]> git.karo-electronics.de Git - karo-tx-linux.git/blob - net/bluetooth/hci_event.c
projects / karo-tx-linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
[karo-tx-linux.git] / net / bluetooth / hci_event.c
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
4
5    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License version 2 as
9    published by the Free Software Foundation;
10
11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19
20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22    SOFTWARE IS DISCLAIMED.
23 */
24
25 /* Bluetooth HCI event handling. */
26
27 #include <asm/unaligned.h>
28
29 #include <net/bluetooth/bluetooth.h>
30 #include <net/bluetooth/hci_core.h>
31 #include <net/bluetooth/mgmt.h>
32
33 #include "a2mp.h"
34 #include "amp.h"
35
36 /* Handle HCI Event packets */
37
38 static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb)
39 {
40         __u8 status = *((__u8 *) skb->data);
41
42         BT_DBG("%s status 0x%2.2x", hdev->name, status);
43
44         if (status)
45                 return;
46
47         clear_bit(HCI_INQUIRY, &hdev->flags);
48         smp_mb__after_clear_bit(); /* wake_up_bit advises about this barrier */
49         wake_up_bit(&hdev->flags, HCI_INQUIRY);
50
51         hci_conn_check_pending(hdev);
52 }
53
54 static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
55 {
56         __u8 status = *((__u8 *) skb->data);
57
58         BT_DBG("%s status 0x%2.2x", hdev->name, status);
59
60         if (status)
61                 return;
62
63         set_bit(HCI_PERIODIC_INQ, &hdev->dev_flags);
64 }
65
66 static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
67 {
68         __u8 status = *((__u8 *) skb->data);
69
70         BT_DBG("%s status 0x%2.2x", hdev->name, status);
71
72         if (status)
73                 return;
74
75         clear_bit(HCI_PERIODIC_INQ, &hdev->dev_flags);
76
77         hci_conn_check_pending(hdev);
78 }
79
80 static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev,
81                                           struct sk_buff *skb)
82 {
83         BT_DBG("%s", hdev->name);
84 }
85
86 static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb)
87 {
88         struct hci_rp_role_discovery *rp = (void *) skb->data;
89         struct hci_conn *conn;
90
91         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
92
93         if (rp->status)
94                 return;
95
96         hci_dev_lock(hdev);
97
98         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
99         if (conn) {
100                 if (rp->role)
101                         conn->link_mode &= ~HCI_LM_MASTER;
102                 else
103                         conn->link_mode |= HCI_LM_MASTER;
104         }
105
106         hci_dev_unlock(hdev);
107 }
108
109 static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
110 {
111         struct hci_rp_read_link_policy *rp = (void *) skb->data;
112         struct hci_conn *conn;
113
114         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
115
116         if (rp->status)
117                 return;
118
119         hci_dev_lock(hdev);
120
121         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
122         if (conn)
123                 conn->link_policy = __le16_to_cpu(rp->policy);
124
125         hci_dev_unlock(hdev);
126 }
127
128 static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
129 {
130         struct hci_rp_write_link_policy *rp = (void *) skb->data;
131         struct hci_conn *conn;
132         void *sent;
133
134         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
135
136         if (rp->status)
137                 return;
138
139         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
140         if (!sent)
141                 return;
142
143         hci_dev_lock(hdev);
144
145         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
146         if (conn)
147                 conn->link_policy = get_unaligned_le16(sent + 2);
148
149         hci_dev_unlock(hdev);
150 }
151
152 static void hci_cc_read_def_link_policy(struct hci_dev *hdev,
153                                         struct sk_buff *skb)
154 {
155         struct hci_rp_read_def_link_policy *rp = (void *) skb->data;
156
157         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
158
159         if (rp->status)
160                 return;
161
162         hdev->link_policy = __le16_to_cpu(rp->policy);
163 }
164
165 static void hci_cc_write_def_link_policy(struct hci_dev *hdev,
166                                          struct sk_buff *skb)
167 {
168         __u8 status = *((__u8 *) skb->data);
169         void *sent;
170
171         BT_DBG("%s status 0x%2.2x", hdev->name, status);
172
173         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
174         if (!sent)
175                 return;
176
177         if (!status)
178                 hdev->link_policy = get_unaligned_le16(sent);
179 }
180
181 static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb)
182 {
183         __u8 status = *((__u8 *) skb->data);
184
185         BT_DBG("%s status 0x%2.2x", hdev->name, status);
186
187         clear_bit(HCI_RESET, &hdev->flags);
188
189         /* Reset all non-persistent flags */
190         hdev->dev_flags &= ~HCI_PERSISTENT_MASK;
191
192         hdev->discovery.state = DISCOVERY_STOPPED;
193         hdev->inq_tx_power = HCI_TX_POWER_INVALID;
194         hdev->adv_tx_power = HCI_TX_POWER_INVALID;
195
196         memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
197         hdev->adv_data_len = 0;
198
199         memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
200         hdev->scan_rsp_data_len = 0;
201
202         hdev->le_scan_type = LE_SCAN_PASSIVE;
203
204         hdev->ssp_debug_mode = 0;
205 }
206
207 static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb)
208 {
209         __u8 status = *((__u8 *) skb->data);
210         void *sent;
211
212         BT_DBG("%s status 0x%2.2x", hdev->name, status);
213
214         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
215         if (!sent)
216                 return;
217
218         hci_dev_lock(hdev);
219
220         if (test_bit(HCI_MGMT, &hdev->dev_flags))
221                 mgmt_set_local_name_complete(hdev, sent, status);
222         else if (!status)
223                 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
224
225         hci_dev_unlock(hdev);
226 }
227
228 static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)
229 {
230         struct hci_rp_read_local_name *rp = (void *) skb->data;
231
232         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
233
234         if (rp->status)
235                 return;
236
237         if (test_bit(HCI_SETUP, &hdev->dev_flags))
238                 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
239 }
240
241 static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb)
242 {
243         __u8 status = *((__u8 *) skb->data);
244         void *sent;
245
246         BT_DBG("%s status 0x%2.2x", hdev->name, status);
247
248         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
249         if (!sent)
250                 return;
251
252         if (!status) {
253                 __u8 param = *((__u8 *) sent);
254
255                 if (param == AUTH_ENABLED)
256                         set_bit(HCI_AUTH, &hdev->flags);
257                 else
258                         clear_bit(HCI_AUTH, &hdev->flags);
259         }
260
261         if (test_bit(HCI_MGMT, &hdev->dev_flags))
262                 mgmt_auth_enable_complete(hdev, status);
263 }
264
265 static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb)
266 {
267         __u8 status = *((__u8 *) skb->data);
268         void *sent;
269
270         BT_DBG("%s status 0x%2.2x", hdev->name, status);
271
272         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
273         if (!sent)
274                 return;
275
276         if (!status) {
277                 __u8 param = *((__u8 *) sent);
278
279                 if (param)
280                         set_bit(HCI_ENCRYPT, &hdev->flags);
281                 else
282                         clear_bit(HCI_ENCRYPT, &hdev->flags);
283         }
284 }
285
286 static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb)
287 {
288         __u8 param, status = *((__u8 *) skb->data);
289         int old_pscan, old_iscan;
290         void *sent;
291
292         BT_DBG("%s status 0x%2.2x", hdev->name, status);
293
294         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
295         if (!sent)
296                 return;
297
298         param = *((__u8 *) sent);
299
300         hci_dev_lock(hdev);
301
302         if (status) {
303                 mgmt_write_scan_failed(hdev, param, status);
304                 hdev->discov_timeout = 0;
305                 goto done;
306         }
307
308         /* We need to ensure that we set this back on if someone changed
309          * the scan mode through a raw HCI socket.
310          */
311         set_bit(HCI_BREDR_ENABLED, &hdev->dev_flags);
312
313         old_pscan = test_and_clear_bit(HCI_PSCAN, &hdev->flags);
314         old_iscan = test_and_clear_bit(HCI_ISCAN, &hdev->flags);
315
316         if (param & SCAN_INQUIRY) {
317                 set_bit(HCI_ISCAN, &hdev->flags);
318                 if (!old_iscan)
319                         mgmt_discoverable(hdev, 1);
320         } else if (old_iscan)
321                 mgmt_discoverable(hdev, 0);
322
323         if (param & SCAN_PAGE) {
324                 set_bit(HCI_PSCAN, &hdev->flags);
325                 if (!old_pscan)
326                         mgmt_connectable(hdev, 1);
327         } else if (old_pscan)
328                 mgmt_connectable(hdev, 0);
329
330 done:
331         hci_dev_unlock(hdev);
332 }
333
334 static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
335 {
336         struct hci_rp_read_class_of_dev *rp = (void *) skb->data;
337
338         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
339
340         if (rp->status)
341                 return;
342
343         memcpy(hdev->dev_class, rp->dev_class, 3);
344
345         BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name,
346                hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]);
347 }
348
349 static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
350 {
351         __u8 status = *((__u8 *) skb->data);
352         void *sent;
353
354         BT_DBG("%s status 0x%2.2x", hdev->name, status);
355
356         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
357         if (!sent)
358                 return;
359
360         hci_dev_lock(hdev);
361
362         if (status == 0)
363                 memcpy(hdev->dev_class, sent, 3);
364
365         if (test_bit(HCI_MGMT, &hdev->dev_flags))
366                 mgmt_set_class_of_dev_complete(hdev, sent, status);
367
368         hci_dev_unlock(hdev);
369 }
370
371 static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb)
372 {
373         struct hci_rp_read_voice_setting *rp = (void *) skb->data;
374         __u16 setting;
375
376         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
377
378         if (rp->status)
379                 return;
380
381         setting = __le16_to_cpu(rp->voice_setting);
382
383         if (hdev->voice_setting == setting)
384                 return;
385
386         hdev->voice_setting = setting;
387
388         BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
389
390         if (hdev->notify)
391                 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
392 }
393
394 static void hci_cc_write_voice_setting(struct hci_dev *hdev,
395                                        struct sk_buff *skb)
396 {
397         __u8 status = *((__u8 *) skb->data);
398         __u16 setting;
399         void *sent;
400
401         BT_DBG("%s status 0x%2.2x", hdev->name, status);
402
403         if (status)
404                 return;
405
406         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
407         if (!sent)
408                 return;
409
410         setting = get_unaligned_le16(sent);
411
412         if (hdev->voice_setting == setting)
413                 return;
414
415         hdev->voice_setting = setting;
416
417         BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
418
419         if (hdev->notify)
420                 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
421 }
422
423 static void hci_cc_read_num_supported_iac(struct hci_dev *hdev,
424                                           struct sk_buff *skb)
425 {
426         struct hci_rp_read_num_supported_iac *rp = (void *) skb->data;
427
428         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
429
430         if (rp->status)
431                 return;
432
433         hdev->num_iac = rp->num_iac;
434
435         BT_DBG("%s num iac %d", hdev->name, hdev->num_iac);
436 }
437
438 static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
439 {
440         __u8 status = *((__u8 *) skb->data);
441         struct hci_cp_write_ssp_mode *sent;
442
443         BT_DBG("%s status 0x%2.2x", hdev->name, status);
444
445         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
446         if (!sent)
447                 return;
448
449         if (!status) {
450                 if (sent->mode)
451                         hdev->features[1][0] |= LMP_HOST_SSP;
452                 else
453                         hdev->features[1][0] &= ~LMP_HOST_SSP;
454         }
455
456         if (test_bit(HCI_MGMT, &hdev->dev_flags))
457                 mgmt_ssp_enable_complete(hdev, sent->mode, status);
458         else if (!status) {
459                 if (sent->mode)
460                         set_bit(HCI_SSP_ENABLED, &hdev->dev_flags);
461                 else
462                         clear_bit(HCI_SSP_ENABLED, &hdev->dev_flags);
463         }
464 }
465
466 static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb)
467 {
468         u8 status = *((u8 *) skb->data);
469         struct hci_cp_write_sc_support *sent;
470
471         BT_DBG("%s status 0x%2.2x", hdev->name, status);
472
473         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
474         if (!sent)
475                 return;
476
477         if (!status) {
478                 if (sent->support)
479                         hdev->features[1][0] |= LMP_HOST_SC;
480                 else
481                         hdev->features[1][0] &= ~LMP_HOST_SC;
482         }
483
484         if (test_bit(HCI_MGMT, &hdev->dev_flags))
485                 mgmt_sc_enable_complete(hdev, sent->support, status);
486         else if (!status) {
487                 if (sent->support)
488                         set_bit(HCI_SC_ENABLED, &hdev->dev_flags);
489                 else
490                         clear_bit(HCI_SC_ENABLED, &hdev->dev_flags);
491         }
492 }
493
494 static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb)
495 {
496         struct hci_rp_read_local_version *rp = (void *) skb->data;
497
498         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
499
500         if (rp->status)
501                 return;
502
503         if (test_bit(HCI_SETUP, &hdev->dev_flags)) {
504                 hdev->hci_ver = rp->hci_ver;
505                 hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
506                 hdev->lmp_ver = rp->lmp_ver;
507                 hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
508                 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
509         }
510 }
511
512 static void hci_cc_read_local_commands(struct hci_dev *hdev,
513                                        struct sk_buff *skb)
514 {
515         struct hci_rp_read_local_commands *rp = (void *) skb->data;
516
517         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
518
519         if (rp->status)
520                 return;
521
522         if (test_bit(HCI_SETUP, &hdev->dev_flags))
523                 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
524 }
525
526 static void hci_cc_read_local_features(struct hci_dev *hdev,
527                                        struct sk_buff *skb)
528 {
529         struct hci_rp_read_local_features *rp = (void *) skb->data;
530
531         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
532
533         if (rp->status)
534                 return;
535
536         memcpy(hdev->features, rp->features, 8);
537
538         /* Adjust default settings according to features
539          * supported by device. */
540
541         if (hdev->features[0][0] & LMP_3SLOT)
542                 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
543
544         if (hdev->features[0][0] & LMP_5SLOT)
545                 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
546
547         if (hdev->features[0][1] & LMP_HV2) {
548                 hdev->pkt_type  |= (HCI_HV2);
549                 hdev->esco_type |= (ESCO_HV2);
550         }
551
552         if (hdev->features[0][1] & LMP_HV3) {
553                 hdev->pkt_type  |= (HCI_HV3);
554                 hdev->esco_type |= (ESCO_HV3);
555         }
556
557         if (lmp_esco_capable(hdev))
558                 hdev->esco_type |= (ESCO_EV3);
559
560         if (hdev->features[0][4] & LMP_EV4)
561                 hdev->esco_type |= (ESCO_EV4);
562
563         if (hdev->features[0][4] & LMP_EV5)
564                 hdev->esco_type |= (ESCO_EV5);
565
566         if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
567                 hdev->esco_type |= (ESCO_2EV3);
568
569         if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
570                 hdev->esco_type |= (ESCO_3EV3);
571
572         if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
573                 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
574 }
575
576 static void hci_cc_read_local_ext_features(struct hci_dev *hdev,
577                                            struct sk_buff *skb)
578 {
579         struct hci_rp_read_local_ext_features *rp = (void *) skb->data;
580
581         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
582
583         if (rp->status)
584                 return;
585
586         if (hdev->max_page < rp->max_page)
587                 hdev->max_page = rp->max_page;
588
589         if (rp->page < HCI_MAX_PAGES)
590                 memcpy(hdev->features[rp->page], rp->features, 8);
591 }
592
593 static void hci_cc_read_flow_control_mode(struct hci_dev *hdev,
594                                           struct sk_buff *skb)
595 {
596         struct hci_rp_read_flow_control_mode *rp = (void *) skb->data;
597
598         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
599
600         if (!rp->status)
601                 hdev->flow_ctl_mode = rp->mode;
602 }
603
604 static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)
605 {
606         struct hci_rp_read_buffer_size *rp = (void *) skb->data;
607
608         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
609
610         if (rp->status)
611                 return;
612
613         hdev->acl_mtu  = __le16_to_cpu(rp->acl_mtu);
614         hdev->sco_mtu  = rp->sco_mtu;
615         hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
616         hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
617
618         if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
619                 hdev->sco_mtu  = 64;
620                 hdev->sco_pkts = 8;
621         }
622
623         hdev->acl_cnt = hdev->acl_pkts;
624         hdev->sco_cnt = hdev->sco_pkts;
625
626         BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
627                hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
628 }
629
630 static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb)
631 {
632         struct hci_rp_read_bd_addr *rp = (void *) skb->data;
633
634         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
635
636         if (!rp->status)
637                 bacpy(&hdev->bdaddr, &rp->bdaddr);
638 }
639
640 static void hci_cc_read_page_scan_activity(struct hci_dev *hdev,
641                                            struct sk_buff *skb)
642 {
643         struct hci_rp_read_page_scan_activity *rp = (void *) skb->data;
644
645         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
646
647         if (test_bit(HCI_INIT, &hdev->flags) && !rp->status) {
648                 hdev->page_scan_interval = __le16_to_cpu(rp->interval);
649                 hdev->page_scan_window = __le16_to_cpu(rp->window);
650         }
651 }
652
653 static void hci_cc_write_page_scan_activity(struct hci_dev *hdev,
654                                             struct sk_buff *skb)
655 {
656         u8 status = *((u8 *) skb->data);
657         struct hci_cp_write_page_scan_activity *sent;
658
659         BT_DBG("%s status 0x%2.2x", hdev->name, status);
660
661         if (status)
662                 return;
663
664         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
665         if (!sent)
666                 return;
667
668         hdev->page_scan_interval = __le16_to_cpu(sent->interval);
669         hdev->page_scan_window = __le16_to_cpu(sent->window);
670 }
671
672 static void hci_cc_read_page_scan_type(struct hci_dev *hdev,
673                                            struct sk_buff *skb)
674 {
675         struct hci_rp_read_page_scan_type *rp = (void *) skb->data;
676
677         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
678
679         if (test_bit(HCI_INIT, &hdev->flags) && !rp->status)
680                 hdev->page_scan_type = rp->type;
681 }
682
683 static void hci_cc_write_page_scan_type(struct hci_dev *hdev,
684                                         struct sk_buff *skb)
685 {
686         u8 status = *((u8 *) skb->data);
687         u8 *type;
688
689         BT_DBG("%s status 0x%2.2x", hdev->name, status);
690
691         if (status)
692                 return;
693
694         type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
695         if (type)
696                 hdev->page_scan_type = *type;
697 }
698
699 static void hci_cc_read_data_block_size(struct hci_dev *hdev,
700                                         struct sk_buff *skb)
701 {
702         struct hci_rp_read_data_block_size *rp = (void *) skb->data;
703
704         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
705
706         if (rp->status)
707                 return;
708
709         hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
710         hdev->block_len = __le16_to_cpu(rp->block_len);
711         hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
712
713         hdev->block_cnt = hdev->num_blocks;
714
715         BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
716                hdev->block_cnt, hdev->block_len);
717 }
718
719 static void hci_cc_read_local_amp_info(struct hci_dev *hdev,
720                                        struct sk_buff *skb)
721 {
722         struct hci_rp_read_local_amp_info *rp = (void *) skb->data;
723
724         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
725
726         if (rp->status)
727                 goto a2mp_rsp;
728
729         hdev->amp_status = rp->amp_status;
730         hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
