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_WHITE_LIST);
1385 	if (!sent)
1386 		return;
1387 
1388 	hci_bdaddr_list_add(&hdev->le_white_list, &sent->bdaddr,
1389 			   sent->bdaddr_type);
1390 }
1391 
1392 static void hci_cc_le_del_from_white_list(struct hci_dev *hdev,
1393 					  struct sk_buff *skb)
1394 {
1395 	struct hci_cp_le_del_from_white_list *sent;
1396 	__u8 status = *((__u8 *) skb->data);
1397 
1398 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1399 
1400 	if (status)
1401 		return;
1402 
1403 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_WHITE_LIST);
1404 	if (!sent)
1405 		return;
1406 
1407 	hci_bdaddr_list_del(&hdev->le_white_list, &sent->bdaddr,
1408 			    sent->bdaddr_type);
1409 }
1410 
1411 static void hci_cc_le_read_supported_states(struct hci_dev *hdev,
1412 					    struct sk_buff *skb)
1413 {
1414 	struct hci_rp_le_read_supported_states *rp = (void *) skb->data;
1415 
1416 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1417 
1418 	if (rp->status)
1419 		return;
1420 
1421 	memcpy(hdev->le_states, rp->le_states, 8);
1422 }
1423 
1424 static void hci_cc_le_read_def_data_len(struct hci_dev *hdev,
1425 					struct sk_buff *skb)
1426 {
1427 	struct hci_rp_le_read_def_data_len *rp = (void *) skb->data;
1428 
1429 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1430 
1431 	if (rp->status)
1432 		return;
1433 
1434 	hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
1435 	hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
1436 }
1437 
1438 static void hci_cc_le_write_def_data_len(struct hci_dev *hdev,
1439 					 struct sk_buff *skb)
1440 {
1441 	struct hci_cp_le_write_def_data_len *sent;
1442 	__u8 status = *((__u8 *) skb->data);
1443 
1444 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1445 
1446 	if (status)
1447 		return;
1448 
1449 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
1450 	if (!sent)
1451 		return;
1452 
1453 	hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
1454 	hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
1455 }
1456 
1457 static void hci_cc_le_add_to_resolv_list(struct hci_dev *hdev,
1458 					 struct sk_buff *skb)
1459 {
1460 	struct hci_cp_le_add_to_resolv_list *sent;
1461 	__u8 status = *((__u8 *) skb->data);
1462 
1463 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1464 
1465 	if (status)
1466 		return;
1467 
1468 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_RESOLV_LIST);
1469 	if (!sent)
1470 		return;
1471 
1472 	hci_bdaddr_list_add_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
1473 				sent->bdaddr_type, sent->peer_irk,
1474 				sent->local_irk);
1475 }
1476 
1477 static void hci_cc_le_del_from_resolv_list(struct hci_dev *hdev,
1478 					  struct sk_buff *skb)
1479 {
1480 	struct hci_cp_le_del_from_resolv_list *sent;
1481 	__u8 status = *((__u8 *) skb->data);
1482 
1483 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1484 
1485 	if (status)
1486 		return;
1487 
1488 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_RESOLV_LIST);
1489 	if (!sent)
1490 		return;
1491 
1492 	hci_bdaddr_list_del_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
1493 			    sent->bdaddr_type);
1494 }
1495 
1496 static void hci_cc_le_clear_resolv_list(struct hci_dev *hdev,
1497 				       struct sk_buff *skb)
1498 {
1499 	__u8 status = *((__u8 *) skb->data);
1500 
1501 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1502 
1503 	if (status)
1504 		return;
1505 
1506 	hci_bdaddr_list_clear(&hdev->le_resolv_list);
1507 }
1508 
1509 static void hci_cc_le_read_resolv_list_size(struct hci_dev *hdev,
1510 					   struct sk_buff *skb)
1511 {
1512 	struct hci_rp_le_read_resolv_list_size *rp = (void *) skb->data;
1513 
1514 	BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1515 
1516 	if (rp->status)
1517 		return;
1518 
1519 	hdev->le_resolv_list_size = rp->size;
1520 }
1521 
1522 static void hci_cc_le_set_addr_resolution_enable(struct hci_dev *hdev,
1523 						struct sk_buff *skb)
1524 {
1525 	__u8 *sent, status = *((__u8 *) skb->data);
1526 
1527 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1528 
1529 	if (status)
1530 		return;
1531 
1532 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE);
1533 	if (!sent)
1534 		return;
1535 
1536 	hci_dev_lock(hdev);
1537 
1538 	if (*sent)
1539 		hci_dev_set_flag(hdev, HCI_LL_RPA_RESOLUTION);
1540 	else
1541 		hci_dev_clear_flag(hdev, HCI_LL_RPA_RESOLUTION);
1542 
1543 	hci_dev_unlock(hdev);
1544 }
1545 
1546 static void hci_cc_le_read_max_data_len(struct hci_dev *hdev,
1547 					struct sk_buff *skb)
1548 {
1549 	struct hci_rp_le_read_max_data_len *rp = (void *) skb->data;
1550 
1551 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1552 
1553 	if (rp->status)
1554 		return;
1555 
1556 	hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
1557 	hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
1558 	hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
1559 	hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
1560 }
1561 
1562 static void hci_cc_write_le_host_supported(struct hci_dev *hdev,
1563 					   struct sk_buff *skb)
1564 {
1565 	struct hci_cp_write_le_host_supported *sent;
1566 	__u8 status = *((__u8 *) skb->data);
1567 
1568 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1569 
1570 	if (status)
1571 		return;
1572 
1573 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
1574 	if (!sent)
1575 		return;
1576 
1577 	hci_dev_lock(hdev);
1578 
1579 	if (sent->le) {
1580 		hdev->features[1][0] |= LMP_HOST_LE;
1581 		hci_dev_set_flag(hdev, HCI_LE_ENABLED);
1582 	} else {
1583 		hdev->features[1][0] &= ~LMP_HOST_LE;
1584 		hci_dev_clear_flag(hdev, HCI_LE_ENABLED);
1585 		hci_dev_clear_flag(hdev, HCI_ADVERTISING);
1586 	}
1587 
1588 	if (sent->simul)
1589 		hdev->features[1][0] |= LMP_HOST_LE_BREDR;
1590 	else
1591 		hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
1592 
1593 	hci_dev_unlock(hdev);
1594 }
1595 
1596 static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1597 {
1598 	struct hci_cp_le_set_adv_param *cp;
1599 	u8 status = *((u8 *) skb->data);
1600 
1601 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1602 
1603 	if (status)
1604 		return;
1605 
1606 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
1607 	if (!cp)
1608 		return;
1609 
1610 	hci_dev_lock(hdev);
1611 	hdev->adv_addr_type = cp->own_address_type;
1612 	hci_dev_unlock(hdev);
1613 }
1614 
1615 static void hci_cc_set_ext_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1616 {
1617 	struct hci_rp_le_set_ext_adv_params *rp = (void *) skb->data;
1618 	struct hci_cp_le_set_ext_adv_params *cp;
1619 	struct adv_info *adv_instance;
1620 
1621 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1622 
1623 	if (rp->status)
1624 		return;
1625 
1626 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS);
1627 	if (!cp)
1628 		return;
1629 
1630 	hci_dev_lock(hdev);
1631 	hdev->adv_addr_type = cp->own_addr_type;
1632 	if (!hdev->cur_adv_instance) {
1633 		/* Store in hdev for instance 0 */
1634 		hdev->adv_tx_power = rp->tx_power;
1635 	} else {
1636 		adv_instance = hci_find_adv_instance(hdev,
1637 						     hdev->cur_adv_instance);
1638 		if (adv_instance)
1639 			adv_instance->tx_power = rp->tx_power;
1640 	}
1641 	/* Update adv data as tx power is known now */
1642 	hci_req_update_adv_data(hdev, hdev->cur_adv_instance);
1643 	hci_dev_unlock(hdev);
1644 }
1645 
1646 static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb)
1647 {
1648 	struct hci_rp_read_rssi *rp = (void *) skb->data;
1649 	struct hci_conn *conn;
1650 
1651 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1652 
1653 	if (rp->status)
1654 		return;
1655 
1656 	hci_dev_lock(hdev);
1657 
1658 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1659 	if (conn)
1660 		conn->rssi = rp->rssi;
1661 
1662 	hci_dev_unlock(hdev);
1663 }
1664 
1665 static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb)
1666 {
1667 	struct hci_cp_read_tx_power *sent;
1668 	struct hci_rp_read_tx_power *rp = (void *) skb->data;
1669 	struct hci_conn *conn;
1670 
1671 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1672 
1673 	if (rp->status)
1674 		return;
1675 
1676 	sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
1677 	if (!sent)
1678 		return;
1679 
1680 	hci_dev_lock(hdev);
1681 
1682 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1683 	if (!conn)
1684 		goto unlock;
1685 
1686 	switch (sent->type) {
1687 	case 0x00:
1688 		conn->tx_power = rp->tx_power;
1689 		break;
1690 	case 0x01:
1691 		conn->max_tx_power = rp->tx_power;
1692 		break;
1693 	}
1694 
1695 unlock:
1696 	hci_dev_unlock(hdev);
1697 }
1698 
1699 static void hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, struct sk_buff *skb)
1700 {
1701 	u8 status = *((u8 *) skb->data);
1702 	u8 *mode;
1703 
1704 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1705 
1706 	if (status)
1707 		return;
1708 
1709 	mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);
1710 	if (mode)
1711 		hdev->ssp_debug_mode = *mode;
1712 }
1713 
1714 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
1715 {
1716 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1717 
1718 	if (status) {
1719 		hci_conn_check_pending(hdev);
1720 		return;
1721 	}
1722 
1723 	set_bit(HCI_INQUIRY, &hdev->flags);
1724 }
1725 
1726 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
1727 {
1728 	struct hci_cp_create_conn *cp;
1729 	struct hci_conn *conn;
1730 
1731 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1732 
1733 	cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
1734 	if (!cp)
1735 		return;
1736 
1737 	hci_dev_lock(hdev);
1738 
1739 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1740 
1741 	BT_DBG("%s bdaddr %pMR hcon %p", hdev->name, &cp->bdaddr, conn);
1742 
1743 	if (status) {
1744 		if (conn && conn->state == BT_CONNECT) {
1745 			if (status != 0x0c || conn->attempt > 2) {
1746 				conn->state = BT_CLOSED;
1747 				hci_connect_cfm(conn, status);
1748 				hci_conn_del(conn);
1749 			} else
1750 				conn->state = BT_CONNECT2;
1751 		}
1752 	} else {
1753 		if (!conn) {
1754 			conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr,
1755 					    HCI_ROLE_MASTER);
1756 			if (!conn)
1757 				bt_dev_err(hdev, "no memory for new connection");
1758 		}
1759 	}
1760 
1761 	hci_dev_unlock(hdev);
1762 }
1763 
1764 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
1765 {
1766 	struct hci_cp_add_sco *cp;
1767 	struct hci_conn *acl, *sco;
1768 	__u16 handle;
1769 
1770 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1771 
1772 	if (!status)
1773 		return;
1774 
1775 	cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
1776 	if (!cp)
1777 		return;
1778 
1779 	handle = __le16_to_cpu(cp->handle);
1780 
1781 	BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1782 
1783 	hci_dev_lock(hdev);
1784 
1785 	acl = hci_conn_hash_lookup_handle(hdev, handle);
1786 	if (acl) {
1787 		sco = acl->link;
1788 		if (sco) {
1789 			sco->state = BT_CLOSED;
1790 
1791 			hci_connect_cfm(sco, status);
1792 			hci_conn_del(sco);
1793 		}
1794 	}
1795 
1796 	hci_dev_unlock(hdev);
1797 }
1798 
1799 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
1800 {
1801 	struct hci_cp_auth_requested *cp;
1802 	struct hci_conn *conn;
1803 
1804 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1805 
1806 	if (!status)
1807 		return;
1808 
1809 	cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
1810 	if (!cp)
1811 		return;
1812 
1813 	hci_dev_lock(hdev);
1814 
1815 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1816 	if (conn) {
1817 		if (conn->state == BT_CONFIG) {
1818 			hci_connect_cfm(conn, status);
1819 			hci_conn_drop(conn);
1820 		}
1821 	}
1822 
1823 	hci_dev_unlock(hdev);
1824 }
1825 
1826 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
1827 {
1828 	struct hci_cp_set_conn_encrypt *cp;
1829 	struct hci_conn *conn;
1830 
1831 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1832 
1833 	if (!status)
1834 		return;
1835 
1836 	cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
1837 	if (!cp)
1838 		return;
1839 
1840 	hci_dev_lock(hdev);
1841 
1842 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1843 	if (conn) {
1844 		if (conn->state == BT_CONFIG) {
1845 			hci_connect_cfm(conn, status);
1846 			hci_conn_drop(conn);
1847 		}
1848 	}
1849 
1850 	hci_dev_unlock(hdev);
1851 }
1852 
1853 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
1854 				    struct hci_conn *conn)
1855 {
1856 	if (conn->state != BT_CONFIG || !conn->out)
1857 		return 0;
1858 
1859 	if (conn->pending_sec_level == BT_SECURITY_SDP)
1860 		return 0;
1861 
1862 	/* Only request authentication for SSP connections or non-SSP
1863 	 * devices with sec_level MEDIUM or HIGH or if MITM protection
1864 	 * is requested.
1865 	 */
1866 	if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
1867 	    conn->pending_sec_level != BT_SECURITY_FIPS &&
1868 	    conn->pending_sec_level != BT_SECURITY_HIGH &&
1869 	    conn->pending_sec_level != BT_SECURITY_MEDIUM)
1870 		return 0;
1871 
1872 	return 1;
1873 }
1874 
1875 static int hci_resolve_name(struct hci_dev *hdev,
1876 				   struct inquiry_entry *e)
1877 {
1878 	struct hci_cp_remote_name_req cp;
1879 
1880 	memset(&cp, 0, sizeof(cp));
1881 
1882 	bacpy(&cp.bdaddr, &e->data.bdaddr);
1883 	cp.pscan_rep_mode = e->data.pscan_rep_mode;
1884 	cp.pscan_mode = e->data.pscan_mode;
1885 	cp.clock_offset = e->data.clock_offset;
1886 
1887 	return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
1888 }
1889 
1890 static bool hci_resolve_next_name(struct hci_dev *hdev)
1891 {
1892 	struct discovery_state *discov = &hdev->discovery;
1893 	struct inquiry_entry *e;
1894 
1895 	if (list_empty(&discov->resolve))
1896 		return false;
1897 
1898 	e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
1899 	if (!e)
1900 		return false;
1901 
1902 	if (hci_resolve_name(hdev, e) == 0) {
1903 		e->name_state = NAME_PENDING;
1904 		return true;
1905 	}
1906 
1907 	return false;
1908 }
1909 
1910 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
1911 				   bdaddr_t *bdaddr, u8 *name, u8 name_len)
1912 {
1913 	struct discovery_state *discov = &hdev->discovery;
1914 	struct inquiry_entry *e;
1915 
1916 	/* Update the mgmt connected state if necessary. Be careful with
1917 	 * conn objects that exist but are not (yet) connected however.
1918 	 * Only those in BT_CONFIG or BT_CONNECTED states can be
1919 	 * considered connected.
1920 	 */
1921 	if (conn &&
1922 	    (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) &&
1923 	    !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
1924 		mgmt_device_connected(hdev, conn, 0, name, name_len);
1925 
1926 	if (discov->state == DISCOVERY_STOPPED)
1927 		return;
1928 
1929 	if (discov->state == DISCOVERY_STOPPING)
1930 		goto discov_complete;
1931 
1932 	if (discov->state != DISCOVERY_RESOLVING)
1933 		return;
1934 
1935 	e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
1936 	/* If the device was not found in a list of found devices names of which
1937 	 * are pending. there is no need to continue resolving a next name as it
1938 	 * will be done upon receiving another Remote Name Request Complete
1939 	 * Event */
1940 	if (!e)
1941 		return;
1942 
1943 	list_del(&e->list);
1944 	if (name) {
1945 		e->name_state = NAME_KNOWN;
1946 		mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,
1947 				 e->data.rssi, name, name_len);
1948 	} else {
1949 		e->name_state = NAME_NOT_KNOWN;
1950 	}
1951 
1952 	if (hci_resolve_next_name(hdev))
1953 		return;
1954 
1955 discov_complete:
1956 	hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1957 }
1958 
1959 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
1960 {
1961 	struct hci_cp_remote_name_req *cp;
1962 	struct hci_conn *conn;
1963 
1964 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1965 
1966 	/* If successful wait for the name req complete event before
1967 	 * checking for the need to do authentication */
1968 	if (!status)
1969 		return;
1970 
1971 	cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
1972 	if (!cp)
1973 		return;
1974 
1975 	hci_dev_lock(hdev);
1976 
1977 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1978 
1979 	if (hci_dev_test_flag(hdev, HCI_MGMT))
1980 		hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
1981 
1982 	if (!conn)
1983 		goto unlock;
1984 
1985 	if (!hci_outgoing_auth_needed(hdev, conn))
1986 		goto unlock;
1987 
1988 	if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
1989 		struct hci_cp_auth_requested auth_cp;
1990 
1991 		set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
1992 
1993 		auth_cp.handle = __cpu_to_le16(conn->handle);
1994 		hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
1995 			     sizeof(auth_cp), &auth_cp);
1996 	}
1997 
1998 unlock:
1999 	hci_dev_unlock(hdev);
2000 }
2001 
2002 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
2003 {
2004 	struct hci_cp_read_remote_features *cp;
2005 	struct hci_conn *conn;
2006 
2007 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
2008 
2009 	if (!status)
2010 		return;
2011 
2012 	cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
2013 	if (!cp)
2014 		return;
2015 
2016 	hci_dev_lock(hdev);
2017 
2018 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2019 	if (conn) {
2020 		if (conn->state == BT_CONFIG) {
2021 			hci_connect_cfm(conn, status);
2022 			hci_conn_drop(conn);
2023 		}
2024 	}
2025 
2026 	hci_dev_unlock(hdev);
2027 }
2028 
2029 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
2030 {
2031 	struct hci_cp_read_remote_ext_features *cp;
2032 	struct hci_conn *conn;
2033 
2034 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
2035 
2036 	if (!status)
2037 		return;
2038 
2039 	cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
2040 	if (!cp)
2041 		return;
2042 
2043 	hci_dev_lock(hdev);
2044 
2045 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2046 	if (conn) {
2047 		if (conn->state == BT_CONFIG) {
2048 			hci_connect_cfm(conn, status);
2049 			hci_conn_drop(conn);
2050 		}
2051 	}
2052 
2053 	hci_dev_unlock(hdev);
2054 }
2055 
2056 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2057 {
2058 	struct hci_cp_setup_sync_conn *cp;
2059 	struct hci_conn *acl, *sco;
2060 	__u16 handle;
2061 
2062 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
2063 
2064 	if (!status)
2065 		return;
2066 
2067 	cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
2068 	if (!cp)
2069 		return;
2070 
2071 	handle = __le16_to_cpu(cp->handle);
2072 
2073 	BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
2074 
2075 	hci_dev_lock(hdev);
2076 
2077 	acl = hci_conn_hash_lookup_handle(hdev, handle);
2078 	if (acl) {
2079 		sco = acl->link;
2080 		if (sco) {
2081 			sco->state = BT_CLOSED;
2082 
2083 			hci_connect_cfm(sco, status);
2084 			hci_conn_del(sco);
2085 		}
2086 	}
2087 
2088 	hci_dev_unlock(hdev);
2089 }
2090 
2091 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
2092 {
2093 	struct hci_cp_sniff_mode *cp;
2094 	struct hci_conn *conn;
2095 
2096 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
2097 
2098 	if (!status)
2099 		return;
2100 
2101 	cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
2102 	if (!cp)
2103 		return;
2104 
2105 	hci_dev_lock(hdev);
2106 
2107 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2108 	if (conn) {
2109 		clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2110 
2111 		if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2112 			hci_sco_setup(conn, status);
2113 	}
2114 
2115 	hci_dev_unlock(hdev);
2116 }
2117 
2118 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
2119 {
2120 	struct hci_cp_exit_sniff_mode *cp;
2121 	struct hci_conn *conn;
2122 
2123 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
2124 
2125 	if (!status)
2126 		return;
2127 
2128 	cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
2129 	if (!cp)
2130 		return;
2131 
2132 	hci_dev_lock(hdev);
2133 
2134 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2135 	if (conn) {
2136 		clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2137 
2138 		if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2139 			hci_sco_setup(conn, status);
2140 	}
2141 
2142 	hci_dev_unlock(hdev);
2143 }
2144 
2145 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
2146 {
2147 	struct hci_cp_disconnect *cp;
2148 	struct hci_conn *conn;
2149 
2150 	if (!status)
2151 		return;
2152 
2153 	cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
2154 	if (!cp)
2155 		return;
2156 
2157 	hci_dev_lock(hdev);
2158 
2159 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2160 	if (conn)
2161 		mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2162 				       conn->dst_type, status);
2163 
2164 	hci_dev_unlock(hdev);
2165 }
2166 
2167 static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr,
2168 			      u8 peer_addr_type, u8 own_address_type,
2169 			      u8 filter_policy)
2170 {
2171 	struct hci_conn *conn;
2172 
2173 	conn = hci_conn_hash_lookup_le(hdev, peer_addr,
2174 				       peer_addr_type);
2175 	if (!conn)
2176 		return;
2177 
2178 	/* Store the initiator and responder address information which
2179 	 * is needed for SMP. These values will not change during the
2180 	 * lifetime of the connection.
