xref: /openbmc/linux/net/bluetooth/hci_event.c (revision 3ca3af7d)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
4 
5    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6 
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License version 2 as
9    published by the Free Software Foundation;
10 
11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 
20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22    SOFTWARE IS DISCLAIMED.
23 */
24 
25 /* Bluetooth HCI event handling. */
26 
27 #include <asm/unaligned.h>
28 
29 #include <net/bluetooth/bluetooth.h>
30 #include <net/bluetooth/hci_core.h>
31 #include <net/bluetooth/mgmt.h>
32 
33 #include "hci_request.h"
34 #include "hci_debugfs.h"
35 #include "a2mp.h"
36 #include "amp.h"
37 #include "smp.h"
38 #include "msft.h"
39 #include "eir.h"
40 
41 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
42 		 "\x00\x00\x00\x00\x00\x00\x00\x00"
43 
44 #define secs_to_jiffies(_secs) msecs_to_jiffies((_secs) * 1000)
45 
46 /* Handle HCI Event packets */
47 
48 static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb,
49 				  u8 *new_status)
50 {
51 	__u8 status = *((__u8 *) skb->data);
52 
53 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
54 
55 	/* It is possible that we receive Inquiry Complete event right
56 	 * before we receive Inquiry Cancel Command Complete event, in
57 	 * which case the latter event should have status of Command
58 	 * Disallowed (0x0c). This should not be treated as error, since
59 	 * we actually achieve what Inquiry Cancel wants to achieve,
60 	 * which is to end the last Inquiry session.
61 	 */
62 	if (status == 0x0c && !test_bit(HCI_INQUIRY, &hdev->flags)) {
63 		bt_dev_warn(hdev, "Ignoring error of Inquiry Cancel command");
64 		status = 0x00;
65 	}
66 
67 	*new_status = status;
68 
69 	if (status)
70 		return;
71 
72 	clear_bit(HCI_INQUIRY, &hdev->flags);
73 	smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
74 	wake_up_bit(&hdev->flags, HCI_INQUIRY);
75 
76 	hci_dev_lock(hdev);
77 	/* Set discovery state to stopped if we're not doing LE active
78 	 * scanning.
79 	 */
80 	if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
81 	    hdev->le_scan_type != LE_SCAN_ACTIVE)
82 		hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
83 	hci_dev_unlock(hdev);
84 
85 	hci_conn_check_pending(hdev);
86 }
87 
88 static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
89 {
90 	__u8 status = *((__u8 *) skb->data);
91 
92 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
93 
94 	if (status)
95 		return;
96 
97 	hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);
98 }
99 
100 static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
101 {
102 	__u8 status = *((__u8 *) skb->data);
103 
104 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
105 
106 	if (status)
107 		return;
108 
109 	hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);
110 
111 	hci_conn_check_pending(hdev);
112 }
113 
114 static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev,
115 					  struct sk_buff *skb)
116 {
117 	BT_DBG("%s", hdev->name);
118 }
119 
120 static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb)
121 {
122 	struct hci_rp_role_discovery *rp = (void *) skb->data;
123 	struct hci_conn *conn;
124 
125 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
126 
127 	if (rp->status)
128 		return;
129 
130 	hci_dev_lock(hdev);
131 
132 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
133 	if (conn)
134 		conn->role = rp->role;
135 
136 	hci_dev_unlock(hdev);
137 }
138 
139 static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
140 {
141 	struct hci_rp_read_link_policy *rp = (void *) skb->data;
142 	struct hci_conn *conn;
143 
144 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
145 
146 	if (rp->status)
147 		return;
148 
149 	hci_dev_lock(hdev);
150 
151 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
152 	if (conn)
153 		conn->link_policy = __le16_to_cpu(rp->policy);
154 
155 	hci_dev_unlock(hdev);
156 }
157 
158 static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
159 {
160 	struct hci_rp_write_link_policy *rp = (void *) skb->data;
161 	struct hci_conn *conn;
162 	void *sent;
163 
164 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
165 
166 	if (rp->status)
167 		return;
168 
169 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
170 	if (!sent)
171 		return;
172 
173 	hci_dev_lock(hdev);
174 
175 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
176 	if (conn)
177 		conn->link_policy = get_unaligned_le16(sent + 2);
178 
179 	hci_dev_unlock(hdev);
180 }
181 
182 static void hci_cc_read_def_link_policy(struct hci_dev *hdev,
183 					struct sk_buff *skb)
184 {
185 	struct hci_rp_read_def_link_policy *rp = (void *) skb->data;
186 
187 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
188 
189 	if (rp->status)
190 		return;
191 
192 	hdev->link_policy = __le16_to_cpu(rp->policy);
193 }
194 
195 static void hci_cc_write_def_link_policy(struct hci_dev *hdev,
196 					 struct sk_buff *skb)
197 {
198 	__u8 status = *((__u8 *) skb->data);
199 	void *sent;
200 
201 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
202 
203 	if (status)
204 		return;
205 
206 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
207 	if (!sent)
208 		return;
209 
210 	hdev->link_policy = get_unaligned_le16(sent);
211 }
212 
213 static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb)
214 {
215 	__u8 status = *((__u8 *) skb->data);
216 
217 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
218 
219 	clear_bit(HCI_RESET, &hdev->flags);
220 
221 	if (status)
222 		return;
223 
224 	/* Reset all non-persistent flags */
225 	hci_dev_clear_volatile_flags(hdev);
226 
227 	hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
228 
229 	hdev->inq_tx_power = HCI_TX_POWER_INVALID;
230 	hdev->adv_tx_power = HCI_TX_POWER_INVALID;
231 
232 	memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
233 	hdev->adv_data_len = 0;
234 
235 	memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
236 	hdev->scan_rsp_data_len = 0;
237 
238 	hdev->le_scan_type = LE_SCAN_PASSIVE;
239 
240 	hdev->ssp_debug_mode = 0;
241 
242 	hci_bdaddr_list_clear(&hdev->le_accept_list);
243 	hci_bdaddr_list_clear(&hdev->le_resolv_list);
244 }
245 
246 static void hci_cc_read_stored_link_key(struct hci_dev *hdev,
247 					struct sk_buff *skb)
248 {
249 	struct hci_rp_read_stored_link_key *rp = (void *)skb->data;
250 	struct hci_cp_read_stored_link_key *sent;
251 
252 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
253 
254 	sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
255 	if (!sent)
256 		return;
257 
258 	if (!rp->status && sent->read_all == 0x01) {
259 		hdev->stored_max_keys = rp->max_keys;
260 		hdev->stored_num_keys = rp->num_keys;
261 	}
262 }
263 
264 static void hci_cc_delete_stored_link_key(struct hci_dev *hdev,
265 					  struct sk_buff *skb)
266 {
267 	struct hci_rp_delete_stored_link_key *rp = (void *)skb->data;
268 
269 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
270 
271 	if (rp->status)
272 		return;
273 
274 	if (rp->num_keys <= hdev->stored_num_keys)
275 		hdev->stored_num_keys -= rp->num_keys;
276 	else
277 		hdev->stored_num_keys = 0;
278 }
279 
280 static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb)
281 {
282 	__u8 status = *((__u8 *) skb->data);
283 	void *sent;
284 
285 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
286 
287 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
288 	if (!sent)
289 		return;
290 
291 	hci_dev_lock(hdev);
292 
293 	if (hci_dev_test_flag(hdev, HCI_MGMT))
294 		mgmt_set_local_name_complete(hdev, sent, status);
295 	else if (!status)
296 		memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
297 
298 	hci_dev_unlock(hdev);
299 }
300 
301 static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)
302 {
303 	struct hci_rp_read_local_name *rp = (void *) skb->data;
304 
305 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
306 
307 	if (rp->status)
308 		return;
309 
310 	if (hci_dev_test_flag(hdev, HCI_SETUP) ||
311 	    hci_dev_test_flag(hdev, HCI_CONFIG))
312 		memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
313 }
314 
315 static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb)
316 {
317 	__u8 status = *((__u8 *) skb->data);
318 	void *sent;
319 
320 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
321 
322 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
323 	if (!sent)
324 		return;
325 
326 	hci_dev_lock(hdev);
327 
328 	if (!status) {
329 		__u8 param = *((__u8 *) sent);
330 
331 		if (param == AUTH_ENABLED)
332 			set_bit(HCI_AUTH, &hdev->flags);
333 		else
334 			clear_bit(HCI_AUTH, &hdev->flags);
335 	}
336 
337 	if (hci_dev_test_flag(hdev, HCI_MGMT))
338 		mgmt_auth_enable_complete(hdev, status);
339 
340 	hci_dev_unlock(hdev);
341 }
342 
343 static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb)
344 {
345 	__u8 status = *((__u8 *) skb->data);
346 	__u8 param;
347 	void *sent;
348 
349 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
350 
351 	if (status)
352 		return;
353 
354 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
355 	if (!sent)
356 		return;
357 
358 	param = *((__u8 *) sent);
359 
360 	if (param)
361 		set_bit(HCI_ENCRYPT, &hdev->flags);
362 	else
363 		clear_bit(HCI_ENCRYPT, &hdev->flags);
364 }
365 
366 static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb)
367 {
368 	__u8 status = *((__u8 *) skb->data);
369 	__u8 param;
370 	void *sent;
371 
372 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
373 
374 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
375 	if (!sent)
376 		return;
377 
378 	param = *((__u8 *) sent);
379 
380 	hci_dev_lock(hdev);
381 
382 	if (status) {
383 		hdev->discov_timeout = 0;
384 		goto done;
385 	}
386 
387 	if (param & SCAN_INQUIRY)
388 		set_bit(HCI_ISCAN, &hdev->flags);
389 	else
390 		clear_bit(HCI_ISCAN, &hdev->flags);
391 
392 	if (param & SCAN_PAGE)
393 		set_bit(HCI_PSCAN, &hdev->flags);
394 	else
395 		clear_bit(HCI_PSCAN, &hdev->flags);
396 
397 done:
398 	hci_dev_unlock(hdev);
399 }
400 
401 static void hci_cc_set_event_filter(struct hci_dev *hdev, struct sk_buff *skb)
402 {
403 	__u8 status = *((__u8 *)skb->data);
404 	struct hci_cp_set_event_filter *cp;
405 	void *sent;
406 
407 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
408 
409 	if (status)
410 		return;
411 
412 	sent = hci_sent_cmd_data(hdev, HCI_OP_SET_EVENT_FLT);
413 	if (!sent)
414 		return;
415 
416 	cp = (struct hci_cp_set_event_filter *)sent;
417 
418 	if (cp->flt_type == HCI_FLT_CLEAR_ALL)
419 		hci_dev_clear_flag(hdev, HCI_EVENT_FILTER_CONFIGURED);
420 	else
421 		hci_dev_set_flag(hdev, HCI_EVENT_FILTER_CONFIGURED);
422 }
423 
424 static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
425 {
426 	struct hci_rp_read_class_of_dev *rp = (void *) skb->data;
427 
428 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
429 
430 	if (rp->status)
431 		return;
432 
433 	memcpy(hdev->dev_class, rp->dev_class, 3);
434 
435 	BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name,
436 	       hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]);
437 }
438 
439 static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
440 {
441 	__u8 status = *((__u8 *) skb->data);
442 	void *sent;
443 
444 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
445 
446 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
447 	if (!sent)
448 		return;
449 
450 	hci_dev_lock(hdev);
451 
452 	if (status == 0)
453 		memcpy(hdev->dev_class, sent, 3);
454 
455 	if (hci_dev_test_flag(hdev, HCI_MGMT))
456 		mgmt_set_class_of_dev_complete(hdev, sent, status);
457 
458 	hci_dev_unlock(hdev);
459 }
460 
461 static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb)
462 {
463 	struct hci_rp_read_voice_setting *rp = (void *) skb->data;
464 	__u16 setting;
465 
466 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
467 
468 	if (rp->status)
469 		return;
470 
471 	setting = __le16_to_cpu(rp->voice_setting);
472 
473 	if (hdev->voice_setting == setting)
474 		return;
475 
476 	hdev->voice_setting = setting;
477 
478 	BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
479 
480 	if (hdev->notify)
481 		hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
482 }
483 
484 static void hci_cc_write_voice_setting(struct hci_dev *hdev,
485 				       struct sk_buff *skb)
486 {
487 	__u8 status = *((__u8 *) skb->data);
488 	__u16 setting;
489 	void *sent;
490 
491 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
492 
493 	if (status)
494 		return;
495 
496 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
497 	if (!sent)
498 		return;
499 
500 	setting = get_unaligned_le16(sent);
501 
502 	if (hdev->voice_setting == setting)
503 		return;
504 
505 	hdev->voice_setting = setting;
506 
507 	BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
508 
509 	if (hdev->notify)
510 		hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
511 }
512 
513 static void hci_cc_read_num_supported_iac(struct hci_dev *hdev,
514 					  struct sk_buff *skb)
515 {
516 	struct hci_rp_read_num_supported_iac *rp = (void *) skb->data;
517 
518 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
519 
520 	if (rp->status)
521 		return;
522 
523 	hdev->num_iac = rp->num_iac;
524 
525 	BT_DBG("%s num iac %d", hdev->name, hdev->num_iac);
526 }
527 
528 static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
529 {
530 	__u8 status = *((__u8 *) skb->data);
531 	struct hci_cp_write_ssp_mode *sent;
532 
533 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
534 
535 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
536 	if (!sent)
537 		return;
538 
539 	hci_dev_lock(hdev);
540 
541 	if (!status) {
542 		if (sent->mode)
543 			hdev->features[1][0] |= LMP_HOST_SSP;
544 		else
545 			hdev->features[1][0] &= ~LMP_HOST_SSP;
546 	}
547 
548 	if (hci_dev_test_flag(hdev, HCI_MGMT))
549 		mgmt_ssp_enable_complete(hdev, sent->mode, status);
550 	else if (!status) {
551 		if (sent->mode)
552 			hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
553 		else
554 			hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
555 	}
556 
557 	hci_dev_unlock(hdev);
558 }
559 
560 static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb)
561 {
562 	u8 status = *((u8 *) skb->data);
563 	struct hci_cp_write_sc_support *sent;
564 
565 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
566 
567 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
568 	if (!sent)
569 		return;
570 
571 	hci_dev_lock(hdev);
572 
573 	if (!status) {
574 		if (sent->support)
575 			hdev->features[1][0] |= LMP_HOST_SC;
576 		else
577 			hdev->features[1][0] &= ~LMP_HOST_SC;
578 	}
579 
580 	if (!hci_dev_test_flag(hdev, HCI_MGMT) && !status) {
581 		if (sent->support)
582 			hci_dev_set_flag(hdev, HCI_SC_ENABLED);
583 		else
584 			hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
585 	}
586 
587 	hci_dev_unlock(hdev);
588 }
589 
590 static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb)
591 {
592 	struct hci_rp_read_local_version *rp = (void *) skb->data;
593 
594 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
595 
596 	if (rp->status)
597 		return;
598 
599 	if (hci_dev_test_flag(hdev, HCI_SETUP) ||
600 	    hci_dev_test_flag(hdev, HCI_CONFIG)) {
601 		hdev->hci_ver = rp->hci_ver;
602 		hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
603 		hdev->lmp_ver = rp->lmp_ver;
604 		hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
605 		hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
606 	}
607 }
608 
609 static void hci_cc_read_local_commands(struct hci_dev *hdev,
610 				       struct sk_buff *skb)
611 {
612 	struct hci_rp_read_local_commands *rp = (void *) skb->data;
613 
614 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
615 
616 	if (rp->status)
617 		return;
618 
619 	if (hci_dev_test_flag(hdev, HCI_SETUP) ||
620 	    hci_dev_test_flag(hdev, HCI_CONFIG))
621 		memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
622 }
623 
624 static void hci_cc_read_auth_payload_timeout(struct hci_dev *hdev,
625 					     struct sk_buff *skb)
626 {
627 	struct hci_rp_read_auth_payload_to *rp = (void *)skb->data;
628 	struct hci_conn *conn;
629 
630 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
631 
632 	if (rp->status)
633 		return;
634 
635 	hci_dev_lock(hdev);
636 
637 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
638 	if (conn)
639 		conn->auth_payload_timeout = __le16_to_cpu(rp->timeout);
640 
641 	hci_dev_unlock(hdev);
642 }
643 
644 static void hci_cc_write_auth_payload_timeout(struct hci_dev *hdev,
645 					      struct sk_buff *skb)
646 {
647 	struct hci_rp_write_auth_payload_to *rp = (void *)skb->data;
648 	struct hci_conn *conn;
649 	void *sent;
650 
651 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
652 
653 	if (rp->status)
654 		return;
655 
656 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO);
657 	if (!sent)
658 		return;
659 
660 	hci_dev_lock(hdev);
661 
662 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
663 	if (conn)
664 		conn->auth_payload_timeout = get_unaligned_le16(sent + 2);
665 
666 	hci_dev_unlock(hdev);
667 }
668 
669 static void hci_cc_read_local_features(struct hci_dev *hdev,
670 				       struct sk_buff *skb)
671 {
672 	struct hci_rp_read_local_features *rp = (void *) skb->data;
673 
674 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
675 
676 	if (rp->status)
677 		return;
678 
679 	memcpy(hdev->features, rp->features, 8);
680 
681 	/* Adjust default settings according to features
682 	 * supported by device. */
683 
684 	if (hdev->features[0][0] & LMP_3SLOT)
685 		hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
686 
687 	if (hdev->features[0][0] & LMP_5SLOT)
688 		hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
689 
690 	if (hdev->features[0][1] & LMP_HV2) {
691 		hdev->pkt_type  |= (HCI_HV2);
692 		hdev->esco_type |= (ESCO_HV2);
693 	}
694 
695 	if (hdev->features[0][1] & LMP_HV3) {
696 		hdev->pkt_type  |= (HCI_HV3);
697 		hdev->esco_type |= (ESCO_HV3);
698 	}
699 
700 	if (lmp_esco_capable(hdev))
701 		hdev->esco_type |= (ESCO_EV3);
702 
703 	if (hdev->features[0][4] & LMP_EV4)
704 		hdev->esco_type |= (ESCO_EV4);
705 
706 	if (hdev->features[0][4] & LMP_EV5)
707 		hdev->esco_type |= (ESCO_EV5);
708 
709 	if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
710 		hdev->esco_type |= (ESCO_2EV3);
711 
712 	if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
713 		hdev->esco_type |= (ESCO_3EV3);
714 
715 	if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
716 		hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
717 }
718 
719 static void hci_cc_read_local_ext_features(struct hci_dev *hdev,
720 					   struct sk_buff *skb)
721 {
722 	struct hci_rp_read_local_ext_features *rp = (void *) skb->data;
723 
724 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
725 
726 	if (rp->status)
727 		return;
728 
729 	if (hdev->max_page < rp->max_page)
730 		hdev->max_page = rp->max_page;
731 
732 	if (rp->page < HCI_MAX_PAGES)
733 		memcpy(hdev->features[rp->page], rp->features, 8);
734 }
735 
736 static void hci_cc_read_flow_control_mode(struct hci_dev *hdev,
737 					  struct sk_buff *skb)
738 {
739 	struct hci_rp_read_flow_control_mode *rp = (void *) skb->data;
740 
741 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
742 
743 	if (rp->status)
744 		return;
745 
746 	hdev->flow_ctl_mode = rp->mode;
747 }
748 
749 static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)
750 {
751 	struct hci_rp_read_buffer_size *rp = (void *) skb->data;
752 
753 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
754 
755 	if (rp->status)
756 		return;
757 
758 	hdev->acl_mtu  = __le16_to_cpu(rp->acl_mtu);
759 	hdev->sco_mtu  = rp->sco_mtu;
760 	hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
761 	hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
762 
763 	if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
764 		hdev->sco_mtu  = 64;
765 		hdev->sco_pkts = 8;
766 	}
767 
768 	hdev->acl_cnt = hdev->acl_pkts;
769 	hdev->sco_cnt = hdev->sco_pkts;
770 
771 	BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
772 	       hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
773 }
774 
775 static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb)
776 {
777 	struct hci_rp_read_bd_addr *rp = (void *) skb->data;
778 
779 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
780 
781 	if (rp->status)
782 		return;
783 
784 	if (test_bit(HCI_INIT, &hdev->flags))
785 		bacpy(&hdev->bdaddr, &rp->bdaddr);
786 
787 	if (hci_dev_test_flag(hdev, HCI_SETUP))
788 		bacpy(&hdev->setup_addr, &rp->bdaddr);
789 }
790 
791 static void hci_cc_read_local_pairing_opts(struct hci_dev *hdev,
792 					   struct sk_buff *skb)
793 {
794 	struct hci_rp_read_local_pairing_opts *rp = (void *) skb->data;
795 
796 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
797 
798 	if (rp->status)
799 		return;
800 
801 	if (hci_dev_test_flag(hdev, HCI_SETUP) ||
802 	    hci_dev_test_flag(hdev, HCI_CONFIG)) {
803 		hdev->pairing_opts = rp->pairing_opts;
804 		hdev->max_enc_key_size = rp->max_key_size;
805 	}
806 }
807 
808 static void hci_cc_read_page_scan_activity(struct hci_dev *hdev,
809 					   struct sk_buff *skb)
810 {
811 	struct hci_rp_read_page_scan_activity *rp = (void *) skb->data;
812 
813 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
814 
815 	if (rp->status)
816 		return;
817 
818 	if (test_bit(HCI_INIT, &hdev->flags)) {
819 		hdev->page_scan_interval = __le16_to_cpu(rp->interval);
820 		hdev->page_scan_window = __le16_to_cpu(rp->window);
821 	}
822 }
823 
824 static void hci_cc_write_page_scan_activity(struct hci_dev *hdev,
825 					    struct sk_buff *skb)
826 {
827 	u8 status = *((u8 *) skb->data);
828 	struct hci_cp_write_page_scan_activity *sent;
829 
830 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
831 
832 	if (status)
833 		return;
834 
835 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
836 	if (!sent)
837 		return;
838 
839 	hdev->page_scan_interval = __le16_to_cpu(sent->interval);
840 	hdev->page_scan_window = __le16_to_cpu(sent->window);
841 }
842 
843 static void hci_cc_read_page_scan_type(struct hci_dev *hdev,
844 					   struct sk_buff *skb)
845 {
846 	struct hci_rp_read_page_scan_type *rp = (void *) skb->data;
847 
848 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
849 
850 	if (rp->status)
851 		return;
852 
853 	if (test_bit(HCI_INIT, &hdev->flags))
854 		hdev->page_scan_type = rp->type;
855 }
856 
857 static void hci_cc_write_page_scan_type(struct hci_dev *hdev,
858 					struct sk_buff *skb)
859 {
860 	u8 status = *((u8 *) skb->data);
861 	u8 *type;
862 
863 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
864 
865 	if (status)
866 		return;
867 
868 	type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
869 	if (type)
870 		hdev->page_scan_type = *type;
871 }
872 
873 static void hci_cc_read_data_block_size(struct hci_dev *hdev,
874 					struct sk_buff *skb)
875 {
876 	struct hci_rp_read_data_block_size *rp = (void *) skb->data;
877 
878 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
879 
880 	if (rp->status)
881 		return;
882 
883 	hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
884 	hdev->block_len = __le16_to_cpu(rp->block_len);
885 	hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
886 
887 	hdev->block_cnt = hdev->num_blocks;
888 
889 	BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
890 	       hdev->block_cnt, hdev->block_len);
891 }
892 
893 static void hci_cc_read_clock(struct hci_dev *hdev, struct sk_buff *skb)
894 {
895 	struct hci_rp_read_clock *rp = (void *) skb->data;
896 	struct hci_cp_read_clock *cp;
897 	struct hci_conn *conn;
898 
899 	BT_DBG("%s", hdev->name);
900 
901 	if (skb->len < sizeof(*rp))
902 		return;
903 
904 	if (rp->status)
905 		return;
906 
907 	hci_dev_lock(hdev);
908 
909 	cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
910 	if (!cp)
911 		goto unlock;
912 
913 	if (cp->which == 0x00) {
914 		hdev->clock = le32_to_cpu(rp->clock);
915 		goto unlock;
916 	}
917 
918 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
919 	if (conn) {
920 		conn->clock = le32_to_cpu(rp->clock);
921 		conn->clock_accuracy = le16_to_cpu(rp->accuracy);
922 	}
923 
924 unlock:
925 	hci_dev_unlock(hdev);
926 }
927 
928 static void hci_cc_read_local_amp_info(struct hci_dev *hdev,
929 				       struct sk_buff *skb)
930 {
931 	struct hci_rp_read_local_amp_info *rp = (void *) skb->data;
932 
933 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
934 
935 	if (rp->status)
936 		return;
937 
938 	hdev->amp_status = rp->amp_status;
939 	hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
940 	hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
941 	hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
942 	hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
943 	hdev->amp_type = rp->amp_type;
944 	hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
945 	hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
946 	hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
947 	hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
948 }
949 
950 static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev,
951 					 struct sk_buff *skb)
952 {
953 	struct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data;
954 
955 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
956 
957 	if (rp->status)
958 		return;
959 
960 	hdev->inq_tx_power = rp->tx_power;
961 }
962 
963 static void hci_cc_read_def_err_data_reporting(struct hci_dev *hdev,
964 					       struct sk_buff *skb)
965 {
966 	struct hci_rp_read_def_err_data_reporting *rp = (void *)skb->data;
967 
968 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
969 
970 	if (rp->status)
971 		return;
972 
973 	hdev->err_data_reporting = rp->err_data_reporting;
974 }
975 
976 static void hci_cc_write_def_err_data_reporting(struct hci_dev *hdev,
977 						struct sk_buff *skb)
978 {
979 	__u8 status = *((__u8 *)skb->data);
980 	struct hci_cp_write_def_err_data_reporting *cp;
981 
982 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
983 
984 	if (status)
985 		return;
986 
987 	cp = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_ERR_DATA_REPORTING);
988 	if (!cp)
989 		return;
990 
991 	hdev->err_data_reporting = cp->err_data_reporting;
992 }
993 
994 static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb)
995 {
996 	struct hci_rp_pin_code_reply *rp = (void *) skb->data;
997 	struct hci_cp_pin_code_reply *cp;
998 	struct hci_conn *conn;
999 
1000 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1001 
1002 	hci_dev_lock(hdev);
1003 
1004 	if (hci_dev_test_flag(hdev, HCI_MGMT))
1005 		mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
1006 
1007 	if (rp->status)
1008 		goto unlock;
1009 
1010 	cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
1011 	if (!cp)
1012 		goto unlock;
1013 
1014 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1015 	if (conn)
1016 		conn->pin_length = cp->pin_len;
1017 
1018 unlock:
1019 	hci_dev_unlock(hdev);
1020 }
1021 
1022 static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)
1023 {
1024 	struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data;
1025 
1026 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1027 
1028 	hci_dev_lock(hdev);
1029 
1030 	if (hci_dev_test_flag(hdev, HCI_MGMT))
1031 		mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
1032 						 rp->status);
1033 
1034 	hci_dev_unlock(hdev);
1035 }
1036 
1037 static void hci_cc_le_read_buffer_size(struct hci_dev *hdev,
1038 				       struct sk_buff *skb)
1039 {
1040 	struct hci_rp_le_read_buffer_size *rp = (void *) skb->data;
1041 
1042 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1043 
1044 	if (rp->status)
1045 		return;
1046 
1047 	hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
1048 	hdev->le_pkts = rp->le_max_pkt;
1049 
1050 	hdev->le_cnt = hdev->le_pkts;
1051 
1052 	BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
1053 }
1054 
1055 static void hci_cc_le_read_local_features(struct hci_dev *hdev,
1056 					  struct sk_buff *skb)
1057 {
1058 	struct hci_rp_le_read_local_features *rp = (void *) skb->data;
1059 
1060 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1061 
1062 	if (rp->status)
1063 		return;
1064 
1065 	memcpy(hdev->le_features, rp->features, 8);
1066 }
1067 
1068 static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev,
1069 					struct sk_buff *skb)
1070 {
1071 	struct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data;
1072 
1073 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1074 
1075 	if (rp->status)
1076 		return;
1077 
1078 	hdev->adv_tx_power = rp->tx_power;
1079 }
1080 
1081 static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb)
1082 {
1083 	struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
1084 
1085 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1086 
1087 	hci_dev_lock(hdev);
1088 
1089 	if (hci_dev_test_flag(hdev, HCI_MGMT))
1090 		mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
1091 						 rp->status);
1092 
1093 	hci_dev_unlock(hdev);
1094 }
1095 
1096 static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev,
1097 					  struct sk_buff *skb)
1098 {
1099 	struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
1100 
1101 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1102 
1103 	hci_dev_lock(hdev);
1104 
1105 	if (hci_dev_test_flag(hdev, HCI_MGMT))
1106 		mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
1107 						     ACL_LINK, 0, rp->status);
1108 
1109 	hci_dev_unlock(hdev);
1110 }
1111 
1112 static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb)
1113 {
1114 	struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
1115 
1116 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1117 
1118 	hci_dev_lock(hdev);
1119 
1120 	if (hci_dev_test_flag(hdev, HCI_MGMT))
1121 		mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
1122 						 0, rp->status);
1123 
1124 	hci_dev_unlock(hdev);
1125 }
1126 
1127 static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev,
1128 					  struct sk_buff *skb)
1129 {
1130 	struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
1131 
1132 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1133 
1134 	hci_dev_lock(hdev);
1135 
1136 	if (hci_dev_test_flag(hdev, HCI_MGMT))
1137 		mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
1138 						     ACL_LINK, 0, rp->status);
1139 
1140 	hci_dev_unlock(hdev);
1141 }
1142 
1143 static void hci_cc_read_local_oob_data(struct hci_dev *hdev,
1144 				       struct sk_buff *skb)
1145 {
1146 	struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
1147 
1148 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1149 }
1150 
1151 static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev,
1152 					   struct sk_buff *skb)
1153 {
1154 	struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
1155 
1156 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1157 }
1158 
1159 static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb)
1160 {
1161 	__u8 status = *((__u8 *) skb->data);
1162 	bdaddr_t *sent;
1163 
1164 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1165 
1166 	if (status)
1167 		return;
1168 
1169 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1170 	if (!sent)
1171 		return;
1172 
1173 	hci_dev_lock(hdev);
1174 
1175 	bacpy(&hdev->random_addr, sent);
1176 
1177 	if (!bacmp(&hdev->rpa, sent)) {
1178 		hci_dev_clear_flag(hdev, HCI_RPA_EXPIRED);
1179 		queue_delayed_work(hdev->workqueue, &hdev->rpa_expired,
1180 				   secs_to_jiffies(hdev->rpa_timeout));
1181 	}
1182 
1183 	hci_dev_unlock(hdev);
1184 }
1185 
1186 static void hci_cc_le_set_default_phy(struct hci_dev *hdev, struct sk_buff *skb)
1187 {
1188 	__u8 status = *((__u8 *) skb->data);
1189 	struct hci_cp_le_set_default_phy *cp;
1190 
1191 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1192 
1193 	if (status)
1194 		return;
1195 
1196 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_DEFAULT_PHY);
1197 	if (!cp)
1198 		return;
1199 
1200 	hci_dev_lock(hdev);
1201 
1202 	hdev->le_tx_def_phys = cp->tx_phys;
1203 	hdev->le_rx_def_phys = cp->rx_phys;
1204 
1205 	hci_dev_unlock(hdev);
1206 }
1207 
1208 static void hci_cc_le_set_adv_set_random_addr(struct hci_dev *hdev,
1209                                               struct sk_buff *skb)
1210 {
1211 	__u8 status = *((__u8 *) skb->data);
1212 	struct hci_cp_le_set_adv_set_rand_addr *cp;
1213 	struct adv_info *adv;
1214 
1215 	if (status)
1216 		return;
1217 
1218 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_SET_RAND_ADDR);
1219 	/* Update only in case the adv instance since handle 0x00 shall be using
1220 	 * HCI_OP_LE_SET_RANDOM_ADDR since that allows both extended and
1221 	 * non-extended adverting.