731         hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
732         hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
733         hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
734         hdev->amp_type = rp->amp_type;
735         hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
736         hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
737         hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
738         hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
739
740 a2mp_rsp:
741         a2mp_send_getinfo_rsp(hdev);
742 }
743
744 static void hci_cc_read_local_amp_assoc(struct hci_dev *hdev,
745                                         struct sk_buff *skb)
746 {
747         struct hci_rp_read_local_amp_assoc *rp = (void *) skb->data;
748         struct amp_assoc *assoc = &hdev->loc_assoc;
749         size_t rem_len, frag_len;
750
751         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
752
753         if (rp->status)
754                 goto a2mp_rsp;
755
756         frag_len = skb->len - sizeof(*rp);
757         rem_len = __le16_to_cpu(rp->rem_len);
758
759         if (rem_len > frag_len) {
760                 BT_DBG("frag_len %zu rem_len %zu", frag_len, rem_len);
761
762                 memcpy(assoc->data + assoc->offset, rp->frag, frag_len);
763                 assoc->offset += frag_len;
764
765                 /* Read other fragments */
766                 amp_read_loc_assoc_frag(hdev, rp->phy_handle);
767
768                 return;
769         }
770
771         memcpy(assoc->data + assoc->offset, rp->frag, rem_len);
772         assoc->len = assoc->offset + rem_len;
773         assoc->offset = 0;
774
775 a2mp_rsp:
776         /* Send A2MP Rsp when all fragments are received */
777         a2mp_send_getampassoc_rsp(hdev, rp->status);
778         a2mp_send_create_phy_link_req(hdev, rp->status);
779 }
780
781 static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev,
782                                          struct sk_buff *skb)
783 {
784         struct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data;
785
786         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
787
788         if (!rp->status)
789                 hdev->inq_tx_power = rp->tx_power;
790 }
791
792 static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb)
793 {
794         struct hci_rp_pin_code_reply *rp = (void *) skb->data;
795         struct hci_cp_pin_code_reply *cp;
796         struct hci_conn *conn;
797
798         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
799
800         hci_dev_lock(hdev);
801
802         if (test_bit(HCI_MGMT, &hdev->dev_flags))
803                 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
804
805         if (rp->status)
806                 goto unlock;
807
808         cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
809         if (!cp)
810                 goto unlock;
811
812         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
813         if (conn)
814                 conn->pin_length = cp->pin_len;
815
816 unlock:
817         hci_dev_unlock(hdev);
818 }
819
820 static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)
821 {
822         struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data;
823
824         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
825
826         hci_dev_lock(hdev);
827
828         if (test_bit(HCI_MGMT, &hdev->dev_flags))
829                 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
830                                                  rp->status);
831
832         hci_dev_unlock(hdev);
833 }
834
835 static void hci_cc_le_read_buffer_size(struct hci_dev *hdev,
836                                        struct sk_buff *skb)
837 {
838         struct hci_rp_le_read_buffer_size *rp = (void *) skb->data;
839
840         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
841
842         if (rp->status)
843                 return;
844
845         hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
846         hdev->le_pkts = rp->le_max_pkt;
847
848         hdev->le_cnt = hdev->le_pkts;
849
850         BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
851 }
852
853 static void hci_cc_le_read_local_features(struct hci_dev *hdev,
854                                           struct sk_buff *skb)
855 {
856         struct hci_rp_le_read_local_features *rp = (void *) skb->data;
857
858         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
859
860         if (!rp->status)
861                 memcpy(hdev->le_features, rp->features, 8);
862 }
863
864 static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev,
865                                         struct sk_buff *skb)
866 {
867         struct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data;
868
869         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
870
871         if (!rp->status)
872                 hdev->adv_tx_power = rp->tx_power;
873 }
874
875 static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb)
876 {
877         struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
878
879         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
880
881         hci_dev_lock(hdev);
882
883         if (test_bit(HCI_MGMT, &hdev->dev_flags))
884                 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
885                                                  rp->status);
886
887         hci_dev_unlock(hdev);
888 }
889
890 static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev,
891                                           struct sk_buff *skb)
892 {
893         struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
894
895         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
896
897         hci_dev_lock(hdev);
898
899         if (test_bit(HCI_MGMT, &hdev->dev_flags))
900                 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
901                                                      ACL_LINK, 0, rp->status);
902
903         hci_dev_unlock(hdev);
904 }
905
906 static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb)
907 {
908         struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
909
910         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
911
912         hci_dev_lock(hdev);
913
914         if (test_bit(HCI_MGMT, &hdev->dev_flags))
915                 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
916                                                  0, rp->status);
917
918         hci_dev_unlock(hdev);
919 }
920
921 static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev,
922                                           struct sk_buff *skb)
923 {
924         struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
925
926         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
927
928         hci_dev_lock(hdev);
929
930         if (test_bit(HCI_MGMT, &hdev->dev_flags))
931                 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
932                                                      ACL_LINK, 0, rp->status);
933
934         hci_dev_unlock(hdev);
935 }
936
937 static void hci_cc_read_local_oob_data(struct hci_dev *hdev,
938                                        struct sk_buff *skb)
939 {
940         struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
941
942         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
943
944         hci_dev_lock(hdev);
945         mgmt_read_local_oob_data_complete(hdev, rp->hash, rp->randomizer,
946                                           NULL, NULL, rp->status);
947         hci_dev_unlock(hdev);
948 }
949
950 static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev,
951                                            struct sk_buff *skb)
952 {
953         struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
954
955         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
956
957         hci_dev_lock(hdev);
958         mgmt_read_local_oob_data_complete(hdev, rp->hash192, rp->randomizer192,
959                                           rp->hash256, rp->randomizer256,
960                                           rp->status);
961         hci_dev_unlock(hdev);
962 }
963
964
965 static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb)
966 {
967         __u8 status = *((__u8 *) skb->data);
968         bdaddr_t *sent;
969
970         BT_DBG("%s status 0x%2.2x", hdev->name, status);
971
972         sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
973         if (!sent)
974                 return;
975
976         hci_dev_lock(hdev);
977
978         if (!status)
979                 bacpy(&hdev->random_addr, sent);
980
981         hci_dev_unlock(hdev);
982 }
983
984 static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb)
985 {
986         __u8 *sent, status = *((__u8 *) skb->data);
987
988         BT_DBG("%s status 0x%2.2x", hdev->name, status);
989
990         sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
991         if (!sent)
992                 return;
993
994         if (status)
995                 return;
996
997         hci_dev_lock(hdev);
998
999         /* If we're doing connection initation as peripheral. Set a
1000          * timeout in case something goes wrong.
1001          */
1002         if (*sent) {
1003                 struct hci_conn *conn;
1004
1005                 conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT);
1006                 if (conn)
1007                         queue_delayed_work(hdev->workqueue,
1008                                            &conn->le_conn_timeout,
1009                                            HCI_LE_CONN_TIMEOUT);
1010         }
1011
1012         mgmt_advertising(hdev, *sent);
1013
1014         hci_dev_unlock(hdev);
1015 }
1016
1017 static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb)
1018 {
1019         struct hci_cp_le_set_scan_param *cp;
1020         __u8 status = *((__u8 *) skb->data);
1021
1022         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1023
1024         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1025         if (!cp)
1026                 return;
1027
1028         hci_dev_lock(hdev);
1029
1030         if (!status)
1031                 hdev->le_scan_type = cp->type;
1032
1033         hci_dev_unlock(hdev);
1034 }
1035
1036 static bool has_pending_adv_report(struct hci_dev *hdev)
1037 {
1038         struct discovery_state *d = &hdev->discovery;
1039
1040         return bacmp(&d->last_adv_addr, BDADDR_ANY);
1041 }
1042
1043 static void clear_pending_adv_report(struct hci_dev *hdev)
1044 {
1045         struct discovery_state *d = &hdev->discovery;
1046
1047         bacpy(&d->last_adv_addr, BDADDR_ANY);
1048         d->last_adv_data_len = 0;
1049 }
1050
1051 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1052                                      u8 bdaddr_type, s8 rssi, u8 *data, u8 len)
1053 {
1054         struct discovery_state *d = &hdev->discovery;
1055
1056         bacpy(&d->last_adv_addr, bdaddr);
1057         d->last_adv_addr_type = bdaddr_type;
1058         d->last_adv_rssi = rssi;
1059         memcpy(d->last_adv_data, data, len);
1060         d->last_adv_data_len = len;
1061 }
1062
1063 static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
1064                                       struct sk_buff *skb)
1065 {
1066         struct hci_cp_le_set_scan_enable *cp;
1067         __u8 status = *((__u8 *) skb->data);
1068
1069         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1070
1071         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1072         if (!cp)
1073                 return;
1074
1075         if (status)
1076                 return;
1077
1078         switch (cp->enable) {
1079         case LE_SCAN_ENABLE:
1080                 set_bit(HCI_LE_SCAN, &hdev->dev_flags);
1081                 if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1082                         clear_pending_adv_report(hdev);
1083                 break;
1084
1085         case LE_SCAN_DISABLE:
1086                 /* We do this here instead of when setting DISCOVERY_STOPPED
1087                  * since the latter would potentially require waiting for
1088                  * inquiry to stop too.
1089                  */
1090                 if (has_pending_adv_report(hdev)) {
1091                         struct discovery_state *d = &hdev->discovery;
1092
1093                         mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1094                                           d->last_adv_addr_type, NULL,
1095                                           d->last_adv_rssi, 0, 1,
1096                                           d->last_adv_data,
1097                                           d->last_adv_data_len, NULL, 0);
1098                 }
1099
1100                 /* Cancel this timer so that we don't try to disable scanning
1101                  * when it's already disabled.
1102                  */
1103                 cancel_delayed_work(&hdev->le_scan_disable);
1104
1105                 clear_bit(HCI_LE_SCAN, &hdev->dev_flags);
1106                 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1107                  * interrupted scanning due to a connect request. Mark
1108                  * therefore discovery as stopped.
1109                  */
1110                 if (test_and_clear_bit(HCI_LE_SCAN_INTERRUPTED,
1111                                        &hdev->dev_flags))
1112                         hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1113                 break;
1114
1115         default:
1116                 BT_ERR("Used reserved LE_Scan_Enable param %d", cp->enable);
1117                 break;
1118         }
1119 }
1120
1121 static void hci_cc_le_read_white_list_size(struct hci_dev *hdev,
1122                                            struct sk_buff *skb)
1123 {
1124         struct hci_rp_le_read_white_list_size *rp = (void *) skb->data;
1125
1126         BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1127
1128         if (!rp->status)
1129                 hdev->le_white_list_size = rp->size;
1130 }
1131
1132 static void hci_cc_le_clear_white_list(struct hci_dev *hdev,
1133                                        struct sk_buff *skb)
1134 {
1135         __u8 status = *((__u8 *) skb->data);
1136
1137         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1138
1139         if (!status)
1140                 hci_white_list_clear(hdev);
1141 }
1142
1143 static void hci_cc_le_add_to_white_list(struct hci_dev *hdev,
1144                                         struct sk_buff *skb)
1145 {
1146         struct hci_cp_le_add_to_white_list *sent;
1147         __u8 status = *((__u8 *) skb->data);
1148
1149         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1150
1151         sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_WHITE_LIST);
1152         if (!sent)
1153                 return;
1154
1155         if (!status)
1156                 hci_white_list_add(hdev, &sent->bdaddr, sent->bdaddr_type);
1157 }
1158
1159 static void hci_cc_le_del_from_white_list(struct hci_dev *hdev,
1160                                           struct sk_buff *skb)
1161 {
1162         struct hci_cp_le_del_from_white_list *sent;
1163         __u8 status = *((__u8 *) skb->data);
1164
1165         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1166
1167         sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_WHITE_LIST);
1168         if (!sent)
1169                 return;
1170
1171         if (!status)
1172                 hci_white_list_del(hdev, &sent->bdaddr, sent->bdaddr_type);
1173 }
1174
1175 static void hci_cc_le_read_supported_states(struct hci_dev *hdev,
1176                                             struct sk_buff *skb)
1177 {
1178         struct hci_rp_le_read_supported_states *rp = (void *) skb->data;
1179
1180         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1181
1182         if (!rp->status)
1183                 memcpy(hdev->le_states, rp->le_states, 8);
1184 }
1185
1186 static void hci_cc_write_le_host_supported(struct hci_dev *hdev,
1187                                            struct sk_buff *skb)
1188 {
1189         struct hci_cp_write_le_host_supported *sent;
1190         __u8 status = *((__u8 *) skb->data);
1191
1192         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1193
1194         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
1195         if (!sent)
1196                 return;
1197
1198         if (!status) {
1199                 if (sent->le) {
1200                         hdev->features[1][0] |= LMP_HOST_LE;
1201                         set_bit(HCI_LE_ENABLED, &hdev->dev_flags);
1202                 } else {
1203                         hdev->features[1][0] &= ~LMP_HOST_LE;
1204                         clear_bit(HCI_LE_ENABLED, &hdev->dev_flags);
1205                         clear_bit(HCI_ADVERTISING, &hdev->dev_flags);
1206                 }
1207
1208                 if (sent->simul)
1209                         hdev->features[1][0] |= LMP_HOST_LE_BREDR;
1210                 else
1211                         hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
1212         }
1213 }
1214
1215 static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1216 {
1217         struct hci_cp_le_set_adv_param *cp;
1218         u8 status = *((u8 *) skb->data);
1219
1220         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1221
1222         if (status)
1223                 return;
1224
1225         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
1226         if (!cp)
1227                 return;
1228
1229         hci_dev_lock(hdev);
1230         hdev->adv_addr_type = cp->own_address_type;
1231         hci_dev_unlock(hdev);
1232 }
1233
1234 static void hci_cc_write_remote_amp_assoc(struct hci_dev *hdev,
1235                                           struct sk_buff *skb)
1236 {
1237         struct hci_rp_write_remote_amp_assoc *rp = (void *) skb->data;
1238
1239         BT_DBG("%s status 0x%2.2x phy_handle 0x%2.2x",
1240                hdev->name, rp->status, rp->phy_handle);
1241
1242         if (rp->status)
1243                 return;
1244
1245         amp_write_rem_assoc_continue(hdev, rp->phy_handle);
1246 }
1247
1248 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
1249 {
1250         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1251
1252         if (status) {
1253                 hci_conn_check_pending(hdev);
1254                 return;
1255         }
1256
1257         set_bit(HCI_INQUIRY, &hdev->flags);
1258 }
1259
1260 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
1261 {
1262         struct hci_cp_create_conn *cp;
1263         struct hci_conn *conn;
1264
1265         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1266
1267         cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
1268         if (!cp)
1269                 return;
1270
1271         hci_dev_lock(hdev);
1272
1273         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1274
1275         BT_DBG("%s bdaddr %pMR hcon %p", hdev->name, &cp->bdaddr, conn);
1276
1277         if (status) {
1278                 if (conn && conn->state == BT_CONNECT) {
1279                         if (status != 0x0c || conn->attempt > 2) {
1280                                 conn->state = BT_CLOSED;
1281                                 hci_proto_connect_cfm(conn, status);
1282                                 hci_conn_del(conn);
1283                         } else
1284                                 conn->state = BT_CONNECT2;
1285                 }
1286         } else {
1287                 if (!conn) {
1288                         conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr);
1289                         if (conn) {
1290                                 conn->out = true;
1291                                 conn->link_mode |= HCI_LM_MASTER;
1292                         } else
1293                                 BT_ERR("No memory for new connection");
1294                 }
1295         }
1296
1297         hci_dev_unlock(hdev);
1298 }
1299
1300 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
1301 {
1302         struct hci_cp_add_sco *cp;
1303         struct hci_conn *acl, *sco;
1304         __u16 handle;
1305
1306         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1307
1308         if (!status)
1309                 return;
1310
1311         cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
1312         if (!cp)
1313                 return;
1314
1315         handle = __le16_to_cpu(cp->handle);
1316
1317         BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1318
1319         hci_dev_lock(hdev);
1320
1321         acl = hci_conn_hash_lookup_handle(hdev, handle);
1322         if (acl) {
1323                 sco = acl->link;
1324                 if (sco) {
1325                         sco->state = BT_CLOSED;
1326
1327                         hci_proto_connect_cfm(sco, status);
1328                         hci_conn_del(sco);
1329                 }
1330         }
1331
1332         hci_dev_unlock(hdev);
1333 }
1334
1335 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
1336 {
1337         struct hci_cp_auth_requested *cp;
1338         struct hci_conn *conn;
1339
1340         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1341
1342         if (!status)
1343                 return;
1344
1345         cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
1346         if (!cp)
1347                 return;
1348
1349         hci_dev_lock(hdev);
1350
1351         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1352         if (conn) {
1353                 if (conn->state == BT_CONFIG) {
1354                         hci_proto_connect_cfm(conn, status);
1355                         hci_conn_drop(conn);
1356                 }
1357         }
1358
1359         hci_dev_unlock(hdev);
1360 }
1361
1362 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
1363 {
1364         struct hci_cp_set_conn_encrypt *cp;
1365         struct hci_conn *conn;
1366
1367         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1368
1369         if (!status)
1370                 return;
1371
1372         cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
1373         if (!cp)
1374                 return;
1375
1376         hci_dev_lock(hdev);
1377
1378         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1379         if (conn) {
1380                 if (conn->state == BT_CONFIG) {
1381                         hci_proto_connect_cfm(conn, status);
1382                         hci_conn_drop(conn);
1383                 }
1384         }
1385
1386         hci_dev_unlock(hdev);
1387 }
1388
1389 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
1390                                     struct hci_conn *conn)
1391 {
1392         if (conn->state != BT_CONFIG || !conn->out)
1393                 return 0;
1394
1395         if (conn->pending_sec_level == BT_SECURITY_SDP)
1396                 return 0;
1397
1398         /* Only request authentication for SSP connections or non-SSP
1399          * devices with sec_level MEDIUM or HIGH or if MITM protection
1400          * is requested.
