projects / cascardo / linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Bluetooth: Add extra SMP_DBG statement for remote OOB data
[cascardo/linux.git] / net / bluetooth / hci_event.c
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
4
5    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License version 2 as
9    published by the Free Software Foundation;
10
11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19
20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22    SOFTWARE IS DISCLAIMED.
23 */
24
25 /* Bluetooth HCI event handling. */
26
27 #include <asm/unaligned.h>
28
29 #include <net/bluetooth/bluetooth.h>
30 #include <net/bluetooth/hci_core.h>
31 #include <net/bluetooth/mgmt.h>
32
33 #include "hci_request.h"
34 #include "hci_debugfs.h"
35 #include "a2mp.h"
36 #include "amp.h"
37 #include "smp.h"
38
39 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
40                  "\x00\x00\x00\x00\x00\x00\x00\x00"
41
42 /* Handle HCI Event packets */
43
44 static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb)
45 {
46         __u8 status = *((__u8 *) skb->data);
47
48         BT_DBG("%s status 0x%2.2x", hdev->name, status);
49
50         if (status)
51                 return;
52
53         clear_bit(HCI_INQUIRY, &hdev->flags);
54         smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
55         wake_up_bit(&hdev->flags, HCI_INQUIRY);
56
57         hci_dev_lock(hdev);
58         hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
59         hci_dev_unlock(hdev);
60
61         hci_conn_check_pending(hdev);
62 }
63
64 static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
65 {
66         __u8 status = *((__u8 *) skb->data);
67
68         BT_DBG("%s status 0x%2.2x", hdev->name, status);
69
70         if (status)
71                 return;
72
73         hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);
74 }
75
76 static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
77 {
78         __u8 status = *((__u8 *) skb->data);
79
80         BT_DBG("%s status 0x%2.2x", hdev->name, status);
81
82         if (status)
83                 return;
84
85         hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);
86
87         hci_conn_check_pending(hdev);
88 }
89
90 static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev,
91                                           struct sk_buff *skb)
92 {
93         BT_DBG("%s", hdev->name);
94 }
95
96 static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb)
97 {
98         struct hci_rp_role_discovery *rp = (void *) skb->data;
99         struct hci_conn *conn;
100
101         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
102
103         if (rp->status)
104                 return;
105
106         hci_dev_lock(hdev);
107
108         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
109         if (conn)
110                 conn->role = rp->role;
111
112         hci_dev_unlock(hdev);
113 }
114
115 static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
116 {
117         struct hci_rp_read_link_policy *rp = (void *) skb->data;
118         struct hci_conn *conn;
119
120         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
121
122         if (rp->status)
123                 return;
124
125         hci_dev_lock(hdev);
126
127         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
128         if (conn)
129                 conn->link_policy = __le16_to_cpu(rp->policy);
130
131         hci_dev_unlock(hdev);
132 }
133
134 static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
135 {
136         struct hci_rp_write_link_policy *rp = (void *) skb->data;
137         struct hci_conn *conn;
138         void *sent;
139
140         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
141
142         if (rp->status)
143                 return;
144
145         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
146         if (!sent)
147                 return;
148
149         hci_dev_lock(hdev);
150
151         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
152         if (conn)
153                 conn->link_policy = get_unaligned_le16(sent + 2);
154
155         hci_dev_unlock(hdev);
156 }
157
158 static void hci_cc_read_def_link_policy(struct hci_dev *hdev,
159                                         struct sk_buff *skb)
160 {
161         struct hci_rp_read_def_link_policy *rp = (void *) skb->data;
162
163         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
164
165         if (rp->status)
166                 return;
167
168         hdev->link_policy = __le16_to_cpu(rp->policy);
169 }
170
171 static void hci_cc_write_def_link_policy(struct hci_dev *hdev,
172                                          struct sk_buff *skb)
173 {
174         __u8 status = *((__u8 *) skb->data);
175         void *sent;
176
177         BT_DBG("%s status 0x%2.2x", hdev->name, status);
178
179         if (status)
180                 return;
181
182         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
183         if (!sent)
184                 return;
185
186         hdev->link_policy = get_unaligned_le16(sent);
187 }
188
189 static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb)
190 {
191         __u8 status = *((__u8 *) skb->data);
192
193         BT_DBG("%s status 0x%2.2x", hdev->name, status);
194
195         clear_bit(HCI_RESET, &hdev->flags);
196
197         if (status)
198                 return;
199
200         /* Reset all non-persistent flags */
201         hci_dev_clear_volatile_flags(hdev);
202
203         hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
204
205         hdev->inq_tx_power = HCI_TX_POWER_INVALID;
206         hdev->adv_tx_power = HCI_TX_POWER_INVALID;
207
208         memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
209         hdev->adv_data_len = 0;
210
211         memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
212         hdev->scan_rsp_data_len = 0;
213
214         hdev->le_scan_type = LE_SCAN_PASSIVE;
215
216         hdev->ssp_debug_mode = 0;
217
218         hci_bdaddr_list_clear(&hdev->le_white_list);
219 }
220
221 static void hci_cc_read_stored_link_key(struct hci_dev *hdev,
222                                         struct sk_buff *skb)
223 {
224         struct hci_rp_read_stored_link_key *rp = (void *)skb->data;
225         struct hci_cp_read_stored_link_key *sent;
226
227         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
228
229         sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
230         if (!sent)
231                 return;
232
233         if (!rp->status && sent->read_all == 0x01) {
234                 hdev->stored_max_keys = rp->max_keys;
235                 hdev->stored_num_keys = rp->num_keys;
236         }
237 }
238
239 static void hci_cc_delete_stored_link_key(struct hci_dev *hdev,
240                                           struct sk_buff *skb)
241 {
242         struct hci_rp_delete_stored_link_key *rp = (void *)skb->data;
243
244         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
245
246         if (rp->status)
247                 return;
248
249         if (rp->num_keys <= hdev->stored_num_keys)
250                 hdev->stored_num_keys -= rp->num_keys;
251         else
252                 hdev->stored_num_keys = 0;
253 }
254
255 static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb)
256 {
257         __u8 status = *((__u8 *) skb->data);
258         void *sent;
259
260         BT_DBG("%s status 0x%2.2x", hdev->name, status);
261
262         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
263         if (!sent)
264                 return;
265
266         hci_dev_lock(hdev);
267
268         if (hci_dev_test_flag(hdev, HCI_MGMT))
269                 mgmt_set_local_name_complete(hdev, sent, status);
270         else if (!status)
271                 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
272
273         hci_dev_unlock(hdev);
274 }
275
276 static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)
277 {
278         struct hci_rp_read_local_name *rp = (void *) skb->data;
279
280         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
281
282         if (rp->status)
283                 return;
284
285         if (hci_dev_test_flag(hdev, HCI_SETUP) ||
286             hci_dev_test_flag(hdev, HCI_CONFIG))
287                 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
288 }
289
290 static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb)
291 {
292         __u8 status = *((__u8 *) skb->data);
293         void *sent;
294
295         BT_DBG("%s status 0x%2.2x", hdev->name, status);
296
297         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
298         if (!sent)
299                 return;
300
301         hci_dev_lock(hdev);
302
303         if (!status) {
304                 __u8 param = *((__u8 *) sent);
305
306                 if (param == AUTH_ENABLED)
307                         set_bit(HCI_AUTH, &hdev->flags);
308                 else
309                         clear_bit(HCI_AUTH, &hdev->flags);
310         }
311
312         if (hci_dev_test_flag(hdev, HCI_MGMT))
313                 mgmt_auth_enable_complete(hdev, status);
314
315         hci_dev_unlock(hdev);
316 }
317
318 static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb)
319 {
320         __u8 status = *((__u8 *) skb->data);
321         __u8 param;
322         void *sent;
323
324         BT_DBG("%s status 0x%2.2x", hdev->name, status);
325
326         if (status)
327                 return;
328
329         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
330         if (!sent)
331                 return;
332
333         param = *((__u8 *) sent);
334
335         if (param)
336                 set_bit(HCI_ENCRYPT, &hdev->flags);
337         else
338                 clear_bit(HCI_ENCRYPT, &hdev->flags);
339 }
340
341 static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb)
342 {
343         __u8 status = *((__u8 *) skb->data);
344         __u8 param;
345         void *sent;
346
347         BT_DBG("%s status 0x%2.2x", hdev->name, status);
348
349         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
350         if (!sent)
351                 return;
352
353         param = *((__u8 *) sent);
354
355         hci_dev_lock(hdev);
356
357         if (status) {
358                 hdev->discov_timeout = 0;
359                 goto done;
360         }
361
362         if (param & SCAN_INQUIRY)
363                 set_bit(HCI_ISCAN, &hdev->flags);
364         else
365                 clear_bit(HCI_ISCAN, &hdev->flags);
366
367         if (param & SCAN_PAGE)
368                 set_bit(HCI_PSCAN, &hdev->flags);
369         else
370                 clear_bit(HCI_PSCAN, &hdev->flags);
371
372 done:
373         hci_dev_unlock(hdev);
374 }
375
376 static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
377 {
378         struct hci_rp_read_class_of_dev *rp = (void *) skb->data;
379
380         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
381
382         if (rp->status)
383                 return;
384
385         memcpy(hdev->dev_class, rp->dev_class, 3);
386
387         BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name,
388                hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]);
389 }
390
391 static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
392 {
393         __u8 status = *((__u8 *) skb->data);
394         void *sent;
395
396         BT_DBG("%s status 0x%2.2x", hdev->name, status);
397
398         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
399         if (!sent)
400                 return;
401
402         hci_dev_lock(hdev);
403
404         if (status == 0)
405                 memcpy(hdev->dev_class, sent, 3);
406
407         if (hci_dev_test_flag(hdev, HCI_MGMT))
408                 mgmt_set_class_of_dev_complete(hdev, sent, status);
409
410         hci_dev_unlock(hdev);
411 }
412
413 static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb)
414 {
415         struct hci_rp_read_voice_setting *rp = (void *) skb->data;
416         __u16 setting;
417
418         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
419
420         if (rp->status)
421                 return;
422
423         setting = __le16_to_cpu(rp->voice_setting);
424
425         if (hdev->voice_setting == setting)
426                 return;
427
428         hdev->voice_setting = setting;
429
430         BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
431
432         if (hdev->notify)
433                 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
434 }
435
436 static void hci_cc_write_voice_setting(struct hci_dev *hdev,
437                                        struct sk_buff *skb)
438 {
439         __u8 status = *((__u8 *) skb->data);
440         __u16 setting;
441         void *sent;
442
443         BT_DBG("%s status 0x%2.2x", hdev->name, status);
444
445         if (status)
446                 return;
447
448         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
449         if (!sent)
450                 return;
451
452         setting = get_unaligned_le16(sent);
453
454         if (hdev->voice_setting == setting)
455                 return;
456
457         hdev->voice_setting = setting;
458
459         BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
460
461         if (hdev->notify)
462                 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
463 }
464
465 static void hci_cc_read_num_supported_iac(struct hci_dev *hdev,
466                                           struct sk_buff *skb)
467 {
468         struct hci_rp_read_num_supported_iac *rp = (void *) skb->data;
469
470         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
471
472         if (rp->status)
473                 return;
474
475         hdev->num_iac = rp->num_iac;
476
477         BT_DBG("%s num iac %d", hdev->name, hdev->num_iac);
478 }
479
480 static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
481 {
482         __u8 status = *((__u8 *) skb->data);
483         struct hci_cp_write_ssp_mode *sent;
484
485         BT_DBG("%s status 0x%2.2x", hdev->name, status);
486
487         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
488         if (!sent)
489                 return;
490
491         hci_dev_lock(hdev);
492
493         if (!status) {
494                 if (sent->mode)
495                         hdev->features[1][0] |= LMP_HOST_SSP;
496                 else
497                         hdev->features[1][0] &= ~LMP_HOST_SSP;
498         }
499
500         if (hci_dev_test_flag(hdev, HCI_MGMT))
501                 mgmt_ssp_enable_complete(hdev, sent->mode, status);
502         else if (!status) {
503                 if (sent->mode)
504                         hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
505                 else
506                         hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
507         }
508
509         hci_dev_unlock(hdev);
510 }
511
512 static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb)
513 {
514         u8 status = *((u8 *) skb->data);
515         struct hci_cp_write_sc_support *sent;
516
517         BT_DBG("%s status 0x%2.2x", hdev->name, status);
518
519         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
520         if (!sent)
521                 return;
522
523         hci_dev_lock(hdev);
524
525         if (!status) {
526                 if (sent->support)
527                         hdev->features[1][0] |= LMP_HOST_SC;
528                 else
529                         hdev->features[1][0] &= ~LMP_HOST_SC;
530         }
531
532         if (!hci_dev_test_flag(hdev, HCI_MGMT) && !status) {
533                 if (sent->support)
534                         hci_dev_set_flag(hdev, HCI_SC_ENABLED);
535                 else
536                         hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
537         }
538
539         hci_dev_unlock(hdev);
540 }
541
542 static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb)
543 {
544         struct hci_rp_read_local_version *rp = (void *) skb->data;
545
546         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
547
548         if (rp->status)
549                 return;
550
551         if (hci_dev_test_flag(hdev, HCI_SETUP) ||
552             hci_dev_test_flag(hdev, HCI_CONFIG)) {
553                 hdev->hci_ver = rp->hci_ver;
554                 hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
555                 hdev->lmp_ver = rp->lmp_ver;
556                 hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
557                 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
558         }
559 }
560
561 static void hci_cc_read_local_commands(struct hci_dev *hdev,
562                                        struct sk_buff *skb)
563 {
564         struct hci_rp_read_local_commands *rp = (void *) skb->data;
565
566         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
567
568         if (rp->status)
569                 return;
570
571         if (hci_dev_test_flag(hdev, HCI_SETUP) ||
572             hci_dev_test_flag(hdev, HCI_CONFIG))
573                 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
574 }
575
576 static void hci_cc_read_local_features(struct hci_dev *hdev,
577                                        struct sk_buff *skb)
578 {
579         struct hci_rp_read_local_features *rp = (void *) skb->data;
580
581         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
582
583         if (rp->status)
584                 return;
585
586         memcpy(hdev->features, rp->features, 8);
587
588         /* Adjust default settings according to features
589          * supported by device. */
590
591         if (hdev->features[0][0] & LMP_3SLOT)
592                 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
593
594         if (hdev->features[0][0] & LMP_5SLOT)
595                 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
596
597         if (hdev->features[0][1] & LMP_HV2) {
598                 hdev->pkt_type  |= (HCI_HV2);
599                 hdev->esco_type |= (ESCO_HV2);
600         }
601
602         if (hdev->features[0][1] & LMP_HV3) {
603                 hdev->pkt_type  |= (HCI_HV3);
604                 hdev->esco_type |= (ESCO_HV3);
605         }
606
607         if (lmp_esco_capable(hdev))
608                 hdev->esco_type |= (ESCO_EV3);
609
610         if (hdev->features[0][4] & LMP_EV4)
611                 hdev->esco_type |= (ESCO_EV4);
612
613         if (hdev->features[0][4] & LMP_EV5)
614                 hdev->esco_type |= (ESCO_EV5);
615
616         if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
617                 hdev->esco_type |= (ESCO_2EV3);
618
619         if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
620                 hdev->esco_type |= (ESCO_3EV3);
621
622         if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
623                 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
624 }
625
626 static void hci_cc_read_local_ext_features(struct hci_dev *hdev,
627                                            struct sk_buff *skb)
628 {
629         struct hci_rp_read_local_ext_features *rp = (void *) skb->data;
630
631         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
632
633         if (rp->status)
634                 return;
635
636         if (hdev->max_page < rp->max_page)
637                 hdev->max_page = rp->max_page;
638
639         if (rp->page < HCI_MAX_PAGES)
640                 memcpy(hdev->features[rp->page], rp->features, 8);
641 }
642
643 static void hci_cc_read_flow_control_mode(struct hci_dev *hdev,
644                                           struct sk_buff *skb)
645 {
646         struct hci_rp_read_flow_control_mode *rp = (void *) skb->data;
647
648         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
649
650         if (rp->status)
651                 return;
652
653         hdev->flow_ctl_mode = rp->mode;
654 }
655
656 static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)
657 {
658         struct hci_rp_read_buffer_size *rp = (void *) skb->data;
659
660         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
661
662         if (rp->status)
663                 return;
664
665         hdev->acl_mtu  = __le16_to_cpu(rp->acl_mtu);
666         hdev->sco_mtu  = rp->sco_mtu;
667         hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
668         hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
669
670         if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
671                 hdev->sco_mtu  = 64;
672                 hdev->sco_pkts = 8;
673         }
674
675         hdev->acl_cnt = hdev->acl_pkts;
676         hdev->sco_cnt = hdev->sco_pkts;
677
678         BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
679                hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
680 }
681
682 static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb)
683 {
684         struct hci_rp_read_bd_addr *rp = (void *) skb->data;
685
686         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
687
688         if (rp->status)
689                 return;
690
691         if (test_bit(HCI_INIT, &hdev->flags))
692                 bacpy(&hdev->bdaddr, &rp->bdaddr);
693
694         if (hci_dev_test_flag(hdev, HCI_SETUP))
695                 bacpy(&hdev->setup_addr, &rp->bdaddr);
696 }
697
698 static void hci_cc_read_page_scan_activity(struct hci_dev *hdev,
699                                            struct sk_buff *skb)
700 {
701         struct hci_rp_read_page_scan_activity *rp = (void *) skb->data;
702
703         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
704
705         if (rp->status)
706                 return;
707
708         if (test_bit(HCI_INIT, &hdev->flags)) {
709                 hdev->page_scan_interval = __le16_to_cpu(rp->interval);
710                 hdev->page_scan_window = __le16_to_cpu(rp->window);
711         }
712 }
713
714 static void hci_cc_write_page_scan_activity(struct hci_dev *hdev,
715                                             struct sk_buff *skb)
716 {
717         u8 status = *((u8 *) skb->data);
718         struct hci_cp_write_page_scan_activity *sent;
719
720         BT_DBG("%s status 0x%2.2x", hdev->name, status);
721
722         if (status)
723                 return;
724
725         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
726         if (!sent)
727                 return;
728
729         hdev->page_scan_interval = __le16_to_cpu(sent->interval);
730         hdev->page_scan_window = __le16_to_cpu(sent->window);
731 }
732
733 static void hci_cc_read_page_scan_type(struct hci_dev *hdev,
734                                            struct sk_buff *skb)
735 {
736         struct hci_rp_read_page_scan_type *rp = (void *) skb->data;
737
738         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
739
740         if (rp->status)
741                 return;
742
743         if (test_bit(HCI_INIT, &hdev->flags))
744                 hdev->page_scan_type = rp->type;
745 }
746
747 static void hci_cc_write_page_scan_type(struct hci_dev *hdev,
748                                         struct sk_buff *skb)
749 {
750         u8 status = *((u8 *) skb->data);
751         u8 *type;
752
753         BT_DBG("%s status 0x%2.2x", hdev->name, status);
754
755         if (status)
756                 return;
757
758         type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
759         if (type)
760                 hdev->page_scan_type = *type;
761 }
762
763 static void hci_cc_read_data_block_size(struct hci_dev *hdev,
764                                         struct sk_buff *skb)
765 {
766         struct hci_rp_read_data_block_size *rp = (void *) skb->data;
767
768         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
769
770         if (rp->status)
771                 return;
772
773         hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
774         hdev->block_len = __le16_to_cpu(rp->block_len);
775         hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
776
777         hdev->block_cnt = hdev->num_blocks;
778
779         BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
780                hdev->block_cnt, hdev->block_len);
781 }
782
783 static void hci_cc_read_clock(struct hci_dev *hdev, struct sk_buff *skb)
784 {
785         struct hci_rp_read_clock *rp = (void *) skb->data;
786         struct hci_cp_read_clock *cp;
787         struct hci_conn *conn;
788
789         BT_DBG("%s", hdev->name);
790
791         if (skb->len < sizeof(*rp))
792                 return;
793
794         if (rp->status)
795                 return;
796
797         hci_dev_lock(hdev);
798
799         cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
800         if (!cp)
801                 goto unlock;
802
803         if (cp->which == 0x00) {
804                 hdev->clock = le32_to_cpu(rp->clock);
805                 goto unlock;
806         }
807
808         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
809         if (conn) {
810                 conn->clock = le32_to_cpu(rp->clock);
811                 conn->clock_accuracy = le16_to_cpu(rp->accuracy);
812         }
813
814 unlock:
815         hci_dev_unlock(hdev);
816 }
817
818 static void hci_cc_read_local_amp_info(struct hci_dev *hdev,
819                                        struct sk_buff *skb)
820 {
821         struct hci_rp_read_local_amp_info *rp = (void *) skb->data;
822
823         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
824
825         if (rp->status)
826                 goto a2mp_rsp;
827
828         hdev->amp_status = rp->amp_status;
829         hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
830         hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
831         hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
832         hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
833         hdev->amp_type = rp->amp_type;
834         hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
835         hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
836         hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
837         hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
838
839 a2mp_rsp:
840         a2mp_send_getinfo_rsp(hdev);
841 }
842
843 static void hci_cc_read_local_amp_assoc(struct hci_dev *hdev,
844                                         struct sk_buff *skb)
845 {
846         struct hci_rp_read_local_amp_assoc *rp = (void *) skb->data;
847         struct amp_assoc *assoc = &hdev->loc_assoc;
848         size_t rem_len, frag_len;
849
850         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
851
852         if (rp->status)
853                 goto a2mp_rsp;
854
855         frag_len = skb->len - sizeof(*rp);
856         rem_len = __le16_to_cpu(rp->rem_len);
