bluetooth: hid: make Android code conditional
[linux-2.6.git] / net / bluetooth / hci_event.c
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
4
5    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License version 2 as
9    published by the Free Software Foundation;
10
11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19
20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22    SOFTWARE IS DISCLAIMED.
23 */
24
25 /* Bluetooth HCI event handling. */
26
27 #include <linux/module.h>
28
29 #include <linux/types.h>
30 #include <linux/errno.h>
31 #include <linux/kernel.h>
32 #include <linux/slab.h>
33 #include <linux/poll.h>
34 #include <linux/fcntl.h>
35 #include <linux/init.h>
36 #include <linux/skbuff.h>
37 #include <linux/interrupt.h>
38 #include <linux/notifier.h>
39 #include <net/sock.h>
40
41 #include <asm/system.h>
42 #include <linux/uaccess.h>
43 #include <asm/unaligned.h>
44
45 #include <net/bluetooth/bluetooth.h>
46 #include <net/bluetooth/hci_core.h>
47
48 static int enable_le;
49
50 /* Handle HCI Event packets */
51
52 static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb)
53 {
54         __u8 status = *((__u8 *) skb->data);
55
56         BT_DBG("%s status 0x%x", hdev->name, status);
57
58         if (status)
59                 return;
60
61         if (test_and_clear_bit(HCI_INQUIRY, &hdev->flags) &&
62                         test_bit(HCI_MGMT, &hdev->flags))
63                 mgmt_discovering(hdev->id, 0);
64
65         hci_req_complete(hdev, HCI_OP_INQUIRY_CANCEL, status);
66
67         hci_conn_check_pending(hdev);
68 }
69
70 static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
71 {
72         __u8 status = *((__u8 *) skb->data);
73
74         BT_DBG("%s status 0x%x", hdev->name, status);
75
76         if (status)
77                 return;
78
79         if (test_and_clear_bit(HCI_INQUIRY, &hdev->flags) &&
80                                 test_bit(HCI_MGMT, &hdev->flags))
81                 mgmt_discovering(hdev->id, 0);
82
83         hci_conn_check_pending(hdev);
84 }
85
86 static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev, struct sk_buff *skb)
87 {
88         BT_DBG("%s", hdev->name);
89 }
90
91 static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb)
92 {
93         struct hci_rp_role_discovery *rp = (void *) skb->data;
94         struct hci_conn *conn;
95
96         BT_DBG("%s status 0x%x", hdev->name, rp->status);
97
98         if (rp->status)
99                 return;
100
101         hci_dev_lock(hdev);
102
103         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
104         if (conn) {
105                 if (rp->role)
106                         conn->link_mode &= ~HCI_LM_MASTER;
107                 else
108                         conn->link_mode |= HCI_LM_MASTER;
109         }
110
111         hci_dev_unlock(hdev);
112 }
113
114 static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
115 {
116         struct hci_rp_read_link_policy *rp = (void *) skb->data;
117         struct hci_conn *conn;
118
119         BT_DBG("%s status 0x%x", hdev->name, rp->status);
120
121         if (rp->status)
122                 return;
123
124         hci_dev_lock(hdev);
125
126         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
127         if (conn)
128                 conn->link_policy = __le16_to_cpu(rp->policy);
129
130         hci_dev_unlock(hdev);
131 }
132
133 static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
134 {
135         struct hci_rp_write_link_policy *rp = (void *) skb->data;
136         struct hci_conn *conn;
137         void *sent;
138
139         BT_DBG("%s status 0x%x", hdev->name, rp->status);
140
141         if (rp->status)
142                 return;
143
144         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
145         if (!sent)
146                 return;
147
148         hci_dev_lock(hdev);
149
150         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
151         if (conn)
152                 conn->link_policy = get_unaligned_le16(sent + 2);
153
154         hci_dev_unlock(hdev);
155 }
156
157 static void hci_cc_read_def_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
158 {
159         struct hci_rp_read_def_link_policy *rp = (void *) skb->data;
160
161         BT_DBG("%s status 0x%x", hdev->name, rp->status);
162
163         if (rp->status)
164                 return;
165
166         hdev->link_policy = __le16_to_cpu(rp->policy);
167 }
168
169 static void hci_cc_write_def_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
170 {
171         __u8 status = *((__u8 *) skb->data);
172         void *sent;
173
174         BT_DBG("%s status 0x%x", hdev->name, status);
175
176         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
177         if (!sent)
178                 return;
179
180         if (!status)
181                 hdev->link_policy = get_unaligned_le16(sent);
182
183         hci_req_complete(hdev, HCI_OP_WRITE_DEF_LINK_POLICY, status);
184 }
185
186 static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb)
187 {
188         __u8 status = *((__u8 *) skb->data);
189
190         BT_DBG("%s status 0x%x", hdev->name, status);
191
192         clear_bit(HCI_RESET, &hdev->flags);
193
194         hci_req_complete(hdev, HCI_OP_RESET, status);
195 }
196
197 static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb)
198 {
199         __u8 status = *((__u8 *) skb->data);
200         void *sent;
201
202         BT_DBG("%s status 0x%x", hdev->name, status);
203
204         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
205         if (!sent)
206                 return;
207
208         if (test_bit(HCI_MGMT, &hdev->flags))
209                 mgmt_set_local_name_complete(hdev->id, sent, status);
210
211         if (status)
212                 return;
213
214         memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
215 }
216
217 static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)
218 {
219         struct hci_rp_read_local_name *rp = (void *) skb->data;
220
221         BT_DBG("%s status 0x%x", hdev->name, rp->status);
222
223         if (rp->status)
224                 return;
225
226         memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
227 }
228
229 static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb)
230 {
231         __u8 status = *((__u8 *) skb->data);
232         void *sent;
233
234         BT_DBG("%s status 0x%x", hdev->name, status);
235
236         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
237         if (!sent)
238                 return;
239
240         if (!status) {
241                 __u8 param = *((__u8 *) sent);
242
243                 if (param == AUTH_ENABLED)
244                         set_bit(HCI_AUTH, &hdev->flags);
245                 else
246                         clear_bit(HCI_AUTH, &hdev->flags);
247         }
248
249         hci_req_complete(hdev, HCI_OP_WRITE_AUTH_ENABLE, status);
250 }
251
252 static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb)
253 {
254         __u8 status = *((__u8 *) skb->data);
255         void *sent;
256
257         BT_DBG("%s status 0x%x", hdev->name, status);
258
259         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
260         if (!sent)
261                 return;
262
263         if (!status) {
264                 __u8 param = *((__u8 *) sent);
265
266                 if (param)
267                         set_bit(HCI_ENCRYPT, &hdev->flags);
268                 else
269                         clear_bit(HCI_ENCRYPT, &hdev->flags);
270         }
271
272         hci_req_complete(hdev, HCI_OP_WRITE_ENCRYPT_MODE, status);
273 }
274
275 static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb)
276 {
277         __u8 status = *((__u8 *) skb->data);
278         void *sent;
279
280         BT_DBG("%s status 0x%x", hdev->name, status);
281
282         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
283         if (!sent)
284                 return;
285
286         if (!status) {
287                 __u8 param = *((__u8 *) sent);
288                 int old_pscan, old_iscan;
289
290                 old_pscan = test_and_clear_bit(HCI_PSCAN, &hdev->flags);
291                 old_iscan = test_and_clear_bit(HCI_ISCAN, &hdev->flags);
292
293                 if (param & SCAN_INQUIRY) {
294                         set_bit(HCI_ISCAN, &hdev->flags);
295                         if (!old_iscan)
296                                 mgmt_discoverable(hdev->id, 1);
297                 } else if (old_iscan)
298                         mgmt_discoverable(hdev->id, 0);
299
300                 if (param & SCAN_PAGE) {
301                         set_bit(HCI_PSCAN, &hdev->flags);
302                         if (!old_pscan)
303                                 mgmt_connectable(hdev->id, 1);
304                 } else if (old_pscan)
305                         mgmt_connectable(hdev->id, 0);
306         }
307
308         hci_req_complete(hdev, HCI_OP_WRITE_SCAN_ENABLE, status);
309 }
310
311 static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
312 {
313         struct hci_rp_read_class_of_dev *rp = (void *) skb->data;
314
315         BT_DBG("%s status 0x%x", hdev->name, rp->status);
316
317         if (rp->status)
318                 return;
319
320         memcpy(hdev->dev_class, rp->dev_class, 3);
321
322         BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name,
323                 hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]);
324 }
325
326 static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
327 {
328         __u8 status = *((__u8 *) skb->data);
329         void *sent;
330
331         BT_DBG("%s status 0x%x", hdev->name, status);
332
333         if (status)
334                 return;
335
336         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
337         if (!sent)
338                 return;
339
340         memcpy(hdev->dev_class, sent, 3);
341 }
342
343 static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb)
344 {
345         struct hci_rp_read_voice_setting *rp = (void *) skb->data;
346         __u16 setting;
347
348         BT_DBG("%s status 0x%x", hdev->name, rp->status);
349
350         if (rp->status)
351                 return;
352
353         setting = __le16_to_cpu(rp->voice_setting);
354
355         if (hdev->voice_setting == setting)
356                 return;
357
358         hdev->voice_setting = setting;
359
360         BT_DBG("%s voice setting 0x%04x", hdev->name, setting);
361
362         if (hdev->notify) {
363                 tasklet_disable(&hdev->tx_task);
364                 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
365                 tasklet_enable(&hdev->tx_task);
366         }
367 }
368
369 static void hci_cc_write_voice_setting(struct hci_dev *hdev, struct sk_buff *skb)
370 {
371         __u8 status = *((__u8 *) skb->data);
372         __u16 setting;
373         void *sent;
374
375         BT_DBG("%s status 0x%x", hdev->name, status);
376
377         if (status)
378                 return;
379
380         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
381         if (!sent)
382                 return;
383
384         setting = get_unaligned_le16(sent);
385
386         if (hdev->voice_setting == setting)
387                 return;
388
389         hdev->voice_setting = setting;
390
391         BT_DBG("%s voice setting 0x%04x", hdev->name, setting);
392
393         if (hdev->notify) {
394                 tasklet_disable(&hdev->tx_task);
395                 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
396                 tasklet_enable(&hdev->tx_task);
397         }
398 }
399
400 static void hci_cc_host_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)
401 {
402         __u8 status = *((__u8 *) skb->data);
403
404         BT_DBG("%s status 0x%x", hdev->name, status);
405
406         hci_req_complete(hdev, HCI_OP_HOST_BUFFER_SIZE, status);
407 }
408
409 static void hci_cc_read_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
410 {
411         struct hci_rp_read_ssp_mode *rp = (void *) skb->data;
412
413         BT_DBG("%s status 0x%x", hdev->name, rp->status);
414
415         if (rp->status)
416                 return;
417
418         hdev->ssp_mode = rp->mode;
419 }
420
421 static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
422 {
423         __u8 status = *((__u8 *) skb->data);
424         void *sent;
425
426         BT_DBG("%s status 0x%x", hdev->name, status);
427
428         if (status)
429                 return;
430
431         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
432         if (!sent)
433                 return;
434
435         hdev->ssp_mode = *((__u8 *) sent);
436 }
437
438 static u8 hci_get_inquiry_mode(struct hci_dev *hdev)
439 {
440         if (hdev->features[6] & LMP_EXT_INQ)
441                 return 2;
442
443         if (hdev->features[3] & LMP_RSSI_INQ)
444                 return 1;
445
446         if (hdev->manufacturer == 11 && hdev->hci_rev == 0x00 &&
447                                                 hdev->lmp_subver == 0x0757)
448                 return 1;
449
450         if (hdev->manufacturer == 15) {
451                 if (hdev->hci_rev == 0x03 && hdev->lmp_subver == 0x6963)
452                         return 1;
453                 if (hdev->hci_rev == 0x09 && hdev->lmp_subver == 0x6963)
454                         return 1;
455                 if (hdev->hci_rev == 0x00 && hdev->lmp_subver == 0x6965)
456                         return 1;
457         }
458
459         if (hdev->manufacturer == 31 && hdev->hci_rev == 0x2005 &&
460                                                 hdev->lmp_subver == 0x1805)
461                 return 1;
