1
/*
2
   BlueZ - Bluetooth protocol stack for Linux
3
   Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
4
   Copyright 2023-2024 NXP
5

6
   Written 2000,2001 by Maxim Krasnyansky <[email protected]>
7

8
   This program is free software; you can redistribute it and/or modify
9
   it under the terms of the GNU General Public License version 2 as
10
   published by the Free Software Foundation;
11

12
   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
13
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
14
   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
15
   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
16
   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
17
   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
18
   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
19
   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20

21
   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
22
   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
23
   SOFTWARE IS DISCLAIMED.
24
*/
25

26
/* Bluetooth HCI event handling. */
27

28
#include <linux/unaligned.h>
29
#include <linux/crypto.h>
30
#include <crypto/algapi.h>
31

32
#include <net/bluetooth/bluetooth.h>
33
#include <net/bluetooth/hci_core.h>
34
#include <net/bluetooth/mgmt.h>
35

36
#include "hci_debugfs.h"
37
#include "hci_codec.h"
38
#include "smp.h"
39
#include "msft.h"
40
#include "eir.h"
41

42
#define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
43
		 "\x00\x00\x00\x00\x00\x00\x00\x00"
44

45
/* Handle HCI Event packets */
46

47
static void *hci_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
48
			     u8 ev, size_t len)
49
{
50
	void *data;
51

52
	data = skb_pull_data(skb, len);
53
	if (!data)
54
		bt_dev_err(hdev, "Malformed Event: 0x%2.2x", ev);
55

56
	return data;
57
}
58

59
static void *hci_cc_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
60
			     u16 op, size_t len)
61
{
62
	void *data;
63

64
	data = skb_pull_data(skb, len);
65
	if (!data)
66
		bt_dev_err(hdev, "Malformed Command Complete: 0x%4.4x", op);
67

68
	return data;
69
}
70

71
static void *hci_le_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
72
				u8 ev, size_t len)
73
{
74
	void *data;
75

76
	data = skb_pull_data(skb, len);
77
	if (!data)
78
		bt_dev_err(hdev, "Malformed LE Event: 0x%2.2x", ev);
79

80
	return data;
81
}
82

83
static u8 hci_cc_inquiry_cancel(struct hci_dev *hdev, void *data,
84
				struct sk_buff *skb)
85
{
86
	struct hci_ev_status *rp = data;
87

88
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
89

90
	/* It is possible that we receive Inquiry Complete event right
91
	 * before we receive Inquiry Cancel Command Complete event, in
92
	 * which case the latter event should have status of Command
93
	 * Disallowed. This should not be treated as error, since
94
	 * we actually achieve what Inquiry Cancel wants to achieve,
95
	 * which is to end the last Inquiry session.
96
	 */
97
	if (rp->status == HCI_ERROR_COMMAND_DISALLOWED && !test_bit(HCI_INQUIRY, &hdev->flags)) {
98
		bt_dev_warn(hdev, "Ignoring error of Inquiry Cancel command");
99
		rp->status = 0x00;
100
	}
101

102
	if (rp->status)
103
		return rp->status;
104

105
	clear_bit(HCI_INQUIRY, &hdev->flags);
106
	smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
107
	wake_up_bit(&hdev->flags, HCI_INQUIRY);
108

109
	hci_dev_lock(hdev);
110
	/* Set discovery state to stopped if we're not doing LE active
111
	 * scanning.
112
	 */
113
	if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
114
	    hdev->le_scan_type != LE_SCAN_ACTIVE)
115
		hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
116
	hci_dev_unlock(hdev);
117

118
	return rp->status;
119
}
120

121
static u8 hci_cc_periodic_inq(struct hci_dev *hdev, void *data,
122
			      struct sk_buff *skb)
123
{
124
	struct hci_ev_status *rp = data;
125

126
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
127

128
	if (rp->status)
129
		return rp->status;
130

131
	hci_dev_set_flag(hdev, HCI_PERIODIC_INQ);
132

133
	return rp->status;
134
}
135

136
static u8 hci_cc_exit_periodic_inq(struct hci_dev *hdev, void *data,
137
				   struct sk_buff *skb)
138
{
139
	struct hci_ev_status *rp = data;
140

141
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
142

143
	if (rp->status)
144
		return rp->status;
145

146
	hci_dev_clear_flag(hdev, HCI_PERIODIC_INQ);
147

148
	return rp->status;
149
}
150

151
static u8 hci_cc_remote_name_req_cancel(struct hci_dev *hdev, void *data,
152
					struct sk_buff *skb)
153
{
154
	struct hci_rp_remote_name_req_cancel *rp = data;
155

156
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
157

158
	return rp->status;
159
}
160

161
static u8 hci_cc_role_discovery(struct hci_dev *hdev, void *data,
162
				struct sk_buff *skb)
163
{
164
	struct hci_rp_role_discovery *rp = data;
165
	struct hci_conn *conn;
166

167
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
168

169
	if (rp->status)
170
		return rp->status;
171

172
	hci_dev_lock(hdev);
173

174
	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
175
	if (conn)
176
		conn->role = rp->role;
177

178
	hci_dev_unlock(hdev);
179

180
	return rp->status;
181
}
182

183
static u8 hci_cc_read_link_policy(struct hci_dev *hdev, void *data,
184
				  struct sk_buff *skb)
185
{
186
	struct hci_rp_read_link_policy *rp = data;
187
	struct hci_conn *conn;
188

189
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
190

191
	if (rp->status)
192
		return rp->status;
193

194
	hci_dev_lock(hdev);
195

196
	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
197
	if (conn)
198
		conn->link_policy = __le16_to_cpu(rp->policy);
199

200
	hci_dev_unlock(hdev);
201

202
	return rp->status;
203
}
204

205
static u8 hci_cc_write_link_policy(struct hci_dev *hdev, void *data,
206
				   struct sk_buff *skb)
207
{
208
	struct hci_rp_write_link_policy *rp = data;
209
	struct hci_conn *conn;
210
	void *sent;
211

212
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
213

214
	if (rp->status)
215
		return rp->status;
216

217
	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LINK_POLICY);
218
	if (!sent)
219
		return rp->status;
220

221
	hci_dev_lock(hdev);
222

223
	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
224
	if (conn)
225
		conn->link_policy = get_unaligned_le16(sent + 2);
226

227
	hci_dev_unlock(hdev);
228

229
	return rp->status;
230
}
231

232
static u8 hci_cc_read_def_link_policy(struct hci_dev *hdev, void *data,
233
				      struct sk_buff *skb)
234
{
235
	struct hci_rp_read_def_link_policy *rp = data;
236

237
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
238

239
	if (rp->status)
240
		return rp->status;
241

242
	hdev->link_policy = __le16_to_cpu(rp->policy);
243

244
	return rp->status;
245
}
246

247
static u8 hci_cc_write_def_link_policy(struct hci_dev *hdev, void *data,
248
				       struct sk_buff *skb)
249
{
250
	struct hci_ev_status *rp = data;
251
	void *sent;
252

253
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
254

255
	if (rp->status)
256
		return rp->status;
257

258
	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_LINK_POLICY);
259
	if (!sent)
260
		return rp->status;
261

262
	hdev->link_policy = get_unaligned_le16(sent);
263

264
	return rp->status;
265
}
266

267
static u8 hci_cc_reset(struct hci_dev *hdev, void *data, struct sk_buff *skb)
268
{
269
	struct hci_ev_status *rp = data;
270

271
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
272

273
	clear_bit(HCI_RESET, &hdev->flags);
274

275
	if (rp->status)
276
		return rp->status;
277

278
	/* Reset all non-persistent flags */
279
	hci_dev_clear_volatile_flags(hdev);
280

281
	hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
282

283
	hdev->inq_tx_power = HCI_TX_POWER_INVALID;
284
	hdev->adv_tx_power = HCI_TX_POWER_INVALID;
285

286
	memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
287
	hdev->adv_data_len = 0;
288

289
	memset(hdev->scan_rsp_data, 0, sizeof(hdev->scan_rsp_data));
290
	hdev->scan_rsp_data_len = 0;
291

292
	hdev->le_scan_type = LE_SCAN_PASSIVE;
293

294
	hdev->ssp_debug_mode = 0;
295

296
	hci_bdaddr_list_clear(&hdev->le_accept_list);
297
	hci_bdaddr_list_clear(&hdev->le_resolv_list);
298

299
	return rp->status;
300
}
301

302
static u8 hci_cc_read_stored_link_key(struct hci_dev *hdev, void *data,
303
				      struct sk_buff *skb)
304
{
305
	struct hci_rp_read_stored_link_key *rp = data;
306
	struct hci_cp_read_stored_link_key *sent;
307

308
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
309

310
	sent = hci_sent_cmd_data(hdev, HCI_OP_READ_STORED_LINK_KEY);
311
	if (!sent)
312
		return rp->status;
313

314
	if (!rp->status && sent->read_all == 0x01) {
315
		hdev->stored_max_keys = le16_to_cpu(rp->max_keys);
316
		hdev->stored_num_keys = le16_to_cpu(rp->num_keys);
317
	}
318

319
	return rp->status;
320
}
321

322
static u8 hci_cc_delete_stored_link_key(struct hci_dev *hdev, void *data,
323
					struct sk_buff *skb)
324
{
325
	struct hci_rp_delete_stored_link_key *rp = data;
326
	u16 num_keys;
327

328
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
329

330
	if (rp->status)
331
		return rp->status;
332

333
	num_keys = le16_to_cpu(rp->num_keys);
334

335
	if (num_keys <= hdev->stored_num_keys)
336
		hdev->stored_num_keys -= num_keys;
337
	else
338
		hdev->stored_num_keys = 0;
339

340
	return rp->status;
341
}
342

343
static u8 hci_cc_write_local_name(struct hci_dev *hdev, void *data,
344
				  struct sk_buff *skb)
345
{
346
	struct hci_ev_status *rp = data;
347
	void *sent;
348

349
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
350

351
	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
352
	if (!sent)
353
		return rp->status;
354

355
	hci_dev_lock(hdev);
356

357
	if (hci_dev_test_flag(hdev, HCI_MGMT))
358
		mgmt_set_local_name_complete(hdev, sent, rp->status);
359
	else if (!rp->status)
360
		memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
361

362
	hci_dev_unlock(hdev);
363

364
	return rp->status;
365
}
366

367
static u8 hci_cc_read_local_name(struct hci_dev *hdev, void *data,
368
				 struct sk_buff *skb)
369
{
370
	struct hci_rp_read_local_name *rp = data;
371

372
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
373

374
	if (rp->status)
375
		return rp->status;
376

377
	if (hci_dev_test_flag(hdev, HCI_SETUP) ||
378
	    hci_dev_test_flag(hdev, HCI_CONFIG))
379
		memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
380

381
	return rp->status;
382
}
383

384
static u8 hci_cc_write_auth_enable(struct hci_dev *hdev, void *data,
385
				   struct sk_buff *skb)
386
{
387
	struct hci_ev_status *rp = data;
388
	void *sent;
389

390
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
391

392
	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_ENABLE);
393
	if (!sent)
394
		return rp->status;
395

396
	hci_dev_lock(hdev);
397

398
	if (!rp->status) {
399
		__u8 param = *((__u8 *) sent);
400

401
		if (param == AUTH_ENABLED)
402
			set_bit(HCI_AUTH, &hdev->flags);
403
		else
404
			clear_bit(HCI_AUTH, &hdev->flags);
405
	}
406

407
	if (hci_dev_test_flag(hdev, HCI_MGMT))
408
		mgmt_auth_enable_complete(hdev, rp->status);
409

410
	hci_dev_unlock(hdev);
411

412
	return rp->status;
413
}
414

415
static u8 hci_cc_write_encrypt_mode(struct hci_dev *hdev, void *data,
416
				    struct sk_buff *skb)
417
{
418
	struct hci_ev_status *rp = data;
419
	__u8 param;
420
	void *sent;
421

422
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
423

424
	if (rp->status)
425
		return rp->status;
426

427
	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_ENCRYPT_MODE);
428
	if (!sent)
429
		return rp->status;
430

431
	param = *((__u8 *) sent);
432

433
	if (param)
434
		set_bit(HCI_ENCRYPT, &hdev->flags);
435
	else
436
		clear_bit(HCI_ENCRYPT, &hdev->flags);
437

438
	return rp->status;
439
}
440

441
static u8 hci_cc_write_scan_enable(struct hci_dev *hdev, void *data,
442
				   struct sk_buff *skb)
443
{
444
	struct hci_ev_status *rp = data;
445
	__u8 param;
446
	void *sent;
447

448
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
449

450
	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SCAN_ENABLE);
451
	if (!sent)
452
		return rp->status;
453

454
	param = *((__u8 *) sent);
455

456
	hci_dev_lock(hdev);
457

458
	if (rp->status) {
459
		hdev->discov_timeout = 0;
460
		goto done;
461
	}
462

463
	if (param & SCAN_INQUIRY)
464
		set_bit(HCI_ISCAN, &hdev->flags);
465
	else
466
		clear_bit(HCI_ISCAN, &hdev->flags);
467

468
	if (param & SCAN_PAGE)
469
		set_bit(HCI_PSCAN, &hdev->flags);
470
	else
471
		clear_bit(HCI_PSCAN, &hdev->flags);
472

473
done:
474
	hci_dev_unlock(hdev);
475

476
	return rp->status;
477
}
478

479
static u8 hci_cc_set_event_filter(struct hci_dev *hdev, void *data,
480
				  struct sk_buff *skb)
481
{
482
	struct hci_ev_status *rp = data;
483
	struct hci_cp_set_event_filter *cp;
484
	void *sent;
485

486
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
487

488
	if (rp->status)
489
		return rp->status;
490

491
	sent = hci_sent_cmd_data(hdev, HCI_OP_SET_EVENT_FLT);
492
	if (!sent)
493
		return rp->status;
494

495
	cp = (struct hci_cp_set_event_filter *)sent;
496

497
	if (cp->flt_type == HCI_FLT_CLEAR_ALL)
498
		hci_dev_clear_flag(hdev, HCI_EVENT_FILTER_CONFIGURED);
499
	else
500
		hci_dev_set_flag(hdev, HCI_EVENT_FILTER_CONFIGURED);
501

502
	return rp->status;
503
}
504

505
static u8 hci_cc_read_class_of_dev(struct hci_dev *hdev, void *data,
506
				   struct sk_buff *skb)
507
{
508
	struct hci_rp_read_class_of_dev *rp = data;
509

510
	if (WARN_ON(!hdev))
511
		return HCI_ERROR_UNSPECIFIED;
512

513
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
514

515
	if (rp->status)
516
		return rp->status;
517

518
	memcpy(hdev->dev_class, rp->dev_class, 3);
519

520
	bt_dev_dbg(hdev, "class 0x%.2x%.2x%.2x", hdev->dev_class[2],
521
		   hdev->dev_class[1], hdev->dev_class[0]);
522

523
	return rp->status;
524
}
525

526
static u8 hci_cc_write_class_of_dev(struct hci_dev *hdev, void *data,
527
				    struct sk_buff *skb)
528
{
529
	struct hci_ev_status *rp = data;
530
	void *sent;
531

532
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
533

534
	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_CLASS_OF_DEV);
535
	if (!sent)
536
		return rp->status;
537

538
	hci_dev_lock(hdev);
539

540
	if (!rp->status)
541
		memcpy(hdev->dev_class, sent, 3);
542

543
	if (hci_dev_test_flag(hdev, HCI_MGMT))
544
		mgmt_set_class_of_dev_complete(hdev, sent, rp->status);
545

546
	hci_dev_unlock(hdev);
547

548
	return rp->status;
549
}
550

551
static u8 hci_cc_read_voice_setting(struct hci_dev *hdev, void *data,
552
				    struct sk_buff *skb)
553
{
554
	struct hci_rp_read_voice_setting *rp = data;
555
	__u16 setting;
556

557
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
558

559
	if (rp->status)
560
		return rp->status;
561

562
	setting = __le16_to_cpu(rp->voice_setting);
563

564
	if (hdev->voice_setting == setting)
565
		return rp->status;
566

567
	hdev->voice_setting = setting;
568

569
	bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting);
570

571
	if (hdev->notify)
572
		hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
573

574
	return rp->status;
575
}
576

577
static u8 hci_cc_write_voice_setting(struct hci_dev *hdev, void *data,
578
				     struct sk_buff *skb)
579
{
580
	struct hci_ev_status *rp = data;
581
	__u16 setting;
582
	void *sent;
583

584
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
585

586
	if (rp->status)
587
		return rp->status;
588

589
	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_VOICE_SETTING);
590
	if (!sent)
591
		return rp->status;
592

593
	setting = get_unaligned_le16(sent);
594

595
	if (hdev->voice_setting == setting)
596
		return rp->status;
597

598
	hdev->voice_setting = setting;
599

600
	bt_dev_dbg(hdev, "voice setting 0x%4.4x", setting);
601

602
	if (hdev->notify)
603
		hdev->notify(hdev, HCI_NOTIFY_VOICE_SETTING);
604

605
	return rp->status;
606
}
607

608
static u8 hci_cc_read_num_supported_iac(struct hci_dev *hdev, void *data,
609
					struct sk_buff *skb)
610
{
611
	struct hci_rp_read_num_supported_iac *rp = data;
612

613
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
614

615
	if (rp->status)
616
		return rp->status;
617

618
	hdev->num_iac = rp->num_iac;
619

620
	bt_dev_dbg(hdev, "num iac %d", hdev->num_iac);
621

622
	return rp->status;
623
}
624

625
static u8 hci_cc_write_ssp_mode(struct hci_dev *hdev, void *data,
626
				struct sk_buff *skb)
627
{
628
	struct hci_ev_status *rp = data;
629
	struct hci_cp_write_ssp_mode *sent;
630

631
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
632

633
	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_MODE);
634
	if (!sent)
635
		return rp->status;
636

637
	hci_dev_lock(hdev);
638

639
	if (!rp->status) {
640
		if (sent->mode)
641
			hdev->features[1][0] |= LMP_HOST_SSP;
642
		else
643
			hdev->features[1][0] &= ~LMP_HOST_SSP;
644
	}
645

646
	if (!rp->status) {
647
		if (sent->mode)
648
			hci_dev_set_flag(hdev, HCI_SSP_ENABLED);
649
		else
650
			hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
651
	}
652

653
	hci_dev_unlock(hdev);
654

655
	return rp->status;
656
}
657

658
static u8 hci_cc_write_sc_support(struct hci_dev *hdev, void *data,
659
				  struct sk_buff *skb)
660
{
661
	struct hci_ev_status *rp = data;
662
	struct hci_cp_write_sc_support *sent;
663

664
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
665

666
	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SC_SUPPORT);
667
	if (!sent)
668
		return rp->status;
669

670
	hci_dev_lock(hdev);
671

672
	if (!rp->status) {
673
		if (sent->support)
674
			hdev->features[1][0] |= LMP_HOST_SC;
675
		else
676
			hdev->features[1][0] &= ~LMP_HOST_SC;
677
	}
678

679
	if (!hci_dev_test_flag(hdev, HCI_MGMT) && !rp->status) {
680
		if (sent->support)
681
			hci_dev_set_flag(hdev, HCI_SC_ENABLED);
682
		else
683
			hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
684
	}
685

686
	hci_dev_unlock(hdev);
687

688
	return rp->status;
689
}
690

691
static u8 hci_cc_read_local_version(struct hci_dev *hdev, void *data,
692
				    struct sk_buff *skb)
693
{
694
	struct hci_rp_read_local_version *rp = data;
695

696
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
697

698
	if (rp->status)
699
		return rp->status;
700

701
	if (hci_dev_test_flag(hdev, HCI_SETUP) ||
702
	    hci_dev_test_flag(hdev, HCI_CONFIG)) {
703
		hdev->hci_ver = rp->hci_ver;
704
		hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
705
		hdev->lmp_ver = rp->lmp_ver;
706
		hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
707
		hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
708
	}
709

710
	return rp->status;
711
}
712

713
static u8 hci_cc_read_enc_key_size(struct hci_dev *hdev, void *data,
714
				   struct sk_buff *skb)
715
{
716
	struct hci_rp_read_enc_key_size *rp = data;
717
	struct hci_conn *conn;
718
	u16 handle;
719
	u8 status = rp->status;
720

721
	bt_dev_dbg(hdev, "status 0x%2.2x", status);
722

723
	handle = le16_to_cpu(rp->handle);
724

725
	hci_dev_lock(hdev);
726

727
	conn = hci_conn_hash_lookup_handle(hdev, handle);
728
	if (!conn) {
729
		status = 0xFF;
730
		goto done;
731
	}
732

733
	/* While unexpected, the read_enc_key_size command may fail. The most
734
	 * secure approach is to then assume the key size is 0 to force a
735
	 * disconnection.
736
	 */
737
	if (status) {
738
		bt_dev_err(hdev, "failed to read key size for handle %u",
739
			   handle);
740
		conn->enc_key_size = 0;
741
	} else {
742
		u8 *key_enc_size = hci_conn_key_enc_size(conn);
743

744
		conn->enc_key_size = rp->key_size;
745
		status = 0;
746

747
		/* Attempt to check if the key size is too small or if it has
748
		 * been downgraded from the last time it was stored as part of
749
		 * the link_key.
750
		 */
751
		if (conn->enc_key_size < hdev->min_enc_key_size ||
752
		    (key_enc_size && conn->enc_key_size < *key_enc_size)) {
753
			/* As slave role, the conn->state has been set to
754
			 * BT_CONNECTED and l2cap conn req might not be received
755
			 * yet, at this moment the l2cap layer almost does
756
			 * nothing with the non-zero status.
757
			 * So we also clear encrypt related bits, and then the
758
			 * handler of l2cap conn req will get the right secure
759
			 * state at a later time.
760
			 */
761
			status = HCI_ERROR_AUTH_FAILURE;
762
			clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
763
			clear_bit(HCI_CONN_AES_CCM, &conn->flags);
764
		}
765

766
		/* Update the key encryption size with the connection one */
767
		if (key_enc_size && *key_enc_size != conn->enc_key_size)
768
			*key_enc_size = conn->enc_key_size;
769
	}
770

771
	hci_encrypt_cfm(conn, status);
772

773
done:
774
	hci_dev_unlock(hdev);
775

776
	return status;
777
}
778

779
static u8 hci_cc_read_local_commands(struct hci_dev *hdev, void *data,
780
				     struct sk_buff *skb)
781
{
782
	struct hci_rp_read_local_commands *rp = data;
783

784
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
785

786
	if (rp->status)
787
		return rp->status;
788

789
	if (hci_dev_test_flag(hdev, HCI_SETUP) ||
790
	    hci_dev_test_flag(hdev, HCI_CONFIG))
791
		memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
792

793
	return rp->status;
794
}
795

796
static u8 hci_cc_read_auth_payload_timeout(struct hci_dev *hdev, void *data,
797
					   struct sk_buff *skb)
798
{
799
	struct hci_rp_read_auth_payload_to *rp = data;
800
	struct hci_conn *conn;
801

802
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
803

804
	if (rp->status)
805
		return rp->status;
806

807
	hci_dev_lock(hdev);
808

809
	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
810
	if (conn)
811
		conn->auth_payload_timeout = __le16_to_cpu(rp->timeout);
812

813
	hci_dev_unlock(hdev);
814

815
	return rp->status;
816
}
817

818
static u8 hci_cc_write_auth_payload_timeout(struct hci_dev *hdev, void *data,
819
					    struct sk_buff *skb)
820
{
821
	struct hci_rp_write_auth_payload_to *rp = data;
822
	struct hci_conn *conn;
823
	void *sent;
824

825
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
826

827
	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO);
828
	if (!sent)
829
		return rp->status;
830

831
	hci_dev_lock(hdev);
832

833
	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
834
	if (!conn) {
835
		rp->status = 0xff;
836
		goto unlock;
837
	}
838

839
	if (!rp->status)
840
		conn->auth_payload_timeout = get_unaligned_le16(sent + 2);
841

842
unlock:
843
	hci_dev_unlock(hdev);
844

845
	return rp->status;
846
}
847

848
static u8 hci_cc_read_local_features(struct hci_dev *hdev, void *data,
849
				     struct sk_buff *skb)
850
{
851
	struct hci_rp_read_local_features *rp = data;
852

853
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
854

855
	if (rp->status)
856
		return rp->status;
857

858
	memcpy(hdev->features, rp->features, 8);
859

860
	/* Adjust default settings according to features
861
	 * supported by device. */
862

863
	if (hdev->features[0][0] & LMP_3SLOT)
864
		hdev->pkt_type |= (HCI_DM3 | HCI_DH3);
865

866
	if (hdev->features[0][0] & LMP_5SLOT)
867
		hdev->pkt_type |= (HCI_DM5 | HCI_DH5);
868

869
	if (hdev->features[0][1] & LMP_HV2) {
870
		hdev->pkt_type  |= (HCI_HV2);
871
		hdev->esco_type |= (ESCO_HV2);
872
	}
873

874
	if (hdev->features[0][1] & LMP_HV3) {
875
		hdev->pkt_type  |= (HCI_HV3);
876
		hdev->esco_type |= (ESCO_HV3);
877
	}
878

879
	if (lmp_esco_capable(hdev))
880
		hdev->esco_type |= (ESCO_EV3);
881

882
	if (hdev->features[0][4] & LMP_EV4)
883
		hdev->esco_type |= (ESCO_EV4);
884

885
	if (hdev->features[0][4] & LMP_EV5)
886
		hdev->esco_type |= (ESCO_EV5);
887

888
	if (hdev->features[0][5] & LMP_EDR_ESCO_2M)
889
		hdev->esco_type |= (ESCO_2EV3);
890

891
	if (hdev->features[0][5] & LMP_EDR_ESCO_3M)
892
		hdev->esco_type |= (ESCO_3EV3);
893

894
	if (hdev->features[0][5] & LMP_EDR_3S_ESCO)
895
		hdev->esco_type |= (ESCO_2EV5 | ESCO_3EV5);
896

897
	return rp->status;
898
}
899

900
static u8 hci_cc_read_local_ext_features(struct hci_dev *hdev, void *data,
901
					 struct sk_buff *skb)
902
{
903
	struct hci_rp_read_local_ext_features *rp = data;
904

905
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
906

907
	if (rp->status)
908
		return rp->status;
909

910
	if (hdev->max_page < rp->max_page) {
911
		if (hci_test_quirk(hdev,
912
				   HCI_QUIRK_BROKEN_LOCAL_EXT_FEATURES_PAGE_2))
913
			bt_dev_warn(hdev, "broken local ext features page 2");
914
		else
915
			hdev->max_page = rp->max_page;
916
	}
917

918
	if (rp->page < HCI_MAX_PAGES)
919
		memcpy(hdev->features[rp->page], rp->features, 8);
920

921
	return rp->status;
922
}
923

924
static u8 hci_cc_read_buffer_size(struct hci_dev *hdev, void *data,
925
				  struct sk_buff *skb)
926
{
927
	struct hci_rp_read_buffer_size *rp = data;
928

929
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
930

931
	if (rp->status)
932
		return rp->status;
933

934
	hdev->acl_mtu  = __le16_to_cpu(rp->acl_mtu);
935
	hdev->sco_mtu  = rp->sco_mtu;
936
	hdev->acl_pkts = __le16_to_cpu(rp->acl_max_pkt);
937
	hdev->sco_pkts = __le16_to_cpu(rp->sco_max_pkt);
938

939
	if (hci_test_quirk(hdev, HCI_QUIRK_FIXUP_BUFFER_SIZE)) {
940
		hdev->sco_mtu  = 64;
941
		hdev->sco_pkts = 8;
942
	}
943

944
	if (!read_voice_setting_capable(hdev))
945
		hdev->sco_pkts = 0;
946

947
	hdev->acl_cnt = hdev->acl_pkts;
948
	hdev->sco_cnt = hdev->sco_pkts;
949

950
	BT_DBG("%s acl mtu %d:%d sco mtu %d:%d", hdev->name, hdev->acl_mtu,
951
	       hdev->acl_pkts, hdev->sco_mtu, hdev->sco_pkts);
952

953
	if (!hdev->acl_mtu || !hdev->acl_pkts)
954
		return HCI_ERROR_INVALID_PARAMETERS;
955

956
	return rp->status;
957
}
958

959
static u8 hci_cc_read_bd_addr(struct hci_dev *hdev, void *data,
960
			      struct sk_buff *skb)
961
{
962
	struct hci_rp_read_bd_addr *rp = data;
963

964
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
965

966
	if (rp->status)
967
		return rp->status;
968

969
	if (test_bit(HCI_INIT, &hdev->flags))
970
		bacpy(&hdev->bdaddr, &rp->bdaddr);
971

972
	if (hci_dev_test_flag(hdev, HCI_SETUP))
973
		bacpy(&hdev->setup_addr, &rp->bdaddr);
974

975
	return rp->status;
976
}
977

978
static u8 hci_cc_read_local_pairing_opts(struct hci_dev *hdev, void *data,
979
					 struct sk_buff *skb)
980
{
981
	struct hci_rp_read_local_pairing_opts *rp = data;
982

983
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
984

985
	if (rp->status)
986
		return rp->status;
987

988
	if (hci_dev_test_flag(hdev, HCI_SETUP) ||
989
	    hci_dev_test_flag(hdev, HCI_CONFIG)) {
990
		hdev->pairing_opts = rp->pairing_opts;
991
		hdev->max_enc_key_size = rp->max_key_size;
992
	}
993

994
	return rp->status;
995
}
996

997
static u8 hci_cc_read_page_scan_activity(struct hci_dev *hdev, void *data,
998
					 struct sk_buff *skb)
999
{
1000
	struct hci_rp_read_page_scan_activity *rp = data;
1001

1002
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1003

1004
	if (rp->status)
1005
		return rp->status;
1006

1007
	if (test_bit(HCI_INIT, &hdev->flags)) {
1008
		hdev->page_scan_interval = __le16_to_cpu(rp->interval);
1009
		hdev->page_scan_window = __le16_to_cpu(rp->window);
1010
	}
1011

1012
	return rp->status;
1013
}
1014

1015
static u8 hci_cc_write_page_scan_activity(struct hci_dev *hdev, void *data,
1016
					  struct sk_buff *skb)
1017
{
1018
	struct hci_ev_status *rp = data;
1019
	struct hci_cp_write_page_scan_activity *sent;
1020

1021
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1022

1023
	if (rp->status)
1024
		return rp->status;
1025

1026
	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY);
1027
	if (!sent)
1028
		return rp->status;
1029

1030
	hdev->page_scan_interval = __le16_to_cpu(sent->interval);
1031
	hdev->page_scan_window = __le16_to_cpu(sent->window);
1032

1033
	return rp->status;
1034
}
1035

1036
static u8 hci_cc_read_page_scan_type(struct hci_dev *hdev, void *data,
1037
				     struct sk_buff *skb)
1038
{
1039
	struct hci_rp_read_page_scan_type *rp = data;
1040

1041
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1042

1043
	if (rp->status)
1044
		return rp->status;
1045

1046
	if (test_bit(HCI_INIT, &hdev->flags))
1047
		hdev->page_scan_type = rp->type;
1048

1049
	return rp->status;
1050
}
1051

1052
static u8 hci_cc_write_page_scan_type(struct hci_dev *hdev, void *data,
1053
				      struct sk_buff *skb)
1054
{
1055
	struct hci_ev_status *rp = data;
1056
	u8 *type;
1057

1058
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1059

1060
	if (rp->status)
1061
		return rp->status;
1062

1063
	type = hci_sent_cmd_data(hdev, HCI_OP_WRITE_PAGE_SCAN_TYPE);
1064
	if (type)
1065
		hdev->page_scan_type = *type;
1066

1067
	return rp->status;
1068
}
1069

1070
static u8 hci_cc_read_clock(struct hci_dev *hdev, void *data,
1071
			    struct sk_buff *skb)
1072
{
1073
	struct hci_rp_read_clock *rp = data;
1074
	struct hci_cp_read_clock *cp;
1075
	struct hci_conn *conn;
1076

1077
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1078

1079
	if (rp->status)
1080
		return rp->status;
1081

1082
	hci_dev_lock(hdev);
1083

1084
	cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
1085
	if (!cp)
1086
		goto unlock;
1087

1088
	if (cp->which == 0x00) {
1089
		hdev->clock = le32_to_cpu(rp->clock);
1090
		goto unlock;
1091
	}
1092

1093
	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
1094
	if (conn) {
1095
		conn->clock = le32_to_cpu(rp->clock);
1096
		conn->clock_accuracy = le16_to_cpu(rp->accuracy);
1097
	}
1098

1099
unlock:
1100
	hci_dev_unlock(hdev);
1101
	return rp->status;
1102
}
1103

1104
static u8 hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev, void *data,
1105
				       struct sk_buff *skb)
1106
{
1107
	struct hci_rp_read_inq_rsp_tx_power *rp = data;
1108

1109
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1110

1111
	if (rp->status)
1112
		return rp->status;
1113

1114
	hdev->inq_tx_power = rp->tx_power;
1115

1116
	return rp->status;
1117
}
1118

1119
static u8 hci_cc_read_def_err_data_reporting(struct hci_dev *hdev, void *data,
1120
					     struct sk_buff *skb)
1121
{
1122
	struct hci_rp_read_def_err_data_reporting *rp = data;
1123

1124
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1125

1126
	if (rp->status)
1127
		return rp->status;
1128

1129
	hdev->err_data_reporting = rp->err_data_reporting;
1130

1131
	return rp->status;
1132
}
1133

1134
static u8 hci_cc_write_def_err_data_reporting(struct hci_dev *hdev, void *data,
1135
					      struct sk_buff *skb)
1136
{
1137
	struct hci_ev_status *rp = data;
1138
	struct hci_cp_write_def_err_data_reporting *cp;
1139

1140
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1141

1142
	if (rp->status)
1143
		return rp->status;
1144

1145
	cp = hci_sent_cmd_data(hdev, HCI_OP_WRITE_DEF_ERR_DATA_REPORTING);
1146
	if (!cp)
1147
		return rp->status;
1148

1149
	hdev->err_data_reporting = cp->err_data_reporting;
1150

1151
	return rp->status;
1152
}
1153

1154
static u8 hci_cc_pin_code_reply(struct hci_dev *hdev, void *data,
1155
				struct sk_buff *skb)
1156
{
1157
	struct hci_rp_pin_code_reply *rp = data;
1158
	struct hci_cp_pin_code_reply *cp;
1159
	struct hci_conn *conn;
1160

1161
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1162

1163
	hci_dev_lock(hdev);
1164

1165
	if (hci_dev_test_flag(hdev, HCI_MGMT))
1166
		mgmt_pin_code_reply_complete(hdev, &rp->bdaddr, rp->status);
1167

1168
	if (rp->status)
1169
		goto unlock;
1170

1171
	cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
1172
	if (!cp)
1173
		goto unlock;
1174

1175
	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
1176
	if (conn)
1177
		conn->pin_length = cp->pin_len;
1178

1179
unlock:
1180
	hci_dev_unlock(hdev);
1181
	return rp->status;
1182
}
1183

1184
static u8 hci_cc_pin_code_neg_reply(struct hci_dev *hdev, void *data,
1185
				    struct sk_buff *skb)
1186
{
1187
	struct hci_rp_pin_code_neg_reply *rp = data;
1188

1189
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1190

1191
	hci_dev_lock(hdev);
1192

1193
	if (hci_dev_test_flag(hdev, HCI_MGMT))
1194
		mgmt_pin_code_neg_reply_complete(hdev, &rp->bdaddr,
1195
						 rp->status);
1196

1197
	hci_dev_unlock(hdev);
1198

1199
	return rp->status;
1200
}
1201

1202
static u8 hci_cc_le_read_buffer_size(struct hci_dev *hdev, void *data,
1203
				     struct sk_buff *skb)
1204
{
1205
	struct hci_rp_le_read_buffer_size *rp = data;
1206

1207
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1208

1209
	if (rp->status)
1210
		return rp->status;
1211

1212
	hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
1213
	hdev->le_pkts = rp->le_max_pkt;
1214

