xref: /openbmc/linux/net/bluetooth/hci_event.c (revision 799a545b)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
4 
5    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6 
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License version 2 as
9    published by the Free Software Foundation;
10 
11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 
20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22    SOFTWARE IS DISCLAIMED.
23 */
24 
25 /* Bluetooth HCI event handling. */
26 
27 #include <asm/unaligned.h>
28 
29 #include <net/bluetooth/bluetooth.h>
30 #include <net/bluetooth/hci_core.h>
31 #include <net/bluetooth/mgmt.h>
32 
33 #include "hci_request.h"
34 #include "hci_debugfs.h"
35 #include "a2mp.h"
36 #include "amp.h"
37 #include "smp.h"
38 
39 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
40 		 "\x00\x00\x00\x00\x00\x00\x00\x00"
41 
42 /* Handle HCI Event packets */
43 
44 static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb)
45 {
46 	__u8 status = *((__u8 *) skb->data);
47 
48 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
49 
50 	if (status)
51 		return;
52 
53 	clear_bit(HCI_INQUIRY, &hdev->flags);
54 	smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
55 	wake_up_bit(&hdev->flags, HCI_INQUIRY);
56 
57 	hci_dev_lock(hdev);
58 	/* Set discovery state to stopped if we're not doing LE active
59 	 * scanning.
60 	 */
61 	if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
62 	    hdev->le_scan_type != LE_SCAN_ACTIVE)
63 		hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
64 	hci_dev_unlock(hdev);
65 
66 	hci_conn_check_pending(hdev);
67 }
68 
69 static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
70 {
71 	__u8 status = *((__u8 *) skb->data);
72 
73 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
74 
75 	if (status)
76 		return;
77 
78 	hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);
79 }
80 
81 static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
82 {
83 	__u8 status = *((__u8 *) skb->data);
84 
85 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
86 
87 	if (status)
88 		return;
89 
90 	hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);
91 
92 	hci_conn_check_pending(hdev);
93 }
94 
95 static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev,
96 					  struct sk_buff *skb)
97 {
98 	BT_DBG("%s", hdev->name);
99 }
100 
101 static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb)
102 {
103 	struct hci_rp_role_discovery *rp = (void *) skb->data;
104 	struct hci_conn *conn;
105 
106 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
107 
108 	if (rp->status)
109 		return;
110 
111 	hci_dev_lock(hdev);
112 
113 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
114 	if (conn)
115 		conn->role = rp->role;
116 
117 	hci_dev_unlock(hdev);
118 }
119 
120 static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
121 {
122 	struct hci_rp_read_link_policy *rp = (void *) skb->data;
123 	struct hci_conn *conn;
124 
125 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
126 
127 	if (rp->status)
128 		return;
129 
130 	hci_dev_lock(hdev);
131 
132 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
133 	if (conn)
134 		conn->link_policy = __le16_to_cpu(rp->policy);
135 
136 	hci_dev_unlock(hdev);
137 }
138 
139 static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
140 {
141 	struct hci_rp_write_link_policy *rp = (void *) skb->data;
142 	struct hci_conn *conn;
143 	void *sent;
144 
145 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
146 
147 	if (rp->status)
148 		return;
149 
150 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
151 	if (!sent)
152 		return;
153 
154 	hci_dev_lock(hdev);
155 
156 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
157 	if (conn)
158 		conn->link_policy = get_unaligned_le16(sent + 2);
159 
160 	hci_dev_unlock(hdev);
161 }
162 
163 static void hci_cc_read_def_link_policy(struct hci_dev *hdev,
164 					struct sk_buff *skb)
165 {
166 	struct hci_rp_read_def_link_policy *rp = (void *) skb->data;
167 
168 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
169 
170 	if (rp->status)
171 		return;
172 
173 	hdev->link_policy = __le16_to_cpu(rp->policy);
174 }
175 
176 static void hci_cc_write_def_link_policy(struct hci_dev *hdev,
177 					 struct sk_buff *skb)
178 {
179 	__u8 status = *((__u8 *) skb->data);
180 	void *sent;
181 
182 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
183 
184 	if (status)
185 		return;
186 
187 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
188 	if (!sent)
189 		return;
190 
191 	hdev->link_policy = get_unaligned_le16(sent);
192 }
193 
194 static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb)
195 {
196 	__u8 status = *((__u8 *) skb->data);
197 
198 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
199 
200 	clear_bit(HCI_RESET, &hdev->flags);
201 
202 	if (status)
203 		return;
204 
205 	/* Reset all non-persistent flags */
206 	hci_dev_clear_volatile_flags(hdev);
207 
208 	hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
209 
210 	hdev->inq_tx_power = HCI_TX_POWER_INVALID;
211 	hdev->adv_tx_power = HCI_TX_POWER_INVALID;
212 
213 	memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
214 	hdev->adv_data_len = 0;
215 
216 	memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
217 	hdev->scan_rsp_data_len = 0;
218 
219 	hdev->le_scan_type = LE_SCAN_PASSIVE;
220 
221 	hdev->ssp_debug_mode = 0;
222 
223 	hci_bdaddr_list_clear(&hdev->le_white_list);
224 }
225 
226 static void hci_cc_read_stored_link_key(struct hci_dev *hdev,
227 					struct sk_buff *skb)
228 {
229 	struct hci_rp_read_stored_link_key *rp = (void *)skb->data;
230 	struct hci_cp_read_stored_link_key *sent;
231 
232 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
233 
234 	sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
235 	if (!sent)
236 		return;
237 
238 	if (!rp->status && sent->read_all == 0x01) {
239 		hdev->stored_max_keys = rp->max_keys;
240 		hdev->stored_num_keys = rp->num_keys;
241 	}
242 }
243 
244 static void hci_cc_delete_stored_link_key(struct hci_dev *hdev,
245 					  struct sk_buff *skb)
246 {
247 	struct hci_rp_delete_stored_link_key *rp = (void *)skb->data;
248 
249 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
250 
251 	if (rp->status)
252 		return;
253 
254 	if (rp->num_keys <= hdev->stored_num_keys)
255 		hdev->stored_num_keys -= rp->num_keys;
256 	else
257 		hdev->stored_num_keys = 0;
258 }
259 
260 static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb)
261 {
262 	__u8 status = *((__u8 *) skb->data);
263 	void *sent;
264 
265 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
266 
267 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
268 	if (!sent)
269 		return;
270 
271 	hci_dev_lock(hdev);
272 
273 	if (hci_dev_test_flag(hdev, HCI_MGMT))
274 		mgmt_set_local_name_complete(hdev, sent, status);
275 	else if (!status)
276 		memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
277 
278 	hci_dev_unlock(hdev);
279 }
280 
281 static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)
282 {
283 	struct hci_rp_read_local_name *rp = (void *) skb->data;
284 
285 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
286 
287 	if (rp->status)
288 		return;
289 
290 	if (hci_dev_test_flag(hdev, HCI_SETUP) ||
291 	    hci_dev_test_flag(hdev, HCI_CONFIG))
292 		memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
293 }
294 
295 static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb)
296 {
297 	__u8 status = *((__u8 *) skb->data);
298 	void *sent;
299 
300 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
301 
302 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
303 	if (!sent)
304 		return;
305 
306 	hci_dev_lock(hdev);
307 
308 	if (!status) {
309 		__u8 param = *((__u8 *) sent);
310 
311 		if (param == AUTH_ENABLED)
312 			set_bit(HCI_AUTH, &hdev->flags);
313 		else
314 			clear_bit(HCI_AUTH, &hdev->flags);
315 	}
316 
317 	if (hci_dev_test_flag(hdev, HCI_MGMT))
318 		mgmt_auth_enable_complete(hdev, status);
319 
320 	hci_dev_unlock(hdev);
321 }
322 
323 static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb)
324 {
325 	__u8 status = *((__u8 *) skb->data);
326 	__u8 param;
327 	void *sent;
328 
329 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
330 
331 	if (status)
332 		return;
333 
334 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
335 	if (!sent)
336 		return;
337 
338 	param = *((__u8 *) sent);
339 
340 	if (param)
341 		set_bit(HCI_ENCRYPT, &hdev->flags);
342 	else
343 		clear_bit(HCI_ENCRYPT, &hdev->flags);
344 }
345 
346 static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb)
347 {
348 	__u8 status = *((__u8 *) skb->data);
349 	__u8 param;
350 	void *sent;
351 
352 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
353 
354 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
355 	if (!sent)
356 		return;
357 
358 	param = *((__u8 *) sent);
359 
360 	hci_dev_lock(hdev);
361 
362 	if (status) {
363 		hdev->discov_timeout = 0;
364 		goto done;
365 	}
366 
367 	if (param & SCAN_INQUIRY)
368 		set_bit(HCI_ISCAN, &hdev->flags);
369 	else
370 		clear_bit(HCI_ISCAN, &hdev->flags);
371 
372 	if (param & SCAN_PAGE)
373 		set_bit(HCI_PSCAN, &hdev->flags);
374 	else
375 		clear_bit(HCI_PSCAN, &hdev->flags);
376 
377 done:
378 	hci_dev_unlock(hdev);
379 }
380 
381 static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
382 {
383 	struct hci_rp_read_class_of_dev *rp = (void *) skb->data;
384 
385 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
386 
387 	if (rp->status)
388 		return;
389 
390 	memcpy(hdev->dev_class, rp->dev_class, 3);
391 
392 	BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name,
393 	       hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]);
394 }
395 
396 static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
397 {
398 	__u8 status = *((__u8 *) skb->data);
399 	void *sent;
400 
401 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
402 
403 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
404 	if (!sent)
405 		return;
406 
407 	hci_dev_lock(hdev);
408 
409 	if (status == 0)
410 		memcpy(hdev->dev_class, sent, 3);
411 
412 	if (hci_dev_test_flag(hdev, HCI_MGMT))
413 		mgmt_set_class_of_dev_complete(hdev, sent, status);
414 
415 	hci_dev_unlock(hdev);
416 }
417 
418 static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb)
419 {
420 	struct hci_rp_read_voice_setting *rp = (void *) skb->data;
421 	__u16 setting;
422 
423 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
424 
425 	if (rp->status)
426 		return;
427 
428 	setting = __le16_to_cpu(rp->voice_setting);
429 
430 	if (hdev->voice_setting == setting)
431 		return;
432 
433 	hdev->voice_setting = setting;
434 
435 	BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
436 
437 	if (hdev->notify)
438 		hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
439 }
440 
441 static void hci_cc_write_voice_setting(struct hci_dev *hdev,
442 				       struct sk_buff *skb)
443 {
444 	__u8 status = *((__u8 *) skb->data);
445 	__u16 setting;
446 	void *sent;
447 
448 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
449 
450 	if (status)
451 		return;
452 
453 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
454 	if (!sent)
455 		return;
456 
457 	setting = get_unaligned_le16(sent);
458 
459 	if (hdev->voice_setting == setting)
460 		return;
461 
462 	hdev->voice_setting = setting;
463 
464 	BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
465 
466 	if (hdev->notify)
467 		hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
468 }
469 
470 static void hci_cc_read_num_supported_iac(struct hci_dev *hdev,
471 					  struct sk_buff *skb)
472 {
473 	struct hci_rp_read_num_supported_iac *rp = (void *) skb->data;
474 
475 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
476 
477 	if (rp->status)
478 		return;
479 
480 	hdev->num_iac = rp->num_iac;
481 
482 	BT_DBG("%s num iac %d", hdev->name, hdev->num_iac);
483 }
484 
485 static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
486 {
487 	__u8 status = *((__u8 *) skb->data);
488 	struct hci_cp_write_ssp_mode *sent;
489 
490 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
491 
492 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
493 	if (!sent)
494 		return;
495 
496 	hci_dev_lock(hdev);
497 
498 	if (!status) {
499 		if (sent->mode)
500 			hdev->features[1][0] |= LMP_HOST_SSP;
501 		else
502 			hdev->features[1][0] &= ~LMP_HOST_SSP;
503 	}
504 
505 	if (hci_dev_test_flag(hdev, HCI_MGMT))
506 		mgmt_ssp_enable_complete(hdev, sent->mode, status);
507 	else if (!status) {
508 		if (sent->mode)
509 			hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
510 		else
511 			hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
512 	}
513 
514 	hci_dev_unlock(hdev);
515 }
516 
517 static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb)
518 {
519 	u8 status = *((u8 *) skb->data);
520 	struct hci_cp_write_sc_support *sent;
521 
522 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
523 
524 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
525 	if (!sent)
526 		return;
527 
528 	hci_dev_lock(hdev);
529 
530 	if (!status) {
531 		if (sent->support)
532 			hdev->features[1][0] |= LMP_HOST_SC;
533 		else
534 			hdev->features[1][0] &= ~LMP_HOST_SC;
535 	}
536 
537 	if (!hci_dev_test_flag(hdev, HCI_MGMT) && !status) {
538 		if (sent->support)
539 			hci_dev_set_flag(hdev, HCI_SC_ENABLED);
540 		else
541 			hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
542 	}
543 
544 	hci_dev_unlock(hdev);
545 }
546 
547 static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb)
548 {
549 	struct hci_rp_read_local_version *rp = (void *) skb->data;
550 
551 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
552 
553 	if (rp->status)
554 		return;
555 
556 	if (hci_dev_test_flag(hdev, HCI_SETUP) ||
557 	    hci_dev_test_flag(hdev, HCI_CONFIG)) {
558 		hdev->hci_ver = rp->hci_ver;
559 		hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
560 		hdev->lmp_ver = rp->lmp_ver;
561 		hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
562 		hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
563 	}
564 }
565 
566 static void hci_cc_read_local_commands(struct hci_dev *hdev,
567 				       struct sk_buff *skb)
568 {
569 	struct hci_rp_read_local_commands *rp = (void *) skb->data;
570 
571 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
572 
573 	if (rp->status)
574 		return;
575 
576 	if (hci_dev_test_flag(hdev, HCI_SETUP) ||
577 	    hci_dev_test_flag(hdev, HCI_CONFIG))
578 		memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
579 }
580 
581 static void hci_cc_read_local_features(struct hci_dev *hdev,
582 				       struct sk_buff *skb)
583 {
584 	struct hci_rp_read_local_features *rp = (void *) skb->data;
585 
586 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
587 
588 	if (rp->status)
589 		return;
590 
591 	memcpy(hdev->features, rp->features, 8);
592 
593 	/* Adjust default settings according to features
594 	 * supported by device. */
595 
596 	if (hdev->features[0][0] & LMP_3SLOT)
597 		hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
598 
599 	if (hdev->features[0][0] & LMP_5SLOT)
600 		hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
601 
602 	if (hdev->features[0][1] & LMP_HV2) {
603 		hdev->pkt_type  |= (HCI_HV2);
604 		hdev->esco_type |= (ESCO_HV2);
605 	}
606 
607 	if (hdev->features[0][1] & LMP_HV3) {
608 		hdev->pkt_type  |= (HCI_HV3);
609 		hdev->esco_type |= (ESCO_HV3);
610 	}
611 
612 	if (lmp_esco_capable(hdev))
613 		hdev->esco_type |= (ESCO_EV3);
614 
615 	if (hdev->features[0][4] & LMP_EV4)
616 		hdev->esco_type |= (ESCO_EV4);
617 
618 	if (hdev->features[0][4] & LMP_EV5)
619 		hdev->esco_type |= (ESCO_EV5);
620 
621 	if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
622 		hdev->esco_type |= (ESCO_2EV3);
623 
624 	if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
625 		hdev->esco_type |= (ESCO_3EV3);
626 
627 	if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
628 		hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
629 }
630 
631 static void hci_cc_read_local_ext_features(struct hci_dev *hdev,
632 					   struct sk_buff *skb)
633 {
634 	struct hci_rp_read_local_ext_features *rp = (void *) skb->data;
635 
636 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
637 
638 	if (rp->status)
639 		return;
640 
641 	if (hdev->max_page < rp->max_page)
642 		hdev->max_page = rp->max_page;
643 
644 	if (rp->page < HCI_MAX_PAGES)
645 		memcpy(hdev->features[rp->page], rp->features, 8);
646 }
647 
648 static void hci_cc_read_flow_control_mode(struct hci_dev *hdev,
649 					  struct sk_buff *skb)
650 {
651 	struct hci_rp_read_flow_control_mode *rp = (void *) skb->data;
652 
653 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
654 
655 	if (rp->status)
656 		return;
657 
658 	hdev->flow_ctl_mode = rp->mode;
659 }
660 
661 static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)
662 {
663 	struct hci_rp_read_buffer_size *rp = (void *) skb->data;
664 
665 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
666 
667 	if (rp->status)
668 		return;
669 
670 	hdev->acl_mtu  = __le16_to_cpu(rp->acl_mtu);
671 	hdev->sco_mtu  = rp->sco_mtu;
672 	hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
673 	hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
674 
675 	if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
676 		hdev->sco_mtu  = 64;
677 		hdev->sco_pkts = 8;
678 	}
679 
680 	hdev->acl_cnt = hdev->acl_pkts;
681 	hdev->sco_cnt = hdev->sco_pkts;
682 
683 	BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
684 	       hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
685 }
686 
687 static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb)
688 {
689 	struct hci_rp_read_bd_addr *rp = (void *) skb->data;
690 
691 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
692 
693 	if (rp->status)
694 		return;
695 
696 	if (test_bit(HCI_INIT, &hdev->flags))
697 		bacpy(&hdev->bdaddr, &rp->bdaddr);
698 
699 	if (hci_dev_test_flag(hdev, HCI_SETUP))
700 		bacpy(&hdev->setup_addr, &rp->bdaddr);
701 }
702 
703 static void hci_cc_read_page_scan_activity(struct hci_dev *hdev,
704 					   struct sk_buff *skb)
705 {
706 	struct hci_rp_read_page_scan_activity *rp = (void *) skb->data;
707 
708 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
709 
710 	if (rp->status)
711 		return;
712 
713 	if (test_bit(HCI_INIT, &hdev->flags)) {
714 		hdev->page_scan_interval = __le16_to_cpu(rp->interval);
715 		hdev->page_scan_window = __le16_to_cpu(rp->window);
716 	}
717 }
718 
719 static void hci_cc_write_page_scan_activity(struct hci_dev *hdev,
720 					    struct sk_buff *skb)
721 {
722 	u8 status = *((u8 *) skb->data);
723 	struct hci_cp_write_page_scan_activity *sent;
724 
725 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
726 
727 	if (status)
728 		return;
729 
730 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
731 	if (!sent)
732 		return;
733 
734 	hdev->page_scan_interval = __le16_to_cpu(sent->interval);
735 	hdev->page_scan_window = __le16_to_cpu(sent->window);
736 }
737 
738 static void hci_cc_read_page_scan_type(struct hci_dev *hdev,
739 					   struct sk_buff *skb)
740 {
741 	struct hci_rp_read_page_scan_type *rp = (void *) skb->data;
742 
743 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
744 
745 	if (rp->status)
746 		return;
747 
748 	if (test_bit(HCI_INIT, &hdev->flags))
749 		hdev->page_scan_type = rp->type;
750 }
751 
752 static void hci_cc_write_page_scan_type(struct hci_dev *hdev,
753 					struct sk_buff *skb)
754 {
755 	u8 status = *((u8 *) skb->data);
756 	u8 *type;
757 
758 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
759 
760 	if (status)
761 		return;
762 
763 	type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
764 	if (type)
765 		hdev->page_scan_type = *type;
766 }
767 
768 static void hci_cc_read_data_block_size(struct hci_dev *hdev,
769 					struct sk_buff *skb)
770 {
771 	struct hci_rp_read_data_block_size *rp = (void *) skb->data;
772 
773 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
774 
775 	if (rp->status)
776 		return;
777 
778 	hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
779 	hdev->block_len = __le16_to_cpu(rp->block_len);
780 	hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
781 
782 	hdev->block_cnt = hdev->num_blocks;
783 
784 	BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
785 	       hdev->block_cnt, hdev->block_len);
786 }
787 
788 static void hci_cc_read_clock(struct hci_dev *hdev, struct sk_buff *skb)
789 {
790 	struct hci_rp_read_clock *rp = (void *) skb->data;
791 	struct hci_cp_read_clock *cp;
792 	struct hci_conn *conn;
793 
794 	BT_DBG("%s", hdev->name);
795 
796 	if (skb->len < sizeof(*rp))
797 		return;
798 
799 	if (rp->status)
800 		return;
801 
802 	hci_dev_lock(hdev);
803 
804 	cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
805 	if (!cp)
806 		goto unlock;
807 
808 	if (cp->which == 0x00) {
809 		hdev->clock = le32_to_cpu(rp->clock);
810 		goto unlock;
811 	}
812 
813 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
814 	if (conn) {
815 		conn->clock = le32_to_cpu(rp->clock);
816 		conn->clock_accuracy = le16_to_cpu(rp->accuracy);
817 	}
818 
819 unlock:
820 	hci_dev_unlock(hdev);
821 }
822 
823 static void hci_cc_read_local_amp_info(struct hci_dev *hdev,
824 				       struct sk_buff *skb)
825 {
826 	struct hci_rp_read_local_amp_info *rp = (void *) skb->data;
827 
828 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
829 
830 	if (rp->status)
831 		return;
832 
833 	hdev->amp_status = rp->amp_status;
834 	hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
835 	hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
836 	hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
837 	hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
838 	hdev->amp_type = rp->amp_type;
839 	hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
840 	hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
841 	hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
842 	hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
843 }
844 
845 static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev,
846 					 struct sk_buff *skb)
847 {
848 	struct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data;
849 
850 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
851 
852 	if (rp->status)
853 		return;
854 
855 	hdev->inq_tx_power = rp->tx_power;
856 }
857 
858 static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb)
859 {
860 	struct hci_rp_pin_code_reply *rp = (void *) skb->data;
861 	struct hci_cp_pin_code_reply *cp;
862 	struct hci_conn *conn;
863 
864 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
865 
866 	hci_dev_lock(hdev);
867 
868 	if (hci_dev_test_flag(hdev, HCI_MGMT))
869 		mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
870 
871 	if (rp->status)
872 		goto unlock;
873 
874 	cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
875 	if (!cp)
876 		goto unlock;
877 
878 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
879 	if (conn)
880 		conn->pin_length = cp->pin_len;
881 
882 unlock:
883 	hci_dev_unlock(hdev);
884 }
885 
886 static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)
887 {
888 	struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data;
889 
890 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
891 
892 	hci_dev_lock(hdev);
893 
894 	if (hci_dev_test_flag(hdev, HCI_MGMT))
895 		mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
896 						 rp->status);
897 
898 	hci_dev_unlock(hdev);
899 }
900 
901 static void hci_cc_le_read_buffer_size(struct hci_dev *hdev,
902 				       struct sk_buff *skb)
903 {
904 	struct hci_rp_le_read_buffer_size *rp = (void *) skb->data;
905 
906 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
907 
908 	if (rp->status)
909 		return;
910 
911 	hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
912 	hdev->le_pkts = rp->le_max_pkt;
913 
914 	hdev->le_cnt = hdev->le_pkts;
915 
916 	BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
917 }
918 
919 static void hci_cc_le_read_local_features(struct hci_dev *hdev,
920 					  struct sk_buff *skb)
921 {
922 	struct hci_rp_le_read_local_features *rp = (void *) skb->data;
923 
924 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
925 
926 	if (rp->status)
927 		return;
928 
929 	memcpy(hdev->le_features, rp->features, 8);
930 }
931 
932 static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev,
933 					struct sk_buff *skb)
934 {
935 	struct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data;
936 
937 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
938 
939 	if (rp->status)
940 		return;
941 
942 	hdev->adv_tx_power = rp->tx_power;
943 }
944 
945 static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb)
946 {
947 	struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
948 
949 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
950 
951 	hci_dev_lock(hdev);
952 
953 	if (hci_dev_test_flag(hdev, HCI_MGMT))
954 		mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
955 						 rp->status);
956 
957 	hci_dev_unlock(hdev);
958 }
959 
960 static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev,
961 					  struct sk_buff *skb)
962 {
963 	struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
964 
965 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
966 
967 	hci_dev_lock(hdev);
968 
969 	if (hci_dev_test_flag(hdev, HCI_MGMT))
970 		mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
971 						     ACL_LINK, 0, rp->status);
972 
973 	hci_dev_unlock(hdev);
974 }
975 
976 static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb)
977 {
978 	struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
979 
980 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
981 
982 	hci_dev_lock(hdev);
983 
984 	if (hci_dev_test_flag(hdev, HCI_MGMT))
985 		mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
986 						 0, rp->status);
987 
988 	hci_dev_unlock(hdev);
989 }
990 
991 static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev,
992 					  struct sk_buff *skb)
993 {
994 	struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
995 
996 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
997 
998 	hci_dev_lock(hdev);
999 
1000 	if (hci_dev_test_flag(hdev, HCI_MGMT))
1001 		mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
1002 						     ACL_LINK, 0, rp->status);
1003 
1004 	hci_dev_unlock(hdev);
1005 }
1006 
1007 static void hci_cc_read_local_oob_data(struct hci_dev *hdev,
1008 				       struct sk_buff *skb)
1009 {
1010 	struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
1011 
1012 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1013 }
1014 
1015 static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev,
1016 					   struct sk_buff *skb)
1017 {
1018 	struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
1019 
1020 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1021 }
1022 
1023 static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb)
1024 {
1025 	__u8 status = *((__u8 *) skb->data);
1026 	bdaddr_t *sent;
1027 
1028 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1029 
1030 	if (status)
1031 		return;
1032 
1033 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1034 	if (!sent)
1035 		return;
1036 
1037 	hci_dev_lock(hdev);
1038 
1039 	bacpy(&hdev->random_addr, sent);
1040 
1041 	hci_dev_unlock(hdev);
1042 }
1043 
1044 static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb)
1045 {
1046 	__u8 *sent, status = *((__u8 *) skb->data);
1047 
1048 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1049 
1050 	if (status)
1051 		return;
1052 
1053 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1054 	if (!sent)
1055 		return;
1056 
1057 	hci_dev_lock(hdev);
1058 
1059 	/* If we're doing connection initiation as peripheral. Set a
1060 	 * timeout in case something goes wrong.
