projects / linux-2.6-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: hci_sync: Enable advertising when LL privacy is enabled
[linux-2.6-block.git] / net / bluetooth / hci_event.c
CommitLineData
8e87d142 1/*
1da177e4 2 BlueZ - Bluetooth protocol stack for Linux
2d0a0346 3 Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
1da177e4
LT		 4
5 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License version 2 as
9 published by the Free Software Foundation;
10
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142
YH		 15 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4
LT		 18 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19
8e87d142
YH		 20 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4
LT		 22 SOFTWARE IS DISCLAIMED.
23*/
24
25/* Bluetooth HCI event handling. */
26
1da177e4
LT		 27#include <asm/unaligned.h>
28
29#include <net/bluetooth/bluetooth.h>
30#include <net/bluetooth/hci_core.h>
f0d6a0ea 31#include <net/bluetooth/mgmt.h>
7ef9fbf0 32
0857dd3b 33#include "hci_request.h"
23b9ceb7 34#include "hci_debugfs.h"
7024728e 35#include "a2mp.h"
7ef9fbf0 36#include "amp.h"
2ceba539 37#include "smp.h"
145373cb 38#include "msft.h"
01ce70b0 39#include "eir.h"
1da177e4 40
aa5b0345
MH		 41#define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
42 "\x00\x00\x00\x00\x00\x00\x00\x00"
43
c45074d6
LAD		 44#define secs_to_jiffies(_secs) msecs_to_jiffies((_secs) * 1000)
45
1da177e4
LT		 46/* Handle HCI Event packets */
47
adf1d692
SS		 48static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb,
49 u8 *new_status)
1da177e4 50{
a9de9248 51 __u8 status = *((__u8 *) skb->data);
1da177e4 52
9f1db00c 53 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1da177e4 54
adf1d692
SS		 55 /* It is possible that we receive Inquiry Complete event right
56 * before we receive Inquiry Cancel Command Complete event, in
57 * which case the latter event should have status of Command
58 * Disallowed (0x0c). This should not be treated as error, since
59 * we actually achieve what Inquiry Cancel wants to achieve,
60 * which is to end the last Inquiry session.
61 */
62 if (status == 0x0c && !test_bit(HCI_INQUIRY, &hdev->flags)) {
63 bt_dev_warn(hdev, "Ignoring error of Inquiry Cancel command");
64 status = 0x00;
65 }
66
67 *new_status = status;
68
82f4785c 69 if (status)
a9de9248 70 return;
1da177e4 71
89352e7d 72 clear_bit(HCI_INQUIRY, &hdev->flags);
4e857c58 73 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
3e13fa1e 74 wake_up_bit(&hdev->flags, HCI_INQUIRY);
89352e7d 75
50143a43 76 hci_dev_lock(hdev);
168b8a25
JP		 77 /* Set discovery state to stopped if we're not doing LE active
78 * scanning.
79 */
80 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
81 hdev->le_scan_type != LE_SCAN_ACTIVE)
82 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
50143a43
JH		 83 hci_dev_unlock(hdev);
84
a9de9248
MH		 85 hci_conn_check_pending(hdev);
86}
6bd57416 87
4d93483b
AG		 88static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
89{
90 __u8 status = *((__u8 *) skb->data);
91
9f1db00c 92 BT_DBG("%s status 0x%2.2x", hdev->name, status);
ae854a70
AG		 93
94 if (status)
95 return;
96
a1536da2 97 hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);
4d93483b
AG		 98}
99
a9de9248
MH		 100static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
101{
102 __u8 status = *((__u8 *) skb->data);
6bd57416 103
9f1db00c 104 BT_DBG("%s status 0x%2.2x", hdev->name, status);
6bd57416 105
a9de9248
MH		 106 if (status)
107 return;
1da177e4 108
a358dc11 109 hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);
ae854a70 110
a9de9248
MH		 111 hci_conn_check_pending(hdev);
112}
113
807deac2
GP		 114static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev,
115 struct sk_buff *skb)
a9de9248
MH		 116{
117 BT_DBG("%s", hdev->name);
118}
119
120static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb)
121{
122 struct hci_rp_role_discovery *rp = (void *) skb->data;
123 struct hci_conn *conn;
124
9f1db00c 125 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
a9de9248
MH		 126
127 if (rp->status)
128 return;
129
130 hci_dev_lock(hdev);
131
132 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
40bef302
JH		 133 if (conn)
134 conn->role = rp->role;
a9de9248
MH		 135
136 hci_dev_unlock(hdev);
1da177e4
LT		 137}
138
e4e8e37c
MH		 139static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
140{
141 struct hci_rp_read_link_policy *rp = (void *) skb->data;
142 struct hci_conn *conn;
143
9f1db00c 144 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
e4e8e37c
MH		 145
146 if (rp->status)
147 return;
148
149 hci_dev_lock(hdev);
150
151 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
152 if (conn)
153 conn->link_policy = __le16_to_cpu(rp->policy);
154
155 hci_dev_unlock(hdev);
156}
157
a9de9248 158static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
1da177e4 159{
a9de9248 160 struct hci_rp_write_link_policy *rp = (void *) skb->data;
1da177e4 161 struct hci_conn *conn;
04837f64 162 void *sent;
1da177e4 163
9f1db00c 164 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1da177e4 165
a9de9248
MH		 166 if (rp->status)
167 return;
1da177e4 168
a9de9248
MH		 169 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
170 if (!sent)
171 return;
1da177e4 172
a9de9248 173 hci_dev_lock(hdev);
1da177e4 174
a9de9248 175 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
e4e8e37c 176 if (conn)
83985319 177 conn->link_policy = get_unaligned_le16(sent + 2);
1da177e4 178
a9de9248
MH		 179 hci_dev_unlock(hdev);
180}
1da177e4 181
807deac2
GP		 182static void hci_cc_read_def_link_policy(struct hci_dev *hdev,
183 struct sk_buff *skb)
e4e8e37c
MH		 184{
185 struct hci_rp_read_def_link_policy *rp = (void *) skb->data;
186
9f1db00c 187 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
e4e8e37c
MH		 188
189 if (rp->status)
190 return;
191
192 hdev->link_policy = __le16_to_cpu(rp->policy);
193}
194
807deac2
GP		 195static void hci_cc_write_def_link_policy(struct hci_dev *hdev,
196 struct sk_buff *skb)
e4e8e37c
MH		 197{
198 __u8 status = *((__u8 *) skb->data);
199 void *sent;
200
9f1db00c 201 BT_DBG("%s status 0x%2.2x", hdev->name, status);
e4e8e37c 202
45296acd
MH		 203 if (status)
204 return;
205
e4e8e37c
MH		 206 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
207 if (!sent)
208 return;
209
45296acd 210 hdev->link_policy = get_unaligned_le16(sent);
e4e8e37c
MH		 211}
212
a9de9248
MH		 213static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb)
214{
215 __u8 status = *((__u8 *) skb->data);
04837f64 216
9f1db00c 217 BT_DBG("%s status 0x%2.2x", hdev->name, status);
04837f64 218
10572132
GP		 219 clear_bit(HCI_RESET, &hdev->flags);
220
8761f9d6
MH		 221 if (status)
222 return;
223
a297e97c 224 /* Reset all non-persistent flags */
eacb44df 225 hci_dev_clear_volatile_flags(hdev);
69775ff6 226
39c5d970
JH		 227 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
228
bbaf444a
JH		 229 hdev->inq_tx_power = HCI_TX_POWER_INVALID;
230 hdev->adv_tx_power = HCI_TX_POWER_INVALID;
3f0f524b
JH		 231
232 memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
233 hdev->adv_data_len = 0;
f8e808bd
MH		 234
235 memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
236 hdev->scan_rsp_data_len = 0;
06f5b778 237
533553f8
MH		 238 hdev->le_scan_type = LE_SCAN_PASSIVE;
239
06f5b778 240 hdev->ssp_debug_mode = 0;
a4d5504d 241
3d4f9c00 242 hci_bdaddr_list_clear(&hdev->le_accept_list);
cfdb0c2d 243 hci_bdaddr_list_clear(&hdev->le_resolv_list);
a9de9248 244}
04837f64 245
c2f0f979
MH		 246static void hci_cc_read_stored_link_key(struct hci_dev *hdev,
247 struct sk_buff *skb)
248{
249 struct hci_rp_read_stored_link_key *rp = (void *)skb->data;
250 struct hci_cp_read_stored_link_key *sent;
251
252 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
253
254 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
255 if (!sent)
256 return;
257
258 if (!rp->status && sent->read_all == 0x01) {
259 hdev->stored_max_keys = rp->max_keys;
260 hdev->stored_num_keys = rp->num_keys;
261 }
262}
263
a9366120
MH		 264static void hci_cc_delete_stored_link_key(struct hci_dev *hdev,
265 struct sk_buff *skb)
266{
267 struct hci_rp_delete_stored_link_key *rp = (void *)skb->data;
268
269 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
270
271 if (rp->status)
272 return;
273
274 if (rp->num_keys <= hdev->stored_num_keys)
275 hdev->stored_num_keys -= rp->num_keys;
276 else
277 hdev->stored_num_keys = 0;
278}
279
a9de9248
MH		 280static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb)
281{
282 __u8 status = *((__u8 *) skb->data);
283 void *sent;
04837f64 284
9f1db00c 285 BT_DBG("%s status 0x%2.2x", hdev->name, status);
04837f64 286
a9de9248
MH		 287 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
288 if (!sent)
289 return;
04837f64 290
56e5cb86
JH		 291 hci_dev_lock(hdev);
292
d7a5a11d 293 if (hci_dev_test_flag(hdev, HCI_MGMT))
f51d5b24 294 mgmt_set_local_name_complete(hdev, sent, status);
28cc7bde
JH		 295 else if (!status)
296 memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
f51d5b24 297
56e5cb86 298 hci_dev_unlock(hdev);
a9de9248
MH		 299}
300
301static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)
302{
303 struct hci_rp_read_local_name *rp = (void *) skb->data;
304
9f1db00c 305 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
a9de9248
MH		 306
307 if (rp->status)
308 return;
309
d7a5a11d
MH		 310 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
311 hci_dev_test_flag(hdev, HCI_CONFIG))
db99b5fc 312 memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
a9de9248
MH		 313}
314
315static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb)
316{
317 __u8 status = *((__u8 *) skb->data);
318 void *sent;
319
9f1db00c 320 BT_DBG("%s status 0x%2.2x", hdev->name, status);
a9de9248
MH		 321
322 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
323 if (!sent)
324 return;
325
5c1a4c8f
JK		 326 hci_dev_lock(hdev);
327
a9de9248
MH		 328 if (!status) {
329 __u8 param = *((__u8 *) sent);
330
331 if (param == AUTH_ENABLED)
332 set_bit(HCI_AUTH, &hdev->flags);
333 else
334 clear_bit(HCI_AUTH, &hdev->flags);
1da177e4 335 }
a9de9248 336
d7a5a11d 337 if (hci_dev_test_flag(hdev, HCI_MGMT))
33ef95ed 338 mgmt_auth_enable_complete(hdev, status);
5c1a4c8f
JK		 339
340 hci_dev_unlock(hdev);
1da177e4
LT		 341}
342
a9de9248 343static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb)
1da177e4 344{
a9de9248 345 __u8 status = *((__u8 *) skb->data);
45296acd 346 __u8 param;
1da177e4
LT		 347 void *sent;
348
9f1db00c 349 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1da177e4 350
45296acd
MH		 351 if (status)
352 return;
353
a9de9248
MH		 354 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
355 if (!sent)
356 return;
1da177e4 357
45296acd 358 param = *((__u8 *) sent);
a9de9248 359
45296acd
MH		 360 if (param)
361 set_bit(HCI_ENCRYPT, &hdev->flags);
362 else
363 clear_bit(HCI_ENCRYPT, &hdev->flags);
a9de9248 364}
1da177e4 365
a9de9248
MH		 366static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb)
367{
45296acd
MH		 368 __u8 status = *((__u8 *) skb->data);
369 __u8 param;
a9de9248 370 void *sent;
1da177e4 371
9f1db00c 372 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1da177e4 373
a9de9248
MH		 374 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
375 if (!sent)
376 return;
1da177e4 377
36f7fc7e
JH		 378 param = *((__u8 *) sent);
379
56e5cb86
JH		 380 hci_dev_lock(hdev);
381
fa1bd918 382 if (status) {
2d7cee58
JH		 383 hdev->discov_timeout = 0;
384 goto done;
385 }
386
bc6d2d04 387 if (param & SCAN_INQUIRY)
36f7fc7e 388 set_bit(HCI_ISCAN, &hdev->flags);
bc6d2d04
JH		 389 else
390 clear_bit(HCI_ISCAN, &hdev->flags);
36f7fc7e 391
031547d8 392 if (param & SCAN_PAGE)
36f7fc7e 393 set_bit(HCI_PSCAN, &hdev->flags);
bc6d2d04 394 else
204e3990 395 clear_bit(HCI_PSCAN, &hdev->flags);
1da177e4 396
36f7fc7e 397done:
56e5cb86 398 hci_dev_unlock(hdev);
a9de9248 399}
1da177e4 400
e5b0ad69
APS		 401static void hci_cc_set_event_filter(struct hci_dev *hdev, struct sk_buff *skb)
402{
403 __u8 status = *((__u8 *)skb->data);
404 struct hci_cp_set_event_filter *cp;
405 void *sent;
406
407 BT_DBG("%s status 0x%2.2x", hdev->name, status);
408
409 if (status)
410 return;
411
412 sent = hci_sent_cmd_data(hdev, HCI_OP_SET_EVENT_FLT);
413 if (!sent)
414 return;
415
416 cp = (struct hci_cp_set_event_filter *)sent;
417
418 if (cp->flt_type == HCI_FLT_CLEAR_ALL)
419 hci_dev_clear_flag(hdev, HCI_EVENT_FILTER_CONFIGURED);
420 else
421 hci_dev_set_flag(hdev, HCI_EVENT_FILTER_CONFIGURED);
422}
423
a9de9248
MH		 424static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
425{
426 struct hci_rp_read_class_of_dev *rp = (void *) skb->data;
1da177e4 427
9f1db00c 428 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1da177e4 429
a9de9248
MH		 430 if (rp->status)
431 return;
1da177e4 432
a9de9248 433 memcpy(hdev->dev_class, rp->dev_class, 3);
1da177e4 434
a9de9248 435 BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name,
807deac2 436 hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]);
a9de9248 437}
1da177e4 438
a9de9248
MH		 439static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
440{
441 __u8 status = *((__u8 *) skb->data);
442 void *sent;
1da177e4 443
9f1db00c 444 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1da177e4 445
a9de9248
MH		 446 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
447 if (!sent)
448 return;
1da177e4 449
7f9a903c
MH		 450 hci_dev_lock(hdev);
451
452 if (status == 0)
453 memcpy(hdev->dev_class, sent, 3);
454
d7a5a11d 455 if (hci_dev_test_flag(hdev, HCI_MGMT))
7f9a903c
MH		 456 mgmt_set_class_of_dev_complete(hdev, sent, status);
457
458 hci_dev_unlock(hdev);
a9de9248 459}
1da177e4 460
a9de9248
MH		 461static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb)
462{
463 struct hci_rp_read_voice_setting *rp = (void *) skb->data;
464 __u16 setting;
465
9f1db00c 466 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
a9de9248
MH		 467
468 if (rp->status)
469 return;
470
471 setting = __le16_to_cpu(rp->voice_setting);
472
f383f275 473 if (hdev->voice_setting == setting)
a9de9248
MH		 474 return;
475
476 hdev->voice_setting = setting;
477
9f1db00c 478 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
a9de9248 479
3c54711c 480 if (hdev->notify)
a9de9248 481 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
a9de9248
MH		 482}
483
8fc9ced3
GP		 484static void hci_cc_write_voice_setting(struct hci_dev *hdev,
485 struct sk_buff *skb)
a9de9248
MH		 486{
487 __u8 status = *((__u8 *) skb->data);
f383f275 488 __u16 setting;
a9de9248
MH		 489 void *sent;
490
9f1db00c 491 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1da177e4 492
f383f275
MH		 493 if (status)
494 return;
495
a9de9248
MH		 496 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
497 if (!sent)
498 return;
1da177e4 499
f383f275 500 setting = get_unaligned_le16(sent);
1da177e4 501
f383f275
MH		 502 if (hdev->voice_setting == setting)
503 return;
504
505 hdev->voice_setting = setting;
1da177e4 506
9f1db00c 507 BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
1da177e4 508
3c54711c 509 if (hdev->notify)
f383f275 510 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
1da177e4
LT		 511}
512
b4cb9fb2
MH		 513static void hci_cc_read_num_supported_iac(struct hci_dev *hdev,
514 struct sk_buff *skb)
515{
516 struct hci_rp_read_num_supported_iac *rp = (void *) skb->data;
517
518 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
519
520 if (rp->status)
521 return;
522
523 hdev->num_iac = rp->num_iac;
524
525 BT_DBG("%s num iac %d", hdev->name, hdev->num_iac);
526}
527
333140b5
MH		 528static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
529{
530 __u8 status = *((__u8 *) skb->data);
5ed8eb2f 531 struct hci_cp_write_ssp_mode *sent;
333140b5 532
9f1db00c 533 BT_DBG("%s status 0x%2.2x", hdev->name, status);
333140b5 534
333140b5
MH		 535 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
536 if (!sent)
537 return;
538
5c1a4c8f
JK		 539 hci_dev_lock(hdev);
540
5ed8eb2f
JH		 541 if (!status) {
542 if (sent->mode)
cad718ed 543 hdev->features[1][0] |= LMP_HOST_SSP;
5ed8eb2f 544 else
cad718ed 545 hdev->features[1][0] &= ~LMP_HOST_SSP;
5ed8eb2f
JH		 546 }
547
d7a5a11d 548 if (hci_dev_test_flag(hdev, HCI_MGMT))
5ed8eb2f 549 mgmt_ssp_enable_complete(hdev, sent->mode, status);
c0ecddc2 550 else if (!status) {
5ed8eb2f 551 if (sent->mode)
a1536da2 552 hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
c0ecddc2 553 else
a358dc11 554 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
c0ecddc2 555 }
5c1a4c8f
JK		 556
557 hci_dev_unlock(hdev);
333140b5
MH		 558}
559
eac83dc6
MH		 560static void hci_cc_write_sc_support(struct hci_dev *hdev, struct sk_buff *skb)
561{
562 u8 status = *((u8 *) skb->data);
563 struct hci_cp_write_sc_support *sent;
564
565 BT_DBG("%s status 0x%2.2x", hdev->name, status);
566
567 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
568 if (!sent)
569 return;
570
5c1a4c8f
JK		 571 hci_dev_lock(hdev);
572
eac83dc6
MH		 573 if (!status) {
574 if (sent->support)
575 hdev->features[1][0] |= LMP_HOST_SC;
576 else
577 hdev->features[1][0] &= ~LMP_HOST_SC;
578 }
579
d7a5a11d 580 if (!hci_dev_test_flag(hdev, HCI_MGMT) && !status) {
eac83dc6 581 if (sent->support)
a1536da2 582 hci_dev_set_flag(hdev, HCI_SC_ENABLED);
eac83dc6 583 else
a358dc11 584 hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
eac83dc6 585 }
5c1a4c8f
JK		 586
587 hci_dev_unlock(hdev);
eac83dc6
MH		 588}
589
a9de9248
MH		 590static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb)
591{
592 struct hci_rp_read_local_version *rp = (void *) skb->data;
1143e5a6 593
9f1db00c 594 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1143e5a6 595
a9de9248 596 if (rp->status)
42c6b129 597 return;
1143e5a6 598
d7a5a11d
MH		 599 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
600 hci_dev_test_flag(hdev, HCI_CONFIG)) {
0d5551f5
MH		 601 hdev->hci_ver = rp->hci_ver;
602 hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
603 hdev->lmp_ver = rp->lmp_ver;
604 hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
605 hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
606 }
d5859e22
JH		 607}
608
8fc9ced3
GP		 609static void hci_cc_read_local_commands(struct hci_dev *hdev,
610 struct sk_buff *skb)
a9de9248
MH		 611{
612 struct hci_rp_read_local_commands *rp = (void *) skb->data;
1da177e4 613
9f1db00c 614 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1da177e4 615
6a070e6e
MH		 616 if (rp->status)
617 return;
618
d7a5a11d
MH		 619 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
620 hci_dev_test_flag(hdev, HCI_CONFIG))
2177bab5 621 memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
a9de9248 622}
1da177e4 623
302975cb
SRK		 624static void hci_cc_read_auth_payload_timeout(struct hci_dev *hdev,
625 struct sk_buff *skb)
626{
627 struct hci_rp_read_auth_payload_to *rp = (void *)skb->data;
628 struct hci_conn *conn;
629
630 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
631
632 if (rp->status)
633 return;
634
635 hci_dev_lock(hdev);
636
637 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
638 if (conn)
639 conn->auth_payload_timeout = __le16_to_cpu(rp->timeout);
640
641 hci_dev_unlock(hdev);
642}
643
644static void hci_cc_write_auth_payload_timeout(struct hci_dev *hdev,
645 struct sk_buff *skb)
646{
647 struct hci_rp_write_auth_payload_to *rp = (void *)skb->data;
648 struct hci_conn *conn;
649 void *sent;
650
651 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
652
653 if (rp->status)
654 return;
655
656 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO);
657 if (!sent)
658 return;
659
660 hci_dev_lock(hdev);
661
662 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
663 if (conn)
664 conn->auth_payload_timeout = get_unaligned_le16(sent + 2);
665
666 hci_dev_unlock(hdev);
667}
668
8fc9ced3
GP		 669static void hci_cc_read_local_features(struct hci_dev *hdev,
670 struct sk_buff *skb)
a9de9248
MH		 671{
672 struct hci_rp_read_local_features *rp = (void *) skb->data;
5b7f9909 673
9f1db00c 674 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1da177e4 675
a9de9248
MH		 676 if (rp->status)
677 return;
5b7f9909 678
a9de9248 679 memcpy(hdev->features, rp->features, 8);
5b7f9909 680
a9de9248
MH		 681 /* Adjust default settings according to features
682 * supported by device. */
1da177e4 683
cad718ed 684 if (hdev->features[0][0] & LMP_3SLOT)
a9de9248 685 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
1da177e4 686
cad718ed 687 if (hdev->features[0][0] & LMP_5SLOT)
a9de9248 688 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
1da177e4 689
cad718ed 690 if (hdev->features[0][1] & LMP_HV2) {
a9de9248
MH		 691 hdev->pkt_type |= (HCI_HV2);
692 hdev->esco_type |= (ESCO_HV2);
693 }
1da177e4 694
cad718ed 695 if (hdev->features[0][1] & LMP_HV3) {
a9de9248
MH		 696 hdev->pkt_type |= (HCI_HV3);
697 hdev->esco_type |= (ESCO_HV3);
698 }
1da177e4 699
45db810f 700 if (lmp_esco_capable(hdev))
a9de9248 701 hdev->esco_type |= (ESCO_EV3);
da1f5198 702
cad718ed 703 if (hdev->features[0][4] & LMP_EV4)
a9de9248 704 hdev->esco_type |= (ESCO_EV4);
da1f5198 705
cad718ed 706 if (hdev->features[0][4] & LMP_EV5)
a9de9248 707 hdev->esco_type |= (ESCO_EV5);
1da177e4 708
cad718ed 709 if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
efc7688b
MH		 710 hdev->esco_type |= (ESCO_2EV3);
711
cad718ed 712 if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
efc7688b
MH		 713 hdev->esco_type |= (ESCO_3EV3);
714
cad718ed 715 if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
efc7688b 716 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
a9de9248 717}
1da177e4 718
971e3a4b 719static void hci_cc_read_local_ext_features(struct hci_dev *hdev,
807deac2 720 struct sk_buff *skb)
971e3a4b
AG		 721{
722 struct hci_rp_read_local_ext_features *rp = (void *) skb->data;
723
9f1db00c 724 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
971e3a4b
AG		 725
726 if (rp->status)
42c6b129 727 return;
971e3a4b 728
57af75a8
MH		 729 if (hdev->max_page < rp->max_page)
730 hdev->max_page = rp->max_page;
d2c5d77f 731
cad718ed
JH		 732 if (rp->page < HCI_MAX_PAGES)
733 memcpy(hdev->features[rp->page], rp->features, 8);
971e3a4b
AG		 734}
735
1e89cffb 736static void hci_cc_read_flow_control_mode(struct hci_dev *hdev,
807deac2 737 struct sk_buff *skb)
1e89cffb
AE		 738{
739 struct hci_rp_read_flow_control_mode *rp = (void *) skb->data;
740
9f1db00c 741 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1e89cffb 742
45296acd
MH		 743 if (rp->status)
744 return;
745
746 hdev->flow_ctl_mode = rp->mode;
1e89cffb
AE		 747}
748
a9de9248
MH		 749static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)
750{
751 struct hci_rp_read_buffer_size *rp = (void *) skb->data;
1da177e4 752
9f1db00c 753 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1da177e4 754
a9de9248
MH		 755 if (rp->status)
756 return;
1da177e4 757
a9de9248
MH		 758 hdev->acl_mtu = __le16_to_cpu(rp->acl_mtu);
759 hdev->sco_mtu = rp->sco_mtu;
760 hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
761 hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
762
763 if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
764 hdev->sco_mtu = 64;
765 hdev->sco_pkts = 8;
1da177e4 766 }
a9de9248
MH		 767
768 hdev->acl_cnt = hdev->acl_pkts;
769 hdev->sco_cnt = hdev->sco_pkts;
770
807deac2
GP		 771 BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
772 hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
a9de9248
MH		 773}
774
775static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb)
776{
777 struct hci_rp_read_bd_addr *rp = (void *) skb->data;
778
9f1db00c 779 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
a9de9248 780
e30d3f5f
MH		 781 if (rp->status)
782 return;
783
784 if (test_bit(HCI_INIT, &hdev->flags))
a9de9248 785 bacpy(&hdev->bdaddr, &rp->bdaddr);
e30d3f5f 786
d7a5a11d 787 if (hci_dev_test_flag(hdev, HCI_SETUP))
e30d3f5f 788 bacpy(&hdev->setup_addr, &rp->bdaddr);
23bb5763
JH		 789}
790
a4790360
MH		 791static void hci_cc_read_local_pairing_opts(struct hci_dev *hdev,
792 struct sk_buff *skb)
793{
794 struct hci_rp_read_local_pairing_opts *rp = (void *) skb->data;
795
796 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
797
798 if (rp->status)
799 return;
800
801 if (hci_dev_test_flag(hdev, HCI_SETUP) ||
802 hci_dev_test_flag(hdev, HCI_CONFIG)) {
803 hdev->pairing_opts = rp->pairing_opts;
804 hdev->max_enc_key_size = rp->max_key_size;
805 }
806}
807
f332ec66
JH		 808static void hci_cc_read_page_scan_activity(struct hci_dev *hdev,
809 struct sk_buff *skb)
810{
811 struct hci_rp_read_page_scan_activity *rp = (void *) skb->data;
812
813 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
814
45296acd
MH		 815 if (rp->status)
816 return;
817
818 if (test_bit(HCI_INIT, &hdev->flags)) {
f332ec66
JH		 819 hdev->page_scan_interval = __le16_to_cpu(rp->interval);
820 hdev->page_scan_window = __le16_to_cpu(rp->window);
821 }
822}
823
4a3ee763
JH		 824static void hci_cc_write_page_scan_activity(struct hci_dev *hdev,
825 struct sk_buff *skb)
826{
827 u8 status = *((u8 *) skb->data);
828 struct hci_cp_write_page_scan_activity *sent;
829
830 BT_DBG("%s status 0x%2.2x", hdev->name, status);
831
832 if (status)
833 return;
834
835 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
836 if (!sent)
837 return;
838
839 hdev->page_scan_interval = __le16_to_cpu(sent->interval);
840 hdev->page_scan_window = __le16_to_cpu(sent->window);
841}
842
f332ec66
JH		 843static void hci_cc_read_page_scan_type(struct hci_dev *hdev,
844 struct sk_buff *skb)
845{
846 struct hci_rp_read_page_scan_type *rp = (void *) skb->data;
847
848 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
849
45296acd
MH		 850 if (rp->status)
851 return;
852
853 if (test_bit(HCI_INIT, &hdev->flags))
f332ec66
JH		 854 hdev->page_scan_type = rp->type;
855}
856
4a3ee763
JH		 857static void hci_cc_write_page_scan_type(struct hci_dev *hdev,
858 struct sk_buff *skb)
859{
860 u8 status = *((u8 *) skb->data);
861 u8 *type;
862
863 BT_DBG("%s status 0x%2.2x", hdev->name, status);
864
865 if (status)
866 return;
867
868 type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
869 if (type)
870 hdev->page_scan_type = *type;
871}
872
350ee4cf 873static void hci_cc_read_data_block_size(struct hci_dev *hdev,
807deac2 874 struct sk_buff *skb)
350ee4cf
AE		 875{
876 struct hci_rp_read_data_block_size *rp = (void *) skb->data;
877
9f1db00c 878 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
350ee4cf
AE		 879
880 if (rp->status)
881 return;
882
883 hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
884 hdev->block_len = __le16_to_cpu(rp->block_len);
885 hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
886
887 hdev->block_cnt = hdev->num_blocks;
888
889 BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
807deac2 890 hdev->block_cnt, hdev->block_len);
350ee4cf
AE		 891}
892
33f35721
JH		 893static void hci_cc_read_clock(struct hci_dev *hdev, struct sk_buff *skb)
894{
895 struct hci_rp_read_clock *rp = (void *) skb->data;
896 struct hci_cp_read_clock *cp;
897 struct hci_conn *conn;
898
899 BT_DBG("%s", hdev->name);
900
901 if (skb->len < sizeof(*rp))
902 return;
903
904 if (rp->status)
905 return;
906
907 hci_dev_lock(hdev);
908
909 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
910 if (!cp)
911 goto unlock;
912
913 if (cp->which == 0x00) {
914 hdev->clock = le32_to_cpu(rp->clock);
915 goto unlock;
916 }
917
918 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
919 if (conn) {
920 conn->clock = le32_to_cpu(rp->clock);
921 conn->clock_accuracy = le16_to_cpu(rp->accuracy);
922 }
923
924unlock:
925 hci_dev_unlock(hdev);
926}
927
928abaa7 928static void hci_cc_read_local_amp_info(struct hci_dev *hdev,
807deac2 929 struct sk_buff *skb)
928abaa7
AE		 930{
931 struct hci_rp_read_local_amp_info *rp = (void *) skb->data;
932
9f1db00c 933 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
928abaa7
AE		 934
935 if (rp->status)
83927882 936 return;
928abaa7
AE		 937
938 hdev->amp_status = rp->amp_status;
939 hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
940 hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
941 hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
942 hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
943 hdev->amp_type = rp->amp_type;
944 hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
945 hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
946 hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
947 hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
928abaa7
AE		 948}
949
d5859e22 950static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev,
807deac2 951 struct sk_buff *skb)
d5859e22 952{
91c4e9b1 953 struct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data;
d5859e22 954
9f1db00c 955 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
91c4e9b1 956
45296acd
MH		 957 if (rp->status)
958 return;
959
960 hdev->inq_tx_power = rp->tx_power;
d5859e22
JH		 961}
962
00bce3fb
AM		 963static void hci_cc_read_def_err_data_reporting(struct hci_dev *hdev,
964 struct sk_buff *skb)
965{
966 struct hci_rp_read_def_err_data_reporting *rp = (void *)skb->data;
967
968 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
969
970 if (rp->status)
971 return;
972
973 hdev->err_data_reporting = rp->err_data_reporting;
974}
975
976static void hci_cc_write_def_err_data_reporting(struct hci_dev *hdev,
977 struct sk_buff *skb)
978{
979 __u8 status = *((__u8 *)skb->data);
980 struct hci_cp_write_def_err_data_reporting *cp;
981
982 BT_DBG("%s status 0x%2.2x", hdev->name, status);
983
984 if (status)
985 return;
986
987 cp = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_ERR_DATA_REPORTING);
988 if (!cp)
989 return;
990
991 hdev->err_data_reporting = cp->err_data_reporting;
992}
993
980e1a53
JH		 994static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb)
995{
996 struct hci_rp_pin_code_reply *rp = (void *) skb->data;
997 struct hci_cp_pin_code_reply *cp;
998 struct hci_conn *conn;
999
9f1db00c 1000 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
980e1a53 1001
56e5cb86
JH		 1002 hci_dev_lock(hdev);
1003
d7a5a11d 1004 if (hci_dev_test_flag(hdev, HCI_MGMT))
744cf19e 1005 mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
980e1a53 1006
fa1bd918 1007 if (rp->status)
56e5cb86 1008 goto unlock;
980e1a53
JH		 1009
1010 cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
1011 if (!cp)
56e5cb86 1012 goto unlock;
980e1a53
JH		 1013
1014 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1015 if (conn)
1016 conn->pin_length = cp->pin_len;
56e5cb86
JH		 1017
1018unlock:
1019 hci_dev_unlock(hdev);
980e1a53
JH		 1020}
1021
1022static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)
1023{
1024 struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data;
1025
9f1db00c 1026 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
980e1a53 1027
56e5cb86
JH		 1028 hci_dev_lock(hdev);
1029
d7a5a11d 1030 if (hci_dev_test_flag(hdev, HCI_MGMT))
744cf19e 1031 mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
807deac2 1032 rp->status);
56e5cb86
JH		 1033
1034 hci_dev_unlock(hdev);
980e1a53 1035}
56e5cb86 1036
6ed58ec5
VT		 1037static void hci_cc_le_read_buffer_size(struct hci_dev *hdev,
1038 struct sk_buff *skb)
1039{
1040 struct hci_rp_le_read_buffer_size *rp = (void *) skb->data;
1041
9f1db00c 1042 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
6ed58ec5
VT		 1043
1044 if (rp->status)
1045 return;
1046
1047 hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
1048 hdev->le_pkts = rp->le_max_pkt;
1049
1050 hdev->le_cnt = hdev->le_pkts;
1051
1052 BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
6ed58ec5 1053}
980e1a53 1054
60e77321
JH		 1055static void hci_cc_le_read_local_features(struct hci_dev *hdev,
1056 struct sk_buff *skb)
1057{
1058 struct hci_rp_le_read_local_features *rp = (void *) skb->data;
1059
1060 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1061
45296acd
MH		 1062 if (rp->status)
1063 return;
1064
1065 memcpy(hdev->le_features, rp->features, 8);
60e77321
JH		 1066}
1067
8fa19098
JH		 1068static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev,
1069 struct sk_buff *skb)
1070{
1071 struct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data;
1072
1073 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1074
45296acd
MH		 1075 if (rp->status)
1076 return;
1077
1078 hdev->adv_tx_power = rp->tx_power;
8fa19098
JH		 1079}
1080
a5c29683
JH		 1081static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb)
1082{
1083 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
1084
9f1db00c 1085 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
a5c29683 1086
56e5cb86
JH		 1087 hci_dev_lock(hdev);
1088
d7a5a11d 1089 if (hci_dev_test_flag(hdev, HCI_MGMT))
04124681
GP		 1090 mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
1091 rp->status);
56e5cb86
JH		 1092
1093 hci_dev_unlock(hdev);
a5c29683
JH		 1094}
1095
1096static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev,
807deac2 1097 struct sk_buff *skb)
a5c29683
JH		 1098{
1099 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
1100
9f1db00c 1101 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
a5c29683 1102
56e5cb86
JH		 1103 hci_dev_lock(hdev);
1104
d7a5a11d 1105 if (hci_dev_test_flag(hdev, HCI_MGMT))
744cf19e 1106 mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
04124681 1107 ACL_LINK, 0, rp->status);
56e5cb86
JH		 1108
1109 hci_dev_unlock(hdev);
a5c29683
JH		 1110}
1111
1143d458
BG		 1112static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb)
1113{
1114 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
1115
9f1db00c 1116 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1143d458
BG		 1117
1118 hci_dev_lock(hdev);
1119
d7a5a11d 1120 if (hci_dev_test_flag(hdev, HCI_MGMT))
272d90df 1121 mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
04124681 1122 0, rp->status);
1143d458
BG		 1123
1124 hci_dev_unlock(hdev);
1125}
1126
1127static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev,
807deac2 1128 struct sk_buff *skb)
1143d458
BG		 1129{
1130 struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
1131
9f1db00c 1132 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1143d458
BG		 1133
1134 hci_dev_lock(hdev);
1135
d7a5a11d 1136 if (hci_dev_test_flag(hdev, HCI_MGMT))
1143d458 1137 mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
04124681 1138 ACL_LINK, 0, rp->status);
1143d458
BG		 1139
1140 hci_dev_unlock(hdev);
1141}
1142
4d2d2796
MH		 1143static void hci_cc_read_local_oob_data(struct hci_dev *hdev,
1144 struct sk_buff *skb)
c35938b2
SJ		 1145{
1146 struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
1147
9f1db00c 1148 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
4d2d2796
MH		 1149}
1150
1151static void hci_cc_read_local_oob_ext_data(struct hci_dev *hdev,
1152 struct sk_buff *skb)
1153{
1154 struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
1155
1156 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
c35938b2
SJ		 1157}
1158
7a4cd51d
MH		 1159static void hci_cc_le_set_random_addr(struct hci_dev *hdev, struct sk_buff *skb)
1160{
1161 __u8 status = *((__u8 *) skb->data);
1162 bdaddr_t *sent;
1163
1164 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1165
45296acd
MH		 1166 if (status)
1167 return;
1168
7a4cd51d
MH		 1169 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1170 if (!sent)
1171 return;
1172
1173 hci_dev_lock(hdev);
1174
45296acd 1175 bacpy(&hdev->random_addr, sent);
7a4cd51d 1176
c45074d6
LAD		 1177 if (!bacmp(&hdev->rpa, sent)) {
1178 hci_dev_clear_flag(hdev, HCI_RPA_EXPIRED);
1179 queue_delayed_work(hdev->workqueue, &hdev->rpa_expired,
1180 secs_to_jiffies(hdev->rpa_timeout));
1181 }
1182
7a4cd51d
MH		 1183 hci_dev_unlock(hdev);
1184}
1185
0314f286
JK		 1186static void hci_cc_le_set_default_phy(struct hci_dev *hdev, struct sk_buff *skb)
1187{
1188 __u8 status = *((__u8 *) skb->data);
1189 struct hci_cp_le_set_default_phy *cp;
1190
1191 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1192
1193 if (status)
1194 return;
1195
1196 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_DEFAULT_PHY);
1197 if (!cp)
1198 return;
1199
1200 hci_dev_lock(hdev);
1201
1202 hdev->le_tx_def_phys = cp->tx_phys;
1203 hdev->le_rx_def_phys = cp->rx_phys;
1204
1205 hci_dev_unlock(hdev);
1206}
1207
a73c046a
JK		 1208static void hci_cc_le_set_adv_set_random_addr(struct hci_dev *hdev,
1209 struct sk_buff *skb)
1210{
1211 __u8 status = *((__u8 *) skb->data);
1212 struct hci_cp_le_set_adv_set_rand_addr *cp;
c45074d6 1213 struct adv_info *adv;
a73c046a
JK		 1214
1215 if (status)
1216 return;
1217
1218 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_SET_RAND_ADDR);
c45074d6
LAD		 1219 /* Update only in case the adv instance since handle 0x00 shall be using
1220 * HCI_OP_LE_SET_RANDOM_ADDR since that allows both extended and
1221 * non-extended adverting.
