]> git.karo-electronics.de Git - karo-tx-linux.git/blob - net/bluetooth/hci_event.c
projects / karo-tx-linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Bluetooth: Use helper function to determine BR/EDR OOB data present
[karo-tx-linux.git] / net / bluetooth / hci_event.c
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
4
5    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License version 2 as
9    published by the Free Software Foundation;
10
11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19
20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22    SOFTWARE IS DISCLAIMED.
23 */
24
25 /* Bluetooth HCI event handling. */
26
27 #include <asm/unaligned.h>
28
29 #include <net/bluetooth/bluetooth.h>
30 #include <net/bluetooth/hci_core.h>
31 #include <net/bluetooth/mgmt.h>
32
33 #include "hci_request.h"
34 #include "hci_debugfs.h"
35 #include "a2mp.h"
36 #include "amp.h"
37 #include "smp.h"
38
39 /* Handle HCI Event packets */
40
41 static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb)
42 {
43         __u8 status = *((__u8 *) skb->data);
44
45         BT_DBG("%s status 0x%2.2x", hdev->name, status);
46
47         if (status)
48                 return;
49
50         clear_bit(HCI_INQUIRY, &hdev->flags);
51         smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
52         wake_up_bit(&hdev->flags, HCI_INQUIRY);
53
54         hci_dev_lock(hdev);
55         hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
56         hci_dev_unlock(hdev);
57
58         hci_conn_check_pending(hdev);
59 }
60
61 static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
62 {
63         __u8 status = *((__u8 *) skb->data);
64
65         BT_DBG("%s status 0x%2.2x", hdev->name, status);
66
67         if (status)
68                 return;
69
70         set_bit(HCI_PERIODIC_INQ, &hdev->dev_flags);
71 }
72
73 static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
74 {
75         __u8 status = *((__u8 *) skb->data);
76
77         BT_DBG("%s status 0x%2.2x", hdev->name, status);
78
79         if (status)
80                 return;
81
82         clear_bit(HCI_PERIODIC_INQ, &hdev->dev_flags);
83
84         hci_conn_check_pending(hdev);
85 }
86
87 static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev,
88                                           struct sk_buff *skb)
89 {
90         BT_DBG("%s", hdev->name);
91 }
92
93 static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb)
94 {
95         struct hci_rp_role_discovery *rp = (void *) skb->data;
96         struct hci_conn *conn;
97
98         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
99
100         if (rp->status)
101                 return;
102
103         hci_dev_lock(hdev);
104
105         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
106         if (conn)
107                 conn->role = rp->role;
108
109         hci_dev_unlock(hdev);
110 }
111
112 static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
113 {
114         struct hci_rp_read_link_policy *rp = (void *) skb->data;
115         struct hci_conn *conn;
116
117         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
118
119         if (rp->status)
120                 return;
121
122         hci_dev_lock(hdev);
123
124         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
125         if (conn)
126                 conn->link_policy = __le16_to_cpu(rp->policy);
127
128         hci_dev_unlock(hdev);
129 }
130
131 static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
132 {
133         struct hci_rp_write_link_policy *rp = (void *) skb->data;
134         struct hci_conn *conn;
135         void *sent;
136
137         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
138
139         if (rp->status)
140                 return;
141
142         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
143         if (!sent)
144                 return;
145
146         hci_dev_lock(hdev);
147
148         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
149         if (conn)
150                 conn->link_policy = get_unaligned_le16(sent + 2);
151
152         hci_dev_unlock(hdev);
153 }
154
155 static void hci_cc_read_def_link_policy(struct hci_dev *hdev,
156                                         struct sk_buff *skb)
157 {
158         struct hci_rp_read_def_link_policy *rp = (void *) skb->data;
159
160         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
161
162         if (rp->status)
163                 return;
164
165         hdev->link_policy = __le16_to_cpu(rp->policy);
166 }
167
168 static void hci_cc_write_def_link_policy(struct hci_dev *hdev,
169                                          struct sk_buff *skb)
170 {
171         __u8 status = *((__u8 *) skb->data);
172         void *sent;
173
174         BT_DBG("%s status 0x%2.2x", hdev->name, status);
175
176         if (status)
177                 return;
178
179         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
180         if (!sent)
181                 return;
182
183         hdev->link_policy = get_unaligned_le16(sent);
184 }
185
186 static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb)
187 {
188         __u8 status = *((__u8 *) skb->data);
189
190         BT_DBG("%s status 0x%2.2x", hdev->name, status);
191
192         clear_bit(HCI_RESET, &hdev->flags);
193
194         if (status)
195                 return;
196
197         /* Reset all non-persistent flags */
198         hdev->dev_flags &= ~HCI_PERSISTENT_MASK;
199
200         hdev->discovery.state = DISCOVERY_STOPPED;
201         hdev->inq_tx_power = HCI_TX_POWER_INVALID;
202         hdev->adv_tx_power = HCI_TX_POWER_INVALID;
203
204         memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
205         hdev->adv_data_len = 0;
206
207         memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
208         hdev->scan_rsp_data_len = 0;
209
210         hdev->le_scan_type = LE_SCAN_PASSIVE;
211
212         hdev->ssp_debug_mode = 0;
213
214         hci_bdaddr_list_clear(&hdev->le_white_list);
215 }
216
217 static void hci_cc_read_stored_link_key(struct hci_dev *hdev,
218                                         struct sk_buff *skb)
219 {
220         struct hci_rp_read_stored_link_key *rp = (void *)skb->data;
221         struct hci_cp_read_stored_link_key *sent;
222
223         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
224
225         sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
226         if (!sent)
227                 return;
228
229         if (!rp->status && sent->read_all == 0x01) {
230                 hdev->stored_max_keys = rp->max_keys;
231                 hdev->stored_num_keys = rp->num_keys;
232         }
233 }
234
235 static void hci_cc_delete_stored_link_key(struct hci_dev *hdev,
236                                           struct sk_buff *skb)
237 {
238         struct hci_rp_delete_stored_link_key *rp = (void *)skb->data;
239
240         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
241
242         if (rp->status)
243                 return;
244
245         if (rp->num_keys <= hdev->stored_num_keys)
246                 hdev->stored_num_keys -= rp->num_keys;
247         else
248                 hdev->stored_num_keys = 0;
249 }
250
251 static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb)
252 {
253         __u8 status = *((__u8 *) skb->data);
254         void *sent;
255
256         BT_DBG("%s status 0x%2.2x", hdev->name, status);
257
258         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
259         if (!sent)
260                 return;
261
262         hci_dev_lock(hdev);
263
264         if (test_bit(HCI_MGMT, &hdev->dev_flags))
265                 mgmt_set_local_name_complete(hdev, sent, status);
266         else if (!status)
267                 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
268
269         hci_dev_unlock(hdev);
270 }
271
272 static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)
273 {
274         struct hci_rp_read_local_name *rp = (void *) skb->data;
275
276         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
277
278         if (rp->status)
279                 return;
280
281         if (test_bit(HCI_SETUP, &hdev->dev_flags) ||
282             test_bit(HCI_CONFIG, &hdev->dev_flags))
283                 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
284 }
285
286 static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb)
287 {
288         __u8 status = *((__u8 *) skb->data);
289         void *sent;
290
291         BT_DBG("%s status 0x%2.2x", hdev->name, status);
292
293         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
294         if (!sent)
295                 return;
296
297         hci_dev_lock(hdev);
298
299         if (!status) {
300                 __u8 param = *((__u8 *) sent);
301
302                 if (param == AUTH_ENABLED)
303                         set_bit(HCI_AUTH, &hdev->flags);
304                 else
305                         clear_bit(HCI_AUTH, &hdev->flags);
306         }
307
308         if (test_bit(HCI_MGMT, &hdev->dev_flags))
309                 mgmt_auth_enable_complete(hdev, status);
310
311         hci_dev_unlock(hdev);
312 }
313
314 static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb)
315 {
316         __u8 status = *((__u8 *) skb->data);
317         __u8 param;
318         void *sent;
319
320         BT_DBG("%s status 0x%2.2x", hdev->name, status);
321
322         if (status)
323                 return;
324
325         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
326         if (!sent)
327                 return;
328
329         param = *((__u8 *) sent);
330
331         if (param)
332                 set_bit(HCI_ENCRYPT, &hdev->flags);
333         else
334                 clear_bit(HCI_ENCRYPT, &hdev->flags);
335 }
336
337 static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb)
338 {
339         __u8 status = *((__u8 *) skb->data);
340         __u8 param;
341         void *sent;
342
343         BT_DBG("%s status 0x%2.2x", hdev->name, status);
344
345         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
346         if (!sent)
347                 return;
348
349         param = *((__u8 *) sent);
350
351         hci_dev_lock(hdev);
352
353         if (status) {
354                 hdev->discov_timeout = 0;
355                 goto done;
356         }
357
358         if (param & SCAN_INQUIRY)
359                 set_bit(HCI_ISCAN, &hdev->flags);
360         else
361                 clear_bit(HCI_ISCAN, &hdev->flags);
362
363         if (param & SCAN_PAGE)
364                 set_bit(HCI_PSCAN, &hdev->flags);
365         else
366                 clear_bit(HCI_PSCAN, &hdev->flags);
367
368 done:
369         hci_dev_unlock(hdev);
370 }
371
372 static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
373 {
374         struct hci_rp_read_class_of_dev *rp = (void *) skb->data;
375
376         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
377
378         if (rp->status)
379                 return;
380
381         memcpy(hdev->dev_class, rp->dev_class, 3);
382
383         BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name,
384                hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]);
385 }
386
387 static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
388 {
389         __u8 status = *((__u8 *) skb->data);
390         void *sent;
391
392         BT_DBG("%s status 0x%2.2x", hdev->name, status);
393
394         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
395         if (!sent)
396                 return;
397
398         hci_dev_lock(hdev);
399
400         if (status == 0)
401                 memcpy(hdev->dev_class, sent, 3);
402
403         if (test_bit(HCI_MGMT, &hdev->dev_flags))
404                 mgmt_set_class_of_dev_complete(hdev, sent, status);
405
406         hci_dev_unlock(hdev);
407 }
408
409 static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb)
410 {
411         struct hci_rp_read_voice_setting *rp = (void *) skb->data;
412         __u16 setting;
413
414         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
415
416         if (rp->status)
417                 return;
418
419         setting = __le16_to_cpu(rp->voice_setting);
420
421         if (hdev->voice_setting == setting)
422                 return;
423
424         hdev->voice_setting = setting;
425
426         BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
427
428         if (hdev->notify)
429                 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
430 }
431
432 static void hci_cc_write_voice_setting(struct hci_dev *hdev,
433                                        struct sk_buff *skb)
434 {
435         __u8 status = *((__u8 *) skb->data);
436         __u16 setting;
437         void *sent;
438
439         BT_DBG("%s status 0x%2.2x", hdev->name, status);
440
441         if (status)
442                 return;
443
444         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
445         if (!sent)
446                 return;
447
448         setting = get_unaligned_le16(sent);
449
450         if (hdev->voice_setting == setting)
451                 return;
452
453         hdev->voice_setting = setting;
454
455         BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
456
457         if (hdev->notify)
458                 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
459 }
460
461 static void hci_cc_read_num_supported_iac(struct hci_dev *hdev,
462                                           struct sk_buff *skb)
463 {
464         struct hci_rp_read_num_supported_iac *rp = (void *) skb->data;
465
466         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
467
468         if (rp->status)
469                 return;
470
471         hdev->num_iac = rp->num_iac;
472
473         BT_DBG("%s num iac %d", hdev->name, hdev->num_iac);
474 }
475
476 static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
477 {
478         __u8 status = *((__u8 *) skb->data);
479         struct hci_cp_write_ssp_mode *sent;
480
481         BT_DBG("%s status 0x%2.2x", hdev->name, status);
482
483         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
484         if (!sent)
485                 return;
486
487         hci_dev_lock(hdev);
488
489         if (!status) {
490                 if (sent->mode)
491                         hdev->features[1][0] |= LMP_HOST_SSP;
492                 else
493                         hdev->features[1][0] &= ~LMP_HOST_SSP;
494         }
495
496         if (test_bit(HCI_MGMT, &hdev->dev_flags))
497                 mgmt_ssp_enable_complete(hdev, sent->mode, status);
498         else if (!status) {
499                 if (sent->mode)
500                         set_bit(HCI_SSP_ENABLED, &hdev->dev_flags);
501                 else
502                         clear_bit(HCI_SSP_ENABLED, &hdev->dev_flags);
503         }
504
505         hci_dev_unlock(hdev);
506 }
507
508 static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb)
509 {
510         u8 status = *((u8 *) skb->data);
511         struct hci_cp_write_sc_support *sent;
512
513         BT_DBG("%s status 0x%2.2x", hdev->name, status);
514
515         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
516         if (!sent)
517                 return;
518
519         hci_dev_lock(hdev);
520
521         if (!status) {
522                 if (sent->support)
523                         hdev->features[1][0] |= LMP_HOST_SC;
524                 else
525                         hdev->features[1][0] &= ~LMP_HOST_SC;
526         }
527
528         if (!test_bit(HCI_MGMT, &hdev->dev_flags) && !status) {
529                 if (sent->support)
530                         set_bit(HCI_SC_ENABLED, &hdev->dev_flags);
531                 else
532                         clear_bit(HCI_SC_ENABLED, &hdev->dev_flags);
533         }
534
535         hci_dev_unlock(hdev);
536 }
537
538 static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb)
539 {
540         struct hci_rp_read_local_version *rp = (void *) skb->data;
541
542         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
543
544         if (rp->status)
545                 return;
546
547         if (test_bit(HCI_SETUP, &hdev->dev_flags) ||
548             test_bit(HCI_CONFIG, &hdev->dev_flags)) {
549                 hdev->hci_ver = rp->hci_ver;
550                 hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
551                 hdev->lmp_ver = rp->lmp_ver;
552                 hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
553                 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
554         }
555 }
556
557 static void hci_cc_read_local_commands(struct hci_dev *hdev,
558                                        struct sk_buff *skb)
559 {
560         struct hci_rp_read_local_commands *rp = (void *) skb->data;
561
562         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
563
564         if (rp->status)
565                 return;
566
567         if (test_bit(HCI_SETUP, &hdev->dev_flags) ||
568             test_bit(HCI_CONFIG, &hdev->dev_flags))
569                 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
570 }
571
572 static void hci_cc_read_local_features(struct hci_dev *hdev,
573                                        struct sk_buff *skb)
574 {
575         struct hci_rp_read_local_features *rp = (void *) skb->data;
576
577         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
578
579         if (rp->status)
580                 return;
581
582         memcpy(hdev->features, rp->features, 8);
583
584         /* Adjust default settings according to features
585          * supported by device. */
586
587         if (hdev->features[0][0] & LMP_3SLOT)
588                 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
589
590         if (hdev->features[0][0] & LMP_5SLOT)
591                 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
592
593         if (hdev->features[0][1] & LMP_HV2) {
594                 hdev->pkt_type  |= (HCI_HV2);
595                 hdev->esco_type |= (ESCO_HV2);
596         }
597
598         if (hdev->features[0][1] & LMP_HV3) {
599                 hdev->pkt_type  |= (HCI_HV3);
600                 hdev->esco_type |= (ESCO_HV3);
601         }
602
603         if (lmp_esco_capable(hdev))
604                 hdev->esco_type |= (ESCO_EV3);
605
606         if (hdev->features[0][4] & LMP_EV4)
607                 hdev->esco_type |= (ESCO_EV4);
608
609         if (hdev->features[0][4] & LMP_EV5)
610                 hdev->esco_type |= (ESCO_EV5);
611
612         if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
613                 hdev->esco_type |= (ESCO_2EV3);
614
615         if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
616                 hdev->esco_type |= (ESCO_3EV3);
617
618         if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
619                 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
620 }
621
622 static void hci_cc_read_local_ext_features(struct hci_dev *hdev,
623                                            struct sk_buff *skb)
624 {
625         struct hci_rp_read_local_ext_features *rp = (void *) skb->data;
626
627         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
628
629         if (rp->status)
630                 return;
631
632         if (hdev->max_page < rp->max_page)
633                 hdev->max_page = rp->max_page;
634
635         if (rp->page < HCI_MAX_PAGES)
636                 memcpy(hdev->features[rp->page], rp->features, 8);
637 }
638
639 static void hci_cc_read_flow_control_mode(struct hci_dev *hdev,
640                                           struct sk_buff *skb)
641 {
642         struct hci_rp_read_flow_control_mode *rp = (void *) skb->data;
643
644         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
645
646         if (rp->status)
647                 return;
648
649         hdev->flow_ctl_mode = rp->mode;
650 }
651
652 static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)
653 {
654         struct hci_rp_read_buffer_size *rp = (void *) skb->data;
655
656         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
657
658         if (rp->status)
659                 return;
660
661         hdev->acl_mtu  = __le16_to_cpu(rp->acl_mtu);
662         hdev->sco_mtu  = rp->sco_mtu;
663         hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
664         hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
665
666         if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
667                 hdev->sco_mtu  = 64;
668                 hdev->sco_pkts = 8;
669         }
670
671         hdev->acl_cnt = hdev->acl_pkts;
672         hdev->sco_cnt = hdev->sco_pkts;
673
674         BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
675                hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
676 }
677
678 static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb)
679 {
680         struct hci_rp_read_bd_addr *rp = (void *) skb->data;
681
682         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
683
684         if (rp->status)
685                 return;
686
687         if (test_bit(HCI_INIT, &hdev->flags))
688                 bacpy(&hdev->bdaddr, &rp->bdaddr);
689
690         if (test_bit(HCI_SETUP, &hdev->dev_flags))
691                 bacpy(&hdev->setup_addr, &rp->bdaddr);
692 }
693
694 static void hci_cc_read_page_scan_activity(struct hci_dev *hdev,
695                                            struct sk_buff *skb)
696 {
697         struct hci_rp_read_page_scan_activity *rp = (void *) skb->data;
698
699         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
700
701         if (rp->status)
702                 return;
703
704         if (test_bit(HCI_INIT, &hdev->flags)) {
705                 hdev->page_scan_interval = __le16_to_cpu(rp->interval);
706                 hdev->page_scan_window = __le16_to_cpu(rp->window);
707         }
708 }
709
710 static void hci_cc_write_page_scan_activity(struct hci_dev *hdev,
711                                             struct sk_buff *skb)
712 {
713         u8 status = *((u8 *) skb->data);
714         struct hci_cp_write_page_scan_activity *sent;
715
716         BT_DBG("%s status 0x%2.2x", hdev->name, status);
717
718         if (status)
719                 return;
720
721         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
722         if (!sent)
723                 return;
724
725         hdev->page_scan_interval = __le16_to_cpu(sent->interval);
726         hdev->page_scan_window = __le16_to_cpu(sent->window);
727 }
728
729 static void hci_cc_read_page_scan_type(struct hci_dev *hdev,
730                                            struct sk_buff *skb)
731 {
732         struct hci_rp_read_page_scan_type *rp = (void *) skb->data;
733
734         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
735
736         if (rp->status)
737                 return;
738
739         if (test_bit(HCI_INIT, &hdev->flags))
740                 hdev->page_scan_type = rp->type;
741 }
742
743 static void hci_cc_write_page_scan_type(struct hci_dev *hdev,
744                                         struct sk_buff *skb)
745 {
746         u8 status = *((u8 *) skb->data);
747         u8 *type;
748
749         BT_DBG("%s status 0x%2.2x", hdev->name, status);
750
751         if (status)
752                 return;
753
754         type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
755         if (type)
756                 hdev->page_scan_type = *type;
757 }
758
759 static void hci_cc_read_data_block_size(struct hci_dev *hdev,
760                                         struct sk_buff *skb)
761 {
762         struct hci_rp_read_data_block_size *rp = (void *) skb->data;
763
764         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
765
766         if (rp->status)
767                 return;
768
769         hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
770         hdev->block_len = __le16_to_cpu(rp->block_len);
771         hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
772
773         hdev->block_cnt = hdev->num_blocks;
774
775         BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
776                hdev->block_cnt, hdev->block_len);
777 }
778
779 static void hci_cc_read_clock(struct hci_dev *hdev, struct sk_buff *skb)
780 {
781         struct hci_rp_read_clock *rp = (void *) skb->data;
782         struct hci_cp_read_clock *cp;
783         struct hci_conn *conn;
784
785         BT_DBG("%s", hdev->name);
786
787         if (skb->len < sizeof(*rp))
788                 return;
789
790         if (rp->status)
791                 return;
792
793         hci_dev_lock(hdev);
794
795         cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
796         if (!cp)
797                 goto unlock;
798
799         if (cp->which == 0x00) {
800                 hdev->clock = le32_to_cpu(rp->clock);
801                 goto unlock;
802         }
803
804         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
805         if (conn) {
806                 conn->clock = le32_to_cpu(rp->clock);
807                 conn->clock_accuracy = le16_to_cpu(rp->accuracy);
808         }
809
810 unlock:
811         hci_dev_unlock(hdev);
812 }
813
814 static void hci_cc_read_local_amp_info(struct hci_dev *hdev,
815                                        struct sk_buff *skb)
816 {
817         struct hci_rp_read_local_amp_info *rp = (void *) skb->data;
818
819         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
820
821         if (rp->status)
822                 goto a2mp_rsp;
823
824         hdev->amp_status = rp->amp_status;
825         hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
826         hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
827         hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
828         hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
829         hdev->amp_type = rp->amp_type;
830         hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
831         hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
832         hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
833         hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
834
835 a2mp_rsp:
836         a2mp_send_getinfo_rsp(hdev);
837 }
838
839 static void hci_cc_read_local_amp_assoc(struct hci_dev *hdev,
840                                         struct sk_buff *skb)
841 {
842         struct hci_rp_read_local_amp_assoc *rp = (void *) skb->data;
843         struct amp_assoc *assoc = &hdev->loc_assoc;
844         size_t rem_len, frag_len;
845
846         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
847