1061 	 */
1062 	if (*sent) {
1063 		struct hci_conn *conn;
1064 
1065 		hci_dev_set_flag(hdev, HCI_LE_ADV);
1066 
1067 		conn = hci_lookup_le_connect(hdev);
1068 		if (conn)
1069 			queue_delayed_work(hdev->workqueue,
1070 					   &conn->le_conn_timeout,
1071 					   conn->conn_timeout);
1072 	} else {
1073 		hci_dev_clear_flag(hdev, HCI_LE_ADV);
1074 	}
1075 
1076 	hci_dev_unlock(hdev);
1077 }
1078 
1079 static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb)
1080 {
1081 	struct hci_cp_le_set_scan_param *cp;
1082 	__u8 status = *((__u8 *) skb->data);
1083 
1084 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1085 
1086 	if (status)
1087 		return;
1088 
1089 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1090 	if (!cp)
1091 		return;
1092 
1093 	hci_dev_lock(hdev);
1094 
1095 	hdev->le_scan_type = cp->type;
1096 
1097 	hci_dev_unlock(hdev);
1098 }
1099 
1100 static bool has_pending_adv_report(struct hci_dev *hdev)
1101 {
1102 	struct discovery_state *d = &hdev->discovery;
1103 
1104 	return bacmp(&d->last_adv_addr, BDADDR_ANY);
1105 }
1106 
1107 static void clear_pending_adv_report(struct hci_dev *hdev)
1108 {
1109 	struct discovery_state *d = &hdev->discovery;
1110 
1111 	bacpy(&d->last_adv_addr, BDADDR_ANY);
1112 	d->last_adv_data_len = 0;
1113 }
1114 
1115 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1116 				     u8 bdaddr_type, s8 rssi, u32 flags,
1117 				     u8 *data, u8 len)
1118 {
1119 	struct discovery_state *d = &hdev->discovery;
1120 
1121 	bacpy(&d->last_adv_addr, bdaddr);
1122 	d->last_adv_addr_type = bdaddr_type;
1123 	d->last_adv_rssi = rssi;
1124 	d->last_adv_flags = flags;
1125 	memcpy(d->last_adv_data, data, len);
1126 	d->last_adv_data_len = len;
1127 }
1128 
1129 static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
1130 				      struct sk_buff *skb)
1131 {
1132 	struct hci_cp_le_set_scan_enable *cp;
1133 	__u8 status = *((__u8 *) skb->data);
1134 
1135 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1136 
1137 	if (status)
1138 		return;
1139 
1140 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1141 	if (!cp)
1142 		return;
1143 
1144 	hci_dev_lock(hdev);
1145 
1146 	switch (cp->enable) {
1147 	case LE_SCAN_ENABLE:
1148 		hci_dev_set_flag(hdev, HCI_LE_SCAN);
1149 		if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1150 			clear_pending_adv_report(hdev);
1151 		break;
1152 
1153 	case LE_SCAN_DISABLE:
1154 		/* We do this here instead of when setting DISCOVERY_STOPPED
1155 		 * since the latter would potentially require waiting for
1156 		 * inquiry to stop too.
1157 		 */
1158 		if (has_pending_adv_report(hdev)) {
1159 			struct discovery_state *d = &hdev->discovery;
1160 
1161 			mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1162 					  d->last_adv_addr_type, NULL,
1163 					  d->last_adv_rssi, d->last_adv_flags,
1164 					  d->last_adv_data,
1165 					  d->last_adv_data_len, NULL, 0);
1166 		}
1167 
1168 		/* Cancel this timer so that we don't try to disable scanning
1169 		 * when it's already disabled.
1170 		 */
1171 		cancel_delayed_work(&hdev->le_scan_disable);
1172 
1173 		hci_dev_clear_flag(hdev, HCI_LE_SCAN);
1174 
1175 		/* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1176 		 * interrupted scanning due to a connect request. Mark
1177 		 * therefore discovery as stopped. If this was not
1178 		 * because of a connect request advertising might have
1179 		 * been disabled because of active scanning, so
1180 		 * re-enable it again if necessary.
1181 		 */
1182 		if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))
1183 			hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1184 		else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) &&
1185 			 hdev->discovery.state == DISCOVERY_FINDING)
1186 			hci_req_reenable_advertising(hdev);
1187 
1188 		break;
1189 
1190 	default:
1191 		BT_ERR("Used reserved LE_Scan_Enable param %d", cp->enable);
1192 		break;
1193 	}
1194 
1195 	hci_dev_unlock(hdev);
1196 }
1197 
1198 static void hci_cc_le_read_white_list_size(struct hci_dev *hdev,
1199 					   struct sk_buff *skb)
1200 {
1201 	struct hci_rp_le_read_white_list_size *rp = (void *) skb->data;
1202 
1203 	BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1204 
1205 	if (rp->status)
1206 		return;
1207 
1208 	hdev->le_white_list_size = rp->size;
1209 }
1210 
1211 static void hci_cc_le_clear_white_list(struct hci_dev *hdev,
1212 				       struct sk_buff *skb)
1213 {
1214 	__u8 status = *((__u8 *) skb->data);
1215 
1216 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1217 
1218 	if (status)
1219 		return;
1220 
1221 	hci_bdaddr_list_clear(&hdev->le_white_list);
1222 }
1223 
1224 static void hci_cc_le_add_to_white_list(struct hci_dev *hdev,
1225 					struct sk_buff *skb)
1226 {
1227 	struct hci_cp_le_add_to_white_list *sent;
1228 	__u8 status = *((__u8 *) skb->data);
1229 
1230 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1231 
1232 	if (status)
1233 		return;
1234 
1235 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_WHITE_LIST);
1236 	if (!sent)
1237 		return;
1238 
1239 	hci_bdaddr_list_add(&hdev->le_white_list, &sent->bdaddr,
1240 			   sent->bdaddr_type);
1241 }
1242 
1243 static void hci_cc_le_del_from_white_list(struct hci_dev *hdev,
1244 					  struct sk_buff *skb)
1245 {
1246 	struct hci_cp_le_del_from_white_list *sent;
1247 	__u8 status = *((__u8 *) skb->data);
1248 
1249 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1250 
1251 	if (status)
1252 		return;
1253 
1254 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_WHITE_LIST);
1255 	if (!sent)
1256 		return;
1257 
1258 	hci_bdaddr_list_del(&hdev->le_white_list, &sent->bdaddr,
1259 			    sent->bdaddr_type);
1260 }
1261 
1262 static void hci_cc_le_read_supported_states(struct hci_dev *hdev,
1263 					    struct sk_buff *skb)
1264 {
1265 	struct hci_rp_le_read_supported_states *rp = (void *) skb->data;
1266 
1267 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1268 
1269 	if (rp->status)
1270 		return;
1271 
1272 	memcpy(hdev->le_states, rp->le_states, 8);
1273 }
1274 
1275 static void hci_cc_le_read_def_data_len(struct hci_dev *hdev,
1276 					struct sk_buff *skb)
1277 {
1278 	struct hci_rp_le_read_def_data_len *rp = (void *) skb->data;
1279 
1280 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1281 
1282 	if (rp->status)
1283 		return;
1284 
1285 	hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
1286 	hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
1287 }
1288 
1289 static void hci_cc_le_write_def_data_len(struct hci_dev *hdev,
1290 					 struct sk_buff *skb)
1291 {
1292 	struct hci_cp_le_write_def_data_len *sent;
1293 	__u8 status = *((__u8 *) skb->data);
1294 
1295 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1296 
1297 	if (status)
1298 		return;
1299 
1300 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
1301 	if (!sent)
1302 		return;
1303 
1304 	hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
1305 	hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
1306 }
1307 
1308 static void hci_cc_le_read_max_data_len(struct hci_dev *hdev,
1309 					struct sk_buff *skb)
1310 {
1311 	struct hci_rp_le_read_max_data_len *rp = (void *) skb->data;
1312 
1313 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1314 
1315 	if (rp->status)
1316 		return;
1317 
1318 	hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
1319 	hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
1320 	hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
1321 	hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
1322 }
1323 
1324 static void hci_cc_write_le_host_supported(struct hci_dev *hdev,
1325 					   struct sk_buff *skb)
1326 {
1327 	struct hci_cp_write_le_host_supported *sent;
1328 	__u8 status = *((__u8 *) skb->data);
1329 
1330 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1331 
1332 	if (status)
1333 		return;
1334 
1335 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
1336 	if (!sent)
1337 		return;
1338 
1339 	hci_dev_lock(hdev);
1340 
1341 	if (sent->le) {
1342 		hdev->features[1][0] |= LMP_HOST_LE;
1343 		hci_dev_set_flag(hdev, HCI_LE_ENABLED);
1344 	} else {
1345 		hdev->features[1][0] &= ~LMP_HOST_LE;
1346 		hci_dev_clear_flag(hdev, HCI_LE_ENABLED);
1347 		hci_dev_clear_flag(hdev, HCI_ADVERTISING);
1348 	}
1349 
1350 	if (sent->simul)
1351 		hdev->features[1][0] |= LMP_HOST_LE_BREDR;
1352 	else
1353 		hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
1354 
1355 	hci_dev_unlock(hdev);
1356 }
1357 
1358 static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1359 {
1360 	struct hci_cp_le_set_adv_param *cp;
1361 	u8 status = *((u8 *) skb->data);
1362 
1363 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1364 
1365 	if (status)
1366 		return;
1367 
1368 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
1369 	if (!cp)
1370 		return;
1371 
1372 	hci_dev_lock(hdev);
1373 	hdev->adv_addr_type = cp->own_address_type;
1374 	hci_dev_unlock(hdev);
1375 }
1376 
1377 static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb)
1378 {
1379 	struct hci_rp_read_rssi *rp = (void *) skb->data;
1380 	struct hci_conn *conn;
1381 
1382 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1383 
1384 	if (rp->status)
1385 		return;
1386 
1387 	hci_dev_lock(hdev);
1388 
1389 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1390 	if (conn)
1391 		conn->rssi = rp->rssi;
1392 
1393 	hci_dev_unlock(hdev);
1394 }
1395 
1396 static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb)
1397 {
1398 	struct hci_cp_read_tx_power *sent;
1399 	struct hci_rp_read_tx_power *rp = (void *) skb->data;
1400 	struct hci_conn *conn;
1401 
1402 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1403 
1404 	if (rp->status)
1405 		return;
1406 
1407 	sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
1408 	if (!sent)
1409 		return;
1410 
1411 	hci_dev_lock(hdev);
1412 
1413 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1414 	if (!conn)
1415 		goto unlock;
1416 
1417 	switch (sent->type) {
1418 	case 0x00:
1419 		conn->tx_power = rp->tx_power;
1420 		break;
1421 	case 0x01:
1422 		conn->max_tx_power = rp->tx_power;
1423 		break;
1424 	}
1425 
1426 unlock:
1427 	hci_dev_unlock(hdev);
1428 }
1429 
1430 static void hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, struct sk_buff *skb)
1431 {
1432 	u8 status = *((u8 *) skb->data);
1433 	u8 *mode;
1434 
1435 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1436 
1437 	if (status)
1438 		return;
1439 
1440 	mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);
1441 	if (mode)
1442 		hdev->ssp_debug_mode = *mode;
1443 }
1444 
1445 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
1446 {
1447 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1448 
1449 	if (status) {
1450 		hci_conn_check_pending(hdev);
1451 		return;
1452 	}
1453 
1454 	set_bit(HCI_INQUIRY, &hdev->flags);
1455 }
1456 
1457 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
1458 {
1459 	struct hci_cp_create_conn *cp;
1460 	struct hci_conn *conn;
1461 
1462 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1463 
1464 	cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
1465 	if (!cp)
1466 		return;
1467 
1468 	hci_dev_lock(hdev);
1469 
1470 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1471 
1472 	BT_DBG("%s bdaddr %pMR hcon %p", hdev->name, &cp->bdaddr, conn);
1473 
1474 	if (status) {
1475 		if (conn && conn->state == BT_CONNECT) {
1476 			if (status != 0x0c || conn->attempt > 2) {
1477 				conn->state = BT_CLOSED;
1478 				hci_connect_cfm(conn, status);
1479 				hci_conn_del(conn);
1480 			} else
1481 				conn->state = BT_CONNECT2;
1482 		}
1483 	} else {
1484 		if (!conn) {
1485 			conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr,
1486 					    HCI_ROLE_MASTER);
1487 			if (!conn)
1488 				BT_ERR("No memory for new connection");
1489 		}
1490 	}
1491 
1492 	hci_dev_unlock(hdev);
1493 }
1494 
1495 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
1496 {
1497 	struct hci_cp_add_sco *cp;
1498 	struct hci_conn *acl, *sco;
1499 	__u16 handle;
1500 
1501 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1502 
1503 	if (!status)
1504 		return;
1505 
1506 	cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
1507 	if (!cp)
1508 		return;
1509 
1510 	handle = __le16_to_cpu(cp->handle);
1511 
1512 	BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1513 
1514 	hci_dev_lock(hdev);
1515 
1516 	acl = hci_conn_hash_lookup_handle(hdev, handle);
1517 	if (acl) {
1518 		sco = acl->link;
1519 		if (sco) {
1520 			sco->state = BT_CLOSED;
1521 
1522 			hci_connect_cfm(sco, status);
1523 			hci_conn_del(sco);
1524 		}
1525 	}
1526 
1527 	hci_dev_unlock(hdev);
1528 }
1529 
1530 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
1531 {
1532 	struct hci_cp_auth_requested *cp;
1533 	struct hci_conn *conn;
1534 
1535 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1536 
1537 	if (!status)
1538 		return;
1539 
1540 	cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
1541 	if (!cp)
1542 		return;
1543 
1544 	hci_dev_lock(hdev);
1545 
1546 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1547 	if (conn) {
1548 		if (conn->state == BT_CONFIG) {
1549 			hci_connect_cfm(conn, status);
1550 			hci_conn_drop(conn);
1551 		}
1552 	}
1553 
1554 	hci_dev_unlock(hdev);
1555 }
1556 
1557 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
1558 {
1559 	struct hci_cp_set_conn_encrypt *cp;
1560 	struct hci_conn *conn;
1561 
1562 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1563 
1564 	if (!status)
1565 		return;
1566 
1567 	cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
1568 	if (!cp)
1569 		return;
1570 
1571 	hci_dev_lock(hdev);
1572 
1573 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1574 	if (conn) {
1575 		if (conn->state == BT_CONFIG) {
1576 			hci_connect_cfm(conn, status);
1577 			hci_conn_drop(conn);
1578 		}
1579 	}
1580 
1581 	hci_dev_unlock(hdev);
1582 }
1583 
1584 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
1585 				    struct hci_conn *conn)
1586 {
1587 	if (conn->state != BT_CONFIG || !conn->out)
1588 		return 0;
1589 
1590 	if (conn->pending_sec_level == BT_SECURITY_SDP)
1591 		return 0;
1592 
1593 	/* Only request authentication for SSP connections or non-SSP
1594 	 * devices with sec_level MEDIUM or HIGH or if MITM protection
1595 	 * is requested.
1596 	 */
1597 	if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
1598 	    conn->pending_sec_level != BT_SECURITY_FIPS &&
1599 	    conn->pending_sec_level != BT_SECURITY_HIGH &&
1600 	    conn->pending_sec_level != BT_SECURITY_MEDIUM)
1601 		return 0;
1602 
1603 	return 1;
1604 }
1605 
1606 static int hci_resolve_name(struct hci_dev *hdev,
1607 				   struct inquiry_entry *e)
1608 {
1609 	struct hci_cp_remote_name_req cp;
1610 
1611 	memset(&cp, 0, sizeof(cp));
1612 
1613 	bacpy(&cp.bdaddr, &e->data.bdaddr);
1614 	cp.pscan_rep_mode = e->data.pscan_rep_mode;
1615 	cp.pscan_mode = e->data.pscan_mode;
1616 	cp.clock_offset = e->data.clock_offset;
1617 
1618 	return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
1619 }
1620 
1621 static bool hci_resolve_next_name(struct hci_dev *hdev)
1622 {
1623 	struct discovery_state *discov = &hdev->discovery;
1624 	struct inquiry_entry *e;
1625 
1626 	if (list_empty(&discov->resolve))
1627 		return false;
1628 
1629 	e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
1630 	if (!e)
1631 		return false;
1632 
1633 	if (hci_resolve_name(hdev, e) == 0) {
1634 		e->name_state = NAME_PENDING;
1635 		return true;
1636 	}
1637 
1638 	return false;
1639 }
1640 
1641 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
1642 				   bdaddr_t *bdaddr, u8 *name, u8 name_len)
1643 {
1644 	struct discovery_state *discov = &hdev->discovery;
1645 	struct inquiry_entry *e;
1646 
1647 	/* Update the mgmt connected state if necessary. Be careful with
1648 	 * conn objects that exist but are not (yet) connected however.