1401          */
1402         if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
1403             conn->pending_sec_level != BT_SECURITY_HIGH &&
1404             conn->pending_sec_level != BT_SECURITY_MEDIUM)
1405                 return 0;
1406
1407         return 1;
1408 }
1409
1410 static int hci_resolve_name(struct hci_dev *hdev,
1411                                    struct inquiry_entry *e)
1412 {
1413         struct hci_cp_remote_name_req cp;
1414
1415         memset(&cp, 0, sizeof(cp));
1416
1417         bacpy(&cp.bdaddr, &e->data.bdaddr);
1418         cp.pscan_rep_mode = e->data.pscan_rep_mode;
1419         cp.pscan_mode = e->data.pscan_mode;
1420         cp.clock_offset = e->data.clock_offset;
1421
1422         return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
1423 }
1424
1425 static bool hci_resolve_next_name(struct hci_dev *hdev)
1426 {
1427         struct discovery_state *discov = &hdev->discovery;
1428         struct inquiry_entry *e;
1429
1430         if (list_empty(&discov->resolve))
1431                 return false;
1432
1433         e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
1434         if (!e)
1435                 return false;
1436
1437         if (hci_resolve_name(hdev, e) == 0) {
1438                 e->name_state = NAME_PENDING;
1439                 return true;
1440         }
1441
1442         return false;
1443 }
1444
1445 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
1446                                    bdaddr_t *bdaddr, u8 *name, u8 name_len)
1447 {
1448         struct discovery_state *discov = &hdev->discovery;
1449         struct inquiry_entry *e;
1450
1451         if (conn && !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
1452                 mgmt_device_connected(hdev, bdaddr, ACL_LINK, 0x00, 0, name,
1453                                       name_len, conn->dev_class);
1454
1455         if (discov->state == DISCOVERY_STOPPED)
1456                 return;
1457
1458         if (discov->state == DISCOVERY_STOPPING)
1459                 goto discov_complete;
1460
1461         if (discov->state != DISCOVERY_RESOLVING)
1462                 return;
1463
1464         e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
1465         /* If the device was not found in a list of found devices names of which
1466          * are pending. there is no need to continue resolving a next name as it
1467          * will be done upon receiving another Remote Name Request Complete
1468          * Event */
1469         if (!e)
1470                 return;
1471
1472         list_del(&e->list);
1473         if (name) {
1474                 e->name_state = NAME_KNOWN;
1475                 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,
1476                                  e->data.rssi, name, name_len);
1477         } else {
1478                 e->name_state = NAME_NOT_KNOWN;
1479         }
1480
1481         if (hci_resolve_next_name(hdev))
1482                 return;
1483
1484 discov_complete:
1485         hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1486 }
1487
1488 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
1489 {
1490         struct hci_cp_remote_name_req *cp;
1491         struct hci_conn *conn;
1492
1493         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1494
1495         /* If successful wait for the name req complete event before
1496          * checking for the need to do authentication */
1497         if (!status)
1498                 return;
1499
1500         cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
1501         if (!cp)
1502                 return;
1503
1504         hci_dev_lock(hdev);
1505
1506         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1507
1508         if (test_bit(HCI_MGMT, &hdev->dev_flags))
1509                 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
1510
1511         if (!conn)
1512                 goto unlock;
1513
1514         if (!hci_outgoing_auth_needed(hdev, conn))
1515                 goto unlock;
1516
1517         if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
1518                 struct hci_cp_auth_requested auth_cp;
1519
1520                 auth_cp.handle = __cpu_to_le16(conn->handle);
1521                 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
1522                              sizeof(auth_cp), &auth_cp);
1523         }
1524
1525 unlock:
1526         hci_dev_unlock(hdev);
1527 }
1528
1529 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
1530 {
1531         struct hci_cp_read_remote_features *cp;
1532         struct hci_conn *conn;
1533
1534         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1535
1536         if (!status)
1537                 return;
1538
1539         cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
1540         if (!cp)
1541                 return;
1542
1543         hci_dev_lock(hdev);
1544
1545         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1546         if (conn) {
1547                 if (conn->state == BT_CONFIG) {
1548                         hci_proto_connect_cfm(conn, status);
1549                         hci_conn_drop(conn);
1550                 }
1551         }
1552
1553         hci_dev_unlock(hdev);
1554 }
1555
1556 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
1557 {
1558         struct hci_cp_read_remote_ext_features *cp;
1559         struct hci_conn *conn;
1560
1561         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1562
1563         if (!status)
1564                 return;
1565
1566         cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
1567         if (!cp)
1568                 return;
1569
1570         hci_dev_lock(hdev);
1571
1572         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1573         if (conn) {
1574                 if (conn->state == BT_CONFIG) {
1575                         hci_proto_connect_cfm(conn, status);
1576                         hci_conn_drop(conn);
1577                 }
1578         }
1579
1580         hci_dev_unlock(hdev);
1581 }
1582
1583 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
1584 {
1585         struct hci_cp_setup_sync_conn *cp;
1586         struct hci_conn *acl, *sco;
1587         __u16 handle;
1588
1589         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1590
1591         if (!status)
1592                 return;
1593
1594         cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
1595         if (!cp)
1596                 return;
1597
1598         handle = __le16_to_cpu(cp->handle);
1599
1600         BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1601
1602         hci_dev_lock(hdev);
1603
1604         acl = hci_conn_hash_lookup_handle(hdev, handle);
1605         if (acl) {
1606                 sco = acl->link;
1607                 if (sco) {
1608                         sco->state = BT_CLOSED;
1609
1610                         hci_proto_connect_cfm(sco, status);
1611                         hci_conn_del(sco);
1612                 }
1613         }
1614
1615         hci_dev_unlock(hdev);
1616 }
1617
1618 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
1619 {
1620         struct hci_cp_sniff_mode *cp;
1621         struct hci_conn *conn;
1622
1623         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1624
1625         if (!status)
1626                 return;
1627
1628         cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
1629         if (!cp)
1630                 return;
1631
1632         hci_dev_lock(hdev);
1633
1634         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1635         if (conn) {
1636                 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
1637
1638                 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
1639                         hci_sco_setup(conn, status);
1640         }
1641
1642         hci_dev_unlock(hdev);
1643 }
1644
1645 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
1646 {
1647         struct hci_cp_exit_sniff_mode *cp;
1648         struct hci_conn *conn;
1649
1650         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1651
1652         if (!status)
1653                 return;
1654
1655         cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
1656         if (!cp)
1657                 return;
1658
1659         hci_dev_lock(hdev);
1660
1661         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1662         if (conn) {
1663                 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
1664
1665                 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
1666                         hci_sco_setup(conn, status);
1667         }
1668
1669         hci_dev_unlock(hdev);
1670 }
1671
1672 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
1673 {
1674         struct hci_cp_disconnect *cp;
1675         struct hci_conn *conn;
1676
1677         if (!status)
1678                 return;
1679
1680         cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
1681         if (!cp)
1682                 return;
1683
1684         hci_dev_lock(hdev);
1685
1686         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1687         if (conn)
1688                 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
1689                                        conn->dst_type, status);
1690
1691         hci_dev_unlock(hdev);
1692 }
1693
1694 static void hci_cs_create_phylink(struct hci_dev *hdev, u8 status)
1695 {
1696         struct hci_cp_create_phy_link *cp;
1697
1698         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1699
1700         cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_PHY_LINK);
1701         if (!cp)
1702                 return;
1703
1704         hci_dev_lock(hdev);
1705
1706         if (status) {
1707                 struct hci_conn *hcon;
1708
1709                 hcon = hci_conn_hash_lookup_handle(hdev, cp->phy_handle);
1710                 if (hcon)
1711                         hci_conn_del(hcon);
1712         } else {
1713                 amp_write_remote_assoc(hdev, cp->phy_handle);
1714         }
1715
1716         hci_dev_unlock(hdev);
1717 }
1718
1719 static void hci_cs_accept_phylink(struct hci_dev *hdev, u8 status)
1720 {
1721         struct hci_cp_accept_phy_link *cp;
1722
1723         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1724
1725         if (status)
1726                 return;
1727
1728         cp = hci_sent_cmd_data(hdev, HCI_OP_ACCEPT_PHY_LINK);
1729         if (!cp)
1730                 return;
1731
1732         amp_write_remote_assoc(hdev, cp->phy_handle);
1733 }
1734
1735 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
1736 {
1737         struct hci_cp_le_create_conn *cp;
1738         struct hci_conn *conn;
1739
1740         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1741
1742         /* All connection failure handling is taken care of by the
1743          * hci_le_conn_failed function which is triggered by the HCI
1744          * request completion callbacks used for connecting.
1745          */
1746         if (status)
1747                 return;
1748
1749         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
1750         if (!cp)
1751                 return;
1752
1753         hci_dev_lock(hdev);
1754
1755         conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->peer_addr);
1756         if (!conn)
1757                 goto unlock;
1758
1759         /* Store the initiator and responder address information which
1760          * is needed for SMP. These values will not change during the
1761          * lifetime of the connection.
1762          */
1763         conn->init_addr_type = cp->own_address_type;
1764         if (cp->own_address_type == ADDR_LE_DEV_RANDOM)
1765                 bacpy(&conn->init_addr, &hdev->random_addr);
1766         else
1767                 bacpy(&conn->init_addr, &hdev->bdaddr);
1768
1769         conn->resp_addr_type = cp->peer_addr_type;
1770         bacpy(&conn->resp_addr, &cp->peer_addr);
1771
1772         /* We don't want the connection attempt to stick around
1773          * indefinitely since LE doesn't have a page timeout concept
1774          * like BR/EDR. Set a timer for any connection that doesn't use
1775          * the white list for connecting.
