xref: /openbmc/linux/net/bluetooth/hci_event.c (revision a06c488d)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
4 
5    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6 
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License version 2 as
9    published by the Free Software Foundation;
10 
11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 
20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22    SOFTWARE IS DISCLAIMED.
23 */
24 
25 /* Bluetooth HCI event handling. */
26 
27 #include <asm/unaligned.h>
28 
29 #include <net/bluetooth/bluetooth.h>
30 #include <net/bluetooth/hci_core.h>
31 #include <net/bluetooth/mgmt.h>
32 
33 #include "hci_request.h"
34 #include "hci_debugfs.h"
35 #include "a2mp.h"
36 #include "amp.h"
37 #include "smp.h"
38 
39 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
40 		 "\x00\x00\x00\x00\x00\x00\x00\x00"
41 
42 /* Handle HCI Event packets */
43 
44 static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb)
45 {
46 	__u8 status = *((__u8 *) skb->data);
47 
48 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
49 
50 	if (status)
51 		return;
52 
53 	clear_bit(HCI_INQUIRY, &hdev->flags);
54 	smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
55 	wake_up_bit(&hdev->flags, HCI_INQUIRY);
56 
57 	hci_dev_lock(hdev);
58 	/* Set discovery state to stopped if we're not doing LE active
59 	 * scanning.
60 	 */
61 	if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
62 	    hdev->le_scan_type != LE_SCAN_ACTIVE)
63 		hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
64 	hci_dev_unlock(hdev);
65 
66 	hci_conn_check_pending(hdev);
67 }
68 
69 static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
70 {
71 	__u8 status = *((__u8 *) skb->data);
72 
73 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
74 
75 	if (status)
76 		return;
77 
78 	hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);
79 }
80 
81 static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
82 {
83 	__u8 status = *((__u8 *) skb->data);
84 
85 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
86 
87 	if (status)
88 		return;
89 
90 	hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);
91 
92 	hci_conn_check_pending(hdev);
93 }
94 
95 static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev,
96 					  struct sk_buff *skb)
97 {
98 	BT_DBG("%s", hdev->name);
99 }
100 
101 static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb)
102 {
103 	struct hci_rp_role_discovery *rp = (void *) skb->data;
104 	struct hci_conn *conn;
105 
106 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
107 
108 	if (rp->status)
109 		return;
110 
111 	hci_dev_lock(hdev);
112 
113 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
114 	if (conn)
115 		conn->role = rp->role;
116 
117 	hci_dev_unlock(hdev);
118 }
119 
120 static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
121 {
122 	struct hci_rp_read_link_policy *rp = (void *) skb->data;
123 	struct hci_conn *conn;
124 
125 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
126 
127 	if (rp->status)
128 		return;
129 
130 	hci_dev_lock(hdev);
131 
132 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
133 	if (conn)
134 		conn->link_policy = __le16_to_cpu(rp->policy);
135 
136 	hci_dev_unlock(hdev);
137 }
138 
139 static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
140 {
141 	struct hci_rp_write_link_policy *rp = (void *) skb->data;
142 	struct hci_conn *conn;
143 	void *sent;
144 
145 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
146 
147 	if (rp->status)
148 		return;
149 
150 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
151 	if (!sent)
152 		return;
153 
154 	hci_dev_lock(hdev);
155 
156 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
157 	if (conn)
158 		conn->link_policy = get_unaligned_le16(sent + 2);
159 
160 	hci_dev_unlock(hdev);
161 }
162 
163 static void hci_cc_read_def_link_policy(struct hci_dev *hdev,
164 					struct sk_buff *skb)
165 {
166 	struct hci_rp_read_def_link_policy *rp = (void *) skb->data;
167 
168 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
169 
170 	if (rp->status)
171 		return;
172 
173 	hdev->link_policy = __le16_to_cpu(rp->policy);
174 }
175 
176 static void hci_cc_write_def_link_policy(struct hci_dev *hdev,
177 					 struct sk_buff *skb)
178 {
179 	__u8 status = *((__u8 *) skb->data);
180 	void *sent;
181 
182 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
183 
184 	if (status)
185 		return;
186 
187 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
188 	if (!sent)
189 		return;
190 
191 	hdev->link_policy = get_unaligned_le16(sent);
192 }
193 
194 static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb)
195 {
196 	__u8 status = *((__u8 *) skb->data);
197 
198 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
199 
200 	clear_bit(HCI_RESET, &hdev->flags);
201 
202 	if (status)
203 		return;
204 
205 	/* Reset all non-persistent flags */
206 	hci_dev_clear_volatile_flags(hdev);
207 
208 	hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
209 
210 	hdev->inq_tx_power = HCI_TX_POWER_INVALID;
211 	hdev->adv_tx_power = HCI_TX_POWER_INVALID;
212 
213 	memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
214 	hdev->adv_data_len = 0;
215 
216 	memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
217 	hdev->scan_rsp_data_len = 0;
218 
219 	hdev->le_scan_type = LE_SCAN_PASSIVE;
220 
221 	hdev->ssp_debug_mode = 0;
222 
223 	hci_bdaddr_list_clear(&hdev->le_white_list);
224 }
225 
226 static void hci_cc_read_stored_link_key(struct hci_dev *hdev,
227 					struct sk_buff *skb)
228 {
229 	struct hci_rp_read_stored_link_key *rp = (void *)skb->data;
230 	struct hci_cp_read_stored_link_key *sent;
231 
232 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
233 
234 	sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
235 	if (!sent)
236 		return;
237 
238 	if (!rp->status && sent->read_all == 0x01) {
239 		hdev->stored_max_keys = rp->max_keys;
240 		hdev->stored_num_keys = rp->num_keys;
241 	}
242 }
243 
244 static void hci_cc_delete_stored_link_key(struct hci_dev *hdev,
245 					  struct sk_buff *skb)
246 {
247 	struct hci_rp_delete_stored_link_key *rp = (void *)skb->data;
248 
249 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
250 
251 	if (rp->status)
252 		return;
253 
254 	if (rp->num_keys <= hdev->stored_num_keys)
255 		hdev->stored_num_keys -= rp->num_keys;
256 	else
257 		hdev->stored_num_keys = 0;
258 }
259 
260 static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb)
261 {
262 	__u8 status = *((__u8 *) skb->data);
263 	void *sent;
264 
265 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
266 
267 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
268 	if (!sent)
269 		return;
270 
271 	hci_dev_lock(hdev);
272 
273 	if (hci_dev_test_flag(hdev, HCI_MGMT))
274 		mgmt_set_local_name_complete(hdev, sent, status);
275 	else if (!status)
276 		memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
277 
278 	hci_dev_unlock(hdev);
279 }
280 
281 static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)
282 {
283 	struct hci_rp_read_local_name *rp = (void *) skb->data;
284 
285 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
286 
287 	if (rp->status)
288 		return;
289 
290 	if (hci_dev_test_flag(hdev, HCI_SETUP) ||
291 	    hci_dev_test_flag(hdev, HCI_CONFIG))
292 		memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
293 }
294 
295 static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb)
296 {
297 	__u8 status = *((__u8 *) skb->data);
298 	void *sent;
299 
300 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
301 
302 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
303 	if (!sent)
304 		return;
305 
306 	hci_dev_lock(hdev);
307 
308 	if (!status) {
309 		__u8 param = *((__u8 *) sent);
310 
311 		if (param == AUTH_ENABLED)
312 			set_bit(HCI_AUTH, &hdev->flags);
313 		else
314 			clear_bit(HCI_AUTH, &hdev->flags);
315 	}
316 
317 	if (hci_dev_test_flag(hdev, HCI_MGMT))
318 		mgmt_auth_enable_complete(hdev, status);
319 
320 	hci_dev_unlock(hdev);
321 }
322 
323 static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb)
324 {
325 	__u8 status = *((__u8 *) skb->data);
326 	__u8 param;
327 	void *sent;
328 
329 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
330 
331 	if (status)
332 		return;
333 
334 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
335 	if (!sent)
336 		return;
337 
338 	param = *((__u8 *) sent);
339 
340 	if (param)
341 		set_bit(HCI_ENCRYPT, &hdev->flags);
342 	else
343 		clear_bit(HCI_ENCRYPT, &hdev->flags);
344 }
345 
346 static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb)
347 {
348 	__u8 status = *((__u8 *) skb->data);
349 	__u8 param;
350 	void *sent;
351 
352 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
353 
354 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
355 	if (!sent)
356 		return;
357 
358 	param = *((__u8 *) sent);
359 
360 	hci_dev_lock(hdev);
361 
362 	if (status) {
363 		hdev->discov_timeout = 0;
364 		goto done;
365 	}
366 
367 	if (param & SCAN_INQUIRY)
368 		set_bit(HCI_ISCAN, &hdev->flags);
369 	else
370 		clear_bit(HCI_ISCAN, &hdev->flags);
371 
372 	if (param & SCAN_PAGE)
373 		set_bit(HCI_PSCAN, &hdev->flags);
374 	else
375 		clear_bit(HCI_PSCAN, &hdev->flags);
376 
377 done:
378 	hci_dev_unlock(hdev);
379 }
380 
381 static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
382 {
383 	struct hci_rp_read_class_of_dev *rp = (void *) skb->data;
384 
385 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
386 
387 	if (rp->status)
388 		return;
389 
390 	memcpy(hdev->dev_class, rp->dev_class, 3);
391 
392 	BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name,
393 	       hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]);
394 }
395 
396 static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
397 {
398 	__u8 status = *((__u8 *) skb->data);
399 	void *sent;
400 
401 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
402 
403 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
404 	if (!sent)
405 		return;
406 
407 	hci_dev_lock(hdev);
408 
409 	if (status == 0)
410 		memcpy(hdev->dev_class, sent, 3);
411 
412 	if (hci_dev_test_flag(hdev, HCI_MGMT))
413 		mgmt_set_class_of_dev_complete(hdev, sent, status);
414 
415 	hci_dev_unlock(hdev);
416 }
417 
418 static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb)
419 {
420 	struct hci_rp_read_voice_setting *rp = (void *) skb->data;
421 	__u16 setting;
422 
423 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
424 
425 	if (rp->status)
426 		return;
427 
428 	setting = __le16_to_cpu(rp->voice_setting);
429 
430 	if (hdev->voice_setting == setting)
431 		return;
432 
433 	hdev->voice_setting = setting;
434 
435 	BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
436 
437 	if (hdev->notify)
438 		hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
439 }
440 
441 static void hci_cc_write_voice_setting(struct hci_dev *hdev,
442 				       struct sk_buff *skb)
443 {
444 	__u8 status = *((__u8 *) skb->data);
445 	__u16 setting;
446 	void *sent;
447 
448 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
449 
450 	if (status)
451 		return;
452 
453 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
454 	if (!sent)
455 		return;
456 
457 	setting = get_unaligned_le16(sent);
458 
459 	if (hdev->voice_setting == setting)
460 		return;
461 
462 	hdev->voice_setting = setting;
463 
464 	BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
465 
466 	if (hdev->notify)
467 		hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
468 }
469 
470 static void hci_cc_read_num_supported_iac(struct hci_dev *hdev,
471 					  struct sk_buff *skb)
472 {
473 	struct hci_rp_read_num_supported_iac *rp = (void *) skb->data;
474 
475 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
476 
477 	if (rp->status)
478 		return;
479 
480 	hdev->num_iac = rp->num_iac;
481 
482 	BT_DBG("%s num iac %d", hdev->name, hdev->num_iac);
483 }
484 
485 static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
486 {
487 	__u8 status = *((__u8 *) skb->data);
488 	struct hci_cp_write_ssp_mode *sent;
489 
490 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
491 
492 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
493 	if (!sent)
494 		return;
495 
496 	hci_dev_lock(hdev);
497 
498 	if (!status) {
499 		if (sent->mode)
500 			hdev->features[1][0] |= LMP_HOST_SSP;
501 		else
502 			hdev->features[1][0] &= ~LMP_HOST_SSP;
503 	}
504 
505 	if (hci_dev_test_flag(hdev, HCI_MGMT))
506 		mgmt_ssp_enable_complete(hdev, sent->mode, status);
507 	else if (!status) {
508 		if (sent->mode)
509 			hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
510 		else
511 			hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
512 	}
513 
514 	hci_dev_unlock(hdev);
515 }
516 
517 static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb)
518 {
519 	u8 status = *((u8 *) skb->data);
520 	struct hci_cp_write_sc_support *sent;
521 
522 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
523 
524 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
525 	if (!sent)
526 		return;
527 
528 	hci_dev_lock(hdev);
529 
530 	if (!status) {
531 		if (sent->support)
532 			hdev->features[1][0] |= LMP_HOST_SC;
533 		else
534 			hdev->features[1][0] &= ~LMP_HOST_SC;
535 	}
536 
537 	if (!hci_dev_test_flag(hdev, HCI_MGMT) && !status) {
538 		if (sent->support)
539 			hci_dev_set_flag(hdev, HCI_SC_ENABLED);
540 		else
541 			hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
542 	}
543 
544 	hci_dev_unlock(hdev);
545 }
546 
547 static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb)
548 {
549 	struct hci_rp_read_local_version *rp = (void *) skb->data;
550 
551 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
552 
553 	if (rp->status)
554 		return;
555 
556 	if (hci_dev_test_flag(hdev, HCI_SETUP) ||
557 	    hci_dev_test_flag(hdev, HCI_CONFIG)) {
558 		hdev->hci_ver = rp->hci_ver;
559 		hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
560 		hdev->lmp_ver = rp->lmp_ver;
561 		hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
562 		hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
563 	}
564 }
565 
566 static void hci_cc_read_local_commands(struct hci_dev *hdev,
567 				       struct sk_buff *skb)
568 {
569 	struct hci_rp_read_local_commands *rp = (void *) skb->data;
570 
571 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
572 
573 	if (rp->status)
574 		return;
575 
576 	if (hci_dev_test_flag(hdev, HCI_SETUP) ||
577 	    hci_dev_test_flag(hdev, HCI_CONFIG))
578 		memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
579 }
580 
581 static void hci_cc_read_local_features(struct hci_dev *hdev,
582 				       struct sk_buff *skb)
583 {
584 	struct hci_rp_read_local_features *rp = (void *) skb->data;
585 
586 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
587 
588 	if (rp->status)
589 		return;
590 
591 	memcpy(hdev->features, rp->features, 8);
592 
593 	/* Adjust default settings according to features
594 	 * supported by device. */
595 
596 	if (hdev->features[0][0] & LMP_3SLOT)
597 		hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
598 
599 	if (hdev->features[0][0] & LMP_5SLOT)
600 		hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
601 
602 	if (hdev->features[0][1] & LMP_HV2) {
603 		hdev->pkt_type  |= (HCI_HV2);
604 		hdev->esco_type |= (ESCO_HV2);
605 	}
606 
607 	if (hdev->features[0][1] & LMP_HV3) {
608 		hdev->pkt_type  |= (HCI_HV3);
609 		hdev->esco_type |= (ESCO_HV3);
610 	}
611 
612 	if (lmp_esco_capable(hdev))
613 		hdev->esco_type |= (ESCO_EV3);
614 
615 	if (hdev->features[0][4] & LMP_EV4)
616 		hdev->esco_type |= (ESCO_EV4);
617 
618 	if (hdev->features[0][4] & LMP_EV5)
619 		hdev->esco_type |= (ESCO_EV5);
620 
621 	if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
622 		hdev->esco_type |= (ESCO_2EV3);
623 
624 	if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
625 		hdev->esco_type |= (ESCO_3EV3);
626 
627 	if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
628 		hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
629 }
630 
631 static void hci_cc_read_local_ext_features(struct hci_dev *hdev,
632 					   struct sk_buff *skb)
633 {
634 	struct hci_rp_read_local_ext_features *rp = (void *) skb->data;
635 
636 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
637 
638 	if (rp->status)
639 		return;
640 
641 	if (hdev->max_page < rp->max_page)
642 		hdev->max_page = rp->max_page;
643 
644 	if (rp->page < HCI_MAX_PAGES)
645 		memcpy(hdev->features[rp->page], rp->features, 8);
646 }
647 
648 static void hci_cc_read_flow_control_mode(struct hci_dev *hdev,
649 					  struct sk_buff *skb)
650 {
651 	struct hci_rp_read_flow_control_mode *rp = (void *) skb->data;
652 
653 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
654 
655 	if (rp->status)
656 		return;
657 
658 	hdev->flow_ctl_mode = rp->mode;
659 }
660 
661 static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)
662 {
663 	struct hci_rp_read_buffer_size *rp = (void *) skb->data;
664 
665 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
666 
667 	if (rp->status)
668 		return;
669 
670 	hdev->acl_mtu  = __le16_to_cpu(rp->acl_mtu);
671 	hdev->sco_mtu  = rp->sco_mtu;
672 	hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
673 	hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
674 
675 	if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
676 		hdev->sco_mtu  = 64;
677 		hdev->sco_pkts = 8;
678 	}
679 
680 	hdev->acl_cnt = hdev->acl_pkts;
681 	hdev->sco_cnt = hdev->sco_pkts;
682 
683 	BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
684 	       hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
685 }
686 
687 static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb)
688 {
689 	struct hci_rp_read_bd_addr *rp = (void *) skb->data;
690 
691 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
692 
693 	if (rp->status)
694 		return;
695 
696 	if (test_bit(HCI_INIT, &hdev->flags))
697 		bacpy(&hdev->bdaddr, &rp->bdaddr);
698 
699 	if (hci_dev_test_flag(hdev, HCI_SETUP))
700 		bacpy(&hdev->setup_addr, &rp->bdaddr);
701 }
702 
703 static void hci_cc_read_page_scan_activity(struct hci_dev *hdev,
704 					   struct sk_buff *skb)
705 {
706 	struct hci_rp_read_page_scan_activity *rp = (void *) skb->data;
707 
708 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
709 
710 	if (rp->status)
711 		return;
712 
713 	if (test_bit(HCI_INIT, &hdev->flags)) {
714 		hdev->page_scan_interval = __le16_to_cpu(rp->interval);
715 		hdev->page_scan_window = __le16_to_cpu(rp->window);
716 	}
717 }
718 
719 static void hci_cc_write_page_scan_activity(struct hci_dev *hdev,
720 					    struct sk_buff *skb)
721 {
722 	u8 status = *((u8 *) skb->data);
723 	struct hci_cp_write_page_scan_activity *sent;
724 
725 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
726 
727 	if (status)
728 		return;
729 
730 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
731 	if (!sent)
732 		return;
733 
734 	hdev->page_scan_interval = __le16_to_cpu(sent->interval);
735 	hdev->page_scan_window = __le16_to_cpu(sent->window);
736 }
737 
738 static void hci_cc_read_page_scan_type(struct hci_dev *hdev,
739 					   struct sk_buff *skb)
740 {
741 	struct hci_rp_read_page_scan_type *rp = (void *) skb->data;
742 
743 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
744 
745 	if (rp->status)
746 		return;
747 
748 	if (test_bit(HCI_INIT, &hdev->flags))
749 		hdev->page_scan_type = rp->type;
750 }
751 
752 static void hci_cc_write_page_scan_type(struct hci_dev *hdev,
753 					struct sk_buff *skb)
754 {
755 	u8 status = *((u8 *) skb->data);
756 	u8 *type;
757 
758 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
759 
760 	if (status)
761 		return;
762 
763 	type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
764 	if (type)
765 		hdev->page_scan_type = *type;
766 }
767 
768 static void hci_cc_read_data_block_size(struct hci_dev *hdev,
769 					struct sk_buff *skb)
770 {
771 	struct hci_rp_read_data_block_size *rp = (void *) skb->data;
772 
773 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
774 
775 	if (rp->status)
776 		return;
777 
778 	hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
779 	hdev->block_len = __le16_to_cpu(rp->block_len);
780 	hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
781 
782 	hdev->block_cnt = hdev->num_blocks;
783 
784 	BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
785 	       hdev->block_cnt, hdev->block_len);
786 }
787 
788 static void hci_cc_read_clock(struct hci_dev *hdev, struct sk_buff *skb)
789 {
790 	struct hci_rp_read_clock *rp = (void *) skb->data;
791 	struct hci_cp_read_clock *cp;
792 	struct hci_conn *conn;
793 
794 	BT_DBG("%s", hdev->name);
795 
796 	if (skb->len < sizeof(*rp))
797 		return;
798 
799 	if (rp->status)
800 		return;
801 
802 	hci_dev_lock(hdev);
803 
804 	cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
805 	if (!cp)
806 		goto unlock;
807 
808 	if (cp->which == 0x00) {
809 		hdev->clock = le32_to_cpu(rp->clock);
810 		goto unlock;
811 	}
812 
813 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
814 	if (conn) {
815 		conn->clock = le32_to_cpu(rp->clock);
816 		conn->clock_accuracy = le16_to_cpu(rp->accuracy);
817 	}
818 
819 unlock:
820 	hci_dev_unlock(hdev);
821 }
822 
823 static void hci_cc_read_local_amp_info(struct hci_dev *hdev,
824 				       struct sk_buff *skb)
825 {
826 	struct hci_rp_read_local_amp_info *rp = (void *) skb->data;
827 
828 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
829 
830 	if (rp->status)
831 		return;
832 
833 	hdev->amp_status = rp->amp_status;
834 	hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
835 	hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
836 	hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
837 	hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
838 	hdev->amp_type = rp->amp_type;
839 	hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
840 	hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
841 	hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
842 	hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
843 }
844 
845 static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev,
846 					 struct sk_buff *skb)
847 {
848 	struct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data;
849 
850 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
851 
852 	if (rp->status)
853 		return;
854 
855 	hdev->inq_tx_power = rp->tx_power;
856 }
857 
858 static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb)
859 {
860 	struct hci_rp_pin_code_reply *rp = (void *) skb->data;
861 	struct hci_cp_pin_code_reply *cp;
862 	struct hci_conn *conn;
863 
864 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
865 
866 	hci_dev_lock(hdev);
867 
868 	if (hci_dev_test_flag(hdev, HCI_MGMT))
869 		mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
870 
871 	if (rp->status)
872 		goto unlock;
873 
874 	cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
875 	if (!cp)
876 		goto unlock;
877 
878 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
879 	if (conn)
880 		conn->pin_length = cp->pin_len;
881 
882 unlock:
883 	hci_dev_unlock(hdev);
884 }
885 
886 static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)
887 {
888 	struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data;
889 
890 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
891 
892 	hci_dev_lock(hdev);
893 
894 	if (hci_dev_test_flag(hdev, HCI_MGMT))
895 		mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
896 						 rp->status);
897 
898 	hci_dev_unlock(hdev);
899 }
900 
901 static void hci_cc_le_read_buffer_size(struct hci_dev *hdev,
902 				       struct sk_buff *skb)
903 {
904 	struct hci_rp_le_read_buffer_size *rp = (void *) skb->data;
905 
906 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
907 
908 	if (rp->status)
909 		return;
910 
911 	hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
912 	hdev->le_pkts = rp->le_max_pkt;
913 
914 	hdev->le_cnt = hdev->le_pkts;
915 
916 	BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
917 }
918 
919 static void hci_cc_le_read_local_features(struct hci_dev *hdev,
920 					  struct sk_buff *skb)
921 {
922 	struct hci_rp_le_read_local_features *rp = (void *) skb->data;
923 
924 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
925 
926 	if (rp->status)
927 		return;
928 
929 	memcpy(hdev->le_features, rp->features, 8);
930 }
931 
932 static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev,
933 					struct sk_buff *skb)
934 {
935 	struct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data;
936 
937 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
938 
939 	if (rp->status)
940 		return;
941 
942 	hdev->adv_tx_power = rp->tx_power;
943 }
944 
945 static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb)
946 {
947 	struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
948 
949 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
950 
951 	hci_dev_lock(hdev);
952 
953 	if (hci_dev_test_flag(hdev, HCI_MGMT))
954 		mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
955 						 rp->status);
956 
957 	hci_dev_unlock(hdev);
958 }
959 
960 static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev,
961 					  struct sk_buff *skb)
962 {
963 	struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
964 
965 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
966 
967 	hci_dev_lock(hdev);
968 
969 	if (hci_dev_test_flag(hdev, HCI_MGMT))
970 		mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
971 						     ACL_LINK, 0, rp->status);
972 
973 	hci_dev_unlock(hdev);
974 }
975 
976 static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb)
977 {
978 	struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
979 
980 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
981 
982 	hci_dev_lock(hdev);
983 
984 	if (hci_dev_test_flag(hdev, HCI_MGMT))
985 		mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
986 						 0, rp->status);
987 
988 	hci_dev_unlock(hdev);
989 }
990 
991 static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev,
992 					  struct sk_buff *skb)
993 {
994 	struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
995 
996 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
997 
998 	hci_dev_lock(hdev);
999 
1000 	if (hci_dev_test_flag(hdev, HCI_MGMT))
1001 		mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
1002 						     ACL_LINK, 0, rp->status);
1003 
1004 	hci_dev_unlock(hdev);
1005 }
1006 
1007 static void hci_cc_read_local_oob_data(struct hci_dev *hdev,
1008 				       struct sk_buff *skb)
1009 {
1010 	struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
1011 
1012 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1013 }
1014 
1015 static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev,
1016 					   struct sk_buff *skb)
1017 {
1018 	struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
1019 
1020 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1021 }
1022 
1023 static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb)
1024 {
1025 	__u8 status = *((__u8 *) skb->data);
1026 	bdaddr_t *sent;
1027 
1028 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1029 
1030 	if (status)
1031 		return;
1032 
1033 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1034 	if (!sent)
1035 		return;
1036 
1037 	hci_dev_lock(hdev);
1038 
1039 	bacpy(&hdev->random_addr, sent);
1040 
1041 	hci_dev_unlock(hdev);
1042 }
1043 
1044 static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb)
1045 {
1046 	__u8 *sent, status = *((__u8 *) skb->data);
1047 
1048 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1049 
1050 	if (status)
1051 		return;
1052 
1053 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1054 	if (!sent)
1055 		return;
1056 
1057 	hci_dev_lock(hdev);
1058 
1059 	/* If we're doing connection initiation as peripheral. Set a
1060 	 * timeout in case something goes wrong.
