xref: /openbmc/linux/net/bluetooth/mgmt.c (revision 51ad5b54)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3 
4    Copyright (C) 2010  Nokia Corporation
5    Copyright (C) 2011-2012 Intel Corporation
6 
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License version 2 as
9    published by the Free Software Foundation;
10 
11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 
20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22    SOFTWARE IS DISCLAIMED.
23 */
24 
25 /* Bluetooth HCI Management interface */
26 
27 #include <linux/module.h>
28 #include <asm/unaligned.h>
29 
30 #include <net/bluetooth/bluetooth.h>
31 #include <net/bluetooth/hci_core.h>
32 #include <net/bluetooth/hci_sock.h>
33 #include <net/bluetooth/l2cap.h>
34 #include <net/bluetooth/mgmt.h>
35 
36 #include "hci_request.h"
37 #include "smp.h"
38 #include "mgmt_util.h"
39 
40 #define MGMT_VERSION	1
41 #define MGMT_REVISION	17
42 
43 static const u16 mgmt_commands[] = {
44 	MGMT_OP_READ_INDEX_LIST,
45 	MGMT_OP_READ_INFO,
46 	MGMT_OP_SET_POWERED,
47 	MGMT_OP_SET_DISCOVERABLE,
48 	MGMT_OP_SET_CONNECTABLE,
49 	MGMT_OP_SET_FAST_CONNECTABLE,
50 	MGMT_OP_SET_BONDABLE,
51 	MGMT_OP_SET_LINK_SECURITY,
52 	MGMT_OP_SET_SSP,
53 	MGMT_OP_SET_HS,
54 	MGMT_OP_SET_LE,
55 	MGMT_OP_SET_DEV_CLASS,
56 	MGMT_OP_SET_LOCAL_NAME,
57 	MGMT_OP_ADD_UUID,
58 	MGMT_OP_REMOVE_UUID,
59 	MGMT_OP_LOAD_LINK_KEYS,
60 	MGMT_OP_LOAD_LONG_TERM_KEYS,
61 	MGMT_OP_DISCONNECT,
62 	MGMT_OP_GET_CONNECTIONS,
63 	MGMT_OP_PIN_CODE_REPLY,
64 	MGMT_OP_PIN_CODE_NEG_REPLY,
65 	MGMT_OP_SET_IO_CAPABILITY,
66 	MGMT_OP_PAIR_DEVICE,
67 	MGMT_OP_CANCEL_PAIR_DEVICE,
68 	MGMT_OP_UNPAIR_DEVICE,
69 	MGMT_OP_USER_CONFIRM_REPLY,
70 	MGMT_OP_USER_CONFIRM_NEG_REPLY,
71 	MGMT_OP_USER_PASSKEY_REPLY,
72 	MGMT_OP_USER_PASSKEY_NEG_REPLY,
73 	MGMT_OP_READ_LOCAL_OOB_DATA,
74 	MGMT_OP_ADD_REMOTE_OOB_DATA,
75 	MGMT_OP_REMOVE_REMOTE_OOB_DATA,
76 	MGMT_OP_START_DISCOVERY,
77 	MGMT_OP_STOP_DISCOVERY,
78 	MGMT_OP_CONFIRM_NAME,
79 	MGMT_OP_BLOCK_DEVICE,
80 	MGMT_OP_UNBLOCK_DEVICE,
81 	MGMT_OP_SET_DEVICE_ID,
82 	MGMT_OP_SET_ADVERTISING,
83 	MGMT_OP_SET_BREDR,
84 	MGMT_OP_SET_STATIC_ADDRESS,
85 	MGMT_OP_SET_SCAN_PARAMS,
86 	MGMT_OP_SET_SECURE_CONN,
87 	MGMT_OP_SET_DEBUG_KEYS,
88 	MGMT_OP_SET_PRIVACY,
89 	MGMT_OP_LOAD_IRKS,
90 	MGMT_OP_GET_CONN_INFO,
91 	MGMT_OP_GET_CLOCK_INFO,
92 	MGMT_OP_ADD_DEVICE,
93 	MGMT_OP_REMOVE_DEVICE,
94 	MGMT_OP_LOAD_CONN_PARAM,
95 	MGMT_OP_READ_UNCONF_INDEX_LIST,
96 	MGMT_OP_READ_CONFIG_INFO,
97 	MGMT_OP_SET_EXTERNAL_CONFIG,
98 	MGMT_OP_SET_PUBLIC_ADDRESS,
99 	MGMT_OP_START_SERVICE_DISCOVERY,
100 	MGMT_OP_READ_LOCAL_OOB_EXT_DATA,
101 	MGMT_OP_READ_EXT_INDEX_LIST,
102 	MGMT_OP_READ_ADV_FEATURES,
103 	MGMT_OP_ADD_ADVERTISING,
104 	MGMT_OP_REMOVE_ADVERTISING,
105 	MGMT_OP_GET_ADV_SIZE_INFO,
106 	MGMT_OP_START_LIMITED_DISCOVERY,
107 	MGMT_OP_READ_EXT_INFO,
108 	MGMT_OP_SET_APPEARANCE,
109 	MGMT_OP_SET_BLOCKED_KEYS,
110 	MGMT_OP_SET_WIDEBAND_SPEECH,
111 	MGMT_OP_READ_SECURITY_INFO,
112 	MGMT_OP_READ_EXP_FEATURES_INFO,
113 	MGMT_OP_SET_EXP_FEATURE,
114 };
115 
116 static const u16 mgmt_events[] = {
117 	MGMT_EV_CONTROLLER_ERROR,
118 	MGMT_EV_INDEX_ADDED,
119 	MGMT_EV_INDEX_REMOVED,
120 	MGMT_EV_NEW_SETTINGS,
121 	MGMT_EV_CLASS_OF_DEV_CHANGED,
122 	MGMT_EV_LOCAL_NAME_CHANGED,
123 	MGMT_EV_NEW_LINK_KEY,
124 	MGMT_EV_NEW_LONG_TERM_KEY,
125 	MGMT_EV_DEVICE_CONNECTED,
126 	MGMT_EV_DEVICE_DISCONNECTED,
127 	MGMT_EV_CONNECT_FAILED,
128 	MGMT_EV_PIN_CODE_REQUEST,
129 	MGMT_EV_USER_CONFIRM_REQUEST,
130 	MGMT_EV_USER_PASSKEY_REQUEST,
131 	MGMT_EV_AUTH_FAILED,
132 	MGMT_EV_DEVICE_FOUND,
133 	MGMT_EV_DISCOVERING,
134 	MGMT_EV_DEVICE_BLOCKED,
135 	MGMT_EV_DEVICE_UNBLOCKED,
136 	MGMT_EV_DEVICE_UNPAIRED,
137 	MGMT_EV_PASSKEY_NOTIFY,
138 	MGMT_EV_NEW_IRK,
139 	MGMT_EV_NEW_CSRK,
140 	MGMT_EV_DEVICE_ADDED,
141 	MGMT_EV_DEVICE_REMOVED,
142 	MGMT_EV_NEW_CONN_PARAM,
143 	MGMT_EV_UNCONF_INDEX_ADDED,
144 	MGMT_EV_UNCONF_INDEX_REMOVED,
145 	MGMT_EV_NEW_CONFIG_OPTIONS,
146 	MGMT_EV_EXT_INDEX_ADDED,
147 	MGMT_EV_EXT_INDEX_REMOVED,
148 	MGMT_EV_LOCAL_OOB_DATA_UPDATED,
149 	MGMT_EV_ADVERTISING_ADDED,
150 	MGMT_EV_ADVERTISING_REMOVED,
151 	MGMT_EV_EXT_INFO_CHANGED,
152 	MGMT_EV_PHY_CONFIGURATION_CHANGED,
153 	MGMT_EV_EXP_FEATURE_CHANGED,
154 };
155 
156 static const u16 mgmt_untrusted_commands[] = {
157 	MGMT_OP_READ_INDEX_LIST,
158 	MGMT_OP_READ_INFO,
159 	MGMT_OP_READ_UNCONF_INDEX_LIST,
160 	MGMT_OP_READ_CONFIG_INFO,
161 	MGMT_OP_READ_EXT_INDEX_LIST,
162 	MGMT_OP_READ_EXT_INFO,
163 	MGMT_OP_READ_SECURITY_INFO,
164 	MGMT_OP_READ_EXP_FEATURES_INFO,
165 };
166 
167 static const u16 mgmt_untrusted_events[] = {
168 	MGMT_EV_INDEX_ADDED,
169 	MGMT_EV_INDEX_REMOVED,
170 	MGMT_EV_NEW_SETTINGS,
171 	MGMT_EV_CLASS_OF_DEV_CHANGED,
172 	MGMT_EV_LOCAL_NAME_CHANGED,
173 	MGMT_EV_UNCONF_INDEX_ADDED,
174 	MGMT_EV_UNCONF_INDEX_REMOVED,
175 	MGMT_EV_NEW_CONFIG_OPTIONS,
176 	MGMT_EV_EXT_INDEX_ADDED,
177 	MGMT_EV_EXT_INDEX_REMOVED,
178 	MGMT_EV_EXT_INFO_CHANGED,
179 	MGMT_EV_EXP_FEATURE_CHANGED,
180 };
181 
182 #define CACHE_TIMEOUT	msecs_to_jiffies(2 * 1000)
183 
184 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
185 		 "\x00\x00\x00\x00\x00\x00\x00\x00"
186 
187 /* HCI to MGMT error code conversion table */
188 static const u8 mgmt_status_table[] = {
189 	MGMT_STATUS_SUCCESS,
190 	MGMT_STATUS_UNKNOWN_COMMAND,	/* Unknown Command */
191 	MGMT_STATUS_NOT_CONNECTED,	/* No Connection */
192 	MGMT_STATUS_FAILED,		/* Hardware Failure */
193 	MGMT_STATUS_CONNECT_FAILED,	/* Page Timeout */
194 	MGMT_STATUS_AUTH_FAILED,	/* Authentication Failed */
195 	MGMT_STATUS_AUTH_FAILED,	/* PIN or Key Missing */
196 	MGMT_STATUS_NO_RESOURCES,	/* Memory Full */
197 	MGMT_STATUS_TIMEOUT,		/* Connection Timeout */
198 	MGMT_STATUS_NO_RESOURCES,	/* Max Number of Connections */
199 	MGMT_STATUS_NO_RESOURCES,	/* Max Number of SCO Connections */
200 	MGMT_STATUS_ALREADY_CONNECTED,	/* ACL Connection Exists */
201 	MGMT_STATUS_BUSY,		/* Command Disallowed */
202 	MGMT_STATUS_NO_RESOURCES,	/* Rejected Limited Resources */
203 	MGMT_STATUS_REJECTED,		/* Rejected Security */
204 	MGMT_STATUS_REJECTED,		/* Rejected Personal */
205 	MGMT_STATUS_TIMEOUT,		/* Host Timeout */
206 	MGMT_STATUS_NOT_SUPPORTED,	/* Unsupported Feature */
207 	MGMT_STATUS_INVALID_PARAMS,	/* Invalid Parameters */
208 	MGMT_STATUS_DISCONNECTED,	/* OE User Ended Connection */
209 	MGMT_STATUS_NO_RESOURCES,	/* OE Low Resources */
210 	MGMT_STATUS_DISCONNECTED,	/* OE Power Off */
211 	MGMT_STATUS_DISCONNECTED,	/* Connection Terminated */
212 	MGMT_STATUS_BUSY,		/* Repeated Attempts */
213 	MGMT_STATUS_REJECTED,		/* Pairing Not Allowed */
214 	MGMT_STATUS_FAILED,		/* Unknown LMP PDU */
215 	MGMT_STATUS_NOT_SUPPORTED,	/* Unsupported Remote Feature */
216 	MGMT_STATUS_REJECTED,		/* SCO Offset Rejected */
217 	MGMT_STATUS_REJECTED,		/* SCO Interval Rejected */
218 	MGMT_STATUS_REJECTED,		/* Air Mode Rejected */
219 	MGMT_STATUS_INVALID_PARAMS,	/* Invalid LMP Parameters */
220 	MGMT_STATUS_FAILED,		/* Unspecified Error */
221 	MGMT_STATUS_NOT_SUPPORTED,	/* Unsupported LMP Parameter Value */
222 	MGMT_STATUS_FAILED,		/* Role Change Not Allowed */
223 	MGMT_STATUS_TIMEOUT,		/* LMP Response Timeout */
224 	MGMT_STATUS_FAILED,		/* LMP Error Transaction Collision */
225 	MGMT_STATUS_FAILED,		/* LMP PDU Not Allowed */
226 	MGMT_STATUS_REJECTED,		/* Encryption Mode Not Accepted */
227 	MGMT_STATUS_FAILED,		/* Unit Link Key Used */
228 	MGMT_STATUS_NOT_SUPPORTED,	/* QoS Not Supported */
229 	MGMT_STATUS_TIMEOUT,		/* Instant Passed */
230 	MGMT_STATUS_NOT_SUPPORTED,	/* Pairing Not Supported */
231 	MGMT_STATUS_FAILED,		/* Transaction Collision */
232 	MGMT_STATUS_INVALID_PARAMS,	/* Unacceptable Parameter */
233 	MGMT_STATUS_REJECTED,		/* QoS Rejected */
234 	MGMT_STATUS_NOT_SUPPORTED,	/* Classification Not Supported */
235 	MGMT_STATUS_REJECTED,		/* Insufficient Security */
236 	MGMT_STATUS_INVALID_PARAMS,	/* Parameter Out Of Range */
237 	MGMT_STATUS_BUSY,		/* Role Switch Pending */
238 	MGMT_STATUS_FAILED,		/* Slot Violation */
239 	MGMT_STATUS_FAILED,		/* Role Switch Failed */
240 	MGMT_STATUS_INVALID_PARAMS,	/* EIR Too Large */
241 	MGMT_STATUS_NOT_SUPPORTED,	/* Simple Pairing Not Supported */
242 	MGMT_STATUS_BUSY,		/* Host Busy Pairing */
243 	MGMT_STATUS_REJECTED,		/* Rejected, No Suitable Channel */
244 	MGMT_STATUS_BUSY,		/* Controller Busy */
245 	MGMT_STATUS_INVALID_PARAMS,	/* Unsuitable Connection Interval */
246 	MGMT_STATUS_TIMEOUT,		/* Directed Advertising Timeout */
247 	MGMT_STATUS_AUTH_FAILED,	/* Terminated Due to MIC Failure */
248 	MGMT_STATUS_CONNECT_FAILED,	/* Connection Establishment Failed */
249 	MGMT_STATUS_CONNECT_FAILED,	/* MAC Connection Failed */
250 };
251 
252 static u8 mgmt_status(u8 hci_status)
253 {
254 	if (hci_status < ARRAY_SIZE(mgmt_status_table))
255 		return mgmt_status_table[hci_status];
256 
257 	return MGMT_STATUS_FAILED;
258 }
259 
260 static int mgmt_index_event(u16 event, struct hci_dev *hdev, void *data,
261 			    u16 len, int flag)
262 {
263 	return mgmt_send_event(event, hdev, HCI_CHANNEL_CONTROL, data, len,
264 			       flag, NULL);
265 }
266 
267 static int mgmt_limited_event(u16 event, struct hci_dev *hdev, void *data,
268 			      u16 len, int flag, struct sock *skip_sk)
269 {
270 	return mgmt_send_event(event, hdev, HCI_CHANNEL_CONTROL, data, len,
271 			       flag, skip_sk);
272 }
273 
274 static int mgmt_event(u16 event, struct hci_dev *hdev, void *data, u16 len,
275 		      struct sock *skip_sk)
276 {
277 	return mgmt_send_event(event, hdev, HCI_CHANNEL_CONTROL, data, len,
278 			       HCI_SOCK_TRUSTED, skip_sk);
279 }
280 
281 static u8 le_addr_type(u8 mgmt_addr_type)
282 {
283 	if (mgmt_addr_type == BDADDR_LE_PUBLIC)
284 		return ADDR_LE_DEV_PUBLIC;
285 	else
286 		return ADDR_LE_DEV_RANDOM;
287 }
288 
289 void mgmt_fill_version_info(void *ver)
290 {
291 	struct mgmt_rp_read_version *rp = ver;
292 
293 	rp->version = MGMT_VERSION;
294 	rp->revision = cpu_to_le16(MGMT_REVISION);
295 }
296 
297 static int read_version(struct sock *sk, struct hci_dev *hdev, void *data,
298 			u16 data_len)
299 {
300 	struct mgmt_rp_read_version rp;
301 
302 	bt_dev_dbg(hdev, "sock %p", sk);
303 
304 	mgmt_fill_version_info(&rp);
305 
306 	return mgmt_cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_VERSION, 0,
307 				 &rp, sizeof(rp));
308 }
309 
310 static int read_commands(struct sock *sk, struct hci_dev *hdev, void *data,
311 			 u16 data_len)
312 {
313 	struct mgmt_rp_read_commands *rp;
314 	u16 num_commands, num_events;
315 	size_t rp_size;
316 	int i, err;
317 
318 	bt_dev_dbg(hdev, "sock %p", sk);
319 
320 	if (hci_sock_test_flag(sk, HCI_SOCK_TRUSTED)) {
321 		num_commands = ARRAY_SIZE(mgmt_commands);
322 		num_events = ARRAY_SIZE(mgmt_events);
323 	} else {
324 		num_commands = ARRAY_SIZE(mgmt_untrusted_commands);
325 		num_events = ARRAY_SIZE(mgmt_untrusted_events);
326 	}
327 
328 	rp_size = sizeof(*rp) + ((num_commands + num_events) * sizeof(u16));
329 
330 	rp = kmalloc(rp_size, GFP_KERNEL);
331 	if (!rp)
332 		return -ENOMEM;
333 
334 	rp->num_commands = cpu_to_le16(num_commands);
335 	rp->num_events = cpu_to_le16(num_events);
336 
337 	if (hci_sock_test_flag(sk, HCI_SOCK_TRUSTED)) {
338 		__le16 *opcode = rp->opcodes;
339 
340 		for (i = 0; i < num_commands; i++, opcode++)
341 			put_unaligned_le16(mgmt_commands[i], opcode);
342 
343 		for (i = 0; i < num_events; i++, opcode++)
344 			put_unaligned_le16(mgmt_events[i], opcode);
345 	} else {
346 		__le16 *opcode = rp->opcodes;
347 
348 		for (i = 0; i < num_commands; i++, opcode++)
349 			put_unaligned_le16(mgmt_untrusted_commands[i], opcode);
350 
351 		for (i = 0; i < num_events; i++, opcode++)
352 			put_unaligned_le16(mgmt_untrusted_events[i], opcode);
353 	}
354 
355 	err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_COMMANDS, 0,
356 				rp, rp_size);
357 	kfree(rp);
358 
359 	return err;
360 }
361 
362 static int read_index_list(struct sock *sk, struct hci_dev *hdev, void *data,
363 			   u16 data_len)
364 {
365 	struct mgmt_rp_read_index_list *rp;
366 	struct hci_dev *d;
367 	size_t rp_len;
368 	u16 count;
369 	int err;
370 
371 	bt_dev_dbg(hdev, "sock %p", sk);
372 
373 	read_lock(&hci_dev_list_lock);
374 
375 	count = 0;
376 	list_for_each_entry(d, &hci_dev_list, list) {
377 		if (d->dev_type == HCI_PRIMARY &&
378 		    !hci_dev_test_flag(d, HCI_UNCONFIGURED))
379 			count++;
380 	}
381 
382 	rp_len = sizeof(*rp) + (2 * count);
383 	rp = kmalloc(rp_len, GFP_ATOMIC);
384 	if (!rp) {
385 		read_unlock(&hci_dev_list_lock);
386 		return -ENOMEM;
387 	}
388 
389 	count = 0;
390 	list_for_each_entry(d, &hci_dev_list, list) {
391 		if (hci_dev_test_flag(d, HCI_SETUP) ||
392 		    hci_dev_test_flag(d, HCI_CONFIG) ||
393 		    hci_dev_test_flag(d, HCI_USER_CHANNEL))
394 			continue;
395 
396 		/* Devices marked as raw-only are neither configured
397 		 * nor unconfigured controllers.
398 		 */
399 		if (test_bit(HCI_QUIRK_RAW_DEVICE, &d->quirks))
400 			continue;
401 
402 		if (d->dev_type == HCI_PRIMARY &&
403 		    !hci_dev_test_flag(d, HCI_UNCONFIGURED)) {
404 			rp->index[count++] = cpu_to_le16(d->id);
405 			bt_dev_dbg(hdev, "Added hci%u", d->id);
406 		}
407 	}
408 
409 	rp->num_controllers = cpu_to_le16(count);
410 	rp_len = sizeof(*rp) + (2 * count);
411 
412 	read_unlock(&hci_dev_list_lock);
413 
414 	err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_INDEX_LIST,
415 				0, rp, rp_len);
416 
417 	kfree(rp);
418 
419 	return err;
420 }
421 
422 static int read_unconf_index_list(struct sock *sk, struct hci_dev *hdev,
423 				  void *data, u16 data_len)
424 {
425 	struct mgmt_rp_read_unconf_index_list *rp;
426 	struct hci_dev *d;
427 	size_t rp_len;
428 	u16 count;
429 	int err;
430 
431 	bt_dev_dbg(hdev, "sock %p", sk);
432 
433 	read_lock(&hci_dev_list_lock);
434 
435 	count = 0;
436 	list_for_each_entry(d, &hci_dev_list, list) {
437 		if (d->dev_type == HCI_PRIMARY &&
438 		    hci_dev_test_flag(d, HCI_UNCONFIGURED))
439 			count++;
440 	}
441 
442 	rp_len = sizeof(*rp) + (2 * count);
443 	rp = kmalloc(rp_len, GFP_ATOMIC);
444 	if (!rp) {
445 		read_unlock(&hci_dev_list_lock);
446 		return -ENOMEM;
447 	}
448 
449 	count = 0;
450 	list_for_each_entry(d, &hci_dev_list, list) {
451 		if (hci_dev_test_flag(d, HCI_SETUP) ||
452 		    hci_dev_test_flag(d, HCI_CONFIG) ||
453 		    hci_dev_test_flag(d, HCI_USER_CHANNEL))
454 			continue;
455 
456 		/* Devices marked as raw-only are neither configured
457 		 * nor unconfigured controllers.
458 		 */
459 		if (test_bit(HCI_QUIRK_RAW_DEVICE, &d->quirks))
460 			continue;
461 
462 		if (d->dev_type == HCI_PRIMARY &&
463 		    hci_dev_test_flag(d, HCI_UNCONFIGURED)) {
464 			rp->index[count++] = cpu_to_le16(d->id);
465 			bt_dev_dbg(hdev, "Added hci%u", d->id);
466 		}
467 	}
468 
469 	rp->num_controllers = cpu_to_le16(count);
470 	rp_len = sizeof(*rp) + (2 * count);
471 
472 	read_unlock(&hci_dev_list_lock);
473 
474 	err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE,
475 				MGMT_OP_READ_UNCONF_INDEX_LIST, 0, rp, rp_len);
476 
477 	kfree(rp);
478 
479 	return err;
480 }
481 
482 static int read_ext_index_list(struct sock *sk, struct hci_dev *hdev,
483 			       void *data, u16 data_len)
484 {
485 	struct mgmt_rp_read_ext_index_list *rp;
486 	struct hci_dev *d;
487 	u16 count;
488 	int err;
489 
490 	bt_dev_dbg(hdev, "sock %p", sk);
491 
492 	read_lock(&hci_dev_list_lock);
493 
494 	count = 0;
495 	list_for_each_entry(d, &hci_dev_list, list) {
496 		if (d->dev_type == HCI_PRIMARY || d->dev_type == HCI_AMP)
497 			count++;
498 	}
499 
500 	rp = kmalloc(struct_size(rp, entry, count), GFP_ATOMIC);
501 	if (!rp) {
502 		read_unlock(&hci_dev_list_lock);
503 		return -ENOMEM;
504 	}
505 
506 	count = 0;
507 	list_for_each_entry(d, &hci_dev_list, list) {
508 		if (hci_dev_test_flag(d, HCI_SETUP) ||
509 		    hci_dev_test_flag(d, HCI_CONFIG) ||
510 		    hci_dev_test_flag(d, HCI_USER_CHANNEL))
511 			continue;
512 
513 		/* Devices marked as raw-only are neither configured
514 		 * nor unconfigured controllers.
515 		 */
516 		if (test_bit(HCI_QUIRK_RAW_DEVICE, &d->quirks))
517 			continue;
518 
519 		if (d->dev_type == HCI_PRIMARY) {
520 			if (hci_dev_test_flag(d, HCI_UNCONFIGURED))
521 				rp->entry[count].type = 0x01;
522 			else
523 				rp->entry[count].type = 0x00;
524 		} else if (d->dev_type == HCI_AMP) {
525 			rp->entry[count].type = 0x02;
526 		} else {
527 			continue;
528 		}
529 
530 		rp->entry[count].bus = d->bus;
531 		rp->entry[count++].index = cpu_to_le16(d->id);
532 		bt_dev_dbg(hdev, "Added hci%u", d->id);
533 	}
534 
535 	rp->num_controllers = cpu_to_le16(count);
536 
537 	read_unlock(&hci_dev_list_lock);
538 
539 	/* If this command is called at least once, then all the
540 	 * default index and unconfigured index events are disabled
541 	 * and from now on only extended index events are used.
542 	 */
543 	hci_sock_set_flag(sk, HCI_MGMT_EXT_INDEX_EVENTS);
544 	hci_sock_clear_flag(sk, HCI_MGMT_INDEX_EVENTS);
545 	hci_sock_clear_flag(sk, HCI_MGMT_UNCONF_INDEX_EVENTS);
546 
547 	err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE,
548 				MGMT_OP_READ_EXT_INDEX_LIST, 0, rp,
549 				struct_size(rp, entry, count));
550 
551 	kfree(rp);
552 
553 	return err;
554 }
555 
556 static bool is_configured(struct hci_dev *hdev)
557 {
558 	if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) &&
559 	    !hci_dev_test_flag(hdev, HCI_EXT_CONFIGURED))
560 		return false;
561 
562 	if ((test_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks) ||
563 	     test_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks)) &&
564 	    !bacmp(&hdev->public_addr, BDADDR_ANY))
565 		return false;
566 
567 	return true;
568 }
569 
570 static __le32 get_missing_options(struct hci_dev *hdev)
571 {
572 	u32 options = 0;
573 
574 	if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) &&
575 	    !hci_dev_test_flag(hdev, HCI_EXT_CONFIGURED))
576 		options |= MGMT_OPTION_EXTERNAL_CONFIG;
577 
578 	if ((test_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks) ||
579 	     test_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks)) &&
580 	    !bacmp(&hdev->public_addr, BDADDR_ANY))
581 		options |= MGMT_OPTION_PUBLIC_ADDRESS;
582 
583 	return cpu_to_le32(options);
584 }
585 
586 static int new_options(struct hci_dev *hdev, struct sock *skip)
587 {
588 	__le32 options = get_missing_options(hdev);
589 
590 	return mgmt_limited_event(MGMT_EV_NEW_CONFIG_OPTIONS, hdev, &options,
591 				  sizeof(options), HCI_MGMT_OPTION_EVENTS, skip);
592 }
593 
594 static int send_options_rsp(struct sock *sk, u16 opcode, struct hci_dev *hdev)
595 {
596 	__le32 options = get_missing_options(hdev);
597 
598 	return mgmt_cmd_complete(sk, hdev->id, opcode, 0, &options,
599 				 sizeof(options));
600 }
601 
602 static int read_config_info(struct sock *sk, struct hci_dev *hdev,
603 			    void *data, u16 data_len)
604 {
605 	struct mgmt_rp_read_config_info rp;
606 	u32 options = 0;
607 
608 	bt_dev_dbg(hdev, "sock %p", sk);
609 
610 	hci_dev_lock(hdev);
611 
612 	memset(&rp, 0, sizeof(rp));
613 	rp.manufacturer = cpu_to_le16(hdev->manufacturer);
614 
615 	if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks))
616 		options |= MGMT_OPTION_EXTERNAL_CONFIG;
617 
618 	if (hdev->set_bdaddr)
619 		options |= MGMT_OPTION_PUBLIC_ADDRESS;
620 
621 	rp.supported_options = cpu_to_le32(options);
622 	rp.missing_options = get_missing_options(hdev);
623 
624 	hci_dev_unlock(hdev);
625 
626 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_CONFIG_INFO, 0,
627 				 &rp, sizeof(rp));
628 }
629 
630 static u32 get_supported_phys(struct hci_dev *hdev)
631 {
632 	u32 supported_phys = 0;
633 
634 	if (lmp_bredr_capable(hdev)) {
635 		supported_phys |= MGMT_PHY_BR_1M_1SLOT;
636 
637 		if (hdev->features[0][0] & LMP_3SLOT)
638 			supported_phys |= MGMT_PHY_BR_1M_3SLOT;
639 
640 		if (hdev->features[0][0] & LMP_5SLOT)
641 			supported_phys |= MGMT_PHY_BR_1M_5SLOT;
642 
643 		if (lmp_edr_2m_capable(hdev)) {
644 			supported_phys |= MGMT_PHY_EDR_2M_1SLOT;
645 
646 			if (lmp_edr_3slot_capable(hdev))
647 				supported_phys |= MGMT_PHY_EDR_2M_3SLOT;
648 
649 			if (lmp_edr_5slot_capable(hdev))
650 				supported_phys |= MGMT_PHY_EDR_2M_5SLOT;
651 
652 			if (lmp_edr_3m_capable(hdev)) {
653 				supported_phys |= MGMT_PHY_EDR_3M_1SLOT;
654 
655 				if (lmp_edr_3slot_capable(hdev))
656 					supported_phys |= MGMT_PHY_EDR_3M_3SLOT;
657 
658 				if (lmp_edr_5slot_capable(hdev))
659 					supported_phys |= MGMT_PHY_EDR_3M_5SLOT;
660 			}
661 		}
662 	}
663 
664 	if (lmp_le_capable(hdev)) {
665 		supported_phys |= MGMT_PHY_LE_1M_TX;
666 		supported_phys |= MGMT_PHY_LE_1M_RX;
667 
668 		if (hdev->le_features[1] & HCI_LE_PHY_2M) {
669 			supported_phys |= MGMT_PHY_LE_2M_TX;
670 			supported_phys |= MGMT_PHY_LE_2M_RX;
671 		}
672 
673 		if (hdev->le_features[1] & HCI_LE_PHY_CODED) {
674 			supported_phys |= MGMT_PHY_LE_CODED_TX;
675 			supported_phys |= MGMT_PHY_LE_CODED_RX;
676 		}
677 	}
678 
679 	return supported_phys;
680 }
681 
682 static u32 get_selected_phys(struct hci_dev *hdev)
683 {
684 	u32 selected_phys = 0;
685 
686 	if (lmp_bredr_capable(hdev)) {
687 		selected_phys |= MGMT_PHY_BR_1M_1SLOT;
688 
689 		if (hdev->pkt_type & (HCI_DM3 | HCI_DH3))
690 			selected_phys |= MGMT_PHY_BR_1M_3SLOT;
691 
692 		if (hdev->pkt_type & (HCI_DM5 | HCI_DH5))
693 			selected_phys |= MGMT_PHY_BR_1M_5SLOT;
694 
695 		if (lmp_edr_2m_capable(hdev)) {
696 			if (!(hdev->pkt_type & HCI_2DH1))
697 				selected_phys |= MGMT_PHY_EDR_2M_1SLOT;
698 
699 			if (lmp_edr_3slot_capable(hdev) &&
700 			    !(hdev->pkt_type & HCI_2DH3))
701 				selected_phys |= MGMT_PHY_EDR_2M_3SLOT;
702 
703 			if (lmp_edr_5slot_capable(hdev) &&
704 			    !(hdev->pkt_type & HCI_2DH5))
705 				selected_phys |= MGMT_PHY_EDR_2M_5SLOT;
706 
707 			if (lmp_edr_3m_capable(hdev)) {
708 				if (!(hdev->pkt_type & HCI_3DH1))
709 					selected_phys |= MGMT_PHY_EDR_3M_1SLOT;
710 
711 				if (lmp_edr_3slot_capable(hdev) &&
712 				    !(hdev->pkt_type & HCI_3DH3))
713 					selected_phys |= MGMT_PHY_EDR_3M_3SLOT;
714 
715 				if (lmp_edr_5slot_capable(hdev) &&
716 				    !(hdev->pkt_type & HCI_3DH5))
717 					selected_phys |= MGMT_PHY_EDR_3M_5SLOT;
718 			}
719 		}
720 	}
721 
722 	if (lmp_le_capable(hdev)) {
723 		if (hdev->le_tx_def_phys & HCI_LE_SET_PHY_1M)
724 			selected_phys |= MGMT_PHY_LE_1M_TX;
725 
726 		if (hdev->le_rx_def_phys & HCI_LE_SET_PHY_1M)
727 			selected_phys |= MGMT_PHY_LE_1M_RX;
728 
729 		if (hdev->le_tx_def_phys & HCI_LE_SET_PHY_2M)
730 			selected_phys |= MGMT_PHY_LE_2M_TX;
731 
732 		if (hdev->le_rx_def_phys & HCI_LE_SET_PHY_2M)
733 			selected_phys |= MGMT_PHY_LE_2M_RX;
734 
735 		if (hdev->le_tx_def_phys & HCI_LE_SET_PHY_CODED)
736 			selected_phys |= MGMT_PHY_LE_CODED_TX;
737 
738 		if (hdev->le_rx_def_phys & HCI_LE_SET_PHY_CODED)
739 			selected_phys |= MGMT_PHY_LE_CODED_RX;
740 	}
741 
742 	return selected_phys;
743 }
744 
745 static u32 get_configurable_phys(struct hci_dev *hdev)
746 {
747 	return (get_supported_phys(hdev) & ~MGMT_PHY_BR_1M_1SLOT &
748 		~MGMT_PHY_LE_1M_TX & ~MGMT_PHY_LE_1M_RX);
749 }
750 
751 static u32 get_supported_settings(struct hci_dev *hdev)
752 {
753 	u32 settings = 0;
754 
755 	settings |= MGMT_SETTING_POWERED;
756 	settings |= MGMT_SETTING_BONDABLE;
757 	settings |= MGMT_SETTING_DEBUG_KEYS;
758 	settings |= MGMT_SETTING_CONNECTABLE;
759 	settings |= MGMT_SETTING_DISCOVERABLE;
760 
761 	if (lmp_bredr_capable(hdev)) {
762 		if (hdev->hci_ver >= BLUETOOTH_VER_1_2)
763 			settings |= MGMT_SETTING_FAST_CONNECTABLE;
764 		settings |= MGMT_SETTING_BREDR;
765 		settings |= MGMT_SETTING_LINK_SECURITY;
766 
767 		if (lmp_ssp_capable(hdev)) {
768 			settings |= MGMT_SETTING_SSP;
769 			settings |= MGMT_SETTING_HS;
770 		}
771 
772 		if (lmp_sc_capable(hdev))
773 			settings |= MGMT_SETTING_SECURE_CONN;
774 
775 		if (test_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED,
776 			     &hdev->quirks))
777 			settings |= MGMT_SETTING_WIDEBAND_SPEECH;
778 	}
779 
780 	if (lmp_le_capable(hdev)) {
781 		settings |= MGMT_SETTING_LE;
782 		settings |= MGMT_SETTING_ADVERTISING;
783 		settings |= MGMT_SETTING_SECURE_CONN;
784 		settings |= MGMT_SETTING_PRIVACY;
785 		settings |= MGMT_SETTING_STATIC_ADDRESS;
786 	}
787 
788 	if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) ||
789 	    hdev->set_bdaddr)
790 		settings |= MGMT_SETTING_CONFIGURATION;
791 
792 	settings |= MGMT_SETTING_PHY_CONFIGURATION;
793 
794 	return settings;
795 }
796 
797 static u32 get_current_settings(struct hci_dev *hdev)
798 {
799 	u32 settings = 0;
800 
801 	if (hdev_is_powered(hdev))
802 		settings |= MGMT_SETTING_POWERED;
803 
804 	if (hci_dev_test_flag(hdev, HCI_CONNECTABLE))
805 		settings |= MGMT_SETTING_CONNECTABLE;
806 
807 	if (hci_dev_test_flag(hdev, HCI_FAST_CONNECTABLE))
808 		settings |= MGMT_SETTING_FAST_CONNECTABLE;
809 
810 	if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE))
811 		settings |= MGMT_SETTING_DISCOVERABLE;
812 
813 	if (hci_dev_test_flag(hdev, HCI_BONDABLE))
814 		settings |= MGMT_SETTING_BONDABLE;
815 
816 	if (hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
817 		settings |= MGMT_SETTING_BREDR;
818 
819 	if (hci_dev_test_flag(hdev, HCI_LE_ENABLED))
820 		settings |= MGMT_SETTING_LE;
821 
822 	if (hci_dev_test_flag(hdev, HCI_LINK_SECURITY))
823 		settings |= MGMT_SETTING_LINK_SECURITY;
824 
825 	if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
826 		settings |= MGMT_SETTING_SSP;
827 
828 	if (hci_dev_test_flag(hdev, HCI_HS_ENABLED))
829 		settings |= MGMT_SETTING_HS;
830 
831 	if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
832 		settings |= MGMT_SETTING_ADVERTISING;
833 
834 	if (hci_dev_test_flag(hdev, HCI_SC_ENABLED))
835 		settings |= MGMT_SETTING_SECURE_CONN;
836 
837 	if (hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS))
838 		settings |= MGMT_SETTING_DEBUG_KEYS;
839 
840 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
841 		settings |= MGMT_SETTING_PRIVACY;
842 
843 	/* The current setting for static address has two purposes. The
844 	 * first is to indicate if the static address will be used and
845 	 * the second is to indicate if it is actually set.