1222 	 */
1223 	if (!cp || !cp->handle)
1224 		return;
1225 
1226 	hci_dev_lock(hdev);
1227 
1228 	adv = hci_find_adv_instance(hdev, cp->handle);
1229 	if (adv) {
1230 		bacpy(&adv->random_addr, &cp->bdaddr);
1231 		if (!bacmp(&hdev->rpa, &cp->bdaddr)) {
1232 			adv->rpa_expired = false;
1233 			queue_delayed_work(hdev->workqueue,
1234 					   &adv->rpa_expired_cb,
1235 					   secs_to_jiffies(hdev->rpa_timeout));
1236 		}
1237 	}
1238 
1239 	hci_dev_unlock(hdev);
1240 }
1241 
1242 static void hci_cc_le_read_transmit_power(struct hci_dev *hdev,
1243 					  struct sk_buff *skb)
1244 {
1245 	struct hci_rp_le_read_transmit_power *rp = (void *)skb->data;
1246 
1247 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1248 
1249 	if (rp->status)
1250 		return;
1251 
1252 	hdev->min_le_tx_power = rp->min_le_tx_power;
1253 	hdev->max_le_tx_power = rp->max_le_tx_power;
1254 }
1255 
1256 static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb)
1257 {
1258 	__u8 *sent, status = *((__u8 *) skb->data);
1259 
1260 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1261 
1262 	if (status)
1263 		return;
1264 
1265 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1266 	if (!sent)
1267 		return;
1268 
1269 	hci_dev_lock(hdev);
1270 
1271 	/* If we're doing connection initiation as peripheral. Set a
1272 	 * timeout in case something goes wrong.
1273 	 */
1274 	if (*sent) {
1275 		struct hci_conn *conn;
1276 
1277 		hci_dev_set_flag(hdev, HCI_LE_ADV);
1278 
1279 		conn = hci_lookup_le_connect(hdev);
1280 		if (conn)
1281 			queue_delayed_work(hdev->workqueue,
1282 					   &conn->le_conn_timeout,
1283 					   conn->conn_timeout);
1284 	} else {
1285 		hci_dev_clear_flag(hdev, HCI_LE_ADV);
1286 	}
1287 
1288 	hci_dev_unlock(hdev);
1289 }
1290 
1291 static void hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev,
1292 					 struct sk_buff *skb)
1293 {
1294 	struct hci_cp_le_set_ext_adv_enable *cp;
1295 	struct hci_cp_ext_adv_set *set;
1296 	__u8 status = *((__u8 *) skb->data);
1297 	struct adv_info *adv = NULL, *n;
1298 
1299 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1300 
1301 	if (status)
1302 		return;
1303 
1304 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE);
1305 	if (!cp)
1306 		return;
1307 
1308 	set = (void *)cp->data;
1309 
1310 	hci_dev_lock(hdev);
1311 
1312 	if (cp->num_of_sets)
1313 		adv = hci_find_adv_instance(hdev, set->handle);
1314 
1315 	if (cp->enable) {
1316 		struct hci_conn *conn;
1317 
1318 		hci_dev_set_flag(hdev, HCI_LE_ADV);
1319 
1320 		if (adv)
1321 			adv->enabled = true;
1322 
1323 		conn = hci_lookup_le_connect(hdev);
1324 		if (conn)
1325 			queue_delayed_work(hdev->workqueue,
1326 					   &conn->le_conn_timeout,
1327 					   conn->conn_timeout);
1328 	} else {
1329 		if (adv) {
1330 			adv->enabled = false;
1331 			/* If just one instance was disabled check if there are
1332 			 * any other instance enabled before clearing HCI_LE_ADV
1333 			 */
1334 			list_for_each_entry_safe(adv, n, &hdev->adv_instances,
1335 						 list) {
1336 				if (adv->enabled)
1337 					goto unlock;
1338 			}
1339 		} else {
1340 			/* All instances shall be considered disabled */
1341 			list_for_each_entry_safe(adv, n, &hdev->adv_instances,
1342 						 list)
1343 				adv->enabled = false;
1344 		}
1345 
1346 		hci_dev_clear_flag(hdev, HCI_LE_ADV);
1347 	}
1348 
1349 unlock:
1350 	hci_dev_unlock(hdev);
1351 }
1352 
1353 static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb)
1354 {
1355 	struct hci_cp_le_set_scan_param *cp;
1356 	__u8 status = *((__u8 *) skb->data);
1357 
1358 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1359 
1360 	if (status)
1361 		return;
1362 
1363 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1364 	if (!cp)
1365 		return;
1366 
1367 	hci_dev_lock(hdev);
1368 
1369 	hdev->le_scan_type = cp->type;
1370 
1371 	hci_dev_unlock(hdev);
1372 }
1373 
1374 static void hci_cc_le_set_ext_scan_param(struct hci_dev *hdev,
1375 					 struct sk_buff *skb)
1376 {
1377 	struct hci_cp_le_set_ext_scan_params *cp;
1378 	__u8 status = *((__u8 *) skb->data);
1379 	struct hci_cp_le_scan_phy_params *phy_param;
1380 
1381 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1382 
1383 	if (status)
1384 		return;
1385 
1386 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS);
1387 	if (!cp)
1388 		return;
1389 
1390 	phy_param = (void *)cp->data;
1391 
1392 	hci_dev_lock(hdev);
1393 
1394 	hdev->le_scan_type = phy_param->type;
1395 
1396 	hci_dev_unlock(hdev);
1397 }
1398 
1399 static bool has_pending_adv_report(struct hci_dev *hdev)
1400 {
1401 	struct discovery_state *d = &hdev->discovery;
1402 
1403 	return bacmp(&d->last_adv_addr, BDADDR_ANY);
1404 }
1405 
1406 static void clear_pending_adv_report(struct hci_dev *hdev)
1407 {
1408 	struct discovery_state *d = &hdev->discovery;
1409 
1410 	bacpy(&d->last_adv_addr, BDADDR_ANY);
1411 	d->last_adv_data_len = 0;
1412 }
1413 
1414 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1415 				     u8 bdaddr_type, s8 rssi, u32 flags,
1416 				     u8 *data, u8 len)
1417 {
1418 	struct discovery_state *d = &hdev->discovery;
1419 
1420 	if (len > HCI_MAX_AD_LENGTH)
1421 		return;
1422 
1423 	bacpy(&d->last_adv_addr, bdaddr);
1424 	d->last_adv_addr_type = bdaddr_type;
1425 	d->last_adv_rssi = rssi;
1426 	d->last_adv_flags = flags;
1427 	memcpy(d->last_adv_data, data, len);
1428 	d->last_adv_data_len = len;
1429 }
1430 
1431 static void le_set_scan_enable_complete(struct hci_dev *hdev, u8 enable)
1432 {
1433 	hci_dev_lock(hdev);
1434 
1435 	switch (enable) {
1436 	case LE_SCAN_ENABLE:
1437 		hci_dev_set_flag(hdev, HCI_LE_SCAN);
1438 		if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1439 			clear_pending_adv_report(hdev);
1440 		break;
1441 
1442 	case LE_SCAN_DISABLE:
1443 		/* We do this here instead of when setting DISCOVERY_STOPPED
1444 		 * since the latter would potentially require waiting for
1445 		 * inquiry to stop too.
1446 		 */
1447 		if (has_pending_adv_report(hdev)) {
1448 			struct discovery_state *d = &hdev->discovery;
1449 
1450 			mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1451 					  d->last_adv_addr_type, NULL,
1452 					  d->last_adv_rssi, d->last_adv_flags,
1453 					  d->last_adv_data,
1454 					  d->last_adv_data_len, NULL, 0);
1455 		}
1456 
1457 		/* Cancel this timer so that we don't try to disable scanning
1458 		 * when it's already disabled.
1459 		 */
1460 		cancel_delayed_work(&hdev->le_scan_disable);
1461 
1462 		hci_dev_clear_flag(hdev, HCI_LE_SCAN);
1463 
1464 		/* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1465 		 * interrupted scanning due to a connect request. Mark
1466 		 * therefore discovery as stopped. If this was not
1467 		 * because of a connect request advertising might have
1468 		 * been disabled because of active scanning, so
1469 		 * re-enable it again if necessary.
1470 		 */
1471 		if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))
1472 			hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1473 		else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) &&
1474 			 hdev->discovery.state == DISCOVERY_FINDING)
1475 			hci_req_reenable_advertising(hdev);
1476 
1477 		break;
1478 
1479 	default:
1480 		bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d",
1481 			   enable);
1482 		break;
1483 	}
1484 
1485 	hci_dev_unlock(hdev);
1486 }
1487 
1488 static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
1489 				      struct sk_buff *skb)
1490 {
1491 	struct hci_cp_le_set_scan_enable *cp;
1492 	__u8 status = *((__u8 *) skb->data);
1493 
1494 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1495 
1496 	if (status)
1497 		return;
1498 
1499 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1500 	if (!cp)
1501 		return;
1502 
1503 	le_set_scan_enable_complete(hdev, cp->enable);
1504 }
1505 
1506 static void hci_cc_le_set_ext_scan_enable(struct hci_dev *hdev,
1507 				      struct sk_buff *skb)
1508 {
1509 	struct hci_cp_le_set_ext_scan_enable *cp;
1510 	__u8 status = *((__u8 *) skb->data);
1511 
1512 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1513 
1514 	if (status)
1515 		return;
1516 
1517 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_ENABLE);
1518 	if (!cp)
1519 		return;
1520 
1521 	le_set_scan_enable_complete(hdev, cp->enable);
1522 }
1523 
1524 static void hci_cc_le_read_num_adv_sets(struct hci_dev *hdev,
1525 				      struct sk_buff *skb)
1526 {
1527 	struct hci_rp_le_read_num_supported_adv_sets *rp = (void *) skb->data;
1528 
1529 	BT_DBG("%s status 0x%2.2x No of Adv sets %u", hdev->name, rp->status,
1530 	       rp->num_of_sets);
1531 
1532 	if (rp->status)
1533 		return;
1534 
1535 	hdev->le_num_of_adv_sets = rp->num_of_sets;
1536 }
1537 
1538 static void hci_cc_le_read_accept_list_size(struct hci_dev *hdev,
1539 					    struct sk_buff *skb)
1540 {
1541 	struct hci_rp_le_read_accept_list_size *rp = (void *)skb->data;
1542 
1543 	BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1544 
1545 	if (rp->status)
1546 		return;
1547 
1548 	hdev->le_accept_list_size = rp->size;
1549 }
1550 
1551 static void hci_cc_le_clear_accept_list(struct hci_dev *hdev,
1552 					struct sk_buff *skb)
1553 {
1554 	__u8 status = *((__u8 *) skb->data);
1555 
1556 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1557 
1558 	if (status)
1559 		return;
1560 
1561 	hci_bdaddr_list_clear(&hdev->le_accept_list);
1562 }
1563 
1564 static void hci_cc_le_add_to_accept_list(struct hci_dev *hdev,
1565 					 struct sk_buff *skb)
1566 {
1567 	struct hci_cp_le_add_to_accept_list *sent;
1568 	__u8 status = *((__u8 *) skb->data);
1569 
1570 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1571 
1572 	if (status)
1573 		return;
1574 
1575 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_ACCEPT_LIST);
1576 	if (!sent)
1577 		return;
1578 
1579 	hci_bdaddr_list_add(&hdev->le_accept_list, &sent->bdaddr,
1580 			    sent->bdaddr_type);
1581 }
1582 
1583 static void hci_cc_le_del_from_accept_list(struct hci_dev *hdev,
1584 					   struct sk_buff *skb)
1585 {
1586 	struct hci_cp_le_del_from_accept_list *sent;
1587 	__u8 status = *((__u8 *) skb->data);
1588 
1589 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1590 
1591 	if (status)
1592 		return;
1593 
1594 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_ACCEPT_LIST);
1595 	if (!sent)
1596 		return;
1597 
1598 	hci_bdaddr_list_del(&hdev->le_accept_list, &sent->bdaddr,
1599 			    sent->bdaddr_type);
1600 }
1601 
1602 static void hci_cc_le_read_supported_states(struct hci_dev *hdev,
1603 					    struct sk_buff *skb)
1604 {
1605 	struct hci_rp_le_read_supported_states *rp = (void *) skb->data;
1606 
1607 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1608 
1609 	if (rp->status)
1610 		return;
1611 
1612 	memcpy(hdev->le_states, rp->le_states, 8);
1613 }
1614 
1615 static void hci_cc_le_read_def_data_len(struct hci_dev *hdev,
1616 					struct sk_buff *skb)
1617 {
1618 	struct hci_rp_le_read_def_data_len *rp = (void *) skb->data;
1619 
1620 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1621 
1622 	if (rp->status)
1623 		return;
1624 
1625 	hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
1626 	hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
1627 }
1628 
1629 static void hci_cc_le_write_def_data_len(struct hci_dev *hdev,
1630 					 struct sk_buff *skb)
1631 {
1632 	struct hci_cp_le_write_def_data_len *sent;
1633 	__u8 status = *((__u8 *) skb->data);
1634 
1635 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1636 
1637 	if (status)
1638 		return;
1639 
1640 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
1641 	if (!sent)
1642 		return;
1643 
1644 	hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
1645 	hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
1646 }
1647 
1648 static void hci_cc_le_add_to_resolv_list(struct hci_dev *hdev,
1649 					 struct sk_buff *skb)
1650 {
1651 	struct hci_cp_le_add_to_resolv_list *sent;
1652 	__u8 status = *((__u8 *) skb->data);
1653 
1654 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1655 
1656 	if (status)
1657 		return;
1658 
1659 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_RESOLV_LIST);
1660 	if (!sent)
1661 		return;
1662 
1663 	hci_bdaddr_list_add_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
1664 				sent->bdaddr_type, sent->peer_irk,
1665 				sent->local_irk);
1666 }
1667 
1668 static void hci_cc_le_del_from_resolv_list(struct hci_dev *hdev,
1669 					  struct sk_buff *skb)
1670 {
1671 	struct hci_cp_le_del_from_resolv_list *sent;
1672 	__u8 status = *((__u8 *) skb->data);
1673 
1674 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1675 
1676 	if (status)
1677 		return;
1678 
1679 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_RESOLV_LIST);
1680 	if (!sent)
1681 		return;
1682 
1683 	hci_bdaddr_list_del_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
1684 			    sent->bdaddr_type);
1685 }
1686 
1687 static void hci_cc_le_clear_resolv_list(struct hci_dev *hdev,
1688 				       struct sk_buff *skb)
1689 {
1690 	__u8 status = *((__u8 *) skb->data);
1691 
1692 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1693 
1694 	if (status)
1695 		return;
1696 
1697 	hci_bdaddr_list_clear(&hdev->le_resolv_list);
1698 }
1699 
1700 static void hci_cc_le_read_resolv_list_size(struct hci_dev *hdev,
1701 					   struct sk_buff *skb)
1702 {
1703 	struct hci_rp_le_read_resolv_list_size *rp = (void *) skb->data;
1704 
1705 	BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1706 
1707 	if (rp->status)
1708 		return;
1709 
1710 	hdev->le_resolv_list_size = rp->size;
1711 }
1712 
1713 static void hci_cc_le_set_addr_resolution_enable(struct hci_dev *hdev,
1714 						struct sk_buff *skb)
1715 {
1716 	__u8 *sent, status = *((__u8 *) skb->data);
1717 
1718 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1719 
1720 	if (status)
1721 		return;
1722 
1723 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE);
1724 	if (!sent)
1725 		return;
1726 
1727 	hci_dev_lock(hdev);
1728 
1729 	if (*sent)
1730 		hci_dev_set_flag(hdev, HCI_LL_RPA_RESOLUTION);
1731 	else
1732 		hci_dev_clear_flag(hdev, HCI_LL_RPA_RESOLUTION);
1733 
1734 	hci_dev_unlock(hdev);
1735 }
1736 
1737 static void hci_cc_le_read_max_data_len(struct hci_dev *hdev,
1738 					struct sk_buff *skb)
1739 {
1740 	struct hci_rp_le_read_max_data_len *rp = (void *) skb->data;
1741 
1742 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1743 
1744 	if (rp->status)
1745 		return;
1746 
1747 	hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
1748 	hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
1749 	hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
1750 	hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
1751 }
1752 
1753 static void hci_cc_write_le_host_supported(struct hci_dev *hdev,
1754 					   struct sk_buff *skb)
1755 {
1756 	struct hci_cp_write_le_host_supported *sent;
1757 	__u8 status = *((__u8 *) skb->data);
1758 
1759 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1760 
1761 	if (status)
1762 		return;
1763 
1764 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
1765 	if (!sent)
1766 		return;
1767 
1768 	hci_dev_lock(hdev);
1769 
1770 	if (sent->le) {
1771 		hdev->features[1][0] |= LMP_HOST_LE;
1772 		hci_dev_set_flag(hdev, HCI_LE_ENABLED);
1773 	} else {
1774 		hdev->features[1][0] &= ~LMP_HOST_LE;
1775 		hci_dev_clear_flag(hdev, HCI_LE_ENABLED);
1776 		hci_dev_clear_flag(hdev, HCI_ADVERTISING);
1777 	}
1778 
1779 	if (sent->simul)
1780 		hdev->features[1][0] |= LMP_HOST_LE_BREDR;
1781 	else
1782 		hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
1783 
1784 	hci_dev_unlock(hdev);
1785 }
1786 
1787 static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1788 {
1789 	struct hci_cp_le_set_adv_param *cp;
1790 	u8 status = *((u8 *) skb->data);
1791 
1792 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1793 
1794 	if (status)
1795 		return;
1796 
1797 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
1798 	if (!cp)
1799 		return;
1800 
1801 	hci_dev_lock(hdev);
1802 	hdev->adv_addr_type = cp->own_address_type;
1803 	hci_dev_unlock(hdev);
1804 }
1805 
1806 static void hci_cc_set_ext_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1807 {
1808 	struct hci_rp_le_set_ext_adv_params *rp = (void *) skb->data;
1809 	struct hci_cp_le_set_ext_adv_params *cp;
1810 	struct adv_info *adv_instance;
1811 
1812 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1813 
1814 	if (rp->status)
1815 		return;
1816 
1817 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS);
1818 	if (!cp)
1819 		return;
1820 
1821 	hci_dev_lock(hdev);
1822 	hdev->adv_addr_type = cp->own_addr_type;
1823 	if (!cp->handle) {
1824 		/* Store in hdev for instance 0 */
1825 		hdev->adv_tx_power = rp->tx_power;
1826 	} else {
1827 		adv_instance = hci_find_adv_instance(hdev, cp->handle);
1828 		if (adv_instance)
1829 			adv_instance->tx_power = rp->tx_power;
1830 	}
1831 	/* Update adv data as tx power is known now */
1832 	hci_req_update_adv_data(hdev, cp->handle);
1833 
1834 	hci_dev_unlock(hdev);
1835 }
1836 
1837 static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb)
1838 {
1839 	struct hci_rp_read_rssi *rp = (void *) skb->data;
1840 	struct hci_conn *conn;
1841 
1842 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1843 
1844 	if (rp->status)
1845 		return;
1846 
1847 	hci_dev_lock(hdev);
1848 
1849 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1850 	if (conn)
1851 		conn->rssi = rp->rssi;
1852 
1853 	hci_dev_unlock(hdev);
1854 }
1855 
1856 static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb)
1857 {
1858 	struct hci_cp_read_tx_power *sent;
1859 	struct hci_rp_read_tx_power *rp = (void *) skb->data;
1860 	struct hci_conn *conn;
1861 
1862 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1863 
1864 	if (rp->status)
1865 		return;
1866 
1867 	sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
1868 	if (!sent)
1869 		return;
1870 
1871 	hci_dev_lock(hdev);
1872 
1873 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1874 	if (!conn)
1875 		goto unlock;
1876 
1877 	switch (sent->type) {
1878 	case 0x00:
1879 		conn->tx_power = rp->tx_power;
1880 		break;
1881 	case 0x01:
1882 		conn->max_tx_power = rp->tx_power;
1883 		break;
1884 	}
1885 
1886 unlock:
1887 	hci_dev_unlock(hdev);
1888 }
1889 
1890 static void hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, struct sk_buff *skb)
1891 {
1892 	u8 status = *((u8 *) skb->data);
1893 	u8 *mode;
1894 
1895 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1896 
1897 	if (status)
1898 		return;
1899 
1900 	mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);
1901 	if (mode)
1902 		hdev->ssp_debug_mode = *mode;
1903 }
1904 
1905 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
1906 {
1907 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1908 
1909 	if (status) {
1910 		hci_conn_check_pending(hdev);
1911 		return;
1912 	}
1913 
1914 	set_bit(HCI_INQUIRY, &hdev->flags);
1915 }
1916 
1917 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
1918 {
1919 	struct hci_cp_create_conn *cp;
1920 	struct hci_conn *conn;
1921 
1922 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1923 
1924 	cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
1925 	if (!cp)
1926 		return;
1927 
1928 	hci_dev_lock(hdev);
1929 
1930 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1931 
1932 	BT_DBG("%s bdaddr %pMR hcon %p", hdev->name, &cp->bdaddr, conn);
1933 
1934 	if (status) {
1935 		if (conn && conn->state == BT_CONNECT) {
1936 			if (status != 0x0c || conn->attempt > 2) {
1937 				conn->state = BT_CLOSED;
1938 				hci_connect_cfm(conn, status);
1939 				hci_conn_del(conn);
1940 			} else
1941 				conn->state = BT_CONNECT2;
1942 		}
1943 	} else {
1944 		if (!conn) {
1945 			conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr,
1946 					    HCI_ROLE_MASTER);
1947 			if (!conn)
1948 				bt_dev_err(hdev, "no memory for new connection");
1949 		}
1950 	}
1951 
1952 	hci_dev_unlock(hdev);
1953 }
1954 
1955 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
1956 {
1957 	struct hci_cp_add_sco *cp;
1958 	struct hci_conn *acl, *sco;
1959 	__u16 handle;
1960 
1961 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1962 
1963 	if (!status)
1964 		return;
1965 
1966 	cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
1967 	if (!cp)
1968 		return;
1969 
1970 	handle = __le16_to_cpu(cp->handle);
1971 
1972 	BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1973 
1974 	hci_dev_lock(hdev);
1975 
1976 	acl = hci_conn_hash_lookup_handle(hdev, handle);
1977 	if (acl) {
1978 		sco = acl->link;
1979 		if (sco) {
1980 			sco->state = BT_CLOSED;
1981 
1982 			hci_connect_cfm(sco, status);
1983 			hci_conn_del(sco);
1984 		}
1985 	}
1986 
1987 	hci_dev_unlock(hdev);
1988 }
1989 
1990 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
1991 {
1992 	struct hci_cp_auth_requested *cp;
1993 	struct hci_conn *conn;
1994 
1995 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1996 
1997 	if (!status)
1998 		return;
1999 
2000 	cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
2001 	if (!cp)
2002 		return;
2003 
2004 	hci_dev_lock(hdev);
2005 
2006 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2007 	if (conn) {
2008 		if (conn->state == BT_CONFIG) {
2009 			hci_connect_cfm(conn, status);
2010 			hci_conn_drop(conn);
2011 		}
2012 	}
2013 
2014 	hci_dev_unlock(hdev);
2015 }
2016 
2017 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
2018 {
2019 	struct hci_cp_set_conn_encrypt *cp;
2020 	struct hci_conn *conn;
2021 
2022 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
2023 
2024 	if (!status)
2025 		return;
2026 
2027 	cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
2028 	if (!cp)
2029 		return;
2030 
2031 	hci_dev_lock(hdev);
2032 
2033 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2034 	if (conn) {
2035 		if (conn->state == BT_CONFIG) {
2036 			hci_connect_cfm(conn, status);
2037 			hci_conn_drop(conn);
2038 		}
2039 	}
2040 
2041 	hci_dev_unlock(hdev);
2042 }
2043 
2044 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
2045 				    struct hci_conn *conn)
2046 {
2047 	if (conn->state != BT_CONFIG || !conn->out)
2048 		return 0;
2049 
2050 	if (conn->pending_sec_level == BT_SECURITY_SDP)
2051 		return 0;
2052 
2053 	/* Only request authentication for SSP connections or non-SSP
2054 	 * devices with sec_level MEDIUM or HIGH or if MITM protection
2055 	 * is requested.
