~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/net/bluetooth/hci_event.c

Version: ~ [ linux-5.1-rc5 ] ~ [ linux-5.0.7 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.34 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.111 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.168 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.178 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.19.8 ] ~ [ linux-3.18.138 ] ~ [ linux-3.17.8 ] ~ [ linux-3.16.65 ] ~ [ linux-3.15.10 ] ~ [ linux-3.14.79 ] ~ [ linux-3.13.11 ] ~ [ linux-3.12.74 ] ~ [ linux-3.11.10 ] ~ [ linux-3.10.108 ] ~ [ linux-3.9.11 ] ~ [ linux-3.8.13 ] ~ [ linux-3.7.10 ] ~ [ linux-3.6.11 ] ~ [ linux-3.5.7 ] ~ [ linux-3.4.113 ] ~ [ linux-3.3.8 ] ~ [ linux-3.2.102 ] ~ [ linux-3.1.10 ] ~ [ linux-3.0.101 ] ~ [ linux-2.6.39.4 ] ~ [ linux-2.6.38.8 ] ~ [ linux-2.6.37.6 ] ~ [ linux-2.6.36.4 ] ~ [ linux-2.6.35.14 ] ~ [ linux-2.6.34.15 ] ~ [ linux-2.6.33.20 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2    BlueZ - Bluetooth protocol stack for Linux
  3    Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
  4 
  5    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
  6 
  7    This program is free software; you can redistribute it and/or modify
  8    it under the terms of the GNU General Public License version 2 as
  9    published by the Free Software Foundation;
 10 
 11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
 12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
 14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
 15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
 16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 19 
 20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
 21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
 22    SOFTWARE IS DISCLAIMED.
 23 */
 24 
 25 /* Bluetooth HCI event handling. */
 26 
 27 #include <asm/unaligned.h>
 28 
 29 #include <net/bluetooth/bluetooth.h>
 30 #include <net/bluetooth/hci_core.h>
 31 #include <net/bluetooth/mgmt.h>
 32 
 33 #include "hci_request.h"
 34 #include "hci_debugfs.h"
 35 #include "a2mp.h"
 36 #include "amp.h"
 37 #include "smp.h"
 38 
 39 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
 40                  "\x00\x00\x00\x00\x00\x00\x00\x00"
 41 
 42 /* Handle HCI Event packets */
 43 
 44 static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb)
 45 {
 46         __u8 status = *((__u8 *) skb->data);
 47 
 48         BT_DBG("%s status 0x%2.2x", hdev->name, status);
 49 
 50         if (status)
 51                 return;
 52 
 53         clear_bit(HCI_INQUIRY, &hdev->flags);
 54         smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
 55         wake_up_bit(&hdev->flags, HCI_INQUIRY);
 56 
 57         hci_dev_lock(hdev);
 58         /* Set discovery state to stopped if we're not doing LE active
 59          * scanning.
 60          */
 61         if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
 62             hdev->le_scan_type != LE_SCAN_ACTIVE)
 63                 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
 64         hci_dev_unlock(hdev);
 65 
 66         hci_conn_check_pending(hdev);
 67 }
 68 
 69 static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
 70 {
 71         __u8 status = *((__u8 *) skb->data);
 72 
 73         BT_DBG("%s status 0x%2.2x", hdev->name, status);
 74 
 75         if (status)
 76                 return;
 77 
 78         hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);
 79 }
 80 
 81 static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
 82 {
 83         __u8 status = *((__u8 *) skb->data);
 84 
 85         BT_DBG("%s status 0x%2.2x", hdev->name, status);
 86 
 87         if (status)
 88                 return;
 89 
 90         hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);
 91 
 92         hci_conn_check_pending(hdev);
 93 }
 94 
 95 static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev,
 96                                           struct sk_buff *skb)
 97 {
 98         BT_DBG("%s", hdev->name);
 99 }
100 
101 static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb)
102 {
103         struct hci_rp_role_discovery *rp = (void *) skb->data;
104         struct hci_conn *conn;
105 
106         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
107 
108         if (rp->status)
109                 return;
110 
111         hci_dev_lock(hdev);
112 
113         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
114         if (conn)
115                 conn->role = rp->role;
116 
117         hci_dev_unlock(hdev);
118 }
119 
120 static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
121 {
122         struct hci_rp_read_link_policy *rp = (void *) skb->data;
123         struct hci_conn *conn;
124 
125         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
126 
127         if (rp->status)
128                 return;
129 
130         hci_dev_lock(hdev);
131 
132         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
133         if (conn)
134                 conn->link_policy = __le16_to_cpu(rp->policy);
135 
136         hci_dev_unlock(hdev);
137 }
138 
139 static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
140 {
141         struct hci_rp_write_link_policy *rp = (void *) skb->data;
142         struct hci_conn *conn;
143         void *sent;
144 
145         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
146 
147         if (rp->status)
148                 return;
149 
150         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
151         if (!sent)
152                 return;
153 
154         hci_dev_lock(hdev);
155 
156         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
157         if (conn)
158                 conn->link_policy = get_unaligned_le16(sent + 2);
159 
160         hci_dev_unlock(hdev);
161 }
162 
163 static void hci_cc_read_def_link_policy(struct hci_dev *hdev,
164                                         struct sk_buff *skb)
165 {
166         struct hci_rp_read_def_link_policy *rp = (void *) skb->data;
167 
168         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
169 
170         if (rp->status)
171                 return;
172 
173         hdev->link_policy = __le16_to_cpu(rp->policy);
174 }
175 
176 static void hci_cc_write_def_link_policy(struct hci_dev *hdev,
177                                          struct sk_buff *skb)
178 {
179         __u8 status = *((__u8 *) skb->data);
180         void *sent;
181 
182         BT_DBG("%s status 0x%2.2x", hdev->name, status);
183 
184         if (status)
185                 return;
186 
187         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
188         if (!sent)
189                 return;
190 
191         hdev->link_policy = get_unaligned_le16(sent);
192 }
193 
194 static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb)
195 {
196         __u8 status = *((__u8 *) skb->data);
197 
198         BT_DBG("%s status 0x%2.2x", hdev->name, status);
199 
200         clear_bit(HCI_RESET, &hdev->flags);
201 
202         if (status)
203                 return;
204 
205         /* Reset all non-persistent flags */
206         hci_dev_clear_volatile_flags(hdev);
207 
208         hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
209 
210         hdev->inq_tx_power = HCI_TX_POWER_INVALID;
211         hdev->adv_tx_power = HCI_TX_POWER_INVALID;
212 
213         memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
214         hdev->adv_data_len = 0;
215 
216         memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
217         hdev->scan_rsp_data_len = 0;
218 
219         hdev->le_scan_type = LE_SCAN_PASSIVE;
220 
221         hdev->ssp_debug_mode = 0;
222 
223         hci_bdaddr_list_clear(&hdev->le_white_list);
224         hci_bdaddr_list_clear(&hdev->le_resolv_list);
225 }
226 
227 static void hci_cc_read_stored_link_key(struct hci_dev *hdev,
228                                         struct sk_buff *skb)
229 {
230         struct hci_rp_read_stored_link_key *rp = (void *)skb->data;
231         struct hci_cp_read_stored_link_key *sent;
232 
233         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
234 
235         sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
236         if (!sent)
237                 return;
238 
239         if (!rp->status && sent->read_all == 0x01) {
240                 hdev->stored_max_keys = rp->max_keys;
241                 hdev->stored_num_keys = rp->num_keys;
242         }
243 }
244 
245 static void hci_cc_delete_stored_link_key(struct hci_dev *hdev,
246                                           struct sk_buff *skb)
247 {
248         struct hci_rp_delete_stored_link_key *rp = (void *)skb->data;
249 
250         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
251 
252         if (rp->status)
253                 return;
254 
255         if (rp->num_keys <= hdev->stored_num_keys)
256                 hdev->stored_num_keys -= rp->num_keys;
257         else
258                 hdev->stored_num_keys = 0;
259 }
260 
261 static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb)
262 {
263         __u8 status = *((__u8 *) skb->data);
264         void *sent;
265 
266         BT_DBG("%s status 0x%2.2x", hdev->name, status);
267 
268         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
269         if (!sent)
270                 return;
271 
272         hci_dev_lock(hdev);
273 
274         if (hci_dev_test_flag(hdev, HCI_MGMT))
275                 mgmt_set_local_name_complete(hdev, sent, status);
276         else if (!status)
277                 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
278 
279         hci_dev_unlock(hdev);
280 }
281 
282 static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)
283 {
284         struct hci_rp_read_local_name *rp = (void *) skb->data;
285 
286         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
287 
288         if (rp->status)
289                 return;
290 
291         if (hci_dev_test_flag(hdev, HCI_SETUP) ||
292             hci_dev_test_flag(hdev, HCI_CONFIG))
293                 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
294 }
295 
296 static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb)
297 {
298         __u8 status = *((__u8 *) skb->data);
299         void *sent;
300 
301         BT_DBG("%s status 0x%2.2x", hdev->name, status);
302 
303         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
304         if (!sent)
305                 return;
306 
307         hci_dev_lock(hdev);
308 
309         if (!status) {
310                 __u8 param = *((__u8 *) sent);
311 
312                 if (param == AUTH_ENABLED)
313                         set_bit(HCI_AUTH, &hdev->flags);
314                 else
315                         clear_bit(HCI_AUTH, &hdev->flags);
316         }
317 
318         if (hci_dev_test_flag(hdev, HCI_MGMT))
319                 mgmt_auth_enable_complete(hdev, status);
320 
321         hci_dev_unlock(hdev);
322 }
323 
324 static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb)
325 {
326         __u8 status = *((__u8 *) skb->data);
327         __u8 param;
328         void *sent;
329 
330         BT_DBG("%s status 0x%2.2x", hdev->name, status);
331 
332         if (status)
333                 return;
334 
335         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
336         if (!sent)
337                 return;
338 
339         param = *((__u8 *) sent);
340 
341         if (param)
342                 set_bit(HCI_ENCRYPT, &hdev->flags);
343         else
344                 clear_bit(HCI_ENCRYPT, &hdev->flags);
345 }
346 
347 static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb)
348 {
349         __u8 status = *((__u8 *) skb->data);
350         __u8 param;
351         void *sent;
352 
353         BT_DBG("%s status 0x%2.2x", hdev->name, status);
354 
355         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
356         if (!sent)
357                 return;
358 
359         param = *((__u8 *) sent);
360 
361         hci_dev_lock(hdev);
362 
363         if (status) {
364                 hdev->discov_timeout = 0;
365                 goto done;
366         }
367 
368         if (param & SCAN_INQUIRY)
369                 set_bit(HCI_ISCAN, &hdev->flags);
370         else
371                 clear_bit(HCI_ISCAN, &hdev->flags);
372 
373         if (param & SCAN_PAGE)
374                 set_bit(HCI_PSCAN, &hdev->flags);
375         else
376                 clear_bit(HCI_PSCAN, &hdev->flags);
377 
378 done:
379         hci_dev_unlock(hdev);
380 }
381 
382 static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
383 {
384         struct hci_rp_read_class_of_dev *rp = (void *) skb->data;
385 
386         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
387 
388         if (rp->status)
389                 return;
390 
391         memcpy(hdev->dev_class, rp->dev_class, 3);
392 
393         BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name,
394                hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]);
395 }
396 
397 static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
398 {
399         __u8 status = *((__u8 *) skb->data);
400         void *sent;
401 
402         BT_DBG("%s status 0x%2.2x", hdev->name, status);
403 
404         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
405         if (!sent)
406                 return;
407 
408         hci_dev_lock(hdev);
409 
410         if (status == 0)
411                 memcpy(hdev->dev_class, sent, 3);
412 
413         if (hci_dev_test_flag(hdev, HCI_MGMT))
414                 mgmt_set_class_of_dev_complete(hdev, sent, status);
415 
416         hci_dev_unlock(hdev);
417 }
418 
419 static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb)
420 {
421         struct hci_rp_read_voice_setting *rp = (void *) skb->data;
422         __u16 setting;
423 
424         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
425 
426         if (rp->status)
427                 return;
428 
429         setting = __le16_to_cpu(rp->voice_setting);
430 
431         if (hdev->voice_setting == setting)
432                 return;
433 
434         hdev->voice_setting = setting;
435 
436         BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
437 
438         if (hdev->notify)
439                 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
440 }
441 
442 static void hci_cc_write_voice_setting(struct hci_dev *hdev,
443                                        struct sk_buff *skb)
444 {
445         __u8 status = *((__u8 *) skb->data);
446         __u16 setting;
447         void *sent;
448 
449         BT_DBG("%s status 0x%2.2x", hdev->name, status);
450 
451         if (status)
452                 return;
453 
454         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
455         if (!sent)
456                 return;
457 
458         setting = get_unaligned_le16(sent);
459 
460         if (hdev->voice_setting == setting)
461                 return;
462 
463         hdev->voice_setting = setting;
464 
465         BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
466 
467         if (hdev->notify)
468                 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
469 }
470 
471 static void hci_cc_read_num_supported_iac(struct hci_dev *hdev,
472                                           struct sk_buff *skb)
473 {
474         struct hci_rp_read_num_supported_iac *rp = (void *) skb->data;
475 
476         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
477 
478         if (rp->status)
479                 return;
480 
481         hdev->num_iac = rp->num_iac;
482 
483         BT_DBG("%s num iac %d", hdev->name, hdev->num_iac);
484 }
485 
486 static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
487 {
488         __u8 status = *((__u8 *) skb->data);
489         struct hci_cp_write_ssp_mode *sent;
490 
491         BT_DBG("%s status 0x%2.2x", hdev->name, status);
492 
493         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
494         if (!sent)
495                 return;
496 
497         hci_dev_lock(hdev);
498 
499         if (!status) {
500                 if (sent->mode)
501                         hdev->features[1][0] |= LMP_HOST_SSP;
502                 else
503                         hdev->features[1][0] &= ~LMP_HOST_SSP;
504         }
505 
506         if (hci_dev_test_flag(hdev, HCI_MGMT))
507                 mgmt_ssp_enable_complete(hdev, sent->mode, status);
508         else if (!status) {
509                 if (sent->mode)
510                         hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
511                 else
512                         hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
513         }
514 
515         hci_dev_unlock(hdev);
516 }
517 
518 static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb)
519 {
520         u8 status = *((u8 *) skb->data);
521         struct hci_cp_write_sc_support *sent;
522 
523         BT_DBG("%s status 0x%2.2x", hdev->name, status);
524 
525         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
526         if (!sent)
527                 return;
528 
529         hci_dev_lock(hdev);
530 
531         if (!status) {
532                 if (sent->support)
533                         hdev->features[1][0] |= LMP_HOST_SC;
534                 else
535                         hdev->features[1][0] &= ~LMP_HOST_SC;
536         }
537 
538         if (!hci_dev_test_flag(hdev, HCI_MGMT) && !status) {
539                 if (sent->support)
540                         hci_dev_set_flag(hdev, HCI_SC_ENABLED);
541                 else
542                         hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
543         }
544 
545         hci_dev_unlock(hdev);
546 }
547 
548 static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb)
549 {
550         struct hci_rp_read_local_version *rp = (void *) skb->data;
551 
552         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
553 
554         if (rp->status)
555                 return;
556 
557         if (hci_dev_test_flag(hdev, HCI_SETUP) ||
558             hci_dev_test_flag(hdev, HCI_CONFIG)) {
559                 hdev->hci_ver = rp->hci_ver;
560                 hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
561                 hdev->lmp_ver = rp->lmp_ver;
562                 hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
563                 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
564         }
565 }
566 
567 static void hci_cc_read_local_commands(struct hci_dev *hdev,
568                                        struct sk_buff *skb)
569 {
570         struct hci_rp_read_local_commands *rp = (void *) skb->data;
571 
572         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
573 
574         if (rp->status)
575                 return;
576 
577         if (hci_dev_test_flag(hdev, HCI_SETUP) ||
578             hci_dev_test_flag(hdev, HCI_CONFIG))
579                 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
580 }
581 
582 static void hci_cc_read_local_features(struct hci_dev *hdev,
583                                        struct sk_buff *skb)
584 {
585         struct hci_rp_read_local_features *rp = (void *) skb->data;
586 
587         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
588 
589         if (rp->status)
590                 return;
591 
592         memcpy(hdev->features, rp->features, 8);
593 
594         /* Adjust default settings according to features
595          * supported by device. */
596 
597         if (hdev->features[0][0] & LMP_3SLOT)
598                 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
599 
600         if (hdev->features[0][0] & LMP_5SLOT)
601                 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
602 
603         if (hdev->features[0][1] & LMP_HV2) {
604                 hdev->pkt_type  |= (HCI_HV2);
605                 hdev->esco_type |= (ESCO_HV2);
606         }
607 
608         if (hdev->features[0][1] & LMP_HV3) {
609                 hdev->pkt_type  |= (HCI_HV3);
610                 hdev->esco_type |= (ESCO_HV3);
611         }
612 
613         if (lmp_esco_capable(hdev))
614                 hdev->esco_type |= (ESCO_EV3);
615 
616         if (hdev->features[0][4] & LMP_EV4)
617                 hdev->esco_type |= (ESCO_EV4);
618 
619         if (hdev->features[0][4] & LMP_EV5)
620                 hdev->esco_type |= (ESCO_EV5);
621 
622         if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
623                 hdev->esco_type |= (ESCO_2EV3);
624 
625         if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
626                 hdev->esco_type |= (ESCO_3EV3);
627 
628         if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
629                 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
630 }
631 
632 static void hci_cc_read_local_ext_features(struct hci_dev *hdev,
633                                            struct sk_buff *skb)
634 {
635         struct hci_rp_read_local_ext_features *rp = (void *) skb->data;
636 
637         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
638 
639         if (rp->status)
640                 return;
641 
642         if (hdev->max_page < rp->max_page)
643                 hdev->max_page = rp->max_page;
644 
645         if (rp->page < HCI_MAX_PAGES)
646                 memcpy(hdev->features[rp->page], rp->features, 8);
647 }
648 
649 static void hci_cc_read_flow_control_mode(struct hci_dev *hdev,
650                                           struct sk_buff *skb)
651 {
652         struct hci_rp_read_flow_control_mode *rp = (void *) skb->data;
653 
654         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
655 
656         if (rp->status)
657                 return;
658 
659         hdev->flow_ctl_mode = rp->mode;
660 }
661 
662 static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)
663 {
664         struct hci_rp_read_buffer_size *rp = (void *) skb->data;
665 
666         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
667 
668         if (rp->status)
669                 return;
670 
671         hdev->acl_mtu  = __le16_to_cpu(rp->acl_mtu);
672         hdev->sco_mtu  = rp->sco_mtu;
673         hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
674         hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
675 
676         if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
677                 hdev->sco_mtu  = 64;
678                 hdev->sco_pkts = 8;
679         }
680 
681         hdev->acl_cnt = hdev->acl_pkts;
682         hdev->sco_cnt = hdev->sco_pkts;
683 
684         BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
685                hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
686 }
687 
688 static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb)
689 {
690         struct hci_rp_read_bd_addr *rp = (void *) skb->data;
691 
692         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
693 
694         if (rp->status)
695                 return;
696 
697         if (test_bit(HCI_INIT, &hdev->flags))
698                 bacpy(&hdev->bdaddr, &rp->bdaddr);
699 
700         if (hci_dev_test_flag(hdev, HCI_SETUP))
701                 bacpy(&hdev->setup_addr, &rp->bdaddr);
702 }
703 
704 static void hci_cc_read_page_scan_activity(struct hci_dev *hdev,
705                                            struct sk_buff *skb)
706 {
707         struct hci_rp_read_page_scan_activity *rp = (void *) skb->data;
708 
709         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
710 
711         if (rp->status)
712                 return;
713 
714         if (test_bit(HCI_INIT, &hdev->flags)) {
715                 hdev->page_scan_interval = __le16_to_cpu(rp->interval);
716                 hdev->page_scan_window = __le16_to_cpu(rp->window);
717         }
718 }
719 
720 static void hci_cc_write_page_scan_activity(struct hci_dev *hdev,
721                                             struct sk_buff *skb)
722 {
723         u8 status = *((u8 *) skb->data);
724         struct hci_cp_write_page_scan_activity *sent;
725 
726         BT_DBG("%s status 0x%2.2x", hdev->name, status);
727 
728         if (status)
729                 return;
730 
731         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
732         if (!sent)
733                 return;
734 
735         hdev->page_scan_interval = __le16_to_cpu(sent->interval);
736         hdev->page_scan_window = __le16_to_cpu(sent->window);
737 }
738 
739 static void hci_cc_read_page_scan_type(struct hci_dev *hdev,
740                                            struct sk_buff *skb)
741 {
742         struct hci_rp_read_page_scan_type *rp = (void *) skb->data;
743 
744         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
745 
746         if (rp->status)
747                 return;
748 
749         if (test_bit(HCI_INIT, &hdev->flags))
750                 hdev->page_scan_type = rp->type;
751 }
752 
753 static void hci_cc_write_page_scan_type(struct hci_dev *hdev,
754                                         struct sk_buff *skb)
755 {
756         u8 status = *((u8 *) skb->data);
757         u8 *type;
758 
759         BT_DBG("%s status 0x%2.2x", hdev->name, status);
760 
761         if (status)
762                 return;
763 
764         type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
765         if (type)
766                 hdev->page_scan_type = *type;
767 }
768 
769 static void hci_cc_read_data_block_size(struct hci_dev *hdev,
770                                         struct sk_buff *skb)
771 {
772         struct hci_rp_read_data_block_size *rp = (void *) skb->data;
773 
774         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
775 
776         if (rp->status)
777                 return;
778 
779         hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
780         hdev->block_len = __le16_to_cpu(rp->block_len);
781         hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
782 
783         hdev->block_cnt = hdev->num_blocks;
784 
785         BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
786                hdev->block_cnt, hdev->block_len);
787 }
788 
789 static void hci_cc_read_clock(struct hci_dev *hdev, struct sk_buff *skb)
790 {
791         struct hci_rp_read_clock *rp = (void *) skb->data;
792         struct hci_cp_read_clock *cp;
793         struct hci_conn *conn;
794 
795         BT_DBG("%s", hdev->name);
796 
797         if (skb->len < sizeof(*rp))
798                 return;
799 
800         if (rp->status)
801                 return;
802 
803         hci_dev_lock(hdev);
804 
805         cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
806         if (!cp)
807                 goto unlock;
808 
809         if (cp->which == 0x00) {
810                 hdev->clock = le32_to_cpu(rp->clock);
811                 goto unlock;
812         }
813 
814         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
815         if (conn) {
816                 conn->clock = le32_to_cpu(rp->clock);
817                 conn->clock_accuracy = le16_to_cpu(rp->accuracy);
818         }
819 
820 unlock:
821         hci_dev_unlock(hdev);
822 }
823 
824 static void hci_cc_read_local_amp_info(struct hci_dev *hdev,
825                                        struct sk_buff *skb)
826 {
827         struct hci_rp_read_local_amp_info *rp = (void *) skb->data;
828 
829         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
830 
831         if (rp->status)
832                 return;
833 
834         hdev->amp_status = rp->amp_status;
835         hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
836         hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
837         hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
838         hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
839         hdev->amp_type = rp->amp_type;
840         hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
841         hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
842         hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
843         hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
844 }
845 
846 static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev,
847                                          struct sk_buff *skb)
848 {
849         struct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data;
850 
851         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
852 
853         if (rp->status)
854                 return;
855 
856         hdev->inq_tx_power = rp->tx_power;
857 }
858 
859 static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb)
860 {
861         struct hci_rp_pin_code_reply *rp = (void *) skb->data;
862         struct hci_cp_pin_code_reply *cp;
863         struct hci_conn *conn;
864 
865         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
866 
867         hci_dev_lock(hdev);
868 
869         if (hci_dev_test_flag(hdev, HCI_MGMT))
870                 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
871 
872         if (rp->status)
873                 goto unlock;
874 
875         cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
876         if (!cp)
877                 goto unlock;
878 
879         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
880         if (conn)
881                 conn->pin_length = cp->pin_len;
882 
883 unlock:
884         hci_dev_unlock(hdev);
885 }
886 
887 static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)
888 {
889         struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data;
890 
891         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
892 
893         hci_dev_lock(hdev);
894 
895         if (hci_dev_test_flag(hdev, HCI_MGMT))
896                 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
897                                                  rp->status);
898 
899         hci_dev_unlock(hdev);
900 }
901 
902 static void hci_cc_le_read_buffer_size(struct hci_dev *hdev,
903                                        struct sk_buff *skb)
904 {
905         struct hci_rp_le_read_buffer_size *rp = (void *) skb->data;
906 
907         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
908 
909         if (rp->status)
910                 return;
911 
912         hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
913         hdev->le_pkts = rp->le_max_pkt;
914 
915         hdev->le_cnt = hdev->le_pkts;
916 
917         BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
918 }
919 
920 static void hci_cc_le_read_local_features(struct hci_dev *hdev,
921                                           struct sk_buff *skb)
922 {
923         struct hci_rp_le_read_local_features *rp = (void *) skb->data;
924 
925         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
926 
927         if (rp->status)
928                 return;
929 
930         memcpy(hdev->le_features, rp->features, 8);
931 }
932 
933 static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev,
934                                         struct sk_buff *skb)
935 {
936         struct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data;
937 
938         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
939 
940         if (rp->status)
941                 return;
942 
943         hdev->adv_tx_power = rp->tx_power;
944 }
945 
946 static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb)
947 {
948         struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
949 
950         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
951 
952         hci_dev_lock(hdev);
953 
954         if (hci_dev_test_flag(hdev, HCI_MGMT))
955                 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
956                                                  rp->status);
957 
958         hci_dev_unlock(hdev);
959 }
960 
961 static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev,
962                                           struct sk_buff *skb)
963 {
964         struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
965 
966         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
967 
968         hci_dev_lock(hdev);
969 
970         if (hci_dev_test_flag(hdev, HCI_MGMT))
971                 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
972                                                      ACL_LINK, 0, rp->status);
973 
974         hci_dev_unlock(hdev);
975 }
976 
977 static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb)
978 {
979         struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
980 
981         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
982 
983         hci_dev_lock(hdev);
984 
985         if (hci_dev_test_flag(hdev, HCI_MGMT))
986                 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
987                                                  0, rp->status);
988 
989         hci_dev_unlock(hdev);
990 }
991 
992 static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev,
993                                           struct sk_buff *skb)
994 {
995         struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
996 
997         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
998 
999         hci_dev_lock(hdev);
1000 
1001         if (hci_dev_test_flag(hdev, HCI_MGMT))
1002                 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
1003                                                      ACL_LINK, 0, rp->status);
1004 
1005         hci_dev_unlock(hdev);
1006 }
1007 
1008 static void hci_cc_read_local_oob_data(struct hci_dev *hdev,
1009                                        struct sk_buff *skb)
1010 {
1011         struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
1012 
1013         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1014 }
1015 
1016 static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev,
1017                                            struct sk_buff *skb)
1018 {
1019         struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
1020 
1021         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1022 }
1023 
1024 static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb)
1025 {
1026         __u8 status = *((__u8 *) skb->data);
1027         bdaddr_t *sent;
1028 
1029         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1030 
1031         if (status)
1032                 return;
1033 
1034         sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1035         if (!sent)
1036                 return;
1037 
1038         hci_dev_lock(hdev);
1039 
1040         bacpy(&hdev->random_addr, sent);
1041 
1042         hci_dev_unlock(hdev);
1043 }
1044 
1045 static void hci_cc_le_set_default_phy(struct hci_dev *hdev, struct sk_buff *skb)
1046 {
1047         __u8 status = *((__u8 *) skb->data);
1048         struct hci_cp_le_set_default_phy *cp;
1049 
1050         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1051 
1052         if (status)
1053                 return;
1054 
1055         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_DEFAULT_PHY);
1056         if (!cp)
1057                 return;
1058 
1059         hci_dev_lock(hdev);
1060 
1061         hdev->le_tx_def_phys = cp->tx_phys;
1062         hdev->le_rx_def_phys = cp->rx_phys;
1063 
1064         hci_dev_unlock(hdev);
1065 }
1066 
1067 static void hci_cc_le_set_adv_set_random_addr(struct hci_dev *hdev,
1068                                               struct sk_buff *skb)
1069 {
1070         __u8 status = *((__u8 *) skb->data);
1071         struct hci_cp_le_set_adv_set_rand_addr *cp;
1072         struct adv_info *adv_instance;
1073 
1074         if (status)
1075                 return;
1076 
1077         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_SET_RAND_ADDR);
1078         if (!cp)
1079                 return;
1080 
1081         hci_dev_lock(hdev);
1082 
1083         if (!hdev->cur_adv_instance) {
1084                 /* Store in hdev for instance 0 (Set adv and Directed advs) */
1085                 bacpy(&hdev->random_addr, &cp->bdaddr);
1086         } else {
1087                 adv_instance = hci_find_adv_instance(hdev,
1088                                                      hdev->cur_adv_instance);
1089                 if (adv_instance)
1090                         bacpy(&adv_instance->random_addr, &cp->bdaddr);
1091         }
1092 
1093         hci_dev_unlock(hdev);
1094 }
1095 
1096 static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb)
1097 {
1098         __u8 *sent, status = *((__u8 *) skb->data);
1099 
1100         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1101 
1102         if (status)
1103                 return;
1104 
1105         sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1106         if (!sent)
1107                 return;
1108 
1109         hci_dev_lock(hdev);
1110 
1111         /* If we're doing connection initiation as peripheral. Set a
1112          * timeout in case something goes wrong.