2181 	 */
2182 	conn->init_addr_type = own_address_type;
2183 	if (own_address_type == ADDR_LE_DEV_RANDOM)
2184 		bacpy(&conn->init_addr, &hdev->random_addr);
2185 	else
2186 		bacpy(&conn->init_addr, &hdev->bdaddr);
2187 
2188 	conn->resp_addr_type = peer_addr_type;
2189 	bacpy(&conn->resp_addr, peer_addr);
2190 
2191 	/* We don't want the connection attempt to stick around
2192 	 * indefinitely since LE doesn't have a page timeout concept
2193 	 * like BR/EDR. Set a timer for any connection that doesn't use
2194 	 * the white list for connecting.
2195 	 */
2196 	if (filter_policy == HCI_LE_USE_PEER_ADDR)
2197 		queue_delayed_work(conn->hdev->workqueue,
2198 				   &conn->le_conn_timeout,
2199 				   conn->conn_timeout);
2200 }
2201 
2202 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
2203 {
2204 	struct hci_cp_le_create_conn *cp;
2205 
2206 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
2207 
2208 	/* All connection failure handling is taken care of by the
2209 	 * hci_le_conn_failed function which is triggered by the HCI
2210 	 * request completion callbacks used for connecting.
2211 	 */
2212 	if (status)
2213 		return;
2214 
2215 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
2216 	if (!cp)
2217 		return;
2218 
2219 	hci_dev_lock(hdev);
2220 
2221 	cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2222 			  cp->own_address_type, cp->filter_policy);
2223 
2224 	hci_dev_unlock(hdev);
2225 }
2226 
2227 static void hci_cs_le_ext_create_conn(struct hci_dev *hdev, u8 status)
2228 {
2229 	struct hci_cp_le_ext_create_conn *cp;
2230 
2231 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
2232 
2233 	/* All connection failure handling is taken care of by the
2234 	 * hci_le_conn_failed function which is triggered by the HCI
2235 	 * request completion callbacks used for connecting.
2236 	 */
2237 	if (status)
2238 		return;
2239 
2240 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_EXT_CREATE_CONN);
2241 	if (!cp)
2242 		return;
2243 
2244 	hci_dev_lock(hdev);
2245 
2246 	cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2247 			  cp->own_addr_type, cp->filter_policy);
2248 
2249 	hci_dev_unlock(hdev);
2250 }
2251 
2252 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)
2253 {
2254 	struct hci_cp_le_read_remote_features *cp;
2255 	struct hci_conn *conn;
2256 
2257 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
2258 
2259 	if (!status)
2260 		return;
2261 
2262 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);
2263 	if (!cp)
2264 		return;
2265 
2266 	hci_dev_lock(hdev);
2267 
2268 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2269 	if (conn) {
2270 		if (conn->state == BT_CONFIG) {
2271 			hci_connect_cfm(conn, status);
2272 			hci_conn_drop(conn);
2273 		}
2274 	}
2275 
2276 	hci_dev_unlock(hdev);
2277 }
2278 
2279 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
2280 {
2281 	struct hci_cp_le_start_enc *cp;
2282 	struct hci_conn *conn;
2283 
2284 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
2285 
2286 	if (!status)
2287 		return;
2288 
2289 	hci_dev_lock(hdev);
2290 
2291 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
2292 	if (!cp)
2293 		goto unlock;
2294 
2295 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2296 	if (!conn)
2297 		goto unlock;
2298 
2299 	if (conn->state != BT_CONNECTED)
2300 		goto unlock;
2301 
2302 	hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2303 	hci_conn_drop(conn);
2304 
2305 unlock:
2306 	hci_dev_unlock(hdev);
2307 }
2308 
2309 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
2310 {
2311 	struct hci_cp_switch_role *cp;
2312 	struct hci_conn *conn;
2313 
2314 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
2315 
2316 	if (!status)
2317 		return;
2318 
2319 	cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
2320 	if (!cp)
2321 		return;
2322 
2323 	hci_dev_lock(hdev);
2324 
2325 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2326 	if (conn)
2327 		clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
2328 
2329 	hci_dev_unlock(hdev);
2330 }
2331 
2332 static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2333 {
2334 	__u8 status = *((__u8 *) skb->data);
2335 	struct discovery_state *discov = &hdev->discovery;
2336 	struct inquiry_entry *e;
2337 
2338 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
2339 
2340 	hci_conn_check_pending(hdev);
2341 
2342 	if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
2343 		return;
2344 
2345 	smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
2346 	wake_up_bit(&hdev->flags, HCI_INQUIRY);
2347 
2348 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
2349 		return;
2350 
2351 	hci_dev_lock(hdev);
2352 
2353 	if (discov->state != DISCOVERY_FINDING)
2354 		goto unlock;
2355 
2356 	if (list_empty(&discov->resolve)) {
2357 		/* When BR/EDR inquiry is active and no LE scanning is in
2358 		 * progress, then change discovery state to indicate completion.
2359 		 *
2360 		 * When running LE scanning and BR/EDR inquiry simultaneously
2361 		 * and the LE scan already finished, then change the discovery
2362 		 * state to indicate completion.
2363 		 */
2364 		if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2365 		    !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2366 			hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2367 		goto unlock;
2368 	}
2369 
2370 	e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2371 	if (e && hci_resolve_name(hdev, e) == 0) {
2372 		e->name_state = NAME_PENDING;
2373 		hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
2374 	} else {
2375 		/* When BR/EDR inquiry is active and no LE scanning is in
2376 		 * progress, then change discovery state to indicate completion.
2377 		 *
2378 		 * When running LE scanning and BR/EDR inquiry simultaneously
2379 		 * and the LE scan already finished, then change the discovery
2380 		 * state to indicate completion.
2381 		 */
2382 		if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2383 		    !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2384 			hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2385 	}
2386 
2387 unlock:
2388 	hci_dev_unlock(hdev);
2389 }
2390 
2391 static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
2392 {
2393 	struct inquiry_data data;
2394 	struct inquiry_info *info = (void *) (skb->data + 1);
2395 	int num_rsp = *((__u8 *) skb->data);
2396 
2397 	BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
2398 
2399 	if (!num_rsp)
2400 		return;
2401 
2402 	if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
2403 		return;
2404 
2405 	hci_dev_lock(hdev);
2406 
2407 	for (; num_rsp; num_rsp--, info++) {
2408 		u32 flags;
2409 
2410 		bacpy(&data.bdaddr, &info->bdaddr);
2411 		data.pscan_rep_mode	= info->pscan_rep_mode;
2412 		data.pscan_period_mode	= info->pscan_period_mode;
2413 		data.pscan_mode		= info->pscan_mode;
2414 		memcpy(data.dev_class, info->dev_class, 3);
2415 		data.clock_offset	= info->clock_offset;
2416 		data.rssi		= HCI_RSSI_INVALID;
2417 		data.ssp_mode		= 0x00;
2418 
2419 		flags = hci_inquiry_cache_update(hdev, &data, false);
2420 
2421 		mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
2422 				  info->dev_class, HCI_RSSI_INVALID,
2423 				  flags, NULL, 0, NULL, 0);
2424 	}
2425 
2426 	hci_dev_unlock(hdev);
2427 }
2428 
2429 static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2430 {
2431 	struct hci_ev_conn_complete *ev = (void *) skb->data;
2432 	struct hci_conn *conn;
2433 
2434 	BT_DBG("%s", hdev->name);
2435 
2436 	hci_dev_lock(hdev);
2437 
2438 	conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
2439 	if (!conn) {
2440 		if (ev->link_type != SCO_LINK)
2441 			goto unlock;
2442 
2443 		conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
2444 		if (!conn)
2445 			goto unlock;
2446 
2447 		conn->type = SCO_LINK;
2448 	}
2449 
2450 	if (!ev->status) {
2451 		conn->handle = __le16_to_cpu(ev->handle);
2452 
2453 		if (conn->type == ACL_LINK) {
2454 			conn->state = BT_CONFIG;
2455 			hci_conn_hold(conn);
2456 
2457 			if (!conn->out && !hci_conn_ssp_enabled(conn) &&
2458 			    !hci_find_link_key(hdev, &ev->bdaddr))
2459 				conn->disc_timeout = HCI_PAIRING_TIMEOUT;
2460 			else
2461 				conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2462 		} else
2463 			conn->state = BT_CONNECTED;
2464 
2465 		hci_debugfs_create_conn(conn);
2466 		hci_conn_add_sysfs(conn);
2467 
2468 		if (test_bit(HCI_AUTH, &hdev->flags))
2469 			set_bit(HCI_CONN_AUTH, &conn->flags);
2470 
2471 		if (test_bit(HCI_ENCRYPT, &hdev->flags))
2472 			set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2473 
2474 		/* Get remote features */
2475 		if (conn->type == ACL_LINK) {
2476 			struct hci_cp_read_remote_features cp;
2477 			cp.handle = ev->handle;
2478 			hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
2479 				     sizeof(cp), &cp);
2480 
2481 			hci_req_update_scan(hdev);
2482 		}
2483 
2484 		/* Set packet type for incoming connection */
2485 		if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
2486 			struct hci_cp_change_conn_ptype cp;
2487 			cp.handle = ev->handle;
2488 			cp.pkt_type = cpu_to_le16(conn->pkt_type);
2489 			hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
2490 				     &cp);
2491 		}
2492 	} else {
2493 		conn->state = BT_CLOSED;
2494 		if (conn->type == ACL_LINK)
2495 			mgmt_connect_failed(hdev, &conn->dst, conn->type,
2496 					    conn->dst_type, ev->status);
2497 	}
2498 
2499 	if (conn->type == ACL_LINK)
2500 		hci_sco_setup(conn, ev->status);
2501 
2502 	if (ev->status) {
2503 		hci_connect_cfm(conn, ev->status);
2504 		hci_conn_del(conn);
2505 	} else if (ev->link_type != ACL_LINK)
2506 		hci_connect_cfm(conn, ev->status);
2507 
2508 unlock:
2509 	hci_dev_unlock(hdev);
2510 
2511 	hci_conn_check_pending(hdev);
2512 }
2513 
2514 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
2515 {
2516 	struct hci_cp_reject_conn_req cp;
2517 
2518 	bacpy(&cp.bdaddr, bdaddr);
2519 	cp.reason = HCI_ERROR_REJ_BAD_ADDR;
2520 	hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
2521 }
2522 
2523 static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2524 {
2525 	struct hci_ev_conn_request *ev = (void *) skb->data;
2526 	int mask = hdev->link_mode;
2527 	struct inquiry_entry *ie;
2528 	struct hci_conn *conn;
2529 	__u8 flags = 0;
2530 
2531 	BT_DBG("%s bdaddr %pMR type 0x%x", hdev->name, &ev->bdaddr,
2532 	       ev->link_type);
2533 
2534 	mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
2535 				      &flags);
2536 
2537 	if (!(mask & HCI_LM_ACCEPT)) {
2538 		hci_reject_conn(hdev, &ev->bdaddr);
2539 		return;
2540 	}
2541 
2542 	if (hci_bdaddr_list_lookup(&hdev->blacklist, &ev->bdaddr,
2543 				   BDADDR_BREDR)) {
2544 		hci_reject_conn(hdev, &ev->bdaddr);
2545 		return;
2546 	}
2547 
2548 	/* Require HCI_CONNECTABLE or a whitelist entry to accept the
2549 	 * connection. These features are only touched through mgmt so
2550 	 * only do the checks if HCI_MGMT is set.
2551 	 */
2552 	if (hci_dev_test_flag(hdev, HCI_MGMT) &&
2553 	    !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
2554 	    !hci_bdaddr_list_lookup(&hdev->whitelist, &ev->bdaddr,
2555 				    BDADDR_BREDR)) {
2556 		    hci_reject_conn(hdev, &ev->bdaddr);
2557 		    return;
2558 	}
2559 
2560 	/* Connection accepted */
2561 
2562 	hci_dev_lock(hdev);
2563 
2564 	ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
2565 	if (ie)
2566 		memcpy(ie->data.dev_class, ev->dev_class, 3);
2567 
2568 	conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
2569 			&ev->bdaddr);
2570 	if (!conn) {
2571 		conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,
2572 				    HCI_ROLE_SLAVE);
2573 		if (!conn) {
2574 			bt_dev_err(hdev, "no memory for new connection");
2575 			hci_dev_unlock(hdev);
2576 			return;
2577 		}
2578 	}
2579 
2580 	memcpy(conn->dev_class, ev->dev_class, 3);
2581 
2582 	hci_dev_unlock(hdev);
2583 
2584 	if (ev->link_type == ACL_LINK ||
2585 	    (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
2586 		struct hci_cp_accept_conn_req cp;
2587 		conn->state = BT_CONNECT;
2588 
2589 		bacpy(&cp.bdaddr, &ev->bdaddr);
2590 
2591 		if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
2592 			cp.role = 0x00; /* Become master */
2593 		else
2594 			cp.role = 0x01; /* Remain slave */
2595 
2596 		hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
2597 	} else if (!(flags & HCI_PROTO_DEFER)) {
2598 		struct hci_cp_accept_sync_conn_req cp;
2599 		conn->state = BT_CONNECT;
2600 
2601 		bacpy(&cp.bdaddr, &ev->bdaddr);
2602 		cp.pkt_type = cpu_to_le16(conn->pkt_type);
2603 
2604 		cp.tx_bandwidth   = cpu_to_le32(0x00001f40);
2605 		cp.rx_bandwidth   = cpu_to_le32(0x00001f40);
2606 		cp.max_latency    = cpu_to_le16(0xffff);
2607 		cp.content_format = cpu_to_le16(hdev->voice_setting);
2608 		cp.retrans_effort = 0xff;
2609 
2610 		hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
2611 			     &cp);
2612 	} else {
2613 		conn->state = BT_CONNECT2;
2614 		hci_connect_cfm(conn, 0);
2615 	}
2616 }
2617 
2618 static u8 hci_to_mgmt_reason(u8 err)
2619 {
2620 	switch (err) {
2621 	case HCI_ERROR_CONNECTION_TIMEOUT:
2622 		return MGMT_DEV_DISCONN_TIMEOUT;
2623 	case HCI_ERROR_REMOTE_USER_TERM:
2624 	case HCI_ERROR_REMOTE_LOW_RESOURCES:
2625 	case HCI_ERROR_REMOTE_POWER_OFF:
2626 		return MGMT_DEV_DISCONN_REMOTE;
2627 	case HCI_ERROR_LOCAL_HOST_TERM:
2628 		return MGMT_DEV_DISCONN_LOCAL_HOST;
2629 	default:
2630 		return MGMT_DEV_DISCONN_UNKNOWN;
2631 	}
2632 }
2633 
2634 static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2635 {
2636 	struct hci_ev_disconn_complete *ev = (void *) skb->data;
2637 	u8 reason;
2638 	struct hci_conn_params *params;
2639 	struct hci_conn *conn;
2640 	bool mgmt_connected;
2641 	u8 type;
2642 
2643 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2644 
2645 	hci_dev_lock(hdev);
2646 
2647 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2648 	if (!conn)
2649 		goto unlock;
2650 
2651 	if (ev->status) {
2652 		mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2653 				       conn->dst_type, ev->status);
2654 		goto unlock;
2655 	}
2656 
2657 	conn->state = BT_CLOSED;
2658 
2659 	mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2660 
2661 	if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags))
2662 		reason = MGMT_DEV_DISCONN_AUTH_FAILURE;
2663 	else
2664 		reason = hci_to_mgmt_reason(ev->reason);
2665 
2666 	mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2667 				reason, mgmt_connected);
2668 
2669 	if (conn->type == ACL_LINK) {
2670 		if (test_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2671 			hci_remove_link_key(hdev, &conn->dst);
2672 
2673 		hci_req_update_scan(hdev);
2674 	}
2675 
2676 	params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2677 	if (params) {
2678 		switch (params->auto_connect) {
2679 		case HCI_AUTO_CONN_LINK_LOSS:
2680 			if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2681 				break;
2682 			/* Fall through */
2683 
2684 		case HCI_AUTO_CONN_DIRECT:
2685 		case HCI_AUTO_CONN_ALWAYS:
2686 			list_del_init(&params->action);
2687 			list_add(&params->action, &hdev->pend_le_conns);
2688 			hci_update_background_scan(hdev);
2689 			break;
2690 
2691 		default:
2692 			break;
2693 		}
2694 	}
2695 
2696 	type = conn->type;
2697 
2698 	hci_disconn_cfm(conn, ev->reason);
2699 	hci_conn_del(conn);
2700 
2701 	/* Re-enable advertising if necessary, since it might
2702 	 * have been disabled by the connection. From the
2703 	 * HCI_LE_Set_Advertise_Enable command description in
2704 	 * the core specification (v4.0):
2705 	 * "The Controller shall continue advertising until the Host
2706 	 * issues an LE_Set_Advertise_Enable command with
2707 	 * Advertising_Enable set to 0x00 (Advertising is disabled)
2708 	 * or until a connection is created or until the Advertising
2709 	 * is timed out due to Directed Advertising."