848         if (rp->status)
849                 goto a2mp_rsp;
850
851         frag_len = skb->len - sizeof(*rp);
852         rem_len = __le16_to_cpu(rp->rem_len);
853
854         if (rem_len > frag_len) {
855                 BT_DBG("frag_len %zu rem_len %zu", frag_len, rem_len);
856
857                 memcpy(assoc->data + assoc->offset, rp->frag, frag_len);
858                 assoc->offset += frag_len;
859
860                 /* Read other fragments */
861                 amp_read_loc_assoc_frag(hdev, rp->phy_handle);
862
863                 return;
864         }
865
866         memcpy(assoc->data + assoc->offset, rp->frag, rem_len);
867         assoc->len = assoc->offset + rem_len;
868         assoc->offset = 0;
869
870 a2mp_rsp:
871         /* Send A2MP Rsp when all fragments are received */
872         a2mp_send_getampassoc_rsp(hdev, rp->status);
873         a2mp_send_create_phy_link_req(hdev, rp->status);
874 }
875
876 static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev,
877                                          struct sk_buff *skb)
878 {
879         struct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data;
880
881         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
882
883         if (rp->status)
884                 return;
885
886         hdev->inq_tx_power = rp->tx_power;
887 }
888
889 static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb)
890 {
891         struct hci_rp_pin_code_reply *rp = (void *) skb->data;
892         struct hci_cp_pin_code_reply *cp;
893         struct hci_conn *conn;
894
895         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
896
897         hci_dev_lock(hdev);
898
899         if (test_bit(HCI_MGMT, &hdev->dev_flags))
900                 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
901
902         if (rp->status)
903                 goto unlock;
904
905         cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
906         if (!cp)
907                 goto unlock;
908
909         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
910         if (conn)
911                 conn->pin_length = cp->pin_len;
912
913 unlock:
914         hci_dev_unlock(hdev);
915 }
916
917 static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)
918 {
919         struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data;
920
921         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
922
923         hci_dev_lock(hdev);
924
925         if (test_bit(HCI_MGMT, &hdev->dev_flags))
926                 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
927                                                  rp->status);
928
929         hci_dev_unlock(hdev);
930 }
931
932 static void hci_cc_le_read_buffer_size(struct hci_dev *hdev,
933                                        struct sk_buff *skb)
934 {
935         struct hci_rp_le_read_buffer_size *rp = (void *) skb->data;
936
937         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
938
939         if (rp->status)
940                 return;
941
942         hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
943         hdev->le_pkts = rp->le_max_pkt;
944
945         hdev->le_cnt = hdev->le_pkts;
946
947         BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
948 }
949
950 static void hci_cc_le_read_local_features(struct hci_dev *hdev,
951                                           struct sk_buff *skb)
952 {
953         struct hci_rp_le_read_local_features *rp = (void *) skb->data;
954
955         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
956
957         if (rp->status)
958                 return;
959
960         memcpy(hdev->le_features, rp->features, 8);
961 }
962
963 static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev,
964                                         struct sk_buff *skb)
965 {
966         struct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data;
967
968         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
969
970         if (rp->status)
971                 return;
972
973         hdev->adv_tx_power = rp->tx_power;
974 }
975
976 static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb)
977 {
978         struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
979
980         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
981
982         hci_dev_lock(hdev);
983
984         if (test_bit(HCI_MGMT, &hdev->dev_flags))
985                 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
986                                                  rp->status);
987
988         hci_dev_unlock(hdev);
989 }
990
991 static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev,
992                                           struct sk_buff *skb)
993 {
994         struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
995
996         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
997
998         hci_dev_lock(hdev);
999
1000         if (test_bit(HCI_MGMT, &hdev->dev_flags))
1001                 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
1002                                                      ACL_LINK, 0, rp->status);
1003
1004         hci_dev_unlock(hdev);
1005 }
1006
1007 static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb)
1008 {
1009         struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
1010
1011         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1012
1013         hci_dev_lock(hdev);
1014
1015         if (test_bit(HCI_MGMT, &hdev->dev_flags))
1016                 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
1017                                                  0, rp->status);
1018
1019         hci_dev_unlock(hdev);
1020 }
1021
1022 static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev,
1023                                           struct sk_buff *skb)
1024 {
1025         struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
1026
1027         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1028
1029         hci_dev_lock(hdev);
1030
1031         if (test_bit(HCI_MGMT, &hdev->dev_flags))
1032                 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
1033                                                      ACL_LINK, 0, rp->status);
1034
1035         hci_dev_unlock(hdev);
1036 }
1037
1038 static void hci_cc_read_local_oob_data(struct hci_dev *hdev,
1039                                        struct sk_buff *skb)
1040 {
1041         struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
1042
1043         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1044
1045         hci_dev_lock(hdev);
1046         mgmt_read_local_oob_data_complete(hdev, rp->hash, rp->rand, NULL, NULL,
1047                                           rp->status);
1048         hci_dev_unlock(hdev);
1049 }
1050
1051 static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev,
1052                                            struct sk_buff *skb)
1053 {
1054         struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
1055
1056         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1057
1058         hci_dev_lock(hdev);
1059         mgmt_read_local_oob_data_complete(hdev, rp->hash192, rp->rand192,
1060                                           rp->hash256, rp->rand256,
1061                                           rp->status);
1062         hci_dev_unlock(hdev);
1063 }
1064
1065
1066 static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb)
1067 {
1068         __u8 status = *((__u8 *) skb->data);
1069         bdaddr_t *sent;
1070
1071         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1072
1073         if (status)
1074                 return;
1075
1076         sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1077         if (!sent)
1078                 return;
1079
1080         hci_dev_lock(hdev);
1081
1082         bacpy(&hdev->random_addr, sent);
1083
1084         hci_dev_unlock(hdev);
1085 }
1086
1087 static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb)
1088 {
1089         __u8 *sent, status = *((__u8 *) skb->data);
1090
1091         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1092
1093         if (status)
1094                 return;
1095
1096         sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1097         if (!sent)
1098                 return;
1099
1100         hci_dev_lock(hdev);
1101
1102         /* If we're doing connection initiation as peripheral. Set a
1103          * timeout in case something goes wrong.
1104          */
1105         if (*sent) {
1106                 struct hci_conn *conn;
1107
1108                 set_bit(HCI_LE_ADV, &hdev->dev_flags);
1109
1110                 conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT);
1111                 if (conn)
1112                         queue_delayed_work(hdev->workqueue,
1113                                            &conn->le_conn_timeout,
1114                                            conn->conn_timeout);
1115         } else {
1116                 clear_bit(HCI_LE_ADV, &hdev->dev_flags);
1117         }
1118
1119         hci_dev_unlock(hdev);
1120 }
1121
1122 static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb)
1123 {
1124         struct hci_cp_le_set_scan_param *cp;
1125         __u8 status = *((__u8 *) skb->data);
1126
1127         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1128
1129         if (status)
1130                 return;
1131
1132         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1133         if (!cp)
1134                 return;
1135
1136         hci_dev_lock(hdev);
1137
1138         hdev->le_scan_type = cp->type;
1139
1140         hci_dev_unlock(hdev);
1141 }
1142
1143 static bool has_pending_adv_report(struct hci_dev *hdev)
1144 {
1145         struct discovery_state *d = &hdev->discovery;
1146
1147         return bacmp(&d->last_adv_addr, BDADDR_ANY);
1148 }
1149
1150 static void clear_pending_adv_report(struct hci_dev *hdev)
1151 {
1152         struct discovery_state *d = &hdev->discovery;
1153
1154         bacpy(&d->last_adv_addr, BDADDR_ANY);
1155         d->last_adv_data_len = 0;
1156 }
1157
1158 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1159                                      u8 bdaddr_type, s8 rssi, u32 flags,
1160                                      u8 *data, u8 len)
1161 {
1162         struct discovery_state *d = &hdev->discovery;
1163
1164         bacpy(&d->last_adv_addr, bdaddr);
1165         d->last_adv_addr_type = bdaddr_type;
1166         d->last_adv_rssi = rssi;
1167         d->last_adv_flags = flags;
1168         memcpy(d->last_adv_data, data, len);
1169         d->last_adv_data_len = len;
1170 }
1171
1172 static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
1173                                       struct sk_buff *skb)
1174 {
1175         struct hci_cp_le_set_scan_enable *cp;
1176         __u8 status = *((__u8 *) skb->data);
1177
1178         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1179
1180         if (status)
1181                 return;
1182
1183         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1184         if (!cp)
1185                 return;
1186
1187         hci_dev_lock(hdev);
1188
1189         switch (cp->enable) {
1190         case LE_SCAN_ENABLE:
1191                 set_bit(HCI_LE_SCAN, &hdev->dev_flags);
1192                 if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1193                         clear_pending_adv_report(hdev);
1194                 break;
1195
1196         case LE_SCAN_DISABLE:
1197                 /* We do this here instead of when setting DISCOVERY_STOPPED
1198                  * since the latter would potentially require waiting for
1199                  * inquiry to stop too.
1200                  */
1201                 if (has_pending_adv_report(hdev)) {
1202                         struct discovery_state *d = &hdev->discovery;
1203
1204                         mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1205                                           d->last_adv_addr_type, NULL,
1206                                           d->last_adv_rssi, d->last_adv_flags,
1207                                           d->last_adv_data,
1208                                           d->last_adv_data_len, NULL, 0);
1209                 }
1210
1211                 /* Cancel this timer so that we don't try to disable scanning
1212                  * when it's already disabled.
1213                  */
1214                 cancel_delayed_work(&hdev->le_scan_disable);
1215
1216                 clear_bit(HCI_LE_SCAN, &hdev->dev_flags);
1217
1218                 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1219                  * interrupted scanning due to a connect request. Mark
1220                  * therefore discovery as stopped. If this was not
1221                  * because of a connect request advertising might have
1222                  * been disabled because of active scanning, so
1223                  * re-enable it again if necessary.
1224                  */
1225                 if (test_and_clear_bit(HCI_LE_SCAN_INTERRUPTED,
1226                                        &hdev->dev_flags))
1227                         hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1228                 else if (!test_bit(HCI_LE_ADV, &hdev->dev_flags) &&
1229                          hdev->discovery.state == DISCOVERY_FINDING)
1230                         mgmt_reenable_advertising(hdev);
1231
1232                 break;
1233
1234         default:
1235                 BT_ERR("Used reserved LE_Scan_Enable param %d", cp->enable);
1236                 break;
1237         }
1238
1239         hci_dev_unlock(hdev);
1240 }
1241
1242 static void hci_cc_le_read_white_list_size(struct hci_dev *hdev,
1243                                            struct sk_buff *skb)
1244 {
1245         struct hci_rp_le_read_white_list_size *rp = (void *) skb->data;
1246
1247         BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1248
1249         if (rp->status)
1250                 return;
1251
1252         hdev->le_white_list_size = rp->size;
1253 }
1254
1255 static void hci_cc_le_clear_white_list(struct hci_dev *hdev,
1256                                        struct sk_buff *skb)
1257 {
1258         __u8 status = *((__u8 *) skb->data);
1259
1260         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1261
1262         if (status)
1263                 return;
1264
1265         hci_bdaddr_list_clear(&hdev->le_white_list);
1266 }
1267
1268 static void hci_cc_le_add_to_white_list(struct hci_dev *hdev,
1269                                         struct sk_buff *skb)
1270 {
1271         struct hci_cp_le_add_to_white_list *sent;
1272         __u8 status = *((__u8 *) skb->data);
1273
1274         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1275
1276         if (status)
1277                 return;
1278
1279         sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_WHITE_LIST);
1280         if (!sent)
1281                 return;
1282
1283         hci_bdaddr_list_add(&hdev->le_white_list, &sent->bdaddr,
1284                            sent->bdaddr_type);
1285 }
1286
1287 static void hci_cc_le_del_from_white_list(struct hci_dev *hdev,
1288                                           struct sk_buff *skb)
1289 {
1290         struct hci_cp_le_del_from_white_list *sent;
1291         __u8 status = *((__u8 *) skb->data);
1292
1293         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1294
1295         if (status)
1296                 return;
1297
1298         sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_WHITE_LIST);
1299         if (!sent)
1300                 return;
1301
1302         hci_bdaddr_list_del(&hdev->le_white_list, &sent->bdaddr,
1303                             sent->bdaddr_type);
1304 }
1305
1306 static void hci_cc_le_read_supported_states(struct hci_dev *hdev,
1307                                             struct sk_buff *skb)
1308 {
1309         struct hci_rp_le_read_supported_states *rp = (void *) skb->data;
1310
1311         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1312
1313         if (rp->status)
1314                 return;
1315
1316         memcpy(hdev->le_states, rp->le_states, 8);
1317 }
1318
1319 static void hci_cc_le_read_def_data_len(struct hci_dev *hdev,
1320                                         struct sk_buff *skb)
1321 {
1322         struct hci_rp_le_read_def_data_len *rp = (void *) skb->data;
1323
1324         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1325
1326         if (rp->status)
1327                 return;
1328
1329         hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
1330         hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
1331 }
1332
1333 static void hci_cc_le_write_def_data_len(struct hci_dev *hdev,
1334                                          struct sk_buff *skb)
1335 {
1336         struct hci_cp_le_write_def_data_len *sent;
1337         __u8 status = *((__u8 *) skb->data);
1338
1339         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1340
1341         if (status)
1342                 return;
1343
1344         sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
1345         if (!sent)
1346                 return;
1347
1348         hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
1349         hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
1350 }
1351
1352 static void hci_cc_le_read_max_data_len(struct hci_dev *hdev,
1353                                         struct sk_buff *skb)
1354 {
1355         struct hci_rp_le_read_max_data_len *rp = (void *) skb->data;
1356
1357         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1358
1359         if (rp->status)
1360                 return;
1361
1362         hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
1363         hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
1364         hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
1365         hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
1366 }
1367
1368 static void hci_cc_write_le_host_supported(struct hci_dev *hdev,
1369                                            struct sk_buff *skb)
1370 {
1371         struct hci_cp_write_le_host_supported *sent;
1372         __u8 status = *((__u8 *) skb->data);
1373
1374         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1375
1376         if (status)
1377                 return;
1378
1379         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
1380         if (!sent)
1381                 return;
1382
1383         hci_dev_lock(hdev);
1384
1385         if (sent->le) {
1386                 hdev->features[1][0] |= LMP_HOST_LE;
1387                 set_bit(HCI_LE_ENABLED, &hdev->dev_flags);
1388         } else {
1389                 hdev->features[1][0] &= ~LMP_HOST_LE;
1390                 clear_bit(HCI_LE_ENABLED, &hdev->dev_flags);
1391                 clear_bit(HCI_ADVERTISING, &hdev->dev_flags);
1392         }
1393
1394         if (sent->simul)
1395                 hdev->features[1][0] |= LMP_HOST_LE_BREDR;
1396         else
1397                 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
1398
1399         hci_dev_unlock(hdev);
1400 }
1401
1402 static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1403 {
1404         struct hci_cp_le_set_adv_param *cp;
1405         u8 status = *((u8 *) skb->data);
1406
1407         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1408
1409         if (status)
1410                 return;
1411
1412         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
1413         if (!cp)
1414                 return;
1415
1416         hci_dev_lock(hdev);
1417         hdev->adv_addr_type = cp->own_address_type;
1418         hci_dev_unlock(hdev);
1419 }
1420
1421 static void hci_cc_write_remote_amp_assoc(struct hci_dev *hdev,
1422                                           struct sk_buff *skb)
1423 {
1424         struct hci_rp_write_remote_amp_assoc *rp = (void *) skb->data;
1425
1426         BT_DBG("%s status 0x%2.2x phy_handle 0x%2.2x",
1427                hdev->name, rp->status, rp->phy_handle);
1428
1429         if (rp->status)
1430                 return;
1431
1432         amp_write_rem_assoc_continue(hdev, rp->phy_handle);
1433 }
1434
1435 static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb)
1436 {
1437         struct hci_rp_read_rssi *rp = (void *) skb->data;
1438         struct hci_conn *conn;
1439
1440         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1441
1442         if (rp->status)
1443                 return;
1444
1445         hci_dev_lock(hdev);
1446
1447         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1448         if (conn)
1449                 conn->rssi = rp->rssi;
1450
1451         hci_dev_unlock(hdev);
1452 }
1453
1454 static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb)
1455 {
1456         struct hci_cp_read_tx_power *sent;
1457         struct hci_rp_read_tx_power *rp = (void *) skb->data;
1458         struct hci_conn *conn;
1459
1460         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1461
1462         if (rp->status)
1463                 return;
1464
1465         sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
1466         if (!sent)
1467                 return;
1468
1469         hci_dev_lock(hdev);
1470
1471         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1472         if (!conn)
1473                 goto unlock;
1474
1475         switch (sent->type) {
1476         case 0x00:
1477                 conn->tx_power = rp->tx_power;
1478                 break;
1479         case 0x01:
1480                 conn->max_tx_power = rp->tx_power;
1481                 break;
1482         }
1483
1484 unlock:
1485         hci_dev_unlock(hdev);
1486 }
1487
1488 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
1489 {
1490         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1491
1492         if (status) {
1493                 hci_conn_check_pending(hdev);
1494                 return;
1495         }
1496
1497         set_bit(HCI_INQUIRY, &hdev->flags);
1498 }
1499
1500 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
1501 {
1502         struct hci_cp_create_conn *cp;
1503         struct hci_conn *conn;
1504
1505         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1506
1507         cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
1508         if (!cp)
1509                 return;
1510
1511         hci_dev_lock(hdev);
1512
1513         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1514
1515         BT_DBG("%s bdaddr %pMR hcon %p", hdev->name, &cp->bdaddr, conn);
1516
1517         if (status) {
1518                 if (conn && conn->state == BT_CONNECT) {
1519                         if (status != 0x0c || conn->attempt > 2) {
1520                                 conn->state = BT_CLOSED;
1521                                 hci_proto_connect_cfm(conn, status);
1522                                 hci_conn_del(conn);
1523                         } else
1524                                 conn->state = BT_CONNECT2;
1525                 }
1526         } else {
1527                 if (!conn) {
1528                         conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr,
1529                                             HCI_ROLE_MASTER);
1530                         if (!conn)
1531                                 BT_ERR("No memory for new connection");
1532                 }
1533         }
1534
1535         hci_dev_unlock(hdev);
1536 }
1537
1538 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
1539 {
1540         struct hci_cp_add_sco *cp;
1541         struct hci_conn *acl, *sco;
1542         __u16 handle;
1543
1544         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1545
1546         if (!status)
1547                 return;
1548
1549         cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
1550         if (!cp)
1551                 return;
1552
1553         handle = __le16_to_cpu(cp->handle);
1554
1555         BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1556
1557         hci_dev_lock(hdev);
1558
1559         acl = hci_conn_hash_lookup_handle(hdev, handle);
1560         if (acl) {
1561                 sco = acl->link;
1562                 if (sco) {
1563                         sco->state = BT_CLOSED;
1564
1565                         hci_proto_connect_cfm(sco, status);
1566                         hci_conn_del(sco);
1567                 }
1568         }
1569
1570         hci_dev_unlock(hdev);
1571 }
1572
1573 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
1574 {
1575         struct hci_cp_auth_requested *cp;
1576         struct hci_conn *conn;
1577
1578         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1579
1580         if (!status)
1581                 return;
1582
1583         cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
1584         if (!cp)
1585                 return;
1586
1587         hci_dev_lock(hdev);
1588
1589         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1590         if (conn) {
1591                 if (conn->state == BT_CONFIG) {
1592                         hci_proto_connect_cfm(conn, status);
1593                         hci_conn_drop(conn);
1594                 }
1595         }
1596
1597         hci_dev_unlock(hdev);
1598 }
1599
1600 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
1601 {
1602         struct hci_cp_set_conn_encrypt *cp;
1603         struct hci_conn *conn;
1604
1605         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1606
1607         if (!status)
1608                 return;
1609
1610         cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
1611         if (!cp)
1612                 return;
1613
1614         hci_dev_lock(hdev);
1615
1616         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1617         if (conn) {
1618                 if (conn->state == BT_CONFIG) {
1619                         hci_proto_connect_cfm(conn, status);
1620                         hci_conn_drop(conn);
1621                 }
1622         }
1623
1624         hci_dev_unlock(hdev);
1625 }
1626
1627 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
1628                                     struct hci_conn *conn)
1629 {
1630         if (conn->state != BT_CONFIG || !conn->out)
1631                 return 0;
1632
1633         if (conn->pending_sec_level == BT_SECURITY_SDP)
1634                 return 0;
1635
1636         /* Only request authentication for SSP connections or non-SSP
1637          * devices with sec_level MEDIUM or HIGH or if MITM protection
1638          * is requested.