1776          */
1777         if (cp->filter_policy == HCI_LE_USE_PEER_ADDR)
1778                 queue_delayed_work(conn->hdev->workqueue,
1779                                    &conn->le_conn_timeout,
1780                                    HCI_LE_CONN_TIMEOUT);
1781
1782 unlock:
1783         hci_dev_unlock(hdev);
1784 }
1785
1786 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
1787 {
1788         struct hci_cp_le_start_enc *cp;
1789         struct hci_conn *conn;
1790
1791         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1792
1793         if (!status)
1794                 return;
1795
1796         hci_dev_lock(hdev);
1797
1798         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
1799         if (!cp)
1800                 goto unlock;
1801
1802         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1803         if (!conn)
1804                 goto unlock;
1805
1806         if (conn->state != BT_CONNECTED)
1807                 goto unlock;
1808
1809         hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
1810         hci_conn_drop(conn);
1811
1812 unlock:
1813         hci_dev_unlock(hdev);
1814 }
1815
1816 static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1817 {
1818         __u8 status = *((__u8 *) skb->data);
1819         struct discovery_state *discov = &hdev->discovery;
1820         struct inquiry_entry *e;
1821
1822         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1823
1824         hci_conn_check_pending(hdev);
1825
1826         if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
1827                 return;
1828
1829         smp_mb__after_clear_bit(); /* wake_up_bit advises about this barrier */
1830         wake_up_bit(&hdev->flags, HCI_INQUIRY);
1831
1832         if (!test_bit(HCI_MGMT, &hdev->dev_flags))
1833                 return;
1834
1835         hci_dev_lock(hdev);
1836
1837         if (discov->state != DISCOVERY_FINDING)
1838                 goto unlock;
1839
1840         if (list_empty(&discov->resolve)) {
1841                 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1842                 goto unlock;
1843         }
1844
1845         e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
1846         if (e && hci_resolve_name(hdev, e) == 0) {
1847                 e->name_state = NAME_PENDING;
1848                 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
1849         } else {
1850                 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1851         }
1852
1853 unlock:
1854         hci_dev_unlock(hdev);
1855 }
1856
1857 static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
1858 {
1859         struct inquiry_data data;
1860         struct inquiry_info *info = (void *) (skb->data + 1);
1861         int num_rsp = *((__u8 *) skb->data);
1862
1863         BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
1864
1865         if (!num_rsp)
1866                 return;
1867
1868         if (test_bit(HCI_PERIODIC_INQ, &hdev->dev_flags))
1869                 return;
1870
1871         hci_dev_lock(hdev);
1872
1873         for (; num_rsp; num_rsp--, info++) {
1874                 bool name_known, ssp;
1875
1876                 bacpy(&data.bdaddr, &info->bdaddr);
1877                 data.pscan_rep_mode     = info->pscan_rep_mode;
1878                 data.pscan_period_mode  = info->pscan_period_mode;
1879                 data.pscan_mode         = info->pscan_mode;
1880                 memcpy(data.dev_class, info->dev_class, 3);
1881                 data.clock_offset       = info->clock_offset;
1882                 data.rssi               = 0x00;
1883                 data.ssp_mode           = 0x00;
1884
1885                 name_known = hci_inquiry_cache_update(hdev, &data, false, &ssp);
1886                 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
1887                                   info->dev_class, 0, !name_known, ssp, NULL,
1888                                   0, NULL, 0);
1889         }
1890
1891         hci_dev_unlock(hdev);
1892 }
1893
1894 static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1895 {
1896         struct hci_ev_conn_complete *ev = (void *) skb->data;
1897         struct hci_conn *conn;
1898
1899         BT_DBG("%s", hdev->name);
1900
1901         hci_dev_lock(hdev);
1902
1903         conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
1904         if (!conn) {
1905                 if (ev->link_type != SCO_LINK)
1906                         goto unlock;
1907
1908                 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
1909                 if (!conn)
1910                         goto unlock;
1911
1912                 conn->type = SCO_LINK;
1913         }
1914
1915         if (!ev->status) {
1916                 conn->handle = __le16_to_cpu(ev->handle);
1917
1918                 if (conn->type == ACL_LINK) {
1919                         conn->state = BT_CONFIG;
1920                         hci_conn_hold(conn);
1921
1922                         if (!conn->out && !hci_conn_ssp_enabled(conn) &&
1923                             !hci_find_link_key(hdev, &ev->bdaddr))
1924                                 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
1925                         else
1926                                 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
1927                 } else
1928                         conn->state = BT_CONNECTED;
1929
1930                 hci_conn_add_sysfs(conn);
1931
1932                 if (test_bit(HCI_AUTH, &hdev->flags))
1933                         conn->link_mode |= HCI_LM_AUTH;
1934
1935                 if (test_bit(HCI_ENCRYPT, &hdev->flags))
1936                         conn->link_mode |= HCI_LM_ENCRYPT;
1937
1938                 /* Get remote features */
1939                 if (conn->type == ACL_LINK) {
1940                         struct hci_cp_read_remote_features cp;
1941                         cp.handle = ev->handle;
1942                         hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
1943                                      sizeof(cp), &cp);
1944                 }
1945
1946                 /* Set packet type for incoming connection */
1947                 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
1948                         struct hci_cp_change_conn_ptype cp;
1949                         cp.handle = ev->handle;
1950                         cp.pkt_type = cpu_to_le16(conn->pkt_type);
1951                         hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
1952                                      &cp);
1953                 }
1954         } else {
1955                 conn->state = BT_CLOSED;
1956                 if (conn->type == ACL_LINK)
1957                         mgmt_connect_failed(hdev, &conn->dst, conn->type,
1958                                             conn->dst_type, ev->status);
1959         }
1960
1961         if (conn->type == ACL_LINK)
1962                 hci_sco_setup(conn, ev->status);
1963
1964         if (ev->status) {
1965                 hci_proto_connect_cfm(conn, ev->status);
1966                 hci_conn_del(conn);
1967         } else if (ev->link_type != ACL_LINK)
1968                 hci_proto_connect_cfm(conn, ev->status);
1969
1970 unlock:
1971         hci_dev_unlock(hdev);
1972
1973         hci_conn_check_pending(hdev);
1974 }
1975
1976 static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
1977 {
1978         struct hci_ev_conn_request *ev = (void *) skb->data;
1979         int mask = hdev->link_mode;
1980         __u8 flags = 0;
1981
1982         BT_DBG("%s bdaddr %pMR type 0x%x", hdev->name, &ev->bdaddr,
1983                ev->link_type);
1984
1985         mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
1986                                       &flags);
1987
1988         if ((mask & HCI_LM_ACCEPT) &&
1989             !hci_blacklist_lookup(hdev, &ev->bdaddr, BDADDR_BREDR)) {
1990                 /* Connection accepted */
1991                 struct inquiry_entry *ie;
1992                 struct hci_conn *conn;
1993
1994                 hci_dev_lock(hdev);
1995
1996                 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
1997                 if (ie)
1998                         memcpy(ie->data.dev_class, ev->dev_class, 3);
1999
2000                 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
2001                                                &ev->bdaddr);
2002                 if (!conn) {
2003                         conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr);
2004                         if (!conn) {
2005                                 BT_ERR("No memory for new connection");
2006                                 hci_dev_unlock(hdev);
2007                                 return;
2008                         }
2009                 }
2010
2011                 memcpy(conn->dev_class, ev->dev_class, 3);
2012
2013                 hci_dev_unlock(hdev);
2014
2015                 if (ev->link_type == ACL_LINK ||
2016                     (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
2017                         struct hci_cp_accept_conn_req cp;
2018                         conn->state = BT_CONNECT;
2019
2020                         bacpy(&cp.bdaddr, &ev->bdaddr);
2021
2022                         if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
2023                                 cp.role = 0x00; /* Become master */
2024                         else
2025                                 cp.role = 0x01; /* Remain slave */
2026
2027                         hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp),
2028                                      &cp);
2029                 } else if (!(flags & HCI_PROTO_DEFER)) {
2030                         struct hci_cp_accept_sync_conn_req cp;
2031                         conn->state = BT_CONNECT;
2032
2033                         bacpy(&cp.bdaddr, &ev->bdaddr);
2034                         cp.pkt_type = cpu_to_le16(conn->pkt_type);
2035
2036                         cp.tx_bandwidth   = cpu_to_le32(0x00001f40);
2037                         cp.rx_bandwidth   = cpu_to_le32(0x00001f40);
2038                         cp.max_latency    = cpu_to_le16(0xffff);
2039                         cp.content_format = cpu_to_le16(hdev->voice_setting);
2040                         cp.retrans_effort = 0xff;
2041
2042                         hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ,
2043                                      sizeof(cp), &cp);
2044                 } else {
2045                         conn->state = BT_CONNECT2;
2046                         hci_proto_connect_cfm(conn, 0);
2047                 }
2048         } else {
2049                 /* Connection rejected */
2050                 struct hci_cp_reject_conn_req cp;
2051
2052                 bacpy(&cp.bdaddr, &ev->bdaddr);
2053                 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
2054                 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
2055         }
2056 }
2057
2058 static u8 hci_to_mgmt_reason(u8 err)
2059 {
2060         switch (err) {
2061         case HCI_ERROR_CONNECTION_TIMEOUT:
2062                 return MGMT_DEV_DISCONN_TIMEOUT;
2063         case HCI_ERROR_REMOTE_USER_TERM:
2064         case HCI_ERROR_REMOTE_LOW_RESOURCES:
2065         case HCI_ERROR_REMOTE_POWER_OFF:
2066                 return MGMT_DEV_DISCONN_REMOTE;
2067         case HCI_ERROR_LOCAL_HOST_TERM:
2068                 return MGMT_DEV_DISCONN_LOCAL_HOST;
2069         default:
2070                 return MGMT_DEV_DISCONN_UNKNOWN;
2071         }
2072 }
2073
2074 static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2075 {
2076         struct hci_ev_disconn_complete *ev = (void *) skb->data;
2077         u8 reason = hci_to_mgmt_reason(ev->reason);
2078         struct hci_conn_params *params;
2079         struct hci_conn *conn;
2080         bool mgmt_connected;
2081         u8 type;
2082
2083         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2084
2085         hci_dev_lock(hdev);
2086
2087         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2088         if (!conn)
2089                 goto unlock;
2090
2091         if (ev->status) {
2092                 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2093                                        conn->dst_type, ev->status);
2094                 goto unlock;
2095         }
2096
2097         conn->state = BT_CLOSED;
2098
2099         mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2100         mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2101                                 reason, mgmt_connected);
2102
2103         if (conn->type == ACL_LINK && conn->flush_key)
2104                 hci_remove_link_key(hdev, &conn->dst);
2105
2106         params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2107         if (params) {
2108                 switch (params->auto_connect) {
2109                 case HCI_AUTO_CONN_LINK_LOSS:
2110                         if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2111                                 break;
2112                         /* Fall through */
2113
2114                 case HCI_AUTO_CONN_ALWAYS:
2115                         hci_pend_le_conn_add(hdev, &conn->dst, conn->dst_type);
2116                         break;
2117
2118                 default:
2119                         break;
2120                 }
2121         }
2122
2123         type = conn->type;
2124
2125         hci_proto_disconn_cfm(conn, ev->reason);
2126         hci_conn_del(conn);
2127
2128         /* Re-enable advertising if necessary, since it might
2129          * have been disabled by the connection. From the
2130          * HCI_LE_Set_Advertise_Enable command description in
2131          * the core specification (v4.0):
2132          * "The Controller shall continue advertising until the Host
2133          * issues an LE_Set_Advertise_Enable command with
2134          * Advertising_Enable set to 0x00 (Advertising is disabled)
2135          * or until a connection is created or until the Advertising
2136          * is timed out due to Directed Advertising."
2137          */
2138         if (type == LE_LINK)
2139                 mgmt_reenable_advertising(hdev);
2140
2141 unlock:
2142         hci_dev_unlock(hdev);
2143 }
2144
2145 static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2146 {
2147         struct hci_ev_auth_complete *ev = (void *) skb->data;
2148         struct hci_conn *conn;
2149
2150         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2151
2152         hci_dev_lock(hdev);
2153
2154         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2155         if (!conn)
2156                 goto unlock;
2157
2158         if (!ev->status) {
2159                 if (!hci_conn_ssp_enabled(conn) &&
2160                     test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) {
2161                         BT_INFO("re-auth of legacy device is not possible.");
2162                 } else {
2163                         conn->link_mode |= HCI_LM_AUTH;
2164                         conn->sec_level = conn->pending_sec_level;
2165                 }
2166         } else {
2167                 mgmt_auth_failed(hdev, &conn->dst, conn->type, conn->dst_type,
2168                                  ev->status);
2169         }
2170
2171         clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2172         clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
2173
2174         if (conn->state == BT_CONFIG) {
2175                 if (!ev->status && hci_conn_ssp_enabled(conn)) {
2176                         struct hci_cp_set_conn_encrypt cp;
2177                         cp.handle  = ev->handle;
2178                         cp.encrypt = 0x01;
2179                         hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2180                                      &cp);
2181                 } else {
2182                         conn->state = BT_CONNECTED;
2183                         hci_proto_connect_cfm(conn, ev->status);
2184                         hci_conn_drop(conn);
2185                 }
2186         } else {
2187                 hci_auth_cfm(conn, ev->status);
2188
2189                 hci_conn_hold(conn);
2190                 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2191                 hci_conn_drop(conn);
2192         }
2193
2194         if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2195                 if (!ev->status) {
2196                         struct hci_cp_set_conn_encrypt cp;
2197                         cp.handle  = ev->handle;
2198                         cp.encrypt = 0x01;
2199                         hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2200                                      &cp);
2201                 } else {
2202                         clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2203                         hci_encrypt_cfm(conn, ev->status, 0x00);
2204                 }
2205         }
2206
2207 unlock:
2208         hci_dev_unlock(hdev);
2209 }
2210
2211 static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb)
2212 {
2213         struct hci_ev_remote_name *ev = (void *) skb->data;
2214         struct hci_conn *conn;
2215
2216         BT_DBG("%s", hdev->name);
2217
2218         hci_conn_check_pending(hdev);
2219
2220         hci_dev_lock(hdev);
2221
2222         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2223
2224         if (!test_bit(HCI_MGMT, &hdev->dev_flags))
2225                 goto check_auth;
2226
2227         if (ev->status == 0)
2228                 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
2229                                        strnlen(ev->name, HCI_MAX_NAME_LENGTH));
2230         else
2231                 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
2232
2233 check_auth:
2234         if (!conn)
2235                 goto unlock;
2236
2237         if (!hci_outgoing_auth_needed(hdev, conn))
2238                 goto unlock;
2239
2240         if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2241                 struct hci_cp_auth_requested cp;
2242                 cp.handle = __cpu_to_le16(conn->handle);
2243                 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
2244         }
2245
2246 unlock:
2247         hci_dev_unlock(hdev);
2248 }
2249
2250 static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2251 {
2252         struct hci_ev_encrypt_change *ev = (void *) skb->data;
2253         struct hci_conn *conn;
2254
2255         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2256
2257         hci_dev_lock(hdev);
2258
2259         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2260         if (!conn)
2261                 goto unlock;
2262
2263         if (!ev->status) {
2264                 if (ev->encrypt) {
2265                         /* Encryption implies authentication */
2266                         conn->link_mode |= HCI_LM_AUTH;
2267                         conn->link_mode |= HCI_LM_ENCRYPT;
2268                         conn->sec_level = conn->pending_sec_level;
2269
2270                         /* P-256 authentication key implies FIPS */
2271                         if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
2272                                 conn->link_mode |= HCI_LM_FIPS;
2273
2274                         if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
2275                             conn->type == LE_LINK)
2276                                 set_bit(HCI_CONN_AES_CCM, &conn->flags);
2277                 } else {
2278                         conn->link_mode &= ~HCI_LM_ENCRYPT;
2279                         clear_bit(HCI_CONN_AES_CCM, &conn->flags);
2280                 }
2281         }
2282
2283         clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2284
2285         if (ev->status && conn->state == BT_CONNECTED) {
2286                 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2287                 hci_conn_drop(conn);
2288                 goto unlock;
2289         }
2290
2291         if (conn->state == BT_CONFIG) {
2292                 if (!ev->status)
2293                         conn->state = BT_CONNECTED;
2294
2295                 /* In Secure Connections Only mode, do not allow any
2296                  * connections that are not encrypted with AES-CCM
2297                  * using a P-256 authenticated combination key.
