net/bluetooth/hci_event.c

   1 /*
   2    BlueZ - Bluetooth protocol stack for Linux
   3    Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
   4
   5    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
   6
   7    This program is free software; you can redistribute it and/or modify
   8    it under the terms of the GNU General Public License version 2 as
   9    published by the Free Software Foundation;
  10
  11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
  12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
  14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
  15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
  16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  19
  20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
  21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
  22    SOFTWARE IS DISCLAIMED.
  23 */
  24
  25 /* Bluetooth HCI event handling. */
  26
  27 #include <asm/unaligned.h>
  28
  29 #include <net/bluetooth/bluetooth.h>
  30 #include <net/bluetooth/hci_core.h>
  31 #include <net/bluetooth/mgmt.h>
  32
  33 #include "a2mp.h"
  34 #include "amp.h"
  35
  36 /* Handle HCI Event packets */
  37
  38 static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb)
  39 {
  40         __u8 status = *((__u8 *) skb->data);
  41
  42         BT_DBG("%s status 0x%2.2x", hdev->name, status);
  43
  44         if (status)
  45                 return;
  46
  47         clear_bit(HCI_INQUIRY, &hdev->flags);
  48         smp_mb__after_clear_bit(); /* wake_up_bit advises about this barrier */
  49         wake_up_bit(&hdev->flags, HCI_INQUIRY);
  50
  51         hci_conn_check_pending(hdev);
  52 }
  53
  54 static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
  55 {
  56         __u8 status = *((__u8 *) skb->data);
  57
  58         BT_DBG("%s status 0x%2.2x", hdev->name, status);
  59
  60         if (status)
  61                 return;
  62
  63         set_bit(HCI_PERIODIC_INQ, &hdev->dev_flags);
  64 }
  65
  66 static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
  67 {
  68         __u8 status = *((__u8 *) skb->data);
  69
  70         BT_DBG("%s status 0x%2.2x", hdev->name, status);
  71
  72         if (status)
  73                 return;
  74
  75         clear_bit(HCI_PERIODIC_INQ, &hdev->dev_flags);
  76
  77         hci_conn_check_pending(hdev);
  78 }
  79
  80 static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev,
  81                                           struct sk_buff *skb)
  82 {
  83         BT_DBG("%s", hdev->name);
  84 }
  85
  86 static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb)
  87 {
  88         struct hci_rp_role_discovery *rp = (void *) skb->data;
  89         struct hci_conn *conn;
  90
  91         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
  92
  93         if (rp->status)
  94                 return;
  95
  96         hci_dev_lock(hdev);
  97
  98         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
  99         if (conn) {
 100                 if (rp->role)
 101                         conn->link_mode &= ~HCI_LM_MASTER;
 102                 else
 103                         conn->link_mode |= HCI_LM_MASTER;
 104         }
 105
 106         hci_dev_unlock(hdev);
 107 }
 108
 109 static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
 110 {
 111         struct hci_rp_read_link_policy *rp = (void *) skb->data;
 112         struct hci_conn *conn;
 113
 114         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 115
 116         if (rp->status)
 117                 return;
 118
 119         hci_dev_lock(hdev);
 120
 121         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
 122         if (conn)
 123                 conn->link_policy = __le16_to_cpu(rp->policy);
 124
 125         hci_dev_unlock(hdev);
 126 }
 127
 128 static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
 129 {
 130         struct hci_rp_write_link_policy *rp = (void *) skb->data;
 131         struct hci_conn *conn;
 132         void *sent;
 133
 134         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 135
 136         if (rp->status)
 137                 return;
 138
 139         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
 140         if (!sent)
 141                 return;
 142
 143         hci_dev_lock(hdev);
 144
 145         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
 146         if (conn)
 147                 conn->link_policy = get_unaligned_le16(sent + 2);
 148
 149         hci_dev_unlock(hdev);
 150 }
 151
 152 static void hci_cc_read_def_link_policy(struct hci_dev *hdev,
 153                                         struct sk_buff *skb)
 154 {
 155         struct hci_rp_read_def_link_policy *rp = (void *) skb->data;
 156
 157         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 158
 159         if (rp->status)
 160                 return;
 161
 162         hdev->link_policy = __le16_to_cpu(rp->policy);
 163 }
 164
 165 static void hci_cc_write_def_link_policy(struct hci_dev *hdev,
 166                                          struct sk_buff *skb)
 167 {
 168         __u8 status = *((__u8 *) skb->data);
 169         void *sent;
 170
 171         BT_DBG("%s status 0x%2.2x", hdev->name, status);
 172
 173         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
 174         if (!sent)
 175                 return;
 176
 177         if (!status)
 178                 hdev->link_policy = get_unaligned_le16(sent);
 179 }
 180
 181 static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb)
 182 {
 183         __u8 status = *((__u8 *) skb->data);
 184
 185         BT_DBG("%s status 0x%2.2x", hdev->name, status);
 186
 187         clear_bit(HCI_RESET, &hdev->flags);
 188
 189         /* Reset all non-persistent flags */
 190         hdev->dev_flags &= ~HCI_PERSISTENT_MASK;
 191
 192         hdev->discovery.state = DISCOVERY_STOPPED;
 193         hdev->inq_tx_power = HCI_TX_POWER_INVALID;
 194         hdev->adv_tx_power = HCI_TX_POWER_INVALID;
 195
 196         memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
 197         hdev->adv_data_len = 0;
 198
 199         memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
 200         hdev->scan_rsp_data_len = 0;
 201
 202         hdev->ssp_debug_mode = 0;
 203 }
 204
 205 static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb)
 206 {
 207         __u8 status = *((__u8 *) skb->data);
 208         void *sent;
 209
 210         BT_DBG("%s status 0x%2.2x", hdev->name, status);
 211
 212         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
 213         if (!sent)
 214                 return;
 215
 216         hci_dev_lock(hdev);
 217
 218         if (test_bit(HCI_MGMT, &hdev->dev_flags))
 219                 mgmt_set_local_name_complete(hdev, sent, status);
 220         else if (!status)
 221                 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
 222
 223         hci_dev_unlock(hdev);
 224 }
 225
 226 static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)
 227 {
 228         struct hci_rp_read_local_name *rp = (void *) skb->data;
 229
 230         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 231
 232         if (rp->status)
 233                 return;
 234
 235         if (test_bit(HCI_SETUP, &hdev->dev_flags))
 236                 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
 237 }
 238
 239 static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb)
 240 {
 241         __u8 status = *((__u8 *) skb->data);
 242         void *sent;
 243
 244         BT_DBG("%s status 0x%2.2x", hdev->name, status);
 245
 246         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
 247         if (!sent)
 248                 return;
 249
 250         if (!status) {
 251                 __u8 param = *((__u8 *) sent);
 252
 253                 if (param == AUTH_ENABLED)
 254                         set_bit(HCI_AUTH, &hdev->flags);
 255                 else
 256                         clear_bit(HCI_AUTH, &hdev->flags);
 257         }
 258
 259         if (test_bit(HCI_MGMT, &hdev->dev_flags))
 260                 mgmt_auth_enable_complete(hdev, status);
 261 }
 262
 263 static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb)
 264 {
 265         __u8 status = *((__u8 *) skb->data);
 266         void *sent;
 267
 268         BT_DBG("%s status 0x%2.2x", hdev->name, status);
 269
 270         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
 271         if (!sent)
 272                 return;
 273
 274         if (!status) {
 275                 __u8 param = *((__u8 *) sent);
 276
 277                 if (param)
 278                         set_bit(HCI_ENCRYPT, &hdev->flags);
 279                 else
 280                         clear_bit(HCI_ENCRYPT, &hdev->flags);
 281         }
 282 }
 283
 284 static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb)
 285 {
 286         __u8 param, status = *((__u8 *) skb->data);
 287         int old_pscan, old_iscan;
 288         void *sent;
 289
 290         BT_DBG("%s status 0x%2.2x", hdev->name, status);
 291
 292         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
 293         if (!sent)
 294                 return;
 295
 296         param = *((__u8 *) sent);
 297
 298         hci_dev_lock(hdev);
 299
 300         if (status) {
 301                 mgmt_write_scan_failed(hdev, param, status);
 302                 hdev->discov_timeout = 0;
 303                 goto done;
 304         }
 305
 306         /* We need to ensure that we set this back on if someone changed
 307          * the scan mode through a raw HCI socket.
 308          */
 309         set_bit(HCI_BREDR_ENABLED, &hdev->dev_flags);
 310
 311         old_pscan = test_and_clear_bit(HCI_PSCAN, &hdev->flags);
 312         old_iscan = test_and_clear_bit(HCI_ISCAN, &hdev->flags);
 313
 314         if (param & SCAN_INQUIRY) {
 315                 set_bit(HCI_ISCAN, &hdev->flags);
 316                 if (!old_iscan)
 317                         mgmt_discoverable(hdev, 1);
 318         } else if (old_iscan)
 319                 mgmt_discoverable(hdev, 0);
 320
 321         if (param & SCAN_PAGE) {
 322                 set_bit(HCI_PSCAN, &hdev->flags);
 323                 if (!old_pscan)
 324                         mgmt_connectable(hdev, 1);
 325         } else if (old_pscan)
 326                 mgmt_connectable(hdev, 0);
 327
 328 done:
 329         hci_dev_unlock(hdev);
 330 }
 331
 332 static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
 333 {
 334         struct hci_rp_read_class_of_dev *rp = (void *) skb->data;
 335
 336         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 337
 338         if (rp->status)
 339                 return;
 340
 341         memcpy(hdev->dev_class, rp->dev_class, 3);
 342
 343         BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name,
 344                hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]);
 345 }
 346
 347 static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
 348 {
 349         __u8 status = *((__u8 *) skb->data);
 350         void *sent;
 351
 352         BT_DBG("%s status 0x%2.2x", hdev->name, status);
 353
 354         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
 355         if (!sent)
 356                 return;
 357
 358         hci_dev_lock(hdev);
 359
 360         if (status == 0)
 361                 memcpy(hdev->dev_class, sent, 3);
 362
 363         if (test_bit(HCI_MGMT, &hdev->dev_flags))
 364                 mgmt_set_class_of_dev_complete(hdev, sent, status);
 365
 366         hci_dev_unlock(hdev);
 367 }
 368
 369 static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb)
 370 {
 371         struct hci_rp_read_voice_setting *rp = (void *) skb->data;
 372         __u16 setting;
 373
 374         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 375
 376         if (rp->status)
 377                 return;
 378
 379         setting = __le16_to_cpu(rp->voice_setting);
 380
 381         if (hdev->voice_setting == setting)
 382                 return;
 383
 384         hdev->voice_setting = setting;
 385
 386         BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
 387
 388         if (hdev->notify)
 389                 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
 390 }
 391
 392 static void hci_cc_write_voice_setting(struct hci_dev *hdev,
 393                                        struct sk_buff *skb)
 394 {
 395         __u8 status = *((__u8 *) skb->data);
 396         __u16 setting;
 397         void *sent;
 398
 399         BT_DBG("%s status 0x%2.2x", hdev->name, status);
 400
 401         if (status)
 402                 return;
 403
 404         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
 405         if (!sent)
 406                 return;
 407
 408         setting = get_unaligned_le16(sent);
 409
 410         if (hdev->voice_setting == setting)
 411                 return;
 412
 413         hdev->voice_setting = setting;
 414
 415         BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
 416
 417         if (hdev->notify)
 418                 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
 419 }
 420
 421 static void hci_cc_read_num_supported_iac(struct hci_dev *hdev,
 422                                           struct sk_buff *skb)
 423 {
 424         struct hci_rp_read_num_supported_iac *rp = (void *) skb->data;
 425
 426         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 427
 428         if (rp->status)
 429                 return;
 430
 431         hdev->num_iac = rp->num_iac;
 432
 433         BT_DBG("%s num iac %d", hdev->name, hdev->num_iac);
 434 }
 435
 436 static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
 437 {
 438         __u8 status = *((__u8 *) skb->data);
 439         struct hci_cp_write_ssp_mode *sent;
 440
 441         BT_DBG("%s status 0x%2.2x", hdev->name, status);
 442
 443         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
 444         if (!sent)
 445                 return;
 446
 447         if (!status) {
 448                 if (sent->mode)
 449                         hdev->features[1][0] |= LMP_HOST_SSP;
 450                 else
 451                         hdev->features[1][0] &= ~LMP_HOST_SSP;
 452         }
 453
 454         if (test_bit(HCI_MGMT, &hdev->dev_flags))
 455                 mgmt_ssp_enable_complete(hdev, sent->mode, status);
 456         else if (!status) {
 457                 if (sent->mode)
 458                         set_bit(HCI_SSP_ENABLED, &hdev->dev_flags);
 459                 else
 460                         clear_bit(HCI_SSP_ENABLED, &hdev->dev_flags);
 461         }
 462 }
 463
 464 static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb)
 465 {
 466         u8 status = *((u8 *) skb->data);
 467         struct hci_cp_write_sc_support *sent;
 468
 469         BT_DBG("%s status 0x%2.2x", hdev->name, status);
 470
 471         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
 472         if (!sent)
 473                 return;
 474
 475         if (!status) {
 476                 if (sent->support)
 477                         hdev->features[1][0] |= LMP_HOST_SC;
 478                 else
 479                         hdev->features[1][0] &= ~LMP_HOST_SC;
 480         }
 481
 482         if (test_bit(HCI_MGMT, &hdev->dev_flags))
 483                 mgmt_sc_enable_complete(hdev, sent->support, status);
 484         else if (!status) {
 485                 if (sent->support)
 486                         set_bit(HCI_SC_ENABLED, &hdev->dev_flags);
 487                 else
 488                         clear_bit(HCI_SC_ENABLED, &hdev->dev_flags);
 489         }
 490 }
 491
 492 static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb)
 493 {
 494         struct hci_rp_read_local_version *rp = (void *) skb->data;
 495
 496         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 497
 498         if (rp->status)
 499                 return;
 500
 501         if (test_bit(HCI_SETUP, &hdev->dev_flags)) {
 502                 hdev->hci_ver = rp->hci_ver;
 503                 hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
 504                 hdev->lmp_ver = rp->lmp_ver;
 505                 hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
 506                 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
 507         }
 508 }
 509
 510 static void hci_cc_read_local_commands(struct hci_dev *hdev,
 511                                        struct sk_buff *skb)
 512 {
 513         struct hci_rp_read_local_commands *rp = (void *) skb->data;
 514
 515         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 516
 517         if (rp->status)
 518                 return;
 519
 520         if (test_bit(HCI_SETUP, &hdev->dev_flags))
 521                 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
 522 }
 523
 524 static void hci_cc_read_local_features(struct hci_dev *hdev,
 525                                        struct sk_buff *skb)
 526 {
 527         struct hci_rp_read_local_features *rp = (void *) skb->data;
 528
 529         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 530
 531         if (rp->status)
 532                 return;
 533
 534         memcpy(hdev->features, rp->features, 8);
 535
 536         /* Adjust default settings according to features
 537          * supported by device. */
 538
 539         if (hdev->features[0][0] & LMP_3SLOT)