1113          */
1114         if (*sent) {
1115                 struct hci_conn *conn;
1116 
1117                 hci_dev_set_flag(hdev, HCI_LE_ADV);
1118 
1119                 conn = hci_lookup_le_connect(hdev);
1120                 if (conn)
1121                         queue_delayed_work(hdev->workqueue,
1122                                            &conn->le_conn_timeout,
1123                                            conn->conn_timeout);
1124         } else {
1125                 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1126         }
1127 
1128         hci_dev_unlock(hdev);
1129 }
1130 
1131 static void hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev,
1132                                          struct sk_buff *skb)
1133 {
1134         struct hci_cp_le_set_ext_adv_enable *cp;
1135         __u8 status = *((__u8 *) skb->data);
1136 
1137         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1138 
1139         if (status)
1140                 return;
1141 
1142         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE);
1143         if (!cp)
1144                 return;
1145 
1146         hci_dev_lock(hdev);
1147 
1148         if (cp->enable) {
1149                 struct hci_conn *conn;
1150 
1151                 hci_dev_set_flag(hdev, HCI_LE_ADV);
1152 
1153                 conn = hci_lookup_le_connect(hdev);
1154                 if (conn)
1155                         queue_delayed_work(hdev->workqueue,
1156                                            &conn->le_conn_timeout,
1157                                            conn->conn_timeout);
1158         } else {
1159                 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1160         }
1161 
1162         hci_dev_unlock(hdev);
1163 }
1164 
1165 static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb)
1166 {
1167         struct hci_cp_le_set_scan_param *cp;
1168         __u8 status = *((__u8 *) skb->data);
1169 
1170         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1171 
1172         if (status)
1173                 return;
1174 
1175         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1176         if (!cp)
1177                 return;
1178 
1179         hci_dev_lock(hdev);
1180 
1181         hdev->le_scan_type = cp->type;
1182 
1183         hci_dev_unlock(hdev);
1184 }
1185 
1186 static void hci_cc_le_set_ext_scan_param(struct hci_dev *hdev,
1187                                          struct sk_buff *skb)
1188 {
1189         struct hci_cp_le_set_ext_scan_params *cp;
1190         __u8 status = *((__u8 *) skb->data);
1191         struct hci_cp_le_scan_phy_params *phy_param;
1192 
1193         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1194 
1195         if (status)
1196                 return;
1197 
1198         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS);
1199         if (!cp)
1200                 return;
1201 
1202         phy_param = (void *)cp->data;
1203 
1204         hci_dev_lock(hdev);
1205 
1206         hdev->le_scan_type = phy_param->type;
1207 
1208         hci_dev_unlock(hdev);
1209 }
1210 
1211 static bool has_pending_adv_report(struct hci_dev *hdev)
1212 {
1213         struct discovery_state *d = &hdev->discovery;
1214 
1215         return bacmp(&d->last_adv_addr, BDADDR_ANY);
1216 }
1217 
1218 static void clear_pending_adv_report(struct hci_dev *hdev)
1219 {
1220         struct discovery_state *d = &hdev->discovery;
1221 
1222         bacpy(&d->last_adv_addr, BDADDR_ANY);
1223         d->last_adv_data_len = 0;
1224 }
1225 
1226 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1227                                      u8 bdaddr_type, s8 rssi, u32 flags,
1228                                      u8 *data, u8 len)
1229 {
1230         struct discovery_state *d = &hdev->discovery;
1231 
1232         bacpy(&d->last_adv_addr, bdaddr);
1233         d->last_adv_addr_type = bdaddr_type;
1234         d->last_adv_rssi = rssi;
1235         d->last_adv_flags = flags;
1236         memcpy(d->last_adv_data, data, len);
1237         d->last_adv_data_len = len;
1238 }
1239 
1240 static void le_set_scan_enable_complete(struct hci_dev *hdev, u8 enable)
1241 {
1242         hci_dev_lock(hdev);
1243 
1244         switch (enable) {
1245         case LE_SCAN_ENABLE:
1246                 hci_dev_set_flag(hdev, HCI_LE_SCAN);
1247                 if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1248                         clear_pending_adv_report(hdev);
1249                 break;
1250 
1251         case LE_SCAN_DISABLE:
1252                 /* We do this here instead of when setting DISCOVERY_STOPPED
1253                  * since the latter would potentially require waiting for
1254                  * inquiry to stop too.
1255                  */
1256                 if (has_pending_adv_report(hdev)) {
1257                         struct discovery_state *d = &hdev->discovery;
1258 
1259                         mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1260                                           d->last_adv_addr_type, NULL,
1261                                           d->last_adv_rssi, d->last_adv_flags,
1262                                           d->last_adv_data,
1263                                           d->last_adv_data_len, NULL, 0);
1264                 }
1265 
1266                 /* Cancel this timer so that we don't try to disable scanning
1267                  * when it's already disabled.
1268                  */
1269                 cancel_delayed_work(&hdev->le_scan_disable);
1270 
1271                 hci_dev_clear_flag(hdev, HCI_LE_SCAN);
1272 
1273                 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1274                  * interrupted scanning due to a connect request. Mark
1275                  * therefore discovery as stopped. If this was not
1276                  * because of a connect request advertising might have
1277                  * been disabled because of active scanning, so
1278                  * re-enable it again if necessary.
1279                  */
1280                 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))
1281                         hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1282                 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) &&
1283                          hdev->discovery.state == DISCOVERY_FINDING)
1284                         hci_req_reenable_advertising(hdev);
1285 
1286                 break;
1287 
1288         default:
1289                 bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d",
1290                            enable);
1291                 break;
1292         }
1293 
1294         hci_dev_unlock(hdev);
1295 }
1296 
1297 static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
1298                                       struct sk_buff *skb)
1299 {
1300         struct hci_cp_le_set_scan_enable *cp;
1301         __u8 status = *((__u8 *) skb->data);
1302 
1303         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1304 
1305         if (status)
1306                 return;
1307 
1308         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1309         if (!cp)
1310                 return;
1311 
1312         le_set_scan_enable_complete(hdev, cp->enable);
1313 }
1314 
1315 static void hci_cc_le_set_ext_scan_enable(struct hci_dev *hdev,
1316                                       struct sk_buff *skb)
1317 {
1318         struct hci_cp_le_set_ext_scan_enable *cp;
1319         __u8 status = *((__u8 *) skb->data);
1320 
1321         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1322 
1323         if (status)
1324                 return;
1325 
1326         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_ENABLE);
1327         if (!cp)
1328                 return;
1329 
1330         le_set_scan_enable_complete(hdev, cp->enable);
1331 }
1332 
1333 static void hci_cc_le_read_num_adv_sets(struct hci_dev *hdev,
1334                                       struct sk_buff *skb)
1335 {
1336         struct hci_rp_le_read_num_supported_adv_sets *rp = (void *) skb->data;
1337 
1338         BT_DBG("%s status 0x%2.2x No of Adv sets %u", hdev->name, rp->status,
1339                rp->num_of_sets);
1340 
1341         if (rp->status)
1342                 return;
1343 
1344         hdev->le_num_of_adv_sets = rp->num_of_sets;
1345 }
1346 
1347 static void hci_cc_le_read_white_list_size(struct hci_dev *hdev,
1348                                            struct sk_buff *skb)
1349 {
1350         struct hci_rp_le_read_white_list_size *rp = (void *) skb->data;
1351 
1352         BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1353 
1354         if (rp->status)
1355                 return;
1356 
1357         hdev->le_white_list_size = rp->size;
1358 }
1359 
1360 static void hci_cc_le_clear_white_list(struct hci_dev *hdev,
1361                                        struct sk_buff *skb)
1362 {
1363         __u8 status = *((__u8 *) skb->data);
1364 
1365         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1366 
1367         if (status)
1368                 return;
1369 
1370         hci_bdaddr_list_clear(&hdev->le_white_list);
1371 }
1372 
1373 static void hci_cc_le_add_to_white_list(struct hci_dev *hdev,
1374                                         struct sk_buff *skb)
1375 {
1376         struct hci_cp_le_add_to_white_list *sent;
1377         __u8 status = *((__u8 *) skb->data);
1378 
1379         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1380 
1381         if (status)
1382                 return;
1383 
1384         sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_WHITE_LIST);
1385         if (!sent)
1386                 return;
1387 
1388         hci_bdaddr_list_add(&hdev->le_white_list, &sent->bdaddr,
1389                            sent->bdaddr_type);
1390 }
1391 
1392 static void hci_cc_le_del_from_white_list(struct hci_dev *hdev,
1393                                           struct sk_buff *skb)
1394 {
1395         struct hci_cp_le_del_from_white_list *sent;
1396         __u8 status = *((__u8 *) skb->data);
1397 
1398         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1399 
1400         if (status)
1401                 return;
1402 
1403         sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_WHITE_LIST);
1404         if (!sent)
1405                 return;
1406 
1407         hci_bdaddr_list_del(&hdev->le_white_list, &sent->bdaddr,
1408                             sent->bdaddr_type);
1409 }
1410 
1411 static void hci_cc_le_read_supported_states(struct hci_dev *hdev,
1412                                             struct sk_buff *skb)
1413 {
1414         struct hci_rp_le_read_supported_states *rp = (void *) skb->data;
1415 
1416         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1417 
1418         if (rp->status)
1419                 return;
1420 
1421         memcpy(hdev->le_states, rp->le_states, 8);
1422 }
1423 
1424 static void hci_cc_le_read_def_data_len(struct hci_dev *hdev,
1425                                         struct sk_buff *skb)
1426 {
1427         struct hci_rp_le_read_def_data_len *rp = (void *) skb->data;
1428 
1429         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1430 
1431         if (rp->status)
1432                 return;
1433 
1434         hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
1435         hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
1436 }
1437 
1438 static void hci_cc_le_write_def_data_len(struct hci_dev *hdev,
1439                                          struct sk_buff *skb)
1440 {
1441         struct hci_cp_le_write_def_data_len *sent;
1442         __u8 status = *((__u8 *) skb->data);
1443 
1444         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1445 
1446         if (status)
1447                 return;
1448 
1449         sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
1450         if (!sent)
1451                 return;
1452 
1453         hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
1454         hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
1455 }
1456 
1457 static void hci_cc_le_add_to_resolv_list(struct hci_dev *hdev,
1458                                          struct sk_buff *skb)
1459 {
1460         struct hci_cp_le_add_to_resolv_list *sent;
1461         __u8 status = *((__u8 *) skb->data);
1462 
1463         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1464 
1465         if (status)
1466                 return;
1467 
1468         sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_RESOLV_LIST);
1469         if (!sent)
1470                 return;
1471 
1472         hci_bdaddr_list_add_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
1473                                 sent->bdaddr_type, sent->peer_irk,
1474                                 sent->local_irk);
1475 }
1476 
1477 static void hci_cc_le_del_from_resolv_list(struct hci_dev *hdev,
1478                                           struct sk_buff *skb)
1479 {
1480         struct hci_cp_le_del_from_resolv_list *sent;
1481         __u8 status = *((__u8 *) skb->data);
1482 
1483         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1484 
1485         if (status)
1486                 return;
1487 
1488         sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_RESOLV_LIST);
1489         if (!sent)
1490                 return;
1491 
1492         hci_bdaddr_list_del_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
1493                             sent->bdaddr_type);
1494 }
1495 
1496 static void hci_cc_le_clear_resolv_list(struct hci_dev *hdev,
1497                                        struct sk_buff *skb)
1498 {
1499         __u8 status = *((__u8 *) skb->data);
1500 
1501         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1502 
1503         if (status)
1504                 return;
1505 
1506         hci_bdaddr_list_clear(&hdev->le_resolv_list);
1507 }
1508 
1509 static void hci_cc_le_read_resolv_list_size(struct hci_dev *hdev,
1510                                            struct sk_buff *skb)
1511 {
1512         struct hci_rp_le_read_resolv_list_size *rp = (void *) skb->data;
1513 
1514         BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1515 
1516         if (rp->status)
1517                 return;
1518 
1519         hdev->le_resolv_list_size = rp->size;
1520 }
1521 
1522 static void hci_cc_le_set_addr_resolution_enable(struct hci_dev *hdev,
1523                                                 struct sk_buff *skb)
1524 {
1525         __u8 *sent, status = *((__u8 *) skb->data);
1526 
1527         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1528 
1529         if (status)
1530                 return;
1531 
1532         sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE);
1533         if (!sent)
1534                 return;
1535 
1536         hci_dev_lock(hdev);
1537 
1538         if (*sent)
1539                 hci_dev_set_flag(hdev, HCI_LL_RPA_RESOLUTION);
1540         else
1541                 hci_dev_clear_flag(hdev, HCI_LL_RPA_RESOLUTION);
1542 
1543         hci_dev_unlock(hdev);
1544 }
1545 
1546 static void hci_cc_le_read_max_data_len(struct hci_dev *hdev,
1547                                         struct sk_buff *skb)
1548 {
1549         struct hci_rp_le_read_max_data_len *rp = (void *) skb->data;
1550 
1551         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1552 
1553         if (rp->status)
1554                 return;
1555 
1556         hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
1557         hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
1558         hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
1559         hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
1560 }
1561 
1562 static void hci_cc_write_le_host_supported(struct hci_dev *hdev,
1563                                            struct sk_buff *skb)
1564 {
1565         struct hci_cp_write_le_host_supported *sent;
1566         __u8 status = *((__u8 *) skb->data);
1567 
1568         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1569 
1570         if (status)
1571                 return;
1572 
1573         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
1574         if (!sent)
1575                 return;
1576 
1577         hci_dev_lock(hdev);
1578 
1579         if (sent->le) {
1580                 hdev->features[1][0] |= LMP_HOST_LE;
1581                 hci_dev_set_flag(hdev, HCI_LE_ENABLED);
1582         } else {
1583                 hdev->features[1][0] &= ~LMP_HOST_LE;
1584                 hci_dev_clear_flag(hdev, HCI_LE_ENABLED);
1585                 hci_dev_clear_flag(hdev, HCI_ADVERTISING);
1586         }
1587 
1588         if (sent->simul)
1589                 hdev->features[1][0] |= LMP_HOST_LE_BREDR;
1590         else
1591                 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
1592 
1593         hci_dev_unlock(hdev);
1594 }
1595 
1596 static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1597 {
1598         struct hci_cp_le_set_adv_param *cp;
1599         u8 status = *((u8 *) skb->data);
1600 
1601         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1602 
1603         if (status)
1604                 return;
1605 
1606         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
1607         if (!cp)
1608                 return;
1609 
1610         hci_dev_lock(hdev);
1611         hdev->adv_addr_type = cp->own_address_type;
1612         hci_dev_unlock(hdev);
1613 }
1614 
1615 static void hci_cc_set_ext_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1616 {
1617         struct hci_rp_le_set_ext_adv_params *rp = (void *) skb->data;
1618         struct hci_cp_le_set_ext_adv_params *cp;
1619         struct adv_info *adv_instance;
1620 
1621         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1622 
1623         if (rp->status)
1624                 return;
1625 
1626         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS);
1627         if (!cp)
1628                 return;
1629 
1630         hci_dev_lock(hdev);
1631         hdev->adv_addr_type = cp->own_addr_type;
1632         if (!hdev->cur_adv_instance) {
1633                 /* Store in hdev for instance 0 */
1634                 hdev->adv_tx_power = rp->tx_power;
1635         } else {
1636                 adv_instance = hci_find_adv_instance(hdev,
1637                                                      hdev->cur_adv_instance);
1638                 if (adv_instance)
1639                         adv_instance->tx_power = rp->tx_power;
1640         }
1641         /* Update adv data as tx power is known now */
1642         hci_req_update_adv_data(hdev, hdev->cur_adv_instance);
1643         hci_dev_unlock(hdev);
1644 }
1645 
1646 static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb)
1647 {
1648         struct hci_rp_read_rssi *rp = (void *) skb->data;
1649         struct hci_conn *conn;
1650 
1651         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1652 
1653         if (rp->status)
1654                 return;
1655 
1656         hci_dev_lock(hdev);
1657 
1658         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1659         if (conn)
1660                 conn->rssi = rp->rssi;
1661 
1662         hci_dev_unlock(hdev);
1663 }
1664 
1665 static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb)
1666 {
1667         struct hci_cp_read_tx_power *sent;
1668         struct hci_rp_read_tx_power *rp = (void *) skb->data;
1669         struct hci_conn *conn;
1670 
1671         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1672 
1673         if (rp->status)
1674                 return;
1675 
1676         sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
1677         if (!sent)
1678                 return;
1679 
1680         hci_dev_lock(hdev);
1681 
1682         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1683         if (!conn)
1684                 goto unlock;
1685 
1686         switch (sent->type) {
1687         case 0x00:
1688                 conn->tx_power = rp->tx_power;
1689                 break;
1690         case 0x01:
1691                 conn->max_tx_power = rp->tx_power;
1692                 break;
1693         }
1694 
1695 unlock:
1696         hci_dev_unlock(hdev);
1697 }
1698 
1699 static void hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, struct sk_buff *skb)
1700 {
1701         u8 status = *((u8 *) skb->data);
1702         u8 *mode;
1703 
1704         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1705 
1706         if (status)
1707                 return;
1708 
1709         mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);
1710         if (mode)
1711                 hdev->ssp_debug_mode = *mode;
1712 }
1713 
1714 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
1715 {
1716         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1717 
1718         if (status) {
1719                 hci_conn_check_pending(hdev);
1720                 return;
1721         }
1722 
1723         set_bit(HCI_INQUIRY, &hdev->flags);
1724 }
1725 
1726 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
1727 {
1728         struct hci_cp_create_conn *cp;
1729         struct hci_conn *conn;
1730 
1731         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1732 
1733         cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
1734         if (!cp)
1735                 return;
1736 
1737         hci_dev_lock(hdev);
1738 
1739         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1740 
1741         BT_DBG("%s bdaddr %pMR hcon %p", hdev->name, &cp->bdaddr, conn);
1742 
1743         if (status) {
1744                 if (conn && conn->state == BT_CONNECT) {
1745                         if (status != 0x0c || conn->attempt > 2) {
1746                                 conn->state = BT_CLOSED;
1747                                 hci_connect_cfm(conn, status);
1748                                 hci_conn_del(conn);
1749                         } else
1750                                 conn->state = BT_CONNECT2;
1751                 }
1752         } else {
1753                 if (!conn) {
1754                         conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr,
1755                                             HCI_ROLE_MASTER);
1756                         if (!conn)
1757                                 bt_dev_err(hdev, "no memory for new connection");
1758                 }
1759         }
1760 
1761         hci_dev_unlock(hdev);
1762 }
1763 
1764 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
1765 {
1766         struct hci_cp_add_sco *cp;
1767         struct hci_conn *acl, *sco;
1768         __u16 handle;
1769 
1770         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1771 
1772         if (!status)
1773                 return;
1774 
1775         cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
1776         if (!cp)
1777                 return;
1778 
1779         handle = __le16_to_cpu(cp->handle);
1780 
1781         BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1782 
1783         hci_dev_lock(hdev);
1784 
1785         acl = hci_conn_hash_lookup_handle(hdev, handle);
1786         if (acl) {
1787                 sco = acl->link;
1788                 if (sco) {
1789                         sco->state = BT_CLOSED;
1790 
1791                         hci_connect_cfm(sco, status);
1792                         hci_conn_del(sco);
1793                 }
1794         }
1795 
1796         hci_dev_unlock(hdev);
1797 }
1798 
1799 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
1800 {
1801         struct hci_cp_auth_requested *cp;
1802         struct hci_conn *conn;
1803 
1804         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1805 
1806         if (!status)
1807                 return;
1808 
1809         cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
1810         if (!cp)
1811                 return;
1812 
1813         hci_dev_lock(hdev);
1814 
1815         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1816         if (conn) {
1817                 if (conn->state == BT_CONFIG) {
1818                         hci_connect_cfm(conn, status);
1819                         hci_conn_drop(conn);
1820                 }
1821         }
1822 
1823         hci_dev_unlock(hdev);
1824 }
1825 
1826 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
1827 {
1828         struct hci_cp_set_conn_encrypt *cp;
1829         struct hci_conn *conn;
1830 
1831         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1832 
1833         if (!status)
1834                 return;
1835 
1836         cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
1837         if (!cp)
1838                 return;
1839 
1840         hci_dev_lock(hdev);
1841 
1842         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1843         if (conn) {
1844                 if (conn->state == BT_CONFIG) {
1845                         hci_connect_cfm(conn, status);
1846                         hci_conn_drop(conn);
1847                 }
1848         }
1849 
1850         hci_dev_unlock(hdev);
1851 }
1852 
1853 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
1854                                     struct hci_conn *conn)
1855 {
1856         if (conn->state != BT_CONFIG || !conn->out)
1857                 return 0;
1858 
1859         if (conn->pending_sec_level == BT_SECURITY_SDP)
1860                 return 0;
1861 
1862         /* Only request authentication for SSP connections or non-SSP
1863          * devices with sec_level MEDIUM or HIGH or if MITM protection
1864          * is requested.