462
463         return 0;
464 }
465
466 static void hci_setup_inquiry_mode(struct hci_dev *hdev)
467 {
468         u8 mode;
469
470         mode = hci_get_inquiry_mode(hdev);
471
472         hci_send_cmd(hdev, HCI_OP_WRITE_INQUIRY_MODE, 1, &mode);
473 }
474
475 static void hci_setup_event_mask(struct hci_dev *hdev)
476 {
477         /* The second byte is 0xff instead of 0x9f (two reserved bits
478          * disabled) since a Broadcom 1.2 dongle doesn't respond to the
479          * command otherwise */
480         u8 events[8] = { 0xff, 0xff, 0xfb, 0xff, 0x00, 0x00, 0x00, 0x00 };
481
482         /* CSR 1.1 dongles does not accept any bitfield so don't try to set
483          * any event mask for pre 1.2 devices */
484         if (hdev->lmp_ver <= 1)
485                 return;
486
487         events[4] |= 0x01; /* Flow Specification Complete */
488         events[4] |= 0x02; /* Inquiry Result with RSSI */
489         events[4] |= 0x04; /* Read Remote Extended Features Complete */
490         events[5] |= 0x08; /* Synchronous Connection Complete */
491         events[5] |= 0x10; /* Synchronous Connection Changed */
492
493         if (hdev->features[3] & LMP_RSSI_INQ)
494                 events[4] |= 0x04; /* Inquiry Result with RSSI */
495
496         if (hdev->features[5] & LMP_SNIFF_SUBR)
497                 events[5] |= 0x20; /* Sniff Subrating */
498
499         if (hdev->features[5] & LMP_PAUSE_ENC)
500                 events[5] |= 0x80; /* Encryption Key Refresh Complete */
501
502         if (hdev->features[6] & LMP_EXT_INQ)
503                 events[5] |= 0x40; /* Extended Inquiry Result */
504
505         if (hdev->features[6] & LMP_NO_FLUSH)
506                 events[7] |= 0x01; /* Enhanced Flush Complete */
507
508         if (hdev->features[7] & LMP_LSTO)
509                 events[6] |= 0x80; /* Link Supervision Timeout Changed */
510
511         if (hdev->features[6] & LMP_SIMPLE_PAIR) {
512                 events[6] |= 0x01;      /* IO Capability Request */
513                 events[6] |= 0x02;      /* IO Capability Response */
514                 events[6] |= 0x04;      /* User Confirmation Request */
515                 events[6] |= 0x08;      /* User Passkey Request */
516                 events[6] |= 0x10;      /* Remote OOB Data Request */
517                 events[6] |= 0x20;      /* Simple Pairing Complete */
518                 events[7] |= 0x04;      /* User Passkey Notification */
519                 events[7] |= 0x08;      /* Keypress Notification */
520                 events[7] |= 0x10;      /* Remote Host Supported
521                                          * Features Notification */
522         }
523
524         if (hdev->features[4] & LMP_LE)
525                 events[7] |= 0x20;      /* LE Meta-Event */
526
527         hci_send_cmd(hdev, HCI_OP_SET_EVENT_MASK, sizeof(events), events);
528 }
529
530 static void hci_set_le_support(struct hci_dev *hdev)
531 {
532         struct hci_cp_write_le_host_supported cp;
533
534         memset(&cp, 0, sizeof(cp));
535
536         if (enable_le) {
537                 cp.le = 1;
538                 cp.simul = !!(hdev->features[6] & LMP_SIMUL_LE_BR);
539         }
540
541         hci_send_cmd(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED, sizeof(cp), &cp);
542 }
543
544 static void hci_setup(struct hci_dev *hdev)
545 {
546         hci_setup_event_mask(hdev);
547
548         if (hdev->lmp_ver > 1)
549                 hci_send_cmd(hdev, HCI_OP_READ_LOCAL_COMMANDS, 0, NULL);
550
551         if (hdev->features[6] & LMP_SIMPLE_PAIR) {
552                 u8 mode = 0x01;
553                 hci_send_cmd(hdev, HCI_OP_WRITE_SSP_MODE, sizeof(mode), &mode);
554         }
555
556         if (hdev->features[3] & LMP_RSSI_INQ)
557                 hci_setup_inquiry_mode(hdev);
558
559         if (hdev->features[7] & LMP_INQ_TX_PWR)
560                 hci_send_cmd(hdev, HCI_OP_READ_INQ_RSP_TX_POWER, 0, NULL);
561
562         if (hdev->features[7] & LMP_EXTFEATURES) {
563                 struct hci_cp_read_local_ext_features cp;
564
565                 cp.page = 0x01;
566                 hci_send_cmd(hdev, HCI_OP_READ_LOCAL_EXT_FEATURES,
567                                                         sizeof(cp), &cp);
568         }
569
570         if (hdev->features[4] & LMP_LE)
571                 hci_set_le_support(hdev);
572 }
573
574 static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb)
575 {
576         struct hci_rp_read_local_version *rp = (void *) skb->data;
577
578         BT_DBG("%s status 0x%x", hdev->name, rp->status);
579
580         if (rp->status)
581                 return;
582
583         hdev->hci_ver = rp->hci_ver;
584         hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
585         hdev->lmp_ver = rp->lmp_ver;
586         hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
587         hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
588
589         BT_DBG("%s manufacturer %d hci ver %d:%d", hdev->name,
590                                         hdev->manufacturer,
591                                         hdev->hci_ver, hdev->hci_rev);
592
593         if (test_bit(HCI_INIT, &hdev->flags))
594                 hci_setup(hdev);
595 }
596
597 static void hci_setup_link_policy(struct hci_dev *hdev)
598 {
599         u16 link_policy = 0;
600
601         if (hdev->features[0] & LMP_RSWITCH)
602                 link_policy |= HCI_LP_RSWITCH;
603         if (hdev->features[0] & LMP_HOLD)
604                 link_policy |= HCI_LP_HOLD;
605         if (hdev->features[0] & LMP_SNIFF)
606                 link_policy |= HCI_LP_SNIFF;
607         if (hdev->features[1] & LMP_PARK)
608                 link_policy |= HCI_LP_PARK;
609
610         link_policy = cpu_to_le16(link_policy);
611         hci_send_cmd(hdev, HCI_OP_WRITE_DEF_LINK_POLICY,
612                                         sizeof(link_policy), &link_policy);
613 }
614
615 static void hci_cc_read_local_commands(struct hci_dev *hdev, struct sk_buff *skb)
616 {
617         struct hci_rp_read_local_commands *rp = (void *) skb->data;
618
619         BT_DBG("%s status 0x%x", hdev->name, rp->status);
620
621         if (rp->status)
622                 goto done;
623
624         memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
625
626         if (test_bit(HCI_INIT, &hdev->flags) && (hdev->commands[5] & 0x10))
627                 hci_setup_link_policy(hdev);
628
629 done:
630         hci_req_complete(hdev, HCI_OP_READ_LOCAL_COMMANDS, rp->status);
631 }
632
633 static void hci_cc_read_local_features(struct hci_dev *hdev, struct sk_buff *skb)
634 {
635         struct hci_rp_read_local_features *rp = (void *) skb->data;
636
637         BT_DBG("%s status 0x%x", hdev->name, rp->status);
638
639         if (rp->status)
640                 return;
641
642         memcpy(hdev->features, rp->features, 8);
643
644         /* Adjust default settings according to features
645          * supported by device. */
646
647         if (hdev->features[0] & LMP_3SLOT)
648                 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
649
650         if (hdev->features[0] & LMP_5SLOT)
651                 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
652
653         if (hdev->features[1] & LMP_HV2) {
654                 hdev->pkt_type  |= (HCI_HV2);
655                 hdev->esco_type |= (ESCO_HV2);
656         }
657
658         if (hdev->features[1] & LMP_HV3) {
659                 hdev->pkt_type  |= (HCI_HV3);
660                 hdev->esco_type |= (ESCO_HV3);
661         }
662
663         if (hdev->features[3] & LMP_ESCO)
664                 hdev->esco_type |= (ESCO_EV3);
665
666         if (hdev->features[4] & LMP_EV4)
667                 hdev->esco_type |= (ESCO_EV4);
668
669         if (hdev->features[4] & LMP_EV5)
670                 hdev->esco_type |= (ESCO_EV5);
671
672         if (hdev->features[5] & LMP_EDR_ESCO_2M)
673                 hdev->esco_type |= (ESCO_2EV3);
674
675         if (hdev->features[5] & LMP_EDR_ESCO_3M)
676                 hdev->esco_type |= (ESCO_3EV3);
677
678         if (hdev->features[5] & LMP_EDR_3S_ESCO)
679                 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
680
681         BT_DBG("%s features 0x%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x", hdev->name,
682                                         hdev->features[0], hdev->features[1],
683                                         hdev->features[2], hdev->features[3],
684                                         hdev->features[4], hdev->features[5],
685                                         hdev->features[6], hdev->features[7]);
686 }
687
688 static void hci_cc_read_local_ext_features(struct hci_dev *hdev,
689                                                         struct sk_buff *skb)
690 {
691         struct hci_rp_read_local_ext_features *rp = (void *) skb->data;
692
693         BT_DBG("%s status 0x%x", hdev->name, rp->status);
694
695         if (rp->status)
696                 return;
697
698         memcpy(hdev->extfeatures, rp->features, 8);
699
700         hci_req_complete(hdev, HCI_OP_READ_LOCAL_EXT_FEATURES, rp->status);
701 }
702
703 static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)
704 {
705         struct hci_rp_read_buffer_size *rp = (void *) skb->data;
706
707         BT_DBG("%s status 0x%x", hdev->name, rp->status);
708
709         if (rp->status)
710                 return;
711
712         hdev->acl_mtu  = __le16_to_cpu(rp->acl_mtu);
713         hdev->sco_mtu  = rp->sco_mtu;
714         hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
715         hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
716
717         if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
718                 hdev->sco_mtu  = 64;
719                 hdev->sco_pkts = 8;
720         }
721
722         hdev->acl_cnt = hdev->acl_pkts;
723         hdev->sco_cnt = hdev->sco_pkts;
724
725         BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name,
726                                         hdev->acl_mtu, hdev->acl_pkts,
727                                         hdev->sco_mtu, hdev->sco_pkts);
728 }
729
730 static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb)
731 {
732         struct hci_rp_read_bd_addr *rp = (void *) skb->data;
733
734         BT_DBG("%s status 0x%x", hdev->name, rp->status);
735
736         if (!rp->status)
737                 bacpy(&hdev->bdaddr, &rp->bdaddr);
738
739         hci_req_complete(hdev, HCI_OP_READ_BD_ADDR, rp->status);
740 }
741
742 static void hci_cc_write_ca_timeout(struct hci_dev *hdev, struct sk_buff *skb)
743 {
744         __u8 status = *((__u8 *) skb->data);
745
746         BT_DBG("%s status 0x%x", hdev->name, status);
747
748         hci_req_complete(hdev, HCI_OP_WRITE_CA_TIMEOUT, status);
749 }
750
751 static void hci_cc_delete_stored_link_key(struct hci_dev *hdev,
752                                                         struct sk_buff *skb)
753 {
754         __u8 status = *((__u8 *) skb->data);
755
756         BT_DBG("%s status 0x%x", hdev->name, status);
757
758         hci_req_complete(hdev, HCI_OP_DELETE_STORED_LINK_KEY, status);
759 }
760
761 static void hci_cc_set_event_mask(struct hci_dev *hdev, struct sk_buff *skb)
762 {
763         __u8 status = *((__u8 *) skb->data);
764
765         BT_DBG("%s status 0x%x", hdev->name, status);
766
767         hci_req_complete(hdev, HCI_OP_SET_EVENT_MASK, status);
768 }
769
770 static void hci_cc_write_inquiry_mode(struct hci_dev *hdev,
771                                                         struct sk_buff *skb)
772 {
773         __u8 status = *((__u8 *) skb->data);
774
775         BT_DBG("%s status 0x%x", hdev->name, status);
776
777         hci_req_complete(hdev, HCI_OP_WRITE_INQUIRY_MODE, status);
778 }
779
780 static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev,
781                                                         struct sk_buff *skb)
782 {
783         __u8 status = *((__u8 *) skb->data);
784
785         BT_DBG("%s status 0x%x", hdev->name, status);
786
787         hci_req_complete(hdev, HCI_OP_READ_INQ_RSP_TX_POWER, status);
788 }
789
790 static void hci_cc_set_event_flt(struct hci_dev *hdev, struct sk_buff *skb)
791 {
792         __u8 status = *((__u8 *) skb->data);
793
794         BT_DBG("%s status 0x%x", hdev->name, status);
795
796         hci_req_complete(hdev, HCI_OP_SET_EVENT_FLT, status);
797 }
798
799 static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb)
800 {
801         struct hci_rp_pin_code_reply *rp = (void *) skb->data;
802         struct hci_cp_pin_code_reply *cp;
803         struct hci_conn *conn;
804
805         BT_DBG("%s status 0x%x", hdev->name, rp->status);
806
807         if (test_bit(HCI_MGMT, &hdev->flags))
808                 mgmt_pin_code_reply_complete(hdev->id, &rp->bdaddr, rp->status);
809
810         if (rp->status != 0)
811                 return;
812
813         cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
814         if (!cp)
815                 return;
816
817         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
818         if (conn)
819                 conn->pin_length = cp->pin_len;
820 }
821
822 static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)
823 {
824         struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data;
825
826         BT_DBG("%s status 0x%x", hdev->name, rp->status);
827
828         if (test_bit(HCI_MGMT, &hdev->flags))
829                 mgmt_pin_code_neg_reply_complete(hdev->id, &rp->bdaddr,
830                                                                 rp->status);
831 }
832 static void hci_cc_le_read_buffer_size(struct hci_dev *hdev,
