git.samba.org / sfrench / cifs-2.6.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Merge branches 'acpi-processor', 'acpi-hotplug' and 'acpi-battery'
[sfrench/cifs-2.6.git] / net / bluetooth / hci_event.c
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
4
5    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License version 2 as
9    published by the Free Software Foundation;
10
11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19
20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22    SOFTWARE IS DISCLAIMED.
23 */
24
25 /* Bluetooth HCI event handling. */
26
27 #include <asm/unaligned.h>
28
29 #include <net/bluetooth/bluetooth.h>
30 #include <net/bluetooth/hci_core.h>
31 #include <net/bluetooth/mgmt.h>
32
33 #include "a2mp.h"
34 #include "amp.h"
35 #include "smp.h"
36
37 /* Handle HCI Event packets */
38
39 static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb)
40 {
41         __u8 status = *((__u8 *) skb->data);
42
43         BT_DBG("%s status 0x%2.2x", hdev->name, status);
44
45         if (status)
46                 return;
47
48         clear_bit(HCI_INQUIRY, &hdev->flags);
49         smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
50         wake_up_bit(&hdev->flags, HCI_INQUIRY);
51
52         hci_dev_lock(hdev);
53         hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
54         hci_dev_unlock(hdev);
55
56         hci_conn_check_pending(hdev);
57 }
58
59 static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
60 {
61         __u8 status = *((__u8 *) skb->data);
62
63         BT_DBG("%s status 0x%2.2x", hdev->name, status);
64
65         if (status)
66                 return;
67
68         set_bit(HCI_PERIODIC_INQ, &hdev->dev_flags);
69 }
70
71 static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
72 {
73         __u8 status = *((__u8 *) skb->data);
74
75         BT_DBG("%s status 0x%2.2x", hdev->name, status);
76
77         if (status)
78                 return;
79
80         clear_bit(HCI_PERIODIC_INQ, &hdev->dev_flags);
81
82         hci_conn_check_pending(hdev);
83 }
84
85 static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev,
86                                           struct sk_buff *skb)
87 {
88         BT_DBG("%s", hdev->name);
89 }
90
91 static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb)
92 {
93         struct hci_rp_role_discovery *rp = (void *) skb->data;
94         struct hci_conn *conn;
95
96         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
97
98         if (rp->status)
99                 return;
100
101         hci_dev_lock(hdev);
102
103         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
104         if (conn)
105                 conn->role = rp->role;
106
107         hci_dev_unlock(hdev);
108 }
109
110 static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
111 {
112         struct hci_rp_read_link_policy *rp = (void *) skb->data;
113         struct hci_conn *conn;
114
115         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
116
117         if (rp->status)
118                 return;
119
120         hci_dev_lock(hdev);
121
122         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
123         if (conn)
124                 conn->link_policy = __le16_to_cpu(rp->policy);
125
126         hci_dev_unlock(hdev);
127 }
128
129 static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
130 {
131         struct hci_rp_write_link_policy *rp = (void *) skb->data;
132         struct hci_conn *conn;
133         void *sent;
134
135         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
136
137         if (rp->status)
138                 return;
139
140         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
141         if (!sent)
142                 return;
143
144         hci_dev_lock(hdev);
145
146         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
147         if (conn)
148                 conn->link_policy = get_unaligned_le16(sent + 2);
149
150         hci_dev_unlock(hdev);
151 }
152
153 static void hci_cc_read_def_link_policy(struct hci_dev *hdev,
154                                         struct sk_buff *skb)
155 {
156         struct hci_rp_read_def_link_policy *rp = (void *) skb->data;
157
158         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
159
160         if (rp->status)
161                 return;
162
163         hdev->link_policy = __le16_to_cpu(rp->policy);
164 }
165
166 static void hci_cc_write_def_link_policy(struct hci_dev *hdev,
167                                          struct sk_buff *skb)
168 {
169         __u8 status = *((__u8 *) skb->data);
170         void *sent;
171
172         BT_DBG("%s status 0x%2.2x", hdev->name, status);
173
174         if (status)
175                 return;
176
177         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
178         if (!sent)
179                 return;
180
181         hdev->link_policy = get_unaligned_le16(sent);
182 }
183
184 static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb)
185 {
186         __u8 status = *((__u8 *) skb->data);
187
188         BT_DBG("%s status 0x%2.2x", hdev->name, status);
189
190         clear_bit(HCI_RESET, &hdev->flags);
191
192         /* Reset all non-persistent flags */
193         hdev->dev_flags &= ~HCI_PERSISTENT_MASK;
194
195         hdev->discovery.state = DISCOVERY_STOPPED;
196         hdev->inq_tx_power = HCI_TX_POWER_INVALID;
197         hdev->adv_tx_power = HCI_TX_POWER_INVALID;
198
199         memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
200         hdev->adv_data_len = 0;
201
202         memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
203         hdev->scan_rsp_data_len = 0;
204
205         hdev->le_scan_type = LE_SCAN_PASSIVE;
206
207         hdev->ssp_debug_mode = 0;
208 }
209
210 static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb)
211 {
212         __u8 status = *((__u8 *) skb->data);
213         void *sent;
214
215         BT_DBG("%s status 0x%2.2x", hdev->name, status);
216
217         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
218         if (!sent)
219                 return;
220
221         hci_dev_lock(hdev);
222
223         if (test_bit(HCI_MGMT, &hdev->dev_flags))
224                 mgmt_set_local_name_complete(hdev, sent, status);
225         else if (!status)
226                 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
227
228         hci_dev_unlock(hdev);
229 }
230
231 static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)
232 {
233         struct hci_rp_read_local_name *rp = (void *) skb->data;
234
235         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
236
237         if (rp->status)
238                 return;
239
240         if (test_bit(HCI_SETUP, &hdev->dev_flags))
241                 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
242 }
243
244 static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb)
245 {
246         __u8 status = *((__u8 *) skb->data);
247         void *sent;
248
249         BT_DBG("%s status 0x%2.2x", hdev->name, status);
250
251         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
252         if (!sent)
253                 return;
254
255         if (!status) {
256                 __u8 param = *((__u8 *) sent);
257
258                 if (param == AUTH_ENABLED)
259                         set_bit(HCI_AUTH, &hdev->flags);
260                 else
261                         clear_bit(HCI_AUTH, &hdev->flags);
262         }
263
264         if (test_bit(HCI_MGMT, &hdev->dev_flags))
265                 mgmt_auth_enable_complete(hdev, status);
266 }
267
268 static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb)
269 {
270         __u8 status = *((__u8 *) skb->data);
271         __u8 param;
272         void *sent;
273
274         BT_DBG("%s status 0x%2.2x", hdev->name, status);
275
276         if (status)
277                 return;
278
279         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
280         if (!sent)
281                 return;
282
283         param = *((__u8 *) sent);
284
285         if (param)
286                 set_bit(HCI_ENCRYPT, &hdev->flags);
287         else
288                 clear_bit(HCI_ENCRYPT, &hdev->flags);
289 }
290
291 static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb)
292 {
293         __u8 status = *((__u8 *) skb->data);
294         __u8 param;
295         void *sent;
296
297         BT_DBG("%s status 0x%2.2x", hdev->name, status);
298
299         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
300         if (!sent)
301                 return;
302
303         param = *((__u8 *) sent);
304
305         hci_dev_lock(hdev);
306
307         if (status) {
308                 hdev->discov_timeout = 0;
309                 goto done;
310         }
311
312         if (param & SCAN_INQUIRY)
313                 set_bit(HCI_ISCAN, &hdev->flags);
314         else
315                 clear_bit(HCI_ISCAN, &hdev->flags);
316
317         if (param & SCAN_PAGE)
318                 set_bit(HCI_PSCAN, &hdev->flags);
319         else
320                 clear_bit(HCI_PSCAN, &hdev->flags);
321
322 done:
323         hci_dev_unlock(hdev);
324 }
325
326 static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
327 {
328         struct hci_rp_read_class_of_dev *rp = (void *) skb->data;
329
330         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
331
332         if (rp->status)
333                 return;
334
335         memcpy(hdev->dev_class, rp->dev_class, 3);
336
337         BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name,
338                hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]);
339 }
340
341 static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
342 {
343         __u8 status = *((__u8 *) skb->data);
344         void *sent;
345
346         BT_DBG("%s status 0x%2.2x", hdev->name, status);
347
348         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
349         if (!sent)
350                 return;
351
352         hci_dev_lock(hdev);
353
354         if (status == 0)
355                 memcpy(hdev->dev_class, sent, 3);
356
357         if (test_bit(HCI_MGMT, &hdev->dev_flags))
358                 mgmt_set_class_of_dev_complete(hdev, sent, status);
359
360         hci_dev_unlock(hdev);
361 }
362
363 static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb)
364 {
365         struct hci_rp_read_voice_setting *rp = (void *) skb->data;
366         __u16 setting;
367
368         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
369
370         if (rp->status)
371                 return;
372
373         setting = __le16_to_cpu(rp->voice_setting);
374
375         if (hdev->voice_setting == setting)
376                 return;
377
378         hdev->voice_setting = setting;
379
380         BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
381
382         if (hdev->notify)
383                 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
384 }
385
386 static void hci_cc_write_voice_setting(struct hci_dev *hdev,
387                                        struct sk_buff *skb)
388 {
389         __u8 status = *((__u8 *) skb->data);
390         __u16 setting;
391         void *sent;
392
393         BT_DBG("%s status 0x%2.2x", hdev->name, status);
394
395         if (status)
396                 return;
397
398         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
399         if (!sent)
400                 return;
401
402         setting = get_unaligned_le16(sent);
403
404         if (hdev->voice_setting == setting)
405                 return;
406
407         hdev->voice_setting = setting;
408
409         BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
410
411         if (hdev->notify)
412                 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
413 }
414
415 static void hci_cc_read_num_supported_iac(struct hci_dev *hdev,
416                                           struct sk_buff *skb)
417 {
418         struct hci_rp_read_num_supported_iac *rp = (void *) skb->data;
419
420         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
421
422         if (rp->status)
423                 return;
424
425         hdev->num_iac = rp->num_iac;
426
427         BT_DBG("%s num iac %d", hdev->name, hdev->num_iac);
428 }
429
430 static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
431 {
432         __u8 status = *((__u8 *) skb->data);
433         struct hci_cp_write_ssp_mode *sent;
434
435         BT_DBG("%s status 0x%2.2x", hdev->name, status);
436
437         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
438         if (!sent)
439                 return;
440
441         if (!status) {
442                 if (sent->mode)
443                         hdev->features[1][0] |= LMP_HOST_SSP;
444                 else
445                         hdev->features[1][0] &= ~LMP_HOST_SSP;
446         }
447
448         if (test_bit(HCI_MGMT, &hdev->dev_flags))
449                 mgmt_ssp_enable_complete(hdev, sent->mode, status);
450         else if (!status) {
451                 if (sent->mode)
452                         set_bit(HCI_SSP_ENABLED, &hdev->dev_flags);
453                 else
454                         clear_bit(HCI_SSP_ENABLED, &hdev->dev_flags);
455         }
456 }
457
458 static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb)
459 {
460         u8 status = *((u8 *) skb->data);
461         struct hci_cp_write_sc_support *sent;
462
463         BT_DBG("%s status 0x%2.2x", hdev->name, status);
464
465         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
466         if (!sent)
467                 return;
468
469         if (!status) {
470                 if (sent->support)
471                         hdev->features[1][0] |= LMP_HOST_SC;
472                 else
473                         hdev->features[1][0] &= ~LMP_HOST_SC;
474         }
475
476         if (test_bit(HCI_MGMT, &hdev->dev_flags))
477                 mgmt_sc_enable_complete(hdev, sent->support, status);
478         else if (!status) {
479                 if (sent->support)
480                         set_bit(HCI_SC_ENABLED, &hdev->dev_flags);
481                 else
482                         clear_bit(HCI_SC_ENABLED, &hdev->dev_flags);
483         }
484 }
485
486 static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb)
487 {
488         struct hci_rp_read_local_version *rp = (void *) skb->data;
489
490         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
491
492         if (rp->status)
493                 return;
494
495         if (test_bit(HCI_SETUP, &hdev->dev_flags)) {
496                 hdev->hci_ver = rp->hci_ver;
497                 hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
498                 hdev->lmp_ver = rp->lmp_ver;
499                 hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
500                 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
501         }
502 }
503
504 static void hci_cc_read_local_commands(struct hci_dev *hdev,
505                                        struct sk_buff *skb)
506 {
507         struct hci_rp_read_local_commands *rp = (void *) skb->data;
508
509         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
510
511         if (rp->status)
512                 return;
513
514         if (test_bit(HCI_SETUP, &hdev->dev_flags))
515                 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
516 }
517
518 static void hci_cc_read_local_features(struct hci_dev *hdev,
519                                        struct sk_buff *skb)
520 {
521         struct hci_rp_read_local_features *rp = (void *) skb->data;
522
523         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
524
525         if (rp->status)
526                 return;
527
528         memcpy(hdev->features, rp->features, 8);
529
530         /* Adjust default settings according to features
531          * supported by device. */
532
533         if (hdev->features[0][0] & LMP_3SLOT)
534                 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
535
536         if (hdev->features[0][0] & LMP_5SLOT)
537                 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
538
539         if (hdev->features[0][1] & LMP_HV2) {
540                 hdev->pkt_type  |= (HCI_HV2);
541                 hdev->esco_type |= (ESCO_HV2);
542         }
543
544         if (hdev->features[0][1] & LMP_HV3) {
545                 hdev->pkt_type  |= (HCI_HV3);
546                 hdev->esco_type |= (ESCO_HV3);
547         }
548
549         if (lmp_esco_capable(hdev))
550                 hdev->esco_type |= (ESCO_EV3);
551
552         if (hdev->features[0][4] & LMP_EV4)
553                 hdev->esco_type |= (ESCO_EV4);
554
555         if (hdev->features[0][4] & LMP_EV5)
556                 hdev->esco_type |= (ESCO_EV5);
557
558         if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
559                 hdev->esco_type |= (ESCO_2EV3);
560
561         if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
562                 hdev->esco_type |= (ESCO_3EV3);
563
564         if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
565                 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
566 }
567
568 static void hci_cc_read_local_ext_features(struct hci_dev *hdev,
569                                            struct sk_buff *skb)
570 {
571         struct hci_rp_read_local_ext_features *rp = (void *) skb->data;
572
573         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
574
575         if (rp->status)
576                 return;
577
578         if (hdev->max_page < rp->max_page)
579                 hdev->max_page = rp->max_page;
580
581         if (rp->page < HCI_MAX_PAGES)
582                 memcpy(hdev->features[rp->page], rp->features, 8);
583 }
584
585 static void hci_cc_read_flow_control_mode(struct hci_dev *hdev,
586                                           struct sk_buff *skb)
587 {
588         struct hci_rp_read_flow_control_mode *rp = (void *) skb->data;
589
590         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
591
592         if (rp->status)
593                 return;
594
595         hdev->flow_ctl_mode = rp->mode;
596 }
597
598 static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)
599 {
600         struct hci_rp_read_buffer_size *rp = (void *) skb->data;
601
602         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
603
604         if (rp->status)
605                 return;
606
607         hdev->acl_mtu  = __le16_to_cpu(rp->acl_mtu);
608         hdev->sco_mtu  = rp->sco_mtu;
609         hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
610         hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
611
612         if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
613                 hdev->sco_mtu  = 64;
614                 hdev->sco_pkts = 8;
615         }
616
617         hdev->acl_cnt = hdev->acl_pkts;
618         hdev->sco_cnt = hdev->sco_pkts;
619
620         BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
621                hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
622 }
623
624 static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb)
625 {
626         struct hci_rp_read_bd_addr *rp = (void *) skb->data;
627
628         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
629
630         if (rp->status)
631                 return;
632
633         if (test_bit(HCI_INIT, &hdev->flags))
634                 bacpy(&hdev->bdaddr, &rp->bdaddr);
635
636         if (test_bit(HCI_SETUP, &hdev->dev_flags))
637                 bacpy(&hdev->setup_addr, &rp->bdaddr);
638 }
639
640 static void hci_cc_read_page_scan_activity(struct hci_dev *hdev,
641                                            struct sk_buff *skb)
642 {
643         struct hci_rp_read_page_scan_activity *rp = (void *) skb->data;
644
645         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
646
647         if (rp->status)
648                 return;
649
650         if (test_bit(HCI_INIT, &hdev->flags)) {
651                 hdev->page_scan_interval = __le16_to_cpu(rp->interval);
652                 hdev->page_scan_window = __le16_to_cpu(rp->window);
653         }
654 }
655
656 static void hci_cc_write_page_scan_activity(struct hci_dev *hdev,
657                                             struct sk_buff *skb)
658 {
659         u8 status = *((u8 *) skb->data);
660         struct hci_cp_write_page_scan_activity *sent;
661
662         BT_DBG("%s status 0x%2.2x", hdev->name, status);
663
664         if (status)
665                 return;
666
667         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
668         if (!sent)
669                 return;
670
671         hdev->page_scan_interval = __le16_to_cpu(sent->interval);
672         hdev->page_scan_window = __le16_to_cpu(sent->window);
673 }
674
675 static void hci_cc_read_page_scan_type(struct hci_dev *hdev,
676                                            struct sk_buff *skb)
677 {
678         struct hci_rp_read_page_scan_type *rp = (void *) skb->data;
679
680         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
681
682         if (rp->status)
683                 return;
684
685         if (test_bit(HCI_INIT, &hdev->flags))
686                 hdev->page_scan_type = rp->type;
687 }
688
689 static void hci_cc_write_page_scan_type(struct hci_dev *hdev,
690                                         struct sk_buff *skb)
691 {
692         u8 status = *((u8 *) skb->data);
693         u8 *type;
694
695         BT_DBG("%s status 0x%2.2x", hdev->name, status);
696
697         if (status)
698                 return;
699
700         type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
701         if (type)
702                 hdev->page_scan_type = *type;
703 }
704
705 static void hci_cc_read_data_block_size(struct hci_dev *hdev,
706                                         struct sk_buff *skb)
707 {
708         struct hci_rp_read_data_block_size *rp = (void *) skb->data;
709
710         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
711
712         if (rp->status)
713                 return;
714
715         hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
716         hdev->block_len = __le16_to_cpu(rp->block_len);
717         hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
718
719         hdev->block_cnt = hdev->num_blocks;
720
721         BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
722                hdev->block_cnt, hdev->block_len);
723 }
724
725 static void hci_cc_read_clock(struct hci_dev *hdev, struct sk_buff *skb)
726 {
727         struct hci_rp_read_clock *rp = (void *) skb->data;
728         struct hci_cp_read_clock *cp;
729         struct hci_conn *conn;
730
731         BT_DBG("%s", hdev->name);
732
733         if (skb->len < sizeof(*rp))
734                 return;
735
736         if (rp->status)
737                 return;
738
739         hci_dev_lock(hdev);
740
741         cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
742         if (!cp)
743                 goto unlock;
744
745         if (cp->which == 0x00) {
746                 hdev->clock = le32_to_cpu(rp->clock);
747                 goto unlock;
748         }
749
750         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
751         if (conn) {
752                 conn->clock = le32_to_cpu(rp->clock);
753                 conn->clock_accuracy = le16_to_cpu(rp->accuracy);
754         }
755
756 unlock:
757         hci_dev_unlock(hdev);
758 }
759
760 static void hci_cc_read_local_amp_info(struct hci_dev *hdev,
761                                        struct sk_buff *skb)
762 {
763         struct hci_rp_read_local_amp_info *rp = (void *) skb->data;
764
765         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
766
767         if (rp->status)
768                 goto a2mp_rsp;
769
770         hdev->amp_status = rp->amp_status;
771         hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
772         hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
773         hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
774         hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
775         hdev->amp_type = rp->amp_type;
776         hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
777         hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
778         hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
779         hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
780
781 a2mp_rsp:
782         a2mp_send_getinfo_rsp(hdev);
783 }
784
785 static void hci_cc_read_local_amp_assoc(struct hci_dev *hdev,
786                                         struct sk_buff *skb)
787 {
788         struct hci_rp_read_local_amp_assoc *rp = (void *) skb->data;
789         struct amp_assoc *assoc = &hdev->loc_assoc;