1061 	 */
1062 	if (*sent) {
1063 		struct hci_conn *conn;
1064 
1065 		hci_dev_set_flag(hdev, HCI_LE_ADV);
1066 
1067 		conn = hci_lookup_le_connect(hdev);
1068 		if (conn)
1069 			queue_delayed_work(hdev->workqueue,
1070 					   &conn->le_conn_timeout,
1071 					   conn->conn_timeout);
1072 	} else {
1073 		hci_dev_clear_flag(hdev, HCI_LE_ADV);
1074 	}
1075 
1076 	hci_dev_unlock(hdev);
1077 }
1078 
1079 static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb)
1080 {
1081 	struct hci_cp_le_set_scan_param *cp;
1082 	__u8 status = *((__u8 *) skb->data);
1083 
1084 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1085 
1086 	if (status)
1087 		return;
1088 
1089 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1090 	if (!cp)
1091 		return;
1092 
1093 	hci_dev_lock(hdev);
1094 
1095 	hdev->le_scan_type = cp->type;
1096 
1097 	hci_dev_unlock(hdev);
1098 }
1099 
1100 static bool has_pending_adv_report(struct hci_dev *hdev)
1101 {
1102 	struct discovery_state *d = &hdev->discovery;
1103 
1104 	return bacmp(&d->last_adv_addr, BDADDR_ANY);
1105 }
1106 
1107 static void clear_pending_adv_report(struct hci_dev *hdev)
1108 {
1109 	struct discovery_state *d = &hdev->discovery;
1110 
1111 	bacpy(&d->last_adv_addr, BDADDR_ANY);
1112 	d->last_adv_data_len = 0;
1113 }
1114 
1115 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1116 				     u8 bdaddr_type, s8 rssi, u32 flags,
1117 				     u8 *data, u8 len)
1118 {
1119 	struct discovery_state *d = &hdev->discovery;
1120 
1121 	bacpy(&d->last_adv_addr, bdaddr);
1122 	d->last_adv_addr_type = bdaddr_type;
1123 	d->last_adv_rssi = rssi;
1124 	d->last_adv_flags = flags;
1125 	memcpy(d->last_adv_data, data, len);
1126 	d->last_adv_data_len = len;
1127 }
1128 
1129 static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
1130 				      struct sk_buff *skb)
1131 {
1132 	struct hci_cp_le_set_scan_enable *cp;
1133 	__u8 status = *((__u8 *) skb->data);
1134 
1135 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1136 
1137 	if (status)
1138 		return;
1139 
1140 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1141 	if (!cp)
1142 		return;
1143 
1144 	hci_dev_lock(hdev);
1145 
1146 	switch (cp->enable) {
1147 	case LE_SCAN_ENABLE:
1148 		hci_dev_set_flag(hdev, HCI_LE_SCAN);
1149 		if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1150 			clear_pending_adv_report(hdev);
1151 		break;
1152 
1153 	case LE_SCAN_DISABLE:
1154 		/* We do this here instead of when setting DISCOVERY_STOPPED
1155 		 * since the latter would potentially require waiting for
1156 		 * inquiry to stop too.
1157 		 */
1158 		if (has_pending_adv_report(hdev)) {
1159 			struct discovery_state *d = &hdev->discovery;
1160 
1161 			mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1162 					  d->last_adv_addr_type, NULL,
1163 					  d->last_adv_rssi, d->last_adv_flags,
1164 					  d->last_adv_data,
1165 					  d->last_adv_data_len, NULL, 0);
1166 		}
1167 
1168 		/* Cancel this timer so that we don't try to disable scanning
1169 		 * when it's already disabled.
1170 		 */
1171 		cancel_delayed_work(&hdev->le_scan_disable);
1172 
1173 		hci_dev_clear_flag(hdev, HCI_LE_SCAN);
1174 
1175 		/* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1176 		 * interrupted scanning due to a connect request. Mark
1177 		 * therefore discovery as stopped. If this was not
1178 		 * because of a connect request advertising might have
1179 		 * been disabled because of active scanning, so
1180 		 * re-enable it again if necessary.
1181 		 */
1182 		if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))
1183 			hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1184 		else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) &&
1185 			 hdev->discovery.state == DISCOVERY_FINDING)
1186 			hci_req_reenable_advertising(hdev);
1187 
1188 		break;
1189 
1190 	default:
1191 		BT_ERR("Used reserved LE_Scan_Enable param %d", cp->enable);
1192 		break;
1193 	}
1194 
1195 	hci_dev_unlock(hdev);
1196 }
1197 
1198 static void hci_cc_le_read_white_list_size(struct hci_dev *hdev,
1199 					   struct sk_buff *skb)
1200 {
1201 	struct hci_rp_le_read_white_list_size *rp = (void *) skb->data;
1202 
1203 	BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1204 
1205 	if (rp->status)
1206 		return;
1207 
1208 	hdev->le_white_list_size = rp->size;
1209 }
1210 
1211 static void hci_cc_le_clear_white_list(struct hci_dev *hdev,
1212 				       struct sk_buff *skb)
1213 {
1214 	__u8 status = *((__u8 *) skb->data);
1215 
1216 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1217 
1218 	if (status)
1219 		return;
1220 
1221 	hci_bdaddr_list_clear(&hdev->le_white_list);
1222 }
1223 
1224 static void hci_cc_le_add_to_white_list(struct hci_dev *hdev,
1225 					struct sk_buff *skb)
1226 {
1227 	struct hci_cp_le_add_to_white_list *sent;
1228 	__u8 status = *((__u8 *) skb->data);
1229 
1230 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1231 
1232 	if (status)
1233 		return;
1234 
1235 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_WHITE_LIST);
1236 	if (!sent)
1237 		return;
1238 
1239 	hci_bdaddr_list_add(&hdev->le_white_list, &sent->bdaddr,
1240 			   sent->bdaddr_type);
1241 }
1242 
1243 static void hci_cc_le_del_from_white_list(struct hci_dev *hdev,
1244 					  struct sk_buff *skb)
1245 {
1246 	struct hci_cp_le_del_from_white_list *sent;
1247 	__u8 status = *((__u8 *) skb->data);
1248 
1249 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1250 
1251 	if (status)
1252 		return;
1253 
1254 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_WHITE_LIST);
1255 	if (!sent)
1256 		return;
1257 
1258 	hci_bdaddr_list_del(&hdev->le_white_list, &sent->bdaddr,
1259 			    sent->bdaddr_type);
1260 }
1261 
1262 static void hci_cc_le_read_supported_states(struct hci_dev *hdev,
1263 					    struct sk_buff *skb)
1264 {
1265 	struct hci_rp_le_read_supported_states *rp = (void *) skb->data;
1266 
1267 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1268 
1269 	if (rp->status)
1270 		return;
1271 
1272 	memcpy(hdev->le_states, rp->le_states, 8);
1273 }
1274 
1275 static void hci_cc_le_read_def_data_len(struct hci_dev *hdev,
1276 					struct sk_buff *skb)
1277 {
1278 	struct hci_rp_le_read_def_data_len *rp = (void *) skb->data;
1279 
1280 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1281 
1282 	if (rp->status)
1283 		return;
1284 
1285 	hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
1286 	hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
1287 }
1288 
1289 static void hci_cc_le_write_def_data_len(struct hci_dev *hdev,
1290 					 struct sk_buff *skb)
1291 {
1292 	struct hci_cp_le_write_def_data_len *sent;
1293 	__u8 status = *((__u8 *) skb->data);
1294 
1295 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1296 
1297 	if (status)
1298 		return;
1299 
1300 	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
1301 	if (!sent)
1302 		return;
1303 
1304 	hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
1305 	hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
1306 }
1307 
1308 static void hci_cc_le_read_max_data_len(struct hci_dev *hdev,
1309 					struct sk_buff *skb)
1310 {
1311 	struct hci_rp_le_read_max_data_len *rp = (void *) skb->data;
1312 
1313 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1314 
1315 	if (rp->status)
1316 		return;
1317 
1318 	hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
1319 	hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
1320 	hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
1321 	hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
1322 }
1323 
1324 static void hci_cc_write_le_host_supported(struct hci_dev *hdev,
1325 					   struct sk_buff *skb)
1326 {
1327 	struct hci_cp_write_le_host_supported *sent;
1328 	__u8 status = *((__u8 *) skb->data);
1329 
1330 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1331 
1332 	if (status)
1333 		return;
1334 
1335 	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
1336 	if (!sent)
1337 		return;
1338 
1339 	hci_dev_lock(hdev);
1340 
1341 	if (sent->le) {
1342 		hdev->features[1][0] |= LMP_HOST_LE;
1343 		hci_dev_set_flag(hdev, HCI_LE_ENABLED);
1344 	} else {
1345 		hdev->features[1][0] &= ~LMP_HOST_LE;
1346 		hci_dev_clear_flag(hdev, HCI_LE_ENABLED);
1347 		hci_dev_clear_flag(hdev, HCI_ADVERTISING);
1348 	}
1349 
1350 	if (sent->simul)
1351 		hdev->features[1][0] |= LMP_HOST_LE_BREDR;
1352 	else
1353 		hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
1354 
1355 	hci_dev_unlock(hdev);
1356 }
1357 
1358 static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1359 {
1360 	struct hci_cp_le_set_adv_param *cp;
1361 	u8 status = *((u8 *) skb->data);
1362 
1363 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1364 
1365 	if (status)
1366 		return;
1367 
1368 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
1369 	if (!cp)
1370 		return;
1371 
1372 	hci_dev_lock(hdev);
1373 	hdev->adv_addr_type = cp->own_address_type;
1374 	hci_dev_unlock(hdev);
1375 }
1376 
1377 static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb)
1378 {
1379 	struct hci_rp_read_rssi *rp = (void *) skb->data;
1380 	struct hci_conn *conn;
1381 
1382 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1383 
1384 	if (rp->status)
1385 		return;
1386 
1387 	hci_dev_lock(hdev);
1388 
1389 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1390 	if (conn)
1391 		conn->rssi = rp->rssi;
1392 
1393 	hci_dev_unlock(hdev);
1394 }
1395 
1396 static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb)
1397 {
1398 	struct hci_cp_read_tx_power *sent;
1399 	struct hci_rp_read_tx_power *rp = (void *) skb->data;
1400 	struct hci_conn *conn;
1401 
1402 	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1403 
1404 	if (rp->status)
1405 		return;
1406 
1407 	sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
1408 	if (!sent)
1409 		return;
1410 
1411 	hci_dev_lock(hdev);
1412 
1413 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1414 	if (!conn)
1415 		goto unlock;
1416 
1417 	switch (sent->type) {
1418 	case 0x00:
1419 		conn->tx_power = rp->tx_power;
1420 		break;
1421 	case 0x01:
1422 		conn->max_tx_power = rp->tx_power;
1423 		break;
1424 	}
1425 
1426 unlock:
1427 	hci_dev_unlock(hdev);
1428 }
1429 
1430 static void hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, struct sk_buff *skb)
1431 {
1432 	u8 status = *((u8 *) skb->data);
1433 	u8 *mode;
1434 
1435 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1436 
1437 	if (status)
1438 		return;
1439 
1440 	mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);
1441 	if (mode)
1442 		hdev->ssp_debug_mode = *mode;
1443 }
1444 
1445 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
1446 {
1447 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1448 
1449 	if (status) {
1450 		hci_conn_check_pending(hdev);
1451 		return;
1452 	}
1453 
1454 	set_bit(HCI_INQUIRY, &hdev->flags);
1455 }
1456 
1457 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
1458 {
1459 	struct hci_cp_create_conn *cp;
1460 	struct hci_conn *conn;
1461 
1462 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1463 
1464 	cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
1465 	if (!cp)
1466 		return;
1467 
1468 	hci_dev_lock(hdev);
1469 
1470 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1471 
1472 	BT_DBG("%s bdaddr %pMR hcon %p", hdev->name, &cp->bdaddr, conn);
1473 
1474 	if (status) {
1475 		if (conn && conn->state == BT_CONNECT) {
1476 			if (status != 0x0c || conn->attempt > 2) {
1477 				conn->state = BT_CLOSED;
1478 				hci_connect_cfm(conn, status);
1479 				hci_conn_del(conn);
1480 			} else
1481 				conn->state = BT_CONNECT2;
1482 		}
1483 	} else {
1484 		if (!conn) {
1485 			conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr,
1486 					    HCI_ROLE_MASTER);
1487 			if (!conn)
1488 				BT_ERR("No memory for new connection");
1489 		}
1490 	}
1491 
1492 	hci_dev_unlock(hdev);
1493 }
1494 
1495 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
1496 {
1497 	struct hci_cp_add_sco *cp;
1498 	struct hci_conn *acl, *sco;
1499 	__u16 handle;
1500 
1501 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1502 
1503 	if (!status)
1504 		return;
1505 
1506 	cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
1507 	if (!cp)
1508 		return;
1509 
1510 	handle = __le16_to_cpu(cp->handle);
1511 
1512 	BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1513 
1514 	hci_dev_lock(hdev);
1515 
1516 	acl = hci_conn_hash_lookup_handle(hdev, handle);
1517 	if (acl) {
1518 		sco = acl->link;
1519 		if (sco) {
1520 			sco->state = BT_CLOSED;
1521 
1522 			hci_connect_cfm(sco, status);
1523 			hci_conn_del(sco);
1524 		}
1525 	}
1526 
1527 	hci_dev_unlock(hdev);
1528 }
1529 
1530 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
1531 {
1532 	struct hci_cp_auth_requested *cp;
1533 	struct hci_conn *conn;
1534 
1535 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1536 
1537 	if (!status)
1538 		return;
1539 
1540 	cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
1541 	if (!cp)
1542 		return;
1543 
1544 	hci_dev_lock(hdev);
1545 
1546 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1547 	if (conn) {
1548 		if (conn->state == BT_CONFIG) {
1549 			hci_connect_cfm(conn, status);
1550 			hci_conn_drop(conn);
1551 		}
1552 	}
1553 
1554 	hci_dev_unlock(hdev);
1555 }
1556 
1557 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
1558 {
1559 	struct hci_cp_set_conn_encrypt *cp;
1560 	struct hci_conn *conn;
1561 
1562 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1563 
1564 	if (!status)
1565 		return;
1566 
1567 	cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
1568 	if (!cp)
1569 		return;
1570 
1571 	hci_dev_lock(hdev);
1572 
1573 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1574 	if (conn) {
1575 		if (conn->state == BT_CONFIG) {
1576 			hci_connect_cfm(conn, status);
1577 			hci_conn_drop(conn);
1578 		}
1579 	}
1580 
1581 	hci_dev_unlock(hdev);
1582 }
1583 
1584 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
1585 				    struct hci_conn *conn)
1586 {
1587 	if (conn->state != BT_CONFIG || !conn->out)
1588 		return 0;
1589 
1590 	if (conn->pending_sec_level == BT_SECURITY_SDP)
1591 		return 0;
1592 
1593 	/* Only request authentication for SSP connections or non-SSP
1594 	 * devices with sec_level MEDIUM or HIGH or if MITM protection
1595 	 * is requested.
1596 	 */
1597 	if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
1598 	    conn->pending_sec_level != BT_SECURITY_FIPS &&
1599 	    conn->pending_sec_level != BT_SECURITY_HIGH &&
1600 	    conn->pending_sec_level != BT_SECURITY_MEDIUM)
1601 		return 0;
1602 
1603 	return 1;
1604 }
1605 
1606 static int hci_resolve_name(struct hci_dev *hdev,
1607 				   struct inquiry_entry *e)
1608 {
1609 	struct hci_cp_remote_name_req cp;
1610 
1611 	memset(&cp, 0, sizeof(cp));
1612 
1613 	bacpy(&cp.bdaddr, &e->data.bdaddr);
1614 	cp.pscan_rep_mode = e->data.pscan_rep_mode;
1615 	cp.pscan_mode = e->data.pscan_mode;
1616 	cp.clock_offset = e->data.clock_offset;
1617 
1618 	return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
1619 }
1620 
1621 static bool hci_resolve_next_name(struct hci_dev *hdev)
1622 {
1623 	struct discovery_state *discov = &hdev->discovery;
1624 	struct inquiry_entry *e;
1625 
1626 	if (list_empty(&discov->resolve))
1627 		return false;
1628 
1629 	e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
1630 	if (!e)
1631 		return false;
1632 
1633 	if (hci_resolve_name(hdev, e) == 0) {
1634 		e->name_state = NAME_PENDING;
1635 		return true;
1636 	}
1637 
1638 	return false;
1639 }
1640 
1641 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
1642 				   bdaddr_t *bdaddr, u8 *name, u8 name_len)
1643 {
1644 	struct discovery_state *discov = &hdev->discovery;
1645 	struct inquiry_entry *e;
1646 
1647 	/* Update the mgmt connected state if necessary. Be careful with
1648 	 * conn objects that exist but are not (yet) connected however.