857
858         if (rem_len > frag_len) {
859                 BT_DBG("frag_len %zu rem_len %zu", frag_len, rem_len);
860
861                 memcpy(assoc->data + assoc->offset, rp->frag, frag_len);
862                 assoc->offset += frag_len;
863
864                 /* Read other fragments */
865                 amp_read_loc_assoc_frag(hdev, rp->phy_handle);
866
867                 return;
868         }
869
870         memcpy(assoc->data + assoc->offset, rp->frag, rem_len);
871         assoc->len = assoc->offset + rem_len;
872         assoc->offset = 0;
873
874 a2mp_rsp:
875         /* Send A2MP Rsp when all fragments are received */
876         a2mp_send_getampassoc_rsp(hdev, rp->status);
877         a2mp_send_create_phy_link_req(hdev, rp->status);
878 }
879
880 static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev,
881                                          struct sk_buff *skb)
882 {
883         struct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data;
884
885         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
886
887         if (rp->status)
888                 return;
889
890         hdev->inq_tx_power = rp->tx_power;
891 }
892
893 static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb)
894 {
895         struct hci_rp_pin_code_reply *rp = (void *) skb->data;
896         struct hci_cp_pin_code_reply *cp;
897         struct hci_conn *conn;
898
899         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
900
901         hci_dev_lock(hdev);
902
903         if (hci_dev_test_flag(hdev, HCI_MGMT))
904                 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
905
906         if (rp->status)
907                 goto unlock;
908
909         cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
910         if (!cp)
911                 goto unlock;
912
913         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
914         if (conn)
915                 conn->pin_length = cp->pin_len;
916
917 unlock:
918         hci_dev_unlock(hdev);
919 }
920
921 static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)
922 {
923         struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data;
924
925         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
926
927         hci_dev_lock(hdev);
928
929         if (hci_dev_test_flag(hdev, HCI_MGMT))
930                 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
931                                                  rp->status);
932
933         hci_dev_unlock(hdev);
934 }
935
936 static void hci_cc_le_read_buffer_size(struct hci_dev *hdev,
937                                        struct sk_buff *skb)
938 {
939         struct hci_rp_le_read_buffer_size *rp = (void *) skb->data;
940
941         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
942
943         if (rp->status)
944                 return;
945
946         hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
947         hdev->le_pkts = rp->le_max_pkt;
948
949         hdev->le_cnt = hdev->le_pkts;
950
951         BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
952 }
953
954 static void hci_cc_le_read_local_features(struct hci_dev *hdev,
955                                           struct sk_buff *skb)
956 {
957         struct hci_rp_le_read_local_features *rp = (void *) skb->data;
958
959         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
960
961         if (rp->status)
962                 return;
963
964         memcpy(hdev->le_features, rp->features, 8);
965 }
966
967 static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev,
968                                         struct sk_buff *skb)
969 {
970         struct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data;
971
972         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
973
974         if (rp->status)
975                 return;
976
977         hdev->adv_tx_power = rp->tx_power;
978 }
979
980 static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb)
981 {
982         struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
983
984         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
985
986         hci_dev_lock(hdev);
987
988         if (hci_dev_test_flag(hdev, HCI_MGMT))
989                 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
990                                                  rp->status);
991
992         hci_dev_unlock(hdev);
993 }
994
995 static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev,
996                                           struct sk_buff *skb)
997 {
998         struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
999
1000         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1001
1002         hci_dev_lock(hdev);
1003
1004         if (hci_dev_test_flag(hdev, HCI_MGMT))
1005                 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
1006                                                      ACL_LINK, 0, rp->status);
1007
1008         hci_dev_unlock(hdev);
1009 }
1010
1011 static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb)
1012 {
1013         struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
1014
1015         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1016
1017         hci_dev_lock(hdev);
1018
1019         if (hci_dev_test_flag(hdev, HCI_MGMT))
1020                 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
1021                                                  0, rp->status);
1022
1023         hci_dev_unlock(hdev);
1024 }
1025
1026 static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev,
1027                                           struct sk_buff *skb)
1028 {
1029         struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
1030
1031         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1032
1033         hci_dev_lock(hdev);
1034
1035         if (hci_dev_test_flag(hdev, HCI_MGMT))
1036                 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
1037                                                      ACL_LINK, 0, rp->status);
1038
1039         hci_dev_unlock(hdev);
1040 }
1041
1042 static void hci_cc_read_local_oob_data(struct hci_dev *hdev,
1043                                        struct sk_buff *skb)
1044 {
1045         struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
1046
1047         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1048
1049         hci_dev_lock(hdev);
1050         mgmt_read_local_oob_data_complete(hdev, rp->hash, rp->rand, NULL, NULL,
1051                                           rp->status);
1052         hci_dev_unlock(hdev);
1053 }
1054
1055 static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev,
1056                                            struct sk_buff *skb)
1057 {
1058         struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
1059
1060         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1061
1062         hci_dev_lock(hdev);
1063         mgmt_read_local_oob_data_complete(hdev, rp->hash192, rp->rand192,
1064                                           rp->hash256, rp->rand256,
1065                                           rp->status);
1066         hci_dev_unlock(hdev);
1067 }
1068
1069
1070 static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb)
1071 {
1072         __u8 status = *((__u8 *) skb->data);
1073         bdaddr_t *sent;
1074
1075         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1076
1077         if (status)
1078                 return;
1079
1080         sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1081         if (!sent)
1082                 return;
1083
1084         hci_dev_lock(hdev);
1085
1086         bacpy(&hdev->random_addr, sent);
1087
1088         hci_dev_unlock(hdev);
1089 }
1090
1091 static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb)
1092 {
1093         __u8 *sent, status = *((__u8 *) skb->data);
1094
1095         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1096
1097         if (status)
1098                 return;
1099
1100         sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1101         if (!sent)
1102                 return;
1103
1104         hci_dev_lock(hdev);
1105
1106         /* If we're doing connection initiation as peripheral. Set a
1107          * timeout in case something goes wrong.
1108          */
1109         if (*sent) {
1110                 struct hci_conn *conn;
1111
1112                 hci_dev_set_flag(hdev, HCI_LE_ADV);
1113
1114                 conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT);
1115                 if (conn)
1116                         queue_delayed_work(hdev->workqueue,
1117                                            &conn->le_conn_timeout,
1118                                            conn->conn_timeout);
1119         } else {
1120                 hci_dev_clear_flag(hdev, HCI_LE_ADV);
1121         }
1122
1123         hci_dev_unlock(hdev);
1124 }
1125
1126 static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb)
1127 {
1128         struct hci_cp_le_set_scan_param *cp;
1129         __u8 status = *((__u8 *) skb->data);
1130
1131         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1132
1133         if (status)
1134                 return;
1135
1136         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1137         if (!cp)
1138                 return;
1139
1140         hci_dev_lock(hdev);
1141
1142         hdev->le_scan_type = cp->type;
1143
1144         hci_dev_unlock(hdev);
1145 }
1146
1147 static bool has_pending_adv_report(struct hci_dev *hdev)
1148 {
1149         struct discovery_state *d = &hdev->discovery;
1150
1151         return bacmp(&d->last_adv_addr, BDADDR_ANY);
1152 }
1153
1154 static void clear_pending_adv_report(struct hci_dev *hdev)
1155 {
1156         struct discovery_state *d = &hdev->discovery;
1157
1158         bacpy(&d->last_adv_addr, BDADDR_ANY);
1159         d->last_adv_data_len = 0;
1160 }
1161
1162 static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1163                                      u8 bdaddr_type, s8 rssi, u32 flags,
1164                                      u8 *data, u8 len)
1165 {
1166         struct discovery_state *d = &hdev->discovery;
1167
1168         bacpy(&d->last_adv_addr, bdaddr);
1169         d->last_adv_addr_type = bdaddr_type;
1170         d->last_adv_rssi = rssi;
1171         d->last_adv_flags = flags;
1172         memcpy(d->last_adv_data, data, len);
1173         d->last_adv_data_len = len;
1174 }
1175
1176 static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
1177                                       struct sk_buff *skb)
1178 {
1179         struct hci_cp_le_set_scan_enable *cp;
1180         __u8 status = *((__u8 *) skb->data);
1181
1182         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1183
1184         if (status)
1185                 return;
1186
1187         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1188         if (!cp)
1189                 return;
1190
1191         hci_dev_lock(hdev);
1192
1193         switch (cp->enable) {
1194         case LE_SCAN_ENABLE:
1195                 hci_dev_set_flag(hdev, HCI_LE_SCAN);
1196                 if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1197                         clear_pending_adv_report(hdev);
1198                 break;
1199
1200         case LE_SCAN_DISABLE:
1201                 /* We do this here instead of when setting DISCOVERY_STOPPED
1202                  * since the latter would potentially require waiting for
1203                  * inquiry to stop too.
1204                  */
1205                 if (has_pending_adv_report(hdev)) {
1206                         struct discovery_state *d = &hdev->discovery;
1207
1208                         mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1209                                           d->last_adv_addr_type, NULL,
1210                                           d->last_adv_rssi, d->last_adv_flags,
1211                                           d->last_adv_data,
1212                                           d->last_adv_data_len, NULL, 0);
1213                 }
1214
1215                 /* Cancel this timer so that we don't try to disable scanning
1216                  * when it's already disabled.
1217                  */
1218                 cancel_delayed_work(&hdev->le_scan_disable);
1219
1220                 hci_dev_clear_flag(hdev, HCI_LE_SCAN);
1221
1222                 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1223                  * interrupted scanning due to a connect request. Mark
1224                  * therefore discovery as stopped. If this was not
1225                  * because of a connect request advertising might have
1226                  * been disabled because of active scanning, so
1227                  * re-enable it again if necessary.
1228                  */
1229                 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))
1230                         hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1231                 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) &&
1232                          hdev->discovery.state == DISCOVERY_FINDING)
1233                         mgmt_reenable_advertising(hdev);
1234
1235                 break;
1236
1237         default:
1238                 BT_ERR("Used reserved LE_Scan_Enable param %d", cp->enable);
1239                 break;
1240         }
1241
1242         hci_dev_unlock(hdev);
1243 }
1244
1245 static void hci_cc_le_read_white_list_size(struct hci_dev *hdev,
1246                                            struct sk_buff *skb)
1247 {
1248         struct hci_rp_le_read_white_list_size *rp = (void *) skb->data;
1249
1250         BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1251
1252         if (rp->status)
1253                 return;
1254
1255         hdev->le_white_list_size = rp->size;
1256 }
1257
1258 static void hci_cc_le_clear_white_list(struct hci_dev *hdev,
1259                                        struct sk_buff *skb)
1260 {
1261         __u8 status = *((__u8 *) skb->data);
1262
1263         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1264
1265         if (status)
1266                 return;
1267
1268         hci_bdaddr_list_clear(&hdev->le_white_list);
1269 }
1270
1271 static void hci_cc_le_add_to_white_list(struct hci_dev *hdev,
1272                                         struct sk_buff *skb)
1273 {
1274         struct hci_cp_le_add_to_white_list *sent;
1275         __u8 status = *((__u8 *) skb->data);
1276
1277         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1278
1279         if (status)
1280                 return;
1281
1282         sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_WHITE_LIST);
1283         if (!sent)
1284                 return;
1285
1286         hci_bdaddr_list_add(&hdev->le_white_list, &sent->bdaddr,
1287                            sent->bdaddr_type);
1288 }
1289
1290 static void hci_cc_le_del_from_white_list(struct hci_dev *hdev,
1291                                           struct sk_buff *skb)
1292 {
1293         struct hci_cp_le_del_from_white_list *sent;
1294         __u8 status = *((__u8 *) skb->data);
1295
1296         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1297
1298         if (status)
1299                 return;
1300
1301         sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_WHITE_LIST);
1302         if (!sent)
1303                 return;
1304
1305         hci_bdaddr_list_del(&hdev->le_white_list, &sent->bdaddr,
1306                             sent->bdaddr_type);
1307 }
1308
1309 static void hci_cc_le_read_supported_states(struct hci_dev *hdev,
1310                                             struct sk_buff *skb)
1311 {
1312         struct hci_rp_le_read_supported_states *rp = (void *) skb->data;
1313
1314         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1315
1316         if (rp->status)
1317                 return;
1318
1319         memcpy(hdev->le_states, rp->le_states, 8);
1320 }
1321
1322 static void hci_cc_le_read_def_data_len(struct hci_dev *hdev,
1323                                         struct sk_buff *skb)
1324 {
1325         struct hci_rp_le_read_def_data_len *rp = (void *) skb->data;
1326
1327         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1328
1329         if (rp->status)
1330                 return;
1331
1332         hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
1333         hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
1334 }
1335
1336 static void hci_cc_le_write_def_data_len(struct hci_dev *hdev,
1337                                          struct sk_buff *skb)
1338 {
1339         struct hci_cp_le_write_def_data_len *sent;
1340         __u8 status = *((__u8 *) skb->data);
1341
1342         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1343
1344         if (status)
1345                 return;
1346
1347         sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
1348         if (!sent)
1349                 return;
1350
1351         hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
1352         hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
1353 }
1354
1355 static void hci_cc_le_read_max_data_len(struct hci_dev *hdev,
1356                                         struct sk_buff *skb)
1357 {
1358         struct hci_rp_le_read_max_data_len *rp = (void *) skb->data;
1359
1360         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1361
1362         if (rp->status)
1363                 return;
1364
1365         hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
1366         hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
1367         hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
1368         hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
1369 }
1370
1371 static void hci_cc_write_le_host_supported(struct hci_dev *hdev,
1372                                            struct sk_buff *skb)
1373 {
1374         struct hci_cp_write_le_host_supported *sent;
1375         __u8 status = *((__u8 *) skb->data);
1376
1377         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1378
1379         if (status)
1380                 return;
1381
1382         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
1383         if (!sent)
1384                 return;
1385
1386         hci_dev_lock(hdev);
1387
1388         if (sent->le) {
1389                 hdev->features[1][0] |= LMP_HOST_LE;
1390                 hci_dev_set_flag(hdev, HCI_LE_ENABLED);
1391         } else {
1392                 hdev->features[1][0] &= ~LMP_HOST_LE;
1393                 hci_dev_clear_flag(hdev, HCI_LE_ENABLED);
1394                 hci_dev_clear_flag(hdev, HCI_ADVERTISING);
1395         }
1396
1397         if (sent->simul)
1398                 hdev->features[1][0] |= LMP_HOST_LE_BREDR;
1399         else
1400                 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
1401
1402         hci_dev_unlock(hdev);
1403 }
1404
1405 static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1406 {
1407         struct hci_cp_le_set_adv_param *cp;
1408         u8 status = *((u8 *) skb->data);
1409
1410         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1411
1412         if (status)
1413                 return;
1414
1415         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
1416         if (!cp)
1417                 return;
1418
1419         hci_dev_lock(hdev);
1420         hdev->adv_addr_type = cp->own_address_type;
1421         hci_dev_unlock(hdev);
1422 }
1423
1424 static void hci_cc_write_remote_amp_assoc(struct hci_dev *hdev,
1425                                           struct sk_buff *skb)
1426 {
1427         struct hci_rp_write_remote_amp_assoc *rp = (void *) skb->data;
1428
1429         BT_DBG("%s status 0x%2.2x phy_handle 0x%2.2x",
1430                hdev->name, rp->status, rp->phy_handle);
1431
1432         if (rp->status)
1433                 return;
1434
1435         amp_write_rem_assoc_continue(hdev, rp->phy_handle);
1436 }
1437
1438 static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb)
1439 {
1440         struct hci_rp_read_rssi *rp = (void *) skb->data;
1441         struct hci_conn *conn;
1442
1443         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1444
1445         if (rp->status)
1446                 return;
1447
1448         hci_dev_lock(hdev);
1449
1450         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1451         if (conn)
1452                 conn->rssi = rp->rssi;
1453
1454         hci_dev_unlock(hdev);
1455 }
1456
1457 static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb)
1458 {
1459         struct hci_cp_read_tx_power *sent;
1460         struct hci_rp_read_tx_power *rp = (void *) skb->data;
1461         struct hci_conn *conn;
1462
1463         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1464
1465         if (rp->status)
1466                 return;
1467
1468         sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
1469         if (!sent)
1470                 return;
1471
1472         hci_dev_lock(hdev);
1473
1474         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1475         if (!conn)
1476                 goto unlock;
1477
1478         switch (sent->type) {
1479         case 0x00:
1480                 conn->tx_power = rp->tx_power;
1481                 break;
1482         case 0x01:
1483                 conn->max_tx_power = rp->tx_power;
1484                 break;
1485         }
1486
1487 unlock:
1488         hci_dev_unlock(hdev);
1489 }
1490
1491 static void hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, struct sk_buff *skb)
1492 {
1493         u8 status = *((u8 *) skb->data);
1494         u8 *mode;
1495
1496         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1497
1498         if (status)
1499                 return;
1500
1501         mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);
1502         if (mode)
1503                 hdev->ssp_debug_mode = *mode;
1504 }
1505
1506 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
1507 {
1508         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1509
1510         if (status) {
1511                 hci_conn_check_pending(hdev);
1512                 return;
1513         }
1514
1515         set_bit(HCI_INQUIRY, &hdev->flags);
1516 }
1517
1518 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
1519 {
1520         struct hci_cp_create_conn *cp;
1521         struct hci_conn *conn;
1522
1523         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1524
1525         cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
1526         if (!cp)
1527                 return;
1528
1529         hci_dev_lock(hdev);
1530
1531         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1532
1533         BT_DBG("%s bdaddr %pMR hcon %p", hdev->name, &cp->bdaddr, conn);
1534
1535         if (status) {
1536                 if (conn && conn->state == BT_CONNECT) {
1537                         if (status != 0x0c || conn->attempt > 2) {
1538                                 conn->state = BT_CLOSED;
1539                                 hci_connect_cfm(conn, status);
1540                                 hci_conn_del(conn);
1541                         } else
1542                                 conn->state = BT_CONNECT2;
1543                 }
1544         } else {
1545                 if (!conn) {
1546                         conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr,
1547                                             HCI_ROLE_MASTER);
1548                         if (!conn)
1549                                 BT_ERR("No memory for new connection");
1550                 }
1551         }
1552
1553         hci_dev_unlock(hdev);
1554 }
1555
1556 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
1557 {
1558         struct hci_cp_add_sco *cp;
1559         struct hci_conn *acl, *sco;
1560         __u16 handle;
1561
1562         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1563
1564         if (!status)
1565                 return;
1566
1567         cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
1568         if (!cp)
1569                 return;
1570
1571         handle = __le16_to_cpu(cp->handle);
1572
1573         BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1574
1575         hci_dev_lock(hdev);
1576
1577         acl = hci_conn_hash_lookup_handle(hdev, handle);
1578         if (acl) {
1579                 sco = acl->link;
1580                 if (sco) {
1581                         sco->state = BT_CLOSED;
1582
1583                         hci_connect_cfm(sco, status);
1584                         hci_conn_del(sco);
1585                 }
1586         }
1587
1588         hci_dev_unlock(hdev);
1589 }
1590
1591 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
1592 {
1593         struct hci_cp_auth_requested *cp;
1594         struct hci_conn *conn;
1595
1596         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1597
1598         if (!status)
1599                 return;
1600
1601         cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
1602         if (!cp)
1603                 return;
1604
1605         hci_dev_lock(hdev);
1606
1607         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1608         if (conn) {
1609                 if (conn->state == BT_CONFIG) {
1610                         hci_connect_cfm(conn, status);
1611                         hci_conn_drop(conn);
1612                 }
1613         }
1614
1615         hci_dev_unlock(hdev);
1616 }
1617
1618 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
1619 {
1620         struct hci_cp_set_conn_encrypt *cp;
1621         struct hci_conn *conn;
1622
1623         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1624
1625         if (!status)
1626                 return;
1627
1628         cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
1629         if (!cp)
1630                 return;
1631
1632         hci_dev_lock(hdev);
1633
1634         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1635         if (conn) {
1636                 if (conn->state == BT_CONFIG) {
1637                         hci_connect_cfm(conn, status);
1638                         hci_conn_drop(conn);
1639                 }
1640         }
1641
1642         hci_dev_unlock(hdev);
1643 }
1644
1645 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
1646                                     struct hci_conn *conn)
1647 {
1648         if (conn->state != BT_CONFIG || !conn->out)
1649                 return 0;
1650
1651         if (conn->pending_sec_level == BT_SECURITY_SDP)
1652                 return 0;
1653
1654         /* Only request authentication for SSP connections or non-SSP
1655          * devices with sec_level MEDIUM or HIGH or if MITM protection
1656          * is requested.