1215
	hdev->le_cnt = hdev->le_pkts;
1216

1217
	BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
1218

1219
	if (hdev->le_mtu && hdev->le_mtu < HCI_MIN_LE_MTU)
1220
		return HCI_ERROR_INVALID_PARAMETERS;
1221

1222
	return rp->status;
1223
}
1224

1225
static u8 hci_cc_le_read_local_features(struct hci_dev *hdev, void *data,
1226
					struct sk_buff *skb)
1227
{
1228
	struct hci_rp_le_read_local_features *rp = data;
1229

1230
	BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
1231

1232
	if (rp->status)
1233
		return rp->status;
1234

1235
	memcpy(hdev->le_features, rp->features, 8);
1236

1237
	return rp->status;
1238
}
1239

1240
static u8 hci_cc_le_read_adv_tx_power(struct hci_dev *hdev, void *data,
1241
				      struct sk_buff *skb)
1242
{
1243
	struct hci_rp_le_read_adv_tx_power *rp = data;
1244

1245
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1246

1247
	if (rp->status)
1248
		return rp->status;
1249

1250
	hdev->adv_tx_power = rp->tx_power;
1251

1252
	return rp->status;
1253
}
1254

1255
static u8 hci_cc_user_confirm_reply(struct hci_dev *hdev, void *data,
1256
				    struct sk_buff *skb)
1257
{
1258
	struct hci_rp_user_confirm_reply *rp = data;
1259

1260
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1261

1262
	hci_dev_lock(hdev);
1263

1264
	if (hci_dev_test_flag(hdev, HCI_MGMT))
1265
		mgmt_user_confirm_reply_complete(hdev, &rp->bdaddr, ACL_LINK, 0,
1266
						 rp->status);
1267

1268
	hci_dev_unlock(hdev);
1269

1270
	return rp->status;
1271
}
1272

1273
static u8 hci_cc_user_confirm_neg_reply(struct hci_dev *hdev, void *data,
1274
					struct sk_buff *skb)
1275
{
1276
	struct hci_rp_user_confirm_reply *rp = data;
1277

1278
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1279

1280
	hci_dev_lock(hdev);
1281

1282
	if (hci_dev_test_flag(hdev, HCI_MGMT))
1283
		mgmt_user_confirm_neg_reply_complete(hdev, &rp->bdaddr,
1284
						     ACL_LINK, 0, rp->status);
1285

1286
	hci_dev_unlock(hdev);
1287

1288
	return rp->status;
1289
}
1290

1291
static u8 hci_cc_user_passkey_reply(struct hci_dev *hdev, void *data,
1292
				    struct sk_buff *skb)
1293
{
1294
	struct hci_rp_user_confirm_reply *rp = data;
1295

1296
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1297

1298
	hci_dev_lock(hdev);
1299

1300
	if (hci_dev_test_flag(hdev, HCI_MGMT))
1301
		mgmt_user_passkey_reply_complete(hdev, &rp->bdaddr, ACL_LINK,
1302
						 0, rp->status);
1303

1304
	hci_dev_unlock(hdev);
1305

1306
	return rp->status;
1307
}
1308

1309
static u8 hci_cc_user_passkey_neg_reply(struct hci_dev *hdev, void *data,
1310
					struct sk_buff *skb)
1311
{
1312
	struct hci_rp_user_confirm_reply *rp = data;
1313

1314
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1315

1316
	hci_dev_lock(hdev);
1317

1318
	if (hci_dev_test_flag(hdev, HCI_MGMT))
1319
		mgmt_user_passkey_neg_reply_complete(hdev, &rp->bdaddr,
1320
						     ACL_LINK, 0, rp->status);
1321

1322
	hci_dev_unlock(hdev);
1323

1324
	return rp->status;
1325
}
1326

1327
static u8 hci_cc_read_local_oob_data(struct hci_dev *hdev, void *data,
1328
				     struct sk_buff *skb)
1329
{
1330
	struct hci_rp_read_local_oob_data *rp = data;
1331

1332
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1333

1334
	return rp->status;
1335
}
1336

1337
static u8 hci_cc_read_local_oob_ext_data(struct hci_dev *hdev, void *data,
1338
					 struct sk_buff *skb)
1339
{
1340
	struct hci_rp_read_local_oob_ext_data *rp = data;
1341

1342
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1343

1344
	return rp->status;
1345
}
1346

1347
static u8 hci_cc_le_set_random_addr(struct hci_dev *hdev, void *data,
1348
				    struct sk_buff *skb)
1349
{
1350
	struct hci_ev_status *rp = data;
1351
	bdaddr_t *sent;
1352

1353
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1354

1355
	if (rp->status)
1356
		return rp->status;
1357

1358
	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_RANDOM_ADDR);
1359
	if (!sent)
1360
		return rp->status;
1361

1362
	hci_dev_lock(hdev);
1363

1364
	bacpy(&hdev->random_addr, sent);
1365

1366
	if (!bacmp(&hdev->rpa, sent)) {
1367
		hci_dev_clear_flag(hdev, HCI_RPA_EXPIRED);
1368
		queue_delayed_work(hdev->workqueue, &hdev->rpa_expired,
1369
				   secs_to_jiffies(hdev->rpa_timeout));
1370
	}
1371

1372
	hci_dev_unlock(hdev);
1373

1374
	return rp->status;
1375
}
1376

1377
static u8 hci_cc_le_set_default_phy(struct hci_dev *hdev, void *data,
1378
				    struct sk_buff *skb)
1379
{
1380
	struct hci_ev_status *rp = data;
1381
	struct hci_cp_le_set_default_phy *cp;
1382

1383
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1384

1385
	if (rp->status)
1386
		return rp->status;
1387

1388
	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_DEFAULT_PHY);
1389
	if (!cp)
1390
		return rp->status;
1391

1392
	hci_dev_lock(hdev);
1393

1394
	hdev->le_tx_def_phys = cp->tx_phys;
1395
	hdev->le_rx_def_phys = cp->rx_phys;
1396

1397
	hci_dev_unlock(hdev);
1398

1399
	return rp->status;
1400
}
1401

1402
static u8 hci_cc_le_set_adv_set_random_addr(struct hci_dev *hdev, void *data,
1403
					    struct sk_buff *skb)
1404
{
1405
	struct hci_ev_status *rp = data;
1406
	struct hci_cp_le_set_adv_set_rand_addr *cp;
1407
	struct adv_info *adv;
1408

1409
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1410

1411
	if (rp->status)
1412
		return rp->status;
1413

1414
	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_SET_RAND_ADDR);
1415
	/* Update only in case the adv instance since handle 0x00 shall be using
1416
	 * HCI_OP_LE_SET_RANDOM_ADDR since that allows both extended and
1417
	 * non-extended adverting.
1418
	 */
1419
	if (!cp || !cp->handle)
1420
		return rp->status;
1421

1422
	hci_dev_lock(hdev);
1423

1424
	adv = hci_find_adv_instance(hdev, cp->handle);
1425
	if (adv) {
1426
		bacpy(&adv->random_addr, &cp->bdaddr);
1427
		if (!bacmp(&hdev->rpa, &cp->bdaddr)) {
1428
			adv->rpa_expired = false;
1429
			queue_delayed_work(hdev->workqueue,
1430
					   &adv->rpa_expired_cb,
1431
					   secs_to_jiffies(hdev->rpa_timeout));
1432
		}
1433
	}
1434

1435
	hci_dev_unlock(hdev);
1436

1437
	return rp->status;
1438
}
1439

1440
static u8 hci_cc_le_remove_adv_set(struct hci_dev *hdev, void *data,
1441
				   struct sk_buff *skb)
1442
{
1443
	struct hci_ev_status *rp = data;
1444
	u8 *instance;
1445
	int err;
1446

1447
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1448

1449
	if (rp->status)
1450
		return rp->status;
1451

1452
	instance = hci_sent_cmd_data(hdev, HCI_OP_LE_REMOVE_ADV_SET);
1453
	if (!instance)
1454
		return rp->status;
1455

1456
	hci_dev_lock(hdev);
1457

1458
	err = hci_remove_adv_instance(hdev, *instance);
1459
	if (!err)
1460
		mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd), hdev,
1461
					 *instance);
1462

1463
	hci_dev_unlock(hdev);
1464

1465
	return rp->status;
1466
}
1467

1468
static u8 hci_cc_le_clear_adv_sets(struct hci_dev *hdev, void *data,
1469
				   struct sk_buff *skb)
1470
{
1471
	struct hci_ev_status *rp = data;
1472
	struct adv_info *adv, *n;
1473
	int err;
1474

1475
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1476

1477
	if (rp->status)
1478
		return rp->status;
1479

1480
	if (!hci_sent_cmd_data(hdev, HCI_OP_LE_CLEAR_ADV_SETS))
1481
		return rp->status;
1482

1483
	hci_dev_lock(hdev);
1484

1485
	list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) {
1486
		u8 instance = adv->instance;
1487

1488
		err = hci_remove_adv_instance(hdev, instance);
1489
		if (!err)
1490
			mgmt_advertising_removed(hci_skb_sk(hdev->sent_cmd),
1491
						 hdev, instance);
1492
	}
1493

1494
	hci_dev_unlock(hdev);
1495

1496
	return rp->status;
1497
}
1498

1499
static u8 hci_cc_le_read_transmit_power(struct hci_dev *hdev, void *data,
1500
					struct sk_buff *skb)
1501
{
1502
	struct hci_rp_le_read_transmit_power *rp = data;
1503

1504
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1505

1506
	if (rp->status)
1507
		return rp->status;
1508

1509
	hdev->min_le_tx_power = rp->min_le_tx_power;
1510
	hdev->max_le_tx_power = rp->max_le_tx_power;
1511

1512
	return rp->status;
1513
}
1514

1515
static u8 hci_cc_le_set_privacy_mode(struct hci_dev *hdev, void *data,
1516
				     struct sk_buff *skb)
1517
{
1518
	struct hci_ev_status *rp = data;
1519
	struct hci_cp_le_set_privacy_mode *cp;
1520
	struct hci_conn_params *params;
1521

1522
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1523

1524
	if (rp->status)
1525
		return rp->status;
1526

1527
	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PRIVACY_MODE);
1528
	if (!cp)
1529
		return rp->status;
1530

1531
	hci_dev_lock(hdev);
1532

1533
	params = hci_conn_params_lookup(hdev, &cp->bdaddr, cp->bdaddr_type);
1534
	if (params)
1535
		WRITE_ONCE(params->privacy_mode, cp->mode);
1536

1537
	hci_dev_unlock(hdev);
1538

1539
	return rp->status;
1540
}
1541

1542
static u8 hci_cc_le_set_adv_enable(struct hci_dev *hdev, void *data,
1543
				   struct sk_buff *skb)
1544
{
1545
	struct hci_ev_status *rp = data;
1546
	__u8 *sent;
1547

1548
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1549

1550
	if (rp->status)
1551
		return rp->status;
1552

1553
	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
1554
	if (!sent)
1555
		return rp->status;
1556

1557
	hci_dev_lock(hdev);
1558

1559
	/* If we're doing connection initiation as peripheral. Set a
1560
	 * timeout in case something goes wrong.
1561
	 */
1562
	if (*sent) {
1563
		struct hci_conn *conn;
1564

1565
		hci_dev_set_flag(hdev, HCI_LE_ADV);
1566

1567
		conn = hci_lookup_le_connect(hdev);
1568
		if (conn)
1569
			queue_delayed_work(hdev->workqueue,
1570
					   &conn->le_conn_timeout,
1571
					   conn->conn_timeout);
1572
	} else {
1573
		hci_dev_clear_flag(hdev, HCI_LE_ADV);
1574
	}
1575

1576
	hci_dev_unlock(hdev);
1577

1578
	return rp->status;
1579
}
1580

1581
static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data,
1582
				       struct sk_buff *skb)
1583
{
1584
	struct hci_cp_le_set_ext_adv_enable *cp;
1585
	struct hci_cp_ext_adv_set *set;
1586
	struct adv_info *adv = NULL, *n;
1587
	struct hci_ev_status *rp = data;
1588

1589
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1590

1591
	if (rp->status)
1592
		return rp->status;
1593

1594
	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE);
1595
	if (!cp)
1596
		return rp->status;
1597

1598
	set = (void *)cp->data;
1599

1600
	hci_dev_lock(hdev);
1601

1602
	if (cp->num_of_sets)
1603
		adv = hci_find_adv_instance(hdev, set->handle);
1604

1605
	if (cp->enable) {
1606
		struct hci_conn *conn;
1607

1608
		hci_dev_set_flag(hdev, HCI_LE_ADV);
1609

1610
		if (adv && !adv->periodic)
1611
			adv->enabled = true;
1612

1613
		conn = hci_lookup_le_connect(hdev);
1614
		if (conn)
1615
			queue_delayed_work(hdev->workqueue,
1616
					   &conn->le_conn_timeout,
1617
					   conn->conn_timeout);
1618
	} else {
1619
		if (cp->num_of_sets) {
1620
			if (adv)
1621
				adv->enabled = false;
1622

1623
			/* If just one instance was disabled check if there are
1624
			 * any other instance enabled before clearing HCI_LE_ADV
1625
			 */
1626
			list_for_each_entry_safe(adv, n, &hdev->adv_instances,
1627
						 list) {
1628
				if (adv->enabled)
1629
					goto unlock;
1630
			}
1631
		} else {
1632
			/* All instances shall be considered disabled */
1633
			list_for_each_entry_safe(adv, n, &hdev->adv_instances,
1634
						 list)
1635
				adv->enabled = false;
1636
		}
1637

1638
		hci_dev_clear_flag(hdev, HCI_LE_ADV);
1639
	}
1640

1641
unlock:
1642
	hci_dev_unlock(hdev);
1643
	return rp->status;
1644
}
1645

1646
static u8 hci_cc_le_set_scan_param(struct hci_dev *hdev, void *data,
1647
				   struct sk_buff *skb)
1648
{
1649
	struct hci_cp_le_set_scan_param *cp;
1650
	struct hci_ev_status *rp = data;
1651

1652
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1653

1654
	if (rp->status)
1655
		return rp->status;
1656

1657
	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_PARAM);
1658
	if (!cp)
1659
		return rp->status;
1660

1661
	hci_dev_lock(hdev);
1662

1663
	hdev->le_scan_type = cp->type;
1664

1665
	hci_dev_unlock(hdev);
1666

1667
	return rp->status;
1668
}
1669

1670
static u8 hci_cc_le_set_ext_scan_param(struct hci_dev *hdev, void *data,
1671
				       struct sk_buff *skb)
1672
{
1673
	struct hci_cp_le_set_ext_scan_params *cp;
1674
	struct hci_ev_status *rp = data;
1675
	struct hci_cp_le_scan_phy_params *phy_param;
1676

1677
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1678

1679
	if (rp->status)
1680
		return rp->status;
1681

1682
	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS);
1683
	if (!cp)
1684
		return rp->status;
1685

1686
	phy_param = (void *)cp->data;
1687

1688
	hci_dev_lock(hdev);
1689

1690
	hdev->le_scan_type = phy_param->type;
1691

1692
	hci_dev_unlock(hdev);
1693

1694
	return rp->status;
1695
}
1696

1697
static bool has_pending_adv_report(struct hci_dev *hdev)
1698
{
1699
	struct discovery_state *d = &hdev->discovery;
1700

1701
	return bacmp(&d->last_adv_addr, BDADDR_ANY);
1702
}
1703

1704
static void clear_pending_adv_report(struct hci_dev *hdev)
1705
{
1706
	struct discovery_state *d = &hdev->discovery;
1707

1708
	bacpy(&d->last_adv_addr, BDADDR_ANY);
1709
	d->last_adv_data_len = 0;
1710
}
1711

1712
static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
1713
				     u8 bdaddr_type, s8 rssi, u32 flags,
1714
				     u8 *data, u8 len)
1715
{
1716
	struct discovery_state *d = &hdev->discovery;
1717

1718
	if (len > max_adv_len(hdev))
1719
		return;
1720

1721
	bacpy(&d->last_adv_addr, bdaddr);
1722
	d->last_adv_addr_type = bdaddr_type;
1723
	d->last_adv_rssi = rssi;
1724
	d->last_adv_flags = flags;
1725
	memcpy(d->last_adv_data, data, len);
1726
	d->last_adv_data_len = len;
1727
}
1728

1729
static void le_set_scan_enable_complete(struct hci_dev *hdev, u8 enable)
1730
{
1731
	hci_dev_lock(hdev);
1732

1733
	switch (enable) {
1734
	case LE_SCAN_ENABLE:
1735
		hci_dev_set_flag(hdev, HCI_LE_SCAN);
1736
		if (hdev->le_scan_type == LE_SCAN_ACTIVE) {
1737
			clear_pending_adv_report(hdev);
1738
			hci_discovery_set_state(hdev, DISCOVERY_FINDING);
1739
		}
1740
		break;
1741

1742
	case LE_SCAN_DISABLE:
1743
		/* We do this here instead of when setting DISCOVERY_STOPPED
1744
		 * since the latter would potentially require waiting for
1745
		 * inquiry to stop too.
1746
		 */
1747
		if (has_pending_adv_report(hdev)) {
1748
			struct discovery_state *d = &hdev->discovery;
1749

1750
			mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
1751
					  d->last_adv_addr_type, NULL,
1752
					  d->last_adv_rssi, d->last_adv_flags,
1753
					  d->last_adv_data,
1754
					  d->last_adv_data_len, NULL, 0, 0);
1755
		}
1756

1757
		/* Cancel this timer so that we don't try to disable scanning
1758
		 * when it's already disabled.
1759
		 */
1760
		cancel_delayed_work(&hdev->le_scan_disable);
1761

1762
		hci_dev_clear_flag(hdev, HCI_LE_SCAN);
1763

1764
		/* The HCI_LE_SCAN_INTERRUPTED flag indicates that we
1765
		 * interrupted scanning due to a connect request. Mark
1766
		 * therefore discovery as stopped.
1767
		 */
1768
		if (hci_dev_test_and_clear_flag(hdev, HCI_LE_SCAN_INTERRUPTED))
1769
			hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
1770
		else if (!hci_dev_test_flag(hdev, HCI_LE_ADV) &&
1771
			 hdev->discovery.state == DISCOVERY_FINDING)
1772
			queue_work(hdev->workqueue, &hdev->reenable_adv_work);
1773

1774
		break;
1775

1776
	default:
1777
		bt_dev_err(hdev, "use of reserved LE_Scan_Enable param %d",
1778
			   enable);
1779
		break;
1780
	}
1781

1782
	hci_dev_unlock(hdev);
1783
}
1784

1785
static u8 hci_cc_le_set_scan_enable(struct hci_dev *hdev, void *data,
1786
				    struct sk_buff *skb)
1787
{
1788
	struct hci_cp_le_set_scan_enable *cp;
1789
	struct hci_ev_status *rp = data;
1790

1791
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1792

1793
	if (rp->status)
1794
		return rp->status;
1795

1796
	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_SCAN_ENABLE);
1797
	if (!cp)
1798
		return rp->status;
1799

1800
	le_set_scan_enable_complete(hdev, cp->enable);
1801

1802
	return rp->status;
1803
}
1804

1805
static u8 hci_cc_le_set_ext_scan_enable(struct hci_dev *hdev, void *data,
1806
					struct sk_buff *skb)
1807
{
1808
	struct hci_cp_le_set_ext_scan_enable *cp;
1809
	struct hci_ev_status *rp = data;
1810

1811
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1812

1813
	if (rp->status)
1814
		return rp->status;
1815

1816
	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_SCAN_ENABLE);
1817
	if (!cp)
1818
		return rp->status;
1819

1820
	le_set_scan_enable_complete(hdev, cp->enable);
1821

1822
	return rp->status;
1823
}
1824

1825
static u8 hci_cc_le_read_num_adv_sets(struct hci_dev *hdev, void *data,
1826
				      struct sk_buff *skb)
1827
{
1828
	struct hci_rp_le_read_num_supported_adv_sets *rp = data;
1829

1830
	bt_dev_dbg(hdev, "status 0x%2.2x No of Adv sets %u", rp->status,
1831
		   rp->num_of_sets);
1832

1833
	if (rp->status)
1834
		return rp->status;
1835

1836
	hdev->le_num_of_adv_sets = rp->num_of_sets;
1837

1838
	return rp->status;
1839
}
1840

1841
static u8 hci_cc_le_read_accept_list_size(struct hci_dev *hdev, void *data,
1842
					  struct sk_buff *skb)
1843
{
1844
	struct hci_rp_le_read_accept_list_size *rp = data;
1845

1846
	bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size);
1847

1848
	if (rp->status)
1849
		return rp->status;
1850

1851
	hdev->le_accept_list_size = rp->size;
1852

1853
	return rp->status;
1854
}
1855

1856
static u8 hci_cc_le_clear_accept_list(struct hci_dev *hdev, void *data,
1857
				      struct sk_buff *skb)
1858
{
1859
	struct hci_ev_status *rp = data;
1860

1861
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1862

1863
	if (rp->status)
1864
		return rp->status;
1865

1866
	hci_dev_lock(hdev);
1867
	hci_bdaddr_list_clear(&hdev->le_accept_list);
1868
	hci_dev_unlock(hdev);
1869

1870
	return rp->status;
1871
}
1872

1873
static u8 hci_cc_le_add_to_accept_list(struct hci_dev *hdev, void *data,
1874
				       struct sk_buff *skb)
1875
{
1876
	struct hci_cp_le_add_to_accept_list *sent;
1877
	struct hci_ev_status *rp = data;
1878

1879
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1880

1881
	if (rp->status)
1882
		return rp->status;
1883

1884
	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_ACCEPT_LIST);
1885
	if (!sent)
1886
		return rp->status;
1887

1888
	hci_dev_lock(hdev);
1889
	hci_bdaddr_list_add(&hdev->le_accept_list, &sent->bdaddr,
1890
			    sent->bdaddr_type);
1891
	hci_dev_unlock(hdev);
1892

1893
	return rp->status;
1894
}
1895

1896
static u8 hci_cc_le_del_from_accept_list(struct hci_dev *hdev, void *data,
1897
					 struct sk_buff *skb)
1898
{
1899
	struct hci_cp_le_del_from_accept_list *sent;
1900
	struct hci_ev_status *rp = data;
1901

1902
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1903

1904
	if (rp->status)
1905
		return rp->status;
1906

1907
	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_ACCEPT_LIST);
1908
	if (!sent)
1909
		return rp->status;
1910

1911
	hci_dev_lock(hdev);
1912
	hci_bdaddr_list_del(&hdev->le_accept_list, &sent->bdaddr,
1913
			    sent->bdaddr_type);
1914
	hci_dev_unlock(hdev);
1915

1916
	return rp->status;
1917
}
1918

1919
static u8 hci_cc_le_read_supported_states(struct hci_dev *hdev, void *data,
1920
					  struct sk_buff *skb)
1921
{
1922
	struct hci_rp_le_read_supported_states *rp = data;
1923

1924
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1925

1926
	if (rp->status)
1927
		return rp->status;
1928

1929
	memcpy(hdev->le_states, rp->le_states, 8);
1930

1931
	return rp->status;
1932
}
1933

1934
static u8 hci_cc_le_read_def_data_len(struct hci_dev *hdev, void *data,
1935
				      struct sk_buff *skb)
1936
{
1937
	struct hci_rp_le_read_def_data_len *rp = data;
1938

1939
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1940

1941
	if (rp->status)
1942
		return rp->status;
1943

1944
	hdev->le_def_tx_len = le16_to_cpu(rp->tx_len);
1945
	hdev->le_def_tx_time = le16_to_cpu(rp->tx_time);
1946

1947
	return rp->status;
1948
}
1949

1950
static u8 hci_cc_le_write_def_data_len(struct hci_dev *hdev, void *data,
1951
				       struct sk_buff *skb)
1952
{
1953
	struct hci_cp_le_write_def_data_len *sent;
1954
	struct hci_ev_status *rp = data;
1955

1956
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1957

1958
	if (rp->status)
1959
		return rp->status;
1960

1961
	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN);
1962
	if (!sent)
1963
		return rp->status;
1964

1965
	hdev->le_def_tx_len = le16_to_cpu(sent->tx_len);
1966
	hdev->le_def_tx_time = le16_to_cpu(sent->tx_time);
1967

1968
	return rp->status;
1969
}
1970

1971
static u8 hci_cc_le_add_to_resolv_list(struct hci_dev *hdev, void *data,
1972
				       struct sk_buff *skb)
1973
{
1974
	struct hci_cp_le_add_to_resolv_list *sent;
1975
	struct hci_ev_status *rp = data;
1976

1977
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
1978

1979
	if (rp->status)
1980
		return rp->status;
1981

1982
	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_RESOLV_LIST);
1983
	if (!sent)
1984
		return rp->status;
1985

1986
	hci_dev_lock(hdev);
1987
	hci_bdaddr_list_add_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
1988
				sent->bdaddr_type, sent->peer_irk,
1989
				sent->local_irk);
1990
	hci_dev_unlock(hdev);
1991

1992
	return rp->status;
1993
}
1994

1995
static u8 hci_cc_le_del_from_resolv_list(struct hci_dev *hdev, void *data,
1996
					 struct sk_buff *skb)
1997
{
1998
	struct hci_cp_le_del_from_resolv_list *sent;
1999
	struct hci_ev_status *rp = data;
2000

2001
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2002

2003
	if (rp->status)
2004
		return rp->status;
2005

2006
	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_DEL_FROM_RESOLV_LIST);
2007
	if (!sent)
2008
		return rp->status;
2009

2010
	hci_dev_lock(hdev);
2011
	hci_bdaddr_list_del_with_irk(&hdev->le_resolv_list, &sent->bdaddr,
2012
			    sent->bdaddr_type);
2013
	hci_dev_unlock(hdev);
2014

2015
	return rp->status;
2016
}
2017

2018
static u8 hci_cc_le_clear_resolv_list(struct hci_dev *hdev, void *data,
2019
				      struct sk_buff *skb)
2020
{
2021
	struct hci_ev_status *rp = data;
2022

2023
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2024

2025
	if (rp->status)
2026
		return rp->status;
2027

2028
	hci_dev_lock(hdev);
2029
	hci_bdaddr_list_clear(&hdev->le_resolv_list);
2030
	hci_dev_unlock(hdev);
2031

2032
	return rp->status;
2033
}
2034

2035
static u8 hci_cc_le_read_resolv_list_size(struct hci_dev *hdev, void *data,
2036
					  struct sk_buff *skb)
2037
{
2038
	struct hci_rp_le_read_resolv_list_size *rp = data;
2039

2040
	bt_dev_dbg(hdev, "status 0x%2.2x size %u", rp->status, rp->size);
2041

2042
	if (rp->status)
2043
		return rp->status;
2044

2045
	hdev->le_resolv_list_size = rp->size;
2046

2047
	return rp->status;
2048
}
2049

2050
static u8 hci_cc_le_set_addr_resolution_enable(struct hci_dev *hdev, void *data,
2051
					       struct sk_buff *skb)
2052
{
2053
	struct hci_ev_status *rp = data;
2054
	__u8 *sent;
2055

2056
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2057

2058
	if (rp->status)
2059
		return rp->status;
2060

2061
	sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE);
2062
	if (!sent)
2063
		return rp->status;
2064

2065
	hci_dev_lock(hdev);
2066

2067
	if (*sent)
2068
		hci_dev_set_flag(hdev, HCI_LL_RPA_RESOLUTION);
2069
	else
2070
		hci_dev_clear_flag(hdev, HCI_LL_RPA_RESOLUTION);
2071

2072
	hci_dev_unlock(hdev);
2073

2074
	return rp->status;
2075
}
2076

2077
static u8 hci_cc_le_read_max_data_len(struct hci_dev *hdev, void *data,
2078
				      struct sk_buff *skb)
2079
{
2080
	struct hci_rp_le_read_max_data_len *rp = data;
2081

2082
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2083

2084
	if (rp->status)
2085
		return rp->status;
2086

2087
	hdev->le_max_tx_len = le16_to_cpu(rp->tx_len);
2088
	hdev->le_max_tx_time = le16_to_cpu(rp->tx_time);
2089
	hdev->le_max_rx_len = le16_to_cpu(rp->rx_len);
2090
	hdev->le_max_rx_time = le16_to_cpu(rp->rx_time);
2091

2092
	return rp->status;
2093
}
2094

2095
static u8 hci_cc_write_le_host_supported(struct hci_dev *hdev, void *data,
2096
					 struct sk_buff *skb)
2097
{
2098
	struct hci_cp_write_le_host_supported *sent;
2099
	struct hci_ev_status *rp = data;
2100

2101
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2102

2103
	if (rp->status)
2104
		return rp->status;
2105

2106
	sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED);
2107
	if (!sent)
2108
		return rp->status;
2109

2110
	hci_dev_lock(hdev);
2111

2112
	if (sent->le) {
2113
		hdev->features[1][0] |= LMP_HOST_LE;
2114
		hci_dev_set_flag(hdev, HCI_LE_ENABLED);
2115
	} else {
2116
		hdev->features[1][0] &= ~LMP_HOST_LE;
2117
		hci_dev_clear_flag(hdev, HCI_LE_ENABLED);
2118
		hci_dev_clear_flag(hdev, HCI_ADVERTISING);
2119
	}
2120

2121
	if (sent->simul)
2122
		hdev->features[1][0] |= LMP_HOST_LE_BREDR;
2123
	else
2124
		hdev->features[1][0] &= ~LMP_HOST_LE_BREDR;
2125

2126
	hci_dev_unlock(hdev);
2127

2128
	return rp->status;
2129
}
2130

2131
static u8 hci_cc_set_adv_param(struct hci_dev *hdev, void *data,
2132
			       struct sk_buff *skb)
2133
{
2134
	struct hci_cp_le_set_adv_param *cp;
2135
	struct hci_ev_status *rp = data;
2136

2137
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2138

2139
	if (rp->status)
2140
		return rp->status;
2141

2142
	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
2143
	if (!cp)
2144
		return rp->status;
2145

2146
	hci_dev_lock(hdev);
2147
	hdev->adv_addr_type = cp->own_address_type;
2148
	hci_dev_unlock(hdev);
2149

2150
	return rp->status;
2151
}
2152

2153
static u8 hci_cc_read_rssi(struct hci_dev *hdev, void *data,
2154
			   struct sk_buff *skb)
2155
{
2156
	struct hci_rp_read_rssi *rp = data;
2157
	struct hci_conn *conn;
2158

2159
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2160

2161
	if (rp->status)
2162
		return rp->status;
2163

2164
	hci_dev_lock(hdev);
2165

2166
	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
2167
	if (conn)
2168
		conn->rssi = rp->rssi;
2169

2170
	hci_dev_unlock(hdev);
2171

2172
	return rp->status;
2173
}
2174

2175
static u8 hci_cc_read_tx_power(struct hci_dev *hdev, void *data,
2176
			       struct sk_buff *skb)
2177
{
2178
	struct hci_cp_read_tx_power *sent;
2179
	struct hci_rp_read_tx_power *rp = data;
2180
	struct hci_conn *conn;
2181

2182
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2183

2184
	if (rp->status)
2185
		return rp->status;
2186

2187
	sent = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
2188
	if (!sent)
2189
		return rp->status;
2190

2191
	hci_dev_lock(hdev);
2192

2193
	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(rp->handle));
2194
	if (!conn)
2195
		goto unlock;
2196

2197
	switch (sent->type) {
2198
	case 0x00:
2199
		conn->tx_power = rp->tx_power;
2200
		break;
2201
	case 0x01:
2202
		conn->max_tx_power = rp->tx_power;
2203
		break;
2204
	}
2205

2206
unlock:
2207
	hci_dev_unlock(hdev);
2208
	return rp->status;
2209
}
2210

2211
static u8 hci_cc_write_ssp_debug_mode(struct hci_dev *hdev, void *data,
2212
				      struct sk_buff *skb)
2213
{
2214
	struct hci_ev_status *rp = data;
2215
	u8 *mode;
2216

2217
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
2218

2219
	if (rp->status)
2220
		return rp->status;
2221

2222
	mode = hci_sent_cmd_data(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE);
2223
	if (mode)
2224
		hdev->ssp_debug_mode = *mode;
2225

2226
	return rp->status;
2227
}
2228

2229
static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
2230
{
2231
	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2232

2233
	if (status)
2234
		return;
2235

2236
	if (hci_sent_cmd_data(hdev, HCI_OP_INQUIRY))
2237
		set_bit(HCI_INQUIRY, &hdev->flags);
2238
}
2239

2240
static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
2241
{
2242
	struct hci_cp_create_conn *cp;
2243
	struct hci_conn *conn;
2244

2245
	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2246

2247
	cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_CONN);
2248
	if (!cp)
2249
		return;
2250

2251
	hci_dev_lock(hdev);
2252

2253
	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2254

2255
	bt_dev_dbg(hdev, "bdaddr %pMR hcon %p", &cp->bdaddr, conn);
2256

2257
	if (status) {
2258
		if (conn && conn->state == BT_CONNECT) {
2259
			conn->state = BT_CLOSED;
2260
			hci_connect_cfm(conn, status);
2261
			hci_conn_del(conn);
2262
		}
2263
	} else {
2264
		if (!conn) {
2265
			conn = hci_conn_add_unset(hdev, ACL_LINK, &cp->bdaddr,
2266
						  HCI_ROLE_MASTER);
2267
			if (IS_ERR(conn))
2268
				bt_dev_err(hdev, "connection err: %ld", PTR_ERR(conn));
2269
		}
2270
	}
2271

2272
	hci_dev_unlock(hdev);
2273
}
2274

2275
static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
2276
{
2277
	struct hci_cp_add_sco *cp;
2278
	struct hci_conn *acl;
2279
	struct hci_link *link;
2280
	__u16 handle;
2281

2282
	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2283

2284
	if (!status)
2285
		return;
2286

2287
	cp = hci_sent_cmd_data(hdev, HCI_OP_ADD_SCO);
2288
	if (!cp)
2289
		return;
2290

2291
	handle = __le16_to_cpu(cp->handle);
2292

2293
	bt_dev_dbg(hdev, "handle 0x%4.4x", handle);
2294

2295
	hci_dev_lock(hdev);
2296

2297
	acl = hci_conn_hash_lookup_handle(hdev, handle);
2298
	if (acl) {
2299
		link = list_first_entry_or_null(&acl->link_list,
2300
						struct hci_link, list);
2301
		if (link && link->conn) {
2302
			link->conn->state = BT_CLOSED;
2303

2304
			hci_connect_cfm(link->conn, status);
2305
			hci_conn_del(link->conn);
2306
		}
2307
	}
2308

2309
	hci_dev_unlock(hdev);
2310
}
2311

2312
static void hci_cs_auth_requested(struct hci_dev *hdev, __u8 status)
2313
{
2314
	struct hci_cp_auth_requested *cp;
2315
	struct hci_conn *conn;
2316

2317
	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2318

2319
	if (!status)
2320
		return;
2321

2322
	cp = hci_sent_cmd_data(hdev, HCI_OP_AUTH_REQUESTED);
2323
	if (!cp)
2324
		return;
2325

2326
	hci_dev_lock(hdev);
2327

2328
	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2329
	if (conn) {
2330
		if (conn->state == BT_CONFIG) {
2331
			hci_connect_cfm(conn, status);
2332
			hci_conn_drop(conn);
2333
		}
2334
	}
2335

2336
	hci_dev_unlock(hdev);
2337
}
2338

2339
static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
2340
{
2341
	struct hci_cp_set_conn_encrypt *cp;
2342
	struct hci_conn *conn;
2343

2344
	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2345

2346
	if (!status)
2347
		return;
2348

2349
	cp = hci_sent_cmd_data(hdev, HCI_OP_SET_CONN_ENCRYPT);
2350
	if (!cp)
2351
		return;
2352

2353
	hci_dev_lock(hdev);
2354

2355
	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2356
	if (conn) {
2357
		if (conn->state == BT_CONFIG) {
2358
			hci_connect_cfm(conn, status);
2359
			hci_conn_drop(conn);
2360
		}
2361
	}
2362