2056 	 */
2057 	if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
2058 	    conn->pending_sec_level != BT_SECURITY_FIPS &&
2059 	    conn->pending_sec_level != BT_SECURITY_HIGH &&
2060 	    conn->pending_sec_level != BT_SECURITY_MEDIUM)
2061 		return 0;
2062 
2063 	return 1;
2064 }
2065 
2066 static int hci_resolve_name(struct hci_dev *hdev,
2067 				   struct inquiry_entry *e)
2068 {
2069 	struct hci_cp_remote_name_req cp;
2070 
2071 	memset(&cp, 0, sizeof(cp));
2072 
2073 	bacpy(&cp.bdaddr, &e->data.bdaddr);
2074 	cp.pscan_rep_mode = e->data.pscan_rep_mode;
2075 	cp.pscan_mode = e->data.pscan_mode;
2076 	cp.clock_offset = e->data.clock_offset;
2077 
2078 	return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2079 }
2080 
2081 static bool hci_resolve_next_name(struct hci_dev *hdev)
2082 {
2083 	struct discovery_state *discov = &hdev->discovery;
2084 	struct inquiry_entry *e;
2085 
2086 	if (list_empty(&discov->resolve))
2087 		return false;
2088 
2089 	e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2090 	if (!e)
2091 		return false;
2092 
2093 	if (hci_resolve_name(hdev, e) == 0) {
2094 		e->name_state = NAME_PENDING;
2095 		return true;
2096 	}
2097 
2098 	return false;
2099 }
2100 
2101 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
2102 				   bdaddr_t *bdaddr, u8 *name, u8 name_len)
2103 {
2104 	struct discovery_state *discov = &hdev->discovery;
2105 	struct inquiry_entry *e;
2106 
2107 	/* Update the mgmt connected state if necessary. Be careful with
2108 	 * conn objects that exist but are not (yet) connected however.
2109 	 * Only those in BT_CONFIG or BT_CONNECTED states can be
2110 	 * considered connected.
2111 	 */
2112 	if (conn &&
2113 	    (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) &&
2114 	    !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2115 		mgmt_device_connected(hdev, conn, name, name_len);
2116 
2117 	if (discov->state == DISCOVERY_STOPPED)
2118 		return;
2119 
2120 	if (discov->state == DISCOVERY_STOPPING)
2121 		goto discov_complete;
2122 
2123 	if (discov->state != DISCOVERY_RESOLVING)
2124 		return;
2125 
2126 	e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
2127 	/* If the device was not found in a list of found devices names of which
2128 	 * are pending. there is no need to continue resolving a next name as it
2129 	 * will be done upon receiving another Remote Name Request Complete
2130 	 * Event */
2131 	if (!e)
2132 		return;
2133 
2134 	list_del(&e->list);
2135 	if (name) {
2136 		e->name_state = NAME_KNOWN;
2137 		mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,
2138 				 e->data.rssi, name, name_len);
2139 	} else {
2140 		e->name_state = NAME_NOT_KNOWN;
2141 	}
2142 
2143 	if (hci_resolve_next_name(hdev))
2144 		return;
2145 
2146 discov_complete:
2147 	hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2148 }
2149 
2150 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
2151 {
2152 	struct hci_cp_remote_name_req *cp;
2153 	struct hci_conn *conn;
2154 
2155 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
2156 
2157 	/* If successful wait for the name req complete event before
2158 	 * checking for the need to do authentication */
2159 	if (!status)
2160 		return;
2161 
2162 	cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
2163 	if (!cp)
2164 		return;
2165 
2166 	hci_dev_lock(hdev);
2167 
2168 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2169 
2170 	if (hci_dev_test_flag(hdev, HCI_MGMT))
2171 		hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
2172 
2173 	if (!conn)
2174 		goto unlock;
2175 
2176 	if (!hci_outgoing_auth_needed(hdev, conn))
2177 		goto unlock;
2178 
2179 	if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2180 		struct hci_cp_auth_requested auth_cp;
2181 
2182 		set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2183 
2184 		auth_cp.handle = __cpu_to_le16(conn->handle);
2185 		hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
2186 			     sizeof(auth_cp), &auth_cp);
2187 	}
2188 
2189 unlock:
2190 	hci_dev_unlock(hdev);
2191 }
2192 
2193 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
2194 {
2195 	struct hci_cp_read_remote_features *cp;
2196 	struct hci_conn *conn;
2197 
2198 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
2199 
2200 	if (!status)
2201 		return;
2202 
2203 	cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
2204 	if (!cp)
2205 		return;
2206 
2207 	hci_dev_lock(hdev);
2208 
2209 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2210 	if (conn) {
2211 		if (conn->state == BT_CONFIG) {
2212 			hci_connect_cfm(conn, status);
2213 			hci_conn_drop(conn);
2214 		}
2215 	}
2216 
2217 	hci_dev_unlock(hdev);
2218 }
2219 
2220 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
2221 {
2222 	struct hci_cp_read_remote_ext_features *cp;
2223 	struct hci_conn *conn;
2224 
2225 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
2226 
2227 	if (!status)
2228 		return;
2229 
2230 	cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
2231 	if (!cp)
2232 		return;
2233 
2234 	hci_dev_lock(hdev);
2235 
2236 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2237 	if (conn) {
2238 		if (conn->state == BT_CONFIG) {
2239 			hci_connect_cfm(conn, status);
2240 			hci_conn_drop(conn);
2241 		}
2242 	}
2243 
2244 	hci_dev_unlock(hdev);
2245 }
2246 
2247 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2248 {
2249 	struct hci_cp_setup_sync_conn *cp;
2250 	struct hci_conn *acl, *sco;
2251 	__u16 handle;
2252 
2253 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
2254 
2255 	if (!status)
2256 		return;
2257 
2258 	cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
2259 	if (!cp)
2260 		return;
2261 
2262 	handle = __le16_to_cpu(cp->handle);
2263 
2264 	BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
2265 
2266 	hci_dev_lock(hdev);
2267 
2268 	acl = hci_conn_hash_lookup_handle(hdev, handle);
2269 	if (acl) {
2270 		sco = acl->link;
2271 		if (sco) {
2272 			sco->state = BT_CLOSED;
2273 
2274 			hci_connect_cfm(sco, status);
2275 			hci_conn_del(sco);
2276 		}
2277 	}
2278 
2279 	hci_dev_unlock(hdev);
2280 }
2281 
2282 static void hci_cs_enhanced_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2283 {
2284 	struct hci_cp_enhanced_setup_sync_conn *cp;
2285 	struct hci_conn *acl, *sco;
2286 	__u16 handle;
2287 
2288 	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2289 
2290 	if (!status)
2291 		return;
2292 
2293 	cp = hci_sent_cmd_data(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN);
2294 	if (!cp)
2295 		return;
2296 
2297 	handle = __le16_to_cpu(cp->handle);
2298 
2299 	bt_dev_dbg(hdev, "handle 0x%4.4x", handle);
2300 
2301 	hci_dev_lock(hdev);
2302 
2303 	acl = hci_conn_hash_lookup_handle(hdev, handle);
2304 	if (acl) {
2305 		sco = acl->link;
2306 		if (sco) {
2307 			sco->state = BT_CLOSED;
2308 
2309 			hci_connect_cfm(sco, status);
2310 			hci_conn_del(sco);
2311 		}
2312 	}
2313 
2314 	hci_dev_unlock(hdev);
2315 }
2316 
2317 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
2318 {
2319 	struct hci_cp_sniff_mode *cp;
2320 	struct hci_conn *conn;
2321 
2322 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
2323 
2324 	if (!status)
2325 		return;
2326 
2327 	cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
2328 	if (!cp)
2329 		return;
2330 
2331 	hci_dev_lock(hdev);
2332 
2333 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2334 	if (conn) {
2335 		clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2336 
2337 		if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2338 			hci_sco_setup(conn, status);
2339 	}
2340 
2341 	hci_dev_unlock(hdev);
2342 }
2343 
2344 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
2345 {
2346 	struct hci_cp_exit_sniff_mode *cp;
2347 	struct hci_conn *conn;
2348 
2349 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
2350 
2351 	if (!status)
2352 		return;
2353 
2354 	cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
2355 	if (!cp)
2356 		return;
2357 
2358 	hci_dev_lock(hdev);
2359 
2360 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2361 	if (conn) {
2362 		clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2363 
2364 		if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2365 			hci_sco_setup(conn, status);
2366 	}
2367 
2368 	hci_dev_unlock(hdev);
2369 }
2370 
2371 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
2372 {
2373 	struct hci_cp_disconnect *cp;
2374 	struct hci_conn *conn;
2375 
2376 	if (!status)
2377 		return;
2378 
2379 	cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
2380 	if (!cp)
2381 		return;
2382 
2383 	hci_dev_lock(hdev);
2384 
2385 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2386 	if (conn) {
2387 		mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2388 				       conn->dst_type, status);
2389 
2390 		if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) {
2391 			hdev->cur_adv_instance = conn->adv_instance;
2392 			hci_req_reenable_advertising(hdev);
2393 		}
2394 
2395 		/* If the disconnection failed for any reason, the upper layer
2396 		 * does not retry to disconnect in current implementation.
2397 		 * Hence, we need to do some basic cleanup here and re-enable
2398 		 * advertising if necessary.
2399 		 */
2400 		hci_conn_del(conn);
2401 	}
2402 
2403 	hci_dev_unlock(hdev);
2404 }
2405 
2406 static u8 ev_bdaddr_type(struct hci_dev *hdev, u8 type, bool *resolved)
2407 {
2408 	/* When using controller based address resolution, then the new
2409 	 * address types 0x02 and 0x03 are used. These types need to be
2410 	 * converted back into either public address or random address type
2411 	 */
2412 	switch (type) {
2413 	case ADDR_LE_DEV_PUBLIC_RESOLVED:
2414 		if (resolved)
2415 			*resolved = true;
2416 		return ADDR_LE_DEV_PUBLIC;
2417 	case ADDR_LE_DEV_RANDOM_RESOLVED:
2418 		if (resolved)
2419 			*resolved = true;
2420 		return ADDR_LE_DEV_RANDOM;
2421 	}
2422 
2423 	if (resolved)
2424 		*resolved = false;
2425 	return type;
2426 }
2427 
2428 static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr,
2429 			      u8 peer_addr_type, u8 own_address_type,
2430 			      u8 filter_policy)
2431 {
2432 	struct hci_conn *conn;
2433 
2434 	conn = hci_conn_hash_lookup_le(hdev, peer_addr,
2435 				       peer_addr_type);
2436 	if (!conn)
2437 		return;
2438 
2439 	own_address_type = ev_bdaddr_type(hdev, own_address_type, NULL);
2440 
2441 	/* Store the initiator and responder address information which
2442 	 * is needed for SMP. These values will not change during the
2443 	 * lifetime of the connection.
2444 	 */
2445 	conn->init_addr_type = own_address_type;
2446 	if (own_address_type == ADDR_LE_DEV_RANDOM)
2447 		bacpy(&conn->init_addr, &hdev->random_addr);
2448 	else
2449 		bacpy(&conn->init_addr, &hdev->bdaddr);
2450 
2451 	conn->resp_addr_type = peer_addr_type;
2452 	bacpy(&conn->resp_addr, peer_addr);
2453 
2454 	/* We don't want the connection attempt to stick around
2455 	 * indefinitely since LE doesn't have a page timeout concept
2456 	 * like BR/EDR. Set a timer for any connection that doesn't use
2457 	 * the accept list for connecting.
2458 	 */
2459 	if (filter_policy == HCI_LE_USE_PEER_ADDR)
2460 		queue_delayed_work(conn->hdev->workqueue,
2461 				   &conn->le_conn_timeout,
2462 				   conn->conn_timeout);
2463 }
2464 
2465 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
2466 {
2467 	struct hci_cp_le_create_conn *cp;
2468 
2469 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
2470 
2471 	/* All connection failure handling is taken care of by the
2472 	 * hci_le_conn_failed function which is triggered by the HCI
2473 	 * request completion callbacks used for connecting.
2474 	 */
2475 	if (status)
2476 		return;
2477 
2478 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
2479 	if (!cp)
2480 		return;
2481 
2482 	hci_dev_lock(hdev);
2483 
2484 	cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2485 			  cp->own_address_type, cp->filter_policy);
2486 
2487 	hci_dev_unlock(hdev);
2488 }
2489 
2490 static void hci_cs_le_ext_create_conn(struct hci_dev *hdev, u8 status)
2491 {
2492 	struct hci_cp_le_ext_create_conn *cp;
2493 
2494 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
2495 
2496 	/* All connection failure handling is taken care of by the
2497 	 * hci_le_conn_failed function which is triggered by the HCI
2498 	 * request completion callbacks used for connecting.
2499 	 */
2500 	if (status)
2501 		return;
2502 
2503 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_EXT_CREATE_CONN);
2504 	if (!cp)
2505 		return;
2506 
2507 	hci_dev_lock(hdev);
2508 
2509 	cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2510 			  cp->own_addr_type, cp->filter_policy);
2511 
2512 	hci_dev_unlock(hdev);
2513 }
2514 
2515 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)
2516 {
2517 	struct hci_cp_le_read_remote_features *cp;
2518 	struct hci_conn *conn;
2519 
2520 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
2521 
2522 	if (!status)
2523 		return;
2524 
2525 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);
2526 	if (!cp)
2527 		return;
2528 
2529 	hci_dev_lock(hdev);
2530 
2531 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2532 	if (conn) {
2533 		if (conn->state == BT_CONFIG) {
2534 			hci_connect_cfm(conn, status);
2535 			hci_conn_drop(conn);
2536 		}
2537 	}
2538 
2539 	hci_dev_unlock(hdev);
2540 }
2541 
2542 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
2543 {
2544 	struct hci_cp_le_start_enc *cp;
2545 	struct hci_conn *conn;
2546 
2547 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
2548 
2549 	if (!status)
2550 		return;
2551 
2552 	hci_dev_lock(hdev);
2553 
2554 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
2555 	if (!cp)
2556 		goto unlock;
2557 
2558 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2559 	if (!conn)
2560 		goto unlock;
2561 
2562 	if (conn->state != BT_CONNECTED)
2563 		goto unlock;
2564 
2565 	hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2566 	hci_conn_drop(conn);
2567 
2568 unlock:
2569 	hci_dev_unlock(hdev);
2570 }
2571 
2572 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
2573 {
2574 	struct hci_cp_switch_role *cp;
2575 	struct hci_conn *conn;
2576 
2577 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
2578 
2579 	if (!status)
2580 		return;
2581 
2582 	cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
2583 	if (!cp)
2584 		return;
2585 
2586 	hci_dev_lock(hdev);
2587 
2588 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2589 	if (conn)
2590 		clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
2591 
2592 	hci_dev_unlock(hdev);
2593 }
2594 
2595 static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2596 {
2597 	__u8 status = *((__u8 *) skb->data);
2598 	struct discovery_state *discov = &hdev->discovery;
2599 	struct inquiry_entry *e;
2600 
2601 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
2602 
2603 	hci_conn_check_pending(hdev);
2604 
2605 	if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
2606 		return;
2607 
2608 	smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
2609 	wake_up_bit(&hdev->flags, HCI_INQUIRY);
2610 
2611 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
2612 		return;
2613 
2614 	hci_dev_lock(hdev);
2615 
2616 	if (discov->state != DISCOVERY_FINDING)
2617 		goto unlock;
2618 
2619 	if (list_empty(&discov->resolve)) {
2620 		/* When BR/EDR inquiry is active and no LE scanning is in
2621 		 * progress, then change discovery state to indicate completion.
2622 		 *
2623 		 * When running LE scanning and BR/EDR inquiry simultaneously
2624 		 * and the LE scan already finished, then change the discovery
2625 		 * state to indicate completion.
2626 		 */
2627 		if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2628 		    !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2629 			hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2630 		goto unlock;
2631 	}
2632 
2633 	e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2634 	if (e && hci_resolve_name(hdev, e) == 0) {
2635 		e->name_state = NAME_PENDING;
2636 		hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
2637 	} else {
2638 		/* When BR/EDR inquiry is active and no LE scanning is in
2639 		 * progress, then change discovery state to indicate completion.
2640 		 *
2641 		 * When running LE scanning and BR/EDR inquiry simultaneously
2642 		 * and the LE scan already finished, then change the discovery
2643 		 * state to indicate completion.
2644 		 */
2645 		if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2646 		    !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2647 			hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2648 	}
2649 
2650 unlock:
2651 	hci_dev_unlock(hdev);
2652 }
2653 
2654 static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
2655 {
2656 	struct inquiry_data data;
2657 	struct inquiry_info *info = (void *) (skb->data + 1);
2658 	int num_rsp = *((__u8 *) skb->data);
2659 
2660 	BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
2661 
2662 	if (!num_rsp || skb->len < num_rsp * sizeof(*info) + 1)
2663 		return;
2664 
2665 	if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
2666 		return;
2667 
2668 	hci_dev_lock(hdev);
2669 
2670 	for (; num_rsp; num_rsp--, info++) {
2671 		u32 flags;
2672 
2673 		bacpy(&data.bdaddr, &info->bdaddr);
2674 		data.pscan_rep_mode	= info->pscan_rep_mode;
2675 		data.pscan_period_mode	= info->pscan_period_mode;
2676 		data.pscan_mode		= info->pscan_mode;
2677 		memcpy(data.dev_class, info->dev_class, 3);
2678 		data.clock_offset	= info->clock_offset;
2679 		data.rssi		= HCI_RSSI_INVALID;
2680 		data.ssp_mode		= 0x00;
2681 
2682 		flags = hci_inquiry_cache_update(hdev, &data, false);
2683 
2684 		mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
2685 				  info->dev_class, HCI_RSSI_INVALID,
2686 				  flags, NULL, 0, NULL, 0);
2687 	}
2688 
2689 	hci_dev_unlock(hdev);
2690 }
2691 
2692 static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2693 {
2694 	struct hci_ev_conn_complete *ev = (void *) skb->data;
2695 	struct hci_conn *conn;
2696 
2697 	BT_DBG("%s", hdev->name);
2698 
2699 	hci_dev_lock(hdev);
2700 
2701 	conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
2702 	if (!conn) {
2703 		/* Connection may not exist if auto-connected. Check the bredr
2704 		 * allowlist to see if this device is allowed to auto connect.
2705 		 * If link is an ACL type, create a connection class
2706 		 * automatically.
2707 		 *
2708 		 * Auto-connect will only occur if the event filter is
2709 		 * programmed with a given address. Right now, event filter is
2710 		 * only used during suspend.
2711 		 */
2712 		if (ev->link_type == ACL_LINK &&
2713 		    hci_bdaddr_list_lookup_with_flags(&hdev->accept_list,
2714 						      &ev->bdaddr,
2715 						      BDADDR_BREDR)) {
2716 			conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,
2717 					    HCI_ROLE_SLAVE);
2718 			if (!conn) {
2719 				bt_dev_err(hdev, "no memory for new conn");
2720 				goto unlock;
2721 			}
2722 		} else {
2723 			if (ev->link_type != SCO_LINK)
2724 				goto unlock;
2725 
2726 			conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK,
2727 						       &ev->bdaddr);
2728 			if (!conn)
2729 				goto unlock;
2730 
2731 			conn->type = SCO_LINK;
2732 		}
2733 	}
2734 
2735 	if (!ev->status) {
2736 		conn->handle = __le16_to_cpu(ev->handle);
2737 
2738 		if (conn->type == ACL_LINK) {
2739 			conn->state = BT_CONFIG;
2740 			hci_conn_hold(conn);
2741 
2742 			if (!conn->out && !hci_conn_ssp_enabled(conn) &&
2743 			    !hci_find_link_key(hdev, &ev->bdaddr))
2744 				conn->disc_timeout = HCI_PAIRING_TIMEOUT;
2745 			else
2746 				conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2747 		} else
2748 			conn->state = BT_CONNECTED;
2749 
2750 		hci_debugfs_create_conn(conn);
2751 		hci_conn_add_sysfs(conn);
2752 
2753 		if (test_bit(HCI_AUTH, &hdev->flags))
2754 			set_bit(HCI_CONN_AUTH, &conn->flags);
2755 
2756 		if (test_bit(HCI_ENCRYPT, &hdev->flags))
2757 			set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2758 
2759 		/* Get remote features */
2760 		if (conn->type == ACL_LINK) {
2761 			struct hci_cp_read_remote_features cp;
2762 			cp.handle = ev->handle;
2763 			hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
2764 				     sizeof(cp), &cp);
2765 
2766 			hci_req_update_scan(hdev);
2767 		}
2768 
2769 		/* Set packet type for incoming connection */
2770 		if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
2771 			struct hci_cp_change_conn_ptype cp;
2772 			cp.handle = ev->handle;
2773 			cp.pkt_type = cpu_to_le16(conn->pkt_type);
2774 			hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
2775 				     &cp);
2776 		}
2777 	} else {
2778 		conn->state = BT_CLOSED;
2779 		if (conn->type == ACL_LINK)
2780 			mgmt_connect_failed(hdev, &conn->dst, conn->type,
2781 					    conn->dst_type, ev->status);
2782 	}
2783 
2784 	if (conn->type == ACL_LINK)
2785 		hci_sco_setup(conn, ev->status);
2786 
2787 	if (ev->status) {
2788 		hci_connect_cfm(conn, ev->status);
2789 		hci_conn_del(conn);
2790 	} else if (ev->link_type == SCO_LINK) {
2791 		switch (conn->setting & SCO_AIRMODE_MASK) {
2792 		case SCO_AIRMODE_CVSD:
2793 			if (hdev->notify)
2794 				hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
2795 			break;
2796 		}
2797 
2798 		hci_connect_cfm(conn, ev->status);
2799 	}
2800 
2801 unlock:
2802 	hci_dev_unlock(hdev);
2803 
2804 	hci_conn_check_pending(hdev);
2805 }
2806 
2807 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
2808 {
2809 	struct hci_cp_reject_conn_req cp;
2810 
2811 	bacpy(&cp.bdaddr, bdaddr);
2812 	cp.reason = HCI_ERROR_REJ_BAD_ADDR;
2813 	hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
2814 }
2815 
2816 static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2817 {
2818 	struct hci_ev_conn_request *ev = (void *) skb->data;
2819 	int mask = hdev->link_mode;
2820 	struct inquiry_entry *ie;
2821 	struct hci_conn *conn;
2822 	__u8 flags = 0;
2823 
2824 	BT_DBG("%s bdaddr %pMR type 0x%x", hdev->name, &ev->bdaddr,
2825 	       ev->link_type);
2826 
2827 	mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
2828 				      &flags);
2829 
2830 	if (!(mask & HCI_LM_ACCEPT)) {
2831 		hci_reject_conn(hdev, &ev->bdaddr);
2832 		return;
2833 	}
2834 
2835 	if (hci_bdaddr_list_lookup(&hdev->reject_list, &ev->bdaddr,
2836 				   BDADDR_BREDR)) {
2837 		hci_reject_conn(hdev, &ev->bdaddr);
2838 		return;
2839 	}
2840 
2841 	/* Require HCI_CONNECTABLE or an accept list entry to accept the
2842 	 * connection. These features are only touched through mgmt so
2843 	 * only do the checks if HCI_MGMT is set.