1639          */
1640         if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
1641             conn->pending_sec_level != BT_SECURITY_FIPS &&
1642             conn->pending_sec_level != BT_SECURITY_HIGH &&
1643             conn->pending_sec_level != BT_SECURITY_MEDIUM)
1644                 return 0;
1645
1646         return 1;
1647 }
1648
1649 static int hci_resolve_name(struct hci_dev *hdev,
1650                                    struct inquiry_entry *e)
1651 {
1652         struct hci_cp_remote_name_req cp;
1653
1654         memset(&cp, 0, sizeof(cp));
1655
1656         bacpy(&cp.bdaddr, &e->data.bdaddr);
1657         cp.pscan_rep_mode = e->data.pscan_rep_mode;
1658         cp.pscan_mode = e->data.pscan_mode;
1659         cp.clock_offset = e->data.clock_offset;
1660
1661         return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
1662 }
1663
1664 static bool hci_resolve_next_name(struct hci_dev *hdev)
1665 {
1666         struct discovery_state *discov = &hdev->discovery;
1667         struct inquiry_entry *e;
1668
1669         if (list_empty(&discov->resolve))
1670                 return false;
1671
1672         e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
1673         if (!e)
1674                 return false;
1675
1676         if (hci_resolve_name(hdev, e) == 0) {
1677                 e->name_state = NAME_PENDING;
1678                 return true;
1679         }
1680
1681         return false;
1682 }
1683
1684 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
1685                                    bdaddr_t *bdaddr, u8 *name, u8 name_len)
1686 {
1687         struct discovery_state *discov = &hdev->discovery;
1688         struct inquiry_entry *e;
1689
1690         /* Update the mgmt connected state if necessary. Be careful with
1691          * conn objects that exist but are not (yet) connected however.
1692          * Only those in BT_CONFIG or BT_CONNECTED states can be
1693          * considered connected.
1694          */
1695         if (conn &&
1696             (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) &&
1697             !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
1698                 mgmt_device_connected(hdev, conn, 0, name, name_len);
1699
1700         if (discov->state == DISCOVERY_STOPPED)
1701                 return;
1702
1703         if (discov->state == DISCOVERY_STOPPING)
1704                 goto discov_complete;
1705
1706         if (discov->state != DISCOVERY_RESOLVING)
1707                 return;
1708
1709         e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
1710         /* If the device was not found in a list of found devices names of which
1711          * are pending. there is no need to continue resolving a next name as it
1712          * will be done upon receiving another Remote Name Request Complete
1713          * Event */
1714         if (!e)
1715                 return;
1716
1717         list_del(&e->list);
1718         if (name) {
1719                 e->name_state = NAME_KNOWN;
1720                 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,
1721                                  e->data.rssi, name, name_len);
1722         } else {
1723                 e->name_state = NAME_NOT_KNOWN;
1724         }
1725
1726         if (hci_resolve_next_name(hdev))
1727                 return;
1728
1729 discov_complete:
1730         hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1731 }
1732
1733 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
1734 {
1735         struct hci_cp_remote_name_req *cp;
1736         struct hci_conn *conn;
1737
1738         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1739
1740         /* If successful wait for the name req complete event before
1741          * checking for the need to do authentication */
1742         if (!status)
1743                 return;
1744
1745         cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
1746         if (!cp)
1747                 return;
1748
1749         hci_dev_lock(hdev);
1750
1751         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1752
1753         if (test_bit(HCI_MGMT, &hdev->dev_flags))
1754                 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
1755
1756         if (!conn)
1757                 goto unlock;
1758
1759         if (!hci_outgoing_auth_needed(hdev, conn))
1760                 goto unlock;
1761
1762         if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
1763                 struct hci_cp_auth_requested auth_cp;
1764
1765                 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
1766
1767                 auth_cp.handle = __cpu_to_le16(conn->handle);
1768                 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
1769                              sizeof(auth_cp), &auth_cp);
1770         }
1771
1772 unlock:
1773         hci_dev_unlock(hdev);
1774 }
1775
1776 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
1777 {
1778         struct hci_cp_read_remote_features *cp;
1779         struct hci_conn *conn;
1780
1781         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1782
1783         if (!status)
1784                 return;
1785
1786         cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
1787         if (!cp)
1788                 return;
1789
1790         hci_dev_lock(hdev);
1791
1792         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1793         if (conn) {
1794                 if (conn->state == BT_CONFIG) {
1795                         hci_proto_connect_cfm(conn, status);
1796                         hci_conn_drop(conn);
1797                 }
1798         }
1799
1800         hci_dev_unlock(hdev);
1801 }
1802
1803 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
1804 {
1805         struct hci_cp_read_remote_ext_features *cp;
1806         struct hci_conn *conn;
1807
1808         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1809
1810         if (!status)
1811                 return;
1812
1813         cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
1814         if (!cp)
1815                 return;
1816
1817         hci_dev_lock(hdev);
1818
1819         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1820         if (conn) {
1821                 if (conn->state == BT_CONFIG) {
1822                         hci_proto_connect_cfm(conn, status);
1823                         hci_conn_drop(conn);
1824                 }
1825         }
1826
1827         hci_dev_unlock(hdev);
1828 }
1829
1830 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
1831 {
1832         struct hci_cp_setup_sync_conn *cp;
1833         struct hci_conn *acl, *sco;
1834         __u16 handle;
1835
1836         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1837
1838         if (!status)
1839                 return;
1840
1841         cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
1842         if (!cp)
1843                 return;
1844
1845         handle = __le16_to_cpu(cp->handle);
1846
1847         BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1848
1849         hci_dev_lock(hdev);
1850
1851         acl = hci_conn_hash_lookup_handle(hdev, handle);
1852         if (acl) {
1853                 sco = acl->link;
1854                 if (sco) {
1855                         sco->state = BT_CLOSED;
1856
1857                         hci_proto_connect_cfm(sco, status);
1858                         hci_conn_del(sco);
1859                 }
1860         }
1861
1862         hci_dev_unlock(hdev);
1863 }
1864
1865 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
1866 {
1867         struct hci_cp_sniff_mode *cp;
1868         struct hci_conn *conn;
1869
1870         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1871
1872         if (!status)
1873                 return;
1874
1875         cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
1876         if (!cp)
1877                 return;
1878
1879         hci_dev_lock(hdev);
1880
1881         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1882         if (conn) {
1883                 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
1884
1885                 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
1886                         hci_sco_setup(conn, status);
1887         }
1888
1889         hci_dev_unlock(hdev);
1890 }
1891
1892 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
1893 {
1894         struct hci_cp_exit_sniff_mode *cp;
1895         struct hci_conn *conn;
1896
1897         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1898
1899         if (!status)
1900                 return;
1901
1902         cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
1903         if (!cp)
1904                 return;
1905
1906         hci_dev_lock(hdev);
1907
1908         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1909         if (conn) {
1910                 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
1911
1912                 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
1913                         hci_sco_setup(conn, status);
1914         }
1915
1916         hci_dev_unlock(hdev);
1917 }
1918
1919 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
1920 {
1921         struct hci_cp_disconnect *cp;
1922         struct hci_conn *conn;
1923
1924         if (!status)
1925                 return;
1926
1927         cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
1928         if (!cp)
1929                 return;
1930
1931         hci_dev_lock(hdev);
1932
1933         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1934         if (conn)
1935                 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
1936                                        conn->dst_type, status);
1937
1938         hci_dev_unlock(hdev);
1939 }
1940
1941 static void hci_cs_create_phylink(struct hci_dev *hdev, u8 status)
1942 {
1943         struct hci_cp_create_phy_link *cp;
1944
1945         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1946
1947         cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_PHY_LINK);
1948         if (!cp)
1949                 return;
1950
1951         hci_dev_lock(hdev);
1952
1953         if (status) {
1954                 struct hci_conn *hcon;
1955
1956                 hcon = hci_conn_hash_lookup_handle(hdev, cp->phy_handle);
1957                 if (hcon)
1958                         hci_conn_del(hcon);
1959         } else {
1960                 amp_write_remote_assoc(hdev, cp->phy_handle);
1961         }
1962
1963         hci_dev_unlock(hdev);
1964 }
1965
1966 static void hci_cs_accept_phylink(struct hci_dev *hdev, u8 status)
1967 {
1968         struct hci_cp_accept_phy_link *cp;
1969
1970         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1971
1972         if (status)
1973                 return;
1974
1975         cp = hci_sent_cmd_data(hdev, HCI_OP_ACCEPT_PHY_LINK);
1976         if (!cp)
1977                 return;
1978
1979         amp_write_remote_assoc(hdev, cp->phy_handle);
1980 }
1981
1982 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
1983 {
1984         struct hci_cp_le_create_conn *cp;
1985         struct hci_conn *conn;
1986
1987         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1988
1989         /* All connection failure handling is taken care of by the
1990          * hci_le_conn_failed function which is triggered by the HCI
1991          * request completion callbacks used for connecting.
1992          */
1993         if (status)
1994                 return;
1995
1996         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
1997         if (!cp)
1998                 return;
1999
2000         hci_dev_lock(hdev);
2001
2002         conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->peer_addr);
2003         if (!conn)
2004                 goto unlock;
2005
2006         /* Store the initiator and responder address information which
2007          * is needed for SMP. These values will not change during the
2008          * lifetime of the connection.
2009          */
2010         conn->init_addr_type = cp->own_address_type;
2011         if (cp->own_address_type == ADDR_LE_DEV_RANDOM)
2012                 bacpy(&conn->init_addr, &hdev->random_addr);
2013         else
2014                 bacpy(&conn->init_addr, &hdev->bdaddr);
2015
2016         conn->resp_addr_type = cp->peer_addr_type;
2017         bacpy(&conn->resp_addr, &cp->peer_addr);
2018
2019         /* We don't want the connection attempt to stick around
2020          * indefinitely since LE doesn't have a page timeout concept
2021          * like BR/EDR. Set a timer for any connection that doesn't use
2022          * the white list for connecting.
2023          */
2024         if (cp->filter_policy == HCI_LE_USE_PEER_ADDR)
2025                 queue_delayed_work(conn->hdev->workqueue,
2026                                    &conn->le_conn_timeout,
2027                                    conn->conn_timeout);
2028
2029 unlock:
2030         hci_dev_unlock(hdev);
2031 }
2032
2033 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
2034 {
2035         struct hci_cp_le_start_enc *cp;
2036         struct hci_conn *conn;
2037
2038         BT_DBG("%s status 0x%2.2x", hdev->name, status);
2039
2040         if (!status)
2041                 return;
2042
2043         hci_dev_lock(hdev);
2044
2045         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
2046         if (!cp)
2047                 goto unlock;
2048
2049         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2050         if (!conn)
2051                 goto unlock;
2052
2053         if (conn->state != BT_CONNECTED)
2054                 goto unlock;
2055
2056         hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2057         hci_conn_drop(conn);
2058
2059 unlock:
2060         hci_dev_unlock(hdev);
2061 }
2062
2063 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
2064 {
2065         struct hci_cp_switch_role *cp;
2066         struct hci_conn *conn;
2067
2068         BT_DBG("%s status 0x%2.2x", hdev->name, status);
2069
2070         if (!status)
2071                 return;
2072
2073         cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
2074         if (!cp)
2075                 return;
2076
2077         hci_dev_lock(hdev);
2078
2079         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2080         if (conn)
2081                 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
2082
2083         hci_dev_unlock(hdev);
2084 }
2085
2086 static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2087 {
2088         __u8 status = *((__u8 *) skb->data);
2089         struct discovery_state *discov = &hdev->discovery;
2090         struct inquiry_entry *e;
2091
2092         BT_DBG("%s status 0x%2.2x", hdev->name, status);
2093
2094         hci_conn_check_pending(hdev);
2095
2096         if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
2097                 return;
2098
2099         smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
2100         wake_up_bit(&hdev->flags, HCI_INQUIRY);
2101
2102         if (!test_bit(HCI_MGMT, &hdev->dev_flags))
2103                 return;
2104
2105         hci_dev_lock(hdev);
2106
2107         if (discov->state != DISCOVERY_FINDING)
2108                 goto unlock;
2109
2110         if (list_empty(&discov->resolve)) {
2111                 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2112                 goto unlock;
2113         }
2114
2115         e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2116         if (e && hci_resolve_name(hdev, e) == 0) {
2117                 e->name_state = NAME_PENDING;
2118                 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
2119         } else {
2120                 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2121         }
2122
2123 unlock:
2124         hci_dev_unlock(hdev);
2125 }
2126
2127 static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
2128 {
2129         struct inquiry_data data;
2130         struct inquiry_info *info = (void *) (skb->data + 1);
2131         int num_rsp = *((__u8 *) skb->data);
2132
2133         BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
2134
2135         if (!num_rsp)
2136                 return;
2137
2138         if (test_bit(HCI_PERIODIC_INQ, &hdev->dev_flags))
2139                 return;
2140
2141         hci_dev_lock(hdev);
2142
2143         for (; num_rsp; num_rsp--, info++) {
2144                 u32 flags;
2145
2146                 bacpy(&data.bdaddr, &info->bdaddr);
2147                 data.pscan_rep_mode     = info->pscan_rep_mode;
2148                 data.pscan_period_mode  = info->pscan_period_mode;
2149                 data.pscan_mode         = info->pscan_mode;
2150                 memcpy(data.dev_class, info->dev_class, 3);
2151                 data.clock_offset       = info->clock_offset;
2152                 data.rssi               = HCI_RSSI_INVALID;
2153                 data.ssp_mode           = 0x00;
2154
2155                 flags = hci_inquiry_cache_update(hdev, &data, false);
2156
2157                 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
2158                                   info->dev_class, HCI_RSSI_INVALID,
2159                                   flags, NULL, 0, NULL, 0);
2160         }
2161
2162         hci_dev_unlock(hdev);
2163 }
2164
2165 static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2166 {
2167         struct hci_ev_conn_complete *ev = (void *) skb->data;
2168         struct hci_conn *conn;
2169
2170         BT_DBG("%s", hdev->name);
2171
2172         hci_dev_lock(hdev);
2173
2174         conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
2175         if (!conn) {
2176                 if (ev->link_type != SCO_LINK)
2177                         goto unlock;
2178
2179                 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
2180                 if (!conn)
2181                         goto unlock;
2182
2183                 conn->type = SCO_LINK;
2184         }
2185
2186         if (!ev->status) {
2187                 conn->handle = __le16_to_cpu(ev->handle);
2188
2189                 if (conn->type == ACL_LINK) {
2190                         conn->state = BT_CONFIG;
2191                         hci_conn_hold(conn);
2192
2193                         if (!conn->out && !hci_conn_ssp_enabled(conn) &&
2194                             !hci_find_link_key(hdev, &ev->bdaddr))
2195                                 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
2196                         else
2197                                 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2198                 } else
2199                         conn->state = BT_CONNECTED;
2200
2201                 hci_debugfs_create_conn(conn);
2202                 hci_conn_add_sysfs(conn);
2203
2204                 if (test_bit(HCI_AUTH, &hdev->flags))
2205                         set_bit(HCI_CONN_AUTH, &conn->flags);
2206
2207                 if (test_bit(HCI_ENCRYPT, &hdev->flags))
2208                         set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2209
2210                 /* Get remote features */
2211                 if (conn->type == ACL_LINK) {
2212                         struct hci_cp_read_remote_features cp;
2213                         cp.handle = ev->handle;
2214                         hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
2215                                      sizeof(cp), &cp);
2216
2217                         hci_update_page_scan(hdev);
2218                 }
2219
2220                 /* Set packet type for incoming connection */
2221                 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
2222                         struct hci_cp_change_conn_ptype cp;
2223                         cp.handle = ev->handle;
2224                         cp.pkt_type = cpu_to_le16(conn->pkt_type);
2225                         hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
2226                                      &cp);
2227                 }
2228         } else {
2229                 conn->state = BT_CLOSED;
2230                 if (conn->type == ACL_LINK)
2231                         mgmt_connect_failed(hdev, &conn->dst, conn->type,
2232                                             conn->dst_type, ev->status);
2233         }
2234
2235         if (conn->type == ACL_LINK)
2236                 hci_sco_setup(conn, ev->status);
2237
2238         if (ev->status) {
2239                 hci_proto_connect_cfm(conn, ev->status);
2240                 hci_conn_del(conn);
2241         } else if (ev->link_type != ACL_LINK)
2242                 hci_proto_connect_cfm(conn, ev->status);
2243
2244 unlock:
2245         hci_dev_unlock(hdev);
2246
2247         hci_conn_check_pending(hdev);
2248 }
2249
2250 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
2251 {
2252         struct hci_cp_reject_conn_req cp;
2253
2254         bacpy(&cp.bdaddr, bdaddr);
2255         cp.reason = HCI_ERROR_REJ_BAD_ADDR;
2256         hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
2257 }
2258
2259 static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2260 {
2261         struct hci_ev_conn_request *ev = (void *) skb->data;
2262         int mask = hdev->link_mode;
2263         struct inquiry_entry *ie;
2264         struct hci_conn *conn;
2265         __u8 flags = 0;
2266
2267         BT_DBG("%s bdaddr %pMR type 0x%x", hdev->name, &ev->bdaddr,
2268                ev->link_type);
2269
2270         mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
2271                                       &flags);
2272
2273         if (!(mask & HCI_LM_ACCEPT)) {
2274                 hci_reject_conn(hdev, &ev->bdaddr);
2275                 return;
2276         }
2277
2278         if (hci_bdaddr_list_lookup(&hdev->blacklist, &ev->bdaddr,
2279                                    BDADDR_BREDR)) {
2280                 hci_reject_conn(hdev, &ev->bdaddr);
2281                 return;
2282         }
2283
2284         /* Require HCI_CONNECTABLE or a whitelist entry to accept the
2285          * connection. These features are only touched through mgmt so
2286          * only do the checks if HCI_MGMT is set.