2363
	hci_dev_unlock(hdev);
2364
}
2365

2366
static int hci_outgoing_auth_needed(struct hci_dev *hdev,
2367
				    struct hci_conn *conn)
2368
{
2369
	if (conn->state != BT_CONFIG || !conn->out)
2370
		return 0;
2371

2372
	if (conn->pending_sec_level == BT_SECURITY_SDP)
2373
		return 0;
2374

2375
	/* Only request authentication for SSP connections or non-SSP
2376
	 * devices with sec_level MEDIUM or HIGH or if MITM protection
2377
	 * is requested.
2378
	 */
2379
	if (!hci_conn_ssp_enabled(conn) && !(conn->auth_type & 0x01) &&
2380
	    conn->pending_sec_level != BT_SECURITY_FIPS &&
2381
	    conn->pending_sec_level != BT_SECURITY_HIGH &&
2382
	    conn->pending_sec_level != BT_SECURITY_MEDIUM)
2383
		return 0;
2384

2385
	return 1;
2386
}
2387

2388
static int hci_resolve_name(struct hci_dev *hdev,
2389
				   struct inquiry_entry *e)
2390
{
2391
	struct hci_cp_remote_name_req cp;
2392

2393
	memset(&cp, 0, sizeof(cp));
2394

2395
	bacpy(&cp.bdaddr, &e->data.bdaddr);
2396
	cp.pscan_rep_mode = e->data.pscan_rep_mode;
2397
	cp.pscan_mode = e->data.pscan_mode;
2398
	cp.clock_offset = e->data.clock_offset;
2399

2400
	return hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
2401
}
2402

2403
static bool hci_resolve_next_name(struct hci_dev *hdev)
2404
{
2405
	struct discovery_state *discov = &hdev->discovery;
2406
	struct inquiry_entry *e;
2407

2408
	if (list_empty(&discov->resolve))
2409
		return false;
2410

2411
	/* We should stop if we already spent too much time resolving names. */
2412
	if (time_after(jiffies, discov->name_resolve_timeout)) {
2413
		bt_dev_warn_ratelimited(hdev, "Name resolve takes too long.");
2414
		return false;
2415
	}
2416

2417
	e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2418
	if (!e)
2419
		return false;
2420

2421
	if (hci_resolve_name(hdev, e) == 0) {
2422
		e->name_state = NAME_PENDING;
2423
		return true;
2424
	}
2425

2426
	return false;
2427
}
2428

2429
static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
2430
				   bdaddr_t *bdaddr, u8 *name, u8 name_len)
2431
{
2432
	struct discovery_state *discov = &hdev->discovery;
2433
	struct inquiry_entry *e;
2434

2435
	/* Update the mgmt connected state if necessary. Be careful with
2436
	 * conn objects that exist but are not (yet) connected however.
2437
	 * Only those in BT_CONFIG or BT_CONNECTED states can be
2438
	 * considered connected.
2439
	 */
2440
	if (conn && (conn->state == BT_CONFIG || conn->state == BT_CONNECTED))
2441
		mgmt_device_connected(hdev, conn, name, name_len);
2442

2443
	if (discov->state == DISCOVERY_STOPPED)
2444
		return;
2445

2446
	if (discov->state == DISCOVERY_STOPPING)
2447
		goto discov_complete;
2448

2449
	if (discov->state != DISCOVERY_RESOLVING)
2450
		return;
2451

2452
	e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
2453
	/* If the device was not found in a list of found devices names of which
2454
	 * are pending. there is no need to continue resolving a next name as it
2455
	 * will be done upon receiving another Remote Name Request Complete
2456
	 * Event */
2457
	if (!e)
2458
		return;
2459

2460
	list_del(&e->list);
2461

2462
	e->name_state = name ? NAME_KNOWN : NAME_NOT_KNOWN;
2463
	mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00, e->data.rssi,
2464
			 name, name_len);
2465

2466
	if (hci_resolve_next_name(hdev))
2467
		return;
2468

2469
discov_complete:
2470
	hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2471
}
2472

2473
static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
2474
{
2475
	struct hci_cp_remote_name_req *cp;
2476
	struct hci_conn *conn;
2477

2478
	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2479

2480
	/* If successful wait for the name req complete event before
2481
	 * checking for the need to do authentication */
2482
	if (!status)
2483
		return;
2484

2485
	cp = hci_sent_cmd_data(hdev, HCI_OP_REMOTE_NAME_REQ);
2486
	if (!cp)
2487
		return;
2488

2489
	hci_dev_lock(hdev);
2490

2491
	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2492

2493
	if (hci_dev_test_flag(hdev, HCI_MGMT))
2494
		hci_check_pending_name(hdev, conn, &cp->bdaddr, NULL, 0);
2495

2496
	if (!conn)
2497
		goto unlock;
2498

2499
	if (!hci_outgoing_auth_needed(hdev, conn))
2500
		goto unlock;
2501

2502
	if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
2503
		struct hci_cp_auth_requested auth_cp;
2504

2505
		set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
2506

2507
		auth_cp.handle = __cpu_to_le16(conn->handle);
2508
		hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED,
2509
			     sizeof(auth_cp), &auth_cp);
2510
	}
2511

2512
unlock:
2513
	hci_dev_unlock(hdev);
2514
}
2515

2516
static void hci_cs_read_remote_features(struct hci_dev *hdev, __u8 status)
2517
{
2518
	struct hci_cp_read_remote_features *cp;
2519
	struct hci_conn *conn;
2520

2521
	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2522

2523
	if (!status)
2524
		return;
2525

2526
	cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_FEATURES);
2527
	if (!cp)
2528
		return;
2529

2530
	hci_dev_lock(hdev);
2531

2532
	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2533
	if (conn) {
2534
		if (conn->state == BT_CONFIG) {
2535
			hci_connect_cfm(conn, status);
2536
			hci_conn_drop(conn);
2537
		}
2538
	}
2539

2540
	hci_dev_unlock(hdev);
2541
}
2542

2543
static void hci_cs_read_remote_ext_features(struct hci_dev *hdev, __u8 status)
2544
{
2545
	struct hci_cp_read_remote_ext_features *cp;
2546
	struct hci_conn *conn;
2547

2548
	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2549

2550
	if (!status)
2551
		return;
2552

2553
	cp = hci_sent_cmd_data(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES);
2554
	if (!cp)
2555
		return;
2556

2557
	hci_dev_lock(hdev);
2558

2559
	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2560
	if (conn) {
2561
		if (conn->state == BT_CONFIG) {
2562
			hci_connect_cfm(conn, status);
2563
			hci_conn_drop(conn);
2564
		}
2565
	}
2566

2567
	hci_dev_unlock(hdev);
2568
}
2569

2570
static void hci_setup_sync_conn_status(struct hci_dev *hdev, __u16 handle,
2571
				       __u8 status)
2572
{
2573
	struct hci_conn *acl;
2574
	struct hci_link *link;
2575

2576
	bt_dev_dbg(hdev, "handle 0x%4.4x status 0x%2.2x", handle, status);
2577

2578
	hci_dev_lock(hdev);
2579

2580
	acl = hci_conn_hash_lookup_handle(hdev, handle);
2581
	if (acl) {
2582
		link = list_first_entry_or_null(&acl->link_list,
2583
						struct hci_link, list);
2584
		if (link && link->conn) {
2585
			link->conn->state = BT_CLOSED;
2586

2587
			hci_connect_cfm(link->conn, status);
2588
			hci_conn_del(link->conn);
2589
		}
2590
	}
2591

2592
	hci_dev_unlock(hdev);
2593
}
2594

2595
static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2596
{
2597
	struct hci_cp_setup_sync_conn *cp;
2598

2599
	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2600

2601
	if (!status)
2602
		return;
2603

2604
	cp = hci_sent_cmd_data(hdev, HCI_OP_SETUP_SYNC_CONN);
2605
	if (!cp)
2606
		return;
2607

2608
	hci_setup_sync_conn_status(hdev, __le16_to_cpu(cp->handle), status);
2609
}
2610

2611
static void hci_cs_enhanced_setup_sync_conn(struct hci_dev *hdev, __u8 status)
2612
{
2613
	struct hci_cp_enhanced_setup_sync_conn *cp;
2614

2615
	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2616

2617
	if (!status)
2618
		return;
2619

2620
	cp = hci_sent_cmd_data(hdev, HCI_OP_ENHANCED_SETUP_SYNC_CONN);
2621
	if (!cp)
2622
		return;
2623

2624
	hci_setup_sync_conn_status(hdev, __le16_to_cpu(cp->handle), status);
2625
}
2626

2627
static void hci_cs_sniff_mode(struct hci_dev *hdev, __u8 status)
2628
{
2629
	struct hci_cp_sniff_mode *cp;
2630
	struct hci_conn *conn;
2631

2632
	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2633

2634
	if (!status)
2635
		return;
2636

2637
	cp = hci_sent_cmd_data(hdev, HCI_OP_SNIFF_MODE);
2638
	if (!cp)
2639
		return;
2640

2641
	hci_dev_lock(hdev);
2642

2643
	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2644
	if (conn) {
2645
		clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2646

2647
		if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2648
			hci_sco_setup(conn, status);
2649
	}
2650

2651
	hci_dev_unlock(hdev);
2652
}
2653

2654
static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
2655
{
2656
	struct hci_cp_exit_sniff_mode *cp;
2657
	struct hci_conn *conn;
2658

2659
	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2660

2661
	if (!status)
2662
		return;
2663

2664
	cp = hci_sent_cmd_data(hdev, HCI_OP_EXIT_SNIFF_MODE);
2665
	if (!cp)
2666
		return;
2667

2668
	hci_dev_lock(hdev);
2669

2670
	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2671
	if (conn) {
2672
		clear_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags);
2673

2674
		if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
2675
			hci_sco_setup(conn, status);
2676
	}
2677

2678
	hci_dev_unlock(hdev);
2679
}
2680

2681
static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
2682
{
2683
	struct hci_cp_disconnect *cp;
2684
	struct hci_conn_params *params;
2685
	struct hci_conn *conn;
2686
	bool mgmt_conn;
2687

2688
	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2689

2690
	/* Wait for HCI_EV_DISCONN_COMPLETE if status 0x00 and not suspended
2691
	 * otherwise cleanup the connection immediately.
2692
	 */
2693
	if (!status && !hdev->suspended)
2694
		return;
2695

2696
	cp = hci_sent_cmd_data(hdev, HCI_OP_DISCONNECT);
2697
	if (!cp)
2698
		return;
2699

2700
	hci_dev_lock(hdev);
2701

2702
	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2703
	if (!conn)
2704
		goto unlock;
2705

2706
	if (status && status != HCI_ERROR_UNKNOWN_CONN_ID) {
2707
		mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
2708
				       conn->dst_type, status);
2709

2710
		if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) {
2711
			hdev->cur_adv_instance = conn->adv_instance;
2712
			hci_enable_advertising(hdev);
2713
		}
2714

2715
		/* Inform sockets conn is gone before we delete it */
2716
		hci_disconn_cfm(conn, HCI_ERROR_UNSPECIFIED);
2717

2718
		goto done;
2719
	}
2720

2721
	/* During suspend, mark connection as closed immediately
2722
	 * since we might not receive HCI_EV_DISCONN_COMPLETE
2723
	 */
2724
	if (hdev->suspended)
2725
		conn->state = BT_CLOSED;
2726

2727
	mgmt_conn = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
2728

2729
	if (conn->type == ACL_LINK) {
2730
		if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
2731
			hci_remove_link_key(hdev, &conn->dst);
2732
	}
2733

2734
	params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
2735
	if (params) {
2736
		switch (params->auto_connect) {
2737
		case HCI_AUTO_CONN_LINK_LOSS:
2738
			if (cp->reason != HCI_ERROR_CONNECTION_TIMEOUT)
2739
				break;
2740
			fallthrough;
2741

2742
		case HCI_AUTO_CONN_DIRECT:
2743
		case HCI_AUTO_CONN_ALWAYS:
2744
			hci_pend_le_list_del_init(params);
2745
			hci_pend_le_list_add(params, &hdev->pend_le_conns);
2746
			break;
2747

2748
		default:
2749
			break;
2750
		}
2751
	}
2752

2753
	mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
2754
				 cp->reason, mgmt_conn);
2755

2756
	hci_disconn_cfm(conn, cp->reason);
2757

2758
done:
2759
	/* If the disconnection failed for any reason, the upper layer
2760
	 * does not retry to disconnect in current implementation.
2761
	 * Hence, we need to do some basic cleanup here and re-enable
2762
	 * advertising if necessary.
2763
	 */
2764
	hci_conn_del(conn);
2765
unlock:
2766
	hci_dev_unlock(hdev);
2767
}
2768

2769
static u8 ev_bdaddr_type(struct hci_dev *hdev, u8 type, bool *resolved)
2770
{
2771
	/* When using controller based address resolution, then the new
2772
	 * address types 0x02 and 0x03 are used. These types need to be
2773
	 * converted back into either public address or random address type
2774
	 */
2775
	switch (type) {
2776
	case ADDR_LE_DEV_PUBLIC_RESOLVED:
2777
		if (resolved)
2778
			*resolved = true;
2779
		return ADDR_LE_DEV_PUBLIC;
2780
	case ADDR_LE_DEV_RANDOM_RESOLVED:
2781
		if (resolved)
2782
			*resolved = true;
2783
		return ADDR_LE_DEV_RANDOM;
2784
	}
2785

2786
	if (resolved)
2787
		*resolved = false;
2788
	return type;
2789
}
2790

2791
static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr,
2792
			      u8 peer_addr_type, u8 own_address_type,
2793
			      u8 filter_policy)
2794
{
2795
	struct hci_conn *conn;
2796

2797
	conn = hci_conn_hash_lookup_le(hdev, peer_addr,
2798
				       peer_addr_type);
2799
	if (!conn)
2800
		return;
2801

2802
	own_address_type = ev_bdaddr_type(hdev, own_address_type, NULL);
2803

2804
	/* Store the initiator and responder address information which
2805
	 * is needed for SMP. These values will not change during the
2806
	 * lifetime of the connection.
2807
	 */
2808
	conn->init_addr_type = own_address_type;
2809
	if (own_address_type == ADDR_LE_DEV_RANDOM)
2810
		bacpy(&conn->init_addr, &hdev->random_addr);
2811
	else
2812
		bacpy(&conn->init_addr, &hdev->bdaddr);
2813

2814
	conn->resp_addr_type = peer_addr_type;
2815
	bacpy(&conn->resp_addr, peer_addr);
2816
}
2817

2818
static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
2819
{
2820
	struct hci_cp_le_create_conn *cp;
2821

2822
	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2823

2824
	/* All connection failure handling is taken care of by the
2825
	 * hci_conn_failed function which is triggered by the HCI
2826
	 * request completion callbacks used for connecting.
2827
	 */
2828
	if (status)
2829
		return;
2830

2831
	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
2832
	if (!cp)
2833
		return;
2834

2835
	hci_dev_lock(hdev);
2836

2837
	cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2838
			  cp->own_address_type, cp->filter_policy);
2839

2840
	hci_dev_unlock(hdev);
2841
}
2842

2843
static void hci_cs_le_ext_create_conn(struct hci_dev *hdev, u8 status)
2844
{
2845
	struct hci_cp_le_ext_create_conn *cp;
2846

2847
	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2848

2849
	/* All connection failure handling is taken care of by the
2850
	 * hci_conn_failed function which is triggered by the HCI
2851
	 * request completion callbacks used for connecting.
2852
	 */
2853
	if (status)
2854
		return;
2855

2856
	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_EXT_CREATE_CONN);
2857
	if (!cp)
2858
		return;
2859

2860
	hci_dev_lock(hdev);
2861

2862
	cs_le_create_conn(hdev, &cp->peer_addr, cp->peer_addr_type,
2863
			  cp->own_addr_type, cp->filter_policy);
2864

2865
	hci_dev_unlock(hdev);
2866
}
2867

2868
static void hci_cs_le_read_remote_features(struct hci_dev *hdev, u8 status)
2869
{
2870
	struct hci_cp_le_read_remote_features *cp;
2871
	struct hci_conn *conn;
2872

2873
	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2874

2875
	if (!status)
2876
		return;
2877

2878
	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_READ_REMOTE_FEATURES);
2879
	if (!cp)
2880
		return;
2881

2882
	hci_dev_lock(hdev);
2883

2884
	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2885
	if (conn) {
2886
		if (conn->state == BT_CONFIG) {
2887
			hci_connect_cfm(conn, status);
2888
			hci_conn_drop(conn);
2889
		}
2890
	}
2891

2892
	hci_dev_unlock(hdev);
2893
}
2894

2895
static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
2896
{
2897
	struct hci_cp_le_start_enc *cp;
2898
	struct hci_conn *conn;
2899

2900
	bt_dev_dbg(hdev, "status 0x%2.2x", status);
2901

2902
	if (!status)
2903
		return;
2904

2905
	hci_dev_lock(hdev);
2906

2907
	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_START_ENC);
2908
	if (!cp)
2909
		goto unlock;
2910

2911
	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
2912
	if (!conn)
2913
		goto unlock;
2914

2915
	if (conn->state != BT_CONNECTED)
2916
		goto unlock;
2917

2918
	hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
2919
	hci_conn_drop(conn);
2920

2921
unlock:
2922
	hci_dev_unlock(hdev);
2923
}
2924

2925
static void hci_cs_switch_role(struct hci_dev *hdev, u8 status)
2926
{
2927
	struct hci_cp_switch_role *cp;
2928
	struct hci_conn *conn;
2929

2930
	BT_DBG("%s status 0x%2.2x", hdev->name, status);
2931

2932
	if (!status)
2933
		return;
2934

2935
	cp = hci_sent_cmd_data(hdev, HCI_OP_SWITCH_ROLE);
2936
	if (!cp)
2937
		return;
2938

2939
	hci_dev_lock(hdev);
2940

2941
	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
2942
	if (conn)
2943
		clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
2944

2945
	hci_dev_unlock(hdev);
2946
}
2947

2948
static void hci_inquiry_complete_evt(struct hci_dev *hdev, void *data,
2949
				     struct sk_buff *skb)
2950
{
2951
	struct hci_ev_status *ev = data;
2952
	struct discovery_state *discov = &hdev->discovery;
2953
	struct inquiry_entry *e;
2954

2955
	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
2956

2957
	if (!test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
2958
		return;
2959

2960
	smp_mb__after_atomic(); /* wake_up_bit advises about this barrier */
2961
	wake_up_bit(&hdev->flags, HCI_INQUIRY);
2962

2963
	if (!hci_dev_test_flag(hdev, HCI_MGMT))
2964
		return;
2965

2966
	hci_dev_lock(hdev);
2967

2968
	if (discov->state != DISCOVERY_FINDING)
2969
		goto unlock;
2970

2971
	if (list_empty(&discov->resolve)) {
2972
		/* When BR/EDR inquiry is active and no LE scanning is in
2973
		 * progress, then change discovery state to indicate completion.
2974
		 *
2975
		 * When running LE scanning and BR/EDR inquiry simultaneously
2976
		 * and the LE scan already finished, then change the discovery
2977
		 * state to indicate completion.
2978
		 */
2979
		if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2980
		    !hci_test_quirk(hdev, HCI_QUIRK_SIMULTANEOUS_DISCOVERY))
2981
			hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
2982
		goto unlock;
2983
	}
2984

2985
	e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
2986
	if (e && hci_resolve_name(hdev, e) == 0) {
2987
		e->name_state = NAME_PENDING;
2988
		hci_discovery_set_state(hdev, DISCOVERY_RESOLVING);
2989
		discov->name_resolve_timeout = jiffies + NAME_RESOLVE_DURATION;
2990
	} else {
2991
		/* When BR/EDR inquiry is active and no LE scanning is in
2992
		 * progress, then change discovery state to indicate completion.
2993
		 *
2994
		 * When running LE scanning and BR/EDR inquiry simultaneously
2995
		 * and the LE scan already finished, then change the discovery
2996
		 * state to indicate completion.
2997
		 */
2998
		if (!hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2999
		    !hci_test_quirk(hdev, HCI_QUIRK_SIMULTANEOUS_DISCOVERY))
3000
			hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
3001
	}
3002

3003
unlock:
3004
	hci_dev_unlock(hdev);
3005
}
3006

3007
static void hci_inquiry_result_evt(struct hci_dev *hdev, void *edata,
3008
				   struct sk_buff *skb)
3009
{
3010
	struct hci_ev_inquiry_result *ev = edata;
3011
	struct inquiry_data data;
3012
	int i;
3013

3014
	if (!hci_ev_skb_pull(hdev, skb, HCI_EV_INQUIRY_RESULT,
3015
			     flex_array_size(ev, info, ev->num)))
3016
		return;
3017

3018
	bt_dev_dbg(hdev, "num %d", ev->num);
3019

3020
	if (!ev->num)
3021
		return;
3022

3023
	if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
3024
		return;
3025

3026
	hci_dev_lock(hdev);
3027

3028
	for (i = 0; i < ev->num; i++) {
3029
		struct inquiry_info *info = &ev->info[i];
3030
		u32 flags;
3031

3032
		bacpy(&data.bdaddr, &info->bdaddr);
3033
		data.pscan_rep_mode	= info->pscan_rep_mode;
3034
		data.pscan_period_mode	= info->pscan_period_mode;
3035
		data.pscan_mode		= info->pscan_mode;
3036
		memcpy(data.dev_class, info->dev_class, 3);
3037
		data.clock_offset	= info->clock_offset;
3038
		data.rssi		= HCI_RSSI_INVALID;
3039
		data.ssp_mode		= 0x00;
3040

3041
		flags = hci_inquiry_cache_update(hdev, &data, false);
3042

3043
		mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
3044
				  info->dev_class, HCI_RSSI_INVALID,
3045
				  flags, NULL, 0, NULL, 0, 0);
3046
	}
3047

3048
	hci_dev_unlock(hdev);
3049
}
3050

3051
static int hci_read_enc_key_size(struct hci_dev *hdev, struct hci_conn *conn)
3052
{
3053
	struct hci_cp_read_enc_key_size cp;
3054
	u8 *key_enc_size = hci_conn_key_enc_size(conn);
3055

3056
	if (!read_key_size_capable(hdev)) {
3057
		conn->enc_key_size = HCI_LINK_KEY_SIZE;
3058
		return -EOPNOTSUPP;
3059
	}
3060

3061
	bt_dev_dbg(hdev, "hcon %p", conn);
3062

3063
	memset(&cp, 0, sizeof(cp));
3064
	cp.handle = cpu_to_le16(conn->handle);
3065

3066
	/* If the key enc_size is already known, use it as conn->enc_key_size,
3067
	 * otherwise use hdev->min_enc_key_size so the likes of
3068
	 * l2cap_check_enc_key_size don't fail while waiting for
3069
	 * HCI_OP_READ_ENC_KEY_SIZE response.
3070
	 */
3071
	if (key_enc_size && *key_enc_size)
3072
		conn->enc_key_size = *key_enc_size;
3073
	else
3074
		conn->enc_key_size = hdev->min_enc_key_size;
3075

3076
	return hci_send_cmd(hdev, HCI_OP_READ_ENC_KEY_SIZE, sizeof(cp), &cp);
3077
}
3078

3079
static void hci_conn_complete_evt(struct hci_dev *hdev, void *data,
3080
				  struct sk_buff *skb)
3081
{
3082
	struct hci_ev_conn_complete *ev = data;
3083
	struct hci_conn *conn;
3084
	u8 status = ev->status;
3085

3086
	bt_dev_dbg(hdev, "status 0x%2.2x", status);
3087

3088
	hci_dev_lock(hdev);
3089

3090
	conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
3091
	if (!conn) {
3092
		/* In case of error status and there is no connection pending
3093
		 * just unlock as there is nothing to cleanup.
3094
		 */
3095
		if (ev->status)
3096
			goto unlock;
3097

3098
		/* Connection may not exist if auto-connected. Check the bredr
3099
		 * allowlist to see if this device is allowed to auto connect.
3100
		 * If link is an ACL type, create a connection class
3101
		 * automatically.
3102
		 *
3103
		 * Auto-connect will only occur if the event filter is
3104
		 * programmed with a given address. Right now, event filter is
3105
		 * only used during suspend.
3106
		 */
3107
		if (ev->link_type == ACL_LINK &&
3108
		    hci_bdaddr_list_lookup_with_flags(&hdev->accept_list,
3109
						      &ev->bdaddr,
3110
						      BDADDR_BREDR)) {
3111
			conn = hci_conn_add_unset(hdev, ev->link_type,
3112
						  &ev->bdaddr, HCI_ROLE_SLAVE);
3113
			if (IS_ERR(conn)) {
3114
				bt_dev_err(hdev, "connection err: %ld", PTR_ERR(conn));
3115
				goto unlock;
3116
			}
3117
		} else {
3118
			if (ev->link_type != SCO_LINK)
3119
				goto unlock;
3120

3121
			conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK,
3122
						       &ev->bdaddr);
3123
			if (!conn)
3124
				goto unlock;
3125

3126
			conn->type = SCO_LINK;
3127
		}
3128
	}
3129

3130
	/* The HCI_Connection_Complete event is only sent once per connection.
3131
	 * Processing it more than once per connection can corrupt kernel memory.
3132
	 *
3133
	 * As the connection handle is set here for the first time, it indicates
3134
	 * whether the connection is already set up.
3135
	 */
3136
	if (!HCI_CONN_HANDLE_UNSET(conn->handle)) {
3137
		bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection");
3138
		goto unlock;
3139
	}
3140

3141
	if (!status) {
3142
		status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle));
3143
		if (status)
3144
			goto done;
3145

3146
		if (conn->type == ACL_LINK) {
3147
			conn->state = BT_CONFIG;
3148
			hci_conn_hold(conn);
3149

3150
			if (!conn->out && !hci_conn_ssp_enabled(conn) &&
3151
			    !hci_find_link_key(hdev, &ev->bdaddr))
3152
				conn->disc_timeout = HCI_PAIRING_TIMEOUT;
3153
			else
3154
				conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3155
		} else
3156
			conn->state = BT_CONNECTED;
3157

3158
		hci_debugfs_create_conn(conn);
3159
		hci_conn_add_sysfs(conn);
3160

3161
		if (test_bit(HCI_AUTH, &hdev->flags))
3162
			set_bit(HCI_CONN_AUTH, &conn->flags);
3163

3164
		if (test_bit(HCI_ENCRYPT, &hdev->flags))
3165
			set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3166

3167
		/* "Link key request" completed ahead of "connect request" completes */
3168
		if (ev->encr_mode == 1 && !test_bit(HCI_CONN_ENCRYPT, &conn->flags) &&
3169
		    ev->link_type == ACL_LINK) {
3170
			struct link_key *key;
3171

3172
			key = hci_find_link_key(hdev, &ev->bdaddr);
3173
			if (key) {
3174
				set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3175
				hci_read_enc_key_size(hdev, conn);
3176
				hci_encrypt_cfm(conn, ev->status);
3177
			}
3178
		}
3179

3180
		/* Get remote features */
3181
		if (conn->type == ACL_LINK) {
3182
			struct hci_cp_read_remote_features cp;
3183
			cp.handle = ev->handle;
3184
			hci_send_cmd(hdev, HCI_OP_READ_REMOTE_FEATURES,
3185
				     sizeof(cp), &cp);
3186

3187
			hci_update_scan(hdev);
3188
		}
3189

3190
		/* Set packet type for incoming connection */
3191
		if (!conn->out && hdev->hci_ver < BLUETOOTH_VER_2_0) {
3192
			struct hci_cp_change_conn_ptype cp;
3193
			cp.handle = ev->handle;
3194
			cp.pkt_type = cpu_to_le16(conn->pkt_type);
3195
			hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE, sizeof(cp),
3196
				     &cp);
3197
		}
3198
	}
3199

3200
	if (conn->type == ACL_LINK)
3201
		hci_sco_setup(conn, ev->status);
3202

3203
done:
3204
	if (status) {
3205
		hci_conn_failed(conn, status);
3206
	} else if (ev->link_type == SCO_LINK) {
3207
		switch (conn->setting & SCO_AIRMODE_MASK) {
3208
		case SCO_AIRMODE_CVSD:
3209
			if (hdev->notify)
3210
				hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
3211
			break;
3212
		}
3213

3214
		hci_connect_cfm(conn, status);
3215
	}
3216

3217
unlock:
3218
	hci_dev_unlock(hdev);
3219
}
3220

3221
static void hci_reject_conn(struct hci_dev *hdev, bdaddr_t *bdaddr)
3222
{
3223
	struct hci_cp_reject_conn_req cp;
3224

3225
	bacpy(&cp.bdaddr, bdaddr);
3226
	cp.reason = HCI_ERROR_REJ_BAD_ADDR;
3227
	hci_send_cmd(hdev, HCI_OP_REJECT_CONN_REQ, sizeof(cp), &cp);
3228
}
3229

3230
static void hci_conn_request_evt(struct hci_dev *hdev, void *data,
3231
				 struct sk_buff *skb)
3232
{
3233
	struct hci_ev_conn_request *ev = data;
3234
	int mask = hdev->link_mode;
3235
	struct inquiry_entry *ie;
3236
	struct hci_conn *conn;
3237
	__u8 flags = 0;
3238

3239
	bt_dev_dbg(hdev, "bdaddr %pMR type 0x%x", &ev->bdaddr, ev->link_type);
3240

3241
	/* Reject incoming connection from device with same BD ADDR against
3242
	 * CVE-2020-26555
3243
	 */
3244
	if (hdev && !bacmp(&hdev->bdaddr, &ev->bdaddr)) {
3245
		bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
3246
			   &ev->bdaddr);
3247
		hci_reject_conn(hdev, &ev->bdaddr);
3248
		return;
3249
	}
3250

3251
	mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
3252
				      &flags);
3253

3254
	if (!(mask & HCI_LM_ACCEPT)) {
3255
		hci_reject_conn(hdev, &ev->bdaddr);
3256
		return;
3257
	}
3258

3259
	hci_dev_lock(hdev);
3260

3261
	if (hci_bdaddr_list_lookup(&hdev->reject_list, &ev->bdaddr,
3262
				   BDADDR_BREDR)) {
3263
		hci_reject_conn(hdev, &ev->bdaddr);
3264
		goto unlock;
3265
	}
3266

3267
	/* Require HCI_CONNECTABLE or an accept list entry to accept the
3268
	 * connection. These features are only touched through mgmt so
3269
	 * only do the checks if HCI_MGMT is set.
3270
	 */
3271
	if (hci_dev_test_flag(hdev, HCI_MGMT) &&
3272
	    !hci_dev_test_flag(hdev, HCI_CONNECTABLE) &&
3273
	    !hci_bdaddr_list_lookup_with_flags(&hdev->accept_list, &ev->bdaddr,
3274
					       BDADDR_BREDR)) {
3275
		hci_reject_conn(hdev, &ev->bdaddr);
3276
		goto unlock;
3277
	}
3278

3279
	/* Connection accepted */
3280

3281
	ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
3282
	if (ie)
3283
		memcpy(ie->data.dev_class, ev->dev_class, 3);
3284

3285
	conn = hci_conn_hash_lookup_ba(hdev, ev->link_type,
3286
			&ev->bdaddr);
3287
	if (!conn) {
3288
		conn = hci_conn_add_unset(hdev, ev->link_type, &ev->bdaddr,
3289
					  HCI_ROLE_SLAVE);
3290
		if (IS_ERR(conn)) {
3291
			bt_dev_err(hdev, "connection err: %ld", PTR_ERR(conn));
3292
			goto unlock;
3293
		}
3294
	}
3295

3296
	memcpy(conn->dev_class, ev->dev_class, 3);
3297

3298
	hci_dev_unlock(hdev);
3299

3300
	if (ev->link_type == ACL_LINK ||
3301
	    (!(flags & HCI_PROTO_DEFER) && !lmp_esco_capable(hdev))) {
3302
		struct hci_cp_accept_conn_req cp;
3303
		conn->state = BT_CONNECT;
3304

3305
		bacpy(&cp.bdaddr, &ev->bdaddr);
3306

3307
		if (lmp_rswitch_capable(hdev) && (mask & HCI_LM_MASTER))
3308
			cp.role = 0x00; /* Become central */
3309
		else
3310
			cp.role = 0x01; /* Remain peripheral */
3311

3312
		hci_send_cmd(hdev, HCI_OP_ACCEPT_CONN_REQ, sizeof(cp), &cp);
3313
	} else if (!(flags & HCI_PROTO_DEFER)) {
3314
		struct hci_cp_accept_sync_conn_req cp;
3315
		conn->state = BT_CONNECT;
3316

3317
		bacpy(&cp.bdaddr, &ev->bdaddr);
3318
		cp.pkt_type = cpu_to_le16(conn->pkt_type);
3319

3320
		cp.tx_bandwidth   = cpu_to_le32(0x00001f40);
3321
		cp.rx_bandwidth   = cpu_to_le32(0x00001f40);
3322
		cp.max_latency    = cpu_to_le16(0xffff);
3323
		cp.content_format = cpu_to_le16(hdev->voice_setting);
3324
		cp.retrans_effort = 0xff;
3325

3326
		hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, sizeof(cp),
3327
			     &cp);
3328
	} else {
3329
		conn->state = BT_CONNECT2;
3330
		hci_connect_cfm(conn, 0);
3331
	}
3332

3333
	return;
3334
unlock:
3335
	hci_dev_unlock(hdev);
3336
}
3337

3338
static u8 hci_to_mgmt_reason(u8 err)
3339
{
3340
	switch (err) {
3341
	case HCI_ERROR_CONNECTION_TIMEOUT:
3342
		return MGMT_DEV_DISCONN_TIMEOUT;
3343
	case HCI_ERROR_REMOTE_USER_TERM:
3344
	case HCI_ERROR_REMOTE_LOW_RESOURCES:
3345
	case HCI_ERROR_REMOTE_POWER_OFF:
3346
		return MGMT_DEV_DISCONN_REMOTE;
3347
	case HCI_ERROR_LOCAL_HOST_TERM:
3348
		return MGMT_DEV_DISCONN_LOCAL_HOST;
3349
	default:
3350
		return MGMT_DEV_DISCONN_UNKNOWN;
3351
	}
3352
}
3353

3354
static void hci_disconn_complete_evt(struct hci_dev *hdev, void *data,
3355
				     struct sk_buff *skb)
3356
{
3357
	struct hci_ev_disconn_complete *ev = data;
3358
	u8 reason;
3359
	struct hci_conn_params *params;
3360
	struct hci_conn *conn;
3361
	bool mgmt_connected;
3362

3363
	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3364

3365
	hci_dev_lock(hdev);
3366

3367
	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3368
	if (!conn)
3369
		goto unlock;
3370

3371
	if (ev->status) {
3372
		mgmt_disconnect_failed(hdev, &conn->dst, conn->type,
3373
				       conn->dst_type, ev->status);
3374
		goto unlock;
3375
	}
3376

3377
	conn->state = BT_CLOSED;
3378

3379
	mgmt_connected = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags);
3380

3381
	if (test_bit(HCI_CONN_AUTH_FAILURE, &conn->flags))
3382
		reason = MGMT_DEV_DISCONN_AUTH_FAILURE;
3383
	else
3384
		reason = hci_to_mgmt_reason(ev->reason);
3385

3386
	mgmt_device_disconnected(hdev, &conn->dst, conn->type, conn->dst_type,
3387
				reason, mgmt_connected);
3388

3389
	if (conn->type == ACL_LINK) {
3390
		if (test_and_clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags))
3391
			hci_remove_link_key(hdev, &conn->dst);
3392

3393
		hci_update_scan(hdev);
3394
	}
3395

3396
	/* Re-enable passive scanning if disconnected device is marked
3397
	 * as auto-connectable.
3398
	 */
3399
	if (conn->type == LE_LINK) {
3400
		params = hci_conn_params_lookup(hdev, &conn->dst,
3401
						conn->dst_type);
3402
		if (params) {
3403
			switch (params->auto_connect) {
3404
			case HCI_AUTO_CONN_LINK_LOSS:
3405
				if (ev->reason != HCI_ERROR_CONNECTION_TIMEOUT)
3406
					break;
3407
				fallthrough;
3408