1649 	 * Only those in BT_CONFIG or BT_CONNECTED states can be
1650 	 * considered connected.
1651 	 */
1652 	if (conn &&
1653 	    (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) &&
1654 	    !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
1655 		mgmt_device_connected(hdev, conn, 0, name, name_len);
1656 
1657 	if (discov->state == DISCOVERY_STOPPED)
1658 		return;
1659 
1660 	if (discov->state == DISCOVERY_STOPPING)
1661 		goto discov_complete;
1662 
1663 	if (discov->state != DISCOVERY_RESOLVING)
1664 		return;
1665 
1666 	e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
1667 	/* If the device was not found in a list of found devices names of which
1668 	 * are pending. there is no need to continue resolving a next name as it
1669 	 * will be done upon receiving another Remote Name Request Complete
1670 	 * Event */
1671 	if (!e)
1672 		return;
1673 
1674 	list_del(&e->list);
1675 	if (name) {
1676 		e->name_state = NAME_KNOWN;
1677 		mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,
1678 				 e->data.rssi, name, name_len);
1679 	} else {
1680 		e->name_state = NAME_NOT_KNOWN;
1681 	}
1682 
1683 	if (hci_resolve_next_name(hdev))
1684 		return;
1685 
1686 discov_complete:
1687 	hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1688 }
1689 
1690 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
1691 {
1692 	struct hci_cp_remote_name_req *cp;
1693 	struct hci_conn *conn;
1694 
1695 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1696 
1697 	/* If successful wait for the name req complete event before
1698 	 * checking for the need to do authentication */
1699 	if (!status)
1700 		return;
1701 
1702 	cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
1703 	if (!cp)
1704 		return;
1705 
1706 	hci_dev_lock(hdev);
1707 
1708 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1709 
1710 	if (hci_dev_test_flag(hdev, HCI_MGMT))
1711 		hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
1712 
1713 	if (!conn)
1714 		goto unlock;
1715 
1716 	if (!hci_outgoing_auth_needed(hdev, conn))
1717 		goto unlock;
1718 
1719 	if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
1720 		struct hci_cp_auth_requested auth_cp;
1721 
1722 		set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
1723 
1724 		auth_cp.handle = __cpu_to_le16(conn->handle);
1725 		hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
1726 			     sizeof(auth_cp), &auth_cp);
1727 	}
1728 
1729 unlock:
1730 	hci_dev_unlock(hdev);
1731 }
1732 
1733 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
1734 {
1735 	struct hci_cp_read_remote_features *cp;
1736 	struct hci_conn *conn;
1737 
1738 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1739 
1740 	if (!status)
1741 		return;
1742 
1743 	cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
1744 	if (!cp)
1745 		return;
1746 
1747 	hci_dev_lock(hdev);
1748 
1749 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1750 	if (conn) {
1751 		if (conn->state == BT_CONFIG) {
1752 			hci_connect_cfm(conn, status);
1753 			hci_conn_drop(conn);
1754 		}
1755 	}
1756 
1757 	hci_dev_unlock(hdev);
1758 }
1759 
1760 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
1761 {
1762 	struct hci_cp_read_remote_ext_features *cp;
1763 	struct hci_conn *conn;
1764 
1765 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1766 
1767 	if (!status)
1768 		return;
1769 
1770 	cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
1771 	if (!cp)
1772 		return;
1773 
1774 	hci_dev_lock(hdev);
1775 
1776 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1777 	if (conn) {
1778 		if (conn->state == BT_CONFIG) {
1779 			hci_connect_cfm(conn, status);
1780 			hci_conn_drop(conn);
1781 		}
1782 	}
1783 
1784 	hci_dev_unlock(hdev);
1785 }
1786 
1787 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
1788 {
1789 	struct hci_cp_setup_sync_conn *cp;
1790 	struct hci_conn *acl, *sco;
1791 	__u16 handle;
1792 
1793 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1794 
1795 	if (!status)
1796 		return;
1797 
1798 	cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
1799 	if (!cp)
1800 		return;
1801 
1802 	handle = __le16_to_cpu(cp->handle);
1803 
1804 	BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1805 
1806 	hci_dev_lock(hdev);
1807 
1808 	acl = hci_conn_hash_lookup_handle(hdev, handle);
1809 	if (acl) {
1810 		sco = acl->link;
1811 		if (sco) {
1812 			sco->state = BT_CLOSED;
1813 
1814 			hci_connect_cfm(sco, status);
1815 			hci_conn_del(sco);
1816 		}
1817 	}
1818 
1819 	hci_dev_unlock(hdev);
1820 }
1821 
1822 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
1823 {
1824 	struct hci_cp_sniff_mode *cp;
1825 	struct hci_conn *conn;
1826 
1827 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1828 
1829 	if (!status)
1830 		return;
1831 
1832 	cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
1833 	if (!cp)
1834 		return;
1835 
1836 	hci_dev_lock(hdev);
1837 
1838 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1839 	if (conn) {
1840 		clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
1841 
1842 		if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
1843 			hci_sco_setup(conn, status);
1844 	}
1845 
1846 	hci_dev_unlock(hdev);
1847 }
1848 
1849 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
1850 {
1851 	struct hci_cp_exit_sniff_mode *cp;
1852 	struct hci_conn *conn;
1853 
1854 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1855 
1856 	if (!status)
1857 		return;
1858 
1859 	cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
1860 	if (!cp)
1861 		return;
1862 
1863 	hci_dev_lock(hdev);
1864 
1865 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1866 	if (conn) {
1867 		clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
1868 
1869 		if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
1870 			hci_sco_setup(conn, status);
1871 	}
1872 
1873 	hci_dev_unlock(hdev);
1874 }
1875 
1876 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
1877 {
1878 	struct hci_cp_disconnect *cp;
1879 	struct hci_conn *conn;
1880 
1881 	if (!status)
1882 		return;
1883 
1884 	cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
1885 	if (!cp)
1886 		return;
1887 
1888 	hci_dev_lock(hdev);
1889 
1890 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1891 	if (conn)
1892 		mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
1893 				       conn->dst_type, status);
1894 
1895 	hci_dev_unlock(hdev);
1896 }
1897 
1898 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
1899 {
1900 	struct hci_cp_le_create_conn *cp;
1901 	struct hci_conn *conn;
1902 
1903 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1904 
1905 	/* All connection failure handling is taken care of by the
1906 	 * hci_le_conn_failed function which is triggered by the HCI
1907 	 * request completion callbacks used for connecting.
1908 	 */
1909 	if (status)
1910 		return;
1911 
1912 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
1913 	if (!cp)
1914 		return;
1915 
1916 	hci_dev_lock(hdev);
1917 
1918 	conn = hci_conn_hash_lookup_le(hdev, &cp->peer_addr,
1919 				       cp->peer_addr_type);
1920 	if (!conn)
1921 		goto unlock;
1922 
1923 	/* Store the initiator and responder address information which
1924 	 * is needed for SMP. These values will not change during the
1925 	 * lifetime of the connection.
1926 	 */
1927 	conn->init_addr_type = cp->own_address_type;
1928 	if (cp->own_address_type == ADDR_LE_DEV_RANDOM)
1929 		bacpy(&conn->init_addr, &hdev->random_addr);
1930 	else
1931 		bacpy(&conn->init_addr, &hdev->bdaddr);
1932 
1933 	conn->resp_addr_type = cp->peer_addr_type;
1934 	bacpy(&conn->resp_addr, &cp->peer_addr);
1935 
1936 	/* We don't want the connection attempt to stick around
1937 	 * indefinitely since LE doesn't have a page timeout concept
1938 	 * like BR/EDR. Set a timer for any connection that doesn't use
1939 	 * the white list for connecting.
1940 	 */
1941 	if (cp->filter_policy == HCI_LE_USE_PEER_ADDR)
1942 		queue_delayed_work(conn->hdev->workqueue,
1943 				   &conn->le_conn_timeout,
1944 				   conn->conn_timeout);
1945 
1946 unlock:
1947 	hci_dev_unlock(hdev);
1948 }
1949 
1950 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)
1951 {
1952 	struct hci_cp_le_read_remote_features *cp;
1953 	struct hci_conn *conn;
1954 
1955 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1956 
1957 	if (!status)
1958 		return;
1959 
1960 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);
1961 	if (!cp)
1962 		return;
1963 
1964 	hci_dev_lock(hdev);
1965 
1966 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1967 	if (conn) {
1968 		if (conn->state == BT_CONFIG) {
1969 			hci_connect_cfm(conn, status);
1970 			hci_conn_drop(conn);
1971 		}
1972 	}
1973 
1974 	hci_dev_unlock(hdev);
1975 }
1976 
1977 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
1978 {
1979 	struct hci_cp_le_start_enc *cp;
1980 	struct hci_conn *conn;
1981 
1982 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1983 
1984 	if (!status)
1985 		return;
1986 
1987 	hci_dev_lock(hdev);
1988 
1989 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
1990 	if (!cp)
1991 		goto unlock;
1992 
1993 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1994 	if (!conn)
1995 		goto unlock;
1996 
1997 	if (conn->state != BT_CONNECTED)
1998 		goto unlock;
1999 
2000 	hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2001 	hci_conn_drop(conn);
2002 
2003 unlock:
2004 	hci_dev_unlock(hdev);
2005 }
2006 
2007 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
2008 {
2009 	struct hci_cp_switch_role *cp;
2010 	struct hci_conn *conn;
2011 
2012 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
2013 
2014 	if (!status)
2015 		return;
2016 
2017 	cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
2018 	if (!cp)
2019 		return;
2020 
2021 	hci_dev_lock(hdev);
2022 
2023 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2024 	if (conn)
2025 		clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
2026 
2027 	hci_dev_unlock(hdev);
2028 }
2029 
2030 static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2031 {
2032 	__u8 status = *((__u8 *) skb->data);
2033 	struct discovery_state *discov = &hdev->discovery;
2034 	struct inquiry_entry *e;
2035 
2036 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
2037 
2038 	hci_conn_check_pending(hdev);
2039 
2040 	if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
2041 		return;
2042 
2043 	smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
2044 	wake_up_bit(&hdev->flags, HCI_INQUIRY);
2045 
2046 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
2047 		return;
2048 
2049 	hci_dev_lock(hdev);
2050 
2051 	if (discov->state != DISCOVERY_FINDING)
2052 		goto unlock;
2053 
2054 	if (list_empty(&discov->resolve)) {
2055 		/* When BR/EDR inquiry is active and no LE scanning is in
2056 		 * progress, then change discovery state to indicate completion.
2057 		 *
2058 		 * When running LE scanning and BR/EDR inquiry simultaneously
2059 		 * and the LE scan already finished, then change the discovery
2060 		 * state to indicate completion.
2061 		 */
2062 		if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2063 		    !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2064 			hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2065 		goto unlock;
2066 	}
2067 
2068 	e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2069 	if (e && hci_resolve_name(hdev, e) == 0) {
2070 		e->name_state = NAME_PENDING;
2071 		hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
2072 	} else {
2073 		/* When BR/EDR inquiry is active and no LE scanning is in
2074 		 * progress, then change discovery state to indicate completion.
2075 		 *
2076 		 * When running LE scanning and BR/EDR inquiry simultaneously
2077 		 * and the LE scan already finished, then change the discovery
2078 		 * state to indicate completion.
2079 		 */
2080 		if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2081 		    !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2082 			hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2083 	}
2084 
2085 unlock:
2086 	hci_dev_unlock(hdev);
2087 }
2088 
2089 static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
2090 {
2091 	struct inquiry_data data;
2092 	struct inquiry_info *info = (void *) (skb->data + 1);
2093 	int num_rsp = *((__u8 *) skb->data);
2094 
2095 	BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
2096 
2097 	if (!num_rsp)
2098 		return;
2099 
2100 	if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
2101 		return;
2102 
2103 	hci_dev_lock(hdev);
2104 
2105 	for (; num_rsp; num_rsp--, info++) {
2106 		u32 flags;
2107 
2108 		bacpy(&data.bdaddr, &info->bdaddr);
2109 		data.pscan_rep_mode	= info->pscan_rep_mode;
2110 		data.pscan_period_mode	= info->pscan_period_mode;
2111 		data.pscan_mode		= info->pscan_mode;
2112 		memcpy(data.dev_class, info->dev_class, 3);
2113 		data.clock_offset	= info->clock_offset;
2114 		data.rssi		= HCI_RSSI_INVALID;
2115 		data.ssp_mode		= 0x00;
2116 
2117 		flags = hci_inquiry_cache_update(hdev, &data, false);
2118 
2119 		mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
2120 				  info->dev_class, HCI_RSSI_INVALID,
2121 				  flags, NULL, 0, NULL, 0);
2122 	}
2123 
2124 	hci_dev_unlock(hdev);
2125 }
2126 
2127 static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2128 {
2129 	struct hci_ev_conn_complete *ev = (void *) skb->data;
2130 	struct hci_conn *conn;
2131 
2132 	BT_DBG("%s", hdev->name);
2133 
2134 	hci_dev_lock(hdev);
2135 
2136 	conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
2137 	if (!conn) {
2138 		if (ev->link_type != SCO_LINK)
2139 			goto unlock;
2140 
2141 		conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
2142 		if (!conn)
2143 			goto unlock;
2144 
2145 		conn->type = SCO_LINK;
2146 	}
2147 
2148 	if (!ev->status) {
2149 		conn->handle = __le16_to_cpu(ev->handle);
2150 
2151 		if (conn->type == ACL_LINK) {
2152 			conn->state = BT_CONFIG;
2153 			hci_conn_hold(conn);
2154 
2155 			if (!conn->out && !hci_conn_ssp_enabled(conn) &&
2156 			    !hci_find_link_key(hdev, &ev->bdaddr))
2157 				conn->disc_timeout = HCI_PAIRING_TIMEOUT;
2158 			else
2159 				conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2160 		} else
2161 			conn->state = BT_CONNECTED;
2162 
2163 		hci_debugfs_create_conn(conn);
2164 		hci_conn_add_sysfs(conn);
2165 
2166 		if (test_bit(HCI_AUTH, &hdev->flags))
2167 			set_bit(HCI_CONN_AUTH, &conn->flags);
2168 
2169 		if (test_bit(HCI_ENCRYPT, &hdev->flags))
2170 			set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2171 
2172 		/* Get remote features */
2173 		if (conn->type == ACL_LINK) {
2174 			struct hci_cp_read_remote_features cp;
2175 			cp.handle = ev->handle;
2176 			hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
2177 				     sizeof(cp), &cp);
2178 
2179 			hci_req_update_scan(hdev);
2180 		}
2181 
2182 		/* Set packet type for incoming connection */
2183 		if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
2184 			struct hci_cp_change_conn_ptype cp;
2185 			cp.handle = ev->handle;
2186 			cp.pkt_type = cpu_to_le16(conn->pkt_type);
2187 			hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
2188 				     &cp);
2189 		}
2190 	} else {
2191 		conn->state = BT_CLOSED;
2192 		if (conn->type == ACL_LINK)
2193 			mgmt_connect_failed(hdev, &conn->dst, conn->type,
2194 					    conn->dst_type, ev->status);
2195 	}
2196 
2197 	if (conn->type == ACL_LINK)
2198 		hci_sco_setup(conn, ev->status);
2199 
2200 	if (ev->status) {
2201 		hci_connect_cfm(conn, ev->status);
2202 		hci_conn_del(conn);
2203 	} else if (ev->link_type != ACL_LINK)
2204 		hci_connect_cfm(conn, ev->status);
2205 
2206 unlock:
2207 	hci_dev_unlock(hdev);
2208 
2209 	hci_conn_check_pending(hdev);
2210 }
2211 
2212 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
2213 {
2214 	struct hci_cp_reject_conn_req cp;
2215 
2216 	bacpy(&cp.bdaddr, bdaddr);
2217 	cp.reason = HCI_ERROR_REJ_BAD_ADDR;
2218 	hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
2219 }
2220 
2221 static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2222 {
2223 	struct hci_ev_conn_request *ev = (void *) skb->data;
2224 	int mask = hdev->link_mode;
2225 	struct inquiry_entry *ie;
2226 	struct hci_conn *conn;
2227 	__u8 flags = 0;
2228 
2229 	BT_DBG("%s bdaddr %pMR type 0x%x", hdev->name, &ev->bdaddr,
2230 	       ev->link_type);
2231 
2232 	mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
2233 				      &flags);
2234 
2235 	if (!(mask & HCI_LM_ACCEPT)) {
2236 		hci_reject_conn(hdev, &ev->bdaddr);
2237 		return;
2238 	}
2239 
2240 	if (hci_bdaddr_list_lookup(&hdev->blacklist, &ev->bdaddr,
2241 				   BDADDR_BREDR)) {
2242 		hci_reject_conn(hdev, &ev->bdaddr);
2243 		return;
2244 	}
2245 
2246 	/* Require HCI_CONNECTABLE or a whitelist entry to accept the
2247 	 * connection. These features are only touched through mgmt so
2248 	 * only do the checks if HCI_MGMT is set.
2249 	 */
2250 	if (hci_dev_test_flag(hdev, HCI_MGMT) &&
2251 	    !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
2252 	    !hci_bdaddr_list_lookup(&hdev->whitelist, &ev->bdaddr,
2253 				    BDADDR_BREDR)) {
2254 		    hci_reject_conn(hdev, &ev->bdaddr);
2255 		    return;
2256 	}
2257 
2258 	/* Connection accepted */
2259 
2260 	hci_dev_lock(hdev);
2261 
2262 	ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
2263 	if (ie)
2264 		memcpy(ie->data.dev_class, ev->dev_class, 3);
2265 
2266 	conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
2267 			&ev->bdaddr);
2268 	if (!conn) {
2269 		conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,
2270 				    HCI_ROLE_SLAVE);
2271 		if (!conn) {
2272 			BT_ERR("No memory for new connection");
2273 			hci_dev_unlock(hdev);
2274 			return;
2275 		}
2276 	}
2277 
2278 	memcpy(conn->dev_class, ev->dev_class, 3);
2279 
2280 	hci_dev_unlock(hdev);
2281 
2282 	if (ev->link_type == ACL_LINK ||
2283 	    (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
2284 		struct hci_cp_accept_conn_req cp;
2285 		conn->state = BT_CONNECT;
2286 
2287 		bacpy(&cp.bdaddr, &ev->bdaddr);
2288 
2289 		if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
2290 			cp.role = 0x00; /* Become master */
2291 		else
2292 			cp.role = 0x01; /* Remain slave */
2293 
2294 		hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
2295 	} else if (!(flags & HCI_PROTO_DEFER)) {
2296 		struct hci_cp_accept_sync_conn_req cp;
2297 		conn->state = BT_CONNECT;
2298 
2299 		bacpy(&cp.bdaddr, &ev->bdaddr);
2300 		cp.pkt_type = cpu_to_le16(conn->pkt_type);
2301 
2302 		cp.tx_bandwidth   = cpu_to_le32(0x00001f40);
2303 		cp.rx_bandwidth   = cpu_to_le32(0x00001f40);
2304 		cp.max_latency    = cpu_to_le16(0xffff);
2305 		cp.content_format = cpu_to_le16(hdev->voice_setting);
2306 		cp.retrans_effort = 0xff;
2307 
2308 		hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
2309 			     &cp);
2310 	} else {
2311 		conn->state = BT_CONNECT2;
2312 		hci_connect_cfm(conn, 0);
2313 	}
2314 }
2315 
2316 static u8 hci_to_mgmt_reason(u8 err)
2317 {
2318 	switch (err) {
2319 	case HCI_ERROR_CONNECTION_TIMEOUT:
2320 		return MGMT_DEV_DISCONN_TIMEOUT;
2321 	case HCI_ERROR_REMOTE_USER_TERM:
2322 	case HCI_ERROR_REMOTE_LOW_RESOURCES:
2323 	case HCI_ERROR_REMOTE_POWER_OFF:
2324 		return MGMT_DEV_DISCONN_REMOTE;
2325 	case HCI_ERROR_LOCAL_HOST_TERM:
2326 		return MGMT_DEV_DISCONN_LOCAL_HOST;
2327 	default:
2328 		return MGMT_DEV_DISCONN_UNKNOWN;
2329 	}
2330 }
2331 
2332 static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2333 {
2334 	struct hci_ev_disconn_complete *ev = (void *) skb->data;
2335 	u8 reason;
2336 	struct hci_conn_params *params;
2337 	struct hci_conn *conn;
2338 	bool mgmt_connected;
2339 	u8 type;
2340 
2341 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2342 
2343 	hci_dev_lock(hdev);
2344 
2345 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2346 	if (!conn)
2347 		goto unlock;
2348 
2349 	if (ev->status) {
2350 		mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2351 				       conn->dst_type, ev->status);
2352 		goto unlock;
2353 	}
2354 
2355 	conn->state = BT_CLOSED;
2356 
2357 	mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2358 
2359 	if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags))
2360 		reason = MGMT_DEV_DISCONN_AUTH_FAILURE;
2361 	else
2362 		reason = hci_to_mgmt_reason(ev->reason);
2363 
2364 	mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2365 				reason, mgmt_connected);
2366 
2367 	if (conn->type == ACL_LINK) {
2368 		if (test_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2369 			hci_remove_link_key(hdev, &conn->dst);
2370 
2371 		hci_req_update_scan(hdev);
2372 	}
2373 
2374 	params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2375 	if (params) {
2376 		switch (params->auto_connect) {
2377 		case HCI_AUTO_CONN_LINK_LOSS:
2378 			if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2379 				break;
2380 			/* Fall through */
2381 
2382 		case HCI_AUTO_CONN_DIRECT:
2383 		case HCI_AUTO_CONN_ALWAYS:
2384 			list_del_init(&params->action);
2385 			list_add(&params->action, &hdev->pend_le_conns);
2386 			hci_update_background_scan(hdev);
2387 			break;
2388 
2389 		default:
2390 			break;
2391 		}
2392 	}
2393 
2394 	type = conn->type;
2395 
2396 	hci_disconn_cfm(conn, ev->reason);
2397 	hci_conn_del(conn);
2398 
2399 	/* Re-enable advertising if necessary, since it might
2400 	 * have been disabled by the connection. From the
2401 	 * HCI_LE_Set_Advertise_Enable command description in
2402 	 * the core specification (v4.0):
2403 	 * "The Controller shall continue advertising until the Host
2404 	 * issues an LE_Set_Advertise_Enable command with
2405 	 * Advertising_Enable set to 0x00 (Advertising is disabled)
2406 	 * or until a connection is created or until the Advertising
2407 	 * is timed out due to Directed Advertising."