2710 	 */
2711 	if (type == LE_LINK)
2712 		hci_req_reenable_advertising(hdev);
2713 
2714 unlock:
2715 	hci_dev_unlock(hdev);
2716 }
2717 
2718 static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2719 {
2720 	struct hci_ev_auth_complete *ev = (void *) skb->data;
2721 	struct hci_conn *conn;
2722 
2723 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2724 
2725 	hci_dev_lock(hdev);
2726 
2727 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2728 	if (!conn)
2729 		goto unlock;
2730 
2731 	if (!ev->status) {
2732 		clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
2733 
2734 		if (!hci_conn_ssp_enabled(conn) &&
2735 		    test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) {
2736 			bt_dev_info(hdev, "re-auth of legacy device is not possible.");
2737 		} else {
2738 			set_bit(HCI_CONN_AUTH, &conn->flags);
2739 			conn->sec_level = conn->pending_sec_level;
2740 		}
2741 	} else {
2742 		if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
2743 			set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
2744 
2745 		mgmt_auth_failed(conn, ev->status);
2746 	}
2747 
2748 	clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2749 	clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
2750 
2751 	if (conn->state == BT_CONFIG) {
2752 		if (!ev->status && hci_conn_ssp_enabled(conn)) {
2753 			struct hci_cp_set_conn_encrypt cp;
2754 			cp.handle  = ev->handle;
2755 			cp.encrypt = 0x01;
2756 			hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2757 				     &cp);
2758 		} else {
2759 			conn->state = BT_CONNECTED;
2760 			hci_connect_cfm(conn, ev->status);
2761 			hci_conn_drop(conn);
2762 		}
2763 	} else {
2764 		hci_auth_cfm(conn, ev->status);
2765 
2766 		hci_conn_hold(conn);
2767 		conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2768 		hci_conn_drop(conn);
2769 	}
2770 
2771 	if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2772 		if (!ev->status) {
2773 			struct hci_cp_set_conn_encrypt cp;
2774 			cp.handle  = ev->handle;
2775 			cp.encrypt = 0x01;
2776 			hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2777 				     &cp);
2778 		} else {
2779 			clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2780 			hci_encrypt_cfm(conn, ev->status, 0x00);
2781 		}
2782 	}
2783 
2784 unlock:
2785 	hci_dev_unlock(hdev);
2786 }
2787 
2788 static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb)
2789 {
2790 	struct hci_ev_remote_name *ev = (void *) skb->data;
2791 	struct hci_conn *conn;
2792 
2793 	BT_DBG("%s", hdev->name);
2794 
2795 	hci_conn_check_pending(hdev);
2796 
2797 	hci_dev_lock(hdev);
2798 
2799 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2800 
2801 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
2802 		goto check_auth;
2803 
2804 	if (ev->status == 0)
2805 		hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
2806 				       strnlen(ev->name, HCI_MAX_NAME_LENGTH));
2807 	else
2808 		hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
2809 
2810 check_auth:
2811 	if (!conn)
2812 		goto unlock;
2813 
2814 	if (!hci_outgoing_auth_needed(hdev, conn))
2815 		goto unlock;
2816 
2817 	if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2818 		struct hci_cp_auth_requested cp;
2819 
2820 		set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2821 
2822 		cp.handle = __cpu_to_le16(conn->handle);
2823 		hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
2824 	}
2825 
2826 unlock:
2827 	hci_dev_unlock(hdev);
2828 }
2829 
2830 static void read_enc_key_size_complete(struct hci_dev *hdev, u8 status,
2831 				       u16 opcode, struct sk_buff *skb)
2832 {
2833 	const struct hci_rp_read_enc_key_size *rp;
2834 	struct hci_conn *conn;
2835 	u16 handle;
2836 
2837 	BT_DBG("%s status 0x%02x", hdev->name, status);
2838 
2839 	if (!skb || skb->len < sizeof(*rp)) {
2840 		bt_dev_err(hdev, "invalid read key size response");
2841 		return;
2842 	}
2843 
2844 	rp = (void *)skb->data;
2845 	handle = le16_to_cpu(rp->handle);
2846 
2847 	hci_dev_lock(hdev);
2848 
2849 	conn = hci_conn_hash_lookup_handle(hdev, handle);
2850 	if (!conn)
2851 		goto unlock;
2852 
2853 	/* If we fail to read the encryption key size, assume maximum
2854 	 * (which is the same we do also when this HCI command isn't
2855 	 * supported.
2856 	 */
2857 	if (rp->status) {
2858 		bt_dev_err(hdev, "failed to read key size for handle %u",
2859 			   handle);
2860 		conn->enc_key_size = HCI_LINK_KEY_SIZE;
2861 	} else {
2862 		conn->enc_key_size = rp->key_size;
2863 	}
2864 
2865 	if (conn->state == BT_CONFIG) {
2866 		conn->state = BT_CONNECTED;
2867 		hci_connect_cfm(conn, 0);
2868 		hci_conn_drop(conn);
2869 	} else {
2870 		u8 encrypt;
2871 
2872 		if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2873 			encrypt = 0x00;
2874 		else if (test_bit(HCI_CONN_AES_CCM, &conn->flags))
2875 			encrypt = 0x02;
2876 		else
2877 			encrypt = 0x01;
2878 
2879 		hci_encrypt_cfm(conn, 0, encrypt);
2880 	}
2881 
2882 unlock:
2883 	hci_dev_unlock(hdev);
2884 }
2885 
2886 static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2887 {
2888 	struct hci_ev_encrypt_change *ev = (void *) skb->data;
2889 	struct hci_conn *conn;
2890 
2891 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2892 
2893 	hci_dev_lock(hdev);
2894 
2895 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2896 	if (!conn)
2897 		goto unlock;
2898 
2899 	if (!ev->status) {
2900 		if (ev->encrypt) {
2901 			/* Encryption implies authentication */
2902 			set_bit(HCI_CONN_AUTH, &conn->flags);
2903 			set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2904 			conn->sec_level = conn->pending_sec_level;
2905 
2906 			/* P-256 authentication key implies FIPS */
2907 			if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
2908 				set_bit(HCI_CONN_FIPS, &conn->flags);
2909 
2910 			if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
2911 			    conn->type == LE_LINK)
2912 				set_bit(HCI_CONN_AES_CCM, &conn->flags);
2913 		} else {
2914 			clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
2915 			clear_bit(HCI_CONN_AES_CCM, &conn->flags);
2916 		}
2917 	}
2918 
2919 	/* We should disregard the current RPA and generate a new one
2920 	 * whenever the encryption procedure fails.
2921 	 */
2922 	if (ev->status && conn->type == LE_LINK) {
2923 		hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
2924 		hci_adv_instances_set_rpa_expired(hdev, true);
2925 	}
2926 
2927 	clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2928 
2929 	if (ev->status && conn->state == BT_CONNECTED) {
2930 		if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
2931 			set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
2932 
2933 		hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2934 		hci_conn_drop(conn);
2935 		goto unlock;
2936 	}
2937 
2938 	/* In Secure Connections Only mode, do not allow any connections
2939 	 * that are not encrypted with AES-CCM using a P-256 authenticated
2940 	 * combination key.
2941 	 */
2942 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) &&
2943 	    (!test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
2944 	     conn->key_type != HCI_LK_AUTH_COMBINATION_P256)) {
2945 		hci_connect_cfm(conn, HCI_ERROR_AUTH_FAILURE);
2946 		hci_conn_drop(conn);
2947 		goto unlock;
2948 	}
2949 
2950 	/* Try reading the encryption key size for encrypted ACL links */
2951 	if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
2952 		struct hci_cp_read_enc_key_size cp;
2953 		struct hci_request req;
2954 
2955 		/* Only send HCI_Read_Encryption_Key_Size if the
2956 		 * controller really supports it. If it doesn't, assume
2957 		 * the default size (16).
2958 		 */
2959 		if (!(hdev->commands[20] & 0x10)) {
2960 			conn->enc_key_size = HCI_LINK_KEY_SIZE;
2961 			goto notify;
2962 		}
2963 
2964 		hci_req_init(&req, hdev);
2965 
2966 		cp.handle = cpu_to_le16(conn->handle);
2967 		hci_req_add(&req, HCI_OP_READ_ENC_KEY_SIZE, sizeof(cp), &cp);
2968 
2969 		if (hci_req_run_skb(&req, read_enc_key_size_complete)) {
2970 			bt_dev_err(hdev, "sending read key size failed");
2971 			conn->enc_key_size = HCI_LINK_KEY_SIZE;
2972 			goto notify;
2973 		}
2974 
2975 		goto unlock;
2976 	}
2977 
2978 notify:
2979 	if (conn->state == BT_CONFIG) {
2980 		if (!ev->status)
2981 			conn->state = BT_CONNECTED;
2982 
2983 		hci_connect_cfm(conn, ev->status);
2984 		hci_conn_drop(conn);
2985 	} else
2986 		hci_encrypt_cfm(conn, ev->status, ev->encrypt);
2987 
2988 unlock:
2989 	hci_dev_unlock(hdev);
2990 }
2991 
2992 static void hci_change_link_key_complete_evt(struct hci_dev *hdev,
2993 					     struct sk_buff *skb)
2994 {
2995 	struct hci_ev_change_link_key_complete *ev = (void *) skb->data;
2996 	struct hci_conn *conn;
2997 
2998 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2999 
3000 	hci_dev_lock(hdev);
3001 
3002 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3003 	if (conn) {
3004 		if (!ev->status)
3005 			set_bit(HCI_CONN_SECURE, &conn->flags);
3006 
3007 		clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3008 
3009 		hci_key_change_cfm(conn, ev->status);
3010 	}
3011 
3012 	hci_dev_unlock(hdev);
3013 }
3014 
3015 static void hci_remote_features_evt(struct hci_dev *hdev,
3016 				    struct sk_buff *skb)
3017 {
3018 	struct hci_ev_remote_features *ev = (void *) skb->data;
3019 	struct hci_conn *conn;
3020 
3021 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3022 
3023 	hci_dev_lock(hdev);
3024 
3025 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3026 	if (!conn)
3027 		goto unlock;
3028 
3029 	if (!ev->status)
3030 		memcpy(conn->features[0], ev->features, 8);
3031 
3032 	if (conn->state != BT_CONFIG)
3033 		goto unlock;
3034 
3035 	if (!ev->status && lmp_ext_feat_capable(hdev) &&
3036 	    lmp_ext_feat_capable(conn)) {
3037 		struct hci_cp_read_remote_ext_features cp;
3038 		cp.handle = ev->handle;
3039 		cp.page = 0x01;
3040 		hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
3041 			     sizeof(cp), &cp);
3042 		goto unlock;
3043 	}
3044 
3045 	if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3046 		struct hci_cp_remote_name_req cp;
3047 		memset(&cp, 0, sizeof(cp));
3048 		bacpy(&cp.bdaddr, &conn->dst);
3049 		cp.pscan_rep_mode = 0x02;
3050 		hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3051 	} else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3052 		mgmt_device_connected(hdev, conn, 0, NULL, 0);
3053 
3054 	if (!hci_outgoing_auth_needed(hdev, conn)) {
3055 		conn->state = BT_CONNECTED;
3056 		hci_connect_cfm(conn, ev->status);
3057 		hci_conn_drop(conn);
3058 	}
3059 
3060 unlock:
3061 	hci_dev_unlock(hdev);
3062 }
3063 
3064 static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb,
3065 				 u16 *opcode, u8 *status,
3066 				 hci_req_complete_t *req_complete,
3067 				 hci_req_complete_skb_t *req_complete_skb)
3068 {
3069 	struct hci_ev_cmd_complete *ev = (void *) skb->data;
3070 
3071 	*opcode = __le16_to_cpu(ev->opcode);
3072 	*status = skb->data[sizeof(*ev)];
3073 
3074 	skb_pull(skb, sizeof(*ev));
3075 
3076 	switch (*opcode) {
3077 	case HCI_OP_INQUIRY_CANCEL:
3078 		hci_cc_inquiry_cancel(hdev, skb);
3079 		break;
3080 
3081 	case HCI_OP_PERIODIC_INQ:
3082 		hci_cc_periodic_inq(hdev, skb);
3083 		break;
3084 
3085 	case HCI_OP_EXIT_PERIODIC_INQ:
3086 		hci_cc_exit_periodic_inq(hdev, skb);
3087 		break;
3088 
3089 	case HCI_OP_REMOTE_NAME_REQ_CANCEL:
3090 		hci_cc_remote_name_req_cancel(hdev, skb);
3091 		break;
3092 
3093 	case HCI_OP_ROLE_DISCOVERY:
3094 		hci_cc_role_discovery(hdev, skb);
3095 		break;
3096 
3097 	case HCI_OP_READ_LINK_POLICY:
3098 		hci_cc_read_link_policy(hdev, skb);
3099 		break;
3100 
3101 	case HCI_OP_WRITE_LINK_POLICY:
3102 		hci_cc_write_link_policy(hdev, skb);
3103 		break;
3104 
3105 	case HCI_OP_READ_DEF_LINK_POLICY:
3106 		hci_cc_read_def_link_policy(hdev, skb);
3107 		break;
3108 
3109 	case HCI_OP_WRITE_DEF_LINK_POLICY:
3110 		hci_cc_write_def_link_policy(hdev, skb);
3111 		break;
3112 
3113 	case HCI_OP_RESET:
3114 		hci_cc_reset(hdev, skb);
3115 		break;
3116 
3117 	case HCI_OP_READ_STORED_LINK_KEY:
3118 		hci_cc_read_stored_link_key(hdev, skb);
3119 		break;
3120 
3121 	case HCI_OP_DELETE_STORED_LINK_KEY:
3122 		hci_cc_delete_stored_link_key(hdev, skb);
3123 		break;
3124 
3125 	case HCI_OP_WRITE_LOCAL_NAME:
3126 		hci_cc_write_local_name(hdev, skb);
3127 		break;
3128 
3129 	case HCI_OP_READ_LOCAL_NAME:
3130 		hci_cc_read_local_name(hdev, skb);
3131 		break;
3132 
3133 	case HCI_OP_WRITE_AUTH_ENABLE:
3134 		hci_cc_write_auth_enable(hdev, skb);
3135 		break;
3136 
3137 	case HCI_OP_WRITE_ENCRYPT_MODE:
3138 		hci_cc_write_encrypt_mode(hdev, skb);
3139 		break;
3140 
3141 	case HCI_OP_WRITE_SCAN_ENABLE:
3142 		hci_cc_write_scan_enable(hdev, skb);
3143 		break;
3144 
3145 	case HCI_OP_READ_CLASS_OF_DEV:
3146 		hci_cc_read_class_of_dev(hdev, skb);
3147 		break;
3148 
3149 	case HCI_OP_WRITE_CLASS_OF_DEV:
3150 		hci_cc_write_class_of_dev(hdev, skb);
3151 		break;
3152 
3153 	case HCI_OP_READ_VOICE_SETTING:
3154 		hci_cc_read_voice_setting(hdev, skb);
3155 		break;
3156 
3157 	case HCI_OP_WRITE_VOICE_SETTING:
3158 		hci_cc_write_voice_setting(hdev, skb);
3159 		break;
3160 
3161 	case HCI_OP_READ_NUM_SUPPORTED_IAC:
3162 		hci_cc_read_num_supported_iac(hdev, skb);
3163 		break;
3164 
3165 	case HCI_OP_WRITE_SSP_MODE:
3166 		hci_cc_write_ssp_mode(hdev, skb);
3167 		break;
3168 
3169 	case HCI_OP_WRITE_SC_SUPPORT:
3170 		hci_cc_write_sc_support(hdev, skb);
3171 		break;
3172 
3173 	case HCI_OP_READ_LOCAL_VERSION:
3174 		hci_cc_read_local_version(hdev, skb);
3175 		break;
3176 
3177 	case HCI_OP_READ_LOCAL_COMMANDS:
3178 		hci_cc_read_local_commands(hdev, skb);
3179 		break;
3180 
3181 	case HCI_OP_READ_LOCAL_FEATURES:
3182 		hci_cc_read_local_features(hdev, skb);
3183 		break;
3184 
3185 	case HCI_OP_READ_LOCAL_EXT_FEATURES:
3186 		hci_cc_read_local_ext_features(hdev, skb);
3187 		break;
3188 
3189 	case HCI_OP_READ_BUFFER_SIZE:
3190 		hci_cc_read_buffer_size(hdev, skb);
3191 		break;
3192 
3193 	case HCI_OP_READ_BD_ADDR:
3194 		hci_cc_read_bd_addr(hdev, skb);
3195 		break;
3196 
3197 	case HCI_OP_READ_PAGE_SCAN_ACTIVITY:
3198 		hci_cc_read_page_scan_activity(hdev, skb);
3199 		break;
3200 
3201 	case HCI_OP_WRITE_PAGE_SCAN_ACTIVITY:
3202 		hci_cc_write_page_scan_activity(hdev, skb);
3203 		break;
3204 
3205 	case HCI_OP_READ_PAGE_SCAN_TYPE:
3206 		hci_cc_read_page_scan_type(hdev, skb);
3207 		break;
3208 
3209 	case HCI_OP_WRITE_PAGE_SCAN_TYPE:
3210 		hci_cc_write_page_scan_type(hdev, skb);
3211 		break;
3212 
3213 	case HCI_OP_READ_DATA_BLOCK_SIZE:
3214 		hci_cc_read_data_block_size(hdev, skb);
3215 		break;
3216 
3217 	case HCI_OP_READ_FLOW_CONTROL_MODE:
3218 		hci_cc_read_flow_control_mode(hdev, skb);
3219 		break;
3220 
3221 	case HCI_OP_READ_LOCAL_AMP_INFO:
3222 		hci_cc_read_local_amp_info(hdev, skb);
3223 		break;
3224 
3225 	case HCI_OP_READ_CLOCK:
3226 		hci_cc_read_clock(hdev, skb);
3227 		break;
3228 
3229 	case HCI_OP_READ_INQ_RSP_TX_POWER:
3230 		hci_cc_read_inq_rsp_tx_power(hdev, skb);
3231 		break;
3232 
3233 	case HCI_OP_PIN_CODE_REPLY:
3234 		hci_cc_pin_code_reply(hdev, skb);
3235 		break;
3236 
3237 	case HCI_OP_PIN_CODE_NEG_REPLY:
3238 		hci_cc_pin_code_neg_reply(hdev, skb);
3239 		break;
3240 
3241 	case HCI_OP_READ_LOCAL_OOB_DATA:
3242 		hci_cc_read_local_oob_data(hdev, skb);
3243 		break;
3244 
3245 	case HCI_OP_READ_LOCAL_OOB_EXT_DATA:
3246 		hci_cc_read_local_oob_ext_data(hdev, skb);
3247 		break;
3248 
3249 	case HCI_OP_LE_READ_BUFFER_SIZE:
3250 		hci_cc_le_read_buffer_size(hdev, skb);
3251 		break;
3252 
3253 	case HCI_OP_LE_READ_LOCAL_FEATURES:
3254 		hci_cc_le_read_local_features(hdev, skb);
3255 		break;
3256 
3257 	case HCI_OP_LE_READ_ADV_TX_POWER:
3258 		hci_cc_le_read_adv_tx_power(hdev, skb);
3259 		break;
3260 
3261 	case HCI_OP_USER_CONFIRM_REPLY:
3262 		hci_cc_user_confirm_reply(hdev, skb);
3263 		break;
3264 
3265 	case HCI_OP_USER_CONFIRM_NEG_REPLY:
3266 		hci_cc_user_confirm_neg_reply(hdev, skb);
3267 		break;
3268 
3269 	case HCI_OP_USER_PASSKEY_REPLY:
3270 		hci_cc_user_passkey_reply(hdev, skb);
3271 		break;
3272 
3273 	case HCI_OP_USER_PASSKEY_NEG_REPLY:
3274 		hci_cc_user_passkey_neg_reply(hdev, skb);
3275 		break;
3276 
3277 	case HCI_OP_LE_SET_RANDOM_ADDR:
3278 		hci_cc_le_set_random_addr(hdev, skb);
3279 		break;
3280 
3281 	case HCI_OP_LE_SET_ADV_ENABLE:
3282 		hci_cc_le_set_adv_enable(hdev, skb);
3283 		break;
3284 
3285 	case HCI_OP_LE_SET_SCAN_PARAM:
3286 		hci_cc_le_set_scan_param(hdev, skb);
3287 		break;
3288 
3289 	case HCI_OP_LE_SET_SCAN_ENABLE:
3290 		hci_cc_le_set_scan_enable(hdev, skb);
3291 		break;
3292 
3293 	case HCI_OP_LE_READ_WHITE_LIST_SIZE:
3294 		hci_cc_le_read_white_list_size(hdev, skb);
3295 		break;
3296 
3297 	case HCI_OP_LE_CLEAR_WHITE_LIST:
3298 		hci_cc_le_clear_white_list(hdev, skb);
3299 		break;