1657          */
1658         if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
1659             conn->pending_sec_level != BT_SECURITY_FIPS &&
1660             conn->pending_sec_level != BT_SECURITY_HIGH &&
1661             conn->pending_sec_level != BT_SECURITY_MEDIUM)
1662                 return 0;
1663
1664         return 1;
1665 }
1666
1667 static int hci_resolve_name(struct hci_dev *hdev,
1668                                    struct inquiry_entry *e)
1669 {
1670         struct hci_cp_remote_name_req cp;
1671
1672         memset(&cp, 0, sizeof(cp));
1673
1674         bacpy(&cp.bdaddr, &e->data.bdaddr);
1675         cp.pscan_rep_mode = e->data.pscan_rep_mode;
1676         cp.pscan_mode = e->data.pscan_mode;
1677         cp.clock_offset = e->data.clock_offset;
1678
1679         return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
1680 }
1681
1682 static bool hci_resolve_next_name(struct hci_dev *hdev)
1683 {
1684         struct discovery_state *discov = &hdev->discovery;
1685         struct inquiry_entry *e;
1686
1687         if (list_empty(&discov->resolve))
1688                 return false;
1689
1690         e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
1691         if (!e)
1692                 return false;
1693
1694         if (hci_resolve_name(hdev, e) == 0) {
1695                 e->name_state = NAME_PENDING;
1696                 return true;
1697         }
1698
1699         return false;
1700 }
1701
1702 static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
1703                                    bdaddr_t *bdaddr, u8 *name, u8 name_len)
1704 {
1705         struct discovery_state *discov = &hdev->discovery;
1706         struct inquiry_entry *e;
1707
1708         /* Update the mgmt connected state if necessary. Be careful with
1709          * conn objects that exist but are not (yet) connected however.
1710          * Only those in BT_CONFIG or BT_CONNECTED states can be
1711          * considered connected.
1712          */
1713         if (conn &&
1714             (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) &&
1715             !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
1716                 mgmt_device_connected(hdev, conn, 0, name, name_len);
1717
1718         if (discov->state == DISCOVERY_STOPPED)
1719                 return;
1720
1721         if (discov->state == DISCOVERY_STOPPING)
1722                 goto discov_complete;
1723
1724         if (discov->state != DISCOVERY_RESOLVING)
1725                 return;
1726
1727         e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
1728         /* If the device was not found in a list of found devices names of which
1729          * are pending. there is no need to continue resolving a next name as it
1730          * will be done upon receiving another Remote Name Request Complete
1731          * Event */
1732         if (!e)
1733                 return;
1734
1735         list_del(&e->list);
1736         if (name) {
1737                 e->name_state = NAME_KNOWN;
1738                 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,
1739                                  e->data.rssi, name, name_len);
1740         } else {
1741                 e->name_state = NAME_NOT_KNOWN;
1742         }
1743
1744         if (hci_resolve_next_name(hdev))
1745                 return;
1746
1747 discov_complete:
1748         hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1749 }
1750
1751 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
1752 {
1753         struct hci_cp_remote_name_req *cp;
1754         struct hci_conn *conn;
1755
1756         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1757
1758         /* If successful wait for the name req complete event before
1759          * checking for the need to do authentication */
1760         if (!status)
1761                 return;
1762
1763         cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
1764         if (!cp)
1765                 return;
1766
1767         hci_dev_lock(hdev);
1768
1769         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1770
1771         if (hci_dev_test_flag(hdev, HCI_MGMT))
1772                 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
1773
1774         if (!conn)
1775                 goto unlock;
1776
1777         if (!hci_outgoing_auth_needed(hdev, conn))
1778                 goto unlock;
1779
1780         if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
1781                 struct hci_cp_auth_requested auth_cp;
1782
1783                 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
1784
1785                 auth_cp.handle = __cpu_to_le16(conn->handle);
1786                 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
1787                              sizeof(auth_cp), &auth_cp);
1788         }
1789
1790 unlock:
1791         hci_dev_unlock(hdev);
1792 }
1793
1794 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
1795 {
1796         struct hci_cp_read_remote_features *cp;
1797         struct hci_conn *conn;
1798
1799         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1800
1801         if (!status)
1802                 return;
1803
1804         cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
1805         if (!cp)
1806                 return;
1807
1808         hci_dev_lock(hdev);
1809
1810         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1811         if (conn) {
1812                 if (conn->state == BT_CONFIG) {
1813                         hci_connect_cfm(conn, status);
1814                         hci_conn_drop(conn);
1815                 }
1816         }
1817
1818         hci_dev_unlock(hdev);
1819 }
1820
1821 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
1822 {
1823         struct hci_cp_read_remote_ext_features *cp;
1824         struct hci_conn *conn;
1825
1826         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1827
1828         if (!status)
1829                 return;
1830
1831         cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
1832         if (!cp)
1833                 return;
1834
1835         hci_dev_lock(hdev);
1836
1837         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1838         if (conn) {
1839                 if (conn->state == BT_CONFIG) {
1840                         hci_connect_cfm(conn, status);
1841                         hci_conn_drop(conn);
1842                 }
1843         }
1844
1845         hci_dev_unlock(hdev);
1846 }
1847
1848 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
1849 {
1850         struct hci_cp_setup_sync_conn *cp;
1851         struct hci_conn *acl, *sco;
1852         __u16 handle;
1853
1854         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1855
1856         if (!status)
1857                 return;
1858
1859         cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
1860         if (!cp)
1861                 return;
1862
1863         handle = __le16_to_cpu(cp->handle);
1864
1865         BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1866
1867         hci_dev_lock(hdev);
1868
1869         acl = hci_conn_hash_lookup_handle(hdev, handle);
1870         if (acl) {
1871                 sco = acl->link;
1872                 if (sco) {
1873                         sco->state = BT_CLOSED;
1874
1875                         hci_connect_cfm(sco, status);
1876                         hci_conn_del(sco);
1877                 }
1878         }
1879
1880         hci_dev_unlock(hdev);
1881 }
1882
1883 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
1884 {
1885         struct hci_cp_sniff_mode *cp;
1886         struct hci_conn *conn;
1887
1888         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1889
1890         if (!status)
1891                 return;
1892
1893         cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
1894         if (!cp)
1895                 return;
1896
1897         hci_dev_lock(hdev);
1898
1899         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1900         if (conn) {
1901                 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
1902
1903                 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
1904                         hci_sco_setup(conn, status);
1905         }
1906
1907         hci_dev_unlock(hdev);
1908 }
1909
1910 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
1911 {
1912         struct hci_cp_exit_sniff_mode *cp;
1913         struct hci_conn *conn;
1914
1915         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1916
1917         if (!status)
1918                 return;
1919
1920         cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
1921         if (!cp)
1922                 return;
1923
1924         hci_dev_lock(hdev);
1925
1926         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1927         if (conn) {
1928                 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
1929
1930                 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
1931                         hci_sco_setup(conn, status);
1932         }
1933
1934         hci_dev_unlock(hdev);
1935 }
1936
1937 static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
1938 {
1939         struct hci_cp_disconnect *cp;
1940         struct hci_conn *conn;
1941
1942         if (!status)
1943                 return;
1944
1945         cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
1946         if (!cp)
1947                 return;
1948
1949         hci_dev_lock(hdev);
1950
1951         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1952         if (conn)
1953                 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
1954                                        conn->dst_type, status);
1955
1956         hci_dev_unlock(hdev);
1957 }
1958
1959 static void hci_cs_create_phylink(struct hci_dev *hdev, u8 status)
1960 {
1961         struct hci_cp_create_phy_link *cp;
1962
1963         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1964
1965         cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_PHY_LINK);
1966         if (!cp)
1967                 return;
1968
1969         hci_dev_lock(hdev);
1970
1971         if (status) {
1972                 struct hci_conn *hcon;
1973
1974                 hcon = hci_conn_hash_lookup_handle(hdev, cp->phy_handle);
1975                 if (hcon)
1976                         hci_conn_del(hcon);
1977         } else {
1978                 amp_write_remote_assoc(hdev, cp->phy_handle);
1979         }
1980
1981         hci_dev_unlock(hdev);
1982 }
1983
1984 static void hci_cs_accept_phylink(struct hci_dev *hdev, u8 status)
1985 {
1986         struct hci_cp_accept_phy_link *cp;
1987
1988         BT_DBG("%s status 0x%2.2x", hdev->name, status);
1989
1990         if (status)
1991                 return;
1992
1993         cp = hci_sent_cmd_data(hdev, HCI_OP_ACCEPT_PHY_LINK);
1994         if (!cp)
1995                 return;
1996
1997         amp_write_remote_assoc(hdev, cp->phy_handle);
1998 }
1999
2000 static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
2001 {
2002         struct hci_cp_le_create_conn *cp;
2003         struct hci_conn *conn;
2004
2005         BT_DBG("%s status 0x%2.2x", hdev->name, status);
2006
2007         /* All connection failure handling is taken care of by the
2008          * hci_le_conn_failed function which is triggered by the HCI
2009          * request completion callbacks used for connecting.
2010          */
2011         if (status)
2012                 return;
2013
2014         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
2015         if (!cp)
2016                 return;
2017
2018         hci_dev_lock(hdev);
2019
2020         conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->peer_addr);
2021         if (!conn)
2022                 goto unlock;
2023
2024         /* Store the initiator and responder address information which
2025          * is needed for SMP. These values will not change during the
2026          * lifetime of the connection.
2027          */
2028         conn->init_addr_type = cp->own_address_type;
2029         if (cp->own_address_type == ADDR_LE_DEV_RANDOM)
2030                 bacpy(&conn->init_addr, &hdev->random_addr);
2031         else
2032                 bacpy(&conn->init_addr, &hdev->bdaddr);
2033
2034         conn->resp_addr_type = cp->peer_addr_type;
2035         bacpy(&conn->resp_addr, &cp->peer_addr);
2036
2037         /* We don't want the connection attempt to stick around
2038          * indefinitely since LE doesn't have a page timeout concept
2039          * like BR/EDR. Set a timer for any connection that doesn't use
2040          * the white list for connecting.
2041          */
2042         if (cp->filter_policy == HCI_LE_USE_PEER_ADDR)
2043                 queue_delayed_work(conn->hdev->workqueue,
2044                                    &conn->le_conn_timeout,
2045                                    conn->conn_timeout);
2046
2047 unlock:
2048         hci_dev_unlock(hdev);
2049 }
2050
2051 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
2052 {
2053         struct hci_cp_le_start_enc *cp;
2054         struct hci_conn *conn;
2055
2056         BT_DBG("%s status 0x%2.2x", hdev->name, status);
2057
2058         if (!status)
2059                 return;
2060
2061         hci_dev_lock(hdev);
2062
2063         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
2064         if (!cp)
2065                 goto unlock;
2066
2067         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2068         if (!conn)
2069                 goto unlock;
2070
2071         if (conn->state != BT_CONNECTED)
2072                 goto unlock;
2073
2074         hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2075         hci_conn_drop(conn);
2076
2077 unlock:
2078         hci_dev_unlock(hdev);
2079 }
2080
2081 static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
2082 {
2083         struct hci_cp_switch_role *cp;
2084         struct hci_conn *conn;
2085
2086         BT_DBG("%s status 0x%2.2x", hdev->name, status);
2087
2088         if (!status)
2089                 return;
2090
2091         cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
2092         if (!cp)
2093                 return;
2094
2095         hci_dev_lock(hdev);
2096
2097         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2098         if (conn)
2099                 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
2100
2101         hci_dev_unlock(hdev);
2102 }
2103
2104 static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2105 {
2106         __u8 status = *((__u8 *) skb->data);
2107         struct discovery_state *discov = &hdev->discovery;
2108         struct inquiry_entry *e;
2109
2110         BT_DBG("%s status 0x%2.2x", hdev->name, status);
2111
2112         hci_conn_check_pending(hdev);
2113
2114         if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
2115                 return;
2116
2117         smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
2118         wake_up_bit(&hdev->flags, HCI_INQUIRY);
2119
2120         if (!hci_dev_test_flag(hdev, HCI_MGMT))
2121                 return;
2122
2123         hci_dev_lock(hdev);
2124
2125         if (discov->state != DISCOVERY_FINDING)
2126                 goto unlock;
2127
2128         if (list_empty(&discov->resolve)) {
2129                 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2130                 goto unlock;
2131         }
2132
2133         e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2134         if (e && hci_resolve_name(hdev, e) == 0) {
2135                 e->name_state = NAME_PENDING;
2136                 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
2137         } else {
2138                 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2139         }
2140
2141 unlock:
2142         hci_dev_unlock(hdev);
2143 }
2144
2145 static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
2146 {
2147         struct inquiry_data data;
2148         struct inquiry_info *info = (void *) (skb->data + 1);
2149         int num_rsp = *((__u8 *) skb->data);
2150
2151         BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
2152
2153         if (!num_rsp)
2154                 return;
2155
2156         if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
2157                 return;
2158
2159         hci_dev_lock(hdev);
2160
2161         for (; num_rsp; num_rsp--, info++) {
2162                 u32 flags;
2163
2164                 bacpy(&data.bdaddr, &info->bdaddr);
2165                 data.pscan_rep_mode     = info->pscan_rep_mode;
2166                 data.pscan_period_mode  = info->pscan_period_mode;
2167                 data.pscan_mode         = info->pscan_mode;
2168                 memcpy(data.dev_class, info->dev_class, 3);
2169                 data.clock_offset       = info->clock_offset;
2170                 data.rssi               = HCI_RSSI_INVALID;
2171                 data.ssp_mode           = 0x00;
2172
2173                 flags = hci_inquiry_cache_update(hdev, &data, false);
2174
2175                 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
2176                                   info->dev_class, HCI_RSSI_INVALID,
2177                                   flags, NULL, 0, NULL, 0);
2178         }
2179
2180         hci_dev_unlock(hdev);
2181 }
2182
2183 static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2184 {
2185         struct hci_ev_conn_complete *ev = (void *) skb->data;
2186         struct hci_conn *conn;
2187
2188         BT_DBG("%s", hdev->name);
2189
2190         hci_dev_lock(hdev);
2191
2192         conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
2193         if (!conn) {
2194                 if (ev->link_type != SCO_LINK)
2195                         goto unlock;
2196
2197                 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
2198                 if (!conn)
2199                         goto unlock;
2200
2201                 conn->type = SCO_LINK;
2202         }
2203
2204         if (!ev->status) {
2205                 conn->handle = __le16_to_cpu(ev->handle);
2206
2207                 if (conn->type == ACL_LINK) {
2208                         conn->state = BT_CONFIG;
2209                         hci_conn_hold(conn);
2210
2211                         if (!conn->out && !hci_conn_ssp_enabled(conn) &&
2212                             !hci_find_link_key(hdev, &ev->bdaddr))
2213                                 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
2214                         else
2215                                 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2216                 } else
2217                         conn->state = BT_CONNECTED;
2218
2219                 hci_debugfs_create_conn(conn);
2220                 hci_conn_add_sysfs(conn);
2221
2222                 if (test_bit(HCI_AUTH, &hdev->flags))
2223                         set_bit(HCI_CONN_AUTH, &conn->flags);
2224
2225                 if (test_bit(HCI_ENCRYPT, &hdev->flags))
2226                         set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2227
2228                 /* Get remote features */
2229                 if (conn->type == ACL_LINK) {
2230                         struct hci_cp_read_remote_features cp;
2231                         cp.handle = ev->handle;
2232                         hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
2233                                      sizeof(cp), &cp);
2234
2235                         hci_update_page_scan(hdev);
2236                 }
2237
2238                 /* Set packet type for incoming connection */
2239                 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
2240                         struct hci_cp_change_conn_ptype cp;
2241                         cp.handle = ev->handle;
2242                         cp.pkt_type = cpu_to_le16(conn->pkt_type);
2243                         hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
2244                                      &cp);
2245                 }
2246         } else {
2247                 conn->state = BT_CLOSED;
2248                 if (conn->type == ACL_LINK)
2249                         mgmt_connect_failed(hdev, &conn->dst, conn->type,
2250                                             conn->dst_type, ev->status);
2251         }
2252
2253         if (conn->type == ACL_LINK)
2254                 hci_sco_setup(conn, ev->status);
2255
2256         if (ev->status) {
2257                 hci_connect_cfm(conn, ev->status);
2258                 hci_conn_del(conn);
2259         } else if (ev->link_type != ACL_LINK)
2260                 hci_connect_cfm(conn, ev->status);
2261
2262 unlock:
2263         hci_dev_unlock(hdev);
2264
2265         hci_conn_check_pending(hdev);
2266 }
2267
2268 static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
2269 {
2270         struct hci_cp_reject_conn_req cp;
2271
2272         bacpy(&cp.bdaddr, bdaddr);
2273         cp.reason = HCI_ERROR_REJ_BAD_ADDR;
2274         hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
2275 }
2276
2277 static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2278 {
2279         struct hci_ev_conn_request *ev = (void *) skb->data;
2280         int mask = hdev->link_mode;
2281         struct inquiry_entry *ie;
2282         struct hci_conn *conn;
2283         __u8 flags = 0;
2284
2285         BT_DBG("%s bdaddr %pMR type 0x%x", hdev->name, &ev->bdaddr,
2286                ev->link_type);
2287
2288         mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
2289                                       &flags);
2290
2291         if (!(mask & HCI_LM_ACCEPT)) {
2292                 hci_reject_conn(hdev, &ev->bdaddr);
2293                 return;
2294         }
2295
2296         if (hci_bdaddr_list_lookup(&hdev->blacklist, &ev->bdaddr,
2297                                    BDADDR_BREDR)) {
2298                 hci_reject_conn(hdev, &ev->bdaddr);
2299                 return;
2300         }
2301
2302         /* Require HCI_CONNECTABLE or a whitelist entry to accept the
2303          * connection. These features are only touched through mgmt so
2304          * only do the checks if HCI_MGMT is set.