833                                        struct sk_buff *skb)
834 {
835         struct hci_rp_le_read_buffer_size *rp = (void *) skb->data;
836
837         BT_DBG("%s status 0x%x", hdev->name, rp->status);
838
839         if (rp->status)
840                 return;
841
842         hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
843         hdev->le_pkts = rp->le_max_pkt;
844
845         hdev->le_cnt = hdev->le_pkts;
846
847         BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
848
849         hci_req_complete(hdev, HCI_OP_LE_READ_BUFFER_SIZE, rp->status);
850 }
851
852 static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb)
853 {
854         struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
855
856         BT_DBG("%s status 0x%x", hdev->name, rp->status);
857
858         if (test_bit(HCI_MGMT, &hdev->flags))
859                 mgmt_user_confirm_reply_complete(hdev->id, &rp->bdaddr,
860                                                                 rp->status);
861 }
862
863 static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev,
864                                                         struct sk_buff *skb)
865 {
866         struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
867
868         BT_DBG("%s status 0x%x", hdev->name, rp->status);
869
870         if (test_bit(HCI_MGMT, &hdev->flags))
871                 mgmt_user_confirm_neg_reply_complete(hdev->id, &rp->bdaddr,
872                                                                 rp->status);
873 }
874
875 static void hci_cc_read_local_oob_data_reply(struct hci_dev *hdev,
876                                                         struct sk_buff *skb)
877 {
878         struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
879
880         BT_DBG("%s status 0x%x", hdev->name, rp->status);
881
882         mgmt_read_local_oob_data_reply_complete(hdev->id, rp->hash,
883                                                 rp->randomizer, rp->status);
884 }
885
886 static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
887                                         struct sk_buff *skb)
888 {
889         struct hci_cp_le_set_scan_enable *cp;
890         __u8 status = *((__u8 *) skb->data);
891
892         BT_DBG("%s status 0x%x", hdev->name, status);
893
894         if (status)
895                 return;
896
897         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
898         if (!cp)
899                 return;
900
901         hci_dev_lock(hdev);
902
903         if (cp->enable == 0x01) {
904                 del_timer(&hdev->adv_timer);
905                 hci_adv_entries_clear(hdev);
906         } else if (cp->enable == 0x00) {
907                 mod_timer(&hdev->adv_timer, jiffies + ADV_CLEAR_TIMEOUT);
908         }
909
910         hci_dev_unlock(hdev);
911 }
912
913 static void hci_cc_le_ltk_reply(struct hci_dev *hdev, struct sk_buff *skb)
914 {
915         struct hci_rp_le_ltk_reply *rp = (void *) skb->data;
916
917         BT_DBG("%s status 0x%x", hdev->name, rp->status);
918
919         if (rp->status)
920                 return;
921
922         hci_req_complete(hdev, HCI_OP_LE_LTK_REPLY, rp->status);
923 }
924
925 static void hci_cc_le_ltk_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)
926 {
927         struct hci_rp_le_ltk_neg_reply *rp = (void *) skb->data;
928
929         BT_DBG("%s status 0x%x", hdev->name, rp->status);
930
931         if (rp->status)
932                 return;
933
934         hci_req_complete(hdev, HCI_OP_LE_LTK_NEG_REPLY, rp->status);
935 }
936
937 static inline void hci_cc_write_le_host_supported(struct hci_dev *hdev,
938                                                         struct sk_buff *skb)
939 {
940         struct hci_cp_read_local_ext_features cp;
941         __u8 status = *((__u8 *) skb->data);
942
943         BT_DBG("%s status 0x%x", hdev->name, status);
944
945         if (status)
946                 return;
947
948         cp.page = 0x01;
949         hci_send_cmd(hdev, HCI_OP_READ_LOCAL_EXT_FEATURES, sizeof(cp), &cp);
950 }
951
952 static inline void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
953 {
954         BT_DBG("%s status 0x%x", hdev->name, status);
955
956         if (status) {
957                 hci_req_complete(hdev, HCI_OP_INQUIRY, status);
958                 hci_conn_check_pending(hdev);
959                 return;
960         }
961
962         if (!test_and_set_bit(HCI_INQUIRY, &hdev->flags) &&
963                                 test_bit(HCI_MGMT, &hdev->flags))
964                 mgmt_discovering(hdev->id, 1);
965 }
966
967 static inline void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
968 {
969         struct hci_cp_create_conn *cp;
970         struct hci_conn *conn;
971
972         BT_DBG("%s status 0x%x", hdev->name, status);
973
974         cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
975         if (!cp)
976                 return;
977
978         hci_dev_lock(hdev);
979
980         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
981
982         BT_DBG("%s bdaddr %s conn %p", hdev->name, batostr(&cp->bdaddr), conn);
983
984         if (status) {
985                 if (conn && conn->state == BT_CONNECT) {
986                         if (status != 0x0c || conn->attempt > 2) {
987                                 conn->state = BT_CLOSED;
988                                 hci_proto_connect_cfm(conn, status);
989                                 hci_conn_del(conn);
990                         } else
991                                 conn->state = BT_CONNECT2;
992                 }
993         } else {
994                 if (!conn) {
995                         conn = hci_conn_add(hdev, ACL_LINK, 0, &cp->bdaddr);
996                         if (conn) {
997                                 conn->out = 1;
998                                 conn->link_mode |= HCI_LM_MASTER;
999                         } else
1000                                 BT_ERR("No memory for new connection");
1001                 }
1002         }
1003
1004         hci_dev_unlock(hdev);
1005 }
1006
1007 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
1008 {
1009         struct hci_cp_add_sco *cp;
1010         struct hci_conn *acl, *sco;
1011         __u16 handle;
1012
1013         BT_DBG("%s status 0x%x", hdev->name, status);
1014
1015         if (!status)
1016                 return;
1017
1018         cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
1019         if (!cp)
1020                 return;
1021
1022         handle = __le16_to_cpu(cp->handle);
1023
1024         BT_DBG("%s handle %d", hdev->name, handle);
1025
1026         hci_dev_lock(hdev);
1027
1028         acl = hci_conn_hash_lookup_handle(hdev, handle);
1029         if (acl) {
1030                 sco = acl->link;
1031                 if (sco) {
1032                         sco->state = BT_CLOSED;
1033
1034                         hci_proto_connect_cfm(sco, status);
1035                         hci_conn_del(sco);
1036                 }
1037         }
1038
1039         hci_dev_unlock(hdev);
1040 }
1041
1042 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
1043 {
1044         struct hci_cp_auth_requested *cp;
1045         struct hci_conn *conn;
1046
1047         BT_DBG("%s status 0x%x", hdev->name, status);
1048
1049         if (!status)
1050                 return;
1051
1052         cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
1053         if (!cp)
1054                 return;
1055
1056         hci_dev_lock(hdev);
1057
1058         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1059         if (conn) {
1060                 if (conn->state == BT_CONFIG) {
1061                         hci_proto_connect_cfm(conn, status);
1062                         hci_conn_put(conn);
1063                 }
1064         }
1065
1066         hci_dev_unlock(hdev);
1067 }
1068
1069 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
1070 {
1071         struct hci_cp_set_conn_encrypt *cp;
1072         struct hci_conn *conn;
1073
1074         BT_DBG("%s status 0x%x", hdev->name, status);
1075
1076         if (!status)
1077                 return;
1078
1079         cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
1080         if (!cp)
1081                 return;
1082
1083         hci_dev_lock(hdev);
1084
1085         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1086         if (conn) {
1087                 if (conn->state == BT_CONFIG) {
1088                         hci_proto_connect_cfm(conn, status);
1089                         hci_conn_put(conn);
1090                 }
1091         }
1092
1093         hci_dev_unlock(hdev);
1094 }
1095
1096 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
1097                                                         struct hci_conn *conn)
1098 {
1099         if (conn->state != BT_CONFIG || !conn->out)
1100                 return 0;
1101
1102         if (conn->pending_sec_level == BT_SECURITY_SDP)
1103                 return 0;
1104
1105         /* Only request authentication for SSP connections or non-SSP
1106          * devices with sec_level HIGH */
1107         if (!(hdev->ssp_mode > 0 && conn->ssp_mode > 0) &&
1108                                 conn->pending_sec_level != BT_SECURITY_HIGH)
1109                 return 0;
1110
1111         return 1;
1112 }
1113
1114 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
1115 {
1116         struct hci_cp_remote_name_req *cp;
1117         struct hci_conn *conn;
1118
1119         BT_DBG("%s status 0x%x", hdev->name, status);
1120
1121         /* If successful wait for the name req complete event before
1122          * checking for the need to do authentication */
1123         if (!status)
1124                 return;
1125
1126         cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
1127         if (!cp)
1128                 return;
1129
1130         hci_dev_lock(hdev);
1131
1132         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1133         if (!conn)
1134                 goto unlock;
1135
1136         if (!hci_outgoing_auth_needed(hdev, conn))
1137                 goto unlock;
1138
1139         if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->pend)) {
1140                 struct hci_cp_auth_requested cp;
1141                 cp.handle = __cpu_to_le16(conn->handle);
1142                 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
1143         }
1144
1145 unlock:
1146         hci_dev_unlock(hdev);
1147 }
1148
1149 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
1150 {
1151         struct hci_cp_read_remote_features *cp;
1152         struct hci_conn *conn;
1153
1154         BT_DBG("%s status 0x%x", hdev->name, status);
1155
1156         if (!status)
1157                 return;
1158
1159         cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
1160         if (!cp)
1161                 return;
1162
1163         hci_dev_lock(hdev);
1164
1165         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1166         if (conn) {
1167                 if (conn->state == BT_CONFIG) {
1168                         hci_proto_connect_cfm(conn, status);
1169                         hci_conn_put(conn);
1170                 }
1171         }
1172
1173         hci_dev_unlock(hdev);
1174 }
1175
1176 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
1177 {
1178         struct hci_cp_read_remote_ext_features *cp;
1179         struct hci_conn *conn;
1180
1181         BT_DBG("%s status 0x%x", hdev->name, status);
1182
1183         if (!status)
1184                 return;
1185
1186         cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
1187         if (!cp)
1188                 return;
1189
1190         hci_dev_lock(hdev);
1191
1192         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1193         if (conn) {
1194                 if (conn->state == BT_CONFIG) {
1195                         hci_proto_connect_cfm(conn, status);
1196                         hci_conn_put(conn);
1197                 }
1198         }
1199
1200         hci_dev_unlock(hdev);
1201 }
1202
1203 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
1204 {
1205         struct hci_cp_setup_sync_conn *cp;
1206         struct hci_conn *acl, *sco;
1207         __u16 handle;
1208
1209         BT_DBG("%s status 0x%x", hdev->name, status);
1210
1211         if (!status)
1212                 return;
1213
1214         cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
1215         if (!cp)
1216                 return;
1217
1218         handle = __le16_to_cpu(cp->handle);
1219
1220         BT_DBG("%s handle %d", hdev->name, handle);
1221
1222         hci_dev_lock(hdev);
1223
1224         acl = hci_conn_hash_lookup_handle(hdev, handle);
1225         if (acl) {
1226                 sco = acl->link;
1227                 if (sco) {
1228                         sco->state = BT_CLOSED;
1229
1230                         hci_proto_connect_cfm(sco, status);
1231                         hci_conn_del(sco);
1232                 }
1233         }
1234
1235         hci_dev_unlock(hdev);
1236 }
1237
1238 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
1239 {
1240         struct hci_cp_sniff_mode *cp;
1241         struct hci_conn *conn;
1242
1243         BT_DBG("%s status 0x%x", hdev->name, status);
1244
1245         if (!status)
1246                 return;
1247
1248         cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
1249         if (!cp)
1250                 return;
1251
1252         hci_dev_lock(hdev);
1253
1254         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1255         if (conn) {
1256                 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->pend);