846 	 *
847 	 * This means if the static address is not configured, this flag
848 	 * will never be set. If the address is configured, then if the
849 	 * address is actually used decides if the flag is set or not.
850 	 *
851 	 * For single mode LE only controllers and dual-mode controllers
852 	 * with BR/EDR disabled, the existence of the static address will
853 	 * be evaluated.
854 	 */
855 	if (hci_dev_test_flag(hdev, HCI_FORCE_STATIC_ADDR) ||
856 	    !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) ||
857 	    !bacmp(&hdev->bdaddr, BDADDR_ANY)) {
858 		if (bacmp(&hdev->static_addr, BDADDR_ANY))
859 			settings |= MGMT_SETTING_STATIC_ADDRESS;
860 	}
861 
862 	if (hci_dev_test_flag(hdev, HCI_WIDEBAND_SPEECH_ENABLED))
863 		settings |= MGMT_SETTING_WIDEBAND_SPEECH;
864 
865 	return settings;
866 }
867 
868 static struct mgmt_pending_cmd *pending_find(u16 opcode, struct hci_dev *hdev)
869 {
870 	return mgmt_pending_find(HCI_CHANNEL_CONTROL, opcode, hdev);
871 }
872 
873 static struct mgmt_pending_cmd *pending_find_data(u16 opcode,
874 						  struct hci_dev *hdev,
875 						  const void *data)
876 {
877 	return mgmt_pending_find_data(HCI_CHANNEL_CONTROL, opcode, hdev, data);
878 }
879 
880 u8 mgmt_get_adv_discov_flags(struct hci_dev *hdev)
881 {
882 	struct mgmt_pending_cmd *cmd;
883 
884 	/* If there's a pending mgmt command the flags will not yet have
885 	 * their final values, so check for this first.
886 	 */
887 	cmd = pending_find(MGMT_OP_SET_DISCOVERABLE, hdev);
888 	if (cmd) {
889 		struct mgmt_mode *cp = cmd->param;
890 		if (cp->val == 0x01)
891 			return LE_AD_GENERAL;
892 		else if (cp->val == 0x02)
893 			return LE_AD_LIMITED;
894 	} else {
895 		if (hci_dev_test_flag(hdev, HCI_LIMITED_DISCOVERABLE))
896 			return LE_AD_LIMITED;
897 		else if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE))
898 			return LE_AD_GENERAL;
899 	}
900 
901 	return 0;
902 }
903 
904 bool mgmt_get_connectable(struct hci_dev *hdev)
905 {
906 	struct mgmt_pending_cmd *cmd;
907 
908 	/* If there's a pending mgmt command the flag will not yet have
909 	 * it's final value, so check for this first.
910 	 */
911 	cmd = pending_find(MGMT_OP_SET_CONNECTABLE, hdev);
912 	if (cmd) {
913 		struct mgmt_mode *cp = cmd->param;
914 
915 		return cp->val;
916 	}
917 
918 	return hci_dev_test_flag(hdev, HCI_CONNECTABLE);
919 }
920 
921 static void service_cache_off(struct work_struct *work)
922 {
923 	struct hci_dev *hdev = container_of(work, struct hci_dev,
924 					    service_cache.work);
925 	struct hci_request req;
926 
927 	if (!hci_dev_test_and_clear_flag(hdev, HCI_SERVICE_CACHE))
928 		return;
929 
930 	hci_req_init(&req, hdev);
931 
932 	hci_dev_lock(hdev);
933 
934 	__hci_req_update_eir(&req);
935 	__hci_req_update_class(&req);
936 
937 	hci_dev_unlock(hdev);
938 
939 	hci_req_run(&req, NULL);
940 }
941 
942 static void rpa_expired(struct work_struct *work)
943 {
944 	struct hci_dev *hdev = container_of(work, struct hci_dev,
945 					    rpa_expired.work);
946 	struct hci_request req;
947 
948 	bt_dev_dbg(hdev, "");
949 
950 	hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
951 
952 	if (!hci_dev_test_flag(hdev, HCI_ADVERTISING))
953 		return;
954 
955 	/* The generation of a new RPA and programming it into the
956 	 * controller happens in the hci_req_enable_advertising()
957 	 * function.
958 	 */
959 	hci_req_init(&req, hdev);
960 	if (ext_adv_capable(hdev))
961 		__hci_req_start_ext_adv(&req, hdev->cur_adv_instance);
962 	else
963 		__hci_req_enable_advertising(&req);
964 	hci_req_run(&req, NULL);
965 }
966 
967 static void mgmt_init_hdev(struct sock *sk, struct hci_dev *hdev)
968 {
969 	if (hci_dev_test_and_set_flag(hdev, HCI_MGMT))
970 		return;
971 
972 	INIT_DELAYED_WORK(&hdev->service_cache, service_cache_off);
973 	INIT_DELAYED_WORK(&hdev->rpa_expired, rpa_expired);
974 
975 	/* Non-mgmt controlled devices get this bit set
976 	 * implicitly so that pairing works for them, however
977 	 * for mgmt we require user-space to explicitly enable
978 	 * it
979 	 */
980 	hci_dev_clear_flag(hdev, HCI_BONDABLE);
981 }
982 
983 static int read_controller_info(struct sock *sk, struct hci_dev *hdev,
984 				void *data, u16 data_len)
985 {
986 	struct mgmt_rp_read_info rp;
987 
988 	bt_dev_dbg(hdev, "sock %p", sk);
989 
990 	hci_dev_lock(hdev);
991 
992 	memset(&rp, 0, sizeof(rp));
993 
994 	bacpy(&rp.bdaddr, &hdev->bdaddr);
995 
996 	rp.version = hdev->hci_ver;
997 	rp.manufacturer = cpu_to_le16(hdev->manufacturer);
998 
999 	rp.supported_settings = cpu_to_le32(get_supported_settings(hdev));
1000 	rp.current_settings = cpu_to_le32(get_current_settings(hdev));
1001 
1002 	memcpy(rp.dev_class, hdev->dev_class, 3);
1003 
1004 	memcpy(rp.name, hdev->dev_name, sizeof(hdev->dev_name));
1005 	memcpy(rp.short_name, hdev->short_name, sizeof(hdev->short_name));
1006 
1007 	hci_dev_unlock(hdev);
1008 
1009 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_INFO, 0, &rp,
1010 				 sizeof(rp));
1011 }
1012 
1013 static u16 append_eir_data_to_buf(struct hci_dev *hdev, u8 *eir)
1014 {
1015 	u16 eir_len = 0;
1016 	size_t name_len;
1017 
1018 	if (hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1019 		eir_len = eir_append_data(eir, eir_len, EIR_CLASS_OF_DEV,
1020 					  hdev->dev_class, 3);
1021 
1022 	if (hci_dev_test_flag(hdev, HCI_LE_ENABLED))
1023 		eir_len = eir_append_le16(eir, eir_len, EIR_APPEARANCE,
1024 					  hdev->appearance);
1025 
1026 	name_len = strlen(hdev->dev_name);
1027 	eir_len = eir_append_data(eir, eir_len, EIR_NAME_COMPLETE,
1028 				  hdev->dev_name, name_len);
1029 
1030 	name_len = strlen(hdev->short_name);
1031 	eir_len = eir_append_data(eir, eir_len, EIR_NAME_SHORT,
1032 				  hdev->short_name, name_len);
1033 
1034 	return eir_len;
1035 }
1036 
1037 static int read_ext_controller_info(struct sock *sk, struct hci_dev *hdev,
1038 				    void *data, u16 data_len)
1039 {
1040 	char buf[512];
1041 	struct mgmt_rp_read_ext_info *rp = (void *)buf;
1042 	u16 eir_len;
1043 
1044 	bt_dev_dbg(hdev, "sock %p", sk);
1045 
1046 	memset(&buf, 0, sizeof(buf));
1047 
1048 	hci_dev_lock(hdev);
1049 
1050 	bacpy(&rp->bdaddr, &hdev->bdaddr);
1051 
1052 	rp->version = hdev->hci_ver;
1053 	rp->manufacturer = cpu_to_le16(hdev->manufacturer);
1054 
1055 	rp->supported_settings = cpu_to_le32(get_supported_settings(hdev));
1056 	rp->current_settings = cpu_to_le32(get_current_settings(hdev));
1057 
1058 
1059 	eir_len = append_eir_data_to_buf(hdev, rp->eir);
1060 	rp->eir_len = cpu_to_le16(eir_len);
1061 
1062 	hci_dev_unlock(hdev);
1063 
1064 	/* If this command is called at least once, then the events
1065 	 * for class of device and local name changes are disabled
1066 	 * and only the new extended controller information event
1067 	 * is used.
1068 	 */
1069 	hci_sock_set_flag(sk, HCI_MGMT_EXT_INFO_EVENTS);
1070 	hci_sock_clear_flag(sk, HCI_MGMT_DEV_CLASS_EVENTS);
1071 	hci_sock_clear_flag(sk, HCI_MGMT_LOCAL_NAME_EVENTS);
1072 
1073 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_EXT_INFO, 0, rp,
1074 				 sizeof(*rp) + eir_len);
1075 }
1076 
1077 static int ext_info_changed(struct hci_dev *hdev, struct sock *skip)
1078 {
1079 	char buf[512];
1080 	struct mgmt_ev_ext_info_changed *ev = (void *)buf;
1081 	u16 eir_len;
1082 
1083 	memset(buf, 0, sizeof(buf));
1084 
1085 	eir_len = append_eir_data_to_buf(hdev, ev->eir);
1086 	ev->eir_len = cpu_to_le16(eir_len);
1087 
1088 	return mgmt_limited_event(MGMT_EV_EXT_INFO_CHANGED, hdev, ev,
1089 				  sizeof(*ev) + eir_len,
1090 				  HCI_MGMT_EXT_INFO_EVENTS, skip);
1091 }
1092 
1093 static int send_settings_rsp(struct sock *sk, u16 opcode, struct hci_dev *hdev)
1094 {
1095 	__le32 settings = cpu_to_le32(get_current_settings(hdev));
1096 
1097 	return mgmt_cmd_complete(sk, hdev->id, opcode, 0, &settings,
1098 				 sizeof(settings));
1099 }
1100 
1101 static void clean_up_hci_complete(struct hci_dev *hdev, u8 status, u16 opcode)
1102 {
1103 	bt_dev_dbg(hdev, "status 0x%02x", status);
1104 
1105 	if (hci_conn_count(hdev) == 0) {
1106 		cancel_delayed_work(&hdev->power_off);
1107 		queue_work(hdev->req_workqueue, &hdev->power_off.work);
1108 	}
1109 }
1110 
1111 void mgmt_advertising_added(struct sock *sk, struct hci_dev *hdev, u8 instance)
1112 {
1113 	struct mgmt_ev_advertising_added ev;
1114 
1115 	ev.instance = instance;
1116 
1117 	mgmt_event(MGMT_EV_ADVERTISING_ADDED, hdev, &ev, sizeof(ev), sk);
1118 }
1119 
1120 void mgmt_advertising_removed(struct sock *sk, struct hci_dev *hdev,
1121 			      u8 instance)
1122 {
1123 	struct mgmt_ev_advertising_removed ev;
1124 
1125 	ev.instance = instance;
1126 
1127 	mgmt_event(MGMT_EV_ADVERTISING_REMOVED, hdev, &ev, sizeof(ev), sk);
1128 }
1129 
1130 static void cancel_adv_timeout(struct hci_dev *hdev)
1131 {
1132 	if (hdev->adv_instance_timeout) {
1133 		hdev->adv_instance_timeout = 0;
1134 		cancel_delayed_work(&hdev->adv_instance_expire);
1135 	}
1136 }
1137 
1138 static int clean_up_hci_state(struct hci_dev *hdev)
1139 {
1140 	struct hci_request req;
1141 	struct hci_conn *conn;
1142 	bool discov_stopped;
1143 	int err;
1144 
1145 	hci_req_init(&req, hdev);
1146 
1147 	if (test_bit(HCI_ISCAN, &hdev->flags) ||
1148 	    test_bit(HCI_PSCAN, &hdev->flags)) {
1149 		u8 scan = 0x00;
1150 		hci_req_add(&req, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
1151 	}
1152 
1153 	hci_req_clear_adv_instance(hdev, NULL, NULL, 0x00, false);
1154 
1155 	if (hci_dev_test_flag(hdev, HCI_LE_ADV))
1156 		__hci_req_disable_advertising(&req);
1157 
1158 	discov_stopped = hci_req_stop_discovery(&req);
1159 
1160 	list_for_each_entry(conn, &hdev->conn_hash.list, list) {
1161 		/* 0x15 == Terminated due to Power Off */
1162 		__hci_abort_conn(&req, conn, 0x15);
1163 	}
1164 
1165 	err = hci_req_run(&req, clean_up_hci_complete);
1166 	if (!err && discov_stopped)
1167 		hci_discovery_set_state(hdev, DISCOVERY_STOPPING);
1168 
1169 	return err;
1170 }
1171 
1172 static int set_powered(struct sock *sk, struct hci_dev *hdev, void *data,
1173 		       u16 len)
1174 {
1175 	struct mgmt_mode *cp = data;
1176 	struct mgmt_pending_cmd *cmd;
1177 	int err;
1178 
1179 	bt_dev_dbg(hdev, "sock %p", sk);
1180 
1181 	if (cp->val != 0x00 && cp->val != 0x01)
1182 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_POWERED,
1183 				       MGMT_STATUS_INVALID_PARAMS);
1184 
1185 	hci_dev_lock(hdev);
1186 
1187 	if (pending_find(MGMT_OP_SET_POWERED, hdev)) {
1188 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_POWERED,
1189 				      MGMT_STATUS_BUSY);
1190 		goto failed;
1191 	}
1192 
1193 	if (!!cp->val == hdev_is_powered(hdev)) {
1194 		err = send_settings_rsp(sk, MGMT_OP_SET_POWERED, hdev);
1195 		goto failed;
1196 	}
1197 
1198 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_POWERED, hdev, data, len);
1199 	if (!cmd) {
1200 		err = -ENOMEM;
1201 		goto failed;
1202 	}
1203 
1204 	if (cp->val) {
1205 		queue_work(hdev->req_workqueue, &hdev->power_on);
1206 		err = 0;
1207 	} else {
1208 		/* Disconnect connections, stop scans, etc */
1209 		err = clean_up_hci_state(hdev);
1210 		if (!err)
1211 			queue_delayed_work(hdev->req_workqueue, &hdev->power_off,
1212 					   HCI_POWER_OFF_TIMEOUT);
1213 
1214 		/* ENODATA means there were no HCI commands queued */
1215 		if (err == -ENODATA) {
1216 			cancel_delayed_work(&hdev->power_off);
1217 			queue_work(hdev->req_workqueue, &hdev->power_off.work);
1218 			err = 0;
1219 		}
1220 	}
1221 
1222 failed:
1223 	hci_dev_unlock(hdev);
1224 	return err;
1225 }
1226 
1227 static int new_settings(struct hci_dev *hdev, struct sock *skip)
1228 {
1229 	__le32 ev = cpu_to_le32(get_current_settings(hdev));
1230 
1231 	return mgmt_limited_event(MGMT_EV_NEW_SETTINGS, hdev, &ev,
1232 				  sizeof(ev), HCI_MGMT_SETTING_EVENTS, skip);
1233 }
1234 
1235 int mgmt_new_settings(struct hci_dev *hdev)
1236 {
1237 	return new_settings(hdev, NULL);
1238 }
1239 
1240 struct cmd_lookup {
1241 	struct sock *sk;
1242 	struct hci_dev *hdev;
1243 	u8 mgmt_status;
1244 };
1245 
1246 static void settings_rsp(struct mgmt_pending_cmd *cmd, void *data)
1247 {
1248 	struct cmd_lookup *match = data;
1249 
1250 	send_settings_rsp(cmd->sk, cmd->opcode, match->hdev);
1251 
1252 	list_del(&cmd->list);
1253 
1254 	if (match->sk == NULL) {
1255 		match->sk = cmd->sk;
1256 		sock_hold(match->sk);
1257 	}
1258 
1259 	mgmt_pending_free(cmd);
1260 }
1261 
1262 static void cmd_status_rsp(struct mgmt_pending_cmd *cmd, void *data)
1263 {
1264 	u8 *status = data;
1265 
1266 	mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, *status);
1267 	mgmt_pending_remove(cmd);
1268 }
1269 
1270 static void cmd_complete_rsp(struct mgmt_pending_cmd *cmd, void *data)
1271 {
1272 	if (cmd->cmd_complete) {
1273 		u8 *status = data;
1274 
1275 		cmd->cmd_complete(cmd, *status);
1276 		mgmt_pending_remove(cmd);
1277 
1278 		return;
1279 	}
1280 
1281 	cmd_status_rsp(cmd, data);
1282 }
1283 
1284 static int generic_cmd_complete(struct mgmt_pending_cmd *cmd, u8 status)
1285 {
1286 	return mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status,
1287 				 cmd->param, cmd->param_len);
1288 }
1289 
1290 static int addr_cmd_complete(struct mgmt_pending_cmd *cmd, u8 status)
1291 {
1292 	return mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status,
1293 				 cmd->param, sizeof(struct mgmt_addr_info));
1294 }
1295 
1296 static u8 mgmt_bredr_support(struct hci_dev *hdev)
1297 {
1298 	if (!lmp_bredr_capable(hdev))
1299 		return MGMT_STATUS_NOT_SUPPORTED;
1300 	else if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1301 		return MGMT_STATUS_REJECTED;
1302 	else
1303 		return MGMT_STATUS_SUCCESS;
1304 }
1305 
1306 static u8 mgmt_le_support(struct hci_dev *hdev)
1307 {
1308 	if (!lmp_le_capable(hdev))
1309 		return MGMT_STATUS_NOT_SUPPORTED;
1310 	else if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
1311 		return MGMT_STATUS_REJECTED;
1312 	else
1313 		return MGMT_STATUS_SUCCESS;
1314 }
1315 
1316 void mgmt_set_discoverable_complete(struct hci_dev *hdev, u8 status)
1317 {
1318 	struct mgmt_pending_cmd *cmd;
1319 
1320 	bt_dev_dbg(hdev, "status 0x%02x", status);
1321 
1322 	hci_dev_lock(hdev);
1323 
1324 	cmd = pending_find(MGMT_OP_SET_DISCOVERABLE, hdev);
1325 	if (!cmd)
1326 		goto unlock;
1327 
1328 	if (status) {
1329 		u8 mgmt_err = mgmt_status(status);
1330 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
1331 		hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1332 		goto remove_cmd;
1333 	}
1334 
1335 	if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE) &&
1336 	    hdev->discov_timeout > 0) {
1337 		int to = msecs_to_jiffies(hdev->discov_timeout * 1000);
1338 		queue_delayed_work(hdev->req_workqueue, &hdev->discov_off, to);
1339 	}
1340 
1341 	send_settings_rsp(cmd->sk, MGMT_OP_SET_DISCOVERABLE, hdev);
1342 	new_settings(hdev, cmd->sk);
1343 
1344 remove_cmd:
1345 	mgmt_pending_remove(cmd);
1346 
1347 unlock:
1348 	hci_dev_unlock(hdev);
1349 }
1350 
1351 static int set_discoverable(struct sock *sk, struct hci_dev *hdev, void *data,
1352 			    u16 len)
1353 {
1354 	struct mgmt_cp_set_discoverable *cp = data;
1355 	struct mgmt_pending_cmd *cmd;
1356 	u16 timeout;
1357 	int err;
1358 
1359 	bt_dev_dbg(hdev, "sock %p", sk);
1360 
1361 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED) &&
1362 	    !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1363 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1364 				       MGMT_STATUS_REJECTED);
1365 
1366 	if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
1367 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1368 				       MGMT_STATUS_INVALID_PARAMS);
1369 
1370 	timeout = __le16_to_cpu(cp->timeout);
1371 
1372 	/* Disabling discoverable requires that no timeout is set,
1373 	 * and enabling limited discoverable requires a timeout.
1374 	 */
1375 	if ((cp->val == 0x00 && timeout > 0) ||
1376 	    (cp->val == 0x02 && timeout == 0))
1377 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1378 				       MGMT_STATUS_INVALID_PARAMS);
1379 
1380 	hci_dev_lock(hdev);
1381 
1382 	if (!hdev_is_powered(hdev) && timeout > 0) {
1383 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1384 				      MGMT_STATUS_NOT_POWERED);
1385 		goto failed;
1386 	}
1387 
1388 	if (pending_find(MGMT_OP_SET_DISCOVERABLE, hdev) ||
1389 	    pending_find(MGMT_OP_SET_CONNECTABLE, hdev)) {
1390 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1391 				      MGMT_STATUS_BUSY);
1392 		goto failed;
1393 	}
1394 
1395 	if (!hci_dev_test_flag(hdev, HCI_CONNECTABLE)) {
1396 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1397 				      MGMT_STATUS_REJECTED);
1398 		goto failed;
1399 	}
1400 
1401 	if (hdev->advertising_paused) {
1402 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1403 				      MGMT_STATUS_BUSY);
1404 		goto failed;
1405 	}
1406 
1407 	if (!hdev_is_powered(hdev)) {
1408 		bool changed = false;
1409 
1410 		/* Setting limited discoverable when powered off is
1411 		 * not a valid operation since it requires a timeout
1412 		 * and so no need to check HCI_LIMITED_DISCOVERABLE.
1413 		 */
1414 		if (!!cp->val != hci_dev_test_flag(hdev, HCI_DISCOVERABLE)) {
1415 			hci_dev_change_flag(hdev, HCI_DISCOVERABLE);
1416 			changed = true;
1417 		}
1418 
1419 		err = send_settings_rsp(sk, MGMT_OP_SET_DISCOVERABLE, hdev);
1420 		if (err < 0)
1421 			goto failed;
1422 
1423 		if (changed)
1424 			err = new_settings(hdev, sk);
1425 
1426 		goto failed;
1427 	}
1428 
1429 	/* If the current mode is the same, then just update the timeout
1430 	 * value with the new value. And if only the timeout gets updated,
1431 	 * then no need for any HCI transactions.
1432 	 */
1433 	if (!!cp->val == hci_dev_test_flag(hdev, HCI_DISCOVERABLE) &&
1434 	    (cp->val == 0x02) == hci_dev_test_flag(hdev,
1435 						   HCI_LIMITED_DISCOVERABLE)) {
1436 		cancel_delayed_work(&hdev->discov_off);
1437 		hdev->discov_timeout = timeout;
1438 
1439 		if (cp->val && hdev->discov_timeout > 0) {
1440 			int to = msecs_to_jiffies(hdev->discov_timeout * 1000);
1441 			queue_delayed_work(hdev->req_workqueue,
1442 					   &hdev->discov_off, to);
1443 		}
1444 
1445 		err = send_settings_rsp(sk, MGMT_OP_SET_DISCOVERABLE, hdev);
1446 		goto failed;
1447 	}
1448 
1449 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_DISCOVERABLE, hdev, data, len);
1450 	if (!cmd) {
1451 		err = -ENOMEM;
1452 		goto failed;
1453 	}
1454 
1455 	/* Cancel any potential discoverable timeout that might be
1456 	 * still active and store new timeout value. The arming of
1457 	 * the timeout happens in the complete handler.
1458 	 */
1459 	cancel_delayed_work(&hdev->discov_off);
1460 	hdev->discov_timeout = timeout;
1461 
1462 	if (cp->val)
1463 		hci_dev_set_flag(hdev, HCI_DISCOVERABLE);
1464 	else
1465 		hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1466 
1467 	/* Limited discoverable mode */
1468 	if (cp->val == 0x02)
1469 		hci_dev_set_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1470 	else
1471 		hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1472 
1473 	queue_work(hdev->req_workqueue, &hdev->discoverable_update);
1474 	err = 0;
1475 
1476 failed:
1477 	hci_dev_unlock(hdev);
1478 	return err;
1479 }
1480 
1481 void mgmt_set_connectable_complete(struct hci_dev *hdev, u8 status)
1482 {
1483 	struct mgmt_pending_cmd *cmd;
1484 
1485 	bt_dev_dbg(hdev, "status 0x%02x", status);
1486 
1487 	hci_dev_lock(hdev);
1488 
1489 	cmd = pending_find(MGMT_OP_SET_CONNECTABLE, hdev);
1490 	if (!cmd)
1491 		goto unlock;
1492 
1493 	if (status) {
1494 		u8 mgmt_err = mgmt_status(status);
1495 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
1496 		goto remove_cmd;
1497 	}
1498 
1499 	send_settings_rsp(cmd->sk, MGMT_OP_SET_CONNECTABLE, hdev);
1500 	new_settings(hdev, cmd->sk);
1501 
1502 remove_cmd:
1503 	mgmt_pending_remove(cmd);
1504 
1505 unlock:
1506 	hci_dev_unlock(hdev);
1507 }
1508 
1509 static int set_connectable_update_settings(struct hci_dev *hdev,
1510 					   struct sock *sk, u8 val)
1511 {
1512 	bool changed = false;
1513 	int err;
1514 
1515 	if (!!val != hci_dev_test_flag(hdev, HCI_CONNECTABLE))
1516 		changed = true;
1517 
1518 	if (val) {
1519 		hci_dev_set_flag(hdev, HCI_CONNECTABLE);
1520 	} else {
1521 		hci_dev_clear_flag(hdev, HCI_CONNECTABLE);
1522 		hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1523 	}
1524 
1525 	err = send_settings_rsp(sk, MGMT_OP_SET_CONNECTABLE, hdev);
1526 	if (err < 0)
1527 		return err;
1528 
1529 	if (changed) {
1530 		hci_req_update_scan(hdev);
1531 		hci_update_background_scan(hdev);
1532 		return new_settings(hdev, sk);
1533 	}
1534 
1535 	return 0;
1536 }
1537 
1538 static int set_connectable(struct sock *sk, struct hci_dev *hdev, void *data,
1539 			   u16 len)
1540 {
1541 	struct mgmt_mode *cp = data;
1542 	struct mgmt_pending_cmd *cmd;
1543 	int err;
1544 
1545 	bt_dev_dbg(hdev, "sock %p", sk);
1546 
1547 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED) &&
1548 	    !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1549 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_CONNECTABLE,
1550 				       MGMT_STATUS_REJECTED);
1551 
1552 	if (cp->val != 0x00 && cp->val != 0x01)
1553 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_CONNECTABLE,
1554 				       MGMT_STATUS_INVALID_PARAMS);
1555 
1556 	hci_dev_lock(hdev);
1557 
1558 	if (!hdev_is_powered(hdev)) {
1559 		err = set_connectable_update_settings(hdev, sk, cp->val);
1560 		goto failed;
1561 	}
1562 
1563 	if (pending_find(MGMT_OP_SET_DISCOVERABLE, hdev) ||
1564 	    pending_find(MGMT_OP_SET_CONNECTABLE, hdev)) {
1565 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_CONNECTABLE,
1566 				      MGMT_STATUS_BUSY);
1567 		goto failed;
1568 	}
1569 
1570 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_CONNECTABLE, hdev, data, len);
1571 	if (!cmd) {
1572 		err = -ENOMEM;
1573 		goto failed;
1574 	}
1575 
1576 	if (cp->val) {
1577 		hci_dev_set_flag(hdev, HCI_CONNECTABLE);
1578 	} else {
1579 		if (hdev->discov_timeout > 0)
1580 			cancel_delayed_work(&hdev->discov_off);
1581 
1582 		hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1583 		hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1584 		hci_dev_clear_flag(hdev, HCI_CONNECTABLE);
1585 	}
1586 
1587 	queue_work(hdev->req_workqueue, &hdev->connectable_update);
1588 	err = 0;
1589 
1590 failed:
1591 	hci_dev_unlock(hdev);
1592 	return err;
1593 }
1594 
1595 static int set_bondable(struct sock *sk, struct hci_dev *hdev, void *data,
1596 			u16 len)
1597 {
1598 	struct mgmt_mode *cp = data;
1599 	bool changed;
1600 	int err;
1601 
1602 	bt_dev_dbg(hdev, "sock %p", sk);
1603 
1604 	if (cp->val != 0x00 && cp->val != 0x01)
1605 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BONDABLE,
1606 				       MGMT_STATUS_INVALID_PARAMS);
1607 
1608 	hci_dev_lock(hdev);
1609 
1610 	if (cp->val)
1611 		changed = !hci_dev_test_and_set_flag(hdev, HCI_BONDABLE);
1612 	else
1613 		changed = hci_dev_test_and_clear_flag(hdev, HCI_BONDABLE);
1614 
1615 	err = send_settings_rsp(sk, MGMT_OP_SET_BONDABLE, hdev);
1616 	if (err < 0)
1617 		goto unlock;
1618 
1619 	if (changed) {
1620 		/* In limited privacy mode the change of bondable mode
1621 		 * may affect the local advertising address.
1622 		 */
1623 		if (hdev_is_powered(hdev) &&
1624 		    hci_dev_test_flag(hdev, HCI_ADVERTISING) &&
1625 		    hci_dev_test_flag(hdev, HCI_DISCOVERABLE) &&
1626 		    hci_dev_test_flag(hdev, HCI_LIMITED_PRIVACY))
1627 			queue_work(hdev->req_workqueue,
1628 				   &hdev->discoverable_update);
1629 
1630 		err = new_settings(hdev, sk);
1631 	}
1632 
1633 unlock:
1634 	hci_dev_unlock(hdev);
1635 	return err;
1636 }
1637 
1638 static int set_link_security(struct sock *sk, struct hci_dev *hdev, void *data,
1639 			     u16 len)
1640 {
1641 	struct mgmt_mode *cp = data;
1642 	struct mgmt_pending_cmd *cmd;
1643 	u8 val, status;
1644 	int err;
1645 
1646 	bt_dev_dbg(hdev, "sock %p", sk);
1647 
1648 	status = mgmt_bredr_support(hdev);
1649 	if (status)
1650 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY,
1651 				       status);
1652 
1653 	if (cp->val != 0x00 && cp->val != 0x01)
1654 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY,
1655 				       MGMT_STATUS_INVALID_PARAMS);
1656 
1657 	hci_dev_lock(hdev);
1658 
1659 	if (!hdev_is_powered(hdev)) {
1660 		bool changed = false;
1661 
1662 		if (!!cp->val != hci_dev_test_flag(hdev, HCI_LINK_SECURITY)) {
1663 			hci_dev_change_flag(hdev, HCI_LINK_SECURITY);
1664 			changed = true;
1665 		}
1666 
1667 		err = send_settings_rsp(sk, MGMT_OP_SET_LINK_SECURITY, hdev);
1668 		if (err < 0)
1669 			goto failed;
1670 
1671 		if (changed)
1672 			err = new_settings(hdev, sk);
1673 
1674 		goto failed;
1675 	}
1676 
1677 	if (pending_find(MGMT_OP_SET_LINK_SECURITY, hdev)) {
1678 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY,
1679 				      MGMT_STATUS_BUSY);
1680 		goto failed;
1681 	}
1682 
1683 	val = !!cp->val;
1684 
1685 	if (test_bit(HCI_AUTH, &hdev->flags) == val) {
1686 		err = send_settings_rsp(sk, MGMT_OP_SET_LINK_SECURITY, hdev);
1687 		goto failed;
1688 	}
1689 
1690 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_LINK_SECURITY, hdev, data, len);
1691 	if (!cmd) {
1692 		err = -ENOMEM;
1693 		goto failed;
1694 	}
1695 
1696 	err = hci_send_cmd(hdev, HCI_OP_WRITE_AUTH_ENABLE, sizeof(val), &val);
1697 	if (err < 0) {
1698 		mgmt_pending_remove(cmd);
1699 		goto failed;
1700 	}
1701 
1702 failed:
1703 	hci_dev_unlock(hdev);
1704 	return err;
1705 }
1706 
1707 static int set_ssp(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
1708 {
1709 	struct mgmt_mode *cp = data;
1710 	struct mgmt_pending_cmd *cmd;
1711 	u8 status;
1712 	int err;
1713 
1714 	bt_dev_dbg(hdev, "sock %p", sk);
1715 
1716 	status = mgmt_bredr_support(hdev);
1717 	if (status)
1718 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP, status);
1719 
1720 	if (!lmp_ssp_capable(hdev))
1721 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
1722 				       MGMT_STATUS_NOT_SUPPORTED);
1723 
1724 	if (cp->val != 0x00 && cp->val != 0x01)
1725 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
1726 				       MGMT_STATUS_INVALID_PARAMS);
1727 
1728 	hci_dev_lock(hdev);
1729 
1730 	if (!hdev_is_powered(hdev)) {
1731 		bool changed;
1732 
1733 		if (cp->val) {
1734 			changed = !hci_dev_test_and_set_flag(hdev,
1735 							     HCI_SSP_ENABLED);
1736 		} else {
1737 			changed = hci_dev_test_and_clear_flag(hdev,
1738 							      HCI_SSP_ENABLED);
1739 			if (!changed)
1740 				changed = hci_dev_test_and_clear_flag(hdev,
1741 								      HCI_HS_ENABLED);
1742 			else
1743 				hci_dev_clear_flag(hdev, HCI_HS_ENABLED);
1744 		}
1745 
1746 		err = send_settings_rsp(sk, MGMT_OP_SET_SSP, hdev);
1747 		if (err < 0)
1748 			goto failed;
1749 
1750 		if (changed)
1751 			err = new_settings(hdev, sk);
1752 
1753 		goto failed;
1754 	}
1755 
1756 	if (pending_find(MGMT_OP_SET_SSP, hdev)) {
1757 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
1758 				      MGMT_STATUS_BUSY);
1759 		goto failed;
1760 	}
1761 
1762 	if (!!cp->val == hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
1763 		err = send_settings_rsp(sk, MGMT_OP_SET_SSP, hdev);
1764 		goto failed;
1765 	}
1766 
1767 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_SSP, hdev, data, len);
1768 	if (!cmd) {
1769 		err = -ENOMEM;
1770 		goto failed;
1771 	}
1772 
1773 	if (!cp->val && hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS))
1774 		hci_send_cmd(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE,
1775 			     sizeof(cp->val), &cp->val);
1776 
1777 	err = hci_send_cmd(hdev, HCI_OP_WRITE_SSP_MODE, 1, &cp->val);
1778 	if (err < 0) {
1779 		mgmt_pending_remove(cmd);
1780 		goto failed;
1781 	}
1782 
1783 failed:
1784 	hci_dev_unlock(hdev);
1785 	return err;
1786 }
1787 
1788 static int set_hs(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
1789 {
1790 	struct mgmt_mode *cp = data;
1791 	bool changed;
1792 	u8 status;
1793 	int err;
1794 
1795 	bt_dev_dbg(hdev, "sock %p", sk);
1796 
1797 	status = mgmt_bredr_support(hdev);
1798 	if (status)
1799 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS, status);
1800 
1801 	if (!lmp_ssp_capable(hdev))
1802 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
1803 				       MGMT_STATUS_NOT_SUPPORTED);
1804 
1805 	if (!hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
1806 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
1807 				       MGMT_STATUS_REJECTED);
1808 
1809 	if (cp->val != 0x00 && cp->val != 0x01)
1810 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
1811 				       MGMT_STATUS_INVALID_PARAMS);
1812 
1813 	hci_dev_lock(hdev);
1814 
1815 	if (pending_find(MGMT_OP_SET_SSP, hdev)) {
1816 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
1817 				      MGMT_STATUS_BUSY);
1818 		goto unlock;
1819 	}
1820 
1821 	if (cp->val) {
1822 		changed = !hci_dev_test_and_set_flag(hdev, HCI_HS_ENABLED);
1823 	} else {
1824 		if (hdev_is_powered(hdev)) {
1825 			err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
1826 					      MGMT_STATUS_REJECTED);
1827 			goto unlock;
1828 		}
1829 
1830 		changed = hci_dev_test_and_clear_flag(hdev, HCI_HS_ENABLED);
1831 	}
1832 
1833 	err = send_settings_rsp(sk, MGMT_OP_SET_HS, hdev);
1834 	if (err < 0)
1835 		goto unlock;
1836 
1837 	if (changed)
1838 		err = new_settings(hdev, sk);
1839 
1840 unlock:
1841 	hci_dev_unlock(hdev);
1842 	return err;
1843 }
1844 
1845 static void le_enable_complete(struct hci_dev *hdev, u8 status, u16 opcode)
1846 {
1847 	struct cmd_lookup match = { NULL, hdev };
1848 
1849 	hci_dev_lock(hdev);
1850 
1851 	if (status) {
1852 		u8 mgmt_err = mgmt_status(status);
1853 
1854 		mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, cmd_status_rsp,
1855 				     &mgmt_err);
1856 		goto unlock;
1857 	}
1858 
1859 	mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, settings_rsp, &match);
1860 
1861 	new_settings(hdev, match.sk);
1862 
1863 	if (match.sk)
1864 		sock_put(match.sk);
1865 
1866 	/* Make sure the controller has a good default for
1867 	 * advertising data. Restrict the update to when LE
1868 	 * has actually been enabled. During power on, the
1869 	 * update in powered_update_hci will take care of it.