2408 	 */
2409 	if (type == LE_LINK)
2410 		hci_req_reenable_advertising(hdev);
2411 
2412 unlock:
2413 	hci_dev_unlock(hdev);
2414 }
2415 
2416 static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2417 {
2418 	struct hci_ev_auth_complete *ev = (void *) skb->data;
2419 	struct hci_conn *conn;
2420 
2421 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2422 
2423 	hci_dev_lock(hdev);
2424 
2425 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2426 	if (!conn)
2427 		goto unlock;
2428 
2429 	if (!ev->status) {
2430 		clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
2431 
2432 		if (!hci_conn_ssp_enabled(conn) &&
2433 		    test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) {
2434 			BT_INFO("re-auth of legacy device is not possible.");
2435 		} else {
2436 			set_bit(HCI_CONN_AUTH, &conn->flags);
2437 			conn->sec_level = conn->pending_sec_level;
2438 		}
2439 	} else {
2440 		if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
2441 			set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
2442 
2443 		mgmt_auth_failed(conn, ev->status);
2444 	}
2445 
2446 	clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2447 	clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
2448 
2449 	if (conn->state == BT_CONFIG) {
2450 		if (!ev->status && hci_conn_ssp_enabled(conn)) {
2451 			struct hci_cp_set_conn_encrypt cp;
2452 			cp.handle  = ev->handle;
2453 			cp.encrypt = 0x01;
2454 			hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2455 				     &cp);
2456 		} else {
2457 			conn->state = BT_CONNECTED;
2458 			hci_connect_cfm(conn, ev->status);
2459 			hci_conn_drop(conn);
2460 		}
2461 	} else {
2462 		hci_auth_cfm(conn, ev->status);
2463 
2464 		hci_conn_hold(conn);
2465 		conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2466 		hci_conn_drop(conn);
2467 	}
2468 
2469 	if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2470 		if (!ev->status) {
2471 			struct hci_cp_set_conn_encrypt cp;
2472 			cp.handle  = ev->handle;
2473 			cp.encrypt = 0x01;
2474 			hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2475 				     &cp);
2476 		} else {
2477 			clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2478 			hci_encrypt_cfm(conn, ev->status, 0x00);
2479 		}
2480 	}
2481 
2482 unlock:
2483 	hci_dev_unlock(hdev);
2484 }
2485 
2486 static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb)
2487 {
2488 	struct hci_ev_remote_name *ev = (void *) skb->data;
2489 	struct hci_conn *conn;
2490 
2491 	BT_DBG("%s", hdev->name);
2492 
2493 	hci_conn_check_pending(hdev);
2494 
2495 	hci_dev_lock(hdev);
2496 
2497 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2498 
2499 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
2500 		goto check_auth;
2501 
2502 	if (ev->status == 0)
2503 		hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
2504 				       strnlen(ev->name, HCI_MAX_NAME_LENGTH));
2505 	else
2506 		hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
2507 
2508 check_auth:
2509 	if (!conn)
2510 		goto unlock;
2511 
2512 	if (!hci_outgoing_auth_needed(hdev, conn))
2513 		goto unlock;
2514 
2515 	if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2516 		struct hci_cp_auth_requested cp;
2517 
2518 		set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2519 
2520 		cp.handle = __cpu_to_le16(conn->handle);
2521 		hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
2522 	}
2523 
2524 unlock:
2525 	hci_dev_unlock(hdev);
2526 }
2527 
2528 static void read_enc_key_size_complete(struct hci_dev *hdev, u8 status,
2529 				       u16 opcode, struct sk_buff *skb)
2530 {
2531 	const struct hci_rp_read_enc_key_size *rp;
2532 	struct hci_conn *conn;
2533 	u16 handle;
2534 
2535 	BT_DBG("%s status 0x%02x", hdev->name, status);
2536 
2537 	if (!skb || skb->len < sizeof(*rp)) {
2538 		BT_ERR("%s invalid HCI Read Encryption Key Size response",
2539 		       hdev->name);
2540 		return;
2541 	}
2542 
2543 	rp = (void *)skb->data;
2544 	handle = le16_to_cpu(rp->handle);
2545 
2546 	hci_dev_lock(hdev);
2547 
2548 	conn = hci_conn_hash_lookup_handle(hdev, handle);
2549 	if (!conn)
2550 		goto unlock;
2551 
2552 	/* If we fail to read the encryption key size, assume maximum
2553 	 * (which is the same we do also when this HCI command isn't
2554 	 * supported.
2555 	 */
2556 	if (rp->status) {
2557 		BT_ERR("%s failed to read key size for handle %u", hdev->name,
2558 		       handle);
2559 		conn->enc_key_size = HCI_LINK_KEY_SIZE;
2560 	} else {
2561 		conn->enc_key_size = rp->key_size;
2562 	}
2563 
2564 	if (conn->state == BT_CONFIG) {
2565 		conn->state = BT_CONNECTED;
2566 		hci_connect_cfm(conn, 0);
2567 		hci_conn_drop(conn);
2568 	} else {
2569 		u8 encrypt;
2570 
2571 		if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2572 			encrypt = 0x00;
2573 		else if (test_bit(HCI_CONN_AES_CCM, &conn->flags))
2574 			encrypt = 0x02;
2575 		else
2576 			encrypt = 0x01;
2577 
2578 		hci_encrypt_cfm(conn, 0, encrypt);
2579 	}
2580 
2581 unlock:
2582 	hci_dev_unlock(hdev);
2583 }
2584 
2585 static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2586 {
2587 	struct hci_ev_encrypt_change *ev = (void *) skb->data;
2588 	struct hci_conn *conn;
2589 
2590 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2591 
2592 	hci_dev_lock(hdev);
2593 
2594 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2595 	if (!conn)
2596 		goto unlock;
2597 
2598 	if (!ev->status) {
2599 		if (ev->encrypt) {
2600 			/* Encryption implies authentication */
2601 			set_bit(HCI_CONN_AUTH, &conn->flags);
2602 			set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2603 			conn->sec_level = conn->pending_sec_level;
2604 
2605 			/* P-256 authentication key implies FIPS */
2606 			if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
2607 				set_bit(HCI_CONN_FIPS, &conn->flags);
2608 
2609 			if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
2610 			    conn->type == LE_LINK)
2611 				set_bit(HCI_CONN_AES_CCM, &conn->flags);
2612 		} else {
2613 			clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
2614 			clear_bit(HCI_CONN_AES_CCM, &conn->flags);
2615 		}
2616 	}
2617 
2618 	/* We should disregard the current RPA and generate a new one
2619 	 * whenever the encryption procedure fails.
2620 	 */
2621 	if (ev->status && conn->type == LE_LINK)
2622 		hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
2623 
2624 	clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2625 
2626 	if (ev->status && conn->state == BT_CONNECTED) {
2627 		if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
2628 			set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
2629 
2630 		hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2631 		hci_conn_drop(conn);
2632 		goto unlock;
2633 	}
2634 
2635 	/* In Secure Connections Only mode, do not allow any connections
2636 	 * that are not encrypted with AES-CCM using a P-256 authenticated
2637 	 * combination key.
2638 	 */
2639 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) &&
2640 	    (!test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
2641 	     conn->key_type != HCI_LK_AUTH_COMBINATION_P256)) {
2642 		hci_connect_cfm(conn, HCI_ERROR_AUTH_FAILURE);
2643 		hci_conn_drop(conn);
2644 		goto unlock;
2645 	}
2646 
2647 	/* Try reading the encryption key size for encrypted ACL links */
2648 	if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
2649 		struct hci_cp_read_enc_key_size cp;
2650 		struct hci_request req;
2651 
2652 		/* Only send HCI_Read_Encryption_Key_Size if the
2653 		 * controller really supports it. If it doesn't, assume
2654 		 * the default size (16).
2655 		 */
2656 		if (!(hdev->commands[20] & 0x10)) {
2657 			conn->enc_key_size = HCI_LINK_KEY_SIZE;
2658 			goto notify;
2659 		}
2660 
2661 		hci_req_init(&req, hdev);
2662 
2663 		cp.handle = cpu_to_le16(conn->handle);
2664 		hci_req_add(&req, HCI_OP_READ_ENC_KEY_SIZE, sizeof(cp), &cp);
2665 
2666 		if (hci_req_run_skb(&req, read_enc_key_size_complete)) {
2667 			BT_ERR("Sending HCI Read Encryption Key Size failed");
2668 			conn->enc_key_size = HCI_LINK_KEY_SIZE;
2669 			goto notify;
2670 		}
2671 
2672 		goto unlock;
2673 	}
2674 
2675 notify:
2676 	if (conn->state == BT_CONFIG) {
2677 		if (!ev->status)
2678 			conn->state = BT_CONNECTED;
2679 
2680 		hci_connect_cfm(conn, ev->status);
2681 		hci_conn_drop(conn);
2682 	} else
2683 		hci_encrypt_cfm(conn, ev->status, ev->encrypt);
2684 
2685 unlock:
2686 	hci_dev_unlock(hdev);
2687 }
2688 
2689 static void hci_change_link_key_complete_evt(struct hci_dev *hdev,
2690 					     struct sk_buff *skb)
2691 {
2692 	struct hci_ev_change_link_key_complete *ev = (void *) skb->data;
2693 	struct hci_conn *conn;
2694 
2695 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2696 
2697 	hci_dev_lock(hdev);
2698 
2699 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2700 	if (conn) {
2701 		if (!ev->status)
2702 			set_bit(HCI_CONN_SECURE, &conn->flags);
2703 
2704 		clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2705 
2706 		hci_key_change_cfm(conn, ev->status);
2707 	}
2708 
2709 	hci_dev_unlock(hdev);
2710 }
2711 
2712 static void hci_remote_features_evt(struct hci_dev *hdev,
2713 				    struct sk_buff *skb)
2714 {
2715 	struct hci_ev_remote_features *ev = (void *) skb->data;
2716 	struct hci_conn *conn;
2717 
2718 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2719 
2720 	hci_dev_lock(hdev);
2721 
2722 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2723 	if (!conn)
2724 		goto unlock;
2725 
2726 	if (!ev->status)
2727 		memcpy(conn->features[0], ev->features, 8);
2728 
2729 	if (conn->state != BT_CONFIG)
2730 		goto unlock;
2731 
2732 	if (!ev->status && lmp_ext_feat_capable(hdev) &&
2733 	    lmp_ext_feat_capable(conn)) {
2734 		struct hci_cp_read_remote_ext_features cp;
2735 		cp.handle = ev->handle;
2736 		cp.page = 0x01;
2737 		hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
2738 			     sizeof(cp), &cp);
2739 		goto unlock;
2740 	}
2741 
2742 	if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
2743 		struct hci_cp_remote_name_req cp;
2744 		memset(&cp, 0, sizeof(cp));
2745 		bacpy(&cp.bdaddr, &conn->dst);
2746 		cp.pscan_rep_mode = 0x02;
2747 		hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2748 	} else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2749 		mgmt_device_connected(hdev, conn, 0, NULL, 0);
2750 
2751 	if (!hci_outgoing_auth_needed(hdev, conn)) {
2752 		conn->state = BT_CONNECTED;
2753 		hci_connect_cfm(conn, ev->status);
2754 		hci_conn_drop(conn);
2755 	}
2756 
2757 unlock:
2758 	hci_dev_unlock(hdev);
2759 }
2760 
2761 static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb,
2762 				 u16 *opcode, u8 *status,
2763 				 hci_req_complete_t *req_complete,
2764 				 hci_req_complete_skb_t *req_complete_skb)
2765 {
2766 	struct hci_ev_cmd_complete *ev = (void *) skb->data;
2767 
2768 	*opcode = __le16_to_cpu(ev->opcode);
2769 	*status = skb->data[sizeof(*ev)];
2770 
2771 	skb_pull(skb, sizeof(*ev));
2772 
2773 	switch (*opcode) {
2774 	case HCI_OP_INQUIRY_CANCEL:
2775 		hci_cc_inquiry_cancel(hdev, skb);
2776 		break;
2777 
2778 	case HCI_OP_PERIODIC_INQ:
2779 		hci_cc_periodic_inq(hdev, skb);
2780 		break;
2781 
2782 	case HCI_OP_EXIT_PERIODIC_INQ:
2783 		hci_cc_exit_periodic_inq(hdev, skb);
2784 		break;
2785 
2786 	case HCI_OP_REMOTE_NAME_REQ_CANCEL:
2787 		hci_cc_remote_name_req_cancel(hdev, skb);
2788 		break;
2789 
2790 	case HCI_OP_ROLE_DISCOVERY:
2791 		hci_cc_role_discovery(hdev, skb);
2792 		break;
2793 
2794 	case HCI_OP_READ_LINK_POLICY:
2795 		hci_cc_read_link_policy(hdev, skb);
2796 		break;
2797 
2798 	case HCI_OP_WRITE_LINK_POLICY:
2799 		hci_cc_write_link_policy(hdev, skb);
2800 		break;
2801 
2802 	case HCI_OP_READ_DEF_LINK_POLICY:
2803 		hci_cc_read_def_link_policy(hdev, skb);
2804 		break;
2805 
2806 	case HCI_OP_WRITE_DEF_LINK_POLICY:
2807 		hci_cc_write_def_link_policy(hdev, skb);
2808 		break;
2809 
2810 	case HCI_OP_RESET:
2811 		hci_cc_reset(hdev, skb);
2812 		break;
2813 
2814 	case HCI_OP_READ_STORED_LINK_KEY:
2815 		hci_cc_read_stored_link_key(hdev, skb);
2816 		break;
2817 
2818 	case HCI_OP_DELETE_STORED_LINK_KEY:
2819 		hci_cc_delete_stored_link_key(hdev, skb);
2820 		break;
2821 
2822 	case HCI_OP_WRITE_LOCAL_NAME:
2823 		hci_cc_write_local_name(hdev, skb);
2824 		break;
2825 
2826 	case HCI_OP_READ_LOCAL_NAME:
2827 		hci_cc_read_local_name(hdev, skb);
2828 		break;
2829 
2830 	case HCI_OP_WRITE_AUTH_ENABLE:
2831 		hci_cc_write_auth_enable(hdev, skb);
2832 		break;
2833 
2834 	case HCI_OP_WRITE_ENCRYPT_MODE:
2835 		hci_cc_write_encrypt_mode(hdev, skb);
2836 		break;
2837 
2838 	case HCI_OP_WRITE_SCAN_ENABLE:
2839 		hci_cc_write_scan_enable(hdev, skb);
2840 		break;
2841 
2842 	case HCI_OP_READ_CLASS_OF_DEV:
2843 		hci_cc_read_class_of_dev(hdev, skb);
2844 		break;
2845 
2846 	case HCI_OP_WRITE_CLASS_OF_DEV:
2847 		hci_cc_write_class_of_dev(hdev, skb);
2848 		break;
2849 
2850 	case HCI_OP_READ_VOICE_SETTING:
2851 		hci_cc_read_voice_setting(hdev, skb);
2852 		break;
2853 
2854 	case HCI_OP_WRITE_VOICE_SETTING:
2855 		hci_cc_write_voice_setting(hdev, skb);
2856 		break;
2857 
2858 	case HCI_OP_READ_NUM_SUPPORTED_IAC:
2859 		hci_cc_read_num_supported_iac(hdev, skb);
2860 		break;
2861 
2862 	case HCI_OP_WRITE_SSP_MODE:
2863 		hci_cc_write_ssp_mode(hdev, skb);
2864 		break;
2865 
2866 	case HCI_OP_WRITE_SC_SUPPORT:
2867 		hci_cc_write_sc_support(hdev, skb);
2868 		break;
2869 
2870 	case HCI_OP_READ_LOCAL_VERSION:
2871 		hci_cc_read_local_version(hdev, skb);
2872 		break;
2873 
2874 	case HCI_OP_READ_LOCAL_COMMANDS:
2875 		hci_cc_read_local_commands(hdev, skb);
2876 		break;
2877 
2878 	case HCI_OP_READ_LOCAL_FEATURES:
2879 		hci_cc_read_local_features(hdev, skb);
2880 		break;
2881 
2882 	case HCI_OP_READ_LOCAL_EXT_FEATURES:
2883 		hci_cc_read_local_ext_features(hdev, skb);
2884 		break;
2885 
2886 	case HCI_OP_READ_BUFFER_SIZE:
2887 		hci_cc_read_buffer_size(hdev, skb);
2888 		break;
2889 
2890 	case HCI_OP_READ_BD_ADDR:
2891 		hci_cc_read_bd_addr(hdev, skb);
2892 		break;
2893 
2894 	case HCI_OP_READ_PAGE_SCAN_ACTIVITY:
2895 		hci_cc_read_page_scan_activity(hdev, skb);
2896 		break;
2897 
2898 	case HCI_OP_WRITE_PAGE_SCAN_ACTIVITY:
2899 		hci_cc_write_page_scan_activity(hdev, skb);
2900 		break;
2901 
2902 	case HCI_OP_READ_PAGE_SCAN_TYPE:
2903 		hci_cc_read_page_scan_type(hdev, skb);
2904 		break;
2905 
2906 	case HCI_OP_WRITE_PAGE_SCAN_TYPE:
2907 		hci_cc_write_page_scan_type(hdev, skb);
2908 		break;
2909 
2910 	case HCI_OP_READ_DATA_BLOCK_SIZE:
2911 		hci_cc_read_data_block_size(hdev, skb);
2912 		break;
2913 
2914 	case HCI_OP_READ_FLOW_CONTROL_MODE:
2915 		hci_cc_read_flow_control_mode(hdev, skb);
2916 		break;
2917 
2918 	case HCI_OP_READ_LOCAL_AMP_INFO:
2919 		hci_cc_read_local_amp_info(hdev, skb);
2920 		break;
2921 
2922 	case HCI_OP_READ_CLOCK:
2923 		hci_cc_read_clock(hdev, skb);
2924 		break;
2925 
2926 	case HCI_OP_READ_INQ_RSP_TX_POWER:
2927 		hci_cc_read_inq_rsp_tx_power(hdev, skb);
2928 		break;
2929 
2930 	case HCI_OP_PIN_CODE_REPLY:
2931 		hci_cc_pin_code_reply(hdev, skb);
2932 		break;
2933 
2934 	case HCI_OP_PIN_CODE_NEG_REPLY:
2935 		hci_cc_pin_code_neg_reply(hdev, skb);
2936 		break;
2937 
2938 	case HCI_OP_READ_LOCAL_OOB_DATA:
2939 		hci_cc_read_local_oob_data(hdev, skb);
2940 		break;
2941 
2942 	case HCI_OP_READ_LOCAL_OOB_EXT_DATA:
2943 		hci_cc_read_local_oob_ext_data(hdev, skb);
2944 		break;
2945 
2946 	case HCI_OP_LE_READ_BUFFER_SIZE:
2947 		hci_cc_le_read_buffer_size(hdev, skb);
2948 		break;
2949 
2950 	case HCI_OP_LE_READ_LOCAL_FEATURES:
2951 		hci_cc_le_read_local_features(hdev, skb);
2952 		break;
2953 
2954 	case HCI_OP_LE_READ_ADV_TX_POWER:
2955 		hci_cc_le_read_adv_tx_power(hdev, skb);
2956 		break;
2957 
2958 	case HCI_OP_USER_CONFIRM_REPLY:
2959 		hci_cc_user_confirm_reply(hdev, skb);
2960 		break;
2961 
2962 	case HCI_OP_USER_CONFIRM_NEG_REPLY:
2963 		hci_cc_user_confirm_neg_reply(hdev, skb);
2964 		break;
2965 
2966 	case HCI_OP_USER_PASSKEY_REPLY:
2967 		hci_cc_user_passkey_reply(hdev, skb);
2968 		break;
2969 
2970 	case HCI_OP_USER_PASSKEY_NEG_REPLY:
