xref: /openbmc/linux/net/bluetooth/mgmt.c (revision 151f4e2b)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3 
4    Copyright (C) 2010  Nokia Corporation
5    Copyright (C) 2011-2012 Intel Corporation
6 
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License version 2 as
9    published by the Free Software Foundation;
10 
11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 
20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22    SOFTWARE IS DISCLAIMED.
23 */
24 
25 /* Bluetooth HCI Management interface */
26 
27 #include <linux/module.h>
28 #include <asm/unaligned.h>
29 
30 #include <net/bluetooth/bluetooth.h>
31 #include <net/bluetooth/hci_core.h>
32 #include <net/bluetooth/hci_sock.h>
33 #include <net/bluetooth/l2cap.h>
34 #include <net/bluetooth/mgmt.h>
35 
36 #include "hci_request.h"
37 #include "smp.h"
38 #include "mgmt_util.h"
39 
40 #define MGMT_VERSION	1
41 #define MGMT_REVISION	14
42 
43 static const u16 mgmt_commands[] = {
44 	MGMT_OP_READ_INDEX_LIST,
45 	MGMT_OP_READ_INFO,
46 	MGMT_OP_SET_POWERED,
47 	MGMT_OP_SET_DISCOVERABLE,
48 	MGMT_OP_SET_CONNECTABLE,
49 	MGMT_OP_SET_FAST_CONNECTABLE,
50 	MGMT_OP_SET_BONDABLE,
51 	MGMT_OP_SET_LINK_SECURITY,
52 	MGMT_OP_SET_SSP,
53 	MGMT_OP_SET_HS,
54 	MGMT_OP_SET_LE,
55 	MGMT_OP_SET_DEV_CLASS,
56 	MGMT_OP_SET_LOCAL_NAME,
57 	MGMT_OP_ADD_UUID,
58 	MGMT_OP_REMOVE_UUID,
59 	MGMT_OP_LOAD_LINK_KEYS,
60 	MGMT_OP_LOAD_LONG_TERM_KEYS,
61 	MGMT_OP_DISCONNECT,
62 	MGMT_OP_GET_CONNECTIONS,
63 	MGMT_OP_PIN_CODE_REPLY,
64 	MGMT_OP_PIN_CODE_NEG_REPLY,
65 	MGMT_OP_SET_IO_CAPABILITY,
66 	MGMT_OP_PAIR_DEVICE,
67 	MGMT_OP_CANCEL_PAIR_DEVICE,
68 	MGMT_OP_UNPAIR_DEVICE,
69 	MGMT_OP_USER_CONFIRM_REPLY,
70 	MGMT_OP_USER_CONFIRM_NEG_REPLY,
71 	MGMT_OP_USER_PASSKEY_REPLY,
72 	MGMT_OP_USER_PASSKEY_NEG_REPLY,
73 	MGMT_OP_READ_LOCAL_OOB_DATA,
74 	MGMT_OP_ADD_REMOTE_OOB_DATA,
75 	MGMT_OP_REMOVE_REMOTE_OOB_DATA,
76 	MGMT_OP_START_DISCOVERY,
77 	MGMT_OP_STOP_DISCOVERY,
78 	MGMT_OP_CONFIRM_NAME,
79 	MGMT_OP_BLOCK_DEVICE,
80 	MGMT_OP_UNBLOCK_DEVICE,
81 	MGMT_OP_SET_DEVICE_ID,
82 	MGMT_OP_SET_ADVERTISING,
83 	MGMT_OP_SET_BREDR,
84 	MGMT_OP_SET_STATIC_ADDRESS,
85 	MGMT_OP_SET_SCAN_PARAMS,
86 	MGMT_OP_SET_SECURE_CONN,
87 	MGMT_OP_SET_DEBUG_KEYS,
88 	MGMT_OP_SET_PRIVACY,
89 	MGMT_OP_LOAD_IRKS,
90 	MGMT_OP_GET_CONN_INFO,
91 	MGMT_OP_GET_CLOCK_INFO,
92 	MGMT_OP_ADD_DEVICE,
93 	MGMT_OP_REMOVE_DEVICE,
94 	MGMT_OP_LOAD_CONN_PARAM,
95 	MGMT_OP_READ_UNCONF_INDEX_LIST,
96 	MGMT_OP_READ_CONFIG_INFO,
97 	MGMT_OP_SET_EXTERNAL_CONFIG,
98 	MGMT_OP_SET_PUBLIC_ADDRESS,
99 	MGMT_OP_START_SERVICE_DISCOVERY,
100 	MGMT_OP_READ_LOCAL_OOB_EXT_DATA,
101 	MGMT_OP_READ_EXT_INDEX_LIST,
102 	MGMT_OP_READ_ADV_FEATURES,
103 	MGMT_OP_ADD_ADVERTISING,
104 	MGMT_OP_REMOVE_ADVERTISING,
105 	MGMT_OP_GET_ADV_SIZE_INFO,
106 	MGMT_OP_START_LIMITED_DISCOVERY,
107 	MGMT_OP_READ_EXT_INFO,
108 	MGMT_OP_SET_APPEARANCE,
109 };
110 
111 static const u16 mgmt_events[] = {
112 	MGMT_EV_CONTROLLER_ERROR,
113 	MGMT_EV_INDEX_ADDED,
114 	MGMT_EV_INDEX_REMOVED,
115 	MGMT_EV_NEW_SETTINGS,
116 	MGMT_EV_CLASS_OF_DEV_CHANGED,
117 	MGMT_EV_LOCAL_NAME_CHANGED,
118 	MGMT_EV_NEW_LINK_KEY,
119 	MGMT_EV_NEW_LONG_TERM_KEY,
120 	MGMT_EV_DEVICE_CONNECTED,
121 	MGMT_EV_DEVICE_DISCONNECTED,
122 	MGMT_EV_CONNECT_FAILED,
123 	MGMT_EV_PIN_CODE_REQUEST,
124 	MGMT_EV_USER_CONFIRM_REQUEST,
125 	MGMT_EV_USER_PASSKEY_REQUEST,
126 	MGMT_EV_AUTH_FAILED,
127 	MGMT_EV_DEVICE_FOUND,
128 	MGMT_EV_DISCOVERING,
129 	MGMT_EV_DEVICE_BLOCKED,
130 	MGMT_EV_DEVICE_UNBLOCKED,
131 	MGMT_EV_DEVICE_UNPAIRED,
132 	MGMT_EV_PASSKEY_NOTIFY,
133 	MGMT_EV_NEW_IRK,
134 	MGMT_EV_NEW_CSRK,
135 	MGMT_EV_DEVICE_ADDED,
136 	MGMT_EV_DEVICE_REMOVED,
137 	MGMT_EV_NEW_CONN_PARAM,
138 	MGMT_EV_UNCONF_INDEX_ADDED,
139 	MGMT_EV_UNCONF_INDEX_REMOVED,
140 	MGMT_EV_NEW_CONFIG_OPTIONS,
141 	MGMT_EV_EXT_INDEX_ADDED,
142 	MGMT_EV_EXT_INDEX_REMOVED,
143 	MGMT_EV_LOCAL_OOB_DATA_UPDATED,
144 	MGMT_EV_ADVERTISING_ADDED,
145 	MGMT_EV_ADVERTISING_REMOVED,
146 	MGMT_EV_EXT_INFO_CHANGED,
147 };
148 
149 static const u16 mgmt_untrusted_commands[] = {
150 	MGMT_OP_READ_INDEX_LIST,
151 	MGMT_OP_READ_INFO,
152 	MGMT_OP_READ_UNCONF_INDEX_LIST,
153 	MGMT_OP_READ_CONFIG_INFO,
154 	MGMT_OP_READ_EXT_INDEX_LIST,
155 	MGMT_OP_READ_EXT_INFO,
156 };
157 
158 static const u16 mgmt_untrusted_events[] = {
159 	MGMT_EV_INDEX_ADDED,
160 	MGMT_EV_INDEX_REMOVED,
161 	MGMT_EV_NEW_SETTINGS,
162 	MGMT_EV_CLASS_OF_DEV_CHANGED,
163 	MGMT_EV_LOCAL_NAME_CHANGED,
164 	MGMT_EV_UNCONF_INDEX_ADDED,
165 	MGMT_EV_UNCONF_INDEX_REMOVED,
166 	MGMT_EV_NEW_CONFIG_OPTIONS,
167 	MGMT_EV_EXT_INDEX_ADDED,
168 	MGMT_EV_EXT_INDEX_REMOVED,
169 	MGMT_EV_EXT_INFO_CHANGED,
170 };
171 
172 #define CACHE_TIMEOUT	msecs_to_jiffies(2 * 1000)
173 
174 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
175 		 "\x00\x00\x00\x00\x00\x00\x00\x00"
176 
177 /* HCI to MGMT error code conversion table */
178 static u8 mgmt_status_table[] = {
179 	MGMT_STATUS_SUCCESS,
180 	MGMT_STATUS_UNKNOWN_COMMAND,	/* Unknown Command */
181 	MGMT_STATUS_NOT_CONNECTED,	/* No Connection */
182 	MGMT_STATUS_FAILED,		/* Hardware Failure */
183 	MGMT_STATUS_CONNECT_FAILED,	/* Page Timeout */
184 	MGMT_STATUS_AUTH_FAILED,	/* Authentication Failed */
185 	MGMT_STATUS_AUTH_FAILED,	/* PIN or Key Missing */
186 	MGMT_STATUS_NO_RESOURCES,	/* Memory Full */
187 	MGMT_STATUS_TIMEOUT,		/* Connection Timeout */
188 	MGMT_STATUS_NO_RESOURCES,	/* Max Number of Connections */
189 	MGMT_STATUS_NO_RESOURCES,	/* Max Number of SCO Connections */
190 	MGMT_STATUS_ALREADY_CONNECTED,	/* ACL Connection Exists */
191 	MGMT_STATUS_BUSY,		/* Command Disallowed */
192 	MGMT_STATUS_NO_RESOURCES,	/* Rejected Limited Resources */
193 	MGMT_STATUS_REJECTED,		/* Rejected Security */
194 	MGMT_STATUS_REJECTED,		/* Rejected Personal */
195 	MGMT_STATUS_TIMEOUT,		/* Host Timeout */
196 	MGMT_STATUS_NOT_SUPPORTED,	/* Unsupported Feature */
197 	MGMT_STATUS_INVALID_PARAMS,	/* Invalid Parameters */
198 	MGMT_STATUS_DISCONNECTED,	/* OE User Ended Connection */
199 	MGMT_STATUS_NO_RESOURCES,	/* OE Low Resources */
200 	MGMT_STATUS_DISCONNECTED,	/* OE Power Off */
201 	MGMT_STATUS_DISCONNECTED,	/* Connection Terminated */
202 	MGMT_STATUS_BUSY,		/* Repeated Attempts */
203 	MGMT_STATUS_REJECTED,		/* Pairing Not Allowed */
204 	MGMT_STATUS_FAILED,		/* Unknown LMP PDU */
205 	MGMT_STATUS_NOT_SUPPORTED,	/* Unsupported Remote Feature */
206 	MGMT_STATUS_REJECTED,		/* SCO Offset Rejected */
207 	MGMT_STATUS_REJECTED,		/* SCO Interval Rejected */
208 	MGMT_STATUS_REJECTED,		/* Air Mode Rejected */
209 	MGMT_STATUS_INVALID_PARAMS,	/* Invalid LMP Parameters */
210 	MGMT_STATUS_FAILED,		/* Unspecified Error */
211 	MGMT_STATUS_NOT_SUPPORTED,	/* Unsupported LMP Parameter Value */
212 	MGMT_STATUS_FAILED,		/* Role Change Not Allowed */
213 	MGMT_STATUS_TIMEOUT,		/* LMP Response Timeout */
214 	MGMT_STATUS_FAILED,		/* LMP Error Transaction Collision */
215 	MGMT_STATUS_FAILED,		/* LMP PDU Not Allowed */
216 	MGMT_STATUS_REJECTED,		/* Encryption Mode Not Accepted */
217 	MGMT_STATUS_FAILED,		/* Unit Link Key Used */
218 	MGMT_STATUS_NOT_SUPPORTED,	/* QoS Not Supported */
219 	MGMT_STATUS_TIMEOUT,		/* Instant Passed */
220 	MGMT_STATUS_NOT_SUPPORTED,	/* Pairing Not Supported */
221 	MGMT_STATUS_FAILED,		/* Transaction Collision */
222 	MGMT_STATUS_INVALID_PARAMS,	/* Unacceptable Parameter */
223 	MGMT_STATUS_REJECTED,		/* QoS Rejected */
224 	MGMT_STATUS_NOT_SUPPORTED,	/* Classification Not Supported */
225 	MGMT_STATUS_REJECTED,		/* Insufficient Security */
226 	MGMT_STATUS_INVALID_PARAMS,	/* Parameter Out Of Range */
227 	MGMT_STATUS_BUSY,		/* Role Switch Pending */
228 	MGMT_STATUS_FAILED,		/* Slot Violation */
229 	MGMT_STATUS_FAILED,		/* Role Switch Failed */
230 	MGMT_STATUS_INVALID_PARAMS,	/* EIR Too Large */
231 	MGMT_STATUS_NOT_SUPPORTED,	/* Simple Pairing Not Supported */
232 	MGMT_STATUS_BUSY,		/* Host Busy Pairing */
233 	MGMT_STATUS_REJECTED,		/* Rejected, No Suitable Channel */
234 	MGMT_STATUS_BUSY,		/* Controller Busy */
235 	MGMT_STATUS_INVALID_PARAMS,	/* Unsuitable Connection Interval */
236 	MGMT_STATUS_TIMEOUT,		/* Directed Advertising Timeout */
237 	MGMT_STATUS_AUTH_FAILED,	/* Terminated Due to MIC Failure */
238 	MGMT_STATUS_CONNECT_FAILED,	/* Connection Establishment Failed */
239 	MGMT_STATUS_CONNECT_FAILED,	/* MAC Connection Failed */
240 };
241 
242 static u8 mgmt_status(u8 hci_status)
243 {
244 	if (hci_status < ARRAY_SIZE(mgmt_status_table))
245 		return mgmt_status_table[hci_status];
246 
247 	return MGMT_STATUS_FAILED;
248 }
249 
250 static int mgmt_index_event(u16 event, struct hci_dev *hdev, void *data,
251 			    u16 len, int flag)
252 {
253 	return mgmt_send_event(event, hdev, HCI_CHANNEL_CONTROL, data, len,
254 			       flag, NULL);
255 }
256 
257 static int mgmt_limited_event(u16 event, struct hci_dev *hdev, void *data,
258 			      u16 len, int flag, struct sock *skip_sk)
259 {
260 	return mgmt_send_event(event, hdev, HCI_CHANNEL_CONTROL, data, len,
261 			       flag, skip_sk);
262 }
263 
264 static int mgmt_event(u16 event, struct hci_dev *hdev, void *data, u16 len,
265 		      struct sock *skip_sk)
266 {
267 	return mgmt_send_event(event, hdev, HCI_CHANNEL_CONTROL, data, len,
268 			       HCI_SOCK_TRUSTED, skip_sk);
269 }
270 
271 static u8 le_addr_type(u8 mgmt_addr_type)
272 {
273 	if (mgmt_addr_type == BDADDR_LE_PUBLIC)
274 		return ADDR_LE_DEV_PUBLIC;
275 	else
276 		return ADDR_LE_DEV_RANDOM;
277 }
278 
279 void mgmt_fill_version_info(void *ver)
280 {
281 	struct mgmt_rp_read_version *rp = ver;
282 
283 	rp->version = MGMT_VERSION;
284 	rp->revision = cpu_to_le16(MGMT_REVISION);
285 }
286 
287 static int read_version(struct sock *sk, struct hci_dev *hdev, void *data,
288 			u16 data_len)
289 {
290 	struct mgmt_rp_read_version rp;
291 
292 	BT_DBG("sock %p", sk);
293 
294 	mgmt_fill_version_info(&rp);
295 
296 	return mgmt_cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_VERSION, 0,
297 				 &rp, sizeof(rp));
298 }
299 
300 static int read_commands(struct sock *sk, struct hci_dev *hdev, void *data,
301 			 u16 data_len)
302 {
303 	struct mgmt_rp_read_commands *rp;
304 	u16 num_commands, num_events;
305 	size_t rp_size;
306 	int i, err;
307 
308 	BT_DBG("sock %p", sk);
309 
310 	if (hci_sock_test_flag(sk, HCI_SOCK_TRUSTED)) {
311 		num_commands = ARRAY_SIZE(mgmt_commands);
312 		num_events = ARRAY_SIZE(mgmt_events);
313 	} else {
314 		num_commands = ARRAY_SIZE(mgmt_untrusted_commands);
315 		num_events = ARRAY_SIZE(mgmt_untrusted_events);
316 	}
317 
318 	rp_size = sizeof(*rp) + ((num_commands + num_events) * sizeof(u16));
319 
320 	rp = kmalloc(rp_size, GFP_KERNEL);
321 	if (!rp)
322 		return -ENOMEM;
323 
324 	rp->num_commands = cpu_to_le16(num_commands);
325 	rp->num_events = cpu_to_le16(num_events);
326 
327 	if (hci_sock_test_flag(sk, HCI_SOCK_TRUSTED)) {
328 		__le16 *opcode = rp->opcodes;
329 
330 		for (i = 0; i < num_commands; i++, opcode++)
331 			put_unaligned_le16(mgmt_commands[i], opcode);
332 
333 		for (i = 0; i < num_events; i++, opcode++)
334 			put_unaligned_le16(mgmt_events[i], opcode);
335 	} else {
336 		__le16 *opcode = rp->opcodes;
337 
338 		for (i = 0; i < num_commands; i++, opcode++)
339 			put_unaligned_le16(mgmt_untrusted_commands[i], opcode);
340 
341 		for (i = 0; i < num_events; i++, opcode++)
342 			put_unaligned_le16(mgmt_untrusted_events[i], opcode);
343 	}
344 
345 	err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_COMMANDS, 0,
346 				rp, rp_size);
347 	kfree(rp);
348 
349 	return err;
350 }
351 
352 static int read_index_list(struct sock *sk, struct hci_dev *hdev, void *data,
353 			   u16 data_len)
354 {
355 	struct mgmt_rp_read_index_list *rp;
356 	struct hci_dev *d;
357 	size_t rp_len;
358 	u16 count;
359 	int err;
360 
361 	BT_DBG("sock %p", sk);
362 
363 	read_lock(&hci_dev_list_lock);
364 
365 	count = 0;
366 	list_for_each_entry(d, &hci_dev_list, list) {
367 		if (d->dev_type == HCI_PRIMARY &&
368 		    !hci_dev_test_flag(d, HCI_UNCONFIGURED))
369 			count++;
370 	}
371 
372 	rp_len = sizeof(*rp) + (2 * count);
373 	rp = kmalloc(rp_len, GFP_ATOMIC);
374 	if (!rp) {
375 		read_unlock(&hci_dev_list_lock);
376 		return -ENOMEM;
377 	}
378 
379 	count = 0;
380 	list_for_each_entry(d, &hci_dev_list, list) {
381 		if (hci_dev_test_flag(d, HCI_SETUP) ||
382 		    hci_dev_test_flag(d, HCI_CONFIG) ||
383 		    hci_dev_test_flag(d, HCI_USER_CHANNEL))
384 			continue;
385 
386 		/* Devices marked as raw-only are neither configured
387 		 * nor unconfigured controllers.
388 		 */
389 		if (test_bit(HCI_QUIRK_RAW_DEVICE, &d->quirks))
390 			continue;
391 
392 		if (d->dev_type == HCI_PRIMARY &&
393 		    !hci_dev_test_flag(d, HCI_UNCONFIGURED)) {
394 			rp->index[count++] = cpu_to_le16(d->id);
395 			BT_DBG("Added hci%u", d->id);
396 		}
397 	}
398 
399 	rp->num_controllers = cpu_to_le16(count);
400 	rp_len = sizeof(*rp) + (2 * count);
401 
402 	read_unlock(&hci_dev_list_lock);
403 
404 	err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_INDEX_LIST,
405 				0, rp, rp_len);
406 
407 	kfree(rp);
408 
409 	return err;
410 }
411 
412 static int read_unconf_index_list(struct sock *sk, struct hci_dev *hdev,
413 				  void *data, u16 data_len)
414 {
415 	struct mgmt_rp_read_unconf_index_list *rp;
416 	struct hci_dev *d;
417 	size_t rp_len;
418 	u16 count;
419 	int err;
420 
421 	BT_DBG("sock %p", sk);
422 
423 	read_lock(&hci_dev_list_lock);
424 
425 	count = 0;
426 	list_for_each_entry(d, &hci_dev_list, list) {
427 		if (d->dev_type == HCI_PRIMARY &&
428 		    hci_dev_test_flag(d, HCI_UNCONFIGURED))
429 			count++;
430 	}
431 
432 	rp_len = sizeof(*rp) + (2 * count);
433 	rp = kmalloc(rp_len, GFP_ATOMIC);
434 	if (!rp) {
435 		read_unlock(&hci_dev_list_lock);
436 		return -ENOMEM;
437 	}
438 
439 	count = 0;
440 	list_for_each_entry(d, &hci_dev_list, list) {
441 		if (hci_dev_test_flag(d, HCI_SETUP) ||
442 		    hci_dev_test_flag(d, HCI_CONFIG) ||
443 		    hci_dev_test_flag(d, HCI_USER_CHANNEL))
444 			continue;
445 
446 		/* Devices marked as raw-only are neither configured
447 		 * nor unconfigured controllers.
448 		 */
449 		if (test_bit(HCI_QUIRK_RAW_DEVICE, &d->quirks))
450 			continue;
451 
452 		if (d->dev_type == HCI_PRIMARY &&
453 		    hci_dev_test_flag(d, HCI_UNCONFIGURED)) {
454 			rp->index[count++] = cpu_to_le16(d->id);
455 			BT_DBG("Added hci%u", d->id);
456 		}
457 	}
458 
459 	rp->num_controllers = cpu_to_le16(count);
460 	rp_len = sizeof(*rp) + (2 * count);
461 
462 	read_unlock(&hci_dev_list_lock);
463 
464 	err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE,
465 				MGMT_OP_READ_UNCONF_INDEX_LIST, 0, rp, rp_len);
466 
467 	kfree(rp);
468 
469 	return err;
470 }
471 
472 static int read_ext_index_list(struct sock *sk, struct hci_dev *hdev,
473 			       void *data, u16 data_len)
474 {
475 	struct mgmt_rp_read_ext_index_list *rp;
476 	struct hci_dev *d;
477 	u16 count;
478 	int err;
479 
480 	BT_DBG("sock %p", sk);
481 
482 	read_lock(&hci_dev_list_lock);
483 
484 	count = 0;
485 	list_for_each_entry(d, &hci_dev_list, list) {
486 		if (d->dev_type == HCI_PRIMARY || d->dev_type == HCI_AMP)
487 			count++;
488 	}
489 
490 	rp = kmalloc(struct_size(rp, entry, count), GFP_ATOMIC);
491 	if (!rp) {
492 		read_unlock(&hci_dev_list_lock);
493 		return -ENOMEM;
494 	}
495 
496 	count = 0;
497 	list_for_each_entry(d, &hci_dev_list, list) {
498 		if (hci_dev_test_flag(d, HCI_SETUP) ||
499 		    hci_dev_test_flag(d, HCI_CONFIG) ||
500 		    hci_dev_test_flag(d, HCI_USER_CHANNEL))
501 			continue;
502 
503 		/* Devices marked as raw-only are neither configured
504 		 * nor unconfigured controllers.
505 		 */
506 		if (test_bit(HCI_QUIRK_RAW_DEVICE, &d->quirks))
507 			continue;
508 
509 		if (d->dev_type == HCI_PRIMARY) {
510 			if (hci_dev_test_flag(d, HCI_UNCONFIGURED))
511 				rp->entry[count].type = 0x01;
512 			else
513 				rp->entry[count].type = 0x00;
514 		} else if (d->dev_type == HCI_AMP) {
515 			rp->entry[count].type = 0x02;
516 		} else {
517 			continue;
518 		}
519 
520 		rp->entry[count].bus = d->bus;
521 		rp->entry[count++].index = cpu_to_le16(d->id);
522 		BT_DBG("Added hci%u", d->id);
523 	}
524 
525 	rp->num_controllers = cpu_to_le16(count);
526 
527 	read_unlock(&hci_dev_list_lock);
528 
529 	/* If this command is called at least once, then all the
530 	 * default index and unconfigured index events are disabled
531 	 * and from now on only extended index events are used.
532 	 */
533 	hci_sock_set_flag(sk, HCI_MGMT_EXT_INDEX_EVENTS);
534 	hci_sock_clear_flag(sk, HCI_MGMT_INDEX_EVENTS);
535 	hci_sock_clear_flag(sk, HCI_MGMT_UNCONF_INDEX_EVENTS);
536 
537 	err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE,
538 				MGMT_OP_READ_EXT_INDEX_LIST, 0, rp,
539 				struct_size(rp, entry, count));
540 
541 	kfree(rp);
542 
543 	return err;
544 }
545 
546 static bool is_configured(struct hci_dev *hdev)
547 {
548 	if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) &&
549 	    !hci_dev_test_flag(hdev, HCI_EXT_CONFIGURED))
550 		return false;
551 
552 	if ((test_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks) ||
553 	     test_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks)) &&
554 	    !bacmp(&hdev->public_addr, BDADDR_ANY))
555 		return false;
556 
557 	return true;
558 }
559 
560 static __le32 get_missing_options(struct hci_dev *hdev)
561 {
562 	u32 options = 0;
563 
564 	if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) &&
565 	    !hci_dev_test_flag(hdev, HCI_EXT_CONFIGURED))
566 		options |= MGMT_OPTION_EXTERNAL_CONFIG;
567 
568 	if ((test_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks) ||
569 	     test_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks)) &&
570 	    !bacmp(&hdev->public_addr, BDADDR_ANY))
571 		options |= MGMT_OPTION_PUBLIC_ADDRESS;
572 
573 	return cpu_to_le32(options);
574 }
575 
576 static int new_options(struct hci_dev *hdev, struct sock *skip)
577 {
578 	__le32 options = get_missing_options(hdev);
579 
580 	return mgmt_limited_event(MGMT_EV_NEW_CONFIG_OPTIONS, hdev, &options,
581 				  sizeof(options), HCI_MGMT_OPTION_EVENTS, skip);
582 }
583 
584 static int send_options_rsp(struct sock *sk, u16 opcode, struct hci_dev *hdev)
585 {
586 	__le32 options = get_missing_options(hdev);
587 
588 	return mgmt_cmd_complete(sk, hdev->id, opcode, 0, &options,
589 				 sizeof(options));
590 }
591 
592 static int read_config_info(struct sock *sk, struct hci_dev *hdev,
593 			    void *data, u16 data_len)
594 {
595 	struct mgmt_rp_read_config_info rp;
596 	u32 options = 0;
597 
598 	BT_DBG("sock %p %s", sk, hdev->name);
599 
600 	hci_dev_lock(hdev);
601 
602 	memset(&rp, 0, sizeof(rp));
603 	rp.manufacturer = cpu_to_le16(hdev->manufacturer);
604 
605 	if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks))
606 		options |= MGMT_OPTION_EXTERNAL_CONFIG;
607 
608 	if (hdev->set_bdaddr)
609 		options |= MGMT_OPTION_PUBLIC_ADDRESS;
610 
611 	rp.supported_options = cpu_to_le32(options);
612 	rp.missing_options = get_missing_options(hdev);
613 
614 	hci_dev_unlock(hdev);
615 
616 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_CONFIG_INFO, 0,
617 				 &rp, sizeof(rp));
618 }
619 
620 static u32 get_supported_phys(struct hci_dev *hdev)
621 {
622 	u32 supported_phys = 0;
623 
624 	if (lmp_bredr_capable(hdev)) {
625 		supported_phys |= MGMT_PHY_BR_1M_1SLOT;
626 
627 		if (hdev->features[0][0] & LMP_3SLOT)
628 			supported_phys |= MGMT_PHY_BR_1M_3SLOT;
629 
630 		if (hdev->features[0][0] & LMP_5SLOT)
631 			supported_phys |= MGMT_PHY_BR_1M_5SLOT;
632 
633 		if (lmp_edr_2m_capable(hdev)) {
634 			supported_phys |= MGMT_PHY_EDR_2M_1SLOT;
635 
636 			if (lmp_edr_3slot_capable(hdev))
637 				supported_phys |= MGMT_PHY_EDR_2M_3SLOT;
638 
639 			if (lmp_edr_5slot_capable(hdev))
640 				supported_phys |= MGMT_PHY_EDR_2M_5SLOT;
641 
642 			if (lmp_edr_3m_capable(hdev)) {
643 				supported_phys |= MGMT_PHY_EDR_3M_1SLOT;
644 
645 				if (lmp_edr_3slot_capable(hdev))
646 					supported_phys |= MGMT_PHY_EDR_3M_3SLOT;
647 
648 				if (lmp_edr_5slot_capable(hdev))
649 					supported_phys |= MGMT_PHY_EDR_3M_5SLOT;
650 			}
651 		}
652 	}
653 
654 	if (lmp_le_capable(hdev)) {
655 		supported_phys |= MGMT_PHY_LE_1M_TX;
656 		supported_phys |= MGMT_PHY_LE_1M_RX;
657 
658 		if (hdev->le_features[1] & HCI_LE_PHY_2M) {
659 			supported_phys |= MGMT_PHY_LE_2M_TX;
660 			supported_phys |= MGMT_PHY_LE_2M_RX;
661 		}
662 
663 		if (hdev->le_features[1] & HCI_LE_PHY_CODED) {
664 			supported_phys |= MGMT_PHY_LE_CODED_TX;
665 			supported_phys |= MGMT_PHY_LE_CODED_RX;
666 		}
667 	}
668 
669 	return supported_phys;
670 }
671 
672 static u32 get_selected_phys(struct hci_dev *hdev)
673 {
674 	u32 selected_phys = 0;
675 
676 	if (lmp_bredr_capable(hdev)) {
677 		selected_phys |= MGMT_PHY_BR_1M_1SLOT;
678 
679 		if (hdev->pkt_type & (HCI_DM3 | HCI_DH3))
680 			selected_phys |= MGMT_PHY_BR_1M_3SLOT;
681 
682 		if (hdev->pkt_type & (HCI_DM5 | HCI_DH5))
683 			selected_phys |= MGMT_PHY_BR_1M_5SLOT;
684 
685 		if (lmp_edr_2m_capable(hdev)) {
686 			if (!(hdev->pkt_type & HCI_2DH1))
687 				selected_phys |= MGMT_PHY_EDR_2M_1SLOT;
688 
689 			if (lmp_edr_3slot_capable(hdev) &&
690 			    !(hdev->pkt_type & HCI_2DH3))
691 				selected_phys |= MGMT_PHY_EDR_2M_3SLOT;
692 
693 			if (lmp_edr_5slot_capable(hdev) &&
694 			    !(hdev->pkt_type & HCI_2DH5))
695 				selected_phys |= MGMT_PHY_EDR_2M_5SLOT;
696 
697 			if (lmp_edr_3m_capable(hdev)) {
698 				if (!(hdev->pkt_type & HCI_3DH1))
699 					selected_phys |= MGMT_PHY_EDR_3M_1SLOT;
700 
701 				if (lmp_edr_3slot_capable(hdev) &&
702 				    !(hdev->pkt_type & HCI_3DH3))
703 					selected_phys |= MGMT_PHY_EDR_3M_3SLOT;
704 
705 				if (lmp_edr_5slot_capable(hdev) &&
706 				    !(hdev->pkt_type & HCI_3DH5))
707 					selected_phys |= MGMT_PHY_EDR_3M_5SLOT;
708 			}
709 		}
710 	}
711 
712 	if (lmp_le_capable(hdev)) {
713 		if (hdev->le_tx_def_phys & HCI_LE_SET_PHY_1M)
714 			selected_phys |= MGMT_PHY_LE_1M_TX;
715 
716 		if (hdev->le_rx_def_phys & HCI_LE_SET_PHY_1M)
717 			selected_phys |= MGMT_PHY_LE_1M_RX;
718 
719 		if (hdev->le_tx_def_phys & HCI_LE_SET_PHY_2M)
720 			selected_phys |= MGMT_PHY_LE_2M_TX;
721 
722 		if (hdev->le_rx_def_phys & HCI_LE_SET_PHY_2M)
723 			selected_phys |= MGMT_PHY_LE_2M_RX;
724 
725 		if (hdev->le_tx_def_phys & HCI_LE_SET_PHY_CODED)
726 			selected_phys |= MGMT_PHY_LE_CODED_TX;
727 
728 		if (hdev->le_rx_def_phys & HCI_LE_SET_PHY_CODED)
729 			selected_phys |= MGMT_PHY_LE_CODED_RX;
730 	}
731 
732 	return selected_phys;
733 }
734 
735 static u32 get_configurable_phys(struct hci_dev *hdev)
736 {
737 	return (get_supported_phys(hdev) & ~MGMT_PHY_BR_1M_1SLOT &
738 		~MGMT_PHY_LE_1M_TX & ~MGMT_PHY_LE_1M_RX);
739 }
740 
741 static u32 get_supported_settings(struct hci_dev *hdev)
742 {
743 	u32 settings = 0;
744 
745 	settings |= MGMT_SETTING_POWERED;
746 	settings |= MGMT_SETTING_BONDABLE;
747 	settings |= MGMT_SETTING_DEBUG_KEYS;
748 	settings |= MGMT_SETTING_CONNECTABLE;
749 	settings |= MGMT_SETTING_DISCOVERABLE;
750 
751 	if (lmp_bredr_capable(hdev)) {
752 		if (hdev->hci_ver >= BLUETOOTH_VER_1_2)
753 			settings |= MGMT_SETTING_FAST_CONNECTABLE;
754 		settings |= MGMT_SETTING_BREDR;
755 		settings |= MGMT_SETTING_LINK_SECURITY;
756 
757 		if (lmp_ssp_capable(hdev)) {
758 			settings |= MGMT_SETTING_SSP;
759 			settings |= MGMT_SETTING_HS;
760 		}
761 
762 		if (lmp_sc_capable(hdev))
763 			settings |= MGMT_SETTING_SECURE_CONN;
764 	}
765 
766 	if (lmp_le_capable(hdev)) {
767 		settings |= MGMT_SETTING_LE;
768 		settings |= MGMT_SETTING_ADVERTISING;
769 		settings |= MGMT_SETTING_SECURE_CONN;
770 		settings |= MGMT_SETTING_PRIVACY;
771 		settings |= MGMT_SETTING_STATIC_ADDRESS;
772 	}
773 
774 	if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) ||
775 	    hdev->set_bdaddr)
776 		settings |= MGMT_SETTING_CONFIGURATION;
777 
778 	settings |= MGMT_SETTING_PHY_CONFIGURATION;
779 
780 	return settings;
781 }
782 
783 static u32 get_current_settings(struct hci_dev *hdev)
784 {
785 	u32 settings = 0;
786 
787 	if (hdev_is_powered(hdev))
788 		settings |= MGMT_SETTING_POWERED;
789 
790 	if (hci_dev_test_flag(hdev, HCI_CONNECTABLE))
791 		settings |= MGMT_SETTING_CONNECTABLE;
792 
793 	if (hci_dev_test_flag(hdev, HCI_FAST_CONNECTABLE))
794 		settings |= MGMT_SETTING_FAST_CONNECTABLE;
795 
796 	if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE))
797 		settings |= MGMT_SETTING_DISCOVERABLE;
798 
799 	if (hci_dev_test_flag(hdev, HCI_BONDABLE))
800 		settings |= MGMT_SETTING_BONDABLE;
801 
802 	if (hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
803 		settings |= MGMT_SETTING_BREDR;
804 
805 	if (hci_dev_test_flag(hdev, HCI_LE_ENABLED))
806 		settings |= MGMT_SETTING_LE;
807 
808 	if (hci_dev_test_flag(hdev, HCI_LINK_SECURITY))
809 		settings |= MGMT_SETTING_LINK_SECURITY;
810 
811 	if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
812 		settings |= MGMT_SETTING_SSP;
813 
814 	if (hci_dev_test_flag(hdev, HCI_HS_ENABLED))
815 		settings |= MGMT_SETTING_HS;
816 
817 	if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
818 		settings |= MGMT_SETTING_ADVERTISING;
819 
820 	if (hci_dev_test_flag(hdev, HCI_SC_ENABLED))
821 		settings |= MGMT_SETTING_SECURE_CONN;
822 
823 	if (hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS))
824 		settings |= MGMT_SETTING_DEBUG_KEYS;
825 
826 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
827 		settings |= MGMT_SETTING_PRIVACY;
828 
829 	/* The current setting for static address has two purposes. The
830 	 * first is to indicate if the static address will be used and
831 	 * the second is to indicate if it is actually set.
832 	 *
833 	 * This means if the static address is not configured, this flag
834 	 * will never be set. If the address is configured, then if the
835 	 * address is actually used decides if the flag is set or not.
836 	 *
837 	 * For single mode LE only controllers and dual-mode controllers
838 	 * with BR/EDR disabled, the existence of the static address will
839 	 * be evaluated.
840 	 */
841 	if (hci_dev_test_flag(hdev, HCI_FORCE_STATIC_ADDR) ||
842 	    !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) ||
843 	    !bacmp(&hdev->bdaddr, BDADDR_ANY)) {
844 		if (bacmp(&hdev->static_addr, BDADDR_ANY))
845 			settings |= MGMT_SETTING_STATIC_ADDRESS;
846 	}
847 
848 	return settings;
849 }
850 
851 static struct mgmt_pending_cmd *pending_find(u16 opcode, struct hci_dev *hdev)
852 {
853 	return mgmt_pending_find(HCI_CHANNEL_CONTROL, opcode, hdev);
854 }
855 
856 static struct mgmt_pending_cmd *pending_find_data(u16 opcode,
857 						  struct hci_dev *hdev,
858 						  const void *data)
859 {
860 	return mgmt_pending_find_data(HCI_CHANNEL_CONTROL, opcode, hdev, data);
861 }
862 
863 u8 mgmt_get_adv_discov_flags(struct hci_dev *hdev)
864 {
865 	struct mgmt_pending_cmd *cmd;
866 
867 	/* If there's a pending mgmt command the flags will not yet have
868 	 * their final values, so check for this first.
869 	 */
870 	cmd = pending_find(MGMT_OP_SET_DISCOVERABLE, hdev);
871 	if (cmd) {
872 		struct mgmt_mode *cp = cmd->param;
873 		if (cp->val == 0x01)
874 			return LE_AD_GENERAL;
875 		else if (cp->val == 0x02)
876 			return LE_AD_LIMITED;
877 	} else {
878 		if (hci_dev_test_flag(hdev, HCI_LIMITED_DISCOVERABLE))
879 			return LE_AD_LIMITED;
880 		else if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE))
881 			return LE_AD_GENERAL;
882 	}
883 
884 	return 0;
885 }
886 
887 bool mgmt_get_connectable(struct hci_dev *hdev)
888 {
889 	struct mgmt_pending_cmd *cmd;
890 
891 	/* If there's a pending mgmt command the flag will not yet have
892 	 * it's final value, so check for this first.