2298                  */
2299                 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) &&
2300                     (!test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
2301                      conn->key_type != HCI_LK_AUTH_COMBINATION_P256)) {
2302                         hci_proto_connect_cfm(conn, HCI_ERROR_AUTH_FAILURE);
2303                         hci_conn_drop(conn);
2304                         goto unlock;
2305                 }
2306
2307                 hci_proto_connect_cfm(conn, ev->status);
2308                 hci_conn_drop(conn);
2309         } else
2310                 hci_encrypt_cfm(conn, ev->status, ev->encrypt);
2311
2312 unlock:
2313         hci_dev_unlock(hdev);
2314 }
2315
2316 static void hci_change_link_key_complete_evt(struct hci_dev *hdev,
2317                                              struct sk_buff *skb)
2318 {
2319         struct hci_ev_change_link_key_complete *ev = (void *) skb->data;
2320         struct hci_conn *conn;
2321
2322         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2323
2324         hci_dev_lock(hdev);
2325
2326         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2327         if (conn) {
2328                 if (!ev->status)
2329                         conn->link_mode |= HCI_LM_SECURE;
2330
2331                 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2332
2333                 hci_key_change_cfm(conn, ev->status);
2334         }
2335
2336         hci_dev_unlock(hdev);
2337 }
2338
2339 static void hci_remote_features_evt(struct hci_dev *hdev,
2340                                     struct sk_buff *skb)
2341 {
2342         struct hci_ev_remote_features *ev = (void *) skb->data;
2343         struct hci_conn *conn;
2344
2345         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2346
2347         hci_dev_lock(hdev);
2348
2349         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2350         if (!conn)
2351                 goto unlock;
2352
2353         if (!ev->status)
2354                 memcpy(conn->features[0], ev->features, 8);
2355
2356         if (conn->state != BT_CONFIG)
2357                 goto unlock;
2358
2359         if (!ev->status && lmp_ssp_capable(hdev) && lmp_ssp_capable(conn)) {
2360                 struct hci_cp_read_remote_ext_features cp;
2361                 cp.handle = ev->handle;
2362                 cp.page = 0x01;
2363                 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
2364                              sizeof(cp), &cp);
2365                 goto unlock;
2366         }
2367
2368         if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
2369                 struct hci_cp_remote_name_req cp;
2370                 memset(&cp, 0, sizeof(cp));
2371                 bacpy(&cp.bdaddr, &conn->dst);
2372                 cp.pscan_rep_mode = 0x02;
2373                 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2374         } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2375                 mgmt_device_connected(hdev, &conn->dst, conn->type,
2376                                       conn->dst_type, 0, NULL, 0,
2377                                       conn->dev_class);
2378
2379         if (!hci_outgoing_auth_needed(hdev, conn)) {
2380                 conn->state = BT_CONNECTED;
2381                 hci_proto_connect_cfm(conn, ev->status);
2382                 hci_conn_drop(conn);
2383         }
2384
2385 unlock:
2386         hci_dev_unlock(hdev);
2387 }
2388
2389 static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2390 {
2391         struct hci_ev_cmd_complete *ev = (void *) skb->data;
2392         u8 status = skb->data[sizeof(*ev)];
2393         __u16 opcode;
2394
2395         skb_pull(skb, sizeof(*ev));
2396
2397         opcode = __le16_to_cpu(ev->opcode);
2398
2399         switch (opcode) {
2400         case HCI_OP_INQUIRY_CANCEL:
2401                 hci_cc_inquiry_cancel(hdev, skb);
2402                 break;
2403
2404         case HCI_OP_PERIODIC_INQ:
2405                 hci_cc_periodic_inq(hdev, skb);
2406                 break;
2407
2408         case HCI_OP_EXIT_PERIODIC_INQ:
2409                 hci_cc_exit_periodic_inq(hdev, skb);
2410                 break;
2411
2412         case HCI_OP_REMOTE_NAME_REQ_CANCEL:
2413                 hci_cc_remote_name_req_cancel(hdev, skb);
2414                 break;
2415
2416         case HCI_OP_ROLE_DISCOVERY:
2417                 hci_cc_role_discovery(hdev, skb);
2418                 break;
2419
2420         case HCI_OP_READ_LINK_POLICY:
2421                 hci_cc_read_link_policy(hdev, skb);
2422                 break;
2423
2424         case HCI_OP_WRITE_LINK_POLICY:
2425                 hci_cc_write_link_policy(hdev, skb);
2426                 break;
2427
2428         case HCI_OP_READ_DEF_LINK_POLICY:
2429                 hci_cc_read_def_link_policy(hdev, skb);
2430                 break;
2431
2432         case HCI_OP_WRITE_DEF_LINK_POLICY:
2433                 hci_cc_write_def_link_policy(hdev, skb);
2434                 break;
2435
2436         case HCI_OP_RESET:
2437                 hci_cc_reset(hdev, skb);
2438                 break;
2439
2440         case HCI_OP_WRITE_LOCAL_NAME:
2441                 hci_cc_write_local_name(hdev, skb);
2442                 break;
2443
2444         case HCI_OP_READ_LOCAL_NAME:
2445                 hci_cc_read_local_name(hdev, skb);
2446                 break;
2447
2448         case HCI_OP_WRITE_AUTH_ENABLE:
2449                 hci_cc_write_auth_enable(hdev, skb);
2450                 break;
2451
2452         case HCI_OP_WRITE_ENCRYPT_MODE:
2453                 hci_cc_write_encrypt_mode(hdev, skb);
2454                 break;
2455
2456         case HCI_OP_WRITE_SCAN_ENABLE:
2457                 hci_cc_write_scan_enable(hdev, skb);
2458                 break;
2459
2460         case HCI_OP_READ_CLASS_OF_DEV:
2461                 hci_cc_read_class_of_dev(hdev, skb);
2462                 break;
2463
2464         case HCI_OP_WRITE_CLASS_OF_DEV:
2465                 hci_cc_write_class_of_dev(hdev, skb);
2466                 break;
2467
2468         case HCI_OP_READ_VOICE_SETTING:
2469                 hci_cc_read_voice_setting(hdev, skb);
2470                 break;
2471
2472         case HCI_OP_WRITE_VOICE_SETTING:
2473                 hci_cc_write_voice_setting(hdev, skb);
2474                 break;
2475
2476         case HCI_OP_READ_NUM_SUPPORTED_IAC:
2477                 hci_cc_read_num_supported_iac(hdev, skb);
2478                 break;
2479
2480         case HCI_OP_WRITE_SSP_MODE:
2481                 hci_cc_write_ssp_mode(hdev, skb);
2482                 break;
2483
2484         case HCI_OP_WRITE_SC_SUPPORT:
2485                 hci_cc_write_sc_support(hdev, skb);
2486                 break;
2487
2488         case HCI_OP_READ_LOCAL_VERSION:
2489                 hci_cc_read_local_version(hdev, skb);
2490                 break;
2491
2492         case HCI_OP_READ_LOCAL_COMMANDS:
2493                 hci_cc_read_local_commands(hdev, skb);
2494                 break;
2495
2496         case HCI_OP_READ_LOCAL_FEATURES:
2497                 hci_cc_read_local_features(hdev, skb);
2498                 break;
2499
2500         case HCI_OP_READ_LOCAL_EXT_FEATURES:
2501                 hci_cc_read_local_ext_features(hdev, skb);
2502                 break;
2503
2504         case HCI_OP_READ_BUFFER_SIZE:
2505                 hci_cc_read_buffer_size(hdev, skb);
2506                 break;
2507
2508         case HCI_OP_READ_BD_ADDR:
2509                 hci_cc_read_bd_addr(hdev, skb);
2510                 break;
2511
2512         case HCI_OP_READ_PAGE_SCAN_ACTIVITY:
2513                 hci_cc_read_page_scan_activity(hdev, skb);
2514                 break;
2515
2516         case HCI_OP_WRITE_PAGE_SCAN_ACTIVITY:
2517                 hci_cc_write_page_scan_activity(hdev, skb);
2518                 break;
2519
2520         case HCI_OP_READ_PAGE_SCAN_TYPE:
2521                 hci_cc_read_page_scan_type(hdev, skb);
2522                 break;
2523
2524         case HCI_OP_WRITE_PAGE_SCAN_TYPE:
2525                 hci_cc_write_page_scan_type(hdev, skb);
2526                 break;
2527
2528         case HCI_OP_READ_DATA_BLOCK_SIZE:
2529                 hci_cc_read_data_block_size(hdev, skb);
2530                 break;
2531
2532         case HCI_OP_READ_FLOW_CONTROL_MODE:
2533                 hci_cc_read_flow_control_mode(hdev, skb);
2534                 break;
2535
2536         case HCI_OP_READ_LOCAL_AMP_INFO:
2537                 hci_cc_read_local_amp_info(hdev, skb);
2538                 break;
2539
2540         case HCI_OP_READ_LOCAL_AMP_ASSOC:
2541                 hci_cc_read_local_amp_assoc(hdev, skb);
2542                 break;
2543
2544         case HCI_OP_READ_INQ_RSP_TX_POWER:
2545                 hci_cc_read_inq_rsp_tx_power(hdev, skb);
2546                 break;
2547
2548         case HCI_OP_PIN_CODE_REPLY:
2549                 hci_cc_pin_code_reply(hdev, skb);
2550                 break;
2551
2552         case HCI_OP_PIN_CODE_NEG_REPLY:
2553                 hci_cc_pin_code_neg_reply(hdev, skb);
2554                 break;
2555
2556         case HCI_OP_READ_LOCAL_OOB_DATA:
2557                 hci_cc_read_local_oob_data(hdev, skb);
2558                 break;
2559
2560         case HCI_OP_READ_LOCAL_OOB_EXT_DATA:
2561                 hci_cc_read_local_oob_ext_data(hdev, skb);
2562                 break;
2563
2564         case HCI_OP_LE_READ_BUFFER_SIZE:
2565                 hci_cc_le_read_buffer_size(hdev, skb);
2566                 break;
2567
2568         case HCI_OP_LE_READ_LOCAL_FEATURES:
2569                 hci_cc_le_read_local_features(hdev, skb);
2570                 break;
2571
2572         case HCI_OP_LE_READ_ADV_TX_POWER:
2573                 hci_cc_le_read_adv_tx_power(hdev, skb);
2574                 break;
2575
2576         case HCI_OP_USER_CONFIRM_REPLY:
2577                 hci_cc_user_confirm_reply(hdev, skb);
2578                 break;
2579
2580         case HCI_OP_USER_CONFIRM_NEG_REPLY:
2581                 hci_cc_user_confirm_neg_reply(hdev, skb);
2582                 break;
2583
2584         case HCI_OP_USER_PASSKEY_REPLY:
2585                 hci_cc_user_passkey_reply(hdev, skb);
2586                 break;
2587
2588         case HCI_OP_USER_PASSKEY_NEG_REPLY:
2589                 hci_cc_user_passkey_neg_reply(hdev, skb);
2590                 break;
2591
2592         case HCI_OP_LE_SET_RANDOM_ADDR:
2593                 hci_cc_le_set_random_addr(hdev, skb);
2594                 break;
2595
2596         case HCI_OP_LE_SET_ADV_ENABLE:
2597                 hci_cc_le_set_adv_enable(hdev, skb);
2598                 break;
2599
2600         case HCI_OP_LE_SET_SCAN_PARAM:
2601                 hci_cc_le_set_scan_param(hdev, skb);
2602                 break;
2603
2604         case HCI_OP_LE_SET_SCAN_ENABLE:
2605                 hci_cc_le_set_scan_enable(hdev, skb);
2606                 break;
2607
2608         case HCI_OP_LE_READ_WHITE_LIST_SIZE:
2609                 hci_cc_le_read_white_list_size(hdev, skb);
2610                 break;
2611
2612         case HCI_OP_LE_CLEAR_WHITE_LIST:
2613                 hci_cc_le_clear_white_list(hdev, skb);
2614                 break;
2615
2616         case HCI_OP_LE_ADD_TO_WHITE_LIST:
2617                 hci_cc_le_add_to_white_list(hdev, skb);
2618                 break;
2619
2620         case HCI_OP_LE_DEL_FROM_WHITE_LIST:
2621                 hci_cc_le_del_from_white_list(hdev, skb);
2622                 break;
2623
2624         case HCI_OP_LE_READ_SUPPORTED_STATES:
2625                 hci_cc_le_read_supported_states(hdev, skb);
2626                 break;
2627
2628         case HCI_OP_WRITE_LE_HOST_SUPPORTED:
2629                 hci_cc_write_le_host_supported(hdev, skb);
2630                 break;
2631
2632         case HCI_OP_LE_SET_ADV_PARAM:
2633                 hci_cc_set_adv_param(hdev, skb);
2634                 break;
2635
2636         case HCI_OP_WRITE_REMOTE_AMP_ASSOC:
2637                 hci_cc_write_remote_amp_assoc(hdev, skb);
2638                 break;
2639
2640         default:
2641                 BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode);
2642                 break;
2643         }
2644
2645         if (opcode != HCI_OP_NOP)
2646                 del_timer(&hdev->cmd_timer);
2647
2648         hci_req_cmd_complete(hdev, opcode, status);
2649
2650         if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) {
2651                 atomic_set(&hdev->cmd_cnt, 1);
2652                 if (!skb_queue_empty(&hdev->cmd_q))
2653                         queue_work(hdev->workqueue, &hdev->cmd_work);
2654         }
2655 }
2656
2657 static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb)
2658 {
2659         struct hci_ev_cmd_status *ev = (void *) skb->data;
2660         __u16 opcode;
2661
2662         skb_pull(skb, sizeof(*ev));
2663
2664         opcode = __le16_to_cpu(ev->opcode);
2665
2666         switch (opcode) {
2667         case HCI_OP_INQUIRY:
2668                 hci_cs_inquiry(hdev, ev->status);
2669                 break;
2670
2671         case HCI_OP_CREATE_CONN:
2672                 hci_cs_create_conn(hdev, ev->status);
2673                 break;
2674
2675         case HCI_OP_ADD_SCO:
2676                 hci_cs_add_sco(hdev, ev->status);
2677                 break;
2678
2679         case HCI_OP_AUTH_REQUESTED:
2680                 hci_cs_auth_requested(hdev, ev->status);
2681                 break;
2682
2683         case HCI_OP_SET_CONN_ENCRYPT:
2684                 hci_cs_set_conn_encrypt(hdev, ev->status);
2685                 break;
2686
2687         case HCI_OP_REMOTE_NAME_REQ:
2688                 hci_cs_remote_name_req(hdev, ev->status);
2689                 break;
2690
2691         case HCI_OP_READ_REMOTE_FEATURES:
2692                 hci_cs_read_remote_features(hdev, ev->status);
2693                 break;
2694
2695         case HCI_OP_READ_REMOTE_EXT_FEATURES:
2696                 hci_cs_read_remote_ext_features(hdev, ev->status);
2697                 break;
2698
2699         case HCI_OP_SETUP_SYNC_CONN:
2700                 hci_cs_setup_sync_conn(hdev, ev->status);
2701                 break;
2702
2703         case HCI_OP_SNIFF_MODE:
2704                 hci_cs_sniff_mode(hdev, ev->status);
2705                 break;
2706
2707         case HCI_OP_EXIT_SNIFF_MODE:
2708                 hci_cs_exit_sniff_mode(hdev, ev->status);
2709                 break;
2710
2711         case HCI_OP_DISCONNECT:
2712                 hci_cs_disconnect(hdev, ev->status);
2713                 break;
2714
2715         case HCI_OP_CREATE_PHY_LINK:
2716                 hci_cs_create_phylink(hdev, ev->status);
2717                 break;
2718
2719         case HCI_OP_ACCEPT_PHY_LINK:
2720                 hci_cs_accept_phylink(hdev, ev->status);
2721                 break;
2722
2723         case HCI_OP_LE_CREATE_CONN:
2724                 hci_cs_le_create_conn(hdev, ev->status);
2725                 break;
2726
2727         case HCI_OP_LE_START_ENC:
2728                 hci_cs_le_start_enc(hdev, ev->status);
2729                 break;
2730
2731         default:
2732                 BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode);
2733                 break;
2734         }
2735
2736         if (opcode != HCI_OP_NOP)
2737                 del_timer(&hdev->cmd_timer);
2738
2739         if (ev->status ||
2740             (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->req.event))
2741                 hci_req_cmd_complete(hdev, opcode, ev->status);
2742
2743         if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) {
2744                 atomic_set(&hdev->cmd_cnt, 1);
2745                 if (!skb_queue_empty(&hdev->cmd_q))
2746                         queue_work(hdev->workqueue, &hdev->cmd_work);
2747         }
2748 }
2749
2750 static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2751 {
2752         struct hci_ev_role_change *ev = (void *) skb->data;
2753         struct hci_conn *conn;
2754
2755         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2756
2757         hci_dev_lock(hdev);
2758
2759         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2760         if (conn) {
2761                 if (!ev->status) {
2762                         if (ev->role)
2763                                 conn->link_mode &= ~HCI_LM_MASTER;
2764                         else
2765                                 conn->link_mode |= HCI_LM_MASTER;
2766                 }
2767
2768                 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
2769
2770                 hci_role_switch_cfm(conn, ev->status, ev->role);
2771         }
2772
2773         hci_dev_unlock(hdev);
2774 }
2775
2776 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb)
2777 {
2778         struct hci_ev_num_comp_pkts *ev = (void *) skb->data;
2779         int i;
2780
2781         if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
2782                 BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode);
2783                 return;
2784         }
2785
2786         if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
2787             ev->num_hndl * sizeof(struct hci_comp_pkts_info)) {
2788                 BT_DBG("%s bad parameters", hdev->name);
2789                 return;
2790         }
2791
2792         BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl);
2793
2794         for (i = 0; i < ev->num_hndl; i++) {
2795                 struct hci_comp_pkts_info *info = &ev->handles[i];
2796                 struct hci_conn *conn;
2797                 __u16  handle, count;
2798
2799                 handle = __le16_to_cpu(info->handle);
2800                 count  = __le16_to_cpu(info->count);
2801
2802                 conn = hci_conn_hash_lookup_handle(hdev, handle);
2803                 if (!conn)
2804                         continue;
2805
2806                 conn->sent -= count;
2807
2808                 switch (conn->type) {
2809                 case ACL_LINK:
2810                         hdev->acl_cnt += count;
2811                         if (hdev->acl_cnt > hdev->acl_pkts)
2812                                 hdev->acl_cnt = hdev->acl_pkts;
2813                         break;
2814
2815                 case LE_LINK:
2816                         if (hdev->le_pkts) {
2817                                 hdev->le_cnt += count;
2818                                 if (hdev->le_cnt > hdev->le_pkts)
2819                                         hdev->le_cnt = hdev->le_pkts;
2820                         } else {
2821                                 hdev->acl_cnt += count;
2822                                 if (hdev->acl_cnt > hdev->acl_pkts)
2823                                         hdev->acl_cnt = hdev->acl_pkts;
2824                         }
2825                         break;
2826
2827                 case SCO_LINK:
2828                         hdev->sco_cnt += count;
2829                         if (hdev->sco_cnt > hdev->sco_pkts)
2830                                 hdev->sco_cnt = hdev->sco_pkts;
2831                         break;
2832
2833                 default:
2834                         BT_ERR("Unknown type %d conn %p", conn->type, conn);
2835                         break;
2836                 }
2837         }
2838
2839         queue_work(hdev->workqueue, &hdev->tx_work);
2840 }
2841
2842 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
2843                                                  __u16 handle)
2844 {
2845         struct hci_chan *chan;
2846
2847         switch (hdev->dev_type) {
2848         case HCI_BREDR:
2849                 return hci_conn_hash_lookup_handle(hdev, handle);
2850         case HCI_AMP:
2851                 chan = hci_chan_lookup_handle(hdev, handle);
2852                 if (chan)
2853                         return chan->conn;
2854                 break;
2855         default:
2856                 BT_ERR("%s unknown dev_type %d", hdev->name, hdev->dev_type);
2857                 break;
2858         }
2859
2860         return NULL;
2861 }
2862
2863 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb)
2864 {
2865         struct hci_ev_num_comp_blocks *ev = (void *) skb->data;
2866         int i;
2867
2868         if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