2971 		hci_cc_user_passkey_neg_reply(hdev, skb);
2972 		break;
2973 
2974 	case HCI_OP_LE_SET_RANDOM_ADDR:
2975 		hci_cc_le_set_random_addr(hdev, skb);
2976 		break;
2977 
2978 	case HCI_OP_LE_SET_ADV_ENABLE:
2979 		hci_cc_le_set_adv_enable(hdev, skb);
2980 		break;
2981 
2982 	case HCI_OP_LE_SET_SCAN_PARAM:
2983 		hci_cc_le_set_scan_param(hdev, skb);
2984 		break;
2985 
2986 	case HCI_OP_LE_SET_SCAN_ENABLE:
2987 		hci_cc_le_set_scan_enable(hdev, skb);
2988 		break;
2989 
2990 	case HCI_OP_LE_READ_WHITE_LIST_SIZE:
2991 		hci_cc_le_read_white_list_size(hdev, skb);
2992 		break;
2993 
2994 	case HCI_OP_LE_CLEAR_WHITE_LIST:
2995 		hci_cc_le_clear_white_list(hdev, skb);
2996 		break;
2997 
2998 	case HCI_OP_LE_ADD_TO_WHITE_LIST:
2999 		hci_cc_le_add_to_white_list(hdev, skb);
3000 		break;
3001 
3002 	case HCI_OP_LE_DEL_FROM_WHITE_LIST:
3003 		hci_cc_le_del_from_white_list(hdev, skb);
3004 		break;
3005 
3006 	case HCI_OP_LE_READ_SUPPORTED_STATES:
3007 		hci_cc_le_read_supported_states(hdev, skb);
3008 		break;
3009 
3010 	case HCI_OP_LE_READ_DEF_DATA_LEN:
3011 		hci_cc_le_read_def_data_len(hdev, skb);
3012 		break;
3013 
3014 	case HCI_OP_LE_WRITE_DEF_DATA_LEN:
3015 		hci_cc_le_write_def_data_len(hdev, skb);
3016 		break;
3017 
3018 	case HCI_OP_LE_READ_MAX_DATA_LEN:
3019 		hci_cc_le_read_max_data_len(hdev, skb);
3020 		break;
3021 
3022 	case HCI_OP_WRITE_LE_HOST_SUPPORTED:
3023 		hci_cc_write_le_host_supported(hdev, skb);
3024 		break;
3025 
3026 	case HCI_OP_LE_SET_ADV_PARAM:
3027 		hci_cc_set_adv_param(hdev, skb);
3028 		break;
3029 
3030 	case HCI_OP_READ_RSSI:
3031 		hci_cc_read_rssi(hdev, skb);
3032 		break;
3033 
3034 	case HCI_OP_READ_TX_POWER:
3035 		hci_cc_read_tx_power(hdev, skb);
3036 		break;
3037 
3038 	case HCI_OP_WRITE_SSP_DEBUG_MODE:
3039 		hci_cc_write_ssp_debug_mode(hdev, skb);
3040 		break;
3041 
3042 	default:
3043 		BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3044 		break;
3045 	}
3046 
3047 	if (*opcode != HCI_OP_NOP)
3048 		cancel_delayed_work(&hdev->cmd_timer);
3049 
3050 	if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3051 		atomic_set(&hdev->cmd_cnt, 1);
3052 
3053 	hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
3054 			     req_complete_skb);
3055 
3056 	if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3057 		queue_work(hdev->workqueue, &hdev->cmd_work);
3058 }
3059 
3060 static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb,
3061 			       u16 *opcode, u8 *status,
3062 			       hci_req_complete_t *req_complete,
3063 			       hci_req_complete_skb_t *req_complete_skb)
3064 {
3065 	struct hci_ev_cmd_status *ev = (void *) skb->data;
3066 
3067 	skb_pull(skb, sizeof(*ev));
3068 
3069 	*opcode = __le16_to_cpu(ev->opcode);
3070 	*status = ev->status;
3071 
3072 	switch (*opcode) {
3073 	case HCI_OP_INQUIRY:
3074 		hci_cs_inquiry(hdev, ev->status);
3075 		break;
3076 
3077 	case HCI_OP_CREATE_CONN:
3078 		hci_cs_create_conn(hdev, ev->status);
3079 		break;
3080 
3081 	case HCI_OP_DISCONNECT:
3082 		hci_cs_disconnect(hdev, ev->status);
3083 		break;
3084 
3085 	case HCI_OP_ADD_SCO:
3086 		hci_cs_add_sco(hdev, ev->status);
3087 		break;
3088 
3089 	case HCI_OP_AUTH_REQUESTED:
3090 		hci_cs_auth_requested(hdev, ev->status);
3091 		break;
3092 
3093 	case HCI_OP_SET_CONN_ENCRYPT:
3094 		hci_cs_set_conn_encrypt(hdev, ev->status);
3095 		break;
3096 
3097 	case HCI_OP_REMOTE_NAME_REQ:
3098 		hci_cs_remote_name_req(hdev, ev->status);
3099 		break;
3100 
3101 	case HCI_OP_READ_REMOTE_FEATURES:
3102 		hci_cs_read_remote_features(hdev, ev->status);
3103 		break;
3104 
3105 	case HCI_OP_READ_REMOTE_EXT_FEATURES:
3106 		hci_cs_read_remote_ext_features(hdev, ev->status);
3107 		break;
3108 
3109 	case HCI_OP_SETUP_SYNC_CONN:
3110 		hci_cs_setup_sync_conn(hdev, ev->status);
3111 		break;
3112 
3113 	case HCI_OP_SNIFF_MODE:
3114 		hci_cs_sniff_mode(hdev, ev->status);
3115 		break;
3116 
3117 	case HCI_OP_EXIT_SNIFF_MODE:
3118 		hci_cs_exit_sniff_mode(hdev, ev->status);
3119 		break;
3120 
3121 	case HCI_OP_SWITCH_ROLE:
3122 		hci_cs_switch_role(hdev, ev->status);
3123 		break;
3124 
3125 	case HCI_OP_LE_CREATE_CONN:
3126 		hci_cs_le_create_conn(hdev, ev->status);
3127 		break;
3128 
3129 	case HCI_OP_LE_READ_REMOTE_FEATURES:
3130 		hci_cs_le_read_remote_features(hdev, ev->status);
3131 		break;
3132 
3133 	case HCI_OP_LE_START_ENC:
3134 		hci_cs_le_start_enc(hdev, ev->status);
3135 		break;
3136 
3137 	default:
3138 		BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3139 		break;
3140 	}
3141 
3142 	if (*opcode != HCI_OP_NOP)
3143 		cancel_delayed_work(&hdev->cmd_timer);
3144 
3145 	if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3146 		atomic_set(&hdev->cmd_cnt, 1);
3147 
3148 	/* Indicate request completion if the command failed. Also, if
3149 	 * we're not waiting for a special event and we get a success
3150 	 * command status we should try to flag the request as completed
3151 	 * (since for this kind of commands there will not be a command
3152 	 * complete event).
3153 	 */
3154 	if (ev->status ||
3155 	    (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->hci.req_event))
3156 		hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
3157 				     req_complete_skb);
3158 
3159 	if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3160 		queue_work(hdev->workqueue, &hdev->cmd_work);
3161 }
3162 
3163 static void hci_hardware_error_evt(struct hci_dev *hdev, struct sk_buff *skb)
3164 {
3165 	struct hci_ev_hardware_error *ev = (void *) skb->data;
3166 
3167 	hdev->hw_error_code = ev->code;
3168 
3169 	queue_work(hdev->req_workqueue, &hdev->error_reset);
3170 }
3171 
3172 static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3173 {
3174 	struct hci_ev_role_change *ev = (void *) skb->data;
3175 	struct hci_conn *conn;
3176 
3177 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3178 
3179 	hci_dev_lock(hdev);
3180 
3181 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3182 	if (conn) {
3183 		if (!ev->status)
3184 			conn->role = ev->role;
3185 
3186 		clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
3187 
3188 		hci_role_switch_cfm(conn, ev->status, ev->role);
3189 	}
3190 
3191 	hci_dev_unlock(hdev);
3192 }
3193 
3194 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb)
3195 {
3196 	struct hci_ev_num_comp_pkts *ev = (void *) skb->data;
3197 	int i;
3198 
3199 	if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
3200 		BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode);
3201 		return;
3202 	}
3203 
3204 	if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
3205 	    ev->num_hndl * sizeof(struct hci_comp_pkts_info)) {
3206 		BT_DBG("%s bad parameters", hdev->name);
3207 		return;
3208 	}
3209 
3210 	BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl);
3211 
3212 	for (i = 0; i < ev->num_hndl; i++) {
3213 		struct hci_comp_pkts_info *info = &ev->handles[i];
3214 		struct hci_conn *conn;
3215 		__u16  handle, count;
3216 
3217 		handle = __le16_to_cpu(info->handle);
3218 		count  = __le16_to_cpu(info->count);
3219 
3220 		conn = hci_conn_hash_lookup_handle(hdev, handle);
3221 		if (!conn)
3222 			continue;
3223 
3224 		conn->sent -= count;
3225 
3226 		switch (conn->type) {
3227 		case ACL_LINK:
3228 			hdev->acl_cnt += count;
3229 			if (hdev->acl_cnt > hdev->acl_pkts)
3230 				hdev->acl_cnt = hdev->acl_pkts;
3231 			break;
3232 
3233 		case LE_LINK:
3234 			if (hdev->le_pkts) {
3235 				hdev->le_cnt += count;
3236 				if (hdev->le_cnt > hdev->le_pkts)
3237 					hdev->le_cnt = hdev->le_pkts;
3238 			} else {
3239 				hdev->acl_cnt += count;
3240 				if (hdev->acl_cnt > hdev->acl_pkts)
3241 					hdev->acl_cnt = hdev->acl_pkts;
3242 			}
3243 			break;
3244 
3245 		case SCO_LINK:
3246 			hdev->sco_cnt += count;
3247 			if (hdev->sco_cnt > hdev->sco_pkts)
3248 				hdev->sco_cnt = hdev->sco_pkts;
3249 			break;
3250 
3251 		default:
3252 			BT_ERR("Unknown type %d conn %p", conn->type, conn);
3253 			break;
3254 		}
3255 	}
3256 
3257 	queue_work(hdev->workqueue, &hdev->tx_work);
3258 }
3259 
3260 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
3261 						 __u16 handle)
3262 {
3263 	struct hci_chan *chan;
3264 
3265 	switch (hdev->dev_type) {
3266 	case HCI_PRIMARY:
3267 		return hci_conn_hash_lookup_handle(hdev, handle);
3268 	case HCI_AMP:
3269 		chan = hci_chan_lookup_handle(hdev, handle);
3270 		if (chan)
3271 			return chan->conn;
3272 		break;
3273 	default:
3274 		BT_ERR("%s unknown dev_type %d", hdev->name, hdev->dev_type);
3275 		break;
3276 	}
3277 
3278 	return NULL;
3279 }
3280 
3281 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb)
3282 {
3283 	struct hci_ev_num_comp_blocks *ev = (void *) skb->data;
3284 	int i;
3285 
3286 	if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
3287 		BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode);
3288 		return;
3289 	}
3290 
3291 	if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
3292 	    ev->num_hndl * sizeof(struct hci_comp_blocks_info)) {
3293 		BT_DBG("%s bad parameters", hdev->name);
3294 		return;
3295 	}
3296 
3297 	BT_DBG("%s num_blocks %d num_hndl %d", hdev->name, ev->num_blocks,
3298 	       ev->num_hndl);
3299 
3300 	for (i = 0; i < ev->num_hndl; i++) {
3301 		struct hci_comp_blocks_info *info = &ev->handles[i];
3302 		struct hci_conn *conn = NULL;
3303 		__u16  handle, block_count;
3304 
3305 		handle = __le16_to_cpu(info->handle);
3306 		block_count = __le16_to_cpu(info->blocks);
3307 
3308 		conn = __hci_conn_lookup_handle(hdev, handle);
3309 		if (!conn)
3310 			continue;
3311 
3312 		conn->sent -= block_count;
3313 
3314 		switch (conn->type) {
3315 		case ACL_LINK:
3316 		case AMP_LINK:
3317 			hdev->block_cnt += block_count;
3318 			if (hdev->block_cnt > hdev->num_blocks)
3319 				hdev->block_cnt = hdev->num_blocks;
3320 			break;
3321 
3322 		default:
3323 			BT_ERR("Unknown type %d conn %p", conn->type, conn);
3324 			break;
3325 		}
3326 	}
3327 
3328 	queue_work(hdev->workqueue, &hdev->tx_work);
3329 }
3330 
3331 static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3332 {
3333 	struct hci_ev_mode_change *ev = (void *) skb->data;
3334 	struct hci_conn *conn;
3335 
3336 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3337 
3338 	hci_dev_lock(hdev);
3339 
3340 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3341 	if (conn) {
3342 		conn->mode = ev->mode;
3343 
3344 		if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
3345 					&conn->flags)) {
3346 			if (conn->mode == HCI_CM_ACTIVE)
3347 				set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3348 			else
3349 				clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3350 		}
3351 
3352 		if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
3353 			hci_sco_setup(conn, ev->status);
3354 	}
3355 
3356 	hci_dev_unlock(hdev);
3357 }
3358 
3359 static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3360 {
3361 	struct hci_ev_pin_code_req *ev = (void *) skb->data;
3362 	struct hci_conn *conn;
3363 
3364 	BT_DBG("%s", hdev->name);
3365 
3366 	hci_dev_lock(hdev);
3367 
3368 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3369 	if (!conn)
3370 		goto unlock;
3371 
3372 	if (conn->state == BT_CONNECTED) {
3373 		hci_conn_hold(conn);
3374 		conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3375 		hci_conn_drop(conn);
3376 	}
3377 
3378 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
3379 	    !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
3380 		hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
3381 			     sizeof(ev->bdaddr), &ev->bdaddr);
3382 	} else if (hci_dev_test_flag(hdev, HCI_MGMT)) {
3383 		u8 secure;
3384 
3385 		if (conn->pending_sec_level == BT_SECURITY_HIGH)
3386 			secure = 1;
3387 		else
3388 			secure = 0;
3389 
3390 		mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
3391 	}
3392 
3393 unlock:
3394 	hci_dev_unlock(hdev);
3395 }
3396 
3397 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
3398 {
3399 	if (key_type == HCI_LK_CHANGED_COMBINATION)
3400 		return;
3401 
3402 	conn->pin_length = pin_len;
3403 	conn->key_type = key_type;
3404 
3405 	switch (key_type) {
3406 	case HCI_LK_LOCAL_UNIT:
3407 	case HCI_LK_REMOTE_UNIT:
3408 	case HCI_LK_DEBUG_COMBINATION:
3409 		return;
3410 	case HCI_LK_COMBINATION:
3411 		if (pin_len == 16)
3412 			conn->pending_sec_level = BT_SECURITY_HIGH;
3413 		else
3414 			conn->pending_sec_level = BT_SECURITY_MEDIUM;
3415 		break;
3416 	case HCI_LK_UNAUTH_COMBINATION_P192:
3417 	case HCI_LK_UNAUTH_COMBINATION_P256:
3418 		conn->pending_sec_level = BT_SECURITY_MEDIUM;
3419 		break;
3420 	case HCI_LK_AUTH_COMBINATION_P192:
3421 		conn->pending_sec_level = BT_SECURITY_HIGH;
3422 		break;
3423 	case HCI_LK_AUTH_COMBINATION_P256:
3424 		conn->pending_sec_level = BT_SECURITY_FIPS;
3425 		break;
3426 	}
3427 }
3428 
3429 static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3430 {
3431 	struct hci_ev_link_key_req *ev = (void *) skb->data;
3432 	struct hci_cp_link_key_reply cp;
3433 	struct hci_conn *conn;
3434 	struct link_key *key;
3435 
3436 	BT_DBG("%s", hdev->name);
3437 
3438 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
3439 		return;
3440 
3441 	hci_dev_lock(hdev);
3442 
3443 	key = hci_find_link_key(hdev, &ev->bdaddr);
3444 	if (!key) {
3445 		BT_DBG("%s link key not found for %pMR", hdev->name,
3446 		       &ev->bdaddr);
3447 		goto not_found;
3448 	}
3449 
3450 	BT_DBG("%s found key type %u for %pMR", hdev->name, key->type,
3451 	       &ev->bdaddr);
3452 
3453 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3454 	if (conn) {
3455 		clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3456 
3457 		if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
3458 		     key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
3459 		    conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
3460 			BT_DBG("%s ignoring unauthenticated key", hdev->name);
3461 			goto not_found;
3462 		}
3463 
3464 		if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
3465 		    (conn->pending_sec_level == BT_SECURITY_HIGH ||
3466 		     conn->pending_sec_level == BT_SECURITY_FIPS)) {
3467 			BT_DBG("%s ignoring key unauthenticated for high security",
3468 			       hdev->name);
3469 			goto not_found;
3470 		}
3471 
3472 		conn_set_key(conn, key->type, key->pin_len);
3473 	}
3474 
3475 	bacpy(&cp.bdaddr, &ev->bdaddr);
3476 	memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
3477 
3478 	hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
3479 
3480 	hci_dev_unlock(hdev);
3481 
3482 	return;
3483 
3484 not_found:
3485 	hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
3486 	hci_dev_unlock(hdev);
3487 }
3488 
3489 static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
3490 {
3491 	struct hci_ev_link_key_notify *ev = (void *) skb->data;
3492 	struct hci_conn *conn;
3493 	struct link_key *key;
3494 	bool persistent;
3495 	u8 pin_len = 0;
3496 
3497 	BT_DBG("%s", hdev->name);
3498 
3499 	hci_dev_lock(hdev);
3500 
3501 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3502 	if (!conn)
3503 		goto unlock;
3504 
3505 	hci_conn_hold(conn);
3506 	conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3507 	hci_conn_drop(conn);
3508 
3509 	set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3510 	conn_set_key(conn, ev->key_type, conn->pin_length);
3511 
3512 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
3513 		goto unlock;
3514 
3515 	key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
3516 			        ev->key_type, pin_len, &persistent);
3517 	if (!key)
3518 		goto unlock;
3519 
3520 	/* Update connection information since adding the key will have
3521 	 * fixed up the type in the case of changed combination keys.
3522 	 */
3523 	if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
3524 		conn_set_key(conn, key->type, key->pin_len);
3525 
3526 	mgmt_new_link_key(hdev, key, persistent);
3527 
3528 	/* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
3529 	 * is set. If it's not set simply remove the key from the kernel
3530 	 * list (we've still notified user space about it but with
3531 	 * store_hint being 0).
