7ef4eb4435fb4444585e9e8c6b54ef1effd486a9
[linux-2.6.git] / net / bluetooth / hci_event.c
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
4
5    Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
6
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License version 2 as
9    published by the Free Software Foundation;
10
11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19
20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22    SOFTWARE IS DISCLAIMED.
23 */
24
25 /* Bluetooth HCI event handling. */
26
27 #include <linux/module.h>
28
29 #include <linux/types.h>
30 #include <linux/errno.h>
31 #include <linux/kernel.h>
32 #include <linux/slab.h>
33 #include <linux/poll.h>
34 #include <linux/fcntl.h>
35 #include <linux/init.h>
36 #include <linux/skbuff.h>
37 #include <linux/interrupt.h>
38 #include <linux/notifier.h>
39 #include <net/sock.h>
40
41 #include <asm/system.h>
42 #include <linux/uaccess.h>
43 #include <asm/unaligned.h>
44
45 #include <net/bluetooth/bluetooth.h>
46 #include <net/bluetooth/hci_core.h>
47
48 static int enable_le;
49
50 /* Handle HCI Event packets */
51
52 static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb)
53 {
54         __u8 status = *((__u8 *) skb->data);
55
56         BT_DBG("%s status 0x%x", hdev->name, status);
57
58         if (status)
59                 return;
60
61         if (test_and_clear_bit(HCI_INQUIRY, &hdev->flags) &&
62                         test_bit(HCI_MGMT, &hdev->flags))
63                 mgmt_discovering(hdev->id, 0);
64
65         hci_req_complete(hdev, HCI_OP_INQUIRY_CANCEL, status);
66
67         hci_conn_check_pending(hdev);
68 }
69
70 static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
71 {
72         __u8 status = *((__u8 *) skb->data);
73
74         BT_DBG("%s status 0x%x", hdev->name, status);
75
76         if (status)
77                 return;
78
79         if (test_and_clear_bit(HCI_INQUIRY, &hdev->flags) &&
80                                 test_bit(HCI_MGMT, &hdev->flags))
81                 mgmt_discovering(hdev->id, 0);
82
83         hci_conn_check_pending(hdev);
84 }
85
86 static void hci_cc_remote_name_req_cancel(struct hci_dev *hdev, struct sk_buff *skb)
87 {
88         BT_DBG("%s", hdev->name);
89 }
90
91 static void hci_cc_role_discovery(struct hci_dev *hdev, struct sk_buff *skb)
92 {
93         struct hci_rp_role_discovery *rp = (void *) skb->data;
94         struct hci_conn *conn;
95
96         BT_DBG("%s status 0x%x", hdev->name, rp->status);
97
98         if (rp->status)
99                 return;
100
101         hci_dev_lock(hdev);
102
103         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
104         if (conn) {
105                 if (rp->role)
106                         conn->link_mode &= ~HCI_LM_MASTER;
107                 else
108                         conn->link_mode |= HCI_LM_MASTER;
109         }
110
111         hci_dev_unlock(hdev);
112 }
113
114 static void hci_cc_read_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
115 {
116         struct hci_rp_read_link_policy *rp = (void *) skb->data;
117         struct hci_conn *conn;
118
119         BT_DBG("%s status 0x%x", hdev->name, rp->status);
120
121         if (rp->status)
122                 return;
123
124         hci_dev_lock(hdev);
125
126         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
127         if (conn)
128                 conn->link_policy = __le16_to_cpu(rp->policy);
129
130         hci_dev_unlock(hdev);
131 }
132
133 static void hci_cc_write_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
134 {
135         struct hci_rp_write_link_policy *rp = (void *) skb->data;
136         struct hci_conn *conn;
137         void *sent;
138
139         BT_DBG("%s status 0x%x", hdev->name, rp->status);
140
141         if (rp->status)
142                 return;
143
144         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
145         if (!sent)
146                 return;
147
148         hci_dev_lock(hdev);
149
150         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
151         if (conn)
152                 conn->link_policy = get_unaligned_le16(sent + 2);
153
154         hci_dev_unlock(hdev);
155 }
156
157 static void hci_cc_read_def_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
158 {
159         struct hci_rp_read_def_link_policy *rp = (void *) skb->data;
160
161         BT_DBG("%s status 0x%x", hdev->name, rp->status);
162
163         if (rp->status)
164                 return;
165
166         hdev->link_policy = __le16_to_cpu(rp->policy);
167 }
168
169 static void hci_cc_write_def_link_policy(struct hci_dev *hdev, struct sk_buff *skb)
170 {
171         __u8 status = *((__u8 *) skb->data);
172         void *sent;
173
174         BT_DBG("%s status 0x%x", hdev->name, status);
175
176         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
177         if (!sent)
178                 return;
179
180         if (!status)
181                 hdev->link_policy = get_unaligned_le16(sent);
182
183         hci_req_complete(hdev, HCI_OP_WRITE_DEF_LINK_POLICY, status);
184 }
185
186 static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb)
187 {
188         __u8 status = *((__u8 *) skb->data);
189
190         BT_DBG("%s status 0x%x", hdev->name, status);
191
192         clear_bit(HCI_RESET, &hdev->flags);
193
194         hci_req_complete(hdev, HCI_OP_RESET, status);
195 }
196
197 static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb)
198 {
199         __u8 status = *((__u8 *) skb->data);
200         void *sent;
201
202         BT_DBG("%s status 0x%x", hdev->name, status);
203
204         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
205         if (!sent)
206                 return;
207
208         if (test_bit(HCI_MGMT, &hdev->flags))
209                 mgmt_set_local_name_complete(hdev->id, sent, status);
210
211         if (status)
212                 return;
213
214         memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
215 }
216
217 static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)
218 {
219         struct hci_rp_read_local_name *rp = (void *) skb->data;
220
221         BT_DBG("%s status 0x%x", hdev->name, rp->status);
222
223         if (rp->status)
224                 return;
225
226         memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
227 }
228
229 static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb)
230 {
231         __u8 status = *((__u8 *) skb->data);
232         void *sent;
233
234         BT_DBG("%s status 0x%x", hdev->name, status);
235
236         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
237         if (!sent)
238                 return;
239
240         if (!status) {
241                 __u8 param = *((__u8 *) sent);
242
243                 if (param == AUTH_ENABLED)
244                         set_bit(HCI_AUTH, &hdev->flags);
245                 else
246                         clear_bit(HCI_AUTH, &hdev->flags);
247         }
248
249         hci_req_complete(hdev, HCI_OP_WRITE_AUTH_ENABLE, status);
250 }
251
252 static void hci_cc_write_encrypt_mode(struct hci_dev *hdev, struct sk_buff *skb)
253 {
254         __u8 status = *((__u8 *) skb->data);
255         void *sent;
256
257         BT_DBG("%s status 0x%x", hdev->name, status);
258
259         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
260         if (!sent)
261                 return;
262
263         if (!status) {
264                 __u8 param = *((__u8 *) sent);
265
266                 if (param)
267                         set_bit(HCI_ENCRYPT, &hdev->flags);
268                 else
269                         clear_bit(HCI_ENCRYPT, &hdev->flags);
270         }
271
272         hci_req_complete(hdev, HCI_OP_WRITE_ENCRYPT_MODE, status);
273 }
274
275 static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb)
276 {
277         __u8 status = *((__u8 *) skb->data);
278         void *sent;
279
280         BT_DBG("%s status 0x%x", hdev->name, status);
281
282         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
283         if (!sent)
284                 return;
285
286         if (!status) {
287                 __u8 param = *((__u8 *) sent);
288                 int old_pscan, old_iscan;
289
290                 old_pscan = test_and_clear_bit(HCI_PSCAN, &hdev->flags);
291                 old_iscan = test_and_clear_bit(HCI_ISCAN, &hdev->flags);
292
293                 if (param & SCAN_INQUIRY) {
294                         set_bit(HCI_ISCAN, &hdev->flags);
295                         if (!old_iscan)
296                                 mgmt_discoverable(hdev->id, 1);
297                 } else if (old_iscan)
298                         mgmt_discoverable(hdev->id, 0);
299
300                 if (param & SCAN_PAGE) {
301                         set_bit(HCI_PSCAN, &hdev->flags);
302                         if (!old_pscan)
303                                 mgmt_connectable(hdev->id, 1);
304                 } else if (old_pscan)
305                         mgmt_connectable(hdev->id, 0);
306         }
307
308         hci_req_complete(hdev, HCI_OP_WRITE_SCAN_ENABLE, status);
309 }
310
311 static void hci_cc_read_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
312 {
313         struct hci_rp_read_class_of_dev *rp = (void *) skb->data;
314
315         BT_DBG("%s status 0x%x", hdev->name, rp->status);
316
317         if (rp->status)
318                 return;
319
320         memcpy(hdev->dev_class, rp->dev_class, 3);
321
322         BT_DBG("%s class 0x%.2x%.2x%.2x", hdev->name,
323                 hdev->dev_class[2], hdev->dev_class[1], hdev->dev_class[0]);
324 }
325
326 static void hci_cc_write_class_of_dev(struct hci_dev *hdev, struct sk_buff *skb)
327 {
328         __u8 status = *((__u8 *) skb->data);
329         void *sent;
330
331         BT_DBG("%s status 0x%x", hdev->name, status);
332
333         if (status)
334                 return;
335
336         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
337         if (!sent)
338                 return;
339
340         memcpy(hdev->dev_class, sent, 3);
341 }
342
343 static void hci_cc_read_voice_setting(struct hci_dev *hdev, struct sk_buff *skb)
344 {
345         struct hci_rp_read_voice_setting *rp = (void *) skb->data;
346         __u16 setting;
347
348         BT_DBG("%s status 0x%x", hdev->name, rp->status);
349
350         if (rp->status)
351                 return;
352
353         setting = __le16_to_cpu(rp->voice_setting);
354
355         if (hdev->voice_setting == setting)
356                 return;
357
358         hdev->voice_setting = setting;
359
360         BT_DBG("%s voice setting 0x%04x", hdev->name, setting);
361
362         if (hdev->notify) {
363                 tasklet_disable(&hdev->tx_task);
364                 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
365                 tasklet_enable(&hdev->tx_task);
366         }
367 }
368
369 static void hci_cc_write_voice_setting(struct hci_dev *hdev, struct sk_buff *skb)
370 {
371         __u8 status = *((__u8 *) skb->data);
372         __u16 setting;
373         void *sent;
374
375         BT_DBG("%s status 0x%x", hdev->name, status);
376
377         if (status)
378                 return;
379
380         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
381         if (!sent)
382                 return;
383
384         setting = get_unaligned_le16(sent);
385
386         if (hdev->voice_setting == setting)
387                 return;
388
389         hdev->voice_setting = setting;
390
391         BT_DBG("%s voice setting 0x%04x", hdev->name, setting);
392
393         if (hdev->notify) {
394                 tasklet_disable(&hdev->tx_task);
395                 hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
396                 tasklet_enable(&hdev->tx_task);
397         }
398 }
399
400 static void hci_cc_host_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)
401 {
402         __u8 status = *((__u8 *) skb->data);
403
404         BT_DBG("%s status 0x%x", hdev->name, status);
405
406         hci_req_complete(hdev, HCI_OP_HOST_BUFFER_SIZE, status);
407 }
408
409 static void hci_cc_read_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
410 {
411         struct hci_rp_read_ssp_mode *rp = (void *) skb->data;
412
413         BT_DBG("%s status 0x%x", hdev->name, rp->status);
414
415         if (rp->status)
416                 return;
417
418         hdev->ssp_mode = rp->mode;
419 }
420
421 static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
422 {
423         __u8 status = *((__u8 *) skb->data);
424         void *sent;
425
426         BT_DBG("%s status 0x%x", hdev->name, status);
427
428         if (status)
429                 return;
430
431         sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
432         if (!sent)
433                 return;
434
435         hdev->ssp_mode = *((__u8 *) sent);
436 }
437
438 static u8 hci_get_inquiry_mode(struct hci_dev *hdev)
439 {
440         if (hdev->features[6] & LMP_EXT_INQ)
441                 return 2;
442
443         if (hdev->features[3] & LMP_RSSI_INQ)
444                 return 1;
445
446         if (hdev->manufacturer == 11 && hdev->hci_rev == 0x00 &&
447                                                 hdev->lmp_subver == 0x0757)
448                 return 1;
449
450         if (hdev->manufacturer == 15) {
451                 if (hdev->hci_rev == 0x03 && hdev->lmp_subver == 0x6963)
452                         return 1;
453                 if (hdev->hci_rev == 0x09 && hdev->lmp_subver == 0x6963)
454                         return 1;
455                 if (hdev->hci_rev == 0x00 && hdev->lmp_subver == 0x6965)
456                         return 1;