790         size_t rem_len, frag_len;
791
792         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
793
794         if (rp->status)
795                 goto a2mp_rsp;
796
797         frag_len = skb->len - sizeof(*rp);
798         rem_len = __le16_to_cpu(rp->rem_len);
799
800         if (rem_len > frag_len) {
801                 BT_DBG("frag_len %zu rem_len %zu", frag_len, rem_len);
802
803                 memcpy(assoc->data + assoc->offset, rp->frag, frag_len);
804                 assoc->offset += frag_len;
805
806                 /* Read other fragments */
807                 amp_read_loc_assoc_frag(hdev, rp->phy_handle);
808
809                 return;
810         }
811
812         memcpy(assoc->data + assoc->offset, rp->frag, rem_len);
813         assoc->len = assoc->offset + rem_len;
814         assoc->offset = 0;
815
816 a2mp_rsp:
817         /* Send A2MP Rsp when all fragments are received */
818         a2mp_send_getampassoc_rsp(hdev, rp->status);
819         a2mp_send_create_phy_link_req(hdev, rp->status);
820 }
821
822 static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev,
823                                          struct sk_buff *skb)
824 {
825         struct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data;
826
827         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
828
829         if (rp->status)
830                 return;
831
832         hdev->inq_tx_power = rp->tx_power;
833 }
834
835 static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb)
836 {
837         struct hci_rp_pin_code_reply *rp = (void *) skb->data;
838         struct hci_cp_pin_code_reply *cp;
839         struct hci_conn *conn;
840
841         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
842
843         hci_dev_lock(hdev);
844
845         if (test_bit(HCI_MGMT, &hdev->dev_flags))
846                 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
847
848         if (rp->status)
849                 goto unlock;
850
851         cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
852         if (!cp)
853                 goto unlock;
854
855         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
856         if (conn)
857                 conn->pin_length = cp->pin_len;
858
859 unlock:
860         hci_dev_unlock(hdev);
861 }
862
863 static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)
864 {
865         struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data;
866
867         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
868
869         hci_dev_lock(hdev);
870
871         if (test_bit(HCI_MGMT, &hdev->dev_flags))
872                 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
873                                                  rp->status);
874
875         hci_dev_unlock(hdev);
876 }
877
878 static void hci_cc_le_read_buffer_size(struct hci_dev *hdev,
879                                        struct sk_buff *skb)
880 {
881         struct hci_rp_le_read_buffer_size *rp = (void *) skb->data;
882
883         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
884
885         if (rp->status)
886                 return;
887
888         hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
889         hdev->le_pkts = rp->le_max_pkt;
890
891         hdev->le_cnt = hdev->le_pkts;
892
893         BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
894 }
895
896 static void hci_cc_le_read_local_features(struct hci_dev *hdev,
897                                           struct sk_buff *skb)
898 {
899         struct hci_rp_le_read_local_features *rp = (void *) skb->data;
900
901         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
902
903         if (rp->status)
904                 return;
905
906         memcpy(hdev->le_features, rp->features, 8);
907 }
908
909 static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev,
910                                         struct sk_buff *skb)
911 {
912         struct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data;
913
914         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
915
916         if (rp->status)
917                 return;
918
919         hdev->adv_tx_power = rp->tx_power;
920 }
921
922 static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb)
923 {
924         struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
925
926         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
927
928         hci_dev_lock(hdev);
929
930         if (test_bit(HCI_MGMT, &hdev->dev_flags))
931                 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
932                                                  rp->status);
933
934         hci_dev_unlock(hdev);
935 }
936
937 static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev,
938                                           struct sk_buff *skb)
939 {
940         struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
941
942         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
943
944         hci_dev_lock(hdev);
945
946         if (test_bit(HCI_MGMT, &hdev->dev_flags))
947                 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
948                                                      ACL_LINK, 0, rp->status);
949
950         hci_dev_unlock(hdev);
951 }
952
953 static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb)
954 {
955         struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
956
957         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
958
959         hci_dev_lock(hdev);
960
961         if (test_bit(HCI_MGMT, &hdev->dev_flags))
962                 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
963                                                  0, rp->status);
964
965         hci_dev_unlock(hdev);
966 }
967
968 static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev,
969                                           struct sk_buff *skb)
970 {
971         struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
972
973         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
974
975         hci_dev_lock(hdev);
976
977         if (test_bit(HCI_MGMT, &hdev->dev_flags))
978                 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
979                                                      ACL_LINK, 0, rp->status);
980
981         hci_dev_unlock(hdev);
982 }
983
984 static void hci_cc_read_local_oob_data(struct hci_dev *hdev,
985                                        struct sk_buff *skb)
986 {
987         struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
988
989         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
990
991         hci_dev_lock(hdev);
992         mgmt_read_local_oob_data_complete(hdev, rp->hash, rp->randomizer,
993                                           NULL, NULL, rp->status);
994         hci_dev_unlock(hdev);
995 }
996
997 static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev,
998                                            struct sk_buff *skb)
999 {
1000         struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
1001
1002         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1003
1004         hci_dev_lock(hdev);
1005         mgmt_read_local_oob_data_complete(hdev, rp->hash192, rp->randomizer192,
1006                                           rp->hash256, rp->randomizer256,
1007                                           rp->status);
1008         hci_dev_unlock(hdev);
1009 }
1010
1011
1012 static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb)
1013 {
1014         __u8 status = *((__u8 *) skb->data);
1015         bdaddr_t *sent;
1016
1017         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1018
1019         if (status)
1020                 return;
1021
1022         sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1023         if (!sent)
1024                 return;
1025
1026         hci_dev_lock(hdev);
1027
1028         bacpy(&hdev->random_addr, sent);
1029
1030         hci_dev_unlock(hdev);
1031 }
1032
1033 static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb)
1034 {
1035         __u8 *sent, status = *((__u8 *) skb->data);
1036
1037         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1038
1039         if (status)
1040                 return;
1041
1042         sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1043         if (!sent)
1044                 return;
1045
1046         hci_dev_lock(hdev);
1047
1048         /* If we're doing connection initation as peripheral. Set a
1049          * timeout in case something goes wrong.
1050          */
1051         if (*sent) {
1052                 struct hci_conn *conn;
1053
1054                 set_bit(HCI_LE_ADV, &hdev->dev_flags);
1055
1056                 conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT);
1057                 if (conn)
1058                         queue_delayed_work(hdev->workqueue,
1059                                            &conn->le_conn_timeout,
1060                                            conn->conn_timeout);
1061         } else {
1062                 clear_bit(HCI_LE_ADV, &hdev->dev_flags);
1063         }
1064
1065         hci_dev_unlock(hdev);
1066 }
1067
1068 static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb)
1069 {
1070         struct hci_cp_le_set_scan_param *cp;
1071         __u8 status = *((__u8 *) skb->data);
1072
1073         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1074
1075         if (status)
1076                 return;
1077
1078         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1079         if (!cp)
1080                 return;
1081
1082         hci_dev_lock(hdev);
1083
1084         hdev->le_scan_type = cp->type;
1085
1086         hci_dev_unlock(hdev);
1087 }
1088
1089 static bool has_pending_adv_report(struct hci_dev *hdev)
1090 {
1091         struct discovery_state *d = &hdev->discovery;
1092
1093         return bacmp(&d->last_adv_addr, BDADDR_ANY);
1094 }
1095
1096 static void clear_pending_adv_report(struct hci_dev *hdev)
1097 {
1098         struct discovery_state *d = &hdev->discovery;
1099
1100         bacpy(&d->last_adv_addr, BDADDR_ANY);
1101         d->last_adv_data_len = 0;
1102 }
1103
1104 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1105                                      u8 bdaddr_type, s8 rssi, u32 flags,
1106                                      u8 *data, u8 len)
1107 {
1108         struct discovery_state *d = &hdev->discovery;
1109
1110         bacpy(&d->last_adv_addr, bdaddr);
1111         d->last_adv_addr_type = bdaddr_type;
1112         d->last_adv_rssi = rssi;
1113         d->last_adv_flags = flags;
1114         memcpy(d->last_adv_data, data, len);
1115         d->last_adv_data_len = len;
1116 }
1117
1118 static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
1119                                       struct sk_buff *skb)
1120 {
1121         struct hci_cp_le_set_scan_enable *cp;
1122         __u8 status = *((__u8 *) skb->data);
1123
1124         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1125
1126         if (status)
1127                 return;
1128
1129         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1130         if (!cp)
1131                 return;
1132
1133         switch (cp->enable) {
1134         case LE_SCAN_ENABLE:
1135                 set_bit(HCI_LE_SCAN, &hdev->dev_flags);
1136                 if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1137                         clear_pending_adv_report(hdev);
1138                 break;
1139
1140         case LE_SCAN_DISABLE:
1141                 /* We do this here instead of when setting DISCOVERY_STOPPED
1142                  * since the latter would potentially require waiting for
1143                  * inquiry to stop too.
1144                  */
1145                 if (has_pending_adv_report(hdev)) {
1146                         struct discovery_state *d = &hdev->discovery;
1147
1148                         mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1149                                           d->last_adv_addr_type, NULL,
1150                                           d->last_adv_rssi, d->last_adv_flags,
1151                                           d->last_adv_data,
1152                                           d->last_adv_data_len, NULL, 0);
1153                 }
1154
1155                 /* Cancel this timer so that we don't try to disable scanning
1156                  * when it's already disabled.
1157                  */
1158                 cancel_delayed_work(&hdev->le_scan_disable);
1159
1160                 clear_bit(HCI_LE_SCAN, &hdev->dev_flags);
1161
1162                 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1163                  * interrupted scanning due to a connect request. Mark
1164                  * therefore discovery as stopped. If this was not
1165                  * because of a connect request advertising might have
1166                  * been disabled because of active scanning, so
1167                  * re-enable it again if necessary.
1168                  */
1169                 if (test_and_clear_bit(HCI_LE_SCAN_INTERRUPTED,
1170                                        &hdev->dev_flags))
1171                         hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1172                 else if (!test_bit(HCI_LE_ADV, &hdev->dev_flags) &&
1173                          hdev->discovery.state == DISCOVERY_FINDING)
1174                         mgmt_reenable_advertising(hdev);
1175
1176                 break;
1177
1178         default:
1179                 BT_ERR("Used reserved LE_Scan_Enable param %d", cp->enable);
1180                 break;
1181         }
1182 }
1183
1184 static void hci_cc_le_read_white_list_size(struct hci_dev *hdev,
1185                                            struct sk_buff *skb)
1186 {
1187         struct hci_rp_le_read_white_list_size *rp = (void *) skb->data;
1188
1189         BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1190
1191         if (rp->status)
1192                 return;
1193
1194         hdev->le_white_list_size = rp->size;
1195 }
1196
1197 static void hci_cc_le_clear_white_list(struct hci_dev *hdev,
1198                                        struct sk_buff *skb)
1199 {
1200         __u8 status = *((__u8 *) skb->data);
1201
1202         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1203
1204         if (status)
1205                 return;
1206
1207         hci_bdaddr_list_clear(&hdev->le_white_list);
1208 }
1209
1210 static void hci_cc_le_add_to_white_list(struct hci_dev *hdev,
1211                                         struct sk_buff *skb)
1212 {
1213         struct hci_cp_le_add_to_white_list *sent;
1214         __u8 status = *((__u8 *) skb->data);
1215
1216         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1217
1218         if (status)
1219                 return;
1220
1221         sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_WHITE_LIST);
1222         if (!sent)
1223                 return;
1224
1225         hci_bdaddr_list_add(&hdev->le_white_list, &sent->bdaddr,
1226                            sent->bdaddr_type);
1227 }
1228
1229 static void hci_cc_le_del_from_white_list(struct hci_dev *hdev,
1230                                           struct sk_buff *skb)
1231 {
1232         struct hci_cp_le_del_from_white_list *sent;
1233         __u8 status = *((__u8 *) skb->data);
1234
1235         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1236
1237         if (status)
1238                 return;
1239
1240         sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_WHITE_LIST);
1241         if (!sent)
1242                 return;
1243
1244         hci_bdaddr_list_del(&hdev->le_white_list, &sent->bdaddr,
1245                             sent->bdaddr_type);
1246 }
1247
1248 static void hci_cc_le_read_supported_states(struct hci_dev *hdev,
1249                                             struct sk_buff *skb)
1250 {
1251         struct hci_rp_le_read_supported_states *rp = (void *) skb->data;
1252
1253         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1254
1255         if (rp->status)
1256                 return;
1257
1258         memcpy(hdev->le_states, rp->le_states, 8);
1259 }
1260
1261 static void hci_cc_write_le_host_supported(struct hci_dev *hdev,
1262                                            struct sk_buff *skb)
1263 {
1264         struct hci_cp_write_le_host_supported *sent;
1265         __u8 status = *((__u8 *) skb->data);
1266
1267         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1268
1269         if (status)
1270                 return;
1271
1272         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
1273         if (!sent)
1274                 return;
1275
1276         if (sent->le) {
1277                 hdev->features[1][0] |= LMP_HOST_LE;
1278                 set_bit(HCI_LE_ENABLED, &hdev->dev_flags);
1279         } else {
1280                 hdev->features[1][0] &= ~LMP_HOST_LE;
1281                 clear_bit(HCI_LE_ENABLED, &hdev->dev_flags);
1282                 clear_bit(HCI_ADVERTISING, &hdev->dev_flags);
1283         }
1284
1285         if (sent->simul)
1286                 hdev->features[1][0] |= LMP_HOST_LE_BREDR;
1287         else
1288                 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
1289 }
1290
1291 static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1292 {
1293         struct hci_cp_le_set_adv_param *cp;
1294         u8 status = *((u8 *) skb->data);
1295
1296         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1297
1298         if (status)
1299                 return;
1300
1301         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
1302         if (!cp)
1303                 return;
1304
1305         hci_dev_lock(hdev);
1306         hdev->adv_addr_type = cp->own_address_type;
1307         hci_dev_unlock(hdev);
1308 }
1309
1310 static void hci_cc_write_remote_amp_assoc(struct hci_dev *hdev,
1311                                           struct sk_buff *skb)
1312 {
1313         struct hci_rp_write_remote_amp_assoc *rp = (void *) skb->data;
1314
1315         BT_DBG("%s status 0x%2.2x phy_handle 0x%2.2x",
1316                hdev->name, rp->status, rp->phy_handle);
1317
1318         if (rp->status)
1319                 return;
1320
1321         amp_write_rem_assoc_continue(hdev, rp->phy_handle);
1322 }
1323
1324 static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb)
1325 {
1326         struct hci_rp_read_rssi *rp = (void *) skb->data;
1327         struct hci_conn *conn;
1328
1329         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1330
1331         if (rp->status)
1332                 return;
1333
1334         hci_dev_lock(hdev);
1335
1336         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1337         if (conn)
1338                 conn->rssi = rp->rssi;
1339
1340         hci_dev_unlock(hdev);
1341 }
1342
1343 static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb)
1344 {
1345         struct hci_cp_read_tx_power *sent;
1346         struct hci_rp_read_tx_power *rp = (void *) skb->data;
1347         struct hci_conn *conn;
1348
1349         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1350
1351         if (rp->status)
1352                 return;
1353
1354         sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
1355         if (!sent)
1356                 return;
1357
1358         hci_dev_lock(hdev);
1359
1360         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1361         if (!conn)
1362                 goto unlock;
1363
1364         switch (sent->type) {
1365         case 0x00:
1366                 conn->tx_power = rp->tx_power;
1367                 break;
1368         case 0x01:
1369                 conn->max_tx_power = rp->tx_power;
1370                 break;
1371         }
1372
1373 unlock:
1374         hci_dev_unlock(hdev);
1375 }
1376
1377 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
1378 {
1379         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1380
1381         if (status) {
1382                 hci_conn_check_pending(hdev);
1383                 return;
1384         }
1385
1386         set_bit(HCI_INQUIRY, &hdev->flags);
1387 }
1388
1389 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
1390 {
1391         struct hci_cp_create_conn *cp;
1392         struct hci_conn *conn;
1393
1394         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1395
1396         cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
1397         if (!cp)
1398                 return;
1399
1400         hci_dev_lock(hdev);
1401
1402         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1403
1404         BT_DBG("%s bdaddr %pMR hcon %p", hdev->name, &cp->bdaddr, conn);
1405
1406         if (status) {
1407                 if (conn && conn->state == BT_CONNECT) {
1408                         if (status != 0x0c || conn->attempt > 2) {
1409                                 conn->state = BT_CLOSED;
1410                                 hci_proto_connect_cfm(conn, status);
1411                                 hci_conn_del(conn);
1412                         } else
1413                                 conn->state = BT_CONNECT2;
1414                 }
1415         } else {
1416                 if (!conn) {
1417                         conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr,
1418                                             HCI_ROLE_MASTER);
1419                         if (!conn)
1420                                 BT_ERR("No memory for new connection");
1421                 }
1422         }
1423
1424         hci_dev_unlock(hdev);
1425 }
1426
1427 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
1428 {
1429         struct hci_cp_add_sco *cp;
1430         struct hci_conn *acl, *sco;
1431         __u16 handle;
1432
1433         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1434
1435         if (!status)
1436                 return;
1437
1438         cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
1439         if (!cp)
1440                 return;
1441
1442         handle = __le16_to_cpu(cp->handle);
1443
1444         BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1445
1446         hci_dev_lock(hdev);
1447
1448         acl = hci_conn_hash_lookup_handle(hdev, handle);
1449         if (acl) {
1450                 sco = acl->link;
1451                 if (sco) {
1452                         sco->state = BT_CLOSED;
1453
1454                         hci_proto_connect_cfm(sco, status);
1455                         hci_conn_del(sco);
1456                 }
1457         }
1458
1459         hci_dev_unlock(hdev);
1460 }
1461
1462 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
1463 {
1464         struct hci_cp_auth_requested *cp;
1465         struct hci_conn *conn;
1466
1467         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1468
1469         if (!status)
1470                 return;
1471
1472         cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
1473         if (!cp)
1474                 return;
1475
1476         hci_dev_lock(hdev);
1477
1478         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1479         if (conn) {
1480                 if (conn->state == BT_CONFIG) {
1481                         hci_proto_connect_cfm(conn, status);
1482                         hci_conn_drop(conn);
1483                 }
1484         }
1485
1486         hci_dev_unlock(hdev);
1487 }
1488
1489 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
1490 {
1491         struct hci_cp_set_conn_encrypt *cp;
1492         struct hci_conn *conn;
1493
1494         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1495
1496         if (!status)
1497                 return;
1498
1499         cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
1500         if (!cp)
1501                 return;
1502
1503         hci_dev_lock(hdev);
1504
1505         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1506         if (conn) {
1507                 if (conn->state == BT_CONFIG) {
1508                         hci_proto_connect_cfm(conn, status);
1509                         hci_conn_drop(conn);
1510                 }
1511         }
1512
1513         hci_dev_unlock(hdev);
1514 }
1515
1516 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
1517                                     struct hci_conn *conn)
1518 {
1519         if (conn->state != BT_CONFIG || !conn->out)
1520                 return 0;
1521
1522         if (conn->pending_sec_level == BT_SECURITY_SDP)
1523                 return 0;
1524
1525         /* Only request authentication for SSP connections or non-SSP
1526          * devices with sec_level MEDIUM or HIGH or if MITM protection
1527          * is requested.