1257
1258                 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->pend))
1259                         hci_sco_setup(conn, status);
1260         }
1261
1262         hci_dev_unlock(hdev);
1263 }
1264
1265 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
1266 {
1267         struct hci_cp_exit_sniff_mode *cp;
1268         struct hci_conn *conn;
1269
1270         BT_DBG("%s status 0x%x", hdev->name, status);
1271
1272         if (!status)
1273                 return;
1274
1275         cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
1276         if (!cp)
1277                 return;
1278
1279         hci_dev_lock(hdev);
1280
1281         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1282         if (conn) {
1283                 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->pend);
1284
1285                 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->pend))
1286                         hci_sco_setup(conn, status);
1287         }
1288
1289         hci_dev_unlock(hdev);
1290 }
1291
1292 static void hci_cs_le_create_conn(struct hci_dev *hdev, __u8 status)
1293 {
1294         struct hci_cp_le_create_conn *cp;
1295         struct hci_conn *conn;
1296
1297         BT_DBG("%s status 0x%x", hdev->name, status);
1298
1299         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
1300         if (!cp)
1301                 return;
1302
1303         hci_dev_lock(hdev);
1304
1305         conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->peer_addr);
1306
1307         BT_DBG("%s bdaddr %s conn %p", hdev->name, batostr(&cp->peer_addr),
1308                 conn);
1309
1310         if (status) {
1311                 if (conn && conn->state == BT_CONNECT) {
1312                         conn->state = BT_CLOSED;
1313                         hci_proto_connect_cfm(conn, status);
1314                         hci_conn_del(conn);
1315                 }
1316         } else {
1317                 if (!conn) {
1318                         conn = hci_conn_add(hdev, LE_LINK, 0, &cp->peer_addr);
1319                         if (conn) {
1320                                 conn->dst_type = cp->peer_addr_type;
1321                                 conn->out = 1;
1322                         } else {
1323                                 BT_ERR("No memory for new connection");
1324                         }
1325                 }
1326         }
1327
1328         hci_dev_unlock(hdev);
1329 }
1330
1331 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
1332 {
1333         BT_DBG("%s status 0x%x", hdev->name, status);
1334 }
1335
1336 static inline void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1337 {
1338         __u8 status = *((__u8 *) skb->data);
1339
1340         BT_DBG("%s status %d", hdev->name, status);
1341
1342         if (test_and_clear_bit(HCI_INQUIRY, &hdev->flags) &&
1343                                 test_bit(HCI_MGMT, &hdev->flags))
1344                 mgmt_discovering(hdev->id, 0);
1345
1346         hci_req_complete(hdev, HCI_OP_INQUIRY, status);
1347
1348         hci_conn_check_pending(hdev);
1349 }
1350
1351 static inline void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
1352 {
1353         struct inquiry_data data;
1354         struct inquiry_info *info = (void *) (skb->data + 1);
1355         int num_rsp = *((__u8 *) skb->data);
1356
1357         BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
1358
1359         if (!num_rsp)
1360                 return;
1361
1362         hci_dev_lock(hdev);
1363
1364         if (!test_and_set_bit(HCI_INQUIRY, &hdev->flags)) {
1365
1366                 if (test_bit(HCI_MGMT, &hdev->flags))
1367                         mgmt_discovering(hdev->id, 1);
1368         }
1369
1370         for (; num_rsp; num_rsp--, info++) {
1371                 bacpy(&data.bdaddr, &info->bdaddr);
1372                 data.pscan_rep_mode     = info->pscan_rep_mode;
1373                 data.pscan_period_mode  = info->pscan_period_mode;
1374                 data.pscan_mode         = info->pscan_mode;
1375                 memcpy(data.dev_class, info->dev_class, 3);
1376                 data.clock_offset       = info->clock_offset;
1377                 data.rssi               = 0x00;
1378                 data.ssp_mode           = 0x00;
1379                 hci_inquiry_cache_update(hdev, &data);
1380                 mgmt_device_found(hdev->id, &info->bdaddr, info->dev_class, 0,
1381                                                                         NULL);
1382         }
1383
1384         hci_dev_unlock(hdev);
1385 }
1386
1387 static inline void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1388 {
1389         struct hci_ev_conn_complete *ev = (void *) skb->data;
1390         struct hci_conn *conn;
1391
1392         BT_DBG("%s", hdev->name);
1393
1394         hci_dev_lock(hdev);
1395
1396         conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
1397         if (!conn) {
1398                 if (ev->link_type != SCO_LINK)
1399                         goto unlock;
1400
1401                 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
1402                 if (!conn)
1403                         goto unlock;
1404
1405                 conn->type = SCO_LINK;
1406         }
1407
1408         if (!ev->status) {
1409                 conn->handle = __le16_to_cpu(ev->handle);
1410
1411                 if (conn->type == ACL_LINK) {
1412                         conn->state = BT_CONFIG;
1413                         hci_conn_hold(conn);
1414                         conn->disc_timeout = HCI_DISCONN_TIMEOUT;
1415                         mgmt_connected(hdev->id, &ev->bdaddr);
1416                 } else
1417                         conn->state = BT_CONNECTED;
1418
1419                 hci_conn_hold_device(conn);
1420                 hci_conn_add_sysfs(conn);
1421
1422                 if (test_bit(HCI_AUTH, &hdev->flags))
1423                         conn->link_mode |= HCI_LM_AUTH;
1424
1425                 if (test_bit(HCI_ENCRYPT, &hdev->flags))
1426                         conn->link_mode |= HCI_LM_ENCRYPT;
1427
1428                 /* Get remote features */
1429                 if (conn->type == ACL_LINK) {
1430                         struct hci_cp_read_remote_features cp;
1431                         cp.handle = ev->handle;
1432                         hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
1433                                                         sizeof(cp), &cp);
1434                 }
1435
1436                 /* Set packet type for incoming connection */
1437                 if (!conn->out && hdev->hci_ver < 3) {
1438                         struct hci_cp_change_conn_ptype cp;
1439                         cp.handle = ev->handle;
1440                         cp.pkt_type = cpu_to_le16(conn->pkt_type);
1441                         hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE,
1442                                                         sizeof(cp), &cp);
1443                 }
1444         } else {
1445                 conn->state = BT_CLOSED;
1446                 if (conn->type == ACL_LINK)
1447                         mgmt_connect_failed(hdev->id, &ev->bdaddr, ev->status);
1448         }
1449
1450         if (conn->type == ACL_LINK)
1451                 hci_sco_setup(conn, ev->status);
1452
1453         if (ev->status) {
1454                 hci_proto_connect_cfm(conn, ev->status);
1455                 hci_conn_del(conn);
1456         } else if (ev->link_type != ACL_LINK)
1457                 hci_proto_connect_cfm(conn, ev->status);
1458
1459 unlock:
1460         hci_dev_unlock(hdev);
1461
1462         hci_conn_check_pending(hdev);
1463 }
1464
1465 static inline bool is_sco_active(struct hci_dev *hdev)
1466 {
1467         if (hci_conn_hash_lookup_state(hdev, SCO_LINK, BT_CONNECTED) ||
1468                         (hci_conn_hash_lookup_state(hdev, ESCO_LINK,
1469                                                     BT_CONNECTED)))
1470                 return true;
1471         return false;
1472 }
1473
1474 static inline void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
1475 {
1476         struct hci_ev_conn_request *ev = (void *) skb->data;
1477         int mask = hdev->link_mode;
1478
1479         BT_DBG("%s bdaddr %s type 0x%x", hdev->name,
1480                                         batostr(&ev->bdaddr), ev->link_type);
1481
1482         mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type);
1483
1484         if ((mask & HCI_LM_ACCEPT) &&
1485                         !hci_blacklist_lookup(hdev, &ev->bdaddr)) {
1486                 /* Connection accepted */
1487                 struct inquiry_entry *ie;
1488                 struct hci_conn *conn;
1489
1490                 hci_dev_lock(hdev);
1491
1492                 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
1493                 if (ie)
1494                         memcpy(ie->data.dev_class, ev->dev_class, 3);
1495
1496                 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
1497                 if (!conn) {
1498                         /* pkt_type not yet used for incoming connections */
1499                         conn = hci_conn_add(hdev, ev->link_type, 0, &ev->bdaddr);
1500                         if (!conn) {
1501                                 BT_ERR("No memory for new connection");
1502                                 hci_dev_unlock(hdev);
1503                                 return;
1504                         }
1505                 }
1506
1507                 memcpy(conn->dev_class, ev->dev_class, 3);
1508                 conn->state = BT_CONNECT;
1509
1510                 hci_dev_unlock(hdev);
1511
1512                 if (ev->link_type == ACL_LINK || !lmp_esco_capable(hdev)) {
1513                         struct hci_cp_accept_conn_req cp;
1514
1515                         bacpy(&cp.bdaddr, &ev->bdaddr);
1516
1517                         if (lmp_rswitch_capable(hdev) && ((mask & HCI_LM_MASTER)
1518                                                 || is_sco_active(hdev)))
1519                                 cp.role = 0x00; /* Become master */
1520                         else
1521                                 cp.role = 0x01; /* Remain slave */
1522
1523                         hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ,
1524                                                         sizeof(cp), &cp);
1525                 } else {
1526                         struct hci_cp_accept_sync_conn_req cp;
1527
1528                         bacpy(&cp.bdaddr, &ev->bdaddr);
1529                         cp.pkt_type = cpu_to_le16(conn->pkt_type);
1530
1531                         cp.tx_bandwidth   = cpu_to_le32(0x00001f40);
1532                         cp.rx_bandwidth   = cpu_to_le32(0x00001f40);
1533                         cp.max_latency    = cpu_to_le16(0xffff);
1534                         cp.content_format = cpu_to_le16(hdev->voice_setting);
1535                         cp.retrans_effort = 0xff;
1536
1537                         hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ,
1538                                                         sizeof(cp), &cp);
1539                 }
1540         } else {
1541                 /* Connection rejected */
1542                 struct hci_cp_reject_conn_req cp;
1543
1544                 bacpy(&cp.bdaddr, &ev->bdaddr);
1545                 cp.reason = 0x0f;
1546                 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
1547         }
1548 }
1549
1550 static inline void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1551 {
1552         struct hci_ev_disconn_complete *ev = (void *) skb->data;
1553         struct hci_conn *conn;
1554
1555         BT_DBG("%s status %d", hdev->name, ev->status);
1556
1557         if (ev->status) {
1558                 mgmt_disconnect_failed(hdev->id);
1559                 return;
1560         }
1561
1562         hci_dev_lock(hdev);
1563
1564         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
1565         if (!conn)
1566                 goto unlock;
1567
1568         conn->state = BT_CLOSED;
1569
1570         if (conn->type == ACL_LINK || conn->type == LE_LINK)
1571                 mgmt_disconnected(hdev->id, &conn->dst);
1572
1573         hci_proto_disconn_cfm(conn, ev->reason);
1574         hci_conn_del(conn);
1575
1576 unlock:
1577         hci_dev_unlock(hdev);
1578 }
1579
1580 static inline void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1581 {
1582         struct hci_ev_auth_complete *ev = (void *) skb->data;
1583         struct hci_conn *conn;
1584
1585         BT_DBG("%s status %d", hdev->name, ev->status);
1586
1587         hci_dev_lock(hdev);
1588
1589         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
1590         if (!conn)
1591                 goto unlock;
1592
1593         if (!ev->status) {
1594                 if (!(conn->ssp_mode > 0 && hdev->ssp_mode > 0) &&
1595                                 test_bit(HCI_CONN_REAUTH_PEND,  &conn->pend)) {
1596                         BT_INFO("re-auth of legacy device is not possible.");
1597                 } else {
1598                         conn->link_mode |= HCI_LM_AUTH;
1599                         conn->sec_level = conn->pending_sec_level;
1600                 }
1601         } else {
1602                 mgmt_auth_failed(hdev->id, &conn->dst, ev->status);
1603         }
1604
1605         clear_bit(HCI_CONN_AUTH_PEND, &conn->pend);
1606         clear_bit(HCI_CONN_REAUTH_PEND, &conn->pend);
1607
1608         if (conn->state == BT_CONFIG) {
1609                 if (!ev->status && hdev->ssp_mode > 0 && conn->ssp_mode > 0) {