2844 	 */
2845 	if (hci_dev_test_flag(hdev, HCI_MGMT) &&
2846 	    !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
2847 	    !hci_bdaddr_list_lookup_with_flags(&hdev->accept_list, &ev->bdaddr,
2848 					       BDADDR_BREDR)) {
2849 		hci_reject_conn(hdev, &ev->bdaddr);
2850 		return;
2851 	}
2852 
2853 	/* Connection accepted */
2854 
2855 	hci_dev_lock(hdev);
2856 
2857 	ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
2858 	if (ie)
2859 		memcpy(ie->data.dev_class, ev->dev_class, 3);
2860 
2861 	conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
2862 			&ev->bdaddr);
2863 	if (!conn) {
2864 		conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,
2865 				    HCI_ROLE_SLAVE);
2866 		if (!conn) {
2867 			bt_dev_err(hdev, "no memory for new connection");
2868 			hci_dev_unlock(hdev);
2869 			return;
2870 		}
2871 	}
2872 
2873 	memcpy(conn->dev_class, ev->dev_class, 3);
2874 
2875 	hci_dev_unlock(hdev);
2876 
2877 	if (ev->link_type == ACL_LINK ||
2878 	    (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
2879 		struct hci_cp_accept_conn_req cp;
2880 		conn->state = BT_CONNECT;
2881 
2882 		bacpy(&cp.bdaddr, &ev->bdaddr);
2883 
2884 		if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
2885 			cp.role = 0x00; /* Become central */
2886 		else
2887 			cp.role = 0x01; /* Remain peripheral */
2888 
2889 		hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
2890 	} else if (!(flags & HCI_PROTO_DEFER)) {
2891 		struct hci_cp_accept_sync_conn_req cp;
2892 		conn->state = BT_CONNECT;
2893 
2894 		bacpy(&cp.bdaddr, &ev->bdaddr);
2895 		cp.pkt_type = cpu_to_le16(conn->pkt_type);
2896 
2897 		cp.tx_bandwidth   = cpu_to_le32(0x00001f40);
2898 		cp.rx_bandwidth   = cpu_to_le32(0x00001f40);
2899 		cp.max_latency    = cpu_to_le16(0xffff);
2900 		cp.content_format = cpu_to_le16(hdev->voice_setting);
2901 		cp.retrans_effort = 0xff;
2902 
2903 		hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
2904 			     &cp);
2905 	} else {
2906 		conn->state = BT_CONNECT2;
2907 		hci_connect_cfm(conn, 0);
2908 	}
2909 }
2910 
2911 static u8 hci_to_mgmt_reason(u8 err)
2912 {
2913 	switch (err) {
2914 	case HCI_ERROR_CONNECTION_TIMEOUT:
2915 		return MGMT_DEV_DISCONN_TIMEOUT;
2916 	case HCI_ERROR_REMOTE_USER_TERM:
2917 	case HCI_ERROR_REMOTE_LOW_RESOURCES:
2918 	case HCI_ERROR_REMOTE_POWER_OFF:
2919 		return MGMT_DEV_DISCONN_REMOTE;
2920 	case HCI_ERROR_LOCAL_HOST_TERM:
2921 		return MGMT_DEV_DISCONN_LOCAL_HOST;
2922 	default:
2923 		return MGMT_DEV_DISCONN_UNKNOWN;
2924 	}
2925 }
2926 
2927 static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2928 {
2929 	struct hci_ev_disconn_complete *ev = (void *) skb->data;
2930 	u8 reason;
2931 	struct hci_conn_params *params;
2932 	struct hci_conn *conn;
2933 	bool mgmt_connected;
2934 
2935 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2936 
2937 	hci_dev_lock(hdev);
2938 
2939 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2940 	if (!conn)
2941 		goto unlock;
2942 
2943 	if (ev->status) {
2944 		mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2945 				       conn->dst_type, ev->status);
2946 		goto unlock;
2947 	}
2948 
2949 	conn->state = BT_CLOSED;
2950 
2951 	mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2952 
2953 	if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags))
2954 		reason = MGMT_DEV_DISCONN_AUTH_FAILURE;
2955 	else
2956 		reason = hci_to_mgmt_reason(ev->reason);
2957 
2958 	mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2959 				reason, mgmt_connected);
2960 
2961 	if (conn->type == ACL_LINK) {
2962 		if (test_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2963 			hci_remove_link_key(hdev, &conn->dst);
2964 
2965 		hci_req_update_scan(hdev);
2966 	}
2967 
2968 	params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2969 	if (params) {
2970 		switch (params->auto_connect) {
2971 		case HCI_AUTO_CONN_LINK_LOSS:
2972 			if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2973 				break;
2974 			fallthrough;
2975 
2976 		case HCI_AUTO_CONN_DIRECT:
2977 		case HCI_AUTO_CONN_ALWAYS:
2978 			list_del_init(&params->action);
2979 			list_add(&params->action, &hdev->pend_le_conns);
2980 			hci_update_background_scan(hdev);
2981 			break;
2982 
2983 		default:
2984 			break;
2985 		}
2986 	}
2987 
2988 	hci_disconn_cfm(conn, ev->reason);
2989 
2990 	/* The suspend notifier is waiting for all devices to disconnect so
2991 	 * clear the bit from pending tasks and inform the wait queue.
2992 	 */
2993 	if (list_empty(&hdev->conn_hash.list) &&
2994 	    test_and_clear_bit(SUSPEND_DISCONNECTING, hdev->suspend_tasks)) {
2995 		wake_up(&hdev->suspend_wait_q);
2996 	}
2997 
2998 	/* Re-enable advertising if necessary, since it might
2999 	 * have been disabled by the connection. From the
3000 	 * HCI_LE_Set_Advertise_Enable command description in
3001 	 * the core specification (v4.0):
3002 	 * "The Controller shall continue advertising until the Host
3003 	 * issues an LE_Set_Advertise_Enable command with
3004 	 * Advertising_Enable set to 0x00 (Advertising is disabled)
3005 	 * or until a connection is created or until the Advertising
3006 	 * is timed out due to Directed Advertising."
3007 	 */
3008 	if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) {
3009 		hdev->cur_adv_instance = conn->adv_instance;
3010 		hci_req_reenable_advertising(hdev);
3011 	}
3012 
3013 	hci_conn_del(conn);
3014 
3015 unlock:
3016 	hci_dev_unlock(hdev);
3017 }
3018 
3019 static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
3020 {
3021 	struct hci_ev_auth_complete *ev = (void *) skb->data;
3022 	struct hci_conn *conn;
3023 
3024 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3025 
3026 	hci_dev_lock(hdev);
3027 
3028 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3029 	if (!conn)
3030 		goto unlock;
3031 
3032 	if (!ev->status) {
3033 		clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3034 
3035 		if (!hci_conn_ssp_enabled(conn) &&
3036 		    test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) {
3037 			bt_dev_info(hdev, "re-auth of legacy device is not possible.");
3038 		} else {
3039 			set_bit(HCI_CONN_AUTH, &conn->flags);
3040 			conn->sec_level = conn->pending_sec_level;
3041 		}
3042 	} else {
3043 		if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3044 			set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3045 
3046 		mgmt_auth_failed(conn, ev->status);
3047 	}
3048 
3049 	clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3050 	clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
3051 
3052 	if (conn->state == BT_CONFIG) {
3053 		if (!ev->status && hci_conn_ssp_enabled(conn)) {
3054 			struct hci_cp_set_conn_encrypt cp;
3055 			cp.handle  = ev->handle;
3056 			cp.encrypt = 0x01;
3057 			hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
3058 				     &cp);
3059 		} else {
3060 			conn->state = BT_CONNECTED;
3061 			hci_connect_cfm(conn, ev->status);
3062 			hci_conn_drop(conn);
3063 		}
3064 	} else {
3065 		hci_auth_cfm(conn, ev->status);
3066 
3067 		hci_conn_hold(conn);
3068 		conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3069 		hci_conn_drop(conn);
3070 	}
3071 
3072 	if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
3073 		if (!ev->status) {
3074 			struct hci_cp_set_conn_encrypt cp;
3075 			cp.handle  = ev->handle;
3076 			cp.encrypt = 0x01;
3077 			hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
3078 				     &cp);
3079 		} else {
3080 			clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3081 			hci_encrypt_cfm(conn, ev->status);
3082 		}
3083 	}
3084 
3085 unlock:
3086 	hci_dev_unlock(hdev);
3087 }
3088 
3089 static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb)
3090 {
3091 	struct hci_ev_remote_name *ev = (void *) skb->data;
3092 	struct hci_conn *conn;
3093 
3094 	BT_DBG("%s", hdev->name);
3095 
3096 	hci_conn_check_pending(hdev);
3097 
3098 	hci_dev_lock(hdev);
3099 
3100 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3101 
3102 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
3103 		goto check_auth;
3104 
3105 	if (ev->status == 0)
3106 		hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
3107 				       strnlen(ev->name, HCI_MAX_NAME_LENGTH));
3108 	else
3109 		hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
3110 
3111 check_auth:
3112 	if (!conn)
3113 		goto unlock;
3114 
3115 	if (!hci_outgoing_auth_needed(hdev, conn))
3116 		goto unlock;
3117 
3118 	if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
3119 		struct hci_cp_auth_requested cp;
3120 
3121 		set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
3122 
3123 		cp.handle = __cpu_to_le16(conn->handle);
3124 		hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
3125 	}
3126 
3127 unlock:
3128 	hci_dev_unlock(hdev);
3129 }
3130 
3131 static void read_enc_key_size_complete(struct hci_dev *hdev, u8 status,
3132 				       u16 opcode, struct sk_buff *skb)
3133 {
3134 	const struct hci_rp_read_enc_key_size *rp;
3135 	struct hci_conn *conn;
3136 	u16 handle;
3137 
3138 	BT_DBG("%s status 0x%02x", hdev->name, status);
3139 
3140 	if (!skb || skb->len < sizeof(*rp)) {
3141 		bt_dev_err(hdev, "invalid read key size response");
3142 		return;
3143 	}
3144 
3145 	rp = (void *)skb->data;
3146 	handle = le16_to_cpu(rp->handle);
3147 
3148 	hci_dev_lock(hdev);
3149 
3150 	conn = hci_conn_hash_lookup_handle(hdev, handle);
3151 	if (!conn)
3152 		goto unlock;
3153 
3154 	/* While unexpected, the read_enc_key_size command may fail. The most
3155 	 * secure approach is to then assume the key size is 0 to force a
3156 	 * disconnection.
3157 	 */
3158 	if (rp->status) {
3159 		bt_dev_err(hdev, "failed to read key size for handle %u",
3160 			   handle);
3161 		conn->enc_key_size = 0;
3162 	} else {
3163 		conn->enc_key_size = rp->key_size;
3164 	}
3165 
3166 	hci_encrypt_cfm(conn, 0);
3167 
3168 unlock:
3169 	hci_dev_unlock(hdev);
3170 }
3171 
3172 static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3173 {
3174 	struct hci_ev_encrypt_change *ev = (void *) skb->data;
3175 	struct hci_conn *conn;
3176 
3177 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3178 
3179 	hci_dev_lock(hdev);
3180 
3181 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3182 	if (!conn)
3183 		goto unlock;
3184 
3185 	if (!ev->status) {
3186 		if (ev->encrypt) {
3187 			/* Encryption implies authentication */
3188 			set_bit(HCI_CONN_AUTH, &conn->flags);
3189 			set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3190 			conn->sec_level = conn->pending_sec_level;
3191 
3192 			/* P-256 authentication key implies FIPS */
3193 			if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
3194 				set_bit(HCI_CONN_FIPS, &conn->flags);
3195 
3196 			if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
3197 			    conn->type == LE_LINK)
3198 				set_bit(HCI_CONN_AES_CCM, &conn->flags);
3199 		} else {
3200 			clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
3201 			clear_bit(HCI_CONN_AES_CCM, &conn->flags);
3202 		}
3203 	}
3204 
3205 	/* We should disregard the current RPA and generate a new one
3206 	 * whenever the encryption procedure fails.
3207 	 */
3208 	if (ev->status && conn->type == LE_LINK) {
3209 		hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
3210 		hci_adv_instances_set_rpa_expired(hdev, true);
3211 	}
3212 
3213 	clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3214 
3215 	/* Check link security requirements are met */
3216 	if (!hci_conn_check_link_mode(conn))
3217 		ev->status = HCI_ERROR_AUTH_FAILURE;
3218 
3219 	if (ev->status && conn->state == BT_CONNECTED) {
3220 		if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3221 			set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3222 
3223 		/* Notify upper layers so they can cleanup before
3224 		 * disconnecting.
3225 		 */
3226 		hci_encrypt_cfm(conn, ev->status);
3227 		hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3228 		hci_conn_drop(conn);
3229 		goto unlock;
3230 	}
3231 
3232 	/* Try reading the encryption key size for encrypted ACL links */
3233 	if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
3234 		struct hci_cp_read_enc_key_size cp;
3235 		struct hci_request req;
3236 
3237 		/* Only send HCI_Read_Encryption_Key_Size if the
3238 		 * controller really supports it. If it doesn't, assume
3239 		 * the default size (16).
3240 		 */
3241 		if (!(hdev->commands[20] & 0x10)) {
3242 			conn->enc_key_size = HCI_LINK_KEY_SIZE;
3243 			goto notify;
3244 		}
3245 
3246 		hci_req_init(&req, hdev);
3247 
3248 		cp.handle = cpu_to_le16(conn->handle);
3249 		hci_req_add(&req, HCI_OP_READ_ENC_KEY_SIZE, sizeof(cp), &cp);
3250 
3251 		if (hci_req_run_skb(&req, read_enc_key_size_complete)) {
3252 			bt_dev_err(hdev, "sending read key size failed");
3253 			conn->enc_key_size = HCI_LINK_KEY_SIZE;
3254 			goto notify;
3255 		}
3256 
3257 		goto unlock;
3258 	}
3259 
3260 	/* Set the default Authenticated Payload Timeout after
3261 	 * an LE Link is established. As per Core Spec v5.0, Vol 2, Part B
3262 	 * Section 3.3, the HCI command WRITE_AUTH_PAYLOAD_TIMEOUT should be
3263 	 * sent when the link is active and Encryption is enabled, the conn
3264 	 * type can be either LE or ACL and controller must support LMP Ping.
3265 	 * Ensure for AES-CCM encryption as well.
3266 	 */
3267 	if (test_bit(HCI_CONN_ENCRYPT, &conn->flags) &&
3268 	    test_bit(HCI_CONN_AES_CCM, &conn->flags) &&
3269 	    ((conn->type == ACL_LINK && lmp_ping_capable(hdev)) ||
3270 	     (conn->type == LE_LINK && (hdev->le_features[0] & HCI_LE_PING)))) {
3271 		struct hci_cp_write_auth_payload_to cp;
3272 
3273 		cp.handle = cpu_to_le16(conn->handle);
3274 		cp.timeout = cpu_to_le16(hdev->auth_payload_timeout);
3275 		hci_send_cmd(conn->hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO,
3276 			     sizeof(cp), &cp);
3277 	}
3278 
3279 notify:
3280 	hci_encrypt_cfm(conn, ev->status);
3281 
3282 unlock:
3283 	hci_dev_unlock(hdev);
3284 }
3285 
3286 static void hci_change_link_key_complete_evt(struct hci_dev *hdev,
3287 					     struct sk_buff *skb)
3288 {
3289 	struct hci_ev_change_link_key_complete *ev = (void *) skb->data;
3290 	struct hci_conn *conn;
3291 
3292 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3293 
3294 	hci_dev_lock(hdev);
3295 
3296 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3297 	if (conn) {
3298 		if (!ev->status)
3299 			set_bit(HCI_CONN_SECURE, &conn->flags);
3300 
3301 		clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3302 
3303 		hci_key_change_cfm(conn, ev->status);
3304 	}
3305 
3306 	hci_dev_unlock(hdev);
3307 }
3308 
3309 static void hci_remote_features_evt(struct hci_dev *hdev,
3310 				    struct sk_buff *skb)
3311 {
3312 	struct hci_ev_remote_features *ev = (void *) skb->data;
3313 	struct hci_conn *conn;
3314 
3315 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3316 
3317 	hci_dev_lock(hdev);
3318 
3319 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3320 	if (!conn)
3321 		goto unlock;
3322 
3323 	if (!ev->status)
3324 		memcpy(conn->features[0], ev->features, 8);
3325 
3326 	if (conn->state != BT_CONFIG)
3327 		goto unlock;
3328 
3329 	if (!ev->status && lmp_ext_feat_capable(hdev) &&
3330 	    lmp_ext_feat_capable(conn)) {
3331 		struct hci_cp_read_remote_ext_features cp;
3332 		cp.handle = ev->handle;
3333 		cp.page = 0x01;
3334 		hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
3335 			     sizeof(cp), &cp);
3336 		goto unlock;
3337 	}
3338 
3339 	if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3340 		struct hci_cp_remote_name_req cp;
3341 		memset(&cp, 0, sizeof(cp));
3342 		bacpy(&cp.bdaddr, &conn->dst);
3343 		cp.pscan_rep_mode = 0x02;
3344 		hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3345 	} else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3346 		mgmt_device_connected(hdev, conn, NULL, 0);
3347 
3348 	if (!hci_outgoing_auth_needed(hdev, conn)) {
3349 		conn->state = BT_CONNECTED;
3350 		hci_connect_cfm(conn, ev->status);
3351 		hci_conn_drop(conn);
3352 	}
3353 
3354 unlock:
3355 	hci_dev_unlock(hdev);
3356 }
3357 
3358 static inline void handle_cmd_cnt_and_timer(struct hci_dev *hdev, u8 ncmd)
3359 {
3360 	cancel_delayed_work(&hdev->cmd_timer);
3361 
3362 	if (!test_bit(HCI_RESET, &hdev->flags)) {
3363 		if (ncmd) {
3364 			cancel_delayed_work(&hdev->ncmd_timer);
3365 			atomic_set(&hdev->cmd_cnt, 1);
3366 		} else {
3367 			schedule_delayed_work(&hdev->ncmd_timer,
3368 					      HCI_NCMD_TIMEOUT);
3369 		}
3370 	}
3371 }
3372 
3373 static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb,
3374 				 u16 *opcode, u8 *status,
3375 				 hci_req_complete_t *req_complete,
3376 				 hci_req_complete_skb_t *req_complete_skb)
3377 {
3378 	struct hci_ev_cmd_complete *ev = (void *) skb->data;
3379 
3380 	*opcode = __le16_to_cpu(ev->opcode);
3381 	*status = skb->data[sizeof(*ev)];
3382 
3383 	skb_pull(skb, sizeof(*ev));
3384 
3385 	switch (*opcode) {
3386 	case HCI_OP_INQUIRY_CANCEL:
3387 		hci_cc_inquiry_cancel(hdev, skb, status);
3388 		break;
3389 
3390 	case HCI_OP_PERIODIC_INQ:
3391 		hci_cc_periodic_inq(hdev, skb);
3392 		break;
3393 
3394 	case HCI_OP_EXIT_PERIODIC_INQ:
3395 		hci_cc_exit_periodic_inq(hdev, skb);
3396 		break;
3397 
3398 	case HCI_OP_REMOTE_NAME_REQ_CANCEL:
3399 		hci_cc_remote_name_req_cancel(hdev, skb);
3400 		break;
3401 
3402 	case HCI_OP_ROLE_DISCOVERY:
3403 		hci_cc_role_discovery(hdev, skb);
3404 		break;
3405 
3406 	case HCI_OP_READ_LINK_POLICY:
3407 		hci_cc_read_link_policy(hdev, skb);
3408 		break;
3409 
3410 	case HCI_OP_WRITE_LINK_POLICY:
3411 		hci_cc_write_link_policy(hdev, skb);
3412 		break;
3413 
3414 	case HCI_OP_READ_DEF_LINK_POLICY:
3415 		hci_cc_read_def_link_policy(hdev, skb);
3416 		break;
3417 
3418 	case HCI_OP_WRITE_DEF_LINK_POLICY:
3419 		hci_cc_write_def_link_policy(hdev, skb);
3420 		break;
3421 
3422 	case HCI_OP_RESET:
3423 		hci_cc_reset(hdev, skb);
3424 		break;
3425 
3426 	case HCI_OP_READ_STORED_LINK_KEY:
3427 		hci_cc_read_stored_link_key(hdev, skb);
3428 		break;
3429 
3430 	case HCI_OP_DELETE_STORED_LINK_KEY:
3431 		hci_cc_delete_stored_link_key(hdev, skb);
3432 		break;
3433 
3434 	case HCI_OP_WRITE_LOCAL_NAME:
3435 		hci_cc_write_local_name(hdev, skb);
3436 		break;
3437 
3438 	case HCI_OP_READ_LOCAL_NAME:
3439 		hci_cc_read_local_name(hdev, skb);
3440 		break;
3441 
3442 	case HCI_OP_WRITE_AUTH_ENABLE:
3443 		hci_cc_write_auth_enable(hdev, skb);
3444 		break;
3445 
3446 	case HCI_OP_WRITE_ENCRYPT_MODE:
3447 		hci_cc_write_encrypt_mode(hdev, skb);
3448 		break;
3449 
3450 	case HCI_OP_WRITE_SCAN_ENABLE:
3451 		hci_cc_write_scan_enable(hdev, skb);
3452 		break;
3453 
3454 	case HCI_OP_SET_EVENT_FLT:
3455 		hci_cc_set_event_filter(hdev, skb);
3456 		break;
3457 
3458 	case HCI_OP_READ_CLASS_OF_DEV:
3459 		hci_cc_read_class_of_dev(hdev, skb);
3460 		break;
3461 
3462 	case HCI_OP_WRITE_CLASS_OF_DEV:
3463 		hci_cc_write_class_of_dev(hdev, skb);
3464 		break;
3465 
3466 	case HCI_OP_READ_VOICE_SETTING:
3467 		hci_cc_read_voice_setting(hdev, skb);
3468 		break;
3469 
3470 	case HCI_OP_WRITE_VOICE_SETTING:
3471 		hci_cc_write_voice_setting(hdev, skb);
3472 		break;
3473 
3474 	case HCI_OP_READ_NUM_SUPPORTED_IAC:
3475 		hci_cc_read_num_supported_iac(hdev, skb);
3476 		break;
3477 
3478 	case HCI_OP_WRITE_SSP_MODE:
3479 		hci_cc_write_ssp_mode(hdev, skb);
3480 		break;
3481 
3482 	case HCI_OP_WRITE_SC_SUPPORT:
3483 		hci_cc_write_sc_support(hdev, skb);
3484 		break;
3485 
3486 	case HCI_OP_READ_AUTH_PAYLOAD_TO:
3487 		hci_cc_read_auth_payload_timeout(hdev, skb);
3488 		break;
3489 
3490 	case HCI_OP_WRITE_AUTH_PAYLOAD_TO:
3491 		hci_cc_write_auth_payload_timeout(hdev, skb);
3492 		break;
3493 
3494 	case HCI_OP_READ_LOCAL_VERSION:
3495 		hci_cc_read_local_version(hdev, skb);
3496 		break;
3497 
3498 	case HCI_OP_READ_LOCAL_COMMANDS:
3499 		hci_cc_read_local_commands(hdev, skb);
3500 		break;
3501 
3502 	case HCI_OP_READ_LOCAL_FEATURES:
3503 		hci_cc_read_local_features(hdev, skb);
3504 		break;
3505 
3506 	case HCI_OP_READ_LOCAL_EXT_FEATURES:
3507 		hci_cc_read_local_ext_features(hdev, skb);
3508 		break;
3509 
3510 	case HCI_OP_READ_BUFFER_SIZE:
3511 		hci_cc_read_buffer_size(hdev, skb);
3512 		break;
3513 
3514 	case HCI_OP_READ_BD_ADDR:
3515 		hci_cc_read_bd_addr(hdev, skb);
3516 		break;
3517 
3518 	case HCI_OP_READ_LOCAL_PAIRING_OPTS:
3519 		hci_cc_read_local_pairing_opts(hdev, skb);
3520 		break;
3521 
3522 	case HCI_OP_READ_PAGE_SCAN_ACTIVITY:
3523 		hci_cc_read_page_scan_activity(hdev, skb);
3524 		break;
3525 
3526 	case HCI_OP_WRITE_PAGE_SCAN_ACTIVITY:
3527 		hci_cc_write_page_scan_activity(hdev, skb);
3528 		break;
3529 
3530 	case HCI_OP_READ_PAGE_SCAN_TYPE:
3531 		hci_cc_read_page_scan_type(hdev, skb);
3532 		break;
3533 
3534 	case HCI_OP_WRITE_PAGE_SCAN_TYPE:
3535 		hci_cc_write_page_scan_type(hdev, skb);
3536 		break;
3537 
3538 	case HCI_OP_READ_DATA_BLOCK_SIZE:
3539 		hci_cc_read_data_block_size(hdev, skb);
3540 		break;
3541 
3542 	case HCI_OP_READ_FLOW_CONTROL_MODE:
3543 		hci_cc_read_flow_control_mode(hdev, skb);
3544 		break;
3545 
3546 	case HCI_OP_READ_LOCAL_AMP_INFO:
3547 		hci_cc_read_local_amp_info(hdev, skb);
3548 		break;
3549 
3550 	case HCI_OP_READ_CLOCK:
3551 		hci_cc_read_clock(hdev, skb);
3552 		break;
3553 
3554 	case HCI_OP_READ_INQ_RSP_TX_POWER:
3555 		hci_cc_read_inq_rsp_tx_power(hdev, skb);
3556 		break;
3557 
3558 	case HCI_OP_READ_DEF_ERR_DATA_REPORTING:
3559 		hci_cc_read_def_err_data_reporting(hdev, skb);
3560 		break;
3561 
3562 	case HCI_OP_WRITE_DEF_ERR_DATA_REPORTING:
3563 		hci_cc_write_def_err_data_reporting(hdev, skb);
3564 		break;
3565 
3566 	case HCI_OP_PIN_CODE_REPLY:
3567 		hci_cc_pin_code_reply(hdev, skb);
3568 		break;
3569 
3570 	case HCI_OP_PIN_CODE_NEG_REPLY:
3571 		hci_cc_pin_code_neg_reply(hdev, skb);
3572 		break;
3573 
3574 	case HCI_OP_READ_LOCAL_OOB_DATA:
3575 		hci_cc_read_local_oob_data(hdev, skb);
3576 		break;
3577 
3578 	case HCI_OP_READ_LOCAL_OOB_EXT_DATA:
3579 		hci_cc_read_local_oob_ext_data(hdev, skb);
3580 		break;
3581 
3582 	case HCI_OP_LE_READ_BUFFER_SIZE:
3583 		hci_cc_le_read_buffer_size(hdev, skb);
3584 		break;
3585 
3586 	case HCI_OP_LE_READ_LOCAL_FEATURES:
3587 		hci_cc_le_read_local_features(hdev, skb);
3588 		break;
3589 
3590 	case HCI_OP_LE_READ_ADV_TX_POWER:
3591 		hci_cc_le_read_adv_tx_power(hdev, skb);
3592 		break;
3593 
3594 	case HCI_OP_USER_CONFIRM_REPLY:
3595 		hci_cc_user_confirm_reply(hdev, skb);
3596 		break;
3597 
3598 	case HCI_OP_USER_CONFIRM_NEG_REPLY:
3599 		hci_cc_user_confirm_neg_reply(hdev, skb);
3600 		break;
3601 
3602 	case HCI_OP_USER_PASSKEY_REPLY:
3603 		hci_cc_user_passkey_reply(hdev, skb);
3604 		break;
3605 
3606 	case HCI_OP_USER_PASSKEY_NEG_REPLY:
3607 		hci_cc_user_passkey_neg_reply(hdev, skb);
3608 		break;
3609 
3610 	case HCI_OP_LE_SET_RANDOM_ADDR:
3611 		hci_cc_le_set_random_addr(hdev, skb);
3612 		break;
3613 