1528          */
1529         if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
1530             conn->pending_sec_level != BT_SECURITY_FIPS &&
1531             conn->pending_sec_level != BT_SECURITY_HIGH &&
1532             conn->pending_sec_level != BT_SECURITY_MEDIUM)
1533                 return 0;
1534
1535         return 1;
1536 }
1537
1538 static int hci_resolve_name(struct hci_dev *hdev,
1539                                    struct inquiry_entry *e)
1540 {
1541         struct hci_cp_remote_name_req cp;
1542
1543         memset(&cp, 0, sizeof(cp));
1544
1545         bacpy(&cp.bdaddr, &e->data.bdaddr);
1546         cp.pscan_rep_mode = e->data.pscan_rep_mode;
1547         cp.pscan_mode = e->data.pscan_mode;
1548         cp.clock_offset = e->data.clock_offset;
1549
1550         return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
1551 }
1552
1553 static bool hci_resolve_next_name(struct hci_dev *hdev)
1554 {
1555         struct discovery_state *discov = &hdev->discovery;
1556         struct inquiry_entry *e;
1557
1558         if (list_empty(&discov->resolve))
1559                 return false;
1560
1561         e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
1562         if (!e)
1563                 return false;
1564
1565         if (hci_resolve_name(hdev, e) == 0) {
1566                 e->name_state = NAME_PENDING;
1567                 return true;
1568         }
1569
1570         return false;
1571 }
1572
1573 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
1574                                    bdaddr_t *bdaddr, u8 *name, u8 name_len)
1575 {
1576         struct discovery_state *discov = &hdev->discovery;
1577         struct inquiry_entry *e;
1578
1579         if (conn && !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
1580                 mgmt_device_connected(hdev, bdaddr, ACL_LINK, 0x00, 0, name,
1581                                       name_len, conn->dev_class);
1582
1583         if (discov->state == DISCOVERY_STOPPED)
1584                 return;
1585
1586         if (discov->state == DISCOVERY_STOPPING)
1587                 goto discov_complete;
1588
1589         if (discov->state != DISCOVERY_RESOLVING)
1590                 return;
1591
1592         e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
1593         /* If the device was not found in a list of found devices names of which
1594          * are pending. there is no need to continue resolving a next name as it
1595          * will be done upon receiving another Remote Name Request Complete
1596          * Event */
1597         if (!e)
1598                 return;
1599
1600         list_del(&e->list);
1601         if (name) {
1602                 e->name_state = NAME_KNOWN;
1603                 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,
1604                                  e->data.rssi, name, name_len);
1605         } else {
1606                 e->name_state = NAME_NOT_KNOWN;
1607         }
1608
1609         if (hci_resolve_next_name(hdev))
1610                 return;
1611
1612 discov_complete:
1613         hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1614 }
1615
1616 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
1617 {
1618         struct hci_cp_remote_name_req *cp;
1619         struct hci_conn *conn;
1620
1621         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1622
1623         /* If successful wait for the name req complete event before
1624          * checking for the need to do authentication */
1625         if (!status)
1626                 return;
1627
1628         cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
1629         if (!cp)
1630                 return;
1631
1632         hci_dev_lock(hdev);
1633
1634         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1635
1636         if (test_bit(HCI_MGMT, &hdev->dev_flags))
1637                 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
1638
1639         if (!conn)
1640                 goto unlock;
1641
1642         if (!hci_outgoing_auth_needed(hdev, conn))
1643                 goto unlock;
1644
1645         if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
1646                 struct hci_cp_auth_requested auth_cp;
1647
1648                 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
1649
1650                 auth_cp.handle = __cpu_to_le16(conn->handle);
1651                 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
1652                              sizeof(auth_cp), &auth_cp);
1653         }
1654
1655 unlock:
1656         hci_dev_unlock(hdev);
1657 }
1658
1659 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
1660 {
1661         struct hci_cp_read_remote_features *cp;
1662         struct hci_conn *conn;
1663
1664         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1665
1666         if (!status)
1667                 return;
1668
1669         cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
1670         if (!cp)
1671                 return;
1672
1673         hci_dev_lock(hdev);
1674
1675         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1676         if (conn) {
1677                 if (conn->state == BT_CONFIG) {
1678                         hci_proto_connect_cfm(conn, status);
1679                         hci_conn_drop(conn);
1680                 }
1681         }
1682
1683         hci_dev_unlock(hdev);
1684 }
1685
1686 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
1687 {
1688         struct hci_cp_read_remote_ext_features *cp;
1689         struct hci_conn *conn;
1690
1691         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1692
1693         if (!status)
1694                 return;
1695
1696         cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
1697         if (!cp)
1698                 return;
1699
1700         hci_dev_lock(hdev);
1701
1702         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1703         if (conn) {
1704                 if (conn->state == BT_CONFIG) {
1705                         hci_proto_connect_cfm(conn, status);
1706                         hci_conn_drop(conn);
1707                 }
1708         }
1709
1710         hci_dev_unlock(hdev);
1711 }
1712
1713 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
1714 {
1715         struct hci_cp_setup_sync_conn *cp;
1716         struct hci_conn *acl, *sco;
1717         __u16 handle;
1718
1719         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1720
1721         if (!status)
1722                 return;
1723
1724         cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
1725         if (!cp)
1726                 return;
1727
1728         handle = __le16_to_cpu(cp->handle);
1729
1730         BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1731
1732         hci_dev_lock(hdev);
1733
1734         acl = hci_conn_hash_lookup_handle(hdev, handle);
1735         if (acl) {
1736                 sco = acl->link;
1737                 if (sco) {
1738                         sco->state = BT_CLOSED;
1739
1740                         hci_proto_connect_cfm(sco, status);
1741                         hci_conn_del(sco);
1742                 }
1743         }
1744
1745         hci_dev_unlock(hdev);
1746 }
1747
1748 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
1749 {
1750         struct hci_cp_sniff_mode *cp;
1751         struct hci_conn *conn;
1752
1753         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1754
1755         if (!status)
1756                 return;
1757
1758         cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
1759         if (!cp)
1760                 return;
1761
1762         hci_dev_lock(hdev);
1763
1764         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1765         if (conn) {
1766                 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
1767
1768                 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
1769                         hci_sco_setup(conn, status);
1770         }
1771
1772         hci_dev_unlock(hdev);
1773 }
1774
1775 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
1776 {
1777         struct hci_cp_exit_sniff_mode *cp;
1778         struct hci_conn *conn;
1779
1780         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1781
1782         if (!status)
1783                 return;
1784
1785         cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
1786         if (!cp)
1787                 return;
1788
1789         hci_dev_lock(hdev);
1790
1791         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1792         if (conn) {
1793                 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
1794
1795                 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
1796                         hci_sco_setup(conn, status);
1797         }
1798
1799         hci_dev_unlock(hdev);
1800 }
1801
1802 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
1803 {
1804         struct hci_cp_disconnect *cp;
1805         struct hci_conn *conn;
1806
1807         if (!status)
1808                 return;
1809
1810         cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
1811         if (!cp)
1812                 return;
1813
1814         hci_dev_lock(hdev);
1815
1816         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1817         if (conn)
1818                 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
1819                                        conn->dst_type, status);
1820
1821         hci_dev_unlock(hdev);
1822 }
1823
1824 static void hci_cs_create_phylink(struct hci_dev *hdev, u8 status)
1825 {
1826         struct hci_cp_create_phy_link *cp;
1827
1828         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1829
1830         cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_PHY_LINK);
1831         if (!cp)
1832                 return;
1833
1834         hci_dev_lock(hdev);
1835
1836         if (status) {
1837                 struct hci_conn *hcon;
1838
1839                 hcon = hci_conn_hash_lookup_handle(hdev, cp->phy_handle);
1840                 if (hcon)
1841                         hci_conn_del(hcon);
1842         } else {
1843                 amp_write_remote_assoc(hdev, cp->phy_handle);
1844         }
1845
1846         hci_dev_unlock(hdev);
1847 }
1848
1849 static void hci_cs_accept_phylink(struct hci_dev *hdev, u8 status)
1850 {
1851         struct hci_cp_accept_phy_link *cp;
1852
1853         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1854
1855         if (status)
1856                 return;
1857
1858         cp = hci_sent_cmd_data(hdev, HCI_OP_ACCEPT_PHY_LINK);
1859         if (!cp)
1860                 return;
1861
1862         amp_write_remote_assoc(hdev, cp->phy_handle);
1863 }
1864
1865 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
1866 {
1867         struct hci_cp_le_create_conn *cp;
1868         struct hci_conn *conn;
1869
1870         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1871
1872         /* All connection failure handling is taken care of by the
1873          * hci_le_conn_failed function which is triggered by the HCI
1874          * request completion callbacks used for connecting.
1875          */
1876         if (status)
1877                 return;
1878
1879         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
1880         if (!cp)
1881                 return;
1882
1883         hci_dev_lock(hdev);
1884
1885         conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->peer_addr);
1886         if (!conn)
1887                 goto unlock;
1888
1889         /* Store the initiator and responder address information which
1890          * is needed for SMP. These values will not change during the
1891          * lifetime of the connection.
1892          */
1893         conn->init_addr_type = cp->own_address_type;
1894         if (cp->own_address_type == ADDR_LE_DEV_RANDOM)
1895                 bacpy(&conn->init_addr, &hdev->random_addr);
1896         else
1897                 bacpy(&conn->init_addr, &hdev->bdaddr);
1898
1899         conn->resp_addr_type = cp->peer_addr_type;
1900         bacpy(&conn->resp_addr, &cp->peer_addr);
1901
1902         /* We don't want the connection attempt to stick around
1903          * indefinitely since LE doesn't have a page timeout concept
1904          * like BR/EDR. Set a timer for any connection that doesn't use
1905          * the white list for connecting.