3532 	 */
3533 	if (key->type == HCI_LK_DEBUG_COMBINATION &&
3534 	    !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {
3535 		list_del_rcu(&key->list);
3536 		kfree_rcu(key, rcu);
3537 		goto unlock;
3538 	}
3539 
3540 	if (persistent)
3541 		clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3542 	else
3543 		set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3544 
3545 unlock:
3546 	hci_dev_unlock(hdev);
3547 }
3548 
3549 static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb)
3550 {
3551 	struct hci_ev_clock_offset *ev = (void *) skb->data;
3552 	struct hci_conn *conn;
3553 
3554 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3555 
3556 	hci_dev_lock(hdev);
3557 
3558 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3559 	if (conn && !ev->status) {
3560 		struct inquiry_entry *ie;
3561 
3562 		ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
3563 		if (ie) {
3564 			ie->data.clock_offset = ev->clock_offset;
3565 			ie->timestamp = jiffies;
3566 		}
3567 	}
3568 
3569 	hci_dev_unlock(hdev);
3570 }
3571 
3572 static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3573 {
3574 	struct hci_ev_pkt_type_change *ev = (void *) skb->data;
3575 	struct hci_conn *conn;
3576 
3577 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3578 
3579 	hci_dev_lock(hdev);
3580 
3581 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3582 	if (conn && !ev->status)
3583 		conn->pkt_type = __le16_to_cpu(ev->pkt_type);
3584 
3585 	hci_dev_unlock(hdev);
3586 }
3587 
3588 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb)
3589 {
3590 	struct hci_ev_pscan_rep_mode *ev = (void *) skb->data;
3591 	struct inquiry_entry *ie;
3592 
3593 	BT_DBG("%s", hdev->name);
3594 
3595 	hci_dev_lock(hdev);
3596 
3597 	ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3598 	if (ie) {
3599 		ie->data.pscan_rep_mode = ev->pscan_rep_mode;
3600 		ie->timestamp = jiffies;
3601 	}
3602 
3603 	hci_dev_unlock(hdev);
3604 }
3605 
3606 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev,
3607 					     struct sk_buff *skb)
3608 {
3609 	struct inquiry_data data;
3610 	int num_rsp = *((__u8 *) skb->data);
3611 
3612 	BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
3613 
3614 	if (!num_rsp)
3615 		return;
3616 
3617 	if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3618 		return;
3619 
3620 	hci_dev_lock(hdev);
3621 
3622 	if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
3623 		struct inquiry_info_with_rssi_and_pscan_mode *info;
3624 		info = (void *) (skb->data + 1);
3625 
3626 		for (; num_rsp; num_rsp--, info++) {
3627 			u32 flags;
3628 
3629 			bacpy(&data.bdaddr, &info->bdaddr);
3630 			data.pscan_rep_mode	= info->pscan_rep_mode;
3631 			data.pscan_period_mode	= info->pscan_period_mode;
3632 			data.pscan_mode		= info->pscan_mode;
3633 			memcpy(data.dev_class, info->dev_class, 3);
3634 			data.clock_offset	= info->clock_offset;
3635 			data.rssi		= info->rssi;
3636 			data.ssp_mode		= 0x00;
3637 
3638 			flags = hci_inquiry_cache_update(hdev, &data, false);
3639 
3640 			mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3641 					  info->dev_class, info->rssi,
3642 					  flags, NULL, 0, NULL, 0);
3643 		}
3644 	} else {
3645 		struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
3646 
3647 		for (; num_rsp; num_rsp--, info++) {
3648 			u32 flags;
3649 
3650 			bacpy(&data.bdaddr, &info->bdaddr);
3651 			data.pscan_rep_mode	= info->pscan_rep_mode;
3652 			data.pscan_period_mode	= info->pscan_period_mode;
3653 			data.pscan_mode		= 0x00;
3654 			memcpy(data.dev_class, info->dev_class, 3);
3655 			data.clock_offset	= info->clock_offset;
3656 			data.rssi		= info->rssi;
3657 			data.ssp_mode		= 0x00;
3658 
3659 			flags = hci_inquiry_cache_update(hdev, &data, false);
3660 
3661 			mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3662 					  info->dev_class, info->rssi,
3663 					  flags, NULL, 0, NULL, 0);
3664 		}
3665 	}
3666 
3667 	hci_dev_unlock(hdev);
3668 }
3669 
3670 static void hci_remote_ext_features_evt(struct hci_dev *hdev,
3671 					struct sk_buff *skb)
3672 {
3673 	struct hci_ev_remote_ext_features *ev = (void *) skb->data;
3674 	struct hci_conn *conn;
3675 
3676 	BT_DBG("%s", hdev->name);
3677 
3678 	hci_dev_lock(hdev);
3679 
3680 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3681 	if (!conn)
3682 		goto unlock;
3683 
3684 	if (ev->page < HCI_MAX_PAGES)
3685 		memcpy(conn->features[ev->page], ev->features, 8);
3686 
3687 	if (!ev->status && ev->page == 0x01) {
3688 		struct inquiry_entry *ie;
3689 
3690 		ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
3691 		if (ie)
3692 			ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
3693 
3694 		if (ev->features[0] & LMP_HOST_SSP) {
3695 			set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
3696 		} else {
3697 			/* It is mandatory by the Bluetooth specification that
3698 			 * Extended Inquiry Results are only used when Secure
3699 			 * Simple Pairing is enabled, but some devices violate
3700 			 * this.
3701 			 *
3702 			 * To make these devices work, the internal SSP
3703 			 * enabled flag needs to be cleared if the remote host
3704 			 * features do not indicate SSP support */
3705 			clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
3706 		}
3707 
3708 		if (ev->features[0] & LMP_HOST_SC)
3709 			set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
3710 	}
3711 
3712 	if (conn->state != BT_CONFIG)
3713 		goto unlock;
3714 
3715 	if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3716 		struct hci_cp_remote_name_req cp;
3717 		memset(&cp, 0, sizeof(cp));
3718 		bacpy(&cp.bdaddr, &conn->dst);
3719 		cp.pscan_rep_mode = 0x02;
3720 		hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3721 	} else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3722 		mgmt_device_connected(hdev, conn, 0, NULL, 0);
3723 
3724 	if (!hci_outgoing_auth_needed(hdev, conn)) {
3725 		conn->state = BT_CONNECTED;
3726 		hci_connect_cfm(conn, ev->status);
3727 		hci_conn_drop(conn);
3728 	}
3729 
3730 unlock:
3731 	hci_dev_unlock(hdev);
3732 }
3733 
3734 static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
3735 				       struct sk_buff *skb)
3736 {
3737 	struct hci_ev_sync_conn_complete *ev = (void *) skb->data;
3738 	struct hci_conn *conn;
3739 
3740 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3741 
3742 	hci_dev_lock(hdev);
3743 
3744 	conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
3745 	if (!conn) {
3746 		if (ev->link_type == ESCO_LINK)
3747 			goto unlock;
3748 
3749 		/* When the link type in the event indicates SCO connection
3750 		 * and lookup of the connection object fails, then check
3751 		 * if an eSCO connection object exists.
3752 		 *
3753 		 * The core limits the synchronous connections to either
3754 		 * SCO or eSCO. The eSCO connection is preferred and tried
3755 		 * to be setup first and until successfully established,
3756 		 * the link type will be hinted as eSCO.
3757 		 */
3758 		conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
3759 		if (!conn)
3760 			goto unlock;
3761 	}
3762 
3763 	switch (ev->status) {
3764 	case 0x00:
3765 		conn->handle = __le16_to_cpu(ev->handle);
3766 		conn->state  = BT_CONNECTED;
3767 		conn->type   = ev->link_type;
3768 
3769 		hci_debugfs_create_conn(conn);
3770 		hci_conn_add_sysfs(conn);
3771 		break;
3772 
3773 	case 0x10:	/* Connection Accept Timeout */
3774 	case 0x0d:	/* Connection Rejected due to Limited Resources */
3775 	case 0x11:	/* Unsupported Feature or Parameter Value */
3776 	case 0x1c:	/* SCO interval rejected */
3777 	case 0x1a:	/* Unsupported Remote Feature */
3778 	case 0x1f:	/* Unspecified error */
3779 	case 0x20:	/* Unsupported LMP Parameter value */
3780 		if (conn->out) {
3781 			conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
3782 					(hdev->esco_type & EDR_ESCO_MASK);
3783 			if (hci_setup_sync(conn, conn->link->handle))
3784 				goto unlock;
3785 		}
3786 		/* fall through */
3787 
3788 	default:
3789 		conn->state = BT_CLOSED;
3790 		break;
3791 	}
3792 
3793 	hci_connect_cfm(conn, ev->status);
3794 	if (ev->status)
3795 		hci_conn_del(conn);
3796 
3797 unlock:
3798 	hci_dev_unlock(hdev);
3799 }
3800 
3801 static inline size_t eir_get_length(u8 *eir, size_t eir_len)
3802 {
3803 	size_t parsed = 0;
3804 
3805 	while (parsed < eir_len) {
3806 		u8 field_len = eir[0];
3807 
3808 		if (field_len == 0)
3809 			return parsed;
3810 
3811 		parsed += field_len + 1;
3812 		eir += field_len + 1;
3813 	}
3814 
3815 	return eir_len;
3816 }
3817 
3818 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev,
3819 					    struct sk_buff *skb)
3820 {
3821 	struct inquiry_data data;
3822 	struct extended_inquiry_info *info = (void *) (skb->data + 1);
3823 	int num_rsp = *((__u8 *) skb->data);
3824 	size_t eir_len;
3825 
3826 	BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
3827 
3828 	if (!num_rsp)
3829 		return;
3830 
3831 	if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3832 		return;
3833 
3834 	hci_dev_lock(hdev);
3835 
3836 	for (; num_rsp; num_rsp--, info++) {
3837 		u32 flags;
3838 		bool name_known;
3839 
3840 		bacpy(&data.bdaddr, &info->bdaddr);
3841 		data.pscan_rep_mode	= info->pscan_rep_mode;
3842 		data.pscan_period_mode	= info->pscan_period_mode;
3843 		data.pscan_mode		= 0x00;
3844 		memcpy(data.dev_class, info->dev_class, 3);
3845 		data.clock_offset	= info->clock_offset;
3846 		data.rssi		= info->rssi;
3847 		data.ssp_mode		= 0x01;
3848 
3849 		if (hci_dev_test_flag(hdev, HCI_MGMT))
3850 			name_known = eir_get_data(info->data,
3851 						  sizeof(info->data),
3852 						  EIR_NAME_COMPLETE, NULL);
3853 		else
3854 			name_known = true;
3855 
3856 		flags = hci_inquiry_cache_update(hdev, &data, name_known);
3857 
3858 		eir_len = eir_get_length(info->data, sizeof(info->data));
3859 
3860 		mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3861 				  info->dev_class, info->rssi,
3862 				  flags, info->data, eir_len, NULL, 0);
3863 	}
3864 
3865 	hci_dev_unlock(hdev);
3866 }
3867 
3868 static void hci_key_refresh_complete_evt(struct hci_dev *hdev,
3869 					 struct sk_buff *skb)
3870 {
3871 	struct hci_ev_key_refresh_complete *ev = (void *) skb->data;
3872 	struct hci_conn *conn;
3873 
3874 	BT_DBG("%s status 0x%2.2x handle 0x%4.4x", hdev->name, ev->status,
3875 	       __le16_to_cpu(ev->handle));
3876 
3877 	hci_dev_lock(hdev);
3878 
3879 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3880 	if (!conn)
3881 		goto unlock;
3882 
3883 	/* For BR/EDR the necessary steps are taken through the
3884 	 * auth_complete event.
3885 	 */
3886 	if (conn->type != LE_LINK)
3887 		goto unlock;
3888 
3889 	if (!ev->status)
3890 		conn->sec_level = conn->pending_sec_level;
3891 
3892 	clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3893 
3894 	if (ev->status && conn->state == BT_CONNECTED) {
3895 		hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3896 		hci_conn_drop(conn);
3897 		goto unlock;
3898 	}
3899 
3900 	if (conn->state == BT_CONFIG) {
3901 		if (!ev->status)
3902 			conn->state = BT_CONNECTED;
3903 
3904 		hci_connect_cfm(conn, ev->status);
3905 		hci_conn_drop(conn);
3906 	} else {
3907 		hci_auth_cfm(conn, ev->status);
3908 
3909 		hci_conn_hold(conn);
3910 		conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3911 		hci_conn_drop(conn);
3912 	}
3913 
3914 unlock:
3915 	hci_dev_unlock(hdev);
3916 }
3917 
3918 static u8 hci_get_auth_req(struct hci_conn *conn)
3919 {
3920 	/* If remote requests no-bonding follow that lead */
3921 	if (conn->remote_auth == HCI_AT_NO_BONDING ||
3922 	    conn->remote_auth == HCI_AT_NO_BONDING_MITM)
3923 		return conn->remote_auth | (conn->auth_type & 0x01);
3924 
3925 	/* If both remote and local have enough IO capabilities, require
3926 	 * MITM protection
3927 	 */
3928 	if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
3929 	    conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
3930 		return conn->remote_auth | 0x01;
3931 
3932 	/* No MITM protection possible so ignore remote requirement */
3933 	return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
3934 }
3935 
3936 static u8 bredr_oob_data_present(struct hci_conn *conn)
3937 {
3938 	struct hci_dev *hdev = conn->hdev;
3939 	struct oob_data *data;
3940 
3941 	data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
3942 	if (!data)
3943 		return 0x00;
3944 
3945 	if (bredr_sc_enabled(hdev)) {
3946 		/* When Secure Connections is enabled, then just
3947 		 * return the present value stored with the OOB
3948 		 * data. The stored value contains the right present
3949 		 * information. However it can only be trusted when
3950 		 * not in Secure Connection Only mode.
3951 		 */
3952 		if (!hci_dev_test_flag(hdev, HCI_SC_ONLY))
3953 			return data->present;
3954 
3955 		/* When Secure Connections Only mode is enabled, then
3956 		 * the P-256 values are required. If they are not
3957 		 * available, then do not declare that OOB data is
3958 		 * present.
3959 		 */
3960 		if (!memcmp(data->rand256, ZERO_KEY, 16) ||
3961 		    !memcmp(data->hash256, ZERO_KEY, 16))
3962 			return 0x00;
3963 
3964 		return 0x02;
3965 	}
3966 
3967 	/* When Secure Connections is not enabled or actually
3968 	 * not supported by the hardware, then check that if
3969 	 * P-192 data values are present.
3970 	 */
3971 	if (!memcmp(data->rand192, ZERO_KEY, 16) ||
3972 	    !memcmp(data->hash192, ZERO_KEY, 16))
3973 		return 0x00;
3974 
3975 	return 0x01;
3976 }
3977 
3978 static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3979 {
3980 	struct hci_ev_io_capa_request *ev = (void *) skb->data;
3981 	struct hci_conn *conn;
3982 
3983 	BT_DBG("%s", hdev->name);
3984 
3985 	hci_dev_lock(hdev);
3986 
3987 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3988 	if (!conn)
3989 		goto unlock;
3990 
3991 	hci_conn_hold(conn);
3992 
3993 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
3994 		goto unlock;
3995 
3996 	/* Allow pairing if we're pairable, the initiators of the
3997 	 * pairing or if the remote is not requesting bonding.
3998 	 */
3999 	if (hci_dev_test_flag(hdev, HCI_BONDABLE) ||
4000 	    test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
4001 	    (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
4002 		struct hci_cp_io_capability_reply cp;
4003 
4004 		bacpy(&cp.bdaddr, &ev->bdaddr);
4005 		/* Change the IO capability from KeyboardDisplay
4006 		 * to DisplayYesNo as it is not supported by BT spec. */
4007 		cp.capability = (conn->io_capability == 0x04) ?
4008 				HCI_IO_DISPLAY_YESNO : conn->io_capability;
4009 
4010 		/* If we are initiators, there is no remote information yet */
4011 		if (conn->remote_auth == 0xff) {
4012 			/* Request MITM protection if our IO caps allow it
4013 			 * except for the no-bonding case.
4014 			 */
4015 			if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4016 			    conn->auth_type != HCI_AT_NO_BONDING)
4017 				conn->auth_type |= 0x01;
4018 		} else {
4019 			conn->auth_type = hci_get_auth_req(conn);
4020 		}
4021 
4022 		/* If we're not bondable, force one of the non-bondable
4023 		 * authentication requirement values.
4024 		 */
4025 		if (!hci_dev_test_flag(hdev, HCI_BONDABLE))
4026 			conn->auth_type &= HCI_AT_NO_BONDING_MITM;
4027 
4028 		cp.authentication = conn->auth_type;
4029 		cp.oob_data = bredr_oob_data_present(conn);
4030 
4031 		hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
4032 			     sizeof(cp), &cp);
4033 	} else {
4034 		struct hci_cp_io_capability_neg_reply cp;
4035 
4036 		bacpy(&cp.bdaddr, &ev->bdaddr);
4037 		cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
4038 
4039 		hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
4040 			     sizeof(cp), &cp);
4041 	}
4042 
4043 unlock:
4044 	hci_dev_unlock(hdev);
4045 }
4046 
4047 static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb)
4048 {
4049 	struct hci_ev_io_capa_reply *ev = (void *) skb->data;
4050 	struct hci_conn *conn;
4051 
4052 	BT_DBG("%s", hdev->name);
4053 
4054 	hci_dev_lock(hdev);
4055 
4056 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4057 	if (!conn)
4058 		goto unlock;
4059 
4060 	conn->remote_cap = ev->capability;
4061 	conn->remote_auth = ev->authentication;
4062 
4063 unlock:
4064 	hci_dev_unlock(hdev);
4065 }
4066 
4067 static void hci_user_confirm_request_evt(struct hci_dev *hdev,
4068 					 struct sk_buff *skb)
4069 {
4070 	struct hci_ev_user_confirm_req *ev = (void *) skb->data;
4071 	int loc_mitm, rem_mitm, confirm_hint = 0;
4072 	struct hci_conn *conn;
4073 
4074 	BT_DBG("%s", hdev->name);
4075 
4076 	hci_dev_lock(hdev);
4077 
4078 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
4079 		goto unlock;
4080 
4081 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4082 	if (!conn)
4083 		goto unlock;
4084 
4085 	loc_mitm = (conn->auth_type & 0x01);
4086 	rem_mitm = (conn->remote_auth & 0x01);
4087 
4088 	/* If we require MITM but the remote device can't provide that
4089 	 * (it has NoInputNoOutput) then reject the confirmation
4090 	 * request. We check the security level here since it doesn't
4091 	 * necessarily match conn->auth_type.
