git.openpandora.org / pandora-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Bluetooth: Store also RSSI for pending advertising reports
[pandora-kernel.git] / net / bluetooth / hci_event.c
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
4
5    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License version 2 as
9    published by the Free Software Foundation;
10
11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19
20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22    SOFTWARE IS DISCLAIMED.
23 */
24
25 /* Bluetooth HCI event handling. */
26
27 #include <asm/unaligned.h>
28
29 #include <net/bluetooth/bluetooth.h>
30 #include <net/bluetooth/hci_core.h>
31 #include <net/bluetooth/mgmt.h>
32
33 #include "a2mp.h"
34 #include "amp.h"
35
36 /* Handle HCI Event packets */
37
38 static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb)
39 {
40         __u8 status = *((__u8 *) skb->data);
41
42         BT_DBG("%s status 0x%2.2x", hdev->name, status);
43
44         if (status)
45                 return;
46
47         clear_bit(HCI_INQUIRY, &hdev->flags);
48         smp_mb__after_clear_bit(); /* wake_up_bit advises about this barrier */
49         wake_up_bit(&hdev->flags, HCI_INQUIRY);
50
51         hci_conn_check_pending(hdev);
52 }
53
54 static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
55 {
56         __u8 status = *((__u8 *) skb->data);
57
58         BT_DBG("%s status 0x%2.2x", hdev->name, status);
59
60         if (status)
61                 return;
62
63         set_bit(HCI_PERIODIC_INQ, &hdev->dev_flags);
64 }
65
66 static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
67 {
68         __u8 status = *((__u8 *) skb->data);
69
70         BT_DBG("%s status 0x%2.2x", hdev->name, status);
71
72         if (status)
73                 return;
74
75         clear_bit(HCI_PERIODIC_INQ, &hdev->dev_flags);
76
77         hci_conn_check_pending(hdev);
78 }
79
80 static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev,
81                                           struct sk_buff *skb)
82 {
83         BT_DBG("%s", hdev->name);
84 }
85
86 static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb)
87 {
88         struct hci_rp_role_discovery *rp = (void *) skb->data;
89         struct hci_conn *conn;
90
91         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
92
93         if (rp->status)
94                 return;
95
96         hci_dev_lock(hdev);
97
98         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
99         if (conn) {
100                 if (rp->role)
101                         conn->link_mode &= ~HCI_LM_MASTER;
102                 else
103                         conn->link_mode |= HCI_LM_MASTER;
104         }
105
106         hci_dev_unlock(hdev);
107 }
108
109 static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
110 {
111         struct hci_rp_read_link_policy *rp = (void *) skb->data;
112         struct hci_conn *conn;
113
114         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
115
116         if (rp->status)
117                 return;
118
119         hci_dev_lock(hdev);
120
121         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
122         if (conn)
123                 conn->link_policy = __le16_to_cpu(rp->policy);
124
125         hci_dev_unlock(hdev);
126 }
127
128 static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
129 {
130         struct hci_rp_write_link_policy *rp = (void *) skb->data;
131         struct hci_conn *conn;
132         void *sent;
133
134         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
135
136         if (rp->status)
137                 return;
138
139         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
140         if (!sent)
141                 return;
142
143         hci_dev_lock(hdev);
144
145         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
146         if (conn)
147                 conn->link_policy = get_unaligned_le16(sent + 2);
148
149         hci_dev_unlock(hdev);
150 }
151
152 static void hci_cc_read_def_link_policy(struct hci_dev *hdev,
153                                         struct sk_buff *skb)
154 {
155         struct hci_rp_read_def_link_policy *rp = (void *) skb->data;
156
157         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
158
159         if (rp->status)
160                 return;
161
162         hdev->link_policy = __le16_to_cpu(rp->policy);
163 }
164
165 static void hci_cc_write_def_link_policy(struct hci_dev *hdev,
166                                          struct sk_buff *skb)
167 {
168         __u8 status = *((__u8 *) skb->data);
169         void *sent;
170
171         BT_DBG("%s status 0x%2.2x", hdev->name, status);
172
173         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
174         if (!sent)
175                 return;
176
177         if (!status)
178                 hdev->link_policy = get_unaligned_le16(sent);
179 }
180
181 static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb)
182 {
183         __u8 status = *((__u8 *) skb->data);
184
185         BT_DBG("%s status 0x%2.2x", hdev->name, status);
186
187         clear_bit(HCI_RESET, &hdev->flags);
188
189         /* Reset all non-persistent flags */
190         hdev->dev_flags &= ~HCI_PERSISTENT_MASK;
191
192         hdev->discovery.state = DISCOVERY_STOPPED;
193         hdev->inq_tx_power = HCI_TX_POWER_INVALID;
194         hdev->adv_tx_power = HCI_TX_POWER_INVALID;
195
196         memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
197         hdev->adv_data_len = 0;
198
199         memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
200         hdev->scan_rsp_data_len = 0;
201
202         hdev->le_scan_type = LE_SCAN_PASSIVE;
203
204         hdev->ssp_debug_mode = 0;
205 }
206
207 static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb)
208 {
209         __u8 status = *((__u8 *) skb->data);
210         void *sent;
211
212         BT_DBG("%s status 0x%2.2x", hdev->name, status);
213
214         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
215         if (!sent)
216                 return;
217
218         hci_dev_lock(hdev);
219
220         if (test_bit(HCI_MGMT, &hdev->dev_flags))
221                 mgmt_set_local_name_complete(hdev, sent, status);
222         else if (!status)
223                 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
224
225         hci_dev_unlock(hdev);
226 }
227
228 static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)
229 {
230         struct hci_rp_read_local_name *rp = (void *) skb->data;
231
232         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
233
234         if (rp->status)
235                 return;
236
237         if (test_bit(HCI_SETUP, &hdev->dev_flags))
238                 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
239 }
240
241 static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb)
242 {
243         __u8 status = *((__u8 *) skb->data);
244         void *sent;
245
246         BT_DBG("%s status 0x%2.2x", hdev->name, status);
247
248         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
249         if (!sent)
250                 return;
251
252         if (!status) {
253                 __u8 param = *((__u8 *) sent);
254
255                 if (param == AUTH_ENABLED)
256                         set_bit(HCI_AUTH, &hdev->flags);
257                 else
258                         clear_bit(HCI_AUTH, &hdev->flags);
259         }
260
261         if (test_bit(HCI_MGMT, &hdev->dev_flags))
262                 mgmt_auth_enable_complete(hdev, status);
263 }
264
265 static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb)
266 {
267         __u8 status = *((__u8 *) skb->data);
268         void *sent;
269
270         BT_DBG("%s status 0x%2.2x", hdev->name, status);
271
272         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
273         if (!sent)
274                 return;
275
276         if (!status) {
277                 __u8 param = *((__u8 *) sent);
278
279                 if (param)
280                         set_bit(HCI_ENCRYPT, &hdev->flags);
281                 else
282                         clear_bit(HCI_ENCRYPT, &hdev->flags);
283         }
284 }
285
286 static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb)
287 {
288         __u8 param, status = *((__u8 *) skb->data);
289         int old_pscan, old_iscan;
290         void *sent;
291
292         BT_DBG("%s status 0x%2.2x", hdev->name, status);
293
294         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
295         if (!sent)
296                 return;
297
298         param = *((__u8 *) sent);
299
300         hci_dev_lock(hdev);
301
302         if (status) {
303                 mgmt_write_scan_failed(hdev, param, status);
304                 hdev->discov_timeout = 0;
305                 goto done;
306         }
307
308         /* We need to ensure that we set this back on if someone changed
309          * the scan mode through a raw HCI socket.
310          */
311         set_bit(HCI_BREDR_ENABLED, &hdev->dev_flags);
312
313         old_pscan = test_and_clear_bit(HCI_PSCAN, &hdev->flags);
314         old_iscan = test_and_clear_bit(HCI_ISCAN, &hdev->flags);
315
316         if (param & SCAN_INQUIRY) {
317                 set_bit(HCI_ISCAN, &hdev->flags);
318                 if (!old_iscan)
319                         mgmt_discoverable(hdev, 1);
320         } else if (old_iscan)
321                 mgmt_discoverable(hdev, 0);
322
323         if (param & SCAN_PAGE) {
324                 set_bit(HCI_PSCAN, &hdev->flags);
325                 if (!old_pscan)
326                         mgmt_connectable(hdev, 1);
327         } else if (old_pscan)
328                 mgmt_connectable(hdev, 0);
329
330 done:
331         hci_dev_unlock(hdev);
332 }
333
334 static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
335 {
336         struct hci_rp_read_class_of_dev *rp = (void *) skb->data;
337
338         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
339
340         if (rp->status)
341                 return;
342
343         memcpy(hdev->dev_class, rp->dev_class, 3);
344
345         BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name,
346                hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]);
347 }
348
349 static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
350 {
351         __u8 status = *((__u8 *) skb->data);
352         void *sent;
353
354         BT_DBG("%s status 0x%2.2x", hdev->name, status);
355
356         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
357         if (!sent)
358                 return;
359
360         hci_dev_lock(hdev);
361
362         if (status == 0)
363                 memcpy(hdev->dev_class, sent, 3);
364
365         if (test_bit(HCI_MGMT, &hdev->dev_flags))
366                 mgmt_set_class_of_dev_complete(hdev, sent, status);
367
368         hci_dev_unlock(hdev);
369 }
370
371 static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb)
372 {
373         struct hci_rp_read_voice_setting *rp = (void *) skb->data;
374         __u16 setting;
375
376         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
377
378         if (rp->status)
379                 return;
380
381         setting = __le16_to_cpu(rp->voice_setting);
382
383         if (hdev->voice_setting == setting)
384                 return;
385
386         hdev->voice_setting = setting;
387
388         BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
389
390         if (hdev->notify)
391                 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
392 }
393
394 static void hci_cc_write_voice_setting(struct hci_dev *hdev,
395                                        struct sk_buff *skb)
396 {
397         __u8 status = *((__u8 *) skb->data);
398         __u16 setting;
399         void *sent;
400
401         BT_DBG("%s status 0x%2.2x", hdev->name, status);
402
403         if (status)
404                 return;
405
406         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
407         if (!sent)
408                 return;
409
410         setting = get_unaligned_le16(sent);
411
412         if (hdev->voice_setting == setting)
413                 return;
414
415         hdev->voice_setting = setting;
416
417         BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
418
419         if (hdev->notify)
420                 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
421 }
422
423 static void hci_cc_read_num_supported_iac(struct hci_dev *hdev,
424                                           struct sk_buff *skb)
425 {
426         struct hci_rp_read_num_supported_iac *rp = (void *) skb->data;
427
428         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
429
430         if (rp->status)
431                 return;
432
433         hdev->num_iac = rp->num_iac;
434
435         BT_DBG("%s num iac %d", hdev->name, hdev->num_iac);
436 }
437
438 static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
439 {
440         __u8 status = *((__u8 *) skb->data);
441         struct hci_cp_write_ssp_mode *sent;
442
443         BT_DBG("%s status 0x%2.2x", hdev->name, status);
444
445         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
446         if (!sent)
447                 return;
448
449         if (!status) {
450                 if (sent->mode)
451                         hdev->features[1][0] |= LMP_HOST_SSP;
452                 else
453                         hdev->features[1][0] &= ~LMP_HOST_SSP;
454         }
455
456         if (test_bit(HCI_MGMT, &hdev->dev_flags))
457                 mgmt_ssp_enable_complete(hdev, sent->mode, status);
458         else if (!status) {
459                 if (sent->mode)
460                         set_bit(HCI_SSP_ENABLED, &hdev->dev_flags);
461                 else
462                         clear_bit(HCI_SSP_ENABLED, &hdev->dev_flags);
463         }
464 }
465
466 static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb)
467 {
468         u8 status = *((u8 *) skb->data);
469         struct hci_cp_write_sc_support *sent;
470
471         BT_DBG("%s status 0x%2.2x", hdev->name, status);
472
473         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
474         if (!sent)
475                 return;
476
477         if (!status) {
478                 if (sent->support)
479                         hdev->features[1][0] |= LMP_HOST_SC;
480                 else
481                         hdev->features[1][0] &= ~LMP_HOST_SC;
482         }
483
484         if (test_bit(HCI_MGMT, &hdev->dev_flags))
485                 mgmt_sc_enable_complete(hdev, sent->support, status);
486         else if (!status) {
487                 if (sent->support)
488                         set_bit(HCI_SC_ENABLED, &hdev->dev_flags);
489                 else
490                         clear_bit(HCI_SC_ENABLED, &hdev->dev_flags);
491         }
492 }
493
494 static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb)
495 {
496         struct hci_rp_read_local_version *rp = (void *) skb->data;
497
498         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
499
500         if (rp->status)
501                 return;
502
503         if (test_bit(HCI_SETUP, &hdev->dev_flags)) {
504                 hdev->hci_ver = rp->hci_ver;
505                 hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
506                 hdev->lmp_ver = rp->lmp_ver;
507                 hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
508                 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
509         }
510 }
511
512 static void hci_cc_read_local_commands(struct hci_dev *hdev,
513                                        struct sk_buff *skb)
514 {
515         struct hci_rp_read_local_commands *rp = (void *) skb->data;
516
517         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
518
519         if (rp->status)
520                 return;
521
522         if (test_bit(HCI_SETUP, &hdev->dev_flags))
523                 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
524 }
525
526 static void hci_cc_read_local_features(struct hci_dev *hdev,
527                                        struct sk_buff *skb)
528 {
529         struct hci_rp_read_local_features *rp = (void *) skb->data;
530
531         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
532
533         if (rp->status)
534                 return;
535
536         memcpy(hdev->features, rp->features, 8);
537
538         /* Adjust default settings according to features
539          * supported by device. */
540
541         if (hdev->features[0][0] & LMP_3SLOT)
542                 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
543
544         if (hdev->features[0][0] & LMP_5SLOT)
545                 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
546
547         if (hdev->features[0][1] & LMP_HV2) {
548                 hdev->pkt_type  |= (HCI_HV2);
549                 hdev->esco_type |= (ESCO_HV2);
550         }
551
552         if (hdev->features[0][1] & LMP_HV3) {
553                 hdev->pkt_type  |= (HCI_HV3);
554                 hdev->esco_type |= (ESCO_HV3);
555         }
556
557         if (lmp_esco_capable(hdev))
558                 hdev->esco_type |= (ESCO_EV3);
559
560         if (hdev->features[0][4] & LMP_EV4)
561                 hdev->esco_type |= (ESCO_EV4);
562
563         if (hdev->features[0][4] & LMP_EV5)
564                 hdev->esco_type |= (ESCO_EV5);
565
566         if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
567                 hdev->esco_type |= (ESCO_2EV3);
568
569         if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
570                 hdev->esco_type |= (ESCO_3EV3);
571
572         if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
573                 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
574 }
575
576 static void hci_cc_read_local_ext_features(struct hci_dev *hdev,
577                                            struct sk_buff *skb)
578 {
579         struct hci_rp_read_local_ext_features *rp = (void *) skb->data;
580
581         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
582
583         if (rp->status)
584                 return;
585
586         if (hdev->max_page < rp->max_page)
587                 hdev->max_page = rp->max_page;
588
589         if (rp->page < HCI_MAX_PAGES)
590                 memcpy(hdev->features[rp->page], rp->features, 8);
591 }
592
593 static void hci_cc_read_flow_control_mode(struct hci_dev *hdev,
594                                           struct sk_buff *skb)
595 {
596         struct hci_rp_read_flow_control_mode *rp = (void *) skb->data;
597
598         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
599
600         if (!rp->status)
601                 hdev->flow_ctl_mode = rp->mode;
602 }
603
604 static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)
605 {
606         struct hci_rp_read_buffer_size *rp = (void *) skb->data;
607
608         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
609
610         if (rp->status)
611                 return;
612
613         hdev->acl_mtu  = __le16_to_cpu(rp->acl_mtu);
614         hdev->sco_mtu  = rp->sco_mtu;
615         hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
616         hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
617
618         if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
619                 hdev->sco_mtu  = 64;
620                 hdev->sco_pkts = 8;
621         }
622
623         hdev->acl_cnt = hdev->acl_pkts;
624         hdev->sco_cnt = hdev->sco_pkts;
625
626         BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
627                hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
628 }
629
630 static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb)
631 {
632         struct hci_rp_read_bd_addr *rp = (void *) skb->data;
633
634         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
635
636         if (!rp->status)
637                 bacpy(&hdev->bdaddr, &rp->bdaddr);
638 }
639
640 static void hci_cc_read_page_scan_activity(struct hci_dev *hdev,
641                                            struct sk_buff *skb)
642 {
643         struct hci_rp_read_page_scan_activity *rp = (void *) skb->data;
644
645         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
646
647         if (test_bit(HCI_INIT, &hdev->flags) && !rp->status) {
648                 hdev->page_scan_interval = __le16_to_cpu(rp->interval);
649                 hdev->page_scan_window = __le16_to_cpu(rp->window);
650         }
651 }
652
653 static void hci_cc_write_page_scan_activity(struct hci_dev *hdev,
654                                             struct sk_buff *skb)
655 {
656         u8 status = *((u8 *) skb->data);
657         struct hci_cp_write_page_scan_activity *sent;
658
659         BT_DBG("%s status 0x%2.2x", hdev->name, status);
660
661         if (status)
662                 return;
663
664         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
665         if (!sent)
666                 return;
667
668         hdev->page_scan_interval = __le16_to_cpu(sent->interval);
669         hdev->page_scan_window = __le16_to_cpu(sent->window);
670 }
671
672 static void hci_cc_read_page_scan_type(struct hci_dev *hdev,
673                                            struct sk_buff *skb)
674 {
675         struct hci_rp_read_page_scan_type *rp = (void *) skb->data;
676
677         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
678
679         if (test_bit(HCI_INIT, &hdev->flags) && !rp->status)
680                 hdev->page_scan_type = rp->type;
681 }
682
683 static void hci_cc_write_page_scan_type(struct hci_dev *hdev,
684                                         struct sk_buff *skb)
685 {
686         u8 status = *((u8 *) skb->data);
687         u8 *type;
688
689         BT_DBG("%s status 0x%2.2x", hdev->name, status);
690
691         if (status)
692                 return;
693
694         type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
695         if (type)
696                 hdev->page_scan_type = *type;
697 }
698
699 static void hci_cc_read_data_block_size(struct hci_dev *hdev,
700                                         struct sk_buff *skb)
701 {
702         struct hci_rp_read_data_block_size *rp = (void *) skb->data;
703
704         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
705
706         if (rp->status)
707                 return;
708
709         hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
710         hdev->block_len = __le16_to_cpu(rp->block_len);
711         hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
712
713         hdev->block_cnt = hdev->num_blocks;
714
715         BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
716                hdev->block_cnt, hdev->block_len);
717 }
718
719 static void hci_cc_read_local_amp_info(struct hci_dev *hdev,
720                                        struct sk_buff *skb)
721 {
722         struct hci_rp_read_local_amp_info *rp = (void *) skb->data;
723
724         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
725
726         if (rp->status)
727                 goto a2mp_rsp;
728
729         hdev->amp_status = rp->amp_status;
