linux/net/bluetooth/hci_event.c
<<
>>
Prefs
   1/*
   2   BlueZ - Bluetooth protocol stack for Linux
   3   Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
   4
   5   Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
   6
   7   This program is free software; you can redistribute it and/or modify
   8   it under the terms of the GNU General Public License version 2 as
   9   published by the Free Software Foundation;
  10
  11   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
  12   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  13   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
  14   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
  15   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
  16   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  17   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  18   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  19
  20   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
  21   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
  22   SOFTWARE IS DISCLAIMED.
  23*/
  24
  25/* Bluetooth HCI event handling. */
  26
  27#include <linux/export.h>
  28#include <asm/unaligned.h>
  29
  30#include <net/bluetooth/bluetooth.h>
  31#include <net/bluetooth/hci_core.h>
  32
  33/* Handle HCI Event packets */
  34
  35static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb)
  36{
  37        __u8 status = *((__u8 *) skb->data);
  38
  39        BT_DBG("%s status 0x%2.2x", hdev->name, status);
  40
  41        if (status) {
  42                hci_dev_lock(hdev);
  43                mgmt_stop_discovery_failed(hdev, status);
  44                hci_dev_unlock(hdev);
  45                return;
  46        }
  47
  48        clear_bit(HCI_INQUIRY, &hdev->flags);
  49
  50        hci_dev_lock(hdev);
  51        hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
  52        hci_dev_unlock(hdev);
  53
  54        hci_req_complete(hdev, HCI_OP_INQUIRY_CANCEL, status);
  55
  56        hci_conn_check_pending(hdev);
  57}
  58
  59static void hci_cc_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
  60{
  61        __u8 status = *((__u8 *) skb->data);
  62
  63        BT_DBG("%s status 0x%2.2x", hdev->name, status);
  64
  65        if (status)
  66                return;
  67
  68        set_bit(HCI_PERIODIC_INQ, &hdev->dev_flags);
  69}
  70
  71static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
  72{
  73        __u8 status = *((__u8 *) skb->data);
  74
  75        BT_DBG("%s status 0x%2.2x", hdev->name, status);
  76
  77        if (status)
  78                return;
  79
  80        clear_bit(HCI_PERIODIC_INQ, &hdev->dev_flags);
  81
  82        hci_conn_check_pending(hdev);
  83}
  84
  85static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev,
  86                                          struct sk_buff *skb)
  87{
  88        BT_DBG("%s", hdev->name);
  89}
  90
  91static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb)
  92{
  93        struct hci_rp_role_discovery *rp = (void *) skb->data;
  94        struct hci_conn *conn;
  95
  96        BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
  97
  98        if (rp->status)
  99                return;
 100
 101        hci_dev_lock(hdev);
 102
 103        conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
 104        if (conn) {
 105                if (rp->role)
 106                        conn->link_mode &= ~HCI_LM_MASTER;
 107                else
 108                        conn->link_mode |= HCI_LM_MASTER;
 109        }
 110
 111        hci_dev_unlock(hdev);
 112}
 113
 114static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
 115{
 116        struct hci_rp_read_link_policy *rp = (void *) skb->data;
 117        struct hci_conn *conn;
 118
 119        BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 120
 121        if (rp->status)
 122                return;
 123
 124        hci_dev_lock(hdev);
 125
 126        conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
 127        if (conn)
 128                conn->link_policy = __le16_to_cpu(rp->policy);
 129
 130        hci_dev_unlock(hdev);
 131}
 132
 133static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
 134{
 135        struct hci_rp_write_link_policy *rp = (void *) skb->data;
 136        struct hci_conn *conn;
 137        void *sent;
 138
 139        BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 140
 141        if (rp->status)
 142                return;
 143
 144        sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
 145        if (!sent)
 146                return;
 147
 148        hci_dev_lock(hdev);
 149
 150        conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
 151        if (conn)
 152                conn->link_policy = get_unaligned_le16(sent + 2);
 153
 154        hci_dev_unlock(hdev);
 155}
 156
 157static void hci_cc_read_def_link_policy(struct hci_dev *hdev,
 158                                        struct sk_buff *skb)
 159{
 160        struct hci_rp_read_def_link_policy *rp = (void *) skb->data;
 161
 162        BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 163
 164        if (rp->status)
 165                return;
 166
 167        hdev->link_policy = __le16_to_cpu(rp->policy);
 168}
 169
 170static void hci_cc_write_def_link_policy(struct hci_dev *hdev,
 171                                         struct sk_buff *skb)
 172{
 173        __u8 status = *((__u8 *) skb->data);
 174        void *sent;
 175
 176        BT_DBG("%s status 0x%2.2x", hdev->name, status);
 177
 178        sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
 179        if (!sent)
 180                return;
 181
 182        if (!status)
 183                hdev->link_policy = get_unaligned_le16(sent);
 184
 185        hci_req_complete(hdev, HCI_OP_WRITE_DEF_LINK_POLICY, status);
 186}
 187
 188static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb)
 189{
 190        __u8 status = *((__u8 *) skb->data);
 191
 192        BT_DBG("%s status 0x%2.2x", hdev->name, status);
 193
 194        clear_bit(HCI_RESET, &hdev->flags);
 195
 196        hci_req_complete(hdev, HCI_OP_RESET, status);
 197
 198        /* Reset all non-persistent flags */
 199        hdev->dev_flags &= ~(BIT(HCI_LE_SCAN) | BIT(HCI_PENDING_CLASS) |
 200                             BIT(HCI_PERIODIC_INQ));
 201
 202        hdev->discovery.state = DISCOVERY_STOPPED;
 203}
 204
 205static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb)
 206{
 207        __u8 status = *((__u8 *) skb->data);
 208        void *sent;
 209
 210        BT_DBG("%s status 0x%2.2x", hdev->name, status);
 211
 212        sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
 213        if (!sent)
 214                return;
 215
 216        hci_dev_lock(hdev);
 217
 218        if (test_bit(HCI_MGMT, &hdev->dev_flags))
 219                mgmt_set_local_name_complete(hdev, sent, status);
 220        else if (!status)
 221                memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
 222
 223        hci_dev_unlock(hdev);
 224
 225        hci_req_complete(hdev, HCI_OP_WRITE_LOCAL_NAME, status);
 226}
 227
 228static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)
 229{
 230        struct hci_rp_read_local_name *rp = (void *) skb->data;
 231
 232        BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 233
 234        if (rp->status)
 235                return;
 236
 237        if (test_bit(HCI_SETUP, &hdev->dev_flags))
 238                memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
 239}
 240
 241static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb)
 242{
 243        __u8 status = *((__u8 *) skb->data);
 244        void *sent;
 245
 246        BT_DBG("%s status 0x%2.2x", hdev->name, status);
 247
 248        sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
 249        if (!sent)
 250                return;
 251
 252        if (!status) {
 253                __u8 param = *((__u8 *) sent);
 254
 255                if (param == AUTH_ENABLED)
 256                        set_bit(HCI_AUTH, &hdev->flags);
 257                else
 258                        clear_bit(HCI_AUTH, &hdev->flags);
 259        }
 260
 261        if (test_bit(HCI_MGMT, &hdev->dev_flags))
 262                mgmt_auth_enable_complete(hdev, status);
 263
 264        hci_req_complete(hdev, HCI_OP_WRITE_AUTH_ENABLE, status);
 265}
 266
 267static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb)
 268{
 269        __u8 status = *((__u8 *) skb->data);
 270        void *sent;
 271
 272        BT_DBG("%s status 0x%2.2x", hdev->name, status);
 273
 274        sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
 275        if (!sent)
 276                return;
 277
 278        if (!status) {
 279                __u8 param = *((__u8 *) sent);
 280
 281                if (param)
 282                        set_bit(HCI_ENCRYPT, &hdev->flags);
 283                else
 284                        clear_bit(HCI_ENCRYPT, &hdev->flags);
 285        }
 286
 287        hci_req_complete(hdev, HCI_OP_WRITE_ENCRYPT_MODE, status);
 288}
 289
 290static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb)
 291{
 292        __u8 param, status = *((__u8 *) skb->data);
 293        int old_pscan, old_iscan;
 294        void *sent;
 295
 296        BT_DBG("%s status 0x%2.2x", hdev->name, status);
 297
 298        sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
 299        if (!sent)
 300                return;
 301
 302        param = *((__u8 *) sent);
 303
 304        hci_dev_lock(hdev);
 305
 306        if (status != 0) {
 307                mgmt_write_scan_failed(hdev, param, status);
 308                hdev->discov_timeout = 0;
 309                goto done;
 310        }
 311
 312        old_pscan = test_and_clear_bit(HCI_PSCAN, &hdev->flags);
 313        old_iscan = test_and_clear_bit(HCI_ISCAN, &hdev->flags);
 314
 315        if (param & SCAN_INQUIRY) {
 316                set_bit(HCI_ISCAN, &hdev->flags);
 317                if (!old_iscan)
 318                        mgmt_discoverable(hdev, 1);
 319                if (hdev->discov_timeout > 0) {
 320                        int to = msecs_to_jiffies(hdev->discov_timeout * 1000);
 321                        queue_delayed_work(hdev->workqueue, &hdev->discov_off,
 322                                           to);
 323                }
 324        } else if (old_iscan)
 325                mgmt_discoverable(hdev, 0);
 326
 327        if (param & SCAN_PAGE) {
 328                set_bit(HCI_PSCAN, &hdev->flags);
 329                if (!old_pscan)
 330                        mgmt_connectable(hdev, 1);
 331        } else if (old_pscan)
 332                mgmt_connectable(hdev, 0);
 333
 334done:
 335        hci_dev_unlock(hdev);
 336        hci_req_complete(hdev, HCI_OP_WRITE_SCAN_ENABLE, status);
 337}
 338
 339static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
 340{
 341        struct hci_rp_read_class_of_dev *rp = (void *) skb->data;
 342
 343        BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 344
 345        if (rp->status)
 346                return;
 347
 348        memcpy(hdev->dev_class, rp->dev_class, 3);
 349
 350        BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name,
 351               hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]);
 352}
 353
 354static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
 355{
 356        __u8 status = *((__u8 *) skb->data);
 357        void *sent;
 358
 359        BT_DBG("%s status 0x%2.2x", hdev->name, status);
 360
 361        sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
 362        if (!sent)
 363                return;
 364
 365        hci_dev_lock(hdev);
 366
 367        if (status == 0)
 368                memcpy(hdev->dev_class, sent, 3);
 369
 370        if (test_bit(HCI_MGMT, &hdev->dev_flags))
 371                mgmt_set_class_of_dev_complete(hdev, sent, status);
 372
 373        hci_dev_unlock(hdev);
 374}
 375
 376static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb)
 377{
 378        struct hci_rp_read_voice_setting *rp = (void *) skb->data;
 379        __u16 setting;
 380
 381        BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 382
 383        if (rp->status)
 384                return;
 385
 386        setting = __le16_to_cpu(rp->voice_setting);
 387
 388        if (hdev->voice_setting == setting)
 389                return;
 390
 391        hdev->voice_setting = setting;
 392
 393        BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
 394
 395        if (hdev->notify)
 396                hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
 397}
 398
 399static void hci_cc_write_voice_setting(struct hci_dev *hdev,
 400                                       struct sk_buff *skb)
 401{
 402        __u8 status = *((__u8 *) skb->data);
 403        __u16 setting;
 404        void *sent;
 405
 406        BT_DBG("%s status 0x%2.2x", hdev->name, status);
 407
 408        if (status)
 409                return;
 410
 411        sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
 412        if (!sent)
 413                return;
 414
 415        setting = get_unaligned_le16(sent);
 416
 417        if (hdev->voice_setting == setting)
 418                return;
 419
 420        hdev->voice_setting = setting;
 421
 422        BT_DBG("%s voice setting 0x%4.4x", hdev->name, setting);
 423
 424        if (hdev->notify)
 425                hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
 426}
 427
 428static void hci_cc_host_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)
 429{
 430        __u8 status = *((__u8 *) skb->data);
 431
 432        BT_DBG("%s status 0x%2.2x", hdev->name, status);
 433
 434        hci_req_complete(hdev, HCI_OP_HOST_BUFFER_SIZE, status);
 435}
 436
 437static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
 438{
 439        __u8 status = *((__u8 *) skb->data);
 440        void *sent;
 441
 442        BT_DBG("%s status 0x%2.2x", hdev->name, status);
 443
 444        sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
 445        if (!sent)
 446                return;
 447
 448        if (test_bit(HCI_MGMT, &hdev->dev_flags))
 449                mgmt_ssp_enable_complete(hdev, *((u8 *) sent), status);
 450        else if (!status) {
 451                if (*((u8 *) sent))
 452                        set_bit(HCI_SSP_ENABLED, &hdev->dev_flags);
 453                else
 454                        clear_bit(HCI_SSP_ENABLED, &hdev->dev_flags);
 455        }
 456}
 457
 458static u8 hci_get_inquiry_mode(struct hci_dev *hdev)
 459{
 460        if (hdev->features[6] & LMP_EXT_INQ)
 461                return 2;
 462
 463        if (hdev->features[3] & LMP_RSSI_INQ)
 464                return 1;
 465
 466        if (hdev->manufacturer == 11 && hdev->hci_rev == 0x00 &&
 467            hdev->lmp_subver == 0x0757)
 468                return 1;
 469
 470        if (hdev->manufacturer == 15) {
 471                if (hdev->hci_rev == 0x03 && hdev->lmp_subver == 0x6963)
 472                        return 1;
 473                if (hdev->hci_rev == 0x09 && hdev->lmp_subver == 0x6963)
 474                        return 1;
 475                if (hdev->hci_rev == 0x00 && hdev->lmp_subver == 0x6965)
 476                        return 1;
 477        }
 478
 479        if (hdev->manufacturer == 31 && hdev->hci_rev == 0x2005 &&
 480            hdev->lmp_subver == 0x1805)
 481                return 1;
 482
 483        return 0;
 484}
 485
 486static void hci_setup_inquiry_mode(struct hci_dev *hdev)
 487{
 488        u8 mode;
 489
 490        mode = hci_get_inquiry_mode(hdev);
 491
 492        hci_send_cmd(hdev, HCI_OP_WRITE_INQUIRY_MODE, 1, &mode);
 493}
 494
 495static void hci_setup_event_mask(struct hci_dev *hdev)
 496{
 497        /* The second byte is 0xff instead of 0x9f (two reserved bits