1870 	 */
1871 	if (hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1872 		struct hci_request req;
1873 		hci_req_init(&req, hdev);
1874 		if (ext_adv_capable(hdev)) {
1875 			int err;
1876 
1877 			err = __hci_req_setup_ext_adv_instance(&req, 0x00);
1878 			if (!err)
1879 				__hci_req_update_scan_rsp_data(&req, 0x00);
1880 		} else {
1881 			__hci_req_update_adv_data(&req, 0x00);
1882 			__hci_req_update_scan_rsp_data(&req, 0x00);
1883 		}
1884 		hci_req_run(&req, NULL);
1885 		hci_update_background_scan(hdev);
1886 	}
1887 
1888 unlock:
1889 	hci_dev_unlock(hdev);
1890 }
1891 
1892 static int set_le(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
1893 {
1894 	struct mgmt_mode *cp = data;
1895 	struct hci_cp_write_le_host_supported hci_cp;
1896 	struct mgmt_pending_cmd *cmd;
1897 	struct hci_request req;
1898 	int err;
1899 	u8 val, enabled;
1900 
1901 	bt_dev_dbg(hdev, "sock %p", sk);
1902 
1903 	if (!lmp_le_capable(hdev))
1904 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
1905 				       MGMT_STATUS_NOT_SUPPORTED);
1906 
1907 	if (cp->val != 0x00 && cp->val != 0x01)
1908 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
1909 				       MGMT_STATUS_INVALID_PARAMS);
1910 
1911 	/* Bluetooth single mode LE only controllers or dual-mode
1912 	 * controllers configured as LE only devices, do not allow
1913 	 * switching LE off. These have either LE enabled explicitly
1914 	 * or BR/EDR has been previously switched off.
1915 	 *
1916 	 * When trying to enable an already enabled LE, then gracefully
1917 	 * send a positive response. Trying to disable it however will
1918 	 * result into rejection.
1919 	 */
1920 	if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
1921 		if (cp->val == 0x01)
1922 			return send_settings_rsp(sk, MGMT_OP_SET_LE, hdev);
1923 
1924 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
1925 				       MGMT_STATUS_REJECTED);
1926 	}
1927 
1928 	hci_dev_lock(hdev);
1929 
1930 	val = !!cp->val;
1931 	enabled = lmp_host_le_capable(hdev);
1932 
1933 	if (!val)
1934 		hci_req_clear_adv_instance(hdev, NULL, NULL, 0x00, true);
1935 
1936 	if (!hdev_is_powered(hdev) || val == enabled) {
1937 		bool changed = false;
1938 
1939 		if (val != hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1940 			hci_dev_change_flag(hdev, HCI_LE_ENABLED);
1941 			changed = true;
1942 		}
1943 
1944 		if (!val && hci_dev_test_flag(hdev, HCI_ADVERTISING)) {
1945 			hci_dev_clear_flag(hdev, HCI_ADVERTISING);
1946 			changed = true;
1947 		}
1948 
1949 		err = send_settings_rsp(sk, MGMT_OP_SET_LE, hdev);
1950 		if (err < 0)
1951 			goto unlock;
1952 
1953 		if (changed)
1954 			err = new_settings(hdev, sk);
1955 
1956 		goto unlock;
1957 	}
1958 
1959 	if (pending_find(MGMT_OP_SET_LE, hdev) ||
1960 	    pending_find(MGMT_OP_SET_ADVERTISING, hdev)) {
1961 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
1962 				      MGMT_STATUS_BUSY);
1963 		goto unlock;
1964 	}
1965 
1966 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_LE, hdev, data, len);
1967 	if (!cmd) {
1968 		err = -ENOMEM;
1969 		goto unlock;
1970 	}
1971 
1972 	hci_req_init(&req, hdev);
1973 
1974 	memset(&hci_cp, 0, sizeof(hci_cp));
1975 
1976 	if (val) {
1977 		hci_cp.le = val;
1978 		hci_cp.simul = 0x00;
1979 	} else {
1980 		if (hci_dev_test_flag(hdev, HCI_LE_ADV))
1981 			__hci_req_disable_advertising(&req);
1982 
1983 		if (ext_adv_capable(hdev))
1984 			__hci_req_clear_ext_adv_sets(&req);
1985 	}
1986 
1987 	hci_req_add(&req, HCI_OP_WRITE_LE_HOST_SUPPORTED, sizeof(hci_cp),
1988 		    &hci_cp);
1989 
1990 	err = hci_req_run(&req, le_enable_complete);
1991 	if (err < 0)
1992 		mgmt_pending_remove(cmd);
1993 
1994 unlock:
1995 	hci_dev_unlock(hdev);
1996 	return err;
1997 }
1998 
1999 /* This is a helper function to test for pending mgmt commands that can
2000  * cause CoD or EIR HCI commands. We can only allow one such pending
2001  * mgmt command at a time since otherwise we cannot easily track what
2002  * the current values are, will be, and based on that calculate if a new
2003  * HCI command needs to be sent and if yes with what value.
2004  */
2005 static bool pending_eir_or_class(struct hci_dev *hdev)
2006 {
2007 	struct mgmt_pending_cmd *cmd;
2008 
2009 	list_for_each_entry(cmd, &hdev->mgmt_pending, list) {
2010 		switch (cmd->opcode) {
2011 		case MGMT_OP_ADD_UUID:
2012 		case MGMT_OP_REMOVE_UUID:
2013 		case MGMT_OP_SET_DEV_CLASS:
2014 		case MGMT_OP_SET_POWERED:
2015 			return true;
2016 		}
2017 	}
2018 
2019 	return false;
2020 }
2021 
2022 static const u8 bluetooth_base_uuid[] = {
2023 			0xfb, 0x34, 0x9b, 0x5f, 0x80, 0x00, 0x00, 0x80,
2024 			0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2025 };
2026 
2027 static u8 get_uuid_size(const u8 *uuid)
2028 {
2029 	u32 val;
2030 
2031 	if (memcmp(uuid, bluetooth_base_uuid, 12))
2032 		return 128;
2033 
2034 	val = get_unaligned_le32(&uuid[12]);
2035 	if (val > 0xffff)
2036 		return 32;
2037 
2038 	return 16;
2039 }
2040 
2041 static void mgmt_class_complete(struct hci_dev *hdev, u16 mgmt_op, u8 status)
2042 {
2043 	struct mgmt_pending_cmd *cmd;
2044 
2045 	hci_dev_lock(hdev);
2046 
2047 	cmd = pending_find(mgmt_op, hdev);
2048 	if (!cmd)
2049 		goto unlock;
2050 
2051 	mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
2052 			  mgmt_status(status), hdev->dev_class, 3);
2053 
2054 	mgmt_pending_remove(cmd);
2055 
2056 unlock:
2057 	hci_dev_unlock(hdev);
2058 }
2059 
2060 static void add_uuid_complete(struct hci_dev *hdev, u8 status, u16 opcode)
2061 {
2062 	bt_dev_dbg(hdev, "status 0x%02x", status);
2063 
2064 	mgmt_class_complete(hdev, MGMT_OP_ADD_UUID, status);
2065 }
2066 
2067 static int add_uuid(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
2068 {
2069 	struct mgmt_cp_add_uuid *cp = data;
2070 	struct mgmt_pending_cmd *cmd;
2071 	struct hci_request req;
2072 	struct bt_uuid *uuid;
2073 	int err;
2074 
2075 	bt_dev_dbg(hdev, "sock %p", sk);
2076 
2077 	hci_dev_lock(hdev);
2078 
2079 	if (pending_eir_or_class(hdev)) {
2080 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_UUID,
2081 				      MGMT_STATUS_BUSY);
2082 		goto failed;
2083 	}
2084 
2085 	uuid = kmalloc(sizeof(*uuid), GFP_KERNEL);
2086 	if (!uuid) {
2087 		err = -ENOMEM;
2088 		goto failed;
2089 	}
2090 
2091 	memcpy(uuid->uuid, cp->uuid, 16);
2092 	uuid->svc_hint = cp->svc_hint;
2093 	uuid->size = get_uuid_size(cp->uuid);
2094 
2095 	list_add_tail(&uuid->list, &hdev->uuids);
2096 
2097 	hci_req_init(&req, hdev);
2098 
2099 	__hci_req_update_class(&req);
2100 	__hci_req_update_eir(&req);
2101 
2102 	err = hci_req_run(&req, add_uuid_complete);
2103 	if (err < 0) {
2104 		if (err != -ENODATA)
2105 			goto failed;
2106 
2107 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_UUID, 0,
2108 					hdev->dev_class, 3);
2109 		goto failed;
2110 	}
2111 
2112 	cmd = mgmt_pending_add(sk, MGMT_OP_ADD_UUID, hdev, data, len);
2113 	if (!cmd) {
2114 		err = -ENOMEM;
2115 		goto failed;
2116 	}
2117 
2118 	err = 0;
2119 
2120 failed:
2121 	hci_dev_unlock(hdev);
2122 	return err;
2123 }
2124 
2125 static bool enable_service_cache(struct hci_dev *hdev)
2126 {
2127 	if (!hdev_is_powered(hdev))
2128 		return false;
2129 
2130 	if (!hci_dev_test_and_set_flag(hdev, HCI_SERVICE_CACHE)) {
2131 		queue_delayed_work(hdev->workqueue, &hdev->service_cache,
2132 				   CACHE_TIMEOUT);
2133 		return true;
2134 	}
2135 
2136 	return false;
2137 }
2138 
2139 static void remove_uuid_complete(struct hci_dev *hdev, u8 status, u16 opcode)
2140 {
2141 	bt_dev_dbg(hdev, "status 0x%02x", status);
2142 
2143 	mgmt_class_complete(hdev, MGMT_OP_REMOVE_UUID, status);
2144 }
2145 
2146 static int remove_uuid(struct sock *sk, struct hci_dev *hdev, void *data,
2147 		       u16 len)
2148 {
2149 	struct mgmt_cp_remove_uuid *cp = data;
2150 	struct mgmt_pending_cmd *cmd;
2151 	struct bt_uuid *match, *tmp;
2152 	u8 bt_uuid_any[] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
2153 	struct hci_request req;
2154 	int err, found;
2155 
2156 	bt_dev_dbg(hdev, "sock %p", sk);
2157 
2158 	hci_dev_lock(hdev);
2159 
2160 	if (pending_eir_or_class(hdev)) {
2161 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_UUID,
2162 				      MGMT_STATUS_BUSY);
2163 		goto unlock;
2164 	}
2165 
2166 	if (memcmp(cp->uuid, bt_uuid_any, 16) == 0) {
2167 		hci_uuids_clear(hdev);
2168 
2169 		if (enable_service_cache(hdev)) {
2170 			err = mgmt_cmd_complete(sk, hdev->id,
2171 						MGMT_OP_REMOVE_UUID,
2172 						0, hdev->dev_class, 3);
2173 			goto unlock;
2174 		}
2175 
2176 		goto update_class;
2177 	}
2178 
2179 	found = 0;
2180 
2181 	list_for_each_entry_safe(match, tmp, &hdev->uuids, list) {
2182 		if (memcmp(match->uuid, cp->uuid, 16) != 0)
2183 			continue;
2184 
2185 		list_del(&match->list);
2186 		kfree(match);
2187 		found++;
2188 	}
2189 
2190 	if (found == 0) {
2191 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_UUID,
2192 				      MGMT_STATUS_INVALID_PARAMS);
2193 		goto unlock;
2194 	}
2195 
2196 update_class:
2197 	hci_req_init(&req, hdev);
2198 
2199 	__hci_req_update_class(&req);
2200 	__hci_req_update_eir(&req);
2201 
2202 	err = hci_req_run(&req, remove_uuid_complete);
2203 	if (err < 0) {
2204 		if (err != -ENODATA)
2205 			goto unlock;
2206 
2207 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_UUID, 0,
2208 					hdev->dev_class, 3);
2209 		goto unlock;
2210 	}
2211 
2212 	cmd = mgmt_pending_add(sk, MGMT_OP_REMOVE_UUID, hdev, data, len);
2213 	if (!cmd) {
2214 		err = -ENOMEM;
2215 		goto unlock;
2216 	}
2217 
2218 	err = 0;
2219 
2220 unlock:
2221 	hci_dev_unlock(hdev);
2222 	return err;
2223 }
2224 
2225 static void set_class_complete(struct hci_dev *hdev, u8 status, u16 opcode)
2226 {
2227 	bt_dev_dbg(hdev, "status 0x%02x", status);
2228 
2229 	mgmt_class_complete(hdev, MGMT_OP_SET_DEV_CLASS, status);
2230 }
2231 
2232 static int set_dev_class(struct sock *sk, struct hci_dev *hdev, void *data,
2233 			 u16 len)
2234 {
2235 	struct mgmt_cp_set_dev_class *cp = data;
2236 	struct mgmt_pending_cmd *cmd;
2237 	struct hci_request req;
2238 	int err;
2239 
2240 	bt_dev_dbg(hdev, "sock %p", sk);
2241 
2242 	if (!lmp_bredr_capable(hdev))
2243 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEV_CLASS,
2244 				       MGMT_STATUS_NOT_SUPPORTED);
2245 
2246 	hci_dev_lock(hdev);
2247 
2248 	if (pending_eir_or_class(hdev)) {
2249 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEV_CLASS,
2250 				      MGMT_STATUS_BUSY);
2251 		goto unlock;
2252 	}
2253 
2254 	if ((cp->minor & 0x03) != 0 || (cp->major & 0xe0) != 0) {
2255 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEV_CLASS,
2256 				      MGMT_STATUS_INVALID_PARAMS);
2257 		goto unlock;
2258 	}
2259 
2260 	hdev->major_class = cp->major;
2261 	hdev->minor_class = cp->minor;
2262 
2263 	if (!hdev_is_powered(hdev)) {
2264 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_DEV_CLASS, 0,
2265 					hdev->dev_class, 3);
2266 		goto unlock;
2267 	}
2268 
2269 	hci_req_init(&req, hdev);
2270 
2271 	if (hci_dev_test_and_clear_flag(hdev, HCI_SERVICE_CACHE)) {
2272 		hci_dev_unlock(hdev);
2273 		cancel_delayed_work_sync(&hdev->service_cache);
2274 		hci_dev_lock(hdev);
2275 		__hci_req_update_eir(&req);
2276 	}
2277 
2278 	__hci_req_update_class(&req);
2279 
2280 	err = hci_req_run(&req, set_class_complete);
2281 	if (err < 0) {
2282 		if (err != -ENODATA)
2283 			goto unlock;
2284 
2285 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_DEV_CLASS, 0,
2286 					hdev->dev_class, 3);
2287 		goto unlock;
2288 	}
2289 
2290 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_DEV_CLASS, hdev, data, len);
2291 	if (!cmd) {
2292 		err = -ENOMEM;
2293 		goto unlock;
2294 	}
2295 
2296 	err = 0;
2297 
2298 unlock:
2299 	hci_dev_unlock(hdev);
2300 	return err;
2301 }
2302 
2303 static int load_link_keys(struct sock *sk, struct hci_dev *hdev, void *data,
2304 			  u16 len)
2305 {
2306 	struct mgmt_cp_load_link_keys *cp = data;
2307 	const u16 max_key_count = ((U16_MAX - sizeof(*cp)) /
2308 				   sizeof(struct mgmt_link_key_info));
2309 	u16 key_count, expected_len;
2310 	bool changed;
2311 	int i;
2312 
2313 	bt_dev_dbg(hdev, "sock %p", sk);
2314 
2315 	if (!lmp_bredr_capable(hdev))
2316 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2317 				       MGMT_STATUS_NOT_SUPPORTED);
2318 
2319 	key_count = __le16_to_cpu(cp->key_count);
2320 	if (key_count > max_key_count) {
2321 		bt_dev_err(hdev, "load_link_keys: too big key_count value %u",
2322 			   key_count);
2323 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2324 				       MGMT_STATUS_INVALID_PARAMS);
2325 	}
2326 
2327 	expected_len = struct_size(cp, keys, key_count);
2328 	if (expected_len != len) {
2329 		bt_dev_err(hdev, "load_link_keys: expected %u bytes, got %u bytes",
2330 			   expected_len, len);
2331 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2332 				       MGMT_STATUS_INVALID_PARAMS);
2333 	}
2334 
2335 	if (cp->debug_keys != 0x00 && cp->debug_keys != 0x01)
2336 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2337 				       MGMT_STATUS_INVALID_PARAMS);
2338 
2339 	bt_dev_dbg(hdev, "debug_keys %u key_count %u", cp->debug_keys,
2340 		   key_count);
2341 
2342 	for (i = 0; i < key_count; i++) {
2343 		struct mgmt_link_key_info *key = &cp->keys[i];
2344 
2345 		if (key->addr.type != BDADDR_BREDR || key->type > 0x08)
2346 			return mgmt_cmd_status(sk, hdev->id,
2347 					       MGMT_OP_LOAD_LINK_KEYS,
2348 					       MGMT_STATUS_INVALID_PARAMS);
2349 	}
2350 
2351 	hci_dev_lock(hdev);
2352 
2353 	hci_link_keys_clear(hdev);
2354 
2355 	if (cp->debug_keys)
2356 		changed = !hci_dev_test_and_set_flag(hdev, HCI_KEEP_DEBUG_KEYS);
2357 	else
2358 		changed = hci_dev_test_and_clear_flag(hdev,
2359 						      HCI_KEEP_DEBUG_KEYS);
2360 
2361 	if (changed)
2362 		new_settings(hdev, NULL);
2363 
2364 	for (i = 0; i < key_count; i++) {
2365 		struct mgmt_link_key_info *key = &cp->keys[i];
2366 
2367 		if (hci_is_blocked_key(hdev,
2368 				       HCI_BLOCKED_KEY_TYPE_LINKKEY,
2369 				       key->val)) {
2370 			bt_dev_warn(hdev, "Skipping blocked link key for %pMR",
2371 				    &key->addr.bdaddr);
2372 			continue;
2373 		}
2374 
2375 		/* Always ignore debug keys and require a new pairing if
2376 		 * the user wants to use them.
2377 		 */
2378 		if (key->type == HCI_LK_DEBUG_COMBINATION)
2379 			continue;
2380 
2381 		hci_add_link_key(hdev, NULL, &key->addr.bdaddr, key->val,
2382 				 key->type, key->pin_len, NULL);
2383 	}
2384 
2385 	mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS, 0, NULL, 0);
2386 
2387 	hci_dev_unlock(hdev);
2388 
2389 	return 0;
2390 }
2391 
2392 static int device_unpaired(struct hci_dev *hdev, bdaddr_t *bdaddr,
2393 			   u8 addr_type, struct sock *skip_sk)
2394 {
2395 	struct mgmt_ev_device_unpaired ev;
2396 
2397 	bacpy(&ev.addr.bdaddr, bdaddr);
2398 	ev.addr.type = addr_type;
2399 
2400 	return mgmt_event(MGMT_EV_DEVICE_UNPAIRED, hdev, &ev, sizeof(ev),
2401 			  skip_sk);
2402 }
2403 
2404 static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2405 			 u16 len)
2406 {
2407 	struct mgmt_cp_unpair_device *cp = data;
2408 	struct mgmt_rp_unpair_device rp;
2409 	struct hci_conn_params *params;
2410 	struct mgmt_pending_cmd *cmd;
2411 	struct hci_conn *conn;
2412 	u8 addr_type;
2413 	int err;
2414 
2415 	memset(&rp, 0, sizeof(rp));
2416 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
2417 	rp.addr.type = cp->addr.type;
2418 
2419 	if (!bdaddr_type_is_valid(cp->addr.type))
2420 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2421 					 MGMT_STATUS_INVALID_PARAMS,
2422 					 &rp, sizeof(rp));
2423 
2424 	if (cp->disconnect != 0x00 && cp->disconnect != 0x01)
2425 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2426 					 MGMT_STATUS_INVALID_PARAMS,
2427 					 &rp, sizeof(rp));
2428 
2429 	hci_dev_lock(hdev);
2430 
2431 	if (!hdev_is_powered(hdev)) {
2432 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2433 					MGMT_STATUS_NOT_POWERED, &rp,
2434 					sizeof(rp));
2435 		goto unlock;
2436 	}
2437 
2438 	if (cp->addr.type == BDADDR_BREDR) {
2439 		/* If disconnection is requested, then look up the
2440 		 * connection. If the remote device is connected, it
2441 		 * will be later used to terminate the link.
2442 		 *
2443 		 * Setting it to NULL explicitly will cause no
2444 		 * termination of the link.
2445 		 */
2446 		if (cp->disconnect)
2447 			conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
2448 						       &cp->addr.bdaddr);
2449 		else
2450 			conn = NULL;
2451 
2452 		err = hci_remove_link_key(hdev, &cp->addr.bdaddr);
2453 		if (err < 0) {
2454 			err = mgmt_cmd_complete(sk, hdev->id,
2455 						MGMT_OP_UNPAIR_DEVICE,
2456 						MGMT_STATUS_NOT_PAIRED, &rp,
2457 						sizeof(rp));
2458 			goto unlock;
2459 		}
2460 
2461 		goto done;
2462 	}
2463 
2464 	/* LE address type */
2465 	addr_type = le_addr_type(cp->addr.type);
2466 
2467 	/* Abort any ongoing SMP pairing. Removes ltk and irk if they exist. */
2468 	err = smp_cancel_and_remove_pairing(hdev, &cp->addr.bdaddr, addr_type);
2469 	if (err < 0) {
2470 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2471 					MGMT_STATUS_NOT_PAIRED, &rp,
2472 					sizeof(rp));
2473 		goto unlock;
2474 	}
2475 
2476 	conn = hci_conn_hash_lookup_le(hdev, &cp->addr.bdaddr, addr_type);
2477 	if (!conn) {
2478 		hci_conn_params_del(hdev, &cp->addr.bdaddr, addr_type);
2479 		goto done;
2480 	}
2481 
2482 
2483 	/* Defer clearing up the connection parameters until closing to
2484 	 * give a chance of keeping them if a repairing happens.
2485 	 */
2486 	set_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags);
2487 
2488 	/* Disable auto-connection parameters if present */
2489 	params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr, addr_type);
2490 	if (params) {
2491 		if (params->explicit_connect)
2492 			params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
2493 		else
2494 			params->auto_connect = HCI_AUTO_CONN_DISABLED;
2495 	}
2496 
2497 	/* If disconnection is not requested, then clear the connection
2498 	 * variable so that the link is not terminated.
2499 	 */
2500 	if (!cp->disconnect)
2501 		conn = NULL;
2502 
2503 done:
2504 	/* If the connection variable is set, then termination of the
2505 	 * link is requested.
2506 	 */
2507 	if (!conn) {
2508 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE, 0,
2509 					&rp, sizeof(rp));
2510 		device_unpaired(hdev, &cp->addr.bdaddr, cp->addr.type, sk);
2511 		goto unlock;
2512 	}
2513 
2514 	cmd = mgmt_pending_add(sk, MGMT_OP_UNPAIR_DEVICE, hdev, cp,
2515 			       sizeof(*cp));
2516 	if (!cmd) {
2517 		err = -ENOMEM;
2518 		goto unlock;
2519 	}
2520 
2521 	cmd->cmd_complete = addr_cmd_complete;
2522 
2523 	err = hci_abort_conn(conn, HCI_ERROR_REMOTE_USER_TERM);
2524 	if (err < 0)
2525 		mgmt_pending_remove(cmd);
2526 
2527 unlock:
2528 	hci_dev_unlock(hdev);
2529 	return err;
2530 }
2531 
2532 static int disconnect(struct sock *sk, struct hci_dev *hdev, void *data,
2533 		      u16 len)
2534 {
2535 	struct mgmt_cp_disconnect *cp = data;
2536 	struct mgmt_rp_disconnect rp;
2537 	struct mgmt_pending_cmd *cmd;
2538 	struct hci_conn *conn;
2539 	int err;
2540 
2541 	bt_dev_dbg(hdev, "sock %p", sk);
2542 
2543 	memset(&rp, 0, sizeof(rp));
2544 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
2545 	rp.addr.type = cp->addr.type;
2546 
2547 	if (!bdaddr_type_is_valid(cp->addr.type))
2548 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
2549 					 MGMT_STATUS_INVALID_PARAMS,
2550 					 &rp, sizeof(rp));
2551 
2552 	hci_dev_lock(hdev);
2553 
2554 	if (!test_bit(HCI_UP, &hdev->flags)) {
2555 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
2556 					MGMT_STATUS_NOT_POWERED, &rp,
2557 					sizeof(rp));
2558 		goto failed;
2559 	}
2560 
2561 	if (pending_find(MGMT_OP_DISCONNECT, hdev)) {
2562 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
2563 					MGMT_STATUS_BUSY, &rp, sizeof(rp));
2564 		goto failed;
2565 	}
2566 
2567 	if (cp->addr.type == BDADDR_BREDR)
2568 		conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
2569 					       &cp->addr.bdaddr);
2570 	else
2571 		conn = hci_conn_hash_lookup_le(hdev, &cp->addr.bdaddr,
2572 					       le_addr_type(cp->addr.type));
2573 
2574 	if (!conn || conn->state == BT_OPEN || conn->state == BT_CLOSED) {
2575 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
2576 					MGMT_STATUS_NOT_CONNECTED, &rp,
2577 					sizeof(rp));
2578 		goto failed;
2579 	}
2580 
2581 	cmd = mgmt_pending_add(sk, MGMT_OP_DISCONNECT, hdev, data, len);
2582 	if (!cmd) {
2583 		err = -ENOMEM;
2584 		goto failed;
2585 	}
2586 
2587 	cmd->cmd_complete = generic_cmd_complete;
2588 
2589 	err = hci_disconnect(conn, HCI_ERROR_REMOTE_USER_TERM);
2590 	if (err < 0)
2591 		mgmt_pending_remove(cmd);
2592 
2593 failed:
2594 	hci_dev_unlock(hdev);
2595 	return err;
2596 }
2597 
2598 static u8 link_to_bdaddr(u8 link_type, u8 addr_type)
2599 {
2600 	switch (link_type) {
2601 	case LE_LINK:
2602 		switch (addr_type) {
2603 		case ADDR_LE_DEV_PUBLIC:
2604 			return BDADDR_LE_PUBLIC;
2605 
2606 		default:
2607 			/* Fallback to LE Random address type */
2608 			return BDADDR_LE_RANDOM;
2609 		}
2610 
2611 	default:
2612 		/* Fallback to BR/EDR type */
2613 		return BDADDR_BREDR;
2614 	}
2615 }
2616 
2617 static int get_connections(struct sock *sk, struct hci_dev *hdev, void *data,
2618 			   u16 data_len)
2619 {
2620 	struct mgmt_rp_get_connections *rp;
2621 	struct hci_conn *c;
2622 	int err;
2623 	u16 i;
2624 
2625 	bt_dev_dbg(hdev, "sock %p", sk);
2626 
2627 	hci_dev_lock(hdev);
2628 
2629 	if (!hdev_is_powered(hdev)) {
2630 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_GET_CONNECTIONS,
2631 				      MGMT_STATUS_NOT_POWERED);
2632 		goto unlock;
2633 	}
2634 
2635 	i = 0;
2636 	list_for_each_entry(c, &hdev->conn_hash.list, list) {
2637 		if (test_bit(HCI_CONN_MGMT_CONNECTED, &c->flags))
2638 			i++;
2639 	}
2640 
2641 	rp = kmalloc(struct_size(rp, addr, i), GFP_KERNEL);
2642 	if (!rp) {
2643 		err = -ENOMEM;
2644 		goto unlock;
2645 	}
2646 
2647 	i = 0;
2648 	list_for_each_entry(c, &hdev->conn_hash.list, list) {
2649 		if (!test_bit(HCI_CONN_MGMT_CONNECTED, &c->flags))
2650 			continue;
2651 		bacpy(&rp->addr[i].bdaddr, &c->dst);
2652 		rp->addr[i].type = link_to_bdaddr(c->type, c->dst_type);
2653 		if (c->type == SCO_LINK || c->type == ESCO_LINK)
2654 			continue;
2655 		i++;
2656 	}
2657 
2658 	rp->conn_count = cpu_to_le16(i);
2659 
2660 	/* Recalculate length in case of filtered SCO connections, etc */
2661 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONNECTIONS, 0, rp,
2662 				struct_size(rp, addr, i));
2663 
2664 	kfree(rp);
2665 
2666 unlock:
2667 	hci_dev_unlock(hdev);
2668 	return err;
2669 }
2670 
2671 static int send_pin_code_neg_reply(struct sock *sk, struct hci_dev *hdev,
2672 				   struct mgmt_cp_pin_code_neg_reply *cp)
2673 {
2674 	struct mgmt_pending_cmd *cmd;
2675 	int err;
2676 
2677 	cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_NEG_REPLY, hdev, cp,
2678 			       sizeof(*cp));
2679 	if (!cmd)
2680 		return -ENOMEM;
2681 
2682 	cmd->cmd_complete = addr_cmd_complete;
2683 
2684 	err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
2685 			   sizeof(cp->addr.bdaddr), &cp->addr.bdaddr);
2686 	if (err < 0)
2687 		mgmt_pending_remove(cmd);
2688 
2689 	return err;
2690 }
2691 
2692 static int pin_code_reply(struct sock *sk, struct hci_dev *hdev, void *data,
2693 			  u16 len)
2694 {
2695 	struct hci_conn *conn;
2696 	struct mgmt_cp_pin_code_reply *cp = data;
2697 	struct hci_cp_pin_code_reply reply;
2698 	struct mgmt_pending_cmd *cmd;
2699 	int err;
2700 
2701 	bt_dev_dbg(hdev, "sock %p", sk);
2702 
2703 	hci_dev_lock(hdev);
2704 
2705 	if (!hdev_is_powered(hdev)) {
2706 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
2707 				      MGMT_STATUS_NOT_POWERED);
2708 		goto failed;
2709 	}
2710 
2711 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->addr.bdaddr);
2712 	if (!conn) {
2713 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
2714 				      MGMT_STATUS_NOT_CONNECTED);
2715 		goto failed;
2716 	}
2717 
2718 	if (conn->pending_sec_level == BT_SECURITY_HIGH && cp->pin_len != 16) {
2719 		struct mgmt_cp_pin_code_neg_reply ncp;
2720 
2721 		memcpy(&ncp.addr, &cp->addr, sizeof(ncp.addr));
2722 
2723 		bt_dev_err(hdev, "PIN code is not 16 bytes long");
2724 
2725 		err = send_pin_code_neg_reply(sk, hdev, &ncp);
2726 		if (err >= 0)
2727 			err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
2728 					      MGMT_STATUS_INVALID_PARAMS);
2729 
2730 		goto failed;
2731 	}
2732 
2733 	cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_REPLY, hdev, data, len);
2734 	if (!cmd) {
2735 		err = -ENOMEM;
2736 		goto failed;
2737 	}
2738 
2739 	cmd->cmd_complete = addr_cmd_complete;
2740 
2741 	bacpy(&reply.bdaddr, &cp->addr.bdaddr);
2742 	reply.pin_len = cp->pin_len;
2743 	memcpy(reply.pin_code, cp->pin_code, sizeof(reply.pin_code));
2744 
2745 	err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_REPLY, sizeof(reply), &reply);
2746 	if (err < 0)
2747 		mgmt_pending_remove(cmd);
2748 
2749 failed:
2750 	hci_dev_unlock(hdev);
2751 	return err;
2752 }
2753 
2754 static int set_io_capability(struct sock *sk, struct hci_dev *hdev, void *data,
2755 			     u16 len)
2756 {
2757 	struct mgmt_cp_set_io_capability *cp = data;
2758 
2759 	bt_dev_dbg(hdev, "sock %p", sk);
2760 
2761 	if (cp->io_capability > SMP_IO_KEYBOARD_DISPLAY)
2762 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_IO_CAPABILITY,
2763 				       MGMT_STATUS_INVALID_PARAMS);
2764 
2765 	hci_dev_lock(hdev);
2766 
2767 	hdev->io_capability = cp->io_capability;
2768 
2769 	bt_dev_dbg(hdev, "IO capability set to 0x%02x", hdev->io_capability);
2770 
2771 	hci_dev_unlock(hdev);
2772 
2773 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_IO_CAPABILITY, 0,
2774 				 NULL, 0);
2775 }
2776 
2777 static struct mgmt_pending_cmd *find_pairing(struct hci_conn *conn)
2778 {
2779 	struct hci_dev *hdev = conn->hdev;
2780 	struct mgmt_pending_cmd *cmd;
2781 
2782 	list_for_each_entry(cmd, &hdev->mgmt_pending, list) {
2783 		if (cmd->opcode != MGMT_OP_PAIR_DEVICE)
2784 			continue;
2785 
2786 		if (cmd->user_data != conn)
2787 			continue;
2788 
2789 		return cmd;
2790 	}
2791 
2792 	return NULL;
2793 }
2794 
2795 static int pairing_complete(struct mgmt_pending_cmd *cmd, u8 status)
2796 {
2797 	struct mgmt_rp_pair_device rp;
2798 	struct hci_conn *conn = cmd->user_data;
2799 	int err;
2800 
2801 	bacpy(&rp.addr.bdaddr, &conn->dst);
2802 	rp.addr.type = link_to_bdaddr(conn->type, conn->dst_type);
2803 
2804 	err = mgmt_cmd_complete(cmd->sk, cmd->index, MGMT_OP_PAIR_DEVICE,
2805 				status, &rp, sizeof(rp));
2806 
2807 	/* So we don't get further callbacks for this connection */
2808 	conn->connect_cfm_cb = NULL;
2809 	conn->security_cfm_cb = NULL;
2810 	conn->disconn_cfm_cb = NULL;
2811 
2812 	hci_conn_drop(conn);
2813 
2814 	/* The device is paired so there is no need to remove
2815 	 * its connection parameters anymore.