2287          */
2288         if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
2289             !test_bit(HCI_CONNECTABLE, &hdev->dev_flags) &&
2290             !hci_bdaddr_list_lookup(&hdev->whitelist, &ev->bdaddr,
2291                                     BDADDR_BREDR)) {
2292                     hci_reject_conn(hdev, &ev->bdaddr);
2293                     return;
2294         }
2295
2296         /* Connection accepted */
2297
2298         hci_dev_lock(hdev);
2299
2300         ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
2301         if (ie)
2302                 memcpy(ie->data.dev_class, ev->dev_class, 3);
2303
2304         conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
2305                         &ev->bdaddr);
2306         if (!conn) {
2307                 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,
2308                                     HCI_ROLE_SLAVE);
2309                 if (!conn) {
2310                         BT_ERR("No memory for new connection");
2311                         hci_dev_unlock(hdev);
2312                         return;
2313                 }
2314         }
2315
2316         memcpy(conn->dev_class, ev->dev_class, 3);
2317
2318         hci_dev_unlock(hdev);
2319
2320         if (ev->link_type == ACL_LINK ||
2321             (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
2322                 struct hci_cp_accept_conn_req cp;
2323                 conn->state = BT_CONNECT;
2324
2325                 bacpy(&cp.bdaddr, &ev->bdaddr);
2326
2327                 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
2328                         cp.role = 0x00; /* Become master */
2329                 else
2330                         cp.role = 0x01; /* Remain slave */
2331
2332                 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
2333         } else if (!(flags & HCI_PROTO_DEFER)) {
2334                 struct hci_cp_accept_sync_conn_req cp;
2335                 conn->state = BT_CONNECT;
2336
2337                 bacpy(&cp.bdaddr, &ev->bdaddr);
2338                 cp.pkt_type = cpu_to_le16(conn->pkt_type);
2339
2340                 cp.tx_bandwidth   = cpu_to_le32(0x00001f40);
2341                 cp.rx_bandwidth   = cpu_to_le32(0x00001f40);
2342                 cp.max_latency    = cpu_to_le16(0xffff);
2343                 cp.content_format = cpu_to_le16(hdev->voice_setting);
2344                 cp.retrans_effort = 0xff;
2345
2346                 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
2347                              &cp);
2348         } else {
2349                 conn->state = BT_CONNECT2;
2350                 hci_proto_connect_cfm(conn, 0);
2351         }
2352 }
2353
2354 static u8 hci_to_mgmt_reason(u8 err)
2355 {
2356         switch (err) {
2357         case HCI_ERROR_CONNECTION_TIMEOUT:
2358                 return MGMT_DEV_DISCONN_TIMEOUT;
2359         case HCI_ERROR_REMOTE_USER_TERM:
2360         case HCI_ERROR_REMOTE_LOW_RESOURCES:
2361         case HCI_ERROR_REMOTE_POWER_OFF:
2362                 return MGMT_DEV_DISCONN_REMOTE;
2363         case HCI_ERROR_LOCAL_HOST_TERM:
2364                 return MGMT_DEV_DISCONN_LOCAL_HOST;
2365         default:
2366                 return MGMT_DEV_DISCONN_UNKNOWN;
2367         }
2368 }
2369
2370 static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2371 {
2372         struct hci_ev_disconn_complete *ev = (void *) skb->data;
2373         u8 reason = hci_to_mgmt_reason(ev->reason);
2374         struct hci_conn_params *params;
2375         struct hci_conn *conn;
2376         bool mgmt_connected;
2377         u8 type;
2378
2379         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2380
2381         hci_dev_lock(hdev);
2382
2383         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2384         if (!conn)
2385                 goto unlock;
2386
2387         if (ev->status) {
2388                 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2389                                        conn->dst_type, ev->status);
2390                 goto unlock;
2391         }
2392
2393         conn->state = BT_CLOSED;
2394
2395         mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2396         mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2397                                 reason, mgmt_connected);
2398
2399         if (conn->type == ACL_LINK) {
2400                 if (test_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2401                         hci_remove_link_key(hdev, &conn->dst);
2402
2403                 hci_update_page_scan(hdev);
2404         }
2405
2406         params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2407         if (params) {
2408                 switch (params->auto_connect) {
2409                 case HCI_AUTO_CONN_LINK_LOSS:
2410                         if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2411                                 break;
2412                         /* Fall through */
2413
2414                 case HCI_AUTO_CONN_DIRECT:
2415                 case HCI_AUTO_CONN_ALWAYS:
2416                         list_del_init(&params->action);
2417                         list_add(&params->action, &hdev->pend_le_conns);
2418                         hci_update_background_scan(hdev);
2419                         break;
2420
2421                 default:
2422                         break;
2423                 }
2424         }
2425
2426         type = conn->type;
2427
2428         hci_proto_disconn_cfm(conn, ev->reason);
2429         hci_conn_del(conn);
2430
2431         /* Re-enable advertising if necessary, since it might
2432          * have been disabled by the connection. From the
2433          * HCI_LE_Set_Advertise_Enable command description in
2434          * the core specification (v4.0):
2435          * "The Controller shall continue advertising until the Host
2436          * issues an LE_Set_Advertise_Enable command with
2437          * Advertising_Enable set to 0x00 (Advertising is disabled)
2438          * or until a connection is created or until the Advertising
2439          * is timed out due to Directed Advertising."
2440          */
2441         if (type == LE_LINK)
2442                 mgmt_reenable_advertising(hdev);
2443
2444 unlock:
2445         hci_dev_unlock(hdev);
2446 }
2447
2448 static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2449 {
2450         struct hci_ev_auth_complete *ev = (void *) skb->data;
2451         struct hci_conn *conn;
2452
2453         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2454
2455         hci_dev_lock(hdev);
2456
2457         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2458         if (!conn)
2459                 goto unlock;
2460
2461         if (!ev->status) {
2462                 if (!hci_conn_ssp_enabled(conn) &&
2463                     test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) {
2464                         BT_INFO("re-auth of legacy device is not possible.");
2465                 } else {
2466                         set_bit(HCI_CONN_AUTH, &conn->flags);
2467                         conn->sec_level = conn->pending_sec_level;
2468                 }
2469         } else {
2470                 mgmt_auth_failed(conn, ev->status);
2471         }
2472
2473         clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2474         clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
2475
2476         if (conn->state == BT_CONFIG) {
2477                 if (!ev->status && hci_conn_ssp_enabled(conn)) {
2478                         struct hci_cp_set_conn_encrypt cp;
2479                         cp.handle  = ev->handle;
2480                         cp.encrypt = 0x01;
2481                         hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2482                                      &cp);
2483                 } else {
2484                         conn->state = BT_CONNECTED;
2485                         hci_proto_connect_cfm(conn, ev->status);
2486                         hci_conn_drop(conn);
2487                 }
2488         } else {
2489                 hci_auth_cfm(conn, ev->status);
2490
2491                 hci_conn_hold(conn);
2492                 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2493                 hci_conn_drop(conn);
2494         }
2495
2496         if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2497                 if (!ev->status) {
2498                         struct hci_cp_set_conn_encrypt cp;
2499                         cp.handle  = ev->handle;
2500                         cp.encrypt = 0x01;
2501                         hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2502                                      &cp);
2503                 } else {
2504                         clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2505                         hci_encrypt_cfm(conn, ev->status, 0x00);
2506                 }
2507         }
2508
2509 unlock:
2510         hci_dev_unlock(hdev);
2511 }
2512
2513 static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb)
2514 {
2515         struct hci_ev_remote_name *ev = (void *) skb->data;
2516         struct hci_conn *conn;
2517
2518         BT_DBG("%s", hdev->name);
2519
2520         hci_conn_check_pending(hdev);
2521
2522         hci_dev_lock(hdev);
2523
2524         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2525
2526         if (!test_bit(HCI_MGMT, &hdev->dev_flags))
2527                 goto check_auth;
2528
2529         if (ev->status == 0)
2530                 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
2531                                        strnlen(ev->name, HCI_MAX_NAME_LENGTH));
2532         else
2533                 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
2534
2535 check_auth:
2536         if (!conn)
2537                 goto unlock;
2538
2539         if (!hci_outgoing_auth_needed(hdev, conn))
2540                 goto unlock;
2541
2542         if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2543                 struct hci_cp_auth_requested cp;
2544
2545                 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2546
2547                 cp.handle = __cpu_to_le16(conn->handle);
2548                 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
2549         }
2550
2551 unlock:
2552         hci_dev_unlock(hdev);
2553 }
2554
2555 static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2556 {
2557         struct hci_ev_encrypt_change *ev = (void *) skb->data;
2558         struct hci_conn *conn;
2559
2560         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2561
2562         hci_dev_lock(hdev);
2563
2564         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2565         if (!conn)
2566                 goto unlock;
2567
2568         if (!ev->status) {
2569                 if (ev->encrypt) {
2570                         /* Encryption implies authentication */
2571                         set_bit(HCI_CONN_AUTH, &conn->flags);
2572                         set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2573                         conn->sec_level = conn->pending_sec_level;
2574
2575                         /* P-256 authentication key implies FIPS */
2576                         if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
2577                                 set_bit(HCI_CONN_FIPS, &conn->flags);
2578
2579                         if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
2580                             conn->type == LE_LINK)
2581                                 set_bit(HCI_CONN_AES_CCM, &conn->flags);
2582                 } else {
2583                         clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
2584                         clear_bit(HCI_CONN_AES_CCM, &conn->flags);
2585                 }
2586         }
2587
2588         /* We should disregard the current RPA and generate a new one
2589          * whenever the encryption procedure fails.
2590          */
2591         if (ev->status && conn->type == LE_LINK)
2592                 set_bit(HCI_RPA_EXPIRED, &hdev->dev_flags);
2593
2594         clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2595
2596         if (ev->status && conn->state == BT_CONNECTED) {
2597                 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2598                 hci_conn_drop(conn);
2599                 goto unlock;
2600         }
2601
2602         if (conn->state == BT_CONFIG) {
2603                 if (!ev->status)
2604                         conn->state = BT_CONNECTED;
2605
2606                 /* In Secure Connections Only mode, do not allow any
2607                  * connections that are not encrypted with AES-CCM
2608                  * using a P-256 authenticated combination key.
2609                  */
2610                 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) &&
2611                     (!test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
2612                      conn->key_type != HCI_LK_AUTH_COMBINATION_P256)) {
2613                         hci_proto_connect_cfm(conn, HCI_ERROR_AUTH_FAILURE);
2614                         hci_conn_drop(conn);
2615                         goto unlock;
2616                 }
2617
2618                 hci_proto_connect_cfm(conn, ev->status);
2619                 hci_conn_drop(conn);
2620         } else
2621                 hci_encrypt_cfm(conn, ev->status, ev->encrypt);
2622
2623 unlock:
2624         hci_dev_unlock(hdev);
2625 }
2626
2627 static void hci_change_link_key_complete_evt(struct hci_dev *hdev,
2628                                              struct sk_buff *skb)
2629 {
2630         struct hci_ev_change_link_key_complete *ev = (void *) skb->data;
2631         struct hci_conn *conn;
2632
2633         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2634
2635         hci_dev_lock(hdev);
2636
2637         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2638         if (conn) {
2639                 if (!ev->status)
2640                         set_bit(HCI_CONN_SECURE, &conn->flags);
2641
2642                 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2643
2644                 hci_key_change_cfm(conn, ev->status);
2645         }
2646
2647         hci_dev_unlock(hdev);
2648 }
2649
2650 static void hci_remote_features_evt(struct hci_dev *hdev,
2651                                     struct sk_buff *skb)
2652 {
2653         struct hci_ev_remote_features *ev = (void *) skb->data;
2654         struct hci_conn *conn;
2655
2656         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2657
2658         hci_dev_lock(hdev);
2659
2660         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2661         if (!conn)
2662                 goto unlock;
2663
2664         if (!ev->status)
2665                 memcpy(conn->features[0], ev->features, 8);
2666
2667         if (conn->state != BT_CONFIG)
2668                 goto unlock;
2669
2670         if (!ev->status && lmp_ssp_capable(hdev) && lmp_ssp_capable(conn)) {
2671                 struct hci_cp_read_remote_ext_features cp;
2672                 cp.handle = ev->handle;
2673                 cp.page = 0x01;
2674                 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
2675                              sizeof(cp), &cp);
2676                 goto unlock;
2677         }
2678
2679         if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
2680                 struct hci_cp_remote_name_req cp;
2681                 memset(&cp, 0, sizeof(cp));
2682                 bacpy(&cp.bdaddr, &conn->dst);
2683                 cp.pscan_rep_mode = 0x02;
2684                 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2685         } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2686                 mgmt_device_connected(hdev, conn, 0, NULL, 0);
2687
2688         if (!hci_outgoing_auth_needed(hdev, conn)) {
2689                 conn->state = BT_CONNECTED;
2690                 hci_proto_connect_cfm(conn, ev->status);
2691                 hci_conn_drop(conn);
2692         }
2693
2694 unlock:
2695         hci_dev_unlock(hdev);
2696 }
2697
2698 static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2699 {
2700         struct hci_ev_cmd_complete *ev = (void *) skb->data;
2701         u8 status = skb->data[sizeof(*ev)];
2702         __u16 opcode;
2703
2704         skb_pull(skb, sizeof(*ev));
2705
2706         opcode = __le16_to_cpu(ev->opcode);
2707
2708         switch (opcode) {
2709         case HCI_OP_INQUIRY_CANCEL:
2710                 hci_cc_inquiry_cancel(hdev, skb);
2711                 break;
2712
2713         case HCI_OP_PERIODIC_INQ:
2714                 hci_cc_periodic_inq(hdev, skb);
2715                 break;
2716
2717         case HCI_OP_EXIT_PERIODIC_INQ:
2718                 hci_cc_exit_periodic_inq(hdev, skb);
2719                 break;
2720
2721         case HCI_OP_REMOTE_NAME_REQ_CANCEL:
2722                 hci_cc_remote_name_req_cancel(hdev, skb);
2723                 break;
2724
2725         case HCI_OP_ROLE_DISCOVERY:
2726                 hci_cc_role_discovery(hdev, skb);
2727                 break;
2728
2729         case HCI_OP_READ_LINK_POLICY:
2730                 hci_cc_read_link_policy(hdev, skb);
2731                 break;
2732
2733         case HCI_OP_WRITE_LINK_POLICY:
2734                 hci_cc_write_link_policy(hdev, skb);
2735                 break;
2736
2737         case HCI_OP_READ_DEF_LINK_POLICY:
2738                 hci_cc_read_def_link_policy(hdev, skb);
2739                 break;
2740
2741         case HCI_OP_WRITE_DEF_LINK_POLICY:
2742                 hci_cc_write_def_link_policy(hdev, skb);
2743                 break;
2744
2745         case HCI_OP_RESET:
2746                 hci_cc_reset(hdev, skb);
2747                 break;
2748
2749         case HCI_OP_READ_STORED_LINK_KEY:
2750                 hci_cc_read_stored_link_key(hdev, skb);
2751                 break;
2752
2753         case HCI_OP_DELETE_STORED_LINK_KEY:
2754                 hci_cc_delete_stored_link_key(hdev, skb);
2755                 break;
2756
2757         case HCI_OP_WRITE_LOCAL_NAME:
2758                 hci_cc_write_local_name(hdev, skb);
2759                 break;
2760
2761         case HCI_OP_READ_LOCAL_NAME:
2762                 hci_cc_read_local_name(hdev, skb);
2763                 break;
2764
2765         case HCI_OP_WRITE_AUTH_ENABLE:
2766                 hci_cc_write_auth_enable(hdev, skb);
2767                 break;
2768
2769         case HCI_OP_WRITE_ENCRYPT_MODE:
2770                 hci_cc_write_encrypt_mode(hdev, skb);
2771                 break;
2772
2773         case HCI_OP_WRITE_SCAN_ENABLE:
2774                 hci_cc_write_scan_enable(hdev, skb);
2775                 break;
2776
2777         case HCI_OP_READ_CLASS_OF_DEV:
2778                 hci_cc_read_class_of_dev(hdev, skb);
2779                 break;
2780
2781         case HCI_OP_WRITE_CLASS_OF_DEV:
2782                 hci_cc_write_class_of_dev(hdev, skb);
2783                 break;
2784
2785         case HCI_OP_READ_VOICE_SETTING:
2786                 hci_cc_read_voice_setting(hdev, skb);
2787                 break;
2788
2789         case HCI_OP_WRITE_VOICE_SETTING:
2790                 hci_cc_write_voice_setting(hdev, skb);
2791                 break;
2792
2793         case HCI_OP_READ_NUM_SUPPORTED_IAC:
2794                 hci_cc_read_num_supported_iac(hdev, skb);
2795                 break;
2796
2797         case HCI_OP_WRITE_SSP_MODE:
2798                 hci_cc_write_ssp_mode(hdev, skb);
2799                 break;
2800
2801         case HCI_OP_WRITE_SC_SUPPORT:
2802                 hci_cc_write_sc_support(hdev, skb);
2803                 break;
2804
2805         case HCI_OP_READ_LOCAL_VERSION:
2806                 hci_cc_read_local_version(hdev, skb);
2807                 break;
2808
2809         case HCI_OP_READ_LOCAL_COMMANDS:
2810                 hci_cc_read_local_commands(hdev, skb);
2811                 break;
2812
2813         case HCI_OP_READ_LOCAL_FEATURES:
2814                 hci_cc_read_local_features(hdev, skb);
2815                 break;
2816
2817         case HCI_OP_READ_LOCAL_EXT_FEATURES:
2818                 hci_cc_read_local_ext_features(hdev, skb);
2819                 break;
2820
2821         case HCI_OP_READ_BUFFER_SIZE:
2822                 hci_cc_read_buffer_size(hdev, skb);
2823                 break;
2824
2825         case HCI_OP_READ_BD_ADDR:
2826                 hci_cc_read_bd_addr(hdev, skb);
2827                 break;
2828
2829         case HCI_OP_READ_PAGE_SCAN_ACTIVITY:
2830                 hci_cc_read_page_scan_activity(hdev, skb);
2831                 break;
2832
2833         case HCI_OP_WRITE_PAGE_SCAN_ACTIVITY:
2834                 hci_cc_write_page_scan_activity(hdev, skb);
2835                 break;
2836
2837         case HCI_OP_READ_PAGE_SCAN_TYPE:
2838                 hci_cc_read_page_scan_type(hdev, skb);
2839                 break;
2840
2841         case HCI_OP_WRITE_PAGE_SCAN_TYPE:
2842                 hci_cc_write_page_scan_type(hdev, skb);
2843                 break;
2844
2845         case HCI_OP_READ_DATA_BLOCK_SIZE:
2846                 hci_cc_read_data_block_size(hdev, skb);
2847                 break;
2848
2849         case HCI_OP_READ_FLOW_CONTROL_MODE:
2850                 hci_cc_read_flow_control_mode(hdev, skb);
2851                 break;
2852
2853         case HCI_OP_READ_LOCAL_AMP_INFO:
2854                 hci_cc_read_local_amp_info(hdev, skb);