457         }
458
459         if (hdev->manufacturer == 31 && hdev->hci_rev == 0x2005 &&
460                                                 hdev->lmp_subver == 0x1805)
461                 return 1;
462
463         return 0;
464 }
465
466 static void hci_setup_inquiry_mode(struct hci_dev *hdev)
467 {
468         u8 mode;
469
470         mode = hci_get_inquiry_mode(hdev);
471
472         hci_send_cmd(hdev, HCI_OP_WRITE_INQUIRY_MODE, 1, &mode);
473 }
474
475 static void hci_setup_event_mask(struct hci_dev *hdev)
476 {
477         /* The second byte is 0xff instead of 0x9f (two reserved bits
478          * disabled) since a Broadcom 1.2 dongle doesn't respond to the
479          * command otherwise */
480         u8 events[8] = { 0xff, 0xff, 0xfb, 0xff, 0x00, 0x00, 0x00, 0x00 };
481
482         /* CSR 1.1 dongles does not accept any bitfield so don't try to set
483          * any event mask for pre 1.2 devices */
484         if (hdev->lmp_ver <= 1)
485                 return;
486
487         events[4] |= 0x01; /* Flow Specification Complete */
488         events[4] |= 0x02; /* Inquiry Result with RSSI */
489         events[4] |= 0x04; /* Read Remote Extended Features Complete */
490         events[5] |= 0x08; /* Synchronous Connection Complete */
491         events[5] |= 0x10; /* Synchronous Connection Changed */
492
493         if (hdev->features[3] & LMP_RSSI_INQ)
494                 events[4] |= 0x04; /* Inquiry Result with RSSI */
495
496         if (hdev->features[5] & LMP_SNIFF_SUBR)
497                 events[5] |= 0x20; /* Sniff Subrating */
498
499         if (hdev->features[5] & LMP_PAUSE_ENC)
500                 events[5] |= 0x80; /* Encryption Key Refresh Complete */
501
502         if (hdev->features[6] & LMP_EXT_INQ)
503                 events[5] |= 0x40; /* Extended Inquiry Result */
504
505         if (hdev->features[6] & LMP_NO_FLUSH)
506                 events[7] |= 0x01; /* Enhanced Flush Complete */
507
508         if (hdev->features[7] & LMP_LSTO)
509                 events[6] |= 0x80; /* Link Supervision Timeout Changed */
510
511         if (hdev->features[6] & LMP_SIMPLE_PAIR) {
512                 events[6] |= 0x01;      /* IO Capability Request */
513                 events[6] |= 0x02;      /* IO Capability Response */
514                 events[6] |= 0x04;      /* User Confirmation Request */
515                 events[6] |= 0x08;      /* User Passkey Request */
516                 events[6] |= 0x10;      /* Remote OOB Data Request */
517                 events[6] |= 0x20;      /* Simple Pairing Complete */
518                 events[7] |= 0x04;      /* User Passkey Notification */
519                 events[7] |= 0x08;      /* Keypress Notification */
520                 events[7] |= 0x10;      /* Remote Host Supported
521                                          * Features Notification */
522         }
523
524         if (hdev->features[4] & LMP_LE)
525                 events[7] |= 0x20;      /* LE Meta-Event */
526
527         hci_send_cmd(hdev, HCI_OP_SET_EVENT_MASK, sizeof(events), events);
528 }
529
530 static void hci_set_le_support(struct hci_dev *hdev)
531 {
532         struct hci_cp_write_le_host_supported cp;
533
534         memset(&cp, 0, sizeof(cp));
535
536         if (enable_le) {
537                 cp.le = 1;
538                 cp.simul = !!(hdev->features[6] & LMP_SIMUL_LE_BR);
539         }
540
541         hci_send_cmd(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED, sizeof(cp), &cp);
542 }
543
544 static void hci_setup(struct hci_dev *hdev)
545 {
546         hci_setup_event_mask(hdev);
547
548         if (hdev->lmp_ver > 1)
549                 hci_send_cmd(hdev, HCI_OP_READ_LOCAL_COMMANDS, 0, NULL);
550
551         if (hdev->features[6] & LMP_SIMPLE_PAIR) {
552                 u8 mode = 0x01;
553                 hci_send_cmd(hdev, HCI_OP_WRITE_SSP_MODE, sizeof(mode), &mode);
554         }
555
556         if (hdev->features[3] & LMP_RSSI_INQ)
557                 hci_setup_inquiry_mode(hdev);
558
559         if (hdev->features[7] & LMP_INQ_TX_PWR)
560                 hci_send_cmd(hdev, HCI_OP_READ_INQ_RSP_TX_POWER, 0, NULL);
561
562         if (hdev->features[7] & LMP_EXTFEATURES) {
563                 struct hci_cp_read_local_ext_features cp;
564
565                 cp.page = 0x01;
566                 hci_send_cmd(hdev, HCI_OP_READ_LOCAL_EXT_FEATURES,
567                                                         sizeof(cp), &cp);
568         }
569
570         if (hdev->features[4] & LMP_LE)
571                 hci_set_le_support(hdev);
572 }
573
574 static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb)
575 {
576         struct hci_rp_read_local_version *rp = (void *) skb->data;
577
578         BT_DBG("%s status 0x%x", hdev->name, rp->status);
579
580         if (rp->status)
581                 return;
582
583         hdev->hci_ver = rp->hci_ver;
584         hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
585         hdev->lmp_ver = rp->lmp_ver;
586         hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
587         hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
588
589         BT_DBG("%s manufacturer %d hci ver %d:%d", hdev->name,
590                                         hdev->manufacturer,
591                                         hdev->hci_ver, hdev->hci_rev);
592
593         if (test_bit(HCI_INIT, &hdev->flags))
594                 hci_setup(hdev);
595 }
596
597 static void hci_setup_link_policy(struct hci_dev *hdev)
598 {
599         u16 link_policy = 0;
600
601         if (hdev->features[0] & LMP_RSWITCH)
602                 link_policy |= HCI_LP_RSWITCH;
603         if (hdev->features[0] & LMP_HOLD)
604                 link_policy |= HCI_LP_HOLD;
605         if (hdev->features[0] & LMP_SNIFF)
606                 link_policy |= HCI_LP_SNIFF;
607         if (hdev->features[1] & LMP_PARK)
608                 link_policy |= HCI_LP_PARK;
609
610         link_policy = cpu_to_le16(link_policy);
611         hci_send_cmd(hdev, HCI_OP_WRITE_DEF_LINK_POLICY,
612                                         sizeof(link_policy), &link_policy);
613 }
614
615 static void hci_cc_read_local_commands(struct hci_dev *hdev, struct sk_buff *skb)
616 {
617         struct hci_rp_read_local_commands *rp = (void *) skb->data;
618
619         BT_DBG("%s status 0x%x", hdev->name, rp->status);
620
621         if (rp->status)
622                 goto done;
623
624         memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
625
626         if (test_bit(HCI_INIT, &hdev->flags) && (hdev->commands[5] & 0x10))
627                 hci_setup_link_policy(hdev);
628
629 done:
630         hci_req_complete(hdev, HCI_OP_READ_LOCAL_COMMANDS, rp->status);
631 }
632
633 static void hci_cc_read_local_features(struct hci_dev *hdev, struct sk_buff *skb)
634 {
635         struct hci_rp_read_local_features *rp = (void *) skb->data;
636
637         BT_DBG("%s status 0x%x", hdev->name, rp->status);
638
639         if (rp->status)
640                 return;
641
642         memcpy(hdev->features, rp->features, 8);
643
644         /* Adjust default settings according to features
645          * supported by device. */
646
647         if (hdev->features[0] & LMP_3SLOT)
648                 hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
649
650         if (hdev->features[0] & LMP_5SLOT)
651                 hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
652
653         if (hdev->features[1] & LMP_HV2) {
654                 hdev->pkt_type  |= (HCI_HV2);
655                 hdev->esco_type |= (ESCO_HV2);
656         }
657
658         if (hdev->features[1] & LMP_HV3) {
659                 hdev->pkt_type  |= (HCI_HV3);
660                 hdev->esco_type |= (ESCO_HV3);
661         }
662
663         if (hdev->features[3] & LMP_ESCO)
664                 hdev->esco_type |= (ESCO_EV3);
665
666         if (hdev->features[4] & LMP_EV4)
667                 hdev->esco_type |= (ESCO_EV4);
668
669         if (hdev->features[4] & LMP_EV5)
670                 hdev->esco_type |= (ESCO_EV5);
671
672         if (hdev->features[5] & LMP_EDR_ESCO_2M)
673                 hdev->esco_type |= (ESCO_2EV3);
674
675         if (hdev->features[5] & LMP_EDR_ESCO_3M)
676                 hdev->esco_type |= (ESCO_3EV3);
677
678         if (hdev->features[5] & LMP_EDR_3S_ESCO)
679                 hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
680
681         BT_DBG("%s features 0x%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x", hdev->name,
682                                         hdev->features[0], hdev->features[1],
683                                         hdev->features[2], hdev->features[3],
684                                         hdev->features[4], hdev->features[5],
685                                         hdev->features[6], hdev->features[7]);
686 }
687
688 static void hci_cc_read_local_ext_features(struct hci_dev *hdev,
689                                                         struct sk_buff *skb)
690 {
691         struct hci_rp_read_local_ext_features *rp = (void *) skb->data;
692
693         BT_DBG("%s status 0x%x", hdev->name, rp->status);
694
695         if (rp->status)
696                 return;
697
698         memcpy(hdev->extfeatures, rp->features, 8);
699
700         hci_req_complete(hdev, HCI_OP_READ_LOCAL_EXT_FEATURES, rp->status);
701 }
702
703 static void hci_cc_read_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)
704 {
705         struct hci_rp_read_buffer_size *rp = (void *) skb->data;
706
707         BT_DBG("%s status 0x%x", hdev->name, rp->status);
708
709         if (rp->status)
710                 return;
711
712         hdev->acl_mtu  = __le16_to_cpu(rp->acl_mtu);
713         hdev->sco_mtu  = rp->sco_mtu;
714         hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
715         hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
716
717         if (test_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks)) {
718                 hdev->sco_mtu  = 64;
719                 hdev->sco_pkts = 8;
720         }
721
722         hdev->acl_cnt = hdev->acl_pkts;
723         hdev->sco_cnt = hdev->sco_pkts;
724
725         BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name,
726                                         hdev->acl_mtu, hdev->acl_pkts,
727                                         hdev->sco_mtu, hdev->sco_pkts);
728 }
729
730 static void hci_cc_read_bd_addr(struct hci_dev *hdev, struct sk_buff *skb)
731 {
732         struct hci_rp_read_bd_addr *rp = (void *) skb->data;
733
734         BT_DBG("%s status 0x%x", hdev->name, rp->status);
735
736         if (!rp->status)
737                 bacpy(&hdev->bdaddr, &rp->bdaddr);
738
739         hci_req_complete(hdev, HCI_OP_READ_BD_ADDR, rp->status);
740 }
741
742 static void hci_cc_write_ca_timeout(struct hci_dev *hdev, struct sk_buff *skb)
743 {
744         __u8 status = *((__u8 *) skb->data);
745
746         BT_DBG("%s status 0x%x", hdev->name, status);
747
748         hci_req_complete(hdev, HCI_OP_WRITE_CA_TIMEOUT, status);
749 }
750
751 static void hci_cc_delete_stored_link_key(struct hci_dev *hdev,
752                                                         struct sk_buff *skb)
753 {
754         __u8 status = *((__u8 *) skb->data);
755
756         BT_DBG("%s status 0x%x", hdev->name, status);
757
758         hci_req_complete(hdev, HCI_OP_DELETE_STORED_LINK_KEY, status);
759 }
760
761 static void hci_cc_set_event_mask(struct hci_dev *hdev, struct sk_buff *skb)
762 {
763         __u8 status = *((__u8 *) skb->data);
764
765         BT_DBG("%s status 0x%x", hdev->name, status);
766
767         hci_req_complete(hdev, HCI_OP_SET_EVENT_MASK, status);
768 }
769
770 static void hci_cc_write_inquiry_mode(struct hci_dev *hdev,
771                                                         struct sk_buff *skb)
772 {
773         __u8 status = *((__u8 *) skb->data);
774
775         BT_DBG("%s status 0x%x", hdev->name, status);
776
777         hci_req_complete(hdev, HCI_OP_WRITE_INQUIRY_MODE, status);
778 }
779
780 static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev,
781                                                         struct sk_buff *skb)
782 {
783         __u8 status = *((__u8 *) skb->data);
784
785         BT_DBG("%s status 0x%x", hdev->name, status);
786
787         hci_req_complete(hdev, HCI_OP_READ_INQ_RSP_TX_POWER, status);
788 }
789
790 static void hci_cc_set_event_flt(struct hci_dev *hdev, struct sk_buff *skb)
791 {
792         __u8 status = *((__u8 *) skb->data);
793
794         BT_DBG("%s status 0x%x", hdev->name, status);
795
796         hci_req_complete(hdev, HCI_OP_SET_EVENT_FLT, status);
797 }
798
799 static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb)
800 {
801         struct hci_rp_pin_code_reply *rp = (void *) skb->data;
802         struct hci_cp_pin_code_reply *cp;
803         struct hci_conn *conn;
804
805         BT_DBG("%s status 0x%x", hdev->name, rp->status);
806
807         if (test_bit(HCI_MGMT, &hdev->flags))
808                 mgmt_pin_code_reply_complete(hdev->id, &rp->bdaddr, rp->status);
809
810         if (rp->status != 0)
811                 return;
812
813         cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
814         if (!cp)
815                 return;
816
817         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
818         if (conn)
819                 conn->pin_length = cp->pin_len;
820 }
821
822 static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)
823 {
824         struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data;
825
826         BT_DBG("%s status 0x%x", hdev->name, rp->status);