2816 	 */
2817 	clear_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags);
2818 
2819 	hci_conn_put(conn);
2820 
2821 	return err;
2822 }
2823 
2824 void mgmt_smp_complete(struct hci_conn *conn, bool complete)
2825 {
2826 	u8 status = complete ? MGMT_STATUS_SUCCESS : MGMT_STATUS_FAILED;
2827 	struct mgmt_pending_cmd *cmd;
2828 
2829 	cmd = find_pairing(conn);
2830 	if (cmd) {
2831 		cmd->cmd_complete(cmd, status);
2832 		mgmt_pending_remove(cmd);
2833 	}
2834 }
2835 
2836 static void pairing_complete_cb(struct hci_conn *conn, u8 status)
2837 {
2838 	struct mgmt_pending_cmd *cmd;
2839 
2840 	BT_DBG("status %u", status);
2841 
2842 	cmd = find_pairing(conn);
2843 	if (!cmd) {
2844 		BT_DBG("Unable to find a pending command");
2845 		return;
2846 	}
2847 
2848 	cmd->cmd_complete(cmd, mgmt_status(status));
2849 	mgmt_pending_remove(cmd);
2850 }
2851 
2852 static void le_pairing_complete_cb(struct hci_conn *conn, u8 status)
2853 {
2854 	struct mgmt_pending_cmd *cmd;
2855 
2856 	BT_DBG("status %u", status);
2857 
2858 	if (!status)
2859 		return;
2860 
2861 	cmd = find_pairing(conn);
2862 	if (!cmd) {
2863 		BT_DBG("Unable to find a pending command");
2864 		return;
2865 	}
2866 
2867 	cmd->cmd_complete(cmd, mgmt_status(status));
2868 	mgmt_pending_remove(cmd);
2869 }
2870 
2871 static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2872 		       u16 len)
2873 {
2874 	struct mgmt_cp_pair_device *cp = data;
2875 	struct mgmt_rp_pair_device rp;
2876 	struct mgmt_pending_cmd *cmd;
2877 	u8 sec_level, auth_type;
2878 	struct hci_conn *conn;
2879 	int err;
2880 
2881 	bt_dev_dbg(hdev, "sock %p", sk);
2882 
2883 	memset(&rp, 0, sizeof(rp));
2884 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
2885 	rp.addr.type = cp->addr.type;
2886 
2887 	if (!bdaddr_type_is_valid(cp->addr.type))
2888 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2889 					 MGMT_STATUS_INVALID_PARAMS,
2890 					 &rp, sizeof(rp));
2891 
2892 	if (cp->io_cap > SMP_IO_KEYBOARD_DISPLAY)
2893 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2894 					 MGMT_STATUS_INVALID_PARAMS,
2895 					 &rp, sizeof(rp));
2896 
2897 	hci_dev_lock(hdev);
2898 
2899 	if (!hdev_is_powered(hdev)) {
2900 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2901 					MGMT_STATUS_NOT_POWERED, &rp,
2902 					sizeof(rp));
2903 		goto unlock;
2904 	}
2905 
2906 	if (hci_bdaddr_is_paired(hdev, &cp->addr.bdaddr, cp->addr.type)) {
2907 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2908 					MGMT_STATUS_ALREADY_PAIRED, &rp,
2909 					sizeof(rp));
2910 		goto unlock;
2911 	}
2912 
2913 	sec_level = BT_SECURITY_MEDIUM;
2914 	auth_type = HCI_AT_DEDICATED_BONDING;
2915 
2916 	if (cp->addr.type == BDADDR_BREDR) {
2917 		conn = hci_connect_acl(hdev, &cp->addr.bdaddr, sec_level,
2918 				       auth_type);
2919 	} else {
2920 		u8 addr_type = le_addr_type(cp->addr.type);
2921 		struct hci_conn_params *p;
2922 
2923 		/* When pairing a new device, it is expected to remember
2924 		 * this device for future connections. Adding the connection
2925 		 * parameter information ahead of time allows tracking
2926 		 * of the slave preferred values and will speed up any
2927 		 * further connection establishment.
2928 		 *
2929 		 * If connection parameters already exist, then they
2930 		 * will be kept and this function does nothing.
2931 		 */
2932 		p = hci_conn_params_add(hdev, &cp->addr.bdaddr, addr_type);
2933 
2934 		if (p->auto_connect == HCI_AUTO_CONN_EXPLICIT)
2935 			p->auto_connect = HCI_AUTO_CONN_DISABLED;
2936 
2937 		conn = hci_connect_le_scan(hdev, &cp->addr.bdaddr,
2938 					   addr_type, sec_level,
2939 					   HCI_LE_CONN_TIMEOUT);
2940 	}
2941 
2942 	if (IS_ERR(conn)) {
2943 		int status;
2944 
2945 		if (PTR_ERR(conn) == -EBUSY)
2946 			status = MGMT_STATUS_BUSY;
2947 		else if (PTR_ERR(conn) == -EOPNOTSUPP)
2948 			status = MGMT_STATUS_NOT_SUPPORTED;
2949 		else if (PTR_ERR(conn) == -ECONNREFUSED)
2950 			status = MGMT_STATUS_REJECTED;
2951 		else
2952 			status = MGMT_STATUS_CONNECT_FAILED;
2953 
2954 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2955 					status, &rp, sizeof(rp));
2956 		goto unlock;
2957 	}
2958 
2959 	if (conn->connect_cfm_cb) {
2960 		hci_conn_drop(conn);
2961 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2962 					MGMT_STATUS_BUSY, &rp, sizeof(rp));
2963 		goto unlock;
2964 	}
2965 
2966 	cmd = mgmt_pending_add(sk, MGMT_OP_PAIR_DEVICE, hdev, data, len);
2967 	if (!cmd) {
2968 		err = -ENOMEM;
2969 		hci_conn_drop(conn);
2970 		goto unlock;
2971 	}
2972 
2973 	cmd->cmd_complete = pairing_complete;
2974 
2975 	/* For LE, just connecting isn't a proof that the pairing finished */
2976 	if (cp->addr.type == BDADDR_BREDR) {
2977 		conn->connect_cfm_cb = pairing_complete_cb;
2978 		conn->security_cfm_cb = pairing_complete_cb;
2979 		conn->disconn_cfm_cb = pairing_complete_cb;
2980 	} else {
2981 		conn->connect_cfm_cb = le_pairing_complete_cb;
2982 		conn->security_cfm_cb = le_pairing_complete_cb;
2983 		conn->disconn_cfm_cb = le_pairing_complete_cb;
2984 	}
2985 
2986 	conn->io_capability = cp->io_cap;
2987 	cmd->user_data = hci_conn_get(conn);
2988 
2989 	if ((conn->state == BT_CONNECTED || conn->state == BT_CONFIG) &&
2990 	    hci_conn_security(conn, sec_level, auth_type, true)) {
2991 		cmd->cmd_complete(cmd, 0);
2992 		mgmt_pending_remove(cmd);
2993 	}
2994 
2995 	err = 0;
2996 
2997 unlock:
2998 	hci_dev_unlock(hdev);
2999 	return err;
3000 }
3001 
3002 static int cancel_pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
3003 			      u16 len)
3004 {
3005 	struct mgmt_addr_info *addr = data;
3006 	struct mgmt_pending_cmd *cmd;
3007 	struct hci_conn *conn;
3008 	int err;
3009 
3010 	bt_dev_dbg(hdev, "sock %p", sk);
3011 
3012 	hci_dev_lock(hdev);
3013 
3014 	if (!hdev_is_powered(hdev)) {
3015 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
3016 				      MGMT_STATUS_NOT_POWERED);
3017 		goto unlock;
3018 	}
3019 
3020 	cmd = pending_find(MGMT_OP_PAIR_DEVICE, hdev);
3021 	if (!cmd) {
3022 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
3023 				      MGMT_STATUS_INVALID_PARAMS);
3024 		goto unlock;
3025 	}
3026 
3027 	conn = cmd->user_data;
3028 
3029 	if (bacmp(&addr->bdaddr, &conn->dst) != 0) {
3030 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
3031 				      MGMT_STATUS_INVALID_PARAMS);
3032 		goto unlock;
3033 	}
3034 
3035 	cmd->cmd_complete(cmd, MGMT_STATUS_CANCELLED);
3036 	mgmt_pending_remove(cmd);
3037 
3038 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE, 0,
3039 				addr, sizeof(*addr));
3040 unlock:
3041 	hci_dev_unlock(hdev);
3042 	return err;
3043 }
3044 
3045 static int user_pairing_resp(struct sock *sk, struct hci_dev *hdev,
3046 			     struct mgmt_addr_info *addr, u16 mgmt_op,
3047 			     u16 hci_op, __le32 passkey)
3048 {
3049 	struct mgmt_pending_cmd *cmd;
3050 	struct hci_conn *conn;
3051 	int err;
3052 
3053 	hci_dev_lock(hdev);
3054 
3055 	if (!hdev_is_powered(hdev)) {
3056 		err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
3057 					MGMT_STATUS_NOT_POWERED, addr,
3058 					sizeof(*addr));
3059 		goto done;
3060 	}
3061 
3062 	if (addr->type == BDADDR_BREDR)
3063 		conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &addr->bdaddr);
3064 	else
3065 		conn = hci_conn_hash_lookup_le(hdev, &addr->bdaddr,
3066 					       le_addr_type(addr->type));
3067 
3068 	if (!conn) {
3069 		err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
3070 					MGMT_STATUS_NOT_CONNECTED, addr,
3071 					sizeof(*addr));
3072 		goto done;
3073 	}
3074 
3075 	if (addr->type == BDADDR_LE_PUBLIC || addr->type == BDADDR_LE_RANDOM) {
3076 		err = smp_user_confirm_reply(conn, mgmt_op, passkey);
3077 		if (!err)
3078 			err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
3079 						MGMT_STATUS_SUCCESS, addr,
3080 						sizeof(*addr));
3081 		else
3082 			err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
3083 						MGMT_STATUS_FAILED, addr,
3084 						sizeof(*addr));
3085 
3086 		goto done;
3087 	}
3088 
3089 	cmd = mgmt_pending_add(sk, mgmt_op, hdev, addr, sizeof(*addr));
3090 	if (!cmd) {
3091 		err = -ENOMEM;
3092 		goto done;
3093 	}
3094 
3095 	cmd->cmd_complete = addr_cmd_complete;
3096 
3097 	/* Continue with pairing via HCI */
3098 	if (hci_op == HCI_OP_USER_PASSKEY_REPLY) {
3099 		struct hci_cp_user_passkey_reply cp;
3100 
3101 		bacpy(&cp.bdaddr, &addr->bdaddr);
3102 		cp.passkey = passkey;
3103 		err = hci_send_cmd(hdev, hci_op, sizeof(cp), &cp);
3104 	} else
3105 		err = hci_send_cmd(hdev, hci_op, sizeof(addr->bdaddr),
3106 				   &addr->bdaddr);
3107 
3108 	if (err < 0)
3109 		mgmt_pending_remove(cmd);
3110 
3111 done:
3112 	hci_dev_unlock(hdev);
3113 	return err;
3114 }
3115 
3116 static int pin_code_neg_reply(struct sock *sk, struct hci_dev *hdev,
3117 			      void *data, u16 len)
3118 {
3119 	struct mgmt_cp_pin_code_neg_reply *cp = data;
3120 
3121 	bt_dev_dbg(hdev, "sock %p", sk);
3122 
3123 	return user_pairing_resp(sk, hdev, &cp->addr,
3124 				MGMT_OP_PIN_CODE_NEG_REPLY,
3125 				HCI_OP_PIN_CODE_NEG_REPLY, 0);
3126 }
3127 
3128 static int user_confirm_reply(struct sock *sk, struct hci_dev *hdev, void *data,
3129 			      u16 len)
3130 {
3131 	struct mgmt_cp_user_confirm_reply *cp = data;
3132 
3133 	bt_dev_dbg(hdev, "sock %p", sk);
3134 
3135 	if (len != sizeof(*cp))
3136 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_USER_CONFIRM_REPLY,
3137 				       MGMT_STATUS_INVALID_PARAMS);
3138 
3139 	return user_pairing_resp(sk, hdev, &cp->addr,
3140 				 MGMT_OP_USER_CONFIRM_REPLY,
3141 				 HCI_OP_USER_CONFIRM_REPLY, 0);
3142 }
3143 
3144 static int user_confirm_neg_reply(struct sock *sk, struct hci_dev *hdev,
3145 				  void *data, u16 len)
3146 {
3147 	struct mgmt_cp_user_confirm_neg_reply *cp = data;
3148 
3149 	bt_dev_dbg(hdev, "sock %p", sk);
3150 
3151 	return user_pairing_resp(sk, hdev, &cp->addr,
3152 				 MGMT_OP_USER_CONFIRM_NEG_REPLY,
3153 				 HCI_OP_USER_CONFIRM_NEG_REPLY, 0);
3154 }
3155 
3156 static int user_passkey_reply(struct sock *sk, struct hci_dev *hdev, void *data,
3157 			      u16 len)
3158 {
3159 	struct mgmt_cp_user_passkey_reply *cp = data;
3160 
3161 	bt_dev_dbg(hdev, "sock %p", sk);
3162 
3163 	return user_pairing_resp(sk, hdev, &cp->addr,
3164 				 MGMT_OP_USER_PASSKEY_REPLY,
3165 				 HCI_OP_USER_PASSKEY_REPLY, cp->passkey);
3166 }
3167 
3168 static int user_passkey_neg_reply(struct sock *sk, struct hci_dev *hdev,
3169 				  void *data, u16 len)
3170 {
3171 	struct mgmt_cp_user_passkey_neg_reply *cp = data;
3172 
3173 	bt_dev_dbg(hdev, "sock %p", sk);
3174 
3175 	return user_pairing_resp(sk, hdev, &cp->addr,
3176 				 MGMT_OP_USER_PASSKEY_NEG_REPLY,
3177 				 HCI_OP_USER_PASSKEY_NEG_REPLY, 0);
3178 }
3179 
3180 static void adv_expire(struct hci_dev *hdev, u32 flags)
3181 {
3182 	struct adv_info *adv_instance;
3183 	struct hci_request req;
3184 	int err;
3185 
3186 	adv_instance = hci_find_adv_instance(hdev, hdev->cur_adv_instance);
3187 	if (!adv_instance)
3188 		return;
3189 
3190 	/* stop if current instance doesn't need to be changed */
3191 	if (!(adv_instance->flags & flags))
3192 		return;
3193 
3194 	cancel_adv_timeout(hdev);
3195 
3196 	adv_instance = hci_get_next_instance(hdev, adv_instance->instance);
3197 	if (!adv_instance)
3198 		return;
3199 
3200 	hci_req_init(&req, hdev);
3201 	err = __hci_req_schedule_adv_instance(&req, adv_instance->instance,
3202 					      true);
3203 	if (err)
3204 		return;
3205 
3206 	hci_req_run(&req, NULL);
3207 }
3208 
3209 static void set_name_complete(struct hci_dev *hdev, u8 status, u16 opcode)
3210 {
3211 	struct mgmt_cp_set_local_name *cp;
3212 	struct mgmt_pending_cmd *cmd;
3213 
3214 	bt_dev_dbg(hdev, "status 0x%02x", status);
3215 
3216 	hci_dev_lock(hdev);
3217 
3218 	cmd = pending_find(MGMT_OP_SET_LOCAL_NAME, hdev);
3219 	if (!cmd)
3220 		goto unlock;
3221 
3222 	cp = cmd->param;
3223 
3224 	if (status) {
3225 		mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_LOCAL_NAME,
3226 			        mgmt_status(status));
3227 	} else {
3228 		mgmt_cmd_complete(cmd->sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, 0,
3229 				  cp, sizeof(*cp));
3230 
3231 		if (hci_dev_test_flag(hdev, HCI_LE_ADV))
3232 			adv_expire(hdev, MGMT_ADV_FLAG_LOCAL_NAME);
3233 	}
3234 
3235 	mgmt_pending_remove(cmd);
3236 
3237 unlock:
3238 	hci_dev_unlock(hdev);
3239 }
3240 
3241 static int set_local_name(struct sock *sk, struct hci_dev *hdev, void *data,
3242 			  u16 len)
3243 {
3244 	struct mgmt_cp_set_local_name *cp = data;
3245 	struct mgmt_pending_cmd *cmd;
3246 	struct hci_request req;
3247 	int err;
3248 
3249 	bt_dev_dbg(hdev, "sock %p", sk);
3250 
3251 	hci_dev_lock(hdev);
3252 
3253 	/* If the old values are the same as the new ones just return a
3254 	 * direct command complete event.
3255 	 */
3256 	if (!memcmp(hdev->dev_name, cp->name, sizeof(hdev->dev_name)) &&
3257 	    !memcmp(hdev->short_name, cp->short_name,
3258 		    sizeof(hdev->short_name))) {
3259 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, 0,
3260 					data, len);
3261 		goto failed;
3262 	}
3263 
3264 	memcpy(hdev->short_name, cp->short_name, sizeof(hdev->short_name));
3265 
3266 	if (!hdev_is_powered(hdev)) {
3267 		memcpy(hdev->dev_name, cp->name, sizeof(hdev->dev_name));
3268 
3269 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, 0,
3270 					data, len);
3271 		if (err < 0)
3272 			goto failed;
3273 
3274 		err = mgmt_limited_event(MGMT_EV_LOCAL_NAME_CHANGED, hdev, data,
3275 					 len, HCI_MGMT_LOCAL_NAME_EVENTS, sk);
3276 		ext_info_changed(hdev, sk);
3277 
3278 		goto failed;
3279 	}
3280 
3281 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_LOCAL_NAME, hdev, data, len);
3282 	if (!cmd) {
3283 		err = -ENOMEM;
3284 		goto failed;
3285 	}
3286 
3287 	memcpy(hdev->dev_name, cp->name, sizeof(hdev->dev_name));
3288 
3289 	hci_req_init(&req, hdev);
3290 
3291 	if (lmp_bredr_capable(hdev)) {
3292 		__hci_req_update_name(&req);
3293 		__hci_req_update_eir(&req);
3294 	}
3295 
3296 	/* The name is stored in the scan response data and so
3297 	 * no need to udpate the advertising data here.
3298 	 */
3299 	if (lmp_le_capable(hdev) && hci_dev_test_flag(hdev, HCI_ADVERTISING))
3300 		__hci_req_update_scan_rsp_data(&req, hdev->cur_adv_instance);
3301 
3302 	err = hci_req_run(&req, set_name_complete);
3303 	if (err < 0)
3304 		mgmt_pending_remove(cmd);
3305 
3306 failed:
3307 	hci_dev_unlock(hdev);
3308 	return err;
3309 }
3310 
3311 static int set_appearance(struct sock *sk, struct hci_dev *hdev, void *data,
3312 			  u16 len)
3313 {
3314 	struct mgmt_cp_set_appearance *cp = data;
3315 	u16 appearance;
3316 	int err;
3317 
3318 	bt_dev_dbg(hdev, "sock %p", sk);
3319 
3320 	if (!lmp_le_capable(hdev))
3321 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_APPEARANCE,
3322 				       MGMT_STATUS_NOT_SUPPORTED);
3323 
3324 	appearance = le16_to_cpu(cp->appearance);
3325 
3326 	hci_dev_lock(hdev);
3327 
3328 	if (hdev->appearance != appearance) {
3329 		hdev->appearance = appearance;
3330 
3331 		if (hci_dev_test_flag(hdev, HCI_LE_ADV))
3332 			adv_expire(hdev, MGMT_ADV_FLAG_APPEARANCE);
3333 
3334 		ext_info_changed(hdev, sk);
3335 	}
3336 
3337 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_APPEARANCE, 0, NULL,
3338 				0);
3339 
3340 	hci_dev_unlock(hdev);
3341 
3342 	return err;
3343 }
3344 
3345 static int get_phy_configuration(struct sock *sk, struct hci_dev *hdev,
3346 				 void *data, u16 len)
3347 {
3348 	struct mgmt_rp_get_phy_confguration rp;
3349 
3350 	bt_dev_dbg(hdev, "sock %p", sk);
3351 
3352 	hci_dev_lock(hdev);
3353 
3354 	memset(&rp, 0, sizeof(rp));
3355 
3356 	rp.supported_phys = cpu_to_le32(get_supported_phys(hdev));
3357 	rp.selected_phys = cpu_to_le32(get_selected_phys(hdev));
3358 	rp.configurable_phys = cpu_to_le32(get_configurable_phys(hdev));
3359 
3360 	hci_dev_unlock(hdev);
3361 
3362 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_PHY_CONFIGURATION, 0,
3363 				 &rp, sizeof(rp));
3364 }
3365 
3366 int mgmt_phy_configuration_changed(struct hci_dev *hdev, struct sock *skip)
3367 {
3368 	struct mgmt_ev_phy_configuration_changed ev;
3369 
3370 	memset(&ev, 0, sizeof(ev));
3371 
3372 	ev.selected_phys = cpu_to_le32(get_selected_phys(hdev));
3373 
3374 	return mgmt_event(MGMT_EV_PHY_CONFIGURATION_CHANGED, hdev, &ev,
3375 			  sizeof(ev), skip);
3376 }
3377 
3378 static void set_default_phy_complete(struct hci_dev *hdev, u8 status,
3379 				     u16 opcode, struct sk_buff *skb)
3380 {
3381 	struct mgmt_pending_cmd *cmd;
3382 
3383 	bt_dev_dbg(hdev, "status 0x%02x", status);
3384 
3385 	hci_dev_lock(hdev);
3386 
3387 	cmd = pending_find(MGMT_OP_SET_PHY_CONFIGURATION, hdev);
3388 	if (!cmd)
3389 		goto unlock;
3390 
3391 	if (status) {
3392 		mgmt_cmd_status(cmd->sk, hdev->id,
3393 				MGMT_OP_SET_PHY_CONFIGURATION,
3394 				mgmt_status(status));
3395 	} else {
3396 		mgmt_cmd_complete(cmd->sk, hdev->id,
3397 				  MGMT_OP_SET_PHY_CONFIGURATION, 0,
3398 				  NULL, 0);
3399 
3400 		mgmt_phy_configuration_changed(hdev, cmd->sk);
3401 	}
3402 
3403 	mgmt_pending_remove(cmd);
3404 
3405 unlock:
3406 	hci_dev_unlock(hdev);
3407 }
3408 
3409 static int set_phy_configuration(struct sock *sk, struct hci_dev *hdev,
3410 				 void *data, u16 len)
3411 {
3412 	struct mgmt_cp_set_phy_confguration *cp = data;
3413 	struct hci_cp_le_set_default_phy cp_phy;
3414 	struct mgmt_pending_cmd *cmd;
3415 	struct hci_request req;
3416 	u32 selected_phys, configurable_phys, supported_phys, unconfigure_phys;
3417 	u16 pkt_type = (HCI_DH1 | HCI_DM1);
3418 	bool changed = false;
3419 	int err;
3420 
3421 	bt_dev_dbg(hdev, "sock %p", sk);
3422 
3423 	configurable_phys = get_configurable_phys(hdev);
3424 	supported_phys = get_supported_phys(hdev);
3425 	selected_phys = __le32_to_cpu(cp->selected_phys);
3426 
3427 	if (selected_phys & ~supported_phys)
3428 		return mgmt_cmd_status(sk, hdev->id,
3429 				       MGMT_OP_SET_PHY_CONFIGURATION,
3430 				       MGMT_STATUS_INVALID_PARAMS);
3431 
3432 	unconfigure_phys = supported_phys & ~configurable_phys;
3433 
3434 	if ((selected_phys & unconfigure_phys) != unconfigure_phys)
3435 		return mgmt_cmd_status(sk, hdev->id,
3436 				       MGMT_OP_SET_PHY_CONFIGURATION,
3437 				       MGMT_STATUS_INVALID_PARAMS);
3438 
3439 	if (selected_phys == get_selected_phys(hdev))
3440 		return mgmt_cmd_complete(sk, hdev->id,
3441 					 MGMT_OP_SET_PHY_CONFIGURATION,
3442 					 0, NULL, 0);
3443 
3444 	hci_dev_lock(hdev);
3445 
3446 	if (!hdev_is_powered(hdev)) {
3447 		err = mgmt_cmd_status(sk, hdev->id,
3448 				      MGMT_OP_SET_PHY_CONFIGURATION,
3449 				      MGMT_STATUS_REJECTED);
3450 		goto unlock;
3451 	}
3452 
3453 	if (pending_find(MGMT_OP_SET_PHY_CONFIGURATION, hdev)) {
3454 		err = mgmt_cmd_status(sk, hdev->id,
3455 				      MGMT_OP_SET_PHY_CONFIGURATION,
3456 				      MGMT_STATUS_BUSY);
3457 		goto unlock;
3458 	}
3459 
3460 	if (selected_phys & MGMT_PHY_BR_1M_3SLOT)
3461 		pkt_type |= (HCI_DH3 | HCI_DM3);
3462 	else
3463 		pkt_type &= ~(HCI_DH3 | HCI_DM3);
3464 
3465 	if (selected_phys & MGMT_PHY_BR_1M_5SLOT)
3466 		pkt_type |= (HCI_DH5 | HCI_DM5);
3467 	else
3468 		pkt_type &= ~(HCI_DH5 | HCI_DM5);
3469 
3470 	if (selected_phys & MGMT_PHY_EDR_2M_1SLOT)
3471 		pkt_type &= ~HCI_2DH1;
3472 	else
3473 		pkt_type |= HCI_2DH1;
3474 
3475 	if (selected_phys & MGMT_PHY_EDR_2M_3SLOT)
3476 		pkt_type &= ~HCI_2DH3;
3477 	else
3478 		pkt_type |= HCI_2DH3;
3479 
3480 	if (selected_phys & MGMT_PHY_EDR_2M_5SLOT)
3481 		pkt_type &= ~HCI_2DH5;
3482 	else
3483 		pkt_type |= HCI_2DH5;
3484 
3485 	if (selected_phys & MGMT_PHY_EDR_3M_1SLOT)
3486 		pkt_type &= ~HCI_3DH1;
3487 	else
3488 		pkt_type |= HCI_3DH1;
3489 
3490 	if (selected_phys & MGMT_PHY_EDR_3M_3SLOT)
3491 		pkt_type &= ~HCI_3DH3;
3492 	else
3493 		pkt_type |= HCI_3DH3;
3494 
3495 	if (selected_phys & MGMT_PHY_EDR_3M_5SLOT)
3496 		pkt_type &= ~HCI_3DH5;
3497 	else
3498 		pkt_type |= HCI_3DH5;
3499 
3500 	if (pkt_type != hdev->pkt_type) {
3501 		hdev->pkt_type = pkt_type;
3502 		changed = true;
3503 	}
3504 
3505 	if ((selected_phys & MGMT_PHY_LE_MASK) ==
3506 	    (get_selected_phys(hdev) & MGMT_PHY_LE_MASK)) {
3507 		if (changed)
3508 			mgmt_phy_configuration_changed(hdev, sk);
3509 
3510 		err = mgmt_cmd_complete(sk, hdev->id,
3511 					MGMT_OP_SET_PHY_CONFIGURATION,
3512 					0, NULL, 0);
3513 
3514 		goto unlock;
3515 	}
3516 
3517 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_PHY_CONFIGURATION, hdev, data,
3518 			       len);
3519 	if (!cmd) {
3520 		err = -ENOMEM;
3521 		goto unlock;
3522 	}
3523 
3524 	hci_req_init(&req, hdev);
3525 
3526 	memset(&cp_phy, 0, sizeof(cp_phy));
3527 
3528 	if (!(selected_phys & MGMT_PHY_LE_TX_MASK))
3529 		cp_phy.all_phys |= 0x01;
3530 
3531 	if (!(selected_phys & MGMT_PHY_LE_RX_MASK))
3532 		cp_phy.all_phys |= 0x02;
3533 
3534 	if (selected_phys & MGMT_PHY_LE_1M_TX)
3535 		cp_phy.tx_phys |= HCI_LE_SET_PHY_1M;
3536 
3537 	if (selected_phys & MGMT_PHY_LE_2M_TX)
3538 		cp_phy.tx_phys |= HCI_LE_SET_PHY_2M;
3539 
3540 	if (selected_phys & MGMT_PHY_LE_CODED_TX)
3541 		cp_phy.tx_phys |= HCI_LE_SET_PHY_CODED;
3542 
3543 	if (selected_phys & MGMT_PHY_LE_1M_RX)
3544 		cp_phy.rx_phys |= HCI_LE_SET_PHY_1M;
3545 
3546 	if (selected_phys & MGMT_PHY_LE_2M_RX)
3547 		cp_phy.rx_phys |= HCI_LE_SET_PHY_2M;
3548 
3549 	if (selected_phys & MGMT_PHY_LE_CODED_RX)
3550 		cp_phy.rx_phys |= HCI_LE_SET_PHY_CODED;
3551 
3552 	hci_req_add(&req, HCI_OP_LE_SET_DEFAULT_PHY, sizeof(cp_phy), &cp_phy);
3553 
3554 	err = hci_req_run_skb(&req, set_default_phy_complete);
3555 	if (err < 0)
3556 		mgmt_pending_remove(cmd);
3557 
3558 unlock:
3559 	hci_dev_unlock(hdev);
3560 
3561 	return err;
3562 }
3563 
3564 static int set_blocked_keys(struct sock *sk, struct hci_dev *hdev, void *data,
3565 			    u16 len)
3566 {
3567 	int err = MGMT_STATUS_SUCCESS;
3568 	struct mgmt_cp_set_blocked_keys *keys = data;
3569 	const u16 max_key_count = ((U16_MAX - sizeof(*keys)) /
3570 				   sizeof(struct mgmt_blocked_key_info));
3571 	u16 key_count, expected_len;
3572 	int i;
3573 
3574 	bt_dev_dbg(hdev, "sock %p", sk);
3575 
3576 	key_count = __le16_to_cpu(keys->key_count);
3577 	if (key_count > max_key_count) {
3578 		bt_dev_err(hdev, "too big key_count value %u", key_count);
3579 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BLOCKED_KEYS,
3580 				       MGMT_STATUS_INVALID_PARAMS);
3581 	}
3582 
3583 	expected_len = struct_size(keys, keys, key_count);
3584 	if (expected_len != len) {
3585 		bt_dev_err(hdev, "expected %u bytes, got %u bytes",
3586 			   expected_len, len);
3587 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BLOCKED_KEYS,
3588 				       MGMT_STATUS_INVALID_PARAMS);
3589 	}
3590 
3591 	hci_dev_lock(hdev);
3592 
3593 	hci_blocked_keys_clear(hdev);
3594 
3595 	for (i = 0; i < keys->key_count; ++i) {
3596 		struct blocked_key *b = kzalloc(sizeof(*b), GFP_KERNEL);
3597 
3598 		if (!b) {
3599 			err = MGMT_STATUS_NO_RESOURCES;
3600 			break;
3601 		}
3602 
3603 		b->type = keys->keys[i].type;
3604 		memcpy(b->val, keys->keys[i].val, sizeof(b->val));
3605 		list_add_rcu(&b->list, &hdev->blocked_keys);
3606 	}
3607 	hci_dev_unlock(hdev);
3608 
3609 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_BLOCKED_KEYS,
3610 				err, NULL, 0);
3611 }
3612 
3613 static int set_wideband_speech(struct sock *sk, struct hci_dev *hdev,
3614 			       void *data, u16 len)
3615 {
3616 	struct mgmt_mode *cp = data;
3617 	int err;
3618 	bool changed = false;
3619 
3620 	bt_dev_dbg(hdev, "sock %p", sk);
3621 
3622 	if (!test_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, &hdev->quirks))
3623 		return mgmt_cmd_status(sk, hdev->id,
3624 				       MGMT_OP_SET_WIDEBAND_SPEECH,
3625 				       MGMT_STATUS_NOT_SUPPORTED);
3626 
3627 	if (cp->val != 0x00 && cp->val != 0x01)
3628 		return mgmt_cmd_status(sk, hdev->id,
3629 				       MGMT_OP_SET_WIDEBAND_SPEECH,
3630 				       MGMT_STATUS_INVALID_PARAMS);
3631 
3632 	hci_dev_lock(hdev);
3633 
3634 	if (pending_find(MGMT_OP_SET_WIDEBAND_SPEECH, hdev)) {
3635 		err = mgmt_cmd_status(sk, hdev->id,
3636 				      MGMT_OP_SET_WIDEBAND_SPEECH,
3637 				      MGMT_STATUS_BUSY);
3638 		goto unlock;
3639 	}
3640 
3641 	if (hdev_is_powered(hdev) &&
3642 	    !!cp->val != hci_dev_test_flag(hdev,
3643 					   HCI_WIDEBAND_SPEECH_ENABLED)) {
3644 		err = mgmt_cmd_status(sk, hdev->id,
3645 				      MGMT_OP_SET_WIDEBAND_SPEECH,
3646 				      MGMT_STATUS_REJECTED);
3647 		goto unlock;
3648 	}
3649 
3650 	if (cp->val)
3651 		changed = !hci_dev_test_and_set_flag(hdev,
3652 						   HCI_WIDEBAND_SPEECH_ENABLED);
3653 	else
3654 		changed = hci_dev_test_and_clear_flag(hdev,
3655 						   HCI_WIDEBAND_SPEECH_ENABLED);
3656 
3657 	err = send_settings_rsp(sk, MGMT_OP_SET_WIDEBAND_SPEECH, hdev);
3658 	if (err < 0)
3659 		goto unlock;
3660 
3661 	if (changed)
3662 		err = new_settings(hdev, sk);
3663 
3664 unlock:
3665 	hci_dev_unlock(hdev);
3666 	return err;
3667 }
3668 
3669 static int read_security_info(struct sock *sk, struct hci_dev *hdev,
3670 			      void *data, u16 data_len)
3671 {
3672 	char buf[16];
3673 	struct mgmt_rp_read_security_info *rp = (void *)buf;
3674 	u16 sec_len = 0;
3675 	u8 flags = 0;
3676 
3677 	bt_dev_dbg(hdev, "sock %p", sk);
3678 
3679 	memset(&buf, 0, sizeof(buf));
3680 
3681 	hci_dev_lock(hdev);
3682 
3683 	/* When the Read Simple Pairing Options command is supported, then
3684 	 * the remote public key validation is supported.
3685 	 */
3686 	if (hdev->commands[41] & 0x08)
3687 		flags |= 0x01;	/* Remote public key validation (BR/EDR) */
3688 
3689 	flags |= 0x02;		/* Remote public key validation (LE) */
3690 
3691 	/* When the Read Encryption Key Size command is supported, then the
3692 	 * encryption key size is enforced.
3693 	 */
3694 	if (hdev->commands[20] & 0x10)
3695 		flags |= 0x04;	/* Encryption key size enforcement (BR/EDR) */
3696 
3697 	flags |= 0x08;		/* Encryption key size enforcement (LE) */
3698 
3699 	sec_len = eir_append_data(rp->sec, sec_len, 0x01, &flags, 1);
3700 
3701 	/* When the Read Simple Pairing Options command is supported, then
3702 	 * also max encryption key size information is provided.
3703 	 */
3704 	if (hdev->commands[41] & 0x08)
3705 		sec_len = eir_append_le16(rp->sec, sec_len, 0x02,
3706 					  hdev->max_enc_key_size);
3707 
3708 	sec_len = eir_append_le16(rp->sec, sec_len, 0x03, SMP_MAX_ENC_KEY_SIZE);
3709 
3710 	rp->sec_len = cpu_to_le16(sec_len);
3711 
3712 	hci_dev_unlock(hdev);
3713 
3714 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_SECURITY_INFO, 0,
3715 				 rp, sizeof(*rp) + sec_len);
3716 }
3717 
3718 #ifdef CONFIG_BT_FEATURE_DEBUG
3719 /* d4992530-b9ec-469f-ab01-6c481c47da1c */
3720 static const u8 debug_uuid[16] = {
3721 	0x1c, 0xda, 0x47, 0x1c, 0x48, 0x6c, 0x01, 0xab,
3722 	0x9f, 0x46, 0xec, 0xb9, 0x30, 0x25, 0x99, 0xd4,
3723 };
3724 #endif
3725 
3726 static int read_exp_features_info(struct sock *sk, struct hci_dev *hdev,
3727 				  void *data, u16 data_len)
3728 {
3729 	char buf[42];
3730 	struct mgmt_rp_read_exp_features_info *rp = (void *)buf;
3731 	u16 idx = 0;
3732 
3733 	bt_dev_dbg(hdev, "sock %p", sk);
3734 
3735 	memset(&buf, 0, sizeof(buf));
3736 
3737 #ifdef CONFIG_BT_FEATURE_DEBUG
3738 	if (!hdev) {
3739 		u32 flags = bt_dbg_get() ? BIT(0) : 0;
3740 
3741 		memcpy(rp->features[idx].uuid, debug_uuid, 16);
3742 		rp->features[idx].flags = cpu_to_le32(flags);
3743 		idx++;
3744 	}
3745 #endif
3746 
3747 	rp->feature_count = cpu_to_le16(idx);
3748 
3749 	/* After reading the experimental features information, enable
3750 	 * the events to update client on any future change.