3300 
3301 	case HCI_OP_LE_ADD_TO_WHITE_LIST:
3302 		hci_cc_le_add_to_white_list(hdev, skb);
3303 		break;
3304 
3305 	case HCI_OP_LE_DEL_FROM_WHITE_LIST:
3306 		hci_cc_le_del_from_white_list(hdev, skb);
3307 		break;
3308 
3309 	case HCI_OP_LE_READ_SUPPORTED_STATES:
3310 		hci_cc_le_read_supported_states(hdev, skb);
3311 		break;
3312 
3313 	case HCI_OP_LE_READ_DEF_DATA_LEN:
3314 		hci_cc_le_read_def_data_len(hdev, skb);
3315 		break;
3316 
3317 	case HCI_OP_LE_WRITE_DEF_DATA_LEN:
3318 		hci_cc_le_write_def_data_len(hdev, skb);
3319 		break;
3320 
3321 	case HCI_OP_LE_ADD_TO_RESOLV_LIST:
3322 		hci_cc_le_add_to_resolv_list(hdev, skb);
3323 		break;
3324 
3325 	case HCI_OP_LE_DEL_FROM_RESOLV_LIST:
3326 		hci_cc_le_del_from_resolv_list(hdev, skb);
3327 		break;
3328 
3329 	case HCI_OP_LE_CLEAR_RESOLV_LIST:
3330 		hci_cc_le_clear_resolv_list(hdev, skb);
3331 		break;
3332 
3333 	case HCI_OP_LE_READ_RESOLV_LIST_SIZE:
3334 		hci_cc_le_read_resolv_list_size(hdev, skb);
3335 		break;
3336 
3337 	case HCI_OP_LE_SET_ADDR_RESOLV_ENABLE:
3338 		hci_cc_le_set_addr_resolution_enable(hdev, skb);
3339 		break;
3340 
3341 	case HCI_OP_LE_READ_MAX_DATA_LEN:
3342 		hci_cc_le_read_max_data_len(hdev, skb);
3343 		break;
3344 
3345 	case HCI_OP_WRITE_LE_HOST_SUPPORTED:
3346 		hci_cc_write_le_host_supported(hdev, skb);
3347 		break;
3348 
3349 	case HCI_OP_LE_SET_ADV_PARAM:
3350 		hci_cc_set_adv_param(hdev, skb);
3351 		break;
3352 
3353 	case HCI_OP_READ_RSSI:
3354 		hci_cc_read_rssi(hdev, skb);
3355 		break;
3356 
3357 	case HCI_OP_READ_TX_POWER:
3358 		hci_cc_read_tx_power(hdev, skb);
3359 		break;
3360 
3361 	case HCI_OP_WRITE_SSP_DEBUG_MODE:
3362 		hci_cc_write_ssp_debug_mode(hdev, skb);
3363 		break;
3364 
3365 	case HCI_OP_LE_SET_EXT_SCAN_PARAMS:
3366 		hci_cc_le_set_ext_scan_param(hdev, skb);
3367 		break;
3368 
3369 	case HCI_OP_LE_SET_EXT_SCAN_ENABLE:
3370 		hci_cc_le_set_ext_scan_enable(hdev, skb);
3371 		break;
3372 
3373 	case HCI_OP_LE_SET_DEFAULT_PHY:
3374 		hci_cc_le_set_default_phy(hdev, skb);
3375 		break;
3376 
3377 	case HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS:
3378 		hci_cc_le_read_num_adv_sets(hdev, skb);
3379 		break;
3380 
3381 	case HCI_OP_LE_SET_EXT_ADV_PARAMS:
3382 		hci_cc_set_ext_adv_param(hdev, skb);
3383 		break;
3384 
3385 	case HCI_OP_LE_SET_EXT_ADV_ENABLE:
3386 		hci_cc_le_set_ext_adv_enable(hdev, skb);
3387 		break;
3388 
3389 	case HCI_OP_LE_SET_ADV_SET_RAND_ADDR:
3390 		hci_cc_le_set_adv_set_random_addr(hdev, skb);
3391 		break;
3392 
3393 	default:
3394 		BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3395 		break;
3396 	}
3397 
3398 	if (*opcode != HCI_OP_NOP)
3399 		cancel_delayed_work(&hdev->cmd_timer);
3400 
3401 	if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3402 		atomic_set(&hdev->cmd_cnt, 1);
3403 
3404 	hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
3405 			     req_complete_skb);
3406 
3407 	if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
3408 		bt_dev_err(hdev,
3409 			   "unexpected event for opcode 0x%4.4x", *opcode);
3410 		return;
3411 	}
3412 
3413 	if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3414 		queue_work(hdev->workqueue, &hdev->cmd_work);
3415 }
3416 
3417 static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb,
3418 			       u16 *opcode, u8 *status,
3419 			       hci_req_complete_t *req_complete,
3420 			       hci_req_complete_skb_t *req_complete_skb)
3421 {
3422 	struct hci_ev_cmd_status *ev = (void *) skb->data;
3423 
3424 	skb_pull(skb, sizeof(*ev));
3425 
3426 	*opcode = __le16_to_cpu(ev->opcode);
3427 	*status = ev->status;
3428 
3429 	switch (*opcode) {
3430 	case HCI_OP_INQUIRY:
3431 		hci_cs_inquiry(hdev, ev->status);
3432 		break;
3433 
3434 	case HCI_OP_CREATE_CONN:
3435 		hci_cs_create_conn(hdev, ev->status);
3436 		break;
3437 
3438 	case HCI_OP_DISCONNECT:
3439 		hci_cs_disconnect(hdev, ev->status);
3440 		break;
3441 
3442 	case HCI_OP_ADD_SCO:
3443 		hci_cs_add_sco(hdev, ev->status);
3444 		break;
3445 
3446 	case HCI_OP_AUTH_REQUESTED:
3447 		hci_cs_auth_requested(hdev, ev->status);
3448 		break;
3449 
3450 	case HCI_OP_SET_CONN_ENCRYPT:
3451 		hci_cs_set_conn_encrypt(hdev, ev->status);
3452 		break;
3453 
3454 	case HCI_OP_REMOTE_NAME_REQ:
3455 		hci_cs_remote_name_req(hdev, ev->status);
3456 		break;
3457 
3458 	case HCI_OP_READ_REMOTE_FEATURES:
3459 		hci_cs_read_remote_features(hdev, ev->status);
3460 		break;
3461 
3462 	case HCI_OP_READ_REMOTE_EXT_FEATURES:
3463 		hci_cs_read_remote_ext_features(hdev, ev->status);
3464 		break;
3465 
3466 	case HCI_OP_SETUP_SYNC_CONN:
3467 		hci_cs_setup_sync_conn(hdev, ev->status);
3468 		break;
3469 
3470 	case HCI_OP_SNIFF_MODE:
3471 		hci_cs_sniff_mode(hdev, ev->status);
3472 		break;
3473 
3474 	case HCI_OP_EXIT_SNIFF_MODE:
3475 		hci_cs_exit_sniff_mode(hdev, ev->status);
3476 		break;
3477 
3478 	case HCI_OP_SWITCH_ROLE:
3479 		hci_cs_switch_role(hdev, ev->status);
3480 		break;
3481 
3482 	case HCI_OP_LE_CREATE_CONN:
3483 		hci_cs_le_create_conn(hdev, ev->status);
3484 		break;
3485 
3486 	case HCI_OP_LE_READ_REMOTE_FEATURES:
3487 		hci_cs_le_read_remote_features(hdev, ev->status);
3488 		break;
3489 
3490 	case HCI_OP_LE_START_ENC:
3491 		hci_cs_le_start_enc(hdev, ev->status);
3492 		break;
3493 
3494 	case HCI_OP_LE_EXT_CREATE_CONN:
3495 		hci_cs_le_ext_create_conn(hdev, ev->status);
3496 		break;
3497 
3498 	default:
3499 		BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3500 		break;
3501 	}
3502 
3503 	if (*opcode != HCI_OP_NOP)
3504 		cancel_delayed_work(&hdev->cmd_timer);
3505 
3506 	if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3507 		atomic_set(&hdev->cmd_cnt, 1);
3508 
3509 	/* Indicate request completion if the command failed. Also, if
3510 	 * we're not waiting for a special event and we get a success
3511 	 * command status we should try to flag the request as completed
3512 	 * (since for this kind of commands there will not be a command
3513 	 * complete event).
3514 	 */
3515 	if (ev->status ||
3516 	    (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->hci.req_event))
3517 		hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
3518 				     req_complete_skb);
3519 
3520 	if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
3521 		bt_dev_err(hdev,
3522 			   "unexpected event for opcode 0x%4.4x", *opcode);
3523 		return;
3524 	}
3525 
3526 	if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3527 		queue_work(hdev->workqueue, &hdev->cmd_work);
3528 }
3529 
3530 static void hci_hardware_error_evt(struct hci_dev *hdev, struct sk_buff *skb)
3531 {
3532 	struct hci_ev_hardware_error *ev = (void *) skb->data;
3533 
3534 	hdev->hw_error_code = ev->code;
3535 
3536 	queue_work(hdev->req_workqueue, &hdev->error_reset);
3537 }
3538 
3539 static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3540 {
3541 	struct hci_ev_role_change *ev = (void *) skb->data;
3542 	struct hci_conn *conn;
3543 
3544 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3545 
3546 	hci_dev_lock(hdev);
3547 
3548 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3549 	if (conn) {
3550 		if (!ev->status)
3551 			conn->role = ev->role;
3552 
3553 		clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
3554 
3555 		hci_role_switch_cfm(conn, ev->status, ev->role);
3556 	}
3557 
3558 	hci_dev_unlock(hdev);
3559 }
3560 
3561 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb)
3562 {
3563 	struct hci_ev_num_comp_pkts *ev = (void *) skb->data;
3564 	int i;
3565 
3566 	if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
3567 		bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
3568 		return;
3569 	}
3570 
3571 	if (skb->len < sizeof(*ev) ||
3572 	    skb->len < struct_size(ev, handles, ev->num_hndl)) {
3573 		BT_DBG("%s bad parameters", hdev->name);
3574 		return;
3575 	}
3576 
3577 	BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl);
3578 
3579 	for (i = 0; i < ev->num_hndl; i++) {
3580 		struct hci_comp_pkts_info *info = &ev->handles[i];
3581 		struct hci_conn *conn;
3582 		__u16  handle, count;
3583 
3584 		handle = __le16_to_cpu(info->handle);
3585 		count  = __le16_to_cpu(info->count);
3586 
3587 		conn = hci_conn_hash_lookup_handle(hdev, handle);
3588 		if (!conn)
3589 			continue;
3590 
3591 		conn->sent -= count;
3592 
3593 		switch (conn->type) {
3594 		case ACL_LINK:
3595 			hdev->acl_cnt += count;
3596 			if (hdev->acl_cnt > hdev->acl_pkts)
3597 				hdev->acl_cnt = hdev->acl_pkts;
3598 			break;
3599 
3600 		case LE_LINK:
3601 			if (hdev->le_pkts) {
3602 				hdev->le_cnt += count;
3603 				if (hdev->le_cnt > hdev->le_pkts)
3604 					hdev->le_cnt = hdev->le_pkts;
3605 			} else {
3606 				hdev->acl_cnt += count;
3607 				if (hdev->acl_cnt > hdev->acl_pkts)
3608 					hdev->acl_cnt = hdev->acl_pkts;
3609 			}
3610 			break;
3611 
3612 		case SCO_LINK:
3613 			hdev->sco_cnt += count;
3614 			if (hdev->sco_cnt > hdev->sco_pkts)
3615 				hdev->sco_cnt = hdev->sco_pkts;
3616 			break;
3617 
3618 		default:
3619 			bt_dev_err(hdev, "unknown type %d conn %p",
3620 				   conn->type, conn);
3621 			break;
3622 		}
3623 	}
3624 
3625 	queue_work(hdev->workqueue, &hdev->tx_work);
3626 }
3627 
3628 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
3629 						 __u16 handle)
3630 {
3631 	struct hci_chan *chan;
3632 
3633 	switch (hdev->dev_type) {
3634 	case HCI_PRIMARY:
3635 		return hci_conn_hash_lookup_handle(hdev, handle);
3636 	case HCI_AMP:
3637 		chan = hci_chan_lookup_handle(hdev, handle);
3638 		if (chan)
3639 			return chan->conn;
3640 		break;
3641 	default:
3642 		bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type);
3643 		break;
3644 	}
3645 
3646 	return NULL;
3647 }
3648 
3649 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb)
3650 {
3651 	struct hci_ev_num_comp_blocks *ev = (void *) skb->data;
3652 	int i;
3653 
3654 	if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
3655 		bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
3656 		return;
3657 	}
3658 
3659 	if (skb->len < sizeof(*ev) ||
3660 	    skb->len < struct_size(ev, handles, ev->num_hndl)) {
3661 		BT_DBG("%s bad parameters", hdev->name);
3662 		return;
3663 	}
3664 
3665 	BT_DBG("%s num_blocks %d num_hndl %d", hdev->name, ev->num_blocks,
3666 	       ev->num_hndl);
3667 
3668 	for (i = 0; i < ev->num_hndl; i++) {
3669 		struct hci_comp_blocks_info *info = &ev->handles[i];
3670 		struct hci_conn *conn = NULL;
3671 		__u16  handle, block_count;
3672 
3673 		handle = __le16_to_cpu(info->handle);
3674 		block_count = __le16_to_cpu(info->blocks);
3675 
3676 		conn = __hci_conn_lookup_handle(hdev, handle);
3677 		if (!conn)
3678 			continue;
3679 
3680 		conn->sent -= block_count;
3681 
3682 		switch (conn->type) {
3683 		case ACL_LINK:
3684 		case AMP_LINK:
3685 			hdev->block_cnt += block_count;
3686 			if (hdev->block_cnt > hdev->num_blocks)
3687 				hdev->block_cnt = hdev->num_blocks;
3688 			break;
3689 
3690 		default:
3691 			bt_dev_err(hdev, "unknown type %d conn %p",
3692 				   conn->type, conn);
3693 			break;
3694 		}
3695 	}
3696 
3697 	queue_work(hdev->workqueue, &hdev->tx_work);
3698 }
3699 
3700 static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3701 {
3702 	struct hci_ev_mode_change *ev = (void *) skb->data;
3703 	struct hci_conn *conn;
3704 
3705 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3706 
3707 	hci_dev_lock(hdev);
3708 
3709 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3710 	if (conn) {
3711 		conn->mode = ev->mode;
3712 
3713 		if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
3714 					&conn->flags)) {
3715 			if (conn->mode == HCI_CM_ACTIVE)
3716 				set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3717 			else
3718 				clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3719 		}
3720 
3721 		if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
3722 			hci_sco_setup(conn, ev->status);
3723 	}
3724 
3725 	hci_dev_unlock(hdev);
3726 }
3727 
3728 static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3729 {
3730 	struct hci_ev_pin_code_req *ev = (void *) skb->data;
3731 	struct hci_conn *conn;
3732 
3733 	BT_DBG("%s", hdev->name);
3734 
3735 	hci_dev_lock(hdev);
3736 
3737 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3738 	if (!conn)
3739 		goto unlock;
3740 
3741 	if (conn->state == BT_CONNECTED) {
3742 		hci_conn_hold(conn);
3743 		conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3744 		hci_conn_drop(conn);
3745 	}
3746 
3747 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
3748 	    !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
3749 		hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
3750 			     sizeof(ev->bdaddr), &ev->bdaddr);
3751 	} else if (hci_dev_test_flag(hdev, HCI_MGMT)) {
3752 		u8 secure;
3753 
3754 		if (conn->pending_sec_level == BT_SECURITY_HIGH)
3755 			secure = 1;
3756 		else
3757 			secure = 0;
3758 
3759 		mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
3760 	}
3761 
3762 unlock:
3763 	hci_dev_unlock(hdev);
3764 }
3765 
3766 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
3767 {
3768 	if (key_type == HCI_LK_CHANGED_COMBINATION)
3769 		return;
3770 
3771 	conn->pin_length = pin_len;
3772 	conn->key_type = key_type;
3773 
3774 	switch (key_type) {
3775 	case HCI_LK_LOCAL_UNIT:
3776 	case HCI_LK_REMOTE_UNIT:
3777 	case HCI_LK_DEBUG_COMBINATION:
3778 		return;
3779 	case HCI_LK_COMBINATION:
3780 		if (pin_len == 16)
3781 			conn->pending_sec_level = BT_SECURITY_HIGH;
3782 		else
3783 			conn->pending_sec_level = BT_SECURITY_MEDIUM;
3784 		break;
3785 	case HCI_LK_UNAUTH_COMBINATION_P192:
3786 	case HCI_LK_UNAUTH_COMBINATION_P256:
3787 		conn->pending_sec_level = BT_SECURITY_MEDIUM;
3788 		break;
3789 	case HCI_LK_AUTH_COMBINATION_P192:
3790 		conn->pending_sec_level = BT_SECURITY_HIGH;
3791 		break;
3792 	case HCI_LK_AUTH_COMBINATION_P256:
3793 		conn->pending_sec_level = BT_SECURITY_FIPS;
3794 		break;
3795 	}
3796 }
3797 
3798 static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3799 {
3800 	struct hci_ev_link_key_req *ev = (void *) skb->data;
3801 	struct hci_cp_link_key_reply cp;
3802 	struct hci_conn *conn;
3803 	struct link_key *key;
3804 
3805 	BT_DBG("%s", hdev->name);
3806 
3807 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
3808 		return;
3809 
3810 	hci_dev_lock(hdev);
3811 
3812 	key = hci_find_link_key(hdev, &ev->bdaddr);
3813 	if (!key) {
3814 		BT_DBG("%s link key not found for %pMR", hdev->name,
3815 		       &ev->bdaddr);
3816 		goto not_found;
3817 	}
3818 
3819 	BT_DBG("%s found key type %u for %pMR", hdev->name, key->type,
3820 	       &ev->bdaddr);
3821 
3822 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3823 	if (conn) {
3824 		clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3825 
3826 		if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
3827 		     key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
3828 		    conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
3829 			BT_DBG("%s ignoring unauthenticated key", hdev->name);
3830 			goto not_found;
3831 		}
3832 
3833 		if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
3834 		    (conn->pending_sec_level == BT_SECURITY_HIGH ||
3835 		     conn->pending_sec_level == BT_SECURITY_FIPS)) {
3836 			BT_DBG("%s ignoring key unauthenticated for high security",
3837 			       hdev->name);
3838 			goto not_found;
3839 		}
3840 
3841 		conn_set_key(conn, key->type, key->pin_len);
3842 	}
3843 
3844 	bacpy(&cp.bdaddr, &ev->bdaddr);
3845 	memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
3846 
3847 	hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
3848 
3849 	hci_dev_unlock(hdev);
3850 
3851 	return;
3852 
3853 not_found:
3854 	hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
3855 	hci_dev_unlock(hdev);
3856 }
3857 
3858 static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
3859 {
3860 	struct hci_ev_link_key_notify *ev = (void *) skb->data;
3861 	struct hci_conn *conn;
3862 	struct link_key *key;
3863 	bool persistent;
3864 	u8 pin_len = 0;
3865 
3866 	BT_DBG("%s", hdev->name);
3867 
3868 	hci_dev_lock(hdev);
3869 
3870 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3871 	if (!conn)
3872 		goto unlock;
3873 
3874 	hci_conn_hold(conn);
3875 	conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3876 	hci_conn_drop(conn);
3877 
3878 	set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3879 	conn_set_key(conn, ev->key_type, conn->pin_length);
3880 
3881 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
3882 		goto unlock;
3883 
3884 	key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
3885 			        ev->key_type, pin_len, &persistent);
3886 	if (!key)
3887 		goto unlock;
3888 
3889 	/* Update connection information since adding the key will have
3890 	 * fixed up the type in the case of changed combination keys.