1906          */
1907         if (cp->filter_policy == HCI_LE_USE_PEER_ADDR)
1908                 queue_delayed_work(conn->hdev->workqueue,
1909                                    &conn->le_conn_timeout,
1910                                    conn->conn_timeout);
1911
1912 unlock:
1913         hci_dev_unlock(hdev);
1914 }
1915
1916 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
1917 {
1918         struct hci_cp_le_start_enc *cp;
1919         struct hci_conn *conn;
1920
1921         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1922
1923         if (!status)
1924                 return;
1925
1926         hci_dev_lock(hdev);
1927
1928         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
1929         if (!cp)
1930                 goto unlock;
1931
1932         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1933         if (!conn)
1934                 goto unlock;
1935
1936         if (conn->state != BT_CONNECTED)
1937                 goto unlock;
1938
1939         hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
1940         hci_conn_drop(conn);
1941
1942 unlock:
1943         hci_dev_unlock(hdev);
1944 }
1945
1946 static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1947 {
1948         __u8 status = *((__u8 *) skb->data);
1949         struct discovery_state *discov = &hdev->discovery;
1950         struct inquiry_entry *e;
1951
1952         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1953
1954         hci_conn_check_pending(hdev);
1955
1956         if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
1957                 return;
1958
1959         smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
1960         wake_up_bit(&hdev->flags, HCI_INQUIRY);
1961
1962         if (!test_bit(HCI_MGMT, &hdev->dev_flags))
1963                 return;
1964
1965         hci_dev_lock(hdev);
1966
1967         if (discov->state != DISCOVERY_FINDING)
1968                 goto unlock;
1969
1970         if (list_empty(&discov->resolve)) {
1971                 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1972                 goto unlock;
1973         }
1974
1975         e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
1976         if (e && hci_resolve_name(hdev, e) == 0) {
1977                 e->name_state = NAME_PENDING;
1978                 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
1979         } else {
1980                 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1981         }
1982
1983 unlock:
1984         hci_dev_unlock(hdev);
1985 }
1986
1987 static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
1988 {
1989         struct inquiry_data data;
1990         struct inquiry_info *info = (void *) (skb->data + 1);
1991         int num_rsp = *((__u8 *) skb->data);
1992
1993         BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
1994
1995         if (!num_rsp)
1996                 return;
1997
1998         if (test_bit(HCI_PERIODIC_INQ, &hdev->dev_flags))
1999                 return;
2000
2001         hci_dev_lock(hdev);
2002
2003         for (; num_rsp; num_rsp--, info++) {
2004                 u32 flags;
2005
2006                 bacpy(&data.bdaddr, &info->bdaddr);
2007                 data.pscan_rep_mode     = info->pscan_rep_mode;
2008                 data.pscan_period_mode  = info->pscan_period_mode;
2009                 data.pscan_mode         = info->pscan_mode;
2010                 memcpy(data.dev_class, info->dev_class, 3);
2011                 data.clock_offset       = info->clock_offset;
2012                 data.rssi               = 0x00;
2013                 data.ssp_mode           = 0x00;
2014
2015                 flags = hci_inquiry_cache_update(hdev, &data, false);
2016
2017                 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
2018                                   info->dev_class, 0, flags, NULL, 0, NULL, 0);
2019         }
2020
2021         hci_dev_unlock(hdev);
2022 }
2023
2024 static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2025 {
2026         struct hci_ev_conn_complete *ev = (void *) skb->data;
2027         struct hci_conn *conn;
2028
2029         BT_DBG("%s", hdev->name);
2030
2031         hci_dev_lock(hdev);
2032
2033         conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
2034         if (!conn) {
2035                 if (ev->link_type != SCO_LINK)
2036                         goto unlock;
2037
2038                 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
2039                 if (!conn)
2040                         goto unlock;
2041
2042                 conn->type = SCO_LINK;
2043         }
2044
2045         if (!ev->status) {
2046                 conn->handle = __le16_to_cpu(ev->handle);
2047
2048                 if (conn->type == ACL_LINK) {
2049                         conn->state = BT_CONFIG;
2050                         hci_conn_hold(conn);
2051
2052                         if (!conn->out && !hci_conn_ssp_enabled(conn) &&
2053                             !hci_find_link_key(hdev, &ev->bdaddr))
2054                                 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
2055                         else
2056                                 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2057                 } else
2058                         conn->state = BT_CONNECTED;
2059
2060                 hci_conn_add_sysfs(conn);
2061
2062                 if (test_bit(HCI_AUTH, &hdev->flags))
2063                         set_bit(HCI_CONN_AUTH, &conn->flags);
2064
2065                 if (test_bit(HCI_ENCRYPT, &hdev->flags))
2066                         set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2067
2068                 /* Get remote features */
2069                 if (conn->type == ACL_LINK) {
2070                         struct hci_cp_read_remote_features cp;
2071                         cp.handle = ev->handle;
2072                         hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
2073                                      sizeof(cp), &cp);
2074                 }
2075
2076                 /* Set packet type for incoming connection */
2077                 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
2078                         struct hci_cp_change_conn_ptype cp;
2079                         cp.handle = ev->handle;
2080                         cp.pkt_type = cpu_to_le16(conn->pkt_type);
2081                         hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
2082                                      &cp);
2083                 }
2084         } else {
2085                 conn->state = BT_CLOSED;
2086                 if (conn->type == ACL_LINK)
2087                         mgmt_connect_failed(hdev, &conn->dst, conn->type,
2088                                             conn->dst_type, ev->status);
2089         }
2090
2091         if (conn->type == ACL_LINK)
2092                 hci_sco_setup(conn, ev->status);
2093
2094         if (ev->status) {
2095                 hci_proto_connect_cfm(conn, ev->status);
2096                 hci_conn_del(conn);
2097         } else if (ev->link_type != ACL_LINK)
2098                 hci_proto_connect_cfm(conn, ev->status);
2099
2100 unlock:
2101         hci_dev_unlock(hdev);
2102
2103         hci_conn_check_pending(hdev);
2104 }
2105
2106 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
2107 {
2108         struct hci_cp_reject_conn_req cp;
2109
2110         bacpy(&cp.bdaddr, bdaddr);
2111         cp.reason = HCI_ERROR_REJ_BAD_ADDR;
2112         hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
2113 }
2114
2115 static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2116 {
2117         struct hci_ev_conn_request *ev = (void *) skb->data;
2118         int mask = hdev->link_mode;
2119         struct inquiry_entry *ie;
2120         struct hci_conn *conn;
2121         __u8 flags = 0;
2122
2123         BT_DBG("%s bdaddr %pMR type 0x%x", hdev->name, &ev->bdaddr,
2124                ev->link_type);
2125
2126         mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
2127                                       &flags);
2128
2129         if (!(mask & HCI_LM_ACCEPT)) {
2130                 hci_reject_conn(hdev, &ev->bdaddr);
2131                 return;
2132         }
2133
2134         if (hci_bdaddr_list_lookup(&hdev->blacklist, &ev->bdaddr,
2135                                    BDADDR_BREDR)) {
2136                 hci_reject_conn(hdev, &ev->bdaddr);
2137                 return;
2138         }
2139
2140         if (!test_bit(HCI_CONNECTABLE, &hdev->dev_flags) &&
2141             !hci_bdaddr_list_lookup(&hdev->whitelist, &ev->bdaddr,
2142                                     BDADDR_BREDR)) {
2143                     hci_reject_conn(hdev, &ev->bdaddr);
2144                     return;
2145         }
2146
2147         /* Connection accepted */
2148
2149         hci_dev_lock(hdev);
2150
2151         ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
2152         if (ie)
2153                 memcpy(ie->data.dev_class, ev->dev_class, 3);
2154
2155         conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
2156                         &ev->bdaddr);
2157         if (!conn) {
2158                 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,
2159                                     HCI_ROLE_SLAVE);
2160                 if (!conn) {
2161                         BT_ERR("No memory for new connection");
2162                         hci_dev_unlock(hdev);
2163                         return;
2164                 }
2165         }
2166
2167         memcpy(conn->dev_class, ev->dev_class, 3);
2168
2169         hci_dev_unlock(hdev);
2170
2171         if (ev->link_type == ACL_LINK ||
2172             (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
2173                 struct hci_cp_accept_conn_req cp;
2174                 conn->state = BT_CONNECT;
2175
2176                 bacpy(&cp.bdaddr, &ev->bdaddr);
2177
2178                 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
2179                         cp.role = 0x00; /* Become master */
2180                 else
2181                         cp.role = 0x01; /* Remain slave */
2182
2183                 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
2184         } else if (!(flags & HCI_PROTO_DEFER)) {
2185                 struct hci_cp_accept_sync_conn_req cp;
2186                 conn->state = BT_CONNECT;
2187
2188                 bacpy(&cp.bdaddr, &ev->bdaddr);
2189                 cp.pkt_type = cpu_to_le16(conn->pkt_type);
2190
2191                 cp.tx_bandwidth   = cpu_to_le32(0x00001f40);
2192                 cp.rx_bandwidth   = cpu_to_le32(0x00001f40);
2193                 cp.max_latency    = cpu_to_le16(0xffff);
2194                 cp.content_format = cpu_to_le16(hdev->voice_setting);
2195                 cp.retrans_effort = 0xff;
2196
2197                 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
2198                              &cp);
2199         } else {
2200                 conn->state = BT_CONNECT2;
2201                 hci_proto_connect_cfm(conn, 0);
2202         }
2203 }
2204
2205 static u8 hci_to_mgmt_reason(u8 err)
2206 {
2207         switch (err) {
2208         case HCI_ERROR_CONNECTION_TIMEOUT:
2209                 return MGMT_DEV_DISCONN_TIMEOUT;
2210         case HCI_ERROR_REMOTE_USER_TERM:
2211         case HCI_ERROR_REMOTE_LOW_RESOURCES:
2212         case HCI_ERROR_REMOTE_POWER_OFF:
2213                 return MGMT_DEV_DISCONN_REMOTE;
2214         case HCI_ERROR_LOCAL_HOST_TERM:
2215                 return MGMT_DEV_DISCONN_LOCAL_HOST;
2216         default:
2217                 return MGMT_DEV_DISCONN_UNKNOWN;
2218         }
2219 }
2220
2221 static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2222 {
2223         struct hci_ev_disconn_complete *ev = (void *) skb->data;
2224         u8 reason = hci_to_mgmt_reason(ev->reason);
2225         struct hci_conn_params *params;
2226         struct hci_conn *conn;
2227         bool mgmt_connected;
2228         u8 type;
2229
2230         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2231
2232         hci_dev_lock(hdev);
2233
2234         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2235         if (!conn)
2236                 goto unlock;
2237
2238         if (ev->status) {
2239                 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2240                                        conn->dst_type, ev->status);
2241                 goto unlock;
2242         }
2243
2244         conn->state = BT_CLOSED;
2245
2246         mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2247         mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2248                                 reason, mgmt_connected);
2249
2250         if (conn->type == ACL_LINK &&
2251             test_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2252                 hci_remove_link_key(hdev, &conn->dst);
2253
2254         params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2255         if (params) {
2256                 switch (params->auto_connect) {
2257                 case HCI_AUTO_CONN_LINK_LOSS:
2258                         if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2259                                 break;
2260                         /* Fall through */
2261
2262                 case HCI_AUTO_CONN_DIRECT:
2263                 case HCI_AUTO_CONN_ALWAYS:
2264                         list_del_init(&params->action);
2265                         list_add(&params->action, &hdev->pend_le_conns);
2266                         hci_update_background_scan(hdev);
2267                         break;
2268
2269                 default:
2270                         break;
2271                 }
2272         }
2273
2274         type = conn->type;
2275
2276         hci_proto_disconn_cfm(conn, ev->reason);
2277         hci_conn_del(conn);
2278
2279         /* Re-enable advertising if necessary, since it might
2280          * have been disabled by the connection. From the
2281          * HCI_LE_Set_Advertise_Enable command description in
2282          * the core specification (v4.0):
2283          * "The Controller shall continue advertising until the Host
2284          * issues an LE_Set_Advertise_Enable command with
2285          * Advertising_Enable set to 0x00 (Advertising is disabled)
2286          * or until a connection is created or until the Advertising
2287          * is timed out due to Directed Advertising."
2288          */
2289         if (type == LE_LINK)
2290                 mgmt_reenable_advertising(hdev);
2291
2292 unlock:
2293         hci_dev_unlock(hdev);
2294 }
2295
2296 static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2297 {
2298         struct hci_ev_auth_complete *ev = (void *) skb->data;
2299         struct hci_conn *conn;
2300
2301         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2302
2303         hci_dev_lock(hdev);
2304
2305         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2306         if (!conn)
2307                 goto unlock;
2308
2309         if (!ev->status) {
2310                 if (!hci_conn_ssp_enabled(conn) &&
2311                     test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) {
2312                         BT_INFO("re-auth of legacy device is not possible.");
2313                 } else {
2314                         set_bit(HCI_CONN_AUTH, &conn->flags);
2315                         conn->sec_level = conn->pending_sec_level;
2316                 }
2317         } else {
2318                 mgmt_auth_failed(hdev, &conn->dst, conn->type, conn->dst_type,
2319                                  ev->status);
2320         }
2321
2322         clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2323         clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
2324
2325         if (conn->state == BT_CONFIG) {
2326                 if (!ev->status && hci_conn_ssp_enabled(conn)) {
2327                         struct hci_cp_set_conn_encrypt cp;
2328                         cp.handle  = ev->handle;
2329                         cp.encrypt = 0x01;
2330                         hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2331                                      &cp);
2332                 } else {
2333                         conn->state = BT_CONNECTED;
2334                         hci_proto_connect_cfm(conn, ev->status);
2335                         hci_conn_drop(conn);
2336                 }
2337         } else {
2338                 hci_auth_cfm(conn, ev->status);
2339
2340                 hci_conn_hold(conn);
2341                 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2342                 hci_conn_drop(conn);
2343         }
2344
2345         if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2346                 if (!ev->status) {
2347                         struct hci_cp_set_conn_encrypt cp;
2348                         cp.handle  = ev->handle;
2349                         cp.encrypt = 0x01;
2350                         hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2351                                      &cp);
2352                 } else {
2353                         clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2354                         hci_encrypt_cfm(conn, ev->status, 0x00);
2355                 }
2356         }
2357
2358 unlock:
2359         hci_dev_unlock(hdev);
2360 }
2361
2362 static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb)
2363 {
2364         struct hci_ev_remote_name *ev = (void *) skb->data;
2365         struct hci_conn *conn;
2366
2367         BT_DBG("%s", hdev->name);
2368
2369         hci_conn_check_pending(hdev);
2370
2371         hci_dev_lock(hdev);
2372
2373         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2374
2375         if (!test_bit(HCI_MGMT, &hdev->dev_flags))
2376                 goto check_auth;
2377
2378         if (ev->status == 0)
2379                 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
2380                                        strnlen(ev->name, HCI_MAX_NAME_LENGTH));
2381         else
2382                 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
2383
2384 check_auth:
2385         if (!conn)
2386                 goto unlock;
2387
2388         if (!hci_outgoing_auth_needed(hdev, conn))
2389                 goto unlock;
2390
2391         if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2392                 struct hci_cp_auth_requested cp;
2393
2394                 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2395
2396                 cp.handle = __cpu_to_le16(conn->handle);
2397                 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
2398         }
2399
2400 unlock:
2401         hci_dev_unlock(hdev);
2402 }
2403
2404 static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2405 {
2406         struct hci_ev_encrypt_change *ev = (void *) skb->data;
2407         struct hci_conn *conn;
2408
2409         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2410
2411         hci_dev_lock(hdev);
2412
2413         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2414         if (!conn)
2415                 goto unlock;
2416
2417         if (!ev->status) {
2418                 if (ev->encrypt) {
2419                         /* Encryption implies authentication */
2420                         set_bit(HCI_CONN_AUTH, &conn->flags);
2421                         set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2422                         conn->sec_level = conn->pending_sec_level;
2423
2424                         /* P-256 authentication key implies FIPS */
2425                         if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
2426                                 set_bit(HCI_CONN_FIPS, &conn->flags);
2427
2428                         if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
2429                             conn->type == LE_LINK)
2430                                 set_bit(HCI_CONN_AES_CCM, &conn->flags);
2431                 } else {
2432                         clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
2433                         clear_bit(HCI_CONN_AES_CCM, &conn->flags);
2434                 }
2435         }
2436
2437         clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2438
2439         if (ev->status && conn->state == BT_CONNECTED) {
2440                 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2441                 hci_conn_drop(conn);
2442                 goto unlock;
2443         }
2444
2445         if (conn->state == BT_CONFIG) {
2446                 if (!ev->status)
2447                         conn->state = BT_CONNECTED;
2448
2449                 /* In Secure Connections Only mode, do not allow any
2450                  * connections that are not encrypted with AES-CCM
2451                  * using a P-256 authenticated combination key.
2452                  */
2453                 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) &&
2454                     (!test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
2455                      conn->key_type != HCI_LK_AUTH_COMBINATION_P256)) {
2456                         hci_proto_connect_cfm(conn, HCI_ERROR_AUTH_FAILURE);
2457                         hci_conn_drop(conn);
2458                         goto unlock;
2459                 }
2460
2461                 hci_proto_connect_cfm(conn, ev->status);
2462                 hci_conn_drop(conn);
2463         } else
2464                 hci_encrypt_cfm(conn, ev->status, ev->encrypt);
2465
2466 unlock:
2467         hci_dev_unlock(hdev);
2468 }
2469
2470 static void hci_change_link_key_complete_evt(struct hci_dev *hdev,
2471                                              struct sk_buff *skb)
2472 {
2473         struct hci_ev_change_link_key_complete *ev = (void *) skb->data;
2474         struct hci_conn *conn;
2475
2476         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2477
2478         hci_dev_lock(hdev);
2479
2480         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2481         if (conn) {
2482                 if (!ev->status)
2483                         set_bit(HCI_CONN_SECURE, &conn->flags);
2484
2485                 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2486
2487                 hci_key_change_cfm(conn, ev->status);
2488         }
2489
2490         hci_dev_unlock(hdev);
2491 }
2492
2493 static void hci_remote_features_evt(struct hci_dev *hdev,
2494                                     struct sk_buff *skb)
2495 {
2496         struct hci_ev_remote_features *ev = (void *) skb->data;
2497         struct hci_conn *conn;
2498
2499         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2500
2501         hci_dev_lock(hdev);
2502
2503         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2504         if (!conn)
2505                 goto unlock;
2506
2507         if (!ev->status)
2508                 memcpy(conn->features[0], ev->features, 8);
2509
2510         if (conn->state != BT_CONFIG)
2511                 goto unlock;
2512
2513         if (!ev->status && lmp_ssp_capable(hdev) && lmp_ssp_capable(conn)) {
2514                 struct hci_cp_read_remote_ext_features cp;
2515                 cp.handle = ev->handle;
2516                 cp.page = 0x01;
2517                 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
2518                              sizeof(cp), &cp);
2519                 goto unlock;
2520         }
2521
2522         if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
2523                 struct hci_cp_remote_name_req cp;
2524                 memset(&cp, 0, sizeof(cp));
2525                 bacpy(&cp.bdaddr, &conn->dst);
2526                 cp.pscan_rep_mode = 0x02;
2527                 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2528         } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2529                 mgmt_device_connected(hdev, &conn->dst, conn->type,
2530                                       conn->dst_type, 0, NULL, 0,
2531                                       conn->dev_class);
2532
2533         if (!hci_outgoing_auth_needed(hdev, conn)) {
2534                 conn->state = BT_CONNECTED;
2535                 hci_proto_connect_cfm(conn, ev->status);
2536                 hci_conn_drop(conn);
2537         }
2538
2539 unlock:
2540         hci_dev_unlock(hdev);
2541 }
2542
2543 static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2544 {
2545         struct hci_ev_cmd_complete *ev = (void *) skb->data;
2546         u8 status = skb->data[sizeof(*ev)];