730         hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
731         hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
732         hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
733         hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
734         hdev->amp_type = rp->amp_type;
735         hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
736         hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
737         hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
738         hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
739
740 a2mp_rsp:
741         a2mp_send_getinfo_rsp(hdev);
742 }
743
744 static void hci_cc_read_local_amp_assoc(struct hci_dev *hdev,
745                                         struct sk_buff *skb)
746 {
747         struct hci_rp_read_local_amp_assoc *rp = (void *) skb->data;
748         struct amp_assoc *assoc = &hdev->loc_assoc;
749         size_t rem_len, frag_len;
750
751         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
752
753         if (rp->status)
754                 goto a2mp_rsp;
755
756         frag_len = skb->len - sizeof(*rp);
757         rem_len = __le16_to_cpu(rp->rem_len);
758
759         if (rem_len > frag_len) {
760                 BT_DBG("frag_len %zu rem_len %zu", frag_len, rem_len);
761
762                 memcpy(assoc->data + assoc->offset, rp->frag, frag_len);
763                 assoc->offset += frag_len;
764
765                 /* Read other fragments */
766                 amp_read_loc_assoc_frag(hdev, rp->phy_handle);
767
768                 return;
769         }
770
771         memcpy(assoc->data + assoc->offset, rp->frag, rem_len);
772         assoc->len = assoc->offset + rem_len;
773         assoc->offset = 0;
774
775 a2mp_rsp:
776         /* Send A2MP Rsp when all fragments are received */
777         a2mp_send_getampassoc_rsp(hdev, rp->status);
778         a2mp_send_create_phy_link_req(hdev, rp->status);
779 }
780
781 static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev,
782                                          struct sk_buff *skb)
783 {
784         struct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data;
785
786         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
787
788         if (!rp->status)
789                 hdev->inq_tx_power = rp->tx_power;
790 }
791
792 static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb)
793 {
794         struct hci_rp_pin_code_reply *rp = (void *) skb->data;
795         struct hci_cp_pin_code_reply *cp;
796         struct hci_conn *conn;
797
798         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
799
800         hci_dev_lock(hdev);
801
802         if (test_bit(HCI_MGMT, &hdev->dev_flags))
803                 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
804
805         if (rp->status)
806                 goto unlock;
807
808         cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
809         if (!cp)
810                 goto unlock;
811
812         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
813         if (conn)
814                 conn->pin_length = cp->pin_len;
815
816 unlock:
817         hci_dev_unlock(hdev);
818 }
819
820 static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)
821 {
822         struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data;
823
824         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
825
826         hci_dev_lock(hdev);
827
828         if (test_bit(HCI_MGMT, &hdev->dev_flags))
829                 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
830                                                  rp->status);
831
832         hci_dev_unlock(hdev);
833 }
834
835 static void hci_cc_le_read_buffer_size(struct hci_dev *hdev,
836                                        struct sk_buff *skb)
837 {
838         struct hci_rp_le_read_buffer_size *rp = (void *) skb->data;
839
840         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
841
842         if (rp->status)
843                 return;
844
845         hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
846         hdev->le_pkts = rp->le_max_pkt;
847
848         hdev->le_cnt = hdev->le_pkts;
849
850         BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
851 }
852
853 static void hci_cc_le_read_local_features(struct hci_dev *hdev,
854                                           struct sk_buff *skb)
855 {
856         struct hci_rp_le_read_local_features *rp = (void *) skb->data;
857
858         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
859
860         if (!rp->status)
861                 memcpy(hdev->le_features, rp->features, 8);
862 }
863
864 static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev,
865                                         struct sk_buff *skb)
866 {
867         struct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data;
868
869         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
870
871         if (!rp->status)
872                 hdev->adv_tx_power = rp->tx_power;
873 }
874
875 static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb)
876 {
877         struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
878
879         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
880
881         hci_dev_lock(hdev);
882
883         if (test_bit(HCI_MGMT, &hdev->dev_flags))
884                 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
885                                                  rp->status);
886
887         hci_dev_unlock(hdev);
888 }
889
890 static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev,
891                                           struct sk_buff *skb)
892 {
893         struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
894
895         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
896
897         hci_dev_lock(hdev);
898
899         if (test_bit(HCI_MGMT, &hdev->dev_flags))
900                 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
901                                                      ACL_LINK, 0, rp->status);
902
903         hci_dev_unlock(hdev);
904 }
905
906 static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb)
907 {
908         struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
909
910         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
911
912         hci_dev_lock(hdev);
913
914         if (test_bit(HCI_MGMT, &hdev->dev_flags))
915                 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
916                                                  0, rp->status);
917
918         hci_dev_unlock(hdev);
919 }
920
921 static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev,
922                                           struct sk_buff *skb)
923 {
924         struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
925
926         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
927
928         hci_dev_lock(hdev);
929
930         if (test_bit(HCI_MGMT, &hdev->dev_flags))
931                 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
932                                                      ACL_LINK, 0, rp->status);
933
934         hci_dev_unlock(hdev);
935 }
936
937 static void hci_cc_read_local_oob_data(struct hci_dev *hdev,
938                                        struct sk_buff *skb)
939 {
940         struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
941
942         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
943
944         hci_dev_lock(hdev);
945         mgmt_read_local_oob_data_complete(hdev, rp->hash, rp->randomizer,
946                                           NULL, NULL, rp->status);
947         hci_dev_unlock(hdev);
948 }
949
950 static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev,
951                                            struct sk_buff *skb)
952 {
953         struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
954
955         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
956
957         hci_dev_lock(hdev);
958         mgmt_read_local_oob_data_complete(hdev, rp->hash192, rp->randomizer192,
959                                           rp->hash256, rp->randomizer256,
960                                           rp->status);
961         hci_dev_unlock(hdev);
962 }
963
964
965 static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb)
966 {
967         __u8 status = *((__u8 *) skb->data);
968         bdaddr_t *sent;
969
970         BT_DBG("%s status 0x%2.2x", hdev->name, status);
971
972         sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
973         if (!sent)
974                 return;
975
976         hci_dev_lock(hdev);
977
978         if (!status)
979                 bacpy(&hdev->random_addr, sent);
980
981         hci_dev_unlock(hdev);
982 }
983
984 static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb)
985 {
986         __u8 *sent, status = *((__u8 *) skb->data);
987
988         BT_DBG("%s status 0x%2.2x", hdev->name, status);
989
990         sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
991         if (!sent)
992                 return;
993
994         if (status)
995                 return;
996
997         hci_dev_lock(hdev);
998
999         /* If we're doing connection initation as peripheral. Set a
1000          * timeout in case something goes wrong.
1001          */
1002         if (*sent) {
1003                 struct hci_conn *conn;
1004
1005                 conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT);
1006                 if (conn)
1007                         queue_delayed_work(hdev->workqueue,
1008                                            &conn->le_conn_timeout,
1009                                            HCI_LE_CONN_TIMEOUT);
1010         }
1011
1012         mgmt_advertising(hdev, *sent);
1013
1014         hci_dev_unlock(hdev);
1015 }
1016
1017 static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb)
1018 {
1019         struct hci_cp_le_set_scan_param *cp;
1020         __u8 status = *((__u8 *) skb->data);
1021
1022         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1023
1024         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1025         if (!cp)
1026                 return;
1027
1028         hci_dev_lock(hdev);
1029
1030         if (!status)
1031                 hdev->le_scan_type = cp->type;
1032
1033         hci_dev_unlock(hdev);
1034 }
1035
1036 static bool has_pending_adv_report(struct hci_dev *hdev)
1037 {
1038         struct discovery_state *d = &hdev->discovery;
1039
1040         return bacmp(&d->last_adv_addr, BDADDR_ANY);
1041 }
1042
1043 static void clear_pending_adv_report(struct hci_dev *hdev)
1044 {
1045         struct discovery_state *d = &hdev->discovery;
1046
1047         bacpy(&d->last_adv_addr, BDADDR_ANY);
1048         d->last_adv_data_len = 0;
1049 }
1050
1051 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1052                                      u8 bdaddr_type, s8 rssi, u8 *data, u8 len)
1053 {
1054         struct discovery_state *d = &hdev->discovery;
1055
1056         bacpy(&d->last_adv_addr, bdaddr);
1057         d->last_adv_addr_type = bdaddr_type;
1058         d->last_adv_rssi = rssi;
1059         memcpy(d->last_adv_data, data, len);
1060         d->last_adv_data_len = len;
1061 }
1062
1063 static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
1064                                       struct sk_buff *skb)
1065 {
1066         struct hci_cp_le_set_scan_enable *cp;
1067         __u8 status = *((__u8 *) skb->data);
1068
1069         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1070
1071         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1072         if (!cp)
1073                 return;
1074
1075         if (status)
1076                 return;
1077
1078         switch (cp->enable) {
1079         case LE_SCAN_ENABLE:
1080                 set_bit(HCI_LE_SCAN, &hdev->dev_flags);
1081                 if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1082                         clear_pending_adv_report(hdev);
1083                 break;
1084
1085         case LE_SCAN_DISABLE:
1086                 /* We do this here instead of when setting DISCOVERY_STOPPED
1087                  * since the latter would potentially require waiting for
1088                  * inquiry to stop too.
1089                  */
1090                 if (has_pending_adv_report(hdev)) {
1091                         struct discovery_state *d = &hdev->discovery;
1092
1093                         mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1094                                           d->last_adv_addr_type, NULL, 0, 0,
1095                                           1, d->last_adv_data,
1096                                           d->last_adv_data_len, NULL, 0);
1097                 }
1098
1099                 /* Cancel this timer so that we don't try to disable scanning
1100                  * when it's already disabled.
1101                  */
1102                 cancel_delayed_work(&hdev->le_scan_disable);
1103
1104                 clear_bit(HCI_LE_SCAN, &hdev->dev_flags);
1105                 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1106                  * interrupted scanning due to a connect request. Mark
1107                  * therefore discovery as stopped.
1108                  */
1109                 if (test_and_clear_bit(HCI_LE_SCAN_INTERRUPTED,
1110                                        &hdev->dev_flags))
1111                         hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1112                 break;
1113
1114         default:
1115                 BT_ERR("Used reserved LE_Scan_Enable param %d", cp->enable);
1116                 break;
1117         }
1118 }
1119
1120 static void hci_cc_le_read_white_list_size(struct hci_dev *hdev,
1121                                            struct sk_buff *skb)
1122 {
1123         struct hci_rp_le_read_white_list_size *rp = (void *) skb->data;
1124
1125         BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1126
1127         if (!rp->status)
1128                 hdev->le_white_list_size = rp->size;
1129 }
1130
1131 static void hci_cc_le_clear_white_list(struct hci_dev *hdev,
1132                                        struct sk_buff *skb)
1133 {
1134         __u8 status = *((__u8 *) skb->data);
1135
1136         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1137
1138         if (!status)
1139                 hci_white_list_clear(hdev);
1140 }
1141
1142 static void hci_cc_le_add_to_white_list(struct hci_dev *hdev,
1143                                         struct sk_buff *skb)
1144 {
1145         struct hci_cp_le_add_to_white_list *sent;
1146         __u8 status = *((__u8 *) skb->data);
1147
1148         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1149
1150         sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_WHITE_LIST);
1151         if (!sent)
1152                 return;
1153
1154         if (!status)
1155                 hci_white_list_add(hdev, &sent->bdaddr, sent->bdaddr_type);
1156 }
1157
1158 static void hci_cc_le_del_from_white_list(struct hci_dev *hdev,
1159                                           struct sk_buff *skb)
1160 {
1161         struct hci_cp_le_del_from_white_list *sent;
1162         __u8 status = *((__u8 *) skb->data);
1163
1164         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1165
1166         sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_WHITE_LIST);
1167         if (!sent)
1168                 return;
1169
1170         if (!status)
1171                 hci_white_list_del(hdev, &sent->bdaddr, sent->bdaddr_type);
1172 }
1173
1174 static void hci_cc_le_read_supported_states(struct hci_dev *hdev,
1175                                             struct sk_buff *skb)
1176 {
1177         struct hci_rp_le_read_supported_states *rp = (void *) skb->data;
1178
1179         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1180
1181         if (!rp->status)
1182                 memcpy(hdev->le_states, rp->le_states, 8);
1183 }
1184
1185 static void hci_cc_write_le_host_supported(struct hci_dev *hdev,
1186                                            struct sk_buff *skb)
1187 {
1188         struct hci_cp_write_le_host_supported *sent;
1189         __u8 status = *((__u8 *) skb->data);
1190
1191         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1192
1193         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
1194         if (!sent)
1195                 return;
1196
1197         if (!status) {
1198                 if (sent->le) {
1199                         hdev->features[1][0] |= LMP_HOST_LE;
1200                         set_bit(HCI_LE_ENABLED, &hdev->dev_flags);
1201                 } else {
1202                         hdev->features[1][0] &= ~LMP_HOST_LE;
1203                         clear_bit(HCI_LE_ENABLED, &hdev->dev_flags);
1204                         clear_bit(HCI_ADVERTISING, &hdev->dev_flags);
1205                 }
1206
1207                 if (sent->simul)
1208                         hdev->features[1][0] |= LMP_HOST_LE_BREDR;
1209                 else
1210                         hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
1211         }
1212 }
1213
1214 static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1215 {
1216         struct hci_cp_le_set_adv_param *cp;
1217         u8 status = *((u8 *) skb->data);
1218
1219         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1220
1221         if (status)
1222                 return;
1223
1224         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
1225         if (!cp)
1226                 return;
1227
1228         hci_dev_lock(hdev);
1229         hdev->adv_addr_type = cp->own_address_type;
1230         hci_dev_unlock(hdev);
1231 }
1232
1233 static void hci_cc_write_remote_amp_assoc(struct hci_dev *hdev,
1234                                           struct sk_buff *skb)
1235 {
1236         struct hci_rp_write_remote_amp_assoc *rp = (void *) skb->data;
1237
1238         BT_DBG("%s status 0x%2.2x phy_handle 0x%2.2x",
1239                hdev->name, rp->status, rp->phy_handle);
1240
1241         if (rp->status)
1242                 return;
1243
1244         amp_write_rem_assoc_continue(hdev, rp->phy_handle);
1245 }
1246
1247 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
1248 {
1249         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1250
1251         if (status) {
1252                 hci_conn_check_pending(hdev);
1253                 return;
1254         }
1255
1256         set_bit(HCI_INQUIRY, &hdev->flags);
1257 }
1258
1259 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
1260 {
1261         struct hci_cp_create_conn *cp;
1262         struct hci_conn *conn;
1263
1264         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1265
1266         cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
1267         if (!cp)
1268                 return;
1269
1270         hci_dev_lock(hdev);
1271
1272         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1273
1274         BT_DBG("%s bdaddr %pMR hcon %p", hdev->name, &cp->bdaddr, conn);
1275
1276         if (status) {
1277                 if (conn && conn->state == BT_CONNECT) {
1278                         if (status != 0x0c || conn->attempt > 2) {
1279                                 conn->state = BT_CLOSED;
1280                                 hci_proto_connect_cfm(conn, status);
1281                                 hci_conn_del(conn);
1282                         } else
1283                                 conn->state = BT_CONNECT2;
1284                 }
1285         } else {
1286                 if (!conn) {
1287                         conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr);
1288                         if (conn) {
1289                                 conn->out = true;
1290                                 conn->link_mode |= HCI_LM_MASTER;
1291                         } else
1292                                 BT_ERR("No memory for new connection");
1293                 }
1294         }
1295
1296         hci_dev_unlock(hdev);
1297 }
1298
1299 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
1300 {
1301         struct hci_cp_add_sco *cp;
1302         struct hci_conn *acl, *sco;
1303         __u16 handle;
1304
1305         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1306
1307         if (!status)
1308                 return;
1309
1310         cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
1311         if (!cp)
1312                 return;
1313
1314         handle = __le16_to_cpu(cp->handle);
1315
1316         BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1317
1318         hci_dev_lock(hdev);
1319
1320         acl = hci_conn_hash_lookup_handle(hdev, handle);
1321         if (acl) {
1322                 sco = acl->link;
1323                 if (sco) {
1324                         sco->state = BT_CLOSED;
1325
1326                         hci_proto_connect_cfm(sco, status);
1327                         hci_conn_del(sco);
1328                 }
1329         }
1330
1331         hci_dev_unlock(hdev);
1332 }
1333
1334 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
1335 {
1336         struct hci_cp_auth_requested *cp;
1337         struct hci_conn *conn;
1338
1339         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1340
1341         if (!status)
1342                 return;
1343
1344         cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
1345         if (!cp)
1346                 return;
1347
1348         hci_dev_lock(hdev);
1349
1350         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1351         if (conn) {
1352                 if (conn->state == BT_CONFIG) {
1353                         hci_proto_connect_cfm(conn, status);
1354                         hci_conn_drop(conn);
1355                 }
1356         }
1357
1358         hci_dev_unlock(hdev);
1359 }
1360
1361 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
1362 {
1363         struct hci_cp_set_conn_encrypt *cp;
1364         struct hci_conn *conn;
1365
1366         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1367
1368         if (!status)
1369                 return;
1370
1371         cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
1372         if (!cp)
1373                 return;
1374
1375         hci_dev_lock(hdev);
1376
1377         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1378         if (conn) {
1379                 if (conn->state == BT_CONFIG) {
1380                         hci_proto_connect_cfm(conn, status);
1381                         hci_conn_drop(conn);
1382                 }
1383         }
1384
1385         hci_dev_unlock(hdev);
1386 }
1387
1388 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
1389                                     struct hci_conn *conn)
1390 {
1391         if (conn->state != BT_CONFIG || !conn->out)
1392                 return 0;
1393
1394         if (conn->pending_sec_level == BT_SECURITY_SDP)
1395                 return 0;
1396
1397         /* Only request authentication for SSP connections or non-SSP
1398          * devices with sec_level MEDIUM or HIGH or if MITM protection
1399          * is requested.