3891 	 */
3892 	if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
3893 		conn_set_key(conn, key->type, key->pin_len);
3894 
3895 	mgmt_new_link_key(hdev, key, persistent);
3896 
3897 	/* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
3898 	 * is set. If it's not set simply remove the key from the kernel
3899 	 * list (we've still notified user space about it but with
3900 	 * store_hint being 0).
3901 	 */
3902 	if (key->type == HCI_LK_DEBUG_COMBINATION &&
3903 	    !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {
3904 		list_del_rcu(&key->list);
3905 		kfree_rcu(key, rcu);
3906 		goto unlock;
3907 	}
3908 
3909 	if (persistent)
3910 		clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3911 	else
3912 		set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3913 
3914 unlock:
3915 	hci_dev_unlock(hdev);
3916 }
3917 
3918 static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb)
3919 {
3920 	struct hci_ev_clock_offset *ev = (void *) skb->data;
3921 	struct hci_conn *conn;
3922 
3923 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3924 
3925 	hci_dev_lock(hdev);
3926 
3927 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3928 	if (conn && !ev->status) {
3929 		struct inquiry_entry *ie;
3930 
3931 		ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
3932 		if (ie) {
3933 			ie->data.clock_offset = ev->clock_offset;
3934 			ie->timestamp = jiffies;
3935 		}
3936 	}
3937 
3938 	hci_dev_unlock(hdev);
3939 }
3940 
3941 static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3942 {
3943 	struct hci_ev_pkt_type_change *ev = (void *) skb->data;
3944 	struct hci_conn *conn;
3945 
3946 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3947 
3948 	hci_dev_lock(hdev);
3949 
3950 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3951 	if (conn && !ev->status)
3952 		conn->pkt_type = __le16_to_cpu(ev->pkt_type);
3953 
3954 	hci_dev_unlock(hdev);
3955 }
3956 
3957 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb)
3958 {
3959 	struct hci_ev_pscan_rep_mode *ev = (void *) skb->data;
3960 	struct inquiry_entry *ie;
3961 
3962 	BT_DBG("%s", hdev->name);
3963 
3964 	hci_dev_lock(hdev);
3965 
3966 	ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3967 	if (ie) {
3968 		ie->data.pscan_rep_mode = ev->pscan_rep_mode;
3969 		ie->timestamp = jiffies;
3970 	}
3971 
3972 	hci_dev_unlock(hdev);
3973 }
3974 
3975 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev,
3976 					     struct sk_buff *skb)
3977 {
3978 	struct inquiry_data data;
3979 	int num_rsp = *((__u8 *) skb->data);
3980 
3981 	BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
3982 
3983 	if (!num_rsp)
3984 		return;
3985 
3986 	if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3987 		return;
3988 
3989 	hci_dev_lock(hdev);
3990 
3991 	if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
3992 		struct inquiry_info_with_rssi_and_pscan_mode *info;
3993 		info = (void *) (skb->data + 1);
3994 
3995 		for (; num_rsp; num_rsp--, info++) {
3996 			u32 flags;
3997 
3998 			bacpy(&data.bdaddr, &info->bdaddr);
3999 			data.pscan_rep_mode	= info->pscan_rep_mode;
4000 			data.pscan_period_mode	= info->pscan_period_mode;
4001 			data.pscan_mode		= info->pscan_mode;
4002 			memcpy(data.dev_class, info->dev_class, 3);
4003 			data.clock_offset	= info->clock_offset;
4004 			data.rssi		= info->rssi;
4005 			data.ssp_mode		= 0x00;
4006 
4007 			flags = hci_inquiry_cache_update(hdev, &data, false);
4008 
4009 			mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4010 					  info->dev_class, info->rssi,
4011 					  flags, NULL, 0, NULL, 0);
4012 		}
4013 	} else {
4014 		struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
4015 
4016 		for (; num_rsp; num_rsp--, info++) {
4017 			u32 flags;
4018 
4019 			bacpy(&data.bdaddr, &info->bdaddr);
4020 			data.pscan_rep_mode	= info->pscan_rep_mode;
4021 			data.pscan_period_mode	= info->pscan_period_mode;
4022 			data.pscan_mode		= 0x00;
4023 			memcpy(data.dev_class, info->dev_class, 3);
4024 			data.clock_offset	= info->clock_offset;
4025 			data.rssi		= info->rssi;
4026 			data.ssp_mode		= 0x00;
4027 
4028 			flags = hci_inquiry_cache_update(hdev, &data, false);
4029 
4030 			mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4031 					  info->dev_class, info->rssi,
4032 					  flags, NULL, 0, NULL, 0);
4033 		}
4034 	}
4035 
4036 	hci_dev_unlock(hdev);
4037 }
4038 
4039 static void hci_remote_ext_features_evt(struct hci_dev *hdev,
4040 					struct sk_buff *skb)
4041 {
4042 	struct hci_ev_remote_ext_features *ev = (void *) skb->data;
4043 	struct hci_conn *conn;
4044 
4045 	BT_DBG("%s", hdev->name);
4046 
4047 	hci_dev_lock(hdev);
4048 
4049 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4050 	if (!conn)
4051 		goto unlock;
4052 
4053 	if (ev->page < HCI_MAX_PAGES)
4054 		memcpy(conn->features[ev->page], ev->features, 8);
4055 
4056 	if (!ev->status && ev->page == 0x01) {
4057 		struct inquiry_entry *ie;
4058 
4059 		ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
4060 		if (ie)
4061 			ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4062 
4063 		if (ev->features[0] & LMP_HOST_SSP) {
4064 			set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
4065 		} else {
4066 			/* It is mandatory by the Bluetooth specification that
4067 			 * Extended Inquiry Results are only used when Secure
4068 			 * Simple Pairing is enabled, but some devices violate
4069 			 * this.
4070 			 *
4071 			 * To make these devices work, the internal SSP
4072 			 * enabled flag needs to be cleared if the remote host
4073 			 * features do not indicate SSP support */
4074 			clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
4075 		}
4076 
4077 		if (ev->features[0] & LMP_HOST_SC)
4078 			set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
4079 	}
4080 
4081 	if (conn->state != BT_CONFIG)
4082 		goto unlock;
4083 
4084 	if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
4085 		struct hci_cp_remote_name_req cp;
4086 		memset(&cp, 0, sizeof(cp));
4087 		bacpy(&cp.bdaddr, &conn->dst);
4088 		cp.pscan_rep_mode = 0x02;
4089 		hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
4090 	} else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
4091 		mgmt_device_connected(hdev, conn, 0, NULL, 0);
4092 
4093 	if (!hci_outgoing_auth_needed(hdev, conn)) {
4094 		conn->state = BT_CONNECTED;
4095 		hci_connect_cfm(conn, ev->status);
4096 		hci_conn_drop(conn);
4097 	}
4098 
4099 unlock:
4100 	hci_dev_unlock(hdev);
4101 }
4102 
4103 static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
4104 				       struct sk_buff *skb)
4105 {
4106 	struct hci_ev_sync_conn_complete *ev = (void *) skb->data;
4107 	struct hci_conn *conn;
4108 
4109 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4110 
4111 	hci_dev_lock(hdev);
4112 
4113 	conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
4114 	if (!conn) {
4115 		if (ev->link_type == ESCO_LINK)
4116 			goto unlock;
4117 
4118 		/* When the link type in the event indicates SCO connection
4119 		 * and lookup of the connection object fails, then check
4120 		 * if an eSCO connection object exists.
4121 		 *
4122 		 * The core limits the synchronous connections to either
4123 		 * SCO or eSCO. The eSCO connection is preferred and tried
4124 		 * to be setup first and until successfully established,
4125 		 * the link type will be hinted as eSCO.
4126 		 */
4127 		conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
4128 		if (!conn)
4129 			goto unlock;
4130 	}
4131 
4132 	switch (ev->status) {
4133 	case 0x00:
4134 		conn->handle = __le16_to_cpu(ev->handle);
4135 		conn->state  = BT_CONNECTED;
4136 		conn->type   = ev->link_type;
4137 
4138 		hci_debugfs_create_conn(conn);
4139 		hci_conn_add_sysfs(conn);
4140 		break;
4141 
4142 	case 0x10:	/* Connection Accept Timeout */
4143 	case 0x0d:	/* Connection Rejected due to Limited Resources */
4144 	case 0x11:	/* Unsupported Feature or Parameter Value */
4145 	case 0x1c:	/* SCO interval rejected */
4146 	case 0x1a:	/* Unsupported Remote Feature */
4147 	case 0x1f:	/* Unspecified error */
4148 	case 0x20:	/* Unsupported LMP Parameter value */
4149 		if (conn->out) {
4150 			conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
4151 					(hdev->esco_type & EDR_ESCO_MASK);
4152 			if (hci_setup_sync(conn, conn->link->handle))
4153 				goto unlock;
4154 		}
4155 		/* fall through */
4156 
4157 	default:
4158 		conn->state = BT_CLOSED;
4159 		break;
4160 	}
4161 
4162 	hci_connect_cfm(conn, ev->status);
4163 	if (ev->status)
4164 		hci_conn_del(conn);
4165 
4166 unlock:
4167 	hci_dev_unlock(hdev);
4168 }
4169 
4170 static inline size_t eir_get_length(u8 *eir, size_t eir_len)
4171 {
4172 	size_t parsed = 0;
4173 
4174 	while (parsed < eir_len) {
4175 		u8 field_len = eir[0];
4176 
4177 		if (field_len == 0)
4178 			return parsed;
4179 
4180 		parsed += field_len + 1;
4181 		eir += field_len + 1;
4182 	}
4183 
4184 	return eir_len;
4185 }
4186 
4187 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev,
4188 					    struct sk_buff *skb)
4189 {
4190 	struct inquiry_data data;
4191 	struct extended_inquiry_info *info = (void *) (skb->data + 1);
4192 	int num_rsp = *((__u8 *) skb->data);
4193 	size_t eir_len;
4194 
4195 	BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
4196 
4197 	if (!num_rsp)
4198 		return;
4199 
4200 	if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
4201 		return;
4202 
4203 	hci_dev_lock(hdev);
4204 
4205 	for (; num_rsp; num_rsp--, info++) {
4206 		u32 flags;
4207 		bool name_known;
4208 
4209 		bacpy(&data.bdaddr, &info->bdaddr);
4210 		data.pscan_rep_mode	= info->pscan_rep_mode;
4211 		data.pscan_period_mode	= info->pscan_period_mode;
4212 		data.pscan_mode		= 0x00;
4213 		memcpy(data.dev_class, info->dev_class, 3);
4214 		data.clock_offset	= info->clock_offset;
4215 		data.rssi		= info->rssi;
4216 		data.ssp_mode		= 0x01;
4217 
4218 		if (hci_dev_test_flag(hdev, HCI_MGMT))
4219 			name_known = eir_get_data(info->data,
4220 						  sizeof(info->data),
4221 						  EIR_NAME_COMPLETE, NULL);
4222 		else
4223 			name_known = true;
4224 
4225 		flags = hci_inquiry_cache_update(hdev, &data, name_known);
4226 
4227 		eir_len = eir_get_length(info->data, sizeof(info->data));
4228 
4229 		mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4230 				  info->dev_class, info->rssi,
4231 				  flags, info->data, eir_len, NULL, 0);
4232 	}
4233 
4234 	hci_dev_unlock(hdev);
4235 }
4236 
4237 static void hci_key_refresh_complete_evt(struct hci_dev *hdev,
4238 					 struct sk_buff *skb)
4239 {
4240 	struct hci_ev_key_refresh_complete *ev = (void *) skb->data;
4241 	struct hci_conn *conn;
4242 
4243 	BT_DBG("%s status 0x%2.2x handle 0x%4.4x", hdev->name, ev->status,
4244 	       __le16_to_cpu(ev->handle));
4245 
4246 	hci_dev_lock(hdev);
4247 
4248 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4249 	if (!conn)
4250 		goto unlock;
4251 
4252 	/* For BR/EDR the necessary steps are taken through the
4253 	 * auth_complete event.
4254 	 */
4255 	if (conn->type != LE_LINK)
4256 		goto unlock;
4257 
4258 	if (!ev->status)
4259 		conn->sec_level = conn->pending_sec_level;
4260 
4261 	clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
4262 
4263 	if (ev->status && conn->state == BT_CONNECTED) {
4264 		hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
4265 		hci_conn_drop(conn);
4266 		goto unlock;
4267 	}
4268 
4269 	if (conn->state == BT_CONFIG) {
4270 		if (!ev->status)
4271 			conn->state = BT_CONNECTED;
4272 
4273 		hci_connect_cfm(conn, ev->status);
4274 		hci_conn_drop(conn);
4275 	} else {
4276 		hci_auth_cfm(conn, ev->status);
4277 
4278 		hci_conn_hold(conn);
4279 		conn->disc_timeout = HCI_DISCONN_TIMEOUT;
4280 		hci_conn_drop(conn);
4281 	}
4282 
4283 unlock:
4284 	hci_dev_unlock(hdev);
4285 }
4286 
4287 static u8 hci_get_auth_req(struct hci_conn *conn)
4288 {
4289 	/* If remote requests no-bonding follow that lead */
4290 	if (conn->remote_auth == HCI_AT_NO_BONDING ||
4291 	    conn->remote_auth == HCI_AT_NO_BONDING_MITM)
4292 		return conn->remote_auth | (conn->auth_type & 0x01);
4293 
4294 	/* If both remote and local have enough IO capabilities, require
4295 	 * MITM protection
4296 	 */
4297 	if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
4298 	    conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
4299 		return conn->remote_auth | 0x01;
4300 
4301 	/* No MITM protection possible so ignore remote requirement */
4302 	return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
4303 }
4304 
4305 static u8 bredr_oob_data_present(struct hci_conn *conn)
4306 {
4307 	struct hci_dev *hdev = conn->hdev;
4308 	struct oob_data *data;
4309 
4310 	data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
4311 	if (!data)
4312 		return 0x00;
4313 
4314 	if (bredr_sc_enabled(hdev)) {
4315 		/* When Secure Connections is enabled, then just
4316 		 * return the present value stored with the OOB
4317 		 * data. The stored value contains the right present
4318 		 * information. However it can only be trusted when
4319 		 * not in Secure Connection Only mode.
4320 		 */
4321 		if (!hci_dev_test_flag(hdev, HCI_SC_ONLY))
4322 			return data->present;
4323 
4324 		/* When Secure Connections Only mode is enabled, then
4325 		 * the P-256 values are required. If they are not
4326 		 * available, then do not declare that OOB data is
4327 		 * present.
4328 		 */
4329 		if (!memcmp(data->rand256, ZERO_KEY, 16) ||
4330 		    !memcmp(data->hash256, ZERO_KEY, 16))
4331 			return 0x00;
4332 
4333 		return 0x02;
4334 	}
4335 
4336 	/* When Secure Connections is not enabled or actually
4337 	 * not supported by the hardware, then check that if
4338 	 * P-192 data values are present.