2869                 BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode);
2870                 return;
2871         }
2872
2873         if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
2874             ev->num_hndl * sizeof(struct hci_comp_blocks_info)) {
2875                 BT_DBG("%s bad parameters", hdev->name);
2876                 return;
2877         }
2878
2879         BT_DBG("%s num_blocks %d num_hndl %d", hdev->name, ev->num_blocks,
2880                ev->num_hndl);
2881
2882         for (i = 0; i < ev->num_hndl; i++) {
2883                 struct hci_comp_blocks_info *info = &ev->handles[i];
2884                 struct hci_conn *conn = NULL;
2885                 __u16  handle, block_count;
2886
2887                 handle = __le16_to_cpu(info->handle);
2888                 block_count = __le16_to_cpu(info->blocks);
2889
2890                 conn = __hci_conn_lookup_handle(hdev, handle);
2891                 if (!conn)
2892                         continue;
2893
2894                 conn->sent -= block_count;
2895
2896                 switch (conn->type) {
2897                 case ACL_LINK:
2898                 case AMP_LINK:
2899                         hdev->block_cnt += block_count;
2900                         if (hdev->block_cnt > hdev->num_blocks)
2901                                 hdev->block_cnt = hdev->num_blocks;
2902                         break;
2903
2904                 default:
2905                         BT_ERR("Unknown type %d conn %p", conn->type, conn);
2906                         break;
2907                 }
2908         }
2909
2910         queue_work(hdev->workqueue, &hdev->tx_work);
2911 }
2912
2913 static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2914 {
2915         struct hci_ev_mode_change *ev = (void *) skb->data;
2916         struct hci_conn *conn;
2917
2918         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2919
2920         hci_dev_lock(hdev);
2921
2922         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2923         if (conn) {
2924                 conn->mode = ev->mode;
2925
2926                 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
2927                                         &conn->flags)) {
2928                         if (conn->mode == HCI_CM_ACTIVE)
2929                                 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
2930                         else
2931                                 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
2932                 }
2933
2934                 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2935                         hci_sco_setup(conn, ev->status);
2936         }
2937
2938         hci_dev_unlock(hdev);
2939 }
2940
2941 static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2942 {
2943         struct hci_ev_pin_code_req *ev = (void *) skb->data;
2944         struct hci_conn *conn;
2945
2946         BT_DBG("%s", hdev->name);
2947
2948         hci_dev_lock(hdev);
2949
2950         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2951         if (!conn)
2952                 goto unlock;
2953
2954         if (conn->state == BT_CONNECTED) {
2955                 hci_conn_hold(conn);
2956                 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
2957                 hci_conn_drop(conn);
2958         }
2959
2960         if (!test_bit(HCI_PAIRABLE, &hdev->dev_flags))
2961                 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
2962                              sizeof(ev->bdaddr), &ev->bdaddr);
2963         else if (test_bit(HCI_MGMT, &hdev->dev_flags)) {
2964                 u8 secure;
2965
2966                 if (conn->pending_sec_level == BT_SECURITY_HIGH)
2967                         secure = 1;
2968                 else
2969                         secure = 0;
2970
2971                 mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
2972         }
2973
2974 unlock:
2975         hci_dev_unlock(hdev);
2976 }
2977
2978 static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2979 {
2980         struct hci_ev_link_key_req *ev = (void *) skb->data;
2981         struct hci_cp_link_key_reply cp;
2982         struct hci_conn *conn;
2983         struct link_key *key;
2984
2985         BT_DBG("%s", hdev->name);
2986
2987         if (!test_bit(HCI_MGMT, &hdev->dev_flags))
2988                 return;
2989
2990         hci_dev_lock(hdev);
2991
2992         key = hci_find_link_key(hdev, &ev->bdaddr);
2993         if (!key) {
2994                 BT_DBG("%s link key not found for %pMR", hdev->name,
2995                        &ev->bdaddr);
2996                 goto not_found;
2997         }
2998
2999         BT_DBG("%s found key type %u for %pMR", hdev->name, key->type,
3000                &ev->bdaddr);
3001
3002         if (!test_bit(HCI_DEBUG_KEYS, &hdev->dev_flags) &&
3003             key->type == HCI_LK_DEBUG_COMBINATION) {
3004                 BT_DBG("%s ignoring debug key", hdev->name);
3005                 goto not_found;
3006         }
3007
3008         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3009         if (conn) {
3010                 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
3011                      key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
3012                     conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
3013                         BT_DBG("%s ignoring unauthenticated key", hdev->name);
3014                         goto not_found;
3015                 }
3016
3017                 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
3018                     conn->pending_sec_level == BT_SECURITY_HIGH) {
3019                         BT_DBG("%s ignoring key unauthenticated for high security",
3020                                hdev->name);
3021                         goto not_found;
3022                 }
3023
3024                 conn->key_type = key->type;
3025                 conn->pin_length = key->pin_len;
3026         }
3027
3028         bacpy(&cp.bdaddr, &ev->bdaddr);
3029         memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
3030
3031         hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
3032
3033         hci_dev_unlock(hdev);
3034
3035         return;
3036
3037 not_found:
3038         hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
3039         hci_dev_unlock(hdev);
3040 }
3041
3042 static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
3043 {
3044         struct hci_ev_link_key_notify *ev = (void *) skb->data;
3045         struct hci_conn *conn;
3046         u8 pin_len = 0;
3047
3048         BT_DBG("%s", hdev->name);
3049
3050         hci_dev_lock(hdev);
3051
3052         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3053         if (conn) {
3054                 hci_conn_hold(conn);
3055                 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3056                 pin_len = conn->pin_length;
3057
3058                 if (ev->key_type != HCI_LK_CHANGED_COMBINATION)
3059                         conn->key_type = ev->key_type;
3060
3061                 hci_conn_drop(conn);
3062         }
3063
3064         if (test_bit(HCI_MGMT, &hdev->dev_flags))
3065                 hci_add_link_key(hdev, conn, 1, &ev->bdaddr, ev->link_key,
3066                                  ev->key_type, pin_len);
3067
3068         hci_dev_unlock(hdev);
3069 }
3070
3071 static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb)
3072 {
3073         struct hci_ev_clock_offset *ev = (void *) skb->data;
3074         struct hci_conn *conn;
3075
3076         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3077
3078         hci_dev_lock(hdev);
3079
3080         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3081         if (conn && !ev->status) {
3082                 struct inquiry_entry *ie;
3083
3084                 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
3085                 if (ie) {
3086                         ie->data.clock_offset = ev->clock_offset;
3087                         ie->timestamp = jiffies;
3088                 }
3089         }
3090
3091         hci_dev_unlock(hdev);
3092 }
3093
3094 static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3095 {
3096         struct hci_ev_pkt_type_change *ev = (void *) skb->data;
3097         struct hci_conn *conn;
3098
3099         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3100
3101         hci_dev_lock(hdev);
3102
3103         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3104         if (conn && !ev->status)
3105                 conn->pkt_type = __le16_to_cpu(ev->pkt_type);
3106
3107         hci_dev_unlock(hdev);
3108 }
3109
3110 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb)
3111 {
3112         struct hci_ev_pscan_rep_mode *ev = (void *) skb->data;
3113         struct inquiry_entry *ie;
3114
3115         BT_DBG("%s", hdev->name);
3116
3117         hci_dev_lock(hdev);
3118
3119         ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3120         if (ie) {
3121                 ie->data.pscan_rep_mode = ev->pscan_rep_mode;
3122                 ie->timestamp = jiffies;
3123         }
3124
3125         hci_dev_unlock(hdev);
3126 }
3127
3128 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev,
3129                                              struct sk_buff *skb)
3130 {
3131         struct inquiry_data data;
3132         int num_rsp = *((__u8 *) skb->data);
3133         bool name_known, ssp;
3134
3135         BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
3136
3137         if (!num_rsp)
3138                 return;
3139
3140         if (test_bit(HCI_PERIODIC_INQ, &hdev->dev_flags))
3141                 return;
3142
3143         hci_dev_lock(hdev);
3144
3145         if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
3146                 struct inquiry_info_with_rssi_and_pscan_mode *info;
3147                 info = (void *) (skb->data + 1);
3148
3149                 for (; num_rsp; num_rsp--, info++) {
3150                         bacpy(&data.bdaddr, &info->bdaddr);
3151                         data.pscan_rep_mode     = info->pscan_rep_mode;
3152                         data.pscan_period_mode  = info->pscan_period_mode;
3153                         data.pscan_mode         = info->pscan_mode;
3154                         memcpy(data.dev_class, info->dev_class, 3);
3155                         data.clock_offset       = info->clock_offset;
3156                         data.rssi               = info->rssi;
3157                         data.ssp_mode           = 0x00;
3158
3159                         name_known = hci_inquiry_cache_update(hdev, &data,
3160                                                               false, &ssp);
3161                         mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3162                                           info->dev_class, info->rssi,
3163                                           !name_known, ssp, NULL, 0, NULL, 0);
3164                 }
3165         } else {
3166                 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
3167
3168                 for (; num_rsp; num_rsp--, info++) {
3169                         bacpy(&data.bdaddr, &info->bdaddr);
3170                         data.pscan_rep_mode     = info->pscan_rep_mode;
3171                         data.pscan_period_mode  = info->pscan_period_mode;
3172                         data.pscan_mode         = 0x00;
3173                         memcpy(data.dev_class, info->dev_class, 3);
3174                         data.clock_offset       = info->clock_offset;
3175                         data.rssi               = info->rssi;
3176                         data.ssp_mode           = 0x00;
3177                         name_known = hci_inquiry_cache_update(hdev, &data,
3178                                                               false, &ssp);
3179                         mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3180                                           info->dev_class, info->rssi,
3181                                           !name_known, ssp, NULL, 0, NULL, 0);
3182                 }
3183         }
3184
3185         hci_dev_unlock(hdev);
3186 }
3187
3188 static void hci_remote_ext_features_evt(struct hci_dev *hdev,
3189                                         struct sk_buff *skb)
3190 {
3191         struct hci_ev_remote_ext_features *ev = (void *) skb->data;
3192         struct hci_conn *conn;
3193
3194         BT_DBG("%s", hdev->name);
3195
3196         hci_dev_lock(hdev);
3197
3198         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3199         if (!conn)
3200                 goto unlock;
3201
3202         if (ev->page < HCI_MAX_PAGES)
3203                 memcpy(conn->features[ev->page], ev->features, 8);
3204
3205         if (!ev->status && ev->page == 0x01) {
3206                 struct inquiry_entry *ie;
3207
3208                 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
3209                 if (ie)
3210                         ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
3211
3212                 if (ev->features[0] & LMP_HOST_SSP) {
3213                         set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
3214                 } else {
3215                         /* It is mandatory by the Bluetooth specification that
3216                          * Extended Inquiry Results are only used when Secure
3217                          * Simple Pairing is enabled, but some devices violate
3218                          * this.
3219                          *
3220                          * To make these devices work, the internal SSP
3221                          * enabled flag needs to be cleared if the remote host
3222                          * features do not indicate SSP support */
3223                         clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
3224                 }
3225
3226                 if (ev->features[0] & LMP_HOST_SC)
3227                         set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
3228         }
3229
3230         if (conn->state != BT_CONFIG)
3231                 goto unlock;
3232
3233         if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3234                 struct hci_cp_remote_name_req cp;
3235                 memset(&cp, 0, sizeof(cp));
3236                 bacpy(&cp.bdaddr, &conn->dst);
3237                 cp.pscan_rep_mode = 0x02;
3238                 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3239         } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3240                 mgmt_device_connected(hdev, &conn->dst, conn->type,
3241                                       conn->dst_type, 0, NULL, 0,
3242                                       conn->dev_class);
3243
3244         if (!hci_outgoing_auth_needed(hdev, conn)) {
3245                 conn->state = BT_CONNECTED;
3246                 hci_proto_connect_cfm(conn, ev->status);
3247                 hci_conn_drop(conn);
3248         }
3249
3250 unlock:
3251         hci_dev_unlock(hdev);
3252 }
3253
3254 static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
3255                                        struct sk_buff *skb)
3256 {
3257         struct hci_ev_sync_conn_complete *ev = (void *) skb->data;
3258         struct hci_conn *conn;
3259
3260         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3261
3262         hci_dev_lock(hdev);
3263
3264         conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
3265         if (!conn) {
3266                 if (ev->link_type == ESCO_LINK)
3267                         goto unlock;
3268
3269                 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
3270                 if (!conn)
3271                         goto unlock;
3272
3273                 conn->type = SCO_LINK;
3274         }
3275
3276         switch (ev->status) {
3277         case 0x00:
3278                 conn->handle = __le16_to_cpu(ev->handle);
3279                 conn->state  = BT_CONNECTED;
3280
3281                 hci_conn_add_sysfs(conn);
3282                 break;
3283
3284         case 0x0d:      /* Connection Rejected due to Limited Resources */
3285         case 0x11:      /* Unsupported Feature or Parameter Value */
3286         case 0x1c:      /* SCO interval rejected */
3287         case 0x1a:      /* Unsupported Remote Feature */
3288         case 0x1f:      /* Unspecified error */
3289         case 0x20:      /* Unsupported LMP Parameter value */
3290                 if (conn->out) {
3291                         conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
3292                                         (hdev->esco_type & EDR_ESCO_MASK);
3293                         if (hci_setup_sync(conn, conn->link->handle))
3294                                 goto unlock;
3295                 }
3296                 /* fall through */
3297
3298         default:
3299                 conn->state = BT_CLOSED;
3300                 break;
3301         }
3302
3303         hci_proto_connect_cfm(conn, ev->status);
3304         if (ev->status)
3305                 hci_conn_del(conn);
3306
3307 unlock:
3308         hci_dev_unlock(hdev);
3309 }
3310
3311 static inline size_t eir_get_length(u8 *eir, size_t eir_len)
3312 {
3313         size_t parsed = 0;
3314
3315         while (parsed < eir_len) {
3316                 u8 field_len = eir[0];
3317
3318                 if (field_len == 0)
3319                         return parsed;
3320
3321                 parsed += field_len + 1;
3322                 eir += field_len + 1;
3323         }
3324
3325         return eir_len;
3326 }
3327
3328 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev,
3329                                             struct sk_buff *skb)
3330 {
3331         struct inquiry_data data;
3332         struct extended_inquiry_info *info = (void *) (skb->data + 1);
3333         int num_rsp = *((__u8 *) skb->data);
3334         size_t eir_len;
3335
3336         BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
3337
3338         if (!num_rsp)
3339                 return;
3340
3341         if (test_bit(HCI_PERIODIC_INQ, &hdev->dev_flags))
3342                 return;
3343
3344         hci_dev_lock(hdev);
3345
3346         for (; num_rsp; num_rsp--, info++) {
3347                 bool name_known, ssp;
3348
3349                 bacpy(&data.bdaddr, &info->bdaddr);
3350                 data.pscan_rep_mode     = info->pscan_rep_mode;
3351                 data.pscan_period_mode  = info->pscan_period_mode;
3352                 data.pscan_mode         = 0x00;
3353                 memcpy(data.dev_class, info->dev_class, 3);
3354                 data.clock_offset       = info->clock_offset;
3355                 data.rssi               = info->rssi;
3356                 data.ssp_mode           = 0x01;
3357
3358                 if (test_bit(HCI_MGMT, &hdev->dev_flags))
3359                         name_known = eir_has_data_type(info->data,
3360                                                        sizeof(info->data),
3361                                                        EIR_NAME_COMPLETE);
3362                 else
3363                         name_known = true;
3364
3365                 name_known = hci_inquiry_cache_update(hdev, &data, name_known,
3366                                                       &ssp);
3367                 eir_len = eir_get_length(info->data, sizeof(info->data));
3368                 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3369                                   info->dev_class, info->rssi, !name_known,
3370                                   ssp, info->data, eir_len, NULL, 0);
3371         }
3372
3373         hci_dev_unlock(hdev);
3374 }
3375
3376 static void hci_key_refresh_complete_evt(struct hci_dev *hdev,
3377                                          struct sk_buff *skb)
3378 {
3379         struct hci_ev_key_refresh_complete *ev = (void *) skb->data;
3380         struct hci_conn *conn;
3381
3382         BT_DBG("%s status 0x%2.2x handle 0x%4.4x", hdev->name, ev->status,
3383                __le16_to_cpu(ev->handle));
3384
3385         hci_dev_lock(hdev);
3386
3387         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3388         if (!conn)
3389                 goto unlock;
3390
3391         /* For BR/EDR the necessary steps are taken through the
3392          * auth_complete event.