2305          */
2306         if (hci_dev_test_flag(hdev, HCI_MGMT) &&
2307             !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
2308             !hci_bdaddr_list_lookup(&hdev->whitelist, &ev->bdaddr,
2309                                     BDADDR_BREDR)) {
2310                     hci_reject_conn(hdev, &ev->bdaddr);
2311                     return;
2312         }
2313
2314         /* Connection accepted */
2315
2316         hci_dev_lock(hdev);
2317
2318         ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
2319         if (ie)
2320                 memcpy(ie->data.dev_class, ev->dev_class, 3);
2321
2322         conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
2323                         &ev->bdaddr);
2324         if (!conn) {
2325                 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,
2326                                     HCI_ROLE_SLAVE);
2327                 if (!conn) {
2328                         BT_ERR("No memory for new connection");
2329                         hci_dev_unlock(hdev);
2330                         return;
2331                 }
2332         }
2333
2334         memcpy(conn->dev_class, ev->dev_class, 3);
2335
2336         hci_dev_unlock(hdev);
2337
2338         if (ev->link_type == ACL_LINK ||
2339             (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
2340                 struct hci_cp_accept_conn_req cp;
2341                 conn->state = BT_CONNECT;
2342
2343                 bacpy(&cp.bdaddr, &ev->bdaddr);
2344
2345                 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
2346                         cp.role = 0x00; /* Become master */
2347                 else
2348                         cp.role = 0x01; /* Remain slave */
2349
2350                 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
2351         } else if (!(flags & HCI_PROTO_DEFER)) {
2352                 struct hci_cp_accept_sync_conn_req cp;
2353                 conn->state = BT_CONNECT;
2354
2355                 bacpy(&cp.bdaddr, &ev->bdaddr);
2356                 cp.pkt_type = cpu_to_le16(conn->pkt_type);
2357
2358                 cp.tx_bandwidth   = cpu_to_le32(0x00001f40);
2359                 cp.rx_bandwidth   = cpu_to_le32(0x00001f40);
2360                 cp.max_latency    = cpu_to_le16(0xffff);
2361                 cp.content_format = cpu_to_le16(hdev->voice_setting);
2362                 cp.retrans_effort = 0xff;
2363
2364                 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
2365                              &cp);
2366         } else {
2367                 conn->state = BT_CONNECT2;
2368                 hci_connect_cfm(conn, 0);
2369         }
2370 }
2371
2372 static u8 hci_to_mgmt_reason(u8 err)
2373 {
2374         switch (err) {
2375         case HCI_ERROR_CONNECTION_TIMEOUT:
2376                 return MGMT_DEV_DISCONN_TIMEOUT;
2377         case HCI_ERROR_REMOTE_USER_TERM:
2378         case HCI_ERROR_REMOTE_LOW_RESOURCES:
2379         case HCI_ERROR_REMOTE_POWER_OFF:
2380                 return MGMT_DEV_DISCONN_REMOTE;
2381         case HCI_ERROR_LOCAL_HOST_TERM:
2382                 return MGMT_DEV_DISCONN_LOCAL_HOST;
2383         default:
2384                 return MGMT_DEV_DISCONN_UNKNOWN;
2385         }
2386 }
2387
2388 static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2389 {
2390         struct hci_ev_disconn_complete *ev = (void *) skb->data;
2391         u8 reason = hci_to_mgmt_reason(ev->reason);
2392         struct hci_conn_params *params;
2393         struct hci_conn *conn;
2394         bool mgmt_connected;
2395         u8 type;
2396
2397         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2398
2399         hci_dev_lock(hdev);
2400
2401         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2402         if (!conn)
2403                 goto unlock;
2404
2405         if (ev->status) {
2406                 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2407                                        conn->dst_type, ev->status);
2408                 goto unlock;
2409         }
2410
2411         conn->state = BT_CLOSED;
2412
2413         mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2414         mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2415                                 reason, mgmt_connected);
2416
2417         if (conn->type == ACL_LINK) {
2418                 if (test_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2419                         hci_remove_link_key(hdev, &conn->dst);
2420
2421                 hci_update_page_scan(hdev);
2422         }
2423
2424         params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2425         if (params) {
2426                 switch (params->auto_connect) {
2427                 case HCI_AUTO_CONN_LINK_LOSS:
2428                         if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2429                                 break;
2430                         /* Fall through */
2431
2432                 case HCI_AUTO_CONN_DIRECT:
2433                 case HCI_AUTO_CONN_ALWAYS:
2434                         list_del_init(&params->action);
2435                         list_add(&params->action, &hdev->pend_le_conns);
2436                         hci_update_background_scan(hdev);
2437                         break;
2438
2439                 default:
2440                         break;
2441                 }
2442         }
2443
2444         type = conn->type;
2445
2446         hci_disconn_cfm(conn, ev->reason);
2447         hci_conn_del(conn);
2448
2449         /* Re-enable advertising if necessary, since it might
2450          * have been disabled by the connection. From the
2451          * HCI_LE_Set_Advertise_Enable command description in
2452          * the core specification (v4.0):
2453          * "The Controller shall continue advertising until the Host
2454          * issues an LE_Set_Advertise_Enable command with
2455          * Advertising_Enable set to 0x00 (Advertising is disabled)
2456          * or until a connection is created or until the Advertising
2457          * is timed out due to Directed Advertising."
2458          */
2459         if (type == LE_LINK)
2460                 mgmt_reenable_advertising(hdev);
2461
2462 unlock:
2463         hci_dev_unlock(hdev);
2464 }
2465
2466 static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2467 {
2468         struct hci_ev_auth_complete *ev = (void *) skb->data;
2469         struct hci_conn *conn;
2470
2471         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2472
2473         hci_dev_lock(hdev);
2474
2475         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2476         if (!conn)
2477                 goto unlock;
2478
2479         if (!ev->status) {
2480                 if (!hci_conn_ssp_enabled(conn) &&
2481                     test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) {
2482                         BT_INFO("re-auth of legacy device is not possible.");
2483                 } else {
2484                         set_bit(HCI_CONN_AUTH, &conn->flags);
2485                         conn->sec_level = conn->pending_sec_level;
2486                 }
2487         } else {
2488                 mgmt_auth_failed(conn, ev->status);
2489         }
2490
2491         clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2492         clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
2493
2494         if (conn->state == BT_CONFIG) {
2495                 if (!ev->status && hci_conn_ssp_enabled(conn)) {
2496                         struct hci_cp_set_conn_encrypt cp;
2497                         cp.handle  = ev->handle;
2498                         cp.encrypt = 0x01;
2499                         hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2500                                      &cp);
2501                 } else {
2502                         conn->state = BT_CONNECTED;
2503                         hci_connect_cfm(conn, ev->status);
2504                         hci_conn_drop(conn);
2505                 }
2506         } else {
2507                 hci_auth_cfm(conn, ev->status);
2508
2509                 hci_conn_hold(conn);
2510                 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2511                 hci_conn_drop(conn);
2512         }
2513
2514         if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
2515                 if (!ev->status) {
2516                         struct hci_cp_set_conn_encrypt cp;
2517                         cp.handle  = ev->handle;
2518                         cp.encrypt = 0x01;
2519                         hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
2520                                      &cp);
2521                 } else {
2522                         clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2523                         hci_encrypt_cfm(conn, ev->status, 0x00);
2524                 }
2525         }
2526
2527 unlock:
2528         hci_dev_unlock(hdev);
2529 }
2530
2531 static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb)
2532 {
2533         struct hci_ev_remote_name *ev = (void *) skb->data;
2534         struct hci_conn *conn;
2535
2536         BT_DBG("%s", hdev->name);
2537
2538         hci_conn_check_pending(hdev);
2539
2540         hci_dev_lock(hdev);
2541
2542         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2543
2544         if (!hci_dev_test_flag(hdev, HCI_MGMT))
2545                 goto check_auth;
2546
2547         if (ev->status == 0)
2548                 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
2549                                        strnlen(ev->name, HCI_MAX_NAME_LENGTH));
2550         else
2551                 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
2552
2553 check_auth:
2554         if (!conn)
2555                 goto unlock;
2556
2557         if (!hci_outgoing_auth_needed(hdev, conn))
2558                 goto unlock;
2559
2560         if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2561                 struct hci_cp_auth_requested cp;
2562
2563                 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2564
2565                 cp.handle = __cpu_to_le16(conn->handle);
2566                 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
2567         }
2568
2569 unlock:
2570         hci_dev_unlock(hdev);
2571 }
2572
2573 static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2574 {
2575         struct hci_ev_encrypt_change *ev = (void *) skb->data;
2576         struct hci_conn *conn;
2577
2578         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2579
2580         hci_dev_lock(hdev);
2581
2582         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2583         if (!conn)
2584                 goto unlock;
2585
2586         if (!ev->status) {
2587                 if (ev->encrypt) {
2588                         /* Encryption implies authentication */
2589                         set_bit(HCI_CONN_AUTH, &conn->flags);
2590                         set_bit(HCI_CONN_ENCRYPT, &conn->flags);
2591                         conn->sec_level = conn->pending_sec_level;
2592
2593                         /* P-256 authentication key implies FIPS */
2594                         if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
2595                                 set_bit(HCI_CONN_FIPS, &conn->flags);
2596
2597                         if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
2598                             conn->type == LE_LINK)
2599                                 set_bit(HCI_CONN_AES_CCM, &conn->flags);
2600                 } else {
2601                         clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
2602                         clear_bit(HCI_CONN_AES_CCM, &conn->flags);
2603                 }
2604         }
2605
2606         /* We should disregard the current RPA and generate a new one
2607          * whenever the encryption procedure fails.
2608          */
2609         if (ev->status && conn->type == LE_LINK)
2610                 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
2611
2612         clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2613
2614         if (ev->status && conn->state == BT_CONNECTED) {
2615                 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2616                 hci_conn_drop(conn);
2617                 goto unlock;
2618         }
2619
2620         if (conn->state == BT_CONFIG) {
2621                 if (!ev->status)
2622                         conn->state = BT_CONNECTED;
2623
2624                 /* In Secure Connections Only mode, do not allow any
2625                  * connections that are not encrypted with AES-CCM
2626                  * using a P-256 authenticated combination key.
2627                  */
2628                 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) &&
2629                     (!test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
2630                      conn->key_type != HCI_LK_AUTH_COMBINATION_P256)) {
2631                         hci_connect_cfm(conn, HCI_ERROR_AUTH_FAILURE);
2632                         hci_conn_drop(conn);
2633                         goto unlock;
2634                 }
2635
2636                 hci_connect_cfm(conn, ev->status);
2637                 hci_conn_drop(conn);
2638         } else
2639                 hci_encrypt_cfm(conn, ev->status, ev->encrypt);
2640
2641 unlock:
2642         hci_dev_unlock(hdev);
2643 }
2644
2645 static void hci_change_link_key_complete_evt(struct hci_dev *hdev,
2646                                              struct sk_buff *skb)
2647 {
2648         struct hci_ev_change_link_key_complete *ev = (void *) skb->data;
2649         struct hci_conn *conn;
2650
2651         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2652
2653         hci_dev_lock(hdev);
2654
2655         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2656         if (conn) {
2657                 if (!ev->status)
2658                         set_bit(HCI_CONN_SECURE, &conn->flags);
2659
2660                 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2661
2662                 hci_key_change_cfm(conn, ev->status);
2663         }
2664
2665         hci_dev_unlock(hdev);
2666 }
2667
2668 static void hci_remote_features_evt(struct hci_dev *hdev,
2669                                     struct sk_buff *skb)
2670 {
2671         struct hci_ev_remote_features *ev = (void *) skb->data;
2672         struct hci_conn *conn;
2673
2674         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2675
2676         hci_dev_lock(hdev);
2677
2678         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2679         if (!conn)
2680                 goto unlock;
2681
2682         if (!ev->status)
2683                 memcpy(conn->features[0], ev->features, 8);
2684
2685         if (conn->state != BT_CONFIG)
2686                 goto unlock;
2687
2688         if (!ev->status && lmp_ext_feat_capable(hdev) &&
2689             lmp_ext_feat_capable(conn)) {
2690                 struct hci_cp_read_remote_ext_features cp;
2691                 cp.handle = ev->handle;
2692                 cp.page = 0x01;
2693                 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
2694                              sizeof(cp), &cp);
2695                 goto unlock;
2696         }
2697
2698         if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
2699                 struct hci_cp_remote_name_req cp;
2700                 memset(&cp, 0, sizeof(cp));
2701                 bacpy(&cp.bdaddr, &conn->dst);
2702                 cp.pscan_rep_mode = 0x02;
2703                 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2704         } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2705                 mgmt_device_connected(hdev, conn, 0, NULL, 0);
2706
2707         if (!hci_outgoing_auth_needed(hdev, conn)) {
2708                 conn->state = BT_CONNECTED;
2709                 hci_connect_cfm(conn, ev->status);
2710                 hci_conn_drop(conn);
2711         }
2712
2713 unlock:
2714         hci_dev_unlock(hdev);
2715 }
2716
2717 static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2718 {
2719         struct hci_ev_cmd_complete *ev = (void *) skb->data;
2720         u8 status = skb->data[sizeof(*ev)];
2721         __u16 opcode;
2722
2723         skb_pull(skb, sizeof(*ev));
2724
2725         opcode = __le16_to_cpu(ev->opcode);
2726
2727         switch (opcode) {
2728         case HCI_OP_INQUIRY_CANCEL:
2729                 hci_cc_inquiry_cancel(hdev, skb);
2730                 break;
2731
2732         case HCI_OP_PERIODIC_INQ:
2733                 hci_cc_periodic_inq(hdev, skb);
2734                 break;
2735
2736         case HCI_OP_EXIT_PERIODIC_INQ:
2737                 hci_cc_exit_periodic_inq(hdev, skb);
2738                 break;
2739
2740         case HCI_OP_REMOTE_NAME_REQ_CANCEL:
2741                 hci_cc_remote_name_req_cancel(hdev, skb);
2742                 break;
2743
2744         case HCI_OP_ROLE_DISCOVERY:
2745                 hci_cc_role_discovery(hdev, skb);
2746                 break;
2747
2748         case HCI_OP_READ_LINK_POLICY:
2749                 hci_cc_read_link_policy(hdev, skb);
2750                 break;
2751
2752         case HCI_OP_WRITE_LINK_POLICY:
2753                 hci_cc_write_link_policy(hdev, skb);
2754                 break;
2755
2756         case HCI_OP_READ_DEF_LINK_POLICY:
2757                 hci_cc_read_def_link_policy(hdev, skb);
2758                 break;
2759
2760         case HCI_OP_WRITE_DEF_LINK_POLICY:
2761                 hci_cc_write_def_link_policy(hdev, skb);
2762                 break;
2763
2764         case HCI_OP_RESET:
2765                 hci_cc_reset(hdev, skb);
2766                 break;
2767
2768         case HCI_OP_READ_STORED_LINK_KEY:
2769                 hci_cc_read_stored_link_key(hdev, skb);
2770                 break;
2771
2772         case HCI_OP_DELETE_STORED_LINK_KEY:
2773                 hci_cc_delete_stored_link_key(hdev, skb);
2774                 break;
2775
2776         case HCI_OP_WRITE_LOCAL_NAME:
2777                 hci_cc_write_local_name(hdev, skb);
2778                 break;
2779
2780         case HCI_OP_READ_LOCAL_NAME:
2781                 hci_cc_read_local_name(hdev, skb);
2782                 break;
2783
2784         case HCI_OP_WRITE_AUTH_ENABLE:
2785                 hci_cc_write_auth_enable(hdev, skb);
2786                 break;
2787
2788         case HCI_OP_WRITE_ENCRYPT_MODE:
2789                 hci_cc_write_encrypt_mode(hdev, skb);
2790                 break;
2791
2792         case HCI_OP_WRITE_SCAN_ENABLE:
2793                 hci_cc_write_scan_enable(hdev, skb);
2794                 break;
2795
2796         case HCI_OP_READ_CLASS_OF_DEV:
2797                 hci_cc_read_class_of_dev(hdev, skb);
2798                 break;
2799
2800         case HCI_OP_WRITE_CLASS_OF_DEV:
2801                 hci_cc_write_class_of_dev(hdev, skb);
2802                 break;
2803
2804         case HCI_OP_READ_VOICE_SETTING:
2805                 hci_cc_read_voice_setting(hdev, skb);
2806                 break;
2807
2808         case HCI_OP_WRITE_VOICE_SETTING:
2809                 hci_cc_write_voice_setting(hdev, skb);
2810                 break;
2811
2812         case HCI_OP_READ_NUM_SUPPORTED_IAC:
2813                 hci_cc_read_num_supported_iac(hdev, skb);
2814                 break;
2815
2816         case HCI_OP_WRITE_SSP_MODE:
2817                 hci_cc_write_ssp_mode(hdev, skb);
2818                 break;
2819
2820         case HCI_OP_WRITE_SC_SUPPORT:
2821                 hci_cc_write_sc_support(hdev, skb);
2822                 break;
2823
2824         case HCI_OP_READ_LOCAL_VERSION:
2825                 hci_cc_read_local_version(hdev, skb);
2826                 break;
2827
2828         case HCI_OP_READ_LOCAL_COMMANDS:
2829                 hci_cc_read_local_commands(hdev, skb);
2830                 break;
2831
2832         case HCI_OP_READ_LOCAL_FEATURES:
2833                 hci_cc_read_local_features(hdev, skb);
2834                 break;
2835
2836         case HCI_OP_READ_LOCAL_EXT_FEATURES:
2837                 hci_cc_read_local_ext_features(hdev, skb);
2838                 break;
2839
2840         case HCI_OP_READ_BUFFER_SIZE:
2841                 hci_cc_read_buffer_size(hdev, skb);
2842                 break;
2843
2844         case HCI_OP_READ_BD_ADDR:
2845                 hci_cc_read_bd_addr(hdev, skb);
2846                 break;
2847
2848         case HCI_OP_READ_PAGE_SCAN_ACTIVITY:
2849                 hci_cc_read_page_scan_activity(hdev, skb);
2850                 break;
2851
2852         case HCI_OP_WRITE_PAGE_SCAN_ACTIVITY:
2853                 hci_cc_write_page_scan_activity(hdev, skb);
2854                 break;
2855
2856         case HCI_OP_READ_PAGE_SCAN_TYPE:
2857                 hci_cc_read_page_scan_type(hdev, skb);
2858                 break;
2859
2860         case HCI_OP_WRITE_PAGE_SCAN_TYPE:
2861                 hci_cc_write_page_scan_type(hdev, skb);
2862                 break;
2863
2864         case HCI_OP_READ_DATA_BLOCK_SIZE:
2865                 hci_cc_read_data_block_size(hdev, skb);
2866                 break;
2867
2868         case HCI_OP_READ_FLOW_CONTROL_MODE:
2869                 hci_cc_read_flow_control_mode(hdev, skb);
2870                 break;
2871
2872         case HCI_OP_READ_LOCAL_AMP_INFO:
2873                 hci_cc_read_local_amp_info(hdev, skb);
2874                 break;
2875
2876         case HCI_OP_READ_CLOCK:
2877                 hci_cc_read_clock(hdev, skb);