3614 	case HCI_OP_LE_SET_ADV_ENABLE:
3615 		hci_cc_le_set_adv_enable(hdev, skb);
3616 		break;
3617 
3618 	case HCI_OP_LE_SET_SCAN_PARAM:
3619 		hci_cc_le_set_scan_param(hdev, skb);
3620 		break;
3621 
3622 	case HCI_OP_LE_SET_SCAN_ENABLE:
3623 		hci_cc_le_set_scan_enable(hdev, skb);
3624 		break;
3625 
3626 	case HCI_OP_LE_READ_ACCEPT_LIST_SIZE:
3627 		hci_cc_le_read_accept_list_size(hdev, skb);
3628 		break;
3629 
3630 	case HCI_OP_LE_CLEAR_ACCEPT_LIST:
3631 		hci_cc_le_clear_accept_list(hdev, skb);
3632 		break;
3633 
3634 	case HCI_OP_LE_ADD_TO_ACCEPT_LIST:
3635 		hci_cc_le_add_to_accept_list(hdev, skb);
3636 		break;
3637 
3638 	case HCI_OP_LE_DEL_FROM_ACCEPT_LIST:
3639 		hci_cc_le_del_from_accept_list(hdev, skb);
3640 		break;
3641 
3642 	case HCI_OP_LE_READ_SUPPORTED_STATES:
3643 		hci_cc_le_read_supported_states(hdev, skb);
3644 		break;
3645 
3646 	case HCI_OP_LE_READ_DEF_DATA_LEN:
3647 		hci_cc_le_read_def_data_len(hdev, skb);
3648 		break;
3649 
3650 	case HCI_OP_LE_WRITE_DEF_DATA_LEN:
3651 		hci_cc_le_write_def_data_len(hdev, skb);
3652 		break;
3653 
3654 	case HCI_OP_LE_ADD_TO_RESOLV_LIST:
3655 		hci_cc_le_add_to_resolv_list(hdev, skb);
3656 		break;
3657 
3658 	case HCI_OP_LE_DEL_FROM_RESOLV_LIST:
3659 		hci_cc_le_del_from_resolv_list(hdev, skb);
3660 		break;
3661 
3662 	case HCI_OP_LE_CLEAR_RESOLV_LIST:
3663 		hci_cc_le_clear_resolv_list(hdev, skb);
3664 		break;
3665 
3666 	case HCI_OP_LE_READ_RESOLV_LIST_SIZE:
3667 		hci_cc_le_read_resolv_list_size(hdev, skb);
3668 		break;
3669 
3670 	case HCI_OP_LE_SET_ADDR_RESOLV_ENABLE:
3671 		hci_cc_le_set_addr_resolution_enable(hdev, skb);
3672 		break;
3673 
3674 	case HCI_OP_LE_READ_MAX_DATA_LEN:
3675 		hci_cc_le_read_max_data_len(hdev, skb);
3676 		break;
3677 
3678 	case HCI_OP_WRITE_LE_HOST_SUPPORTED:
3679 		hci_cc_write_le_host_supported(hdev, skb);
3680 		break;
3681 
3682 	case HCI_OP_LE_SET_ADV_PARAM:
3683 		hci_cc_set_adv_param(hdev, skb);
3684 		break;
3685 
3686 	case HCI_OP_READ_RSSI:
3687 		hci_cc_read_rssi(hdev, skb);
3688 		break;
3689 
3690 	case HCI_OP_READ_TX_POWER:
3691 		hci_cc_read_tx_power(hdev, skb);
3692 		break;
3693 
3694 	case HCI_OP_WRITE_SSP_DEBUG_MODE:
3695 		hci_cc_write_ssp_debug_mode(hdev, skb);
3696 		break;
3697 
3698 	case HCI_OP_LE_SET_EXT_SCAN_PARAMS:
3699 		hci_cc_le_set_ext_scan_param(hdev, skb);
3700 		break;
3701 
3702 	case HCI_OP_LE_SET_EXT_SCAN_ENABLE:
3703 		hci_cc_le_set_ext_scan_enable(hdev, skb);
3704 		break;
3705 
3706 	case HCI_OP_LE_SET_DEFAULT_PHY:
3707 		hci_cc_le_set_default_phy(hdev, skb);
3708 		break;
3709 
3710 	case HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS:
3711 		hci_cc_le_read_num_adv_sets(hdev, skb);
3712 		break;
3713 
3714 	case HCI_OP_LE_SET_EXT_ADV_PARAMS:
3715 		hci_cc_set_ext_adv_param(hdev, skb);
3716 		break;
3717 
3718 	case HCI_OP_LE_SET_EXT_ADV_ENABLE:
3719 		hci_cc_le_set_ext_adv_enable(hdev, skb);
3720 		break;
3721 
3722 	case HCI_OP_LE_SET_ADV_SET_RAND_ADDR:
3723 		hci_cc_le_set_adv_set_random_addr(hdev, skb);
3724 		break;
3725 
3726 	case HCI_OP_LE_READ_TRANSMIT_POWER:
3727 		hci_cc_le_read_transmit_power(hdev, skb);
3728 		break;
3729 
3730 	default:
3731 		BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3732 		break;
3733 	}
3734 
3735 	handle_cmd_cnt_and_timer(hdev, ev->ncmd);
3736 
3737 	hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
3738 			     req_complete_skb);
3739 
3740 	if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
3741 		bt_dev_err(hdev,
3742 			   "unexpected event for opcode 0x%4.4x", *opcode);
3743 		return;
3744 	}
3745 
3746 	if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3747 		queue_work(hdev->workqueue, &hdev->cmd_work);
3748 }
3749 
3750 static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb,
3751 			       u16 *opcode, u8 *status,
3752 			       hci_req_complete_t *req_complete,
3753 			       hci_req_complete_skb_t *req_complete_skb)
3754 {
3755 	struct hci_ev_cmd_status *ev = (void *) skb->data;
3756 
3757 	skb_pull(skb, sizeof(*ev));
3758 
3759 	*opcode = __le16_to_cpu(ev->opcode);
3760 	*status = ev->status;
3761 
3762 	switch (*opcode) {
3763 	case HCI_OP_INQUIRY:
3764 		hci_cs_inquiry(hdev, ev->status);
3765 		break;
3766 
3767 	case HCI_OP_CREATE_CONN:
3768 		hci_cs_create_conn(hdev, ev->status);
3769 		break;
3770 
3771 	case HCI_OP_DISCONNECT:
3772 		hci_cs_disconnect(hdev, ev->status);
3773 		break;
3774 
3775 	case HCI_OP_ADD_SCO:
3776 		hci_cs_add_sco(hdev, ev->status);
3777 		break;
3778 
3779 	case HCI_OP_AUTH_REQUESTED:
3780 		hci_cs_auth_requested(hdev, ev->status);
3781 		break;
3782 
3783 	case HCI_OP_SET_CONN_ENCRYPT:
3784 		hci_cs_set_conn_encrypt(hdev, ev->status);
3785 		break;
3786 
3787 	case HCI_OP_REMOTE_NAME_REQ:
3788 		hci_cs_remote_name_req(hdev, ev->status);
3789 		break;
3790 
3791 	case HCI_OP_READ_REMOTE_FEATURES:
3792 		hci_cs_read_remote_features(hdev, ev->status);
3793 		break;
3794 
3795 	case HCI_OP_READ_REMOTE_EXT_FEATURES:
3796 		hci_cs_read_remote_ext_features(hdev, ev->status);
3797 		break;
3798 
3799 	case HCI_OP_SETUP_SYNC_CONN:
3800 		hci_cs_setup_sync_conn(hdev, ev->status);
3801 		break;
3802 
3803 	case HCI_OP_ENHANCED_SETUP_SYNC_CONN:
3804 		hci_cs_enhanced_setup_sync_conn(hdev, ev->status);
3805 		break;
3806 
3807 	case HCI_OP_SNIFF_MODE:
3808 		hci_cs_sniff_mode(hdev, ev->status);
3809 		break;
3810 
3811 	case HCI_OP_EXIT_SNIFF_MODE:
3812 		hci_cs_exit_sniff_mode(hdev, ev->status);
3813 		break;
3814 
3815 	case HCI_OP_SWITCH_ROLE:
3816 		hci_cs_switch_role(hdev, ev->status);
3817 		break;
3818 
3819 	case HCI_OP_LE_CREATE_CONN:
3820 		hci_cs_le_create_conn(hdev, ev->status);
3821 		break;
3822 
3823 	case HCI_OP_LE_READ_REMOTE_FEATURES:
3824 		hci_cs_le_read_remote_features(hdev, ev->status);
3825 		break;
3826 
3827 	case HCI_OP_LE_START_ENC:
3828 		hci_cs_le_start_enc(hdev, ev->status);
3829 		break;
3830 
3831 	case HCI_OP_LE_EXT_CREATE_CONN:
3832 		hci_cs_le_ext_create_conn(hdev, ev->status);
3833 		break;
3834 
3835 	default:
3836 		BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3837 		break;
3838 	}
3839 
3840 	handle_cmd_cnt_and_timer(hdev, ev->ncmd);
3841 
3842 	/* Indicate request completion if the command failed. Also, if
3843 	 * we're not waiting for a special event and we get a success
3844 	 * command status we should try to flag the request as completed
3845 	 * (since for this kind of commands there will not be a command
3846 	 * complete event).
3847 	 */
3848 	if (ev->status ||
3849 	    (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->hci.req_event))
3850 		hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
3851 				     req_complete_skb);
3852 
3853 	if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
3854 		bt_dev_err(hdev,
3855 			   "unexpected event for opcode 0x%4.4x", *opcode);
3856 		return;
3857 	}
3858 
3859 	if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3860 		queue_work(hdev->workqueue, &hdev->cmd_work);
3861 }
3862 
3863 static void hci_hardware_error_evt(struct hci_dev *hdev, struct sk_buff *skb)
3864 {
3865 	struct hci_ev_hardware_error *ev = (void *) skb->data;
3866 
3867 	hdev->hw_error_code = ev->code;
3868 
3869 	queue_work(hdev->req_workqueue, &hdev->error_reset);
3870 }
3871 
3872 static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3873 {
3874 	struct hci_ev_role_change *ev = (void *) skb->data;
3875 	struct hci_conn *conn;
3876 
3877 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3878 
3879 	hci_dev_lock(hdev);
3880 
3881 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3882 	if (conn) {
3883 		if (!ev->status)
3884 			conn->role = ev->role;
3885 
3886 		clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
3887 
3888 		hci_role_switch_cfm(conn, ev->status, ev->role);
3889 	}
3890 
3891 	hci_dev_unlock(hdev);
3892 }
3893 
3894 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb)
3895 {
3896 	struct hci_ev_num_comp_pkts *ev = (void *) skb->data;
3897 	int i;
3898 
3899 	if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
3900 		bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
3901 		return;
3902 	}
3903 
3904 	if (skb->len < sizeof(*ev) ||
3905 	    skb->len < struct_size(ev, handles, ev->num_hndl)) {
3906 		BT_DBG("%s bad parameters", hdev->name);
3907 		return;
3908 	}
3909 
3910 	BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl);
3911 
3912 	for (i = 0; i < ev->num_hndl; i++) {
3913 		struct hci_comp_pkts_info *info = &ev->handles[i];
3914 		struct hci_conn *conn;
3915 		__u16  handle, count;
3916 
3917 		handle = __le16_to_cpu(info->handle);
3918 		count  = __le16_to_cpu(info->count);
3919 
3920 		conn = hci_conn_hash_lookup_handle(hdev, handle);
3921 		if (!conn)
3922 			continue;
3923 
3924 		conn->sent -= count;
3925 
3926 		switch (conn->type) {
3927 		case ACL_LINK:
3928 			hdev->acl_cnt += count;
3929 			if (hdev->acl_cnt > hdev->acl_pkts)
3930 				hdev->acl_cnt = hdev->acl_pkts;
3931 			break;
3932 
3933 		case LE_LINK:
3934 			if (hdev->le_pkts) {
3935 				hdev->le_cnt += count;
3936 				if (hdev->le_cnt > hdev->le_pkts)
3937 					hdev->le_cnt = hdev->le_pkts;
3938 			} else {
3939 				hdev->acl_cnt += count;
3940 				if (hdev->acl_cnt > hdev->acl_pkts)
3941 					hdev->acl_cnt = hdev->acl_pkts;
3942 			}
3943 			break;
3944 
3945 		case SCO_LINK:
3946 			hdev->sco_cnt += count;
3947 			if (hdev->sco_cnt > hdev->sco_pkts)
3948 				hdev->sco_cnt = hdev->sco_pkts;
3949 			break;
3950 
3951 		default:
3952 			bt_dev_err(hdev, "unknown type %d conn %p",
3953 				   conn->type, conn);
3954 			break;
3955 		}
3956 	}
3957 
3958 	queue_work(hdev->workqueue, &hdev->tx_work);
3959 }
3960 
3961 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
3962 						 __u16 handle)
3963 {
3964 	struct hci_chan *chan;
3965 
3966 	switch (hdev->dev_type) {
3967 	case HCI_PRIMARY:
3968 		return hci_conn_hash_lookup_handle(hdev, handle);
3969 	case HCI_AMP:
3970 		chan = hci_chan_lookup_handle(hdev, handle);
3971 		if (chan)
3972 			return chan->conn;
3973 		break;
3974 	default:
3975 		bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type);
3976 		break;
3977 	}
3978 
3979 	return NULL;
3980 }
3981 
3982 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb)
3983 {
3984 	struct hci_ev_num_comp_blocks *ev = (void *) skb->data;
3985 	int i;
3986 
3987 	if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
3988 		bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
3989 		return;
3990 	}
3991 
3992 	if (skb->len < sizeof(*ev) ||
3993 	    skb->len < struct_size(ev, handles, ev->num_hndl)) {
3994 		BT_DBG("%s bad parameters", hdev->name);
3995 		return;
3996 	}
3997 
3998 	BT_DBG("%s num_blocks %d num_hndl %d", hdev->name, ev->num_blocks,
3999 	       ev->num_hndl);
4000 
4001 	for (i = 0; i < ev->num_hndl; i++) {
4002 		struct hci_comp_blocks_info *info = &ev->handles[i];
4003 		struct hci_conn *conn = NULL;
4004 		__u16  handle, block_count;
4005 
4006 		handle = __le16_to_cpu(info->handle);
4007 		block_count = __le16_to_cpu(info->blocks);
4008 
4009 		conn = __hci_conn_lookup_handle(hdev, handle);
4010 		if (!conn)
4011 			continue;
4012 
4013 		conn->sent -= block_count;
4014 
4015 		switch (conn->type) {
4016 		case ACL_LINK:
4017 		case AMP_LINK:
4018 			hdev->block_cnt += block_count;
4019 			if (hdev->block_cnt > hdev->num_blocks)
4020 				hdev->block_cnt = hdev->num_blocks;
4021 			break;
4022 
4023 		default:
4024 			bt_dev_err(hdev, "unknown type %d conn %p",
4025 				   conn->type, conn);
4026 			break;
4027 		}
4028 	}
4029 
4030 	queue_work(hdev->workqueue, &hdev->tx_work);
4031 }
4032 
4033 static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
4034 {
4035 	struct hci_ev_mode_change *ev = (void *) skb->data;
4036 	struct hci_conn *conn;
4037 
4038 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4039 
4040 	hci_dev_lock(hdev);
4041 
4042 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4043 	if (conn) {
4044 		conn->mode = ev->mode;
4045 
4046 		if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
4047 					&conn->flags)) {
4048 			if (conn->mode == HCI_CM_ACTIVE)
4049 				set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
4050 			else
4051 				clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
4052 		}
4053 
4054 		if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
4055 			hci_sco_setup(conn, ev->status);
4056 	}
4057 
4058 	hci_dev_unlock(hdev);
4059 }
4060 
4061 static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
4062 {
4063 	struct hci_ev_pin_code_req *ev = (void *) skb->data;
4064 	struct hci_conn *conn;
4065 
4066 	BT_DBG("%s", hdev->name);
4067 
4068 	hci_dev_lock(hdev);
4069 
4070 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4071 	if (!conn)
4072 		goto unlock;
4073 
4074 	if (conn->state == BT_CONNECTED) {
4075 		hci_conn_hold(conn);
4076 		conn->disc_timeout = HCI_PAIRING_TIMEOUT;
4077 		hci_conn_drop(conn);
4078 	}
4079 
4080 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
4081 	    !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
4082 		hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
4083 			     sizeof(ev->bdaddr), &ev->bdaddr);
4084 	} else if (hci_dev_test_flag(hdev, HCI_MGMT)) {
4085 		u8 secure;
4086 
4087 		if (conn->pending_sec_level == BT_SECURITY_HIGH)
4088 			secure = 1;
4089 		else
4090 			secure = 0;
4091 
4092 		mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
4093 	}
4094 
4095 unlock:
4096 	hci_dev_unlock(hdev);
4097 }
4098 
4099 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
4100 {
4101 	if (key_type == HCI_LK_CHANGED_COMBINATION)
4102 		return;
4103 
4104 	conn->pin_length = pin_len;
4105 	conn->key_type = key_type;
4106 
4107 	switch (key_type) {
4108 	case HCI_LK_LOCAL_UNIT:
4109 	case HCI_LK_REMOTE_UNIT:
4110 	case HCI_LK_DEBUG_COMBINATION:
4111 		return;
4112 	case HCI_LK_COMBINATION:
4113 		if (pin_len == 16)
4114 			conn->pending_sec_level = BT_SECURITY_HIGH;
4115 		else
4116 			conn->pending_sec_level = BT_SECURITY_MEDIUM;
4117 		break;
4118 	case HCI_LK_UNAUTH_COMBINATION_P192:
4119 	case HCI_LK_UNAUTH_COMBINATION_P256:
4120 		conn->pending_sec_level = BT_SECURITY_MEDIUM;
4121 		break;
4122 	case HCI_LK_AUTH_COMBINATION_P192:
4123 		conn->pending_sec_level = BT_SECURITY_HIGH;
4124 		break;
4125 	case HCI_LK_AUTH_COMBINATION_P256:
4126 		conn->pending_sec_level = BT_SECURITY_FIPS;
4127 		break;
4128 	}
4129 }
4130 
4131 static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
4132 {
4133 	struct hci_ev_link_key_req *ev = (void *) skb->data;
4134 	struct hci_cp_link_key_reply cp;
4135 	struct hci_conn *conn;
4136 	struct link_key *key;
4137 
4138 	BT_DBG("%s", hdev->name);
4139 
4140 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
4141 		return;
4142 
4143 	hci_dev_lock(hdev);
4144 
4145 	key = hci_find_link_key(hdev, &ev->bdaddr);
4146 	if (!key) {
4147 		BT_DBG("%s link key not found for %pMR", hdev->name,
4148 		       &ev->bdaddr);
4149 		goto not_found;
4150 	}
4151 
4152 	BT_DBG("%s found key type %u for %pMR", hdev->name, key->type,
4153 	       &ev->bdaddr);
4154 
4155 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4156 	if (conn) {
4157 		clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4158 
4159 		if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
4160 		     key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
4161 		    conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
4162 			BT_DBG("%s ignoring unauthenticated key", hdev->name);
4163 			goto not_found;
4164 		}
4165 
4166 		if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
4167 		    (conn->pending_sec_level == BT_SECURITY_HIGH ||
4168 		     conn->pending_sec_level == BT_SECURITY_FIPS)) {
4169 			BT_DBG("%s ignoring key unauthenticated for high security",
4170 			       hdev->name);
4171 			goto not_found;
4172 		}
4173 
4174 		conn_set_key(conn, key->type, key->pin_len);
4175 	}
4176 
4177 	bacpy(&cp.bdaddr, &ev->bdaddr);
4178 	memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
4179 
4180 	hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
4181 
4182 	hci_dev_unlock(hdev);
4183 
4184 	return;
4185 
4186 not_found:
4187 	hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
4188 	hci_dev_unlock(hdev);
4189 }
4190 
4191 static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
4192 {
4193 	struct hci_ev_link_key_notify *ev = (void *) skb->data;
4194 	struct hci_conn *conn;
4195 	struct link_key *key;
4196 	bool persistent;
4197 	u8 pin_len = 0;
4198 
4199 	BT_DBG("%s", hdev->name);
4200 
4201 	hci_dev_lock(hdev);
4202 
4203 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4204 	if (!conn)
4205 		goto unlock;
4206 
4207 	hci_conn_hold(conn);
4208 	conn->disc_timeout = HCI_DISCONN_TIMEOUT;
4209 	hci_conn_drop(conn);
4210 
4211 	set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4212 	conn_set_key(conn, ev->key_type, conn->pin_length);
4213 
4214 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
4215 		goto unlock;
4216 
4217 	key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
4218 			        ev->key_type, pin_len, &persistent);
4219 	if (!key)
4220 		goto unlock;
4221 
4222 	/* Update connection information since adding the key will have
4223 	 * fixed up the type in the case of changed combination keys.
4224 	 */
4225 	if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
4226 		conn_set_key(conn, key->type, key->pin_len);
4227 
4228 	mgmt_new_link_key(hdev, key, persistent);
4229 
4230 	/* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
4231 	 * is set. If it's not set simply remove the key from the kernel
4232 	 * list (we've still notified user space about it but with
4233 	 * store_hint being 0).
4234 	 */
4235 	if (key->type == HCI_LK_DEBUG_COMBINATION &&
4236 	    !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {
4237 		list_del_rcu(&key->list);
4238 		kfree_rcu(key, rcu);
4239 		goto unlock;
4240 	}
4241 
4242 	if (persistent)
4243 		clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4244 	else
4245 		set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4246 
4247 unlock:
4248 	hci_dev_unlock(hdev);
4249 }
4250 
4251 static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb)
4252 {
4253 	struct hci_ev_clock_offset *ev = (void *) skb->data;
4254 	struct hci_conn *conn;
4255 
4256 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4257 
4258 	hci_dev_lock(hdev);
4259 
4260 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4261 	if (conn && !ev->status) {
4262 		struct inquiry_entry *ie;
4263 
4264 		ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
4265 		if (ie) {
4266 			ie->data.clock_offset = ev->clock_offset;
4267 			ie->timestamp = jiffies;
4268 		}
4269 	}
4270 
4271 	hci_dev_unlock(hdev);
4272 }
4273 
4274 static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
4275 {
4276 	struct hci_ev_pkt_type_change *ev = (void *) skb->data;
4277 	struct hci_conn *conn;
4278 
4279 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4280 
4281 	hci_dev_lock(hdev);
4282 
4283 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4284 	if (conn && !ev->status)
4285 		conn->pkt_type = __le16_to_cpu(ev->pkt_type);
4286 
4287 	hci_dev_unlock(hdev);
4288 }
4289 
4290 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb)
4291 {
4292 	struct hci_ev_pscan_rep_mode *ev = (void *) skb->data;
4293 	struct inquiry_entry *ie;
4294 
4295 	BT_DBG("%s", hdev->name);
4296 
4297 	hci_dev_lock(hdev);
4298 
4299 	ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4300 	if (ie) {
4301 		ie->data.pscan_rep_mode = ev->pscan_rep_mode;
4302 		ie->timestamp = jiffies;
4303 	}
4304 
4305 	hci_dev_unlock(hdev);
4306 }
4307 
4308 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev,
4309 					     struct sk_buff *skb)
4310 {
4311 	struct inquiry_data data;
4312 	int num_rsp = *((__u8 *) skb->data);
4313 
4314 	BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
4315 
4316 	if (!num_rsp)
4317 		return;
4318 
4319 	if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
4320 		return;
4321 
4322 	hci_dev_lock(hdev);
4323 
4324 	if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
4325 		struct inquiry_info_with_rssi_and_pscan_mode *info;
4326 		info = (void *) (skb->data + 1);
4327 
4328 		if (skb->len < num_rsp * sizeof(*info) + 1)
4329 			goto unlock;
4330 
4331 		for (; num_rsp; num_rsp--, info++) {
4332 			u32 flags;
4333 
4334 			bacpy(&data.bdaddr, &info->bdaddr);
4335 			data.pscan_rep_mode	= info->pscan_rep_mode;
4336 			data.pscan_period_mode	= info->pscan_period_mode;
4337 			data.pscan_mode		= info->pscan_mode;
4338 			memcpy(data.dev_class, info->dev_class, 3);
4339 			data.clock_offset	= info->clock_offset;
4340 			data.rssi		= info->rssi;
4341 			data.ssp_mode		= 0x00;
4342 
4343 			flags = hci_inquiry_cache_update(hdev, &data, false);
4344 
4345 			mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4346 					  info->dev_class, info->rssi,
4347 					  flags, NULL, 0, NULL, 0);
4348 		}
4349 	} else {
4350 		struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
4351 
4352 		if (skb->len < num_rsp * sizeof(*info) + 1)
4353 			goto unlock;
4354 
4355 		for (; num_rsp; num_rsp--, info++) {
4356 			u32 flags;
4357 
4358 			bacpy(&data.bdaddr, &info->bdaddr);
4359 			data.pscan_rep_mode	= info->pscan_rep_mode;
4360 			data.pscan_period_mode	= info->pscan_period_mode;
4361 			data.pscan_mode		= 0x00;
4362 			memcpy(data.dev_class, info->dev_class, 3);
4363 			data.clock_offset	= info->clock_offset;
4364 			data.rssi		= info->rssi;
4365 			data.ssp_mode		= 0x00;
4366 
4367 			flags = hci_inquiry_cache_update(hdev, &data, false);
4368 
4369 			mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4370 					  info->dev_class, info->rssi,
4371 					  flags, NULL, 0, NULL, 0);
4372 		}
4373 	}
4374 
4375 unlock:
4376 	hci_dev_unlock(hdev);
4377 }
4378 
4379 static void hci_remote_ext_features_evt(struct hci_dev *hdev,
4380 					struct sk_buff *skb)
4381 {
4382 	struct hci_ev_remote_ext_features *ev = (void *) skb->data;
4383 	struct hci_conn *conn;
4384 
4385 	BT_DBG("%s", hdev->name);
4386 
4387 	hci_dev_lock(hdev);
4388 
4389 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4390 	if (!conn)
4391 		goto unlock;
4392 
4393 	if (ev->page < HCI_MAX_PAGES)
4394 		memcpy(conn->features[ev->page], ev->features, 8);
4395 
4396 	if (!ev->status && ev->page == 0x01) {
4397 		struct inquiry_entry *ie;
4398 
4399 		ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
4400 		if (ie)
4401 			ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4402 
4403 		if (ev->features[0] & LMP_HOST_SSP) {
4404 			set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
4405 		} else {
4406 			/* It is mandatory by the Bluetooth specification that
4407 			 * Extended Inquiry Results are only used when Secure
4408 			 * Simple Pairing is enabled, but some devices violate
4409 			 * this.