 540                 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
 541
 542         if (hdev->features[0][0] & LMP_5SLOT)
 543                 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
 544
 545         if (hdev->features[0][1] & LMP_HV2) {
 546                 hdev->pkt_type  |= (HCI_HV2);
 547                 hdev->esco_type |= (ESCO_HV2);
 548         }
 549
 550         if (hdev->features[0][1] & LMP_HV3) {
 551                 hdev->pkt_type  |= (HCI_HV3);
 552                 hdev->esco_type |= (ESCO_HV3);
 553         }
 554
 555         if (lmp_esco_capable(hdev))
 556                 hdev->esco_type |= (ESCO_EV3);
 557
 558         if (hdev->features[0][4] & LMP_EV4)
 559                 hdev->esco_type |= (ESCO_EV4);
 560
 561         if (hdev->features[0][4] & LMP_EV5)
 562                 hdev->esco_type |= (ESCO_EV5);
 563
 564         if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
 565                 hdev->esco_type |= (ESCO_2EV3);
 566
 567         if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
 568                 hdev->esco_type |= (ESCO_3EV3);
 569
 570         if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
 571                 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
 572 }
 573
 574 static void hci_cc_read_local_ext_features(struct hci_dev *hdev,
 575                                            struct sk_buff *skb)
 576 {
 577         struct hci_rp_read_local_ext_features *rp = (void *) skb->data;
 578
 579         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 580
 581         if (rp->status)
 582                 return;
 583
 584         if (hdev->max_page < rp->max_page)
 585                 hdev->max_page = rp->max_page;
 586
 587         if (rp->page < HCI_MAX_PAGES)
 588                 memcpy(hdev->features[rp->page], rp->features, 8);
 589 }
 590
 591 static void hci_cc_read_flow_control_mode(struct hci_dev *hdev,
 592                                           struct sk_buff *skb)
 593 {
 594         struct hci_rp_read_flow_control_mode *rp = (void *) skb->data;
 595
 596         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 597
 598         if (!rp->status)
 599                 hdev->flow_ctl_mode = rp->mode;
 600 }
 601
 602 static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)
 603 {
 604         struct hci_rp_read_buffer_size *rp = (void *) skb->data;
 605
 606         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 607
 608         if (rp->status)
 609                 return;
 610
 611         hdev->acl_mtu  = __le16_to_cpu(rp->acl_mtu);
 612         hdev->sco_mtu  = rp->sco_mtu;
 613         hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
 614         hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
 615
 616         if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
 617                 hdev->sco_mtu  = 64;
 618                 hdev->sco_pkts = 8;
 619         }
 620
 621         hdev->acl_cnt = hdev->acl_pkts;
 622         hdev->sco_cnt = hdev->sco_pkts;
 623
 624         BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
 625                hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
 626 }
 627
 628 static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb)
 629 {
 630         struct hci_rp_read_bd_addr *rp = (void *) skb->data;
 631
 632         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 633
 634         if (!rp->status)
 635                 bacpy(&hdev->bdaddr, &rp->bdaddr);
 636 }
 637
 638 static void hci_cc_read_page_scan_activity(struct hci_dev *hdev,
 639                                            struct sk_buff *skb)
 640 {
 641         struct hci_rp_read_page_scan_activity *rp = (void *) skb->data;
 642
 643         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 644
 645         if (test_bit(HCI_INIT, &hdev->flags) && !rp->status) {
 646                 hdev->page_scan_interval = __le16_to_cpu(rp->interval);
 647                 hdev->page_scan_window = __le16_to_cpu(rp->window);
 648         }
 649 }
 650
 651 static void hci_cc_write_page_scan_activity(struct hci_dev *hdev,
 652                                             struct sk_buff *skb)
 653 {
 654         u8 status = *((u8 *) skb->data);
 655         struct hci_cp_write_page_scan_activity *sent;
 656
 657         BT_DBG("%s status 0x%2.2x", hdev->name, status);
 658
 659         if (status)
 660                 return;
 661
 662         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
 663         if (!sent)
 664                 return;
 665
 666         hdev->page_scan_interval = __le16_to_cpu(sent->interval);
 667         hdev->page_scan_window = __le16_to_cpu(sent->window);
 668 }
 669
 670 static void hci_cc_read_page_scan_type(struct hci_dev *hdev,
 671                                            struct sk_buff *skb)
 672 {
 673         struct hci_rp_read_page_scan_type *rp = (void *) skb->data;
 674
 675         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 676
 677         if (test_bit(HCI_INIT, &hdev->flags) && !rp->status)
 678                 hdev->page_scan_type = rp->type;
 679 }
 680
 681 static void hci_cc_write_page_scan_type(struct hci_dev *hdev,
 682                                         struct sk_buff *skb)
 683 {
 684         u8 status = *((u8 *) skb->data);
 685         u8 *type;
 686
 687         BT_DBG("%s status 0x%2.2x", hdev->name, status);
 688
 689         if (status)
 690                 return;
 691
 692         type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
 693         if (type)
 694                 hdev->page_scan_type = *type;
 695 }
 696
 697 static void hci_cc_read_data_block_size(struct hci_dev *hdev,
 698                                         struct sk_buff *skb)
 699 {
 700         struct hci_rp_read_data_block_size *rp = (void *) skb->data;
 701
 702         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 703
 704         if (rp->status)
 705                 return;
 706
 707         hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
 708         hdev->block_len = __le16_to_cpu(rp->block_len);
 709         hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
 710
 711         hdev->block_cnt = hdev->num_blocks;
 712
 713         BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
 714                hdev->block_cnt, hdev->block_len);
 715 }
 716
 717 static void hci_cc_read_local_amp_info(struct hci_dev *hdev,
 718                                        struct sk_buff *skb)
 719 {
 720         struct hci_rp_read_local_amp_info *rp = (void *) skb->data;
 721
 722         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 723
 724         if (rp->status)
 725                 goto a2mp_rsp;
 726
 727         hdev->amp_status = rp->amp_status;
 728         hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
 729         hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
 730         hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
 731         hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
 732         hdev->amp_type = rp->amp_type;
 733         hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
 734         hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
 735         hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
 736         hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
 737
 738 a2mp_rsp:
 739         a2mp_send_getinfo_rsp(hdev);
 740 }
 741
 742 static void hci_cc_read_local_amp_assoc(struct hci_dev *hdev,
 743                                         struct sk_buff *skb)
 744 {
 745         struct hci_rp_read_local_amp_assoc *rp = (void *) skb->data;
 746         struct amp_assoc *assoc = &hdev->loc_assoc;
 747         size_t rem_len, frag_len;
 748
 749         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 750
 751         if (rp->status)
 752                 goto a2mp_rsp;
 753
 754         frag_len = skb->len - sizeof(*rp);
 755         rem_len = __le16_to_cpu(rp->rem_len);
 756
 757         if (rem_len > frag_len) {
 758                 BT_DBG("frag_len %zu rem_len %zu", frag_len, rem_len);
 759
 760                 memcpy(assoc->data + assoc->offset, rp->frag, frag_len);
 761                 assoc->offset += frag_len;
 762
 763                 /* Read other fragments */
 764                 amp_read_loc_assoc_frag(hdev, rp->phy_handle);
 765
 766                 return;
 767         }
 768
 769         memcpy(assoc->data + assoc->offset, rp->frag, rem_len);
 770         assoc->len = assoc->offset + rem_len;
 771         assoc->offset = 0;
 772
 773 a2mp_rsp:
 774         /* Send A2MP Rsp when all fragments are received */
 775         a2mp_send_getampassoc_rsp(hdev, rp->status);
 776         a2mp_send_create_phy_link_req(hdev, rp->status);
 777 }
 778
 779 static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev,
 780                                          struct sk_buff *skb)
 781 {
 782         struct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data;
 783
 784         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 785
 786         if (!rp->status)
 787                 hdev->inq_tx_power = rp->tx_power;
 788 }
 789
 790 static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb)
 791 {
 792         struct hci_rp_pin_code_reply *rp = (void *) skb->data;
 793         struct hci_cp_pin_code_reply *cp;
 794         struct hci_conn *conn;
 795
 796         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 797
 798         hci_dev_lock(hdev);
 799
 800         if (test_bit(HCI_MGMT, &hdev->dev_flags))
 801                 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
 802
 803         if (rp->status)
 804                 goto unlock;
 805
 806         cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
 807         if (!cp)
 808                 goto unlock;
 809
 810         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
 811         if (conn)
 812                 conn->pin_length = cp->pin_len;
 813
 814 unlock:
 815         hci_dev_unlock(hdev);
 816 }
 817
 818 static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)
 819 {
 820         struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data;
 821
 822         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 823
 824         hci_dev_lock(hdev);
 825
 826         if (test_bit(HCI_MGMT, &hdev->dev_flags))
 827                 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
 828                                                  rp->status);
 829
 830         hci_dev_unlock(hdev);
 831 }
 832
 833 static void hci_cc_le_read_buffer_size(struct hci_dev *hdev,
 834                                        struct sk_buff *skb)
 835 {
 836         struct hci_rp_le_read_buffer_size *rp = (void *) skb->data;
 837
 838         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 839
 840         if (rp->status)
 841                 return;
 842
 843         hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
 844         hdev->le_pkts = rp->le_max_pkt;
 845
 846         hdev->le_cnt = hdev->le_pkts;
 847
 848         BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
 849 }
 850
 851 static void hci_cc_le_read_local_features(struct hci_dev *hdev,
 852                                           struct sk_buff *skb)
 853 {
 854         struct hci_rp_le_read_local_features *rp = (void *) skb->data;
 855
 856         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 857
 858         if (!rp->status)
 859                 memcpy(hdev->le_features, rp->features, 8);
 860 }
 861
 862 static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev,
 863                                         struct sk_buff *skb)
 864 {
 865         struct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data;
 866
 867         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 868
 869         if (!rp->status)
 870                 hdev->adv_tx_power = rp->tx_power;
 871 }
 872
 873 static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb)
 874 {
 875         struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
 876
 877         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 878
 879         hci_dev_lock(hdev);
 880
 881         if (test_bit(HCI_MGMT, &hdev->dev_flags))
 882                 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
 883                                                  rp->status);
 884
 885         hci_dev_unlock(hdev);
 886 }
 887
 888 static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev,
 889                                           struct sk_buff *skb)
 890 {
 891         struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
 892
 893         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 894
 895         hci_dev_lock(hdev);
 896
 897         if (test_bit(HCI_MGMT, &hdev->dev_flags))
 898                 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
 899                                                      ACL_LINK, 0, rp->status);
 900
 901         hci_dev_unlock(hdev);
 902 }
 903
 904 static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb)
 905 {
 906         struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
 907
 908         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 909
 910         hci_dev_lock(hdev);
 911
 912         if (test_bit(HCI_MGMT, &hdev->dev_flags))
 913                 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
 914                                                  0, rp->status);
 915
 916         hci_dev_unlock(hdev);
 917 }
 918
 919 static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev,
 920                                           struct sk_buff *skb)
 921 {
 922         struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
 923
 924         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 925
 926         hci_dev_lock(hdev);
 927
 928         if (test_bit(HCI_MGMT, &hdev->dev_flags))
 929                 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
 930                                                      ACL_LINK, 0, rp->status);
 931
 932         hci_dev_unlock(hdev);
 933 }
 934
 935 static void hci_cc_read_local_oob_data(struct hci_dev *hdev,
 936                                        struct sk_buff *skb)
 937 {
 938         struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
 939
 940         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 941
 942         hci_dev_lock(hdev);
 943         mgmt_read_local_oob_data_complete(hdev, rp->hash, rp->randomizer,
 944                                           NULL, NULL, rp->status);
 945         hci_dev_unlock(hdev);
 946 }
 947
 948 static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev,
 949                                            struct sk_buff *skb)
 950 {
 951         struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
 952
 953         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 954
 955         hci_dev_lock(hdev);
 956         mgmt_read_local_oob_data_complete(hdev, rp->hash192, rp->randomizer192,
 957                                           rp->hash256, rp->randomizer256,
 958                                           rp->status);
 959         hci_dev_unlock(hdev);
 960 }
 961
 962
 963 static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb)
 964 {
 965         __u8 status = *((__u8 *) skb->data);
 966         bdaddr_t *sent;
 967
 968         BT_DBG("%s status 0x%2.2x", hdev->name, status);
 969
 970         sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
 971         if (!sent)
 972                 return;
 973
 974         hci_dev_lock(hdev);
 975
 976         if (!status)
 977                 bacpy(&hdev->random_addr, sent);
 978
 979         hci_dev_unlock(hdev);
 980 }
 981
 982 static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb)
 983 {
 984         __u8 *sent, status = *((__u8 *) skb->data);
 985
 986         BT_DBG("%s status 0x%2.2x", hdev->name, status);
 987
 988         sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
 989         if (!sent)
 990                 return;
 991
 992         hci_dev_lock(hdev);
 993
 994         if (!status)
 995                 mgmt_advertising(hdev, *sent);
 996
 997         hci_dev_unlock(hdev);
 998 }
 999
1000 static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
1001                                       struct sk_buff *skb)
1002 {
1003         struct hci_cp_le_set_scan_enable *cp;
1004         __u8 status = *((__u8 *) skb->data);
1005
1006         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1007
1008         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1009         if (!cp)
1010                 return;
1011
1012         if (status)
1013                 return;
1014
1015         switch (cp->enable) {
1016         case LE_SCAN_ENABLE:
1017                 set_bit(HCI_LE_SCAN, &hdev->dev_flags);
1018                 break;
1019
1020         case LE_SCAN_DISABLE:
1021                 /* Cancel this timer so that we don't try to disable scanning
1022                  * when it's already disabled.
1023                  */
1024                 cancel_delayed_work(&hdev->le_scan_disable);
1025
1026                 clear_bit(HCI_LE_SCAN, &hdev->dev_flags);
1027                 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1028                  * interrupted scanning due to a connect request. Mark
1029                  * therefore discovery as stopped.