1400          */
1401         if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
1402             conn->pending_sec_level != BT_SECURITY_HIGH &&
1403             conn->pending_sec_level != BT_SECURITY_MEDIUM)
1404                 return 0;
1405
1406         return 1;
1407 }
1408
1409 static int hci_resolve_name(struct hci_dev *hdev,
1410                                    struct inquiry_entry *e)
1411 {
1412         struct hci_cp_remote_name_req cp;
1413
1414         memset(&cp, 0, sizeof(cp));
1415
1416         bacpy(&cp.bdaddr, &e->data.bdaddr);
1417         cp.pscan_rep_mode = e->data.pscan_rep_mode;
1418         cp.pscan_mode = e->data.pscan_mode;
1419         cp.clock_offset = e->data.clock_offset;
1420
1421         return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
1422 }
1423
1424 static bool hci_resolve_next_name(struct hci_dev *hdev)
1425 {
1426         struct discovery_state *discov = &hdev->discovery;
1427         struct inquiry_entry *e;
1428
1429         if (list_empty(&discov->resolve))
1430                 return false;
1431
1432         e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
1433         if (!e)
1434                 return false;
1435
1436         if (hci_resolve_name(hdev, e) == 0) {
1437                 e->name_state = NAME_PENDING;
1438                 return true;
1439         }
1440
1441         return false;
1442 }
1443
1444 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
1445                                    bdaddr_t *bdaddr, u8 *name, u8 name_len)
1446 {
1447         struct discovery_state *discov = &hdev->discovery;
1448         struct inquiry_entry *e;
1449
1450         if (conn && !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
1451                 mgmt_device_connected(hdev, bdaddr, ACL_LINK, 0x00, 0, name,
1452                                       name_len, conn->dev_class);
1453
1454         if (discov->state == DISCOVERY_STOPPED)
1455                 return;
1456
1457         if (discov->state == DISCOVERY_STOPPING)
1458                 goto discov_complete;
1459
1460         if (discov->state != DISCOVERY_RESOLVING)
1461                 return;
1462
1463         e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
1464         /* If the device was not found in a list of found devices names of which
1465          * are pending. there is no need to continue resolving a next name as it
1466          * will be done upon receiving another Remote Name Request Complete
1467          * Event */
1468         if (!e)
1469                 return;
1470
1471         list_del(&e->list);
1472         if (name) {
1473                 e->name_state = NAME_KNOWN;
1474                 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,
1475                                  e->data.rssi, name, name_len);
1476         } else {
1477                 e->name_state = NAME_NOT_KNOWN;
1478         }
1479
1480         if (hci_resolve_next_name(hdev))
1481                 return;
1482
1483 discov_complete:
1484         hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1485 }
1486
1487 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
1488 {
1489         struct hci_cp_remote_name_req *cp;
1490         struct hci_conn *conn;
1491
1492         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1493
1494         /* If successful wait for the name req complete event before
1495          * checking for the need to do authentication */
1496         if (!status)
1497                 return;
1498
1499         cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
1500         if (!cp)
1501                 return;
1502
1503         hci_dev_lock(hdev);
1504
1505         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1506
1507         if (test_bit(HCI_MGMT, &hdev->dev_flags))
1508                 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
1509
1510         if (!conn)
1511                 goto unlock;
1512
1513         if (!hci_outgoing_auth_needed(hdev, conn))
1514                 goto unlock;
1515
1516         if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
1517                 struct hci_cp_auth_requested auth_cp;
1518
1519                 auth_cp.handle = __cpu_to_le16(conn->handle);
1520                 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
1521                              sizeof(auth_cp), &auth_cp);
1522         }
1523
1524 unlock:
1525         hci_dev_unlock(hdev);
1526 }
1527
1528 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
1529 {
1530         struct hci_cp_read_remote_features *cp;
1531         struct hci_conn *conn;
1532
1533         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1534
1535         if (!status)
1536                 return;
1537
1538         cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
1539         if (!cp)
1540                 return;
1541
1542         hci_dev_lock(hdev);
1543
1544         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1545         if (conn) {
1546                 if (conn->state == BT_CONFIG) {
1547                         hci_proto_connect_cfm(conn, status);
1548                         hci_conn_drop(conn);
1549                 }
1550         }
1551
1552         hci_dev_unlock(hdev);
1553 }
1554
1555 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
1556 {
1557         struct hci_cp_read_remote_ext_features *cp;
1558         struct hci_conn *conn;
1559
1560         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1561
1562         if (!status)
1563                 return;
1564
1565         cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
1566         if (!cp)
1567                 return;
1568
1569         hci_dev_lock(hdev);
1570
1571         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1572         if (conn) {
1573                 if (conn->state == BT_CONFIG) {
1574                         hci_proto_connect_cfm(conn, status);
1575                         hci_conn_drop(conn);
1576                 }
1577         }
1578
1579         hci_dev_unlock(hdev);
1580 }
1581
1582 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
1583 {
1584         struct hci_cp_setup_sync_conn *cp;
1585         struct hci_conn *acl, *sco;
1586         __u16 handle;
1587
1588         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1589
1590         if (!status)
1591                 return;
1592
1593         cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
1594         if (!cp)
1595                 return;
1596
1597         handle = __le16_to_cpu(cp->handle);
1598
1599         BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1600
1601         hci_dev_lock(hdev);
1602
1603         acl = hci_conn_hash_lookup_handle(hdev, handle);
1604         if (acl) {
1605                 sco = acl->link;
1606                 if (sco) {
1607                         sco->state = BT_CLOSED;
1608
1609                         hci_proto_connect_cfm(sco, status);
1610                         hci_conn_del(sco);
1611                 }
1612         }
1613
1614         hci_dev_unlock(hdev);
1615 }
1616
1617 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
1618 {
1619         struct hci_cp_sniff_mode *cp;
1620         struct hci_conn *conn;
1621
1622         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1623
1624         if (!status)
1625                 return;
1626
1627         cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
1628         if (!cp)
1629                 return;
1630
1631         hci_dev_lock(hdev);
1632
1633         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1634         if (conn) {
1635                 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
1636
1637                 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
1638                         hci_sco_setup(conn, status);
1639         }
1640
1641         hci_dev_unlock(hdev);
1642 }
1643
1644 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
1645 {
1646         struct hci_cp_exit_sniff_mode *cp;
1647         struct hci_conn *conn;
1648
1649         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1650
1651         if (!status)
1652                 return;
1653
1654         cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
1655         if (!cp)
1656                 return;
1657
1658         hci_dev_lock(hdev);
1659
1660         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1661         if (conn) {
1662                 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
1663
1664                 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
1665                         hci_sco_setup(conn, status);
1666         }
1667
1668         hci_dev_unlock(hdev);
1669 }
1670
1671 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
1672 {
1673         struct hci_cp_disconnect *cp;
1674         struct hci_conn *conn;
1675
1676         if (!status)
1677                 return;
1678
1679         cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
1680         if (!cp)
1681                 return;
1682
1683         hci_dev_lock(hdev);
1684
1685         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1686         if (conn)
1687                 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
1688                                        conn->dst_type, status);
1689
1690         hci_dev_unlock(hdev);
1691 }
1692
1693 static void hci_cs_create_phylink(struct hci_dev *hdev, u8 status)
1694 {
1695         struct hci_cp_create_phy_link *cp;
1696
1697         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1698
1699         cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_PHY_LINK);
1700         if (!cp)
1701                 return;
1702
1703         hci_dev_lock(hdev);
1704
1705         if (status) {
1706                 struct hci_conn *hcon;
1707
1708                 hcon = hci_conn_hash_lookup_handle(hdev, cp->phy_handle);
1709                 if (hcon)
1710                         hci_conn_del(hcon);
1711         } else {
1712                 amp_write_remote_assoc(hdev, cp->phy_handle);
1713         }
1714
1715         hci_dev_unlock(hdev);
1716 }
1717
1718 static void hci_cs_accept_phylink(struct hci_dev *hdev, u8 status)
1719 {
1720         struct hci_cp_accept_phy_link *cp;
1721
1722         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1723
1724         if (status)
1725                 return;
1726
1727         cp = hci_sent_cmd_data(hdev, HCI_OP_ACCEPT_PHY_LINK);
1728         if (!cp)
1729                 return;
1730
1731         amp_write_remote_assoc(hdev, cp->phy_handle);
1732 }
1733
1734 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
1735 {
1736         struct hci_cp_le_create_conn *cp;
1737         struct hci_conn *conn;
1738
1739         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1740
1741         /* All connection failure handling is taken care of by the
1742          * hci_le_conn_failed function which is triggered by the HCI
1743          * request completion callbacks used for connecting.
1744          */
1745         if (status)
1746                 return;
1747
1748         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
1749         if (!cp)
1750                 return;
1751
1752         hci_dev_lock(hdev);
1753
1754         conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->peer_addr);
1755         if (!conn)
1756                 goto unlock;
1757
1758         /* Store the initiator and responder address information which
1759          * is needed for SMP. These values will not change during the
1760          * lifetime of the connection.
1761          */
1762         conn->init_addr_type = cp->own_address_type;
1763         if (cp->own_address_type == ADDR_LE_DEV_RANDOM)
1764                 bacpy(&conn->init_addr, &hdev->random_addr);
1765         else
1766                 bacpy(&conn->init_addr, &hdev->bdaddr);
1767
1768         conn->resp_addr_type = cp->peer_addr_type;
1769         bacpy(&conn->resp_addr, &cp->peer_addr);
1770
1771         /* We don't want the connection attempt to stick around
1772          * indefinitely since LE doesn't have a page timeout concept
1773          * like BR/EDR. Set a timer for any connection that doesn't use
1774          * the white list for connecting.