2855                 break;
2856
2857         case HCI_OP_READ_CLOCK:
2858                 hci_cc_read_clock(hdev, skb);
2859                 break;
2860
2861         case HCI_OP_READ_LOCAL_AMP_ASSOC:
2862                 hci_cc_read_local_amp_assoc(hdev, skb);
2863                 break;
2864
2865         case HCI_OP_READ_INQ_RSP_TX_POWER:
2866                 hci_cc_read_inq_rsp_tx_power(hdev, skb);
2867                 break;
2868
2869         case HCI_OP_PIN_CODE_REPLY:
2870                 hci_cc_pin_code_reply(hdev, skb);
2871                 break;
2872
2873         case HCI_OP_PIN_CODE_NEG_REPLY:
2874                 hci_cc_pin_code_neg_reply(hdev, skb);
2875                 break;
2876
2877         case HCI_OP_READ_LOCAL_OOB_DATA:
2878                 hci_cc_read_local_oob_data(hdev, skb);
2879                 break;
2880
2881         case HCI_OP_READ_LOCAL_OOB_EXT_DATA:
2882                 hci_cc_read_local_oob_ext_data(hdev, skb);
2883                 break;
2884
2885         case HCI_OP_LE_READ_BUFFER_SIZE:
2886                 hci_cc_le_read_buffer_size(hdev, skb);
2887                 break;
2888
2889         case HCI_OP_LE_READ_LOCAL_FEATURES:
2890                 hci_cc_le_read_local_features(hdev, skb);
2891                 break;
2892
2893         case HCI_OP_LE_READ_ADV_TX_POWER:
2894                 hci_cc_le_read_adv_tx_power(hdev, skb);
2895                 break;
2896
2897         case HCI_OP_USER_CONFIRM_REPLY:
2898                 hci_cc_user_confirm_reply(hdev, skb);
2899                 break;
2900
2901         case HCI_OP_USER_CONFIRM_NEG_REPLY:
2902                 hci_cc_user_confirm_neg_reply(hdev, skb);
2903                 break;
2904
2905         case HCI_OP_USER_PASSKEY_REPLY:
2906                 hci_cc_user_passkey_reply(hdev, skb);
2907                 break;
2908
2909         case HCI_OP_USER_PASSKEY_NEG_REPLY:
2910                 hci_cc_user_passkey_neg_reply(hdev, skb);
2911                 break;
2912
2913         case HCI_OP_LE_SET_RANDOM_ADDR:
2914                 hci_cc_le_set_random_addr(hdev, skb);
2915                 break;
2916
2917         case HCI_OP_LE_SET_ADV_ENABLE:
2918                 hci_cc_le_set_adv_enable(hdev, skb);
2919                 break;
2920
2921         case HCI_OP_LE_SET_SCAN_PARAM:
2922                 hci_cc_le_set_scan_param(hdev, skb);
2923                 break;
2924
2925         case HCI_OP_LE_SET_SCAN_ENABLE:
2926                 hci_cc_le_set_scan_enable(hdev, skb);
2927                 break;
2928
2929         case HCI_OP_LE_READ_WHITE_LIST_SIZE:
2930                 hci_cc_le_read_white_list_size(hdev, skb);
2931                 break;
2932
2933         case HCI_OP_LE_CLEAR_WHITE_LIST:
2934                 hci_cc_le_clear_white_list(hdev, skb);
2935                 break;
2936
2937         case HCI_OP_LE_ADD_TO_WHITE_LIST:
2938                 hci_cc_le_add_to_white_list(hdev, skb);
2939                 break;
2940
2941         case HCI_OP_LE_DEL_FROM_WHITE_LIST:
2942                 hci_cc_le_del_from_white_list(hdev, skb);
2943                 break;
2944
2945         case HCI_OP_LE_READ_SUPPORTED_STATES:
2946                 hci_cc_le_read_supported_states(hdev, skb);
2947                 break;
2948
2949         case HCI_OP_LE_READ_DEF_DATA_LEN:
2950                 hci_cc_le_read_def_data_len(hdev, skb);
2951                 break;
2952
2953         case HCI_OP_LE_WRITE_DEF_DATA_LEN:
2954                 hci_cc_le_write_def_data_len(hdev, skb);
2955                 break;
2956
2957         case HCI_OP_LE_READ_MAX_DATA_LEN:
2958                 hci_cc_le_read_max_data_len(hdev, skb);
2959                 break;
2960
2961         case HCI_OP_WRITE_LE_HOST_SUPPORTED:
2962                 hci_cc_write_le_host_supported(hdev, skb);
2963                 break;
2964
2965         case HCI_OP_LE_SET_ADV_PARAM:
2966                 hci_cc_set_adv_param(hdev, skb);
2967                 break;
2968
2969         case HCI_OP_WRITE_REMOTE_AMP_ASSOC:
2970                 hci_cc_write_remote_amp_assoc(hdev, skb);
2971                 break;
2972
2973         case HCI_OP_READ_RSSI:
2974                 hci_cc_read_rssi(hdev, skb);
2975                 break;
2976
2977         case HCI_OP_READ_TX_POWER:
2978                 hci_cc_read_tx_power(hdev, skb);
2979                 break;
2980
2981         default:
2982                 BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode);
2983                 break;
2984         }
2985
2986         if (opcode != HCI_OP_NOP)
2987                 cancel_delayed_work(&hdev->cmd_timer);
2988
2989         hci_req_cmd_complete(hdev, opcode, status);
2990
2991         if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) {
2992                 atomic_set(&hdev->cmd_cnt, 1);
2993                 if (!skb_queue_empty(&hdev->cmd_q))
2994                         queue_work(hdev->workqueue, &hdev->cmd_work);
2995         }
2996 }
2997
2998 static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb)
2999 {
3000         struct hci_ev_cmd_status *ev = (void *) skb->data;
3001         __u16 opcode;
3002
3003         skb_pull(skb, sizeof(*ev));
3004
3005         opcode = __le16_to_cpu(ev->opcode);
3006
3007         switch (opcode) {
3008         case HCI_OP_INQUIRY:
3009                 hci_cs_inquiry(hdev, ev->status);
3010                 break;
3011
3012         case HCI_OP_CREATE_CONN:
3013                 hci_cs_create_conn(hdev, ev->status);
3014                 break;
3015
3016         case HCI_OP_DISCONNECT:
3017                 hci_cs_disconnect(hdev, ev->status);
3018                 break;
3019
3020         case HCI_OP_ADD_SCO:
3021                 hci_cs_add_sco(hdev, ev->status);
3022                 break;
3023
3024         case HCI_OP_AUTH_REQUESTED:
3025                 hci_cs_auth_requested(hdev, ev->status);
3026                 break;
3027
3028         case HCI_OP_SET_CONN_ENCRYPT:
3029                 hci_cs_set_conn_encrypt(hdev, ev->status);
3030                 break;
3031
3032         case HCI_OP_REMOTE_NAME_REQ:
3033                 hci_cs_remote_name_req(hdev, ev->status);
3034                 break;
3035
3036         case HCI_OP_READ_REMOTE_FEATURES:
3037                 hci_cs_read_remote_features(hdev, ev->status);
3038                 break;
3039
3040         case HCI_OP_READ_REMOTE_EXT_FEATURES:
3041                 hci_cs_read_remote_ext_features(hdev, ev->status);
3042                 break;
3043
3044         case HCI_OP_SETUP_SYNC_CONN:
3045                 hci_cs_setup_sync_conn(hdev, ev->status);
3046                 break;
3047
3048         case HCI_OP_CREATE_PHY_LINK:
3049                 hci_cs_create_phylink(hdev, ev->status);
3050                 break;
3051
3052         case HCI_OP_ACCEPT_PHY_LINK:
3053                 hci_cs_accept_phylink(hdev, ev->status);
3054                 break;
3055
3056         case HCI_OP_SNIFF_MODE:
3057                 hci_cs_sniff_mode(hdev, ev->status);
3058                 break;
3059
3060         case HCI_OP_EXIT_SNIFF_MODE:
3061                 hci_cs_exit_sniff_mode(hdev, ev->status);
3062                 break;
3063
3064         case HCI_OP_SWITCH_ROLE:
3065                 hci_cs_switch_role(hdev, ev->status);
3066                 break;
3067
3068         case HCI_OP_LE_CREATE_CONN:
3069                 hci_cs_le_create_conn(hdev, ev->status);
3070                 break;
3071
3072         case HCI_OP_LE_START_ENC:
3073                 hci_cs_le_start_enc(hdev, ev->status);
3074                 break;
3075
3076         default:
3077                 BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode);
3078                 break;
3079         }
3080
3081         if (opcode != HCI_OP_NOP)
3082                 cancel_delayed_work(&hdev->cmd_timer);
3083
3084         if (ev->status ||
3085             (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->req.event))
3086                 hci_req_cmd_complete(hdev, opcode, ev->status);
3087
3088         if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) {
3089                 atomic_set(&hdev->cmd_cnt, 1);
3090                 if (!skb_queue_empty(&hdev->cmd_q))
3091                         queue_work(hdev->workqueue, &hdev->cmd_work);
3092         }
3093 }
3094
3095 static void hci_hardware_error_evt(struct hci_dev *hdev, struct sk_buff *skb)
3096 {
3097         struct hci_ev_hardware_error *ev = (void *) skb->data;
3098
3099         BT_ERR("%s hardware error 0x%2.2x", hdev->name, ev->code);
3100 }
3101
3102 static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3103 {
3104         struct hci_ev_role_change *ev = (void *) skb->data;
3105         struct hci_conn *conn;
3106
3107         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3108
3109         hci_dev_lock(hdev);
3110
3111         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3112         if (conn) {
3113                 if (!ev->status)
3114                         conn->role = ev->role;
3115
3116                 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
3117
3118                 hci_role_switch_cfm(conn, ev->status, ev->role);
3119         }
3120
3121         hci_dev_unlock(hdev);
3122 }
3123
3124 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb)
3125 {
3126         struct hci_ev_num_comp_pkts *ev = (void *) skb->data;
3127         int i;
3128
3129         if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
3130                 BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode);
3131                 return;
3132         }
3133
3134         if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
3135             ev->num_hndl * sizeof(struct hci_comp_pkts_info)) {
3136                 BT_DBG("%s bad parameters", hdev->name);
3137                 return;
3138         }
3139
3140         BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl);
3141
3142         for (i = 0; i < ev->num_hndl; i++) {
3143                 struct hci_comp_pkts_info *info = &ev->handles[i];
3144                 struct hci_conn *conn;
3145                 __u16  handle, count;
3146
3147                 handle = __le16_to_cpu(info->handle);
3148                 count  = __le16_to_cpu(info->count);
3149
3150                 conn = hci_conn_hash_lookup_handle(hdev, handle);
3151                 if (!conn)
3152                         continue;
3153
3154                 conn->sent -= count;
3155
3156                 switch (conn->type) {
3157                 case ACL_LINK:
3158                         hdev->acl_cnt += count;
3159                         if (hdev->acl_cnt > hdev->acl_pkts)
3160                                 hdev->acl_cnt = hdev->acl_pkts;
3161                         break;
3162
3163                 case LE_LINK:
3164                         if (hdev->le_pkts) {
3165                                 hdev->le_cnt += count;
3166                                 if (hdev->le_cnt > hdev->le_pkts)
3167                                         hdev->le_cnt = hdev->le_pkts;
3168                         } else {
3169                                 hdev->acl_cnt += count;
3170                                 if (hdev->acl_cnt > hdev->acl_pkts)
3171                                         hdev->acl_cnt = hdev->acl_pkts;
3172                         }
3173                         break;
3174
3175                 case SCO_LINK:
3176                         hdev->sco_cnt += count;
3177                         if (hdev->sco_cnt > hdev->sco_pkts)
3178                                 hdev->sco_cnt = hdev->sco_pkts;
3179                         break;
3180
3181                 default:
3182                         BT_ERR("Unknown type %d conn %p", conn->type, conn);
3183                         break;
3184                 }
3185         }
3186
3187         queue_work(hdev->workqueue, &hdev->tx_work);
3188 }
3189
3190 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
3191                                                  __u16 handle)
3192 {
3193         struct hci_chan *chan;
3194
3195         switch (hdev->dev_type) {
3196         case HCI_BREDR:
3197                 return hci_conn_hash_lookup_handle(hdev, handle);
3198         case HCI_AMP:
3199                 chan = hci_chan_lookup_handle(hdev, handle);
3200                 if (chan)
3201                         return chan->conn;
3202                 break;
3203         default:
3204                 BT_ERR("%s unknown dev_type %d", hdev->name, hdev->dev_type);
3205                 break;
3206         }
3207
3208         return NULL;
3209 }
3210
3211 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb)
3212 {
3213         struct hci_ev_num_comp_blocks *ev = (void *) skb->data;
3214         int i;
3215
3216         if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
3217                 BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode);
3218                 return;
3219         }
3220
3221         if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
3222             ev->num_hndl * sizeof(struct hci_comp_blocks_info)) {
3223                 BT_DBG("%s bad parameters", hdev->name);
3224                 return;
3225         }
3226
3227         BT_DBG("%s num_blocks %d num_hndl %d", hdev->name, ev->num_blocks,
3228                ev->num_hndl);
3229
3230         for (i = 0; i < ev->num_hndl; i++) {
3231                 struct hci_comp_blocks_info *info = &ev->handles[i];
3232                 struct hci_conn *conn = NULL;
3233                 __u16  handle, block_count;
3234
3235                 handle = __le16_to_cpu(info->handle);
3236                 block_count = __le16_to_cpu(info->blocks);
3237
3238                 conn = __hci_conn_lookup_handle(hdev, handle);
3239                 if (!conn)
3240                         continue;
3241
3242                 conn->sent -= block_count;
3243
3244                 switch (conn->type) {
3245                 case ACL_LINK:
3246                 case AMP_LINK:
3247                         hdev->block_cnt += block_count;
3248                         if (hdev->block_cnt > hdev->num_blocks)
3249                                 hdev->block_cnt = hdev->num_blocks;
3250                         break;
3251
3252                 default:
3253                         BT_ERR("Unknown type %d conn %p", conn->type, conn);
3254                         break;
3255                 }
3256         }
3257
3258         queue_work(hdev->workqueue, &hdev->tx_work);
3259 }
3260
3261 static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3262 {
3263         struct hci_ev_mode_change *ev = (void *) skb->data;
3264         struct hci_conn *conn;
3265
3266         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3267
3268         hci_dev_lock(hdev);
3269
3270         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3271         if (conn) {
3272                 conn->mode = ev->mode;
3273
3274                 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
3275                                         &conn->flags)) {
3276                         if (conn->mode == HCI_CM_ACTIVE)
3277                                 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3278                         else
3279                                 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3280                 }
3281
3282                 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
3283                         hci_sco_setup(conn, ev->status);
3284         }
3285
3286         hci_dev_unlock(hdev);
3287 }
3288
3289 static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3290 {
3291         struct hci_ev_pin_code_req *ev = (void *) skb->data;
3292         struct hci_conn *conn;
3293
3294         BT_DBG("%s", hdev->name);
3295
3296         hci_dev_lock(hdev);
3297
3298         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3299         if (!conn)
3300                 goto unlock;
3301
3302         if (conn->state == BT_CONNECTED) {
3303                 hci_conn_hold(conn);
3304                 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3305                 hci_conn_drop(conn);
3306         }
3307
3308         if (!test_bit(HCI_BONDABLE, &hdev->dev_flags) &&
3309             !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
3310                 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
3311                              sizeof(ev->bdaddr), &ev->bdaddr);
3312         } else if (test_bit(HCI_MGMT, &hdev->dev_flags)) {
3313                 u8 secure;
3314
3315                 if (conn->pending_sec_level == BT_SECURITY_HIGH)
3316                         secure = 1;
3317                 else
3318                         secure = 0;
3319
3320                 mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
3321         }
3322
3323 unlock:
3324         hci_dev_unlock(hdev);
3325 }
3326
3327 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
3328 {
3329         if (key_type == HCI_LK_CHANGED_COMBINATION)
3330                 return;
3331
3332         conn->pin_length = pin_len;
3333         conn->key_type = key_type;
3334
3335         switch (key_type) {
3336         case HCI_LK_LOCAL_UNIT:
3337         case HCI_LK_REMOTE_UNIT:
3338         case HCI_LK_DEBUG_COMBINATION:
3339                 return;
3340         case HCI_LK_COMBINATION:
3341                 if (pin_len == 16)
3342                         conn->pending_sec_level = BT_SECURITY_HIGH;
3343                 else
3344                         conn->pending_sec_level = BT_SECURITY_MEDIUM;
3345                 break;
3346         case HCI_LK_UNAUTH_COMBINATION_P192:
3347         case HCI_LK_UNAUTH_COMBINATION_P256:
3348                 conn->pending_sec_level = BT_SECURITY_MEDIUM;
3349                 break;
3350         case HCI_LK_AUTH_COMBINATION_P192:
3351                 conn->pending_sec_level = BT_SECURITY_HIGH;
3352                 break;
3353         case HCI_LK_AUTH_COMBINATION_P256:
3354                 conn->pending_sec_level = BT_SECURITY_FIPS;
3355                 break;
3356         }
3357 }
3358
3359 static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3360 {
3361         struct hci_ev_link_key_req *ev = (void *) skb->data;
3362         struct hci_cp_link_key_reply cp;
3363         struct hci_conn *conn;
3364         struct link_key *key;
3365
3366         BT_DBG("%s", hdev->name);
3367
3368         if (!test_bit(HCI_MGMT, &hdev->dev_flags))
3369                 return;
3370
3371         hci_dev_lock(hdev);
3372
3373         key = hci_find_link_key(hdev, &ev->bdaddr);
3374         if (!key) {
3375                 BT_DBG("%s link key not found for %pMR", hdev->name,
3376                        &ev->bdaddr);
3377                 goto not_found;
3378         }
3379
3380         BT_DBG("%s found key type %u for %pMR", hdev->name, key->type,
3381                &ev->bdaddr);
3382
3383         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3384         if (conn) {
3385                 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3386
3387                 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
3388                      key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
3389                     conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
3390                         BT_DBG("%s ignoring unauthenticated key", hdev->name);
3391                         goto not_found;
3392                 }
3393
3394                 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
3395                     (conn->pending_sec_level == BT_SECURITY_HIGH ||
3396                      conn->pending_sec_level == BT_SECURITY_FIPS)) {
3397                         BT_DBG("%s ignoring key unauthenticated for high security",
3398                                hdev->name);
3399                         goto not_found;
3400                 }
3401
3402                 conn_set_key(conn, key->type, key->pin_len);
3403         }
3404
3405         bacpy(&cp.bdaddr, &ev->bdaddr);
3406         memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
3407
3408         hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
3409
3410         hci_dev_unlock(hdev);
3411
3412         return;
3413
3414 not_found:
3415         hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
3416         hci_dev_unlock(hdev);
3417 }
3418
3419 static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
3420 {
3421         struct hci_ev_link_key_notify *ev = (void *) skb->data;
3422         struct hci_conn *conn;
3423         struct link_key *key;
3424         bool persistent;
3425         u8 pin_len = 0;
3426
3427         BT_DBG("%s", hdev->name);
3428
3429         hci_dev_lock(hdev);
3430
3431         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3432         if (!conn)
3433                 goto unlock;
3434
3435         hci_conn_hold(conn);
3436         conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3437         hci_conn_drop(conn);
3438
3439         set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3440         conn_set_key(conn, ev->key_type, conn->pin_length);
3441
3442         if (!test_bit(HCI_MGMT, &hdev->dev_flags))
3443                 goto unlock;
3444
3445         key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
3446                                 ev->key_type, pin_len, &persistent);
3447         if (!key)
3448                 goto unlock;
3449
3450         /* Update connection information since adding the key will have
3451          * fixed up the type in the case of changed combination keys.
