~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/net/bluetooth/hci_event.c

Version: ~ [ linux-5.12-rc7 ] ~ [ linux-5.11.13 ] ~ [ linux-5.10.29 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.111 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.186 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.230 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.266 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.266 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.18.140 ] ~ [ linux-3.16.85 ] ~ [ linux-3.14.79 ] ~ [ linux-3.12.74 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2    BlueZ - Bluetooth protocol stack for Linux
  3    Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
  4 
  5    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
  6 
  7    This program is free software; you can redistribute it and/or modify
  8    it under the terms of the GNU General Public License version 2 as
  9    published by the Free Software Foundation;
 10 
 11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
 12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
 14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
 15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
 16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 19 
 20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
 21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
 22    SOFTWARE IS DISCLAIMED.
 23 */
 24 
 25 /* Bluetooth HCI event handling. */
 26 
 27 #include <asm/unaligned.h>
 28 
 29 #include <net/bluetooth/bluetooth.h>
 30 #include <net/bluetooth/hci_core.h>
 31 #include <net/bluetooth/mgmt.h>
 32 
 33 #include "hci_request.h"
 34 #include "hci_debugfs.h"
 35 #include "a2mp.h"
 36 #include "amp.h"
 37 #include "smp.h"
 38 
 39 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
 40                  "\x00\x00\x00\x00\x00\x00\x00\x00"
 41 
 42 /* Handle HCI Event packets */
 43 
 44 static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb)
 45 {
 46         __u8 status = *((__u8 *) skb->data);
 47 
 48         BT_DBG("%s status 0x%2.2x", hdev->name, status);
 49 
 50         if (status)
 51                 return;
 52 
 53         clear_bit(HCI_INQUIRY, &hdev->flags);
 54         smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
 55         wake_up_bit(&hdev->flags, HCI_INQUIRY);
 56 
 57         hci_dev_lock(hdev);
 58         /* Set discovery state to stopped if we're not doing LE active
 59          * scanning.
 60          */
 61         if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
 62             hdev->le_scan_type != LE_SCAN_ACTIVE)
 63                 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
 64         hci_dev_unlock(hdev);
 65 
 66         hci_conn_check_pending(hdev);
 67 }
 68 
 69 static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
 70 {
 71         __u8 status = *((__u8 *) skb->data);
 72 
 73         BT_DBG("%s status 0x%2.2x", hdev->name, status);
 74 
 75         if (status)
 76                 return;
 77 
 78         hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);
 79 }
 80 
 81 static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
 82 {
 83         __u8 status = *((__u8 *) skb->data);
 84 
 85         BT_DBG("%s status 0x%2.2x", hdev->name, status);
 86 
 87         if (status)
 88                 return;
 89 
 90         hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);
 91 
 92         hci_conn_check_pending(hdev);
 93 }
 94 
 95 static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev,
 96                                           struct sk_buff *skb)
 97 {
 98         BT_DBG("%s", hdev->name);
 99 }
100 
101 static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb)
102 {
103         struct hci_rp_role_discovery *rp = (void *) skb->data;
104         struct hci_conn *conn;
105 
106         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
107 
108         if (rp->status)
109                 return;
110 
111         hci_dev_lock(hdev);
112 
113         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
114         if (conn)
115                 conn->role = rp->role;
116 
117         hci_dev_unlock(hdev);
118 }
119 
120 static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
121 {
122         struct hci_rp_read_link_policy *rp = (void *) skb->data;
123         struct hci_conn *conn;
124 
125         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
126 
127         if (rp->status)
128                 return;
129 
130         hci_dev_lock(hdev);
131 
132         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
133         if (conn)
134                 conn->link_policy = __le16_to_cpu(rp->policy);
135 
136         hci_dev_unlock(hdev);
137 }
138 
139 static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
140 {
141         struct hci_rp_write_link_policy *rp = (void *) skb->data;
142         struct hci_conn *conn;
143         void *sent;
144 
145         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
146 
147         if (rp->status)
148                 return;
149 
150         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
151         if (!sent)
152                 return;
153 
154         hci_dev_lock(hdev);
155 
156         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
157         if (conn)
158                 conn->link_policy = get_unaligned_le16(sent + 2);
159 
160         hci_dev_unlock(hdev);
161 }
162 
163 static void hci_cc_read_def_link_policy(struct hci_dev *hdev,
164                                         struct sk_buff *skb)
165 {
166         struct hci_rp_read_def_link_policy *rp = (void *) skb->data;
167 
168         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
169 
170         if (rp->status)
171                 return;
172 
173         hdev->link_policy = __le16_to_cpu(rp->policy);
174 }
175 
176 static void hci_cc_write_def_link_policy(struct hci_dev *hdev,
177                                          struct sk_buff *skb)
178 {
179         __u8 status = *((__u8 *) skb->data);
180         void *sent;
181 
182         BT_DBG("%s status 0x%2.2x", hdev->name, status);
183 
184         if (status)
185                 return;
186 
187         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
188         if (!sent)
189                 return;
190 
191         hdev->link_policy = get_unaligned_le16(sent);
192 }
193 
194 static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb)
195 {
196         __u8 status = *((__u8 *) skb->data);
197 
198         BT_DBG("%s status 0x%2.2x", hdev->name, status);
199 
200         clear_bit(HCI_RESET, &hdev->flags);
201 
202         if (status)
203                 return;
204 
205         /* Reset all non-persistent flags */
206         hci_dev_clear_volatile_flags(hdev);
207 
208         hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
209 
210         hdev->inq_tx_power = HCI_TX_POWER_INVALID;
211         hdev->adv_tx_power = HCI_TX_POWER_INVALID;
212 
213         memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
214         hdev->adv_data_len = 0;
215 
216         memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
217         hdev->scan_rsp_data_len = 0;
218 
219         hdev->le_scan_type = LE_SCAN_PASSIVE;
220 
221         hdev->ssp_debug_mode = 0;
222 
223         hci_bdaddr_list_clear(&hdev->le_white_list);
224 }
225 
226 static void hci_cc_read_stored_link_key(struct hci_dev *hdev,
227                                         struct sk_buff *skb)
228 {
229         struct hci_rp_read_stored_link_key *rp = (void *)skb->data;
230         struct hci_cp_read_stored_link_key *sent;
231 
232         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
233 
234         sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
235         if (!sent)
236                 return;
237 
238         if (!rp->status && sent->read_all == 0x01) {
239                 hdev->stored_max_keys = rp->max_keys;
240                 hdev->stored_num_keys = rp->num_keys;
241         }
242 }
243 
244 static void hci_cc_delete_stored_link_key(struct hci_dev *hdev,
245                                           struct sk_buff *skb)
246 {
247         struct hci_rp_delete_stored_link_key *rp = (void *)skb->data;
248 
249         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
250 
251         if (rp->status)
252                 return;
253 
254         if (rp->num_keys <= hdev->stored_num_keys)
255                 hdev->stored_num_keys -= rp->num_keys;
256         else
257                 hdev->stored_num_keys = 0;
258 }
259 
260 static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb)
261 {
262         __u8 status = *((__u8 *) skb->data);
263         void *sent;
264 
265         BT_DBG("%s status 0x%2.2x", hdev->name, status);
266 
267         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
268         if (!sent)
269                 return;
270 
271         hci_dev_lock(hdev);
272 
273         if (hci_dev_test_flag(hdev, HCI_MGMT))
274                 mgmt_set_local_name_complete(hdev, sent, status);
275         else if (!status)
276                 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
277 
278         hci_dev_unlock(hdev);
279 }
280 
281 static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)
282 {
283         struct hci_rp_read_local_name *rp = (void *) skb->data;
284 
285         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
286 
287         if (rp->status)
288                 return;
289 
290         if (hci_dev_test_flag(hdev, HCI_SETUP) ||
291             hci_dev_test_flag(hdev, HCI_CONFIG))
292                 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
293 }
294 
295 static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb)
296 {
297         __u8 status = *((__u8 *) skb->data);
298         void *sent;
299 
300         BT_DBG("%s status 0x%2.2x", hdev->name, status);
301 
302         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
303         if (!sent)
304                 return;
305 
306         hci_dev_lock(hdev);
307 
308         if (!status) {
309                 __u8 param = *((__u8 *) sent);
310 
311                 if (param == AUTH_ENABLED)
312                         set_bit(HCI_AUTH, &hdev->flags);
313                 else
314                         clear_bit(HCI_AUTH, &hdev->flags);
315         }
316 
317         if (hci_dev_test_flag(hdev, HCI_MGMT))
318                 mgmt_auth_enable_complete(hdev, status);
319 
320         hci_dev_unlock(hdev);
321 }
322 
323 static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb)
324 {
325         __u8 status = *((__u8 *) skb->data);
326         __u8 param;
327         void *sent;
328 
329         BT_DBG("%s status 0x%2.2x", hdev->name, status);
330 
331         if (status)
332                 return;
333 
334         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
335         if (!sent)
336                 return;
337 
338         param = *((__u8 *) sent);
339 
340         if (param)
341                 set_bit(HCI_ENCRYPT, &hdev->flags);
342         else
343                 clear_bit(HCI_ENCRYPT, &hdev->flags);
344 }
345 
346 static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb)
347 {
348         __u8 status = *((__u8 *) skb->data);
349         __u8 param;
350         void *sent;
351 
352         BT_DBG("%s status 0x%2.2x", hdev->name, status);
353 
354         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
355         if (!sent)
356                 return;
357 
358         param = *((__u8 *) sent);
359 
360         hci_dev_lock(hdev);
361 
362         if (status) {
363                 hdev->discov_timeout = 0;
364                 goto done;
365         }
366 
367         if (param & SCAN_INQUIRY)
368                 set_bit(HCI_ISCAN, &hdev->flags);
369         else
370                 clear_bit(HCI_ISCAN, &hdev->flags);
371 
372         if (param & SCAN_PAGE)
373                 set_bit(HCI_PSCAN, &hdev->flags);
374         else
375                 clear_bit(HCI_PSCAN, &hdev->flags);
376 
377 done:
378         hci_dev_unlock(hdev);
379 }
380 
381 static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
382 {
383         struct hci_rp_read_class_of_dev *rp = (void *) skb->data;
384 
385         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
386 
387         if (rp->status)
388                 return;
389 
390         memcpy(hdev->dev_class, rp->dev_class, 3);
391 
392         BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name,
393                hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]);
394 }
395 
396 static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
397 {
398         __u8 status = *((__u8 *) skb->data);
399         void *sent;
400 
401         BT_DBG("%s status 0x%2.2x", hdev->name, status);
402 
403         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
404         if (!sent)
405                 return;
406 
407         hci_dev_lock(hdev);
408 
409         if (status == 0)
410                 memcpy(hdev->dev_class, sent, 3);
411 
412         if (hci_dev_test_flag(hdev, HCI_MGMT))
413                 mgmt_set_class_of_dev_complete(hdev, sent, status);
414 
415         hci_dev_unlock(hdev);
416 }
417 
418 static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb)
419 {
420         struct hci_rp_read_voice_setting *rp = (void *) skb->data;
421         __u16 setting;
422 
423         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
424 
425         if (rp->status)
426                 return;
427 
428         setting = __le16_to_cpu(rp->voice_setting);
429 
430         if (hdev->voice_setting == setting)
431                 return;
432 
433         hdev->voice_setting = setting;
434 
435         BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
436 
437         if (hdev->notify)
438                 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
439 }
440 
441 static void hci_cc_write_voice_setting(struct hci_dev *hdev,
442                                        struct sk_buff *skb)
443 {
444         __u8 status = *((__u8 *) skb->data);
445         __u16 setting;
446         void *sent;
447 
448         BT_DBG("%s status 0x%2.2x", hdev->name, status);
449 
450         if (status)
451                 return;
452 
453         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
454         if (!sent)
455                 return;
456 
457         setting = get_unaligned_le16(sent);
458 
459         if (hdev->voice_setting == setting)
460                 return;
461 
462         hdev->voice_setting = setting;
463 
464         BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
465 
466         if (hdev->notify)
467                 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
468 }
469 
470 static void hci_cc_read_num_supported_iac(struct hci_dev *hdev,
471                                           struct sk_buff *skb)
472 {
473         struct hci_rp_read_num_supported_iac *rp = (void *) skb->data;
474 
475         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
476 
477         if (rp->status)
478                 return;
479 
480         hdev->num_iac = rp->num_iac;
481 
482         BT_DBG("%s num iac %d", hdev->name, hdev->num_iac);
483 }
484 
485 static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
486 {
487         __u8 status = *((__u8 *) skb->data);
488         struct hci_cp_write_ssp_mode *sent;
489 
490         BT_DBG("%s status 0x%2.2x", hdev->name, status);
491 
492         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
493         if (!sent)
494                 return;
495 
496         hci_dev_lock(hdev);
497 
498         if (!status) {
499                 if (sent->mode)
500                         hdev->features[1][0] |= LMP_HOST_SSP;
501                 else
502                         hdev->features[1][0] &= ~LMP_HOST_SSP;
503         }
504 
505         if (hci_dev_test_flag(hdev, HCI_MGMT))
506                 mgmt_ssp_enable_complete(hdev, sent->mode, status);
507         else if (!status) {
508                 if (sent->mode)
509                         hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
510                 else
511                         hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
512         }
513 
514         hci_dev_unlock(hdev);
515 }
516 
517 static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb)
518 {
519         u8 status = *((u8 *) skb->data);
520         struct hci_cp_write_sc_support *sent;
521 
522         BT_DBG("%s status 0x%2.2x", hdev->name, status);
523 
524         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
525         if (!sent)
526                 return;
527 
528         hci_dev_lock(hdev);
529 
530         if (!status) {
531                 if (sent->support)
532                         hdev->features[1][0] |= LMP_HOST_SC;
533                 else
534                         hdev->features[1][0] &= ~LMP_HOST_SC;
535         }
536 
537         if (!hci_dev_test_flag(hdev, HCI_MGMT) && !status) {
538                 if (sent->support)
539                         hci_dev_set_flag(hdev, HCI_SC_ENABLED);
540                 else
541                         hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
542         }
543 
544         hci_dev_unlock(hdev);
545 }
546 
547 static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb)
548 {
549         struct hci_rp_read_local_version *rp = (void *) skb->data;
550 
551         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
552 
553         if (rp->status)
554                 return;
555 
556         if (hci_dev_test_flag(hdev, HCI_SETUP) ||
557             hci_dev_test_flag(hdev, HCI_CONFIG)) {
558                 hdev->hci_ver = rp->hci_ver;
559                 hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
560                 hdev->lmp_ver = rp->lmp_ver;
561                 hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
562                 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
563         }
564 }
565 
566 static void hci_cc_read_local_commands(struct hci_dev *hdev,
567                                        struct sk_buff *skb)
568 {
569         struct hci_rp_read_local_commands *rp = (void *) skb->data;
570 
571         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
572 
573         if (rp->status)
574                 return;
575 
576         if (hci_dev_test_flag(hdev, HCI_SETUP) ||
577             hci_dev_test_flag(hdev, HCI_CONFIG))
578                 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
579 }
580 
581 static void hci_cc_read_local_features(struct hci_dev *hdev,
582                                        struct sk_buff *skb)
583 {
584         struct hci_rp_read_local_features *rp = (void *) skb->data;
585 
586         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
587 
588         if (rp->status)
589                 return;
590 
591         memcpy(hdev->features, rp->features, 8);
592 
593         /* Adjust default settings according to features
594          * supported by device. */
595 
596         if (hdev->features[0][0] & LMP_3SLOT)
597                 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
598 
599         if (hdev->features[0][0] & LMP_5SLOT)
600                 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
601 
602         if (hdev->features[0][1] & LMP_HV2) {
603                 hdev->pkt_type  |= (HCI_HV2);
604                 hdev->esco_type |= (ESCO_HV2);
605         }
606 
607         if (hdev->features[0][1] & LMP_HV3) {
608                 hdev->pkt_type  |= (HCI_HV3);
609                 hdev->esco_type |= (ESCO_HV3);
610         }
611 
612         if (lmp_esco_capable(hdev))
613                 hdev->esco_type |= (ESCO_EV3);
614 
615         if (hdev->features[0][4] & LMP_EV4)
616                 hdev->esco_type |= (ESCO_EV4);
617 
618         if (hdev->features[0][4] & LMP_EV5)
619                 hdev->esco_type |= (ESCO_EV5);
620 
621         if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
622                 hdev->esco_type |= (ESCO_2EV3);
623 
624         if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
625                 hdev->esco_type |= (ESCO_3EV3);
626 
627         if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
628                 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
629 }
630 
631 static void hci_cc_read_local_ext_features(struct hci_dev *hdev,
632                                            struct sk_buff *skb)
633 {
634         struct hci_rp_read_local_ext_features *rp = (void *) skb->data;
635 
636         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
637 
638         if (rp->status)
639                 return;
640 
641         if (hdev->max_page < rp->max_page)
642                 hdev->max_page = rp->max_page;
643 
644         if (rp->page < HCI_MAX_PAGES)
645                 memcpy(hdev->features[rp->page], rp->features, 8);
646 }
647 
648 static void hci_cc_read_flow_control_mode(struct hci_dev *hdev,
649                                           struct sk_buff *skb)
650 {
651         struct hci_rp_read_flow_control_mode *rp = (void *) skb->data;
652 
653         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
654 
655         if (rp->status)
656                 return;
657 
658         hdev->flow_ctl_mode = rp->mode;
659 }
660 
661 static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)
662 {
663         struct hci_rp_read_buffer_size *rp = (void *) skb->data;
664 
665         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
666 
667         if (rp->status)
668                 return;
669 
670         hdev->acl_mtu  = __le16_to_cpu(rp->acl_mtu);
671         hdev->sco_mtu  = rp->sco_mtu;
672         hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
673         hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
674 
675         if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
676                 hdev->sco_mtu  = 64;
677                 hdev->sco_pkts = 8;
678         }
679 
680         hdev->acl_cnt = hdev->acl_pkts;
681         hdev->sco_cnt = hdev->sco_pkts;
682 
683         BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
684                hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
685 }
686 
687 static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb)
688 {
689         struct hci_rp_read_bd_addr *rp = (void *) skb->data;
690 
691         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
692 
693         if (rp->status)
694                 return;
695 
696         if (test_bit(HCI_INIT, &hdev->flags))
697                 bacpy(&hdev->bdaddr, &rp->bdaddr);
698 
699         if (hci_dev_test_flag(hdev, HCI_SETUP))
700                 bacpy(&hdev->setup_addr, &rp->bdaddr);
701 }
702 
703 static void hci_cc_read_page_scan_activity(struct hci_dev *hdev,
704                                            struct sk_buff *skb)
705 {
706         struct hci_rp_read_page_scan_activity *rp = (void *) skb->data;
707 
708         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
709 
710         if (rp->status)
711                 return;
712 
713         if (test_bit(HCI_INIT, &hdev->flags)) {
714                 hdev->page_scan_interval = __le16_to_cpu(rp->interval);
715                 hdev->page_scan_window = __le16_to_cpu(rp->window);
716         }
717 }
718 
719 static void hci_cc_write_page_scan_activity(struct hci_dev *hdev,
720                                             struct sk_buff *skb)
721 {
722         u8 status = *((u8 *) skb->data);
723         struct hci_cp_write_page_scan_activity *sent;
724 
725         BT_DBG("%s status 0x%2.2x", hdev->name, status);
726 
727         if (status)
728                 return;
729 
730         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
731         if (!sent)
732                 return;
733 
734         hdev->page_scan_interval = __le16_to_cpu(sent->interval);
735         hdev->page_scan_window = __le16_to_cpu(sent->window);
736 }
737 
738 static void hci_cc_read_page_scan_type(struct hci_dev *hdev,
739                                            struct sk_buff *skb)
740 {
741         struct hci_rp_read_page_scan_type *rp = (void *) skb->data;
742 
743         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
744 
745         if (rp->status)
746                 return;
747 
748         if (test_bit(HCI_INIT, &hdev->flags))
749                 hdev->page_scan_type = rp->type;
750 }
751 
752 static void hci_cc_write_page_scan_type(struct hci_dev *hdev,
753                                         struct sk_buff *skb)
754 {
755         u8 status = *((u8 *) skb->data);
756         u8 *type;
757 
758         BT_DBG("%s status 0x%2.2x", hdev->name, status);
759 
760         if (status)
761                 return;
762 
763         type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
764         if (type)
765                 hdev->page_scan_type = *type;
766 }
767 
768 static void hci_cc_read_data_block_size(struct hci_dev *hdev,
769                                         struct sk_buff *skb)
770 {
771         struct hci_rp_read_data_block_size *rp = (void *) skb->data;
772 
773         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
774 
775         if (rp->status)
776                 return;
777 
778         hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
779         hdev->block_len = __le16_to_cpu(rp->block_len);
780         hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
781 
782         hdev->block_cnt = hdev->num_blocks;
783 
784         BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
785                hdev->block_cnt, hdev->block_len);
786 }
787 
788 static void hci_cc_read_clock(struct hci_dev *hdev, struct sk_buff *skb)
789 {
790         struct hci_rp_read_clock *rp = (void *) skb->data;
791         struct hci_cp_read_clock *cp;
792         struct hci_conn *conn;
793 
794         BT_DBG("%s", hdev->name);
795 
796         if (skb->len < sizeof(*rp))
797                 return;
798 
799         if (rp->status)
800                 return;
801 
802         hci_dev_lock(hdev);
803 
804         cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
805         if (!cp)
806                 goto unlock;
807 
808         if (cp->which == 0x00) {
809                 hdev->clock = le32_to_cpu(rp->clock);
810                 goto unlock;
811         }
812 
813         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
814         if (conn) {
815                 conn->clock = le32_to_cpu(rp->clock);
816                 conn->clock_accuracy = le16_to_cpu(rp->accuracy);
817         }
818 
819 unlock:
820         hci_dev_unlock(hdev);
821 }
822 
823 static void hci_cc_read_local_amp_info(struct hci_dev *hdev,
824                                        struct sk_buff *skb)
825 {
826         struct hci_rp_read_local_amp_info *rp = (void *) skb->data;
827 
828         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
829 
830         if (rp->status)
831                 return;
832 
833         hdev->amp_status = rp->amp_status;
834         hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
835         hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
836         hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
837         hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
838         hdev->amp_type = rp->amp_type;
839         hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
840         hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
841         hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
842         hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
843 }
844 
845 static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev,
846                                          struct sk_buff *skb)
847 {
848         struct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data;
849 
850         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
851 
852         if (rp->status)
853                 return;
854 
855         hdev->inq_tx_power = rp->tx_power;
856 }
857 
858 static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb)
859 {
860         struct hci_rp_pin_code_reply *rp = (void *) skb->data;
861         struct hci_cp_pin_code_reply *cp;
862         struct hci_conn *conn;
863 
864         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
865 
866         hci_dev_lock(hdev);
867 
868         if (hci_dev_test_flag(hdev, HCI_MGMT))
869                 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
870 
871         if (rp->status)
872                 goto unlock;
873 
874         cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
875         if (!cp)
876                 goto unlock;
877 
878         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
879         if (conn)
880                 conn->pin_length = cp->pin_len;
881 
882 unlock:
883         hci_dev_unlock(hdev);
884 }
885 
886 static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)
887 {
888         struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data;
889 
890         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
891 
892         hci_dev_lock(hdev);
893 
894         if (hci_dev_test_flag(hdev, HCI_MGMT))
895                 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
896                                                  rp->status);
897 
898         hci_dev_unlock(hdev);
899 }
900 
901 static void hci_cc_le_read_buffer_size(struct hci_dev *hdev,
902                                        struct sk_buff *skb)
903 {
904         struct hci_rp_le_read_buffer_size *rp = (void *) skb->data;
905 
906         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
907 
908         if (rp->status)
909                 return;
910 
911         hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
912         hdev->le_pkts = rp->le_max_pkt;
913 
914         hdev->le_cnt = hdev->le_pkts;
915 
916         BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
917 }
918 
919 static void hci_cc_le_read_local_features(struct hci_dev *hdev,
920                                           struct sk_buff *skb)
921 {
922         struct hci_rp_le_read_local_features *rp = (void *) skb->data;
923 
924         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
925 
926         if (rp->status)
927                 return;
928 
929         memcpy(hdev->le_features, rp->features, 8);
930 }
931 
932 static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev,
933                                         struct sk_buff *skb)
934 {
935         struct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data;
936 
937         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
938 
939         if (rp->status)
940                 return;
941 
942         hdev->adv_tx_power = rp->tx_power;
943 }
944 
945 static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb)
946 {
947         struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
948 
949         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
950 
951         hci_dev_lock(hdev);
952 
953         if (hci_dev_test_flag(hdev, HCI_MGMT))
954                 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
955                                                  rp->status);
956 
957         hci_dev_unlock(hdev);
958 }
959 
960 static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev,
961                                           struct sk_buff *skb)
962 {
963         struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
964 
965         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
966 
967         hci_dev_lock(hdev);
968 
969         if (hci_dev_test_flag(hdev, HCI_MGMT))
970                 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
971                                                      ACL_LINK, 0, rp->status);
972 
973         hci_dev_unlock(hdev);
974 }
975 
976 static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb)
977 {
978         struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
979 
980         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
981 
982         hci_dev_lock(hdev);
983 
984         if (hci_dev_test_flag(hdev, HCI_MGMT))
985                 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
986                                                  0, rp->status);
987 
988         hci_dev_unlock(hdev);
989 }
990 
991 static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev,
992                                           struct sk_buff *skb)
993 {
994         struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
995 
996         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
997 
998         hci_dev_lock(hdev);
999 
1000         if (hci_dev_test_flag(hdev, HCI_MGMT))
1001                 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
1002                                                      ACL_LINK, 0, rp->status);
1003 
1004         hci_dev_unlock(hdev);
1005 }
1006 
1007 static void hci_cc_read_local_oob_data(struct hci_dev *hdev,
1008                                        struct sk_buff *skb)
1009 {
1010         struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
1011 
1012         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1013 }
1014 
1015 static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev,
1016                                            struct sk_buff *skb)
1017 {
1018         struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
1019 
1020         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1021 }
1022 
1023 static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb)
1024 {
1025         __u8 status = *((__u8 *) skb->data);
1026         bdaddr_t *sent;
1027 
1028         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1029 
1030         if (status)
1031                 return;
1032 
1033         sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1034         if (!sent)
1035                 return;
1036 
1037         hci_dev_lock(hdev);
1038 
1039         bacpy(&hdev->random_addr, sent);
1040 
1041         hci_dev_unlock(hdev);
1042 }
1043 
1044 static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb)
1045 {
1046         __u8 *sent, status = *((__u8 *) skb->data);
1047 
1048         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1049 
1050         if (status)
1051                 return;
1052 
1053         sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1054         if (!sent)
1055                 return;
1056 
1057         hci_dev_lock(hdev);
1058 
1059         /* If we're doing connection initiation as peripheral. Set a
1060          * timeout in case something goes wrong.