3393          */
3394         if (conn->type != LE_LINK)
3395                 goto unlock;
3396
3397         if (!ev->status)
3398                 conn->sec_level = conn->pending_sec_level;
3399
3400         clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3401
3402         if (ev->status && conn->state == BT_CONNECTED) {
3403                 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3404                 hci_conn_drop(conn);
3405                 goto unlock;
3406         }
3407
3408         if (conn->state == BT_CONFIG) {
3409                 if (!ev->status)
3410                         conn->state = BT_CONNECTED;
3411
3412                 hci_proto_connect_cfm(conn, ev->status);
3413                 hci_conn_drop(conn);
3414         } else {
3415                 hci_auth_cfm(conn, ev->status);
3416
3417                 hci_conn_hold(conn);
3418                 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3419                 hci_conn_drop(conn);
3420         }
3421
3422 unlock:
3423         hci_dev_unlock(hdev);
3424 }
3425
3426 static u8 hci_get_auth_req(struct hci_conn *conn)
3427 {
3428         /* If remote requests no-bonding follow that lead */
3429         if (conn->remote_auth == HCI_AT_NO_BONDING ||
3430             conn->remote_auth == HCI_AT_NO_BONDING_MITM)
3431                 return conn->remote_auth | (conn->auth_type & 0x01);
3432
3433         /* If both remote and local have enough IO capabilities, require
3434          * MITM protection
3435          */
3436         if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
3437             conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
3438                 return conn->remote_auth | 0x01;
3439
3440         /* No MITM protection possible so ignore remote requirement */
3441         return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
3442 }
3443
3444 static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3445 {
3446         struct hci_ev_io_capa_request *ev = (void *) skb->data;
3447         struct hci_conn *conn;
3448
3449         BT_DBG("%s", hdev->name);
3450
3451         hci_dev_lock(hdev);
3452
3453         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3454         if (!conn)
3455                 goto unlock;
3456
3457         hci_conn_hold(conn);
3458
3459         if (!test_bit(HCI_MGMT, &hdev->dev_flags))
3460                 goto unlock;
3461
3462         if (test_bit(HCI_PAIRABLE, &hdev->dev_flags) ||
3463             (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
3464                 struct hci_cp_io_capability_reply cp;
3465
3466                 bacpy(&cp.bdaddr, &ev->bdaddr);
3467                 /* Change the IO capability from KeyboardDisplay
3468                  * to DisplayYesNo as it is not supported by BT spec. */
3469                 cp.capability = (conn->io_capability == 0x04) ?
3470                                 HCI_IO_DISPLAY_YESNO : conn->io_capability;
3471
3472                 /* If we are initiators, there is no remote information yet */
3473                 if (conn->remote_auth == 0xff) {
3474                         cp.authentication = conn->auth_type;
3475
3476                         /* Request MITM protection if our IO caps allow it
3477                          * except for the no-bonding case
3478                          */
3479                         if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
3480                             cp.authentication != HCI_AT_NO_BONDING)
3481                                 cp.authentication |= 0x01;
3482                 } else {
3483                         conn->auth_type = hci_get_auth_req(conn);
3484                         cp.authentication = conn->auth_type;
3485                 }
3486
3487                 if (hci_find_remote_oob_data(hdev, &conn->dst) &&
3488                     (conn->out || test_bit(HCI_CONN_REMOTE_OOB, &conn->flags)))
3489                         cp.oob_data = 0x01;
3490                 else
3491                         cp.oob_data = 0x00;
3492
3493                 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
3494                              sizeof(cp), &cp);
3495         } else {
3496                 struct hci_cp_io_capability_neg_reply cp;
3497
3498                 bacpy(&cp.bdaddr, &ev->bdaddr);
3499                 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
3500
3501                 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
3502                              sizeof(cp), &cp);
3503         }
3504
3505 unlock:
3506         hci_dev_unlock(hdev);
3507 }
3508
3509 static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb)
3510 {
3511         struct hci_ev_io_capa_reply *ev = (void *) skb->data;
3512         struct hci_conn *conn;
3513
3514         BT_DBG("%s", hdev->name);
3515
3516         hci_dev_lock(hdev);
3517
3518         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3519         if (!conn)
3520                 goto unlock;
3521
3522         conn->remote_cap = ev->capability;
3523         conn->remote_auth = ev->authentication;
3524         if (ev->oob_data)
3525                 set_bit(HCI_CONN_REMOTE_OOB, &conn->flags);
3526
3527 unlock:
3528         hci_dev_unlock(hdev);
3529 }
3530
3531 static void hci_user_confirm_request_evt(struct hci_dev *hdev,
3532                                          struct sk_buff *skb)
3533 {
3534         struct hci_ev_user_confirm_req *ev = (void *) skb->data;
3535         int loc_mitm, rem_mitm, confirm_hint = 0;
3536         struct hci_conn *conn;
3537
3538         BT_DBG("%s", hdev->name);
3539
3540         hci_dev_lock(hdev);
3541
3542         if (!test_bit(HCI_MGMT, &hdev->dev_flags))
3543                 goto unlock;
3544
3545         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3546         if (!conn)
3547                 goto unlock;
3548
3549         loc_mitm = (conn->auth_type & 0x01);
3550         rem_mitm = (conn->remote_auth & 0x01);
3551
3552         /* If we require MITM but the remote device can't provide that
3553          * (it has NoInputNoOutput) then reject the confirmation request
3554          */
3555         if (loc_mitm && conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
3556                 BT_DBG("Rejecting request: remote device can't provide MITM");
3557                 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
3558                              sizeof(ev->bdaddr), &ev->bdaddr);
3559                 goto unlock;
3560         }
3561
3562         /* If no side requires MITM protection; auto-accept */
3563         if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
3564             (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
3565
3566                 /* If we're not the initiators request authorization to
3567                  * proceed from user space (mgmt_user_confirm with
3568                  * confirm_hint set to 1). */
3569                 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
3570                         BT_DBG("Confirming auto-accept as acceptor");
3571                         confirm_hint = 1;
3572                         goto confirm;
3573                 }
3574
3575                 BT_DBG("Auto-accept of user confirmation with %ums delay",
3576                        hdev->auto_accept_delay);
3577
3578                 if (hdev->auto_accept_delay > 0) {
3579                         int delay = msecs_to_jiffies(hdev->auto_accept_delay);
3580                         queue_delayed_work(conn->hdev->workqueue,
3581                                            &conn->auto_accept_work, delay);
3582                         goto unlock;
3583                 }
3584
3585                 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
3586                              sizeof(ev->bdaddr), &ev->bdaddr);
3587                 goto unlock;
3588         }
3589
3590 confirm:
3591         mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
3592                                   le32_to_cpu(ev->passkey), confirm_hint);
3593
3594 unlock:
3595         hci_dev_unlock(hdev);
3596 }
3597
3598 static void hci_user_passkey_request_evt(struct hci_dev *hdev,
3599                                          struct sk_buff *skb)
3600 {
3601         struct hci_ev_user_passkey_req *ev = (void *) skb->data;
3602
3603         BT_DBG("%s", hdev->name);
3604
3605         if (test_bit(HCI_MGMT, &hdev->dev_flags))
3606                 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
3607 }
3608
3609 static void hci_user_passkey_notify_evt(struct hci_dev *hdev,
3610                                         struct sk_buff *skb)
3611 {
3612         struct hci_ev_user_passkey_notify *ev = (void *) skb->data;
3613         struct hci_conn *conn;
3614
3615         BT_DBG("%s", hdev->name);
3616
3617         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3618         if (!conn)
3619                 return;
3620
3621         conn->passkey_notify = __le32_to_cpu(ev->passkey);
3622         conn->passkey_entered = 0;
3623
3624         if (test_bit(HCI_MGMT, &hdev->dev_flags))
3625                 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
3626                                          conn->dst_type, conn->passkey_notify,
3627                                          conn->passkey_entered);
3628 }
3629
3630 static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
3631 {
3632         struct hci_ev_keypress_notify *ev = (void *) skb->data;
3633         struct hci_conn *conn;
3634
3635         BT_DBG("%s", hdev->name);
3636
3637         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3638         if (!conn)
3639                 return;
3640
3641         switch (ev->type) {
3642         case HCI_KEYPRESS_STARTED:
3643                 conn->passkey_entered = 0;
3644                 return;
3645
3646         case HCI_KEYPRESS_ENTERED:
3647                 conn->passkey_entered++;
3648                 break;
3649
3650         case HCI_KEYPRESS_ERASED:
3651                 conn->passkey_entered--;
3652                 break;
3653
3654         case HCI_KEYPRESS_CLEARED:
3655                 conn->passkey_entered = 0;
3656                 break;
3657
3658         case HCI_KEYPRESS_COMPLETED:
3659                 return;
3660         }
3661
3662         if (test_bit(HCI_MGMT, &hdev->dev_flags))
3663                 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
3664                                          conn->dst_type, conn->passkey_notify,
3665                                          conn->passkey_entered);
3666 }
3667
3668 static void hci_simple_pair_complete_evt(struct hci_dev *hdev,
3669                                          struct sk_buff *skb)
3670 {
3671         struct hci_ev_simple_pair_complete *ev = (void *) skb->data;
3672         struct hci_conn *conn;
3673
3674         BT_DBG("%s", hdev->name);
3675
3676         hci_dev_lock(hdev);
3677
3678         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3679         if (!conn)
3680                 goto unlock;
3681
3682         /* To avoid duplicate auth_failed events to user space we check
3683          * the HCI_CONN_AUTH_PEND flag which will be set if we
3684          * initiated the authentication. A traditional auth_complete
3685          * event gets always produced as initiator and is also mapped to
3686          * the mgmt_auth_failed event */
3687         if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
3688                 mgmt_auth_failed(hdev, &conn->dst, conn->type, conn->dst_type,
3689                                  ev->status);
3690
3691         hci_conn_drop(conn);
3692
3693 unlock:
3694         hci_dev_unlock(hdev);
3695 }
3696
3697 static void hci_remote_host_features_evt(struct hci_dev *hdev,
3698                                          struct sk_buff *skb)
3699 {
3700         struct hci_ev_remote_host_features *ev = (void *) skb->data;
3701         struct inquiry_entry *ie;
3702         struct hci_conn *conn;
3703
3704         BT_DBG("%s", hdev->name);
3705
3706         hci_dev_lock(hdev);
3707
3708         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3709         if (conn)
3710                 memcpy(conn->features[1], ev->features, 8);
3711
3712         ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3713         if (ie)
3714                 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
3715
3716         hci_dev_unlock(hdev);
3717 }
3718
3719 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
3720                                             struct sk_buff *skb)
3721 {
3722         struct hci_ev_remote_oob_data_request *ev = (void *) skb->data;
3723         struct oob_data *data;
3724
3725         BT_DBG("%s", hdev->name);
3726
3727         hci_dev_lock(hdev);
3728
3729         if (!test_bit(HCI_MGMT, &hdev->dev_flags))
3730                 goto unlock;
3731
3732         data = hci_find_remote_oob_data(hdev, &ev->bdaddr);
3733         if (data) {
3734                 if (test_bit(HCI_SC_ENABLED, &hdev->dev_flags)) {
3735                         struct hci_cp_remote_oob_ext_data_reply cp;
3736
3737                         bacpy(&cp.bdaddr, &ev->bdaddr);
3738                         memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
3739                         memcpy(cp.randomizer192, data->randomizer192,
3740                                sizeof(cp.randomizer192));
3741                         memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
3742                         memcpy(cp.randomizer256, data->randomizer256,
3743                                sizeof(cp.randomizer256));
3744
3745                         hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
3746                                      sizeof(cp), &cp);
3747                 } else {
3748                         struct hci_cp_remote_oob_data_reply cp;
3749
3750                         bacpy(&cp.bdaddr, &ev->bdaddr);
3751                         memcpy(cp.hash, data->hash192, sizeof(cp.hash));
3752                         memcpy(cp.randomizer, data->randomizer192,
3753                                sizeof(cp.randomizer));
3754
3755                         hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
3756                                      sizeof(cp), &cp);
3757                 }
3758         } else {
3759                 struct hci_cp_remote_oob_data_neg_reply cp;
3760
3761                 bacpy(&cp.bdaddr, &ev->bdaddr);
3762                 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
3763                              sizeof(cp), &cp);
3764         }
3765
3766 unlock:
3767         hci_dev_unlock(hdev);
3768 }
3769
3770 static void hci_phy_link_complete_evt(struct hci_dev *hdev,
3771                                       struct sk_buff *skb)
3772 {
3773         struct hci_ev_phy_link_complete *ev = (void *) skb->data;
3774         struct hci_conn *hcon, *bredr_hcon;
3775
3776         BT_DBG("%s handle 0x%2.2x status 0x%2.2x", hdev->name, ev->phy_handle,
3777                ev->status);
3778
3779         hci_dev_lock(hdev);
3780
3781         hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
3782         if (!hcon) {
3783                 hci_dev_unlock(hdev);
3784                 return;
3785         }
3786
3787         if (ev->status) {
3788                 hci_conn_del(hcon);
3789                 hci_dev_unlock(hdev);
3790                 return;
3791         }
3792
3793         bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
3794
3795         hcon->state = BT_CONNECTED;
3796         bacpy(&hcon->dst, &bredr_hcon->dst);
3797
3798         hci_conn_hold(hcon);
3799         hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3800         hci_conn_drop(hcon);
3801
3802         hci_conn_add_sysfs(hcon);
3803
3804         amp_physical_cfm(bredr_hcon, hcon);
3805
3806         hci_dev_unlock(hdev);
3807 }
3808
3809 static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
3810 {
3811         struct hci_ev_logical_link_complete *ev = (void *) skb->data;
3812         struct hci_conn *hcon;
3813         struct hci_chan *hchan;
3814         struct amp_mgr *mgr;
3815
3816         BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
3817                hdev->name, le16_to_cpu(ev->handle), ev->phy_handle,
3818                ev->status);
3819
3820         hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
3821         if (!hcon)
3822                 return;
3823
3824         /* Create AMP hchan */
3825         hchan = hci_chan_create(hcon);
3826         if (!hchan)
3827                 return;
3828
3829         hchan->handle = le16_to_cpu(ev->handle);
3830
3831         BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
3832
3833         mgr = hcon->amp_mgr;
3834         if (mgr && mgr->bredr_chan) {
3835                 struct l2cap_chan *bredr_chan = mgr->bredr_chan;
3836
3837                 l2cap_chan_lock(bredr_chan);
3838
3839                 bredr_chan->conn->mtu = hdev->block_mtu;
3840                 l2cap_logical_cfm(bredr_chan, hchan, 0);
3841                 hci_conn_hold(hcon);
3842
3843                 l2cap_chan_unlock(bredr_chan);
3844         }
3845 }
3846
3847 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev,
3848                                              struct sk_buff *skb)
3849 {
3850         struct hci_ev_disconn_logical_link_complete *ev = (void *) skb->data;
3851         struct hci_chan *hchan;
3852
3853         BT_DBG("%s log handle 0x%4.4x status 0x%2.2x", hdev->name,
3854                le16_to_cpu(ev->handle), ev->status);
3855
3856         if (ev->status)
3857                 return;
3858
3859         hci_dev_lock(hdev);
3860
3861         hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
3862         if (!hchan)
3863                 goto unlock;
3864
3865         amp_destroy_logical_link(hchan, ev->reason);
3866
3867 unlock:
3868         hci_dev_unlock(hdev);
3869 }
3870
3871 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev,
3872                                              struct sk_buff *skb)
3873 {
3874         struct hci_ev_disconn_phy_link_complete *ev = (void *) skb->data;
3875         struct hci_conn *hcon;
3876
3877         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3878
3879         if (ev->status)
3880                 return;
3881
3882         hci_dev_lock(hdev);
3883
3884         hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
3885         if (hcon) {
3886                 hcon->state = BT_CLOSED;
3887                 hci_conn_del(hcon);
3888         }
3889
3890         hci_dev_unlock(hdev);
3891 }
3892
3893 static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
3894 {
3895         struct hci_ev_le_conn_complete *ev = (void *) skb->data;
3896         struct hci_conn *conn;
3897         struct smp_irk *irk;
3898
3899         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3900
3901         hci_dev_lock(hdev);
3902
3903         conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT);
3904         if (!conn) {
3905                 conn = hci_conn_add(hdev, LE_LINK, &ev->bdaddr);
3906                 if (!conn) {
3907                         BT_ERR("No memory for new connection");
3908                         goto unlock;
3909                 }
3910
3911                 conn->dst_type = ev->bdaddr_type;
3912
3913                 if (ev->role == LE_CONN_ROLE_MASTER) {
3914                         conn->out = true;
3915                         conn->link_mode |= HCI_LM_MASTER;
3916                 }
3917
3918                 /* If we didn't have a hci_conn object previously
3919                  * but we're in master role this must be something
3920                  * initiated using a white list. Since white list based
3921                  * connections are not "first class citizens" we don't
3922                  * have full tracking of them. Therefore, we go ahead
3923                  * with a "best effort" approach of determining the
3924                  * initiator address based on the HCI_PRIVACY flag.
3925                  */
3926                 if (conn->out) {
3927                         conn->resp_addr_type = ev->bdaddr_type;
3928                         bacpy(&conn->resp_addr, &ev->bdaddr);
3929                         if (test_bit(HCI_PRIVACY, &hdev->dev_flags)) {
3930                                 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
3931                                 bacpy(&conn->init_addr, &hdev->rpa);
3932                         } else {
3933                                 hci_copy_identity_address(hdev,
3934                                                           &conn->init_addr,
3935                                                           &conn->init_addr_type);
3936                         }
3937                 }
3938         } else {
3939                 cancel_delayed_work(&conn->le_conn_timeout);
3940         }
3941
3942         if (!conn->out) {
3943                 /* Set the responder (our side) address type based on
3944                  * the advertising address type.