3409
			case HCI_AUTO_CONN_DIRECT:
3410
			case HCI_AUTO_CONN_ALWAYS:
3411
				hci_pend_le_list_del_init(params);
3412
				hci_pend_le_list_add(params,
3413
						     &hdev->pend_le_conns);
3414
				hci_update_passive_scan(hdev);
3415
				break;
3416

3417
			default:
3418
				break;
3419
			}
3420
		}
3421
	}
3422

3423
	hci_disconn_cfm(conn, ev->reason);
3424

3425
	/* Re-enable advertising if necessary, since it might
3426
	 * have been disabled by the connection. From the
3427
	 * HCI_LE_Set_Advertise_Enable command description in
3428
	 * the core specification (v4.0):
3429
	 * "The Controller shall continue advertising until the Host
3430
	 * issues an LE_Set_Advertise_Enable command with
3431
	 * Advertising_Enable set to 0x00 (Advertising is disabled)
3432
	 * or until a connection is created or until the Advertising
3433
	 * is timed out due to Directed Advertising."
3434
	 */
3435
	if (conn->type == LE_LINK && conn->role == HCI_ROLE_SLAVE) {
3436
		hdev->cur_adv_instance = conn->adv_instance;
3437
		hci_enable_advertising(hdev);
3438
	}
3439

3440
	hci_conn_del(conn);
3441

3442
unlock:
3443
	hci_dev_unlock(hdev);
3444
}
3445

3446
static void hci_auth_complete_evt(struct hci_dev *hdev, void *data,
3447
				  struct sk_buff *skb)
3448
{
3449
	struct hci_ev_auth_complete *ev = data;
3450
	struct hci_conn *conn;
3451

3452
	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3453

3454
	hci_dev_lock(hdev);
3455

3456
	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3457
	if (!conn)
3458
		goto unlock;
3459

3460
	if (!ev->status) {
3461
		clear_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3462
		set_bit(HCI_CONN_AUTH, &conn->flags);
3463
		conn->sec_level = conn->pending_sec_level;
3464
	} else {
3465
		if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3466
			set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3467

3468
		mgmt_auth_failed(conn, ev->status);
3469
	}
3470

3471
	clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3472

3473
	if (conn->state == BT_CONFIG) {
3474
		if (!ev->status && hci_conn_ssp_enabled(conn)) {
3475
			struct hci_cp_set_conn_encrypt cp;
3476
			cp.handle  = ev->handle;
3477
			cp.encrypt = 0x01;
3478
			hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
3479
				     &cp);
3480
		} else {
3481
			conn->state = BT_CONNECTED;
3482
			hci_connect_cfm(conn, ev->status);
3483
			hci_conn_drop(conn);
3484
		}
3485
	} else {
3486
		hci_auth_cfm(conn, ev->status);
3487

3488
		hci_conn_hold(conn);
3489
		conn->disc_timeout = HCI_DISCONN_TIMEOUT;
3490
		hci_conn_drop(conn);
3491
	}
3492

3493
	if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
3494
		if (!ev->status) {
3495
			struct hci_cp_set_conn_encrypt cp;
3496
			cp.handle  = ev->handle;
3497
			cp.encrypt = 0x01;
3498
			hci_send_cmd(hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
3499
				     &cp);
3500
		} else {
3501
			clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3502
			hci_encrypt_cfm(conn, ev->status);
3503
		}
3504
	}
3505

3506
unlock:
3507
	hci_dev_unlock(hdev);
3508
}
3509

3510
static void hci_remote_name_evt(struct hci_dev *hdev, void *data,
3511
				struct sk_buff *skb)
3512
{
3513
	struct hci_ev_remote_name *ev = data;
3514
	struct hci_conn *conn;
3515

3516
	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3517

3518
	hci_dev_lock(hdev);
3519

3520
	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
3521

3522
	if (!hci_dev_test_flag(hdev, HCI_MGMT))
3523
		goto check_auth;
3524

3525
	if (ev->status == 0)
3526
		hci_check_pending_name(hdev, conn, &ev->bdaddr, ev->name,
3527
				       strnlen(ev->name, HCI_MAX_NAME_LENGTH));
3528
	else
3529
		hci_check_pending_name(hdev, conn, &ev->bdaddr, NULL, 0);
3530

3531
check_auth:
3532
	if (!conn)
3533
		goto unlock;
3534

3535
	if (!hci_outgoing_auth_needed(hdev, conn))
3536
		goto unlock;
3537

3538
	if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
3539
		struct hci_cp_auth_requested cp;
3540

3541
		set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
3542

3543
		cp.handle = __cpu_to_le16(conn->handle);
3544
		hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
3545
	}
3546

3547
unlock:
3548
	hci_dev_unlock(hdev);
3549
}
3550

3551
static void hci_encrypt_change_evt(struct hci_dev *hdev, void *data,
3552
				   struct sk_buff *skb)
3553
{
3554
	struct hci_ev_encrypt_change *ev = data;
3555
	struct hci_conn *conn;
3556

3557
	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3558

3559
	hci_dev_lock(hdev);
3560

3561
	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3562
	if (!conn)
3563
		goto unlock;
3564

3565
	if (!ev->status) {
3566
		if (ev->encrypt) {
3567
			/* Encryption implies authentication */
3568
			set_bit(HCI_CONN_AUTH, &conn->flags);
3569
			set_bit(HCI_CONN_ENCRYPT, &conn->flags);
3570
			conn->sec_level = conn->pending_sec_level;
3571

3572
			/* P-256 authentication key implies FIPS */
3573
			if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256)
3574
				set_bit(HCI_CONN_FIPS, &conn->flags);
3575

3576
			if ((conn->type == ACL_LINK && ev->encrypt == 0x02) ||
3577
			    conn->type == LE_LINK)
3578
				set_bit(HCI_CONN_AES_CCM, &conn->flags);
3579
		} else {
3580
			clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
3581
			clear_bit(HCI_CONN_AES_CCM, &conn->flags);
3582
		}
3583
	}
3584

3585
	/* We should disregard the current RPA and generate a new one
3586
	 * whenever the encryption procedure fails.
3587
	 */
3588
	if (ev->status && conn->type == LE_LINK) {
3589
		hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
3590
		hci_adv_instances_set_rpa_expired(hdev, true);
3591
	}
3592

3593
	clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3594

3595
	/* Check link security requirements are met */
3596
	if (!hci_conn_check_link_mode(conn))
3597
		ev->status = HCI_ERROR_AUTH_FAILURE;
3598

3599
	if (ev->status && conn->state == BT_CONNECTED) {
3600
		if (ev->status == HCI_ERROR_PIN_OR_KEY_MISSING)
3601
			set_bit(HCI_CONN_AUTH_FAILURE, &conn->flags);
3602

3603
		/* Notify upper layers so they can cleanup before
3604
		 * disconnecting.
3605
		 */
3606
		hci_encrypt_cfm(conn, ev->status);
3607
		hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
3608
		hci_conn_drop(conn);
3609
		goto unlock;
3610
	}
3611

3612
	/* Try reading the encryption key size for encrypted ACL links */
3613
	if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
3614
		if (hci_read_enc_key_size(hdev, conn))
3615
			goto notify;
3616

3617
		goto unlock;
3618
	}
3619

3620
	/* We skip the WRITE_AUTH_PAYLOAD_TIMEOUT for ATS2851 based controllers
3621
	 * to avoid unexpected SMP command errors when pairing.
3622
	 */
3623
	if (hci_test_quirk(hdev, HCI_QUIRK_BROKEN_WRITE_AUTH_PAYLOAD_TIMEOUT))
3624
		goto notify;
3625

3626
	/* Set the default Authenticated Payload Timeout after
3627
	 * an LE Link is established. As per Core Spec v5.0, Vol 2, Part B
3628
	 * Section 3.3, the HCI command WRITE_AUTH_PAYLOAD_TIMEOUT should be
3629
	 * sent when the link is active and Encryption is enabled, the conn
3630
	 * type can be either LE or ACL and controller must support LMP Ping.
3631
	 * Ensure for AES-CCM encryption as well.
3632
	 */
3633
	if (test_bit(HCI_CONN_ENCRYPT, &conn->flags) &&
3634
	    test_bit(HCI_CONN_AES_CCM, &conn->flags) &&
3635
	    ((conn->type == ACL_LINK && lmp_ping_capable(hdev)) ||
3636
	     (conn->type == LE_LINK && (hdev->le_features[0] & HCI_LE_PING)))) {
3637
		struct hci_cp_write_auth_payload_to cp;
3638

3639
		cp.handle = cpu_to_le16(conn->handle);
3640
		cp.timeout = cpu_to_le16(hdev->auth_payload_timeout);
3641
		if (hci_send_cmd(conn->hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO,
3642
				 sizeof(cp), &cp))
3643
			bt_dev_err(hdev, "write auth payload timeout failed");
3644
	}
3645

3646
notify:
3647
	hci_encrypt_cfm(conn, ev->status);
3648

3649
unlock:
3650
	hci_dev_unlock(hdev);
3651
}
3652

3653
static void hci_change_link_key_complete_evt(struct hci_dev *hdev, void *data,
3654
					     struct sk_buff *skb)
3655
{
3656
	struct hci_ev_change_link_key_complete *ev = data;
3657
	struct hci_conn *conn;
3658

3659
	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3660

3661
	hci_dev_lock(hdev);
3662

3663
	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3664
	if (conn) {
3665
		if (!ev->status)
3666
			set_bit(HCI_CONN_SECURE, &conn->flags);
3667

3668
		clear_bit(HCI_CONN_AUTH_PEND, &conn->flags);
3669

3670
		hci_key_change_cfm(conn, ev->status);
3671
	}
3672

3673
	hci_dev_unlock(hdev);
3674
}
3675

3676
static void hci_remote_features_evt(struct hci_dev *hdev, void *data,
3677
				    struct sk_buff *skb)
3678
{
3679
	struct hci_ev_remote_features *ev = data;
3680
	struct hci_conn *conn;
3681

3682
	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
3683

3684
	hci_dev_lock(hdev);
3685

3686
	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
3687
	if (!conn)
3688
		goto unlock;
3689

3690
	if (!ev->status)
3691
		memcpy(conn->features[0], ev->features, 8);
3692

3693
	if (conn->state != BT_CONFIG)
3694
		goto unlock;
3695

3696
	if (!ev->status && lmp_ext_feat_capable(hdev) &&
3697
	    lmp_ext_feat_capable(conn)) {
3698
		struct hci_cp_read_remote_ext_features cp;
3699
		cp.handle = ev->handle;
3700
		cp.page = 0x01;
3701
		hci_send_cmd(hdev, HCI_OP_READ_REMOTE_EXT_FEATURES,
3702
			     sizeof(cp), &cp);
3703
		goto unlock;
3704
	}
3705

3706
	if (!ev->status) {
3707
		struct hci_cp_remote_name_req cp;
3708
		memset(&cp, 0, sizeof(cp));
3709
		bacpy(&cp.bdaddr, &conn->dst);
3710
		cp.pscan_rep_mode = 0x02;
3711
		hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
3712
	} else {
3713
		mgmt_device_connected(hdev, conn, NULL, 0);
3714
	}
3715

3716
	if (!hci_outgoing_auth_needed(hdev, conn)) {
3717
		conn->state = BT_CONNECTED;
3718
		hci_connect_cfm(conn, ev->status);
3719
		hci_conn_drop(conn);
3720
	}
3721

3722
unlock:
3723
	hci_dev_unlock(hdev);
3724
}
3725

3726
static inline void handle_cmd_cnt_and_timer(struct hci_dev *hdev, u8 ncmd)
3727
{
3728
	cancel_delayed_work(&hdev->cmd_timer);
3729

3730
	rcu_read_lock();
3731
	if (!test_bit(HCI_RESET, &hdev->flags)) {
3732
		if (ncmd) {
3733
			cancel_delayed_work(&hdev->ncmd_timer);
3734
			atomic_set(&hdev->cmd_cnt, 1);
3735
		} else {
3736
			if (!hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE))
3737
				queue_delayed_work(hdev->workqueue, &hdev->ncmd_timer,
3738
						   HCI_NCMD_TIMEOUT);
3739
		}
3740
	}
3741
	rcu_read_unlock();
3742
}
3743

3744
static u8 hci_cc_le_read_buffer_size_v2(struct hci_dev *hdev, void *data,
3745
					struct sk_buff *skb)
3746
{
3747
	struct hci_rp_le_read_buffer_size_v2 *rp = data;
3748

3749
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3750

3751
	if (rp->status)
3752
		return rp->status;
3753

3754
	hdev->le_mtu   = __le16_to_cpu(rp->acl_mtu);
3755
	hdev->le_pkts  = rp->acl_max_pkt;
3756
	hdev->iso_mtu  = __le16_to_cpu(rp->iso_mtu);
3757
	hdev->iso_pkts = rp->iso_max_pkt;
3758

3759
	hdev->le_cnt  = hdev->le_pkts;
3760
	hdev->iso_cnt = hdev->iso_pkts;
3761

3762
	BT_DBG("%s acl mtu %d:%d iso mtu %d:%d", hdev->name, hdev->acl_mtu,
3763
	       hdev->acl_pkts, hdev->iso_mtu, hdev->iso_pkts);
3764

3765
	if (hdev->le_mtu && hdev->le_mtu < HCI_MIN_LE_MTU)
3766
		return HCI_ERROR_INVALID_PARAMETERS;
3767

3768
	return rp->status;
3769
}
3770

3771
static void hci_unbound_cis_failed(struct hci_dev *hdev, u8 cig, u8 status)
3772
{
3773
	struct hci_conn *conn, *tmp;
3774

3775
	lockdep_assert_held(&hdev->lock);
3776

3777
	list_for_each_entry_safe(conn, tmp, &hdev->conn_hash.list, list) {
3778
		if (conn->type != CIS_LINK ||
3779
		    conn->state == BT_OPEN || conn->iso_qos.ucast.cig != cig)
3780
			continue;
3781

3782
		if (HCI_CONN_HANDLE_UNSET(conn->handle))
3783
			hci_conn_failed(conn, status);
3784
	}
3785
}
3786

3787
static u8 hci_cc_le_set_cig_params(struct hci_dev *hdev, void *data,
3788
				   struct sk_buff *skb)
3789
{
3790
	struct hci_rp_le_set_cig_params *rp = data;
3791
	struct hci_cp_le_set_cig_params *cp;
3792
	struct hci_conn *conn;
3793
	u8 status = rp->status;
3794
	bool pending = false;
3795
	int i;
3796

3797
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3798

3799
	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_CIG_PARAMS);
3800
	if (!rp->status && (!cp || rp->num_handles != cp->num_cis ||
3801
			    rp->cig_id != cp->cig_id)) {
3802
		bt_dev_err(hdev, "unexpected Set CIG Parameters response data");
3803
		status = HCI_ERROR_UNSPECIFIED;
3804
	}
3805

3806
	hci_dev_lock(hdev);
3807

3808
	/* BLUETOOTH CORE SPECIFICATION Version 5.4 | Vol 4, Part E page 2554
3809
	 *
3810
	 * If the Status return parameter is non-zero, then the state of the CIG
3811
	 * and its CIS configurations shall not be changed by the command. If
3812
	 * the CIG did not already exist, it shall not be created.
3813
	 */
3814
	if (status) {
3815
		/* Keep current configuration, fail only the unbound CIS */
3816
		hci_unbound_cis_failed(hdev, rp->cig_id, status);
3817
		goto unlock;
3818
	}
3819

3820
	/* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 4, Part E page 2553
3821
	 *
3822
	 * If the Status return parameter is zero, then the Controller shall
3823
	 * set the Connection_Handle arrayed return parameter to the connection
3824
	 * handle(s) corresponding to the CIS configurations specified in
3825
	 * the CIS_IDs command parameter, in the same order.
3826
	 */
3827
	for (i = 0; i < rp->num_handles; ++i) {
3828
		conn = hci_conn_hash_lookup_cis(hdev, NULL, 0, rp->cig_id,
3829
						cp->cis[i].cis_id);
3830
		if (!conn || !bacmp(&conn->dst, BDADDR_ANY))
3831
			continue;
3832

3833
		if (conn->state != BT_BOUND && conn->state != BT_CONNECT)
3834
			continue;
3835

3836
		if (hci_conn_set_handle(conn, __le16_to_cpu(rp->handle[i])))
3837
			continue;
3838

3839
		if (conn->state == BT_CONNECT)
3840
			pending = true;
3841
	}
3842

3843
unlock:
3844
	if (pending)
3845
		hci_le_create_cis_pending(hdev);
3846

3847
	hci_dev_unlock(hdev);
3848

3849
	return rp->status;
3850
}
3851

3852
static u8 hci_cc_le_setup_iso_path(struct hci_dev *hdev, void *data,
3853
				   struct sk_buff *skb)
3854
{
3855
	struct hci_rp_le_setup_iso_path *rp = data;
3856
	struct hci_cp_le_setup_iso_path *cp;
3857
	struct hci_conn *conn;
3858

3859
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3860

3861
	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SETUP_ISO_PATH);
3862
	if (!cp)
3863
		return rp->status;
3864

3865
	hci_dev_lock(hdev);
3866

3867
	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(cp->handle));
3868
	if (!conn)
3869
		goto unlock;
3870

3871
	if (rp->status) {
3872
		hci_connect_cfm(conn, rp->status);
3873
		hci_conn_del(conn);
3874
		goto unlock;
3875
	}
3876

3877
	switch (cp->direction) {
3878
	/* Input (Host to Controller) */
3879
	case 0x00:
3880
		/* Only confirm connection if output only */
3881
		if (conn->iso_qos.ucast.out.sdu && !conn->iso_qos.ucast.in.sdu)
3882
			hci_connect_cfm(conn, rp->status);
3883
		break;
3884
	/* Output (Controller to Host) */
3885
	case 0x01:
3886
		/* Confirm connection since conn->iso_qos is always configured
3887
		 * last.
3888
		 */
3889
		hci_connect_cfm(conn, rp->status);
3890

3891
		/* Notify device connected in case it is a BIG Sync */
3892
		if (!rp->status && test_bit(HCI_CONN_BIG_SYNC, &conn->flags))
3893
			mgmt_device_connected(hdev, conn, NULL, 0);
3894

3895
		break;
3896
	}
3897

3898
unlock:
3899
	hci_dev_unlock(hdev);
3900
	return rp->status;
3901
}
3902

3903
static void hci_cs_le_create_big(struct hci_dev *hdev, u8 status)
3904
{
3905
	bt_dev_dbg(hdev, "status 0x%2.2x", status);
3906
}
3907

3908
static u8 hci_cc_set_per_adv_param(struct hci_dev *hdev, void *data,
3909
				   struct sk_buff *skb)
3910
{
3911
	struct hci_ev_status *rp = data;
3912
	struct hci_cp_le_set_per_adv_params *cp;
3913

3914
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3915

3916
	if (rp->status)
3917
		return rp->status;
3918

3919
	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_PARAMS);
3920
	if (!cp)
3921
		return rp->status;
3922

3923
	/* TODO: set the conn state */
3924
	return rp->status;
3925
}
3926

3927
static u8 hci_cc_le_set_per_adv_enable(struct hci_dev *hdev, void *data,
3928
				       struct sk_buff *skb)
3929
{
3930
	struct hci_ev_status *rp = data;
3931
	struct hci_cp_le_set_per_adv_enable *cp;
3932
	struct adv_info *adv = NULL, *n;
3933
	u8 per_adv_cnt = 0;
3934

3935
	bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
3936

3937
	if (rp->status)
3938
		return rp->status;
3939

3940
	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_PER_ADV_ENABLE);
3941
	if (!cp)
3942
		return rp->status;
3943

3944
	hci_dev_lock(hdev);
3945

3946
	adv = hci_find_adv_instance(hdev, cp->handle);
3947

3948
	if (cp->enable) {
3949
		hci_dev_set_flag(hdev, HCI_LE_PER_ADV);
3950

3951
		if (adv)
3952
			adv->enabled = true;
3953
	} else {
3954
		/* If just one instance was disabled check if there are
3955
		 * any other instance enabled before clearing HCI_LE_PER_ADV.
3956
		 * The current periodic adv instance will be marked as
3957
		 * disabled once extended advertising is also disabled.
3958
		 */
3959
		list_for_each_entry_safe(adv, n, &hdev->adv_instances,
3960
					 list) {
3961
			if (adv->periodic && adv->enabled)
3962
				per_adv_cnt++;
3963
		}
3964

3965
		if (per_adv_cnt > 1)
3966
			goto unlock;
3967

3968
		hci_dev_clear_flag(hdev, HCI_LE_PER_ADV);
3969
	}
3970

3971
unlock:
3972
	hci_dev_unlock(hdev);
3973

3974
	return rp->status;
3975
}
3976

3977
#define HCI_CC_VL(_op, _func, _min, _max) \
3978
{ \
3979
	.op = _op, \
3980
	.func = _func, \
3981
	.min_len = _min, \
3982
	.max_len = _max, \
3983
}
3984

3985
#define HCI_CC(_op, _func, _len) \
3986
	HCI_CC_VL(_op, _func, _len, _len)
3987

3988
#define HCI_CC_STATUS(_op, _func) \
3989
	HCI_CC(_op, _func, sizeof(struct hci_ev_status))
3990

3991
static const struct hci_cc {
3992
	u16  op;
3993
	u8 (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb);
3994
	u16  min_len;
3995
	u16  max_len;
3996
} hci_cc_table[] = {
3997
	HCI_CC_STATUS(HCI_OP_INQUIRY_CANCEL, hci_cc_inquiry_cancel),
3998
	HCI_CC_STATUS(HCI_OP_PERIODIC_INQ, hci_cc_periodic_inq),
3999
	HCI_CC_STATUS(HCI_OP_EXIT_PERIODIC_INQ, hci_cc_exit_periodic_inq),
4000
	HCI_CC(HCI_OP_REMOTE_NAME_REQ_CANCEL, hci_cc_remote_name_req_cancel,
4001
	       sizeof(struct hci_rp_remote_name_req_cancel)),
4002
	HCI_CC(HCI_OP_ROLE_DISCOVERY, hci_cc_role_discovery,
4003
	       sizeof(struct hci_rp_role_discovery)),
4004
	HCI_CC(HCI_OP_READ_LINK_POLICY, hci_cc_read_link_policy,
4005
	       sizeof(struct hci_rp_read_link_policy)),
4006
	HCI_CC(HCI_OP_WRITE_LINK_POLICY, hci_cc_write_link_policy,
4007
	       sizeof(struct hci_rp_write_link_policy)),
4008
	HCI_CC(HCI_OP_READ_DEF_LINK_POLICY, hci_cc_read_def_link_policy,
4009
	       sizeof(struct hci_rp_read_def_link_policy)),
4010
	HCI_CC_STATUS(HCI_OP_WRITE_DEF_LINK_POLICY,
4011
		      hci_cc_write_def_link_policy),
4012
	HCI_CC_STATUS(HCI_OP_RESET, hci_cc_reset),
4013
	HCI_CC(HCI_OP_READ_STORED_LINK_KEY, hci_cc_read_stored_link_key,
4014
	       sizeof(struct hci_rp_read_stored_link_key)),
4015
	HCI_CC(HCI_OP_DELETE_STORED_LINK_KEY, hci_cc_delete_stored_link_key,
4016
	       sizeof(struct hci_rp_delete_stored_link_key)),
4017
	HCI_CC_STATUS(HCI_OP_WRITE_LOCAL_NAME, hci_cc_write_local_name),
4018
	HCI_CC(HCI_OP_READ_LOCAL_NAME, hci_cc_read_local_name,
4019
	       sizeof(struct hci_rp_read_local_name)),
4020
	HCI_CC_STATUS(HCI_OP_WRITE_AUTH_ENABLE, hci_cc_write_auth_enable),
4021
	HCI_CC_STATUS(HCI_OP_WRITE_ENCRYPT_MODE, hci_cc_write_encrypt_mode),
4022
	HCI_CC_STATUS(HCI_OP_WRITE_SCAN_ENABLE, hci_cc_write_scan_enable),
4023
	HCI_CC_STATUS(HCI_OP_SET_EVENT_FLT, hci_cc_set_event_filter),
4024
	HCI_CC(HCI_OP_READ_CLASS_OF_DEV, hci_cc_read_class_of_dev,
4025
	       sizeof(struct hci_rp_read_class_of_dev)),
4026
	HCI_CC_STATUS(HCI_OP_WRITE_CLASS_OF_DEV, hci_cc_write_class_of_dev),
4027
	HCI_CC(HCI_OP_READ_VOICE_SETTING, hci_cc_read_voice_setting,
4028
	       sizeof(struct hci_rp_read_voice_setting)),
4029
	HCI_CC_STATUS(HCI_OP_WRITE_VOICE_SETTING, hci_cc_write_voice_setting),
4030
	HCI_CC(HCI_OP_READ_NUM_SUPPORTED_IAC, hci_cc_read_num_supported_iac,
4031
	       sizeof(struct hci_rp_read_num_supported_iac)),
4032
	HCI_CC_STATUS(HCI_OP_WRITE_SSP_MODE, hci_cc_write_ssp_mode),
4033
	HCI_CC_STATUS(HCI_OP_WRITE_SC_SUPPORT, hci_cc_write_sc_support),
4034
	HCI_CC(HCI_OP_READ_AUTH_PAYLOAD_TO, hci_cc_read_auth_payload_timeout,
4035
	       sizeof(struct hci_rp_read_auth_payload_to)),
4036
	HCI_CC(HCI_OP_WRITE_AUTH_PAYLOAD_TO, hci_cc_write_auth_payload_timeout,
4037
	       sizeof(struct hci_rp_write_auth_payload_to)),
4038
	HCI_CC(HCI_OP_READ_LOCAL_VERSION, hci_cc_read_local_version,
4039
	       sizeof(struct hci_rp_read_local_version)),
4040
	HCI_CC(HCI_OP_READ_LOCAL_COMMANDS, hci_cc_read_local_commands,
4041
	       sizeof(struct hci_rp_read_local_commands)),
4042
	HCI_CC(HCI_OP_READ_LOCAL_FEATURES, hci_cc_read_local_features,
4043
	       sizeof(struct hci_rp_read_local_features)),
4044
	HCI_CC(HCI_OP_READ_LOCAL_EXT_FEATURES, hci_cc_read_local_ext_features,
4045
	       sizeof(struct hci_rp_read_local_ext_features)),
4046
	HCI_CC(HCI_OP_READ_BUFFER_SIZE, hci_cc_read_buffer_size,
4047
	       sizeof(struct hci_rp_read_buffer_size)),
4048
	HCI_CC(HCI_OP_READ_BD_ADDR, hci_cc_read_bd_addr,
4049
	       sizeof(struct hci_rp_read_bd_addr)),
4050
	HCI_CC(HCI_OP_READ_LOCAL_PAIRING_OPTS, hci_cc_read_local_pairing_opts,
4051
	       sizeof(struct hci_rp_read_local_pairing_opts)),
4052
	HCI_CC(HCI_OP_READ_PAGE_SCAN_ACTIVITY, hci_cc_read_page_scan_activity,
4053
	       sizeof(struct hci_rp_read_page_scan_activity)),
4054
	HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_ACTIVITY,
4055
		      hci_cc_write_page_scan_activity),
4056
	HCI_CC(HCI_OP_READ_PAGE_SCAN_TYPE, hci_cc_read_page_scan_type,
4057
	       sizeof(struct hci_rp_read_page_scan_type)),
4058
	HCI_CC_STATUS(HCI_OP_WRITE_PAGE_SCAN_TYPE, hci_cc_write_page_scan_type),
4059
	HCI_CC(HCI_OP_READ_CLOCK, hci_cc_read_clock,
4060
	       sizeof(struct hci_rp_read_clock)),
4061
	HCI_CC(HCI_OP_READ_ENC_KEY_SIZE, hci_cc_read_enc_key_size,
4062
	       sizeof(struct hci_rp_read_enc_key_size)),
4063
	HCI_CC(HCI_OP_READ_INQ_RSP_TX_POWER, hci_cc_read_inq_rsp_tx_power,
4064
	       sizeof(struct hci_rp_read_inq_rsp_tx_power)),
4065
	HCI_CC(HCI_OP_READ_DEF_ERR_DATA_REPORTING,
4066
	       hci_cc_read_def_err_data_reporting,
4067
	       sizeof(struct hci_rp_read_def_err_data_reporting)),
4068
	HCI_CC_STATUS(HCI_OP_WRITE_DEF_ERR_DATA_REPORTING,
4069
		      hci_cc_write_def_err_data_reporting),
4070
	HCI_CC(HCI_OP_PIN_CODE_REPLY, hci_cc_pin_code_reply,
4071
	       sizeof(struct hci_rp_pin_code_reply)),
4072
	HCI_CC(HCI_OP_PIN_CODE_NEG_REPLY, hci_cc_pin_code_neg_reply,
4073
	       sizeof(struct hci_rp_pin_code_neg_reply)),
4074
	HCI_CC(HCI_OP_READ_LOCAL_OOB_DATA, hci_cc_read_local_oob_data,
4075
	       sizeof(struct hci_rp_read_local_oob_data)),
4076
	HCI_CC(HCI_OP_READ_LOCAL_OOB_EXT_DATA, hci_cc_read_local_oob_ext_data,
4077
	       sizeof(struct hci_rp_read_local_oob_ext_data)),
4078
	HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE, hci_cc_le_read_buffer_size,
4079
	       sizeof(struct hci_rp_le_read_buffer_size)),
4080
	HCI_CC(HCI_OP_LE_READ_LOCAL_FEATURES, hci_cc_le_read_local_features,
4081
	       sizeof(struct hci_rp_le_read_local_features)),
4082
	HCI_CC(HCI_OP_LE_READ_ADV_TX_POWER, hci_cc_le_read_adv_tx_power,
4083
	       sizeof(struct hci_rp_le_read_adv_tx_power)),
4084
	HCI_CC(HCI_OP_USER_CONFIRM_REPLY, hci_cc_user_confirm_reply,
4085
	       sizeof(struct hci_rp_user_confirm_reply)),
4086
	HCI_CC(HCI_OP_USER_CONFIRM_NEG_REPLY, hci_cc_user_confirm_neg_reply,
4087
	       sizeof(struct hci_rp_user_confirm_reply)),
4088
	HCI_CC(HCI_OP_USER_PASSKEY_REPLY, hci_cc_user_passkey_reply,
4089
	       sizeof(struct hci_rp_user_confirm_reply)),
4090
	HCI_CC(HCI_OP_USER_PASSKEY_NEG_REPLY, hci_cc_user_passkey_neg_reply,
4091
	       sizeof(struct hci_rp_user_confirm_reply)),
4092
	HCI_CC_STATUS(HCI_OP_LE_SET_RANDOM_ADDR, hci_cc_le_set_random_addr),
4093
	HCI_CC_STATUS(HCI_OP_LE_SET_ADV_ENABLE, hci_cc_le_set_adv_enable),
4094
	HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_PARAM, hci_cc_le_set_scan_param),
4095
	HCI_CC_STATUS(HCI_OP_LE_SET_SCAN_ENABLE, hci_cc_le_set_scan_enable),
4096
	HCI_CC(HCI_OP_LE_READ_ACCEPT_LIST_SIZE,
4097
	       hci_cc_le_read_accept_list_size,
4098
	       sizeof(struct hci_rp_le_read_accept_list_size)),
4099
	HCI_CC_STATUS(HCI_OP_LE_CLEAR_ACCEPT_LIST, hci_cc_le_clear_accept_list),
4100
	HCI_CC_STATUS(HCI_OP_LE_ADD_TO_ACCEPT_LIST,
4101
		      hci_cc_le_add_to_accept_list),
4102
	HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_ACCEPT_LIST,
4103
		      hci_cc_le_del_from_accept_list),
4104
	HCI_CC(HCI_OP_LE_READ_SUPPORTED_STATES, hci_cc_le_read_supported_states,
4105
	       sizeof(struct hci_rp_le_read_supported_states)),
4106
	HCI_CC(HCI_OP_LE_READ_DEF_DATA_LEN, hci_cc_le_read_def_data_len,
4107
	       sizeof(struct hci_rp_le_read_def_data_len)),
4108
	HCI_CC_STATUS(HCI_OP_LE_WRITE_DEF_DATA_LEN,
4109
		      hci_cc_le_write_def_data_len),
4110
	HCI_CC_STATUS(HCI_OP_LE_ADD_TO_RESOLV_LIST,
4111
		      hci_cc_le_add_to_resolv_list),
4112
	HCI_CC_STATUS(HCI_OP_LE_DEL_FROM_RESOLV_LIST,
4113
		      hci_cc_le_del_from_resolv_list),
4114
	HCI_CC_STATUS(HCI_OP_LE_CLEAR_RESOLV_LIST,
4115
		      hci_cc_le_clear_resolv_list),
4116
	HCI_CC(HCI_OP_LE_READ_RESOLV_LIST_SIZE, hci_cc_le_read_resolv_list_size,
4117
	       sizeof(struct hci_rp_le_read_resolv_list_size)),
4118
	HCI_CC_STATUS(HCI_OP_LE_SET_ADDR_RESOLV_ENABLE,
4119
		      hci_cc_le_set_addr_resolution_enable),
4120
	HCI_CC(HCI_OP_LE_READ_MAX_DATA_LEN, hci_cc_le_read_max_data_len,
4121
	       sizeof(struct hci_rp_le_read_max_data_len)),
4122
	HCI_CC_STATUS(HCI_OP_WRITE_LE_HOST_SUPPORTED,
4123
		      hci_cc_write_le_host_supported),
4124
	HCI_CC_STATUS(HCI_OP_LE_SET_ADV_PARAM, hci_cc_set_adv_param),
4125
	HCI_CC(HCI_OP_READ_RSSI, hci_cc_read_rssi,
4126
	       sizeof(struct hci_rp_read_rssi)),
4127
	HCI_CC(HCI_OP_READ_TX_POWER, hci_cc_read_tx_power,
4128
	       sizeof(struct hci_rp_read_tx_power)),
4129
	HCI_CC_STATUS(HCI_OP_WRITE_SSP_DEBUG_MODE, hci_cc_write_ssp_debug_mode),
4130
	HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_PARAMS,
4131
		      hci_cc_le_set_ext_scan_param),
4132
	HCI_CC_STATUS(HCI_OP_LE_SET_EXT_SCAN_ENABLE,
4133
		      hci_cc_le_set_ext_scan_enable),
4134
	HCI_CC_STATUS(HCI_OP_LE_SET_DEFAULT_PHY, hci_cc_le_set_default_phy),
4135
	HCI_CC(HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS,
4136
	       hci_cc_le_read_num_adv_sets,
4137
	       sizeof(struct hci_rp_le_read_num_supported_adv_sets)),
4138
	HCI_CC_STATUS(HCI_OP_LE_SET_EXT_ADV_ENABLE,
4139
		      hci_cc_le_set_ext_adv_enable),
4140
	HCI_CC_STATUS(HCI_OP_LE_SET_ADV_SET_RAND_ADDR,
4141
		      hci_cc_le_set_adv_set_random_addr),
4142
	HCI_CC_STATUS(HCI_OP_LE_REMOVE_ADV_SET, hci_cc_le_remove_adv_set),
4143
	HCI_CC_STATUS(HCI_OP_LE_CLEAR_ADV_SETS, hci_cc_le_clear_adv_sets),
4144
	HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_PARAMS, hci_cc_set_per_adv_param),
4145
	HCI_CC_STATUS(HCI_OP_LE_SET_PER_ADV_ENABLE,
4146
		      hci_cc_le_set_per_adv_enable),
4147
	HCI_CC(HCI_OP_LE_READ_TRANSMIT_POWER, hci_cc_le_read_transmit_power,
4148
	       sizeof(struct hci_rp_le_read_transmit_power)),
4149
	HCI_CC_STATUS(HCI_OP_LE_SET_PRIVACY_MODE, hci_cc_le_set_privacy_mode),
4150
	HCI_CC(HCI_OP_LE_READ_BUFFER_SIZE_V2, hci_cc_le_read_buffer_size_v2,
4151
	       sizeof(struct hci_rp_le_read_buffer_size_v2)),
4152
	HCI_CC_VL(HCI_OP_LE_SET_CIG_PARAMS, hci_cc_le_set_cig_params,
4153
		  sizeof(struct hci_rp_le_set_cig_params), HCI_MAX_EVENT_SIZE),
4154
	HCI_CC(HCI_OP_LE_SETUP_ISO_PATH, hci_cc_le_setup_iso_path,
4155
	       sizeof(struct hci_rp_le_setup_iso_path)),
4156
};
4157