2878                 break;
2879
2880         case HCI_OP_READ_LOCAL_AMP_ASSOC:
2881                 hci_cc_read_local_amp_assoc(hdev, skb);
2882                 break;
2883
2884         case HCI_OP_READ_INQ_RSP_TX_POWER:
2885                 hci_cc_read_inq_rsp_tx_power(hdev, skb);
2886                 break;
2887
2888         case HCI_OP_PIN_CODE_REPLY:
2889                 hci_cc_pin_code_reply(hdev, skb);
2890                 break;
2891
2892         case HCI_OP_PIN_CODE_NEG_REPLY:
2893                 hci_cc_pin_code_neg_reply(hdev, skb);
2894                 break;
2895
2896         case HCI_OP_READ_LOCAL_OOB_DATA:
2897                 hci_cc_read_local_oob_data(hdev, skb);
2898                 break;
2899
2900         case HCI_OP_READ_LOCAL_OOB_EXT_DATA:
2901                 hci_cc_read_local_oob_ext_data(hdev, skb);
2902                 break;
2903
2904         case HCI_OP_LE_READ_BUFFER_SIZE:
2905                 hci_cc_le_read_buffer_size(hdev, skb);
2906                 break;
2907
2908         case HCI_OP_LE_READ_LOCAL_FEATURES:
2909                 hci_cc_le_read_local_features(hdev, skb);
2910                 break;
2911
2912         case HCI_OP_LE_READ_ADV_TX_POWER:
2913                 hci_cc_le_read_adv_tx_power(hdev, skb);
2914                 break;
2915
2916         case HCI_OP_USER_CONFIRM_REPLY:
2917                 hci_cc_user_confirm_reply(hdev, skb);
2918                 break;
2919
2920         case HCI_OP_USER_CONFIRM_NEG_REPLY:
2921                 hci_cc_user_confirm_neg_reply(hdev, skb);
2922                 break;
2923
2924         case HCI_OP_USER_PASSKEY_REPLY:
2925                 hci_cc_user_passkey_reply(hdev, skb);
2926                 break;
2927
2928         case HCI_OP_USER_PASSKEY_NEG_REPLY:
2929                 hci_cc_user_passkey_neg_reply(hdev, skb);
2930                 break;
2931
2932         case HCI_OP_LE_SET_RANDOM_ADDR:
2933                 hci_cc_le_set_random_addr(hdev, skb);
2934                 break;
2935
2936         case HCI_OP_LE_SET_ADV_ENABLE:
2937                 hci_cc_le_set_adv_enable(hdev, skb);
2938                 break;
2939
2940         case HCI_OP_LE_SET_SCAN_PARAM:
2941                 hci_cc_le_set_scan_param(hdev, skb);
2942                 break;
2943
2944         case HCI_OP_LE_SET_SCAN_ENABLE:
2945                 hci_cc_le_set_scan_enable(hdev, skb);
2946                 break;
2947
2948         case HCI_OP_LE_READ_WHITE_LIST_SIZE:
2949                 hci_cc_le_read_white_list_size(hdev, skb);
2950                 break;
2951
2952         case HCI_OP_LE_CLEAR_WHITE_LIST:
2953                 hci_cc_le_clear_white_list(hdev, skb);
2954                 break;
2955
2956         case HCI_OP_LE_ADD_TO_WHITE_LIST:
2957                 hci_cc_le_add_to_white_list(hdev, skb);
2958                 break;
2959
2960         case HCI_OP_LE_DEL_FROM_WHITE_LIST:
2961                 hci_cc_le_del_from_white_list(hdev, skb);
2962                 break;
2963
2964         case HCI_OP_LE_READ_SUPPORTED_STATES:
2965                 hci_cc_le_read_supported_states(hdev, skb);
2966                 break;
2967
2968         case HCI_OP_LE_READ_DEF_DATA_LEN:
2969                 hci_cc_le_read_def_data_len(hdev, skb);
2970                 break;
2971
2972         case HCI_OP_LE_WRITE_DEF_DATA_LEN:
2973                 hci_cc_le_write_def_data_len(hdev, skb);
2974                 break;
2975
2976         case HCI_OP_LE_READ_MAX_DATA_LEN:
2977                 hci_cc_le_read_max_data_len(hdev, skb);
2978                 break;
2979
2980         case HCI_OP_WRITE_LE_HOST_SUPPORTED:
2981                 hci_cc_write_le_host_supported(hdev, skb);
2982                 break;
2983
2984         case HCI_OP_LE_SET_ADV_PARAM:
2985                 hci_cc_set_adv_param(hdev, skb);
2986                 break;
2987
2988         case HCI_OP_WRITE_REMOTE_AMP_ASSOC:
2989                 hci_cc_write_remote_amp_assoc(hdev, skb);
2990                 break;
2991
2992         case HCI_OP_READ_RSSI:
2993                 hci_cc_read_rssi(hdev, skb);
2994                 break;
2995
2996         case HCI_OP_READ_TX_POWER:
2997                 hci_cc_read_tx_power(hdev, skb);
2998                 break;
2999
3000         case HCI_OP_WRITE_SSP_DEBUG_MODE:
3001                 hci_cc_write_ssp_debug_mode(hdev, skb);
3002                 break;
3003
3004         default:
3005                 BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode);
3006                 break;
3007         }
3008
3009         if (opcode != HCI_OP_NOP)
3010                 cancel_delayed_work(&hdev->cmd_timer);
3011
3012         hci_req_cmd_complete(hdev, opcode, status);
3013
3014         if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) {
3015                 atomic_set(&hdev->cmd_cnt, 1);
3016                 if (!skb_queue_empty(&hdev->cmd_q))
3017                         queue_work(hdev->workqueue, &hdev->cmd_work);
3018         }
3019 }
3020
3021 static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb)
3022 {
3023         struct hci_ev_cmd_status *ev = (void *) skb->data;
3024         __u16 opcode;
3025
3026         skb_pull(skb, sizeof(*ev));
3027
3028         opcode = __le16_to_cpu(ev->opcode);
3029
3030         switch (opcode) {
3031         case HCI_OP_INQUIRY:
3032                 hci_cs_inquiry(hdev, ev->status);
3033                 break;
3034
3035         case HCI_OP_CREATE_CONN:
3036                 hci_cs_create_conn(hdev, ev->status);
3037                 break;
3038
3039         case HCI_OP_DISCONNECT:
3040                 hci_cs_disconnect(hdev, ev->status);
3041                 break;
3042
3043         case HCI_OP_ADD_SCO:
3044                 hci_cs_add_sco(hdev, ev->status);
3045                 break;
3046
3047         case HCI_OP_AUTH_REQUESTED:
3048                 hci_cs_auth_requested(hdev, ev->status);
3049                 break;
3050
3051         case HCI_OP_SET_CONN_ENCRYPT:
3052                 hci_cs_set_conn_encrypt(hdev, ev->status);
3053                 break;
3054
3055         case HCI_OP_REMOTE_NAME_REQ:
3056                 hci_cs_remote_name_req(hdev, ev->status);
3057                 break;
3058
3059         case HCI_OP_READ_REMOTE_FEATURES:
3060                 hci_cs_read_remote_features(hdev, ev->status);
3061                 break;
3062
3063         case HCI_OP_READ_REMOTE_EXT_FEATURES:
3064                 hci_cs_read_remote_ext_features(hdev, ev->status);
3065                 break;
3066
3067         case HCI_OP_SETUP_SYNC_CONN:
3068                 hci_cs_setup_sync_conn(hdev, ev->status);
3069                 break;
3070
3071         case HCI_OP_CREATE_PHY_LINK:
3072                 hci_cs_create_phylink(hdev, ev->status);
3073                 break;
3074
3075         case HCI_OP_ACCEPT_PHY_LINK:
3076                 hci_cs_accept_phylink(hdev, ev->status);
3077                 break;
3078
3079         case HCI_OP_SNIFF_MODE:
3080                 hci_cs_sniff_mode(hdev, ev->status);
3081                 break;
3082
3083         case HCI_OP_EXIT_SNIFF_MODE:
3084                 hci_cs_exit_sniff_mode(hdev, ev->status);
3085                 break;
3086
3087         case HCI_OP_SWITCH_ROLE:
3088                 hci_cs_switch_role(hdev, ev->status);
3089                 break;
3090
3091         case HCI_OP_LE_CREATE_CONN:
3092                 hci_cs_le_create_conn(hdev, ev->status);
3093                 break;
3094
3095         case HCI_OP_LE_START_ENC:
3096                 hci_cs_le_start_enc(hdev, ev->status);
3097                 break;
3098
3099         default:
3100                 BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode);
3101                 break;
3102         }
3103
3104         if (opcode != HCI_OP_NOP)
3105                 cancel_delayed_work(&hdev->cmd_timer);
3106
3107         if (ev->status ||
3108             (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->req_event))
3109                 hci_req_cmd_complete(hdev, opcode, ev->status);
3110
3111         if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) {
3112                 atomic_set(&hdev->cmd_cnt, 1);
3113                 if (!skb_queue_empty(&hdev->cmd_q))
3114                         queue_work(hdev->workqueue, &hdev->cmd_work);
3115         }
3116 }
3117
3118 static void hci_hardware_error_evt(struct hci_dev *hdev, struct sk_buff *skb)
3119 {
3120         struct hci_ev_hardware_error *ev = (void *) skb->data;
3121
3122         hdev->hw_error_code = ev->code;
3123
3124         queue_work(hdev->req_workqueue, &hdev->error_reset);
3125 }
3126
3127 static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3128 {
3129         struct hci_ev_role_change *ev = (void *) skb->data;
3130         struct hci_conn *conn;
3131
3132         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3133
3134         hci_dev_lock(hdev);
3135
3136         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3137         if (conn) {
3138                 if (!ev->status)
3139                         conn->role = ev->role;
3140
3141                 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
3142
3143                 hci_role_switch_cfm(conn, ev->status, ev->role);
3144         }
3145
3146         hci_dev_unlock(hdev);
3147 }
3148
3149 static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb)
3150 {
3151         struct hci_ev_num_comp_pkts *ev = (void *) skb->data;
3152         int i;
3153
3154         if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
3155                 BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode);
3156                 return;
3157         }
3158
3159         if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
3160             ev->num_hndl * sizeof(struct hci_comp_pkts_info)) {
3161                 BT_DBG("%s bad parameters", hdev->name);
3162                 return;
3163         }
3164
3165         BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl);
3166
3167         for (i = 0; i < ev->num_hndl; i++) {
3168                 struct hci_comp_pkts_info *info = &ev->handles[i];
3169                 struct hci_conn *conn;
3170                 __u16  handle, count;
3171
3172                 handle = __le16_to_cpu(info->handle);
3173                 count  = __le16_to_cpu(info->count);
3174
3175                 conn = hci_conn_hash_lookup_handle(hdev, handle);
3176                 if (!conn)
3177                         continue;
3178
3179                 conn->sent -= count;
3180
3181                 switch (conn->type) {
3182                 case ACL_LINK:
3183                         hdev->acl_cnt += count;
3184                         if (hdev->acl_cnt > hdev->acl_pkts)
3185                                 hdev->acl_cnt = hdev->acl_pkts;
3186                         break;
3187
3188                 case LE_LINK:
3189                         if (hdev->le_pkts) {
3190                                 hdev->le_cnt += count;
3191                                 if (hdev->le_cnt > hdev->le_pkts)
3192                                         hdev->le_cnt = hdev->le_pkts;
3193                         } else {
3194                                 hdev->acl_cnt += count;
3195                                 if (hdev->acl_cnt > hdev->acl_pkts)
3196                                         hdev->acl_cnt = hdev->acl_pkts;
3197                         }
3198                         break;
3199
3200                 case SCO_LINK:
3201                         hdev->sco_cnt += count;
3202                         if (hdev->sco_cnt > hdev->sco_pkts)
3203                                 hdev->sco_cnt = hdev->sco_pkts;
3204                         break;
3205
3206                 default:
3207                         BT_ERR("Unknown type %d conn %p", conn->type, conn);
3208                         break;
3209                 }
3210         }
3211
3212         queue_work(hdev->workqueue, &hdev->tx_work);
3213 }
3214
3215 static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
3216                                                  __u16 handle)
3217 {
3218         struct hci_chan *chan;
3219
3220         switch (hdev->dev_type) {
3221         case HCI_BREDR:
3222                 return hci_conn_hash_lookup_handle(hdev, handle);
3223         case HCI_AMP:
3224                 chan = hci_chan_lookup_handle(hdev, handle);
3225                 if (chan)
3226                         return chan->conn;
3227                 break;
3228         default:
3229                 BT_ERR("%s unknown dev_type %d", hdev->name, hdev->dev_type);
3230                 break;
3231         }
3232
3233         return NULL;
3234 }
3235
3236 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb)
3237 {
3238         struct hci_ev_num_comp_blocks *ev = (void *) skb->data;
3239         int i;
3240
3241         if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
3242                 BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode);
3243                 return;
3244         }
3245
3246         if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
3247             ev->num_hndl * sizeof(struct hci_comp_blocks_info)) {
3248                 BT_DBG("%s bad parameters", hdev->name);
3249                 return;
3250         }
3251
3252         BT_DBG("%s num_blocks %d num_hndl %d", hdev->name, ev->num_blocks,
3253                ev->num_hndl);
3254
3255         for (i = 0; i < ev->num_hndl; i++) {
3256                 struct hci_comp_blocks_info *info = &ev->handles[i];
3257                 struct hci_conn *conn = NULL;
3258                 __u16  handle, block_count;
3259
3260                 handle = __le16_to_cpu(info->handle);
3261                 block_count = __le16_to_cpu(info->blocks);
3262
3263                 conn = __hci_conn_lookup_handle(hdev, handle);
3264                 if (!conn)
3265                         continue;
3266
3267                 conn->sent -= block_count;
3268
3269                 switch (conn->type) {
3270                 case ACL_LINK:
3271                 case AMP_LINK:
3272                         hdev->block_cnt += block_count;
3273                         if (hdev->block_cnt > hdev->num_blocks)
3274                                 hdev->block_cnt = hdev->num_blocks;
3275                         break;
3276
3277                 default:
3278                         BT_ERR("Unknown type %d conn %p", conn->type, conn);
3279                         break;
3280                 }
3281         }
3282
3283         queue_work(hdev->workqueue, &hdev->tx_work);
3284 }
3285
3286 static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3287 {
3288         struct hci_ev_mode_change *ev = (void *) skb->data;
3289         struct hci_conn *conn;
3290
3291         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3292
3293         hci_dev_lock(hdev);
3294
3295         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3296         if (conn) {
3297                 conn->mode = ev->mode;
3298
3299                 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
3300                                         &conn->flags)) {
3301                         if (conn->mode == HCI_CM_ACTIVE)
3302                                 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3303                         else
3304                                 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
3305                 }
3306
3307                 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
3308                         hci_sco_setup(conn, ev->status);
3309         }
3310
3311         hci_dev_unlock(hdev);
3312 }
3313
3314 static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3315 {
3316         struct hci_ev_pin_code_req *ev = (void *) skb->data;
3317         struct hci_conn *conn;
3318
3319         BT_DBG("%s", hdev->name);
3320
3321         hci_dev_lock(hdev);
3322
3323         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3324         if (!conn)
3325                 goto unlock;
3326
3327         if (conn->state == BT_CONNECTED) {
3328                 hci_conn_hold(conn);
3329                 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3330                 hci_conn_drop(conn);
3331         }
3332
3333         if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
3334             !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
3335                 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
3336                              sizeof(ev->bdaddr), &ev->bdaddr);
3337         } else if (hci_dev_test_flag(hdev, HCI_MGMT)) {
3338                 u8 secure;
3339
3340                 if (conn->pending_sec_level == BT_SECURITY_HIGH)
3341                         secure = 1;
3342                 else
3343                         secure = 0;
3344
3345                 mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
3346         }
3347
3348 unlock:
3349         hci_dev_unlock(hdev);
3350 }
3351
3352 static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
3353 {
3354         if (key_type == HCI_LK_CHANGED_COMBINATION)
3355                 return;
3356
3357         conn->pin_length = pin_len;
3358         conn->key_type = key_type;
3359
3360         switch (key_type) {
3361         case HCI_LK_LOCAL_UNIT:
3362         case HCI_LK_REMOTE_UNIT:
3363         case HCI_LK_DEBUG_COMBINATION:
3364                 return;
3365         case HCI_LK_COMBINATION:
3366                 if (pin_len == 16)
3367                         conn->pending_sec_level = BT_SECURITY_HIGH;
3368                 else
3369                         conn->pending_sec_level = BT_SECURITY_MEDIUM;
3370                 break;
3371         case HCI_LK_UNAUTH_COMBINATION_P192:
3372         case HCI_LK_UNAUTH_COMBINATION_P256:
3373                 conn->pending_sec_level = BT_SECURITY_MEDIUM;
3374                 break;
3375         case HCI_LK_AUTH_COMBINATION_P192:
3376                 conn->pending_sec_level = BT_SECURITY_HIGH;
3377                 break;
3378         case HCI_LK_AUTH_COMBINATION_P256:
3379                 conn->pending_sec_level = BT_SECURITY_FIPS;
3380                 break;
3381         }
3382 }
3383
3384 static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3385 {
3386         struct hci_ev_link_key_req *ev = (void *) skb->data;
3387         struct hci_cp_link_key_reply cp;
3388         struct hci_conn *conn;
3389         struct link_key *key;
3390
3391         BT_DBG("%s", hdev->name);
3392
3393         if (!hci_dev_test_flag(hdev, HCI_MGMT))
3394                 return;
3395
3396         hci_dev_lock(hdev);
3397
3398         key = hci_find_link_key(hdev, &ev->bdaddr);
3399         if (!key) {
3400                 BT_DBG("%s link key not found for %pMR", hdev->name,
3401                        &ev->bdaddr);
3402                 goto not_found;
3403         }
3404
3405         BT_DBG("%s found key type %u for %pMR", hdev->name, key->type,
3406                &ev->bdaddr);
3407
3408         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3409         if (conn) {
3410                 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3411
3412                 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
3413                      key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
3414                     conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
3415                         BT_DBG("%s ignoring unauthenticated key", hdev->name);
3416                         goto not_found;
3417                 }
3418
3419                 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
3420                     (conn->pending_sec_level == BT_SECURITY_HIGH ||
3421                      conn->pending_sec_level == BT_SECURITY_FIPS)) {
3422                         BT_DBG("%s ignoring key unauthenticated for high security",
3423                                hdev->name);
3424                         goto not_found;
3425                 }
3426
3427                 conn_set_key(conn, key->type, key->pin_len);
3428         }
3429
3430         bacpy(&cp.bdaddr, &ev->bdaddr);
3431         memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
3432
3433         hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
3434
3435         hci_dev_unlock(hdev);
3436
3437         return;
3438
3439 not_found:
3440         hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
3441         hci_dev_unlock(hdev);
3442 }
3443
3444 static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
3445 {
3446         struct hci_ev_link_key_notify *ev = (void *) skb->data;
3447         struct hci_conn *conn;
3448         struct link_key *key;
3449         bool persistent;
3450         u8 pin_len = 0;
3451
3452         BT_DBG("%s", hdev->name);
3453
3454         hci_dev_lock(hdev);
3455
3456         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3457         if (!conn)
3458                 goto unlock;
3459
3460         hci_conn_hold(conn);
3461         conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3462         hci_conn_drop(conn);
3463
3464         set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
3465         conn_set_key(conn, ev->key_type, conn->pin_length);
3466
3467         if (!hci_dev_test_flag(hdev, HCI_MGMT))
3468                 goto unlock;
3469
3470         key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
3471                                 ev->key_type, pin_len, &persistent);
3472         if (!key)
3473                 goto unlock;
3474
3475         /* Update connection information since adding the key will have
3476          * fixed up the type in the case of changed combination keys.