893 	 */
894 	cmd = pending_find(MGMT_OP_SET_CONNECTABLE, hdev);
895 	if (cmd) {
896 		struct mgmt_mode *cp = cmd->param;
897 
898 		return cp->val;
899 	}
900 
901 	return hci_dev_test_flag(hdev, HCI_CONNECTABLE);
902 }
903 
904 static void service_cache_off(struct work_struct *work)
905 {
906 	struct hci_dev *hdev = container_of(work, struct hci_dev,
907 					    service_cache.work);
908 	struct hci_request req;
909 
910 	if (!hci_dev_test_and_clear_flag(hdev, HCI_SERVICE_CACHE))
911 		return;
912 
913 	hci_req_init(&req, hdev);
914 
915 	hci_dev_lock(hdev);
916 
917 	__hci_req_update_eir(&req);
918 	__hci_req_update_class(&req);
919 
920 	hci_dev_unlock(hdev);
921 
922 	hci_req_run(&req, NULL);
923 }
924 
925 static void rpa_expired(struct work_struct *work)
926 {
927 	struct hci_dev *hdev = container_of(work, struct hci_dev,
928 					    rpa_expired.work);
929 	struct hci_request req;
930 
931 	BT_DBG("");
932 
933 	hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
934 
935 	if (!hci_dev_test_flag(hdev, HCI_ADVERTISING))
936 		return;
937 
938 	/* The generation of a new RPA and programming it into the
939 	 * controller happens in the hci_req_enable_advertising()
940 	 * function.
941 	 */
942 	hci_req_init(&req, hdev);
943 	if (ext_adv_capable(hdev))
944 		__hci_req_start_ext_adv(&req, hdev->cur_adv_instance);
945 	else
946 		__hci_req_enable_advertising(&req);
947 	hci_req_run(&req, NULL);
948 }
949 
950 static void mgmt_init_hdev(struct sock *sk, struct hci_dev *hdev)
951 {
952 	if (hci_dev_test_and_set_flag(hdev, HCI_MGMT))
953 		return;
954 
955 	INIT_DELAYED_WORK(&hdev->service_cache, service_cache_off);
956 	INIT_DELAYED_WORK(&hdev->rpa_expired, rpa_expired);
957 
958 	/* Non-mgmt controlled devices get this bit set
959 	 * implicitly so that pairing works for them, however
960 	 * for mgmt we require user-space to explicitly enable
961 	 * it
962 	 */
963 	hci_dev_clear_flag(hdev, HCI_BONDABLE);
964 }
965 
966 static int read_controller_info(struct sock *sk, struct hci_dev *hdev,
967 				void *data, u16 data_len)
968 {
969 	struct mgmt_rp_read_info rp;
970 
971 	BT_DBG("sock %p %s", sk, hdev->name);
972 
973 	hci_dev_lock(hdev);
974 
975 	memset(&rp, 0, sizeof(rp));
976 
977 	bacpy(&rp.bdaddr, &hdev->bdaddr);
978 
979 	rp.version = hdev->hci_ver;
980 	rp.manufacturer = cpu_to_le16(hdev->manufacturer);
981 
982 	rp.supported_settings = cpu_to_le32(get_supported_settings(hdev));
983 	rp.current_settings = cpu_to_le32(get_current_settings(hdev));
984 
985 	memcpy(rp.dev_class, hdev->dev_class, 3);
986 
987 	memcpy(rp.name, hdev->dev_name, sizeof(hdev->dev_name));
988 	memcpy(rp.short_name, hdev->short_name, sizeof(hdev->short_name));
989 
990 	hci_dev_unlock(hdev);
991 
992 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_INFO, 0, &rp,
993 				 sizeof(rp));
994 }
995 
996 static u16 append_eir_data_to_buf(struct hci_dev *hdev, u8 *eir)
997 {
998 	u16 eir_len = 0;
999 	size_t name_len;
1000 
1001 	if (hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1002 		eir_len = eir_append_data(eir, eir_len, EIR_CLASS_OF_DEV,
1003 					  hdev->dev_class, 3);
1004 
1005 	if (hci_dev_test_flag(hdev, HCI_LE_ENABLED))
1006 		eir_len = eir_append_le16(eir, eir_len, EIR_APPEARANCE,
1007 					  hdev->appearance);
1008 
1009 	name_len = strlen(hdev->dev_name);
1010 	eir_len = eir_append_data(eir, eir_len, EIR_NAME_COMPLETE,
1011 				  hdev->dev_name, name_len);
1012 
1013 	name_len = strlen(hdev->short_name);
1014 	eir_len = eir_append_data(eir, eir_len, EIR_NAME_SHORT,
1015 				  hdev->short_name, name_len);
1016 
1017 	return eir_len;
1018 }
1019 
1020 static int read_ext_controller_info(struct sock *sk, struct hci_dev *hdev,
1021 				    void *data, u16 data_len)
1022 {
1023 	char buf[512];
1024 	struct mgmt_rp_read_ext_info *rp = (void *)buf;
1025 	u16 eir_len;
1026 
1027 	BT_DBG("sock %p %s", sk, hdev->name);
1028 
1029 	memset(&buf, 0, sizeof(buf));
1030 
1031 	hci_dev_lock(hdev);
1032 
1033 	bacpy(&rp->bdaddr, &hdev->bdaddr);
1034 
1035 	rp->version = hdev->hci_ver;
1036 	rp->manufacturer = cpu_to_le16(hdev->manufacturer);
1037 
1038 	rp->supported_settings = cpu_to_le32(get_supported_settings(hdev));
1039 	rp->current_settings = cpu_to_le32(get_current_settings(hdev));
1040 
1041 
1042 	eir_len = append_eir_data_to_buf(hdev, rp->eir);
1043 	rp->eir_len = cpu_to_le16(eir_len);
1044 
1045 	hci_dev_unlock(hdev);
1046 
1047 	/* If this command is called at least once, then the events
1048 	 * for class of device and local name changes are disabled
1049 	 * and only the new extended controller information event
1050 	 * is used.
1051 	 */
1052 	hci_sock_set_flag(sk, HCI_MGMT_EXT_INFO_EVENTS);
1053 	hci_sock_clear_flag(sk, HCI_MGMT_DEV_CLASS_EVENTS);
1054 	hci_sock_clear_flag(sk, HCI_MGMT_LOCAL_NAME_EVENTS);
1055 
1056 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_EXT_INFO, 0, rp,
1057 				 sizeof(*rp) + eir_len);
1058 }
1059 
1060 static int ext_info_changed(struct hci_dev *hdev, struct sock *skip)
1061 {
1062 	char buf[512];
1063 	struct mgmt_ev_ext_info_changed *ev = (void *)buf;
1064 	u16 eir_len;
1065 
1066 	memset(buf, 0, sizeof(buf));
1067 
1068 	eir_len = append_eir_data_to_buf(hdev, ev->eir);
1069 	ev->eir_len = cpu_to_le16(eir_len);
1070 
1071 	return mgmt_limited_event(MGMT_EV_EXT_INFO_CHANGED, hdev, ev,
1072 				  sizeof(*ev) + eir_len,
1073 				  HCI_MGMT_EXT_INFO_EVENTS, skip);
1074 }
1075 
1076 static int send_settings_rsp(struct sock *sk, u16 opcode, struct hci_dev *hdev)
1077 {
1078 	__le32 settings = cpu_to_le32(get_current_settings(hdev));
1079 
1080 	return mgmt_cmd_complete(sk, hdev->id, opcode, 0, &settings,
1081 				 sizeof(settings));
1082 }
1083 
1084 static void clean_up_hci_complete(struct hci_dev *hdev, u8 status, u16 opcode)
1085 {
1086 	BT_DBG("%s status 0x%02x", hdev->name, status);
1087 
1088 	if (hci_conn_count(hdev) == 0) {
1089 		cancel_delayed_work(&hdev->power_off);
1090 		queue_work(hdev->req_workqueue, &hdev->power_off.work);
1091 	}
1092 }
1093 
1094 void mgmt_advertising_added(struct sock *sk, struct hci_dev *hdev, u8 instance)
1095 {
1096 	struct mgmt_ev_advertising_added ev;
1097 
1098 	ev.instance = instance;
1099 
1100 	mgmt_event(MGMT_EV_ADVERTISING_ADDED, hdev, &ev, sizeof(ev), sk);
1101 }
1102 
1103 void mgmt_advertising_removed(struct sock *sk, struct hci_dev *hdev,
1104 			      u8 instance)
1105 {
1106 	struct mgmt_ev_advertising_removed ev;
1107 
1108 	ev.instance = instance;
1109 
1110 	mgmt_event(MGMT_EV_ADVERTISING_REMOVED, hdev, &ev, sizeof(ev), sk);
1111 }
1112 
1113 static void cancel_adv_timeout(struct hci_dev *hdev)
1114 {
1115 	if (hdev->adv_instance_timeout) {
1116 		hdev->adv_instance_timeout = 0;
1117 		cancel_delayed_work(&hdev->adv_instance_expire);
1118 	}
1119 }
1120 
1121 static int clean_up_hci_state(struct hci_dev *hdev)
1122 {
1123 	struct hci_request req;
1124 	struct hci_conn *conn;
1125 	bool discov_stopped;
1126 	int err;
1127 
1128 	hci_req_init(&req, hdev);
1129 
1130 	if (test_bit(HCI_ISCAN, &hdev->flags) ||
1131 	    test_bit(HCI_PSCAN, &hdev->flags)) {
1132 		u8 scan = 0x00;
1133 		hci_req_add(&req, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
1134 	}
1135 
1136 	hci_req_clear_adv_instance(hdev, NULL, NULL, 0x00, false);
1137 
1138 	if (hci_dev_test_flag(hdev, HCI_LE_ADV))
1139 		__hci_req_disable_advertising(&req);
1140 
1141 	discov_stopped = hci_req_stop_discovery(&req);
1142 
1143 	list_for_each_entry(conn, &hdev->conn_hash.list, list) {
1144 		/* 0x15 == Terminated due to Power Off */
1145 		__hci_abort_conn(&req, conn, 0x15);
1146 	}
1147 
1148 	err = hci_req_run(&req, clean_up_hci_complete);
1149 	if (!err && discov_stopped)
1150 		hci_discovery_set_state(hdev, DISCOVERY_STOPPING);
1151 
1152 	return err;
1153 }
1154 
1155 static int set_powered(struct sock *sk, struct hci_dev *hdev, void *data,
1156 		       u16 len)
1157 {
1158 	struct mgmt_mode *cp = data;
1159 	struct mgmt_pending_cmd *cmd;
1160 	int err;
1161 
1162 	BT_DBG("request for %s", hdev->name);
1163 
1164 	if (cp->val != 0x00 && cp->val != 0x01)
1165 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_POWERED,
1166 				       MGMT_STATUS_INVALID_PARAMS);
1167 
1168 	hci_dev_lock(hdev);
1169 
1170 	if (pending_find(MGMT_OP_SET_POWERED, hdev)) {
1171 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_POWERED,
1172 				      MGMT_STATUS_BUSY);
1173 		goto failed;
1174 	}
1175 
1176 	if (!!cp->val == hdev_is_powered(hdev)) {
1177 		err = send_settings_rsp(sk, MGMT_OP_SET_POWERED, hdev);
1178 		goto failed;
1179 	}
1180 
1181 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_POWERED, hdev, data, len);
1182 	if (!cmd) {
1183 		err = -ENOMEM;
1184 		goto failed;
1185 	}
1186 
1187 	if (cp->val) {
1188 		queue_work(hdev->req_workqueue, &hdev->power_on);
1189 		err = 0;
1190 	} else {
1191 		/* Disconnect connections, stop scans, etc */
1192 		err = clean_up_hci_state(hdev);
1193 		if (!err)
1194 			queue_delayed_work(hdev->req_workqueue, &hdev->power_off,
1195 					   HCI_POWER_OFF_TIMEOUT);
1196 
1197 		/* ENODATA means there were no HCI commands queued */
1198 		if (err == -ENODATA) {
1199 			cancel_delayed_work(&hdev->power_off);
1200 			queue_work(hdev->req_workqueue, &hdev->power_off.work);
1201 			err = 0;
1202 		}
1203 	}
1204 
1205 failed:
1206 	hci_dev_unlock(hdev);
1207 	return err;
1208 }
1209 
1210 static int new_settings(struct hci_dev *hdev, struct sock *skip)
1211 {
1212 	__le32 ev = cpu_to_le32(get_current_settings(hdev));
1213 
1214 	return mgmt_limited_event(MGMT_EV_NEW_SETTINGS, hdev, &ev,
1215 				  sizeof(ev), HCI_MGMT_SETTING_EVENTS, skip);
1216 }
1217 
1218 int mgmt_new_settings(struct hci_dev *hdev)
1219 {
1220 	return new_settings(hdev, NULL);
1221 }
1222 
1223 struct cmd_lookup {
1224 	struct sock *sk;
1225 	struct hci_dev *hdev;
1226 	u8 mgmt_status;
1227 };
1228 
1229 static void settings_rsp(struct mgmt_pending_cmd *cmd, void *data)
1230 {
1231 	struct cmd_lookup *match = data;
1232 
1233 	send_settings_rsp(cmd->sk, cmd->opcode, match->hdev);
1234 
1235 	list_del(&cmd->list);
1236 
1237 	if (match->sk == NULL) {
1238 		match->sk = cmd->sk;
1239 		sock_hold(match->sk);
1240 	}
1241 
1242 	mgmt_pending_free(cmd);
1243 }
1244 
1245 static void cmd_status_rsp(struct mgmt_pending_cmd *cmd, void *data)
1246 {
1247 	u8 *status = data;
1248 
1249 	mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, *status);
1250 	mgmt_pending_remove(cmd);
1251 }
1252 
1253 static void cmd_complete_rsp(struct mgmt_pending_cmd *cmd, void *data)
1254 {
1255 	if (cmd->cmd_complete) {
1256 		u8 *status = data;
1257 
1258 		cmd->cmd_complete(cmd, *status);
1259 		mgmt_pending_remove(cmd);
1260 
1261 		return;
1262 	}
1263 
1264 	cmd_status_rsp(cmd, data);
1265 }
1266 
1267 static int generic_cmd_complete(struct mgmt_pending_cmd *cmd, u8 status)
1268 {
1269 	return mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status,
1270 				 cmd->param, cmd->param_len);
1271 }
1272 
1273 static int addr_cmd_complete(struct mgmt_pending_cmd *cmd, u8 status)
1274 {
1275 	return mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status,
1276 				 cmd->param, sizeof(struct mgmt_addr_info));
1277 }
1278 
1279 static u8 mgmt_bredr_support(struct hci_dev *hdev)
1280 {
1281 	if (!lmp_bredr_capable(hdev))
1282 		return MGMT_STATUS_NOT_SUPPORTED;
1283 	else if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1284 		return MGMT_STATUS_REJECTED;
1285 	else
1286 		return MGMT_STATUS_SUCCESS;
1287 }
1288 
1289 static u8 mgmt_le_support(struct hci_dev *hdev)
1290 {
1291 	if (!lmp_le_capable(hdev))
1292 		return MGMT_STATUS_NOT_SUPPORTED;
1293 	else if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
1294 		return MGMT_STATUS_REJECTED;
1295 	else
1296 		return MGMT_STATUS_SUCCESS;
1297 }
1298 
1299 void mgmt_set_discoverable_complete(struct hci_dev *hdev, u8 status)
1300 {
1301 	struct mgmt_pending_cmd *cmd;
1302 
1303 	BT_DBG("status 0x%02x", status);
1304 
1305 	hci_dev_lock(hdev);
1306 
1307 	cmd = pending_find(MGMT_OP_SET_DISCOVERABLE, hdev);
1308 	if (!cmd)
1309 		goto unlock;
1310 
1311 	if (status) {
1312 		u8 mgmt_err = mgmt_status(status);
1313 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
1314 		hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1315 		goto remove_cmd;
1316 	}
1317 
1318 	if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE) &&
1319 	    hdev->discov_timeout > 0) {
1320 		int to = msecs_to_jiffies(hdev->discov_timeout * 1000);
1321 		queue_delayed_work(hdev->req_workqueue, &hdev->discov_off, to);
1322 	}
1323 
1324 	send_settings_rsp(cmd->sk, MGMT_OP_SET_DISCOVERABLE, hdev);
1325 	new_settings(hdev, cmd->sk);
1326 
1327 remove_cmd:
1328 	mgmt_pending_remove(cmd);
1329 
1330 unlock:
1331 	hci_dev_unlock(hdev);
1332 }
1333 
1334 static int set_discoverable(struct sock *sk, struct hci_dev *hdev, void *data,
1335 			    u16 len)
1336 {
1337 	struct mgmt_cp_set_discoverable *cp = data;
1338 	struct mgmt_pending_cmd *cmd;
1339 	u16 timeout;
1340 	int err;
1341 
1342 	BT_DBG("request for %s", hdev->name);
1343 
1344 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED) &&
1345 	    !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1346 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1347 				       MGMT_STATUS_REJECTED);
1348 
1349 	if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
1350 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1351 				       MGMT_STATUS_INVALID_PARAMS);
1352 
1353 	timeout = __le16_to_cpu(cp->timeout);
1354 
1355 	/* Disabling discoverable requires that no timeout is set,
1356 	 * and enabling limited discoverable requires a timeout.
1357 	 */
1358 	if ((cp->val == 0x00 && timeout > 0) ||
1359 	    (cp->val == 0x02 && timeout == 0))
1360 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1361 				       MGMT_STATUS_INVALID_PARAMS);
1362 
1363 	hci_dev_lock(hdev);
1364 
1365 	if (!hdev_is_powered(hdev) && timeout > 0) {
1366 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1367 				      MGMT_STATUS_NOT_POWERED);
1368 		goto failed;
1369 	}
1370 
1371 	if (pending_find(MGMT_OP_SET_DISCOVERABLE, hdev) ||
1372 	    pending_find(MGMT_OP_SET_CONNECTABLE, hdev)) {
1373 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1374 				      MGMT_STATUS_BUSY);
1375 		goto failed;
1376 	}
1377 
1378 	if (!hci_dev_test_flag(hdev, HCI_CONNECTABLE)) {
1379 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1380 				      MGMT_STATUS_REJECTED);
1381 		goto failed;
1382 	}
1383 
1384 	if (!hdev_is_powered(hdev)) {
1385 		bool changed = false;
1386 
1387 		/* Setting limited discoverable when powered off is
1388 		 * not a valid operation since it requires a timeout
1389 		 * and so no need to check HCI_LIMITED_DISCOVERABLE.
1390 		 */
1391 		if (!!cp->val != hci_dev_test_flag(hdev, HCI_DISCOVERABLE)) {
1392 			hci_dev_change_flag(hdev, HCI_DISCOVERABLE);
1393 			changed = true;
1394 		}
1395 
1396 		err = send_settings_rsp(sk, MGMT_OP_SET_DISCOVERABLE, hdev);
1397 		if (err < 0)
1398 			goto failed;
1399 
1400 		if (changed)
1401 			err = new_settings(hdev, sk);
1402 
1403 		goto failed;
1404 	}
1405 
1406 	/* If the current mode is the same, then just update the timeout
1407 	 * value with the new value. And if only the timeout gets updated,
1408 	 * then no need for any HCI transactions.
1409 	 */
1410 	if (!!cp->val == hci_dev_test_flag(hdev, HCI_DISCOVERABLE) &&
1411 	    (cp->val == 0x02) == hci_dev_test_flag(hdev,
1412 						   HCI_LIMITED_DISCOVERABLE)) {
1413 		cancel_delayed_work(&hdev->discov_off);
1414 		hdev->discov_timeout = timeout;
1415 
1416 		if (cp->val && hdev->discov_timeout > 0) {
1417 			int to = msecs_to_jiffies(hdev->discov_timeout * 1000);
1418 			queue_delayed_work(hdev->req_workqueue,
1419 					   &hdev->discov_off, to);
1420 		}
1421 
1422 		err = send_settings_rsp(sk, MGMT_OP_SET_DISCOVERABLE, hdev);
1423 		goto failed;
1424 	}
1425 
1426 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_DISCOVERABLE, hdev, data, len);
1427 	if (!cmd) {
1428 		err = -ENOMEM;
1429 		goto failed;
1430 	}
1431 
1432 	/* Cancel any potential discoverable timeout that might be
1433 	 * still active and store new timeout value. The arming of
1434 	 * the timeout happens in the complete handler.
1435 	 */
1436 	cancel_delayed_work(&hdev->discov_off);
1437 	hdev->discov_timeout = timeout;
1438 
1439 	if (cp->val)
1440 		hci_dev_set_flag(hdev, HCI_DISCOVERABLE);
1441 	else
1442 		hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1443 
1444 	/* Limited discoverable mode */
1445 	if (cp->val == 0x02)
1446 		hci_dev_set_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1447 	else
1448 		hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1449 
1450 	queue_work(hdev->req_workqueue, &hdev->discoverable_update);
1451 	err = 0;
1452 
1453 failed:
1454 	hci_dev_unlock(hdev);
1455 	return err;
1456 }
1457 
1458 void mgmt_set_connectable_complete(struct hci_dev *hdev, u8 status)
1459 {
1460 	struct mgmt_pending_cmd *cmd;
1461 
1462 	BT_DBG("status 0x%02x", status);
1463 
1464 	hci_dev_lock(hdev);
1465 
1466 	cmd = pending_find(MGMT_OP_SET_CONNECTABLE, hdev);
1467 	if (!cmd)
1468 		goto unlock;
1469 
1470 	if (status) {
1471 		u8 mgmt_err = mgmt_status(status);
1472 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
1473 		goto remove_cmd;
1474 	}
1475 
1476 	send_settings_rsp(cmd->sk, MGMT_OP_SET_CONNECTABLE, hdev);
1477 	new_settings(hdev, cmd->sk);
1478 
1479 remove_cmd:
1480 	mgmt_pending_remove(cmd);
1481 
1482 unlock:
1483 	hci_dev_unlock(hdev);
1484 }
1485 
1486 static int set_connectable_update_settings(struct hci_dev *hdev,
1487 					   struct sock *sk, u8 val)
1488 {
1489 	bool changed = false;
1490 	int err;
1491 
1492 	if (!!val != hci_dev_test_flag(hdev, HCI_CONNECTABLE))
1493 		changed = true;
1494 
1495 	if (val) {
1496 		hci_dev_set_flag(hdev, HCI_CONNECTABLE);
1497 	} else {
1498 		hci_dev_clear_flag(hdev, HCI_CONNECTABLE);
1499 		hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1500 	}
1501 
1502 	err = send_settings_rsp(sk, MGMT_OP_SET_CONNECTABLE, hdev);
1503 	if (err < 0)
1504 		return err;
1505 
1506 	if (changed) {
1507 		hci_req_update_scan(hdev);
1508 		hci_update_background_scan(hdev);
1509 		return new_settings(hdev, sk);
1510 	}
1511 
1512 	return 0;
1513 }
1514 
1515 static int set_connectable(struct sock *sk, struct hci_dev *hdev, void *data,
1516 			   u16 len)
1517 {
1518 	struct mgmt_mode *cp = data;
1519 	struct mgmt_pending_cmd *cmd;
1520 	int err;
1521 
1522 	BT_DBG("request for %s", hdev->name);
1523 
1524 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED) &&
1525 	    !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1526 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_CONNECTABLE,
1527 				       MGMT_STATUS_REJECTED);
1528 
1529 	if (cp->val != 0x00 && cp->val != 0x01)
1530 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_CONNECTABLE,
1531 				       MGMT_STATUS_INVALID_PARAMS);
1532 
1533 	hci_dev_lock(hdev);
1534 
1535 	if (!hdev_is_powered(hdev)) {
1536 		err = set_connectable_update_settings(hdev, sk, cp->val);
1537 		goto failed;
1538 	}
1539 
1540 	if (pending_find(MGMT_OP_SET_DISCOVERABLE, hdev) ||
1541 	    pending_find(MGMT_OP_SET_CONNECTABLE, hdev)) {
1542 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_CONNECTABLE,
1543 				      MGMT_STATUS_BUSY);
1544 		goto failed;
1545 	}
1546 
1547 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_CONNECTABLE, hdev, data, len);
1548 	if (!cmd) {
1549 		err = -ENOMEM;
1550 		goto failed;
1551 	}
1552 
1553 	if (cp->val) {
1554 		hci_dev_set_flag(hdev, HCI_CONNECTABLE);
1555 	} else {
1556 		if (hdev->discov_timeout > 0)
1557 			cancel_delayed_work(&hdev->discov_off);
1558 
1559 		hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1560 		hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1561 		hci_dev_clear_flag(hdev, HCI_CONNECTABLE);
1562 	}
1563 
1564 	queue_work(hdev->req_workqueue, &hdev->connectable_update);
1565 	err = 0;
1566 
1567 failed:
1568 	hci_dev_unlock(hdev);
1569 	return err;
1570 }
1571 
1572 static int set_bondable(struct sock *sk, struct hci_dev *hdev, void *data,
1573 			u16 len)
1574 {
1575 	struct mgmt_mode *cp = data;
1576 	bool changed;
1577 	int err;
1578 
1579 	BT_DBG("request for %s", hdev->name);
1580 
1581 	if (cp->val != 0x00 && cp->val != 0x01)
1582 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BONDABLE,
1583 				       MGMT_STATUS_INVALID_PARAMS);
1584 
1585 	hci_dev_lock(hdev);
1586 
1587 	if (cp->val)
1588 		changed = !hci_dev_test_and_set_flag(hdev, HCI_BONDABLE);
1589 	else
1590 		changed = hci_dev_test_and_clear_flag(hdev, HCI_BONDABLE);
1591 
1592 	err = send_settings_rsp(sk, MGMT_OP_SET_BONDABLE, hdev);
1593 	if (err < 0)
1594 		goto unlock;
1595 
1596 	if (changed) {
1597 		/* In limited privacy mode the change of bondable mode
1598 		 * may affect the local advertising address.
1599 		 */
1600 		if (hdev_is_powered(hdev) &&
1601 		    hci_dev_test_flag(hdev, HCI_ADVERTISING) &&
1602 		    hci_dev_test_flag(hdev, HCI_DISCOVERABLE) &&
1603 		    hci_dev_test_flag(hdev, HCI_LIMITED_PRIVACY))
1604 			queue_work(hdev->req_workqueue,
1605 				   &hdev->discoverable_update);
1606 
1607 		err = new_settings(hdev, sk);
1608 	}
1609 
1610 unlock:
1611 	hci_dev_unlock(hdev);
1612 	return err;
1613 }
1614 
1615 static int set_link_security(struct sock *sk, struct hci_dev *hdev, void *data,
1616 			     u16 len)
1617 {
1618 	struct mgmt_mode *cp = data;
1619 	struct mgmt_pending_cmd *cmd;
1620 	u8 val, status;
1621 	int err;
1622 
1623 	BT_DBG("request for %s", hdev->name);
1624 
1625 	status = mgmt_bredr_support(hdev);
1626 	if (status)
1627 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY,
1628 				       status);
1629 
1630 	if (cp->val != 0x00 && cp->val != 0x01)
1631 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY,
1632 				       MGMT_STATUS_INVALID_PARAMS);
1633 
1634 	hci_dev_lock(hdev);
1635 
1636 	if (!hdev_is_powered(hdev)) {
1637 		bool changed = false;
1638 
1639 		if (!!cp->val != hci_dev_test_flag(hdev, HCI_LINK_SECURITY)) {
1640 			hci_dev_change_flag(hdev, HCI_LINK_SECURITY);
1641 			changed = true;
1642 		}
1643 
1644 		err = send_settings_rsp(sk, MGMT_OP_SET_LINK_SECURITY, hdev);
1645 		if (err < 0)
1646 			goto failed;
1647 
1648 		if (changed)
1649 			err = new_settings(hdev, sk);
1650 
1651 		goto failed;
1652 	}
1653 
1654 	if (pending_find(MGMT_OP_SET_LINK_SECURITY, hdev)) {
1655 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY,
1656 				      MGMT_STATUS_BUSY);
1657 		goto failed;
1658 	}
1659 
1660 	val = !!cp->val;
1661 
1662 	if (test_bit(HCI_AUTH, &hdev->flags) == val) {
1663 		err = send_settings_rsp(sk, MGMT_OP_SET_LINK_SECURITY, hdev);
1664 		goto failed;
1665 	}
1666 
1667 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_LINK_SECURITY, hdev, data, len);
1668 	if (!cmd) {
1669 		err = -ENOMEM;
1670 		goto failed;
1671 	}
1672 
1673 	err = hci_send_cmd(hdev, HCI_OP_WRITE_AUTH_ENABLE, sizeof(val), &val);
1674 	if (err < 0) {
1675 		mgmt_pending_remove(cmd);
1676 		goto failed;
1677 	}
1678 
1679 failed:
1680 	hci_dev_unlock(hdev);
1681 	return err;
1682 }
1683 
1684 static int set_ssp(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
1685 {
1686 	struct mgmt_mode *cp = data;
1687 	struct mgmt_pending_cmd *cmd;
1688 	u8 status;
1689 	int err;
1690 
1691 	BT_DBG("request for %s", hdev->name);
1692 
1693 	status = mgmt_bredr_support(hdev);
1694 	if (status)
1695 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP, status);
1696 
1697 	if (!lmp_ssp_capable(hdev))
1698 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
1699 				       MGMT_STATUS_NOT_SUPPORTED);
1700 
1701 	if (cp->val != 0x00 && cp->val != 0x01)
1702 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
1703 				       MGMT_STATUS_INVALID_PARAMS);
1704 
1705 	hci_dev_lock(hdev);
1706 
1707 	if (!hdev_is_powered(hdev)) {
1708 		bool changed;
1709 
1710 		if (cp->val) {
1711 			changed = !hci_dev_test_and_set_flag(hdev,
1712 							     HCI_SSP_ENABLED);
1713 		} else {
1714 			changed = hci_dev_test_and_clear_flag(hdev,
1715 							      HCI_SSP_ENABLED);
1716 			if (!changed)
1717 				changed = hci_dev_test_and_clear_flag(hdev,
1718 								      HCI_HS_ENABLED);
1719 			else
1720 				hci_dev_clear_flag(hdev, HCI_HS_ENABLED);
1721 		}
1722 
1723 		err = send_settings_rsp(sk, MGMT_OP_SET_SSP, hdev);
1724 		if (err < 0)
1725 			goto failed;
1726 
1727 		if (changed)
1728 			err = new_settings(hdev, sk);
1729 
1730 		goto failed;
1731 	}
1732 
1733 	if (pending_find(MGMT_OP_SET_SSP, hdev)) {
1734 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
1735 				      MGMT_STATUS_BUSY);
1736 		goto failed;
1737 	}
1738 
1739 	if (!!cp->val == hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
1740 		err = send_settings_rsp(sk, MGMT_OP_SET_SSP, hdev);
1741 		goto failed;
1742 	}
1743 
1744 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_SSP, hdev, data, len);
1745 	if (!cmd) {
1746 		err = -ENOMEM;
1747 		goto failed;
1748 	}
1749 
1750 	if (!cp->val && hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS))
1751 		hci_send_cmd(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE,
1752 			     sizeof(cp->val), &cp->val);
1753 
1754 	err = hci_send_cmd(hdev, HCI_OP_WRITE_SSP_MODE, 1, &cp->val);
1755 	if (err < 0) {
1756 		mgmt_pending_remove(cmd);
1757 		goto failed;
1758 	}
1759 
1760 failed:
1761 	hci_dev_unlock(hdev);
1762 	return err;
1763 }
1764 
1765 static int set_hs(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
1766 {
1767 	struct mgmt_mode *cp = data;
1768 	bool changed;
1769 	u8 status;
1770 	int err;
1771 
1772 	BT_DBG("request for %s", hdev->name);
1773 
1774 	status = mgmt_bredr_support(hdev);
1775 	if (status)
1776 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS, status);
1777 
1778 	if (!lmp_ssp_capable(hdev))
1779 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
1780 				       MGMT_STATUS_NOT_SUPPORTED);
1781 
1782 	if (!hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
1783 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
1784 				       MGMT_STATUS_REJECTED);
1785 
1786 	if (cp->val != 0x00 && cp->val != 0x01)
1787 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
1788 				       MGMT_STATUS_INVALID_PARAMS);
1789 
1790 	hci_dev_lock(hdev);
1791 
1792 	if (pending_find(MGMT_OP_SET_SSP, hdev)) {
1793 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
1794 				      MGMT_STATUS_BUSY);
1795 		goto unlock;
1796 	}
1797 
1798 	if (cp->val) {
1799 		changed = !hci_dev_test_and_set_flag(hdev, HCI_HS_ENABLED);
1800 	} else {
1801 		if (hdev_is_powered(hdev)) {
1802 			err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
1803 					      MGMT_STATUS_REJECTED);
1804 			goto unlock;
1805 		}
1806 
1807 		changed = hci_dev_test_and_clear_flag(hdev, HCI_HS_ENABLED);
1808 	}
1809 
1810 	err = send_settings_rsp(sk, MGMT_OP_SET_HS, hdev);
1811 	if (err < 0)
1812 		goto unlock;
1813 
1814 	if (changed)
1815 		err = new_settings(hdev, sk);
1816 
1817 unlock:
1818 	hci_dev_unlock(hdev);
1819 	return err;
1820 }
1821 
1822 static void le_enable_complete(struct hci_dev *hdev, u8 status, u16 opcode)
1823 {
1824 	struct cmd_lookup match = { NULL, hdev };
1825 
1826 	hci_dev_lock(hdev);
1827 
1828 	if (status) {
1829 		u8 mgmt_err = mgmt_status(status);
1830 
1831 		mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, cmd_status_rsp,
1832 				     &mgmt_err);
1833 		goto unlock;
1834 	}
1835 
1836 	mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, settings_rsp, &match);
1837 
1838 	new_settings(hdev, match.sk);
1839 
1840 	if (match.sk)
1841 		sock_put(match.sk);
1842 
1843 	/* Make sure the controller has a good default for
1844 	 * advertising data. Restrict the update to when LE
1845 	 * has actually been enabled. During power on, the
1846 	 * update in powered_update_hci will take care of it.
1847 	 */
1848 	if (hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1849 		struct hci_request req;
1850 		hci_req_init(&req, hdev);
1851 		if (ext_adv_capable(hdev)) {
1852 			int err;
1853 
1854 			err = __hci_req_setup_ext_adv_instance(&req, 0x00);
1855 			if (!err)
1856 				__hci_req_update_scan_rsp_data(&req, 0x00);
1857 		} else {
1858 			__hci_req_update_adv_data(&req, 0x00);
1859 			__hci_req_update_scan_rsp_data(&req, 0x00);
1860 		}
1861 		hci_req_run(&req, NULL);
1862 		hci_update_background_scan(hdev);
1863 	}
1864 
1865 unlock:
1866 	hci_dev_unlock(hdev);
1867 }
1868 
1869 static int set_le(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
1870 {
1871 	struct mgmt_mode *cp = data;
1872 	struct hci_cp_write_le_host_supported hci_cp;
1873 	struct mgmt_pending_cmd *cmd;
1874 	struct hci_request req;
1875 	int err;
1876 	u8 val, enabled;
1877 
1878 	BT_DBG("request for %s", hdev->name);
1879 
1880 	if (!lmp_le_capable(hdev))
1881 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
1882 				       MGMT_STATUS_NOT_SUPPORTED);
1883 
1884 	if (cp->val != 0x00 && cp->val != 0x01)
1885 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
1886 				       MGMT_STATUS_INVALID_PARAMS);
1887 
1888 	/* Bluetooth single mode LE only controllers or dual-mode
1889 	 * controllers configured as LE only devices, do not allow
1890 	 * switching LE off. These have either LE enabled explicitly
1891 	 * or BR/EDR has been previously switched off.
1892 	 *
1893 	 * When trying to enable an already enabled LE, then gracefully
1894 	 * send a positive response. Trying to disable it however will
1895 	 * result into rejection.
1896 	 */
1897 	if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
1898 		if (cp->val == 0x01)
1899 			return send_settings_rsp(sk, MGMT_OP_SET_LE, hdev);
1900 
1901 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
1902 				       MGMT_STATUS_REJECTED);
1903 	}
1904 
1905 	hci_dev_lock(hdev);
1906 
1907 	val = !!cp->val;
1908 	enabled = lmp_host_le_capable(hdev);
1909 
1910 	if (!val)
1911 		hci_req_clear_adv_instance(hdev, NULL, NULL, 0x00, true);
1912 
1913 	if (!hdev_is_powered(hdev) || val == enabled) {
1914 		bool changed = false;
1915 
1916 		if (val != hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1917 			hci_dev_change_flag(hdev, HCI_LE_ENABLED);
1918 			changed = true;
1919 		}
1920 
1921 		if (!val && hci_dev_test_flag(hdev, HCI_ADVERTISING)) {
1922 			hci_dev_clear_flag(hdev, HCI_ADVERTISING);
1923 			changed = true;
1924 		}
1925 
1926 		err = send_settings_rsp(sk, MGMT_OP_SET_LE, hdev);
1927 		if (err < 0)
1928 			goto unlock;
1929 
1930 		if (changed)
1931 			err = new_settings(hdev, sk);
1932 
1933 		goto unlock;
1934 	}
1935 
1936 	if (pending_find(MGMT_OP_SET_LE, hdev) ||
1937 	    pending_find(MGMT_OP_SET_ADVERTISING, hdev)) {
1938 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
1939 				      MGMT_STATUS_BUSY);
1940 		goto unlock;
1941 	}
1942 
1943 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_LE, hdev, data, len);
1944 	if (!cmd) {
1945 		err = -ENOMEM;
1946 		goto unlock;
1947 	}
1948 
1949 	hci_req_init(&req, hdev);
1950 
1951 	memset(&hci_cp, 0, sizeof(hci_cp));
1952 
1953 	if (val) {
1954 		hci_cp.le = val;
1955 		hci_cp.simul = 0x00;
1956 	} else {
1957 		if (hci_dev_test_flag(hdev, HCI_LE_ADV))
1958 			__hci_req_disable_advertising(&req);
1959 
1960 		if (ext_adv_capable(hdev))
1961 			__hci_req_clear_ext_adv_sets(&req);
1962 	}
1963 
1964 	hci_req_add(&req, HCI_OP_WRITE_LE_HOST_SUPPORTED, sizeof(hci_cp),
1965 		    &hci_cp);
1966 
1967 	err = hci_req_run(&req, le_enable_complete);
1968 	if (err < 0)
1969 		mgmt_pending_remove(cmd);
1970 
1971 unlock:
1972 	hci_dev_unlock(hdev);
1973 	return err;
1974 }
1975 
1976 /* This is a helper function to test for pending mgmt commands that can
1977  * cause CoD or EIR HCI commands. We can only allow one such pending
1978  * mgmt command at a time since otherwise we cannot easily track what
1979  * the current values are, will be, and based on that calculate if a new
1980  * HCI command needs to be sent and if yes with what value.