4158
static u8 hci_cc_func(struct hci_dev *hdev, const struct hci_cc *cc,
4159
		      struct sk_buff *skb)
4160
{
4161
	void *data;
4162

4163
	if (skb->len < cc->min_len) {
4164
		bt_dev_err(hdev, "unexpected cc 0x%4.4x length: %u < %u",
4165
			   cc->op, skb->len, cc->min_len);
4166
		return HCI_ERROR_UNSPECIFIED;
4167
	}
4168

4169
	/* Just warn if the length is over max_len size it still be possible to
4170
	 * partially parse the cc so leave to callback to decide if that is
4171
	 * acceptable.
4172
	 */
4173
	if (skb->len > cc->max_len)
4174
		bt_dev_warn(hdev, "unexpected cc 0x%4.4x length: %u > %u",
4175
			    cc->op, skb->len, cc->max_len);
4176

4177
	data = hci_cc_skb_pull(hdev, skb, cc->op, cc->min_len);
4178
	if (!data)
4179
		return HCI_ERROR_UNSPECIFIED;
4180

4181
	return cc->func(hdev, data, skb);
4182
}
4183

4184
static void hci_cmd_complete_evt(struct hci_dev *hdev, void *data,
4185
				 struct sk_buff *skb, u16 *opcode, u8 *status,
4186
				 hci_req_complete_t *req_complete,
4187
				 hci_req_complete_skb_t *req_complete_skb)
4188
{
4189
	struct hci_ev_cmd_complete *ev = data;
4190
	int i;
4191

4192
	*opcode = __le16_to_cpu(ev->opcode);
4193

4194
	bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode);
4195

4196
	for (i = 0; i < ARRAY_SIZE(hci_cc_table); i++) {
4197
		if (hci_cc_table[i].op == *opcode) {
4198
			*status = hci_cc_func(hdev, &hci_cc_table[i], skb);
4199
			break;
4200
		}
4201
	}
4202

4203
	if (i == ARRAY_SIZE(hci_cc_table)) {
4204
		/* Unknown opcode, assume byte 0 contains the status, so
4205
		 * that e.g. __hci_cmd_sync() properly returns errors
4206
		 * for vendor specific commands send by HCI drivers.
4207
		 * If a vendor doesn't actually follow this convention we may
4208
		 * need to introduce a vendor CC table in order to properly set
4209
		 * the status.
4210
		 */
4211
		*status = skb->data[0];
4212
	}
4213

4214
	handle_cmd_cnt_and_timer(hdev, ev->ncmd);
4215

4216
	hci_req_cmd_complete(hdev, *opcode, *status, req_complete,
4217
			     req_complete_skb);
4218

4219
	if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
4220
		bt_dev_err(hdev,
4221
			   "unexpected event for opcode 0x%4.4x", *opcode);
4222
		return;
4223
	}
4224

4225
	if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
4226
		queue_work(hdev->workqueue, &hdev->cmd_work);
4227
}
4228

4229
static void hci_cs_le_create_cis(struct hci_dev *hdev, u8 status)
4230
{
4231
	struct hci_cp_le_create_cis *cp;
4232
	bool pending = false;
4233
	int i;
4234

4235
	bt_dev_dbg(hdev, "status 0x%2.2x", status);
4236

4237
	if (!status)
4238
		return;
4239

4240
	cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CIS);
4241
	if (!cp)
4242
		return;
4243

4244
	hci_dev_lock(hdev);
4245

4246
	/* Remove connection if command failed */
4247
	for (i = 0; i < cp->num_cis; i++) {
4248
		struct hci_conn *conn;
4249
		u16 handle;
4250

4251
		handle = __le16_to_cpu(cp->cis[i].cis_handle);
4252

4253
		conn = hci_conn_hash_lookup_handle(hdev, handle);
4254
		if (conn) {
4255
			if (test_and_clear_bit(HCI_CONN_CREATE_CIS,
4256
					       &conn->flags))
4257
				pending = true;
4258
			conn->state = BT_CLOSED;
4259
			hci_connect_cfm(conn, status);
4260
			hci_conn_del(conn);
4261
		}
4262
	}
4263
	cp->num_cis = 0;
4264

4265
	if (pending)
4266
		hci_le_create_cis_pending(hdev);
4267

4268
	hci_dev_unlock(hdev);
4269
}
4270

4271
#define HCI_CS(_op, _func) \
4272
{ \
4273
	.op = _op, \
4274
	.func = _func, \
4275
}
4276

4277
static const struct hci_cs {
4278
	u16  op;
4279
	void (*func)(struct hci_dev *hdev, __u8 status);
4280
} hci_cs_table[] = {
4281
	HCI_CS(HCI_OP_INQUIRY, hci_cs_inquiry),
4282
	HCI_CS(HCI_OP_CREATE_CONN, hci_cs_create_conn),
4283
	HCI_CS(HCI_OP_DISCONNECT, hci_cs_disconnect),
4284
	HCI_CS(HCI_OP_ADD_SCO, hci_cs_add_sco),
4285
	HCI_CS(HCI_OP_AUTH_REQUESTED, hci_cs_auth_requested),
4286
	HCI_CS(HCI_OP_SET_CONN_ENCRYPT, hci_cs_set_conn_encrypt),
4287
	HCI_CS(HCI_OP_REMOTE_NAME_REQ, hci_cs_remote_name_req),
4288
	HCI_CS(HCI_OP_READ_REMOTE_FEATURES, hci_cs_read_remote_features),
4289
	HCI_CS(HCI_OP_READ_REMOTE_EXT_FEATURES,
4290
	       hci_cs_read_remote_ext_features),
4291
	HCI_CS(HCI_OP_SETUP_SYNC_CONN, hci_cs_setup_sync_conn),
4292
	HCI_CS(HCI_OP_ENHANCED_SETUP_SYNC_CONN,
4293
	       hci_cs_enhanced_setup_sync_conn),
4294
	HCI_CS(HCI_OP_SNIFF_MODE, hci_cs_sniff_mode),
4295
	HCI_CS(HCI_OP_EXIT_SNIFF_MODE, hci_cs_exit_sniff_mode),
4296
	HCI_CS(HCI_OP_SWITCH_ROLE, hci_cs_switch_role),
4297
	HCI_CS(HCI_OP_LE_CREATE_CONN, hci_cs_le_create_conn),
4298
	HCI_CS(HCI_OP_LE_READ_REMOTE_FEATURES, hci_cs_le_read_remote_features),
4299
	HCI_CS(HCI_OP_LE_START_ENC, hci_cs_le_start_enc),
4300
	HCI_CS(HCI_OP_LE_EXT_CREATE_CONN, hci_cs_le_ext_create_conn),
4301
	HCI_CS(HCI_OP_LE_CREATE_CIS, hci_cs_le_create_cis),
4302
	HCI_CS(HCI_OP_LE_CREATE_BIG, hci_cs_le_create_big),
4303
};
4304

4305
static void hci_cmd_status_evt(struct hci_dev *hdev, void *data,
4306
			       struct sk_buff *skb, u16 *opcode, u8 *status,
4307
			       hci_req_complete_t *req_complete,
4308
			       hci_req_complete_skb_t *req_complete_skb)
4309
{
4310
	struct hci_ev_cmd_status *ev = data;
4311
	int i;
4312

4313
	*opcode = __le16_to_cpu(ev->opcode);
4314
	*status = ev->status;
4315

4316
	bt_dev_dbg(hdev, "opcode 0x%4.4x", *opcode);
4317

4318
	for (i = 0; i < ARRAY_SIZE(hci_cs_table); i++) {
4319
		if (hci_cs_table[i].op == *opcode) {
4320
			hci_cs_table[i].func(hdev, ev->status);
4321
			break;
4322
		}
4323
	}
4324

4325
	handle_cmd_cnt_and_timer(hdev, ev->ncmd);
4326

4327
	/* Indicate request completion if the command failed. Also, if
4328
	 * we're not waiting for a special event and we get a success
4329
	 * command status we should try to flag the request as completed
4330
	 * (since for this kind of commands there will not be a command
4331
	 * complete event).
4332
	 */
4333
	if (ev->status || (hdev->req_skb && !hci_skb_event(hdev->req_skb))) {
4334
		hci_req_cmd_complete(hdev, *opcode, ev->status, req_complete,
4335
				     req_complete_skb);
4336
		if (hci_dev_test_flag(hdev, HCI_CMD_PENDING)) {
4337
			bt_dev_err(hdev, "unexpected event for opcode 0x%4.4x",
4338
				   *opcode);
4339
			return;
4340
		}
4341
	}
4342

4343
	if (atomic_read(&hdev->cmd_cnt) && !skb_queue_empty(&hdev->cmd_q))
4344
		queue_work(hdev->workqueue, &hdev->cmd_work);
4345
}
4346

4347
static void hci_hardware_error_evt(struct hci_dev *hdev, void *data,
4348
				   struct sk_buff *skb)
4349
{
4350
	struct hci_ev_hardware_error *ev = data;
4351

4352
	bt_dev_dbg(hdev, "code 0x%2.2x", ev->code);
4353

4354
	hdev->hw_error_code = ev->code;
4355

4356
	queue_work(hdev->req_workqueue, &hdev->error_reset);
4357
}
4358

4359
static void hci_role_change_evt(struct hci_dev *hdev, void *data,
4360
				struct sk_buff *skb)
4361
{
4362
	struct hci_ev_role_change *ev = data;
4363
	struct hci_conn *conn;
4364

4365
	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4366

4367
	hci_dev_lock(hdev);
4368

4369
	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4370
	if (conn) {
4371
		if (!ev->status)
4372
			conn->role = ev->role;
4373

4374
		clear_bit(HCI_CONN_RSWITCH_PEND, &conn->flags);
4375

4376
		hci_role_switch_cfm(conn, ev->status, ev->role);
4377
	}
4378

4379
	hci_dev_unlock(hdev);
4380
}
4381

4382
static void hci_num_comp_pkts_evt(struct hci_dev *hdev, void *data,
4383
				  struct sk_buff *skb)
4384
{
4385
	struct hci_ev_num_comp_pkts *ev = data;
4386
	int i;
4387

4388
	if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_PKTS,
4389
			     flex_array_size(ev, handles, ev->num)))
4390
		return;
4391

4392
	bt_dev_dbg(hdev, "num %d", ev->num);
4393

4394
	for (i = 0; i < ev->num; i++) {
4395
		struct hci_comp_pkts_info *info = &ev->handles[i];
4396
		struct hci_conn *conn;
4397
		__u16  handle, count;
4398
		unsigned int i;
4399

4400
		handle = __le16_to_cpu(info->handle);
4401
		count  = __le16_to_cpu(info->count);
4402

4403
		conn = hci_conn_hash_lookup_handle(hdev, handle);
4404
		if (!conn)
4405
			continue;
4406

4407
		/* Check if there is really enough packets outstanding before
4408
		 * attempting to decrease the sent counter otherwise it could
4409
		 * underflow..
4410
		 */
4411
		if (conn->sent >= count) {
4412
			conn->sent -= count;
4413
		} else {
4414
			bt_dev_warn(hdev, "hcon %p sent %u < count %u",
4415
				    conn, conn->sent, count);
4416
			conn->sent = 0;
4417
		}
4418

4419
		for (i = 0; i < count; ++i)
4420
			hci_conn_tx_dequeue(conn);
4421

4422
		switch (conn->type) {
4423
		case ACL_LINK:
4424
			hdev->acl_cnt += count;
4425
			if (hdev->acl_cnt > hdev->acl_pkts)
4426
				hdev->acl_cnt = hdev->acl_pkts;
4427
			break;
4428

4429
		case LE_LINK:
4430
			if (hdev->le_pkts) {
4431
				hdev->le_cnt += count;
4432
				if (hdev->le_cnt > hdev->le_pkts)
4433
					hdev->le_cnt = hdev->le_pkts;
4434
			} else {
4435
				hdev->acl_cnt += count;
4436
				if (hdev->acl_cnt > hdev->acl_pkts)
4437
					hdev->acl_cnt = hdev->acl_pkts;
4438
			}
4439
			break;
4440

4441
		case SCO_LINK:
4442
		case ESCO_LINK:
4443
			hdev->sco_cnt += count;
4444
			if (hdev->sco_cnt > hdev->sco_pkts)
4445
				hdev->sco_cnt = hdev->sco_pkts;
4446

4447
			break;
4448

4449
		case CIS_LINK:
4450
		case BIS_LINK:
4451
		case PA_LINK:
4452
			if (hdev->iso_pkts) {
4453
				hdev->iso_cnt += count;
4454
				if (hdev->iso_cnt > hdev->iso_pkts)
4455
					hdev->iso_cnt = hdev->iso_pkts;
4456
			} else if (hdev->le_pkts) {
4457
				hdev->le_cnt += count;
4458
				if (hdev->le_cnt > hdev->le_pkts)
4459
					hdev->le_cnt = hdev->le_pkts;
4460
			} else {
4461
				hdev->acl_cnt += count;
4462
				if (hdev->acl_cnt > hdev->acl_pkts)
4463
					hdev->acl_cnt = hdev->acl_pkts;
4464
			}
4465
			break;
4466

4467
		default:
4468
			bt_dev_err(hdev, "unknown type %d conn %p",
4469
				   conn->type, conn);
4470
			break;
4471
		}
4472
	}
4473

4474
	queue_work(hdev->workqueue, &hdev->tx_work);
4475
}
4476

4477
static void hci_mode_change_evt(struct hci_dev *hdev, void *data,
4478
				struct sk_buff *skb)
4479
{
4480
	struct hci_ev_mode_change *ev = data;
4481
	struct hci_conn *conn;
4482

4483
	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4484

4485
	hci_dev_lock(hdev);
4486

4487
	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4488
	if (conn) {
4489
		conn->mode = ev->mode;
4490

4491
		if (!test_and_clear_bit(HCI_CONN_MODE_CHANGE_PEND,
4492
					&conn->flags)) {
4493
			if (conn->mode == HCI_CM_ACTIVE)
4494
				set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
4495
			else
4496
				clear_bit(HCI_CONN_POWER_SAVE, &conn->flags);
4497
		}
4498

4499
		if (test_and_clear_bit(HCI_CONN_SCO_SETUP_PEND, &conn->flags))
4500
			hci_sco_setup(conn, ev->status);
4501
	}
4502

4503
	hci_dev_unlock(hdev);
4504
}
4505

4506
static void hci_pin_code_request_evt(struct hci_dev *hdev, void *data,
4507
				     struct sk_buff *skb)
4508
{
4509
	struct hci_ev_pin_code_req *ev = data;
4510
	struct hci_conn *conn;
4511

4512
	bt_dev_dbg(hdev, "");
4513

4514
	hci_dev_lock(hdev);
4515

4516
	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4517
	if (!conn)
4518
		goto unlock;
4519

4520
	if (conn->state == BT_CONNECTED) {
4521
		hci_conn_hold(conn);
4522
		conn->disc_timeout = HCI_PAIRING_TIMEOUT;
4523
		hci_conn_drop(conn);
4524
	}
4525

4526
	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
4527
	    !test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags)) {
4528
		hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
4529
			     sizeof(ev->bdaddr), &ev->bdaddr);
4530
	} else if (hci_dev_test_flag(hdev, HCI_MGMT)) {
4531
		u8 secure;
4532

4533
		if (conn->pending_sec_level == BT_SECURITY_HIGH)
4534
			secure = 1;
4535
		else
4536
			secure = 0;
4537

4538
		mgmt_pin_code_request(hdev, &ev->bdaddr, secure);
4539
	}
4540

4541
unlock:
4542
	hci_dev_unlock(hdev);
4543
}
4544

4545
static void conn_set_key(struct hci_conn *conn, u8 key_type, u8 pin_len)
4546
{
4547
	if (key_type == HCI_LK_CHANGED_COMBINATION)
4548
		return;
4549

4550
	conn->pin_length = pin_len;
4551
	conn->key_type = key_type;
4552

4553
	switch (key_type) {
4554
	case HCI_LK_LOCAL_UNIT:
4555
	case HCI_LK_REMOTE_UNIT:
4556
	case HCI_LK_DEBUG_COMBINATION:
4557
		return;
4558
	case HCI_LK_COMBINATION:
4559
		if (pin_len == 16)
4560
			conn->pending_sec_level = BT_SECURITY_HIGH;
4561
		else
4562
			conn->pending_sec_level = BT_SECURITY_MEDIUM;
4563
		break;
4564
	case HCI_LK_UNAUTH_COMBINATION_P192:
4565
	case HCI_LK_UNAUTH_COMBINATION_P256:
4566
		conn->pending_sec_level = BT_SECURITY_MEDIUM;
4567
		break;
4568
	case HCI_LK_AUTH_COMBINATION_P192:
4569
		conn->pending_sec_level = BT_SECURITY_HIGH;
4570
		break;
4571
	case HCI_LK_AUTH_COMBINATION_P256:
4572
		conn->pending_sec_level = BT_SECURITY_FIPS;
4573
		break;
4574
	}
4575
}
4576

4577
static void hci_link_key_request_evt(struct hci_dev *hdev, void *data,
4578
				     struct sk_buff *skb)
4579
{
4580
	struct hci_ev_link_key_req *ev = data;
4581
	struct hci_cp_link_key_reply cp;
4582
	struct hci_conn *conn;
4583
	struct link_key *key;
4584

4585
	bt_dev_dbg(hdev, "");
4586

4587
	if (!hci_dev_test_flag(hdev, HCI_MGMT))
4588
		return;
4589

4590
	hci_dev_lock(hdev);
4591

4592
	key = hci_find_link_key(hdev, &ev->bdaddr);
4593
	if (!key) {
4594
		bt_dev_dbg(hdev, "link key not found for %pMR", &ev->bdaddr);
4595
		goto not_found;
4596
	}
4597

4598
	bt_dev_dbg(hdev, "found key type %u for %pMR", key->type, &ev->bdaddr);
4599

4600
	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4601
	if (conn) {
4602
		clear_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4603

4604
		if ((key->type == HCI_LK_UNAUTH_COMBINATION_P192 ||
4605
		     key->type == HCI_LK_UNAUTH_COMBINATION_P256) &&
4606
		    conn->auth_type != 0xff && (conn->auth_type & 0x01)) {
4607
			bt_dev_dbg(hdev, "ignoring unauthenticated key");
4608
			goto not_found;
4609
		}
4610

4611
		if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
4612
		    (conn->pending_sec_level == BT_SECURITY_HIGH ||
4613
		     conn->pending_sec_level == BT_SECURITY_FIPS)) {
4614
			bt_dev_dbg(hdev, "ignoring key unauthenticated for high security");
4615
			goto not_found;
4616
		}
4617

4618
		conn_set_key(conn, key->type, key->pin_len);
4619
	}
4620

4621
	bacpy(&cp.bdaddr, &ev->bdaddr);
4622
	memcpy(cp.link_key, key->val, HCI_LINK_KEY_SIZE);
4623

4624
	hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
4625

4626
	hci_dev_unlock(hdev);
4627

4628
	return;
4629

4630
not_found:
4631
	hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
4632
	hci_dev_unlock(hdev);
4633
}
4634

4635
static void hci_link_key_notify_evt(struct hci_dev *hdev, void *data,
4636
				    struct sk_buff *skb)
4637
{
4638
	struct hci_ev_link_key_notify *ev = data;
4639
	struct hci_conn *conn;
4640
	struct link_key *key;
4641
	bool persistent;
4642
	u8 pin_len = 0;
4643

4644
	bt_dev_dbg(hdev, "");
4645

4646
	hci_dev_lock(hdev);
4647

4648
	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
4649
	if (!conn)
4650
		goto unlock;
4651

4652
	/* Ignore NULL link key against CVE-2020-26555 */
4653
	if (!crypto_memneq(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) {
4654
		bt_dev_dbg(hdev, "Ignore NULL link key (ZERO KEY) for %pMR",
4655
			   &ev->bdaddr);
4656
		hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
4657
		hci_conn_drop(conn);
4658
		goto unlock;
4659
	}
4660

4661
	hci_conn_hold(conn);
4662
	conn->disc_timeout = HCI_DISCONN_TIMEOUT;
4663
	hci_conn_drop(conn);
4664

4665
	set_bit(HCI_CONN_NEW_LINK_KEY, &conn->flags);
4666
	conn_set_key(conn, ev->key_type, conn->pin_length);
4667

4668
	if (!hci_dev_test_flag(hdev, HCI_MGMT))
4669
		goto unlock;
4670

4671
	key = hci_add_link_key(hdev, conn, &ev->bdaddr, ev->link_key,
4672
			        ev->key_type, pin_len, &persistent);
4673
	if (!key)
4674
		goto unlock;
4675

4676
	/* Update connection information since adding the key will have
4677
	 * fixed up the type in the case of changed combination keys.
4678
	 */
4679
	if (ev->key_type == HCI_LK_CHANGED_COMBINATION)
4680
		conn_set_key(conn, key->type, key->pin_len);
4681

4682
	mgmt_new_link_key(hdev, key, persistent);
4683

4684
	/* Keep debug keys around only if the HCI_KEEP_DEBUG_KEYS flag
4685
	 * is set. If it's not set simply remove the key from the kernel
4686
	 * list (we've still notified user space about it but with
4687
	 * store_hint being 0).
4688
	 */
4689
	if (key->type == HCI_LK_DEBUG_COMBINATION &&
4690
	    !hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS)) {
4691
		list_del_rcu(&key->list);
4692
		kfree_rcu(key, rcu);
4693
		goto unlock;
4694
	}
4695

4696
	if (persistent)
4697
		clear_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4698
	else
4699
		set_bit(HCI_CONN_FLUSH_KEY, &conn->flags);
4700

4701
unlock:
4702
	hci_dev_unlock(hdev);
4703
}
4704

4705
static void hci_clock_offset_evt(struct hci_dev *hdev, void *data,
4706
				 struct sk_buff *skb)
4707
{
4708
	struct hci_ev_clock_offset *ev = data;
4709
	struct hci_conn *conn;
4710

4711
	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4712

4713
	hci_dev_lock(hdev);
4714

4715
	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4716
	if (conn && !ev->status) {
4717
		struct inquiry_entry *ie;
4718

4719
		ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
4720
		if (ie) {
4721
			ie->data.clock_offset = ev->clock_offset;
4722
			ie->timestamp = jiffies;
4723
		}
4724
	}
4725

4726
	hci_dev_unlock(hdev);
4727
}
4728

4729
static void hci_pkt_type_change_evt(struct hci_dev *hdev, void *data,
4730
				    struct sk_buff *skb)
4731
{
4732
	struct hci_ev_pkt_type_change *ev = data;
4733
	struct hci_conn *conn;
4734

4735
	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4736

4737
	hci_dev_lock(hdev);
4738

4739
	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4740
	if (conn && !ev->status)
4741
		conn->pkt_type = __le16_to_cpu(ev->pkt_type);
4742

4743
	hci_dev_unlock(hdev);
4744
}
4745

4746
static void hci_pscan_rep_mode_evt(struct hci_dev *hdev, void *data,
4747
				   struct sk_buff *skb)
4748
{
4749
	struct hci_ev_pscan_rep_mode *ev = data;
4750
	struct inquiry_entry *ie;
4751

4752
	bt_dev_dbg(hdev, "");
4753

4754
	hci_dev_lock(hdev);
4755

4756
	ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
4757
	if (ie) {
4758
		ie->data.pscan_rep_mode = ev->pscan_rep_mode;
4759
		ie->timestamp = jiffies;
4760
	}
4761

4762
	hci_dev_unlock(hdev);
4763
}
4764

4765
static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, void *edata,
4766
					     struct sk_buff *skb)
4767
{
4768
	struct hci_ev_inquiry_result_rssi *ev = edata;
4769
	struct inquiry_data data;
4770
	int i;
4771

4772
	bt_dev_dbg(hdev, "num_rsp %d", ev->num);
4773

4774
	if (!ev->num)
4775
		return;
4776

4777
	if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
4778
		return;
4779

4780
	hci_dev_lock(hdev);
4781

4782
	if (skb->len == array_size(ev->num,
4783
				   sizeof(struct inquiry_info_rssi_pscan))) {
4784
		struct inquiry_info_rssi_pscan *info;
4785

4786
		for (i = 0; i < ev->num; i++) {
4787
			u32 flags;
4788

4789
			info = hci_ev_skb_pull(hdev, skb,
4790
					       HCI_EV_INQUIRY_RESULT_WITH_RSSI,
4791
					       sizeof(*info));
4792
			if (!info) {
4793
				bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
4794
					   HCI_EV_INQUIRY_RESULT_WITH_RSSI);
4795
				goto unlock;
4796
			}
4797

4798
			bacpy(&data.bdaddr, &info->bdaddr);
4799
			data.pscan_rep_mode	= info->pscan_rep_mode;
4800
			data.pscan_period_mode	= info->pscan_period_mode;
4801
			data.pscan_mode		= info->pscan_mode;
4802
			memcpy(data.dev_class, info->dev_class, 3);
4803
			data.clock_offset	= info->clock_offset;
4804
			data.rssi		= info->rssi;
4805
			data.ssp_mode		= 0x00;
4806

4807
			flags = hci_inquiry_cache_update(hdev, &data, false);
4808

4809
			mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4810
					  info->dev_class, info->rssi,
4811
					  flags, NULL, 0, NULL, 0, 0);
4812
		}
4813
	} else if (skb->len == array_size(ev->num,
4814
					  sizeof(struct inquiry_info_rssi))) {
4815
		struct inquiry_info_rssi *info;
4816

4817
		for (i = 0; i < ev->num; i++) {
4818
			u32 flags;
4819

4820
			info = hci_ev_skb_pull(hdev, skb,
4821
					       HCI_EV_INQUIRY_RESULT_WITH_RSSI,
4822
					       sizeof(*info));
4823
			if (!info) {
4824
				bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
4825
					   HCI_EV_INQUIRY_RESULT_WITH_RSSI);
4826
				goto unlock;
4827
			}
4828

4829
			bacpy(&data.bdaddr, &info->bdaddr);
4830
			data.pscan_rep_mode	= info->pscan_rep_mode;
4831
			data.pscan_period_mode	= info->pscan_period_mode;
4832
			data.pscan_mode		= 0x00;
4833
			memcpy(data.dev_class, info->dev_class, 3);
4834
			data.clock_offset	= info->clock_offset;
4835
			data.rssi		= info->rssi;
4836
			data.ssp_mode		= 0x00;
4837

4838
			flags = hci_inquiry_cache_update(hdev, &data, false);
4839

4840
			mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
4841
					  info->dev_class, info->rssi,
4842
					  flags, NULL, 0, NULL, 0, 0);
4843
		}
4844
	} else {
4845
		bt_dev_err(hdev, "Malformed HCI Event: 0x%2.2x",
4846
			   HCI_EV_INQUIRY_RESULT_WITH_RSSI);
4847
	}
4848
unlock:
4849
	hci_dev_unlock(hdev);
4850
}
4851

4852
static void hci_remote_ext_features_evt(struct hci_dev *hdev, void *data,
4853
					struct sk_buff *skb)
4854
{
4855
	struct hci_ev_remote_ext_features *ev = data;
4856
	struct hci_conn *conn;
4857

4858
	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
4859

4860
	hci_dev_lock(hdev);
4861

4862
	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
4863
	if (!conn)
4864
		goto unlock;
4865

4866
	if (ev->page < HCI_MAX_PAGES)
4867
		memcpy(conn->features[ev->page], ev->features, 8);
4868

4869
	if (!ev->status && ev->page == 0x01) {
4870
		struct inquiry_entry *ie;
4871

4872
		ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
4873
		if (ie)
4874
			ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
4875

4876
		if (ev->features[0] & LMP_HOST_SSP) {
4877
			set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
4878
		} else {
4879
			/* It is mandatory by the Bluetooth specification that
4880
			 * Extended Inquiry Results are only used when Secure
4881
			 * Simple Pairing is enabled, but some devices violate
4882
			 * this.
4883
			 *
4884
			 * To make these devices work, the internal SSP
4885
			 * enabled flag needs to be cleared if the remote host
4886
			 * features do not indicate SSP support */
4887
			clear_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
4888
		}
4889

4890
		if (ev->features[0] & LMP_HOST_SC)
4891
			set_bit(HCI_CONN_SC_ENABLED, &conn->flags);
4892
	}
4893

4894
	if (conn->state != BT_CONFIG)
4895
		goto unlock;
4896

4897
	if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
4898
		struct hci_cp_remote_name_req cp;
4899
		memset(&cp, 0, sizeof(cp));
4900
		bacpy(&cp.bdaddr, &conn->dst);
4901
		cp.pscan_rep_mode = 0x02;
4902
		hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ, sizeof(cp), &cp);
4903
	} else {
4904
		mgmt_device_connected(hdev, conn, NULL, 0);
4905
	}
4906

4907
	if (!hci_outgoing_auth_needed(hdev, conn)) {
4908
		conn->state = BT_CONNECTED;
4909
		hci_connect_cfm(conn, ev->status);
4910
		hci_conn_drop(conn);
4911
	}
4912

4913
unlock:
4914
	hci_dev_unlock(hdev);
4915
}
4916

4917
static void hci_sync_conn_complete_evt(struct hci_dev *hdev, void *data,
4918
				       struct sk_buff *skb)
4919
{
4920
	struct hci_ev_sync_conn_complete *ev = data;
4921
	struct hci_conn *conn;
4922
	u8 status = ev->status;
4923

4924
	switch (ev->link_type) {
4925
	case SCO_LINK:
4926
	case ESCO_LINK:
4927
		break;
4928
	default:
4929
		/* As per Core 5.3 Vol 4 Part E 7.7.35 (p.2219), Link_Type
4930
		 * for HCI_Synchronous_Connection_Complete is limited to
4931
		 * either SCO or eSCO
4932
		 */
4933
		bt_dev_err(hdev, "Ignoring connect complete event for invalid link type");
4934
		return;
4935
	}
4936

4937
	bt_dev_dbg(hdev, "status 0x%2.2x", status);
4938

4939
	hci_dev_lock(hdev);
4940

4941
	conn = hci_conn_hash_lookup_ba(hdev, ev->link_type, &ev->bdaddr);
4942
	if (!conn) {
4943
		if (ev->link_type == ESCO_LINK)
4944
			goto unlock;
4945

4946
		/* When the link type in the event indicates SCO connection
4947
		 * and lookup of the connection object fails, then check
4948
		 * if an eSCO connection object exists.
4949
		 *
4950
		 * The core limits the synchronous connections to either
4951
		 * SCO or eSCO. The eSCO connection is preferred and tried
4952
		 * to be setup first and until successfully established,
4953
		 * the link type will be hinted as eSCO.
4954
		 */
4955
		conn = hci_conn_hash_lookup_ba(hdev, ESCO_LINK, &ev->bdaddr);
4956
		if (!conn)
4957
			goto unlock;
4958
	}
4959

4960
	/* The HCI_Synchronous_Connection_Complete event is only sent once per connection.
4961
	 * Processing it more than once per connection can corrupt kernel memory.
4962
	 *
4963
	 * As the connection handle is set here for the first time, it indicates
4964
	 * whether the connection is already set up.
4965
	 */
4966
	if (!HCI_CONN_HANDLE_UNSET(conn->handle)) {
4967
		bt_dev_err(hdev, "Ignoring HCI_Sync_Conn_Complete event for existing connection");
4968
		goto unlock;
4969
	}
4970

4971
	switch (status) {
4972
	case 0x00:
4973
		status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle));
4974
		if (status) {
4975
			conn->state = BT_CLOSED;
4976
			break;
4977
		}
4978

4979
		conn->state  = BT_CONNECTED;
4980
		conn->type   = ev->link_type;
4981

4982
		hci_debugfs_create_conn(conn);
4983
		hci_conn_add_sysfs(conn);
4984
		break;
4985

4986
	case 0x10:	/* Connection Accept Timeout */
4987
	case 0x0d:	/* Connection Rejected due to Limited Resources */
4988
	case 0x11:	/* Unsupported Feature or Parameter Value */
4989
	case 0x1c:	/* SCO interval rejected */
4990
	case 0x1a:	/* Unsupported Remote Feature */
4991
	case 0x1e:	/* Invalid LMP Parameters */
4992
	case 0x1f:	/* Unspecified error */
4993
	case 0x20:	/* Unsupported LMP Parameter value */
4994
		if (conn->out) {
4995
			conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
4996
					(hdev->esco_type & EDR_ESCO_MASK);
4997
			if (hci_setup_sync(conn, conn->parent->handle))
4998
				goto unlock;
4999
		}
5000
		fallthrough;
5001

5002
	default:
5003
		conn->state = BT_CLOSED;
5004
		break;
5005
	}
5006

5007
	bt_dev_dbg(hdev, "SCO connected with air mode: %02x", ev->air_mode);
5008
	/* Notify only in case of SCO over HCI transport data path which
5009
	 * is zero and non-zero value shall be non-HCI transport data path
5010
	 */
5011
	if (conn->codec.data_path == 0 && hdev->notify) {
5012
		switch (ev->air_mode) {
5013
		case 0x02:
5014
			hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
5015
			break;
5016
		case 0x03:
5017
			hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_TRANSP);
5018
			break;
5019
		}
5020
	}
5021

5022
	hci_connect_cfm(conn, status);
5023
	if (status)
5024
		hci_conn_del(conn);
5025

5026
unlock:
5027
	hci_dev_unlock(hdev);
5028
}
5029

5030
static inline size_t eir_get_length(u8 *eir, size_t eir_len)
5031
{
5032
	size_t parsed = 0;
5033

5034
	while (parsed < eir_len) {
5035
		u8 field_len = eir[0];
5036

5037
		if (field_len == 0)
5038
			return parsed;
5039

5040
		parsed += field_len + 1;
5041
		eir += field_len + 1;
5042
	}
5043

5044
	return eir_len;
5045
}
5046

5047
static void hci_extended_inquiry_result_evt(struct hci_dev *hdev, void *edata,
5048
					    struct sk_buff *skb)
5049
{
5050
	struct hci_ev_ext_inquiry_result *ev = edata;
5051
	struct inquiry_data data;
5052
	size_t eir_len;
5053
	int i;
5054

5055
	if (!hci_ev_skb_pull(hdev, skb, HCI_EV_EXTENDED_INQUIRY_RESULT,
5056
			     flex_array_size(ev, info, ev->num)))
5057
		return;
5058

5059
	bt_dev_dbg(hdev, "num %d", ev->num);
5060

5061
	if (!ev->num)
5062
		return;
5063

5064
	if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
5065
		return;
5066

5067
	hci_dev_lock(hdev);
5068

5069
	for (i = 0; i < ev->num; i++) {
5070
		struct extended_inquiry_info *info = &ev->info[i];
5071
		u32 flags;
5072
		bool name_known;
5073

5074
		bacpy(&data.bdaddr, &info->bdaddr);
5075
		data.pscan_rep_mode	= info->pscan_rep_mode;
5076
		data.pscan_period_mode	= info->pscan_period_mode;
5077
		data.pscan_mode		= 0x00;
5078
		memcpy(data.dev_class, info->dev_class, 3);
5079
		data.clock_offset	= info->clock_offset;
5080
		data.rssi		= info->rssi;
5081
		data.ssp_mode		= 0x01;
5082

5083
		if (hci_dev_test_flag(hdev, HCI_MGMT))
5084
			name_known = eir_get_data(info->data,
5085
						  sizeof(info->data),
5086
						  EIR_NAME_COMPLETE, NULL);
5087
		else
5088
			name_known = true;
5089