1222 */
1223 if (!cp || !cp->handle)
a73c046a
JK		 1224 return;
1225
1226 hci_dev_lock(hdev);
1227
c45074d6
LAD		 1228 adv = hci_find_adv_instance(hdev, cp->handle);
1229 if (adv) {
1230 bacpy(&adv->random_addr, &cp->bdaddr);
1231 if (!bacmp(&hdev->rpa, &cp->bdaddr)) {
1232 adv->rpa_expired = false;
1233 queue_delayed_work(hdev->workqueue,
1234 &adv->rpa_expired_cb,
1235 secs_to_jiffies(hdev->rpa_timeout));
1236 }
a73c046a
JK		 1237 }
1238
1239 hci_dev_unlock(hdev);
1240}
1241
cba6b758
LAD		 1242static void hci_cc_le_remove_adv_set(struct hci_dev *hdev, struct sk_buff *skb)
1243{
1244 __u8 status = *((__u8 *)skb->data);
1245 u8 *instance;
1246 int err;
1247
1248 if (status)
1249 return;
1250
1251 instance = hci_sent_cmd_data(hdev, HCI_OP_LE_REMOVE_ADV_SET);
1252 if (!instance)
1253 return;
1254
1255 hci_dev_lock(hdev);
1256
1257 err = hci_remove_adv_instance(hdev, *instance);
1258 if (!err)
1259 mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd), hdev,
1260 *instance);
1261
1262 hci_dev_unlock(hdev);
1263}
1264
1265static void hci_cc_le_clear_adv_sets(struct hci_dev *hdev, struct sk_buff *skb)
1266{
1267 __u8 status = *((__u8 *)skb->data);
1268 struct adv_info *adv, *n;
1269 int err;
1270
1271 if (status)
1272 return;
1273
1274 if (!hci_sent_cmd_data(hdev, HCI_OP_LE_CLEAR_ADV_SETS))
1275 return;
1276
1277 hci_dev_lock(hdev);
1278
1279 list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) {
1280 u8 instance = adv->instance;
1281
1282 err = hci_remove_adv_instance(hdev, instance);
1283 if (!err)
1284 mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd),
1285 hdev, instance);
1286 }
1287
1288 hci_dev_unlock(hdev);
1289}
1290
7c395ea5
DW		 1291static void hci_cc_le_read_transmit_power(struct hci_dev *hdev,
1292 struct sk_buff *skb)
1293{
1294 struct hci_rp_le_read_transmit_power *rp = (void *)skb->data;
1295
1296 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1297
1298 if (rp->status)
1299 return;
1300
1301 hdev->min_le_tx_power = rp->min_le_tx_power;
1302 hdev->max_le_tx_power = rp->max_le_tx_power;
1303}
1304
c1d5dc4a
JH		 1305static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb)
1306{
1307 __u8 *sent, status = *((__u8 *) skb->data);
1308
1309 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1310
45296acd 1311 if (status)
c1d5dc4a
JH		 1312 return;
1313
45296acd
MH		 1314 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1315 if (!sent)
3c857757
JH		 1316 return;
1317
c1d5dc4a
JH		 1318 hci_dev_lock(hdev);
1319
49c922bb 1320 /* If we're doing connection initiation as peripheral. Set a
3c857757
JH		 1321 * timeout in case something goes wrong.
1322 */
1323 if (*sent) {
1324 struct hci_conn *conn;
1325
a1536da2 1326 hci_dev_set_flag(hdev, HCI_LE_ADV);
66c417c1 1327
e7d9ab73 1328 conn = hci_lookup_le_connect(hdev);
3c857757
JH		 1329 if (conn)
1330 queue_delayed_work(hdev->workqueue,
1331 &conn->le_conn_timeout,
09ae260b 1332 conn->conn_timeout);
66c417c1 1333 } else {
a358dc11 1334 hci_dev_clear_flag(hdev, HCI_LE_ADV);
3c857757
JH		 1335 }
1336
04b4edcb 1337 hci_dev_unlock(hdev);
c1d5dc4a
JH		 1338}
1339
de181e88
JK		 1340static void hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev,
1341 struct sk_buff *skb)
1342{
1343 struct hci_cp_le_set_ext_adv_enable *cp;
10279313 1344 struct hci_cp_ext_adv_set *set;
de181e88 1345 __u8 status = *((__u8 *) skb->data);
10279313 1346 struct adv_info *adv = NULL, *n;
de181e88
JK		 1347
1348 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1349
1350 if (status)
1351 return;
1352
1353 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE);
1354 if (!cp)
1355 return;
1356
10279313
LAD		 1357 set = (void *)cp->data;
1358
de181e88
JK		 1359 hci_dev_lock(hdev);
1360
10279313
LAD		 1361 if (cp->num_of_sets)
1362 adv = hci_find_adv_instance(hdev, set->handle);
1363
de181e88
JK		 1364 if (cp->enable) {
1365 struct hci_conn *conn;
1366
1367 hci_dev_set_flag(hdev, HCI_LE_ADV);
1368
10279313
LAD		 1369 if (adv)
1370 adv->enabled = true;
1371
de181e88
JK		 1372 conn = hci_lookup_le_connect(hdev);
1373 if (conn)
1374 queue_delayed_work(hdev->workqueue,
1375 &conn->le_conn_timeout,
1376 conn->conn_timeout);
45b7749f 1377 } else {
2128939f
AP		 1378 if (cp->num_of_sets) {
1379 if (adv)
1380 adv->enabled = false;
1381
10279313
LAD		 1382 /* If just one instance was disabled check if there are
1383 * any other instance enabled before clearing HCI_LE_ADV
1384 */
1385 list_for_each_entry_safe(adv, n, &hdev->adv_instances,
1386 list) {
1387 if (adv->enabled)
1388 goto unlock;
1389 }
1390 } else {
1391 /* All instances shall be considered disabled */
1392 list_for_each_entry_safe(adv, n, &hdev->adv_instances,
1393 list)
1394 adv->enabled = false;
1395 }
1396
45b7749f 1397 hci_dev_clear_flag(hdev, HCI_LE_ADV);
de181e88
JK		 1398 }
1399
10279313 1400unlock:
de181e88
JK		 1401 hci_dev_unlock(hdev);
1402}
1403
533553f8
MH		 1404static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb)
1405{
1406 struct hci_cp_le_set_scan_param *cp;
1407 __u8 status = *((__u8 *) skb->data);
1408
1409 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1410
45296acd
MH		 1411 if (status)
1412 return;
1413
533553f8
MH		 1414 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1415 if (!cp)
1416 return;
1417
1418 hci_dev_lock(hdev);
1419
45296acd 1420 hdev->le_scan_type = cp->type;
533553f8
MH		 1421
1422 hci_dev_unlock(hdev);
1423}
1424
a2344b9e
JK		 1425static void hci_cc_le_set_ext_scan_param(struct hci_dev *hdev,
1426 struct sk_buff *skb)
1427{
1428 struct hci_cp_le_set_ext_scan_params *cp;
1429 __u8 status = *((__u8 *) skb->data);
1430 struct hci_cp_le_scan_phy_params *phy_param;
1431
1432 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1433
1434 if (status)
1435 return;
1436
1437 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS);
1438 if (!cp)
1439 return;
1440
1441 phy_param = (void *)cp->data;
1442
1443 hci_dev_lock(hdev);
1444
1445 hdev->le_scan_type = phy_param->type;
1446
1447 hci_dev_unlock(hdev);
1448}
1449
b9a6328f
JH		 1450static bool has_pending_adv_report(struct hci_dev *hdev)
1451{
1452 struct discovery_state *d = &hdev->discovery;
1453
1454 return bacmp(&d->last_adv_addr, BDADDR_ANY);
1455}
1456
1457static void clear_pending_adv_report(struct hci_dev *hdev)
1458{
1459 struct discovery_state *d = &hdev->discovery;
1460
1461 bacpy(&d->last_adv_addr, BDADDR_ANY);
1462 d->last_adv_data_len = 0;
1463}
1464
1465static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
c70a7e4c
MH		 1466 u8 bdaddr_type, s8 rssi, u32 flags,
1467 u8 *data, u8 len)
b9a6328f
JH		 1468{
1469 struct discovery_state *d = &hdev->discovery;
1470
a2ec905d
AM		 1471 if (len > HCI_MAX_AD_LENGTH)
1472 return;
1473
b9a6328f
JH		 1474 bacpy(&d->last_adv_addr, bdaddr);
1475 d->last_adv_addr_type = bdaddr_type;
ff5cd29f 1476 d->last_adv_rssi = rssi;
c70a7e4c 1477 d->last_adv_flags = flags;
b9a6328f
JH		 1478 memcpy(d->last_adv_data, data, len);
1479 d->last_adv_data_len = len;
1480}
1481
3baef810 1482static void le_set_scan_enable_complete(struct hci_dev *hdev, u8 enable)
eb9d91f5 1483{
5c1a4c8f
JK		 1484 hci_dev_lock(hdev);
1485
3baef810 1486 switch (enable) {
76a388be 1487 case LE_SCAN_ENABLE:
a1536da2 1488 hci_dev_set_flag(hdev, HCI_LE_SCAN);
b9a6328f
JH		 1489 if (hdev->le_scan_type == LE_SCAN_ACTIVE)
1490 clear_pending_adv_report(hdev);
68a8aea4
AE		 1491 break;
1492
76a388be 1493 case LE_SCAN_DISABLE:
b9a6328f
JH		 1494 /* We do this here instead of when setting DISCOVERY_STOPPED
1495 * since the latter would potentially require waiting for
1496 * inquiry to stop too.
1497 */
1498 if (has_pending_adv_report(hdev)) {
1499 struct discovery_state *d = &hdev->discovery;
1500
1501 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
ab0aa433 1502 d->last_adv_addr_type, NULL,
c70a7e4c 1503 d->last_adv_rssi, d->last_adv_flags,
ab0aa433 1504 d->last_adv_data,
b9a6328f
JH		 1505 d->last_adv_data_len, NULL, 0);
1506 }
1507
317ac8cb
JH		 1508 /* Cancel this timer so that we don't try to disable scanning
1509 * when it's already disabled.
1510 */
1511 cancel_delayed_work(&hdev->le_scan_disable);
1512
a358dc11 1513 hci_dev_clear_flag(hdev, HCI_LE_SCAN);
e8bb6b97 1514
81ad6fd9
JH		 1515 /* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1516 * interrupted scanning due to a connect request. Mark
e8bb6b97
JH		 1517 * therefore discovery as stopped. If this was not
1518 * because of a connect request advertising might have
1519 * been disabled because of active scanning, so
1520 * re-enable it again if necessary.
81ad6fd9 1521 */
a69d8927 1522 if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))
81ad6fd9 1523 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
d7a5a11d 1524 else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) &&
34722277 1525 hdev->discovery.state == DISCOVERY_FINDING)
f2252570 1526 hci_req_reenable_advertising(hdev);
e8bb6b97 1527
68a8aea4
AE		 1528 break;
1529
1530 default:
2064ee33 1531 bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d",
3baef810 1532 enable);
68a8aea4 1533 break;
35815085 1534 }
5c1a4c8f
JK		 1535
1536 hci_dev_unlock(hdev);
eb9d91f5
AG		 1537}
1538
3baef810
JK		 1539static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
1540 struct sk_buff *skb)
1541{
1542 struct hci_cp_le_set_scan_enable *cp;
1543 __u8 status = *((__u8 *) skb->data);
1544
1545 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1546
1547 if (status)
1548 return;
1549
1550 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1551 if (!cp)
1552 return;
1553
1554 le_set_scan_enable_complete(hdev, cp->enable);
1555}
1556
a2344b9e
JK		 1557static void hci_cc_le_set_ext_scan_enable(struct hci_dev *hdev,
1558 struct sk_buff *skb)
1559{
1560 struct hci_cp_le_set_ext_scan_enable *cp;
1561 __u8 status = *((__u8 *) skb->data);
1562
1563 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1564
1565 if (status)
1566 return;
1567
1568 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_ENABLE);
1569 if (!cp)
1570 return;
1571
1572 le_set_scan_enable_complete(hdev, cp->enable);
1573}
1574
6b49bcb4
JK		 1575static void hci_cc_le_read_num_adv_sets(struct hci_dev *hdev,
1576 struct sk_buff *skb)
1577{
1578 struct hci_rp_le_read_num_supported_adv_sets *rp = (void *) skb->data;
1579
1580 BT_DBG("%s status 0x%2.2x No of Adv sets %u", hdev->name, rp->status,
1581 rp->num_of_sets);
1582
1583 if (rp->status)
1584 return;
1585
1586 hdev->le_num_of_adv_sets = rp->num_of_sets;
1587}
1588
3d4f9c00
AP		 1589static void hci_cc_le_read_accept_list_size(struct hci_dev *hdev,
1590 struct sk_buff *skb)
cf1d081f 1591{
3d4f9c00 1592 struct hci_rp_le_read_accept_list_size *rp = (void *)skb->data;
cf1d081f
JH		 1593
1594 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1595
45296acd
MH		 1596 if (rp->status)
1597 return;
1598
3d4f9c00 1599 hdev->le_accept_list_size = rp->size;
cf1d081f
JH		 1600}
1601
3d4f9c00
AP		 1602static void hci_cc_le_clear_accept_list(struct hci_dev *hdev,
1603 struct sk_buff *skb)
0f36b589
MH		 1604{
1605 __u8 status = *((__u8 *) skb->data);
1606
1607 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1608
45296acd
MH		 1609 if (status)
1610 return;
1611
3d4f9c00 1612 hci_bdaddr_list_clear(&hdev->le_accept_list);
0f36b589
MH		 1613}
1614
3d4f9c00
AP		 1615static void hci_cc_le_add_to_accept_list(struct hci_dev *hdev,
1616 struct sk_buff *skb)
0f36b589 1617{
3d4f9c00 1618 struct hci_cp_le_add_to_accept_list *sent;
0f36b589
MH		 1619 __u8 status = *((__u8 *) skb->data);
1620
1621 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1622
45296acd
MH		 1623 if (status)
1624 return;
1625
3d4f9c00 1626 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_ACCEPT_LIST);
0f36b589
MH		 1627 if (!sent)
1628 return;
1629
3d4f9c00
AP		 1630 hci_bdaddr_list_add(&hdev->le_accept_list, &sent->bdaddr,
1631 sent->bdaddr_type);
0f36b589
MH		 1632}
1633
3d4f9c00
AP		 1634static void hci_cc_le_del_from_accept_list(struct hci_dev *hdev,
1635 struct sk_buff *skb)
0f36b589 1636{
3d4f9c00 1637 struct hci_cp_le_del_from_accept_list *sent;
0f36b589
MH		 1638 __u8 status = *((__u8 *) skb->data);
1639
1640 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1641
45296acd
MH		 1642 if (status)
1643 return;
1644
3d4f9c00 1645 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_ACCEPT_LIST);
0f36b589
MH		 1646 if (!sent)
1647 return;
1648
3d4f9c00 1649 hci_bdaddr_list_del(&hdev->le_accept_list, &sent->bdaddr,
dcc36c16 1650 sent->bdaddr_type);
0f36b589
MH		 1651}
1652
9b008c04
JH		 1653static void hci_cc_le_read_supported_states(struct hci_dev *hdev,
1654 struct sk_buff *skb)
1655{
1656 struct hci_rp_le_read_supported_states *rp = (void *) skb->data;
1657
1658 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1659
45296acd
MH		 1660 if (rp->status)
1661 return;
1662
1663 memcpy(hdev->le_states, rp->le_states, 8);
9b008c04
JH		 1664}
1665
a8e1bfaa
MH		 1666static void hci_cc_le_read_def_data_len(struct hci_dev *hdev,
1667 struct sk_buff *skb)
1668{
1669 struct hci_rp_le_read_def_data_len *rp = (void *) skb->data;
1670
1671 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1672
1673 if (rp->status)
1674 return;
1675
1676 hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
1677 hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
1678}
1679
1680static void hci_cc_le_write_def_data_len(struct hci_dev *hdev,
1681 struct sk_buff *skb)
1682{
1683 struct hci_cp_le_write_def_data_len *sent;
1684 __u8 status = *((__u8 *) skb->data);
1685
1686 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1687
1688 if (status)
1689 return;
1690
1691 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
1692 if (!sent)
1693 return;
1694
1695 hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
1696 hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
1697}
1698
b950aa88
AN		 1699static void hci_cc_le_add_to_resolv_list(struct hci_dev *hdev,
1700 struct sk_buff *skb)
1701{
1702 struct hci_cp_le_add_to_resolv_list *sent;
1703 __u8 status = *((__u8 *) skb->data);
1704
1705 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1706
1707 if (status)
1708 return;
1709
1710 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_RESOLV_LIST);
1711 if (!sent)
1712 return;
1713
1714 hci_bdaddr_list_add_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
1715 sent->bdaddr_type, sent->peer_irk,
1716 sent->local_irk);
1717}
1718
1719static void hci_cc_le_del_from_resolv_list(struct hci_dev *hdev,
1720 struct sk_buff *skb)
1721{
1722 struct hci_cp_le_del_from_resolv_list *sent;
1723 __u8 status = *((__u8 *) skb->data);
1724
1725 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1726
1727 if (status)
1728 return;
1729
1730 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_RESOLV_LIST);
1731 if (!sent)
1732 return;
1733
1734 hci_bdaddr_list_del_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
1735 sent->bdaddr_type);
1736}
1737
545f2596
AN		 1738static void hci_cc_le_clear_resolv_list(struct hci_dev *hdev,
1739 struct sk_buff *skb)
1740{
1741 __u8 status = *((__u8 *) skb->data);
1742
1743 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1744
1745 if (status)
1746 return;
1747
1748 hci_bdaddr_list_clear(&hdev->le_resolv_list);
1749}
1750
cfdb0c2d
AN		 1751static void hci_cc_le_read_resolv_list_size(struct hci_dev *hdev,
1752 struct sk_buff *skb)
1753{
1754 struct hci_rp_le_read_resolv_list_size *rp = (void *) skb->data;
1755
1756 BT_DBG("%s status 0x%2.2x size %u", hdev->name, rp->status, rp->size);
1757
1758 if (rp->status)
1759 return;
1760
1761 hdev->le_resolv_list_size = rp->size;
1762}
1763
aa12af77
AN		 1764static void hci_cc_le_set_addr_resolution_enable(struct hci_dev *hdev,
1765 struct sk_buff *skb)
1766{
1767 __u8 *sent, status = *((__u8 *) skb->data);
1768
1769 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1770
1771 if (status)
1772 return;
1773
1774 sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE);
1775 if (!sent)
1776 return;
1777
1778 hci_dev_lock(hdev);
1779
1780 if (*sent)
1781 hci_dev_set_flag(hdev, HCI_LL_RPA_RESOLUTION);
1782 else
1783 hci_dev_clear_flag(hdev, HCI_LL_RPA_RESOLUTION);
1784
1785 hci_dev_unlock(hdev);
1786}
1787
a8e1bfaa
MH		 1788static void hci_cc_le_read_max_data_len(struct hci_dev *hdev,
1789 struct sk_buff *skb)
1790{
1791 struct hci_rp_le_read_max_data_len *rp = (void *) skb->data;
1792
1793 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1794
1795 if (rp->status)
1796 return;
1797
1798 hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
1799 hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
1800 hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
1801 hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
1802}
1803
6039aa73
GP		 1804static void hci_cc_write_le_host_supported(struct hci_dev *hdev,
1805 struct sk_buff *skb)
f9b49306 1806{
06199cf8 1807 struct hci_cp_write_le_host_supported *sent;
f9b49306
AG		 1808 __u8 status = *((__u8 *) skb->data);
1809
9f1db00c 1810 BT_DBG("%s status 0x%2.2x", hdev->name, status);
f9b49306 1811
45296acd
MH		 1812 if (status)
1813 return;
1814
06199cf8 1815 sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
8f984dfa 1816 if (!sent)
f9b49306
AG		 1817 return;
1818
5c1a4c8f
JK		 1819 hci_dev_lock(hdev);
1820
45296acd
MH		 1821 if (sent->le) {
1822 hdev->features[1][0] |= LMP_HOST_LE;
a1536da2 1823 hci_dev_set_flag(hdev, HCI_LE_ENABLED);
45296acd
MH		 1824 } else {
1825 hdev->features[1][0] &= ~LMP_HOST_LE;
a358dc11
MH		 1826 hci_dev_clear_flag(hdev, HCI_LE_ENABLED);
1827 hci_dev_clear_flag(hdev, HCI_ADVERTISING);
8f984dfa 1828 }
45296acd
MH		 1829
1830 if (sent->simul)
1831 hdev->features[1][0] |= LMP_HOST_LE_BREDR;
1832 else
1833 hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
5c1a4c8f
JK		 1834
1835 hci_dev_unlock(hdev);
f9b49306
AG		 1836}
1837
56ed2cb8
JH		 1838static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1839{
1840 struct hci_cp_le_set_adv_param *cp;
1841 u8 status = *((u8 *) skb->data);
1842
1843 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1844
1845 if (status)
1846 return;
1847
1848 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
1849 if (!cp)
1850 return;
1851
1852 hci_dev_lock(hdev);
1853 hdev->adv_addr_type = cp->own_address_type;
1854 hci_dev_unlock(hdev);
1855}
1856
de181e88
JK		 1857static void hci_cc_set_ext_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
1858{
1859 struct hci_rp_le_set_ext_adv_params *rp = (void *) skb->data;
1860 struct hci_cp_le_set_ext_adv_params *cp;
1861 struct adv_info *adv_instance;
1862
1863 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1864
1865 if (rp->status)
1866 return;
1867
1868 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS);
1869 if (!cp)
1870 return;
1871
1872 hci_dev_lock(hdev);
1873 hdev->adv_addr_type = cp->own_addr_type;
25e70886 1874 if (!cp->handle) {
de181e88
JK		 1875 /* Store in hdev for instance 0 */
1876 hdev->adv_tx_power = rp->tx_power;
1877 } else {
25e70886 1878 adv_instance = hci_find_adv_instance(hdev, cp->handle);
de181e88
JK		 1879 if (adv_instance)
1880 adv_instance->tx_power = rp->tx_power;
1881 }
a0fb3726 1882 /* Update adv data as tx power is known now */
25e70886 1883 hci_req_update_adv_data(hdev, cp->handle);
12410572 1884
de181e88
JK		 1885 hci_dev_unlock(hdev);
1886}
1887
5ae76a94
AK		 1888static void hci_cc_read_rssi(struct hci_dev *hdev, struct sk_buff *skb)
1889{
1890 struct hci_rp_read_rssi *rp = (void *) skb->data;
1891 struct hci_conn *conn;
1892
1893 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1894
1895 if (rp->status)
1896 return;
1897
1898 hci_dev_lock(hdev);
1899
1900 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1901 if (conn)
1902 conn->rssi = rp->rssi;
1903
1904 hci_dev_unlock(hdev);
1905}
1906
5a134fae
AK		 1907static void hci_cc_read_tx_power(struct hci_dev *hdev, struct sk_buff *skb)
1908{
1909 struct hci_cp_read_tx_power *sent;
1910 struct hci_rp_read_tx_power *rp = (void *) skb->data;
1911 struct hci_conn *conn;
1912
1913 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1914
1915 if (rp->status)
1916 return;
1917
1918 sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
1919 if (!sent)
1920 return;
1921
1922 hci_dev_lock(hdev);
1923
1924 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
d0455ed9
AK		 1925 if (!conn)
1926 goto unlock;
1927
1928 switch (sent->type) {
1929 case 0x00:
5a134fae 1930 conn->tx_power = rp->tx_power;
d0455ed9
AK		 1931 break;
1932 case 0x01:
1933 conn->max_tx_power = rp->tx_power;
1934 break;
1935 }
5a134fae 1936
d0455ed9 1937unlock:
5a134fae
AK		 1938 hci_dev_unlock(hdev);
1939}
1940
c50b33c8
MH		 1941static void hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, struct sk_buff *skb)
1942{
1943 u8 status = *((u8 *) skb->data);
1944 u8 *mode;
1945
1946 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1947
1948 if (status)
1949 return;
1950
1951 mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);
1952 if (mode)
1953 hdev->ssp_debug_mode = *mode;
1954}
1955
6039aa73 1956static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
a9de9248 1957{
9f1db00c 1958 BT_DBG("%s status 0x%2.2x", hdev->name, status);
a9de9248
MH		 1959
1960 if (status) {
a9de9248 1961 hci_conn_check_pending(hdev);
314b2381
JH		 1962 return;
1963 }
1964
89352e7d 1965 set_bit(HCI_INQUIRY, &hdev->flags);
1da177e4
LT		 1966}
1967
6039aa73 1968static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
1da177e4 1969{
a9de9248 1970 struct hci_cp_create_conn *cp;
1da177e4 1971 struct hci_conn *conn;
1da177e4 1972
9f1db00c 1973 BT_DBG("%s status 0x%2.2x", hdev->name, status);
a9de9248
MH		 1974
1975 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
1da177e4
LT		 1976 if (!cp)
1977 return;
1978
1979 hci_dev_lock(hdev);
1980
1981 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1982
6ed93dc6 1983 BT_DBG("%s bdaddr %pMR hcon %p", hdev->name, &cp->bdaddr, conn);
1da177e4
LT		 1984
1985 if (status) {
1986 if (conn && conn->state == BT_CONNECT) {
4c67bc74
MH		 1987 if (status != 0x0c || conn->attempt > 2) {
1988 conn->state = BT_CLOSED;
539c496d 1989 hci_connect_cfm(conn, status);
4c67bc74
MH		 1990 hci_conn_del(conn);
1991 } else
1992 conn->state = BT_CONNECT2;
1da177e4
LT		 1993 }
1994 } else {
1995 if (!conn) {
a5c4e309
JH		 1996 conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr,
1997 HCI_ROLE_MASTER);
1998 if (!conn)
2064ee33 1999 bt_dev_err(hdev, "no memory for new connection");
1da177e4
LT		 2000 }
2001 }
2002
2003 hci_dev_unlock(hdev);
2004}
2005
a9de9248 2006static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
1da177e4 2007{
a9de9248
MH		 2008 struct hci_cp_add_sco *cp;
2009 struct hci_conn *acl, *sco;
2010 __u16 handle;
1da177e4 2011
9f1db00c 2012 BT_DBG("%s status 0x%2.2x", hdev->name, status);
b6a0dc82 2013
a9de9248
MH		 2014 if (!status)
2015 return;
1da177e4 2016
a9de9248
MH		 2017 cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
2018 if (!cp)
2019 return;
1da177e4 2020
a9de9248 2021 handle = __le16_to_cpu(cp->handle);
1da177e4 2022
9f1db00c 2023 BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1da177e4 2024
a9de9248 2025 hci_dev_lock(hdev);
1da177e4 2026
a9de9248 2027 acl = hci_conn_hash_lookup_handle(hdev, handle);
5a08ecce
AE		 2028 if (acl) {
2029 sco = acl->link;
2030 if (sco) {
2031 sco->state = BT_CLOSED;
1da177e4 2032
539c496d 2033 hci_connect_cfm(sco, status);
5a08ecce
AE		 2034 hci_conn_del(sco);
2035 }
a9de9248 2036 }
1da177e4 2037
a9de9248
MH		 2038 hci_dev_unlock(hdev);
2039}
1da177e4 2040
f8558555
MH		 2041static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
2042{
2043 struct hci_cp_auth_requested *cp;
2044 struct hci_conn *conn;
2045
9f1db00c 2046 BT_DBG("%s status 0x%2.2x", hdev->name, status);
f8558555
MH		 2047
2048 if (!status)
2049 return;
2050
2051 cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
2052 if (!cp)
2053 return;
2054
2055 hci_dev_lock(hdev);
2056
2057 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2058 if (conn) {
2059 if (conn->state == BT_CONFIG) {
539c496d 2060 hci_connect_cfm(conn, status);
76a68ba0 2061 hci_conn_drop(conn);
f8558555
MH		 2062 }
2063 }
2064
2065 hci_dev_unlock(hdev);
2066}
2067
2068static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
2069{
2070 struct hci_cp_set_conn_encrypt *cp;
2071 struct hci_conn *conn;
2072
9f1db00c 2073 BT_DBG("%s status 0x%2.2x", hdev->name, status);
f8558555
MH		 2074
2075 if (!status)
2076 return;
2077
2078 cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
2079 if (!cp)
2080 return;
2081
2082 hci_dev_lock(hdev);
2083
2084 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2085 if (conn) {
2086 if (conn->state == BT_CONFIG) {
539c496d 2087 hci_connect_cfm(conn, status);
76a68ba0 2088 hci_conn_drop(conn);
f8558555
MH		 2089 }
2090 }
2091
2092 hci_dev_unlock(hdev);
2093}
2094
127178d2 2095static int hci_outgoing_auth_needed(struct hci_dev *hdev,
807deac2 2096 struct hci_conn *conn)
392599b9 2097{
392599b9
JH		 2098 if (conn->state != BT_CONFIG || !conn->out)
2099 return 0;
2100
765c2a96 2101 if (conn->pending_sec_level == BT_SECURITY_SDP)
392599b9
JH		 2102 return 0;
2103
2104 /* Only request authentication for SSP connections or non-SSP
264b8b4e
JH		 2105 * devices with sec_level MEDIUM or HIGH or if MITM protection
2106 * is requested.