1030                  */
1031                 if (test_and_clear_bit(HCI_LE_SCAN_INTERRUPTED,
1032                                        &hdev->dev_flags))
1033                         hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1034                 break;
1035
1036         default:
1037                 BT_ERR("Used reserved LE_Scan_Enable param %d", cp->enable);
1038                 break;
1039         }
1040 }
1041
1042 static void hci_cc_le_read_white_list_size(struct hci_dev *hdev,
1043                                            struct sk_buff *skb)
1044 {
1045         struct hci_rp_le_read_white_list_size *rp = (void *) skb->data;
1046
1047         BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1048
1049         if (!rp->status)
1050                 hdev->le_white_list_size = rp->size;
1051 }
1052
1053 static void hci_cc_le_clear_white_list(struct hci_dev *hdev,
1054                                        struct sk_buff *skb)
1055 {
1056         __u8 status = *((__u8 *) skb->data);
1057
1058         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1059
1060         if (!status)
1061                 hci_white_list_clear(hdev);
1062 }
1063
1064 static void hci_cc_le_add_to_white_list(struct hci_dev *hdev,
1065                                         struct sk_buff *skb)
1066 {
1067         struct hci_cp_le_add_to_white_list *sent;
1068         __u8 status = *((__u8 *) skb->data);
1069
1070         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1071
1072         sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_WHITE_LIST);
1073         if (!sent)
1074                 return;
1075
1076         if (!status)
1077                 hci_white_list_add(hdev, &sent->bdaddr, sent->bdaddr_type);
1078 }
1079
1080 static void hci_cc_le_del_from_white_list(struct hci_dev *hdev,
1081                                           struct sk_buff *skb)
1082 {
1083         struct hci_cp_le_del_from_white_list *sent;
1084         __u8 status = *((__u8 *) skb->data);
1085
1086         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1087
1088         sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_WHITE_LIST);
1089         if (!sent)
1090                 return;
1091
1092         if (!status)
1093                 hci_white_list_del(hdev, &sent->bdaddr, sent->bdaddr_type);
1094 }
1095
1096 static void hci_cc_le_read_supported_states(struct hci_dev *hdev,
1097                                             struct sk_buff *skb)
1098 {
1099         struct hci_rp_le_read_supported_states *rp = (void *) skb->data;
1100
1101         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1102
1103         if (!rp->status)
1104                 memcpy(hdev->le_states, rp->le_states, 8);
1105 }
1106
1107 static void hci_cc_write_le_host_supported(struct hci_dev *hdev,
1108                                            struct sk_buff *skb)
1109 {
1110         struct hci_cp_write_le_host_supported *sent;
1111         __u8 status = *((__u8 *) skb->data);
1112
1113         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1114
1115         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
1116         if (!sent)
1117                 return;
1118
1119         if (!status) {
1120                 if (sent->le) {
1121                         hdev->features[1][0] |= LMP_HOST_LE;
1122                         set_bit(HCI_LE_ENABLED, &hdev->dev_flags);
1123                 } else {
1124                         hdev->features[1][0] &= ~LMP_HOST_LE;
1125                         clear_bit(HCI_LE_ENABLED, &hdev->dev_flags);
1126                         clear_bit(HCI_ADVERTISING, &hdev->dev_flags);
1127                 }
1128
1129                 if (sent->simul)
1130                         hdev->features[1][0] |= LMP_HOST_LE_BREDR;
1131                 else
1132                         hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
1133         }
1134 }
1135
1136 static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1137 {
1138         struct hci_cp_le_set_adv_param *cp;
1139         u8 status = *((u8 *) skb->data);
1140
1141         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1142
1143         if (status)
1144                 return;
1145
1146         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
1147         if (!cp)
1148                 return;
1149
1150         hci_dev_lock(hdev);
1151         hdev->adv_addr_type = cp->own_address_type;
1152         hci_dev_unlock(hdev);
1153 }
1154
1155 static void hci_cc_write_remote_amp_assoc(struct hci_dev *hdev,
1156                                           struct sk_buff *skb)
1157 {
1158         struct hci_rp_write_remote_amp_assoc *rp = (void *) skb->data;
1159
1160         BT_DBG("%s status 0x%2.2x phy_handle 0x%2.2x",
1161                hdev->name, rp->status, rp->phy_handle);
1162
1163         if (rp->status)
1164                 return;
1165
1166         amp_write_rem_assoc_continue(hdev, rp->phy_handle);
1167 }
1168
1169 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
1170 {
1171         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1172
1173         if (status) {
1174                 hci_conn_check_pending(hdev);
1175                 return;
1176         }
1177
1178         set_bit(HCI_INQUIRY, &hdev->flags);
1179 }
1180
1181 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
1182 {
1183         struct hci_cp_create_conn *cp;
1184         struct hci_conn *conn;
1185
1186         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1187
1188         cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
1189         if (!cp)
1190                 return;
1191
1192         hci_dev_lock(hdev);
1193
1194         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1195
1196         BT_DBG("%s bdaddr %pMR hcon %p", hdev->name, &cp->bdaddr, conn);
1197
1198         if (status) {
1199                 if (conn && conn->state == BT_CONNECT) {
1200                         if (status != 0x0c || conn->attempt > 2) {
1201                                 conn->state = BT_CLOSED;
1202                                 hci_proto_connect_cfm(conn, status);
1203                                 hci_conn_del(conn);
1204                         } else
1205                                 conn->state = BT_CONNECT2;
1206                 }
1207         } else {
1208                 if (!conn) {
1209                         conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr);
1210                         if (conn) {
1211                                 conn->out = true;
1212                                 conn->link_mode |= HCI_LM_MASTER;
1213                         } else
1214                                 BT_ERR("No memory for new connection");
1215                 }
1216         }
1217
1218         hci_dev_unlock(hdev);
1219 }
1220
1221 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
1222 {
1223         struct hci_cp_add_sco *cp;
1224         struct hci_conn *acl, *sco;
1225         __u16 handle;
1226
1227         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1228
1229         if (!status)
1230                 return;
1231
1232         cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
1233         if (!cp)
1234                 return;
1235
1236         handle = __le16_to_cpu(cp->handle);
1237
1238         BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1239
1240         hci_dev_lock(hdev);
1241
1242         acl = hci_conn_hash_lookup_handle(hdev, handle);
1243         if (acl) {
1244                 sco = acl->link;
1245                 if (sco) {
1246                         sco->state = BT_CLOSED;
1247
1248                         hci_proto_connect_cfm(sco, status);
1249                         hci_conn_del(sco);
1250                 }
1251         }
1252
1253         hci_dev_unlock(hdev);
1254 }
1255
1256 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
1257 {
1258         struct hci_cp_auth_requested *cp;
1259         struct hci_conn *conn;
1260
1261         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1262
1263         if (!status)
1264                 return;
1265
1266         cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
1267         if (!cp)
1268                 return;
1269
1270         hci_dev_lock(hdev);
1271
1272         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1273         if (conn) {
1274                 if (conn->state == BT_CONFIG) {
1275                         hci_proto_connect_cfm(conn, status);
1276                         hci_conn_drop(conn);
1277                 }
1278         }
1279
1280         hci_dev_unlock(hdev);
1281 }
1282
1283 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
1284 {
1285         struct hci_cp_set_conn_encrypt *cp;
1286         struct hci_conn *conn;
1287
1288         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1289
1290         if (!status)
1291                 return;
1292
1293         cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
1294         if (!cp)
1295                 return;
1296
1297         hci_dev_lock(hdev);
1298
1299         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1300         if (conn) {
1301                 if (conn->state == BT_CONFIG) {
1302                         hci_proto_connect_cfm(conn, status);
1303                         hci_conn_drop(conn);
1304                 }
1305         }
1306
1307         hci_dev_unlock(hdev);
1308 }
1309
1310 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
1311                                     struct hci_conn *conn)
1312 {
1313         if (conn->state != BT_CONFIG || !conn->out)
1314                 return 0;
1315
1316         if (conn->pending_sec_level == BT_SECURITY_SDP)
1317                 return 0;
1318
1319         /* Only request authentication for SSP connections or non-SSP
1320          * devices with sec_level MEDIUM or HIGH or if MITM protection
1321          * is requested.
1322          */
1323         if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
1324             conn->pending_sec_level != BT_SECURITY_HIGH &&
1325             conn->pending_sec_level != BT_SECURITY_MEDIUM)
1326                 return 0;
1327
1328         return 1;
1329 }
1330
1331 static int hci_resolve_name(struct hci_dev *hdev,
1332                                    struct inquiry_entry *e)
1333 {
1334         struct hci_cp_remote_name_req cp;
1335
1336         memset(&cp, 0, sizeof(cp));
1337
1338         bacpy(&cp.bdaddr, &e->data.bdaddr);
1339         cp.pscan_rep_mode = e->data.pscan_rep_mode;
1340         cp.pscan_mode = e->data.pscan_mode;
1341         cp.clock_offset = e->data.clock_offset;
1342
1343         return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
1344 }
1345
1346 static bool hci_resolve_next_name(struct hci_dev *hdev)
1347 {
1348         struct discovery_state *discov = &hdev->discovery;
1349         struct inquiry_entry *e;
1350
1351         if (list_empty(&discov->resolve))
1352                 return false;
1353
1354         e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
1355         if (!e)
1356                 return false;
1357
1358         if (hci_resolve_name(hdev, e) == 0) {
1359                 e->name_state = NAME_PENDING;
1360                 return true;
1361         }
1362
1363         return false;
1364 }
1365
1366 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
1367                                    bdaddr_t *bdaddr, u8 *name, u8 name_len)
1368 {
1369         struct discovery_state *discov = &hdev->discovery;
1370         struct inquiry_entry *e;
1371
1372         if (conn && !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
1373                 mgmt_device_connected(hdev, bdaddr, ACL_LINK, 0x00, 0, name,
1374                                       name_len, conn->dev_class);
1375
1376         if (discov->state == DISCOVERY_STOPPED)
1377                 return;
1378
1379         if (discov->state == DISCOVERY_STOPPING)
1380                 goto discov_complete;
1381
1382         if (discov->state != DISCOVERY_RESOLVING)
1383                 return;
1384
1385         e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
1386         /* If the device was not found in a list of found devices names of which
1387          * are pending. there is no need to continue resolving a next name as it
1388          * will be done upon receiving another Remote Name Request Complete
1389          * Event */
1390         if (!e)
1391                 return;
1392
1393         list_del(&e->list);
1394         if (name) {
1395                 e->name_state = NAME_KNOWN;
1396                 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,
1397                                  e->data.rssi, name, name_len);
1398         } else {
1399                 e->name_state = NAME_NOT_KNOWN;
1400         }
1401
1402         if (hci_resolve_next_name(hdev))
1403                 return;
1404
1405 discov_complete:
1406         hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1407 }
1408
1409 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
1410 {
1411         struct hci_cp_remote_name_req *cp;
1412         struct hci_conn *conn;
1413
1414         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1415
1416         /* If successful wait for the name req complete event before
1417          * checking for the need to do authentication */
1418         if (!status)
1419                 return;
1420
1421         cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
1422         if (!cp)
1423                 return;
1424
1425         hci_dev_lock(hdev);
1426
1427         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1428
1429         if (test_bit(HCI_MGMT, &hdev->dev_flags))
1430                 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
1431
1432         if (!conn)
1433                 goto unlock;
1434
1435         if (!hci_outgoing_auth_needed(hdev, conn))
1436                 goto unlock;
1437
1438         if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
1439                 struct hci_cp_auth_requested auth_cp;
1440
1441                 auth_cp.handle = __cpu_to_le16(conn->handle);
1442                 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
1443                              sizeof(auth_cp), &auth_cp);
1444         }
1445
1446 unlock:
1447         hci_dev_unlock(hdev);
1448 }
1449
1450 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
1451 {
1452         struct hci_cp_read_remote_features *cp;
1453         struct hci_conn *conn;
1454
1455         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1456
1457         if (!status)
1458                 return;
1459
1460         cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
1461         if (!cp)
1462                 return;
1463
1464         hci_dev_lock(hdev);
1465
1466         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1467         if (conn) {
1468                 if (conn->state == BT_CONFIG) {
1469                         hci_proto_connect_cfm(conn, status);
1470                         hci_conn_drop(conn);
1471                 }
1472         }
1473
1474         hci_dev_unlock(hdev);
1475 }
1476
1477 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
1478 {
1479         struct hci_cp_read_remote_ext_features *cp;
1480         struct hci_conn *conn;
1481
1482         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1483
1484         if (!status)
1485                 return;
1486
1487         cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
1488         if (!cp)
1489                 return;
1490
1491         hci_dev_lock(hdev);
1492
1493         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1494         if (conn) {
1495                 if (conn->state == BT_CONFIG) {
1496                         hci_proto_connect_cfm(conn, status);
1497                         hci_conn_drop(conn);
1498                 }
1499         }
1500
1501         hci_dev_unlock(hdev);
1502 }
1503
1504 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
1505 {
1506         struct hci_cp_setup_sync_conn *cp;
1507         struct hci_conn *acl, *sco;
1508         __u16 handle;
1509
1510         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1511
1512         if (!status)
1513                 return;
1514
1515         cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
1516         if (!cp)
1517                 return;
1518
1519         handle = __le16_to_cpu(cp->handle);
1520
1521         BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1522
1523         hci_dev_lock(hdev);
1524
1525         acl = hci_conn_hash_lookup_handle(hdev, handle);
1526         if (acl) {
1527                 sco = acl->link;
1528                 if (sco) {
1529                         sco->state = BT_CLOSED;
1530
1531                         hci_proto_connect_cfm(sco, status);
1532                         hci_conn_del(sco);
1533                 }
1534         }
1535
1536         hci_dev_unlock(hdev);
1537 }
1538
1539 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
1540 {
1541         struct hci_cp_sniff_mode *cp;
1542         struct hci_conn *conn;
1543
1544         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1545
1546         if (!status)
1547                 return;
1548
1549         cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
1550         if (!cp)
1551                 return;
1552
1553         hci_dev_lock(hdev);
1554
1555         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1556         if (conn) {
1557                 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
1558
1559                 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
1560                         hci_sco_setup(conn, status);
1561         }
1562
1563         hci_dev_unlock(hdev);
1564 }
1565
1566 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
1567 {
1568         struct hci_cp_exit_sniff_mode *cp;
1569         struct hci_conn *conn;
1570
1571         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1572
1573         if (!status)
1574                 return;
1575
1576         cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
1577         if (!cp)
1578                 return;
1579
1580         hci_dev_lock(hdev);
1581
1582         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1583         if (conn) {
1584                 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
1585
1586                 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
1587                         hci_sco_setup(conn, status);
1588         }
1589
1590         hci_dev_unlock(hdev);
1591 }
1592
1593 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
1594 {
1595         struct hci_cp_disconnect *cp;
1596         struct hci_conn *conn;
1597
1598         if (!status)
1599                 return;
1600
1601         cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
1602         if (!cp)
1603                 return;
1604
1605         hci_dev_lock(hdev);
1606
1607         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1608         if (conn)
1609                 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
1610                                        conn->dst_type, status);
1611
1612         hci_dev_unlock(hdev);
1613 }
1614
1615 static void hci_cs_create_phylink(struct hci_dev *hdev, u8 status)
1616 {
1617         struct hci_cp_create_phy_link *cp;
1618
1619         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1620
1621         cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_PHY_LINK);
1622         if (!cp)
1623                 return;
1624
1625         hci_dev_lock(hdev);
1626
1627         if (status) {
1628                 struct hci_conn *hcon;
1629
1630                 hcon = hci_conn_hash_lookup_handle(hdev, cp->phy_handle);
1631                 if (hcon)
1632                         hci_conn_del(hcon);
1633         } else {
1634                 amp_write_remote_assoc(hdev, cp->phy_handle);
1635         }
1636
1637         hci_dev_unlock(hdev);
1638 }
1639
1640 static void hci_cs_accept_phylink(struct hci_dev *hdev, u8 status)
1641 {
1642         struct hci_cp_accept_phy_link *cp;
1643
1644         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1645
1646         if (status)
1647                 return;
1648
1649         cp = hci_sent_cmd_data(hdev, HCI_OP_ACCEPT_PHY_LINK);
1650         if (!cp)
1651                 return;
1652
1653         amp_write_remote_assoc(hdev, cp->phy_handle);
1654 }
1655
1656 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
1657 {
1658         struct hci_cp_le_create_conn *cp;
1659         struct hci_conn *conn;
1660
1661         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1662
1663         /* All connection failure handling is taken care of by the
1664          * hci_le_conn_failed function which is triggered by the HCI
1665          * request completion callbacks used for connecting.
1666          */
1667         if (status)
1668                 return;
1669
1670         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
1671         if (!cp)
1672                 return;
1673
1674         hci_dev_lock(hdev);
1675
1676         conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->peer_addr);
1677         if (!conn)
1678                 goto unlock;
1679
1680         /* Store the initiator and responder address information which
1681          * is needed for SMP. These values will not change during the
1682          * lifetime of the connection.
1683          */
1684         conn->init_addr_type = cp->own_address_type;
1685         if (cp->own_address_type == ADDR_LE_DEV_RANDOM)
1686                 bacpy(&conn->init_addr, &hdev->random_addr);
1687         else
1688                 bacpy(&conn->init_addr, &hdev->bdaddr);
1689
1690         conn->resp_addr_type = cp->peer_addr_type;
1691         bacpy(&conn->resp_addr, &cp->peer_addr);
1692
1693         /* We don't want the connection attempt to stick around
1694          * indefinitely since LE doesn't have a page timeout concept
1695          * like BR/EDR. Set a timer for any connection that doesn't use
1696          * the white list for connecting.