827
828         if (test_bit(HCI_MGMT, &hdev->flags))
829                 mgmt_pin_code_neg_reply_complete(hdev->id, &rp->bdaddr,
830                                                                 rp->status);
831 }
832 static void hci_cc_le_read_buffer_size(struct hci_dev *hdev,
833                                        struct sk_buff *skb)
834 {
835         struct hci_rp_le_read_buffer_size *rp = (void *) skb->data;
836
837         BT_DBG("%s status 0x%x", hdev->name, rp->status);
838
839         if (rp->status)
840                 return;
841
842         hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
843         hdev->le_pkts = rp->le_max_pkt;
844
845         hdev->le_cnt = hdev->le_pkts;
846
847         BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
848
849         hci_req_complete(hdev, HCI_OP_LE_READ_BUFFER_SIZE, rp->status);
850 }
851
852 static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb)
853 {
854         struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
855
856         BT_DBG("%s status 0x%x", hdev->name, rp->status);
857
858         if (test_bit(HCI_MGMT, &hdev->flags))
859                 mgmt_user_confirm_reply_complete(hdev->id, &rp->bdaddr,
860                                                                 rp->status);
861 }
862
863 static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev,
864                                                         struct sk_buff *skb)
865 {
866         struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
867
868         BT_DBG("%s status 0x%x", hdev->name, rp->status);
869
870         if (test_bit(HCI_MGMT, &hdev->flags))
871                 mgmt_user_confirm_neg_reply_complete(hdev->id, &rp->bdaddr,
872                                                                 rp->status);
873 }
874
875 static void hci_cc_read_local_oob_data_reply(struct hci_dev *hdev,
876                                                         struct sk_buff *skb)
877 {
878         struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
879
880         BT_DBG("%s status 0x%x", hdev->name, rp->status);
881
882         mgmt_read_local_oob_data_reply_complete(hdev->id, rp->hash,
883                                                 rp->randomizer, rp->status);
884 }
885
886 static void hci_cc_le_set_scan_enable(struct hci_dev *hdev,
887                                         struct sk_buff *skb)
888 {
889         struct hci_cp_le_set_scan_enable *cp;
890         __u8 status = *((__u8 *) skb->data);
891
892         BT_DBG("%s status 0x%x", hdev->name, status);
893
894         if (status)
895                 return;
896
897         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
898         if (!cp)
899                 return;
900
901         hci_dev_lock(hdev);
902
903         if (cp->enable == 0x01) {
904                 del_timer(&hdev->adv_timer);
905                 hci_adv_entries_clear(hdev);
906         } else if (cp->enable == 0x00) {
907                 mod_timer(&hdev->adv_timer, jiffies + ADV_CLEAR_TIMEOUT);
908         }
909
910         hci_dev_unlock(hdev);
911 }
912
913 static void hci_cc_le_ltk_reply(struct hci_dev *hdev, struct sk_buff *skb)
914 {
915         struct hci_rp_le_ltk_reply *rp = (void *) skb->data;
916
917         BT_DBG("%s status 0x%x", hdev->name, rp->status);
918
919         if (rp->status)
920                 return;
921
922         hci_req_complete(hdev, HCI_OP_LE_LTK_REPLY, rp->status);
923 }
924
925 static void hci_cc_le_ltk_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)
926 {
927         struct hci_rp_le_ltk_neg_reply *rp = (void *) skb->data;
928
929         BT_DBG("%s status 0x%x", hdev->name, rp->status);
930
931         if (rp->status)
932                 return;
933
934         hci_req_complete(hdev, HCI_OP_LE_LTK_NEG_REPLY, rp->status);
935 }
936
937 static inline void hci_cc_write_le_host_supported(struct hci_dev *hdev,
938                                                         struct sk_buff *skb)
939 {
940         struct hci_cp_read_local_ext_features cp;
941         __u8 status = *((__u8 *) skb->data);
942
943         BT_DBG("%s status 0x%x", hdev->name, status);
944
945         if (status)
946                 return;
947
948         cp.page = 0x01;
949         hci_send_cmd(hdev, HCI_OP_READ_LOCAL_EXT_FEATURES, sizeof(cp), &cp);
950 }
951
952 static inline void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
953 {
954         BT_DBG("%s status 0x%x", hdev->name, status);
955
956         if (status) {
957                 hci_req_complete(hdev, HCI_OP_INQUIRY, status);
958                 hci_conn_check_pending(hdev);
959                 return;
960         }
961
962         if (!test_and_set_bit(HCI_INQUIRY, &hdev->flags) &&
963                                 test_bit(HCI_MGMT, &hdev->flags))
964                 mgmt_discovering(hdev->id, 1);
965 }
966
967 static inline void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
968 {
969         struct hci_cp_create_conn *cp;
970         struct hci_conn *conn;
971
972         BT_DBG("%s status 0x%x", hdev->name, status);
973
974         cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
975         if (!cp)
976                 return;
977
978         hci_dev_lock(hdev);
979
980         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
981
982         BT_DBG("%s bdaddr %s conn %p", hdev->name, batostr(&cp->bdaddr), conn);
983
984         if (status) {
985                 if (conn && conn->state == BT_CONNECT) {
986                         if (status != 0x0c || conn->attempt > 2) {
987                                 conn->state = BT_CLOSED;
988                                 hci_proto_connect_cfm(conn, status);
989                                 hci_conn_del(conn);
990                         } else
991                                 conn->state = BT_CONNECT2;
992                 }
993         } else {
994                 if (!conn) {
995                         conn = hci_conn_add(hdev, ACL_LINK, &cp->bdaddr);
996                         if (conn) {
997                                 conn->out = 1;
998                                 conn->link_mode |= HCI_LM_MASTER;
999                         } else
1000                                 BT_ERR("No memory for new connection");
1001                 }
1002         }
1003
1004         hci_dev_unlock(hdev);
1005 }
1006
1007 static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
1008 {
1009         struct hci_cp_add_sco *cp;
1010         struct hci_conn *acl, *sco;
1011         __u16 handle;
1012
1013         BT_DBG("%s status 0x%x", hdev->name, status);
1014
1015         if (!status)
1016                 return;
1017
1018         cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
1019         if (!cp)
1020                 return;
1021
1022         handle = __le16_to_cpu(cp->handle);
1023
1024         BT_DBG("%s handle %d", hdev->name, handle);
1025
1026         hci_dev_lock(hdev);
1027
1028         acl = hci_conn_hash_lookup_handle(hdev, handle);
1029         if (acl) {
1030                 sco = acl->link;
1031                 if (sco) {
1032                         sco->state = BT_CLOSED;
1033
1034                         hci_proto_connect_cfm(sco, status);
1035                         hci_conn_del(sco);
1036                 }
1037         }
1038
1039         hci_dev_unlock(hdev);
1040 }
1041
1042 static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
1043 {
1044         struct hci_cp_auth_requested *cp;
1045         struct hci_conn *conn;
1046
1047         BT_DBG("%s status 0x%x", hdev->name, status);
1048
1049         if (!status)
1050                 return;
1051
1052         cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
1053         if (!cp)
1054                 return;
1055
1056         hci_dev_lock(hdev);
1057
1058         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1059         if (conn) {
1060                 if (conn->state == BT_CONFIG) {
1061                         hci_proto_connect_cfm(conn, status);
1062                         hci_conn_put(conn);
1063                 }
1064         }
1065
1066         hci_dev_unlock(hdev);
1067 }
1068
1069 static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
1070 {
1071         struct hci_cp_set_conn_encrypt *cp;
1072         struct hci_conn *conn;
1073
1074         BT_DBG("%s status 0x%x", hdev->name, status);
1075
1076         if (!status)
1077                 return;
1078
1079         cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
1080         if (!cp)
1081                 return;
1082
1083         hci_dev_lock(hdev);
1084
1085         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1086         if (conn) {
1087                 if (conn->state == BT_CONFIG) {
1088                         hci_proto_connect_cfm(conn, status);
1089                         hci_conn_put(conn);
1090                 }
1091         }
1092
1093         hci_dev_unlock(hdev);
1094 }
1095
1096 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
1097                                                         struct hci_conn *conn)
1098 {
1099         if (conn->state != BT_CONFIG || !conn->out)
1100                 return 0;
1101
1102         if (conn->pending_sec_level == BT_SECURITY_SDP)
1103                 return 0;
1104
1105         /* Only request authentication for SSP connections or non-SSP
1106          * devices with sec_level HIGH */
1107         if (!(hdev->ssp_mode > 0 && conn->ssp_mode > 0) &&
1108                                 conn->pending_sec_level != BT_SECURITY_HIGH)
1109                 return 0;
1110
1111         return 1;
1112 }
1113
1114 static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
1115 {
1116         struct hci_cp_remote_name_req *cp;
1117         struct hci_conn *conn;
1118
1119         BT_DBG("%s status 0x%x", hdev->name, status);
1120
1121         /* If successful wait for the name req complete event before
1122          * checking for the need to do authentication */
1123         if (!status)
1124                 return;
1125
1126         cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
1127         if (!cp)
1128                 return;
1129
1130         hci_dev_lock(hdev);
1131
1132         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1133         if (!conn)
1134                 goto unlock;
1135
1136         if (!hci_outgoing_auth_needed(hdev, conn))
1137                 goto unlock;
1138
1139         if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->pend)) {
1140                 struct hci_cp_auth_requested cp;
1141                 cp.handle = __cpu_to_le16(conn->handle);
1142                 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
1143         }
1144
1145 unlock:
1146         hci_dev_unlock(hdev);
1147 }
1148
1149 static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
1150 {
1151         struct hci_cp_read_remote_features *cp;
1152         struct hci_conn *conn;
1153
1154         BT_DBG("%s status 0x%x", hdev->name, status);
1155
1156         if (!status)
1157                 return;
1158
1159         cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
1160         if (!cp)
1161                 return;
1162
1163         hci_dev_lock(hdev);
1164
1165         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1166         if (conn) {
1167                 if (conn->state == BT_CONFIG) {
1168                         hci_proto_connect_cfm(conn, status);
1169                         hci_conn_put(conn);
1170                 }
1171         }
1172
1173         hci_dev_unlock(hdev);
1174 }
1175
1176 static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
1177 {
1178         struct hci_cp_read_remote_ext_features *cp;
1179         struct hci_conn *conn;
1180
1181         BT_DBG("%s status 0x%x", hdev->name, status);
1182
1183         if (!status)
1184                 return;
1185
1186         cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
1187         if (!cp)
1188                 return;
1189
1190         hci_dev_lock(hdev);
1191
1192         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1193         if (conn) {
1194                 if (conn->state == BT_CONFIG) {
1195                         hci_proto_connect_cfm(conn, status);
1196                         hci_conn_put(conn);
1197                 }
1198         }
1199
1200         hci_dev_unlock(hdev);
1201 }
1202
1203 static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
1204 {
1205         struct hci_cp_setup_sync_conn *cp;
1206         struct hci_conn *acl, *sco;
1207         __u16 handle;
1208
1209         BT_DBG("%s status 0x%x", hdev->name, status);
1210
1211         if (!status)
1212                 return;
1213
1214         cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
1215         if (!cp)
1216                 return;
1217
1218         handle = __le16_to_cpu(cp->handle);
1219
1220         BT_DBG("%s handle %d", hdev->name, handle);
1221
1222         hci_dev_lock(hdev);
1223
1224         acl = hci_conn_hash_lookup_handle(hdev, handle);
1225         if (acl) {
1226                 sco = acl->link;
1227                 if (sco) {
1228                         sco->state = BT_CLOSED;
1229
1230                         hci_proto_connect_cfm(sco, status);
1231                         hci_conn_del(sco);
1232                 }
1233         }
1234
1235         hci_dev_unlock(hdev);
1236 }
1237
1238 static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
1239 {
1240         struct hci_cp_sniff_mode *cp;
1241         struct hci_conn *conn;
1242
1243         BT_DBG("%s status 0x%x", hdev->name, status);
1244
1245         if (!status)