1610                         struct hci_cp_set_conn_encrypt cp;
1611                         cp.handle  = ev->handle;
1612                         cp.encrypt = 0x01;
1613                         hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
1614                                                                         &cp);
1615                 } else {
1616                         conn->state = BT_CONNECTED;
1617                         hci_proto_connect_cfm(conn, ev->status);
1618                         hci_conn_put(conn);
1619                 }
1620         } else {
1621                 hci_auth_cfm(conn, ev->status);
1622
1623                 hci_conn_hold(conn);
1624                 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
1625                 hci_conn_put(conn);
1626         }
1627
1628         if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend)) {
1629                 if (!ev->status) {
1630                         struct hci_cp_set_conn_encrypt cp;
1631                         cp.handle  = ev->handle;
1632                         cp.encrypt = 0x01;
1633                         hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
1634                                                                         &cp);
1635                 } else {
1636                         clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend);
1637                         hci_encrypt_cfm(conn, ev->status, 0x00);
1638                 }
1639         }
1640
1641 unlock:
1642         hci_dev_unlock(hdev);
1643 }
1644
1645 static inline void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb)
1646 {
1647         struct hci_ev_remote_name *ev = (void *) skb->data;
1648         struct hci_conn *conn;
1649
1650         BT_DBG("%s", hdev->name);
1651
1652         hci_conn_check_pending(hdev);
1653
1654         hci_dev_lock(hdev);
1655
1656         if (ev->status == 0 && test_bit(HCI_MGMT, &hdev->flags))
1657                 mgmt_remote_name(hdev->id, &ev->bdaddr, ev->name);
1658
1659         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
1660         if (!conn)
1661                 goto unlock;
1662
1663         if (!hci_outgoing_auth_needed(hdev, conn))
1664                 goto unlock;
1665
1666         if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->pend)) {
1667                 struct hci_cp_auth_requested cp;
1668                 cp.handle = __cpu_to_le16(conn->handle);
1669                 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
1670         }
1671
1672 unlock:
1673         hci_dev_unlock(hdev);
1674 }
1675
1676 static inline void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
1677 {
1678         struct hci_ev_encrypt_change *ev = (void *) skb->data;
1679         struct hci_conn *conn;
1680
1681         BT_DBG("%s status %d", hdev->name, ev->status);
1682
1683         hci_dev_lock(hdev);
1684
1685         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
1686         if (conn) {
1687                 if (!ev->status) {
1688                         if (ev->encrypt) {
1689                                 /* Encryption implies authentication */
1690                                 conn->link_mode |= HCI_LM_AUTH;
1691                                 conn->link_mode |= HCI_LM_ENCRYPT;
1692                                 conn->sec_level = conn->pending_sec_level;
1693                         } else
1694                                 conn->link_mode &= ~HCI_LM_ENCRYPT;
1695                 }
1696
1697                 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend);
1698
1699                 if (conn->state == BT_CONFIG) {
1700                         if (!ev->status)
1701                                 conn->state = BT_CONNECTED;
1702
1703                         hci_proto_connect_cfm(conn, ev->status);
1704                         hci_conn_put(conn);
1705                 } else
1706                         hci_encrypt_cfm(conn, ev->status, ev->encrypt);
1707         }
1708
1709         hci_dev_unlock(hdev);
1710 }
1711
1712 static inline void hci_change_link_key_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1713 {
1714         struct hci_ev_change_link_key_complete *ev = (void *) skb->data;
1715         struct hci_conn *conn;
1716
1717         BT_DBG("%s status %d", hdev->name, ev->status);
1718
1719         hci_dev_lock(hdev);
1720
1721         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
1722         if (conn) {
1723                 if (!ev->status)
1724                         conn->link_mode |= HCI_LM_SECURE;
1725
1726                 clear_bit(HCI_CONN_AUTH_PEND, &conn->pend);
1727
1728                 hci_key_change_cfm(conn, ev->status);
1729         }
1730
1731         hci_dev_unlock(hdev);
1732 }
1733
1734 static inline void hci_remote_features_evt(struct hci_dev *hdev, struct sk_buff *skb)
1735 {
1736         struct hci_ev_remote_features *ev = (void *) skb->data;
1737         struct hci_conn *conn;
1738
1739         BT_DBG("%s status %d", hdev->name, ev->status);
1740
1741         hci_dev_lock(hdev);
1742
1743         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
1744         if (!conn)
1745                 goto unlock;
1746
1747         if (!ev->status)
1748                 memcpy(conn->features, ev->features, 8);
1749
1750         if (conn->state != BT_CONFIG)
1751                 goto unlock;
1752
1753         if (!ev->status && lmp_ssp_capable(hdev) && lmp_ssp_capable(conn)) {
1754                 struct hci_cp_read_remote_ext_features cp;
1755                 cp.handle = ev->handle;
1756                 cp.page = 0x01;
1757                 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
1758                                                         sizeof(cp), &cp);
1759                 goto unlock;
1760         }
1761
1762         if (!ev->status) {
1763                 struct hci_cp_remote_name_req cp;
1764                 memset(&cp, 0, sizeof(cp));
1765                 bacpy(&cp.bdaddr, &conn->dst);
1766                 cp.pscan_rep_mode = 0x02;
1767                 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
1768         }
1769
1770         if (!hci_outgoing_auth_needed(hdev, conn)) {
1771                 conn->state = BT_CONNECTED;
1772                 hci_proto_connect_cfm(conn, ev->status);
1773                 hci_conn_put(conn);
1774         }
1775
1776 unlock:
1777         hci_dev_unlock(hdev);
1778 }
1779
1780 static inline void hci_remote_version_evt(struct hci_dev *hdev, struct sk_buff *skb)
1781 {
1782         BT_DBG("%s", hdev->name);
1783 }
1784
1785 static inline void hci_qos_setup_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1786 {
1787         BT_DBG("%s", hdev->name);
1788 }
1789
1790 static inline void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1791 {
1792         struct hci_ev_cmd_complete *ev = (void *) skb->data;
1793         __u16 opcode;
1794
1795         skb_pull(skb, sizeof(*ev));
1796
1797         opcode = __le16_to_cpu(ev->opcode);
1798
1799         switch (opcode) {
1800         case HCI_OP_INQUIRY_CANCEL:
1801                 hci_cc_inquiry_cancel(hdev, skb);
1802                 break;
1803
1804         case HCI_OP_EXIT_PERIODIC_INQ:
1805                 hci_cc_exit_periodic_inq(hdev, skb);
1806                 break;
1807
1808         case HCI_OP_REMOTE_NAME_REQ_CANCEL:
1809                 hci_cc_remote_name_req_cancel(hdev, skb);
1810                 break;
1811
1812         case HCI_OP_ROLE_DISCOVERY:
1813                 hci_cc_role_discovery(hdev, skb);
1814                 break;
1815
1816         case HCI_OP_READ_LINK_POLICY:
1817                 hci_cc_read_link_policy(hdev, skb);
1818                 break;
1819
1820         case HCI_OP_WRITE_LINK_POLICY:
1821                 hci_cc_write_link_policy(hdev, skb);
1822                 break;
1823
1824         case HCI_OP_READ_DEF_LINK_POLICY:
1825                 hci_cc_read_def_link_policy(hdev, skb);
1826                 break;
1827
1828         case HCI_OP_WRITE_DEF_LINK_POLICY:
1829                 hci_cc_write_def_link_policy(hdev, skb);
1830                 break;
1831
1832         case HCI_OP_RESET:
1833                 hci_cc_reset(hdev, skb);
1834                 break;
1835
1836         case HCI_OP_WRITE_LOCAL_NAME:
1837                 hci_cc_write_local_name(hdev, skb);
1838                 break;
1839
1840         case HCI_OP_READ_LOCAL_NAME:
1841                 hci_cc_read_local_name(hdev, skb);
1842                 break;
1843
1844         case HCI_OP_WRITE_AUTH_ENABLE:
1845                 hci_cc_write_auth_enable(hdev, skb);
1846                 break;
1847
1848         case HCI_OP_WRITE_ENCRYPT_MODE:
1849                 hci_cc_write_encrypt_mode(hdev, skb);
1850                 break;
1851
1852         case HCI_OP_WRITE_SCAN_ENABLE:
1853                 hci_cc_write_scan_enable(hdev, skb);
1854                 break;
1855
1856         case HCI_OP_READ_CLASS_OF_DEV:
1857                 hci_cc_read_class_of_dev(hdev, skb);
1858                 break;
1859
1860         case HCI_OP_WRITE_CLASS_OF_DEV:
1861                 hci_cc_write_class_of_dev(hdev, skb);
1862                 break;
1863
1864         case HCI_OP_READ_VOICE_SETTING:
1865                 hci_cc_read_voice_setting(hdev, skb);
1866                 break;
1867
1868         case HCI_OP_WRITE_VOICE_SETTING:
1869                 hci_cc_write_voice_setting(hdev, skb);
1870                 break;
1871
1872         case HCI_OP_HOST_BUFFER_SIZE:
1873                 hci_cc_host_buffer_size(hdev, skb);
1874                 break;
1875
1876         case HCI_OP_READ_SSP_MODE:
1877                 hci_cc_read_ssp_mode(hdev, skb);
1878                 break;
1879
1880         case HCI_OP_WRITE_SSP_MODE:
1881                 hci_cc_write_ssp_mode(hdev, skb);
1882                 break;
1883
1884         case HCI_OP_READ_LOCAL_VERSION:
1885                 hci_cc_read_local_version(hdev, skb);
1886                 break;
1887
1888         case HCI_OP_READ_LOCAL_COMMANDS:
1889                 hci_cc_read_local_commands(hdev, skb);
1890                 break;
1891
1892         case HCI_OP_READ_LOCAL_FEATURES:
1893                 hci_cc_read_local_features(hdev, skb);
1894                 break;
1895
1896         case HCI_OP_READ_LOCAL_EXT_FEATURES:
1897                 hci_cc_read_local_ext_features(hdev, skb);
1898                 break;
1899
1900         case HCI_OP_READ_BUFFER_SIZE:
1901                 hci_cc_read_buffer_size(hdev, skb);
1902                 break;
1903
1904         case HCI_OP_READ_BD_ADDR:
1905                 hci_cc_read_bd_addr(hdev, skb);
1906                 break;
1907
1908         case HCI_OP_WRITE_CA_TIMEOUT:
1909                 hci_cc_write_ca_timeout(hdev, skb);
1910                 break;
1911
1912         case HCI_OP_DELETE_STORED_LINK_KEY:
1913                 hci_cc_delete_stored_link_key(hdev, skb);
1914                 break;
1915
1916         case HCI_OP_SET_EVENT_MASK:
1917                 hci_cc_set_event_mask(hdev, skb);
1918                 break;
1919
1920         case HCI_OP_WRITE_INQUIRY_MODE:
1921                 hci_cc_write_inquiry_mode(hdev, skb);
1922                 break;
1923
1924         case HCI_OP_READ_INQ_RSP_TX_POWER:
1925                 hci_cc_read_inq_rsp_tx_power(hdev, skb);
1926                 break;
1927
1928         case HCI_OP_SET_EVENT_FLT:
1929                 hci_cc_set_event_flt(hdev, skb);
1930                 break;
1931
1932         case HCI_OP_PIN_CODE_REPLY:
1933                 hci_cc_pin_code_reply(hdev, skb);
1934                 break;
1935
1936         case HCI_OP_PIN_CODE_NEG_REPLY:
1937                 hci_cc_pin_code_neg_reply(hdev, skb);
1938                 break;
1939
1940         case HCI_OP_READ_LOCAL_OOB_DATA:
1941                 hci_cc_read_local_oob_data_reply(hdev, skb);
1942                 break;
1943
1944         case HCI_OP_LE_READ_BUFFER_SIZE:
1945                 hci_cc_le_read_buffer_size(hdev, skb);
1946                 break;
1947
1948         case HCI_OP_USER_CONFIRM_REPLY:
1949                 hci_cc_user_confirm_reply(hdev, skb);
1950                 break;
1951
1952         case HCI_OP_USER_CONFIRM_NEG_REPLY:
1953                 hci_cc_user_confirm_neg_reply(hdev, skb);
1954                 break;
1955
1956         case HCI_OP_LE_SET_SCAN_ENABLE:
1957                 hci_cc_le_set_scan_enable(hdev, skb);
1958                 break;
1959
1960         case HCI_OP_LE_LTK_REPLY:
1961                 hci_cc_le_ltk_reply(hdev, skb);
1962                 break;
1963
1964         case HCI_OP_LE_LTK_NEG_REPLY:
1965                 hci_cc_le_ltk_neg_reply(hdev, skb);
1966                 break;
1967
1968         case HCI_OP_WRITE_LE_HOST_SUPPORTED:
1969                 hci_cc_write_le_host_supported(hdev, skb);
1970                 break;
1971
1972         default:
1973                 BT_DBG("%s opcode 0x%x", hdev->name, opcode);
1974                 break;
1975         }
1976
1977         if (ev->opcode != HCI_OP_NOP)
1978                 del_timer(&hdev->cmd_timer);
1979
1980         if (ev->ncmd) {
1981                 atomic_set(&hdev->cmd_cnt, 1);
1982                 if (!skb_queue_empty(&hdev->cmd_q))
1983                         tasklet_schedule(&hdev->cmd_task);
1984         }
1985 }
1986
1987 static inline void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb)
1988 {
1989         struct hci_ev_cmd_status *ev = (void *) skb->data;
1990         __u16 opcode;
1991
1992         skb_pull(skb, sizeof(*ev));
1993
1994         opcode = __le16_to_cpu(ev->opcode);
1995
1996         switch (opcode) {
1997         case HCI_OP_INQUIRY:
1998                 hci_cs_inquiry(hdev, ev->status);