1981  */
1982 static bool pending_eir_or_class(struct hci_dev *hdev)
1983 {
1984 	struct mgmt_pending_cmd *cmd;
1985 
1986 	list_for_each_entry(cmd, &hdev->mgmt_pending, list) {
1987 		switch (cmd->opcode) {
1988 		case MGMT_OP_ADD_UUID:
1989 		case MGMT_OP_REMOVE_UUID:
1990 		case MGMT_OP_SET_DEV_CLASS:
1991 		case MGMT_OP_SET_POWERED:
1992 			return true;
1993 		}
1994 	}
1995 
1996 	return false;
1997 }
1998 
1999 static const u8 bluetooth_base_uuid[] = {
2000 			0xfb, 0x34, 0x9b, 0x5f, 0x80, 0x00, 0x00, 0x80,
2001 			0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2002 };
2003 
2004 static u8 get_uuid_size(const u8 *uuid)
2005 {
2006 	u32 val;
2007 
2008 	if (memcmp(uuid, bluetooth_base_uuid, 12))
2009 		return 128;
2010 
2011 	val = get_unaligned_le32(&uuid[12]);
2012 	if (val > 0xffff)
2013 		return 32;
2014 
2015 	return 16;
2016 }
2017 
2018 static void mgmt_class_complete(struct hci_dev *hdev, u16 mgmt_op, u8 status)
2019 {
2020 	struct mgmt_pending_cmd *cmd;
2021 
2022 	hci_dev_lock(hdev);
2023 
2024 	cmd = pending_find(mgmt_op, hdev);
2025 	if (!cmd)
2026 		goto unlock;
2027 
2028 	mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
2029 			  mgmt_status(status), hdev->dev_class, 3);
2030 
2031 	mgmt_pending_remove(cmd);
2032 
2033 unlock:
2034 	hci_dev_unlock(hdev);
2035 }
2036 
2037 static void add_uuid_complete(struct hci_dev *hdev, u8 status, u16 opcode)
2038 {
2039 	BT_DBG("status 0x%02x", status);
2040 
2041 	mgmt_class_complete(hdev, MGMT_OP_ADD_UUID, status);
2042 }
2043 
2044 static int add_uuid(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
2045 {
2046 	struct mgmt_cp_add_uuid *cp = data;
2047 	struct mgmt_pending_cmd *cmd;
2048 	struct hci_request req;
2049 	struct bt_uuid *uuid;
2050 	int err;
2051 
2052 	BT_DBG("request for %s", hdev->name);
2053 
2054 	hci_dev_lock(hdev);
2055 
2056 	if (pending_eir_or_class(hdev)) {
2057 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_UUID,
2058 				      MGMT_STATUS_BUSY);
2059 		goto failed;
2060 	}
2061 
2062 	uuid = kmalloc(sizeof(*uuid), GFP_KERNEL);
2063 	if (!uuid) {
2064 		err = -ENOMEM;
2065 		goto failed;
2066 	}
2067 
2068 	memcpy(uuid->uuid, cp->uuid, 16);
2069 	uuid->svc_hint = cp->svc_hint;
2070 	uuid->size = get_uuid_size(cp->uuid);
2071 
2072 	list_add_tail(&uuid->list, &hdev->uuids);
2073 
2074 	hci_req_init(&req, hdev);
2075 
2076 	__hci_req_update_class(&req);
2077 	__hci_req_update_eir(&req);
2078 
2079 	err = hci_req_run(&req, add_uuid_complete);
2080 	if (err < 0) {
2081 		if (err != -ENODATA)
2082 			goto failed;
2083 
2084 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_UUID, 0,
2085 					hdev->dev_class, 3);
2086 		goto failed;
2087 	}
2088 
2089 	cmd = mgmt_pending_add(sk, MGMT_OP_ADD_UUID, hdev, data, len);
2090 	if (!cmd) {
2091 		err = -ENOMEM;
2092 		goto failed;
2093 	}
2094 
2095 	err = 0;
2096 
2097 failed:
2098 	hci_dev_unlock(hdev);
2099 	return err;
2100 }
2101 
2102 static bool enable_service_cache(struct hci_dev *hdev)
2103 {
2104 	if (!hdev_is_powered(hdev))
2105 		return false;
2106 
2107 	if (!hci_dev_test_and_set_flag(hdev, HCI_SERVICE_CACHE)) {
2108 		queue_delayed_work(hdev->workqueue, &hdev->service_cache,
2109 				   CACHE_TIMEOUT);
2110 		return true;
2111 	}
2112 
2113 	return false;
2114 }
2115 
2116 static void remove_uuid_complete(struct hci_dev *hdev, u8 status, u16 opcode)
2117 {
2118 	BT_DBG("status 0x%02x", status);
2119 
2120 	mgmt_class_complete(hdev, MGMT_OP_REMOVE_UUID, status);
2121 }
2122 
2123 static int remove_uuid(struct sock *sk, struct hci_dev *hdev, void *data,
2124 		       u16 len)
2125 {
2126 	struct mgmt_cp_remove_uuid *cp = data;
2127 	struct mgmt_pending_cmd *cmd;
2128 	struct bt_uuid *match, *tmp;
2129 	u8 bt_uuid_any[] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
2130 	struct hci_request req;
2131 	int err, found;
2132 
2133 	BT_DBG("request for %s", hdev->name);
2134 
2135 	hci_dev_lock(hdev);
2136 
2137 	if (pending_eir_or_class(hdev)) {
2138 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_UUID,
2139 				      MGMT_STATUS_BUSY);
2140 		goto unlock;
2141 	}
2142 
2143 	if (memcmp(cp->uuid, bt_uuid_any, 16) == 0) {
2144 		hci_uuids_clear(hdev);
2145 
2146 		if (enable_service_cache(hdev)) {
2147 			err = mgmt_cmd_complete(sk, hdev->id,
2148 						MGMT_OP_REMOVE_UUID,
2149 						0, hdev->dev_class, 3);
2150 			goto unlock;
2151 		}
2152 
2153 		goto update_class;
2154 	}
2155 
2156 	found = 0;
2157 
2158 	list_for_each_entry_safe(match, tmp, &hdev->uuids, list) {
2159 		if (memcmp(match->uuid, cp->uuid, 16) != 0)
2160 			continue;
2161 
2162 		list_del(&match->list);
2163 		kfree(match);
2164 		found++;
2165 	}
2166 
2167 	if (found == 0) {
2168 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_UUID,
2169 				      MGMT_STATUS_INVALID_PARAMS);
2170 		goto unlock;
2171 	}
2172 
2173 update_class:
2174 	hci_req_init(&req, hdev);
2175 
2176 	__hci_req_update_class(&req);
2177 	__hci_req_update_eir(&req);
2178 
2179 	err = hci_req_run(&req, remove_uuid_complete);
2180 	if (err < 0) {
2181 		if (err != -ENODATA)
2182 			goto unlock;
2183 
2184 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_UUID, 0,
2185 					hdev->dev_class, 3);
2186 		goto unlock;
2187 	}
2188 
2189 	cmd = mgmt_pending_add(sk, MGMT_OP_REMOVE_UUID, hdev, data, len);
2190 	if (!cmd) {
2191 		err = -ENOMEM;
2192 		goto unlock;
2193 	}
2194 
2195 	err = 0;
2196 
2197 unlock:
2198 	hci_dev_unlock(hdev);
2199 	return err;
2200 }
2201 
2202 static void set_class_complete(struct hci_dev *hdev, u8 status, u16 opcode)
2203 {
2204 	BT_DBG("status 0x%02x", status);
2205 
2206 	mgmt_class_complete(hdev, MGMT_OP_SET_DEV_CLASS, status);
2207 }
2208 
2209 static int set_dev_class(struct sock *sk, struct hci_dev *hdev, void *data,
2210 			 u16 len)
2211 {
2212 	struct mgmt_cp_set_dev_class *cp = data;
2213 	struct mgmt_pending_cmd *cmd;
2214 	struct hci_request req;
2215 	int err;
2216 
2217 	BT_DBG("request for %s", hdev->name);
2218 
2219 	if (!lmp_bredr_capable(hdev))
2220 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEV_CLASS,
2221 				       MGMT_STATUS_NOT_SUPPORTED);
2222 
2223 	hci_dev_lock(hdev);
2224 
2225 	if (pending_eir_or_class(hdev)) {
2226 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEV_CLASS,
2227 				      MGMT_STATUS_BUSY);
2228 		goto unlock;
2229 	}
2230 
2231 	if ((cp->minor & 0x03) != 0 || (cp->major & 0xe0) != 0) {
2232 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEV_CLASS,
2233 				      MGMT_STATUS_INVALID_PARAMS);
2234 		goto unlock;
2235 	}
2236 
2237 	hdev->major_class = cp->major;
2238 	hdev->minor_class = cp->minor;
2239 
2240 	if (!hdev_is_powered(hdev)) {
2241 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_DEV_CLASS, 0,
2242 					hdev->dev_class, 3);
2243 		goto unlock;
2244 	}
2245 
2246 	hci_req_init(&req, hdev);
2247 
2248 	if (hci_dev_test_and_clear_flag(hdev, HCI_SERVICE_CACHE)) {
2249 		hci_dev_unlock(hdev);
2250 		cancel_delayed_work_sync(&hdev->service_cache);
2251 		hci_dev_lock(hdev);
2252 		__hci_req_update_eir(&req);
2253 	}
2254 
2255 	__hci_req_update_class(&req);
2256 
2257 	err = hci_req_run(&req, set_class_complete);
2258 	if (err < 0) {
2259 		if (err != -ENODATA)
2260 			goto unlock;
2261 
2262 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_DEV_CLASS, 0,
2263 					hdev->dev_class, 3);
2264 		goto unlock;
2265 	}
2266 
2267 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_DEV_CLASS, hdev, data, len);
2268 	if (!cmd) {
2269 		err = -ENOMEM;
2270 		goto unlock;
2271 	}
2272 
2273 	err = 0;
2274 
2275 unlock:
2276 	hci_dev_unlock(hdev);
2277 	return err;
2278 }
2279 
2280 static int load_link_keys(struct sock *sk, struct hci_dev *hdev, void *data,
2281 			  u16 len)
2282 {
2283 	struct mgmt_cp_load_link_keys *cp = data;
2284 	const u16 max_key_count = ((U16_MAX - sizeof(*cp)) /
2285 				   sizeof(struct mgmt_link_key_info));
2286 	u16 key_count, expected_len;
2287 	bool changed;
2288 	int i;
2289 
2290 	BT_DBG("request for %s", hdev->name);
2291 
2292 	if (!lmp_bredr_capable(hdev))
2293 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2294 				       MGMT_STATUS_NOT_SUPPORTED);
2295 
2296 	key_count = __le16_to_cpu(cp->key_count);
2297 	if (key_count > max_key_count) {
2298 		bt_dev_err(hdev, "load_link_keys: too big key_count value %u",
2299 			   key_count);
2300 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2301 				       MGMT_STATUS_INVALID_PARAMS);
2302 	}
2303 
2304 	expected_len = struct_size(cp, keys, key_count);
2305 	if (expected_len != len) {
2306 		bt_dev_err(hdev, "load_link_keys: expected %u bytes, got %u bytes",
2307 			   expected_len, len);
2308 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2309 				       MGMT_STATUS_INVALID_PARAMS);
2310 	}
2311 
2312 	if (cp->debug_keys != 0x00 && cp->debug_keys != 0x01)
2313 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2314 				       MGMT_STATUS_INVALID_PARAMS);
2315 
2316 	BT_DBG("%s debug_keys %u key_count %u", hdev->name, cp->debug_keys,
2317 	       key_count);
2318 
2319 	for (i = 0; i < key_count; i++) {
2320 		struct mgmt_link_key_info *key = &cp->keys[i];
2321 
2322 		if (key->addr.type != BDADDR_BREDR || key->type > 0x08)
2323 			return mgmt_cmd_status(sk, hdev->id,
2324 					       MGMT_OP_LOAD_LINK_KEYS,
2325 					       MGMT_STATUS_INVALID_PARAMS);
2326 	}
2327 
2328 	hci_dev_lock(hdev);
2329 
2330 	hci_link_keys_clear(hdev);
2331 
2332 	if (cp->debug_keys)
2333 		changed = !hci_dev_test_and_set_flag(hdev, HCI_KEEP_DEBUG_KEYS);
2334 	else
2335 		changed = hci_dev_test_and_clear_flag(hdev,
2336 						      HCI_KEEP_DEBUG_KEYS);
2337 
2338 	if (changed)
2339 		new_settings(hdev, NULL);
2340 
2341 	for (i = 0; i < key_count; i++) {
2342 		struct mgmt_link_key_info *key = &cp->keys[i];
2343 
2344 		/* Always ignore debug keys and require a new pairing if
2345 		 * the user wants to use them.
2346 		 */
2347 		if (key->type == HCI_LK_DEBUG_COMBINATION)
2348 			continue;
2349 
2350 		hci_add_link_key(hdev, NULL, &key->addr.bdaddr, key->val,
2351 				 key->type, key->pin_len, NULL);
2352 	}
2353 
2354 	mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS, 0, NULL, 0);
2355 
2356 	hci_dev_unlock(hdev);
2357 
2358 	return 0;
2359 }
2360 
2361 static int device_unpaired(struct hci_dev *hdev, bdaddr_t *bdaddr,
2362 			   u8 addr_type, struct sock *skip_sk)
2363 {
2364 	struct mgmt_ev_device_unpaired ev;
2365 
2366 	bacpy(&ev.addr.bdaddr, bdaddr);
2367 	ev.addr.type = addr_type;
2368 
2369 	return mgmt_event(MGMT_EV_DEVICE_UNPAIRED, hdev, &ev, sizeof(ev),
2370 			  skip_sk);
2371 }
2372 
2373 static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2374 			 u16 len)
2375 {
2376 	struct mgmt_cp_unpair_device *cp = data;
2377 	struct mgmt_rp_unpair_device rp;
2378 	struct hci_conn_params *params;
2379 	struct mgmt_pending_cmd *cmd;
2380 	struct hci_conn *conn;
2381 	u8 addr_type;
2382 	int err;
2383 
2384 	memset(&rp, 0, sizeof(rp));
2385 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
2386 	rp.addr.type = cp->addr.type;
2387 
2388 	if (!bdaddr_type_is_valid(cp->addr.type))
2389 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2390 					 MGMT_STATUS_INVALID_PARAMS,
2391 					 &rp, sizeof(rp));
2392 
2393 	if (cp->disconnect != 0x00 && cp->disconnect != 0x01)
2394 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2395 					 MGMT_STATUS_INVALID_PARAMS,
2396 					 &rp, sizeof(rp));
2397 
2398 	hci_dev_lock(hdev);
2399 
2400 	if (!hdev_is_powered(hdev)) {
2401 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2402 					MGMT_STATUS_NOT_POWERED, &rp,
2403 					sizeof(rp));
2404 		goto unlock;
2405 	}
2406 
2407 	if (cp->addr.type == BDADDR_BREDR) {
2408 		/* If disconnection is requested, then look up the
2409 		 * connection. If the remote device is connected, it
2410 		 * will be later used to terminate the link.
2411 		 *
2412 		 * Setting it to NULL explicitly will cause no
2413 		 * termination of the link.
2414 		 */
2415 		if (cp->disconnect)
2416 			conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
2417 						       &cp->addr.bdaddr);
2418 		else
2419 			conn = NULL;
2420 
2421 		err = hci_remove_link_key(hdev, &cp->addr.bdaddr);
2422 		if (err < 0) {
2423 			err = mgmt_cmd_complete(sk, hdev->id,
2424 						MGMT_OP_UNPAIR_DEVICE,
2425 						MGMT_STATUS_NOT_PAIRED, &rp,
2426 						sizeof(rp));
2427 			goto unlock;
2428 		}
2429 
2430 		goto done;
2431 	}
2432 
2433 	/* LE address type */
2434 	addr_type = le_addr_type(cp->addr.type);
2435 
2436 	/* Abort any ongoing SMP pairing. Removes ltk and irk if they exist. */
2437 	err = smp_cancel_and_remove_pairing(hdev, &cp->addr.bdaddr, addr_type);
2438 	if (err < 0) {
2439 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2440 					MGMT_STATUS_NOT_PAIRED, &rp,
2441 					sizeof(rp));
2442 		goto unlock;
2443 	}
2444 
2445 	conn = hci_conn_hash_lookup_le(hdev, &cp->addr.bdaddr, addr_type);
2446 	if (!conn) {
2447 		hci_conn_params_del(hdev, &cp->addr.bdaddr, addr_type);
2448 		goto done;
2449 	}
2450 
2451 
2452 	/* Defer clearing up the connection parameters until closing to
2453 	 * give a chance of keeping them if a repairing happens.
2454 	 */
2455 	set_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags);
2456 
2457 	/* Disable auto-connection parameters if present */
2458 	params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr, addr_type);
2459 	if (params) {
2460 		if (params->explicit_connect)
2461 			params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
2462 		else
2463 			params->auto_connect = HCI_AUTO_CONN_DISABLED;
2464 	}
2465 
2466 	/* If disconnection is not requested, then clear the connection
2467 	 * variable so that the link is not terminated.
2468 	 */
2469 	if (!cp->disconnect)
2470 		conn = NULL;
2471 
2472 done:
2473 	/* If the connection variable is set, then termination of the
2474 	 * link is requested.
2475 	 */
2476 	if (!conn) {
2477 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE, 0,
2478 					&rp, sizeof(rp));
2479 		device_unpaired(hdev, &cp->addr.bdaddr, cp->addr.type, sk);
2480 		goto unlock;
2481 	}
2482 
2483 	cmd = mgmt_pending_add(sk, MGMT_OP_UNPAIR_DEVICE, hdev, cp,
2484 			       sizeof(*cp));
2485 	if (!cmd) {
2486 		err = -ENOMEM;
2487 		goto unlock;
2488 	}
2489 
2490 	cmd->cmd_complete = addr_cmd_complete;
2491 
2492 	err = hci_abort_conn(conn, HCI_ERROR_REMOTE_USER_TERM);
2493 	if (err < 0)
2494 		mgmt_pending_remove(cmd);
2495 
2496 unlock:
2497 	hci_dev_unlock(hdev);
2498 	return err;
2499 }
2500 
2501 static int disconnect(struct sock *sk, struct hci_dev *hdev, void *data,
2502 		      u16 len)
2503 {
2504 	struct mgmt_cp_disconnect *cp = data;
2505 	struct mgmt_rp_disconnect rp;
2506 	struct mgmt_pending_cmd *cmd;
2507 	struct hci_conn *conn;
2508 	int err;
2509 
2510 	BT_DBG("");
2511 
2512 	memset(&rp, 0, sizeof(rp));
2513 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
2514 	rp.addr.type = cp->addr.type;
2515 
2516 	if (!bdaddr_type_is_valid(cp->addr.type))
2517 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
2518 					 MGMT_STATUS_INVALID_PARAMS,
2519 					 &rp, sizeof(rp));
2520 
2521 	hci_dev_lock(hdev);
2522 
2523 	if (!test_bit(HCI_UP, &hdev->flags)) {
2524 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
2525 					MGMT_STATUS_NOT_POWERED, &rp,
2526 					sizeof(rp));
2527 		goto failed;
2528 	}
2529 
2530 	if (pending_find(MGMT_OP_DISCONNECT, hdev)) {
2531 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
2532 					MGMT_STATUS_BUSY, &rp, sizeof(rp));
2533 		goto failed;
2534 	}
2535 
2536 	if (cp->addr.type == BDADDR_BREDR)
2537 		conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
2538 					       &cp->addr.bdaddr);
2539 	else
2540 		conn = hci_conn_hash_lookup_le(hdev, &cp->addr.bdaddr,
2541 					       le_addr_type(cp->addr.type));
2542 
2543 	if (!conn || conn->state == BT_OPEN || conn->state == BT_CLOSED) {
2544 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
2545 					MGMT_STATUS_NOT_CONNECTED, &rp,
2546 					sizeof(rp));
2547 		goto failed;
2548 	}
2549 
2550 	cmd = mgmt_pending_add(sk, MGMT_OP_DISCONNECT, hdev, data, len);
2551 	if (!cmd) {
2552 		err = -ENOMEM;
2553 		goto failed;
2554 	}
2555 
2556 	cmd->cmd_complete = generic_cmd_complete;
2557 
2558 	err = hci_disconnect(conn, HCI_ERROR_REMOTE_USER_TERM);
2559 	if (err < 0)
2560 		mgmt_pending_remove(cmd);
2561 
2562 failed:
2563 	hci_dev_unlock(hdev);
2564 	return err;
2565 }
2566 
2567 static u8 link_to_bdaddr(u8 link_type, u8 addr_type)
2568 {
2569 	switch (link_type) {
2570 	case LE_LINK:
2571 		switch (addr_type) {
2572 		case ADDR_LE_DEV_PUBLIC:
2573 			return BDADDR_LE_PUBLIC;
2574 
2575 		default:
2576 			/* Fallback to LE Random address type */
2577 			return BDADDR_LE_RANDOM;
2578 		}
2579 
2580 	default:
2581 		/* Fallback to BR/EDR type */
2582 		return BDADDR_BREDR;
2583 	}
2584 }
2585 
2586 static int get_connections(struct sock *sk, struct hci_dev *hdev, void *data,
2587 			   u16 data_len)
2588 {
2589 	struct mgmt_rp_get_connections *rp;
2590 	struct hci_conn *c;
2591 	size_t rp_len;
2592 	int err;
2593 	u16 i;
2594 
2595 	BT_DBG("");
2596 
2597 	hci_dev_lock(hdev);
2598 
2599 	if (!hdev_is_powered(hdev)) {
2600 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_GET_CONNECTIONS,
2601 				      MGMT_STATUS_NOT_POWERED);
2602 		goto unlock;
2603 	}
2604 
2605 	i = 0;
2606 	list_for_each_entry(c, &hdev->conn_hash.list, list) {
2607 		if (test_bit(HCI_CONN_MGMT_CONNECTED, &c->flags))
2608 			i++;
2609 	}
2610 
2611 	rp_len = sizeof(*rp) + (i * sizeof(struct mgmt_addr_info));
2612 	rp = kmalloc(rp_len, GFP_KERNEL);
2613 	if (!rp) {
2614 		err = -ENOMEM;
2615 		goto unlock;
2616 	}
2617 
2618 	i = 0;
2619 	list_for_each_entry(c, &hdev->conn_hash.list, list) {
2620 		if (!test_bit(HCI_CONN_MGMT_CONNECTED, &c->flags))
2621 			continue;
2622 		bacpy(&rp->addr[i].bdaddr, &c->dst);
2623 		rp->addr[i].type = link_to_bdaddr(c->type, c->dst_type);
2624 		if (c->type == SCO_LINK || c->type == ESCO_LINK)
2625 			continue;
2626 		i++;
2627 	}
2628 
2629 	rp->conn_count = cpu_to_le16(i);
2630 
2631 	/* Recalculate length in case of filtered SCO connections, etc */
2632 	rp_len = sizeof(*rp) + (i * sizeof(struct mgmt_addr_info));
2633 
2634 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONNECTIONS, 0, rp,
2635 				rp_len);
2636 
2637 	kfree(rp);
2638 
2639 unlock:
2640 	hci_dev_unlock(hdev);
2641 	return err;
2642 }
2643 
2644 static int send_pin_code_neg_reply(struct sock *sk, struct hci_dev *hdev,
2645 				   struct mgmt_cp_pin_code_neg_reply *cp)
2646 {
2647 	struct mgmt_pending_cmd *cmd;
2648 	int err;
2649 
2650 	cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_NEG_REPLY, hdev, cp,
2651 			       sizeof(*cp));
2652 	if (!cmd)
2653 		return -ENOMEM;
2654 
2655 	cmd->cmd_complete = addr_cmd_complete;
2656 
2657 	err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
2658 			   sizeof(cp->addr.bdaddr), &cp->addr.bdaddr);
2659 	if (err < 0)
2660 		mgmt_pending_remove(cmd);
2661 
2662 	return err;
2663 }
2664 
2665 static int pin_code_reply(struct sock *sk, struct hci_dev *hdev, void *data,
2666 			  u16 len)
2667 {
2668 	struct hci_conn *conn;
2669 	struct mgmt_cp_pin_code_reply *cp = data;
2670 	struct hci_cp_pin_code_reply reply;
2671 	struct mgmt_pending_cmd *cmd;
2672 	int err;
2673 
2674 	BT_DBG("");
2675 
2676 	hci_dev_lock(hdev);
2677 
2678 	if (!hdev_is_powered(hdev)) {
2679 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
2680 				      MGMT_STATUS_NOT_POWERED);
2681 		goto failed;
2682 	}
2683 
2684 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->addr.bdaddr);
2685 	if (!conn) {
2686 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
2687 				      MGMT_STATUS_NOT_CONNECTED);
2688 		goto failed;
2689 	}
2690 
2691 	if (conn->pending_sec_level == BT_SECURITY_HIGH && cp->pin_len != 16) {
2692 		struct mgmt_cp_pin_code_neg_reply ncp;
2693 
2694 		memcpy(&ncp.addr, &cp->addr, sizeof(ncp.addr));
2695 
2696 		bt_dev_err(hdev, "PIN code is not 16 bytes long");
2697 
2698 		err = send_pin_code_neg_reply(sk, hdev, &ncp);
2699 		if (err >= 0)
2700 			err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
2701 					      MGMT_STATUS_INVALID_PARAMS);
2702 
2703 		goto failed;
2704 	}
2705 
2706 	cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_REPLY, hdev, data, len);
2707 	if (!cmd) {
2708 		err = -ENOMEM;
2709 		goto failed;
2710 	}
2711 
2712 	cmd->cmd_complete = addr_cmd_complete;
2713 
2714 	bacpy(&reply.bdaddr, &cp->addr.bdaddr);
2715 	reply.pin_len = cp->pin_len;
2716 	memcpy(reply.pin_code, cp->pin_code, sizeof(reply.pin_code));
2717 
2718 	err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_REPLY, sizeof(reply), &reply);
2719 	if (err < 0)
2720 		mgmt_pending_remove(cmd);
2721 
2722 failed:
2723 	hci_dev_unlock(hdev);
2724 	return err;
2725 }
2726 
2727 static int set_io_capability(struct sock *sk, struct hci_dev *hdev, void *data,
2728 			     u16 len)
2729 {
2730 	struct mgmt_cp_set_io_capability *cp = data;
2731 
2732 	BT_DBG("");
2733 
2734 	if (cp->io_capability > SMP_IO_KEYBOARD_DISPLAY)
2735 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_IO_CAPABILITY,
2736 				       MGMT_STATUS_INVALID_PARAMS);
2737 
2738 	hci_dev_lock(hdev);
2739 
2740 	hdev->io_capability = cp->io_capability;
2741 
2742 	BT_DBG("%s IO capability set to 0x%02x", hdev->name,
2743 	       hdev->io_capability);
2744 
2745 	hci_dev_unlock(hdev);
2746 
2747 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_IO_CAPABILITY, 0,
2748 				 NULL, 0);
2749 }
2750 
2751 static struct mgmt_pending_cmd *find_pairing(struct hci_conn *conn)
2752 {
2753 	struct hci_dev *hdev = conn->hdev;
2754 	struct mgmt_pending_cmd *cmd;
2755 
2756 	list_for_each_entry(cmd, &hdev->mgmt_pending, list) {
2757 		if (cmd->opcode != MGMT_OP_PAIR_DEVICE)
2758 			continue;
2759 
2760 		if (cmd->user_data != conn)
2761 			continue;
2762 
2763 		return cmd;
2764 	}
2765 
2766 	return NULL;
2767 }
2768 
2769 static int pairing_complete(struct mgmt_pending_cmd *cmd, u8 status)
2770 {
2771 	struct mgmt_rp_pair_device rp;
2772 	struct hci_conn *conn = cmd->user_data;
2773 	int err;
2774 
2775 	bacpy(&rp.addr.bdaddr, &conn->dst);
2776 	rp.addr.type = link_to_bdaddr(conn->type, conn->dst_type);
2777 
2778 	err = mgmt_cmd_complete(cmd->sk, cmd->index, MGMT_OP_PAIR_DEVICE,
2779 				status, &rp, sizeof(rp));
2780 
2781 	/* So we don't get further callbacks for this connection */
2782 	conn->connect_cfm_cb = NULL;
2783 	conn->security_cfm_cb = NULL;
2784 	conn->disconn_cfm_cb = NULL;
2785 
2786 	hci_conn_drop(conn);
2787 
2788 	/* The device is paired so there is no need to remove
2789 	 * its connection parameters anymore.
2790 	 */
2791 	clear_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags);
2792 
2793 	hci_conn_put(conn);
2794 
2795 	return err;
2796 }
2797 
2798 void mgmt_smp_complete(struct hci_conn *conn, bool complete)
2799 {
2800 	u8 status = complete ? MGMT_STATUS_SUCCESS : MGMT_STATUS_FAILED;
2801 	struct mgmt_pending_cmd *cmd;
2802 
2803 	cmd = find_pairing(conn);
2804 	if (cmd) {
2805 		cmd->cmd_complete(cmd, status);
2806 		mgmt_pending_remove(cmd);
2807 	}
2808 }
2809 
2810 static void pairing_complete_cb(struct hci_conn *conn, u8 status)
2811 {
2812 	struct mgmt_pending_cmd *cmd;
2813 
2814 	BT_DBG("status %u", status);
2815 
2816 	cmd = find_pairing(conn);
2817 	if (!cmd) {
2818 		BT_DBG("Unable to find a pending command");
2819 		return;
2820 	}
2821 
2822 	cmd->cmd_complete(cmd, mgmt_status(status));
2823 	mgmt_pending_remove(cmd);
2824 }
2825 
2826 static void le_pairing_complete_cb(struct hci_conn *conn, u8 status)
2827 {
2828 	struct mgmt_pending_cmd *cmd;
2829 
2830 	BT_DBG("status %u", status);
2831 
2832 	if (!status)
2833 		return;
2834 
2835 	cmd = find_pairing(conn);
2836 	if (!cmd) {
2837 		BT_DBG("Unable to find a pending command");
2838 		return;
2839 	}
2840 
2841 	cmd->cmd_complete(cmd, mgmt_status(status));
2842 	mgmt_pending_remove(cmd);
2843 }
2844 
2845 static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2846 		       u16 len)
2847 {
2848 	struct mgmt_cp_pair_device *cp = data;
2849 	struct mgmt_rp_pair_device rp;
2850 	struct mgmt_pending_cmd *cmd;
2851 	u8 sec_level, auth_type;
2852 	struct hci_conn *conn;
2853 	int err;
2854 
2855 	BT_DBG("");
2856 
2857 	memset(&rp, 0, sizeof(rp));
2858 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
2859 	rp.addr.type = cp->addr.type;
2860 
2861 	if (!bdaddr_type_is_valid(cp->addr.type))
2862 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2863 					 MGMT_STATUS_INVALID_PARAMS,
2864 					 &rp, sizeof(rp));
2865 
2866 	if (cp->io_cap > SMP_IO_KEYBOARD_DISPLAY)
2867 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2868 					 MGMT_STATUS_INVALID_PARAMS,
2869 					 &rp, sizeof(rp));
2870 
2871 	hci_dev_lock(hdev);
2872 
2873 	if (!hdev_is_powered(hdev)) {
2874 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2875 					MGMT_STATUS_NOT_POWERED, &rp,
2876 					sizeof(rp));
2877 		goto unlock;
2878 	}
2879 
2880 	if (hci_bdaddr_is_paired(hdev, &cp->addr.bdaddr, cp->addr.type)) {
2881 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2882 					MGMT_STATUS_ALREADY_PAIRED, &rp,
2883 					sizeof(rp));
2884 		goto unlock;
2885 	}
2886 
2887 	sec_level = BT_SECURITY_MEDIUM;
2888 	auth_type = HCI_AT_DEDICATED_BONDING;
2889 
2890 	if (cp->addr.type == BDADDR_BREDR) {
2891 		conn = hci_connect_acl(hdev, &cp->addr.bdaddr, sec_level,
2892 				       auth_type);
2893 	} else {
2894 		u8 addr_type = le_addr_type(cp->addr.type);
2895 		struct hci_conn_params *p;
2896 
2897 		/* When pairing a new device, it is expected to remember
2898 		 * this device for future connections. Adding the connection
2899 		 * parameter information ahead of time allows tracking
2900 		 * of the slave preferred values and will speed up any
2901 		 * further connection establishment.
2902 		 *
2903 		 * If connection parameters already exist, then they
2904 		 * will be kept and this function does nothing.