1865          */
1866         if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
1867             conn->pending_sec_level != BT_SECURITY_FIPS &&
1868             conn->pending_sec_level != BT_SECURITY_HIGH &&
1869             conn->pending_sec_level != BT_SECURITY_MEDIUM)
1870                 return 0;
1871 
1872         return 1;
1873 }
1874 
1875 static int hci_resolve_name(struct hci_dev *hdev,
1876                                    struct inquiry_entry *e)
1877 {
1878         struct hci_cp_remote_name_req cp;
1879 
1880         memset(&cp, 0, sizeof(cp));
1881 
1882         bacpy(&cp.bdaddr, &e->data.bdaddr);
1883         cp.pscan_rep_mode = e->data.pscan_rep_mode;
1884         cp.pscan_mode = e->data.pscan_mode;
1885         cp.clock_offset = e->data.clock_offset;
1886 
1887         return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
1888 }
1889 
1890 static bool hci_resolve_next_name(struct hci_dev *hdev)
1891 {
1892         struct discovery_state *discov = &hdev->discovery;
1893         struct inquiry_entry *e;
1894 
1895         if (list_empty(&discov->resolve))
1896                 return false;
1897 
1898         e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
1899         if (!e)
1900                 return false;
1901 
1902         if (hci_resolve_name(hdev, e) == 0) {
1903                 e->name_state = NAME_PENDING;
1904                 return true;
1905         }
1906 
1907         return false;
1908 }
1909 
1910 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
1911                                    bdaddr_t *bdaddr, u8 *name, u8 name_len)
1912 {
1913         struct discovery_state *discov = &hdev->discovery;
1914         struct inquiry_entry *e;
1915 
1916         /* Update the mgmt connected state if necessary. Be careful with
1917          * conn objects that exist but are not (yet) connected however.
1918          * Only those in BT_CONFIG or BT_CONNECTED states can be
1919          * considered connected.
1920          */
1921         if (conn &&
1922             (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) &&
1923             !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
1924                 mgmt_device_connected(hdev, conn, 0, name, name_len);
1925 
1926         if (discov->state == DISCOVERY_STOPPED)
1927                 return;
1928 
1929         if (discov->state == DISCOVERY_STOPPING)
1930                 goto discov_complete;
1931 
1932         if (discov->state != DISCOVERY_RESOLVING)
1933                 return;
1934 
1935         e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
1936         /* If the device was not found in a list of found devices names of which
1937          * are pending. there is no need to continue resolving a next name as it
1938          * will be done upon receiving another Remote Name Request Complete
1939          * Event */
1940         if (!e)
1941                 return;
1942 
1943         list_del(&e->list);
1944         if (name) {
1945                 e->name_state = NAME_KNOWN;
1946                 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,
1947                                  e->data.rssi, name, name_len);
1948         } else {
1949                 e->name_state = NAME_NOT_KNOWN;
1950         }
1951 
1952         if (hci_resolve_next_name(hdev))
1953                 return;
1954 
1955 discov_complete:
1956         hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1957 }
1958 
1959 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
1960 {
1961         struct hci_cp_remote_name_req *cp;
1962         struct hci_conn *conn;
1963 
1964         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1965 
1966         /* If successful wait for the name req complete event before
1967          * checking for the need to do authentication */
1968         if (!status)
1969                 return;
1970 
1971         cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
1972         if (!cp)
1973                 return;
1974 
1975         hci_dev_lock(hdev);
1976 
1977         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1978 
1979         if (hci_dev_test_flag(hdev, HCI_MGMT))
1980                 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
1981 
1982         if (!conn)
1983                 goto unlock;
1984 
1985         if (!hci_outgoing_auth_needed(hdev, conn))
1986                 goto unlock;
1987 
1988         if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
1989                 struct hci_cp_auth_requested auth_cp;
1990 
1991                 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
1992 
1993                 auth_cp.handle = __cpu_to_le16(conn->handle);
1994                 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
1995                              sizeof(auth_cp), &auth_cp);
1996         }
1997 
1998 unlock:
1999         hci_dev_unlock(hdev);
2000 }
2001 
2002 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
2003 {
2004         struct hci_cp_read_remote_features *cp;
2005         struct hci_conn *conn;
2006 
2007         BT_DBG("%s status 0x%2.2x", hdev->name, status);
2008 
2009         if (!status)
2010                 return;
2011 
2012         cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
2013         if (!cp)
2014                 return;
2015 
2016         hci_dev_lock(hdev);
2017 
2018         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2019         if (conn) {
2020                 if (conn->state == BT_CONFIG) {
2021                         hci_connect_cfm(conn, status);
2022                         hci_conn_drop(conn);
2023                 }
2024         }
2025 
2026         hci_dev_unlock(hdev);
2027 }
2028 
2029 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
2030 {
2031         struct hci_cp_read_remote_ext_features *cp;
2032         struct hci_conn *conn;
2033 
2034         BT_DBG("%s status 0x%2.2x", hdev->name, status);
2035 
2036         if (!status)
2037                 return;
2038 
2039         cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
2040         if (!cp)
2041                 return;
2042 
2043         hci_dev_lock(hdev);
2044 
2045         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2046         if (conn) {
2047                 if (conn->state == BT_CONFIG) {
2048                         hci_connect_cfm(conn, status);
2049                         hci_conn_drop(conn);
2050                 }
2051         }
2052 
2053         hci_dev_unlock(hdev);
2054 }
2055 
2056 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2057 {
2058         struct hci_cp_setup_sync_conn *cp;
2059         struct hci_conn *acl, *sco;
2060         __u16 handle;
2061 
2062         BT_DBG("%s status 0x%2.2x", hdev->name, status);
2063 
2064         if (!status)
2065                 return;
2066 
2067         cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
2068         if (!cp)
2069                 return;
2070 
2071         handle = __le16_to_cpu(cp->handle);
2072 
2073         BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
2074 
2075         hci_dev_lock(hdev);
2076 
2077         acl = hci_conn_hash_lookup_handle(hdev, handle);
2078         if (acl) {
2079                 sco = acl->link;
2080                 if (sco) {
2081                         sco->state = BT_CLOSED;
2082 
2083                         hci_connect_cfm(sco, status);
2084                         hci_conn_del(sco);
2085                 }
2086         }
2087 
2088         hci_dev_unlock(hdev);
2089 }
2090 
2091 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
2092 {
2093         struct hci_cp_sniff_mode *cp;
2094         struct hci_conn *conn;
2095 
2096         BT_DBG("%s status 0x%2.2x", hdev->name, status);
2097 
2098         if (!status)
2099                 return;
2100 
2101         cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
2102         if (!cp)
2103                 return;
2104 
2105         hci_dev_lock(hdev);
2106 
2107         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2108         if (conn) {
2109                 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2110 
2111                 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2112                         hci_sco_setup(conn, status);
2113         }
2114 
2115         hci_dev_unlock(hdev);
2116 }
2117 
2118 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
2119 {
2120         struct hci_cp_exit_sniff_mode *cp;
2121         struct hci_conn *conn;
2122 
2123         BT_DBG("%s status 0x%2.2x", hdev->name, status);
2124 
2125         if (!status)
2126                 return;
2127 
2128         cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
2129         if (!cp)
2130                 return;
2131 
2132         hci_dev_lock(hdev);
2133 
2134         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2135         if (conn) {
2136                 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2137 
2138                 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2139                         hci_sco_setup(conn, status);
2140         }
2141 
2142         hci_dev_unlock(hdev);
2143 }
2144 
2145 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
2146 {
2147         struct hci_cp_disconnect *cp;
2148         struct hci_conn *conn;
2149 
2150         if (!status)
2151                 return;
2152 
2153         cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
2154         if (!cp)
2155                 return;
2156 
2157         hci_dev_lock(hdev);
2158 
2159         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2160         if (conn)
2161                 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2162                                        conn->dst_type, status);
2163 
2164         hci_dev_unlock(hdev);
2165 }
2166 
2167 static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr,
2168                               u8 peer_addr_type, u8 own_address_type,
2169                               u8 filter_policy)
2170 {
2171         struct hci_conn *conn;
2172 
2173         conn = hci_conn_hash_lookup_le(hdev, peer_addr,
2174                                        peer_addr_type);
2175         if (!conn)
2176                 return;
2177 
2178         /* Store the initiator and responder address information which
2179          * is needed for SMP. These values will not change during the
2180          * lifetime of the connection.
2181          */
2182         conn->init_addr_type = own_address_type;
2183         if (own_address_type == ADDR_LE_DEV_RANDOM)
2184                 bacpy(&conn->init_addr, &hdev->random_addr);
2185         else
2186                 bacpy(&conn->init_addr, &hdev->bdaddr);
2187 
2188         conn->resp_addr_type = peer_addr_type;
2189         bacpy(&conn->resp_addr, peer_addr);
2190 
2191         /* We don't want the connection attempt to stick around
2192          * indefinitely since LE doesn't have a page timeout concept
2193          * like BR/EDR. Set a timer for any connection that doesn't use
2194          * the white list for connecting.
2195          */
2196         if (filter_policy == HCI_LE_USE_PEER_ADDR)
2197                 queue_delayed_work(conn->hdev->workqueue,
2198                                    &conn->le_conn_timeout,
2199                                    conn->conn_timeout);
2200 }
2201 
2202 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
2203 {
2204         struct hci_cp_le_create_conn *cp;
2205 
2206         BT_DBG("%s status 0x%2.2x", hdev->name, status);
2207 
2208         /* All connection failure handling is taken care of by the
2209          * hci_le_conn_failed function which is triggered by the HCI
2210          * request completion callbacks used for connecting.
2211          */
2212         if (status)
2213                 return;
2214 
2215         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
2216         if (!cp)
2217                 return;
2218 
2219         hci_dev_lock(hdev);
2220 
2221         cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2222                           cp->own_address_type, cp->filter_policy);
2223 
2224         hci_dev_unlock(hdev);
2225 }
2226 
2227 static void hci_cs_le_ext_create_conn(struct hci_dev *hdev, u8 status)
2228 {
2229         struct hci_cp_le_ext_create_conn *cp;
2230 
2231         BT_DBG("%s status 0x%2.2x", hdev->name, status);
2232 
2233         /* All connection failure handling is taken care of by the
2234          * hci_le_conn_failed function which is triggered by the HCI
2235          * request completion callbacks used for connecting.
2236          */
2237         if (status)
2238                 return;
2239 
2240         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_EXT_CREATE_CONN);
2241         if (!cp)
2242                 return;
2243 
2244         hci_dev_lock(hdev);
2245 
2246         cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2247                           cp->own_addr_type, cp->filter_policy);
2248 
2249         hci_dev_unlock(hdev);
2250 }
2251 
2252 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)
2253 {
2254         struct hci_cp_le_read_remote_features *cp;
2255         struct hci_conn *conn;
2256 
2257         BT_DBG("%s status 0x%2.2x", hdev->name, status);
2258 
2259         if (!status)
2260                 return;
2261 
2262         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);
2263         if (!cp)
2264                 return;
2265 
2266         hci_dev_lock(hdev);
2267 
2268         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2269         if (conn) {
2270                 if (conn->state == BT_CONFIG) {
2271                         hci_connect_cfm(conn, status);
2272                         hci_conn_drop(conn);
2273                 }
2274         }
2275 
2276         hci_dev_unlock(hdev);
2277 }
2278 
2279 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
2280 {
2281         struct hci_cp_le_start_enc *cp;
2282         struct hci_conn *conn;
2283 
2284         BT_DBG("%s status 0x%2.2x", hdev->name, status);
2285 
2286         if (!status)
2287                 return;
2288 
2289         hci_dev_lock(hdev);
2290 
2291         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
2292         if (!cp)
2293                 goto unlock;
2294 
2295         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2296         if (!conn)
2297                 goto unlock;
2298 
2299         if (conn->state != BT_CONNECTED)
2300                 goto unlock;
2301 
2302         hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2303         hci_conn_drop(conn);
2304 
2305 unlock:
2306         hci_dev_unlock(hdev);
2307 }
2308 
2309 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
2310 {
2311         struct hci_cp_switch_role *cp;
2312         struct hci_conn *conn;
2313 
2314         BT_DBG("%s status 0x%2.2x", hdev->name, status);
2315 
2316         if (!status)
2317                 return;
2318 
2319         cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
2320         if (!cp)
2321                 return;
2322 
2323         hci_dev_lock(hdev);
2324 
2325         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2326         if (conn)
2327                 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
2328 
2329         hci_dev_unlock(hdev);
2330 }
2331 
2332 static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2333 {
2334         __u8 status = *((__u8 *) skb->data);
2335         struct discovery_state *discov = &hdev->discovery;
2336         struct inquiry_entry *e;
2337 
2338         BT_DBG("%s status 0x%2.2x", hdev->name, status);
2339 
2340         hci_conn_check_pending(hdev);
2341 
2342         if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
2343                 return;
2344 
2345         smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
2346         wake_up_bit(&hdev->flags, HCI_INQUIRY);
2347 
2348         if (!hci_dev_test_flag(hdev, HCI_MGMT))
2349                 return;
2350 
2351         hci_dev_lock(hdev);
2352 
2353         if (discov->state != DISCOVERY_FINDING)
2354                 goto unlock;
2355 
2356         if (list_empty(&discov->resolve)) {
2357                 /* When BR/EDR inquiry is active and no LE scanning is in
2358                  * progress, then change discovery state to indicate completion.
2359                  *
2360                  * When running LE scanning and BR/EDR inquiry simultaneously
2361                  * and the LE scan already finished, then change the discovery
2362                  * state to indicate completion.
2363                  */
2364                 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2365                     !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2366                         hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2367                 goto unlock;
2368         }
2369 
2370         e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2371         if (e && hci_resolve_name(hdev, e) == 0) {
2372                 e->name_state = NAME_PENDING;
2373                 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
2374         } else {
2375                 /* When BR/EDR inquiry is active and no LE scanning is in
2376                  * progress, then change discovery state to indicate completion.
2377                  *
2378                  * When running LE scanning and BR/EDR inquiry simultaneously
2379                  * and the LE scan already finished, then change the discovery
2380                  * state to indicate completion.
2381                  */
2382                 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2383                     !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2384                         hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2385         }
2386 
2387 unlock:
2388         hci_dev_unlock(hdev);
2389 }
2390 
2391 static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
2392 {
2393         struct inquiry_data data;
2394         struct inquiry_info *info = (void *) (skb->data + 1);
2395         int num_rsp = *((__u8 *) skb->data);
2396 
2397         BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
2398 
2399         if (!num_rsp)
2400                 return;
2401 
2402         if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
2403                 return;
2404 
2405         hci_dev_lock(hdev);
2406 
2407         for (; num_rsp; num_rsp--, info++) {
2408                 u32 flags;
2409 
2410                 bacpy(&data.bdaddr, &info->bdaddr);
2411                 data.pscan_rep_mode     = info->pscan_rep_mode;
2412                 data.pscan_period_mode  = info->pscan_period_mode;
2413                 data.pscan_mode         = info->pscan_mode;
2414                 memcpy(data.dev_class, info->dev_class, 3);
2415                 data.clock_offset       = info->clock_offset;
2416                 data.rssi               = HCI_RSSI_INVALID;
2417                 data.ssp_mode           = 0x00;
2418 
2419                 flags = hci_inquiry_cache_update(hdev, &data, false);
2420 
2421                 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
2422                                   info->dev_class, HCI_RSSI_INVALID,
2423                                   flags, NULL, 0, NULL, 0);
2424         }
2425 
2426         hci_dev_unlock(hdev);
2427 }
2428 
2429 static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2430 {
2431         struct hci_ev_conn_complete *ev = (void *) skb->data;
2432         struct hci_conn *conn;
2433 
2434         BT_DBG("%s", hdev->name);
2435 
2436         hci_dev_lock(hdev);
2437 
2438         conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
2439         if (!conn) {
2440                 if (ev->link_type != SCO_LINK)
2441                         goto unlock;
2442 
2443                 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
2444                 if (!conn)
2445                         goto unlock;
2446 
2447                 conn->type = SCO_LINK;
2448         }
2449 
2450         if (!ev->status) {
2451                 conn->handle = __le16_to_cpu(ev->handle);
2452 
2453                 if (conn->type == ACL_LINK) {
2454                         conn->state = BT_CONFIG;
2455                         hci_conn_hold(conn);
2456 
2457                         if (!conn->out && !hci_conn_ssp_enabled(conn) &&
2458                             !hci_find_link_key(hdev, &ev->bdaddr))
2459                                 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
2460                         else
2461                                 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2462                 } else
2463                         conn->state = BT_CONNECTED;
2464 
2465                 hci_debugfs_create_conn(conn);
2466                 hci_conn_add_sysfs(conn);
2467 
2468                 if (test_bit(HCI_AUTH, &hdev->flags))
2469                         set_bit(HCI_CONN_AUTH, &conn->flags);
2470 
2471                 if (test_bit(HCI_ENCRYPT, &hdev->flags))
2472                         set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2473 
2474                 /* Get remote features */
2475                 if (conn->type == ACL_LINK) {
2476                         struct hci_cp_read_remote_features cp;
2477                         cp.handle = ev->handle;
2478                         hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
2479                                      sizeof(cp), &cp);
2480 
2481                         hci_req_update_scan(hdev);
2482                 }
2483 
2484                 /* Set packet type for incoming connection */
2485                 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
2486                         struct hci_cp_change_conn_ptype cp;
2487                         cp.handle = ev->handle;
2488                         cp.pkt_type = cpu_to_le16(conn->pkt_type);
2489                         hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
2490                                      &cp);
2491                 }
2492         } else {
2493                 conn->state = BT_CLOSED;
2494                 if (conn->type == ACL_LINK)
2495                         mgmt_connect_failed(hdev, &conn->dst, conn->type,
2496                                             conn->dst_type, ev->status);
2497         }
2498 
2499         if (conn->type == ACL_LINK)
2500                 hci_sco_setup(conn, ev->status);
2501 
2502         if (ev->status) {
2503                 hci_connect_cfm(conn, ev->status);
2504                 hci_conn_del(conn);
2505         } else if (ev->link_type != ACL_LINK)
2506                 hci_connect_cfm(conn, ev->status);
2507 
2508 unlock:
2509         hci_dev_unlock(hdev);
2510 
2511         hci_conn_check_pending(hdev);
2512 }
2513 
2514 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
2515 {
2516         struct hci_cp_reject_conn_req cp;
2517 
2518         bacpy(&cp.bdaddr, bdaddr);
2519         cp.reason = HCI_ERROR_REJ_BAD_ADDR;
2520         hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
2521 }
2522 
2523 static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2524 {
2525         struct hci_ev_conn_request *ev = (void *) skb->data;
2526         int mask = hdev->link_mode;
2527         struct inquiry_entry *ie;
2528         struct hci_conn *conn;
2529         __u8 flags = 0;
2530 
2531         BT_DBG("%s bdaddr %pMR type 0x%x", hdev->name, &ev->bdaddr,
2532                ev->link_type);
2533 
2534         mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
2535                                       &flags);
2536 
2537         if (!(mask & HCI_LM_ACCEPT)) {
2538                 hci_reject_conn(hdev, &ev->bdaddr);
2539                 return;
2540         }
2541 
2542         if (hci_bdaddr_list_lookup(&hdev->blacklist, &ev->bdaddr,
2543                                    BDADDR_BREDR)) {
2544                 hci_reject_conn(hdev, &ev->bdaddr);
2545                 return;
2546         }
2547 
2548         /* Require HCI_CONNECTABLE or a whitelist entry to accept the
2549          * connection. These features are only touched through mgmt so
2550          * only do the checks if HCI_MGMT is set.