5090
		flags = hci_inquiry_cache_update(hdev, &data, name_known);
5091

5092
		eir_len = eir_get_length(info->data, sizeof(info->data));
5093

5094
		mgmt_device_found(hdev, &info->bdaddr, ACL_LINK, 0x00,
5095
				  info->dev_class, info->rssi,
5096
				  flags, info->data, eir_len, NULL, 0, 0);
5097
	}
5098

5099
	hci_dev_unlock(hdev);
5100
}
5101

5102
static void hci_key_refresh_complete_evt(struct hci_dev *hdev, void *data,
5103
					 struct sk_buff *skb)
5104
{
5105
	struct hci_ev_key_refresh_complete *ev = data;
5106
	struct hci_conn *conn;
5107

5108
	bt_dev_dbg(hdev, "status 0x%2.2x handle 0x%4.4x", ev->status,
5109
		   __le16_to_cpu(ev->handle));
5110

5111
	hci_dev_lock(hdev);
5112

5113
	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5114
	if (!conn)
5115
		goto unlock;
5116

5117
	/* For BR/EDR the necessary steps are taken through the
5118
	 * auth_complete event.
5119
	 */
5120
	if (conn->type != LE_LINK)
5121
		goto unlock;
5122

5123
	if (!ev->status)
5124
		conn->sec_level = conn->pending_sec_level;
5125

5126
	clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
5127

5128
	if (ev->status && conn->state == BT_CONNECTED) {
5129
		hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
5130
		hci_conn_drop(conn);
5131
		goto unlock;
5132
	}
5133

5134
	if (conn->state == BT_CONFIG) {
5135
		if (!ev->status)
5136
			conn->state = BT_CONNECTED;
5137

5138
		hci_connect_cfm(conn, ev->status);
5139
		hci_conn_drop(conn);
5140
	} else {
5141
		hci_auth_cfm(conn, ev->status);
5142

5143
		hci_conn_hold(conn);
5144
		conn->disc_timeout = HCI_DISCONN_TIMEOUT;
5145
		hci_conn_drop(conn);
5146
	}
5147

5148
unlock:
5149
	hci_dev_unlock(hdev);
5150
}
5151

5152
static u8 hci_get_auth_req(struct hci_conn *conn)
5153
{
5154
	/* If remote requests no-bonding follow that lead */
5155
	if (conn->remote_auth == HCI_AT_NO_BONDING ||
5156
	    conn->remote_auth == HCI_AT_NO_BONDING_MITM)
5157
		return conn->remote_auth | (conn->auth_type & 0x01);
5158

5159
	/* If both remote and local have enough IO capabilities, require
5160
	 * MITM protection
5161
	 */
5162
	if (conn->remote_cap != HCI_IO_NO_INPUT_OUTPUT &&
5163
	    conn->io_capability != HCI_IO_NO_INPUT_OUTPUT)
5164
		return conn->remote_auth | 0x01;
5165

5166
	/* No MITM protection possible so ignore remote requirement */
5167
	return (conn->remote_auth & ~0x01) | (conn->auth_type & 0x01);
5168
}
5169

5170
static u8 bredr_oob_data_present(struct hci_conn *conn)
5171
{
5172
	struct hci_dev *hdev = conn->hdev;
5173
	struct oob_data *data;
5174

5175
	data = hci_find_remote_oob_data(hdev, &conn->dst, BDADDR_BREDR);
5176
	if (!data)
5177
		return 0x00;
5178

5179
	if (bredr_sc_enabled(hdev)) {
5180
		/* When Secure Connections is enabled, then just
5181
		 * return the present value stored with the OOB
5182
		 * data. The stored value contains the right present
5183
		 * information. However it can only be trusted when
5184
		 * not in Secure Connection Only mode.
5185
		 */
5186
		if (!hci_dev_test_flag(hdev, HCI_SC_ONLY))
5187
			return data->present;
5188

5189
		/* When Secure Connections Only mode is enabled, then
5190
		 * the P-256 values are required. If they are not
5191
		 * available, then do not declare that OOB data is
5192
		 * present.
5193
		 */
5194
		if (!crypto_memneq(data->rand256, ZERO_KEY, 16) ||
5195
		    !crypto_memneq(data->hash256, ZERO_KEY, 16))
5196
			return 0x00;
5197

5198
		return 0x02;
5199
	}
5200

5201
	/* When Secure Connections is not enabled or actually
5202
	 * not supported by the hardware, then check that if
5203
	 * P-192 data values are present.
5204
	 */
5205
	if (!crypto_memneq(data->rand192, ZERO_KEY, 16) ||
5206
	    !crypto_memneq(data->hash192, ZERO_KEY, 16))
5207
		return 0x00;
5208

5209
	return 0x01;
5210
}
5211

5212
static void hci_io_capa_request_evt(struct hci_dev *hdev, void *data,
5213
				    struct sk_buff *skb)
5214
{
5215
	struct hci_ev_io_capa_request *ev = data;
5216
	struct hci_conn *conn;
5217

5218
	bt_dev_dbg(hdev, "");
5219

5220
	hci_dev_lock(hdev);
5221

5222
	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5223
	if (!conn || !hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
5224
		goto unlock;
5225

5226
	/* Assume remote supports SSP since it has triggered this event */
5227
	set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
5228

5229
	hci_conn_hold(conn);
5230

5231
	if (!hci_dev_test_flag(hdev, HCI_MGMT))
5232
		goto unlock;
5233

5234
	/* Allow pairing if we're pairable, the initiators of the
5235
	 * pairing or if the remote is not requesting bonding.
5236
	 */
5237
	if (hci_dev_test_flag(hdev, HCI_BONDABLE) ||
5238
	    test_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags) ||
5239
	    (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
5240
		struct hci_cp_io_capability_reply cp;
5241

5242
		bacpy(&cp.bdaddr, &ev->bdaddr);
5243
		/* Change the IO capability from KeyboardDisplay
5244
		 * to DisplayYesNo as it is not supported by BT spec. */
5245
		cp.capability = (conn->io_capability == 0x04) ?
5246
				HCI_IO_DISPLAY_YESNO : conn->io_capability;
5247

5248
		/* If we are initiators, there is no remote information yet */
5249
		if (conn->remote_auth == 0xff) {
5250
			/* Request MITM protection if our IO caps allow it
5251
			 * except for the no-bonding case.
5252
			 */
5253
			if (conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
5254
			    conn->auth_type != HCI_AT_NO_BONDING)
5255
				conn->auth_type |= 0x01;
5256
		} else {
5257
			conn->auth_type = hci_get_auth_req(conn);
5258
		}
5259

5260
		/* If we're not bondable, force one of the non-bondable
5261
		 * authentication requirement values.
5262
		 */
5263
		if (!hci_dev_test_flag(hdev, HCI_BONDABLE))
5264
			conn->auth_type &= HCI_AT_NO_BONDING_MITM;
5265

5266
		cp.authentication = conn->auth_type;
5267
		cp.oob_data = bredr_oob_data_present(conn);
5268

5269
		hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
5270
			     sizeof(cp), &cp);
5271
	} else {
5272
		struct hci_cp_io_capability_neg_reply cp;
5273

5274
		bacpy(&cp.bdaddr, &ev->bdaddr);
5275
		cp.reason = HCI_ERROR_PAIRING_NOT_ALLOWED;
5276

5277
		hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
5278
			     sizeof(cp), &cp);
5279
	}
5280

5281
unlock:
5282
	hci_dev_unlock(hdev);
5283
}
5284

5285
static void hci_io_capa_reply_evt(struct hci_dev *hdev, void *data,
5286
				  struct sk_buff *skb)
5287
{
5288
	struct hci_ev_io_capa_reply *ev = data;
5289
	struct hci_conn *conn;
5290

5291
	bt_dev_dbg(hdev, "");
5292

5293
	hci_dev_lock(hdev);
5294

5295
	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5296
	if (!conn)
5297
		goto unlock;
5298

5299
	conn->remote_cap = ev->capability;
5300
	conn->remote_auth = ev->authentication;
5301

5302
unlock:
5303
	hci_dev_unlock(hdev);
5304
}
5305

5306
static void hci_user_confirm_request_evt(struct hci_dev *hdev, void *data,
5307
					 struct sk_buff *skb)
5308
{
5309
	struct hci_ev_user_confirm_req *ev = data;
5310
	int loc_mitm, rem_mitm, confirm_hint = 0;
5311
	struct hci_conn *conn;
5312

5313
	bt_dev_dbg(hdev, "");
5314

5315
	hci_dev_lock(hdev);
5316

5317
	if (!hci_dev_test_flag(hdev, HCI_MGMT))
5318
		goto unlock;
5319

5320
	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5321
	if (!conn)
5322
		goto unlock;
5323

5324
	loc_mitm = (conn->auth_type & 0x01);
5325
	rem_mitm = (conn->remote_auth & 0x01);
5326

5327
	/* If we require MITM but the remote device can't provide that
5328
	 * (it has NoInputNoOutput) then reject the confirmation
5329
	 * request. We check the security level here since it doesn't
5330
	 * necessarily match conn->auth_type.
5331
	 */
5332
	if (conn->pending_sec_level > BT_SECURITY_MEDIUM &&
5333
	    conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) {
5334
		bt_dev_dbg(hdev, "Rejecting request: remote device can't provide MITM");
5335
		hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
5336
			     sizeof(ev->bdaddr), &ev->bdaddr);
5337
		goto unlock;
5338
	}
5339

5340
	/* If no side requires MITM protection; use JUST_CFM method */
5341
	if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
5342
	    (!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
5343

5344
		/* If we're not the initiator of request authorization and the
5345
		 * local IO capability is not NoInputNoOutput, use JUST_WORKS
5346
		 * method (mgmt_user_confirm with confirm_hint set to 1).
5347
		 */
5348
		if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
5349
		    conn->io_capability != HCI_IO_NO_INPUT_OUTPUT) {
5350
			bt_dev_dbg(hdev, "Confirming auto-accept as acceptor");
5351
			confirm_hint = 1;
5352
			goto confirm;
5353
		}
5354

5355
		/* If there already exists link key in local host, leave the
5356
		 * decision to user space since the remote device could be
5357
		 * legitimate or malicious.
5358
		 */
5359
		if (hci_find_link_key(hdev, &ev->bdaddr)) {
5360
			bt_dev_dbg(hdev, "Local host already has link key");
5361
			confirm_hint = 1;
5362
			goto confirm;
5363
		}
5364

5365
		BT_DBG("Auto-accept of user confirmation with %ums delay",
5366
		       hdev->auto_accept_delay);
5367

5368
		if (hdev->auto_accept_delay > 0) {
5369
			int delay = msecs_to_jiffies(hdev->auto_accept_delay);
5370
			queue_delayed_work(conn->hdev->workqueue,
5371
					   &conn->auto_accept_work, delay);
5372
			goto unlock;
5373
		}
5374

5375
		hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
5376
			     sizeof(ev->bdaddr), &ev->bdaddr);
5377
		goto unlock;
5378
	}
5379

5380
confirm:
5381
	mgmt_user_confirm_request(hdev, &ev->bdaddr, ACL_LINK, 0,
5382
				  le32_to_cpu(ev->passkey), confirm_hint);
5383

5384
unlock:
5385
	hci_dev_unlock(hdev);
5386
}
5387

5388
static void hci_user_passkey_request_evt(struct hci_dev *hdev, void *data,
5389
					 struct sk_buff *skb)
5390
{
5391
	struct hci_ev_user_passkey_req *ev = data;
5392

5393
	bt_dev_dbg(hdev, "");
5394

5395
	if (hci_dev_test_flag(hdev, HCI_MGMT))
5396
		mgmt_user_passkey_request(hdev, &ev->bdaddr, ACL_LINK, 0);
5397
}
5398

5399
static void hci_user_passkey_notify_evt(struct hci_dev *hdev, void *data,
5400
					struct sk_buff *skb)
5401
{
5402
	struct hci_ev_user_passkey_notify *ev = data;
5403
	struct hci_conn *conn;
5404

5405
	bt_dev_dbg(hdev, "");
5406

5407
	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5408
	if (!conn)
5409
		return;
5410

5411
	conn->passkey_notify = __le32_to_cpu(ev->passkey);
5412
	conn->passkey_entered = 0;
5413

5414
	if (hci_dev_test_flag(hdev, HCI_MGMT))
5415
		mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
5416
					 conn->dst_type, conn->passkey_notify,
5417
					 conn->passkey_entered);
5418
}
5419

5420
static void hci_keypress_notify_evt(struct hci_dev *hdev, void *data,
5421
				    struct sk_buff *skb)
5422
{
5423
	struct hci_ev_keypress_notify *ev = data;
5424
	struct hci_conn *conn;
5425

5426
	bt_dev_dbg(hdev, "");
5427

5428
	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5429
	if (!conn)
5430
		return;
5431

5432
	switch (ev->type) {
5433
	case HCI_KEYPRESS_STARTED:
5434
		conn->passkey_entered = 0;
5435
		return;
5436

5437
	case HCI_KEYPRESS_ENTERED:
5438
		conn->passkey_entered++;
5439
		break;
5440

5441
	case HCI_KEYPRESS_ERASED:
5442
		conn->passkey_entered--;
5443
		break;
5444

5445
	case HCI_KEYPRESS_CLEARED:
5446
		conn->passkey_entered = 0;
5447
		break;
5448

5449
	case HCI_KEYPRESS_COMPLETED:
5450
		return;
5451
	}
5452

5453
	if (hci_dev_test_flag(hdev, HCI_MGMT))
5454
		mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
5455
					 conn->dst_type, conn->passkey_notify,
5456
					 conn->passkey_entered);
5457
}
5458

5459
static void hci_simple_pair_complete_evt(struct hci_dev *hdev, void *data,
5460
					 struct sk_buff *skb)
5461
{
5462
	struct hci_ev_simple_pair_complete *ev = data;
5463
	struct hci_conn *conn;
5464

5465
	bt_dev_dbg(hdev, "");
5466

5467
	hci_dev_lock(hdev);
5468

5469
	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5470
	if (!conn || !hci_conn_ssp_enabled(conn))
5471
		goto unlock;
5472

5473
	/* Reset the authentication requirement to unknown */
5474
	conn->remote_auth = 0xff;
5475

5476
	/* To avoid duplicate auth_failed events to user space we check
5477
	 * the HCI_CONN_AUTH_PEND flag which will be set if we
5478
	 * initiated the authentication. A traditional auth_complete
5479
	 * event gets always produced as initiator and is also mapped to
5480
	 * the mgmt_auth_failed event */
5481
	if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) && ev->status)
5482
		mgmt_auth_failed(conn, ev->status);
5483

5484
	hci_conn_drop(conn);
5485

5486
unlock:
5487
	hci_dev_unlock(hdev);
5488
}
5489

5490
static void hci_remote_host_features_evt(struct hci_dev *hdev, void *data,
5491
					 struct sk_buff *skb)
5492
{
5493
	struct hci_ev_remote_host_features *ev = data;
5494
	struct inquiry_entry *ie;
5495
	struct hci_conn *conn;
5496

5497
	bt_dev_dbg(hdev, "");
5498

5499
	hci_dev_lock(hdev);
5500

5501
	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
5502
	if (conn)
5503
		memcpy(conn->features[1], ev->features, 8);
5504

5505
	ie = hci_inquiry_cache_lookup(hdev, &ev->bdaddr);
5506
	if (ie)
5507
		ie->data.ssp_mode = (ev->features[0] & LMP_HOST_SSP);
5508

5509
	hci_dev_unlock(hdev);
5510
}
5511

5512
static void hci_remote_oob_data_request_evt(struct hci_dev *hdev, void *edata,
5513
					    struct sk_buff *skb)
5514
{
5515
	struct hci_ev_remote_oob_data_request *ev = edata;
5516
	struct oob_data *data;
5517

5518
	bt_dev_dbg(hdev, "");
5519

5520
	hci_dev_lock(hdev);
5521

5522
	if (!hci_dev_test_flag(hdev, HCI_MGMT))
5523
		goto unlock;
5524

5525
	data = hci_find_remote_oob_data(hdev, &ev->bdaddr, BDADDR_BREDR);
5526
	if (!data) {
5527
		struct hci_cp_remote_oob_data_neg_reply cp;
5528

5529
		bacpy(&cp.bdaddr, &ev->bdaddr);
5530
		hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY,
5531
			     sizeof(cp), &cp);
5532
		goto unlock;
5533
	}
5534

5535
	if (bredr_sc_enabled(hdev)) {
5536
		struct hci_cp_remote_oob_ext_data_reply cp;
5537

5538
		bacpy(&cp.bdaddr, &ev->bdaddr);
5539
		if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
5540
			memset(cp.hash192, 0, sizeof(cp.hash192));
5541
			memset(cp.rand192, 0, sizeof(cp.rand192));
5542
		} else {
5543
			memcpy(cp.hash192, data->hash192, sizeof(cp.hash192));
5544
			memcpy(cp.rand192, data->rand192, sizeof(cp.rand192));
5545
		}
5546
		memcpy(cp.hash256, data->hash256, sizeof(cp.hash256));
5547
		memcpy(cp.rand256, data->rand256, sizeof(cp.rand256));
5548

5549
		hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_EXT_DATA_REPLY,
5550
			     sizeof(cp), &cp);
5551
	} else {
5552
		struct hci_cp_remote_oob_data_reply cp;
5553

5554
		bacpy(&cp.bdaddr, &ev->bdaddr);
5555
		memcpy(cp.hash, data->hash192, sizeof(cp.hash));
5556
		memcpy(cp.rand, data->rand192, sizeof(cp.rand));
5557

5558
		hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY,
5559
			     sizeof(cp), &cp);
5560
	}
5561

5562
unlock:
5563
	hci_dev_unlock(hdev);
5564
}
5565

5566
static void le_conn_update_addr(struct hci_conn *conn, bdaddr_t *bdaddr,
5567
				u8 bdaddr_type, bdaddr_t *local_rpa)
5568
{
5569
	if (conn->out) {
5570
		conn->dst_type = bdaddr_type;
5571
		conn->resp_addr_type = bdaddr_type;
5572
		bacpy(&conn->resp_addr, bdaddr);
5573

5574
		/* Check if the controller has set a Local RPA then it must be
5575
		 * used instead or hdev->rpa.
5576
		 */
5577
		if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) {
5578
			conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5579
			bacpy(&conn->init_addr, local_rpa);
5580
		} else if (hci_dev_test_flag(conn->hdev, HCI_PRIVACY)) {
5581
			conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5582
			bacpy(&conn->init_addr, &conn->hdev->rpa);
5583
		} else {
5584
			hci_copy_identity_address(conn->hdev, &conn->init_addr,
5585
						  &conn->init_addr_type);
5586
		}
5587
	} else {
5588
		conn->resp_addr_type = conn->hdev->adv_addr_type;
5589
		/* Check if the controller has set a Local RPA then it must be
5590
		 * used instead or hdev->rpa.
5591
		 */
5592
		if (local_rpa && bacmp(local_rpa, BDADDR_ANY)) {
5593
			conn->resp_addr_type = ADDR_LE_DEV_RANDOM;
5594
			bacpy(&conn->resp_addr, local_rpa);
5595
		} else if (conn->hdev->adv_addr_type == ADDR_LE_DEV_RANDOM) {
5596
			/* In case of ext adv, resp_addr will be updated in
5597
			 * Adv Terminated event.
5598
			 */
5599
			if (!ext_adv_capable(conn->hdev))
5600
				bacpy(&conn->resp_addr,
5601
				      &conn->hdev->random_addr);
5602
		} else {
5603
			bacpy(&conn->resp_addr, &conn->hdev->bdaddr);
5604
		}
5605

5606
		conn->init_addr_type = bdaddr_type;
5607
		bacpy(&conn->init_addr, bdaddr);
5608

5609
		/* For incoming connections, set the default minimum
5610
		 * and maximum connection interval. They will be used
5611
		 * to check if the parameters are in range and if not
5612
		 * trigger the connection update procedure.
5613
		 */
5614
		conn->le_conn_min_interval = conn->hdev->le_conn_min_interval;
5615
		conn->le_conn_max_interval = conn->hdev->le_conn_max_interval;
5616
	}
5617
}
5618

5619
static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
5620
				 bdaddr_t *bdaddr, u8 bdaddr_type,
5621
				 bdaddr_t *local_rpa, u8 role, u16 handle,
5622
				 u16 interval, u16 latency,
5623
				 u16 supervision_timeout)
5624
{
5625
	struct hci_conn_params *params;
5626
	struct hci_conn *conn;
5627
	struct smp_irk *irk;
5628
	u8 addr_type;
5629

5630
	hci_dev_lock(hdev);
5631

5632
	/* All controllers implicitly stop advertising in the event of a
5633
	 * connection, so ensure that the state bit is cleared.
5634
	 */
5635
	hci_dev_clear_flag(hdev, HCI_LE_ADV);
5636

5637
	conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, bdaddr);
5638
	if (!conn) {
5639
		/* In case of error status and there is no connection pending
5640
		 * just unlock as there is nothing to cleanup.
5641
		 */
5642
		if (status)
5643
			goto unlock;
5644

5645
		conn = hci_conn_add_unset(hdev, LE_LINK, bdaddr, role);
5646
		if (IS_ERR(conn)) {
5647
			bt_dev_err(hdev, "connection err: %ld", PTR_ERR(conn));
5648
			goto unlock;
5649
		}
5650

5651
		conn->dst_type = bdaddr_type;
5652

5653
		/* If we didn't have a hci_conn object previously
5654
		 * but we're in central role this must be something
5655
		 * initiated using an accept list. Since accept list based
5656
		 * connections are not "first class citizens" we don't
5657
		 * have full tracking of them. Therefore, we go ahead
5658
		 * with a "best effort" approach of determining the
5659
		 * initiator address based on the HCI_PRIVACY flag.
5660
		 */
5661
		if (conn->out) {
5662
			conn->resp_addr_type = bdaddr_type;
5663
			bacpy(&conn->resp_addr, bdaddr);
5664
			if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
5665
				conn->init_addr_type = ADDR_LE_DEV_RANDOM;
5666
				bacpy(&conn->init_addr, &hdev->rpa);
5667
			} else {
5668
				hci_copy_identity_address(hdev,
5669
							  &conn->init_addr,
5670
							  &conn->init_addr_type);
5671
			}
5672
		}
5673
	} else {
5674
		cancel_delayed_work(&conn->le_conn_timeout);
5675
	}
5676

5677
	/* The HCI_LE_Connection_Complete event is only sent once per connection.
5678
	 * Processing it more than once per connection can corrupt kernel memory.
5679
	 *
5680
	 * As the connection handle is set here for the first time, it indicates
5681
	 * whether the connection is already set up.
5682
	 */
5683
	if (!HCI_CONN_HANDLE_UNSET(conn->handle)) {
5684
		bt_dev_err(hdev, "Ignoring HCI_Connection_Complete for existing connection");
5685
		goto unlock;
5686
	}
5687

5688
	le_conn_update_addr(conn, bdaddr, bdaddr_type, local_rpa);
5689

5690
	/* Lookup the identity address from the stored connection
5691
	 * address and address type.
5692
	 *
5693
	 * When establishing connections to an identity address, the
5694
	 * connection procedure will store the resolvable random
5695
	 * address first. Now if it can be converted back into the
5696
	 * identity address, start using the identity address from
5697
	 * now on.
5698
	 */
5699
	irk = hci_get_irk(hdev, &conn->dst, conn->dst_type);
5700
	if (irk) {
5701
		bacpy(&conn->dst, &irk->bdaddr);
5702
		conn->dst_type = irk->addr_type;
5703
	}
5704

5705
	conn->dst_type = ev_bdaddr_type(hdev, conn->dst_type, NULL);
5706

5707
	/* All connection failure handling is taken care of by the
5708
	 * hci_conn_failed function which is triggered by the HCI
5709
	 * request completion callbacks used for connecting.
5710
	 */
5711
	if (status || hci_conn_set_handle(conn, handle))
5712
		goto unlock;
5713

5714
	/* Drop the connection if it has been aborted */
5715
	if (test_bit(HCI_CONN_CANCEL, &conn->flags)) {
5716
		hci_conn_drop(conn);
5717
		goto unlock;
5718
	}
5719

5720
	if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
5721
		addr_type = BDADDR_LE_PUBLIC;
5722
	else
5723
		addr_type = BDADDR_LE_RANDOM;
5724

5725
	/* Drop the connection if the device is blocked */
5726
	if (hci_bdaddr_list_lookup(&hdev->reject_list, &conn->dst, addr_type)) {
5727
		hci_conn_drop(conn);
5728
		goto unlock;
5729
	}
5730

5731
	mgmt_device_connected(hdev, conn, NULL, 0);
5732

5733
	conn->sec_level = BT_SECURITY_LOW;
5734
	conn->state = BT_CONFIG;
5735

5736
	/* Store current advertising instance as connection advertising instance
5737
	 * when software rotation is in use so it can be re-enabled when
5738
	 * disconnected.
5739
	 */
5740
	if (!ext_adv_capable(hdev))
5741
		conn->adv_instance = hdev->cur_adv_instance;
5742

5743
	conn->le_conn_interval = interval;
5744
	conn->le_conn_latency = latency;
5745
	conn->le_supv_timeout = supervision_timeout;
5746

5747
	hci_debugfs_create_conn(conn);
5748
	hci_conn_add_sysfs(conn);
5749

5750
	/* The remote features procedure is defined for central
5751
	 * role only. So only in case of an initiated connection
5752
	 * request the remote features.
5753
	 *
5754
	 * If the local controller supports peripheral-initiated features
5755
	 * exchange, then requesting the remote features in peripheral
5756
	 * role is possible. Otherwise just transition into the
5757
	 * connected state without requesting the remote features.
5758
	 */
5759
	if (conn->out ||
5760
	    (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES)) {
5761
		struct hci_cp_le_read_remote_features cp;
5762

5763
		cp.handle = __cpu_to_le16(conn->handle);
5764

5765
		hci_send_cmd(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,
5766
			     sizeof(cp), &cp);
5767

5768
		hci_conn_hold(conn);
5769
	} else {
5770
		conn->state = BT_CONNECTED;
5771
		hci_connect_cfm(conn, status);
5772
	}
5773

5774
	params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
5775
					   conn->dst_type);
5776
	if (params) {
5777
		hci_pend_le_list_del_init(params);
5778
		if (params->conn) {
5779
			hci_conn_drop(params->conn);
5780
			hci_conn_put(params->conn);
5781
			params->conn = NULL;
5782
		}
5783
	}
5784

5785
unlock:
5786
	hci_update_passive_scan(hdev);
5787
	hci_dev_unlock(hdev);
5788
}
5789

5790
static void hci_le_conn_complete_evt(struct hci_dev *hdev, void *data,
5791
				     struct sk_buff *skb)
5792
{
5793
	struct hci_ev_le_conn_complete *ev = data;
5794

5795
	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5796

5797
	le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
5798
			     NULL, ev->role, le16_to_cpu(ev->handle),
5799
			     le16_to_cpu(ev->interval),
5800
			     le16_to_cpu(ev->latency),
5801
			     le16_to_cpu(ev->supervision_timeout));
5802
}
5803

5804
static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev, void *data,
5805
					 struct sk_buff *skb)
5806
{
5807
	struct hci_ev_le_enh_conn_complete *ev = data;
5808

5809
	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5810

5811
	le_conn_complete_evt(hdev, ev->status, &ev->bdaddr, ev->bdaddr_type,
5812
			     &ev->local_rpa, ev->role, le16_to_cpu(ev->handle),
5813
			     le16_to_cpu(ev->interval),
5814
			     le16_to_cpu(ev->latency),
5815
			     le16_to_cpu(ev->supervision_timeout));
5816
}
5817

5818
static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, void *data,
5819
				    struct sk_buff *skb)
5820
{
5821
	struct hci_evt_le_ext_adv_set_term *ev = data;
5822
	struct hci_conn *conn;
5823
	struct adv_info *adv, *n;
5824

5825
	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5826

5827
	/* The Bluetooth Core 5.3 specification clearly states that this event
5828
	 * shall not be sent when the Host disables the advertising set. So in
5829
	 * case of HCI_ERROR_CANCELLED_BY_HOST, just ignore the event.
5830
	 *
5831
	 * When the Host disables an advertising set, all cleanup is done via
5832
	 * its command callback and not needed to be duplicated here.
5833
	 */
5834
	if (ev->status == HCI_ERROR_CANCELLED_BY_HOST) {
5835
		bt_dev_warn_ratelimited(hdev, "Unexpected advertising set terminated event");
5836
		return;
5837
	}
5838

5839
	hci_dev_lock(hdev);
5840

5841
	adv = hci_find_adv_instance(hdev, ev->handle);
5842

5843
	if (ev->status) {
5844
		if (!adv)
5845
			goto unlock;
5846

5847
		/* Remove advertising as it has been terminated */
5848
		hci_remove_adv_instance(hdev, ev->handle);
5849
		mgmt_advertising_removed(NULL, hdev, ev->handle);
5850

5851
		list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) {
5852
			if (adv->enabled)
5853
				goto unlock;
5854
		}
5855

5856
		/* We are no longer advertising, clear HCI_LE_ADV */
5857
		hci_dev_clear_flag(hdev, HCI_LE_ADV);
5858
		goto unlock;
5859
	}
5860

5861
	if (adv)
5862
		adv->enabled = false;
5863

5864
	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle));
5865
	if (conn) {
5866
		/* Store handle in the connection so the correct advertising
5867
		 * instance can be re-enabled when disconnected.
5868
		 */
5869
		conn->adv_instance = ev->handle;
5870

5871
		if (hdev->adv_addr_type != ADDR_LE_DEV_RANDOM ||
5872
		    bacmp(&conn->resp_addr, BDADDR_ANY))
5873
			goto unlock;
5874

5875
		if (!ev->handle) {
5876
			bacpy(&conn->resp_addr, &hdev->random_addr);
5877
			goto unlock;
5878
		}
5879

5880
		if (adv)
5881
			bacpy(&conn->resp_addr, &adv->random_addr);
5882
	}
5883

5884
unlock:
5885
	hci_dev_unlock(hdev);
5886
}
5887

5888
static void hci_le_conn_update_complete_evt(struct hci_dev *hdev, void *data,
5889
					    struct sk_buff *skb)
5890
{
5891
	struct hci_ev_le_conn_update_complete *ev = data;
5892
	struct hci_conn *conn;
5893

5894
	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
5895

5896
	if (ev->status)
5897
		return;
5898

5899
	hci_dev_lock(hdev);
5900

5901
	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
5902
	if (conn) {
5903
		conn->le_conn_interval = le16_to_cpu(ev->interval);
5904
		conn->le_conn_latency = le16_to_cpu(ev->latency);
5905
		conn->le_supv_timeout = le16_to_cpu(ev->supervision_timeout);
5906
	}
5907

5908
	hci_dev_unlock(hdev);
5909
}
5910

5911
/* This function requires the caller holds hdev->lock */
5912
static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
5913
					      bdaddr_t *addr,
5914
					      u8 addr_type, bool addr_resolved,
5915
					      u8 adv_type, u8 phy, u8 sec_phy)
5916
{
5917
	struct hci_conn *conn;
5918
	struct hci_conn_params *params;
5919

5920
	/* If the event is not connectable don't proceed further */
5921
	if (adv_type != LE_ADV_IND && adv_type != LE_ADV_DIRECT_IND)
5922
		return NULL;
5923

5924
	/* Ignore if the device is blocked or hdev is suspended */
5925
	if (hci_bdaddr_list_lookup(&hdev->reject_list, addr, addr_type) ||
5926
	    hdev->suspended)
5927
		return NULL;
5928

5929
	/* Most controller will fail if we try to create new connections
5930
	 * while we have an existing one in peripheral role.
5931
	 */
5932
	if (hdev->conn_hash.le_num_peripheral > 0 &&
5933
	    (hci_test_quirk(hdev, HCI_QUIRK_BROKEN_LE_STATES) ||
5934
	     !(hdev->le_states[3] & 0x10)))
5935
		return NULL;
5936

5937
	/* If we're not connectable only connect devices that we have in
5938
	 * our pend_le_conns list.
5939
	 */
5940
	params = hci_pend_le_action_lookup(&hdev->pend_le_conns, addr,
5941
					   addr_type);
5942
	if (!params)
5943
		return NULL;
5944

5945
	if (!params->explicit_connect) {
5946
		switch (params->auto_connect) {
5947
		case HCI_AUTO_CONN_DIRECT:
5948
			/* Only devices advertising with ADV_DIRECT_IND are
5949
			 * triggering a connection attempt. This is allowing
5950
			 * incoming connections from peripheral devices.
5951
			 */
5952
			if (adv_type != LE_ADV_DIRECT_IND)
5953
				return NULL;
5954
			break;
5955
		case HCI_AUTO_CONN_ALWAYS:
5956
			/* Devices advertising with ADV_IND or ADV_DIRECT_IND
5957
			 * are triggering a connection attempt. This means
5958
			 * that incoming connections from peripheral device are
5959
			 * accepted and also outgoing connections to peripheral
5960
			 * devices are established when found.
5961
			 */
5962
			break;
5963
		default:
5964
			return NULL;
5965
		}
5966
	}
5967

5968
	conn = hci_connect_le(hdev, addr, addr_type, addr_resolved,
5969
			      BT_SECURITY_LOW, hdev->def_le_autoconnect_timeout,
5970
			      HCI_ROLE_MASTER, phy, sec_phy);
5971
	if (!IS_ERR(conn)) {
5972
		/* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
5973
		 * by higher layer that tried to connect, if no then
5974
		 * store the pointer since we don't really have any
5975
		 * other owner of the object besides the params that
5976
		 * triggered it. This way we can abort the connection if
5977
		 * the parameters get removed and keep the reference
5978
		 * count consistent once the connection is established.
5979
		 */
5980

5981
		if (!params->explicit_connect)
5982
			params->conn = hci_conn_get(conn);
5983

5984
		return conn;
5985
	}
5986

5987
	switch (PTR_ERR(conn)) {
5988
	case -EBUSY:
5989
		/* If hci_connect() returns -EBUSY it means there is already
5990
		 * an LE connection attempt going on. Since controllers don't
5991
		 * support more than one connection attempt at the time, we
5992
		 * don't consider this an error case.
5993
		 */
5994
		break;
5995
	default:
5996
		BT_DBG("Failed to connect: err %ld", PTR_ERR(conn));
5997
		return NULL;
5998
	}
5999

6000
	return NULL;
6001
}
6002

6003
static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
6004
			       u8 bdaddr_type, bdaddr_t *direct_addr,
6005
			       u8 direct_addr_type, u8 phy, u8 sec_phy, s8 rssi,
6006
			       u8 *data, u8 len, bool ext_adv, bool ctl_time,
6007
			       u64 instant)
6008
{
6009
	struct discovery_state *d = &hdev->discovery;
6010
	struct smp_irk *irk;
6011
	struct hci_conn *conn;
6012
	bool match, bdaddr_resolved;
6013
	u32 flags;
6014
	u8 *ptr;
6015

6016
	switch (type) {
6017
	case LE_ADV_IND:
6018
	case LE_ADV_DIRECT_IND:
6019
	case LE_ADV_SCAN_IND:
6020
	case LE_ADV_NONCONN_IND:
6021
	case LE_ADV_SCAN_RSP:
6022
		break;
6023
	default:
6024
		bt_dev_err_ratelimited(hdev, "unknown advertising packet "
6025
				       "type: 0x%02x", type);
6026
		return;
6027
	}
6028

6029
	if (len > max_adv_len(hdev)) {
6030
		bt_dev_err_ratelimited(hdev,
6031
				       "adv larger than maximum supported");
6032
		return;
6033
	}
6034

6035
	/* Find the end of the data in case the report contains padded zero
6036
	 * bytes at the end causing an invalid length value.
6037
	 *
6038
	 * When data is NULL, len is 0 so there is no need for extra ptr
6039
	 * check as 'ptr < data + 0' is already false in such case.
6040
	 */
6041
	for (ptr = data; ptr < data + len && *ptr; ptr += *ptr + 1) {
6042
		if (ptr + 1 + *ptr > data + len)
6043
			break;
6044
	}
6045

6046
	/* Adjust for actual length. This handles the case when remote
6047
	 * device is advertising with incorrect data length.
6048
	 */
6049
	len = ptr - data;
6050