2905 		 */
2906 		p = hci_conn_params_add(hdev, &cp->addr.bdaddr, addr_type);
2907 
2908 		if (p->auto_connect == HCI_AUTO_CONN_EXPLICIT)
2909 			p->auto_connect = HCI_AUTO_CONN_DISABLED;
2910 
2911 		conn = hci_connect_le_scan(hdev, &cp->addr.bdaddr,
2912 					   addr_type, sec_level,
2913 					   HCI_LE_CONN_TIMEOUT);
2914 	}
2915 
2916 	if (IS_ERR(conn)) {
2917 		int status;
2918 
2919 		if (PTR_ERR(conn) == -EBUSY)
2920 			status = MGMT_STATUS_BUSY;
2921 		else if (PTR_ERR(conn) == -EOPNOTSUPP)
2922 			status = MGMT_STATUS_NOT_SUPPORTED;
2923 		else if (PTR_ERR(conn) == -ECONNREFUSED)
2924 			status = MGMT_STATUS_REJECTED;
2925 		else
2926 			status = MGMT_STATUS_CONNECT_FAILED;
2927 
2928 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2929 					status, &rp, sizeof(rp));
2930 		goto unlock;
2931 	}
2932 
2933 	if (conn->connect_cfm_cb) {
2934 		hci_conn_drop(conn);
2935 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2936 					MGMT_STATUS_BUSY, &rp, sizeof(rp));
2937 		goto unlock;
2938 	}
2939 
2940 	cmd = mgmt_pending_add(sk, MGMT_OP_PAIR_DEVICE, hdev, data, len);
2941 	if (!cmd) {
2942 		err = -ENOMEM;
2943 		hci_conn_drop(conn);
2944 		goto unlock;
2945 	}
2946 
2947 	cmd->cmd_complete = pairing_complete;
2948 
2949 	/* For LE, just connecting isn't a proof that the pairing finished */
2950 	if (cp->addr.type == BDADDR_BREDR) {
2951 		conn->connect_cfm_cb = pairing_complete_cb;
2952 		conn->security_cfm_cb = pairing_complete_cb;
2953 		conn->disconn_cfm_cb = pairing_complete_cb;
2954 	} else {
2955 		conn->connect_cfm_cb = le_pairing_complete_cb;
2956 		conn->security_cfm_cb = le_pairing_complete_cb;
2957 		conn->disconn_cfm_cb = le_pairing_complete_cb;
2958 	}
2959 
2960 	conn->io_capability = cp->io_cap;
2961 	cmd->user_data = hci_conn_get(conn);
2962 
2963 	if ((conn->state == BT_CONNECTED || conn->state == BT_CONFIG) &&
2964 	    hci_conn_security(conn, sec_level, auth_type, true)) {
2965 		cmd->cmd_complete(cmd, 0);
2966 		mgmt_pending_remove(cmd);
2967 	}
2968 
2969 	err = 0;
2970 
2971 unlock:
2972 	hci_dev_unlock(hdev);
2973 	return err;
2974 }
2975 
2976 static int cancel_pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2977 			      u16 len)
2978 {
2979 	struct mgmt_addr_info *addr = data;
2980 	struct mgmt_pending_cmd *cmd;
2981 	struct hci_conn *conn;
2982 	int err;
2983 
2984 	BT_DBG("");
2985 
2986 	hci_dev_lock(hdev);
2987 
2988 	if (!hdev_is_powered(hdev)) {
2989 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
2990 				      MGMT_STATUS_NOT_POWERED);
2991 		goto unlock;
2992 	}
2993 
2994 	cmd = pending_find(MGMT_OP_PAIR_DEVICE, hdev);
2995 	if (!cmd) {
2996 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
2997 				      MGMT_STATUS_INVALID_PARAMS);
2998 		goto unlock;
2999 	}
3000 
3001 	conn = cmd->user_data;
3002 
3003 	if (bacmp(&addr->bdaddr, &conn->dst) != 0) {
3004 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
3005 				      MGMT_STATUS_INVALID_PARAMS);
3006 		goto unlock;
3007 	}
3008 
3009 	cmd->cmd_complete(cmd, MGMT_STATUS_CANCELLED);
3010 	mgmt_pending_remove(cmd);
3011 
3012 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE, 0,
3013 				addr, sizeof(*addr));
3014 unlock:
3015 	hci_dev_unlock(hdev);
3016 	return err;
3017 }
3018 
3019 static int user_pairing_resp(struct sock *sk, struct hci_dev *hdev,
3020 			     struct mgmt_addr_info *addr, u16 mgmt_op,
3021 			     u16 hci_op, __le32 passkey)
3022 {
3023 	struct mgmt_pending_cmd *cmd;
3024 	struct hci_conn *conn;
3025 	int err;
3026 
3027 	hci_dev_lock(hdev);
3028 
3029 	if (!hdev_is_powered(hdev)) {
3030 		err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
3031 					MGMT_STATUS_NOT_POWERED, addr,
3032 					sizeof(*addr));
3033 		goto done;
3034 	}
3035 
3036 	if (addr->type == BDADDR_BREDR)
3037 		conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &addr->bdaddr);
3038 	else
3039 		conn = hci_conn_hash_lookup_le(hdev, &addr->bdaddr,
3040 					       le_addr_type(addr->type));
3041 
3042 	if (!conn) {
3043 		err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
3044 					MGMT_STATUS_NOT_CONNECTED, addr,
3045 					sizeof(*addr));
3046 		goto done;
3047 	}
3048 
3049 	if (addr->type == BDADDR_LE_PUBLIC || addr->type == BDADDR_LE_RANDOM) {
3050 		err = smp_user_confirm_reply(conn, mgmt_op, passkey);
3051 		if (!err)
3052 			err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
3053 						MGMT_STATUS_SUCCESS, addr,
3054 						sizeof(*addr));
3055 		else
3056 			err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
3057 						MGMT_STATUS_FAILED, addr,
3058 						sizeof(*addr));
3059 
3060 		goto done;
3061 	}
3062 
3063 	cmd = mgmt_pending_add(sk, mgmt_op, hdev, addr, sizeof(*addr));
3064 	if (!cmd) {
3065 		err = -ENOMEM;
3066 		goto done;
3067 	}
3068 
3069 	cmd->cmd_complete = addr_cmd_complete;
3070 
3071 	/* Continue with pairing via HCI */
3072 	if (hci_op == HCI_OP_USER_PASSKEY_REPLY) {
3073 		struct hci_cp_user_passkey_reply cp;
3074 
3075 		bacpy(&cp.bdaddr, &addr->bdaddr);
3076 		cp.passkey = passkey;
3077 		err = hci_send_cmd(hdev, hci_op, sizeof(cp), &cp);
3078 	} else
3079 		err = hci_send_cmd(hdev, hci_op, sizeof(addr->bdaddr),
3080 				   &addr->bdaddr);
3081 
3082 	if (err < 0)
3083 		mgmt_pending_remove(cmd);
3084 
3085 done:
3086 	hci_dev_unlock(hdev);
3087 	return err;
3088 }
3089 
3090 static int pin_code_neg_reply(struct sock *sk, struct hci_dev *hdev,
3091 			      void *data, u16 len)
3092 {
3093 	struct mgmt_cp_pin_code_neg_reply *cp = data;
3094 
3095 	BT_DBG("");
3096 
3097 	return user_pairing_resp(sk, hdev, &cp->addr,
3098 				MGMT_OP_PIN_CODE_NEG_REPLY,
3099 				HCI_OP_PIN_CODE_NEG_REPLY, 0);
3100 }
3101 
3102 static int user_confirm_reply(struct sock *sk, struct hci_dev *hdev, void *data,
3103 			      u16 len)
3104 {
3105 	struct mgmt_cp_user_confirm_reply *cp = data;
3106 
3107 	BT_DBG("");
3108 
3109 	if (len != sizeof(*cp))
3110 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_USER_CONFIRM_REPLY,
3111 				       MGMT_STATUS_INVALID_PARAMS);
3112 
3113 	return user_pairing_resp(sk, hdev, &cp->addr,
3114 				 MGMT_OP_USER_CONFIRM_REPLY,
3115 				 HCI_OP_USER_CONFIRM_REPLY, 0);
3116 }
3117 
3118 static int user_confirm_neg_reply(struct sock *sk, struct hci_dev *hdev,
3119 				  void *data, u16 len)
3120 {
3121 	struct mgmt_cp_user_confirm_neg_reply *cp = data;
3122 
3123 	BT_DBG("");
3124 
3125 	return user_pairing_resp(sk, hdev, &cp->addr,
3126 				 MGMT_OP_USER_CONFIRM_NEG_REPLY,
3127 				 HCI_OP_USER_CONFIRM_NEG_REPLY, 0);
3128 }
3129 
3130 static int user_passkey_reply(struct sock *sk, struct hci_dev *hdev, void *data,
3131 			      u16 len)
3132 {
3133 	struct mgmt_cp_user_passkey_reply *cp = data;
3134 
3135 	BT_DBG("");
3136 
3137 	return user_pairing_resp(sk, hdev, &cp->addr,
3138 				 MGMT_OP_USER_PASSKEY_REPLY,
3139 				 HCI_OP_USER_PASSKEY_REPLY, cp->passkey);
3140 }
3141 
3142 static int user_passkey_neg_reply(struct sock *sk, struct hci_dev *hdev,
3143 				  void *data, u16 len)
3144 {
3145 	struct mgmt_cp_user_passkey_neg_reply *cp = data;
3146 
3147 	BT_DBG("");
3148 
3149 	return user_pairing_resp(sk, hdev, &cp->addr,
3150 				 MGMT_OP_USER_PASSKEY_NEG_REPLY,
3151 				 HCI_OP_USER_PASSKEY_NEG_REPLY, 0);
3152 }
3153 
3154 static void adv_expire(struct hci_dev *hdev, u32 flags)
3155 {
3156 	struct adv_info *adv_instance;
3157 	struct hci_request req;
3158 	int err;
3159 
3160 	adv_instance = hci_find_adv_instance(hdev, hdev->cur_adv_instance);
3161 	if (!adv_instance)
3162 		return;
3163 
3164 	/* stop if current instance doesn't need to be changed */
3165 	if (!(adv_instance->flags & flags))
3166 		return;
3167 
3168 	cancel_adv_timeout(hdev);
3169 
3170 	adv_instance = hci_get_next_instance(hdev, adv_instance->instance);
3171 	if (!adv_instance)
3172 		return;
3173 
3174 	hci_req_init(&req, hdev);
3175 	err = __hci_req_schedule_adv_instance(&req, adv_instance->instance,
3176 					      true);
3177 	if (err)
3178 		return;
3179 
3180 	hci_req_run(&req, NULL);
3181 }
3182 
3183 static void set_name_complete(struct hci_dev *hdev, u8 status, u16 opcode)
3184 {
3185 	struct mgmt_cp_set_local_name *cp;
3186 	struct mgmt_pending_cmd *cmd;
3187 
3188 	BT_DBG("status 0x%02x", status);
3189 
3190 	hci_dev_lock(hdev);
3191 
3192 	cmd = pending_find(MGMT_OP_SET_LOCAL_NAME, hdev);
3193 	if (!cmd)
3194 		goto unlock;
3195 
3196 	cp = cmd->param;
3197 
3198 	if (status) {
3199 		mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_LOCAL_NAME,
3200 			        mgmt_status(status));
3201 	} else {
3202 		mgmt_cmd_complete(cmd->sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, 0,
3203 				  cp, sizeof(*cp));
3204 
3205 		if (hci_dev_test_flag(hdev, HCI_LE_ADV))
3206 			adv_expire(hdev, MGMT_ADV_FLAG_LOCAL_NAME);
3207 	}
3208 
3209 	mgmt_pending_remove(cmd);
3210 
3211 unlock:
3212 	hci_dev_unlock(hdev);
3213 }
3214 
3215 static int set_local_name(struct sock *sk, struct hci_dev *hdev, void *data,
3216 			  u16 len)
3217 {
3218 	struct mgmt_cp_set_local_name *cp = data;
3219 	struct mgmt_pending_cmd *cmd;
3220 	struct hci_request req;
3221 	int err;
3222 
3223 	BT_DBG("");
3224 
3225 	hci_dev_lock(hdev);
3226 
3227 	/* If the old values are the same as the new ones just return a
3228 	 * direct command complete event.
3229 	 */
3230 	if (!memcmp(hdev->dev_name, cp->name, sizeof(hdev->dev_name)) &&
3231 	    !memcmp(hdev->short_name, cp->short_name,
3232 		    sizeof(hdev->short_name))) {
3233 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, 0,
3234 					data, len);
3235 		goto failed;
3236 	}
3237 
3238 	memcpy(hdev->short_name, cp->short_name, sizeof(hdev->short_name));
3239 
3240 	if (!hdev_is_powered(hdev)) {
3241 		memcpy(hdev->dev_name, cp->name, sizeof(hdev->dev_name));
3242 
3243 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, 0,
3244 					data, len);
3245 		if (err < 0)
3246 			goto failed;
3247 
3248 		err = mgmt_limited_event(MGMT_EV_LOCAL_NAME_CHANGED, hdev, data,
3249 					 len, HCI_MGMT_LOCAL_NAME_EVENTS, sk);
3250 		ext_info_changed(hdev, sk);
3251 
3252 		goto failed;
3253 	}
3254 
3255 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_LOCAL_NAME, hdev, data, len);
3256 	if (!cmd) {
3257 		err = -ENOMEM;
3258 		goto failed;
3259 	}
3260 
3261 	memcpy(hdev->dev_name, cp->name, sizeof(hdev->dev_name));
3262 
3263 	hci_req_init(&req, hdev);
3264 
3265 	if (lmp_bredr_capable(hdev)) {
3266 		__hci_req_update_name(&req);
3267 		__hci_req_update_eir(&req);
3268 	}
3269 
3270 	/* The name is stored in the scan response data and so
3271 	 * no need to udpate the advertising data here.
3272 	 */
3273 	if (lmp_le_capable(hdev) && hci_dev_test_flag(hdev, HCI_ADVERTISING))
3274 		__hci_req_update_scan_rsp_data(&req, hdev->cur_adv_instance);
3275 
3276 	err = hci_req_run(&req, set_name_complete);
3277 	if (err < 0)
3278 		mgmt_pending_remove(cmd);
3279 
3280 failed:
3281 	hci_dev_unlock(hdev);
3282 	return err;
3283 }
3284 
3285 static int set_appearance(struct sock *sk, struct hci_dev *hdev, void *data,
3286 			  u16 len)
3287 {
3288 	struct mgmt_cp_set_appearance *cp = data;
3289 	u16 apperance;
3290 	int err;
3291 
3292 	BT_DBG("");
3293 
3294 	if (!lmp_le_capable(hdev))
3295 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_APPEARANCE,
3296 				       MGMT_STATUS_NOT_SUPPORTED);
3297 
3298 	apperance = le16_to_cpu(cp->appearance);
3299 
3300 	hci_dev_lock(hdev);
3301 
3302 	if (hdev->appearance != apperance) {
3303 		hdev->appearance = apperance;
3304 
3305 		if (hci_dev_test_flag(hdev, HCI_LE_ADV))
3306 			adv_expire(hdev, MGMT_ADV_FLAG_APPEARANCE);
3307 
3308 		ext_info_changed(hdev, sk);
3309 	}
3310 
3311 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_APPEARANCE, 0, NULL,
3312 				0);
3313 
3314 	hci_dev_unlock(hdev);
3315 
3316 	return err;
3317 }
3318 
3319 static int get_phy_configuration(struct sock *sk, struct hci_dev *hdev,
3320 				 void *data, u16 len)
3321 {
3322 	struct mgmt_rp_get_phy_confguration rp;
3323 
3324 	BT_DBG("sock %p %s", sk, hdev->name);
3325 
3326 	hci_dev_lock(hdev);
3327 
3328 	memset(&rp, 0, sizeof(rp));
3329 
3330 	rp.supported_phys = cpu_to_le32(get_supported_phys(hdev));
3331 	rp.selected_phys = cpu_to_le32(get_selected_phys(hdev));
3332 	rp.configurable_phys = cpu_to_le32(get_configurable_phys(hdev));
3333 
3334 	hci_dev_unlock(hdev);
3335 
3336 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_PHY_CONFIGURATION, 0,
3337 				 &rp, sizeof(rp));
3338 }
3339 
3340 int mgmt_phy_configuration_changed(struct hci_dev *hdev, struct sock *skip)
3341 {
3342 	struct mgmt_ev_phy_configuration_changed ev;
3343 
3344 	memset(&ev, 0, sizeof(ev));
3345 
3346 	ev.selected_phys = cpu_to_le32(get_selected_phys(hdev));
3347 
3348 	return mgmt_event(MGMT_EV_PHY_CONFIGURATION_CHANGED, hdev, &ev,
3349 			  sizeof(ev), skip);
3350 }
3351 
3352 static void set_default_phy_complete(struct hci_dev *hdev, u8 status,
3353 				     u16 opcode, struct sk_buff *skb)
3354 {
3355 	struct mgmt_pending_cmd *cmd;
3356 
3357 	BT_DBG("status 0x%02x", status);
3358 
3359 	hci_dev_lock(hdev);
3360 
3361 	cmd = pending_find(MGMT_OP_SET_PHY_CONFIGURATION, hdev);
3362 	if (!cmd)
3363 		goto unlock;
3364 
3365 	if (status) {
3366 		mgmt_cmd_status(cmd->sk, hdev->id,
3367 				MGMT_OP_SET_PHY_CONFIGURATION,
3368 				mgmt_status(status));
3369 	} else {
3370 		mgmt_cmd_complete(cmd->sk, hdev->id,
3371 				  MGMT_OP_SET_PHY_CONFIGURATION, 0,
3372 				  NULL, 0);
3373 
3374 		mgmt_phy_configuration_changed(hdev, cmd->sk);
3375 	}
3376 
3377 	mgmt_pending_remove(cmd);
3378 
3379 unlock:
3380 	hci_dev_unlock(hdev);
3381 }
3382 
3383 static int set_phy_configuration(struct sock *sk, struct hci_dev *hdev,
3384 				 void *data, u16 len)
3385 {
3386 	struct mgmt_cp_set_phy_confguration *cp = data;
3387 	struct hci_cp_le_set_default_phy cp_phy;
3388 	struct mgmt_pending_cmd *cmd;
3389 	struct hci_request req;
3390 	u32 selected_phys, configurable_phys, supported_phys, unconfigure_phys;
3391 	u16 pkt_type = (HCI_DH1 | HCI_DM1);
3392 	bool changed = false;
3393 	int err;
3394 
3395 	BT_DBG("sock %p %s", sk, hdev->name);
3396 
3397 	configurable_phys = get_configurable_phys(hdev);
3398 	supported_phys = get_supported_phys(hdev);
3399 	selected_phys = __le32_to_cpu(cp->selected_phys);
3400 
3401 	if (selected_phys & ~supported_phys)
3402 		return mgmt_cmd_status(sk, hdev->id,
3403 				       MGMT_OP_SET_PHY_CONFIGURATION,
3404 				       MGMT_STATUS_INVALID_PARAMS);
3405 
3406 	unconfigure_phys = supported_phys & ~configurable_phys;
3407 
3408 	if ((selected_phys & unconfigure_phys) != unconfigure_phys)
3409 		return mgmt_cmd_status(sk, hdev->id,
3410 				       MGMT_OP_SET_PHY_CONFIGURATION,
3411 				       MGMT_STATUS_INVALID_PARAMS);
3412 
3413 	if (selected_phys == get_selected_phys(hdev))
3414 		return mgmt_cmd_complete(sk, hdev->id,
3415 					 MGMT_OP_SET_PHY_CONFIGURATION,
3416 					 0, NULL, 0);
3417 
3418 	hci_dev_lock(hdev);
3419 
3420 	if (!hdev_is_powered(hdev)) {
3421 		err = mgmt_cmd_status(sk, hdev->id,
3422 				      MGMT_OP_SET_PHY_CONFIGURATION,
3423 				      MGMT_STATUS_REJECTED);
3424 		goto unlock;
3425 	}
3426 
3427 	if (pending_find(MGMT_OP_SET_PHY_CONFIGURATION, hdev)) {
3428 		err = mgmt_cmd_status(sk, hdev->id,
3429 				      MGMT_OP_SET_PHY_CONFIGURATION,
3430 				      MGMT_STATUS_BUSY);
3431 		goto unlock;
3432 	}
3433 
3434 	if (selected_phys & MGMT_PHY_BR_1M_3SLOT)
3435 		pkt_type |= (HCI_DH3 | HCI_DM3);
3436 	else
3437 		pkt_type &= ~(HCI_DH3 | HCI_DM3);
3438 
3439 	if (selected_phys & MGMT_PHY_BR_1M_5SLOT)
3440 		pkt_type |= (HCI_DH5 | HCI_DM5);
3441 	else
3442 		pkt_type &= ~(HCI_DH5 | HCI_DM5);
3443 
3444 	if (selected_phys & MGMT_PHY_EDR_2M_1SLOT)
3445 		pkt_type &= ~HCI_2DH1;
3446 	else
3447 		pkt_type |= HCI_2DH1;
3448 
3449 	if (selected_phys & MGMT_PHY_EDR_2M_3SLOT)
3450 		pkt_type &= ~HCI_2DH3;
3451 	else
3452 		pkt_type |= HCI_2DH3;
3453 
3454 	if (selected_phys & MGMT_PHY_EDR_2M_5SLOT)
3455 		pkt_type &= ~HCI_2DH5;
3456 	else
3457 		pkt_type |= HCI_2DH5;
3458 
3459 	if (selected_phys & MGMT_PHY_EDR_3M_1SLOT)
3460 		pkt_type &= ~HCI_3DH1;
3461 	else
3462 		pkt_type |= HCI_3DH1;
3463 
3464 	if (selected_phys & MGMT_PHY_EDR_3M_3SLOT)
3465 		pkt_type &= ~HCI_3DH3;
3466 	else
3467 		pkt_type |= HCI_3DH3;
3468 
3469 	if (selected_phys & MGMT_PHY_EDR_3M_5SLOT)
3470 		pkt_type &= ~HCI_3DH5;
3471 	else
3472 		pkt_type |= HCI_3DH5;
3473 
3474 	if (pkt_type != hdev->pkt_type) {
3475 		hdev->pkt_type = pkt_type;
3476 		changed = true;
3477 	}
3478 
3479 	if ((selected_phys & MGMT_PHY_LE_MASK) ==
3480 	    (get_selected_phys(hdev) & MGMT_PHY_LE_MASK)) {
3481 		if (changed)
3482 			mgmt_phy_configuration_changed(hdev, sk);
3483 
3484 		err = mgmt_cmd_complete(sk, hdev->id,
3485 					MGMT_OP_SET_PHY_CONFIGURATION,
3486 					0, NULL, 0);
3487 
3488 		goto unlock;
3489 	}
3490 
3491 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_PHY_CONFIGURATION, hdev, data,
3492 			       len);
3493 	if (!cmd) {
3494 		err = -ENOMEM;
3495 		goto unlock;
3496 	}
3497 
3498 	hci_req_init(&req, hdev);
3499 
3500 	memset(&cp_phy, 0, sizeof(cp_phy));
3501 
3502 	if (!(selected_phys & MGMT_PHY_LE_TX_MASK))
3503 		cp_phy.all_phys |= 0x01;
3504 
3505 	if (!(selected_phys & MGMT_PHY_LE_RX_MASK))
3506 		cp_phy.all_phys |= 0x02;
3507 
3508 	if (selected_phys & MGMT_PHY_LE_1M_TX)
3509 		cp_phy.tx_phys |= HCI_LE_SET_PHY_1M;
3510 
3511 	if (selected_phys & MGMT_PHY_LE_2M_TX)
3512 		cp_phy.tx_phys |= HCI_LE_SET_PHY_2M;
3513 
3514 	if (selected_phys & MGMT_PHY_LE_CODED_TX)
3515 		cp_phy.tx_phys |= HCI_LE_SET_PHY_CODED;
3516 
3517 	if (selected_phys & MGMT_PHY_LE_1M_RX)
3518 		cp_phy.rx_phys |= HCI_LE_SET_PHY_1M;
3519 
3520 	if (selected_phys & MGMT_PHY_LE_2M_RX)
3521 		cp_phy.rx_phys |= HCI_LE_SET_PHY_2M;
3522 
3523 	if (selected_phys & MGMT_PHY_LE_CODED_RX)
3524 		cp_phy.rx_phys |= HCI_LE_SET_PHY_CODED;
3525 
3526 	hci_req_add(&req, HCI_OP_LE_SET_DEFAULT_PHY, sizeof(cp_phy), &cp_phy);
3527 
3528 	err = hci_req_run_skb(&req, set_default_phy_complete);
3529 	if (err < 0)
3530 		mgmt_pending_remove(cmd);
3531 
3532 unlock:
3533 	hci_dev_unlock(hdev);
3534 
3535 	return err;
3536 }
3537 
3538 static void read_local_oob_data_complete(struct hci_dev *hdev, u8 status,
3539 				         u16 opcode, struct sk_buff *skb)
3540 {
3541 	struct mgmt_rp_read_local_oob_data mgmt_rp;
3542 	size_t rp_size = sizeof(mgmt_rp);
3543 	struct mgmt_pending_cmd *cmd;
3544 
3545 	BT_DBG("%s status %u", hdev->name, status);
3546 
3547 	cmd = pending_find(MGMT_OP_READ_LOCAL_OOB_DATA, hdev);
3548 	if (!cmd)
3549 		return;
3550 
3551 	if (status || !skb) {
3552 		mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
3553 				status ? mgmt_status(status) : MGMT_STATUS_FAILED);
3554 		goto remove;
3555 	}
3556 
3557 	memset(&mgmt_rp, 0, sizeof(mgmt_rp));
3558 
3559 	if (opcode == HCI_OP_READ_LOCAL_OOB_DATA) {
3560 		struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
3561 
3562 		if (skb->len < sizeof(*rp)) {
3563 			mgmt_cmd_status(cmd->sk, hdev->id,
3564 					MGMT_OP_READ_LOCAL_OOB_DATA,
3565 					MGMT_STATUS_FAILED);
3566 			goto remove;
3567 		}
3568 
3569 		memcpy(mgmt_rp.hash192, rp->hash, sizeof(rp->hash));
3570 		memcpy(mgmt_rp.rand192, rp->rand, sizeof(rp->rand));
3571 
3572 		rp_size -= sizeof(mgmt_rp.hash256) + sizeof(mgmt_rp.rand256);
3573 	} else {
3574 		struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
3575 
3576 		if (skb->len < sizeof(*rp)) {
3577 			mgmt_cmd_status(cmd->sk, hdev->id,
3578 					MGMT_OP_READ_LOCAL_OOB_DATA,
3579 					MGMT_STATUS_FAILED);
3580 			goto remove;
3581 		}
3582 
3583 		memcpy(mgmt_rp.hash192, rp->hash192, sizeof(rp->hash192));
3584 		memcpy(mgmt_rp.rand192, rp->rand192, sizeof(rp->rand192));
3585 
3586 		memcpy(mgmt_rp.hash256, rp->hash256, sizeof(rp->hash256));
3587 		memcpy(mgmt_rp.rand256, rp->rand256, sizeof(rp->rand256));
3588 	}
3589 
3590 	mgmt_cmd_complete(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
3591 			  MGMT_STATUS_SUCCESS, &mgmt_rp, rp_size);
3592 
3593 remove:
3594 	mgmt_pending_remove(cmd);
3595 }
3596 
3597 static int read_local_oob_data(struct sock *sk, struct hci_dev *hdev,
3598 			       void *data, u16 data_len)
3599 {
3600 	struct mgmt_pending_cmd *cmd;
3601 	struct hci_request req;
3602 	int err;
3603 
3604 	BT_DBG("%s", hdev->name);
3605 
3606 	hci_dev_lock(hdev);
3607 
3608 	if (!hdev_is_powered(hdev)) {
3609 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
3610 				      MGMT_STATUS_NOT_POWERED);
3611 		goto unlock;
3612 	}
3613 
3614 	if (!lmp_ssp_capable(hdev)) {
3615 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
3616 				      MGMT_STATUS_NOT_SUPPORTED);
3617 		goto unlock;
3618 	}
3619 
3620 	if (pending_find(MGMT_OP_READ_LOCAL_OOB_DATA, hdev)) {
3621 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
3622 				      MGMT_STATUS_BUSY);
3623 		goto unlock;
3624 	}
3625 
3626 	cmd = mgmt_pending_add(sk, MGMT_OP_READ_LOCAL_OOB_DATA, hdev, NULL, 0);
3627 	if (!cmd) {
3628 		err = -ENOMEM;
3629 		goto unlock;
3630 	}
3631 
3632 	hci_req_init(&req, hdev);
3633 
3634 	if (bredr_sc_enabled(hdev))
3635 		hci_req_add(&req, HCI_OP_READ_LOCAL_OOB_EXT_DATA, 0, NULL);
3636 	else
3637 		hci_req_add(&req, HCI_OP_READ_LOCAL_OOB_DATA, 0, NULL);
3638 
3639 	err = hci_req_run_skb(&req, read_local_oob_data_complete);
3640 	if (err < 0)
3641 		mgmt_pending_remove(cmd);
3642 
3643 unlock:
3644 	hci_dev_unlock(hdev);
3645 	return err;
3646 }
3647 
3648 static int add_remote_oob_data(struct sock *sk, struct hci_dev *hdev,
3649 			       void *data, u16 len)
3650 {
3651 	struct mgmt_addr_info *addr = data;
3652 	int err;
3653 
3654 	BT_DBG("%s ", hdev->name);
3655 
3656 	if (!bdaddr_type_is_valid(addr->type))
3657 		return mgmt_cmd_complete(sk, hdev->id,
3658 					 MGMT_OP_ADD_REMOTE_OOB_DATA,
3659 					 MGMT_STATUS_INVALID_PARAMS,
3660 					 addr, sizeof(*addr));
3661 
3662 	hci_dev_lock(hdev);
3663 
3664 	if (len == MGMT_ADD_REMOTE_OOB_DATA_SIZE) {
3665 		struct mgmt_cp_add_remote_oob_data *cp = data;
3666 		u8 status;
3667 
3668 		if (cp->addr.type != BDADDR_BREDR) {
3669 			err = mgmt_cmd_complete(sk, hdev->id,
3670 						MGMT_OP_ADD_REMOTE_OOB_DATA,
3671 						MGMT_STATUS_INVALID_PARAMS,
3672 						&cp->addr, sizeof(cp->addr));
3673 			goto unlock;
3674 		}
3675 
3676 		err = hci_add_remote_oob_data(hdev, &cp->addr.bdaddr,
3677 					      cp->addr.type, cp->hash,
3678 					      cp->rand, NULL, NULL);
3679 		if (err < 0)
3680 			status = MGMT_STATUS_FAILED;
3681 		else
3682 			status = MGMT_STATUS_SUCCESS;
3683 
3684 		err = mgmt_cmd_complete(sk, hdev->id,
3685 					MGMT_OP_ADD_REMOTE_OOB_DATA, status,
3686 					&cp->addr, sizeof(cp->addr));
3687 	} else if (len == MGMT_ADD_REMOTE_OOB_EXT_DATA_SIZE) {
3688 		struct mgmt_cp_add_remote_oob_ext_data *cp = data;
3689 		u8 *rand192, *hash192, *rand256, *hash256;
3690 		u8 status;
3691 
3692 		if (bdaddr_type_is_le(cp->addr.type)) {
3693 			/* Enforce zero-valued 192-bit parameters as
3694 			 * long as legacy SMP OOB isn't implemented.
3695 			 */
3696 			if (memcmp(cp->rand192, ZERO_KEY, 16) ||
3697 			    memcmp(cp->hash192, ZERO_KEY, 16)) {
3698 				err = mgmt_cmd_complete(sk, hdev->id,
3699 							MGMT_OP_ADD_REMOTE_OOB_DATA,
3700 							MGMT_STATUS_INVALID_PARAMS,
3701 							addr, sizeof(*addr));
3702 				goto unlock;
3703 			}
3704 
3705 			rand192 = NULL;
3706 			hash192 = NULL;
3707 		} else {
3708 			/* In case one of the P-192 values is set to zero,
3709 			 * then just disable OOB data for P-192.
3710 			 */
3711 			if (!memcmp(cp->rand192, ZERO_KEY, 16) ||
3712 			    !memcmp(cp->hash192, ZERO_KEY, 16)) {
3713 				rand192 = NULL;
3714 				hash192 = NULL;
3715 			} else {
3716 				rand192 = cp->rand192;
3717 				hash192 = cp->hash192;
3718 			}
3719 		}
3720 
3721 		/* In case one of the P-256 values is set to zero, then just
3722 		 * disable OOB data for P-256.
3723 		 */
3724 		if (!memcmp(cp->rand256, ZERO_KEY, 16) ||
3725 		    !memcmp(cp->hash256, ZERO_KEY, 16)) {
3726 			rand256 = NULL;
3727 			hash256 = NULL;
3728 		} else {
3729 			rand256 = cp->rand256;
3730 			hash256 = cp->hash256;
3731 		}
3732 
3733 		err = hci_add_remote_oob_data(hdev, &cp->addr.bdaddr,
3734 					      cp->addr.type, hash192, rand192,
3735 					      hash256, rand256);
3736 		if (err < 0)
3737 			status = MGMT_STATUS_FAILED;
3738 		else
3739 			status = MGMT_STATUS_SUCCESS;
3740 
3741 		err = mgmt_cmd_complete(sk, hdev->id,
3742 					MGMT_OP_ADD_REMOTE_OOB_DATA,
3743 					status, &cp->addr, sizeof(cp->addr));
3744 	} else {
3745 		bt_dev_err(hdev, "add_remote_oob_data: invalid len of %u bytes",
3746 			   len);
3747 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_REMOTE_OOB_DATA,
3748 				      MGMT_STATUS_INVALID_PARAMS);
3749 	}
3750 
3751 unlock:
3752 	hci_dev_unlock(hdev);
3753 	return err;
3754 }
3755 
3756 static int remove_remote_oob_data(struct sock *sk, struct hci_dev *hdev,
3757 				  void *data, u16 len)
3758 {
3759 	struct mgmt_cp_remove_remote_oob_data *cp = data;
3760 	u8 status;
3761 	int err;
3762 
3763 	BT_DBG("%s", hdev->name);
3764 
3765 	if (cp->addr.type != BDADDR_BREDR)
3766 		return mgmt_cmd_complete(sk, hdev->id,
3767 					 MGMT_OP_REMOVE_REMOTE_OOB_DATA,
3768 					 MGMT_STATUS_INVALID_PARAMS,
3769 					 &cp->addr, sizeof(cp->addr));
3770 
3771 	hci_dev_lock(hdev);
3772 
3773 	if (!bacmp(&cp->addr.bdaddr, BDADDR_ANY)) {
3774 		hci_remote_oob_data_clear(hdev);
3775 		status = MGMT_STATUS_SUCCESS;
3776 		goto done;
3777 	}
3778 
3779 	err = hci_remove_remote_oob_data(hdev, &cp->addr.bdaddr, cp->addr.type);
3780 	if (err < 0)
3781 		status = MGMT_STATUS_INVALID_PARAMS;
3782 	else
3783 		status = MGMT_STATUS_SUCCESS;
3784 
3785 done:
3786 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
3787 				status, &cp->addr, sizeof(cp->addr));
3788 
3789 	hci_dev_unlock(hdev);
3790 	return err;
3791 }
3792 
3793 void mgmt_start_discovery_complete(struct hci_dev *hdev, u8 status)
3794 {
3795 	struct mgmt_pending_cmd *cmd;
3796 
3797 	BT_DBG("status %d", status);
3798 
3799 	hci_dev_lock(hdev);
3800 
3801 	cmd = pending_find(MGMT_OP_START_DISCOVERY, hdev);
3802 	if (!cmd)
3803 		cmd = pending_find(MGMT_OP_START_SERVICE_DISCOVERY, hdev);
3804 
3805 	if (!cmd)
3806 		cmd = pending_find(MGMT_OP_START_LIMITED_DISCOVERY, hdev);
3807 
3808 	if (cmd) {
3809 		cmd->cmd_complete(cmd, mgmt_status(status));
3810 		mgmt_pending_remove(cmd);
3811 	}
3812 
3813 	hci_dev_unlock(hdev);
3814 }
3815 
3816 static bool discovery_type_is_valid(struct hci_dev *hdev, uint8_t type,
3817 				    uint8_t *mgmt_status)
3818 {
3819 	switch (type) {
3820 	case DISCOV_TYPE_LE:
3821 		*mgmt_status = mgmt_le_support(hdev);
3822 		if (*mgmt_status)
3823 			return false;
3824 		break;
3825 	case DISCOV_TYPE_INTERLEAVED:
3826 		*mgmt_status = mgmt_le_support(hdev);
3827 		if (*mgmt_status)
3828 			return false;
3829 		/* Intentional fall-through */
3830 	case DISCOV_TYPE_BREDR:
3831 		*mgmt_status = mgmt_bredr_support(hdev);
3832 		if (*mgmt_status)
3833 			return false;
3834 		break;
3835 	default:
3836 		*mgmt_status = MGMT_STATUS_INVALID_PARAMS;
3837 		return false;
3838 	}
3839 
3840 	return true;
3841 }
3842 
3843 static int start_discovery_internal(struct sock *sk, struct hci_dev *hdev,
3844 				    u16 op, void *data, u16 len)
3845 {
3846 	struct mgmt_cp_start_discovery *cp = data;
3847 	struct mgmt_pending_cmd *cmd;
3848 	u8 status;
3849 	int err;
3850 
3851 	BT_DBG("%s", hdev->name);
3852 
3853 	hci_dev_lock(hdev);
3854 
3855 	if (!hdev_is_powered(hdev)) {
3856 		err = mgmt_cmd_complete(sk, hdev->id, op,
3857 					MGMT_STATUS_NOT_POWERED,
3858 					&cp->type, sizeof(cp->type));
3859 		goto failed;
3860 	}
3861 
3862 	if (hdev->discovery.state != DISCOVERY_STOPPED ||
3863 	    hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) {
3864 		err = mgmt_cmd_complete(sk, hdev->id, op, MGMT_STATUS_BUSY,
3865 					&cp->type, sizeof(cp->type));
3866 		goto failed;
3867 	}
3868 
3869 	if (!discovery_type_is_valid(hdev, cp->type, &status)) {
3870 		err = mgmt_cmd_complete(sk, hdev->id, op, status,
3871 					&cp->type, sizeof(cp->type));
3872 		goto failed;
3873 	}
3874 
3875 	/* Clear the discovery filter first to free any previously
3876 	 * allocated memory for the UUID list.
3877 	 */
3878 	hci_discovery_filter_clear(hdev);
3879 
3880 	hdev->discovery.type = cp->type;
3881 	hdev->discovery.report_invalid_rssi = false;
3882 	if (op == MGMT_OP_START_LIMITED_DISCOVERY)
3883 		hdev->discovery.limited = true;
3884 	else
3885 		hdev->discovery.limited = false;
3886 
3887 	cmd = mgmt_pending_add(sk, op, hdev, data, len);
3888 	if (!cmd) {
3889 		err = -ENOMEM;
3890 		goto failed;
3891 	}
3892 
3893 	cmd->cmd_complete = generic_cmd_complete;
3894 
3895 	hci_discovery_set_state(hdev, DISCOVERY_STARTING);
3896 	queue_work(hdev->req_workqueue, &hdev->discov_update);
3897 	err = 0;
3898 
3899 failed:
3900 	hci_dev_unlock(hdev);
3901 	return err;
3902 }
3903 
3904 static int start_discovery(struct sock *sk, struct hci_dev *hdev,
3905 			   void *data, u16 len)
3906 {
3907 	return start_discovery_internal(sk, hdev, MGMT_OP_START_DISCOVERY,
3908 					data, len);
3909 }
3910 
3911 static int start_limited_discovery(struct sock *sk, struct hci_dev *hdev,
3912 				   void *data, u16 len)
3913 {
3914 	return start_discovery_internal(sk, hdev,
3915 					MGMT_OP_START_LIMITED_DISCOVERY,
3916 					data, len);
3917 }
3918 
3919 static int service_discovery_cmd_complete(struct mgmt_pending_cmd *cmd,
3920 					  u8 status)
3921 {
3922 	return mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status,
3923 				 cmd->param, 1);
3924 }
3925 
3926 static int start_service_discovery(struct sock *sk, struct hci_dev *hdev,
3927 				   void *data, u16 len)
3928 {
3929 	struct mgmt_cp_start_service_discovery *cp = data;
3930 	struct mgmt_pending_cmd *cmd;
3931 	const u16 max_uuid_count = ((U16_MAX - sizeof(*cp)) / 16);
3932 	u16 uuid_count, expected_len;
3933 	u8 status;
3934 	int err;
3935 
3936 	BT_DBG("%s", hdev->name);
3937 
3938 	hci_dev_lock(hdev);
3939 
3940 	if (!hdev_is_powered(hdev)) {
3941 		err = mgmt_cmd_complete(sk, hdev->id,
3942 					MGMT_OP_START_SERVICE_DISCOVERY,
3943 					MGMT_STATUS_NOT_POWERED,
3944 					&cp->type, sizeof(cp->type));
3945 		goto failed;
3946 	}
3947 
3948 	if (hdev->discovery.state != DISCOVERY_STOPPED ||
3949 	    hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) {
3950 		err = mgmt_cmd_complete(sk, hdev->id,
3951 					MGMT_OP_START_SERVICE_DISCOVERY,
3952 					MGMT_STATUS_BUSY, &cp->type,
3953 					sizeof(cp->type));
3954 		goto failed;
3955 	}
3956 
3957 	uuid_count = __le16_to_cpu(cp->uuid_count);
3958 	if (uuid_count > max_uuid_count) {
3959 		bt_dev_err(hdev, "service_discovery: too big uuid_count value %u",
3960 			   uuid_count);
3961 		err = mgmt_cmd_complete(sk, hdev->id,
3962 					MGMT_OP_START_SERVICE_DISCOVERY,
3963 					MGMT_STATUS_INVALID_PARAMS, &cp->type,
3964 					sizeof(cp->type));
3965 		goto failed;
3966 	}
3967 
3968 	expected_len = sizeof(*cp) + uuid_count * 16;
3969 	if (expected_len != len) {
3970 		bt_dev_err(hdev, "service_discovery: expected %u bytes, got %u bytes",
3971 			   expected_len, len);
3972 		err = mgmt_cmd_complete(sk, hdev->id,
3973 					MGMT_OP_START_SERVICE_DISCOVERY,
3974 					MGMT_STATUS_INVALID_PARAMS, &cp->type,
3975 					sizeof(cp->type));
3976 		goto failed;
3977 	}
3978 
3979 	if (!discovery_type_is_valid(hdev, cp->type, &status)) {
3980 		err = mgmt_cmd_complete(sk, hdev->id,
3981 					MGMT_OP_START_SERVICE_DISCOVERY,
3982 					status, &cp->type, sizeof(cp->type));
3983 		goto failed;
3984 	}
3985 
3986 	cmd = mgmt_pending_add(sk, MGMT_OP_START_SERVICE_DISCOVERY,
3987 			       hdev, data, len);
3988 	if (!cmd) {
3989 		err = -ENOMEM;
3990 		goto failed;
3991 	}
3992 
3993 	cmd->cmd_complete = service_discovery_cmd_complete;
3994 
3995 	/* Clear the discovery filter first to free any previously
3996 	 * allocated memory for the UUID list.