2547         __u16 opcode;
2548
2549         skb_pull(skb, sizeof(*ev));
2550
2551         opcode = __le16_to_cpu(ev->opcode);
2552
2553         switch (opcode) {
2554         case HCI_OP_INQUIRY_CANCEL:
2555                 hci_cc_inquiry_cancel(hdev, skb);
2556                 break;
2557
2558         case HCI_OP_PERIODIC_INQ:
2559                 hci_cc_periodic_inq(hdev, skb);
2560                 break;
2561
2562         case HCI_OP_EXIT_PERIODIC_INQ:
2563                 hci_cc_exit_periodic_inq(hdev, skb);
2564                 break;
2565
2566         case HCI_OP_REMOTE_NAME_REQ_CANCEL:
2567                 hci_cc_remote_name_req_cancel(hdev, skb);
2568                 break;
2569
2570         case HCI_OP_ROLE_DISCOVERY:
2571                 hci_cc_role_discovery(hdev, skb);
2572                 break;
2573
2574         case HCI_OP_READ_LINK_POLICY:
2575                 hci_cc_read_link_policy(hdev, skb);
2576                 break;
2577
2578         case HCI_OP_WRITE_LINK_POLICY:
2579                 hci_cc_write_link_policy(hdev, skb);
2580                 break;
2581
2582         case HCI_OP_READ_DEF_LINK_POLICY:
2583                 hci_cc_read_def_link_policy(hdev, skb);
2584                 break;
2585
2586         case HCI_OP_WRITE_DEF_LINK_POLICY:
2587                 hci_cc_write_def_link_policy(hdev, skb);
2588                 break;
2589
2590         case HCI_OP_RESET:
2591                 hci_cc_reset(hdev, skb);
2592                 break;
2593
2594         case HCI_OP_WRITE_LOCAL_NAME:
2595                 hci_cc_write_local_name(hdev, skb);
2596                 break;
2597
2598         case HCI_OP_READ_LOCAL_NAME:
2599                 hci_cc_read_local_name(hdev, skb);
2600                 break;
2601
2602         case HCI_OP_WRITE_AUTH_ENABLE:
2603                 hci_cc_write_auth_enable(hdev, skb);
2604                 break;
2605
2606         case HCI_OP_WRITE_ENCRYPT_MODE:
2607                 hci_cc_write_encrypt_mode(hdev, skb);
2608                 break;
2609
2610         case HCI_OP_WRITE_SCAN_ENABLE:
2611                 hci_cc_write_scan_enable(hdev, skb);
2612                 break;
2613
2614         case HCI_OP_READ_CLASS_OF_DEV:
2615                 hci_cc_read_class_of_dev(hdev, skb);
2616                 break;
2617
2618         case HCI_OP_WRITE_CLASS_OF_DEV:
2619                 hci_cc_write_class_of_dev(hdev, skb);
2620                 break;
2621
2622         case HCI_OP_READ_VOICE_SETTING:
2623                 hci_cc_read_voice_setting(hdev, skb);
2624                 break;
2625
2626         case HCI_OP_WRITE_VOICE_SETTING:
2627                 hci_cc_write_voice_setting(hdev, skb);
2628                 break;
2629
2630         case HCI_OP_READ_NUM_SUPPORTED_IAC:
2631                 hci_cc_read_num_supported_iac(hdev, skb);
2632                 break;
2633
2634         case HCI_OP_WRITE_SSP_MODE:
2635                 hci_cc_write_ssp_mode(hdev, skb);
2636                 break;
2637
2638         case HCI_OP_WRITE_SC_SUPPORT:
2639                 hci_cc_write_sc_support(hdev, skb);
2640                 break;
2641
2642         case HCI_OP_READ_LOCAL_VERSION:
2643                 hci_cc_read_local_version(hdev, skb);
2644                 break;
2645
2646         case HCI_OP_READ_LOCAL_COMMANDS:
2647                 hci_cc_read_local_commands(hdev, skb);
2648                 break;
2649
2650         case HCI_OP_READ_LOCAL_FEATURES:
2651                 hci_cc_read_local_features(hdev, skb);
2652                 break;
2653
2654         case HCI_OP_READ_LOCAL_EXT_FEATURES:
2655                 hci_cc_read_local_ext_features(hdev, skb);
2656                 break;
2657
2658         case HCI_OP_READ_BUFFER_SIZE:
2659                 hci_cc_read_buffer_size(hdev, skb);
2660                 break;
2661
2662         case HCI_OP_READ_BD_ADDR:
2663                 hci_cc_read_bd_addr(hdev, skb);
2664                 break;
2665
2666         case HCI_OP_READ_PAGE_SCAN_ACTIVITY:
2667                 hci_cc_read_page_scan_activity(hdev, skb);
2668                 break;
2669
2670         case HCI_OP_WRITE_PAGE_SCAN_ACTIVITY:
2671                 hci_cc_write_page_scan_activity(hdev, skb);
2672                 break;
2673
2674         case HCI_OP_READ_PAGE_SCAN_TYPE:
2675                 hci_cc_read_page_scan_type(hdev, skb);
2676                 break;
2677
2678         case HCI_OP_WRITE_PAGE_SCAN_TYPE:
2679                 hci_cc_write_page_scan_type(hdev, skb);
2680                 break;
2681
2682         case HCI_OP_READ_DATA_BLOCK_SIZE:
2683                 hci_cc_read_data_block_size(hdev, skb);
2684                 break;
2685
2686         case HCI_OP_READ_FLOW_CONTROL_MODE:
2687                 hci_cc_read_flow_control_mode(hdev, skb);
2688                 break;
2689
2690         case HCI_OP_READ_LOCAL_AMP_INFO:
2691                 hci_cc_read_local_amp_info(hdev, skb);
2692                 break;
2693
2694         case HCI_OP_READ_CLOCK:
2695                 hci_cc_read_clock(hdev, skb);
2696                 break;
2697
2698         case HCI_OP_READ_LOCAL_AMP_ASSOC:
2699                 hci_cc_read_local_amp_assoc(hdev, skb);
2700                 break;
2701
2702         case HCI_OP_READ_INQ_RSP_TX_POWER:
2703                 hci_cc_read_inq_rsp_tx_power(hdev, skb);
2704                 break;
2705
2706         case HCI_OP_PIN_CODE_REPLY:
2707                 hci_cc_pin_code_reply(hdev, skb);
2708                 break;
2709
2710         case HCI_OP_PIN_CODE_NEG_REPLY:
2711                 hci_cc_pin_code_neg_reply(hdev, skb);
2712                 break;
2713
2714         case HCI_OP_READ_LOCAL_OOB_DATA:
2715                 hci_cc_read_local_oob_data(hdev, skb);
2716                 break;
2717
2718         case HCI_OP_READ_LOCAL_OOB_EXT_DATA:
2719                 hci_cc_read_local_oob_ext_data(hdev, skb);
2720                 break;
2721
2722         case HCI_OP_LE_READ_BUFFER_SIZE:
2723                 hci_cc_le_read_buffer_size(hdev, skb);
2724                 break;
2725
2726         case HCI_OP_LE_READ_LOCAL_FEATURES:
2727                 hci_cc_le_read_local_features(hdev, skb);
2728                 break;
2729
2730         case HCI_OP_LE_READ_ADV_TX_POWER:
2731                 hci_cc_le_read_adv_tx_power(hdev, skb);
2732                 break;
2733
2734         case HCI_OP_USER_CONFIRM_REPLY:
2735                 hci_cc_user_confirm_reply(hdev, skb);
2736                 break;
2737
2738         case HCI_OP_USER_CONFIRM_NEG_REPLY:
2739                 hci_cc_user_confirm_neg_reply(hdev, skb);
2740                 break;
2741
2742         case HCI_OP_USER_PASSKEY_REPLY:
2743                 hci_cc_user_passkey_reply(hdev, skb);
2744                 break;
2745
2746         case HCI_OP_USER_PASSKEY_NEG_REPLY:
2747                 hci_cc_user_passkey_neg_reply(hdev, skb);
2748                 break;
2749
2750         case HCI_OP_LE_SET_RANDOM_ADDR:
2751                 hci_cc_le_set_random_addr(hdev, skb);
2752                 break;
2753
2754         case HCI_OP_LE_SET_ADV_ENABLE:
2755                 hci_cc_le_set_adv_enable(hdev, skb);
2756                 break;
2757
2758         case HCI_OP_LE_SET_SCAN_PARAM:
2759                 hci_cc_le_set_scan_param(hdev, skb);
2760                 break;
2761
2762         case HCI_OP_LE_SET_SCAN_ENABLE:
2763                 hci_cc_le_set_scan_enable(hdev, skb);
2764                 break;
2765
2766         case HCI_OP_LE_READ_WHITE_LIST_SIZE:
2767                 hci_cc_le_read_white_list_size(hdev, skb);
2768                 break;
2769
2770         case HCI_OP_LE_CLEAR_WHITE_LIST:
2771                 hci_cc_le_clear_white_list(hdev, skb);
2772                 break;
2773
2774         case HCI_OP_LE_ADD_TO_WHITE_LIST:
2775                 hci_cc_le_add_to_white_list(hdev, skb);
2776                 break;
2777
2778         case HCI_OP_LE_DEL_FROM_WHITE_LIST:
2779                 hci_cc_le_del_from_white_list(hdev, skb);
2780                 break;
2781
2782         case HCI_OP_LE_READ_SUPPORTED_STATES:
2783                 hci_cc_le_read_supported_states(hdev, skb);
2784                 break;
2785
2786         case HCI_OP_WRITE_LE_HOST_SUPPORTED:
2787                 hci_cc_write_le_host_supported(hdev, skb);
2788                 break;
2789
2790         case HCI_OP_LE_SET_ADV_PARAM:
2791                 hci_cc_set_adv_param(hdev, skb);
2792                 break;
2793
2794         case HCI_OP_WRITE_REMOTE_AMP_ASSOC:
2795                 hci_cc_write_remote_amp_assoc(hdev, skb);
2796                 break;
2797
2798         case HCI_OP_READ_RSSI:
2799                 hci_cc_read_rssi(hdev, skb);
2800                 break;
2801
2802         case HCI_OP_READ_TX_POWER:
2803                 hci_cc_read_tx_power(hdev, skb);
2804                 break;
2805
2806         default:
2807                 BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode);
2808                 break;
2809         }
2810
2811         if (opcode != HCI_OP_NOP)
2812                 cancel_delayed_work(&hdev->cmd_timer);
2813
2814         hci_req_cmd_complete(hdev, opcode, status);
2815
2816         if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) {
2817                 atomic_set(&hdev->cmd_cnt, 1);
2818                 if (!skb_queue_empty(&hdev->cmd_q))
2819                         queue_work(hdev->workqueue, &hdev->cmd_work);
2820         }
2821 }
2822
2823 static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb)
2824 {
2825         struct hci_ev_cmd_status *ev = (void *) skb->data;
2826         __u16 opcode;
2827
2828         skb_pull(skb, sizeof(*ev));
2829
2830         opcode = __le16_to_cpu(ev->opcode);
2831
2832         switch (opcode) {
2833         case HCI_OP_INQUIRY:
2834                 hci_cs_inquiry(hdev, ev->status);
2835                 break;
2836
2837         case HCI_OP_CREATE_CONN:
2838                 hci_cs_create_conn(hdev, ev->status);
2839                 break;
2840
2841         case HCI_OP_ADD_SCO:
2842                 hci_cs_add_sco(hdev, ev->status);
2843                 break;
2844
2845         case HCI_OP_AUTH_REQUESTED:
2846                 hci_cs_auth_requested(hdev, ev->status);
2847                 break;
2848
2849         case HCI_OP_SET_CONN_ENCRYPT:
2850                 hci_cs_set_conn_encrypt(hdev, ev->status);
2851                 break;
2852
2853         case HCI_OP_REMOTE_NAME_REQ:
2854                 hci_cs_remote_name_req(hdev, ev->status);
2855                 break;
2856
2857         case HCI_OP_READ_REMOTE_FEATURES:
2858                 hci_cs_read_remote_features(hdev, ev->status);
2859                 break;
2860
2861         case HCI_OP_READ_REMOTE_EXT_FEATURES:
2862                 hci_cs_read_remote_ext_features(hdev, ev->status);
2863                 break;
2864
2865         case HCI_OP_SETUP_SYNC_CONN:
2866                 hci_cs_setup_sync_conn(hdev, ev->status);
2867                 break;
2868
2869         case HCI_OP_SNIFF_MODE:
2870                 hci_cs_sniff_mode(hdev, ev->status);
2871                 break;
2872
2873         case HCI_OP_EXIT_SNIFF_MODE:
2874                 hci_cs_exit_sniff_mode(hdev, ev->status);
2875                 break;
2876
2877         case HCI_OP_DISCONNECT:
2878                 hci_cs_disconnect(hdev, ev->status);
2879                 break;
2880
2881         case HCI_OP_CREATE_PHY_LINK:
2882                 hci_cs_create_phylink(hdev, ev->status);
2883                 break;
2884
2885         case HCI_OP_ACCEPT_PHY_LINK:
2886                 hci_cs_accept_phylink(hdev, ev->status);
2887                 break;
2888
2889         case HCI_OP_LE_CREATE_CONN:
2890                 hci_cs_le_create_conn(hdev, ev->status);
2891                 break;
2892
2893         case HCI_OP_LE_START_ENC:
2894                 hci_cs_le_start_enc(hdev, ev->status);
2895                 break;
2896
2897         default:
2898                 BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode);
2899                 break;
2900         }
2901
2902         if (opcode != HCI_OP_NOP)
2903                 cancel_delayed_work(&hdev->cmd_timer);
2904
2905         if (ev->status ||
2906             (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->req.event))
2907                 hci_req_cmd_complete(hdev, opcode, ev->status);
2908
2909         if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) {
2910                 atomic_set(&hdev->cmd_cnt, 1);
2911                 if (!skb_queue_empty(&hdev->cmd_q))
2912                         queue_work(hdev->workqueue, &hdev->cmd_work);
2913         }
2914 }
2915
2916 static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2917 {
2918         struct hci_ev_role_change *ev = (void *) skb->data;
2919         struct hci_conn *conn;
2920
2921         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2922
2923         hci_dev_lock(hdev);
2924
2925         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2926         if (conn) {
2927                 if (!ev->status)
2928                         conn->role = ev->role;
2929
2930                 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
2931
2932                 hci_role_switch_cfm(conn, ev->status, ev->role);
2933         }
2934
2935         hci_dev_unlock(hdev);
2936 }
2937
2938 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb)
2939 {
2940         struct hci_ev_num_comp_pkts *ev = (void *) skb->data;
2941         int i;
2942
2943         if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
2944                 BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode);
2945                 return;
2946         }
2947
2948         if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
2949             ev->num_hndl * sizeof(struct hci_comp_pkts_info)) {
2950                 BT_DBG("%s bad parameters", hdev->name);
2951                 return;
2952         }
2953
2954         BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl);
2955
2956         for (i = 0; i < ev->num_hndl; i++) {
2957                 struct hci_comp_pkts_info *info = &ev->handles[i];
2958                 struct hci_conn *conn;
2959                 __u16  handle, count;
2960
2961                 handle = __le16_to_cpu(info->handle);
2962                 count  = __le16_to_cpu(info->count);
2963
2964                 conn = hci_conn_hash_lookup_handle(hdev, handle);
2965                 if (!conn)
2966                         continue;
2967
2968                 conn->sent -= count;
2969
2970                 switch (conn->type) {
2971                 case ACL_LINK:
2972                         hdev->acl_cnt += count;
2973                         if (hdev->acl_cnt > hdev->acl_pkts)
2974                                 hdev->acl_cnt = hdev->acl_pkts;
2975                         break;
2976
2977                 case LE_LINK:
2978                         if (hdev->le_pkts) {
2979                                 hdev->le_cnt += count;
2980                                 if (hdev->le_cnt > hdev->le_pkts)
2981                                         hdev->le_cnt = hdev->le_pkts;
2982                         } else {
2983                                 hdev->acl_cnt += count;
2984                                 if (hdev->acl_cnt > hdev->acl_pkts)
2985                                         hdev->acl_cnt = hdev->acl_pkts;
2986                         }
2987                         break;
2988
2989                 case SCO_LINK:
2990                         hdev->sco_cnt += count;
2991                         if (hdev->sco_cnt > hdev->sco_pkts)
2992                                 hdev->sco_cnt = hdev->sco_pkts;
2993                         break;
2994
2995                 default:
2996                         BT_ERR("Unknown type %d conn %p", conn->type, conn);
2997                         break;
2998                 }
2999         }
3000
3001         queue_work(hdev->workqueue, &hdev->tx_work);
3002 }
3003
3004 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
3005                                                  __u16 handle)
3006 {
3007         struct hci_chan *chan;
3008
3009         switch (hdev->dev_type) {
3010         case HCI_BREDR:
3011                 return hci_conn_hash_lookup_handle(hdev, handle);
3012         case HCI_AMP:
3013                 chan = hci_chan_lookup_handle(hdev, handle);
3014                 if (chan)
3015                         return chan->conn;
3016                 break;
3017         default:
3018                 BT_ERR("%s unknown dev_type %d", hdev->name, hdev->dev_type);
3019                 break;
3020         }
3021
3022         return NULL;
3023 }
3024
3025 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb)
3026 {
3027         struct hci_ev_num_comp_blocks *ev = (void *) skb->data;
3028         int i;
3029
3030         if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
3031                 BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode);
3032                 return;
3033         }
3034
3035         if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
3036             ev->num_hndl * sizeof(struct hci_comp_blocks_info)) {
3037                 BT_DBG("%s bad parameters", hdev->name);
3038                 return;
3039         }
3040
3041         BT_DBG("%s num_blocks %d num_hndl %d", hdev->name, ev->num_blocks,
3042                ev->num_hndl);
3043
3044         for (i = 0; i < ev->num_hndl; i++) {
3045                 struct hci_comp_blocks_info *info = &ev->handles[i];
3046                 struct hci_conn *conn = NULL;
3047                 __u16  handle, block_count;
3048
3049                 handle = __le16_to_cpu(info->handle);
3050                 block_count = __le16_to_cpu(info->blocks);
3051
3052                 conn = __hci_conn_lookup_handle(hdev, handle);
3053                 if (!conn)
3054                         continue;
3055
3056                 conn->sent -= block_count;
3057
3058                 switch (conn->type) {
3059                 case ACL_LINK:
3060                 case AMP_LINK:
3061                         hdev->block_cnt += block_count;
3062                         if (hdev->block_cnt > hdev->num_blocks)
3063                                 hdev->block_cnt = hdev->num_blocks;
3064                         break;
3065
3066                 default:
3067                         BT_ERR("Unknown type %d conn %p", conn->type, conn);
3068                         break;
3069                 }
3070         }
3071
3072         queue_work(hdev->workqueue, &hdev->tx_work);
3073 }
3074
3075 static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3076 {
3077         struct hci_ev_mode_change *ev = (void *) skb->data;
3078         struct hci_conn *conn;
3079
3080         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3081
3082         hci_dev_lock(hdev);
3083
3084         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3085         if (conn) {
3086                 conn->mode = ev->mode;
3087
3088                 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
3089                                         &conn->flags)) {
3090                         if (conn->mode == HCI_CM_ACTIVE)
3091                                 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3092                         else
3093                                 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3094                 }
3095
3096                 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
3097                         hci_sco_setup(conn, ev->status);
3098         }
3099
3100         hci_dev_unlock(hdev);
3101 }
3102
3103 static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3104 {
3105         struct hci_ev_pin_code_req *ev = (void *) skb->data;
3106         struct hci_conn *conn;
3107
3108         BT_DBG("%s", hdev->name);
3109
3110         hci_dev_lock(hdev);
3111
3112         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3113         if (!conn)
3114                 goto unlock;
3115
3116         if (conn->state == BT_CONNECTED) {
3117                 hci_conn_hold(conn);
3118                 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3119                 hci_conn_drop(conn);
3120         }
3121
3122         if (!test_bit(HCI_BONDABLE, &hdev->dev_flags) &&
3123             !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
3124                 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
3125                              sizeof(ev->bdaddr), &ev->bdaddr);
3126         } else if (test_bit(HCI_MGMT, &hdev->dev_flags)) {
3127                 u8 secure;
3128
3129                 if (conn->pending_sec_level == BT_SECURITY_HIGH)
3130                         secure = 1;
3131                 else
3132                         secure = 0;
3133
3134                 mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
3135         }
3136
3137 unlock:
3138         hci_dev_unlock(hdev);
3139 }
3140
3141 static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3142 {
3143         struct hci_ev_link_key_req *ev = (void *) skb->data;
3144         struct hci_cp_link_key_reply cp;
3145         struct hci_conn *conn;
3146         struct link_key *key;
3147
3148         BT_DBG("%s", hdev->name);
3149
3150         if (!test_bit(HCI_MGMT, &hdev->dev_flags))
3151                 return;
3152
3153         hci_dev_lock(hdev);
3154
3155         key = hci_find_link_key(hdev, &ev->bdaddr);
3156         if (!key) {
3157                 BT_DBG("%s link key not found for %pMR", hdev->name,
3158                        &ev->bdaddr);
3159                 goto not_found;
3160         }
3161
3162         BT_DBG("%s found key type %u for %pMR", hdev->name, key->type,
3163                &ev->bdaddr);
3164
3165         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3166         if (conn) {
3167                 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
3168                      key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
3169                     conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
3170                         BT_DBG("%s ignoring unauthenticated key", hdev->name);
3171                         goto not_found;
3172                 }
3173
3174                 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
3175                     (conn->pending_sec_level == BT_SECURITY_HIGH ||
3176                      conn->pending_sec_level == BT_SECURITY_FIPS)) {
3177                         BT_DBG("%s ignoring key unauthenticated for high security",
3178                                hdev->name);
3179                         goto not_found;
3180                 }
3181
3182                 conn->key_type = key->type;
3183                 conn->pin_length = key->pin_len;
3184         }
3185
3186         bacpy(&cp.bdaddr, &ev->bdaddr);
3187         memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
3188
3189         hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
3190
3191         hci_dev_unlock(hdev);
3192
3193         return;
3194
3195 not_found:
3196         hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
3197         hci_dev_unlock(hdev);
3198 }
3199
3200 static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
3201 {
3202         struct hci_ev_link_key_notify *ev = (void *) skb->data;
3203         struct hci_conn *conn;
3204         struct link_key *key;
3205         bool persistent;
3206         u8 pin_len = 0;
3207
3208         BT_DBG("%s", hdev->name);
3209
3210         hci_dev_lock(hdev);
3211
3212         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3213         if (conn) {
3214                 hci_conn_hold(conn);
3215                 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3216                 pin_len = conn->pin_length;
3217
3218                 if (ev->key_type != HCI_LK_CHANGED_COMBINATION)
3219                         conn->key_type = ev->key_type;
3220
3221                 hci_conn_drop(conn);
3222         }
3223
3224         if (!test_bit(HCI_MGMT, &hdev->dev_flags))
3225                 goto unlock;
3226
3227         key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
3228                                 ev->key_type, pin_len, &persistent);
3229         if (!key)
3230                 goto unlock;
3231
3232         mgmt_new_link_key(hdev, key, persistent);
3233
3234         /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
3235          * is set. If it's not set simply remove the key from the kernel
3236          * list (we've still notified user space about it but with
3237          * store_hint being 0).