 498         * disabled) since a Broadcom 1.2 dongle doesn't respond to the
 499         * command otherwise */
 500        u8 events[8] = { 0xff, 0xff, 0xfb, 0xff, 0x00, 0x00, 0x00, 0x00 };
 501
 502        /* CSR 1.1 dongles does not accept any bitfield so don't try to set
 503         * any event mask for pre 1.2 devices */
 504        if (hdev->hci_ver < BLUETOOTH_VER_1_2)
 505                return;
 506
 507        events[4] |= 0x01; /* Flow Specification Complete */
 508        events[4] |= 0x02; /* Inquiry Result with RSSI */
 509        events[4] |= 0x04; /* Read Remote Extended Features Complete */
 510        events[5] |= 0x08; /* Synchronous Connection Complete */
 511        events[5] |= 0x10; /* Synchronous Connection Changed */
 512
 513        if (hdev->features[3] & LMP_RSSI_INQ)
 514                events[4] |= 0x02; /* Inquiry Result with RSSI */
 515
 516        if (hdev->features[5] & LMP_SNIFF_SUBR)
 517                events[5] |= 0x20; /* Sniff Subrating */
 518
 519        if (hdev->features[5] & LMP_PAUSE_ENC)
 520                events[5] |= 0x80; /* Encryption Key Refresh Complete */
 521
 522        if (hdev->features[6] & LMP_EXT_INQ)
 523                events[5] |= 0x40; /* Extended Inquiry Result */
 524
 525        if (hdev->features[6] & LMP_NO_FLUSH)
 526                events[7] |= 0x01; /* Enhanced Flush Complete */
 527
 528        if (hdev->features[7] & LMP_LSTO)
 529                events[6] |= 0x80; /* Link Supervision Timeout Changed */
 530
 531        if (hdev->features[6] & LMP_SIMPLE_PAIR) {
 532                events[6] |= 0x01;      /* IO Capability Request */
 533                events[6] |= 0x02;      /* IO Capability Response */
 534                events[6] |= 0x04;      /* User Confirmation Request */
 535                events[6] |= 0x08;      /* User Passkey Request */
 536                events[6] |= 0x10;      /* Remote OOB Data Request */
 537                events[6] |= 0x20;      /* Simple Pairing Complete */
 538                events[7] |= 0x04;      /* User Passkey Notification */
 539                events[7] |= 0x08;      /* Keypress Notification */
 540                events[7] |= 0x10;      /* Remote Host Supported
 541                                         * Features Notification */
 542        }
 543
 544        if (hdev->features[4] & LMP_LE)
 545                events[7] |= 0x20;      /* LE Meta-Event */
 546
 547        hci_send_cmd(hdev, HCI_OP_SET_EVENT_MASK, sizeof(events), events);
 548}
 549
 550static void hci_setup(struct hci_dev *hdev)
 551{
 552        if (hdev->dev_type != HCI_BREDR)
 553                return;
 554
 555        hci_setup_event_mask(hdev);
 556
 557        if (hdev->hci_ver > BLUETOOTH_VER_1_1)
 558                hci_send_cmd(hdev, HCI_OP_READ_LOCAL_COMMANDS, 0, NULL);
 559
 560        if (lmp_ssp_capable(hdev)) {
 561                if (test_bit(HCI_SSP_ENABLED, &hdev->dev_flags)) {
 562                        u8 mode = 0x01;
 563                        hci_send_cmd(hdev, HCI_OP_WRITE_SSP_MODE,
 564                                     sizeof(mode), &mode);
 565                } else {
 566                        struct hci_cp_write_eir cp;
 567
 568                        memset(hdev->eir, 0, sizeof(hdev->eir));
 569                        memset(&cp, 0, sizeof(cp));
 570
 571                        hci_send_cmd(hdev, HCI_OP_WRITE_EIR, sizeof(cp), &cp);
 572                }
 573        }
 574
 575        if (hdev->features[3] & LMP_RSSI_INQ)
 576                hci_setup_inquiry_mode(hdev);
 577
 578        if (hdev->features[7] & LMP_INQ_TX_PWR)
 579                hci_send_cmd(hdev, HCI_OP_READ_INQ_RSP_TX_POWER, 0, NULL);
 580
 581        if (hdev->features[7] & LMP_EXTFEATURES) {
 582                struct hci_cp_read_local_ext_features cp;
 583
 584                cp.page = 0x01;
 585                hci_send_cmd(hdev, HCI_OP_READ_LOCAL_EXT_FEATURES, sizeof(cp),
 586                             &cp);
 587        }
 588
 589        if (test_bit(HCI_LINK_SECURITY, &hdev->dev_flags)) {
 590                u8 enable = 1;
 591                hci_send_cmd(hdev, HCI_OP_WRITE_AUTH_ENABLE, sizeof(enable),
 592                             &enable);
 593        }
 594}
 595
 596static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb)
 597{
 598        struct hci_rp_read_local_version *rp = (void *) skb->data;
 599
 600        BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 601
 602        if (rp->status)
 603                goto done;
 604
 605        hdev->hci_ver = rp->hci_ver;
 606        hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
 607        hdev->lmp_ver = rp->lmp_ver;
 608        hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
 609        hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
 610
 611        BT_DBG("%s manufacturer 0x%4.4x hci ver %d:%d", hdev->name,
 612               hdev->manufacturer, hdev->hci_ver, hdev->hci_rev);
 613
 614        if (test_bit(HCI_INIT, &hdev->flags))
 615                hci_setup(hdev);
 616
 617done:
 618        hci_req_complete(hdev, HCI_OP_READ_LOCAL_VERSION, rp->status);
 619}
 620
 621static void hci_setup_link_policy(struct hci_dev *hdev)
 622{
 623        struct hci_cp_write_def_link_policy cp;
 624        u16 link_policy = 0;
 625
 626        if (hdev->features[0] & LMP_RSWITCH)
 627                link_policy |= HCI_LP_RSWITCH;
 628        if (hdev->features[0] & LMP_HOLD)
 629                link_policy |= HCI_LP_HOLD;
 630        if (hdev->features[0] & LMP_SNIFF)
 631                link_policy |= HCI_LP_SNIFF;
 632        if (hdev->features[1] & LMP_PARK)
 633                link_policy |= HCI_LP_PARK;
 634
 635        cp.policy = cpu_to_le16(link_policy);
 636        hci_send_cmd(hdev, HCI_OP_WRITE_DEF_LINK_POLICY, sizeof(cp), &cp);
 637}
 638
 639static void hci_cc_read_local_commands(struct hci_dev *hdev,
 640                                       struct sk_buff *skb)
 641{
 642        struct hci_rp_read_local_commands *rp = (void *) skb->data;
 643
 644        BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 645
 646        if (rp->status)
 647                goto done;
 648
 649        memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
 650
 651        if (test_bit(HCI_INIT, &hdev->flags) && (hdev->commands[5] & 0x10))
 652                hci_setup_link_policy(hdev);
 653
 654done:
 655        hci_req_complete(hdev, HCI_OP_READ_LOCAL_COMMANDS, rp->status);
 656}
 657
 658static void hci_cc_read_local_features(struct hci_dev *hdev,
 659                                       struct sk_buff *skb)
 660{
 661        struct hci_rp_read_local_features *rp = (void *) skb->data;
 662
 663        BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 664
 665        if (rp->status)
 666                return;
 667
 668        memcpy(hdev->features, rp->features, 8);
 669
 670        /* Adjust default settings according to features
 671         * supported by device. */
 672
 673        if (hdev->features[0] & LMP_3SLOT)
 674                hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
 675
 676        if (hdev->features[0] & LMP_5SLOT)
 677                hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
 678
 679        if (hdev->features[1] & LMP_HV2) {
 680                hdev->pkt_type  |= (HCI_HV2);
 681                hdev->esco_type |= (ESCO_HV2);
 682        }
 683
 684        if (hdev->features[1] & LMP_HV3) {
 685                hdev->pkt_type  |= (HCI_HV3);
 686                hdev->esco_type |= (ESCO_HV3);
 687        }
 688
 689        if (hdev->features[3] & LMP_ESCO)
 690                hdev->esco_type |= (ESCO_EV3);
 691
 692        if (hdev->features[4] & LMP_EV4)
 693                hdev->esco_type |= (ESCO_EV4);
 694
 695        if (hdev->features[4] & LMP_EV5)
 696                hdev->esco_type |= (ESCO_EV5);
 697
 698        if (hdev->features[5] & LMP_EDR_ESCO_2M)
 699                hdev->esco_type |= (ESCO_2EV3);
 700
 701        if (hdev->features[5] & LMP_EDR_ESCO_3M)
 702                hdev->esco_type |= (ESCO_3EV3);
 703
 704        if (hdev->features[5] & LMP_EDR_3S_ESCO)
 705                hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
 706
 707        BT_DBG("%s features 0x%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x", hdev->name,
 708               hdev->features[0], hdev->features[1],
 709               hdev->features[2], hdev->features[3],
 710               hdev->features[4], hdev->features[5],
 711               hdev->features[6], hdev->features[7]);
 712}
 713
 714static void hci_set_le_support(struct hci_dev *hdev)
 715{
 716        struct hci_cp_write_le_host_supported cp;
 717
 718        memset(&cp, 0, sizeof(cp));
 719
 720        if (test_bit(HCI_LE_ENABLED, &hdev->dev_flags)) {
 721                cp.le = 1;
 722                cp.simul = !!(hdev->features[6] & LMP_SIMUL_LE_BR);
 723        }
 724
 725        if (cp.le != !!(hdev->host_features[0] & LMP_HOST_LE))
 726                hci_send_cmd(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED, sizeof(cp),
 727                             &cp);
 728}
 729
 730static void hci_cc_read_local_ext_features(struct hci_dev *hdev,
 731                                           struct sk_buff *skb)
 732{
 733        struct hci_rp_read_local_ext_features *rp = (void *) skb->data;
 734
 735        BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 736
 737        if (rp->status)
 738                goto done;
 739
 740        switch (rp->page) {
 741        case 0:
 742                memcpy(hdev->features, rp->features, 8);
 743                break;
 744        case 1:
 745                memcpy(hdev->host_features, rp->features, 8);
 746                break;
 747        }
 748
 749        if (test_bit(HCI_INIT, &hdev->flags) && hdev->features[4] & LMP_LE)
 750                hci_set_le_support(hdev);
 751
 752done:
 753        hci_req_complete(hdev, HCI_OP_READ_LOCAL_EXT_FEATURES, rp->status);
 754}
 755
 756static void hci_cc_read_flow_control_mode(struct hci_dev *hdev,
 757                                          struct sk_buff *skb)
 758{
 759        struct hci_rp_read_flow_control_mode *rp = (void *) skb->data;
 760
 761        BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 762
 763        if (rp->status)
 764                return;
 765
 766        hdev->flow_ctl_mode = rp->mode;
 767
 768        hci_req_complete(hdev, HCI_OP_READ_FLOW_CONTROL_MODE, rp->status);
 769}
 770
 771static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)
 772{
 773        struct hci_rp_read_buffer_size *rp = (void *) skb->data;
 774
 775        BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 776
 777        if (rp->status)
 778                return;
 779
 780        hdev->acl_mtu  = __le16_to_cpu(rp->acl_mtu);
 781        hdev->sco_mtu  = rp->sco_mtu;
 782        hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
 783        hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
 784
 785        if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
 786                hdev->sco_mtu  = 64;
 787                hdev->sco_pkts = 8;
 788        }
 789
 790        hdev->acl_cnt = hdev->acl_pkts;
 791        hdev->sco_cnt = hdev->sco_pkts;
 792
 793        BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
 794               hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
 795}
 796
 797static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb)
 798{
 799        struct hci_rp_read_bd_addr *rp = (void *) skb->data;
 800
 801        BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 802
 803        if (!rp->status)
 804                bacpy(&hdev->bdaddr, &rp->bdaddr);
 805
 806        hci_req_complete(hdev, HCI_OP_READ_BD_ADDR, rp->status);
 807}
 808
 809static void hci_cc_read_data_block_size(struct hci_dev *hdev,
 810                                        struct sk_buff *skb)
 811{
 812        struct hci_rp_read_data_block_size *rp = (void *) skb->data;
 813
 814        BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 815
 816        if (rp->status)
 817                return;
 818
 819        hdev->block_mtu = __le16_to_cpu(rp->max_acl_len);
 820        hdev->block_len = __le16_to_cpu(rp->block_len);
 821        hdev->num_blocks = __le16_to_cpu(rp->num_blocks);
 822
 823        hdev->block_cnt = hdev->num_blocks;
 824
 825        BT_DBG("%s blk mtu %d cnt %d len %d", hdev->name, hdev->block_mtu,
 826               hdev->block_cnt, hdev->block_len);
 827
 828        hci_req_complete(hdev, HCI_OP_READ_DATA_BLOCK_SIZE, rp->status);
 829}
 830
 831static void hci_cc_write_ca_timeout(struct hci_dev *hdev, struct sk_buff *skb)
 832{
 833        __u8 status = *((__u8 *) skb->data);
 834
 835        BT_DBG("%s status 0x%2.2x", hdev->name, status);
 836
 837        hci_req_complete(hdev, HCI_OP_WRITE_CA_TIMEOUT, status);
 838}
 839
 840static void hci_cc_read_local_amp_info(struct hci_dev *hdev,
 841                                       struct sk_buff *skb)
 842{
 843        struct hci_rp_read_local_amp_info *rp = (void *) skb->data;
 844
 845        BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 846
 847        if (rp->status)
 848                return;
 849
 850        hdev->amp_status = rp->amp_status;
 851        hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
 852        hdev->amp_max_bw = __le32_to_cpu(rp->max_bw);
 853        hdev->amp_min_latency = __le32_to_cpu(rp->min_latency);
 854        hdev->amp_max_pdu = __le32_to_cpu(rp->max_pdu);
 855        hdev->amp_type = rp->amp_type;
 856        hdev->amp_pal_cap = __le16_to_cpu(rp->pal_cap);
 857        hdev->amp_assoc_size = __le16_to_cpu(rp->max_assoc_size);
 858        hdev->amp_be_flush_to = __le32_to_cpu(rp->be_flush_to);
 859        hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
 860
 861        hci_req_complete(hdev, HCI_OP_READ_LOCAL_AMP_INFO, rp->status);
 862}
 863
 864static void hci_cc_delete_stored_link_key(struct hci_dev *hdev,
 865                                          struct sk_buff *skb)
 866{
 867        __u8 status = *((__u8 *) skb->data);
 868
 869        BT_DBG("%s status 0x%2.2x", hdev->name, status);
 870
 871        hci_req_complete(hdev, HCI_OP_DELETE_STORED_LINK_KEY, status);
 872}
 873
 874static void hci_cc_set_event_mask(struct hci_dev *hdev, struct sk_buff *skb)
 875{
 876        __u8 status = *((__u8 *) skb->data);
 877
 878        BT_DBG("%s status 0x%2.2x", hdev->name, status);
 879
 880        hci_req_complete(hdev, HCI_OP_SET_EVENT_MASK, status);
 881}
 882
 883static void hci_cc_write_inquiry_mode(struct hci_dev *hdev,
 884                                      struct sk_buff *skb)
 885{
 886        __u8 status = *((__u8 *) skb->data);
 887
 888        BT_DBG("%s status 0x%2.2x", hdev->name, status);
 889
 890        hci_req_complete(hdev, HCI_OP_WRITE_INQUIRY_MODE, status);
 891}
 892
 893static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev,
 894                                         struct sk_buff *skb)
 895{
 896        struct hci_rp_read_inq_rsp_tx_power *rp = (void *) skb->data;
 897
 898        BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 899
 900        if (!rp->status)
 901                hdev->inq_tx_power = rp->tx_power;
 902
 903        hci_req_complete(hdev, HCI_OP_READ_INQ_RSP_TX_POWER, rp->status);
 904}
 905
 906static void hci_cc_set_event_flt(struct hci_dev *hdev, struct sk_buff *skb)
 907{
 908        __u8 status = *((__u8 *) skb->data);
 909
 910        BT_DBG("%s status 0x%2.2x", hdev->name, status);
 911
 912        hci_req_complete(hdev, HCI_OP_SET_EVENT_FLT, status);
 913}
 914
 915static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb)
 916{
 917        struct hci_rp_pin_code_reply *rp = (void *) skb->data;
 918        struct hci_cp_pin_code_reply *cp;
 919        struct hci_conn *conn;