3477          */
3478         if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
3479                 conn_set_key(conn, key->type, key->pin_len);
3480
3481         mgmt_new_link_key(hdev, key, persistent);
3482
3483         /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
3484          * is set. If it's not set simply remove the key from the kernel
3485          * list (we've still notified user space about it but with
3486          * store_hint being 0).
3487          */
3488         if (key->type == HCI_LK_DEBUG_COMBINATION &&
3489             !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {
3490                 list_del_rcu(&key->list);
3491                 kfree_rcu(key, rcu);
3492                 goto unlock;
3493         }
3494
3495         if (persistent)
3496                 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3497         else
3498                 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
3499
3500 unlock:
3501         hci_dev_unlock(hdev);
3502 }
3503
3504 static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb)
3505 {
3506         struct hci_ev_clock_offset *ev = (void *) skb->data;
3507         struct hci_conn *conn;
3508
3509         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3510
3511         hci_dev_lock(hdev);
3512
3513         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3514         if (conn && !ev->status) {
3515                 struct inquiry_entry *ie;
3516
3517                 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
3518                 if (ie) {
3519                         ie->data.clock_offset = ev->clock_offset;
3520                         ie->timestamp = jiffies;
3521                 }
3522         }
3523
3524         hci_dev_unlock(hdev);
3525 }
3526
3527 static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
3528 {
3529         struct hci_ev_pkt_type_change *ev = (void *) skb->data;
3530         struct hci_conn *conn;
3531
3532         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3533
3534         hci_dev_lock(hdev);
3535
3536         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3537         if (conn && !ev->status)
3538                 conn->pkt_type = __le16_to_cpu(ev->pkt_type);
3539
3540         hci_dev_unlock(hdev);
3541 }
3542
3543 static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb)
3544 {
3545         struct hci_ev_pscan_rep_mode *ev = (void *) skb->data;
3546         struct inquiry_entry *ie;
3547
3548         BT_DBG("%s", hdev->name);
3549
3550         hci_dev_lock(hdev);
3551
3552         ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3553         if (ie) {
3554                 ie->data.pscan_rep_mode = ev->pscan_rep_mode;
3555                 ie->timestamp = jiffies;
3556         }
3557
3558         hci_dev_unlock(hdev);
3559 }
3560
3561 static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev,
3562                                              struct sk_buff *skb)
3563 {
3564         struct inquiry_data data;
3565         int num_rsp = *((__u8 *) skb->data);
3566
3567         BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
3568
3569         if (!num_rsp)
3570                 return;
3571
3572         if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3573                 return;
3574
3575         hci_dev_lock(hdev);
3576
3577         if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
3578                 struct inquiry_info_with_rssi_and_pscan_mode *info;
3579                 info = (void *) (skb->data + 1);
3580
3581                 for (; num_rsp; num_rsp--, info++) {
3582                         u32 flags;
3583
3584                         bacpy(&data.bdaddr, &info->bdaddr);
3585                         data.pscan_rep_mode     = info->pscan_rep_mode;
3586                         data.pscan_period_mode  = info->pscan_period_mode;
3587                         data.pscan_mode         = info->pscan_mode;
3588                         memcpy(data.dev_class, info->dev_class, 3);
3589                         data.clock_offset       = info->clock_offset;
3590                         data.rssi               = info->rssi;
3591                         data.ssp_mode           = 0x00;
3592
3593                         flags = hci_inquiry_cache_update(hdev, &data, false);
3594
3595                         mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3596                                           info->dev_class, info->rssi,
3597                                           flags, NULL, 0, NULL, 0);
3598                 }
3599         } else {
3600                 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
3601
3602                 for (; num_rsp; num_rsp--, info++) {
3603                         u32 flags;
3604
3605                         bacpy(&data.bdaddr, &info->bdaddr);
3606                         data.pscan_rep_mode     = info->pscan_rep_mode;
3607                         data.pscan_period_mode  = info->pscan_period_mode;
3608                         data.pscan_mode         = 0x00;
3609                         memcpy(data.dev_class, info->dev_class, 3);
3610                         data.clock_offset       = info->clock_offset;
3611                         data.rssi               = info->rssi;
3612                         data.ssp_mode           = 0x00;
3613
3614                         flags = hci_inquiry_cache_update(hdev, &data, false);
3615
3616                         mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3617                                           info->dev_class, info->rssi,
3618                                           flags, NULL, 0, NULL, 0);
3619                 }
3620         }
3621
3622         hci_dev_unlock(hdev);
3623 }
3624
3625 static void hci_remote_ext_features_evt(struct hci_dev *hdev,
3626                                         struct sk_buff *skb)
3627 {
3628         struct hci_ev_remote_ext_features *ev = (void *) skb->data;
3629         struct hci_conn *conn;
3630
3631         BT_DBG("%s", hdev->name);
3632
3633         hci_dev_lock(hdev);
3634
3635         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3636         if (!conn)
3637                 goto unlock;
3638
3639         if (ev->page < HCI_MAX_PAGES)
3640                 memcpy(conn->features[ev->page], ev->features, 8);
3641
3642         if (!ev->status && ev->page == 0x01) {
3643                 struct inquiry_entry *ie;
3644
3645                 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
3646                 if (ie)
3647                         ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
3648
3649                 if (ev->features[0] & LMP_HOST_SSP) {
3650                         set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
3651                 } else {
3652                         /* It is mandatory by the Bluetooth specification that
3653                          * Extended Inquiry Results are only used when Secure
3654                          * Simple Pairing is enabled, but some devices violate
3655                          * this.
3656                          *
3657                          * To make these devices work, the internal SSP
3658                          * enabled flag needs to be cleared if the remote host
3659                          * features do not indicate SSP support */
3660                         clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
3661                 }
3662
3663                 if (ev->features[0] & LMP_HOST_SC)
3664                         set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
3665         }
3666
3667         if (conn->state != BT_CONFIG)
3668                 goto unlock;
3669
3670         if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
3671                 struct hci_cp_remote_name_req cp;
3672                 memset(&cp, 0, sizeof(cp));
3673                 bacpy(&cp.bdaddr, &conn->dst);
3674                 cp.pscan_rep_mode = 0x02;
3675                 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3676         } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3677                 mgmt_device_connected(hdev, conn, 0, NULL, 0);
3678
3679         if (!hci_outgoing_auth_needed(hdev, conn)) {
3680                 conn->state = BT_CONNECTED;
3681                 hci_connect_cfm(conn, ev->status);
3682                 hci_conn_drop(conn);
3683         }
3684
3685 unlock:
3686         hci_dev_unlock(hdev);
3687 }
3688
3689 static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
3690                                        struct sk_buff *skb)
3691 {
3692         struct hci_ev_sync_conn_complete *ev = (void *) skb->data;
3693         struct hci_conn *conn;
3694
3695         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3696
3697         hci_dev_lock(hdev);
3698
3699         conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
3700         if (!conn) {
3701                 if (ev->link_type == ESCO_LINK)
3702                         goto unlock;
3703
3704                 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
3705                 if (!conn)
3706                         goto unlock;
3707
3708                 conn->type = SCO_LINK;
3709         }
3710
3711         switch (ev->status) {
3712         case 0x00:
3713                 conn->handle = __le16_to_cpu(ev->handle);
3714                 conn->state  = BT_CONNECTED;
3715
3716                 hci_debugfs_create_conn(conn);
3717                 hci_conn_add_sysfs(conn);
3718                 break;
3719
3720         case 0x10:      /* Connection Accept Timeout */
3721         case 0x0d:      /* Connection Rejected due to Limited Resources */
3722         case 0x11:      /* Unsupported Feature or Parameter Value */
3723         case 0x1c:      /* SCO interval rejected */
3724         case 0x1a:      /* Unsupported Remote Feature */
3725         case 0x1f:      /* Unspecified error */
3726         case 0x20:      /* Unsupported LMP Parameter value */
3727                 if (conn->out) {
3728                         conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
3729                                         (hdev->esco_type & EDR_ESCO_MASK);
3730                         if (hci_setup_sync(conn, conn->link->handle))
3731                                 goto unlock;
3732                 }
3733                 /* fall through */
3734
3735         default:
3736                 conn->state = BT_CLOSED;
3737                 break;
3738         }
3739
3740         hci_connect_cfm(conn, ev->status);
3741         if (ev->status)
3742                 hci_conn_del(conn);
3743
3744 unlock:
3745         hci_dev_unlock(hdev);
3746 }
3747
3748 static inline size_t eir_get_length(u8 *eir, size_t eir_len)
3749 {
3750         size_t parsed = 0;
3751
3752         while (parsed < eir_len) {
3753                 u8 field_len = eir[0];
3754
3755                 if (field_len == 0)
3756                         return parsed;
3757
3758                 parsed += field_len + 1;
3759                 eir += field_len + 1;
3760         }
3761
3762         return eir_len;
3763 }
3764
3765 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev,
3766                                             struct sk_buff *skb)
3767 {
3768         struct inquiry_data data;
3769         struct extended_inquiry_info *info = (void *) (skb->data + 1);
3770         int num_rsp = *((__u8 *) skb->data);
3771         size_t eir_len;
3772
3773         BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
3774
3775         if (!num_rsp)
3776                 return;
3777
3778         if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3779                 return;
3780
3781         hci_dev_lock(hdev);
3782
3783         for (; num_rsp; num_rsp--, info++) {
3784                 u32 flags;
3785                 bool name_known;
3786
3787                 bacpy(&data.bdaddr, &info->bdaddr);
3788                 data.pscan_rep_mode     = info->pscan_rep_mode;
3789                 data.pscan_period_mode  = info->pscan_period_mode;
3790                 data.pscan_mode         = 0x00;
3791                 memcpy(data.dev_class, info->dev_class, 3);
3792                 data.clock_offset       = info->clock_offset;
3793                 data.rssi               = info->rssi;
3794                 data.ssp_mode           = 0x01;
3795
3796                 if (hci_dev_test_flag(hdev, HCI_MGMT))
3797                         name_known = eir_has_data_type(info->data,
3798                                                        sizeof(info->data),
3799                                                        EIR_NAME_COMPLETE);
3800                 else
3801                         name_known = true;
3802
3803                 flags = hci_inquiry_cache_update(hdev, &data, name_known);
3804
3805                 eir_len = eir_get_length(info->data, sizeof(info->data));
3806
3807                 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3808                                   info->dev_class, info->rssi,
3809                                   flags, info->data, eir_len, NULL, 0);
3810         }
3811
3812         hci_dev_unlock(hdev);
3813 }
3814
3815 static void hci_key_refresh_complete_evt(struct hci_dev *hdev,
3816                                          struct sk_buff *skb)
3817 {
3818         struct hci_ev_key_refresh_complete *ev = (void *) skb->data;
3819         struct hci_conn *conn;
3820
3821         BT_DBG("%s status 0x%2.2x handle 0x%4.4x", hdev->name, ev->status,
3822                __le16_to_cpu(ev->handle));
3823
3824         hci_dev_lock(hdev);
3825
3826         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3827         if (!conn)
3828                 goto unlock;
3829
3830         /* For BR/EDR the necessary steps are taken through the
3831          * auth_complete event.
3832          */
3833         if (conn->type != LE_LINK)
3834                 goto unlock;
3835
3836         if (!ev->status)
3837                 conn->sec_level = conn->pending_sec_level;
3838
3839         clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3840
3841         if (ev->status && conn->state == BT_CONNECTED) {
3842                 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3843                 hci_conn_drop(conn);
3844                 goto unlock;
3845         }
3846
3847         if (conn->state == BT_CONFIG) {
3848                 if (!ev->status)
3849                         conn->state = BT_CONNECTED;
3850
3851                 hci_connect_cfm(conn, ev->status);
3852                 hci_conn_drop(conn);
3853         } else {
3854                 hci_auth_cfm(conn, ev->status);
3855
3856                 hci_conn_hold(conn);
3857                 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3858                 hci_conn_drop(conn);
3859         }
3860
3861 unlock:
3862         hci_dev_unlock(hdev);
3863 }
3864
3865 static u8 hci_get_auth_req(struct hci_conn *conn)
3866 {
3867         /* If remote requests no-bonding follow that lead */
3868         if (conn->remote_auth == HCI_AT_NO_BONDING ||
3869             conn->remote_auth == HCI_AT_NO_BONDING_MITM)
3870                 return conn->remote_auth | (conn->auth_type & 0x01);
3871
3872         /* If both remote and local have enough IO capabilities, require
3873          * MITM protection
3874          */
3875         if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
3876             conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
3877                 return conn->remote_auth | 0x01;
3878
3879         /* No MITM protection possible so ignore remote requirement */
3880         return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
3881 }
3882
3883 static u8 bredr_oob_data_present(struct hci_conn *conn)
3884 {
3885         struct hci_dev *hdev = conn->hdev;
3886         struct oob_data *data;
3887
3888         data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
3889         if (!data)
3890                 return 0x00;
3891
3892         if (bredr_sc_enabled(hdev)) {
3893                 /* When Secure Connections is enabled, then just
3894                  * return the present value stored with the OOB
3895                  * data. The stored value contains the right present
3896                  * information. However it can only be trusted when
3897                  * not in Secure Connection Only mode.
3898                  */
3899                 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY))
3900                         return data->present;
3901
3902                 /* When Secure Connections Only mode is enabled, then
3903                  * the P-256 values are required. If they are not
3904                  * available, then do not declare that OOB data is
3905                  * present.
3906                  */
3907                 if (!memcmp(data->rand256, ZERO_KEY, 16) ||
3908                     !memcmp(data->hash256, ZERO_KEY, 16))
3909                         return 0x00;
3910
3911                 return 0x02;
3912         }
3913
3914         /* When Secure Connections is not enabled or actually
3915          * not supported by the hardware, then check that if
3916          * P-192 data values are present.
3917          */
3918         if (!memcmp(data->rand192, ZERO_KEY, 16) ||
3919             !memcmp(data->hash192, ZERO_KEY, 16))
3920                 return 0x00;
3921
3922         return 0x01;
3923 }
3924
3925 static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3926 {
3927         struct hci_ev_io_capa_request *ev = (void *) skb->data;
3928         struct hci_conn *conn;
3929
3930         BT_DBG("%s", hdev->name);
3931
3932         hci_dev_lock(hdev);
3933
3934         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3935         if (!conn)
3936                 goto unlock;
3937
3938         hci_conn_hold(conn);
3939
3940         if (!hci_dev_test_flag(hdev, HCI_MGMT))
3941                 goto unlock;
3942
3943         /* Allow pairing if we're pairable, the initiators of the
3944          * pairing or if the remote is not requesting bonding.
3945          */
3946         if (hci_dev_test_flag(hdev, HCI_BONDABLE) ||
3947             test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
3948             (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
3949                 struct hci_cp_io_capability_reply cp;
3950
3951                 bacpy(&cp.bdaddr, &ev->bdaddr);
3952                 /* Change the IO capability from KeyboardDisplay
3953                  * to DisplayYesNo as it is not supported by BT spec. */
3954                 cp.capability = (conn->io_capability == 0x04) ?
3955                                 HCI_IO_DISPLAY_YESNO : conn->io_capability;
3956
3957                 /* If we are initiators, there is no remote information yet */
3958                 if (conn->remote_auth == 0xff) {
3959                         /* Request MITM protection if our IO caps allow it
3960                          * except for the no-bonding case.
3961                          */
3962                         if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
3963                             conn->auth_type != HCI_AT_NO_BONDING)
3964                                 conn->auth_type |= 0x01;
3965                 } else {
3966                         conn->auth_type = hci_get_auth_req(conn);
3967                 }
3968
3969                 /* If we're not bondable, force one of the non-bondable
3970                  * authentication requirement values.
3971                  */
3972                 if (!hci_dev_test_flag(hdev, HCI_BONDABLE))
3973                         conn->auth_type &= HCI_AT_NO_BONDING_MITM;
3974
3975                 cp.authentication = conn->auth_type;
3976                 cp.oob_data = bredr_oob_data_present(conn);
3977
3978                 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
3979                              sizeof(cp), &cp);
3980         } else {
3981                 struct hci_cp_io_capability_neg_reply cp;
3982
3983                 bacpy(&cp.bdaddr, &ev->bdaddr);
3984                 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
3985
3986                 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
3987                              sizeof(cp), &cp);
3988         }
3989
3990 unlock:
3991         hci_dev_unlock(hdev);
3992 }
3993
3994 static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb)
3995 {
3996         struct hci_ev_io_capa_reply *ev = (void *) skb->data;
3997         struct hci_conn *conn;
3998
3999         BT_DBG("%s", hdev->name);
4000
4001         hci_dev_lock(hdev);
4002
4003         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4004         if (!conn)
4005                 goto unlock;
4006
4007         conn->remote_cap = ev->capability;
4008         conn->remote_auth = ev->authentication;
4009
4010 unlock:
4011         hci_dev_unlock(hdev);
4012 }
4013
4014 static void hci_user_confirm_request_evt(struct hci_dev *hdev,
4015                                          struct sk_buff *skb)
4016 {
4017         struct hci_ev_user_confirm_req *ev = (void *) skb->data;
4018         int loc_mitm, rem_mitm, confirm_hint = 0;
4019         struct hci_conn *conn;
4020
4021         BT_DBG("%s", hdev->name);
4022
4023         hci_dev_lock(hdev);
4024
4025         if (!hci_dev_test_flag(hdev, HCI_MGMT))
4026                 goto unlock;
4027
4028         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4029         if (!conn)
4030                 goto unlock;
4031
4032         loc_mitm = (conn->auth_type & 0x01);
4033         rem_mitm = (conn->remote_auth & 0x01);
4034
4035         /* If we require MITM but the remote device can't provide that
4036          * (it has NoInputNoOutput) then reject the confirmation
4037          * request. We check the security level here since it doesn't
4038          * necessarily match conn->auth_type.