1775          */
1776         if (cp->filter_policy == HCI_LE_USE_PEER_ADDR)
1777                 queue_delayed_work(conn->hdev->workqueue,
1778                                    &conn->le_conn_timeout,
1779                                    HCI_LE_CONN_TIMEOUT);
1780
1781 unlock:
1782         hci_dev_unlock(hdev);
1783 }
1784
1785 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
1786 {
1787         struct hci_cp_le_start_enc *cp;
1788         struct hci_conn *conn;
1789
1790         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1791
1792         if (!status)
1793                 return;
1794
1795         hci_dev_lock(hdev);
1796
1797         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
1798         if (!cp)
1799                 goto unlock;
1800
1801         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1802         if (!conn)
1803                 goto unlock;
1804
1805         if (conn->state != BT_CONNECTED)
1806                 goto unlock;
1807
1808         hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
1809         hci_conn_drop(conn);
1810
1811 unlock:
1812         hci_dev_unlock(hdev);
1813 }
1814
1815 static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1816 {
1817         __u8 status = *((__u8 *) skb->data);
1818         struct discovery_state *discov = &hdev->discovery;
1819         struct inquiry_entry *e;
1820
1821         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1822
1823         hci_conn_check_pending(hdev);
1824
1825         if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
1826                 return;
1827
1828         smp_mb__after_clear_bit(); /* wake_up_bit advises about this barrier */
1829         wake_up_bit(&hdev->flags, HCI_INQUIRY);
1830
1831         if (!test_bit(HCI_MGMT, &hdev->dev_flags))
1832                 return;
1833
1834         hci_dev_lock(hdev);
1835
1836         if (discov->state != DISCOVERY_FINDING)
1837                 goto unlock;
1838
1839         if (list_empty(&discov->resolve)) {
1840                 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1841                 goto unlock;
1842         }
1843
1844         e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
1845         if (e && hci_resolve_name(hdev, e) == 0) {
1846                 e->name_state = NAME_PENDING;
1847                 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
1848         } else {
1849                 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1850         }
1851
1852 unlock:
1853         hci_dev_unlock(hdev);
1854 }
1855
1856 static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
1857 {
1858         struct inquiry_data data;
1859         struct inquiry_info *info = (void *) (skb->data + 1);
1860         int num_rsp = *((__u8 *) skb->data);
1861
1862         BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
1863
1864         if (!num_rsp)
1865                 return;
1866
1867         if (test_bit(HCI_PERIODIC_INQ, &hdev->dev_flags))
1868                 return;
1869
1870         hci_dev_lock(hdev);
1871
1872         for (; num_rsp; num_rsp--, info++) {
1873                 bool name_known, ssp;
1874
1875                 bacpy(&data.bdaddr, &info->bdaddr);
1876                 data.pscan_rep_mode     = info->pscan_rep_mode;
1877                 data.pscan_period_mode  = info->pscan_period_mode;
1878                 data.pscan_mode         = info->pscan_mode;
1879                 memcpy(data.dev_class, info->dev_class, 3);
1880                 data.clock_offset       = info->clock_offset;
1881                 data.rssi               = 0x00;
1882                 data.ssp_mode           = 0x00;
1883
1884                 name_known = hci_inquiry_cache_update(hdev, &data, false, &ssp);
1885                 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
1886                                   info->dev_class, 0, !name_known, ssp, NULL,
1887                                   0, NULL, 0);
1888         }
1889
1890         hci_dev_unlock(hdev);
1891 }
1892
1893 static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1894 {
1895         struct hci_ev_conn_complete *ev = (void *) skb->data;
1896         struct hci_conn *conn;
1897
1898         BT_DBG("%s", hdev->name);
1899
1900         hci_dev_lock(hdev);
1901
1902         conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
1903         if (!conn) {
1904                 if (ev->link_type != SCO_LINK)
1905                         goto unlock;
1906
1907                 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
1908                 if (!conn)
1909                         goto unlock;
1910
1911                 conn->type = SCO_LINK;
1912         }
1913
1914         if (!ev->status) {
1915                 conn->handle = __le16_to_cpu(ev->handle);
1916
1917                 if (conn->type == ACL_LINK) {
1918                         conn->state = BT_CONFIG;
1919                         hci_conn_hold(conn);
1920
1921                         if (!conn->out && !hci_conn_ssp_enabled(conn) &&
1922                             !hci_find_link_key(hdev, &ev->bdaddr))
1923                                 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
1924                         else
1925                                 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
1926                 } else
1927                         conn->state = BT_CONNECTED;
1928
1929                 hci_conn_add_sysfs(conn);
1930
1931                 if (test_bit(HCI_AUTH, &hdev->flags))
1932                         conn->link_mode |= HCI_LM_AUTH;
1933
1934                 if (test_bit(HCI_ENCRYPT, &hdev->flags))
1935                         conn->link_mode |= HCI_LM_ENCRYPT;
1936
1937                 /* Get remote features */
1938                 if (conn->type == ACL_LINK) {
1939                         struct hci_cp_read_remote_features cp;
1940                         cp.handle = ev->handle;
1941                         hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
1942                                      sizeof(cp), &cp);
1943                 }
1944
1945                 /* Set packet type for incoming connection */
1946                 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
1947                         struct hci_cp_change_conn_ptype cp;
1948                         cp.handle = ev->handle;
1949                         cp.pkt_type = cpu_to_le16(conn->pkt_type);
1950                         hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
1951                                      &cp);
1952                 }
1953         } else {
1954                 conn->state = BT_CLOSED;
1955                 if (conn->type == ACL_LINK)
1956                         mgmt_connect_failed(hdev, &conn->dst, conn->type,
1957                                             conn->dst_type, ev->status);
1958         }
1959
1960         if (conn->type == ACL_LINK)
1961                 hci_sco_setup(conn, ev->status);
1962
1963         if (ev->status) {
1964                 hci_proto_connect_cfm(conn, ev->status);
1965                 hci_conn_del(conn);
1966         } else if (ev->link_type != ACL_LINK)
1967                 hci_proto_connect_cfm(conn, ev->status);
1968
1969 unlock:
1970         hci_dev_unlock(hdev);
1971
1972         hci_conn_check_pending(hdev);
1973 }
1974
1975 static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
1976 {
1977         struct hci_ev_conn_request *ev = (void *) skb->data;
1978         int mask = hdev->link_mode;
1979         __u8 flags = 0;
1980
1981         BT_DBG("%s bdaddr %pMR type 0x%x", hdev->name, &ev->bdaddr,
1982                ev->link_type);
1983
1984         mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
1985                                       &flags);
1986
1987         if ((mask & HCI_LM_ACCEPT) &&
1988             !hci_blacklist_lookup(hdev, &ev->bdaddr, BDADDR_BREDR)) {
1989                 /* Connection accepted */
1990                 struct inquiry_entry *ie;
1991                 struct hci_conn *conn;
1992
1993                 hci_dev_lock(hdev);
1994
1995                 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
1996                 if (ie)
1997                         memcpy(ie->data.dev_class, ev->dev_class, 3);
1998
1999                 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
2000                                                &ev->bdaddr);
2001                 if (!conn) {
2002                         conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr);
2003                         if (!conn) {
2004                                 BT_ERR("No memory for new connection");
2005                                 hci_dev_unlock(hdev);
2006                                 return;
2007                         }
2008                 }
2009
2010                 memcpy(conn->dev_class, ev->dev_class, 3);
2011
2012                 hci_dev_unlock(hdev);
2013
2014                 if (ev->link_type == ACL_LINK ||
2015                     (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
2016                         struct hci_cp_accept_conn_req cp;
2017                         conn->state = BT_CONNECT;
2018
2019                         bacpy(&cp.bdaddr, &ev->bdaddr);
2020
2021                         if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
2022                                 cp.role = 0x00; /* Become master */
2023                         else
2024                                 cp.role = 0x01; /* Remain slave */
2025
2026                         hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp),
2027                                      &cp);
2028                 } else if (!(flags & HCI_PROTO_DEFER)) {
2029                         struct hci_cp_accept_sync_conn_req cp;
2030                         conn->state = BT_CONNECT;
2031
2032                         bacpy(&cp.bdaddr, &ev->bdaddr);
2033                         cp.pkt_type = cpu_to_le16(conn->pkt_type);
2034
2035                         cp.tx_bandwidth   = cpu_to_le32(0x00001f40);
2036                         cp.rx_bandwidth   = cpu_to_le32(0x00001f40);
2037                         cp.max_latency    = cpu_to_le16(0xffff);
2038                         cp.content_format = cpu_to_le16(hdev->voice_setting);
2039                         cp.retrans_effort = 0xff;
2040
2041                         hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ,
2042                                      sizeof(cp), &cp);
2043                 } else {
2044                         conn->state = BT_CONNECT2;
2045                         hci_proto_connect_cfm(conn, 0);
2046                 }
2047         } else {
2048                 /* Connection rejected */
2049                 struct hci_cp_reject_conn_req cp;
2050
2051                 bacpy(&cp.bdaddr, &ev->bdaddr);
2052                 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
2053                 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
2054         }
2055 }
2056
2057 static u8 hci_to_mgmt_reason(u8 err)
2058 {
2059         switch (err) {
2060         case HCI_ERROR_CONNECTION_TIMEOUT:
2061                 return MGMT_DEV_DISCONN_TIMEOUT;
2062         case HCI_ERROR_REMOTE_USER_TERM:
2063         case HCI_ERROR_REMOTE_LOW_RESOURCES:
2064         case HCI_ERROR_REMOTE_POWER_OFF:
2065                 return MGMT_DEV_DISCONN_REMOTE;
2066         case HCI_ERROR_LOCAL_HOST_TERM:
2067                 return MGMT_DEV_DISCONN_LOCAL_HOST;
2068         default:
2069                 return MGMT_DEV_DISCONN_UNKNOWN;
2070         }
2071 }
2072
2073 static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2074 {
2075         struct hci_ev_disconn_complete *ev = (void *) skb->data;
2076         u8 reason = hci_to_mgmt_reason(ev->reason);
2077         struct hci_conn_params *params;
2078         struct hci_conn *conn;
2079         bool mgmt_connected;
2080         u8 type;
2081
2082         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2083
2084         hci_dev_lock(hdev);
2085
2086         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2087         if (!conn)
2088                 goto unlock;
2089
2090         if (ev->status) {
2091                 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2092                                        conn->dst_type, ev->status);
2093                 goto unlock;
2094         }
2095
2096         conn->state = BT_CLOSED;
2097
2098         mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2099         mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2100                                 reason, mgmt_connected);
2101
2102         if (conn->type == ACL_LINK && conn->flush_key)
2103                 hci_remove_link_key(hdev, &conn->dst);
2104
2105         params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2106         if (params) {
2107                 switch (params->auto_connect) {
2108                 case HCI_AUTO_CONN_LINK_LOSS:
2109                         if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2110                                 break;
2111                         /* Fall through */
2112
2113                 case HCI_AUTO_CONN_ALWAYS:
2114                         hci_pend_le_conn_add(hdev, &conn->dst, conn->dst_type);
2115                         break;
2116
2117                 default:
2118                         break;
2119                 }
2120         }
2121
2122         type = conn->type;
2123
2124         hci_proto_disconn_cfm(conn, ev->reason);
2125         hci_conn_del(conn);
2126
2127         /* Re-enable advertising if necessary, since it might
2128          * have been disabled by the connection. From the
2129          * HCI_LE_Set_Advertise_Enable command description in
2130          * the core specification (v4.0):
2131          * "The Controller shall continue advertising until the Host
2132          * issues an LE_Set_Advertise_Enable command with
2133          * Advertising_Enable set to 0x00 (Advertising is disabled)
2134          * or until a connection is created or until the Advertising
2135          * is timed out due to Directed Advertising."
2136          */
2137         if (type == LE_LINK)
2138                 mgmt_reenable_advertising(hdev);
2139
2140 unlock:
2141         hci_dev_unlock(hdev);
2142 }
2143
2144 static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2145 {
2146         struct hci_ev_auth_complete *ev = (void *) skb->data;
2147         struct hci_conn *conn;
2148
2149         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2150
2151         hci_dev_lock(hdev);
2152
2153         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2154         if (!conn)
2155                 goto unlock;
2156
2157         if (!ev->status) {
2158                 if (!hci_conn_ssp_enabled(conn) &&
2159                     test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) {
2160                         BT_INFO("re-auth of legacy device is not possible.");
2161                 } else {
2162                         conn->link_mode |= HCI_LM_AUTH;
2163                         conn->sec_level = conn->pending_sec_level;
2164                 }
2165         } else {
2166                 mgmt_auth_failed(hdev, &conn->dst, conn->type, conn->dst_type,
2167                                  ev->status);
2168         }
2169
2170         clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2171         clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
2172
2173         if (conn->state == BT_CONFIG) {
2174                 if (!ev->status && hci_conn_ssp_enabled(conn)) {
2175                         struct hci_cp_set_conn_encrypt cp;
2176                         cp.handle  = ev->handle;
2177                         cp.encrypt = 0x01;
2178                         hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2179                                      &cp);
2180                 } else {
2181                         conn->state = BT_CONNECTED;
2182                         hci_proto_connect_cfm(conn, ev->status);
2183                         hci_conn_drop(conn);
2184                 }
2185         } else {
2186                 hci_auth_cfm(conn, ev->status);
2187
2188                 hci_conn_hold(conn);
2189                 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2190                 hci_conn_drop(conn);
2191         }
2192
2193         if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2194                 if (!ev->status) {
2195                         struct hci_cp_set_conn_encrypt cp;
2196                         cp.handle  = ev->handle;
2197                         cp.encrypt = 0x01;
2198                         hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2199                                      &cp);
2200                 } else {
2201                         clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2202                         hci_encrypt_cfm(conn, ev->status, 0x00);
2203                 }
2204         }
2205
2206 unlock:
2207         hci_dev_unlock(hdev);
2208 }
2209
2210 static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb)
2211 {
2212         struct hci_ev_remote_name *ev = (void *) skb->data;
2213         struct hci_conn *conn;
2214
2215         BT_DBG("%s", hdev->name);
2216
2217         hci_conn_check_pending(hdev);
2218
2219         hci_dev_lock(hdev);
2220
2221         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2222
2223         if (!test_bit(HCI_MGMT, &hdev->dev_flags))
2224                 goto check_auth;
2225
2226         if (ev->status == 0)
2227                 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
2228                                        strnlen(ev->name, HCI_MAX_NAME_LENGTH));
2229         else
2230                 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
2231
2232 check_auth:
2233         if (!conn)
2234                 goto unlock;
2235
2236         if (!hci_outgoing_auth_needed(hdev, conn))
2237                 goto unlock;
2238
2239         if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2240                 struct hci_cp_auth_requested cp;
2241                 cp.handle = __cpu_to_le16(conn->handle);
2242                 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
2243         }
2244
2245 unlock:
2246         hci_dev_unlock(hdev);
2247 }
2248
2249 static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2250 {
2251         struct hci_ev_encrypt_change *ev = (void *) skb->data;
2252         struct hci_conn *conn;
2253
2254         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2255
2256         hci_dev_lock(hdev);
2257
2258         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2259         if (!conn)
2260                 goto unlock;
2261
2262         if (!ev->status) {
2263                 if (ev->encrypt) {
2264                         /* Encryption implies authentication */
2265                         conn->link_mode |= HCI_LM_AUTH;
2266                         conn->link_mode |= HCI_LM_ENCRYPT;
2267                         conn->sec_level = conn->pending_sec_level;
2268
2269                         /* P-256 authentication key implies FIPS */
2270                         if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
2271                                 conn->link_mode |= HCI_LM_FIPS;
2272
2273                         if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
2274                             conn->type == LE_LINK)
2275                                 set_bit(HCI_CONN_AES_CCM, &conn->flags);
2276                 } else {
2277                         conn->link_mode &= ~HCI_LM_ENCRYPT;
2278                         clear_bit(HCI_CONN_AES_CCM, &conn->flags);
2279                 }
2280         }
2281
2282         clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2283
2284         if (ev->status && conn->state == BT_CONNECTED) {
2285                 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2286                 hci_conn_drop(conn);
2287                 goto unlock;
2288         }
2289
2290         if (conn->state == BT_CONFIG) {
2291                 if (!ev->status)
2292                         conn->state = BT_CONNECTED;
2293
2294                 /* In Secure Connections Only mode, do not allow any
2295                  * connections that are not encrypted with AES-CCM
2296                  * using a P-256 authenticated combination key.