1999                 break;
2000
2001         case HCI_OP_CREATE_CONN:
2002                 hci_cs_create_conn(hdev, ev->status);
2003                 break;
2004
2005         case HCI_OP_ADD_SCO:
2006                 hci_cs_add_sco(hdev, ev->status);
2007                 break;
2008
2009         case HCI_OP_AUTH_REQUESTED:
2010                 hci_cs_auth_requested(hdev, ev->status);
2011                 break;
2012
2013         case HCI_OP_SET_CONN_ENCRYPT:
2014                 hci_cs_set_conn_encrypt(hdev, ev->status);
2015                 break;
2016
2017         case HCI_OP_REMOTE_NAME_REQ:
2018                 hci_cs_remote_name_req(hdev, ev->status);
2019                 break;
2020
2021         case HCI_OP_READ_REMOTE_FEATURES:
2022                 hci_cs_read_remote_features(hdev, ev->status);
2023                 break;
2024
2025         case HCI_OP_READ_REMOTE_EXT_FEATURES:
2026                 hci_cs_read_remote_ext_features(hdev, ev->status);
2027                 break;
2028
2029         case HCI_OP_SETUP_SYNC_CONN:
2030                 hci_cs_setup_sync_conn(hdev, ev->status);
2031                 break;
2032
2033         case HCI_OP_SNIFF_MODE:
2034                 hci_cs_sniff_mode(hdev, ev->status);
2035                 break;
2036
2037         case HCI_OP_EXIT_SNIFF_MODE:
2038                 hci_cs_exit_sniff_mode(hdev, ev->status);
2039                 break;
2040
2041         case HCI_OP_DISCONNECT:
2042                 if (ev->status != 0)
2043                         mgmt_disconnect_failed(hdev->id);
2044                 break;
2045
2046         case HCI_OP_LE_CREATE_CONN:
2047                 hci_cs_le_create_conn(hdev, ev->status);
2048                 break;
2049
2050         case HCI_OP_LE_START_ENC:
2051                 hci_cs_le_start_enc(hdev, ev->status);
2052                 break;
2053
2054         default:
2055                 BT_DBG("%s opcode 0x%x", hdev->name, opcode);
2056                 break;
2057         }
2058
2059         if (ev->opcode != HCI_OP_NOP)
2060                 del_timer(&hdev->cmd_timer);
2061
2062         if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) {
2063                 atomic_set(&hdev->cmd_cnt, 1);
2064                 if (!skb_queue_empty(&hdev->cmd_q))
2065                         tasklet_schedule(&hdev->cmd_task);
2066         }
2067 }
2068
2069 static inline void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2070 {
2071         struct hci_ev_role_change *ev = (void *) skb->data;
2072         struct hci_conn *conn;
2073
2074         BT_DBG("%s status %d", hdev->name, ev->status);
2075
2076         hci_dev_lock(hdev);
2077
2078         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2079         if (conn) {
2080                 if (!ev->status) {
2081                         if (ev->role)
2082                                 conn->link_mode &= ~HCI_LM_MASTER;
2083                         else
2084                                 conn->link_mode |= HCI_LM_MASTER;
2085                 }
2086
2087                 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->pend);
2088
2089                 hci_role_switch_cfm(conn, ev->status, ev->role);
2090         }
2091
2092         hci_dev_unlock(hdev);
2093 }
2094
2095 static inline void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb)
2096 {
2097         struct hci_ev_num_comp_pkts *ev = (void *) skb->data;
2098         __le16 *ptr;
2099         int i;
2100
2101         skb_pull(skb, sizeof(*ev));
2102
2103         BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl);
2104
2105         if (skb->len < ev->num_hndl * 4) {
2106                 BT_DBG("%s bad parameters", hdev->name);
2107                 return;
2108         }
2109
2110         tasklet_disable(&hdev->tx_task);
2111
2112         for (i = 0, ptr = (__le16 *) skb->data; i < ev->num_hndl; i++) {
2113                 struct hci_conn *conn;
2114                 __u16  handle, count;
2115
2116                 handle = get_unaligned_le16(ptr++);
2117                 count  = get_unaligned_le16(ptr++);
2118
2119                 conn = hci_conn_hash_lookup_handle(hdev, handle);
2120                 if (conn) {
2121                         conn->sent -= count;
2122
2123                         if (conn->type == ACL_LINK) {
2124                                 hdev->acl_cnt += count;
2125                                 if (hdev->acl_cnt > hdev->acl_pkts)
2126                                         hdev->acl_cnt = hdev->acl_pkts;
2127                         } else if (conn->type == LE_LINK) {
2128                                 if (hdev->le_pkts) {
2129                                         hdev->le_cnt += count;
2130                                         if (hdev->le_cnt > hdev->le_pkts)
2131                                                 hdev->le_cnt = hdev->le_pkts;
2132                                 } else {
2133                                         hdev->acl_cnt += count;
2134                                         if (hdev->acl_cnt > hdev->acl_pkts)
2135                                                 hdev->acl_cnt = hdev->acl_pkts;
2136                                 }
2137                         } else {
2138                                 hdev->sco_cnt += count;
2139                                 if (hdev->sco_cnt > hdev->sco_pkts)
2140                                         hdev->sco_cnt = hdev->sco_pkts;
2141                         }
2142                 }
2143         }
2144
2145         tasklet_schedule(&hdev->tx_task);
2146
2147         tasklet_enable(&hdev->tx_task);
2148 }
2149
2150 static inline void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2151 {
2152         struct hci_ev_mode_change *ev = (void *) skb->data;
2153         struct hci_conn *conn;
2154
2155         BT_DBG("%s status %d", hdev->name, ev->status);
2156
2157         hci_dev_lock(hdev);
2158
2159         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2160         if (conn) {
2161                 conn->mode = ev->mode;
2162                 conn->interval = __le16_to_cpu(ev->interval);
2163
2164                 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->pend)) {
2165                         if (conn->mode == HCI_CM_ACTIVE)
2166                                 conn->power_save = 1;
2167                         else
2168                                 conn->power_save = 0;
2169                 }
2170
2171                 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->pend))
2172                         hci_sco_setup(conn, ev->status);
2173         }
2174
2175         hci_dev_unlock(hdev);
2176 }
2177
2178 static inline void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2179 {
2180         struct hci_ev_pin_code_req *ev = (void *) skb->data;
2181         struct hci_conn *conn;
2182
2183         BT_DBG("%s", hdev->name);
2184
2185         hci_dev_lock(hdev);
2186
2187         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2188         if (conn && conn->state == BT_CONNECTED) {
2189                 hci_conn_hold(conn);
2190                 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
2191                 hci_conn_put(conn);
2192         }
2193
2194         if (!test_bit(HCI_PAIRABLE, &hdev->flags))
2195                 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
2196                                         sizeof(ev->bdaddr), &ev->bdaddr);
2197         else if (test_bit(HCI_MGMT, &hdev->flags)) {
2198                 u8 secure;
2199
2200                 if (conn->pending_sec_level == BT_SECURITY_HIGH)
2201                         secure = 1;
2202                 else
2203                         secure = 0;
2204
2205                 mgmt_pin_code_request(hdev->id, &ev->bdaddr, secure);
2206         }
2207
2208         hci_dev_unlock(hdev);
2209 }
2210
2211 static inline void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2212 {
2213         struct hci_ev_link_key_req *ev = (void *) skb->data;
2214         struct hci_cp_link_key_reply cp;
2215         struct hci_conn *conn;
2216         struct link_key *key;
2217
2218         BT_DBG("%s", hdev->name);
2219
2220         if (!test_bit(HCI_LINK_KEYS, &hdev->flags))
2221                 return;
2222
2223         hci_dev_lock(hdev);
2224
2225         key = hci_find_link_key(hdev, &ev->bdaddr);
2226         if (!key) {
2227                 BT_DBG("%s link key not found for %s", hdev->name,
2228                                                         batostr(&ev->bdaddr));
2229                 goto not_found;
2230         }
2231
2232         BT_DBG("%s found key type %u for %s", hdev->name, key->type,
2233                                                         batostr(&ev->bdaddr));
2234
2235         if (!test_bit(HCI_DEBUG_KEYS, &hdev->flags) &&
2236                                 key->type == HCI_LK_DEBUG_COMBINATION) {
2237                 BT_DBG("%s ignoring debug key", hdev->name);
2238                 goto not_found;
2239         }
2240
2241         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2242         if (conn) {
2243                 if (key->type == HCI_LK_UNAUTH_COMBINATION &&
2244                                 conn->auth_type != 0xff &&
2245                                 (conn->auth_type & 0x01)) {
2246                         BT_DBG("%s ignoring unauthenticated key", hdev->name);
2247                         goto not_found;
2248                 }
2249
2250                 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
2251                                 conn->pending_sec_level == BT_SECURITY_HIGH) {
2252                         BT_DBG("%s ignoring key unauthenticated for high \
2253                                                         security", hdev->name);
2254                         goto not_found;
2255                 }
2256
2257                 conn->key_type = key->type;
2258                 conn->pin_length = key->pin_len;
2259         }
2260
2261         bacpy(&cp.bdaddr, &ev->bdaddr);
2262         memcpy(cp.link_key, key->val, 16);
2263
2264         hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
2265
2266         hci_dev_unlock(hdev);
2267
2268         return;
2269
2270 not_found:
2271         hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
2272         hci_dev_unlock(hdev);
2273 }
2274
2275 static inline void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
2276 {
2277         struct hci_ev_link_key_notify *ev = (void *) skb->data;
2278         struct hci_conn *conn;
2279         u8 pin_len = 0;
2280
2281         BT_DBG("%s", hdev->name);
2282
2283         hci_dev_lock(hdev);
2284
2285         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2286         if (conn) {
2287                 hci_conn_hold(conn);
2288                 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2289                 pin_len = conn->pin_length;
2290
2291                 if (ev->key_type != HCI_LK_CHANGED_COMBINATION)
2292                         conn->key_type = ev->key_type;
2293
2294                 hci_conn_put(conn);
2295         }
2296
2297         if (test_bit(HCI_LINK_KEYS, &hdev->flags))
2298                 hci_add_link_key(hdev, conn, 1, &ev->bdaddr, ev->link_key,
2299                                                         ev->key_type, pin_len);
2300
2301         hci_dev_unlock(hdev);
2302 }
2303
2304 static inline void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb)
2305 {
2306         struct hci_ev_clock_offset *ev = (void *) skb->data;
2307         struct hci_conn *conn;
2308
2309         BT_DBG("%s status %d", hdev->name, ev->status);
2310
2311         hci_dev_lock(hdev);
2312
2313         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2314         if (conn && !ev->status) {
2315                 struct inquiry_entry *ie;
2316
2317                 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
2318                 if (ie) {
2319                         ie->data.clock_offset = ev->clock_offset;
2320                         ie->timestamp = jiffies;
2321                 }
2322         }
2323
2324         hci_dev_unlock(hdev);
2325 }
2326
2327 static inline void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2328 {
2329         struct hci_ev_pkt_type_change *ev = (void *) skb->data;
2330         struct hci_conn *conn;
2331
2332         BT_DBG("%s status %d", hdev->name, ev->status);
2333
2334         hci_dev_lock(hdev);
2335
2336         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2337         if (conn && !ev->status)
2338                 conn->pkt_type = __le16_to_cpu(ev->pkt_type);
2339
2340         hci_dev_unlock(hdev);
2341 }
2342
2343 static inline void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb)
2344 {
2345         struct hci_ev_pscan_rep_mode *ev = (void *) skb->data;
2346         struct inquiry_entry *ie;
2347
2348         BT_DBG("%s", hdev->name);
2349
2350         hci_dev_lock(hdev);
2351
2352         ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
2353         if (ie) {
2354                 ie->data.pscan_rep_mode = ev->pscan_rep_mode;
2355                 ie->timestamp = jiffies;
2356         }
2357
2358         hci_dev_unlock(hdev);
2359 }
2360
2361 static inline void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, struct sk_buff *skb)
2362 {
2363         struct inquiry_data data;
2364         int num_rsp = *((__u8 *) skb->data);
2365
2366         BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
2367
2368         if (!num_rsp)
2369                 return;
2370
2371         hci_dev_lock(hdev);
2372
2373         if (!test_and_set_bit(HCI_INQUIRY, &hdev->flags)) {
2374