3452          */
3453         if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
3454                 conn_set_key(conn, key->type, key->pin_len);
3455
3456         mgmt_new_link_key(hdev, key, persistent);
3457
3458         /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
3459          * is set. If it's not set simply remove the key from the kernel
3460          * list (we've still notified user space about it but with
3461          * store_hint being 0).
3462          */
3463         if (key->type == HCI_LK_DEBUG_COMBINATION &&
3464             !test_bit(HCI_KEEP_DEBUG_KEYS, &hdev->dev_flags)) {
3465                 list_del_rcu(&key->list);
3466                 kfree_rcu(key, rcu);
3467                 goto unlock;
3468         }
3469
3470         if (persistent)
3471                 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3472         else
3473                 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3474
3475 unlock:
3476         hci_dev_unlock(hdev);
3477 }
3478
3479 static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb)
3480 {
3481         struct hci_ev_clock_offset *ev = (void *) skb->data;
3482         struct hci_conn *conn;
3483
3484         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3485
3486         hci_dev_lock(hdev);
3487
3488         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3489         if (conn && !ev->status) {
3490                 struct inquiry_entry *ie;
3491
3492                 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
3493                 if (ie) {
3494                         ie->data.clock_offset = ev->clock_offset;
3495                         ie->timestamp = jiffies;
3496                 }
3497         }
3498
3499         hci_dev_unlock(hdev);
3500 }
3501
3502 static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3503 {
3504         struct hci_ev_pkt_type_change *ev = (void *) skb->data;
3505         struct hci_conn *conn;
3506
3507         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3508
3509         hci_dev_lock(hdev);
3510
3511         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3512         if (conn && !ev->status)
3513                 conn->pkt_type = __le16_to_cpu(ev->pkt_type);
3514
3515         hci_dev_unlock(hdev);
3516 }
3517
3518 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb)
3519 {
3520         struct hci_ev_pscan_rep_mode *ev = (void *) skb->data;
3521         struct inquiry_entry *ie;
3522
3523         BT_DBG("%s", hdev->name);
3524
3525         hci_dev_lock(hdev);
3526
3527         ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3528         if (ie) {
3529                 ie->data.pscan_rep_mode = ev->pscan_rep_mode;
3530                 ie->timestamp = jiffies;
3531         }
3532
3533         hci_dev_unlock(hdev);
3534 }
3535
3536 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev,
3537                                              struct sk_buff *skb)
3538 {
3539         struct inquiry_data data;
3540         int num_rsp = *((__u8 *) skb->data);
3541
3542         BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
3543
3544         if (!num_rsp)
3545                 return;
3546
3547         if (test_bit(HCI_PERIODIC_INQ, &hdev->dev_flags))
3548                 return;
3549
3550         hci_dev_lock(hdev);
3551
3552         if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
3553                 struct inquiry_info_with_rssi_and_pscan_mode *info;
3554                 info = (void *) (skb->data + 1);
3555
3556                 for (; num_rsp; num_rsp--, info++) {
3557                         u32 flags;
3558
3559                         bacpy(&data.bdaddr, &info->bdaddr);
3560                         data.pscan_rep_mode     = info->pscan_rep_mode;
3561                         data.pscan_period_mode  = info->pscan_period_mode;
3562                         data.pscan_mode         = info->pscan_mode;
3563                         memcpy(data.dev_class, info->dev_class, 3);
3564                         data.clock_offset       = info->clock_offset;
3565                         data.rssi               = info->rssi;
3566                         data.ssp_mode           = 0x00;
3567
3568                         flags = hci_inquiry_cache_update(hdev, &data, false);
3569
3570                         mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3571                                           info->dev_class, info->rssi,
3572                                           flags, NULL, 0, NULL, 0);
3573                 }
3574         } else {
3575                 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
3576
3577                 for (; num_rsp; num_rsp--, info++) {
3578                         u32 flags;
3579
3580                         bacpy(&data.bdaddr, &info->bdaddr);
3581                         data.pscan_rep_mode     = info->pscan_rep_mode;
3582                         data.pscan_period_mode  = info->pscan_period_mode;
3583                         data.pscan_mode         = 0x00;
3584                         memcpy(data.dev_class, info->dev_class, 3);
3585                         data.clock_offset       = info->clock_offset;
3586                         data.rssi               = info->rssi;
3587                         data.ssp_mode           = 0x00;
3588
3589                         flags = hci_inquiry_cache_update(hdev, &data, false);
3590
3591                         mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3592                                           info->dev_class, info->rssi,
3593                                           flags, NULL, 0, NULL, 0);
3594                 }
3595         }
3596
3597         hci_dev_unlock(hdev);
3598 }
3599
3600 static void hci_remote_ext_features_evt(struct hci_dev *hdev,
3601                                         struct sk_buff *skb)
3602 {
3603         struct hci_ev_remote_ext_features *ev = (void *) skb->data;
3604         struct hci_conn *conn;
3605
3606         BT_DBG("%s", hdev->name);
3607
3608         hci_dev_lock(hdev);
3609
3610         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3611         if (!conn)
3612                 goto unlock;
3613
3614         if (ev->page < HCI_MAX_PAGES)
3615                 memcpy(conn->features[ev->page], ev->features, 8);
3616
3617         if (!ev->status && ev->page == 0x01) {
3618                 struct inquiry_entry *ie;
3619
3620                 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
3621                 if (ie)
3622                         ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
3623
3624                 if (ev->features[0] & LMP_HOST_SSP) {
3625                         set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
3626                 } else {
3627                         /* It is mandatory by the Bluetooth specification that
3628                          * Extended Inquiry Results are only used when Secure
3629                          * Simple Pairing is enabled, but some devices violate
3630                          * this.
3631                          *
3632                          * To make these devices work, the internal SSP
3633                          * enabled flag needs to be cleared if the remote host
3634                          * features do not indicate SSP support */
3635                         clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
3636                 }
3637
3638                 if (ev->features[0] & LMP_HOST_SC)
3639                         set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
3640         }
3641
3642         if (conn->state != BT_CONFIG)
3643                 goto unlock;
3644
3645         if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3646                 struct hci_cp_remote_name_req cp;
3647                 memset(&cp, 0, sizeof(cp));
3648                 bacpy(&cp.bdaddr, &conn->dst);
3649                 cp.pscan_rep_mode = 0x02;
3650                 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3651         } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3652                 mgmt_device_connected(hdev, conn, 0, NULL, 0);
3653
3654         if (!hci_outgoing_auth_needed(hdev, conn)) {
3655                 conn->state = BT_CONNECTED;
3656                 hci_proto_connect_cfm(conn, ev->status);
3657                 hci_conn_drop(conn);
3658         }
3659
3660 unlock:
3661         hci_dev_unlock(hdev);
3662 }
3663
3664 static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
3665                                        struct sk_buff *skb)
3666 {
3667         struct hci_ev_sync_conn_complete *ev = (void *) skb->data;
3668         struct hci_conn *conn;
3669
3670         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3671
3672         hci_dev_lock(hdev);
3673
3674         conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
3675         if (!conn) {
3676                 if (ev->link_type == ESCO_LINK)
3677                         goto unlock;
3678
3679                 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
3680                 if (!conn)
3681                         goto unlock;
3682
3683                 conn->type = SCO_LINK;
3684         }
3685
3686         switch (ev->status) {
3687         case 0x00:
3688                 conn->handle = __le16_to_cpu(ev->handle);
3689                 conn->state  = BT_CONNECTED;
3690
3691                 hci_debugfs_create_conn(conn);
3692                 hci_conn_add_sysfs(conn);
3693                 break;
3694
3695         case 0x10:      /* Connection Accept Timeout */
3696         case 0x0d:      /* Connection Rejected due to Limited Resources */
3697         case 0x11:      /* Unsupported Feature or Parameter Value */
3698         case 0x1c:      /* SCO interval rejected */
3699         case 0x1a:      /* Unsupported Remote Feature */
3700         case 0x1f:      /* Unspecified error */
3701         case 0x20:      /* Unsupported LMP Parameter value */
3702                 if (conn->out) {
3703                         conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
3704                                         (hdev->esco_type & EDR_ESCO_MASK);
3705                         if (hci_setup_sync(conn, conn->link->handle))
3706                                 goto unlock;
3707                 }
3708                 /* fall through */
3709
3710         default:
3711                 conn->state = BT_CLOSED;
3712                 break;
3713         }
3714
3715         hci_proto_connect_cfm(conn, ev->status);
3716         if (ev->status)
3717                 hci_conn_del(conn);
3718
3719 unlock:
3720         hci_dev_unlock(hdev);
3721 }
3722
3723 static inline size_t eir_get_length(u8 *eir, size_t eir_len)
3724 {
3725         size_t parsed = 0;
3726
3727         while (parsed < eir_len) {
3728                 u8 field_len = eir[0];
3729
3730                 if (field_len == 0)
3731                         return parsed;
3732
3733                 parsed += field_len + 1;
3734                 eir += field_len + 1;
3735         }
3736
3737         return eir_len;
3738 }
3739
3740 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev,
3741                                             struct sk_buff *skb)
3742 {
3743         struct inquiry_data data;
3744         struct extended_inquiry_info *info = (void *) (skb->data + 1);
3745         int num_rsp = *((__u8 *) skb->data);
3746         size_t eir_len;
3747
3748         BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
3749
3750         if (!num_rsp)
3751                 return;
3752
3753         if (test_bit(HCI_PERIODIC_INQ, &hdev->dev_flags))
3754                 return;
3755
3756         hci_dev_lock(hdev);
3757
3758         for (; num_rsp; num_rsp--, info++) {
3759                 u32 flags;
3760                 bool name_known;
3761
3762                 bacpy(&data.bdaddr, &info->bdaddr);
3763                 data.pscan_rep_mode     = info->pscan_rep_mode;
3764                 data.pscan_period_mode  = info->pscan_period_mode;
3765                 data.pscan_mode         = 0x00;
3766                 memcpy(data.dev_class, info->dev_class, 3);
3767                 data.clock_offset       = info->clock_offset;
3768                 data.rssi               = info->rssi;
3769                 data.ssp_mode           = 0x01;
3770
3771                 if (test_bit(HCI_MGMT, &hdev->dev_flags))
3772                         name_known = eir_has_data_type(info->data,
3773                                                        sizeof(info->data),
3774                                                        EIR_NAME_COMPLETE);
3775                 else
3776                         name_known = true;
3777
3778                 flags = hci_inquiry_cache_update(hdev, &data, name_known);
3779
3780                 eir_len = eir_get_length(info->data, sizeof(info->data));
3781
3782                 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3783                                   info->dev_class, info->rssi,
3784                                   flags, info->data, eir_len, NULL, 0);
3785         }
3786
3787         hci_dev_unlock(hdev);
3788 }
3789
3790 static void hci_key_refresh_complete_evt(struct hci_dev *hdev,
3791                                          struct sk_buff *skb)
3792 {
3793         struct hci_ev_key_refresh_complete *ev = (void *) skb->data;
3794         struct hci_conn *conn;
3795
3796         BT_DBG("%s status 0x%2.2x handle 0x%4.4x", hdev->name, ev->status,
3797                __le16_to_cpu(ev->handle));
3798
3799         hci_dev_lock(hdev);
3800
3801         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3802         if (!conn)
3803                 goto unlock;
3804
3805         /* For BR/EDR the necessary steps are taken through the
3806          * auth_complete event.
3807          */
3808         if (conn->type != LE_LINK)
3809                 goto unlock;
3810
3811         if (!ev->status)
3812                 conn->sec_level = conn->pending_sec_level;
3813
3814         clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3815
3816         if (ev->status && conn->state == BT_CONNECTED) {
3817                 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3818                 hci_conn_drop(conn);
3819                 goto unlock;
3820         }
3821
3822         if (conn->state == BT_CONFIG) {
3823                 if (!ev->status)
3824                         conn->state = BT_CONNECTED;
3825
3826                 hci_proto_connect_cfm(conn, ev->status);
3827                 hci_conn_drop(conn);
3828         } else {
3829                 hci_auth_cfm(conn, ev->status);
3830
3831                 hci_conn_hold(conn);
3832                 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3833                 hci_conn_drop(conn);
3834         }
3835
3836 unlock:
3837         hci_dev_unlock(hdev);
3838 }
3839
3840 static u8 hci_get_auth_req(struct hci_conn *conn)
3841 {
3842         /* If remote requests no-bonding follow that lead */
3843         if (conn->remote_auth == HCI_AT_NO_BONDING ||
3844             conn->remote_auth == HCI_AT_NO_BONDING_MITM)
3845                 return conn->remote_auth | (conn->auth_type & 0x01);
3846
3847         /* If both remote and local have enough IO capabilities, require
3848          * MITM protection
3849          */
3850         if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
3851             conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
3852                 return conn->remote_auth | 0x01;
3853
3854         /* No MITM protection possible so ignore remote requirement */
3855         return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
3856 }
3857
3858 static u8 bredr_oob_data_present(struct hci_conn *conn)
3859 {
3860         struct hci_dev *hdev = conn->hdev;
3861         struct oob_data *data;
3862
3863         data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
3864         if (!data)
3865                 return 0x00;
3866
3867         if (conn->out || test_bit(HCI_CONN_REMOTE_OOB, &conn->flags))
3868                 return 0x01;
3869
3870         return 0x00;
3871 }
3872
3873 static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3874 {
3875         struct hci_ev_io_capa_request *ev = (void *) skb->data;
3876         struct hci_conn *conn;
3877
3878         BT_DBG("%s", hdev->name);
3879
3880         hci_dev_lock(hdev);
3881
3882         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3883         if (!conn)
3884                 goto unlock;
3885
3886         hci_conn_hold(conn);
3887
3888         if (!test_bit(HCI_MGMT, &hdev->dev_flags))
3889                 goto unlock;
3890
3891         /* Allow pairing if we're pairable, the initiators of the
3892          * pairing or if the remote is not requesting bonding.
3893          */
3894         if (test_bit(HCI_BONDABLE, &hdev->dev_flags) ||
3895             test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
3896             (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
3897                 struct hci_cp_io_capability_reply cp;
3898
3899                 bacpy(&cp.bdaddr, &ev->bdaddr);
3900                 /* Change the IO capability from KeyboardDisplay
3901                  * to DisplayYesNo as it is not supported by BT spec. */
3902                 cp.capability = (conn->io_capability == 0x04) ?
3903                                 HCI_IO_DISPLAY_YESNO : conn->io_capability;
3904
3905                 /* If we are initiators, there is no remote information yet */
3906                 if (conn->remote_auth == 0xff) {
3907                         /* Request MITM protection if our IO caps allow it
3908                          * except for the no-bonding case.
3909                          */
3910                         if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
3911                             conn->auth_type != HCI_AT_NO_BONDING)
3912                                 conn->auth_type |= 0x01;
3913                 } else {
3914                         conn->auth_type = hci_get_auth_req(conn);
3915                 }
3916
3917                 /* If we're not bondable, force one of the non-bondable
3918                  * authentication requirement values.
3919                  */
3920                 if (!test_bit(HCI_BONDABLE, &hdev->dev_flags))
3921                         conn->auth_type &= HCI_AT_NO_BONDING_MITM;
3922
3923                 cp.authentication = conn->auth_type;
3924                 cp.oob_data = bredr_oob_data_present(conn);
3925
3926                 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
3927                              sizeof(cp), &cp);
3928         } else {
3929                 struct hci_cp_io_capability_neg_reply cp;
3930
3931                 bacpy(&cp.bdaddr, &ev->bdaddr);
3932                 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
3933
3934                 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
3935                              sizeof(cp), &cp);
3936         }
3937
3938 unlock:
3939         hci_dev_unlock(hdev);
3940 }
3941
3942 static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb)
3943 {
3944         struct hci_ev_io_capa_reply *ev = (void *) skb->data;
3945         struct hci_conn *conn;
3946
3947         BT_DBG("%s", hdev->name);
3948
3949         hci_dev_lock(hdev);
3950
3951         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3952         if (!conn)
3953                 goto unlock;
3954
3955         conn->remote_cap = ev->capability;
3956         conn->remote_auth = ev->authentication;
3957         if (ev->oob_data)
3958                 set_bit(HCI_CONN_REMOTE_OOB, &conn->flags);
3959
3960 unlock:
3961         hci_dev_unlock(hdev);
3962 }
3963
3964 static void hci_user_confirm_request_evt(struct hci_dev *hdev,
3965                                          struct sk_buff *skb)
3966 {
3967         struct hci_ev_user_confirm_req *ev = (void *) skb->data;
3968         int loc_mitm, rem_mitm, confirm_hint = 0;
3969         struct hci_conn *conn;
3970
3971         BT_DBG("%s", hdev->name);
3972
3973         hci_dev_lock(hdev);
3974
3975         if (!test_bit(HCI_MGMT, &hdev->dev_flags))
3976                 goto unlock;
3977
3978         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3979         if (!conn)
3980                 goto unlock;
3981
3982         loc_mitm = (conn->auth_type & 0x01);
3983         rem_mitm = (conn->remote_auth & 0x01);
3984
3985         /* If we require MITM but the remote device can't provide that
3986          * (it has NoInputNoOutput) then reject the confirmation
3987          * request. We check the security level here since it doesn't
3988          * necessarily match conn->auth_type.