3238          */
3239         if (key->type == HCI_LK_DEBUG_COMBINATION &&
3240             !test_bit(HCI_KEEP_DEBUG_KEYS, &hdev->dev_flags)) {
3241                 list_del(&key->list);
3242                 kfree(key);
3243         } else if (conn) {
3244                 if (persistent)
3245                         clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3246                 else
3247                         set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3248         }
3249
3250 unlock:
3251         hci_dev_unlock(hdev);
3252 }
3253
3254 static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb)
3255 {
3256         struct hci_ev_clock_offset *ev = (void *) skb->data;
3257         struct hci_conn *conn;
3258
3259         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3260
3261         hci_dev_lock(hdev);
3262
3263         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3264         if (conn && !ev->status) {
3265                 struct inquiry_entry *ie;
3266
3267                 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
3268                 if (ie) {
3269                         ie->data.clock_offset = ev->clock_offset;
3270                         ie->timestamp = jiffies;
3271                 }
3272         }
3273
3274         hci_dev_unlock(hdev);
3275 }
3276
3277 static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3278 {
3279         struct hci_ev_pkt_type_change *ev = (void *) skb->data;
3280         struct hci_conn *conn;
3281
3282         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3283
3284         hci_dev_lock(hdev);
3285
3286         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3287         if (conn && !ev->status)
3288                 conn->pkt_type = __le16_to_cpu(ev->pkt_type);
3289
3290         hci_dev_unlock(hdev);
3291 }
3292
3293 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb)
3294 {
3295         struct hci_ev_pscan_rep_mode *ev = (void *) skb->data;
3296         struct inquiry_entry *ie;
3297
3298         BT_DBG("%s", hdev->name);
3299
3300         hci_dev_lock(hdev);
3301
3302         ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3303         if (ie) {
3304                 ie->data.pscan_rep_mode = ev->pscan_rep_mode;
3305                 ie->timestamp = jiffies;
3306         }
3307
3308         hci_dev_unlock(hdev);
3309 }
3310
3311 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev,
3312                                              struct sk_buff *skb)
3313 {
3314         struct inquiry_data data;
3315         int num_rsp = *((__u8 *) skb->data);
3316
3317         BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
3318
3319         if (!num_rsp)
3320                 return;
3321
3322         if (test_bit(HCI_PERIODIC_INQ, &hdev->dev_flags))
3323                 return;
3324
3325         hci_dev_lock(hdev);
3326
3327         if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
3328                 struct inquiry_info_with_rssi_and_pscan_mode *info;
3329                 info = (void *) (skb->data + 1);
3330
3331                 for (; num_rsp; num_rsp--, info++) {
3332                         u32 flags;
3333
3334                         bacpy(&data.bdaddr, &info->bdaddr);
3335                         data.pscan_rep_mode     = info->pscan_rep_mode;
3336                         data.pscan_period_mode  = info->pscan_period_mode;
3337                         data.pscan_mode         = info->pscan_mode;
3338                         memcpy(data.dev_class, info->dev_class, 3);
3339                         data.clock_offset       = info->clock_offset;
3340                         data.rssi               = info->rssi;
3341                         data.ssp_mode           = 0x00;
3342
3343                         flags = hci_inquiry_cache_update(hdev, &data, false);
3344
3345                         mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3346                                           info->dev_class, info->rssi,
3347                                           flags, NULL, 0, NULL, 0);
3348                 }
3349         } else {
3350                 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
3351
3352                 for (; num_rsp; num_rsp--, info++) {
3353                         u32 flags;
3354
3355                         bacpy(&data.bdaddr, &info->bdaddr);
3356                         data.pscan_rep_mode     = info->pscan_rep_mode;
3357                         data.pscan_period_mode  = info->pscan_period_mode;
3358                         data.pscan_mode         = 0x00;
3359                         memcpy(data.dev_class, info->dev_class, 3);
3360                         data.clock_offset       = info->clock_offset;
3361                         data.rssi               = info->rssi;
3362                         data.ssp_mode           = 0x00;
3363
3364                         flags = hci_inquiry_cache_update(hdev, &data, false);
3365
3366                         mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3367                                           info->dev_class, info->rssi,
3368                                           flags, NULL, 0, NULL, 0);
3369                 }
3370         }
3371
3372         hci_dev_unlock(hdev);
3373 }
3374
3375 static void hci_remote_ext_features_evt(struct hci_dev *hdev,
3376                                         struct sk_buff *skb)
3377 {
3378         struct hci_ev_remote_ext_features *ev = (void *) skb->data;
3379         struct hci_conn *conn;
3380
3381         BT_DBG("%s", hdev->name);
3382
3383         hci_dev_lock(hdev);
3384
3385         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3386         if (!conn)
3387                 goto unlock;
3388
3389         if (ev->page < HCI_MAX_PAGES)
3390                 memcpy(conn->features[ev->page], ev->features, 8);
3391
3392         if (!ev->status && ev->page == 0x01) {
3393                 struct inquiry_entry *ie;
3394
3395                 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
3396                 if (ie)
3397                         ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
3398
3399                 if (ev->features[0] & LMP_HOST_SSP) {
3400                         set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
3401                 } else {
3402                         /* It is mandatory by the Bluetooth specification that
3403                          * Extended Inquiry Results are only used when Secure
3404                          * Simple Pairing is enabled, but some devices violate
3405                          * this.
3406                          *
3407                          * To make these devices work, the internal SSP
3408                          * enabled flag needs to be cleared if the remote host
3409                          * features do not indicate SSP support */
3410                         clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
3411                 }
3412
3413                 if (ev->features[0] & LMP_HOST_SC)
3414                         set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
3415         }
3416
3417         if (conn->state != BT_CONFIG)
3418                 goto unlock;
3419
3420         if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3421                 struct hci_cp_remote_name_req cp;
3422                 memset(&cp, 0, sizeof(cp));
3423                 bacpy(&cp.bdaddr, &conn->dst);
3424                 cp.pscan_rep_mode = 0x02;
3425                 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3426         } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3427                 mgmt_device_connected(hdev, &conn->dst, conn->type,
3428                                       conn->dst_type, 0, NULL, 0,
3429                                       conn->dev_class);
3430
3431         if (!hci_outgoing_auth_needed(hdev, conn)) {
3432                 conn->state = BT_CONNECTED;
3433                 hci_proto_connect_cfm(conn, ev->status);
3434                 hci_conn_drop(conn);
3435         }
3436
3437 unlock:
3438         hci_dev_unlock(hdev);
3439 }
3440
3441 static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
3442                                        struct sk_buff *skb)
3443 {
3444         struct hci_ev_sync_conn_complete *ev = (void *) skb->data;
3445         struct hci_conn *conn;
3446
3447         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3448
3449         hci_dev_lock(hdev);
3450
3451         conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
3452         if (!conn) {
3453                 if (ev->link_type == ESCO_LINK)
3454                         goto unlock;
3455
3456                 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
3457                 if (!conn)
3458                         goto unlock;
3459
3460                 conn->type = SCO_LINK;
3461         }
3462
3463         switch (ev->status) {
3464         case 0x00:
3465                 conn->handle = __le16_to_cpu(ev->handle);
3466                 conn->state  = BT_CONNECTED;
3467
3468                 hci_conn_add_sysfs(conn);
3469                 break;
3470
3471         case 0x10:      /* Connection Accept Timeout */
3472         case 0x0d:      /* Connection Rejected due to Limited Resources */
3473         case 0x11:      /* Unsupported Feature or Parameter Value */
3474         case 0x1c:      /* SCO interval rejected */
3475         case 0x1a:      /* Unsupported Remote Feature */
3476         case 0x1f:      /* Unspecified error */
3477         case 0x20:      /* Unsupported LMP Parameter value */
3478                 if (conn->out) {
3479                         conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
3480                                         (hdev->esco_type & EDR_ESCO_MASK);
3481                         if (hci_setup_sync(conn, conn->link->handle))
3482                                 goto unlock;
3483                 }
3484                 /* fall through */
3485
3486         default:
3487                 conn->state = BT_CLOSED;
3488                 break;
3489         }
3490
3491         hci_proto_connect_cfm(conn, ev->status);
3492         if (ev->status)
3493                 hci_conn_del(conn);
3494
3495 unlock:
3496         hci_dev_unlock(hdev);
3497 }
3498
3499 static inline size_t eir_get_length(u8 *eir, size_t eir_len)
3500 {
3501         size_t parsed = 0;
3502
3503         while (parsed < eir_len) {
3504                 u8 field_len = eir[0];
3505
3506                 if (field_len == 0)
3507                         return parsed;
3508
3509                 parsed += field_len + 1;
3510                 eir += field_len + 1;
3511         }
3512
3513         return eir_len;
3514 }
3515
3516 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev,
3517                                             struct sk_buff *skb)
3518 {
3519         struct inquiry_data data;
3520         struct extended_inquiry_info *info = (void *) (skb->data + 1);
3521         int num_rsp = *((__u8 *) skb->data);
3522         size_t eir_len;
3523
3524         BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
3525
3526         if (!num_rsp)
3527                 return;
3528
3529         if (test_bit(HCI_PERIODIC_INQ, &hdev->dev_flags))
3530                 return;
3531
3532         hci_dev_lock(hdev);
3533
3534         for (; num_rsp; num_rsp--, info++) {
3535                 u32 flags;
3536                 bool name_known;
3537
3538                 bacpy(&data.bdaddr, &info->bdaddr);
3539                 data.pscan_rep_mode     = info->pscan_rep_mode;
3540                 data.pscan_period_mode  = info->pscan_period_mode;
3541                 data.pscan_mode         = 0x00;
3542                 memcpy(data.dev_class, info->dev_class, 3);
3543                 data.clock_offset       = info->clock_offset;
3544                 data.rssi               = info->rssi;
3545                 data.ssp_mode           = 0x01;
3546
3547                 if (test_bit(HCI_MGMT, &hdev->dev_flags))
3548                         name_known = eir_has_data_type(info->data,
3549                                                        sizeof(info->data),
3550                                                        EIR_NAME_COMPLETE);
3551                 else
3552                         name_known = true;
3553
3554                 flags = hci_inquiry_cache_update(hdev, &data, name_known);
3555
3556                 eir_len = eir_get_length(info->data, sizeof(info->data));
3557
3558                 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3559                                   info->dev_class, info->rssi,
3560                                   flags, info->data, eir_len, NULL, 0);
3561         }
3562
3563         hci_dev_unlock(hdev);
3564 }
3565
3566 static void hci_key_refresh_complete_evt(struct hci_dev *hdev,
3567                                          struct sk_buff *skb)
3568 {
3569         struct hci_ev_key_refresh_complete *ev = (void *) skb->data;
3570         struct hci_conn *conn;
3571
3572         BT_DBG("%s status 0x%2.2x handle 0x%4.4x", hdev->name, ev->status,
3573                __le16_to_cpu(ev->handle));
3574
3575         hci_dev_lock(hdev);
3576
3577         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3578         if (!conn)
3579                 goto unlock;
3580
3581         /* For BR/EDR the necessary steps are taken through the
3582          * auth_complete event.
3583          */
3584         if (conn->type != LE_LINK)
3585                 goto unlock;
3586
3587         if (!ev->status)
3588                 conn->sec_level = conn->pending_sec_level;
3589
3590         clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3591
3592         if (ev->status && conn->state == BT_CONNECTED) {
3593                 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3594                 hci_conn_drop(conn);
3595                 goto unlock;
3596         }
3597
3598         if (conn->state == BT_CONFIG) {
3599                 if (!ev->status)
3600                         conn->state = BT_CONNECTED;
3601
3602                 hci_proto_connect_cfm(conn, ev->status);
3603                 hci_conn_drop(conn);
3604         } else {
3605                 hci_auth_cfm(conn, ev->status);
3606
3607                 hci_conn_hold(conn);
3608                 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3609                 hci_conn_drop(conn);
3610         }
3611
3612 unlock:
3613         hci_dev_unlock(hdev);
3614 }
3615
3616 static u8 hci_get_auth_req(struct hci_conn *conn)
3617 {
3618         /* If remote requests no-bonding follow that lead */
3619         if (conn->remote_auth == HCI_AT_NO_BONDING ||
3620             conn->remote_auth == HCI_AT_NO_BONDING_MITM)
3621                 return conn->remote_auth | (conn->auth_type & 0x01);
3622
3623         /* If both remote and local have enough IO capabilities, require
3624          * MITM protection
3625          */
3626         if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
3627             conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
3628                 return conn->remote_auth | 0x01;
3629
3630         /* No MITM protection possible so ignore remote requirement */
3631         return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
3632 }
3633
3634 static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3635 {
3636         struct hci_ev_io_capa_request *ev = (void *) skb->data;
3637         struct hci_conn *conn;
3638
3639         BT_DBG("%s", hdev->name);
3640
3641         hci_dev_lock(hdev);
3642
3643         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3644         if (!conn)
3645                 goto unlock;
3646
3647         hci_conn_hold(conn);
3648
3649         if (!test_bit(HCI_MGMT, &hdev->dev_flags))
3650                 goto unlock;
3651
3652         /* Allow pairing if we're pairable, the initiators of the
3653          * pairing or if the remote is not requesting bonding.
3654          */
3655         if (test_bit(HCI_BONDABLE, &hdev->dev_flags) ||
3656             test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
3657             (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
3658                 struct hci_cp_io_capability_reply cp;
3659
3660                 bacpy(&cp.bdaddr, &ev->bdaddr);
3661                 /* Change the IO capability from KeyboardDisplay
3662                  * to DisplayYesNo as it is not supported by BT spec. */
3663                 cp.capability = (conn->io_capability == 0x04) ?
3664                                 HCI_IO_DISPLAY_YESNO : conn->io_capability;
3665
3666                 /* If we are initiators, there is no remote information yet */
3667                 if (conn->remote_auth == 0xff) {
3668                         /* Request MITM protection if our IO caps allow it
3669                          * except for the no-bonding case.
3670                          */
3671                         if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
3672                             conn->auth_type != HCI_AT_NO_BONDING)
3673                                 conn->auth_type |= 0x01;
3674                 } else {
3675                         conn->auth_type = hci_get_auth_req(conn);
3676                 }
3677
3678                 /* If we're not bondable, force one of the non-bondable
3679                  * authentication requirement values.
3680                  */
3681                 if (!test_bit(HCI_BONDABLE, &hdev->dev_flags))
3682                         conn->auth_type &= HCI_AT_NO_BONDING_MITM;
3683
3684                 cp.authentication = conn->auth_type;
3685
3686                 if (hci_find_remote_oob_data(hdev, &conn->dst) &&
3687                     (conn->out || test_bit(HCI_CONN_REMOTE_OOB, &conn->flags)))
3688                         cp.oob_data = 0x01;
3689                 else
3690                         cp.oob_data = 0x00;
3691
3692                 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
3693                              sizeof(cp), &cp);
3694         } else {
3695                 struct hci_cp_io_capability_neg_reply cp;
3696
3697                 bacpy(&cp.bdaddr, &ev->bdaddr);
3698                 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
3699
3700                 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
3701                              sizeof(cp), &cp);
3702         }
3703
3704 unlock:
3705         hci_dev_unlock(hdev);
3706 }
3707
3708 static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb)
3709 {
3710         struct hci_ev_io_capa_reply *ev = (void *) skb->data;
3711         struct hci_conn *conn;
3712
3713         BT_DBG("%s", hdev->name);
3714
3715         hci_dev_lock(hdev);
3716
3717         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3718         if (!conn)
3719                 goto unlock;
3720
3721         conn->remote_cap = ev->capability;
3722         conn->remote_auth = ev->authentication;
3723         if (ev->oob_data)
3724                 set_bit(HCI_CONN_REMOTE_OOB, &conn->flags);
3725
3726 unlock:
3727         hci_dev_unlock(hdev);
3728 }
3729
3730 static void hci_user_confirm_request_evt(struct hci_dev *hdev,
3731                                          struct sk_buff *skb)
3732 {
3733         struct hci_ev_user_confirm_req *ev = (void *) skb->data;
3734         int loc_mitm, rem_mitm, confirm_hint = 0;
3735         struct hci_conn *conn;
3736
3737         BT_DBG("%s", hdev->name);
3738
3739         hci_dev_lock(hdev);
3740
3741         if (!test_bit(HCI_MGMT, &hdev->dev_flags))
3742                 goto unlock;
3743
3744         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3745         if (!conn)
3746                 goto unlock;
3747
3748         loc_mitm = (conn->auth_type & 0x01);
3749         rem_mitm = (conn->remote_auth & 0x01);
3750
3751         /* If we require MITM but the remote device can't provide that
3752          * (it has NoInputNoOutput) then reject the confirmation
3753          * request. We check the security level here since it doesn't
3754          * necessarily match conn->auth_type.