 920
 921        BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 922
 923        hci_dev_lock(hdev);
 924
 925        if (test_bit(HCI_MGMT, &hdev->dev_flags))
 926                mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
 927
 928        if (rp->status != 0)
 929                goto unlock;
 930
 931        cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
 932        if (!cp)
 933                goto unlock;
 934
 935        conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
 936        if (conn)
 937                conn->pin_length = cp->pin_len;
 938
 939unlock:
 940        hci_dev_unlock(hdev);
 941}
 942
 943static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)
 944{
 945        struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data;
 946
 947        BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 948
 949        hci_dev_lock(hdev);
 950
 951        if (test_bit(HCI_MGMT, &hdev->dev_flags))
 952                mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
 953                                                 rp->status);
 954
 955        hci_dev_unlock(hdev);
 956}
 957
 958static void hci_cc_le_read_buffer_size(struct hci_dev *hdev,
 959                                       struct sk_buff *skb)
 960{
 961        struct hci_rp_le_read_buffer_size *rp = (void *) skb->data;
 962
 963        BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 964
 965        if (rp->status)
 966                return;
 967
 968        hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
 969        hdev->le_pkts = rp->le_max_pkt;
 970
 971        hdev->le_cnt = hdev->le_pkts;
 972
 973        BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
 974
 975        hci_req_complete(hdev, HCI_OP_LE_READ_BUFFER_SIZE, rp->status);
 976}
 977
 978static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb)
 979{
 980        struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
 981
 982        BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 983
 984        hci_dev_lock(hdev);
 985
 986        if (test_bit(HCI_MGMT, &hdev->dev_flags))
 987                mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
 988                                                 rp->status);
 989
 990        hci_dev_unlock(hdev);
 991}
 992
 993static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev,
 994                                          struct sk_buff *skb)
 995{
 996        struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
 997
 998        BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 999
1000        hci_dev_lock(hdev);
1001
1002        if (test_bit(HCI_MGMT, &hdev->dev_flags))
1003                mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
1004                                                     ACL_LINK, 0, rp->status);
1005
1006        hci_dev_unlock(hdev);
1007}
1008
1009static void hci_cc_user_passkey_reply(struct hci_dev *hdev, struct sk_buff *skb)
1010{
1011        struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
1012
1013        BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1014
1015        hci_dev_lock(hdev);
1016
1017        if (test_bit(HCI_MGMT, &hdev->dev_flags))
1018                mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
1019                                                 0, rp->status);
1020
1021        hci_dev_unlock(hdev);
1022}
1023
1024static void hci_cc_user_passkey_neg_reply(struct hci_dev *hdev,
1025                                          struct sk_buff *skb)
1026{
1027        struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
1028
1029        BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1030
1031        hci_dev_lock(hdev);
1032
1033        if (test_bit(HCI_MGMT, &hdev->dev_flags))
1034                mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
1035                                                     ACL_LINK, 0, rp->status);
1036
1037        hci_dev_unlock(hdev);
1038}
1039
1040static void hci_cc_read_local_oob_data_reply(struct hci_dev *hdev,
1041                                             struct sk_buff *skb)
1042{
1043        struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
1044
1045        BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1046
1047        hci_dev_lock(hdev);
1048        mgmt_read_local_oob_data_reply_complete(hdev, rp->hash,
1049                                                rp->randomizer, rp->status);
1050        hci_dev_unlock(hdev);
1051}
1052
1053static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb)
1054{
1055        __u8 status = *((__u8 *) skb->data);
1056
1057        BT_DBG("%s status 0x%2.2x", hdev->name, status);
1058
1059        hci_req_complete(hdev, HCI_OP_LE_SET_SCAN_PARAM, status);
1060
1061        if (status) {
1062                hci_dev_lock(hdev);
1063                mgmt_start_discovery_failed(hdev, status);
1064                hci_dev_unlock(hdev);
1065                return;
1066        }
1067}
1068
1069static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
1070                                      struct sk_buff *skb)
1071{
1072        struct hci_cp_le_set_scan_enable *cp;
1073        __u8 status = *((__u8 *) skb->data);
1074
1075        BT_DBG("%s status 0x%2.2x", hdev->name, status);
1076
1077        cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1078        if (!cp)
1079                return;
1080
1081        switch (cp->enable) {
1082        case LE_SCANNING_ENABLED:
1083                hci_req_complete(hdev, HCI_OP_LE_SET_SCAN_ENABLE, status);
1084
1085                if (status) {
1086                        hci_dev_lock(hdev);
1087                        mgmt_start_discovery_failed(hdev, status);
1088                        hci_dev_unlock(hdev);
1089                        return;
1090                }
1091
1092                set_bit(HCI_LE_SCAN, &hdev->dev_flags);
1093
1094                hci_dev_lock(hdev);
1095                hci_discovery_set_state(hdev, DISCOVERY_FINDING);
1096                hci_dev_unlock(hdev);
1097                break;
1098
1099        case LE_SCANNING_DISABLED:
1100                if (status) {
1101                        hci_dev_lock(hdev);
1102                        mgmt_stop_discovery_failed(hdev, status);
1103                        hci_dev_unlock(hdev);
1104                        return;
1105                }
1106
1107                clear_bit(HCI_LE_SCAN, &hdev->dev_flags);
1108
1109                if (hdev->discovery.type == DISCOV_TYPE_INTERLEAVED &&
1110                    hdev->discovery.state == DISCOVERY_FINDING) {
1111                        mgmt_interleaved_discovery(hdev);
1112                } else {
1113                        hci_dev_lock(hdev);
1114                        hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1115                        hci_dev_unlock(hdev);
1116                }
1117
1118                break;
1119
1120        default:
1121                BT_ERR("Used reserved LE_Scan_Enable param %d", cp->enable);
1122                break;
1123        }
1124}
1125
1126static void hci_cc_le_ltk_reply(struct hci_dev *hdev, struct sk_buff *skb)
1127{
1128        struct hci_rp_le_ltk_reply *rp = (void *) skb->data;
1129
1130        BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1131
1132        if (rp->status)
1133                return;
1134
1135        hci_req_complete(hdev, HCI_OP_LE_LTK_REPLY, rp->status);
1136}
1137
1138static void hci_cc_le_ltk_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)
1139{
1140        struct hci_rp_le_ltk_neg_reply *rp = (void *) skb->data;
1141
1142        BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1143
1144        if (rp->status)
1145                return;
1146
1147        hci_req_complete(hdev, HCI_OP_LE_LTK_NEG_REPLY, rp->status);
1148}
1149
1150static void hci_cc_write_le_host_supported(struct hci_dev *hdev,
1151                                           struct sk_buff *skb)
1152{
1153        struct hci_cp_write_le_host_supported *sent;
1154        __u8 status = *((__u8 *) skb->data);
1155
1156        BT_DBG("%s status 0x%2.2x", hdev->name, status);
1157
1158        sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
1159        if (!sent)
1160                return;
1161
1162        if (!status) {
1163                if (sent->le)
1164                        hdev->host_features[0] |= LMP_HOST_LE;
1165                else
1166                        hdev->host_features[0] &= ~LMP_HOST_LE;
1167        }
1168
1169        if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
1170            !test_bit(HCI_INIT, &hdev->flags))
1171                mgmt_le_enable_complete(hdev, sent->le, status);
1172
1173        hci_req_complete(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED, status);
1174}
1175
1176static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
1177{
1178        BT_DBG("%s status 0x%2.2x", hdev->name, status);
1179
1180        if (status) {
1181                hci_req_complete(hdev, HCI_OP_INQUIRY, status);
1182                hci_conn_check_pending(hdev);
1183                hci_dev_lock(hdev);
1184                if (test_bit(HCI_MGMT, &hdev->dev_flags))
1185                        mgmt_start_discovery_failed(hdev, status);
1186                hci_dev_unlock(hdev);
1187                return;
1188        }
1189
1190        set_bit(HCI_INQUIRY, &hdev->flags);
1191
1192        hci_dev_lock(hdev);
1193        hci_discovery_set_state(hdev, DISCOVERY_FINDING);
1194        hci_dev_unlock(hdev);
1195}
1196
1197static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
1198{
1199        struct hci_cp_create_conn *cp;
1200        struct hci_conn *conn;
1201
1202        BT_DBG("%s status 0x%2.2x", hdev->name, status);
1203
1204        cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
1205        if (!cp)
1206                return;
1207
1208        hci_dev_lock(hdev);
1209
1210        conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1211
1212        BT_DBG("%s bdaddr %s hcon %p", hdev->name, batostr(&cp->bdaddr), conn);
1213
1214        if (status) {
1215                if (conn && conn->state == BT_CONNECT) {
1216                        if (status != 0x0c || conn->attempt > 2) {
1217                                conn->state = BT_CLOSED;
1218                                hci_proto_connect_cfm(conn, status);
1219                                hci_conn_del(conn);
1220                        } else
1221                                conn->state = BT_CONNECT2;
1222                }
1223        } else {
1224                if (!conn) {
1225                        conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr);
1226                        if (conn) {
1227                                conn->out = true;
1228                                conn->link_mode |= HCI_LM_MASTER;
1229                        } else
1230                                BT_ERR("No memory for new connection");
1231                }
1232        }
1233
1234        hci_dev_unlock(hdev);
1235}
1236
1237static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
1238{
1239        struct hci_cp_add_sco *cp;
1240        struct hci_conn *acl, *sco;
1241        __u16 handle;
1242
1243        BT_DBG("%s status 0x%2.2x", hdev->name, status);
1244
1245        if (!status)
1246                return;
1247
1248        cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
1249        if (!cp)
1250                return;
1251
1252        handle = __le16_to_cpu(cp->handle);
1253
1254        BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1255
1256        hci_dev_lock(hdev);
1257
1258        acl = hci_conn_hash_lookup_handle(hdev, handle);
1259        if (acl) {
1260                sco = acl->link;
1261                if (sco) {
1262                        sco->state = BT_CLOSED;
1263
1264                        hci_proto_connect_cfm(sco, status);
1265                        hci_conn_del(sco);
1266                }
1267        }
1268
1269        hci_dev_unlock(hdev);
1270}
1271
1272static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
1273{
1274        struct hci_cp_auth_requested *cp;
1275        struct hci_conn *conn;
1276
1277        BT_DBG("%s status 0x%2.2x", hdev->name, status);
1278
1279        if (!status)
1280                return;
1281
1282        cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
1283        if (!cp)
1284                return;
1285
1286        hci_dev_lock(hdev);
1287
1288        conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1289        if (conn) {
1290                if (conn->state == BT_CONFIG) {
1291                        hci_proto_connect_cfm(conn, status);
1292                        hci_conn_put(conn);
1293                }
1294        }
1295
1296        hci_dev_unlock(hdev);
1297}
1298
1299static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
1300{
1301        struct hci_cp_set_conn_encrypt *cp;
1302        struct hci_conn *conn;
1303
1304        BT_DBG("%s status 0x%2.2x", hdev->name, status);
1305
1306        if (!status)
1307                return;
1308
1309        cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
1310        if (!cp)
1311                return;
1312
1313        hci_dev_lock(hdev);
1314
1315        conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1316        if (conn) {
1317                if (conn->state == BT_CONFIG) {
1318                        hci_proto_connect_cfm(conn, status);
1319                        hci_conn_put(conn);
1320                }
1321        }
1322
1323        hci_dev_unlock(hdev);
1324}
1325
1326static int hci_outgoing_auth_needed(struct hci_dev *hdev,
1327                                    struct hci_conn *conn)
1328{
1329        if (conn->state != BT_CONFIG || !conn->out)
1330                return 0;
1331
1332        if (conn->pending_sec_level == BT_SECURITY_SDP)
1333                return 0;
1334
1335        /* Only request authentication for SSP connections or non-SSP
1336         * devices with sec_level HIGH or if MITM protection is requested */
1337        if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
1338            conn->pending_sec_level != BT_SECURITY_HIGH)
1339                return 0;
1340
1341        return 1;
1342}
1343
1344static int hci_resolve_name(struct hci_dev *hdev,
1345                                   struct inquiry_entry *e)
1346{
1347        struct hci_cp_remote_name_req cp;
1348
1349        memset(&cp, 0, sizeof(cp));
1350
1351        bacpy(&cp.bdaddr, &e->data.bdaddr);
1352        cp.pscan_rep_mode = e->data.pscan_rep_mode;
1353        cp.pscan_mode = e->data.pscan_mode;
1354        cp.clock_offset = e->data.clock_offset;
1355
1356        return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
1357}
1358
1359static bool hci_resolve_next_name(struct hci_dev *hdev)
1360{
1361        struct discovery_state *discov = &hdev->discovery;
1362        struct inquiry_entry *e;
1363
1364        if (list_empty(&discov->resolve))
1365                return false;
1366
1367        e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
1368        if (!e)
1369                return false;
1370
1371        if (hci_resolve_name(hdev, e) == 0) {
1372                e->name_state = NAME_PENDING;
1373                return true;
1374        }
1375
1376        return false;
1377}
1378
1379static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
1380                                   bdaddr_t *bdaddr, u8 *name, u8 name_len)
1381{
1382        struct discovery_state *discov = &hdev->discovery;
1383        struct inquiry_entry *e;
1384
1385        if (conn && !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
1386                mgmt_device_connected(hdev, bdaddr, ACL_LINK, 0x00, 0, name,
1387                                      name_len, conn->dev_class);
1388