3989          */
3990         if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
3991             conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
3992                 BT_DBG("Rejecting request: remote device can't provide MITM");
3993                 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
3994                              sizeof(ev->bdaddr), &ev->bdaddr);
3995                 goto unlock;
3996         }
3997
3998         /* If no side requires MITM protection; auto-accept */
3999         if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
4000             (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
4001
4002                 /* If we're not the initiators request authorization to
4003                  * proceed from user space (mgmt_user_confirm with
4004                  * confirm_hint set to 1). The exception is if neither
4005                  * side had MITM or if the local IO capability is
4006                  * NoInputNoOutput, in which case we do auto-accept
4007                  */
4008                 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
4009                     conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4010                     (loc_mitm || rem_mitm)) {
4011                         BT_DBG("Confirming auto-accept as acceptor");
4012                         confirm_hint = 1;
4013                         goto confirm;
4014                 }
4015
4016                 BT_DBG("Auto-accept of user confirmation with %ums delay",
4017                        hdev->auto_accept_delay);
4018
4019                 if (hdev->auto_accept_delay > 0) {
4020                         int delay = msecs_to_jiffies(hdev->auto_accept_delay);
4021                         queue_delayed_work(conn->hdev->workqueue,
4022                                            &conn->auto_accept_work, delay);
4023                         goto unlock;
4024                 }
4025
4026                 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
4027                              sizeof(ev->bdaddr), &ev->bdaddr);
4028                 goto unlock;
4029         }
4030
4031 confirm:
4032         mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
4033                                   le32_to_cpu(ev->passkey), confirm_hint);
4034
4035 unlock:
4036         hci_dev_unlock(hdev);
4037 }
4038
4039 static void hci_user_passkey_request_evt(struct hci_dev *hdev,
4040                                          struct sk_buff *skb)
4041 {
4042         struct hci_ev_user_passkey_req *ev = (void *) skb->data;
4043
4044         BT_DBG("%s", hdev->name);
4045
4046         if (test_bit(HCI_MGMT, &hdev->dev_flags))
4047                 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
4048 }
4049
4050 static void hci_user_passkey_notify_evt(struct hci_dev *hdev,
4051                                         struct sk_buff *skb)
4052 {
4053         struct hci_ev_user_passkey_notify *ev = (void *) skb->data;
4054         struct hci_conn *conn;
4055
4056         BT_DBG("%s", hdev->name);
4057
4058         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4059         if (!conn)
4060                 return;
4061
4062         conn->passkey_notify = __le32_to_cpu(ev->passkey);
4063         conn->passkey_entered = 0;
4064
4065         if (test_bit(HCI_MGMT, &hdev->dev_flags))
4066                 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4067                                          conn->dst_type, conn->passkey_notify,
4068                                          conn->passkey_entered);
4069 }
4070
4071 static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
4072 {
4073         struct hci_ev_keypress_notify *ev = (void *) skb->data;
4074         struct hci_conn *conn;
4075
4076         BT_DBG("%s", hdev->name);
4077
4078         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4079         if (!conn)
4080                 return;
4081
4082         switch (ev->type) {
4083         case HCI_KEYPRESS_STARTED:
4084                 conn->passkey_entered = 0;
4085                 return;
4086
4087         case HCI_KEYPRESS_ENTERED:
4088                 conn->passkey_entered++;
4089                 break;
4090
4091         case HCI_KEYPRESS_ERASED:
4092                 conn->passkey_entered--;
4093                 break;
4094
4095         case HCI_KEYPRESS_CLEARED:
4096                 conn->passkey_entered = 0;
4097                 break;
4098
4099         case HCI_KEYPRESS_COMPLETED:
4100                 return;
4101         }
4102
4103         if (test_bit(HCI_MGMT, &hdev->dev_flags))
4104                 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4105                                          conn->dst_type, conn->passkey_notify,
4106                                          conn->passkey_entered);
4107 }
4108
4109 static void hci_simple_pair_complete_evt(struct hci_dev *hdev,
4110                                          struct sk_buff *skb)
4111 {
4112         struct hci_ev_simple_pair_complete *ev = (void *) skb->data;
4113         struct hci_conn *conn;
4114
4115         BT_DBG("%s", hdev->name);
4116
4117         hci_dev_lock(hdev);
4118
4119         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4120         if (!conn)
4121                 goto unlock;
4122
4123         /* Reset the authentication requirement to unknown */
4124         conn->remote_auth = 0xff;
4125
4126         /* To avoid duplicate auth_failed events to user space we check
4127          * the HCI_CONN_AUTH_PEND flag which will be set if we
4128          * initiated the authentication. A traditional auth_complete
4129          * event gets always produced as initiator and is also mapped to
4130          * the mgmt_auth_failed event */
4131         if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
4132                 mgmt_auth_failed(conn, ev->status);
4133
4134         hci_conn_drop(conn);
4135
4136 unlock:
4137         hci_dev_unlock(hdev);
4138 }
4139
4140 static void hci_remote_host_features_evt(struct hci_dev *hdev,
4141                                          struct sk_buff *skb)
4142 {
4143         struct hci_ev_remote_host_features *ev = (void *) skb->data;
4144         struct inquiry_entry *ie;
4145         struct hci_conn *conn;
4146
4147         BT_DBG("%s", hdev->name);
4148
4149         hci_dev_lock(hdev);
4150
4151         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4152         if (conn)
4153                 memcpy(conn->features[1], ev->features, 8);
4154
4155         ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4156         if (ie)
4157                 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4158
4159         hci_dev_unlock(hdev);
4160 }
4161
4162 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
4163                                             struct sk_buff *skb)
4164 {
4165         struct hci_ev_remote_oob_data_request *ev = (void *) skb->data;
4166         struct oob_data *data;
4167
4168         BT_DBG("%s", hdev->name);
4169
4170         hci_dev_lock(hdev);
4171
4172         if (!test_bit(HCI_MGMT, &hdev->dev_flags))
4173                 goto unlock;
4174
4175         data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
4176         if (!data) {
4177                 struct hci_cp_remote_oob_data_neg_reply cp;
4178
4179                 bacpy(&cp.bdaddr, &ev->bdaddr);
4180                 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
4181                              sizeof(cp), &cp);
4182                 goto unlock;
4183         }
4184
4185         if (bredr_sc_enabled(hdev)) {
4186                 struct hci_cp_remote_oob_ext_data_reply cp;
4187
4188                 bacpy(&cp.bdaddr, &ev->bdaddr);
4189                 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags)) {
4190                         memset(cp.hash192, 0, sizeof(cp.hash192));
4191                         memset(cp.rand192, 0, sizeof(cp.rand192));
4192                 } else {
4193                         memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
4194                         memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
4195                 }
4196                 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
4197                 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
4198
4199                 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
4200                              sizeof(cp), &cp);
4201         } else {
4202                 struct hci_cp_remote_oob_data_reply cp;
4203
4204                 bacpy(&cp.bdaddr, &ev->bdaddr);
4205                 memcpy(cp.hash, data->hash192, sizeof(cp.hash));
4206                 memcpy(cp.rand, data->rand192, sizeof(cp.rand));
4207
4208                 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
4209                              sizeof(cp), &cp);
4210         }
4211
4212 unlock:
4213         hci_dev_unlock(hdev);
4214 }
4215
4216 static void hci_phy_link_complete_evt(struct hci_dev *hdev,
4217                                       struct sk_buff *skb)
4218 {
4219         struct hci_ev_phy_link_complete *ev = (void *) skb->data;
4220         struct hci_conn *hcon, *bredr_hcon;
4221
4222         BT_DBG("%s handle 0x%2.2x status 0x%2.2x", hdev->name, ev->phy_handle,
4223                ev->status);
4224
4225         hci_dev_lock(hdev);
4226
4227         hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4228         if (!hcon) {
4229                 hci_dev_unlock(hdev);
4230                 return;
4231         }
4232
4233         if (ev->status) {
4234                 hci_conn_del(hcon);
4235                 hci_dev_unlock(hdev);
4236                 return;
4237         }
4238
4239         bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
4240
4241         hcon->state = BT_CONNECTED;
4242         bacpy(&hcon->dst, &bredr_hcon->dst);
4243
4244         hci_conn_hold(hcon);
4245         hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
4246         hci_conn_drop(hcon);
4247
4248         hci_debugfs_create_conn(hcon);
4249         hci_conn_add_sysfs(hcon);
4250
4251         amp_physical_cfm(bredr_hcon, hcon);
4252
4253         hci_dev_unlock(hdev);
4254 }
4255
4256 static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4257 {
4258         struct hci_ev_logical_link_complete *ev = (void *) skb->data;
4259         struct hci_conn *hcon;
4260         struct hci_chan *hchan;
4261         struct amp_mgr *mgr;
4262
4263         BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
4264                hdev->name, le16_to_cpu(ev->handle), ev->phy_handle,
4265                ev->status);
4266
4267         hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4268         if (!hcon)
4269                 return;
4270
4271         /* Create AMP hchan */
4272         hchan = hci_chan_create(hcon);
4273         if (!hchan)
4274                 return;
4275
4276         hchan->handle = le16_to_cpu(ev->handle);
4277
4278         BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
4279
4280         mgr = hcon->amp_mgr;
4281         if (mgr && mgr->bredr_chan) {
4282                 struct l2cap_chan *bredr_chan = mgr->bredr_chan;
4283
4284                 l2cap_chan_lock(bredr_chan);
4285
4286                 bredr_chan->conn->mtu = hdev->block_mtu;
4287                 l2cap_logical_cfm(bredr_chan, hchan, 0);
4288                 hci_conn_hold(hcon);
4289
4290                 l2cap_chan_unlock(bredr_chan);
4291         }
4292 }
4293
4294 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev,
4295                                              struct sk_buff *skb)
4296 {
4297         struct hci_ev_disconn_logical_link_complete *ev = (void *) skb->data;
4298         struct hci_chan *hchan;
4299
4300         BT_DBG("%s log handle 0x%4.4x status 0x%2.2x", hdev->name,
4301                le16_to_cpu(ev->handle), ev->status);
4302
4303         if (ev->status)
4304                 return;
4305
4306         hci_dev_lock(hdev);
4307
4308         hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
4309         if (!hchan)
4310                 goto unlock;
4311
4312         amp_destroy_logical_link(hchan, ev->reason);
4313
4314 unlock:
4315         hci_dev_unlock(hdev);
4316 }
4317
4318 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev,
4319                                              struct sk_buff *skb)
4320 {
4321         struct hci_ev_disconn_phy_link_complete *ev = (void *) skb->data;
4322         struct hci_conn *hcon;
4323
4324         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4325
4326         if (ev->status)
4327                 return;
4328
4329         hci_dev_lock(hdev);
4330
4331         hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4332         if (hcon) {
4333                 hcon->state = BT_CLOSED;
4334                 hci_conn_del(hcon);
4335         }
4336
4337         hci_dev_unlock(hdev);
4338 }
4339
4340 static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4341 {
4342         struct hci_ev_le_conn_complete *ev = (void *) skb->data;
4343         struct hci_conn_params *params;
4344         struct hci_conn *conn;
4345         struct smp_irk *irk;
4346         u8 addr_type;
4347
4348         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4349
4350         hci_dev_lock(hdev);
4351
4352         /* All controllers implicitly stop advertising in the event of a
4353          * connection, so ensure that the state bit is cleared.
4354          */
4355         clear_bit(HCI_LE_ADV, &hdev->dev_flags);
4356
4357         conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT);
4358         if (!conn) {
4359                 conn = hci_conn_add(hdev, LE_LINK, &ev->bdaddr, ev->role);
4360                 if (!conn) {
4361                         BT_ERR("No memory for new connection");
4362                         goto unlock;
4363                 }
4364
4365                 conn->dst_type = ev->bdaddr_type;
4366
4367                 /* If we didn't have a hci_conn object previously
4368                  * but we're in master role this must be something
4369                  * initiated using a white list. Since white list based
4370                  * connections are not "first class citizens" we don't
4371                  * have full tracking of them. Therefore, we go ahead
4372                  * with a "best effort" approach of determining the
4373                  * initiator address based on the HCI_PRIVACY flag.
4374                  */
4375                 if (conn->out) {
4376                         conn->resp_addr_type = ev->bdaddr_type;
4377                         bacpy(&conn->resp_addr, &ev->bdaddr);
4378                         if (test_bit(HCI_PRIVACY, &hdev->dev_flags)) {
4379                                 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
4380                                 bacpy(&conn->init_addr, &hdev->rpa);
4381                         } else {
4382                                 hci_copy_identity_address(hdev,
4383                                                           &conn->init_addr,
4384                                                           &conn->init_addr_type);
4385                         }
4386                 }
4387         } else {
4388                 cancel_delayed_work(&conn->le_conn_timeout);
4389         }
4390
4391         if (!conn->out) {
4392                 /* Set the responder (our side) address type based on
4393                  * the advertising address type.
4394                  */
4395                 conn->resp_addr_type = hdev->adv_addr_type;
4396                 if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM)
4397                         bacpy(&conn->resp_addr, &hdev->random_addr);
4398                 else
4399                         bacpy(&conn->resp_addr, &hdev->bdaddr);
4400
4401                 conn->init_addr_type = ev->bdaddr_type;
4402                 bacpy(&conn->init_addr, &ev->bdaddr);
4403
4404                 /* For incoming connections, set the default minimum
4405                  * and maximum connection interval. They will be used
4406                  * to check if the parameters are in range and if not
4407                  * trigger the connection update procedure.
4408                  */
4409                 conn->le_conn_min_interval = hdev->le_conn_min_interval;
4410                 conn->le_conn_max_interval = hdev->le_conn_max_interval;
4411         }
4412
4413         /* Lookup the identity address from the stored connection
4414          * address and address type.
4415          *
4416          * When establishing connections to an identity address, the
4417          * connection procedure will store the resolvable random
4418          * address first. Now if it can be converted back into the
4419          * identity address, start using the identity address from
4420          * now on.
4421          */
4422         irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
4423         if (irk) {
4424                 bacpy(&conn->dst, &irk->bdaddr);
4425                 conn->dst_type = irk->addr_type;
4426         }
4427
4428         if (ev->status) {
4429                 hci_le_conn_failed(conn, ev->status);
4430                 goto unlock;
4431         }
4432
4433         if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
4434                 addr_type = BDADDR_LE_PUBLIC;
4435         else
4436                 addr_type = BDADDR_LE_RANDOM;
4437
4438         /* Drop the connection if the device is blocked */
4439         if (hci_bdaddr_list_lookup(&hdev->blacklist, &conn->dst, addr_type)) {
4440                 hci_conn_drop(conn);
4441                 goto unlock;
4442         }
4443
4444         if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
4445                 mgmt_device_connected(hdev, conn, 0, NULL, 0);
4446
4447         conn->sec_level = BT_SECURITY_LOW;
4448         conn->handle = __le16_to_cpu(ev->handle);
4449         conn->state = BT_CONNECTED;
4450
4451         conn->le_conn_interval = le16_to_cpu(ev->interval);
4452         conn->le_conn_latency = le16_to_cpu(ev->latency);
4453         conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
4454
4455         hci_debugfs_create_conn(conn);
4456         hci_conn_add_sysfs(conn);
4457
4458         hci_proto_connect_cfm(conn, ev->status);
4459
4460         params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
4461                                            conn->dst_type);
4462         if (params) {
4463                 list_del_init(&params->action);
4464                 if (params->conn) {
4465                         hci_conn_drop(params->conn);
4466                         hci_conn_put(params->conn);
4467                         params->conn = NULL;
4468                 }
4469         }
4470
4471 unlock:
4472         hci_update_background_scan(hdev);
4473         hci_dev_unlock(hdev);
4474 }
4475
4476 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev,
4477                                             struct sk_buff *skb)
4478 {
4479         struct hci_ev_le_conn_update_complete *ev = (void *) skb->data;
4480         struct hci_conn *conn;
4481
4482         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4483
4484         if (ev->status)
4485                 return;
4486
4487         hci_dev_lock(hdev);
4488
4489         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4490         if (conn) {
4491                 conn->le_conn_interval = le16_to_cpu(ev->interval);
4492                 conn->le_conn_latency = le16_to_cpu(ev->latency);
4493                 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
4494         }
4495
4496         hci_dev_unlock(hdev);
4497 }
4498
4499 /* This function requires the caller holds hdev->lock */
4500 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
4501                                               bdaddr_t *addr,
4502                                               u8 addr_type, u8 adv_type)
4503 {
4504         struct hci_conn *conn;
4505         struct hci_conn_params *params;
4506
4507         /* If the event is not connectable don't proceed further */
4508         if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
4509                 return NULL;
4510
4511         /* Ignore if the device is blocked */
4512         if (hci_bdaddr_list_lookup(&hdev->blacklist, addr, addr_type))
4513                 return NULL;
4514
4515         /* Most controller will fail if we try to create new connections
4516          * while we have an existing one in slave role.
4517          */
4518         if (hdev->conn_hash.le_num_slave > 0)
4519                 return NULL;
4520
4521         /* If we're not connectable only connect devices that we have in
4522          * our pend_le_conns list.
4523          */
4524         params = hci_pend_le_action_lookup(&hdev->pend_le_conns,
4525                                            addr, addr_type);
4526         if (!params)
4527                 return NULL;
4528
4529         switch (params->auto_connect) {
4530         case HCI_AUTO_CONN_DIRECT:
4531                 /* Only devices advertising with ADV_DIRECT_IND are
4532                  * triggering a connection attempt. This is allowing
4533                  * incoming connections from slave devices.
4534                  */
4535                 if (adv_type != LE_ADV_DIRECT_IND)
4536                         return NULL;
4537                 break;
4538         case HCI_AUTO_CONN_ALWAYS:
4539                 /* Devices advertising with ADV_IND or ADV_DIRECT_IND
4540                  * are triggering a connection attempt. This means
4541                  * that incoming connectioms from slave device are
4542                  * accepted and also outgoing connections to slave
4543                  * devices are established when found.
4544                  */
4545                 break;
4546         default:
4547                 return NULL;
4548         }
4549
4550         conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW,
4551                               HCI_LE_AUTOCONN_TIMEOUT, HCI_ROLE_MASTER);
4552         if (!IS_ERR(conn)) {
4553                 /* Store the pointer since we don't really have any
4554                  * other owner of the object besides the params that
4555                  * triggered it. This way we can abort the connection if
4556                  * the parameters get removed and keep the reference
4557                  * count consistent once the connection is established.
4558                  */
4559                 params->conn = hci_conn_get(conn);
4560                 return conn;
4561         }
4562
4563         switch (PTR_ERR(conn)) {
4564         case -EBUSY:
4565                 /* If hci_connect() returns -EBUSY it means there is already
4566                  * an LE connection attempt going on. Since controllers don't
4567                  * support more than one connection attempt at the time, we
4568                  * don't consider this an error case.
4569                  */
4570                 break;
4571         default:
4572                 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
4573                 return NULL;
4574         }
4575
4576         return NULL;
4577 }
4578
4579 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
4580                                u8 bdaddr_type, bdaddr_t *direct_addr,
4581                                u8 direct_addr_type, s8 rssi, u8 *data, u8 len)
4582 {
4583         struct discovery_state *d = &hdev->discovery;
4584         struct smp_irk *irk;
4585         struct hci_conn *conn;
4586         bool match;
4587         u32 flags;
4588
4589         /* If the direct address is present, then this report is from
4590          * a LE Direct Advertising Report event. In that case it is
4591          * important to see if the address is matching the local
4592          * controller address.