2107 */
807deac2 2108 if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
7e3691e1 2109 conn->pending_sec_level != BT_SECURITY_FIPS &&
264b8b4e
JH		 2110 conn->pending_sec_level != BT_SECURITY_HIGH &&
2111 conn->pending_sec_level != BT_SECURITY_MEDIUM)
392599b9
JH		 2112 return 0;
2113
392599b9
JH		 2114 return 1;
2115}
2116
6039aa73 2117static int hci_resolve_name(struct hci_dev *hdev,
04124681 2118 struct inquiry_entry *e)
30dc78e1
JH		 2119{
2120 struct hci_cp_remote_name_req cp;
2121
2122 memset(&cp, 0, sizeof(cp));
2123
2124 bacpy(&cp.bdaddr, &e->data.bdaddr);
2125 cp.pscan_rep_mode = e->data.pscan_rep_mode;
2126 cp.pscan_mode = e->data.pscan_mode;
2127 cp.clock_offset = e->data.clock_offset;
2128
2129 return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2130}
2131
b644ba33 2132static bool hci_resolve_next_name(struct hci_dev *hdev)
30dc78e1
JH		 2133{
2134 struct discovery_state *discov = &hdev->discovery;
2135 struct inquiry_entry *e;
2136
b644ba33
JH		 2137 if (list_empty(&discov->resolve))
2138 return false;
2139
2140 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
c810089c
RM		 2141 if (!e)
2142 return false;
2143
b644ba33
JH		 2144 if (hci_resolve_name(hdev, e) == 0) {
2145 e->name_state = NAME_PENDING;
2146 return true;
2147 }
2148
2149 return false;
2150}
2151
2152static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
04124681 2153 bdaddr_t *bdaddr, u8 *name, u8 name_len)
b644ba33
JH		 2154{
2155 struct discovery_state *discov = &hdev->discovery;
2156 struct inquiry_entry *e;
2157
60cb49d2
JH		 2158 /* Update the mgmt connected state if necessary. Be careful with
2159 * conn objects that exist but are not (yet) connected however.
2160 * Only those in BT_CONFIG or BT_CONNECTED states can be
2161 * considered connected.
2162 */
2163 if (conn &&
2164 (conn->state == BT_CONFIG || conn->state == BT_CONNECTED) &&
cb77c3ec 2165 !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
1c6ed31b 2166 mgmt_device_connected(hdev, conn, name, name_len);
b644ba33
JH		 2167
2168 if (discov->state == DISCOVERY_STOPPED)
2169 return;
2170
30dc78e1
JH		 2171 if (discov->state == DISCOVERY_STOPPING)
2172 goto discov_complete;
2173
2174 if (discov->state != DISCOVERY_RESOLVING)
2175 return;
2176
2177 e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
7cc8380e
RM		 2178 /* If the device was not found in a list of found devices names of which
2179 * are pending. there is no need to continue resolving a next name as it
2180 * will be done upon receiving another Remote Name Request Complete
2181 * Event */
2182 if (!e)
2183 return;
2184
2185 list_del(&e->list);
2186 if (name) {
30dc78e1 2187 e->name_state = NAME_KNOWN;
7cc8380e
RM		 2188 mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,
2189 e->data.rssi, name, name_len);
c3e7c0d9
RM		 2190 } else {
2191 e->name_state = NAME_NOT_KNOWN;
30dc78e1
JH		 2192 }
2193
b644ba33 2194 if (hci_resolve_next_name(hdev))
30dc78e1 2195 return;
30dc78e1
JH		 2196
2197discov_complete:
2198 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2199}
2200
a9de9248
MH		 2201static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
2202{
127178d2
JH		 2203 struct hci_cp_remote_name_req *cp;
2204 struct hci_conn *conn;
2205
9f1db00c 2206 BT_DBG("%s status 0x%2.2x", hdev->name, status);
127178d2
JH		 2207
2208 /* If successful wait for the name req complete event before
2209 * checking for the need to do authentication */
2210 if (!status)
2211 return;
2212
2213 cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
2214 if (!cp)
2215 return;
2216
2217 hci_dev_lock(hdev);
2218
b644ba33
JH		 2219 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2220
d7a5a11d 2221 if (hci_dev_test_flag(hdev, HCI_MGMT))
b644ba33 2222 hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
30dc78e1 2223
79c6c70c
JH		 2224 if (!conn)
2225 goto unlock;
2226
2227 if (!hci_outgoing_auth_needed(hdev, conn))
2228 goto unlock;
2229
51a8efd7 2230 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
c1f23a2b
JB		 2231 struct hci_cp_auth_requested auth_cp;
2232
977f8fce
JH		 2233 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2234
c1f23a2b
JB		 2235 auth_cp.handle = __cpu_to_le16(conn->handle);
2236 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
2237 sizeof(auth_cp), &auth_cp);
127178d2
JH		 2238 }
2239
79c6c70c 2240unlock:
127178d2 2241 hci_dev_unlock(hdev);
a9de9248 2242}
1da177e4 2243
769be974
MH		 2244static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
2245{
2246 struct hci_cp_read_remote_features *cp;
2247 struct hci_conn *conn;
2248
9f1db00c 2249 BT_DBG("%s status 0x%2.2x", hdev->name, status);
769be974
MH		 2250
2251 if (!status)
2252 return;
2253
2254 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
2255 if (!cp)
2256 return;
2257
2258 hci_dev_lock(hdev);
2259
2260 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2261 if (conn) {
2262 if (conn->state == BT_CONFIG) {
539c496d 2263 hci_connect_cfm(conn, status);
76a68ba0 2264 hci_conn_drop(conn);
769be974
MH		 2265 }
2266 }
2267
2268 hci_dev_unlock(hdev);
2269}
2270
2271static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
2272{
2273 struct hci_cp_read_remote_ext_features *cp;
2274 struct hci_conn *conn;
2275
9f1db00c 2276 BT_DBG("%s status 0x%2.2x", hdev->name, status);
769be974
MH		 2277
2278 if (!status)
2279 return;
2280
2281 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
2282 if (!cp)
2283 return;
2284
2285 hci_dev_lock(hdev);
2286
2287 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2288 if (conn) {
2289 if (conn->state == BT_CONFIG) {
539c496d 2290 hci_connect_cfm(conn, status);
76a68ba0 2291 hci_conn_drop(conn);
769be974
MH		 2292 }
2293 }
2294
2295 hci_dev_unlock(hdev);
2296}
2297
a9de9248
MH		 2298static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2299{
b6a0dc82
MH		 2300 struct hci_cp_setup_sync_conn *cp;
2301 struct hci_conn *acl, *sco;
2302 __u16 handle;
2303
9f1db00c 2304 BT_DBG("%s status 0x%2.2x", hdev->name, status);
b6a0dc82
MH		 2305
2306 if (!status)
2307 return;
2308
2309 cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
2310 if (!cp)
2311 return;
2312
2313 handle = __le16_to_cpu(cp->handle);
2314
9f1db00c 2315 BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
b6a0dc82
MH		 2316
2317 hci_dev_lock(hdev);
2318
2319 acl = hci_conn_hash_lookup_handle(hdev, handle);
5a08ecce
AE		 2320 if (acl) {
2321 sco = acl->link;
2322 if (sco) {
2323 sco->state = BT_CLOSED;
b6a0dc82 2324
539c496d 2325 hci_connect_cfm(sco, status);
5a08ecce
AE		 2326 hci_conn_del(sco);
2327 }
b6a0dc82
MH		 2328 }
2329
2330 hci_dev_unlock(hdev);
1da177e4
LT		 2331}
2332
b2af264a
K		 2333static void hci_cs_enhanced_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2334{
2335 struct hci_cp_enhanced_setup_sync_conn *cp;
2336 struct hci_conn *acl, *sco;
2337 __u16 handle;
2338
2339 bt_dev_dbg(hdev, "status 0x%2.2x", status);
2340
2341 if (!status)
2342 return;
2343
2344 cp = hci_sent_cmd_data(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN);
2345 if (!cp)
2346 return;
2347
2348 handle = __le16_to_cpu(cp->handle);
2349
2350 bt_dev_dbg(hdev, "handle 0x%4.4x", handle);
2351
2352 hci_dev_lock(hdev);
2353
2354 acl = hci_conn_hash_lookup_handle(hdev, handle);
2355 if (acl) {
2356 sco = acl->link;
2357 if (sco) {
2358 sco->state = BT_CLOSED;
2359
2360 hci_connect_cfm(sco, status);
2361 hci_conn_del(sco);
2362 }
2363 }
2364
2365 hci_dev_unlock(hdev);
2366}
2367
a9de9248 2368static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
1da177e4 2369{
a9de9248
MH		 2370 struct hci_cp_sniff_mode *cp;
2371 struct hci_conn *conn;
1da177e4 2372
9f1db00c 2373 BT_DBG("%s status 0x%2.2x", hdev->name, status);
04837f64 2374
a9de9248
MH		 2375 if (!status)
2376 return;
04837f64 2377
a9de9248
MH		 2378 cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
2379 if (!cp)
2380 return;
04837f64 2381
a9de9248 2382 hci_dev_lock(hdev);
04837f64 2383
a9de9248 2384 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
e73439d8 2385 if (conn) {
51a8efd7 2386 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
04837f64 2387
51a8efd7 2388 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
e73439d8
MH		 2389 hci_sco_setup(conn, status);
2390 }
2391
a9de9248
MH		 2392 hci_dev_unlock(hdev);
2393}
04837f64 2394
a9de9248
MH		 2395static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
2396{
2397 struct hci_cp_exit_sniff_mode *cp;
2398 struct hci_conn *conn;
04837f64 2399
9f1db00c 2400 BT_DBG("%s status 0x%2.2x", hdev->name, status);
04837f64 2401
a9de9248
MH		 2402 if (!status)
2403 return;
04837f64 2404
a9de9248
MH		 2405 cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
2406 if (!cp)
2407 return;
04837f64 2408
a9de9248 2409 hci_dev_lock(hdev);
1da177e4 2410
a9de9248 2411 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
e73439d8 2412 if (conn) {
51a8efd7 2413 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
1da177e4 2414
51a8efd7 2415 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
e73439d8
MH		 2416 hci_sco_setup(conn, status);
2417 }
2418
a9de9248 2419 hci_dev_unlock(hdev);
1da177e4
LT		 2420}
2421
88c3df13
JH		 2422static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
2423{
2424 struct hci_cp_disconnect *cp;
2425 struct hci_conn *conn;
2426
2427 if (!status)
2428 return;
2429
2430 cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
2431 if (!cp)
2432 return;
2433
2434 hci_dev_lock(hdev);
2435
2436 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
b8d29052 2437 if (conn) {
88c3df13 2438 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
04124681 2439 conn->dst_type, status);
88c3df13 2440
1eeaa1ae 2441 if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) {
7087c4f6
LAD		 2442 hdev->cur_adv_instance = conn->adv_instance;
2443 hci_req_reenable_advertising(hdev);
2444 }
2445
b8d29052
JH		 2446 /* If the disconnection failed for any reason, the upper layer
2447 * does not retry to disconnect in current implementation.
2448 * Hence, we need to do some basic cleanup here and re-enable
2449 * advertising if necessary.
2450 */
2451 hci_conn_del(conn);
b8d29052
JH		 2452 }
2453
88c3df13
JH		 2454 hci_dev_unlock(hdev);
2455}
2456
d850bf08 2457static u8 ev_bdaddr_type(struct hci_dev *hdev, u8 type, bool *resolved)
4ec4d63b
LAD		 2458{
2459 /* When using controller based address resolution, then the new
2460 * address types 0x02 and 0x03 are used. These types need to be
2461 * converted back into either public address or random address type
2462 */
2463 switch (type) {
2464 case ADDR_LE_DEV_PUBLIC_RESOLVED:
d850bf08
LAD		 2465 if (resolved)
2466 *resolved = true;
4ec4d63b
LAD		 2467 return ADDR_LE_DEV_PUBLIC;
2468 case ADDR_LE_DEV_RANDOM_RESOLVED:
d850bf08
LAD		 2469 if (resolved)
2470 *resolved = true;
4ec4d63b
LAD		 2471 return ADDR_LE_DEV_RANDOM;
2472 }
2473
d850bf08
LAD		 2474 if (resolved)
2475 *resolved = false;
4ec4d63b
LAD		 2476 return type;
2477}
2478
d12fb056
JK		 2479static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr,
2480 u8 peer_addr_type, u8 own_address_type,
2481 u8 filter_policy)
cb1d68f7 2482{
cb1d68f7
JH		 2483 struct hci_conn *conn;
2484
d12fb056
JK		 2485 conn = hci_conn_hash_lookup_le(hdev, peer_addr,
2486 peer_addr_type);
cb1d68f7 2487 if (!conn)
d12fb056 2488 return;
cb1d68f7 2489
d850bf08 2490 own_address_type = ev_bdaddr_type(hdev, own_address_type, NULL);
b31bc00b 2491
cb1d68f7
JH		 2492 /* Store the initiator and responder address information which
2493 * is needed for SMP. These values will not change during the
2494 * lifetime of the connection.
2495 */
d12fb056
JK		 2496 conn->init_addr_type = own_address_type;
2497 if (own_address_type == ADDR_LE_DEV_RANDOM)
cb1d68f7
JH		 2498 bacpy(&conn->init_addr, &hdev->random_addr);
2499 else
2500 bacpy(&conn->init_addr, &hdev->bdaddr);
2501
d12fb056
JK		 2502 conn->resp_addr_type = peer_addr_type;
2503 bacpy(&conn->resp_addr, peer_addr);
cb1d68f7 2504
9489eca4
JH		 2505 /* We don't want the connection attempt to stick around
2506 * indefinitely since LE doesn't have a page timeout concept
2507 * like BR/EDR. Set a timer for any connection that doesn't use
3d4f9c00 2508 * the accept list for connecting.
9489eca4 2509 */
d12fb056 2510 if (filter_policy == HCI_LE_USE_PEER_ADDR)
9489eca4
JH		 2511 queue_delayed_work(conn->hdev->workqueue,
2512 &conn->le_conn_timeout,
09ae260b 2513 conn->conn_timeout);
d12fb056
JK		 2514}
2515
2516static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
2517{
2518 struct hci_cp_le_create_conn *cp;
2519
2520 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2521
2522 /* All connection failure handling is taken care of by the
2523 * hci_le_conn_failed function which is triggered by the HCI
2524 * request completion callbacks used for connecting.
2525 */
2526 if (status)
2527 return;
2528
2529 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
2530 if (!cp)
2531 return;
2532
2533 hci_dev_lock(hdev);
2534
2535 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2536 cp->own_address_type, cp->filter_policy);
9489eca4 2537
cb1d68f7
JH		 2538 hci_dev_unlock(hdev);
2539}
2540
4d94f95d
JK		 2541static void hci_cs_le_ext_create_conn(struct hci_dev *hdev, u8 status)
2542{
2543 struct hci_cp_le_ext_create_conn *cp;
2544
2545 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2546
2547 /* All connection failure handling is taken care of by the
2548 * hci_le_conn_failed function which is triggered by the HCI
2549 * request completion callbacks used for connecting.
2550 */
2551 if (status)
2552 return;
2553
2554 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_EXT_CREATE_CONN);
2555 if (!cp)
2556 return;
2557
2558 hci_dev_lock(hdev);
2559
2560 cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2561 cp->own_addr_type, cp->filter_policy);
2562
2563 hci_dev_unlock(hdev);
2564}
2565
0fe29fd1
MH		 2566static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)
2567{
2568 struct hci_cp_le_read_remote_features *cp;
2569 struct hci_conn *conn;
2570
2571 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2572
2573 if (!status)
2574 return;
2575
2576 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);
2577 if (!cp)
2578 return;
2579
2580 hci_dev_lock(hdev);
2581
2582 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2583 if (conn) {
2584 if (conn->state == BT_CONFIG) {
2585 hci_connect_cfm(conn, status);
2586 hci_conn_drop(conn);
2587 }
2588 }
2589
2590 hci_dev_unlock(hdev);
2591}
2592
81d0c8ad
JH		 2593static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
2594{
2595 struct hci_cp_le_start_enc *cp;
2596 struct hci_conn *conn;
2597
2598 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2599
2600 if (!status)
2601 return;
2602
2603 hci_dev_lock(hdev);
2604
2605 cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
2606 if (!cp)
2607 goto unlock;
2608
2609 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2610 if (!conn)
2611 goto unlock;
2612
2613 if (conn->state != BT_CONNECTED)
2614 goto unlock;
2615
2616 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2617 hci_conn_drop(conn);
2618
2619unlock:
2620 hci_dev_unlock(hdev);
2621}
2622
50fc85f1
KP		 2623static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
2624{
2625 struct hci_cp_switch_role *cp;
2626 struct hci_conn *conn;
2627
2628 BT_DBG("%s status 0x%2.2x", hdev->name, status);
2629
2630 if (!status)
2631 return;
2632
2633 cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
2634 if (!cp)
2635 return;
2636
2637 hci_dev_lock(hdev);
2638
2639 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2640 if (conn)
2641 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
2642
2643 hci_dev_unlock(hdev);
2644}
2645
6039aa73 2646static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1da177e4
LT		 2647{
2648 __u8 status = *((__u8 *) skb->data);
30dc78e1
JH		 2649 struct discovery_state *discov = &hdev->discovery;
2650 struct inquiry_entry *e;
1da177e4 2651
9f1db00c 2652 BT_DBG("%s status 0x%2.2x", hdev->name, status);
1da177e4 2653
a9de9248 2654 hci_conn_check_pending(hdev);
89352e7d
AG		 2655
2656 if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
2657 return;
2658
4e857c58 2659 smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
3e13fa1e
AG		 2660 wake_up_bit(&hdev->flags, HCI_INQUIRY);
2661
d7a5a11d 2662 if (!hci_dev_test_flag(hdev, HCI_MGMT))
30dc78e1
JH		 2663 return;
2664
56e5cb86 2665 hci_dev_lock(hdev);
30dc78e1 2666
343f935b 2667 if (discov->state != DISCOVERY_FINDING)
30dc78e1
JH		 2668 goto unlock;
2669
2670 if (list_empty(&discov->resolve)) {
07d2334a
JP		 2671 /* When BR/EDR inquiry is active and no LE scanning is in
2672 * progress, then change discovery state to indicate completion.
2673 *
2674 * When running LE scanning and BR/EDR inquiry simultaneously
2675 * and the LE scan already finished, then change the discovery
2676 * state to indicate completion.
2677 */
2678 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2679 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2680 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
30dc78e1
JH		 2681 goto unlock;
2682 }
2683
2684 e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2685 if (e && hci_resolve_name(hdev, e) == 0) {
2686 e->name_state = NAME_PENDING;
2687 hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
2688 } else {
07d2334a
JP		 2689 /* When BR/EDR inquiry is active and no LE scanning is in
2690 * progress, then change discovery state to indicate completion.
2691 *
2692 * When running LE scanning and BR/EDR inquiry simultaneously
2693 * and the LE scan already finished, then change the discovery
2694 * state to indicate completion.
2695 */
2696 if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2697 !test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks))
2698 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
30dc78e1
JH		 2699 }
2700
2701unlock:
56e5cb86 2702 hci_dev_unlock(hdev);
1da177e4
LT		 2703}
2704
6039aa73 2705static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
1da177e4 2706{
45bb4bf0 2707 struct inquiry_data data;
a9de9248 2708 struct inquiry_info *info = (void *) (skb->data + 1);
1da177e4
LT		 2709 int num_rsp = *((__u8 *) skb->data);
2710
2711 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
2712
75bbd2ea 2713 if (!num_rsp || skb->len < num_rsp * sizeof(*info) + 1)
45bb4bf0
MH		 2714 return;
2715
d7a5a11d 2716 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
1519cc17
AG		 2717 return;
2718
1da177e4 2719 hci_dev_lock(hdev);
45bb4bf0 2720
e17acd40 2721 for (; num_rsp; num_rsp--, info++) {
af58925c 2722 u32 flags;
3175405b 2723
1da177e4
LT		 2724 bacpy(&data.bdaddr, &info->bdaddr);
2725 data.pscan_rep_mode = info->pscan_rep_mode;
2726 data.pscan_period_mode = info->pscan_period_mode;
2727 data.pscan_mode = info->pscan_mode;
2728 memcpy(data.dev_class, info->dev_class, 3);
2729 data.clock_offset = info->clock_offset;
efb2513f 2730 data.rssi = HCI_RSSI_INVALID;
41a96212 2731 data.ssp_mode = 0x00;
3175405b 2732
af58925c
MH		 2733 flags = hci_inquiry_cache_update(hdev, &data, false);
2734
48264f06 2735 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
efb2513f
MH		 2736 info->dev_class, HCI_RSSI_INVALID,
2737 flags, NULL, 0, NULL, 0);
1da177e4 2738 }
45bb4bf0 2739
1da177e4
LT		 2740 hci_dev_unlock(hdev);
2741}
2742
6039aa73 2743static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1da177e4 2744{
a9de9248
MH		 2745 struct hci_ev_conn_complete *ev = (void *) skb->data;
2746 struct hci_conn *conn;
1da177e4
LT		 2747
2748 BT_DBG("%s", hdev->name);
2749
2750 hci_dev_lock(hdev);
2751
2752 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
9499237a 2753 if (!conn) {
a46b7ed4
SS		 2754 /* Connection may not exist if auto-connected. Check the bredr
2755 * allowlist to see if this device is allowed to auto connect.
2756 * If link is an ACL type, create a connection class
4f40afc6 2757 * automatically.
a46b7ed4
SS		 2758 *
2759 * Auto-connect will only occur if the event filter is
2760 * programmed with a given address. Right now, event filter is
2761 * only used during suspend.