1389        if (discov->state == DISCOVERY_STOPPED)
1390                return;
1391
1392        if (discov->state == DISCOVERY_STOPPING)
1393                goto discov_complete;
1394
1395        if (discov->state != DISCOVERY_RESOLVING)
1396                return;
1397
1398        e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
1399        /* If the device was not found in a list of found devices names of which
1400         * are pending. there is no need to continue resolving a next name as it
1401         * will be done upon receiving another Remote Name Request Complete
1402         * Event */
1403        if (!e)
1404                return;
1405
1406        list_del(&e->list);
1407        if (name) {
1408                e->name_state = NAME_KNOWN;
1409                mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,
1410                                 e->data.rssi, name, name_len);
1411        } else {
1412                e->name_state = NAME_NOT_KNOWN;
1413        }
1414
1415        if (hci_resolve_next_name(hdev))
1416                return;
1417
1418discov_complete:
1419        hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1420}
1421
1422static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
1423{
1424        struct hci_cp_remote_name_req *cp;
1425        struct hci_conn *conn;
1426
1427        BT_DBG("%s status 0x%2.2x", hdev->name, status);
1428
1429        /* If successful wait for the name req complete event before
1430         * checking for the need to do authentication */
1431        if (!status)
1432                return;
1433
1434        cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
1435        if (!cp)
1436                return;
1437
1438        hci_dev_lock(hdev);
1439
1440        conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1441
1442        if (test_bit(HCI_MGMT, &hdev->dev_flags))
1443                hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
1444
1445        if (!conn)
1446                goto unlock;
1447
1448        if (!hci_outgoing_auth_needed(hdev, conn))
1449                goto unlock;
1450
1451        if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
1452                struct hci_cp_auth_requested cp;
1453                cp.handle = __cpu_to_le16(conn->handle);
1454                hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
1455        }
1456
1457unlock:
1458        hci_dev_unlock(hdev);
1459}
1460
1461static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
1462{
1463        struct hci_cp_read_remote_features *cp;
1464        struct hci_conn *conn;
1465
1466        BT_DBG("%s status 0x%2.2x", hdev->name, status);
1467
1468        if (!status)
1469                return;
1470
1471        cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
1472        if (!cp)
1473                return;
1474
1475        hci_dev_lock(hdev);
1476
1477        conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1478        if (conn) {
1479                if (conn->state == BT_CONFIG) {
1480                        hci_proto_connect_cfm(conn, status);
1481                        hci_conn_put(conn);
1482                }
1483        }
1484
1485        hci_dev_unlock(hdev);
1486}
1487
1488static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
1489{
1490        struct hci_cp_read_remote_ext_features *cp;
1491        struct hci_conn *conn;
1492
1493        BT_DBG("%s status 0x%2.2x", hdev->name, status);
1494
1495        if (!status)
1496                return;
1497
1498        cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
1499        if (!cp)
1500                return;
1501
1502        hci_dev_lock(hdev);
1503
1504        conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1505        if (conn) {
1506                if (conn->state == BT_CONFIG) {
1507                        hci_proto_connect_cfm(conn, status);
1508                        hci_conn_put(conn);
1509                }
1510        }
1511
1512        hci_dev_unlock(hdev);
1513}
1514
1515static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
1516{
1517        struct hci_cp_setup_sync_conn *cp;
1518        struct hci_conn *acl, *sco;
1519        __u16 handle;
1520
1521        BT_DBG("%s status 0x%2.2x", hdev->name, status);
1522
1523        if (!status)
1524                return;
1525
1526        cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
1527        if (!cp)
1528                return;
1529
1530        handle = __le16_to_cpu(cp->handle);
1531
1532        BT_DBG("%s handle 0x%4.4x", hdev->name, handle);
1533
1534        hci_dev_lock(hdev);
1535
1536        acl = hci_conn_hash_lookup_handle(hdev, handle);
1537        if (acl) {
1538                sco = acl->link;
1539                if (sco) {
1540                        sco->state = BT_CLOSED;
1541
1542                        hci_proto_connect_cfm(sco, status);
1543                        hci_conn_del(sco);
1544                }
1545        }
1546
1547        hci_dev_unlock(hdev);
1548}
1549
1550static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
1551{
1552        struct hci_cp_sniff_mode *cp;
1553        struct hci_conn *conn;
1554
1555        BT_DBG("%s status 0x%2.2x", hdev->name, status);
1556
1557        if (!status)
1558                return;
1559
1560        cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
1561        if (!cp)
1562                return;
1563
1564        hci_dev_lock(hdev);
1565
1566        conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1567        if (conn) {
1568                clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
1569
1570                if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
1571                        hci_sco_setup(conn, status);
1572        }
1573
1574        hci_dev_unlock(hdev);
1575}
1576
1577static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
1578{
1579        struct hci_cp_exit_sniff_mode *cp;
1580        struct hci_conn *conn;
1581
1582        BT_DBG("%s status 0x%2.2x", hdev->name, status);
1583
1584        if (!status)
1585                return;
1586
1587        cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
1588        if (!cp)
1589                return;
1590
1591        hci_dev_lock(hdev);
1592
1593        conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1594        if (conn) {
1595                clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
1596
1597                if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
1598                        hci_sco_setup(conn, status);
1599        }
1600
1601        hci_dev_unlock(hdev);
1602}
1603
1604static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
1605{
1606        struct hci_cp_disconnect *cp;
1607        struct hci_conn *conn;
1608
1609        if (!status)
1610                return;
1611
1612        cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
1613        if (!cp)
1614                return;
1615
1616        hci_dev_lock(hdev);
1617
1618        conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1619        if (conn)
1620                mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
1621                                       conn->dst_type, status);
1622
1623        hci_dev_unlock(hdev);
1624}
1625
1626static void hci_cs_le_create_conn(struct hci_dev *hdev, __u8 status)
1627{
1628        struct hci_cp_le_create_conn *cp;
1629        struct hci_conn *conn;
1630
1631        BT_DBG("%s status 0x%2.2x", hdev->name, status);
1632
1633        cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
1634        if (!cp)
1635                return;
1636
1637        hci_dev_lock(hdev);
1638
1639        conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->peer_addr);
1640
1641        BT_DBG("%s bdaddr %s conn %p", hdev->name, batostr(&cp->peer_addr),
1642               conn);
1643
1644        if (status) {
1645                if (conn && conn->state == BT_CONNECT) {
1646                        conn->state = BT_CLOSED;
1647                        mgmt_connect_failed(hdev, &cp->peer_addr, conn->type,
1648                                            conn->dst_type, status);
1649                        hci_proto_connect_cfm(conn, status);
1650                        hci_conn_del(conn);
1651                }
1652        } else {
1653                if (!conn) {
1654                        conn = hci_conn_add(hdev, LE_LINK, &cp->peer_addr);
1655                        if (conn) {
1656                                conn->dst_type = cp->peer_addr_type;
1657                                conn->out = true;
1658                        } else {
1659                                BT_ERR("No memory for new connection");
1660                        }
1661                }
1662        }
1663
1664        hci_dev_unlock(hdev);
1665}
1666
1667static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
1668{
1669        BT_DBG("%s status 0x%2.2x", hdev->name, status);
1670}
1671
1672static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1673{
1674        __u8 status = *((__u8 *) skb->data);
1675        struct discovery_state *discov = &hdev->discovery;
1676        struct inquiry_entry *e;
1677
1678        BT_DBG("%s status 0x%2.2x", hdev->name, status);
1679
1680        hci_req_complete(hdev, HCI_OP_INQUIRY, status);
1681
1682        hci_conn_check_pending(hdev);
1683
1684        if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
1685                return;
1686
1687        if (!test_bit(HCI_MGMT, &hdev->dev_flags))
1688                return;
1689
1690        hci_dev_lock(hdev);
1691
1692        if (discov->state != DISCOVERY_FINDING)
1693                goto unlock;
1694
1695        if (list_empty(&discov->resolve)) {
1696                hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1697                goto unlock;
1698        }
1699
1700        e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
1701        if (e && hci_resolve_name(hdev, e) == 0) {
1702                e->name_state = NAME_PENDING;
1703                hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
1704        } else {
1705                hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1706        }
1707
1708unlock:
1709        hci_dev_unlock(hdev);
1710}
1711
1712static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
1713{
1714        struct inquiry_data data;
1715        struct inquiry_info *info = (void *) (skb->data + 1);
1716        int num_rsp = *((__u8 *) skb->data);
1717
1718        BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
1719
1720        if (!num_rsp)
1721                return;
1722
1723        if (test_bit(HCI_PERIODIC_INQ, &hdev->dev_flags))
1724                return;
1725
1726        hci_dev_lock(hdev);
1727
1728        for (; num_rsp; num_rsp--, info++) {
1729                bool name_known, ssp;
1730
1731                bacpy(&data.bdaddr, &info->bdaddr);
1732                data.pscan_rep_mode     = info->pscan_rep_mode;
1733                data.pscan_period_mode  = info->pscan_period_mode;
1734                data.pscan_mode         = info->pscan_mode;
1735                memcpy(data.dev_class, info->dev_class, 3);
1736                data.clock_offset       = info->clock_offset;
1737                data.rssi               = 0x00;
1738                data.ssp_mode           = 0x00;
1739
1740                name_known = hci_inquiry_cache_update(hdev, &data, false, &ssp);
1741                mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
1742                                  info->dev_class, 0, !name_known, ssp, NULL,
1743                                  0);
1744        }
1745
1746        hci_dev_unlock(hdev);
1747}
1748
1749static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1750{
1751        struct hci_ev_conn_complete *ev = (void *) skb->data;
1752        struct hci_conn *conn;
1753
1754        BT_DBG("%s", hdev->name);
1755
1756        hci_dev_lock(hdev);
1757
1758        conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
1759        if (!conn) {
1760                if (ev->link_type != SCO_LINK)
1761                        goto unlock;
1762
1763                conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
1764                if (!conn)
1765                        goto unlock;
1766
1767                conn->type = SCO_LINK;
1768        }
1769
1770        if (!ev->status) {
1771                conn->handle = __le16_to_cpu(ev->handle);
1772
1773                if (conn->type == ACL_LINK) {
1774                        conn->state = BT_CONFIG;
1775                        hci_conn_hold(conn);
1776
1777                        if (!conn->out && !hci_conn_ssp_enabled(conn) &&
1778                            !hci_find_link_key(hdev, &ev->bdaddr))
1779                                conn->disc_timeout = HCI_PAIRING_TIMEOUT;
1780                        else
1781                                conn->disc_timeout = HCI_DISCONN_TIMEOUT;
1782                } else
1783                        conn->state = BT_CONNECTED;
1784
1785                hci_conn_hold_device(conn);
1786                hci_conn_add_sysfs(conn);
1787
1788                if (test_bit(HCI_AUTH, &hdev->flags))
1789                        conn->link_mode |= HCI_LM_AUTH;
1790
1791                if (test_bit(HCI_ENCRYPT, &hdev->flags))
1792                        conn->link_mode |= HCI_LM_ENCRYPT;
1793
1794                /* Get remote features */
1795                if (conn->type == ACL_LINK) {
1796                        struct hci_cp_read_remote_features cp;
1797                        cp.handle = ev->handle;
1798                        hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
1799                                     sizeof(cp), &cp);
1800                }
1801
1802                /* Set packet type for incoming connection */
1803                if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
1804                        struct hci_cp_change_conn_ptype cp;
1805                        cp.handle = ev->handle;
1806                        cp.pkt_type = cpu_to_le16(conn->pkt_type);
1807                        hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
1808                                     &cp);
1809                }
1810        } else {
1811                conn->state = BT_CLOSED;
1812                if (conn->type == ACL_LINK)
1813                        mgmt_connect_failed(hdev, &ev->bdaddr, conn->type,
1814                                            conn->dst_type, ev->status);
1815        }
1816
1817        if (conn->type == ACL_LINK)
1818                hci_sco_setup(conn, ev->status);
1819
1820        if (ev->status) {
1821                hci_proto_connect_cfm(conn, ev->status);
1822                hci_conn_del(conn);
1823        } else if (ev->link_type != ACL_LINK)
1824                hci_proto_connect_cfm(conn, ev->status);
1825
1826unlock:
1827        hci_dev_unlock(hdev);
1828
1829        hci_conn_check_pending(hdev);
1830}
1831
1832static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
1833{
1834        struct hci_ev_conn_request *ev = (void *) skb->data;
1835        int mask = hdev->link_mode;
1836
1837        BT_DBG("%s bdaddr %s type 0x%x", hdev->name, batostr(&ev->bdaddr),
1838               ev->link_type);
1839
1840        mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type);
1841
1842        if ((mask & HCI_LM_ACCEPT) &&
1843            !hci_blacklist_lookup(hdev, &ev->bdaddr)) {
1844                /* Connection accepted */
1845                struct inquiry_entry *ie;
1846                struct hci_conn *conn;
1847
1848                hci_dev_lock(hdev);
1849
1850                ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
1851                if (ie)
1852                        memcpy(ie->data.dev_class, ev->dev_class, 3);
1853
1854                conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