3755          */
3756         if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
3757             conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
3758                 BT_DBG("Rejecting request: remote device can't provide MITM");
3759                 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
3760                              sizeof(ev->bdaddr), &ev->bdaddr);
3761                 goto unlock;
3762         }
3763
3764         /* If no side requires MITM protection; auto-accept */
3765         if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
3766             (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
3767
3768                 /* If we're not the initiators request authorization to
3769                  * proceed from user space (mgmt_user_confirm with
3770                  * confirm_hint set to 1). The exception is if neither
3771                  * side had MITM or if the local IO capability is
3772                  * NoInputNoOutput, in which case we do auto-accept
3773                  */
3774                 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
3775                     conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
3776                     (loc_mitm || rem_mitm)) {
3777                         BT_DBG("Confirming auto-accept as acceptor");
3778                         confirm_hint = 1;
3779                         goto confirm;
3780                 }
3781
3782                 BT_DBG("Auto-accept of user confirmation with %ums delay",
3783                        hdev->auto_accept_delay);
3784
3785                 if (hdev->auto_accept_delay > 0) {
3786                         int delay = msecs_to_jiffies(hdev->auto_accept_delay);
3787                         queue_delayed_work(conn->hdev->workqueue,
3788                                            &conn->auto_accept_work, delay);
3789                         goto unlock;
3790                 }
3791
3792                 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
3793                              sizeof(ev->bdaddr), &ev->bdaddr);
3794                 goto unlock;
3795         }
3796
3797 confirm:
3798         mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
3799                                   le32_to_cpu(ev->passkey), confirm_hint);
3800
3801 unlock:
3802         hci_dev_unlock(hdev);
3803 }
3804
3805 static void hci_user_passkey_request_evt(struct hci_dev *hdev,
3806                                          struct sk_buff *skb)
3807 {
3808         struct hci_ev_user_passkey_req *ev = (void *) skb->data;
3809
3810         BT_DBG("%s", hdev->name);
3811
3812         if (test_bit(HCI_MGMT, &hdev->dev_flags))
3813                 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
3814 }
3815
3816 static void hci_user_passkey_notify_evt(struct hci_dev *hdev,
3817                                         struct sk_buff *skb)
3818 {
3819         struct hci_ev_user_passkey_notify *ev = (void *) skb->data;
3820         struct hci_conn *conn;
3821
3822         BT_DBG("%s", hdev->name);
3823
3824         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3825         if (!conn)
3826                 return;
3827
3828         conn->passkey_notify = __le32_to_cpu(ev->passkey);
3829         conn->passkey_entered = 0;
3830
3831         if (test_bit(HCI_MGMT, &hdev->dev_flags))
3832                 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
3833                                          conn->dst_type, conn->passkey_notify,
3834                                          conn->passkey_entered);
3835 }
3836
3837 static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
3838 {
3839         struct hci_ev_keypress_notify *ev = (void *) skb->data;
3840         struct hci_conn *conn;
3841
3842         BT_DBG("%s", hdev->name);
3843
3844         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3845         if (!conn)
3846                 return;
3847
3848         switch (ev->type) {
3849         case HCI_KEYPRESS_STARTED:
3850                 conn->passkey_entered = 0;
3851                 return;
3852
3853         case HCI_KEYPRESS_ENTERED:
3854                 conn->passkey_entered++;
3855                 break;
3856
3857         case HCI_KEYPRESS_ERASED:
3858                 conn->passkey_entered--;
3859                 break;
3860
3861         case HCI_KEYPRESS_CLEARED:
3862                 conn->passkey_entered = 0;
3863                 break;
3864
3865         case HCI_KEYPRESS_COMPLETED:
3866                 return;
3867         }
3868
3869         if (test_bit(HCI_MGMT, &hdev->dev_flags))
3870                 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
3871                                          conn->dst_type, conn->passkey_notify,
3872                                          conn->passkey_entered);
3873 }
3874
3875 static void hci_simple_pair_complete_evt(struct hci_dev *hdev,
3876                                          struct sk_buff *skb)
3877 {
3878         struct hci_ev_simple_pair_complete *ev = (void *) skb->data;
3879         struct hci_conn *conn;
3880
3881         BT_DBG("%s", hdev->name);
3882
3883         hci_dev_lock(hdev);
3884
3885         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3886         if (!conn)
3887                 goto unlock;
3888
3889         /* Reset the authentication requirement to unknown */
3890         conn->remote_auth = 0xff;
3891
3892         /* To avoid duplicate auth_failed events to user space we check
3893          * the HCI_CONN_AUTH_PEND flag which will be set if we
3894          * initiated the authentication. A traditional auth_complete
3895          * event gets always produced as initiator and is also mapped to
3896          * the mgmt_auth_failed event */
3897         if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
3898                 mgmt_auth_failed(hdev, &conn->dst, conn->type, conn->dst_type,
3899                                  ev->status);
3900
3901         hci_conn_drop(conn);
3902
3903 unlock:
3904         hci_dev_unlock(hdev);
3905 }
3906
3907 static void hci_remote_host_features_evt(struct hci_dev *hdev,
3908                                          struct sk_buff *skb)
3909 {
3910         struct hci_ev_remote_host_features *ev = (void *) skb->data;
3911         struct inquiry_entry *ie;
3912         struct hci_conn *conn;
3913
3914         BT_DBG("%s", hdev->name);
3915
3916         hci_dev_lock(hdev);
3917
3918         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3919         if (conn)
3920                 memcpy(conn->features[1], ev->features, 8);
3921
3922         ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3923         if (ie)
3924                 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
3925
3926         hci_dev_unlock(hdev);
3927 }
3928
3929 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
3930                                             struct sk_buff *skb)
3931 {
3932         struct hci_ev_remote_oob_data_request *ev = (void *) skb->data;
3933         struct oob_data *data;
3934
3935         BT_DBG("%s", hdev->name);
3936
3937         hci_dev_lock(hdev);
3938
3939         if (!test_bit(HCI_MGMT, &hdev->dev_flags))
3940                 goto unlock;
3941
3942         data = hci_find_remote_oob_data(hdev, &ev->bdaddr);
3943         if (data) {
3944                 if (test_bit(HCI_SC_ENABLED, &hdev->dev_flags)) {
3945                         struct hci_cp_remote_oob_ext_data_reply cp;
3946
3947                         bacpy(&cp.bdaddr, &ev->bdaddr);
3948                         memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
3949                         memcpy(cp.randomizer192, data->randomizer192,
3950                                sizeof(cp.randomizer192));
3951                         memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
3952                         memcpy(cp.randomizer256, data->randomizer256,
3953                                sizeof(cp.randomizer256));
3954
3955                         hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
3956                                      sizeof(cp), &cp);
3957                 } else {
3958                         struct hci_cp_remote_oob_data_reply cp;
3959
3960                         bacpy(&cp.bdaddr, &ev->bdaddr);
3961                         memcpy(cp.hash, data->hash192, sizeof(cp.hash));
3962                         memcpy(cp.randomizer, data->randomizer192,
3963                                sizeof(cp.randomizer));
3964
3965                         hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
3966                                      sizeof(cp), &cp);
3967                 }
3968         } else {
3969                 struct hci_cp_remote_oob_data_neg_reply cp;
3970
3971                 bacpy(&cp.bdaddr, &ev->bdaddr);
3972                 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
3973                              sizeof(cp), &cp);
3974         }
3975
3976 unlock:
3977         hci_dev_unlock(hdev);
3978 }
3979
3980 static void hci_phy_link_complete_evt(struct hci_dev *hdev,
3981                                       struct sk_buff *skb)
3982 {
3983         struct hci_ev_phy_link_complete *ev = (void *) skb->data;
3984         struct hci_conn *hcon, *bredr_hcon;
3985
3986         BT_DBG("%s handle 0x%2.2x status 0x%2.2x", hdev->name, ev->phy_handle,
3987                ev->status);
3988
3989         hci_dev_lock(hdev);
3990
3991         hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
3992         if (!hcon) {
3993                 hci_dev_unlock(hdev);
3994                 return;
3995         }
3996
3997         if (ev->status) {
3998                 hci_conn_del(hcon);
3999                 hci_dev_unlock(hdev);
4000                 return;
4001         }
4002
4003         bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
4004
4005         hcon->state = BT_CONNECTED;
4006         bacpy(&hcon->dst, &bredr_hcon->dst);
4007
4008         hci_conn_hold(hcon);
4009         hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
4010         hci_conn_drop(hcon);
4011
4012         hci_conn_add_sysfs(hcon);
4013
4014         amp_physical_cfm(bredr_hcon, hcon);
4015
4016         hci_dev_unlock(hdev);
4017 }
4018
4019 static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4020 {
4021         struct hci_ev_logical_link_complete *ev = (void *) skb->data;
4022         struct hci_conn *hcon;
4023         struct hci_chan *hchan;
4024         struct amp_mgr *mgr;
4025
4026         BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
4027                hdev->name, le16_to_cpu(ev->handle), ev->phy_handle,
4028                ev->status);
4029
4030         hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4031         if (!hcon)
4032                 return;
4033
4034         /* Create AMP hchan */
4035         hchan = hci_chan_create(hcon);
4036         if (!hchan)
4037                 return;
4038
4039         hchan->handle = le16_to_cpu(ev->handle);
4040
4041         BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
4042
4043         mgr = hcon->amp_mgr;
4044         if (mgr && mgr->bredr_chan) {
4045                 struct l2cap_chan *bredr_chan = mgr->bredr_chan;
4046
4047                 l2cap_chan_lock(bredr_chan);
4048
4049                 bredr_chan->conn->mtu = hdev->block_mtu;
4050                 l2cap_logical_cfm(bredr_chan, hchan, 0);
4051                 hci_conn_hold(hcon);
4052
4053                 l2cap_chan_unlock(bredr_chan);
4054         }
4055 }
4056
4057 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev,
4058                                              struct sk_buff *skb)
4059 {
4060         struct hci_ev_disconn_logical_link_complete *ev = (void *) skb->data;
4061         struct hci_chan *hchan;
4062
4063         BT_DBG("%s log handle 0x%4.4x status 0x%2.2x", hdev->name,
4064                le16_to_cpu(ev->handle), ev->status);
4065
4066         if (ev->status)
4067                 return;
4068
4069         hci_dev_lock(hdev);
4070
4071         hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
4072         if (!hchan)
4073                 goto unlock;
4074
4075         amp_destroy_logical_link(hchan, ev->reason);
4076
4077 unlock:
4078         hci_dev_unlock(hdev);
4079 }
4080
4081 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev,
4082                                              struct sk_buff *skb)
4083 {
4084         struct hci_ev_disconn_phy_link_complete *ev = (void *) skb->data;
4085         struct hci_conn *hcon;
4086
4087         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4088
4089         if (ev->status)
4090                 return;
4091
4092         hci_dev_lock(hdev);
4093
4094         hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4095         if (hcon) {
4096                 hcon->state = BT_CLOSED;
4097                 hci_conn_del(hcon);
4098         }
4099
4100         hci_dev_unlock(hdev);
4101 }
4102
4103 static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4104 {
4105         struct hci_ev_le_conn_complete *ev = (void *) skb->data;
4106         struct hci_conn_params *params;
4107         struct hci_conn *conn;
4108         struct smp_irk *irk;
4109         u8 addr_type;
4110
4111         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4112
4113         hci_dev_lock(hdev);
4114
4115         /* All controllers implicitly stop advertising in the event of a
4116          * connection, so ensure that the state bit is cleared.
4117          */
4118         clear_bit(HCI_LE_ADV, &hdev->dev_flags);
4119
4120         conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT);
4121         if (!conn) {
4122                 conn = hci_conn_add(hdev, LE_LINK, &ev->bdaddr, ev->role);
4123                 if (!conn) {
4124                         BT_ERR("No memory for new connection");
4125                         goto unlock;
4126                 }
4127
4128                 conn->dst_type = ev->bdaddr_type;
4129
4130                 /* If we didn't have a hci_conn object previously
4131                  * but we're in master role this must be something
4132                  * initiated using a white list. Since white list based
4133                  * connections are not "first class citizens" we don't
4134                  * have full tracking of them. Therefore, we go ahead
4135                  * with a "best effort" approach of determining the
4136                  * initiator address based on the HCI_PRIVACY flag.
4137                  */
4138                 if (conn->out) {
4139                         conn->resp_addr_type = ev->bdaddr_type;
4140                         bacpy(&conn->resp_addr, &ev->bdaddr);
4141                         if (test_bit(HCI_PRIVACY, &hdev->dev_flags)) {
4142                                 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
4143                                 bacpy(&conn->init_addr, &hdev->rpa);
4144                         } else {
4145                                 hci_copy_identity_address(hdev,
4146                                                           &conn->init_addr,
4147                                                           &conn->init_addr_type);
4148                         }
4149                 }
4150         } else {
4151                 cancel_delayed_work(&conn->le_conn_timeout);
4152         }
4153
4154         if (!conn->out) {
4155                 /* Set the responder (our side) address type based on
4156                  * the advertising address type.
4157                  */
4158                 conn->resp_addr_type = hdev->adv_addr_type;
4159                 if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM)
4160                         bacpy(&conn->resp_addr, &hdev->random_addr);
4161                 else
4162                         bacpy(&conn->resp_addr, &hdev->bdaddr);
4163
4164                 conn->init_addr_type = ev->bdaddr_type;
4165                 bacpy(&conn->init_addr, &ev->bdaddr);
4166
4167                 /* For incoming connections, set the default minimum
4168                  * and maximum connection interval. They will be used
4169                  * to check if the parameters are in range and if not
4170                  * trigger the connection update procedure.
4171                  */
4172                 conn->le_conn_min_interval = hdev->le_conn_min_interval;
4173                 conn->le_conn_max_interval = hdev->le_conn_max_interval;
4174         }
4175
4176         /* Lookup the identity address from the stored connection
4177          * address and address type.
4178          *
4179          * When establishing connections to an identity address, the
4180          * connection procedure will store the resolvable random
4181          * address first. Now if it can be converted back into the
4182          * identity address, start using the identity address from
4183          * now on.
4184          */
4185         irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
4186         if (irk) {
4187                 bacpy(&conn->dst, &irk->bdaddr);
4188                 conn->dst_type = irk->addr_type;
4189         }
4190
4191         if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
4192                 addr_type = BDADDR_LE_PUBLIC;
4193         else
4194                 addr_type = BDADDR_LE_RANDOM;
4195
4196         if (ev->status) {
4197                 hci_le_conn_failed(conn, ev->status);
4198                 goto unlock;
4199         }
4200
4201         /* Drop the connection if the device is blocked */
4202         if (hci_bdaddr_list_lookup(&hdev->blacklist, &conn->dst, addr_type)) {
4203                 hci_conn_drop(conn);
4204                 goto unlock;
4205         }
4206
4207         if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
4208                 mgmt_device_connected(hdev, &conn->dst, conn->type,
4209                                       conn->dst_type, 0, NULL, 0, NULL);
4210
4211         conn->sec_level = BT_SECURITY_LOW;
4212         conn->handle = __le16_to_cpu(ev->handle);
4213         conn->state = BT_CONNECTED;
4214
4215         conn->le_conn_interval = le16_to_cpu(ev->interval);
4216         conn->le_conn_latency = le16_to_cpu(ev->latency);
4217         conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
4218
4219         hci_conn_add_sysfs(conn);
4220
4221         hci_proto_connect_cfm(conn, ev->status);
4222
4223         params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
4224         if (params)
4225                 list_del_init(&params->action);
4226
4227 unlock:
4228         hci_update_background_scan(hdev);
4229         hci_dev_unlock(hdev);
4230 }
4231
4232 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev,
4233                                             struct sk_buff *skb)
4234 {
4235         struct hci_ev_le_conn_update_complete *ev = (void *) skb->data;
4236         struct hci_conn *conn;
4237
4238         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4239
4240         if (ev->status)
4241                 return;
4242
4243         hci_dev_lock(hdev);
4244
4245         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4246         if (conn) {
4247                 conn->le_conn_interval = le16_to_cpu(ev->interval);
4248                 conn->le_conn_latency = le16_to_cpu(ev->latency);
4249                 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
4250         }
4251
4252         hci_dev_unlock(hdev);
4253 }
4254
4255 /* This function requires the caller holds hdev->lock */
4256 static void check_pending_le_conn(struct hci_dev *hdev, bdaddr_t *addr,
4257                                   u8 addr_type, u8 adv_type)
4258 {
4259         struct hci_conn *conn;
4260         struct hci_conn_params *params;
4261
4262         /* If the event is not connectable don't proceed further */
4263         if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
4264                 return;
4265
4266         /* Ignore if the device is blocked */
4267         if (hci_bdaddr_list_lookup(&hdev->blacklist, addr, addr_type))
4268                 return;
4269
4270         /* Most controller will fail if we try to create new connections
4271          * while we have an existing one in slave role.
4272          */
4273         if (hdev->conn_hash.le_num_slave > 0)
4274                 return;
4275
4276         /* If we're not connectable only connect devices that we have in
4277          * our pend_le_conns list.
4278          */
4279         params = hci_pend_le_action_lookup(&hdev->pend_le_conns,
4280                                            addr, addr_type);
4281         if (!params)
4282                 return;
4283
4284         switch (params->auto_connect) {
4285         case HCI_AUTO_CONN_DIRECT:
4286                 /* Only devices advertising with ADV_DIRECT_IND are
4287                  * triggering a connection attempt. This is allowing
4288                  * incoming connections from slave devices.
4289                  */
4290                 if (adv_type != LE_ADV_DIRECT_IND)
4291                         return;
4292                 break;
4293         case HCI_AUTO_CONN_ALWAYS:
4294                 /* Devices advertising with ADV_IND or ADV_DIRECT_IND
4295                  * are triggering a connection attempt. This means
4296                  * that incoming connectioms from slave device are
4297                  * accepted and also outgoing connections to slave
4298                  * devices are established when found.