3997 	 */
3998 	hci_discovery_filter_clear(hdev);
3999 
4000 	hdev->discovery.result_filtering = true;
4001 	hdev->discovery.type = cp->type;
4002 	hdev->discovery.rssi = cp->rssi;
4003 	hdev->discovery.uuid_count = uuid_count;
4004 
4005 	if (uuid_count > 0) {
4006 		hdev->discovery.uuids = kmemdup(cp->uuids, uuid_count * 16,
4007 						GFP_KERNEL);
4008 		if (!hdev->discovery.uuids) {
4009 			err = mgmt_cmd_complete(sk, hdev->id,
4010 						MGMT_OP_START_SERVICE_DISCOVERY,
4011 						MGMT_STATUS_FAILED,
4012 						&cp->type, sizeof(cp->type));
4013 			mgmt_pending_remove(cmd);
4014 			goto failed;
4015 		}
4016 	}
4017 
4018 	hci_discovery_set_state(hdev, DISCOVERY_STARTING);
4019 	queue_work(hdev->req_workqueue, &hdev->discov_update);
4020 	err = 0;
4021 
4022 failed:
4023 	hci_dev_unlock(hdev);
4024 	return err;
4025 }
4026 
4027 void mgmt_stop_discovery_complete(struct hci_dev *hdev, u8 status)
4028 {
4029 	struct mgmt_pending_cmd *cmd;
4030 
4031 	BT_DBG("status %d", status);
4032 
4033 	hci_dev_lock(hdev);
4034 
4035 	cmd = pending_find(MGMT_OP_STOP_DISCOVERY, hdev);
4036 	if (cmd) {
4037 		cmd->cmd_complete(cmd, mgmt_status(status));
4038 		mgmt_pending_remove(cmd);
4039 	}
4040 
4041 	hci_dev_unlock(hdev);
4042 }
4043 
4044 static int stop_discovery(struct sock *sk, struct hci_dev *hdev, void *data,
4045 			  u16 len)
4046 {
4047 	struct mgmt_cp_stop_discovery *mgmt_cp = data;
4048 	struct mgmt_pending_cmd *cmd;
4049 	int err;
4050 
4051 	BT_DBG("%s", hdev->name);
4052 
4053 	hci_dev_lock(hdev);
4054 
4055 	if (!hci_discovery_active(hdev)) {
4056 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_STOP_DISCOVERY,
4057 					MGMT_STATUS_REJECTED, &mgmt_cp->type,
4058 					sizeof(mgmt_cp->type));
4059 		goto unlock;
4060 	}
4061 
4062 	if (hdev->discovery.type != mgmt_cp->type) {
4063 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_STOP_DISCOVERY,
4064 					MGMT_STATUS_INVALID_PARAMS,
4065 					&mgmt_cp->type, sizeof(mgmt_cp->type));
4066 		goto unlock;
4067 	}
4068 
4069 	cmd = mgmt_pending_add(sk, MGMT_OP_STOP_DISCOVERY, hdev, data, len);
4070 	if (!cmd) {
4071 		err = -ENOMEM;
4072 		goto unlock;
4073 	}
4074 
4075 	cmd->cmd_complete = generic_cmd_complete;
4076 
4077 	hci_discovery_set_state(hdev, DISCOVERY_STOPPING);
4078 	queue_work(hdev->req_workqueue, &hdev->discov_update);
4079 	err = 0;
4080 
4081 unlock:
4082 	hci_dev_unlock(hdev);
4083 	return err;
4084 }
4085 
4086 static int confirm_name(struct sock *sk, struct hci_dev *hdev, void *data,
4087 			u16 len)
4088 {
4089 	struct mgmt_cp_confirm_name *cp = data;
4090 	struct inquiry_entry *e;
4091 	int err;
4092 
4093 	BT_DBG("%s", hdev->name);
4094 
4095 	hci_dev_lock(hdev);
4096 
4097 	if (!hci_discovery_active(hdev)) {
4098 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CONFIRM_NAME,
4099 					MGMT_STATUS_FAILED, &cp->addr,
4100 					sizeof(cp->addr));
4101 		goto failed;
4102 	}
4103 
4104 	e = hci_inquiry_cache_lookup_unknown(hdev, &cp->addr.bdaddr);
4105 	if (!e) {
4106 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CONFIRM_NAME,
4107 					MGMT_STATUS_INVALID_PARAMS, &cp->addr,
4108 					sizeof(cp->addr));
4109 		goto failed;
4110 	}
4111 
4112 	if (cp->name_known) {
4113 		e->name_state = NAME_KNOWN;
4114 		list_del(&e->list);
4115 	} else {
4116 		e->name_state = NAME_NEEDED;
4117 		hci_inquiry_cache_update_resolve(hdev, e);
4118 	}
4119 
4120 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CONFIRM_NAME, 0,
4121 				&cp->addr, sizeof(cp->addr));
4122 
4123 failed:
4124 	hci_dev_unlock(hdev);
4125 	return err;
4126 }
4127 
4128 static int block_device(struct sock *sk, struct hci_dev *hdev, void *data,
4129 			u16 len)
4130 {
4131 	struct mgmt_cp_block_device *cp = data;
4132 	u8 status;
4133 	int err;
4134 
4135 	BT_DBG("%s", hdev->name);
4136 
4137 	if (!bdaddr_type_is_valid(cp->addr.type))
4138 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_BLOCK_DEVICE,
4139 					 MGMT_STATUS_INVALID_PARAMS,
4140 					 &cp->addr, sizeof(cp->addr));
4141 
4142 	hci_dev_lock(hdev);
4143 
4144 	err = hci_bdaddr_list_add(&hdev->blacklist, &cp->addr.bdaddr,
4145 				  cp->addr.type);
4146 	if (err < 0) {
4147 		status = MGMT_STATUS_FAILED;
4148 		goto done;
4149 	}
4150 
4151 	mgmt_event(MGMT_EV_DEVICE_BLOCKED, hdev, &cp->addr, sizeof(cp->addr),
4152 		   sk);
4153 	status = MGMT_STATUS_SUCCESS;
4154 
4155 done:
4156 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_BLOCK_DEVICE, status,
4157 				&cp->addr, sizeof(cp->addr));
4158 
4159 	hci_dev_unlock(hdev);
4160 
4161 	return err;
4162 }
4163 
4164 static int unblock_device(struct sock *sk, struct hci_dev *hdev, void *data,
4165 			  u16 len)
4166 {
4167 	struct mgmt_cp_unblock_device *cp = data;
4168 	u8 status;
4169 	int err;
4170 
4171 	BT_DBG("%s", hdev->name);
4172 
4173 	if (!bdaddr_type_is_valid(cp->addr.type))
4174 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNBLOCK_DEVICE,
4175 					 MGMT_STATUS_INVALID_PARAMS,
4176 					 &cp->addr, sizeof(cp->addr));
4177 
4178 	hci_dev_lock(hdev);
4179 
4180 	err = hci_bdaddr_list_del(&hdev->blacklist, &cp->addr.bdaddr,
4181 				  cp->addr.type);
4182 	if (err < 0) {
4183 		status = MGMT_STATUS_INVALID_PARAMS;
4184 		goto done;
4185 	}
4186 
4187 	mgmt_event(MGMT_EV_DEVICE_UNBLOCKED, hdev, &cp->addr, sizeof(cp->addr),
4188 		   sk);
4189 	status = MGMT_STATUS_SUCCESS;
4190 
4191 done:
4192 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNBLOCK_DEVICE, status,
4193 				&cp->addr, sizeof(cp->addr));
4194 
4195 	hci_dev_unlock(hdev);
4196 
4197 	return err;
4198 }
4199 
4200 static int set_device_id(struct sock *sk, struct hci_dev *hdev, void *data,
4201 			 u16 len)
4202 {
4203 	struct mgmt_cp_set_device_id *cp = data;
4204 	struct hci_request req;
4205 	int err;
4206 	__u16 source;
4207 
4208 	BT_DBG("%s", hdev->name);
4209 
4210 	source = __le16_to_cpu(cp->source);
4211 
4212 	if (source > 0x0002)
4213 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEVICE_ID,
4214 				       MGMT_STATUS_INVALID_PARAMS);
4215 
4216 	hci_dev_lock(hdev);
4217 
4218 	hdev->devid_source = source;
4219 	hdev->devid_vendor = __le16_to_cpu(cp->vendor);
4220 	hdev->devid_product = __le16_to_cpu(cp->product);
4221 	hdev->devid_version = __le16_to_cpu(cp->version);
4222 
4223 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_DEVICE_ID, 0,
4224 				NULL, 0);
4225 
4226 	hci_req_init(&req, hdev);
4227 	__hci_req_update_eir(&req);
4228 	hci_req_run(&req, NULL);
4229 
4230 	hci_dev_unlock(hdev);
4231 
4232 	return err;
4233 }
4234 
4235 static void enable_advertising_instance(struct hci_dev *hdev, u8 status,
4236 					u16 opcode)
4237 {
4238 	BT_DBG("status %d", status);
4239 }
4240 
4241 static void set_advertising_complete(struct hci_dev *hdev, u8 status,
4242 				     u16 opcode)
4243 {
4244 	struct cmd_lookup match = { NULL, hdev };
4245 	struct hci_request req;
4246 	u8 instance;
4247 	struct adv_info *adv_instance;
4248 	int err;
4249 
4250 	hci_dev_lock(hdev);
4251 
4252 	if (status) {
4253 		u8 mgmt_err = mgmt_status(status);
4254 
4255 		mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev,
4256 				     cmd_status_rsp, &mgmt_err);
4257 		goto unlock;
4258 	}
4259 
4260 	if (hci_dev_test_flag(hdev, HCI_LE_ADV))
4261 		hci_dev_set_flag(hdev, HCI_ADVERTISING);
4262 	else
4263 		hci_dev_clear_flag(hdev, HCI_ADVERTISING);
4264 
4265 	mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev, settings_rsp,
4266 			     &match);
4267 
4268 	new_settings(hdev, match.sk);
4269 
4270 	if (match.sk)
4271 		sock_put(match.sk);
4272 
4273 	/* If "Set Advertising" was just disabled and instance advertising was
4274 	 * set up earlier, then re-enable multi-instance advertising.
4275 	 */
4276 	if (hci_dev_test_flag(hdev, HCI_ADVERTISING) ||
4277 	    list_empty(&hdev->adv_instances))
4278 		goto unlock;
4279 
4280 	instance = hdev->cur_adv_instance;
4281 	if (!instance) {
4282 		adv_instance = list_first_entry_or_null(&hdev->adv_instances,
4283 							struct adv_info, list);
4284 		if (!adv_instance)
4285 			goto unlock;
4286 
4287 		instance = adv_instance->instance;
4288 	}
4289 
4290 	hci_req_init(&req, hdev);
4291 
4292 	err = __hci_req_schedule_adv_instance(&req, instance, true);
4293 
4294 	if (!err)
4295 		err = hci_req_run(&req, enable_advertising_instance);
4296 
4297 	if (err)
4298 		bt_dev_err(hdev, "failed to re-configure advertising");
4299 
4300 unlock:
4301 	hci_dev_unlock(hdev);
4302 }
4303 
4304 static int set_advertising(struct sock *sk, struct hci_dev *hdev, void *data,
4305 			   u16 len)
4306 {
4307 	struct mgmt_mode *cp = data;
4308 	struct mgmt_pending_cmd *cmd;
4309 	struct hci_request req;
4310 	u8 val, status;
4311 	int err;
4312 
4313 	BT_DBG("request for %s", hdev->name);
4314 
4315 	status = mgmt_le_support(hdev);
4316 	if (status)
4317 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
4318 				       status);
4319 
4320 	if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
4321 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
4322 				       MGMT_STATUS_INVALID_PARAMS);
4323 
4324 	hci_dev_lock(hdev);
4325 
4326 	val = !!cp->val;
4327 
4328 	/* The following conditions are ones which mean that we should
4329 	 * not do any HCI communication but directly send a mgmt
4330 	 * response to user space (after toggling the flag if
4331 	 * necessary).
4332 	 */
4333 	if (!hdev_is_powered(hdev) ||
4334 	    (val == hci_dev_test_flag(hdev, HCI_ADVERTISING) &&
4335 	     (cp->val == 0x02) == hci_dev_test_flag(hdev, HCI_ADVERTISING_CONNECTABLE)) ||
4336 	    hci_conn_num(hdev, LE_LINK) > 0 ||
4337 	    (hci_dev_test_flag(hdev, HCI_LE_SCAN) &&
4338 	     hdev->le_scan_type == LE_SCAN_ACTIVE)) {
4339 		bool changed;
4340 
4341 		if (cp->val) {
4342 			hdev->cur_adv_instance = 0x00;
4343 			changed = !hci_dev_test_and_set_flag(hdev, HCI_ADVERTISING);
4344 			if (cp->val == 0x02)
4345 				hci_dev_set_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
4346 			else
4347 				hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
4348 		} else {
4349 			changed = hci_dev_test_and_clear_flag(hdev, HCI_ADVERTISING);
4350 			hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
4351 		}
4352 
4353 		err = send_settings_rsp(sk, MGMT_OP_SET_ADVERTISING, hdev);
4354 		if (err < 0)
4355 			goto unlock;
4356 
4357 		if (changed)
4358 			err = new_settings(hdev, sk);
4359 
4360 		goto unlock;
4361 	}
4362 
4363 	if (pending_find(MGMT_OP_SET_ADVERTISING, hdev) ||
4364 	    pending_find(MGMT_OP_SET_LE, hdev)) {
4365 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
4366 				      MGMT_STATUS_BUSY);
4367 		goto unlock;
4368 	}
4369 
4370 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_ADVERTISING, hdev, data, len);
4371 	if (!cmd) {
4372 		err = -ENOMEM;
4373 		goto unlock;
4374 	}
4375 
4376 	hci_req_init(&req, hdev);
4377 
4378 	if (cp->val == 0x02)
4379 		hci_dev_set_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
4380 	else
4381 		hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
4382 
4383 	cancel_adv_timeout(hdev);
4384 
4385 	if (val) {
4386 		/* Switch to instance "0" for the Set Advertising setting.
4387 		 * We cannot use update_[adv|scan_rsp]_data() here as the
4388 		 * HCI_ADVERTISING flag is not yet set.
4389 		 */
4390 		hdev->cur_adv_instance = 0x00;
4391 
4392 		if (ext_adv_capable(hdev)) {
4393 			__hci_req_start_ext_adv(&req, 0x00);
4394 		} else {
4395 			__hci_req_update_adv_data(&req, 0x00);
4396 			__hci_req_update_scan_rsp_data(&req, 0x00);
4397 			__hci_req_enable_advertising(&req);
4398 		}
4399 	} else {
4400 		__hci_req_disable_advertising(&req);
4401 	}
4402 
4403 	err = hci_req_run(&req, set_advertising_complete);
4404 	if (err < 0)
4405 		mgmt_pending_remove(cmd);
4406 
4407 unlock:
4408 	hci_dev_unlock(hdev);
4409 	return err;
4410 }
4411 
4412 static int set_static_address(struct sock *sk, struct hci_dev *hdev,
4413 			      void *data, u16 len)
4414 {
4415 	struct mgmt_cp_set_static_address *cp = data;
4416 	int err;
4417 
4418 	BT_DBG("%s", hdev->name);
4419 
4420 	if (!lmp_le_capable(hdev))
4421 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_STATIC_ADDRESS,
4422 				       MGMT_STATUS_NOT_SUPPORTED);
4423 
4424 	if (hdev_is_powered(hdev))
4425 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_STATIC_ADDRESS,
4426 				       MGMT_STATUS_REJECTED);
4427 
4428 	if (bacmp(&cp->bdaddr, BDADDR_ANY)) {
4429 		if (!bacmp(&cp->bdaddr, BDADDR_NONE))
4430 			return mgmt_cmd_status(sk, hdev->id,
4431 					       MGMT_OP_SET_STATIC_ADDRESS,
4432 					       MGMT_STATUS_INVALID_PARAMS);
4433 
4434 		/* Two most significant bits shall be set */
4435 		if ((cp->bdaddr.b[5] & 0xc0) != 0xc0)
4436 			return mgmt_cmd_status(sk, hdev->id,
4437 					       MGMT_OP_SET_STATIC_ADDRESS,
4438 					       MGMT_STATUS_INVALID_PARAMS);
4439 	}
4440 
4441 	hci_dev_lock(hdev);
4442 
4443 	bacpy(&hdev->static_addr, &cp->bdaddr);
4444 
4445 	err = send_settings_rsp(sk, MGMT_OP_SET_STATIC_ADDRESS, hdev);
4446 	if (err < 0)
4447 		goto unlock;
4448 
4449 	err = new_settings(hdev, sk);
4450 
4451 unlock:
4452 	hci_dev_unlock(hdev);
4453 	return err;
4454 }
4455 
4456 static int set_scan_params(struct sock *sk, struct hci_dev *hdev,
4457 			   void *data, u16 len)
4458 {
4459 	struct mgmt_cp_set_scan_params *cp = data;
4460 	__u16 interval, window;
4461 	int err;
4462 
4463 	BT_DBG("%s", hdev->name);
4464 
4465 	if (!lmp_le_capable(hdev))
4466 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
4467 				       MGMT_STATUS_NOT_SUPPORTED);
4468 
4469 	interval = __le16_to_cpu(cp->interval);
4470 
4471 	if (interval < 0x0004 || interval > 0x4000)
4472 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
4473 				       MGMT_STATUS_INVALID_PARAMS);
4474 
4475 	window = __le16_to_cpu(cp->window);
4476 
4477 	if (window < 0x0004 || window > 0x4000)
4478 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
4479 				       MGMT_STATUS_INVALID_PARAMS);
4480 
4481 	if (window > interval)
4482 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
4483 				       MGMT_STATUS_INVALID_PARAMS);
4484 
4485 	hci_dev_lock(hdev);
4486 
4487 	hdev->le_scan_interval = interval;
4488 	hdev->le_scan_window = window;
4489 
4490 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS, 0,
4491 				NULL, 0);
4492 
4493 	/* If background scan is running, restart it so new parameters are
4494 	 * loaded.
4495 	 */
4496 	if (hci_dev_test_flag(hdev, HCI_LE_SCAN) &&
4497 	    hdev->discovery.state == DISCOVERY_STOPPED) {
4498 		struct hci_request req;
4499 
4500 		hci_req_init(&req, hdev);
4501 
4502 		hci_req_add_le_scan_disable(&req);
4503 		hci_req_add_le_passive_scan(&req);
4504 
4505 		hci_req_run(&req, NULL);
4506 	}
4507 
4508 	hci_dev_unlock(hdev);
4509 
4510 	return err;
4511 }
4512 
4513 static void fast_connectable_complete(struct hci_dev *hdev, u8 status,
4514 				      u16 opcode)
4515 {
4516 	struct mgmt_pending_cmd *cmd;
4517 
4518 	BT_DBG("status 0x%02x", status);
4519 
4520 	hci_dev_lock(hdev);
4521 
4522 	cmd = pending_find(MGMT_OP_SET_FAST_CONNECTABLE, hdev);
4523 	if (!cmd)
4524 		goto unlock;
4525 
4526 	if (status) {
4527 		mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
4528 			        mgmt_status(status));
4529 	} else {
4530 		struct mgmt_mode *cp = cmd->param;
4531 
4532 		if (cp->val)
4533 			hci_dev_set_flag(hdev, HCI_FAST_CONNECTABLE);
4534 		else
4535 			hci_dev_clear_flag(hdev, HCI_FAST_CONNECTABLE);
4536 
4537 		send_settings_rsp(cmd->sk, MGMT_OP_SET_FAST_CONNECTABLE, hdev);
4538 		new_settings(hdev, cmd->sk);
4539 	}
4540 
4541 	mgmt_pending_remove(cmd);
4542 
4543 unlock:
4544 	hci_dev_unlock(hdev);
4545 }
4546 
4547 static int set_fast_connectable(struct sock *sk, struct hci_dev *hdev,
4548 				void *data, u16 len)
4549 {
4550 	struct mgmt_mode *cp = data;
4551 	struct mgmt_pending_cmd *cmd;
4552 	struct hci_request req;
4553 	int err;
4554 
4555 	BT_DBG("%s", hdev->name);
4556 
4557 	if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) ||
4558 	    hdev->hci_ver < BLUETOOTH_VER_1_2)
4559 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
4560 				       MGMT_STATUS_NOT_SUPPORTED);
4561 
4562 	if (cp->val != 0x00 && cp->val != 0x01)
4563 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
4564 				       MGMT_STATUS_INVALID_PARAMS);
4565 
4566 	hci_dev_lock(hdev);
4567 
4568 	if (pending_find(MGMT_OP_SET_FAST_CONNECTABLE, hdev)) {
4569 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
4570 				      MGMT_STATUS_BUSY);
4571 		goto unlock;
4572 	}
4573 
4574 	if (!!cp->val == hci_dev_test_flag(hdev, HCI_FAST_CONNECTABLE)) {
4575 		err = send_settings_rsp(sk, MGMT_OP_SET_FAST_CONNECTABLE,
4576 					hdev);
4577 		goto unlock;
4578 	}
4579 
4580 	if (!hdev_is_powered(hdev)) {
4581 		hci_dev_change_flag(hdev, HCI_FAST_CONNECTABLE);
4582 		err = send_settings_rsp(sk, MGMT_OP_SET_FAST_CONNECTABLE,
4583 					hdev);
4584 		new_settings(hdev, sk);
4585 		goto unlock;
4586 	}
4587 
4588 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_FAST_CONNECTABLE, hdev,
4589 			       data, len);
4590 	if (!cmd) {
4591 		err = -ENOMEM;
4592 		goto unlock;
4593 	}
4594 
4595 	hci_req_init(&req, hdev);
4596 
4597 	__hci_req_write_fast_connectable(&req, cp->val);
4598 
4599 	err = hci_req_run(&req, fast_connectable_complete);
4600 	if (err < 0) {
4601 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
4602 				      MGMT_STATUS_FAILED);
4603 		mgmt_pending_remove(cmd);
4604 	}
4605 
4606 unlock:
4607 	hci_dev_unlock(hdev);
4608 
4609 	return err;
4610 }
4611 
4612 static void set_bredr_complete(struct hci_dev *hdev, u8 status, u16 opcode)
4613 {
4614 	struct mgmt_pending_cmd *cmd;
4615 
4616 	BT_DBG("status 0x%02x", status);
4617 
4618 	hci_dev_lock(hdev);
4619 
4620 	cmd = pending_find(MGMT_OP_SET_BREDR, hdev);
4621 	if (!cmd)
4622 		goto unlock;
4623 
4624 	if (status) {
4625 		u8 mgmt_err = mgmt_status(status);
4626 
4627 		/* We need to restore the flag if related HCI commands
4628 		 * failed.
4629 		 */
4630 		hci_dev_clear_flag(hdev, HCI_BREDR_ENABLED);
4631 
4632 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
4633 	} else {
4634 		send_settings_rsp(cmd->sk, MGMT_OP_SET_BREDR, hdev);
4635 		new_settings(hdev, cmd->sk);
4636 	}
4637 
4638 	mgmt_pending_remove(cmd);
4639 
4640 unlock:
4641 	hci_dev_unlock(hdev);
4642 }
4643 
4644 static int set_bredr(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
4645 {
4646 	struct mgmt_mode *cp = data;
4647 	struct mgmt_pending_cmd *cmd;
4648 	struct hci_request req;
4649 	int err;
4650 
4651 	BT_DBG("request for %s", hdev->name);
4652 
4653 	if (!lmp_bredr_capable(hdev) || !lmp_le_capable(hdev))
4654 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
4655 				       MGMT_STATUS_NOT_SUPPORTED);
4656 
4657 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
4658 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
4659 				       MGMT_STATUS_REJECTED);
4660 
4661 	if (cp->val != 0x00 && cp->val != 0x01)
4662 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
4663 				       MGMT_STATUS_INVALID_PARAMS);
4664 
4665 	hci_dev_lock(hdev);
4666 
4667 	if (cp->val == hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
4668 		err = send_settings_rsp(sk, MGMT_OP_SET_BREDR, hdev);
4669 		goto unlock;
4670 	}
4671 
4672 	if (!hdev_is_powered(hdev)) {
4673 		if (!cp->val) {
4674 			hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
4675 			hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
4676 			hci_dev_clear_flag(hdev, HCI_LINK_SECURITY);
4677 			hci_dev_clear_flag(hdev, HCI_FAST_CONNECTABLE);
4678 			hci_dev_clear_flag(hdev, HCI_HS_ENABLED);
4679 		}
4680 
4681 		hci_dev_change_flag(hdev, HCI_BREDR_ENABLED);
4682 
4683 		err = send_settings_rsp(sk, MGMT_OP_SET_BREDR, hdev);
4684 		if (err < 0)
4685 			goto unlock;
4686 
4687 		err = new_settings(hdev, sk);
4688 		goto unlock;
4689 	}
4690 
4691 	/* Reject disabling when powered on */
4692 	if (!cp->val) {
4693 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
4694 				      MGMT_STATUS_REJECTED);
4695 		goto unlock;
4696 	} else {
4697 		/* When configuring a dual-mode controller to operate
4698 		 * with LE only and using a static address, then switching
4699 		 * BR/EDR back on is not allowed.
4700 		 *
4701 		 * Dual-mode controllers shall operate with the public
4702 		 * address as its identity address for BR/EDR and LE. So
4703 		 * reject the attempt to create an invalid configuration.
4704 		 *
4705 		 * The same restrictions applies when secure connections
4706 		 * has been enabled. For BR/EDR this is a controller feature
4707 		 * while for LE it is a host stack feature. This means that
4708 		 * switching BR/EDR back on when secure connections has been
4709 		 * enabled is not a supported transaction.
4710 		 */
4711 		if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
4712 		    (bacmp(&hdev->static_addr, BDADDR_ANY) ||
4713 		     hci_dev_test_flag(hdev, HCI_SC_ENABLED))) {
4714 			err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
4715 					      MGMT_STATUS_REJECTED);
4716 			goto unlock;
4717 		}
4718 	}
4719 
4720 	if (pending_find(MGMT_OP_SET_BREDR, hdev)) {
4721 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
4722 				      MGMT_STATUS_BUSY);
4723 		goto unlock;
4724 	}
4725 
4726 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_BREDR, hdev, data, len);
4727 	if (!cmd) {
4728 		err = -ENOMEM;
4729 		goto unlock;
4730 	}
4731 
4732 	/* We need to flip the bit already here so that
4733 	 * hci_req_update_adv_data generates the correct flags.
4734 	 */
4735 	hci_dev_set_flag(hdev, HCI_BREDR_ENABLED);
4736 
4737 	hci_req_init(&req, hdev);
4738 
4739 	__hci_req_write_fast_connectable(&req, false);
4740 	__hci_req_update_scan(&req);
4741 
4742 	/* Since only the advertising data flags will change, there
4743 	 * is no need to update the scan response data.
4744 	 */
4745 	__hci_req_update_adv_data(&req, hdev->cur_adv_instance);
4746 
4747 	err = hci_req_run(&req, set_bredr_complete);
4748 	if (err < 0)
4749 		mgmt_pending_remove(cmd);
4750 
4751 unlock:
4752 	hci_dev_unlock(hdev);
4753 	return err;
4754 }
4755 
4756 static void sc_enable_complete(struct hci_dev *hdev, u8 status, u16 opcode)
4757 {
4758 	struct mgmt_pending_cmd *cmd;
4759 	struct mgmt_mode *cp;
4760 
4761 	BT_DBG("%s status %u", hdev->name, status);
4762 
4763 	hci_dev_lock(hdev);
4764 
4765 	cmd = pending_find(MGMT_OP_SET_SECURE_CONN, hdev);
4766 	if (!cmd)
4767 		goto unlock;
4768 
4769 	if (status) {
4770 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode,
4771 			        mgmt_status(status));
4772 		goto remove;
4773 	}
4774 
4775 	cp = cmd->param;
4776 
4777 	switch (cp->val) {
4778 	case 0x00:
4779 		hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
4780 		hci_dev_clear_flag(hdev, HCI_SC_ONLY);
4781 		break;
4782 	case 0x01:
4783 		hci_dev_set_flag(hdev, HCI_SC_ENABLED);
4784 		hci_dev_clear_flag(hdev, HCI_SC_ONLY);
4785 		break;
4786 	case 0x02:
4787 		hci_dev_set_flag(hdev, HCI_SC_ENABLED);
4788 		hci_dev_set_flag(hdev, HCI_SC_ONLY);
4789 		break;
4790 	}
4791 
4792 	send_settings_rsp(cmd->sk, MGMT_OP_SET_SECURE_CONN, hdev);
4793 	new_settings(hdev, cmd->sk);
4794 
4795 remove:
4796 	mgmt_pending_remove(cmd);
4797 unlock:
4798 	hci_dev_unlock(hdev);
4799 }
4800 
4801 static int set_secure_conn(struct sock *sk, struct hci_dev *hdev,
4802 			   void *data, u16 len)
4803 {
4804 	struct mgmt_mode *cp = data;
4805 	struct mgmt_pending_cmd *cmd;
4806 	struct hci_request req;
4807 	u8 val;
4808 	int err;
4809 
4810 	BT_DBG("request for %s", hdev->name);
4811 
4812 	if (!lmp_sc_capable(hdev) &&
4813 	    !hci_dev_test_flag(hdev, HCI_LE_ENABLED))
4814 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
4815 				       MGMT_STATUS_NOT_SUPPORTED);
4816 
4817 	if (hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
4818 	    lmp_sc_capable(hdev) &&
4819 	    !hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
4820 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
4821 				       MGMT_STATUS_REJECTED);
4822 
4823 	if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
4824 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
4825 				  MGMT_STATUS_INVALID_PARAMS);
4826 
4827 	hci_dev_lock(hdev);
4828 
4829 	if (!hdev_is_powered(hdev) || !lmp_sc_capable(hdev) ||
4830 	    !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
4831 		bool changed;
4832 
4833 		if (cp->val) {
4834 			changed = !hci_dev_test_and_set_flag(hdev,
4835 							     HCI_SC_ENABLED);
4836 			if (cp->val == 0x02)
4837 				hci_dev_set_flag(hdev, HCI_SC_ONLY);
4838 			else
4839 				hci_dev_clear_flag(hdev, HCI_SC_ONLY);
4840 		} else {
4841 			changed = hci_dev_test_and_clear_flag(hdev,
4842 							      HCI_SC_ENABLED);
4843 			hci_dev_clear_flag(hdev, HCI_SC_ONLY);
4844 		}
4845 
4846 		err = send_settings_rsp(sk, MGMT_OP_SET_SECURE_CONN, hdev);
4847 		if (err < 0)
4848 			goto failed;
4849 
4850 		if (changed)
4851 			err = new_settings(hdev, sk);
4852 
4853 		goto failed;
4854 	}
4855 
4856 	if (pending_find(MGMT_OP_SET_SECURE_CONN, hdev)) {
4857 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
4858 				      MGMT_STATUS_BUSY);
4859 		goto failed;
4860 	}
4861 
4862 	val = !!cp->val;
4863 
4864 	if (val == hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
4865 	    (cp->val == 0x02) == hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
4866 		err = send_settings_rsp(sk, MGMT_OP_SET_SECURE_CONN, hdev);
4867 		goto failed;
4868 	}
4869 
4870 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_SECURE_CONN, hdev, data, len);
4871 	if (!cmd) {
4872 		err = -ENOMEM;
4873 		goto failed;
4874 	}
4875 
4876 	hci_req_init(&req, hdev);
4877 	hci_req_add(&req, HCI_OP_WRITE_SC_SUPPORT, 1, &val);
4878 	err = hci_req_run(&req, sc_enable_complete);
4879 	if (err < 0) {
4880 		mgmt_pending_remove(cmd);
4881 		goto failed;
4882 	}
4883 
4884 failed:
4885 	hci_dev_unlock(hdev);
4886 	return err;
4887 }
4888 
4889 static int set_debug_keys(struct sock *sk, struct hci_dev *hdev,
4890 			  void *data, u16 len)
4891 {
4892 	struct mgmt_mode *cp = data;
4893 	bool changed, use_changed;
4894 	int err;
4895 
4896 	BT_DBG("request for %s", hdev->name);
4897 
4898 	if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
4899 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEBUG_KEYS,
4900 				       MGMT_STATUS_INVALID_PARAMS);
4901 
4902 	hci_dev_lock(hdev);
4903 
4904 	if (cp->val)
4905 		changed = !hci_dev_test_and_set_flag(hdev, HCI_KEEP_DEBUG_KEYS);
4906 	else
4907 		changed = hci_dev_test_and_clear_flag(hdev,
4908 						      HCI_KEEP_DEBUG_KEYS);
4909 
4910 	if (cp->val == 0x02)
4911 		use_changed = !hci_dev_test_and_set_flag(hdev,
4912 							 HCI_USE_DEBUG_KEYS);
4913 	else
4914 		use_changed = hci_dev_test_and_clear_flag(hdev,
4915 							  HCI_USE_DEBUG_KEYS);
4916 
4917 	if (hdev_is_powered(hdev) && use_changed &&
4918 	    hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
4919 		u8 mode = (cp->val == 0x02) ? 0x01 : 0x00;
4920 		hci_send_cmd(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE,
4921 			     sizeof(mode), &mode);
4922 	}
4923 
4924 	err = send_settings_rsp(sk, MGMT_OP_SET_DEBUG_KEYS, hdev);
4925 	if (err < 0)
4926 		goto unlock;
4927 
4928 	if (changed)
4929 		err = new_settings(hdev, sk);
4930 
4931 unlock:
4932 	hci_dev_unlock(hdev);
4933 	return err;
4934 }
4935 
4936 static int set_privacy(struct sock *sk, struct hci_dev *hdev, void *cp_data,
4937 		       u16 len)
4938 {
4939 	struct mgmt_cp_set_privacy *cp = cp_data;
4940 	bool changed;
4941 	int err;
4942 
4943 	BT_DBG("request for %s", hdev->name);
4944 
4945 	if (!lmp_le_capable(hdev))
4946 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PRIVACY,
4947 				       MGMT_STATUS_NOT_SUPPORTED);
4948 
4949 	if (cp->privacy != 0x00 && cp->privacy != 0x01 && cp->privacy != 0x02)
4950 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PRIVACY,
4951 				       MGMT_STATUS_INVALID_PARAMS);
4952 
4953 	if (hdev_is_powered(hdev))
4954 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PRIVACY,
4955 				       MGMT_STATUS_REJECTED);
4956 
4957 	hci_dev_lock(hdev);
4958 
4959 	/* If user space supports this command it is also expected to
4960 	 * handle IRKs. Therefore, set the HCI_RPA_RESOLVING flag.
4961 	 */
4962 	hci_dev_set_flag(hdev, HCI_RPA_RESOLVING);
4963 
4964 	if (cp->privacy) {
4965 		changed = !hci_dev_test_and_set_flag(hdev, HCI_PRIVACY);
4966 		memcpy(hdev->irk, cp->irk, sizeof(hdev->irk));
4967 		hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
4968 		hci_adv_instances_set_rpa_expired(hdev, true);
4969 		if (cp->privacy == 0x02)
4970 			hci_dev_set_flag(hdev, HCI_LIMITED_PRIVACY);
4971 		else
4972 			hci_dev_clear_flag(hdev, HCI_LIMITED_PRIVACY);
4973 	} else {
4974 		changed = hci_dev_test_and_clear_flag(hdev, HCI_PRIVACY);
4975 		memset(hdev->irk, 0, sizeof(hdev->irk));
4976 		hci_dev_clear_flag(hdev, HCI_RPA_EXPIRED);
4977 		hci_adv_instances_set_rpa_expired(hdev, false);
4978 		hci_dev_clear_flag(hdev, HCI_LIMITED_PRIVACY);
4979 	}
4980 
4981 	err = send_settings_rsp(sk, MGMT_OP_SET_PRIVACY, hdev);
4982 	if (err < 0)
4983 		goto unlock;
4984 
4985 	if (changed)
4986 		err = new_settings(hdev, sk);
4987 
4988 unlock:
4989 	hci_dev_unlock(hdev);
4990 	return err;
4991 }
4992 
4993 static bool irk_is_valid(struct mgmt_irk_info *irk)
4994 {
4995 	switch (irk->addr.type) {
4996 	case BDADDR_LE_PUBLIC:
4997 		return true;
4998 
4999 	case BDADDR_LE_RANDOM:
5000 		/* Two most significant bits shall be set */
5001 		if ((irk->addr.bdaddr.b[5] & 0xc0) != 0xc0)
5002 			return false;
5003 		return true;
5004 	}
5005 
5006 	return false;
5007 }
5008 
5009 static int load_irks(struct sock *sk, struct hci_dev *hdev, void *cp_data,
5010 		     u16 len)
5011 {
5012 	struct mgmt_cp_load_irks *cp = cp_data;
5013 	const u16 max_irk_count = ((U16_MAX - sizeof(*cp)) /
5014 				   sizeof(struct mgmt_irk_info));
5015 	u16 irk_count, expected_len;
5016 	int i, err;
5017 
5018 	BT_DBG("request for %s", hdev->name);
5019 
5020 	if (!lmp_le_capable(hdev))
5021 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_IRKS,
5022 				       MGMT_STATUS_NOT_SUPPORTED);
5023 
5024 	irk_count = __le16_to_cpu(cp->irk_count);
5025 	if (irk_count > max_irk_count) {
5026 		bt_dev_err(hdev, "load_irks: too big irk_count value %u",
5027 			   irk_count);
5028 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_IRKS,
5029 				       MGMT_STATUS_INVALID_PARAMS);
5030 	}
5031 
5032 	expected_len = struct_size(cp, irks, irk_count);
5033 	if (expected_len != len) {
5034 		bt_dev_err(hdev, "load_irks: expected %u bytes, got %u bytes",
5035 			   expected_len, len);
5036 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_IRKS,
5037 				       MGMT_STATUS_INVALID_PARAMS);
5038 	}
5039 
5040 	BT_DBG("%s irk_count %u", hdev->name, irk_count);
5041 
5042 	for (i = 0; i < irk_count; i++) {
5043 		struct mgmt_irk_info *key = &cp->irks[i];
5044 
5045 		if (!irk_is_valid(key))
5046 			return mgmt_cmd_status(sk, hdev->id,
5047 					       MGMT_OP_LOAD_IRKS,
5048 					       MGMT_STATUS_INVALID_PARAMS);
5049 	}
5050 
5051 	hci_dev_lock(hdev);
5052 
5053 	hci_smp_irks_clear(hdev);
5054 
5055 	for (i = 0; i < irk_count; i++) {
5056 		struct mgmt_irk_info *irk = &cp->irks[i];
5057 
5058 		hci_add_irk(hdev, &irk->addr.bdaddr,
5059 			    le_addr_type(irk->addr.type), irk->val,
5060 			    BDADDR_ANY);
5061 	}
5062 
5063 	hci_dev_set_flag(hdev, HCI_RPA_RESOLVING);
5064 
5065 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_IRKS, 0, NULL, 0);
5066 
5067 	hci_dev_unlock(hdev);
5068 
5069 	return err;
5070 }
5071 
5072 static bool ltk_is_valid(struct mgmt_ltk_info *key)
5073 {
5074 	if (key->master != 0x00 && key->master != 0x01)
5075 		return false;
5076 
5077 	switch (key->addr.type) {
5078 	case BDADDR_LE_PUBLIC:
5079 		return true;
5080 
5081 	case BDADDR_LE_RANDOM:
5082 		/* Two most significant bits shall be set */
5083 		if ((key->addr.bdaddr.b[5] & 0xc0) != 0xc0)
5084 			return false;
5085 		return true;
5086 	}
5087 
5088 	return false;
5089 }
5090 
5091 static int load_long_term_keys(struct sock *sk, struct hci_dev *hdev,
5092 			       void *cp_data, u16 len)
5093 {
5094 	struct mgmt_cp_load_long_term_keys *cp = cp_data;
5095 	const u16 max_key_count = ((U16_MAX - sizeof(*cp)) /
5096 				   sizeof(struct mgmt_ltk_info));
5097 	u16 key_count, expected_len;
5098 	int i, err;
5099 
5100 	BT_DBG("request for %s", hdev->name);
5101 
5102 	if (!lmp_le_capable(hdev))
5103 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS,
5104 				       MGMT_STATUS_NOT_SUPPORTED);
5105 
5106 	key_count = __le16_to_cpu(cp->key_count);
5107 	if (key_count > max_key_count) {
5108 		bt_dev_err(hdev, "load_ltks: too big key_count value %u",
5109 			   key_count);
5110 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS,
5111 				       MGMT_STATUS_INVALID_PARAMS);
5112 	}
5113 
5114 	expected_len = struct_size(cp, keys, key_count);
5115 	if (expected_len != len) {
5116 		bt_dev_err(hdev, "load_keys: expected %u bytes, got %u bytes",
5117 			   expected_len, len);
5118 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS,
5119 				       MGMT_STATUS_INVALID_PARAMS);
5120 	}
5121 
5122 	BT_DBG("%s key_count %u", hdev->name, key_count);
5123 
5124 	for (i = 0; i < key_count; i++) {
5125 		struct mgmt_ltk_info *key = &cp->keys[i];
5126 
5127 		if (!ltk_is_valid(key))
5128 			return mgmt_cmd_status(sk, hdev->id,
5129 					       MGMT_OP_LOAD_LONG_TERM_KEYS,
5130 					       MGMT_STATUS_INVALID_PARAMS);
5131 	}
5132 
5133 	hci_dev_lock(hdev);
5134 
5135 	hci_smp_ltks_clear(hdev);
5136 
5137 	for (i = 0; i < key_count; i++) {
5138 		struct mgmt_ltk_info *key = &cp->keys[i];
5139 		u8 type, authenticated;
5140 
5141 		switch (key->type) {
5142 		case MGMT_LTK_UNAUTHENTICATED:
5143 			authenticated = 0x00;
5144 			type = key->master ? SMP_LTK : SMP_LTK_SLAVE;
5145 			break;
5146 		case MGMT_LTK_AUTHENTICATED:
5147 			authenticated = 0x01;
5148 			type = key->master ? SMP_LTK : SMP_LTK_SLAVE;
5149 			break;
5150 		case MGMT_LTK_P256_UNAUTH:
5151 			authenticated = 0x00;
5152 			type = SMP_LTK_P256;
5153 			break;
5154 		case MGMT_LTK_P256_AUTH:
5155 			authenticated = 0x01;
5156 			type = SMP_LTK_P256;
5157 			break;
5158 		case MGMT_LTK_P256_DEBUG:
5159 			authenticated = 0x00;
5160 			type = SMP_LTK_P256_DEBUG;
5161 			/* fall through */
5162 		default:
5163 			continue;
5164 		}
5165 
5166 		hci_add_ltk(hdev, &key->addr.bdaddr,
5167 			    le_addr_type(key->addr.type), type, authenticated,
5168 			    key->val, key->enc_size, key->ediv, key->rand);
5169 	}
5170 
5171 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS, 0,
5172 			   NULL, 0);
5173 
5174 	hci_dev_unlock(hdev);
5175 
5176 	return err;
5177 }
5178 
5179 static int conn_info_cmd_complete(struct mgmt_pending_cmd *cmd, u8 status)
5180 {
5181 	struct hci_conn *conn = cmd->user_data;
5182 	struct mgmt_rp_get_conn_info rp;
5183 	int err;
5184 
5185 	memcpy(&rp.addr, cmd->param, sizeof(rp.addr));
5186 
5187 	if (status == MGMT_STATUS_SUCCESS) {
5188 		rp.rssi = conn->rssi;
5189 		rp.tx_power = conn->tx_power;
5190 		rp.max_tx_power = conn->max_tx_power;
5191 	} else {
5192 		rp.rssi = HCI_RSSI_INVALID;
5193 		rp.tx_power = HCI_TX_POWER_INVALID;
5194 		rp.max_tx_power = HCI_TX_POWER_INVALID;
5195 	}
5196 
5197 	err = mgmt_cmd_complete(cmd->sk, cmd->index, MGMT_OP_GET_CONN_INFO,
5198 				status, &rp, sizeof(rp));
5199 
5200 	hci_conn_drop(conn);
5201 	hci_conn_put(conn);
5202 
5203 	return err;
5204 }
5205 
5206 static void conn_info_refresh_complete(struct hci_dev *hdev, u8 hci_status,
5207 				       u16 opcode)
5208 {
5209 	struct hci_cp_read_rssi *cp;
5210 	struct mgmt_pending_cmd *cmd;
5211 	struct hci_conn *conn;
5212 	u16 handle;
5213 	u8 status;
5214 
5215 	BT_DBG("status 0x%02x", hci_status);
5216 
5217 	hci_dev_lock(hdev);
5218 
5219 	/* Commands sent in request are either Read RSSI or Read Transmit Power
5220 	 * Level so we check which one was last sent to retrieve connection
5221 	 * handle.  Both commands have handle as first parameter so it's safe to
5222 	 * cast data on the same command struct.