1855                                               &ev->bdaddr);
1856                if (!conn) {
1857                        conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr);
1858                        if (!conn) {
1859                                BT_ERR("No memory for new connection");
1860                                hci_dev_unlock(hdev);
1861                                return;
1862                        }
1863                }
1864
1865                memcpy(conn->dev_class, ev->dev_class, 3);
1866                conn->state = BT_CONNECT;
1867
1868                hci_dev_unlock(hdev);
1869
1870                if (ev->link_type == ACL_LINK || !lmp_esco_capable(hdev)) {
1871                        struct hci_cp_accept_conn_req cp;
1872
1873                        bacpy(&cp.bdaddr, &ev->bdaddr);
1874
1875                        if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
1876                                cp.role = 0x00; /* Become master */
1877                        else
1878                                cp.role = 0x01; /* Remain slave */
1879
1880                        hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp),
1881                                     &cp);
1882                } else {
1883                        struct hci_cp_accept_sync_conn_req cp;
1884
1885                        bacpy(&cp.bdaddr, &ev->bdaddr);
1886                        cp.pkt_type = cpu_to_le16(conn->pkt_type);
1887
1888                        cp.tx_bandwidth   = __constant_cpu_to_le32(0x00001f40);
1889                        cp.rx_bandwidth   = __constant_cpu_to_le32(0x00001f40);
1890                        cp.max_latency    = __constant_cpu_to_le16(0xffff);
1891                        cp.content_format = cpu_to_le16(hdev->voice_setting);
1892                        cp.retrans_effort = 0xff;
1893
1894                        hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ,
1895                                     sizeof(cp), &cp);
1896                }
1897        } else {
1898                /* Connection rejected */
1899                struct hci_cp_reject_conn_req cp;
1900
1901                bacpy(&cp.bdaddr, &ev->bdaddr);
1902                cp.reason = HCI_ERROR_REJ_BAD_ADDR;
1903                hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
1904        }
1905}
1906
1907static void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1908{
1909        struct hci_ev_disconn_complete *ev = (void *) skb->data;
1910        struct hci_conn *conn;
1911
1912        BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
1913
1914        hci_dev_lock(hdev);
1915
1916        conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
1917        if (!conn)
1918                goto unlock;
1919
1920        if (ev->status == 0)
1921                conn->state = BT_CLOSED;
1922
1923        if (test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags) &&
1924            (conn->type == ACL_LINK || conn->type == LE_LINK)) {
1925                if (ev->status != 0)
1926                        mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
1927                                               conn->dst_type, ev->status);
1928                else
1929                        mgmt_device_disconnected(hdev, &conn->dst, conn->type,
1930                                                 conn->dst_type);
1931        }
1932
1933        if (ev->status == 0) {
1934                if (conn->type == ACL_LINK && conn->flush_key)
1935                        hci_remove_link_key(hdev, &conn->dst);
1936                hci_proto_disconn_cfm(conn, ev->reason);
1937                hci_conn_del(conn);
1938        }
1939
1940unlock:
1941        hci_dev_unlock(hdev);
1942}
1943
1944static void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1945{
1946        struct hci_ev_auth_complete *ev = (void *) skb->data;
1947        struct hci_conn *conn;
1948
1949        BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
1950
1951        hci_dev_lock(hdev);
1952
1953        conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
1954        if (!conn)
1955                goto unlock;
1956
1957        if (!ev->status) {
1958                if (!hci_conn_ssp_enabled(conn) &&
1959                    test_bit(HCI_CONN_REAUTH_PEND, &conn->flags)) {
1960                        BT_INFO("re-auth of legacy device is not possible.");
1961                } else {
1962                        conn->link_mode |= HCI_LM_AUTH;
1963                        conn->sec_level = conn->pending_sec_level;
1964                }
1965        } else {
1966                mgmt_auth_failed(hdev, &conn->dst, conn->type, conn->dst_type,
1967                                 ev->status);
1968        }
1969
1970        clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
1971        clear_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
1972
1973        if (conn->state == BT_CONFIG) {
1974                if (!ev->status && hci_conn_ssp_enabled(conn)) {
1975                        struct hci_cp_set_conn_encrypt cp;
1976                        cp.handle  = ev->handle;
1977                        cp.encrypt = 0x01;
1978                        hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
1979                                     &cp);
1980                } else {
1981                        conn->state = BT_CONNECTED;
1982                        hci_proto_connect_cfm(conn, ev->status);
1983                        hci_conn_put(conn);
1984                }
1985        } else {
1986                hci_auth_cfm(conn, ev->status);
1987
1988                hci_conn_hold(conn);
1989                conn->disc_timeout = HCI_DISCONN_TIMEOUT;
1990                hci_conn_put(conn);
1991        }
1992
1993        if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
1994                if (!ev->status) {
1995                        struct hci_cp_set_conn_encrypt cp;
1996                        cp.handle  = ev->handle;
1997                        cp.encrypt = 0x01;
1998                        hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
1999                                     &cp);
2000                } else {
2001                        clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2002                        hci_encrypt_cfm(conn, ev->status, 0x00);
2003                }
2004        }
2005
2006unlock:
2007        hci_dev_unlock(hdev);
2008}
2009
2010static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb)
2011{
2012        struct hci_ev_remote_name *ev = (void *) skb->data;
2013        struct hci_conn *conn;
2014
2015        BT_DBG("%s", hdev->name);
2016
2017        hci_conn_check_pending(hdev);
2018
2019        hci_dev_lock(hdev);
2020
2021        conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2022
2023        if (!test_bit(HCI_MGMT, &hdev->dev_flags))
2024                goto check_auth;
2025
2026        if (ev->status == 0)
2027                hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
2028                                       strnlen(ev->name, HCI_MAX_NAME_LENGTH));
2029        else
2030                hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
2031
2032check_auth:
2033        if (!conn)
2034                goto unlock;
2035
2036        if (!hci_outgoing_auth_needed(hdev, conn))
2037                goto unlock;
2038
2039        if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2040                struct hci_cp_auth_requested cp;
2041                cp.handle = __cpu_to_le16(conn->handle);
2042                hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
2043        }
2044
2045unlock:
2046        hci_dev_unlock(hdev);
2047}
2048
2049static void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2050{
2051        struct hci_ev_encrypt_change *ev = (void *) skb->data;
2052        struct hci_conn *conn;
2053
2054        BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2055
2056        hci_dev_lock(hdev);
2057
2058        conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2059        if (conn) {
2060                if (!ev->status) {
2061                        if (ev->encrypt) {
2062                                /* Encryption implies authentication */
2063                                conn->link_mode |= HCI_LM_AUTH;
2064                                conn->link_mode |= HCI_LM_ENCRYPT;
2065                                conn->sec_level = conn->pending_sec_level;
2066                        } else
2067                                conn->link_mode &= ~HCI_LM_ENCRYPT;
2068                }
2069
2070                clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
2071
2072                if (ev->status && conn->state == BT_CONNECTED) {
2073                        hci_acl_disconn(conn, HCI_ERROR_AUTH_FAILURE);
2074                        hci_conn_put(conn);
2075                        goto unlock;
2076                }
2077
2078                if (conn->state == BT_CONFIG) {
2079                        if (!ev->status)
2080                                conn->state = BT_CONNECTED;
2081
2082                        hci_proto_connect_cfm(conn, ev->status);
2083                        hci_conn_put(conn);
2084                } else
2085                        hci_encrypt_cfm(conn, ev->status, ev->encrypt);
2086        }
2087
2088unlock:
2089        hci_dev_unlock(hdev);
2090}
2091
2092static void hci_change_link_key_complete_evt(struct hci_dev *hdev,
2093                                             struct sk_buff *skb)
2094{
2095        struct hci_ev_change_link_key_complete *ev = (void *) skb->data;
2096        struct hci_conn *conn;
2097
2098        BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2099
2100        hci_dev_lock(hdev);
2101
2102        conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2103        if (conn) {
2104                if (!ev->status)
2105                        conn->link_mode |= HCI_LM_SECURE;
2106
2107                clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
2108
2109                hci_key_change_cfm(conn, ev->status);
2110        }
2111
2112        hci_dev_unlock(hdev);
2113}
2114
2115static void hci_remote_features_evt(struct hci_dev *hdev,
2116                                    struct sk_buff *skb)
2117{
2118        struct hci_ev_remote_features *ev = (void *) skb->data;
2119        struct hci_conn *conn;
2120
2121        BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2122
2123        hci_dev_lock(hdev);
2124
2125        conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2126        if (!conn)
2127                goto unlock;
2128
2129        if (!ev->status)
2130                memcpy(conn->features, ev->features, 8);
2131
2132        if (conn->state != BT_CONFIG)
2133                goto unlock;
2134
2135        if (!ev->status && lmp_ssp_capable(hdev) && lmp_ssp_capable(conn)) {
2136                struct hci_cp_read_remote_ext_features cp;
2137                cp.handle = ev->handle;
2138                cp.page = 0x01;
2139                hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
2140                             sizeof(cp), &cp);
2141                goto unlock;
2142        }
2143
2144        if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
2145                struct hci_cp_remote_name_req cp;
2146                memset(&cp, 0, sizeof(cp));
2147                bacpy(&cp.bdaddr, &conn->dst);
2148                cp.pscan_rep_mode = 0x02;
2149                hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2150        } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2151                mgmt_device_connected(hdev, &conn->dst, conn->type,
2152                                      conn->dst_type, 0, NULL, 0,
2153                                      conn->dev_class);
2154
2155        if (!hci_outgoing_auth_needed(hdev, conn)) {
2156                conn->state = BT_CONNECTED;
2157                hci_proto_connect_cfm(conn, ev->status);
2158                hci_conn_put(conn);
2159        }
2160
2161unlock:
2162        hci_dev_unlock(hdev);
2163}
2164
2165static void hci_remote_version_evt(struct hci_dev *hdev, struct sk_buff *skb)
2166{
2167        BT_DBG("%s", hdev->name);
2168}
2169
2170static void hci_qos_setup_complete_evt(struct hci_dev *hdev,
2171                                       struct sk_buff *skb)
2172{
2173        BT_DBG("%s", hdev->name);
2174}
2175
2176static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2177{
2178        struct hci_ev_cmd_complete *ev = (void *) skb->data;
2179        __u16 opcode;
2180
2181        skb_pull(skb, sizeof(*ev));
2182
2183        opcode = __le16_to_cpu(ev->opcode);
2184
2185        switch (opcode) {
2186        case HCI_OP_INQUIRY_CANCEL:
2187                hci_cc_inquiry_cancel(hdev, skb);
2188                break;
2189
2190        case HCI_OP_PERIODIC_INQ:
2191                hci_cc_periodic_inq(hdev, skb);
2192                break;
2193
2194        case HCI_OP_EXIT_PERIODIC_INQ:
2195                hci_cc_exit_periodic_inq(hdev, skb);
2196                break;
2197
2198        case HCI_OP_REMOTE_NAME_REQ_CANCEL:
2199                hci_cc_remote_name_req_cancel(hdev, skb);
2200                break;
2201
2202        case HCI_OP_ROLE_DISCOVERY:
2203                hci_cc_role_discovery(hdev, skb);
2204                break;
2205
2206        case HCI_OP_READ_LINK_POLICY:
2207                hci_cc_read_link_policy(hdev, skb);
2208                break;
2209
2210        case HCI_OP_WRITE_LINK_POLICY:
2211                hci_cc_write_link_policy(hdev, skb);
2212                break;
2213
2214        case HCI_OP_READ_DEF_LINK_POLICY:
2215                hci_cc_read_def_link_policy(hdev, skb);
2216                break;
2217
2218        case HCI_OP_WRITE_DEF_LINK_POLICY:
2219                hci_cc_write_def_link_policy(hdev, skb);
2220                break;
2221
2222        case HCI_OP_RESET:
2223                hci_cc_reset(hdev, skb);
2224                break;
2225
2226        case HCI_OP_WRITE_LOCAL_NAME:
2227                hci_cc_write_local_name(hdev, skb);
2228                break;
2229
2230        case HCI_OP_READ_LOCAL_NAME:
2231                hci_cc_read_local_name(hdev, skb);
2232                break;
2233
2234        case HCI_OP_WRITE_AUTH_ENABLE:
2235                hci_cc_write_auth_enable(hdev, skb);
2236                break;
2237
2238        case HCI_OP_WRITE_ENCRYPT_MODE:
2239                hci_cc_write_encrypt_mode(hdev, skb);
2240                break;
2241
2242        case HCI_OP_WRITE_SCAN_ENABLE:
2243                hci_cc_write_scan_enable(hdev, skb);
2244                break;
2245
2246        case HCI_OP_READ_CLASS_OF_DEV:
2247                hci_cc_read_class_of_dev(hdev, skb);
2248                break;
2249
2250        case HCI_OP_WRITE_CLASS_OF_DEV:
2251                hci_cc_write_class_of_dev(hdev, skb);
2252                break;
2253
2254        case HCI_OP_READ_VOICE_SETTING:
2255                hci_cc_read_voice_setting(hdev, skb);
2256                break;
2257
2258        case HCI_OP_WRITE_VOICE_SETTING:
2259                hci_cc_write_voice_setting(hdev, skb);
2260                break;
2261
2262        case HCI_OP_HOST_BUFFER_SIZE:
2263                hci_cc_host_buffer_size(hdev, skb);
2264                break;
2265
2266        case HCI_OP_WRITE_SSP_MODE:
2267                hci_cc_write_ssp_mode(hdev, skb);
2268                break;
2269
2270        case HCI_OP_READ_LOCAL_VERSION:
2271                hci_cc_read_local_version(hdev, skb);
2272                break;
2273
2274        case HCI_OP_READ_LOCAL_COMMANDS:
2275                hci_cc_read_local_commands(hdev, skb);
2276                break;
2277
2278        case HCI_OP_READ_LOCAL_FEATURES:
2279                hci_cc_read_local_features(hdev, skb);
2280                break;
2281