3751 	 */
3752 	hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
3753 
3754 	return mgmt_cmd_complete(sk, hdev ? hdev->id : MGMT_INDEX_NONE,
3755 				 MGMT_OP_READ_EXP_FEATURES_INFO,
3756 				 0, rp, sizeof(*rp) + (20 * idx));
3757 }
3758 
3759 #ifdef CONFIG_BT_FEATURE_DEBUG
3760 static int exp_debug_feature_changed(bool enabled, struct sock *skip)
3761 {
3762 	struct mgmt_ev_exp_feature_changed ev;
3763 
3764 	memset(&ev, 0, sizeof(ev));
3765 	memcpy(ev.uuid, debug_uuid, 16);
3766 	ev.flags = cpu_to_le32(enabled ? BIT(0) : 0);
3767 
3768 	return mgmt_limited_event(MGMT_EV_EXP_FEATURE_CHANGED, NULL,
3769 				  &ev, sizeof(ev),
3770 				  HCI_MGMT_EXP_FEATURE_EVENTS, skip);
3771 }
3772 #endif
3773 
3774 static int set_exp_feature(struct sock *sk, struct hci_dev *hdev,
3775 			   void *data, u16 data_len)
3776 {
3777 	struct mgmt_cp_set_exp_feature *cp = data;
3778 	struct mgmt_rp_set_exp_feature rp;
3779 
3780 	bt_dev_dbg(hdev, "sock %p", sk);
3781 
3782 	if (!memcmp(cp->uuid, ZERO_KEY, 16)) {
3783 		memset(rp.uuid, 0, 16);
3784 		rp.flags = cpu_to_le32(0);
3785 
3786 #ifdef CONFIG_BT_FEATURE_DEBUG
3787 		if (!hdev) {
3788 			bool changed = bt_dbg_get();
3789 
3790 			bt_dbg_set(false);
3791 
3792 			if (changed)
3793 				exp_debug_feature_changed(false, sk);
3794 		}
3795 #endif
3796 
3797 		hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
3798 
3799 		return mgmt_cmd_complete(sk, hdev ? hdev->id : MGMT_INDEX_NONE,
3800 					 MGMT_OP_SET_EXP_FEATURE, 0,
3801 					 &rp, sizeof(rp));
3802 	}
3803 
3804 #ifdef CONFIG_BT_FEATURE_DEBUG
3805 	if (!memcmp(cp->uuid, debug_uuid, 16)) {
3806 		bool val, changed;
3807 		int err;
3808 
3809 		/* Command requires to use the non-controller index */
3810 		if (hdev)
3811 			return mgmt_cmd_status(sk, hdev->id,
3812 					       MGMT_OP_SET_EXP_FEATURE,
3813 					       MGMT_STATUS_INVALID_INDEX);
3814 
3815 		/* Parameters are limited to a single octet */
3816 		if (data_len != MGMT_SET_EXP_FEATURE_SIZE + 1)
3817 			return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
3818 					       MGMT_OP_SET_EXP_FEATURE,
3819 					       MGMT_STATUS_INVALID_PARAMS);
3820 
3821 		/* Only boolean on/off is supported */
3822 		if (cp->param[0] != 0x00 && cp->param[0] != 0x01)
3823 			return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
3824 					       MGMT_OP_SET_EXP_FEATURE,
3825 					       MGMT_STATUS_INVALID_PARAMS);
3826 
3827 		val = !!cp->param[0];
3828 		changed = val ? !bt_dbg_get() : bt_dbg_get();
3829 		bt_dbg_set(val);
3830 
3831 		memcpy(rp.uuid, debug_uuid, 16);
3832 		rp.flags = cpu_to_le32(val ? BIT(0) : 0);
3833 
3834 		hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
3835 
3836 		err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE,
3837 					MGMT_OP_SET_EXP_FEATURE, 0,
3838 					&rp, sizeof(rp));
3839 
3840 		if (changed)
3841 			exp_debug_feature_changed(val, sk);
3842 
3843 		return err;
3844 	}
3845 #endif
3846 
3847 	return mgmt_cmd_status(sk, hdev ? hdev->id : MGMT_INDEX_NONE,
3848 			       MGMT_OP_SET_EXP_FEATURE,
3849 			       MGMT_STATUS_NOT_SUPPORTED);
3850 }
3851 
3852 static void read_local_oob_data_complete(struct hci_dev *hdev, u8 status,
3853 				         u16 opcode, struct sk_buff *skb)
3854 {
3855 	struct mgmt_rp_read_local_oob_data mgmt_rp;
3856 	size_t rp_size = sizeof(mgmt_rp);
3857 	struct mgmt_pending_cmd *cmd;
3858 
3859 	bt_dev_dbg(hdev, "status %u", status);
3860 
3861 	cmd = pending_find(MGMT_OP_READ_LOCAL_OOB_DATA, hdev);
3862 	if (!cmd)
3863 		return;
3864 
3865 	if (status || !skb) {
3866 		mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
3867 				status ? mgmt_status(status) : MGMT_STATUS_FAILED);
3868 		goto remove;
3869 	}
3870 
3871 	memset(&mgmt_rp, 0, sizeof(mgmt_rp));
3872 
3873 	if (opcode == HCI_OP_READ_LOCAL_OOB_DATA) {
3874 		struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
3875 
3876 		if (skb->len < sizeof(*rp)) {
3877 			mgmt_cmd_status(cmd->sk, hdev->id,
3878 					MGMT_OP_READ_LOCAL_OOB_DATA,
3879 					MGMT_STATUS_FAILED);
3880 			goto remove;
3881 		}
3882 
3883 		memcpy(mgmt_rp.hash192, rp->hash, sizeof(rp->hash));
3884 		memcpy(mgmt_rp.rand192, rp->rand, sizeof(rp->rand));
3885 
3886 		rp_size -= sizeof(mgmt_rp.hash256) + sizeof(mgmt_rp.rand256);
3887 	} else {
3888 		struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
3889 
3890 		if (skb->len < sizeof(*rp)) {
3891 			mgmt_cmd_status(cmd->sk, hdev->id,
3892 					MGMT_OP_READ_LOCAL_OOB_DATA,
3893 					MGMT_STATUS_FAILED);
3894 			goto remove;
3895 		}
3896 
3897 		memcpy(mgmt_rp.hash192, rp->hash192, sizeof(rp->hash192));
3898 		memcpy(mgmt_rp.rand192, rp->rand192, sizeof(rp->rand192));
3899 
3900 		memcpy(mgmt_rp.hash256, rp->hash256, sizeof(rp->hash256));
3901 		memcpy(mgmt_rp.rand256, rp->rand256, sizeof(rp->rand256));
3902 	}
3903 
3904 	mgmt_cmd_complete(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
3905 			  MGMT_STATUS_SUCCESS, &mgmt_rp, rp_size);
3906 
3907 remove:
3908 	mgmt_pending_remove(cmd);
3909 }
3910 
3911 static int read_local_oob_data(struct sock *sk, struct hci_dev *hdev,
3912 			       void *data, u16 data_len)
3913 {
3914 	struct mgmt_pending_cmd *cmd;
3915 	struct hci_request req;
3916 	int err;
3917 
3918 	bt_dev_dbg(hdev, "sock %p", sk);
3919 
3920 	hci_dev_lock(hdev);
3921 
3922 	if (!hdev_is_powered(hdev)) {
3923 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
3924 				      MGMT_STATUS_NOT_POWERED);
3925 		goto unlock;
3926 	}
3927 
3928 	if (!lmp_ssp_capable(hdev)) {
3929 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
3930 				      MGMT_STATUS_NOT_SUPPORTED);
3931 		goto unlock;
3932 	}
3933 
3934 	if (pending_find(MGMT_OP_READ_LOCAL_OOB_DATA, hdev)) {
3935 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
3936 				      MGMT_STATUS_BUSY);
3937 		goto unlock;
3938 	}
3939 
3940 	cmd = mgmt_pending_add(sk, MGMT_OP_READ_LOCAL_OOB_DATA, hdev, NULL, 0);
3941 	if (!cmd) {
3942 		err = -ENOMEM;
3943 		goto unlock;
3944 	}
3945 
3946 	hci_req_init(&req, hdev);
3947 
3948 	if (bredr_sc_enabled(hdev))
3949 		hci_req_add(&req, HCI_OP_READ_LOCAL_OOB_EXT_DATA, 0, NULL);
3950 	else
3951 		hci_req_add(&req, HCI_OP_READ_LOCAL_OOB_DATA, 0, NULL);
3952 
3953 	err = hci_req_run_skb(&req, read_local_oob_data_complete);
3954 	if (err < 0)
3955 		mgmt_pending_remove(cmd);
3956 
3957 unlock:
3958 	hci_dev_unlock(hdev);
3959 	return err;
3960 }
3961 
3962 static int add_remote_oob_data(struct sock *sk, struct hci_dev *hdev,
3963 			       void *data, u16 len)
3964 {
3965 	struct mgmt_addr_info *addr = data;
3966 	int err;
3967 
3968 	bt_dev_dbg(hdev, "sock %p", sk);
3969 
3970 	if (!bdaddr_type_is_valid(addr->type))
3971 		return mgmt_cmd_complete(sk, hdev->id,
3972 					 MGMT_OP_ADD_REMOTE_OOB_DATA,
3973 					 MGMT_STATUS_INVALID_PARAMS,
3974 					 addr, sizeof(*addr));
3975 
3976 	hci_dev_lock(hdev);
3977 
3978 	if (len == MGMT_ADD_REMOTE_OOB_DATA_SIZE) {
3979 		struct mgmt_cp_add_remote_oob_data *cp = data;
3980 		u8 status;
3981 
3982 		if (cp->addr.type != BDADDR_BREDR) {
3983 			err = mgmt_cmd_complete(sk, hdev->id,
3984 						MGMT_OP_ADD_REMOTE_OOB_DATA,
3985 						MGMT_STATUS_INVALID_PARAMS,
3986 						&cp->addr, sizeof(cp->addr));
3987 			goto unlock;
3988 		}
3989 
3990 		err = hci_add_remote_oob_data(hdev, &cp->addr.bdaddr,
3991 					      cp->addr.type, cp->hash,
3992 					      cp->rand, NULL, NULL);
3993 		if (err < 0)
3994 			status = MGMT_STATUS_FAILED;
3995 		else
3996 			status = MGMT_STATUS_SUCCESS;
3997 
3998 		err = mgmt_cmd_complete(sk, hdev->id,
3999 					MGMT_OP_ADD_REMOTE_OOB_DATA, status,
4000 					&cp->addr, sizeof(cp->addr));
4001 	} else if (len == MGMT_ADD_REMOTE_OOB_EXT_DATA_SIZE) {
4002 		struct mgmt_cp_add_remote_oob_ext_data *cp = data;
4003 		u8 *rand192, *hash192, *rand256, *hash256;
4004 		u8 status;
4005 
4006 		if (bdaddr_type_is_le(cp->addr.type)) {
4007 			/* Enforce zero-valued 192-bit parameters as
4008 			 * long as legacy SMP OOB isn't implemented.
4009 			 */
4010 			if (memcmp(cp->rand192, ZERO_KEY, 16) ||
4011 			    memcmp(cp->hash192, ZERO_KEY, 16)) {
4012 				err = mgmt_cmd_complete(sk, hdev->id,
4013 							MGMT_OP_ADD_REMOTE_OOB_DATA,
4014 							MGMT_STATUS_INVALID_PARAMS,
4015 							addr, sizeof(*addr));
4016 				goto unlock;
4017 			}
4018 
4019 			rand192 = NULL;
4020 			hash192 = NULL;
4021 		} else {
4022 			/* In case one of the P-192 values is set to zero,
4023 			 * then just disable OOB data for P-192.
4024 			 */
4025 			if (!memcmp(cp->rand192, ZERO_KEY, 16) ||
4026 			    !memcmp(cp->hash192, ZERO_KEY, 16)) {
4027 				rand192 = NULL;
4028 				hash192 = NULL;
4029 			} else {
4030 				rand192 = cp->rand192;
4031 				hash192 = cp->hash192;
4032 			}
4033 		}
4034 
4035 		/* In case one of the P-256 values is set to zero, then just
4036 		 * disable OOB data for P-256.
4037 		 */
4038 		if (!memcmp(cp->rand256, ZERO_KEY, 16) ||
4039 		    !memcmp(cp->hash256, ZERO_KEY, 16)) {
4040 			rand256 = NULL;
4041 			hash256 = NULL;
4042 		} else {
4043 			rand256 = cp->rand256;
4044 			hash256 = cp->hash256;
4045 		}
4046 
4047 		err = hci_add_remote_oob_data(hdev, &cp->addr.bdaddr,
4048 					      cp->addr.type, hash192, rand192,
4049 					      hash256, rand256);
4050 		if (err < 0)
4051 			status = MGMT_STATUS_FAILED;
4052 		else
4053 			status = MGMT_STATUS_SUCCESS;
4054 
4055 		err = mgmt_cmd_complete(sk, hdev->id,
4056 					MGMT_OP_ADD_REMOTE_OOB_DATA,
4057 					status, &cp->addr, sizeof(cp->addr));
4058 	} else {
4059 		bt_dev_err(hdev, "add_remote_oob_data: invalid len of %u bytes",
4060 			   len);
4061 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_REMOTE_OOB_DATA,
4062 				      MGMT_STATUS_INVALID_PARAMS);
4063 	}
4064 
4065 unlock:
4066 	hci_dev_unlock(hdev);
4067 	return err;
4068 }
4069 
4070 static int remove_remote_oob_data(struct sock *sk, struct hci_dev *hdev,
4071 				  void *data, u16 len)
4072 {
4073 	struct mgmt_cp_remove_remote_oob_data *cp = data;
4074 	u8 status;
4075 	int err;
4076 
4077 	bt_dev_dbg(hdev, "sock %p", sk);
4078 
4079 	if (cp->addr.type != BDADDR_BREDR)
4080 		return mgmt_cmd_complete(sk, hdev->id,
4081 					 MGMT_OP_REMOVE_REMOTE_OOB_DATA,
4082 					 MGMT_STATUS_INVALID_PARAMS,
4083 					 &cp->addr, sizeof(cp->addr));
4084 
4085 	hci_dev_lock(hdev);
4086 
4087 	if (!bacmp(&cp->addr.bdaddr, BDADDR_ANY)) {
4088 		hci_remote_oob_data_clear(hdev);
4089 		status = MGMT_STATUS_SUCCESS;
4090 		goto done;
4091 	}
4092 
4093 	err = hci_remove_remote_oob_data(hdev, &cp->addr.bdaddr, cp->addr.type);
4094 	if (err < 0)
4095 		status = MGMT_STATUS_INVALID_PARAMS;
4096 	else
4097 		status = MGMT_STATUS_SUCCESS;
4098 
4099 done:
4100 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
4101 				status, &cp->addr, sizeof(cp->addr));
4102 
4103 	hci_dev_unlock(hdev);
4104 	return err;
4105 }
4106 
4107 void mgmt_start_discovery_complete(struct hci_dev *hdev, u8 status)
4108 {
4109 	struct mgmt_pending_cmd *cmd;
4110 
4111 	bt_dev_dbg(hdev, "status %d", status);
4112 
4113 	hci_dev_lock(hdev);
4114 
4115 	cmd = pending_find(MGMT_OP_START_DISCOVERY, hdev);
4116 	if (!cmd)
4117 		cmd = pending_find(MGMT_OP_START_SERVICE_DISCOVERY, hdev);
4118 
4119 	if (!cmd)
4120 		cmd = pending_find(MGMT_OP_START_LIMITED_DISCOVERY, hdev);
4121 
4122 	if (cmd) {
4123 		cmd->cmd_complete(cmd, mgmt_status(status));
4124 		mgmt_pending_remove(cmd);
4125 	}
4126 
4127 	hci_dev_unlock(hdev);
4128 
4129 	/* Handle suspend notifier */
4130 	if (test_and_clear_bit(SUSPEND_UNPAUSE_DISCOVERY,
4131 			       hdev->suspend_tasks)) {
4132 		bt_dev_dbg(hdev, "Unpaused discovery");
4133 		wake_up(&hdev->suspend_wait_q);
4134 	}
4135 }
4136 
4137 static bool discovery_type_is_valid(struct hci_dev *hdev, uint8_t type,
4138 				    uint8_t *mgmt_status)
4139 {
4140 	switch (type) {
4141 	case DISCOV_TYPE_LE:
4142 		*mgmt_status = mgmt_le_support(hdev);
4143 		if (*mgmt_status)
4144 			return false;
4145 		break;
4146 	case DISCOV_TYPE_INTERLEAVED:
4147 		*mgmt_status = mgmt_le_support(hdev);
4148 		if (*mgmt_status)
4149 			return false;
4150 		/* Intentional fall-through */
4151 	case DISCOV_TYPE_BREDR:
4152 		*mgmt_status = mgmt_bredr_support(hdev);
4153 		if (*mgmt_status)
4154 			return false;
4155 		break;
4156 	default:
4157 		*mgmt_status = MGMT_STATUS_INVALID_PARAMS;
4158 		return false;
4159 	}
4160 
4161 	return true;
4162 }
4163 
4164 static int start_discovery_internal(struct sock *sk, struct hci_dev *hdev,
4165 				    u16 op, void *data, u16 len)
4166 {
4167 	struct mgmt_cp_start_discovery *cp = data;
4168 	struct mgmt_pending_cmd *cmd;
4169 	u8 status;
4170 	int err;
4171 
4172 	bt_dev_dbg(hdev, "sock %p", sk);
4173 
4174 	hci_dev_lock(hdev);
4175 
4176 	if (!hdev_is_powered(hdev)) {
4177 		err = mgmt_cmd_complete(sk, hdev->id, op,
4178 					MGMT_STATUS_NOT_POWERED,
4179 					&cp->type, sizeof(cp->type));
4180 		goto failed;
4181 	}
4182 
4183 	if (hdev->discovery.state != DISCOVERY_STOPPED ||
4184 	    hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) {
4185 		err = mgmt_cmd_complete(sk, hdev->id, op, MGMT_STATUS_BUSY,
4186 					&cp->type, sizeof(cp->type));
4187 		goto failed;
4188 	}
4189 
4190 	if (!discovery_type_is_valid(hdev, cp->type, &status)) {
4191 		err = mgmt_cmd_complete(sk, hdev->id, op, status,
4192 					&cp->type, sizeof(cp->type));
4193 		goto failed;
4194 	}
4195 
4196 	/* Can't start discovery when it is paused */
4197 	if (hdev->discovery_paused) {
4198 		err = mgmt_cmd_complete(sk, hdev->id, op, MGMT_STATUS_BUSY,
4199 					&cp->type, sizeof(cp->type));
4200 		goto failed;
4201 	}
4202 
4203 	/* Clear the discovery filter first to free any previously
4204 	 * allocated memory for the UUID list.
4205 	 */
4206 	hci_discovery_filter_clear(hdev);
4207 
4208 	hdev->discovery.type = cp->type;
4209 	hdev->discovery.report_invalid_rssi = false;
4210 	if (op == MGMT_OP_START_LIMITED_DISCOVERY)
4211 		hdev->discovery.limited = true;
4212 	else
4213 		hdev->discovery.limited = false;
4214 
4215 	cmd = mgmt_pending_add(sk, op, hdev, data, len);
4216 	if (!cmd) {
4217 		err = -ENOMEM;
4218 		goto failed;
4219 	}
4220 
4221 	cmd->cmd_complete = generic_cmd_complete;
4222 
4223 	hci_discovery_set_state(hdev, DISCOVERY_STARTING);
4224 	queue_work(hdev->req_workqueue, &hdev->discov_update);
4225 	err = 0;
4226 
4227 failed:
4228 	hci_dev_unlock(hdev);
4229 	return err;
4230 }
4231 
4232 static int start_discovery(struct sock *sk, struct hci_dev *hdev,
4233 			   void *data, u16 len)
4234 {
4235 	return start_discovery_internal(sk, hdev, MGMT_OP_START_DISCOVERY,
4236 					data, len);
4237 }
4238 
4239 static int start_limited_discovery(struct sock *sk, struct hci_dev *hdev,
4240 				   void *data, u16 len)
4241 {
4242 	return start_discovery_internal(sk, hdev,
4243 					MGMT_OP_START_LIMITED_DISCOVERY,
4244 					data, len);
4245 }
4246 
4247 static int service_discovery_cmd_complete(struct mgmt_pending_cmd *cmd,
4248 					  u8 status)
4249 {
4250 	return mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status,
4251 				 cmd->param, 1);
4252 }
4253 
4254 static int start_service_discovery(struct sock *sk, struct hci_dev *hdev,
4255 				   void *data, u16 len)
4256 {
4257 	struct mgmt_cp_start_service_discovery *cp = data;
4258 	struct mgmt_pending_cmd *cmd;
4259 	const u16 max_uuid_count = ((U16_MAX - sizeof(*cp)) / 16);
4260 	u16 uuid_count, expected_len;
4261 	u8 status;
4262 	int err;
4263 
4264 	bt_dev_dbg(hdev, "sock %p", sk);
4265 
4266 	hci_dev_lock(hdev);
4267 
4268 	if (!hdev_is_powered(hdev)) {
4269 		err = mgmt_cmd_complete(sk, hdev->id,
4270 					MGMT_OP_START_SERVICE_DISCOVERY,
4271 					MGMT_STATUS_NOT_POWERED,
4272 					&cp->type, sizeof(cp->type));
4273 		goto failed;
4274 	}
4275 
4276 	if (hdev->discovery.state != DISCOVERY_STOPPED ||
4277 	    hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) {
4278 		err = mgmt_cmd_complete(sk, hdev->id,
4279 					MGMT_OP_START_SERVICE_DISCOVERY,
4280 					MGMT_STATUS_BUSY, &cp->type,
4281 					sizeof(cp->type));
4282 		goto failed;
4283 	}
4284 
4285 	uuid_count = __le16_to_cpu(cp->uuid_count);
4286 	if (uuid_count > max_uuid_count) {
4287 		bt_dev_err(hdev, "service_discovery: too big uuid_count value %u",
4288 			   uuid_count);
4289 		err = mgmt_cmd_complete(sk, hdev->id,
4290 					MGMT_OP_START_SERVICE_DISCOVERY,
4291 					MGMT_STATUS_INVALID_PARAMS, &cp->type,
4292 					sizeof(cp->type));
4293 		goto failed;
4294 	}
4295 
4296 	expected_len = sizeof(*cp) + uuid_count * 16;
4297 	if (expected_len != len) {
4298 		bt_dev_err(hdev, "service_discovery: expected %u bytes, got %u bytes",
4299 			   expected_len, len);
4300 		err = mgmt_cmd_complete(sk, hdev->id,
4301 					MGMT_OP_START_SERVICE_DISCOVERY,
4302 					MGMT_STATUS_INVALID_PARAMS, &cp->type,
4303 					sizeof(cp->type));
4304 		goto failed;
4305 	}
4306 
4307 	if (!discovery_type_is_valid(hdev, cp->type, &status)) {
4308 		err = mgmt_cmd_complete(sk, hdev->id,
4309 					MGMT_OP_START_SERVICE_DISCOVERY,
4310 					status, &cp->type, sizeof(cp->type));
4311 		goto failed;
4312 	}
4313 
4314 	cmd = mgmt_pending_add(sk, MGMT_OP_START_SERVICE_DISCOVERY,
4315 			       hdev, data, len);
4316 	if (!cmd) {
4317 		err = -ENOMEM;
4318 		goto failed;
4319 	}
4320 
4321 	cmd->cmd_complete = service_discovery_cmd_complete;
4322 
4323 	/* Clear the discovery filter first to free any previously
4324 	 * allocated memory for the UUID list.
4325 	 */
4326 	hci_discovery_filter_clear(hdev);
4327 
4328 	hdev->discovery.result_filtering = true;
4329 	hdev->discovery.type = cp->type;
4330 	hdev->discovery.rssi = cp->rssi;
4331 	hdev->discovery.uuid_count = uuid_count;
4332 
4333 	if (uuid_count > 0) {
4334 		hdev->discovery.uuids = kmemdup(cp->uuids, uuid_count * 16,
4335 						GFP_KERNEL);
4336 		if (!hdev->discovery.uuids) {
4337 			err = mgmt_cmd_complete(sk, hdev->id,
4338 						MGMT_OP_START_SERVICE_DISCOVERY,
4339 						MGMT_STATUS_FAILED,
4340 						&cp->type, sizeof(cp->type));
4341 			mgmt_pending_remove(cmd);
4342 			goto failed;
4343 		}
4344 	}
4345 
4346 	hci_discovery_set_state(hdev, DISCOVERY_STARTING);
4347 	queue_work(hdev->req_workqueue, &hdev->discov_update);
4348 	err = 0;
4349 
4350 failed:
4351 	hci_dev_unlock(hdev);
4352 	return err;
4353 }
4354 
4355 void mgmt_stop_discovery_complete(struct hci_dev *hdev, u8 status)
4356 {
4357 	struct mgmt_pending_cmd *cmd;
4358 
4359 	bt_dev_dbg(hdev, "status %d", status);
4360 
4361 	hci_dev_lock(hdev);
4362 
4363 	cmd = pending_find(MGMT_OP_STOP_DISCOVERY, hdev);
4364 	if (cmd) {
4365 		cmd->cmd_complete(cmd, mgmt_status(status));
4366 		mgmt_pending_remove(cmd);
4367 	}
4368 
4369 	hci_dev_unlock(hdev);
4370 
4371 	/* Handle suspend notifier */
4372 	if (test_and_clear_bit(SUSPEND_PAUSE_DISCOVERY, hdev->suspend_tasks)) {
4373 		bt_dev_dbg(hdev, "Paused discovery");
4374 		wake_up(&hdev->suspend_wait_q);
4375 	}
4376 }
4377 
4378 static int stop_discovery(struct sock *sk, struct hci_dev *hdev, void *data,
4379 			  u16 len)
4380 {
4381 	struct mgmt_cp_stop_discovery *mgmt_cp = data;
4382 	struct mgmt_pending_cmd *cmd;
4383 	int err;
4384 
4385 	bt_dev_dbg(hdev, "sock %p", sk);
4386 
4387 	hci_dev_lock(hdev);
4388 
4389 	if (!hci_discovery_active(hdev)) {
4390 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_STOP_DISCOVERY,
4391 					MGMT_STATUS_REJECTED, &mgmt_cp->type,
4392 					sizeof(mgmt_cp->type));
4393 		goto unlock;
4394 	}
4395 
4396 	if (hdev->discovery.type != mgmt_cp->type) {
4397 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_STOP_DISCOVERY,
4398 					MGMT_STATUS_INVALID_PARAMS,
4399 					&mgmt_cp->type, sizeof(mgmt_cp->type));
4400 		goto unlock;
4401 	}
4402 
4403 	cmd = mgmt_pending_add(sk, MGMT_OP_STOP_DISCOVERY, hdev, data, len);
4404 	if (!cmd) {
4405 		err = -ENOMEM;
4406 		goto unlock;
4407 	}
4408 
4409 	cmd->cmd_complete = generic_cmd_complete;
4410 
4411 	hci_discovery_set_state(hdev, DISCOVERY_STOPPING);
4412 	queue_work(hdev->req_workqueue, &hdev->discov_update);
4413 	err = 0;
4414 
4415 unlock:
4416 	hci_dev_unlock(hdev);
4417 	return err;
4418 }
4419 
4420 static int confirm_name(struct sock *sk, struct hci_dev *hdev, void *data,
4421 			u16 len)
4422 {
4423 	struct mgmt_cp_confirm_name *cp = data;
4424 	struct inquiry_entry *e;
4425 	int err;
4426 
4427 	bt_dev_dbg(hdev, "sock %p", sk);
4428 
4429 	hci_dev_lock(hdev);
4430 
4431 	if (!hci_discovery_active(hdev)) {
4432 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CONFIRM_NAME,
4433 					MGMT_STATUS_FAILED, &cp->addr,
4434 					sizeof(cp->addr));
4435 		goto failed;
4436 	}
4437 
4438 	e = hci_inquiry_cache_lookup_unknown(hdev, &cp->addr.bdaddr);
4439 	if (!e) {
4440 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CONFIRM_NAME,
4441 					MGMT_STATUS_INVALID_PARAMS, &cp->addr,
4442 					sizeof(cp->addr));
4443 		goto failed;
4444 	}
4445 
4446 	if (cp->name_known) {
4447 		e->name_state = NAME_KNOWN;
4448 		list_del(&e->list);
4449 	} else {
4450 		e->name_state = NAME_NEEDED;
4451 		hci_inquiry_cache_update_resolve(hdev, e);
4452 	}
4453 
4454 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CONFIRM_NAME, 0,
4455 				&cp->addr, sizeof(cp->addr));
4456 
4457 failed:
4458 	hci_dev_unlock(hdev);
4459 	return err;
4460 }
4461 
4462 static int block_device(struct sock *sk, struct hci_dev *hdev, void *data,
4463 			u16 len)
4464 {
4465 	struct mgmt_cp_block_device *cp = data;
4466 	u8 status;
4467 	int err;
4468 
4469 	bt_dev_dbg(hdev, "sock %p", sk);
4470 
4471 	if (!bdaddr_type_is_valid(cp->addr.type))
4472 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_BLOCK_DEVICE,
4473 					 MGMT_STATUS_INVALID_PARAMS,
4474 					 &cp->addr, sizeof(cp->addr));
4475 
4476 	hci_dev_lock(hdev);
4477 
4478 	err = hci_bdaddr_list_add(&hdev->blacklist, &cp->addr.bdaddr,
4479 				  cp->addr.type);
4480 	if (err < 0) {
4481 		status = MGMT_STATUS_FAILED;
4482 		goto done;
4483 	}
4484 
4485 	mgmt_event(MGMT_EV_DEVICE_BLOCKED, hdev, &cp->addr, sizeof(cp->addr),
4486 		   sk);
4487 	status = MGMT_STATUS_SUCCESS;
4488 
4489 done:
4490 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_BLOCK_DEVICE, status,
4491 				&cp->addr, sizeof(cp->addr));
4492 
4493 	hci_dev_unlock(hdev);
4494 
4495 	return err;
4496 }
4497 
4498 static int unblock_device(struct sock *sk, struct hci_dev *hdev, void *data,
4499 			  u16 len)
4500 {
4501 	struct mgmt_cp_unblock_device *cp = data;
4502 	u8 status;
4503 	int err;
4504 
4505 	bt_dev_dbg(hdev, "sock %p", sk);
4506 
4507 	if (!bdaddr_type_is_valid(cp->addr.type))
4508 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNBLOCK_DEVICE,
4509 					 MGMT_STATUS_INVALID_PARAMS,
4510 					 &cp->addr, sizeof(cp->addr));
4511 
4512 	hci_dev_lock(hdev);
4513 
4514 	err = hci_bdaddr_list_del(&hdev->blacklist, &cp->addr.bdaddr,
4515 				  cp->addr.type);
4516 	if (err < 0) {
4517 		status = MGMT_STATUS_INVALID_PARAMS;
4518 		goto done;
4519 	}
4520 
4521 	mgmt_event(MGMT_EV_DEVICE_UNBLOCKED, hdev, &cp->addr, sizeof(cp->addr),
4522 		   sk);
4523 	status = MGMT_STATUS_SUCCESS;
4524 
4525 done:
4526 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNBLOCK_DEVICE, status,
4527 				&cp->addr, sizeof(cp->addr));
4528 
4529 	hci_dev_unlock(hdev);
4530 
4531 	return err;
4532 }
4533 
4534 static int set_device_id(struct sock *sk, struct hci_dev *hdev, void *data,
4535 			 u16 len)
4536 {
4537 	struct mgmt_cp_set_device_id *cp = data;
4538 	struct hci_request req;
4539 	int err;
4540 	__u16 source;
4541 
4542 	bt_dev_dbg(hdev, "sock %p", sk);
4543 
4544 	source = __le16_to_cpu(cp->source);
4545 
4546 	if (source > 0x0002)
4547 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEVICE_ID,
4548 				       MGMT_STATUS_INVALID_PARAMS);
4549 
4550 	hci_dev_lock(hdev);
4551 
4552 	hdev->devid_source = source;
4553 	hdev->devid_vendor = __le16_to_cpu(cp->vendor);
4554 	hdev->devid_product = __le16_to_cpu(cp->product);
4555 	hdev->devid_version = __le16_to_cpu(cp->version);
4556 
4557 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_DEVICE_ID, 0,
4558 				NULL, 0);
4559 
4560 	hci_req_init(&req, hdev);
4561 	__hci_req_update_eir(&req);
4562 	hci_req_run(&req, NULL);
4563 
4564 	hci_dev_unlock(hdev);
4565 
4566 	return err;
4567 }
4568 
4569 static void enable_advertising_instance(struct hci_dev *hdev, u8 status,
4570 					u16 opcode)
4571 {
4572 	bt_dev_dbg(hdev, "status %d", status);
4573 }
4574 
4575 static void set_advertising_complete(struct hci_dev *hdev, u8 status,
4576 				     u16 opcode)
4577 {
4578 	struct cmd_lookup match = { NULL, hdev };
4579 	struct hci_request req;
4580 	u8 instance;
4581 	struct adv_info *adv_instance;
4582 	int err;
4583 
4584 	hci_dev_lock(hdev);
4585 
4586 	if (status) {
4587 		u8 mgmt_err = mgmt_status(status);
4588 
4589 		mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev,
4590 				     cmd_status_rsp, &mgmt_err);
4591 		goto unlock;
4592 	}
4593 
4594 	if (hci_dev_test_flag(hdev, HCI_LE_ADV))
4595 		hci_dev_set_flag(hdev, HCI_ADVERTISING);
4596 	else
4597 		hci_dev_clear_flag(hdev, HCI_ADVERTISING);
4598 
4599 	mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev, settings_rsp,
4600 			     &match);
4601 
4602 	new_settings(hdev, match.sk);
4603 
4604 	if (match.sk)
4605 		sock_put(match.sk);
4606 
4607 	/* Handle suspend notifier */
4608 	if (test_and_clear_bit(SUSPEND_PAUSE_ADVERTISING,
4609 			       hdev->suspend_tasks)) {
4610 		bt_dev_dbg(hdev, "Paused advertising");
4611 		wake_up(&hdev->suspend_wait_q);
4612 	} else if (test_and_clear_bit(SUSPEND_UNPAUSE_ADVERTISING,
4613 				      hdev->suspend_tasks)) {
4614 		bt_dev_dbg(hdev, "Unpaused advertising");
4615 		wake_up(&hdev->suspend_wait_q);
4616 	}
4617 
4618 	/* If "Set Advertising" was just disabled and instance advertising was
4619 	 * set up earlier, then re-enable multi-instance advertising.
4620 	 */
4621 	if (hci_dev_test_flag(hdev, HCI_ADVERTISING) ||
4622 	    list_empty(&hdev->adv_instances))
4623 		goto unlock;
4624 
4625 	instance = hdev->cur_adv_instance;
4626 	if (!instance) {
4627 		adv_instance = list_first_entry_or_null(&hdev->adv_instances,
4628 							struct adv_info, list);
4629 		if (!adv_instance)
4630 			goto unlock;
4631 
4632 		instance = adv_instance->instance;
4633 	}
4634 
4635 	hci_req_init(&req, hdev);
4636 
4637 	err = __hci_req_schedule_adv_instance(&req, instance, true);
4638 
4639 	if (!err)
4640 		err = hci_req_run(&req, enable_advertising_instance);
4641 
4642 	if (err)
4643 		bt_dev_err(hdev, "failed to re-configure advertising");
4644 
4645 unlock:
4646 	hci_dev_unlock(hdev);
4647 }
4648 
4649 static int set_advertising(struct sock *sk, struct hci_dev *hdev, void *data,
4650 			   u16 len)
4651 {
4652 	struct mgmt_mode *cp = data;
4653 	struct mgmt_pending_cmd *cmd;
4654 	struct hci_request req;
4655 	u8 val, status;
4656 	int err;
4657 
4658 	bt_dev_dbg(hdev, "sock %p", sk);
4659 
4660 	status = mgmt_le_support(hdev);
4661 	if (status)
4662 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
4663 				       status);
4664 
4665 	if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
4666 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
4667 				       MGMT_STATUS_INVALID_PARAMS);
4668 
4669 	if (hdev->advertising_paused)
4670 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
4671 				       MGMT_STATUS_BUSY);
4672 
4673 	hci_dev_lock(hdev);
4674 
4675 	val = !!cp->val;
4676 
4677 	/* The following conditions are ones which mean that we should
4678 	 * not do any HCI communication but directly send a mgmt
4679 	 * response to user space (after toggling the flag if
4680 	 * necessary).
4681 	 */
4682 	if (!hdev_is_powered(hdev) ||
4683 	    (val == hci_dev_test_flag(hdev, HCI_ADVERTISING) &&
4684 	     (cp->val == 0x02) == hci_dev_test_flag(hdev, HCI_ADVERTISING_CONNECTABLE)) ||
4685 	    hci_conn_num(hdev, LE_LINK) > 0 ||
4686 	    (hci_dev_test_flag(hdev, HCI_LE_SCAN) &&
4687 	     hdev->le_scan_type == LE_SCAN_ACTIVE)) {
4688 		bool changed;
4689 
4690 		if (cp->val) {
4691 			hdev->cur_adv_instance = 0x00;
4692 			changed = !hci_dev_test_and_set_flag(hdev, HCI_ADVERTISING);
4693 			if (cp->val == 0x02)
4694 				hci_dev_set_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
4695 			else
4696 				hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
4697 		} else {
4698 			changed = hci_dev_test_and_clear_flag(hdev, HCI_ADVERTISING);
4699 			hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
4700 		}
4701 
4702 		err = send_settings_rsp(sk, MGMT_OP_SET_ADVERTISING, hdev);
4703 		if (err < 0)
4704 			goto unlock;
4705 
4706 		if (changed)
4707 			err = new_settings(hdev, sk);
4708 
4709 		goto unlock;
4710 	}
4711 
4712 	if (pending_find(MGMT_OP_SET_ADVERTISING, hdev) ||
4713 	    pending_find(MGMT_OP_SET_LE, hdev)) {
4714 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
4715 				      MGMT_STATUS_BUSY);
4716 		goto unlock;
4717 	}
4718 
4719 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_ADVERTISING, hdev, data, len);
4720 	if (!cmd) {
4721 		err = -ENOMEM;
4722 		goto unlock;
4723 	}
4724 
4725 	hci_req_init(&req, hdev);
4726 
4727 	if (cp->val == 0x02)
4728 		hci_dev_set_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
4729 	else
4730 		hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
4731 
4732 	cancel_adv_timeout(hdev);
4733 
4734 	if (val) {
4735 		/* Switch to instance "0" for the Set Advertising setting.