1061          */
1062         if (*sent) {
1063                 struct hci_conn *conn;
1064 
1065                 hci_dev_set_flag(hdev, HCI_LE_ADV);
1066 
1067                 conn = hci_lookup_le_connect(hdev);
1068                 if (conn)
1069                         queue_delayed_work(hdev->workqueue,
1070                                            &conn->le_conn_timeout,
1071                                            conn->conn_timeout);
1072         } else {
1073                 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1074         }
1075 
1076         hci_dev_unlock(hdev);
1077 }
1078 
1079 static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb)
1080 {
1081         struct hci_cp_le_set_scan_param *cp;
1082         __u8 status = *((__u8 *) skb->data);
1083 
1084         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1085 
1086         if (status)
1087                 return;
1088 
1089         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1090         if (!cp)
1091                 return;
1092 
1093         hci_dev_lock(hdev);
1094 
1095         hdev->le_scan_type = cp->type;
1096 
1097         hci_dev_unlock(hdev);
1098 }
1099 
1100 static bool has_pending_adv_report(struct hci_dev *hdev)
1101 {
1102         struct discovery_state *d = &hdev->discovery;
1103 
1104         return bacmp(&d->last_adv_addr, BDADDR_ANY);
1105 }
1106 
1107 static void clear_pending_adv_report(struct hci_dev *hdev)
1108 {
1109         struct discovery_state *d = &hdev->discovery;
1110 
1111         bacpy(&d->last_adv_addr, BDADDR_ANY);
1112         d->last_adv_data_len = 0;
1113 }
1114 
1115 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1116                                      u8 bdaddr_type, s8 rssi, u32 flags,
1117                                      u8 *data, u8 len)
1118 {
1119         struct discovery_state *d = &hdev->discovery;
1120 
1121         bacpy(&d->last_adv_addr, bdaddr);
1122         d->last_adv_addr_type = bdaddr_type;
1123         d->last_adv_rssi = rssi;
1124         d->last_adv_flags = flags;
1125         memcpy(d->last_adv_data, data, len);
1126         d->last_adv_data_len = len;
1127 }
1128 
1129 static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
1130                                       struct sk_buff *skb)
1131 {
1132         struct hci_cp_le_set_scan_enable *cp;
1133         __u8 status = *((__u8 *) skb->data);
1134 
1135         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1136 
1137         if (status)
1138                 return;
1139 
1140         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1141         if (!cp)
1142                 return;
1143 
1144         hci_dev_lock(hdev);
1145 
1146         switch (cp->enable) {
1147         case LE_SCAN_ENABLE:
1148                 hci_dev_set_flag(hdev, HCI_LE_SCAN);
1149                 if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1150                         clear_pending_adv_report(hdev);
1151                 break;
1152 
1153         case LE_SCAN_DISABLE:
1154                 /* We do this here instead of when setting DISCOVERY_STOPPED
1155                  * since the latter would potentially require waiting for
1156                  * inquiry to stop too.
1157                  */
1158                 if (has_pending_adv_report(hdev)) {
1159                         struct discovery_state *d = &hdev->discovery;
1160 
1161                         mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1162                                           d->last_adv_addr_type, NULL,
1163                                           d->last_adv_rssi, d->last_adv_flags,
1164                                           d->last_adv_data,
1165                                           d->last_adv_data_len, NULL, 0);
1166                 }
1167 
1168                 /* Cancel this timer so that we don't try to disable scanning
1169                  * when it's already disabled.
1170                  */
1171                 cancel_delayed_work(&hdev->le_scan_disable);
1172 
1173                 hci_dev_clear_flag(hdev, HCI_LE_SCAN);
1174 
1175                 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1176                  * interrupted scanning due to a connect request. Mark
1177                  * therefore discovery as stopped. If this was not
1178                  * because of a connect request advertising might have
1179                  * been disabled because of active scanning, so
1180                  * re-enable it again if necessary.
1181                  */
1182                 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))
1183                         hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1184                 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) &&
1185                          hdev->discovery.state == DISCOVERY_FINDING)
1186                         hci_req_reenable_advertising(hdev);
1187 
1188                 break;
1189 
1190         default:
1191                 bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d",
1192                            cp->enable);
1193                 break;
1194         }
1195 
1196         hci_dev_unlock(hdev);
1197 }
1198 
1199 static void hci_cc_le_read_white_list_size(struct hci_dev *hdev,
1200                                            struct sk_buff *skb)
1201 {
1202         struct hci_rp_le_read_white_list_size *rp = (void *) skb->data;
1203 
1204         BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1205 
1206         if (rp->status)
1207                 return;
1208 
1209         hdev->le_white_list_size = rp->size;
1210 }
1211 
1212 static void hci_cc_le_clear_white_list(struct hci_dev *hdev,
1213                                        struct sk_buff *skb)
1214 {
1215         __u8 status = *((__u8 *) skb->data);
1216 
1217         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1218 
1219         if (status)
1220                 return;
1221 
1222         hci_bdaddr_list_clear(&hdev->le_white_list);
1223 }
1224 
1225 static void hci_cc_le_add_to_white_list(struct hci_dev *hdev,
1226                                         struct sk_buff *skb)
1227 {
1228         struct hci_cp_le_add_to_white_list *sent;
1229         __u8 status = *((__u8 *) skb->data);
1230 
1231         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1232 
1233         if (status)
1234                 return;
1235 
1236         sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_WHITE_LIST);
1237         if (!sent)
1238                 return;
1239 
1240         hci_bdaddr_list_add(&hdev->le_white_list, &sent->bdaddr,
1241                            sent->bdaddr_type);
1242 }
1243 
1244 static void hci_cc_le_del_from_white_list(struct hci_dev *hdev,
1245                                           struct sk_buff *skb)
1246 {
1247         struct hci_cp_le_del_from_white_list *sent;
1248         __u8 status = *((__u8 *) skb->data);
1249 
1250         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1251 
1252         if (status)
1253                 return;
1254 
1255         sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_WHITE_LIST);
1256         if (!sent)
1257                 return;
1258 
1259         hci_bdaddr_list_del(&hdev->le_white_list, &sent->bdaddr,
1260                             sent->bdaddr_type);
1261 }
1262 
1263 static void hci_cc_le_read_supported_states(struct hci_dev *hdev,
1264                                             struct sk_buff *skb)
1265 {
1266         struct hci_rp_le_read_supported_states *rp = (void *) skb->data;
1267 
1268         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1269 
1270         if (rp->status)
1271                 return;
1272 
1273         memcpy(hdev->le_states, rp->le_states, 8);
1274 }
1275 
1276 static void hci_cc_le_read_def_data_len(struct hci_dev *hdev,
1277                                         struct sk_buff *skb)
1278 {
1279         struct hci_rp_le_read_def_data_len *rp = (void *) skb->data;
1280 
1281         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1282 
1283         if (rp->status)
1284                 return;
1285 
1286         hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
1287         hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
1288 }
1289 
1290 static void hci_cc_le_write_def_data_len(struct hci_dev *hdev,
1291                                          struct sk_buff *skb)
1292 {
1293         struct hci_cp_le_write_def_data_len *sent;
1294         __u8 status = *((__u8 *) skb->data);
1295 
1296         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1297 
1298         if (status)
1299                 return;
1300 
1301         sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
1302         if (!sent)
1303                 return;
1304 
1305         hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
1306         hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
1307 }
1308 
1309 static void hci_cc_le_read_max_data_len(struct hci_dev *hdev,
1310                                         struct sk_buff *skb)
1311 {
1312         struct hci_rp_le_read_max_data_len *rp = (void *) skb->data;
1313 
1314         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1315 
1316         if (rp->status)
1317                 return;
1318 
1319         hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
1320         hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
1321         hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
1322         hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
1323 }
1324 
1325 static void hci_cc_write_le_host_supported(struct hci_dev *hdev,
1326                                            struct sk_buff *skb)
1327 {
1328         struct hci_cp_write_le_host_supported *sent;
1329         __u8 status = *((__u8 *) skb->data);
1330 
1331         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1332 
1333         if (status)
1334                 return;
1335 
1336         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
1337         if (!sent)
1338                 return;
1339 
1340         hci_dev_lock(hdev);
1341 
1342         if (sent->le) {
1343                 hdev->features[1][0] |= LMP_HOST_LE;
1344                 hci_dev_set_flag(hdev, HCI_LE_ENABLED);
1345         } else {
1346                 hdev->features[1][0] &= ~LMP_HOST_LE;
1347                 hci_dev_clear_flag(hdev, HCI_LE_ENABLED);
1348                 hci_dev_clear_flag(hdev, HCI_ADVERTISING);
1349         }
1350 
1351         if (sent->simul)
1352                 hdev->features[1][0] |= LMP_HOST_LE_BREDR;
1353         else
1354                 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
1355 
1356         hci_dev_unlock(hdev);
1357 }
1358 
1359 static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1360 {
1361         struct hci_cp_le_set_adv_param *cp;
1362         u8 status = *((u8 *) skb->data);
1363 
1364         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1365 
1366         if (status)
1367                 return;
1368 
1369         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
1370         if (!cp)
1371                 return;
1372 
1373         hci_dev_lock(hdev);
1374         hdev->adv_addr_type = cp->own_address_type;
1375         hci_dev_unlock(hdev);
1376 }
1377 
1378 static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb)
1379 {
1380         struct hci_rp_read_rssi *rp = (void *) skb->data;
1381         struct hci_conn *conn;
1382 
1383         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1384 
1385         if (rp->status)
1386                 return;
1387 
1388         hci_dev_lock(hdev);
1389 
1390         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1391         if (conn)
1392                 conn->rssi = rp->rssi;
1393 
1394         hci_dev_unlock(hdev);
1395 }
1396 
1397 static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb)
1398 {
1399         struct hci_cp_read_tx_power *sent;
1400         struct hci_rp_read_tx_power *rp = (void *) skb->data;
1401         struct hci_conn *conn;
1402 
1403         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1404 
1405         if (rp->status)
1406                 return;
1407 
1408         sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
1409         if (!sent)
1410                 return;
1411 
1412         hci_dev_lock(hdev);
1413 
1414         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1415         if (!conn)
1416                 goto unlock;
1417 
1418         switch (sent->type) {
1419         case 0x00:
1420                 conn->tx_power = rp->tx_power;
1421                 break;
1422         case 0x01:
1423                 conn->max_tx_power = rp->tx_power;
1424                 break;
1425         }
1426 
1427 unlock:
1428         hci_dev_unlock(hdev);
1429 }
1430 
1431 static void hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, struct sk_buff *skb)
1432 {
1433         u8 status = *((u8 *) skb->data);
1434         u8 *mode;
1435 
1436         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1437 
1438         if (status)
1439                 return;
1440 
1441         mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);
1442         if (mode)
1443                 hdev->ssp_debug_mode = *mode;
1444 }
1445 
1446 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
1447 {
1448         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1449 
1450         if (status) {
1451                 hci_conn_check_pending(hdev);
1452                 return;
1453         }
1454 
1455         set_bit(HCI_INQUIRY, &hdev->flags);
1456 }
1457 
1458 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
1459 {
1460         struct hci_cp_create_conn *cp;
1461         struct hci_conn *conn;
1462 
1463         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1464 
1465         cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
1466         if (!cp)
1467                 return;
1468 
1469         hci_dev_lock(hdev);
1470 
1471         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1472 
1473         BT_DBG("%s bdaddr %pMR hcon %p", hdev->name, &cp->bdaddr, conn);
1474 
1475         if (status) {
1476                 if (conn && conn->state == BT_CONNECT) {
1477                         if (status != 0x0c || conn->attempt > 2) {
1478                                 conn->state = BT_CLOSED;
1479                                 hci_connect_cfm(conn, status);
1480                                 hci_conn_del(conn);
1481                         } else
1482                                 conn->state = BT_CONNECT2;
1483                 }
1484         } else {
1485                 if (!conn) {
1486                         conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr,
1487                                             HCI_ROLE_MASTER);
1488                         if (!conn)
1489                                 bt_dev_err(hdev, "no memory for new connection");
1490                 }
1491         }
1492 
1493         hci_dev_unlock(hdev);
1494 }
1495 
1496 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
1497 {
1498         struct hci_cp_add_sco *cp;
1499         struct hci_conn *acl, *sco;
1500         __u16 handle;
1501 
1502         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1503 
1504         if (!status)
1505                 return;
1506 
1507         cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
1508         if (!cp)
1509                 return;
1510 
1511         handle = __le16_to_cpu(cp->handle);
1512 
1513         BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1514 
1515         hci_dev_lock(hdev);
1516 
1517         acl = hci_conn_hash_lookup_handle(hdev, handle);
1518         if (acl) {
1519                 sco = acl->link;
1520                 if (sco) {
1521                         sco->state = BT_CLOSED;
1522 
1523                         hci_connect_cfm(sco, status);
1524                         hci_conn_del(sco);
1525                 }
1526         }
1527 
1528         hci_dev_unlock(hdev);
1529 }
1530 
1531 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
1532 {
1533         struct hci_cp_auth_requested *cp;
1534         struct hci_conn *conn;
1535 
1536         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1537 
1538         if (!status)
1539                 return;
1540 
1541         cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
1542         if (!cp)
1543                 return;
1544 
1545         hci_dev_lock(hdev);
1546 
1547         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1548         if (conn) {
1549                 if (conn->state == BT_CONFIG) {
1550                         hci_connect_cfm(conn, status);
1551                         hci_conn_drop(conn);
1552                 }
1553         }
1554 
1555         hci_dev_unlock(hdev);
1556 }
1557 
1558 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
1559 {
1560         struct hci_cp_set_conn_encrypt *cp;
1561         struct hci_conn *conn;
1562 
1563         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1564 
1565         if (!status)
1566                 return;
1567 
1568         cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
1569         if (!cp)
1570                 return;
1571 
1572         hci_dev_lock(hdev);
1573 
1574         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1575         if (conn) {
1576                 if (conn->state == BT_CONFIG) {
1577                         hci_connect_cfm(conn, status);
1578                         hci_conn_drop(conn);
1579                 }
1580         }
1581 
1582         hci_dev_unlock(hdev);
1583 }
1584 
1585 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
1586                                     struct hci_conn *conn)
1587 {
1588         if (conn->state != BT_CONFIG || !conn->out)
1589                 return 0;
1590 
1591         if (conn->pending_sec_level == BT_SECURITY_SDP)
1592                 return 0;
1593 
1594         /* Only request authentication for SSP connections or non-SSP
1595          * devices with sec_level MEDIUM or HIGH or if MITM protection
1596          * is requested.