4039          */
4040         if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
4041             conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
4042                 BT_DBG("Rejecting request: remote device can't provide MITM");
4043                 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
4044                              sizeof(ev->bdaddr), &ev->bdaddr);
4045                 goto unlock;
4046         }
4047
4048         /* If no side requires MITM protection; auto-accept */
4049         if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
4050             (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
4051
4052                 /* If we're not the initiators request authorization to
4053                  * proceed from user space (mgmt_user_confirm with
4054                  * confirm_hint set to 1). The exception is if neither
4055                  * side had MITM or if the local IO capability is
4056                  * NoInputNoOutput, in which case we do auto-accept
4057                  */
4058                 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
4059                     conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
4060                     (loc_mitm || rem_mitm)) {
4061                         BT_DBG("Confirming auto-accept as acceptor");
4062                         confirm_hint = 1;
4063                         goto confirm;
4064                 }
4065
4066                 BT_DBG("Auto-accept of user confirmation with %ums delay",
4067                        hdev->auto_accept_delay);
4068
4069                 if (hdev->auto_accept_delay > 0) {
4070                         int delay = msecs_to_jiffies(hdev->auto_accept_delay);
4071                         queue_delayed_work(conn->hdev->workqueue,
4072                                            &conn->auto_accept_work, delay);
4073                         goto unlock;
4074                 }
4075
4076                 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
4077                              sizeof(ev->bdaddr), &ev->bdaddr);
4078                 goto unlock;
4079         }
4080
4081 confirm:
4082         mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
4083                                   le32_to_cpu(ev->passkey), confirm_hint);
4084
4085 unlock:
4086         hci_dev_unlock(hdev);
4087 }
4088
4089 static void hci_user_passkey_request_evt(struct hci_dev *hdev,
4090                                          struct sk_buff *skb)
4091 {
4092         struct hci_ev_user_passkey_req *ev = (void *) skb->data;
4093
4094         BT_DBG("%s", hdev->name);
4095
4096         if (hci_dev_test_flag(hdev, HCI_MGMT))
4097                 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
4098 }
4099
4100 static void hci_user_passkey_notify_evt(struct hci_dev *hdev,
4101                                         struct sk_buff *skb)
4102 {
4103         struct hci_ev_user_passkey_notify *ev = (void *) skb->data;
4104         struct hci_conn *conn;
4105
4106         BT_DBG("%s", hdev->name);
4107
4108         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4109         if (!conn)
4110                 return;
4111
4112         conn->passkey_notify = __le32_to_cpu(ev->passkey);
4113         conn->passkey_entered = 0;
4114
4115         if (hci_dev_test_flag(hdev, HCI_MGMT))
4116                 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4117                                          conn->dst_type, conn->passkey_notify,
4118                                          conn->passkey_entered);
4119 }
4120
4121 static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
4122 {
4123         struct hci_ev_keypress_notify *ev = (void *) skb->data;
4124         struct hci_conn *conn;
4125
4126         BT_DBG("%s", hdev->name);
4127
4128         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4129         if (!conn)
4130                 return;
4131
4132         switch (ev->type) {
4133         case HCI_KEYPRESS_STARTED:
4134                 conn->passkey_entered = 0;
4135                 return;
4136
4137         case HCI_KEYPRESS_ENTERED:
4138                 conn->passkey_entered++;
4139                 break;
4140
4141         case HCI_KEYPRESS_ERASED:
4142                 conn->passkey_entered--;
4143                 break;
4144
4145         case HCI_KEYPRESS_CLEARED:
4146                 conn->passkey_entered = 0;
4147                 break;
4148
4149         case HCI_KEYPRESS_COMPLETED:
4150                 return;
4151         }
4152
4153         if (hci_dev_test_flag(hdev, HCI_MGMT))
4154                 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4155                                          conn->dst_type, conn->passkey_notify,
4156                                          conn->passkey_entered);
4157 }
4158
4159 static void hci_simple_pair_complete_evt(struct hci_dev *hdev,
4160                                          struct sk_buff *skb)
4161 {
4162         struct hci_ev_simple_pair_complete *ev = (void *) skb->data;
4163         struct hci_conn *conn;
4164
4165         BT_DBG("%s", hdev->name);
4166
4167         hci_dev_lock(hdev);
4168
4169         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4170         if (!conn)
4171                 goto unlock;
4172
4173         /* Reset the authentication requirement to unknown */
4174         conn->remote_auth = 0xff;
4175
4176         /* To avoid duplicate auth_failed events to user space we check
4177          * the HCI_CONN_AUTH_PEND flag which will be set if we
4178          * initiated the authentication. A traditional auth_complete
4179          * event gets always produced as initiator and is also mapped to
4180          * the mgmt_auth_failed event */
4181         if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
4182                 mgmt_auth_failed(conn, ev->status);
4183
4184         hci_conn_drop(conn);
4185
4186 unlock:
4187         hci_dev_unlock(hdev);
4188 }
4189
4190 static void hci_remote_host_features_evt(struct hci_dev *hdev,
4191                                          struct sk_buff *skb)
4192 {
4193         struct hci_ev_remote_host_features *ev = (void *) skb->data;
4194         struct inquiry_entry *ie;
4195         struct hci_conn *conn;
4196
4197         BT_DBG("%s", hdev->name);
4198
4199         hci_dev_lock(hdev);
4200
4201         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4202         if (conn)
4203                 memcpy(conn->features[1], ev->features, 8);
4204
4205         ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4206         if (ie)
4207                 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4208
4209         hci_dev_unlock(hdev);
4210 }
4211
4212 static void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
4213                                             struct sk_buff *skb)
4214 {
4215         struct hci_ev_remote_oob_data_request *ev = (void *) skb->data;
4216         struct oob_data *data;
4217
4218         BT_DBG("%s", hdev->name);
4219
4220         hci_dev_lock(hdev);
4221
4222         if (!hci_dev_test_flag(hdev, HCI_MGMT))
4223                 goto unlock;
4224
4225         data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
4226         if (!data) {
4227                 struct hci_cp_remote_oob_data_neg_reply cp;
4228
4229                 bacpy(&cp.bdaddr, &ev->bdaddr);
4230                 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
4231                              sizeof(cp), &cp);
4232                 goto unlock;
4233         }
4234
4235         if (bredr_sc_enabled(hdev)) {
4236                 struct hci_cp_remote_oob_ext_data_reply cp;
4237
4238                 bacpy(&cp.bdaddr, &ev->bdaddr);
4239                 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
4240                         memset(cp.hash192, 0, sizeof(cp.hash192));
4241                         memset(cp.rand192, 0, sizeof(cp.rand192));
4242                 } else {
4243                         memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
4244                         memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
4245                 }
4246                 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
4247                 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
4248
4249                 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
4250                              sizeof(cp), &cp);
4251         } else {
4252                 struct hci_cp_remote_oob_data_reply cp;
4253
4254                 bacpy(&cp.bdaddr, &ev->bdaddr);
4255                 memcpy(cp.hash, data->hash192, sizeof(cp.hash));
4256                 memcpy(cp.rand, data->rand192, sizeof(cp.rand));
4257
4258                 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
4259                              sizeof(cp), &cp);
4260         }
4261
4262 unlock:
4263         hci_dev_unlock(hdev);
4264 }
4265
4266 static void hci_phy_link_complete_evt(struct hci_dev *hdev,
4267                                       struct sk_buff *skb)
4268 {
4269         struct hci_ev_phy_link_complete *ev = (void *) skb->data;
4270         struct hci_conn *hcon, *bredr_hcon;
4271
4272         BT_DBG("%s handle 0x%2.2x status 0x%2.2x", hdev->name, ev->phy_handle,
4273                ev->status);
4274
4275         hci_dev_lock(hdev);
4276
4277         hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4278         if (!hcon) {
4279                 hci_dev_unlock(hdev);
4280                 return;
4281         }
4282
4283         if (ev->status) {
4284                 hci_conn_del(hcon);
4285                 hci_dev_unlock(hdev);
4286                 return;
4287         }
4288
4289         bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
4290
4291         hcon->state = BT_CONNECTED;
4292         bacpy(&hcon->dst, &bredr_hcon->dst);
4293
4294         hci_conn_hold(hcon);
4295         hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
4296         hci_conn_drop(hcon);
4297
4298         hci_debugfs_create_conn(hcon);
4299         hci_conn_add_sysfs(hcon);
4300
4301         amp_physical_cfm(bredr_hcon, hcon);
4302
4303         hci_dev_unlock(hdev);
4304 }
4305
4306 static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4307 {
4308         struct hci_ev_logical_link_complete *ev = (void *) skb->data;
4309         struct hci_conn *hcon;
4310         struct hci_chan *hchan;
4311         struct amp_mgr *mgr;
4312
4313         BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
4314                hdev->name, le16_to_cpu(ev->handle), ev->phy_handle,
4315                ev->status);
4316
4317         hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4318         if (!hcon)
4319                 return;
4320
4321         /* Create AMP hchan */
4322         hchan = hci_chan_create(hcon);
4323         if (!hchan)
4324                 return;
4325
4326         hchan->handle = le16_to_cpu(ev->handle);
4327
4328         BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
4329
4330         mgr = hcon->amp_mgr;
4331         if (mgr && mgr->bredr_chan) {
4332                 struct l2cap_chan *bredr_chan = mgr->bredr_chan;
4333
4334                 l2cap_chan_lock(bredr_chan);
4335
4336                 bredr_chan->conn->mtu = hdev->block_mtu;
4337                 l2cap_logical_cfm(bredr_chan, hchan, 0);
4338                 hci_conn_hold(hcon);
4339
4340                 l2cap_chan_unlock(bredr_chan);
4341         }
4342 }
4343
4344 static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev,
4345                                              struct sk_buff *skb)
4346 {
4347         struct hci_ev_disconn_logical_link_complete *ev = (void *) skb->data;
4348         struct hci_chan *hchan;
4349
4350         BT_DBG("%s log handle 0x%4.4x status 0x%2.2x", hdev->name,
4351                le16_to_cpu(ev->handle), ev->status);
4352
4353         if (ev->status)
4354                 return;
4355
4356         hci_dev_lock(hdev);
4357
4358         hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
4359         if (!hchan)
4360                 goto unlock;
4361
4362         amp_destroy_logical_link(hchan, ev->reason);
4363
4364 unlock:
4365         hci_dev_unlock(hdev);
4366 }
4367
4368 static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev,
4369                                              struct sk_buff *skb)
4370 {
4371         struct hci_ev_disconn_phy_link_complete *ev = (void *) skb->data;
4372         struct hci_conn *hcon;
4373
4374         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4375
4376         if (ev->status)
4377                 return;
4378
4379         hci_dev_lock(hdev);
4380
4381         hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
4382         if (hcon) {
4383                 hcon->state = BT_CLOSED;
4384                 hci_conn_del(hcon);
4385         }
4386
4387         hci_dev_unlock(hdev);
4388 }
4389
4390 static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
4391 {
4392         struct hci_ev_le_conn_complete *ev = (void *) skb->data;
4393         struct hci_conn_params *params;
4394         struct hci_conn *conn;
4395         struct smp_irk *irk;
4396         u8 addr_type;
4397
4398         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4399
4400         hci_dev_lock(hdev);
4401
4402         /* All controllers implicitly stop advertising in the event of a
4403          * connection, so ensure that the state bit is cleared.
4404          */
4405         hci_dev_clear_flag(hdev, HCI_LE_ADV);
4406
4407         conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT);
4408         if (!conn) {
4409                 conn = hci_conn_add(hdev, LE_LINK, &ev->bdaddr, ev->role);
4410                 if (!conn) {
4411                         BT_ERR("No memory for new connection");
4412                         goto unlock;
4413                 }
4414
4415                 conn->dst_type = ev->bdaddr_type;
4416
4417                 /* If we didn't have a hci_conn object previously
4418                  * but we're in master role this must be something
4419                  * initiated using a white list. Since white list based
4420                  * connections are not "first class citizens" we don't
4421                  * have full tracking of them. Therefore, we go ahead
4422                  * with a "best effort" approach of determining the
4423                  * initiator address based on the HCI_PRIVACY flag.
4424                  */
4425                 if (conn->out) {
4426                         conn->resp_addr_type = ev->bdaddr_type;
4427                         bacpy(&conn->resp_addr, &ev->bdaddr);
4428                         if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
4429                                 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
4430                                 bacpy(&conn->init_addr, &hdev->rpa);
4431                         } else {
4432                                 hci_copy_identity_address(hdev,
4433                                                           &conn->init_addr,
4434                                                           &conn->init_addr_type);
4435                         }
4436                 }
4437         } else {
4438                 cancel_delayed_work(&conn->le_conn_timeout);
4439         }
4440
4441         if (!conn->out) {
4442                 /* Set the responder (our side) address type based on
4443                  * the advertising address type.
4444                  */
4445                 conn->resp_addr_type = hdev->adv_addr_type;
4446                 if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM)
4447                         bacpy(&conn->resp_addr, &hdev->random_addr);
4448                 else
4449                         bacpy(&conn->resp_addr, &hdev->bdaddr);
4450
4451                 conn->init_addr_type = ev->bdaddr_type;
4452                 bacpy(&conn->init_addr, &ev->bdaddr);
4453
4454                 /* For incoming connections, set the default minimum
4455                  * and maximum connection interval. They will be used
4456                  * to check if the parameters are in range and if not
4457                  * trigger the connection update procedure.
4458                  */
4459                 conn->le_conn_min_interval = hdev->le_conn_min_interval;
4460                 conn->le_conn_max_interval = hdev->le_conn_max_interval;
4461         }
4462
4463         /* Lookup the identity address from the stored connection
4464          * address and address type.
4465          *
4466          * When establishing connections to an identity address, the
4467          * connection procedure will store the resolvable random
4468          * address first. Now if it can be converted back into the
4469          * identity address, start using the identity address from
4470          * now on.
4471          */
4472         irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
4473         if (irk) {
4474                 bacpy(&conn->dst, &irk->bdaddr);
4475                 conn->dst_type = irk->addr_type;
4476         }
4477
4478         if (ev->status) {
4479                 hci_le_conn_failed(conn, ev->status);
4480                 goto unlock;
4481         }
4482
4483         if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
4484                 addr_type = BDADDR_LE_PUBLIC;
4485         else
4486                 addr_type = BDADDR_LE_RANDOM;
4487
4488         /* Drop the connection if the device is blocked */
4489         if (hci_bdaddr_list_lookup(&hdev->blacklist, &conn->dst, addr_type)) {
4490                 hci_conn_drop(conn);
4491                 goto unlock;
4492         }
4493
4494         if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
4495                 mgmt_device_connected(hdev, conn, 0, NULL, 0);
4496
4497         conn->sec_level = BT_SECURITY_LOW;
4498         conn->handle = __le16_to_cpu(ev->handle);
4499         conn->state = BT_CONNECTED;
4500
4501         conn->le_conn_interval = le16_to_cpu(ev->interval);
4502         conn->le_conn_latency = le16_to_cpu(ev->latency);
4503         conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
4504
4505         hci_debugfs_create_conn(conn);
4506         hci_conn_add_sysfs(conn);
4507
4508         hci_connect_cfm(conn, ev->status);
4509
4510         params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
4511                                            conn->dst_type);
4512         if (params) {
4513                 list_del_init(&params->action);
4514                 if (params->conn) {
4515                         hci_conn_drop(params->conn);
4516                         hci_conn_put(params->conn);
4517                         params->conn = NULL;
4518                 }
4519         }
4520
4521 unlock:
4522         hci_update_background_scan(hdev);
4523         hci_dev_unlock(hdev);
4524 }
4525
4526 static void hci_le_conn_update_complete_evt(struct hci_dev *hdev,
4527                                             struct sk_buff *skb)
4528 {
4529         struct hci_ev_le_conn_update_complete *ev = (void *) skb->data;
4530         struct hci_conn *conn;
4531
4532         BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
4533
4534         if (ev->status)
4535                 return;
4536
4537         hci_dev_lock(hdev);
4538
4539         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4540         if (conn) {
4541                 conn->le_conn_interval = le16_to_cpu(ev->interval);
4542                 conn->le_conn_latency = le16_to_cpu(ev->latency);
4543                 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
4544         }
4545
4546         hci_dev_unlock(hdev);
4547 }
4548
4549 /* This function requires the caller holds hdev->lock */
4550 static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
4551                                               bdaddr_t *addr,
4552                                               u8 addr_type, u8 adv_type)
4553 {
4554         struct hci_conn *conn;
4555         struct hci_conn_params *params;
4556
4557         /* If the event is not connectable don't proceed further */
4558         if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
4559                 return NULL;
4560
4561         /* Ignore if the device is blocked */
4562         if (hci_bdaddr_list_lookup(&hdev->blacklist, addr, addr_type))
4563                 return NULL;
4564
4565         /* Most controller will fail if we try to create new connections
4566          * while we have an existing one in slave role.
4567          */
4568         if (hdev->conn_hash.le_num_slave > 0)
4569                 return NULL;
4570
4571         /* If we're not connectable only connect devices that we have in
4572          * our pend_le_conns list.
4573          */
4574         params = hci_pend_le_action_lookup(&hdev->pend_le_conns,
4575                                            addr, addr_type);
4576         if (!params)
4577                 return NULL;
4578
4579         switch (params->auto_connect) {
4580         case HCI_AUTO_CONN_DIRECT:
4581                 /* Only devices advertising with ADV_DIRECT_IND are
4582                  * triggering a connection attempt. This is allowing
4583                  * incoming connections from slave devices.
4584                  */
4585                 if (adv_type != LE_ADV_DIRECT_IND)
4586                         return NULL;
4587                 break;
4588         case HCI_AUTO_CONN_ALWAYS:
4589                 /* Devices advertising with ADV_IND or ADV_DIRECT_IND
4590                  * are triggering a connection attempt. This means
4591                  * that incoming connectioms from slave device are
4592                  * accepted and also outgoing connections to slave
4593                  * devices are established when found.
4594                  */
4595                 break;
4596         default:
4597                 return NULL;
4598         }
4599
4600         conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW,
4601                               HCI_LE_AUTOCONN_TIMEOUT, HCI_ROLE_MASTER);
4602         if (!IS_ERR(conn)) {
4603                 /* Store the pointer since we don't really have any
4604                  * other owner of the object besides the params that
4605                  * triggered it. This way we can abort the connection if
4606                  * the parameters get removed and keep the reference
4607                  * count consistent once the connection is established.
4608                  */
4609                 params->conn = hci_conn_get(conn);
4610                 return conn;
4611         }
4612
4613         switch (PTR_ERR(conn)) {
4614         case -EBUSY:
4615                 /* If hci_connect() returns -EBUSY it means there is already
4616                  * an LE connection attempt going on. Since controllers don't
4617                  * support more than one connection attempt at the time, we
4618                  * don't consider this an error case.
4619                  */
4620                 break;
4621         default:
4622                 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
4623                 return NULL;
4624         }
4625
4626         return NULL;
4627 }
4628
4629 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
4630                                u8 bdaddr_type, bdaddr_t *direct_addr,
4631                                u8 direct_addr_type, s8 rssi, u8 *data, u8 len)
4632 {
4633         struct discovery_state *d = &hdev->discovery;
4634         struct smp_irk *irk;
4635         struct hci_conn *conn;
4636         bool match;
4637         u32 flags;
4638
4639         /* If the direct address is present, then this report is from
4640          * a LE Direct Advertising Report event. In that case it is
4641          * important to see if the address is matching the local
4642          * controller address.