1649 	 * Only those in BT_CONFIG or BT_CONNECTED states can be
1650 	 * considered connected.
1651 	 */
1652 	if (conn &&
1653 	    (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) &&
1654 	    !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
1655 		mgmt_device_connected(hdev, conn, 0, name, name_len);
1656 
1657 	if (discov->state == DISCOVERY_STOPPED)
1658 		return;
1659 
1660 	if (discov->state == DISCOVERY_STOPPING)
1661 		goto discov_complete;
1662 
1663 	if (discov->state != DISCOVERY_RESOLVING)
1664 		return;
1665 
1666 	e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
1667 	/* If the device was not found in a list of found devices names of which
1668 	 * are pending. there is no need to continue resolving a next name as it
1669 	 * will be done upon receiving another Remote Name Request Complete
1670 	 * Event */
1671 	if (!e)
1672 		return;
1673 
1674 	list_del(&e->list);
1675 	if (name) {
1676 		e->name_state = NAME_KNOWN;
1677 		mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,
1678 				 e->data.rssi, name, name_len);
1679 	} else {
1680 		e->name_state = NAME_NOT_KNOWN;
1681 	}
1682 
1683 	if (hci_resolve_next_name(hdev))
1684 		return;
1685 
1686 discov_complete:
1687 	hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1688 }
1689 
1690 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
1691 {
1692 	struct hci_cp_remote_name_req *cp;
1693 	struct hci_conn *conn;
1694 
1695 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1696 
1697 	/* If successful wait for the name req complete event before
1698 	 * checking for the need to do authentication */
1699 	if (!status)
1700 		return;
1701 
1702 	cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
1703 	if (!cp)
1704 		return;
1705 
1706 	hci_dev_lock(hdev);
1707 
1708 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1709 
1710 	if (hci_dev_test_flag(hdev, HCI_MGMT))
1711 		hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
1712 
1713 	if (!conn)
1714 		goto unlock;
1715 
1716 	if (!hci_outgoing_auth_needed(hdev, conn))
1717 		goto unlock;
1718 
1719 	if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
1720 		struct hci_cp_auth_requested auth_cp;
1721 
1722 		set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
1723 
1724 		auth_cp.handle = __cpu_to_le16(conn->handle);
1725 		hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
1726 			     sizeof(auth_cp), &auth_cp);
1727 	}
1728 
1729 unlock:
1730 	hci_dev_unlock(hdev);
1731 }
1732 
1733 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
1734 {
1735 	struct hci_cp_read_remote_features *cp;
1736 	struct hci_conn *conn;
1737 
1738 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1739 
1740 	if (!status)
1741 		return;
1742 
1743 	cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
1744 	if (!cp)
1745 		return;
1746 
1747 	hci_dev_lock(hdev);
1748 
1749 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1750 	if (conn) {
1751 		if (conn->state == BT_CONFIG) {
1752 			hci_connect_cfm(conn, status);
1753 			hci_conn_drop(conn);
1754 		}
1755 	}
1756 
1757 	hci_dev_unlock(hdev);
1758 }
1759 
1760 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
1761 {
1762 	struct hci_cp_read_remote_ext_features *cp;
1763 	struct hci_conn *conn;
1764 
1765 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1766 
1767 	if (!status)
1768 		return;
1769 
1770 	cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
1771 	if (!cp)
1772 		return;
1773 
1774 	hci_dev_lock(hdev);
1775 
1776 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1777 	if (conn) {
1778 		if (conn->state == BT_CONFIG) {
1779 			hci_connect_cfm(conn, status);
1780 			hci_conn_drop(conn);
1781 		}
1782 	}
1783 
1784 	hci_dev_unlock(hdev);
1785 }
1786 
1787 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
1788 {
1789 	struct hci_cp_setup_sync_conn *cp;
1790 	struct hci_conn *acl, *sco;
1791 	__u16 handle;
1792 
1793 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1794 
1795 	if (!status)
1796 		return;
1797 
1798 	cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
1799 	if (!cp)
1800 		return;
1801 
1802 	handle = __le16_to_cpu(cp->handle);
1803 
1804 	BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1805 
1806 	hci_dev_lock(hdev);
1807 
1808 	acl = hci_conn_hash_lookup_handle(hdev, handle);
1809 	if (acl) {
1810 		sco = acl->link;
1811 		if (sco) {
1812 			sco->state = BT_CLOSED;
1813 
1814 			hci_connect_cfm(sco, status);
1815 			hci_conn_del(sco);
1816 		}
1817 	}
1818 
1819 	hci_dev_unlock(hdev);
1820 }
1821 
1822 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
1823 {
1824 	struct hci_cp_sniff_mode *cp;
1825 	struct hci_conn *conn;
1826 
1827 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1828 
1829 	if (!status)
1830 		return;
1831 
1832 	cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
1833 	if (!cp)
1834 		return;
1835 
1836 	hci_dev_lock(hdev);
1837 
1838 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1839 	if (conn) {
1840 		clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
1841 
1842 		if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
1843 			hci_sco_setup(conn, status);
1844 	}
1845 
1846 	hci_dev_unlock(hdev);
1847 }
1848 
1849 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
1850 {
1851 	struct hci_cp_exit_sniff_mode *cp;
1852 	struct hci_conn *conn;
1853 
1854 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1855 
1856 	if (!status)
1857 		return;
1858 
1859 	cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
1860 	if (!cp)
1861 		return;
1862 
1863 	hci_dev_lock(hdev);
1864 
1865 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1866 	if (conn) {
1867 		clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
1868 
1869 		if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
1870 			hci_sco_setup(conn, status);
1871 	}
1872 
1873 	hci_dev_unlock(hdev);
1874 }
1875 
1876 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
1877 {
1878 	struct hci_cp_disconnect *cp;
1879 	struct hci_conn *conn;
1880 
1881 	if (!status)
1882 		return;
1883 
1884 	cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
1885 	if (!cp)
1886 		return;
1887 
1888 	hci_dev_lock(hdev);
1889 
1890 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1891 	if (conn)
1892 		mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
1893 				       conn->dst_type, status);
1894 
1895 	hci_dev_unlock(hdev);
1896 }
1897 
1898 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
1899 {
1900 	struct hci_cp_le_create_conn *cp;
1901 	struct hci_conn *conn;
1902 
1903 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1904 
1905 	/* All connection failure handling is taken care of by the
1906 	 * hci_le_conn_failed function which is triggered by the HCI
1907 	 * request completion callbacks used for connecting.
1908 	 */
1909 	if (status)
1910 		return;
1911 
1912 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
1913 	if (!cp)
1914 		return;
1915 
1916 	hci_dev_lock(hdev);
1917 
1918 	conn = hci_conn_hash_lookup_le(hdev, &cp->peer_addr,
1919 				       cp->peer_addr_type);
1920 	if (!conn)
1921 		goto unlock;
1922 
1923 	/* Store the initiator and responder address information which
1924 	 * is needed for SMP. These values will not change during the
1925 	 * lifetime of the connection.
1926 	 */
1927 	conn->init_addr_type = cp->own_address_type;
1928 	if (cp->own_address_type == ADDR_LE_DEV_RANDOM)
1929 		bacpy(&conn->init_addr, &hdev->random_addr);
1930 	else
1931 		bacpy(&conn->init_addr, &hdev->bdaddr);
1932 
1933 	conn->resp_addr_type = cp->peer_addr_type;
1934 	bacpy(&conn->resp_addr, &cp->peer_addr);
1935 
1936 	/* We don't want the connection attempt to stick around
1937 	 * indefinitely since LE doesn't have a page timeout concept
1938 	 * like BR/EDR. Set a timer for any connection that doesn't use
1939 	 * the white list for connecting.
1940 	 */
1941 	if (cp->filter_policy == HCI_LE_USE_PEER_ADDR)
1942 		queue_delayed_work(conn->hdev->workqueue,
1943 				   &conn->le_conn_timeout,
1944 				   conn->conn_timeout);
1945 
1946 unlock:
1947 	hci_dev_unlock(hdev);
1948 }
1949 
1950 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)
1951 {
1952 	struct hci_cp_le_read_remote_features *cp;
1953 	struct hci_conn *conn;
1954 
1955 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1956 
1957 	if (!status)
1958 		return;
1959 
1960 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);
1961 	if (!cp)
1962 		return;
1963 
1964 	hci_dev_lock(hdev);
1965 
1966 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1967 	if (conn) {
1968 		if (conn->state == BT_CONFIG) {
1969 			hci_connect_cfm(conn, status);
1970 			hci_conn_drop(conn);
1971 		}
1972 	}
1973 
1974 	hci_dev_unlock(hdev);
1975 }
1976 
1977 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
1978 {
1979 	struct hci_cp_le_start_enc *cp;
1980 	struct hci_conn *conn;
1981 
1982 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
1983 
1984 	if (!status)
1985 		return;
1986 
1987 	hci_dev_lock(hdev);
1988 
1989 	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
1990 	if (!cp)
1991 		goto unlock;
1992 
1993 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1994 	if (!conn)
1995 		goto unlock;
1996 
1997 	if (conn->state != BT_CONNECTED)
1998 		goto unlock;
1999 
2000 	hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2001 	hci_conn_drop(conn);
2002 
2003 unlock:
2004 	hci_dev_unlock(hdev);
2005 }
2006 
2007 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
2008 {
2009 	struct hci_cp_switch_role *cp;
2010 	struct hci_conn *conn;
2011 
2012 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
2013 
2014 	if (!status)
2015 		return;
2016 
2017 	cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
2018 	if (!cp)
2019 		return;
2020 
2021 	hci_dev_lock(hdev);
2022 
2023 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2024 	if (conn)
2025 		clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
2026 
2027 	hci_dev_unlock(hdev);
2028 }
2029 
2030 static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2031 {
2032 	__u8 status = *((__u8 *) skb->data);
2033 	struct discovery_state *discov = &hdev->discovery;
2034 	struct inquiry_entry *e;
2035 
2036 	BT_DBG("%s status 0x%2.2x", hdev->name, status);
2037 
2038 	hci_conn_check_pending(hdev);
2039 
2040 	if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
2041 		return;
2042 
2043 	smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
2044 	wake_up_bit(&hdev->flags, HCI_INQUIRY);
2045 
2046 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
2047 		return;
2048 
2049 	hci_dev_lock(hdev);
2050 
2051 	if (discov->state != DISCOVERY_FINDING)
2052 		goto unlock;
2053 
2054 	if (list_empty(&discov->resolve)) {
2055 		/* When BR/EDR inquiry is active and no LE scanning is in
2056 		 * progress, then change discovery state to indicate completion.
2057 		 *
2058 		 * When running LE scanning and BR/EDR inquiry simultaneously
2059 		 * and the LE scan already finished, then change the discovery
2060 		 * state to indicate completion.
2061 		 */
2062 		if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2063 		    !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2064 			hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2065 		goto unlock;
2066 	}
2067 
2068 	e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2069 	if (e && hci_resolve_name(hdev, e) == 0) {
2070 		e->name_state = NAME_PENDING;
2071 		hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
2072 	} else {
2073 		/* When BR/EDR inquiry is active and no LE scanning is in
2074 		 * progress, then change discovery state to indicate completion.
2075 		 *
2076 		 * When running LE scanning and BR/EDR inquiry simultaneously
2077 		 * and the LE scan already finished, then change the discovery
2078 		 * state to indicate completion.
2079 		 */
2080 		if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2081 		    !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2082 			hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2083 	}
2084 
2085 unlock:
2086 	hci_dev_unlock(hdev);
2087 }
2088 
2089 static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
2090 {
2091 	struct inquiry_data data;
2092 	struct inquiry_info *info = (void *) (skb->data + 1);
2093 	int num_rsp = *((__u8 *) skb->data);
2094 
2095 	BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
2096 
2097 	if (!num_rsp)
2098 		return;
2099 
2100 	if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
2101 		return;
2102 
2103 	hci_dev_lock(hdev);
2104 
2105 	for (; num_rsp; num_rsp--, info++) {
2106 		u32 flags;
2107 
2108 		bacpy(&data.bdaddr, &info->bdaddr);
2109 		data.pscan_rep_mode	= info->pscan_rep_mode;
2110 		data.pscan_period_mode	= info->pscan_period_mode;
2111 		data.pscan_mode		= info->pscan_mode;
2112 		memcpy(data.dev_class, info->dev_class, 3);
2113 		data.clock_offset	= info->clock_offset;
2114 		data.rssi		= HCI_RSSI_INVALID;
2115 		data.ssp_mode		= 0x00;
2116 
2117 		flags = hci_inquiry_cache_update(hdev, &data, false);
2118 
2119 		mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
2120 				  info->dev_class, HCI_RSSI_INVALID,
2121 				  flags, NULL, 0, NULL, 0);
2122 	}
2123 
2124 	hci_dev_unlock(hdev);
2125 }
2126 
2127 static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2128 {
2129 	struct hci_ev_conn_complete *ev = (void *) skb->data;
2130 	struct hci_conn *conn;
2131 
2132 	BT_DBG("%s", hdev->name);
2133 
2134 	hci_dev_lock(hdev);
2135 
2136 	conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
2137 	if (!conn) {
2138 		if (ev->link_type != SCO_LINK)
2139 			goto unlock;
2140 
2141 		conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
2142 		if (!conn)
2143 			goto unlock;
2144 
2145 		conn->type = SCO_LINK;
2146 	}
2147 
2148 	if (!ev->status) {
2149 		conn->handle = __le16_to_cpu(ev->handle);
2150 
2151 		if (conn->type == ACL_LINK) {
2152 			conn->state = BT_CONFIG;
2153 			hci_conn_hold(conn);
2154 
2155 			if (!conn->out && !hci_conn_ssp_enabled(conn) &&
2156 			    !hci_find_link_key(hdev, &ev->bdaddr))
2157 				conn->disc_timeout = HCI_PAIRING_TIMEOUT;
2158 			else
2159 				conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2160 		} else
2161 			conn->state = BT_CONNECTED;
2162 
2163 		hci_debugfs_create_conn(conn);
2164 		hci_conn_add_sysfs(conn);
2165 
2166 		if (test_bit(HCI_AUTH, &hdev->flags))
2167 			set_bit(HCI_CONN_AUTH, &conn->flags);
2168 
2169 		if (test_bit(HCI_ENCRYPT, &hdev->flags))
2170 			set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2171 
2172 		/* Get remote features */
2173 		if (conn->type == ACL_LINK) {
2174 			struct hci_cp_read_remote_features cp;
2175 			cp.handle = ev->handle;
2176 			hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
2177 				     sizeof(cp), &cp);
2178 
2179 			hci_req_update_scan(hdev);
2180 		}
2181 
2182 		/* Set packet type for incoming connection */
2183 		if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
2184 			struct hci_cp_change_conn_ptype cp;
2185 			cp.handle = ev->handle;
2186 			cp.pkt_type = cpu_to_le16(conn->pkt_type);
2187 			hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
2188 				     &cp);
2189 		}
2190 	} else {
2191 		conn->state = BT_CLOSED;
2192 		if (conn->type == ACL_LINK)
2193 			mgmt_connect_failed(hdev, &conn->dst, conn->type,
2194 					    conn->dst_type, ev->status);
2195 	}
2196 
2197 	if (conn->type == ACL_LINK)
2198 		hci_sco_setup(conn, ev->status);
2199 
2200 	if (ev->status) {
2201 		hci_connect_cfm(conn, ev->status);
2202 		hci_conn_del(conn);
2203 	} else if (ev->link_type != ACL_LINK)
2204 		hci_connect_cfm(conn, ev->status);
2205 
2206 unlock:
2207 	hci_dev_unlock(hdev);
2208 
2209 	hci_conn_check_pending(hdev);
2210 }
2211 
2212 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
2213 {
2214 	struct hci_cp_reject_conn_req cp;
2215 
2216 	bacpy(&cp.bdaddr, bdaddr);
2217 	cp.reason = HCI_ERROR_REJ_BAD_ADDR;
2218 	hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
2219 }
2220 
2221 static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2222 {
2223 	struct hci_ev_conn_request *ev = (void *) skb->data;
2224 	int mask = hdev->link_mode;
2225 	struct inquiry_entry *ie;
2226 	struct hci_conn *conn;
2227 	__u8 flags = 0;
2228 
2229 	BT_DBG("%s bdaddr %pMR type 0x%x", hdev->name, &ev->bdaddr,
2230 	       ev->link_type);
2231 
2232 	mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
2233 				      &flags);
2234 
2235 	if (!(mask & HCI_LM_ACCEPT)) {
2236 		hci_reject_conn(hdev, &ev->bdaddr);
2237 		return;
2238 	}
2239 
2240 	if (hci_bdaddr_list_lookup(&hdev->blacklist, &ev->bdaddr,
2241 				   BDADDR_BREDR)) {
2242 		hci_reject_conn(hdev, &ev->bdaddr);
2243 		return;
2244 	}
2245 
2246 	/* Require HCI_CONNECTABLE or a whitelist entry to accept the
2247 	 * connection. These features are only touched through mgmt so
2248 	 * only do the checks if HCI_MGMT is set.
2249 	 */
2250 	if (hci_dev_test_flag(hdev, HCI_MGMT) &&
2251 	    !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
2252 	    !hci_bdaddr_list_lookup(&hdev->whitelist, &ev->bdaddr,
2253 				    BDADDR_BREDR)) {
2254 		    hci_reject_conn(hdev, &ev->bdaddr);
2255 		    return;
2256 	}
2257 
2258 	/* Connection accepted */
2259 
2260 	hci_dev_lock(hdev);
2261 
2262 	ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
2263 	if (ie)
2264 		memcpy(ie->data.dev_class, ev->dev_class, 3);
2265 
2266 	conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
2267 			&ev->bdaddr);
2268 	if (!conn) {
2269 		conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,
2270 				    HCI_ROLE_SLAVE);
2271 		if (!conn) {
2272 			BT_ERR("No memory for new connection");
2273 			hci_dev_unlock(hdev);
2274 			return;
2275 		}
2276 	}
2277 
2278 	memcpy(conn->dev_class, ev->dev_class, 3);
2279 
2280 	hci_dev_unlock(hdev);
2281 
2282 	if (ev->link_type == ACL_LINK ||
2283 	    (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
2284 		struct hci_cp_accept_conn_req cp;
2285 		conn->state = BT_CONNECT;
2286 
2287 		bacpy(&cp.bdaddr, &ev->bdaddr);
2288 
2289 		if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
2290 			cp.role = 0x00; /* Become master */
2291 		else
2292 			cp.role = 0x01; /* Remain slave */
2293 
2294 		hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
2295 	} else if (!(flags & HCI_PROTO_DEFER)) {
2296 		struct hci_cp_accept_sync_conn_req cp;
2297 		conn->state = BT_CONNECT;
2298 
2299 		bacpy(&cp.bdaddr, &ev->bdaddr);
2300 		cp.pkt_type = cpu_to_le16(conn->pkt_type);
2301 
2302 		cp.tx_bandwidth   = cpu_to_le32(0x00001f40);
2303 		cp.rx_bandwidth   = cpu_to_le32(0x00001f40);
2304 		cp.max_latency    = cpu_to_le16(0xffff);
2305 		cp.content_format = cpu_to_le16(hdev->voice_setting);
2306 		cp.retrans_effort = 0xff;
2307 
2308 		hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
2309 			     &cp);
2310 	} else {
2311 		conn->state = BT_CONNECT2;
2312 		hci_connect_cfm(conn, 0);
2313 	}
2314 }
2315 
2316 static u8 hci_to_mgmt_reason(u8 err)
2317 {
2318 	switch (err) {
2319 	case HCI_ERROR_CONNECTION_TIMEOUT:
2320 		return MGMT_DEV_DISCONN_TIMEOUT;
2321 	case HCI_ERROR_REMOTE_USER_TERM:
2322 	case HCI_ERROR_REMOTE_LOW_RESOURCES:
2323 	case HCI_ERROR_REMOTE_POWER_OFF:
2324 		return MGMT_DEV_DISCONN_REMOTE;
2325 	case HCI_ERROR_LOCAL_HOST_TERM:
2326 		return MGMT_DEV_DISCONN_LOCAL_HOST;
2327 	default:
2328 		return MGMT_DEV_DISCONN_UNKNOWN;
2329 	}
2330 }
2331 
2332 static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2333 {
2334 	struct hci_ev_disconn_complete *ev = (void *) skb->data;
2335 	u8 reason = hci_to_mgmt_reason(ev->reason);
2336 	struct hci_conn_params *params;
2337 	struct hci_conn *conn;
2338 	bool mgmt_connected;
2339 	u8 type;
2340 
2341 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2342 
2343 	hci_dev_lock(hdev);
2344 
2345 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2346 	if (!conn)
2347 		goto unlock;
2348 
2349 	if (ev->status) {
2350 		mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2351 				       conn->dst_type, ev->status);
2352 		goto unlock;
2353 	}
2354 
2355 	conn->state = BT_CLOSED;
2356 
2357 	mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2358 	mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2359 				reason, mgmt_connected);
2360 
2361 	if (conn->type == ACL_LINK) {
2362 		if (test_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2363 			hci_remove_link_key(hdev, &conn->dst);
2364 
2365 		hci_req_update_scan(hdev);
2366 	}
2367 
2368 	params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2369 	if (params) {
2370 		switch (params->auto_connect) {
2371 		case HCI_AUTO_CONN_LINK_LOSS:
2372 			if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2373 				break;
2374 			/* Fall through */
2375 
2376 		case HCI_AUTO_CONN_DIRECT:
2377 		case HCI_AUTO_CONN_ALWAYS:
2378 			list_del_init(&params->action);
2379 			list_add(&params->action, &hdev->pend_le_conns);
2380 			hci_update_background_scan(hdev);
2381 			break;
2382 
2383 		default:
2384 			break;
2385 		}
2386 	}
2387 
2388 	type = conn->type;
2389 
2390 	hci_disconn_cfm(conn, ev->reason);
2391 	hci_conn_del(conn);
2392 
2393 	/* Re-enable advertising if necessary, since it might
2394 	 * have been disabled by the connection. From the
2395 	 * HCI_LE_Set_Advertise_Enable command description in
2396 	 * the core specification (v4.0):
2397 	 * "The Controller shall continue advertising until the Host
2398 	 * issues an LE_Set_Advertise_Enable command with
2399 	 * Advertising_Enable set to 0x00 (Advertising is disabled)
2400 	 * or until a connection is created or until the Advertising
2401 	 * is timed out due to Directed Advertising."