4410 			 *
4411 			 * To make these devices work, the internal SSP
4412 			 * enabled flag needs to be cleared if the remote host
4413 			 * features do not indicate SSP support */
4414 			clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
4415 		}
4416 
4417 		if (ev->features[0] & LMP_HOST_SC)
4418 			set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
4419 	}
4420 
4421 	if (conn->state != BT_CONFIG)
4422 		goto unlock;
4423 
4424 	if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
4425 		struct hci_cp_remote_name_req cp;
4426 		memset(&cp, 0, sizeof(cp));
4427 		bacpy(&cp.bdaddr, &conn->dst);
4428 		cp.pscan_rep_mode = 0x02;
4429 		hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
4430 	} else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
4431 		mgmt_device_connected(hdev, conn, NULL, 0);
4432 
4433 	if (!hci_outgoing_auth_needed(hdev, conn)) {
4434 		conn->state = BT_CONNECTED;
4435 		hci_connect_cfm(conn, ev->status);
4436 		hci_conn_drop(conn);
4437 	}
4438 
4439 unlock:
4440 	hci_dev_unlock(hdev);
4441 }
4442 
4443 static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
4444 				       struct sk_buff *skb)
4445 {
4446 	struct hci_ev_sync_conn_complete *ev = (void *) skb->data;
4447 	struct hci_conn *conn;
4448 	unsigned int notify_evt;
4449 
4450 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4451 
4452 	hci_dev_lock(hdev);
4453 
4454 	conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
4455 	if (!conn) {
4456 		if (ev->link_type == ESCO_LINK)
4457 			goto unlock;
4458 
4459 		/* When the link type in the event indicates SCO connection
4460 		 * and lookup of the connection object fails, then check
4461 		 * if an eSCO connection object exists.
4462 		 *
4463 		 * The core limits the synchronous connections to either
4464 		 * SCO or eSCO. The eSCO connection is preferred and tried
4465 		 * to be setup first and until successfully established,
4466 		 * the link type will be hinted as eSCO.
4467 		 */
4468 		conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
4469 		if (!conn)
4470 			goto unlock;
4471 	}
4472 
4473 	switch (ev->status) {
4474 	case 0x00:
4475 		/* The synchronous connection complete event should only be
4476 		 * sent once per new connection. Receiving a successful
4477 		 * complete event when the connection status is already
4478 		 * BT_CONNECTED means that the device is misbehaving and sent
4479 		 * multiple complete event packets for the same new connection.
4480 		 *
4481 		 * Registering the device more than once can corrupt kernel
4482 		 * memory, hence upon detecting this invalid event, we report
4483 		 * an error and ignore the packet.
4484 		 */
4485 		if (conn->state == BT_CONNECTED) {
4486 			bt_dev_err(hdev, "Ignoring connect complete event for existing connection");
4487 			goto unlock;
4488 		}
4489 
4490 		conn->handle = __le16_to_cpu(ev->handle);
4491 		conn->state  = BT_CONNECTED;
4492 		conn->type   = ev->link_type;
4493 
4494 		hci_debugfs_create_conn(conn);
4495 		hci_conn_add_sysfs(conn);
4496 		break;
4497 
4498 	case 0x10:	/* Connection Accept Timeout */
4499 	case 0x0d:	/* Connection Rejected due to Limited Resources */
4500 	case 0x11:	/* Unsupported Feature or Parameter Value */
4501 	case 0x1c:	/* SCO interval rejected */
4502 	case 0x1a:	/* Unsupported Remote Feature */
4503 	case 0x1e:	/* Invalid LMP Parameters */
4504 	case 0x1f:	/* Unspecified error */
4505 	case 0x20:	/* Unsupported LMP Parameter value */
4506 		if (conn->out) {
4507 			conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
4508 					(hdev->esco_type & EDR_ESCO_MASK);
4509 			if (hci_setup_sync(conn, conn->link->handle))
4510 				goto unlock;
4511 		}
4512 		fallthrough;
4513 
4514 	default:
4515 		conn->state = BT_CLOSED;
4516 		break;
4517 	}
4518 
4519 	bt_dev_dbg(hdev, "SCO connected with air mode: %02x", ev->air_mode);
4520 
4521 	switch (ev->air_mode) {
4522 	case 0x02:
4523 		notify_evt = HCI_NOTIFY_ENABLE_SCO_CVSD;
4524 		break;
4525 	case 0x03:
4526 		notify_evt = HCI_NOTIFY_ENABLE_SCO_TRANSP;
4527 		break;
4528 	}
4529 
4530 	/* Notify only in case of SCO over HCI transport data path which
4531 	 * is zero and non-zero value shall be non-HCI transport data path
4532 	 */
4533 	if (conn->codec.data_path == 0) {
4534 		if (hdev->notify)
4535 			hdev->notify(hdev, notify_evt);
4536 	}
4537 
4538 	hci_connect_cfm(conn, ev->status);
4539 	if (ev->status)
4540 		hci_conn_del(conn);
4541 
4542 unlock:
4543 	hci_dev_unlock(hdev);
4544 }
4545 
4546 static inline size_t eir_get_length(u8 *eir, size_t eir_len)
4547 {
4548 	size_t parsed = 0;
4549 
4550 	while (parsed < eir_len) {
4551 		u8 field_len = eir[0];
4552 
4553 		if (field_len == 0)
4554 			return parsed;
4555 
4556 		parsed += field_len + 1;
4557 		eir += field_len + 1;
4558 	}
4559 
4560 	return eir_len;
4561 }
4562 
4563 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev,
4564 					    struct sk_buff *skb)
4565 {
4566 	struct inquiry_data data;
4567 	struct extended_inquiry_info *info = (void *) (skb->data + 1);
4568 	int num_rsp = *((__u8 *) skb->data);
4569 	size_t eir_len;
4570 
4571 	BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
4572 
4573 	if (!num_rsp || skb->len < num_rsp * sizeof(*info) + 1)
4574 		return;
4575 
4576 	if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
4577 		return;
4578 
4579 	hci_dev_lock(hdev);
4580 
4581 	for (; num_rsp; num_rsp--, info++) {
4582 		u32 flags;
4583 		bool name_known;
4584 
4585 		bacpy(&data.bdaddr, &info->bdaddr);
4586 		data.pscan_rep_mode	= info->pscan_rep_mode;
4587 		data.pscan_period_mode	= info->pscan_period_mode;
4588 		data.pscan_mode		= 0x00;
4589 		memcpy(data.dev_class, info->dev_class, 3);
4590 		data.clock_offset	= info->clock_offset;
4591 		data.rssi		= info->rssi;
4592 		data.ssp_mode		= 0x01;
4593 
4594 		if (hci_dev_test_flag(hdev, HCI_MGMT))
4595 			name_known = eir_get_data(info->data,
4596 						  sizeof(info->data),
4597 						  EIR_NAME_COMPLETE, NULL);
4598 		else
4599 			name_known = true;
4600 
4601 		flags = hci_inquiry_cache_update(hdev, &data, name_known);
4602 
4603 		eir_len = eir_get_length(info->data, sizeof(info->data));
4604 
4605 		mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4606 				  info->dev_class, info->rssi,
4607 				  flags, info->data, eir_len, NULL, 0);
4608 	}
4609 
4610 	hci_dev_unlock(hdev);
4611 }
4612 
4613 static void hci_key_refresh_complete_evt(struct hci_dev *hdev,
4614 					 struct sk_buff *skb)
4615 {
4616 	struct hci_ev_key_refresh_complete *ev = (void *) skb->data;
4617 	struct hci_conn *conn;
4618 
4619 	BT_DBG("%s status 0x%2.2x handle 0x%4.4x", hdev->name, ev->status,
4620 	       __le16_to_cpu(ev->handle));
4621 
4622 	hci_dev_lock(hdev);
4623 
4624 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4625 	if (!conn)
4626 		goto unlock;
4627 
4628 	/* For BR/EDR the necessary steps are taken through the
4629 	 * auth_complete event.
4630 	 */
4631 	if (conn->type != LE_LINK)
4632 		goto unlock;
4633 
4634 	if (!ev->status)
4635 		conn->sec_level = conn->pending_sec_level;
4636 
4637 	clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
4638 
4639 	if (ev->status && conn->state == BT_CONNECTED) {
4640 		hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
4641 		hci_conn_drop(conn);
4642 		goto unlock;
4643 	}
4644 
4645 	if (conn->state == BT_CONFIG) {
4646 		if (!ev->status)
4647 			conn->state = BT_CONNECTED;
4648 
4649 		hci_connect_cfm(conn, ev->status);
4650 		hci_conn_drop(conn);
4651 	} else {
4652 		hci_auth_cfm(conn, ev->status);
4653 
4654 		hci_conn_hold(conn);
4655 		conn->disc_timeout = HCI_DISCONN_TIMEOUT;
4656 		hci_conn_drop(conn);
4657 	}
4658 
4659 unlock:
4660 	hci_dev_unlock(hdev);
4661 }
4662 
4663 static u8 hci_get_auth_req(struct hci_conn *conn)
4664 {
4665 	/* If remote requests no-bonding follow that lead */
4666 	if (conn->remote_auth == HCI_AT_NO_BONDING ||
4667 	    conn->remote_auth == HCI_AT_NO_BONDING_MITM)
4668 		return conn->remote_auth | (conn->auth_type & 0x01);
4669 
4670 	/* If both remote and local have enough IO capabilities, require
4671 	 * MITM protection
4672 	 */
4673 	if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
4674 	    conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
4675 		return conn->remote_auth | 0x01;
4676 
4677 	/* No MITM protection possible so ignore remote requirement */
4678 	return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
4679 }
4680 
4681 static u8 bredr_oob_data_present(struct hci_conn *conn)
4682 {
4683 	struct hci_dev *hdev = conn->hdev;
4684 	struct oob_data *data;
4685 
4686 	data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
4687 	if (!data)
4688 		return 0x00;
4689 
4690 	if (bredr_sc_enabled(hdev)) {
4691 		/* When Secure Connections is enabled, then just
4692 		 * return the present value stored with the OOB
4693 		 * data. The stored value contains the right present
4694 		 * information. However it can only be trusted when
4695 		 * not in Secure Connection Only mode.
4696 		 */
4697 		if (!hci_dev_test_flag(hdev, HCI_SC_ONLY))
4698 			return data->present;
4699 
4700 		/* When Secure Connections Only mode is enabled, then
4701 		 * the P-256 values are required. If they are not
4702 		 * available, then do not declare that OOB data is
4703 		 * present.
4704 		 */
4705 		if (!memcmp(data->rand256, ZERO_KEY, 16) ||
4706 		    !memcmp(data->hash256, ZERO_KEY, 16))
4707 			return 0x00;
4708 
4709 		return 0x02;
4710 	}
4711 
4712 	/* When Secure Connections is not enabled or actually
4713 	 * not supported by the hardware, then check that if
4714 	 * P-192 data values are present.
4715 	 */
4716 	if (!memcmp(data->rand192, ZERO_KEY, 16) ||
4717 	    !memcmp(data->hash192, ZERO_KEY, 16))
4718 		return 0x00;
4719 
4720 	return 0x01;
4721 }
4722 
4723 static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
4724 {
4725 	struct hci_ev_io_capa_request *ev = (void *) skb->data;
4726 	struct hci_conn *conn;
4727 
4728 	BT_DBG("%s", hdev->name);
4729 
4730 	hci_dev_lock(hdev);
4731 
4732 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4733 	if (!conn)
4734 		goto unlock;
4735 
4736 	hci_conn_hold(conn);
4737 
4738 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
4739 		goto unlock;
4740 
4741 	/* Allow pairing if we're pairable, the initiators of the
4742 	 * pairing or if the remote is not requesting bonding.
4743 	 */
4744 	if (hci_dev_test_flag(hdev, HCI_BONDABLE) ||
4745 	    test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
4746 	    (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
4747 		struct hci_cp_io_capability_reply cp;
4748 
4749 		bacpy(&cp.bdaddr, &ev->bdaddr);
4750 		/* Change the IO capability from KeyboardDisplay
4751 		 * to DisplayYesNo as it is not supported by BT spec. */
4752 		cp.capability = (conn->io_capability == 0x04) ?
4753 				HCI_IO_DISPLAY_YESNO : conn->io_capability;
4754 
4755 		/* If we are initiators, there is no remote information yet */
4756 		if (conn->remote_auth == 0xff) {
4757 			/* Request MITM protection if our IO caps allow it
4758 			 * except for the no-bonding case.
4759 			 */
4760 			if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4761 			    conn->auth_type != HCI_AT_NO_BONDING)
4762 				conn->auth_type |= 0x01;
4763 		} else {
4764 			conn->auth_type = hci_get_auth_req(conn);
4765 		}
4766 
4767 		/* If we're not bondable, force one of the non-bondable
4768 		 * authentication requirement values.
4769 		 */
4770 		if (!hci_dev_test_flag(hdev, HCI_BONDABLE))
4771 			conn->auth_type &= HCI_AT_NO_BONDING_MITM;
4772 
4773 		cp.authentication = conn->auth_type;
4774 		cp.oob_data = bredr_oob_data_present(conn);
4775 
4776 		hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
4777 			     sizeof(cp), &cp);
4778 	} else {
4779 		struct hci_cp_io_capability_neg_reply cp;
4780 
4781 		bacpy(&cp.bdaddr, &ev->bdaddr);
4782 		cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
4783 
4784 		hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
4785 			     sizeof(cp), &cp);
4786 	}
4787 
4788 unlock:
4789 	hci_dev_unlock(hdev);
4790 }
4791 
4792 static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb)
4793 {
4794 	struct hci_ev_io_capa_reply *ev = (void *) skb->data;
4795 	struct hci_conn *conn;
4796 
4797 	BT_DBG("%s", hdev->name);
4798 
4799 	hci_dev_lock(hdev);
4800 
4801 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4802 	if (!conn)
4803 		goto unlock;
4804 
4805 	conn->remote_cap = ev->capability;
4806 	conn->remote_auth = ev->authentication;
4807 
4808 unlock:
4809 	hci_dev_unlock(hdev);
4810 }
4811 
4812 static void hci_user_confirm_request_evt(struct hci_dev *hdev,
4813 					 struct sk_buff *skb)
4814 {
4815 	struct hci_ev_user_confirm_req *ev = (void *) skb->data;
4816 	int loc_mitm, rem_mitm, confirm_hint = 0;
4817 	struct hci_conn *conn;
4818 
4819 	BT_DBG("%s", hdev->name);
4820 
4821 	hci_dev_lock(hdev);
4822 
4823 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
4824 		goto unlock;
4825 
4826 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4827 	if (!conn)
4828 		goto unlock;
4829 
4830 	loc_mitm = (conn->auth_type & 0x01);
4831 	rem_mitm = (conn->remote_auth & 0x01);
4832 
4833 	/* If we require MITM but the remote device can't provide that
4834 	 * (it has NoInputNoOutput) then reject the confirmation
4835 	 * request. We check the security level here since it doesn't
4836 	 * necessarily match conn->auth_type.
4837 	 */
4838 	if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
4839 	    conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
4840 		BT_DBG("Rejecting request: remote device can't provide MITM");
4841 		hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
4842 			     sizeof(ev->bdaddr), &ev->bdaddr);
4843 		goto unlock;
4844 	}
4845 
4846 	/* If no side requires MITM protection; auto-accept */
4847 	if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
4848 	    (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
4849 
4850 		/* If we're not the initiators request authorization to
4851 		 * proceed from user space (mgmt_user_confirm with
4852 		 * confirm_hint set to 1). The exception is if neither
4853 		 * side had MITM or if the local IO capability is
4854 		 * NoInputNoOutput, in which case we do auto-accept
4855 		 */
4856 		if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
4857 		    conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4858 		    (loc_mitm || rem_mitm)) {
4859 			BT_DBG("Confirming auto-accept as acceptor");
4860 			confirm_hint = 1;
4861 			goto confirm;
4862 		}
4863 
4864 		/* If there already exists link key in local host, leave the
4865 		 * decision to user space since the remote device could be
4866 		 * legitimate or malicious.
4867 		 */
4868 		if (hci_find_link_key(hdev, &ev->bdaddr)) {
4869 			bt_dev_dbg(hdev, "Local host already has link key");
4870 			confirm_hint = 1;
4871 			goto confirm;
4872 		}
4873 
4874 		BT_DBG("Auto-accept of user confirmation with %ums delay",
4875 		       hdev->auto_accept_delay);
4876 
4877 		if (hdev->auto_accept_delay > 0) {
4878 			int delay = msecs_to_jiffies(hdev->auto_accept_delay);
4879 			queue_delayed_work(conn->hdev->workqueue,
4880 					   &conn->auto_accept_work, delay);
4881 			goto unlock;
4882 		}
4883 
4884 		hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
4885 			     sizeof(ev->bdaddr), &ev->bdaddr);
4886 		goto unlock;
4887 	}
4888 
4889 confirm:
4890 	mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
4891 				  le32_to_cpu(ev->passkey), confirm_hint);
4892 
4893 unlock:
4894 	hci_dev_unlock(hdev);
4895 }
4896 
4897 static void hci_user_passkey_request_evt(struct hci_dev *hdev,
4898 					 struct sk_buff *skb)
4899 {
4900 	struct hci_ev_user_passkey_req *ev = (void *) skb->data;
4901 
4902 	BT_DBG("%s", hdev->name);
4903 
4904 	if (hci_dev_test_flag(hdev, HCI_MGMT))
4905 		mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
4906 }
4907 
4908 static void hci_user_passkey_notify_evt(struct hci_dev *hdev,
4909 					struct sk_buff *skb)
4910 {
4911 	struct hci_ev_user_passkey_notify *ev = (void *) skb->data;
4912 	struct hci_conn *conn;
4913 
4914 	BT_DBG("%s", hdev->name);
4915 
4916 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4917 	if (!conn)
4918 		return;
4919 
4920 	conn->passkey_notify = __le32_to_cpu(ev->passkey);
4921 	conn->passkey_entered = 0;
4922 
4923 	if (hci_dev_test_flag(hdev, HCI_MGMT))
4924 		mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4925 					 conn->dst_type, conn->passkey_notify,
4926 					 conn->passkey_entered);
4927 }
4928 
4929 static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
4930 {
4931 	struct hci_ev_keypress_notify *ev = (void *) skb->data;
4932 	struct hci_conn *conn;
4933 
4934 	BT_DBG("%s", hdev->name);
4935 
4936 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4937 	if (!conn)
4938 		return;
4939 
4940 	switch (ev->type) {
4941 	case HCI_KEYPRESS_STARTED:
4942 		conn->passkey_entered = 0;
4943 		return;
4944 
4945 	case HCI_KEYPRESS_ENTERED:
4946 		conn->passkey_entered++;
4947 		break;
4948 
4949 	case HCI_KEYPRESS_ERASED:
4950 		conn->passkey_entered--;
4951 		break;
4952 
4953 	case HCI_KEYPRESS_CLEARED:
4954 		conn->passkey_entered = 0;
4955 		break;
4956 
4957 	case HCI_KEYPRESS_COMPLETED:
4958 		return;
4959 	}
4960 
4961 	if (hci_dev_test_flag(hdev, HCI_MGMT))
4962 		mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4963 					 conn->dst_type, conn->passkey_notify,
4964 					 conn->passkey_entered);
4965 }
4966 
4967 static void hci_simple_pair_complete_evt(struct hci_dev *hdev,
4968 					 struct sk_buff *skb)
4969 {
4970 	struct hci_ev_simple_pair_complete *ev = (void *) skb->data;
4971 	struct hci_conn *conn;
4972 
4973 	BT_DBG("%s", hdev->name);
4974 
4975 	hci_dev_lock(hdev);
4976 
4977 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4978 	if (!conn)
4979 		goto unlock;
4980 
4981 	/* Reset the authentication requirement to unknown */
4982 	conn->remote_auth = 0xff;
4983 
4984 	/* To avoid duplicate auth_failed events to user space we check
4985 	 * the HCI_CONN_AUTH_PEND flag which will be set if we
4986 	 * initiated the authentication. A traditional auth_complete
4987 	 * event gets always produced as initiator and is also mapped to
4988 	 * the mgmt_auth_failed event */
4989 	if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
4990 		mgmt_auth_failed(conn, ev->status);
4991 
4992 	hci_conn_drop(conn);
4993 
4994 unlock:
4995 	hci_dev_unlock(hdev);
4996 }
4997 
4998 static void hci_remote_host_features_evt(struct hci_dev *hdev,
4999 					 struct sk_buff *skb)
5000 {
5001 	struct hci_ev_remote_host_features *ev = (void *) skb->data;
5002 	struct inquiry_entry *ie;
5003 	struct hci_conn *conn;
5004 
5005 	BT_DBG("%s", hdev->name);
5006 
5007 	hci_dev_lock(hdev);
5008 
5009 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5010 	if (conn)
5011 		memcpy(conn->features[1], ev->features, 8);
5012 
5013 	ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
5014 	if (ie)
5015 		ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
5016 
5017 	hci_dev_unlock(hdev);
5018 }
5019 
5020 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
5021 					    struct sk_buff *skb)
5022 {
5023 	struct hci_ev_remote_oob_data_request *ev = (void *) skb->data;
5024 	struct oob_data *data;
5025 
5026 	BT_DBG("%s", hdev->name);
5027 
5028 	hci_dev_lock(hdev);
5029 
5030 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
5031 		goto unlock;
5032 
5033 	data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
5034 	if (!data) {
5035 		struct hci_cp_remote_oob_data_neg_reply cp;
5036 
5037 		bacpy(&cp.bdaddr, &ev->bdaddr);
5038 		hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
5039 			     sizeof(cp), &cp);
5040 		goto unlock;
5041 	}
5042 
5043 	if (bredr_sc_enabled(hdev)) {
5044 		struct hci_cp_remote_oob_ext_data_reply cp;
5045 
5046 		bacpy(&cp.bdaddr, &ev->bdaddr);
5047 		if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
5048 			memset(cp.hash192, 0, sizeof(cp.hash192));
5049 			memset(cp.rand192, 0, sizeof(cp.rand192));
5050 		} else {
5051 			memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
5052 			memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
5053 		}
5054 		memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
5055 		memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
5056 
5057 		hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
5058 			     sizeof(cp), &cp);
5059 	} else {
5060 		struct hci_cp_remote_oob_data_reply cp;
5061 
5062 		bacpy(&cp.bdaddr, &ev->bdaddr);
5063 		memcpy(cp.hash, data->hash192, sizeof(cp.hash));
5064 		memcpy(cp.rand, data->rand192, sizeof(cp.rand));
5065 
5066 		hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
5067 			     sizeof(cp), &cp);
5068 	}
5069 
5070 unlock:
5071 	hci_dev_unlock(hdev);
5072 }
5073 
5074 #if IS_ENABLED(CONFIG_BT_HS)
5075 static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb)
5076 {
5077 	struct hci_ev_channel_selected *ev = (void *)skb->data;
5078 	struct hci_conn *hcon;
5079 
5080 	BT_DBG("%s handle 0x%2.2x", hdev->name, ev->phy_handle);
5081 
5082 	skb_pull(skb, sizeof(*ev));
5083 
5084 	hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5085 	if (!hcon)
5086 		return;
5087 
5088 	amp_read_loc_assoc_final_data(hdev, hcon);
5089 }
5090 
5091 static void hci_phy_link_complete_evt(struct hci_dev *hdev,
5092 				      struct sk_buff *skb)
5093 {
5094 	struct hci_ev_phy_link_complete *ev = (void *) skb->data;
5095 	struct hci_conn *hcon, *bredr_hcon;
5096 
5097 	BT_DBG("%s handle 0x%2.2x status 0x%2.2x", hdev->name, ev->phy_handle,
5098 	       ev->status);
5099 
5100 	hci_dev_lock(hdev);
5101 
5102 	hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5103 	if (!hcon)
5104 		goto unlock;
5105 
5106 	if (!hcon->amp_mgr)
5107 		goto unlock;
5108 
5109 	if (ev->status) {
5110 		hci_conn_del(hcon);
5111 		goto unlock;
5112 	}
5113 
5114 	bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
5115 
5116 	hcon->state = BT_CONNECTED;
5117 	bacpy(&hcon->dst, &bredr_hcon->dst);
5118 
5119 	hci_conn_hold(hcon);
5120 	hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
5121 	hci_conn_drop(hcon);
5122 
5123 	hci_debugfs_create_conn(hcon);
5124 	hci_conn_add_sysfs(hcon);
5125 
5126 	amp_physical_cfm(bredr_hcon, hcon);
5127 
5128 unlock:
5129 	hci_dev_unlock(hdev);
5130 }
5131 
5132 static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
5133 {
5134 	struct hci_ev_logical_link_complete *ev = (void *) skb->data;
5135 	struct hci_conn *hcon;
5136 	struct hci_chan *hchan;
5137 	struct amp_mgr *mgr;
5138 
5139 	BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
5140 	       hdev->name, le16_to_cpu(ev->handle), ev->phy_handle,
5141 	       ev->status);
5142 
5143 	hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5144 	if (!hcon)
5145 		return;
5146 
5147 	/* Create AMP hchan */
5148 	hchan = hci_chan_create(hcon);
5149 	if (!hchan)
5150 		return;
5151 
5152 	hchan->handle = le16_to_cpu(ev->handle);
5153 	hchan->amp = true;
5154 
5155 	BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
5156 
5157 	mgr = hcon->amp_mgr;
5158 	if (mgr && mgr->bredr_chan) {
5159 		struct l2cap_chan *bredr_chan = mgr->bredr_chan;
5160 
5161 		l2cap_chan_lock(bredr_chan);
5162 
5163 		bredr_chan->conn->mtu = hdev->block_mtu;
5164 		l2cap_logical_cfm(bredr_chan, hchan, 0);
5165 		hci_conn_hold(hcon);
5166 
5167 		l2cap_chan_unlock(bredr_chan);
5168 	}
5169 }
5170 
5171 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev,
5172 					     struct sk_buff *skb)
5173 {
5174 	struct hci_ev_disconn_logical_link_complete *ev = (void *) skb->data;
5175 	struct hci_chan *hchan;
5176 
5177 	BT_DBG("%s log handle 0x%4.4x status 0x%2.2x", hdev->name,
5178 	       le16_to_cpu(ev->handle), ev->status);
5179 
5180 	if (ev->status)
5181 		return;
5182 
5183 	hci_dev_lock(hdev);
5184 
5185 	hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
5186 	if (!hchan || !hchan->amp)
5187 		goto unlock;
5188 
5189 	amp_destroy_logical_link(hchan, ev->reason);
5190 
5191 unlock:
5192 	hci_dev_unlock(hdev);
5193 }
5194 
5195 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev,
5196 					     struct sk_buff *skb)
5197 {
5198 	struct hci_ev_disconn_phy_link_complete *ev = (void *) skb->data;
5199 	struct hci_conn *hcon;
5200 
5201 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5202 
5203 	if (ev->status)
5204 		return;
5205 
5206 	hci_dev_lock(hdev);
5207 
5208 	hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5209 	if (hcon) {
5210 		hcon->state = BT_CLOSED;
5211 		hci_conn_del(hcon);
5212 	}
5213 
5214 	hci_dev_unlock(hdev);
5215 }
5216 #endif
5217 
5218 static void le_conn_update_addr(struct hci_conn *conn, bdaddr_t *bdaddr,
5219 				u8 bdaddr_type, bdaddr_t *local_rpa)
5220 {
5221 	if (conn->out) {
5222 		conn->dst_type = bdaddr_type;
5223 		conn->resp_addr_type = bdaddr_type;
5224 		bacpy(&conn->resp_addr, bdaddr);
5225 
5226 		/* Check if the controller has set a Local RPA then it must be
5227 		 * used instead or hdev->rpa.