4339 	 */
4340 	if (!memcmp(data->rand192, ZERO_KEY, 16) ||
4341 	    !memcmp(data->hash192, ZERO_KEY, 16))
4342 		return 0x00;
4343 
4344 	return 0x01;
4345 }
4346 
4347 static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
4348 {
4349 	struct hci_ev_io_capa_request *ev = (void *) skb->data;
4350 	struct hci_conn *conn;
4351 
4352 	BT_DBG("%s", hdev->name);
4353 
4354 	hci_dev_lock(hdev);
4355 
4356 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4357 	if (!conn)
4358 		goto unlock;
4359 
4360 	hci_conn_hold(conn);
4361 
4362 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
4363 		goto unlock;
4364 
4365 	/* Allow pairing if we're pairable, the initiators of the
4366 	 * pairing or if the remote is not requesting bonding.
4367 	 */
4368 	if (hci_dev_test_flag(hdev, HCI_BONDABLE) ||
4369 	    test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
4370 	    (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
4371 		struct hci_cp_io_capability_reply cp;
4372 
4373 		bacpy(&cp.bdaddr, &ev->bdaddr);
4374 		/* Change the IO capability from KeyboardDisplay
4375 		 * to DisplayYesNo as it is not supported by BT spec. */
4376 		cp.capability = (conn->io_capability == 0x04) ?
4377 				HCI_IO_DISPLAY_YESNO : conn->io_capability;
4378 
4379 		/* If we are initiators, there is no remote information yet */
4380 		if (conn->remote_auth == 0xff) {
4381 			/* Request MITM protection if our IO caps allow it
4382 			 * except for the no-bonding case.
4383 			 */
4384 			if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4385 			    conn->auth_type != HCI_AT_NO_BONDING)
4386 				conn->auth_type |= 0x01;
4387 		} else {
4388 			conn->auth_type = hci_get_auth_req(conn);
4389 		}
4390 
4391 		/* If we're not bondable, force one of the non-bondable
4392 		 * authentication requirement values.
4393 		 */
4394 		if (!hci_dev_test_flag(hdev, HCI_BONDABLE))
4395 			conn->auth_type &= HCI_AT_NO_BONDING_MITM;
4396 
4397 		cp.authentication = conn->auth_type;
4398 		cp.oob_data = bredr_oob_data_present(conn);
4399 
4400 		hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
4401 			     sizeof(cp), &cp);
4402 	} else {
4403 		struct hci_cp_io_capability_neg_reply cp;
4404 
4405 		bacpy(&cp.bdaddr, &ev->bdaddr);
4406 		cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
4407 
4408 		hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
4409 			     sizeof(cp), &cp);
4410 	}
4411 
4412 unlock:
4413 	hci_dev_unlock(hdev);
4414 }
4415 
4416 static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb)
4417 {
4418 	struct hci_ev_io_capa_reply *ev = (void *) skb->data;
4419 	struct hci_conn *conn;
4420 
4421 	BT_DBG("%s", hdev->name);
4422 
4423 	hci_dev_lock(hdev);
4424 
4425 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4426 	if (!conn)
4427 		goto unlock;
4428 
4429 	conn->remote_cap = ev->capability;
4430 	conn->remote_auth = ev->authentication;
4431 
4432 unlock:
4433 	hci_dev_unlock(hdev);
4434 }
4435 
4436 static void hci_user_confirm_request_evt(struct hci_dev *hdev,
4437 					 struct sk_buff *skb)
4438 {
4439 	struct hci_ev_user_confirm_req *ev = (void *) skb->data;
4440 	int loc_mitm, rem_mitm, confirm_hint = 0;
4441 	struct hci_conn *conn;
4442 
4443 	BT_DBG("%s", hdev->name);
4444 
4445 	hci_dev_lock(hdev);
4446 
4447 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
4448 		goto unlock;
4449 
4450 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4451 	if (!conn)
4452 		goto unlock;
4453 
4454 	loc_mitm = (conn->auth_type & 0x01);
4455 	rem_mitm = (conn->remote_auth & 0x01);
4456 
4457 	/* If we require MITM but the remote device can't provide that
4458 	 * (it has NoInputNoOutput) then reject the confirmation
4459 	 * request. We check the security level here since it doesn't
4460 	 * necessarily match conn->auth_type.
4461 	 */
4462 	if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
4463 	    conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
4464 		BT_DBG("Rejecting request: remote device can't provide MITM");
4465 		hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
4466 			     sizeof(ev->bdaddr), &ev->bdaddr);
4467 		goto unlock;
4468 	}
4469 
4470 	/* If no side requires MITM protection; auto-accept */
4471 	if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
4472 	    (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
4473 
4474 		/* If we're not the initiators request authorization to
4475 		 * proceed from user space (mgmt_user_confirm with
4476 		 * confirm_hint set to 1). The exception is if neither
4477 		 * side had MITM or if the local IO capability is
4478 		 * NoInputNoOutput, in which case we do auto-accept
4479 		 */
4480 		if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
4481 		    conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4482 		    (loc_mitm || rem_mitm)) {
4483 			BT_DBG("Confirming auto-accept as acceptor");
4484 			confirm_hint = 1;
4485 			goto confirm;
4486 		}
4487 
4488 		BT_DBG("Auto-accept of user confirmation with %ums delay",
4489 		       hdev->auto_accept_delay);
4490 
4491 		if (hdev->auto_accept_delay > 0) {
4492 			int delay = msecs_to_jiffies(hdev->auto_accept_delay);
4493 			queue_delayed_work(conn->hdev->workqueue,
4494 					   &conn->auto_accept_work, delay);
4495 			goto unlock;
4496 		}
4497 
4498 		hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
4499 			     sizeof(ev->bdaddr), &ev->bdaddr);
4500 		goto unlock;
4501 	}
4502 
4503 confirm:
4504 	mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
4505 				  le32_to_cpu(ev->passkey), confirm_hint);
4506 
4507 unlock:
4508 	hci_dev_unlock(hdev);
4509 }
4510 
4511 static void hci_user_passkey_request_evt(struct hci_dev *hdev,
4512 					 struct sk_buff *skb)
4513 {
4514 	struct hci_ev_user_passkey_req *ev = (void *) skb->data;
4515 
4516 	BT_DBG("%s", hdev->name);
4517 
4518 	if (hci_dev_test_flag(hdev, HCI_MGMT))
4519 		mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
4520 }
4521 
4522 static void hci_user_passkey_notify_evt(struct hci_dev *hdev,
4523 					struct sk_buff *skb)
4524 {
4525 	struct hci_ev_user_passkey_notify *ev = (void *) skb->data;
4526 	struct hci_conn *conn;
4527 
4528 	BT_DBG("%s", hdev->name);
4529 
4530 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4531 	if (!conn)
4532 		return;
4533 
4534 	conn->passkey_notify = __le32_to_cpu(ev->passkey);
4535 	conn->passkey_entered = 0;
4536 
4537 	if (hci_dev_test_flag(hdev, HCI_MGMT))
4538 		mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4539 					 conn->dst_type, conn->passkey_notify,
4540 					 conn->passkey_entered);
4541 }
4542 
4543 static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
4544 {
4545 	struct hci_ev_keypress_notify *ev = (void *) skb->data;
4546 	struct hci_conn *conn;
4547 
4548 	BT_DBG("%s", hdev->name);
4549 
4550 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4551 	if (!conn)
4552 		return;
4553 
4554 	switch (ev->type) {
4555 	case HCI_KEYPRESS_STARTED:
4556 		conn->passkey_entered = 0;
4557 		return;
4558 
4559 	case HCI_KEYPRESS_ENTERED:
4560 		conn->passkey_entered++;
4561 		break;
4562 
4563 	case HCI_KEYPRESS_ERASED:
4564 		conn->passkey_entered--;
4565 		break;
4566 
4567 	case HCI_KEYPRESS_CLEARED:
4568 		conn->passkey_entered = 0;
4569 		break;
4570 
4571 	case HCI_KEYPRESS_COMPLETED:
4572 		return;
4573 	}
4574 
4575 	if (hci_dev_test_flag(hdev, HCI_MGMT))
4576 		mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4577 					 conn->dst_type, conn->passkey_notify,
4578 					 conn->passkey_entered);
4579 }
4580 
4581 static void hci_simple_pair_complete_evt(struct hci_dev *hdev,
4582 					 struct sk_buff *skb)
4583 {
4584 	struct hci_ev_simple_pair_complete *ev = (void *) skb->data;
4585 	struct hci_conn *conn;
4586 
4587 	BT_DBG("%s", hdev->name);
4588 
4589 	hci_dev_lock(hdev);
4590 
4591 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4592 	if (!conn)
4593 		goto unlock;
4594 
4595 	/* Reset the authentication requirement to unknown */
4596 	conn->remote_auth = 0xff;
4597 
4598 	/* To avoid duplicate auth_failed events to user space we check
4599 	 * the HCI_CONN_AUTH_PEND flag which will be set if we
4600 	 * initiated the authentication. A traditional auth_complete
4601 	 * event gets always produced as initiator and is also mapped to
4602 	 * the mgmt_auth_failed event */
4603 	if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
4604 		mgmt_auth_failed(conn, ev->status);
4605 
4606 	hci_conn_drop(conn);
4607 
4608 unlock:
4609 	hci_dev_unlock(hdev);
4610 }
4611 
4612 static void hci_remote_host_features_evt(struct hci_dev *hdev,
4613 					 struct sk_buff *skb)
4614 {
4615 	struct hci_ev_remote_host_features *ev = (void *) skb->data;
4616 	struct inquiry_entry *ie;
4617 	struct hci_conn *conn;
4618 
4619 	BT_DBG("%s", hdev->name);
4620 
4621 	hci_dev_lock(hdev);
4622 
4623 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4624 	if (conn)
4625 		memcpy(conn->features[1], ev->features, 8);
4626 
4627 	ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4628 	if (ie)
4629 		ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4630 
4631 	hci_dev_unlock(hdev);
4632 }
4633 
4634 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
4635 					    struct sk_buff *skb)
4636 {
4637 	struct hci_ev_remote_oob_data_request *ev = (void *) skb->data;
4638 	struct oob_data *data;
4639 
4640 	BT_DBG("%s", hdev->name);
4641 
4642 	hci_dev_lock(hdev);
4643 
4644 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
4645 		goto unlock;
4646 
4647 	data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
4648 	if (!data) {
4649 		struct hci_cp_remote_oob_data_neg_reply cp;
4650 
4651 		bacpy(&cp.bdaddr, &ev->bdaddr);
4652 		hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
4653 			     sizeof(cp), &cp);
4654 		goto unlock;
4655 	}
4656 
4657 	if (bredr_sc_enabled(hdev)) {
4658 		struct hci_cp_remote_oob_ext_data_reply cp;
4659 
4660 		bacpy(&cp.bdaddr, &ev->bdaddr);
4661 		if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
4662 			memset(cp.hash192, 0, sizeof(cp.hash192));
4663 			memset(cp.rand192, 0, sizeof(cp.rand192));
4664 		} else {
4665 			memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
4666 			memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
4667 		}
4668 		memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
4669 		memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
4670 
4671 		hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
4672 			     sizeof(cp), &cp);
4673 	} else {
4674 		struct hci_cp_remote_oob_data_reply cp;
4675 
4676 		bacpy(&cp.bdaddr, &ev->bdaddr);
4677 		memcpy(cp.hash, data->hash192, sizeof(cp.hash));
4678 		memcpy(cp.rand, data->rand192, sizeof(cp.rand));
4679 
4680 		hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
4681 			     sizeof(cp), &cp);
4682 	}
4683 
4684 unlock:
4685 	hci_dev_unlock(hdev);
4686 }
4687 
4688 #if IS_ENABLED(CONFIG_BT_HS)
4689 static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb)
4690 {
4691 	struct hci_ev_channel_selected *ev = (void *)skb->data;
4692 	struct hci_conn *hcon;
4693 
4694 	BT_DBG("%s handle 0x%2.2x", hdev->name, ev->phy_handle);
4695 
4696 	skb_pull(skb, sizeof(*ev));
4697 
4698 	hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4699 	if (!hcon)
4700 		return;
4701 
4702 	amp_read_loc_assoc_final_data(hdev, hcon);
4703 }
4704 
4705 static void hci_phy_link_complete_evt(struct hci_dev *hdev,
4706 				      struct sk_buff *skb)
4707 {
4708 	struct hci_ev_phy_link_complete *ev = (void *) skb->data;
4709 	struct hci_conn *hcon, *bredr_hcon;
4710 
4711 	BT_DBG("%s handle 0x%2.2x status 0x%2.2x", hdev->name, ev->phy_handle,
4712 	       ev->status);
4713 
4714 	hci_dev_lock(hdev);
4715 
4716 	hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4717 	if (!hcon) {
4718 		hci_dev_unlock(hdev);
4719 		return;
4720 	}
4721 
4722 	if (ev->status) {
4723 		hci_conn_del(hcon);
4724 		hci_dev_unlock(hdev);
4725 		return;
4726 	}
4727 
4728 	bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
4729 
4730 	hcon->state = BT_CONNECTED;
4731 	bacpy(&hcon->dst, &bredr_hcon->dst);
4732 
4733 	hci_conn_hold(hcon);
4734 	hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
4735 	hci_conn_drop(hcon);
4736 
4737 	hci_debugfs_create_conn(hcon);
4738 	hci_conn_add_sysfs(hcon);
4739 
4740 	amp_physical_cfm(bredr_hcon, hcon);
4741 
4742 	hci_dev_unlock(hdev);
4743 }
4744 
4745 static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4746 {
4747 	struct hci_ev_logical_link_complete *ev = (void *) skb->data;
4748 	struct hci_conn *hcon;
4749 	struct hci_chan *hchan;
4750 	struct amp_mgr *mgr;
4751 
4752 	BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
4753 	       hdev->name, le16_to_cpu(ev->handle), ev->phy_handle,
4754 	       ev->status);
4755 
4756 	hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4757 	if (!hcon)
4758 		return;
4759 
4760 	/* Create AMP hchan */
4761 	hchan = hci_chan_create(hcon);
4762 	if (!hchan)
4763 		return;
4764 
4765 	hchan->handle = le16_to_cpu(ev->handle);
4766 
4767 	BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
4768 
4769 	mgr = hcon->amp_mgr;
4770 	if (mgr && mgr->bredr_chan) {
4771 		struct l2cap_chan *bredr_chan = mgr->bredr_chan;
4772 
4773 		l2cap_chan_lock(bredr_chan);
4774 
4775 		bredr_chan->conn->mtu = hdev->block_mtu;
4776 		l2cap_logical_cfm(bredr_chan, hchan, 0);
4777 		hci_conn_hold(hcon);
4778 
4779 		l2cap_chan_unlock(bredr_chan);
4780 	}
4781 }
4782 
4783 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev,
4784 					     struct sk_buff *skb)
4785 {
4786 	struct hci_ev_disconn_logical_link_complete *ev = (void *) skb->data;
4787 	struct hci_chan *hchan;
4788 
4789 	BT_DBG("%s log handle 0x%4.4x status 0x%2.2x", hdev->name,
4790 	       le16_to_cpu(ev->handle), ev->status);
4791 
4792 	if (ev->status)
4793 		return;
4794 
4795 	hci_dev_lock(hdev);
4796 
4797 	hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
4798 	if (!hchan)
4799 		goto unlock;
4800 
4801 	amp_destroy_logical_link(hchan, ev->reason);
4802 
4803 unlock:
4804 	hci_dev_unlock(hdev);
4805 }
4806 
4807 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev,
4808 					     struct sk_buff *skb)
4809 {
4810 	struct hci_ev_disconn_phy_link_complete *ev = (void *) skb->data;
4811 	struct hci_conn *hcon;
4812 
4813 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4814 
4815 	if (ev->status)
4816 		return;
4817 
4818 	hci_dev_lock(hdev);
4819 
4820 	hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4821 	if (hcon) {
4822 		hcon->state = BT_CLOSED;
4823 		hci_conn_del(hcon);
4824 	}
4825 
4826 	hci_dev_unlock(hdev);
4827 }
4828 #endif
4829 
4830 static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
4831 			bdaddr_t *bdaddr, u8 bdaddr_type, u8 role, u16 handle,
4832 			u16 interval, u16 latency, u16 supervision_timeout)
4833 {
4834 	struct hci_conn_params *params;
4835 	struct hci_conn *conn;
4836 	struct smp_irk *irk;
4837 	u8 addr_type;
4838 
4839 	hci_dev_lock(hdev);
4840 
4841 	/* All controllers implicitly stop advertising in the event of a
4842 	 * connection, so ensure that the state bit is cleared.
4843 	 */
4844 	hci_dev_clear_flag(hdev, HCI_LE_ADV);
4845 
4846 	conn = hci_lookup_le_connect(hdev);
4847 	if (!conn) {
4848 		conn = hci_conn_add(hdev, LE_LINK, bdaddr, role);
4849 		if (!conn) {
4850 			bt_dev_err(hdev, "no memory for new connection");
4851 			goto unlock;
4852 		}
4853 
4854 		conn->dst_type = bdaddr_type;
4855 
4856 		/* If we didn't have a hci_conn object previously
4857 		 * but we're in master role this must be something
4858 		 * initiated using a white list. Since white list based
4859 		 * connections are not "first class citizens" we don't
4860 		 * have full tracking of them. Therefore, we go ahead
4861 		 * with a "best effort" approach of determining the
4862 		 * initiator address based on the HCI_PRIVACY flag.
4863 		 */
4864 		if (conn->out) {
4865 			conn->resp_addr_type = bdaddr_type;
4866 			bacpy(&conn->resp_addr, bdaddr);
4867 			if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
4868 				conn->init_addr_type = ADDR_LE_DEV_RANDOM;
4869 				bacpy(&conn->init_addr, &hdev->rpa);
4870 			} else {
4871 				hci_copy_identity_address(hdev,
4872 							  &conn->init_addr,
4873 							  &conn->init_addr_type);
4874 			}
4875 		}
4876 	} else {
4877 		cancel_delayed_work(&conn->le_conn_timeout);
4878 	}
4879 
4880 	if (!conn->out) {
4881 		/* Set the responder (our side) address type based on
4882 		 * the advertising address type.
4883 		 */
4884 		conn->resp_addr_type = hdev->adv_addr_type;
4885 		if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) {
4886 			/* In case of ext adv, resp_addr will be updated in
4887 			 * Adv Terminated event.
4888 			 */
4889 			if (!ext_adv_capable(hdev))
4890 				bacpy(&conn->resp_addr, &hdev->random_addr);
4891 		} else {
4892 			bacpy(&conn->resp_addr, &hdev->bdaddr);
4893 		}
4894 
4895 		conn->init_addr_type = bdaddr_type;
4896 		bacpy(&conn->init_addr, bdaddr);
4897 
4898 		/* For incoming connections, set the default minimum
4899 		 * and maximum connection interval. They will be used
4900 		 * to check if the parameters are in range and if not
4901 		 * trigger the connection update procedure.
4902 		 */
4903 		conn->le_conn_min_interval = hdev->le_conn_min_interval;
4904 		conn->le_conn_max_interval = hdev->le_conn_max_interval;
4905 	}
4906 
4907 	/* Lookup the identity address from the stored connection
4908 	 * address and address type.