2282        case HCI_OP_READ_LOCAL_EXT_FEATURES:
2283                hci_cc_read_local_ext_features(hdev, skb);
2284                break;
2285
2286        case HCI_OP_READ_BUFFER_SIZE:
2287                hci_cc_read_buffer_size(hdev, skb);
2288                break;
2289
2290        case HCI_OP_READ_BD_ADDR:
2291                hci_cc_read_bd_addr(hdev, skb);
2292                break;
2293
2294        case HCI_OP_READ_DATA_BLOCK_SIZE:
2295                hci_cc_read_data_block_size(hdev, skb);
2296                break;
2297
2298        case HCI_OP_WRITE_CA_TIMEOUT:
2299                hci_cc_write_ca_timeout(hdev, skb);
2300                break;
2301
2302        case HCI_OP_READ_FLOW_CONTROL_MODE:
2303                hci_cc_read_flow_control_mode(hdev, skb);
2304                break;
2305
2306        case HCI_OP_READ_LOCAL_AMP_INFO:
2307                hci_cc_read_local_amp_info(hdev, skb);
2308                break;
2309
2310        case HCI_OP_DELETE_STORED_LINK_KEY:
2311                hci_cc_delete_stored_link_key(hdev, skb);
2312                break;
2313
2314        case HCI_OP_SET_EVENT_MASK:
2315                hci_cc_set_event_mask(hdev, skb);
2316                break;
2317
2318        case HCI_OP_WRITE_INQUIRY_MODE:
2319                hci_cc_write_inquiry_mode(hdev, skb);
2320                break;
2321
2322        case HCI_OP_READ_INQ_RSP_TX_POWER:
2323                hci_cc_read_inq_rsp_tx_power(hdev, skb);
2324                break;
2325
2326        case HCI_OP_SET_EVENT_FLT:
2327                hci_cc_set_event_flt(hdev, skb);
2328                break;
2329
2330        case HCI_OP_PIN_CODE_REPLY:
2331                hci_cc_pin_code_reply(hdev, skb);
2332                break;
2333
2334        case HCI_OP_PIN_CODE_NEG_REPLY:
2335                hci_cc_pin_code_neg_reply(hdev, skb);
2336                break;
2337
2338        case HCI_OP_READ_LOCAL_OOB_DATA:
2339                hci_cc_read_local_oob_data_reply(hdev, skb);
2340                break;
2341
2342        case HCI_OP_LE_READ_BUFFER_SIZE:
2343                hci_cc_le_read_buffer_size(hdev, skb);
2344                break;
2345
2346        case HCI_OP_USER_CONFIRM_REPLY:
2347                hci_cc_user_confirm_reply(hdev, skb);
2348                break;
2349
2350        case HCI_OP_USER_CONFIRM_NEG_REPLY:
2351                hci_cc_user_confirm_neg_reply(hdev, skb);
2352                break;
2353
2354        case HCI_OP_USER_PASSKEY_REPLY:
2355                hci_cc_user_passkey_reply(hdev, skb);
2356                break;
2357
2358        case HCI_OP_USER_PASSKEY_NEG_REPLY:
2359                hci_cc_user_passkey_neg_reply(hdev, skb);
2360                break;
2361
2362        case HCI_OP_LE_SET_SCAN_PARAM:
2363                hci_cc_le_set_scan_param(hdev, skb);
2364                break;
2365
2366        case HCI_OP_LE_SET_SCAN_ENABLE:
2367                hci_cc_le_set_scan_enable(hdev, skb);
2368                break;
2369
2370        case HCI_OP_LE_LTK_REPLY:
2371                hci_cc_le_ltk_reply(hdev, skb);
2372                break;
2373
2374        case HCI_OP_LE_LTK_NEG_REPLY:
2375                hci_cc_le_ltk_neg_reply(hdev, skb);
2376                break;
2377
2378        case HCI_OP_WRITE_LE_HOST_SUPPORTED:
2379                hci_cc_write_le_host_supported(hdev, skb);
2380                break;
2381
2382        default:
2383                BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode);
2384                break;
2385        }
2386
2387        if (ev->opcode != HCI_OP_NOP)
2388                del_timer(&hdev->cmd_timer);
2389
2390        if (ev->ncmd) {
2391                atomic_set(&hdev->cmd_cnt, 1);
2392                if (!skb_queue_empty(&hdev->cmd_q))
2393                        queue_work(hdev->workqueue, &hdev->cmd_work);
2394        }
2395}
2396
2397static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb)
2398{
2399        struct hci_ev_cmd_status *ev = (void *) skb->data;
2400        __u16 opcode;
2401
2402        skb_pull(skb, sizeof(*ev));
2403
2404        opcode = __le16_to_cpu(ev->opcode);
2405
2406        switch (opcode) {
2407        case HCI_OP_INQUIRY:
2408                hci_cs_inquiry(hdev, ev->status);
2409                break;
2410
2411        case HCI_OP_CREATE_CONN:
2412                hci_cs_create_conn(hdev, ev->status);
2413                break;
2414
2415        case HCI_OP_ADD_SCO:
2416                hci_cs_add_sco(hdev, ev->status);
2417                break;
2418
2419        case HCI_OP_AUTH_REQUESTED:
2420                hci_cs_auth_requested(hdev, ev->status);
2421                break;
2422
2423        case HCI_OP_SET_CONN_ENCRYPT:
2424                hci_cs_set_conn_encrypt(hdev, ev->status);
2425                break;
2426
2427        case HCI_OP_REMOTE_NAME_REQ:
2428                hci_cs_remote_name_req(hdev, ev->status);
2429                break;
2430
2431        case HCI_OP_READ_REMOTE_FEATURES:
2432                hci_cs_read_remote_features(hdev, ev->status);
2433                break;
2434
2435        case HCI_OP_READ_REMOTE_EXT_FEATURES:
2436                hci_cs_read_remote_ext_features(hdev, ev->status);
2437                break;
2438
2439        case HCI_OP_SETUP_SYNC_CONN:
2440                hci_cs_setup_sync_conn(hdev, ev->status);
2441                break;
2442
2443        case HCI_OP_SNIFF_MODE:
2444                hci_cs_sniff_mode(hdev, ev->status);
2445                break;
2446
2447        case HCI_OP_EXIT_SNIFF_MODE:
2448                hci_cs_exit_sniff_mode(hdev, ev->status);
2449                break;
2450
2451        case HCI_OP_DISCONNECT:
2452                hci_cs_disconnect(hdev, ev->status);
2453                break;
2454
2455        case HCI_OP_LE_CREATE_CONN:
2456                hci_cs_le_create_conn(hdev, ev->status);
2457                break;
2458
2459        case HCI_OP_LE_START_ENC:
2460                hci_cs_le_start_enc(hdev, ev->status);
2461                break;
2462
2463        default:
2464                BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode);
2465                break;
2466        }
2467
2468        if (ev->opcode != HCI_OP_NOP)
2469                del_timer(&hdev->cmd_timer);
2470
2471        if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) {
2472                atomic_set(&hdev->cmd_cnt, 1);
2473                if (!skb_queue_empty(&hdev->cmd_q))
2474                        queue_work(hdev->workqueue, &hdev->cmd_work);
2475        }
2476}
2477
2478static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2479{
2480        struct hci_ev_role_change *ev = (void *) skb->data;
2481        struct hci_conn *conn;
2482
2483        BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2484
2485        hci_dev_lock(hdev);
2486
2487        conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2488        if (conn) {
2489                if (!ev->status) {
2490                        if (ev->role)
2491                                conn->link_mode &= ~HCI_LM_MASTER;
2492                        else
2493                                conn->link_mode |= HCI_LM_MASTER;
2494                }
2495
2496                clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
2497
2498                hci_role_switch_cfm(conn, ev->status, ev->role);
2499        }
2500
2501        hci_dev_unlock(hdev);
2502}
2503
2504static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb)
2505{
2506        struct hci_ev_num_comp_pkts *ev = (void *) skb->data;
2507        int i;
2508
2509        if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
2510                BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode);
2511                return;
2512        }
2513
2514        if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
2515            ev->num_hndl * sizeof(struct hci_comp_pkts_info)) {
2516                BT_DBG("%s bad parameters", hdev->name);
2517                return;
2518        }
2519
2520        BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl);
2521
2522        for (i = 0; i < ev->num_hndl; i++) {
2523                struct hci_comp_pkts_info *info = &ev->handles[i];
2524                struct hci_conn *conn;
2525                __u16  handle, count;
2526
2527                handle = __le16_to_cpu(info->handle);
2528                count  = __le16_to_cpu(info->count);
2529
2530                conn = hci_conn_hash_lookup_handle(hdev, handle);
2531                if (!conn)
2532                        continue;
2533
2534                conn->sent -= count;
2535
2536                switch (conn->type) {
2537                case ACL_LINK:
2538                        hdev->acl_cnt += count;
2539                        if (hdev->acl_cnt > hdev->acl_pkts)
2540                                hdev->acl_cnt = hdev->acl_pkts;
2541                        break;
2542
2543                case LE_LINK:
2544                        if (hdev->le_pkts) {
2545                                hdev->le_cnt += count;
2546                                if (hdev->le_cnt > hdev->le_pkts)
2547                                        hdev->le_cnt = hdev->le_pkts;
2548                        } else {
2549                                hdev->acl_cnt += count;
2550                                if (hdev->acl_cnt > hdev->acl_pkts)
2551                                        hdev->acl_cnt = hdev->acl_pkts;
2552                        }
2553                        break;
2554
2555                case SCO_LINK:
2556                        hdev->sco_cnt += count;
2557                        if (hdev->sco_cnt > hdev->sco_pkts)
2558                                hdev->sco_cnt = hdev->sco_pkts;
2559                        break;
2560
2561                default:
2562                        BT_ERR("Unknown type %d conn %p", conn->type, conn);
2563                        break;
2564                }
2565        }
2566
2567        queue_work(hdev->workqueue, &hdev->tx_work);
2568}
2569
2570static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb)
2571{
2572        struct hci_ev_num_comp_blocks *ev = (void *) skb->data;
2573        int i;
2574
2575        if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_BLOCK_BASED) {
2576                BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode);
2577                return;
2578        }
2579
2580        if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
2581            ev->num_hndl * sizeof(struct hci_comp_blocks_info)) {
2582                BT_DBG("%s bad parameters", hdev->name);
2583                return;
2584        }
2585
2586        BT_DBG("%s num_blocks %d num_hndl %d", hdev->name, ev->num_blocks,
2587               ev->num_hndl);
2588
2589        for (i = 0; i < ev->num_hndl; i++) {
2590                struct hci_comp_blocks_info *info = &ev->handles[i];
2591                struct hci_conn *conn;
2592                __u16  handle, block_count;
2593
2594                handle = __le16_to_cpu(info->handle);
2595                block_count = __le16_to_cpu(info->blocks);
2596
2597                conn = hci_conn_hash_lookup_handle(hdev, handle);
2598                if (!conn)
2599                        continue;
2600
2601                conn->sent -= block_count;
2602
2603                switch (conn->type) {
2604                case ACL_LINK:
2605                        hdev->block_cnt += block_count;
2606                        if (hdev->block_cnt > hdev->num_blocks)
2607                                hdev->block_cnt = hdev->num_blocks;
2608                        break;
2609
2610                default:
2611                        BT_ERR("Unknown type %d conn %p", conn->type, conn);
2612                        break;
2613                }
2614        }
2615
2616        queue_work(hdev->workqueue, &hdev->tx_work);
2617}
2618
2619static void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2620{
2621        struct hci_ev_mode_change *ev = (void *) skb->data;
2622        struct hci_conn *conn;
2623
2624        BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2625
2626        hci_dev_lock(hdev);
2627
2628        conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2629        if (conn) {
2630                conn->mode = ev->mode;
2631                conn->interval = __le16_to_cpu(ev->interval);
2632
2633                if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
2634                                        &conn->flags)) {
2635                        if (conn->mode == HCI_CM_ACTIVE)
2636                                set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
2637                        else
2638                                clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
2639                }
2640
2641                if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2642                        hci_sco_setup(conn, ev->status);
2643        }
2644
2645        hci_dev_unlock(hdev);
2646}
2647
2648static void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2649{
2650        struct hci_ev_pin_code_req *ev = (void *) skb->data;
2651        struct hci_conn *conn;
2652
2653        BT_DBG("%s", hdev->name);
2654
2655        hci_dev_lock(hdev);
2656
2657        conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2658        if (!conn)
2659                goto unlock;
2660
2661        if (conn->state == BT_CONNECTED) {
2662                hci_conn_hold(conn);
2663                conn->disc_timeout = HCI_PAIRING_TIMEOUT;
2664                hci_conn_put(conn);
2665        }
2666
2667        if (!test_bit(HCI_PAIRABLE, &hdev->dev_flags))
2668                hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
2669                             sizeof(ev->bdaddr), &ev->bdaddr);
2670        else if (test_bit(HCI_MGMT, &hdev->dev_flags)) {
2671                u8 secure;
2672
2673                if (conn->pending_sec_level == BT_SECURITY_HIGH)
2674                        secure = 1;
2675                else
2676                        secure = 0;
2677
2678                mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
2679        }
2680
2681unlock:
2682        hci_dev_unlock(hdev);
2683}
2684
2685static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2686{
2687        struct hci_ev_link_key_req *ev = (void *) skb->data;
2688        struct hci_cp_link_key_reply cp;
2689        struct hci_conn *conn;
2690        struct link_key *key;
2691
2692        BT_DBG("%s", hdev->name);
2693
2694        if (!test_bit(HCI_LINK_KEYS, &hdev->dev_flags))
2695                return;
2696
2697        hci_dev_lock(hdev);
2698
2699        key = hci_find_link_key(hdev, &ev->bdaddr);
2700        if (!key) {
2701                BT_DBG("%s link key not found for %s", hdev->name,
2702                       batostr(&ev->bdaddr));
2703                goto not_found;
2704        }
2705
2706        BT_DBG("%s found key type %u for %s", hdev->name, key->type,
2707               batostr(&ev->bdaddr));
2708
2709        if (!test_bit(HCI_DEBUG_KEYS, &hdev->dev_flags) &&
2710            key->type == HCI_LK_DEBUG_COMBINATION) {
2711                BT_DBG("%s ignoring debug key", hdev->name);
2712                goto not_found;
2713        }
2714
2715        conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2716        if (conn) {
2717                if (key->type == HCI_LK_UNAUTH_COMBINATION &&
2718                    conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
2719                        BT_DBG("%s ignoring unauthenticated key", hdev->name);
2720                        goto not_found;
2721                }
2722
2723                if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
2724                    conn->pending_sec_level == BT_SECURITY_HIGH) {
2725                        BT_DBG("%s ignoring key unauthenticated for high security",
2726                               hdev->name);