5223 	 *
5224 	 * First command sent is always Read RSSI and we fail only if it fails.
5225 	 * In other case we simply override error to indicate success as we
5226 	 * already remembered if TX power value is actually valid.
5227 	 */
5228 	cp = hci_sent_cmd_data(hdev, HCI_OP_READ_RSSI);
5229 	if (!cp) {
5230 		cp = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
5231 		status = MGMT_STATUS_SUCCESS;
5232 	} else {
5233 		status = mgmt_status(hci_status);
5234 	}
5235 
5236 	if (!cp) {
5237 		bt_dev_err(hdev, "invalid sent_cmd in conn_info response");
5238 		goto unlock;
5239 	}
5240 
5241 	handle = __le16_to_cpu(cp->handle);
5242 	conn = hci_conn_hash_lookup_handle(hdev, handle);
5243 	if (!conn) {
5244 		bt_dev_err(hdev, "unknown handle (%d) in conn_info response",
5245 			   handle);
5246 		goto unlock;
5247 	}
5248 
5249 	cmd = pending_find_data(MGMT_OP_GET_CONN_INFO, hdev, conn);
5250 	if (!cmd)
5251 		goto unlock;
5252 
5253 	cmd->cmd_complete(cmd, status);
5254 	mgmt_pending_remove(cmd);
5255 
5256 unlock:
5257 	hci_dev_unlock(hdev);
5258 }
5259 
5260 static int get_conn_info(struct sock *sk, struct hci_dev *hdev, void *data,
5261 			 u16 len)
5262 {
5263 	struct mgmt_cp_get_conn_info *cp = data;
5264 	struct mgmt_rp_get_conn_info rp;
5265 	struct hci_conn *conn;
5266 	unsigned long conn_info_age;
5267 	int err = 0;
5268 
5269 	BT_DBG("%s", hdev->name);
5270 
5271 	memset(&rp, 0, sizeof(rp));
5272 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
5273 	rp.addr.type = cp->addr.type;
5274 
5275 	if (!bdaddr_type_is_valid(cp->addr.type))
5276 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
5277 					 MGMT_STATUS_INVALID_PARAMS,
5278 					 &rp, sizeof(rp));
5279 
5280 	hci_dev_lock(hdev);
5281 
5282 	if (!hdev_is_powered(hdev)) {
5283 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
5284 					MGMT_STATUS_NOT_POWERED, &rp,
5285 					sizeof(rp));
5286 		goto unlock;
5287 	}
5288 
5289 	if (cp->addr.type == BDADDR_BREDR)
5290 		conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
5291 					       &cp->addr.bdaddr);
5292 	else
5293 		conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->addr.bdaddr);
5294 
5295 	if (!conn || conn->state != BT_CONNECTED) {
5296 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
5297 					MGMT_STATUS_NOT_CONNECTED, &rp,
5298 					sizeof(rp));
5299 		goto unlock;
5300 	}
5301 
5302 	if (pending_find_data(MGMT_OP_GET_CONN_INFO, hdev, conn)) {
5303 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
5304 					MGMT_STATUS_BUSY, &rp, sizeof(rp));
5305 		goto unlock;
5306 	}
5307 
5308 	/* To avoid client trying to guess when to poll again for information we
5309 	 * calculate conn info age as random value between min/max set in hdev.
5310 	 */
5311 	conn_info_age = hdev->conn_info_min_age +
5312 			prandom_u32_max(hdev->conn_info_max_age -
5313 					hdev->conn_info_min_age);
5314 
5315 	/* Query controller to refresh cached values if they are too old or were
5316 	 * never read.
5317 	 */
5318 	if (time_after(jiffies, conn->conn_info_timestamp +
5319 		       msecs_to_jiffies(conn_info_age)) ||
5320 	    !conn->conn_info_timestamp) {
5321 		struct hci_request req;
5322 		struct hci_cp_read_tx_power req_txp_cp;
5323 		struct hci_cp_read_rssi req_rssi_cp;
5324 		struct mgmt_pending_cmd *cmd;
5325 
5326 		hci_req_init(&req, hdev);
5327 		req_rssi_cp.handle = cpu_to_le16(conn->handle);
5328 		hci_req_add(&req, HCI_OP_READ_RSSI, sizeof(req_rssi_cp),
5329 			    &req_rssi_cp);
5330 
5331 		/* For LE links TX power does not change thus we don't need to
5332 		 * query for it once value is known.
5333 		 */
5334 		if (!bdaddr_type_is_le(cp->addr.type) ||
5335 		    conn->tx_power == HCI_TX_POWER_INVALID) {
5336 			req_txp_cp.handle = cpu_to_le16(conn->handle);
5337 			req_txp_cp.type = 0x00;
5338 			hci_req_add(&req, HCI_OP_READ_TX_POWER,
5339 				    sizeof(req_txp_cp), &req_txp_cp);
5340 		}
5341 
5342 		/* Max TX power needs to be read only once per connection */
5343 		if (conn->max_tx_power == HCI_TX_POWER_INVALID) {
5344 			req_txp_cp.handle = cpu_to_le16(conn->handle);
5345 			req_txp_cp.type = 0x01;
5346 			hci_req_add(&req, HCI_OP_READ_TX_POWER,
5347 				    sizeof(req_txp_cp), &req_txp_cp);
5348 		}
5349 
5350 		err = hci_req_run(&req, conn_info_refresh_complete);
5351 		if (err < 0)
5352 			goto unlock;
5353 
5354 		cmd = mgmt_pending_add(sk, MGMT_OP_GET_CONN_INFO, hdev,
5355 				       data, len);
5356 		if (!cmd) {
5357 			err = -ENOMEM;
5358 			goto unlock;
5359 		}
5360 
5361 		hci_conn_hold(conn);
5362 		cmd->user_data = hci_conn_get(conn);
5363 		cmd->cmd_complete = conn_info_cmd_complete;
5364 
5365 		conn->conn_info_timestamp = jiffies;
5366 	} else {
5367 		/* Cache is valid, just reply with values cached in hci_conn */
5368 		rp.rssi = conn->rssi;
5369 		rp.tx_power = conn->tx_power;
5370 		rp.max_tx_power = conn->max_tx_power;
5371 
5372 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
5373 					MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
5374 	}
5375 
5376 unlock:
5377 	hci_dev_unlock(hdev);
5378 	return err;
5379 }
5380 
5381 static int clock_info_cmd_complete(struct mgmt_pending_cmd *cmd, u8 status)
5382 {
5383 	struct hci_conn *conn = cmd->user_data;
5384 	struct mgmt_rp_get_clock_info rp;
5385 	struct hci_dev *hdev;
5386 	int err;
5387 
5388 	memset(&rp, 0, sizeof(rp));
5389 	memcpy(&rp.addr, cmd->param, sizeof(rp.addr));
5390 
5391 	if (status)
5392 		goto complete;
5393 
5394 	hdev = hci_dev_get(cmd->index);
5395 	if (hdev) {
5396 		rp.local_clock = cpu_to_le32(hdev->clock);
5397 		hci_dev_put(hdev);
5398 	}
5399 
5400 	if (conn) {
5401 		rp.piconet_clock = cpu_to_le32(conn->clock);
5402 		rp.accuracy = cpu_to_le16(conn->clock_accuracy);
5403 	}
5404 
5405 complete:
5406 	err = mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status, &rp,
5407 				sizeof(rp));
5408 
5409 	if (conn) {
5410 		hci_conn_drop(conn);
5411 		hci_conn_put(conn);
5412 	}
5413 
5414 	return err;
5415 }
5416 
5417 static void get_clock_info_complete(struct hci_dev *hdev, u8 status, u16 opcode)
5418 {
5419 	struct hci_cp_read_clock *hci_cp;
5420 	struct mgmt_pending_cmd *cmd;
5421 	struct hci_conn *conn;
5422 
5423 	BT_DBG("%s status %u", hdev->name, status);
5424 
5425 	hci_dev_lock(hdev);
5426 
5427 	hci_cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
5428 	if (!hci_cp)
5429 		goto unlock;
5430 
5431 	if (hci_cp->which) {
5432 		u16 handle = __le16_to_cpu(hci_cp->handle);
5433 		conn = hci_conn_hash_lookup_handle(hdev, handle);
5434 	} else {
5435 		conn = NULL;
5436 	}
5437 
5438 	cmd = pending_find_data(MGMT_OP_GET_CLOCK_INFO, hdev, conn);
5439 	if (!cmd)
5440 		goto unlock;
5441 
5442 	cmd->cmd_complete(cmd, mgmt_status(status));
5443 	mgmt_pending_remove(cmd);
5444 
5445 unlock:
5446 	hci_dev_unlock(hdev);
5447 }
5448 
5449 static int get_clock_info(struct sock *sk, struct hci_dev *hdev, void *data,
5450 			 u16 len)
5451 {
5452 	struct mgmt_cp_get_clock_info *cp = data;
5453 	struct mgmt_rp_get_clock_info rp;
5454 	struct hci_cp_read_clock hci_cp;
5455 	struct mgmt_pending_cmd *cmd;
5456 	struct hci_request req;
5457 	struct hci_conn *conn;
5458 	int err;
5459 
5460 	BT_DBG("%s", hdev->name);
5461 
5462 	memset(&rp, 0, sizeof(rp));
5463 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
5464 	rp.addr.type = cp->addr.type;
5465 
5466 	if (cp->addr.type != BDADDR_BREDR)
5467 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CLOCK_INFO,
5468 					 MGMT_STATUS_INVALID_PARAMS,
5469 					 &rp, sizeof(rp));
5470 
5471 	hci_dev_lock(hdev);
5472 
5473 	if (!hdev_is_powered(hdev)) {
5474 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CLOCK_INFO,
5475 					MGMT_STATUS_NOT_POWERED, &rp,
5476 					sizeof(rp));
5477 		goto unlock;
5478 	}
5479 
5480 	if (bacmp(&cp->addr.bdaddr, BDADDR_ANY)) {
5481 		conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
5482 					       &cp->addr.bdaddr);
5483 		if (!conn || conn->state != BT_CONNECTED) {
5484 			err = mgmt_cmd_complete(sk, hdev->id,
5485 						MGMT_OP_GET_CLOCK_INFO,
5486 						MGMT_STATUS_NOT_CONNECTED,
5487 						&rp, sizeof(rp));
5488 			goto unlock;
5489 		}
5490 	} else {
5491 		conn = NULL;
5492 	}
5493 
5494 	cmd = mgmt_pending_add(sk, MGMT_OP_GET_CLOCK_INFO, hdev, data, len);
5495 	if (!cmd) {
5496 		err = -ENOMEM;
5497 		goto unlock;
5498 	}
5499 
5500 	cmd->cmd_complete = clock_info_cmd_complete;
5501 
5502 	hci_req_init(&req, hdev);
5503 
5504 	memset(&hci_cp, 0, sizeof(hci_cp));
5505 	hci_req_add(&req, HCI_OP_READ_CLOCK, sizeof(hci_cp), &hci_cp);
5506 
5507 	if (conn) {
5508 		hci_conn_hold(conn);
5509 		cmd->user_data = hci_conn_get(conn);
5510 
5511 		hci_cp.handle = cpu_to_le16(conn->handle);
5512 		hci_cp.which = 0x01; /* Piconet clock */
5513 		hci_req_add(&req, HCI_OP_READ_CLOCK, sizeof(hci_cp), &hci_cp);
5514 	}
5515 
5516 	err = hci_req_run(&req, get_clock_info_complete);
5517 	if (err < 0)
5518 		mgmt_pending_remove(cmd);
5519 
5520 unlock:
5521 	hci_dev_unlock(hdev);
5522 	return err;
5523 }
5524 
5525 static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type)
5526 {
5527 	struct hci_conn *conn;
5528 
5529 	conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, addr);
5530 	if (!conn)
5531 		return false;
5532 
5533 	if (conn->dst_type != type)
5534 		return false;
5535 
5536 	if (conn->state != BT_CONNECTED)
5537 		return false;
5538 
5539 	return true;
5540 }
5541 
5542 /* This function requires the caller holds hdev->lock */
5543 static int hci_conn_params_set(struct hci_dev *hdev, bdaddr_t *addr,
5544 			       u8 addr_type, u8 auto_connect)
5545 {
5546 	struct hci_conn_params *params;
5547 
5548 	params = hci_conn_params_add(hdev, addr, addr_type);
5549 	if (!params)
5550 		return -EIO;
5551 
5552 	if (params->auto_connect == auto_connect)
5553 		return 0;
5554 
5555 	list_del_init(&params->action);
5556 
5557 	switch (auto_connect) {
5558 	case HCI_AUTO_CONN_DISABLED:
5559 	case HCI_AUTO_CONN_LINK_LOSS:
5560 		/* If auto connect is being disabled when we're trying to
5561 		 * connect to device, keep connecting.
5562 		 */
5563 		if (params->explicit_connect)
5564 			list_add(&params->action, &hdev->pend_le_conns);
5565 		break;
5566 	case HCI_AUTO_CONN_REPORT:
5567 		if (params->explicit_connect)
5568 			list_add(&params->action, &hdev->pend_le_conns);
5569 		else
5570 			list_add(&params->action, &hdev->pend_le_reports);
5571 		break;
5572 	case HCI_AUTO_CONN_DIRECT:
5573 	case HCI_AUTO_CONN_ALWAYS:
5574 		if (!is_connected(hdev, addr, addr_type))
5575 			list_add(&params->action, &hdev->pend_le_conns);
5576 		break;
5577 	}
5578 
5579 	params->auto_connect = auto_connect;
5580 
5581 	BT_DBG("addr %pMR (type %u) auto_connect %u", addr, addr_type,
5582 	       auto_connect);
5583 
5584 	return 0;
5585 }
5586 
5587 static void device_added(struct sock *sk, struct hci_dev *hdev,
5588 			 bdaddr_t *bdaddr, u8 type, u8 action)
5589 {
5590 	struct mgmt_ev_device_added ev;
5591 
5592 	bacpy(&ev.addr.bdaddr, bdaddr);
5593 	ev.addr.type = type;
5594 	ev.action = action;
5595 
5596 	mgmt_event(MGMT_EV_DEVICE_ADDED, hdev, &ev, sizeof(ev), sk);
5597 }
5598 
5599 static int add_device(struct sock *sk, struct hci_dev *hdev,
5600 		      void *data, u16 len)
5601 {
5602 	struct mgmt_cp_add_device *cp = data;
5603 	u8 auto_conn, addr_type;
5604 	int err;
5605 
5606 	BT_DBG("%s", hdev->name);
5607 
5608 	if (!bdaddr_type_is_valid(cp->addr.type) ||
5609 	    !bacmp(&cp->addr.bdaddr, BDADDR_ANY))
5610 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
5611 					 MGMT_STATUS_INVALID_PARAMS,
5612 					 &cp->addr, sizeof(cp->addr));
5613 
5614 	if (cp->action != 0x00 && cp->action != 0x01 && cp->action != 0x02)
5615 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
5616 					 MGMT_STATUS_INVALID_PARAMS,
5617 					 &cp->addr, sizeof(cp->addr));
5618 
5619 	hci_dev_lock(hdev);
5620 
5621 	if (cp->addr.type == BDADDR_BREDR) {
5622 		/* Only incoming connections action is supported for now */
5623 		if (cp->action != 0x01) {
5624 			err = mgmt_cmd_complete(sk, hdev->id,
5625 						MGMT_OP_ADD_DEVICE,
5626 						MGMT_STATUS_INVALID_PARAMS,
5627 						&cp->addr, sizeof(cp->addr));
5628 			goto unlock;
5629 		}
5630 
5631 		err = hci_bdaddr_list_add(&hdev->whitelist, &cp->addr.bdaddr,
5632 					  cp->addr.type);
5633 		if (err)
5634 			goto unlock;
5635 
5636 		hci_req_update_scan(hdev);
5637 
5638 		goto added;
5639 	}
5640 
5641 	addr_type = le_addr_type(cp->addr.type);
5642 
5643 	if (cp->action == 0x02)
5644 		auto_conn = HCI_AUTO_CONN_ALWAYS;
5645 	else if (cp->action == 0x01)
5646 		auto_conn = HCI_AUTO_CONN_DIRECT;
5647 	else
5648 		auto_conn = HCI_AUTO_CONN_REPORT;
5649 
5650 	/* Kernel internally uses conn_params with resolvable private
5651 	 * address, but Add Device allows only identity addresses.
5652 	 * Make sure it is enforced before calling
5653 	 * hci_conn_params_lookup.
5654 	 */
5655 	if (!hci_is_identity_address(&cp->addr.bdaddr, addr_type)) {
5656 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
5657 					MGMT_STATUS_INVALID_PARAMS,
5658 					&cp->addr, sizeof(cp->addr));
5659 		goto unlock;
5660 	}
5661 
5662 	/* If the connection parameters don't exist for this device,
5663 	 * they will be created and configured with defaults.
5664 	 */
5665 	if (hci_conn_params_set(hdev, &cp->addr.bdaddr, addr_type,
5666 				auto_conn) < 0) {
5667 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
5668 					MGMT_STATUS_FAILED, &cp->addr,
5669 					sizeof(cp->addr));
5670 		goto unlock;
5671 	}
5672 
5673 	hci_update_background_scan(hdev);
5674 
5675 added:
5676 	device_added(sk, hdev, &cp->addr.bdaddr, cp->addr.type, cp->action);
5677 
5678 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
5679 				MGMT_STATUS_SUCCESS, &cp->addr,
5680 				sizeof(cp->addr));
5681 
5682 unlock:
5683 	hci_dev_unlock(hdev);
5684 	return err;
5685 }
5686 
5687 static void device_removed(struct sock *sk, struct hci_dev *hdev,
5688 			   bdaddr_t *bdaddr, u8 type)
5689 {
5690 	struct mgmt_ev_device_removed ev;
5691 
5692 	bacpy(&ev.addr.bdaddr, bdaddr);
5693 	ev.addr.type = type;
5694 
5695 	mgmt_event(MGMT_EV_DEVICE_REMOVED, hdev, &ev, sizeof(ev), sk);
5696 }
5697 
5698 static int remove_device(struct sock *sk, struct hci_dev *hdev,
5699 			 void *data, u16 len)
5700 {
5701 	struct mgmt_cp_remove_device *cp = data;
5702 	int err;
5703 
5704 	BT_DBG("%s", hdev->name);
5705 
5706 	hci_dev_lock(hdev);
5707 
5708 	if (bacmp(&cp->addr.bdaddr, BDADDR_ANY)) {
5709 		struct hci_conn_params *params;
5710 		u8 addr_type;
5711 
5712 		if (!bdaddr_type_is_valid(cp->addr.type)) {
5713 			err = mgmt_cmd_complete(sk, hdev->id,
5714 						MGMT_OP_REMOVE_DEVICE,
5715 						MGMT_STATUS_INVALID_PARAMS,
5716 						&cp->addr, sizeof(cp->addr));
5717 			goto unlock;
5718 		}
5719 
5720 		if (cp->addr.type == BDADDR_BREDR) {
5721 			err = hci_bdaddr_list_del(&hdev->whitelist,
5722 						  &cp->addr.bdaddr,
5723 						  cp->addr.type);
5724 			if (err) {
5725 				err = mgmt_cmd_complete(sk, hdev->id,
5726 							MGMT_OP_REMOVE_DEVICE,
5727 							MGMT_STATUS_INVALID_PARAMS,
5728 							&cp->addr,
5729 							sizeof(cp->addr));
5730 				goto unlock;
5731 			}
5732 
5733 			hci_req_update_scan(hdev);
5734 
5735 			device_removed(sk, hdev, &cp->addr.bdaddr,
5736 				       cp->addr.type);
5737 			goto complete;
5738 		}
5739 
5740 		addr_type = le_addr_type(cp->addr.type);
5741 
5742 		/* Kernel internally uses conn_params with resolvable private
5743 		 * address, but Remove Device allows only identity addresses.
5744 		 * Make sure it is enforced before calling
5745 		 * hci_conn_params_lookup.
5746 		 */
5747 		if (!hci_is_identity_address(&cp->addr.bdaddr, addr_type)) {
5748 			err = mgmt_cmd_complete(sk, hdev->id,
5749 						MGMT_OP_REMOVE_DEVICE,
5750 						MGMT_STATUS_INVALID_PARAMS,
5751 						&cp->addr, sizeof(cp->addr));
5752 			goto unlock;
5753 		}
5754 
5755 		params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr,
5756 						addr_type);
5757 		if (!params) {
5758 			err = mgmt_cmd_complete(sk, hdev->id,
5759 						MGMT_OP_REMOVE_DEVICE,
5760 						MGMT_STATUS_INVALID_PARAMS,
5761 						&cp->addr, sizeof(cp->addr));
5762 			goto unlock;
5763 		}
5764 
5765 		if (params->auto_connect == HCI_AUTO_CONN_DISABLED ||
5766 		    params->auto_connect == HCI_AUTO_CONN_EXPLICIT) {
5767 			err = mgmt_cmd_complete(sk, hdev->id,
5768 						MGMT_OP_REMOVE_DEVICE,
5769 						MGMT_STATUS_INVALID_PARAMS,
5770 						&cp->addr, sizeof(cp->addr));
5771 			goto unlock;
5772 		}
5773 
5774 		list_del(&params->action);
5775 		list_del(&params->list);
5776 		kfree(params);
5777 		hci_update_background_scan(hdev);
5778 
5779 		device_removed(sk, hdev, &cp->addr.bdaddr, cp->addr.type);
5780 	} else {
5781 		struct hci_conn_params *p, *tmp;
5782 		struct bdaddr_list *b, *btmp;
5783 
5784 		if (cp->addr.type) {
5785 			err = mgmt_cmd_complete(sk, hdev->id,
5786 						MGMT_OP_REMOVE_DEVICE,
5787 						MGMT_STATUS_INVALID_PARAMS,
5788 						&cp->addr, sizeof(cp->addr));
5789 			goto unlock;
5790 		}
5791 
5792 		list_for_each_entry_safe(b, btmp, &hdev->whitelist, list) {
5793 			device_removed(sk, hdev, &b->bdaddr, b->bdaddr_type);
5794 			list_del(&b->list);
5795 			kfree(b);
5796 		}
5797 
5798 		hci_req_update_scan(hdev);
5799 
5800 		list_for_each_entry_safe(p, tmp, &hdev->le_conn_params, list) {
5801 			if (p->auto_connect == HCI_AUTO_CONN_DISABLED)
5802 				continue;
5803 			device_removed(sk, hdev, &p->addr, p->addr_type);
5804 			if (p->explicit_connect) {
5805 				p->auto_connect = HCI_AUTO_CONN_EXPLICIT;
5806 				continue;
5807 			}
5808 			list_del(&p->action);
5809 			list_del(&p->list);
5810 			kfree(p);
5811 		}
5812 
5813 		BT_DBG("All LE connection parameters were removed");
5814 
5815 		hci_update_background_scan(hdev);
5816 	}
5817 
5818 complete:
5819 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_DEVICE,
5820 				MGMT_STATUS_SUCCESS, &cp->addr,
5821 				sizeof(cp->addr));
5822 unlock:
5823 	hci_dev_unlock(hdev);
5824 	return err;
5825 }
5826 
5827 static int load_conn_param(struct sock *sk, struct hci_dev *hdev, void *data,
5828 			   u16 len)
5829 {
5830 	struct mgmt_cp_load_conn_param *cp = data;
5831 	const u16 max_param_count = ((U16_MAX - sizeof(*cp)) /
5832 				     sizeof(struct mgmt_conn_param));
5833 	u16 param_count, expected_len;
5834 	int i;
5835 
5836 	if (!lmp_le_capable(hdev))
5837 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM,
5838 				       MGMT_STATUS_NOT_SUPPORTED);
5839 
5840 	param_count = __le16_to_cpu(cp->param_count);
5841 	if (param_count > max_param_count) {
5842 		bt_dev_err(hdev, "load_conn_param: too big param_count value %u",
5843 			   param_count);
5844 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM,
5845 				       MGMT_STATUS_INVALID_PARAMS);
5846 	}
5847 
5848 	expected_len = struct_size(cp, params, param_count);
5849 	if (expected_len != len) {
5850 		bt_dev_err(hdev, "load_conn_param: expected %u bytes, got %u bytes",
5851 			   expected_len, len);
5852 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM,
5853 				       MGMT_STATUS_INVALID_PARAMS);
5854 	}
5855 
5856 	BT_DBG("%s param_count %u", hdev->name, param_count);
5857 
5858 	hci_dev_lock(hdev);
5859 
5860 	hci_conn_params_clear_disabled(hdev);
5861 
5862 	for (i = 0; i < param_count; i++) {
5863 		struct mgmt_conn_param *param = &cp->params[i];
5864 		struct hci_conn_params *hci_param;
5865 		u16 min, max, latency, timeout;
5866 		u8 addr_type;
5867 
5868 		BT_DBG("Adding %pMR (type %u)", &param->addr.bdaddr,
5869 		       param->addr.type);
5870 
5871 		if (param->addr.type == BDADDR_LE_PUBLIC) {
5872 			addr_type = ADDR_LE_DEV_PUBLIC;
5873 		} else if (param->addr.type == BDADDR_LE_RANDOM) {
5874 			addr_type = ADDR_LE_DEV_RANDOM;
5875 		} else {
5876 			bt_dev_err(hdev, "ignoring invalid connection parameters");
5877 			continue;
5878 		}
5879 
5880 		min = le16_to_cpu(param->min_interval);
5881 		max = le16_to_cpu(param->max_interval);
5882 		latency = le16_to_cpu(param->latency);
5883 		timeout = le16_to_cpu(param->timeout);
5884 
5885 		BT_DBG("min 0x%04x max 0x%04x latency 0x%04x timeout 0x%04x",
5886 		       min, max, latency, timeout);
5887 
5888 		if (hci_check_conn_params(min, max, latency, timeout) < 0) {
5889 			bt_dev_err(hdev, "ignoring invalid connection parameters");
5890 			continue;
5891 		}
5892 
5893 		hci_param = hci_conn_params_add(hdev, &param->addr.bdaddr,
5894 						addr_type);
5895 		if (!hci_param) {
5896 			bt_dev_err(hdev, "failed to add connection parameters");
5897 			continue;
5898 		}
5899 
5900 		hci_param->conn_min_interval = min;
5901 		hci_param->conn_max_interval = max;
5902 		hci_param->conn_latency = latency;
5903 		hci_param->supervision_timeout = timeout;
5904 	}
5905 
5906 	hci_dev_unlock(hdev);
5907 
5908 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM, 0,
5909 				 NULL, 0);
5910 }
5911 
5912 static int set_external_config(struct sock *sk, struct hci_dev *hdev,
5913 			       void *data, u16 len)
5914 {
5915 	struct mgmt_cp_set_external_config *cp = data;
5916 	bool changed;
5917 	int err;
5918 
5919 	BT_DBG("%s", hdev->name);
5920 
5921 	if (hdev_is_powered(hdev))
5922 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_EXTERNAL_CONFIG,
5923 				       MGMT_STATUS_REJECTED);
5924 
5925 	if (cp->config != 0x00 && cp->config != 0x01)
5926 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_EXTERNAL_CONFIG,
5927 				         MGMT_STATUS_INVALID_PARAMS);
5928 
5929 	if (!test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks))
5930 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_EXTERNAL_CONFIG,
5931 				       MGMT_STATUS_NOT_SUPPORTED);
5932 
5933 	hci_dev_lock(hdev);
5934 
5935 	if (cp->config)
5936 		changed = !hci_dev_test_and_set_flag(hdev, HCI_EXT_CONFIGURED);
5937 	else
5938 		changed = hci_dev_test_and_clear_flag(hdev, HCI_EXT_CONFIGURED);
5939 
5940 	err = send_options_rsp(sk, MGMT_OP_SET_EXTERNAL_CONFIG, hdev);
5941 	if (err < 0)
5942 		goto unlock;
5943 
5944 	if (!changed)
5945 		goto unlock;
5946 
5947 	err = new_options(hdev, sk);
5948 
5949 	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED) == is_configured(hdev)) {
5950 		mgmt_index_removed(hdev);
5951 
5952 		if (hci_dev_test_and_change_flag(hdev, HCI_UNCONFIGURED)) {
5953 			hci_dev_set_flag(hdev, HCI_CONFIG);
5954 			hci_dev_set_flag(hdev, HCI_AUTO_OFF);
5955 
5956 			queue_work(hdev->req_workqueue, &hdev->power_on);
5957 		} else {
5958 			set_bit(HCI_RAW, &hdev->flags);
5959 			mgmt_index_added(hdev);
5960 		}
5961 	}
5962 
5963 unlock:
5964 	hci_dev_unlock(hdev);
5965 	return err;
5966 }
5967 
5968 static int set_public_address(struct sock *sk, struct hci_dev *hdev,
5969 			      void *data, u16 len)
5970 {
5971 	struct mgmt_cp_set_public_address *cp = data;
5972 	bool changed;
5973 	int err;
5974 
5975 	BT_DBG("%s", hdev->name);
5976 
5977 	if (hdev_is_powered(hdev))
5978 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PUBLIC_ADDRESS,
5979 				       MGMT_STATUS_REJECTED);
5980 
5981 	if (!bacmp(&cp->bdaddr, BDADDR_ANY))
5982 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PUBLIC_ADDRESS,
5983 				       MGMT_STATUS_INVALID_PARAMS);
5984 
5985 	if (!hdev->set_bdaddr)
5986 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PUBLIC_ADDRESS,
5987 				       MGMT_STATUS_NOT_SUPPORTED);
5988 
5989 	hci_dev_lock(hdev);
5990 
5991 	changed = !!bacmp(&hdev->public_addr, &cp->bdaddr);
5992 	bacpy(&hdev->public_addr, &cp->bdaddr);
5993 
5994 	err = send_options_rsp(sk, MGMT_OP_SET_PUBLIC_ADDRESS, hdev);
5995 	if (err < 0)
5996 		goto unlock;
5997 
5998 	if (!changed)
5999 		goto unlock;
6000 
6001 	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
6002 		err = new_options(hdev, sk);
6003 
6004 	if (is_configured(hdev)) {
6005 		mgmt_index_removed(hdev);
6006 
6007 		hci_dev_clear_flag(hdev, HCI_UNCONFIGURED);
6008 
6009 		hci_dev_set_flag(hdev, HCI_CONFIG);
6010 		hci_dev_set_flag(hdev, HCI_AUTO_OFF);
6011 
6012 		queue_work(hdev->req_workqueue, &hdev->power_on);
6013 	}
6014 
6015 unlock:
6016 	hci_dev_unlock(hdev);
6017 	return err;
6018 }
6019 
6020 static void read_local_oob_ext_data_complete(struct hci_dev *hdev, u8 status,
6021 					     u16 opcode, struct sk_buff *skb)
6022 {
6023 	const struct mgmt_cp_read_local_oob_ext_data *mgmt_cp;
6024 	struct mgmt_rp_read_local_oob_ext_data *mgmt_rp;
6025 	u8 *h192, *r192, *h256, *r256;
6026 	struct mgmt_pending_cmd *cmd;
6027 	u16 eir_len;
6028 	int err;
6029 
6030 	BT_DBG("%s status %u", hdev->name, status);
6031 
6032 	cmd = pending_find(MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev);
6033 	if (!cmd)
6034 		return;
6035 
6036 	mgmt_cp = cmd->param;
6037 
6038 	if (status) {
6039 		status = mgmt_status(status);
6040 		eir_len = 0;
6041 
6042 		h192 = NULL;
6043 		r192 = NULL;
6044 		h256 = NULL;
6045 		r256 = NULL;
6046 	} else if (opcode == HCI_OP_READ_LOCAL_OOB_DATA) {
6047 		struct hci_rp_read_local_oob_data *rp;
6048 
6049 		if (skb->len != sizeof(*rp)) {
6050 			status = MGMT_STATUS_FAILED;
6051 			eir_len = 0;
6052 		} else {
6053 			status = MGMT_STATUS_SUCCESS;
6054 			rp = (void *)skb->data;
6055 
6056 			eir_len = 5 + 18 + 18;
6057 			h192 = rp->hash;
6058 			r192 = rp->rand;
6059 			h256 = NULL;
6060 			r256 = NULL;
6061 		}
6062 	} else {
6063 		struct hci_rp_read_local_oob_ext_data *rp;
6064 
6065 		if (skb->len != sizeof(*rp)) {
6066 			status = MGMT_STATUS_FAILED;
6067 			eir_len = 0;
6068 		} else {
6069 			status = MGMT_STATUS_SUCCESS;
6070 			rp = (void *)skb->data;
6071 
6072 			if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
6073 				eir_len = 5 + 18 + 18;
6074 				h192 = NULL;
6075 				r192 = NULL;
6076 			} else {
6077 				eir_len = 5 + 18 + 18 + 18 + 18;
6078 				h192 = rp->hash192;
6079 				r192 = rp->rand192;
6080 			}
6081 
6082 			h256 = rp->hash256;
6083 			r256 = rp->rand256;
6084 		}
6085 	}
6086 
6087 	mgmt_rp = kmalloc(sizeof(*mgmt_rp) + eir_len, GFP_KERNEL);
6088 	if (!mgmt_rp)
6089 		goto done;
6090 
6091 	if (status)
6092 		goto send_rsp;
6093 
6094 	eir_len = eir_append_data(mgmt_rp->eir, 0, EIR_CLASS_OF_DEV,
6095 				  hdev->dev_class, 3);
6096 
6097 	if (h192 && r192) {
6098 		eir_len = eir_append_data(mgmt_rp->eir, eir_len,
6099 					  EIR_SSP_HASH_C192, h192, 16);
6100 		eir_len = eir_append_data(mgmt_rp->eir, eir_len,
6101 					  EIR_SSP_RAND_R192, r192, 16);
6102 	}
6103 
6104 	if (h256 && r256) {
6105 		eir_len = eir_append_data(mgmt_rp->eir, eir_len,
6106 					  EIR_SSP_HASH_C256, h256, 16);
6107 		eir_len = eir_append_data(mgmt_rp->eir, eir_len,
6108 					  EIR_SSP_RAND_R256, r256, 16);
6109 	}
6110 
6111 send_rsp:
6112 	mgmt_rp->type = mgmt_cp->type;
6113 	mgmt_rp->eir_len = cpu_to_le16(eir_len);
6114 
6115 	err = mgmt_cmd_complete(cmd->sk, hdev->id,
6116 				MGMT_OP_READ_LOCAL_OOB_EXT_DATA, status,
6117 				mgmt_rp, sizeof(*mgmt_rp) + eir_len);
6118 	if (err < 0 || status)
6119 		goto done;
6120 
6121 	hci_sock_set_flag(cmd->sk, HCI_MGMT_OOB_DATA_EVENTS);
6122 
6123 	err = mgmt_limited_event(MGMT_EV_LOCAL_OOB_DATA_UPDATED, hdev,
6124 				 mgmt_rp, sizeof(*mgmt_rp) + eir_len,
6125 				 HCI_MGMT_OOB_DATA_EVENTS, cmd->sk);
6126 done:
6127 	kfree(mgmt_rp);
6128 	mgmt_pending_remove(cmd);
6129 }
6130 
6131 static int read_local_ssp_oob_req(struct hci_dev *hdev, struct sock *sk,
6132 				  struct mgmt_cp_read_local_oob_ext_data *cp)
6133 {
6134 	struct mgmt_pending_cmd *cmd;
6135 	struct hci_request req;
6136 	int err;
6137 
6138 	cmd = mgmt_pending_add(sk, MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev,
6139 			       cp, sizeof(*cp));
6140 	if (!cmd)
6141 		return -ENOMEM;
6142 
6143 	hci_req_init(&req, hdev);
6144 
6145 	if (bredr_sc_enabled(hdev))
6146 		hci_req_add(&req, HCI_OP_READ_LOCAL_OOB_EXT_DATA, 0, NULL);
6147 	else
6148 		hci_req_add(&req, HCI_OP_READ_LOCAL_OOB_DATA, 0, NULL);
6149 
6150 	err = hci_req_run_skb(&req, read_local_oob_ext_data_complete);
6151 	if (err < 0) {
6152 		mgmt_pending_remove(cmd);
6153 		return err;
6154 	}
6155 
6156 	return 0;
6157 }
6158 
6159 static int read_local_oob_ext_data(struct sock *sk, struct hci_dev *hdev,
6160 				   void *data, u16 data_len)
6161 {
6162 	struct mgmt_cp_read_local_oob_ext_data *cp = data;
6163 	struct mgmt_rp_read_local_oob_ext_data *rp;
6164 	size_t rp_len;
6165 	u16 eir_len;
6166 	u8 status, flags, role, addr[7], hash[16], rand[16];
6167 	int err;
6168 
6169 	BT_DBG("%s", hdev->name);
6170 
6171 	if (hdev_is_powered(hdev)) {
6172 		switch (cp->type) {
6173 		case BIT(BDADDR_BREDR):
6174 			status = mgmt_bredr_support(hdev);
6175 			if (status)
6176 				eir_len = 0;
6177 			else
6178 				eir_len = 5;
6179 			break;
6180 		case (BIT(BDADDR_LE_PUBLIC) | BIT(BDADDR_LE_RANDOM)):
6181 			status = mgmt_le_support(hdev);
6182 			if (status)
6183 				eir_len = 0;
6184 			else
6185 				eir_len = 9 + 3 + 18 + 18 + 3;
6186 			break;
6187 		default:
6188 			status = MGMT_STATUS_INVALID_PARAMS;
6189 			eir_len = 0;
6190 			break;
6191 		}
6192 	} else {
6193 		status = MGMT_STATUS_NOT_POWERED;
6194 		eir_len = 0;
6195 	}
6196 
6197 	rp_len = sizeof(*rp) + eir_len;
6198 	rp = kmalloc(rp_len, GFP_ATOMIC);
6199 	if (!rp)
6200 		return -ENOMEM;
6201 
6202 	if (status)
6203 		goto complete;
6204 
6205 	hci_dev_lock(hdev);
6206 
6207 	eir_len = 0;
6208 	switch (cp->type) {
6209 	case BIT(BDADDR_BREDR):
6210 		if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
6211 			err = read_local_ssp_oob_req(hdev, sk, cp);
6212 			hci_dev_unlock(hdev);
6213 			if (!err)
6214 				goto done;
6215 
6216 			status = MGMT_STATUS_FAILED;
6217 			goto complete;
6218 		} else {
6219 			eir_len = eir_append_data(rp->eir, eir_len,
6220 						  EIR_CLASS_OF_DEV,
6221 						  hdev->dev_class, 3);
6222 		}
6223 		break;
6224 	case (BIT(BDADDR_LE_PUBLIC) | BIT(BDADDR_LE_RANDOM)):
6225 		if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
6226 		    smp_generate_oob(hdev, hash, rand) < 0) {
6227 			hci_dev_unlock(hdev);
6228 			status = MGMT_STATUS_FAILED;
6229 			goto complete;
6230 		}
6231 
6232 		/* This should return the active RPA, but since the RPA
6233 		 * is only programmed on demand, it is really hard to fill
6234 		 * this in at the moment. For now disallow retrieving
6235 		 * local out-of-band data when privacy is in use.