2402 	 */
2403 	if (type == LE_LINK)
2404 		hci_req_reenable_advertising(hdev);
2405 
2406 unlock:
2407 	hci_dev_unlock(hdev);
2408 }
2409 
2410 static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2411 {
2412 	struct hci_ev_auth_complete *ev = (void *) skb->data;
2413 	struct hci_conn *conn;
2414 
2415 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2416 
2417 	hci_dev_lock(hdev);
2418 
2419 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2420 	if (!conn)
2421 		goto unlock;
2422 
2423 	if (!ev->status) {
2424 		if (!hci_conn_ssp_enabled(conn) &&
2425 		    test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) {
2426 			BT_INFO("re-auth of legacy device is not possible.");
2427 		} else {
2428 			set_bit(HCI_CONN_AUTH, &conn->flags);
2429 			conn->sec_level = conn->pending_sec_level;
2430 		}
2431 	} else {
2432 		mgmt_auth_failed(conn, ev->status);
2433 	}
2434 
2435 	clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2436 	clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
2437 
2438 	if (conn->state == BT_CONFIG) {
2439 		if (!ev->status && hci_conn_ssp_enabled(conn)) {
2440 			struct hci_cp_set_conn_encrypt cp;
2441 			cp.handle  = ev->handle;
2442 			cp.encrypt = 0x01;
2443 			hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2444 				     &cp);
2445 		} else {
2446 			conn->state = BT_CONNECTED;
2447 			hci_connect_cfm(conn, ev->status);
2448 			hci_conn_drop(conn);
2449 		}
2450 	} else {
2451 		hci_auth_cfm(conn, ev->status);
2452 
2453 		hci_conn_hold(conn);
2454 		conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2455 		hci_conn_drop(conn);
2456 	}
2457 
2458 	if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2459 		if (!ev->status) {
2460 			struct hci_cp_set_conn_encrypt cp;
2461 			cp.handle  = ev->handle;
2462 			cp.encrypt = 0x01;
2463 			hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2464 				     &cp);
2465 		} else {
2466 			clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2467 			hci_encrypt_cfm(conn, ev->status, 0x00);
2468 		}
2469 	}
2470 
2471 unlock:
2472 	hci_dev_unlock(hdev);
2473 }
2474 
2475 static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb)
2476 {
2477 	struct hci_ev_remote_name *ev = (void *) skb->data;
2478 	struct hci_conn *conn;
2479 
2480 	BT_DBG("%s", hdev->name);
2481 
2482 	hci_conn_check_pending(hdev);
2483 
2484 	hci_dev_lock(hdev);
2485 
2486 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2487 
2488 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
2489 		goto check_auth;
2490 
2491 	if (ev->status == 0)
2492 		hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
2493 				       strnlen(ev->name, HCI_MAX_NAME_LENGTH));
2494 	else
2495 		hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
2496 
2497 check_auth:
2498 	if (!conn)
2499 		goto unlock;
2500 
2501 	if (!hci_outgoing_auth_needed(hdev, conn))
2502 		goto unlock;
2503 
2504 	if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2505 		struct hci_cp_auth_requested cp;
2506 
2507 		set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2508 
2509 		cp.handle = __cpu_to_le16(conn->handle);
2510 		hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
2511 	}
2512 
2513 unlock:
2514 	hci_dev_unlock(hdev);
2515 }
2516 
2517 static void read_enc_key_size_complete(struct hci_dev *hdev, u8 status,
2518 				       u16 opcode, struct sk_buff *skb)
2519 {
2520 	const struct hci_rp_read_enc_key_size *rp;
2521 	struct hci_conn *conn;
2522 	u16 handle;
2523 
2524 	BT_DBG("%s status 0x%02x", hdev->name, status);
2525 
2526 	if (!skb || skb->len < sizeof(*rp)) {
2527 		BT_ERR("%s invalid HCI Read Encryption Key Size response",
2528 		       hdev->name);
2529 		return;
2530 	}
2531 
2532 	rp = (void *)skb->data;
2533 	handle = le16_to_cpu(rp->handle);
2534 
2535 	hci_dev_lock(hdev);
2536 
2537 	conn = hci_conn_hash_lookup_handle(hdev, handle);
2538 	if (!conn)
2539 		goto unlock;
2540 
2541 	/* If we fail to read the encryption key size, assume maximum
2542 	 * (which is the same we do also when this HCI command isn't
2543 	 * supported.
2544 	 */
2545 	if (rp->status) {
2546 		BT_ERR("%s failed to read key size for handle %u", hdev->name,
2547 		       handle);
2548 		conn->enc_key_size = HCI_LINK_KEY_SIZE;
2549 	} else {
2550 		conn->enc_key_size = rp->key_size;
2551 	}
2552 
2553 	if (conn->state == BT_CONFIG) {
2554 		conn->state = BT_CONNECTED;
2555 		hci_connect_cfm(conn, 0);
2556 		hci_conn_drop(conn);
2557 	} else {
2558 		u8 encrypt;
2559 
2560 		if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2561 			encrypt = 0x00;
2562 		else if (test_bit(HCI_CONN_AES_CCM, &conn->flags))
2563 			encrypt = 0x02;
2564 		else
2565 			encrypt = 0x01;
2566 
2567 		hci_encrypt_cfm(conn, 0, encrypt);
2568 	}
2569 
2570 unlock:
2571 	hci_dev_unlock(hdev);
2572 }
2573 
2574 static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2575 {
2576 	struct hci_ev_encrypt_change *ev = (void *) skb->data;
2577 	struct hci_conn *conn;
2578 
2579 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2580 
2581 	hci_dev_lock(hdev);
2582 
2583 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2584 	if (!conn)
2585 		goto unlock;
2586 
2587 	if (!ev->status) {
2588 		if (ev->encrypt) {
2589 			/* Encryption implies authentication */
2590 			set_bit(HCI_CONN_AUTH, &conn->flags);
2591 			set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2592 			conn->sec_level = conn->pending_sec_level;
2593 
2594 			/* P-256 authentication key implies FIPS */
2595 			if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
2596 				set_bit(HCI_CONN_FIPS, &conn->flags);
2597 
2598 			if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
2599 			    conn->type == LE_LINK)
2600 				set_bit(HCI_CONN_AES_CCM, &conn->flags);
2601 		} else {
2602 			clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
2603 			clear_bit(HCI_CONN_AES_CCM, &conn->flags);
2604 		}
2605 	}
2606 
2607 	/* We should disregard the current RPA and generate a new one
2608 	 * whenever the encryption procedure fails.
2609 	 */
2610 	if (ev->status && conn->type == LE_LINK)
2611 		hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
2612 
2613 	clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2614 
2615 	if (ev->status && conn->state == BT_CONNECTED) {
2616 		hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2617 		hci_conn_drop(conn);
2618 		goto unlock;
2619 	}
2620 
2621 	/* In Secure Connections Only mode, do not allow any connections
2622 	 * that are not encrypted with AES-CCM using a P-256 authenticated
2623 	 * combination key.
2624 	 */
2625 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) &&
2626 	    (!test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
2627 	     conn->key_type != HCI_LK_AUTH_COMBINATION_P256)) {
2628 		hci_connect_cfm(conn, HCI_ERROR_AUTH_FAILURE);
2629 		hci_conn_drop(conn);
2630 		goto unlock;
2631 	}
2632 
2633 	/* Try reading the encryption key size for encrypted ACL links */
2634 	if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
2635 		struct hci_cp_read_enc_key_size cp;
2636 		struct hci_request req;
2637 
2638 		/* Only send HCI_Read_Encryption_Key_Size if the
2639 		 * controller really supports it. If it doesn't, assume
2640 		 * the default size (16).
2641 		 */
2642 		if (!(hdev->commands[20] & 0x10)) {
2643 			conn->enc_key_size = HCI_LINK_KEY_SIZE;
2644 			goto notify;
2645 		}
2646 
2647 		hci_req_init(&req, hdev);
2648 
2649 		cp.handle = cpu_to_le16(conn->handle);
2650 		hci_req_add(&req, HCI_OP_READ_ENC_KEY_SIZE, sizeof(cp), &cp);
2651 
2652 		if (hci_req_run_skb(&req, read_enc_key_size_complete)) {
2653 			BT_ERR("Sending HCI Read Encryption Key Size failed");
2654 			conn->enc_key_size = HCI_LINK_KEY_SIZE;
2655 			goto notify;
2656 		}
2657 
2658 		goto unlock;
2659 	}
2660 
2661 notify:
2662 	if (conn->state == BT_CONFIG) {
2663 		if (!ev->status)
2664 			conn->state = BT_CONNECTED;
2665 
2666 		hci_connect_cfm(conn, ev->status);
2667 		hci_conn_drop(conn);
2668 	} else
2669 		hci_encrypt_cfm(conn, ev->status, ev->encrypt);
2670 
2671 unlock:
2672 	hci_dev_unlock(hdev);
2673 }
2674 
2675 static void hci_change_link_key_complete_evt(struct hci_dev *hdev,
2676 					     struct sk_buff *skb)
2677 {
2678 	struct hci_ev_change_link_key_complete *ev = (void *) skb->data;
2679 	struct hci_conn *conn;
2680 
2681 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2682 
2683 	hci_dev_lock(hdev);
2684 
2685 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2686 	if (conn) {
2687 		if (!ev->status)
2688 			set_bit(HCI_CONN_SECURE, &conn->flags);
2689 
2690 		clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2691 
2692 		hci_key_change_cfm(conn, ev->status);
2693 	}
2694 
2695 	hci_dev_unlock(hdev);
2696 }
2697 
2698 static void hci_remote_features_evt(struct hci_dev *hdev,
2699 				    struct sk_buff *skb)
2700 {
2701 	struct hci_ev_remote_features *ev = (void *) skb->data;
2702 	struct hci_conn *conn;
2703 
2704 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2705 
2706 	hci_dev_lock(hdev);
2707 
2708 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2709 	if (!conn)
2710 		goto unlock;
2711 
2712 	if (!ev->status)
2713 		memcpy(conn->features[0], ev->features, 8);
2714 
2715 	if (conn->state != BT_CONFIG)
2716 		goto unlock;
2717 
2718 	if (!ev->status && lmp_ext_feat_capable(hdev) &&
2719 	    lmp_ext_feat_capable(conn)) {
2720 		struct hci_cp_read_remote_ext_features cp;
2721 		cp.handle = ev->handle;
2722 		cp.page = 0x01;
2723 		hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
2724 			     sizeof(cp), &cp);
2725 		goto unlock;
2726 	}
2727 
2728 	if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
2729 		struct hci_cp_remote_name_req cp;
2730 		memset(&cp, 0, sizeof(cp));
2731 		bacpy(&cp.bdaddr, &conn->dst);
2732 		cp.pscan_rep_mode = 0x02;
2733 		hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2734 	} else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2735 		mgmt_device_connected(hdev, conn, 0, NULL, 0);
2736 
2737 	if (!hci_outgoing_auth_needed(hdev, conn)) {
2738 		conn->state = BT_CONNECTED;
2739 		hci_connect_cfm(conn, ev->status);
2740 		hci_conn_drop(conn);
2741 	}
2742 
2743 unlock:
2744 	hci_dev_unlock(hdev);
2745 }
2746 
2747 static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb,
2748 				 u16 *opcode, u8 *status,
2749 				 hci_req_complete_t *req_complete,
2750 				 hci_req_complete_skb_t *req_complete_skb)
2751 {
2752 	struct hci_ev_cmd_complete *ev = (void *) skb->data;
2753 
2754 	*opcode = __le16_to_cpu(ev->opcode);
2755 	*status = skb->data[sizeof(*ev)];
2756 
2757 	skb_pull(skb, sizeof(*ev));
2758 
2759 	switch (*opcode) {
2760 	case HCI_OP_INQUIRY_CANCEL:
2761 		hci_cc_inquiry_cancel(hdev, skb);
2762 		break;
2763 
2764 	case HCI_OP_PERIODIC_INQ:
2765 		hci_cc_periodic_inq(hdev, skb);
2766 		break;
2767 
2768 	case HCI_OP_EXIT_PERIODIC_INQ:
2769 		hci_cc_exit_periodic_inq(hdev, skb);
2770 		break;
2771 
2772 	case HCI_OP_REMOTE_NAME_REQ_CANCEL:
2773 		hci_cc_remote_name_req_cancel(hdev, skb);
2774 		break;
2775 
2776 	case HCI_OP_ROLE_DISCOVERY:
2777 		hci_cc_role_discovery(hdev, skb);
2778 		break;
2779 
2780 	case HCI_OP_READ_LINK_POLICY:
2781 		hci_cc_read_link_policy(hdev, skb);
2782 		break;
2783 
2784 	case HCI_OP_WRITE_LINK_POLICY:
2785 		hci_cc_write_link_policy(hdev, skb);
2786 		break;
2787 
2788 	case HCI_OP_READ_DEF_LINK_POLICY:
2789 		hci_cc_read_def_link_policy(hdev, skb);
2790 		break;
2791 
2792 	case HCI_OP_WRITE_DEF_LINK_POLICY:
2793 		hci_cc_write_def_link_policy(hdev, skb);
2794 		break;
2795 
2796 	case HCI_OP_RESET:
2797 		hci_cc_reset(hdev, skb);
2798 		break;
2799 
2800 	case HCI_OP_READ_STORED_LINK_KEY:
2801 		hci_cc_read_stored_link_key(hdev, skb);
2802 		break;
2803 
2804 	case HCI_OP_DELETE_STORED_LINK_KEY:
2805 		hci_cc_delete_stored_link_key(hdev, skb);
2806 		break;
2807 
2808 	case HCI_OP_WRITE_LOCAL_NAME:
2809 		hci_cc_write_local_name(hdev, skb);
2810 		break;
2811 
2812 	case HCI_OP_READ_LOCAL_NAME:
2813 		hci_cc_read_local_name(hdev, skb);
2814 		break;
2815 
2816 	case HCI_OP_WRITE_AUTH_ENABLE:
2817 		hci_cc_write_auth_enable(hdev, skb);
2818 		break;
2819 
2820 	case HCI_OP_WRITE_ENCRYPT_MODE:
2821 		hci_cc_write_encrypt_mode(hdev, skb);
2822 		break;
2823 
2824 	case HCI_OP_WRITE_SCAN_ENABLE:
2825 		hci_cc_write_scan_enable(hdev, skb);
2826 		break;
2827 
2828 	case HCI_OP_READ_CLASS_OF_DEV:
2829 		hci_cc_read_class_of_dev(hdev, skb);
2830 		break;
2831 
2832 	case HCI_OP_WRITE_CLASS_OF_DEV:
2833 		hci_cc_write_class_of_dev(hdev, skb);
2834 		break;
2835 
2836 	case HCI_OP_READ_VOICE_SETTING:
2837 		hci_cc_read_voice_setting(hdev, skb);
2838 		break;
2839 
2840 	case HCI_OP_WRITE_VOICE_SETTING:
2841 		hci_cc_write_voice_setting(hdev, skb);
2842 		break;
2843 
2844 	case HCI_OP_READ_NUM_SUPPORTED_IAC:
2845 		hci_cc_read_num_supported_iac(hdev, skb);
2846 		break;
2847 
2848 	case HCI_OP_WRITE_SSP_MODE:
2849 		hci_cc_write_ssp_mode(hdev, skb);
2850 		break;
2851 
2852 	case HCI_OP_WRITE_SC_SUPPORT:
2853 		hci_cc_write_sc_support(hdev, skb);
2854 		break;
2855 
2856 	case HCI_OP_READ_LOCAL_VERSION:
2857 		hci_cc_read_local_version(hdev, skb);
2858 		break;
2859 
2860 	case HCI_OP_READ_LOCAL_COMMANDS:
2861 		hci_cc_read_local_commands(hdev, skb);
2862 		break;
2863 
2864 	case HCI_OP_READ_LOCAL_FEATURES:
2865 		hci_cc_read_local_features(hdev, skb);
2866 		break;
2867 
2868 	case HCI_OP_READ_LOCAL_EXT_FEATURES:
2869 		hci_cc_read_local_ext_features(hdev, skb);
2870 		break;
2871 
2872 	case HCI_OP_READ_BUFFER_SIZE:
2873 		hci_cc_read_buffer_size(hdev, skb);
2874 		break;
2875 
2876 	case HCI_OP_READ_BD_ADDR:
2877 		hci_cc_read_bd_addr(hdev, skb);
2878 		break;
2879 
2880 	case HCI_OP_READ_PAGE_SCAN_ACTIVITY:
2881 		hci_cc_read_page_scan_activity(hdev, skb);
2882 		break;
2883 
2884 	case HCI_OP_WRITE_PAGE_SCAN_ACTIVITY:
2885 		hci_cc_write_page_scan_activity(hdev, skb);
2886 		break;
2887 
2888 	case HCI_OP_READ_PAGE_SCAN_TYPE:
2889 		hci_cc_read_page_scan_type(hdev, skb);
2890 		break;
2891 
2892 	case HCI_OP_WRITE_PAGE_SCAN_TYPE:
2893 		hci_cc_write_page_scan_type(hdev, skb);
2894 		break;
2895 
2896 	case HCI_OP_READ_DATA_BLOCK_SIZE:
2897 		hci_cc_read_data_block_size(hdev, skb);
2898 		break;
2899 
2900 	case HCI_OP_READ_FLOW_CONTROL_MODE:
2901 		hci_cc_read_flow_control_mode(hdev, skb);
2902 		break;
2903 
2904 	case HCI_OP_READ_LOCAL_AMP_INFO:
2905 		hci_cc_read_local_amp_info(hdev, skb);
2906 		break;
2907 
2908 	case HCI_OP_READ_CLOCK:
2909 		hci_cc_read_clock(hdev, skb);
2910 		break;
2911 
2912 	case HCI_OP_READ_INQ_RSP_TX_POWER:
2913 		hci_cc_read_inq_rsp_tx_power(hdev, skb);
2914 		break;
2915 
2916 	case HCI_OP_PIN_CODE_REPLY:
2917 		hci_cc_pin_code_reply(hdev, skb);
2918 		break;
2919 
2920 	case HCI_OP_PIN_CODE_NEG_REPLY:
2921 		hci_cc_pin_code_neg_reply(hdev, skb);
2922 		break;
2923 
2924 	case HCI_OP_READ_LOCAL_OOB_DATA:
2925 		hci_cc_read_local_oob_data(hdev, skb);
2926 		break;
2927 
2928 	case HCI_OP_READ_LOCAL_OOB_EXT_DATA:
2929 		hci_cc_read_local_oob_ext_data(hdev, skb);
2930 		break;
2931 
2932 	case HCI_OP_LE_READ_BUFFER_SIZE:
2933 		hci_cc_le_read_buffer_size(hdev, skb);
2934 		break;
2935 
2936 	case HCI_OP_LE_READ_LOCAL_FEATURES:
2937 		hci_cc_le_read_local_features(hdev, skb);
2938 		break;
2939 
2940 	case HCI_OP_LE_READ_ADV_TX_POWER:
2941 		hci_cc_le_read_adv_tx_power(hdev, skb);
2942 		break;
2943 
2944 	case HCI_OP_USER_CONFIRM_REPLY:
2945 		hci_cc_user_confirm_reply(hdev, skb);
2946 		break;
2947 
2948 	case HCI_OP_USER_CONFIRM_NEG_REPLY:
2949 		hci_cc_user_confirm_neg_reply(hdev, skb);
2950 		break;
2951 
2952 	case HCI_OP_USER_PASSKEY_REPLY:
2953 		hci_cc_user_passkey_reply(hdev, skb);
2954 		break;
2955 
2956 	case HCI_OP_USER_PASSKEY_NEG_REPLY:
2957 		hci_cc_user_passkey_neg_reply(hdev, skb);
2958 		break;
2959 
2960 	case HCI_OP_LE_SET_RANDOM_ADDR:
2961 		hci_cc_le_set_random_addr(hdev, skb);
2962 		break;
2963 