3945                  */
3946                 conn->resp_addr_type = hdev->adv_addr_type;
3947                 if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM)
3948                         bacpy(&conn->resp_addr, &hdev->random_addr);
3949                 else
3950                         bacpy(&conn->resp_addr, &hdev->bdaddr);
3951
3952                 conn->init_addr_type = ev->bdaddr_type;
3953                 bacpy(&conn->init_addr, &ev->bdaddr);
3954         }
3955
3956         /* Lookup the identity address from the stored connection
3957          * address and address type.
3958          *
3959          * When establishing connections to an identity address, the
3960          * connection procedure will store the resolvable random
3961          * address first. Now if it can be converted back into the
3962          * identity address, start using the identity address from
3963          * now on.
3964          */
3965         irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
3966         if (irk) {
3967                 bacpy(&conn->dst, &irk->bdaddr);
3968                 conn->dst_type = irk->addr_type;
3969         }
3970
3971         if (ev->status) {
3972                 hci_le_conn_failed(conn, ev->status);
3973                 goto unlock;
3974         }
3975
3976         if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3977                 mgmt_device_connected(hdev, &conn->dst, conn->type,
3978                                       conn->dst_type, 0, NULL, 0, NULL);
3979
3980         conn->sec_level = BT_SECURITY_LOW;
3981         conn->handle = __le16_to_cpu(ev->handle);
3982         conn->state = BT_CONNECTED;
3983
3984         if (test_bit(HCI_6LOWPAN_ENABLED, &hdev->dev_flags))
3985                 set_bit(HCI_CONN_6LOWPAN, &conn->flags);
3986
3987         hci_conn_add_sysfs(conn);
3988
3989         hci_proto_connect_cfm(conn, ev->status);
3990
3991         hci_pend_le_conn_del(hdev, &conn->dst, conn->dst_type);
3992
3993 unlock:
3994         hci_dev_unlock(hdev);
3995 }
3996
3997 /* This function requires the caller holds hdev->lock */
3998 static void check_pending_le_conn(struct hci_dev *hdev, bdaddr_t *addr,
3999                                   u8 addr_type)
4000 {
4001         struct hci_conn *conn;
4002         struct smp_irk *irk;
4003
4004         /* If this is a resolvable address, we should resolve it and then
4005          * update address and address type variables.
4006          */
4007         irk = hci_get_irk(hdev, addr, addr_type);
4008         if (irk) {
4009                 addr = &irk->bdaddr;
4010                 addr_type = irk->addr_type;
4011         }
4012
4013         if (!hci_pend_le_conn_lookup(hdev, addr, addr_type))
4014                 return;
4015
4016         conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW,
4017                               HCI_AT_NO_BONDING);
4018         if (!IS_ERR(conn))
4019                 return;
4020
4021         switch (PTR_ERR(conn)) {
4022         case -EBUSY:
4023                 /* If hci_connect() returns -EBUSY it means there is already
4024                  * an LE connection attempt going on. Since controllers don't
4025                  * support more than one connection attempt at the time, we
4026                  * don't consider this an error case.
4027                  */
4028                 break;
4029         default:
4030                 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
4031         }
4032 }
4033
4034 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
4035                                u8 bdaddr_type, s8 rssi, u8 *data, u8 len)
4036 {
4037         struct discovery_state *d = &hdev->discovery;
4038         bool match;
4039
4040         /* Passive scanning shouldn't trigger any device found events */
4041         if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
4042                 if (type == LE_ADV_IND || type == LE_ADV_DIRECT_IND)
4043                         check_pending_le_conn(hdev, bdaddr, bdaddr_type);
4044                 return;
4045         }
4046
4047         /* If there's nothing pending either store the data from this
4048          * event or send an immediate device found event if the data
4049          * should not be stored for later.
4050          */
4051         if (!has_pending_adv_report(hdev)) {
4052                 /* If the report will trigger a SCAN_REQ store it for
4053                  * later merging.
4054                  */
4055                 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
4056                         store_pending_adv_report(hdev, bdaddr, bdaddr_type,
4057                                                  rssi, data, len);
4058                         return;
4059                 }
4060
4061                 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4062                                   rssi, 0, 1, data, len, NULL, 0);
4063                 return;
4064         }
4065
4066         /* Check if the pending report is for the same device as the new one */
4067         match = (!bacmp(bdaddr, &d->last_adv_addr) &&
4068                  bdaddr_type == d->last_adv_addr_type);
4069
4070         /* If the pending data doesn't match this report or this isn't a
4071          * scan response (e.g. we got a duplicate ADV_IND) then force
4072          * sending of the pending data.
4073          */
4074         if (type != LE_ADV_SCAN_RSP || !match) {
4075                 /* Send out whatever is in the cache, but skip duplicates */
4076                 if (!match)
4077                         mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
4078                                           d->last_adv_addr_type, NULL,
4079                                           d->last_adv_rssi, 0, 1,
4080                                           d->last_adv_data,
4081                                           d->last_adv_data_len, NULL, 0);
4082
4083                 /* If the new report will trigger a SCAN_REQ store it for
4084                  * later merging.
4085                  */
4086                 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
4087                         store_pending_adv_report(hdev, bdaddr, bdaddr_type,
4088                                                  rssi, data, len);
4089                         return;
4090                 }
4091
4092                 /* The advertising reports cannot be merged, so clear
4093                  * the pending report and send out a device found event.
4094                  */
4095                 clear_pending_adv_report(hdev);
4096                 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4097                                   rssi, 0, 1, data, len, NULL, 0);
4098                 return;
4099         }
4100
4101         /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
4102          * the new event is a SCAN_RSP. We can therefore proceed with
4103          * sending a merged device found event.
4104          */
4105         mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
4106                           d->last_adv_addr_type, NULL, rssi, 0, 1, data, len,
4107                           d->last_adv_data, d->last_adv_data_len);
4108         clear_pending_adv_report(hdev);
4109 }
4110
4111 static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
4112 {
4113         u8 num_reports = skb->data[0];
4114         void *ptr = &skb->data[1];
4115
4116         hci_dev_lock(hdev);
4117
4118         while (num_reports--) {
4119                 struct hci_ev_le_advertising_info *ev = ptr;
4120                 s8 rssi;
4121
4122                 rssi = ev->data[ev->length];
4123                 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
4124                                    ev->bdaddr_type, rssi, ev->data, ev->length);
4125
4126                 ptr += sizeof(*ev) + ev->length + 1;
4127         }
4128
4129         hci_dev_unlock(hdev);
4130 }
4131
4132 static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
4133 {
4134         struct hci_ev_le_ltk_req *ev = (void *) skb->data;
4135         struct hci_cp_le_ltk_reply cp;
4136         struct hci_cp_le_ltk_neg_reply neg;
4137         struct hci_conn *conn;
4138         struct smp_ltk *ltk;
4139
4140         BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle));
4141
4142         hci_dev_lock(hdev);
4143
4144         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4145         if (conn == NULL)
4146                 goto not_found;
4147
4148         ltk = hci_find_ltk(hdev, ev->ediv, ev->rand, conn->out);
4149         if (ltk == NULL)
4150                 goto not_found;
4151
4152         memcpy(cp.ltk, ltk->val, sizeof(ltk->val));
4153         cp.handle = cpu_to_le16(conn->handle);
4154
4155         if (ltk->authenticated)
4156                 conn->pending_sec_level = BT_SECURITY_HIGH;
4157         else
4158                 conn->pending_sec_level = BT_SECURITY_MEDIUM;
4159
4160         conn->enc_key_size = ltk->enc_size;
4161
4162         hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
4163
4164         /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
4165          * temporary key used to encrypt a connection following
4166          * pairing. It is used during the Encrypted Session Setup to
4167          * distribute the keys. Later, security can be re-established
4168          * using a distributed LTK.
4169          */
4170         if (ltk->type == HCI_SMP_STK_SLAVE) {
4171                 list_del(&ltk->list);
4172                 kfree(ltk);
4173         }
4174
4175         hci_dev_unlock(hdev);
4176
4177         return;
4178
4179 not_found:
4180         neg.handle = ev->handle;
4181         hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
4182         hci_dev_unlock(hdev);
4183 }
4184
4185 static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
4186 {
4187         struct hci_ev_le_meta *le_ev = (void *) skb->data;
4188
4189         skb_pull(skb, sizeof(*le_ev));
4190
4191         switch (le_ev->subevent) {
4192         case HCI_EV_LE_CONN_COMPLETE:
4193                 hci_le_conn_complete_evt(hdev, skb);
4194                 break;
4195
4196         case HCI_EV_LE_ADVERTISING_REPORT:
4197                 hci_le_adv_report_evt(hdev, skb);
4198                 break;
4199
4200         case HCI_EV_LE_LTK_REQ:
4201                 hci_le_ltk_request_evt(hdev, skb);
4202                 break;
4203
4204         default:
4205                 break;
4206         }
4207 }
4208
4209 static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb)
4210 {
4211         struct hci_ev_channel_selected *ev = (void *) skb->data;
4212         struct hci_conn *hcon;
4213
4214         BT_DBG("%s handle 0x%2.2x", hdev->name, ev->phy_handle);
4215
4216         skb_pull(skb, sizeof(*ev));
4217
4218         hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4219         if (!hcon)
4220                 return;
4221
4222         amp_read_loc_assoc_final_data(hdev, hcon);
4223 }
4224
4225 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
4226 {
4227         struct hci_event_hdr *hdr = (void *) skb->data;
4228         __u8 event = hdr->evt;
4229
4230         hci_dev_lock(hdev);
4231
4232         /* Received events are (currently) only needed when a request is
4233          * ongoing so avoid unnecessary memory allocation.
4234          */
4235         if (hdev->req_status == HCI_REQ_PEND) {
4236                 kfree_skb(hdev->recv_evt);
4237                 hdev->recv_evt = skb_clone(skb, GFP_KERNEL);
4238         }
4239
4240         hci_dev_unlock(hdev);
4241
4242         skb_pull(skb, HCI_EVENT_HDR_SIZE);
4243
4244         if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->req.event == event) {
4245                 struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data;
4246                 u16 opcode = __le16_to_cpu(cmd_hdr->opcode);
4247
4248                 hci_req_cmd_complete(hdev, opcode, 0);
4249         }
4250
4251         switch (event) {
4252         case HCI_EV_INQUIRY_COMPLETE:
4253                 hci_inquiry_complete_evt(hdev, skb);
4254                 break;
4255
4256         case HCI_EV_INQUIRY_RESULT:
4257                 hci_inquiry_result_evt(hdev, skb);
4258                 break;
4259
4260         case HCI_EV_CONN_COMPLETE:
4261                 hci_conn_complete_evt(hdev, skb);
4262                 break;
4263
4264         case HCI_EV_CONN_REQUEST:
4265                 hci_conn_request_evt(hdev, skb);
4266                 break;
4267
4268         case HCI_EV_DISCONN_COMPLETE:
4269                 hci_disconn_complete_evt(hdev, skb);
4270                 break;
4271
4272         case HCI_EV_AUTH_COMPLETE:
4273                 hci_auth_complete_evt(hdev, skb);
4274                 break;
4275
4276         case HCI_EV_REMOTE_NAME:
4277                 hci_remote_name_evt(hdev, skb);
4278                 break;
4279
4280         case HCI_EV_ENCRYPT_CHANGE:
4281                 hci_encrypt_change_evt(hdev, skb);
4282                 break;
4283
4284         case HCI_EV_CHANGE_LINK_KEY_COMPLETE:
4285                 hci_change_link_key_complete_evt(hdev, skb);
4286                 break;
4287
4288         case HCI_EV_REMOTE_FEATURES:
4289                 hci_remote_features_evt(hdev, skb);
4290                 break;
4291
4292         case HCI_EV_CMD_COMPLETE:
4293                 hci_cmd_complete_evt(hdev, skb);
4294                 break;
4295
4296         case HCI_EV_CMD_STATUS:
4297                 hci_cmd_status_evt(hdev, skb);
4298                 break;
4299
4300         case HCI_EV_ROLE_CHANGE:
4301                 hci_role_change_evt(hdev, skb);
4302                 break;
4303
4304         case HCI_EV_NUM_COMP_PKTS:
4305                 hci_num_comp_pkts_evt(hdev, skb);
4306                 break;
4307
4308         case HCI_EV_MODE_CHANGE:
4309                 hci_mode_change_evt(hdev, skb);
4310                 break;
4311
4312         case HCI_EV_PIN_CODE_REQ:
4313                 hci_pin_code_request_evt(hdev, skb);
4314                 break;
4315
4316         case HCI_EV_LINK_KEY_REQ:
4317                 hci_link_key_request_evt(hdev, skb);
4318                 break;
4319
4320         case HCI_EV_LINK_KEY_NOTIFY:
4321                 hci_link_key_notify_evt(hdev, skb);
4322                 break;
4323
4324         case HCI_EV_CLOCK_OFFSET:
4325                 hci_clock_offset_evt(hdev, skb);
4326                 break;
4327
4328         case HCI_EV_PKT_TYPE_CHANGE:
4329                 hci_pkt_type_change_evt(hdev, skb);
4330                 break;
4331
4332         case HCI_EV_PSCAN_REP_MODE:
4333                 hci_pscan_rep_mode_evt(hdev, skb);
4334                 break;
4335
4336         case HCI_EV_INQUIRY_RESULT_WITH_RSSI:
4337                 hci_inquiry_result_with_rssi_evt(hdev, skb);
4338                 break;
4339
4340         case HCI_EV_REMOTE_EXT_FEATURES:
4341                 hci_remote_ext_features_evt(hdev, skb);
4342                 break;
4343
4344         case HCI_EV_SYNC_CONN_COMPLETE:
4345                 hci_sync_conn_complete_evt(hdev, skb);
4346                 break;
4347
4348         case HCI_EV_EXTENDED_INQUIRY_RESULT:
4349                 hci_extended_inquiry_result_evt(hdev, skb);
4350                 break;
4351
4352         case HCI_EV_KEY_REFRESH_COMPLETE:
4353                 hci_key_refresh_complete_evt(hdev, skb);
4354                 break;
4355
4356         case HCI_EV_IO_CAPA_REQUEST:
4357                 hci_io_capa_request_evt(hdev, skb);
4358                 break;
4359
4360         case HCI_EV_IO_CAPA_REPLY:
4361                 hci_io_capa_reply_evt(hdev, skb);
4362                 break;
4363
4364         case HCI_EV_USER_CONFIRM_REQUEST:
4365                 hci_user_confirm_request_evt(hdev, skb);
4366                 break;
4367
4368         case HCI_EV_USER_PASSKEY_REQUEST:
4369                 hci_user_passkey_request_evt(hdev, skb);
4370                 break;
4371
4372         case HCI_EV_USER_PASSKEY_NOTIFY:
4373                 hci_user_passkey_notify_evt(hdev, skb);
4374                 break;
4375
4376         case HCI_EV_KEYPRESS_NOTIFY:
4377                 hci_keypress_notify_evt(hdev, skb);
4378                 break;
4379
4380         case HCI_EV_SIMPLE_PAIR_COMPLETE:
4381                 hci_simple_pair_complete_evt(hdev, skb);
4382                 break;
4383
4384         case HCI_EV_REMOTE_HOST_FEATURES:
4385                 hci_remote_host_features_evt(hdev, skb);
4386                 break;
4387
4388         case HCI_EV_LE_META:
4389                 hci_le_meta_evt(hdev, skb);
4390                 break;
4391
4392         case HCI_EV_CHANNEL_SELECTED:
4393                 hci_chan_selected_evt(hdev, skb);
4394                 break;
4395
4396         case HCI_EV_REMOTE_OOB_DATA_REQUEST:
4397                 hci_remote_oob_data_request_evt(hdev, skb);
4398                 break;
4399
4400         case HCI_EV_PHY_LINK_COMPLETE:
4401                 hci_phy_link_complete_evt(hdev, skb);
4402                 break;
4403
4404         case HCI_EV_LOGICAL_LINK_COMPLETE:
4405                 hci_loglink_complete_evt(hdev, skb);
4406                 break;
4407
4408         case HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE:
4409                 hci_disconn_loglink_complete_evt(hdev, skb);
4410                 break;
4411
4412         case HCI_EV_DISCONN_PHY_LINK_COMPLETE:
4413                 hci_disconn_phylink_complete_evt(hdev, skb);
4414                 break;
4415
4416         case HCI_EV_NUM_COMP_BLOCKS:
4417                 hci_num_comp_blocks_evt(hdev, skb);
4418                 break;
4419
4420         default:
4421                 BT_DBG("%s event 0x%2.2x", hdev->name, event);
4422                 break;
4423         }
4424
4425         kfree_skb(skb);
4426         hdev->stat.evt_rx++;
4427 }
Linux kernel for KaRo TX COM modules