1246                 return;
1247
1248         cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
1249         if (!cp)
1250                 return;
1251
1252         hci_dev_lock(hdev);
1253
1254         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1255         if (conn) {
1256                 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->pend);
1257
1258                 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->pend))
1259                         hci_sco_setup(conn, status);
1260         }
1261
1262         hci_dev_unlock(hdev);
1263 }
1264
1265 static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
1266 {
1267         struct hci_cp_exit_sniff_mode *cp;
1268         struct hci_conn *conn;
1269
1270         BT_DBG("%s status 0x%x", hdev->name, status);
1271
1272         if (!status)
1273                 return;
1274
1275         cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
1276         if (!cp)
1277                 return;
1278
1279         hci_dev_lock(hdev);
1280
1281         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
1282         if (conn) {
1283                 clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->pend);
1284
1285                 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->pend))
1286                         hci_sco_setup(conn, status);
1287         }
1288
1289         hci_dev_unlock(hdev);
1290 }
1291
1292 static void hci_cs_le_create_conn(struct hci_dev *hdev, __u8 status)
1293 {
1294         struct hci_cp_le_create_conn *cp;
1295         struct hci_conn *conn;
1296
1297         BT_DBG("%s status 0x%x", hdev->name, status);
1298
1299         cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
1300         if (!cp)
1301                 return;
1302
1303         hci_dev_lock(hdev);
1304
1305         conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->peer_addr);
1306
1307         BT_DBG("%s bdaddr %s conn %p", hdev->name, batostr(&cp->peer_addr),
1308                 conn);
1309
1310         if (status) {
1311                 if (conn && conn->state == BT_CONNECT) {
1312                         conn->state = BT_CLOSED;
1313                         hci_proto_connect_cfm(conn, status);
1314                         hci_conn_del(conn);
1315                 }
1316         } else {
1317                 if (!conn) {
1318                         conn = hci_conn_add(hdev, LE_LINK, &cp->peer_addr);
1319                         if (conn) {
1320                                 conn->dst_type = cp->peer_addr_type;
1321                                 conn->out = 1;
1322                         } else {
1323                                 BT_ERR("No memory for new connection");
1324                         }
1325                 }
1326         }
1327
1328         hci_dev_unlock(hdev);
1329 }
1330
1331 static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
1332 {
1333         BT_DBG("%s status 0x%x", hdev->name, status);
1334 }
1335
1336 static inline void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1337 {
1338         __u8 status = *((__u8 *) skb->data);
1339
1340         BT_DBG("%s status %d", hdev->name, status);
1341
1342         if (test_and_clear_bit(HCI_INQUIRY, &hdev->flags) &&
1343                                 test_bit(HCI_MGMT, &hdev->flags))
1344                 mgmt_discovering(hdev->id, 0);
1345
1346         hci_req_complete(hdev, HCI_OP_INQUIRY, status);
1347
1348         hci_conn_check_pending(hdev);
1349 }
1350
1351 static inline void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
1352 {
1353         struct inquiry_data data;
1354         struct inquiry_info *info = (void *) (skb->data + 1);
1355         int num_rsp = *((__u8 *) skb->data);
1356
1357         BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
1358
1359         if (!num_rsp)
1360                 return;
1361
1362         hci_dev_lock(hdev);
1363
1364         if (!test_and_set_bit(HCI_INQUIRY, &hdev->flags)) {
1365
1366                 if (test_bit(HCI_MGMT, &hdev->flags))
1367                         mgmt_discovering(hdev->id, 1);
1368         }
1369
1370         for (; num_rsp; num_rsp--, info++) {
1371                 bacpy(&data.bdaddr, &info->bdaddr);
1372                 data.pscan_rep_mode     = info->pscan_rep_mode;
1373                 data.pscan_period_mode  = info->pscan_period_mode;
1374                 data.pscan_mode         = info->pscan_mode;
1375                 memcpy(data.dev_class, info->dev_class, 3);
1376                 data.clock_offset       = info->clock_offset;
1377                 data.rssi               = 0x00;
1378                 data.ssp_mode           = 0x00;
1379                 hci_inquiry_cache_update(hdev, &data);
1380                 mgmt_device_found(hdev->id, &info->bdaddr, info->dev_class, 0,
1381                                                                         NULL);
1382         }
1383
1384         hci_dev_unlock(hdev);
1385 }
1386
1387 static inline void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1388 {
1389         struct hci_ev_conn_complete *ev = (void *) skb->data;
1390         struct hci_conn *conn;
1391
1392         BT_DBG("%s", hdev->name);
1393
1394         hci_dev_lock(hdev);
1395
1396         conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
1397         if (!conn) {
1398                 if (ev->link_type != SCO_LINK)
1399                         goto unlock;
1400
1401                 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
1402                 if (!conn)
1403                         goto unlock;
1404
1405                 conn->type = SCO_LINK;
1406         }
1407
1408         if (!ev->status) {
1409                 conn->handle = __le16_to_cpu(ev->handle);
1410
1411                 if (conn->type == ACL_LINK) {
1412                         conn->state = BT_CONFIG;
1413                         hci_conn_hold(conn);
1414                         conn->disc_timeout = HCI_DISCONN_TIMEOUT;
1415                         mgmt_connected(hdev->id, &ev->bdaddr);
1416                 } else
1417                         conn->state = BT_CONNECTED;
1418
1419                 hci_conn_hold_device(conn);
1420                 hci_conn_add_sysfs(conn);
1421
1422                 if (test_bit(HCI_AUTH, &hdev->flags))
1423                         conn->link_mode |= HCI_LM_AUTH;
1424
1425                 if (test_bit(HCI_ENCRYPT, &hdev->flags))
1426                         conn->link_mode |= HCI_LM_ENCRYPT;
1427
1428                 /* Get remote features */
1429                 if (conn->type == ACL_LINK) {
1430                         struct hci_cp_read_remote_features cp;
1431                         cp.handle = ev->handle;
1432                         hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
1433                                                         sizeof(cp), &cp);
1434                 }
1435
1436                 /* Set packet type for incoming connection */
1437                 if (!conn->out && hdev->hci_ver < 3) {
1438                         struct hci_cp_change_conn_ptype cp;
1439                         cp.handle = ev->handle;
1440                         cp.pkt_type = cpu_to_le16(conn->pkt_type);
1441                         hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE,
1442                                                         sizeof(cp), &cp);
1443                 }
1444         } else {
1445                 conn->state = BT_CLOSED;
1446                 if (conn->type == ACL_LINK)
1447                         mgmt_connect_failed(hdev->id, &ev->bdaddr, ev->status);
1448         }
1449
1450         if (conn->type == ACL_LINK)
1451                 hci_sco_setup(conn, ev->status);
1452
1453         if (ev->status) {
1454                 hci_proto_connect_cfm(conn, ev->status);
1455                 hci_conn_del(conn);
1456         } else if (ev->link_type != ACL_LINK)
1457                 hci_proto_connect_cfm(conn, ev->status);
1458
1459 unlock:
1460         hci_dev_unlock(hdev);
1461
1462         hci_conn_check_pending(hdev);
1463 }
1464
1465 static inline void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
1466 {
1467         struct hci_ev_conn_request *ev = (void *) skb->data;
1468         int mask = hdev->link_mode;
1469
1470         BT_DBG("%s bdaddr %s type 0x%x", hdev->name,
1471                                         batostr(&ev->bdaddr), ev->link_type);
1472
1473         mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type);
1474
1475         if ((mask & HCI_LM_ACCEPT) &&
1476                         !hci_blacklist_lookup(hdev, &ev->bdaddr)) {
1477                 /* Connection accepted */
1478                 struct inquiry_entry *ie;
1479                 struct hci_conn *conn;
1480
1481                 hci_dev_lock(hdev);
1482
1483                 ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
1484                 if (ie)
1485                         memcpy(ie->data.dev_class, ev->dev_class, 3);
1486
1487                 conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
1488                 if (!conn) {
1489                         conn = hci_conn_add(hdev, ev->link_type, &ev->bdaddr);
1490                         if (!conn) {
1491                                 BT_ERR("No memory for new connection");
1492                                 hci_dev_unlock(hdev);
1493                                 return;
1494                         }
1495                 }
1496
1497                 memcpy(conn->dev_class, ev->dev_class, 3);
1498                 conn->state = BT_CONNECT;
1499
1500                 hci_dev_unlock(hdev);
1501
1502                 if (ev->link_type == ACL_LINK || !lmp_esco_capable(hdev)) {
1503                         struct hci_cp_accept_conn_req cp;
1504
1505                         bacpy(&cp.bdaddr, &ev->bdaddr);
1506
1507                         if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
1508                                 cp.role = 0x00; /* Become master */
1509                         else
1510                                 cp.role = 0x01; /* Remain slave */
1511
1512                         hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ,
1513                                                         sizeof(cp), &cp);
1514                 } else {
1515                         struct hci_cp_accept_sync_conn_req cp;
1516
1517                         bacpy(&cp.bdaddr, &ev->bdaddr);
1518                         cp.pkt_type = cpu_to_le16(conn->pkt_type);
1519
1520                         cp.tx_bandwidth   = cpu_to_le32(0x00001f40);
1521                         cp.rx_bandwidth   = cpu_to_le32(0x00001f40);
1522                         cp.max_latency    = cpu_to_le16(0xffff);
1523                         cp.content_format = cpu_to_le16(hdev->voice_setting);
1524                         cp.retrans_effort = 0xff;
1525
1526                         hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ,
1527                                                         sizeof(cp), &cp);
1528                 }
1529         } else {
1530                 /* Connection rejected */
1531                 struct hci_cp_reject_conn_req cp;
1532
1533                 bacpy(&cp.bdaddr, &ev->bdaddr);
1534                 cp.reason = 0x0f;
1535                 hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
1536         }
1537 }
1538
1539 static inline void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1540 {
1541         struct hci_ev_disconn_complete *ev = (void *) skb->data;
1542         struct hci_conn *conn;
1543
1544         BT_DBG("%s status %d", hdev->name, ev->status);
1545
1546         if (ev->status) {
1547                 mgmt_disconnect_failed(hdev->id);
1548                 return;
1549         }
1550
1551         hci_dev_lock(hdev);
1552
1553         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
1554         if (!conn)
1555                 goto unlock;
1556
1557         conn->state = BT_CLOSED;
1558
1559         if (conn->type == ACL_LINK || conn->type == LE_LINK)
1560                 mgmt_disconnected(hdev->id, &conn->dst);
1561
1562         hci_proto_disconn_cfm(conn, ev->reason);
1563         hci_conn_del(conn);
1564
1565 unlock:
1566         hci_dev_unlock(hdev);
1567 }
1568
1569 static inline void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1570 {
1571         struct hci_ev_auth_complete *ev = (void *) skb->data;
1572         struct hci_conn *conn;
1573
1574         BT_DBG("%s status %d", hdev->name, ev->status);
1575
1576         hci_dev_lock(hdev);
1577
1578         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
1579         if (!conn)
1580                 goto unlock;
1581
1582         if (!ev->status) {
1583                 if (!(conn->ssp_mode > 0 && hdev->ssp_mode > 0) &&
1584                                 test_bit(HCI_CONN_REAUTH_PEND,  &conn->pend)) {
1585                         BT_INFO("re-auth of legacy device is not possible.");
1586                 } else {
1587                         conn->link_mode |= HCI_LM_AUTH;
1588                         conn->sec_level = conn->pending_sec_level;
1589                 }
1590         } else {
1591                 mgmt_auth_failed(hdev->id, &conn->dst, ev->status);
1592         }
1593
1594         clear_bit(HCI_CONN_AUTH_PEND, &conn->pend);
1595         clear_bit(HCI_CONN_REAUTH_PEND, &conn->pend);
1596
1597         if (conn->state == BT_CONFIG) {
1598                 if (!ev->status && hdev->ssp_mode > 0 && conn->ssp_mode > 0) {
1599                         struct hci_cp_set_conn_encrypt cp;
1600                         cp.handle  = ev->handle;