2727                        goto not_found;
2728                }
2729
2730                conn->key_type = key->type;
2731                conn->pin_length = key->pin_len;
2732        }
2733
2734        bacpy(&cp.bdaddr, &ev->bdaddr);
2735        memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
2736
2737        hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
2738
2739        hci_dev_unlock(hdev);
2740
2741        return;
2742
2743not_found:
2744        hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
2745        hci_dev_unlock(hdev);
2746}
2747
2748static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
2749{
2750        struct hci_ev_link_key_notify *ev = (void *) skb->data;
2751        struct hci_conn *conn;
2752        u8 pin_len = 0;
2753
2754        BT_DBG("%s", hdev->name);
2755
2756        hci_dev_lock(hdev);
2757
2758        conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2759        if (conn) {
2760                hci_conn_hold(conn);
2761                conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2762                pin_len = conn->pin_length;
2763
2764                if (ev->key_type != HCI_LK_CHANGED_COMBINATION)
2765                        conn->key_type = ev->key_type;
2766
2767                hci_conn_put(conn);
2768        }
2769
2770        if (test_bit(HCI_LINK_KEYS, &hdev->dev_flags))
2771                hci_add_link_key(hdev, conn, 1, &ev->bdaddr, ev->link_key,
2772                                 ev->key_type, pin_len);
2773
2774        hci_dev_unlock(hdev);
2775}
2776
2777static void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb)
2778{
2779        struct hci_ev_clock_offset *ev = (void *) skb->data;
2780        struct hci_conn *conn;
2781
2782        BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2783
2784        hci_dev_lock(hdev);
2785
2786        conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2787        if (conn && !ev->status) {
2788                struct inquiry_entry *ie;
2789
2790                ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
2791                if (ie) {
2792                        ie->data.clock_offset = ev->clock_offset;
2793                        ie->timestamp = jiffies;
2794                }
2795        }
2796
2797        hci_dev_unlock(hdev);
2798}
2799
2800static void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2801{
2802        struct hci_ev_pkt_type_change *ev = (void *) skb->data;
2803        struct hci_conn *conn;
2804
2805        BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2806
2807        hci_dev_lock(hdev);
2808
2809        conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2810        if (conn && !ev->status)
2811                conn->pkt_type = __le16_to_cpu(ev->pkt_type);
2812
2813        hci_dev_unlock(hdev);
2814}
2815
2816static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb)
2817{
2818        struct hci_ev_pscan_rep_mode *ev = (void *) skb->data;
2819        struct inquiry_entry *ie;
2820
2821        BT_DBG("%s", hdev->name);
2822
2823        hci_dev_lock(hdev);
2824
2825        ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
2826        if (ie) {
2827                ie->data.pscan_rep_mode = ev->pscan_rep_mode;
2828                ie->timestamp = jiffies;
2829        }
2830
2831        hci_dev_unlock(hdev);
2832}
2833
2834static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev,
2835                                             struct sk_buff *skb)
2836{
2837        struct inquiry_data data;
2838        int num_rsp = *((__u8 *) skb->data);
2839        bool name_known, ssp;
2840
2841        BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
2842
2843        if (!num_rsp)
2844                return;
2845
2846        if (test_bit(HCI_PERIODIC_INQ, &hdev->dev_flags))
2847                return;
2848
2849        hci_dev_lock(hdev);
2850
2851        if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
2852                struct inquiry_info_with_rssi_and_pscan_mode *info;
2853                info = (void *) (skb->data + 1);
2854
2855                for (; num_rsp; num_rsp--, info++) {
2856                        bacpy(&data.bdaddr, &info->bdaddr);
2857                        data.pscan_rep_mode     = info->pscan_rep_mode;
2858                        data.pscan_period_mode  = info->pscan_period_mode;
2859                        data.pscan_mode         = info->pscan_mode;
2860                        memcpy(data.dev_class, info->dev_class, 3);
2861                        data.clock_offset       = info->clock_offset;
2862                        data.rssi               = info->rssi;
2863                        data.ssp_mode           = 0x00;
2864
2865                        name_known = hci_inquiry_cache_update(hdev, &data,
2866                                                              false, &ssp);
2867                        mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
2868                                          info->dev_class, info->rssi,
2869                                          !name_known, ssp, NULL, 0);
2870                }
2871        } else {
2872                struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
2873
2874                for (; num_rsp; num_rsp--, info++) {
2875                        bacpy(&data.bdaddr, &info->bdaddr);
2876                        data.pscan_rep_mode     = info->pscan_rep_mode;
2877                        data.pscan_period_mode  = info->pscan_period_mode;
2878                        data.pscan_mode         = 0x00;
2879                        memcpy(data.dev_class, info->dev_class, 3);
2880                        data.clock_offset       = info->clock_offset;
2881                        data.rssi               = info->rssi;
2882                        data.ssp_mode           = 0x00;
2883                        name_known = hci_inquiry_cache_update(hdev, &data,
2884                                                              false, &ssp);
2885                        mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
2886                                          info->dev_class, info->rssi,
2887                                          !name_known, ssp, NULL, 0);
2888                }
2889        }
2890
2891        hci_dev_unlock(hdev);
2892}
2893
2894static void hci_remote_ext_features_evt(struct hci_dev *hdev,
2895                                        struct sk_buff *skb)
2896{
2897        struct hci_ev_remote_ext_features *ev = (void *) skb->data;
2898        struct hci_conn *conn;
2899
2900        BT_DBG("%s", hdev->name);
2901
2902        hci_dev_lock(hdev);
2903
2904        conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2905        if (!conn)
2906                goto unlock;
2907
2908        if (!ev->status && ev->page == 0x01) {
2909                struct inquiry_entry *ie;
2910
2911                ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
2912                if (ie)
2913                        ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
2914
2915                if (ev->features[0] & LMP_HOST_SSP)
2916                        set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
2917        }
2918
2919        if (conn->state != BT_CONFIG)
2920                goto unlock;
2921
2922        if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
2923                struct hci_cp_remote_name_req cp;
2924                memset(&cp, 0, sizeof(cp));
2925                bacpy(&cp.bdaddr, &conn->dst);
2926                cp.pscan_rep_mode = 0x02;
2927                hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2928        } else if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
2929                mgmt_device_connected(hdev, &conn->dst, conn->type,
2930                                      conn->dst_type, 0, NULL, 0,
2931                                      conn->dev_class);
2932
2933        if (!hci_outgoing_auth_needed(hdev, conn)) {
2934                conn->state = BT_CONNECTED;
2935                hci_proto_connect_cfm(conn, ev->status);
2936                hci_conn_put(conn);
2937        }
2938
2939unlock:
2940        hci_dev_unlock(hdev);
2941}
2942
2943static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
2944                                       struct sk_buff *skb)
2945{
2946        struct hci_ev_sync_conn_complete *ev = (void *) skb->data;
2947        struct hci_conn *conn;
2948
2949        BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
2950
2951        hci_dev_lock(hdev);
2952
2953        conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
2954        if (!conn) {
2955                if (ev->link_type == ESCO_LINK)
2956                        goto unlock;
2957
2958                conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
2959                if (!conn)
2960                        goto unlock;
2961
2962                conn->type = SCO_LINK;
2963        }
2964
2965        switch (ev->status) {
2966        case 0x00:
2967                conn->handle = __le16_to_cpu(ev->handle);
2968                conn->state  = BT_CONNECTED;
2969
2970                hci_conn_hold_device(conn);
2971                hci_conn_add_sysfs(conn);
2972                break;
2973
2974        case 0x11:      /* Unsupported Feature or Parameter Value */
2975        case 0x1c:      /* SCO interval rejected */
2976        case 0x1a:      /* Unsupported Remote Feature */
2977        case 0x1f:      /* Unspecified error */
2978                if (conn->out && conn->attempt < 2) {
2979                        conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
2980                                        (hdev->esco_type & EDR_ESCO_MASK);
2981                        hci_setup_sync(conn, conn->link->handle);
2982                        goto unlock;
2983                }
2984                /* fall through */
2985
2986        default:
2987                conn->state = BT_CLOSED;
2988                break;
2989        }
2990
2991        hci_proto_connect_cfm(conn, ev->status);
2992        if (ev->status)
2993                hci_conn_del(conn);
2994
2995unlock:
2996        hci_dev_unlock(hdev);
2997}
2998
2999static void hci_sync_conn_changed_evt(struct hci_dev *hdev, struct sk_buff *skb)
3000{
3001        BT_DBG("%s", hdev->name);
3002}
3003
3004static void hci_sniff_subrate_evt(struct hci_dev *hdev, struct sk_buff *skb)
3005{
3006        struct hci_ev_sniff_subrate *ev = (void *) skb->data;
3007
3008        BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3009}
3010
3011static void hci_extended_inquiry_result_evt(struct hci_dev *hdev,
3012                                            struct sk_buff *skb)
3013{
3014        struct inquiry_data data;
3015        struct extended_inquiry_info *info = (void *) (skb->data + 1);
3016        int num_rsp = *((__u8 *) skb->data);
3017        size_t eir_len;
3018
3019        BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
3020
3021        if (!num_rsp)
3022                return;
3023
3024        if (test_bit(HCI_PERIODIC_INQ, &hdev->dev_flags))
3025                return;
3026
3027        hci_dev_lock(hdev);
3028
3029        for (; num_rsp; num_rsp--, info++) {
3030                bool name_known, ssp;
3031
3032                bacpy(&data.bdaddr, &info->bdaddr);
3033                data.pscan_rep_mode     = info->pscan_rep_mode;
3034                data.pscan_period_mode  = info->pscan_period_mode;
3035                data.pscan_mode         = 0x00;
3036                memcpy(data.dev_class, info->dev_class, 3);
3037                data.clock_offset       = info->clock_offset;
3038                data.rssi               = info->rssi;
3039                data.ssp_mode           = 0x01;
3040
3041                if (test_bit(HCI_MGMT, &hdev->dev_flags))
3042                        name_known = eir_has_data_type(info->data,
3043                                                       sizeof(info->data),
3044                                                       EIR_NAME_COMPLETE);
3045                else
3046                        name_known = true;
3047
3048                name_known = hci_inquiry_cache_update(hdev, &data, name_known,
3049                                                      &ssp);
3050                eir_len = eir_get_length(info->data, sizeof(info->data));
3051                mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3052                                  info->dev_class, info->rssi, !name_known,
3053                                  ssp, info->data, eir_len);
3054        }
3055
3056        hci_dev_unlock(hdev);
3057}
3058
3059static void hci_key_refresh_complete_evt(struct hci_dev *hdev,
3060                                         struct sk_buff *skb)
3061{
3062        struct hci_ev_key_refresh_complete *ev = (void *) skb->data;
3063        struct hci_conn *conn;
3064
3065        BT_DBG("%s status 0x%2.2x handle 0x%4.4x", hdev->name, ev->status,
3066               __le16_to_cpu(ev->handle));
3067
3068        hci_dev_lock(hdev);
3069
3070        conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3071        if (!conn)
3072                goto unlock;
3073
3074        if (!ev->status)
3075                conn->sec_level = conn->pending_sec_level;
3076
3077        clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3078
3079        if (ev->status && conn->state == BT_CONNECTED) {
3080                hci_acl_disconn(conn, HCI_ERROR_AUTH_FAILURE);
3081                hci_conn_put(conn);
3082                goto unlock;
3083        }
3084
3085        if (conn->state == BT_CONFIG) {
3086                if (!ev->status)
3087                        conn->state = BT_CONNECTED;
3088
3089                hci_proto_connect_cfm(conn, ev->status);
3090                hci_conn_put(conn);
3091        } else {
3092                hci_auth_cfm(conn, ev->status);
3093
3094                hci_conn_hold(conn);
3095                conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3096                hci_conn_put(conn);
3097        }
3098
3099unlock:
3100        hci_dev_unlock(hdev);
3101}
3102
3103static u8 hci_get_auth_req(struct hci_conn *conn)
3104{
3105        /* If remote requests dedicated bonding follow that lead */
3106        if (conn->remote_auth == 0x02 || conn->remote_auth == 0x03) {
3107                /* If both remote and local IO capabilities allow MITM
3108                 * protection then require it, otherwise don't */
3109                if (conn->remote_cap == 0x03 || conn->io_capability == 0x03)
3110                        return 0x02;
3111                else
3112                        return 0x03;
3113        }
3114
3115        /* If remote requests no-bonding follow that lead */
3116        if (conn->remote_auth == 0x00 || conn->remote_auth == 0x01)
3117                return conn->remote_auth | (conn->auth_type & 0x01);
3118
3119        return conn->auth_type;
3120}
3121
3122static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3123{
3124        struct hci_ev_io_capa_request *ev = (void *) skb->data;
3125        struct hci_conn *conn;
3126
3127        BT_DBG("%s", hdev->name);
3128
3129        hci_dev_lock(hdev);
3130
3131        conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3132        if (!conn)
3133                goto unlock;
3134
3135        hci_conn_hold(conn);
3136
3137        if (!test_bit(HCI_MGMT, &hdev->dev_flags))
3138                goto unlock;
3139
3140        if (test_bit(HCI_PAIRABLE, &hdev->dev_flags) ||
3141            (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
3142                struct hci_cp_io_capability_reply cp;
3143
3144                bacpy(&cp.bdaddr, &ev->bdaddr);
3145                /* Change the IO capability from KeyboardDisplay
3146                 * to DisplayYesNo as it is not supported by BT spec. */
3147                cp.capability = (conn->io_capability == 0x04) ?