4643          */
4644         if (direct_addr) {
4645                 /* Only resolvable random addresses are valid for these
4646                  * kind of reports and others can be ignored.
4647                  */
4648                 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
4649                         return;
4650
4651                 /* If the controller is not using resolvable random
4652                  * addresses, then this report can be ignored.
4653                  */
4654                 if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
4655                         return;
4656
4657                 /* If the local IRK of the controller does not match
4658                  * with the resolvable random address provided, then
4659                  * this report can be ignored.
4660                  */
4661                 if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
4662                         return;
4663         }
4664
4665         /* Check if we need to convert to identity address */
4666         irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
4667         if (irk) {
4668                 bdaddr = &irk->bdaddr;
4669                 bdaddr_type = irk->addr_type;
4670         }
4671
4672         /* Check if we have been requested to connect to this device */
4673         conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type);
4674         if (conn && type == LE_ADV_IND) {
4675                 /* Store report for later inclusion by
4676                  * mgmt_device_connected
4677                  */
4678                 memcpy(conn->le_adv_data, data, len);
4679                 conn->le_adv_data_len = len;
4680         }
4681
4682         /* Passive scanning shouldn't trigger any device found events,
4683          * except for devices marked as CONN_REPORT for which we do send
4684          * device found events.
4685          */
4686         if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
4687                 if (type == LE_ADV_DIRECT_IND)
4688                         return;
4689
4690                 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
4691                                                bdaddr, bdaddr_type))
4692                         return;
4693
4694                 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
4695                         flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
4696                 else
4697                         flags = 0;
4698                 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4699                                   rssi, flags, data, len, NULL, 0);
4700                 return;
4701         }
4702
4703         /* When receiving non-connectable or scannable undirected
4704          * advertising reports, this means that the remote device is
4705          * not connectable and then clearly indicate this in the
4706          * device found event.
4707          *
4708          * When receiving a scan response, then there is no way to
4709          * know if the remote device is connectable or not. However
4710          * since scan responses are merged with a previously seen
4711          * advertising report, the flags field from that report
4712          * will be used.
4713          *
4714          * In the really unlikely case that a controller get confused
4715          * and just sends a scan response event, then it is marked as
4716          * not connectable as well.
4717          */
4718         if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND ||
4719             type == LE_ADV_SCAN_RSP)
4720                 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
4721         else
4722                 flags = 0;
4723
4724         /* If there's nothing pending either store the data from this
4725          * event or send an immediate device found event if the data
4726          * should not be stored for later.
4727          */
4728         if (!has_pending_adv_report(hdev)) {
4729                 /* If the report will trigger a SCAN_REQ store it for
4730                  * later merging.
4731                  */
4732                 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
4733                         store_pending_adv_report(hdev, bdaddr, bdaddr_type,
4734                                                  rssi, flags, data, len);
4735                         return;
4736                 }
4737
4738                 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4739                                   rssi, flags, data, len, NULL, 0);
4740                 return;
4741         }
4742
4743         /* Check if the pending report is for the same device as the new one */
4744         match = (!bacmp(bdaddr, &d->last_adv_addr) &&
4745                  bdaddr_type == d->last_adv_addr_type);
4746
4747         /* If the pending data doesn't match this report or this isn't a
4748          * scan response (e.g. we got a duplicate ADV_IND) then force
4749          * sending of the pending data.
4750          */
4751         if (type != LE_ADV_SCAN_RSP || !match) {
4752                 /* Send out whatever is in the cache, but skip duplicates */
4753                 if (!match)
4754                         mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
4755                                           d->last_adv_addr_type, NULL,
4756                                           d->last_adv_rssi, d->last_adv_flags,
4757                                           d->last_adv_data,
4758                                           d->last_adv_data_len, NULL, 0);
4759
4760                 /* If the new report will trigger a SCAN_REQ store it for
4761                  * later merging.
4762                  */
4763                 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
4764                         store_pending_adv_report(hdev, bdaddr, bdaddr_type,
4765                                                  rssi, flags, data, len);
4766                         return;
4767                 }
4768
4769                 /* The advertising reports cannot be merged, so clear
4770                  * the pending report and send out a device found event.
4771                  */
4772                 clear_pending_adv_report(hdev);
4773                 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
4774                                   rssi, flags, data, len, NULL, 0);
4775                 return;
4776         }
4777
4778         /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
4779          * the new event is a SCAN_RSP. We can therefore proceed with
4780          * sending a merged device found event.
4781          */
4782         mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
4783                           d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
4784                           d->last_adv_data, d->last_adv_data_len, data, len);
4785         clear_pending_adv_report(hdev);
4786 }
4787
4788 static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
4789 {
4790         u8 num_reports = skb->data[0];
4791         void *ptr = &skb->data[1];
4792
4793         hci_dev_lock(hdev);
4794
4795         while (num_reports--) {
4796                 struct hci_ev_le_advertising_info *ev = ptr;
4797                 s8 rssi;
4798
4799                 rssi = ev->data[ev->length];
4800                 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
4801                                    ev->bdaddr_type, NULL, 0, rssi,
4802                                    ev->data, ev->length);
4803
4804                 ptr += sizeof(*ev) + ev->length + 1;
4805         }
4806
4807         hci_dev_unlock(hdev);
4808 }
4809
4810 static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
4811 {
4812         struct hci_ev_le_ltk_req *ev = (void *) skb->data;
4813         struct hci_cp_le_ltk_reply cp;
4814         struct hci_cp_le_ltk_neg_reply neg;
4815         struct hci_conn *conn;
4816         struct smp_ltk *ltk;
4817
4818         BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle));
4819
4820         hci_dev_lock(hdev);
4821
4822         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4823         if (conn == NULL)
4824                 goto not_found;
4825
4826         ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
4827         if (!ltk)
4828                 goto not_found;
4829
4830         if (smp_ltk_is_sc(ltk)) {
4831                 /* With SC both EDiv and Rand are set to zero */
4832                 if (ev->ediv || ev->rand)
4833                         goto not_found;
4834         } else {
4835                 /* For non-SC keys check that EDiv and Rand match */
4836                 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
4837                         goto not_found;
4838         }
4839
4840         memcpy(cp.ltk, ltk->val, sizeof(ltk->val));
4841         cp.handle = cpu_to_le16(conn->handle);
4842
4843         conn->pending_sec_level = smp_ltk_sec_level(ltk);
4844
4845         conn->enc_key_size = ltk->enc_size;
4846
4847         hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
4848
4849         /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
4850          * temporary key used to encrypt a connection following
4851          * pairing. It is used during the Encrypted Session Setup to
4852          * distribute the keys. Later, security can be re-established
4853          * using a distributed LTK.
4854          */
4855         if (ltk->type == SMP_STK) {
4856                 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
4857                 list_del_rcu(&ltk->list);
4858                 kfree_rcu(ltk, rcu);
4859         } else {
4860                 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
4861         }
4862
4863         hci_dev_unlock(hdev);
4864
4865         return;
4866
4867 not_found:
4868         neg.handle = ev->handle;
4869         hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
4870         hci_dev_unlock(hdev);
4871 }
4872
4873 static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
4874                                       u8 reason)
4875 {
4876         struct hci_cp_le_conn_param_req_neg_reply cp;
4877
4878         cp.handle = cpu_to_le16(handle);
4879         cp.reason = reason;
4880
4881         hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
4882                      &cp);
4883 }
4884
4885 static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev,
4886                                              struct sk_buff *skb)
4887 {
4888         struct hci_ev_le_remote_conn_param_req *ev = (void *) skb->data;
4889         struct hci_cp_le_conn_param_req_reply cp;
4890         struct hci_conn *hcon;
4891         u16 handle, min, max, latency, timeout;
4892
4893         handle = le16_to_cpu(ev->handle);
4894         min = le16_to_cpu(ev->interval_min);
4895         max = le16_to_cpu(ev->interval_max);
4896         latency = le16_to_cpu(ev->latency);
4897         timeout = le16_to_cpu(ev->timeout);
4898
4899         hcon = hci_conn_hash_lookup_handle(hdev, handle);
4900         if (!hcon || hcon->state != BT_CONNECTED)
4901                 return send_conn_param_neg_reply(hdev, handle,
4902                                                  HCI_ERROR_UNKNOWN_CONN_ID);
4903
4904         if (hci_check_conn_params(min, max, latency, timeout))
4905                 return send_conn_param_neg_reply(hdev, handle,
4906                                                  HCI_ERROR_INVALID_LL_PARAMS);
4907
4908         if (hcon->role == HCI_ROLE_MASTER) {
4909                 struct hci_conn_params *params;
4910                 u8 store_hint;
4911
4912                 hci_dev_lock(hdev);
4913
4914                 params = hci_conn_params_lookup(hdev, &hcon->dst,
4915                                                 hcon->dst_type);
4916                 if (params) {
4917                         params->conn_min_interval = min;
4918                         params->conn_max_interval = max;
4919                         params->conn_latency = latency;
4920                         params->supervision_timeout = timeout;
4921                         store_hint = 0x01;
4922                 } else{
4923                         store_hint = 0x00;
4924                 }
4925
4926                 hci_dev_unlock(hdev);
4927
4928                 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
4929                                     store_hint, min, max, latency, timeout);
4930         }
4931
4932         cp.handle = ev->handle;
4933         cp.interval_min = ev->interval_min;
4934         cp.interval_max = ev->interval_max;
4935         cp.latency = ev->latency;
4936         cp.timeout = ev->timeout;
4937         cp.min_ce_len = 0;
4938         cp.max_ce_len = 0;
4939
4940         hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
4941 }
4942
4943 static void hci_le_direct_adv_report_evt(struct hci_dev *hdev,
4944                                          struct sk_buff *skb)
4945 {
4946         u8 num_reports = skb->data[0];
4947         void *ptr = &skb->data[1];
4948
4949         hci_dev_lock(hdev);
4950
4951         while (num_reports--) {
4952                 struct hci_ev_le_direct_adv_info *ev = ptr;
4953
4954                 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
4955                                    ev->bdaddr_type, &ev->direct_addr,
4956                                    ev->direct_addr_type, ev->rssi, NULL, 0);
4957
4958                 ptr += sizeof(*ev);
4959         }
4960
4961         hci_dev_unlock(hdev);
4962 }
4963
4964 static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
4965 {
4966         struct hci_ev_le_meta *le_ev = (void *) skb->data;
4967
4968         skb_pull(skb, sizeof(*le_ev));
4969
4970         switch (le_ev->subevent) {
4971         case HCI_EV_LE_CONN_COMPLETE:
4972                 hci_le_conn_complete_evt(hdev, skb);
4973                 break;
4974
4975         case HCI_EV_LE_CONN_UPDATE_COMPLETE:
4976                 hci_le_conn_update_complete_evt(hdev, skb);
4977                 break;
4978
4979         case HCI_EV_LE_ADVERTISING_REPORT:
4980                 hci_le_adv_report_evt(hdev, skb);
4981                 break;
4982
4983         case HCI_EV_LE_LTK_REQ:
4984                 hci_le_ltk_request_evt(hdev, skb);
4985                 break;
4986
4987         case HCI_EV_LE_REMOTE_CONN_PARAM_REQ:
4988                 hci_le_remote_conn_param_req_evt(hdev, skb);
4989                 break;
4990
4991         case HCI_EV_LE_DIRECT_ADV_REPORT:
4992                 hci_le_direct_adv_report_evt(hdev, skb);
4993                 break;
4994
4995         default:
4996                 break;
4997         }
4998 }
4999
5000 static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb)
5001 {
5002         struct hci_ev_channel_selected *ev = (void *) skb->data;
5003         struct hci_conn *hcon;
5004
5005         BT_DBG("%s handle 0x%2.2x", hdev->name, ev->phy_handle);
5006
5007         skb_pull(skb, sizeof(*ev));
5008
5009         hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5010         if (!hcon)
5011                 return;
5012
5013         amp_read_loc_assoc_final_data(hdev, hcon);
5014 }
5015
5016 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
5017 {
5018         struct hci_event_hdr *hdr = (void *) skb->data;
5019         __u8 event = hdr->evt;
5020
5021         hci_dev_lock(hdev);
5022
5023         /* Received events are (currently) only needed when a request is
5024          * ongoing so avoid unnecessary memory allocation.
5025          */
5026         if (hci_req_pending(hdev)) {
5027                 kfree_skb(hdev->recv_evt);
5028                 hdev->recv_evt = skb_clone(skb, GFP_KERNEL);
5029         }
5030
5031         hci_dev_unlock(hdev);
5032
5033         skb_pull(skb, HCI_EVENT_HDR_SIZE);
5034
5035         if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->req_event == event) {
5036                 struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data;
5037                 u16 opcode = __le16_to_cpu(cmd_hdr->opcode);
5038
5039                 hci_req_cmd_complete(hdev, opcode, 0);
5040         }
5041
5042         switch (event) {
5043         case HCI_EV_INQUIRY_COMPLETE:
5044                 hci_inquiry_complete_evt(hdev, skb);
5045                 break;
5046
5047         case HCI_EV_INQUIRY_RESULT:
5048                 hci_inquiry_result_evt(hdev, skb);
5049                 break;
5050
5051         case HCI_EV_CONN_COMPLETE:
5052                 hci_conn_complete_evt(hdev, skb);
5053                 break;
5054
5055         case HCI_EV_CONN_REQUEST:
5056                 hci_conn_request_evt(hdev, skb);
5057                 break;
5058
5059         case HCI_EV_DISCONN_COMPLETE:
5060                 hci_disconn_complete_evt(hdev, skb);
5061                 break;
5062
5063         case HCI_EV_AUTH_COMPLETE:
5064                 hci_auth_complete_evt(hdev, skb);
5065                 break;
5066
5067         case HCI_EV_REMOTE_NAME:
5068                 hci_remote_name_evt(hdev, skb);
5069                 break;
5070
5071         case HCI_EV_ENCRYPT_CHANGE:
5072                 hci_encrypt_change_evt(hdev, skb);
5073                 break;
5074
5075         case HCI_EV_CHANGE_LINK_KEY_COMPLETE:
5076                 hci_change_link_key_complete_evt(hdev, skb);
5077                 break;
5078
5079         case HCI_EV_REMOTE_FEATURES:
5080                 hci_remote_features_evt(hdev, skb);
5081                 break;
5082
5083         case HCI_EV_CMD_COMPLETE:
5084                 hci_cmd_complete_evt(hdev, skb);
5085                 break;
5086
5087         case HCI_EV_CMD_STATUS:
5088                 hci_cmd_status_evt(hdev, skb);
5089                 break;
5090
5091         case HCI_EV_HARDWARE_ERROR:
5092                 hci_hardware_error_evt(hdev, skb);
5093                 break;
5094
5095         case HCI_EV_ROLE_CHANGE:
5096                 hci_role_change_evt(hdev, skb);
5097                 break;
5098
5099         case HCI_EV_NUM_COMP_PKTS:
5100                 hci_num_comp_pkts_evt(hdev, skb);
5101                 break;
5102
5103         case HCI_EV_MODE_CHANGE:
5104                 hci_mode_change_evt(hdev, skb);
5105                 break;
5106
5107         case HCI_EV_PIN_CODE_REQ:
5108                 hci_pin_code_request_evt(hdev, skb);
5109                 break;
5110
5111         case HCI_EV_LINK_KEY_REQ:
5112                 hci_link_key_request_evt(hdev, skb);
5113                 break;
5114
5115         case HCI_EV_LINK_KEY_NOTIFY:
5116                 hci_link_key_notify_evt(hdev, skb);
5117                 break;
5118
5119         case HCI_EV_CLOCK_OFFSET:
5120                 hci_clock_offset_evt(hdev, skb);
5121                 break;
5122
5123         case HCI_EV_PKT_TYPE_CHANGE:
5124                 hci_pkt_type_change_evt(hdev, skb);
5125                 break;
5126
5127         case HCI_EV_PSCAN_REP_MODE:
5128                 hci_pscan_rep_mode_evt(hdev, skb);
5129                 break;
5130
5131         case HCI_EV_INQUIRY_RESULT_WITH_RSSI:
5132                 hci_inquiry_result_with_rssi_evt(hdev, skb);
5133                 break;
5134
5135         case HCI_EV_REMOTE_EXT_FEATURES:
5136                 hci_remote_ext_features_evt(hdev, skb);
5137                 break;
5138
5139         case HCI_EV_SYNC_CONN_COMPLETE:
5140                 hci_sync_conn_complete_evt(hdev, skb);
5141                 break;
5142
5143         case HCI_EV_EXTENDED_INQUIRY_RESULT:
5144                 hci_extended_inquiry_result_evt(hdev, skb);
5145                 break;
5146
5147         case HCI_EV_KEY_REFRESH_COMPLETE:
5148                 hci_key_refresh_complete_evt(hdev, skb);
5149                 break;
5150
5151         case HCI_EV_IO_CAPA_REQUEST:
5152                 hci_io_capa_request_evt(hdev, skb);
5153                 break;
5154
5155         case HCI_EV_IO_CAPA_REPLY:
5156                 hci_io_capa_reply_evt(hdev, skb);
5157                 break;
5158
5159         case HCI_EV_USER_CONFIRM_REQUEST:
5160                 hci_user_confirm_request_evt(hdev, skb);
5161                 break;
5162
5163         case HCI_EV_USER_PASSKEY_REQUEST:
5164                 hci_user_passkey_request_evt(hdev, skb);
5165                 break;
5166
5167         case HCI_EV_USER_PASSKEY_NOTIFY:
5168                 hci_user_passkey_notify_evt(hdev, skb);
5169                 break;
5170
5171         case HCI_EV_KEYPRESS_NOTIFY:
5172                 hci_keypress_notify_evt(hdev, skb);
5173                 break;
5174
5175         case HCI_EV_SIMPLE_PAIR_COMPLETE:
5176                 hci_simple_pair_complete_evt(hdev, skb);
5177                 break;
5178
5179         case HCI_EV_REMOTE_HOST_FEATURES:
5180                 hci_remote_host_features_evt(hdev, skb);
5181                 break;
5182
5183         case HCI_EV_LE_META:
5184                 hci_le_meta_evt(hdev, skb);
5185                 break;
5186
5187         case HCI_EV_CHANNEL_SELECTED:
5188                 hci_chan_selected_evt(hdev, skb);
5189                 break;
5190
5191         case HCI_EV_REMOTE_OOB_DATA_REQUEST:
5192                 hci_remote_oob_data_request_evt(hdev, skb);
5193                 break;
5194
5195         case HCI_EV_PHY_LINK_COMPLETE:
5196                 hci_phy_link_complete_evt(hdev, skb);
5197                 break;
5198
5199         case HCI_EV_LOGICAL_LINK_COMPLETE:
5200                 hci_loglink_complete_evt(hdev, skb);
5201                 break;
5202
5203         case HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE:
5204                 hci_disconn_loglink_complete_evt(hdev, skb);
5205                 break;
5206
5207         case HCI_EV_DISCONN_PHY_LINK_COMPLETE:
5208                 hci_disconn_phylink_complete_evt(hdev, skb);
5209                 break;
5210
5211         case HCI_EV_NUM_COMP_BLOCKS:
5212                 hci_num_comp_blocks_evt(hdev, skb);
5213                 break;
5214
5215         default:
5216                 BT_DBG("%s event 0x%2.2x", hdev->name, event);
5217                 break;
5218         }
5219
5220         kfree_skb(skb);
5221         hdev->stat.evt_rx++;
5222 }
Unnamed repository; edit this file 'description' to name the repository.