2297                  */
2298                 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) &&
2299                     (!test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
2300                      conn->key_type != HCI_LK_AUTH_COMBINATION_P256)) {
2301                         hci_proto_connect_cfm(conn, HCI_ERROR_AUTH_FAILURE);
2302                         hci_conn_drop(conn);
2303                         goto unlock;
2304                 }
2305
2306                 hci_proto_connect_cfm(conn, ev->status);
2307                 hci_conn_drop(conn);
2308         } else
2309                 hci_encrypt_cfm(conn, ev->status, ev->encrypt);
2310
2311 unlock:
2312         hci_dev_unlock(hdev);
2313 }
2314
2315 static void hci_change_link_key_complete_evt(struct hci_dev *hdev,
2316                                              struct sk_buff *skb)
2317 {
2318         struct hci_ev_change_link_key_complete *ev = (void *) skb->data;
2319         struct hci_conn *conn;
2320
2321         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2322
2323         hci_dev_lock(hdev);
2324
2325         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2326         if (conn) {
2327                 if (!ev->status)
2328                         conn->link_mode |= HCI_LM_SECURE;
2329
2330                 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2331
2332                 hci_key_change_cfm(conn, ev->status);
2333         }
2334
2335         hci_dev_unlock(hdev);
2336 }
2337
2338 static void hci_remote_features_evt(struct hci_dev *hdev,
2339                                     struct sk_buff *skb)
2340 {
2341         struct hci_ev_remote_features *ev = (void *) skb->data;
2342         struct hci_conn *conn;
2343
2344         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2345
2346         hci_dev_lock(hdev);
2347
2348         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2349         if (!conn)
2350                 goto unlock;
2351
2352         if (!ev->status)
2353                 memcpy(conn->features[0], ev->features, 8);
2354
2355         if (conn->state != BT_CONFIG)
2356                 goto unlock;
2357
2358         if (!ev->status && lmp_ssp_capable(hdev) && lmp_ssp_capable(conn)) {
2359                 struct hci_cp_read_remote_ext_features cp;
2360                 cp.handle = ev->handle;
2361                 cp.page = 0x01;
2362                 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
2363                              sizeof(cp), &cp);
2364                 goto unlock;
2365         }
2366
2367         if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
2368                 struct hci_cp_remote_name_req cp;
2369                 memset(&cp, 0, sizeof(cp));
2370                 bacpy(&cp.bdaddr, &conn->dst);
2371                 cp.pscan_rep_mode = 0x02;
2372                 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2373         } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2374                 mgmt_device_connected(hdev, &conn->dst, conn->type,
2375                                       conn->dst_type, 0, NULL, 0,
2376                                       conn->dev_class);
2377
2378         if (!hci_outgoing_auth_needed(hdev, conn)) {
2379                 conn->state = BT_CONNECTED;
2380                 hci_proto_connect_cfm(conn, ev->status);
2381                 hci_conn_drop(conn);
2382         }
2383
2384 unlock:
2385         hci_dev_unlock(hdev);
2386 }
2387
2388 static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2389 {
2390         struct hci_ev_cmd_complete *ev = (void *) skb->data;
2391         u8 status = skb->data[sizeof(*ev)];
2392         __u16 opcode;
2393
2394         skb_pull(skb, sizeof(*ev));
2395
2396         opcode = __le16_to_cpu(ev->opcode);
2397
2398         switch (opcode) {
2399         case HCI_OP_INQUIRY_CANCEL:
2400                 hci_cc_inquiry_cancel(hdev, skb);
2401                 break;
2402
2403         case HCI_OP_PERIODIC_INQ:
2404                 hci_cc_periodic_inq(hdev, skb);
2405                 break;
2406
2407         case HCI_OP_EXIT_PERIODIC_INQ:
2408                 hci_cc_exit_periodic_inq(hdev, skb);
2409                 break;
2410
2411         case HCI_OP_REMOTE_NAME_REQ_CANCEL:
2412                 hci_cc_remote_name_req_cancel(hdev, skb);
2413                 break;
2414
2415         case HCI_OP_ROLE_DISCOVERY:
2416                 hci_cc_role_discovery(hdev, skb);
2417                 break;
2418
2419         case HCI_OP_READ_LINK_POLICY:
2420                 hci_cc_read_link_policy(hdev, skb);
2421                 break;
2422
2423         case HCI_OP_WRITE_LINK_POLICY:
2424                 hci_cc_write_link_policy(hdev, skb);
2425                 break;
2426
2427         case HCI_OP_READ_DEF_LINK_POLICY:
2428                 hci_cc_read_def_link_policy(hdev, skb);
2429                 break;
2430
2431         case HCI_OP_WRITE_DEF_LINK_POLICY:
2432                 hci_cc_write_def_link_policy(hdev, skb);
2433                 break;
2434
2435         case HCI_OP_RESET:
2436                 hci_cc_reset(hdev, skb);
2437                 break;
2438
2439         case HCI_OP_WRITE_LOCAL_NAME:
2440                 hci_cc_write_local_name(hdev, skb);
2441                 break;
2442
2443         case HCI_OP_READ_LOCAL_NAME:
2444                 hci_cc_read_local_name(hdev, skb);
2445                 break;
2446
2447         case HCI_OP_WRITE_AUTH_ENABLE:
2448                 hci_cc_write_auth_enable(hdev, skb);
2449                 break;
2450
2451         case HCI_OP_WRITE_ENCRYPT_MODE:
2452                 hci_cc_write_encrypt_mode(hdev, skb);
2453                 break;
2454
2455         case HCI_OP_WRITE_SCAN_ENABLE:
2456                 hci_cc_write_scan_enable(hdev, skb);
2457                 break;
2458
2459         case HCI_OP_READ_CLASS_OF_DEV:
2460                 hci_cc_read_class_of_dev(hdev, skb);
2461                 break;
2462
2463         case HCI_OP_WRITE_CLASS_OF_DEV:
2464                 hci_cc_write_class_of_dev(hdev, skb);
2465                 break;
2466
2467         case HCI_OP_READ_VOICE_SETTING:
2468                 hci_cc_read_voice_setting(hdev, skb);
2469                 break;
2470
2471         case HCI_OP_WRITE_VOICE_SETTING:
2472                 hci_cc_write_voice_setting(hdev, skb);
2473                 break;
2474
2475         case HCI_OP_READ_NUM_SUPPORTED_IAC:
2476                 hci_cc_read_num_supported_iac(hdev, skb);
2477                 break;
2478
2479         case HCI_OP_WRITE_SSP_MODE:
2480                 hci_cc_write_ssp_mode(hdev, skb);
2481                 break;
2482
2483         case HCI_OP_WRITE_SC_SUPPORT:
2484                 hci_cc_write_sc_support(hdev, skb);
2485                 break;
2486
2487         case HCI_OP_READ_LOCAL_VERSION:
2488                 hci_cc_read_local_version(hdev, skb);
2489                 break;
2490
2491         case HCI_OP_READ_LOCAL_COMMANDS:
2492                 hci_cc_read_local_commands(hdev, skb);
2493                 break;
2494
2495         case HCI_OP_READ_LOCAL_FEATURES:
2496                 hci_cc_read_local_features(hdev, skb);
2497                 break;
2498
2499         case HCI_OP_READ_LOCAL_EXT_FEATURES:
2500                 hci_cc_read_local_ext_features(hdev, skb);
2501                 break;
2502
2503         case HCI_OP_READ_BUFFER_SIZE:
2504                 hci_cc_read_buffer_size(hdev, skb);
2505                 break;
2506
2507         case HCI_OP_READ_BD_ADDR:
2508                 hci_cc_read_bd_addr(hdev, skb);
2509                 break;
2510
2511         case HCI_OP_READ_PAGE_SCAN_ACTIVITY:
2512                 hci_cc_read_page_scan_activity(hdev, skb);
2513                 break;
2514
2515         case HCI_OP_WRITE_PAGE_SCAN_ACTIVITY:
2516                 hci_cc_write_page_scan_activity(hdev, skb);
2517                 break;
2518
2519         case HCI_OP_READ_PAGE_SCAN_TYPE:
2520                 hci_cc_read_page_scan_type(hdev, skb);
2521                 break;
2522
2523         case HCI_OP_WRITE_PAGE_SCAN_TYPE:
2524                 hci_cc_write_page_scan_type(hdev, skb);
2525                 break;
2526
2527         case HCI_OP_READ_DATA_BLOCK_SIZE:
2528                 hci_cc_read_data_block_size(hdev, skb);
2529                 break;
2530
2531         case HCI_OP_READ_FLOW_CONTROL_MODE:
2532                 hci_cc_read_flow_control_mode(hdev, skb);
2533                 break;
2534
2535         case HCI_OP_READ_LOCAL_AMP_INFO:
2536                 hci_cc_read_local_amp_info(hdev, skb);
2537                 break;
2538
2539         case HCI_OP_READ_LOCAL_AMP_ASSOC:
2540                 hci_cc_read_local_amp_assoc(hdev, skb);
2541                 break;
2542
2543         case HCI_OP_READ_INQ_RSP_TX_POWER:
2544                 hci_cc_read_inq_rsp_tx_power(hdev, skb);
2545                 break;
2546
2547         case HCI_OP_PIN_CODE_REPLY:
2548                 hci_cc_pin_code_reply(hdev, skb);
2549                 break;
2550
2551         case HCI_OP_PIN_CODE_NEG_REPLY:
2552                 hci_cc_pin_code_neg_reply(hdev, skb);
2553                 break;
2554
2555         case HCI_OP_READ_LOCAL_OOB_DATA:
2556                 hci_cc_read_local_oob_data(hdev, skb);
2557                 break;
2558
2559         case HCI_OP_READ_LOCAL_OOB_EXT_DATA:
2560                 hci_cc_read_local_oob_ext_data(hdev, skb);
2561                 break;
2562
2563         case HCI_OP_LE_READ_BUFFER_SIZE:
2564                 hci_cc_le_read_buffer_size(hdev, skb);
2565                 break;
2566
2567         case HCI_OP_LE_READ_LOCAL_FEATURES:
2568                 hci_cc_le_read_local_features(hdev, skb);
2569                 break;
2570
2571         case HCI_OP_LE_READ_ADV_TX_POWER:
2572                 hci_cc_le_read_adv_tx_power(hdev, skb);
2573                 break;
2574
2575         case HCI_OP_USER_CONFIRM_REPLY:
2576                 hci_cc_user_confirm_reply(hdev, skb);
2577                 break;
2578
2579         case HCI_OP_USER_CONFIRM_NEG_REPLY:
2580                 hci_cc_user_confirm_neg_reply(hdev, skb);
2581                 break;
2582
2583         case HCI_OP_USER_PASSKEY_REPLY:
2584                 hci_cc_user_passkey_reply(hdev, skb);
2585                 break;
2586
2587         case HCI_OP_USER_PASSKEY_NEG_REPLY:
2588                 hci_cc_user_passkey_neg_reply(hdev, skb);
2589                 break;
2590
2591         case HCI_OP_LE_SET_RANDOM_ADDR:
2592                 hci_cc_le_set_random_addr(hdev, skb);
2593                 break;
2594
2595         case HCI_OP_LE_SET_ADV_ENABLE:
2596                 hci_cc_le_set_adv_enable(hdev, skb);
2597                 break;
2598
2599         case HCI_OP_LE_SET_SCAN_PARAM:
2600                 hci_cc_le_set_scan_param(hdev, skb);
2601                 break;
2602
2603         case HCI_OP_LE_SET_SCAN_ENABLE:
2604                 hci_cc_le_set_scan_enable(hdev, skb);
2605                 break;
2606
2607         case HCI_OP_LE_READ_WHITE_LIST_SIZE:
2608                 hci_cc_le_read_white_list_size(hdev, skb);
2609                 break;
2610
2611         case HCI_OP_LE_CLEAR_WHITE_LIST:
2612                 hci_cc_le_clear_white_list(hdev, skb);
2613                 break;
2614
2615         case HCI_OP_LE_ADD_TO_WHITE_LIST:
2616                 hci_cc_le_add_to_white_list(hdev, skb);
2617                 break;
2618
2619         case HCI_OP_LE_DEL_FROM_WHITE_LIST:
2620                 hci_cc_le_del_from_white_list(hdev, skb);
2621                 break;
2622
2623         case HCI_OP_LE_READ_SUPPORTED_STATES:
2624                 hci_cc_le_read_supported_states(hdev, skb);
2625                 break;
2626
2627         case HCI_OP_WRITE_LE_HOST_SUPPORTED:
2628                 hci_cc_write_le_host_supported(hdev, skb);
2629                 break;
2630
2631         case HCI_OP_LE_SET_ADV_PARAM:
2632                 hci_cc_set_adv_param(hdev, skb);
2633                 break;
2634
2635         case HCI_OP_WRITE_REMOTE_AMP_ASSOC:
2636                 hci_cc_write_remote_amp_assoc(hdev, skb);
2637                 break;
2638
2639         default:
2640                 BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode);
2641                 break;
2642         }
2643
2644         if (opcode != HCI_OP_NOP)
2645                 del_timer(&hdev->cmd_timer);
2646
2647         hci_req_cmd_complete(hdev, opcode, status);
2648
2649         if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) {
2650                 atomic_set(&hdev->cmd_cnt, 1);
2651                 if (!skb_queue_empty(&hdev->cmd_q))
2652                         queue_work(hdev->workqueue, &hdev->cmd_work);
2653         }
2654 }
2655
2656 static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb)
2657 {
2658         struct hci_ev_cmd_status *ev = (void *) skb->data;
2659         __u16 opcode;
2660
2661         skb_pull(skb, sizeof(*ev));
2662
2663         opcode = __le16_to_cpu(ev->opcode);
2664
2665         switch (opcode) {
2666         case HCI_OP_INQUIRY:
2667                 hci_cs_inquiry(hdev, ev->status);
2668                 break;
2669
2670         case HCI_OP_CREATE_CONN:
2671                 hci_cs_create_conn(hdev, ev->status);
2672                 break;
2673
2674         case HCI_OP_ADD_SCO:
2675                 hci_cs_add_sco(hdev, ev->status);
2676                 break;
2677
2678         case HCI_OP_AUTH_REQUESTED:
2679                 hci_cs_auth_requested(hdev, ev->status);
2680                 break;
2681
2682         case HCI_OP_SET_CONN_ENCRYPT:
2683                 hci_cs_set_conn_encrypt(hdev, ev->status);
2684                 break;
2685
2686         case HCI_OP_REMOTE_NAME_REQ:
2687                 hci_cs_remote_name_req(hdev, ev->status);
2688                 break;
2689
2690         case HCI_OP_READ_REMOTE_FEATURES:
2691                 hci_cs_read_remote_features(hdev, ev->status);
2692                 break;
2693
2694         case HCI_OP_READ_REMOTE_EXT_FEATURES:
2695                 hci_cs_read_remote_ext_features(hdev, ev->status);
2696                 break;
2697
2698         case HCI_OP_SETUP_SYNC_CONN:
2699                 hci_cs_setup_sync_conn(hdev, ev->status);
2700                 break;
2701
2702         case HCI_OP_SNIFF_MODE:
2703                 hci_cs_sniff_mode(hdev, ev->status);
2704                 break;
2705
2706         case HCI_OP_EXIT_SNIFF_MODE:
2707                 hci_cs_exit_sniff_mode(hdev, ev->status);
2708                 break;
2709
2710         case HCI_OP_DISCONNECT:
2711                 hci_cs_disconnect(hdev, ev->status);
2712                 break;
2713
2714         case HCI_OP_CREATE_PHY_LINK:
2715                 hci_cs_create_phylink(hdev, ev->status);
2716                 break;
2717
2718         case HCI_OP_ACCEPT_PHY_LINK:
2719                 hci_cs_accept_phylink(hdev, ev->status);
2720                 break;
2721
2722         case HCI_OP_LE_CREATE_CONN:
2723                 hci_cs_le_create_conn(hdev, ev->status);
2724                 break;
2725
2726         case HCI_OP_LE_START_ENC:
2727                 hci_cs_le_start_enc(hdev, ev->status);
2728                 break;
2729
2730         default:
2731                 BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode);
2732                 break;
2733         }
2734
2735         if (opcode != HCI_OP_NOP)
2736                 del_timer(&hdev->cmd_timer);
2737
2738         if (ev->status ||
2739             (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->req.event))
2740                 hci_req_cmd_complete(hdev, opcode, ev->status);
2741
2742         if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) {
2743                 atomic_set(&hdev->cmd_cnt, 1);
2744                 if (!skb_queue_empty(&hdev->cmd_q))
2745                         queue_work(hdev->workqueue, &hdev->cmd_work);
2746         }
2747 }
2748
2749 static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2750 {
2751         struct hci_ev_role_change *ev = (void *) skb->data;
2752         struct hci_conn *conn;
2753
2754         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2755
2756         hci_dev_lock(hdev);
2757
2758         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2759         if (conn) {
2760                 if (!ev->status) {
2761                         if (ev->role)
2762                                 conn->link_mode &= ~HCI_LM_MASTER;
2763                         else
2764                                 conn->link_mode |= HCI_LM_MASTER;
2765                 }
2766
2767                 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
2768
2769                 hci_role_switch_cfm(conn, ev->status, ev->role);
2770         }
2771
2772         hci_dev_unlock(hdev);
2773 }
2774
2775 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb)
2776 {
2777         struct hci_ev_num_comp_pkts *ev = (void *) skb->data;
2778         int i;
2779
2780         if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
2781                 BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode);
2782                 return;
2783         }
2784
2785         if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
2786             ev->num_hndl * sizeof(struct hci_comp_pkts_info)) {
2787                 BT_DBG("%s bad parameters", hdev->name);
2788                 return;
2789         }
2790
2791         BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl);
2792
2793         for (i = 0; i < ev->num_hndl; i++) {
2794                 struct hci_comp_pkts_info *info = &ev->handles[i];
2795                 struct hci_conn *conn;
2796                 __u16  handle, count;
2797
2798                 handle = __le16_to_cpu(info->handle);
2799                 count  = __le16_to_cpu(info->count);
2800
2801                 conn = hci_conn_hash_lookup_handle(hdev, handle);
2802                 if (!conn)
2803                         continue;
2804
2805                 conn->sent -= count;
2806
2807                 switch (conn->type) {
2808                 case ACL_LINK:
2809                         hdev->acl_cnt += count;
2810                         if (hdev->acl_cnt > hdev->acl_pkts)
2811                                 hdev->acl_cnt = hdev->acl_pkts;
2812                         break;
2813
2814                 case LE_LINK:
2815                         if (hdev->le_pkts) {
2816                                 hdev->le_cnt += count;
2817                                 if (hdev->le_cnt > hdev->le_pkts)
2818                                         hdev->le_cnt = hdev->le_pkts;
2819                         } else {
2820                                 hdev->acl_cnt += count;
2821                                 if (hdev->acl_cnt > hdev->acl_pkts)
2822                                         hdev->acl_cnt = hdev->acl_pkts;
2823                         }
2824                         break;
2825
2826                 case SCO_LINK:
2827                         hdev->sco_cnt += count;
2828                         if (hdev->sco_cnt > hdev->sco_pkts)
2829                                 hdev->sco_cnt = hdev->sco_pkts;
2830                         break;
2831
2832                 default:
2833                         BT_ERR("Unknown type %d conn %p", conn->type, conn);
2834                         break;
2835                 }
2836         }
2837
2838         queue_work(hdev->workqueue, &hdev->tx_work);
2839 }
2840
2841 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
2842                                                  __u16 handle)
2843 {
2844         struct hci_chan *chan;
2845
2846         switch (hdev->dev_type) {
2847         case HCI_BREDR:
2848                 return hci_conn_hash_lookup_handle(hdev, handle);
2849         case HCI_AMP:
2850                 chan = hci_chan_lookup_handle(hdev, handle);
2851                 if (chan)
2852                         return chan->conn;
2853                 break;
2854         default:
2855                 BT_ERR("%s unknown dev_type %d", hdev->name, hdev->dev_type);
2856                 break;
2857         }
2858
2859         return NULL;
2860 }
2861
2862 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb)
2863 {
2864         struct hci_ev_num_comp_blocks *ev = (void *) skb->data;
2865         int i;
2866
2867         if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
2868                 BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode);
2869                 return;
2870         }
2871
2872         if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
2873             ev->num_hndl * sizeof(struct hci_comp_blocks_info)) {
2874                 BT_DBG("%s bad parameters", hdev->name);
2875                 return;
2876         }
2877
2878         BT_DBG("%s num_blocks %d num_hndl %d", hdev->name, ev->num_blocks,
2879                ev->num_hndl);
2880
2881         for (i = 0; i < ev->num_hndl; i++) {
2882                 struct hci_comp_blocks_info *info = &ev->handles[i];
2883                 struct hci_conn *conn = NULL;
2884                 __u16  handle, block_count;
2885
2886                 handle = __le16_to_cpu(info->handle);
2887                 block_count = __le16_to_cpu(info->blocks);
2888
2889                 conn = __hci_conn_lookup_handle(hdev, handle);
2890                 if (!conn)
2891                         continue;
2892
2893                 conn->sent -= block_count;
2894
2895                 switch (conn->type) {
2896                 case ACL_LINK:
2897                 case AMP_LINK:
2898                         hdev->block_cnt += block_count;
2899                         if (hdev->block_cnt > hdev->num_blocks)
2900                                 hdev->block_cnt = hdev->num_blocks;
2901                         break;
2902
2903                 default:
2904                         BT_ERR("Unknown type %d conn %p", conn->type, conn);