1601                         cp.encrypt = 0x01;
1602                         hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
1603                                                                         &cp);
1604                 } else {
1605                         conn->state = BT_CONNECTED;
1606                         hci_proto_connect_cfm(conn, ev->status);
1607                         hci_conn_put(conn);
1608                 }
1609         } else {
1610                 hci_auth_cfm(conn, ev->status);
1611
1612                 hci_conn_hold(conn);
1613                 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
1614                 hci_conn_put(conn);
1615         }
1616
1617         if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend)) {
1618                 if (!ev->status) {
1619                         struct hci_cp_set_conn_encrypt cp;
1620                         cp.handle  = ev->handle;
1621                         cp.encrypt = 0x01;
1622                         hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
1623                                                                         &cp);
1624                 } else {
1625                         clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend);
1626                         hci_encrypt_cfm(conn, ev->status, 0x00);
1627                 }
1628         }
1629
1630 unlock:
1631         hci_dev_unlock(hdev);
1632 }
1633
1634 static inline void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb)
1635 {
1636         struct hci_ev_remote_name *ev = (void *) skb->data;
1637         struct hci_conn *conn;
1638
1639         BT_DBG("%s", hdev->name);
1640
1641         hci_conn_check_pending(hdev);
1642
1643         hci_dev_lock(hdev);
1644
1645         if (ev->status == 0 && test_bit(HCI_MGMT, &hdev->flags))
1646                 mgmt_remote_name(hdev->id, &ev->bdaddr, ev->name);
1647
1648         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
1649         if (!conn)
1650                 goto unlock;
1651
1652         if (!hci_outgoing_auth_needed(hdev, conn))
1653                 goto unlock;
1654
1655         if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->pend)) {
1656                 struct hci_cp_auth_requested cp;
1657                 cp.handle = __cpu_to_le16(conn->handle);
1658                 hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
1659         }
1660
1661 unlock:
1662         hci_dev_unlock(hdev);
1663 }
1664
1665 static inline void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
1666 {
1667         struct hci_ev_encrypt_change *ev = (void *) skb->data;
1668         struct hci_conn *conn;
1669
1670         BT_DBG("%s status %d", hdev->name, ev->status);
1671
1672         hci_dev_lock(hdev);
1673
1674         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
1675         if (conn) {
1676                 if (!ev->status) {
1677                         if (ev->encrypt) {
1678                                 /* Encryption implies authentication */
1679                                 conn->link_mode |= HCI_LM_AUTH;
1680                                 conn->link_mode |= HCI_LM_ENCRYPT;
1681                                 conn->sec_level = conn->pending_sec_level;
1682                         } else
1683                                 conn->link_mode &= ~HCI_LM_ENCRYPT;
1684                 }
1685
1686                 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend);
1687
1688                 if (conn->state == BT_CONFIG) {
1689                         if (!ev->status)
1690                                 conn->state = BT_CONNECTED;
1691
1692                         hci_proto_connect_cfm(conn, ev->status);
1693                         hci_conn_put(conn);
1694                 } else
1695                         hci_encrypt_cfm(conn, ev->status, ev->encrypt);
1696         }
1697
1698         hci_dev_unlock(hdev);
1699 }
1700
1701 static inline void hci_change_link_key_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1702 {
1703         struct hci_ev_change_link_key_complete *ev = (void *) skb->data;
1704         struct hci_conn *conn;
1705
1706         BT_DBG("%s status %d", hdev->name, ev->status);
1707
1708         hci_dev_lock(hdev);
1709
1710         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
1711         if (conn) {
1712                 if (!ev->status)
1713                         conn->link_mode |= HCI_LM_SECURE;
1714
1715                 clear_bit(HCI_CONN_AUTH_PEND, &conn->pend);
1716
1717                 hci_key_change_cfm(conn, ev->status);
1718         }
1719
1720         hci_dev_unlock(hdev);
1721 }
1722
1723 static inline void hci_remote_features_evt(struct hci_dev *hdev, struct sk_buff *skb)
1724 {
1725         struct hci_ev_remote_features *ev = (void *) skb->data;
1726         struct hci_conn *conn;
1727
1728         BT_DBG("%s status %d", hdev->name, ev->status);
1729
1730         hci_dev_lock(hdev);
1731
1732         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
1733         if (!conn)
1734                 goto unlock;
1735
1736         if (!ev->status)
1737                 memcpy(conn->features, ev->features, 8);
1738
1739         if (conn->state != BT_CONFIG)
1740                 goto unlock;
1741
1742         if (!ev->status && lmp_ssp_capable(hdev) && lmp_ssp_capable(conn)) {
1743                 struct hci_cp_read_remote_ext_features cp;
1744                 cp.handle = ev->handle;
1745                 cp.page = 0x01;
1746                 hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
1747                                                         sizeof(cp), &cp);
1748                 goto unlock;
1749         }
1750
1751         if (!ev->status) {
1752                 struct hci_cp_remote_name_req cp;
1753                 memset(&cp, 0, sizeof(cp));
1754                 bacpy(&cp.bdaddr, &conn->dst);
1755                 cp.pscan_rep_mode = 0x02;
1756                 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
1757         }
1758
1759         if (!hci_outgoing_auth_needed(hdev, conn)) {
1760                 conn->state = BT_CONNECTED;
1761                 hci_proto_connect_cfm(conn, ev->status);
1762                 hci_conn_put(conn);
1763         }
1764
1765 unlock:
1766         hci_dev_unlock(hdev);
1767 }
1768
1769 static inline void hci_remote_version_evt(struct hci_dev *hdev, struct sk_buff *skb)
1770 {
1771         BT_DBG("%s", hdev->name);
1772 }
1773
1774 static inline void hci_qos_setup_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1775 {
1776         BT_DBG("%s", hdev->name);
1777 }
1778
1779 static inline void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
1780 {
1781         struct hci_ev_cmd_complete *ev = (void *) skb->data;
1782         __u16 opcode;
1783
1784         skb_pull(skb, sizeof(*ev));
1785
1786         opcode = __le16_to_cpu(ev->opcode);
1787
1788         switch (opcode) {
1789         case HCI_OP_INQUIRY_CANCEL:
1790                 hci_cc_inquiry_cancel(hdev, skb);
1791                 break;
1792
1793         case HCI_OP_EXIT_PERIODIC_INQ:
1794                 hci_cc_exit_periodic_inq(hdev, skb);
1795                 break;
1796
1797         case HCI_OP_REMOTE_NAME_REQ_CANCEL:
1798                 hci_cc_remote_name_req_cancel(hdev, skb);
1799                 break;
1800
1801         case HCI_OP_ROLE_DISCOVERY:
1802                 hci_cc_role_discovery(hdev, skb);
1803                 break;
1804
1805         case HCI_OP_READ_LINK_POLICY:
1806                 hci_cc_read_link_policy(hdev, skb);
1807                 break;
1808
1809         case HCI_OP_WRITE_LINK_POLICY:
1810                 hci_cc_write_link_policy(hdev, skb);
1811                 break;
1812
1813         case HCI_OP_READ_DEF_LINK_POLICY:
1814                 hci_cc_read_def_link_policy(hdev, skb);
1815                 break;
1816
1817         case HCI_OP_WRITE_DEF_LINK_POLICY:
1818                 hci_cc_write_def_link_policy(hdev, skb);
1819                 break;
1820
1821         case HCI_OP_RESET:
1822                 hci_cc_reset(hdev, skb);
1823                 break;
1824
1825         case HCI_OP_WRITE_LOCAL_NAME:
1826                 hci_cc_write_local_name(hdev, skb);
1827                 break;
1828
1829         case HCI_OP_READ_LOCAL_NAME:
1830                 hci_cc_read_local_name(hdev, skb);
1831                 break;
1832
1833         case HCI_OP_WRITE_AUTH_ENABLE:
1834                 hci_cc_write_auth_enable(hdev, skb);
1835                 break;
1836
1837         case HCI_OP_WRITE_ENCRYPT_MODE:
1838                 hci_cc_write_encrypt_mode(hdev, skb);
1839                 break;
1840
1841         case HCI_OP_WRITE_SCAN_ENABLE:
1842                 hci_cc_write_scan_enable(hdev, skb);
1843                 break;
1844
1845         case HCI_OP_READ_CLASS_OF_DEV:
1846                 hci_cc_read_class_of_dev(hdev, skb);
1847                 break;
1848
1849         case HCI_OP_WRITE_CLASS_OF_DEV:
1850                 hci_cc_write_class_of_dev(hdev, skb);
1851                 break;
1852
1853         case HCI_OP_READ_VOICE_SETTING:
1854                 hci_cc_read_voice_setting(hdev, skb);
1855                 break;
1856
1857         case HCI_OP_WRITE_VOICE_SETTING:
1858                 hci_cc_write_voice_setting(hdev, skb);
1859                 break;
1860
1861         case HCI_OP_HOST_BUFFER_SIZE:
1862                 hci_cc_host_buffer_size(hdev, skb);
1863                 break;
1864
1865         case HCI_OP_READ_SSP_MODE:
1866                 hci_cc_read_ssp_mode(hdev, skb);
1867                 break;
1868
1869         case HCI_OP_WRITE_SSP_MODE:
1870                 hci_cc_write_ssp_mode(hdev, skb);
1871                 break;
1872
1873         case HCI_OP_READ_LOCAL_VERSION:
1874                 hci_cc_read_local_version(hdev, skb);
1875                 break;
1876
1877         case HCI_OP_READ_LOCAL_COMMANDS:
1878                 hci_cc_read_local_commands(hdev, skb);
1879                 break;
1880
1881         case HCI_OP_READ_LOCAL_FEATURES:
1882                 hci_cc_read_local_features(hdev, skb);
1883                 break;
1884
1885         case HCI_OP_READ_LOCAL_EXT_FEATURES:
1886                 hci_cc_read_local_ext_features(hdev, skb);
1887                 break;
1888
1889         case HCI_OP_READ_BUFFER_SIZE:
1890                 hci_cc_read_buffer_size(hdev, skb);
1891                 break;
1892
1893         case HCI_OP_READ_BD_ADDR:
1894                 hci_cc_read_bd_addr(hdev, skb);
1895                 break;
1896
1897         case HCI_OP_WRITE_CA_TIMEOUT:
1898                 hci_cc_write_ca_timeout(hdev, skb);
1899                 break;
1900
1901         case HCI_OP_DELETE_STORED_LINK_KEY:
1902                 hci_cc_delete_stored_link_key(hdev, skb);
1903                 break;
1904
1905         case HCI_OP_SET_EVENT_MASK:
1906                 hci_cc_set_event_mask(hdev, skb);
1907                 break;
1908
1909         case HCI_OP_WRITE_INQUIRY_MODE:
1910                 hci_cc_write_inquiry_mode(hdev, skb);
1911                 break;
1912
1913         case HCI_OP_READ_INQ_RSP_TX_POWER:
1914                 hci_cc_read_inq_rsp_tx_power(hdev, skb);
1915                 break;
1916
1917         case HCI_OP_SET_EVENT_FLT:
1918                 hci_cc_set_event_flt(hdev, skb);
1919                 break;
1920
1921         case HCI_OP_PIN_CODE_REPLY:
1922                 hci_cc_pin_code_reply(hdev, skb);
1923                 break;
1924
1925         case HCI_OP_PIN_CODE_NEG_REPLY:
1926                 hci_cc_pin_code_neg_reply(hdev, skb);
1927                 break;
1928
1929         case HCI_OP_READ_LOCAL_OOB_DATA:
1930                 hci_cc_read_local_oob_data_reply(hdev, skb);
1931                 break;
1932
1933         case HCI_OP_LE_READ_BUFFER_SIZE:
1934                 hci_cc_le_read_buffer_size(hdev, skb);
1935                 break;
1936
1937         case HCI_OP_USER_CONFIRM_REPLY:
1938                 hci_cc_user_confirm_reply(hdev, skb);
1939                 break;
1940
1941         case HCI_OP_USER_CONFIRM_NEG_REPLY:
1942                 hci_cc_user_confirm_neg_reply(hdev, skb);
1943                 break;
1944
1945         case HCI_OP_LE_SET_SCAN_ENABLE:
1946                 hci_cc_le_set_scan_enable(hdev, skb);
1947                 break;
1948
1949         case HCI_OP_LE_LTK_REPLY:
1950                 hci_cc_le_ltk_reply(hdev, skb);
1951                 break;
1952
1953         case HCI_OP_LE_LTK_NEG_REPLY:
1954                 hci_cc_le_ltk_neg_reply(hdev, skb);
1955                 break;
1956
1957         case HCI_OP_WRITE_LE_HOST_SUPPORTED:
1958                 hci_cc_write_le_host_supported(hdev, skb);
1959                 break;
1960
1961         default:
1962                 BT_DBG("%s opcode 0x%x", hdev->name, opcode);
1963                 break;
1964         }
1965
1966         if (ev->opcode != HCI_OP_NOP)
1967                 del_timer(&hdev->cmd_timer);
1968
1969         if (ev->ncmd) {
1970                 atomic_set(&hdev->cmd_cnt, 1);
1971                 if (!skb_queue_empty(&hdev->cmd_q))
1972                         tasklet_schedule(&hdev->cmd_task);
1973         }
1974 }
1975
1976 static inline void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb)
1977 {
1978         struct hci_ev_cmd_status *ev = (void *) skb->data;
1979         __u16 opcode;
1980
1981         skb_pull(skb, sizeof(*ev));
1982
1983         opcode = __le16_to_cpu(ev->opcode);
1984
1985         switch (opcode) {
1986         case HCI_OP_INQUIRY:
1987                 hci_cs_inquiry(hdev, ev->status);
1988                 break;
1989