1597          */
1598         if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
1599             conn->pending_sec_level != BT_SECURITY_FIPS &&
1600             conn->pending_sec_level != BT_SECURITY_HIGH &&
1601             conn->pending_sec_level != BT_SECURITY_MEDIUM)
1602                 return 0;
1603 
1604         return 1;
1605 }
1606 
1607 static int hci_resolve_name(struct hci_dev *hdev,
1608                                    struct inquiry_entry *e)
1609 {
1610         struct hci_cp_remote_name_req cp;
1611 
1612         memset(&cp, 0, sizeof(cp));
1613 
1614         bacpy(&cp.bdaddr, &e->data.bdaddr);
1615         cp.pscan_rep_mode = e->data.pscan_rep_mode;
1616         cp.pscan_mode = e->data.pscan_mode;
1617         cp.clock_offset = e->data.clock_offset;
1618 
1619         return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
1620 }
1621 
1622 static bool hci_resolve_next_name(struct hci_dev *hdev)
1623 {
1624         struct discovery_state *discov = &hdev->discovery;
1625         struct inquiry_entry *e;
1626 
1627         if (list_empty(&discov->resolve))
1628                 return false;
1629 
1630         e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
1631         if (!e)
1632                 return false;
1633 
1634         if (hci_resolve_name(hdev, e) == 0) {
1635                 e->name_state = NAME_PENDING;
1636                 return true;
1637         }
1638 
1639         return false;
1640 }
1641 
1642 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
1643                                    bdaddr_t *bdaddr, u8 *name, u8 name_len)
1644 {
1645         struct discovery_state *discov = &hdev->discovery;
1646         struct inquiry_entry *e;
1647 
1648         /* Update the mgmt connected state if necessary. Be careful with
1649          * conn objects that exist but are not (yet) connected however.
1650          * Only those in BT_CONFIG or BT_CONNECTED states can be
1651          * considered connected.
1652          */
1653         if (conn &&
1654             (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) &&
1655             !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
1656                 mgmt_device_connected(hdev, conn, 0, name, name_len);
1657 
1658         if (discov->state == DISCOVERY_STOPPED)
1659                 return;
1660 
1661         if (discov->state == DISCOVERY_STOPPING)
1662                 goto discov_complete;
1663 
1664         if (discov->state != DISCOVERY_RESOLVING)
1665                 return;
1666 
1667         e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
1668         /* If the device was not found in a list of found devices names of which
1669          * are pending. there is no need to continue resolving a next name as it
1670          * will be done upon receiving another Remote Name Request Complete
1671          * Event */
1672         if (!e)
1673                 return;
1674 
1675         list_del(&e->list);
1676         if (name) {
1677                 e->name_state = NAME_KNOWN;
1678                 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,
1679                                  e->data.rssi, name, name_len);
1680         } else {
1681                 e->name_state = NAME_NOT_KNOWN;
1682         }
1683 
1684         if (hci_resolve_next_name(hdev))
1685                 return;
1686 
1687 discov_complete:
1688         hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1689 }
1690 
1691 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
1692 {
1693         struct hci_cp_remote_name_req *cp;
1694         struct hci_conn *conn;
1695 
1696         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1697 
1698         /* If successful wait for the name req complete event before
1699          * checking for the need to do authentication */
1700         if (!status)
1701                 return;
1702 
1703         cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
1704         if (!cp)
1705                 return;
1706 
1707         hci_dev_lock(hdev);
1708 
1709         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1710 
1711         if (hci_dev_test_flag(hdev, HCI_MGMT))
1712                 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
1713 
1714         if (!conn)
1715                 goto unlock;
1716 
1717         if (!hci_outgoing_auth_needed(hdev, conn))
1718                 goto unlock;
1719 
1720         if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
1721                 struct hci_cp_auth_requested auth_cp;
1722 
1723                 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
1724 
1725                 auth_cp.handle = __cpu_to_le16(conn->handle);
1726                 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
1727                              sizeof(auth_cp), &auth_cp);
1728         }
1729 
1730 unlock:
1731         hci_dev_unlock(hdev);
1732 }
1733 
1734 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
1735 {
1736         struct hci_cp_read_remote_features *cp;
1737         struct hci_conn *conn;
1738 
1739         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1740 
1741         if (!status)
1742                 return;
1743 
1744         cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
1745         if (!cp)
1746                 return;
1747 
1748         hci_dev_lock(hdev);
1749 
1750         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1751         if (conn) {
1752                 if (conn->state == BT_CONFIG) {
1753                         hci_connect_cfm(conn, status);
1754                         hci_conn_drop(conn);
1755                 }
1756         }
1757 
1758         hci_dev_unlock(hdev);
1759 }
1760 
1761 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
1762 {
1763         struct hci_cp_read_remote_ext_features *cp;
1764         struct hci_conn *conn;
1765 
1766         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1767 
1768         if (!status)
1769                 return;
1770 
1771         cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
1772         if (!cp)
1773                 return;
1774 
1775         hci_dev_lock(hdev);
1776 
1777         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1778         if (conn) {
1779                 if (conn->state == BT_CONFIG) {
1780                         hci_connect_cfm(conn, status);
1781                         hci_conn_drop(conn);
1782                 }
1783         }
1784 
1785         hci_dev_unlock(hdev);
1786 }
1787 
1788 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
1789 {
1790         struct hci_cp_setup_sync_conn *cp;
1791         struct hci_conn *acl, *sco;
1792         __u16 handle;
1793 
1794         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1795 
1796         if (!status)
1797                 return;
1798 
1799         cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
1800         if (!cp)
1801                 return;
1802 
1803         handle = __le16_to_cpu(cp->handle);
1804 
1805         BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1806 
1807         hci_dev_lock(hdev);
1808 
1809         acl = hci_conn_hash_lookup_handle(hdev, handle);
1810         if (acl) {
1811                 sco = acl->link;
1812                 if (sco) {
1813                         sco->state = BT_CLOSED;
1814 
1815                         hci_connect_cfm(sco, status);
1816                         hci_conn_del(sco);
1817                 }
1818         }
1819 
1820         hci_dev_unlock(hdev);
1821 }
1822 
1823 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
1824 {
1825         struct hci_cp_sniff_mode *cp;
1826         struct hci_conn *conn;
1827 
1828         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1829 
1830         if (!status)
1831                 return;
1832 
1833         cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
1834         if (!cp)
1835                 return;
1836 
1837         hci_dev_lock(hdev);
1838 
1839         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1840         if (conn) {
1841                 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
1842 
1843                 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
1844                         hci_sco_setup(conn, status);
1845         }
1846 
1847         hci_dev_unlock(hdev);
1848 }
1849 
1850 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
1851 {
1852         struct hci_cp_exit_sniff_mode *cp;
1853         struct hci_conn *conn;
1854 
1855         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1856 
1857         if (!status)
1858                 return;
1859 
1860         cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
1861         if (!cp)
1862                 return;
1863 
1864         hci_dev_lock(hdev);
1865 
1866         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1867         if (conn) {
1868                 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
1869 
1870                 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
1871                         hci_sco_setup(conn, status);
1872         }
1873 
1874         hci_dev_unlock(hdev);
1875 }
1876 
1877 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
1878 {
1879         struct hci_cp_disconnect *cp;
1880         struct hci_conn *conn;
1881 
1882         if (!status)
1883                 return;
1884 
1885         cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
1886         if (!cp)
1887                 return;
1888 
1889         hci_dev_lock(hdev);
1890 
1891         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1892         if (conn)
1893                 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
1894                                        conn->dst_type, status);
1895 
1896         hci_dev_unlock(hdev);
1897 }
1898 
1899 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
1900 {
1901         struct hci_cp_le_create_conn *cp;
1902         struct hci_conn *conn;
1903 
1904         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1905 
1906         /* All connection failure handling is taken care of by the
1907          * hci_le_conn_failed function which is triggered by the HCI
1908          * request completion callbacks used for connecting.
1909          */
1910         if (status)
1911                 return;
1912 
1913         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
1914         if (!cp)
1915                 return;
1916 
1917         hci_dev_lock(hdev);
1918 
1919         conn = hci_conn_hash_lookup_le(hdev, &cp->peer_addr,
1920                                        cp->peer_addr_type);
1921         if (!conn)
1922                 goto unlock;
1923 
1924         /* Store the initiator and responder address information which
1925          * is needed for SMP. These values will not change during the
1926          * lifetime of the connection.
1927          */
1928         conn->init_addr_type = cp->own_address_type;
1929         if (cp->own_address_type == ADDR_LE_DEV_RANDOM)
1930                 bacpy(&conn->init_addr, &hdev->random_addr);
1931         else
1932                 bacpy(&conn->init_addr, &hdev->bdaddr);
1933 
1934         conn->resp_addr_type = cp->peer_addr_type;
1935         bacpy(&conn->resp_addr, &cp->peer_addr);
1936 
1937         /* We don't want the connection attempt to stick around
1938          * indefinitely since LE doesn't have a page timeout concept
1939          * like BR/EDR. Set a timer for any connection that doesn't use
1940          * the white list for connecting.
1941          */
1942         if (cp->filter_policy == HCI_LE_USE_PEER_ADDR)
1943                 queue_delayed_work(conn->hdev->workqueue,
1944                                    &conn->le_conn_timeout,
1945                                    conn->conn_timeout);
1946 
1947 unlock:
1948         hci_dev_unlock(hdev);
1949 }
1950 
1951 static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)
1952 {
1953         struct hci_cp_le_read_remote_features *cp;
1954         struct hci_conn *conn;
1955 
1956         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1957 
1958         if (!status)
1959                 return;
1960 
1961         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);
1962         if (!cp)
1963                 return;
1964 
1965         hci_dev_lock(hdev);
1966 
1967         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1968         if (conn) {
1969                 if (conn->state == BT_CONFIG) {
1970                         hci_connect_cfm(conn, status);
1971                         hci_conn_drop(conn);
1972                 }
1973         }
1974 
1975         hci_dev_unlock(hdev);
1976 }
1977 
1978 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
1979 {
1980         struct hci_cp_le_start_enc *cp;
1981         struct hci_conn *conn;
1982 
1983         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1984 
1985         if (!status)
1986                 return;
1987 
1988         hci_dev_lock(hdev);
1989 
1990         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
1991         if (!cp)
1992                 goto unlock;
1993 
1994         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1995         if (!conn)
1996                 goto unlock;
1997 
1998         if (conn->state != BT_CONNECTED)
1999                 goto unlock;
2000 
2001         hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2002         hci_conn_drop(conn);
2003 
2004 unlock:
2005         hci_dev_unlock(hdev);
2006 }
2007 
2008 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
2009 {
2010         struct hci_cp_switch_role *cp;
2011         struct hci_conn *conn;
2012 
2013         BT_DBG("%s status 0x%2.2x", hdev->name, status);
2014 
2015         if (!status)
2016                 return;
2017 
2018         cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
2019         if (!cp)
2020                 return;
2021 
2022         hci_dev_lock(hdev);
2023 
2024         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2025         if (conn)
2026                 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
2027 
2028         hci_dev_unlock(hdev);
2029 }
2030 
2031 static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2032 {
2033         __u8 status = *((__u8 *) skb->data);
2034         struct discovery_state *discov = &hdev->discovery;
2035         struct inquiry_entry *e;
2036 
2037         BT_DBG("%s status 0x%2.2x", hdev->name, status);
2038 
2039         hci_conn_check_pending(hdev);
2040 
2041         if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
2042                 return;
2043 
2044         smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
2045         wake_up_bit(&hdev->flags, HCI_INQUIRY);
2046 
2047         if (!hci_dev_test_flag(hdev, HCI_MGMT))
2048                 return;
2049 
2050         hci_dev_lock(hdev);
2051 
2052         if (discov->state != DISCOVERY_FINDING)
2053                 goto unlock;
2054 
2055         if (list_empty(&discov->resolve)) {
2056                 /* When BR/EDR inquiry is active and no LE scanning is in
2057                  * progress, then change discovery state to indicate completion.
2058                  *
2059                  * When running LE scanning and BR/EDR inquiry simultaneously
2060                  * and the LE scan already finished, then change the discovery
2061                  * state to indicate completion.
2062                  */
2063                 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2064                     !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2065                         hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2066                 goto unlock;
2067         }
2068 
2069         e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2070         if (e && hci_resolve_name(hdev, e) == 0) {
2071                 e->name_state = NAME_PENDING;
2072                 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
2073         } else {
2074                 /* When BR/EDR inquiry is active and no LE scanning is in
2075                  * progress, then change discovery state to indicate completion.
2076                  *
2077                  * When running LE scanning and BR/EDR inquiry simultaneously
2078                  * and the LE scan already finished, then change the discovery
2079                  * state to indicate completion.
2080                  */
2081                 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2082                     !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2083                         hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2084         }
2085 
2086 unlock:
2087         hci_dev_unlock(hdev);
2088 }
2089 
2090 static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
2091 {
2092         struct inquiry_data data;
2093         struct inquiry_info *info = (void *) (skb->data + 1);
2094         int num_rsp = *((__u8 *) skb->data);
2095 
2096         BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
2097 
2098         if (!num_rsp)
2099                 return;
2100 
2101         if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
2102                 return;
2103 
2104         hci_dev_lock(hdev);
2105 
2106         for (; num_rsp; num_rsp--, info++) {
2107                 u32 flags;
2108 
2109                 bacpy(&data.bdaddr, &info->bdaddr);
2110                 data.pscan_rep_mode     = info->pscan_rep_mode;
2111                 data.pscan_period_mode  = info->pscan_period_mode;
2112                 data.pscan_mode         = info->pscan_mode;
2113                 memcpy(data.dev_class, info->dev_class, 3);
2114                 data.clock_offset       = info->clock_offset;
2115                 data.rssi               = HCI_RSSI_INVALID;
2116                 data.ssp_mode           = 0x00;
2117 
2118                 flags = hci_inquiry_cache_update(hdev, &data, false);
2119 
2120                 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
2121                                   info->dev_class, HCI_RSSI_INVALID,
2122                                   flags, NULL, 0, NULL, 0);
2123         }
2124 
2125         hci_dev_unlock(hdev);
2126 }
2127 
2128 static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2129 {
2130         struct hci_ev_conn_complete *ev = (void *) skb->data;
2131         struct hci_conn *conn;
2132 
2133         BT_DBG("%s", hdev->name);
2134 
2135         hci_dev_lock(hdev);
2136 
2137         conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
2138         if (!conn) {
2139                 if (ev->link_type != SCO_LINK)
2140                         goto unlock;
2141 
2142                 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
2143                 if (!conn)
2144                         goto unlock;
2145 
2146                 conn->type = SCO_LINK;
2147         }
2148 
2149         if (!ev->status) {
2150                 conn->handle = __le16_to_cpu(ev->handle);
2151 
2152                 if (conn->type == ACL_LINK) {
2153                         conn->state = BT_CONFIG;
2154                         hci_conn_hold(conn);
2155 
2156                         if (!conn->out && !hci_conn_ssp_enabled(conn) &&
2157                             !hci_find_link_key(hdev, &ev->bdaddr))
2158                                 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
2159                         else
2160                                 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2161                 } else
2162                         conn->state = BT_CONNECTED;
2163 
2164                 hci_debugfs_create_conn(conn);
2165                 hci_conn_add_sysfs(conn);
2166 
2167                 if (test_bit(HCI_AUTH, &hdev->flags))
2168                         set_bit(HCI_CONN_AUTH, &conn->flags);
2169 
2170                 if (test_bit(HCI_ENCRYPT, &hdev->flags))
2171                         set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2172 
2173                 /* Get remote features */
2174                 if (conn->type == ACL_LINK) {
2175                         struct hci_cp_read_remote_features cp;
2176                         cp.handle = ev->handle;
2177                         hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
2178                                      sizeof(cp), &cp);
2179 
2180                         hci_req_update_scan(hdev);
2181                 }
2182 
2183                 /* Set packet type for incoming connection */
2184                 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
2185                         struct hci_cp_change_conn_ptype cp;
2186                         cp.handle = ev->handle;
2187                         cp.pkt_type = cpu_to_le16(conn->pkt_type);
2188                         hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
2189                                      &cp);
2190                 }
2191         } else {
2192                 conn->state = BT_CLOSED;
2193                 if (conn->type == ACL_LINK)
2194                         mgmt_connect_failed(hdev, &conn->dst, conn->type,
2195                                             conn->dst_type, ev->status);
2196         }
2197 
2198         if (conn->type == ACL_LINK)
2199                 hci_sco_setup(conn, ev->status);
2200 
2201         if (ev->status) {
2202                 hci_connect_cfm(conn, ev->status);
2203                 hci_conn_del(conn);
2204         } else if (ev->link_type != ACL_LINK)
2205                 hci_connect_cfm(conn, ev->status);
2206 
2207 unlock:
2208         hci_dev_unlock(hdev);
2209 
2210         hci_conn_check_pending(hdev);
2211 }
2212 
2213 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
2214 {
2215         struct hci_cp_reject_conn_req cp;
2216 
2217         bacpy(&cp.bdaddr, bdaddr);
2218         cp.reason = HCI_ERROR_REJ_BAD_ADDR;
2219         hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
2220 }
2221 
2222 static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2223 {
2224         struct hci_ev_conn_request *ev = (void *) skb->data;
2225         int mask = hdev->link_mode;
2226         struct inquiry_entry *ie;
2227         struct hci_conn *conn;
2228         __u8 flags = 0;
2229 
2230         BT_DBG("%s bdaddr %pMR type 0x%x", hdev->name, &ev->bdaddr,
2231                ev->link_type);
2232 
2233         mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
2234                                       &flags);
2235 
2236         if (!(mask & HCI_LM_ACCEPT)) {
2237                 hci_reject_conn(hdev, &ev->bdaddr);
2238                 return;
2239         }
2240 
2241         if (hci_bdaddr_list_lookup(&hdev->blacklist, &ev->bdaddr,
2242                                    BDADDR_BREDR)) {
2243                 hci_reject_conn(hdev, &ev->bdaddr);
2244                 return;
2245         }
2246 
2247         /* Require HCI_CONNECTABLE or a whitelist entry to accept the
2248          * connection. These features are only touched through mgmt so
2249          * only do the checks if HCI_MGMT is set.
2250          */
2251         if (hci_dev_test_flag(hdev, HCI_MGMT) &&
2252             !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
2253             !hci_bdaddr_list_lookup(&hdev->whitelist, &ev->bdaddr,
2254                                     BDADDR_BREDR)) {
2255                     hci_reject_conn(hdev, &ev->bdaddr);
2256                     return;
2257         }
2258 
2259         /* Connection accepted */
2260 
2261         hci_dev_lock(hdev);
2262 
2263         ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
2264         if (ie)
2265                 memcpy(ie->data.dev_class, ev->dev_class, 3);
2266 
2267         conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
2268                         &ev->bdaddr);
2269         if (!conn) {
2270                 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,
2271                                     HCI_ROLE_SLAVE);
2272                 if (!conn) {
2273                         bt_dev_err(hdev, "no memory for new connection");
2274                         hci_dev_unlock(hdev);
2275                         return;
2276                 }
2277         }
2278 
2279         memcpy(conn->dev_class, ev->dev_class, 3);
2280 
2281         hci_dev_unlock(hdev);
2282 
2283         if (ev->link_type == ACL_LINK ||
2284             (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
2285                 struct hci_cp_accept_conn_req cp;
2286                 conn->state = BT_CONNECT;
2287 
2288                 bacpy(&cp.bdaddr, &ev->bdaddr);
2289 
2290                 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
2291                         cp.role = 0x00; /* Become master */
2292                 else
2293                         cp.role = 0x01; /* Remain slave */
2294 
2295                 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
2296         } else if (!(flags & HCI_PROTO_DEFER)) {
2297                 struct hci_cp_accept_sync_conn_req cp;
2298                 conn->state = BT_CONNECT;
2299 
2300                 bacpy(&cp.bdaddr, &ev->bdaddr);
2301                 cp.pkt_type = cpu_to_le16(conn->pkt_type);
2302 
2303                 cp.tx_bandwidth   = cpu_to_le32(0x00001f40);
2304                 cp.rx_bandwidth   = cpu_to_le32(0x00001f40);
2305                 cp.max_latency    = cpu_to_le16(0xffff);
2306                 cp.content_format = cpu_to_le16(hdev->voice_setting);
2307                 cp.retrans_effort = 0xff;
2308 
2309                 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
2310                              &cp);
2311         } else {
2312                 conn->state = BT_CONNECT2;
2313                 hci_connect_cfm(conn, 0);
2314         }
2315 }
2316 
2317 static u8 hci_to_mgmt_reason(u8 err)
2318 {
2319         switch (err) {
2320         case HCI_ERROR_CONNECTION_TIMEOUT:
2321                 return MGMT_DEV_DISCONN_TIMEOUT;
2322         case HCI_ERROR_REMOTE_USER_TERM:
2323         case HCI_ERROR_REMOTE_LOW_RESOURCES:
2324         case HCI_ERROR_REMOTE_POWER_OFF:
2325                 return MGMT_DEV_DISCONN_REMOTE;
2326         case HCI_ERROR_LOCAL_HOST_TERM:
2327                 return MGMT_DEV_DISCONN_LOCAL_HOST;
2328         default:
2329                 return MGMT_DEV_DISCONN_UNKNOWN;
2330         }
2331 }
2332 
2333 static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2334 {
2335         struct hci_ev_disconn_complete *ev = (void *) skb->data;
2336         u8 reason;
2337         struct hci_conn_params *params;
2338         struct hci_conn *conn;
2339         bool mgmt_connected;
2340         u8 type;
2341 
2342         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2343 
2344         hci_dev_lock(hdev);
2345 
2346         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2347         if (!conn)
2348                 goto unlock;
2349 
2350         if (ev->status) {
2351                 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2352                                        conn->dst_type, ev->status);
2353                 goto unlock;
2354         }
2355 
2356         conn->state = BT_CLOSED;
2357 
2358         mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2359 
2360         if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags))
2361                 reason = MGMT_DEV_DISCONN_AUTH_FAILURE;
2362         else
2363                 reason = hci_to_mgmt_reason(ev->reason);
2364 
2365         mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2366                                 reason, mgmt_connected);
2367 
2368         if (conn->type == ACL_LINK) {
2369                 if (test_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2370                         hci_remove_link_key(hdev, &conn->dst);
2371 
2372                 hci_req_update_scan(hdev);
2373         }
2374 
2375         params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2376         if (params) {
2377                 switch (params->auto_connect) {
2378                 case HCI_AUTO_CONN_LINK_LOSS:
2379                         if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2380                                 break;
2381                         /* Fall through */
2382 
2383                 case HCI_AUTO_CONN_DIRECT:
2384                 case HCI_AUTO_CONN_ALWAYS:
2385                         list_del_init(&params->action);
2386                         list_add(&params->action, &hdev->pend_le_conns);
2387                         hci_update_background_scan(hdev);
2388                         break;
2389 
2390                 default:
2391                         break;
2392                 }
2393         }
2394 
2395         type = conn->type;
2396 
2397         hci_disconn_cfm(conn, ev->reason);
2398         hci_conn_del(conn);
2399 
2400         /* Re-enable advertising if necessary, since it might
2401          * have been disabled by the connection. From the
2402          * HCI_LE_Set_Advertise_Enable command description in
2403          * the core specification (v4.0):
2404          * "The Controller shall continue advertising until the Host
2405          * issues an LE_Set_Advertise_Enable command with
2406          * Advertising_Enable set to 0x00 (Advertising is disabled)
2407          * or until a connection is created or until the Advertising
2408          * is timed out due to Directed Advertising."