2905                         break;
2906                 }
2907         }
2908
2909         queue_work(hdev->workqueue, &hdev->tx_work);
2910 }
2911
2912 static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2913 {
2914         struct hci_ev_mode_change *ev = (void *) skb->data;
2915         struct hci_conn *conn;
2916
2917         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2918
2919         hci_dev_lock(hdev);
2920
2921         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2922         if (conn) {
2923                 conn->mode = ev->mode;
2924
2925                 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
2926                                         &conn->flags)) {
2927                         if (conn->mode == HCI_CM_ACTIVE)
2928                                 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
2929                         else
2930                                 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
2931                 }
2932
2933                 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2934                         hci_sco_setup(conn, ev->status);
2935         }
2936
2937         hci_dev_unlock(hdev);
2938 }
2939
2940 static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2941 {
2942         struct hci_ev_pin_code_req *ev = (void *) skb->data;
2943         struct hci_conn *conn;
2944
2945         BT_DBG("%s", hdev->name);
2946
2947         hci_dev_lock(hdev);
2948
2949         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2950         if (!conn)
2951                 goto unlock;
2952
2953         if (conn->state == BT_CONNECTED) {
2954                 hci_conn_hold(conn);
2955                 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
2956                 hci_conn_drop(conn);
2957         }
2958
2959         if (!test_bit(HCI_PAIRABLE, &hdev->dev_flags))
2960                 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
2961                              sizeof(ev->bdaddr), &ev->bdaddr);
2962         else if (test_bit(HCI_MGMT, &hdev->dev_flags)) {
2963                 u8 secure;
2964
2965                 if (conn->pending_sec_level == BT_SECURITY_HIGH)
2966                         secure = 1;
2967                 else
2968                         secure = 0;
2969
2970                 mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
2971         }
2972
2973 unlock:
2974         hci_dev_unlock(hdev);
2975 }
2976
2977 static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2978 {
2979         struct hci_ev_link_key_req *ev = (void *) skb->data;
2980         struct hci_cp_link_key_reply cp;
2981         struct hci_conn *conn;
2982         struct link_key *key;
2983
2984         BT_DBG("%s", hdev->name);
2985
2986         if (!test_bit(HCI_MGMT, &hdev->dev_flags))
2987                 return;
2988
2989         hci_dev_lock(hdev);
2990
2991         key = hci_find_link_key(hdev, &ev->bdaddr);
2992         if (!key) {
2993                 BT_DBG("%s link key not found for %pMR", hdev->name,
2994                        &ev->bdaddr);
2995                 goto not_found;
2996         }
2997
2998         BT_DBG("%s found key type %u for %pMR", hdev->name, key->type,
2999                &ev->bdaddr);
3000
3001         if (!test_bit(HCI_DEBUG_KEYS, &hdev->dev_flags) &&
3002             key->type == HCI_LK_DEBUG_COMBINATION) {
3003                 BT_DBG("%s ignoring debug key", hdev->name);
3004                 goto not_found;
3005         }
3006
3007         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3008         if (conn) {
3009                 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
3010                      key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
3011                     conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
3012                         BT_DBG("%s ignoring unauthenticated key", hdev->name);
3013                         goto not_found;
3014                 }
3015
3016                 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
3017                     conn->pending_sec_level == BT_SECURITY_HIGH) {
3018                         BT_DBG("%s ignoring key unauthenticated for high security",
3019                                hdev->name);
3020                         goto not_found;
3021                 }
3022
3023                 conn->key_type = key->type;
3024                 conn->pin_length = key->pin_len;
3025         }
3026
3027         bacpy(&cp.bdaddr, &ev->bdaddr);
3028         memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
3029
3030         hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
3031
3032         hci_dev_unlock(hdev);
3033
3034         return;
3035
3036 not_found:
3037         hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
3038         hci_dev_unlock(hdev);
3039 }
3040
3041 static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
3042 {
3043         struct hci_ev_link_key_notify *ev = (void *) skb->data;
3044         struct hci_conn *conn;
3045         u8 pin_len = 0;
3046
3047         BT_DBG("%s", hdev->name);
3048
3049         hci_dev_lock(hdev);
3050
3051         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3052         if (conn) {
3053                 hci_conn_hold(conn);
3054                 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3055                 pin_len = conn->pin_length;
3056
3057                 if (ev->key_type != HCI_LK_CHANGED_COMBINATION)
3058                         conn->key_type = ev->key_type;
3059
3060                 hci_conn_drop(conn);
3061         }
3062
3063         if (test_bit(HCI_MGMT, &hdev->dev_flags))
3064                 hci_add_link_key(hdev, conn, 1, &ev->bdaddr, ev->link_key,
3065                                  ev->key_type, pin_len);
3066
3067         hci_dev_unlock(hdev);
3068 }
3069
3070 static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb)
3071 {
3072         struct hci_ev_clock_offset *ev = (void *) skb->data;
3073         struct hci_conn *conn;
3074
3075         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3076
3077         hci_dev_lock(hdev);
3078
3079         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3080         if (conn && !ev->status) {
3081                 struct inquiry_entry *ie;
3082
3083                 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
3084                 if (ie) {
3085                         ie->data.clock_offset = ev->clock_offset;
3086                         ie->timestamp = jiffies;
3087                 }
3088         }
3089
3090         hci_dev_unlock(hdev);
3091 }
3092
3093 static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3094 {
3095         struct hci_ev_pkt_type_change *ev = (void *) skb->data;
3096         struct hci_conn *conn;
3097
3098         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3099
3100         hci_dev_lock(hdev);
3101
3102         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3103         if (conn && !ev->status)
3104                 conn->pkt_type = __le16_to_cpu(ev->pkt_type);
3105
3106         hci_dev_unlock(hdev);
3107 }
3108
3109 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb)
3110 {
3111         struct hci_ev_pscan_rep_mode *ev = (void *) skb->data;
3112         struct inquiry_entry *ie;
3113
3114         BT_DBG("%s", hdev->name);
3115
3116         hci_dev_lock(hdev);
3117
3118         ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3119         if (ie) {
3120                 ie->data.pscan_rep_mode = ev->pscan_rep_mode;
3121                 ie->timestamp = jiffies;
3122         }
3123
3124         hci_dev_unlock(hdev);
3125 }
3126
3127 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev,
3128                                              struct sk_buff *skb)
3129 {
3130         struct inquiry_data data;
3131         int num_rsp = *((__u8 *) skb->data);
3132         bool name_known, ssp;
3133
3134         BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
3135
3136         if (!num_rsp)
3137                 return;
3138
3139         if (test_bit(HCI_PERIODIC_INQ, &hdev->dev_flags))
3140                 return;
3141
3142         hci_dev_lock(hdev);
3143
3144         if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
3145                 struct inquiry_info_with_rssi_and_pscan_mode *info;
3146                 info = (void *) (skb->data + 1);
3147
3148                 for (; num_rsp; num_rsp--, info++) {
3149                         bacpy(&data.bdaddr, &info->bdaddr);
3150                         data.pscan_rep_mode     = info->pscan_rep_mode;
3151                         data.pscan_period_mode  = info->pscan_period_mode;
3152                         data.pscan_mode         = info->pscan_mode;
3153                         memcpy(data.dev_class, info->dev_class, 3);
3154                         data.clock_offset       = info->clock_offset;
3155                         data.rssi               = info->rssi;
3156                         data.ssp_mode           = 0x00;
3157
3158                         name_known = hci_inquiry_cache_update(hdev, &data,
3159                                                               false, &ssp);
3160                         mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3161                                           info->dev_class, info->rssi,
3162                                           !name_known, ssp, NULL, 0, NULL, 0);
3163                 }
3164         } else {
3165                 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
3166
3167                 for (; num_rsp; num_rsp--, info++) {
3168                         bacpy(&data.bdaddr, &info->bdaddr);
3169                         data.pscan_rep_mode     = info->pscan_rep_mode;
3170                         data.pscan_period_mode  = info->pscan_period_mode;
3171                         data.pscan_mode         = 0x00;
3172                         memcpy(data.dev_class, info->dev_class, 3);
3173                         data.clock_offset       = info->clock_offset;
3174                         data.rssi               = info->rssi;
3175                         data.ssp_mode           = 0x00;
3176                         name_known = hci_inquiry_cache_update(hdev, &data,
3177                                                               false, &ssp);
3178                         mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3179                                           info->dev_class, info->rssi,
3180                                           !name_known, ssp, NULL, 0, NULL, 0);
3181                 }
3182         }
3183
3184         hci_dev_unlock(hdev);
3185 }
3186
3187 static void hci_remote_ext_features_evt(struct hci_dev *hdev,
3188                                         struct sk_buff *skb)
3189 {
3190         struct hci_ev_remote_ext_features *ev = (void *) skb->data;
3191         struct hci_conn *conn;
3192
3193         BT_DBG("%s", hdev->name);
3194
3195         hci_dev_lock(hdev);
3196
3197         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3198         if (!conn)
3199                 goto unlock;
3200
3201         if (ev->page < HCI_MAX_PAGES)
3202                 memcpy(conn->features[ev->page], ev->features, 8);
3203
3204         if (!ev->status && ev->page == 0x01) {
3205                 struct inquiry_entry *ie;
3206
3207                 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
3208                 if (ie)
3209                         ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
3210
3211                 if (ev->features[0] & LMP_HOST_SSP) {
3212                         set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
3213                 } else {
3214                         /* It is mandatory by the Bluetooth specification that
3215                          * Extended Inquiry Results are only used when Secure
3216                          * Simple Pairing is enabled, but some devices violate
3217                          * this.
3218                          *
3219                          * To make these devices work, the internal SSP
3220                          * enabled flag needs to be cleared if the remote host
3221                          * features do not indicate SSP support */
3222                         clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
3223                 }
3224
3225                 if (ev->features[0] & LMP_HOST_SC)
3226                         set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
3227         }
3228
3229         if (conn->state != BT_CONFIG)
3230                 goto unlock;
3231
3232         if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3233                 struct hci_cp_remote_name_req cp;
3234                 memset(&cp, 0, sizeof(cp));
3235                 bacpy(&cp.bdaddr, &conn->dst);
3236                 cp.pscan_rep_mode = 0x02;
3237                 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3238         } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3239                 mgmt_device_connected(hdev, &conn->dst, conn->type,
3240                                       conn->dst_type, 0, NULL, 0,
3241                                       conn->dev_class);
3242
3243         if (!hci_outgoing_auth_needed(hdev, conn)) {
3244                 conn->state = BT_CONNECTED;
3245                 hci_proto_connect_cfm(conn, ev->status);
3246                 hci_conn_drop(conn);
3247         }
3248
3249 unlock:
3250         hci_dev_unlock(hdev);
3251 }
3252
3253 static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
3254                                        struct sk_buff *skb)
3255 {
3256         struct hci_ev_sync_conn_complete *ev = (void *) skb->data;
3257         struct hci_conn *conn;
3258
3259         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3260
3261         hci_dev_lock(hdev);
3262
3263         conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
3264         if (!conn) {
3265                 if (ev->link_type == ESCO_LINK)
3266                         goto unlock;
3267
3268                 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
3269                 if (!conn)
3270                         goto unlock;
3271
3272                 conn->type = SCO_LINK;
3273         }
3274
3275         switch (ev->status) {
3276         case 0x00:
3277                 conn->handle = __le16_to_cpu(ev->handle);
3278                 conn->state  = BT_CONNECTED;
3279
3280                 hci_conn_add_sysfs(conn);
3281                 break;
3282
3283         case 0x0d:      /* Connection Rejected due to Limited Resources */
3284         case 0x11:      /* Unsupported Feature or Parameter Value */
3285         case 0x1c:      /* SCO interval rejected */
3286         case 0x1a:      /* Unsupported Remote Feature */
3287         case 0x1f:      /* Unspecified error */
3288         case 0x20:      /* Unsupported LMP Parameter value */
3289                 if (conn->out) {
3290                         conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
3291                                         (hdev->esco_type & EDR_ESCO_MASK);
3292                         if (hci_setup_sync(conn, conn->link->handle))
3293                                 goto unlock;
3294                 }
3295                 /* fall through */
3296
3297         default:
3298                 conn->state = BT_CLOSED;
3299                 break;
3300         }
3301
3302         hci_proto_connect_cfm(conn, ev->status);
3303         if (ev->status)
3304                 hci_conn_del(conn);
3305
3306 unlock:
3307         hci_dev_unlock(hdev);
3308 }
3309
3310 static inline size_t eir_get_length(u8 *eir, size_t eir_len)
3311 {
3312         size_t parsed = 0;
3313
3314         while (parsed < eir_len) {
3315                 u8 field_len = eir[0];
3316
3317                 if (field_len == 0)
3318                         return parsed;
3319
3320                 parsed += field_len + 1;
3321                 eir += field_len + 1;
3322         }
3323
3324         return eir_len;
3325 }
3326
3327 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev,
3328                                             struct sk_buff *skb)
3329 {
3330         struct inquiry_data data;
3331         struct extended_inquiry_info *info = (void *) (skb->data + 1);
3332         int num_rsp = *((__u8 *) skb->data);
3333         size_t eir_len;
3334
3335         BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
3336
3337         if (!num_rsp)
3338                 return;
3339
3340         if (test_bit(HCI_PERIODIC_INQ, &hdev->dev_flags))
3341                 return;
3342
3343         hci_dev_lock(hdev);
3344
3345         for (; num_rsp; num_rsp--, info++) {
3346                 bool name_known, ssp;
3347
3348                 bacpy(&data.bdaddr, &info->bdaddr);
3349                 data.pscan_rep_mode     = info->pscan_rep_mode;
3350                 data.pscan_period_mode  = info->pscan_period_mode;
3351                 data.pscan_mode         = 0x00;
3352                 memcpy(data.dev_class, info->dev_class, 3);
3353                 data.clock_offset       = info->clock_offset;
3354                 data.rssi               = info->rssi;
3355                 data.ssp_mode           = 0x01;
3356
3357                 if (test_bit(HCI_MGMT, &hdev->dev_flags))
3358                         name_known = eir_has_data_type(info->data,
3359                                                        sizeof(info->data),
3360                                                        EIR_NAME_COMPLETE);
3361                 else
3362                         name_known = true;
3363
3364                 name_known = hci_inquiry_cache_update(hdev, &data, name_known,
3365                                                       &ssp);
3366                 eir_len = eir_get_length(info->data, sizeof(info->data));
3367                 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3368                                   info->dev_class, info->rssi, !name_known,
3369                                   ssp, info->data, eir_len, NULL, 0);
3370         }
3371
3372         hci_dev_unlock(hdev);
3373 }
3374
3375 static void hci_key_refresh_complete_evt(struct hci_dev *hdev,
3376                                          struct sk_buff *skb)
3377 {
3378         struct hci_ev_key_refresh_complete *ev = (void *) skb->data;
3379         struct hci_conn *conn;
3380
3381         BT_DBG("%s status 0x%2.2x handle 0x%4.4x", hdev->name, ev->status,
3382                __le16_to_cpu(ev->handle));
3383
3384         hci_dev_lock(hdev);
3385
3386         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3387         if (!conn)
3388                 goto unlock;
3389
3390         if (!ev->status)
3391                 conn->sec_level = conn->pending_sec_level;
3392
3393         clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3394
3395         if (ev->status && conn->state == BT_CONNECTED) {
3396                 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3397                 hci_conn_drop(conn);
3398                 goto unlock;
3399         }
3400
3401         if (conn->state == BT_CONFIG) {
3402                 if (!ev->status)
3403                         conn->state = BT_CONNECTED;
3404
3405                 hci_proto_connect_cfm(conn, ev->status);
3406                 hci_conn_drop(conn);
3407         } else {
3408                 hci_auth_cfm(conn, ev->status);
3409
3410                 hci_conn_hold(conn);
3411                 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3412                 hci_conn_drop(conn);
3413         }
3414
3415 unlock:
3416         hci_dev_unlock(hdev);
3417 }
3418
3419 static u8 hci_get_auth_req(struct hci_conn *conn)
3420 {
3421         /* If remote requests dedicated bonding follow that lead */
3422         if (conn->remote_auth == HCI_AT_DEDICATED_BONDING ||
3423             conn->remote_auth == HCI_AT_DEDICATED_BONDING_MITM) {
3424                 /* If both remote and local IO capabilities allow MITM
3425                  * protection then require it, otherwise don't */
3426                 if (conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT ||
3427                     conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)
3428                         return HCI_AT_DEDICATED_BONDING;
3429                 else
3430                         return HCI_AT_DEDICATED_BONDING_MITM;
3431         }
3432
3433         /* If remote requests no-bonding follow that lead */
3434         if (conn->remote_auth == HCI_AT_NO_BONDING ||
3435             conn->remote_auth == HCI_AT_NO_BONDING_MITM)
3436                 return conn->remote_auth | (conn->auth_type & 0x01);
3437
3438         return conn->auth_type;
3439 }
3440
3441 static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3442 {
3443         struct hci_ev_io_capa_request *ev = (void *) skb->data;
3444         struct hci_conn *conn;
3445
3446         BT_DBG("%s", hdev->name);
3447
3448         hci_dev_lock(hdev);
3449
3450         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3451         if (!conn)
3452                 goto unlock;
3453
3454         hci_conn_hold(conn);
3455
3456         if (!test_bit(HCI_MGMT, &hdev->dev_flags))
3457                 goto unlock;
3458
3459         if (test_bit(HCI_PAIRABLE, &hdev->dev_flags) ||
3460             (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
3461                 struct hci_cp_io_capability_reply cp;
3462
3463                 bacpy(&cp.bdaddr, &ev->bdaddr);
3464                 /* Change the IO capability from KeyboardDisplay
3465                  * to DisplayYesNo as it is not supported by BT spec. */
3466                 cp.capability = (conn->io_capability == 0x04) ?