1697          */
1698         if (cp->filter_policy == HCI_LE_USE_PEER_ADDR)
1699                 queue_delayed_work(conn->hdev->workqueue,
1700                                    &conn->le_conn_timeout,
1701                                    HCI_LE_CONN_TIMEOUT);
1702
1703 unlock:
1704         hci_dev_unlock(hdev);
1705 }
1706
1707 static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1708 {
1709         __u8 status = *((__u8 *) skb->data);
1710         struct discovery_state *discov = &hdev->discovery;
1711         struct inquiry_entry *e;
1712
1713         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1714
1715         hci_conn_check_pending(hdev);
1716
1717         if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
1718                 return;
1719
1720         smp_mb__after_clear_bit(); /* wake_up_bit advises about this barrier */
1721         wake_up_bit(&hdev->flags, HCI_INQUIRY);
1722
1723         if (!test_bit(HCI_MGMT, &hdev->dev_flags))
1724                 return;
1725
1726         hci_dev_lock(hdev);
1727
1728         if (discov->state != DISCOVERY_FINDING)
1729                 goto unlock;
1730
1731         if (list_empty(&discov->resolve)) {
1732                 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1733                 goto unlock;
1734         }
1735
1736         e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
1737         if (e && hci_resolve_name(hdev, e) == 0) {
1738                 e->name_state = NAME_PENDING;
1739                 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
1740         } else {
1741                 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1742         }
1743
1744 unlock:
1745         hci_dev_unlock(hdev);
1746 }
1747
1748 static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
1749 {
1750         struct inquiry_data data;
1751         struct inquiry_info *info = (void *) (skb->data + 1);
1752         int num_rsp = *((__u8 *) skb->data);
1753
1754         BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
1755
1756         if (!num_rsp)
1757                 return;
1758
1759         if (test_bit(HCI_PERIODIC_INQ, &hdev->dev_flags))
1760                 return;
1761
1762         hci_dev_lock(hdev);
1763
1764         for (; num_rsp; num_rsp--, info++) {
1765                 bool name_known, ssp;
1766
1767                 bacpy(&data.bdaddr, &info->bdaddr);
1768                 data.pscan_rep_mode     = info->pscan_rep_mode;
1769                 data.pscan_period_mode  = info->pscan_period_mode;
1770                 data.pscan_mode         = info->pscan_mode;
1771                 memcpy(data.dev_class, info->dev_class, 3);
1772                 data.clock_offset       = info->clock_offset;
1773                 data.rssi               = 0x00;
1774                 data.ssp_mode           = 0x00;
1775
1776                 name_known = hci_inquiry_cache_update(hdev, &data, false, &ssp);
1777                 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
1778                                   info->dev_class, 0, !name_known, ssp, NULL,
1779                                   0);
1780         }
1781
1782         hci_dev_unlock(hdev);
1783 }
1784
1785 static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1786 {
1787         struct hci_ev_conn_complete *ev = (void *) skb->data;
1788         struct hci_conn *conn;
1789
1790         BT_DBG("%s", hdev->name);
1791
1792         hci_dev_lock(hdev);
1793
1794         conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
1795         if (!conn) {
1796                 if (ev->link_type != SCO_LINK)
1797                         goto unlock;
1798
1799                 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
1800                 if (!conn)
1801                         goto unlock;
1802
1803                 conn->type = SCO_LINK;
1804         }
1805
1806         if (!ev->status) {
1807                 conn->handle = __le16_to_cpu(ev->handle);
1808
1809                 if (conn->type == ACL_LINK) {
1810                         conn->state = BT_CONFIG;
1811                         hci_conn_hold(conn);
1812
1813                         if (!conn->out && !hci_conn_ssp_enabled(conn) &&
1814                             !hci_find_link_key(hdev, &ev->bdaddr))
1815                                 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
1816                         else
1817                                 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
1818                 } else
1819                         conn->state = BT_CONNECTED;
1820
1821                 hci_conn_add_sysfs(conn);
1822
1823                 if (test_bit(HCI_AUTH, &hdev->flags))
1824                         conn->link_mode |= HCI_LM_AUTH;
1825
1826                 if (test_bit(HCI_ENCRYPT, &hdev->flags))
1827                         conn->link_mode |= HCI_LM_ENCRYPT;
1828
1829                 /* Get remote features */
1830                 if (conn->type == ACL_LINK) {
1831                         struct hci_cp_read_remote_features cp;
1832                         cp.handle = ev->handle;
1833                         hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
1834                                      sizeof(cp), &cp);
1835                 }
1836
1837                 /* Set packet type for incoming connection */
1838                 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
1839                         struct hci_cp_change_conn_ptype cp;
1840                         cp.handle = ev->handle;
1841                         cp.pkt_type = cpu_to_le16(conn->pkt_type);
1842                         hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
1843                                      &cp);
1844                 }
1845         } else {
1846                 conn->state = BT_CLOSED;
1847                 if (conn->type == ACL_LINK)
1848                         mgmt_connect_failed(hdev, &conn->dst, conn->type,
1849                                             conn->dst_type, ev->status);
1850         }
1851
1852         if (conn->type == ACL_LINK)
1853                 hci_sco_setup(conn, ev->status);
1854
1855         if (ev->status) {
1856                 hci_proto_connect_cfm(conn, ev->status);
1857                 hci_conn_del(conn);
1858         } else if (ev->link_type != ACL_LINK)
1859                 hci_proto_connect_cfm(conn, ev->status);
1860
1861 unlock:
1862         hci_dev_unlock(hdev);
1863
1864         hci_conn_check_pending(hdev);
1865 }
1866
1867 static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
1868 {
1869         struct hci_ev_conn_request *ev = (void *) skb->data;
1870         int mask = hdev->link_mode;
1871         __u8 flags = 0;
1872
1873         BT_DBG("%s bdaddr %pMR type 0x%x", hdev->name, &ev->bdaddr,
1874                ev->link_type);
1875
1876         mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
1877                                       &flags);
1878
1879         if ((mask & HCI_LM_ACCEPT) &&
1880             !hci_blacklist_lookup(hdev, &ev->bdaddr, BDADDR_BREDR)) {
1881                 /* Connection accepted */
1882                 struct inquiry_entry *ie;
1883                 struct hci_conn *conn;
1884
1885                 hci_dev_lock(hdev);
1886
1887                 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
1888                 if (ie)
1889                         memcpy(ie->data.dev_class, ev->dev_class, 3);
1890
1891                 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
1892                                                &ev->bdaddr);
1893                 if (!conn) {
1894                         conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr);
1895                         if (!conn) {
1896                                 BT_ERR("No memory for new connection");
1897                                 hci_dev_unlock(hdev);
1898                                 return;
1899                         }
1900                 }
1901
1902                 memcpy(conn->dev_class, ev->dev_class, 3);
1903
1904                 hci_dev_unlock(hdev);
1905
1906                 if (ev->link_type == ACL_LINK ||
1907                     (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
1908                         struct hci_cp_accept_conn_req cp;
1909                         conn->state = BT_CONNECT;
1910
1911                         bacpy(&cp.bdaddr, &ev->bdaddr);
1912
1913                         if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
1914                                 cp.role = 0x00; /* Become master */
1915                         else
1916                                 cp.role = 0x01; /* Remain slave */
1917
1918                         hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp),
1919                                      &cp);
1920                 } else if (!(flags & HCI_PROTO_DEFER)) {
1921                         struct hci_cp_accept_sync_conn_req cp;
1922                         conn->state = BT_CONNECT;
1923
1924                         bacpy(&cp.bdaddr, &ev->bdaddr);
1925                         cp.pkt_type = cpu_to_le16(conn->pkt_type);
1926
1927                         cp.tx_bandwidth   = cpu_to_le32(0x00001f40);
1928                         cp.rx_bandwidth   = cpu_to_le32(0x00001f40);
1929                         cp.max_latency    = cpu_to_le16(0xffff);
1930                         cp.content_format = cpu_to_le16(hdev->voice_setting);
1931                         cp.retrans_effort = 0xff;
1932
1933                         hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ,
1934                                      sizeof(cp), &cp);
1935                 } else {
1936                         conn->state = BT_CONNECT2;
1937                         hci_proto_connect_cfm(conn, 0);
1938                 }
1939         } else {
1940                 /* Connection rejected */
1941                 struct hci_cp_reject_conn_req cp;
1942
1943                 bacpy(&cp.bdaddr, &ev->bdaddr);
1944                 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
1945                 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
1946         }
1947 }
1948
1949 static u8 hci_to_mgmt_reason(u8 err)
1950 {
1951         switch (err) {
1952         case HCI_ERROR_CONNECTION_TIMEOUT:
1953                 return MGMT_DEV_DISCONN_TIMEOUT;
1954         case HCI_ERROR_REMOTE_USER_TERM:
1955         case HCI_ERROR_REMOTE_LOW_RESOURCES:
1956         case HCI_ERROR_REMOTE_POWER_OFF:
1957                 return MGMT_DEV_DISCONN_REMOTE;
1958         case HCI_ERROR_LOCAL_HOST_TERM:
1959                 return MGMT_DEV_DISCONN_LOCAL_HOST;
1960         default:
1961                 return MGMT_DEV_DISCONN_UNKNOWN;
1962         }
1963 }
1964
1965 static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1966 {
1967         struct hci_ev_disconn_complete *ev = (void *) skb->data;
1968         u8 reason = hci_to_mgmt_reason(ev->reason);
1969         struct hci_conn_params *params;
1970         struct hci_conn *conn;
1971         bool mgmt_connected;
1972         u8 type;
1973
1974         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
1975
1976         hci_dev_lock(hdev);
1977
1978         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
1979         if (!conn)
1980                 goto unlock;
1981
1982         if (ev->status) {
1983                 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
1984                                        conn->dst_type, ev->status);
1985                 goto unlock;
1986         }
1987
1988         conn->state = BT_CLOSED;
1989
1990         mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
1991         mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
1992                                 reason, mgmt_connected);
1993
1994         if (conn->type == ACL_LINK && conn->flush_key)
1995                 hci_remove_link_key(hdev, &conn->dst);
1996
1997         params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
1998         if (params) {
1999                 switch (params->auto_connect) {
2000                 case HCI_AUTO_CONN_LINK_LOSS:
2001                         if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2002                                 break;
2003                         /* Fall through */
2004
2005                 case HCI_AUTO_CONN_ALWAYS:
2006                         hci_pend_le_conn_add(hdev, &conn->dst, conn->dst_type);
2007                         break;
2008
2009                 default:
2010                         break;
2011                 }
2012         }
2013
2014         type = conn->type;
2015
2016         hci_proto_disconn_cfm(conn, ev->reason);
2017         hci_conn_del(conn);
2018
2019         /* Re-enable advertising if necessary, since it might
2020          * have been disabled by the connection. From the
2021          * HCI_LE_Set_Advertise_Enable command description in
2022          * the core specification (v4.0):
2023          * "The Controller shall continue advertising until the Host
2024          * issues an LE_Set_Advertise_Enable command with
2025          * Advertising_Enable set to 0x00 (Advertising is disabled)
2026          * or until a connection is created or until the Advertising
2027          * is timed out due to Directed Advertising."
2028          */
2029         if (type == LE_LINK)
2030                 mgmt_reenable_advertising(hdev);
2031
2032 unlock:
2033         hci_dev_unlock(hdev);
2034 }
2035
2036 static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2037 {
2038         struct hci_ev_auth_complete *ev = (void *) skb->data;
2039         struct hci_conn *conn;
2040
2041         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2042
2043         hci_dev_lock(hdev);
2044
2045         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2046         if (!conn)
2047                 goto unlock;
2048
2049         if (!ev->status) {
2050                 if (!hci_conn_ssp_enabled(conn) &&
2051                     test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) {
2052                         BT_INFO("re-auth of legacy device is not possible.");
2053                 } else {
2054                         conn->link_mode |= HCI_LM_AUTH;
2055                         conn->sec_level = conn->pending_sec_level;
2056                 }
2057         } else {
2058                 mgmt_auth_failed(hdev, &conn->dst, conn->type, conn->dst_type,
2059                                  ev->status);
2060         }
2061
2062         clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2063         clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
2064
2065         if (conn->state == BT_CONFIG) {
2066                 if (!ev->status && hci_conn_ssp_enabled(conn)) {
2067                         struct hci_cp_set_conn_encrypt cp;
2068                         cp.handle  = ev->handle;
2069                         cp.encrypt = 0x01;
2070                         hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2071                                      &cp);
2072                 } else {
2073                         conn->state = BT_CONNECTED;
2074                         hci_proto_connect_cfm(conn, ev->status);
2075                         hci_conn_drop(conn);
2076                 }
2077         } else {
2078                 hci_auth_cfm(conn, ev->status);
2079
2080                 hci_conn_hold(conn);
2081                 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2082                 hci_conn_drop(conn);
2083         }
2084
2085         if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2086                 if (!ev->status) {
2087                         struct hci_cp_set_conn_encrypt cp;
2088                         cp.handle  = ev->handle;
2089                         cp.encrypt = 0x01;
2090                         hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2091                                      &cp);
2092                 } else {
2093                         clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2094                         hci_encrypt_cfm(conn, ev->status, 0x00);
2095                 }
2096         }
2097
2098 unlock:
2099         hci_dev_unlock(hdev);
2100 }
2101
2102 static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb)
2103 {
2104         struct hci_ev_remote_name *ev = (void *) skb->data;
2105         struct hci_conn *conn;
2106
2107         BT_DBG("%s", hdev->name);
2108
2109         hci_conn_check_pending(hdev);
2110
2111         hci_dev_lock(hdev);
2112
2113         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2114
2115         if (!test_bit(HCI_MGMT, &hdev->dev_flags))
2116                 goto check_auth;
2117
2118         if (ev->status == 0)
2119                 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
2120                                        strnlen(ev->name, HCI_MAX_NAME_LENGTH));
2121         else
2122                 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
2123
2124 check_auth:
2125         if (!conn)
2126                 goto unlock;
2127
2128         if (!hci_outgoing_auth_needed(hdev, conn))
2129                 goto unlock;
2130
2131         if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2132                 struct hci_cp_auth_requested cp;
2133                 cp.handle = __cpu_to_le16(conn->handle);
2134                 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
2135         }
2136
2137 unlock:
2138         hci_dev_unlock(hdev);
2139 }
2140
2141 static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2142 {
2143         struct hci_ev_encrypt_change *ev = (void *) skb->data;
2144         struct hci_conn *conn;
2145
2146         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2147
2148         hci_dev_lock(hdev);
2149
2150         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2151         if (!conn)
2152                 goto unlock;
2153
2154         if (!ev->status) {
2155                 if (ev->encrypt) {
2156                         /* Encryption implies authentication */
2157                         conn->link_mode |= HCI_LM_AUTH;
2158                         conn->link_mode |= HCI_LM_ENCRYPT;
2159                         conn->sec_level = conn->pending_sec_level;
2160
2161                         /* P-256 authentication key implies FIPS */
2162                         if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
2163                                 conn->link_mode |= HCI_LM_FIPS;
2164
2165                         if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
2166                             conn->type == LE_LINK)
2167                                 set_bit(HCI_CONN_AES_CCM, &conn->flags);
2168                 } else {
2169                         conn->link_mode &= ~HCI_LM_ENCRYPT;
2170                         clear_bit(HCI_CONN_AES_CCM, &conn->flags);
2171                 }
2172         }
2173
2174         clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2175
2176         if (ev->status && conn->state == BT_CONNECTED) {
2177                 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2178                 hci_conn_drop(conn);
2179                 goto unlock;
2180         }
2181
2182         if (conn->state == BT_CONFIG) {
2183                 if (!ev->status)
2184                         conn->state = BT_CONNECTED;
2185
2186                 hci_proto_connect_cfm(conn, ev->status);
2187                 hci_conn_drop(conn);
2188         } else
2189                 hci_encrypt_cfm(conn, ev->status, ev->encrypt);
2190
2191 unlock:
2192         hci_dev_unlock(hdev);
2193 }
2194
2195 static void hci_change_link_key_complete_evt(struct hci_dev *hdev,
2196                                              struct sk_buff *skb)
2197 {
2198         struct hci_ev_change_link_key_complete *ev = (void *) skb->data;
2199         struct hci_conn *conn;
2200
2201         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2202
2203         hci_dev_lock(hdev);
2204
2205         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2206         if (conn) {
2207                 if (!ev->status)
2208                         conn->link_mode |= HCI_LM_SECURE;
2209
2210                 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2211
2212                 hci_key_change_cfm(conn, ev->status);
2213         }
2214
2215         hci_dev_unlock(hdev);
2216 }
2217
2218 static void hci_remote_features_evt(struct hci_dev *hdev,
2219                                     struct sk_buff *skb)
2220 {
2221         struct hci_ev_remote_features *ev = (void *) skb->data;
2222         struct hci_conn *conn;
2223
2224         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2225