2409          */
2410         if (type == LE_LINK)
2411                 hci_req_reenable_advertising(hdev);
2412 
2413 unlock:
2414         hci_dev_unlock(hdev);
2415 }
2416 
2417 static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2418 {
2419         struct hci_ev_auth_complete *ev = (void *) skb->data;
2420         struct hci_conn *conn;
2421 
2422         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2423 
2424         hci_dev_lock(hdev);
2425 
2426         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2427         if (!conn)
2428                 goto unlock;
2429 
2430         if (!ev->status) {
2431                 clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
2432 
2433                 if (!hci_conn_ssp_enabled(conn) &&
2434                     test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) {
2435                         bt_dev_info(hdev, "re-auth of legacy device is not possible.");
2436                 } else {
2437                         set_bit(HCI_CONN_AUTH, &conn->flags);
2438                         conn->sec_level = conn->pending_sec_level;
2439                 }
2440         } else {
2441                 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
2442                         set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
2443 
2444                 mgmt_auth_failed(conn, ev->status);
2445         }
2446 
2447         clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2448         clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
2449 
2450         if (conn->state == BT_CONFIG) {
2451                 if (!ev->status && hci_conn_ssp_enabled(conn)) {
2452                         struct hci_cp_set_conn_encrypt cp;
2453                         cp.handle  = ev->handle;
2454                         cp.encrypt = 0x01;
2455                         hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2456                                      &cp);
2457                 } else {
2458                         conn->state = BT_CONNECTED;
2459                         hci_connect_cfm(conn, ev->status);
2460                         hci_conn_drop(conn);
2461                 }
2462         } else {
2463                 hci_auth_cfm(conn, ev->status);
2464 
2465                 hci_conn_hold(conn);
2466                 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2467                 hci_conn_drop(conn);
2468         }
2469 
2470         if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2471                 if (!ev->status) {
2472                         struct hci_cp_set_conn_encrypt cp;
2473                         cp.handle  = ev->handle;
2474                         cp.encrypt = 0x01;
2475                         hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2476                                      &cp);
2477                 } else {
2478                         clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2479                         hci_encrypt_cfm(conn, ev->status, 0x00);
2480                 }
2481         }
2482 
2483 unlock:
2484         hci_dev_unlock(hdev);
2485 }
2486 
2487 static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb)
2488 {
2489         struct hci_ev_remote_name *ev = (void *) skb->data;
2490         struct hci_conn *conn;
2491 
2492         BT_DBG("%s", hdev->name);
2493 
2494         hci_conn_check_pending(hdev);
2495 
2496         hci_dev_lock(hdev);
2497 
2498         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2499 
2500         if (!hci_dev_test_flag(hdev, HCI_MGMT))
2501                 goto check_auth;
2502 
2503         if (ev->status == 0)
2504                 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
2505                                        strnlen(ev->name, HCI_MAX_NAME_LENGTH));
2506         else
2507                 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
2508 
2509 check_auth:
2510         if (!conn)
2511                 goto unlock;
2512 
2513         if (!hci_outgoing_auth_needed(hdev, conn))
2514                 goto unlock;
2515 
2516         if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2517                 struct hci_cp_auth_requested cp;
2518 
2519                 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2520 
2521                 cp.handle = __cpu_to_le16(conn->handle);
2522                 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
2523         }
2524 
2525 unlock:
2526         hci_dev_unlock(hdev);
2527 }
2528 
2529 static void read_enc_key_size_complete(struct hci_dev *hdev, u8 status,
2530                                        u16 opcode, struct sk_buff *skb)
2531 {
2532         const struct hci_rp_read_enc_key_size *rp;
2533         struct hci_conn *conn;
2534         u16 handle;
2535 
2536         BT_DBG("%s status 0x%02x", hdev->name, status);
2537 
2538         if (!skb || skb->len < sizeof(*rp)) {
2539                 bt_dev_err(hdev, "invalid read key size response");
2540                 return;
2541         }
2542 
2543         rp = (void *)skb->data;
2544         handle = le16_to_cpu(rp->handle);
2545 
2546         hci_dev_lock(hdev);
2547 
2548         conn = hci_conn_hash_lookup_handle(hdev, handle);
2549         if (!conn)
2550                 goto unlock;
2551 
2552         /* If we fail to read the encryption key size, assume maximum
2553          * (which is the same we do also when this HCI command isn't
2554          * supported.
2555          */
2556         if (rp->status) {
2557                 bt_dev_err(hdev, "failed to read key size for handle %u",
2558                            handle);
2559                 conn->enc_key_size = HCI_LINK_KEY_SIZE;
2560         } else {
2561                 conn->enc_key_size = rp->key_size;
2562         }
2563 
2564         if (conn->state == BT_CONFIG) {
2565                 conn->state = BT_CONNECTED;
2566                 hci_connect_cfm(conn, 0);
2567                 hci_conn_drop(conn);
2568         } else {
2569                 u8 encrypt;
2570 
2571                 if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags))
2572                         encrypt = 0x00;
2573                 else if (test_bit(HCI_CONN_AES_CCM, &conn->flags))
2574                         encrypt = 0x02;
2575                 else
2576                         encrypt = 0x01;
2577 
2578                 hci_encrypt_cfm(conn, 0, encrypt);
2579         }
2580 
2581 unlock:
2582         hci_dev_unlock(hdev);
2583 }
2584 
2585 static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2586 {
2587         struct hci_ev_encrypt_change *ev = (void *) skb->data;
2588         struct hci_conn *conn;
2589 
2590         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2591 
2592         hci_dev_lock(hdev);
2593 
2594         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2595         if (!conn)
2596                 goto unlock;
2597 
2598         if (!ev->status) {
2599                 if (ev->encrypt) {
2600                         /* Encryption implies authentication */
2601                         set_bit(HCI_CONN_AUTH, &conn->flags);
2602                         set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2603                         conn->sec_level = conn->pending_sec_level;
2604 
2605                         /* P-256 authentication key implies FIPS */
2606                         if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
2607                                 set_bit(HCI_CONN_FIPS, &conn->flags);
2608 
2609                         if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
2610                             conn->type == LE_LINK)
2611                                 set_bit(HCI_CONN_AES_CCM, &conn->flags);
2612                 } else {
2613                         clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
2614                         clear_bit(HCI_CONN_AES_CCM, &conn->flags);
2615                 }
2616         }
2617 
2618         /* We should disregard the current RPA and generate a new one
2619          * whenever the encryption procedure fails.
2620          */
2621         if (ev->status && conn->type == LE_LINK)
2622                 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
2623 
2624         clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2625 
2626         if (ev->status && conn->state == BT_CONNECTED) {
2627                 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
2628                         set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
2629 
2630                 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2631                 hci_conn_drop(conn);
2632                 goto unlock;
2633         }
2634 
2635         /* In Secure Connections Only mode, do not allow any connections
2636          * that are not encrypted with AES-CCM using a P-256 authenticated
2637          * combination key.
2638          */
2639         if (hci_dev_test_flag(hdev, HCI_SC_ONLY) &&
2640             (!test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
2641              conn->key_type != HCI_LK_AUTH_COMBINATION_P256)) {
2642                 hci_connect_cfm(conn, HCI_ERROR_AUTH_FAILURE);
2643                 hci_conn_drop(conn);
2644                 goto unlock;
2645         }
2646 
2647         /* Try reading the encryption key size for encrypted ACL links */
2648         if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
2649                 struct hci_cp_read_enc_key_size cp;
2650                 struct hci_request req;
2651 
2652                 /* Only send HCI_Read_Encryption_Key_Size if the
2653                  * controller really supports it. If it doesn't, assume
2654                  * the default size (16).
2655                  */
2656                 if (!(hdev->commands[20] & 0x10)) {
2657                         conn->enc_key_size = HCI_LINK_KEY_SIZE;
2658                         goto notify;
2659                 }
2660 
2661                 hci_req_init(&req, hdev);
2662 
2663                 cp.handle = cpu_to_le16(conn->handle);
2664                 hci_req_add(&req, HCI_OP_READ_ENC_KEY_SIZE, sizeof(cp), &cp);
2665 
2666                 if (hci_req_run_skb(&req, read_enc_key_size_complete)) {
2667                         bt_dev_err(hdev, "sending read key size failed");
2668                         conn->enc_key_size = HCI_LINK_KEY_SIZE;
2669                         goto notify;
2670                 }
2671 
2672                 goto unlock;
2673         }
2674 
2675 notify:
2676         if (conn->state == BT_CONFIG) {
2677                 if (!ev->status)
2678                         conn->state = BT_CONNECTED;
2679 
2680                 hci_connect_cfm(conn, ev->status);
2681                 hci_conn_drop(conn);
2682         } else
2683                 hci_encrypt_cfm(conn, ev->status, ev->encrypt);
2684 
2685 unlock:
2686         hci_dev_unlock(hdev);
2687 }
2688 
2689 static void hci_change_link_key_complete_evt(struct hci_dev *hdev,
2690                                              struct sk_buff *skb)
2691 {
2692         struct hci_ev_change_link_key_complete *ev = (void *) skb->data;
2693         struct hci_conn *conn;
2694 
2695         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2696 
2697         hci_dev_lock(hdev);
2698 
2699         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2700         if (conn) {
2701                 if (!ev->status)
2702                         set_bit(HCI_CONN_SECURE, &conn->flags);
2703 
2704                 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2705 
2706                 hci_key_change_cfm(conn, ev->status);
2707         }
2708 
2709         hci_dev_unlock(hdev);
2710 }
2711 
2712 static void hci_remote_features_evt(struct hci_dev *hdev,
2713                                     struct sk_buff *skb)
2714 {
2715         struct hci_ev_remote_features *ev = (void *) skb->data;
2716         struct hci_conn *conn;
2717 
2718         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2719 
2720         hci_dev_lock(hdev);
2721 
2722         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2723         if (!conn)
2724                 goto unlock;
2725 
2726         if (!ev->status)
2727                 memcpy(conn->features[0], ev->features, 8);
2728 
2729         if (conn->state != BT_CONFIG)
2730                 goto unlock;
2731 
2732         if (!ev->status && lmp_ext_feat_capable(hdev) &&
2733             lmp_ext_feat_capable(conn)) {
2734                 struct hci_cp_read_remote_ext_features cp;
2735                 cp.handle = ev->handle;
2736                 cp.page = 0x01;
2737                 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
2738                              sizeof(cp), &cp);
2739                 goto unlock;
2740         }
2741 
2742         if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
2743                 struct hci_cp_remote_name_req cp;
2744                 memset(&cp, 0, sizeof(cp));
2745                 bacpy(&cp.bdaddr, &conn->dst);
2746                 cp.pscan_rep_mode = 0x02;
2747                 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2748         } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2749                 mgmt_device_connected(hdev, conn, 0, NULL, 0);
2750 
2751         if (!hci_outgoing_auth_needed(hdev, conn)) {
2752                 conn->state = BT_CONNECTED;
2753                 hci_connect_cfm(conn, ev->status);
2754                 hci_conn_drop(conn);
2755         }
2756 
2757 unlock:
2758         hci_dev_unlock(hdev);
2759 }
2760 
2761 static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb,
2762                                  u16 *opcode, u8 *status,
2763                                  hci_req_complete_t *req_complete,
2764                                  hci_req_complete_skb_t *req_complete_skb)
2765 {
2766         struct hci_ev_cmd_complete *ev = (void *) skb->data;
2767 
2768         *opcode = __le16_to_cpu(ev->opcode);
2769         *status = skb->data[sizeof(*ev)];
2770 
2771         skb_pull(skb, sizeof(*ev));
2772 
2773         switch (*opcode) {
2774         case HCI_OP_INQUIRY_CANCEL:
2775                 hci_cc_inquiry_cancel(hdev, skb);
2776                 break;
2777 
2778         case HCI_OP_PERIODIC_INQ:
2779                 hci_cc_periodic_inq(hdev, skb);
2780                 break;
2781 
2782         case HCI_OP_EXIT_PERIODIC_INQ:
2783                 hci_cc_exit_periodic_inq(hdev, skb);
2784                 break;
2785 
2786         case HCI_OP_REMOTE_NAME_REQ_CANCEL:
2787                 hci_cc_remote_name_req_cancel(hdev, skb);
2788                 break;
2789 
2790         case HCI_OP_ROLE_DISCOVERY:
2791                 hci_cc_role_discovery(hdev, skb);
2792                 break;
2793 
2794         case HCI_OP_READ_LINK_POLICY:
2795                 hci_cc_read_link_policy(hdev, skb);
2796                 break;
2797 
2798         case HCI_OP_WRITE_LINK_POLICY:
2799                 hci_cc_write_link_policy(hdev, skb);
2800                 break;
2801 
2802         case HCI_OP_READ_DEF_LINK_POLICY:
2803                 hci_cc_read_def_link_policy(hdev, skb);
2804                 break;
2805 
2806         case HCI_OP_WRITE_DEF_LINK_POLICY:
2807                 hci_cc_write_def_link_policy(hdev, skb);
2808                 break;
2809 
2810         case HCI_OP_RESET:
2811                 hci_cc_reset(hdev, skb);
2812                 break;
2813 
2814         case HCI_OP_READ_STORED_LINK_KEY:
2815                 hci_cc_read_stored_link_key(hdev, skb);
2816                 break;
2817 
2818         case HCI_OP_DELETE_STORED_LINK_KEY:
2819                 hci_cc_delete_stored_link_key(hdev, skb);
2820                 break;
2821 
2822         case HCI_OP_WRITE_LOCAL_NAME:
2823                 hci_cc_write_local_name(hdev, skb);
2824                 break;
2825 
2826         case HCI_OP_READ_LOCAL_NAME:
2827                 hci_cc_read_local_name(hdev, skb);
2828                 break;
2829 
2830         case HCI_OP_WRITE_AUTH_ENABLE:
2831                 hci_cc_write_auth_enable(hdev, skb);
2832                 break;
2833 
2834         case HCI_OP_WRITE_ENCRYPT_MODE:
2835                 hci_cc_write_encrypt_mode(hdev, skb);
2836                 break;
2837 
2838         case HCI_OP_WRITE_SCAN_ENABLE:
2839                 hci_cc_write_scan_enable(hdev, skb);
2840                 break;
2841 
2842         case HCI_OP_READ_CLASS_OF_DEV:
2843                 hci_cc_read_class_of_dev(hdev, skb);
2844                 break;
2845 
2846         case HCI_OP_WRITE_CLASS_OF_DEV:
2847                 hci_cc_write_class_of_dev(hdev, skb);
2848                 break;
2849 
2850         case HCI_OP_READ_VOICE_SETTING:
2851                 hci_cc_read_voice_setting(hdev, skb);
2852                 break;
2853 
2854         case HCI_OP_WRITE_VOICE_SETTING:
2855                 hci_cc_write_voice_setting(hdev, skb);
2856                 break;
2857 
2858         case HCI_OP_READ_NUM_SUPPORTED_IAC:
2859                 hci_cc_read_num_supported_iac(hdev, skb);
2860                 break;
2861 
2862         case HCI_OP_WRITE_SSP_MODE:
2863                 hci_cc_write_ssp_mode(hdev, skb);
2864                 break;
2865 
2866         case HCI_OP_WRITE_SC_SUPPORT:
2867                 hci_cc_write_sc_support(hdev, skb);
2868                 break;
2869 
2870         case HCI_OP_READ_LOCAL_VERSION:
2871                 hci_cc_read_local_version(hdev, skb);
2872                 break;
2873 
2874         case HCI_OP_READ_LOCAL_COMMANDS:
2875                 hci_cc_read_local_commands(hdev, skb);
2876                 break;
2877 
2878         case HCI_OP_READ_LOCAL_FEATURES:
2879                 hci_cc_read_local_features(hdev, skb);
2880                 break;
2881 
2882         case HCI_OP_READ_LOCAL_EXT_FEATURES:
2883                 hci_cc_read_local_ext_features(hdev, skb);
2884                 break;
2885 
2886         case HCI_OP_READ_BUFFER_SIZE:
2887                 hci_cc_read_buffer_size(hdev, skb);
2888                 break;
2889 
2890         case HCI_OP_READ_BD_ADDR:
2891                 hci_cc_read_bd_addr(hdev, skb);
2892                 break;
2893 
2894         case HCI_OP_READ_PAGE_SCAN_ACTIVITY:
2895                 hci_cc_read_page_scan_activity(hdev, skb);
2896                 break;
2897 
2898         case HCI_OP_WRITE_PAGE_SCAN_ACTIVITY:
2899                 hci_cc_write_page_scan_activity(hdev, skb);
2900                 break;
2901 
2902         case HCI_OP_READ_PAGE_SCAN_TYPE:
2903                 hci_cc_read_page_scan_type(hdev, skb);
2904                 break;
2905 
2906         case HCI_OP_WRITE_PAGE_SCAN_TYPE:
2907                 hci_cc_write_page_scan_type(hdev, skb);
2908                 break;
2909 
2910         case HCI_OP_READ_DATA_BLOCK_SIZE:
2911                 hci_cc_read_data_block_size(hdev, skb);
2912                 break;
2913 
2914         case HCI_OP_READ_FLOW_CONTROL_MODE:
2915                 hci_cc_read_flow_control_mode(hdev, skb);
2916                 break;
2917 
2918         case HCI_OP_READ_LOCAL_AMP_INFO:
2919                 hci_cc_read_local_amp_info(hdev, skb);
2920                 break;
2921 
2922         case HCI_OP_READ_CLOCK:
2923                 hci_cc_read_clock(hdev, skb);
2924                 break;
2925 
2926         case HCI_OP_READ_INQ_RSP_TX_POWER:
2927                 hci_cc_read_inq_rsp_tx_power(hdev, skb);
2928                 break;
2929 
2930         case HCI_OP_PIN_CODE_REPLY:
2931                 hci_cc_pin_code_reply(hdev, skb);
2932                 break;
2933 
2934         case HCI_OP_PIN_CODE_NEG_REPLY:
2935                 hci_cc_pin_code_neg_reply(hdev, skb);
2936                 break;
2937 
2938         case HCI_OP_READ_LOCAL_OOB_DATA:
2939                 hci_cc_read_local_oob_data(hdev, skb);
2940                 break;
2941 
2942         case HCI_OP_READ_LOCAL_OOB_EXT_DATA:
2943                 hci_cc_read_local_oob_ext_data(hdev, skb);
2944                 break;
2945 
2946         case HCI_OP_LE_READ_BUFFER_SIZE:
2947                 hci_cc_le_read_buffer_size(hdev, skb);
2948                 break;
2949 
2950         case HCI_OP_LE_READ_LOCAL_FEATURES:
2951                 hci_cc_le_read_local_features(hdev, skb);
2952                 break;
2953 
2954         case HCI_OP_LE_READ_ADV_TX_POWER:
2955                 hci_cc_le_read_adv_tx_power(hdev, skb);
2956                 break;
2957 
2958         case HCI_OP_USER_CONFIRM_REPLY:
2959                 hci_cc_user_confirm_reply(hdev, skb);
2960                 break;
2961 
2962         case HCI_OP_USER_CONFIRM_NEG_REPLY:
2963                 hci_cc_user_confirm_neg_reply(hdev, skb);
2964                 break;
2965 
2966         case HCI_OP_USER_PASSKEY_REPLY:
2967                 hci_cc_user_passkey_reply(hdev, skb);
2968                 break;
2969 
2970         case HCI_OP_USER_PASSKEY_NEG_REPLY:
2971                 hci_cc_user_passkey_neg_reply(hdev, skb);
2972                 break;
2973 
2974         case HCI_OP_LE_SET_RANDOM_ADDR:
2975                 hci_cc_le_set_random_addr(hdev, skb);
2976                 break;
2977 
2978         case HCI_OP_LE_SET_ADV_ENABLE:
2979                 hci_cc_le_set_adv_enable(hdev, skb);
2980                 break;
2981 
2982         case HCI_OP_LE_SET_SCAN_PARAM:
2983                 hci_cc_le_set_scan_param(hdev, skb);
2984                 break;
2985 
2986         case HCI_OP_LE_SET_SCAN_ENABLE:
2987                 hci_cc_le_set_scan_enable(hdev, skb);
2988                 break;
2989 
2990         case HCI_OP_LE_READ_WHITE_LIST_SIZE:
2991                 hci_cc_le_read_white_list_size(hdev, skb);
2992                 break;
2993 
2994         case HCI_OP_LE_CLEAR_WHITE_LIST:
2995                 hci_cc_le_clear_white_list(hdev, skb);
2996                 break;
2997 
2998         case HCI_OP_LE_ADD_TO_WHITE_LIST:
2999                 hci_cc_le_add_to_white_list(hdev, skb);
3000                 break;
3001 
3002         case HCI_OP_LE_DEL_FROM_WHITE_LIST:
3003                 hci_cc_le_del_from_white_list(hdev, skb);
3004                 break;
3005 
3006         case HCI_OP_LE_READ_SUPPORTED_STATES:
3007                 hci_cc_le_read_supported_states(hdev, skb);
3008                 break;
3009 
3010         case HCI_OP_LE_READ_DEF_DATA_LEN:
3011                 hci_cc_le_read_def_data_len(hdev, skb);
3012                 break;
3013 
3014         case HCI_OP_LE_WRITE_DEF_DATA_LEN:
3015                 hci_cc_le_write_def_data_len(hdev, skb);
3016                 break;
3017 
3018         case HCI_OP_LE_READ_MAX_DATA_LEN:
3019                 hci_cc_le_read_max_data_len(hdev, skb);
3020                 break;
3021 
3022         case HCI_OP_WRITE_LE_HOST_SUPPORTED:
3023                 hci_cc_write_le_host_supported(hdev, skb);
3024                 break;
3025 
3026         case HCI_OP_LE_SET_ADV_PARAM:
3027                 hci_cc_set_adv_param(hdev, skb);
3028                 break;
3029 
3030         case HCI_OP_READ_RSSI:
3031                 hci_cc_read_rssi(hdev, skb);
3032                 break;
3033 
3034         case HCI_OP_READ_TX_POWER:
3035                 hci_cc_read_tx_power(hdev, skb);
3036                 break;
3037 
3038         case HCI_OP_WRITE_SSP_DEBUG_MODE:
3039                 hci_cc_write_ssp_debug_mode(hdev, skb);
3040                 break;
3041 
3042         default:
3043                 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3044                 break;
3045         }
3046 
3047         if (*opcode != HCI_OP_NOP)
3048                 cancel_delayed_work(&hdev->cmd_timer);
3049 
3050         if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3051                 atomic_set(&hdev->cmd_cnt, 1);
3052 
3053         hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
3054                              req_complete_skb);
3055 
3056         if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3057                 queue_work(hdev->workqueue, &hdev->cmd_work);
3058 }
3059 
3060 static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb,
3061                                u16 *opcode, u8 *status,
3062                                hci_req_complete_t *req_complete,
3063                                hci_req_complete_skb_t *req_complete_skb)
3064 {
3065         struct hci_ev_cmd_status *ev = (void *) skb->data;
3066 
3067         skb_pull(skb, sizeof(*ev));
3068 
3069         *opcode = __le16_to_cpu(ev->opcode);
3070         *status = ev->status;
3071 
3072         switch (*opcode) {
3073         case HCI_OP_INQUIRY:
3074                 hci_cs_inquiry(hdev, ev->status);
3075                 break;
3076 
3077         case HCI_OP_CREATE_CONN:
3078                 hci_cs_create_conn(hdev, ev->status);
3079                 break;
3080 
3081         case HCI_OP_DISCONNECT:
3082                 hci_cs_disconnect(hdev, ev->status);
3083                 break;
3084 
3085         case HCI_OP_ADD_SCO:
3086                 hci_cs_add_sco(hdev, ev->status);
3087                 break;
3088 
3089         case HCI_OP_AUTH_REQUESTED:
3090                 hci_cs_auth_requested(hdev, ev->status);
3091                 break;
3092 
3093         case HCI_OP_SET_CONN_ENCRYPT:
3094                 hci_cs_set_conn_encrypt(hdev, ev->status);
3095                 break;
3096 
3097         case HCI_OP_REMOTE_NAME_REQ:
3098                 hci_cs_remote_name_req(hdev, ev->status);
3099                 break;
3100 
3101         case HCI_OP_READ_REMOTE_FEATURES:
3102                 hci_cs_read_remote_features(hdev, ev->status);
3103                 break;
3104 
3105         case HCI_OP_READ_REMOTE_EXT_FEATURES:
3106                 hci_cs_read_remote_ext_features(hdev, ev->status);
3107                 break;
3108 
3109         case HCI_OP_SETUP_SYNC_CONN:
3110                 hci_cs_setup_sync_conn(hdev, ev->status);
3111                 break;
3112 
3113         case HCI_OP_SNIFF_MODE:
3114                 hci_cs_sniff_mode(hdev, ev->status);
3115                 break;
3116 
3117         case HCI_OP_EXIT_SNIFF_MODE:
3118                 hci_cs_exit_sniff_mode(hdev, ev->status);
3119                 break;
3120 
3121         case HCI_OP_SWITCH_ROLE:
3122                 hci_cs_switch_role(hdev, ev->status);
3123                 break;
3124 
3125         case HCI_OP_LE_CREATE_CONN:
3126                 hci_cs_le_create_conn(hdev, ev->status);
3127                 break;
3128 
3129         case HCI_OP_LE_READ_REMOTE_FEATURES:
3130                 hci_cs_le_read_remote_features(hdev, ev->status);
3131                 break;
3132 
3133         case HCI_OP_LE_START_ENC:
3134                 hci_cs_le_start_enc(hdev, ev->status);
3135                 break;
3136 
3137         default:
3138                 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
3139                 break;
3140         }
3141 
3142         if (*opcode != HCI_OP_NOP)
3143                 cancel_delayed_work(&hdev->cmd_timer);
3144 
3145         if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags))
3146                 atomic_set(&hdev->cmd_cnt, 1);
3147 
3148         /* Indicate request completion if the command failed. Also, if
3149          * we're not waiting for a special event and we get a success
3150          * command status we should try to flag the request as completed
3151          * (since for this kind of commands there will not be a command
3152          * complete event).
3153          */
3154         if (ev->status ||
3155             (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->hci.req_event))
3156                 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
3157                                      req_complete_skb);
3158 
3159         if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3160                 queue_work(hdev->workqueue, &hdev->cmd_work);
3161 }
3162 
3163 static void hci_hardware_error_evt(struct hci_dev *hdev, struct sk_buff *skb)
3164 {
3165         struct hci_ev_hardware_error *ev = (void *) skb->data;
3166 
3167         hdev->hw_error_code = ev->code;
3168 
3169         queue_work(hdev->req_workqueue, &hdev->error_reset);
3170 }
3171 
3172 static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3173 {
3174         struct hci_ev_role_change *ev = (void *) skb->data;
3175         struct hci_conn *conn;
3176 
3177         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3178 
3179         hci_dev_lock(hdev);
3180 
3181         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3182         if (conn) {
3183                 if (!ev->status)
3184                         conn->role = ev->role;
3185 
3186                 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
3187 
3188                 hci_role_switch_cfm(conn, ev->status, ev->role);
3189         }
3190 
3191         hci_dev_unlock(hdev);
3192 }
3193 
3194 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb)
3195 {
3196         struct hci_ev_num_comp_pkts *ev = (void *) skb->data;
3197         int i;
3198 
3199         if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
3200                 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
3201                 return;
3202         }
3203 
3204         if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
3205             ev->num_hndl * sizeof(struct hci_comp_pkts_info)) {
3206                 BT_DBG("%s bad parameters", hdev->name);
3207                 return;
3208         }
3209 
3210         BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl);
3211 
3212         for (i = 0; i < ev->num_hndl; i++) {
3213                 struct hci_comp_pkts_info *info = &ev->handles[i];
3214                 struct hci_conn *conn;
3215                 __u16  handle, count;
3216 
3217                 handle = __le16_to_cpu(info->handle);
3218                 count  = __le16_to_cpu(info->count);
3219 
3220                 conn = hci_conn_hash_lookup_handle(hdev, handle);
3221                 if (!conn)
3222                         continue;
3223 
3224                 conn->sent -= count;
3225 
3226                 switch (conn->type) {
3227                 case ACL_LINK:
3228                         hdev->acl_cnt += count;
3229                         if (hdev->acl_cnt > hdev->acl_pkts)
3230                                 hdev->acl_cnt = hdev->acl_pkts;
3231                         break;
3232 
3233                 case LE_LINK:
3234                         if (hdev->le_pkts) {
3235                                 hdev->le_cnt += count;
3236                                 if (hdev->le_cnt > hdev->le_pkts)
3237                                         hdev->le_cnt = hdev->le_pkts;
3238                         } else {
3239                                 hdev->acl_cnt += count;
3240                                 if (hdev->acl_cnt > hdev->acl_pkts)
3241                                         hdev->acl_cnt = hdev->acl_pkts;
3242                         }
3243                         break;
3244 
3245                 case SCO_LINK:
3246                         hdev->sco_cnt += count;
3247                         if (hdev->sco_cnt > hdev->sco_pkts)
3248                                 hdev->sco_cnt = hdev->sco_pkts;
3249                         break;
3250 
3251                 default:
3252                         bt_dev_err(hdev, "unknown type %d conn %p",
3253                                    conn->type, conn);
3254                         break;
3255                 }
3256         }
3257 
3258         queue_work(hdev->workqueue, &hdev->tx_work);
3259 }
3260 
3261 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
3262                                                  __u16 handle)
3263 {
3264         struct hci_chan *chan;
3265 
3266         switch (hdev->dev_type) {
3267         case HCI_PRIMARY:
3268                 return hci_conn_hash_lookup_handle(hdev, handle);
3269         case HCI_AMP:
3270                 chan = hci_chan_lookup_handle(hdev, handle);
3271                 if (chan)
3272                         return chan->conn;
3273                 break;
3274         default:
3275                 bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type);
3276                 break;
3277         }
3278 
3279         return NULL;
3280 }
3281 
3282 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb)
3283 {
3284         struct hci_ev_num_comp_blocks *ev = (void *) skb->data;
3285         int i;
3286 
3287         if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
3288                 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
3289                 return;
3290         }
3291 
3292         if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
3293             ev->num_hndl * sizeof(struct hci_comp_blocks_info)) {
3294                 BT_DBG("%s bad parameters", hdev->name);
3295                 return;
3296         }
3297 
3298         BT_DBG("%s num_blocks %d num_hndl %d", hdev->name, ev->num_blocks,
3299                ev->num_hndl);
3300 
3301         for (i = 0; i < ev->num_hndl; i++) {
3302                 struct hci_comp_blocks_info *info = &ev->handles[i];
3303                 struct hci_conn *conn = NULL;
3304                 __u16  handle, block_count;
3305 
3306                 handle = __le16_to_cpu(info->handle);
3307                 block_count = __le16_to_cpu(info->blocks);
3308 
3309                 conn = __hci_conn_lookup_handle(hdev, handle);
3310                 if (!conn)
3311                         continue;
3312 
3313                 conn->sent -= block_count;
3314 
3315                 switch (conn->type) {
3316                 case ACL_LINK:
3317                 case AMP_LINK:
3318                         hdev->block_cnt += block_count;
3319                         if (hdev->block_cnt > hdev->num_blocks)
3320                                 hdev->block_cnt = hdev->num_blocks;
3321                         break;
3322 
3323                 default:
3324                         bt_dev_err(hdev, "unknown type %d conn %p",
3325                                    conn->type, conn);
3326                         break;
3327                 }
3328         }
3329 
3330         queue_work(hdev->workqueue, &hdev->tx_work);
3331 }
3332 
3333 static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3334 {
3335         struct hci_ev_mode_change *ev = (void *) skb->data;
3336         struct hci_conn *conn;
3337 
3338         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3339 
3340         hci_dev_lock(hdev);
3341 
3342         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3343         if (conn) {
3344                 conn->mode = ev->mode;
3345 
3346                 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
3347                                         &conn->flags)) {
3348                         if (conn->mode == HCI_CM_ACTIVE)
3349                                 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3350                         else
3351                                 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3352                 }
3353 
3354                 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
3355                         hci_sco_setup(conn, ev->status);
3356         }
3357 
3358         hci_dev_unlock(hdev);
3359 }
3360 
3361 static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3362 {
3363         struct hci_ev_pin_code_req *ev = (void *) skb->data;
3364         struct hci_conn *conn;
3365 
3366         BT_DBG("%s", hdev->name);
3367 
3368         hci_dev_lock(hdev);
3369 
3370         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3371         if (!conn)
3372                 goto unlock;
3373 
3374         if (conn->state == BT_CONNECTED) {
3375                 hci_conn_hold(conn);
3376                 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3377                 hci_conn_drop(conn);
3378         }
3379 
3380         if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
3381             !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
3382                 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
3383                              sizeof(ev->bdaddr), &ev->bdaddr);
3384         } else if (hci_dev_test_flag(hdev, HCI_MGMT)) {
3385                 u8 secure;
3386 
3387                 if (conn->pending_sec_level == BT_SECURITY_HIGH)
3388                         secure = 1;
3389                 else
3390                         secure = 0;
3391 
3392                 mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
3393         }
3394 
3395 unlock:
3396         hci_dev_unlock(hdev);
3397 }
3398 
3399 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
3400 {
3401         if (key_type == HCI_LK_CHANGED_COMBINATION)
3402                 return;
3403 
3404         conn->pin_length = pin_len;
3405         conn->key_type = key_type;
3406 
3407         switch (key_type) {
3408         case HCI_LK_LOCAL_UNIT:
3409         case HCI_LK_REMOTE_UNIT:
3410         case HCI_LK_DEBUG_COMBINATION:
3411                 return;
3412         case HCI_LK_COMBINATION:
3413                 if (pin_len == 16)
3414                         conn->pending_sec_level = BT_SECURITY_HIGH;
3415                 else
3416                         conn->pending_sec_level = BT_SECURITY_MEDIUM;
3417                 break;
3418         case HCI_LK_UNAUTH_COMBINATION_P192:
3419         case HCI_LK_UNAUTH_COMBINATION_P256:
3420                 conn->pending_sec_level = BT_SECURITY_MEDIUM;
3421                 break;
3422         case HCI_LK_AUTH_COMBINATION_P192:
3423                 conn->pending_sec_level = BT_SECURITY_HIGH;
3424                 break;
3425         case HCI_LK_AUTH_COMBINATION_P256:
3426                 conn->pending_sec_level = BT_SECURITY_FIPS;
3427                 break;
3428         }
3429 }
3430 
3431 static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3432 {
3433         struct hci_ev_link_key_req *ev = (void *) skb->data;
3434         struct hci_cp_link_key_reply cp;
3435         struct hci_conn *conn;
3436         struct link_key *key;
3437 
3438         BT_DBG("%s", hdev->name);
3439 
3440         if (!hci_dev_test_flag(hdev, HCI_MGMT))
3441                 return;
3442 
3443         hci_dev_lock(hdev);
3444 
3445         key = hci_find_link_key(hdev, &ev->bdaddr);
3446         if (!key) {
3447                 BT_DBG("%s link key not found for %pMR", hdev->name,
3448                        &ev->bdaddr);
3449                 goto not_found;
3450         }
3451 
3452         BT_DBG("%s found key type %u for %pMR", hdev->name, key->type,
3453                &ev->bdaddr);
3454 
3455         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3456         if (conn) {
3457                 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3458 
3459                 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
3460                      key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
3461                     conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
3462                         BT_DBG("%s ignoring unauthenticated key", hdev->name);
3463                         goto not_found;
3464                 }
3465 
3466                 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
3467                     (conn->pending_sec_level == BT_SECURITY_HIGH ||
3468                      conn->pending_sec_level == BT_SECURITY_FIPS)) {
3469                         BT_DBG("%s ignoring key unauthenticated for high security",
3470                                hdev->name);
3471                         goto not_found;
3472                 }
3473 
3474                 conn_set_key(conn, key->type, key->pin_len);
3475         }
3476 
3477         bacpy(&cp.bdaddr, &ev->bdaddr);
3478         memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
3479 
3480         hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
3481 
3482         hci_dev_unlock(hdev);
3483 
3484         return;
3485 
3486 not_found:
3487         hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
3488         hci_dev_unlock(hdev);
3489 }
3490 
3491 static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
3492 {
3493         struct hci_ev_link_key_notify *ev = (void *) skb->data;
3494         struct hci_conn *conn;
3495         struct link_key *key;
3496         bool persistent;
3497         u8 pin_len = 0;
3498 
3499         BT_DBG("%s", hdev->name);
3500 
3501         hci_dev_lock(hdev);
3502 
3503         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3504         if (!conn)
3505                 goto unlock;
3506 
3507         hci_conn_hold(conn);
3508         conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3509         hci_conn_drop(conn);
3510 
3511         set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3512         conn_set_key(conn, ev->key_type, conn->pin_length);
3513 
3514         if (!hci_dev_test_flag(hdev, HCI_MGMT))
3515                 goto unlock;
3516 
3517         key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
3518                                 ev->key_type, pin_len, &persistent);
3519         if (!key)
3520                 goto unlock;
3521 
3522         /* Update connection information since adding the key will have
3523          * fixed up the type in the case of changed combination keys.
3524          */
3525         if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
3526                 conn_set_key(conn, key->type, key->pin_len);
3527 
3528         mgmt_new_link_key(hdev, key, persistent);
3529 
3530         /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
3531          * is set. If it's not set simply remove the key from the kernel
3532          * list (we've still notified user space about it but with
3533          * store_hint being 0).