2375                 if (test_bit(HCI_MGMT, &hdev->flags))
2376                         mgmt_discovering(hdev->id, 1);
2377         }
2378
2379         if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
2380                 struct inquiry_info_with_rssi_and_pscan_mode *info;
2381                 info = (void *) (skb->data + 1);
2382
2383                 for (; num_rsp; num_rsp--, info++) {
2384                         bacpy(&data.bdaddr, &info->bdaddr);
2385                         data.pscan_rep_mode     = info->pscan_rep_mode;
2386                         data.pscan_period_mode  = info->pscan_period_mode;
2387                         data.pscan_mode         = info->pscan_mode;
2388                         memcpy(data.dev_class, info->dev_class, 3);
2389                         data.clock_offset       = info->clock_offset;
2390                         data.rssi               = info->rssi;
2391                         data.ssp_mode           = 0x00;
2392                         hci_inquiry_cache_update(hdev, &data);
2393                         mgmt_device_found(hdev->id, &info->bdaddr,
2394                                                 info->dev_class, info->rssi,
2395                                                 NULL);
2396                 }
2397         } else {
2398                 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
2399
2400                 for (; num_rsp; num_rsp--, info++) {
2401                         bacpy(&data.bdaddr, &info->bdaddr);
2402                         data.pscan_rep_mode     = info->pscan_rep_mode;
2403                         data.pscan_period_mode  = info->pscan_period_mode;
2404                         data.pscan_mode         = 0x00;
2405                         memcpy(data.dev_class, info->dev_class, 3);
2406                         data.clock_offset       = info->clock_offset;
2407                         data.rssi               = info->rssi;
2408                         data.ssp_mode           = 0x00;
2409                         hci_inquiry_cache_update(hdev, &data);
2410                         mgmt_device_found(hdev->id, &info->bdaddr,
2411                                                 info->dev_class, info->rssi,
2412                                                 NULL);
2413                 }
2414         }
2415
2416         hci_dev_unlock(hdev);
2417 }
2418
2419 static inline void hci_remote_ext_features_evt(struct hci_dev *hdev, struct sk_buff *skb)
2420 {
2421         struct hci_ev_remote_ext_features *ev = (void *) skb->data;
2422         struct hci_conn *conn;
2423
2424         BT_DBG("%s", hdev->name);
2425
2426         hci_dev_lock(hdev);
2427
2428         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2429         if (!conn)
2430                 goto unlock;
2431
2432         if (!ev->status && ev->page == 0x01) {
2433                 struct inquiry_entry *ie;
2434
2435                 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
2436                 if (ie)
2437                         ie->data.ssp_mode = (ev->features[0] & 0x01);
2438
2439                 conn->ssp_mode = (ev->features[0] & 0x01);
2440         }
2441
2442         if (conn->state != BT_CONFIG)
2443                 goto unlock;
2444
2445         if (!ev->status) {
2446                 struct hci_cp_remote_name_req cp;
2447                 memset(&cp, 0, sizeof(cp));
2448                 bacpy(&cp.bdaddr, &conn->dst);
2449                 cp.pscan_rep_mode = 0x02;
2450                 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2451         }
2452
2453         if (!hci_outgoing_auth_needed(hdev, conn)) {
2454                 conn->state = BT_CONNECTED;
2455                 hci_proto_connect_cfm(conn, ev->status);
2456                 hci_conn_put(conn);
2457         }
2458
2459 unlock:
2460         hci_dev_unlock(hdev);
2461 }
2462
2463 static inline void hci_sync_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2464 {
2465         struct hci_ev_sync_conn_complete *ev = (void *) skb->data;
2466         struct hci_conn *conn;
2467
2468         BT_DBG("%s status %d", hdev->name, ev->status);
2469
2470         hci_dev_lock(hdev);
2471
2472         conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
2473         if (!conn) {
2474                 if (ev->link_type == ESCO_LINK)
2475                         goto unlock;
2476
2477                 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
2478                 if (!conn)
2479                         goto unlock;
2480
2481                 conn->type = SCO_LINK;
2482         }
2483
2484         switch (ev->status) {
2485         case 0x00:
2486                 conn->handle = __le16_to_cpu(ev->handle);
2487                 conn->state  = BT_CONNECTED;
2488
2489                 hci_conn_hold_device(conn);
2490                 hci_conn_add_sysfs(conn);
2491                 break;
2492
2493         case 0x10:      /* Connection Accept Timeout */
2494         case 0x11:      /* Unsupported Feature or Parameter Value */
2495         case 0x1c:      /* SCO interval rejected */
2496         case 0x1a:      /* Unsupported Remote Feature */
2497         case 0x1f:      /* Unspecified error */
2498                 if (conn->out && conn->attempt < 2) {
2499                         conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
2500                                         (hdev->esco_type & EDR_ESCO_MASK);
2501                         hci_setup_sync(conn, conn->link->handle);
2502                         goto unlock;
2503                 }
2504                 /* fall through */
2505
2506         default:
2507                 conn->state = BT_CLOSED;
2508                 break;
2509         }
2510
2511         hci_proto_connect_cfm(conn, ev->status);
2512         if (ev->status)
2513                 hci_conn_del(conn);
2514
2515 unlock:
2516         hci_dev_unlock(hdev);
2517 }
2518
2519 static inline void hci_sync_conn_changed_evt(struct hci_dev *hdev, struct sk_buff *skb)
2520 {
2521         BT_DBG("%s", hdev->name);
2522 }
2523
2524 static inline void hci_sniff_subrate_evt(struct hci_dev *hdev, struct sk_buff *skb)
2525 {
2526         struct hci_ev_sniff_subrate *ev = (void *) skb->data;
2527
2528         BT_DBG("%s status %d", hdev->name, ev->status);
2529 }
2530
2531 static inline void hci_extended_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
2532 {
2533         struct inquiry_data data;
2534         struct extended_inquiry_info *info = (void *) (skb->data + 1);
2535         int num_rsp = *((__u8 *) skb->data);
2536
2537         BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
2538
2539         if (!num_rsp)
2540                 return;
2541
2542         if (!test_and_set_bit(HCI_INQUIRY, &hdev->flags)) {
2543
2544                 if (test_bit(HCI_MGMT, &hdev->flags))
2545                         mgmt_discovering(hdev->id, 1);
2546         }
2547
2548         hci_dev_lock(hdev);
2549
2550         for (; num_rsp; num_rsp--, info++) {
2551                 bacpy(&data.bdaddr, &info->bdaddr);
2552                 data.pscan_rep_mode     = info->pscan_rep_mode;
2553                 data.pscan_period_mode  = info->pscan_period_mode;
2554                 data.pscan_mode         = 0x00;
2555                 memcpy(data.dev_class, info->dev_class, 3);
2556                 data.clock_offset       = info->clock_offset;
2557                 data.rssi               = info->rssi;
2558                 data.ssp_mode           = 0x01;
2559                 hci_inquiry_cache_update(hdev, &data);
2560                 mgmt_device_found(hdev->id, &info->bdaddr, info->dev_class,
2561                                                 info->rssi, info->data);
2562         }
2563
2564         hci_dev_unlock(hdev);
2565 }
2566
2567 static inline u8 hci_get_auth_req(struct hci_conn *conn)
2568 {
2569         /* If remote requests dedicated bonding follow that lead */
2570         if (conn->remote_auth == 0x02 || conn->remote_auth == 0x03) {
2571                 /* If both remote and local IO capabilities allow MITM
2572                  * protection then require it, otherwise don't */
2573                 if (conn->remote_cap == 0x03 || conn->io_capability == 0x03)
2574                         return 0x02;
2575                 else
2576                         return 0x03;
2577         }
2578
2579         /* If remote requests no-bonding follow that lead */
2580         if (conn->remote_auth == 0x00 || conn->remote_auth == 0x01)
2581                 return conn->remote_auth | (conn->auth_type & 0x01);
2582
2583         return conn->auth_type;
2584 }
2585
2586 static inline void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2587 {
2588         struct hci_ev_io_capa_request *ev = (void *) skb->data;
2589         struct hci_conn *conn;
2590
2591         BT_DBG("%s", hdev->name);
2592
2593         hci_dev_lock(hdev);
2594
2595         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2596         if (!conn)
2597                 goto unlock;
2598
2599         hci_conn_hold(conn);
2600
2601         if (!test_bit(HCI_MGMT, &hdev->flags))
2602                 goto unlock;
2603
2604         if (test_bit(HCI_PAIRABLE, &hdev->flags) ||
2605                         (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
2606                 struct hci_cp_io_capability_reply cp;
2607
2608                 bacpy(&cp.bdaddr, &ev->bdaddr);
2609                 cp.capability = conn->io_capability;
2610                 conn->auth_type = hci_get_auth_req(conn);
2611                 cp.authentication = conn->auth_type;
2612
2613                 if ((conn->out == 0x01 || conn->remote_oob == 0x01) &&
2614                                 hci_find_remote_oob_data(hdev, &conn->dst))
2615                         cp.oob_data = 0x01;
2616                 else
2617                         cp.oob_data = 0x00;
2618
2619                 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
2620                                                         sizeof(cp), &cp);
2621         } else {
2622                 struct hci_cp_io_capability_neg_reply cp;
2623
2624                 bacpy(&cp.bdaddr, &ev->bdaddr);
2625                 cp.reason = 0x18; /* Pairing not allowed */
2626
2627                 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
2628                                                         sizeof(cp), &cp);
2629         }
2630
2631 unlock:
2632         hci_dev_unlock(hdev);
2633 }
2634
2635 static inline void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb)
2636 {
2637         struct hci_ev_io_capa_reply *ev = (void *) skb->data;
2638         struct hci_conn *conn;
2639
2640         BT_DBG("%s", hdev->name);
2641
2642         hci_dev_lock(hdev);
2643
2644         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2645         if (!conn)
2646                 goto unlock;
2647
2648         conn->remote_cap = ev->capability;
2649         conn->remote_oob = ev->oob_data;
2650         conn->remote_auth = ev->authentication;
2651
2652 unlock:
2653         hci_dev_unlock(hdev);
2654 }
2655
2656 static inline void hci_user_confirm_request_evt(struct hci_dev *hdev,
2657                                                         struct sk_buff *skb)
2658 {
2659         struct hci_ev_user_confirm_req *ev = (void *) skb->data;
2660         int loc_mitm, rem_mitm, confirm_hint = 0;
2661         struct hci_conn *conn;
2662
2663         BT_DBG("%s", hdev->name);
2664
2665         hci_dev_lock(hdev);
2666
2667         if (!test_bit(HCI_MGMT, &hdev->flags))
2668                 goto unlock;
2669
2670         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2671         if (!conn)
2672                 goto unlock;
2673
2674         loc_mitm = (conn->auth_type & 0x01);
2675         rem_mitm = (conn->remote_auth & 0x01);
2676
2677         /* If we require MITM but the remote device can't provide that
2678          * (it has NoInputNoOutput) then reject the confirmation
2679          * request. The only exception is when we're dedicated bonding
2680          * initiators (connect_cfm_cb set) since then we always have the MITM
2681          * bit set. */
2682         if (!conn->connect_cfm_cb && loc_mitm && conn->remote_cap == 0x03) {
2683                 BT_DBG("Rejecting request: remote device can't provide MITM");
2684                 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
2685                                         sizeof(ev->bdaddr), &ev->bdaddr);
2686                 goto unlock;
2687         }
2688
2689         /* If no side requires MITM protection; auto-accept */
2690         if ((!loc_mitm || conn->remote_cap == 0x03) &&
2691                                 (!rem_mitm || conn->io_capability == 0x03)) {
2692
2693                 /* If we're not the initiators request authorization to
2694                  * proceed from user space (mgmt_user_confirm with
2695                  * confirm_hint set to 1). */
2696                 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->pend)) {
2697                         BT_DBG("Confirming auto-accept as acceptor");
2698                         confirm_hint = 1;
2699                         goto confirm;
2700                 }
2701
2702                 BT_DBG("Auto-accept of user confirmation with %ums delay",
2703                                                 hdev->auto_accept_delay);
2704
2705                 if (hdev->auto_accept_delay > 0) {
2706                         int delay = msecs_to_jiffies(hdev->auto_accept_delay);
2707                         mod_timer(&conn->auto_accept_timer, jiffies + delay);
2708                         goto unlock;
2709                 }
2710