2551          */
2552         if (hci_dev_test_flag(hdev, HCI_MGMT) &&
2553             !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
2554             !hci_bdaddr_list_lookup(&hdev->whitelist, &ev->bdaddr,
2555                                     BDADDR_BREDR)) {
2556                     hci_reject_conn(hdev, &ev->bdaddr);
2557                     return;
2558         }
2559 
2560         /* Connection accepted */
2561 
2562         hci_dev_lock(hdev);
2563 
2564         ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
2565         if (ie)
2566                 memcpy(ie->data.dev_class, ev->dev_class, 3);
2567 
2568         conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
2569                         &ev->bdaddr);
2570         if (!conn) {
2571                 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,
2572                                     HCI_ROLE_SLAVE);
2573                 if (!conn) {
2574                         bt_dev_err(hdev, "no memory for new connection");
2575                         hci_dev_unlock(hdev);
2576                         return;
2577                 }
2578         }
2579 
2580         memcpy(conn->dev_class, ev->dev_class, 3);
2581 
2582         hci_dev_unlock(hdev);
2583 
2584         if (ev->link_type == ACL_LINK ||
2585             (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
2586                 struct hci_cp_accept_conn_req cp;
2587                 conn->state = BT_CONNECT;
2588 
2589                 bacpy(&cp.bdaddr, &ev->bdaddr);
2590 
2591                 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
2592                         cp.role = 0x00; /* Become master */
2593                 else
2594                         cp.role = 0x01; /* Remain slave */
2595 
2596                 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
2597         } else if (!(flags & HCI_PROTO_DEFER)) {
2598                 struct hci_cp_accept_sync_conn_req cp;
2599                 conn->state = BT_CONNECT;
2600 
2601                 bacpy(&cp.bdaddr, &ev->bdaddr);
2602                 cp.pkt_type = cpu_to_le16(conn->pkt_type);
2603 
2604                 cp.tx_bandwidth   = cpu_to_le32(0x00001f40);
2605                 cp.rx_bandwidth   = cpu_to_le32(0x00001f40);
2606                 cp.max_latency    = cpu_to_le16(0xffff);
2607                 cp.content_format = cpu_to_le16(hdev->voice_setting);
2608                 cp.retrans_effort = 0xff;
2609 
2610                 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
2611                              &cp);
2612         } else {
2613                 conn->state = BT_CONNECT2;
2614                 hci_connect_cfm(conn, 0);
2615         }
2616 }
2617 
2618 static u8 hci_to_mgmt_reason(u8 err)
2619 {
2620         switch (err) {
2621         case HCI_ERROR_CONNECTION_TIMEOUT:
2622                 return MGMT_DEV_DISCONN_TIMEOUT;
2623         case HCI_ERROR_REMOTE_USER_TERM:
2624         case HCI_ERROR_REMOTE_LOW_RESOURCES:
2625         case HCI_ERROR_REMOTE_POWER_OFF:
2626                 return MGMT_DEV_DISCONN_REMOTE;
2627         case HCI_ERROR_LOCAL_HOST_TERM:
2628                 return MGMT_DEV_DISCONN_LOCAL_HOST;
2629         default:
2630                 return MGMT_DEV_DISCONN_UNKNOWN;
2631         }
2632 }
2633 
2634 static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2635 {
2636         struct hci_ev_disconn_complete *ev = (void *) skb->data;
2637         u8 reason;
2638         struct hci_conn_params *params;
2639         struct hci_conn *conn;
2640         bool mgmt_connected;
2641         u8 type;
2642 
2643         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2644 
2645         hci_dev_lock(hdev);
2646 
2647         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2648         if (!conn)
2649                 goto unlock;
2650 
2651         if (ev->status) {
2652                 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2653                                        conn->dst_type, ev->status);
2654                 goto unlock;
2655         }
2656 
2657         conn->state = BT_CLOSED;
2658 
2659         mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2660 
2661         if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags))
2662                 reason = MGMT_DEV_DISCONN_AUTH_FAILURE;
2663         else
2664                 reason = hci_to_mgmt_reason(ev->reason);
2665 
2666         mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2667                                 reason, mgmt_connected);
2668 
2669         if (conn->type == ACL_LINK) {
2670                 if (test_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2671                         hci_remove_link_key(hdev, &conn->dst);
2672 
2673                 hci_req_update_scan(hdev);
2674         }
2675 
2676         params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2677         if (params) {
2678                 switch (params->auto_connect) {
2679                 case HCI_AUTO_CONN_LINK_LOSS:
2680                         if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2681                                 break;
2682                         /* Fall through */
2683 
2684                 case HCI_AUTO_CONN_DIRECT:
2685                 case HCI_AUTO_CONN_ALWAYS:
2686                         list_del_init(&params->action);
2687                         list_add(&params->action, &hdev->pend_le_conns);
2688                         hci_update_background_scan(hdev);
2689                         break;
2690 
2691                 default:
2692                         break;
2693                 }
2694         }
2695 
2696         type = conn->type;
2697 
2698         hci_disconn_cfm(conn, ev->reason);
2699         hci_conn_del(conn);
2700 
2701         /* Re-enable advertising if necessary, since it might
2702          * have been disabled by the connection. From the
2703          * HCI_LE_Set_Advertise_Enable command description in
2704          * the core specification (v4.0):
2705          * "The Controller shall continue advertising until the Host
2706          * issues an LE_Set_Advertise_Enable command with
2707          * Advertising_Enable set to 0x00 (Advertising is disabled)
2708          * or until a connection is created or until the Advertising
2709          * is timed out due to Directed Advertising."
2710          */
2711         if (type == LE_LINK)
2712                 hci_req_reenable_advertising(hdev);
2713 
2714 unlock:
2715         hci_dev_unlock(hdev);
2716 }
2717 
2718 static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2719 {
2720         struct hci_ev_auth_complete *ev = (void *) skb->data;
2721         struct hci_conn *conn;
2722 
2723         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2724 
2725         hci_dev_lock(hdev);
2726 
2727         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2728         if (!conn)
2729                 goto unlock;
2730 
2731         if (!ev->status) {
2732                 clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
2733 
2734                 if (!hci_conn_ssp_enabled(conn) &&
2735                     test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) {
2736                         bt_dev_info(hdev, "re-auth of legacy device is not possible.");
2737                 } else {
2738                         set_bit(HCI_CONN_AUTH, &conn->flags);
2739                         conn->sec_level = conn->pending_sec_level;
2740                 }
2741         } else {
2742                 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
2743                         set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
2744 
2745                 mgmt_auth_failed(conn, ev->status);
2746         }
2747 
2748         clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2749         clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
2750 
2751         if (conn->state == BT_CONFIG) {
2752                 if (!ev->status && hci_conn_ssp_enabled(conn)) {
2753                         struct hci_cp_set_conn_encrypt cp;
2754                         cp.handle  = ev->handle;
2755                         cp.encrypt = 0x01;
2756                         hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2757                                      &cp);
2758                 } else {
2759                         conn->state = BT_CONNECTED;
2760                         hci_connect_cfm(conn, ev->status);
2761                         hci_conn_drop(conn);
2762                 }
2763         } else {
2764                 hci_auth_cfm(conn, ev->status);
2765 
2766                 hci_conn_hold(conn);
2767                 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2768                 hci_conn_drop(conn);
2769         }
2770 
2771         if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2772                 if (!ev->status) {
2773                         struct hci_cp_set_conn_encrypt cp;
2774                         cp.handle  = ev->handle;
2775                         cp.encrypt = 0x01;
2776                         hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2777                                      &cp);
2778                 } else {
2779                         clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2780                         hci_encrypt_cfm(conn, ev->status, 0x00);
2781                 }
2782         }
2783 
2784 unlock:
2785         hci_dev_unlock(hdev);
2786 }
2787 
2788 static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb)
2789 {
2790         struct hci_ev_remote_name *ev = (void *) skb->data;
2791         struct hci_conn *conn;
2792 
2793         BT_DBG("%s", hdev->name);
2794 
2795         hci_conn_check_pending(hdev);
2796 
2797         hci_dev_lock(hdev);
2798 
2799         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2800 
2801         if (!hci_dev_test_flag(hdev, HCI_MGMT))
2802                 goto check_auth;
2803 
2804         if (ev->status == 0)
2805                 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
2806                                        strnlen(ev->name, HCI_MAX_NAME_LENGTH));
2807         else
2808                 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
2809 
2810 check_auth:
2811         if (!conn)
2812                 goto unlock;
2813 
2814         if (!hci_outgoing_auth_needed(hdev, conn))
2815                 goto unlock;
2816 
2817         if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2818                 struct hci_cp_auth_requested cp;
2819 
2820                 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2821 
2822                 cp.handle = __cpu_to_le16(conn->handle);
2823                 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
2824         }
2825 
2826 unlock:
2827         hci_dev_unlock(hdev);
2828 }
2829 
2830 static void read_enc_key_size_complete(struct hci_dev *hdev, u8 status,
2831                                        u16 opcode, struct sk_buff *skb)
2832 {
2833         const struct hci_rp_read_enc_key_size *rp;
2834         struct hci_conn *conn;
2835         u16 handle;
2836 
2837         BT_DBG("%s status 0x%02x", hdev->name, status);
2838 
2839         if (!skb || skb->len < sizeof(*rp)) {
2840                 bt_dev_err(hdev, "invalid read key size response");
2841                 return;
2842         }
2843 
2844         rp = (void *)skb->data;
2845         handle = le16_to_cpu(rp->handle);
2846 
2847         hci_dev_lock(hdev);
2848 
2849         conn = hci_conn_hash_lookup_handle(hdev, handle);
2850         if (!conn)
2851                 goto unlock;
2852 
2853         /* If we fail to read the encryption key size, assume maximum
2854          * (which is the same we do also when this HCI command isn't
2855          * supported.
2856          */
2857         if (rp->status) {
2858                 bt_dev_err(hdev, "failed to read key size for handle %u",
2859                            handle);
2860                 conn->enc_key_size = HCI_LINK_KEY_SIZE;
2861         } else {
2862                 conn->enc_key_size = rp->key_size;
2863         }
2864 
2865         if (conn->state == BT_CONFIG) {
2866                 conn->state = BT_CONNECTED;
2867                 hci_connect_cfm(conn, 0);
2868                 hci_conn_drop(conn);
2869         } else {
2870                 u8 encrypt;
2871 
2872                 if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2873                         encrypt = 0x00;
2874                 else if (test_bit(HCI_CONN_AES_CCM, &conn->flags))
2875                         encrypt = 0x02;
2876                 else
2877                         encrypt = 0x01;
2878 
2879                 hci_encrypt_cfm(conn, 0, encrypt);
2880         }
2881 
2882 unlock:
2883         hci_dev_unlock(hdev);
2884 }
2885 
2886 static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2887 {
2888         struct hci_ev_encrypt_change *ev = (void *) skb->data;
2889         struct hci_conn *conn;
2890 
2891         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2892 
2893         hci_dev_lock(hdev);
2894 
2895         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2896         if (!conn)
2897                 goto unlock;
2898 
2899         if (!ev->status) {
2900                 if (ev->encrypt) {
2901                         /* Encryption implies authentication */
2902                         set_bit(HCI_CONN_AUTH, &conn->flags);
2903                         set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2904                         conn->sec_level = conn->pending_sec_level;
2905 
2906                         /* P-256 authentication key implies FIPS */
2907                         if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
2908                                 set_bit(HCI_CONN_FIPS, &conn->flags);
2909 
2910                         if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
2911                             conn->type == LE_LINK)
2912                                 set_bit(HCI_CONN_AES_CCM, &conn->flags);
2913                 } else {
2914                         clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
2915                         clear_bit(HCI_CONN_AES_CCM, &conn->flags);
2916                 }
2917         }
2918 
2919         /* We should disregard the current RPA and generate a new one
2920          * whenever the encryption procedure fails.
2921          */
2922         if (ev->status && conn->type == LE_LINK) {
2923                 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
2924                 hci_adv_instances_set_rpa_expired(hdev, true);
2925         }
2926 
2927         clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2928 
2929         if (ev->status && conn->state == BT_CONNECTED) {
2930                 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
2931                         set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
2932 
2933                 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2934                 hci_conn_drop(conn);
2935                 goto unlock;
2936         }
2937 
2938         /* In Secure Connections Only mode, do not allow any connections
2939          * that are not encrypted with AES-CCM using a P-256 authenticated
2940          * combination key.
2941          */
2942         if (hci_dev_test_flag(hdev, HCI_SC_ONLY) &&
2943             (!test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
2944              conn->key_type != HCI_LK_AUTH_COMBINATION_P256)) {
2945                 hci_connect_cfm(conn, HCI_ERROR_AUTH_FAILURE);
2946                 hci_conn_drop(conn);
2947                 goto unlock;
2948         }
2949 
2950         /* Try reading the encryption key size for encrypted ACL links */
2951         if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
2952                 struct hci_cp_read_enc_key_size cp;
2953                 struct hci_request req;
2954 
2955                 /* Only send HCI_Read_Encryption_Key_Size if the
2956                  * controller really supports it. If it doesn't, assume
2957                  * the default size (16).
2958                  */
2959                 if (!(hdev->commands[20] & 0x10)) {
2960                         conn->enc_key_size = HCI_LINK_KEY_SIZE;
2961                         goto notify;
2962                 }
2963 
2964                 hci_req_init(&req, hdev);
2965 
2966                 cp.handle = cpu_to_le16(conn->handle);
2967                 hci_req_add(&req, HCI_OP_READ_ENC_KEY_SIZE, sizeof(cp), &cp);
2968 
2969                 if (hci_req_run_skb(&req, read_enc_key_size_complete)) {
2970                         bt_dev_err(hdev, "sending read key size failed");
2971                         conn->enc_key_size = HCI_LINK_KEY_SIZE;
2972                         goto notify;
2973                 }
2974 
2975                 goto unlock;
2976         }
2977 
2978 notify:
2979         if (conn->state == BT_CONFIG) {
2980                 if (!ev->status)
2981                         conn->state = BT_CONNECTED;
2982 
2983                 hci_connect_cfm(conn, ev->status);
2984                 hci_conn_drop(conn);
2985         } else
2986                 hci_encrypt_cfm(conn, ev->status, ev->encrypt);
2987 
2988 unlock:
2989         hci_dev_unlock(hdev);
2990 }
2991 
2992 static void hci_change_link_key_complete_evt(struct hci_dev *hdev,
2993                                              struct sk_buff *skb)
2994 {
2995         struct hci_ev_change_link_key_complete *ev = (void *) skb->data;
2996         struct hci_conn *conn;
2997 
2998         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2999 
3000         hci_dev_lock(hdev);
3001 
3002         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3003         if (conn) {
3004                 if (!ev->status)
3005                         set_bit(HCI_CONN_SECURE, &conn->flags);
3006 
3007                 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3008 
3009                 hci_key_change_cfm(conn, ev->status);
3010         }
3011 
3012         hci_dev_unlock(hdev);
3013 }
3014 
3015 static void hci_remote_features_evt(struct hci_dev *hdev,
3016                                     struct sk_buff *skb)
3017 {
3018         struct hci_ev_remote_features *ev = (void *) skb->data;
3019         struct hci_conn *conn;
3020 
3021         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3022 
3023         hci_dev_lock(hdev);
3024 
3025         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3026         if (!conn)
3027                 goto unlock;
3028 
3029         if (!ev->status)
3030                 memcpy(conn->features[0], ev->features, 8);
3031 
3032         if (conn->state != BT_CONFIG)
3033                 goto unlock;
3034 
3035         if (!ev->status && lmp_ext_feat_capable(hdev) &&
3036             lmp_ext_feat_capable(conn)) {
3037                 struct hci_cp_read_remote_ext_features cp;
3038                 cp.handle = ev->handle;
3039                 cp.page = 0x01;
3040                 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
3041                              sizeof(cp), &cp);
3042                 goto unlock;
3043         }
3044 
3045         if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3046                 struct hci_cp_remote_name_req cp;
3047                 memset(&cp, 0, sizeof(cp));
3048                 bacpy(&cp.bdaddr, &conn->dst);
3049                 cp.pscan_rep_mode = 0x02;
3050                 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3051         } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3052                 mgmt_device_connected(hdev, conn, 0, NULL, 0);
3053 
3054         if (!hci_outgoing_auth_needed(hdev, conn)) {
3055                 conn->state = BT_CONNECTED;
3056                 hci_connect_cfm(conn, ev->status);
3057                 hci_conn_drop(conn);
3058         }
3059 
3060 unlock:
3061         hci_dev_unlock(hdev);
3062 }
3063 
3064 static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb,
3065                                  u16 *opcode, u8 *status,
3066                                  hci_req_complete_t *req_complete,
3067                                  hci_req_complete_skb_t *req_complete_skb)
3068 {
3069         struct hci_ev_cmd_complete *ev = (void *) skb->data;
3070 
3071         *opcode = __le16_to_cpu(ev->opcode);
3072         *status = skb->data[sizeof(*ev)];
3073 
3074         skb_pull(skb, sizeof(*ev));
3075 
3076         switch (*opcode) {
3077         case HCI_OP_INQUIRY_CANCEL:
3078                 hci_cc_inquiry_cancel(hdev, skb);
3079                 break;
3080 
3081         case HCI_OP_PERIODIC_INQ:
3082                 hci_cc_periodic_inq(hdev, skb);
3083                 break;
3084 
3085         case HCI_OP_EXIT_PERIODIC_INQ:
3086                 hci_cc_exit_periodic_inq(hdev, skb);
3087                 break;
3088 
3089         case HCI_OP_REMOTE_NAME_REQ_CANCEL:
3090                 hci_cc_remote_name_req_cancel(hdev, skb);
3091                 break;
3092 
3093         case HCI_OP_ROLE_DISCOVERY:
3094                 hci_cc_role_discovery(hdev, skb);
3095                 break;
3096 
3097         case HCI_OP_READ_LINK_POLICY:
3098                 hci_cc_read_link_policy(hdev, skb);
3099                 break;
3100 
3101         case HCI_OP_WRITE_LINK_POLICY:
3102                 hci_cc_write_link_policy(hdev, skb);
3103                 break;
3104 
3105         case HCI_OP_READ_DEF_LINK_POLICY:
3106                 hci_cc_read_def_link_policy(hdev, skb);
3107                 break;
3108 
3109         case HCI_OP_WRITE_DEF_LINK_POLICY:
3110                 hci_cc_write_def_link_policy(hdev, skb);
3111                 break;
3112 
3113         case HCI_OP_RESET:
3114                 hci_cc_reset(hdev, skb);
3115                 break;
3116 
3117         case HCI_OP_READ_STORED_LINK_KEY:
3118                 hci_cc_read_stored_link_key(hdev, skb);
3119                 break;
3120 
3121         case HCI_OP_DELETE_STORED_LINK_KEY:
3122                 hci_cc_delete_stored_link_key(hdev, skb);
3123                 break;
3124 
3125         case HCI_OP_WRITE_LOCAL_NAME:
3126                 hci_cc_write_local_name(hdev, skb);
3127                 break;
3128 
3129         case HCI_OP_READ_LOCAL_NAME:
3130                 hci_cc_read_local_name(hdev, skb);
3131                 break;
3132 
3133         case HCI_OP_WRITE_AUTH_ENABLE:
3134                 hci_cc_write_auth_enable(hdev, skb);
3135                 break;
3136 
3137         case HCI_OP_WRITE_ENCRYPT_MODE:
3138                 hci_cc_write_encrypt_mode(hdev, skb);
3139                 break;
3140 
3141         case HCI_OP_WRITE_SCAN_ENABLE:
3142                 hci_cc_write_scan_enable(hdev, skb);
3143                 break;
3144 
3145         case HCI_OP_READ_CLASS_OF_DEV:
3146                 hci_cc_read_class_of_dev(hdev, skb);
3147                 break;
3148 
3149         case HCI_OP_WRITE_CLASS_OF_DEV:
3150                 hci_cc_write_class_of_dev(hdev, skb);
3151                 break;
3152 
3153         case HCI_OP_READ_VOICE_SETTING:
3154                 hci_cc_read_voice_setting(hdev, skb);
3155                 break;
3156 
3157         case HCI_OP_WRITE_VOICE_SETTING:
3158                 hci_cc_write_voice_setting(hdev, skb);
3159                 break;
3160 
3161         case HCI_OP_READ_NUM_SUPPORTED_IAC:
3162                 hci_cc_read_num_supported_iac(hdev, skb);
3163                 break;
3164 
3165         case HCI_OP_WRITE_SSP_MODE:
3166                 hci_cc_write_ssp_mode(hdev, skb);
3167                 break;
3168 
3169         case HCI_OP_WRITE_SC_SUPPORT:
3170                 hci_cc_write_sc_support(hdev, skb);
3171                 break;
3172 
3173         case HCI_OP_READ_LOCAL_VERSION:
3174                 hci_cc_read_local_version(hdev, skb);
3175                 break;
3176 
3177         case HCI_OP_READ_LOCAL_COMMANDS:
3178                 hci_cc_read_local_commands(hdev, skb);
3179                 break;
3180 
3181         case HCI_OP_READ_LOCAL_FEATURES:
3182                 hci_cc_read_local_features(hdev, skb);
3183                 break;
3184 
3185         case HCI_OP_READ_LOCAL_EXT_FEATURES:
3186                 hci_cc_read_local_ext_features(hdev, skb);
3187                 break;
3188 
3189         case HCI_OP_READ_BUFFER_SIZE:
3190                 hci_cc_read_buffer_size(hdev, skb);
3191                 break;
3192 
3193         case HCI_OP_READ_BD_ADDR:
3194                 hci_cc_read_bd_addr(hdev, skb);
3195                 break;
3196 
3197         case HCI_OP_READ_PAGE_SCAN_ACTIVITY:
3198                 hci_cc_read_page_scan_activity(hdev, skb);
3199                 break;
3200 
3201         case HCI_OP_WRITE_PAGE_SCAN_ACTIVITY:
3202                 hci_cc_write_page_scan_activity(hdev, skb);
3203                 break;
3204 
3205         case HCI_OP_READ_PAGE_SCAN_TYPE:
3206                 hci_cc_read_page_scan_type(hdev, skb);
3207                 break;