4909 	 *
4910 	 * When establishing connections to an identity address, the
4911 	 * connection procedure will store the resolvable random
4912 	 * address first. Now if it can be converted back into the
4913 	 * identity address, start using the identity address from
4914 	 * now on.
4915 	 */
4916 	irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
4917 	if (irk) {
4918 		bacpy(&conn->dst, &irk->bdaddr);
4919 		conn->dst_type = irk->addr_type;
4920 	}
4921 
4922 	if (status) {
4923 		hci_le_conn_failed(conn, status);
4924 		goto unlock;
4925 	}
4926 
4927 	if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
4928 		addr_type = BDADDR_LE_PUBLIC;
4929 	else
4930 		addr_type = BDADDR_LE_RANDOM;
4931 
4932 	/* Drop the connection if the device is blocked */
4933 	if (hci_bdaddr_list_lookup(&hdev->blacklist, &conn->dst, addr_type)) {
4934 		hci_conn_drop(conn);
4935 		goto unlock;
4936 	}
4937 
4938 	if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
4939 		mgmt_device_connected(hdev, conn, 0, NULL, 0);
4940 
4941 	conn->sec_level = BT_SECURITY_LOW;
4942 	conn->handle = handle;
4943 	conn->state = BT_CONFIG;
4944 
4945 	conn->le_conn_interval = interval;
4946 	conn->le_conn_latency = latency;
4947 	conn->le_supv_timeout = supervision_timeout;
4948 
4949 	hci_debugfs_create_conn(conn);
4950 	hci_conn_add_sysfs(conn);
4951 
4952 	/* The remote features procedure is defined for master
4953 	 * role only. So only in case of an initiated connection
4954 	 * request the remote features.
4955 	 *
4956 	 * If the local controller supports slave-initiated features
4957 	 * exchange, then requesting the remote features in slave
4958 	 * role is possible. Otherwise just transition into the
4959 	 * connected state without requesting the remote features.
4960 	 */
4961 	if (conn->out ||
4962 	    (hdev->le_features[0] & HCI_LE_SLAVE_FEATURES)) {
4963 		struct hci_cp_le_read_remote_features cp;
4964 
4965 		cp.handle = __cpu_to_le16(conn->handle);
4966 
4967 		hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,
4968 			     sizeof(cp), &cp);
4969 
4970 		hci_conn_hold(conn);
4971 	} else {
4972 		conn->state = BT_CONNECTED;
4973 		hci_connect_cfm(conn, status);
4974 	}
4975 
4976 	params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
4977 					   conn->dst_type);
4978 	if (params) {
4979 		list_del_init(&params->action);
4980 		if (params->conn) {
4981 			hci_conn_drop(params->conn);
4982 			hci_conn_put(params->conn);
4983 			params->conn = NULL;
4984 		}
4985 	}
4986 
4987 unlock:
4988 	hci_update_background_scan(hdev);
4989 	hci_dev_unlock(hdev);
4990 }
4991 
4992 static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4993 {
4994 	struct hci_ev_le_conn_complete *ev = (void *) skb->data;
4995 
4996 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4997 
4998 	le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
4999 			     ev->role, le16_to_cpu(ev->handle),
5000 			     le16_to_cpu(ev->interval),
5001 			     le16_to_cpu(ev->latency),
5002 			     le16_to_cpu(ev->supervision_timeout));
5003 }
5004 
5005 static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev,
5006 					 struct sk_buff *skb)
5007 {
5008 	struct hci_ev_le_enh_conn_complete *ev = (void *) skb->data;
5009 
5010 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5011 
5012 	le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
5013 			     ev->role, le16_to_cpu(ev->handle),
5014 			     le16_to_cpu(ev->interval),
5015 			     le16_to_cpu(ev->latency),
5016 			     le16_to_cpu(ev->supervision_timeout));
5017 }
5018 
5019 static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, struct sk_buff *skb)
5020 {
5021 	struct hci_evt_le_ext_adv_set_term *ev = (void *) skb->data;
5022 	struct hci_conn *conn;
5023 
5024 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5025 
5026 	if (ev->status)
5027 		return;
5028 
5029 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle));
5030 	if (conn) {
5031 		struct adv_info *adv_instance;
5032 
5033 		if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM)
5034 			return;
5035 
5036 		if (!hdev->cur_adv_instance) {
5037 			bacpy(&conn->resp_addr, &hdev->random_addr);
5038 			return;
5039 		}
5040 
5041 		adv_instance = hci_find_adv_instance(hdev, hdev->cur_adv_instance);
5042 		if (adv_instance)
5043 			bacpy(&conn->resp_addr, &adv_instance->random_addr);
5044 	}
5045 }
5046 
5047 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev,
5048 					    struct sk_buff *skb)
5049 {
5050 	struct hci_ev_le_conn_update_complete *ev = (void *) skb->data;
5051 	struct hci_conn *conn;
5052 
5053 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5054 
5055 	if (ev->status)
5056 		return;
5057 
5058 	hci_dev_lock(hdev);
5059 
5060 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5061 	if (conn) {
5062 		conn->le_conn_interval = le16_to_cpu(ev->interval);
5063 		conn->le_conn_latency = le16_to_cpu(ev->latency);
5064 		conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
5065 	}
5066 
5067 	hci_dev_unlock(hdev);
5068 }
5069 
5070 /* This function requires the caller holds hdev->lock */
5071 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
5072 					      bdaddr_t *addr,
5073 					      u8 addr_type, u8 adv_type,
5074 					      bdaddr_t *direct_rpa)
5075 {
5076 	struct hci_conn *conn;
5077 	struct hci_conn_params *params;
5078 
5079 	/* If the event is not connectable don't proceed further */
5080 	if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
5081 		return NULL;
5082 
5083 	/* Ignore if the device is blocked */
5084 	if (hci_bdaddr_list_lookup(&hdev->blacklist, addr, addr_type))
5085 		return NULL;
5086 
5087 	/* Most controller will fail if we try to create new connections
5088 	 * while we have an existing one in slave role.
5089 	 */
5090 	if (hdev->conn_hash.le_num_slave > 0)
5091 		return NULL;
5092 
5093 	/* If we're not connectable only connect devices that we have in
5094 	 * our pend_le_conns list.
5095 	 */
5096 	params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr,
5097 					   addr_type);
5098 	if (!params)
5099 		return NULL;
5100 
5101 	if (!params->explicit_connect) {
5102 		switch (params->auto_connect) {
5103 		case HCI_AUTO_CONN_DIRECT:
5104 			/* Only devices advertising with ADV_DIRECT_IND are
5105 			 * triggering a connection attempt. This is allowing
5106 			 * incoming connections from slave devices.
5107 			 */
5108 			if (adv_type != LE_ADV_DIRECT_IND)
5109 				return NULL;
5110 			break;
5111 		case HCI_AUTO_CONN_ALWAYS:
5112 			/* Devices advertising with ADV_IND or ADV_DIRECT_IND
5113 			 * are triggering a connection attempt. This means
5114 			 * that incoming connectioms from slave device are
5115 			 * accepted and also outgoing connections to slave
5116 			 * devices are established when found.
5117 			 */
5118 			break;
5119 		default:
5120 			return NULL;
5121 		}
5122 	}
5123 
5124 	conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW,
5125 			      HCI_LE_AUTOCONN_TIMEOUT, HCI_ROLE_MASTER,
5126 			      direct_rpa);
5127 	if (!IS_ERR(conn)) {
5128 		/* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
5129 		 * by higher layer that tried to connect, if no then
5130 		 * store the pointer since we don't really have any
5131 		 * other owner of the object besides the params that
5132 		 * triggered it. This way we can abort the connection if
5133 		 * the parameters get removed and keep the reference
5134 		 * count consistent once the connection is established.
5135 		 */
5136 
5137 		if (!params->explicit_connect)
5138 			params->conn = hci_conn_get(conn);
5139 
5140 		return conn;
5141 	}
5142 
5143 	switch (PTR_ERR(conn)) {
5144 	case -EBUSY:
5145 		/* If hci_connect() returns -EBUSY it means there is already
5146 		 * an LE connection attempt going on. Since controllers don't
5147 		 * support more than one connection attempt at the time, we
5148 		 * don't consider this an error case.
5149 		 */
5150 		break;
5151 	default:
5152 		BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
5153 		return NULL;
5154 	}
5155 
5156 	return NULL;
5157 }
5158 
5159 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
5160 			       u8 bdaddr_type, bdaddr_t *direct_addr,
5161 			       u8 direct_addr_type, s8 rssi, u8 *data, u8 len)
5162 {
5163 	struct discovery_state *d = &hdev->discovery;
5164 	struct smp_irk *irk;
5165 	struct hci_conn *conn;
5166 	bool match;
5167 	u32 flags;
5168 	u8 *ptr, real_len;
5169 
5170 	switch (type) {
5171 	case LE_ADV_IND:
5172 	case LE_ADV_DIRECT_IND:
5173 	case LE_ADV_SCAN_IND:
5174 	case LE_ADV_NONCONN_IND:
5175 	case LE_ADV_SCAN_RSP:
5176 		break;
5177 	default:
5178 		bt_dev_err_ratelimited(hdev, "unknown advertising packet "
5179 				       "type: 0x%02x", type);
5180 		return;
5181 	}
5182 
5183 	/* Find the end of the data in case the report contains padded zero
5184 	 * bytes at the end causing an invalid length value.
5185 	 *
5186 	 * When data is NULL, len is 0 so there is no need for extra ptr
5187 	 * check as 'ptr < data + 0' is already false in such case.
5188 	 */
5189 	for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) {
5190 		if (ptr + 1 + *ptr > data + len)
5191 			break;
5192 	}
5193 
5194 	real_len = ptr - data;
5195 
5196 	/* Adjust for actual length */
5197 	if (len != real_len) {
5198 		bt_dev_err_ratelimited(hdev, "advertising data len corrected");
5199 		len = real_len;
5200 	}
5201 
5202 	/* If the direct address is present, then this report is from
5203 	 * a LE Direct Advertising Report event. In that case it is
5204 	 * important to see if the address is matching the local
5205 	 * controller address.
5206 	 */
5207 	if (direct_addr) {
5208 		/* Only resolvable random addresses are valid for these
5209 		 * kind of reports and others can be ignored.
5210 		 */
5211 		if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
5212 			return;
5213 
5214 		/* If the controller is not using resolvable random
5215 		 * addresses, then this report can be ignored.
5216 		 */
5217 		if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
5218 			return;
5219 
5220 		/* If the local IRK of the controller does not match
5221 		 * with the resolvable random address provided, then
5222 		 * this report can be ignored.
5223 		 */
5224 		if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
5225 			return;
5226 	}
5227 
5228 	/* Check if we need to convert to identity address */
5229 	irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
5230 	if (irk) {
5231 		bdaddr = &irk->bdaddr;
5232 		bdaddr_type = irk->addr_type;
5233 	}
5234 
5235 	/* Check if we have been requested to connect to this device.
5236 	 *
5237 	 * direct_addr is set only for directed advertising reports (it is NULL
5238 	 * for advertising reports) and is already verified to be RPA above.
5239 	 */
5240 	conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type,
5241 								direct_addr);
5242 	if (conn && type == LE_ADV_IND) {
5243 		/* Store report for later inclusion by
5244 		 * mgmt_device_connected
5245 		 */
5246 		memcpy(conn->le_adv_data, data, len);
5247 		conn->le_adv_data_len = len;
5248 	}
5249 
5250 	/* Passive scanning shouldn't trigger any device found events,
5251 	 * except for devices marked as CONN_REPORT for which we do send
5252 	 * device found events.
5253 	 */
5254 	if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
5255 		if (type == LE_ADV_DIRECT_IND)
5256 			return;
5257 
5258 		if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
5259 					       bdaddr, bdaddr_type))
5260 			return;
5261 
5262 		if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
5263 			flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
5264 		else
5265 			flags = 0;
5266 		mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
5267 				  rssi, flags, data, len, NULL, 0);
5268 		return;
5269 	}
5270 
5271 	/* When receiving non-connectable or scannable undirected
5272 	 * advertising reports, this means that the remote device is
5273 	 * not connectable and then clearly indicate this in the
5274 	 * device found event.
5275 	 *
5276 	 * When receiving a scan response, then there is no way to
5277 	 * know if the remote device is connectable or not. However
5278 	 * since scan responses are merged with a previously seen
5279 	 * advertising report, the flags field from that report
5280 	 * will be used.
5281 	 *
5282 	 * In the really unlikely case that a controller get confused
5283 	 * and just sends a scan response event, then it is marked as
5284 	 * not connectable as well.
5285 	 */
5286 	if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND ||
5287 	    type == LE_ADV_SCAN_RSP)
5288 		flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
5289 	else
5290 		flags = 0;
5291 
5292 	/* If there's nothing pending either store the data from this
5293 	 * event or send an immediate device found event if the data
5294 	 * should not be stored for later.
5295 	 */
5296 	if (!has_pending_adv_report(hdev)) {
5297 		/* If the report will trigger a SCAN_REQ store it for
5298 		 * later merging.
5299 		 */
5300 		if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
5301 			store_pending_adv_report(hdev, bdaddr, bdaddr_type,
5302 						 rssi, flags, data, len);
5303 			return;
5304 		}
5305 
5306 		mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
5307 				  rssi, flags, data, len, NULL, 0);
5308 		return;
5309 	}
5310 
5311 	/* Check if the pending report is for the same device as the new one */
5312 	match = (!bacmp(bdaddr, &d->last_adv_addr) &&
5313 		 bdaddr_type == d->last_adv_addr_type);
5314 
5315 	/* If the pending data doesn't match this report or this isn't a
5316 	 * scan response (e.g. we got a duplicate ADV_IND) then force
5317 	 * sending of the pending data.
5318 	 */
5319 	if (type != LE_ADV_SCAN_RSP || !match) {
5320 		/* Send out whatever is in the cache, but skip duplicates */
5321 		if (!match)
5322 			mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
5323 					  d->last_adv_addr_type, NULL,
5324 					  d->last_adv_rssi, d->last_adv_flags,
5325 					  d->last_adv_data,
5326 					  d->last_adv_data_len, NULL, 0);
5327 
5328 		/* If the new report will trigger a SCAN_REQ store it for
5329 		 * later merging.
5330 		 */
5331 		if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
5332 			store_pending_adv_report(hdev, bdaddr, bdaddr_type,
5333 						 rssi, flags, data, len);
5334 			return;
5335 		}
5336 
5337 		/* The advertising reports cannot be merged, so clear
5338 		 * the pending report and send out a device found event.
5339 		 */
5340 		clear_pending_adv_report(hdev);
5341 		mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
5342 				  rssi, flags, data, len, NULL, 0);
5343 		return;
5344 	}
5345 
5346 	/* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
5347 	 * the new event is a SCAN_RSP. We can therefore proceed with
5348 	 * sending a merged device found event.
5349 	 */
5350 	mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
5351 			  d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
5352 			  d->last_adv_data, d->last_adv_data_len, data, len);
5353 	clear_pending_adv_report(hdev);
5354 }
5355 
5356 static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
5357 {
5358 	u8 num_reports = skb->data[0];
5359 	void *ptr = &skb->data[1];
5360 
5361 	hci_dev_lock(hdev);
5362 
5363 	while (num_reports--) {
5364 		struct hci_ev_le_advertising_info *ev = ptr;
5365 		s8 rssi;
5366 
5367 		if (ev->length <= HCI_MAX_AD_LENGTH) {
5368 			rssi = ev->data[ev->length];
5369 			process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
5370 					   ev->bdaddr_type, NULL, 0, rssi,
5371 					   ev->data, ev->length);
5372 		} else {
5373 			bt_dev_err(hdev, "Dropping invalid advertising data");
5374 		}
5375 
5376 		ptr += sizeof(*ev) + ev->length + 1;
5377 	}
5378 
5379 	hci_dev_unlock(hdev);
5380 }
5381 
5382 static u8 ext_evt_type_to_legacy(u16 evt_type)
5383 {
5384 	if (evt_type & LE_EXT_ADV_LEGACY_PDU) {
5385 		switch (evt_type) {
5386 		case LE_LEGACY_ADV_IND:
5387 			return LE_ADV_IND;
5388 		case LE_LEGACY_ADV_DIRECT_IND:
5389 			return LE_ADV_DIRECT_IND;
5390 		case LE_LEGACY_ADV_SCAN_IND:
5391 			return LE_ADV_SCAN_IND;
5392 		case LE_LEGACY_NONCONN_IND:
5393 			return LE_ADV_NONCONN_IND;
5394 		case LE_LEGACY_SCAN_RSP_ADV:
5395 		case LE_LEGACY_SCAN_RSP_ADV_SCAN:
5396 			return LE_ADV_SCAN_RSP;
5397 		}
5398 
5399 		BT_ERR_RATELIMITED("Unknown advertising packet type: 0x%02x",
5400 				   evt_type);
5401 
5402 		return LE_ADV_INVALID;
5403 	}
5404 
5405 	if (evt_type & LE_EXT_ADV_CONN_IND) {
5406 		if (evt_type & LE_EXT_ADV_DIRECT_IND)
5407 			return LE_ADV_DIRECT_IND;
5408 
5409 		return LE_ADV_IND;
5410 	}
5411 
5412 	if (evt_type & LE_EXT_ADV_SCAN_RSP)
5413 		return LE_ADV_SCAN_RSP;
5414 
5415 	if (evt_type & LE_EXT_ADV_SCAN_IND)
5416 		return LE_ADV_SCAN_IND;
5417 
5418 	if (evt_type == LE_EXT_ADV_NON_CONN_IND ||
5419 	    evt_type & LE_EXT_ADV_DIRECT_IND)
5420 		return LE_ADV_NONCONN_IND;
5421 
5422 	BT_ERR_RATELIMITED("Unknown advertising packet type: 0x%02x",
5423 				   evt_type);
5424 
5425 	return LE_ADV_INVALID;
5426 }
5427 
5428 static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
5429 {
5430 	u8 num_reports = skb->data[0];
5431 	void *ptr = &skb->data[1];
5432 
5433 	hci_dev_lock(hdev);
5434 
5435 	while (num_reports--) {
5436 		struct hci_ev_le_ext_adv_report *ev = ptr;
5437 		u8 legacy_evt_type;
5438 		u16 evt_type;
5439 
5440 		evt_type = __le16_to_cpu(ev->evt_type);
5441 		legacy_evt_type = ext_evt_type_to_legacy(evt_type);
5442 		if (legacy_evt_type != LE_ADV_INVALID) {
5443 			process_adv_report(hdev, legacy_evt_type, &ev->bdaddr,
5444 					   ev->bdaddr_type, NULL, 0, ev->rssi,
5445 					   ev->data, ev->length);
5446 		}
5447 
5448 		ptr += sizeof(*ev) + ev->length;
5449 	}
5450 
5451 	hci_dev_unlock(hdev);
5452 }
5453 
5454 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev,
5455 					    struct sk_buff *skb)
5456 {
5457 	struct hci_ev_le_remote_feat_complete *ev = (void *)skb->data;
5458 	struct hci_conn *conn;
5459 
5460 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5461 
5462 	hci_dev_lock(hdev);
5463 
5464 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5465 	if (conn) {
5466 		if (!ev->status)
5467 			memcpy(conn->features[0], ev->features, 8);
5468 
5469 		if (conn->state == BT_CONFIG) {
5470 			__u8 status;
5471 
5472 			/* If the local controller supports slave-initiated
5473 			 * features exchange, but the remote controller does
5474 			 * not, then it is possible that the error code 0x1a
5475 			 * for unsupported remote feature gets returned.