4092 	 */
4093 	if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
4094 	    conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
4095 		BT_DBG("Rejecting request: remote device can't provide MITM");
4096 		hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
4097 			     sizeof(ev->bdaddr), &ev->bdaddr);
4098 		goto unlock;
4099 	}
4100 
4101 	/* If no side requires MITM protection; auto-accept */
4102 	if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
4103 	    (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
4104 
4105 		/* If we're not the initiators request authorization to
4106 		 * proceed from user space (mgmt_user_confirm with
4107 		 * confirm_hint set to 1). The exception is if neither
4108 		 * side had MITM or if the local IO capability is
4109 		 * NoInputNoOutput, in which case we do auto-accept
4110 		 */
4111 		if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
4112 		    conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4113 		    (loc_mitm || rem_mitm)) {
4114 			BT_DBG("Confirming auto-accept as acceptor");
4115 			confirm_hint = 1;
4116 			goto confirm;
4117 		}
4118 
4119 		BT_DBG("Auto-accept of user confirmation with %ums delay",
4120 		       hdev->auto_accept_delay);
4121 
4122 		if (hdev->auto_accept_delay > 0) {
4123 			int delay = msecs_to_jiffies(hdev->auto_accept_delay);
4124 			queue_delayed_work(conn->hdev->workqueue,
4125 					   &conn->auto_accept_work, delay);
4126 			goto unlock;
4127 		}
4128 
4129 		hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
4130 			     sizeof(ev->bdaddr), &ev->bdaddr);
4131 		goto unlock;
4132 	}
4133 
4134 confirm:
4135 	mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
4136 				  le32_to_cpu(ev->passkey), confirm_hint);
4137 
4138 unlock:
4139 	hci_dev_unlock(hdev);
4140 }
4141 
4142 static void hci_user_passkey_request_evt(struct hci_dev *hdev,
4143 					 struct sk_buff *skb)
4144 {
4145 	struct hci_ev_user_passkey_req *ev = (void *) skb->data;
4146 
4147 	BT_DBG("%s", hdev->name);
4148 
4149 	if (hci_dev_test_flag(hdev, HCI_MGMT))
4150 		mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
4151 }
4152 
4153 static void hci_user_passkey_notify_evt(struct hci_dev *hdev,
4154 					struct sk_buff *skb)
4155 {
4156 	struct hci_ev_user_passkey_notify *ev = (void *) skb->data;
4157 	struct hci_conn *conn;
4158 
4159 	BT_DBG("%s", hdev->name);
4160 
4161 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4162 	if (!conn)
4163 		return;
4164 
4165 	conn->passkey_notify = __le32_to_cpu(ev->passkey);
4166 	conn->passkey_entered = 0;
4167 
4168 	if (hci_dev_test_flag(hdev, HCI_MGMT))
4169 		mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4170 					 conn->dst_type, conn->passkey_notify,
4171 					 conn->passkey_entered);
4172 }
4173 
4174 static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
4175 {
4176 	struct hci_ev_keypress_notify *ev = (void *) skb->data;
4177 	struct hci_conn *conn;
4178 
4179 	BT_DBG("%s", hdev->name);
4180 
4181 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4182 	if (!conn)
4183 		return;
4184 
4185 	switch (ev->type) {
4186 	case HCI_KEYPRESS_STARTED:
4187 		conn->passkey_entered = 0;
4188 		return;
4189 
4190 	case HCI_KEYPRESS_ENTERED:
4191 		conn->passkey_entered++;
4192 		break;
4193 
4194 	case HCI_KEYPRESS_ERASED:
4195 		conn->passkey_entered--;
4196 		break;
4197 
4198 	case HCI_KEYPRESS_CLEARED:
4199 		conn->passkey_entered = 0;
4200 		break;
4201 
4202 	case HCI_KEYPRESS_COMPLETED:
4203 		return;
4204 	}
4205 
4206 	if (hci_dev_test_flag(hdev, HCI_MGMT))
4207 		mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4208 					 conn->dst_type, conn->passkey_notify,
4209 					 conn->passkey_entered);
4210 }
4211 
4212 static void hci_simple_pair_complete_evt(struct hci_dev *hdev,
4213 					 struct sk_buff *skb)
4214 {
4215 	struct hci_ev_simple_pair_complete *ev = (void *) skb->data;
4216 	struct hci_conn *conn;
4217 
4218 	BT_DBG("%s", hdev->name);
4219 
4220 	hci_dev_lock(hdev);
4221 
4222 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4223 	if (!conn)
4224 		goto unlock;
4225 
4226 	/* Reset the authentication requirement to unknown */
4227 	conn->remote_auth = 0xff;
4228 
4229 	/* To avoid duplicate auth_failed events to user space we check
4230 	 * the HCI_CONN_AUTH_PEND flag which will be set if we
4231 	 * initiated the authentication. A traditional auth_complete
4232 	 * event gets always produced as initiator and is also mapped to
4233 	 * the mgmt_auth_failed event */
4234 	if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
4235 		mgmt_auth_failed(conn, ev->status);
4236 
4237 	hci_conn_drop(conn);
4238 
4239 unlock:
4240 	hci_dev_unlock(hdev);
4241 }
4242 
4243 static void hci_remote_host_features_evt(struct hci_dev *hdev,
4244 					 struct sk_buff *skb)
4245 {
4246 	struct hci_ev_remote_host_features *ev = (void *) skb->data;
4247 	struct inquiry_entry *ie;
4248 	struct hci_conn *conn;
4249 
4250 	BT_DBG("%s", hdev->name);
4251 
4252 	hci_dev_lock(hdev);
4253 
4254 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4255 	if (conn)
4256 		memcpy(conn->features[1], ev->features, 8);
4257 
4258 	ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4259 	if (ie)
4260 		ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4261 
4262 	hci_dev_unlock(hdev);
4263 }
4264 
4265 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
4266 					    struct sk_buff *skb)
4267 {
4268 	struct hci_ev_remote_oob_data_request *ev = (void *) skb->data;
4269 	struct oob_data *data;
4270 
4271 	BT_DBG("%s", hdev->name);
4272 
4273 	hci_dev_lock(hdev);
4274 
4275 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
4276 		goto unlock;
4277 
4278 	data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
4279 	if (!data) {
4280 		struct hci_cp_remote_oob_data_neg_reply cp;
4281 
4282 		bacpy(&cp.bdaddr, &ev->bdaddr);
4283 		hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
4284 			     sizeof(cp), &cp);
4285 		goto unlock;
4286 	}
4287 
4288 	if (bredr_sc_enabled(hdev)) {
4289 		struct hci_cp_remote_oob_ext_data_reply cp;
4290 
4291 		bacpy(&cp.bdaddr, &ev->bdaddr);
4292 		if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
4293 			memset(cp.hash192, 0, sizeof(cp.hash192));
4294 			memset(cp.rand192, 0, sizeof(cp.rand192));
4295 		} else {
4296 			memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
4297 			memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
4298 		}
4299 		memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
4300 		memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
4301 
4302 		hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
4303 			     sizeof(cp), &cp);
4304 	} else {
4305 		struct hci_cp_remote_oob_data_reply cp;
4306 
4307 		bacpy(&cp.bdaddr, &ev->bdaddr);
4308 		memcpy(cp.hash, data->hash192, sizeof(cp.hash));
4309 		memcpy(cp.rand, data->rand192, sizeof(cp.rand));
4310 
4311 		hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
4312 			     sizeof(cp), &cp);
4313 	}
4314 
4315 unlock:
4316 	hci_dev_unlock(hdev);
4317 }
4318 
4319 #if IS_ENABLED(CONFIG_BT_HS)
4320 static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb)
4321 {
4322 	struct hci_ev_channel_selected *ev = (void *)skb->data;
4323 	struct hci_conn *hcon;
4324 
4325 	BT_DBG("%s handle 0x%2.2x", hdev->name, ev->phy_handle);
4326 
4327 	skb_pull(skb, sizeof(*ev));
4328 
4329 	hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4330 	if (!hcon)
4331 		return;
4332 
4333 	amp_read_loc_assoc_final_data(hdev, hcon);
4334 }
4335 
4336 static void hci_phy_link_complete_evt(struct hci_dev *hdev,
4337 				      struct sk_buff *skb)
4338 {
4339 	struct hci_ev_phy_link_complete *ev = (void *) skb->data;
4340 	struct hci_conn *hcon, *bredr_hcon;
4341 
4342 	BT_DBG("%s handle 0x%2.2x status 0x%2.2x", hdev->name, ev->phy_handle,
4343 	       ev->status);
4344 
4345 	hci_dev_lock(hdev);
4346 
4347 	hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4348 	if (!hcon) {
4349 		hci_dev_unlock(hdev);
4350 		return;
4351 	}
4352 
4353 	if (ev->status) {
4354 		hci_conn_del(hcon);
4355 		hci_dev_unlock(hdev);
4356 		return;
4357 	}
4358 
4359 	bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
4360 
4361 	hcon->state = BT_CONNECTED;
4362 	bacpy(&hcon->dst, &bredr_hcon->dst);
4363 
4364 	hci_conn_hold(hcon);
4365 	hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
4366 	hci_conn_drop(hcon);
4367 
4368 	hci_debugfs_create_conn(hcon);
4369 	hci_conn_add_sysfs(hcon);
4370 
4371 	amp_physical_cfm(bredr_hcon, hcon);
4372 
4373 	hci_dev_unlock(hdev);
4374 }
4375 
4376 static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4377 {
4378 	struct hci_ev_logical_link_complete *ev = (void *) skb->data;
4379 	struct hci_conn *hcon;
4380 	struct hci_chan *hchan;
4381 	struct amp_mgr *mgr;
4382 
4383 	BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
4384 	       hdev->name, le16_to_cpu(ev->handle), ev->phy_handle,
4385 	       ev->status);
4386 
4387 	hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4388 	if (!hcon)
4389 		return;
4390 
4391 	/* Create AMP hchan */
4392 	hchan = hci_chan_create(hcon);
4393 	if (!hchan)
4394 		return;
4395 
4396 	hchan->handle = le16_to_cpu(ev->handle);
4397 
4398 	BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
4399 
4400 	mgr = hcon->amp_mgr;
4401 	if (mgr && mgr->bredr_chan) {
4402 		struct l2cap_chan *bredr_chan = mgr->bredr_chan;
4403 
4404 		l2cap_chan_lock(bredr_chan);
4405 
4406 		bredr_chan->conn->mtu = hdev->block_mtu;
4407 		l2cap_logical_cfm(bredr_chan, hchan, 0);
4408 		hci_conn_hold(hcon);
4409 
4410 		l2cap_chan_unlock(bredr_chan);
4411 	}
4412 }
4413 
4414 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev,
4415 					     struct sk_buff *skb)
4416 {
4417 	struct hci_ev_disconn_logical_link_complete *ev = (void *) skb->data;
4418 	struct hci_chan *hchan;
4419 
4420 	BT_DBG("%s log handle 0x%4.4x status 0x%2.2x", hdev->name,
4421 	       le16_to_cpu(ev->handle), ev->status);
4422 
4423 	if (ev->status)
4424 		return;
4425 
4426 	hci_dev_lock(hdev);
4427 
4428 	hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
4429 	if (!hchan)
4430 		goto unlock;
4431 
4432 	amp_destroy_logical_link(hchan, ev->reason);
4433 
4434 unlock:
4435 	hci_dev_unlock(hdev);
4436 }
4437 
4438 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev,
4439 					     struct sk_buff *skb)
4440 {
4441 	struct hci_ev_disconn_phy_link_complete *ev = (void *) skb->data;
4442 	struct hci_conn *hcon;
4443 
4444 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4445 
4446 	if (ev->status)
4447 		return;
4448 
4449 	hci_dev_lock(hdev);
4450 
4451 	hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4452 	if (hcon) {
4453 		hcon->state = BT_CLOSED;
4454 		hci_conn_del(hcon);
4455 	}
4456 
4457 	hci_dev_unlock(hdev);
4458 }
4459 #endif
4460 
4461 static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4462 {
4463 	struct hci_ev_le_conn_complete *ev = (void *) skb->data;
4464 	struct hci_conn_params *params;
4465 	struct hci_conn *conn;
4466 	struct smp_irk *irk;
4467 	u8 addr_type;
4468 
4469 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4470 
4471 	hci_dev_lock(hdev);
4472 
4473 	/* All controllers implicitly stop advertising in the event of a
4474 	 * connection, so ensure that the state bit is cleared.
4475 	 */
4476 	hci_dev_clear_flag(hdev, HCI_LE_ADV);
4477 
4478 	conn = hci_lookup_le_connect(hdev);
4479 	if (!conn) {
4480 		conn = hci_conn_add(hdev, LE_LINK, &ev->bdaddr, ev->role);
4481 		if (!conn) {
4482 			BT_ERR("No memory for new connection");
4483 			goto unlock;
4484 		}
4485 
4486 		conn->dst_type = ev->bdaddr_type;
4487 
4488 		/* If we didn't have a hci_conn object previously
4489 		 * but we're in master role this must be something
4490 		 * initiated using a white list. Since white list based
4491 		 * connections are not "first class citizens" we don't
4492 		 * have full tracking of them. Therefore, we go ahead
4493 		 * with a "best effort" approach of determining the
4494 		 * initiator address based on the HCI_PRIVACY flag.
4495 		 */
4496 		if (conn->out) {
4497 			conn->resp_addr_type = ev->bdaddr_type;
4498 			bacpy(&conn->resp_addr, &ev->bdaddr);
4499 			if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
4500 				conn->init_addr_type = ADDR_LE_DEV_RANDOM;
4501 				bacpy(&conn->init_addr, &hdev->rpa);
4502 			} else {
4503 				hci_copy_identity_address(hdev,
4504 							  &conn->init_addr,
4505 							  &conn->init_addr_type);
4506 			}
4507 		}
4508 	} else {
4509 		cancel_delayed_work(&conn->le_conn_timeout);
4510 	}
4511 
4512 	if (!conn->out) {
4513 		/* Set the responder (our side) address type based on
4514 		 * the advertising address type.
4515 		 */
4516 		conn->resp_addr_type = hdev->adv_addr_type;
4517 		if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM)
4518 			bacpy(&conn->resp_addr, &hdev->random_addr);
4519 		else
4520 			bacpy(&conn->resp_addr, &hdev->bdaddr);
4521 
4522 		conn->init_addr_type = ev->bdaddr_type;
4523 		bacpy(&conn->init_addr, &ev->bdaddr);
4524 
4525 		/* For incoming connections, set the default minimum
4526 		 * and maximum connection interval. They will be used
4527 		 * to check if the parameters are in range and if not
4528 		 * trigger the connection update procedure.
4529 		 */
4530 		conn->le_conn_min_interval = hdev->le_conn_min_interval;
4531 		conn->le_conn_max_interval = hdev->le_conn_max_interval;
4532 	}
4533 
4534 	/* Lookup the identity address from the stored connection
4535 	 * address and address type.
4536 	 *
4537 	 * When establishing connections to an identity address, the
4538 	 * connection procedure will store the resolvable random
4539 	 * address first. Now if it can be converted back into the
4540 	 * identity address, start using the identity address from
4541 	 * now on.
4542 	 */
4543 	irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
4544 	if (irk) {
4545 		bacpy(&conn->dst, &irk->bdaddr);
4546 		conn->dst_type = irk->addr_type;
4547 	}
4548 
4549 	if (ev->status) {
4550 		hci_le_conn_failed(conn, ev->status);
4551 		goto unlock;
4552 	}
4553 
4554 	if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
4555 		addr_type = BDADDR_LE_PUBLIC;
4556 	else
4557 		addr_type = BDADDR_LE_RANDOM;
4558 
4559 	/* Drop the connection if the device is blocked */
4560 	if (hci_bdaddr_list_lookup(&hdev->blacklist, &conn->dst, addr_type)) {
4561 		hci_conn_drop(conn);
4562 		goto unlock;
4563 	}
4564 
4565 	if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
4566 		mgmt_device_connected(hdev, conn, 0, NULL, 0);
4567 
4568 	conn->sec_level = BT_SECURITY_LOW;
4569 	conn->handle = __le16_to_cpu(ev->handle);
4570 	conn->state = BT_CONFIG;
4571 
4572 	conn->le_conn_interval = le16_to_cpu(ev->interval);
4573 	conn->le_conn_latency = le16_to_cpu(ev->latency);
4574 	conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
4575 
4576 	hci_debugfs_create_conn(conn);
4577 	hci_conn_add_sysfs(conn);
4578 
4579 	if (!ev->status) {
4580 		/* The remote features procedure is defined for master
4581 		 * role only. So only in case of an initiated connection
4582 		 * request the remote features.
4583 		 *
4584 		 * If the local controller supports slave-initiated features
4585 		 * exchange, then requesting the remote features in slave
4586 		 * role is possible. Otherwise just transition into the
4587 		 * connected state without requesting the remote features.
4588 		 */
4589 		if (conn->out ||
4590 		    (hdev->le_features[0] & HCI_LE_SLAVE_FEATURES)) {
4591 			struct hci_cp_le_read_remote_features cp;
4592 
4593 			cp.handle = __cpu_to_le16(conn->handle);
4594 
4595 			hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,
4596 				     sizeof(cp), &cp);
4597 
4598 			hci_conn_hold(conn);
4599 		} else {
4600 			conn->state = BT_CONNECTED;
4601 			hci_connect_cfm(conn, ev->status);
4602 		}
4603 	} else {
4604 		hci_connect_cfm(conn, ev->status);
4605 	}
4606 
4607 	params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
4608 					   conn->dst_type);
4609 	if (params) {
4610 		list_del_init(&params->action);
4611 		if (params->conn) {
4612 			hci_conn_drop(params->conn);
4613 			hci_conn_put(params->conn);
4614 			params->conn = NULL;
4615 		}
4616 	}
4617 
4618 unlock:
4619 	hci_update_background_scan(hdev);
4620 	hci_dev_unlock(hdev);
4621 }
4622 
4623 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev,
4624 					    struct sk_buff *skb)
4625 {
4626 	struct hci_ev_le_conn_update_complete *ev = (void *) skb->data;
4627 	struct hci_conn *conn;
4628 
4629 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4630 
4631 	if (ev->status)
4632 		return;
4633 
4634 	hci_dev_lock(hdev);
4635 
4636 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4637 	if (conn) {
4638 		conn->le_conn_interval = le16_to_cpu(ev->interval);
4639 		conn->le_conn_latency = le16_to_cpu(ev->latency);
4640 		conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
4641 	}
4642 
4643 	hci_dev_unlock(hdev);
4644 }
4645 
4646 /* This function requires the caller holds hdev->lock */
4647 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
4648 					      bdaddr_t *addr,
4649 					      u8 addr_type, u8 adv_type)
4650 {
4651 	struct hci_conn *conn;
4652 	struct hci_conn_params *params;
4653 
4654 	/* If the event is not connectable don't proceed further */
4655 	if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
4656 		return NULL;
4657 
4658 	/* Ignore if the device is blocked */
4659 	if (hci_bdaddr_list_lookup(&hdev->blacklist, addr, addr_type))
4660 		return NULL;
4661 
4662 	/* Most controller will fail if we try to create new connections
4663 	 * while we have an existing one in slave role.
4664 	 */
4665 	if (hdev->conn_hash.le_num_slave > 0)
4666 		return NULL;
4667 
4668 	/* If we're not connectable only connect devices that we have in
4669 	 * our pend_le_conns list.
4670 	 */
4671 	params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr,
4672 					   addr_type);
4673 	if (!params)
4674 		return NULL;
4675 
4676 	if (!params->explicit_connect) {
4677 		switch (params->auto_connect) {
4678 		case HCI_AUTO_CONN_DIRECT:
4679 			/* Only devices advertising with ADV_DIRECT_IND are
4680 			 * triggering a connection attempt. This is allowing
4681 			 * incoming connections from slave devices.
4682 			 */
4683 			if (adv_type != LE_ADV_DIRECT_IND)
4684 				return NULL;
4685 			break;
4686 		case HCI_AUTO_CONN_ALWAYS:
4687 			/* Devices advertising with ADV_IND or ADV_DIRECT_IND
4688 			 * are triggering a connection attempt. This means
4689 			 * that incoming connectioms from slave device are
4690 			 * accepted and also outgoing connections to slave
4691 			 * devices are established when found.
4692 			 */
4693 			break;
4694 		default:
4695 			return NULL;
4696 		}
4697 	}
4698 
4699 	conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW,
4700 			      HCI_LE_AUTOCONN_TIMEOUT, HCI_ROLE_MASTER);
4701 	if (!IS_ERR(conn)) {
4702 		/* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
4703 		 * by higher layer that tried to connect, if no then
4704 		 * store the pointer since we don't really have any
4705 		 * other owner of the object besides the params that
4706 		 * triggered it. This way we can abort the connection if
4707 		 * the parameters get removed and keep the reference
4708 		 * count consistent once the connection is established.
4709 		 */
4710 
4711 		if (!params->explicit_connect)
4712 			params->conn = hci_conn_get(conn);
4713 
4714 		return conn;
4715 	}
4716 
4717 	switch (PTR_ERR(conn)) {
4718 	case -EBUSY:
4719 		/* If hci_connect() returns -EBUSY it means there is already
4720 		 * an LE connection attempt going on. Since controllers don't
4721 		 * support more than one connection attempt at the time, we
4722 		 * don't consider this an error case.
4723 		 */
4724 		break;
4725 	default:
4726 		BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
4727 		return NULL;
4728 	}
4729 
4730 	return NULL;
4731 }
4732 
4733 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
4734 			       u8 bdaddr_type, bdaddr_t *direct_addr,
4735 			       u8 direct_addr_type, s8 rssi, u8 *data, u8 len)
4736 {
4737 	struct discovery_state *d = &hdev->discovery;
4738 	struct smp_irk *irk;
4739 	struct hci_conn *conn;
4740 	bool match;
4741 	u32 flags;
4742 	u8 *ptr, real_len;
4743 
4744 	switch (type) {
4745 	case LE_ADV_IND:
4746 	case LE_ADV_DIRECT_IND:
4747 	case LE_ADV_SCAN_IND:
4748 	case LE_ADV_NONCONN_IND:
4749 	case LE_ADV_SCAN_RSP:
4750 		break;
4751 	default:
4752 		BT_ERR_RATELIMITED("Unknown advetising packet type: 0x%02x",
4753 				   type);
4754 		return;
4755 	}
4756 
4757 	/* Find the end of the data in case the report contains padded zero
4758 	 * bytes at the end causing an invalid length value.
4759 	 *
4760 	 * When data is NULL, len is 0 so there is no need for extra ptr
4761 	 * check as 'ptr < data + 0' is already false in such case.
4762 	 */
4763 	for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) {
4764 		if (ptr + 1 + *ptr > data + len)
4765 			break;
4766 	}
4767 
4768 	real_len = ptr - data;
4769 
4770 	/* Adjust for actual length */
4771 	if (len != real_len) {
4772 		BT_ERR_RATELIMITED("%s advertising data length corrected",
4773 				   hdev->name);
4774 		len = real_len;
4775 	}
4776 
4777 	/* If the direct address is present, then this report is from
4778 	 * a LE Direct Advertising Report event. In that case it is
4779 	 * important to see if the address is matching the local
4780 	 * controller address.
4781 	 */
4782 	if (direct_addr) {
4783 		/* Only resolvable random addresses are valid for these
4784 		 * kind of reports and others can be ignored.
4785 		 */
4786 		if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
4787 			return;
4788 
4789 		/* If the controller is not using resolvable random
4790 		 * addresses, then this report can be ignored.
4791 		 */
4792 		if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
4793 			return;
4794 
4795 		/* If the local IRK of the controller does not match
4796 		 * with the resolvable random address provided, then
4797 		 * this report can be ignored.
4798 		 */
4799 		if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
4800 			return;
4801 	}
4802 
4803 	/* Check if we need to convert to identity address */
4804 	irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
4805 	if (irk) {
4806 		bdaddr = &irk->bdaddr;
4807 		bdaddr_type = irk->addr_type;
4808 	}
4809 
4810 	/* Check if we have been requested to connect to this device */
4811 	conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type);
4812 	if (conn && type == LE_ADV_IND) {
4813 		/* Store report for later inclusion by
4814 		 * mgmt_device_connected
4815 		 */
4816 		memcpy(conn->le_adv_data, data, len);
4817 		conn->le_adv_data_len = len;
4818 	}
4819 
4820 	/* Passive scanning shouldn't trigger any device found events,
4821 	 * except for devices marked as CONN_REPORT for which we do send
4822 	 * device found events.
4823 	 */
4824 	if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
4825 		if (type == LE_ADV_DIRECT_IND)
4826 			return;
4827 
4828 		if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
4829 					       bdaddr, bdaddr_type))
4830 			return;
4831 
4832 		if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
4833 			flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
4834 		else
4835 			flags = 0;
4836 		mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4837 				  rssi, flags, data, len, NULL, 0);
4838 		return;
4839 	}
4840 
4841 	/* When receiving non-connectable or scannable undirected
4842 	 * advertising reports, this means that the remote device is
4843 	 * not connectable and then clearly indicate this in the
4844 	 * device found event.
4845 	 *
4846 	 * When receiving a scan response, then there is no way to
4847 	 * know if the remote device is connectable or not. However
4848 	 * since scan responses are merged with a previously seen
4849 	 * advertising report, the flags field from that report
4850 	 * will be used.
4851 	 *
4852 	 * In the really unlikely case that a controller get confused
4853 	 * and just sends a scan response event, then it is marked as
4854 	 * not connectable as well.