3208 
3209         case HCI_OP_WRITE_PAGE_SCAN_TYPE:
3210                 hci_cc_write_page_scan_type(hdev, skb);
3211                 break;
3212 
3213         case HCI_OP_READ_DATA_BLOCK_SIZE:
3214                 hci_cc_read_data_block_size(hdev, skb);
3215                 break;
3216 
3217         case HCI_OP_READ_FLOW_CONTROL_MODE:
3218                 hci_cc_read_flow_control_mode(hdev, skb);
3219                 break;
3220 
3221         case HCI_OP_READ_LOCAL_AMP_INFO:
3222                 hci_cc_read_local_amp_info(hdev, skb);
3223                 break;
3224 
3225         case HCI_OP_READ_CLOCK:
3226                 hci_cc_read_clock(hdev, skb);
3227                 break;
3228 
3229         case HCI_OP_READ_INQ_RSP_TX_POWER:
3230                 hci_cc_read_inq_rsp_tx_power(hdev, skb);
3231                 break;
3232 
3233         case HCI_OP_PIN_CODE_REPLY:
3234                 hci_cc_pin_code_reply(hdev, skb);
3235                 break;
3236 
3237         case HCI_OP_PIN_CODE_NEG_REPLY:
3238                 hci_cc_pin_code_neg_reply(hdev, skb);
3239                 break;
3240 
3241         case HCI_OP_READ_LOCAL_OOB_DATA:
3242                 hci_cc_read_local_oob_data(hdev, skb);
3243                 break;
3244 
3245         case HCI_OP_READ_LOCAL_OOB_EXT_DATA:
3246                 hci_cc_read_local_oob_ext_data(hdev, skb);
3247                 break;
3248 
3249         case HCI_OP_LE_READ_BUFFER_SIZE:
3250                 hci_cc_le_read_buffer_size(hdev, skb);
3251                 break;
3252 
3253         case HCI_OP_LE_READ_LOCAL_FEATURES:
3254                 hci_cc_le_read_local_features(hdev, skb);
3255                 break;
3256 
3257         case HCI_OP_LE_READ_ADV_TX_POWER:
3258                 hci_cc_le_read_adv_tx_power(hdev, skb);
3259                 break;
3260 
3261         case HCI_OP_USER_CONFIRM_REPLY:
3262                 hci_cc_user_confirm_reply(hdev, skb);
3263                 break;
3264 
3265         case HCI_OP_USER_CONFIRM_NEG_REPLY:
3266                 hci_cc_user_confirm_neg_reply(hdev, skb);
3267                 break;
3268 
3269         case HCI_OP_USER_PASSKEY_REPLY:
3270                 hci_cc_user_passkey_reply(hdev, skb);
3271                 break;
3272 
3273         case HCI_OP_USER_PASSKEY_NEG_REPLY:
3274                 hci_cc_user_passkey_neg_reply(hdev, skb);
3275                 break;
3276 
3277         case HCI_OP_LE_SET_RANDOM_ADDR:
3278                 hci_cc_le_set_random_addr(hdev, skb);
3279                 break;
3280 
3281         case HCI_OP_LE_SET_ADV_ENABLE:
3282                 hci_cc_le_set_adv_enable(hdev, skb);
3283                 break;
3284 
3285         case HCI_OP_LE_SET_SCAN_PARAM:
3286                 hci_cc_le_set_scan_param(hdev, skb);
3287                 break;
3288 
3289         case HCI_OP_LE_SET_SCAN_ENABLE:
3290                 hci_cc_le_set_scan_enable(hdev, skb);
3291                 break;
3292 
3293         case HCI_OP_LE_READ_WHITE_LIST_SIZE:
3294                 hci_cc_le_read_white_list_size(hdev, skb);
3295                 break;
3296 
3297         case HCI_OP_LE_CLEAR_WHITE_LIST:
3298                 hci_cc_le_clear_white_list(hdev, skb);
3299                 break;
3300 
3301         case HCI_OP_LE_ADD_TO_WHITE_LIST:
3302                 hci_cc_le_add_to_white_list(hdev, skb);
3303                 break;
3304 
3305         case HCI_OP_LE_DEL_FROM_WHITE_LIST:
3306                 hci_cc_le_del_from_white_list(hdev, skb);
3307                 break;
3308 
3309         case HCI_OP_LE_READ_SUPPORTED_STATES:
3310                 hci_cc_le_read_supported_states(hdev, skb);
3311                 break;
3312 
3313         case HCI_OP_LE_READ_DEF_DATA_LEN:
3314                 hci_cc_le_read_def_data_len(hdev, skb);
3315                 break;
3316 
3317         case HCI_OP_LE_WRITE_DEF_DATA_LEN:
3318                 hci_cc_le_write_def_data_len(hdev, skb);
3319                 break;
3320 
3321         case HCI_OP_LE_ADD_TO_RESOLV_LIST:
3322                 hci_cc_le_add_to_resolv_list(hdev, skb);
3323                 break;
3324 
3325         case HCI_OP_LE_DEL_FROM_RESOLV_LIST:
3326                 hci_cc_le_del_from_resolv_list(hdev, skb);
3327                 break;
3328 
3329         case HCI_OP_LE_CLEAR_RESOLV_LIST:
3330                 hci_cc_le_clear_resolv_list(hdev, skb);
3331                 break;
3332 
3333         case HCI_OP_LE_READ_RESOLV_LIST_SIZE:
3334                 hci_cc_le_read_resolv_list_size(hdev, skb);
3335                 break;
3336 
3337         case HCI_OP_LE_SET_ADDR_RESOLV_ENABLE:
3338                 hci_cc_le_set_addr_resolution_enable(hdev, skb);
3339                 break;
3340 
3341         case HCI_OP_LE_READ_MAX_DATA_LEN:
3342                 hci_cc_le_read_max_data_len(hdev, skb);
3343                 break;
3344 
3345         case HCI_OP_WRITE_LE_HOST_SUPPORTED:
3346                 hci_cc_write_le_host_supported(hdev, skb);
3347                 break;
3348 
3349         case HCI_OP_LE_SET_ADV_PARAM:
3350                 hci_cc_set_adv_param(hdev, skb);
3351                 break;
3352 
3353         case HCI_OP_READ_RSSI:
3354                 hci_cc_read_rssi(hdev, skb);
3355                 break;
3356 
3357         case HCI_OP_READ_TX_POWER:
3358                 hci_cc_read_tx_power(hdev, skb);
3359                 break;
3360 
3361         case HCI_OP_WRITE_SSP_DEBUG_MODE:
3362                 hci_cc_write_ssp_debug_mode(hdev, skb);
3363                 break;
3364 
3365         case HCI_OP_LE_SET_EXT_SCAN_PARAMS:
3366                 hci_cc_le_set_ext_scan_param(hdev, skb);
3367                 break;
3368 
3369         case HCI_OP_LE_SET_EXT_SCAN_ENABLE:
3370                 hci_cc_le_set_ext_scan_enable(hdev, skb);
3371                 break;
3372 
3373         case HCI_OP_LE_SET_DEFAULT_PHY:
3374                 hci_cc_le_set_default_phy(hdev, skb);
3375                 break;
3376 
3377         case HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS:
3378                 hci_cc_le_read_num_adv_sets(hdev, skb);
3379                 break;
3380 
3381         case HCI_OP_LE_SET_EXT_ADV_PARAMS:
3382                 hci_cc_set_ext_adv_param(hdev, skb);
3383                 break;
3384 
3385         case HCI_OP_LE_SET_EXT_ADV_ENABLE:
3386                 hci_cc_le_set_ext_adv_enable(hdev, skb);
3387                 break;
3388 
3389         case HCI_OP_LE_SET_ADV_SET_RAND_ADDR:
3390                 hci_cc_le_set_adv_set_random_addr(hdev, skb);
3391                 break;
3392 
3393         default:
3394                 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3395                 break;
3396         }
3397 
3398         if (*opcode != HCI_OP_NOP)
3399                 cancel_delayed_work(&hdev->cmd_timer);
3400 
3401         if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3402                 atomic_set(&hdev->cmd_cnt, 1);
3403 
3404         hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
3405                              req_complete_skb);
3406 
3407         if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3408                 queue_work(hdev->workqueue, &hdev->cmd_work);
3409 }
3410 
3411 static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb,
3412                                u16 *opcode, u8 *status,
3413                                hci_req_complete_t *req_complete,
3414                                hci_req_complete_skb_t *req_complete_skb)
3415 {
3416         struct hci_ev_cmd_status *ev = (void *) skb->data;
3417 
3418         skb_pull(skb, sizeof(*ev));
3419 
3420         *opcode = __le16_to_cpu(ev->opcode);
3421         *status = ev->status;
3422 
3423         switch (*opcode) {
3424         case HCI_OP_INQUIRY:
3425                 hci_cs_inquiry(hdev, ev->status);
3426                 break;
3427 
3428         case HCI_OP_CREATE_CONN:
3429                 hci_cs_create_conn(hdev, ev->status);
3430                 break;
3431 
3432         case HCI_OP_DISCONNECT:
3433                 hci_cs_disconnect(hdev, ev->status);
3434                 break;
3435 
3436         case HCI_OP_ADD_SCO:
3437                 hci_cs_add_sco(hdev, ev->status);
3438                 break;
3439 
3440         case HCI_OP_AUTH_REQUESTED:
3441                 hci_cs_auth_requested(hdev, ev->status);
3442                 break;
3443 
3444         case HCI_OP_SET_CONN_ENCRYPT:
3445                 hci_cs_set_conn_encrypt(hdev, ev->status);
3446                 break;
3447 
3448         case HCI_OP_REMOTE_NAME_REQ:
3449                 hci_cs_remote_name_req(hdev, ev->status);
3450                 break;
3451 
3452         case HCI_OP_READ_REMOTE_FEATURES:
3453                 hci_cs_read_remote_features(hdev, ev->status);
3454                 break;
3455 
3456         case HCI_OP_READ_REMOTE_EXT_FEATURES:
3457                 hci_cs_read_remote_ext_features(hdev, ev->status);
3458                 break;
3459 
3460         case HCI_OP_SETUP_SYNC_CONN:
3461                 hci_cs_setup_sync_conn(hdev, ev->status);
3462                 break;
3463 
3464         case HCI_OP_SNIFF_MODE:
3465                 hci_cs_sniff_mode(hdev, ev->status);
3466                 break;
3467 
3468         case HCI_OP_EXIT_SNIFF_MODE:
3469                 hci_cs_exit_sniff_mode(hdev, ev->status);
3470                 break;
3471 
3472         case HCI_OP_SWITCH_ROLE:
3473                 hci_cs_switch_role(hdev, ev->status);
3474                 break;
3475 
3476         case HCI_OP_LE_CREATE_CONN:
3477                 hci_cs_le_create_conn(hdev, ev->status);
3478                 break;
3479 
3480         case HCI_OP_LE_READ_REMOTE_FEATURES:
3481                 hci_cs_le_read_remote_features(hdev, ev->status);
3482                 break;
3483 
3484         case HCI_OP_LE_START_ENC:
3485                 hci_cs_le_start_enc(hdev, ev->status);
3486                 break;
3487 
3488         case HCI_OP_LE_EXT_CREATE_CONN:
3489                 hci_cs_le_ext_create_conn(hdev, ev->status);
3490                 break;
3491 
3492         default:
3493                 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3494                 break;
3495         }
3496 
3497         if (*opcode != HCI_OP_NOP)
3498                 cancel_delayed_work(&hdev->cmd_timer);
3499 
3500         if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3501                 atomic_set(&hdev->cmd_cnt, 1);
3502 
3503         /* Indicate request completion if the command failed. Also, if
3504          * we're not waiting for a special event and we get a success
3505          * command status we should try to flag the request as completed
3506          * (since for this kind of commands there will not be a command
3507          * complete event).
3508          */
3509         if (ev->status ||
3510             (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->hci.req_event))
3511                 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
3512                                      req_complete_skb);
3513 
3514         if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3515                 queue_work(hdev->workqueue, &hdev->cmd_work);
3516 }
3517 
3518 static void hci_hardware_error_evt(struct hci_dev *hdev, struct sk_buff *skb)
3519 {
3520         struct hci_ev_hardware_error *ev = (void *) skb->data;
3521 
3522         hdev->hw_error_code = ev->code;
3523 
3524         queue_work(hdev->req_workqueue, &hdev->error_reset);
3525 }
3526 
3527 static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3528 {
3529         struct hci_ev_role_change *ev = (void *) skb->data;
3530         struct hci_conn *conn;
3531 
3532         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3533 
3534         hci_dev_lock(hdev);
3535 
3536         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3537         if (conn) {
3538                 if (!ev->status)
3539                         conn->role = ev->role;
3540 
3541                 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
3542 
3543                 hci_role_switch_cfm(conn, ev->status, ev->role);
3544         }
3545 
3546         hci_dev_unlock(hdev);
3547 }
3548 
3549 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb)
3550 {
3551         struct hci_ev_num_comp_pkts *ev = (void *) skb->data;
3552         int i;
3553 
3554         if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
3555                 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
3556                 return;
3557         }
3558 
3559         if (skb->len < sizeof(*ev) ||
3560             skb->len < struct_size(ev, handles, ev->num_hndl)) {
3561                 BT_DBG("%s bad parameters", hdev->name);
3562                 return;
3563         }
3564 
3565         BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl);
3566 
3567         for (i = 0; i < ev->num_hndl; i++) {
3568                 struct hci_comp_pkts_info *info = &ev->handles[i];
3569                 struct hci_conn *conn;
3570                 __u16  handle, count;
3571 
3572                 handle = __le16_to_cpu(info->handle);
3573                 count  = __le16_to_cpu(info->count);
3574 
3575                 conn = hci_conn_hash_lookup_handle(hdev, handle);
3576                 if (!conn)
3577                         continue;
3578 
3579                 conn->sent -= count;
3580 
3581                 switch (conn->type) {
3582                 case ACL_LINK:
3583                         hdev->acl_cnt += count;
3584                         if (hdev->acl_cnt > hdev->acl_pkts)
3585                                 hdev->acl_cnt = hdev->acl_pkts;
3586                         break;
3587 
3588                 case LE_LINK:
3589                         if (hdev->le_pkts) {
3590                                 hdev->le_cnt += count;
3591                                 if (hdev->le_cnt > hdev->le_pkts)
3592                                         hdev->le_cnt = hdev->le_pkts;
3593                         } else {
3594                                 hdev->acl_cnt += count;
3595                                 if (hdev->acl_cnt > hdev->acl_pkts)
3596                                         hdev->acl_cnt = hdev->acl_pkts;
3597                         }
3598                         break;
3599 
3600                 case SCO_LINK:
3601                         hdev->sco_cnt += count;
3602                         if (hdev->sco_cnt > hdev->sco_pkts)
3603                                 hdev->sco_cnt = hdev->sco_pkts;
3604                         break;
3605 
3606                 default:
3607                         bt_dev_err(hdev, "unknown type %d conn %p",
3608                                    conn->type, conn);
3609                         break;
3610                 }
3611         }
3612 
3613         queue_work(hdev->workqueue, &hdev->tx_work);
3614 }
3615 
3616 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
3617                                                  __u16 handle)
3618 {
3619         struct hci_chan *chan;
3620 
3621         switch (hdev->dev_type) {
3622         case HCI_PRIMARY:
3623                 return hci_conn_hash_lookup_handle(hdev, handle);
3624         case HCI_AMP:
3625                 chan = hci_chan_lookup_handle(hdev, handle);
3626                 if (chan)
3627                         return chan->conn;
3628                 break;
3629         default:
3630                 bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type);
3631                 break;
3632         }
3633 
3634         return NULL;
3635 }
3636 
3637 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb)
3638 {
3639         struct hci_ev_num_comp_blocks *ev = (void *) skb->data;
3640         int i;
3641 
3642         if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
3643                 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
3644                 return;
3645         }
3646 
3647         if (skb->len < sizeof(*ev) ||
3648             skb->len < struct_size(ev, handles, ev->num_hndl)) {
3649                 BT_DBG("%s bad parameters", hdev->name);
3650                 return;
3651         }
3652 
3653         BT_DBG("%s num_blocks %d num_hndl %d", hdev->name, ev->num_blocks,
3654                ev->num_hndl);
3655 
3656         for (i = 0; i < ev->num_hndl; i++) {
3657                 struct hci_comp_blocks_info *info = &ev->handles[i];
3658                 struct hci_conn *conn = NULL;
3659                 __u16  handle, block_count;
3660 
3661                 handle = __le16_to_cpu(info->handle);
3662                 block_count = __le16_to_cpu(info->blocks);
3663 
3664                 conn = __hci_conn_lookup_handle(hdev, handle);
3665                 if (!conn)
3666                         continue;
3667 
3668                 conn->sent -= block_count;
3669 
3670                 switch (conn->type) {
3671                 case ACL_LINK:
3672                 case AMP_LINK:
3673                         hdev->block_cnt += block_count;
3674                         if (hdev->block_cnt > hdev->num_blocks)
3675                                 hdev->block_cnt = hdev->num_blocks;
3676                         break;
3677 
3678                 default:
3679                         bt_dev_err(hdev, "unknown type %d conn %p",
3680                                    conn->type, conn);
3681                         break;
3682                 }
3683         }
3684 
3685         queue_work(hdev->workqueue, &hdev->tx_work);
3686 }
3687 
3688 static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3689 {
3690         struct hci_ev_mode_change *ev = (void *) skb->data;
3691         struct hci_conn *conn;
3692 
3693         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3694 
3695         hci_dev_lock(hdev);
3696 
3697         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3698         if (conn) {
3699                 conn->mode = ev->mode;
3700 
3701                 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
3702                                         &conn->flags)) {
3703                         if (conn->mode == HCI_CM_ACTIVE)
3704                                 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3705                         else
3706                                 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3707                 }
3708 
3709                 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
3710                         hci_sco_setup(conn, ev->status);
3711         }
3712 
3713         hci_dev_unlock(hdev);
3714 }
3715 
3716 static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3717 {
3718         struct hci_ev_pin_code_req *ev = (void *) skb->data;
3719         struct hci_conn *conn;
3720 
3721         BT_DBG("%s", hdev->name);
3722 
3723         hci_dev_lock(hdev);
3724 
3725         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3726         if (!conn)
3727                 goto unlock;
3728 
3729         if (conn->state == BT_CONNECTED) {
3730                 hci_conn_hold(conn);
3731                 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3732                 hci_conn_drop(conn);
3733         }
3734 
3735         if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
3736             !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
3737                 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
3738                              sizeof(ev->bdaddr), &ev->bdaddr);
3739         } else if (hci_dev_test_flag(hdev, HCI_MGMT)) {
3740                 u8 secure;
3741 
3742                 if (conn->pending_sec_level == BT_SECURITY_HIGH)
3743                         secure = 1;
3744                 else
3745                         secure = 0;
3746 
3747                 mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
3748         }
3749 
3750 unlock:
3751         hci_dev_unlock(hdev);
3752 }
3753 
3754 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
3755 {
3756         if (key_type == HCI_LK_CHANGED_COMBINATION)
3757                 return;
3758 
3759         conn->pin_length = pin_len;
3760         conn->key_type = key_type;
3761 
3762         switch (key_type) {
3763         case HCI_LK_LOCAL_UNIT:
3764         case HCI_LK_REMOTE_UNIT:
3765         case HCI_LK_DEBUG_COMBINATION:
3766                 return;
3767         case HCI_LK_COMBINATION:
3768                 if (pin_len == 16)
3769                         conn->pending_sec_level = BT_SECURITY_HIGH;
3770                 else
3771                         conn->pending_sec_level = BT_SECURITY_MEDIUM;
3772                 break;
3773         case HCI_LK_UNAUTH_COMBINATION_P192:
3774         case HCI_LK_UNAUTH_COMBINATION_P256:
3775                 conn->pending_sec_level = BT_SECURITY_MEDIUM;
3776                 break;
3777         case HCI_LK_AUTH_COMBINATION_P192:
3778                 conn->pending_sec_level = BT_SECURITY_HIGH;
3779                 break;
3780         case HCI_LK_AUTH_COMBINATION_P256:
3781                 conn->pending_sec_level = BT_SECURITY_FIPS;
3782                 break;
3783         }
3784 }
3785 
3786 static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3787 {
3788         struct hci_ev_link_key_req *ev = (void *) skb->data;
3789         struct hci_cp_link_key_reply cp;
3790         struct hci_conn *conn;
3791         struct link_key *key;
3792 
3793         BT_DBG("%s", hdev->name);
3794 
3795         if (!hci_dev_test_flag(hdev, HCI_MGMT))
3796                 return;
3797 
3798         hci_dev_lock(hdev);
3799 
3800         key = hci_find_link_key(hdev, &ev->bdaddr);
3801         if (!key) {
3802                 BT_DBG("%s link key not found for %pMR", hdev->name,
3803                        &ev->bdaddr);
3804                 goto not_found;
3805         }
3806 
3807         BT_DBG("%s found key type %u for %pMR", hdev->name, key->type,
3808                &ev->bdaddr);
3809 
3810         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3811         if (conn) {
3812                 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3813 
3814                 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
3815                      key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
3816                     conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
3817                         BT_DBG("%s ignoring unauthenticated key", hdev->name);
3818                         goto not_found;
3819                 }
3820 
3821                 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
3822                     (conn->pending_sec_level == BT_SECURITY_HIGH ||
3823                      conn->pending_sec_level == BT_SECURITY_FIPS)) {
3824                         BT_DBG("%s ignoring key unauthenticated for high security",
3825                                hdev->name);
3826                         goto not_found;
3827                 }
3828 
3829                 conn_set_key(conn, key->type, key->pin_len);
3830         }
3831 
3832         bacpy(&cp.bdaddr, &ev->bdaddr);
3833         memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
3834 
3835         hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
3836 
3837         hci_dev_unlock(hdev);
3838 
3839         return;
3840 
3841 not_found:
3842         hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
3843         hci_dev_unlock(hdev);
3844 }
3845 
3846 static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
3847 {
3848         struct hci_ev_link_key_notify *ev = (void *) skb->data;
3849         struct hci_conn *conn;
3850         struct link_key *key;
3851         bool persistent;
3852         u8 pin_len = 0;
3853 
3854         BT_DBG("%s", hdev->name);
3855 
3856         hci_dev_lock(hdev);
3857 
3858         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3859         if (!conn)
3860                 goto unlock;
3861 
3862         hci_conn_hold(conn);
3863         conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3864         hci_conn_drop(conn);
3865 
3866         set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3867         conn_set_key(conn, ev->key_type, conn->pin_length);
3868 
3869         if (!hci_dev_test_flag(hdev, HCI_MGMT))
3870                 goto unlock;
3871 
3872         key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
3873                                 ev->key_type, pin_len, &persistent);
3874         if (!key)
3875                 goto unlock;
3876 
3877         /* Update connection information since adding the key will have
3878          * fixed up the type in the case of changed combination keys.
3879          */
3880         if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
3881                 conn_set_key(conn, key->type, key->pin_len);
3882 
3883         mgmt_new_link_key(hdev, key, persistent);
3884 
3885         /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
3886          * is set. If it's not set simply remove the key from the kernel
3887          * list (we've still notified user space about it but with
3888          * store_hint being 0).