2226         hci_dev_lock(hdev);
2227
2228         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2229         if (!conn)
2230                 goto unlock;
2231
2232         if (!ev->status)
2233                 memcpy(conn->features[0], ev->features, 8);
2234
2235         if (conn->state != BT_CONFIG)
2236                 goto unlock;
2237
2238         if (!ev->status && lmp_ssp_capable(hdev) && lmp_ssp_capable(conn)) {
2239                 struct hci_cp_read_remote_ext_features cp;
2240                 cp.handle = ev->handle;
2241                 cp.page = 0x01;
2242                 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
2243                              sizeof(cp), &cp);
2244                 goto unlock;
2245         }
2246
2247         if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
2248                 struct hci_cp_remote_name_req cp;
2249                 memset(&cp, 0, sizeof(cp));
2250                 bacpy(&cp.bdaddr, &conn->dst);
2251                 cp.pscan_rep_mode = 0x02;
2252                 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2253         } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2254                 mgmt_device_connected(hdev, &conn->dst, conn->type,
2255                                       conn->dst_type, 0, NULL, 0,
2256                                       conn->dev_class);
2257
2258         if (!hci_outgoing_auth_needed(hdev, conn)) {
2259                 conn->state = BT_CONNECTED;
2260                 hci_proto_connect_cfm(conn, ev->status);
2261                 hci_conn_drop(conn);
2262         }
2263
2264 unlock:
2265         hci_dev_unlock(hdev);
2266 }
2267
2268 static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2269 {
2270         struct hci_ev_cmd_complete *ev = (void *) skb->data;
2271         u8 status = skb->data[sizeof(*ev)];
2272         __u16 opcode;
2273
2274         skb_pull(skb, sizeof(*ev));
2275
2276         opcode = __le16_to_cpu(ev->opcode);
2277
2278         switch (opcode) {
2279         case HCI_OP_INQUIRY_CANCEL:
2280                 hci_cc_inquiry_cancel(hdev, skb);
2281                 break;
2282
2283         case HCI_OP_PERIODIC_INQ:
2284                 hci_cc_periodic_inq(hdev, skb);
2285                 break;
2286
2287         case HCI_OP_EXIT_PERIODIC_INQ:
2288                 hci_cc_exit_periodic_inq(hdev, skb);
2289                 break;
2290
2291         case HCI_OP_REMOTE_NAME_REQ_CANCEL:
2292                 hci_cc_remote_name_req_cancel(hdev, skb);
2293                 break;
2294
2295         case HCI_OP_ROLE_DISCOVERY:
2296                 hci_cc_role_discovery(hdev, skb);
2297                 break;
2298
2299         case HCI_OP_READ_LINK_POLICY:
2300                 hci_cc_read_link_policy(hdev, skb);
2301                 break;
2302
2303         case HCI_OP_WRITE_LINK_POLICY:
2304                 hci_cc_write_link_policy(hdev, skb);
2305                 break;
2306
2307         case HCI_OP_READ_DEF_LINK_POLICY:
2308                 hci_cc_read_def_link_policy(hdev, skb);
2309                 break;
2310
2311         case HCI_OP_WRITE_DEF_LINK_POLICY:
2312                 hci_cc_write_def_link_policy(hdev, skb);
2313                 break;
2314
2315         case HCI_OP_RESET:
2316                 hci_cc_reset(hdev, skb);
2317                 break;
2318
2319         case HCI_OP_WRITE_LOCAL_NAME:
2320                 hci_cc_write_local_name(hdev, skb);
2321                 break;
2322
2323         case HCI_OP_READ_LOCAL_NAME:
2324                 hci_cc_read_local_name(hdev, skb);
2325                 break;
2326
2327         case HCI_OP_WRITE_AUTH_ENABLE:
2328                 hci_cc_write_auth_enable(hdev, skb);
2329                 break;
2330
2331         case HCI_OP_WRITE_ENCRYPT_MODE:
2332                 hci_cc_write_encrypt_mode(hdev, skb);
2333                 break;
2334
2335         case HCI_OP_WRITE_SCAN_ENABLE:
2336                 hci_cc_write_scan_enable(hdev, skb);
2337                 break;
2338
2339         case HCI_OP_READ_CLASS_OF_DEV:
2340                 hci_cc_read_class_of_dev(hdev, skb);
2341                 break;
2342
2343         case HCI_OP_WRITE_CLASS_OF_DEV:
2344                 hci_cc_write_class_of_dev(hdev, skb);
2345                 break;
2346
2347         case HCI_OP_READ_VOICE_SETTING:
2348                 hci_cc_read_voice_setting(hdev, skb);
2349                 break;
2350
2351         case HCI_OP_WRITE_VOICE_SETTING:
2352                 hci_cc_write_voice_setting(hdev, skb);
2353                 break;
2354
2355         case HCI_OP_READ_NUM_SUPPORTED_IAC:
2356                 hci_cc_read_num_supported_iac(hdev, skb);
2357                 break;
2358
2359         case HCI_OP_WRITE_SSP_MODE:
2360                 hci_cc_write_ssp_mode(hdev, skb);
2361                 break;
2362
2363         case HCI_OP_WRITE_SC_SUPPORT:
2364                 hci_cc_write_sc_support(hdev, skb);
2365                 break;
2366
2367         case HCI_OP_READ_LOCAL_VERSION:
2368                 hci_cc_read_local_version(hdev, skb);
2369                 break;
2370
2371         case HCI_OP_READ_LOCAL_COMMANDS:
2372                 hci_cc_read_local_commands(hdev, skb);
2373                 break;
2374
2375         case HCI_OP_READ_LOCAL_FEATURES:
2376                 hci_cc_read_local_features(hdev, skb);
2377                 break;
2378
2379         case HCI_OP_READ_LOCAL_EXT_FEATURES:
2380                 hci_cc_read_local_ext_features(hdev, skb);
2381                 break;
2382
2383         case HCI_OP_READ_BUFFER_SIZE:
2384                 hci_cc_read_buffer_size(hdev, skb);
2385                 break;
2386
2387         case HCI_OP_READ_BD_ADDR:
2388                 hci_cc_read_bd_addr(hdev, skb);
2389                 break;
2390
2391         case HCI_OP_READ_PAGE_SCAN_ACTIVITY:
2392                 hci_cc_read_page_scan_activity(hdev, skb);
2393                 break;
2394
2395         case HCI_OP_WRITE_PAGE_SCAN_ACTIVITY:
2396                 hci_cc_write_page_scan_activity(hdev, skb);
2397                 break;
2398
2399         case HCI_OP_READ_PAGE_SCAN_TYPE:
2400                 hci_cc_read_page_scan_type(hdev, skb);
2401                 break;
2402
2403         case HCI_OP_WRITE_PAGE_SCAN_TYPE:
2404                 hci_cc_write_page_scan_type(hdev, skb);
2405                 break;
2406
2407         case HCI_OP_READ_DATA_BLOCK_SIZE:
2408                 hci_cc_read_data_block_size(hdev, skb);
2409                 break;
2410
2411         case HCI_OP_READ_FLOW_CONTROL_MODE:
2412                 hci_cc_read_flow_control_mode(hdev, skb);
2413                 break;
2414
2415         case HCI_OP_READ_LOCAL_AMP_INFO:
2416                 hci_cc_read_local_amp_info(hdev, skb);
2417                 break;
2418
2419         case HCI_OP_READ_LOCAL_AMP_ASSOC:
2420                 hci_cc_read_local_amp_assoc(hdev, skb);
2421                 break;
2422
2423         case HCI_OP_READ_INQ_RSP_TX_POWER:
2424                 hci_cc_read_inq_rsp_tx_power(hdev, skb);
2425                 break;
2426
2427         case HCI_OP_PIN_CODE_REPLY:
2428                 hci_cc_pin_code_reply(hdev, skb);
2429                 break;
2430
2431         case HCI_OP_PIN_CODE_NEG_REPLY:
2432                 hci_cc_pin_code_neg_reply(hdev, skb);
2433                 break;
2434
2435         case HCI_OP_READ_LOCAL_OOB_DATA:
2436                 hci_cc_read_local_oob_data(hdev, skb);
2437                 break;
2438
2439         case HCI_OP_READ_LOCAL_OOB_EXT_DATA:
2440                 hci_cc_read_local_oob_ext_data(hdev, skb);
2441                 break;
2442
2443         case HCI_OP_LE_READ_BUFFER_SIZE:
2444                 hci_cc_le_read_buffer_size(hdev, skb);
2445                 break;
2446
2447         case HCI_OP_LE_READ_LOCAL_FEATURES:
2448                 hci_cc_le_read_local_features(hdev, skb);
2449                 break;
2450
2451         case HCI_OP_LE_READ_ADV_TX_POWER:
2452                 hci_cc_le_read_adv_tx_power(hdev, skb);
2453                 break;
2454
2455         case HCI_OP_USER_CONFIRM_REPLY:
2456                 hci_cc_user_confirm_reply(hdev, skb);
2457                 break;
2458
2459         case HCI_OP_USER_CONFIRM_NEG_REPLY:
2460                 hci_cc_user_confirm_neg_reply(hdev, skb);
2461                 break;
2462
2463         case HCI_OP_USER_PASSKEY_REPLY:
2464                 hci_cc_user_passkey_reply(hdev, skb);
2465                 break;
2466
2467         case HCI_OP_USER_PASSKEY_NEG_REPLY:
2468                 hci_cc_user_passkey_neg_reply(hdev, skb);
2469                 break;
2470
2471         case HCI_OP_LE_SET_RANDOM_ADDR:
2472                 hci_cc_le_set_random_addr(hdev, skb);
2473                 break;
2474
2475         case HCI_OP_LE_SET_ADV_ENABLE:
2476                 hci_cc_le_set_adv_enable(hdev, skb);
2477                 break;
2478
2479         case HCI_OP_LE_SET_SCAN_ENABLE:
2480                 hci_cc_le_set_scan_enable(hdev, skb);
2481                 break;
2482
2483         case HCI_OP_LE_READ_WHITE_LIST_SIZE:
2484                 hci_cc_le_read_white_list_size(hdev, skb);
2485                 break;
2486
2487         case HCI_OP_LE_CLEAR_WHITE_LIST:
2488                 hci_cc_le_clear_white_list(hdev, skb);
2489                 break;
2490
2491         case HCI_OP_LE_ADD_TO_WHITE_LIST:
2492                 hci_cc_le_add_to_white_list(hdev, skb);
2493                 break;
2494
2495         case HCI_OP_LE_DEL_FROM_WHITE_LIST:
2496                 hci_cc_le_del_from_white_list(hdev, skb);
2497                 break;
2498
2499         case HCI_OP_LE_READ_SUPPORTED_STATES:
2500                 hci_cc_le_read_supported_states(hdev, skb);
2501                 break;
2502
2503         case HCI_OP_WRITE_LE_HOST_SUPPORTED:
2504                 hci_cc_write_le_host_supported(hdev, skb);
2505                 break;
2506
2507         case HCI_OP_LE_SET_ADV_PARAM:
2508                 hci_cc_set_adv_param(hdev, skb);
2509                 break;
2510
2511         case HCI_OP_WRITE_REMOTE_AMP_ASSOC:
2512                 hci_cc_write_remote_amp_assoc(hdev, skb);
2513                 break;
2514
2515         default:
2516                 BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode);
2517                 break;
2518         }
2519
2520         if (opcode != HCI_OP_NOP)
2521                 del_timer(&hdev->cmd_timer);
2522
2523         hci_req_cmd_complete(hdev, opcode, status);
2524
2525         if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) {
2526                 atomic_set(&hdev->cmd_cnt, 1);
2527                 if (!skb_queue_empty(&hdev->cmd_q))
2528                         queue_work(hdev->workqueue, &hdev->cmd_work);
2529         }
2530 }
2531
2532 static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb)
2533 {
2534         struct hci_ev_cmd_status *ev = (void *) skb->data;
2535         __u16 opcode;
2536
2537         skb_pull(skb, sizeof(*ev));
2538
2539         opcode = __le16_to_cpu(ev->opcode);
2540
2541         switch (opcode) {
2542         case HCI_OP_INQUIRY:
2543                 hci_cs_inquiry(hdev, ev->status);
2544                 break;
2545
2546         case HCI_OP_CREATE_CONN:
2547                 hci_cs_create_conn(hdev, ev->status);
2548                 break;
2549
2550         case HCI_OP_ADD_SCO:
2551                 hci_cs_add_sco(hdev, ev->status);
2552                 break;
2553
2554         case HCI_OP_AUTH_REQUESTED:
2555                 hci_cs_auth_requested(hdev, ev->status);
2556                 break;
2557
2558         case HCI_OP_SET_CONN_ENCRYPT:
2559                 hci_cs_set_conn_encrypt(hdev, ev->status);
2560                 break;
2561
2562         case HCI_OP_REMOTE_NAME_REQ:
2563                 hci_cs_remote_name_req(hdev, ev->status);
2564                 break;
2565
2566         case HCI_OP_READ_REMOTE_FEATURES:
2567                 hci_cs_read_remote_features(hdev, ev->status);
2568                 break;
2569
2570         case HCI_OP_READ_REMOTE_EXT_FEATURES:
2571                 hci_cs_read_remote_ext_features(hdev, ev->status);
2572                 break;
2573
2574         case HCI_OP_SETUP_SYNC_CONN:
2575                 hci_cs_setup_sync_conn(hdev, ev->status);
2576                 break;
2577
2578         case HCI_OP_SNIFF_MODE:
2579                 hci_cs_sniff_mode(hdev, ev->status);
2580                 break;
2581
2582         case HCI_OP_EXIT_SNIFF_MODE:
2583                 hci_cs_exit_sniff_mode(hdev, ev->status);
2584                 break;
2585
2586         case HCI_OP_DISCONNECT:
2587                 hci_cs_disconnect(hdev, ev->status);
2588                 break;
2589
2590         case HCI_OP_CREATE_PHY_LINK:
2591                 hci_cs_create_phylink(hdev, ev->status);
2592                 break;
2593
2594         case HCI_OP_ACCEPT_PHY_LINK:
2595                 hci_cs_accept_phylink(hdev, ev->status);
2596                 break;
2597
2598         case HCI_OP_LE_CREATE_CONN:
2599                 hci_cs_le_create_conn(hdev, ev->status);
2600                 break;
2601
2602         default:
2603                 BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode);
2604                 break;
2605         }
2606
2607         if (opcode != HCI_OP_NOP)
2608                 del_timer(&hdev->cmd_timer);
2609
2610         if (ev->status ||
2611             (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->req.event))
2612                 hci_req_cmd_complete(hdev, opcode, ev->status);
2613
2614         if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) {
2615                 atomic_set(&hdev->cmd_cnt, 1);
2616                 if (!skb_queue_empty(&hdev->cmd_q))
2617                         queue_work(hdev->workqueue, &hdev->cmd_work);
2618         }
2619 }
2620
2621 static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2622 {
2623         struct hci_ev_role_change *ev = (void *) skb->data;
2624         struct hci_conn *conn;
2625
2626         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2627
2628         hci_dev_lock(hdev);
2629
2630         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2631         if (conn) {
2632                 if (!ev->status) {
2633                         if (ev->role)
2634                                 conn->link_mode &= ~HCI_LM_MASTER;
2635                         else
2636                                 conn->link_mode |= HCI_LM_MASTER;
2637                 }
2638
2639                 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
2640
2641                 hci_role_switch_cfm(conn, ev->status, ev->role);
2642         }
2643
2644         hci_dev_unlock(hdev);
2645 }
2646
2647 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb)
2648 {
2649         struct hci_ev_num_comp_pkts *ev = (void *) skb->data;
2650         int i;
2651
2652         if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
2653                 BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode);
2654                 return;
2655         }
2656
2657         if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
2658             ev->num_hndl * sizeof(struct hci_comp_pkts_info)) {
2659                 BT_DBG("%s bad parameters", hdev->name);
2660                 return;
2661         }
2662
2663         BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl);
2664
2665         for (i = 0; i < ev->num_hndl; i++) {
2666                 struct hci_comp_pkts_info *info = &ev->handles[i];
2667                 struct hci_conn *conn;
2668                 __u16  handle, count;
2669
2670                 handle = __le16_to_cpu(info->handle);
2671                 count  = __le16_to_cpu(info->count);
2672
2673                 conn = hci_conn_hash_lookup_handle(hdev, handle);
2674                 if (!conn)
2675                         continue;
2676
2677                 conn->sent -= count;
2678
2679                 switch (conn->type) {
2680                 case ACL_LINK:
2681                         hdev->acl_cnt += count;
2682                         if (hdev->acl_cnt > hdev->acl_pkts)
2683                                 hdev->acl_cnt = hdev->acl_pkts;
2684                         break;
2685
2686                 case LE_LINK:
2687                         if (hdev->le_pkts) {
2688                                 hdev->le_cnt += count;
2689                                 if (hdev->le_cnt > hdev->le_pkts)
2690                                         hdev->le_cnt = hdev->le_pkts;
2691                         } else {
2692                                 hdev->acl_cnt += count;
2693                                 if (hdev->acl_cnt > hdev->acl_pkts)
2694                                         hdev->acl_cnt = hdev->acl_pkts;
2695                         }
2696                         break;
2697
2698                 case SCO_LINK:
2699                         hdev->sco_cnt += count;
2700                         if (hdev->sco_cnt > hdev->sco_pkts)
2701                                 hdev->sco_cnt = hdev->sco_pkts;
2702                         break;
2703
2704                 default:
2705                         BT_ERR("Unknown type %d conn %p", conn->type, conn);
2706                         break;
2707                 }
2708         }
2709
2710         queue_work(hdev->workqueue, &hdev->tx_work);
2711 }
2712
2713 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
2714                                                  __u16 handle)
2715 {
2716         struct hci_chan *chan;
2717
2718         switch (hdev->dev_type) {
2719         case HCI_BREDR:
2720                 return hci_conn_hash_lookup_handle(hdev, handle);
2721         case HCI_AMP:
2722                 chan = hci_chan_lookup_handle(hdev, handle);
2723                 if (chan)
2724                         return chan->conn;
2725                 break;
2726         default:
2727                 BT_ERR("%s unknown dev_type %d", hdev->name, hdev->dev_type);
2728                 break;
2729         }
2730
2731         return NULL;
2732 }
2733
2734 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb)
2735 {
2736         struct hci_ev_num_comp_blocks *ev = (void *) skb->data;
2737         int i;
2738
2739         if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
2740                 BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode);
2741                 return;
2742         }
2743
2744         if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
2745             ev->num_hndl * sizeof(struct hci_comp_blocks_info)) {
2746                 BT_DBG("%s bad parameters", hdev->name);
2747                 return;
2748         }
2749
2750         BT_DBG("%s num_blocks %d num_hndl %d", hdev->name, ev->num_blocks,
2751                ev->num_hndl);
2752
2753         for (i = 0; i < ev->num_hndl; i++) {
2754                 struct hci_comp_blocks_info *info = &ev->handles[i];
2755                 struct hci_conn *conn = NULL;
2756                 __u16  handle, block_count;
2757
2758                 handle = __le16_to_cpu(info->handle);
2759                 block_count = __le16_to_cpu(info->blocks);
2760
2761                 conn = __hci_conn_lookup_handle(hdev, handle);
2762                 if (!conn)
2763                         continue;
2764
2765                 conn->sent -= block_count;
2766
2767                 switch (conn->type) {
2768                 case ACL_LINK:
2769                 case AMP_LINK:
2770                         hdev->block_cnt += block_count;
2771                         if (hdev->block_cnt > hdev->num_blocks)
2772                                 hdev->block_cnt = hdev->num_blocks;
2773                         break;
2774
2775                 default:
2776                         BT_ERR("Unknown type %d conn %p", conn->type, conn);
2777                         break;
2778                 }
2779         }
2780
2781         queue_work(hdev->workqueue, &hdev->tx_work);
2782 }
2783
2784 static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2785 {
2786         struct hci_ev_mode_change *ev = (void *) skb->data;
2787         struct hci_conn *conn;
2788
2789         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2790
2791         hci_dev_lock(hdev);
2792
2793         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2794         if (conn) {
2795                 conn->mode = ev->mode;
2796
2797                 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
2798                                         &conn->flags)) {
2799                         if (conn->mode == HCI_CM_ACTIVE)
2800                                 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
2801                         else
2802                                 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
2803                 }