4736 		 * We cannot use update_[adv|scan_rsp]_data() here as the
4737 		 * HCI_ADVERTISING flag is not yet set.
4738 		 */
4739 		hdev->cur_adv_instance = 0x00;
4740 
4741 		if (ext_adv_capable(hdev)) {
4742 			__hci_req_start_ext_adv(&req, 0x00);
4743 		} else {
4744 			__hci_req_update_adv_data(&req, 0x00);
4745 			__hci_req_update_scan_rsp_data(&req, 0x00);
4746 			__hci_req_enable_advertising(&req);
4747 		}
4748 	} else {
4749 		__hci_req_disable_advertising(&req);
4750 	}
4751 
4752 	err = hci_req_run(&req, set_advertising_complete);
4753 	if (err < 0)
4754 		mgmt_pending_remove(cmd);
4755 
4756 unlock:
4757 	hci_dev_unlock(hdev);
4758 	return err;
4759 }
4760 
4761 static int set_static_address(struct sock *sk, struct hci_dev *hdev,
4762 			      void *data, u16 len)
4763 {
4764 	struct mgmt_cp_set_static_address *cp = data;
4765 	int err;
4766 
4767 	bt_dev_dbg(hdev, "sock %p", sk);
4768 
4769 	if (!lmp_le_capable(hdev))
4770 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_STATIC_ADDRESS,
4771 				       MGMT_STATUS_NOT_SUPPORTED);
4772 
4773 	if (hdev_is_powered(hdev))
4774 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_STATIC_ADDRESS,
4775 				       MGMT_STATUS_REJECTED);
4776 
4777 	if (bacmp(&cp->bdaddr, BDADDR_ANY)) {
4778 		if (!bacmp(&cp->bdaddr, BDADDR_NONE))
4779 			return mgmt_cmd_status(sk, hdev->id,
4780 					       MGMT_OP_SET_STATIC_ADDRESS,
4781 					       MGMT_STATUS_INVALID_PARAMS);
4782 
4783 		/* Two most significant bits shall be set */
4784 		if ((cp->bdaddr.b[5] & 0xc0) != 0xc0)
4785 			return mgmt_cmd_status(sk, hdev->id,
4786 					       MGMT_OP_SET_STATIC_ADDRESS,
4787 					       MGMT_STATUS_INVALID_PARAMS);
4788 	}
4789 
4790 	hci_dev_lock(hdev);
4791 
4792 	bacpy(&hdev->static_addr, &cp->bdaddr);
4793 
4794 	err = send_settings_rsp(sk, MGMT_OP_SET_STATIC_ADDRESS, hdev);
4795 	if (err < 0)
4796 		goto unlock;
4797 
4798 	err = new_settings(hdev, sk);
4799 
4800 unlock:
4801 	hci_dev_unlock(hdev);
4802 	return err;
4803 }
4804 
4805 static int set_scan_params(struct sock *sk, struct hci_dev *hdev,
4806 			   void *data, u16 len)
4807 {
4808 	struct mgmt_cp_set_scan_params *cp = data;
4809 	__u16 interval, window;
4810 	int err;
4811 
4812 	bt_dev_dbg(hdev, "sock %p", sk);
4813 
4814 	if (!lmp_le_capable(hdev))
4815 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
4816 				       MGMT_STATUS_NOT_SUPPORTED);
4817 
4818 	interval = __le16_to_cpu(cp->interval);
4819 
4820 	if (interval < 0x0004 || interval > 0x4000)
4821 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
4822 				       MGMT_STATUS_INVALID_PARAMS);
4823 
4824 	window = __le16_to_cpu(cp->window);
4825 
4826 	if (window < 0x0004 || window > 0x4000)
4827 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
4828 				       MGMT_STATUS_INVALID_PARAMS);
4829 
4830 	if (window > interval)
4831 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
4832 				       MGMT_STATUS_INVALID_PARAMS);
4833 
4834 	hci_dev_lock(hdev);
4835 
4836 	hdev->le_scan_interval = interval;
4837 	hdev->le_scan_window = window;
4838 
4839 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS, 0,
4840 				NULL, 0);
4841 
4842 	/* If background scan is running, restart it so new parameters are
4843 	 * loaded.
4844 	 */
4845 	if (hci_dev_test_flag(hdev, HCI_LE_SCAN) &&
4846 	    hdev->discovery.state == DISCOVERY_STOPPED) {
4847 		struct hci_request req;
4848 
4849 		hci_req_init(&req, hdev);
4850 
4851 		hci_req_add_le_scan_disable(&req);
4852 		hci_req_add_le_passive_scan(&req);
4853 
4854 		hci_req_run(&req, NULL);
4855 	}
4856 
4857 	hci_dev_unlock(hdev);
4858 
4859 	return err;
4860 }
4861 
4862 static void fast_connectable_complete(struct hci_dev *hdev, u8 status,
4863 				      u16 opcode)
4864 {
4865 	struct mgmt_pending_cmd *cmd;
4866 
4867 	bt_dev_dbg(hdev, "status 0x%02x", status);
4868 
4869 	hci_dev_lock(hdev);
4870 
4871 	cmd = pending_find(MGMT_OP_SET_FAST_CONNECTABLE, hdev);
4872 	if (!cmd)
4873 		goto unlock;
4874 
4875 	if (status) {
4876 		mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
4877 			        mgmt_status(status));
4878 	} else {
4879 		struct mgmt_mode *cp = cmd->param;
4880 
4881 		if (cp->val)
4882 			hci_dev_set_flag(hdev, HCI_FAST_CONNECTABLE);
4883 		else
4884 			hci_dev_clear_flag(hdev, HCI_FAST_CONNECTABLE);
4885 
4886 		send_settings_rsp(cmd->sk, MGMT_OP_SET_FAST_CONNECTABLE, hdev);
4887 		new_settings(hdev, cmd->sk);
4888 	}
4889 
4890 	mgmt_pending_remove(cmd);
4891 
4892 unlock:
4893 	hci_dev_unlock(hdev);
4894 }
4895 
4896 static int set_fast_connectable(struct sock *sk, struct hci_dev *hdev,
4897 				void *data, u16 len)
4898 {
4899 	struct mgmt_mode *cp = data;
4900 	struct mgmt_pending_cmd *cmd;
4901 	struct hci_request req;
4902 	int err;
4903 
4904 	bt_dev_dbg(hdev, "sock %p", sk);
4905 
4906 	if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) ||
4907 	    hdev->hci_ver < BLUETOOTH_VER_1_2)
4908 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
4909 				       MGMT_STATUS_NOT_SUPPORTED);
4910 
4911 	if (cp->val != 0x00 && cp->val != 0x01)
4912 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
4913 				       MGMT_STATUS_INVALID_PARAMS);
4914 
4915 	hci_dev_lock(hdev);
4916 
4917 	if (pending_find(MGMT_OP_SET_FAST_CONNECTABLE, hdev)) {
4918 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
4919 				      MGMT_STATUS_BUSY);
4920 		goto unlock;
4921 	}
4922 
4923 	if (!!cp->val == hci_dev_test_flag(hdev, HCI_FAST_CONNECTABLE)) {
4924 		err = send_settings_rsp(sk, MGMT_OP_SET_FAST_CONNECTABLE,
4925 					hdev);
4926 		goto unlock;
4927 	}
4928 
4929 	if (!hdev_is_powered(hdev)) {
4930 		hci_dev_change_flag(hdev, HCI_FAST_CONNECTABLE);
4931 		err = send_settings_rsp(sk, MGMT_OP_SET_FAST_CONNECTABLE,
4932 					hdev);
4933 		new_settings(hdev, sk);
4934 		goto unlock;
4935 	}
4936 
4937 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_FAST_CONNECTABLE, hdev,
4938 			       data, len);
4939 	if (!cmd) {
4940 		err = -ENOMEM;
4941 		goto unlock;
4942 	}
4943 
4944 	hci_req_init(&req, hdev);
4945 
4946 	__hci_req_write_fast_connectable(&req, cp->val);
4947 
4948 	err = hci_req_run(&req, fast_connectable_complete);
4949 	if (err < 0) {
4950 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
4951 				      MGMT_STATUS_FAILED);
4952 		mgmt_pending_remove(cmd);
4953 	}
4954 
4955 unlock:
4956 	hci_dev_unlock(hdev);
4957 
4958 	return err;
4959 }
4960 
4961 static void set_bredr_complete(struct hci_dev *hdev, u8 status, u16 opcode)
4962 {
4963 	struct mgmt_pending_cmd *cmd;
4964 
4965 	bt_dev_dbg(hdev, "status 0x%02x", status);
4966 
4967 	hci_dev_lock(hdev);
4968 
4969 	cmd = pending_find(MGMT_OP_SET_BREDR, hdev);
4970 	if (!cmd)
4971 		goto unlock;
4972 
4973 	if (status) {
4974 		u8 mgmt_err = mgmt_status(status);
4975 
4976 		/* We need to restore the flag if related HCI commands
4977 		 * failed.
4978 		 */
4979 		hci_dev_clear_flag(hdev, HCI_BREDR_ENABLED);
4980 
4981 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
4982 	} else {
4983 		send_settings_rsp(cmd->sk, MGMT_OP_SET_BREDR, hdev);
4984 		new_settings(hdev, cmd->sk);
4985 	}
4986 
4987 	mgmt_pending_remove(cmd);
4988 
4989 unlock:
4990 	hci_dev_unlock(hdev);
4991 }
4992 
4993 static int set_bredr(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
4994 {
4995 	struct mgmt_mode *cp = data;
4996 	struct mgmt_pending_cmd *cmd;
4997 	struct hci_request req;
4998 	int err;
4999 
5000 	bt_dev_dbg(hdev, "sock %p", sk);
5001 
5002 	if (!lmp_bredr_capable(hdev) || !lmp_le_capable(hdev))
5003 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
5004 				       MGMT_STATUS_NOT_SUPPORTED);
5005 
5006 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
5007 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
5008 				       MGMT_STATUS_REJECTED);
5009 
5010 	if (cp->val != 0x00 && cp->val != 0x01)
5011 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
5012 				       MGMT_STATUS_INVALID_PARAMS);
5013 
5014 	hci_dev_lock(hdev);
5015 
5016 	if (cp->val == hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
5017 		err = send_settings_rsp(sk, MGMT_OP_SET_BREDR, hdev);
5018 		goto unlock;
5019 	}
5020 
5021 	if (!hdev_is_powered(hdev)) {
5022 		if (!cp->val) {
5023 			hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
5024 			hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
5025 			hci_dev_clear_flag(hdev, HCI_LINK_SECURITY);
5026 			hci_dev_clear_flag(hdev, HCI_FAST_CONNECTABLE);
5027 			hci_dev_clear_flag(hdev, HCI_HS_ENABLED);
5028 		}
5029 
5030 		hci_dev_change_flag(hdev, HCI_BREDR_ENABLED);
5031 
5032 		err = send_settings_rsp(sk, MGMT_OP_SET_BREDR, hdev);
5033 		if (err < 0)
5034 			goto unlock;
5035 
5036 		err = new_settings(hdev, sk);
5037 		goto unlock;
5038 	}
5039 
5040 	/* Reject disabling when powered on */
5041 	if (!cp->val) {
5042 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
5043 				      MGMT_STATUS_REJECTED);
5044 		goto unlock;
5045 	} else {
5046 		/* When configuring a dual-mode controller to operate
5047 		 * with LE only and using a static address, then switching
5048 		 * BR/EDR back on is not allowed.
5049 		 *
5050 		 * Dual-mode controllers shall operate with the public
5051 		 * address as its identity address for BR/EDR and LE. So
5052 		 * reject the attempt to create an invalid configuration.
5053 		 *
5054 		 * The same restrictions applies when secure connections
5055 		 * has been enabled. For BR/EDR this is a controller feature
5056 		 * while for LE it is a host stack feature. This means that
5057 		 * switching BR/EDR back on when secure connections has been
5058 		 * enabled is not a supported transaction.
5059 		 */
5060 		if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
5061 		    (bacmp(&hdev->static_addr, BDADDR_ANY) ||
5062 		     hci_dev_test_flag(hdev, HCI_SC_ENABLED))) {
5063 			err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
5064 					      MGMT_STATUS_REJECTED);
5065 			goto unlock;
5066 		}
5067 	}
5068 
5069 	if (pending_find(MGMT_OP_SET_BREDR, hdev)) {
5070 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
5071 				      MGMT_STATUS_BUSY);
5072 		goto unlock;
5073 	}
5074 
5075 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_BREDR, hdev, data, len);
5076 	if (!cmd) {
5077 		err = -ENOMEM;
5078 		goto unlock;
5079 	}
5080 
5081 	/* We need to flip the bit already here so that
5082 	 * hci_req_update_adv_data generates the correct flags.
5083 	 */
5084 	hci_dev_set_flag(hdev, HCI_BREDR_ENABLED);
5085 
5086 	hci_req_init(&req, hdev);
5087 
5088 	__hci_req_write_fast_connectable(&req, false);
5089 	__hci_req_update_scan(&req);
5090 
5091 	/* Since only the advertising data flags will change, there
5092 	 * is no need to update the scan response data.
5093 	 */
5094 	__hci_req_update_adv_data(&req, hdev->cur_adv_instance);
5095 
5096 	err = hci_req_run(&req, set_bredr_complete);
5097 	if (err < 0)
5098 		mgmt_pending_remove(cmd);
5099 
5100 unlock:
5101 	hci_dev_unlock(hdev);
5102 	return err;
5103 }
5104 
5105 static void sc_enable_complete(struct hci_dev *hdev, u8 status, u16 opcode)
5106 {
5107 	struct mgmt_pending_cmd *cmd;
5108 	struct mgmt_mode *cp;
5109 
5110 	bt_dev_dbg(hdev, "status %u", status);
5111 
5112 	hci_dev_lock(hdev);
5113 
5114 	cmd = pending_find(MGMT_OP_SET_SECURE_CONN, hdev);
5115 	if (!cmd)
5116 		goto unlock;
5117 
5118 	if (status) {
5119 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode,
5120 			        mgmt_status(status));
5121 		goto remove;
5122 	}
5123 
5124 	cp = cmd->param;
5125 
5126 	switch (cp->val) {
5127 	case 0x00:
5128 		hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
5129 		hci_dev_clear_flag(hdev, HCI_SC_ONLY);
5130 		break;
5131 	case 0x01:
5132 		hci_dev_set_flag(hdev, HCI_SC_ENABLED);
5133 		hci_dev_clear_flag(hdev, HCI_SC_ONLY);
5134 		break;
5135 	case 0x02:
5136 		hci_dev_set_flag(hdev, HCI_SC_ENABLED);
5137 		hci_dev_set_flag(hdev, HCI_SC_ONLY);
5138 		break;
5139 	}
5140 
5141 	send_settings_rsp(cmd->sk, MGMT_OP_SET_SECURE_CONN, hdev);
5142 	new_settings(hdev, cmd->sk);
5143 
5144 remove:
5145 	mgmt_pending_remove(cmd);
5146 unlock:
5147 	hci_dev_unlock(hdev);
5148 }
5149 
5150 static int set_secure_conn(struct sock *sk, struct hci_dev *hdev,
5151 			   void *data, u16 len)
5152 {
5153 	struct mgmt_mode *cp = data;
5154 	struct mgmt_pending_cmd *cmd;
5155 	struct hci_request req;
5156 	u8 val;
5157 	int err;
5158 
5159 	bt_dev_dbg(hdev, "sock %p", sk);
5160 
5161 	if (!lmp_sc_capable(hdev) &&
5162 	    !hci_dev_test_flag(hdev, HCI_LE_ENABLED))
5163 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
5164 				       MGMT_STATUS_NOT_SUPPORTED);
5165 
5166 	if (hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
5167 	    lmp_sc_capable(hdev) &&
5168 	    !hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
5169 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
5170 				       MGMT_STATUS_REJECTED);
5171 
5172 	if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
5173 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
5174 				  MGMT_STATUS_INVALID_PARAMS);
5175 
5176 	hci_dev_lock(hdev);
5177 
5178 	if (!hdev_is_powered(hdev) || !lmp_sc_capable(hdev) ||
5179 	    !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
5180 		bool changed;
5181 
5182 		if (cp->val) {
5183 			changed = !hci_dev_test_and_set_flag(hdev,
5184 							     HCI_SC_ENABLED);
5185 			if (cp->val == 0x02)
5186 				hci_dev_set_flag(hdev, HCI_SC_ONLY);
5187 			else
5188 				hci_dev_clear_flag(hdev, HCI_SC_ONLY);
5189 		} else {
5190 			changed = hci_dev_test_and_clear_flag(hdev,
5191 							      HCI_SC_ENABLED);
5192 			hci_dev_clear_flag(hdev, HCI_SC_ONLY);
5193 		}
5194 
5195 		err = send_settings_rsp(sk, MGMT_OP_SET_SECURE_CONN, hdev);
5196 		if (err < 0)
5197 			goto failed;
5198 
5199 		if (changed)
5200 			err = new_settings(hdev, sk);
5201 
5202 		goto failed;
5203 	}
5204 
5205 	if (pending_find(MGMT_OP_SET_SECURE_CONN, hdev)) {
5206 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
5207 				      MGMT_STATUS_BUSY);
5208 		goto failed;
5209 	}
5210 
5211 	val = !!cp->val;
5212 
5213 	if (val == hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
5214 	    (cp->val == 0x02) == hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
5215 		err = send_settings_rsp(sk, MGMT_OP_SET_SECURE_CONN, hdev);
5216 		goto failed;
5217 	}
5218 
5219 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_SECURE_CONN, hdev, data, len);
5220 	if (!cmd) {
5221 		err = -ENOMEM;
5222 		goto failed;
5223 	}
5224 
5225 	hci_req_init(&req, hdev);
5226 	hci_req_add(&req, HCI_OP_WRITE_SC_SUPPORT, 1, &val);
5227 	err = hci_req_run(&req, sc_enable_complete);
5228 	if (err < 0) {
5229 		mgmt_pending_remove(cmd);
5230 		goto failed;
5231 	}
5232 
5233 failed:
5234 	hci_dev_unlock(hdev);
5235 	return err;
5236 }
5237 
5238 static int set_debug_keys(struct sock *sk, struct hci_dev *hdev,
5239 			  void *data, u16 len)
5240 {
5241 	struct mgmt_mode *cp = data;
5242 	bool changed, use_changed;
5243 	int err;
5244 
5245 	bt_dev_dbg(hdev, "sock %p", sk);
5246 
5247 	if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
5248 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEBUG_KEYS,
5249 				       MGMT_STATUS_INVALID_PARAMS);
5250 
5251 	hci_dev_lock(hdev);
5252 
5253 	if (cp->val)
5254 		changed = !hci_dev_test_and_set_flag(hdev, HCI_KEEP_DEBUG_KEYS);
5255 	else
5256 		changed = hci_dev_test_and_clear_flag(hdev,
5257 						      HCI_KEEP_DEBUG_KEYS);
5258 
5259 	if (cp->val == 0x02)
5260 		use_changed = !hci_dev_test_and_set_flag(hdev,
5261 							 HCI_USE_DEBUG_KEYS);
5262 	else
5263 		use_changed = hci_dev_test_and_clear_flag(hdev,
5264 							  HCI_USE_DEBUG_KEYS);
5265 
5266 	if (hdev_is_powered(hdev) && use_changed &&
5267 	    hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
5268 		u8 mode = (cp->val == 0x02) ? 0x01 : 0x00;
5269 		hci_send_cmd(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE,
5270 			     sizeof(mode), &mode);
5271 	}
5272 
5273 	err = send_settings_rsp(sk, MGMT_OP_SET_DEBUG_KEYS, hdev);
5274 	if (err < 0)
5275 		goto unlock;
5276 
5277 	if (changed)
5278 		err = new_settings(hdev, sk);
5279 
5280 unlock:
5281 	hci_dev_unlock(hdev);
5282 	return err;
5283 }
5284 
5285 static int set_privacy(struct sock *sk, struct hci_dev *hdev, void *cp_data,
5286 		       u16 len)
5287 {
5288 	struct mgmt_cp_set_privacy *cp = cp_data;
5289 	bool changed;
5290 	int err;
5291 
5292 	bt_dev_dbg(hdev, "sock %p", sk);
5293 
5294 	if (!lmp_le_capable(hdev))
5295 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PRIVACY,
5296 				       MGMT_STATUS_NOT_SUPPORTED);
5297 
5298 	if (cp->privacy != 0x00 && cp->privacy != 0x01 && cp->privacy != 0x02)
5299 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PRIVACY,
5300 				       MGMT_STATUS_INVALID_PARAMS);
5301 
5302 	if (hdev_is_powered(hdev))
5303 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PRIVACY,
5304 				       MGMT_STATUS_REJECTED);
5305 
5306 	hci_dev_lock(hdev);
5307 
5308 	/* If user space supports this command it is also expected to
5309 	 * handle IRKs. Therefore, set the HCI_RPA_RESOLVING flag.
5310 	 */
5311 	hci_dev_set_flag(hdev, HCI_RPA_RESOLVING);
5312 
5313 	if (cp->privacy) {
5314 		changed = !hci_dev_test_and_set_flag(hdev, HCI_PRIVACY);
5315 		memcpy(hdev->irk, cp->irk, sizeof(hdev->irk));
5316 		hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
5317 		hci_adv_instances_set_rpa_expired(hdev, true);
5318 		if (cp->privacy == 0x02)
5319 			hci_dev_set_flag(hdev, HCI_LIMITED_PRIVACY);
5320 		else
5321 			hci_dev_clear_flag(hdev, HCI_LIMITED_PRIVACY);
5322 	} else {
5323 		changed = hci_dev_test_and_clear_flag(hdev, HCI_PRIVACY);
5324 		memset(hdev->irk, 0, sizeof(hdev->irk));
5325 		hci_dev_clear_flag(hdev, HCI_RPA_EXPIRED);
5326 		hci_adv_instances_set_rpa_expired(hdev, false);
5327 		hci_dev_clear_flag(hdev, HCI_LIMITED_PRIVACY);
5328 	}
5329 
5330 	err = send_settings_rsp(sk, MGMT_OP_SET_PRIVACY, hdev);
5331 	if (err < 0)
5332 		goto unlock;
5333 
5334 	if (changed)
5335 		err = new_settings(hdev, sk);
5336 
5337 unlock:
5338 	hci_dev_unlock(hdev);
5339 	return err;
5340 }
5341 
5342 static bool irk_is_valid(struct mgmt_irk_info *irk)
5343 {
5344 	switch (irk->addr.type) {
5345 	case BDADDR_LE_PUBLIC:
5346 		return true;
5347 
5348 	case BDADDR_LE_RANDOM:
5349 		/* Two most significant bits shall be set */
5350 		if ((irk->addr.bdaddr.b[5] & 0xc0) != 0xc0)
5351 			return false;
5352 		return true;
5353 	}
5354 
5355 	return false;
5356 }
5357 
5358 static int load_irks(struct sock *sk, struct hci_dev *hdev, void *cp_data,
5359 		     u16 len)
5360 {
5361 	struct mgmt_cp_load_irks *cp = cp_data;
5362 	const u16 max_irk_count = ((U16_MAX - sizeof(*cp)) /
5363 				   sizeof(struct mgmt_irk_info));
5364 	u16 irk_count, expected_len;
5365 	int i, err;
5366 
5367 	bt_dev_dbg(hdev, "sock %p", sk);
5368 
5369 	if (!lmp_le_capable(hdev))
5370 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_IRKS,
5371 				       MGMT_STATUS_NOT_SUPPORTED);
5372 
5373 	irk_count = __le16_to_cpu(cp->irk_count);
5374 	if (irk_count > max_irk_count) {
5375 		bt_dev_err(hdev, "load_irks: too big irk_count value %u",
5376 			   irk_count);
5377 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_IRKS,
5378 				       MGMT_STATUS_INVALID_PARAMS);
5379 	}
5380 
5381 	expected_len = struct_size(cp, irks, irk_count);
5382 	if (expected_len != len) {
5383 		bt_dev_err(hdev, "load_irks: expected %u bytes, got %u bytes",
5384 			   expected_len, len);
5385 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_IRKS,
5386 				       MGMT_STATUS_INVALID_PARAMS);
5387 	}
5388 
5389 	bt_dev_dbg(hdev, "irk_count %u", irk_count);
5390 
5391 	for (i = 0; i < irk_count; i++) {
5392 		struct mgmt_irk_info *key = &cp->irks[i];
5393 
5394 		if (!irk_is_valid(key))
5395 			return mgmt_cmd_status(sk, hdev->id,
5396 					       MGMT_OP_LOAD_IRKS,
5397 					       MGMT_STATUS_INVALID_PARAMS);
5398 	}
5399 
5400 	hci_dev_lock(hdev);
5401 
5402 	hci_smp_irks_clear(hdev);
5403 
5404 	for (i = 0; i < irk_count; i++) {
5405 		struct mgmt_irk_info *irk = &cp->irks[i];
5406 
5407 		if (hci_is_blocked_key(hdev,
5408 				       HCI_BLOCKED_KEY_TYPE_IRK,
5409 				       irk->val)) {
5410 			bt_dev_warn(hdev, "Skipping blocked IRK for %pMR",
5411 				    &irk->addr.bdaddr);
5412 			continue;
5413 		}
5414 
5415 		hci_add_irk(hdev, &irk->addr.bdaddr,
5416 			    le_addr_type(irk->addr.type), irk->val,
5417 			    BDADDR_ANY);
5418 	}
5419 
5420 	hci_dev_set_flag(hdev, HCI_RPA_RESOLVING);
5421 
5422 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_IRKS, 0, NULL, 0);
5423 
5424 	hci_dev_unlock(hdev);
5425 
5426 	return err;
5427 }
5428 
5429 static bool ltk_is_valid(struct mgmt_ltk_info *key)
5430 {
5431 	if (key->master != 0x00 && key->master != 0x01)
5432 		return false;
5433 
5434 	switch (key->addr.type) {
5435 	case BDADDR_LE_PUBLIC:
5436 		return true;
5437 
5438 	case BDADDR_LE_RANDOM:
5439 		/* Two most significant bits shall be set */
5440 		if ((key->addr.bdaddr.b[5] & 0xc0) != 0xc0)
5441 			return false;
5442 		return true;
5443 	}
5444 
5445 	return false;
5446 }
5447 
5448 static int load_long_term_keys(struct sock *sk, struct hci_dev *hdev,
5449 			       void *cp_data, u16 len)
5450 {
5451 	struct mgmt_cp_load_long_term_keys *cp = cp_data;
5452 	const u16 max_key_count = ((U16_MAX - sizeof(*cp)) /
5453 				   sizeof(struct mgmt_ltk_info));
5454 	u16 key_count, expected_len;
5455 	int i, err;
5456 
5457 	bt_dev_dbg(hdev, "sock %p", sk);
5458 
5459 	if (!lmp_le_capable(hdev))
5460 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS,
5461 				       MGMT_STATUS_NOT_SUPPORTED);
5462 
5463 	key_count = __le16_to_cpu(cp->key_count);
5464 	if (key_count > max_key_count) {
5465 		bt_dev_err(hdev, "load_ltks: too big key_count value %u",
5466 			   key_count);
5467 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS,
5468 				       MGMT_STATUS_INVALID_PARAMS);
5469 	}
5470 
5471 	expected_len = struct_size(cp, keys, key_count);
5472 	if (expected_len != len) {
5473 		bt_dev_err(hdev, "load_keys: expected %u bytes, got %u bytes",
5474 			   expected_len, len);
5475 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS,
5476 				       MGMT_STATUS_INVALID_PARAMS);
5477 	}
5478 
5479 	bt_dev_dbg(hdev, "key_count %u", key_count);
5480 
5481 	for (i = 0; i < key_count; i++) {
5482 		struct mgmt_ltk_info *key = &cp->keys[i];
5483 
5484 		if (!ltk_is_valid(key))
5485 			return mgmt_cmd_status(sk, hdev->id,
5486 					       MGMT_OP_LOAD_LONG_TERM_KEYS,
5487 					       MGMT_STATUS_INVALID_PARAMS);
5488 	}
5489 
5490 	hci_dev_lock(hdev);
5491 
5492 	hci_smp_ltks_clear(hdev);
5493 
5494 	for (i = 0; i < key_count; i++) {
5495 		struct mgmt_ltk_info *key = &cp->keys[i];
5496 		u8 type, authenticated;
5497 
5498 		if (hci_is_blocked_key(hdev,
5499 				       HCI_BLOCKED_KEY_TYPE_LTK,
5500 				       key->val)) {
5501 			bt_dev_warn(hdev, "Skipping blocked LTK for %pMR",
5502 				    &key->addr.bdaddr);
5503 			continue;
5504 		}
5505 
5506 		switch (key->type) {
5507 		case MGMT_LTK_UNAUTHENTICATED:
5508 			authenticated = 0x00;
5509 			type = key->master ? SMP_LTK : SMP_LTK_SLAVE;
5510 			break;
5511 		case MGMT_LTK_AUTHENTICATED:
5512 			authenticated = 0x01;
5513 			type = key->master ? SMP_LTK : SMP_LTK_SLAVE;
5514 			break;
5515 		case MGMT_LTK_P256_UNAUTH:
5516 			authenticated = 0x00;
5517 			type = SMP_LTK_P256;
5518 			break;
5519 		case MGMT_LTK_P256_AUTH:
5520 			authenticated = 0x01;
5521 			type = SMP_LTK_P256;
5522 			break;
5523 		case MGMT_LTK_P256_DEBUG:
5524 			authenticated = 0x00;
5525 			type = SMP_LTK_P256_DEBUG;
5526 			/* fall through */
5527 		default:
5528 			continue;
5529 		}
5530 
5531 		hci_add_ltk(hdev, &key->addr.bdaddr,
5532 			    le_addr_type(key->addr.type), type, authenticated,
5533 			    key->val, key->enc_size, key->ediv, key->rand);
5534 	}
5535 
5536 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS, 0,
5537 			   NULL, 0);
5538 
5539 	hci_dev_unlock(hdev);
5540 
5541 	return err;
5542 }
5543 
5544 static int conn_info_cmd_complete(struct mgmt_pending_cmd *cmd, u8 status)
5545 {
5546 	struct hci_conn *conn = cmd->user_data;
5547 	struct mgmt_rp_get_conn_info rp;
5548 	int err;
5549 
5550 	memcpy(&rp.addr, cmd->param, sizeof(rp.addr));
5551 
5552 	if (status == MGMT_STATUS_SUCCESS) {
5553 		rp.rssi = conn->rssi;
5554 		rp.tx_power = conn->tx_power;
5555 		rp.max_tx_power = conn->max_tx_power;
5556 	} else {
5557 		rp.rssi = HCI_RSSI_INVALID;
5558 		rp.tx_power = HCI_TX_POWER_INVALID;
5559 		rp.max_tx_power = HCI_TX_POWER_INVALID;
5560 	}
5561 
5562 	err = mgmt_cmd_complete(cmd->sk, cmd->index, MGMT_OP_GET_CONN_INFO,
5563 				status, &rp, sizeof(rp));
5564 
5565 	hci_conn_drop(conn);
5566 	hci_conn_put(conn);
5567 
5568 	return err;
5569 }
5570 
5571 static void conn_info_refresh_complete(struct hci_dev *hdev, u8 hci_status,
5572 				       u16 opcode)
5573 {
5574 	struct hci_cp_read_rssi *cp;
5575 	struct mgmt_pending_cmd *cmd;
5576 	struct hci_conn *conn;
5577 	u16 handle;
5578 	u8 status;
5579 
5580 	bt_dev_dbg(hdev, "status 0x%02x", hci_status);
5581 
5582 	hci_dev_lock(hdev);
5583 
5584 	/* Commands sent in request are either Read RSSI or Read Transmit Power
5585 	 * Level so we check which one was last sent to retrieve connection
5586 	 * handle.  Both commands have handle as first parameter so it's safe to
5587 	 * cast data on the same command struct.
5588 	 *
5589 	 * First command sent is always Read RSSI and we fail only if it fails.
5590 	 * In other case we simply override error to indicate success as we
5591 	 * already remembered if TX power value is actually valid.
5592 	 */
5593 	cp = hci_sent_cmd_data(hdev, HCI_OP_READ_RSSI);
5594 	if (!cp) {
5595 		cp = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
5596 		status = MGMT_STATUS_SUCCESS;
5597 	} else {
5598 		status = mgmt_status(hci_status);
5599 	}
5600 
5601 	if (!cp) {
5602 		bt_dev_err(hdev, "invalid sent_cmd in conn_info response");
5603 		goto unlock;
5604 	}
5605 
5606 	handle = __le16_to_cpu(cp->handle);
5607 	conn = hci_conn_hash_lookup_handle(hdev, handle);
5608 	if (!conn) {
5609 		bt_dev_err(hdev, "unknown handle (%d) in conn_info response",
5610 			   handle);
5611 		goto unlock;
5612 	}
5613 
5614 	cmd = pending_find_data(MGMT_OP_GET_CONN_INFO, hdev, conn);
5615 	if (!cmd)
5616 		goto unlock;
5617 
5618 	cmd->cmd_complete(cmd, status);
5619 	mgmt_pending_remove(cmd);
5620 
5621 unlock:
5622 	hci_dev_unlock(hdev);
5623 }
5624 
5625 static int get_conn_info(struct sock *sk, struct hci_dev *hdev, void *data,
5626 			 u16 len)
5627 {
5628 	struct mgmt_cp_get_conn_info *cp = data;
5629 	struct mgmt_rp_get_conn_info rp;
5630 	struct hci_conn *conn;
5631 	unsigned long conn_info_age;
5632 	int err = 0;
5633 
5634 	bt_dev_dbg(hdev, "sock %p", sk);
5635 
5636 	memset(&rp, 0, sizeof(rp));
5637 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
5638 	rp.addr.type = cp->addr.type;
5639 
5640 	if (!bdaddr_type_is_valid(cp->addr.type))
5641 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
5642 					 MGMT_STATUS_INVALID_PARAMS,
5643 					 &rp, sizeof(rp));
5644 
5645 	hci_dev_lock(hdev);
5646 
5647 	if (!hdev_is_powered(hdev)) {
5648 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
5649 					MGMT_STATUS_NOT_POWERED, &rp,
5650 					sizeof(rp));
5651 		goto unlock;
5652 	}
5653 
5654 	if (cp->addr.type == BDADDR_BREDR)
5655 		conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
5656 					       &cp->addr.bdaddr);
5657 	else
5658 		conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->addr.bdaddr);
5659 
5660 	if (!conn || conn->state != BT_CONNECTED) {
5661 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
5662 					MGMT_STATUS_NOT_CONNECTED, &rp,
5663 					sizeof(rp));
5664 		goto unlock;
5665 	}
5666 
5667 	if (pending_find_data(MGMT_OP_GET_CONN_INFO, hdev, conn)) {
5668 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
5669 					MGMT_STATUS_BUSY, &rp, sizeof(rp));
5670 		goto unlock;
5671 	}
5672 
5673 	/* To avoid client trying to guess when to poll again for information we
5674 	 * calculate conn info age as random value between min/max set in hdev.
5675 	 */
5676 	conn_info_age = hdev->conn_info_min_age +
5677 			prandom_u32_max(hdev->conn_info_max_age -
5678 					hdev->conn_info_min_age);
5679 
5680 	/* Query controller to refresh cached values if they are too old or were
5681 	 * never read.
5682 	 */
5683 	if (time_after(jiffies, conn->conn_info_timestamp +
5684 		       msecs_to_jiffies(conn_info_age)) ||
5685 	    !conn->conn_info_timestamp) {
5686 		struct hci_request req;
5687 		struct hci_cp_read_tx_power req_txp_cp;
5688 		struct hci_cp_read_rssi req_rssi_cp;
5689 		struct mgmt_pending_cmd *cmd;
5690 
5691 		hci_req_init(&req, hdev);
5692 		req_rssi_cp.handle = cpu_to_le16(conn->handle);
5693 		hci_req_add(&req, HCI_OP_READ_RSSI, sizeof(req_rssi_cp),
5694 			    &req_rssi_cp);
5695 
5696 		/* For LE links TX power does not change thus we don't need to
5697 		 * query for it once value is known.