2711                 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
2712                                                 sizeof(ev->bdaddr), &ev->bdaddr);
2713                 goto unlock;
2714         }
2715
2716 confirm:
2717         mgmt_user_confirm_request(hdev->id, &ev->bdaddr, ev->passkey,
2718                                                                 confirm_hint);
2719
2720 unlock:
2721         hci_dev_unlock(hdev);
2722 }
2723
2724 static inline void hci_simple_pair_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2725 {
2726         struct hci_ev_simple_pair_complete *ev = (void *) skb->data;
2727         struct hci_conn *conn;
2728
2729         BT_DBG("%s", hdev->name);
2730
2731         hci_dev_lock(hdev);
2732
2733         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2734         if (!conn)
2735                 goto unlock;
2736
2737         /* To avoid duplicate auth_failed events to user space we check
2738          * the HCI_CONN_AUTH_PEND flag which will be set if we
2739          * initiated the authentication. A traditional auth_complete
2740          * event gets always produced as initiator and is also mapped to
2741          * the mgmt_auth_failed event */
2742         if (!test_bit(HCI_CONN_AUTH_PEND, &conn->pend) && ev->status != 0)
2743                 mgmt_auth_failed(hdev->id, &conn->dst, ev->status);
2744
2745         hci_conn_put(conn);
2746
2747 unlock:
2748         hci_dev_unlock(hdev);
2749 }
2750
2751 static inline void hci_remote_host_features_evt(struct hci_dev *hdev, struct sk_buff *skb)
2752 {
2753         struct hci_ev_remote_host_features *ev = (void *) skb->data;
2754         struct inquiry_entry *ie;
2755
2756         BT_DBG("%s", hdev->name);
2757
2758         hci_dev_lock(hdev);
2759
2760         ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
2761         if (ie)
2762                 ie->data.ssp_mode = (ev->features[0] & 0x01);
2763
2764         hci_dev_unlock(hdev);
2765 }
2766
2767 static inline void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
2768                                                         struct sk_buff *skb)
2769 {
2770         struct hci_ev_remote_oob_data_request *ev = (void *) skb->data;
2771         struct oob_data *data;
2772
2773         BT_DBG("%s", hdev->name);
2774
2775         hci_dev_lock(hdev);
2776
2777         if (!test_bit(HCI_MGMT, &hdev->flags))
2778                 goto unlock;
2779
2780         data = hci_find_remote_oob_data(hdev, &ev->bdaddr);
2781         if (data) {
2782                 struct hci_cp_remote_oob_data_reply cp;
2783
2784                 bacpy(&cp.bdaddr, &ev->bdaddr);
2785                 memcpy(cp.hash, data->hash, sizeof(cp.hash));
2786                 memcpy(cp.randomizer, data->randomizer, sizeof(cp.randomizer));
2787
2788                 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY, sizeof(cp),
2789                                                                         &cp);
2790         } else {
2791                 struct hci_cp_remote_oob_data_neg_reply cp;
2792
2793                 bacpy(&cp.bdaddr, &ev->bdaddr);
2794                 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY, sizeof(cp),
2795                                                                         &cp);
2796         }
2797
2798 unlock:
2799         hci_dev_unlock(hdev);
2800 }
2801
2802 static inline void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2803 {
2804         struct hci_ev_le_conn_complete *ev = (void *) skb->data;
2805         struct hci_conn *conn;
2806
2807         BT_DBG("%s status %d", hdev->name, ev->status);
2808
2809         hci_dev_lock(hdev);
2810
2811         conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &ev->bdaddr);
2812         if (!conn) {
2813                 conn = hci_conn_add(hdev, LE_LINK, 0, &ev->bdaddr);
2814                 if (!conn) {
2815                         BT_ERR("No memory for new connection");
2816                         hci_dev_unlock(hdev);
2817                         return;
2818                 }
2819
2820                 conn->dst_type = ev->bdaddr_type;
2821         }
2822
2823         if (ev->status) {
2824                 mgmt_connect_failed(hdev->id, &ev->bdaddr, ev->status);
2825                 hci_proto_connect_cfm(conn, ev->status);
2826                 conn->state = BT_CLOSED;
2827                 hci_conn_del(conn);
2828                 goto unlock;
2829         }
2830
2831         mgmt_connected(hdev->id, &ev->bdaddr);
2832
2833         conn->sec_level = BT_SECURITY_LOW;
2834         conn->handle = __le16_to_cpu(ev->handle);
2835         conn->state = BT_CONNECTED;
2836
2837         hci_conn_hold_device(conn);
2838         hci_conn_add_sysfs(conn);
2839
2840         hci_proto_connect_cfm(conn, ev->status);
2841
2842 unlock:
2843         hci_dev_unlock(hdev);
2844 }
2845
2846 static inline void hci_le_adv_report_evt(struct hci_dev *hdev,
2847                                                 struct sk_buff *skb)
2848 {
2849         struct hci_ev_le_advertising_info *ev;
2850         u8 num_reports;
2851
2852         num_reports = skb->data[0];
2853         ev = (void *) &skb->data[1];
2854
2855         hci_dev_lock(hdev);
2856
2857         hci_add_adv_entry(hdev, ev);
2858
2859         while (--num_reports) {
2860                 ev = (void *) (ev->data + ev->length + 1);
2861                 hci_add_adv_entry(hdev, ev);
2862         }
2863
2864         hci_dev_unlock(hdev);
2865 }
2866
2867 static inline void hci_le_ltk_request_evt(struct hci_dev *hdev,
2868                                                 struct sk_buff *skb)
2869 {
2870         struct hci_ev_le_ltk_req *ev = (void *) skb->data;
2871         struct hci_cp_le_ltk_reply cp;
2872         struct hci_cp_le_ltk_neg_reply neg;
2873         struct hci_conn *conn;
2874         struct link_key *ltk;
2875
2876         BT_DBG("%s handle %d", hdev->name, cpu_to_le16(ev->handle));
2877
2878         hci_dev_lock(hdev);
2879
2880         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2881         if (conn == NULL)
2882                 goto not_found;
2883
2884         ltk = hci_find_ltk(hdev, ev->ediv, ev->random);
2885         if (ltk == NULL)
2886                 goto not_found;
2887
2888         memcpy(cp.ltk, ltk->val, sizeof(ltk->val));
2889         cp.handle = cpu_to_le16(conn->handle);
2890         conn->pin_length = ltk->pin_len;
2891
2892         hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
2893
2894         hci_dev_unlock(hdev);
2895
2896         return;
2897
2898 not_found:
2899         neg.handle = ev->handle;
2900         hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
2901         hci_dev_unlock(hdev);
2902 }
2903
2904 static inline void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
2905 {
2906         struct hci_ev_le_meta *le_ev = (void *) skb->data;
2907
2908         skb_pull(skb, sizeof(*le_ev));
2909
2910         switch (le_ev->subevent) {
2911         case HCI_EV_LE_CONN_COMPLETE:
2912                 hci_le_conn_complete_evt(hdev, skb);
2913                 break;
2914
2915         case HCI_EV_LE_ADVERTISING_REPORT:
2916                 hci_le_adv_report_evt(hdev, skb);
2917                 break;
2918
2919         case HCI_EV_LE_LTK_REQ:
2920                 hci_le_ltk_request_evt(hdev, skb);
2921                 break;
2922
2923         default:
2924                 break;
2925         }
2926 }
2927
2928 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
2929 {
2930         struct hci_event_hdr *hdr = (void *) skb->data;
2931         __u8 event = hdr->evt;
2932
2933         skb_pull(skb, HCI_EVENT_HDR_SIZE);
2934
2935         switch (event) {
2936         case HCI_EV_INQUIRY_COMPLETE:
2937                 hci_inquiry_complete_evt(hdev, skb);
2938                 break;
2939
2940         case HCI_EV_INQUIRY_RESULT:
2941                 hci_inquiry_result_evt(hdev, skb);
2942                 break;
2943
2944         case HCI_EV_CONN_COMPLETE:
2945                 hci_conn_complete_evt(hdev, skb);
2946                 break;
2947
2948         case HCI_EV_CONN_REQUEST:
2949                 hci_conn_request_evt(hdev, skb);
2950                 break;
2951
2952         case HCI_EV_DISCONN_COMPLETE:
2953                 hci_disconn_complete_evt(hdev, skb);
2954                 break;
2955
2956         case HCI_EV_AUTH_COMPLETE:
2957                 hci_auth_complete_evt(hdev, skb);
2958                 break;
2959
2960         case HCI_EV_REMOTE_NAME:
2961                 hci_remote_name_evt(hdev, skb);
2962                 break;
2963
2964         case HCI_EV_ENCRYPT_CHANGE:
2965                 hci_encrypt_change_evt(hdev, skb);
2966                 break;
2967
2968         case HCI_EV_CHANGE_LINK_KEY_COMPLETE:
2969                 hci_change_link_key_complete_evt(hdev, skb);
2970                 break;
2971
2972         case HCI_EV_REMOTE_FEATURES:
2973                 hci_remote_features_evt(hdev, skb);
2974                 break;
2975
2976         case HCI_EV_REMOTE_VERSION:
2977                 hci_remote_version_evt(hdev, skb);
2978                 break;
2979
2980         case HCI_EV_QOS_SETUP_COMPLETE:
2981                 hci_qos_setup_complete_evt(hdev, skb);
2982                 break;
2983
2984         case HCI_EV_CMD_COMPLETE:
2985                 hci_cmd_complete_evt(hdev, skb);
2986                 break;
2987
2988         case HCI_EV_CMD_STATUS:
2989                 hci_cmd_status_evt(hdev, skb);
2990                 break;
2991
2992         case HCI_EV_ROLE_CHANGE:
2993                 hci_role_change_evt(hdev, skb);
2994                 break;
2995
2996         case HCI_EV_NUM_COMP_PKTS:
2997                 hci_num_comp_pkts_evt(hdev, skb);
2998                 break;
2999
3000         case HCI_EV_MODE_CHANGE:
3001                 hci_mode_change_evt(hdev, skb);
3002                 break;
3003
3004         case HCI_EV_PIN_CODE_REQ:
3005                 hci_pin_code_request_evt(hdev, skb);
3006                 break;
3007
3008         case HCI_EV_LINK_KEY_REQ:
3009                 hci_link_key_request_evt(hdev, skb);
3010                 break;
3011
3012         case HCI_EV_LINK_KEY_NOTIFY:
3013                 hci_link_key_notify_evt(hdev, skb);
3014                 break;
3015
3016         case HCI_EV_CLOCK_OFFSET:
3017                 hci_clock_offset_evt(hdev, skb);
3018                 break;
3019
3020         case HCI_EV_PKT_TYPE_CHANGE:
3021                 hci_pkt_type_change_evt(hdev, skb);
3022                 break;
3023
3024         case HCI_EV_PSCAN_REP_MODE:
3025                 hci_pscan_rep_mode_evt(hdev, skb);
3026                 break;
3027
3028         case HCI_EV_INQUIRY_RESULT_WITH_RSSI:
3029                 hci_inquiry_result_with_rssi_evt(hdev, skb);
3030                 break;
3031
3032         case HCI_EV_REMOTE_EXT_FEATURES:
3033                 hci_remote_ext_features_evt(hdev, skb);
3034                 break;
3035
3036         case HCI_EV_SYNC_CONN_COMPLETE:
3037                 hci_sync_conn_complete_evt(hdev, skb);
3038                 break;
3039
3040         case HCI_EV_SYNC_CONN_CHANGED:
3041                 hci_sync_conn_changed_evt(hdev, skb);
3042                 break;
3043
3044         case HCI_EV_SNIFF_SUBRATE:
3045                 hci_sniff_subrate_evt(hdev, skb);
3046                 break;
3047
3048         case HCI_EV_EXTENDED_INQUIRY_RESULT:
3049                 hci_extended_inquiry_result_evt(hdev, skb);
3050                 break;
3051
3052         case HCI_EV_IO_CAPA_REQUEST:
3053                 hci_io_capa_request_evt(hdev, skb);
3054                 break;
3055
3056         case HCI_EV_IO_CAPA_REPLY:
3057                 hci_io_capa_reply_evt(hdev, skb);
3058                 break;
3059
3060         case HCI_EV_USER_CONFIRM_REQUEST:
3061                 hci_user_confirm_request_evt(hdev, skb);
3062                 break;
3063
3064         case HCI_EV_SIMPLE_PAIR_COMPLETE:
3065                 hci_simple_pair_complete_evt(hdev, skb);
3066                 break;
3067
3068         case HCI_EV_REMOTE_HOST_FEATURES:
3069                 hci_remote_host_features_evt(hdev, skb);
3070                 break;
3071
3072         case HCI_EV_LE_META:
3073                 hci_le_meta_evt(hdev, skb);
3074                 break;
3075
3076         case HCI_EV_REMOTE_OOB_DATA_REQUEST:
3077                 hci_remote_oob_data_request_evt(hdev, skb);
3078                 break;
3079
3080         default:
3081                 BT_DBG("%s event 0x%x", hdev->name, event);
3082                 break;
3083         }
3084
3085         kfree_skb(skb);
3086         hdev->stat.evt_rx++;
3087 }
3088
3089 /* Generate internal stack event */
3090 void hci_si_event(struct hci_dev *hdev, int type, int dlen, void *data)
3091 {
3092         struct hci_event_hdr *hdr;
3093         struct hci_ev_stack_internal *ev;
3094         struct sk_buff *skb;
3095
3096         skb = bt_skb_alloc(HCI_EVENT_HDR_SIZE + sizeof(*ev) + dlen, GFP_ATOMIC);
3097         if (!skb)
3098                 return;
3099
3100         hdr = (void *) skb_put(skb, HCI_EVENT_HDR_SIZE);
3101         hdr->evt  = HCI_EV_STACK_INTERNAL;
3102         hdr->plen = sizeof(*ev) + dlen;
3103
3104         ev  = (void *) skb_put(skb, sizeof(*ev) + dlen);
3105         ev->type = type;
3106         memcpy(ev->data, data, dlen);
3107
3108         bt_cb(skb)->incoming = 1;
3109         __net_timestamp(skb);
3110
3111         bt_cb(skb)->pkt_type = HCI_EVENT_PKT;
3112         skb->dev = (void *) hdev;
3113         hci_send_to_sock(hdev, skb, NULL);
3114         kfree_skb(skb);
3115 }
3116
3117 module_param(enable_le, bool, 0444);
3118 MODULE_PARM_DESC(enable_le, "Enable LE support");