1990         case HCI_OP_CREATE_CONN:
1991                 hci_cs_create_conn(hdev, ev->status);
1992                 break;
1993
1994         case HCI_OP_ADD_SCO:
1995                 hci_cs_add_sco(hdev, ev->status);
1996                 break;
1997
1998         case HCI_OP_AUTH_REQUESTED:
1999                 hci_cs_auth_requested(hdev, ev->status);
2000                 break;
2001
2002         case HCI_OP_SET_CONN_ENCRYPT:
2003                 hci_cs_set_conn_encrypt(hdev, ev->status);
2004                 break;
2005
2006         case HCI_OP_REMOTE_NAME_REQ:
2007                 hci_cs_remote_name_req(hdev, ev->status);
2008                 break;
2009
2010         case HCI_OP_READ_REMOTE_FEATURES:
2011                 hci_cs_read_remote_features(hdev, ev->status);
2012                 break;
2013
2014         case HCI_OP_READ_REMOTE_EXT_FEATURES:
2015                 hci_cs_read_remote_ext_features(hdev, ev->status);
2016                 break;
2017
2018         case HCI_OP_SETUP_SYNC_CONN:
2019                 hci_cs_setup_sync_conn(hdev, ev->status);
2020                 break;
2021
2022         case HCI_OP_SNIFF_MODE:
2023                 hci_cs_sniff_mode(hdev, ev->status);
2024                 break;
2025
2026         case HCI_OP_EXIT_SNIFF_MODE:
2027                 hci_cs_exit_sniff_mode(hdev, ev->status);
2028                 break;
2029
2030         case HCI_OP_DISCONNECT:
2031                 if (ev->status != 0)
2032                         mgmt_disconnect_failed(hdev->id);
2033                 break;
2034
2035         case HCI_OP_LE_CREATE_CONN:
2036                 hci_cs_le_create_conn(hdev, ev->status);
2037                 break;
2038
2039         case HCI_OP_LE_START_ENC:
2040                 hci_cs_le_start_enc(hdev, ev->status);
2041                 break;
2042
2043         default:
2044                 BT_DBG("%s opcode 0x%x", hdev->name, opcode);
2045                 break;
2046         }
2047
2048         if (ev->opcode != HCI_OP_NOP)
2049                 del_timer(&hdev->cmd_timer);
2050
2051         if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) {
2052                 atomic_set(&hdev->cmd_cnt, 1);
2053                 if (!skb_queue_empty(&hdev->cmd_q))
2054                         tasklet_schedule(&hdev->cmd_task);
2055         }
2056 }
2057
2058 static inline void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2059 {
2060         struct hci_ev_role_change *ev = (void *) skb->data;
2061         struct hci_conn *conn;
2062
2063         BT_DBG("%s status %d", hdev->name, ev->status);
2064
2065         hci_dev_lock(hdev);
2066
2067         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2068         if (conn) {
2069                 if (!ev->status) {
2070                         if (ev->role)
2071                                 conn->link_mode &= ~HCI_LM_MASTER;
2072                         else
2073                                 conn->link_mode |= HCI_LM_MASTER;
2074                 }
2075
2076                 clear_bit(HCI_CONN_RSWITCH_PEND, &conn->pend);
2077
2078                 hci_role_switch_cfm(conn, ev->status, ev->role);
2079         }
2080
2081         hci_dev_unlock(hdev);
2082 }
2083
2084 static inline void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb)
2085 {
2086         struct hci_ev_num_comp_pkts *ev = (void *) skb->data;
2087         __le16 *ptr;
2088         int i;
2089
2090         skb_pull(skb, sizeof(*ev));
2091
2092         BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl);
2093
2094         if (skb->len < ev->num_hndl * 4) {
2095                 BT_DBG("%s bad parameters", hdev->name);
2096                 return;
2097         }
2098
2099         tasklet_disable(&hdev->tx_task);
2100
2101         for (i = 0, ptr = (__le16 *) skb->data; i < ev->num_hndl; i++) {
2102                 struct hci_conn *conn;
2103                 __u16  handle, count;
2104
2105                 handle = get_unaligned_le16(ptr++);
2106                 count  = get_unaligned_le16(ptr++);
2107
2108                 conn = hci_conn_hash_lookup_handle(hdev, handle);
2109                 if (conn) {
2110                         conn->sent -= count;
2111
2112                         if (conn->type == ACL_LINK) {
2113                                 hdev->acl_cnt += count;
2114                                 if (hdev->acl_cnt > hdev->acl_pkts)
2115                                         hdev->acl_cnt = hdev->acl_pkts;
2116                         } else if (conn->type == LE_LINK) {
2117                                 if (hdev->le_pkts) {
2118                                         hdev->le_cnt += count;
2119                                         if (hdev->le_cnt > hdev->le_pkts)
2120                                                 hdev->le_cnt = hdev->le_pkts;
2121                                 } else {
2122                                         hdev->acl_cnt += count;
2123                                         if (hdev->acl_cnt > hdev->acl_pkts)
2124                                                 hdev->acl_cnt = hdev->acl_pkts;
2125                                 }
2126                         } else {
2127                                 hdev->sco_cnt += count;
2128                                 if (hdev->sco_cnt > hdev->sco_pkts)
2129                                         hdev->sco_cnt = hdev->sco_pkts;
2130                         }
2131                 }
2132         }
2133
2134         tasklet_schedule(&hdev->tx_task);
2135
2136         tasklet_enable(&hdev->tx_task);
2137 }
2138
2139 static inline void hci_mode_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2140 {
2141         struct hci_ev_mode_change *ev = (void *) skb->data;
2142         struct hci_conn *conn;
2143
2144         BT_DBG("%s status %d", hdev->name, ev->status);
2145
2146         hci_dev_lock(hdev);
2147
2148         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2149         if (conn) {
2150                 conn->mode = ev->mode;
2151                 conn->interval = __le16_to_cpu(ev->interval);
2152
2153                 if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->pend)) {
2154                         if (conn->mode == HCI_CM_ACTIVE)
2155                                 conn->power_save = 1;
2156                         else
2157                                 conn->power_save = 0;
2158                 }
2159
2160                 if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->pend))
2161                         hci_sco_setup(conn, ev->status);
2162         }
2163
2164         hci_dev_unlock(hdev);
2165 }
2166
2167 static inline void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2168 {
2169         struct hci_ev_pin_code_req *ev = (void *) skb->data;
2170         struct hci_conn *conn;
2171
2172         BT_DBG("%s", hdev->name);
2173
2174         hci_dev_lock(hdev);
2175
2176         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2177         if (conn && conn->state == BT_CONNECTED) {
2178                 hci_conn_hold(conn);
2179                 conn->disc_timeout = HCI_PAIRING_TIMEOUT;
2180                 hci_conn_put(conn);
2181         }
2182
2183         if (!test_bit(HCI_PAIRABLE, &hdev->flags))
2184                 hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
2185                                         sizeof(ev->bdaddr), &ev->bdaddr);
2186         else if (test_bit(HCI_MGMT, &hdev->flags)) {
2187                 u8 secure;
2188
2189                 if (conn->pending_sec_level == BT_SECURITY_HIGH)
2190                         secure = 1;
2191                 else
2192                         secure = 0;
2193
2194                 mgmt_pin_code_request(hdev->id, &ev->bdaddr, secure);
2195         }
2196
2197         hci_dev_unlock(hdev);
2198 }
2199
2200 static inline void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2201 {
2202         struct hci_ev_link_key_req *ev = (void *) skb->data;
2203         struct hci_cp_link_key_reply cp;
2204         struct hci_conn *conn;
2205         struct link_key *key;
2206
2207         BT_DBG("%s", hdev->name);
2208
2209         if (!test_bit(HCI_LINK_KEYS, &hdev->flags))
2210                 return;
2211
2212         hci_dev_lock(hdev);
2213
2214         key = hci_find_link_key(hdev, &ev->bdaddr);
2215         if (!key) {
2216                 BT_DBG("%s link key not found for %s", hdev->name,
2217                                                         batostr(&ev->bdaddr));
2218                 goto not_found;
2219         }
2220
2221         BT_DBG("%s found key type %u for %s", hdev->name, key->type,
2222                                                         batostr(&ev->bdaddr));
2223
2224         if (!test_bit(HCI_DEBUG_KEYS, &hdev->flags) &&
2225                                 key->type == HCI_LK_DEBUG_COMBINATION) {
2226                 BT_DBG("%s ignoring debug key", hdev->name);
2227                 goto not_found;
2228         }
2229
2230         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2231         if (conn) {
2232                 if (key->type == HCI_LK_UNAUTH_COMBINATION &&
2233                                 conn->auth_type != 0xff &&
2234                                 (conn->auth_type & 0x01)) {
2235                         BT_DBG("%s ignoring unauthenticated key", hdev->name);
2236                         goto not_found;
2237                 }
2238
2239                 if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
2240                                 conn->pending_sec_level == BT_SECURITY_HIGH) {
2241                         BT_DBG("%s ignoring key unauthenticated for high \
2242                                                         security", hdev->name);
2243                         goto not_found;
2244                 }
2245
2246                 conn->key_type = key->type;
2247                 conn->pin_length = key->pin_len;
2248         }
2249
2250         bacpy(&cp.bdaddr, &ev->bdaddr);
2251         memcpy(cp.link_key, key->val, 16);
2252
2253         hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
2254
2255         hci_dev_unlock(hdev);
2256
2257         return;
2258
2259 not_found:
2260         hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
2261         hci_dev_unlock(hdev);
2262 }
2263
2264 static inline void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
2265 {
2266         struct hci_ev_link_key_notify *ev = (void *) skb->data;
2267         struct hci_conn *conn;
2268         u8 pin_len = 0;
2269
2270         BT_DBG("%s", hdev->name);
2271
2272         hci_dev_lock(hdev);
2273
2274         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2275         if (conn) {
2276                 hci_conn_hold(conn);
2277                 conn->disc_timeout = HCI_DISCONN_TIMEOUT;
2278                 pin_len = conn->pin_length;
2279
2280                 if (ev->key_type != HCI_LK_CHANGED_COMBINATION)
2281                         conn->key_type = ev->key_type;
2282
2283                 hci_conn_put(conn);
2284         }
2285
2286         if (test_bit(HCI_LINK_KEYS, &hdev->flags))
2287                 hci_add_link_key(hdev, conn, 1, &ev->bdaddr, ev->link_key,
2288                                                         ev->key_type, pin_len);
2289
2290         hci_dev_unlock(hdev);
2291 }
2292
2293 static inline void hci_clock_offset_evt(struct hci_dev *hdev, struct sk_buff *skb)
2294 {
2295         struct hci_ev_clock_offset *ev = (void *) skb->data;
2296         struct hci_conn *conn;
2297
2298         BT_DBG("%s status %d", hdev->name, ev->status);
2299
2300         hci_dev_lock(hdev);
2301
2302         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2303         if (conn && !ev->status) {
2304                 struct inquiry_entry *ie;
2305
2306                 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
2307                 if (ie) {
2308                         ie->data.clock_offset = ev->clock_offset;
2309                         ie->timestamp = jiffies;
2310                 }
2311         }
2312
2313         hci_dev_unlock(hdev);
2314 }
2315
2316 static inline void hci_pkt_type_change_evt(struct hci_dev *hdev, struct sk_buff *skb)
2317 {
2318         struct hci_ev_pkt_type_change *ev = (void *) skb->data;
2319         struct hci_conn *conn;
2320
2321         BT_DBG("%s status %d", hdev->name, ev->status);
2322
2323         hci_dev_lock(hdev);
2324
2325         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2326         if (conn && !ev->status)
2327                 conn->pkt_type = __le16_to_cpu(ev->pkt_type);
2328
2329         hci_dev_unlock(hdev);
2330 }
2331
2332 static inline void hci_pscan_rep_mode_evt(struct hci_dev *hdev, struct sk_buff *skb)
2333 {
2334         struct hci_ev_pscan_rep_mode *ev = (void *) skb->data;
2335         struct inquiry_entry *ie;
2336
2337         BT_DBG("%s", hdev->name);
2338
2339         hci_dev_lock(hdev);
2340
2341         ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
2342         if (ie) {
2343                 ie->data.pscan_rep_mode = ev->pscan_rep_mode;
2344                 ie->timestamp = jiffies;
2345         }
2346
2347         hci_dev_unlock(hdev);
2348 }
2349
2350 static inline void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, struct sk_buff *skb)
2351 {
2352         struct inquiry_data data;
2353         int num_rsp = *((__u8 *) skb->data);
2354
2355         BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
2356
2357         if (!num_rsp)
2358                 return;
2359
2360         hci_dev_lock(hdev);
2361
2362         if (!test_and_set_bit(HCI_INQUIRY, &hdev->flags)) {
2363
2364                 if (test_bit(HCI_MGMT, &hdev->flags))