3889          */
3890         if (key->type == HCI_LK_DEBUG_COMBINATION &&
3891             !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {
3892                 list_del_rcu(&key->list);
3893                 kfree_rcu(key, rcu);
3894                 goto unlock;
3895         }
3896 
3897         if (persistent)
3898                 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3899         else
3900                 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3901 
3902 unlock:
3903         hci_dev_unlock(hdev);
3904 }
3905 
3906 static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb)
3907 {
3908         struct hci_ev_clock_offset *ev = (void *) skb->data;
3909         struct hci_conn *conn;
3910 
3911         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3912 
3913         hci_dev_lock(hdev);
3914 
3915         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3916         if (conn && !ev->status) {
3917                 struct inquiry_entry *ie;
3918 
3919                 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
3920                 if (ie) {
3921                         ie->data.clock_offset = ev->clock_offset;
3922                         ie->timestamp = jiffies;
3923                 }
3924         }
3925 
3926         hci_dev_unlock(hdev);
3927 }
3928 
3929 static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3930 {
3931         struct hci_ev_pkt_type_change *ev = (void *) skb->data;
3932         struct hci_conn *conn;
3933 
3934         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3935 
3936         hci_dev_lock(hdev);
3937 
3938         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3939         if (conn && !ev->status)
3940                 conn->pkt_type = __le16_to_cpu(ev->pkt_type);
3941 
3942         hci_dev_unlock(hdev);
3943 }
3944 
3945 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb)
3946 {
3947         struct hci_ev_pscan_rep_mode *ev = (void *) skb->data;
3948         struct inquiry_entry *ie;
3949 
3950         BT_DBG("%s", hdev->name);
3951 
3952         hci_dev_lock(hdev);
3953 
3954         ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3955         if (ie) {
3956                 ie->data.pscan_rep_mode = ev->pscan_rep_mode;
3957                 ie->timestamp = jiffies;
3958         }
3959 
3960         hci_dev_unlock(hdev);
3961 }
3962 
3963 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev,
3964                                              struct sk_buff *skb)
3965 {
3966         struct inquiry_data data;
3967         int num_rsp = *((__u8 *) skb->data);
3968 
3969         BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
3970 
3971         if (!num_rsp)
3972                 return;
3973 
3974         if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3975                 return;
3976 
3977         hci_dev_lock(hdev);
3978 
3979         if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
3980                 struct inquiry_info_with_rssi_and_pscan_mode *info;
3981                 info = (void *) (skb->data + 1);
3982 
3983                 for (; num_rsp; num_rsp--, info++) {
3984                         u32 flags;
3985 
3986                         bacpy(&data.bdaddr, &info->bdaddr);
3987                         data.pscan_rep_mode     = info->pscan_rep_mode;
3988                         data.pscan_period_mode  = info->pscan_period_mode;
3989                         data.pscan_mode         = info->pscan_mode;
3990                         memcpy(data.dev_class, info->dev_class, 3);
3991                         data.clock_offset       = info->clock_offset;
3992                         data.rssi               = info->rssi;
3993                         data.ssp_mode           = 0x00;
3994 
3995                         flags = hci_inquiry_cache_update(hdev, &data, false);
3996 
3997                         mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3998                                           info->dev_class, info->rssi,
3999                                           flags, NULL, 0, NULL, 0);
4000                 }
4001         } else {
4002                 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
4003 
4004                 for (; num_rsp; num_rsp--, info++) {
4005                         u32 flags;
4006 
4007                         bacpy(&data.bdaddr, &info->bdaddr);
4008                         data.pscan_rep_mode     = info->pscan_rep_mode;
4009                         data.pscan_period_mode  = info->pscan_period_mode;
4010                         data.pscan_mode         = 0x00;
4011                         memcpy(data.dev_class, info->dev_class, 3);
4012                         data.clock_offset       = info->clock_offset;
4013                         data.rssi               = info->rssi;
4014                         data.ssp_mode           = 0x00;
4015 
4016                         flags = hci_inquiry_cache_update(hdev, &data, false);
4017 
4018                         mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4019                                           info->dev_class, info->rssi,
4020                                           flags, NULL, 0, NULL, 0);
4021                 }
4022         }
4023 
4024         hci_dev_unlock(hdev);
4025 }
4026 
4027 static void hci_remote_ext_features_evt(struct hci_dev *hdev,
4028                                         struct sk_buff *skb)
4029 {
4030         struct hci_ev_remote_ext_features *ev = (void *) skb->data;
4031         struct hci_conn *conn;
4032 
4033         BT_DBG("%s", hdev->name);
4034 
4035         hci_dev_lock(hdev);
4036 
4037         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4038         if (!conn)
4039                 goto unlock;
4040 
4041         if (ev->page < HCI_MAX_PAGES)
4042                 memcpy(conn->features[ev->page], ev->features, 8);
4043 
4044         if (!ev->status && ev->page == 0x01) {
4045                 struct inquiry_entry *ie;
4046 
4047                 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
4048                 if (ie)
4049                         ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4050 
4051                 if (ev->features[0] & LMP_HOST_SSP) {
4052                         set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
4053                 } else {
4054                         /* It is mandatory by the Bluetooth specification that
4055                          * Extended Inquiry Results are only used when Secure
4056                          * Simple Pairing is enabled, but some devices violate
4057                          * this.
4058                          *
4059                          * To make these devices work, the internal SSP
4060                          * enabled flag needs to be cleared if the remote host
4061                          * features do not indicate SSP support */
4062                         clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
4063                 }
4064 
4065                 if (ev->features[0] & LMP_HOST_SC)
4066                         set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
4067         }
4068 
4069         if (conn->state != BT_CONFIG)
4070                 goto unlock;
4071 
4072         if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
4073                 struct hci_cp_remote_name_req cp;
4074                 memset(&cp, 0, sizeof(cp));
4075                 bacpy(&cp.bdaddr, &conn->dst);
4076                 cp.pscan_rep_mode = 0x02;
4077                 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
4078         } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
4079                 mgmt_device_connected(hdev, conn, 0, NULL, 0);
4080 
4081         if (!hci_outgoing_auth_needed(hdev, conn)) {
4082                 conn->state = BT_CONNECTED;
4083                 hci_connect_cfm(conn, ev->status);
4084                 hci_conn_drop(conn);
4085         }
4086 
4087 unlock:
4088         hci_dev_unlock(hdev);
4089 }
4090 
4091 static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
4092                                        struct sk_buff *skb)
4093 {
4094         struct hci_ev_sync_conn_complete *ev = (void *) skb->data;
4095         struct hci_conn *conn;
4096 
4097         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4098 
4099         hci_dev_lock(hdev);
4100 
4101         conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
4102         if (!conn) {
4103                 if (ev->link_type == ESCO_LINK)
4104                         goto unlock;
4105 
4106                 /* When the link type in the event indicates SCO connection
4107                  * and lookup of the connection object fails, then check
4108                  * if an eSCO connection object exists.
4109                  *
4110                  * The core limits the synchronous connections to either
4111                  * SCO or eSCO. The eSCO connection is preferred and tried
4112                  * to be setup first and until successfully established,
4113                  * the link type will be hinted as eSCO.
4114                  */
4115                 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
4116                 if (!conn)
4117                         goto unlock;
4118         }
4119 
4120         switch (ev->status) {
4121         case 0x00:
4122                 conn->handle = __le16_to_cpu(ev->handle);
4123                 conn->state  = BT_CONNECTED;
4124                 conn->type   = ev->link_type;
4125 
4126                 hci_debugfs_create_conn(conn);
4127                 hci_conn_add_sysfs(conn);
4128                 break;
4129 
4130         case 0x10:      /* Connection Accept Timeout */
4131         case 0x0d:      /* Connection Rejected due to Limited Resources */
4132         case 0x11:      /* Unsupported Feature or Parameter Value */
4133         case 0x1c:      /* SCO interval rejected */
4134         case 0x1a:      /* Unsupported Remote Feature */
4135         case 0x1f:      /* Unspecified error */
4136         case 0x20:      /* Unsupported LMP Parameter value */
4137                 if (conn->out) {
4138                         conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
4139                                         (hdev->esco_type & EDR_ESCO_MASK);
4140                         if (hci_setup_sync(conn, conn->link->handle))
4141                                 goto unlock;
4142                 }
4143                 /* fall through */
4144 
4145         default:
4146                 conn->state = BT_CLOSED;
4147                 break;
4148         }
4149 
4150         hci_connect_cfm(conn, ev->status);
4151         if (ev->status)
4152                 hci_conn_del(conn);
4153 
4154 unlock:
4155         hci_dev_unlock(hdev);
4156 }
4157 
4158 static inline size_t eir_get_length(u8 *eir, size_t eir_len)
4159 {
4160         size_t parsed = 0;
4161 
4162         while (parsed < eir_len) {
4163                 u8 field_len = eir[0];
4164 
4165                 if (field_len == 0)
4166                         return parsed;
4167 
4168                 parsed += field_len + 1;
4169                 eir += field_len + 1;
4170         }
4171 
4172         return eir_len;
4173 }
4174 
4175 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev,
4176                                             struct sk_buff *skb)
4177 {
4178         struct inquiry_data data;
4179         struct extended_inquiry_info *info = (void *) (skb->data + 1);
4180         int num_rsp = *((__u8 *) skb->data);
4181         size_t eir_len;
4182 
4183         BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
4184 
4185         if (!num_rsp)
4186                 return;
4187 
4188         if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
4189                 return;
4190 
4191         hci_dev_lock(hdev);
4192 
4193         for (; num_rsp; num_rsp--, info++) {
4194                 u32 flags;
4195                 bool name_known;
4196 
4197                 bacpy(&data.bdaddr, &info->bdaddr);
4198                 data.pscan_rep_mode     = info->pscan_rep_mode;
4199                 data.pscan_period_mode  = info->pscan_period_mode;
4200                 data.pscan_mode         = 0x00;
4201                 memcpy(data.dev_class, info->dev_class, 3);
4202                 data.clock_offset       = info->clock_offset;
4203                 data.rssi               = info->rssi;
4204                 data.ssp_mode           = 0x01;
4205 
4206                 if (hci_dev_test_flag(hdev, HCI_MGMT))
4207                         name_known = eir_get_data(info->data,
4208                                                   sizeof(info->data),
4209                                                   EIR_NAME_COMPLETE, NULL);
4210                 else
4211                         name_known = true;
4212 
4213                 flags = hci_inquiry_cache_update(hdev, &data, name_known);
4214 
4215                 eir_len = eir_get_length(info->data, sizeof(info->data));
4216 
4217                 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4218                                   info->dev_class, info->rssi,
4219                                   flags, info->data, eir_len, NULL, 0);
4220         }
4221 
4222         hci_dev_unlock(hdev);
4223 }
4224 
4225 static void hci_key_refresh_complete_evt(struct hci_dev *hdev,
4226                                          struct sk_buff *skb)
4227 {
4228         struct hci_ev_key_refresh_complete *ev = (void *) skb->data;
4229         struct hci_conn *conn;
4230 
4231         BT_DBG("%s status 0x%2.2x handle 0x%4.4x", hdev->name, ev->status,
4232                __le16_to_cpu(ev->handle));
4233 
4234         hci_dev_lock(hdev);
4235 
4236         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4237         if (!conn)
4238                 goto unlock;
4239 
4240         /* For BR/EDR the necessary steps are taken through the
4241          * auth_complete event.
4242          */
4243         if (conn->type != LE_LINK)
4244                 goto unlock;
4245 
4246         if (!ev->status)
4247                 conn->sec_level = conn->pending_sec_level;
4248 
4249         clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
4250 
4251         if (ev->status && conn->state == BT_CONNECTED) {
4252                 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
4253                 hci_conn_drop(conn);
4254                 goto unlock;
4255         }
4256 
4257         if (conn->state == BT_CONFIG) {
4258                 if (!ev->status)
4259                         conn->state = BT_CONNECTED;
4260 
4261                 hci_connect_cfm(conn, ev->status);
4262                 hci_conn_drop(conn);
4263         } else {
4264                 hci_auth_cfm(conn, ev->status);
4265 
4266                 hci_conn_hold(conn);
4267                 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
4268                 hci_conn_drop(conn);
4269         }
4270 
4271 unlock:
4272         hci_dev_unlock(hdev);
4273 }
4274 
4275 static u8 hci_get_auth_req(struct hci_conn *conn)
4276 {
4277         /* If remote requests no-bonding follow that lead */
4278         if (conn->remote_auth == HCI_AT_NO_BONDING ||
4279             conn->remote_auth == HCI_AT_NO_BONDING_MITM)
4280                 return conn->remote_auth | (conn->auth_type & 0x01);
4281 
4282         /* If both remote and local have enough IO capabilities, require
4283          * MITM protection
4284          */
4285         if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
4286             conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
4287                 return conn->remote_auth | 0x01;
4288 
4289         /* No MITM protection possible so ignore remote requirement */
4290         return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
4291 }
4292 
4293 static u8 bredr_oob_data_present(struct hci_conn *conn)
4294 {
4295         struct hci_dev *hdev = conn->hdev;
4296         struct oob_data *data;
4297 
4298         data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
4299         if (!data)
4300                 return 0x00;
4301 
4302         if (bredr_sc_enabled(hdev)) {
4303                 /* When Secure Connections is enabled, then just
4304                  * return the present value stored with the OOB
4305                  * data. The stored value contains the right present
4306                  * information. However it can only be trusted when
4307                  * not in Secure Connection Only mode.
4308                  */
4309                 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY))
4310                         return data->present;
4311 
4312                 /* When Secure Connections Only mode is enabled, then
4313                  * the P-256 values are required. If they are not
4314                  * available, then do not declare that OOB data is
4315                  * present.
4316                  */
4317                 if (!memcmp(data->rand256, ZERO_KEY, 16) ||
4318                     !memcmp(data->hash256, ZERO_KEY, 16))
4319                         return 0x00;
4320 
4321                 return 0x02;
4322         }
4323 
4324         /* When Secure Connections is not enabled or actually
4325          * not supported by the hardware, then check that if
4326          * P-192 data values are present.
4327          */
4328         if (!memcmp(data->rand192, ZERO_KEY, 16) ||
4329             !memcmp(data->hash192, ZERO_KEY, 16))
4330                 return 0x00;
4331 
4332         return 0x01;
4333 }
4334 
4335 static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
4336 {
4337         struct hci_ev_io_capa_request *ev = (void *) skb->data;
4338         struct hci_conn *conn;
4339 
4340         BT_DBG("%s", hdev->name);
4341 
4342         hci_dev_lock(hdev);
4343 
4344         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4345         if (!conn)
4346                 goto unlock;
4347 
4348         hci_conn_hold(conn);
4349 
4350         if (!hci_dev_test_flag(hdev, HCI_MGMT))
4351                 goto unlock;
4352 
4353         /* Allow pairing if we're pairable, the initiators of the
4354          * pairing or if the remote is not requesting bonding.
4355          */
4356         if (hci_dev_test_flag(hdev, HCI_BONDABLE) ||
4357             test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
4358             (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
4359                 struct hci_cp_io_capability_reply cp;
4360 
4361                 bacpy(&cp.bdaddr, &ev->bdaddr);
4362                 /* Change the IO capability from KeyboardDisplay
4363                  * to DisplayYesNo as it is not supported by BT spec. */
4364                 cp.capability = (conn->io_capability == 0x04) ?
4365                                 HCI_IO_DISPLAY_YESNO : conn->io_capability;
4366 
4367                 /* If we are initiators, there is no remote information yet */
4368                 if (conn->remote_auth == 0xff) {
4369                         /* Request MITM protection if our IO caps allow it
4370                          * except for the no-bonding case.
4371                          */
4372                         if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4373                             conn->auth_type != HCI_AT_NO_BONDING)
4374                                 conn->auth_type |= 0x01;
4375                 } else {
4376                         conn->auth_type = hci_get_auth_req(conn);
4377                 }
4378 
4379                 /* If we're not bondable, force one of the non-bondable
4380                  * authentication requirement values.
4381                  */
4382                 if (!hci_dev_test_flag(hdev, HCI_BONDABLE))
4383                         conn->auth_type &= HCI_AT_NO_BONDING_MITM;
4384 
4385                 cp.authentication = conn->auth_type;
4386                 cp.oob_data = bredr_oob_data_present(conn);
4387 
4388                 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
4389                              sizeof(cp), &cp);
4390         } else {
4391                 struct hci_cp_io_capability_neg_reply cp;
4392 
4393                 bacpy(&cp.bdaddr, &ev->bdaddr);
4394                 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
4395 
4396                 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
4397                              sizeof(cp), &cp);
4398         }
4399 
4400 unlock:
4401         hci_dev_unlock(hdev);
4402 }
4403 
4404 static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb)
4405 {
4406         struct hci_ev_io_capa_reply *ev = (void *) skb->data;
4407         struct hci_conn *conn;
4408 
4409         BT_DBG("%s", hdev->name);
4410 
4411         hci_dev_lock(hdev);
4412 
4413         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4414         if (!conn)
4415                 goto unlock;
4416 
4417         conn->remote_cap = ev->capability;
4418         conn->remote_auth = ev->authentication;
4419 
4420 unlock:
4421         hci_dev_unlock(hdev);
4422 }
4423 
4424 static void hci_user_confirm_request_evt(struct hci_dev *hdev,
4425                                          struct sk_buff *skb)
4426 {
4427         struct hci_ev_user_confirm_req *ev = (void *) skb->data;
4428         int loc_mitm, rem_mitm, confirm_hint = 0;
4429         struct hci_conn *conn;
4430 
4431         BT_DBG("%s", hdev->name);
4432 
4433         hci_dev_lock(hdev);
4434 
4435         if (!hci_dev_test_flag(hdev, HCI_MGMT))
4436                 goto unlock;
4437 
4438         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4439         if (!conn)
4440                 goto unlock;
4441 
4442         loc_mitm = (conn->auth_type & 0x01);
4443         rem_mitm = (conn->remote_auth & 0x01);
4444 
4445         /* If we require MITM but the remote device can't provide that
4446          * (it has NoInputNoOutput) then reject the confirmation
4447          * request. We check the security level here since it doesn't
4448          * necessarily match conn->auth_type.