2964 	case HCI_OP_LE_SET_ADV_ENABLE:
2965 		hci_cc_le_set_adv_enable(hdev, skb);
2966 		break;
2967 
2968 	case HCI_OP_LE_SET_SCAN_PARAM:
2969 		hci_cc_le_set_scan_param(hdev, skb);
2970 		break;
2971 
2972 	case HCI_OP_LE_SET_SCAN_ENABLE:
2973 		hci_cc_le_set_scan_enable(hdev, skb);
2974 		break;
2975 
2976 	case HCI_OP_LE_READ_WHITE_LIST_SIZE:
2977 		hci_cc_le_read_white_list_size(hdev, skb);
2978 		break;
2979 
2980 	case HCI_OP_LE_CLEAR_WHITE_LIST:
2981 		hci_cc_le_clear_white_list(hdev, skb);
2982 		break;
2983 
2984 	case HCI_OP_LE_ADD_TO_WHITE_LIST:
2985 		hci_cc_le_add_to_white_list(hdev, skb);
2986 		break;
2987 
2988 	case HCI_OP_LE_DEL_FROM_WHITE_LIST:
2989 		hci_cc_le_del_from_white_list(hdev, skb);
2990 		break;
2991 
2992 	case HCI_OP_LE_READ_SUPPORTED_STATES:
2993 		hci_cc_le_read_supported_states(hdev, skb);
2994 		break;
2995 
2996 	case HCI_OP_LE_READ_DEF_DATA_LEN:
2997 		hci_cc_le_read_def_data_len(hdev, skb);
2998 		break;
2999 
3000 	case HCI_OP_LE_WRITE_DEF_DATA_LEN:
3001 		hci_cc_le_write_def_data_len(hdev, skb);
3002 		break;
3003 
3004 	case HCI_OP_LE_READ_MAX_DATA_LEN:
3005 		hci_cc_le_read_max_data_len(hdev, skb);
3006 		break;
3007 
3008 	case HCI_OP_WRITE_LE_HOST_SUPPORTED:
3009 		hci_cc_write_le_host_supported(hdev, skb);
3010 		break;
3011 
3012 	case HCI_OP_LE_SET_ADV_PARAM:
3013 		hci_cc_set_adv_param(hdev, skb);
3014 		break;
3015 
3016 	case HCI_OP_READ_RSSI:
3017 		hci_cc_read_rssi(hdev, skb);
3018 		break;
3019 
3020 	case HCI_OP_READ_TX_POWER:
3021 		hci_cc_read_tx_power(hdev, skb);
3022 		break;
3023 
3024 	case HCI_OP_WRITE_SSP_DEBUG_MODE:
3025 		hci_cc_write_ssp_debug_mode(hdev, skb);
3026 		break;
3027 
3028 	default:
3029 		BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3030 		break;
3031 	}
3032 
3033 	if (*opcode != HCI_OP_NOP)
3034 		cancel_delayed_work(&hdev->cmd_timer);
3035 
3036 	if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3037 		atomic_set(&hdev->cmd_cnt, 1);
3038 
3039 	hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
3040 			     req_complete_skb);
3041 
3042 	if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3043 		queue_work(hdev->workqueue, &hdev->cmd_work);
3044 }
3045 
3046 static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb,
3047 			       u16 *opcode, u8 *status,
3048 			       hci_req_complete_t *req_complete,
3049 			       hci_req_complete_skb_t *req_complete_skb)
3050 {
3051 	struct hci_ev_cmd_status *ev = (void *) skb->data;
3052 
3053 	skb_pull(skb, sizeof(*ev));
3054 
3055 	*opcode = __le16_to_cpu(ev->opcode);
3056 	*status = ev->status;
3057 
3058 	switch (*opcode) {
3059 	case HCI_OP_INQUIRY:
3060 		hci_cs_inquiry(hdev, ev->status);
3061 		break;
3062 
3063 	case HCI_OP_CREATE_CONN:
3064 		hci_cs_create_conn(hdev, ev->status);
3065 		break;
3066 
3067 	case HCI_OP_DISCONNECT:
3068 		hci_cs_disconnect(hdev, ev->status);
3069 		break;
3070 
3071 	case HCI_OP_ADD_SCO:
3072 		hci_cs_add_sco(hdev, ev->status);
3073 		break;
3074 
3075 	case HCI_OP_AUTH_REQUESTED:
3076 		hci_cs_auth_requested(hdev, ev->status);
3077 		break;
3078 
3079 	case HCI_OP_SET_CONN_ENCRYPT:
3080 		hci_cs_set_conn_encrypt(hdev, ev->status);
3081 		break;
3082 
3083 	case HCI_OP_REMOTE_NAME_REQ:
3084 		hci_cs_remote_name_req(hdev, ev->status);
3085 		break;
3086 
3087 	case HCI_OP_READ_REMOTE_FEATURES:
3088 		hci_cs_read_remote_features(hdev, ev->status);
3089 		break;
3090 
3091 	case HCI_OP_READ_REMOTE_EXT_FEATURES:
3092 		hci_cs_read_remote_ext_features(hdev, ev->status);
3093 		break;
3094 
3095 	case HCI_OP_SETUP_SYNC_CONN:
3096 		hci_cs_setup_sync_conn(hdev, ev->status);
3097 		break;
3098 
3099 	case HCI_OP_SNIFF_MODE:
3100 		hci_cs_sniff_mode(hdev, ev->status);
3101 		break;
3102 
3103 	case HCI_OP_EXIT_SNIFF_MODE:
3104 		hci_cs_exit_sniff_mode(hdev, ev->status);
3105 		break;
3106 
3107 	case HCI_OP_SWITCH_ROLE:
3108 		hci_cs_switch_role(hdev, ev->status);
3109 		break;
3110 
3111 	case HCI_OP_LE_CREATE_CONN:
3112 		hci_cs_le_create_conn(hdev, ev->status);
3113 		break;
3114 
3115 	case HCI_OP_LE_READ_REMOTE_FEATURES:
3116 		hci_cs_le_read_remote_features(hdev, ev->status);
3117 		break;
3118 
3119 	case HCI_OP_LE_START_ENC:
3120 		hci_cs_le_start_enc(hdev, ev->status);
3121 		break;
3122 
3123 	default:
3124 		BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3125 		break;
3126 	}
3127 
3128 	if (*opcode != HCI_OP_NOP)
3129 		cancel_delayed_work(&hdev->cmd_timer);
3130 
3131 	if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3132 		atomic_set(&hdev->cmd_cnt, 1);
3133 
3134 	/* Indicate request completion if the command failed. Also, if
3135 	 * we're not waiting for a special event and we get a success
3136 	 * command status we should try to flag the request as completed
3137 	 * (since for this kind of commands there will not be a command
3138 	 * complete event).
3139 	 */
3140 	if (ev->status ||
3141 	    (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->hci.req_event))
3142 		hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
3143 				     req_complete_skb);
3144 
3145 	if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3146 		queue_work(hdev->workqueue, &hdev->cmd_work);
3147 }
3148 
3149 static void hci_hardware_error_evt(struct hci_dev *hdev, struct sk_buff *skb)
3150 {
3151 	struct hci_ev_hardware_error *ev = (void *) skb->data;
3152 
3153 	hdev->hw_error_code = ev->code;
3154 
3155 	queue_work(hdev->req_workqueue, &hdev->error_reset);
3156 }
3157 
3158 static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3159 {
3160 	struct hci_ev_role_change *ev = (void *) skb->data;
3161 	struct hci_conn *conn;
3162 
3163 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3164 
3165 	hci_dev_lock(hdev);
3166 
3167 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3168 	if (conn) {
3169 		if (!ev->status)
3170 			conn->role = ev->role;
3171 
3172 		clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
3173 
3174 		hci_role_switch_cfm(conn, ev->status, ev->role);
3175 	}
3176 
3177 	hci_dev_unlock(hdev);
3178 }
3179 
3180 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb)
3181 {
3182 	struct hci_ev_num_comp_pkts *ev = (void *) skb->data;
3183 	int i;
3184 
3185 	if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
3186 		BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode);
3187 		return;
3188 	}
3189 
3190 	if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
3191 	    ev->num_hndl * sizeof(struct hci_comp_pkts_info)) {
3192 		BT_DBG("%s bad parameters", hdev->name);
3193 		return;
3194 	}
3195 
3196 	BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl);
3197 
3198 	for (i = 0; i < ev->num_hndl; i++) {
3199 		struct hci_comp_pkts_info *info = &ev->handles[i];
3200 		struct hci_conn *conn;
3201 		__u16  handle, count;
3202 
3203 		handle = __le16_to_cpu(info->handle);
3204 		count  = __le16_to_cpu(info->count);
3205 
3206 		conn = hci_conn_hash_lookup_handle(hdev, handle);
3207 		if (!conn)
3208 			continue;
3209 
3210 		conn->sent -= count;
3211 
3212 		switch (conn->type) {
3213 		case ACL_LINK:
3214 			hdev->acl_cnt += count;
3215 			if (hdev->acl_cnt > hdev->acl_pkts)
3216 				hdev->acl_cnt = hdev->acl_pkts;
3217 			break;
3218 
3219 		case LE_LINK:
3220 			if (hdev->le_pkts) {
3221 				hdev->le_cnt += count;
3222 				if (hdev->le_cnt > hdev->le_pkts)
3223 					hdev->le_cnt = hdev->le_pkts;
3224 			} else {
3225 				hdev->acl_cnt += count;
3226 				if (hdev->acl_cnt > hdev->acl_pkts)
3227 					hdev->acl_cnt = hdev->acl_pkts;
3228 			}
3229 			break;
3230 
3231 		case SCO_LINK:
3232 			hdev->sco_cnt += count;
3233 			if (hdev->sco_cnt > hdev->sco_pkts)
3234 				hdev->sco_cnt = hdev->sco_pkts;
3235 			break;
3236 
3237 		default:
3238 			BT_ERR("Unknown type %d conn %p", conn->type, conn);
3239 			break;
3240 		}
3241 	}
3242 
3243 	queue_work(hdev->workqueue, &hdev->tx_work);
3244 }
3245 
3246 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
3247 						 __u16 handle)
3248 {
3249 	struct hci_chan *chan;
3250 
3251 	switch (hdev->dev_type) {
3252 	case HCI_BREDR:
3253 		return hci_conn_hash_lookup_handle(hdev, handle);
3254 	case HCI_AMP:
3255 		chan = hci_chan_lookup_handle(hdev, handle);
3256 		if (chan)
3257 			return chan->conn;
3258 		break;
3259 	default:
3260 		BT_ERR("%s unknown dev_type %d", hdev->name, hdev->dev_type);
3261 		break;
3262 	}
3263 
3264 	return NULL;
3265 }
3266 
3267 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb)
3268 {
3269 	struct hci_ev_num_comp_blocks *ev = (void *) skb->data;
3270 	int i;
3271 
3272 	if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
3273 		BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode);
3274 		return;
3275 	}
3276 
3277 	if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
3278 	    ev->num_hndl * sizeof(struct hci_comp_blocks_info)) {
3279 		BT_DBG("%s bad parameters", hdev->name);
3280 		return;
3281 	}
3282 
3283 	BT_DBG("%s num_blocks %d num_hndl %d", hdev->name, ev->num_blocks,
3284 	       ev->num_hndl);
3285 
3286 	for (i = 0; i < ev->num_hndl; i++) {
3287 		struct hci_comp_blocks_info *info = &ev->handles[i];
3288 		struct hci_conn *conn = NULL;
3289 		__u16  handle, block_count;
3290 
3291 		handle = __le16_to_cpu(info->handle);
3292 		block_count = __le16_to_cpu(info->blocks);
3293 
3294 		conn = __hci_conn_lookup_handle(hdev, handle);
3295 		if (!conn)
3296 			continue;
3297 
3298 		conn->sent -= block_count;
3299 
3300 		switch (conn->type) {
3301 		case ACL_LINK:
3302 		case AMP_LINK:
3303 			hdev->block_cnt += block_count;
3304 			if (hdev->block_cnt > hdev->num_blocks)
3305 				hdev->block_cnt = hdev->num_blocks;
3306 			break;
3307 
3308 		default:
3309 			BT_ERR("Unknown type %d conn %p", conn->type, conn);
3310 			break;
3311 		}
3312 	}
3313 
3314 	queue_work(hdev->workqueue, &hdev->tx_work);
3315 }
3316 
3317 static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3318 {
3319 	struct hci_ev_mode_change *ev = (void *) skb->data;
3320 	struct hci_conn *conn;
3321 
3322 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3323 
3324 	hci_dev_lock(hdev);
3325 
3326 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3327 	if (conn) {
3328 		conn->mode = ev->mode;
3329 
3330 		if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
3331 					&conn->flags)) {
3332 			if (conn->mode == HCI_CM_ACTIVE)
3333 				set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3334 			else
3335 				clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3336 		}
3337 
3338 		if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
3339 			hci_sco_setup(conn, ev->status);
3340 	}
3341 
3342 	hci_dev_unlock(hdev);
3343 }
3344 
3345 static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3346 {
3347 	struct hci_ev_pin_code_req *ev = (void *) skb->data;
3348 	struct hci_conn *conn;
3349 
3350 	BT_DBG("%s", hdev->name);
3351 
3352 	hci_dev_lock(hdev);
3353 
3354 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3355 	if (!conn)
3356 		goto unlock;
3357 
3358 	if (conn->state == BT_CONNECTED) {
3359 		hci_conn_hold(conn);
3360 		conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3361 		hci_conn_drop(conn);
3362 	}
3363 
3364 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
3365 	    !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
3366 		hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
3367 			     sizeof(ev->bdaddr), &ev->bdaddr);
3368 	} else if (hci_dev_test_flag(hdev, HCI_MGMT)) {
3369 		u8 secure;
3370 
3371 		if (conn->pending_sec_level == BT_SECURITY_HIGH)
3372 			secure = 1;
3373 		else
3374 			secure = 0;
3375 
3376 		mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
3377 	}
3378 
3379 unlock:
3380 	hci_dev_unlock(hdev);
3381 }
3382 
3383 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
3384 {
3385 	if (key_type == HCI_LK_CHANGED_COMBINATION)
3386 		return;
3387 
3388 	conn->pin_length = pin_len;
3389 	conn->key_type = key_type;
3390 
3391 	switch (key_type) {
3392 	case HCI_LK_LOCAL_UNIT:
3393 	case HCI_LK_REMOTE_UNIT:
3394 	case HCI_LK_DEBUG_COMBINATION:
3395 		return;
3396 	case HCI_LK_COMBINATION:
3397 		if (pin_len == 16)
3398 			conn->pending_sec_level = BT_SECURITY_HIGH;
3399 		else
3400 			conn->pending_sec_level = BT_SECURITY_MEDIUM;
3401 		break;
3402 	case HCI_LK_UNAUTH_COMBINATION_P192:
3403 	case HCI_LK_UNAUTH_COMBINATION_P256:
3404 		conn->pending_sec_level = BT_SECURITY_MEDIUM;
3405 		break;
3406 	case HCI_LK_AUTH_COMBINATION_P192:
3407 		conn->pending_sec_level = BT_SECURITY_HIGH;
3408 		break;
3409 	case HCI_LK_AUTH_COMBINATION_P256:
3410 		conn->pending_sec_level = BT_SECURITY_FIPS;
3411 		break;
3412 	}
3413 }
3414 
3415 static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3416 {
3417 	struct hci_ev_link_key_req *ev = (void *) skb->data;
3418 	struct hci_cp_link_key_reply cp;
3419 	struct hci_conn *conn;
3420 	struct link_key *key;
3421 
3422 	BT_DBG("%s", hdev->name);
3423 
3424 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
3425 		return;
3426 
3427 	hci_dev_lock(hdev);
3428 
3429 	key = hci_find_link_key(hdev, &ev->bdaddr);
3430 	if (!key) {
3431 		BT_DBG("%s link key not found for %pMR", hdev->name,
3432 		       &ev->bdaddr);
3433 		goto not_found;
3434 	}
3435 
3436 	BT_DBG("%s found key type %u for %pMR", hdev->name, key->type,
3437 	       &ev->bdaddr);
3438 
3439 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3440 	if (conn) {
3441 		clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3442 
3443 		if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
3444 		     key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
3445 		    conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
3446 			BT_DBG("%s ignoring unauthenticated key", hdev->name);
3447 			goto not_found;
3448 		}
3449 
3450 		if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
3451 		    (conn->pending_sec_level == BT_SECURITY_HIGH ||
3452 		     conn->pending_sec_level == BT_SECURITY_FIPS)) {
3453 			BT_DBG("%s ignoring key unauthenticated for high security",
3454 			       hdev->name);
3455 			goto not_found;
3456 		}
3457 
3458 		conn_set_key(conn, key->type, key->pin_len);
3459 	}
3460 
3461 	bacpy(&cp.bdaddr, &ev->bdaddr);
3462 	memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
3463 
3464 	hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
3465 
3466 	hci_dev_unlock(hdev);
3467 
3468 	return;
3469 
3470 not_found:
3471 	hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
3472 	hci_dev_unlock(hdev);
3473 }
3474 
3475 static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
3476 {
3477 	struct hci_ev_link_key_notify *ev = (void *) skb->data;
3478 	struct hci_conn *conn;
3479 	struct link_key *key;
3480 	bool persistent;
3481 	u8 pin_len = 0;
3482 
3483 	BT_DBG("%s", hdev->name);
3484 
3485 	hci_dev_lock(hdev);
3486 
3487 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3488 	if (!conn)
3489 		goto unlock;
3490 
3491 	hci_conn_hold(conn);
3492 	conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3493 	hci_conn_drop(conn);
3494 
3495 	set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3496 	conn_set_key(conn, ev->key_type, conn->pin_length);
3497 
3498 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
3499 		goto unlock;
3500 
3501 	key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
3502 			        ev->key_type, pin_len, &persistent);
3503 	if (!key)
3504 		goto unlock;
3505 
3506 	/* Update connection information since adding the key will have
3507 	 * fixed up the type in the case of changed combination keys.
3508 	 */
3509 	if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
3510 		conn_set_key(conn, key->type, key->pin_len);
3511 
3512 	mgmt_new_link_key(hdev, key, persistent);
3513 
3514 	/* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
3515 	 * is set. If it's not set simply remove the key from the kernel
3516 	 * list (we've still notified user space about it but with
3517 	 * store_hint being 0).