3467                                 HCI_IO_DISPLAY_YESNO : conn->io_capability;
3468                 conn->auth_type = hci_get_auth_req(conn);
3469                 cp.authentication = conn->auth_type;
3470
3471                 if (hci_find_remote_oob_data(hdev, &conn->dst) &&
3472                     (conn->out || test_bit(HCI_CONN_REMOTE_OOB, &conn->flags)))
3473                         cp.oob_data = 0x01;
3474                 else
3475                         cp.oob_data = 0x00;
3476
3477                 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
3478                              sizeof(cp), &cp);
3479         } else {
3480                 struct hci_cp_io_capability_neg_reply cp;
3481
3482                 bacpy(&cp.bdaddr, &ev->bdaddr);
3483                 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
3484
3485                 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
3486                              sizeof(cp), &cp);
3487         }
3488
3489 unlock:
3490         hci_dev_unlock(hdev);
3491 }
3492
3493 static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb)
3494 {
3495         struct hci_ev_io_capa_reply *ev = (void *) skb->data;
3496         struct hci_conn *conn;
3497
3498         BT_DBG("%s", hdev->name);
3499
3500         hci_dev_lock(hdev);
3501
3502         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3503         if (!conn)
3504                 goto unlock;
3505
3506         conn->remote_cap = ev->capability;
3507         conn->remote_auth = ev->authentication;
3508         if (ev->oob_data)
3509                 set_bit(HCI_CONN_REMOTE_OOB, &conn->flags);
3510
3511 unlock:
3512         hci_dev_unlock(hdev);
3513 }
3514
3515 static void hci_user_confirm_request_evt(struct hci_dev *hdev,
3516                                          struct sk_buff *skb)
3517 {
3518         struct hci_ev_user_confirm_req *ev = (void *) skb->data;
3519         int loc_mitm, rem_mitm, confirm_hint = 0;
3520         struct hci_conn *conn;
3521
3522         BT_DBG("%s", hdev->name);
3523
3524         hci_dev_lock(hdev);
3525
3526         if (!test_bit(HCI_MGMT, &hdev->dev_flags))
3527                 goto unlock;
3528
3529         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3530         if (!conn)
3531                 goto unlock;
3532
3533         loc_mitm = (conn->auth_type & 0x01);
3534         rem_mitm = (conn->remote_auth & 0x01);
3535
3536         /* If we require MITM but the remote device can't provide that
3537          * (it has NoInputNoOutput) then reject the confirmation
3538          * request. The only exception is when we're dedicated bonding
3539          * initiators (connect_cfm_cb set) since then we always have the MITM
3540          * bit set. */
3541         if (!conn->connect_cfm_cb && loc_mitm &&
3542             conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
3543                 BT_DBG("Rejecting request: remote device can't provide MITM");
3544                 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
3545                              sizeof(ev->bdaddr), &ev->bdaddr);
3546                 goto unlock;
3547         }
3548
3549         /* If no side requires MITM protection; auto-accept */
3550         if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
3551             (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
3552
3553                 /* If we're not the initiators request authorization to
3554                  * proceed from user space (mgmt_user_confirm with
3555                  * confirm_hint set to 1). */
3556                 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
3557                         BT_DBG("Confirming auto-accept as acceptor");
3558                         confirm_hint = 1;
3559                         goto confirm;
3560                 }
3561
3562                 BT_DBG("Auto-accept of user confirmation with %ums delay",
3563                        hdev->auto_accept_delay);
3564
3565                 if (hdev->auto_accept_delay > 0) {
3566                         int delay = msecs_to_jiffies(hdev->auto_accept_delay);
3567                         queue_delayed_work(conn->hdev->workqueue,
3568                                            &conn->auto_accept_work, delay);
3569                         goto unlock;
3570                 }
3571
3572                 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
3573                              sizeof(ev->bdaddr), &ev->bdaddr);
3574                 goto unlock;
3575         }
3576
3577 confirm:
3578         mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
3579                                   le32_to_cpu(ev->passkey), confirm_hint);
3580
3581 unlock:
3582         hci_dev_unlock(hdev);
3583 }
3584
3585 static void hci_user_passkey_request_evt(struct hci_dev *hdev,
3586                                          struct sk_buff *skb)
3587 {
3588         struct hci_ev_user_passkey_req *ev = (void *) skb->data;
3589
3590         BT_DBG("%s", hdev->name);
3591
3592         if (test_bit(HCI_MGMT, &hdev->dev_flags))
3593                 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
3594 }
3595
3596 static void hci_user_passkey_notify_evt(struct hci_dev *hdev,
3597                                         struct sk_buff *skb)
3598 {
3599         struct hci_ev_user_passkey_notify *ev = (void *) skb->data;
3600         struct hci_conn *conn;
3601
3602         BT_DBG("%s", hdev->name);
3603
3604         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3605         if (!conn)
3606                 return;
3607
3608         conn->passkey_notify = __le32_to_cpu(ev->passkey);
3609         conn->passkey_entered = 0;
3610
3611         if (test_bit(HCI_MGMT, &hdev->dev_flags))
3612                 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
3613                                          conn->dst_type, conn->passkey_notify,
3614                                          conn->passkey_entered);
3615 }
3616
3617 static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
3618 {
3619         struct hci_ev_keypress_notify *ev = (void *) skb->data;
3620         struct hci_conn *conn;
3621
3622         BT_DBG("%s", hdev->name);
3623
3624         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3625         if (!conn)
3626                 return;
3627
3628         switch (ev->type) {
3629         case HCI_KEYPRESS_STARTED:
3630                 conn->passkey_entered = 0;
3631                 return;
3632
3633         case HCI_KEYPRESS_ENTERED:
3634                 conn->passkey_entered++;
3635                 break;
3636
3637         case HCI_KEYPRESS_ERASED:
3638                 conn->passkey_entered--;
3639                 break;
3640
3641         case HCI_KEYPRESS_CLEARED:
3642                 conn->passkey_entered = 0;
3643                 break;
3644
3645         case HCI_KEYPRESS_COMPLETED:
3646                 return;
3647         }
3648
3649         if (test_bit(HCI_MGMT, &hdev->dev_flags))
3650                 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
3651                                          conn->dst_type, conn->passkey_notify,
3652                                          conn->passkey_entered);
3653 }
3654
3655 static void hci_simple_pair_complete_evt(struct hci_dev *hdev,
3656                                          struct sk_buff *skb)
3657 {
3658         struct hci_ev_simple_pair_complete *ev = (void *) skb->data;
3659         struct hci_conn *conn;
3660
3661         BT_DBG("%s", hdev->name);
3662
3663         hci_dev_lock(hdev);
3664
3665         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3666         if (!conn)
3667                 goto unlock;
3668
3669         /* To avoid duplicate auth_failed events to user space we check
3670          * the HCI_CONN_AUTH_PEND flag which will be set if we
3671          * initiated the authentication. A traditional auth_complete
3672          * event gets always produced as initiator and is also mapped to
3673          * the mgmt_auth_failed event */
3674         if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
3675                 mgmt_auth_failed(hdev, &conn->dst, conn->type, conn->dst_type,
3676                                  ev->status);
3677
3678         hci_conn_drop(conn);
3679
3680 unlock:
3681         hci_dev_unlock(hdev);
3682 }
3683
3684 static void hci_remote_host_features_evt(struct hci_dev *hdev,
3685                                          struct sk_buff *skb)
3686 {
3687         struct hci_ev_remote_host_features *ev = (void *) skb->data;
3688         struct inquiry_entry *ie;
3689         struct hci_conn *conn;
3690
3691         BT_DBG("%s", hdev->name);
3692
3693         hci_dev_lock(hdev);
3694
3695         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3696         if (conn)
3697                 memcpy(conn->features[1], ev->features, 8);
3698
3699         ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3700         if (ie)
3701                 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
3702
3703         hci_dev_unlock(hdev);
3704 }
3705
3706 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
3707                                             struct sk_buff *skb)
3708 {
3709         struct hci_ev_remote_oob_data_request *ev = (void *) skb->data;
3710         struct oob_data *data;
3711
3712         BT_DBG("%s", hdev->name);
3713
3714         hci_dev_lock(hdev);
3715
3716         if (!test_bit(HCI_MGMT, &hdev->dev_flags))
3717                 goto unlock;
3718
3719         data = hci_find_remote_oob_data(hdev, &ev->bdaddr);
3720         if (data) {
3721                 if (test_bit(HCI_SC_ENABLED, &hdev->dev_flags)) {
3722                         struct hci_cp_remote_oob_ext_data_reply cp;
3723
3724                         bacpy(&cp.bdaddr, &ev->bdaddr);
3725                         memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
3726                         memcpy(cp.randomizer192, data->randomizer192,
3727                                sizeof(cp.randomizer192));
3728                         memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
3729                         memcpy(cp.randomizer256, data->randomizer256,
3730                                sizeof(cp.randomizer256));
3731
3732                         hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
3733                                      sizeof(cp), &cp);
3734                 } else {
3735                         struct hci_cp_remote_oob_data_reply cp;
3736
3737                         bacpy(&cp.bdaddr, &ev->bdaddr);
3738                         memcpy(cp.hash, data->hash192, sizeof(cp.hash));
3739                         memcpy(cp.randomizer, data->randomizer192,
3740                                sizeof(cp.randomizer));
3741
3742                         hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
3743                                      sizeof(cp), &cp);
3744                 }
3745         } else {
3746                 struct hci_cp_remote_oob_data_neg_reply cp;
3747
3748                 bacpy(&cp.bdaddr, &ev->bdaddr);
3749                 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
3750                              sizeof(cp), &cp);
3751         }
3752
3753 unlock:
3754         hci_dev_unlock(hdev);
3755 }
3756
3757 static void hci_phy_link_complete_evt(struct hci_dev *hdev,
3758                                       struct sk_buff *skb)
3759 {
3760         struct hci_ev_phy_link_complete *ev = (void *) skb->data;
3761         struct hci_conn *hcon, *bredr_hcon;
3762
3763         BT_DBG("%s handle 0x%2.2x status 0x%2.2x", hdev->name, ev->phy_handle,
3764                ev->status);
3765
3766         hci_dev_lock(hdev);
3767
3768         hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
3769         if (!hcon) {
3770                 hci_dev_unlock(hdev);
3771                 return;
3772         }
3773
3774         if (ev->status) {
3775                 hci_conn_del(hcon);
3776                 hci_dev_unlock(hdev);
3777                 return;
3778         }
3779
3780         bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
3781
3782         hcon->state = BT_CONNECTED;
3783         bacpy(&hcon->dst, &bredr_hcon->dst);
3784
3785         hci_conn_hold(hcon);
3786         hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
3787         hci_conn_drop(hcon);
3788
3789         hci_conn_add_sysfs(hcon);
3790
3791         amp_physical_cfm(bredr_hcon, hcon);
3792
3793         hci_dev_unlock(hdev);
3794 }
3795
3796 static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
3797 {
3798         struct hci_ev_logical_link_complete *ev = (void *) skb->data;
3799         struct hci_conn *hcon;
3800         struct hci_chan *hchan;
3801         struct amp_mgr *mgr;
3802
3803         BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
3804                hdev->name, le16_to_cpu(ev->handle), ev->phy_handle,
3805                ev->status);
3806
3807         hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
3808         if (!hcon)
3809                 return;
3810
3811         /* Create AMP hchan */
3812         hchan = hci_chan_create(hcon);
3813         if (!hchan)
3814                 return;
3815
3816         hchan->handle = le16_to_cpu(ev->handle);
3817
3818         BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
3819
3820         mgr = hcon->amp_mgr;
3821         if (mgr && mgr->bredr_chan) {
3822                 struct l2cap_chan *bredr_chan = mgr->bredr_chan;
3823
3824                 l2cap_chan_lock(bredr_chan);
3825
3826                 bredr_chan->conn->mtu = hdev->block_mtu;
3827                 l2cap_logical_cfm(bredr_chan, hchan, 0);
3828                 hci_conn_hold(hcon);
3829
3830                 l2cap_chan_unlock(bredr_chan);
3831         }
3832 }
3833
3834 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev,
3835                                              struct sk_buff *skb)
3836 {
3837         struct hci_ev_disconn_logical_link_complete *ev = (void *) skb->data;
3838         struct hci_chan *hchan;
3839
3840         BT_DBG("%s log handle 0x%4.4x status 0x%2.2x", hdev->name,
3841                le16_to_cpu(ev->handle), ev->status);
3842
3843         if (ev->status)
3844                 return;
3845
3846         hci_dev_lock(hdev);
3847
3848         hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
3849         if (!hchan)
3850                 goto unlock;
3851
3852         amp_destroy_logical_link(hchan, ev->reason);
3853
3854 unlock:
3855         hci_dev_unlock(hdev);
3856 }
3857
3858 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev,
3859                                              struct sk_buff *skb)
3860 {
3861         struct hci_ev_disconn_phy_link_complete *ev = (void *) skb->data;
3862         struct hci_conn *hcon;
3863
3864         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3865
3866         if (ev->status)
3867                 return;
3868
3869         hci_dev_lock(hdev);
3870
3871         hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
3872         if (hcon) {
3873                 hcon->state = BT_CLOSED;
3874                 hci_conn_del(hcon);
3875         }
3876
3877         hci_dev_unlock(hdev);
3878 }
3879
3880 static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
3881 {
3882         struct hci_ev_le_conn_complete *ev = (void *) skb->data;
3883         struct hci_conn *conn;
3884         struct smp_irk *irk;
3885
3886         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3887
3888         hci_dev_lock(hdev);
3889
3890         conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT);
3891         if (!conn) {
3892                 conn = hci_conn_add(hdev, LE_LINK, &ev->bdaddr);
3893                 if (!conn) {
3894                         BT_ERR("No memory for new connection");
3895                         goto unlock;
3896                 }
3897
3898                 conn->dst_type = ev->bdaddr_type;
3899
3900                 if (ev->role == LE_CONN_ROLE_MASTER) {
3901                         conn->out = true;
3902                         conn->link_mode |= HCI_LM_MASTER;
3903                 }
3904
3905                 /* If we didn't have a hci_conn object previously
3906                  * but we're in master role this must be something
3907                  * initiated using a white list. Since white list based
3908                  * connections are not "first class citizens" we don't
3909                  * have full tracking of them. Therefore, we go ahead
3910                  * with a "best effort" approach of determining the
3911                  * initiator address based on the HCI_PRIVACY flag.
3912                  */
3913                 if (conn->out) {
3914                         conn->resp_addr_type = ev->bdaddr_type;
3915                         bacpy(&conn->resp_addr, &ev->bdaddr);
3916                         if (test_bit(HCI_PRIVACY, &hdev->dev_flags)) {
3917                                 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
3918                                 bacpy(&conn->init_addr, &hdev->rpa);
3919                         } else {
3920                                 hci_copy_identity_address(hdev,
3921                                                           &conn->init_addr,
3922                                                           &conn->init_addr_type);
3923                         }
3924                 }
3925         } else {
3926                 cancel_delayed_work(&conn->le_conn_timeout);
3927         }
3928
3929         if (!conn->out) {
3930                 /* Set the responder (our side) address type based on
3931                  * the advertising address type.