2365                         mgmt_discovering(hdev->id, 1);
2366         }
2367
2368         if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
2369                 struct inquiry_info_with_rssi_and_pscan_mode *info;
2370                 info = (void *) (skb->data + 1);
2371
2372                 for (; num_rsp; num_rsp--, info++) {
2373                         bacpy(&data.bdaddr, &info->bdaddr);
2374                         data.pscan_rep_mode     = info->pscan_rep_mode;
2375                         data.pscan_period_mode  = info->pscan_period_mode;
2376                         data.pscan_mode         = info->pscan_mode;
2377                         memcpy(data.dev_class, info->dev_class, 3);
2378                         data.clock_offset       = info->clock_offset;
2379                         data.rssi               = info->rssi;
2380                         data.ssp_mode           = 0x00;
2381                         hci_inquiry_cache_update(hdev, &data);
2382                         mgmt_device_found(hdev->id, &info->bdaddr,
2383                                                 info->dev_class, info->rssi,
2384                                                 NULL);
2385                 }
2386         } else {
2387                 struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
2388
2389                 for (; num_rsp; num_rsp--, info++) {
2390                         bacpy(&data.bdaddr, &info->bdaddr);
2391                         data.pscan_rep_mode     = info->pscan_rep_mode;
2392                         data.pscan_period_mode  = info->pscan_period_mode;
2393                         data.pscan_mode         = 0x00;
2394                         memcpy(data.dev_class, info->dev_class, 3);
2395                         data.clock_offset       = info->clock_offset;
2396                         data.rssi               = info->rssi;
2397                         data.ssp_mode           = 0x00;
2398                         hci_inquiry_cache_update(hdev, &data);
2399                         mgmt_device_found(hdev->id, &info->bdaddr,
2400                                                 info->dev_class, info->rssi,
2401                                                 NULL);
2402                 }
2403         }
2404
2405         hci_dev_unlock(hdev);
2406 }
2407
2408 static inline void hci_remote_ext_features_evt(struct hci_dev *hdev, struct sk_buff *skb)
2409 {
2410         struct hci_ev_remote_ext_features *ev = (void *) skb->data;
2411         struct hci_conn *conn;
2412
2413         BT_DBG("%s", hdev->name);
2414
2415         hci_dev_lock(hdev);
2416
2417         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2418         if (!conn)
2419                 goto unlock;
2420
2421         if (!ev->status && ev->page == 0x01) {
2422                 struct inquiry_entry *ie;
2423
2424                 ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
2425                 if (ie)
2426                         ie->data.ssp_mode = (ev->features[0] & 0x01);
2427
2428                 conn->ssp_mode = (ev->features[0] & 0x01);
2429         }
2430
2431         if (conn->state != BT_CONFIG)
2432                 goto unlock;
2433
2434         if (!ev->status) {
2435                 struct hci_cp_remote_name_req cp;
2436                 memset(&cp, 0, sizeof(cp));
2437                 bacpy(&cp.bdaddr, &conn->dst);
2438                 cp.pscan_rep_mode = 0x02;
2439                 hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2440         }
2441
2442         if (!hci_outgoing_auth_needed(hdev, conn)) {
2443                 conn->state = BT_CONNECTED;
2444                 hci_proto_connect_cfm(conn, ev->status);
2445                 hci_conn_put(conn);
2446         }
2447
2448 unlock:
2449         hci_dev_unlock(hdev);
2450 }
2451
2452 static inline void hci_sync_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2453 {
2454         struct hci_ev_sync_conn_complete *ev = (void *) skb->data;
2455         struct hci_conn *conn;
2456
2457         BT_DBG("%s status %d", hdev->name, ev->status);
2458
2459         hci_dev_lock(hdev);
2460
2461         conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
2462         if (!conn) {
2463                 if (ev->link_type == ESCO_LINK)
2464                         goto unlock;
2465
2466                 conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
2467                 if (!conn)
2468                         goto unlock;
2469
2470                 conn->type = SCO_LINK;
2471         }
2472
2473         switch (ev->status) {
2474         case 0x00:
2475                 conn->handle = __le16_to_cpu(ev->handle);
2476                 conn->state  = BT_CONNECTED;
2477
2478                 hci_conn_hold_device(conn);
2479                 hci_conn_add_sysfs(conn);
2480                 break;
2481
2482         case 0x11:      /* Unsupported Feature or Parameter Value */
2483         case 0x1c:      /* SCO interval rejected */
2484         case 0x1a:      /* Unsupported Remote Feature */
2485         case 0x1f:      /* Unspecified error */
2486                 if (conn->out && conn->attempt < 2) {
2487                         conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
2488                                         (hdev->esco_type & EDR_ESCO_MASK);
2489                         hci_setup_sync(conn, conn->link->handle);
2490                         goto unlock;
2491                 }
2492                 /* fall through */
2493
2494         default:
2495                 conn->state = BT_CLOSED;
2496                 break;
2497         }
2498
2499         hci_proto_connect_cfm(conn, ev->status);
2500         if (ev->status)
2501                 hci_conn_del(conn);
2502
2503 unlock:
2504         hci_dev_unlock(hdev);
2505 }
2506
2507 static inline void hci_sync_conn_changed_evt(struct hci_dev *hdev, struct sk_buff *skb)
2508 {
2509         BT_DBG("%s", hdev->name);
2510 }
2511
2512 static inline void hci_sniff_subrate_evt(struct hci_dev *hdev, struct sk_buff *skb)
2513 {
2514         struct hci_ev_sniff_subrate *ev = (void *) skb->data;
2515
2516         BT_DBG("%s status %d", hdev->name, ev->status);
2517 }
2518
2519 static inline void hci_extended_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
2520 {
2521         struct inquiry_data data;
2522         struct extended_inquiry_info *info = (void *) (skb->data + 1);
2523         int num_rsp = *((__u8 *) skb->data);
2524
2525         BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
2526
2527         if (!num_rsp)
2528                 return;
2529
2530         if (!test_and_set_bit(HCI_INQUIRY, &hdev->flags)) {
2531
2532                 if (test_bit(HCI_MGMT, &hdev->flags))
2533                         mgmt_discovering(hdev->id, 1);
2534         }
2535
2536         hci_dev_lock(hdev);
2537
2538         for (; num_rsp; num_rsp--, info++) {
2539                 bacpy(&data.bdaddr, &info->bdaddr);
2540                 data.pscan_rep_mode     = info->pscan_rep_mode;
2541                 data.pscan_period_mode  = info->pscan_period_mode;
2542                 data.pscan_mode         = 0x00;
2543                 memcpy(data.dev_class, info->dev_class, 3);
2544                 data.clock_offset       = info->clock_offset;
2545                 data.rssi               = info->rssi;
2546                 data.ssp_mode           = 0x01;
2547                 hci_inquiry_cache_update(hdev, &data);
2548                 mgmt_device_found(hdev->id, &info->bdaddr, info->dev_class,
2549                                                 info->rssi, info->data);
2550         }
2551
2552         hci_dev_unlock(hdev);
2553 }
2554
2555 static inline u8 hci_get_auth_req(struct hci_conn *conn)
2556 {
2557         /* If remote requests dedicated bonding follow that lead */
2558         if (conn->remote_auth == 0x02 || conn->remote_auth == 0x03) {
2559                 /* If both remote and local IO capabilities allow MITM
2560                  * protection then require it, otherwise don't */
2561                 if (conn->remote_cap == 0x03 || conn->io_capability == 0x03)
2562                         return 0x02;
2563                 else
2564                         return 0x03;
2565         }
2566
2567         /* If remote requests no-bonding follow that lead */
2568         if (conn->remote_auth == 0x00 || conn->remote_auth == 0x01)
2569                 return conn->remote_auth | (conn->auth_type & 0x01);
2570
2571         return conn->auth_type;
2572 }
2573
2574 static inline void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
2575 {
2576         struct hci_ev_io_capa_request *ev = (void *) skb->data;
2577         struct hci_conn *conn;
2578
2579         BT_DBG("%s", hdev->name);
2580
2581         hci_dev_lock(hdev);
2582
2583         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2584         if (!conn)
2585                 goto unlock;
2586
2587         hci_conn_hold(conn);
2588
2589         if (!test_bit(HCI_MGMT, &hdev->flags))
2590                 goto unlock;
2591
2592         if (test_bit(HCI_PAIRABLE, &hdev->flags) ||
2593                         (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
2594                 struct hci_cp_io_capability_reply cp;
2595
2596                 bacpy(&cp.bdaddr, &ev->bdaddr);
2597                 cp.capability = conn->io_capability;
2598                 conn->auth_type = hci_get_auth_req(conn);
2599                 cp.authentication = conn->auth_type;
2600
2601                 if ((conn->out == 0x01 || conn->remote_oob == 0x01) &&
2602                                 hci_find_remote_oob_data(hdev, &conn->dst))
2603                         cp.oob_data = 0x01;
2604                 else
2605                         cp.oob_data = 0x00;
2606
2607                 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
2608                                                         sizeof(cp), &cp);
2609         } else {
2610                 struct hci_cp_io_capability_neg_reply cp;
2611
2612                 bacpy(&cp.bdaddr, &ev->bdaddr);
2613                 cp.reason = 0x18; /* Pairing not allowed */
2614
2615                 hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
2616                                                         sizeof(cp), &cp);
2617         }
2618
2619 unlock:
2620         hci_dev_unlock(hdev);
2621 }
2622
2623 static inline void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb)
2624 {
2625         struct hci_ev_io_capa_reply *ev = (void *) skb->data;
2626         struct hci_conn *conn;
2627
2628         BT_DBG("%s", hdev->name);
2629
2630         hci_dev_lock(hdev);
2631
2632         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2633         if (!conn)
2634                 goto unlock;
2635
2636         conn->remote_cap = ev->capability;
2637         conn->remote_oob = ev->oob_data;
2638         conn->remote_auth = ev->authentication;
2639
2640 unlock:
2641         hci_dev_unlock(hdev);
2642 }
2643
2644 static inline void hci_user_confirm_request_evt(struct hci_dev *hdev,
2645                                                         struct sk_buff *skb)
2646 {
2647         struct hci_ev_user_confirm_req *ev = (void *) skb->data;
2648         int loc_mitm, rem_mitm, confirm_hint = 0;
2649         struct hci_conn *conn;
2650
2651         BT_DBG("%s", hdev->name);
2652
2653         hci_dev_lock(hdev);
2654
2655         if (!test_bit(HCI_MGMT, &hdev->flags))
2656                 goto unlock;
2657
2658         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2659         if (!conn)
2660                 goto unlock;
2661
2662         loc_mitm = (conn->auth_type & 0x01);
2663         rem_mitm = (conn->remote_auth & 0x01);
2664
2665         /* If we require MITM but the remote device can't provide that
2666          * (it has NoInputNoOutput) then reject the confirmation
2667          * request. The only exception is when we're dedicated bonding
2668          * initiators (connect_cfm_cb set) since then we always have the MITM
2669          * bit set. */
2670         if (!conn->connect_cfm_cb && loc_mitm && conn->remote_cap == 0x03) {
2671                 BT_DBG("Rejecting request: remote device can't provide MITM");
2672                 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
2673                                         sizeof(ev->bdaddr), &ev->bdaddr);
2674                 goto unlock;
2675         }
2676
2677         /* If no side requires MITM protection; auto-accept */
2678         if ((!loc_mitm || conn->remote_cap == 0x03) &&
2679                                 (!rem_mitm || conn->io_capability == 0x03)) {
2680
2681                 /* If we're not the initiators request authorization to
2682                  * proceed from user space (mgmt_user_confirm with
2683                  * confirm_hint set to 1). */
2684                 if (!test_bit(HCI_CONN_AUTH_PEND, &conn->pend)) {
2685                         BT_DBG("Confirming auto-accept as acceptor");
2686                         confirm_hint = 1;
2687                         goto confirm;
2688                 }
2689
2690                 BT_DBG("Auto-accept of user confirmation with %ums delay",
2691                                                 hdev->auto_accept_delay);
2692
2693                 if (hdev->auto_accept_delay > 0) {
2694                         int delay = msecs_to_jiffies(hdev->auto_accept_delay);
2695                         mod_timer(&conn->auto_accept_timer, jiffies + delay);
2696                         goto unlock;
2697                 }
2698
2699                 hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