6051
	/* If the direct address is present, then this report is from
6052
	 * a LE Direct Advertising Report event. In that case it is
6053
	 * important to see if the address is matching the local
6054
	 * controller address.
6055
	 *
6056
	 * If local privacy is not enable the controller shall not be
6057
	 * generating such event since according to its documentation it is only
6058
	 * valid for filter_policy 0x02 and 0x03, but the fact that it did
6059
	 * generate LE Direct Advertising Report means it is probably broken and
6060
	 * won't generate any other event which can potentially break
6061
	 * auto-connect logic so in case local privacy is not enable this
6062
	 * ignores the direct_addr so it works as a regular report.
6063
	 */
6064
	if (!hci_dev_test_flag(hdev, HCI_MESH) && direct_addr &&
6065
	    hci_dev_test_flag(hdev, HCI_PRIVACY)) {
6066
		direct_addr_type = ev_bdaddr_type(hdev, direct_addr_type,
6067
						  &bdaddr_resolved);
6068

6069
		/* Only resolvable random addresses are valid for these
6070
		 * kind of reports and others can be ignored.
6071
		 */
6072
		if (!hci_bdaddr_is_rpa(direct_addr, direct_addr_type))
6073
			return;
6074

6075
		/* If the local IRK of the controller does not match
6076
		 * with the resolvable random address provided, then
6077
		 * this report can be ignored.
6078
		 */
6079
		if (!smp_irk_matches(hdev, hdev->irk, direct_addr))
6080
			return;
6081
	}
6082

6083
	/* Check if we need to convert to identity address */
6084
	irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
6085
	if (irk) {
6086
		bdaddr = &irk->bdaddr;
6087
		bdaddr_type = irk->addr_type;
6088
	}
6089

6090
	bdaddr_type = ev_bdaddr_type(hdev, bdaddr_type, &bdaddr_resolved);
6091

6092
	/* Check if we have been requested to connect to this device.
6093
	 *
6094
	 * direct_addr is set only for directed advertising reports (it is NULL
6095
	 * for advertising reports) and is already verified to be RPA above.
6096
	 */
6097
	conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, bdaddr_resolved,
6098
				     type, phy, sec_phy);
6099
	if (!ext_adv && conn && type == LE_ADV_IND &&
6100
	    len <= max_adv_len(hdev)) {
6101
		/* Store report for later inclusion by
6102
		 * mgmt_device_connected
6103
		 */
6104
		memcpy(conn->le_adv_data, data, len);
6105
		conn->le_adv_data_len = len;
6106
	}
6107

6108
	if (type == LE_ADV_NONCONN_IND || type == LE_ADV_SCAN_IND)
6109
		flags = MGMT_DEV_FOUND_NOT_CONNECTABLE;
6110
	else
6111
		flags = 0;
6112

6113
	/* All scan results should be sent up for Mesh systems */
6114
	if (hci_dev_test_flag(hdev, HCI_MESH)) {
6115
		mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6116
				  rssi, flags, data, len, NULL, 0, instant);
6117
		return;
6118
	}
6119

6120
	/* Passive scanning shouldn't trigger any device found events,
6121
	 * except for devices marked as CONN_REPORT for which we do send
6122
	 * device found events, or advertisement monitoring requested.
6123
	 */
6124
	if (hdev->le_scan_type == LE_SCAN_PASSIVE) {
6125
		if (type == LE_ADV_DIRECT_IND)
6126
			return;
6127

6128
		if (!hci_pend_le_action_lookup(&hdev->pend_le_reports,
6129
					       bdaddr, bdaddr_type) &&
6130
		    idr_is_empty(&hdev->adv_monitors_idr))
6131
			return;
6132

6133
		mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6134
				  rssi, flags, data, len, NULL, 0, 0);
6135
		return;
6136
	}
6137

6138
	/* When receiving a scan response, then there is no way to
6139
	 * know if the remote device is connectable or not. However
6140
	 * since scan responses are merged with a previously seen
6141
	 * advertising report, the flags field from that report
6142
	 * will be used.
6143
	 *
6144
	 * In the unlikely case that a controller just sends a scan
6145
	 * response event that doesn't match the pending report, then
6146
	 * it is marked as a standalone SCAN_RSP.
6147
	 */
6148
	if (type == LE_ADV_SCAN_RSP)
6149
		flags = MGMT_DEV_FOUND_SCAN_RSP;
6150

6151
	/* If there's nothing pending either store the data from this
6152
	 * event or send an immediate device found event if the data
6153
	 * should not be stored for later.
6154
	 */
6155
	if (!has_pending_adv_report(hdev)) {
6156
		/* If the report will trigger a SCAN_REQ store it for
6157
		 * later merging.
6158
		 */
6159
		if (!ext_adv && (type == LE_ADV_IND ||
6160
				 type == LE_ADV_SCAN_IND)) {
6161
			store_pending_adv_report(hdev, bdaddr, bdaddr_type,
6162
						 rssi, flags, data, len);
6163
			return;
6164
		}
6165

6166
		mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6167
				  rssi, flags, data, len, NULL, 0, 0);
6168
		return;
6169
	}
6170

6171
	/* Check if the pending report is for the same device as the new one */
6172
	match = (!bacmp(bdaddr, &d->last_adv_addr) &&
6173
		 bdaddr_type == d->last_adv_addr_type);
6174

6175
	/* If the pending data doesn't match this report or this isn't a
6176
	 * scan response (e.g. we got a duplicate ADV_IND) then force
6177
	 * sending of the pending data.
6178
	 */
6179
	if (type != LE_ADV_SCAN_RSP || !match) {
6180
		/* Send out whatever is in the cache, but skip duplicates */
6181
		if (!match)
6182
			mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
6183
					  d->last_adv_addr_type, NULL,
6184
					  d->last_adv_rssi, d->last_adv_flags,
6185
					  d->last_adv_data,
6186
					  d->last_adv_data_len, NULL, 0, 0);
6187

6188
		/* If the new report will trigger a SCAN_REQ store it for
6189
		 * later merging.
6190
		 */
6191
		if (!ext_adv && (type == LE_ADV_IND ||
6192
				 type == LE_ADV_SCAN_IND)) {
6193
			store_pending_adv_report(hdev, bdaddr, bdaddr_type,
6194
						 rssi, flags, data, len);
6195
			return;
6196
		}
6197

6198
		/* The advertising reports cannot be merged, so clear
6199
		 * the pending report and send out a device found event.
6200
		 */
6201
		clear_pending_adv_report(hdev);
6202
		mgmt_device_found(hdev, bdaddr, LE_LINK, bdaddr_type, NULL,
6203
				  rssi, flags, data, len, NULL, 0, 0);
6204
		return;
6205
	}
6206

6207
	/* If we get here we've got a pending ADV_IND or ADV_SCAN_IND and
6208
	 * the new event is a SCAN_RSP. We can therefore proceed with
6209
	 * sending a merged device found event.
6210
	 */
6211
	mgmt_device_found(hdev, &d->last_adv_addr, LE_LINK,
6212
			  d->last_adv_addr_type, NULL, rssi, d->last_adv_flags,
6213
			  d->last_adv_data, d->last_adv_data_len, data, len, 0);
6214
	clear_pending_adv_report(hdev);
6215
}
6216

6217
static void hci_le_adv_report_evt(struct hci_dev *hdev, void *data,
6218
				  struct sk_buff *skb)
6219
{
6220
	struct hci_ev_le_advertising_report *ev = data;
6221
	u64 instant = jiffies;
6222

6223
	if (!ev->num)
6224
		return;
6225

6226
	hci_dev_lock(hdev);
6227

6228
	while (ev->num--) {
6229
		struct hci_ev_le_advertising_info *info;
6230
		s8 rssi;
6231

6232
		info = hci_le_ev_skb_pull(hdev, skb,
6233
					  HCI_EV_LE_ADVERTISING_REPORT,
6234
					  sizeof(*info));
6235
		if (!info)
6236
			break;
6237

6238
		if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_ADVERTISING_REPORT,
6239
					info->length + 1))
6240
			break;
6241

6242
		if (info->length <= max_adv_len(hdev)) {
6243
			rssi = info->data[info->length];
6244
			process_adv_report(hdev, info->type, &info->bdaddr,
6245
					   info->bdaddr_type, NULL, 0,
6246
					   HCI_ADV_PHY_1M, 0, rssi,
6247
					   info->data, info->length, false,
6248
					   false, instant);
6249
		} else {
6250
			bt_dev_err(hdev, "Dropping invalid advertising data");
6251
		}
6252
	}
6253

6254
	hci_dev_unlock(hdev);
6255
}
6256

6257
static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type)
6258
{
6259
	u16 pdu_type = evt_type & ~LE_EXT_ADV_DATA_STATUS_MASK;
6260

6261
	if (!pdu_type)
6262
		return LE_ADV_NONCONN_IND;
6263

6264
	if (evt_type & LE_EXT_ADV_LEGACY_PDU) {
6265
		switch (evt_type) {
6266
		case LE_LEGACY_ADV_IND:
6267
			return LE_ADV_IND;
6268
		case LE_LEGACY_ADV_DIRECT_IND:
6269
			return LE_ADV_DIRECT_IND;
6270
		case LE_LEGACY_ADV_SCAN_IND:
6271
			return LE_ADV_SCAN_IND;
6272
		case LE_LEGACY_NONCONN_IND:
6273
			return LE_ADV_NONCONN_IND;
6274
		case LE_LEGACY_SCAN_RSP_ADV:
6275
		case LE_LEGACY_SCAN_RSP_ADV_SCAN:
6276
			return LE_ADV_SCAN_RSP;
6277
		}
6278

6279
		goto invalid;
6280
	}
6281

6282
	if (evt_type & LE_EXT_ADV_CONN_IND) {
6283
		if (evt_type & LE_EXT_ADV_DIRECT_IND)
6284
			return LE_ADV_DIRECT_IND;
6285

6286
		return LE_ADV_IND;
6287
	}
6288

6289
	if (evt_type & LE_EXT_ADV_SCAN_RSP)
6290
		return LE_ADV_SCAN_RSP;
6291

6292
	if (evt_type & LE_EXT_ADV_SCAN_IND)
6293
		return LE_ADV_SCAN_IND;
6294

6295
	if (evt_type & LE_EXT_ADV_DIRECT_IND)
6296
		return LE_ADV_NONCONN_IND;
6297

6298
invalid:
6299
	bt_dev_err_ratelimited(hdev, "Unknown advertising packet type: 0x%02x",
6300
			       evt_type);
6301

6302
	return LE_ADV_INVALID;
6303
}
6304

6305
static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, void *data,
6306
				      struct sk_buff *skb)
6307
{
6308
	struct hci_ev_le_ext_adv_report *ev = data;
6309
	u64 instant = jiffies;
6310

6311
	if (!ev->num)
6312
		return;
6313

6314
	hci_dev_lock(hdev);
6315

6316
	while (ev->num--) {
6317
		struct hci_ev_le_ext_adv_info *info;
6318
		u8 legacy_evt_type;
6319
		u16 evt_type;
6320

6321
		info = hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT,
6322
					  sizeof(*info));
6323
		if (!info)
6324
			break;
6325

6326
		if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT,
6327
					info->length))
6328
			break;
6329

6330
		evt_type = __le16_to_cpu(info->type) & LE_EXT_ADV_EVT_TYPE_MASK;
6331
		legacy_evt_type = ext_evt_type_to_legacy(hdev, evt_type);
6332

6333
		if (hci_test_quirk(hdev,
6334
				   HCI_QUIRK_FIXUP_LE_EXT_ADV_REPORT_PHY)) {
6335
			info->primary_phy &= 0x1f;
6336
			info->secondary_phy &= 0x1f;
6337
		}
6338

6339
		/* Check if PA Sync is pending and if the hci_conn SID has not
6340
		 * been set update it.
6341
		 */
6342
		if (hci_dev_test_flag(hdev, HCI_PA_SYNC)) {
6343
			struct hci_conn *conn;
6344

6345
			conn = hci_conn_hash_lookup_create_pa_sync(hdev);
6346
			if (conn && conn->sid == HCI_SID_INVALID)
6347
				conn->sid = info->sid;
6348
		}
6349

6350
		if (legacy_evt_type != LE_ADV_INVALID) {
6351
			process_adv_report(hdev, legacy_evt_type, &info->bdaddr,
6352
					   info->bdaddr_type, NULL, 0,
6353
					   info->primary_phy,
6354
					   info->secondary_phy,
6355
					   info->rssi, info->data, info->length,
6356
					   !(evt_type & LE_EXT_ADV_LEGACY_PDU),
6357
					   false, instant);
6358
		}
6359
	}
6360

6361
	hci_dev_unlock(hdev);
6362
}
6363

6364
static int hci_le_pa_term_sync(struct hci_dev *hdev, __le16 handle)
6365
{
6366
	struct hci_cp_le_pa_term_sync cp;
6367

6368
	memset(&cp, 0, sizeof(cp));
6369
	cp.handle = handle;
6370

6371
	return hci_send_cmd(hdev, HCI_OP_LE_PA_TERM_SYNC, sizeof(cp), &cp);
6372
}
6373

6374
static void hci_le_pa_sync_established_evt(struct hci_dev *hdev, void *data,
6375
					   struct sk_buff *skb)
6376
{
6377
	struct hci_ev_le_pa_sync_established *ev = data;
6378
	int mask = hdev->link_mode;
6379
	__u8 flags = 0;
6380
	struct hci_conn *pa_sync, *conn;
6381

6382
	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6383

6384
	hci_dev_lock(hdev);
6385

6386
	hci_dev_clear_flag(hdev, HCI_PA_SYNC);
6387

6388
	conn = hci_conn_hash_lookup_create_pa_sync(hdev);
6389
	if (!conn) {
6390
		bt_dev_err(hdev,
6391
			   "Unable to find connection for dst %pMR sid 0x%2.2x",
6392
			   &ev->bdaddr, ev->sid);
6393
		goto unlock;
6394
	}
6395

6396
	clear_bit(HCI_CONN_CREATE_PA_SYNC, &conn->flags);
6397

6398
	conn->sync_handle = le16_to_cpu(ev->handle);
6399
	conn->sid = HCI_SID_INVALID;
6400

6401
	mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, PA_LINK,
6402
				      &flags);
6403
	if (!(mask & HCI_LM_ACCEPT)) {
6404
		hci_le_pa_term_sync(hdev, ev->handle);
6405
		goto unlock;
6406
	}
6407

6408
	if (!(flags & HCI_PROTO_DEFER))
6409
		goto unlock;
6410

6411
	/* Add connection to indicate PA sync event */
6412
	pa_sync = hci_conn_add_unset(hdev, PA_LINK, BDADDR_ANY,
6413
				     HCI_ROLE_SLAVE);
6414

6415
	if (IS_ERR(pa_sync))
6416
		goto unlock;
6417

6418
	pa_sync->sync_handle = le16_to_cpu(ev->handle);
6419

6420
	if (ev->status) {
6421
		set_bit(HCI_CONN_PA_SYNC_FAILED, &pa_sync->flags);
6422

6423
		/* Notify iso layer */
6424
		hci_connect_cfm(pa_sync, ev->status);
6425
	}
6426

6427
unlock:
6428
	hci_dev_unlock(hdev);
6429
}
6430

6431
static void hci_le_per_adv_report_evt(struct hci_dev *hdev, void *data,
6432
				      struct sk_buff *skb)
6433
{
6434
	struct hci_ev_le_per_adv_report *ev = data;
6435
	int mask = hdev->link_mode;
6436
	__u8 flags = 0;
6437
	struct hci_conn *pa_sync;
6438

6439
	bt_dev_dbg(hdev, "sync_handle 0x%4.4x", le16_to_cpu(ev->sync_handle));
6440

6441
	hci_dev_lock(hdev);
6442

6443
	mask |= hci_proto_connect_ind(hdev, BDADDR_ANY, PA_LINK, &flags);
6444
	if (!(mask & HCI_LM_ACCEPT))
6445
		goto unlock;
6446

6447
	if (!(flags & HCI_PROTO_DEFER))
6448
		goto unlock;
6449

6450
	pa_sync = hci_conn_hash_lookup_pa_sync_handle
6451
			(hdev,
6452
			le16_to_cpu(ev->sync_handle));
6453

6454
	if (!pa_sync)
6455
		goto unlock;
6456

6457
	if (ev->data_status == LE_PA_DATA_COMPLETE &&
6458
	    !test_and_set_bit(HCI_CONN_PA_SYNC, &pa_sync->flags)) {
6459
		/* Notify iso layer */
6460
		hci_connect_cfm(pa_sync, 0);
6461

6462
		/* Notify MGMT layer */
6463
		mgmt_device_connected(hdev, pa_sync, NULL, 0);
6464
	}
6465

6466
unlock:
6467
	hci_dev_unlock(hdev);
6468
}
6469

6470
static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev, void *data,
6471
					    struct sk_buff *skb)
6472
{
6473
	struct hci_ev_le_remote_feat_complete *ev = data;
6474
	struct hci_conn *conn;
6475

6476
	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6477

6478
	hci_dev_lock(hdev);
6479

6480
	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6481
	if (conn) {
6482
		if (!ev->status)
6483
			memcpy(conn->features[0], ev->features, 8);
6484

6485
		if (conn->state == BT_CONFIG) {
6486
			__u8 status;
6487

6488
			/* If the local controller supports peripheral-initiated
6489
			 * features exchange, but the remote controller does
6490
			 * not, then it is possible that the error code 0x1a
6491
			 * for unsupported remote feature gets returned.
6492
			 *
6493
			 * In this specific case, allow the connection to
6494
			 * transition into connected state and mark it as
6495
			 * successful.
6496
			 */
6497
			if (!conn->out && ev->status == HCI_ERROR_UNSUPPORTED_REMOTE_FEATURE &&
6498
			    (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES))
6499
				status = 0x00;
6500
			else
6501
				status = ev->status;
6502

6503
			conn->state = BT_CONNECTED;
6504
			hci_connect_cfm(conn, status);
6505
			hci_conn_drop(conn);
6506
		}
6507
	}
6508

6509
	hci_dev_unlock(hdev);
6510
}
6511

6512
static void hci_le_ltk_request_evt(struct hci_dev *hdev, void *data,
6513
				   struct sk_buff *skb)
6514
{
6515
	struct hci_ev_le_ltk_req *ev = data;
6516
	struct hci_cp_le_ltk_reply cp;
6517
	struct hci_cp_le_ltk_neg_reply neg;
6518
	struct hci_conn *conn;
6519
	struct smp_ltk *ltk;
6520

6521
	bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle));
6522

6523
	hci_dev_lock(hdev);
6524

6525
	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6526
	if (conn == NULL)
6527
		goto not_found;
6528

6529
	ltk = hci_find_ltk(hdev, &conn->dst, conn->dst_type, conn->role);
6530
	if (!ltk)
6531
		goto not_found;
6532

6533
	if (smp_ltk_is_sc(ltk)) {
6534
		/* With SC both EDiv and Rand are set to zero */
6535
		if (ev->ediv || ev->rand)
6536
			goto not_found;
6537
	} else {
6538
		/* For non-SC keys check that EDiv and Rand match */
6539
		if (ev->ediv != ltk->ediv || ev->rand != ltk->rand)
6540
			goto not_found;
6541
	}
6542

6543
	memcpy(cp.ltk, ltk->val, ltk->enc_size);
6544
	memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
6545
	cp.handle = cpu_to_le16(conn->handle);
6546

6547
	conn->pending_sec_level = smp_ltk_sec_level(ltk);
6548

6549
	conn->enc_key_size = ltk->enc_size;
6550

6551
	hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
6552

6553
	/* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
6554
	 * temporary key used to encrypt a connection following
6555
	 * pairing. It is used during the Encrypted Session Setup to
6556
	 * distribute the keys. Later, security can be re-established
6557
	 * using a distributed LTK.
6558
	 */
6559
	if (ltk->type == SMP_STK) {
6560
		set_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
6561
		list_del_rcu(&ltk->list);
6562
		kfree_rcu(ltk, rcu);
6563
	} else {
6564
		clear_bit(HCI_CONN_STK_ENCRYPT, &conn->flags);
6565
	}
6566

6567
	hci_dev_unlock(hdev);
6568

6569
	return;
6570

6571
not_found:
6572
	neg.handle = ev->handle;
6573
	hci_send_cmd(hdev, HCI_OP_LE_LTK_NEG_REPLY, sizeof(neg), &neg);
6574
	hci_dev_unlock(hdev);
6575
}
6576

6577
static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
6578
				      u8 reason)
6579
{
6580
	struct hci_cp_le_conn_param_req_neg_reply cp;
6581

6582
	cp.handle = cpu_to_le16(handle);
6583
	cp.reason = reason;
6584

6585
	hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_NEG_REPLY, sizeof(cp),
6586
		     &cp);
6587
}
6588

6589
static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev, void *data,
6590
					     struct sk_buff *skb)
6591
{
6592
	struct hci_ev_le_remote_conn_param_req *ev = data;
6593
	struct hci_cp_le_conn_param_req_reply cp;
6594
	struct hci_conn *hcon;
6595
	u16 handle, min, max, latency, timeout;
6596

6597
	bt_dev_dbg(hdev, "handle 0x%4.4x", __le16_to_cpu(ev->handle));
6598

6599
	handle = le16_to_cpu(ev->handle);
6600
	min = le16_to_cpu(ev->interval_min);
6601
	max = le16_to_cpu(ev->interval_max);
6602
	latency = le16_to_cpu(ev->latency);
6603
	timeout = le16_to_cpu(ev->timeout);
6604

6605
	hcon = hci_conn_hash_lookup_handle(hdev, handle);
6606
	if (!hcon || hcon->state != BT_CONNECTED)
6607
		return send_conn_param_neg_reply(hdev, handle,
6608
						 HCI_ERROR_UNKNOWN_CONN_ID);
6609

6610
	if (max > hcon->le_conn_max_interval)
6611
		return send_conn_param_neg_reply(hdev, handle,
6612
						 HCI_ERROR_INVALID_LL_PARAMS);
6613

6614
	if (hci_check_conn_params(min, max, latency, timeout))
6615
		return send_conn_param_neg_reply(hdev, handle,
6616
						 HCI_ERROR_INVALID_LL_PARAMS);
6617

6618
	if (hcon->role == HCI_ROLE_MASTER) {
6619
		struct hci_conn_params *params;
6620
		u8 store_hint;
6621

6622
		hci_dev_lock(hdev);
6623

6624
		params = hci_conn_params_lookup(hdev, &hcon->dst,
6625
						hcon->dst_type);
6626
		if (params) {
6627
			params->conn_min_interval = min;
6628
			params->conn_max_interval = max;
6629
			params->conn_latency = latency;
6630
			params->supervision_timeout = timeout;
6631
			store_hint = 0x01;
6632
		} else {
6633
			store_hint = 0x00;
6634
		}
6635

6636
		hci_dev_unlock(hdev);
6637

6638
		mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type,
6639
				    store_hint, min, max, latency, timeout);
6640
	}
6641

6642
	cp.handle = ev->handle;
6643
	cp.interval_min = ev->interval_min;
6644
	cp.interval_max = ev->interval_max;
6645
	cp.latency = ev->latency;
6646
	cp.timeout = ev->timeout;
6647
	cp.min_ce_len = 0;
6648
	cp.max_ce_len = 0;
6649

6650
	hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp);
6651
}
6652

6653
static void hci_le_direct_adv_report_evt(struct hci_dev *hdev, void *data,
6654
					 struct sk_buff *skb)
6655
{
6656
	struct hci_ev_le_direct_adv_report *ev = data;
6657
	u64 instant = jiffies;
6658
	int i;
6659

6660
	if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_DIRECT_ADV_REPORT,
6661
				flex_array_size(ev, info, ev->num)))
6662
		return;
6663

6664
	if (!ev->num)
6665
		return;
6666

6667
	hci_dev_lock(hdev);
6668

6669
	for (i = 0; i < ev->num; i++) {
6670
		struct hci_ev_le_direct_adv_info *info = &ev->info[i];
6671

6672
		process_adv_report(hdev, info->type, &info->bdaddr,
6673
				   info->bdaddr_type, &info->direct_addr,
6674
				   info->direct_addr_type, HCI_ADV_PHY_1M, 0,
6675
				   info->rssi, NULL, 0, false, false, instant);
6676
	}
6677

6678
	hci_dev_unlock(hdev);
6679
}
6680

6681
static void hci_le_phy_update_evt(struct hci_dev *hdev, void *data,
6682
				  struct sk_buff *skb)
6683
{
6684
	struct hci_ev_le_phy_update_complete *ev = data;
6685
	struct hci_conn *conn;
6686

6687
	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6688

6689
	if (ev->status)
6690
		return;
6691

6692
	hci_dev_lock(hdev);
6693

6694
	conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
6695
	if (!conn)
6696
		goto unlock;
6697

6698
	conn->le_tx_phy = ev->tx_phy;
6699
	conn->le_rx_phy = ev->rx_phy;
6700

6701
unlock:
6702
	hci_dev_unlock(hdev);
6703
}
6704

6705
static void hci_le_cis_established_evt(struct hci_dev *hdev, void *data,
6706
				       struct sk_buff *skb)
6707
{
6708
	struct hci_evt_le_cis_established *ev = data;
6709
	struct hci_conn *conn;
6710
	struct bt_iso_qos *qos;
6711
	bool pending = false;
6712
	u16 handle = __le16_to_cpu(ev->handle);
6713
	u32 c_sdu_interval, p_sdu_interval;
6714

6715
	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6716

6717
	hci_dev_lock(hdev);
6718

6719
	conn = hci_conn_hash_lookup_handle(hdev, handle);
6720
	if (!conn) {
6721
		bt_dev_err(hdev,
6722
			   "Unable to find connection with handle 0x%4.4x",
6723
			   handle);
6724
		goto unlock;
6725
	}
6726

6727
	if (conn->type != CIS_LINK) {
6728
		bt_dev_err(hdev,
6729
			   "Invalid connection link type handle 0x%4.4x",
6730
			   handle);
6731
		goto unlock;
6732
	}
6733

6734
	qos = &conn->iso_qos;
6735

6736
	pending = test_and_clear_bit(HCI_CONN_CREATE_CIS, &conn->flags);
6737

6738
	/* BLUETOOTH CORE SPECIFICATION Version 5.4 | Vol 6, Part G
6739
	 * page 3075:
6740
	 * Transport_Latency_C_To_P = CIG_Sync_Delay + (FT_C_To_P) ×
6741
	 * ISO_Interval + SDU_Interval_C_To_P
6742
	 * ...
6743
	 * SDU_Interval = (CIG_Sync_Delay + (FT) x ISO_Interval) -
6744
	 *					Transport_Latency
6745
	 */
6746
	c_sdu_interval = (get_unaligned_le24(ev->cig_sync_delay) +
6747
			 (ev->c_ft * le16_to_cpu(ev->interval) * 1250)) -
6748
			get_unaligned_le24(ev->c_latency);
6749
	p_sdu_interval = (get_unaligned_le24(ev->cig_sync_delay) +
6750
			 (ev->p_ft * le16_to_cpu(ev->interval) * 1250)) -
6751
			get_unaligned_le24(ev->p_latency);
6752

6753
	switch (conn->role) {
6754
	case HCI_ROLE_SLAVE:
6755
		qos->ucast.in.interval = c_sdu_interval;
6756
		qos->ucast.out.interval = p_sdu_interval;
6757
		/* Convert Transport Latency (us) to Latency (msec) */
6758
		qos->ucast.in.latency =
6759
			DIV_ROUND_CLOSEST(get_unaligned_le24(ev->c_latency),
6760
					  1000);
6761
		qos->ucast.out.latency =
6762
			DIV_ROUND_CLOSEST(get_unaligned_le24(ev->p_latency),
6763
					  1000);
6764
		qos->ucast.in.sdu = ev->c_bn ? le16_to_cpu(ev->c_mtu) : 0;
6765
		qos->ucast.out.sdu = ev->p_bn ? le16_to_cpu(ev->p_mtu) : 0;
6766
		qos->ucast.in.phy = ev->c_phy;
6767
		qos->ucast.out.phy = ev->p_phy;
6768
		break;
6769
	case HCI_ROLE_MASTER:
6770
		qos->ucast.in.interval = p_sdu_interval;
6771
		qos->ucast.out.interval = c_sdu_interval;
6772
		/* Convert Transport Latency (us) to Latency (msec) */
6773
		qos->ucast.out.latency =
6774
			DIV_ROUND_CLOSEST(get_unaligned_le24(ev->c_latency),
6775
					  1000);
6776
		qos->ucast.in.latency =
6777
			DIV_ROUND_CLOSEST(get_unaligned_le24(ev->p_latency),
6778
					  1000);
6779
		qos->ucast.out.sdu = ev->c_bn ? le16_to_cpu(ev->c_mtu) : 0;
6780
		qos->ucast.in.sdu = ev->p_bn ? le16_to_cpu(ev->p_mtu) : 0;
6781
		qos->ucast.out.phy = ev->c_phy;
6782
		qos->ucast.in.phy = ev->p_phy;
6783
		break;
6784
	}
6785

6786
	if (!ev->status) {
6787
		conn->state = BT_CONNECTED;
6788
		hci_debugfs_create_conn(conn);
6789
		hci_conn_add_sysfs(conn);
6790
		hci_iso_setup_path(conn);
6791
		goto unlock;
6792
	}
6793

6794
	conn->state = BT_CLOSED;
6795
	hci_connect_cfm(conn, ev->status);
6796
	hci_conn_del(conn);
6797

6798
unlock:
6799
	if (pending)
6800
		hci_le_create_cis_pending(hdev);
6801

6802
	hci_dev_unlock(hdev);
6803
}
6804

6805
static void hci_le_reject_cis(struct hci_dev *hdev, __le16 handle)
6806
{
6807
	struct hci_cp_le_reject_cis cp;
6808

6809
	memset(&cp, 0, sizeof(cp));
6810
	cp.handle = handle;
6811
	cp.reason = HCI_ERROR_REJ_BAD_ADDR;
6812
	hci_send_cmd(hdev, HCI_OP_LE_REJECT_CIS, sizeof(cp), &cp);
6813
}
6814

6815
static void hci_le_accept_cis(struct hci_dev *hdev, __le16 handle)
6816
{
6817
	struct hci_cp_le_accept_cis cp;
6818

6819
	memset(&cp, 0, sizeof(cp));
6820
	cp.handle = handle;
6821
	hci_send_cmd(hdev, HCI_OP_LE_ACCEPT_CIS, sizeof(cp), &cp);
6822
}
6823

6824
static void hci_le_cis_req_evt(struct hci_dev *hdev, void *data,
6825
			       struct sk_buff *skb)
6826
{
6827
	struct hci_evt_le_cis_req *ev = data;
6828
	u16 acl_handle, cis_handle;
6829
	struct hci_conn *acl, *cis;
6830
	int mask;
6831
	__u8 flags = 0;
6832

6833
	acl_handle = __le16_to_cpu(ev->acl_handle);
6834
	cis_handle = __le16_to_cpu(ev->cis_handle);
6835

6836
	bt_dev_dbg(hdev, "acl 0x%4.4x handle 0x%4.4x cig 0x%2.2x cis 0x%2.2x",
6837
		   acl_handle, cis_handle, ev->cig_id, ev->cis_id);
6838

6839
	hci_dev_lock(hdev);
6840

6841
	acl = hci_conn_hash_lookup_handle(hdev, acl_handle);
6842
	if (!acl)
6843
		goto unlock;
6844

6845
	mask = hci_proto_connect_ind(hdev, &acl->dst, CIS_LINK, &flags);
6846
	if (!(mask & HCI_LM_ACCEPT)) {
6847
		hci_le_reject_cis(hdev, ev->cis_handle);
6848
		goto unlock;
6849
	}
6850

6851
	cis = hci_conn_hash_lookup_handle(hdev, cis_handle);
6852
	if (!cis) {
6853
		cis = hci_conn_add(hdev, CIS_LINK, &acl->dst,
6854
				   HCI_ROLE_SLAVE, cis_handle);
6855
		if (IS_ERR(cis)) {
6856
			hci_le_reject_cis(hdev, ev->cis_handle);
6857
			goto unlock;
6858
		}
6859
	}
6860

6861
	cis->iso_qos.ucast.cig = ev->cig_id;
6862
	cis->iso_qos.ucast.cis = ev->cis_id;
6863

6864
	if (!(flags & HCI_PROTO_DEFER)) {
6865
		hci_le_accept_cis(hdev, ev->cis_handle);
6866
	} else {
6867
		cis->state = BT_CONNECT2;
6868
		hci_connect_cfm(cis, 0);
6869
	}
6870

6871
unlock:
6872
	hci_dev_unlock(hdev);
6873
}
6874

6875
static int hci_iso_term_big_sync(struct hci_dev *hdev, void *data)
6876
{
6877
	u8 handle = PTR_UINT(data);
6878

6879
	return hci_le_terminate_big_sync(hdev, handle,
6880
					 HCI_ERROR_LOCAL_HOST_TERM);
6881
}
6882

6883
static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data,
6884
					   struct sk_buff *skb)
6885
{
6886
	struct hci_evt_le_create_big_complete *ev = data;
6887
	struct hci_conn *conn;
6888
	__u8 i = 0;
6889

6890
	BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
6891

6892
	if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_CREATE_BIG_COMPLETE,
6893
				flex_array_size(ev, bis_handle, ev->num_bis)))
6894
		return;
6895

6896
	hci_dev_lock(hdev);
6897

6898
	/* Connect all BISes that are bound to the BIG */
6899
	while ((conn = hci_conn_hash_lookup_big_state(hdev, ev->handle,
6900
						      BT_BOUND,
6901
						      HCI_ROLE_MASTER))) {
6902
		if (ev->status) {
6903
			hci_connect_cfm(conn, ev->status);
6904
			hci_conn_del(conn);
6905
			continue;
6906
		}
6907

6908
		if (hci_conn_set_handle(conn,
6909
					__le16_to_cpu(ev->bis_handle[i++])))
6910
			continue;
6911

6912
		conn->state = BT_CONNECTED;
6913
		set_bit(HCI_CONN_BIG_CREATED, &conn->flags);
6914
		hci_debugfs_create_conn(conn);
6915
		hci_conn_add_sysfs(conn);
6916
		hci_iso_setup_path(conn);
6917
	}
6918

6919
	if (!ev->status && !i)
6920
		/* If no BISes have been connected for the BIG,
6921
		 * terminate. This is in case all bound connections
6922
		 * have been closed before the BIG creation
6923
		 * has completed.
6924
		 */
6925
		hci_cmd_sync_queue(hdev, hci_iso_term_big_sync,
6926
				   UINT_PTR(ev->handle), NULL);
6927

6928
	hci_dev_unlock(hdev);
6929
}
6930

6931
static void hci_le_big_sync_established_evt(struct hci_dev *hdev, void *data,
6932
					    struct sk_buff *skb)
6933
{
6934
	struct hci_evt_le_big_sync_established *ev = data;
6935
	struct hci_conn *bis, *conn;
6936
	int i;
6937

6938
	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
6939

6940
	if (!hci_le_ev_skb_pull(hdev, skb, HCI_EVT_LE_BIG_SYNC_ESTABLISHED,
6941
				flex_array_size(ev, bis, ev->num_bis)))
6942
		return;
6943

6944
	hci_dev_lock(hdev);
6945

6946
	conn = hci_conn_hash_lookup_big_sync_pend(hdev, ev->handle,
6947
						  ev->num_bis);
6948
	if (!conn) {
6949
		bt_dev_err(hdev,
6950
			   "Unable to find connection for big 0x%2.2x",
6951
			   ev->handle);
6952
		goto unlock;
6953
	}
6954

6955
	clear_bit(HCI_CONN_CREATE_BIG_SYNC, &conn->flags);
6956

6957
	conn->num_bis = 0;
6958
	memset(conn->bis, 0, sizeof(conn->num_bis));
6959

6960
	for (i = 0; i < ev->num_bis; i++) {
6961
		u16 handle = le16_to_cpu(ev->bis[i]);
6962
		__le32 interval;
6963