2804
2805                 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2806                         hci_sco_setup(conn, ev->status);
2807         }
2808
2809         hci_dev_unlock(hdev);
2810 }
2811
2812 static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2813 {
2814         struct hci_ev_pin_code_req *ev = (void *) skb->data;
2815         struct hci_conn *conn;
2816
2817         BT_DBG("%s", hdev->name);
2818
2819         hci_dev_lock(hdev);
2820
2821         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2822         if (!conn)
2823                 goto unlock;
2824
2825         if (conn->state == BT_CONNECTED) {
2826                 hci_conn_hold(conn);
2827                 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
2828                 hci_conn_drop(conn);
2829         }
2830
2831         if (!test_bit(HCI_PAIRABLE, &hdev->dev_flags))
2832                 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
2833                              sizeof(ev->bdaddr), &ev->bdaddr);
2834         else if (test_bit(HCI_MGMT, &hdev->dev_flags)) {
2835                 u8 secure;
2836
2837                 if (conn->pending_sec_level == BT_SECURITY_HIGH)
2838                         secure = 1;
2839                 else
2840                         secure = 0;
2841
2842                 mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
2843         }
2844
2845 unlock:
2846         hci_dev_unlock(hdev);
2847 }
2848
2849 static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2850 {
2851         struct hci_ev_link_key_req *ev = (void *) skb->data;
2852         struct hci_cp_link_key_reply cp;
2853         struct hci_conn *conn;
2854         struct link_key *key;
2855
2856         BT_DBG("%s", hdev->name);
2857
2858         if (!test_bit(HCI_MGMT, &hdev->dev_flags))
2859                 return;
2860
2861         hci_dev_lock(hdev);
2862
2863         key = hci_find_link_key(hdev, &ev->bdaddr);
2864         if (!key) {
2865                 BT_DBG("%s link key not found for %pMR", hdev->name,
2866                        &ev->bdaddr);
2867                 goto not_found;
2868         }
2869
2870         BT_DBG("%s found key type %u for %pMR", hdev->name, key->type,
2871                &ev->bdaddr);
2872
2873         if (!test_bit(HCI_DEBUG_KEYS, &hdev->dev_flags) &&
2874             key->type == HCI_LK_DEBUG_COMBINATION) {
2875                 BT_DBG("%s ignoring debug key", hdev->name);
2876                 goto not_found;
2877         }
2878
2879         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2880         if (conn) {
2881                 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
2882                      key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
2883                     conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
2884                         BT_DBG("%s ignoring unauthenticated key", hdev->name);
2885                         goto not_found;
2886                 }
2887
2888                 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
2889                     conn->pending_sec_level == BT_SECURITY_HIGH) {
2890                         BT_DBG("%s ignoring key unauthenticated for high security",
2891                                hdev->name);
2892                         goto not_found;
2893                 }
2894
2895                 conn->key_type = key->type;
2896                 conn->pin_length = key->pin_len;
2897         }
2898
2899         bacpy(&cp.bdaddr, &ev->bdaddr);
2900         memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
2901
2902         hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
2903
2904         hci_dev_unlock(hdev);
2905
2906         return;
2907
2908 not_found:
2909         hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
2910         hci_dev_unlock(hdev);
2911 }
2912
2913 static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
2914 {
2915         struct hci_ev_link_key_notify *ev = (void *) skb->data;
2916         struct hci_conn *conn;
2917         u8 pin_len = 0;
2918
2919         BT_DBG("%s", hdev->name);
2920
2921         hci_dev_lock(hdev);
2922
2923         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2924         if (conn) {
2925                 hci_conn_hold(conn);
2926                 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2927                 pin_len = conn->pin_length;
2928
2929                 if (ev->key_type != HCI_LK_CHANGED_COMBINATION)
2930                         conn->key_type = ev->key_type;
2931
2932                 hci_conn_drop(conn);
2933         }
2934
2935         if (test_bit(HCI_MGMT, &hdev->dev_flags))
2936                 hci_add_link_key(hdev, conn, 1, &ev->bdaddr, ev->link_key,
2937                                  ev->key_type, pin_len);
2938
2939         hci_dev_unlock(hdev);
2940 }
2941
2942 static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb)
2943 {
2944         struct hci_ev_clock_offset *ev = (void *) skb->data;
2945         struct hci_conn *conn;
2946
2947         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2948
2949         hci_dev_lock(hdev);
2950
2951         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2952         if (conn && !ev->status) {
2953                 struct inquiry_entry *ie;
2954
2955                 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
2956                 if (ie) {
2957                         ie->data.clock_offset = ev->clock_offset;
2958                         ie->timestamp = jiffies;
2959                 }
2960         }
2961
2962         hci_dev_unlock(hdev);
2963 }
2964
2965 static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2966 {
2967         struct hci_ev_pkt_type_change *ev = (void *) skb->data;
2968         struct hci_conn *conn;
2969
2970         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2971
2972         hci_dev_lock(hdev);
2973
2974         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2975         if (conn && !ev->status)
2976                 conn->pkt_type = __le16_to_cpu(ev->pkt_type);
2977
2978         hci_dev_unlock(hdev);
2979 }
2980
2981 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb)
2982 {
2983         struct hci_ev_pscan_rep_mode *ev = (void *) skb->data;
2984         struct inquiry_entry *ie;
2985
2986         BT_DBG("%s", hdev->name);
2987
2988         hci_dev_lock(hdev);
2989
2990         ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
2991         if (ie) {
2992                 ie->data.pscan_rep_mode = ev->pscan_rep_mode;
2993                 ie->timestamp = jiffies;
2994         }
2995
2996         hci_dev_unlock(hdev);
2997 }
2998
2999 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev,
3000                                              struct sk_buff *skb)
3001 {
3002         struct inquiry_data data;
3003         int num_rsp = *((__u8 *) skb->data);
3004         bool name_known, ssp;
3005
3006         BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
3007
3008         if (!num_rsp)
3009                 return;
3010
3011         if (test_bit(HCI_PERIODIC_INQ, &hdev->dev_flags))
3012                 return;
3013
3014         hci_dev_lock(hdev);
3015
3016         if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
3017                 struct inquiry_info_with_rssi_and_pscan_mode *info;
3018                 info = (void *) (skb->data + 1);
3019
3020                 for (; num_rsp; num_rsp--, info++) {
3021                         bacpy(&data.bdaddr, &info->bdaddr);
3022                         data.pscan_rep_mode     = info->pscan_rep_mode;
3023                         data.pscan_period_mode  = info->pscan_period_mode;
3024                         data.pscan_mode         = info->pscan_mode;
3025                         memcpy(data.dev_class, info->dev_class, 3);
3026                         data.clock_offset       = info->clock_offset;
3027                         data.rssi               = info->rssi;
3028                         data.ssp_mode           = 0x00;
3029
3030                         name_known = hci_inquiry_cache_update(hdev, &data,
3031                                                               false, &ssp);
3032                         mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3033                                           info->dev_class, info->rssi,
3034                                           !name_known, ssp, NULL, 0);
3035                 }
3036         } else {
3037                 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
3038
3039                 for (; num_rsp; num_rsp--, info++) {
3040                         bacpy(&data.bdaddr, &info->bdaddr);
3041                         data.pscan_rep_mode     = info->pscan_rep_mode;
3042                         data.pscan_period_mode  = info->pscan_period_mode;
3043                         data.pscan_mode         = 0x00;
3044                         memcpy(data.dev_class, info->dev_class, 3);
3045                         data.clock_offset       = info->clock_offset;
3046                         data.rssi               = info->rssi;
3047                         data.ssp_mode           = 0x00;
3048                         name_known = hci_inquiry_cache_update(hdev, &data,
3049                                                               false, &ssp);
3050                         mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3051                                           info->dev_class, info->rssi,
3052                                           !name_known, ssp, NULL, 0);
3053                 }
3054         }
3055
3056         hci_dev_unlock(hdev);
3057 }
3058
3059 static void hci_remote_ext_features_evt(struct hci_dev *hdev,
3060                                         struct sk_buff *skb)
3061 {
3062         struct hci_ev_remote_ext_features *ev = (void *) skb->data;
3063         struct hci_conn *conn;
3064
3065         BT_DBG("%s", hdev->name);
3066
3067         hci_dev_lock(hdev);
3068
3069         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3070         if (!conn)
3071                 goto unlock;
3072
3073         if (ev->page < HCI_MAX_PAGES)
3074                 memcpy(conn->features[ev->page], ev->features, 8);
3075
3076         if (!ev->status && ev->page == 0x01) {
3077                 struct inquiry_entry *ie;
3078
3079                 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
3080                 if (ie)
3081                         ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
3082
3083                 if (ev->features[0] & LMP_HOST_SSP) {
3084                         set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
3085                 } else {
3086                         /* It is mandatory by the Bluetooth specification that
3087                          * Extended Inquiry Results are only used when Secure
3088                          * Simple Pairing is enabled, but some devices violate
3089                          * this.
3090                          *
3091                          * To make these devices work, the internal SSP
3092                          * enabled flag needs to be cleared if the remote host
3093                          * features do not indicate SSP support */
3094                         clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
3095                 }
3096
3097                 if (ev->features[0] & LMP_HOST_SC)
3098                         set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
3099         }
3100
3101         if (conn->state != BT_CONFIG)
3102                 goto unlock;
3103
3104         if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3105                 struct hci_cp_remote_name_req cp;
3106                 memset(&cp, 0, sizeof(cp));
3107                 bacpy(&cp.bdaddr, &conn->dst);
3108                 cp.pscan_rep_mode = 0x02;
3109                 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3110         } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3111                 mgmt_device_connected(hdev, &conn->dst, conn->type,
3112                                       conn->dst_type, 0, NULL, 0,
3113                                       conn->dev_class);
3114
3115         if (!hci_outgoing_auth_needed(hdev, conn)) {
3116                 conn->state = BT_CONNECTED;
3117                 hci_proto_connect_cfm(conn, ev->status);
3118                 hci_conn_drop(conn);
3119         }
3120
3121 unlock:
3122         hci_dev_unlock(hdev);
3123 }
3124
3125 static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
3126                                        struct sk_buff *skb)
3127 {
3128         struct hci_ev_sync_conn_complete *ev = (void *) skb->data;
3129         struct hci_conn *conn;
3130
3131         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3132
3133         hci_dev_lock(hdev);
3134
3135         conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
3136         if (!conn) {
3137                 if (ev->link_type == ESCO_LINK)
3138                         goto unlock;
3139
3140                 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
3141                 if (!conn)
3142                         goto unlock;
3143
3144                 conn->type = SCO_LINK;
3145         }
3146
3147         switch (ev->status) {
3148         case 0x00:
3149                 conn->handle = __le16_to_cpu(ev->handle);
3150                 conn->state  = BT_CONNECTED;
3151
3152                 hci_conn_add_sysfs(conn);
3153                 break;
3154
3155         case 0x0d:      /* Connection Rejected due to Limited Resources */
3156         case 0x11:      /* Unsupported Feature or Parameter Value */
3157         case 0x1c:      /* SCO interval rejected */
3158         case 0x1a:      /* Unsupported Remote Feature */
3159         case 0x1f:      /* Unspecified error */
3160         case 0x20:      /* Unsupported LMP Parameter value */
3161                 if (conn->out) {
3162                         conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
3163                                         (hdev->esco_type & EDR_ESCO_MASK);
3164                         if (hci_setup_sync(conn, conn->link->handle))
3165                                 goto unlock;
3166                 }
3167                 /* fall through */
3168
3169         default:
3170                 conn->state = BT_CLOSED;
3171                 break;
3172         }
3173
3174         hci_proto_connect_cfm(conn, ev->status);
3175         if (ev->status)
3176                 hci_conn_del(conn);
3177
3178 unlock:
3179         hci_dev_unlock(hdev);
3180 }
3181
3182 static inline size_t eir_get_length(u8 *eir, size_t eir_len)
3183 {
3184         size_t parsed = 0;
3185
3186         while (parsed < eir_len) {
3187                 u8 field_len = eir[0];
3188
3189                 if (field_len == 0)
3190                         return parsed;
3191
3192                 parsed += field_len + 1;
3193                 eir += field_len + 1;
3194         }
3195
3196         return eir_len;
3197 }
3198
3199 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev,
3200                                             struct sk_buff *skb)
3201 {
3202         struct inquiry_data data;
3203         struct extended_inquiry_info *info = (void *) (skb->data + 1);
3204         int num_rsp = *((__u8 *) skb->data);
3205         size_t eir_len;
3206
3207         BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
3208
3209         if (!num_rsp)
3210                 return;
3211
3212         if (test_bit(HCI_PERIODIC_INQ, &hdev->dev_flags))
3213                 return;
3214
3215         hci_dev_lock(hdev);
3216
3217         for (; num_rsp; num_rsp--, info++) {
3218                 bool name_known, ssp;
3219
3220                 bacpy(&data.bdaddr, &info->bdaddr);
3221                 data.pscan_rep_mode     = info->pscan_rep_mode;
3222                 data.pscan_period_mode  = info->pscan_period_mode;
3223                 data.pscan_mode         = 0x00;
3224                 memcpy(data.dev_class, info->dev_class, 3);
3225                 data.clock_offset       = info->clock_offset;
3226                 data.rssi               = info->rssi;
3227                 data.ssp_mode           = 0x01;
3228
3229                 if (test_bit(HCI_MGMT, &hdev->dev_flags))
3230                         name_known = eir_has_data_type(info->data,
3231                                                        sizeof(info->data),
3232                                                        EIR_NAME_COMPLETE);
3233                 else
3234                         name_known = true;
3235
3236                 name_known = hci_inquiry_cache_update(hdev, &data, name_known,
3237                                                       &ssp);
3238                 eir_len = eir_get_length(info->data, sizeof(info->data));
3239                 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3240                                   info->dev_class, info->rssi, !name_known,
3241                                   ssp, info->data, eir_len);
3242         }
3243
3244         hci_dev_unlock(hdev);
3245 }
3246
3247 static void hci_key_refresh_complete_evt(struct hci_dev *hdev,
3248                                          struct sk_buff *skb)
3249 {
3250         struct hci_ev_key_refresh_complete *ev = (void *) skb->data;
3251         struct hci_conn *conn;
3252
3253         BT_DBG("%s status 0x%2.2x handle 0x%4.4x", hdev->name, ev->status,
3254                __le16_to_cpu(ev->handle));
3255
3256         hci_dev_lock(hdev);
3257
3258         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3259         if (!conn)
3260                 goto unlock;
3261
3262         if (!ev->status)
3263                 conn->sec_level = conn->pending_sec_level;
3264
3265         clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3266
3267         if (ev->status && conn->state == BT_CONNECTED) {
3268                 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3269                 hci_conn_drop(conn);
3270                 goto unlock;
3271         }
3272
3273         if (conn->state == BT_CONFIG) {
3274                 if (!ev->status)
3275                         conn->state = BT_CONNECTED;
3276
3277                 hci_proto_connect_cfm(conn, ev->status);
3278                 hci_conn_drop(conn);
3279         } else {
3280                 hci_auth_cfm(conn, ev->status);
3281
3282                 hci_conn_hold(conn);
3283                 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3284                 hci_conn_drop(conn);
3285         }
3286
3287 unlock:
3288         hci_dev_unlock(hdev);
3289 }
3290
3291 static u8 hci_get_auth_req(struct hci_conn *conn)
3292 {
3293         /* If remote requests dedicated bonding follow that lead */
3294         if (conn->remote_auth == HCI_AT_DEDICATED_BONDING ||
3295             conn->remote_auth == HCI_AT_DEDICATED_BONDING_MITM) {
3296                 /* If both remote and local IO capabilities allow MITM
3297                  * protection then require it, otherwise don't */
3298                 if (conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT ||
3299                     conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)
3300                         return HCI_AT_DEDICATED_BONDING;
3301                 else
3302                         return HCI_AT_DEDICATED_BONDING_MITM;
3303         }
3304
3305         /* If remote requests no-bonding follow that lead */
3306         if (conn->remote_auth == HCI_AT_NO_BONDING ||
3307             conn->remote_auth == HCI_AT_NO_BONDING_MITM)
3308                 return conn->remote_auth | (conn->auth_type & 0x01);
3309
3310         return conn->auth_type;
3311 }
3312
3313 static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3314 {
3315         struct hci_ev_io_capa_request *ev = (void *) skb->data;
3316         struct hci_conn *conn;
3317
3318         BT_DBG("%s", hdev->name);
3319
3320         hci_dev_lock(hdev);
3321
3322         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3323         if (!conn)
3324                 goto unlock;
3325
3326         hci_conn_hold(conn);
3327
3328         if (!test_bit(HCI_MGMT, &hdev->dev_flags))
3329                 goto unlock;
3330
3331         if (test_bit(HCI_PAIRABLE, &hdev->dev_flags) ||
3332             (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
3333                 struct hci_cp_io_capability_reply cp;
3334
3335                 bacpy(&cp.bdaddr, &ev->bdaddr);
3336                 /* Change the IO capability from KeyboardDisplay
3337                  * to DisplayYesNo as it is not supported by BT spec. */
3338                 cp.capability = (conn->io_capability == 0x04) ?