4f40afc6 2762 */
a46b7ed4 2763 if (ev->link_type == ACL_LINK &&
3d4f9c00 2764 hci_bdaddr_list_lookup_with_flags(&hdev->accept_list,
a46b7ed4
SS		 2765 &ev->bdaddr,
2766 BDADDR_BREDR)) {
4f40afc6
APS		 2767 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,
2768 HCI_ROLE_SLAVE);
2769 if (!conn) {
2770 bt_dev_err(hdev, "no memory for new conn");
2771 goto unlock;
2772 }
2d186fcd
APS		 2773 } else {
2774 if (ev->link_type != SCO_LINK)
2775 goto unlock;
9499237a 2776
2d186fcd
APS		 2777 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK,
2778 &ev->bdaddr);
2779 if (!conn)
2780 goto unlock;
9499237a 2781
2d186fcd
APS		 2782 conn->type = SCO_LINK;
2783 }
9499237a 2784 }
1da177e4
LT		 2785
2786 if (!ev->status) {
2787 conn->handle = __le16_to_cpu(ev->handle);
769be974
MH		 2788
2789 if (conn->type == ACL_LINK) {
2790 conn->state = BT_CONFIG;
2791 hci_conn_hold(conn);
a9ea3ed9
SJ		 2792
2793 if (!conn->out && !hci_conn_ssp_enabled(conn) &&
2794 !hci_find_link_key(hdev, &ev->bdaddr))
2795 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
2796 else
2797 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
769be974
MH		 2798 } else
2799 conn->state = BT_CONNECTED;
1da177e4 2800
23b9ceb7 2801 hci_debugfs_create_conn(conn);
7d0db0a3
MH		 2802 hci_conn_add_sysfs(conn);
2803
1da177e4 2804 if (test_bit(HCI_AUTH, &hdev->flags))
4dae2798 2805 set_bit(HCI_CONN_AUTH, &conn->flags);
1da177e4
LT		 2806
2807 if (test_bit(HCI_ENCRYPT, &hdev->flags))
4dae2798 2808 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
1da177e4 2809
04837f64
MH		 2810 /* Get remote features */
2811 if (conn->type == ACL_LINK) {
2812 struct hci_cp_read_remote_features cp;
2813 cp.handle = ev->handle;
769be974 2814 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
04124681 2815 sizeof(cp), &cp);
22f433dc 2816
01b1cb87 2817 hci_req_update_scan(hdev);
04837f64
MH		 2818 }
2819
1da177e4 2820 /* Set packet type for incoming connection */
d095c1eb 2821 if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
1da177e4
LT		 2822 struct hci_cp_change_conn_ptype cp;
2823 cp.handle = ev->handle;
a8746417 2824 cp.pkt_type = cpu_to_le16(conn->pkt_type);
04124681
GP		 2825 hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
2826 &cp);
1da177e4 2827 }
17d5c04c 2828 } else {
1da177e4 2829 conn->state = BT_CLOSED;
17d5c04c 2830 if (conn->type == ACL_LINK)
64c7b77c 2831 mgmt_connect_failed(hdev, &conn->dst, conn->type,
04124681 2832 conn->dst_type, ev->status);
17d5c04c 2833 }
1da177e4 2834
e73439d8
MH		 2835 if (conn->type == ACL_LINK)
2836 hci_sco_setup(conn, ev->status);
1da177e4 2837
769be974 2838 if (ev->status) {
539c496d 2839 hci_connect_cfm(conn, ev->status);
1da177e4 2840 hci_conn_del(conn);
1f8330ea
SN		 2841 } else if (ev->link_type == SCO_LINK) {
2842 switch (conn->setting & SCO_AIRMODE_MASK) {
2843 case SCO_AIRMODE_CVSD:
2844 if (hdev->notify)
2845 hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
2846 break;
2847 }
2848
539c496d 2849 hci_connect_cfm(conn, ev->status);
1f8330ea 2850 }
1da177e4 2851
a9de9248 2852unlock:
1da177e4 2853 hci_dev_unlock(hdev);
1da177e4 2854
a9de9248 2855 hci_conn_check_pending(hdev);
1da177e4
LT		 2856}
2857
70c46425
JH		 2858static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
2859{
2860 struct hci_cp_reject_conn_req cp;
2861
2862 bacpy(&cp.bdaddr, bdaddr);
2863 cp.reason = HCI_ERROR_REJ_BAD_ADDR;
2864 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
2865}
2866
6039aa73 2867static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
1da177e4 2868{
a9de9248
MH		 2869 struct hci_ev_conn_request *ev = (void *) skb->data;
2870 int mask = hdev->link_mode;
70c46425
JH		 2871 struct inquiry_entry *ie;
2872 struct hci_conn *conn;
20714bfe 2873 __u8 flags = 0;
1da177e4 2874
6ed93dc6 2875 BT_DBG("%s bdaddr %pMR type 0x%x", hdev->name, &ev->bdaddr,
807deac2 2876 ev->link_type);
1da177e4 2877
20714bfe
FD		 2878 mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
2879 &flags);
1da177e4 2880
70c46425
JH		 2881 if (!(mask & HCI_LM_ACCEPT)) {
2882 hci_reject_conn(hdev, &ev->bdaddr);
2883 return;
2884 }
2885
3d4f9c00 2886 if (hci_bdaddr_list_lookup(&hdev->reject_list, &ev->bdaddr,
46c4c941
JH		 2887 BDADDR_BREDR)) {
2888 hci_reject_conn(hdev, &ev->bdaddr);
2889 return;
2890 }
2891
3d4f9c00 2892 /* Require HCI_CONNECTABLE or an accept list entry to accept the
6a8fc95c
JH		 2893 * connection. These features are only touched through mgmt so
2894 * only do the checks if HCI_MGMT is set.
2895 */
d7a5a11d
MH		 2896 if (hci_dev_test_flag(hdev, HCI_MGMT) &&
2897 !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
3d4f9c00 2898 !hci_bdaddr_list_lookup_with_flags(&hdev->accept_list, &ev->bdaddr,
8baaa403
APS		 2899 BDADDR_BREDR)) {
2900 hci_reject_conn(hdev, &ev->bdaddr);
2901 return;
70c46425 2902 }
1da177e4 2903
70c46425 2904 /* Connection accepted */
b6a0dc82 2905
70c46425
JH		 2906 hci_dev_lock(hdev);
2907
2908 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
2909 if (ie)
2910 memcpy(ie->data.dev_class, ev->dev_class, 3);
c7bdd502 2911
70c46425
JH		 2912 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
2913 &ev->bdaddr);
2914 if (!conn) {
a5c4e309
JH		 2915 conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr,
2916 HCI_ROLE_SLAVE);
a9de9248 2917 if (!conn) {
2064ee33 2918 bt_dev_err(hdev, "no memory for new connection");
70c46425
JH		 2919 hci_dev_unlock(hdev);
2920 return;
1da177e4 2921 }
70c46425 2922 }
b6a0dc82 2923
70c46425 2924 memcpy(conn->dev_class, ev->dev_class, 3);
b6a0dc82 2925
70c46425 2926 hci_dev_unlock(hdev);
1da177e4 2927
70c46425
JH		 2928 if (ev->link_type == ACL_LINK ||
2929 (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
2930 struct hci_cp_accept_conn_req cp;
2931 conn->state = BT_CONNECT;
1da177e4 2932
70c46425 2933 bacpy(&cp.bdaddr, &ev->bdaddr);
b6a0dc82 2934
70c46425 2935 if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
74be523c 2936 cp.role = 0x00; /* Become central */
70c46425 2937 else
74be523c 2938 cp.role = 0x01; /* Remain peripheral */
b6a0dc82 2939
70c46425
JH		 2940 hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
2941 } else if (!(flags & HCI_PROTO_DEFER)) {
2942 struct hci_cp_accept_sync_conn_req cp;
2943 conn->state = BT_CONNECT;
b6a0dc82 2944
70c46425
JH		 2945 bacpy(&cp.bdaddr, &ev->bdaddr);
2946 cp.pkt_type = cpu_to_le16(conn->pkt_type);
b6a0dc82 2947
70c46425
JH		 2948 cp.tx_bandwidth = cpu_to_le32(0x00001f40);
2949 cp.rx_bandwidth = cpu_to_le32(0x00001f40);
2950 cp.max_latency = cpu_to_le16(0xffff);
2951 cp.content_format = cpu_to_le16(hdev->voice_setting);
2952 cp.retrans_effort = 0xff;
1da177e4 2953
70c46425
JH		 2954 hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
2955 &cp);
a9de9248 2956 } else {
70c46425 2957 conn->state = BT_CONNECT2;
539c496d 2958 hci_connect_cfm(conn, 0);
1da177e4 2959 }
1da177e4
LT		 2960}
2961
f0d6a0ea
MA		 2962static u8 hci_to_mgmt_reason(u8 err)
2963{
2964 switch (err) {
2965 case HCI_ERROR_CONNECTION_TIMEOUT:
2966 return MGMT_DEV_DISCONN_TIMEOUT;
2967 case HCI_ERROR_REMOTE_USER_TERM:
2968 case HCI_ERROR_REMOTE_LOW_RESOURCES:
2969 case HCI_ERROR_REMOTE_POWER_OFF:
2970 return MGMT_DEV_DISCONN_REMOTE;
2971 case HCI_ERROR_LOCAL_HOST_TERM:
2972 return MGMT_DEV_DISCONN_LOCAL_HOST;
2973 default:
2974 return MGMT_DEV_DISCONN_UNKNOWN;
2975 }
2976}
2977
6039aa73 2978static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
04837f64 2979{
a9de9248 2980 struct hci_ev_disconn_complete *ev = (void *) skb->data;
160b9251 2981 u8 reason;
9fcb18ef 2982 struct hci_conn_params *params;
04837f64 2983 struct hci_conn *conn;
12d4a3b2 2984 bool mgmt_connected;
04837f64 2985
9f1db00c 2986 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
04837f64
MH		 2987
2988 hci_dev_lock(hdev);
2989
2990 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
f7520543
JH		 2991 if (!conn)
2992 goto unlock;
7d0db0a3 2993
abf54a50
AG		 2994 if (ev->status) {
2995 mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2996 conn->dst_type, ev->status);
2997 goto unlock;
37d9ef76 2998 }
f7520543 2999
3846220b
AG		 3000 conn->state = BT_CLOSED;
3001
12d4a3b2 3002 mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
160b9251
SJ		 3003
3004 if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags))
3005 reason = MGMT_DEV_DISCONN_AUTH_FAILURE;
3006 else
3007 reason = hci_to_mgmt_reason(ev->reason);
3008
12d4a3b2
JH		 3009 mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
3010 reason, mgmt_connected);
abf54a50 3011
22f433dc
JH		 3012 if (conn->type == ACL_LINK) {
3013 if (test_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
3014 hci_remove_link_key(hdev, &conn->dst);
3015
01b1cb87 3016 hci_req_update_scan(hdev);
22f433dc 3017 }
2210246c 3018
9fcb18ef
AG		 3019 params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
3020 if (params) {
3021 switch (params->auto_connect) {
3022 case HCI_AUTO_CONN_LINK_LOSS:
3023 if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
3024 break;
19186c7b 3025 fallthrough;
9fcb18ef 3026
4b9e7e75 3027 case HCI_AUTO_CONN_DIRECT:
9fcb18ef 3028 case HCI_AUTO_CONN_ALWAYS:
418025d1
JH		 3029 list_del_init(&params->action);
3030 list_add(&params->action, &hdev->pend_le_conns);
3031 hci_update_background_scan(hdev);
9fcb18ef
AG		 3032 break;
3033
3034 default:
3035 break;
3036 }
3037 }
3038
3a6d576b 3039 hci_disconn_cfm(conn, ev->reason);
3846220b
AG		 3040
3041 /* Re-enable advertising if necessary, since it might
3042 * have been disabled by the connection. From the
3043 * HCI_LE_Set_Advertise_Enable command description in
3044 * the core specification (v4.0):
3045 * "The Controller shall continue advertising until the Host
3046 * issues an LE_Set_Advertise_Enable command with
3047 * Advertising_Enable set to 0x00 (Advertising is disabled)
3048 * or until a connection is created or until the Advertising
3049 * is timed out due to Directed Advertising."
3050 */
1eeaa1ae 3051 if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) {
7087c4f6 3052 hdev->cur_adv_instance = conn->adv_instance;
f2252570 3053 hci_req_reenable_advertising(hdev);
7087c4f6
LAD		 3054 }
3055
3056 hci_conn_del(conn);
f7520543 3057
83775456
LAD		 3058 /* The suspend notifier is waiting for all devices to disconnect so
3059 * clear the bit from pending tasks and inform the wait queue.
3060 */
3061 if (list_empty(&hdev->conn_hash.list) &&
3062 test_and_clear_bit(SUSPEND_DISCONNECTING, hdev->suspend_tasks)) {
3063 wake_up(&hdev->suspend_wait_q);
3064 }
3065
f7520543 3066unlock:
04837f64
MH		 3067 hci_dev_unlock(hdev);
3068}
3069
6039aa73 3070static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1da177e4 3071{
a9de9248 3072 struct hci_ev_auth_complete *ev = (void *) skb->data;
04837f64 3073 struct hci_conn *conn;
1da177e4 3074
9f1db00c 3075 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
1da177e4
LT		 3076
3077 hci_dev_lock(hdev);
3078
04837f64 3079 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
d7556e20
WR		 3080 if (!conn)
3081 goto unlock;
3082
3083 if (!ev->status) {
160b9251
SJ		 3084 clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3085
aa64a8b5 3086 if (!hci_conn_ssp_enabled(conn) &&
807deac2 3087 test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) {
2064ee33 3088 bt_dev_info(hdev, "re-auth of legacy device is not possible.");
2a611692 3089 } else {
4dae2798 3090 set_bit(HCI_CONN_AUTH, &conn->flags);
d7556e20 3091 conn->sec_level = conn->pending_sec_level;
2a611692 3092 }
d7556e20 3093 } else {
160b9251
SJ		 3094 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3095 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3096
e1e930f5 3097 mgmt_auth_failed(conn, ev->status);
d7556e20 3098 }
1da177e4 3099
51a8efd7
JH		 3100 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3101 clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
1da177e4 3102
d7556e20 3103 if (conn->state == BT_CONFIG) {
aa64a8b5 3104 if (!ev->status && hci_conn_ssp_enabled(conn)) {
d7556e20
WR		 3105 struct hci_cp_set_conn_encrypt cp;
3106 cp.handle = ev->handle;
3107 cp.encrypt = 0x01;
3108 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
807deac2 3109 &cp);
052b30b0 3110 } else {
d7556e20 3111 conn->state = BT_CONNECTED;
539c496d 3112 hci_connect_cfm(conn, ev->status);
76a68ba0 3113 hci_conn_drop(conn);
052b30b0 3114 }
d7556e20
WR		 3115 } else {
3116 hci_auth_cfm(conn, ev->status);
052b30b0 3117
d7556e20
WR		 3118 hci_conn_hold(conn);
3119 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
76a68ba0 3120 hci_conn_drop(conn);
d7556e20
WR		 3121 }
3122
51a8efd7 3123 if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
d7556e20
WR		 3124 if (!ev->status) {
3125 struct hci_cp_set_conn_encrypt cp;
3126 cp.handle = ev->handle;
3127 cp.encrypt = 0x01;
3128 hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
807deac2 3129 &cp);
d7556e20 3130 } else {
51a8efd7 3131 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3ca44c16 3132 hci_encrypt_cfm(conn, ev->status);
1da177e4
LT		 3133 }
3134 }
3135
d7556e20 3136unlock:
1da177e4
LT		 3137 hci_dev_unlock(hdev);
3138}
3139
6039aa73 3140static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb)
1da177e4 3141{
127178d2
JH		 3142 struct hci_ev_remote_name *ev = (void *) skb->data;
3143 struct hci_conn *conn;
3144
a9de9248 3145 BT_DBG("%s", hdev->name);
1da177e4 3146
a9de9248 3147 hci_conn_check_pending(hdev);
127178d2
JH		 3148
3149 hci_dev_lock(hdev);
3150
b644ba33 3151 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
30dc78e1 3152
d7a5a11d 3153 if (!hci_dev_test_flag(hdev, HCI_MGMT))
b644ba33 3154 goto check_auth;
a88a9652 3155
b644ba33
JH		 3156 if (ev->status == 0)
3157 hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
04124681 3158 strnlen(ev->name, HCI_MAX_NAME_LENGTH));
b644ba33
JH		 3159 else
3160 hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
3161
3162check_auth:
79c6c70c
JH		 3163 if (!conn)
3164 goto unlock;
3165
3166 if (!hci_outgoing_auth_needed(hdev, conn))
3167 goto unlock;
3168
51a8efd7 3169 if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
127178d2 3170 struct hci_cp_auth_requested cp;
977f8fce
JH		 3171
3172 set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
3173
127178d2
JH		 3174 cp.handle = __cpu_to_le16(conn->handle);
3175 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
3176 }
3177
79c6c70c 3178unlock:
127178d2 3179 hci_dev_unlock(hdev);
a9de9248
MH		 3180}
3181
821f3766
JH		 3182static void read_enc_key_size_complete(struct hci_dev *hdev, u8 status,
3183 u16 opcode, struct sk_buff *skb)
3184{
3185 const struct hci_rp_read_enc_key_size *rp;
3186 struct hci_conn *conn;
3187 u16 handle;
3188
3189 BT_DBG("%s status 0x%02x", hdev->name, status);
3190
3191 if (!skb || skb->len < sizeof(*rp)) {
2064ee33 3192 bt_dev_err(hdev, "invalid read key size response");
821f3766
JH		 3193 return;
3194 }
3195
3196 rp = (void *)skb->data;
3197 handle = le16_to_cpu(rp->handle);
3198
3199 hci_dev_lock(hdev);
3200
3201 conn = hci_conn_hash_lookup_handle(hdev, handle);
3202 if (!conn)
3203 goto unlock;
3204
32b50729
AM		 3205 /* While unexpected, the read_enc_key_size command may fail. The most
3206 * secure approach is to then assume the key size is 0 to force a
3207 * disconnection.
821f3766
JH		 3208 */
3209 if (rp->status) {
2064ee33
MH		 3210 bt_dev_err(hdev, "failed to read key size for handle %u",
3211 handle);
32b50729 3212 conn->enc_key_size = 0;
821f3766
JH		 3213 } else {
3214 conn->enc_key_size = rp->key_size;
3215 }
3216
3ca44c16 3217 hci_encrypt_cfm(conn, 0);
821f3766
JH		 3218
3219unlock:
3220 hci_dev_unlock(hdev);
3221}
3222
6039aa73 3223static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
a9de9248
MH		 3224{
3225 struct hci_ev_encrypt_change *ev = (void *) skb->data;
3226 struct hci_conn *conn;
3227
9f1db00c 3228 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
1da177e4
LT		 3229
3230 hci_dev_lock(hdev);
3231
04837f64 3232 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
dc8357cc
MH		 3233 if (!conn)
3234 goto unlock;
1da177e4 3235
dc8357cc
MH		 3236 if (!ev->status) {
3237 if (ev->encrypt) {
3238 /* Encryption implies authentication */
4dae2798
JH		 3239 set_bit(HCI_CONN_AUTH, &conn->flags);
3240 set_bit(HCI_CONN_ENCRYPT, &conn->flags);
dc8357cc 3241 conn->sec_level = conn->pending_sec_level;
abf76bad 3242
914a6ffe
MH		 3243 /* P-256 authentication key implies FIPS */
3244 if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
4dae2798 3245 set_bit(HCI_CONN_FIPS, &conn->flags);
914a6ffe 3246
abf76bad
MH		 3247 if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
3248 conn->type == LE_LINK)
3249 set_bit(HCI_CONN_AES_CCM, &conn->flags);
3250 } else {
4dae2798 3251 clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
abf76bad
MH		 3252 clear_bit(HCI_CONN_AES_CCM, &conn->flags);
3253 }
dc8357cc 3254 }
a7d7723a 3255
7ed3fa20
JH		 3256 /* We should disregard the current RPA and generate a new one
3257 * whenever the encryption procedure fails.
3258 */
a73c046a 3259 if (ev->status && conn->type == LE_LINK) {
a1536da2 3260 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
a73c046a
JK		 3261 hci_adv_instances_set_rpa_expired(hdev, true);
3262 }
7ed3fa20 3263
dc8357cc 3264 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
f8558555 3265
8746f135
LAD		 3266 /* Check link security requirements are met */
3267 if (!hci_conn_check_link_mode(conn))
3268 ev->status = HCI_ERROR_AUTH_FAILURE;
3269
dc8357cc 3270 if (ev->status && conn->state == BT_CONNECTED) {
160b9251
SJ		 3271 if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3272 set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3273
8746f135
LAD		 3274 /* Notify upper layers so they can cleanup before
3275 * disconnecting.
3276 */
3277 hci_encrypt_cfm(conn, ev->status);
dc8357cc
MH		 3278 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3279 hci_conn_drop(conn);
3280 goto unlock;
1da177e4
LT		 3281 }
3282
821f3766
JH		 3283 /* Try reading the encryption key size for encrypted ACL links */
3284 if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
3285 struct hci_cp_read_enc_key_size cp;
3286 struct hci_request req;
3287
3288 /* Only send HCI_Read_Encryption_Key_Size if the
3289 * controller really supports it. If it doesn't, assume
3290 * the default size (16).
3291 */
3292 if (!(hdev->commands[20] & 0x10)) {
3293 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3294 goto notify;
3295 }
3296
3297 hci_req_init(&req, hdev);
3298
3299 cp.handle = cpu_to_le16(conn->handle);
3300 hci_req_add(&req, HCI_OP_READ_ENC_KEY_SIZE, sizeof(cp), &cp);
3301
3302 if (hci_req_run_skb(&req, read_enc_key_size_complete)) {
2064ee33 3303 bt_dev_err(hdev, "sending read key size failed");
821f3766
JH		 3304 conn->enc_key_size = HCI_LINK_KEY_SIZE;
3305 goto notify;
3306 }
3307
3308 goto unlock;
3309 }
3310
302975cb
SRK		 3311 /* Set the default Authenticated Payload Timeout after
3312 * an LE Link is established. As per Core Spec v5.0, Vol 2, Part B
3313 * Section 3.3, the HCI command WRITE_AUTH_PAYLOAD_TIMEOUT should be
3314 * sent when the link is active and Encryption is enabled, the conn
3315 * type can be either LE or ACL and controller must support LMP Ping.
3316 * Ensure for AES-CCM encryption as well.