4593          */
4594         if (direct_addr) {
4595                 /* Only resolvable random addresses are valid for these
4596                  * kind of reports and others can be ignored.
4597                  */
4598                 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
4599                         return;
4600
4601                 /* If the controller is not using resolvable random
4602                  * addresses, then this report can be ignored.
4603                  */
4604                 if (!test_bit(HCI_PRIVACY, &hdev->dev_flags))
4605                         return;
4606
4607                 /* If the local IRK of the controller does not match
4608                  * with the resolvable random address provided, then
4609                  * this report can be ignored.
4610                  */
4611                 if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
4612                         return;
4613         }
4614
4615         /* Check if we need to convert to identity address */
4616         irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
4617         if (irk) {
4618                 bdaddr = &irk->bdaddr;
4619                 bdaddr_type = irk->addr_type;
4620         }
4621
4622         /* Check if we have been requested to connect to this device */
4623         conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type);
4624         if (conn && type == LE_ADV_IND) {
4625                 /* Store report for later inclusion by
4626                  * mgmt_device_connected
4627                  */
4628                 memcpy(conn->le_adv_data, data, len);
4629                 conn->le_adv_data_len = len;
4630         }
4631
4632         /* Passive scanning shouldn't trigger any device found events,
4633          * except for devices marked as CONN_REPORT for which we do send
4634          * device found events.
4635          */
4636         if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
4637                 if (type == LE_ADV_DIRECT_IND)
4638                         return;
4639
4640                 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
4641                                                bdaddr, bdaddr_type))
4642                         return;
4643
4644                 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
4645                         flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
4646                 else
4647                         flags = 0;
4648                 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4649                                   rssi, flags, data, len, NULL, 0);
4650                 return;
4651         }
4652
4653         /* When receiving non-connectable or scannable undirected
4654          * advertising reports, this means that the remote device is
4655          * not connectable and then clearly indicate this in the
4656          * device found event.
4657          *
4658          * When receiving a scan response, then there is no way to
4659          * know if the remote device is connectable or not. However
4660          * since scan responses are merged with a previously seen
4661          * advertising report, the flags field from that report
4662          * will be used.
4663          *
4664          * In the really unlikely case that a controller get confused
4665          * and just sends a scan response event, then it is marked as
4666          * not connectable as well.
4667          */
4668         if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND ||
4669             type == LE_ADV_SCAN_RSP)
4670                 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
4671         else
4672                 flags = 0;
4673
4674         /* If there's nothing pending either store the data from this
4675          * event or send an immediate device found event if the data
4676          * should not be stored for later.
4677          */
4678         if (!has_pending_adv_report(hdev)) {
4679                 /* If the report will trigger a SCAN_REQ store it for
4680                  * later merging.
4681                  */
4682                 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
4683                         store_pending_adv_report(hdev, bdaddr, bdaddr_type,
4684                                                  rssi, flags, data, len);
4685                         return;
4686                 }
4687
4688                 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4689                                   rssi, flags, data, len, NULL, 0);
4690                 return;
4691         }
4692
4693         /* Check if the pending report is for the same device as the new one */
4694         match = (!bacmp(bdaddr, &d->last_adv_addr) &&
4695                  bdaddr_type == d->last_adv_addr_type);
4696
4697         /* If the pending data doesn't match this report or this isn't a
4698          * scan response (e.g. we got a duplicate ADV_IND) then force
4699          * sending of the pending data.
4700          */
4701         if (type != LE_ADV_SCAN_RSP || !match) {
4702                 /* Send out whatever is in the cache, but skip duplicates */
4703                 if (!match)
4704                         mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
4705                                           d->last_adv_addr_type, NULL,
4706                                           d->last_adv_rssi, d->last_adv_flags,
4707                                           d->last_adv_data,
4708                                           d->last_adv_data_len, NULL, 0);
4709
4710                 /* If the new report will trigger a SCAN_REQ store it for
4711                  * later merging.
4712                  */
4713                 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
4714                         store_pending_adv_report(hdev, bdaddr, bdaddr_type,
4715                                                  rssi, flags, data, len);
4716                         return;
4717                 }
4718
4719                 /* The advertising reports cannot be merged, so clear
4720                  * the pending report and send out a device found event.
4721                  */
4722                 clear_pending_adv_report(hdev);
4723                 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4724                                   rssi, flags, data, len, NULL, 0);
4725                 return;
4726         }
4727
4728         /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
4729          * the new event is a SCAN_RSP. We can therefore proceed with
4730          * sending a merged device found event.
4731          */
4732         mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
4733                           d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
4734                           d->last_adv_data, d->last_adv_data_len, data, len);
4735         clear_pending_adv_report(hdev);
4736 }
4737
4738 static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
4739 {
4740         u8 num_reports = skb->data[0];
4741         void *ptr = &skb->data[1];
4742
4743         hci_dev_lock(hdev);
4744
4745         while (num_reports--) {
4746                 struct hci_ev_le_advertising_info *ev = ptr;
4747                 s8 rssi;
4748
4749                 rssi = ev->data[ev->length];
4750                 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
4751                                    ev->bdaddr_type, NULL, 0, rssi,
4752                                    ev->data, ev->length);
4753
4754                 ptr += sizeof(*ev) + ev->length + 1;
4755         }
4756
4757         hci_dev_unlock(hdev);
4758 }
4759
4760 static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
4761 {
4762         struct hci_ev_le_ltk_req *ev = (void *) skb->data;
4763         struct hci_cp_le_ltk_reply cp;
4764         struct hci_cp_le_ltk_neg_reply neg;
4765         struct hci_conn *conn;
4766         struct smp_ltk *ltk;
4767
4768         BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle));
4769
4770         hci_dev_lock(hdev);
4771
4772         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4773         if (conn == NULL)
4774                 goto not_found;
4775
4776         ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
4777         if (!ltk)
4778                 goto not_found;
4779
4780         if (smp_ltk_is_sc(ltk)) {
4781                 /* With SC both EDiv and Rand are set to zero */
4782                 if (ev->ediv || ev->rand)
4783                         goto not_found;
4784         } else {
4785                 /* For non-SC keys check that EDiv and Rand match */
4786                 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
4787                         goto not_found;
4788         }
4789
4790         memcpy(cp.ltk, ltk->val, sizeof(ltk->val));
4791         cp.handle = cpu_to_le16(conn->handle);
4792
4793         conn->pending_sec_level = smp_ltk_sec_level(ltk);
4794
4795         conn->enc_key_size = ltk->enc_size;
4796
4797         hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
4798
4799         /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
4800          * temporary key used to encrypt a connection following
4801          * pairing. It is used during the Encrypted Session Setup to
4802          * distribute the keys. Later, security can be re-established
4803          * using a distributed LTK.
4804          */
4805         if (ltk->type == SMP_STK) {
4806                 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
4807                 list_del_rcu(&ltk->list);
4808                 kfree_rcu(ltk, rcu);
4809         } else {
4810                 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
4811         }
4812
4813         hci_dev_unlock(hdev);
4814
4815         return;
4816
4817 not_found:
4818         neg.handle = ev->handle;
4819         hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
4820         hci_dev_unlock(hdev);
4821 }
4822
4823 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
4824                                       u8 reason)
4825 {
4826         struct hci_cp_le_conn_param_req_neg_reply cp;
4827
4828         cp.handle = cpu_to_le16(handle);
4829         cp.reason = reason;
4830
4831         hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
4832                      &cp);
4833 }
4834
4835 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev,
4836                                              struct sk_buff *skb)
4837 {
4838         struct hci_ev_le_remote_conn_param_req *ev = (void *) skb->data;
4839         struct hci_cp_le_conn_param_req_reply cp;
4840         struct hci_conn *hcon;
4841         u16 handle, min, max, latency, timeout;
4842
4843         handle = le16_to_cpu(ev->handle);
4844         min = le16_to_cpu(ev->interval_min);
4845         max = le16_to_cpu(ev->interval_max);
4846         latency = le16_to_cpu(ev->latency);
4847         timeout = le16_to_cpu(ev->timeout);
4848
4849         hcon = hci_conn_hash_lookup_handle(hdev, handle);
4850         if (!hcon || hcon->state != BT_CONNECTED)
4851                 return send_conn_param_neg_reply(hdev, handle,
4852                                                  HCI_ERROR_UNKNOWN_CONN_ID);
4853
4854         if (hci_check_conn_params(min, max, latency, timeout))
4855                 return send_conn_param_neg_reply(hdev, handle,
4856                                                  HCI_ERROR_INVALID_LL_PARAMS);
4857
4858         if (hcon->role == HCI_ROLE_MASTER) {
4859                 struct hci_conn_params *params;
4860                 u8 store_hint;
4861
4862                 hci_dev_lock(hdev);
4863
4864                 params = hci_conn_params_lookup(hdev, &hcon->dst,
4865                                                 hcon->dst_type);
4866                 if (params) {
4867                         params->conn_min_interval = min;
4868                         params->conn_max_interval = max;
4869                         params->conn_latency = latency;
4870                         params->supervision_timeout = timeout;
4871                         store_hint = 0x01;
4872                 } else{
4873                         store_hint = 0x00;
4874                 }
4875
4876                 hci_dev_unlock(hdev);
4877
4878                 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
4879                                     store_hint, min, max, latency, timeout);
4880         }
4881
4882         cp.handle = ev->handle;
4883         cp.interval_min = ev->interval_min;
4884         cp.interval_max = ev->interval_max;
4885         cp.latency = ev->latency;
4886         cp.timeout = ev->timeout;
4887         cp.min_ce_len = 0;
4888         cp.max_ce_len = 0;
4889
4890         hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
4891 }
4892
4893 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev,
4894                                          struct sk_buff *skb)
4895 {
4896         u8 num_reports = skb->data[0];
4897         void *ptr = &skb->data[1];
4898
4899         hci_dev_lock(hdev);
4900
4901         while (num_reports--) {
4902                 struct hci_ev_le_direct_adv_info *ev = ptr;
4903
4904                 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
4905                                    ev->bdaddr_type, &ev->direct_addr,
4906                                    ev->direct_addr_type, ev->rssi, NULL, 0);
4907
4908                 ptr += sizeof(*ev);
4909         }
4910
4911         hci_dev_unlock(hdev);
4912 }
4913
4914 static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
4915 {
4916         struct hci_ev_le_meta *le_ev = (void *) skb->data;
4917
4918         skb_pull(skb, sizeof(*le_ev));
4919
4920         switch (le_ev->subevent) {
4921         case HCI_EV_LE_CONN_COMPLETE:
4922                 hci_le_conn_complete_evt(hdev, skb);
4923                 break;
4924
4925         case HCI_EV_LE_CONN_UPDATE_COMPLETE:
4926                 hci_le_conn_update_complete_evt(hdev, skb);
4927                 break;
4928
4929         case HCI_EV_LE_ADVERTISING_REPORT:
4930                 hci_le_adv_report_evt(hdev, skb);
4931                 break;
4932
4933         case HCI_EV_LE_LTK_REQ:
4934                 hci_le_ltk_request_evt(hdev, skb);
4935                 break;
4936
4937         case HCI_EV_LE_REMOTE_CONN_PARAM_REQ:
4938                 hci_le_remote_conn_param_req_evt(hdev, skb);
4939                 break;
4940
4941         case HCI_EV_LE_DIRECT_ADV_REPORT:
4942                 hci_le_direct_adv_report_evt(hdev, skb);
4943                 break;
4944
4945         default:
4946                 break;
4947         }
4948 }
4949
4950 static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb)
4951 {
4952         struct hci_ev_channel_selected *ev = (void *) skb->data;
4953         struct hci_conn *hcon;
4954
4955         BT_DBG("%s handle 0x%2.2x", hdev->name, ev->phy_handle);
4956
4957         skb_pull(skb, sizeof(*ev));
4958
4959         hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4960         if (!hcon)
4961                 return;
4962
4963         amp_read_loc_assoc_final_data(hdev, hcon);
4964 }
4965
4966 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
4967 {
4968         struct hci_event_hdr *hdr = (void *) skb->data;
4969         __u8 event = hdr->evt;
4970
4971         hci_dev_lock(hdev);
4972
4973         /* Received events are (currently) only needed when a request is
4974          * ongoing so avoid unnecessary memory allocation.
4975          */
4976         if (hci_req_pending(hdev)) {
4977                 kfree_skb(hdev->recv_evt);
4978                 hdev->recv_evt = skb_clone(skb, GFP_KERNEL);
4979         }
4980
4981         hci_dev_unlock(hdev);
4982
4983         skb_pull(skb, HCI_EVENT_HDR_SIZE);
4984
4985         if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->req.event == event) {
4986                 struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data;
4987                 u16 opcode = __le16_to_cpu(cmd_hdr->opcode);
4988
4989                 hci_req_cmd_complete(hdev, opcode, 0);
4990         }
4991
4992         switch (event) {
4993         case HCI_EV_INQUIRY_COMPLETE:
4994                 hci_inquiry_complete_evt(hdev, skb);
4995                 break;
4996
4997         case HCI_EV_INQUIRY_RESULT:
4998                 hci_inquiry_result_evt(hdev, skb);
4999                 break;
5000
5001         case HCI_EV_CONN_COMPLETE:
5002                 hci_conn_complete_evt(hdev, skb);
5003                 break;
5004
5005         case HCI_EV_CONN_REQUEST:
5006                 hci_conn_request_evt(hdev, skb);
5007                 break;
5008
5009         case HCI_EV_DISCONN_COMPLETE:
5010                 hci_disconn_complete_evt(hdev, skb);
5011                 break;
5012
5013         case HCI_EV_AUTH_COMPLETE:
5014                 hci_auth_complete_evt(hdev, skb);
5015                 break;
5016
5017         case HCI_EV_REMOTE_NAME:
5018                 hci_remote_name_evt(hdev, skb);
5019                 break;
5020
5021         case HCI_EV_ENCRYPT_CHANGE:
5022                 hci_encrypt_change_evt(hdev, skb);
5023                 break;
5024
5025         case HCI_EV_CHANGE_LINK_KEY_COMPLETE:
5026                 hci_change_link_key_complete_evt(hdev, skb);
5027                 break;
5028
5029         case HCI_EV_REMOTE_FEATURES:
5030                 hci_remote_features_evt(hdev, skb);
5031                 break;
5032
5033         case HCI_EV_CMD_COMPLETE:
5034                 hci_cmd_complete_evt(hdev, skb);
5035                 break;
5036
5037         case HCI_EV_CMD_STATUS:
5038                 hci_cmd_status_evt(hdev, skb);
5039                 break;
5040
5041         case HCI_EV_HARDWARE_ERROR:
5042                 hci_hardware_error_evt(hdev, skb);
5043                 break;
5044
5045         case HCI_EV_ROLE_CHANGE:
5046                 hci_role_change_evt(hdev, skb);
5047                 break;
5048
5049         case HCI_EV_NUM_COMP_PKTS:
5050                 hci_num_comp_pkts_evt(hdev, skb);
5051                 break;
5052
5053         case HCI_EV_MODE_CHANGE:
5054                 hci_mode_change_evt(hdev, skb);
5055                 break;
5056
5057         case HCI_EV_PIN_CODE_REQ:
5058                 hci_pin_code_request_evt(hdev, skb);
5059                 break;
5060
5061         case HCI_EV_LINK_KEY_REQ:
5062                 hci_link_key_request_evt(hdev, skb);
5063                 break;
5064
5065         case HCI_EV_LINK_KEY_NOTIFY:
5066                 hci_link_key_notify_evt(hdev, skb);
5067                 break;
5068
5069         case HCI_EV_CLOCK_OFFSET:
5070                 hci_clock_offset_evt(hdev, skb);
5071                 break;
5072
5073         case HCI_EV_PKT_TYPE_CHANGE:
5074                 hci_pkt_type_change_evt(hdev, skb);
5075                 break;
5076
5077         case HCI_EV_PSCAN_REP_MODE:
5078                 hci_pscan_rep_mode_evt(hdev, skb);
5079                 break;
5080
5081         case HCI_EV_INQUIRY_RESULT_WITH_RSSI:
5082                 hci_inquiry_result_with_rssi_evt(hdev, skb);
5083                 break;
5084
5085         case HCI_EV_REMOTE_EXT_FEATURES:
5086                 hci_remote_ext_features_evt(hdev, skb);
5087                 break;
5088
5089         case HCI_EV_SYNC_CONN_COMPLETE:
5090                 hci_sync_conn_complete_evt(hdev, skb);
5091                 break;
5092
5093         case HCI_EV_EXTENDED_INQUIRY_RESULT:
5094                 hci_extended_inquiry_result_evt(hdev, skb);
5095                 break;
5096
5097         case HCI_EV_KEY_REFRESH_COMPLETE:
5098                 hci_key_refresh_complete_evt(hdev, skb);
5099                 break;
5100
5101         case HCI_EV_IO_CAPA_REQUEST:
5102                 hci_io_capa_request_evt(hdev, skb);
5103                 break;
5104
5105         case HCI_EV_IO_CAPA_REPLY:
5106                 hci_io_capa_reply_evt(hdev, skb);
5107                 break;
5108
5109         case HCI_EV_USER_CONFIRM_REQUEST:
5110                 hci_user_confirm_request_evt(hdev, skb);
5111                 break;
5112
5113         case HCI_EV_USER_PASSKEY_REQUEST:
5114                 hci_user_passkey_request_evt(hdev, skb);
5115                 break;
5116
5117         case HCI_EV_USER_PASSKEY_NOTIFY:
5118                 hci_user_passkey_notify_evt(hdev, skb);
5119                 break;
5120
5121         case HCI_EV_KEYPRESS_NOTIFY:
5122                 hci_keypress_notify_evt(hdev, skb);
5123                 break;
5124
5125         case HCI_EV_SIMPLE_PAIR_COMPLETE:
5126                 hci_simple_pair_complete_evt(hdev, skb);
5127                 break;
5128
5129         case HCI_EV_REMOTE_HOST_FEATURES:
5130                 hci_remote_host_features_evt(hdev, skb);
5131                 break;
5132
5133         case HCI_EV_LE_META:
5134                 hci_le_meta_evt(hdev, skb);
5135                 break;
5136
5137         case HCI_EV_CHANNEL_SELECTED:
5138                 hci_chan_selected_evt(hdev, skb);
5139                 break;
5140
5141         case HCI_EV_REMOTE_OOB_DATA_REQUEST:
5142                 hci_remote_oob_data_request_evt(hdev, skb);
5143                 break;
5144
5145         case HCI_EV_PHY_LINK_COMPLETE:
5146                 hci_phy_link_complete_evt(hdev, skb);
5147                 break;
5148
5149         case HCI_EV_LOGICAL_LINK_COMPLETE:
5150                 hci_loglink_complete_evt(hdev, skb);
5151                 break;
5152
5153         case HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE:
5154                 hci_disconn_loglink_complete_evt(hdev, skb);
5155                 break;
5156
5157         case HCI_EV_DISCONN_PHY_LINK_COMPLETE:
5158                 hci_disconn_phylink_complete_evt(hdev, skb);
5159                 break;
5160
5161         case HCI_EV_NUM_COMP_BLOCKS:
5162                 hci_num_comp_blocks_evt(hdev, skb);
5163                 break;
5164
5165         default:
5166                 BT_DBG("%s event 0x%2.2x", hdev->name, event);
5167                 break;
5168         }
5169
5170         kfree_skb(skb);
5171         hdev->stat.evt_rx++;
5172 }
Linux kernel for KaRo TX COM modules