4299                  */
4300                 break;
4301         default:
4302                 return;
4303         }
4304
4305         conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW,
4306                               HCI_LE_AUTOCONN_TIMEOUT, HCI_ROLE_MASTER);
4307         if (!IS_ERR(conn))
4308                 return;
4309
4310         switch (PTR_ERR(conn)) {
4311         case -EBUSY:
4312                 /* If hci_connect() returns -EBUSY it means there is already
4313                  * an LE connection attempt going on. Since controllers don't
4314                  * support more than one connection attempt at the time, we
4315                  * don't consider this an error case.
4316                  */
4317                 break;
4318         default:
4319                 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
4320         }
4321 }
4322
4323 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
4324                                u8 bdaddr_type, s8 rssi, u8 *data, u8 len)
4325 {
4326         struct discovery_state *d = &hdev->discovery;
4327         struct smp_irk *irk;
4328         bool match;
4329         u32 flags;
4330
4331         /* Check if we need to convert to identity address */
4332         irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
4333         if (irk) {
4334                 bdaddr = &irk->bdaddr;
4335                 bdaddr_type = irk->addr_type;
4336         }
4337
4338         /* Check if we have been requested to connect to this device */
4339         check_pending_le_conn(hdev, bdaddr, bdaddr_type, type);
4340
4341         /* Passive scanning shouldn't trigger any device found events,
4342          * except for devices marked as CONN_REPORT for which we do send
4343          * device found events.
4344          */
4345         if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
4346                 if (type == LE_ADV_DIRECT_IND)
4347                         return;
4348
4349                 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
4350                                                bdaddr, bdaddr_type))
4351                         return;
4352
4353                 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
4354                         flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
4355                 else
4356                         flags = 0;
4357                 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4358                                   rssi, flags, data, len, NULL, 0);
4359                 return;
4360         }
4361
4362         /* When receiving non-connectable or scannable undirected
4363          * advertising reports, this means that the remote device is
4364          * not connectable and then clearly indicate this in the
4365          * device found event.
4366          *
4367          * When receiving a scan response, then there is no way to
4368          * know if the remote device is connectable or not. However
4369          * since scan responses are merged with a previously seen
4370          * advertising report, the flags field from that report
4371          * will be used.
4372          *
4373          * In the really unlikely case that a controller get confused
4374          * and just sends a scan response event, then it is marked as
4375          * not connectable as well.
4376          */
4377         if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND ||
4378             type == LE_ADV_SCAN_RSP)
4379                 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
4380         else
4381                 flags = 0;
4382
4383         /* If there's nothing pending either store the data from this
4384          * event or send an immediate device found event if the data
4385          * should not be stored for later.
4386          */
4387         if (!has_pending_adv_report(hdev)) {
4388                 /* If the report will trigger a SCAN_REQ store it for
4389                  * later merging.
4390                  */
4391                 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
4392                         store_pending_adv_report(hdev, bdaddr, bdaddr_type,
4393                                                  rssi, flags, data, len);
4394                         return;
4395                 }
4396
4397                 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4398                                   rssi, flags, data, len, NULL, 0);
4399                 return;
4400         }
4401
4402         /* Check if the pending report is for the same device as the new one */
4403         match = (!bacmp(bdaddr, &d->last_adv_addr) &&
4404                  bdaddr_type == d->last_adv_addr_type);
4405
4406         /* If the pending data doesn't match this report or this isn't a
4407          * scan response (e.g. we got a duplicate ADV_IND) then force
4408          * sending of the pending data.
4409          */
4410         if (type != LE_ADV_SCAN_RSP || !match) {
4411                 /* Send out whatever is in the cache, but skip duplicates */
4412                 if (!match)
4413                         mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
4414                                           d->last_adv_addr_type, NULL,
4415                                           d->last_adv_rssi, d->last_adv_flags,
4416                                           d->last_adv_data,
4417                                           d->last_adv_data_len, NULL, 0);
4418
4419                 /* If the new report will trigger a SCAN_REQ store it for
4420                  * later merging.
4421                  */
4422                 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
4423                         store_pending_adv_report(hdev, bdaddr, bdaddr_type,
4424                                                  rssi, flags, data, len);
4425                         return;
4426                 }
4427
4428                 /* The advertising reports cannot be merged, so clear
4429                  * the pending report and send out a device found event.
4430                  */
4431                 clear_pending_adv_report(hdev);
4432                 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4433                                   rssi, flags, data, len, NULL, 0);
4434                 return;
4435         }
4436
4437         /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
4438          * the new event is a SCAN_RSP. We can therefore proceed with
4439          * sending a merged device found event.
4440          */
4441         mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
4442                           d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
4443                           d->last_adv_data, d->last_adv_data_len, data, len);
4444         clear_pending_adv_report(hdev);
4445 }
4446
4447 static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
4448 {
4449         u8 num_reports = skb->data[0];
4450         void *ptr = &skb->data[1];
4451
4452         hci_dev_lock(hdev);
4453
4454         while (num_reports--) {
4455                 struct hci_ev_le_advertising_info *ev = ptr;
4456                 s8 rssi;
4457
4458                 rssi = ev->data[ev->length];
4459                 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
4460                                    ev->bdaddr_type, rssi, ev->data, ev->length);
4461
4462                 ptr += sizeof(*ev) + ev->length + 1;
4463         }
4464
4465         hci_dev_unlock(hdev);
4466 }
4467
4468 static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
4469 {
4470         struct hci_ev_le_ltk_req *ev = (void *) skb->data;
4471         struct hci_cp_le_ltk_reply cp;
4472         struct hci_cp_le_ltk_neg_reply neg;
4473         struct hci_conn *conn;
4474         struct smp_ltk *ltk;
4475
4476         BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle));
4477
4478         hci_dev_lock(hdev);
4479
4480         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4481         if (conn == NULL)
4482                 goto not_found;
4483
4484         ltk = hci_find_ltk(hdev, ev->ediv, ev->rand, conn->role);
4485         if (ltk == NULL)
4486                 goto not_found;
4487
4488         memcpy(cp.ltk, ltk->val, sizeof(ltk->val));
4489         cp.handle = cpu_to_le16(conn->handle);
4490
4491         if (ltk->authenticated)
4492                 conn->pending_sec_level = BT_SECURITY_HIGH;
4493         else
4494                 conn->pending_sec_level = BT_SECURITY_MEDIUM;
4495
4496         conn->enc_key_size = ltk->enc_size;
4497
4498         hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
4499
4500         /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
4501          * temporary key used to encrypt a connection following
4502          * pairing. It is used during the Encrypted Session Setup to
4503          * distribute the keys. Later, security can be re-established
4504          * using a distributed LTK.
4505          */
4506         if (ltk->type == SMP_STK) {
4507                 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
4508                 list_del(&ltk->list);
4509                 kfree(ltk);
4510         } else {
4511                 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
4512         }
4513
4514         hci_dev_unlock(hdev);
4515
4516         return;
4517
4518 not_found:
4519         neg.handle = ev->handle;
4520         hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
4521         hci_dev_unlock(hdev);
4522 }
4523
4524 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
4525                                       u8 reason)
4526 {
4527         struct hci_cp_le_conn_param_req_neg_reply cp;
4528
4529         cp.handle = cpu_to_le16(handle);
4530         cp.reason = reason;
4531
4532         hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
4533                      &cp);
4534 }
4535
4536 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev,
4537                                              struct sk_buff *skb)
4538 {
4539         struct hci_ev_le_remote_conn_param_req *ev = (void *) skb->data;
4540         struct hci_cp_le_conn_param_req_reply cp;
4541         struct hci_conn *hcon;
4542         u16 handle, min, max, latency, timeout;
4543
4544         handle = le16_to_cpu(ev->handle);
4545         min = le16_to_cpu(ev->interval_min);
4546         max = le16_to_cpu(ev->interval_max);
4547         latency = le16_to_cpu(ev->latency);
4548         timeout = le16_to_cpu(ev->timeout);
4549
4550         hcon = hci_conn_hash_lookup_handle(hdev, handle);
4551         if (!hcon || hcon->state != BT_CONNECTED)
4552                 return send_conn_param_neg_reply(hdev, handle,
4553                                                  HCI_ERROR_UNKNOWN_CONN_ID);
4554
4555         if (hci_check_conn_params(min, max, latency, timeout))
4556                 return send_conn_param_neg_reply(hdev, handle,
4557                                                  HCI_ERROR_INVALID_LL_PARAMS);
4558
4559         if (hcon->role == HCI_ROLE_MASTER) {
4560                 struct hci_conn_params *params;
4561                 u8 store_hint;
4562
4563                 hci_dev_lock(hdev);
4564
4565                 params = hci_conn_params_lookup(hdev, &hcon->dst,
4566                                                 hcon->dst_type);
4567                 if (params) {
4568                         params->conn_min_interval = min;
4569                         params->conn_max_interval = max;
4570                         params->conn_latency = latency;
4571                         params->supervision_timeout = timeout;
4572                         store_hint = 0x01;
4573                 } else{
4574                         store_hint = 0x00;
4575                 }
4576
4577                 hci_dev_unlock(hdev);
4578
4579                 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
4580                                     store_hint, min, max, latency, timeout);
4581         }
4582
4583         cp.handle = ev->handle;
4584         cp.interval_min = ev->interval_min;
4585         cp.interval_max = ev->interval_max;
4586         cp.latency = ev->latency;
4587         cp.timeout = ev->timeout;
4588         cp.min_ce_len = 0;
4589         cp.max_ce_len = 0;
4590
4591         hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
4592 }
4593
4594 static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
4595 {
4596         struct hci_ev_le_meta *le_ev = (void *) skb->data;
4597
4598         skb_pull(skb, sizeof(*le_ev));
4599
4600         switch (le_ev->subevent) {
4601         case HCI_EV_LE_CONN_COMPLETE:
4602                 hci_le_conn_complete_evt(hdev, skb);
4603                 break;
4604
4605         case HCI_EV_LE_CONN_UPDATE_COMPLETE:
4606                 hci_le_conn_update_complete_evt(hdev, skb);
4607                 break;
4608
4609         case HCI_EV_LE_ADVERTISING_REPORT:
4610                 hci_le_adv_report_evt(hdev, skb);
4611                 break;
4612
4613         case HCI_EV_LE_LTK_REQ:
4614                 hci_le_ltk_request_evt(hdev, skb);
4615                 break;
4616
4617         case HCI_EV_LE_REMOTE_CONN_PARAM_REQ:
4618                 hci_le_remote_conn_param_req_evt(hdev, skb);
4619                 break;
4620
4621         default:
4622                 break;
4623         }
4624 }
4625
4626 static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb)
4627 {
4628         struct hci_ev_channel_selected *ev = (void *) skb->data;
4629         struct hci_conn *hcon;
4630
4631         BT_DBG("%s handle 0x%2.2x", hdev->name, ev->phy_handle);
4632
4633         skb_pull(skb, sizeof(*ev));
4634
4635         hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4636         if (!hcon)
4637                 return;
4638
4639         amp_read_loc_assoc_final_data(hdev, hcon);
4640 }
4641
4642 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
4643 {
4644         struct hci_event_hdr *hdr = (void *) skb->data;
4645         __u8 event = hdr->evt;
4646
4647         hci_dev_lock(hdev);
4648
4649         /* Received events are (currently) only needed when a request is
4650          * ongoing so avoid unnecessary memory allocation.
4651          */
4652         if (hci_req_pending(hdev)) {
4653                 kfree_skb(hdev->recv_evt);
4654                 hdev->recv_evt = skb_clone(skb, GFP_KERNEL);
4655         }
4656
4657         hci_dev_unlock(hdev);
4658
4659         skb_pull(skb, HCI_EVENT_HDR_SIZE);
4660
4661         if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->req.event == event) {
4662                 struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data;
4663                 u16 opcode = __le16_to_cpu(cmd_hdr->opcode);
4664
4665                 hci_req_cmd_complete(hdev, opcode, 0);
4666         }
4667
4668         switch (event) {
4669         case HCI_EV_INQUIRY_COMPLETE:
4670                 hci_inquiry_complete_evt(hdev, skb);
4671                 break;
4672
4673         case HCI_EV_INQUIRY_RESULT:
4674                 hci_inquiry_result_evt(hdev, skb);
4675                 break;
4676
4677         case HCI_EV_CONN_COMPLETE:
4678                 hci_conn_complete_evt(hdev, skb);
4679                 break;
4680
4681         case HCI_EV_CONN_REQUEST:
4682                 hci_conn_request_evt(hdev, skb);
4683                 break;
4684
4685         case HCI_EV_DISCONN_COMPLETE:
4686                 hci_disconn_complete_evt(hdev, skb);
4687                 break;
4688
4689         case HCI_EV_AUTH_COMPLETE:
4690                 hci_auth_complete_evt(hdev, skb);
4691                 break;
4692
4693         case HCI_EV_REMOTE_NAME:
4694                 hci_remote_name_evt(hdev, skb);
4695                 break;
4696
4697         case HCI_EV_ENCRYPT_CHANGE:
4698                 hci_encrypt_change_evt(hdev, skb);
4699                 break;
4700
4701         case HCI_EV_CHANGE_LINK_KEY_COMPLETE:
4702                 hci_change_link_key_complete_evt(hdev, skb);
4703                 break;
4704
4705         case HCI_EV_REMOTE_FEATURES:
4706                 hci_remote_features_evt(hdev, skb);
4707                 break;
4708
4709         case HCI_EV_CMD_COMPLETE:
4710                 hci_cmd_complete_evt(hdev, skb);
4711                 break;
4712
4713         case HCI_EV_CMD_STATUS:
4714                 hci_cmd_status_evt(hdev, skb);
4715                 break;
4716
4717         case HCI_EV_ROLE_CHANGE:
4718                 hci_role_change_evt(hdev, skb);
4719                 break;
4720
4721         case HCI_EV_NUM_COMP_PKTS:
4722                 hci_num_comp_pkts_evt(hdev, skb);
4723                 break;
4724
4725         case HCI_EV_MODE_CHANGE:
4726                 hci_mode_change_evt(hdev, skb);
4727                 break;
4728
4729         case HCI_EV_PIN_CODE_REQ:
4730                 hci_pin_code_request_evt(hdev, skb);
4731                 break;
4732
4733         case HCI_EV_LINK_KEY_REQ:
4734                 hci_link_key_request_evt(hdev, skb);
4735                 break;
4736
4737         case HCI_EV_LINK_KEY_NOTIFY:
4738                 hci_link_key_notify_evt(hdev, skb);
4739                 break;
4740
4741         case HCI_EV_CLOCK_OFFSET:
4742                 hci_clock_offset_evt(hdev, skb);
4743                 break;
4744
4745         case HCI_EV_PKT_TYPE_CHANGE:
4746                 hci_pkt_type_change_evt(hdev, skb);
4747                 break;
4748
4749         case HCI_EV_PSCAN_REP_MODE:
4750                 hci_pscan_rep_mode_evt(hdev, skb);
4751                 break;
4752
4753         case HCI_EV_INQUIRY_RESULT_WITH_RSSI:
4754                 hci_inquiry_result_with_rssi_evt(hdev, skb);
4755                 break;
4756
4757         case HCI_EV_REMOTE_EXT_FEATURES:
4758                 hci_remote_ext_features_evt(hdev, skb);
4759                 break;
4760
4761         case HCI_EV_SYNC_CONN_COMPLETE:
4762                 hci_sync_conn_complete_evt(hdev, skb);
4763                 break;
4764
4765         case HCI_EV_EXTENDED_INQUIRY_RESULT:
4766                 hci_extended_inquiry_result_evt(hdev, skb);
4767                 break;
4768
4769         case HCI_EV_KEY_REFRESH_COMPLETE:
4770                 hci_key_refresh_complete_evt(hdev, skb);
4771                 break;
4772
4773         case HCI_EV_IO_CAPA_REQUEST:
4774                 hci_io_capa_request_evt(hdev, skb);
4775                 break;
4776
4777         case HCI_EV_IO_CAPA_REPLY:
4778                 hci_io_capa_reply_evt(hdev, skb);
4779                 break;
4780
4781         case HCI_EV_USER_CONFIRM_REQUEST:
4782                 hci_user_confirm_request_evt(hdev, skb);
4783                 break;
4784
4785         case HCI_EV_USER_PASSKEY_REQUEST:
4786                 hci_user_passkey_request_evt(hdev, skb);
4787                 break;
4788
4789         case HCI_EV_USER_PASSKEY_NOTIFY:
4790                 hci_user_passkey_notify_evt(hdev, skb);
4791                 break;
4792
4793         case HCI_EV_KEYPRESS_NOTIFY:
4794                 hci_keypress_notify_evt(hdev, skb);
4795                 break;
4796
4797         case HCI_EV_SIMPLE_PAIR_COMPLETE:
4798                 hci_simple_pair_complete_evt(hdev, skb);
4799                 break;
4800
4801         case HCI_EV_REMOTE_HOST_FEATURES:
4802                 hci_remote_host_features_evt(hdev, skb);
4803                 break;
4804
4805         case HCI_EV_LE_META:
4806                 hci_le_meta_evt(hdev, skb);
4807                 break;
4808
4809         case HCI_EV_CHANNEL_SELECTED:
4810                 hci_chan_selected_evt(hdev, skb);
4811                 break;
4812
4813         case HCI_EV_REMOTE_OOB_DATA_REQUEST:
4814                 hci_remote_oob_data_request_evt(hdev, skb);
4815                 break;
4816
4817         case HCI_EV_PHY_LINK_COMPLETE:
4818                 hci_phy_link_complete_evt(hdev, skb);
4819                 break;
4820
4821         case HCI_EV_LOGICAL_LINK_COMPLETE:
4822                 hci_loglink_complete_evt(hdev, skb);
4823                 break;
4824
4825         case HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE:
4826                 hci_disconn_loglink_complete_evt(hdev, skb);
4827                 break;
4828
4829         case HCI_EV_DISCONN_PHY_LINK_COMPLETE:
4830                 hci_disconn_phylink_complete_evt(hdev, skb);
4831                 break;
4832
4833         case HCI_EV_NUM_COMP_BLOCKS:
4834                 hci_num_comp_blocks_evt(hdev, skb);
4835                 break;
4836
4837         default:
4838                 BT_DBG("%s event 0x%2.2x", hdev->name, event);
4839                 break;
4840         }
4841
4842         kfree_skb(skb);
4843         hdev->stat.evt_rx++;
4844 }
Unnamed repository; edit this file 'description' to name the repository.