3317 */
3318 if (test_bit(HCI_CONN_ENCRYPT, &conn->flags) &&
3319 test_bit(HCI_CONN_AES_CCM, &conn->flags) &&
3320 ((conn->type == ACL_LINK && lmp_ping_capable(hdev)) ||
3321 (conn->type == LE_LINK && (hdev->le_features[0] & HCI_LE_PING)))) {
3322 struct hci_cp_write_auth_payload_to cp;
3323
3324 cp.handle = cpu_to_le16(conn->handle);
3325 cp.timeout = cpu_to_le16(hdev->auth_payload_timeout);
3326 hci_send_cmd(conn->hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO,
3327 sizeof(cp), &cp);
3328 }
3329
821f3766 3330notify:
3ca44c16 3331 hci_encrypt_cfm(conn, ev->status);
dc8357cc 3332
a7d7723a 3333unlock:
1da177e4
LT		 3334 hci_dev_unlock(hdev);
3335}
3336
6039aa73
GP		 3337static void hci_change_link_key_complete_evt(struct hci_dev *hdev,
3338 struct sk_buff *skb)
1da177e4 3339{
a9de9248 3340 struct hci_ev_change_link_key_complete *ev = (void *) skb->data;
04837f64 3341 struct hci_conn *conn;
1da177e4 3342
9f1db00c 3343 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
1da177e4
LT		 3344
3345 hci_dev_lock(hdev);
3346
04837f64 3347 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
1da177e4
LT		 3348 if (conn) {
3349 if (!ev->status)
4dae2798 3350 set_bit(HCI_CONN_SECURE, &conn->flags);
1da177e4 3351
51a8efd7 3352 clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
1da177e4
LT		 3353
3354 hci_key_change_cfm(conn, ev->status);
3355 }
3356
3357 hci_dev_unlock(hdev);
3358}
3359
6039aa73
GP		 3360static void hci_remote_features_evt(struct hci_dev *hdev,
3361 struct sk_buff *skb)
1da177e4 3362{
a9de9248
MH		 3363 struct hci_ev_remote_features *ev = (void *) skb->data;
3364 struct hci_conn *conn;
3365
9f1db00c 3366 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
a9de9248 3367
a9de9248
MH		 3368 hci_dev_lock(hdev);
3369
3370 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
ccd556fe
JH		 3371 if (!conn)
3372 goto unlock;
769be974 3373
ccd556fe 3374 if (!ev->status)
cad718ed 3375 memcpy(conn->features[0], ev->features, 8);
ccd556fe
JH		 3376
3377 if (conn->state != BT_CONFIG)
3378 goto unlock;
3379
ac363cf9
SJ		 3380 if (!ev->status && lmp_ext_feat_capable(hdev) &&
3381 lmp_ext_feat_capable(conn)) {
ccd556fe
JH		 3382 struct hci_cp_read_remote_ext_features cp;
3383 cp.handle = ev->handle;
3384 cp.page = 0x01;
3385 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
807deac2 3386 sizeof(cp), &cp);
392599b9
JH		 3387 goto unlock;
3388 }
3389
671267bf 3390 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
127178d2
JH		 3391 struct hci_cp_remote_name_req cp;
3392 memset(&cp, 0, sizeof(cp));
3393 bacpy(&cp.bdaddr, &conn->dst);
3394 cp.pscan_rep_mode = 0x02;
3395 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
b644ba33 3396 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
1c6ed31b 3397 mgmt_device_connected(hdev, conn, NULL, 0);
392599b9 3398
127178d2 3399 if (!hci_outgoing_auth_needed(hdev, conn)) {
ccd556fe 3400 conn->state = BT_CONNECTED;
539c496d 3401 hci_connect_cfm(conn, ev->status);
76a68ba0 3402 hci_conn_drop(conn);
769be974 3403 }
a9de9248 3404
ccd556fe 3405unlock:
a9de9248 3406 hci_dev_unlock(hdev);
1da177e4
LT		 3407}
3408
ecb71f25 3409static inline void handle_cmd_cnt_and_timer(struct hci_dev *hdev, u8 ncmd)
de75cd0d 3410{
ecb71f25 3411 cancel_delayed_work(&hdev->cmd_timer);
de75cd0d
MM		 3412
3413 if (!test_bit(HCI_RESET, &hdev->flags)) {
3414 if (ncmd) {
3415 cancel_delayed_work(&hdev->ncmd_timer);
3416 atomic_set(&hdev->cmd_cnt, 1);
3417 } else {
3418 schedule_delayed_work(&hdev->ncmd_timer,
3419 HCI_NCMD_TIMEOUT);
3420 }
3421 }
3422}
3423
e6214487
JH		 3424static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb,
3425 u16 *opcode, u8 *status,
3426 hci_req_complete_t *req_complete,
3427 hci_req_complete_skb_t *req_complete_skb)
a9de9248
MH		 3428{
3429 struct hci_ev_cmd_complete *ev = (void *) skb->data;
a9de9248 3430
e6214487
JH		 3431 *opcode = __le16_to_cpu(ev->opcode);
3432 *status = skb->data[sizeof(*ev)];
a9de9248 3433
e6214487 3434 skb_pull(skb, sizeof(*ev));
a9de9248 3435
e6214487 3436 switch (*opcode) {
a9de9248 3437 case HCI_OP_INQUIRY_CANCEL:
adf1d692 3438 hci_cc_inquiry_cancel(hdev, skb, status);
a9de9248
MH		 3439 break;
3440
4d93483b
AG		 3441 case HCI_OP_PERIODIC_INQ:
3442 hci_cc_periodic_inq(hdev, skb);
3443 break;
3444
a9de9248
MH		 3445 case HCI_OP_EXIT_PERIODIC_INQ:
3446 hci_cc_exit_periodic_inq(hdev, skb);
3447 break;
3448
3449 case HCI_OP_REMOTE_NAME_REQ_CANCEL:
3450 hci_cc_remote_name_req_cancel(hdev, skb);
3451 break;
3452
3453 case HCI_OP_ROLE_DISCOVERY:
3454 hci_cc_role_discovery(hdev, skb);
3455 break;
3456
e4e8e37c
MH		 3457 case HCI_OP_READ_LINK_POLICY:
3458 hci_cc_read_link_policy(hdev, skb);
3459 break;
3460
a9de9248
MH		 3461 case HCI_OP_WRITE_LINK_POLICY:
3462 hci_cc_write_link_policy(hdev, skb);
3463 break;
3464
e4e8e37c
MH		 3465 case HCI_OP_READ_DEF_LINK_POLICY:
3466 hci_cc_read_def_link_policy(hdev, skb);
3467 break;
3468
3469 case HCI_OP_WRITE_DEF_LINK_POLICY:
3470 hci_cc_write_def_link_policy(hdev, skb);
3471 break;
3472
a9de9248
MH		 3473 case HCI_OP_RESET:
3474 hci_cc_reset(hdev, skb);
3475 break;
3476
c2f0f979
MH		 3477 case HCI_OP_READ_STORED_LINK_KEY:
3478 hci_cc_read_stored_link_key(hdev, skb);
3479 break;
3480
a9366120
MH		 3481 case HCI_OP_DELETE_STORED_LINK_KEY:
3482 hci_cc_delete_stored_link_key(hdev, skb);
3483 break;
3484
a9de9248
MH		 3485 case HCI_OP_WRITE_LOCAL_NAME:
3486 hci_cc_write_local_name(hdev, skb);
3487 break;
3488
3489 case HCI_OP_READ_LOCAL_NAME:
3490 hci_cc_read_local_name(hdev, skb);
3491 break;
3492
3493 case HCI_OP_WRITE_AUTH_ENABLE:
3494 hci_cc_write_auth_enable(hdev, skb);
3495 break;
3496
3497 case HCI_OP_WRITE_ENCRYPT_MODE:
3498 hci_cc_write_encrypt_mode(hdev, skb);
3499 break;
3500
3501 case HCI_OP_WRITE_SCAN_ENABLE:
3502 hci_cc_write_scan_enable(hdev, skb);
3503 break;
3504
e5b0ad69
APS		 3505 case HCI_OP_SET_EVENT_FLT:
3506 hci_cc_set_event_filter(hdev, skb);
3507 break;
3508
a9de9248
MH		 3509 case HCI_OP_READ_CLASS_OF_DEV:
3510 hci_cc_read_class_of_dev(hdev, skb);
3511 break;
3512
3513 case HCI_OP_WRITE_CLASS_OF_DEV:
3514 hci_cc_write_class_of_dev(hdev, skb);
3515 break;
3516
3517 case HCI_OP_READ_VOICE_SETTING:
3518 hci_cc_read_voice_setting(hdev, skb);
3519 break;
3520
3521 case HCI_OP_WRITE_VOICE_SETTING:
3522 hci_cc_write_voice_setting(hdev, skb);
3523 break;
3524
b4cb9fb2
MH		 3525 case HCI_OP_READ_NUM_SUPPORTED_IAC:
3526 hci_cc_read_num_supported_iac(hdev, skb);
3527 break;
3528
333140b5
MH		 3529 case HCI_OP_WRITE_SSP_MODE:
3530 hci_cc_write_ssp_mode(hdev, skb);
3531 break;
3532
eac83dc6
MH		 3533 case HCI_OP_WRITE_SC_SUPPORT:
3534 hci_cc_write_sc_support(hdev, skb);
3535 break;
3536
302975cb
SRK		 3537 case HCI_OP_READ_AUTH_PAYLOAD_TO:
3538 hci_cc_read_auth_payload_timeout(hdev, skb);
3539 break;
3540
3541 case HCI_OP_WRITE_AUTH_PAYLOAD_TO:
3542 hci_cc_write_auth_payload_timeout(hdev, skb);
3543 break;
3544
a9de9248
MH		 3545 case HCI_OP_READ_LOCAL_VERSION:
3546 hci_cc_read_local_version(hdev, skb);
3547 break;
3548
3549 case HCI_OP_READ_LOCAL_COMMANDS:
3550 hci_cc_read_local_commands(hdev, skb);
3551 break;
3552
3553 case HCI_OP_READ_LOCAL_FEATURES:
3554 hci_cc_read_local_features(hdev, skb);
3555 break;
3556
971e3a4b
AG		 3557 case HCI_OP_READ_LOCAL_EXT_FEATURES:
3558 hci_cc_read_local_ext_features(hdev, skb);
3559 break;
3560
a9de9248
MH		 3561 case HCI_OP_READ_BUFFER_SIZE:
3562 hci_cc_read_buffer_size(hdev, skb);
3563 break;
3564
3565 case HCI_OP_READ_BD_ADDR:
3566 hci_cc_read_bd_addr(hdev, skb);
3567 break;
3568
a4790360
MH		 3569 case HCI_OP_READ_LOCAL_PAIRING_OPTS:
3570 hci_cc_read_local_pairing_opts(hdev, skb);
3571 break;
3572
f332ec66
JH		 3573 case HCI_OP_READ_PAGE_SCAN_ACTIVITY:
3574 hci_cc_read_page_scan_activity(hdev, skb);
3575 break;
3576
4a3ee763
JH		 3577 case HCI_OP_WRITE_PAGE_SCAN_ACTIVITY:
3578 hci_cc_write_page_scan_activity(hdev, skb);
3579 break;
3580
f332ec66
JH		 3581 case HCI_OP_READ_PAGE_SCAN_TYPE:
3582 hci_cc_read_page_scan_type(hdev, skb);
3583 break;
3584
4a3ee763
JH		 3585 case HCI_OP_WRITE_PAGE_SCAN_TYPE:
3586 hci_cc_write_page_scan_type(hdev, skb);
3587 break;
3588
350ee4cf
AE		 3589 case HCI_OP_READ_DATA_BLOCK_SIZE:
3590 hci_cc_read_data_block_size(hdev, skb);
3591 break;
3592
1e89cffb
AE		 3593 case HCI_OP_READ_FLOW_CONTROL_MODE:
3594 hci_cc_read_flow_control_mode(hdev, skb);
3595 break;
3596
928abaa7
AE		 3597 case HCI_OP_READ_LOCAL_AMP_INFO:
3598 hci_cc_read_local_amp_info(hdev, skb);
3599 break;
3600
33f35721
JH		 3601 case HCI_OP_READ_CLOCK:
3602 hci_cc_read_clock(hdev, skb);
3603 break;
3604
d5859e22
JH		 3605 case HCI_OP_READ_INQ_RSP_TX_POWER:
3606 hci_cc_read_inq_rsp_tx_power(hdev, skb);
3607 break;
3608
00bce3fb
AM		 3609 case HCI_OP_READ_DEF_ERR_DATA_REPORTING:
3610 hci_cc_read_def_err_data_reporting(hdev, skb);
3611 break;
3612
3613 case HCI_OP_WRITE_DEF_ERR_DATA_REPORTING:
3614 hci_cc_write_def_err_data_reporting(hdev, skb);
3615 break;
3616
980e1a53
JH		 3617 case HCI_OP_PIN_CODE_REPLY:
3618 hci_cc_pin_code_reply(hdev, skb);
3619 break;
3620
3621 case HCI_OP_PIN_CODE_NEG_REPLY:
3622 hci_cc_pin_code_neg_reply(hdev, skb);
3623 break;
3624
c35938b2 3625 case HCI_OP_READ_LOCAL_OOB_DATA:
4d2d2796
MH		 3626 hci_cc_read_local_oob_data(hdev, skb);
3627 break;
3628
3629 case HCI_OP_READ_LOCAL_OOB_EXT_DATA:
3630 hci_cc_read_local_oob_ext_data(hdev, skb);
c35938b2
SJ		 3631 break;
3632
6ed58ec5
VT		 3633 case HCI_OP_LE_READ_BUFFER_SIZE:
3634 hci_cc_le_read_buffer_size(hdev, skb);
3635 break;
3636
60e77321
JH		 3637 case HCI_OP_LE_READ_LOCAL_FEATURES:
3638 hci_cc_le_read_local_features(hdev, skb);
3639 break;
3640
8fa19098
JH		 3641 case HCI_OP_LE_READ_ADV_TX_POWER:
3642 hci_cc_le_read_adv_tx_power(hdev, skb);
3643 break;
3644
a5c29683
JH		 3645 case HCI_OP_USER_CONFIRM_REPLY:
3646 hci_cc_user_confirm_reply(hdev, skb);
3647 break;
3648
3649 case HCI_OP_USER_CONFIRM_NEG_REPLY:
3650 hci_cc_user_confirm_neg_reply(hdev, skb);
3651 break;
3652
1143d458
BG		 3653 case HCI_OP_USER_PASSKEY_REPLY:
3654 hci_cc_user_passkey_reply(hdev, skb);
3655 break;
3656
3657 case HCI_OP_USER_PASSKEY_NEG_REPLY:
3658 hci_cc_user_passkey_neg_reply(hdev, skb);
16cde993 3659 break;
07f7fa5d 3660
7a4cd51d
MH		 3661 case HCI_OP_LE_SET_RANDOM_ADDR:
3662 hci_cc_le_set_random_addr(hdev, skb);
3663 break;
3664
c1d5dc4a
JH		 3665 case HCI_OP_LE_SET_ADV_ENABLE:
3666 hci_cc_le_set_adv_enable(hdev, skb);
3667 break;
3668
533553f8
MH		 3669 case HCI_OP_LE_SET_SCAN_PARAM:
3670 hci_cc_le_set_scan_param(hdev, skb);
3671 break;
3672
eb9d91f5
AG		 3673 case HCI_OP_LE_SET_SCAN_ENABLE:
3674 hci_cc_le_set_scan_enable(hdev, skb);
3675 break;
3676
3d4f9c00
AP		 3677 case HCI_OP_LE_READ_ACCEPT_LIST_SIZE:
3678 hci_cc_le_read_accept_list_size(hdev, skb);
cf1d081f
JH		 3679 break;
3680
3d4f9c00
AP		 3681 case HCI_OP_LE_CLEAR_ACCEPT_LIST:
3682 hci_cc_le_clear_accept_list(hdev, skb);
0f36b589
MH		 3683 break;
3684
3d4f9c00
AP		 3685 case HCI_OP_LE_ADD_TO_ACCEPT_LIST:
3686 hci_cc_le_add_to_accept_list(hdev, skb);
0f36b589
MH		 3687 break;
3688
3d4f9c00
AP		 3689 case HCI_OP_LE_DEL_FROM_ACCEPT_LIST:
3690 hci_cc_le_del_from_accept_list(hdev, skb);
0f36b589
MH		 3691 break;
3692
9b008c04
JH		 3693 case HCI_OP_LE_READ_SUPPORTED_STATES:
3694 hci_cc_le_read_supported_states(hdev, skb);
3695 break;
3696
a8e1bfaa
MH		 3697 case HCI_OP_LE_READ_DEF_DATA_LEN:
3698 hci_cc_le_read_def_data_len(hdev, skb);
3699 break;
3700
3701 case HCI_OP_LE_WRITE_DEF_DATA_LEN:
3702 hci_cc_le_write_def_data_len(hdev, skb);
3703 break;
3704
b950aa88
AN		 3705 case HCI_OP_LE_ADD_TO_RESOLV_LIST:
3706 hci_cc_le_add_to_resolv_list(hdev, skb);
3707 break;
3708
3709 case HCI_OP_LE_DEL_FROM_RESOLV_LIST:
3710 hci_cc_le_del_from_resolv_list(hdev, skb);
3711 break;
3712
545f2596
AN		 3713 case HCI_OP_LE_CLEAR_RESOLV_LIST:
3714 hci_cc_le_clear_resolv_list(hdev, skb);
3715 break;
3716
cfdb0c2d
AN		 3717 case HCI_OP_LE_READ_RESOLV_LIST_SIZE:
3718 hci_cc_le_read_resolv_list_size(hdev, skb);
3719 break;
3720
aa12af77
AN		 3721 case HCI_OP_LE_SET_ADDR_RESOLV_ENABLE:
3722 hci_cc_le_set_addr_resolution_enable(hdev, skb);
3723 break;
3724
a8e1bfaa
MH		 3725 case HCI_OP_LE_READ_MAX_DATA_LEN:
3726 hci_cc_le_read_max_data_len(hdev, skb);
3727 break;
3728
f9b49306
AG		 3729 case HCI_OP_WRITE_LE_HOST_SUPPORTED:
3730 hci_cc_write_le_host_supported(hdev, skb);
3731 break;
3732
56ed2cb8
JH		 3733 case HCI_OP_LE_SET_ADV_PARAM:
3734 hci_cc_set_adv_param(hdev, skb);
3735 break;
3736
5ae76a94
AK		 3737 case HCI_OP_READ_RSSI:
3738 hci_cc_read_rssi(hdev, skb);
3739 break;
3740
5a134fae
AK		 3741 case HCI_OP_READ_TX_POWER:
3742 hci_cc_read_tx_power(hdev, skb);
3743 break;
3744
c50b33c8
MH		 3745 case HCI_OP_WRITE_SSP_DEBUG_MODE:
3746 hci_cc_write_ssp_debug_mode(hdev, skb);
3747 break;
3748
a2344b9e
JK		 3749 case HCI_OP_LE_SET_EXT_SCAN_PARAMS:
3750 hci_cc_le_set_ext_scan_param(hdev, skb);
3751 break;
3752
3753 case HCI_OP_LE_SET_EXT_SCAN_ENABLE:
3754 hci_cc_le_set_ext_scan_enable(hdev, skb);
3755 break;
3756
0314f286
JK		 3757 case HCI_OP_LE_SET_DEFAULT_PHY:
3758 hci_cc_le_set_default_phy(hdev, skb);
3759 break;
3760
6b49bcb4
JK		 3761 case HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS:
3762 hci_cc_le_read_num_adv_sets(hdev, skb);
3763 break;
3764
de181e88
JK		 3765 case HCI_OP_LE_SET_EXT_ADV_PARAMS:
3766 hci_cc_set_ext_adv_param(hdev, skb);
3767 break;
3768
3769 case HCI_OP_LE_SET_EXT_ADV_ENABLE:
3770 hci_cc_le_set_ext_adv_enable(hdev, skb);
3771 break;
3772
a73c046a
JK		 3773 case HCI_OP_LE_SET_ADV_SET_RAND_ADDR:
3774 hci_cc_le_set_adv_set_random_addr(hdev, skb);
3775 break;
3776
cba6b758
LAD		 3777 case HCI_OP_LE_REMOVE_ADV_SET:
3778 hci_cc_le_remove_adv_set(hdev, skb);
3779 break;
3780
3781 case HCI_OP_LE_CLEAR_ADV_SETS:
3782 hci_cc_le_clear_adv_sets(hdev, skb);
3783 break;
3784
7c395ea5
DW		 3785 case HCI_OP_LE_READ_TRANSMIT_POWER:
3786 hci_cc_le_read_transmit_power(hdev, skb);
3787 break;
3788
a9de9248 3789 default:
e6214487 3790 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
a9de9248
MH		 3791 break;
3792 }
3793
ecb71f25 3794 handle_cmd_cnt_and_timer(hdev, ev->ncmd);
600b2150 3795
e6214487
JH		 3796 hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
3797 req_complete_skb);
9238f36a 3798
f80c5dad
JPRV		 3799 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
3800 bt_dev_err(hdev,
3801 "unexpected event for opcode 0x%4.4x", *opcode);
3802 return;
3803 }
3804
600b2150
JH		 3805 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3806 queue_work(hdev->workqueue, &hdev->cmd_work);
a9de9248
MH		 3807}
3808
e6214487
JH		 3809static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb,
3810 u16 *opcode, u8 *status,
3811 hci_req_complete_t *req_complete,
3812 hci_req_complete_skb_t *req_complete_skb)
a9de9248
MH		 3813{
3814 struct hci_ev_cmd_status *ev = (void *) skb->data;
a9de9248
MH		 3815
3816 skb_pull(skb, sizeof(*ev));
3817
e6214487
JH		 3818 *opcode = __le16_to_cpu(ev->opcode);
3819 *status = ev->status;
a9de9248 3820
e6214487 3821 switch (*opcode) {
a9de9248
MH		 3822 case HCI_OP_INQUIRY:
3823 hci_cs_inquiry(hdev, ev->status);
3824 break;
3825
3826 case HCI_OP_CREATE_CONN:
3827 hci_cs_create_conn(hdev, ev->status);
3828 break;
3829
9645c76c
KP		 3830 case HCI_OP_DISCONNECT:
3831 hci_cs_disconnect(hdev, ev->status);
3832 break;
3833
a9de9248
MH		 3834 case HCI_OP_ADD_SCO:
3835 hci_cs_add_sco(hdev, ev->status);
3836 break;
3837
f8558555
MH		 3838 case HCI_OP_AUTH_REQUESTED:
3839 hci_cs_auth_requested(hdev, ev->status);
3840 break;
3841
3842 case HCI_OP_SET_CONN_ENCRYPT:
3843 hci_cs_set_conn_encrypt(hdev, ev->status);
3844 break;
3845
a9de9248
MH		 3846 case HCI_OP_REMOTE_NAME_REQ:
3847 hci_cs_remote_name_req(hdev, ev->status);
3848 break;
3849
769be974
MH		 3850 case HCI_OP_READ_REMOTE_FEATURES:
3851 hci_cs_read_remote_features(hdev, ev->status);
3852 break;
3853
3854 case HCI_OP_READ_REMOTE_EXT_FEATURES:
3855 hci_cs_read_remote_ext_features(hdev, ev->status);
3856 break;
3857
a9de9248
MH		 3858 case HCI_OP_SETUP_SYNC_CONN:
3859 hci_cs_setup_sync_conn(hdev, ev->status);
3860 break;
3861
b2af264a
K		 3862 case HCI_OP_ENHANCED_SETUP_SYNC_CONN:
3863 hci_cs_enhanced_setup_sync_conn(hdev, ev->status);
3864 break;
3865
a9de9248
MH		 3866 case HCI_OP_SNIFF_MODE:
3867 hci_cs_sniff_mode(hdev, ev->status);
3868 break;
3869
3870 case HCI_OP_EXIT_SNIFF_MODE:
3871 hci_cs_exit_sniff_mode(hdev, ev->status);
3872 break;
3873
50fc85f1
KP		 3874 case HCI_OP_SWITCH_ROLE:
3875 hci_cs_switch_role(hdev, ev->status);
3876 break;
3877
cb1d68f7
JH		 3878 case HCI_OP_LE_CREATE_CONN:
3879 hci_cs_le_create_conn(hdev, ev->status);
3880 break;
3881
0fe29fd1
MH		 3882 case HCI_OP_LE_READ_REMOTE_FEATURES:
3883 hci_cs_le_read_remote_features(hdev, ev->status);
3884 break;
3885
81d0c8ad
JH		 3886 case HCI_OP_LE_START_ENC:
3887 hci_cs_le_start_enc(hdev, ev->status);
3888 break;
3889
4d94f95d
JK		 3890 case HCI_OP_LE_EXT_CREATE_CONN:
3891 hci_cs_le_ext_create_conn(hdev, ev->status);
3892 break;
3893
a9de9248 3894 default:
e6214487 3895 BT_DBG("%s opcode 0x%4.4x", hdev->name, *opcode);
a9de9248
MH		 3896 break;
3897 }
3898
ecb71f25 3899 handle_cmd_cnt_and_timer(hdev, ev->ncmd);
600b2150 3900
444c6dd5
JH		 3901 /* Indicate request completion if the command failed. Also, if
3902 * we're not waiting for a special event and we get a success
3903 * command status we should try to flag the request as completed
3904 * (since for this kind of commands there will not be a command
3905 * complete event).
3906 */
02350a72 3907 if (ev->status ||
242c0ebd 3908 (hdev->sent_cmd && !bt_cb(hdev->sent_cmd)->hci.req_event))
e6214487
JH		 3909 hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
3910 req_complete_skb);
9238f36a 3911
f80c5dad
JPRV		 3912 if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
3913 bt_dev_err(hdev,
3914 "unexpected event for opcode 0x%4.4x", *opcode);
3915 return;
3916 }
3917
600b2150
JH		 3918 if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
3919 queue_work(hdev->workqueue, &hdev->cmd_work);
a9de9248
MH		 3920}
3921
24dfa343
MH		 3922static void hci_hardware_error_evt(struct hci_dev *hdev, struct sk_buff *skb)
3923{
3924 struct hci_ev_hardware_error *ev = (void *) skb->data;
3925
c7741d16
MH		 3926 hdev->hw_error_code = ev->code;
3927
3928 queue_work(hdev->req_workqueue, &hdev->error_reset);
24dfa343
MH		 3929}
3930
6039aa73 3931static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
a9de9248
MH		 3932{
3933 struct hci_ev_role_change *ev = (void *) skb->data;
3934 struct hci_conn *conn;
3935
9f1db00c 3936 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
a9de9248
MH		 3937
3938 hci_dev_lock(hdev);
3939
3940 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3941 if (conn) {
40bef302
JH		 3942 if (!ev->status)
3943 conn->role = ev->role;
a9de9248 3944
51a8efd7 3945 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
a9de9248
MH		 3946
3947 hci_role_switch_cfm(conn, ev->status, ev->role);
3948 }
3949
3950 hci_dev_unlock(hdev);
3951}
3952
6039aa73 3953static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb)
a9de9248
MH		 3954{
3955 struct hci_ev_num_comp_pkts *ev = (void *) skb->data;
a9de9248
MH		 3956 int i;
3957
32ac5b9b 3958 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
2064ee33 3959 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
32ac5b9b
AE		 3960 return;
3961 }
3962
16e18342
GS		 3963 if (skb->len < sizeof(*ev) ||
3964 skb->len < struct_size(ev, handles, ev->num_hndl)) {
a9de9248
MH		 3965 BT_DBG("%s bad parameters", hdev->name);
3966 return;
3967 }
3968
c5993de8
AE		 3969 BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl);
3970
613a1c0c
AE		 3971 for (i = 0; i < ev->num_hndl; i++) {
3972 struct hci_comp_pkts_info *info = &ev->handles[i];
a9de9248
MH		 3973 struct hci_conn *conn;
3974 __u16 handle, count;
3975
613a1c0c
AE		 3976 handle = __le16_to_cpu(info->handle);
3977 count = __le16_to_cpu(info->count);
a9de9248
MH		 3978
3979 conn = hci_conn_hash_lookup_handle(hdev, handle);
f4280918
AE		 3980 if (!conn)
3981 continue;
3982
3983 conn->sent -= count;
3984
3985 switch (conn->type) {
3986 case ACL_LINK:
3987 hdev->acl_cnt += count;
3988 if (hdev->acl_cnt > hdev->acl_pkts)
3989 hdev->acl_cnt = hdev->acl_pkts;
3990 break;
3991
3992 case LE_LINK:
3993 if (hdev->le_pkts) {
3994 hdev->le_cnt += count;
3995 if (hdev->le_cnt > hdev->le_pkts)
3996 hdev->le_cnt = hdev->le_pkts;
3997 } else {
70f23020
AE		 3998 hdev->acl_cnt += count;
3999 if (hdev->acl_cnt > hdev->acl_pkts)
a9de9248 4000 hdev->acl_cnt = hdev->acl_pkts;
a9de9248 4001 }
f4280918
AE		 4002 break;
4003
4004 case SCO_LINK:
4005 hdev->sco_cnt += count;
4006 if (hdev->sco_cnt > hdev->sco_pkts)
4007 hdev->sco_cnt = hdev->sco_pkts;
4008 break;
4009
4010 default:
2064ee33
MH		 4011 bt_dev_err(hdev, "unknown type %d conn %p",
4012 conn->type, conn);
f4280918 4013 break;
a9de9248
MH		 4014 }
4015 }
4016
3eff45ea 4017 queue_work(hdev->workqueue, &hdev->tx_work);
a9de9248
MH		 4018}
4019
76ef7cf7
AE		 4020static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
4021 __u16 handle)
4022{
4023 struct hci_chan *chan;
4024
4025 switch (hdev->dev_type) {
ca8bee5d 4026 case HCI_PRIMARY:
76ef7cf7
AE		 4027 return hci_conn_hash_lookup_handle(hdev, handle);
4028 case HCI_AMP:
4029 chan = hci_chan_lookup_handle(hdev, handle);
4030 if (chan)
4031 return chan->conn;
4032 break;
4033 default:
2064ee33 4034 bt_dev_err(hdev, "unknown dev_type %d", hdev->dev_type);
76ef7cf7
AE		 4035 break;
4036 }
4037
4038 return NULL;
4039}
4040
6039aa73 4041static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb)
25e89e99
AE		 4042{
4043 struct hci_ev_num_comp_blocks *ev = (void *) skb->data;
4044 int i;
4045
4046 if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
2064ee33 4047 bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode);
25e89e99
AE		 4048 return;
4049 }
4050
16e18342
GS		 4051 if (skb->len < sizeof(*ev) ||
4052 skb->len < struct_size(ev, handles, ev->num_hndl)) {
25e89e99
AE		 4053 BT_DBG("%s bad parameters", hdev->name);
4054 return;
4055 }
4056
4057 BT_DBG("%s num_blocks %d num_hndl %d", hdev->name, ev->num_blocks,
807deac2 4058 ev->num_hndl);
25e89e99
AE		 4059
4060 for (i = 0; i < ev->num_hndl; i++) {
4061 struct hci_comp_blocks_info *info = &ev->handles[i];
76ef7cf7 4062 struct hci_conn *conn = NULL;
25e89e99
AE		 4063 __u16 handle, block_count;
4064
4065 handle = __le16_to_cpu(info->handle);
4066 block_count = __le16_to_cpu(info->blocks);
4067
76ef7cf7 4068 conn = __hci_conn_lookup_handle(hdev, handle);
25e89e99
AE		 4069 if (!conn)
4070 continue;
4071
4072 conn->sent -= block_count;
4073
4074 switch (conn->type) {
4075 case ACL_LINK:
bd1eb66b 4076 case AMP_LINK:
25e89e99
AE		 4077 hdev->block_cnt += block_count;
4078 if (hdev->block_cnt > hdev->num_blocks)
4079 hdev->block_cnt = hdev->num_blocks;
4080 break;
4081
4082 default:
2064ee33
MH		 4083 bt_dev_err(hdev, "unknown type %d conn %p",
4084 conn->type, conn);
25e89e99
AE		 4085 break;
4086 }
4087 }
4088
4089 queue_work(hdev->workqueue, &hdev->tx_work);
4090}
4091
6039aa73 4092static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
04837f64 4093{
a9de9248 4094 struct hci_ev_mode_change *ev = (void *) skb->data;
04837f64
MH		 4095 struct hci_conn *conn;
4096
9f1db00c 4097 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
04837f64
MH		 4098
4099 hci_dev_lock(hdev);
4100
4101 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
a9de9248
MH		 4102 if (conn) {
4103 conn->mode = ev->mode;
a9de9248 4104
8fc9ced3
GP		 4105 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
4106 &conn->flags)) {
a9de9248 4107 if (conn->mode == HCI_CM_ACTIVE)
58a681ef 4108 set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
a9de9248 4109 else
58a681ef 4110 clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
a9de9248 4111 }
e73439d8 4112
51a8efd7 4113 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
e73439d8 4114 hci_sco_setup(conn, ev->status);
04837f64
MH		 4115 }
4116
4117 hci_dev_unlock(hdev);
4118}
4119
6039aa73 4120static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
a9de9248 4121{
052b30b0
MH		 4122 struct hci_ev_pin_code_req *ev = (void *) skb->data;
4123 struct hci_conn *conn;
4124
a9de9248 4125 BT_DBG("%s", hdev->name);
052b30b0
MH		 4126
4127 hci_dev_lock(hdev);
4128
4129 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
b6f98044
WR		 4130 if (!conn)
4131 goto unlock;
4132
4133 if (conn->state == BT_CONNECTED) {
052b30b0
MH		 4134 hci_conn_hold(conn);
4135 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
76a68ba0 4136 hci_conn_drop(conn);
052b30b0
MH		 4137 }
4138
d7a5a11d 4139 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2f407f0a 4140 !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
03b555e1 4141 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
807deac2 4142 sizeof(ev->bdaddr), &ev->bdaddr);
d7a5a11d 4143 } else if (hci_dev_test_flag(hdev, HCI_MGMT)) {
a770bb5a
WR		 4144 u8 secure;
4145
4146 if (conn->pending_sec_level == BT_SECURITY_HIGH)
4147 secure = 1;
4148 else
4149 secure = 0;
4150
744cf19e 4151 mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
a770bb5a 4152 }
980e1a53 4153
b6f98044 4154unlock:
052b30b0 4155 hci_dev_unlock(hdev);
a9de9248
MH		 4156}
4157
cb6f3f7a
JH		 4158static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
4159{
4160 if (key_type == HCI_LK_CHANGED_COMBINATION)
4161 return;
4162
4163 conn->pin_length = pin_len;
4164 conn->key_type = key_type;
4165
4166 switch (key_type) {
4167 case HCI_LK_LOCAL_UNIT:
4168 case HCI_LK_REMOTE_UNIT:
4169 case HCI_LK_DEBUG_COMBINATION:
4170 return;
4171 case HCI_LK_COMBINATION:
4172 if (pin_len == 16)
4173 conn->pending_sec_level = BT_SECURITY_HIGH;
4174 else
4175 conn->pending_sec_level = BT_SECURITY_MEDIUM;
4176 break;
4177 case HCI_LK_UNAUTH_COMBINATION_P192:
4178 case HCI_LK_UNAUTH_COMBINATION_P256:
4179 conn->pending_sec_level = BT_SECURITY_MEDIUM;
4180 break;
4181 case HCI_LK_AUTH_COMBINATION_P192:
4182 conn->pending_sec_level = BT_SECURITY_HIGH;
4183 break;
4184 case HCI_LK_AUTH_COMBINATION_P256:
4185 conn->pending_sec_level = BT_SECURITY_FIPS;
4186 break;
4187 }
4188}
4189
6039aa73 4190static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
a9de9248 4191{
55ed8ca1
JH		 4192 struct hci_ev_link_key_req *ev = (void *) skb->data;
4193 struct hci_cp_link_key_reply cp;
4194 struct hci_conn *conn;
4195 struct link_key *key;
4196
a9de9248 4197 BT_DBG("%s", hdev->name);
55ed8ca1 4198
d7a5a11d 4199 if (!hci_dev_test_flag(hdev, HCI_MGMT))
55ed8ca1
JH		 4200 return;
4201
4202 hci_dev_lock(hdev);
4203
4204 key = hci_find_link_key(hdev, &ev->bdaddr);
4205 if (!key) {
6ed93dc6
AE		 4206 BT_DBG("%s link key not found for %pMR", hdev->name,
4207 &ev->bdaddr);
55ed8ca1
JH		 4208 goto not_found;
4209 }
4210
6ed93dc6
AE		 4211 BT_DBG("%s found key type %u for %pMR", hdev->name, key->type,
4212 &ev->bdaddr);
55ed8ca1 4213
55ed8ca1 4214 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
60b83f57 4215 if (conn) {
fe8bc5ac
JH		 4216 clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4217
66138ce8
MH		 4218 if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
4219 key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
807deac2 4220 conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
60b83f57
WR		 4221 BT_DBG("%s ignoring unauthenticated key", hdev->name);
4222 goto not_found;
4223 }
55ed8ca1 4224
60b83f57 4225 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
f3fb0b58
JH		 4226 (conn->pending_sec_level == BT_SECURITY_HIGH ||
4227 conn->pending_sec_level == BT_SECURITY_FIPS)) {
8fc9ced3
GP		 4228 BT_DBG("%s ignoring key unauthenticated for high security",
4229 hdev->name);
60b83f57
WR		 4230 goto not_found;
4231 }
4232
cb6f3f7a 4233 conn_set_key(conn, key->type, key->pin_len);
55ed8ca1
JH		 4234 }
4235
4236 bacpy(&cp.bdaddr, &ev->bdaddr);
9b3b4460 4237 memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
55ed8ca1
JH		 4238
4239 hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
4240
4241 hci_dev_unlock(hdev);
4242
4243 return;
4244
4245not_found:
4246 hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
4247 hci_dev_unlock(hdev);
a9de9248
MH		 4248}
4249
6039aa73 4250static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
a9de9248 4251{
052b30b0
MH		 4252 struct hci_ev_link_key_notify *ev = (void *) skb->data;
4253 struct hci_conn *conn;
7652ff6a
JH		 4254 struct link_key *key;
4255 bool persistent;
55ed8ca1 4256 u8 pin_len = 0;
052b30b0 4257
a9de9248 4258 BT_DBG("%s", hdev->name);
052b30b0
MH		 4259
4260 hci_dev_lock(hdev);
4261
4262 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
82c13d42
JH		 4263 if (!conn)
4264 goto unlock;
4265
4266 hci_conn_hold(conn);
4267 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
4268 hci_conn_drop(conn);
4269
fe8bc5ac 4270 set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
82c13d42 4271 conn_set_key(conn, ev->key_type, conn->pin_length);
052b30b0 4272
d7a5a11d 4273 if (!hci_dev_test_flag(hdev, HCI_MGMT))
7652ff6a
JH		 4274 goto unlock;
4275
4276 key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
4277 ev->key_type, pin_len, &persistent);
4278 if (!key)
4279 goto unlock;
4280
cb6f3f7a
JH		 4281 /* Update connection information since adding the key will have
4282 * fixed up the type in the case of changed combination keys.
4283 */
4284 if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
4285 conn_set_key(conn, key->type, key->pin_len);
4286
7652ff6a 4287 mgmt_new_link_key(hdev, key, persistent);
55ed8ca1 4288
6d5650c4
JH		 4289 /* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
4290 * is set. If it's not set simply remove the key from the kernel
4291 * list (we've still notified user space about it but with
4292 * store_hint being 0).