5228 		 */
5229 		if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) {
5230 			conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5231 			bacpy(&conn->init_addr, local_rpa);
5232 		} else if (hci_dev_test_flag(conn->hdev, HCI_PRIVACY)) {
5233 			conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5234 			bacpy(&conn->init_addr, &conn->hdev->rpa);
5235 		} else {
5236 			hci_copy_identity_address(conn->hdev, &conn->init_addr,
5237 						  &conn->init_addr_type);
5238 		}
5239 	} else {
5240 		conn->resp_addr_type = conn->hdev->adv_addr_type;
5241 		/* Check if the controller has set a Local RPA then it must be
5242 		 * used instead or hdev->rpa.
5243 		 */
5244 		if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) {
5245 			conn->resp_addr_type = ADDR_LE_DEV_RANDOM;
5246 			bacpy(&conn->resp_addr, local_rpa);
5247 		} else if (conn->hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) {
5248 			/* In case of ext adv, resp_addr will be updated in
5249 			 * Adv Terminated event.
5250 			 */
5251 			if (!ext_adv_capable(conn->hdev))
5252 				bacpy(&conn->resp_addr,
5253 				      &conn->hdev->random_addr);
5254 		} else {
5255 			bacpy(&conn->resp_addr, &conn->hdev->bdaddr);
5256 		}
5257 
5258 		conn->init_addr_type = bdaddr_type;
5259 		bacpy(&conn->init_addr, bdaddr);
5260 
5261 		/* For incoming connections, set the default minimum
5262 		 * and maximum connection interval. They will be used
5263 		 * to check if the parameters are in range and if not
5264 		 * trigger the connection update procedure.
5265 		 */
5266 		conn->le_conn_min_interval = conn->hdev->le_conn_min_interval;
5267 		conn->le_conn_max_interval = conn->hdev->le_conn_max_interval;
5268 	}
5269 }
5270 
5271 static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
5272 				 bdaddr_t *bdaddr, u8 bdaddr_type,
5273 				 bdaddr_t *local_rpa, u8 role, u16 handle,
5274 				 u16 interval, u16 latency,
5275 				 u16 supervision_timeout)
5276 {
5277 	struct hci_conn_params *params;
5278 	struct hci_conn *conn;
5279 	struct smp_irk *irk;
5280 	u8 addr_type;
5281 
5282 	hci_dev_lock(hdev);
5283 
5284 	/* All controllers implicitly stop advertising in the event of a
5285 	 * connection, so ensure that the state bit is cleared.
5286 	 */
5287 	hci_dev_clear_flag(hdev, HCI_LE_ADV);
5288 
5289 	conn = hci_lookup_le_connect(hdev);
5290 	if (!conn) {
5291 		conn = hci_conn_add(hdev, LE_LINK, bdaddr, role);
5292 		if (!conn) {
5293 			bt_dev_err(hdev, "no memory for new connection");
5294 			goto unlock;
5295 		}
5296 
5297 		conn->dst_type = bdaddr_type;
5298 
5299 		/* If we didn't have a hci_conn object previously
5300 		 * but we're in central role this must be something
5301 		 * initiated using an accept list. Since accept list based
5302 		 * connections are not "first class citizens" we don't
5303 		 * have full tracking of them. Therefore, we go ahead
5304 		 * with a "best effort" approach of determining the
5305 		 * initiator address based on the HCI_PRIVACY flag.
5306 		 */
5307 		if (conn->out) {
5308 			conn->resp_addr_type = bdaddr_type;
5309 			bacpy(&conn->resp_addr, bdaddr);
5310 			if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
5311 				conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5312 				bacpy(&conn->init_addr, &hdev->rpa);
5313 			} else {
5314 				hci_copy_identity_address(hdev,
5315 							  &conn->init_addr,
5316 							  &conn->init_addr_type);
5317 			}
5318 		}
5319 	} else {
5320 		cancel_delayed_work(&conn->le_conn_timeout);
5321 	}
5322 
5323 	le_conn_update_addr(conn, bdaddr, bdaddr_type, local_rpa);
5324 
5325 	/* Lookup the identity address from the stored connection
5326 	 * address and address type.
5327 	 *
5328 	 * When establishing connections to an identity address, the
5329 	 * connection procedure will store the resolvable random
5330 	 * address first. Now if it can be converted back into the
5331 	 * identity address, start using the identity address from
5332 	 * now on.
5333 	 */
5334 	irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
5335 	if (irk) {
5336 		bacpy(&conn->dst, &irk->bdaddr);
5337 		conn->dst_type = irk->addr_type;
5338 	}
5339 
5340 	conn->dst_type = ev_bdaddr_type(hdev, conn->dst_type, NULL);
5341 
5342 	if (status) {
5343 		hci_le_conn_failed(conn, status);
5344 		goto unlock;
5345 	}
5346 
5347 	if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
5348 		addr_type = BDADDR_LE_PUBLIC;
5349 	else
5350 		addr_type = BDADDR_LE_RANDOM;
5351 
5352 	/* Drop the connection if the device is blocked */
5353 	if (hci_bdaddr_list_lookup(&hdev->reject_list, &conn->dst, addr_type)) {
5354 		hci_conn_drop(conn);
5355 		goto unlock;
5356 	}
5357 
5358 	if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
5359 		mgmt_device_connected(hdev, conn, NULL, 0);
5360 
5361 	conn->sec_level = BT_SECURITY_LOW;
5362 	conn->handle = handle;
5363 	conn->state = BT_CONFIG;
5364 
5365 	/* Store current advertising instance as connection advertising instance
5366 	 * when sotfware rotation is in use so it can be re-enabled when
5367 	 * disconnected.
5368 	 */
5369 	if (!ext_adv_capable(hdev))
5370 		conn->adv_instance = hdev->cur_adv_instance;
5371 
5372 	conn->le_conn_interval = interval;
5373 	conn->le_conn_latency = latency;
5374 	conn->le_supv_timeout = supervision_timeout;
5375 
5376 	hci_debugfs_create_conn(conn);
5377 	hci_conn_add_sysfs(conn);
5378 
5379 	/* The remote features procedure is defined for central
5380 	 * role only. So only in case of an initiated connection
5381 	 * request the remote features.
5382 	 *
5383 	 * If the local controller supports peripheral-initiated features
5384 	 * exchange, then requesting the remote features in peripheral
5385 	 * role is possible. Otherwise just transition into the
5386 	 * connected state without requesting the remote features.
5387 	 */
5388 	if (conn->out ||
5389 	    (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES)) {
5390 		struct hci_cp_le_read_remote_features cp;
5391 
5392 		cp.handle = __cpu_to_le16(conn->handle);
5393 
5394 		hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,
5395 			     sizeof(cp), &cp);
5396 
5397 		hci_conn_hold(conn);
5398 	} else {
5399 		conn->state = BT_CONNECTED;
5400 		hci_connect_cfm(conn, status);
5401 	}
5402 
5403 	params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
5404 					   conn->dst_type);
5405 	if (params) {
5406 		list_del_init(&params->action);
5407 		if (params->conn) {
5408 			hci_conn_drop(params->conn);
5409 			hci_conn_put(params->conn);
5410 			params->conn = NULL;
5411 		}
5412 	}
5413 
5414 unlock:
5415 	hci_update_background_scan(hdev);
5416 	hci_dev_unlock(hdev);
5417 }
5418 
5419 static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
5420 {
5421 	struct hci_ev_le_conn_complete *ev = (void *) skb->data;
5422 
5423 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5424 
5425 	le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
5426 			     NULL, ev->role, le16_to_cpu(ev->handle),
5427 			     le16_to_cpu(ev->interval),
5428 			     le16_to_cpu(ev->latency),
5429 			     le16_to_cpu(ev->supervision_timeout));
5430 }
5431 
5432 static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev,
5433 					 struct sk_buff *skb)
5434 {
5435 	struct hci_ev_le_enh_conn_complete *ev = (void *) skb->data;
5436 
5437 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5438 
5439 	le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
5440 			     &ev->local_rpa, ev->role, le16_to_cpu(ev->handle),
5441 			     le16_to_cpu(ev->interval),
5442 			     le16_to_cpu(ev->latency),
5443 			     le16_to_cpu(ev->supervision_timeout));
5444 
5445 	if (use_ll_privacy(hdev) &&
5446 	    hci_dev_test_flag(hdev, HCI_ENABLE_LL_PRIVACY) &&
5447 	    hci_dev_test_flag(hdev, HCI_LL_RPA_RESOLUTION))
5448 		hci_req_disable_address_resolution(hdev);
5449 }
5450 
5451 static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, struct sk_buff *skb)
5452 {
5453 	struct hci_evt_le_ext_adv_set_term *ev = (void *) skb->data;
5454 	struct hci_conn *conn;
5455 	struct adv_info *adv;
5456 
5457 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5458 
5459 	adv = hci_find_adv_instance(hdev, ev->handle);
5460 
5461 	if (ev->status) {
5462 		if (!adv)
5463 			return;
5464 
5465 		/* Remove advertising as it has been terminated */
5466 		hci_remove_adv_instance(hdev, ev->handle);
5467 		mgmt_advertising_removed(NULL, hdev, ev->handle);
5468 
5469 		return;
5470 	}
5471 
5472 	if (adv)
5473 		adv->enabled = false;
5474 
5475 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle));
5476 	if (conn) {
5477 		/* Store handle in the connection so the correct advertising
5478 		 * instance can be re-enabled when disconnected.
5479 		 */
5480 		conn->adv_instance = ev->handle;
5481 
5482 		if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM ||
5483 		    bacmp(&conn->resp_addr, BDADDR_ANY))
5484 			return;
5485 
5486 		if (!ev->handle) {
5487 			bacpy(&conn->resp_addr, &hdev->random_addr);
5488 			return;
5489 		}
5490 
5491 		if (adv)
5492 			bacpy(&conn->resp_addr, &adv->random_addr);
5493 	}
5494 }
5495 
5496 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev,
5497 					    struct sk_buff *skb)
5498 {
5499 	struct hci_ev_le_conn_update_complete *ev = (void *) skb->data;
5500 	struct hci_conn *conn;
5501 
5502 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5503 
5504 	if (ev->status)
5505 		return;
5506 
5507 	hci_dev_lock(hdev);
5508 
5509 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5510 	if (conn) {
5511 		conn->le_conn_interval = le16_to_cpu(ev->interval);
5512 		conn->le_conn_latency = le16_to_cpu(ev->latency);
5513 		conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
5514 	}
5515 
5516 	hci_dev_unlock(hdev);
5517 }
5518 
5519 /* This function requires the caller holds hdev->lock */
5520 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
5521 					      bdaddr_t *addr,
5522 					      u8 addr_type, bool addr_resolved,
5523 					      u8 adv_type, bdaddr_t *direct_rpa)
5524 {
5525 	struct hci_conn *conn;
5526 	struct hci_conn_params *params;
5527 
5528 	/* If the event is not connectable don't proceed further */
5529 	if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
5530 		return NULL;
5531 
5532 	/* Ignore if the device is blocked */
5533 	if (hci_bdaddr_list_lookup(&hdev->reject_list, addr, addr_type))
5534 		return NULL;
5535 
5536 	/* Most controller will fail if we try to create new connections
5537 	 * while we have an existing one in peripheral role.
5538 	 */
5539 	if (hdev->conn_hash.le_num_peripheral > 0 &&
5540 	    (!test_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks) ||
5541 	     !(hdev->le_states[3] & 0x10)))
5542 		return NULL;
5543 
5544 	/* If we're not connectable only connect devices that we have in
5545 	 * our pend_le_conns list.
5546 	 */
5547 	params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr,
5548 					   addr_type);
5549 	if (!params)
5550 		return NULL;
5551 
5552 	if (!params->explicit_connect) {
5553 		switch (params->auto_connect) {
5554 		case HCI_AUTO_CONN_DIRECT:
5555 			/* Only devices advertising with ADV_DIRECT_IND are
5556 			 * triggering a connection attempt. This is allowing
5557 			 * incoming connections from peripheral devices.
5558 			 */
5559 			if (adv_type != LE_ADV_DIRECT_IND)
5560 				return NULL;
5561 			break;
5562 		case HCI_AUTO_CONN_ALWAYS:
5563 			/* Devices advertising with ADV_IND or ADV_DIRECT_IND
5564 			 * are triggering a connection attempt. This means
5565 			 * that incoming connections from peripheral device are
5566 			 * accepted and also outgoing connections to peripheral
5567 			 * devices are established when found.
5568 			 */
5569 			break;
5570 		default:
5571 			return NULL;
5572 		}
5573 	}
5574 
5575 	conn = hci_connect_le(hdev, addr, addr_type, addr_resolved,
5576 			      BT_SECURITY_LOW, hdev->def_le_autoconnect_timeout,
5577 			      HCI_ROLE_MASTER, direct_rpa);
5578 	if (!IS_ERR(conn)) {
5579 		/* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
5580 		 * by higher layer that tried to connect, if no then
5581 		 * store the pointer since we don't really have any
5582 		 * other owner of the object besides the params that
5583 		 * triggered it. This way we can abort the connection if
5584 		 * the parameters get removed and keep the reference
5585 		 * count consistent once the connection is established.
5586 		 */
5587 
5588 		if (!params->explicit_connect)
5589 			params->conn = hci_conn_get(conn);
5590 
5591 		return conn;
5592 	}
5593 
5594 	switch (PTR_ERR(conn)) {
5595 	case -EBUSY:
5596 		/* If hci_connect() returns -EBUSY it means there is already
5597 		 * an LE connection attempt going on. Since controllers don't
5598 		 * support more than one connection attempt at the time, we
5599 		 * don't consider this an error case.
5600 		 */
5601 		break;
5602 	default:
5603 		BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
5604 		return NULL;
5605 	}
5606 
5607 	return NULL;
5608 }
5609 
5610 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
5611 			       u8 bdaddr_type, bdaddr_t *direct_addr,
5612 			       u8 direct_addr_type, s8 rssi, u8 *data, u8 len,
5613 			       bool ext_adv)
5614 {
5615 	struct discovery_state *d = &hdev->discovery;
5616 	struct smp_irk *irk;
5617 	struct hci_conn *conn;
5618 	bool match, bdaddr_resolved;
5619 	u32 flags;
5620 	u8 *ptr;
5621 
5622 	switch (type) {
5623 	case LE_ADV_IND:
5624 	case LE_ADV_DIRECT_IND:
5625 	case LE_ADV_SCAN_IND:
5626 	case LE_ADV_NONCONN_IND:
5627 	case LE_ADV_SCAN_RSP:
5628 		break;
5629 	default:
5630 		bt_dev_err_ratelimited(hdev, "unknown advertising packet "
5631 				       "type: 0x%02x", type);
5632 		return;
5633 	}
5634 
5635 	if (!ext_adv && len > HCI_MAX_AD_LENGTH) {
5636 		bt_dev_err_ratelimited(hdev, "legacy adv larger than 31 bytes");
5637 		return;
5638 	}
5639 
5640 	/* Find the end of the data in case the report contains padded zero
5641 	 * bytes at the end causing an invalid length value.
5642 	 *
5643 	 * When data is NULL, len is 0 so there is no need for extra ptr
5644 	 * check as 'ptr < data + 0' is already false in such case.
5645 	 */
5646 	for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) {
5647 		if (ptr + 1 + *ptr > data + len)
5648 			break;
5649 	}
5650 
5651 	/* Adjust for actual length. This handles the case when remote
5652 	 * device is advertising with incorrect data length.
5653 	 */
5654 	len = ptr - data;
5655 
5656 	/* If the direct address is present, then this report is from
5657 	 * a LE Direct Advertising Report event. In that case it is
5658 	 * important to see if the address is matching the local
5659 	 * controller address.
5660 	 */
5661 	if (direct_addr) {
5662 		direct_addr_type = ev_bdaddr_type(hdev, direct_addr_type,
5663 						  &bdaddr_resolved);
5664 
5665 		/* Only resolvable random addresses are valid for these
5666 		 * kind of reports and others can be ignored.
5667 		 */
5668 		if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
5669 			return;
5670 
5671 		/* If the controller is not using resolvable random
5672 		 * addresses, then this report can be ignored.
5673 		 */
5674 		if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
5675 			return;
5676 
5677 		/* If the local IRK of the controller does not match
5678 		 * with the resolvable random address provided, then
5679 		 * this report can be ignored.
5680 		 */
5681 		if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
5682 			return;
5683 	}
5684 
5685 	/* Check if we need to convert to identity address */
5686 	irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
5687 	if (irk) {
5688 		bdaddr = &irk->bdaddr;
5689 		bdaddr_type = irk->addr_type;
5690 	}
5691 
5692 	bdaddr_type = ev_bdaddr_type(hdev, bdaddr_type, &bdaddr_resolved);
5693 
5694 	/* Check if we have been requested to connect to this device.
5695 	 *
5696 	 * direct_addr is set only for directed advertising reports (it is NULL
5697 	 * for advertising reports) and is already verified to be RPA above.
5698 	 */
5699 	conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, bdaddr_resolved,
5700 				     type, direct_addr);
5701 	if (!ext_adv && conn && type == LE_ADV_IND && len <= HCI_MAX_AD_LENGTH) {
5702 		/* Store report for later inclusion by
5703 		 * mgmt_device_connected
5704 		 */
5705 		memcpy(conn->le_adv_data, data, len);
5706 		conn->le_adv_data_len = len;
5707 	}
5708 
5709 	/* Passive scanning shouldn't trigger any device found events,
5710 	 * except for devices marked as CONN_REPORT for which we do send
5711 	 * device found events, or advertisement monitoring requested.
5712 	 */
5713 	if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
5714 		if (type == LE_ADV_DIRECT_IND)
5715 			return;
5716 
5717 		if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
5718 					       bdaddr, bdaddr_type) &&
5719 		    idr_is_empty(&hdev->adv_monitors_idr))
5720 			return;
5721 
5722 		if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
5723 			flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
5724 		else
5725 			flags = 0;
5726 		mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
5727 				  rssi, flags, data, len, NULL, 0);
5728 		return;
5729 	}
5730 
5731 	/* When receiving non-connectable or scannable undirected
5732 	 * advertising reports, this means that the remote device is
5733 	 * not connectable and then clearly indicate this in the
5734 	 * device found event.
5735 	 *
5736 	 * When receiving a scan response, then there is no way to
5737 	 * know if the remote device is connectable or not. However
5738 	 * since scan responses are merged with a previously seen
5739 	 * advertising report, the flags field from that report
5740 	 * will be used.
5741 	 *
5742 	 * In the really unlikely case that a controller get confused
5743 	 * and just sends a scan response event, then it is marked as
5744 	 * not connectable as well.
5745 	 */
5746 	if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND ||
5747 	    type == LE_ADV_SCAN_RSP)
5748 		flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
5749 	else
5750 		flags = 0;
5751 
5752 	/* If there's nothing pending either store the data from this
5753 	 * event or send an immediate device found event if the data
5754 	 * should not be stored for later.
5755 	 */
5756 	if (!ext_adv &&	!has_pending_adv_report(hdev)) {
5757 		/* If the report will trigger a SCAN_REQ store it for
5758 		 * later merging.
5759 		 */
5760 		if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
5761 			store_pending_adv_report(hdev, bdaddr, bdaddr_type,
5762 						 rssi, flags, data, len);
5763 			return;
5764 		}
5765 
5766 		mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
5767 				  rssi, flags, data, len, NULL, 0);
5768 		return;
5769 	}
5770 
5771 	/* Check if the pending report is for the same device as the new one */
5772 	match = (!bacmp(bdaddr, &d->last_adv_addr) &&
5773 		 bdaddr_type == d->last_adv_addr_type);
5774 
5775 	/* If the pending data doesn't match this report or this isn't a
5776 	 * scan response (e.g. we got a duplicate ADV_IND) then force
5777 	 * sending of the pending data.
5778 	 */
5779 	if (type != LE_ADV_SCAN_RSP || !match) {
5780 		/* Send out whatever is in the cache, but skip duplicates */
5781 		if (!match)
5782 			mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
5783 					  d->last_adv_addr_type, NULL,
5784 					  d->last_adv_rssi, d->last_adv_flags,
5785 					  d->last_adv_data,
5786 					  d->last_adv_data_len, NULL, 0);
5787 
5788 		/* If the new report will trigger a SCAN_REQ store it for
5789 		 * later merging.
5790 		 */
5791 		if (!ext_adv && (type == LE_ADV_IND ||
5792 				 type == LE_ADV_SCAN_IND)) {
5793 			store_pending_adv_report(hdev, bdaddr, bdaddr_type,
5794 						 rssi, flags, data, len);
5795 			return;
5796 		}
5797 
5798 		/* The advertising reports cannot be merged, so clear
5799 		 * the pending report and send out a device found event.
5800 		 */
5801 		clear_pending_adv_report(hdev);
5802 		mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
5803 				  rssi, flags, data, len, NULL, 0);
5804 		return;
5805 	}
5806 
5807 	/* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
5808 	 * the new event is a SCAN_RSP. We can therefore proceed with
5809 	 * sending a merged device found event.