3518 	 */
3519 	if (key->type == HCI_LK_DEBUG_COMBINATION &&
3520 	    !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {
3521 		list_del_rcu(&key->list);
3522 		kfree_rcu(key, rcu);
3523 		goto unlock;
3524 	}
3525 
3526 	if (persistent)
3527 		clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3528 	else
3529 		set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3530 
3531 unlock:
3532 	hci_dev_unlock(hdev);
3533 }
3534 
3535 static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb)
3536 {
3537 	struct hci_ev_clock_offset *ev = (void *) skb->data;
3538 	struct hci_conn *conn;
3539 
3540 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3541 
3542 	hci_dev_lock(hdev);
3543 
3544 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3545 	if (conn && !ev->status) {
3546 		struct inquiry_entry *ie;
3547 
3548 		ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
3549 		if (ie) {
3550 			ie->data.clock_offset = ev->clock_offset;
3551 			ie->timestamp = jiffies;
3552 		}
3553 	}
3554 
3555 	hci_dev_unlock(hdev);
3556 }
3557 
3558 static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3559 {
3560 	struct hci_ev_pkt_type_change *ev = (void *) skb->data;
3561 	struct hci_conn *conn;
3562 
3563 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3564 
3565 	hci_dev_lock(hdev);
3566 
3567 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3568 	if (conn && !ev->status)
3569 		conn->pkt_type = __le16_to_cpu(ev->pkt_type);
3570 
3571 	hci_dev_unlock(hdev);
3572 }
3573 
3574 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb)
3575 {
3576 	struct hci_ev_pscan_rep_mode *ev = (void *) skb->data;
3577 	struct inquiry_entry *ie;
3578 
3579 	BT_DBG("%s", hdev->name);
3580 
3581 	hci_dev_lock(hdev);
3582 
3583 	ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3584 	if (ie) {
3585 		ie->data.pscan_rep_mode = ev->pscan_rep_mode;
3586 		ie->timestamp = jiffies;
3587 	}
3588 
3589 	hci_dev_unlock(hdev);
3590 }
3591 
3592 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev,
3593 					     struct sk_buff *skb)
3594 {
3595 	struct inquiry_data data;
3596 	int num_rsp = *((__u8 *) skb->data);
3597 
3598 	BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
3599 
3600 	if (!num_rsp)
3601 		return;
3602 
3603 	if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3604 		return;
3605 
3606 	hci_dev_lock(hdev);
3607 
3608 	if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
3609 		struct inquiry_info_with_rssi_and_pscan_mode *info;
3610 		info = (void *) (skb->data + 1);
3611 
3612 		for (; num_rsp; num_rsp--, info++) {
3613 			u32 flags;
3614 
3615 			bacpy(&data.bdaddr, &info->bdaddr);
3616 			data.pscan_rep_mode	= info->pscan_rep_mode;
3617 			data.pscan_period_mode	= info->pscan_period_mode;
3618 			data.pscan_mode		= info->pscan_mode;
3619 			memcpy(data.dev_class, info->dev_class, 3);
3620 			data.clock_offset	= info->clock_offset;
3621 			data.rssi		= info->rssi;
3622 			data.ssp_mode		= 0x00;
3623 
3624 			flags = hci_inquiry_cache_update(hdev, &data, false);
3625 
3626 			mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3627 					  info->dev_class, info->rssi,
3628 					  flags, NULL, 0, NULL, 0);
3629 		}
3630 	} else {
3631 		struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
3632 
3633 		for (; num_rsp; num_rsp--, info++) {
3634 			u32 flags;
3635 
3636 			bacpy(&data.bdaddr, &info->bdaddr);
3637 			data.pscan_rep_mode	= info->pscan_rep_mode;
3638 			data.pscan_period_mode	= info->pscan_period_mode;
3639 			data.pscan_mode		= 0x00;
3640 			memcpy(data.dev_class, info->dev_class, 3);
3641 			data.clock_offset	= info->clock_offset;
3642 			data.rssi		= info->rssi;
3643 			data.ssp_mode		= 0x00;
3644 
3645 			flags = hci_inquiry_cache_update(hdev, &data, false);
3646 
3647 			mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3648 					  info->dev_class, info->rssi,
3649 					  flags, NULL, 0, NULL, 0);
3650 		}
3651 	}
3652 
3653 	hci_dev_unlock(hdev);
3654 }
3655 
3656 static void hci_remote_ext_features_evt(struct hci_dev *hdev,
3657 					struct sk_buff *skb)
3658 {
3659 	struct hci_ev_remote_ext_features *ev = (void *) skb->data;
3660 	struct hci_conn *conn;
3661 
3662 	BT_DBG("%s", hdev->name);
3663 
3664 	hci_dev_lock(hdev);
3665 
3666 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3667 	if (!conn)
3668 		goto unlock;
3669 
3670 	if (ev->page < HCI_MAX_PAGES)
3671 		memcpy(conn->features[ev->page], ev->features, 8);
3672 
3673 	if (!ev->status && ev->page == 0x01) {
3674 		struct inquiry_entry *ie;
3675 
3676 		ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
3677 		if (ie)
3678 			ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
3679 
3680 		if (ev->features[0] & LMP_HOST_SSP) {
3681 			set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
3682 		} else {
3683 			/* It is mandatory by the Bluetooth specification that
3684 			 * Extended Inquiry Results are only used when Secure
3685 			 * Simple Pairing is enabled, but some devices violate
3686 			 * this.
3687 			 *
3688 			 * To make these devices work, the internal SSP
3689 			 * enabled flag needs to be cleared if the remote host
3690 			 * features do not indicate SSP support */
3691 			clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
3692 		}
3693 
3694 		if (ev->features[0] & LMP_HOST_SC)
3695 			set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
3696 	}
3697 
3698 	if (conn->state != BT_CONFIG)
3699 		goto unlock;
3700 
3701 	if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3702 		struct hci_cp_remote_name_req cp;
3703 		memset(&cp, 0, sizeof(cp));
3704 		bacpy(&cp.bdaddr, &conn->dst);
3705 		cp.pscan_rep_mode = 0x02;
3706 		hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3707 	} else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3708 		mgmt_device_connected(hdev, conn, 0, NULL, 0);
3709 
3710 	if (!hci_outgoing_auth_needed(hdev, conn)) {
3711 		conn->state = BT_CONNECTED;
3712 		hci_connect_cfm(conn, ev->status);
3713 		hci_conn_drop(conn);
3714 	}
3715 
3716 unlock:
3717 	hci_dev_unlock(hdev);
3718 }
3719 
3720 static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
3721 				       struct sk_buff *skb)
3722 {
3723 	struct hci_ev_sync_conn_complete *ev = (void *) skb->data;
3724 	struct hci_conn *conn;
3725 
3726 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3727 
3728 	hci_dev_lock(hdev);
3729 
3730 	conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
3731 	if (!conn) {
3732 		if (ev->link_type == ESCO_LINK)
3733 			goto unlock;
3734 
3735 		/* When the link type in the event indicates SCO connection
3736 		 * and lookup of the connection object fails, then check
3737 		 * if an eSCO connection object exists.
3738 		 *
3739 		 * The core limits the synchronous connections to either
3740 		 * SCO or eSCO. The eSCO connection is preferred and tried
3741 		 * to be setup first and until successfully established,
3742 		 * the link type will be hinted as eSCO.
3743 		 */
3744 		conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
3745 		if (!conn)
3746 			goto unlock;
3747 	}
3748 
3749 	switch (ev->status) {
3750 	case 0x00:
3751 		conn->handle = __le16_to_cpu(ev->handle);
3752 		conn->state  = BT_CONNECTED;
3753 		conn->type   = ev->link_type;
3754 
3755 		hci_debugfs_create_conn(conn);
3756 		hci_conn_add_sysfs(conn);
3757 		break;
3758 
3759 	case 0x10:	/* Connection Accept Timeout */
3760 	case 0x0d:	/* Connection Rejected due to Limited Resources */
3761 	case 0x11:	/* Unsupported Feature or Parameter Value */
3762 	case 0x1c:	/* SCO interval rejected */
3763 	case 0x1a:	/* Unsupported Remote Feature */
3764 	case 0x1f:	/* Unspecified error */
3765 	case 0x20:	/* Unsupported LMP Parameter value */
3766 		if (conn->out) {
3767 			conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
3768 					(hdev->esco_type & EDR_ESCO_MASK);
3769 			if (hci_setup_sync(conn, conn->link->handle))
3770 				goto unlock;
3771 		}
3772 		/* fall through */
3773 
3774 	default:
3775 		conn->state = BT_CLOSED;
3776 		break;
3777 	}
3778 
3779 	hci_connect_cfm(conn, ev->status);
3780 	if (ev->status)
3781 		hci_conn_del(conn);
3782 
3783 unlock:
3784 	hci_dev_unlock(hdev);
3785 }
3786 
3787 static inline size_t eir_get_length(u8 *eir, size_t eir_len)
3788 {
3789 	size_t parsed = 0;
3790 
3791 	while (parsed < eir_len) {
3792 		u8 field_len = eir[0];
3793 
3794 		if (field_len == 0)
3795 			return parsed;
3796 
3797 		parsed += field_len + 1;
3798 		eir += field_len + 1;
3799 	}
3800 
3801 	return eir_len;
3802 }
3803 
3804 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev,
3805 					    struct sk_buff *skb)
3806 {
3807 	struct inquiry_data data;
3808 	struct extended_inquiry_info *info = (void *) (skb->data + 1);
3809 	int num_rsp = *((__u8 *) skb->data);
3810 	size_t eir_len;
3811 
3812 	BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
3813 
3814 	if (!num_rsp)
3815 		return;
3816 
3817 	if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3818 		return;
3819 
3820 	hci_dev_lock(hdev);
3821 
3822 	for (; num_rsp; num_rsp--, info++) {
3823 		u32 flags;
3824 		bool name_known;
3825 
3826 		bacpy(&data.bdaddr, &info->bdaddr);
3827 		data.pscan_rep_mode	= info->pscan_rep_mode;
3828 		data.pscan_period_mode	= info->pscan_period_mode;
3829 		data.pscan_mode		= 0x00;
3830 		memcpy(data.dev_class, info->dev_class, 3);
3831 		data.clock_offset	= info->clock_offset;
3832 		data.rssi		= info->rssi;
3833 		data.ssp_mode		= 0x01;
3834 
3835 		if (hci_dev_test_flag(hdev, HCI_MGMT))
3836 			name_known = eir_get_data(info->data,
3837 						  sizeof(info->data),
3838 						  EIR_NAME_COMPLETE, NULL);
3839 		else
3840 			name_known = true;
3841 
3842 		flags = hci_inquiry_cache_update(hdev, &data, name_known);
3843 
3844 		eir_len = eir_get_length(info->data, sizeof(info->data));
3845 
3846 		mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3847 				  info->dev_class, info->rssi,
3848 				  flags, info->data, eir_len, NULL, 0);
3849 	}
3850 
3851 	hci_dev_unlock(hdev);
3852 }
3853 
3854 static void hci_key_refresh_complete_evt(struct hci_dev *hdev,
3855 					 struct sk_buff *skb)
3856 {
3857 	struct hci_ev_key_refresh_complete *ev = (void *) skb->data;
3858 	struct hci_conn *conn;
3859 
3860 	BT_DBG("%s status 0x%2.2x handle 0x%4.4x", hdev->name, ev->status,
3861 	       __le16_to_cpu(ev->handle));
3862 
3863 	hci_dev_lock(hdev);
3864 
3865 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3866 	if (!conn)
3867 		goto unlock;
3868 
3869 	/* For BR/EDR the necessary steps are taken through the
3870 	 * auth_complete event.
3871 	 */
3872 	if (conn->type != LE_LINK)
3873 		goto unlock;
3874 
3875 	if (!ev->status)
3876 		conn->sec_level = conn->pending_sec_level;
3877 
3878 	clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3879 
3880 	if (ev->status && conn->state == BT_CONNECTED) {
3881 		hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3882 		hci_conn_drop(conn);
3883 		goto unlock;
3884 	}
3885 
3886 	if (conn->state == BT_CONFIG) {
3887 		if (!ev->status)
3888 			conn->state = BT_CONNECTED;
3889 
3890 		hci_connect_cfm(conn, ev->status);
3891 		hci_conn_drop(conn);
3892 	} else {
3893 		hci_auth_cfm(conn, ev->status);
3894 
3895 		hci_conn_hold(conn);
3896 		conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3897 		hci_conn_drop(conn);
3898 	}
3899 
3900 unlock:
3901 	hci_dev_unlock(hdev);
3902 }
3903 
3904 static u8 hci_get_auth_req(struct hci_conn *conn)
3905 {
3906 	/* If remote requests no-bonding follow that lead */
3907 	if (conn->remote_auth == HCI_AT_NO_BONDING ||
3908 	    conn->remote_auth == HCI_AT_NO_BONDING_MITM)
3909 		return conn->remote_auth | (conn->auth_type & 0x01);
3910 
3911 	/* If both remote and local have enough IO capabilities, require
3912 	 * MITM protection
3913 	 */
3914 	if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
3915 	    conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
3916 		return conn->remote_auth | 0x01;
3917 
3918 	/* No MITM protection possible so ignore remote requirement */
3919 	return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
3920 }
3921 
3922 static u8 bredr_oob_data_present(struct hci_conn *conn)
3923 {
3924 	struct hci_dev *hdev = conn->hdev;
3925 	struct oob_data *data;
3926 
3927 	data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
3928 	if (!data)
3929 		return 0x00;
3930 
3931 	if (bredr_sc_enabled(hdev)) {
3932 		/* When Secure Connections is enabled, then just
3933 		 * return the present value stored with the OOB
3934 		 * data. The stored value contains the right present
3935 		 * information. However it can only be trusted when
3936 		 * not in Secure Connection Only mode.
3937 		 */
3938 		if (!hci_dev_test_flag(hdev, HCI_SC_ONLY))
3939 			return data->present;
3940 
3941 		/* When Secure Connections Only mode is enabled, then
3942 		 * the P-256 values are required. If they are not
3943 		 * available, then do not declare that OOB data is
3944 		 * present.
3945 		 */
3946 		if (!memcmp(data->rand256, ZERO_KEY, 16) ||
3947 		    !memcmp(data->hash256, ZERO_KEY, 16))
3948 			return 0x00;
3949 
3950 		return 0x02;
3951 	}
3952 
3953 	/* When Secure Connections is not enabled or actually
3954 	 * not supported by the hardware, then check that if
3955 	 * P-192 data values are present.
3956 	 */
3957 	if (!memcmp(data->rand192, ZERO_KEY, 16) ||
3958 	    !memcmp(data->hash192, ZERO_KEY, 16))
3959 		return 0x00;
3960 
3961 	return 0x01;
3962 }
3963 
3964 static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3965 {
3966 	struct hci_ev_io_capa_request *ev = (void *) skb->data;
3967 	struct hci_conn *conn;
3968 
3969 	BT_DBG("%s", hdev->name);
3970 
3971 	hci_dev_lock(hdev);
3972 
3973 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3974 	if (!conn)
3975 		goto unlock;
3976 
3977 	hci_conn_hold(conn);
3978 
3979 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
3980 		goto unlock;
3981 
3982 	/* Allow pairing if we're pairable, the initiators of the
3983 	 * pairing or if the remote is not requesting bonding.
3984 	 */
3985 	if (hci_dev_test_flag(hdev, HCI_BONDABLE) ||
3986 	    test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
3987 	    (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
3988 		struct hci_cp_io_capability_reply cp;
3989 
3990 		bacpy(&cp.bdaddr, &ev->bdaddr);
3991 		/* Change the IO capability from KeyboardDisplay
3992 		 * to DisplayYesNo as it is not supported by BT spec. */
3993 		cp.capability = (conn->io_capability == 0x04) ?
3994 				HCI_IO_DISPLAY_YESNO : conn->io_capability;
3995 
3996 		/* If we are initiators, there is no remote information yet */
3997 		if (conn->remote_auth == 0xff) {
3998 			/* Request MITM protection if our IO caps allow it
3999 			 * except for the no-bonding case.
4000 			 */
4001 			if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4002 			    conn->auth_type != HCI_AT_NO_BONDING)
4003 				conn->auth_type |= 0x01;
4004 		} else {
4005 			conn->auth_type = hci_get_auth_req(conn);
4006 		}
4007 
4008 		/* If we're not bondable, force one of the non-bondable
4009 		 * authentication requirement values.
4010 		 */
4011 		if (!hci_dev_test_flag(hdev, HCI_BONDABLE))
4012 			conn->auth_type &= HCI_AT_NO_BONDING_MITM;
4013 
4014 		cp.authentication = conn->auth_type;
4015 		cp.oob_data = bredr_oob_data_present(conn);
4016 
4017 		hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
4018 			     sizeof(cp), &cp);
4019 	} else {
4020 		struct hci_cp_io_capability_neg_reply cp;
4021 
4022 		bacpy(&cp.bdaddr, &ev->bdaddr);
4023 		cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
4024 
4025 		hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
4026 			     sizeof(cp), &cp);
4027 	}
4028 
4029 unlock:
4030 	hci_dev_unlock(hdev);
4031 }
4032 
4033 static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb)
4034 {
4035 	struct hci_ev_io_capa_reply *ev = (void *) skb->data;
4036 	struct hci_conn *conn;
4037 
4038 	BT_DBG("%s", hdev->name);
4039 
4040 	hci_dev_lock(hdev);
4041 
4042 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4043 	if (!conn)
4044 		goto unlock;
4045 
4046 	conn->remote_cap = ev->capability;
4047 	conn->remote_auth = ev->authentication;
4048 
4049 unlock:
4050 	hci_dev_unlock(hdev);
4051 }
4052 
4053 static void hci_user_confirm_request_evt(struct hci_dev *hdev,
4054 					 struct sk_buff *skb)
4055 {
4056 	struct hci_ev_user_confirm_req *ev = (void *) skb->data;
4057 	int loc_mitm, rem_mitm, confirm_hint = 0;
4058 	struct hci_conn *conn;
4059 
4060 	BT_DBG("%s", hdev->name);
4061 
4062 	hci_dev_lock(hdev);
4063 
4064 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
4065 		goto unlock;
4066 
4067 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4068 	if (!conn)
4069 		goto unlock;
4070 
4071 	loc_mitm = (conn->auth_type & 0x01);
4072 	rem_mitm = (conn->remote_auth & 0x01);
4073 
4074 	/* If we require MITM but the remote device can't provide that
4075 	 * (it has NoInputNoOutput) then reject the confirmation
4076 	 * request. We check the security level here since it doesn't
4077 	 * necessarily match conn->auth_type.