4293 */
4294 if (key->type == HCI_LK_DEBUG_COMBINATION &&
d7a5a11d 4295 !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {
0378b597
JH		 4296 list_del_rcu(&key->list);
4297 kfree_rcu(key, rcu);
82c13d42 4298 goto unlock;
6d5650c4 4299 }
7652ff6a 4300
82c13d42
JH		 4301 if (persistent)
4302 clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4303 else
4304 set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4305
7652ff6a 4306unlock:
052b30b0 4307 hci_dev_unlock(hdev);
a9de9248
MH		 4308}
4309
6039aa73 4310static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb)
1da177e4 4311{
a9de9248 4312 struct hci_ev_clock_offset *ev = (void *) skb->data;
04837f64 4313 struct hci_conn *conn;
1da177e4 4314
9f1db00c 4315 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
1da177e4
LT		 4316
4317 hci_dev_lock(hdev);
4318
04837f64 4319 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
1da177e4
LT		 4320 if (conn && !ev->status) {
4321 struct inquiry_entry *ie;
4322
cc11b9c1
AE		 4323 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
4324 if (ie) {
1da177e4
LT		 4325 ie->data.clock_offset = ev->clock_offset;
4326 ie->timestamp = jiffies;
4327 }
4328 }
4329
4330 hci_dev_unlock(hdev);
4331}
4332
6039aa73 4333static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
a8746417
MH		 4334{
4335 struct hci_ev_pkt_type_change *ev = (void *) skb->data;
4336 struct hci_conn *conn;
4337
9f1db00c 4338 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
a8746417
MH		 4339
4340 hci_dev_lock(hdev);
4341
4342 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4343 if (conn && !ev->status)
4344 conn->pkt_type = __le16_to_cpu(ev->pkt_type);
4345
4346 hci_dev_unlock(hdev);
4347}
4348
6039aa73 4349static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb)
85a1e930 4350{
a9de9248 4351 struct hci_ev_pscan_rep_mode *ev = (void *) skb->data;
85a1e930
MH		 4352 struct inquiry_entry *ie;
4353
4354 BT_DBG("%s", hdev->name);
4355
4356 hci_dev_lock(hdev);
4357
cc11b9c1
AE		 4358 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4359 if (ie) {
85a1e930
MH		 4360 ie->data.pscan_rep_mode = ev->pscan_rep_mode;
4361 ie->timestamp = jiffies;
4362 }
4363
4364 hci_dev_unlock(hdev);
4365}
4366
6039aa73
GP		 4367static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev,
4368 struct sk_buff *skb)
a9de9248
MH		 4369{
4370 struct inquiry_data data;
4371 int num_rsp = *((__u8 *) skb->data);
4372
4373 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
4374
4375 if (!num_rsp)
4376 return;
4377
d7a5a11d 4378 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
1519cc17
AG		 4379 return;
4380
a9de9248
MH		 4381 hci_dev_lock(hdev);
4382
4383 if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
138d22ef
SJ		 4384 struct inquiry_info_with_rssi_and_pscan_mode *info;
4385 info = (void *) (skb->data + 1);
a9de9248 4386
629b49c8
PY		 4387 if (skb->len < num_rsp * sizeof(*info) + 1)
4388 goto unlock;
4389
e17acd40 4390 for (; num_rsp; num_rsp--, info++) {
af58925c
MH		 4391 u32 flags;
4392
a9de9248
MH		 4393 bacpy(&data.bdaddr, &info->bdaddr);
4394 data.pscan_rep_mode = info->pscan_rep_mode;
4395 data.pscan_period_mode = info->pscan_period_mode;
4396 data.pscan_mode = info->pscan_mode;
4397 memcpy(data.dev_class, info->dev_class, 3);
4398 data.clock_offset = info->clock_offset;
4399 data.rssi = info->rssi;
41a96212 4400 data.ssp_mode = 0x00;
3175405b 4401
af58925c
MH		 4402 flags = hci_inquiry_cache_update(hdev, &data, false);
4403
48264f06 4404 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
04124681 4405 info->dev_class, info->rssi,
af58925c 4406 flags, NULL, 0, NULL, 0);
a9de9248
MH		 4407 }
4408 } else {
4409 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
4410
629b49c8
PY		 4411 if (skb->len < num_rsp * sizeof(*info) + 1)
4412 goto unlock;
4413
e17acd40 4414 for (; num_rsp; num_rsp--, info++) {
af58925c
MH		 4415 u32 flags;
4416
a9de9248
MH		 4417 bacpy(&data.bdaddr, &info->bdaddr);
4418 data.pscan_rep_mode = info->pscan_rep_mode;
4419 data.pscan_period_mode = info->pscan_period_mode;
4420 data.pscan_mode = 0x00;
4421 memcpy(data.dev_class, info->dev_class, 3);
4422 data.clock_offset = info->clock_offset;
4423 data.rssi = info->rssi;
41a96212 4424 data.ssp_mode = 0x00;
af58925c
MH		 4425
4426 flags = hci_inquiry_cache_update(hdev, &data, false);
4427
48264f06 4428 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
04124681 4429 info->dev_class, info->rssi,
af58925c 4430 flags, NULL, 0, NULL, 0);
a9de9248
MH		 4431 }
4432 }
4433
629b49c8 4434unlock:
a9de9248
MH		 4435 hci_dev_unlock(hdev);
4436}
4437
6039aa73
GP		 4438static void hci_remote_ext_features_evt(struct hci_dev *hdev,
4439 struct sk_buff *skb)
a9de9248 4440{
41a96212
MH		 4441 struct hci_ev_remote_ext_features *ev = (void *) skb->data;
4442 struct hci_conn *conn;
4443
a9de9248 4444 BT_DBG("%s", hdev->name);
41a96212 4445
41a96212
MH		 4446 hci_dev_lock(hdev);
4447
4448 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
ccd556fe
JH		 4449 if (!conn)
4450 goto unlock;
41a96212 4451
cad718ed
JH		 4452 if (ev->page < HCI_MAX_PAGES)
4453 memcpy(conn->features[ev->page], ev->features, 8);
4454
ccd556fe
JH		 4455 if (!ev->status && ev->page == 0x01) {
4456 struct inquiry_entry *ie;
41a96212 4457
cc11b9c1
AE		 4458 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
4459 if (ie)
02b7cc62 4460 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
769be974 4461
bbb0eada 4462 if (ev->features[0] & LMP_HOST_SSP) {
58a681ef 4463 set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
bbb0eada
JK		 4464 } else {
4465 /* It is mandatory by the Bluetooth specification that
4466 * Extended Inquiry Results are only used when Secure
4467 * Simple Pairing is enabled, but some devices violate
4468 * this.
4469 *
4470 * To make these devices work, the internal SSP
4471 * enabled flag needs to be cleared if the remote host
4472 * features do not indicate SSP support */
4473 clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
4474 }
eb9a8f3f
MH		 4475
4476 if (ev->features[0] & LMP_HOST_SC)
4477 set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
ccd556fe
JH		 4478 }
4479
4480 if (conn->state != BT_CONFIG)
4481 goto unlock;
4482
671267bf 4483 if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
127178d2
JH		 4484 struct hci_cp_remote_name_req cp;
4485 memset(&cp, 0, sizeof(cp));
4486 bacpy(&cp.bdaddr, &conn->dst);
4487 cp.pscan_rep_mode = 0x02;
4488 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
b644ba33 4489 } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
1c6ed31b 4490 mgmt_device_connected(hdev, conn, NULL, 0);
392599b9 4491
127178d2 4492 if (!hci_outgoing_auth_needed(hdev, conn)) {
ccd556fe 4493 conn->state = BT_CONNECTED;
539c496d 4494 hci_connect_cfm(conn, ev->status);
76a68ba0 4495 hci_conn_drop(conn);
41a96212
MH		 4496 }
4497
ccd556fe 4498unlock:
41a96212 4499 hci_dev_unlock(hdev);
a9de9248
MH		 4500}
4501
6039aa73
GP		 4502static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
4503 struct sk_buff *skb)
a9de9248 4504{
b6a0dc82
MH		 4505 struct hci_ev_sync_conn_complete *ev = (void *) skb->data;
4506 struct hci_conn *conn;
f4f9fa0c 4507 unsigned int notify_evt;
b6a0dc82 4508
9f1db00c 4509 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
b6a0dc82
MH		 4510
4511 hci_dev_lock(hdev);
4512
4513 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
9dc0a3af
MH		 4514 if (!conn) {
4515 if (ev->link_type == ESCO_LINK)
4516 goto unlock;
4517
618353b1
KP		 4518 /* When the link type in the event indicates SCO connection
4519 * and lookup of the connection object fails, then check
4520 * if an eSCO connection object exists.
4521 *
4522 * The core limits the synchronous connections to either
4523 * SCO or eSCO. The eSCO connection is preferred and tried
4524 * to be setup first and until successfully established,
4525 * the link type will be hinted as eSCO.
4526 */
9dc0a3af
MH		 4527 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
4528 if (!conn)
4529 goto unlock;
9dc0a3af 4530 }
b6a0dc82 4531
732547f9
MH		 4532 switch (ev->status) {
4533 case 0x00:
92fe24a7
DCZX		 4534 /* The synchronous connection complete event should only be
4535 * sent once per new connection. Receiving a successful
4536 * complete event when the connection status is already
4537 * BT_CONNECTED means that the device is misbehaving and sent
4538 * multiple complete event packets for the same new connection.
4539 *
4540 * Registering the device more than once can corrupt kernel
4541 * memory, hence upon detecting this invalid event, we report
4542 * an error and ignore the packet.
4543 */
4544 if (conn->state == BT_CONNECTED) {
4545 bt_dev_err(hdev, "Ignoring connect complete event for existing connection");
4546 goto unlock;
4547 }
4548
b6a0dc82
MH		 4549 conn->handle = __le16_to_cpu(ev->handle);
4550 conn->state = BT_CONNECTED;
618353b1 4551 conn->type = ev->link_type;
7d0db0a3 4552
23b9ceb7 4553 hci_debugfs_create_conn(conn);
7d0db0a3 4554 hci_conn_add_sysfs(conn);
732547f9
MH		 4555 break;
4556
81218d20 4557 case 0x10: /* Connection Accept Timeout */
1a4c958c 4558 case 0x0d: /* Connection Rejected due to Limited Resources */
705e5711 4559 case 0x11: /* Unsupported Feature or Parameter Value */
732547f9 4560 case 0x1c: /* SCO interval rejected */
1038a00b 4561 case 0x1a: /* Unsupported Remote Feature */
56b5453a 4562 case 0x1e: /* Invalid LMP Parameters */
732547f9 4563 case 0x1f: /* Unspecified error */
27539bc4 4564 case 0x20: /* Unsupported LMP Parameter value */
2dea632f 4565 if (conn->out) {
732547f9
MH		 4566 conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
4567 (hdev->esco_type & EDR_ESCO_MASK);
2dea632f
FD		 4568 if (hci_setup_sync(conn, conn->link->handle))
4569 goto unlock;
732547f9 4570 }
19186c7b 4571 fallthrough;
732547f9
MH		 4572
4573 default:
b6a0dc82 4574 conn->state = BT_CLOSED;
732547f9
MH		 4575 break;
4576 }
b6a0dc82 4577
1f8330ea
SN		 4578 bt_dev_dbg(hdev, "SCO connected with air mode: %02x", ev->air_mode);
4579
06d213d8
K		 4580 switch (ev->air_mode) {
4581 case 0x02:
f4f9fa0c 4582 notify_evt = HCI_NOTIFY_ENABLE_SCO_CVSD;
1f8330ea 4583 break;
06d213d8 4584 case 0x03:
f4f9fa0c 4585 notify_evt = HCI_NOTIFY_ENABLE_SCO_TRANSP;
1f8330ea
SN		 4586 break;
4587 }
4588
f4f9fa0c
C		 4589 /* Notify only in case of SCO over HCI transport data path which
4590 * is zero and non-zero value shall be non-HCI transport data path
4591 */
4592 if (conn->codec.data_path == 0) {
4593 if (hdev->notify)
4594 hdev->notify(hdev, notify_evt);
4595 }
4596
539c496d 4597 hci_connect_cfm(conn, ev->status);
b6a0dc82
MH		 4598 if (ev->status)
4599 hci_conn_del(conn);
4600
4601unlock:
4602 hci_dev_unlock(hdev);
a9de9248
MH		 4603}
4604
efdcf8e3
MH		 4605static inline size_t eir_get_length(u8 *eir, size_t eir_len)
4606{
4607 size_t parsed = 0;
4608
4609 while (parsed < eir_len) {
4610 u8 field_len = eir[0];
4611
4612 if (field_len == 0)
4613 return parsed;
4614
4615 parsed += field_len + 1;
4616 eir += field_len + 1;
4617 }
4618
4619 return eir_len;
4620}
4621
6039aa73
GP		 4622static void hci_extended_inquiry_result_evt(struct hci_dev *hdev,
4623 struct sk_buff *skb)
1da177e4 4624{
a9de9248
MH		 4625 struct inquiry_data data;
4626 struct extended_inquiry_info *info = (void *) (skb->data + 1);
4627 int num_rsp = *((__u8 *) skb->data);
9d939d94 4628 size_t eir_len;
1da177e4 4629
a9de9248 4630 BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
1da177e4 4631
51c19bf3 4632 if (!num_rsp || skb->len < num_rsp * sizeof(*info) + 1)
a9de9248 4633 return;
1da177e4 4634
d7a5a11d 4635 if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
1519cc17
AG		 4636 return;
4637
a9de9248
MH		 4638 hci_dev_lock(hdev);
4639
e17acd40 4640 for (; num_rsp; num_rsp--, info++) {
af58925c
MH		 4641 u32 flags;
4642 bool name_known;
561aafbc 4643
a9de9248 4644 bacpy(&data.bdaddr, &info->bdaddr);
138d22ef
SJ		 4645 data.pscan_rep_mode = info->pscan_rep_mode;
4646 data.pscan_period_mode = info->pscan_period_mode;
4647 data.pscan_mode = 0x00;
a9de9248 4648 memcpy(data.dev_class, info->dev_class, 3);
138d22ef
SJ		 4649 data.clock_offset = info->clock_offset;
4650 data.rssi = info->rssi;
41a96212 4651 data.ssp_mode = 0x01;
561aafbc 4652
d7a5a11d 4653 if (hci_dev_test_flag(hdev, HCI_MGMT))
0d3b7f64
JH		 4654 name_known = eir_get_data(info->data,
4655 sizeof(info->data),
4656 EIR_NAME_COMPLETE, NULL);
561aafbc
JH		 4657 else
4658 name_known = true;
4659
af58925c
MH		 4660 flags = hci_inquiry_cache_update(hdev, &data, name_known);
4661
9d939d94 4662 eir_len = eir_get_length(info->data, sizeof(info->data));
af58925c 4663
48264f06 4664 mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
af58925c
MH		 4665 info->dev_class, info->rssi,
4666 flags, info->data, eir_len, NULL, 0);
a9de9248
MH		 4667 }
4668
4669 hci_dev_unlock(hdev);
4670}
1da177e4 4671
1c2e0041
JH		 4672static void hci_key_refresh_complete_evt(struct hci_dev *hdev,
4673 struct sk_buff *skb)
4674{
4675 struct hci_ev_key_refresh_complete *ev = (void *) skb->data;
4676 struct hci_conn *conn;
4677
9f1db00c 4678 BT_DBG("%s status 0x%2.2x handle 0x%4.4x", hdev->name, ev->status,
1c2e0041
JH		 4679 __le16_to_cpu(ev->handle));
4680
4681 hci_dev_lock(hdev);
4682
4683 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4684 if (!conn)
4685 goto unlock;
4686
9eb1fbfa
JH		 4687 /* For BR/EDR the necessary steps are taken through the
4688 * auth_complete event.
4689 */
4690 if (conn->type != LE_LINK)
4691 goto unlock;
4692
1c2e0041
JH		 4693 if (!ev->status)
4694 conn->sec_level = conn->pending_sec_level;
4695
4696 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
4697
4698 if (ev->status && conn->state == BT_CONNECTED) {
bed71748 4699 hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
76a68ba0 4700 hci_conn_drop(conn);
1c2e0041
JH		 4701 goto unlock;
4702 }
4703
4704 if (conn->state == BT_CONFIG) {
4705 if (!ev->status)
4706 conn->state = BT_CONNECTED;
4707
539c496d 4708 hci_connect_cfm(conn, ev->status);
76a68ba0 4709 hci_conn_drop(conn);
1c2e0041
JH		 4710 } else {
4711 hci_auth_cfm(conn, ev->status);
4712
4713 hci_conn_hold(conn);
4714 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
76a68ba0 4715 hci_conn_drop(conn);
1c2e0041
JH		 4716 }
4717
4718unlock:
4719 hci_dev_unlock(hdev);
4720}
4721
6039aa73 4722static u8 hci_get_auth_req(struct hci_conn *conn)
17fa4b9d 4723{
17fa4b9d 4724 /* If remote requests no-bonding follow that lead */
acabae96
MA		 4725 if (conn->remote_auth == HCI_AT_NO_BONDING ||
4726 conn->remote_auth == HCI_AT_NO_BONDING_MITM)
58797bf7 4727 return conn->remote_auth | (conn->auth_type & 0x01);
17fa4b9d 4728
b7f94c88
MA		 4729 /* If both remote and local have enough IO capabilities, require
4730 * MITM protection
4731 */
4732 if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
4733 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
4734 return conn->remote_auth | 0x01;
4735
7e74170a
TM		 4736 /* No MITM protection possible so ignore remote requirement */
4737 return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
17fa4b9d
JH		 4738}
4739
a83ed81e
MH		 4740static u8 bredr_oob_data_present(struct hci_conn *conn)
4741{
4742 struct hci_dev *hdev = conn->hdev;
4743 struct oob_data *data;
4744
4745 data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
4746 if (!data)
4747 return 0x00;
4748
455c2ff0
MH		 4749 if (bredr_sc_enabled(hdev)) {
4750 /* When Secure Connections is enabled, then just
4751 * return the present value stored with the OOB
4752 * data. The stored value contains the right present
4753 * information. However it can only be trusted when
4754 * not in Secure Connection Only mode.
4755 */
4756 if (!hci_dev_test_flag(hdev, HCI_SC_ONLY))
4757 return data->present;
659c7fb0 4758
455c2ff0
MH		 4759 /* When Secure Connections Only mode is enabled, then
4760 * the P-256 values are required. If they are not
4761 * available, then do not declare that OOB data is
4762 * present.
659c7fb0 4763 */
455c2ff0
MH		 4764 if (!memcmp(data->rand256, ZERO_KEY, 16) ||
4765 !memcmp(data->hash256, ZERO_KEY, 16))
659c7fb0
MH		 4766 return 0x00;
4767
455c2ff0 4768 return 0x02;
659c7fb0 4769 }
a83ed81e 4770
455c2ff0
MH		 4771 /* When Secure Connections is not enabled or actually
4772 * not supported by the hardware, then check that if
4773 * P-192 data values are present.
4774 */
4775 if (!memcmp(data->rand192, ZERO_KEY, 16) ||
4776 !memcmp(data->hash192, ZERO_KEY, 16))
4777 return 0x00;
4778
4779 return 0x01;
a83ed81e
MH		 4780}
4781
6039aa73 4782static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
0493684e
MH		 4783{
4784 struct hci_ev_io_capa_request *ev = (void *) skb->data;
4785 struct hci_conn *conn;
4786
4787 BT_DBG("%s", hdev->name);
4788
4789 hci_dev_lock(hdev);
4790
4791 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
03b555e1
JH		 4792 if (!conn)
4793 goto unlock;
4794
4795 hci_conn_hold(conn);
4796
d7a5a11d 4797 if (!hci_dev_test_flag(hdev, HCI_MGMT))
03b555e1
JH		 4798 goto unlock;
4799
2f407f0a
JH		 4800 /* Allow pairing if we're pairable, the initiators of the
4801 * pairing or if the remote is not requesting bonding.
4802 */
d7a5a11d 4803 if (hci_dev_test_flag(hdev, HCI_BONDABLE) ||
2f407f0a 4804 test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
807deac2 4805 (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
17fa4b9d
JH		 4806 struct hci_cp_io_capability_reply cp;
4807
4808 bacpy(&cp.bdaddr, &ev->bdaddr);
7a7f1e7c
HG		 4809 /* Change the IO capability from KeyboardDisplay
4810 * to DisplayYesNo as it is not supported by BT spec. */
4811 cp.capability = (conn->io_capability == 0x04) ?
a767631a 4812 HCI_IO_DISPLAY_YESNO : conn->io_capability;
b7f94c88
MA		 4813
4814 /* If we are initiators, there is no remote information yet */
4815 if (conn->remote_auth == 0xff) {
b16c6604 4816 /* Request MITM protection if our IO caps allow it
4ad51a75 4817 * except for the no-bonding case.
b16c6604 4818 */
6fd6b915 4819 if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
9f743d74 4820 conn->auth_type != HCI_AT_NO_BONDING)
6c53823a 4821 conn->auth_type |= 0x01;
b7f94c88
MA		 4822 } else {
4823 conn->auth_type = hci_get_auth_req(conn);
b7f94c88 4824 }
17fa4b9d 4825
82c295b1
JH		 4826 /* If we're not bondable, force one of the non-bondable
4827 * authentication requirement values.
4828 */
d7a5a11d 4829 if (!hci_dev_test_flag(hdev, HCI_BONDABLE))
82c295b1
JH		 4830 conn->auth_type &= HCI_AT_NO_BONDING_MITM;
4831
4832 cp.authentication = conn->auth_type;
a83ed81e 4833 cp.oob_data = bredr_oob_data_present(conn);
ce85ee13 4834
17fa4b9d 4835 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
807deac2 4836 sizeof(cp), &cp);
03b555e1
JH		 4837 } else {
4838 struct hci_cp_io_capability_neg_reply cp;
4839
4840 bacpy(&cp.bdaddr, &ev->bdaddr);
9f5a0d7b 4841 cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
0493684e 4842
03b555e1 4843 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
807deac2 4844 sizeof(cp), &cp);
03b555e1
JH		 4845 }
4846
4847unlock:
4848 hci_dev_unlock(hdev);
4849}
4850
6039aa73 4851static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb)
03b555e1
JH		 4852{
4853 struct hci_ev_io_capa_reply *ev = (void *) skb->data;
4854 struct hci_conn *conn;
4855
4856 BT_DBG("%s", hdev->name);
4857
4858 hci_dev_lock(hdev);
4859
4860 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4861 if (!conn)
4862 goto unlock;
4863
03b555e1 4864 conn->remote_cap = ev->capability;
03b555e1
JH		 4865 conn->remote_auth = ev->authentication;
4866
4867unlock:
0493684e
MH		 4868 hci_dev_unlock(hdev);
4869}
4870
6039aa73
GP		 4871static void hci_user_confirm_request_evt(struct hci_dev *hdev,
4872 struct sk_buff *skb)
a5c29683
JH		 4873{
4874 struct hci_ev_user_confirm_req *ev = (void *) skb->data;
55bc1a37 4875 int loc_mitm, rem_mitm, confirm_hint = 0;
7a828908 4876 struct hci_conn *conn;
a5c29683
JH		 4877
4878 BT_DBG("%s", hdev->name);
4879
4880 hci_dev_lock(hdev);
4881
d7a5a11d 4882 if (!hci_dev_test_flag(hdev, HCI_MGMT))
7a828908 4883 goto unlock;
a5c29683 4884
7a828908
JH		 4885 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4886 if (!conn)
4887 goto unlock;
4888
4889 loc_mitm = (conn->auth_type & 0x01);
4890 rem_mitm = (conn->remote_auth & 0x01);
4891
4892 /* If we require MITM but the remote device can't provide that
6c53823a
JH		 4893 * (it has NoInputNoOutput) then reject the confirmation
4894 * request. We check the security level here since it doesn't
4895 * necessarily match conn->auth_type.
6fd6b915 4896 */
6c53823a
JH		 4897 if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
4898 conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
7a828908
JH		 4899 BT_DBG("Rejecting request: remote device can't provide MITM");
4900 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
807deac2 4901 sizeof(ev->bdaddr), &ev->bdaddr);
7a828908
JH		 4902 goto unlock;
4903 }
4904
4905 /* If no side requires MITM protection; auto-accept */
a767631a
MA		 4906 if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
4907 (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
55bc1a37
JH		 4908
4909 /* If we're not the initiators request authorization to
4910 * proceed from user space (mgmt_user_confirm with
ba15a58b 4911 * confirm_hint set to 1). The exception is if neither
02f3e254
JH		 4912 * side had MITM or if the local IO capability is
4913 * NoInputNoOutput, in which case we do auto-accept
ba15a58b
JH		 4914 */
4915 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
02f3e254 4916 conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
ba15a58b 4917 (loc_mitm || rem_mitm)) {
55bc1a37
JH		 4918 BT_DBG("Confirming auto-accept as acceptor");
4919 confirm_hint = 1;
4920 goto confirm;
4921 }
4922
cee5f20f
HC		 4923 /* If there already exists link key in local host, leave the
4924 * decision to user space since the remote device could be
4925 * legitimate or malicious.