3339                                 HCI_IO_DISPLAY_YESNO : conn->io_capability;
3340                 conn->auth_type = hci_get_auth_req(conn);
3341                 cp.authentication = conn->auth_type;
3342
3343                 if (hci_find_remote_oob_data(hdev, &conn->dst) &&
3344                     (conn->out || test_bit(HCI_CONN_REMOTE_OOB, &conn->flags)))
3345                         cp.oob_data = 0x01;
3346                 else
3347                         cp.oob_data = 0x00;
3348
3349                 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
3350                              sizeof(cp), &cp);
3351         } else {
3352                 struct hci_cp_io_capability_neg_reply cp;
3353
3354                 bacpy(&cp.bdaddr, &ev->bdaddr);
3355                 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
3356
3357                 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
3358                              sizeof(cp), &cp);
3359         }
3360
3361 unlock:
3362         hci_dev_unlock(hdev);
3363 }
3364
3365 static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb)
3366 {
3367         struct hci_ev_io_capa_reply *ev = (void *) skb->data;
3368         struct hci_conn *conn;
3369
3370         BT_DBG("%s", hdev->name);
3371
3372         hci_dev_lock(hdev);
3373
3374         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3375         if (!conn)
3376                 goto unlock;
3377
3378         conn->remote_cap = ev->capability;
3379         conn->remote_auth = ev->authentication;
3380         if (ev->oob_data)
3381                 set_bit(HCI_CONN_REMOTE_OOB, &conn->flags);
3382
3383 unlock:
3384         hci_dev_unlock(hdev);
3385 }
3386
3387 static void hci_user_confirm_request_evt(struct hci_dev *hdev,
3388                                          struct sk_buff *skb)
3389 {
3390         struct hci_ev_user_confirm_req *ev = (void *) skb->data;
3391         int loc_mitm, rem_mitm, confirm_hint = 0;
3392         struct hci_conn *conn;
3393
3394         BT_DBG("%s", hdev->name);
3395
3396         hci_dev_lock(hdev);
3397
3398         if (!test_bit(HCI_MGMT, &hdev->dev_flags))
3399                 goto unlock;
3400
3401         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3402         if (!conn)
3403                 goto unlock;
3404
3405         loc_mitm = (conn->auth_type & 0x01);
3406         rem_mitm = (conn->remote_auth & 0x01);
3407
3408         /* If we require MITM but the remote device can't provide that
3409          * (it has NoInputNoOutput) then reject the confirmation
3410          * request. The only exception is when we're dedicated bonding
3411          * initiators (connect_cfm_cb set) since then we always have the MITM
3412          * bit set. */
3413         if (!conn->connect_cfm_cb && loc_mitm &&
3414             conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
3415                 BT_DBG("Rejecting request: remote device can't provide MITM");
3416                 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
3417                              sizeof(ev->bdaddr), &ev->bdaddr);
3418                 goto unlock;
3419         }
3420
3421         /* If no side requires MITM protection; auto-accept */
3422         if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
3423             (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
3424
3425                 /* If we're not the initiators request authorization to
3426                  * proceed from user space (mgmt_user_confirm with
3427                  * confirm_hint set to 1). */
3428                 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
3429                         BT_DBG("Confirming auto-accept as acceptor");
3430                         confirm_hint = 1;
3431                         goto confirm;
3432                 }
3433
3434                 BT_DBG("Auto-accept of user confirmation with %ums delay",
3435                        hdev->auto_accept_delay);
3436
3437                 if (hdev->auto_accept_delay > 0) {
3438                         int delay = msecs_to_jiffies(hdev->auto_accept_delay);
3439                         queue_delayed_work(conn->hdev->workqueue,
3440                                            &conn->auto_accept_work, delay);
3441                         goto unlock;
3442                 }
3443
3444                 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
3445                              sizeof(ev->bdaddr), &ev->bdaddr);
3446                 goto unlock;
3447         }
3448
3449 confirm:
3450         mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0, ev->passkey,
3451                                   confirm_hint);
3452
3453 unlock:
3454         hci_dev_unlock(hdev);
3455 }
3456
3457 static void hci_user_passkey_request_evt(struct hci_dev *hdev,
3458                                          struct sk_buff *skb)
3459 {
3460         struct hci_ev_user_passkey_req *ev = (void *) skb->data;
3461
3462         BT_DBG("%s", hdev->name);
3463
3464         if (test_bit(HCI_MGMT, &hdev->dev_flags))
3465                 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
3466 }
3467
3468 static void hci_user_passkey_notify_evt(struct hci_dev *hdev,
3469                                         struct sk_buff *skb)
3470 {
3471         struct hci_ev_user_passkey_notify *ev = (void *) skb->data;
3472         struct hci_conn *conn;
3473
3474         BT_DBG("%s", hdev->name);
3475
3476         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3477         if (!conn)
3478                 return;
3479
3480         conn->passkey_notify = __le32_to_cpu(ev->passkey);
3481         conn->passkey_entered = 0;
3482
3483         if (test_bit(HCI_MGMT, &hdev->dev_flags))
3484                 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
3485                                          conn->dst_type, conn->passkey_notify,
3486                                          conn->passkey_entered);
3487 }
3488
3489 static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
3490 {
3491         struct hci_ev_keypress_notify *ev = (void *) skb->data;
3492         struct hci_conn *conn;
3493
3494         BT_DBG("%s", hdev->name);
3495
3496         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3497         if (!conn)
3498                 return;
3499
3500         switch (ev->type) {
3501         case HCI_KEYPRESS_STARTED:
3502                 conn->passkey_entered = 0;
3503                 return;
3504
3505         case HCI_KEYPRESS_ENTERED:
3506                 conn->passkey_entered++;
3507                 break;
3508
3509         case HCI_KEYPRESS_ERASED:
3510                 conn->passkey_entered--;
3511                 break;
3512
3513         case HCI_KEYPRESS_CLEARED:
3514                 conn->passkey_entered = 0;
3515                 break;
3516
3517         case HCI_KEYPRESS_COMPLETED:
3518                 return;
3519         }
3520
3521         if (test_bit(HCI_MGMT, &hdev->dev_flags))
3522                 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
3523                                          conn->dst_type, conn->passkey_notify,
3524                                          conn->passkey_entered);
3525 }
3526
3527 static void hci_simple_pair_complete_evt(struct hci_dev *hdev,
3528                                          struct sk_buff *skb)
3529 {
3530         struct hci_ev_simple_pair_complete *ev = (void *) skb->data;
3531         struct hci_conn *conn;
3532
3533         BT_DBG("%s", hdev->name);
3534
3535         hci_dev_lock(hdev);
3536
3537         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3538         if (!conn)
3539                 goto unlock;
3540
3541         /* To avoid duplicate auth_failed events to user space we check
3542          * the HCI_CONN_AUTH_PEND flag which will be set if we
3543          * initiated the authentication. A traditional auth_complete
3544          * event gets always produced as initiator and is also mapped to
3545          * the mgmt_auth_failed event */
3546         if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
3547                 mgmt_auth_failed(hdev, &conn->dst, conn->type, conn->dst_type,
3548                                  ev->status);
3549
3550         hci_conn_drop(conn);
3551
3552 unlock:
3553         hci_dev_unlock(hdev);
3554 }
3555
3556 static void hci_remote_host_features_evt(struct hci_dev *hdev,
3557                                          struct sk_buff *skb)
3558 {
3559         struct hci_ev_remote_host_features *ev = (void *) skb->data;
3560         struct inquiry_entry *ie;
3561         struct hci_conn *conn;
3562
3563         BT_DBG("%s", hdev->name);
3564
3565         hci_dev_lock(hdev);
3566
3567         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3568         if (conn)
3569                 memcpy(conn->features[1], ev->features, 8);
3570
3571         ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3572         if (ie)
3573                 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
3574
3575         hci_dev_unlock(hdev);
3576 }
3577
3578 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
3579                                             struct sk_buff *skb)
3580 {
3581         struct hci_ev_remote_oob_data_request *ev = (void *) skb->data;
3582         struct oob_data *data;
3583
3584         BT_DBG("%s", hdev->name);
3585
3586         hci_dev_lock(hdev);
3587
3588         if (!test_bit(HCI_MGMT, &hdev->dev_flags))
3589                 goto unlock;
3590
3591         data = hci_find_remote_oob_data(hdev, &ev->bdaddr);
3592         if (data) {
3593                 if (test_bit(HCI_SC_ENABLED, &hdev->dev_flags)) {
3594                         struct hci_cp_remote_oob_ext_data_reply cp;
3595
3596                         bacpy(&cp.bdaddr, &ev->bdaddr);
3597                         memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
3598                         memcpy(cp.randomizer192, data->randomizer192,
3599                                sizeof(cp.randomizer192));
3600                         memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
3601                         memcpy(cp.randomizer256, data->randomizer256,
3602                                sizeof(cp.randomizer256));
3603
3604                         hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
3605                                      sizeof(cp), &cp);
3606                 } else {
3607                         struct hci_cp_remote_oob_data_reply cp;
3608
3609                         bacpy(&cp.bdaddr, &ev->bdaddr);
3610                         memcpy(cp.hash, data->hash192, sizeof(cp.hash));
3611                         memcpy(cp.randomizer, data->randomizer192,
3612                                sizeof(cp.randomizer));
3613
3614                         hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
3615                                      sizeof(cp), &cp);
3616                 }
3617         } else {
3618                 struct hci_cp_remote_oob_data_neg_reply cp;
3619
3620                 bacpy(&cp.bdaddr, &ev->bdaddr);
3621                 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
3622                              sizeof(cp), &cp);
3623         }
3624
3625 unlock:
3626         hci_dev_unlock(hdev);
3627 }
3628
3629 static void hci_phy_link_complete_evt(struct hci_dev *hdev,
3630                                       struct sk_buff *skb)
3631 {
3632         struct hci_ev_phy_link_complete *ev = (void *) skb->data;
3633         struct hci_conn *hcon, *bredr_hcon;
3634
3635         BT_DBG("%s handle 0x%2.2x status 0x%2.2x", hdev->name, ev->phy_handle,
3636                ev->status);
3637
3638         hci_dev_lock(hdev);
3639
3640         hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
3641         if (!hcon) {
3642                 hci_dev_unlock(hdev);
3643                 return;
3644         }
3645
3646         if (ev->status) {
3647                 hci_conn_del(hcon);
3648                 hci_dev_unlock(hdev);
3649                 return;
3650         }
3651
3652         bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
3653
3654         hcon->state = BT_CONNECTED;
3655         bacpy(&hcon->dst, &bredr_hcon->dst);
3656
3657         hci_conn_hold(hcon);
3658         hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3659         hci_conn_drop(hcon);
3660
3661         hci_conn_add_sysfs(hcon);
3662
3663         amp_physical_cfm(bredr_hcon, hcon);
3664
3665         hci_dev_unlock(hdev);
3666 }
3667
3668 static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
3669 {
3670         struct hci_ev_logical_link_complete *ev = (void *) skb->data;
3671         struct hci_conn *hcon;
3672         struct hci_chan *hchan;
3673         struct amp_mgr *mgr;
3674
3675         BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
3676                hdev->name, le16_to_cpu(ev->handle), ev->phy_handle,
3677                ev->status);
3678
3679         hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
3680         if (!hcon)
3681                 return;
3682
3683         /* Create AMP hchan */
3684         hchan = hci_chan_create(hcon);
3685         if (!hchan)
3686                 return;
3687
3688         hchan->handle = le16_to_cpu(ev->handle);
3689
3690         BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
3691
3692         mgr = hcon->amp_mgr;
3693         if (mgr && mgr->bredr_chan) {
3694                 struct l2cap_chan *bredr_chan = mgr->bredr_chan;
3695
3696                 l2cap_chan_lock(bredr_chan);
3697
3698                 bredr_chan->conn->mtu = hdev->block_mtu;
3699                 l2cap_logical_cfm(bredr_chan, hchan, 0);
3700                 hci_conn_hold(hcon);
3701
3702                 l2cap_chan_unlock(bredr_chan);
3703         }
3704 }
3705
3706 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev,
3707                                              struct sk_buff *skb)
3708 {
3709         struct hci_ev_disconn_logical_link_complete *ev = (void *) skb->data;
3710         struct hci_chan *hchan;
3711
3712         BT_DBG("%s log handle 0x%4.4x status 0x%2.2x", hdev->name,
3713                le16_to_cpu(ev->handle), ev->status);
3714
3715         if (ev->status)
3716                 return;
3717
3718         hci_dev_lock(hdev);
3719
3720         hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
3721         if (!hchan)
3722                 goto unlock;
3723
3724         amp_destroy_logical_link(hchan, ev->reason);
3725
3726 unlock:
3727         hci_dev_unlock(hdev);
3728 }
3729
3730 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev,
3731                                              struct sk_buff *skb)
3732 {
3733         struct hci_ev_disconn_phy_link_complete *ev = (void *) skb->data;
3734         struct hci_conn *hcon;
3735
3736         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3737
3738         if (ev->status)
3739                 return;
3740
3741         hci_dev_lock(hdev);
3742
3743         hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
3744         if (hcon) {
3745                 hcon->state = BT_CLOSED;
3746                 hci_conn_del(hcon);
3747         }
3748
3749         hci_dev_unlock(hdev);
3750 }
3751
3752 static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
3753 {
3754         struct hci_ev_le_conn_complete *ev = (void *) skb->data;
3755         struct hci_conn *conn;
3756         struct smp_irk *irk;
3757
3758         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3759
3760         hci_dev_lock(hdev);
3761
3762         conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT);
3763         if (!conn) {
3764                 conn = hci_conn_add(hdev, LE_LINK, &ev->bdaddr);
3765                 if (!conn) {
3766                         BT_ERR("No memory for new connection");
3767                         goto unlock;
3768                 }
3769
3770                 conn->dst_type = ev->bdaddr_type;
3771
3772                 /* The advertising parameters for own address type
3773                  * define which source address and source address
3774                  * type this connections has.