5810 	 */
5811 	mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
5812 			  d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
5813 			  d->last_adv_data, d->last_adv_data_len, data, len);
5814 	clear_pending_adv_report(hdev);
5815 }
5816 
5817 static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
5818 {
5819 	u8 num_reports = skb->data[0];
5820 	void *ptr = &skb->data[1];
5821 
5822 	hci_dev_lock(hdev);
5823 
5824 	while (num_reports--) {
5825 		struct hci_ev_le_advertising_info *ev = ptr;
5826 		s8 rssi;
5827 
5828 		if (ev->length <= HCI_MAX_AD_LENGTH) {
5829 			rssi = ev->data[ev->length];
5830 			process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
5831 					   ev->bdaddr_type, NULL, 0, rssi,
5832 					   ev->data, ev->length, false);
5833 		} else {
5834 			bt_dev_err(hdev, "Dropping invalid advertising data");
5835 		}
5836 
5837 		ptr += sizeof(*ev) + ev->length + 1;
5838 	}
5839 
5840 	hci_dev_unlock(hdev);
5841 }
5842 
5843 static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type)
5844 {
5845 	if (evt_type & LE_EXT_ADV_LEGACY_PDU) {
5846 		switch (evt_type) {
5847 		case LE_LEGACY_ADV_IND:
5848 			return LE_ADV_IND;
5849 		case LE_LEGACY_ADV_DIRECT_IND:
5850 			return LE_ADV_DIRECT_IND;
5851 		case LE_LEGACY_ADV_SCAN_IND:
5852 			return LE_ADV_SCAN_IND;
5853 		case LE_LEGACY_NONCONN_IND:
5854 			return LE_ADV_NONCONN_IND;
5855 		case LE_LEGACY_SCAN_RSP_ADV:
5856 		case LE_LEGACY_SCAN_RSP_ADV_SCAN:
5857 			return LE_ADV_SCAN_RSP;
5858 		}
5859 
5860 		goto invalid;
5861 	}
5862 
5863 	if (evt_type & LE_EXT_ADV_CONN_IND) {
5864 		if (evt_type & LE_EXT_ADV_DIRECT_IND)
5865 			return LE_ADV_DIRECT_IND;
5866 
5867 		return LE_ADV_IND;
5868 	}
5869 
5870 	if (evt_type & LE_EXT_ADV_SCAN_RSP)
5871 		return LE_ADV_SCAN_RSP;
5872 
5873 	if (evt_type & LE_EXT_ADV_SCAN_IND)
5874 		return LE_ADV_SCAN_IND;
5875 
5876 	if (evt_type == LE_EXT_ADV_NON_CONN_IND ||
5877 	    evt_type & LE_EXT_ADV_DIRECT_IND)
5878 		return LE_ADV_NONCONN_IND;
5879 
5880 invalid:
5881 	bt_dev_err_ratelimited(hdev, "Unknown advertising packet type: 0x%02x",
5882 			       evt_type);
5883 
5884 	return LE_ADV_INVALID;
5885 }
5886 
5887 static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
5888 {
5889 	u8 num_reports = skb->data[0];
5890 	void *ptr = &skb->data[1];
5891 
5892 	hci_dev_lock(hdev);
5893 
5894 	while (num_reports--) {
5895 		struct hci_ev_le_ext_adv_report *ev = ptr;
5896 		u8 legacy_evt_type;
5897 		u16 evt_type;
5898 
5899 		evt_type = __le16_to_cpu(ev->evt_type);
5900 		legacy_evt_type = ext_evt_type_to_legacy(hdev, evt_type);
5901 		if (legacy_evt_type != LE_ADV_INVALID) {
5902 			process_adv_report(hdev, legacy_evt_type, &ev->bdaddr,
5903 					   ev->bdaddr_type, NULL, 0, ev->rssi,
5904 					   ev->data, ev->length,
5905 					   !(evt_type & LE_EXT_ADV_LEGACY_PDU));
5906 		}
5907 
5908 		ptr += sizeof(*ev) + ev->length;
5909 	}
5910 
5911 	hci_dev_unlock(hdev);
5912 }
5913 
5914 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev,
5915 					    struct sk_buff *skb)
5916 {
5917 	struct hci_ev_le_remote_feat_complete *ev = (void *)skb->data;
5918 	struct hci_conn *conn;
5919 
5920 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5921 
5922 	hci_dev_lock(hdev);
5923 
5924 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5925 	if (conn) {
5926 		if (!ev->status)
5927 			memcpy(conn->features[0], ev->features, 8);
5928 
5929 		if (conn->state == BT_CONFIG) {
5930 			__u8 status;
5931 
5932 			/* If the local controller supports peripheral-initiated
5933 			 * features exchange, but the remote controller does
5934 			 * not, then it is possible that the error code 0x1a
5935 			 * for unsupported remote feature gets returned.
5936 			 *
5937 			 * In this specific case, allow the connection to
5938 			 * transition into connected state and mark it as
5939 			 * successful.
5940 			 */
5941 			if (!conn->out && ev->status == 0x1a &&
5942 			    (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES))
5943 				status = 0x00;
5944 			else
5945 				status = ev->status;
5946 
5947 			conn->state = BT_CONNECTED;
5948 			hci_connect_cfm(conn, status);
5949 			hci_conn_drop(conn);
5950 		}
5951 	}
5952 
5953 	hci_dev_unlock(hdev);
5954 }
5955 
5956 static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
5957 {
5958 	struct hci_ev_le_ltk_req *ev = (void *) skb->data;
5959 	struct hci_cp_le_ltk_reply cp;
5960 	struct hci_cp_le_ltk_neg_reply neg;
5961 	struct hci_conn *conn;
5962 	struct smp_ltk *ltk;
5963 
5964 	BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle));
5965 
5966 	hci_dev_lock(hdev);
5967 
5968 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5969 	if (conn == NULL)
5970 		goto not_found;
5971 
5972 	ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
5973 	if (!ltk)
5974 		goto not_found;
5975 
5976 	if (smp_ltk_is_sc(ltk)) {
5977 		/* With SC both EDiv and Rand are set to zero */
5978 		if (ev->ediv || ev->rand)
5979 			goto not_found;
5980 	} else {
5981 		/* For non-SC keys check that EDiv and Rand match */
5982 		if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
5983 			goto not_found;
5984 	}
5985 
5986 	memcpy(cp.ltk, ltk->val, ltk->enc_size);
5987 	memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
5988 	cp.handle = cpu_to_le16(conn->handle);
5989 
5990 	conn->pending_sec_level = smp_ltk_sec_level(ltk);
5991 
5992 	conn->enc_key_size = ltk->enc_size;
5993 
5994 	hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
5995 
5996 	/* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
5997 	 * temporary key used to encrypt a connection following
5998 	 * pairing. It is used during the Encrypted Session Setup to
5999 	 * distribute the keys. Later, security can be re-established
6000 	 * using a distributed LTK.
6001 	 */
6002 	if (ltk->type == SMP_STK) {
6003 		set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
6004 		list_del_rcu(&ltk->list);
6005 		kfree_rcu(ltk, rcu);
6006 	} else {
6007 		clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
6008 	}
6009 
6010 	hci_dev_unlock(hdev);
6011 
6012 	return;
6013 
6014 not_found:
6015 	neg.handle = ev->handle;
6016 	hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
6017 	hci_dev_unlock(hdev);
6018 }
6019 
6020 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
6021 				      u8 reason)
6022 {
6023 	struct hci_cp_le_conn_param_req_neg_reply cp;
6024 
6025 	cp.handle = cpu_to_le16(handle);
6026 	cp.reason = reason;
6027 
6028 	hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
6029 		     &cp);
6030 }
6031 
6032 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev,
6033 					     struct sk_buff *skb)
6034 {
6035 	struct hci_ev_le_remote_conn_param_req *ev = (void *) skb->data;
6036 	struct hci_cp_le_conn_param_req_reply cp;
6037 	struct hci_conn *hcon;
6038 	u16 handle, min, max, latency, timeout;
6039 
6040 	handle = le16_to_cpu(ev->handle);
6041 	min = le16_to_cpu(ev->interval_min);
6042 	max = le16_to_cpu(ev->interval_max);
6043 	latency = le16_to_cpu(ev->latency);
6044 	timeout = le16_to_cpu(ev->timeout);
6045 
6046 	hcon = hci_conn_hash_lookup_handle(hdev, handle);
6047 	if (!hcon || hcon->state != BT_CONNECTED)
6048 		return send_conn_param_neg_reply(hdev, handle,
6049 						 HCI_ERROR_UNKNOWN_CONN_ID);
6050 
6051 	if (hci_check_conn_params(min, max, latency, timeout))
6052 		return send_conn_param_neg_reply(hdev, handle,
6053 						 HCI_ERROR_INVALID_LL_PARAMS);
6054 
6055 	if (hcon->role == HCI_ROLE_MASTER) {
6056 		struct hci_conn_params *params;
6057 		u8 store_hint;
6058 
6059 		hci_dev_lock(hdev);
6060 
6061 		params = hci_conn_params_lookup(hdev, &hcon->dst,
6062 						hcon->dst_type);
6063 		if (params) {
6064 			params->conn_min_interval = min;
6065 			params->conn_max_interval = max;
6066 			params->conn_latency = latency;
6067 			params->supervision_timeout = timeout;
6068 			store_hint = 0x01;
6069 		} else {
6070 			store_hint = 0x00;
6071 		}
6072 
6073 		hci_dev_unlock(hdev);
6074 
6075 		mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
6076 				    store_hint, min, max, latency, timeout);
6077 	}
6078 
6079 	cp.handle = ev->handle;
6080 	cp.interval_min = ev->interval_min;
6081 	cp.interval_max = ev->interval_max;
6082 	cp.latency = ev->latency;
6083 	cp.timeout = ev->timeout;
6084 	cp.min_ce_len = 0;
6085 	cp.max_ce_len = 0;
6086 
6087 	hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
6088 }
6089 
6090 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev,
6091 					 struct sk_buff *skb)
6092 {
6093 	u8 num_reports = skb->data[0];
6094 	struct hci_ev_le_direct_adv_info *ev = (void *)&skb->data[1];
6095 
6096 	if (!num_reports || skb->len < num_reports * sizeof(*ev) + 1)
6097 		return;
6098 
6099 	hci_dev_lock(hdev);
6100 
6101 	for (; num_reports; num_reports--, ev++)
6102 		process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
6103 				   ev->bdaddr_type, &ev->direct_addr,
6104 				   ev->direct_addr_type, ev->rssi, NULL, 0,
6105 				   false);
6106 
6107 	hci_dev_unlock(hdev);
6108 }
6109 
6110 static void hci_le_phy_update_evt(struct hci_dev *hdev, struct sk_buff *skb)
6111 {
6112 	struct hci_ev_le_phy_update_complete *ev = (void *) skb->data;
6113 	struct hci_conn *conn;
6114 
6115 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
6116 
6117 	if (ev->status)
6118 		return;
6119 
6120 	hci_dev_lock(hdev);
6121 
6122 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6123 	if (!conn)
6124 		goto unlock;
6125 
6126 	conn->le_tx_phy = ev->tx_phy;
6127 	conn->le_rx_phy = ev->rx_phy;
6128 
6129 unlock:
6130 	hci_dev_unlock(hdev);
6131 }
6132 
6133 static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
6134 {
6135 	struct hci_ev_le_meta *le_ev = (void *) skb->data;
6136 
6137 	skb_pull(skb, sizeof(*le_ev));
6138 
6139 	switch (le_ev->subevent) {
6140 	case HCI_EV_LE_CONN_COMPLETE:
6141 		hci_le_conn_complete_evt(hdev, skb);
6142 		break;
6143 
6144 	case HCI_EV_LE_CONN_UPDATE_COMPLETE:
6145 		hci_le_conn_update_complete_evt(hdev, skb);
6146 		break;
6147 
6148 	case HCI_EV_LE_ADVERTISING_REPORT:
6149 		hci_le_adv_report_evt(hdev, skb);
6150 		break;
6151 
6152 	case HCI_EV_LE_REMOTE_FEAT_COMPLETE:
6153 		hci_le_remote_feat_complete_evt(hdev, skb);
6154 		break;
6155 
6156 	case HCI_EV_LE_LTK_REQ:
6157 		hci_le_ltk_request_evt(hdev, skb);
6158 		break;
6159 
6160 	case HCI_EV_LE_REMOTE_CONN_PARAM_REQ:
6161 		hci_le_remote_conn_param_req_evt(hdev, skb);
6162 		break;
6163 
6164 	case HCI_EV_LE_DIRECT_ADV_REPORT:
6165 		hci_le_direct_adv_report_evt(hdev, skb);
6166 		break;
6167 
6168 	case HCI_EV_LE_PHY_UPDATE_COMPLETE:
6169 		hci_le_phy_update_evt(hdev, skb);
6170 		break;
6171 
6172 	case HCI_EV_LE_EXT_ADV_REPORT:
6173 		hci_le_ext_adv_report_evt(hdev, skb);
6174 		break;
6175 
6176 	case HCI_EV_LE_ENHANCED_CONN_COMPLETE:
6177 		hci_le_enh_conn_complete_evt(hdev, skb);
6178 		break;
6179 
6180 	case HCI_EV_LE_EXT_ADV_SET_TERM:
6181 		hci_le_ext_adv_term_evt(hdev, skb);
6182 		break;
6183 
6184 	default:
6185 		break;
6186 	}
6187 }
6188 
6189 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
6190 				 u8 event, struct sk_buff *skb)
6191 {
6192 	struct hci_ev_cmd_complete *ev;
6193 	struct hci_event_hdr *hdr;
6194 
6195 	if (!skb)
6196 		return false;
6197 
6198 	if (skb->len < sizeof(*hdr)) {
6199 		bt_dev_err(hdev, "too short HCI event");
6200 		return false;
6201 	}
6202 
6203 	hdr = (void *) skb->data;
6204 	skb_pull(skb, HCI_EVENT_HDR_SIZE);
6205 
6206 	if (event) {
6207 		if (hdr->evt != event)
6208 			return false;
6209 		return true;
6210 	}
6211 
6212 	/* Check if request ended in Command Status - no way to retrieve
6213 	 * any extra parameters in this case.
6214 	 */
6215 	if (hdr->evt == HCI_EV_CMD_STATUS)
6216 		return false;
6217 
6218 	if (hdr->evt != HCI_EV_CMD_COMPLETE) {
6219 		bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)",
6220 			   hdr->evt);
6221 		return false;
6222 	}
6223 
6224 	if (skb->len < sizeof(*ev)) {
6225 		bt_dev_err(hdev, "too short cmd_complete event");
6226 		return false;
6227 	}
6228 
6229 	ev = (void *) skb->data;
6230 	skb_pull(skb, sizeof(*ev));
6231 
6232 	if (opcode != __le16_to_cpu(ev->opcode)) {
6233 		BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
6234 		       __le16_to_cpu(ev->opcode));
6235 		return false;
6236 	}
6237 
6238 	return true;
6239 }
6240 
6241 static void hci_store_wake_reason(struct hci_dev *hdev, u8 event,
6242 				  struct sk_buff *skb)
6243 {
6244 	struct hci_ev_le_advertising_info *adv;
6245 	struct hci_ev_le_direct_adv_info *direct_adv;
6246 	struct hci_ev_le_ext_adv_report *ext_adv;
6247 	const struct hci_ev_conn_complete *conn_complete = (void *)skb->data;
6248 	const struct hci_ev_conn_request *conn_request = (void *)skb->data;
6249 
6250 	hci_dev_lock(hdev);
6251 
6252 	/* If we are currently suspended and this is the first BT event seen,
6253 	 * save the wake reason associated with the event.
6254 	 */
6255 	if (!hdev->suspended || hdev->wake_reason)
6256 		goto unlock;
6257 
6258 	/* Default to remote wake. Values for wake_reason are documented in the
6259 	 * Bluez mgmt api docs.
6260 	 */
6261 	hdev->wake_reason = MGMT_WAKE_REASON_REMOTE_WAKE;
6262 
6263 	/* Once configured for remote wakeup, we should only wake up for
6264 	 * reconnections. It's useful to see which device is waking us up so
6265 	 * keep track of the bdaddr of the connection event that woke us up.
6266 	 */
6267 	if (event == HCI_EV_CONN_REQUEST) {
6268 		bacpy(&hdev->wake_addr, &conn_complete->bdaddr);
6269 		hdev->wake_addr_type = BDADDR_BREDR;
6270 	} else if (event == HCI_EV_CONN_COMPLETE) {
6271 		bacpy(&hdev->wake_addr, &conn_request->bdaddr);
6272 		hdev->wake_addr_type = BDADDR_BREDR;
6273 	} else if (event == HCI_EV_LE_META) {
6274 		struct hci_ev_le_meta *le_ev = (void *)skb->data;
6275 		u8 subevent = le_ev->subevent;
6276 		u8 *ptr = &skb->data[sizeof(*le_ev)];
6277 		u8 num_reports = *ptr;
6278 
6279 		if ((subevent == HCI_EV_LE_ADVERTISING_REPORT ||
6280 		     subevent == HCI_EV_LE_DIRECT_ADV_REPORT ||
6281 		     subevent == HCI_EV_LE_EXT_ADV_REPORT) &&
6282 		    num_reports) {
6283 			adv = (void *)(ptr + 1);
6284 			direct_adv = (void *)(ptr + 1);
6285 			ext_adv = (void *)(ptr + 1);
6286 
6287 			switch (subevent) {
6288 			case HCI_EV_LE_ADVERTISING_REPORT:
6289 				bacpy(&hdev->wake_addr, &adv->bdaddr);
6290 				hdev->wake_addr_type = adv->bdaddr_type;
6291 				break;
6292 			case HCI_EV_LE_DIRECT_ADV_REPORT:
6293 				bacpy(&hdev->wake_addr, &direct_adv->bdaddr);
6294 				hdev->wake_addr_type = direct_adv->bdaddr_type;
6295 				break;
6296 			case HCI_EV_LE_EXT_ADV_REPORT:
6297 				bacpy(&hdev->wake_addr, &ext_adv->bdaddr);
6298 				hdev->wake_addr_type = ext_adv->bdaddr_type;
6299 				break;
6300 			}
6301 		}
6302 	} else {
6303 		hdev->wake_reason = MGMT_WAKE_REASON_UNEXPECTED;
6304 	}
6305 
6306 unlock:
6307 	hci_dev_unlock(hdev);
6308 }
6309 
6310 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
6311 {
6312 	struct hci_event_hdr *hdr = (void *) skb->data;
6313 	hci_req_complete_t req_complete = NULL;
6314 	hci_req_complete_skb_t req_complete_skb = NULL;
6315 	struct sk_buff *orig_skb = NULL;
6316 	u8 status = 0, event = hdr->evt, req_evt = 0;
6317 	u16 opcode = HCI_OP_NOP;
6318 
6319 	if (!event) {
6320 		bt_dev_warn(hdev, "Received unexpected HCI Event 00000000");
6321 		goto done;
6322 	}
6323 
6324 	if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->hci.req_event == event) {
6325 		struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data;
6326 		opcode = __le16_to_cpu(cmd_hdr->opcode);
6327 		hci_req_cmd_complete(hdev, opcode, status, &req_complete,
6328 				     &req_complete_skb);
6329 		req_evt = event;
6330 	}
6331 
6332 	/* If it looks like we might end up having to call
6333 	 * req_complete_skb, store a pristine copy of the skb since the
6334 	 * various handlers may modify the original one through
6335 	 * skb_pull() calls, etc.
6336 	 */
6337 	if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
6338 	    event == HCI_EV_CMD_COMPLETE)
6339 		orig_skb = skb_clone(skb, GFP_KERNEL);
6340 
6341 	skb_pull(skb, HCI_EVENT_HDR_SIZE);
6342 
6343 	/* Store wake reason if we're suspended */
6344 	hci_store_wake_reason(hdev, event, skb);
6345 
6346 	switch (event) {
6347 	case HCI_EV_INQUIRY_COMPLETE:
6348 		hci_inquiry_complete_evt(hdev, skb);
6349 		break;
6350 
6351 	case HCI_EV_INQUIRY_RESULT:
6352 		hci_inquiry_result_evt(hdev, skb);
6353 		break;
6354 
6355 	case HCI_EV_CONN_COMPLETE:
6356 		hci_conn_complete_evt(hdev, skb);
6357 		break;
6358 
6359 	case HCI_EV_CONN_REQUEST:
6360 		hci_conn_request_evt(hdev, skb);
6361 		break;
6362 
6363 	case HCI_EV_DISCONN_COMPLETE:
6364 		hci_disconn_complete_evt(hdev, skb);
6365 		break;
6366 
6367 	case HCI_EV_AUTH_COMPLETE:
6368 		hci_auth_complete_evt(hdev, skb);
6369 		break;
6370 
6371 	case HCI_EV_REMOTE_NAME:
6372 		hci_remote_name_evt(hdev, skb);
6373 		break;
6374 
6375 	case HCI_EV_ENCRYPT_CHANGE:
6376 		hci_encrypt_change_evt(hdev, skb);
6377 		break;
6378 
6379 	case HCI_EV_CHANGE_LINK_KEY_COMPLETE:
6380 		hci_change_link_key_complete_evt(hdev, skb);
6381 		break;
6382 
6383 	case HCI_EV_REMOTE_FEATURES:
6384 		hci_remote_features_evt(hdev, skb);
6385 		break;
6386 
6387 	case HCI_EV_CMD_COMPLETE:
6388 		hci_cmd_complete_evt(hdev, skb, &opcode, &status,
6389 				     &req_complete, &req_complete_skb);
6390 		break;
6391 
6392 	case HCI_EV_CMD_STATUS:
6393 		hci_cmd_status_evt(hdev, skb, &opcode, &status, &req_complete,
6394 				   &req_complete_skb);
6395 		break;
6396 
6397 	case HCI_EV_HARDWARE_ERROR:
6398 		hci_hardware_error_evt(hdev, skb);
6399 		break;
6400 
6401 	case HCI_EV_ROLE_CHANGE:
6402 		hci_role_change_evt(hdev, skb);
6403 		break;
6404 
6405 	case HCI_EV_NUM_COMP_PKTS:
6406 		hci_num_comp_pkts_evt(hdev, skb);
6407 		break;
6408 
6409 	case HCI_EV_MODE_CHANGE:
6410 		hci_mode_change_evt(hdev, skb);
6411 		break;
6412 
6413 	case HCI_EV_PIN_CODE_REQ:
6414 		hci_pin_code_request_evt(hdev, skb);
6415 		break;
6416 
6417 	case HCI_EV_LINK_KEY_REQ:
6418 		hci_link_key_request_evt(hdev, skb);
6419 		break;
6420 
6421 	case HCI_EV_LINK_KEY_NOTIFY:
6422 		hci_link_key_notify_evt(hdev, skb);
6423 		break;
6424 
6425 	case HCI_EV_CLOCK_OFFSET:
6426 		hci_clock_offset_evt(hdev, skb);
6427 		break;
6428 
6429 	case HCI_EV_PKT_TYPE_CHANGE:
6430 		hci_pkt_type_change_evt(hdev, skb);
6431 		break;
6432 
6433 	case HCI_EV_PSCAN_REP_MODE:
6434 		hci_pscan_rep_mode_evt(hdev, skb);
6435 		break;
6436 
6437 	case HCI_EV_INQUIRY_RESULT_WITH_RSSI:
6438 		hci_inquiry_result_with_rssi_evt(hdev, skb);
6439 		break;
6440 
6441 	case HCI_EV_REMOTE_EXT_FEATURES:
6442 		hci_remote_ext_features_evt(hdev, skb);
6443 		break;
6444 
6445 	case HCI_EV_SYNC_CONN_COMPLETE:
6446 		hci_sync_conn_complete_evt(hdev, skb);
6447 		break;
6448 
6449 	case HCI_EV_EXTENDED_INQUIRY_RESULT:
6450 		hci_extended_inquiry_result_evt(hdev, skb);
6451 		break;
6452 
6453 	case HCI_EV_KEY_REFRESH_COMPLETE:
6454 		hci_key_refresh_complete_evt(hdev, skb);
6455 		break;
6456 
6457 	case HCI_EV_IO_CAPA_REQUEST:
6458 		hci_io_capa_request_evt(hdev, skb);
6459 		break;
6460 
6461 	case HCI_EV_IO_CAPA_REPLY:
6462 		hci_io_capa_reply_evt(hdev, skb);
6463 		break;
6464 
6465 	case HCI_EV_USER_CONFIRM_REQUEST:
6466 		hci_user_confirm_request_evt(hdev, skb);
6467 		break;
6468 
6469 	case HCI_EV_USER_PASSKEY_REQUEST:
6470 		hci_user_passkey_request_evt(hdev, skb);
6471 		break;
6472 
6473 	case HCI_EV_USER_PASSKEY_NOTIFY:
6474 		hci_user_passkey_notify_evt(hdev, skb);
6475 		break;
6476 
6477 	case HCI_EV_KEYPRESS_NOTIFY:
6478 		hci_keypress_notify_evt(hdev, skb);
6479 		break;
6480 
6481 	case HCI_EV_SIMPLE_PAIR_COMPLETE:
6482 		hci_simple_pair_complete_evt(hdev, skb);
6483 		break;
6484 
6485 	case HCI_EV_REMOTE_HOST_FEATURES:
6486 		hci_remote_host_features_evt(hdev, skb);
6487 		break;
6488 
6489 	case HCI_EV_LE_META:
6490 		hci_le_meta_evt(hdev, skb);
6491 		break;
6492 
6493 	case HCI_EV_REMOTE_OOB_DATA_REQUEST:
6494 		hci_remote_oob_data_request_evt(hdev, skb);
6495 		break;
6496 
6497 #if IS_ENABLED(CONFIG_BT_HS)
6498 	case HCI_EV_CHANNEL_SELECTED:
6499 		hci_chan_selected_evt(hdev, skb);
6500 		break;
6501 
6502 	case HCI_EV_PHY_LINK_COMPLETE:
6503 		hci_phy_link_complete_evt(hdev, skb);
6504 		break;
6505 
6506 	case HCI_EV_LOGICAL_LINK_COMPLETE:
6507 		hci_loglink_complete_evt(hdev, skb);
6508 		break;
6509 
6510 	case HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE:
6511 		hci_disconn_loglink_complete_evt(hdev, skb);
6512 		break;
6513 
6514 	case HCI_EV_DISCONN_PHY_LINK_COMPLETE:
6515 		hci_disconn_phylink_complete_evt(hdev, skb);
6516 		break;
6517 #endif
6518 
6519 	case HCI_EV_NUM_COMP_BLOCKS:
6520 		hci_num_comp_blocks_evt(hdev, skb);
6521 		break;
6522 
6523 	case HCI_EV_VENDOR:
6524 		msft_vendor_evt(hdev, skb);
6525 		break;
6526 
6527 	default:
6528 		BT_DBG("%s event 0x%2.2x", hdev->name, event);
6529 		break;
6530 	}
6531 
6532 	if (req_complete) {
6533 		req_complete(hdev, status, opcode);
6534 	} else if (req_complete_skb) {
6535 		if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {
6536 			kfree_skb(orig_skb);
6537 			orig_skb = NULL;
6538 		}
6539 		req_complete_skb(hdev, status, opcode, orig_skb);
6540 	}
6541 
6542 done:
6543 	kfree_skb(orig_skb);
6544 	kfree_skb(skb);
6545 	hdev->stat.evt_rx++;
6546 }
6547