3932                  */
3933                 conn->resp_addr_type = hdev->adv_addr_type;
3934                 if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM)
3935                         bacpy(&conn->resp_addr, &hdev->random_addr);
3936                 else
3937                         bacpy(&conn->resp_addr, &hdev->bdaddr);
3938
3939                 conn->init_addr_type = ev->bdaddr_type;
3940                 bacpy(&conn->init_addr, &ev->bdaddr);
3941         }
3942
3943         /* Lookup the identity address from the stored connection
3944          * address and address type.
3945          *
3946          * When establishing connections to an identity address, the
3947          * connection procedure will store the resolvable random
3948          * address first. Now if it can be converted back into the
3949          * identity address, start using the identity address from
3950          * now on.
3951          */
3952         irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
3953         if (irk) {
3954                 bacpy(&conn->dst, &irk->bdaddr);
3955                 conn->dst_type = irk->addr_type;
3956         }
3957
3958         if (ev->status) {
3959                 hci_le_conn_failed(conn, ev->status);
3960                 goto unlock;
3961         }
3962
3963         if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3964                 mgmt_device_connected(hdev, &conn->dst, conn->type,
3965                                       conn->dst_type, 0, NULL, 0, NULL);
3966
3967         conn->sec_level = BT_SECURITY_LOW;
3968         conn->handle = __le16_to_cpu(ev->handle);
3969         conn->state = BT_CONNECTED;
3970
3971         if (test_bit(HCI_6LOWPAN_ENABLED, &hdev->dev_flags))
3972                 set_bit(HCI_CONN_6LOWPAN, &conn->flags);
3973
3974         hci_conn_add_sysfs(conn);
3975
3976         hci_proto_connect_cfm(conn, ev->status);
3977
3978         hci_pend_le_conn_del(hdev, &conn->dst, conn->dst_type);
3979
3980 unlock:
3981         hci_dev_unlock(hdev);
3982 }
3983
3984 /* This function requires the caller holds hdev->lock */
3985 static void check_pending_le_conn(struct hci_dev *hdev, bdaddr_t *addr,
3986                                   u8 addr_type)
3987 {
3988         struct hci_conn *conn;
3989         struct smp_irk *irk;
3990
3991         /* If this is a resolvable address, we should resolve it and then
3992          * update address and address type variables.
3993          */
3994         irk = hci_get_irk(hdev, addr, addr_type);
3995         if (irk) {
3996                 addr = &irk->bdaddr;
3997                 addr_type = irk->addr_type;
3998         }
3999
4000         if (!hci_pend_le_conn_lookup(hdev, addr, addr_type))
4001                 return;
4002
4003         conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW,
4004                               HCI_AT_NO_BONDING);
4005         if (!IS_ERR(conn))
4006                 return;
4007
4008         switch (PTR_ERR(conn)) {
4009         case -EBUSY:
4010                 /* If hci_connect() returns -EBUSY it means there is already
4011                  * an LE connection attempt going on. Since controllers don't
4012                  * support more than one connection attempt at the time, we
4013                  * don't consider this an error case.
4014                  */
4015                 break;
4016         default:
4017                 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
4018         }
4019 }
4020
4021 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
4022                                u8 bdaddr_type, s8 rssi, u8 *data, u8 len)
4023 {
4024         struct discovery_state *d = &hdev->discovery;
4025         bool match;
4026
4027         /* Passive scanning shouldn't trigger any device found events */
4028         if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
4029                 if (type == LE_ADV_IND || type == LE_ADV_DIRECT_IND)
4030                         check_pending_le_conn(hdev, bdaddr, bdaddr_type);
4031                 return;
4032         }
4033
4034         /* If there's nothing pending either store the data from this
4035          * event or send an immediate device found event if the data
4036          * should not be stored for later.
4037          */
4038         if (!has_pending_adv_report(hdev)) {
4039                 /* If the report will trigger a SCAN_REQ store it for
4040                  * later merging.
4041                  */
4042                 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
4043                         store_pending_adv_report(hdev, bdaddr, bdaddr_type,
4044                                                  rssi, data, len);
4045                         return;
4046                 }
4047
4048                 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4049                                   rssi, 0, 1, data, len, NULL, 0);
4050                 return;
4051         }
4052
4053         /* Check if the pending report is for the same device as the new one */
4054         match = (!bacmp(bdaddr, &d->last_adv_addr) &&
4055                  bdaddr_type == d->last_adv_addr_type);
4056
4057         /* If the pending data doesn't match this report or this isn't a
4058          * scan response (e.g. we got a duplicate ADV_IND) then force
4059          * sending of the pending data.
4060          */
4061         if (type != LE_ADV_SCAN_RSP || !match) {
4062                 /* Send out whatever is in the cache, but skip duplicates */
4063                 if (!match)
4064                         mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
4065                                           d->last_adv_addr_type, NULL,
4066                                           d->last_adv_rssi, 0, 1,
4067                                           d->last_adv_data,
4068                                           d->last_adv_data_len, NULL, 0);
4069
4070                 /* If the new report will trigger a SCAN_REQ store it for
4071                  * later merging.
4072                  */
4073                 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
4074                         store_pending_adv_report(hdev, bdaddr, bdaddr_type,
4075                                                  rssi, data, len);
4076                         return;
4077                 }
4078
4079                 /* The advertising reports cannot be merged, so clear
4080                  * the pending report and send out a device found event.
4081                  */
4082                 clear_pending_adv_report(hdev);
4083                 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
4084                                   d->last_adv_addr_type, NULL, rssi, 0, 1,
4085                                   data, len, NULL, 0);
4086                 return;
4087         }
4088
4089         /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
4090          * the new event is a SCAN_RSP. We can therefore proceed with
4091          * sending a merged device found event.
4092          */
4093         mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
4094                           d->last_adv_addr_type, NULL, rssi, 0, 1, data, len,
4095                           d->last_adv_data, d->last_adv_data_len);
4096         clear_pending_adv_report(hdev);
4097 }
4098
4099 static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
4100 {
4101         u8 num_reports = skb->data[0];
4102         void *ptr = &skb->data[1];
4103
4104         hci_dev_lock(hdev);
4105
4106         while (num_reports--) {
4107                 struct hci_ev_le_advertising_info *ev = ptr;
4108                 s8 rssi;
4109
4110                 rssi = ev->data[ev->length];
4111                 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
4112                                    ev->bdaddr_type, rssi, ev->data, ev->length);
4113
4114                 ptr += sizeof(*ev) + ev->length + 1;
4115         }
4116
4117         hci_dev_unlock(hdev);
4118 }
4119
4120 static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
4121 {
4122         struct hci_ev_le_ltk_req *ev = (void *) skb->data;
4123         struct hci_cp_le_ltk_reply cp;
4124         struct hci_cp_le_ltk_neg_reply neg;
4125         struct hci_conn *conn;
4126         struct smp_ltk *ltk;
4127
4128         BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle));
4129
4130         hci_dev_lock(hdev);
4131
4132         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4133         if (conn == NULL)
4134                 goto not_found;
4135
4136         ltk = hci_find_ltk(hdev, ev->ediv, ev->rand, conn->out);
4137         if (ltk == NULL)
4138                 goto not_found;
4139
4140         memcpy(cp.ltk, ltk->val, sizeof(ltk->val));
4141         cp.handle = cpu_to_le16(conn->handle);
4142
4143         if (ltk->authenticated)
4144                 conn->pending_sec_level = BT_SECURITY_HIGH;
4145         else
4146                 conn->pending_sec_level = BT_SECURITY_MEDIUM;
4147
4148         conn->enc_key_size = ltk->enc_size;
4149
4150         hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
4151
4152         /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
4153          * temporary key used to encrypt a connection following
4154          * pairing. It is used during the Encrypted Session Setup to
4155          * distribute the keys. Later, security can be re-established
4156          * using a distributed LTK.
4157          */
4158         if (ltk->type == HCI_SMP_STK_SLAVE) {
4159                 list_del(&ltk->list);
4160                 kfree(ltk);
4161         }
4162
4163         hci_dev_unlock(hdev);
4164
4165         return;
4166
4167 not_found:
4168         neg.handle = ev->handle;
4169         hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
4170         hci_dev_unlock(hdev);
4171 }
4172
4173 static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
4174 {
4175         struct hci_ev_le_meta *le_ev = (void *) skb->data;
4176
4177         skb_pull(skb, sizeof(*le_ev));
4178
4179         switch (le_ev->subevent) {
4180         case HCI_EV_LE_CONN_COMPLETE:
4181                 hci_le_conn_complete_evt(hdev, skb);
4182                 break;
4183
4184         case HCI_EV_LE_ADVERTISING_REPORT:
4185                 hci_le_adv_report_evt(hdev, skb);
4186                 break;
4187
4188         case HCI_EV_LE_LTK_REQ:
4189                 hci_le_ltk_request_evt(hdev, skb);
4190                 break;
4191
4192         default:
4193                 break;
4194         }
4195 }
4196
4197 static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb)
4198 {
4199         struct hci_ev_channel_selected *ev = (void *) skb->data;
4200         struct hci_conn *hcon;
4201
4202         BT_DBG("%s handle 0x%2.2x", hdev->name, ev->phy_handle);
4203
4204         skb_pull(skb, sizeof(*ev));
4205
4206         hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4207         if (!hcon)
4208                 return;
4209
4210         amp_read_loc_assoc_final_data(hdev, hcon);
4211 }
4212
4213 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
4214 {
4215         struct hci_event_hdr *hdr = (void *) skb->data;
4216         __u8 event = hdr->evt;
4217
4218         hci_dev_lock(hdev);
4219
4220         /* Received events are (currently) only needed when a request is
4221          * ongoing so avoid unnecessary memory allocation.
4222          */
4223         if (hdev->req_status == HCI_REQ_PEND) {
4224                 kfree_skb(hdev->recv_evt);
4225                 hdev->recv_evt = skb_clone(skb, GFP_KERNEL);
4226         }
4227
4228         hci_dev_unlock(hdev);
4229
4230         skb_pull(skb, HCI_EVENT_HDR_SIZE);
4231
4232         if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->req.event == event) {
4233                 struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data;
4234                 u16 opcode = __le16_to_cpu(cmd_hdr->opcode);
4235
4236                 hci_req_cmd_complete(hdev, opcode, 0);
4237         }
4238
4239         switch (event) {
4240         case HCI_EV_INQUIRY_COMPLETE:
4241                 hci_inquiry_complete_evt(hdev, skb);
4242                 break;
4243
4244         case HCI_EV_INQUIRY_RESULT:
4245                 hci_inquiry_result_evt(hdev, skb);
4246                 break;
4247
4248         case HCI_EV_CONN_COMPLETE:
4249                 hci_conn_complete_evt(hdev, skb);
4250                 break;
4251
4252         case HCI_EV_CONN_REQUEST:
4253                 hci_conn_request_evt(hdev, skb);
4254                 break;
4255
4256         case HCI_EV_DISCONN_COMPLETE:
4257                 hci_disconn_complete_evt(hdev, skb);
4258                 break;
4259
4260         case HCI_EV_AUTH_COMPLETE:
4261                 hci_auth_complete_evt(hdev, skb);
4262                 break;
4263
4264         case HCI_EV_REMOTE_NAME:
4265                 hci_remote_name_evt(hdev, skb);
4266                 break;
4267
4268         case HCI_EV_ENCRYPT_CHANGE:
4269                 hci_encrypt_change_evt(hdev, skb);
4270                 break;
4271
4272         case HCI_EV_CHANGE_LINK_KEY_COMPLETE:
4273                 hci_change_link_key_complete_evt(hdev, skb);
4274                 break;
4275
4276         case HCI_EV_REMOTE_FEATURES:
4277                 hci_remote_features_evt(hdev, skb);
4278                 break;
4279
4280         case HCI_EV_CMD_COMPLETE:
4281                 hci_cmd_complete_evt(hdev, skb);
4282                 break;
4283
4284         case HCI_EV_CMD_STATUS:
4285                 hci_cmd_status_evt(hdev, skb);
4286                 break;
4287
4288         case HCI_EV_ROLE_CHANGE:
4289                 hci_role_change_evt(hdev, skb);
4290                 break;
4291
4292         case HCI_EV_NUM_COMP_PKTS:
4293                 hci_num_comp_pkts_evt(hdev, skb);
4294                 break;
4295
4296         case HCI_EV_MODE_CHANGE:
4297                 hci_mode_change_evt(hdev, skb);
4298                 break;
4299
4300         case HCI_EV_PIN_CODE_REQ:
4301                 hci_pin_code_request_evt(hdev, skb);
4302                 break;
4303
4304         case HCI_EV_LINK_KEY_REQ:
4305                 hci_link_key_request_evt(hdev, skb);
4306                 break;
4307
4308         case HCI_EV_LINK_KEY_NOTIFY:
4309                 hci_link_key_notify_evt(hdev, skb);
4310                 break;
4311
4312         case HCI_EV_CLOCK_OFFSET:
4313                 hci_clock_offset_evt(hdev, skb);
4314                 break;
4315
4316         case HCI_EV_PKT_TYPE_CHANGE:
4317                 hci_pkt_type_change_evt(hdev, skb);
4318                 break;
4319
4320         case HCI_EV_PSCAN_REP_MODE:
4321                 hci_pscan_rep_mode_evt(hdev, skb);
4322                 break;
4323
4324         case HCI_EV_INQUIRY_RESULT_WITH_RSSI:
4325                 hci_inquiry_result_with_rssi_evt(hdev, skb);
4326                 break;
4327
4328         case HCI_EV_REMOTE_EXT_FEATURES:
4329                 hci_remote_ext_features_evt(hdev, skb);
4330                 break;
4331
4332         case HCI_EV_SYNC_CONN_COMPLETE:
4333                 hci_sync_conn_complete_evt(hdev, skb);
4334                 break;
4335
4336         case HCI_EV_EXTENDED_INQUIRY_RESULT:
4337                 hci_extended_inquiry_result_evt(hdev, skb);
4338                 break;
4339
4340         case HCI_EV_KEY_REFRESH_COMPLETE:
4341                 hci_key_refresh_complete_evt(hdev, skb);
4342                 break;
4343
4344         case HCI_EV_IO_CAPA_REQUEST:
4345                 hci_io_capa_request_evt(hdev, skb);
4346                 break;
4347
4348         case HCI_EV_IO_CAPA_REPLY:
4349                 hci_io_capa_reply_evt(hdev, skb);
4350                 break;
4351
4352         case HCI_EV_USER_CONFIRM_REQUEST:
4353                 hci_user_confirm_request_evt(hdev, skb);
4354                 break;
4355
4356         case HCI_EV_USER_PASSKEY_REQUEST:
4357                 hci_user_passkey_request_evt(hdev, skb);
4358                 break;
4359
4360         case HCI_EV_USER_PASSKEY_NOTIFY:
4361                 hci_user_passkey_notify_evt(hdev, skb);
4362                 break;
4363
4364         case HCI_EV_KEYPRESS_NOTIFY:
4365                 hci_keypress_notify_evt(hdev, skb);
4366                 break;
4367
4368         case HCI_EV_SIMPLE_PAIR_COMPLETE:
4369                 hci_simple_pair_complete_evt(hdev, skb);
4370                 break;
4371
4372         case HCI_EV_REMOTE_HOST_FEATURES:
4373                 hci_remote_host_features_evt(hdev, skb);
4374                 break;
4375
4376         case HCI_EV_LE_META:
4377                 hci_le_meta_evt(hdev, skb);
4378                 break;
4379
4380         case HCI_EV_CHANNEL_SELECTED:
4381                 hci_chan_selected_evt(hdev, skb);
4382                 break;
4383
4384         case HCI_EV_REMOTE_OOB_DATA_REQUEST:
4385                 hci_remote_oob_data_request_evt(hdev, skb);
4386                 break;
4387
4388         case HCI_EV_PHY_LINK_COMPLETE:
4389                 hci_phy_link_complete_evt(hdev, skb);
4390                 break;
4391
4392         case HCI_EV_LOGICAL_LINK_COMPLETE:
4393                 hci_loglink_complete_evt(hdev, skb);
4394                 break;
4395
4396         case HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE:
4397                 hci_disconn_loglink_complete_evt(hdev, skb);
4398                 break;
4399
4400         case HCI_EV_DISCONN_PHY_LINK_COMPLETE:
4401                 hci_disconn_phylink_complete_evt(hdev, skb);
4402                 break;
4403
4404         case HCI_EV_NUM_COMP_BLOCKS:
4405                 hci_num_comp_blocks_evt(hdev, skb);
4406                 break;
4407
4408         default:
4409                 BT_DBG("%s event 0x%2.2x", hdev->name, event);
4410                 break;
4411         }
4412
4413         kfree_skb(skb);
4414         hdev->stat.evt_rx++;
4415 }
Pandora Kernel Repository