4449          */
4450         if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
4451             conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
4452                 BT_DBG("Rejecting request: remote device can't provide MITM");
4453                 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
4454                              sizeof(ev->bdaddr), &ev->bdaddr);
4455                 goto unlock;
4456         }
4457 
4458         /* If no side requires MITM protection; auto-accept */
4459         if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
4460             (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
4461 
4462                 /* If we're not the initiators request authorization to
4463                  * proceed from user space (mgmt_user_confirm with
4464                  * confirm_hint set to 1). The exception is if neither
4465                  * side had MITM or if the local IO capability is
4466                  * NoInputNoOutput, in which case we do auto-accept
4467                  */
4468                 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
4469                     conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4470                     (loc_mitm || rem_mitm)) {
4471                         BT_DBG("Confirming auto-accept as acceptor");
4472                         confirm_hint = 1;
4473                         goto confirm;
4474                 }
4475 
4476                 BT_DBG("Auto-accept of user confirmation with %ums delay",
4477                        hdev->auto_accept_delay);
4478 
4479                 if (hdev->auto_accept_delay > 0) {
4480                         int delay = msecs_to_jiffies(hdev->auto_accept_delay);
4481                         queue_delayed_work(conn->hdev->workqueue,
4482                                            &conn->auto_accept_work, delay);
4483                         goto unlock;
4484                 }
4485 
4486                 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
4487                              sizeof(ev->bdaddr), &ev->bdaddr);
4488                 goto unlock;
4489         }
4490 
4491 confirm:
4492         mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
4493                                   le32_to_cpu(ev->passkey), confirm_hint);
4494 
4495 unlock:
4496         hci_dev_unlock(hdev);
4497 }
4498 
4499 static void hci_user_passkey_request_evt(struct hci_dev *hdev,
4500                                          struct sk_buff *skb)
4501 {
4502         struct hci_ev_user_passkey_req *ev = (void *) skb->data;
4503 
4504         BT_DBG("%s", hdev->name);
4505 
4506         if (hci_dev_test_flag(hdev, HCI_MGMT))
4507                 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
4508 }
4509 
4510 static void hci_user_passkey_notify_evt(struct hci_dev *hdev,
4511                                         struct sk_buff *skb)
4512 {
4513         struct hci_ev_user_passkey_notify *ev = (void *) skb->data;
4514         struct hci_conn *conn;
4515 
4516         BT_DBG("%s", hdev->name);
4517 
4518         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4519         if (!conn)
4520                 return;
4521 
4522         conn->passkey_notify = __le32_to_cpu(ev->passkey);
4523         conn->passkey_entered = 0;
4524 
4525         if (hci_dev_test_flag(hdev, HCI_MGMT))
4526                 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4527                                          conn->dst_type, conn->passkey_notify,
4528                                          conn->passkey_entered);
4529 }
4530 
4531 static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
4532 {
4533         struct hci_ev_keypress_notify *ev = (void *) skb->data;
4534         struct hci_conn *conn;
4535 
4536         BT_DBG("%s", hdev->name);
4537 
4538         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4539         if (!conn)
4540                 return;
4541 
4542         switch (ev->type) {
4543         case HCI_KEYPRESS_STARTED:
4544                 conn->passkey_entered = 0;
4545                 return;
4546 
4547         case HCI_KEYPRESS_ENTERED:
4548                 conn->passkey_entered++;
4549                 break;
4550 
4551         case HCI_KEYPRESS_ERASED:
4552                 conn->passkey_entered--;
4553                 break;
4554 
4555         case HCI_KEYPRESS_CLEARED:
4556                 conn->passkey_entered = 0;
4557                 break;
4558 
4559         case HCI_KEYPRESS_COMPLETED:
4560                 return;
4561         }
4562 
4563         if (hci_dev_test_flag(hdev, HCI_MGMT))
4564                 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4565                                          conn->dst_type, conn->passkey_notify,
4566                                          conn->passkey_entered);
4567 }
4568 
4569 static void hci_simple_pair_complete_evt(struct hci_dev *hdev,
4570                                          struct sk_buff *skb)
4571 {
4572         struct hci_ev_simple_pair_complete *ev = (void *) skb->data;
4573         struct hci_conn *conn;
4574 
4575         BT_DBG("%s", hdev->name);
4576 
4577         hci_dev_lock(hdev);
4578 
4579         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4580         if (!conn)
4581                 goto unlock;
4582 
4583         /* Reset the authentication requirement to unknown */
4584         conn->remote_auth = 0xff;
4585 
4586         /* To avoid duplicate auth_failed events to user space we check
4587          * the HCI_CONN_AUTH_PEND flag which will be set if we
4588          * initiated the authentication. A traditional auth_complete
4589          * event gets always produced as initiator and is also mapped to
4590          * the mgmt_auth_failed event */
4591         if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
4592                 mgmt_auth_failed(conn, ev->status);
4593 
4594         hci_conn_drop(conn);
4595 
4596 unlock:
4597         hci_dev_unlock(hdev);
4598 }
4599 
4600 static void hci_remote_host_features_evt(struct hci_dev *hdev,
4601                                          struct sk_buff *skb)
4602 {
4603         struct hci_ev_remote_host_features *ev = (void *) skb->data;
4604         struct inquiry_entry *ie;
4605         struct hci_conn *conn;
4606 
4607         BT_DBG("%s", hdev->name);
4608 
4609         hci_dev_lock(hdev);
4610 
4611         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4612         if (conn)
4613                 memcpy(conn->features[1], ev->features, 8);
4614 
4615         ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4616         if (ie)
4617                 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4618 
4619         hci_dev_unlock(hdev);
4620 }
4621 
4622 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
4623                                             struct sk_buff *skb)
4624 {
4625         struct hci_ev_remote_oob_data_request *ev = (void *) skb->data;
4626         struct oob_data *data;
4627 
4628         BT_DBG("%s", hdev->name);
4629 
4630         hci_dev_lock(hdev);
4631 
4632         if (!hci_dev_test_flag(hdev, HCI_MGMT))
4633                 goto unlock;
4634 
4635         data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
4636         if (!data) {
4637                 struct hci_cp_remote_oob_data_neg_reply cp;
4638 
4639                 bacpy(&cp.bdaddr, &ev->bdaddr);
4640                 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
4641                              sizeof(cp), &cp);
4642                 goto unlock;
4643         }
4644 
4645         if (bredr_sc_enabled(hdev)) {
4646                 struct hci_cp_remote_oob_ext_data_reply cp;
4647 
4648                 bacpy(&cp.bdaddr, &ev->bdaddr);
4649                 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
4650                         memset(cp.hash192, 0, sizeof(cp.hash192));
4651                         memset(cp.rand192, 0, sizeof(cp.rand192));
4652                 } else {
4653                         memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
4654                         memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
4655                 }
4656                 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
4657                 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
4658 
4659                 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
4660                              sizeof(cp), &cp);
4661         } else {
4662                 struct hci_cp_remote_oob_data_reply cp;
4663 
4664                 bacpy(&cp.bdaddr, &ev->bdaddr);
4665                 memcpy(cp.hash, data->hash192, sizeof(cp.hash));
4666                 memcpy(cp.rand, data->rand192, sizeof(cp.rand));
4667 
4668                 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
4669                              sizeof(cp), &cp);
4670         }
4671 
4672 unlock:
4673         hci_dev_unlock(hdev);
4674 }
4675 
4676 #if IS_ENABLED(CONFIG_BT_HS)
4677 static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb)
4678 {
4679         struct hci_ev_channel_selected *ev = (void *)skb->data;
4680         struct hci_conn *hcon;
4681 
4682         BT_DBG("%s handle 0x%2.2x", hdev->name, ev->phy_handle);
4683 
4684         skb_pull(skb, sizeof(*ev));
4685 
4686         hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4687         if (!hcon)
4688                 return;
4689 
4690         amp_read_loc_assoc_final_data(hdev, hcon);
4691 }
4692 
4693 static void hci_phy_link_complete_evt(struct hci_dev *hdev,
4694                                       struct sk_buff *skb)
4695 {
4696         struct hci_ev_phy_link_complete *ev = (void *) skb->data;
4697         struct hci_conn *hcon, *bredr_hcon;
4698 
4699         BT_DBG("%s handle 0x%2.2x status 0x%2.2x", hdev->name, ev->phy_handle,
4700                ev->status);
4701 
4702         hci_dev_lock(hdev);
4703 
4704         hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4705         if (!hcon) {
4706                 hci_dev_unlock(hdev);
4707                 return;
4708         }
4709 
4710         if (ev->status) {
4711                 hci_conn_del(hcon);
4712                 hci_dev_unlock(hdev);
4713                 return;
4714         }
4715 
4716         bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
4717 
4718         hcon->state = BT_CONNECTED;
4719         bacpy(&hcon->dst, &bredr_hcon->dst);
4720 
4721         hci_conn_hold(hcon);
4722         hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
4723         hci_conn_drop(hcon);
4724 
4725         hci_debugfs_create_conn(hcon);
4726         hci_conn_add_sysfs(hcon);
4727 
4728         amp_physical_cfm(bredr_hcon, hcon);
4729 
4730         hci_dev_unlock(hdev);
4731 }
4732 
4733 static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4734 {
4735         struct hci_ev_logical_link_complete *ev = (void *) skb->data;
4736         struct hci_conn *hcon;
4737         struct hci_chan *hchan;
4738         struct amp_mgr *mgr;
4739 
4740         BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
4741                hdev->name, le16_to_cpu(ev->handle), ev->phy_handle,
4742                ev->status);
4743 
4744         hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4745         if (!hcon)
4746                 return;
4747 
4748         /* Create AMP hchan */
4749         hchan = hci_chan_create(hcon);
4750         if (!hchan)
4751                 return;
4752 
4753         hchan->handle = le16_to_cpu(ev->handle);
4754 
4755         BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
4756 
4757         mgr = hcon->amp_mgr;
4758         if (mgr && mgr->bredr_chan) {
4759                 struct l2cap_chan *bredr_chan = mgr->bredr_chan;
4760 
4761                 l2cap_chan_lock(bredr_chan);
4762 
4763                 bredr_chan->conn->mtu = hdev->block_mtu;
4764                 l2cap_logical_cfm(bredr_chan, hchan, 0);
4765                 hci_conn_hold(hcon);
4766 
4767                 l2cap_chan_unlock(bredr_chan);
4768         }
4769 }
4770 
4771 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev,
4772                                              struct sk_buff *skb)
4773 {
4774         struct hci_ev_disconn_logical_link_complete *ev = (void *) skb->data;
4775         struct hci_chan *hchan;
4776 
4777         BT_DBG("%s log handle 0x%4.4x status 0x%2.2x", hdev->name,
4778                le16_to_cpu(ev->handle), ev->status);
4779 
4780         if (ev->status)
4781                 return;
4782 
4783         hci_dev_lock(hdev);
4784 
4785         hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
4786         if (!hchan)
4787                 goto unlock;
4788 
4789         amp_destroy_logical_link(hchan, ev->reason);
4790 
4791 unlock:
4792         hci_dev_unlock(hdev);
4793 }
4794 
4795 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev,
4796                                              struct sk_buff *skb)
4797 {
4798         struct hci_ev_disconn_phy_link_complete *ev = (void *) skb->data;
4799         struct hci_conn *hcon;
4800 
4801         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4802 
4803         if (ev->status)
4804                 return;
4805 
4806         hci_dev_lock(hdev);
4807 
4808         hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4809         if (hcon) {
4810                 hcon->state = BT_CLOSED;
4811                 hci_conn_del(hcon);
4812         }
4813 
4814         hci_dev_unlock(hdev);
4815 }
4816 #endif
4817 
4818 static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
4819                         bdaddr_t *bdaddr, u8 bdaddr_type, u8 role, u16 handle,
4820                         u16 interval, u16 latency, u16 supervision_timeout)
4821 {
4822         struct hci_conn_params *params;
4823         struct hci_conn *conn;
4824         struct smp_irk *irk;
4825         u8 addr_type;
4826 
4827         hci_dev_lock(hdev);
4828 
4829         /* All controllers implicitly stop advertising in the event of a
4830          * connection, so ensure that the state bit is cleared.
4831          */
4832         hci_dev_clear_flag(hdev, HCI_LE_ADV);
4833 
4834         conn = hci_lookup_le_connect(hdev);
4835         if (!conn) {
4836                 conn = hci_conn_add(hdev, LE_LINK, bdaddr, role);
4837                 if (!conn) {
4838                         bt_dev_err(hdev, "no memory for new connection");
4839                         goto unlock;
4840                 }
4841 
4842                 conn->dst_type = bdaddr_type;
4843 
4844                 /* If we didn't have a hci_conn object previously
4845                  * but we're in master role this must be something
4846                  * initiated using a white list. Since white list based
4847                  * connections are not "first class citizens" we don't
4848                  * have full tracking of them. Therefore, we go ahead
4849                  * with a "best effort" approach of determining the
4850                  * initiator address based on the HCI_PRIVACY flag.
4851                  */
4852                 if (conn->out) {
4853                         conn->resp_addr_type = bdaddr_type;
4854                         bacpy(&conn->resp_addr, bdaddr);
4855                         if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
4856                                 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
4857                                 bacpy(&conn->init_addr, &hdev->rpa);
4858                         } else {
4859                                 hci_copy_identity_address(hdev,
4860                                                           &conn->init_addr,
4861                                                           &conn->init_addr_type);
4862                         }
4863                 }
4864         } else {
4865                 cancel_delayed_work(&conn->le_conn_timeout);
4866         }
4867 
4868         if (!conn->out) {
4869                 /* Set the responder (our side) address type based on
4870                  * the advertising address type.
4871                  */
4872                 conn->resp_addr_type = hdev->adv_addr_type;
4873                 if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) {
4874                         /* In case of ext adv, resp_addr will be updated in
4875                          * Adv Terminated event.
4876                          */
4877                         if (!ext_adv_capable(hdev))
4878                                 bacpy(&conn->resp_addr, &hdev->random_addr);
4879                 } else {
4880                         bacpy(&conn->resp_addr, &hdev->bdaddr);
4881                 }
4882 
4883                 conn->init_addr_type = bdaddr_type;
4884                 bacpy(&conn->init_addr, bdaddr);
4885 
4886                 /* For incoming connections, set the default minimum
4887                  * and maximum connection interval. They will be used
4888                  * to check if the parameters are in range and if not
4889                  * trigger the connection update procedure.
4890                  */
4891                 conn->le_conn_min_interval = hdev->le_conn_min_interval;
4892                 conn->le_conn_max_interval = hdev->le_conn_max_interval;
4893         }
4894 
4895         /* Lookup the identity address from the stored connection
4896          * address and address type.
4897          *
4898          * When establishing connections to an identity address, the
4899          * connection procedure will store the resolvable random
4900          * address first. Now if it can be converted back into the
4901          * identity address, start using the identity address from
4902          * now on.
4903          */
4904         irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
4905         if (irk) {
4906                 bacpy(&conn->dst, &irk->bdaddr);
4907                 conn->dst_type = irk->addr_type;
4908         }
4909 
4910         if (status) {
4911                 hci_le_conn_failed(conn, status);
4912                 goto unlock;
4913         }
4914 
4915         if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
4916                 addr_type = BDADDR_LE_PUBLIC;
4917         else
4918                 addr_type = BDADDR_LE_RANDOM;
4919 
4920         /* Drop the connection if the device is blocked */
4921         if (hci_bdaddr_list_lookup(&hdev->blacklist, &conn->dst, addr_type)) {
4922                 hci_conn_drop(conn);
4923                 goto unlock;
4924         }
4925 
4926         if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
4927                 mgmt_device_connected(hdev, conn, 0, NULL, 0);
4928 
4929         conn->sec_level = BT_SECURITY_LOW;
4930         conn->handle = handle;
4931         conn->state = BT_CONFIG;
4932 
4933         conn->le_conn_interval = interval;
4934         conn->le_conn_latency = latency;
4935         conn->le_supv_timeout = supervision_timeout;
4936 
4937         hci_debugfs_create_conn(conn);
4938         hci_conn_add_sysfs(conn);
4939 
4940         /* The remote features procedure is defined for master
4941          * role only. So only in case of an initiated connection
4942          * request the remote features.
4943          *
4944          * If the local controller supports slave-initiated features
4945          * exchange, then requesting the remote features in slave
4946          * role is possible. Otherwise just transition into the
4947          * connected state without requesting the remote features.
4948          */
4949         if (conn->out ||
4950             (hdev->le_features[0] & HCI_LE_SLAVE_FEATURES)) {
4951                 struct hci_cp_le_read_remote_features cp;
4952 
4953                 cp.handle = __cpu_to_le16(conn->handle);
4954 
4955                 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,
4956                              sizeof(cp), &cp);
4957 
4958                 hci_conn_hold(conn);
4959         } else {
4960                 conn->state = BT_CONNECTED;
4961                 hci_connect_cfm(conn, status);
4962         }
4963 
4964         params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
4965                                            conn->dst_type);
4966         if (params) {
4967                 list_del_init(&params->action);
4968                 if (params->conn) {
4969                         hci_conn_drop(params->conn);
4970                         hci_conn_put(params->conn);
4971                         params->conn = NULL;
4972                 }
4973         }
4974 
4975 unlock:
4976         hci_update_background_scan(hdev);
4977         hci_dev_unlock(hdev);
4978 }
4979 
4980 static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4981 {
4982         struct hci_ev_le_conn_complete *ev = (void *) skb->data;
4983 
4984         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4985 
4986         le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
4987                              ev->role, le16_to_cpu(ev->handle),
4988                              le16_to_cpu(ev->interval),
4989                              le16_to_cpu(ev->latency),
4990                              le16_to_cpu(ev->supervision_timeout));
4991 }
4992 
4993 static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev,
4994                                          struct sk_buff *skb)
4995 {
4996         struct hci_ev_le_enh_conn_complete *ev = (void *) skb->data;
4997 
4998         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4999 
5000         le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
5001                              ev->role, le16_to_cpu(ev->handle),
5002                              le16_to_cpu(ev->interval),
5003                              le16_to_cpu(ev->latency),
5004                              le16_to_cpu(ev->supervision_timeout));
5005 }
5006 
5007 static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, struct sk_buff *skb)
5008 {
5009         struct hci_evt_le_ext_adv_set_term *ev = (void *) skb->data;
5010         struct hci_conn *conn;
5011 
5012         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5013 
5014         if (ev->status)
5015                 return;
5016 
5017         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle));
5018         if (conn) {
5019                 struct adv_info *adv_instance;
5020 
5021                 if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM)
5022                         return;
5023 
5024                 if (!hdev->cur_adv_instance) {
5025                         bacpy(&conn->resp_addr, &hdev->random_addr);
5026                         return;
5027                 }
5028 
5029                 adv_instance = hci_find_adv_instance(hdev, hdev->cur_adv_instance);
5030                 if (adv_instance)
5031                         bacpy(&conn->resp_addr, &adv_instance->random_addr);
5032         }
5033 }
5034 
5035 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev,
5036                                             struct sk_buff *skb)
5037 {
5038         struct hci_ev_le_conn_update_complete *ev = (void *) skb->data;
5039         struct hci_conn *conn;
5040 
5041         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5042 
5043         if (ev->status)
5044                 return;
5045 
5046         hci_dev_lock(hdev);
5047 
5048         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5049         if (conn) {
5050                 conn->le_conn_interval = le16_to_cpu(ev->interval);
5051                 conn->le_conn_latency = le16_to_cpu(ev->latency);
5052                 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
5053         }
5054 
5055         hci_dev_unlock(hdev);
5056 }
5057 
5058 /* This function requires the caller holds hdev->lock */
5059 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
5060                                               bdaddr_t *addr,
5061                                               u8 addr_type, u8 adv_type,
5062                                               bdaddr_t *direct_rpa)
5063 {
5064         struct hci_conn *conn;
5065         struct hci_conn_params *params;
5066 
5067         /* If the event is not connectable don't proceed further */
5068         if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
5069                 return NULL;
5070 
5071         /* Ignore if the device is blocked */
5072         if (hci_bdaddr_list_lookup(&hdev->blacklist, addr, addr_type))
5073                 return NULL;
5074 
5075         /* Most controller will fail if we try to create new connections
5076          * while we have an existing one in slave role.
5077          */
5078         if (hdev->conn_hash.le_num_slave > 0)
5079                 return NULL;
5080 
5081         /* If we're not connectable only connect devices that we have in
5082          * our pend_le_conns list.
5083          */
5084         params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr,
5085                                            addr_type);
5086         if (!params)
5087                 return NULL;
5088 
5089         if (!params->explicit_connect) {
5090                 switch (params->auto_connect) {
5091                 case HCI_AUTO_CONN_DIRECT:
5092                         /* Only devices advertising with ADV_DIRECT_IND are
5093                          * triggering a connection attempt. This is allowing
5094                          * incoming connections from slave devices.
5095                          */
5096                         if (adv_type != LE_ADV_DIRECT_IND)
5097                                 return NULL;
5098                         break;
5099                 case HCI_AUTO_CONN_ALWAYS:
5100                         /* Devices advertising with ADV_IND or ADV_DIRECT_IND
5101                          * are triggering a connection attempt. This means
5102                          * that incoming connectioms from slave device are
5103                          * accepted and also outgoing connections to slave
5104                          * devices are established when found.
5105                          */
5106                         break;
5107                 default:
5108                         return NULL;
5109                 }
5110         }
5111 
5112         conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW,
5113                               HCI_LE_AUTOCONN_TIMEOUT, HCI_ROLE_MASTER,
5114                               direct_rpa);
5115         if (!IS_ERR(conn)) {
5116                 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
5117                  * by higher layer that tried to connect, if no then
5118                  * store the pointer since we don't really have any
5119                  * other owner of the object besides the params that
5120                  * triggered it. This way we can abort the connection if
5121                  * the parameters get removed and keep the reference
5122                  * count consistent once the connection is established.
5123                  */
5124 
5125                 if (!params->explicit_connect)
5126                         params->conn = hci_conn_get(conn);
5127 
5128                 return conn;
5129         }
5130 
5131         switch (PTR_ERR(conn)) {
5132         case -EBUSY:
5133                 /* If hci_connect() returns -EBUSY it means there is already
5134                  * an LE connection attempt going on. Since controllers don't
5135                  * support more than one connection attempt at the time, we
5136                  * don't consider this an error case.
5137                  */
5138                 break;
5139         default:
5140                 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
5141                 return NULL;
5142         }
5143 
5144         return NULL;
5145 }
5146 
5147 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
5148                                u8 bdaddr_type, bdaddr_t *direct_addr,
5149                                u8 direct_addr_type, s8 rssi, u8 *data, u8 len)
5150 {
5151         struct discovery_state *d = &hdev->discovery;
5152         struct smp_irk *irk;
5153         struct hci_conn *conn;
5154         bool match;
5155         u32 flags;
5156         u8 *ptr, real_len;
5157 
5158         switch (type) {
5159         case LE_ADV_IND:
5160         case LE_ADV_DIRECT_IND:
5161         case LE_ADV_SCAN_IND:
5162         case LE_ADV_NONCONN_IND:
5163         case LE_ADV_SCAN_RSP:
5164                 break;
5165         default:
5166                 bt_dev_err_ratelimited(hdev, "unknown advertising packet "
5167                                        "type: 0x%02x", type);
5168                 return;
5169         }
5170 
5171         /* Find the end of the data in case the report contains padded zero
5172          * bytes at the end causing an invalid length value.
5173          *
5174          * When data is NULL, len is 0 so there is no need for extra ptr
5175          * check as 'ptr < data + 0' is already false in such case.
5176          */
5177         for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) {
5178                 if (ptr + 1 + *ptr > data + len)
5179                         break;
5180         }
5181 
5182         real_len = ptr - data;
5183 
5184         /* Adjust for actual length */
5185         if (len != real_len) {
5186                 bt_dev_err_ratelimited(hdev, "advertising data len corrected");
5187                 len = real_len;
5188         }
5189 
5190         /* If the direct address is present, then this report is from
5191          * a LE Direct Advertising Report event. In that case it is
5192          * important to see if the address is matching the local
5193          * controller address.
5194          */
5195         if (direct_addr) {
5196                 /* Only resolvable random addresses are valid for these
5197                  * kind of reports and others can be ignored.
5198                  */
5199                 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
5200                         return;
5201 
5202                 /* If the controller is not using resolvable random
5203                  * addresses, then this report can be ignored.
5204                  */
5205                 if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
5206                         return;
5207 
5208                 /* If the local IRK of the controller does not match
5209                  * with the resolvable random address provided, then
5210                  * this report can be ignored.
5211                  */
5212                 if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
5213                         return;
5214         }
5215 
5216         /* Check if we need to convert to identity address */
5217         irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
5218         if (irk) {
5219                 bdaddr = &irk->bdaddr;
5220                 bdaddr_type = irk->addr_type;
5221         }
5222 
5223         /* Check if we have been requested to connect to this device.
5224          *
5225          * direct_addr is set only for directed advertising reports (it is NULL
5226          * for advertising reports) and is already verified to be RPA above.
5227          */
5228         conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type,
5229                                                                 direct_addr);
5230         if (conn && type == LE_ADV_IND) {
5231                 /* Store report for later inclusion by
5232                  * mgmt_device_connected
5233                  */
5234                 memcpy(conn->le_adv_data, data, len);
5235                 conn->le_adv_data_len = len;
5236         }
5237 
5238         /* Passive scanning shouldn't trigger any device found events,
5239          * except for devices marked as CONN_REPORT for which we do send
5240          * device found events.
5241          */
5242         if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
5243                 if (type == LE_ADV_DIRECT_IND)
5244                         return;
5245 
5246                 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
5247                                                bdaddr, bdaddr_type))
5248                         return;
5249 
5250                 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
5251                         flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
5252                 else
5253                         flags = 0;
5254                 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
5255                                   rssi, flags, data, len, NULL, 0);
5256                 return;
5257         }
5258 
5259         /* When receiving non-connectable or scannable undirected
5260          * advertising reports, this means that the remote device is
5261          * not connectable and then clearly indicate this in the
5262          * device found event.
5263          *
5264          * When receiving a scan response, then there is no way to
5265          * know if the remote device is connectable or not. However
5266          * since scan responses are merged with a previously seen
5267          * advertising report, the flags field from that report
5268          * will be used.
5269          *
5270          * In the really unlikely case that a controller get confused
5271          * and just sends a scan response event, then it is marked as
5272          * not connectable as well.
5273          */
5274         if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND ||
5275             type == LE_ADV_SCAN_RSP)
5276                 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
5277         else
5278                 flags = 0;
5279 
5280         /* If there's nothing pending either store the data from this
5281          * event or send an immediate device found event if the data
5282          * should not be stored for later.
5283          */
5284         if (!has_pending_adv_report(hdev)) {
5285                 /* If the report will trigger a SCAN_REQ store it for
5286                  * later merging.
5287                  */
5288                 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
5289                         store_pending_adv_report(hdev, bdaddr, bdaddr_type,
5290                                                  rssi, flags, data, len);
5291                         return;
5292                 }
5293 
5294                 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
5295                                   rssi, flags, data, len, NULL, 0);
5296                 return;
5297         }
5298 
5299         /* Check if the pending report is for the same device as the new one */
5300         match = (!bacmp(bdaddr, &d->last_adv_addr) &&
5301                  bdaddr_type == d->last_adv_addr_type);
5302 
5303         /* If the pending data doesn't match this report or this isn't a
5304          * scan response (e.g. we got a duplicate ADV_IND) then force
5305          * sending of the pending data.
5306          */
5307         if (type != LE_ADV_SCAN_RSP || !match) {
5308                 /* Send out whatever is in the cache, but skip duplicates */
5309                 if (!match)
5310                         mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
5311                                           d->last_adv_addr_type, NULL,
5312                                           d->last_adv_rssi, d->last_adv_flags,
5313                                           d->last_adv_data,
5314                                           d->last_adv_data_len, NULL, 0);
5315 
5316                 /* If the new report will trigger a SCAN_REQ store it for
5317                  * later merging.