6236 		 *
6237 		 * Returning the identity address will not help here since
6238 		 * pairing happens before the identity resolving key is
6239 		 * known and thus the connection establishment happens
6240 		 * based on the RPA and not the identity address.
6241 		 */
6242 		if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
6243 			hci_dev_unlock(hdev);
6244 			status = MGMT_STATUS_REJECTED;
6245 			goto complete;
6246 		}
6247 
6248 		if (hci_dev_test_flag(hdev, HCI_FORCE_STATIC_ADDR) ||
6249 		   !bacmp(&hdev->bdaddr, BDADDR_ANY) ||
6250 		   (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
6251 		    bacmp(&hdev->static_addr, BDADDR_ANY))) {
6252 			memcpy(addr, &hdev->static_addr, 6);
6253 			addr[6] = 0x01;
6254 		} else {
6255 			memcpy(addr, &hdev->bdaddr, 6);
6256 			addr[6] = 0x00;
6257 		}
6258 
6259 		eir_len = eir_append_data(rp->eir, eir_len, EIR_LE_BDADDR,
6260 					  addr, sizeof(addr));
6261 
6262 		if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
6263 			role = 0x02;
6264 		else
6265 			role = 0x01;
6266 
6267 		eir_len = eir_append_data(rp->eir, eir_len, EIR_LE_ROLE,
6268 					  &role, sizeof(role));
6269 
6270 		if (hci_dev_test_flag(hdev, HCI_SC_ENABLED)) {
6271 			eir_len = eir_append_data(rp->eir, eir_len,
6272 						  EIR_LE_SC_CONFIRM,
6273 						  hash, sizeof(hash));
6274 
6275 			eir_len = eir_append_data(rp->eir, eir_len,
6276 						  EIR_LE_SC_RANDOM,
6277 						  rand, sizeof(rand));
6278 		}
6279 
6280 		flags = mgmt_get_adv_discov_flags(hdev);
6281 
6282 		if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
6283 			flags |= LE_AD_NO_BREDR;
6284 
6285 		eir_len = eir_append_data(rp->eir, eir_len, EIR_FLAGS,
6286 					  &flags, sizeof(flags));
6287 		break;
6288 	}
6289 
6290 	hci_dev_unlock(hdev);
6291 
6292 	hci_sock_set_flag(sk, HCI_MGMT_OOB_DATA_EVENTS);
6293 
6294 	status = MGMT_STATUS_SUCCESS;
6295 
6296 complete:
6297 	rp->type = cp->type;
6298 	rp->eir_len = cpu_to_le16(eir_len);
6299 
6300 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_EXT_DATA,
6301 				status, rp, sizeof(*rp) + eir_len);
6302 	if (err < 0 || status)
6303 		goto done;
6304 
6305 	err = mgmt_limited_event(MGMT_EV_LOCAL_OOB_DATA_UPDATED, hdev,
6306 				 rp, sizeof(*rp) + eir_len,
6307 				 HCI_MGMT_OOB_DATA_EVENTS, sk);
6308 
6309 done:
6310 	kfree(rp);
6311 
6312 	return err;
6313 }
6314 
6315 static u32 get_supported_adv_flags(struct hci_dev *hdev)
6316 {
6317 	u32 flags = 0;
6318 
6319 	flags |= MGMT_ADV_FLAG_CONNECTABLE;
6320 	flags |= MGMT_ADV_FLAG_DISCOV;
6321 	flags |= MGMT_ADV_FLAG_LIMITED_DISCOV;
6322 	flags |= MGMT_ADV_FLAG_MANAGED_FLAGS;
6323 	flags |= MGMT_ADV_FLAG_APPEARANCE;
6324 	flags |= MGMT_ADV_FLAG_LOCAL_NAME;
6325 
6326 	/* In extended adv TX_POWER returned from Set Adv Param
6327 	 * will be always valid.
6328 	 */
6329 	if ((hdev->adv_tx_power != HCI_TX_POWER_INVALID) ||
6330 	    ext_adv_capable(hdev))
6331 		flags |= MGMT_ADV_FLAG_TX_POWER;
6332 
6333 	if (ext_adv_capable(hdev)) {
6334 		flags |= MGMT_ADV_FLAG_SEC_1M;
6335 
6336 		if (hdev->le_features[1] & HCI_LE_PHY_2M)
6337 			flags |= MGMT_ADV_FLAG_SEC_2M;
6338 
6339 		if (hdev->le_features[1] & HCI_LE_PHY_CODED)
6340 			flags |= MGMT_ADV_FLAG_SEC_CODED;
6341 	}
6342 
6343 	return flags;
6344 }
6345 
6346 static int read_adv_features(struct sock *sk, struct hci_dev *hdev,
6347 			     void *data, u16 data_len)
6348 {
6349 	struct mgmt_rp_read_adv_features *rp;
6350 	size_t rp_len;
6351 	int err;
6352 	struct adv_info *adv_instance;
6353 	u32 supported_flags;
6354 	u8 *instance;
6355 
6356 	BT_DBG("%s", hdev->name);
6357 
6358 	if (!lmp_le_capable(hdev))
6359 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_ADV_FEATURES,
6360 				       MGMT_STATUS_REJECTED);
6361 
6362 	hci_dev_lock(hdev);
6363 
6364 	rp_len = sizeof(*rp) + hdev->adv_instance_cnt;
6365 	rp = kmalloc(rp_len, GFP_ATOMIC);
6366 	if (!rp) {
6367 		hci_dev_unlock(hdev);
6368 		return -ENOMEM;
6369 	}
6370 
6371 	supported_flags = get_supported_adv_flags(hdev);
6372 
6373 	rp->supported_flags = cpu_to_le32(supported_flags);
6374 	rp->max_adv_data_len = HCI_MAX_AD_LENGTH;
6375 	rp->max_scan_rsp_len = HCI_MAX_AD_LENGTH;
6376 	rp->max_instances = HCI_MAX_ADV_INSTANCES;
6377 	rp->num_instances = hdev->adv_instance_cnt;
6378 
6379 	instance = rp->instance;
6380 	list_for_each_entry(adv_instance, &hdev->adv_instances, list) {
6381 		*instance = adv_instance->instance;
6382 		instance++;
6383 	}
6384 
6385 	hci_dev_unlock(hdev);
6386 
6387 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_ADV_FEATURES,
6388 				MGMT_STATUS_SUCCESS, rp, rp_len);
6389 
6390 	kfree(rp);
6391 
6392 	return err;
6393 }
6394 
6395 static u8 calculate_name_len(struct hci_dev *hdev)
6396 {
6397 	u8 buf[HCI_MAX_SHORT_NAME_LENGTH + 3];
6398 
6399 	return append_local_name(hdev, buf, 0);
6400 }
6401 
6402 static u8 tlv_data_max_len(struct hci_dev *hdev, u32 adv_flags,
6403 			   bool is_adv_data)
6404 {
6405 	u8 max_len = HCI_MAX_AD_LENGTH;
6406 
6407 	if (is_adv_data) {
6408 		if (adv_flags & (MGMT_ADV_FLAG_DISCOV |
6409 				 MGMT_ADV_FLAG_LIMITED_DISCOV |
6410 				 MGMT_ADV_FLAG_MANAGED_FLAGS))
6411 			max_len -= 3;
6412 
6413 		if (adv_flags & MGMT_ADV_FLAG_TX_POWER)
6414 			max_len -= 3;
6415 	} else {
6416 		if (adv_flags & MGMT_ADV_FLAG_LOCAL_NAME)
6417 			max_len -= calculate_name_len(hdev);
6418 
6419 		if (adv_flags & (MGMT_ADV_FLAG_APPEARANCE))
6420 			max_len -= 4;
6421 	}
6422 
6423 	return max_len;
6424 }
6425 
6426 static bool flags_managed(u32 adv_flags)
6427 {
6428 	return adv_flags & (MGMT_ADV_FLAG_DISCOV |
6429 			    MGMT_ADV_FLAG_LIMITED_DISCOV |
6430 			    MGMT_ADV_FLAG_MANAGED_FLAGS);
6431 }
6432 
6433 static bool tx_power_managed(u32 adv_flags)
6434 {
6435 	return adv_flags & MGMT_ADV_FLAG_TX_POWER;
6436 }
6437 
6438 static bool name_managed(u32 adv_flags)
6439 {
6440 	return adv_flags & MGMT_ADV_FLAG_LOCAL_NAME;
6441 }
6442 
6443 static bool appearance_managed(u32 adv_flags)
6444 {
6445 	return adv_flags & MGMT_ADV_FLAG_APPEARANCE;
6446 }
6447 
6448 static bool tlv_data_is_valid(struct hci_dev *hdev, u32 adv_flags, u8 *data,
6449 			      u8 len, bool is_adv_data)
6450 {
6451 	int i, cur_len;
6452 	u8 max_len;
6453 
6454 	max_len = tlv_data_max_len(hdev, adv_flags, is_adv_data);
6455 
6456 	if (len > max_len)
6457 		return false;
6458 
6459 	/* Make sure that the data is correctly formatted. */
6460 	for (i = 0, cur_len = 0; i < len; i += (cur_len + 1)) {
6461 		cur_len = data[i];
6462 
6463 		if (data[i + 1] == EIR_FLAGS &&
6464 		    (!is_adv_data || flags_managed(adv_flags)))
6465 			return false;
6466 
6467 		if (data[i + 1] == EIR_TX_POWER && tx_power_managed(adv_flags))
6468 			return false;
6469 
6470 		if (data[i + 1] == EIR_NAME_COMPLETE && name_managed(adv_flags))
6471 			return false;
6472 
6473 		if (data[i + 1] == EIR_NAME_SHORT && name_managed(adv_flags))
6474 			return false;
6475 
6476 		if (data[i + 1] == EIR_APPEARANCE &&
6477 		    appearance_managed(adv_flags))
6478 			return false;
6479 
6480 		/* If the current field length would exceed the total data
6481 		 * length, then it's invalid.
6482 		 */
6483 		if (i + cur_len >= len)
6484 			return false;
6485 	}
6486 
6487 	return true;
6488 }
6489 
6490 static void add_advertising_complete(struct hci_dev *hdev, u8 status,
6491 				     u16 opcode)
6492 {
6493 	struct mgmt_pending_cmd *cmd;
6494 	struct mgmt_cp_add_advertising *cp;
6495 	struct mgmt_rp_add_advertising rp;
6496 	struct adv_info *adv_instance, *n;
6497 	u8 instance;
6498 
6499 	BT_DBG("status %d", status);
6500 
6501 	hci_dev_lock(hdev);
6502 
6503 	cmd = pending_find(MGMT_OP_ADD_ADVERTISING, hdev);
6504 
6505 	list_for_each_entry_safe(adv_instance, n, &hdev->adv_instances, list) {
6506 		if (!adv_instance->pending)
6507 			continue;
6508 
6509 		if (!status) {
6510 			adv_instance->pending = false;
6511 			continue;
6512 		}
6513 
6514 		instance = adv_instance->instance;
6515 
6516 		if (hdev->cur_adv_instance == instance)
6517 			cancel_adv_timeout(hdev);
6518 
6519 		hci_remove_adv_instance(hdev, instance);
6520 		mgmt_advertising_removed(cmd ? cmd->sk : NULL, hdev, instance);
6521 	}
6522 
6523 	if (!cmd)
6524 		goto unlock;
6525 
6526 	cp = cmd->param;
6527 	rp.instance = cp->instance;
6528 
6529 	if (status)
6530 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode,
6531 				mgmt_status(status));
6532 	else
6533 		mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
6534 				  mgmt_status(status), &rp, sizeof(rp));
6535 
6536 	mgmt_pending_remove(cmd);
6537 
6538 unlock:
6539 	hci_dev_unlock(hdev);
6540 }
6541 
6542 static int add_advertising(struct sock *sk, struct hci_dev *hdev,
6543 			   void *data, u16 data_len)
6544 {
6545 	struct mgmt_cp_add_advertising *cp = data;
6546 	struct mgmt_rp_add_advertising rp;
6547 	u32 flags;
6548 	u32 supported_flags, phy_flags;
6549 	u8 status;
6550 	u16 timeout, duration;
6551 	unsigned int prev_instance_cnt = hdev->adv_instance_cnt;
6552 	u8 schedule_instance = 0;
6553 	struct adv_info *next_instance;
6554 	int err;
6555 	struct mgmt_pending_cmd *cmd;
6556 	struct hci_request req;
6557 
6558 	BT_DBG("%s", hdev->name);
6559 
6560 	status = mgmt_le_support(hdev);
6561 	if (status)
6562 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
6563 				       status);
6564 
6565 	if (cp->instance < 1 || cp->instance > HCI_MAX_ADV_INSTANCES)
6566 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
6567 				       MGMT_STATUS_INVALID_PARAMS);
6568 
6569 	if (data_len != sizeof(*cp) + cp->adv_data_len + cp->scan_rsp_len)
6570 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
6571 				       MGMT_STATUS_INVALID_PARAMS);
6572 
6573 	flags = __le32_to_cpu(cp->flags);
6574 	timeout = __le16_to_cpu(cp->timeout);
6575 	duration = __le16_to_cpu(cp->duration);
6576 
6577 	/* The current implementation only supports a subset of the specified
6578 	 * flags. Also need to check mutual exclusiveness of sec flags.
6579 	 */
6580 	supported_flags = get_supported_adv_flags(hdev);
6581 	phy_flags = flags & MGMT_ADV_FLAG_SEC_MASK;
6582 	if (flags & ~supported_flags ||
6583 	    ((phy_flags && (phy_flags ^ (phy_flags & -phy_flags)))))
6584 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
6585 				       MGMT_STATUS_INVALID_PARAMS);
6586 
6587 	hci_dev_lock(hdev);
6588 
6589 	if (timeout && !hdev_is_powered(hdev)) {
6590 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
6591 				      MGMT_STATUS_REJECTED);
6592 		goto unlock;
6593 	}
6594 
6595 	if (pending_find(MGMT_OP_ADD_ADVERTISING, hdev) ||
6596 	    pending_find(MGMT_OP_REMOVE_ADVERTISING, hdev) ||
6597 	    pending_find(MGMT_OP_SET_LE, hdev)) {
6598 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
6599 				      MGMT_STATUS_BUSY);
6600 		goto unlock;
6601 	}
6602 
6603 	if (!tlv_data_is_valid(hdev, flags, cp->data, cp->adv_data_len, true) ||
6604 	    !tlv_data_is_valid(hdev, flags, cp->data + cp->adv_data_len,
6605 			       cp->scan_rsp_len, false)) {
6606 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
6607 				      MGMT_STATUS_INVALID_PARAMS);
6608 		goto unlock;
6609 	}
6610 
6611 	err = hci_add_adv_instance(hdev, cp->instance, flags,
6612 				   cp->adv_data_len, cp->data,
6613 				   cp->scan_rsp_len,
6614 				   cp->data + cp->adv_data_len,
6615 				   timeout, duration);
6616 	if (err < 0) {
6617 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
6618 				      MGMT_STATUS_FAILED);
6619 		goto unlock;
6620 	}
6621 
6622 	/* Only trigger an advertising added event if a new instance was
6623 	 * actually added.
6624 	 */
6625 	if (hdev->adv_instance_cnt > prev_instance_cnt)
6626 		mgmt_advertising_added(sk, hdev, cp->instance);
6627 
6628 	if (hdev->cur_adv_instance == cp->instance) {
6629 		/* If the currently advertised instance is being changed then
6630 		 * cancel the current advertising and schedule the next
6631 		 * instance. If there is only one instance then the overridden
6632 		 * advertising data will be visible right away.
6633 		 */
6634 		cancel_adv_timeout(hdev);
6635 
6636 		next_instance = hci_get_next_instance(hdev, cp->instance);
6637 		if (next_instance)
6638 			schedule_instance = next_instance->instance;
6639 	} else if (!hdev->adv_instance_timeout) {
6640 		/* Immediately advertise the new instance if no other
6641 		 * instance is currently being advertised.
6642 		 */
6643 		schedule_instance = cp->instance;
6644 	}
6645 
6646 	/* If the HCI_ADVERTISING flag is set or the device isn't powered or
6647 	 * there is no instance to be advertised then we have no HCI
6648 	 * communication to make. Simply return.
6649 	 */
6650 	if (!hdev_is_powered(hdev) ||
6651 	    hci_dev_test_flag(hdev, HCI_ADVERTISING) ||
6652 	    !schedule_instance) {
6653 		rp.instance = cp->instance;
6654 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
6655 					MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
6656 		goto unlock;
6657 	}
6658 
6659 	/* We're good to go, update advertising data, parameters, and start
6660 	 * advertising.
6661 	 */
6662 	cmd = mgmt_pending_add(sk, MGMT_OP_ADD_ADVERTISING, hdev, data,
6663 			       data_len);
6664 	if (!cmd) {
6665 		err = -ENOMEM;
6666 		goto unlock;
6667 	}
6668 
6669 	hci_req_init(&req, hdev);
6670 
6671 	err = __hci_req_schedule_adv_instance(&req, schedule_instance, true);
6672 
6673 	if (!err)
6674 		err = hci_req_run(&req, add_advertising_complete);
6675 
6676 	if (err < 0)
6677 		mgmt_pending_remove(cmd);
6678 
6679 unlock:
6680 	hci_dev_unlock(hdev);
6681 
6682 	return err;
6683 }
6684 
6685 static void remove_advertising_complete(struct hci_dev *hdev, u8 status,
6686 					u16 opcode)
6687 {
6688 	struct mgmt_pending_cmd *cmd;
6689 	struct mgmt_cp_remove_advertising *cp;
6690 	struct mgmt_rp_remove_advertising rp;
6691 
6692 	BT_DBG("status %d", status);
6693 
6694 	hci_dev_lock(hdev);
6695 
6696 	/* A failure status here only means that we failed to disable
6697 	 * advertising. Otherwise, the advertising instance has been removed,
6698 	 * so report success.
6699 	 */
6700 	cmd = pending_find(MGMT_OP_REMOVE_ADVERTISING, hdev);
6701 	if (!cmd)
6702 		goto unlock;
6703 
6704 	cp = cmd->param;
6705 	rp.instance = cp->instance;
6706 
6707 	mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, MGMT_STATUS_SUCCESS,
6708 			  &rp, sizeof(rp));
6709 	mgmt_pending_remove(cmd);
6710 
6711 unlock:
6712 	hci_dev_unlock(hdev);
6713 }
6714 
6715 static int remove_advertising(struct sock *sk, struct hci_dev *hdev,
6716 			      void *data, u16 data_len)
6717 {
6718 	struct mgmt_cp_remove_advertising *cp = data;
6719 	struct mgmt_rp_remove_advertising rp;
6720 	struct mgmt_pending_cmd *cmd;
6721 	struct hci_request req;
6722 	int err;
6723 
6724 	BT_DBG("%s", hdev->name);
6725 
6726 	hci_dev_lock(hdev);
6727 
6728 	if (cp->instance && !hci_find_adv_instance(hdev, cp->instance)) {
6729 		err = mgmt_cmd_status(sk, hdev->id,
6730 				      MGMT_OP_REMOVE_ADVERTISING,
6731 				      MGMT_STATUS_INVALID_PARAMS);
6732 		goto unlock;
6733 	}
6734 
6735 	if (pending_find(MGMT_OP_ADD_ADVERTISING, hdev) ||
6736 	    pending_find(MGMT_OP_REMOVE_ADVERTISING, hdev) ||
6737 	    pending_find(MGMT_OP_SET_LE, hdev)) {
6738 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_ADVERTISING,
6739 				      MGMT_STATUS_BUSY);
6740 		goto unlock;
6741 	}
6742 
6743 	if (list_empty(&hdev->adv_instances)) {
6744 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_ADVERTISING,
6745 				      MGMT_STATUS_INVALID_PARAMS);
6746 		goto unlock;
6747 	}
6748 
6749 	hci_req_init(&req, hdev);
6750 
6751 	hci_req_clear_adv_instance(hdev, sk, &req, cp->instance, true);
6752 
6753 	if (list_empty(&hdev->adv_instances))
6754 		__hci_req_disable_advertising(&req);
6755 
6756 	/* If no HCI commands have been collected so far or the HCI_ADVERTISING
6757 	 * flag is set or the device isn't powered then we have no HCI
6758 	 * communication to make. Simply return.
6759 	 */
6760 	if (skb_queue_empty(&req.cmd_q) ||
6761 	    !hdev_is_powered(hdev) ||
6762 	    hci_dev_test_flag(hdev, HCI_ADVERTISING)) {
6763 		hci_req_purge(&req);
6764 		rp.instance = cp->instance;
6765 		err = mgmt_cmd_complete(sk, hdev->id,
6766 					MGMT_OP_REMOVE_ADVERTISING,
6767 					MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
6768 		goto unlock;
6769 	}
6770 
6771 	cmd = mgmt_pending_add(sk, MGMT_OP_REMOVE_ADVERTISING, hdev, data,
6772 			       data_len);
6773 	if (!cmd) {
6774 		err = -ENOMEM;
6775 		goto unlock;
6776 	}
6777 
6778 	err = hci_req_run(&req, remove_advertising_complete);
6779 	if (err < 0)
6780 		mgmt_pending_remove(cmd);
6781 
6782 unlock:
6783 	hci_dev_unlock(hdev);
6784 
6785 	return err;
6786 }
6787 
6788 static int get_adv_size_info(struct sock *sk, struct hci_dev *hdev,
6789 			     void *data, u16 data_len)
6790 {
6791 	struct mgmt_cp_get_adv_size_info *cp = data;
6792 	struct mgmt_rp_get_adv_size_info rp;
6793 	u32 flags, supported_flags;
6794 	int err;
6795 
6796 	BT_DBG("%s", hdev->name);
6797 
6798 	if (!lmp_le_capable(hdev))
6799 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_GET_ADV_SIZE_INFO,
6800 				       MGMT_STATUS_REJECTED);
6801 
6802 	if (cp->instance < 1 || cp->instance > HCI_MAX_ADV_INSTANCES)
6803 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_GET_ADV_SIZE_INFO,
6804 				       MGMT_STATUS_INVALID_PARAMS);
6805 
6806 	flags = __le32_to_cpu(cp->flags);
6807 
6808 	/* The current implementation only supports a subset of the specified
6809 	 * flags.
6810 	 */
6811 	supported_flags = get_supported_adv_flags(hdev);
6812 	if (flags & ~supported_flags)
6813 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_GET_ADV_SIZE_INFO,
6814 				       MGMT_STATUS_INVALID_PARAMS);
6815 
6816 	rp.instance = cp->instance;
6817 	rp.flags = cp->flags;
6818 	rp.max_adv_data_len = tlv_data_max_len(hdev, flags, true);
6819 	rp.max_scan_rsp_len = tlv_data_max_len(hdev, flags, false);
6820 
6821 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_ADV_SIZE_INFO,
6822 				MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
6823 
6824 	return err;
6825 }
6826 
6827 static const struct hci_mgmt_handler mgmt_handlers[] = {
6828 	{ NULL }, /* 0x0000 (no command) */
6829 	{ read_version,            MGMT_READ_VERSION_SIZE,
6830 						HCI_MGMT_NO_HDEV |
6831 						HCI_MGMT_UNTRUSTED },
6832 	{ read_commands,           MGMT_READ_COMMANDS_SIZE,
6833 						HCI_MGMT_NO_HDEV |
6834 						HCI_MGMT_UNTRUSTED },
6835 	{ read_index_list,         MGMT_READ_INDEX_LIST_SIZE,
6836 						HCI_MGMT_NO_HDEV |
6837 						HCI_MGMT_UNTRUSTED },
6838 	{ read_controller_info,    MGMT_READ_INFO_SIZE,
6839 						HCI_MGMT_UNTRUSTED },
6840 	{ set_powered,             MGMT_SETTING_SIZE },
6841 	{ set_discoverable,        MGMT_SET_DISCOVERABLE_SIZE },
6842 	{ set_connectable,         MGMT_SETTING_SIZE },
6843 	{ set_fast_connectable,    MGMT_SETTING_SIZE },
6844 	{ set_bondable,            MGMT_SETTING_SIZE },
6845 	{ set_link_security,       MGMT_SETTING_SIZE },
6846 	{ set_ssp,                 MGMT_SETTING_SIZE },
6847 	{ set_hs,                  MGMT_SETTING_SIZE },
6848 	{ set_le,                  MGMT_SETTING_SIZE },
6849 	{ set_dev_class,           MGMT_SET_DEV_CLASS_SIZE },
6850 	{ set_local_name,          MGMT_SET_LOCAL_NAME_SIZE },
6851 	{ add_uuid,                MGMT_ADD_UUID_SIZE },
6852 	{ remove_uuid,             MGMT_REMOVE_UUID_SIZE },
6853 	{ load_link_keys,          MGMT_LOAD_LINK_KEYS_SIZE,
6854 						HCI_MGMT_VAR_LEN },
6855 	{ load_long_term_keys,     MGMT_LOAD_LONG_TERM_KEYS_SIZE,
6856 						HCI_MGMT_VAR_LEN },
6857 	{ disconnect,              MGMT_DISCONNECT_SIZE },
6858 	{ get_connections,         MGMT_GET_CONNECTIONS_SIZE },
6859 	{ pin_code_reply,          MGMT_PIN_CODE_REPLY_SIZE },
6860 	{ pin_code_neg_reply,      MGMT_PIN_CODE_NEG_REPLY_SIZE },
6861 	{ set_io_capability,       MGMT_SET_IO_CAPABILITY_SIZE },
6862 	{ pair_device,             MGMT_PAIR_DEVICE_SIZE },
6863 	{ cancel_pair_device,      MGMT_CANCEL_PAIR_DEVICE_SIZE },
6864 	{ unpair_device,           MGMT_UNPAIR_DEVICE_SIZE },
6865 	{ user_confirm_reply,      MGMT_USER_CONFIRM_REPLY_SIZE },
6866 	{ user_confirm_neg_reply,  MGMT_USER_CONFIRM_NEG_REPLY_SIZE },
6867 	{ user_passkey_reply,      MGMT_USER_PASSKEY_REPLY_SIZE },
6868 	{ user_passkey_neg_reply,  MGMT_USER_PASSKEY_NEG_REPLY_SIZE },
6869 	{ read_local_oob_data,     MGMT_READ_LOCAL_OOB_DATA_SIZE },
6870 	{ add_remote_oob_data,     MGMT_ADD_REMOTE_OOB_DATA_SIZE,
6871 						HCI_MGMT_VAR_LEN },
6872 	{ remove_remote_oob_data,  MGMT_REMOVE_REMOTE_OOB_DATA_SIZE },
6873 	{ start_discovery,         MGMT_START_DISCOVERY_SIZE },
6874 	{ stop_discovery,          MGMT_STOP_DISCOVERY_SIZE },
6875 	{ confirm_name,            MGMT_CONFIRM_NAME_SIZE },
6876 	{ block_device,            MGMT_BLOCK_DEVICE_SIZE },
6877 	{ unblock_device,          MGMT_UNBLOCK_DEVICE_SIZE },
6878 	{ set_device_id,           MGMT_SET_DEVICE_ID_SIZE },
6879 	{ set_advertising,         MGMT_SETTING_SIZE },
6880 	{ set_bredr,               MGMT_SETTING_SIZE },
6881 	{ set_static_address,      MGMT_SET_STATIC_ADDRESS_SIZE },
6882 	{ set_scan_params,         MGMT_SET_SCAN_PARAMS_SIZE },
6883 	{ set_secure_conn,         MGMT_SETTING_SIZE },
6884 	{ set_debug_keys,          MGMT_SETTING_SIZE },
6885 	{ set_privacy,             MGMT_SET_PRIVACY_SIZE },
6886 	{ load_irks,               MGMT_LOAD_IRKS_SIZE,
6887 						HCI_MGMT_VAR_LEN },
6888 	{ get_conn_info,           MGMT_GET_CONN_INFO_SIZE },
6889 	{ get_clock_info,          MGMT_GET_CLOCK_INFO_SIZE },
6890 	{ add_device,              MGMT_ADD_DEVICE_SIZE },
6891 	{ remove_device,           MGMT_REMOVE_DEVICE_SIZE },
6892 	{ load_conn_param,         MGMT_LOAD_CONN_PARAM_SIZE,
6893 						HCI_MGMT_VAR_LEN },
6894 	{ read_unconf_index_list,  MGMT_READ_UNCONF_INDEX_LIST_SIZE,
6895 						HCI_MGMT_NO_HDEV |
6896 						HCI_MGMT_UNTRUSTED },
6897 	{ read_config_info,        MGMT_READ_CONFIG_INFO_SIZE,
6898 						HCI_MGMT_UNCONFIGURED |
6899 						HCI_MGMT_UNTRUSTED },
6900 	{ set_external_config,     MGMT_SET_EXTERNAL_CONFIG_SIZE,
6901 						HCI_MGMT_UNCONFIGURED },
6902 	{ set_public_address,      MGMT_SET_PUBLIC_ADDRESS_SIZE,
6903 						HCI_MGMT_UNCONFIGURED },
6904 	{ start_service_discovery, MGMT_START_SERVICE_DISCOVERY_SIZE,
6905 						HCI_MGMT_VAR_LEN },
6906 	{ read_local_oob_ext_data, MGMT_READ_LOCAL_OOB_EXT_DATA_SIZE },
6907 	{ read_ext_index_list,     MGMT_READ_EXT_INDEX_LIST_SIZE,
6908 						HCI_MGMT_NO_HDEV |
6909 						HCI_MGMT_UNTRUSTED },
6910 	{ read_adv_features,       MGMT_READ_ADV_FEATURES_SIZE },
6911 	{ add_advertising,	   MGMT_ADD_ADVERTISING_SIZE,
6912 						HCI_MGMT_VAR_LEN },
6913 	{ remove_advertising,	   MGMT_REMOVE_ADVERTISING_SIZE },
6914 	{ get_adv_size_info,       MGMT_GET_ADV_SIZE_INFO_SIZE },
6915 	{ start_limited_discovery, MGMT_START_DISCOVERY_SIZE },
6916 	{ read_ext_controller_info,MGMT_READ_EXT_INFO_SIZE,
6917 						HCI_MGMT_UNTRUSTED },
6918 	{ set_appearance,	   MGMT_SET_APPEARANCE_SIZE },
6919 	{ get_phy_configuration,   MGMT_GET_PHY_CONFIGURATION_SIZE },
6920 	{ set_phy_configuration,   MGMT_SET_PHY_CONFIGURATION_SIZE },
6921 };
6922 
6923 void mgmt_index_added(struct hci_dev *hdev)
6924 {
6925 	struct mgmt_ev_ext_index ev;
6926 
6927 	if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
6928 		return;
6929 
6930 	switch (hdev->dev_type) {
6931 	case HCI_PRIMARY:
6932 		if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
6933 			mgmt_index_event(MGMT_EV_UNCONF_INDEX_ADDED, hdev,
6934 					 NULL, 0, HCI_MGMT_UNCONF_INDEX_EVENTS);
6935 			ev.type = 0x01;
6936 		} else {
6937 			mgmt_index_event(MGMT_EV_INDEX_ADDED, hdev, NULL, 0,
6938 					 HCI_MGMT_INDEX_EVENTS);
6939 			ev.type = 0x00;
6940 		}
6941 		break;
6942 	case HCI_AMP:
6943 		ev.type = 0x02;
6944 		break;
6945 	default:
6946 		return;
6947 	}
6948 
6949 	ev.bus = hdev->bus;
6950 
6951 	mgmt_index_event(MGMT_EV_EXT_INDEX_ADDED, hdev, &ev, sizeof(ev),
6952 			 HCI_MGMT_EXT_INDEX_EVENTS);
6953 }
6954 
6955 void mgmt_index_removed(struct hci_dev *hdev)
6956 {
6957 	struct mgmt_ev_ext_index ev;
6958 	u8 status = MGMT_STATUS_INVALID_INDEX;
6959 
6960 	if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
6961 		return;
6962 
6963 	switch (hdev->dev_type) {
6964 	case HCI_PRIMARY:
6965 		mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &status);
6966 
6967 		if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
6968 			mgmt_index_event(MGMT_EV_UNCONF_INDEX_REMOVED, hdev,
6969 					 NULL, 0, HCI_MGMT_UNCONF_INDEX_EVENTS);
6970 			ev.type = 0x01;
6971 		} else {
6972 			mgmt_index_event(MGMT_EV_INDEX_REMOVED, hdev, NULL, 0,
6973 					 HCI_MGMT_INDEX_EVENTS);
6974 			ev.type = 0x00;
6975 		}
6976 		break;
6977 	case HCI_AMP:
6978 		ev.type = 0x02;
6979 		break;
6980 	default:
6981 		return;
6982 	}
6983 
6984 	ev.bus = hdev->bus;
6985 
6986 	mgmt_index_event(MGMT_EV_EXT_INDEX_REMOVED, hdev, &ev, sizeof(ev),
6987 			 HCI_MGMT_EXT_INDEX_EVENTS);
6988 }
6989 
6990 /* This function requires the caller holds hdev->lock */
6991 static void restart_le_actions(struct hci_dev *hdev)
6992 {
6993 	struct hci_conn_params *p;
6994 
6995 	list_for_each_entry(p, &hdev->le_conn_params, list) {
6996 		/* Needed for AUTO_OFF case where might not "really"
6997 		 * have been powered off.