2700                                                 sizeof(ev->bdaddr), &ev->bdaddr);
2701                 goto unlock;
2702         }
2703
2704 confirm:
2705         mgmt_user_confirm_request(hdev->id, &ev->bdaddr, ev->passkey,
2706                                                                 confirm_hint);
2707
2708 unlock:
2709         hci_dev_unlock(hdev);
2710 }
2711
2712 static inline void hci_simple_pair_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2713 {
2714         struct hci_ev_simple_pair_complete *ev = (void *) skb->data;
2715         struct hci_conn *conn;
2716
2717         BT_DBG("%s", hdev->name);
2718
2719         hci_dev_lock(hdev);
2720
2721         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
2722         if (!conn)
2723                 goto unlock;
2724
2725         /* To avoid duplicate auth_failed events to user space we check
2726          * the HCI_CONN_AUTH_PEND flag which will be set if we
2727          * initiated the authentication. A traditional auth_complete
2728          * event gets always produced as initiator and is also mapped to
2729          * the mgmt_auth_failed event */
2730         if (!test_bit(HCI_CONN_AUTH_PEND, &conn->pend) && ev->status != 0)
2731                 mgmt_auth_failed(hdev->id, &conn->dst, ev->status);
2732
2733         hci_conn_put(conn);
2734
2735 unlock:
2736         hci_dev_unlock(hdev);
2737 }
2738
2739 static inline void hci_remote_host_features_evt(struct hci_dev *hdev, struct sk_buff *skb)
2740 {
2741         struct hci_ev_remote_host_features *ev = (void *) skb->data;
2742         struct inquiry_entry *ie;
2743
2744         BT_DBG("%s", hdev->name);
2745
2746         hci_dev_lock(hdev);
2747
2748         ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
2749         if (ie)
2750                 ie->data.ssp_mode = (ev->features[0] & 0x01);
2751
2752         hci_dev_unlock(hdev);
2753 }
2754
2755 static inline void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
2756                                                         struct sk_buff *skb)
2757 {
2758         struct hci_ev_remote_oob_data_request *ev = (void *) skb->data;
2759         struct oob_data *data;
2760
2761         BT_DBG("%s", hdev->name);
2762
2763         hci_dev_lock(hdev);
2764
2765         if (!test_bit(HCI_MGMT, &hdev->flags))
2766                 goto unlock;
2767
2768         data = hci_find_remote_oob_data(hdev, &ev->bdaddr);
2769         if (data) {
2770                 struct hci_cp_remote_oob_data_reply cp;
2771
2772                 bacpy(&cp.bdaddr, &ev->bdaddr);
2773                 memcpy(cp.hash, data->hash, sizeof(cp.hash));
2774                 memcpy(cp.randomizer, data->randomizer, sizeof(cp.randomizer));
2775
2776                 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY, sizeof(cp),
2777                                                                         &cp);
2778         } else {
2779                 struct hci_cp_remote_oob_data_neg_reply cp;
2780
2781                 bacpy(&cp.bdaddr, &ev->bdaddr);
2782                 hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY, sizeof(cp),
2783                                                                         &cp);
2784         }
2785
2786 unlock:
2787         hci_dev_unlock(hdev);
2788 }
2789
2790 static inline void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
2791 {
2792         struct hci_ev_le_conn_complete *ev = (void *) skb->data;
2793         struct hci_conn *conn;
2794
2795         BT_DBG("%s status %d", hdev->name, ev->status);
2796
2797         hci_dev_lock(hdev);
2798
2799         conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &ev->bdaddr);
2800         if (!conn) {
2801                 conn = hci_conn_add(hdev, LE_LINK, &ev->bdaddr);
2802                 if (!conn) {
2803                         BT_ERR("No memory for new connection");
2804                         hci_dev_unlock(hdev);
2805                         return;
2806                 }
2807
2808                 conn->dst_type = ev->bdaddr_type;
2809         }
2810
2811         if (ev->status) {
2812                 mgmt_connect_failed(hdev->id, &ev->bdaddr, ev->status);
2813                 hci_proto_connect_cfm(conn, ev->status);
2814                 conn->state = BT_CLOSED;
2815                 hci_conn_del(conn);
2816                 goto unlock;
2817         }
2818
2819         mgmt_connected(hdev->id, &ev->bdaddr);
2820
2821         conn->sec_level = BT_SECURITY_LOW;
2822         conn->handle = __le16_to_cpu(ev->handle);
2823         conn->state = BT_CONNECTED;
2824
2825         hci_conn_hold_device(conn);
2826         hci_conn_add_sysfs(conn);
2827
2828         hci_proto_connect_cfm(conn, ev->status);
2829
2830 unlock:
2831         hci_dev_unlock(hdev);
2832 }
2833
2834 static inline void hci_le_adv_report_evt(struct hci_dev *hdev,
2835                                                 struct sk_buff *skb)
2836 {
2837         struct hci_ev_le_advertising_info *ev;
2838         u8 num_reports;
2839
2840         num_reports = skb->data[0];
2841         ev = (void *) &skb->data[1];
2842
2843         hci_dev_lock(hdev);
2844
2845         hci_add_adv_entry(hdev, ev);
2846
2847         while (--num_reports) {
2848                 ev = (void *) (ev->data + ev->length + 1);
2849                 hci_add_adv_entry(hdev, ev);
2850         }
2851
2852         hci_dev_unlock(hdev);
2853 }
2854
2855 static inline void hci_le_ltk_request_evt(struct hci_dev *hdev,
2856                                                 struct sk_buff *skb)
2857 {
2858         struct hci_ev_le_ltk_req *ev = (void *) skb->data;
2859         struct hci_cp_le_ltk_reply cp;
2860         struct hci_cp_le_ltk_neg_reply neg;
2861         struct hci_conn *conn;
2862         struct link_key *ltk;
2863
2864         BT_DBG("%s handle %d", hdev->name, cpu_to_le16(ev->handle));
2865
2866         hci_dev_lock(hdev);
2867
2868         conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
2869         if (conn == NULL)
2870                 goto not_found;
2871
2872         ltk = hci_find_ltk(hdev, ev->ediv, ev->random);
2873         if (ltk == NULL)
2874                 goto not_found;
2875
2876         memcpy(cp.ltk, ltk->val, sizeof(ltk->val));
2877         cp.handle = cpu_to_le16(conn->handle);
2878         conn->pin_length = ltk->pin_len;
2879
2880         hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
2881
2882         hci_dev_unlock(hdev);
2883
2884         return;
2885
2886 not_found:
2887         neg.handle = ev->handle;
2888         hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
2889         hci_dev_unlock(hdev);
2890 }
2891
2892 static inline void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
2893 {
2894         struct hci_ev_le_meta *le_ev = (void *) skb->data;
2895
2896         skb_pull(skb, sizeof(*le_ev));
2897
2898         switch (le_ev->subevent) {
2899         case HCI_EV_LE_CONN_COMPLETE:
2900                 hci_le_conn_complete_evt(hdev, skb);
2901                 break;
2902
2903         case HCI_EV_LE_ADVERTISING_REPORT:
2904                 hci_le_adv_report_evt(hdev, skb);
2905                 break;
2906
2907         case HCI_EV_LE_LTK_REQ:
2908                 hci_le_ltk_request_evt(hdev, skb);
2909                 break;
2910
2911         default:
2912                 break;
2913         }
2914 }
2915
2916 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
2917 {
2918         struct hci_event_hdr *hdr = (void *) skb->data;
2919         __u8 event = hdr->evt;
2920
2921         skb_pull(skb, HCI_EVENT_HDR_SIZE);
2922
2923         switch (event) {
2924         case HCI_EV_INQUIRY_COMPLETE:
2925                 hci_inquiry_complete_evt(hdev, skb);
2926                 break;
2927
2928         case HCI_EV_INQUIRY_RESULT:
2929                 hci_inquiry_result_evt(hdev, skb);
2930                 break;
2931
2932         case HCI_EV_CONN_COMPLETE:
2933                 hci_conn_complete_evt(hdev, skb);
2934                 break;
2935
2936         case HCI_EV_CONN_REQUEST:
2937                 hci_conn_request_evt(hdev, skb);
2938                 break;
2939
2940         case HCI_EV_DISCONN_COMPLETE:
2941                 hci_disconn_complete_evt(hdev, skb);
2942                 break;
2943
2944         case HCI_EV_AUTH_COMPLETE:
2945                 hci_auth_complete_evt(hdev, skb);
2946                 break;
2947
2948         case HCI_EV_REMOTE_NAME:
2949                 hci_remote_name_evt(hdev, skb);
2950                 break;
2951
2952         case HCI_EV_ENCRYPT_CHANGE:
2953                 hci_encrypt_change_evt(hdev, skb);
2954                 break;
2955
2956         case HCI_EV_CHANGE_LINK_KEY_COMPLETE:
2957                 hci_change_link_key_complete_evt(hdev, skb);
2958                 break;
2959
2960         case HCI_EV_REMOTE_FEATURES:
2961                 hci_remote_features_evt(hdev, skb);
2962                 break;
2963
2964         case HCI_EV_REMOTE_VERSION:
2965                 hci_remote_version_evt(hdev, skb);
2966                 break;
2967
2968         case HCI_EV_QOS_SETUP_COMPLETE:
2969                 hci_qos_setup_complete_evt(hdev, skb);
2970                 break;
2971
2972         case HCI_EV_CMD_COMPLETE:
2973                 hci_cmd_complete_evt(hdev, skb);
2974                 break;
2975
2976         case HCI_EV_CMD_STATUS:
2977                 hci_cmd_status_evt(hdev, skb);
2978                 break;
2979
2980         case HCI_EV_ROLE_CHANGE:
2981                 hci_role_change_evt(hdev, skb);
2982                 break;
2983
2984         case HCI_EV_NUM_COMP_PKTS:
2985                 hci_num_comp_pkts_evt(hdev, skb);
2986                 break;
2987
2988         case HCI_EV_MODE_CHANGE:
2989                 hci_mode_change_evt(hdev, skb);
2990                 break;
2991
2992         case HCI_EV_PIN_CODE_REQ:
2993                 hci_pin_code_request_evt(hdev, skb);
2994                 break;
2995
2996         case HCI_EV_LINK_KEY_REQ:
2997                 hci_link_key_request_evt(hdev, skb);
2998                 break;
2999
3000         case HCI_EV_LINK_KEY_NOTIFY:
3001                 hci_link_key_notify_evt(hdev, skb);
3002                 break;
3003
3004         case HCI_EV_CLOCK_OFFSET:
3005                 hci_clock_offset_evt(hdev, skb);
3006                 break;
3007
3008         case HCI_EV_PKT_TYPE_CHANGE:
3009                 hci_pkt_type_change_evt(hdev, skb);
3010                 break;
3011
3012         case HCI_EV_PSCAN_REP_MODE:
3013                 hci_pscan_rep_mode_evt(hdev, skb);
3014                 break;
3015
3016         case HCI_EV_INQUIRY_RESULT_WITH_RSSI:
3017                 hci_inquiry_result_with_rssi_evt(hdev, skb);
3018                 break;
3019
3020         case HCI_EV_REMOTE_EXT_FEATURES:
3021                 hci_remote_ext_features_evt(hdev, skb);
3022                 break;
3023
3024         case HCI_EV_SYNC_CONN_COMPLETE:
3025                 hci_sync_conn_complete_evt(hdev, skb);
3026                 break;
3027
3028         case HCI_EV_SYNC_CONN_CHANGED:
3029                 hci_sync_conn_changed_evt(hdev, skb);
3030                 break;
3031
3032         case HCI_EV_SNIFF_SUBRATE:
3033                 hci_sniff_subrate_evt(hdev, skb);
3034                 break;
3035
3036         case HCI_EV_EXTENDED_INQUIRY_RESULT:
3037                 hci_extended_inquiry_result_evt(hdev, skb);
3038                 break;
3039
3040         case HCI_EV_IO_CAPA_REQUEST:
3041                 hci_io_capa_request_evt(hdev, skb);
3042                 break;
3043
3044         case HCI_EV_IO_CAPA_REPLY:
3045                 hci_io_capa_reply_evt(hdev, skb);
3046                 break;
3047
3048         case HCI_EV_USER_CONFIRM_REQUEST:
3049                 hci_user_confirm_request_evt(hdev, skb);
3050                 break;
3051
3052         case HCI_EV_SIMPLE_PAIR_COMPLETE:
3053                 hci_simple_pair_complete_evt(hdev, skb);
3054                 break;
3055
3056         case HCI_EV_REMOTE_HOST_FEATURES:
3057                 hci_remote_host_features_evt(hdev, skb);
3058                 break;
3059
3060         case HCI_EV_LE_META:
3061                 hci_le_meta_evt(hdev, skb);
3062                 break;
3063
3064         case HCI_EV_REMOTE_OOB_DATA_REQUEST:
3065                 hci_remote_oob_data_request_evt(hdev, skb);
3066                 break;
3067
3068         default:
3069                 BT_DBG("%s event 0x%x", hdev->name, event);
3070                 break;
3071         }
3072
3073         kfree_skb(skb);
3074         hdev->stat.evt_rx++;
3075 }
3076
3077 /* Generate internal stack event */
3078 void hci_si_event(struct hci_dev *hdev, int type, int dlen, void *data)
3079 {
3080         struct hci_event_hdr *hdr;
3081         struct hci_ev_stack_internal *ev;
3082         struct sk_buff *skb;
3083
3084         skb = bt_skb_alloc(HCI_EVENT_HDR_SIZE + sizeof(*ev) + dlen, GFP_ATOMIC);
3085         if (!skb)
3086                 return;
3087
3088         hdr = (void *) skb_put(skb, HCI_EVENT_HDR_SIZE);
3089         hdr->evt  = HCI_EV_STACK_INTERNAL;
3090         hdr->plen = sizeof(*ev) + dlen;
3091
3092         ev  = (void *) skb_put(skb, sizeof(*ev) + dlen);
3093         ev->type = type;
3094         memcpy(ev->data, data, dlen);
3095
3096         bt_cb(skb)->incoming = 1;
3097         __net_timestamp(skb);
3098
3099         bt_cb(skb)->pkt_type = HCI_EVENT_PKT;
3100         skb->dev = (void *) hdev;
3101         hci_send_to_sock(hdev, skb, NULL);
3102         kfree_skb(skb);
3103 }
3104
3105 module_param(enable_le, bool, 0444);
3106 MODULE_PARM_DESC(enable_le, "Enable LE support");