3534          */
3535         if (key->type == HCI_LK_DEBUG_COMBINATION &&
3536             !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {
3537                 list_del_rcu(&key->list);
3538                 kfree_rcu(key, rcu);
3539                 goto unlock;
3540         }
3541 
3542         if (persistent)
3543                 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3544         else
3545                 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3546 
3547 unlock:
3548         hci_dev_unlock(hdev);
3549 }
3550 
3551 static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb)
3552 {
3553         struct hci_ev_clock_offset *ev = (void *) skb->data;
3554         struct hci_conn *conn;
3555 
3556         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3557 
3558         hci_dev_lock(hdev);
3559 
3560         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3561         if (conn && !ev->status) {
3562                 struct inquiry_entry *ie;
3563 
3564                 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
3565                 if (ie) {
3566                         ie->data.clock_offset = ev->clock_offset;
3567                         ie->timestamp = jiffies;
3568                 }
3569         }
3570 
3571         hci_dev_unlock(hdev);
3572 }
3573 
3574 static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3575 {
3576         struct hci_ev_pkt_type_change *ev = (void *) skb->data;
3577         struct hci_conn *conn;
3578 
3579         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3580 
3581         hci_dev_lock(hdev);
3582 
3583         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3584         if (conn && !ev->status)
3585                 conn->pkt_type = __le16_to_cpu(ev->pkt_type);
3586 
3587         hci_dev_unlock(hdev);
3588 }
3589 
3590 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb)
3591 {
3592         struct hci_ev_pscan_rep_mode *ev = (void *) skb->data;
3593         struct inquiry_entry *ie;
3594 
3595         BT_DBG("%s", hdev->name);
3596 
3597         hci_dev_lock(hdev);
3598 
3599         ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3600         if (ie) {
3601                 ie->data.pscan_rep_mode = ev->pscan_rep_mode;
3602                 ie->timestamp = jiffies;
3603         }
3604 
3605         hci_dev_unlock(hdev);
3606 }
3607 
3608 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev,
3609                                              struct sk_buff *skb)
3610 {
3611         struct inquiry_data data;
3612         int num_rsp = *((__u8 *) skb->data);
3613 
3614         BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
3615 
3616         if (!num_rsp)
3617                 return;
3618 
3619         if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3620                 return;
3621 
3622         hci_dev_lock(hdev);
3623 
3624         if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
3625                 struct inquiry_info_with_rssi_and_pscan_mode *info;
3626                 info = (void *) (skb->data + 1);
3627 
3628                 for (; num_rsp; num_rsp--, info++) {
3629                         u32 flags;
3630 
3631                         bacpy(&data.bdaddr, &info->bdaddr);
3632                         data.pscan_rep_mode     = info->pscan_rep_mode;
3633                         data.pscan_period_mode  = info->pscan_period_mode;
3634                         data.pscan_mode         = info->pscan_mode;
3635                         memcpy(data.dev_class, info->dev_class, 3);
3636                         data.clock_offset       = info->clock_offset;
3637                         data.rssi               = info->rssi;
3638                         data.ssp_mode           = 0x00;
3639 
3640                         flags = hci_inquiry_cache_update(hdev, &data, false);
3641 
3642                         mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3643                                           info->dev_class, info->rssi,
3644                                           flags, NULL, 0, NULL, 0);
3645                 }
3646         } else {
3647                 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
3648 
3649                 for (; num_rsp; num_rsp--, info++) {
3650                         u32 flags;
3651 
3652                         bacpy(&data.bdaddr, &info->bdaddr);
3653                         data.pscan_rep_mode     = info->pscan_rep_mode;
3654                         data.pscan_period_mode  = info->pscan_period_mode;
3655                         data.pscan_mode         = 0x00;
3656                         memcpy(data.dev_class, info->dev_class, 3);
3657                         data.clock_offset       = info->clock_offset;
3658                         data.rssi               = info->rssi;
3659                         data.ssp_mode           = 0x00;
3660 
3661                         flags = hci_inquiry_cache_update(hdev, &data, false);
3662 
3663                         mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3664                                           info->dev_class, info->rssi,
3665                                           flags, NULL, 0, NULL, 0);
3666                 }
3667         }
3668 
3669         hci_dev_unlock(hdev);
3670 }
3671 
3672 static void hci_remote_ext_features_evt(struct hci_dev *hdev,
3673                                         struct sk_buff *skb)
3674 {
3675         struct hci_ev_remote_ext_features *ev = (void *) skb->data;
3676         struct hci_conn *conn;
3677 
3678         BT_DBG("%s", hdev->name);
3679 
3680         hci_dev_lock(hdev);
3681 
3682         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3683         if (!conn)
3684                 goto unlock;
3685 
3686         if (ev->page < HCI_MAX_PAGES)
3687                 memcpy(conn->features[ev->page], ev->features, 8);
3688 
3689         if (!ev->status && ev->page == 0x01) {
3690                 struct inquiry_entry *ie;
3691 
3692                 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
3693                 if (ie)
3694                         ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
3695 
3696                 if (ev->features[0] & LMP_HOST_SSP) {
3697                         set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
3698                 } else {
3699                         /* It is mandatory by the Bluetooth specification that
3700                          * Extended Inquiry Results are only used when Secure
3701                          * Simple Pairing is enabled, but some devices violate
3702                          * this.
3703                          *
3704                          * To make these devices work, the internal SSP
3705                          * enabled flag needs to be cleared if the remote host
3706                          * features do not indicate SSP support */
3707                         clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
3708                 }
3709 
3710                 if (ev->features[0] & LMP_HOST_SC)
3711                         set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
3712         }
3713 
3714         if (conn->state != BT_CONFIG)
3715                 goto unlock;
3716 
3717         if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3718                 struct hci_cp_remote_name_req cp;
3719                 memset(&cp, 0, sizeof(cp));
3720                 bacpy(&cp.bdaddr, &conn->dst);
3721                 cp.pscan_rep_mode = 0x02;
3722                 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3723         } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3724                 mgmt_device_connected(hdev, conn, 0, NULL, 0);
3725 
3726         if (!hci_outgoing_auth_needed(hdev, conn)) {
3727                 conn->state = BT_CONNECTED;
3728                 hci_connect_cfm(conn, ev->status);
3729                 hci_conn_drop(conn);
3730         }
3731 
3732 unlock:
3733         hci_dev_unlock(hdev);
3734 }
3735 
3736 static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
3737                                        struct sk_buff *skb)
3738 {
3739         struct hci_ev_sync_conn_complete *ev = (void *) skb->data;
3740         struct hci_conn *conn;
3741 
3742         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3743 
3744         hci_dev_lock(hdev);
3745 
3746         conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
3747         if (!conn) {
3748                 if (ev->link_type == ESCO_LINK)
3749                         goto unlock;
3750 
3751                 /* When the link type in the event indicates SCO connection
3752                  * and lookup of the connection object fails, then check
3753                  * if an eSCO connection object exists.
3754                  *
3755                  * The core limits the synchronous connections to either
3756                  * SCO or eSCO. The eSCO connection is preferred and tried
3757                  * to be setup first and until successfully established,
3758                  * the link type will be hinted as eSCO.
3759                  */
3760                 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
3761                 if (!conn)
3762                         goto unlock;
3763         }
3764 
3765         switch (ev->status) {
3766         case 0x00:
3767                 conn->handle = __le16_to_cpu(ev->handle);
3768                 conn->state  = BT_CONNECTED;
3769                 conn->type   = ev->link_type;
3770 
3771                 hci_debugfs_create_conn(conn);
3772                 hci_conn_add_sysfs(conn);
3773                 break;
3774 
3775         case 0x10:      /* Connection Accept Timeout */
3776         case 0x0d:      /* Connection Rejected due to Limited Resources */
3777         case 0x11:      /* Unsupported Feature or Parameter Value */
3778         case 0x1c:      /* SCO interval rejected */
3779         case 0x1a:      /* Unsupported Remote Feature */
3780         case 0x1f:      /* Unspecified error */
3781         case 0x20:      /* Unsupported LMP Parameter value */
3782                 if (conn->out) {
3783                         conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
3784                                         (hdev->esco_type & EDR_ESCO_MASK);
3785                         if (hci_setup_sync(conn, conn->link->handle))
3786                                 goto unlock;
3787                 }
3788                 /* fall through */
3789 
3790         default:
3791                 conn->state = BT_CLOSED;
3792                 break;
3793         }
3794 
3795         hci_connect_cfm(conn, ev->status);
3796         if (ev->status)
3797                 hci_conn_del(conn);
3798 
3799 unlock:
3800         hci_dev_unlock(hdev);
3801 }
3802 
3803 static inline size_t eir_get_length(u8 *eir, size_t eir_len)
3804 {
3805         size_t parsed = 0;
3806 
3807         while (parsed < eir_len) {
3808                 u8 field_len = eir[0];
3809 
3810                 if (field_len == 0)
3811                         return parsed;
3812 
3813                 parsed += field_len + 1;
3814                 eir += field_len + 1;
3815         }
3816 
3817         return eir_len;
3818 }
3819 
3820 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev,
3821                                             struct sk_buff *skb)
3822 {
3823         struct inquiry_data data;
3824         struct extended_inquiry_info *info = (void *) (skb->data + 1);
3825         int num_rsp = *((__u8 *) skb->data);
3826         size_t eir_len;
3827 
3828         BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
3829 
3830         if (!num_rsp)
3831                 return;
3832 
3833         if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3834                 return;
3835 
3836         hci_dev_lock(hdev);
3837 
3838         for (; num_rsp; num_rsp--, info++) {
3839                 u32 flags;
3840                 bool name_known;
3841 
3842                 bacpy(&data.bdaddr, &info->bdaddr);
3843                 data.pscan_rep_mode     = info->pscan_rep_mode;
3844                 data.pscan_period_mode  = info->pscan_period_mode;
3845                 data.pscan_mode         = 0x00;
3846                 memcpy(data.dev_class, info->dev_class, 3);
3847                 data.clock_offset       = info->clock_offset;
3848                 data.rssi               = info->rssi;
3849                 data.ssp_mode           = 0x01;
3850 
3851                 if (hci_dev_test_flag(hdev, HCI_MGMT))
3852                         name_known = eir_get_data(info->data,
3853                                                   sizeof(info->data),
3854                                                   EIR_NAME_COMPLETE, NULL);
3855                 else
3856                         name_known = true;
3857 
3858                 flags = hci_inquiry_cache_update(hdev, &data, name_known);
3859 
3860                 eir_len = eir_get_length(info->data, sizeof(info->data));
3861 
3862                 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3863                                   info->dev_class, info->rssi,
3864                                   flags, info->data, eir_len, NULL, 0);
3865         }
3866 
3867         hci_dev_unlock(hdev);
3868 }
3869 
3870 static void hci_key_refresh_complete_evt(struct hci_dev *hdev,
3871                                          struct sk_buff *skb)
3872 {
3873         struct hci_ev_key_refresh_complete *ev = (void *) skb->data;
3874         struct hci_conn *conn;
3875 
3876         BT_DBG("%s status 0x%2.2x handle 0x%4.4x", hdev->name, ev->status,
3877                __le16_to_cpu(ev->handle));
3878 
3879         hci_dev_lock(hdev);
3880 
3881         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3882         if (!conn)
3883                 goto unlock;
3884 
3885         /* For BR/EDR the necessary steps are taken through the
3886          * auth_complete event.
3887          */
3888         if (conn->type != LE_LINK)
3889                 goto unlock;
3890 
3891         if (!ev->status)
3892                 conn->sec_level = conn->pending_sec_level;
3893 
3894         clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3895 
3896         if (ev->status && conn->state == BT_CONNECTED) {
3897                 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3898                 hci_conn_drop(conn);
3899                 goto unlock;
3900         }
3901 
3902         if (conn->state == BT_CONFIG) {
3903                 if (!ev->status)
3904                         conn->state = BT_CONNECTED;
3905 
3906                 hci_connect_cfm(conn, ev->status);
3907                 hci_conn_drop(conn);
3908         } else {
3909                 hci_auth_cfm(conn, ev->status);
3910 
3911                 hci_conn_hold(conn);
3912                 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3913                 hci_conn_drop(conn);
3914         }
3915 
3916 unlock:
3917         hci_dev_unlock(hdev);
3918 }
3919 
3920 static u8 hci_get_auth_req(struct hci_conn *conn)
3921 {
3922         /* If remote requests no-bonding follow that lead */
3923         if (conn->remote_auth == HCI_AT_NO_BONDING ||
3924             conn->remote_auth == HCI_AT_NO_BONDING_MITM)
3925                 return conn->remote_auth | (conn->auth_type & 0x01);
3926 
3927         /* If both remote and local have enough IO capabilities, require
3928          * MITM protection
3929          */
3930         if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
3931             conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
3932                 return conn->remote_auth | 0x01;
3933 
3934         /* No MITM protection possible so ignore remote requirement */
3935         return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
3936 }
3937 
3938 static u8 bredr_oob_data_present(struct hci_conn *conn)
3939 {
3940         struct hci_dev *hdev = conn->hdev;
3941         struct oob_data *data;
3942 
3943         data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
3944         if (!data)
3945                 return 0x00;
3946 
3947         if (bredr_sc_enabled(hdev)) {
3948                 /* When Secure Connections is enabled, then just
3949                  * return the present value stored with the OOB
3950                  * data. The stored value contains the right present
3951                  * information. However it can only be trusted when
3952                  * not in Secure Connection Only mode.
3953                  */
3954                 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY))
3955                         return data->present;
3956 
3957                 /* When Secure Connections Only mode is enabled, then
3958                  * the P-256 values are required. If they are not
3959                  * available, then do not declare that OOB data is
3960                  * present.
3961                  */
3962                 if (!memcmp(data->rand256, ZERO_KEY, 16) ||
3963                     !memcmp(data->hash256, ZERO_KEY, 16))
3964                         return 0x00;
3965 
3966                 return 0x02;
3967         }
3968 
3969         /* When Secure Connections is not enabled or actually
3970          * not supported by the hardware, then check that if
3971          * P-192 data values are present.
3972          */
3973         if (!memcmp(data->rand192, ZERO_KEY, 16) ||
3974             !memcmp(data->hash192, ZERO_KEY, 16))
3975                 return 0x00;
3976 
3977         return 0x01;
3978 }
3979 
3980 static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3981 {
3982         struct hci_ev_io_capa_request *ev = (void *) skb->data;
3983         struct hci_conn *conn;
3984 
3985         BT_DBG("%s", hdev->name);
3986 
3987         hci_dev_lock(hdev);
3988 
3989         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3990         if (!conn)
3991                 goto unlock;
3992 
3993         hci_conn_hold(conn);
3994 
3995         if (!hci_dev_test_flag(hdev, HCI_MGMT))
3996                 goto unlock;
3997 
3998         /* Allow pairing if we're pairable, the initiators of the
3999          * pairing or if the remote is not requesting bonding.
4000          */
4001         if (hci_dev_test_flag(hdev, HCI_BONDABLE) ||
4002             test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
4003             (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
4004                 struct hci_cp_io_capability_reply cp;
4005 
4006                 bacpy(&cp.bdaddr, &ev->bdaddr);
4007                 /* Change the IO capability from KeyboardDisplay
4008                  * to DisplayYesNo as it is not supported by BT spec. */
4009                 cp.capability = (conn->io_capability == 0x04) ?
4010                                 HCI_IO_DISPLAY_YESNO : conn->io_capability;
4011 
4012                 /* If we are initiators, there is no remote information yet */
4013                 if (conn->remote_auth == 0xff) {
4014                         /* Request MITM protection if our IO caps allow it
4015                          * except for the no-bonding case.
4016                          */
4017                         if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4018                             conn->auth_type != HCI_AT_NO_BONDING)
4019                                 conn->auth_type |= 0x01;
4020                 } else {
4021                         conn->auth_type = hci_get_auth_req(conn);
4022                 }
4023 
4024                 /* If we're not bondable, force one of the non-bondable
4025                  * authentication requirement values.
4026                  */
4027                 if (!hci_dev_test_flag(hdev, HCI_BONDABLE))
4028                         conn->auth_type &= HCI_AT_NO_BONDING_MITM;
4029 
4030                 cp.authentication = conn->auth_type;
4031                 cp.oob_data = bredr_oob_data_present(conn);
4032 
4033                 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
4034                              sizeof(cp), &cp);
4035         } else {
4036                 struct hci_cp_io_capability_neg_reply cp;
4037 
4038                 bacpy(&cp.bdaddr, &ev->bdaddr);
4039                 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
4040 
4041                 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
4042                              sizeof(cp), &cp);
4043         }
4044 
4045 unlock:
4046         hci_dev_unlock(hdev);
4047 }
4048 
4049 static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb)
4050 {
4051         struct hci_ev_io_capa_reply *ev = (void *) skb->data;
4052         struct hci_conn *conn;
4053 
4054         BT_DBG("%s", hdev->name);
4055 
4056         hci_dev_lock(hdev);
4057 
4058         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4059         if (!conn)
4060                 goto unlock;
4061 
4062         conn->remote_cap = ev->capability;
4063         conn->remote_auth = ev->authentication;
4064 
4065 unlock:
4066         hci_dev_unlock(hdev);
4067 }
4068 
4069 static void hci_user_confirm_request_evt(struct hci_dev *hdev,
4070                                          struct sk_buff *skb)
4071 {
4072         struct hci_ev_user_confirm_req *ev = (void *) skb->data;
4073         int loc_mitm, rem_mitm, confirm_hint = 0;
4074         struct hci_conn *conn;
4075 
4076         BT_DBG("%s", hdev->name);
4077 
4078         hci_dev_lock(hdev);
4079 
4080         if (!hci_dev_test_flag(hdev, HCI_MGMT))
4081                 goto unlock;
4082 
4083         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4084         if (!conn)
4085                 goto unlock;
4086 
4087         loc_mitm = (conn->auth_type & 0x01);
4088         rem_mitm = (conn->remote_auth & 0x01);
4089 
4090         /* If we require MITM but the remote device can't provide that
4091          * (it has NoInputNoOutput) then reject the confirmation
4092          * request. We check the security level here since it doesn't
4093          * necessarily match conn->auth_type.