4078 	 */
4079 	if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
4080 	    conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
4081 		BT_DBG("Rejecting request: remote device can't provide MITM");
4082 		hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
4083 			     sizeof(ev->bdaddr), &ev->bdaddr);
4084 		goto unlock;
4085 	}
4086 
4087 	/* If no side requires MITM protection; auto-accept */
4088 	if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
4089 	    (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
4090 
4091 		/* If we're not the initiators request authorization to
4092 		 * proceed from user space (mgmt_user_confirm with
4093 		 * confirm_hint set to 1). The exception is if neither
4094 		 * side had MITM or if the local IO capability is
4095 		 * NoInputNoOutput, in which case we do auto-accept
4096 		 */
4097 		if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
4098 		    conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4099 		    (loc_mitm || rem_mitm)) {
4100 			BT_DBG("Confirming auto-accept as acceptor");
4101 			confirm_hint = 1;
4102 			goto confirm;
4103 		}
4104 
4105 		BT_DBG("Auto-accept of user confirmation with %ums delay",
4106 		       hdev->auto_accept_delay);
4107 
4108 		if (hdev->auto_accept_delay > 0) {
4109 			int delay = msecs_to_jiffies(hdev->auto_accept_delay);
4110 			queue_delayed_work(conn->hdev->workqueue,
4111 					   &conn->auto_accept_work, delay);
4112 			goto unlock;
4113 		}
4114 
4115 		hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
4116 			     sizeof(ev->bdaddr), &ev->bdaddr);
4117 		goto unlock;
4118 	}
4119 
4120 confirm:
4121 	mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
4122 				  le32_to_cpu(ev->passkey), confirm_hint);
4123 
4124 unlock:
4125 	hci_dev_unlock(hdev);
4126 }
4127 
4128 static void hci_user_passkey_request_evt(struct hci_dev *hdev,
4129 					 struct sk_buff *skb)
4130 {
4131 	struct hci_ev_user_passkey_req *ev = (void *) skb->data;
4132 
4133 	BT_DBG("%s", hdev->name);
4134 
4135 	if (hci_dev_test_flag(hdev, HCI_MGMT))
4136 		mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
4137 }
4138 
4139 static void hci_user_passkey_notify_evt(struct hci_dev *hdev,
4140 					struct sk_buff *skb)
4141 {
4142 	struct hci_ev_user_passkey_notify *ev = (void *) skb->data;
4143 	struct hci_conn *conn;
4144 
4145 	BT_DBG("%s", hdev->name);
4146 
4147 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4148 	if (!conn)
4149 		return;
4150 
4151 	conn->passkey_notify = __le32_to_cpu(ev->passkey);
4152 	conn->passkey_entered = 0;
4153 
4154 	if (hci_dev_test_flag(hdev, HCI_MGMT))
4155 		mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4156 					 conn->dst_type, conn->passkey_notify,
4157 					 conn->passkey_entered);
4158 }
4159 
4160 static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
4161 {
4162 	struct hci_ev_keypress_notify *ev = (void *) skb->data;
4163 	struct hci_conn *conn;
4164 
4165 	BT_DBG("%s", hdev->name);
4166 
4167 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4168 	if (!conn)
4169 		return;
4170 
4171 	switch (ev->type) {
4172 	case HCI_KEYPRESS_STARTED:
4173 		conn->passkey_entered = 0;
4174 		return;
4175 
4176 	case HCI_KEYPRESS_ENTERED:
4177 		conn->passkey_entered++;
4178 		break;
4179 
4180 	case HCI_KEYPRESS_ERASED:
4181 		conn->passkey_entered--;
4182 		break;
4183 
4184 	case HCI_KEYPRESS_CLEARED:
4185 		conn->passkey_entered = 0;
4186 		break;
4187 
4188 	case HCI_KEYPRESS_COMPLETED:
4189 		return;
4190 	}
4191 
4192 	if (hci_dev_test_flag(hdev, HCI_MGMT))
4193 		mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4194 					 conn->dst_type, conn->passkey_notify,
4195 					 conn->passkey_entered);
4196 }
4197 
4198 static void hci_simple_pair_complete_evt(struct hci_dev *hdev,
4199 					 struct sk_buff *skb)
4200 {
4201 	struct hci_ev_simple_pair_complete *ev = (void *) skb->data;
4202 	struct hci_conn *conn;
4203 
4204 	BT_DBG("%s", hdev->name);
4205 
4206 	hci_dev_lock(hdev);
4207 
4208 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4209 	if (!conn)
4210 		goto unlock;
4211 
4212 	/* Reset the authentication requirement to unknown */
4213 	conn->remote_auth = 0xff;
4214 
4215 	/* To avoid duplicate auth_failed events to user space we check
4216 	 * the HCI_CONN_AUTH_PEND flag which will be set if we
4217 	 * initiated the authentication. A traditional auth_complete
4218 	 * event gets always produced as initiator and is also mapped to
4219 	 * the mgmt_auth_failed event */
4220 	if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
4221 		mgmt_auth_failed(conn, ev->status);
4222 
4223 	hci_conn_drop(conn);
4224 
4225 unlock:
4226 	hci_dev_unlock(hdev);
4227 }
4228 
4229 static void hci_remote_host_features_evt(struct hci_dev *hdev,
4230 					 struct sk_buff *skb)
4231 {
4232 	struct hci_ev_remote_host_features *ev = (void *) skb->data;
4233 	struct inquiry_entry *ie;
4234 	struct hci_conn *conn;
4235 
4236 	BT_DBG("%s", hdev->name);
4237 
4238 	hci_dev_lock(hdev);
4239 
4240 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4241 	if (conn)
4242 		memcpy(conn->features[1], ev->features, 8);
4243 
4244 	ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4245 	if (ie)
4246 		ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4247 
4248 	hci_dev_unlock(hdev);
4249 }
4250 
4251 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
4252 					    struct sk_buff *skb)
4253 {
4254 	struct hci_ev_remote_oob_data_request *ev = (void *) skb->data;
4255 	struct oob_data *data;
4256 
4257 	BT_DBG("%s", hdev->name);
4258 
4259 	hci_dev_lock(hdev);
4260 
4261 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
4262 		goto unlock;
4263 
4264 	data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
4265 	if (!data) {
4266 		struct hci_cp_remote_oob_data_neg_reply cp;
4267 
4268 		bacpy(&cp.bdaddr, &ev->bdaddr);
4269 		hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
4270 			     sizeof(cp), &cp);
4271 		goto unlock;
4272 	}
4273 
4274 	if (bredr_sc_enabled(hdev)) {
4275 		struct hci_cp_remote_oob_ext_data_reply cp;
4276 
4277 		bacpy(&cp.bdaddr, &ev->bdaddr);
4278 		if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
4279 			memset(cp.hash192, 0, sizeof(cp.hash192));
4280 			memset(cp.rand192, 0, sizeof(cp.rand192));
4281 		} else {
4282 			memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
4283 			memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
4284 		}
4285 		memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
4286 		memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
4287 
4288 		hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
4289 			     sizeof(cp), &cp);
4290 	} else {
4291 		struct hci_cp_remote_oob_data_reply cp;
4292 
4293 		bacpy(&cp.bdaddr, &ev->bdaddr);
4294 		memcpy(cp.hash, data->hash192, sizeof(cp.hash));
4295 		memcpy(cp.rand, data->rand192, sizeof(cp.rand));
4296 
4297 		hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
4298 			     sizeof(cp), &cp);
4299 	}
4300 
4301 unlock:
4302 	hci_dev_unlock(hdev);
4303 }
4304 
4305 #if IS_ENABLED(CONFIG_BT_HS)
4306 static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb)
4307 {
4308 	struct hci_ev_channel_selected *ev = (void *)skb->data;
4309 	struct hci_conn *hcon;
4310 
4311 	BT_DBG("%s handle 0x%2.2x", hdev->name, ev->phy_handle);
4312 
4313 	skb_pull(skb, sizeof(*ev));
4314 
4315 	hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4316 	if (!hcon)
4317 		return;
4318 
4319 	amp_read_loc_assoc_final_data(hdev, hcon);
4320 }
4321 
4322 static void hci_phy_link_complete_evt(struct hci_dev *hdev,
4323 				      struct sk_buff *skb)
4324 {
4325 	struct hci_ev_phy_link_complete *ev = (void *) skb->data;
4326 	struct hci_conn *hcon, *bredr_hcon;
4327 
4328 	BT_DBG("%s handle 0x%2.2x status 0x%2.2x", hdev->name, ev->phy_handle,
4329 	       ev->status);
4330 
4331 	hci_dev_lock(hdev);
4332 
4333 	hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4334 	if (!hcon) {
4335 		hci_dev_unlock(hdev);
4336 		return;
4337 	}
4338 
4339 	if (ev->status) {
4340 		hci_conn_del(hcon);
4341 		hci_dev_unlock(hdev);
4342 		return;
4343 	}
4344 
4345 	bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
4346 
4347 	hcon->state = BT_CONNECTED;
4348 	bacpy(&hcon->dst, &bredr_hcon->dst);
4349 
4350 	hci_conn_hold(hcon);
4351 	hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
4352 	hci_conn_drop(hcon);
4353 
4354 	hci_debugfs_create_conn(hcon);
4355 	hci_conn_add_sysfs(hcon);
4356 
4357 	amp_physical_cfm(bredr_hcon, hcon);
4358 
4359 	hci_dev_unlock(hdev);
4360 }
4361 
4362 static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4363 {
4364 	struct hci_ev_logical_link_complete *ev = (void *) skb->data;
4365 	struct hci_conn *hcon;
4366 	struct hci_chan *hchan;
4367 	struct amp_mgr *mgr;
4368 
4369 	BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
4370 	       hdev->name, le16_to_cpu(ev->handle), ev->phy_handle,
4371 	       ev->status);
4372 
4373 	hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4374 	if (!hcon)
4375 		return;
4376 
4377 	/* Create AMP hchan */
4378 	hchan = hci_chan_create(hcon);
4379 	if (!hchan)
4380 		return;
4381 
4382 	hchan->handle = le16_to_cpu(ev->handle);
4383 
4384 	BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
4385 
4386 	mgr = hcon->amp_mgr;
4387 	if (mgr && mgr->bredr_chan) {
4388 		struct l2cap_chan *bredr_chan = mgr->bredr_chan;
4389 
4390 		l2cap_chan_lock(bredr_chan);
4391 
4392 		bredr_chan->conn->mtu = hdev->block_mtu;
4393 		l2cap_logical_cfm(bredr_chan, hchan, 0);
4394 		hci_conn_hold(hcon);
4395 
4396 		l2cap_chan_unlock(bredr_chan);
4397 	}
4398 }
4399 
4400 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev,
4401 					     struct sk_buff *skb)
4402 {
4403 	struct hci_ev_disconn_logical_link_complete *ev = (void *) skb->data;
4404 	struct hci_chan *hchan;
4405 
4406 	BT_DBG("%s log handle 0x%4.4x status 0x%2.2x", hdev->name,
4407 	       le16_to_cpu(ev->handle), ev->status);
4408 
4409 	if (ev->status)
4410 		return;
4411 
4412 	hci_dev_lock(hdev);
4413 
4414 	hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
4415 	if (!hchan)
4416 		goto unlock;
4417 
4418 	amp_destroy_logical_link(hchan, ev->reason);
4419 
4420 unlock:
4421 	hci_dev_unlock(hdev);
4422 }
4423 
4424 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev,
4425 					     struct sk_buff *skb)
4426 {
4427 	struct hci_ev_disconn_phy_link_complete *ev = (void *) skb->data;
4428 	struct hci_conn *hcon;
4429 
4430 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4431 
4432 	if (ev->status)
4433 		return;
4434 
4435 	hci_dev_lock(hdev);
4436 
4437 	hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4438 	if (hcon) {
4439 		hcon->state = BT_CLOSED;
4440 		hci_conn_del(hcon);
4441 	}
4442 
4443 	hci_dev_unlock(hdev);
4444 }
4445 #endif
4446 
4447 static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4448 {
4449 	struct hci_ev_le_conn_complete *ev = (void *) skb->data;
4450 	struct hci_conn_params *params;
4451 	struct hci_conn *conn;
4452 	struct smp_irk *irk;
4453 	u8 addr_type;
4454 
4455 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4456 
4457 	hci_dev_lock(hdev);
4458 
4459 	/* All controllers implicitly stop advertising in the event of a
4460 	 * connection, so ensure that the state bit is cleared.
4461 	 */
4462 	hci_dev_clear_flag(hdev, HCI_LE_ADV);
4463 
4464 	conn = hci_lookup_le_connect(hdev);
4465 	if (!conn) {
4466 		conn = hci_conn_add(hdev, LE_LINK, &ev->bdaddr, ev->role);
4467 		if (!conn) {
4468 			BT_ERR("No memory for new connection");
4469 			goto unlock;
4470 		}
4471 
4472 		conn->dst_type = ev->bdaddr_type;
4473 
4474 		/* If we didn't have a hci_conn object previously
4475 		 * but we're in master role this must be something
4476 		 * initiated using a white list. Since white list based
4477 		 * connections are not "first class citizens" we don't
4478 		 * have full tracking of them. Therefore, we go ahead
4479 		 * with a "best effort" approach of determining the
4480 		 * initiator address based on the HCI_PRIVACY flag.
4481 		 */
4482 		if (conn->out) {
4483 			conn->resp_addr_type = ev->bdaddr_type;
4484 			bacpy(&conn->resp_addr, &ev->bdaddr);
4485 			if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
4486 				conn->init_addr_type = ADDR_LE_DEV_RANDOM;
4487 				bacpy(&conn->init_addr, &hdev->rpa);
4488 			} else {
4489 				hci_copy_identity_address(hdev,
4490 							  &conn->init_addr,
4491 							  &conn->init_addr_type);
4492 			}
4493 		}
4494 	} else {
4495 		cancel_delayed_work(&conn->le_conn_timeout);
4496 	}
4497 
4498 	if (!conn->out) {
4499 		/* Set the responder (our side) address type based on
4500 		 * the advertising address type.
4501 		 */
4502 		conn->resp_addr_type = hdev->adv_addr_type;
4503 		if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM)
4504 			bacpy(&conn->resp_addr, &hdev->random_addr);
4505 		else
4506 			bacpy(&conn->resp_addr, &hdev->bdaddr);
4507 
4508 		conn->init_addr_type = ev->bdaddr_type;
4509 		bacpy(&conn->init_addr, &ev->bdaddr);
4510 
4511 		/* For incoming connections, set the default minimum
4512 		 * and maximum connection interval. They will be used
4513 		 * to check if the parameters are in range and if not
4514 		 * trigger the connection update procedure.
4515 		 */
4516 		conn->le_conn_min_interval = hdev->le_conn_min_interval;
4517 		conn->le_conn_max_interval = hdev->le_conn_max_interval;
4518 	}
4519 
4520 	/* Lookup the identity address from the stored connection
4521 	 * address and address type.
4522 	 *
4523 	 * When establishing connections to an identity address, the
4524 	 * connection procedure will store the resolvable random
4525 	 * address first. Now if it can be converted back into the
4526 	 * identity address, start using the identity address from
4527 	 * now on.
4528 	 */
4529 	irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
4530 	if (irk) {
4531 		bacpy(&conn->dst, &irk->bdaddr);
4532 		conn->dst_type = irk->addr_type;
4533 	}
4534 
4535 	if (ev->status) {
4536 		hci_le_conn_failed(conn, ev->status);
4537 		goto unlock;
4538 	}
4539 
4540 	if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
4541 		addr_type = BDADDR_LE_PUBLIC;
4542 	else
4543 		addr_type = BDADDR_LE_RANDOM;
4544 
4545 	/* Drop the connection if the device is blocked */
4546 	if (hci_bdaddr_list_lookup(&hdev->blacklist, &conn->dst, addr_type)) {
4547 		hci_conn_drop(conn);
4548 		goto unlock;
4549 	}
4550 
4551 	if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
4552 		mgmt_device_connected(hdev, conn, 0, NULL, 0);
4553 
4554 	conn->sec_level = BT_SECURITY_LOW;
4555 	conn->handle = __le16_to_cpu(ev->handle);
4556 	conn->state = BT_CONFIG;
4557 
4558 	conn->le_conn_interval = le16_to_cpu(ev->interval);
4559 	conn->le_conn_latency = le16_to_cpu(ev->latency);
4560 	conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
4561 
4562 	hci_debugfs_create_conn(conn);
4563 	hci_conn_add_sysfs(conn);
4564 
4565 	if (!ev->status) {
4566 		/* The remote features procedure is defined for master
4567 		 * role only. So only in case of an initiated connection
4568 		 * request the remote features.
4569 		 *
4570 		 * If the local controller supports slave-initiated features
4571 		 * exchange, then requesting the remote features in slave
4572 		 * role is possible. Otherwise just transition into the
4573 		 * connected state without requesting the remote features.
4574 		 */
4575 		if (conn->out ||
4576 		    (hdev->le_features[0] & HCI_LE_SLAVE_FEATURES)) {
4577 			struct hci_cp_le_read_remote_features cp;
4578 
4579 			cp.handle = __cpu_to_le16(conn->handle);
4580 
4581 			hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,
4582 				     sizeof(cp), &cp);
4583 
4584 			hci_conn_hold(conn);
4585 		} else {
4586 			conn->state = BT_CONNECTED;
4587 			hci_connect_cfm(conn, ev->status);
4588 		}
4589 	} else {
4590 		hci_connect_cfm(conn, ev->status);
4591 	}
4592 
4593 	params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
4594 					   conn->dst_type);
4595 	if (params) {
4596 		list_del_init(&params->action);
4597 		if (params->conn) {
4598 			hci_conn_drop(params->conn);
4599 			hci_conn_put(params->conn);
4600 			params->conn = NULL;
4601 		}
4602 	}
4603 
4604 unlock:
4605 	hci_update_background_scan(hdev);
4606 	hci_dev_unlock(hdev);
4607 }
4608 
4609 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev,
4610 					    struct sk_buff *skb)
4611 {
4612 	struct hci_ev_le_conn_update_complete *ev = (void *) skb->data;
4613 	struct hci_conn *conn;
4614 
4615 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4616 
4617 	if (ev->status)
4618 		return;
4619 
4620 	hci_dev_lock(hdev);
4621 
4622 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4623 	if (conn) {
4624 		conn->le_conn_interval = le16_to_cpu(ev->interval);
4625 		conn->le_conn_latency = le16_to_cpu(ev->latency);
4626 		conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
4627 	}
4628 
4629 	hci_dev_unlock(hdev);
4630 }
4631 
4632 /* This function requires the caller holds hdev->lock */
4633 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
4634 					      bdaddr_t *addr,
4635 					      u8 addr_type, u8 adv_type)
4636 {
4637 	struct hci_conn *conn;
4638 	struct hci_conn_params *params;
4639 
4640 	/* If the event is not connectable don't proceed further */
4641 	if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
4642 		return NULL;
4643 
4644 	/* Ignore if the device is blocked */
4645 	if (hci_bdaddr_list_lookup(&hdev->blacklist, addr, addr_type))
4646 		return NULL;
4647 
4648 	/* Most controller will fail if we try to create new connections
4649 	 * while we have an existing one in slave role.
4650 	 */
4651 	if (hdev->conn_hash.le_num_slave > 0)
4652 		return NULL;
4653 
4654 	/* If we're not connectable only connect devices that we have in
4655 	 * our pend_le_conns list.
4656 	 */
4657 	params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr,
4658 					   addr_type);
4659 	if (!params)
4660 		return NULL;
4661 
4662 	if (!params->explicit_connect) {
4663 		switch (params->auto_connect) {
4664 		case HCI_AUTO_CONN_DIRECT:
4665 			/* Only devices advertising with ADV_DIRECT_IND are
4666 			 * triggering a connection attempt. This is allowing
4667 			 * incoming connections from slave devices.
4668 			 */
4669 			if (adv_type != LE_ADV_DIRECT_IND)
4670 				return NULL;
4671 			break;
4672 		case HCI_AUTO_CONN_ALWAYS:
4673 			/* Devices advertising with ADV_IND or ADV_DIRECT_IND
4674 			 * are triggering a connection attempt. This means
4675 			 * that incoming connectioms from slave device are
4676 			 * accepted and also outgoing connections to slave
4677 			 * devices are established when found.
4678 			 */
4679 			break;
4680 		default:
4681 			return NULL;
4682 		}
4683 	}
4684 
4685 	conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW,
4686 			      HCI_LE_AUTOCONN_TIMEOUT, HCI_ROLE_MASTER);
4687 	if (!IS_ERR(conn)) {
4688 		/* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
4689 		 * by higher layer that tried to connect, if no then
4690 		 * store the pointer since we don't really have any
4691 		 * other owner of the object besides the params that
4692 		 * triggered it. This way we can abort the connection if
4693 		 * the parameters get removed and keep the reference
4694 		 * count consistent once the connection is established.
4695 		 */
4696 
4697 		if (!params->explicit_connect)
4698 			params->conn = hci_conn_get(conn);
4699 
4700 		return conn;
4701 	}
4702 
4703 	switch (PTR_ERR(conn)) {
4704 	case -EBUSY:
4705 		/* If hci_connect() returns -EBUSY it means there is already
4706 		 * an LE connection attempt going on. Since controllers don't
4707 		 * support more than one connection attempt at the time, we
4708 		 * don't consider this an error case.
4709 		 */
4710 		break;
4711 	default:
4712 		BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
4713 		return NULL;
4714 	}
4715 
4716 	return NULL;
4717 }
4718 
4719 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
4720 			       u8 bdaddr_type, bdaddr_t *direct_addr,
4721 			       u8 direct_addr_type, s8 rssi, u8 *data, u8 len)
4722 {
4723 	struct discovery_state *d = &hdev->discovery;
4724 	struct smp_irk *irk;
4725 	struct hci_conn *conn;
4726 	bool match;
4727 	u32 flags;
4728 	u8 *ptr, real_len;
4729 
4730 	/* Find the end of the data in case the report contains padded zero
4731 	 * bytes at the end causing an invalid length value.
4732 	 *
4733 	 * When data is NULL, len is 0 so there is no need for extra ptr
4734 	 * check as 'ptr < data + 0' is already false in such case.
4735 	 */
4736 	for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) {
4737 		if (ptr + 1 + *ptr > data + len)
4738 			break;
4739 	}
4740 
4741 	real_len = ptr - data;
4742 
4743 	/* Adjust for actual length */
4744 	if (len != real_len) {
4745 		BT_ERR_RATELIMITED("%s advertising data length corrected",
4746 				   hdev->name);
4747 		len = real_len;
4748 	}
4749 
4750 	/* If the direct address is present, then this report is from
4751 	 * a LE Direct Advertising Report event. In that case it is
4752 	 * important to see if the address is matching the local
4753 	 * controller address.
4754 	 */
4755 	if (direct_addr) {
4756 		/* Only resolvable random addresses are valid for these
4757 		 * kind of reports and others can be ignored.
4758 		 */
4759 		if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
4760 			return;
4761 
4762 		/* If the controller is not using resolvable random
4763 		 * addresses, then this report can be ignored.
4764 		 */
4765 		if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
4766 			return;
4767 
4768 		/* If the local IRK of the controller does not match
4769 		 * with the resolvable random address provided, then
4770 		 * this report can be ignored.
4771 		 */
4772 		if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
4773 			return;
4774 	}
4775 
4776 	/* Check if we need to convert to identity address */
4777 	irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
4778 	if (irk) {
4779 		bdaddr = &irk->bdaddr;
4780 		bdaddr_type = irk->addr_type;
4781 	}
4782 
4783 	/* Check if we have been requested to connect to this device */
4784 	conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type);
4785 	if (conn && type == LE_ADV_IND) {
4786 		/* Store report for later inclusion by
4787 		 * mgmt_device_connected
4788 		 */
4789 		memcpy(conn->le_adv_data, data, len);
4790 		conn->le_adv_data_len = len;
4791 	}
4792 
4793 	/* Passive scanning shouldn't trigger any device found events,
4794 	 * except for devices marked as CONN_REPORT for which we do send
4795 	 * device found events.
4796 	 */
4797 	if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
4798 		if (type == LE_ADV_DIRECT_IND)
4799 			return;
4800 
4801 		if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
4802 					       bdaddr, bdaddr_type))
4803 			return;
4804 
4805 		if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
4806 			flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
4807 		else
4808 			flags = 0;
4809 		mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4810 				  rssi, flags, data, len, NULL, 0);
4811 		return;
4812 	}
4813 
4814 	/* When receiving non-connectable or scannable undirected
4815 	 * advertising reports, this means that the remote device is
4816 	 * not connectable and then clearly indicate this in the
4817 	 * device found event.
4818 	 *
4819 	 * When receiving a scan response, then there is no way to
4820 	 * know if the remote device is connectable or not. However
4821 	 * since scan responses are merged with a previously seen
4822 	 * advertising report, the flags field from that report
4823 	 * will be used.
4824 	 *
4825 	 * In the really unlikely case that a controller get confused
4826 	 * and just sends a scan response event, then it is marked as
4827 	 * not connectable as well.
4828 	 */
4829 	if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND ||
4830 	    type == LE_ADV_SCAN_RSP)
4831 		flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
4832 	else
4833 		flags = 0;
4834 
4835 	/* If there's nothing pending either store the data from this
4836 	 * event or send an immediate device found event if the data
4837 	 * should not be stored for later.