5476 			 *
5477 			 * In this specific case, allow the connection to
5478 			 * transition into connected state and mark it as
5479 			 * successful.
5480 			 */
5481 			if ((hdev->le_features[0] & HCI_LE_SLAVE_FEATURES) &&
5482 			    !conn->out && ev->status == 0x1a)
5483 				status = 0x00;
5484 			else
5485 				status = ev->status;
5486 
5487 			conn->state = BT_CONNECTED;
5488 			hci_connect_cfm(conn, status);
5489 			hci_conn_drop(conn);
5490 		}
5491 	}
5492 
5493 	hci_dev_unlock(hdev);
5494 }
5495 
5496 static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
5497 {
5498 	struct hci_ev_le_ltk_req *ev = (void *) skb->data;
5499 	struct hci_cp_le_ltk_reply cp;
5500 	struct hci_cp_le_ltk_neg_reply neg;
5501 	struct hci_conn *conn;
5502 	struct smp_ltk *ltk;
5503 
5504 	BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle));
5505 
5506 	hci_dev_lock(hdev);
5507 
5508 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5509 	if (conn == NULL)
5510 		goto not_found;
5511 
5512 	ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
5513 	if (!ltk)
5514 		goto not_found;
5515 
5516 	if (smp_ltk_is_sc(ltk)) {
5517 		/* With SC both EDiv and Rand are set to zero */
5518 		if (ev->ediv || ev->rand)
5519 			goto not_found;
5520 	} else {
5521 		/* For non-SC keys check that EDiv and Rand match */
5522 		if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
5523 			goto not_found;
5524 	}
5525 
5526 	memcpy(cp.ltk, ltk->val, ltk->enc_size);
5527 	memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
5528 	cp.handle = cpu_to_le16(conn->handle);
5529 
5530 	conn->pending_sec_level = smp_ltk_sec_level(ltk);
5531 
5532 	conn->enc_key_size = ltk->enc_size;
5533 
5534 	hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
5535 
5536 	/* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
5537 	 * temporary key used to encrypt a connection following
5538 	 * pairing. It is used during the Encrypted Session Setup to
5539 	 * distribute the keys. Later, security can be re-established
5540 	 * using a distributed LTK.
5541 	 */
5542 	if (ltk->type == SMP_STK) {
5543 		set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
5544 		list_del_rcu(&ltk->list);
5545 		kfree_rcu(ltk, rcu);
5546 	} else {
5547 		clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
5548 	}
5549 
5550 	hci_dev_unlock(hdev);
5551 
5552 	return;
5553 
5554 not_found:
5555 	neg.handle = ev->handle;
5556 	hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
5557 	hci_dev_unlock(hdev);
5558 }
5559 
5560 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
5561 				      u8 reason)
5562 {
5563 	struct hci_cp_le_conn_param_req_neg_reply cp;
5564 
5565 	cp.handle = cpu_to_le16(handle);
5566 	cp.reason = reason;
5567 
5568 	hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
5569 		     &cp);
5570 }
5571 
5572 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev,
5573 					     struct sk_buff *skb)
5574 {
5575 	struct hci_ev_le_remote_conn_param_req *ev = (void *) skb->data;
5576 	struct hci_cp_le_conn_param_req_reply cp;
5577 	struct hci_conn *hcon;
5578 	u16 handle, min, max, latency, timeout;
5579 
5580 	handle = le16_to_cpu(ev->handle);
5581 	min = le16_to_cpu(ev->interval_min);
5582 	max = le16_to_cpu(ev->interval_max);
5583 	latency = le16_to_cpu(ev->latency);
5584 	timeout = le16_to_cpu(ev->timeout);
5585 
5586 	hcon = hci_conn_hash_lookup_handle(hdev, handle);
5587 	if (!hcon || hcon->state != BT_CONNECTED)
5588 		return send_conn_param_neg_reply(hdev, handle,
5589 						 HCI_ERROR_UNKNOWN_CONN_ID);
5590 
5591 	if (hci_check_conn_params(min, max, latency, timeout))
5592 		return send_conn_param_neg_reply(hdev, handle,
5593 						 HCI_ERROR_INVALID_LL_PARAMS);
5594 
5595 	if (hcon->role == HCI_ROLE_MASTER) {
5596 		struct hci_conn_params *params;
5597 		u8 store_hint;
5598 
5599 		hci_dev_lock(hdev);
5600 
5601 		params = hci_conn_params_lookup(hdev, &hcon->dst,
5602 						hcon->dst_type);
5603 		if (params) {
5604 			params->conn_min_interval = min;
5605 			params->conn_max_interval = max;
5606 			params->conn_latency = latency;
5607 			params->supervision_timeout = timeout;
5608 			store_hint = 0x01;
5609 		} else{
5610 			store_hint = 0x00;
5611 		}
5612 
5613 		hci_dev_unlock(hdev);
5614 
5615 		mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
5616 				    store_hint, min, max, latency, timeout);
5617 	}
5618 
5619 	cp.handle = ev->handle;
5620 	cp.interval_min = ev->interval_min;
5621 	cp.interval_max = ev->interval_max;
5622 	cp.latency = ev->latency;
5623 	cp.timeout = ev->timeout;
5624 	cp.min_ce_len = 0;
5625 	cp.max_ce_len = 0;
5626 
5627 	hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
5628 }
5629 
5630 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev,
5631 					 struct sk_buff *skb)
5632 {
5633 	u8 num_reports = skb->data[0];
5634 	void *ptr = &skb->data[1];
5635 
5636 	hci_dev_lock(hdev);
5637 
5638 	while (num_reports--) {
5639 		struct hci_ev_le_direct_adv_info *ev = ptr;
5640 
5641 		process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
5642 				   ev->bdaddr_type, &ev->direct_addr,
5643 				   ev->direct_addr_type, ev->rssi, NULL, 0);
5644 
5645 		ptr += sizeof(*ev);
5646 	}
5647 
5648 	hci_dev_unlock(hdev);
5649 }
5650 
5651 static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
5652 {
5653 	struct hci_ev_le_meta *le_ev = (void *) skb->data;
5654 
5655 	skb_pull(skb, sizeof(*le_ev));
5656 
5657 	switch (le_ev->subevent) {
5658 	case HCI_EV_LE_CONN_COMPLETE:
5659 		hci_le_conn_complete_evt(hdev, skb);
5660 		break;
5661 
5662 	case HCI_EV_LE_CONN_UPDATE_COMPLETE:
5663 		hci_le_conn_update_complete_evt(hdev, skb);
5664 		break;
5665 
5666 	case HCI_EV_LE_ADVERTISING_REPORT:
5667 		hci_le_adv_report_evt(hdev, skb);
5668 		break;
5669 
5670 	case HCI_EV_LE_REMOTE_FEAT_COMPLETE:
5671 		hci_le_remote_feat_complete_evt(hdev, skb);
5672 		break;
5673 
5674 	case HCI_EV_LE_LTK_REQ:
5675 		hci_le_ltk_request_evt(hdev, skb);
5676 		break;
5677 
5678 	case HCI_EV_LE_REMOTE_CONN_PARAM_REQ:
5679 		hci_le_remote_conn_param_req_evt(hdev, skb);
5680 		break;
5681 
5682 	case HCI_EV_LE_DIRECT_ADV_REPORT:
5683 		hci_le_direct_adv_report_evt(hdev, skb);
5684 		break;
5685 
5686 	case HCI_EV_LE_EXT_ADV_REPORT:
5687 		hci_le_ext_adv_report_evt(hdev, skb);
5688 		break;
5689 
5690 	case HCI_EV_LE_ENHANCED_CONN_COMPLETE:
5691 		hci_le_enh_conn_complete_evt(hdev, skb);
5692 		break;
5693 
5694 	case HCI_EV_LE_EXT_ADV_SET_TERM:
5695 		hci_le_ext_adv_term_evt(hdev, skb);
5696 		break;
5697 
5698 	default:
5699 		break;
5700 	}
5701 }
5702 
5703 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
5704 				 u8 event, struct sk_buff *skb)
5705 {
5706 	struct hci_ev_cmd_complete *ev;
5707 	struct hci_event_hdr *hdr;
5708 
5709 	if (!skb)
5710 		return false;
5711 
5712 	if (skb->len < sizeof(*hdr)) {
5713 		bt_dev_err(hdev, "too short HCI event");
5714 		return false;
5715 	}
5716 
5717 	hdr = (void *) skb->data;
5718 	skb_pull(skb, HCI_EVENT_HDR_SIZE);
5719 
5720 	if (event) {
5721 		if (hdr->evt != event)
5722 			return false;
5723 		return true;
5724 	}
5725 
5726 	/* Check if request ended in Command Status - no way to retreive
5727 	 * any extra parameters in this case.
5728 	 */
5729 	if (hdr->evt == HCI_EV_CMD_STATUS)
5730 		return false;
5731 
5732 	if (hdr->evt != HCI_EV_CMD_COMPLETE) {
5733 		bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)",
5734 			   hdr->evt);
5735 		return false;
5736 	}
5737 
5738 	if (skb->len < sizeof(*ev)) {
5739 		bt_dev_err(hdev, "too short cmd_complete event");
5740 		return false;
5741 	}
5742 
5743 	ev = (void *) skb->data;
5744 	skb_pull(skb, sizeof(*ev));
5745 
5746 	if (opcode != __le16_to_cpu(ev->opcode)) {
5747 		BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
5748 		       __le16_to_cpu(ev->opcode));
5749 		return false;
5750 	}
5751 
5752 	return true;
5753 }
5754 
5755 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
5756 {
5757 	struct hci_event_hdr *hdr = (void *) skb->data;
5758 	hci_req_complete_t req_complete = NULL;
5759 	hci_req_complete_skb_t req_complete_skb = NULL;
5760 	struct sk_buff *orig_skb = NULL;
5761 	u8 status = 0, event = hdr->evt, req_evt = 0;
5762 	u16 opcode = HCI_OP_NOP;
5763 
5764 	if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->hci.req_event == event) {
5765 		struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data;
5766 		opcode = __le16_to_cpu(cmd_hdr->opcode);
5767 		hci_req_cmd_complete(hdev, opcode, status, &req_complete,
5768 				     &req_complete_skb);
5769 		req_evt = event;
5770 	}
5771 
5772 	/* If it looks like we might end up having to call
5773 	 * req_complete_skb, store a pristine copy of the skb since the
5774 	 * various handlers may modify the original one through
5775 	 * skb_pull() calls, etc.
5776 	 */
5777 	if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
5778 	    event == HCI_EV_CMD_COMPLETE)
5779 		orig_skb = skb_clone(skb, GFP_KERNEL);
5780 
5781 	skb_pull(skb, HCI_EVENT_HDR_SIZE);
5782 
5783 	switch (event) {
5784 	case HCI_EV_INQUIRY_COMPLETE:
5785 		hci_inquiry_complete_evt(hdev, skb);
5786 		break;
5787 
5788 	case HCI_EV_INQUIRY_RESULT:
5789 		hci_inquiry_result_evt(hdev, skb);
5790 		break;
5791 
5792 	case HCI_EV_CONN_COMPLETE:
5793 		hci_conn_complete_evt(hdev, skb);
5794 		break;
5795 
5796 	case HCI_EV_CONN_REQUEST:
5797 		hci_conn_request_evt(hdev, skb);
5798 		break;
5799 
5800 	case HCI_EV_DISCONN_COMPLETE:
5801 		hci_disconn_complete_evt(hdev, skb);
5802 		break;
5803 
5804 	case HCI_EV_AUTH_COMPLETE:
5805 		hci_auth_complete_evt(hdev, skb);
5806 		break;
5807 
5808 	case HCI_EV_REMOTE_NAME:
5809 		hci_remote_name_evt(hdev, skb);
5810 		break;
5811 
5812 	case HCI_EV_ENCRYPT_CHANGE:
5813 		hci_encrypt_change_evt(hdev, skb);
5814 		break;
5815 
5816 	case HCI_EV_CHANGE_LINK_KEY_COMPLETE:
5817 		hci_change_link_key_complete_evt(hdev, skb);
5818 		break;
5819 
5820 	case HCI_EV_REMOTE_FEATURES:
5821 		hci_remote_features_evt(hdev, skb);
5822 		break;
5823 
5824 	case HCI_EV_CMD_COMPLETE:
5825 		hci_cmd_complete_evt(hdev, skb, &opcode, &status,
5826 				     &req_complete, &req_complete_skb);
5827 		break;
5828 
5829 	case HCI_EV_CMD_STATUS:
5830 		hci_cmd_status_evt(hdev, skb, &opcode, &status, &req_complete,
5831 				   &req_complete_skb);
5832 		break;
5833 
5834 	case HCI_EV_HARDWARE_ERROR:
5835 		hci_hardware_error_evt(hdev, skb);
5836 		break;
5837 
5838 	case HCI_EV_ROLE_CHANGE:
5839 		hci_role_change_evt(hdev, skb);
5840 		break;
5841 
5842 	case HCI_EV_NUM_COMP_PKTS:
5843 		hci_num_comp_pkts_evt(hdev, skb);
5844 		break;
5845 
5846 	case HCI_EV_MODE_CHANGE:
5847 		hci_mode_change_evt(hdev, skb);
5848 		break;
5849 
5850 	case HCI_EV_PIN_CODE_REQ:
5851 		hci_pin_code_request_evt(hdev, skb);
5852 		break;
5853 
5854 	case HCI_EV_LINK_KEY_REQ:
5855 		hci_link_key_request_evt(hdev, skb);
5856 		break;
5857 
5858 	case HCI_EV_LINK_KEY_NOTIFY:
5859 		hci_link_key_notify_evt(hdev, skb);
5860 		break;
5861 
5862 	case HCI_EV_CLOCK_OFFSET:
5863 		hci_clock_offset_evt(hdev, skb);
5864 		break;
5865 
5866 	case HCI_EV_PKT_TYPE_CHANGE:
5867 		hci_pkt_type_change_evt(hdev, skb);
5868 		break;
5869 
5870 	case HCI_EV_PSCAN_REP_MODE:
5871 		hci_pscan_rep_mode_evt(hdev, skb);
5872 		break;
5873 
5874 	case HCI_EV_INQUIRY_RESULT_WITH_RSSI:
5875 		hci_inquiry_result_with_rssi_evt(hdev, skb);
5876 		break;
5877 
5878 	case HCI_EV_REMOTE_EXT_FEATURES:
5879 		hci_remote_ext_features_evt(hdev, skb);
5880 		break;
5881 
5882 	case HCI_EV_SYNC_CONN_COMPLETE:
5883 		hci_sync_conn_complete_evt(hdev, skb);
5884 		break;
5885 
5886 	case HCI_EV_EXTENDED_INQUIRY_RESULT:
5887 		hci_extended_inquiry_result_evt(hdev, skb);
5888 		break;
5889 
5890 	case HCI_EV_KEY_REFRESH_COMPLETE:
5891 		hci_key_refresh_complete_evt(hdev, skb);
5892 		break;
5893 
5894 	case HCI_EV_IO_CAPA_REQUEST:
5895 		hci_io_capa_request_evt(hdev, skb);
5896 		break;
5897 
5898 	case HCI_EV_IO_CAPA_REPLY:
5899 		hci_io_capa_reply_evt(hdev, skb);
5900 		break;
5901 
5902 	case HCI_EV_USER_CONFIRM_REQUEST:
5903 		hci_user_confirm_request_evt(hdev, skb);
5904 		break;
5905 
5906 	case HCI_EV_USER_PASSKEY_REQUEST:
5907 		hci_user_passkey_request_evt(hdev, skb);
5908 		break;
5909 
5910 	case HCI_EV_USER_PASSKEY_NOTIFY:
5911 		hci_user_passkey_notify_evt(hdev, skb);
5912 		break;
5913 
5914 	case HCI_EV_KEYPRESS_NOTIFY:
5915 		hci_keypress_notify_evt(hdev, skb);
5916 		break;
5917 
5918 	case HCI_EV_SIMPLE_PAIR_COMPLETE:
5919 		hci_simple_pair_complete_evt(hdev, skb);
5920 		break;
5921 
5922 	case HCI_EV_REMOTE_HOST_FEATURES:
5923 		hci_remote_host_features_evt(hdev, skb);
5924 		break;
5925 
5926 	case HCI_EV_LE_META:
5927 		hci_le_meta_evt(hdev, skb);
5928 		break;
5929 
5930 	case HCI_EV_REMOTE_OOB_DATA_REQUEST:
5931 		hci_remote_oob_data_request_evt(hdev, skb);
5932 		break;
5933 
5934 #if IS_ENABLED(CONFIG_BT_HS)
5935 	case HCI_EV_CHANNEL_SELECTED:
5936 		hci_chan_selected_evt(hdev, skb);
5937 		break;
5938 
5939 	case HCI_EV_PHY_LINK_COMPLETE:
5940 		hci_phy_link_complete_evt(hdev, skb);
5941 		break;
5942 
5943 	case HCI_EV_LOGICAL_LINK_COMPLETE:
5944 		hci_loglink_complete_evt(hdev, skb);
5945 		break;
5946 
5947 	case HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE:
5948 		hci_disconn_loglink_complete_evt(hdev, skb);
5949 		break;
5950 
5951 	case HCI_EV_DISCONN_PHY_LINK_COMPLETE:
5952 		hci_disconn_phylink_complete_evt(hdev, skb);
5953 		break;
5954 #endif
5955 
5956 	case HCI_EV_NUM_COMP_BLOCKS:
5957 		hci_num_comp_blocks_evt(hdev, skb);
5958 		break;
5959 
5960 	default:
5961 		BT_DBG("%s event 0x%2.2x", hdev->name, event);
5962 		break;
5963 	}
5964 
5965 	if (req_complete) {
5966 		req_complete(hdev, status, opcode);
5967 	} else if (req_complete_skb) {
5968 		if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {
5969 			kfree_skb(orig_skb);
5970 			orig_skb = NULL;
5971 		}
5972 		req_complete_skb(hdev, status, opcode, orig_skb);
5973 	}
5974 
5975 	kfree_skb(orig_skb);
5976 	kfree_skb(skb);
5977 	hdev->stat.evt_rx++;
5978 }
5979