4094          */
4095         if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
4096             conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
4097                 BT_DBG("Rejecting request: remote device can't provide MITM");
4098                 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
4099                              sizeof(ev->bdaddr), &ev->bdaddr);
4100                 goto unlock;
4101         }
4102 
4103         /* If no side requires MITM protection; auto-accept */
4104         if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
4105             (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
4106 
4107                 /* If we're not the initiators request authorization to
4108                  * proceed from user space (mgmt_user_confirm with
4109                  * confirm_hint set to 1). The exception is if neither
4110                  * side had MITM or if the local IO capability is
4111                  * NoInputNoOutput, in which case we do auto-accept
4112                  */
4113                 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
4114                     conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4115                     (loc_mitm || rem_mitm)) {
4116                         BT_DBG("Confirming auto-accept as acceptor");
4117                         confirm_hint = 1;
4118                         goto confirm;
4119                 }
4120 
4121                 BT_DBG("Auto-accept of user confirmation with %ums delay",
4122                        hdev->auto_accept_delay);
4123 
4124                 if (hdev->auto_accept_delay > 0) {
4125                         int delay = msecs_to_jiffies(hdev->auto_accept_delay);
4126                         queue_delayed_work(conn->hdev->workqueue,
4127                                            &conn->auto_accept_work, delay);
4128                         goto unlock;
4129                 }
4130 
4131                 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
4132                              sizeof(ev->bdaddr), &ev->bdaddr);
4133                 goto unlock;
4134         }
4135 
4136 confirm:
4137         mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
4138                                   le32_to_cpu(ev->passkey), confirm_hint);
4139 
4140 unlock:
4141         hci_dev_unlock(hdev);
4142 }
4143 
4144 static void hci_user_passkey_request_evt(struct hci_dev *hdev,
4145                                          struct sk_buff *skb)
4146 {
4147         struct hci_ev_user_passkey_req *ev = (void *) skb->data;
4148 
4149         BT_DBG("%s", hdev->name);
4150 
4151         if (hci_dev_test_flag(hdev, HCI_MGMT))
4152                 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
4153 }
4154 
4155 static void hci_user_passkey_notify_evt(struct hci_dev *hdev,
4156                                         struct sk_buff *skb)
4157 {
4158         struct hci_ev_user_passkey_notify *ev = (void *) skb->data;
4159         struct hci_conn *conn;
4160 
4161         BT_DBG("%s", hdev->name);
4162 
4163         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4164         if (!conn)
4165                 return;
4166 
4167         conn->passkey_notify = __le32_to_cpu(ev->passkey);
4168         conn->passkey_entered = 0;
4169 
4170         if (hci_dev_test_flag(hdev, HCI_MGMT))
4171                 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4172                                          conn->dst_type, conn->passkey_notify,
4173                                          conn->passkey_entered);
4174 }
4175 
4176 static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
4177 {
4178         struct hci_ev_keypress_notify *ev = (void *) skb->data;
4179         struct hci_conn *conn;
4180 
4181         BT_DBG("%s", hdev->name);
4182 
4183         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4184         if (!conn)
4185                 return;
4186 
4187         switch (ev->type) {
4188         case HCI_KEYPRESS_STARTED:
4189                 conn->passkey_entered = 0;
4190                 return;
4191 
4192         case HCI_KEYPRESS_ENTERED:
4193                 conn->passkey_entered++;
4194                 break;
4195 
4196         case HCI_KEYPRESS_ERASED:
4197                 conn->passkey_entered--;
4198                 break;
4199 
4200         case HCI_KEYPRESS_CLEARED:
4201                 conn->passkey_entered = 0;
4202                 break;
4203 
4204         case HCI_KEYPRESS_COMPLETED:
4205                 return;
4206         }
4207 
4208         if (hci_dev_test_flag(hdev, HCI_MGMT))
4209                 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4210                                          conn->dst_type, conn->passkey_notify,
4211                                          conn->passkey_entered);
4212 }
4213 
4214 static void hci_simple_pair_complete_evt(struct hci_dev *hdev,
4215                                          struct sk_buff *skb)
4216 {
4217         struct hci_ev_simple_pair_complete *ev = (void *) skb->data;
4218         struct hci_conn *conn;
4219 
4220         BT_DBG("%s", hdev->name);
4221 
4222         hci_dev_lock(hdev);
4223 
4224         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4225         if (!conn)
4226                 goto unlock;
4227 
4228         /* Reset the authentication requirement to unknown */
4229         conn->remote_auth = 0xff;
4230 
4231         /* To avoid duplicate auth_failed events to user space we check
4232          * the HCI_CONN_AUTH_PEND flag which will be set if we
4233          * initiated the authentication. A traditional auth_complete
4234          * event gets always produced as initiator and is also mapped to
4235          * the mgmt_auth_failed event */
4236         if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
4237                 mgmt_auth_failed(conn, ev->status);
4238 
4239         hci_conn_drop(conn);
4240 
4241 unlock:
4242         hci_dev_unlock(hdev);
4243 }
4244 
4245 static void hci_remote_host_features_evt(struct hci_dev *hdev,
4246                                          struct sk_buff *skb)
4247 {
4248         struct hci_ev_remote_host_features *ev = (void *) skb->data;
4249         struct inquiry_entry *ie;
4250         struct hci_conn *conn;
4251 
4252         BT_DBG("%s", hdev->name);
4253 
4254         hci_dev_lock(hdev);
4255 
4256         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4257         if (conn)
4258                 memcpy(conn->features[1], ev->features, 8);
4259 
4260         ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4261         if (ie)
4262                 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4263 
4264         hci_dev_unlock(hdev);
4265 }
4266 
4267 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
4268                                             struct sk_buff *skb)
4269 {
4270         struct hci_ev_remote_oob_data_request *ev = (void *) skb->data;
4271         struct oob_data *data;
4272 
4273         BT_DBG("%s", hdev->name);
4274 
4275         hci_dev_lock(hdev);
4276 
4277         if (!hci_dev_test_flag(hdev, HCI_MGMT))
4278                 goto unlock;
4279 
4280         data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
4281         if (!data) {
4282                 struct hci_cp_remote_oob_data_neg_reply cp;
4283 
4284                 bacpy(&cp.bdaddr, &ev->bdaddr);
4285                 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
4286                              sizeof(cp), &cp);
4287                 goto unlock;
4288         }
4289 
4290         if (bredr_sc_enabled(hdev)) {
4291                 struct hci_cp_remote_oob_ext_data_reply cp;
4292 
4293                 bacpy(&cp.bdaddr, &ev->bdaddr);
4294                 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
4295                         memset(cp.hash192, 0, sizeof(cp.hash192));
4296                         memset(cp.rand192, 0, sizeof(cp.rand192));
4297                 } else {
4298                         memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
4299                         memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
4300                 }
4301                 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
4302                 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
4303 
4304                 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
4305                              sizeof(cp), &cp);
4306         } else {
4307                 struct hci_cp_remote_oob_data_reply cp;
4308 
4309                 bacpy(&cp.bdaddr, &ev->bdaddr);
4310                 memcpy(cp.hash, data->hash192, sizeof(cp.hash));
4311                 memcpy(cp.rand, data->rand192, sizeof(cp.rand));
4312 
4313                 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
4314                              sizeof(cp), &cp);
4315         }
4316 
4317 unlock:
4318         hci_dev_unlock(hdev);
4319 }
4320 
4321 #if IS_ENABLED(CONFIG_BT_HS)
4322 static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb)
4323 {
4324         struct hci_ev_channel_selected *ev = (void *)skb->data;
4325         struct hci_conn *hcon;
4326 
4327         BT_DBG("%s handle 0x%2.2x", hdev->name, ev->phy_handle);
4328 
4329         skb_pull(skb, sizeof(*ev));
4330 
4331         hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4332         if (!hcon)
4333                 return;
4334 
4335         amp_read_loc_assoc_final_data(hdev, hcon);
4336 }
4337 
4338 static void hci_phy_link_complete_evt(struct hci_dev *hdev,
4339                                       struct sk_buff *skb)
4340 {
4341         struct hci_ev_phy_link_complete *ev = (void *) skb->data;
4342         struct hci_conn *hcon, *bredr_hcon;
4343 
4344         BT_DBG("%s handle 0x%2.2x status 0x%2.2x", hdev->name, ev->phy_handle,
4345                ev->status);
4346 
4347         hci_dev_lock(hdev);
4348 
4349         hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4350         if (!hcon) {
4351                 hci_dev_unlock(hdev);
4352                 return;
4353         }
4354 
4355         if (ev->status) {
4356                 hci_conn_del(hcon);
4357                 hci_dev_unlock(hdev);
4358                 return;
4359         }
4360 
4361         bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
4362 
4363         hcon->state = BT_CONNECTED;
4364         bacpy(&hcon->dst, &bredr_hcon->dst);
4365 
4366         hci_conn_hold(hcon);
4367         hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
4368         hci_conn_drop(hcon);
4369 
4370         hci_debugfs_create_conn(hcon);
4371         hci_conn_add_sysfs(hcon);
4372 
4373         amp_physical_cfm(bredr_hcon, hcon);
4374 
4375         hci_dev_unlock(hdev);
4376 }
4377 
4378 static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4379 {
4380         struct hci_ev_logical_link_complete *ev = (void *) skb->data;
4381         struct hci_conn *hcon;
4382         struct hci_chan *hchan;
4383         struct amp_mgr *mgr;
4384 
4385         BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
4386                hdev->name, le16_to_cpu(ev->handle), ev->phy_handle,
4387                ev->status);
4388 
4389         hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4390         if (!hcon)
4391                 return;
4392 
4393         /* Create AMP hchan */
4394         hchan = hci_chan_create(hcon);
4395         if (!hchan)
4396                 return;
4397 
4398         hchan->handle = le16_to_cpu(ev->handle);
4399 
4400         BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
4401 
4402         mgr = hcon->amp_mgr;
4403         if (mgr && mgr->bredr_chan) {
4404                 struct l2cap_chan *bredr_chan = mgr->bredr_chan;
4405 
4406                 l2cap_chan_lock(bredr_chan);
4407 
4408                 bredr_chan->conn->mtu = hdev->block_mtu;
4409                 l2cap_logical_cfm(bredr_chan, hchan, 0);
4410                 hci_conn_hold(hcon);
4411 
4412                 l2cap_chan_unlock(bredr_chan);
4413         }
4414 }
4415 
4416 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev,
4417                                              struct sk_buff *skb)
4418 {
4419         struct hci_ev_disconn_logical_link_complete *ev = (void *) skb->data;
4420         struct hci_chan *hchan;
4421 
4422         BT_DBG("%s log handle 0x%4.4x status 0x%2.2x", hdev->name,
4423                le16_to_cpu(ev->handle), ev->status);
4424 
4425         if (ev->status)
4426                 return;
4427 
4428         hci_dev_lock(hdev);
4429 
4430         hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
4431         if (!hchan)
4432                 goto unlock;
4433 
4434         amp_destroy_logical_link(hchan, ev->reason);
4435 
4436 unlock:
4437         hci_dev_unlock(hdev);
4438 }
4439 
4440 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev,
4441                                              struct sk_buff *skb)
4442 {
4443         struct hci_ev_disconn_phy_link_complete *ev = (void *) skb->data;
4444         struct hci_conn *hcon;
4445 
4446         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4447 
4448         if (ev->status)
4449                 return;
4450 
4451         hci_dev_lock(hdev);
4452 
4453         hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4454         if (hcon) {
4455                 hcon->state = BT_CLOSED;
4456                 hci_conn_del(hcon);
4457         }
4458 
4459         hci_dev_unlock(hdev);
4460 }
4461 #endif
4462 
4463 static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4464 {
4465         struct hci_ev_le_conn_complete *ev = (void *) skb->data;
4466         struct hci_conn_params *params;
4467         struct hci_conn *conn;
4468         struct smp_irk *irk;
4469         u8 addr_type;
4470 
4471         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4472 
4473         hci_dev_lock(hdev);
4474 
4475         /* All controllers implicitly stop advertising in the event of a
4476          * connection, so ensure that the state bit is cleared.
4477          */
4478         hci_dev_clear_flag(hdev, HCI_LE_ADV);
4479 
4480         conn = hci_lookup_le_connect(hdev);
4481         if (!conn) {
4482                 conn = hci_conn_add(hdev, LE_LINK, &ev->bdaddr, ev->role);
4483                 if (!conn) {
4484                         bt_dev_err(hdev, "no memory for new connection");
4485                         goto unlock;
4486                 }
4487 
4488                 conn->dst_type = ev->bdaddr_type;
4489 
4490                 /* If we didn't have a hci_conn object previously
4491                  * but we're in master role this must be something
4492                  * initiated using a white list. Since white list based
4493                  * connections are not "first class citizens" we don't
4494                  * have full tracking of them. Therefore, we go ahead
4495                  * with a "best effort" approach of determining the
4496                  * initiator address based on the HCI_PRIVACY flag.
4497                  */
4498                 if (conn->out) {
4499                         conn->resp_addr_type = ev->bdaddr_type;
4500                         bacpy(&conn->resp_addr, &ev->bdaddr);
4501                         if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
4502                                 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
4503                                 bacpy(&conn->init_addr, &hdev->rpa);
4504                         } else {
4505                                 hci_copy_identity_address(hdev,
4506                                                           &conn->init_addr,
4507                                                           &conn->init_addr_type);
4508                         }
4509                 }
4510         } else {
4511                 cancel_delayed_work(&conn->le_conn_timeout);
4512         }
4513 
4514         if (!conn->out) {
4515                 /* Set the responder (our side) address type based on
4516                  * the advertising address type.
4517                  */
4518                 conn->resp_addr_type = hdev->adv_addr_type;
4519                 if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM)
4520                         bacpy(&conn->resp_addr, &hdev->random_addr);
4521                 else
4522                         bacpy(&conn->resp_addr, &hdev->bdaddr);
4523 
4524                 conn->init_addr_type = ev->bdaddr_type;
4525                 bacpy(&conn->init_addr, &ev->bdaddr);
4526 
4527                 /* For incoming connections, set the default minimum
4528                  * and maximum connection interval. They will be used
4529                  * to check if the parameters are in range and if not
4530                  * trigger the connection update procedure.
4531                  */
4532                 conn->le_conn_min_interval = hdev->le_conn_min_interval;
4533                 conn->le_conn_max_interval = hdev->le_conn_max_interval;
4534         }
4535 
4536         /* Lookup the identity address from the stored connection
4537          * address and address type.
4538          *
4539          * When establishing connections to an identity address, the
4540          * connection procedure will store the resolvable random
4541          * address first. Now if it can be converted back into the
4542          * identity address, start using the identity address from
4543          * now on.
4544          */
4545         irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
4546         if (irk) {
4547                 bacpy(&conn->dst, &irk->bdaddr);
4548                 conn->dst_type = irk->addr_type;
4549         }
4550 
4551         if (ev->status) {
4552                 hci_le_conn_failed(conn, ev->status);
4553                 goto unlock;
4554         }
4555 
4556         if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
4557                 addr_type = BDADDR_LE_PUBLIC;
4558         else
4559                 addr_type = BDADDR_LE_RANDOM;
4560 
4561         /* Drop the connection if the device is blocked */
4562         if (hci_bdaddr_list_lookup(&hdev->blacklist, &conn->dst, addr_type)) {
4563                 hci_conn_drop(conn);
4564                 goto unlock;
4565         }
4566 
4567         if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
4568                 mgmt_device_connected(hdev, conn, 0, NULL, 0);
4569 
4570         conn->sec_level = BT_SECURITY_LOW;
4571         conn->handle = __le16_to_cpu(ev->handle);
4572         conn->state = BT_CONFIG;
4573 
4574         conn->le_conn_interval = le16_to_cpu(ev->interval);
4575         conn->le_conn_latency = le16_to_cpu(ev->latency);
4576         conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
4577 
4578         hci_debugfs_create_conn(conn);
4579         hci_conn_add_sysfs(conn);
4580 
4581         if (!ev->status) {
4582                 /* The remote features procedure is defined for master
4583                  * role only. So only in case of an initiated connection
4584                  * request the remote features.
4585                  *
4586                  * If the local controller supports slave-initiated features
4587                  * exchange, then requesting the remote features in slave
4588                  * role is possible. Otherwise just transition into the
4589                  * connected state without requesting the remote features.
4590                  */
4591                 if (conn->out ||
4592                     (hdev->le_features[0] & HCI_LE_SLAVE_FEATURES)) {
4593                         struct hci_cp_le_read_remote_features cp;
4594 
4595                         cp.handle = __cpu_to_le16(conn->handle);
4596 
4597                         hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,
4598                                      sizeof(cp), &cp);
4599 
4600                         hci_conn_hold(conn);
4601                 } else {
4602                         conn->state = BT_CONNECTED;
4603                         hci_connect_cfm(conn, ev->status);
4604                 }
4605         } else {
4606                 hci_connect_cfm(conn, ev->status);
4607         }
4608 
4609         params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
4610                                            conn->dst_type);
4611         if (params) {
4612                 list_del_init(&params->action);
4613                 if (params->conn) {
4614                         hci_conn_drop(params->conn);
4615                         hci_conn_put(params->conn);
4616                         params->conn = NULL;
4617                 }
4618         }
4619 
4620 unlock:
4621         hci_update_background_scan(hdev);
4622         hci_dev_unlock(hdev);
4623 }
4624 
4625 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev,
4626                                             struct sk_buff *skb)
4627 {
4628         struct hci_ev_le_conn_update_complete *ev = (void *) skb->data;
4629         struct hci_conn *conn;
4630 
4631         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4632 
4633         if (ev->status)
4634                 return;
4635 
4636         hci_dev_lock(hdev);
4637 
4638         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4639         if (conn) {
4640                 conn->le_conn_interval = le16_to_cpu(ev->interval);
4641                 conn->le_conn_latency = le16_to_cpu(ev->latency);
4642                 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
4643         }
4644 
4645         hci_dev_unlock(hdev);
4646 }
4647 
4648 /* This function requires the caller holds hdev->lock */
4649 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
4650                                               bdaddr_t *addr,
4651                                               u8 addr_type, u8 adv_type,
4652                                               bdaddr_t *direct_rpa)
4653 {
4654         struct hci_conn *conn;
4655         struct hci_conn_params *params;
4656 
4657         /* If the event is not connectable don't proceed further */
4658         if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
4659                 return NULL;
4660 
4661         /* Ignore if the device is blocked */
4662         if (hci_bdaddr_list_lookup(&hdev->blacklist, addr, addr_type))
4663                 return NULL;
4664 
4665         /* Most controller will fail if we try to create new connections
4666          * while we have an existing one in slave role.
4667          */
4668         if (hdev->conn_hash.le_num_slave > 0)
4669                 return NULL;
4670 
4671         /* If we're not connectable only connect devices that we have in
4672          * our pend_le_conns list.
4673          */
4674         params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr,
4675                                            addr_type);
4676         if (!params)
4677                 return NULL;
4678 
4679         if (!params->explicit_connect) {
4680                 switch (params->auto_connect) {
4681                 case HCI_AUTO_CONN_DIRECT:
4682                         /* Only devices advertising with ADV_DIRECT_IND are
4683                          * triggering a connection attempt. This is allowing
4684                          * incoming connections from slave devices.
4685                          */
4686                         if (adv_type != LE_ADV_DIRECT_IND)
4687                                 return NULL;
4688                         break;
4689                 case HCI_AUTO_CONN_ALWAYS:
4690                         /* Devices advertising with ADV_IND or ADV_DIRECT_IND
4691                          * are triggering a connection attempt. This means
4692                          * that incoming connectioms from slave device are
4693                          * accepted and also outgoing connections to slave
4694                          * devices are established when found.
4695                          */
4696                         break;
4697                 default:
4698                         return NULL;
4699                 }
4700         }
4701 
4702         conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW,
4703                               HCI_LE_AUTOCONN_TIMEOUT, HCI_ROLE_MASTER,
4704                               direct_rpa);
4705         if (!IS_ERR(conn)) {
4706                 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
4707                  * by higher layer that tried to connect, if no then
4708                  * store the pointer since we don't really have any
4709                  * other owner of the object besides the params that
4710                  * triggered it. This way we can abort the connection if
4711                  * the parameters get removed and keep the reference
4712                  * count consistent once the connection is established.
4713                  */
4714 
4715                 if (!params->explicit_connect)
4716                         params->conn = hci_conn_get(conn);
4717 
4718                 return conn;
4719         }
4720 
4721         switch (PTR_ERR(conn)) {
4722         case -EBUSY:
4723                 /* If hci_connect() returns -EBUSY it means there is already
4724                  * an LE connection attempt going on. Since controllers don't
4725                  * support more than one connection attempt at the time, we
4726                  * don't consider this an error case.
4727                  */
4728                 break;
4729         default:
4730                 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
4731                 return NULL;
4732         }
4733 
4734         return NULL;
4735 }
4736 
4737 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
4738                                u8 bdaddr_type, bdaddr_t *direct_addr,
4739                                u8 direct_addr_type, s8 rssi, u8 *data, u8 len)
4740 {
4741         struct discovery_state *d = &hdev->discovery;
4742         struct smp_irk *irk;
4743         struct hci_conn *conn;
4744         bool match;
4745         u32 flags;
4746         u8 *ptr, real_len;
4747 
4748         switch (type) {
4749         case LE_ADV_IND:
4750         case LE_ADV_DIRECT_IND:
4751         case LE_ADV_SCAN_IND:
4752         case LE_ADV_NONCONN_IND:
4753         case LE_ADV_SCAN_RSP:
4754                 break;
4755         default:
4756                 bt_dev_err_ratelimited(hdev, "unknown advertising packet "
4757                                        "type: 0x%02x", type);
4758                 return;
4759         }
4760 
4761         /* Find the end of the data in case the report contains padded zero
4762          * bytes at the end causing an invalid length value.
4763          *
4764          * When data is NULL, len is 0 so there is no need for extra ptr
4765          * check as 'ptr < data + 0' is already false in such case.
4766          */
4767         for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) {
4768                 if (ptr + 1 + *ptr > data + len)
4769                         break;
4770         }
4771 
4772         real_len = ptr - data;
4773 
4774         /* Adjust for actual length */
4775         if (len != real_len) {
4776                 bt_dev_err_ratelimited(hdev, "advertising data len corrected");
4777                 len = real_len;
4778         }
4779 
4780         /* If the direct address is present, then this report is from
4781          * a LE Direct Advertising Report event. In that case it is
4782          * important to see if the address is matching the local
4783          * controller address.
4784          */
4785         if (direct_addr) {
4786                 /* Only resolvable random addresses are valid for these
4787                  * kind of reports and others can be ignored.
4788                  */
4789                 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
4790                         return;
4791 
4792                 /* If the controller is not using resolvable random
4793                  * addresses, then this report can be ignored.
4794                  */
4795                 if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
4796                         return;
4797 
4798                 /* If the local IRK of the controller does not match
4799                  * with the resolvable random address provided, then
4800                  * this report can be ignored.
4801                  */
4802                 if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
4803                         return;
4804         }
4805 
4806         /* Check if we need to convert to identity address */
4807         irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
4808         if (irk) {
4809                 bdaddr = &irk->bdaddr;
4810                 bdaddr_type = irk->addr_type;
4811         }
4812 
4813         /* Check if we have been requested to connect to this device.
4814          *
4815          * direct_addr is set only for directed advertising reports (it is NULL
4816          * for advertising reports) and is already verified to be RPA above.
4817          */
4818         conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type,
4819                                                                 direct_addr);
4820         if (conn && type == LE_ADV_IND) {
4821                 /* Store report for later inclusion by
4822                  * mgmt_device_connected
4823                  */
4824                 memcpy(conn->le_adv_data, data, len);
4825                 conn->le_adv_data_len = len;
4826         }
4827 
4828         /* Passive scanning shouldn't trigger any device found events,
4829          * except for devices marked as CONN_REPORT for which we do send
4830          * device found events.
4831          */
4832         if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
4833                 if (type == LE_ADV_DIRECT_IND)
4834                         return;
4835 
4836                 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
4837                                                bdaddr, bdaddr_type))
4838                         return;
4839 
4840                 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
4841                         flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
4842                 else
4843                         flags = 0;
4844                 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4845                                   rssi, flags, data, len, NULL, 0);
4846                 return;
4847         }
4848 
4849         /* When receiving non-connectable or scannable undirected
4850          * advertising reports, this means that the remote device is
4851          * not connectable and then clearly indicate this in the
4852          * device found event.
4853          *
4854          * When receiving a scan response, then there is no way to
4855          * know if the remote device is connectable or not. However
4856          * since scan responses are merged with a previously seen
4857          * advertising report, the flags field from that report
4858          * will be used.