5698 		 */
5699 		if (!bdaddr_type_is_le(cp->addr.type) ||
5700 		    conn->tx_power == HCI_TX_POWER_INVALID) {
5701 			req_txp_cp.handle = cpu_to_le16(conn->handle);
5702 			req_txp_cp.type = 0x00;
5703 			hci_req_add(&req, HCI_OP_READ_TX_POWER,
5704 				    sizeof(req_txp_cp), &req_txp_cp);
5705 		}
5706 
5707 		/* Max TX power needs to be read only once per connection */
5708 		if (conn->max_tx_power == HCI_TX_POWER_INVALID) {
5709 			req_txp_cp.handle = cpu_to_le16(conn->handle);
5710 			req_txp_cp.type = 0x01;
5711 			hci_req_add(&req, HCI_OP_READ_TX_POWER,
5712 				    sizeof(req_txp_cp), &req_txp_cp);
5713 		}
5714 
5715 		err = hci_req_run(&req, conn_info_refresh_complete);
5716 		if (err < 0)
5717 			goto unlock;
5718 
5719 		cmd = mgmt_pending_add(sk, MGMT_OP_GET_CONN_INFO, hdev,
5720 				       data, len);
5721 		if (!cmd) {
5722 			err = -ENOMEM;
5723 			goto unlock;
5724 		}
5725 
5726 		hci_conn_hold(conn);
5727 		cmd->user_data = hci_conn_get(conn);
5728 		cmd->cmd_complete = conn_info_cmd_complete;
5729 
5730 		conn->conn_info_timestamp = jiffies;
5731 	} else {
5732 		/* Cache is valid, just reply with values cached in hci_conn */
5733 		rp.rssi = conn->rssi;
5734 		rp.tx_power = conn->tx_power;
5735 		rp.max_tx_power = conn->max_tx_power;
5736 
5737 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
5738 					MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
5739 	}
5740 
5741 unlock:
5742 	hci_dev_unlock(hdev);
5743 	return err;
5744 }
5745 
5746 static int clock_info_cmd_complete(struct mgmt_pending_cmd *cmd, u8 status)
5747 {
5748 	struct hci_conn *conn = cmd->user_data;
5749 	struct mgmt_rp_get_clock_info rp;
5750 	struct hci_dev *hdev;
5751 	int err;
5752 
5753 	memset(&rp, 0, sizeof(rp));
5754 	memcpy(&rp.addr, cmd->param, sizeof(rp.addr));
5755 
5756 	if (status)
5757 		goto complete;
5758 
5759 	hdev = hci_dev_get(cmd->index);
5760 	if (hdev) {
5761 		rp.local_clock = cpu_to_le32(hdev->clock);
5762 		hci_dev_put(hdev);
5763 	}
5764 
5765 	if (conn) {
5766 		rp.piconet_clock = cpu_to_le32(conn->clock);
5767 		rp.accuracy = cpu_to_le16(conn->clock_accuracy);
5768 	}
5769 
5770 complete:
5771 	err = mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status, &rp,
5772 				sizeof(rp));
5773 
5774 	if (conn) {
5775 		hci_conn_drop(conn);
5776 		hci_conn_put(conn);
5777 	}
5778 
5779 	return err;
5780 }
5781 
5782 static void get_clock_info_complete(struct hci_dev *hdev, u8 status, u16 opcode)
5783 {
5784 	struct hci_cp_read_clock *hci_cp;
5785 	struct mgmt_pending_cmd *cmd;
5786 	struct hci_conn *conn;
5787 
5788 	bt_dev_dbg(hdev, "status %u", status);
5789 
5790 	hci_dev_lock(hdev);
5791 
5792 	hci_cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
5793 	if (!hci_cp)
5794 		goto unlock;
5795 
5796 	if (hci_cp->which) {
5797 		u16 handle = __le16_to_cpu(hci_cp->handle);
5798 		conn = hci_conn_hash_lookup_handle(hdev, handle);
5799 	} else {
5800 		conn = NULL;
5801 	}
5802 
5803 	cmd = pending_find_data(MGMT_OP_GET_CLOCK_INFO, hdev, conn);
5804 	if (!cmd)
5805 		goto unlock;
5806 
5807 	cmd->cmd_complete(cmd, mgmt_status(status));
5808 	mgmt_pending_remove(cmd);
5809 
5810 unlock:
5811 	hci_dev_unlock(hdev);
5812 }
5813 
5814 static int get_clock_info(struct sock *sk, struct hci_dev *hdev, void *data,
5815 			 u16 len)
5816 {
5817 	struct mgmt_cp_get_clock_info *cp = data;
5818 	struct mgmt_rp_get_clock_info rp;
5819 	struct hci_cp_read_clock hci_cp;
5820 	struct mgmt_pending_cmd *cmd;
5821 	struct hci_request req;
5822 	struct hci_conn *conn;
5823 	int err;
5824 
5825 	bt_dev_dbg(hdev, "sock %p", sk);
5826 
5827 	memset(&rp, 0, sizeof(rp));
5828 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
5829 	rp.addr.type = cp->addr.type;
5830 
5831 	if (cp->addr.type != BDADDR_BREDR)
5832 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CLOCK_INFO,
5833 					 MGMT_STATUS_INVALID_PARAMS,
5834 					 &rp, sizeof(rp));
5835 
5836 	hci_dev_lock(hdev);
5837 
5838 	if (!hdev_is_powered(hdev)) {
5839 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CLOCK_INFO,
5840 					MGMT_STATUS_NOT_POWERED, &rp,
5841 					sizeof(rp));
5842 		goto unlock;
5843 	}
5844 
5845 	if (bacmp(&cp->addr.bdaddr, BDADDR_ANY)) {
5846 		conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
5847 					       &cp->addr.bdaddr);
5848 		if (!conn || conn->state != BT_CONNECTED) {
5849 			err = mgmt_cmd_complete(sk, hdev->id,
5850 						MGMT_OP_GET_CLOCK_INFO,
5851 						MGMT_STATUS_NOT_CONNECTED,
5852 						&rp, sizeof(rp));
5853 			goto unlock;
5854 		}
5855 	} else {
5856 		conn = NULL;
5857 	}
5858 
5859 	cmd = mgmt_pending_add(sk, MGMT_OP_GET_CLOCK_INFO, hdev, data, len);
5860 	if (!cmd) {
5861 		err = -ENOMEM;
5862 		goto unlock;
5863 	}
5864 
5865 	cmd->cmd_complete = clock_info_cmd_complete;
5866 
5867 	hci_req_init(&req, hdev);
5868 
5869 	memset(&hci_cp, 0, sizeof(hci_cp));
5870 	hci_req_add(&req, HCI_OP_READ_CLOCK, sizeof(hci_cp), &hci_cp);
5871 
5872 	if (conn) {
5873 		hci_conn_hold(conn);
5874 		cmd->user_data = hci_conn_get(conn);
5875 
5876 		hci_cp.handle = cpu_to_le16(conn->handle);
5877 		hci_cp.which = 0x01; /* Piconet clock */
5878 		hci_req_add(&req, HCI_OP_READ_CLOCK, sizeof(hci_cp), &hci_cp);
5879 	}
5880 
5881 	err = hci_req_run(&req, get_clock_info_complete);
5882 	if (err < 0)
5883 		mgmt_pending_remove(cmd);
5884 
5885 unlock:
5886 	hci_dev_unlock(hdev);
5887 	return err;
5888 }
5889 
5890 static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type)
5891 {
5892 	struct hci_conn *conn;
5893 
5894 	conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, addr);
5895 	if (!conn)
5896 		return false;
5897 
5898 	if (conn->dst_type != type)
5899 		return false;
5900 
5901 	if (conn->state != BT_CONNECTED)
5902 		return false;
5903 
5904 	return true;
5905 }
5906 
5907 /* This function requires the caller holds hdev->lock */
5908 static int hci_conn_params_set(struct hci_dev *hdev, bdaddr_t *addr,
5909 			       u8 addr_type, u8 auto_connect)
5910 {
5911 	struct hci_conn_params *params;
5912 
5913 	params = hci_conn_params_add(hdev, addr, addr_type);
5914 	if (!params)
5915 		return -EIO;
5916 
5917 	if (params->auto_connect == auto_connect)
5918 		return 0;
5919 
5920 	list_del_init(&params->action);
5921 
5922 	switch (auto_connect) {
5923 	case HCI_AUTO_CONN_DISABLED:
5924 	case HCI_AUTO_CONN_LINK_LOSS:
5925 		/* If auto connect is being disabled when we're trying to
5926 		 * connect to device, keep connecting.
5927 		 */
5928 		if (params->explicit_connect)
5929 			list_add(&params->action, &hdev->pend_le_conns);
5930 		break;
5931 	case HCI_AUTO_CONN_REPORT:
5932 		if (params->explicit_connect)
5933 			list_add(&params->action, &hdev->pend_le_conns);
5934 		else
5935 			list_add(&params->action, &hdev->pend_le_reports);
5936 		break;
5937 	case HCI_AUTO_CONN_DIRECT:
5938 	case HCI_AUTO_CONN_ALWAYS:
5939 		if (!is_connected(hdev, addr, addr_type))
5940 			list_add(&params->action, &hdev->pend_le_conns);
5941 		break;
5942 	}
5943 
5944 	params->auto_connect = auto_connect;
5945 
5946 	bt_dev_dbg(hdev, "addr %pMR (type %u) auto_connect %u",
5947 		   addr, addr_type, auto_connect);
5948 
5949 	return 0;
5950 }
5951 
5952 static void device_added(struct sock *sk, struct hci_dev *hdev,
5953 			 bdaddr_t *bdaddr, u8 type, u8 action)
5954 {
5955 	struct mgmt_ev_device_added ev;
5956 
5957 	bacpy(&ev.addr.bdaddr, bdaddr);
5958 	ev.addr.type = type;
5959 	ev.action = action;
5960 
5961 	mgmt_event(MGMT_EV_DEVICE_ADDED, hdev, &ev, sizeof(ev), sk);
5962 }
5963 
5964 static int add_device(struct sock *sk, struct hci_dev *hdev,
5965 		      void *data, u16 len)
5966 {
5967 	struct mgmt_cp_add_device *cp = data;
5968 	u8 auto_conn, addr_type;
5969 	int err;
5970 
5971 	bt_dev_dbg(hdev, "sock %p", sk);
5972 
5973 	if (!bdaddr_type_is_valid(cp->addr.type) ||
5974 	    !bacmp(&cp->addr.bdaddr, BDADDR_ANY))
5975 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
5976 					 MGMT_STATUS_INVALID_PARAMS,
5977 					 &cp->addr, sizeof(cp->addr));
5978 
5979 	if (cp->action != 0x00 && cp->action != 0x01 && cp->action != 0x02)
5980 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
5981 					 MGMT_STATUS_INVALID_PARAMS,
5982 					 &cp->addr, sizeof(cp->addr));
5983 
5984 	hci_dev_lock(hdev);
5985 
5986 	if (cp->addr.type == BDADDR_BREDR) {
5987 		/* Only incoming connections action is supported for now */
5988 		if (cp->action != 0x01) {
5989 			err = mgmt_cmd_complete(sk, hdev->id,
5990 						MGMT_OP_ADD_DEVICE,
5991 						MGMT_STATUS_INVALID_PARAMS,
5992 						&cp->addr, sizeof(cp->addr));
5993 			goto unlock;
5994 		}
5995 
5996 		err = hci_bdaddr_list_add(&hdev->whitelist, &cp->addr.bdaddr,
5997 					  cp->addr.type);
5998 		if (err)
5999 			goto unlock;
6000 
6001 		hci_req_update_scan(hdev);
6002 
6003 		goto added;
6004 	}
6005 
6006 	addr_type = le_addr_type(cp->addr.type);
6007 
6008 	if (cp->action == 0x02)
6009 		auto_conn = HCI_AUTO_CONN_ALWAYS;
6010 	else if (cp->action == 0x01)
6011 		auto_conn = HCI_AUTO_CONN_DIRECT;
6012 	else
6013 		auto_conn = HCI_AUTO_CONN_REPORT;
6014 
6015 	/* Kernel internally uses conn_params with resolvable private
6016 	 * address, but Add Device allows only identity addresses.
6017 	 * Make sure it is enforced before calling
6018 	 * hci_conn_params_lookup.
6019 	 */
6020 	if (!hci_is_identity_address(&cp->addr.bdaddr, addr_type)) {
6021 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
6022 					MGMT_STATUS_INVALID_PARAMS,
6023 					&cp->addr, sizeof(cp->addr));
6024 		goto unlock;
6025 	}
6026 
6027 	/* If the connection parameters don't exist for this device,
6028 	 * they will be created and configured with defaults.
6029 	 */
6030 	if (hci_conn_params_set(hdev, &cp->addr.bdaddr, addr_type,
6031 				auto_conn) < 0) {
6032 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
6033 					MGMT_STATUS_FAILED, &cp->addr,
6034 					sizeof(cp->addr));
6035 		goto unlock;
6036 	}
6037 
6038 	hci_update_background_scan(hdev);
6039 
6040 added:
6041 	device_added(sk, hdev, &cp->addr.bdaddr, cp->addr.type, cp->action);
6042 
6043 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
6044 				MGMT_STATUS_SUCCESS, &cp->addr,
6045 				sizeof(cp->addr));
6046 
6047 unlock:
6048 	hci_dev_unlock(hdev);
6049 	return err;
6050 }
6051 
6052 static void device_removed(struct sock *sk, struct hci_dev *hdev,
6053 			   bdaddr_t *bdaddr, u8 type)
6054 {
6055 	struct mgmt_ev_device_removed ev;
6056 
6057 	bacpy(&ev.addr.bdaddr, bdaddr);
6058 	ev.addr.type = type;
6059 
6060 	mgmt_event(MGMT_EV_DEVICE_REMOVED, hdev, &ev, sizeof(ev), sk);
6061 }
6062 
6063 static int remove_device(struct sock *sk, struct hci_dev *hdev,
6064 			 void *data, u16 len)
6065 {
6066 	struct mgmt_cp_remove_device *cp = data;
6067 	int err;
6068 
6069 	bt_dev_dbg(hdev, "sock %p", sk);
6070 
6071 	hci_dev_lock(hdev);
6072 
6073 	if (bacmp(&cp->addr.bdaddr, BDADDR_ANY)) {
6074 		struct hci_conn_params *params;
6075 		u8 addr_type;
6076 
6077 		if (!bdaddr_type_is_valid(cp->addr.type)) {
6078 			err = mgmt_cmd_complete(sk, hdev->id,
6079 						MGMT_OP_REMOVE_DEVICE,
6080 						MGMT_STATUS_INVALID_PARAMS,
6081 						&cp->addr, sizeof(cp->addr));
6082 			goto unlock;
6083 		}
6084 
6085 		if (cp->addr.type == BDADDR_BREDR) {
6086 			err = hci_bdaddr_list_del(&hdev->whitelist,
6087 						  &cp->addr.bdaddr,
6088 						  cp->addr.type);
6089 			if (err) {
6090 				err = mgmt_cmd_complete(sk, hdev->id,
6091 							MGMT_OP_REMOVE_DEVICE,
6092 							MGMT_STATUS_INVALID_PARAMS,
6093 							&cp->addr,
6094 							sizeof(cp->addr));
6095 				goto unlock;
6096 			}
6097 
6098 			hci_req_update_scan(hdev);
6099 
6100 			device_removed(sk, hdev, &cp->addr.bdaddr,
6101 				       cp->addr.type);
6102 			goto complete;
6103 		}
6104 
6105 		addr_type = le_addr_type(cp->addr.type);
6106 
6107 		/* Kernel internally uses conn_params with resolvable private
6108 		 * address, but Remove Device allows only identity addresses.
6109 		 * Make sure it is enforced before calling
6110 		 * hci_conn_params_lookup.
6111 		 */
6112 		if (!hci_is_identity_address(&cp->addr.bdaddr, addr_type)) {
6113 			err = mgmt_cmd_complete(sk, hdev->id,
6114 						MGMT_OP_REMOVE_DEVICE,
6115 						MGMT_STATUS_INVALID_PARAMS,
6116 						&cp->addr, sizeof(cp->addr));
6117 			goto unlock;
6118 		}
6119 
6120 		params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr,
6121 						addr_type);
6122 		if (!params) {
6123 			err = mgmt_cmd_complete(sk, hdev->id,
6124 						MGMT_OP_REMOVE_DEVICE,
6125 						MGMT_STATUS_INVALID_PARAMS,
6126 						&cp->addr, sizeof(cp->addr));
6127 			goto unlock;
6128 		}
6129 
6130 		if (params->auto_connect == HCI_AUTO_CONN_DISABLED ||
6131 		    params->auto_connect == HCI_AUTO_CONN_EXPLICIT) {
6132 			err = mgmt_cmd_complete(sk, hdev->id,
6133 						MGMT_OP_REMOVE_DEVICE,
6134 						MGMT_STATUS_INVALID_PARAMS,
6135 						&cp->addr, sizeof(cp->addr));
6136 			goto unlock;
6137 		}
6138 
6139 		list_del(&params->action);
6140 		list_del(&params->list);
6141 		kfree(params);
6142 		hci_update_background_scan(hdev);
6143 
6144 		device_removed(sk, hdev, &cp->addr.bdaddr, cp->addr.type);
6145 	} else {
6146 		struct hci_conn_params *p, *tmp;
6147 		struct bdaddr_list *b, *btmp;
6148 
6149 		if (cp->addr.type) {
6150 			err = mgmt_cmd_complete(sk, hdev->id,
6151 						MGMT_OP_REMOVE_DEVICE,
6152 						MGMT_STATUS_INVALID_PARAMS,
6153 						&cp->addr, sizeof(cp->addr));
6154 			goto unlock;
6155 		}
6156 
6157 		list_for_each_entry_safe(b, btmp, &hdev->whitelist, list) {
6158 			device_removed(sk, hdev, &b->bdaddr, b->bdaddr_type);
6159 			list_del(&b->list);
6160 			kfree(b);
6161 		}
6162 
6163 		hci_req_update_scan(hdev);
6164 
6165 		list_for_each_entry_safe(p, tmp, &hdev->le_conn_params, list) {
6166 			if (p->auto_connect == HCI_AUTO_CONN_DISABLED)
6167 				continue;
6168 			device_removed(sk, hdev, &p->addr, p->addr_type);
6169 			if (p->explicit_connect) {
6170 				p->auto_connect = HCI_AUTO_CONN_EXPLICIT;
6171 				continue;
6172 			}
6173 			list_del(&p->action);
6174 			list_del(&p->list);
6175 			kfree(p);
6176 		}
6177 
6178 		bt_dev_dbg(hdev, "All LE connection parameters were removed");
6179 
6180 		hci_update_background_scan(hdev);
6181 	}
6182 
6183 complete:
6184 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_DEVICE,
6185 				MGMT_STATUS_SUCCESS, &cp->addr,
6186 				sizeof(cp->addr));
6187 unlock:
6188 	hci_dev_unlock(hdev);
6189 	return err;
6190 }
6191 
6192 static int load_conn_param(struct sock *sk, struct hci_dev *hdev, void *data,
6193 			   u16 len)
6194 {
6195 	struct mgmt_cp_load_conn_param *cp = data;
6196 	const u16 max_param_count = ((U16_MAX - sizeof(*cp)) /
6197 				     sizeof(struct mgmt_conn_param));
6198 	u16 param_count, expected_len;
6199 	int i;
6200 
6201 	if (!lmp_le_capable(hdev))
6202 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM,
6203 				       MGMT_STATUS_NOT_SUPPORTED);
6204 
6205 	param_count = __le16_to_cpu(cp->param_count);
6206 	if (param_count > max_param_count) {
6207 		bt_dev_err(hdev, "load_conn_param: too big param_count value %u",
6208 			   param_count);
6209 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM,
6210 				       MGMT_STATUS_INVALID_PARAMS);
6211 	}
6212 
6213 	expected_len = struct_size(cp, params, param_count);
6214 	if (expected_len != len) {
6215 		bt_dev_err(hdev, "load_conn_param: expected %u bytes, got %u bytes",
6216 			   expected_len, len);
6217 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM,
6218 				       MGMT_STATUS_INVALID_PARAMS);
6219 	}
6220 
6221 	bt_dev_dbg(hdev, "param_count %u", param_count);
6222 
6223 	hci_dev_lock(hdev);
6224 
6225 	hci_conn_params_clear_disabled(hdev);
6226 
6227 	for (i = 0; i < param_count; i++) {
6228 		struct mgmt_conn_param *param = &cp->params[i];
6229 		struct hci_conn_params *hci_param;
6230 		u16 min, max, latency, timeout;
6231 		u8 addr_type;
6232 
6233 		bt_dev_dbg(hdev, "Adding %pMR (type %u)", &param->addr.bdaddr,
6234 			   param->addr.type);
6235 
6236 		if (param->addr.type == BDADDR_LE_PUBLIC) {
6237 			addr_type = ADDR_LE_DEV_PUBLIC;
6238 		} else if (param->addr.type == BDADDR_LE_RANDOM) {
6239 			addr_type = ADDR_LE_DEV_RANDOM;
6240 		} else {
6241 			bt_dev_err(hdev, "ignoring invalid connection parameters");
6242 			continue;
6243 		}
6244 
6245 		min = le16_to_cpu(param->min_interval);
6246 		max = le16_to_cpu(param->max_interval);
6247 		latency = le16_to_cpu(param->latency);
6248 		timeout = le16_to_cpu(param->timeout);
6249 
6250 		bt_dev_dbg(hdev, "min 0x%04x max 0x%04x latency 0x%04x timeout 0x%04x",
6251 			   min, max, latency, timeout);
6252 
6253 		if (hci_check_conn_params(min, max, latency, timeout) < 0) {
6254 			bt_dev_err(hdev, "ignoring invalid connection parameters");
6255 			continue;
6256 		}
6257 
6258 		hci_param = hci_conn_params_add(hdev, &param->addr.bdaddr,
6259 						addr_type);
6260 		if (!hci_param) {
6261 			bt_dev_err(hdev, "failed to add connection parameters");
6262 			continue;
6263 		}
6264 
6265 		hci_param->conn_min_interval = min;
6266 		hci_param->conn_max_interval = max;
6267 		hci_param->conn_latency = latency;
6268 		hci_param->supervision_timeout = timeout;
6269 	}
6270 
6271 	hci_dev_unlock(hdev);
6272 
6273 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM, 0,
6274 				 NULL, 0);
6275 }
6276 
6277 static int set_external_config(struct sock *sk, struct hci_dev *hdev,
6278 			       void *data, u16 len)
6279 {
6280 	struct mgmt_cp_set_external_config *cp = data;
6281 	bool changed;
6282 	int err;
6283 
6284 	bt_dev_dbg(hdev, "sock %p", sk);
6285 
6286 	if (hdev_is_powered(hdev))
6287 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_EXTERNAL_CONFIG,
6288 				       MGMT_STATUS_REJECTED);
6289 
6290 	if (cp->config != 0x00 && cp->config != 0x01)
6291 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_EXTERNAL_CONFIG,
6292 				         MGMT_STATUS_INVALID_PARAMS);
6293 
6294 	if (!test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks))
6295 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_EXTERNAL_CONFIG,
6296 				       MGMT_STATUS_NOT_SUPPORTED);
6297 
6298 	hci_dev_lock(hdev);
6299 
6300 	if (cp->config)
6301 		changed = !hci_dev_test_and_set_flag(hdev, HCI_EXT_CONFIGURED);
6302 	else
6303 		changed = hci_dev_test_and_clear_flag(hdev, HCI_EXT_CONFIGURED);
6304 
6305 	err = send_options_rsp(sk, MGMT_OP_SET_EXTERNAL_CONFIG, hdev);
6306 	if (err < 0)
6307 		goto unlock;
6308 
6309 	if (!changed)
6310 		goto unlock;
6311 
6312 	err = new_options(hdev, sk);
6313 
6314 	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED) == is_configured(hdev)) {
6315 		mgmt_index_removed(hdev);
6316 
6317 		if (hci_dev_test_and_change_flag(hdev, HCI_UNCONFIGURED)) {
6318 			hci_dev_set_flag(hdev, HCI_CONFIG);
6319 			hci_dev_set_flag(hdev, HCI_AUTO_OFF);
6320 
6321 			queue_work(hdev->req_workqueue, &hdev->power_on);
6322 		} else {
6323 			set_bit(HCI_RAW, &hdev->flags);
6324 			mgmt_index_added(hdev);
6325 		}
6326 	}
6327 
6328 unlock:
6329 	hci_dev_unlock(hdev);
6330 	return err;
6331 }
6332 
6333 static int set_public_address(struct sock *sk, struct hci_dev *hdev,
6334 			      void *data, u16 len)
6335 {
6336 	struct mgmt_cp_set_public_address *cp = data;
6337 	bool changed;
6338 	int err;
6339 
6340 	bt_dev_dbg(hdev, "sock %p", sk);
6341 
6342 	if (hdev_is_powered(hdev))
6343 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PUBLIC_ADDRESS,
6344 				       MGMT_STATUS_REJECTED);
6345 
6346 	if (!bacmp(&cp->bdaddr, BDADDR_ANY))
6347 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PUBLIC_ADDRESS,
6348 				       MGMT_STATUS_INVALID_PARAMS);
6349 
6350 	if (!hdev->set_bdaddr)
6351 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PUBLIC_ADDRESS,
6352 				       MGMT_STATUS_NOT_SUPPORTED);
6353 
6354 	hci_dev_lock(hdev);
6355 
6356 	changed = !!bacmp(&hdev->public_addr, &cp->bdaddr);
6357 	bacpy(&hdev->public_addr, &cp->bdaddr);
6358 
6359 	err = send_options_rsp(sk, MGMT_OP_SET_PUBLIC_ADDRESS, hdev);
6360 	if (err < 0)
6361 		goto unlock;
6362 
6363 	if (!changed)
6364 		goto unlock;
6365 
6366 	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
6367 		err = new_options(hdev, sk);
6368 
6369 	if (is_configured(hdev)) {
6370 		mgmt_index_removed(hdev);
6371 
6372 		hci_dev_clear_flag(hdev, HCI_UNCONFIGURED);
6373 
6374 		hci_dev_set_flag(hdev, HCI_CONFIG);
6375 		hci_dev_set_flag(hdev, HCI_AUTO_OFF);
6376 
6377 		queue_work(hdev->req_workqueue, &hdev->power_on);
6378 	}
6379 
6380 unlock:
6381 	hci_dev_unlock(hdev);
6382 	return err;
6383 }
6384 
6385 static void read_local_oob_ext_data_complete(struct hci_dev *hdev, u8 status,
6386 					     u16 opcode, struct sk_buff *skb)
6387 {
6388 	const struct mgmt_cp_read_local_oob_ext_data *mgmt_cp;
6389 	struct mgmt_rp_read_local_oob_ext_data *mgmt_rp;
6390 	u8 *h192, *r192, *h256, *r256;
6391 	struct mgmt_pending_cmd *cmd;
6392 	u16 eir_len;
6393 	int err;
6394 
6395 	bt_dev_dbg(hdev, "status %u", status);
6396 
6397 	cmd = pending_find(MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev);
6398 	if (!cmd)
6399 		return;
6400 
6401 	mgmt_cp = cmd->param;
6402 
6403 	if (status) {
6404 		status = mgmt_status(status);
6405 		eir_len = 0;
6406 
6407 		h192 = NULL;
6408 		r192 = NULL;
6409 		h256 = NULL;
6410 		r256 = NULL;
6411 	} else if (opcode == HCI_OP_READ_LOCAL_OOB_DATA) {
6412 		struct hci_rp_read_local_oob_data *rp;
6413 
6414 		if (skb->len != sizeof(*rp)) {
6415 			status = MGMT_STATUS_FAILED;
6416 			eir_len = 0;
6417 		} else {
6418 			status = MGMT_STATUS_SUCCESS;
6419 			rp = (void *)skb->data;
6420 
6421 			eir_len = 5 + 18 + 18;
6422 			h192 = rp->hash;
6423 			r192 = rp->rand;
6424 			h256 = NULL;
6425 			r256 = NULL;
6426 		}
6427 	} else {
6428 		struct hci_rp_read_local_oob_ext_data *rp;
6429 
6430 		if (skb->len != sizeof(*rp)) {
6431 			status = MGMT_STATUS_FAILED;
6432 			eir_len = 0;
6433 		} else {
6434 			status = MGMT_STATUS_SUCCESS;
6435 			rp = (void *)skb->data;
6436 
6437 			if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
6438 				eir_len = 5 + 18 + 18;
6439 				h192 = NULL;
6440 				r192 = NULL;
6441 			} else {
6442 				eir_len = 5 + 18 + 18 + 18 + 18;
6443 				h192 = rp->hash192;
6444 				r192 = rp->rand192;
6445 			}
6446 
6447 			h256 = rp->hash256;
6448 			r256 = rp->rand256;
6449 		}
6450 	}
6451 
6452 	mgmt_rp = kmalloc(sizeof(*mgmt_rp) + eir_len, GFP_KERNEL);
6453 	if (!mgmt_rp)
6454 		goto done;
6455 
6456 	if (status)
6457 		goto send_rsp;
6458 
6459 	eir_len = eir_append_data(mgmt_rp->eir, 0, EIR_CLASS_OF_DEV,
6460 				  hdev->dev_class, 3);
6461 
6462 	if (h192 && r192) {
6463 		eir_len = eir_append_data(mgmt_rp->eir, eir_len,
6464 					  EIR_SSP_HASH_C192, h192, 16);
6465 		eir_len = eir_append_data(mgmt_rp->eir, eir_len,
6466 					  EIR_SSP_RAND_R192, r192, 16);
6467 	}
6468 
6469 	if (h256 && r256) {
6470 		eir_len = eir_append_data(mgmt_rp->eir, eir_len,
6471 					  EIR_SSP_HASH_C256, h256, 16);
6472 		eir_len = eir_append_data(mgmt_rp->eir, eir_len,
6473 					  EIR_SSP_RAND_R256, r256, 16);
6474 	}
6475 
6476 send_rsp:
6477 	mgmt_rp->type = mgmt_cp->type;
6478 	mgmt_rp->eir_len = cpu_to_le16(eir_len);
6479 
6480 	err = mgmt_cmd_complete(cmd->sk, hdev->id,
6481 				MGMT_OP_READ_LOCAL_OOB_EXT_DATA, status,
6482 				mgmt_rp, sizeof(*mgmt_rp) + eir_len);
6483 	if (err < 0 || status)
6484 		goto done;
6485 
6486 	hci_sock_set_flag(cmd->sk, HCI_MGMT_OOB_DATA_EVENTS);
6487 
6488 	err = mgmt_limited_event(MGMT_EV_LOCAL_OOB_DATA_UPDATED, hdev,
6489 				 mgmt_rp, sizeof(*mgmt_rp) + eir_len,
6490 				 HCI_MGMT_OOB_DATA_EVENTS, cmd->sk);
6491 done:
6492 	kfree(mgmt_rp);
6493 	mgmt_pending_remove(cmd);
6494 }
6495 
6496 static int read_local_ssp_oob_req(struct hci_dev *hdev, struct sock *sk,
6497 				  struct mgmt_cp_read_local_oob_ext_data *cp)
6498 {
6499 	struct mgmt_pending_cmd *cmd;
6500 	struct hci_request req;
6501 	int err;
6502 
6503 	cmd = mgmt_pending_add(sk, MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev,
6504 			       cp, sizeof(*cp));
6505 	if (!cmd)
6506 		return -ENOMEM;
6507 
6508 	hci_req_init(&req, hdev);
6509 
6510 	if (bredr_sc_enabled(hdev))
6511 		hci_req_add(&req, HCI_OP_READ_LOCAL_OOB_EXT_DATA, 0, NULL);
6512 	else
6513 		hci_req_add(&req, HCI_OP_READ_LOCAL_OOB_DATA, 0, NULL);
6514 
6515 	err = hci_req_run_skb(&req, read_local_oob_ext_data_complete);
6516 	if (err < 0) {
6517 		mgmt_pending_remove(cmd);
6518 		return err;
6519 	}
6520 
6521 	return 0;
6522 }
6523 
6524 static int read_local_oob_ext_data(struct sock *sk, struct hci_dev *hdev,
6525 				   void *data, u16 data_len)
6526 {
6527 	struct mgmt_cp_read_local_oob_ext_data *cp = data;
6528 	struct mgmt_rp_read_local_oob_ext_data *rp;
6529 	size_t rp_len;
6530 	u16 eir_len;
6531 	u8 status, flags, role, addr[7], hash[16], rand[16];
6532 	int err;
6533 
6534 	bt_dev_dbg(hdev, "sock %p", sk);
6535 
6536 	if (hdev_is_powered(hdev)) {
6537 		switch (cp->type) {
6538 		case BIT(BDADDR_BREDR):
6539 			status = mgmt_bredr_support(hdev);
6540 			if (status)
6541 				eir_len = 0;
6542 			else
6543 				eir_len = 5;
6544 			break;
6545 		case (BIT(BDADDR_LE_PUBLIC) | BIT(BDADDR_LE_RANDOM)):
6546 			status = mgmt_le_support(hdev);
6547 			if (status)
6548 				eir_len = 0;
6549 			else
6550 				eir_len = 9 + 3 + 18 + 18 + 3;
6551 			break;
6552 		default:
6553 			status = MGMT_STATUS_INVALID_PARAMS;
6554 			eir_len = 0;
6555 			break;
6556 		}
6557 	} else {
6558 		status = MGMT_STATUS_NOT_POWERED;
6559 		eir_len = 0;
6560 	}
6561 
6562 	rp_len = sizeof(*rp) + eir_len;
6563 	rp = kmalloc(rp_len, GFP_ATOMIC);
6564 	if (!rp)
6565 		return -ENOMEM;
6566 
6567 	if (status)
6568 		goto complete;
6569 
6570 	hci_dev_lock(hdev);
6571 
6572 	eir_len = 0;
6573 	switch (cp->type) {
6574 	case BIT(BDADDR_BREDR):
6575 		if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
6576 			err = read_local_ssp_oob_req(hdev, sk, cp);
6577 			hci_dev_unlock(hdev);
6578 			if (!err)
6579 				goto done;
6580 
6581 			status = MGMT_STATUS_FAILED;
6582 			goto complete;
6583 		} else {
6584 			eir_len = eir_append_data(rp->eir, eir_len,
6585 						  EIR_CLASS_OF_DEV,
6586 						  hdev->dev_class, 3);
6587 		}
6588 		break;
6589 	case (BIT(BDADDR_LE_PUBLIC) | BIT(BDADDR_LE_RANDOM)):
6590 		if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
6591 		    smp_generate_oob(hdev, hash, rand) < 0) {
6592 			hci_dev_unlock(hdev);
6593 			status = MGMT_STATUS_FAILED;
6594 			goto complete;
6595 		}
6596 
6597 		/* This should return the active RPA, but since the RPA
6598 		 * is only programmed on demand, it is really hard to fill
6599 		 * this in at the moment. For now disallow retrieving
6600 		 * local out-of-band data when privacy is in use.
6601 		 *
6602 		 * Returning the identity address will not help here since
6603 		 * pairing happens before the identity resolving key is
6604 		 * known and thus the connection establishment happens
6605 		 * based on the RPA and not the identity address.