6964
		bis = hci_conn_hash_lookup_handle(hdev, handle);
6965
		if (!bis) {
6966
			if (handle > HCI_CONN_HANDLE_MAX) {
6967
				bt_dev_dbg(hdev, "ignore too large handle %u", handle);
6968
				continue;
6969
			}
6970
			bis = hci_conn_add(hdev, BIS_LINK, BDADDR_ANY,
6971
					   HCI_ROLE_SLAVE, handle);
6972
			if (IS_ERR(bis))
6973
				continue;
6974
		}
6975

6976
		if (ev->status != 0x42) {
6977
			/* Mark PA sync as established */
6978
			set_bit(HCI_CONN_PA_SYNC, &bis->flags);
6979
			/* Reset cleanup callback of PA Sync so it doesn't
6980
			 * terminate the sync when deleting the connection.
6981
			 */
6982
			conn->cleanup = NULL;
6983
		}
6984

6985
		bis->sync_handle = conn->sync_handle;
6986
		bis->iso_qos.bcast.big = ev->handle;
6987
		memset(&interval, 0, sizeof(interval));
6988
		memcpy(&interval, ev->latency, sizeof(ev->latency));
6989
		bis->iso_qos.bcast.in.interval = le32_to_cpu(interval);
6990
		/* Convert ISO Interval (1.25 ms slots) to latency (ms) */
6991
		bis->iso_qos.bcast.in.latency = le16_to_cpu(ev->interval) * 125 / 100;
6992
		bis->iso_qos.bcast.in.sdu = le16_to_cpu(ev->max_pdu);
6993

6994
		if (!ev->status) {
6995
			bis->state = BT_CONNECTED;
6996
			set_bit(HCI_CONN_BIG_SYNC, &bis->flags);
6997
			hci_debugfs_create_conn(bis);
6998
			hci_conn_add_sysfs(bis);
6999
			hci_iso_setup_path(bis);
7000
		}
7001
	}
7002

7003
	/* In case BIG sync failed, notify each failed connection to
7004
	 * the user after all hci connections have been added
7005
	 */
7006
	if (ev->status)
7007
		for (i = 0; i < ev->num_bis; i++) {
7008
			u16 handle = le16_to_cpu(ev->bis[i]);
7009

7010
			bis = hci_conn_hash_lookup_handle(hdev, handle);
7011
			if (!bis)
7012
				continue;
7013

7014
			set_bit(HCI_CONN_BIG_SYNC_FAILED, &bis->flags);
7015
			hci_connect_cfm(bis, ev->status);
7016
		}
7017

7018
unlock:
7019
	hci_dev_unlock(hdev);
7020
}
7021

7022
static void hci_le_big_sync_lost_evt(struct hci_dev *hdev, void *data,
7023
				     struct sk_buff *skb)
7024
{
7025
	struct hci_evt_le_big_sync_lost *ev = data;
7026
	struct hci_conn *bis, *conn;
7027
	bool mgmt_conn;
7028

7029
	bt_dev_dbg(hdev, "big handle 0x%2.2x", ev->handle);
7030

7031
	hci_dev_lock(hdev);
7032

7033
	/* Delete the pa sync connection */
7034
	bis = hci_conn_hash_lookup_pa_sync_big_handle(hdev, ev->handle);
7035
	if (bis) {
7036
		conn = hci_conn_hash_lookup_pa_sync_handle(hdev,
7037
							   bis->sync_handle);
7038
		if (conn)
7039
			hci_conn_del(conn);
7040
	}
7041

7042
	/* Delete each bis connection */
7043
	while ((bis = hci_conn_hash_lookup_big_state(hdev, ev->handle,
7044
						     BT_CONNECTED,
7045
						     HCI_ROLE_SLAVE))) {
7046
		mgmt_conn = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &bis->flags);
7047
		mgmt_device_disconnected(hdev, &bis->dst, bis->type, bis->dst_type,
7048
					 ev->reason, mgmt_conn);
7049

7050
		clear_bit(HCI_CONN_BIG_SYNC, &bis->flags);
7051
		hci_disconn_cfm(bis, ev->reason);
7052
		hci_conn_del(bis);
7053
	}
7054

7055
	hci_dev_unlock(hdev);
7056
}
7057

7058
static void hci_le_big_info_adv_report_evt(struct hci_dev *hdev, void *data,
7059
					   struct sk_buff *skb)
7060
{
7061
	struct hci_evt_le_big_info_adv_report *ev = data;
7062
	int mask = hdev->link_mode;
7063
	__u8 flags = 0;
7064
	struct hci_conn *pa_sync;
7065

7066
	bt_dev_dbg(hdev, "sync_handle 0x%4.4x", le16_to_cpu(ev->sync_handle));
7067

7068
	hci_dev_lock(hdev);
7069

7070
	mask |= hci_proto_connect_ind(hdev, BDADDR_ANY, BIS_LINK, &flags);
7071
	if (!(mask & HCI_LM_ACCEPT))
7072
		goto unlock;
7073

7074
	if (!(flags & HCI_PROTO_DEFER))
7075
		goto unlock;
7076

7077
	pa_sync = hci_conn_hash_lookup_pa_sync_handle
7078
			(hdev,
7079
			le16_to_cpu(ev->sync_handle));
7080

7081
	if (!pa_sync)
7082
		goto unlock;
7083

7084
	pa_sync->iso_qos.bcast.encryption = ev->encryption;
7085

7086
	/* Notify iso layer */
7087
	hci_connect_cfm(pa_sync, 0);
7088

7089
unlock:
7090
	hci_dev_unlock(hdev);
7091
}
7092

7093
#define HCI_LE_EV_VL(_op, _func, _min_len, _max_len) \
7094
[_op] = { \
7095
	.func = _func, \
7096
	.min_len = _min_len, \
7097
	.max_len = _max_len, \
7098
}
7099

7100
#define HCI_LE_EV(_op, _func, _len) \
7101
	HCI_LE_EV_VL(_op, _func, _len, _len)
7102

7103
#define HCI_LE_EV_STATUS(_op, _func) \
7104
	HCI_LE_EV(_op, _func, sizeof(struct hci_ev_status))
7105

7106
/* Entries in this table shall have their position according to the subevent
7107
 * opcode they handle so the use of the macros above is recommend since it does
7108
 * attempt to initialize at its proper index using Designated Initializers that
7109
 * way events without a callback function can be omitted.
7110
 */
7111
static const struct hci_le_ev {
7112
	void (*func)(struct hci_dev *hdev, void *data, struct sk_buff *skb);
7113
	u16  min_len;
7114
	u16  max_len;
7115
} hci_le_ev_table[U8_MAX + 1] = {
7116
	/* [0x01 = HCI_EV_LE_CONN_COMPLETE] */
7117
	HCI_LE_EV(HCI_EV_LE_CONN_COMPLETE, hci_le_conn_complete_evt,
7118
		  sizeof(struct hci_ev_le_conn_complete)),
7119
	/* [0x02 = HCI_EV_LE_ADVERTISING_REPORT] */
7120
	HCI_LE_EV_VL(HCI_EV_LE_ADVERTISING_REPORT, hci_le_adv_report_evt,
7121
		     sizeof(struct hci_ev_le_advertising_report),
7122
		     HCI_MAX_EVENT_SIZE),
7123
	/* [0x03 = HCI_EV_LE_CONN_UPDATE_COMPLETE] */
7124
	HCI_LE_EV(HCI_EV_LE_CONN_UPDATE_COMPLETE,
7125
		  hci_le_conn_update_complete_evt,
7126
		  sizeof(struct hci_ev_le_conn_update_complete)),
7127
	/* [0x04 = HCI_EV_LE_REMOTE_FEAT_COMPLETE] */
7128
	HCI_LE_EV(HCI_EV_LE_REMOTE_FEAT_COMPLETE,
7129
		  hci_le_remote_feat_complete_evt,
7130
		  sizeof(struct hci_ev_le_remote_feat_complete)),
7131
	/* [0x05 = HCI_EV_LE_LTK_REQ] */
7132
	HCI_LE_EV(HCI_EV_LE_LTK_REQ, hci_le_ltk_request_evt,
7133
		  sizeof(struct hci_ev_le_ltk_req)),
7134
	/* [0x06 = HCI_EV_LE_REMOTE_CONN_PARAM_REQ] */
7135
	HCI_LE_EV(HCI_EV_LE_REMOTE_CONN_PARAM_REQ,
7136
		  hci_le_remote_conn_param_req_evt,
7137
		  sizeof(struct hci_ev_le_remote_conn_param_req)),
7138
	/* [0x0a = HCI_EV_LE_ENHANCED_CONN_COMPLETE] */
7139
	HCI_LE_EV(HCI_EV_LE_ENHANCED_CONN_COMPLETE,
7140
		  hci_le_enh_conn_complete_evt,
7141
		  sizeof(struct hci_ev_le_enh_conn_complete)),
7142
	/* [0x0b = HCI_EV_LE_DIRECT_ADV_REPORT] */
7143
	HCI_LE_EV_VL(HCI_EV_LE_DIRECT_ADV_REPORT, hci_le_direct_adv_report_evt,
7144
		     sizeof(struct hci_ev_le_direct_adv_report),
7145
		     HCI_MAX_EVENT_SIZE),
7146
	/* [0x0c = HCI_EV_LE_PHY_UPDATE_COMPLETE] */
7147
	HCI_LE_EV(HCI_EV_LE_PHY_UPDATE_COMPLETE, hci_le_phy_update_evt,
7148
		  sizeof(struct hci_ev_le_phy_update_complete)),
7149
	/* [0x0d = HCI_EV_LE_EXT_ADV_REPORT] */
7150
	HCI_LE_EV_VL(HCI_EV_LE_EXT_ADV_REPORT, hci_le_ext_adv_report_evt,
7151
		     sizeof(struct hci_ev_le_ext_adv_report),
7152
		     HCI_MAX_EVENT_SIZE),
7153
	/* [0x0e = HCI_EV_LE_PA_SYNC_ESTABLISHED] */
7154
	HCI_LE_EV(HCI_EV_LE_PA_SYNC_ESTABLISHED,
7155
		  hci_le_pa_sync_established_evt,
7156
		  sizeof(struct hci_ev_le_pa_sync_established)),
7157
	/* [0x0f = HCI_EV_LE_PER_ADV_REPORT] */
7158
	HCI_LE_EV_VL(HCI_EV_LE_PER_ADV_REPORT,
7159
				 hci_le_per_adv_report_evt,
7160
				 sizeof(struct hci_ev_le_per_adv_report),
7161
				 HCI_MAX_EVENT_SIZE),
7162
	/* [0x12 = HCI_EV_LE_EXT_ADV_SET_TERM] */
7163
	HCI_LE_EV(HCI_EV_LE_EXT_ADV_SET_TERM, hci_le_ext_adv_term_evt,
7164
		  sizeof(struct hci_evt_le_ext_adv_set_term)),
7165
	/* [0x19 = HCI_EVT_LE_CIS_ESTABLISHED] */
7166
	HCI_LE_EV(HCI_EVT_LE_CIS_ESTABLISHED, hci_le_cis_established_evt,
7167
		  sizeof(struct hci_evt_le_cis_established)),
7168
	/* [0x1a = HCI_EVT_LE_CIS_REQ] */
7169
	HCI_LE_EV(HCI_EVT_LE_CIS_REQ, hci_le_cis_req_evt,
7170
		  sizeof(struct hci_evt_le_cis_req)),
7171
	/* [0x1b = HCI_EVT_LE_CREATE_BIG_COMPLETE] */
7172
	HCI_LE_EV_VL(HCI_EVT_LE_CREATE_BIG_COMPLETE,
7173
		     hci_le_create_big_complete_evt,
7174
		     sizeof(struct hci_evt_le_create_big_complete),
7175
		     HCI_MAX_EVENT_SIZE),
7176
	/* [0x1d = HCI_EV_LE_BIG_SYNC_ESTABLISHED] */
7177
	HCI_LE_EV_VL(HCI_EVT_LE_BIG_SYNC_ESTABLISHED,
7178
		     hci_le_big_sync_established_evt,
7179
		     sizeof(struct hci_evt_le_big_sync_established),
7180
		     HCI_MAX_EVENT_SIZE),
7181
	/* [0x1e = HCI_EVT_LE_BIG_SYNC_LOST] */
7182
	HCI_LE_EV_VL(HCI_EVT_LE_BIG_SYNC_LOST,
7183
		     hci_le_big_sync_lost_evt,
7184
		     sizeof(struct hci_evt_le_big_sync_lost),
7185
		     HCI_MAX_EVENT_SIZE),
7186
	/* [0x22 = HCI_EVT_LE_BIG_INFO_ADV_REPORT] */
7187
	HCI_LE_EV_VL(HCI_EVT_LE_BIG_INFO_ADV_REPORT,
7188
		     hci_le_big_info_adv_report_evt,
7189
		     sizeof(struct hci_evt_le_big_info_adv_report),
7190
		     HCI_MAX_EVENT_SIZE),
7191
};
7192

7193
static void hci_le_meta_evt(struct hci_dev *hdev, void *data,
7194
			    struct sk_buff *skb, u16 *opcode, u8 *status,
7195
			    hci_req_complete_t *req_complete,
7196
			    hci_req_complete_skb_t *req_complete_skb)
7197
{
7198
	struct hci_ev_le_meta *ev = data;
7199
	const struct hci_le_ev *subev;
7200

7201
	bt_dev_dbg(hdev, "subevent 0x%2.2x", ev->subevent);
7202

7203
	/* Only match event if command OGF is for LE */
7204
	if (hdev->req_skb &&
7205
	   (hci_opcode_ogf(hci_skb_opcode(hdev->req_skb)) == 0x08 ||
7206
	    hci_skb_opcode(hdev->req_skb) == HCI_OP_NOP) &&
7207
	    hci_skb_event(hdev->req_skb) == ev->subevent) {
7208
		*opcode = hci_skb_opcode(hdev->req_skb);
7209
		hci_req_cmd_complete(hdev, *opcode, 0x00, req_complete,
7210
				     req_complete_skb);
7211
	}
7212

7213
	subev = &hci_le_ev_table[ev->subevent];
7214
	if (!subev->func)
7215
		return;
7216

7217
	if (skb->len < subev->min_len) {
7218
		bt_dev_err(hdev, "unexpected subevent 0x%2.2x length: %u < %u",
7219
			   ev->subevent, skb->len, subev->min_len);
7220
		return;
7221
	}
7222

7223
	/* Just warn if the length is over max_len size it still be
7224
	 * possible to partially parse the event so leave to callback to
7225
	 * decide if that is acceptable.
7226
	 */
7227
	if (skb->len > subev->max_len)
7228
		bt_dev_warn(hdev, "unexpected subevent 0x%2.2x length: %u > %u",
7229
			    ev->subevent, skb->len, subev->max_len);
7230
	data = hci_le_ev_skb_pull(hdev, skb, ev->subevent, subev->min_len);
7231
	if (!data)
7232
		return;
7233

7234
	subev->func(hdev, data, skb);
7235
}
7236

7237
static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
7238
				 u8 event, struct sk_buff *skb)
7239
{
7240
	struct hci_ev_cmd_complete *ev;
7241
	struct hci_event_hdr *hdr;
7242

7243
	if (!skb)
7244
		return false;
7245

7246
	hdr = hci_ev_skb_pull(hdev, skb, event, sizeof(*hdr));
7247
	if (!hdr)
7248
		return false;
7249

7250
	if (event) {
7251
		if (hdr->evt != event)
7252
			return false;
7253
		return true;
7254
	}
7255

7256
	/* Check if request ended in Command Status - no way to retrieve
7257
	 * any extra parameters in this case.
7258
	 */
7259
	if (hdr->evt == HCI_EV_CMD_STATUS)
7260
		return false;
7261

7262
	if (hdr->evt != HCI_EV_CMD_COMPLETE) {
7263
		bt_dev_err(hdev, "last event is not cmd complete (0x%2.2x)",
7264
			   hdr->evt);
7265
		return false;
7266
	}
7267

7268
	ev = hci_cc_skb_pull(hdev, skb, opcode, sizeof(*ev));
7269
	if (!ev)
7270
		return false;
7271

7272
	if (opcode != __le16_to_cpu(ev->opcode)) {
7273
		BT_DBG("opcode doesn't match (0x%2.2x != 0x%2.2x)", opcode,
7274
		       __le16_to_cpu(ev->opcode));
7275
		return false;
7276
	}
7277

7278
	return true;
7279
}
7280

7281
static void hci_store_wake_reason(struct hci_dev *hdev, u8 event,
7282
				  struct sk_buff *skb)
7283
{
7284
	struct hci_ev_le_advertising_info *adv;
7285
	struct hci_ev_le_direct_adv_info *direct_adv;
7286
	struct hci_ev_le_ext_adv_info *ext_adv;
7287
	const struct hci_ev_conn_complete *conn_complete = (void *)skb->data;
7288
	const struct hci_ev_conn_request *conn_request = (void *)skb->data;
7289

7290
	hci_dev_lock(hdev);
7291

7292
	/* If we are currently suspended and this is the first BT event seen,
7293
	 * save the wake reason associated with the event.
7294
	 */
7295
	if (!hdev->suspended || hdev->wake_reason)
7296
		goto unlock;
7297

7298
	/* Default to remote wake. Values for wake_reason are documented in the
7299
	 * Bluez mgmt api docs.
7300
	 */
7301
	hdev->wake_reason = MGMT_WAKE_REASON_REMOTE_WAKE;
7302

7303
	/* Once configured for remote wakeup, we should only wake up for
7304
	 * reconnections. It's useful to see which device is waking us up so
7305
	 * keep track of the bdaddr of the connection event that woke us up.
7306
	 */
7307
	if (event == HCI_EV_CONN_REQUEST) {
7308
		bacpy(&hdev->wake_addr, &conn_request->bdaddr);
7309
		hdev->wake_addr_type = BDADDR_BREDR;
7310
	} else if (event == HCI_EV_CONN_COMPLETE) {
7311
		bacpy(&hdev->wake_addr, &conn_complete->bdaddr);
7312
		hdev->wake_addr_type = BDADDR_BREDR;
7313
	} else if (event == HCI_EV_LE_META) {
7314
		struct hci_ev_le_meta *le_ev = (void *)skb->data;
7315
		u8 subevent = le_ev->subevent;
7316
		u8 *ptr = &skb->data[sizeof(*le_ev)];
7317
		u8 num_reports = *ptr;
7318

7319
		if ((subevent == HCI_EV_LE_ADVERTISING_REPORT ||
7320
		     subevent == HCI_EV_LE_DIRECT_ADV_REPORT ||
7321
		     subevent == HCI_EV_LE_EXT_ADV_REPORT) &&
7322
		    num_reports) {
7323
			adv = (void *)(ptr + 1);
7324
			direct_adv = (void *)(ptr + 1);
7325
			ext_adv = (void *)(ptr + 1);
7326

7327
			switch (subevent) {
7328
			case HCI_EV_LE_ADVERTISING_REPORT:
7329
				bacpy(&hdev->wake_addr, &adv->bdaddr);
7330
				hdev->wake_addr_type = adv->bdaddr_type;
7331
				break;
7332
			case HCI_EV_LE_DIRECT_ADV_REPORT:
7333
				bacpy(&hdev->wake_addr, &direct_adv->bdaddr);
7334
				hdev->wake_addr_type = direct_adv->bdaddr_type;
7335
				break;
7336
			case HCI_EV_LE_EXT_ADV_REPORT:
7337
				bacpy(&hdev->wake_addr, &ext_adv->bdaddr);
7338
				hdev->wake_addr_type = ext_adv->bdaddr_type;
7339
				break;
7340
			}
7341
		}
7342
	} else {
7343
		hdev->wake_reason = MGMT_WAKE_REASON_UNEXPECTED;
7344
	}
7345

7346
unlock:
7347
	hci_dev_unlock(hdev);
7348
}
7349

7350
#define HCI_EV_VL(_op, _func, _min_len, _max_len) \
7351
[_op] = { \
7352
	.req = false, \
7353
	.func = _func, \
7354
	.min_len = _min_len, \
7355
	.max_len = _max_len, \
7356
}
7357

7358
#define HCI_EV(_op, _func, _len) \
7359
	HCI_EV_VL(_op, _func, _len, _len)
7360

7361
#define HCI_EV_STATUS(_op, _func) \
7362
	HCI_EV(_op, _func, sizeof(struct hci_ev_status))
7363

7364
#define HCI_EV_REQ_VL(_op, _func, _min_len, _max_len) \
7365
[_op] = { \
7366
	.req = true, \
7367
	.func_req = _func, \
7368
	.min_len = _min_len, \
7369
	.max_len = _max_len, \
7370
}
7371

7372
#define HCI_EV_REQ(_op, _func, _len) \
7373
	HCI_EV_REQ_VL(_op, _func, _len, _len)
7374

7375
/* Entries in this table shall have their position according to the event opcode
7376
 * they handle so the use of the macros above is recommend since it does attempt
7377
 * to initialize at its proper index using Designated Initializers that way
7378
 * events without a callback function don't have entered.
7379
 */
7380
static const struct hci_ev {
7381
	bool req;
7382
	union {
7383
		void (*func)(struct hci_dev *hdev, void *data,
7384
			     struct sk_buff *skb);
7385
		void (*func_req)(struct hci_dev *hdev, void *data,
7386
				 struct sk_buff *skb, u16 *opcode, u8 *status,
7387
				 hci_req_complete_t *req_complete,
7388
				 hci_req_complete_skb_t *req_complete_skb);
7389
	};
7390
	u16  min_len;
7391
	u16  max_len;
7392
} hci_ev_table[U8_MAX + 1] = {
7393
	/* [0x01 = HCI_EV_INQUIRY_COMPLETE] */
7394
	HCI_EV_STATUS(HCI_EV_INQUIRY_COMPLETE, hci_inquiry_complete_evt),
7395
	/* [0x02 = HCI_EV_INQUIRY_RESULT] */
7396
	HCI_EV_VL(HCI_EV_INQUIRY_RESULT, hci_inquiry_result_evt,
7397
		  sizeof(struct hci_ev_inquiry_result), HCI_MAX_EVENT_SIZE),
7398
	/* [0x03 = HCI_EV_CONN_COMPLETE] */
7399
	HCI_EV(HCI_EV_CONN_COMPLETE, hci_conn_complete_evt,
7400
	       sizeof(struct hci_ev_conn_complete)),
7401
	/* [0x04 = HCI_EV_CONN_REQUEST] */
7402
	HCI_EV(HCI_EV_CONN_REQUEST, hci_conn_request_evt,
7403
	       sizeof(struct hci_ev_conn_request)),
7404
	/* [0x05 = HCI_EV_DISCONN_COMPLETE] */
7405
	HCI_EV(HCI_EV_DISCONN_COMPLETE, hci_disconn_complete_evt,
7406
	       sizeof(struct hci_ev_disconn_complete)),
7407
	/* [0x06 = HCI_EV_AUTH_COMPLETE] */
7408
	HCI_EV(HCI_EV_AUTH_COMPLETE, hci_auth_complete_evt,
7409
	       sizeof(struct hci_ev_auth_complete)),
7410
	/* [0x07 = HCI_EV_REMOTE_NAME] */
7411
	HCI_EV(HCI_EV_REMOTE_NAME, hci_remote_name_evt,
7412
	       sizeof(struct hci_ev_remote_name)),
7413
	/* [0x08 = HCI_EV_ENCRYPT_CHANGE] */
7414
	HCI_EV(HCI_EV_ENCRYPT_CHANGE, hci_encrypt_change_evt,
7415
	       sizeof(struct hci_ev_encrypt_change)),
7416
	/* [0x09 = HCI_EV_CHANGE_LINK_KEY_COMPLETE] */
7417
	HCI_EV(HCI_EV_CHANGE_LINK_KEY_COMPLETE,
7418
	       hci_change_link_key_complete_evt,
7419
	       sizeof(struct hci_ev_change_link_key_complete)),
7420
	/* [0x0b = HCI_EV_REMOTE_FEATURES] */
7421
	HCI_EV(HCI_EV_REMOTE_FEATURES, hci_remote_features_evt,
7422
	       sizeof(struct hci_ev_remote_features)),
7423
	/* [0x0e = HCI_EV_CMD_COMPLETE] */
7424
	HCI_EV_REQ_VL(HCI_EV_CMD_COMPLETE, hci_cmd_complete_evt,
7425
		      sizeof(struct hci_ev_cmd_complete), HCI_MAX_EVENT_SIZE),
7426
	/* [0x0f = HCI_EV_CMD_STATUS] */
7427
	HCI_EV_REQ(HCI_EV_CMD_STATUS, hci_cmd_status_evt,
7428
		   sizeof(struct hci_ev_cmd_status)),
7429
	/* [0x10 = HCI_EV_CMD_STATUS] */
7430
	HCI_EV(HCI_EV_HARDWARE_ERROR, hci_hardware_error_evt,
7431
	       sizeof(struct hci_ev_hardware_error)),
7432
	/* [0x12 = HCI_EV_ROLE_CHANGE] */
7433
	HCI_EV(HCI_EV_ROLE_CHANGE, hci_role_change_evt,
7434
	       sizeof(struct hci_ev_role_change)),
7435
	/* [0x13 = HCI_EV_NUM_COMP_PKTS] */
7436
	HCI_EV_VL(HCI_EV_NUM_COMP_PKTS, hci_num_comp_pkts_evt,
7437
		  sizeof(struct hci_ev_num_comp_pkts), HCI_MAX_EVENT_SIZE),
7438
	/* [0x14 = HCI_EV_MODE_CHANGE] */
7439
	HCI_EV(HCI_EV_MODE_CHANGE, hci_mode_change_evt,
7440
	       sizeof(struct hci_ev_mode_change)),
7441
	/* [0x16 = HCI_EV_PIN_CODE_REQ] */
7442
	HCI_EV(HCI_EV_PIN_CODE_REQ, hci_pin_code_request_evt,
7443
	       sizeof(struct hci_ev_pin_code_req)),
7444
	/* [0x17 = HCI_EV_LINK_KEY_REQ] */
7445
	HCI_EV(HCI_EV_LINK_KEY_REQ, hci_link_key_request_evt,
7446
	       sizeof(struct hci_ev_link_key_req)),
7447
	/* [0x18 = HCI_EV_LINK_KEY_NOTIFY] */
7448
	HCI_EV(HCI_EV_LINK_KEY_NOTIFY, hci_link_key_notify_evt,
7449
	       sizeof(struct hci_ev_link_key_notify)),
7450
	/* [0x1c = HCI_EV_CLOCK_OFFSET] */
7451
	HCI_EV(HCI_EV_CLOCK_OFFSET, hci_clock_offset_evt,
7452
	       sizeof(struct hci_ev_clock_offset)),
7453
	/* [0x1d = HCI_EV_PKT_TYPE_CHANGE] */
7454
	HCI_EV(HCI_EV_PKT_TYPE_CHANGE, hci_pkt_type_change_evt,
7455
	       sizeof(struct hci_ev_pkt_type_change)),
7456
	/* [0x20 = HCI_EV_PSCAN_REP_MODE] */
7457
	HCI_EV(HCI_EV_PSCAN_REP_MODE, hci_pscan_rep_mode_evt,
7458
	       sizeof(struct hci_ev_pscan_rep_mode)),
7459
	/* [0x22 = HCI_EV_INQUIRY_RESULT_WITH_RSSI] */
7460
	HCI_EV_VL(HCI_EV_INQUIRY_RESULT_WITH_RSSI,
7461
		  hci_inquiry_result_with_rssi_evt,
7462
		  sizeof(struct hci_ev_inquiry_result_rssi),
7463
		  HCI_MAX_EVENT_SIZE),
7464
	/* [0x23 = HCI_EV_REMOTE_EXT_FEATURES] */
7465
	HCI_EV(HCI_EV_REMOTE_EXT_FEATURES, hci_remote_ext_features_evt,
7466
	       sizeof(struct hci_ev_remote_ext_features)),
7467
	/* [0x2c = HCI_EV_SYNC_CONN_COMPLETE] */
7468
	HCI_EV(HCI_EV_SYNC_CONN_COMPLETE, hci_sync_conn_complete_evt,
7469
	       sizeof(struct hci_ev_sync_conn_complete)),
7470
	/* [0x2f = HCI_EV_EXTENDED_INQUIRY_RESULT] */
7471
	HCI_EV_VL(HCI_EV_EXTENDED_INQUIRY_RESULT,
7472
		  hci_extended_inquiry_result_evt,
7473
		  sizeof(struct hci_ev_ext_inquiry_result), HCI_MAX_EVENT_SIZE),
7474
	/* [0x30 = HCI_EV_KEY_REFRESH_COMPLETE] */
7475
	HCI_EV(HCI_EV_KEY_REFRESH_COMPLETE, hci_key_refresh_complete_evt,
7476
	       sizeof(struct hci_ev_key_refresh_complete)),
7477
	/* [0x31 = HCI_EV_IO_CAPA_REQUEST] */
7478
	HCI_EV(HCI_EV_IO_CAPA_REQUEST, hci_io_capa_request_evt,
7479
	       sizeof(struct hci_ev_io_capa_request)),
7480
	/* [0x32 = HCI_EV_IO_CAPA_REPLY] */
7481
	HCI_EV(HCI_EV_IO_CAPA_REPLY, hci_io_capa_reply_evt,
7482
	       sizeof(struct hci_ev_io_capa_reply)),
7483
	/* [0x33 = HCI_EV_USER_CONFIRM_REQUEST] */
7484
	HCI_EV(HCI_EV_USER_CONFIRM_REQUEST, hci_user_confirm_request_evt,
7485
	       sizeof(struct hci_ev_user_confirm_req)),
7486
	/* [0x34 = HCI_EV_USER_PASSKEY_REQUEST] */
7487
	HCI_EV(HCI_EV_USER_PASSKEY_REQUEST, hci_user_passkey_request_evt,
7488
	       sizeof(struct hci_ev_user_passkey_req)),
7489
	/* [0x35 = HCI_EV_REMOTE_OOB_DATA_REQUEST] */
7490
	HCI_EV(HCI_EV_REMOTE_OOB_DATA_REQUEST, hci_remote_oob_data_request_evt,
7491
	       sizeof(struct hci_ev_remote_oob_data_request)),
7492
	/* [0x36 = HCI_EV_SIMPLE_PAIR_COMPLETE] */
7493
	HCI_EV(HCI_EV_SIMPLE_PAIR_COMPLETE, hci_simple_pair_complete_evt,
7494
	       sizeof(struct hci_ev_simple_pair_complete)),
7495
	/* [0x3b = HCI_EV_USER_PASSKEY_NOTIFY] */
7496
	HCI_EV(HCI_EV_USER_PASSKEY_NOTIFY, hci_user_passkey_notify_evt,
7497
	       sizeof(struct hci_ev_user_passkey_notify)),
7498
	/* [0x3c = HCI_EV_KEYPRESS_NOTIFY] */
7499
	HCI_EV(HCI_EV_KEYPRESS_NOTIFY, hci_keypress_notify_evt,
7500
	       sizeof(struct hci_ev_keypress_notify)),
7501
	/* [0x3d = HCI_EV_REMOTE_HOST_FEATURES] */
7502
	HCI_EV(HCI_EV_REMOTE_HOST_FEATURES, hci_remote_host_features_evt,
7503
	       sizeof(struct hci_ev_remote_host_features)),
7504
	/* [0x3e = HCI_EV_LE_META] */
7505
	HCI_EV_REQ_VL(HCI_EV_LE_META, hci_le_meta_evt,
7506
		      sizeof(struct hci_ev_le_meta), HCI_MAX_EVENT_SIZE),
7507
	/* [0xff = HCI_EV_VENDOR] */
7508
	HCI_EV_VL(HCI_EV_VENDOR, msft_vendor_evt, 0, HCI_MAX_EVENT_SIZE),
7509
};
7510

7511
static void hci_event_func(struct hci_dev *hdev, u8 event, struct sk_buff *skb,
7512
			   u16 *opcode, u8 *status,
7513
			   hci_req_complete_t *req_complete,
7514
			   hci_req_complete_skb_t *req_complete_skb)
7515
{
7516
	const struct hci_ev *ev = &hci_ev_table[event];
7517
	void *data;
7518

7519
	if (!ev->func)
7520
		return;
7521

7522
	if (skb->len < ev->min_len) {
7523
		bt_dev_err(hdev, "unexpected event 0x%2.2x length: %u < %u",
7524
			   event, skb->len, ev->min_len);
7525
		return;
7526
	}
7527

7528
	/* Just warn if the length is over max_len size it still be
7529
	 * possible to partially parse the event so leave to callback to
7530
	 * decide if that is acceptable.
7531
	 */
7532
	if (skb->len > ev->max_len)
7533
		bt_dev_warn_ratelimited(hdev,
7534
					"unexpected event 0x%2.2x length: %u > %u",
7535
					event, skb->len, ev->max_len);
7536

7537
	data = hci_ev_skb_pull(hdev, skb, event, ev->min_len);
7538
	if (!data)
7539
		return;
7540

7541
	if (ev->req)
7542
		ev->func_req(hdev, data, skb, opcode, status, req_complete,
7543
			     req_complete_skb);
7544
	else
7545
		ev->func(hdev, data, skb);
7546
}
7547

7548
void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
7549
{
7550
	struct hci_event_hdr *hdr = (void *) skb->data;
7551
	hci_req_complete_t req_complete = NULL;
7552
	hci_req_complete_skb_t req_complete_skb = NULL;
7553
	struct sk_buff *orig_skb = NULL;
7554
	u8 status = 0, event, req_evt = 0;
7555
	u16 opcode = HCI_OP_NOP;
7556

7557
	if (skb->len < sizeof(*hdr)) {
7558
		bt_dev_err(hdev, "Malformed HCI Event");
7559
		goto done;
7560
	}
7561

7562
	hci_dev_lock(hdev);
7563
	kfree_skb(hdev->recv_event);
7564
	hdev->recv_event = skb_clone(skb, GFP_KERNEL);
7565
	hci_dev_unlock(hdev);
7566

7567
	event = hdr->evt;
7568
	if (!event) {
7569
		bt_dev_warn(hdev, "Received unexpected HCI Event 0x%2.2x",
7570
			    event);
7571
		goto done;
7572
	}
7573

7574
	/* Only match event if command OGF is not for LE */
7575
	if (hdev->req_skb &&
7576
	    hci_opcode_ogf(hci_skb_opcode(hdev->req_skb)) != 0x08 &&
7577
	    hci_skb_event(hdev->req_skb) == event) {
7578
		hci_req_cmd_complete(hdev, hci_skb_opcode(hdev->req_skb),
7579
				     status, &req_complete, &req_complete_skb);
7580
		req_evt = event;
7581
	}
7582

7583
	/* If it looks like we might end up having to call
7584
	 * req_complete_skb, store a pristine copy of the skb since the
7585
	 * various handlers may modify the original one through
7586
	 * skb_pull() calls, etc.
7587
	 */
7588
	if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
7589
	    event == HCI_EV_CMD_COMPLETE)
7590
		orig_skb = skb_clone(skb, GFP_KERNEL);
7591

7592
	skb_pull(skb, HCI_EVENT_HDR_SIZE);
7593

7594
	/* Store wake reason if we're suspended */
7595
	hci_store_wake_reason(hdev, event, skb);
7596

7597
	bt_dev_dbg(hdev, "event 0x%2.2x", event);
7598

7599
	hci_event_func(hdev, event, skb, &opcode, &status, &req_complete,
7600
		       &req_complete_skb);
7601

7602
	if (req_complete) {
7603
		req_complete(hdev, status, opcode);
7604
	} else if (req_complete_skb) {
7605
		if (!hci_get_cmd_complete(hdev, opcode, req_evt, orig_skb)) {
7606
			kfree_skb(orig_skb);
7607
			orig_skb = NULL;
7608
		}
7609
		req_complete_skb(hdev, status, opcode, orig_skb);
7610
	}
7611

7612
done:
7613
	kfree_skb(orig_skb);
7614
	kfree_skb(skb);
7615
	hdev->stat.evt_rx++;
7616
}
7617

7618