4859          *
4860          * In the really unlikely case that a controller get confused
4861          * and just sends a scan response event, then it is marked as
4862          * not connectable as well.
4863          */
4864         if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND ||
4865             type == LE_ADV_SCAN_RSP)
4866                 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
4867         else
4868                 flags = 0;
4869 
4870         /* If there's nothing pending either store the data from this
4871          * event or send an immediate device found event if the data
4872          * should not be stored for later.
4873          */
4874         if (!has_pending_adv_report(hdev)) {
4875                 /* If the report will trigger a SCAN_REQ store it for
4876                  * later merging.
4877                  */
4878                 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
4879                         store_pending_adv_report(hdev, bdaddr, bdaddr_type,
4880                                                  rssi, flags, data, len);
4881                         return;
4882                 }
4883 
4884                 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4885                                   rssi, flags, data, len, NULL, 0);
4886                 return;
4887         }
4888 
4889         /* Check if the pending report is for the same device as the new one */
4890         match = (!bacmp(bdaddr, &d->last_adv_addr) &&
4891                  bdaddr_type == d->last_adv_addr_type);
4892 
4893         /* If the pending data doesn't match this report or this isn't a
4894          * scan response (e.g. we got a duplicate ADV_IND) then force
4895          * sending of the pending data.
4896          */
4897         if (type != LE_ADV_SCAN_RSP || !match) {
4898                 /* Send out whatever is in the cache, but skip duplicates */
4899                 if (!match)
4900                         mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
4901                                           d->last_adv_addr_type, NULL,
4902                                           d->last_adv_rssi, d->last_adv_flags,
4903                                           d->last_adv_data,
4904                                           d->last_adv_data_len, NULL, 0);
4905 
4906                 /* If the new report will trigger a SCAN_REQ store it for
4907                  * later merging.
4908                  */
4909                 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
4910                         store_pending_adv_report(hdev, bdaddr, bdaddr_type,
4911                                                  rssi, flags, data, len);
4912                         return;
4913                 }
4914 
4915                 /* The advertising reports cannot be merged, so clear
4916                  * the pending report and send out a device found event.
4917                  */
4918                 clear_pending_adv_report(hdev);
4919                 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4920                                   rssi, flags, data, len, NULL, 0);
4921                 return;
4922         }
4923 
4924         /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
4925          * the new event is a SCAN_RSP. We can therefore proceed with
4926          * sending a merged device found event.
4927          */
4928         mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
4929                           d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
4930                           d->last_adv_data, d->last_adv_data_len, data, len);
4931         clear_pending_adv_report(hdev);
4932 }
4933 
4934 static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
4935 {
4936         u8 num_reports = skb->data[0];
4937         void *ptr = &skb->data[1];
4938 
4939         hci_dev_lock(hdev);
4940 
4941         while (num_reports--) {
4942                 struct hci_ev_le_advertising_info *ev = ptr;
4943                 s8 rssi;
4944 
4945                 rssi = ev->data[ev->length];
4946                 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
4947                                    ev->bdaddr_type, NULL, 0, rssi,
4948                                    ev->data, ev->length);
4949 
4950                 ptr += sizeof(*ev) + ev->length + 1;
4951         }
4952 
4953         hci_dev_unlock(hdev);
4954 }
4955 
4956 static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev,
4957                                             struct sk_buff *skb)
4958 {
4959         struct hci_ev_le_remote_feat_complete *ev = (void *)skb->data;
4960         struct hci_conn *conn;
4961 
4962         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4963 
4964         hci_dev_lock(hdev);
4965 
4966         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4967         if (conn) {
4968                 if (!ev->status)
4969                         memcpy(conn->features[0], ev->features, 8);
4970 
4971                 if (conn->state == BT_CONFIG) {
4972                         __u8 status;
4973 
4974                         /* If the local controller supports slave-initiated
4975                          * features exchange, but the remote controller does
4976                          * not, then it is possible that the error code 0x1a
4977                          * for unsupported remote feature gets returned.
4978                          *
4979                          * In this specific case, allow the connection to
4980                          * transition into connected state and mark it as
4981                          * successful.
4982                          */
4983                         if ((hdev->le_features[0] & HCI_LE_SLAVE_FEATURES) &&
4984                             !conn->out && ev->status == 0x1a)
4985                                 status = 0x00;
4986                         else
4987                                 status = ev->status;
4988 
4989                         conn->state = BT_CONNECTED;
4990                         hci_connect_cfm(conn, status);
4991                         hci_conn_drop(conn);
4992                 }
4993         }
4994 
4995         hci_dev_unlock(hdev);
4996 }
4997 
4998 static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
4999 {
5000         struct hci_ev_le_ltk_req *ev = (void *) skb->data;
5001         struct hci_cp_le_ltk_reply cp;
5002         struct hci_cp_le_ltk_neg_reply neg;
5003         struct hci_conn *conn;
5004         struct smp_ltk *ltk;
5005 
5006         BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle));
5007 
5008         hci_dev_lock(hdev);
5009 
5010         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5011         if (conn == NULL)
5012                 goto not_found;
5013 
5014         ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
5015         if (!ltk)
5016                 goto not_found;
5017 
5018         if (smp_ltk_is_sc(ltk)) {
5019                 /* With SC both EDiv and Rand are set to zero */
5020                 if (ev->ediv || ev->rand)
5021                         goto not_found;
5022         } else {
5023                 /* For non-SC keys check that EDiv and Rand match */
5024                 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
5025                         goto not_found;
5026         }
5027 
5028         memcpy(cp.ltk, ltk->val, ltk->enc_size);
5029         memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
5030         cp.handle = cpu_to_le16(conn->handle);
5031 
5032         conn->pending_sec_level = smp_ltk_sec_level(ltk);
5033 
5034         conn->enc_key_size = ltk->enc_size;
5035 
5036         hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
5037 
5038         /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
5039          * temporary key used to encrypt a connection following
5040          * pairing. It is used during the Encrypted Session Setup to
5041          * distribute the keys. Later, security can be re-established
5042          * using a distributed LTK.
5043          */
5044         if (ltk->type == SMP_STK) {
5045                 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
5046                 list_del_rcu(&ltk->list);
5047                 kfree_rcu(ltk, rcu);
5048         } else {
5049                 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
5050         }
5051 
5052         hci_dev_unlock(hdev);
5053 
5054         return;
5055 
5056 not_found:
5057         neg.handle = ev->handle;
5058         hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
5059         hci_dev_unlock(hdev);
5060 }
5061 
5062 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
5063                                       u8 reason)
5064 {
5065         struct hci_cp_le_conn_param_req_neg_reply cp;
5066 
5067         cp.handle = cpu_to_le16(handle);
5068         cp.reason = reason;
5069 
5070         hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
5071                      &cp);
5072 }
5073 
5074 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev,
5075                                              struct sk_buff *skb)
5076 {
5077         struct hci_ev_le_remote_conn_param_req *ev = (void *) skb->data;
5078         struct hci_cp_le_conn_param_req_reply cp;
5079         struct hci_conn *hcon;
5080         u16 handle, min, max, latency, timeout;
5081 
5082         handle = le16_to_cpu(ev->handle);
5083         min = le16_to_cpu(ev->interval_min);
5084         max = le16_to_cpu(ev->interval_max);
5085         latency = le16_to_cpu(ev->latency);
5086         timeout = le16_to_cpu(ev->timeout);
5087 
5088         hcon = hci_conn_hash_lookup_handle(hdev, handle);
5089         if (!hcon || hcon->state != BT_CONNECTED)
5090                 return send_conn_param_neg_reply(hdev, handle,
5091                                                  HCI_ERROR_UNKNOWN_CONN_ID);
5092 
5093         if (hci_check_conn_params(min, max, latency, timeout))
5094                 return send_conn_param_neg_reply(hdev, handle,
5095                                                  HCI_ERROR_INVALID_LL_PARAMS);
5096 
5097         if (hcon->role == HCI_ROLE_MASTER) {
5098                 struct hci_conn_params *params;
5099                 u8 store_hint;
5100 
5101                 hci_dev_lock(hdev);
5102 
5103                 params = hci_conn_params_lookup(hdev, &hcon->dst,
5104                                                 hcon->dst_type);
5105                 if (params) {
5106                         params->conn_min_interval = min;
5107                         params->conn_max_interval = max;
5108                         params->conn_latency = latency;
5109                         params->supervision_timeout = timeout;
5110                         store_hint = 0x01;
5111                 } else{
5112                         store_hint = 0x00;
5113                 }
5114 
5115                 hci_dev_unlock(hdev);
5116 
5117                 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
5118                                     store_hint, min, max, latency, timeout);
5119         }
5120 
5121         cp.handle = ev->handle;
5122         cp.interval_min = ev->interval_min;
5123         cp.interval_max = ev->interval_max;
5124         cp.latency = ev->latency;
5125         cp.timeout = ev->timeout;
5126         cp.min_ce_len = 0;
5127         cp.max_ce_len = 0;
5128 
5129         hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
5130 }
5131 
5132 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev,
5133                                          struct sk_buff *skb)
5134 {
5135         u8 num_reports = skb->data[0];
5136         void *ptr = &skb->data[1];
5137 
5138         hci_dev_lock(hdev);
5139 
5140         while (num_reports--) {
5141                 struct hci_ev_le_direct_adv_info *ev = ptr;
5142 
5143                 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
5144                                    ev->bdaddr_type, &ev->direct_addr,
5145                                    ev->direct_addr_type, ev->rssi, NULL, 0);
5146 
5147                 ptr += sizeof(*ev);
5148         }
5149 
5150         hci_dev_unlock(hdev);
5151 }
5152 
5153 static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
5154 {
5155         struct hci_ev_le_meta *le_ev = (void *) skb->data;
5156 
5157         skb_pull(skb, sizeof(*le_ev));
5158 
5159         switch (le_ev->subevent) {
5160         case HCI_EV_LE_CONN_COMPLETE:
5161                 hci_le_conn_complete_evt(hdev, skb);
5162                 break;
5163 
5164         case HCI_EV_LE_CONN_UPDATE_COMPLETE:
5165                 hci_le_conn_update_complete_evt(hdev, skb);
5166                 break;
5167 
5168         case HCI_EV_LE_ADVERTISING_REPORT:
5169                 hci_le_adv_report_evt(hdev, skb);
5170                 break;
5171 
5172         case HCI_EV_LE_REMOTE_FEAT_COMPLETE:
5173                 hci_le_remote_feat_complete_evt(hdev, skb);
5174                 break;
5175 
5176         case HCI_EV_LE_LTK_REQ:
5177                 hci_le_ltk_request_evt(hdev, skb);
5178                 break;
5179 
5180         case HCI_EV_LE_REMOTE_CONN_PARAM_REQ:
5181                 hci_le_remote_conn_param_req_evt(hdev, skb);
5182                 break;
5183 
5184         case HCI_EV_LE_DIRECT_ADV_REPORT:
5185                 hci_le_direct_adv_report_evt(hdev, skb);
5186                 break;
5187 
5188         default:
5189                 break;
5190         }
5191 }
5192 
5193 static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
5194                                  u8 event, struct sk_buff *skb)
5195 {
5196         struct hci_ev_cmd_complete *ev;
5197         struct hci_event_hdr *hdr;
5198 
5199         if (!skb)
5200                 return false;
5201 
5202         if (skb->len < sizeof(*hdr)) {
5203                 bt_dev_err(hdev, "too short HCI event");
5204                 return false;
5205         }
5206 
5207         hdr = (void *) skb->data;
5208         skb_pull(skb, HCI_EVENT_HDR_SIZE);
5209 
5210         if (event) {
5211                 if (hdr->evt != event)
5212                         return false;
5213                 return true;
5214         }
5215 
5216         if (hdr->evt != HCI_EV_CMD_COMPLETE) {
5217                 bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)",
5218                            hdr->evt);
5219                 return false;
5220         }
5221 
5222         if (skb->len < sizeof(*ev)) {
5223                 bt_dev_err(hdev, "too short cmd_complete event");
5224                 return false;
5225         }
5226 
5227         ev = (void *) skb->data;
5228         skb_pull(skb, sizeof(*ev));
5229 
5230         if (opcode != __le16_to_cpu(ev->opcode)) {
5231                 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
5232                        __le16_to_cpu(ev->opcode));
5233                 return false;
5234         }
5235 
5236         return true;
5237 }
5238 
5239 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
5240 {
5241         struct hci_event_hdr *hdr = (void *) skb->data;
5242         hci_req_complete_t req_complete = NULL;
5243         hci_req_complete_skb_t req_complete_skb = NULL;
5244         struct sk_buff *orig_skb = NULL;
5245         u8 status = 0, event = hdr->evt, req_evt = 0;
5246         u16 opcode = HCI_OP_NOP;
5247 
5248         if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->hci.req_event == event) {
5249                 struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data;
5250                 opcode = __le16_to_cpu(cmd_hdr->opcode);
5251                 hci_req_cmd_complete(hdev, opcode, status, &req_complete,
5252                                      &req_complete_skb);
5253                 req_evt = event;
5254         }
5255 
5256         /* If it looks like we might end up having to call
5257          * req_complete_skb, store a pristine copy of the skb since the
5258          * various handlers may modify the original one through
5259          * skb_pull() calls, etc.
5260          */
5261         if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
5262             event == HCI_EV_CMD_COMPLETE)
5263                 orig_skb = skb_clone(skb, GFP_KERNEL);
5264 
5265         skb_pull(skb, HCI_EVENT_HDR_SIZE);
5266 
5267         switch (event) {
5268         case HCI_EV_INQUIRY_COMPLETE:
5269                 hci_inquiry_complete_evt(hdev, skb);
5270                 break;
5271 
5272         case HCI_EV_INQUIRY_RESULT:
5273                 hci_inquiry_result_evt(hdev, skb);
5274                 break;
5275 
5276         case HCI_EV_CONN_COMPLETE:
5277                 hci_conn_complete_evt(hdev, skb);
5278                 break;
5279 
5280         case HCI_EV_CONN_REQUEST:
5281                 hci_conn_request_evt(hdev, skb);
5282                 break;
5283 
5284         case HCI_EV_DISCONN_COMPLETE:
5285                 hci_disconn_complete_evt(hdev, skb);
5286                 break;
5287 
5288         case HCI_EV_AUTH_COMPLETE:
5289                 hci_auth_complete_evt(hdev, skb);
5290                 break;
5291 
5292         case HCI_EV_REMOTE_NAME:
5293                 hci_remote_name_evt(hdev, skb);
5294                 break;
5295 
5296         case HCI_EV_ENCRYPT_CHANGE:
5297                 hci_encrypt_change_evt(hdev, skb);
5298                 break;
5299 
5300         case HCI_EV_CHANGE_LINK_KEY_COMPLETE:
5301                 hci_change_link_key_complete_evt(hdev, skb);
5302                 break;
5303 
5304         case HCI_EV_REMOTE_FEATURES:
5305                 hci_remote_features_evt(hdev, skb);
5306                 break;
5307 
5308         case HCI_EV_CMD_COMPLETE:
5309                 hci_cmd_complete_evt(hdev, skb, &opcode, &status,
5310                                      &req_complete, &req_complete_skb);
5311                 break;
5312 
5313         case HCI_EV_CMD_STATUS:
5314                 hci_cmd_status_evt(hdev, skb, &opcode, &status, &req_complete,
5315                                    &req_complete_skb);
5316                 break;
5317 
5318         case HCI_EV_HARDWARE_ERROR:
5319                 hci_hardware_error_evt(hdev, skb);
5320                 break;
5321 
5322         case HCI_EV_ROLE_CHANGE:
5323                 hci_role_change_evt(hdev, skb);
5324                 break;
5325 
5326         case HCI_EV_NUM_COMP_PKTS:
5327                 hci_num_comp_pkts_evt(hdev, skb);
5328                 break;
5329 
5330         case HCI_EV_MODE_CHANGE:
5331                 hci_mode_change_evt(hdev, skb);
5332                 break;
5333 
5334         case HCI_EV_PIN_CODE_REQ:
5335                 hci_pin_code_request_evt(hdev, skb);
5336                 break;
5337 
5338         case HCI_EV_LINK_KEY_REQ:
5339                 hci_link_key_request_evt(hdev, skb);
5340                 break;
5341 
5342         case HCI_EV_LINK_KEY_NOTIFY:
5343                 hci_link_key_notify_evt(hdev, skb);
5344                 break;
5345 
5346         case HCI_EV_CLOCK_OFFSET:
5347                 hci_clock_offset_evt(hdev, skb);
5348                 break;
5349 
5350         case HCI_EV_PKT_TYPE_CHANGE:
5351                 hci_pkt_type_change_evt(hdev, skb);
5352                 break;
5353 
5354         case HCI_EV_PSCAN_REP_MODE:
5355                 hci_pscan_rep_mode_evt(hdev, skb);
5356                 break;
5357 
5358         case HCI_EV_INQUIRY_RESULT_WITH_RSSI:
5359                 hci_inquiry_result_with_rssi_evt(hdev, skb);
5360                 break;
5361 
5362         case HCI_EV_REMOTE_EXT_FEATURES:
5363                 hci_remote_ext_features_evt(hdev, skb);
5364                 break;
5365 
5366         case HCI_EV_SYNC_CONN_COMPLETE:
5367                 hci_sync_conn_complete_evt(hdev, skb);
5368                 break;
5369 
5370         case HCI_EV_EXTENDED_INQUIRY_RESULT:
5371                 hci_extended_inquiry_result_evt(hdev, skb);
5372                 break;
5373 
5374         case HCI_EV_KEY_REFRESH_COMPLETE:
5375                 hci_key_refresh_complete_evt(hdev, skb);
5376                 break;
5377 
5378         case HCI_EV_IO_CAPA_REQUEST:
5379                 hci_io_capa_request_evt(hdev, skb);
5380                 break;
5381 
5382         case HCI_EV_IO_CAPA_REPLY:
5383                 hci_io_capa_reply_evt(hdev, skb);
5384                 break;
5385 
5386         case HCI_EV_USER_CONFIRM_REQUEST:
5387                 hci_user_confirm_request_evt(hdev, skb);
5388                 break;
5389 
5390         case HCI_EV_USER_PASSKEY_REQUEST:
5391                 hci_user_passkey_request_evt(hdev, skb);
5392                 break;
5393 
5394         case HCI_EV_USER_PASSKEY_NOTIFY:
5395                 hci_user_passkey_notify_evt(hdev, skb);
5396                 break;
5397 
5398         case HCI_EV_KEYPRESS_NOTIFY:
5399                 hci_keypress_notify_evt(hdev, skb);
5400                 break;
5401 
5402         case HCI_EV_SIMPLE_PAIR_COMPLETE:
5403                 hci_simple_pair_complete_evt(hdev, skb);
5404                 break;
5405 
5406         case HCI_EV_REMOTE_HOST_FEATURES:
5407                 hci_remote_host_features_evt(hdev, skb);
5408                 break;
5409 
5410         case HCI_EV_LE_META:
5411                 hci_le_meta_evt(hdev, skb);
5412                 break;
5413 
5414         case HCI_EV_REMOTE_OOB_DATA_REQUEST:
5415                 hci_remote_oob_data_request_evt(hdev, skb);
5416                 break;
5417 
5418 #if IS_ENABLED(CONFIG_BT_HS)
5419         case HCI_EV_CHANNEL_SELECTED:
5420                 hci_chan_selected_evt(hdev, skb);
5421                 break;
5422 
5423         case HCI_EV_PHY_LINK_COMPLETE:
5424                 hci_phy_link_complete_evt(hdev, skb);
5425                 break;
5426 
5427         case HCI_EV_LOGICAL_LINK_COMPLETE:
5428                 hci_loglink_complete_evt(hdev, skb);
5429                 break;
5430 
5431         case HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE:
5432                 hci_disconn_loglink_complete_evt(hdev, skb);
5433                 break;
5434 
5435         case HCI_EV_DISCONN_PHY_LINK_COMPLETE:
5436                 hci_disconn_phylink_complete_evt(hdev, skb);
5437                 break;
5438 #endif
5439 
5440         case HCI_EV_NUM_COMP_BLOCKS:
5441                 hci_num_comp_blocks_evt(hdev, skb);
5442                 break;
5443 
5444         default:
5445                 BT_DBG("%s event 0x%2.2x", hdev->name, event);
5446                 break;
5447         }
5448 
5449         if (req_complete) {
5450                 req_complete(hdev, status, opcode);
5451         } else if (req_complete_skb) {
5452                 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {
5453                         kfree_skb(orig_skb);
5454                         orig_skb = NULL;
5455                 }
5456                 req_complete_skb(hdev, status, opcode, orig_skb);
5457         }
5458 
5459         kfree_skb(orig_skb);
5460         kfree_skb(skb);
5461         hdev->stat.evt_rx++;
5462 }
5463 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | Wiki (Japanese) | Wiki (English) | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

osdn.jp