6998 		 */
6999 		list_del_init(&p->action);
7000 
7001 		switch (p->auto_connect) {
7002 		case HCI_AUTO_CONN_DIRECT:
7003 		case HCI_AUTO_CONN_ALWAYS:
7004 			list_add(&p->action, &hdev->pend_le_conns);
7005 			break;
7006 		case HCI_AUTO_CONN_REPORT:
7007 			list_add(&p->action, &hdev->pend_le_reports);
7008 			break;
7009 		default:
7010 			break;
7011 		}
7012 	}
7013 }
7014 
7015 void mgmt_power_on(struct hci_dev *hdev, int err)
7016 {
7017 	struct cmd_lookup match = { NULL, hdev };
7018 
7019 	BT_DBG("err %d", err);
7020 
7021 	hci_dev_lock(hdev);
7022 
7023 	if (!err) {
7024 		restart_le_actions(hdev);
7025 		hci_update_background_scan(hdev);
7026 	}
7027 
7028 	mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp, &match);
7029 
7030 	new_settings(hdev, match.sk);
7031 
7032 	if (match.sk)
7033 		sock_put(match.sk);
7034 
7035 	hci_dev_unlock(hdev);
7036 }
7037 
7038 void __mgmt_power_off(struct hci_dev *hdev)
7039 {
7040 	struct cmd_lookup match = { NULL, hdev };
7041 	u8 status, zero_cod[] = { 0, 0, 0 };
7042 
7043 	mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp, &match);
7044 
7045 	/* If the power off is because of hdev unregistration let
7046 	 * use the appropriate INVALID_INDEX status. Otherwise use
7047 	 * NOT_POWERED. We cover both scenarios here since later in
7048 	 * mgmt_index_removed() any hci_conn callbacks will have already
7049 	 * been triggered, potentially causing misleading DISCONNECTED
7050 	 * status responses.
7051 	 */
7052 	if (hci_dev_test_flag(hdev, HCI_UNREGISTER))
7053 		status = MGMT_STATUS_INVALID_INDEX;
7054 	else
7055 		status = MGMT_STATUS_NOT_POWERED;
7056 
7057 	mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &status);
7058 
7059 	if (memcmp(hdev->dev_class, zero_cod, sizeof(zero_cod)) != 0) {
7060 		mgmt_limited_event(MGMT_EV_CLASS_OF_DEV_CHANGED, hdev,
7061 				   zero_cod, sizeof(zero_cod),
7062 				   HCI_MGMT_DEV_CLASS_EVENTS, NULL);
7063 		ext_info_changed(hdev, NULL);
7064 	}
7065 
7066 	new_settings(hdev, match.sk);
7067 
7068 	if (match.sk)
7069 		sock_put(match.sk);
7070 }
7071 
7072 void mgmt_set_powered_failed(struct hci_dev *hdev, int err)
7073 {
7074 	struct mgmt_pending_cmd *cmd;
7075 	u8 status;
7076 
7077 	cmd = pending_find(MGMT_OP_SET_POWERED, hdev);
7078 	if (!cmd)
7079 		return;
7080 
7081 	if (err == -ERFKILL)
7082 		status = MGMT_STATUS_RFKILLED;
7083 	else
7084 		status = MGMT_STATUS_FAILED;
7085 
7086 	mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_POWERED, status);
7087 
7088 	mgmt_pending_remove(cmd);
7089 }
7090 
7091 void mgmt_new_link_key(struct hci_dev *hdev, struct link_key *key,
7092 		       bool persistent)
7093 {
7094 	struct mgmt_ev_new_link_key ev;
7095 
7096 	memset(&ev, 0, sizeof(ev));
7097 
7098 	ev.store_hint = persistent;
7099 	bacpy(&ev.key.addr.bdaddr, &key->bdaddr);
7100 	ev.key.addr.type = BDADDR_BREDR;
7101 	ev.key.type = key->type;
7102 	memcpy(ev.key.val, key->val, HCI_LINK_KEY_SIZE);
7103 	ev.key.pin_len = key->pin_len;
7104 
7105 	mgmt_event(MGMT_EV_NEW_LINK_KEY, hdev, &ev, sizeof(ev), NULL);
7106 }
7107 
7108 static u8 mgmt_ltk_type(struct smp_ltk *ltk)
7109 {
7110 	switch (ltk->type) {
7111 	case SMP_LTK:
7112 	case SMP_LTK_SLAVE:
7113 		if (ltk->authenticated)
7114 			return MGMT_LTK_AUTHENTICATED;
7115 		return MGMT_LTK_UNAUTHENTICATED;
7116 	case SMP_LTK_P256:
7117 		if (ltk->authenticated)
7118 			return MGMT_LTK_P256_AUTH;
7119 		return MGMT_LTK_P256_UNAUTH;
7120 	case SMP_LTK_P256_DEBUG:
7121 		return MGMT_LTK_P256_DEBUG;
7122 	}
7123 
7124 	return MGMT_LTK_UNAUTHENTICATED;
7125 }
7126 
7127 void mgmt_new_ltk(struct hci_dev *hdev, struct smp_ltk *key, bool persistent)
7128 {
7129 	struct mgmt_ev_new_long_term_key ev;
7130 
7131 	memset(&ev, 0, sizeof(ev));
7132 
7133 	/* Devices using resolvable or non-resolvable random addresses
7134 	 * without providing an identity resolving key don't require
7135 	 * to store long term keys. Their addresses will change the
7136 	 * next time around.
7137 	 *
7138 	 * Only when a remote device provides an identity address
7139 	 * make sure the long term key is stored. If the remote
7140 	 * identity is known, the long term keys are internally
7141 	 * mapped to the identity address. So allow static random
7142 	 * and public addresses here.
7143 	 */
7144 	if (key->bdaddr_type == ADDR_LE_DEV_RANDOM &&
7145 	    (key->bdaddr.b[5] & 0xc0) != 0xc0)
7146 		ev.store_hint = 0x00;
7147 	else
7148 		ev.store_hint = persistent;
7149 
7150 	bacpy(&ev.key.addr.bdaddr, &key->bdaddr);
7151 	ev.key.addr.type = link_to_bdaddr(LE_LINK, key->bdaddr_type);
7152 	ev.key.type = mgmt_ltk_type(key);
7153 	ev.key.enc_size = key->enc_size;
7154 	ev.key.ediv = key->ediv;
7155 	ev.key.rand = key->rand;
7156 
7157 	if (key->type == SMP_LTK)
7158 		ev.key.master = 1;
7159 
7160 	/* Make sure we copy only the significant bytes based on the
7161 	 * encryption key size, and set the rest of the value to zeroes.
7162 	 */
7163 	memcpy(ev.key.val, key->val, key->enc_size);
7164 	memset(ev.key.val + key->enc_size, 0,
7165 	       sizeof(ev.key.val) - key->enc_size);
7166 
7167 	mgmt_event(MGMT_EV_NEW_LONG_TERM_KEY, hdev, &ev, sizeof(ev), NULL);
7168 }
7169 
7170 void mgmt_new_irk(struct hci_dev *hdev, struct smp_irk *irk, bool persistent)
7171 {
7172 	struct mgmt_ev_new_irk ev;
7173 
7174 	memset(&ev, 0, sizeof(ev));
7175 
7176 	ev.store_hint = persistent;
7177 
7178 	bacpy(&ev.rpa, &irk->rpa);
7179 	bacpy(&ev.irk.addr.bdaddr, &irk->bdaddr);
7180 	ev.irk.addr.type = link_to_bdaddr(LE_LINK, irk->addr_type);
7181 	memcpy(ev.irk.val, irk->val, sizeof(irk->val));
7182 
7183 	mgmt_event(MGMT_EV_NEW_IRK, hdev, &ev, sizeof(ev), NULL);
7184 }
7185 
7186 void mgmt_new_csrk(struct hci_dev *hdev, struct smp_csrk *csrk,
7187 		   bool persistent)
7188 {
7189 	struct mgmt_ev_new_csrk ev;
7190 
7191 	memset(&ev, 0, sizeof(ev));
7192 
7193 	/* Devices using resolvable or non-resolvable random addresses
7194 	 * without providing an identity resolving key don't require
7195 	 * to store signature resolving keys. Their addresses will change
7196 	 * the next time around.
7197 	 *
7198 	 * Only when a remote device provides an identity address
7199 	 * make sure the signature resolving key is stored. So allow
7200 	 * static random and public addresses here.
7201 	 */
7202 	if (csrk->bdaddr_type == ADDR_LE_DEV_RANDOM &&
7203 	    (csrk->bdaddr.b[5] & 0xc0) != 0xc0)
7204 		ev.store_hint = 0x00;
7205 	else
7206 		ev.store_hint = persistent;
7207 
7208 	bacpy(&ev.key.addr.bdaddr, &csrk->bdaddr);
7209 	ev.key.addr.type = link_to_bdaddr(LE_LINK, csrk->bdaddr_type);
7210 	ev.key.type = csrk->type;
7211 	memcpy(ev.key.val, csrk->val, sizeof(csrk->val));
7212 
7213 	mgmt_event(MGMT_EV_NEW_CSRK, hdev, &ev, sizeof(ev), NULL);
7214 }
7215 
7216 void mgmt_new_conn_param(struct hci_dev *hdev, bdaddr_t *bdaddr,
7217 			 u8 bdaddr_type, u8 store_hint, u16 min_interval,
7218 			 u16 max_interval, u16 latency, u16 timeout)
7219 {
7220 	struct mgmt_ev_new_conn_param ev;
7221 
7222 	if (!hci_is_identity_address(bdaddr, bdaddr_type))
7223 		return;
7224 
7225 	memset(&ev, 0, sizeof(ev));
7226 	bacpy(&ev.addr.bdaddr, bdaddr);
7227 	ev.addr.type = link_to_bdaddr(LE_LINK, bdaddr_type);
7228 	ev.store_hint = store_hint;
7229 	ev.min_interval = cpu_to_le16(min_interval);
7230 	ev.max_interval = cpu_to_le16(max_interval);
7231 	ev.latency = cpu_to_le16(latency);
7232 	ev.timeout = cpu_to_le16(timeout);
7233 
7234 	mgmt_event(MGMT_EV_NEW_CONN_PARAM, hdev, &ev, sizeof(ev), NULL);
7235 }
7236 
7237 void mgmt_device_connected(struct hci_dev *hdev, struct hci_conn *conn,
7238 			   u32 flags, u8 *name, u8 name_len)
7239 {
7240 	char buf[512];
7241 	struct mgmt_ev_device_connected *ev = (void *) buf;
7242 	u16 eir_len = 0;
7243 
7244 	bacpy(&ev->addr.bdaddr, &conn->dst);
7245 	ev->addr.type = link_to_bdaddr(conn->type, conn->dst_type);
7246 
7247 	ev->flags = __cpu_to_le32(flags);
7248 
7249 	/* We must ensure that the EIR Data fields are ordered and
7250 	 * unique. Keep it simple for now and avoid the problem by not
7251 	 * adding any BR/EDR data to the LE adv.
7252 	 */
7253 	if (conn->le_adv_data_len > 0) {
7254 		memcpy(&ev->eir[eir_len],
7255 		       conn->le_adv_data, conn->le_adv_data_len);
7256 		eir_len = conn->le_adv_data_len;
7257 	} else {
7258 		if (name_len > 0)
7259 			eir_len = eir_append_data(ev->eir, 0, EIR_NAME_COMPLETE,
7260 						  name, name_len);
7261 
7262 		if (memcmp(conn->dev_class, "\0\0\0", 3) != 0)
7263 			eir_len = eir_append_data(ev->eir, eir_len,
7264 						  EIR_CLASS_OF_DEV,
7265 						  conn->dev_class, 3);
7266 	}
7267 
7268 	ev->eir_len = cpu_to_le16(eir_len);
7269 
7270 	mgmt_event(MGMT_EV_DEVICE_CONNECTED, hdev, buf,
7271 		    sizeof(*ev) + eir_len, NULL);
7272 }
7273 
7274 static void disconnect_rsp(struct mgmt_pending_cmd *cmd, void *data)
7275 {
7276 	struct sock **sk = data;
7277 
7278 	cmd->cmd_complete(cmd, 0);
7279 
7280 	*sk = cmd->sk;
7281 	sock_hold(*sk);
7282 
7283 	mgmt_pending_remove(cmd);
7284 }
7285 
7286 static void unpair_device_rsp(struct mgmt_pending_cmd *cmd, void *data)
7287 {
7288 	struct hci_dev *hdev = data;
7289 	struct mgmt_cp_unpair_device *cp = cmd->param;
7290 
7291 	device_unpaired(hdev, &cp->addr.bdaddr, cp->addr.type, cmd->sk);
7292 
7293 	cmd->cmd_complete(cmd, 0);
7294 	mgmt_pending_remove(cmd);
7295 }
7296 
7297 bool mgmt_powering_down(struct hci_dev *hdev)
7298 {
7299 	struct mgmt_pending_cmd *cmd;
7300 	struct mgmt_mode *cp;
7301 
7302 	cmd = pending_find(MGMT_OP_SET_POWERED, hdev);
7303 	if (!cmd)
7304 		return false;
7305 
7306 	cp = cmd->param;
7307 	if (!cp->val)
7308 		return true;
7309 
7310 	return false;
7311 }
7312 
7313 void mgmt_device_disconnected(struct hci_dev *hdev, bdaddr_t *bdaddr,
7314 			      u8 link_type, u8 addr_type, u8 reason,
7315 			      bool mgmt_connected)
7316 {
7317 	struct mgmt_ev_device_disconnected ev;
7318 	struct sock *sk = NULL;
7319 
7320 	/* The connection is still in hci_conn_hash so test for 1
7321 	 * instead of 0 to know if this is the last one.
7322 	 */
7323 	if (mgmt_powering_down(hdev) && hci_conn_count(hdev) == 1) {
7324 		cancel_delayed_work(&hdev->power_off);
7325 		queue_work(hdev->req_workqueue, &hdev->power_off.work);
7326 	}
7327 
7328 	if (!mgmt_connected)
7329 		return;
7330 
7331 	if (link_type != ACL_LINK && link_type != LE_LINK)
7332 		return;
7333 
7334 	mgmt_pending_foreach(MGMT_OP_DISCONNECT, hdev, disconnect_rsp, &sk);
7335 
7336 	bacpy(&ev.addr.bdaddr, bdaddr);
7337 	ev.addr.type = link_to_bdaddr(link_type, addr_type);
7338 	ev.reason = reason;
7339 
7340 	mgmt_event(MGMT_EV_DEVICE_DISCONNECTED, hdev, &ev, sizeof(ev), sk);
7341 
7342 	if (sk)
7343 		sock_put(sk);
7344 
7345 	mgmt_pending_foreach(MGMT_OP_UNPAIR_DEVICE, hdev, unpair_device_rsp,
7346 			     hdev);
7347 }
7348 
7349 void mgmt_disconnect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr,
7350 			    u8 link_type, u8 addr_type, u8 status)
7351 {
7352 	u8 bdaddr_type = link_to_bdaddr(link_type, addr_type);
7353 	struct mgmt_cp_disconnect *cp;
7354 	struct mgmt_pending_cmd *cmd;
7355 
7356 	mgmt_pending_foreach(MGMT_OP_UNPAIR_DEVICE, hdev, unpair_device_rsp,
7357 			     hdev);
7358 
7359 	cmd = pending_find(MGMT_OP_DISCONNECT, hdev);
7360 	if (!cmd)
7361 		return;
7362 
7363 	cp = cmd->param;
7364 
7365 	if (bacmp(bdaddr, &cp->addr.bdaddr))
7366 		return;
7367 
7368 	if (cp->addr.type != bdaddr_type)
7369 		return;
7370 
7371 	cmd->cmd_complete(cmd, mgmt_status(status));
7372 	mgmt_pending_remove(cmd);
7373 }
7374 
7375 void mgmt_connect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
7376 			 u8 addr_type, u8 status)
7377 {
7378 	struct mgmt_ev_connect_failed ev;
7379 
7380 	/* The connection is still in hci_conn_hash so test for 1
7381 	 * instead of 0 to know if this is the last one.
7382 	 */
7383 	if (mgmt_powering_down(hdev) && hci_conn_count(hdev) == 1) {
7384 		cancel_delayed_work(&hdev->power_off);
7385 		queue_work(hdev->req_workqueue, &hdev->power_off.work);
7386 	}
7387 
7388 	bacpy(&ev.addr.bdaddr, bdaddr);
7389 	ev.addr.type = link_to_bdaddr(link_type, addr_type);
7390 	ev.status = mgmt_status(status);
7391 
7392 	mgmt_event(MGMT_EV_CONNECT_FAILED, hdev, &ev, sizeof(ev), NULL);
7393 }
7394 
7395 void mgmt_pin_code_request(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 secure)
7396 {
7397 	struct mgmt_ev_pin_code_request ev;
7398 
7399 	bacpy(&ev.addr.bdaddr, bdaddr);
7400 	ev.addr.type = BDADDR_BREDR;
7401 	ev.secure = secure;
7402 
7403 	mgmt_event(MGMT_EV_PIN_CODE_REQUEST, hdev, &ev, sizeof(ev), NULL);
7404 }
7405 
7406 void mgmt_pin_code_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
7407 				  u8 status)
7408 {
7409 	struct mgmt_pending_cmd *cmd;
7410 
7411 	cmd = pending_find(MGMT_OP_PIN_CODE_REPLY, hdev);
7412 	if (!cmd)
7413 		return;
7414 
7415 	cmd->cmd_complete(cmd, mgmt_status(status));
7416 	mgmt_pending_remove(cmd);
7417 }
7418 
7419 void mgmt_pin_code_neg_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
7420 				      u8 status)
7421 {
7422 	struct mgmt_pending_cmd *cmd;
7423 
7424 	cmd = pending_find(MGMT_OP_PIN_CODE_NEG_REPLY, hdev);
7425 	if (!cmd)
7426 		return;
7427 
7428 	cmd->cmd_complete(cmd, mgmt_status(status));
7429 	mgmt_pending_remove(cmd);
7430 }
7431 
7432 int mgmt_user_confirm_request(struct hci_dev *hdev, bdaddr_t *bdaddr,
7433 			      u8 link_type, u8 addr_type, u32 value,
7434 			      u8 confirm_hint)
7435 {
7436 	struct mgmt_ev_user_confirm_request ev;
7437 
7438 	BT_DBG("%s", hdev->name);
7439 
7440 	bacpy(&ev.addr.bdaddr, bdaddr);
7441 	ev.addr.type = link_to_bdaddr(link_type, addr_type);
7442 	ev.confirm_hint = confirm_hint;
7443 	ev.value = cpu_to_le32(value);
7444 
7445 	return mgmt_event(MGMT_EV_USER_CONFIRM_REQUEST, hdev, &ev, sizeof(ev),
7446 			  NULL);
7447 }
7448 
7449 int mgmt_user_passkey_request(struct hci_dev *hdev, bdaddr_t *bdaddr,
7450 			      u8 link_type, u8 addr_type)
7451 {
7452 	struct mgmt_ev_user_passkey_request ev;
7453 
7454 	BT_DBG("%s", hdev->name);
7455 
7456 	bacpy(&ev.addr.bdaddr, bdaddr);
7457 	ev.addr.type = link_to_bdaddr(link_type, addr_type);
7458 
7459 	return mgmt_event(MGMT_EV_USER_PASSKEY_REQUEST, hdev, &ev, sizeof(ev),
7460 			  NULL);
7461 }
7462 
7463 static int user_pairing_resp_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
7464 				      u8 link_type, u8 addr_type, u8 status,
7465 				      u8 opcode)
7466 {
7467 	struct mgmt_pending_cmd *cmd;
7468 
7469 	cmd = pending_find(opcode, hdev);
7470 	if (!cmd)
7471 		return -ENOENT;
7472 
7473 	cmd->cmd_complete(cmd, mgmt_status(status));
7474 	mgmt_pending_remove(cmd);
7475 
7476 	return 0;
7477 }
7478 
7479 int mgmt_user_confirm_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
7480 				     u8 link_type, u8 addr_type, u8 status)
7481 {
7482 	return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
7483 					  status, MGMT_OP_USER_CONFIRM_REPLY);
7484 }
7485 
7486 int mgmt_user_confirm_neg_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
7487 					 u8 link_type, u8 addr_type, u8 status)
7488 {
7489 	return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
7490 					  status,
7491 					  MGMT_OP_USER_CONFIRM_NEG_REPLY);
7492 }
7493 
7494 int mgmt_user_passkey_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
7495 				     u8 link_type, u8 addr_type, u8 status)
7496 {
7497 	return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
7498 					  status, MGMT_OP_USER_PASSKEY_REPLY);
7499 }
7500 
7501 int mgmt_user_passkey_neg_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
7502 					 u8 link_type, u8 addr_type, u8 status)
7503 {
7504 	return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
7505 					  status,
7506 					  MGMT_OP_USER_PASSKEY_NEG_REPLY);
7507 }
7508 
7509 int mgmt_user_passkey_notify(struct hci_dev *hdev, bdaddr_t *bdaddr,
7510 			     u8 link_type, u8 addr_type, u32 passkey,
7511 			     u8 entered)
7512 {
7513 	struct mgmt_ev_passkey_notify ev;
7514 
7515 	BT_DBG("%s", hdev->name);
7516 
7517 	bacpy(&ev.addr.bdaddr, bdaddr);
7518 	ev.addr.type = link_to_bdaddr(link_type, addr_type);
7519 	ev.passkey = __cpu_to_le32(passkey);
7520 	ev.entered = entered;
7521 
7522 	return mgmt_event(MGMT_EV_PASSKEY_NOTIFY, hdev, &ev, sizeof(ev), NULL);
7523 }
7524 
7525 void mgmt_auth_failed(struct hci_conn *conn, u8 hci_status)
7526 {
7527 	struct mgmt_ev_auth_failed ev;
7528 	struct mgmt_pending_cmd *cmd;
7529 	u8 status = mgmt_status(hci_status);
7530 
7531 	bacpy(&ev.addr.bdaddr, &conn->dst);
7532 	ev.addr.type = link_to_bdaddr(conn->type, conn->dst_type);
7533 	ev.status = status;
7534 
7535 	cmd = find_pairing(conn);
7536 
7537 	mgmt_event(MGMT_EV_AUTH_FAILED, conn->hdev, &ev, sizeof(ev),
7538 		    cmd ? cmd->sk : NULL);
7539 
7540 	if (cmd) {
7541 		cmd->cmd_complete(cmd, status);
7542 		mgmt_pending_remove(cmd);
7543 	}
7544 }
7545 
7546 void mgmt_auth_enable_complete(struct hci_dev *hdev, u8 status)
7547 {
7548 	struct cmd_lookup match = { NULL, hdev };
7549 	bool changed;
7550 
7551 	if (status) {
7552 		u8 mgmt_err = mgmt_status(status);
7553 		mgmt_pending_foreach(MGMT_OP_SET_LINK_SECURITY, hdev,
7554 				     cmd_status_rsp, &mgmt_err);
7555 		return;
7556 	}
7557 
7558 	if (test_bit(HCI_AUTH, &hdev->flags))
7559 		changed = !hci_dev_test_and_set_flag(hdev, HCI_LINK_SECURITY);
7560 	else
7561 		changed = hci_dev_test_and_clear_flag(hdev, HCI_LINK_SECURITY);
7562 
7563 	mgmt_pending_foreach(MGMT_OP_SET_LINK_SECURITY, hdev, settings_rsp,
7564 			     &match);
7565 
7566 	if (changed)
7567 		new_settings(hdev, match.sk);
7568 
7569 	if (match.sk)
7570 		sock_put(match.sk);
7571 }
7572 
7573 static void clear_eir(struct hci_request *req)
7574 {
7575 	struct hci_dev *hdev = req->hdev;
7576 	struct hci_cp_write_eir cp;
7577 
7578 	if (!lmp_ext_inq_capable(hdev))
7579 		return;
7580 
7581 	memset(hdev->eir, 0, sizeof(hdev->eir));
7582 
7583 	memset(&cp, 0, sizeof(cp));
7584 
7585 	hci_req_add(req, HCI_OP_WRITE_EIR, sizeof(cp), &cp);
7586 }
7587 
7588 void mgmt_ssp_enable_complete(struct hci_dev *hdev, u8 enable, u8 status)
7589 {
7590 	struct cmd_lookup match = { NULL, hdev };
7591 	struct hci_request req;
7592 	bool changed = false;
7593 
7594 	if (status) {
7595 		u8 mgmt_err = mgmt_status(status);
7596 
7597 		if (enable && hci_dev_test_and_clear_flag(hdev,
7598 							  HCI_SSP_ENABLED)) {
7599 			hci_dev_clear_flag(hdev, HCI_HS_ENABLED);
7600 			new_settings(hdev, NULL);
7601 		}
7602 
7603 		mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, cmd_status_rsp,
7604 				     &mgmt_err);
7605 		return;
7606 	}
7607 
7608 	if (enable) {
7609 		changed = !hci_dev_test_and_set_flag(hdev, HCI_SSP_ENABLED);
7610 	} else {
7611 		changed = hci_dev_test_and_clear_flag(hdev, HCI_SSP_ENABLED);
7612 		if (!changed)
7613 			changed = hci_dev_test_and_clear_flag(hdev,
7614 							      HCI_HS_ENABLED);
7615 		else
7616 			hci_dev_clear_flag(hdev, HCI_HS_ENABLED);
7617 	}
7618 
7619 	mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, settings_rsp, &match);
7620 
7621 	if (changed)
7622 		new_settings(hdev, match.sk);
7623 
7624 	if (match.sk)
7625 		sock_put(match.sk);
7626 
7627 	hci_req_init(&req, hdev);
7628 
7629 	if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
7630 		if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS))
7631 			hci_req_add(&req, HCI_OP_WRITE_SSP_DEBUG_MODE,
7632 				    sizeof(enable), &enable);
7633 		__hci_req_update_eir(&req);
7634 	} else {
7635 		clear_eir(&req);
7636 	}
7637 
7638 	hci_req_run(&req, NULL);
7639 }
7640 
7641 static void sk_lookup(struct mgmt_pending_cmd *cmd, void *data)
7642 {
7643 	struct cmd_lookup *match = data;
7644 
7645 	if (match->sk == NULL) {
7646 		match->sk = cmd->sk;
7647 		sock_hold(match->sk);
7648 	}
7649 }
7650 
7651 void mgmt_set_class_of_dev_complete(struct hci_dev *hdev, u8 *dev_class,
7652 				    u8 status)
7653 {
7654 	struct cmd_lookup match = { NULL, hdev, mgmt_status(status) };
7655 
7656 	mgmt_pending_foreach(MGMT_OP_SET_DEV_CLASS, hdev, sk_lookup, &match);
7657 	mgmt_pending_foreach(MGMT_OP_ADD_UUID, hdev, sk_lookup, &match);
7658 	mgmt_pending_foreach(MGMT_OP_REMOVE_UUID, hdev, sk_lookup, &match);
7659 
7660 	if (!status) {
7661 		mgmt_limited_event(MGMT_EV_CLASS_OF_DEV_CHANGED, hdev, dev_class,
7662 				   3, HCI_MGMT_DEV_CLASS_EVENTS, NULL);
7663 		ext_info_changed(hdev, NULL);
7664 	}
7665 
7666 	if (match.sk)
7667 		sock_put(match.sk);
7668 }
7669 
7670 void mgmt_set_local_name_complete(struct hci_dev *hdev, u8 *name, u8 status)
7671 {
7672 	struct mgmt_cp_set_local_name ev;
7673 	struct mgmt_pending_cmd *cmd;
7674 
7675 	if (status)
7676 		return;
7677 
7678 	memset(&ev, 0, sizeof(ev));
7679 	memcpy(ev.name, name, HCI_MAX_NAME_LENGTH);
7680 	memcpy(ev.short_name, hdev->short_name, HCI_MAX_SHORT_NAME_LENGTH);
7681 
7682 	cmd = pending_find(MGMT_OP_SET_LOCAL_NAME, hdev);
7683 	if (!cmd) {
7684 		memcpy(hdev->dev_name, name, sizeof(hdev->dev_name));
7685 
7686 		/* If this is a HCI command related to powering on the
7687 		 * HCI dev don't send any mgmt signals.
7688 		 */
7689 		if (pending_find(MGMT_OP_SET_POWERED, hdev))
7690 			return;
7691 	}
7692 
7693 	mgmt_limited_event(MGMT_EV_LOCAL_NAME_CHANGED, hdev, &ev, sizeof(ev),
7694 			   HCI_MGMT_LOCAL_NAME_EVENTS, cmd ? cmd->sk : NULL);
7695 	ext_info_changed(hdev, cmd ? cmd->sk : NULL);
7696 }
7697 
7698 static inline bool has_uuid(u8 *uuid, u16 uuid_count, u8 (*uuids)[16])
7699 {
7700 	int i;
7701 
7702 	for (i = 0; i < uuid_count; i++) {
7703 		if (!memcmp(uuid, uuids[i], 16))
7704 			return true;
7705 	}
7706 
7707 	return false;
7708 }
7709 
7710 static bool eir_has_uuids(u8 *eir, u16 eir_len, u16 uuid_count, u8 (*uuids)[16])
7711 {
7712 	u16 parsed = 0;
7713 
7714 	while (parsed < eir_len) {
7715 		u8 field_len = eir[0];
7716 		u8 uuid[16];
7717 		int i;
7718 
7719 		if (field_len == 0)
7720 			break;
7721 
7722 		if (eir_len - parsed < field_len + 1)
7723 			break;
7724 
7725 		switch (eir[1]) {
7726 		case EIR_UUID16_ALL:
7727 		case EIR_UUID16_SOME:
7728 			for (i = 0; i + 3 <= field_len; i += 2) {
7729 				memcpy(uuid, bluetooth_base_uuid, 16);
7730 				uuid[13] = eir[i + 3];
7731 				uuid[12] = eir[i + 2];
7732 				if (has_uuid(uuid, uuid_count, uuids))
7733 					return true;
7734 			}
7735 			break;
7736 		case EIR_UUID32_ALL:
7737 		case EIR_UUID32_SOME:
7738 			for (i = 0; i + 5 <= field_len; i += 4) {
7739 				memcpy(uuid, bluetooth_base_uuid, 16);
7740 				uuid[15] = eir[i + 5];
7741 				uuid[14] = eir[i + 4];
7742 				uuid[13] = eir[i + 3];
7743 				uuid[12] = eir[i + 2];
7744 				if (has_uuid(uuid, uuid_count, uuids))
7745 					return true;
7746 			}
7747 			break;
7748 		case EIR_UUID128_ALL:
7749 		case EIR_UUID128_SOME:
7750 			for (i = 0; i + 17 <= field_len; i += 16) {
7751 				memcpy(uuid, eir + i + 2, 16);
7752 				if (has_uuid(uuid, uuid_count, uuids))
7753 					return true;
7754 			}
7755 			break;
7756 		}
7757 
7758 		parsed += field_len + 1;
7759 		eir += field_len + 1;
7760 	}
7761 
7762 	return false;
7763 }
7764 
7765 static void restart_le_scan(struct hci_dev *hdev)
7766 {
7767 	/* If controller is not scanning we are done. */
7768 	if (!hci_dev_test_flag(hdev, HCI_LE_SCAN))
7769 		return;
7770 
7771 	if (time_after(jiffies + DISCOV_LE_RESTART_DELAY,
7772 		       hdev->discovery.scan_start +
7773 		       hdev->discovery.scan_duration))
7774 		return;
7775 
7776 	queue_delayed_work(hdev->req_workqueue, &hdev->le_scan_restart,
7777 			   DISCOV_LE_RESTART_DELAY);
7778 }
7779 
7780 static bool is_filter_match(struct hci_dev *hdev, s8 rssi, u8 *eir,
7781 			    u16 eir_len, u8 *scan_rsp, u8 scan_rsp_len)
7782 {
7783 	/* If a RSSI threshold has been specified, and
7784 	 * HCI_QUIRK_STRICT_DUPLICATE_FILTER is not set, then all results with
7785 	 * a RSSI smaller than the RSSI threshold will be dropped. If the quirk
7786 	 * is set, let it through for further processing, as we might need to
7787 	 * restart the scan.
7788 	 *
7789 	 * For BR/EDR devices (pre 1.2) providing no RSSI during inquiry,
7790 	 * the results are also dropped.
7791 	 */
7792 	if (hdev->discovery.rssi != HCI_RSSI_INVALID &&
7793 	    (rssi == HCI_RSSI_INVALID ||
7794 	    (rssi < hdev->discovery.rssi &&
7795 	     !test_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks))))
7796 		return  false;
7797 
7798 	if (hdev->discovery.uuid_count != 0) {
7799 		/* If a list of UUIDs is provided in filter, results with no
7800 		 * matching UUID should be dropped.
7801 		 */
7802 		if (!eir_has_uuids(eir, eir_len, hdev->discovery.uuid_count,
7803 				   hdev->discovery.uuids) &&
7804 		    !eir_has_uuids(scan_rsp, scan_rsp_len,
7805 				   hdev->discovery.uuid_count,
7806 				   hdev->discovery.uuids))
7807 			return false;
7808 	}
7809 
7810 	/* If duplicate filtering does not report RSSI changes, then restart
7811 	 * scanning to ensure updated result with updated RSSI values.
7812 	 */
7813 	if (test_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks)) {
7814 		restart_le_scan(hdev);
7815 
7816 		/* Validate RSSI value against the RSSI threshold once more. */
7817 		if (hdev->discovery.rssi != HCI_RSSI_INVALID &&
7818 		    rssi < hdev->discovery.rssi)
7819 			return false;
7820 	}
7821 
7822 	return true;
7823 }
7824 
7825 void mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
7826 		       u8 addr_type, u8 *dev_class, s8 rssi, u32 flags,
7827 		       u8 *eir, u16 eir_len, u8 *scan_rsp, u8 scan_rsp_len)
7828 {
7829 	char buf[512];
7830 	struct mgmt_ev_device_found *ev = (void *)buf;
7831 	size_t ev_size;
7832 
7833 	/* Don't send events for a non-kernel initiated discovery. With
7834 	 * LE one exception is if we have pend_le_reports > 0 in which
7835 	 * case we're doing passive scanning and want these events.
7836 	 */
7837 	if (!hci_discovery_active(hdev)) {
7838 		if (link_type == ACL_LINK)
7839 			return;
7840 		if (link_type == LE_LINK && list_empty(&hdev->pend_le_reports))
7841 			return;
7842 	}
7843 
7844 	if (hdev->discovery.result_filtering) {
7845 		/* We are using service discovery */
7846 		if (!is_filter_match(hdev, rssi, eir, eir_len, scan_rsp,
7847 				     scan_rsp_len))
7848 			return;
7849 	}
7850 
7851 	if (hdev->discovery.limited) {
7852 		/* Check for limited discoverable bit */
7853 		if (dev_class) {
7854 			if (!(dev_class[1] & 0x20))
7855 				return;
7856 		} else {
7857 			u8 *flags = eir_get_data(eir, eir_len, EIR_FLAGS, NULL);
7858 			if (!flags || !(flags[0] & LE_AD_LIMITED))
7859 				return;
7860 		}
7861 	}
7862 
7863 	/* Make sure that the buffer is big enough. The 5 extra bytes
7864 	 * are for the potential CoD field.
7865 	 */
7866 	if (sizeof(*ev) + eir_len + scan_rsp_len + 5 > sizeof(buf))
7867 		return;
7868 
7869 	memset(buf, 0, sizeof(buf));
7870 
7871 	/* In case of device discovery with BR/EDR devices (pre 1.2), the
7872 	 * RSSI value was reported as 0 when not available. This behavior
7873 	 * is kept when using device discovery. This is required for full
7874 	 * backwards compatibility with the API.
7875 	 *
7876 	 * However when using service discovery, the value 127 will be
7877 	 * returned when the RSSI is not available.
7878 	 */
7879 	if (rssi == HCI_RSSI_INVALID && !hdev->discovery.report_invalid_rssi &&
7880 	    link_type == ACL_LINK)
7881 		rssi = 0;
7882 
7883 	bacpy(&ev->addr.bdaddr, bdaddr);
7884 	ev->addr.type = link_to_bdaddr(link_type, addr_type);
7885 	ev->rssi = rssi;
7886 	ev->flags = cpu_to_le32(flags);
7887 
7888 	if (eir_len > 0)
7889 		/* Copy EIR or advertising data into event */
7890 		memcpy(ev->eir, eir, eir_len);
7891 
7892 	if (dev_class && !eir_get_data(ev->eir, eir_len, EIR_CLASS_OF_DEV,
7893 				       NULL))
7894 		eir_len = eir_append_data(ev->eir, eir_len, EIR_CLASS_OF_DEV,
7895 					  dev_class, 3);
7896 
7897 	if (scan_rsp_len > 0)
7898 		/* Append scan response data to event */
7899 		memcpy(ev->eir + eir_len, scan_rsp, scan_rsp_len);
7900 
7901 	ev->eir_len = cpu_to_le16(eir_len + scan_rsp_len);
7902 	ev_size = sizeof(*ev) + eir_len + scan_rsp_len;
7903 
7904 	mgmt_event(MGMT_EV_DEVICE_FOUND, hdev, ev, ev_size, NULL);
7905 }
7906 
7907 void mgmt_remote_name(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
7908 		      u8 addr_type, s8 rssi, u8 *name, u8 name_len)
7909 {
7910 	struct mgmt_ev_device_found *ev;
7911 	char buf[sizeof(*ev) + HCI_MAX_NAME_LENGTH + 2];
7912 	u16 eir_len;
7913 
7914 	ev = (struct mgmt_ev_device_found *) buf;
7915 
7916 	memset(buf, 0, sizeof(buf));
7917 
7918 	bacpy(&ev->addr.bdaddr, bdaddr);
7919 	ev->addr.type = link_to_bdaddr(link_type, addr_type);
7920 	ev->rssi = rssi;
7921 
7922 	eir_len = eir_append_data(ev->eir, 0, EIR_NAME_COMPLETE, name,
7923 				  name_len);
7924 
7925 	ev->eir_len = cpu_to_le16(eir_len);
7926 
7927 	mgmt_event(MGMT_EV_DEVICE_FOUND, hdev, ev, sizeof(*ev) + eir_len, NULL);
7928 }
7929 
7930 void mgmt_discovering(struct hci_dev *hdev, u8 discovering)
7931 {
7932 	struct mgmt_ev_discovering ev;
7933 
7934 	BT_DBG("%s discovering %u", hdev->name, discovering);
7935 
7936 	memset(&ev, 0, sizeof(ev));
7937 	ev.type = hdev->discovery.type;
7938 	ev.discovering = discovering;
7939 
7940 	mgmt_event(MGMT_EV_DISCOVERING, hdev, &ev, sizeof(ev), NULL);
7941 }
7942 
7943 static struct hci_mgmt_chan chan = {
7944 	.channel	= HCI_CHANNEL_CONTROL,
7945 	.handler_count	= ARRAY_SIZE(mgmt_handlers),
7946 	.handlers	= mgmt_handlers,
7947 	.hdev_init	= mgmt_init_hdev,
7948 };
7949 
7950 int mgmt_init(void)
7951 {
7952 	return hci_mgmt_chan_register(&chan);
7953 }
7954 
7955 void mgmt_exit(void)
7956 {
7957 	hci_mgmt_chan_unregister(&chan);
7958 }
7959