3148                                                0x01 : conn->io_capability;
3149                conn->auth_type = hci_get_auth_req(conn);
3150                cp.authentication = conn->auth_type;
3151
3152                if (hci_find_remote_oob_data(hdev, &conn->dst) &&
3153                    (conn->out || test_bit(HCI_CONN_REMOTE_OOB, &conn->flags)))
3154                        cp.oob_data = 0x01;
3155                else
3156                        cp.oob_data = 0x00;
3157
3158                hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
3159                             sizeof(cp), &cp);
3160        } else {
3161                struct hci_cp_io_capability_neg_reply cp;
3162
3163                bacpy(&cp.bdaddr, &ev->bdaddr);
3164                cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
3165
3166                hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
3167                             sizeof(cp), &cp);
3168        }
3169
3170unlock:
3171        hci_dev_unlock(hdev);
3172}
3173
3174static void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb)
3175{
3176        struct hci_ev_io_capa_reply *ev = (void *) skb->data;
3177        struct hci_conn *conn;
3178
3179        BT_DBG("%s", hdev->name);
3180
3181        hci_dev_lock(hdev);
3182
3183        conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3184        if (!conn)
3185                goto unlock;
3186
3187        conn->remote_cap = ev->capability;
3188        conn->remote_auth = ev->authentication;
3189        if (ev->oob_data)
3190                set_bit(HCI_CONN_REMOTE_OOB, &conn->flags);
3191
3192unlock:
3193        hci_dev_unlock(hdev);
3194}
3195
3196static void hci_user_confirm_request_evt(struct hci_dev *hdev,
3197                                         struct sk_buff *skb)
3198{
3199        struct hci_ev_user_confirm_req *ev = (void *) skb->data;
3200        int loc_mitm, rem_mitm, confirm_hint = 0;
3201        struct hci_conn *conn;
3202
3203        BT_DBG("%s", hdev->name);
3204
3205        hci_dev_lock(hdev);
3206
3207        if (!test_bit(HCI_MGMT, &hdev->dev_flags))
3208                goto unlock;
3209
3210        conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3211        if (!conn)
3212                goto unlock;
3213
3214        loc_mitm = (conn->auth_type & 0x01);
3215        rem_mitm = (conn->remote_auth & 0x01);
3216
3217        /* If we require MITM but the remote device can't provide that
3218         * (it has NoInputNoOutput) then reject the confirmation
3219         * request. The only exception is when we're dedicated bonding
3220         * initiators (connect_cfm_cb set) since then we always have the MITM
3221         * bit set. */
3222        if (!conn->connect_cfm_cb && loc_mitm && conn->remote_cap == 0x03) {
3223                BT_DBG("Rejecting request: remote device can't provide MITM");
3224                hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
3225                             sizeof(ev->bdaddr), &ev->bdaddr);
3226                goto unlock;
3227        }
3228
3229        /* If no side requires MITM protection; auto-accept */
3230        if ((!loc_mitm || conn->remote_cap == 0x03) &&
3231            (!rem_mitm || conn->io_capability == 0x03)) {
3232
3233                /* If we're not the initiators request authorization to
3234                 * proceed from user space (mgmt_user_confirm with
3235                 * confirm_hint set to 1). */
3236                if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
3237                        BT_DBG("Confirming auto-accept as acceptor");
3238                        confirm_hint = 1;
3239                        goto confirm;
3240                }
3241
3242                BT_DBG("Auto-accept of user confirmation with %ums delay",
3243                       hdev->auto_accept_delay);
3244
3245                if (hdev->auto_accept_delay > 0) {
3246                        int delay = msecs_to_jiffies(hdev->auto_accept_delay);
3247                        mod_timer(&conn->auto_accept_timer, jiffies + delay);
3248                        goto unlock;
3249                }
3250
3251                hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
3252                             sizeof(ev->bdaddr), &ev->bdaddr);
3253                goto unlock;
3254        }
3255
3256confirm:
3257        mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0, ev->passkey,
3258                                  confirm_hint);
3259
3260unlock:
3261        hci_dev_unlock(hdev);
3262}
3263
3264static void hci_user_passkey_request_evt(struct hci_dev *hdev,
3265                                         struct sk_buff *skb)
3266{
3267        struct hci_ev_user_passkey_req *ev = (void *) skb->data;
3268
3269        BT_DBG("%s", hdev->name);
3270
3271        hci_dev_lock(hdev);
3272
3273        if (test_bit(HCI_MGMT, &hdev->dev_flags))
3274                mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
3275
3276        hci_dev_unlock(hdev);
3277}
3278
3279static void hci_simple_pair_complete_evt(struct hci_dev *hdev,
3280                                         struct sk_buff *skb)
3281{
3282        struct hci_ev_simple_pair_complete *ev = (void *) skb->data;
3283        struct hci_conn *conn;
3284
3285        BT_DBG("%s", hdev->name);
3286
3287        hci_dev_lock(hdev);
3288
3289        conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3290        if (!conn)
3291                goto unlock;
3292
3293        /* To avoid duplicate auth_failed events to user space we check
3294         * the HCI_CONN_AUTH_PEND flag which will be set if we
3295         * initiated the authentication. A traditional auth_complete
3296         * event gets always produced as initiator and is also mapped to
3297         * the mgmt_auth_failed event */
3298        if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status != 0)
3299                mgmt_auth_failed(hdev, &conn->dst, conn->type, conn->dst_type,
3300                                 ev->status);
3301
3302        hci_conn_put(conn);
3303
3304unlock:
3305        hci_dev_unlock(hdev);
3306}
3307
3308static void hci_remote_host_features_evt(struct hci_dev *hdev,
3309                                         struct sk_buff *skb)
3310{
3311        struct hci_ev_remote_host_features *ev = (void *) skb->data;
3312        struct inquiry_entry *ie;
3313
3314        BT_DBG("%s", hdev->name);
3315
3316        hci_dev_lock(hdev);
3317
3318        ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3319        if (ie)
3320                ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
3321
3322        hci_dev_unlock(hdev);
3323}
3324
3325static void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
3326                                            struct sk_buff *skb)
3327{
3328        struct hci_ev_remote_oob_data_request *ev = (void *) skb->data;
3329        struct oob_data *data;
3330
3331        BT_DBG("%s", hdev->name);
3332
3333        hci_dev_lock(hdev);
3334
3335        if (!test_bit(HCI_MGMT, &hdev->dev_flags))
3336                goto unlock;
3337
3338        data = hci_find_remote_oob_data(hdev, &ev->bdaddr);
3339        if (data) {
3340                struct hci_cp_remote_oob_data_reply cp;
3341
3342                bacpy(&cp.bdaddr, &ev->bdaddr);
3343                memcpy(cp.hash, data->hash, sizeof(cp.hash));
3344                memcpy(cp.randomizer, data->randomizer, sizeof(cp.randomizer));
3345
3346                hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY, sizeof(cp),
3347                             &cp);
3348        } else {
3349                struct hci_cp_remote_oob_data_neg_reply cp;
3350
3351                bacpy(&cp.bdaddr, &ev->bdaddr);
3352                hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY, sizeof(cp),
3353                             &cp);
3354        }
3355
3356unlock:
3357        hci_dev_unlock(hdev);
3358}
3359
3360static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
3361{
3362        struct hci_ev_le_conn_complete *ev = (void *) skb->data;
3363        struct hci_conn *conn;
3364
3365        BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
3366
3367        hci_dev_lock(hdev);
3368
3369        if (ev->status) {
3370                conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT);
3371                if (!conn)
3372                        goto unlock;
3373
3374                mgmt_connect_failed(hdev, &conn->dst, conn->type,
3375                                    conn->dst_type, ev->status);
3376                hci_proto_connect_cfm(conn, ev->status);
3377                conn->state = BT_CLOSED;
3378                hci_conn_del(conn);
3379                goto unlock;
3380        }
3381
3382        conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &ev->bdaddr);
3383        if (!conn) {
3384                conn = hci_conn_add(hdev, LE_LINK, &ev->bdaddr);
3385                if (!conn) {
3386                        BT_ERR("No memory for new connection");
3387                        hci_dev_unlock(hdev);
3388                        return;
3389                }
3390
3391                conn->dst_type = ev->bdaddr_type;
3392        }
3393
3394        if (!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
3395                mgmt_device_connected(hdev, &ev->bdaddr, conn->type,
3396                                      conn->dst_type, 0, NULL, 0, NULL);
3397
3398        conn->sec_level = BT_SECURITY_LOW;
3399        conn->handle = __le16_to_cpu(ev->handle);
3400        conn->state = BT_CONNECTED;
3401
3402        hci_conn_hold_device(conn);
3403        hci_conn_add_sysfs(conn);
3404
3405        hci_proto_connect_cfm(conn, ev->status);
3406
3407unlock:
3408        hci_dev_unlock(hdev);
3409}
3410
3411static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
3412{
3413        u8 num_reports = skb->data[0];
3414        void *ptr = &skb->data[1];
3415        s8 rssi;
3416
3417        hci_dev_lock(hdev);
3418
3419        while (num_reports--) {
3420                struct hci_ev_le_advertising_info *ev = ptr;
3421
3422                rssi = ev->data[ev->length];
3423                mgmt_device_found(hdev, &ev->bdaddr, LE_LINK, ev->bdaddr_type,
3424                                  NULL, rssi, 0, 1, ev->data, ev->length);
3425
3426                ptr += sizeof(*ev) + ev->length + 1;
3427        }
3428
3429        hci_dev_unlock(hdev);
3430}
3431
3432static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
3433{
3434        struct hci_ev_le_ltk_req *ev = (void *) skb->data;
3435        struct hci_cp_le_ltk_reply cp;
3436        struct hci_cp_le_ltk_neg_reply neg;
3437        struct hci_conn *conn;
3438        struct smp_ltk *ltk;
3439
3440        BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle));
3441
3442        hci_dev_lock(hdev);
3443
3444        conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3445        if (conn == NULL)
3446                goto not_found;
3447
3448        ltk = hci_find_ltk(hdev, ev->ediv, ev->random);
3449        if (ltk == NULL)
3450                goto not_found;
3451
3452        memcpy(cp.ltk, ltk->val, sizeof(ltk->val));
3453        cp.handle = cpu_to_le16(conn->handle);
3454
3455        if (ltk->authenticated)
3456                conn->sec_level = BT_SECURITY_HIGH;
3457
3458        hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
3459
3460        if (ltk->type & HCI_SMP_STK) {
3461                list_del(&ltk->list);
3462                kfree(ltk);
3463        }
3464
3465        hci_dev_unlock(hdev);
3466
3467        return;
3468
3469not_found:
3470        neg.handle = ev->handle;
3471        hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
3472        hci_dev_unlock(hdev);
3473}
3474
3475static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
3476{
3477        struct hci_ev_le_meta *le_ev = (void *) skb->data;
3478
3479        skb_pull(skb, sizeof(*le_ev));
3480
3481        switch (le_ev->subevent) {
3482        case HCI_EV_LE_CONN_COMPLETE:
3483                hci_le_conn_complete_evt(hdev, skb);
3484                break;
3485
3486        case HCI_EV_LE_ADVERTISING_REPORT:
3487                hci_le_adv_report_evt(hdev, skb);
3488                break;
3489
3490        case HCI_EV_LE_LTK_REQ:
3491                hci_le_ltk_request_evt(hdev, skb);
3492                break;
3493
3494        default:
3495                break;
3496        }
3497}
3498
3499void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
3500{
3501        struct hci_event_hdr *hdr = (void *) skb->data;
3502        __u8 event = hdr->evt;
3503
3504        skb_pull(skb, HCI_EVENT_HDR_SIZE);
3505
3506        switch (event) {
3507        case HCI_EV_INQUIRY_COMPLETE:
3508                hci_inquiry_complete_evt(hdev, skb);
3509                break;
3510
3511        case HCI_EV_INQUIRY_RESULT:
3512                hci_inquiry_result_evt(hdev, skb);
3513                break;
3514
3515        case HCI_EV_CONN_COMPLETE:
3516                hci_conn_complete_evt(hdev, skb);
3517                break;
3518
3519        case HCI_EV_CONN_REQUEST:
3520                hci_conn_request_evt(hdev, skb);
3521                break;
3522
3523        case HCI_EV_DISCONN_COMPLETE:
3524                hci_disconn_complete_evt(hdev, skb);
3525                break;
3526
3527        case HCI_EV_AUTH_COMPLETE:
3528                hci_auth_complete_evt(hdev, skb);
3529                break;
3530
3531        case HCI_EV_REMOTE_NAME:
3532                hci_remote_name_evt(hdev, skb);
3533                break;
3534
3535        case HCI_EV_ENCRYPT_CHANGE:
3536                hci_encrypt_change_evt(hdev, skb);
3537                break;
3538
3539        case HCI_EV_CHANGE_LINK_KEY_COMPLETE:
3540                hci_change_link_key_complete_evt(hdev, skb);
3541                break;
3542
3543        case HCI_EV_REMOTE_FEATURES:
3544                hci_remote_features_evt(hdev, skb);
3545                break;
3546
3547        case HCI_EV_REMOTE_VERSION:
3548                hci_remote_version_evt(hdev, skb);
3549                break;
3550
3551        case HCI_EV_QOS_SETUP_COMPLETE:
3552                hci_qos_setup_complete_evt(hdev, skb);
3553                break;
3554
3555        case HCI_EV_CMD_COMPLETE:
3556                hci_cmd_complete_evt(hdev, skb);
3557                break;
3558
3559        case HCI_EV_CMD_STATUS:
3560                hci_cmd_status_evt(hdev, skb);
3561                break;
3562
3563        case HCI_EV_ROLE_CHANGE:
3564                hci_role_change_evt(hdev, skb);
3565                break;
3566
3567        case HCI_EV_NUM_COMP_PKTS:
3568                hci_num_comp_pkts_evt(hdev, skb);
3569                break;
3570
3571        case HCI_EV_MODE_CHANGE:
3572                hci_mode_change_evt(hdev, skb);
3573                break;
3574
3575        case HCI_EV_PIN_CODE_REQ:
3576                hci_pin_code_request_evt(hdev, skb);
3577                break;
3578
3579        case HCI_EV_LINK_KEY_REQ:
3580                hci_link_key_request_evt(hdev, skb);
3581                break;
3582
3583        case HCI_EV_LINK_KEY_NOTIFY:
3584                hci_link_key_notify_evt(hdev, skb);
3585                break;
3586
3587        case HCI_EV_CLOCK_OFFSET:
3588                hci_clock_offset_evt(hdev, skb);
3589                break;
3590
3591        case HCI_EV_PKT_TYPE_CHANGE:
3592                hci_pkt_type_change_evt(hdev, skb);
3593                break;
3594
3595        case HCI_EV_PSCAN_REP_MODE:
3596                hci_pscan_rep_mode_evt(hdev, skb);
3597                break;
3598
3599        case HCI_EV_INQUIRY_RESULT_WITH_RSSI:
3600                hci_inquiry_result_with_rssi_evt(hdev, skb);
3601                break;
3602
3603        case HCI_EV_REMOTE_EXT_FEATURES:
3604                hci_remote_ext_features_evt(hdev, skb);
3605                break;
3606
3607        case HCI_EV_SYNC_CONN_COMPLETE:
3608                hci_sync_conn_complete_evt(hdev, skb);
3609                break;
3610
3611        case HCI_EV_SYNC_CONN_CHANGED:
3612                hci_sync_conn_changed_evt(hdev, skb);
3613                break;
3614
3615        case HCI_EV_SNIFF_SUBRATE:
3616                hci_sniff_subrate_evt(hdev, skb);
3617                break;
3618
3619        case HCI_EV_EXTENDED_INQUIRY_RESULT:
3620                hci_extended_inquiry_result_evt(hdev, skb);
3621                break;
3622
3623        case HCI_EV_KEY_REFRESH_COMPLETE:
3624                hci_key_refresh_complete_evt(hdev, skb);
3625                break;
3626
3627        case HCI_EV_IO_CAPA_REQUEST:
3628                hci_io_capa_request_evt(hdev, skb);
3629                break;
3630
3631        case HCI_EV_IO_CAPA_REPLY:
3632                hci_io_capa_reply_evt(hdev, skb);
3633                break;
3634
3635        case HCI_EV_USER_CONFIRM_REQUEST:
3636                hci_user_confirm_request_evt(hdev, skb);
3637                break;
3638
3639        case HCI_EV_USER_PASSKEY_REQUEST:
3640                hci_user_passkey_request_evt(hdev, skb);
3641                break;
3642
3643        case HCI_EV_SIMPLE_PAIR_COMPLETE:
3644                hci_simple_pair_complete_evt(hdev, skb);
3645                break;
3646
3647        case HCI_EV_REMOTE_HOST_FEATURES:
3648                hci_remote_host_features_evt(hdev, skb);
3649                break;
3650
3651        case HCI_EV_LE_META:
3652                hci_le_meta_evt(hdev, skb);
3653                break;
3654
3655        case HCI_EV_REMOTE_OOB_DATA_REQUEST:
3656                hci_remote_oob_data_request_evt(hdev, skb);
3657                break;
3658
3659        case HCI_EV_NUM_COMP_BLOCKS:
3660                hci_num_comp_blocks_evt(hdev, skb);
3661                break;
3662
3663        default:
3664                BT_DBG("%s event 0x%2.2x", hdev->name, event);
3665                break;
3666        }
3667
3668        kfree_skb(skb);
3669        hdev->stat.evt_rx++;
3670}
3671
lxr.linux.no kindly hosted by Redpill Linpro AS, provider of Linux consulting and operations services since 1995.