5318                  */
5319                 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
5320                         store_pending_adv_report(hdev, bdaddr, bdaddr_type,
5321                                                  rssi, flags, data, len);
5322                         return;
5323                 }
5324 
5325                 /* The advertising reports cannot be merged, so clear
5326                  * the pending report and send out a device found event.
5327                  */
5328                 clear_pending_adv_report(hdev);
5329                 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
5330                                   rssi, flags, data, len, NULL, 0);
5331                 return;
5332         }
5333 
5334         /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
5335          * the new event is a SCAN_RSP. We can therefore proceed with
5336          * sending a merged device found event.
5337          */
5338         mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
5339                           d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
5340                           d->last_adv_data, d->last_adv_data_len, data, len);
5341         clear_pending_adv_report(hdev);
5342 }
5343 
5344 static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
5345 {
5346         u8 num_reports = skb->data[0];
5347         void *ptr = &skb->data[1];
5348 
5349         hci_dev_lock(hdev);
5350 
5351         while (num_reports--) {
5352                 struct hci_ev_le_advertising_info *ev = ptr;
5353                 s8 rssi;
5354 
5355                 if (ev->length <= HCI_MAX_AD_LENGTH) {
5356                         rssi = ev->data[ev->length];
5357                         process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
5358                                            ev->bdaddr_type, NULL, 0, rssi,
5359                                            ev->data, ev->length);
5360                 } else {
5361                         bt_dev_err(hdev, "Dropping invalid advertising data");
5362                 }
5363 
5364                 ptr += sizeof(*ev) + ev->length + 1;
5365         }
5366 
5367         hci_dev_unlock(hdev);
5368 }
5369 
5370 static u8 ext_evt_type_to_legacy(u16 evt_type)
5371 {
5372         if (evt_type & LE_EXT_ADV_LEGACY_PDU) {
5373                 switch (evt_type) {
5374                 case LE_LEGACY_ADV_IND:
5375                         return LE_ADV_IND;
5376                 case LE_LEGACY_ADV_DIRECT_IND:
5377                         return LE_ADV_DIRECT_IND;
5378                 case LE_LEGACY_ADV_SCAN_IND:
5379                         return LE_ADV_SCAN_IND;
5380                 case LE_LEGACY_NONCONN_IND:
5381                         return LE_ADV_NONCONN_IND;
5382                 case LE_LEGACY_SCAN_RSP_ADV:
5383                 case LE_LEGACY_SCAN_RSP_ADV_SCAN:
5384                         return LE_ADV_SCAN_RSP;
5385                 }
5386 
5387                 BT_ERR_RATELIMITED("Unknown advertising packet type: 0x%02x",
5388                                    evt_type);
5389 
5390                 return LE_ADV_INVALID;
5391         }
5392 
5393         if (evt_type & LE_EXT_ADV_CONN_IND) {
5394                 if (evt_type & LE_EXT_ADV_DIRECT_IND)
5395                         return LE_ADV_DIRECT_IND;
5396 
5397                 return LE_ADV_IND;
5398         }
5399 
5400         if (evt_type & LE_EXT_ADV_SCAN_RSP)
5401                 return LE_ADV_SCAN_RSP;
5402 
5403         if (evt_type & LE_EXT_ADV_SCAN_IND)
5404                 return LE_ADV_SCAN_IND;
5405 
5406         if (evt_type == LE_EXT_ADV_NON_CONN_IND ||
5407             evt_type & LE_EXT_ADV_DIRECT_IND)
5408                 return LE_ADV_NONCONN_IND;
5409 
5410         BT_ERR_RATELIMITED("Unknown advertising packet type: 0x%02x",
5411                                    evt_type);
5412 
5413         return LE_ADV_INVALID;
5414 }
5415 
5416 static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
5417 {
5418         u8 num_reports = skb->data[0];
5419         void *ptr = &skb->data[1];
5420 
5421         hci_dev_lock(hdev);
5422 
5423         while (num_reports--) {
5424                 struct hci_ev_le_ext_adv_report *ev = ptr;
5425                 u8 legacy_evt_type;
5426                 u16 evt_type;
5427 
5428                 evt_type = __le16_to_cpu(ev->evt_type);
5429                 legacy_evt_type = ext_evt_type_to_legacy(evt_type);
5430                 if (legacy_evt_type != LE_ADV_INVALID) {
5431                         process_adv_report(hdev, legacy_evt_type, &ev->bdaddr,
5432                                            ev->bdaddr_type, NULL, 0, ev->rssi,
5433                                            ev->data, ev->length);
5434                 }
5435 
5436                 ptr += sizeof(*ev) + ev->length + 1;
5437         }
5438 
5439         hci_dev_unlock(hdev);
5440 }
5441 
5442 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev,
5443                                             struct sk_buff *skb)
5444 {
5445         struct hci_ev_le_remote_feat_complete *ev = (void *)skb->data;
5446         struct hci_conn *conn;
5447 
5448         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5449 
5450         hci_dev_lock(hdev);
5451 
5452         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5453         if (conn) {
5454                 if (!ev->status)
5455                         memcpy(conn->features[0], ev->features, 8);
5456 
5457                 if (conn->state == BT_CONFIG) {
5458                         __u8 status;
5459 
5460                         /* If the local controller supports slave-initiated
5461                          * features exchange, but the remote controller does
5462                          * not, then it is possible that the error code 0x1a
5463                          * for unsupported remote feature gets returned.
5464                          *
5465                          * In this specific case, allow the connection to
5466                          * transition into connected state and mark it as
5467                          * successful.
5468                          */
5469                         if ((hdev->le_features[0] & HCI_LE_SLAVE_FEATURES) &&
5470                             !conn->out && ev->status == 0x1a)
5471                                 status = 0x00;
5472                         else
5473                                 status = ev->status;
5474 
5475                         conn->state = BT_CONNECTED;
5476                         hci_connect_cfm(conn, status);
5477                         hci_conn_drop(conn);
5478                 }
5479         }
5480 
5481         hci_dev_unlock(hdev);
5482 }
5483 
5484 static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
5485 {
5486         struct hci_ev_le_ltk_req *ev = (void *) skb->data;
5487         struct hci_cp_le_ltk_reply cp;
5488         struct hci_cp_le_ltk_neg_reply neg;
5489         struct hci_conn *conn;
5490         struct smp_ltk *ltk;
5491 
5492         BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle));
5493 
5494         hci_dev_lock(hdev);
5495 
5496         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5497         if (conn == NULL)
5498                 goto not_found;
5499 
5500         ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
5501         if (!ltk)
5502                 goto not_found;
5503 
5504         if (smp_ltk_is_sc(ltk)) {
5505                 /* With SC both EDiv and Rand are set to zero */
5506                 if (ev->ediv || ev->rand)
5507                         goto not_found;
5508         } else {
5509                 /* For non-SC keys check that EDiv and Rand match */
5510                 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
5511                         goto not_found;
5512         }
5513 
5514         memcpy(cp.ltk, ltk->val, ltk->enc_size);
5515         memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
5516         cp.handle = cpu_to_le16(conn->handle);
5517 
5518         conn->pending_sec_level = smp_ltk_sec_level(ltk);
5519 
5520         conn->enc_key_size = ltk->enc_size;
5521 
5522         hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
5523 
5524         /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
5525          * temporary key used to encrypt a connection following
5526          * pairing. It is used during the Encrypted Session Setup to
5527          * distribute the keys. Later, security can be re-established
5528          * using a distributed LTK.
5529          */
5530         if (ltk->type == SMP_STK) {
5531                 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
5532                 list_del_rcu(&ltk->list);
5533                 kfree_rcu(ltk, rcu);
5534         } else {
5535                 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
5536         }
5537 
5538         hci_dev_unlock(hdev);
5539 
5540         return;
5541 
5542 not_found:
5543         neg.handle = ev->handle;
5544         hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
5545         hci_dev_unlock(hdev);
5546 }
5547 
5548 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
5549                                       u8 reason)
5550 {
5551         struct hci_cp_le_conn_param_req_neg_reply cp;
5552 
5553         cp.handle = cpu_to_le16(handle);
5554         cp.reason = reason;
5555 
5556         hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
5557                      &cp);
5558 }
5559 
5560 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev,
5561                                              struct sk_buff *skb)
5562 {
5563         struct hci_ev_le_remote_conn_param_req *ev = (void *) skb->data;
5564         struct hci_cp_le_conn_param_req_reply cp;
5565         struct hci_conn *hcon;
5566         u16 handle, min, max, latency, timeout;
5567 
5568         handle = le16_to_cpu(ev->handle);
5569         min = le16_to_cpu(ev->interval_min);
5570         max = le16_to_cpu(ev->interval_max);
5571         latency = le16_to_cpu(ev->latency);
5572         timeout = le16_to_cpu(ev->timeout);
5573 
5574         hcon = hci_conn_hash_lookup_handle(hdev, handle);
5575         if (!hcon || hcon->state != BT_CONNECTED)
5576                 return send_conn_param_neg_reply(hdev, handle,
5577                                                  HCI_ERROR_UNKNOWN_CONN_ID);
5578 
5579         if (hci_check_conn_params(min, max, latency, timeout))
5580                 return send_conn_param_neg_reply(hdev, handle,
5581                                                  HCI_ERROR_INVALID_LL_PARAMS);
5582 
5583         if (hcon->role == HCI_ROLE_MASTER) {
5584                 struct hci_conn_params *params;
5585                 u8 store_hint;
5586 
5587                 hci_dev_lock(hdev);
5588 
5589                 params = hci_conn_params_lookup(hdev, &hcon->dst,
5590                                                 hcon->dst_type);
5591                 if (params) {
5592                         params->conn_min_interval = min;
5593                         params->conn_max_interval = max;
5594                         params->conn_latency = latency;
5595                         params->supervision_timeout = timeout;
5596                         store_hint = 0x01;
5597                 } else{
5598                         store_hint = 0x00;
5599                 }
5600 
5601                 hci_dev_unlock(hdev);
5602 
5603                 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
5604                                     store_hint, min, max, latency, timeout);
5605         }
5606 
5607         cp.handle = ev->handle;
5608         cp.interval_min = ev->interval_min;
5609         cp.interval_max = ev->interval_max;
5610         cp.latency = ev->latency;
5611         cp.timeout = ev->timeout;
5612         cp.min_ce_len = 0;
5613         cp.max_ce_len = 0;
5614 
5615         hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
5616 }
5617 
5618 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev,
5619                                          struct sk_buff *skb)
5620 {
5621         u8 num_reports = skb->data[0];
5622         void *ptr = &skb->data[1];
5623 
5624         hci_dev_lock(hdev);
5625 
5626         while (num_reports--) {
5627                 struct hci_ev_le_direct_adv_info *ev = ptr;
5628 
5629                 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
5630                                    ev->bdaddr_type, &ev->direct_addr,
5631                                    ev->direct_addr_type, ev->rssi, NULL, 0);
5632 
5633                 ptr += sizeof(*ev);
5634         }
5635 
5636         hci_dev_unlock(hdev);
5637 }
5638 
5639 static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
5640 {
5641         struct hci_ev_le_meta *le_ev = (void *) skb->data;
5642 
5643         skb_pull(skb, sizeof(*le_ev));
5644 
5645         switch (le_ev->subevent) {
5646         case HCI_EV_LE_CONN_COMPLETE:
5647                 hci_le_conn_complete_evt(hdev, skb);
5648                 break;
5649 
5650         case HCI_EV_LE_CONN_UPDATE_COMPLETE:
5651                 hci_le_conn_update_complete_evt(hdev, skb);
5652                 break;
5653 
5654         case HCI_EV_LE_ADVERTISING_REPORT:
5655                 hci_le_adv_report_evt(hdev, skb);
5656                 break;
5657 
5658         case HCI_EV_LE_REMOTE_FEAT_COMPLETE:
5659                 hci_le_remote_feat_complete_evt(hdev, skb);
5660                 break;
5661 
5662         case HCI_EV_LE_LTK_REQ:
5663                 hci_le_ltk_request_evt(hdev, skb);
5664                 break;
5665 
5666         case HCI_EV_LE_REMOTE_CONN_PARAM_REQ:
5667                 hci_le_remote_conn_param_req_evt(hdev, skb);
5668                 break;
5669 
5670         case HCI_EV_LE_DIRECT_ADV_REPORT:
5671                 hci_le_direct_adv_report_evt(hdev, skb);
5672                 break;
5673 
5674         case HCI_EV_LE_EXT_ADV_REPORT:
5675                 hci_le_ext_adv_report_evt(hdev, skb);
5676                 break;
5677 
5678         case HCI_EV_LE_ENHANCED_CONN_COMPLETE:
5679                 hci_le_enh_conn_complete_evt(hdev, skb);
5680                 break;
5681 
5682         case HCI_EV_LE_EXT_ADV_SET_TERM:
5683                 hci_le_ext_adv_term_evt(hdev, skb);
5684                 break;
5685 
5686         default:
5687                 break;
5688         }
5689 }
5690 
5691 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
5692                                  u8 event, struct sk_buff *skb)
5693 {
5694         struct hci_ev_cmd_complete *ev;
5695         struct hci_event_hdr *hdr;
5696 
5697         if (!skb)
5698                 return false;
5699 
5700         if (skb->len < sizeof(*hdr)) {
5701                 bt_dev_err(hdev, "too short HCI event");
5702                 return false;
5703         }
5704 
5705         hdr = (void *) skb->data;
5706         skb_pull(skb, HCI_EVENT_HDR_SIZE);
5707 
5708         if (event) {
5709                 if (hdr->evt != event)
5710                         return false;
5711                 return true;
5712         }
5713 
5714         /* Check if request ended in Command Status - no way to retreive
5715          * any extra parameters in this case.
5716          */
5717         if (hdr->evt == HCI_EV_CMD_STATUS)
5718                 return false;
5719 
5720         if (hdr->evt != HCI_EV_CMD_COMPLETE) {
5721                 bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)",
5722                            hdr->evt);
5723                 return false;
5724         }
5725 
5726         if (skb->len < sizeof(*ev)) {
5727                 bt_dev_err(hdev, "too short cmd_complete event");
5728                 return false;
5729         }
5730 
5731         ev = (void *) skb->data;
5732         skb_pull(skb, sizeof(*ev));
5733 
5734         if (opcode != __le16_to_cpu(ev->opcode)) {
5735                 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
5736                        __le16_to_cpu(ev->opcode));
5737                 return false;
5738         }
5739 
5740         return true;
5741 }
5742 
5743 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
5744 {
5745         struct hci_event_hdr *hdr = (void *) skb->data;
5746         hci_req_complete_t req_complete = NULL;
5747         hci_req_complete_skb_t req_complete_skb = NULL;
5748         struct sk_buff *orig_skb = NULL;
5749         u8 status = 0, event = hdr->evt, req_evt = 0;
5750         u16 opcode = HCI_OP_NOP;
5751 
5752         if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->hci.req_event == event) {
5753                 struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data;
5754                 opcode = __le16_to_cpu(cmd_hdr->opcode);
5755                 hci_req_cmd_complete(hdev, opcode, status, &req_complete,
5756                                      &req_complete_skb);
5757                 req_evt = event;
5758         }
5759 
5760         /* If it looks like we might end up having to call
5761          * req_complete_skb, store a pristine copy of the skb since the
5762          * various handlers may modify the original one through
5763          * skb_pull() calls, etc.
5764          */
5765         if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
5766             event == HCI_EV_CMD_COMPLETE)
5767                 orig_skb = skb_clone(skb, GFP_KERNEL);
5768 
5769         skb_pull(skb, HCI_EVENT_HDR_SIZE);
5770 
5771         switch (event) {
5772         case HCI_EV_INQUIRY_COMPLETE:
5773                 hci_inquiry_complete_evt(hdev, skb);
5774                 break;
5775 
5776         case HCI_EV_INQUIRY_RESULT:
5777                 hci_inquiry_result_evt(hdev, skb);
5778                 break;
5779 
5780         case HCI_EV_CONN_COMPLETE:
5781                 hci_conn_complete_evt(hdev, skb);
5782                 break;
5783 
5784         case HCI_EV_CONN_REQUEST:
5785                 hci_conn_request_evt(hdev, skb);
5786                 break;
5787 
5788         case HCI_EV_DISCONN_COMPLETE:
5789                 hci_disconn_complete_evt(hdev, skb);
5790                 break;
5791 
5792         case HCI_EV_AUTH_COMPLETE:
5793                 hci_auth_complete_evt(hdev, skb);
5794                 break;
5795 
5796         case HCI_EV_REMOTE_NAME:
5797                 hci_remote_name_evt(hdev, skb);
5798                 break;
5799 
5800         case HCI_EV_ENCRYPT_CHANGE:
5801                 hci_encrypt_change_evt(hdev, skb);
5802                 break;
5803 
5804         case HCI_EV_CHANGE_LINK_KEY_COMPLETE:
5805                 hci_change_link_key_complete_evt(hdev, skb);
5806                 break;
5807 
5808         case HCI_EV_REMOTE_FEATURES:
5809                 hci_remote_features_evt(hdev, skb);
5810                 break;
5811 
5812         case HCI_EV_CMD_COMPLETE:
5813                 hci_cmd_complete_evt(hdev, skb, &opcode, &status,
5814                                      &req_complete, &req_complete_skb);
5815                 break;
5816 
5817         case HCI_EV_CMD_STATUS:
5818                 hci_cmd_status_evt(hdev, skb, &opcode, &status, &req_complete,
5819                                    &req_complete_skb);
5820                 break;
5821 
5822         case HCI_EV_HARDWARE_ERROR:
5823                 hci_hardware_error_evt(hdev, skb);
5824                 break;
5825 
5826         case HCI_EV_ROLE_CHANGE:
5827                 hci_role_change_evt(hdev, skb);
5828                 break;
5829 
5830         case HCI_EV_NUM_COMP_PKTS:
5831                 hci_num_comp_pkts_evt(hdev, skb);
5832                 break;
5833 
5834         case HCI_EV_MODE_CHANGE:
5835                 hci_mode_change_evt(hdev, skb);
5836                 break;
5837 
5838         case HCI_EV_PIN_CODE_REQ:
5839                 hci_pin_code_request_evt(hdev, skb);
5840                 break;
5841 
5842         case HCI_EV_LINK_KEY_REQ:
5843                 hci_link_key_request_evt(hdev, skb);
5844                 break;
5845 
5846         case HCI_EV_LINK_KEY_NOTIFY:
5847                 hci_link_key_notify_evt(hdev, skb);
5848                 break;
5849 
5850         case HCI_EV_CLOCK_OFFSET:
5851                 hci_clock_offset_evt(hdev, skb);
5852                 break;
5853 
5854         case HCI_EV_PKT_TYPE_CHANGE:
5855                 hci_pkt_type_change_evt(hdev, skb);
5856                 break;
5857 
5858         case HCI_EV_PSCAN_REP_MODE:
5859                 hci_pscan_rep_mode_evt(hdev, skb);
5860                 break;
5861 
5862         case HCI_EV_INQUIRY_RESULT_WITH_RSSI:
5863                 hci_inquiry_result_with_rssi_evt(hdev, skb);
5864                 break;
5865 
5866         case HCI_EV_REMOTE_EXT_FEATURES:
5867                 hci_remote_ext_features_evt(hdev, skb);
5868                 break;
5869 
5870         case HCI_EV_SYNC_CONN_COMPLETE:
5871                 hci_sync_conn_complete_evt(hdev, skb);
5872                 break;
5873 
5874         case HCI_EV_EXTENDED_INQUIRY_RESULT:
5875                 hci_extended_inquiry_result_evt(hdev, skb);
5876                 break;
5877 
5878         case HCI_EV_KEY_REFRESH_COMPLETE:
5879                 hci_key_refresh_complete_evt(hdev, skb);
5880                 break;
5881 
5882         case HCI_EV_IO_CAPA_REQUEST:
5883                 hci_io_capa_request_evt(hdev, skb);
5884                 break;
5885 
5886         case HCI_EV_IO_CAPA_REPLY:
5887                 hci_io_capa_reply_evt(hdev, skb);
5888                 break;
5889 
5890         case HCI_EV_USER_CONFIRM_REQUEST:
5891                 hci_user_confirm_request_evt(hdev, skb);
5892                 break;
5893 
5894         case HCI_EV_USER_PASSKEY_REQUEST:
5895                 hci_user_passkey_request_evt(hdev, skb);
5896                 break;
5897 
5898         case HCI_EV_USER_PASSKEY_NOTIFY:
5899                 hci_user_passkey_notify_evt(hdev, skb);
5900                 break;
5901 
5902         case HCI_EV_KEYPRESS_NOTIFY:
5903                 hci_keypress_notify_evt(hdev, skb);
5904                 break;
5905 
5906         case HCI_EV_SIMPLE_PAIR_COMPLETE:
5907                 hci_simple_pair_complete_evt(hdev, skb);
5908                 break;
5909 
5910         case HCI_EV_REMOTE_HOST_FEATURES:
5911                 hci_remote_host_features_evt(hdev, skb);
5912                 break;
5913 
5914         case HCI_EV_LE_META:
5915                 hci_le_meta_evt(hdev, skb);
5916                 break;
5917 
5918         case HCI_EV_REMOTE_OOB_DATA_REQUEST:
5919                 hci_remote_oob_data_request_evt(hdev, skb);
5920                 break;
5921 
5922 #if IS_ENABLED(CONFIG_BT_HS)
5923         case HCI_EV_CHANNEL_SELECTED:
5924                 hci_chan_selected_evt(hdev, skb);
5925                 break;
5926 
5927         case HCI_EV_PHY_LINK_COMPLETE:
5928                 hci_phy_link_complete_evt(hdev, skb);
5929                 break;
5930 
5931         case HCI_EV_LOGICAL_LINK_COMPLETE:
5932                 hci_loglink_complete_evt(hdev, skb);
5933                 break;
5934 
5935         case HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE:
5936                 hci_disconn_loglink_complete_evt(hdev, skb);
5937                 break;
5938 
5939         case HCI_EV_DISCONN_PHY_LINK_COMPLETE:
5940                 hci_disconn_phylink_complete_evt(hdev, skb);
5941                 break;
5942 #endif
5943 
5944         case HCI_EV_NUM_COMP_BLOCKS:
5945                 hci_num_comp_blocks_evt(hdev, skb);
5946                 break;
5947 
5948         default:
5949                 BT_DBG("%s event 0x%2.2x", hdev->name, event);
5950                 break;
5951         }
5952 
5953         if (req_complete) {
5954                 req_complete(hdev, status, opcode);
5955         } else if (req_complete_skb) {
5956                 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {
5957                         kfree_skb(orig_skb);
5958                         orig_skb = NULL;
5959                 }
5960                 req_complete_skb(hdev, status, opcode, orig_skb);
5961         }
5962 
5963         kfree_skb(orig_skb);
5964         kfree_skb(skb);
5965         hdev->stat.evt_rx++;
5966 }
5967 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | Wiki (Japanese) | Wiki (English) | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

osdn.jp