4926 */
4927 if (hci_find_link_key(hdev, &ev->bdaddr)) {
4928 bt_dev_dbg(hdev, "Local host already has link key");
4929 confirm_hint = 1;
4930 goto confirm;
4931 }
4932
9f61656a 4933 BT_DBG("Auto-accept of user confirmation with %ums delay",
807deac2 4934 hdev->auto_accept_delay);
9f61656a
JH		 4935
4936 if (hdev->auto_accept_delay > 0) {
4937 int delay = msecs_to_jiffies(hdev->auto_accept_delay);
7bc18d9d
JH		 4938 queue_delayed_work(conn->hdev->workqueue,
4939 &conn->auto_accept_work, delay);
9f61656a
JH		 4940 goto unlock;
4941 }
4942
7a828908 4943 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
807deac2 4944 sizeof(ev->bdaddr), &ev->bdaddr);
7a828908
JH		 4945 goto unlock;
4946 }
4947
55bc1a37 4948confirm:
39adbffe
JH		 4949 mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
4950 le32_to_cpu(ev->passkey), confirm_hint);
7a828908
JH		 4951
4952unlock:
a5c29683
JH		 4953 hci_dev_unlock(hdev);
4954}
4955
6039aa73
GP		 4956static void hci_user_passkey_request_evt(struct hci_dev *hdev,
4957 struct sk_buff *skb)
1143d458
BG		 4958{
4959 struct hci_ev_user_passkey_req *ev = (void *) skb->data;
4960
4961 BT_DBG("%s", hdev->name);
4962
d7a5a11d 4963 if (hci_dev_test_flag(hdev, HCI_MGMT))
272d90df 4964 mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
1143d458
BG		 4965}
4966
92a25256
JH		 4967static void hci_user_passkey_notify_evt(struct hci_dev *hdev,
4968 struct sk_buff *skb)
4969{
4970 struct hci_ev_user_passkey_notify *ev = (void *) skb->data;
4971 struct hci_conn *conn;
4972
4973 BT_DBG("%s", hdev->name);
4974
4975 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4976 if (!conn)
4977 return;
4978
4979 conn->passkey_notify = __le32_to_cpu(ev->passkey);
4980 conn->passkey_entered = 0;
4981
d7a5a11d 4982 if (hci_dev_test_flag(hdev, HCI_MGMT))
92a25256
JH		 4983 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
4984 conn->dst_type, conn->passkey_notify,
4985 conn->passkey_entered);
4986}
4987
4988static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
4989{
4990 struct hci_ev_keypress_notify *ev = (void *) skb->data;
4991 struct hci_conn *conn;
4992
4993 BT_DBG("%s", hdev->name);
4994
4995 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4996 if (!conn)
4997 return;
4998
4999 switch (ev->type) {
5000 case HCI_KEYPRESS_STARTED:
5001 conn->passkey_entered = 0;
5002 return;
5003
5004 case HCI_KEYPRESS_ENTERED:
5005 conn->passkey_entered++;
5006 break;
5007
5008 case HCI_KEYPRESS_ERASED:
5009 conn->passkey_entered--;
5010 break;
5011
5012 case HCI_KEYPRESS_CLEARED:
5013 conn->passkey_entered = 0;
5014 break;
5015
5016 case HCI_KEYPRESS_COMPLETED:
5017 return;
5018 }
5019
d7a5a11d 5020 if (hci_dev_test_flag(hdev, HCI_MGMT))
92a25256
JH		 5021 mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
5022 conn->dst_type, conn->passkey_notify,
5023 conn->passkey_entered);
5024}
5025
6039aa73
GP		 5026static void hci_simple_pair_complete_evt(struct hci_dev *hdev,
5027 struct sk_buff *skb)
0493684e
MH		 5028{
5029 struct hci_ev_simple_pair_complete *ev = (void *) skb->data;
5030 struct hci_conn *conn;
5031
5032 BT_DBG("%s", hdev->name);
5033
5034 hci_dev_lock(hdev);
5035
5036 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2a611692
JH		 5037 if (!conn)
5038 goto unlock;
5039
c1d4fa7a
JH		 5040 /* Reset the authentication requirement to unknown */
5041 conn->remote_auth = 0xff;
5042
2a611692
JH		 5043 /* To avoid duplicate auth_failed events to user space we check
5044 * the HCI_CONN_AUTH_PEND flag which will be set if we
5045 * initiated the authentication. A traditional auth_complete
5046 * event gets always produced as initiator and is also mapped to
5047 * the mgmt_auth_failed event */
fa1bd918 5048 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
e1e930f5 5049 mgmt_auth_failed(conn, ev->status);
0493684e 5050
76a68ba0 5051 hci_conn_drop(conn);
2a611692
JH		 5052
5053unlock:
0493684e
MH		 5054 hci_dev_unlock(hdev);
5055}
5056
6039aa73
GP		 5057static void hci_remote_host_features_evt(struct hci_dev *hdev,
5058 struct sk_buff *skb)
41a96212
MH		 5059{
5060 struct hci_ev_remote_host_features *ev = (void *) skb->data;
5061 struct inquiry_entry *ie;
cad718ed 5062 struct hci_conn *conn;
41a96212
MH		 5063
5064 BT_DBG("%s", hdev->name);
5065
5066 hci_dev_lock(hdev);
5067
cad718ed
JH		 5068 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5069 if (conn)
5070 memcpy(conn->features[1], ev->features, 8);
5071
cc11b9c1
AE		 5072 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
5073 if (ie)
02b7cc62 5074 ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
41a96212
MH		 5075
5076 hci_dev_unlock(hdev);
5077}
5078
6039aa73
GP		 5079static void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
5080 struct sk_buff *skb)
2763eda6
SJ		 5081{
5082 struct hci_ev_remote_oob_data_request *ev = (void *) skb->data;
5083 struct oob_data *data;
5084
5085 BT_DBG("%s", hdev->name);
5086
5087 hci_dev_lock(hdev);
5088
d7a5a11d 5089 if (!hci_dev_test_flag(hdev, HCI_MGMT))
e1ba1f15
SJ		 5090 goto unlock;
5091
6928a924 5092 data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
6665d057
MH		 5093 if (!data) {
5094 struct hci_cp_remote_oob_data_neg_reply cp;
519ca9d0 5095
6665d057
MH		 5096 bacpy(&cp.bdaddr, &ev->bdaddr);
5097 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
5098 sizeof(cp), &cp);
5099 goto unlock;
5100 }
2763eda6 5101
6665d057
MH		 5102 if (bredr_sc_enabled(hdev)) {
5103 struct hci_cp_remote_oob_ext_data_reply cp;
519ca9d0 5104
6665d057 5105 bacpy(&cp.bdaddr, &ev->bdaddr);
d7a5a11d 5106 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
6665d057
MH		 5107 memset(cp.hash192, 0, sizeof(cp.hash192));
5108 memset(cp.rand192, 0, sizeof(cp.rand192));
5109 } else {
5110 memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
5111 memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
519ca9d0 5112 }
6665d057
MH		 5113 memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
5114 memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
5115
5116 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
5117 sizeof(cp), &cp);
2763eda6 5118 } else {
6665d057 5119 struct hci_cp_remote_oob_data_reply cp;
2763eda6
SJ		 5120
5121 bacpy(&cp.bdaddr, &ev->bdaddr);
6665d057
MH		 5122 memcpy(cp.hash, data->hash192, sizeof(cp.hash));
5123 memcpy(cp.rand, data->rand192, sizeof(cp.rand));
5124
5125 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
519ca9d0 5126 sizeof(cp), &cp);
2763eda6
SJ		 5127 }
5128
e1ba1f15 5129unlock:
2763eda6
SJ		 5130 hci_dev_unlock(hdev);
5131}
5132
a77a6a14
AW		 5133#if IS_ENABLED(CONFIG_BT_HS)
5134static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb)
5135{
5136 struct hci_ev_channel_selected *ev = (void *)skb->data;
5137 struct hci_conn *hcon;
5138
5139 BT_DBG("%s handle 0x%2.2x", hdev->name, ev->phy_handle);
5140
5141 skb_pull(skb, sizeof(*ev));
5142
5143 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5144 if (!hcon)
5145 return;
5146
5147 amp_read_loc_assoc_final_data(hdev, hcon);
5148}
5149
d5e91192
AE		 5150static void hci_phy_link_complete_evt(struct hci_dev *hdev,
5151 struct sk_buff *skb)
5152{
5153 struct hci_ev_phy_link_complete *ev = (void *) skb->data;
5154 struct hci_conn *hcon, *bredr_hcon;
5155
5156 BT_DBG("%s handle 0x%2.2x status 0x%2.2x", hdev->name, ev->phy_handle,
5157 ev->status);
5158
5159 hci_dev_lock(hdev);
5160
5161 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
3ae1dc75
SS		 5162 if (!hcon)
5163 goto unlock;
d5e91192 5164
3ae1dc75
SS		 5165 if (!hcon->amp_mgr)
5166 goto unlock;
6dfccd13 5167
d5e91192
AE		 5168 if (ev->status) {
5169 hci_conn_del(hcon);
3ae1dc75 5170 goto unlock;
d5e91192
AE		 5171 }
5172
5173 bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
5174
5175 hcon->state = BT_CONNECTED;
5176 bacpy(&hcon->dst, &bredr_hcon->dst);
5177
5178 hci_conn_hold(hcon);
5179 hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
76a68ba0 5180 hci_conn_drop(hcon);
d5e91192 5181
23b9ceb7 5182 hci_debugfs_create_conn(hcon);
d5e91192
AE		 5183 hci_conn_add_sysfs(hcon);
5184
cf70ff22 5185 amp_physical_cfm(bredr_hcon, hcon);
d5e91192 5186
3ae1dc75 5187unlock:
cf70ff22 5188 hci_dev_unlock(hdev);
d5e91192
AE		 5189}
5190
27695fb4
AE		 5191static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
5192{
5193 struct hci_ev_logical_link_complete *ev = (void *) skb->data;
5194 struct hci_conn *hcon;
5195 struct hci_chan *hchan;
5196 struct amp_mgr *mgr;
5197
5198 BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
5199 hdev->name, le16_to_cpu(ev->handle), ev->phy_handle,
5200 ev->status);
5201
5202 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5203 if (!hcon)
5204 return;
5205
5206 /* Create AMP hchan */
5207 hchan = hci_chan_create(hcon);
5208 if (!hchan)
5209 return;
5210
5211 hchan->handle = le16_to_cpu(ev->handle);
5c4c8c95 5212 hchan->amp = true;
27695fb4
AE		 5213
5214 BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
5215
5216 mgr = hcon->amp_mgr;
5217 if (mgr && mgr->bredr_chan) {
5218 struct l2cap_chan *bredr_chan = mgr->bredr_chan;
5219
5220 l2cap_chan_lock(bredr_chan);
5221
5222 bredr_chan->conn->mtu = hdev->block_mtu;
5223 l2cap_logical_cfm(bredr_chan, hchan, 0);
5224 hci_conn_hold(hcon);
5225
5226 l2cap_chan_unlock(bredr_chan);
5227 }
5228}
5229
606e2a10
AE		 5230static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev,
5231 struct sk_buff *skb)
5232{
5233 struct hci_ev_disconn_logical_link_complete *ev = (void *) skb->data;
5234 struct hci_chan *hchan;
5235
5236 BT_DBG("%s log handle 0x%4.4x status 0x%2.2x", hdev->name,
5237 le16_to_cpu(ev->handle), ev->status);
5238
5239 if (ev->status)
5240 return;
5241
5242 hci_dev_lock(hdev);
5243
5244 hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
5c4c8c95 5245 if (!hchan || !hchan->amp)
606e2a10
AE		 5246 goto unlock;
5247
5248 amp_destroy_logical_link(hchan, ev->reason);
5249
5250unlock:
5251 hci_dev_unlock(hdev);
5252}
5253
9eef6b3a
AE		 5254static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev,
5255 struct sk_buff *skb)
5256{
5257 struct hci_ev_disconn_phy_link_complete *ev = (void *) skb->data;
5258 struct hci_conn *hcon;
5259
5260 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5261
5262 if (ev->status)
5263 return;
5264
5265 hci_dev_lock(hdev);
5266
5267 hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
5268 if (hcon) {
5269 hcon->state = BT_CLOSED;
5270 hci_conn_del(hcon);
5271 }
5272
5273 hci_dev_unlock(hdev);
5274}
a77a6a14 5275#endif
9eef6b3a 5276
cafae4cd
LAD		 5277static void le_conn_update_addr(struct hci_conn *conn, bdaddr_t *bdaddr,
5278 u8 bdaddr_type, bdaddr_t *local_rpa)
5279{
5280 if (conn->out) {
5281 conn->dst_type = bdaddr_type;
5282 conn->resp_addr_type = bdaddr_type;
5283 bacpy(&conn->resp_addr, bdaddr);
5284
5285 /* Check if the controller has set a Local RPA then it must be
5286 * used instead or hdev->rpa.
5287 */
5288 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) {
5289 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5290 bacpy(&conn->init_addr, local_rpa);
5291 } else if (hci_dev_test_flag(conn->hdev, HCI_PRIVACY)) {
5292 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5293 bacpy(&conn->init_addr, &conn->hdev->rpa);
5294 } else {
5295 hci_copy_identity_address(conn->hdev, &conn->init_addr,
5296 &conn->init_addr_type);
5297 }
5298 } else {
5299 conn->resp_addr_type = conn->hdev->adv_addr_type;
5300 /* Check if the controller has set a Local RPA then it must be
5301 * used instead or hdev->rpa.
5302 */
5303 if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) {
5304 conn->resp_addr_type = ADDR_LE_DEV_RANDOM;
5305 bacpy(&conn->resp_addr, local_rpa);
5306 } else if (conn->hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) {
5307 /* In case of ext adv, resp_addr will be updated in
5308 * Adv Terminated event.
5309 */
5310 if (!ext_adv_capable(conn->hdev))
5311 bacpy(&conn->resp_addr,
5312 &conn->hdev->random_addr);
5313 } else {
5314 bacpy(&conn->resp_addr, &conn->hdev->bdaddr);
5315 }
5316
5317 conn->init_addr_type = bdaddr_type;
5318 bacpy(&conn->init_addr, bdaddr);
5319
5320 /* For incoming connections, set the default minimum
5321 * and maximum connection interval. They will be used
5322 * to check if the parameters are in range and if not
5323 * trigger the connection update procedure.
5324 */
5325 conn->le_conn_min_interval = conn->hdev->le_conn_min_interval;
5326 conn->le_conn_max_interval = conn->hdev->le_conn_max_interval;
5327 }
5328}
5329
d12fb056 5330static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
cafae4cd
LAD		 5331 bdaddr_t *bdaddr, u8 bdaddr_type,
5332 bdaddr_t *local_rpa, u8 role, u16 handle,
5333 u16 interval, u16 latency,
5334 u16 supervision_timeout)
fcd89c09 5335{
912b42ef 5336 struct hci_conn_params *params;
fcd89c09 5337 struct hci_conn *conn;
68d6f6de 5338 struct smp_irk *irk;
837d502e 5339 u8 addr_type;
fcd89c09 5340
fcd89c09
VT		 5341 hci_dev_lock(hdev);
5342
fbd96c15
JH		 5343 /* All controllers implicitly stop advertising in the event of a
5344 * connection, so ensure that the state bit is cleared.
5345 */
a358dc11 5346 hci_dev_clear_flag(hdev, HCI_LE_ADV);
fbd96c15 5347
e7d9ab73 5348 conn = hci_lookup_le_connect(hdev);
b62f328b 5349 if (!conn) {
d12fb056 5350 conn = hci_conn_add(hdev, LE_LINK, bdaddr, role);
b62f328b 5351 if (!conn) {
2064ee33 5352 bt_dev_err(hdev, "no memory for new connection");
230fd16a 5353 goto unlock;
b62f328b 5354 }
29b7988a 5355
d12fb056 5356 conn->dst_type = bdaddr_type;
b9b343d2 5357
cb1d68f7 5358 /* If we didn't have a hci_conn object previously
74be523c 5359 * but we're in central role this must be something
3d4f9c00 5360 * initiated using an accept list. Since accept list based
cb1d68f7
JH		 5361 * connections are not "first class citizens" we don't
5362 * have full tracking of them. Therefore, we go ahead
5363 * with a "best effort" approach of determining the
5364 * initiator address based on the HCI_PRIVACY flag.
5365 */
5366 if (conn->out) {
d12fb056
JK		 5367 conn->resp_addr_type = bdaddr_type;
5368 bacpy(&conn->resp_addr, bdaddr);
d7a5a11d 5369 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
cb1d68f7
JH		 5370 conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5371 bacpy(&conn->init_addr, &hdev->rpa);
5372 } else {
5373 hci_copy_identity_address(hdev,
5374 &conn->init_addr,
5375 &conn->init_addr_type);
5376 }
cb1d68f7 5377 }
9489eca4
JH		 5378 } else {
5379 cancel_delayed_work(&conn->le_conn_timeout);
b62f328b 5380 }
fcd89c09 5381
cafae4cd 5382 le_conn_update_addr(conn, bdaddr, bdaddr_type, local_rpa);
7be2edbb 5383
edb4b466
MH		 5384 /* Lookup the identity address from the stored connection
5385 * address and address type.
5386 *
5387 * When establishing connections to an identity address, the
5388 * connection procedure will store the resolvable random
5389 * address first. Now if it can be converted back into the
5390 * identity address, start using the identity address from
5391 * now on.
5392 */
5393 irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
68d6f6de
JH		 5394 if (irk) {
5395 bacpy(&conn->dst, &irk->bdaddr);
5396 conn->dst_type = irk->addr_type;
5397 }
5398
d850bf08 5399 conn->dst_type = ev_bdaddr_type(hdev, conn->dst_type, NULL);
79699a70 5400
d12fb056
JK		 5401 if (status) {
5402 hci_le_conn_failed(conn, status);
837d502e
JH		 5403 goto unlock;
5404 }
5405
08853f18
JH		 5406 if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
5407 addr_type = BDADDR_LE_PUBLIC;
5408 else
5409 addr_type = BDADDR_LE_RANDOM;
5410
2d3c2260 5411 /* Drop the connection if the device is blocked */
3d4f9c00 5412 if (hci_bdaddr_list_lookup(&hdev->reject_list, &conn->dst, addr_type)) {
2d3c2260 5413 hci_conn_drop(conn);
cd17decb
AG		 5414 goto unlock;
5415 }
5416
b644ba33 5417 if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
1c6ed31b 5418 mgmt_device_connected(hdev, conn, NULL, 0);
83bc71b4 5419
7b5c0d52 5420 conn->sec_level = BT_SECURITY_LOW;
d12fb056 5421 conn->handle = handle;
0fe29fd1 5422 conn->state = BT_CONFIG;
fcd89c09 5423
7087c4f6
LAD		 5424 /* Store current advertising instance as connection advertising instance
5425 * when sotfware rotation is in use so it can be re-enabled when
5426 * disconnected.
5427 */
5428 if (!ext_adv_capable(hdev))
5429 conn->adv_instance = hdev->cur_adv_instance;
5430
d12fb056
JK		 5431 conn->le_conn_interval = interval;
5432 conn->le_conn_latency = latency;
5433 conn->le_supv_timeout = supervision_timeout;
e04fde60 5434
23b9ceb7 5435 hci_debugfs_create_conn(conn);
fcd89c09
VT		 5436 hci_conn_add_sysfs(conn);
5437
ef365da1 5438 /* The remote features procedure is defined for central
d17010bf
CIK		 5439 * role only. So only in case of an initiated connection
5440 * request the remote features.
5441 *
ef365da1
AP		 5442 * If the local controller supports peripheral-initiated features
5443 * exchange, then requesting the remote features in peripheral
d17010bf
CIK		 5444 * role is possible. Otherwise just transition into the
5445 * connected state without requesting the remote features.
5446 */
5447 if (conn->out ||
ef365da1 5448 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES)) {
d17010bf 5449 struct hci_cp_le_read_remote_features cp;
0fe29fd1 5450
d17010bf 5451 cp.handle = __cpu_to_le16(conn->handle);
0fe29fd1 5452
d17010bf
CIK		 5453 hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,
5454 sizeof(cp), &cp);
0fe29fd1 5455
d17010bf 5456 hci_conn_hold(conn);
0fe29fd1 5457 } else {
d17010bf 5458 conn->state = BT_CONNECTED;
d12fb056 5459 hci_connect_cfm(conn, status);
0fe29fd1 5460 }
fcd89c09 5461
5477610f
JH		 5462 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
5463 conn->dst_type);
f161dd41 5464 if (params) {
95305baa 5465 list_del_init(&params->action);
f161dd41
JH		 5466 if (params->conn) {
5467 hci_conn_drop(params->conn);
f8aaf9b6 5468 hci_conn_put(params->conn);
f161dd41
JH		 5469 params->conn = NULL;
5470 }
5471 }
a4790dbd 5472
fcd89c09 5473unlock:
223683a5 5474 hci_update_background_scan(hdev);
fcd89c09
VT		 5475 hci_dev_unlock(hdev);
5476}
5477
d12fb056
JK		 5478static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
5479{
5480 struct hci_ev_le_conn_complete *ev = (void *) skb->data;
5481
5482 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5483
5484 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
cafae4cd 5485 NULL, ev->role, le16_to_cpu(ev->handle),
d12fb056
JK		 5486 le16_to_cpu(ev->interval),
5487 le16_to_cpu(ev->latency),
5488 le16_to_cpu(ev->supervision_timeout));
5489}
5490
4d94f95d
JK		 5491static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev,
5492 struct sk_buff *skb)
5493{
5494 struct hci_ev_le_enh_conn_complete *ev = (void *) skb->data;
5495
5496 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5497
5498 le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
cafae4cd 5499 &ev->local_rpa, ev->role, le16_to_cpu(ev->handle),
4d94f95d
JK		 5500 le16_to_cpu(ev->interval),
5501 le16_to_cpu(ev->latency),
5502 le16_to_cpu(ev->supervision_timeout));
5c49bcce 5503
ad383c2c 5504 if (hci_dev_test_flag(hdev, HCI_LL_RPA_RESOLUTION))
5c49bcce 5505 hci_req_disable_address_resolution(hdev);
4d94f95d
JK		 5506}
5507
acf0aeae
JK		 5508static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, struct sk_buff *skb)
5509{
5510 struct hci_evt_le_ext_adv_set_term *ev = (void *) skb->data;
5511 struct hci_conn *conn;
7087c4f6 5512 struct adv_info *adv;
acf0aeae
JK		 5513
5514 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5515
7087c4f6 5516 adv = hci_find_adv_instance(hdev, ev->handle);
23837a6d 5517
7087c4f6 5518 if (ev->status) {
23837a6d
LAD		 5519 if (!adv)
5520 return;
5521
5522 /* Remove advertising as it has been terminated */
5523 hci_remove_adv_instance(hdev, ev->handle);
5524 mgmt_advertising_removed(NULL, hdev, ev->handle);
5525
acf0aeae 5526 return;
23837a6d 5527 }
acf0aeae 5528
7087c4f6
LAD		 5529 if (adv)
5530 adv->enabled = false;
5531
acf0aeae
JK		 5532 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle));
5533 if (conn) {
7087c4f6
LAD		 5534 /* Store handle in the connection so the correct advertising
5535 * instance can be re-enabled when disconnected.
5536 */
5537 conn->adv_instance = ev->handle;
acf0aeae 5538
cafae4cd
LAD		 5539 if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM ||
5540 bacmp(&conn->resp_addr, BDADDR_ANY))
acf0aeae
JK		 5541 return;
5542
25e70886 5543 if (!ev->handle) {
acf0aeae
JK		 5544 bacpy(&conn->resp_addr, &hdev->random_addr);
5545 return;
5546 }
5547
7087c4f6
LAD		 5548 if (adv)
5549 bacpy(&conn->resp_addr, &adv->random_addr);
acf0aeae
JK		 5550 }
5551}
5552
1855d92d
MH		 5553static void hci_le_conn_update_complete_evt(struct hci_dev *hdev,
5554 struct sk_buff *skb)
5555{
5556 struct hci_ev_le_conn_update_complete *ev = (void *) skb->data;
5557 struct hci_conn *conn;
5558
5559 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5560
5561 if (ev->status)
5562 return;
5563
5564 hci_dev_lock(hdev);
5565
5566 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5567 if (conn) {
5568 conn->le_conn_interval = le16_to_cpu(ev->interval);
5569 conn->le_conn_latency = le16_to_cpu(ev->latency);
5570 conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
5571 }
5572
5573 hci_dev_unlock(hdev);
5574}
5575
a4790dbd 5576/* This function requires the caller holds hdev->lock */
fd45ada9
AA		 5577static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
5578 bdaddr_t *addr,
d850bf08
LAD		 5579 u8 addr_type, bool addr_resolved,
5580 u8 adv_type, bdaddr_t *direct_rpa)
a4790dbd
AG		 5581{
5582 struct hci_conn *conn;
4b9e7e75 5583 struct hci_conn_params *params;
a4790dbd 5584
1c1abcab
JH		 5585 /* If the event is not connectable don't proceed further */
5586 if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
fd45ada9 5587 return NULL;
1c1abcab
JH		 5588
5589 /* Ignore if the device is blocked */
3d4f9c00 5590 if (hci_bdaddr_list_lookup(&hdev->reject_list, addr, addr_type))
fd45ada9 5591 return NULL;
1c1abcab 5592
f99353cf 5593 /* Most controller will fail if we try to create new connections
39bc74ca 5594 * while we have an existing one in peripheral role.
f99353cf 5595 */
39bc74ca 5596 if (hdev->conn_hash.le_num_peripheral > 0 &&
4364f2e9
AM		 5597 (!test_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks) ||
5598 !(hdev->le_states[3] & 0x10)))
fd45ada9 5599 return NULL;
f99353cf 5600
1c1abcab
JH		 5601 /* If we're not connectable only connect devices that we have in
5602 * our pend_le_conns list.
5603 */
49c50922
JH		 5604 params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr,
5605 addr_type);
4b9e7e75 5606 if (!params)
fd45ada9 5607 return NULL;
4b9e7e75 5608
28a667c9
JP		 5609 if (!params->explicit_connect) {
5610 switch (params->auto_connect) {
5611 case HCI_AUTO_CONN_DIRECT:
5612 /* Only devices advertising with ADV_DIRECT_IND are
5613 * triggering a connection attempt. This is allowing
67ffb185 5614 * incoming connections from peripheral devices.
28a667c9
JP		 5615 */
5616 if (adv_type != LE_ADV_DIRECT_IND)
5617 return NULL;
5618 break;
5619 case HCI_AUTO_CONN_ALWAYS:
5620 /* Devices advertising with ADV_IND or ADV_DIRECT_IND
5621 * are triggering a connection attempt. This means
67ffb185
AP		 5622 * that incoming connections from peripheral device are
5623 * accepted and also outgoing connections to peripheral
28a667c9
JP		 5624 * devices are established when found.
5625 */
5626 break;
5627 default:
fd45ada9 5628 return NULL;
28a667c9 5629 }
4b9e7e75 5630 }
a4790dbd 5631
d850bf08
LAD		 5632 conn = hci_connect_le(hdev, addr, addr_type, addr_resolved,
5633 BT_SECURITY_LOW, hdev->def_le_autoconnect_timeout,
5634 HCI_ROLE_MASTER, direct_rpa);
f161dd41 5635 if (!IS_ERR(conn)) {
28a667c9
JP		 5636 /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
5637 * by higher layer that tried to connect, if no then
5638 * store the pointer since we don't really have any
f161dd41
JH		 5639 * other owner of the object besides the params that
5640 * triggered it. This way we can abort the connection if
5641 * the parameters get removed and keep the reference
5642 * count consistent once the connection is established.
5643 */
28a667c9
JP		 5644
5645 if (!params->explicit_connect)
5646 params->conn = hci_conn_get(conn);
5647
fd45ada9 5648 return conn;
f161dd41 5649 }
a4790dbd
AG		 5650
5651 switch (PTR_ERR(conn)) {
5652 case -EBUSY:
5653 /* If hci_connect() returns -EBUSY it means there is already
5654 * an LE connection attempt going on. Since controllers don't
5655 * support more than one connection attempt at the time, we
5656 * don't consider this an error case.
5657 */
5658 break;
5659 default:
5660 BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
fd45ada9 5661 return NULL;
a4790dbd 5662 }
fd45ada9
AA		 5663
5664 return NULL;
a4790dbd
AG		 5665}
5666
4af605d8 5667static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
2f010b55 5668 u8 bdaddr_type, bdaddr_t *direct_addr,
a2ec905d
AM		 5669 u8 direct_addr_type, s8 rssi, u8 *data, u8 len,
5670 bool ext_adv)
4af605d8 5671{
b9a6328f 5672 struct discovery_state *d = &hdev->discovery;
1c1abcab 5673 struct smp_irk *irk;
fd45ada9 5674 struct hci_conn *conn;
d850bf08 5675 bool match, bdaddr_resolved;
c70a7e4c 5676 u32 flags;
1c58e933 5677 u8 *ptr;
6818375e 5678
56b40fbf
JH		 5679 switch (type) {
5680 case LE_ADV_IND:
5681 case LE_ADV_DIRECT_IND:
5682 case LE_ADV_SCAN_IND:
5683 case LE_ADV_NONCONN_IND:
5684 case LE_ADV_SCAN_RSP:
5685 break;
5686 default:
2064ee33
MH		 5687 bt_dev_err_ratelimited(hdev, "unknown advertising packet "
5688 "type: 0x%02x", type);
56b40fbf
JH		 5689 return;
5690 }
5691
a2ec905d
AM		 5692 if (!ext_adv && len > HCI_MAX_AD_LENGTH) {
5693 bt_dev_err_ratelimited(hdev, "legacy adv larger than 31 bytes");
5694 return;
5695 }
5696
6818375e
SJ		 5697 /* Find the end of the data in case the report contains padded zero
5698 * bytes at the end causing an invalid length value.
5699 *
5700 * When data is NULL, len is 0 so there is no need for extra ptr
5701 * check as 'ptr < data + 0' is already false in such case.
5702 */
5703 for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) {
5704 if (ptr + 1 + *ptr > data + len)
5705 break;
5706 }
5707
1c58e933
SJ		 5708 /* Adjust for actual length. This handles the case when remote
5709 * device is advertising with incorrect data length.
5710 */
5711 len = ptr - data;
b9a6328f 5712
2f010b55
MH		 5713 /* If the direct address is present, then this report is from
5714 * a LE Direct Advertising Report event. In that case it is
5715 * important to see if the address is matching the local
5716 * controller address.
5717 */
5718 if (direct_addr) {
d850bf08
LAD		 5719 direct_addr_type = ev_bdaddr_type(hdev, direct_addr_type,
5720 &bdaddr_resolved);
4ec4d63b 5721
2f010b55
MH		 5722 /* Only resolvable random addresses are valid for these
5723 * kind of reports and others can be ignored.
5724 */
5725 if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
5726 return;
5727
5728 /* If the controller is not using resolvable random
5729 * addresses, then this report can be ignored.
5730 */
d7a5a11d 5731 if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
2f010b55
MH		 5732 return;
5733
5734 /* If the local IRK of the controller does not match
5735 * with the resolvable random address provided, then
5736 * this report can be ignored.
5737 */
5738 if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
5739 return;
5740 }
5741
1c1abcab
JH		 5742 /* Check if we need to convert to identity address */
5743 irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
5744 if (irk) {
5745 bdaddr = &irk->bdaddr;
5746 bdaddr_type = irk->addr_type;
5747 }
5748
d850bf08 5749 bdaddr_type = ev_bdaddr_type(hdev, bdaddr_type, &bdaddr_resolved);
4ec4d63b 5750
082f2300
SJ		 5751 /* Check if we have been requested to connect to this device.
5752 *
5753 * direct_addr is set only for directed advertising reports (it is NULL
5754 * for advertising reports) and is already verified to be RPA above.
5755 */
d850bf08
LAD		 5756 conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, bdaddr_resolved,
5757 type, direct_addr);
a2ec905d 5758 if (!ext_adv && conn && type == LE_ADV_IND && len <= HCI_MAX_AD_LENGTH) {
fd45ada9
AA		 5759 /* Store report for later inclusion by
5760 * mgmt_device_connected
5761 */
5762 memcpy(conn->le_adv_data, data, len);
5763 conn->le_adv_data_len = len;
5764 }
1c1abcab 5765
0d2bf134
JH		 5766 /* Passive scanning shouldn't trigger any device found events,
5767 * except for devices marked as CONN_REPORT for which we do send
8208f5a9 5768 * device found events, or advertisement monitoring requested.
0d2bf134 5769 */
ca5c4be7 5770 if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
0d2bf134
JH		 5771 if (type == LE_ADV_DIRECT_IND)
5772 return;
5773
3a19b6fe 5774 if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
8208f5a9
MC		 5775 bdaddr, bdaddr_type) &&
5776 idr_is_empty(&hdev->adv_monitors_idr))
0d2bf134
JH		 5777 return;
5778
5779 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
5780 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
5781 else
5782 flags = 0;
5783 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
5784 rssi, flags, data, len, NULL, 0);
97bf2e99 5785 return;
ca5c4be7 5786 }
4af605d8 5787
c70a7e4c
MH		 5788 /* When receiving non-connectable or scannable undirected
5789 * advertising reports, this means that the remote device is
5790 * not connectable and then clearly indicate this in the
5791 * device found event.
5792 *
5793 * When receiving a scan response, then there is no way to
5794 * know if the remote device is connectable or not. However
5795 * since scan responses are merged with a previously seen
5796 * advertising report, the flags field from that report
5797 * will be used.
5798 *
5799 * In the really unlikely case that a controller get confused
5800 * and just sends a scan response event, then it is marked as
5801 * not connectable as well.
5802 */
5803 if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND ||
5804 type == LE_ADV_SCAN_RSP)
5805 flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
5806 else
5807 flags = 0;
5808
b9a6328f
JH		 5809 /* If there's nothing pending either store the data from this
5810 * event or send an immediate device found event if the data
5811 * should not be stored for later.
5812 */
a2ec905d 5813 if (!ext_adv && !has_pending_adv_report(hdev)) {
b9a6328f
JH		 5814 /* If the report will trigger a SCAN_REQ store it for
5815 * later merging.
5816 */
5817 if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
5818 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
c70a7e4c 5819 rssi, flags, data, len);
b9a6328f
JH		 5820 return;
5821 }
5822
5823 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
c70a7e4c 5824 rssi, flags, data, len, NULL, 0);
b9a6328f
JH		 5825 return;
5826 }
5827
474ee066
JH		 5828 /* Check if the pending report is for the same device as the new one */
5829 match = (!bacmp(bdaddr, &d->last_adv_addr) &&
5830 bdaddr_type == d->last_adv_addr_type);
5831
b9a6328f
JH		 5832 /* If the pending data doesn't match this report or this isn't a
5833 * scan response (e.g. we got a duplicate ADV_IND) then force
5834 * sending of the pending data.
5835 */
474ee066
JH		 5836 if (type != LE_ADV_SCAN_RSP || !match) {
5837 /* Send out whatever is in the cache, but skip duplicates */
5838 if (!match)
5839 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
ff5cd29f 5840 d->last_adv_addr_type, NULL,
c70a7e4c 5841 d->last_adv_rssi, d->last_adv_flags,
ff5cd29f 5842 d->last_adv_data,
474ee066 5843 d->last_adv_data_len, NULL, 0);
b9a6328f
JH		 5844
5845 /* If the new report will trigger a SCAN_REQ store it for
5846 * later merging.