4855 	 */
4856 	if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND ||
4857 	    type == LE_ADV_SCAN_RSP)
4858 		flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
4859 	else
4860 		flags = 0;
4861 
4862 	/* If there's nothing pending either store the data from this
4863 	 * event or send an immediate device found event if the data
4864 	 * should not be stored for later.
4865 	 */
4866 	if (!has_pending_adv_report(hdev)) {
4867 		/* If the report will trigger a SCAN_REQ store it for
4868 		 * later merging.
4869 		 */
4870 		if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
4871 			store_pending_adv_report(hdev, bdaddr, bdaddr_type,
4872 						 rssi, flags, data, len);
4873 			return;
4874 		}
4875 
4876 		mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4877 				  rssi, flags, data, len, NULL, 0);
4878 		return;
4879 	}
4880 
4881 	/* Check if the pending report is for the same device as the new one */
4882 	match = (!bacmp(bdaddr, &d->last_adv_addr) &&
4883 		 bdaddr_type == d->last_adv_addr_type);
4884 
4885 	/* If the pending data doesn't match this report or this isn't a
4886 	 * scan response (e.g. we got a duplicate ADV_IND) then force
4887 	 * sending of the pending data.
4888 	 */
4889 	if (type != LE_ADV_SCAN_RSP || !match) {
4890 		/* Send out whatever is in the cache, but skip duplicates */
4891 		if (!match)
4892 			mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
4893 					  d->last_adv_addr_type, NULL,
4894 					  d->last_adv_rssi, d->last_adv_flags,
4895 					  d->last_adv_data,
4896 					  d->last_adv_data_len, NULL, 0);
4897 
4898 		/* If the new report will trigger a SCAN_REQ store it for
4899 		 * later merging.
4900 		 */
4901 		if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
4902 			store_pending_adv_report(hdev, bdaddr, bdaddr_type,
4903 						 rssi, flags, data, len);
4904 			return;
4905 		}
4906 
4907 		/* The advertising reports cannot be merged, so clear
4908 		 * the pending report and send out a device found event.
4909 		 */
4910 		clear_pending_adv_report(hdev);
4911 		mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4912 				  rssi, flags, data, len, NULL, 0);
4913 		return;
4914 	}
4915 
4916 	/* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
4917 	 * the new event is a SCAN_RSP. We can therefore proceed with
4918 	 * sending a merged device found event.
4919 	 */
4920 	mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
4921 			  d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
4922 			  d->last_adv_data, d->last_adv_data_len, data, len);
4923 	clear_pending_adv_report(hdev);
4924 }
4925 
4926 static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
4927 {
4928 	u8 num_reports = skb->data[0];
4929 	void *ptr = &skb->data[1];
4930 
4931 	hci_dev_lock(hdev);
4932 
4933 	while (num_reports--) {
4934 		struct hci_ev_le_advertising_info *ev = ptr;
4935 		s8 rssi;
4936 
4937 		rssi = ev->data[ev->length];
4938 		process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
4939 				   ev->bdaddr_type, NULL, 0, rssi,
4940 				   ev->data, ev->length);
4941 
4942 		ptr += sizeof(*ev) + ev->length + 1;
4943 	}
4944 
4945 	hci_dev_unlock(hdev);
4946 }
4947 
4948 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev,
4949 					    struct sk_buff *skb)
4950 {
4951 	struct hci_ev_le_remote_feat_complete *ev = (void *)skb->data;
4952 	struct hci_conn *conn;
4953 
4954 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4955 
4956 	hci_dev_lock(hdev);
4957 
4958 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4959 	if (conn) {
4960 		if (!ev->status)
4961 			memcpy(conn->features[0], ev->features, 8);
4962 
4963 		if (conn->state == BT_CONFIG) {
4964 			__u8 status;
4965 
4966 			/* If the local controller supports slave-initiated
4967 			 * features exchange, but the remote controller does
4968 			 * not, then it is possible that the error code 0x1a
4969 			 * for unsupported remote feature gets returned.
4970 			 *
4971 			 * In this specific case, allow the connection to
4972 			 * transition into connected state and mark it as
4973 			 * successful.
4974 			 */
4975 			if ((hdev->le_features[0] & HCI_LE_SLAVE_FEATURES) &&
4976 			    !conn->out && ev->status == 0x1a)
4977 				status = 0x00;
4978 			else
4979 				status = ev->status;
4980 
4981 			conn->state = BT_CONNECTED;
4982 			hci_connect_cfm(conn, status);
4983 			hci_conn_drop(conn);
4984 		}
4985 	}
4986 
4987 	hci_dev_unlock(hdev);
4988 }
4989 
4990 static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
4991 {
4992 	struct hci_ev_le_ltk_req *ev = (void *) skb->data;
4993 	struct hci_cp_le_ltk_reply cp;
4994 	struct hci_cp_le_ltk_neg_reply neg;
4995 	struct hci_conn *conn;
4996 	struct smp_ltk *ltk;
4997 
4998 	BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle));
4999 
5000 	hci_dev_lock(hdev);
5001 
5002 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5003 	if (conn == NULL)
5004 		goto not_found;
5005 
5006 	ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
5007 	if (!ltk)
5008 		goto not_found;
5009 
5010 	if (smp_ltk_is_sc(ltk)) {
5011 		/* With SC both EDiv and Rand are set to zero */
5012 		if (ev->ediv || ev->rand)
5013 			goto not_found;
5014 	} else {
5015 		/* For non-SC keys check that EDiv and Rand match */
5016 		if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
5017 			goto not_found;
5018 	}
5019 
5020 	memcpy(cp.ltk, ltk->val, ltk->enc_size);
5021 	memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
5022 	cp.handle = cpu_to_le16(conn->handle);
5023 
5024 	conn->pending_sec_level = smp_ltk_sec_level(ltk);
5025 
5026 	conn->enc_key_size = ltk->enc_size;
5027 
5028 	hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
5029 
5030 	/* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
5031 	 * temporary key used to encrypt a connection following
5032 	 * pairing. It is used during the Encrypted Session Setup to
5033 	 * distribute the keys. Later, security can be re-established
5034 	 * using a distributed LTK.
5035 	 */
5036 	if (ltk->type == SMP_STK) {
5037 		set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
5038 		list_del_rcu(&ltk->list);
5039 		kfree_rcu(ltk, rcu);
5040 	} else {
5041 		clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
5042 	}
5043 
5044 	hci_dev_unlock(hdev);
5045 
5046 	return;
5047 
5048 not_found:
5049 	neg.handle = ev->handle;
5050 	hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
5051 	hci_dev_unlock(hdev);
5052 }
5053 
5054 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
5055 				      u8 reason)
5056 {
5057 	struct hci_cp_le_conn_param_req_neg_reply cp;
5058 
5059 	cp.handle = cpu_to_le16(handle);
5060 	cp.reason = reason;
5061 
5062 	hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
5063 		     &cp);
5064 }
5065 
5066 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev,
5067 					     struct sk_buff *skb)
5068 {
5069 	struct hci_ev_le_remote_conn_param_req *ev = (void *) skb->data;
5070 	struct hci_cp_le_conn_param_req_reply cp;
5071 	struct hci_conn *hcon;
5072 	u16 handle, min, max, latency, timeout;
5073 
5074 	handle = le16_to_cpu(ev->handle);
5075 	min = le16_to_cpu(ev->interval_min);
5076 	max = le16_to_cpu(ev->interval_max);
5077 	latency = le16_to_cpu(ev->latency);
5078 	timeout = le16_to_cpu(ev->timeout);
5079 
5080 	hcon = hci_conn_hash_lookup_handle(hdev, handle);
5081 	if (!hcon || hcon->state != BT_CONNECTED)
5082 		return send_conn_param_neg_reply(hdev, handle,
5083 						 HCI_ERROR_UNKNOWN_CONN_ID);
5084 
5085 	if (hci_check_conn_params(min, max, latency, timeout))
5086 		return send_conn_param_neg_reply(hdev, handle,
5087 						 HCI_ERROR_INVALID_LL_PARAMS);
5088 
5089 	if (hcon->role == HCI_ROLE_MASTER) {
5090 		struct hci_conn_params *params;
5091 		u8 store_hint;
5092 
5093 		hci_dev_lock(hdev);
5094 
5095 		params = hci_conn_params_lookup(hdev, &hcon->dst,
5096 						hcon->dst_type);
5097 		if (params) {
5098 			params->conn_min_interval = min;
5099 			params->conn_max_interval = max;
5100 			params->conn_latency = latency;
5101 			params->supervision_timeout = timeout;
5102 			store_hint = 0x01;
5103 		} else{
5104 			store_hint = 0x00;
5105 		}
5106 
5107 		hci_dev_unlock(hdev);
5108 
5109 		mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
5110 				    store_hint, min, max, latency, timeout);
5111 	}
5112 
5113 	cp.handle = ev->handle;
5114 	cp.interval_min = ev->interval_min;
5115 	cp.interval_max = ev->interval_max;
5116 	cp.latency = ev->latency;
5117 	cp.timeout = ev->timeout;
5118 	cp.min_ce_len = 0;
5119 	cp.max_ce_len = 0;
5120 
5121 	hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
5122 }
5123 
5124 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev,
5125 					 struct sk_buff *skb)
5126 {
5127 	u8 num_reports = skb->data[0];
5128 	void *ptr = &skb->data[1];
5129 
5130 	hci_dev_lock(hdev);
5131 
5132 	while (num_reports--) {
5133 		struct hci_ev_le_direct_adv_info *ev = ptr;
5134 
5135 		process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
5136 				   ev->bdaddr_type, &ev->direct_addr,
5137 				   ev->direct_addr_type, ev->rssi, NULL, 0);
5138 
5139 		ptr += sizeof(*ev);
5140 	}
5141 
5142 	hci_dev_unlock(hdev);
5143 }
5144 
5145 static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
5146 {
5147 	struct hci_ev_le_meta *le_ev = (void *) skb->data;
5148 
5149 	skb_pull(skb, sizeof(*le_ev));
5150 
5151 	switch (le_ev->subevent) {
5152 	case HCI_EV_LE_CONN_COMPLETE:
5153 		hci_le_conn_complete_evt(hdev, skb);
5154 		break;
5155 
5156 	case HCI_EV_LE_CONN_UPDATE_COMPLETE:
5157 		hci_le_conn_update_complete_evt(hdev, skb);
5158 		break;
5159 
5160 	case HCI_EV_LE_ADVERTISING_REPORT:
5161 		hci_le_adv_report_evt(hdev, skb);
5162 		break;
5163 
5164 	case HCI_EV_LE_REMOTE_FEAT_COMPLETE:
5165 		hci_le_remote_feat_complete_evt(hdev, skb);
5166 		break;
5167 
5168 	case HCI_EV_LE_LTK_REQ:
5169 		hci_le_ltk_request_evt(hdev, skb);
5170 		break;
5171 
5172 	case HCI_EV_LE_REMOTE_CONN_PARAM_REQ:
5173 		hci_le_remote_conn_param_req_evt(hdev, skb);
5174 		break;
5175 
5176 	case HCI_EV_LE_DIRECT_ADV_REPORT:
5177 		hci_le_direct_adv_report_evt(hdev, skb);
5178 		break;
5179 
5180 	default:
5181 		break;
5182 	}
5183 }
5184 
5185 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
5186 				 u8 event, struct sk_buff *skb)
5187 {
5188 	struct hci_ev_cmd_complete *ev;
5189 	struct hci_event_hdr *hdr;
5190 
5191 	if (!skb)
5192 		return false;
5193 
5194 	if (skb->len < sizeof(*hdr)) {
5195 		BT_ERR("Too short HCI event");
5196 		return false;
5197 	}
5198 
5199 	hdr = (void *) skb->data;
5200 	skb_pull(skb, HCI_EVENT_HDR_SIZE);
5201 
5202 	if (event) {
5203 		if (hdr->evt != event)
5204 			return false;
5205 		return true;
5206 	}
5207 
5208 	if (hdr->evt != HCI_EV_CMD_COMPLETE) {
5209 		BT_DBG("Last event is not cmd complete (0x%2.2x)", hdr->evt);
5210 		return false;
5211 	}
5212 
5213 	if (skb->len < sizeof(*ev)) {
5214 		BT_ERR("Too short cmd_complete event");
5215 		return false;
5216 	}
5217 
5218 	ev = (void *) skb->data;
5219 	skb_pull(skb, sizeof(*ev));
5220 
5221 	if (opcode != __le16_to_cpu(ev->opcode)) {
5222 		BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
5223 		       __le16_to_cpu(ev->opcode));
5224 		return false;
5225 	}
5226 
5227 	return true;
5228 }
5229 
5230 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
5231 {
5232 	struct hci_event_hdr *hdr = (void *) skb->data;
5233 	hci_req_complete_t req_complete = NULL;
5234 	hci_req_complete_skb_t req_complete_skb = NULL;
5235 	struct sk_buff *orig_skb = NULL;
5236 	u8 status = 0, event = hdr->evt, req_evt = 0;
5237 	u16 opcode = HCI_OP_NOP;
5238 
5239 	if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->hci.req_event == event) {
5240 		struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data;
5241 		opcode = __le16_to_cpu(cmd_hdr->opcode);
5242 		hci_req_cmd_complete(hdev, opcode, status, &req_complete,
5243 				     &req_complete_skb);
5244 		req_evt = event;
5245 	}
5246 
5247 	/* If it looks like we might end up having to call
5248 	 * req_complete_skb, store a pristine copy of the skb since the
5249 	 * various handlers may modify the original one through
5250 	 * skb_pull() calls, etc.
5251 	 */
5252 	if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
5253 	    event == HCI_EV_CMD_COMPLETE)
5254 		orig_skb = skb_clone(skb, GFP_KERNEL);
5255 
5256 	skb_pull(skb, HCI_EVENT_HDR_SIZE);
5257 
5258 	switch (event) {
5259 	case HCI_EV_INQUIRY_COMPLETE:
5260 		hci_inquiry_complete_evt(hdev, skb);
5261 		break;
5262 
5263 	case HCI_EV_INQUIRY_RESULT:
5264 		hci_inquiry_result_evt(hdev, skb);
5265 		break;
5266 
5267 	case HCI_EV_CONN_COMPLETE:
5268 		hci_conn_complete_evt(hdev, skb);
5269 		break;
5270 
5271 	case HCI_EV_CONN_REQUEST:
5272 		hci_conn_request_evt(hdev, skb);
5273 		break;
5274 
5275 	case HCI_EV_DISCONN_COMPLETE:
5276 		hci_disconn_complete_evt(hdev, skb);
5277 		break;
5278 
5279 	case HCI_EV_AUTH_COMPLETE:
5280 		hci_auth_complete_evt(hdev, skb);
5281 		break;
5282 
5283 	case HCI_EV_REMOTE_NAME:
5284 		hci_remote_name_evt(hdev, skb);
5285 		break;
5286 
5287 	case HCI_EV_ENCRYPT_CHANGE:
5288 		hci_encrypt_change_evt(hdev, skb);
5289 		break;
5290 
5291 	case HCI_EV_CHANGE_LINK_KEY_COMPLETE:
5292 		hci_change_link_key_complete_evt(hdev, skb);
5293 		break;
5294 
5295 	case HCI_EV_REMOTE_FEATURES:
5296 		hci_remote_features_evt(hdev, skb);
5297 		break;
5298 
5299 	case HCI_EV_CMD_COMPLETE:
5300 		hci_cmd_complete_evt(hdev, skb, &opcode, &status,
5301 				     &req_complete, &req_complete_skb);
5302 		break;
5303 
5304 	case HCI_EV_CMD_STATUS:
5305 		hci_cmd_status_evt(hdev, skb, &opcode, &status, &req_complete,
5306 				   &req_complete_skb);
5307 		break;
5308 
5309 	case HCI_EV_HARDWARE_ERROR:
5310 		hci_hardware_error_evt(hdev, skb);
5311 		break;
5312 
5313 	case HCI_EV_ROLE_CHANGE:
5314 		hci_role_change_evt(hdev, skb);
5315 		break;
5316 
5317 	case HCI_EV_NUM_COMP_PKTS:
5318 		hci_num_comp_pkts_evt(hdev, skb);
5319 		break;
5320 
5321 	case HCI_EV_MODE_CHANGE:
5322 		hci_mode_change_evt(hdev, skb);
5323 		break;
5324 
5325 	case HCI_EV_PIN_CODE_REQ:
5326 		hci_pin_code_request_evt(hdev, skb);
5327 		break;
5328 
5329 	case HCI_EV_LINK_KEY_REQ:
5330 		hci_link_key_request_evt(hdev, skb);
5331 		break;
5332 
5333 	case HCI_EV_LINK_KEY_NOTIFY:
5334 		hci_link_key_notify_evt(hdev, skb);
5335 		break;
5336 
5337 	case HCI_EV_CLOCK_OFFSET:
5338 		hci_clock_offset_evt(hdev, skb);
5339 		break;
5340 
5341 	case HCI_EV_PKT_TYPE_CHANGE:
5342 		hci_pkt_type_change_evt(hdev, skb);
5343 		break;
5344 
5345 	case HCI_EV_PSCAN_REP_MODE:
5346 		hci_pscan_rep_mode_evt(hdev, skb);
5347 		break;
5348 
5349 	case HCI_EV_INQUIRY_RESULT_WITH_RSSI:
5350 		hci_inquiry_result_with_rssi_evt(hdev, skb);
5351 		break;
5352 
5353 	case HCI_EV_REMOTE_EXT_FEATURES:
5354 		hci_remote_ext_features_evt(hdev, skb);
5355 		break;
5356 
5357 	case HCI_EV_SYNC_CONN_COMPLETE:
5358 		hci_sync_conn_complete_evt(hdev, skb);
5359 		break;
5360 
5361 	case HCI_EV_EXTENDED_INQUIRY_RESULT:
5362 		hci_extended_inquiry_result_evt(hdev, skb);
5363 		break;
5364 
5365 	case HCI_EV_KEY_REFRESH_COMPLETE:
5366 		hci_key_refresh_complete_evt(hdev, skb);
5367 		break;
5368 
5369 	case HCI_EV_IO_CAPA_REQUEST:
5370 		hci_io_capa_request_evt(hdev, skb);
5371 		break;
5372 
5373 	case HCI_EV_IO_CAPA_REPLY:
5374 		hci_io_capa_reply_evt(hdev, skb);
5375 		break;
5376 
5377 	case HCI_EV_USER_CONFIRM_REQUEST:
5378 		hci_user_confirm_request_evt(hdev, skb);
5379 		break;
5380 
5381 	case HCI_EV_USER_PASSKEY_REQUEST:
5382 		hci_user_passkey_request_evt(hdev, skb);
5383 		break;
5384 
5385 	case HCI_EV_USER_PASSKEY_NOTIFY:
5386 		hci_user_passkey_notify_evt(hdev, skb);
5387 		break;
5388 
5389 	case HCI_EV_KEYPRESS_NOTIFY:
5390 		hci_keypress_notify_evt(hdev, skb);
5391 		break;
5392 
5393 	case HCI_EV_SIMPLE_PAIR_COMPLETE:
5394 		hci_simple_pair_complete_evt(hdev, skb);
5395 		break;
5396 
5397 	case HCI_EV_REMOTE_HOST_FEATURES:
5398 		hci_remote_host_features_evt(hdev, skb);
5399 		break;
5400 
5401 	case HCI_EV_LE_META:
5402 		hci_le_meta_evt(hdev, skb);
5403 		break;
5404 
5405 	case HCI_EV_REMOTE_OOB_DATA_REQUEST:
5406 		hci_remote_oob_data_request_evt(hdev, skb);
5407 		break;
5408 
5409 #if IS_ENABLED(CONFIG_BT_HS)
5410 	case HCI_EV_CHANNEL_SELECTED:
5411 		hci_chan_selected_evt(hdev, skb);
5412 		break;
5413 
5414 	case HCI_EV_PHY_LINK_COMPLETE:
5415 		hci_phy_link_complete_evt(hdev, skb);
5416 		break;
5417 
5418 	case HCI_EV_LOGICAL_LINK_COMPLETE:
5419 		hci_loglink_complete_evt(hdev, skb);
5420 		break;
5421 
5422 	case HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE:
5423 		hci_disconn_loglink_complete_evt(hdev, skb);
5424 		break;
5425 
5426 	case HCI_EV_DISCONN_PHY_LINK_COMPLETE:
5427 		hci_disconn_phylink_complete_evt(hdev, skb);
5428 		break;
5429 #endif
5430 
5431 	case HCI_EV_NUM_COMP_BLOCKS:
5432 		hci_num_comp_blocks_evt(hdev, skb);
5433 		break;
5434 
5435 	default:
5436 		BT_DBG("%s event 0x%2.2x", hdev->name, event);
5437 		break;
5438 	}
5439 
5440 	if (req_complete) {
5441 		req_complete(hdev, status, opcode);
5442 	} else if (req_complete_skb) {
5443 		if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {
5444 			kfree_skb(orig_skb);
5445 			orig_skb = NULL;
5446 		}
5447 		req_complete_skb(hdev, status, opcode, orig_skb);
5448 	}
5449 
5450 	kfree_skb(orig_skb);
5451 	kfree_skb(skb);
5452 	hdev->stat.evt_rx++;
5453 }
5454