4838 	 */
4839 	if (!has_pending_adv_report(hdev)) {
4840 		/* If the report will trigger a SCAN_REQ store it for
4841 		 * later merging.
4842 		 */
4843 		if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
4844 			store_pending_adv_report(hdev, bdaddr, bdaddr_type,
4845 						 rssi, flags, data, len);
4846 			return;
4847 		}
4848 
4849 		mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4850 				  rssi, flags, data, len, NULL, 0);
4851 		return;
4852 	}
4853 
4854 	/* Check if the pending report is for the same device as the new one */
4855 	match = (!bacmp(bdaddr, &d->last_adv_addr) &&
4856 		 bdaddr_type == d->last_adv_addr_type);
4857 
4858 	/* If the pending data doesn't match this report or this isn't a
4859 	 * scan response (e.g. we got a duplicate ADV_IND) then force
4860 	 * sending of the pending data.
4861 	 */
4862 	if (type != LE_ADV_SCAN_RSP || !match) {
4863 		/* Send out whatever is in the cache, but skip duplicates */
4864 		if (!match)
4865 			mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
4866 					  d->last_adv_addr_type, NULL,
4867 					  d->last_adv_rssi, d->last_adv_flags,
4868 					  d->last_adv_data,
4869 					  d->last_adv_data_len, NULL, 0);
4870 
4871 		/* If the new report will trigger a SCAN_REQ store it for
4872 		 * later merging.
4873 		 */
4874 		if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
4875 			store_pending_adv_report(hdev, bdaddr, bdaddr_type,
4876 						 rssi, flags, data, len);
4877 			return;
4878 		}
4879 
4880 		/* The advertising reports cannot be merged, so clear
4881 		 * the pending report and send out a device found event.
4882 		 */
4883 		clear_pending_adv_report(hdev);
4884 		mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4885 				  rssi, flags, data, len, NULL, 0);
4886 		return;
4887 	}
4888 
4889 	/* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
4890 	 * the new event is a SCAN_RSP. We can therefore proceed with
4891 	 * sending a merged device found event.
4892 	 */
4893 	mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
4894 			  d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
4895 			  d->last_adv_data, d->last_adv_data_len, data, len);
4896 	clear_pending_adv_report(hdev);
4897 }
4898 
4899 static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
4900 {
4901 	u8 num_reports = skb->data[0];
4902 	void *ptr = &skb->data[1];
4903 
4904 	hci_dev_lock(hdev);
4905 
4906 	while (num_reports--) {
4907 		struct hci_ev_le_advertising_info *ev = ptr;
4908 		s8 rssi;
4909 
4910 		rssi = ev->data[ev->length];
4911 		process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
4912 				   ev->bdaddr_type, NULL, 0, rssi,
4913 				   ev->data, ev->length);
4914 
4915 		ptr += sizeof(*ev) + ev->length + 1;
4916 	}
4917 
4918 	hci_dev_unlock(hdev);
4919 }
4920 
4921 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev,
4922 					    struct sk_buff *skb)
4923 {
4924 	struct hci_ev_le_remote_feat_complete *ev = (void *)skb->data;
4925 	struct hci_conn *conn;
4926 
4927 	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4928 
4929 	hci_dev_lock(hdev);
4930 
4931 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4932 	if (conn) {
4933 		if (!ev->status)
4934 			memcpy(conn->features[0], ev->features, 8);
4935 
4936 		if (conn->state == BT_CONFIG) {
4937 			__u8 status;
4938 
4939 			/* If the local controller supports slave-initiated
4940 			 * features exchange, but the remote controller does
4941 			 * not, then it is possible that the error code 0x1a
4942 			 * for unsupported remote feature gets returned.
4943 			 *
4944 			 * In this specific case, allow the connection to
4945 			 * transition into connected state and mark it as
4946 			 * successful.
4947 			 */
4948 			if ((hdev->le_features[0] & HCI_LE_SLAVE_FEATURES) &&
4949 			    !conn->out && ev->status == 0x1a)
4950 				status = 0x00;
4951 			else
4952 				status = ev->status;
4953 
4954 			conn->state = BT_CONNECTED;
4955 			hci_connect_cfm(conn, status);
4956 			hci_conn_drop(conn);
4957 		}
4958 	}
4959 
4960 	hci_dev_unlock(hdev);
4961 }
4962 
4963 static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
4964 {
4965 	struct hci_ev_le_ltk_req *ev = (void *) skb->data;
4966 	struct hci_cp_le_ltk_reply cp;
4967 	struct hci_cp_le_ltk_neg_reply neg;
4968 	struct hci_conn *conn;
4969 	struct smp_ltk *ltk;
4970 
4971 	BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle));
4972 
4973 	hci_dev_lock(hdev);
4974 
4975 	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4976 	if (conn == NULL)
4977 		goto not_found;
4978 
4979 	ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
4980 	if (!ltk)
4981 		goto not_found;
4982 
4983 	if (smp_ltk_is_sc(ltk)) {
4984 		/* With SC both EDiv and Rand are set to zero */
4985 		if (ev->ediv || ev->rand)
4986 			goto not_found;
4987 	} else {
4988 		/* For non-SC keys check that EDiv and Rand match */
4989 		if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
4990 			goto not_found;
4991 	}
4992 
4993 	memcpy(cp.ltk, ltk->val, ltk->enc_size);
4994 	memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
4995 	cp.handle = cpu_to_le16(conn->handle);
4996 
4997 	conn->pending_sec_level = smp_ltk_sec_level(ltk);
4998 
4999 	conn->enc_key_size = ltk->enc_size;
5000 
5001 	hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
5002 
5003 	/* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
5004 	 * temporary key used to encrypt a connection following
5005 	 * pairing. It is used during the Encrypted Session Setup to
5006 	 * distribute the keys. Later, security can be re-established
5007 	 * using a distributed LTK.
5008 	 */
5009 	if (ltk->type == SMP_STK) {
5010 		set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
5011 		list_del_rcu(&ltk->list);
5012 		kfree_rcu(ltk, rcu);
5013 	} else {
5014 		clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
5015 	}
5016 
5017 	hci_dev_unlock(hdev);
5018 
5019 	return;
5020 
5021 not_found:
5022 	neg.handle = ev->handle;
5023 	hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
5024 	hci_dev_unlock(hdev);
5025 }
5026 
5027 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
5028 				      u8 reason)
5029 {
5030 	struct hci_cp_le_conn_param_req_neg_reply cp;
5031 
5032 	cp.handle = cpu_to_le16(handle);
5033 	cp.reason = reason;
5034 
5035 	hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
5036 		     &cp);
5037 }
5038 
5039 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev,
5040 					     struct sk_buff *skb)
5041 {
5042 	struct hci_ev_le_remote_conn_param_req *ev = (void *) skb->data;
5043 	struct hci_cp_le_conn_param_req_reply cp;
5044 	struct hci_conn *hcon;
5045 	u16 handle, min, max, latency, timeout;
5046 
5047 	handle = le16_to_cpu(ev->handle);
5048 	min = le16_to_cpu(ev->interval_min);
5049 	max = le16_to_cpu(ev->interval_max);
5050 	latency = le16_to_cpu(ev->latency);
5051 	timeout = le16_to_cpu(ev->timeout);
5052 
5053 	hcon = hci_conn_hash_lookup_handle(hdev, handle);
5054 	if (!hcon || hcon->state != BT_CONNECTED)
5055 		return send_conn_param_neg_reply(hdev, handle,
5056 						 HCI_ERROR_UNKNOWN_CONN_ID);
5057 
5058 	if (hci_check_conn_params(min, max, latency, timeout))
5059 		return send_conn_param_neg_reply(hdev, handle,
5060 						 HCI_ERROR_INVALID_LL_PARAMS);
5061 
5062 	if (hcon->role == HCI_ROLE_MASTER) {
5063 		struct hci_conn_params *params;
5064 		u8 store_hint;
5065 
5066 		hci_dev_lock(hdev);
5067 
5068 		params = hci_conn_params_lookup(hdev, &hcon->dst,
5069 						hcon->dst_type);
5070 		if (params) {
5071 			params->conn_min_interval = min;
5072 			params->conn_max_interval = max;
5073 			params->conn_latency = latency;
5074 			params->supervision_timeout = timeout;
5075 			store_hint = 0x01;
5076 		} else{
5077 			store_hint = 0x00;
5078 		}
5079 
5080 		hci_dev_unlock(hdev);
5081 
5082 		mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
5083 				    store_hint, min, max, latency, timeout);
5084 	}
5085 
5086 	cp.handle = ev->handle;
5087 	cp.interval_min = ev->interval_min;
5088 	cp.interval_max = ev->interval_max;
5089 	cp.latency = ev->latency;
5090 	cp.timeout = ev->timeout;
5091 	cp.min_ce_len = 0;
5092 	cp.max_ce_len = 0;
5093 
5094 	hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
5095 }
5096 
5097 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev,
5098 					 struct sk_buff *skb)
5099 {
5100 	u8 num_reports = skb->data[0];
5101 	void *ptr = &skb->data[1];
5102 
5103 	hci_dev_lock(hdev);
5104 
5105 	while (num_reports--) {
5106 		struct hci_ev_le_direct_adv_info *ev = ptr;
5107 
5108 		process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
5109 				   ev->bdaddr_type, &ev->direct_addr,
5110 				   ev->direct_addr_type, ev->rssi, NULL, 0);
5111 
5112 		ptr += sizeof(*ev);
5113 	}
5114 
5115 	hci_dev_unlock(hdev);
5116 }
5117 
5118 static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
5119 {
5120 	struct hci_ev_le_meta *le_ev = (void *) skb->data;
5121 
5122 	skb_pull(skb, sizeof(*le_ev));
5123 
5124 	switch (le_ev->subevent) {
5125 	case HCI_EV_LE_CONN_COMPLETE:
5126 		hci_le_conn_complete_evt(hdev, skb);
5127 		break;
5128 
5129 	case HCI_EV_LE_CONN_UPDATE_COMPLETE:
5130 		hci_le_conn_update_complete_evt(hdev, skb);
5131 		break;
5132 
5133 	case HCI_EV_LE_ADVERTISING_REPORT:
5134 		hci_le_adv_report_evt(hdev, skb);
5135 		break;
5136 
5137 	case HCI_EV_LE_REMOTE_FEAT_COMPLETE:
5138 		hci_le_remote_feat_complete_evt(hdev, skb);
5139 		break;
5140 
5141 	case HCI_EV_LE_LTK_REQ:
5142 		hci_le_ltk_request_evt(hdev, skb);
5143 		break;
5144 
5145 	case HCI_EV_LE_REMOTE_CONN_PARAM_REQ:
5146 		hci_le_remote_conn_param_req_evt(hdev, skb);
5147 		break;
5148 
5149 	case HCI_EV_LE_DIRECT_ADV_REPORT:
5150 		hci_le_direct_adv_report_evt(hdev, skb);
5151 		break;
5152 
5153 	default:
5154 		break;
5155 	}
5156 }
5157 
5158 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
5159 				 u8 event, struct sk_buff *skb)
5160 {
5161 	struct hci_ev_cmd_complete *ev;
5162 	struct hci_event_hdr *hdr;
5163 
5164 	if (!skb)
5165 		return false;
5166 
5167 	if (skb->len < sizeof(*hdr)) {
5168 		BT_ERR("Too short HCI event");
5169 		return false;
5170 	}
5171 
5172 	hdr = (void *) skb->data;
5173 	skb_pull(skb, HCI_EVENT_HDR_SIZE);
5174 
5175 	if (event) {
5176 		if (hdr->evt != event)
5177 			return false;
5178 		return true;
5179 	}
5180 
5181 	if (hdr->evt != HCI_EV_CMD_COMPLETE) {
5182 		BT_DBG("Last event is not cmd complete (0x%2.2x)", hdr->evt);
5183 		return false;
5184 	}
5185 
5186 	if (skb->len < sizeof(*ev)) {
5187 		BT_ERR("Too short cmd_complete event");
5188 		return false;
5189 	}
5190 
5191 	ev = (void *) skb->data;
5192 	skb_pull(skb, sizeof(*ev));
5193 
5194 	if (opcode != __le16_to_cpu(ev->opcode)) {
5195 		BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
5196 		       __le16_to_cpu(ev->opcode));
5197 		return false;
5198 	}
5199 
5200 	return true;
5201 }
5202 
5203 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
5204 {
5205 	struct hci_event_hdr *hdr = (void *) skb->data;
5206 	hci_req_complete_t req_complete = NULL;
5207 	hci_req_complete_skb_t req_complete_skb = NULL;
5208 	struct sk_buff *orig_skb = NULL;
5209 	u8 status = 0, event = hdr->evt, req_evt = 0;
5210 	u16 opcode = HCI_OP_NOP;
5211 
5212 	if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->hci.req_event == event) {
5213 		struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data;
5214 		opcode = __le16_to_cpu(cmd_hdr->opcode);
5215 		hci_req_cmd_complete(hdev, opcode, status, &req_complete,
5216 				     &req_complete_skb);
5217 		req_evt = event;
5218 	}
5219 
5220 	/* If it looks like we might end up having to call
5221 	 * req_complete_skb, store a pristine copy of the skb since the
5222 	 * various handlers may modify the original one through
5223 	 * skb_pull() calls, etc.
5224 	 */
5225 	if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
5226 	    event == HCI_EV_CMD_COMPLETE)
5227 		orig_skb = skb_clone(skb, GFP_KERNEL);
5228 
5229 	skb_pull(skb, HCI_EVENT_HDR_SIZE);
5230 
5231 	switch (event) {
5232 	case HCI_EV_INQUIRY_COMPLETE:
5233 		hci_inquiry_complete_evt(hdev, skb);
5234 		break;
5235 
5236 	case HCI_EV_INQUIRY_RESULT:
5237 		hci_inquiry_result_evt(hdev, skb);
5238 		break;
5239 
5240 	case HCI_EV_CONN_COMPLETE:
5241 		hci_conn_complete_evt(hdev, skb);
5242 		break;
5243 
5244 	case HCI_EV_CONN_REQUEST:
5245 		hci_conn_request_evt(hdev, skb);
5246 		break;
5247 
5248 	case HCI_EV_DISCONN_COMPLETE:
5249 		hci_disconn_complete_evt(hdev, skb);
5250 		break;
5251 
5252 	case HCI_EV_AUTH_COMPLETE:
5253 		hci_auth_complete_evt(hdev, skb);
5254 		break;
5255 
5256 	case HCI_EV_REMOTE_NAME:
5257 		hci_remote_name_evt(hdev, skb);
5258 		break;
5259 
5260 	case HCI_EV_ENCRYPT_CHANGE:
5261 		hci_encrypt_change_evt(hdev, skb);
5262 		break;
5263 
5264 	case HCI_EV_CHANGE_LINK_KEY_COMPLETE:
5265 		hci_change_link_key_complete_evt(hdev, skb);
5266 		break;
5267 
5268 	case HCI_EV_REMOTE_FEATURES:
5269 		hci_remote_features_evt(hdev, skb);
5270 		break;
5271 
5272 	case HCI_EV_CMD_COMPLETE:
5273 		hci_cmd_complete_evt(hdev, skb, &opcode, &status,
5274 				     &req_complete, &req_complete_skb);
5275 		break;
5276 
5277 	case HCI_EV_CMD_STATUS:
5278 		hci_cmd_status_evt(hdev, skb, &opcode, &status, &req_complete,
5279 				   &req_complete_skb);
5280 		break;
5281 
5282 	case HCI_EV_HARDWARE_ERROR:
5283 		hci_hardware_error_evt(hdev, skb);
5284 		break;
5285 
5286 	case HCI_EV_ROLE_CHANGE:
5287 		hci_role_change_evt(hdev, skb);
5288 		break;
5289 
5290 	case HCI_EV_NUM_COMP_PKTS:
5291 		hci_num_comp_pkts_evt(hdev, skb);
5292 		break;
5293 
5294 	case HCI_EV_MODE_CHANGE:
5295 		hci_mode_change_evt(hdev, skb);
5296 		break;
5297 
5298 	case HCI_EV_PIN_CODE_REQ:
5299 		hci_pin_code_request_evt(hdev, skb);
5300 		break;
5301 
5302 	case HCI_EV_LINK_KEY_REQ:
5303 		hci_link_key_request_evt(hdev, skb);
5304 		break;
5305 
5306 	case HCI_EV_LINK_KEY_NOTIFY:
5307 		hci_link_key_notify_evt(hdev, skb);
5308 		break;
5309 
5310 	case HCI_EV_CLOCK_OFFSET:
5311 		hci_clock_offset_evt(hdev, skb);
5312 		break;
5313 
5314 	case HCI_EV_PKT_TYPE_CHANGE:
5315 		hci_pkt_type_change_evt(hdev, skb);
5316 		break;
5317 
5318 	case HCI_EV_PSCAN_REP_MODE:
5319 		hci_pscan_rep_mode_evt(hdev, skb);
5320 		break;
5321 
5322 	case HCI_EV_INQUIRY_RESULT_WITH_RSSI:
5323 		hci_inquiry_result_with_rssi_evt(hdev, skb);
5324 		break;
5325 
5326 	case HCI_EV_REMOTE_EXT_FEATURES:
5327 		hci_remote_ext_features_evt(hdev, skb);
5328 		break;
5329 
5330 	case HCI_EV_SYNC_CONN_COMPLETE:
5331 		hci_sync_conn_complete_evt(hdev, skb);
5332 		break;
5333 
5334 	case HCI_EV_EXTENDED_INQUIRY_RESULT:
5335 		hci_extended_inquiry_result_evt(hdev, skb);
5336 		break;
5337 
5338 	case HCI_EV_KEY_REFRESH_COMPLETE:
5339 		hci_key_refresh_complete_evt(hdev, skb);
5340 		break;
5341 
5342 	case HCI_EV_IO_CAPA_REQUEST:
5343 		hci_io_capa_request_evt(hdev, skb);
5344 		break;
5345 
5346 	case HCI_EV_IO_CAPA_REPLY:
5347 		hci_io_capa_reply_evt(hdev, skb);
5348 		break;
5349 
5350 	case HCI_EV_USER_CONFIRM_REQUEST:
5351 		hci_user_confirm_request_evt(hdev, skb);
5352 		break;
5353 
5354 	case HCI_EV_USER_PASSKEY_REQUEST:
5355 		hci_user_passkey_request_evt(hdev, skb);
5356 		break;
5357 
5358 	case HCI_EV_USER_PASSKEY_NOTIFY:
5359 		hci_user_passkey_notify_evt(hdev, skb);
5360 		break;
5361 
5362 	case HCI_EV_KEYPRESS_NOTIFY:
5363 		hci_keypress_notify_evt(hdev, skb);
5364 		break;
5365 
5366 	case HCI_EV_SIMPLE_PAIR_COMPLETE:
5367 		hci_simple_pair_complete_evt(hdev, skb);
5368 		break;
5369 
5370 	case HCI_EV_REMOTE_HOST_FEATURES:
5371 		hci_remote_host_features_evt(hdev, skb);
5372 		break;
5373 
5374 	case HCI_EV_LE_META:
5375 		hci_le_meta_evt(hdev, skb);
5376 		break;
5377 
5378 	case HCI_EV_REMOTE_OOB_DATA_REQUEST:
5379 		hci_remote_oob_data_request_evt(hdev, skb);
5380 		break;
5381 
5382 #if IS_ENABLED(CONFIG_BT_HS)
5383 	case HCI_EV_CHANNEL_SELECTED:
5384 		hci_chan_selected_evt(hdev, skb);
5385 		break;
5386 
5387 	case HCI_EV_PHY_LINK_COMPLETE:
5388 		hci_phy_link_complete_evt(hdev, skb);
5389 		break;
5390 
5391 	case HCI_EV_LOGICAL_LINK_COMPLETE:
5392 		hci_loglink_complete_evt(hdev, skb);
5393 		break;
5394 
5395 	case HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE:
5396 		hci_disconn_loglink_complete_evt(hdev, skb);
5397 		break;
5398 
5399 	case HCI_EV_DISCONN_PHY_LINK_COMPLETE:
5400 		hci_disconn_phylink_complete_evt(hdev, skb);
5401 		break;
5402 #endif
5403 
5404 	case HCI_EV_NUM_COMP_BLOCKS:
5405 		hci_num_comp_blocks_evt(hdev, skb);
5406 		break;
5407 
5408 	default:
5409 		BT_DBG("%s event 0x%2.2x", hdev->name, event);
5410 		break;
5411 	}
5412 
5413 	if (req_complete) {
5414 		req_complete(hdev, status, opcode);
5415 	} else if (req_complete_skb) {
5416 		if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {
5417 			kfree_skb(orig_skb);
5418 			orig_skb = NULL;
5419 		}
5420 		req_complete_skb(hdev, status, opcode, orig_skb);
5421 	}
5422 
5423 	kfree_skb(orig_skb);
5424 	kfree_skb(skb);
5425 	hdev->stat.evt_rx++;
5426 }
5427