5847 */
a2ec905d
AM		 5848 if (!ext_adv && (type == LE_ADV_IND ||
5849 type == LE_ADV_SCAN_IND)) {
b9a6328f 5850 store_pending_adv_report(hdev, bdaddr, bdaddr_type,
c70a7e4c 5851 rssi, flags, data, len);
b9a6328f
JH		 5852 return;
5853 }
5854
5855 /* The advertising reports cannot be merged, so clear
5856 * the pending report and send out a device found event.
5857 */
5858 clear_pending_adv_report(hdev);
5c5b93e4 5859 mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
c70a7e4c 5860 rssi, flags, data, len, NULL, 0);
b9a6328f
JH		 5861 return;
5862 }
5863
5864 /* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
5865 * the new event is a SCAN_RSP. We can therefore proceed with
5866 * sending a merged device found event.
5867 */
5868 mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
c70a7e4c 5869 d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
42bd6a56 5870 d->last_adv_data, d->last_adv_data_len, data, len);
b9a6328f 5871 clear_pending_adv_report(hdev);
4af605d8
JH		 5872}
5873
6039aa73 5874static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
9aa04c91 5875{
e95beb41
AG		 5876 u8 num_reports = skb->data[0];
5877 void *ptr = &skb->data[1];
9aa04c91 5878
a4790dbd
AG		 5879 hci_dev_lock(hdev);
5880
e95beb41
AG		 5881 while (num_reports--) {
5882 struct hci_ev_le_advertising_info *ev = ptr;
4af605d8 5883 s8 rssi;
a4790dbd 5884
ee649346
CC		 5885 if (ev->length <= HCI_MAX_AD_LENGTH) {
5886 rssi = ev->data[ev->length];
5887 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
5888 ev->bdaddr_type, NULL, 0, rssi,
a2ec905d 5889 ev->data, ev->length, false);
ee649346
CC		 5890 } else {
5891 bt_dev_err(hdev, "Dropping invalid advertising data");
5892 }
3c9e9195 5893
e95beb41 5894 ptr += sizeof(*ev) + ev->length + 1;
9aa04c91 5895 }
a4790dbd
AG		 5896
5897 hci_dev_unlock(hdev);
9aa04c91
AG		 5898}
5899
657cc646 5900static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type)
b2cc9761
JK		 5901{
5902 if (evt_type & LE_EXT_ADV_LEGACY_PDU) {
5903 switch (evt_type) {
5904 case LE_LEGACY_ADV_IND:
5905 return LE_ADV_IND;
5906 case LE_LEGACY_ADV_DIRECT_IND:
5907 return LE_ADV_DIRECT_IND;
5908 case LE_LEGACY_ADV_SCAN_IND:
5909 return LE_ADV_SCAN_IND;
5910 case LE_LEGACY_NONCONN_IND:
5911 return LE_ADV_NONCONN_IND;
5912 case LE_LEGACY_SCAN_RSP_ADV:
5913 case LE_LEGACY_SCAN_RSP_ADV_SCAN:
5914 return LE_ADV_SCAN_RSP;
5915 }
5916
657cc646 5917 goto invalid;
b2cc9761
JK		 5918 }
5919
5920 if (evt_type & LE_EXT_ADV_CONN_IND) {
5921 if (evt_type & LE_EXT_ADV_DIRECT_IND)
5922 return LE_ADV_DIRECT_IND;
5923
c215e939 5924 return LE_ADV_IND;
b2cc9761
JK		 5925 }
5926
5927 if (evt_type & LE_EXT_ADV_SCAN_RSP)
5928 return LE_ADV_SCAN_RSP;
5929
5930 if (evt_type & LE_EXT_ADV_SCAN_IND)
c215e939 5931 return LE_ADV_SCAN_IND;
b2cc9761
JK		 5932
5933 if (evt_type == LE_EXT_ADV_NON_CONN_IND ||
5934 evt_type & LE_EXT_ADV_DIRECT_IND)
c215e939 5935 return LE_ADV_NONCONN_IND;
c215e939 5936
657cc646
MH		 5937invalid:
5938 bt_dev_err_ratelimited(hdev, "Unknown advertising packet type: 0x%02x",
5939 evt_type);
c215e939
JK		 5940
5941 return LE_ADV_INVALID;
5942}
5943
5944static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
5945{
5946 u8 num_reports = skb->data[0];
5947 void *ptr = &skb->data[1];
5948
5949 hci_dev_lock(hdev);
5950
5951 while (num_reports--) {
5952 struct hci_ev_le_ext_adv_report *ev = ptr;
5953 u8 legacy_evt_type;
5954 u16 evt_type;
5955
5956 evt_type = __le16_to_cpu(ev->evt_type);
657cc646 5957 legacy_evt_type = ext_evt_type_to_legacy(hdev, evt_type);
c215e939
JK		 5958 if (legacy_evt_type != LE_ADV_INVALID) {
5959 process_adv_report(hdev, legacy_evt_type, &ev->bdaddr,
5960 ev->bdaddr_type, NULL, 0, ev->rssi,
a2ec905d
AM		 5961 ev->data, ev->length,
5962 !(evt_type & LE_EXT_ADV_LEGACY_PDU));
c215e939
JK		 5963 }
5964
cd9151b6 5965 ptr += sizeof(*ev) + ev->length;
c215e939
JK		 5966 }
5967
5968 hci_dev_unlock(hdev);
5969}
5970
0fe29fd1
MH		 5971static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev,
5972 struct sk_buff *skb)
5973{
5974 struct hci_ev_le_remote_feat_complete *ev = (void *)skb->data;
5975 struct hci_conn *conn;
5976
5977 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
5978
5979 hci_dev_lock(hdev);
5980
5981 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5982 if (conn) {
5983 if (!ev->status)
5984 memcpy(conn->features[0], ev->features, 8);
5985
5986 if (conn->state == BT_CONFIG) {
5987 __u8 status;
5988
ef365da1 5989 /* If the local controller supports peripheral-initiated
0fe29fd1
MH		 5990 * features exchange, but the remote controller does
5991 * not, then it is possible that the error code 0x1a
5992 * for unsupported remote feature gets returned.
5993 *
5994 * In this specific case, allow the connection to
5995 * transition into connected state and mark it as
5996 * successful.
5997 */
ef365da1
AP		 5998 if (!conn->out && ev->status == 0x1a &&
5999 (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES))
0fe29fd1
MH		 6000 status = 0x00;
6001 else
6002 status = ev->status;
6003
6004 conn->state = BT_CONNECTED;
6005 hci_connect_cfm(conn, status);
6006 hci_conn_drop(conn);
6007 }
6008 }
6009
6010 hci_dev_unlock(hdev);
6011}
6012
6039aa73 6013static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
a7a595f6
VCG		 6014{
6015 struct hci_ev_le_ltk_req *ev = (void *) skb->data;
6016 struct hci_cp_le_ltk_reply cp;
bea710fe 6017 struct hci_cp_le_ltk_neg_reply neg;
a7a595f6 6018 struct hci_conn *conn;
c9839a11 6019 struct smp_ltk *ltk;
a7a595f6 6020
9f1db00c 6021 BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle));
a7a595f6
VCG		 6022
6023 hci_dev_lock(hdev);
6024
6025 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
bea710fe
VCG		 6026 if (conn == NULL)
6027 goto not_found;
a7a595f6 6028
f3a73d97 6029 ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
5378bc56 6030 if (!ltk)
bea710fe
VCG		 6031 goto not_found;
6032
5378bc56
JH		 6033 if (smp_ltk_is_sc(ltk)) {
6034 /* With SC both EDiv and Rand are set to zero */
6035 if (ev->ediv || ev->rand)
6036 goto not_found;
6037 } else {
6038 /* For non-SC keys check that EDiv and Rand match */
6039 if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
6040 goto not_found;
6041 }
6042
8b76ce34
JH		 6043 memcpy(cp.ltk, ltk->val, ltk->enc_size);
6044 memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
a7a595f6 6045 cp.handle = cpu_to_le16(conn->handle);
c9839a11 6046
a6f7833c 6047 conn->pending_sec_level = smp_ltk_sec_level(ltk);
a7a595f6 6048
89cbb4da 6049 conn->enc_key_size = ltk->enc_size;
a7a595f6
VCG		 6050
6051 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
6052
5981a882
CT		 6053 /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
6054 * temporary key used to encrypt a connection following
6055 * pairing. It is used during the Encrypted Session Setup to
6056 * distribute the keys. Later, security can be re-established
6057 * using a distributed LTK.
6058 */
2ceba539 6059 if (ltk->type == SMP_STK) {
fe59a05f 6060 set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
970d0f1b
JH		 6061 list_del_rcu(&ltk->list);
6062 kfree_rcu(ltk, rcu);
fe59a05f
JH		 6063 } else {
6064 clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
c9839a11
VCG		 6065 }
6066
a7a595f6 6067 hci_dev_unlock(hdev);
bea710fe
VCG		 6068
6069 return;
6070
6071not_found:
6072 neg.handle = ev->handle;
6073 hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
6074 hci_dev_unlock(hdev);
a7a595f6
VCG		 6075}
6076
8e75b46a
AG		 6077static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
6078 u8 reason)
6079{
6080 struct hci_cp_le_conn_param_req_neg_reply cp;
6081
6082 cp.handle = cpu_to_le16(handle);
6083 cp.reason = reason;
6084
6085 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
6086 &cp);
6087}
6088
6089static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev,
6090 struct sk_buff *skb)
6091{
6092 struct hci_ev_le_remote_conn_param_req *ev = (void *) skb->data;
6093 struct hci_cp_le_conn_param_req_reply cp;
6094 struct hci_conn *hcon;
6095 u16 handle, min, max, latency, timeout;
6096
6097 handle = le16_to_cpu(ev->handle);
6098 min = le16_to_cpu(ev->interval_min);
6099 max = le16_to_cpu(ev->interval_max);
6100 latency = le16_to_cpu(ev->latency);
6101 timeout = le16_to_cpu(ev->timeout);
6102
6103 hcon = hci_conn_hash_lookup_handle(hdev, handle);
6104 if (!hcon || hcon->state != BT_CONNECTED)
6105 return send_conn_param_neg_reply(hdev, handle,
6106 HCI_ERROR_UNKNOWN_CONN_ID);
6107
6108 if (hci_check_conn_params(min, max, latency, timeout))
6109 return send_conn_param_neg_reply(hdev, handle,
6110 HCI_ERROR_INVALID_LL_PARAMS);
6111
40bef302 6112 if (hcon->role == HCI_ROLE_MASTER) {
348d50b8 6113 struct hci_conn_params *params;
f4869e2a 6114 u8 store_hint;
348d50b8
JH		 6115
6116 hci_dev_lock(hdev);
6117
6118 params = hci_conn_params_lookup(hdev, &hcon->dst,
6119 hcon->dst_type);
6120 if (params) {
6121 params->conn_min_interval = min;
6122 params->conn_max_interval = max;
6123 params->conn_latency = latency;
6124 params->supervision_timeout = timeout;
f4869e2a 6125 store_hint = 0x01;
149b3f13 6126 } else {
f4869e2a 6127 store_hint = 0x00;
348d50b8
JH		 6128 }
6129
6130 hci_dev_unlock(hdev);
6131
f4869e2a
JH		 6132 mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
6133 store_hint, min, max, latency, timeout);
348d50b8 6134 }
ffb5a827 6135
8e75b46a
AG		 6136 cp.handle = ev->handle;
6137 cp.interval_min = ev->interval_min;
6138 cp.interval_max = ev->interval_max;
6139 cp.latency = ev->latency;
6140 cp.timeout = ev->timeout;
6141 cp.min_ce_len = 0;
6142 cp.max_ce_len = 0;
6143
6144 hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
6145}
6146
2f010b55
MH		 6147static void hci_le_direct_adv_report_evt(struct hci_dev *hdev,
6148 struct sk_buff *skb)
6149{
6150 u8 num_reports = skb->data[0];
f7e0e8b2 6151 struct hci_ev_le_direct_adv_info *ev = (void *)&skb->data[1];
2f010b55 6152
f7e0e8b2
PY		 6153 if (!num_reports || skb->len < num_reports * sizeof(*ev) + 1)
6154 return;
2f010b55 6155
f7e0e8b2 6156 hci_dev_lock(hdev);
2f010b55 6157
f7e0e8b2 6158 for (; num_reports; num_reports--, ev++)
2f010b55
MH		 6159 process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
6160 ev->bdaddr_type, &ev->direct_addr,
a2ec905d
AM		 6161 ev->direct_addr_type, ev->rssi, NULL, 0,
6162 false);
2f010b55 6163
2f010b55
MH		 6164 hci_dev_unlock(hdev);
6165}
6166
1efd927d
LAD		 6167static void hci_le_phy_update_evt(struct hci_dev *hdev, struct sk_buff *skb)
6168{
6169 struct hci_ev_le_phy_update_complete *ev = (void *) skb->data;
6170 struct hci_conn *conn;
6171
6172 BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
6173
87df8bcc 6174 if (ev->status)
1efd927d
LAD		 6175 return;
6176
6177 hci_dev_lock(hdev);
6178
6179 conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6180 if (!conn)
6181 goto unlock;
6182
6183 conn->le_tx_phy = ev->tx_phy;
6184 conn->le_rx_phy = ev->rx_phy;
6185
6186unlock:
6187 hci_dev_unlock(hdev);
6188}
6189
6039aa73 6190static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
fcd89c09
VT		 6191{
6192 struct hci_ev_le_meta *le_ev = (void *) skb->data;
6193
6194 skb_pull(skb, sizeof(*le_ev));
6195
6196 switch (le_ev->subevent) {
6197 case HCI_EV_LE_CONN_COMPLETE:
6198 hci_le_conn_complete_evt(hdev, skb);
6199 break;
6200
1855d92d
MH		 6201 case HCI_EV_LE_CONN_UPDATE_COMPLETE:
6202 hci_le_conn_update_complete_evt(hdev, skb);
6203 break;
6204
9aa04c91
AG		 6205 case HCI_EV_LE_ADVERTISING_REPORT:
6206 hci_le_adv_report_evt(hdev, skb);
6207 break;
6208
0fe29fd1
MH		 6209 case HCI_EV_LE_REMOTE_FEAT_COMPLETE:
6210 hci_le_remote_feat_complete_evt(hdev, skb);
6211 break;
6212
a7a595f6
VCG		 6213 case HCI_EV_LE_LTK_REQ:
6214 hci_le_ltk_request_evt(hdev, skb);
6215 break;
6216
8e75b46a
AG		 6217 case HCI_EV_LE_REMOTE_CONN_PARAM_REQ:
6218 hci_le_remote_conn_param_req_evt(hdev, skb);
6219 break;
6220
2f010b55
MH		 6221 case HCI_EV_LE_DIRECT_ADV_REPORT:
6222 hci_le_direct_adv_report_evt(hdev, skb);
6223 break;
6224
1efd927d
LAD		 6225 case HCI_EV_LE_PHY_UPDATE_COMPLETE:
6226 hci_le_phy_update_evt(hdev, skb);
6227 break;
6228
c215e939
JK		 6229 case HCI_EV_LE_EXT_ADV_REPORT:
6230 hci_le_ext_adv_report_evt(hdev, skb);
6231 break;
6232
4d94f95d
JK		 6233 case HCI_EV_LE_ENHANCED_CONN_COMPLETE:
6234 hci_le_enh_conn_complete_evt(hdev, skb);
6235 break;
6236
acf0aeae
JK		 6237 case HCI_EV_LE_EXT_ADV_SET_TERM:
6238 hci_le_ext_adv_term_evt(hdev, skb);
6239 break;
6240
fcd89c09
VT		 6241 default:
6242 break;
6243 }
6244}
6245
757aa0b5
JH		 6246static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
6247 u8 event, struct sk_buff *skb)
6248{
6249 struct hci_ev_cmd_complete *ev;
6250 struct hci_event_hdr *hdr;
6251
6252 if (!skb)
6253 return false;
6254
6255 if (skb->len < sizeof(*hdr)) {
2064ee33 6256 bt_dev_err(hdev, "too short HCI event");
757aa0b5
JH		 6257 return false;
6258 }
6259
6260 hdr = (void *) skb->data;
6261 skb_pull(skb, HCI_EVENT_HDR_SIZE);
6262
6263 if (event) {
6264 if (hdr->evt != event)
6265 return false;
6266 return true;
6267 }
6268
91641b79 6269 /* Check if request ended in Command Status - no way to retrieve
1629db9c
JH		 6270 * any extra parameters in this case.
6271 */
6272 if (hdr->evt == HCI_EV_CMD_STATUS)
6273 return false;
6274
757aa0b5 6275 if (hdr->evt != HCI_EV_CMD_COMPLETE) {
2064ee33
MH		 6276 bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)",
6277 hdr->evt);
757aa0b5
JH		 6278 return false;
6279 }
6280
6281 if (skb->len < sizeof(*ev)) {
2064ee33 6282 bt_dev_err(hdev, "too short cmd_complete event");
757aa0b5
JH		 6283 return false;
6284 }
6285
6286 ev = (void *) skb->data;
6287 skb_pull(skb, sizeof(*ev));
6288
6289 if (opcode != __le16_to_cpu(ev->opcode)) {
6290 BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
6291 __le16_to_cpu(ev->opcode));
6292 return false;
6293 }
6294
6295 return true;
6296}
6297
2f20216c
APS		 6298static void hci_store_wake_reason(struct hci_dev *hdev, u8 event,
6299 struct sk_buff *skb)
6300{
6301 struct hci_ev_le_advertising_info *adv;
6302 struct hci_ev_le_direct_adv_info *direct_adv;
6303 struct hci_ev_le_ext_adv_report *ext_adv;
6304 const struct hci_ev_conn_complete *conn_complete = (void *)skb->data;
6305 const struct hci_ev_conn_request *conn_request = (void *)skb->data;
6306
6307 hci_dev_lock(hdev);
6308
6309 /* If we are currently suspended and this is the first BT event seen,
6310 * save the wake reason associated with the event.
6311 */
6312 if (!hdev->suspended || hdev->wake_reason)
6313 goto unlock;
6314
6315 /* Default to remote wake. Values for wake_reason are documented in the
6316 * Bluez mgmt api docs.
6317 */
6318 hdev->wake_reason = MGMT_WAKE_REASON_REMOTE_WAKE;
6319
6320 /* Once configured for remote wakeup, we should only wake up for
6321 * reconnections. It's useful to see which device is waking us up so
6322 * keep track of the bdaddr of the connection event that woke us up.
6323 */
6324 if (event == HCI_EV_CONN_REQUEST) {
6325 bacpy(&hdev->wake_addr, &conn_complete->bdaddr);
6326 hdev->wake_addr_type = BDADDR_BREDR;
6327 } else if (event == HCI_EV_CONN_COMPLETE) {
6328 bacpy(&hdev->wake_addr, &conn_request->bdaddr);
6329 hdev->wake_addr_type = BDADDR_BREDR;
6330 } else if (event == HCI_EV_LE_META) {
6331 struct hci_ev_le_meta *le_ev = (void *)skb->data;
6332 u8 subevent = le_ev->subevent;
6333 u8 *ptr = &skb->data[sizeof(*le_ev)];
6334 u8 num_reports = *ptr;
6335
6336 if ((subevent == HCI_EV_LE_ADVERTISING_REPORT ||
6337 subevent == HCI_EV_LE_DIRECT_ADV_REPORT ||
6338 subevent == HCI_EV_LE_EXT_ADV_REPORT) &&
6339 num_reports) {
6340 adv = (void *)(ptr + 1);
6341 direct_adv = (void *)(ptr + 1);
6342 ext_adv = (void *)(ptr + 1);
6343
6344 switch (subevent) {
6345 case HCI_EV_LE_ADVERTISING_REPORT:
6346 bacpy(&hdev->wake_addr, &adv->bdaddr);
6347 hdev->wake_addr_type = adv->bdaddr_type;
6348 break;
6349 case HCI_EV_LE_DIRECT_ADV_REPORT:
6350 bacpy(&hdev->wake_addr, &direct_adv->bdaddr);
6351 hdev->wake_addr_type = direct_adv->bdaddr_type;
6352 break;
6353 case HCI_EV_LE_EXT_ADV_REPORT:
6354 bacpy(&hdev->wake_addr, &ext_adv->bdaddr);
6355 hdev->wake_addr_type = ext_adv->bdaddr_type;
6356 break;
6357 }
6358 }
6359 } else {
6360 hdev->wake_reason = MGMT_WAKE_REASON_UNEXPECTED;
6361 }
6362
6363unlock:
6364 hci_dev_unlock(hdev);
6365}
6366
a9de9248
MH		 6367void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
6368{
6369 struct hci_event_hdr *hdr = (void *) skb->data;
e6214487
JH		 6370 hci_req_complete_t req_complete = NULL;
6371 hci_req_complete_skb_t req_complete_skb = NULL;
6372 struct sk_buff *orig_skb = NULL;
757aa0b5 6373 u8 status = 0, event = hdr->evt, req_evt = 0;
e6214487 6374 u16 opcode = HCI_OP_NOP;
a9de9248 6375
08bb4da9
AM		 6376 if (!event) {
6377 bt_dev_warn(hdev, "Received unexpected HCI Event 00000000");
6378 goto done;
6379 }
6380
242c0ebd 6381 if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->hci.req_event == event) {
c1f23a2b 6382 struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data;
e6214487
JH		 6383 opcode = __le16_to_cpu(cmd_hdr->opcode);
6384 hci_req_cmd_complete(hdev, opcode, status, &req_complete,
6385 &req_complete_skb);
757aa0b5 6386 req_evt = event;
02350a72
JH		 6387 }
6388
e6214487
JH		 6389 /* If it looks like we might end up having to call
6390 * req_complete_skb, store a pristine copy of the skb since the
6391 * various handlers may modify the original one through
6392 * skb_pull() calls, etc.
6393 */
6394 if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
6395 event == HCI_EV_CMD_COMPLETE)
6396 orig_skb = skb_clone(skb, GFP_KERNEL);
6397
6398 skb_pull(skb, HCI_EVENT_HDR_SIZE);
6399
2f20216c
APS		 6400 /* Store wake reason if we're suspended */
6401 hci_store_wake_reason(hdev, event, skb);
6402
a9de9248 6403 switch (event) {
1da177e4
LT		 6404 case HCI_EV_INQUIRY_COMPLETE:
6405 hci_inquiry_complete_evt(hdev, skb);
6406 break;
6407
6408 case HCI_EV_INQUIRY_RESULT:
6409 hci_inquiry_result_evt(hdev, skb);
6410 break;
6411
a9de9248
MH		 6412 case HCI_EV_CONN_COMPLETE:
6413 hci_conn_complete_evt(hdev, skb);
21d9e30e
MH		 6414 break;
6415
1da177e4
LT		 6416 case HCI_EV_CONN_REQUEST:
6417 hci_conn_request_evt(hdev, skb);
6418 break;
6419
1da177e4
LT		 6420 case HCI_EV_DISCONN_COMPLETE:
6421 hci_disconn_complete_evt(hdev, skb);
6422 break;
6423
1da177e4
LT		 6424 case HCI_EV_AUTH_COMPLETE:
6425 hci_auth_complete_evt(hdev, skb);
6426 break;
6427
a9de9248
MH		 6428 case HCI_EV_REMOTE_NAME:
6429 hci_remote_name_evt(hdev, skb);
6430 break;
6431
1da177e4
LT		 6432 case HCI_EV_ENCRYPT_CHANGE:
6433 hci_encrypt_change_evt(hdev, skb);
6434 break;
6435
a9de9248
MH		 6436 case HCI_EV_CHANGE_LINK_KEY_COMPLETE:
6437 hci_change_link_key_complete_evt(hdev, skb);
6438 break;
6439
6440 case HCI_EV_REMOTE_FEATURES:
6441 hci_remote_features_evt(hdev, skb);
6442 break;
6443
a9de9248 6444 case HCI_EV_CMD_COMPLETE:
e6214487
JH		 6445 hci_cmd_complete_evt(hdev, skb, &opcode, &status,
6446 &req_complete, &req_complete_skb);
a9de9248
MH		 6447 break;
6448
6449 case HCI_EV_CMD_STATUS:
e6214487
JH		 6450 hci_cmd_status_evt(hdev, skb, &opcode, &status, &req_complete,
6451 &req_complete_skb);
a9de9248
MH		 6452 break;
6453
24dfa343
MH		 6454 case HCI_EV_HARDWARE_ERROR:
6455 hci_hardware_error_evt(hdev, skb);
6456 break;
6457
a9de9248
MH		 6458 case HCI_EV_ROLE_CHANGE:
6459 hci_role_change_evt(hdev, skb);
6460 break;
6461
6462 case HCI_EV_NUM_COMP_PKTS:
6463 hci_num_comp_pkts_evt(hdev, skb);
6464 break;
6465
6466 case HCI_EV_MODE_CHANGE:
6467 hci_mode_change_evt(hdev, skb);
1da177e4
LT		 6468 break;
6469
6470 case HCI_EV_PIN_CODE_REQ:
6471 hci_pin_code_request_evt(hdev, skb);
6472 break;
6473
6474 case HCI_EV_LINK_KEY_REQ:
6475 hci_link_key_request_evt(hdev, skb);
6476 break;
6477
6478 case HCI_EV_LINK_KEY_NOTIFY:
6479 hci_link_key_notify_evt(hdev, skb);
6480 break;
6481
6482 case HCI_EV_CLOCK_OFFSET:
6483 hci_clock_offset_evt(hdev, skb);
6484 break;
6485
a8746417
MH		 6486 case HCI_EV_PKT_TYPE_CHANGE:
6487 hci_pkt_type_change_evt(hdev, skb);
6488 break;
6489
85a1e930
MH		 6490 case HCI_EV_PSCAN_REP_MODE:
6491 hci_pscan_rep_mode_evt(hdev, skb);
6492 break;
6493
a9de9248
MH		 6494 case HCI_EV_INQUIRY_RESULT_WITH_RSSI:
6495 hci_inquiry_result_with_rssi_evt(hdev, skb);
04837f64
MH		 6496 break;
6497
a9de9248
MH		 6498 case HCI_EV_REMOTE_EXT_FEATURES:
6499 hci_remote_ext_features_evt(hdev, skb);
1da177e4
LT		 6500 break;
6501
a9de9248
MH		 6502 case HCI_EV_SYNC_CONN_COMPLETE:
6503 hci_sync_conn_complete_evt(hdev, skb);
6504 break;
1da177e4 6505
a9de9248
MH		 6506 case HCI_EV_EXTENDED_INQUIRY_RESULT:
6507 hci_extended_inquiry_result_evt(hdev, skb);
6508 break;
1da177e4 6509
1c2e0041
JH		 6510 case HCI_EV_KEY_REFRESH_COMPLETE:
6511 hci_key_refresh_complete_evt(hdev, skb);
6512 break;
6513
0493684e
MH		 6514 case HCI_EV_IO_CAPA_REQUEST:
6515 hci_io_capa_request_evt(hdev, skb);
6516 break;
6517
03b555e1
JH		 6518 case HCI_EV_IO_CAPA_REPLY:
6519 hci_io_capa_reply_evt(hdev, skb);
6520 break;
6521
a5c29683
JH		 6522 case HCI_EV_USER_CONFIRM_REQUEST:
6523 hci_user_confirm_request_evt(hdev, skb);
6524 break;
6525
1143d458
BG		 6526 case HCI_EV_USER_PASSKEY_REQUEST:
6527 hci_user_passkey_request_evt(hdev, skb);
6528 break;
6529
92a25256
JH		 6530 case HCI_EV_USER_PASSKEY_NOTIFY:
6531 hci_user_passkey_notify_evt(hdev, skb);
6532 break;
6533
6534 case HCI_EV_KEYPRESS_NOTIFY:
6535 hci_keypress_notify_evt(hdev, skb);
6536 break;
6537
0493684e
MH		 6538 case HCI_EV_SIMPLE_PAIR_COMPLETE:
6539 hci_simple_pair_complete_evt(hdev, skb);
6540 break;
6541
41a96212
MH		 6542 case HCI_EV_REMOTE_HOST_FEATURES:
6543 hci_remote_host_features_evt(hdev, skb);
6544 break;
6545
fcd89c09
VT		 6546 case HCI_EV_LE_META:
6547 hci_le_meta_evt(hdev, skb);
6548 break;
6549
2763eda6
SJ		 6550 case HCI_EV_REMOTE_OOB_DATA_REQUEST:
6551 hci_remote_oob_data_request_evt(hdev, skb);
6552 break;
6553
a77a6a14
AW		 6554#if IS_ENABLED(CONFIG_BT_HS)
6555 case HCI_EV_CHANNEL_SELECTED:
6556 hci_chan_selected_evt(hdev, skb);
6557 break;
6558
d5e91192
AE		 6559 case HCI_EV_PHY_LINK_COMPLETE:
6560 hci_phy_link_complete_evt(hdev, skb);
6561 break;
6562
27695fb4
AE		 6563 case HCI_EV_LOGICAL_LINK_COMPLETE:
6564 hci_loglink_complete_evt(hdev, skb);
6565 break;
6566
606e2a10
AE		 6567 case HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE:
6568 hci_disconn_loglink_complete_evt(hdev, skb);
6569 break;
6570
9eef6b3a
AE		 6571 case HCI_EV_DISCONN_PHY_LINK_COMPLETE:
6572 hci_disconn_phylink_complete_evt(hdev, skb);
6573 break;
a77a6a14 6574#endif
9eef6b3a 6575
25e89e99
AE		 6576 case HCI_EV_NUM_COMP_BLOCKS:
6577 hci_num_comp_blocks_evt(hdev, skb);
6578 break;
6579
145373cb
MC		 6580 case HCI_EV_VENDOR:
6581 msft_vendor_evt(hdev, skb);
6582 break;
6583
a9de9248 6584 default:
9f1db00c 6585 BT_DBG("%s event 0x%2.2x", hdev->name, event);
1da177e4
LT		 6586 break;
6587 }
6588
757aa0b5 6589 if (req_complete) {
e6214487 6590 req_complete(hdev, status, opcode);
757aa0b5
JH		 6591 } else if (req_complete_skb) {
6592 if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {
6593 kfree_skb(orig_skb);
6594 orig_skb = NULL;
6595 }
e6214487 6596 req_complete_skb(hdev, status, opcode, orig_skb);
757aa0b5 6597 }
e6214487 6598
08bb4da9 6599done:
e6214487 6600 kfree_skb(orig_skb);
1da177e4
LT		 6601 kfree_skb(skb);
6602 hdev->stat.evt_rx++;
6603}
Linux 6.x block layer and io_uring tree(s)