3775                  */
3776                 if (bacmp(&conn->src, BDADDR_ANY)) {
3777                         conn->src_type = ADDR_LE_DEV_PUBLIC;
3778                 } else {
3779                         bacpy(&conn->src, &hdev->static_addr);
3780                         conn->src_type = ADDR_LE_DEV_RANDOM;
3781                 }
3782
3783                 if (ev->role == LE_CONN_ROLE_MASTER) {
3784                         conn->out = true;
3785                         conn->link_mode |= HCI_LM_MASTER;
3786                 }
3787
3788                 /* If we didn't have a hci_conn object previously
3789                  * but we're in master role this must be something
3790                  * initiated using a white list. Since white list based
3791                  * connections are not "first class citizens" we don't
3792                  * have full tracking of them. Therefore, we go ahead
3793                  * with a "best effort" approach of determining the
3794                  * initiator address based on the HCI_PRIVACY flag.
3795                  */
3796                 if (conn->out) {
3797                         conn->resp_addr_type = ev->bdaddr_type;
3798                         bacpy(&conn->resp_addr, &ev->bdaddr);
3799                         if (test_bit(HCI_PRIVACY, &hdev->dev_flags)) {
3800                                 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
3801                                 bacpy(&conn->init_addr, &hdev->rpa);
3802                         } else {
3803                                 hci_copy_identity_address(hdev,
3804                                                           &conn->init_addr,
3805                                                           &conn->init_addr_type);
3806                         }
3807                 } else {
3808                         /* Set the responder (our side) address type based on
3809                          * the advertising address type.
3810                          */
3811                         conn->resp_addr_type = hdev->adv_addr_type;
3812                         if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM)
3813                                 bacpy(&conn->resp_addr, &hdev->random_addr);
3814                         else
3815                                 bacpy(&conn->resp_addr, &hdev->bdaddr);
3816
3817                         conn->init_addr_type = ev->bdaddr_type;
3818                         bacpy(&conn->init_addr, &ev->bdaddr);
3819                 }
3820         } else {
3821                 cancel_delayed_work(&conn->le_conn_timeout);
3822         }
3823
3824         /* Ensure that the hci_conn contains the identity address type
3825          * regardless of which address the connection was made with.
3826          */
3827         hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
3828
3829         /* Lookup the identity address from the stored connection
3830          * address and address type.
3831          *
3832          * When establishing connections to an identity address, the
3833          * connection procedure will store the resolvable random
3834          * address first. Now if it can be converted back into the
3835          * identity address, start using the identity address from
3836          * now on.
3837          */
3838         irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
3839         if (irk) {
3840                 bacpy(&conn->dst, &irk->bdaddr);
3841                 conn->dst_type = irk->addr_type;
3842         }
3843
3844         if (ev->status) {
3845                 hci_le_conn_failed(conn, ev->status);
3846                 goto unlock;
3847         }
3848
3849         if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3850                 mgmt_device_connected(hdev, &conn->dst, conn->type,
3851                                       conn->dst_type, 0, NULL, 0, NULL);
3852
3853         conn->sec_level = BT_SECURITY_LOW;
3854         conn->handle = __le16_to_cpu(ev->handle);
3855         conn->state = BT_CONNECTED;
3856
3857         if (test_bit(HCI_6LOWPAN_ENABLED, &hdev->dev_flags))
3858                 set_bit(HCI_CONN_6LOWPAN, &conn->flags);
3859
3860         hci_conn_add_sysfs(conn);
3861
3862         hci_proto_connect_cfm(conn, ev->status);
3863
3864         hci_pend_le_conn_del(hdev, &conn->dst, conn->dst_type);
3865
3866 unlock:
3867         hci_dev_unlock(hdev);
3868 }
3869
3870 /* This function requires the caller holds hdev->lock */
3871 static void check_pending_le_conn(struct hci_dev *hdev, bdaddr_t *addr,
3872                                   u8 addr_type)
3873 {
3874         struct hci_conn *conn;
3875         struct smp_irk *irk;
3876
3877         /* If this is a resolvable address, we should resolve it and then
3878          * update address and address type variables.
3879          */
3880         irk = hci_get_irk(hdev, addr, addr_type);
3881         if (irk) {
3882                 addr = &irk->bdaddr;
3883                 addr_type = irk->addr_type;
3884         }
3885
3886         if (!hci_pend_le_conn_lookup(hdev, addr, addr_type))
3887                 return;
3888
3889         conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW,
3890                               HCI_AT_NO_BONDING);
3891         if (!IS_ERR(conn))
3892                 return;
3893
3894         switch (PTR_ERR(conn)) {
3895         case -EBUSY:
3896                 /* If hci_connect() returns -EBUSY it means there is already
3897                  * an LE connection attempt going on. Since controllers don't
3898                  * support more than one connection attempt at the time, we
3899                  * don't consider this an error case.
3900                  */
3901                 break;
3902         default:
3903                 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
3904         }
3905 }
3906
3907 static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
3908 {
3909         u8 num_reports = skb->data[0];
3910         void *ptr = &skb->data[1];
3911         s8 rssi;
3912
3913         hci_dev_lock(hdev);
3914
3915         while (num_reports--) {
3916                 struct hci_ev_le_advertising_info *ev = ptr;
3917
3918                 if (ev->evt_type == LE_ADV_IND ||
3919                     ev->evt_type == LE_ADV_DIRECT_IND)
3920                         check_pending_le_conn(hdev, &ev->bdaddr,
3921                                               ev->bdaddr_type);
3922
3923                 rssi = ev->data[ev->length];
3924                 mgmt_device_found(hdev, &ev->bdaddr, LE_LINK, ev->bdaddr_type,
3925                                   NULL, rssi, 0, 1, ev->data, ev->length);
3926
3927                 ptr += sizeof(*ev) + ev->length + 1;
3928         }
3929
3930         hci_dev_unlock(hdev);
3931 }
3932
3933 static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3934 {
3935         struct hci_ev_le_ltk_req *ev = (void *) skb->data;
3936         struct hci_cp_le_ltk_reply cp;
3937         struct hci_cp_le_ltk_neg_reply neg;
3938         struct hci_conn *conn;
3939         struct smp_ltk *ltk;
3940
3941         BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle));
3942
3943         hci_dev_lock(hdev);
3944
3945         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3946         if (conn == NULL)
3947                 goto not_found;
3948
3949         ltk = hci_find_ltk(hdev, ev->ediv, ev->rand, conn->out);
3950         if (ltk == NULL)
3951                 goto not_found;
3952
3953         memcpy(cp.ltk, ltk->val, sizeof(ltk->val));
3954         cp.handle = cpu_to_le16(conn->handle);
3955
3956         if (ltk->authenticated)
3957                 conn->pending_sec_level = BT_SECURITY_HIGH;
3958         else
3959                 conn->pending_sec_level = BT_SECURITY_MEDIUM;
3960
3961         conn->enc_key_size = ltk->enc_size;
3962
3963         hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
3964
3965         /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
3966          * temporary key used to encrypt a connection following
3967          * pairing. It is used during the Encrypted Session Setup to
3968          * distribute the keys. Later, security can be re-established
3969          * using a distributed LTK.
3970          */
3971         if (ltk->type == HCI_SMP_STK_SLAVE) {
3972                 list_del(&ltk->list);
3973                 kfree(ltk);
3974         }
3975
3976         hci_dev_unlock(hdev);
3977
3978         return;
3979
3980 not_found:
3981         neg.handle = ev->handle;
3982         hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
3983         hci_dev_unlock(hdev);
3984 }
3985
3986 static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
3987 {
3988         struct hci_ev_le_meta *le_ev = (void *) skb->data;
3989
3990         skb_pull(skb, sizeof(*le_ev));
3991
3992         switch (le_ev->subevent) {
3993         case HCI_EV_LE_CONN_COMPLETE:
3994                 hci_le_conn_complete_evt(hdev, skb);
3995                 break;
3996
3997         case HCI_EV_LE_ADVERTISING_REPORT:
3998                 hci_le_adv_report_evt(hdev, skb);
3999                 break;
4000
4001         case HCI_EV_LE_LTK_REQ:
4002                 hci_le_ltk_request_evt(hdev, skb);
4003                 break;
4004
4005         default:
4006                 break;
4007         }
4008 }
4009
4010 static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb)
4011 {
4012         struct hci_ev_channel_selected *ev = (void *) skb->data;
4013         struct hci_conn *hcon;
4014
4015         BT_DBG("%s handle 0x%2.2x", hdev->name, ev->phy_handle);
4016
4017         skb_pull(skb, sizeof(*ev));
4018
4019         hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4020         if (!hcon)
4021                 return;
4022
4023         amp_read_loc_assoc_final_data(hdev, hcon);
4024 }
4025
4026 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
4027 {
4028         struct hci_event_hdr *hdr = (void *) skb->data;
4029         __u8 event = hdr->evt;
4030
4031         hci_dev_lock(hdev);
4032
4033         /* Received events are (currently) only needed when a request is
4034          * ongoing so avoid unnecessary memory allocation.
4035          */
4036         if (hdev->req_status == HCI_REQ_PEND) {
4037                 kfree_skb(hdev->recv_evt);
4038                 hdev->recv_evt = skb_clone(skb, GFP_KERNEL);
4039         }
4040
4041         hci_dev_unlock(hdev);
4042
4043         skb_pull(skb, HCI_EVENT_HDR_SIZE);
4044
4045         if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->req.event == event) {
4046                 struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data;
4047                 u16 opcode = __le16_to_cpu(cmd_hdr->opcode);
4048
4049                 hci_req_cmd_complete(hdev, opcode, 0);
4050         }
4051
4052         switch (event) {
4053         case HCI_EV_INQUIRY_COMPLETE:
4054                 hci_inquiry_complete_evt(hdev, skb);
4055                 break;
4056
4057         case HCI_EV_INQUIRY_RESULT:
4058                 hci_inquiry_result_evt(hdev, skb);
4059                 break;
4060
4061         case HCI_EV_CONN_COMPLETE:
4062                 hci_conn_complete_evt(hdev, skb);
4063                 break;
4064
4065         case HCI_EV_CONN_REQUEST:
4066                 hci_conn_request_evt(hdev, skb);
4067                 break;
4068
4069         case HCI_EV_DISCONN_COMPLETE:
4070                 hci_disconn_complete_evt(hdev, skb);
4071                 break;
4072
4073         case HCI_EV_AUTH_COMPLETE:
4074                 hci_auth_complete_evt(hdev, skb);
4075                 break;
4076
4077         case HCI_EV_REMOTE_NAME:
4078                 hci_remote_name_evt(hdev, skb);
4079                 break;
4080
4081         case HCI_EV_ENCRYPT_CHANGE:
4082                 hci_encrypt_change_evt(hdev, skb);
4083                 break;
4084
4085         case HCI_EV_CHANGE_LINK_KEY_COMPLETE:
4086                 hci_change_link_key_complete_evt(hdev, skb);
4087                 break;
4088
4089         case HCI_EV_REMOTE_FEATURES:
4090                 hci_remote_features_evt(hdev, skb);
4091                 break;
4092
4093         case HCI_EV_CMD_COMPLETE:
4094                 hci_cmd_complete_evt(hdev, skb);
4095                 break;
4096
4097         case HCI_EV_CMD_STATUS:
4098                 hci_cmd_status_evt(hdev, skb);
4099                 break;
4100
4101         case HCI_EV_ROLE_CHANGE:
4102                 hci_role_change_evt(hdev, skb);
4103                 break;
4104
4105         case HCI_EV_NUM_COMP_PKTS:
4106                 hci_num_comp_pkts_evt(hdev, skb);
4107                 break;
4108
4109         case HCI_EV_MODE_CHANGE:
4110                 hci_mode_change_evt(hdev, skb);
4111                 break;
4112
4113         case HCI_EV_PIN_CODE_REQ:
4114                 hci_pin_code_request_evt(hdev, skb);
4115                 break;
4116
4117         case HCI_EV_LINK_KEY_REQ:
4118                 hci_link_key_request_evt(hdev, skb);
4119                 break;
4120
4121         case HCI_EV_LINK_KEY_NOTIFY:
4122                 hci_link_key_notify_evt(hdev, skb);
4123                 break;
4124
4125         case HCI_EV_CLOCK_OFFSET:
4126                 hci_clock_offset_evt(hdev, skb);
4127                 break;
4128
4129         case HCI_EV_PKT_TYPE_CHANGE:
4130                 hci_pkt_type_change_evt(hdev, skb);
4131                 break;
4132
4133         case HCI_EV_PSCAN_REP_MODE:
4134                 hci_pscan_rep_mode_evt(hdev, skb);
4135                 break;
4136
4137         case HCI_EV_INQUIRY_RESULT_WITH_RSSI:
4138                 hci_inquiry_result_with_rssi_evt(hdev, skb);
4139                 break;
4140
4141         case HCI_EV_REMOTE_EXT_FEATURES:
4142                 hci_remote_ext_features_evt(hdev, skb);
4143                 break;
4144
4145         case HCI_EV_SYNC_CONN_COMPLETE:
4146                 hci_sync_conn_complete_evt(hdev, skb);
4147                 break;
4148
4149         case HCI_EV_EXTENDED_INQUIRY_RESULT:
4150                 hci_extended_inquiry_result_evt(hdev, skb);
4151                 break;
4152
4153         case HCI_EV_KEY_REFRESH_COMPLETE:
4154                 hci_key_refresh_complete_evt(hdev, skb);
4155                 break;
4156
4157         case HCI_EV_IO_CAPA_REQUEST:
4158                 hci_io_capa_request_evt(hdev, skb);
4159                 break;
4160
4161         case HCI_EV_IO_CAPA_REPLY:
4162                 hci_io_capa_reply_evt(hdev, skb);
4163                 break;
4164
4165         case HCI_EV_USER_CONFIRM_REQUEST:
4166                 hci_user_confirm_request_evt(hdev, skb);
4167                 break;
4168
4169         case HCI_EV_USER_PASSKEY_REQUEST:
4170                 hci_user_passkey_request_evt(hdev, skb);
4171                 break;
4172
4173         case HCI_EV_USER_PASSKEY_NOTIFY:
4174                 hci_user_passkey_notify_evt(hdev, skb);
4175                 break;
4176
4177         case HCI_EV_KEYPRESS_NOTIFY:
4178                 hci_keypress_notify_evt(hdev, skb);
4179                 break;
4180
4181         case HCI_EV_SIMPLE_PAIR_COMPLETE:
4182                 hci_simple_pair_complete_evt(hdev, skb);
4183                 break;
4184
4185         case HCI_EV_REMOTE_HOST_FEATURES:
4186                 hci_remote_host_features_evt(hdev, skb);
4187                 break;
4188
4189         case HCI_EV_LE_META:
4190                 hci_le_meta_evt(hdev, skb);
4191                 break;
4192
4193         case HCI_EV_CHANNEL_SELECTED:
4194                 hci_chan_selected_evt(hdev, skb);
4195                 break;
4196
4197         case HCI_EV_REMOTE_OOB_DATA_REQUEST:
4198                 hci_remote_oob_data_request_evt(hdev, skb);
4199                 break;
4200
4201         case HCI_EV_PHY_LINK_COMPLETE:
4202                 hci_phy_link_complete_evt(hdev, skb);
4203                 break;
4204
4205         case HCI_EV_LOGICAL_LINK_COMPLETE:
4206                 hci_loglink_complete_evt(hdev, skb);
4207                 break;
4208
4209         case HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE:
4210                 hci_disconn_loglink_complete_evt(hdev, skb);
4211                 break;
4212
4213         case HCI_EV_DISCONN_PHY_LINK_COMPLETE:
4214                 hci_disconn_phylink_complete_evt(hdev, skb);
4215                 break;
4216
4217         case HCI_EV_NUM_COMP_BLOCKS:
4218                 hci_num_comp_blocks_evt(hdev, skb);
4219                 break;
4220
4221         default:
4222                 BT_DBG("%s event 0x%2.2x", hdev->name, event);
4223                 break;
4224         }
4225
4226         kfree_skb(skb);
4227         hdev->stat.evt_rx++;
4228 }