6606 		 */
6607 		if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
6608 			hci_dev_unlock(hdev);
6609 			status = MGMT_STATUS_REJECTED;
6610 			goto complete;
6611 		}
6612 
6613 		if (hci_dev_test_flag(hdev, HCI_FORCE_STATIC_ADDR) ||
6614 		   !bacmp(&hdev->bdaddr, BDADDR_ANY) ||
6615 		   (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
6616 		    bacmp(&hdev->static_addr, BDADDR_ANY))) {
6617 			memcpy(addr, &hdev->static_addr, 6);
6618 			addr[6] = 0x01;
6619 		} else {
6620 			memcpy(addr, &hdev->bdaddr, 6);
6621 			addr[6] = 0x00;
6622 		}
6623 
6624 		eir_len = eir_append_data(rp->eir, eir_len, EIR_LE_BDADDR,
6625 					  addr, sizeof(addr));
6626 
6627 		if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
6628 			role = 0x02;
6629 		else
6630 			role = 0x01;
6631 
6632 		eir_len = eir_append_data(rp->eir, eir_len, EIR_LE_ROLE,
6633 					  &role, sizeof(role));
6634 
6635 		if (hci_dev_test_flag(hdev, HCI_SC_ENABLED)) {
6636 			eir_len = eir_append_data(rp->eir, eir_len,
6637 						  EIR_LE_SC_CONFIRM,
6638 						  hash, sizeof(hash));
6639 
6640 			eir_len = eir_append_data(rp->eir, eir_len,
6641 						  EIR_LE_SC_RANDOM,
6642 						  rand, sizeof(rand));
6643 		}
6644 
6645 		flags = mgmt_get_adv_discov_flags(hdev);
6646 
6647 		if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
6648 			flags |= LE_AD_NO_BREDR;
6649 
6650 		eir_len = eir_append_data(rp->eir, eir_len, EIR_FLAGS,
6651 					  &flags, sizeof(flags));
6652 		break;
6653 	}
6654 
6655 	hci_dev_unlock(hdev);
6656 
6657 	hci_sock_set_flag(sk, HCI_MGMT_OOB_DATA_EVENTS);
6658 
6659 	status = MGMT_STATUS_SUCCESS;
6660 
6661 complete:
6662 	rp->type = cp->type;
6663 	rp->eir_len = cpu_to_le16(eir_len);
6664 
6665 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_EXT_DATA,
6666 				status, rp, sizeof(*rp) + eir_len);
6667 	if (err < 0 || status)
6668 		goto done;
6669 
6670 	err = mgmt_limited_event(MGMT_EV_LOCAL_OOB_DATA_UPDATED, hdev,
6671 				 rp, sizeof(*rp) + eir_len,
6672 				 HCI_MGMT_OOB_DATA_EVENTS, sk);
6673 
6674 done:
6675 	kfree(rp);
6676 
6677 	return err;
6678 }
6679 
6680 static u32 get_supported_adv_flags(struct hci_dev *hdev)
6681 {
6682 	u32 flags = 0;
6683 
6684 	flags |= MGMT_ADV_FLAG_CONNECTABLE;
6685 	flags |= MGMT_ADV_FLAG_DISCOV;
6686 	flags |= MGMT_ADV_FLAG_LIMITED_DISCOV;
6687 	flags |= MGMT_ADV_FLAG_MANAGED_FLAGS;
6688 	flags |= MGMT_ADV_FLAG_APPEARANCE;
6689 	flags |= MGMT_ADV_FLAG_LOCAL_NAME;
6690 
6691 	/* In extended adv TX_POWER returned from Set Adv Param
6692 	 * will be always valid.
6693 	 */
6694 	if ((hdev->adv_tx_power != HCI_TX_POWER_INVALID) ||
6695 	    ext_adv_capable(hdev))
6696 		flags |= MGMT_ADV_FLAG_TX_POWER;
6697 
6698 	if (ext_adv_capable(hdev)) {
6699 		flags |= MGMT_ADV_FLAG_SEC_1M;
6700 
6701 		if (hdev->le_features[1] & HCI_LE_PHY_2M)
6702 			flags |= MGMT_ADV_FLAG_SEC_2M;
6703 
6704 		if (hdev->le_features[1] & HCI_LE_PHY_CODED)
6705 			flags |= MGMT_ADV_FLAG_SEC_CODED;
6706 	}
6707 
6708 	return flags;
6709 }
6710 
6711 static int read_adv_features(struct sock *sk, struct hci_dev *hdev,
6712 			     void *data, u16 data_len)
6713 {
6714 	struct mgmt_rp_read_adv_features *rp;
6715 	size_t rp_len;
6716 	int err;
6717 	struct adv_info *adv_instance;
6718 	u32 supported_flags;
6719 	u8 *instance;
6720 
6721 	bt_dev_dbg(hdev, "sock %p", sk);
6722 
6723 	if (!lmp_le_capable(hdev))
6724 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_ADV_FEATURES,
6725 				       MGMT_STATUS_REJECTED);
6726 
6727 	hci_dev_lock(hdev);
6728 
6729 	rp_len = sizeof(*rp) + hdev->adv_instance_cnt;
6730 	rp = kmalloc(rp_len, GFP_ATOMIC);
6731 	if (!rp) {
6732 		hci_dev_unlock(hdev);
6733 		return -ENOMEM;
6734 	}
6735 
6736 	supported_flags = get_supported_adv_flags(hdev);
6737 
6738 	rp->supported_flags = cpu_to_le32(supported_flags);
6739 	rp->max_adv_data_len = HCI_MAX_AD_LENGTH;
6740 	rp->max_scan_rsp_len = HCI_MAX_AD_LENGTH;
6741 	rp->max_instances = HCI_MAX_ADV_INSTANCES;
6742 	rp->num_instances = hdev->adv_instance_cnt;
6743 
6744 	instance = rp->instance;
6745 	list_for_each_entry(adv_instance, &hdev->adv_instances, list) {
6746 		*instance = adv_instance->instance;
6747 		instance++;
6748 	}
6749 
6750 	hci_dev_unlock(hdev);
6751 
6752 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_ADV_FEATURES,
6753 				MGMT_STATUS_SUCCESS, rp, rp_len);
6754 
6755 	kfree(rp);
6756 
6757 	return err;
6758 }
6759 
6760 static u8 calculate_name_len(struct hci_dev *hdev)
6761 {
6762 	u8 buf[HCI_MAX_SHORT_NAME_LENGTH + 3];
6763 
6764 	return append_local_name(hdev, buf, 0);
6765 }
6766 
6767 static u8 tlv_data_max_len(struct hci_dev *hdev, u32 adv_flags,
6768 			   bool is_adv_data)
6769 {
6770 	u8 max_len = HCI_MAX_AD_LENGTH;
6771 
6772 	if (is_adv_data) {
6773 		if (adv_flags & (MGMT_ADV_FLAG_DISCOV |
6774 				 MGMT_ADV_FLAG_LIMITED_DISCOV |
6775 				 MGMT_ADV_FLAG_MANAGED_FLAGS))
6776 			max_len -= 3;
6777 
6778 		if (adv_flags & MGMT_ADV_FLAG_TX_POWER)
6779 			max_len -= 3;
6780 	} else {
6781 		if (adv_flags & MGMT_ADV_FLAG_LOCAL_NAME)
6782 			max_len -= calculate_name_len(hdev);
6783 
6784 		if (adv_flags & (MGMT_ADV_FLAG_APPEARANCE))
6785 			max_len -= 4;
6786 	}
6787 
6788 	return max_len;
6789 }
6790 
6791 static bool flags_managed(u32 adv_flags)
6792 {
6793 	return adv_flags & (MGMT_ADV_FLAG_DISCOV |
6794 			    MGMT_ADV_FLAG_LIMITED_DISCOV |
6795 			    MGMT_ADV_FLAG_MANAGED_FLAGS);
6796 }
6797 
6798 static bool tx_power_managed(u32 adv_flags)
6799 {
6800 	return adv_flags & MGMT_ADV_FLAG_TX_POWER;
6801 }
6802 
6803 static bool name_managed(u32 adv_flags)
6804 {
6805 	return adv_flags & MGMT_ADV_FLAG_LOCAL_NAME;
6806 }
6807 
6808 static bool appearance_managed(u32 adv_flags)
6809 {
6810 	return adv_flags & MGMT_ADV_FLAG_APPEARANCE;
6811 }
6812 
6813 static bool tlv_data_is_valid(struct hci_dev *hdev, u32 adv_flags, u8 *data,
6814 			      u8 len, bool is_adv_data)
6815 {
6816 	int i, cur_len;
6817 	u8 max_len;
6818 
6819 	max_len = tlv_data_max_len(hdev, adv_flags, is_adv_data);
6820 
6821 	if (len > max_len)
6822 		return false;
6823 
6824 	/* Make sure that the data is correctly formatted. */
6825 	for (i = 0, cur_len = 0; i < len; i += (cur_len + 1)) {
6826 		cur_len = data[i];
6827 
6828 		if (data[i + 1] == EIR_FLAGS &&
6829 		    (!is_adv_data || flags_managed(adv_flags)))
6830 			return false;
6831 
6832 		if (data[i + 1] == EIR_TX_POWER && tx_power_managed(adv_flags))
6833 			return false;
6834 
6835 		if (data[i + 1] == EIR_NAME_COMPLETE && name_managed(adv_flags))
6836 			return false;
6837 
6838 		if (data[i + 1] == EIR_NAME_SHORT && name_managed(adv_flags))
6839 			return false;
6840 
6841 		if (data[i + 1] == EIR_APPEARANCE &&
6842 		    appearance_managed(adv_flags))
6843 			return false;
6844 
6845 		/* If the current field length would exceed the total data
6846 		 * length, then it's invalid.
6847 		 */
6848 		if (i + cur_len >= len)
6849 			return false;
6850 	}
6851 
6852 	return true;
6853 }
6854 
6855 static void add_advertising_complete(struct hci_dev *hdev, u8 status,
6856 				     u16 opcode)
6857 {
6858 	struct mgmt_pending_cmd *cmd;
6859 	struct mgmt_cp_add_advertising *cp;
6860 	struct mgmt_rp_add_advertising rp;
6861 	struct adv_info *adv_instance, *n;
6862 	u8 instance;
6863 
6864 	bt_dev_dbg(hdev, "status %d", status);
6865 
6866 	hci_dev_lock(hdev);
6867 
6868 	cmd = pending_find(MGMT_OP_ADD_ADVERTISING, hdev);
6869 
6870 	list_for_each_entry_safe(adv_instance, n, &hdev->adv_instances, list) {
6871 		if (!adv_instance->pending)
6872 			continue;
6873 
6874 		if (!status) {
6875 			adv_instance->pending = false;
6876 			continue;
6877 		}
6878 
6879 		instance = adv_instance->instance;
6880 
6881 		if (hdev->cur_adv_instance == instance)
6882 			cancel_adv_timeout(hdev);
6883 
6884 		hci_remove_adv_instance(hdev, instance);
6885 		mgmt_advertising_removed(cmd ? cmd->sk : NULL, hdev, instance);
6886 	}
6887 
6888 	if (!cmd)
6889 		goto unlock;
6890 
6891 	cp = cmd->param;
6892 	rp.instance = cp->instance;
6893 
6894 	if (status)
6895 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode,
6896 				mgmt_status(status));
6897 	else
6898 		mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
6899 				  mgmt_status(status), &rp, sizeof(rp));
6900 
6901 	mgmt_pending_remove(cmd);
6902 
6903 unlock:
6904 	hci_dev_unlock(hdev);
6905 }
6906 
6907 static int add_advertising(struct sock *sk, struct hci_dev *hdev,
6908 			   void *data, u16 data_len)
6909 {
6910 	struct mgmt_cp_add_advertising *cp = data;
6911 	struct mgmt_rp_add_advertising rp;
6912 	u32 flags;
6913 	u32 supported_flags, phy_flags;
6914 	u8 status;
6915 	u16 timeout, duration;
6916 	unsigned int prev_instance_cnt = hdev->adv_instance_cnt;
6917 	u8 schedule_instance = 0;
6918 	struct adv_info *next_instance;
6919 	int err;
6920 	struct mgmt_pending_cmd *cmd;
6921 	struct hci_request req;
6922 
6923 	bt_dev_dbg(hdev, "sock %p", sk);
6924 
6925 	status = mgmt_le_support(hdev);
6926 	if (status)
6927 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
6928 				       status);
6929 
6930 	if (cp->instance < 1 || cp->instance > HCI_MAX_ADV_INSTANCES)
6931 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
6932 				       MGMT_STATUS_INVALID_PARAMS);
6933 
6934 	if (data_len != sizeof(*cp) + cp->adv_data_len + cp->scan_rsp_len)
6935 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
6936 				       MGMT_STATUS_INVALID_PARAMS);
6937 
6938 	flags = __le32_to_cpu(cp->flags);
6939 	timeout = __le16_to_cpu(cp->timeout);
6940 	duration = __le16_to_cpu(cp->duration);
6941 
6942 	/* The current implementation only supports a subset of the specified
6943 	 * flags. Also need to check mutual exclusiveness of sec flags.
6944 	 */
6945 	supported_flags = get_supported_adv_flags(hdev);
6946 	phy_flags = flags & MGMT_ADV_FLAG_SEC_MASK;
6947 	if (flags & ~supported_flags ||
6948 	    ((phy_flags && (phy_flags ^ (phy_flags & -phy_flags)))))
6949 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
6950 				       MGMT_STATUS_INVALID_PARAMS);
6951 
6952 	hci_dev_lock(hdev);
6953 
6954 	if (timeout && !hdev_is_powered(hdev)) {
6955 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
6956 				      MGMT_STATUS_REJECTED);
6957 		goto unlock;
6958 	}
6959 
6960 	if (pending_find(MGMT_OP_ADD_ADVERTISING, hdev) ||
6961 	    pending_find(MGMT_OP_REMOVE_ADVERTISING, hdev) ||
6962 	    pending_find(MGMT_OP_SET_LE, hdev)) {
6963 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
6964 				      MGMT_STATUS_BUSY);
6965 		goto unlock;
6966 	}
6967 
6968 	if (!tlv_data_is_valid(hdev, flags, cp->data, cp->adv_data_len, true) ||
6969 	    !tlv_data_is_valid(hdev, flags, cp->data + cp->adv_data_len,
6970 			       cp->scan_rsp_len, false)) {
6971 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
6972 				      MGMT_STATUS_INVALID_PARAMS);
6973 		goto unlock;
6974 	}
6975 
6976 	err = hci_add_adv_instance(hdev, cp->instance, flags,
6977 				   cp->adv_data_len, cp->data,
6978 				   cp->scan_rsp_len,
6979 				   cp->data + cp->adv_data_len,
6980 				   timeout, duration);
6981 	if (err < 0) {
6982 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
6983 				      MGMT_STATUS_FAILED);
6984 		goto unlock;
6985 	}
6986 
6987 	/* Only trigger an advertising added event if a new instance was
6988 	 * actually added.
6989 	 */
6990 	if (hdev->adv_instance_cnt > prev_instance_cnt)
6991 		mgmt_advertising_added(sk, hdev, cp->instance);
6992 
6993 	if (hdev->cur_adv_instance == cp->instance) {
6994 		/* If the currently advertised instance is being changed then
6995 		 * cancel the current advertising and schedule the next
6996 		 * instance. If there is only one instance then the overridden
6997 		 * advertising data will be visible right away.
6998 		 */
6999 		cancel_adv_timeout(hdev);
7000 
7001 		next_instance = hci_get_next_instance(hdev, cp->instance);
7002 		if (next_instance)
7003 			schedule_instance = next_instance->instance;
7004 	} else if (!hdev->adv_instance_timeout) {
7005 		/* Immediately advertise the new instance if no other
7006 		 * instance is currently being advertised.
7007 		 */
7008 		schedule_instance = cp->instance;
7009 	}
7010 
7011 	/* If the HCI_ADVERTISING flag is set or the device isn't powered or
7012 	 * there is no instance to be advertised then we have no HCI
7013 	 * communication to make. Simply return.
7014 	 */
7015 	if (!hdev_is_powered(hdev) ||
7016 	    hci_dev_test_flag(hdev, HCI_ADVERTISING) ||
7017 	    !schedule_instance) {
7018 		rp.instance = cp->instance;
7019 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
7020 					MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
7021 		goto unlock;
7022 	}
7023 
7024 	/* We're good to go, update advertising data, parameters, and start
7025 	 * advertising.
7026 	 */
7027 	cmd = mgmt_pending_add(sk, MGMT_OP_ADD_ADVERTISING, hdev, data,
7028 			       data_len);
7029 	if (!cmd) {
7030 		err = -ENOMEM;
7031 		goto unlock;
7032 	}
7033 
7034 	hci_req_init(&req, hdev);
7035 
7036 	err = __hci_req_schedule_adv_instance(&req, schedule_instance, true);
7037 
7038 	if (!err)
7039 		err = hci_req_run(&req, add_advertising_complete);
7040 
7041 	if (err < 0) {
7042 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
7043 				      MGMT_STATUS_FAILED);
7044 		mgmt_pending_remove(cmd);
7045 	}
7046 
7047 unlock:
7048 	hci_dev_unlock(hdev);
7049 
7050 	return err;
7051 }
7052 
7053 static void remove_advertising_complete(struct hci_dev *hdev, u8 status,
7054 					u16 opcode)
7055 {
7056 	struct mgmt_pending_cmd *cmd;
7057 	struct mgmt_cp_remove_advertising *cp;
7058 	struct mgmt_rp_remove_advertising rp;
7059 
7060 	bt_dev_dbg(hdev, "status %d", status);
7061 
7062 	hci_dev_lock(hdev);
7063 
7064 	/* A failure status here only means that we failed to disable
7065 	 * advertising. Otherwise, the advertising instance has been removed,
7066 	 * so report success.
7067 	 */
7068 	cmd = pending_find(MGMT_OP_REMOVE_ADVERTISING, hdev);
7069 	if (!cmd)
7070 		goto unlock;
7071 
7072 	cp = cmd->param;
7073 	rp.instance = cp->instance;
7074 
7075 	mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, MGMT_STATUS_SUCCESS,
7076 			  &rp, sizeof(rp));
7077 	mgmt_pending_remove(cmd);
7078 
7079 unlock:
7080 	hci_dev_unlock(hdev);
7081 }
7082 
7083 static int remove_advertising(struct sock *sk, struct hci_dev *hdev,
7084 			      void *data, u16 data_len)
7085 {
7086 	struct mgmt_cp_remove_advertising *cp = data;
7087 	struct mgmt_rp_remove_advertising rp;
7088 	struct mgmt_pending_cmd *cmd;
7089 	struct hci_request req;
7090 	int err;
7091 
7092 	bt_dev_dbg(hdev, "sock %p", sk);
7093 
7094 	hci_dev_lock(hdev);
7095 
7096 	if (cp->instance && !hci_find_adv_instance(hdev, cp->instance)) {
7097 		err = mgmt_cmd_status(sk, hdev->id,
7098 				      MGMT_OP_REMOVE_ADVERTISING,
7099 				      MGMT_STATUS_INVALID_PARAMS);
7100 		goto unlock;
7101 	}
7102 
7103 	if (pending_find(MGMT_OP_ADD_ADVERTISING, hdev) ||
7104 	    pending_find(MGMT_OP_REMOVE_ADVERTISING, hdev) ||
7105 	    pending_find(MGMT_OP_SET_LE, hdev)) {
7106 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_ADVERTISING,
7107 				      MGMT_STATUS_BUSY);
7108 		goto unlock;
7109 	}
7110 
7111 	if (list_empty(&hdev->adv_instances)) {
7112 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_ADVERTISING,
7113 				      MGMT_STATUS_INVALID_PARAMS);
7114 		goto unlock;
7115 	}
7116 
7117 	hci_req_init(&req, hdev);
7118 
7119 	hci_req_clear_adv_instance(hdev, sk, &req, cp->instance, true);
7120 
7121 	if (list_empty(&hdev->adv_instances))
7122 		__hci_req_disable_advertising(&req);
7123 
7124 	/* If no HCI commands have been collected so far or the HCI_ADVERTISING
7125 	 * flag is set or the device isn't powered then we have no HCI
7126 	 * communication to make. Simply return.
7127 	 */
7128 	if (skb_queue_empty(&req.cmd_q) ||
7129 	    !hdev_is_powered(hdev) ||
7130 	    hci_dev_test_flag(hdev, HCI_ADVERTISING)) {
7131 		hci_req_purge(&req);
7132 		rp.instance = cp->instance;
7133 		err = mgmt_cmd_complete(sk, hdev->id,
7134 					MGMT_OP_REMOVE_ADVERTISING,
7135 					MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
7136 		goto unlock;
7137 	}
7138 
7139 	cmd = mgmt_pending_add(sk, MGMT_OP_REMOVE_ADVERTISING, hdev, data,
7140 			       data_len);
7141 	if (!cmd) {
7142 		err = -ENOMEM;
7143 		goto unlock;
7144 	}
7145 
7146 	err = hci_req_run(&req, remove_advertising_complete);
7147 	if (err < 0)
7148 		mgmt_pending_remove(cmd);
7149 
7150 unlock:
7151 	hci_dev_unlock(hdev);
7152 
7153 	return err;
7154 }
7155 
7156 static int get_adv_size_info(struct sock *sk, struct hci_dev *hdev,
7157 			     void *data, u16 data_len)
7158 {
7159 	struct mgmt_cp_get_adv_size_info *cp = data;
7160 	struct mgmt_rp_get_adv_size_info rp;
7161 	u32 flags, supported_flags;
7162 	int err;
7163 
7164 	bt_dev_dbg(hdev, "sock %p", sk);
7165 
7166 	if (!lmp_le_capable(hdev))
7167 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_GET_ADV_SIZE_INFO,
7168 				       MGMT_STATUS_REJECTED);
7169 
7170 	if (cp->instance < 1 || cp->instance > HCI_MAX_ADV_INSTANCES)
7171 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_GET_ADV_SIZE_INFO,
7172 				       MGMT_STATUS_INVALID_PARAMS);
7173 
7174 	flags = __le32_to_cpu(cp->flags);
7175 
7176 	/* The current implementation only supports a subset of the specified
7177 	 * flags.
7178 	 */
7179 	supported_flags = get_supported_adv_flags(hdev);
7180 	if (flags & ~supported_flags)
7181 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_GET_ADV_SIZE_INFO,
7182 				       MGMT_STATUS_INVALID_PARAMS);
7183 
7184 	rp.instance = cp->instance;
7185 	rp.flags = cp->flags;
7186 	rp.max_adv_data_len = tlv_data_max_len(hdev, flags, true);
7187 	rp.max_scan_rsp_len = tlv_data_max_len(hdev, flags, false);
7188 
7189 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_ADV_SIZE_INFO,
7190 				MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
7191 
7192 	return err;
7193 }
7194 
7195 static const struct hci_mgmt_handler mgmt_handlers[] = {
7196 	{ NULL }, /* 0x0000 (no command) */
7197 	{ read_version,            MGMT_READ_VERSION_SIZE,
7198 						HCI_MGMT_NO_HDEV |
7199 						HCI_MGMT_UNTRUSTED },
7200 	{ read_commands,           MGMT_READ_COMMANDS_SIZE,
7201 						HCI_MGMT_NO_HDEV |
7202 						HCI_MGMT_UNTRUSTED },
7203 	{ read_index_list,         MGMT_READ_INDEX_LIST_SIZE,
7204 						HCI_MGMT_NO_HDEV |
7205 						HCI_MGMT_UNTRUSTED },
7206 	{ read_controller_info,    MGMT_READ_INFO_SIZE,
7207 						HCI_MGMT_UNTRUSTED },
7208 	{ set_powered,             MGMT_SETTING_SIZE },
7209 	{ set_discoverable,        MGMT_SET_DISCOVERABLE_SIZE },
7210 	{ set_connectable,         MGMT_SETTING_SIZE },
7211 	{ set_fast_connectable,    MGMT_SETTING_SIZE },
7212 	{ set_bondable,            MGMT_SETTING_SIZE },
7213 	{ set_link_security,       MGMT_SETTING_SIZE },
7214 	{ set_ssp,                 MGMT_SETTING_SIZE },
7215 	{ set_hs,                  MGMT_SETTING_SIZE },
7216 	{ set_le,                  MGMT_SETTING_SIZE },
7217 	{ set_dev_class,           MGMT_SET_DEV_CLASS_SIZE },
7218 	{ set_local_name,          MGMT_SET_LOCAL_NAME_SIZE },
7219 	{ add_uuid,                MGMT_ADD_UUID_SIZE },
7220 	{ remove_uuid,             MGMT_REMOVE_UUID_SIZE },
7221 	{ load_link_keys,          MGMT_LOAD_LINK_KEYS_SIZE,
7222 						HCI_MGMT_VAR_LEN },
7223 	{ load_long_term_keys,     MGMT_LOAD_LONG_TERM_KEYS_SIZE,
7224 						HCI_MGMT_VAR_LEN },
7225 	{ disconnect,              MGMT_DISCONNECT_SIZE },
7226 	{ get_connections,         MGMT_GET_CONNECTIONS_SIZE },
7227 	{ pin_code_reply,          MGMT_PIN_CODE_REPLY_SIZE },
7228 	{ pin_code_neg_reply,      MGMT_PIN_CODE_NEG_REPLY_SIZE },
7229 	{ set_io_capability,       MGMT_SET_IO_CAPABILITY_SIZE },
7230 	{ pair_device,             MGMT_PAIR_DEVICE_SIZE },
7231 	{ cancel_pair_device,      MGMT_CANCEL_PAIR_DEVICE_SIZE },
7232 	{ unpair_device,           MGMT_UNPAIR_DEVICE_SIZE },
7233 	{ user_confirm_reply,      MGMT_USER_CONFIRM_REPLY_SIZE },
7234 	{ user_confirm_neg_reply,  MGMT_USER_CONFIRM_NEG_REPLY_SIZE },
7235 	{ user_passkey_reply,      MGMT_USER_PASSKEY_REPLY_SIZE },
7236 	{ user_passkey_neg_reply,  MGMT_USER_PASSKEY_NEG_REPLY_SIZE },
7237 	{ read_local_oob_data,     MGMT_READ_LOCAL_OOB_DATA_SIZE },
7238 	{ add_remote_oob_data,     MGMT_ADD_REMOTE_OOB_DATA_SIZE,
7239 						HCI_MGMT_VAR_LEN },
7240 	{ remove_remote_oob_data,  MGMT_REMOVE_REMOTE_OOB_DATA_SIZE },
7241 	{ start_discovery,         MGMT_START_DISCOVERY_SIZE },
7242 	{ stop_discovery,          MGMT_STOP_DISCOVERY_SIZE },
7243 	{ confirm_name,            MGMT_CONFIRM_NAME_SIZE },
7244 	{ block_device,            MGMT_BLOCK_DEVICE_SIZE },
7245 	{ unblock_device,          MGMT_UNBLOCK_DEVICE_SIZE },
7246 	{ set_device_id,           MGMT_SET_DEVICE_ID_SIZE },
7247 	{ set_advertising,         MGMT_SETTING_SIZE },
7248 	{ set_bredr,               MGMT_SETTING_SIZE },
7249 	{ set_static_address,      MGMT_SET_STATIC_ADDRESS_SIZE },
7250 	{ set_scan_params,         MGMT_SET_SCAN_PARAMS_SIZE },
7251 	{ set_secure_conn,         MGMT_SETTING_SIZE },
7252 	{ set_debug_keys,          MGMT_SETTING_SIZE },
7253 	{ set_privacy,             MGMT_SET_PRIVACY_SIZE },
7254 	{ load_irks,               MGMT_LOAD_IRKS_SIZE,
7255 						HCI_MGMT_VAR_LEN },
7256 	{ get_conn_info,           MGMT_GET_CONN_INFO_SIZE },
7257 	{ get_clock_info,          MGMT_GET_CLOCK_INFO_SIZE },
7258 	{ add_device,              MGMT_ADD_DEVICE_SIZE },
7259 	{ remove_device,           MGMT_REMOVE_DEVICE_SIZE },
7260 	{ load_conn_param,         MGMT_LOAD_CONN_PARAM_SIZE,
7261 						HCI_MGMT_VAR_LEN },
7262 	{ read_unconf_index_list,  MGMT_READ_UNCONF_INDEX_LIST_SIZE,
7263 						HCI_MGMT_NO_HDEV |
7264 						HCI_MGMT_UNTRUSTED },
7265 	{ read_config_info,        MGMT_READ_CONFIG_INFO_SIZE,
7266 						HCI_MGMT_UNCONFIGURED |
7267 						HCI_MGMT_UNTRUSTED },
7268 	{ set_external_config,     MGMT_SET_EXTERNAL_CONFIG_SIZE,
7269 						HCI_MGMT_UNCONFIGURED },
7270 	{ set_public_address,      MGMT_SET_PUBLIC_ADDRESS_SIZE,
7271 						HCI_MGMT_UNCONFIGURED },
7272 	{ start_service_discovery, MGMT_START_SERVICE_DISCOVERY_SIZE,
7273 						HCI_MGMT_VAR_LEN },
7274 	{ read_local_oob_ext_data, MGMT_READ_LOCAL_OOB_EXT_DATA_SIZE },
7275 	{ read_ext_index_list,     MGMT_READ_EXT_INDEX_LIST_SIZE,
7276 						HCI_MGMT_NO_HDEV |
7277 						HCI_MGMT_UNTRUSTED },
7278 	{ read_adv_features,       MGMT_READ_ADV_FEATURES_SIZE },
7279 	{ add_advertising,	   MGMT_ADD_ADVERTISING_SIZE,
7280 						HCI_MGMT_VAR_LEN },
7281 	{ remove_advertising,	   MGMT_REMOVE_ADVERTISING_SIZE },
7282 	{ get_adv_size_info,       MGMT_GET_ADV_SIZE_INFO_SIZE },
7283 	{ start_limited_discovery, MGMT_START_DISCOVERY_SIZE },
7284 	{ read_ext_controller_info,MGMT_READ_EXT_INFO_SIZE,
7285 						HCI_MGMT_UNTRUSTED },
7286 	{ set_appearance,	   MGMT_SET_APPEARANCE_SIZE },
7287 	{ get_phy_configuration,   MGMT_GET_PHY_CONFIGURATION_SIZE },
7288 	{ set_phy_configuration,   MGMT_SET_PHY_CONFIGURATION_SIZE },
7289 	{ set_blocked_keys,	   MGMT_OP_SET_BLOCKED_KEYS_SIZE,
7290 						HCI_MGMT_VAR_LEN },
7291 	{ set_wideband_speech,	   MGMT_SETTING_SIZE },
7292 	{ read_security_info,      MGMT_READ_SECURITY_INFO_SIZE,
7293 						HCI_MGMT_UNTRUSTED },
7294 	{ read_exp_features_info,  MGMT_READ_EXP_FEATURES_INFO_SIZE,
7295 						HCI_MGMT_UNTRUSTED |
7296 						HCI_MGMT_HDEV_OPTIONAL },
7297 	{ set_exp_feature,         MGMT_SET_EXP_FEATURE_SIZE,
7298 						HCI_MGMT_VAR_LEN |
7299 						HCI_MGMT_HDEV_OPTIONAL },
7300 };
7301 
7302 void mgmt_index_added(struct hci_dev *hdev)
7303 {
7304 	struct mgmt_ev_ext_index ev;
7305 
7306 	if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
7307 		return;
7308 
7309 	switch (hdev->dev_type) {
7310 	case HCI_PRIMARY:
7311 		if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
7312 			mgmt_index_event(MGMT_EV_UNCONF_INDEX_ADDED, hdev,
7313 					 NULL, 0, HCI_MGMT_UNCONF_INDEX_EVENTS);
7314 			ev.type = 0x01;
7315 		} else {
7316 			mgmt_index_event(MGMT_EV_INDEX_ADDED, hdev, NULL, 0,
7317 					 HCI_MGMT_INDEX_EVENTS);
7318 			ev.type = 0x00;
7319 		}
7320 		break;
7321 	case HCI_AMP:
7322 		ev.type = 0x02;
7323 		break;
7324 	default:
7325 		return;
7326 	}
7327 
7328 	ev.bus = hdev->bus;
7329 
7330 	mgmt_index_event(MGMT_EV_EXT_INDEX_ADDED, hdev, &ev, sizeof(ev),
7331 			 HCI_MGMT_EXT_INDEX_EVENTS);
7332 }
7333 
7334 void mgmt_index_removed(struct hci_dev *hdev)
7335 {
7336 	struct mgmt_ev_ext_index ev;
7337 	u8 status = MGMT_STATUS_INVALID_INDEX;
7338 
7339 	if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
7340 		return;
7341 
7342 	switch (hdev->dev_type) {
7343 	case HCI_PRIMARY:
7344 		mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &status);
7345 
7346 		if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
7347 			mgmt_index_event(MGMT_EV_UNCONF_INDEX_REMOVED, hdev,
7348 					 NULL, 0, HCI_MGMT_UNCONF_INDEX_EVENTS);
7349 			ev.type = 0x01;
7350 		} else {
7351 			mgmt_index_event(MGMT_EV_INDEX_REMOVED, hdev, NULL, 0,
7352 					 HCI_MGMT_INDEX_EVENTS);
7353 			ev.type = 0x00;
7354 		}
7355 		break;
7356 	case HCI_AMP:
7357 		ev.type = 0x02;
7358 		break;
7359 	default:
7360 		return;
7361 	}
7362 
7363 	ev.bus = hdev->bus;
7364 
7365 	mgmt_index_event(MGMT_EV_EXT_INDEX_REMOVED, hdev, &ev, sizeof(ev),
7366 			 HCI_MGMT_EXT_INDEX_EVENTS);
7367 }
7368 
7369 /* This function requires the caller holds hdev->lock */
7370 static void restart_le_actions(struct hci_dev *hdev)
7371 {
7372 	struct hci_conn_params *p;
7373 
7374 	list_for_each_entry(p, &hdev->le_conn_params, list) {
7375 		/* Needed for AUTO_OFF case where might not "really"
7376 		 * have been powered off.
7377 		 */
7378 		list_del_init(&p->action);
7379 
7380 		switch (p->auto_connect) {
7381 		case HCI_AUTO_CONN_DIRECT:
7382 		case HCI_AUTO_CONN_ALWAYS:
7383 			list_add(&p->action, &hdev->pend_le_conns);
7384 			break;
7385 		case HCI_AUTO_CONN_REPORT:
7386 			list_add(&p->action, &hdev->pend_le_reports);
7387 			break;
7388 		default:
7389 			break;
7390 		}
7391 	}
7392 }
7393 
7394 void mgmt_power_on(struct hci_dev *hdev, int err)
7395 {
7396 	struct cmd_lookup match = { NULL, hdev };
7397 
7398 	bt_dev_dbg(hdev, "err %d", err);
7399 
7400 	hci_dev_lock(hdev);
7401 
7402 	if (!err) {
7403 		restart_le_actions(hdev);
7404 		hci_update_background_scan(hdev);
7405 	}
7406 
7407 	mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp, &match);
7408 
7409 	new_settings(hdev, match.sk);
7410 
7411 	if (match.sk)
7412 		sock_put(match.sk);
7413 
7414 	hci_dev_unlock(hdev);
7415 }
7416 
7417 void __mgmt_power_off(struct hci_dev *hdev)
7418 {
7419 	struct cmd_lookup match = { NULL, hdev };
7420 	u8 status, zero_cod[] = { 0, 0, 0 };
7421 
7422 	mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp, &match);
7423 
7424 	/* If the power off is because of hdev unregistration let
7425 	 * use the appropriate INVALID_INDEX status. Otherwise use
7426 	 * NOT_POWERED. We cover both scenarios here since later in
7427 	 * mgmt_index_removed() any hci_conn callbacks will have already
7428 	 * been triggered, potentially causing misleading DISCONNECTED
7429 	 * status responses.
7430 	 */
7431 	if (hci_dev_test_flag(hdev, HCI_UNREGISTER))
7432 		status = MGMT_STATUS_INVALID_INDEX;
7433 	else
7434 		status = MGMT_STATUS_NOT_POWERED;
7435 
7436 	mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &status);
7437 
7438 	if (memcmp(hdev->dev_class, zero_cod, sizeof(zero_cod)) != 0) {
7439 		mgmt_limited_event(MGMT_EV_CLASS_OF_DEV_CHANGED, hdev,
7440 				   zero_cod, sizeof(zero_cod),
7441 				   HCI_MGMT_DEV_CLASS_EVENTS, NULL);
7442 		ext_info_changed(hdev, NULL);
7443 	}
7444 
7445 	new_settings(hdev, match.sk);
7446 
7447 	if (match.sk)
7448 		sock_put(match.sk);
7449 }
7450 
7451 void mgmt_set_powered_failed(struct hci_dev *hdev, int err)
7452 {
7453 	struct mgmt_pending_cmd *cmd;
7454 	u8 status;
7455 
7456 	cmd = pending_find(MGMT_OP_SET_POWERED, hdev);
7457 	if (!cmd)
7458 		return;
7459 
7460 	if (err == -ERFKILL)
7461 		status = MGMT_STATUS_RFKILLED;
7462 	else
7463 		status = MGMT_STATUS_FAILED;
7464 
7465 	mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_POWERED, status);
7466 
7467 	mgmt_pending_remove(cmd);
7468 }
7469 
7470 void mgmt_new_link_key(struct hci_dev *hdev, struct link_key *key,
7471 		       bool persistent)
7472 {
7473 	struct mgmt_ev_new_link_key ev;
7474 
7475 	memset(&ev, 0, sizeof(ev));
7476 
7477 	ev.store_hint = persistent;
7478 	bacpy(&ev.key.addr.bdaddr, &key->bdaddr);
7479 	ev.key.addr.type = BDADDR_BREDR;
7480 	ev.key.type = key->type;
7481 	memcpy(ev.key.val, key->val, HCI_LINK_KEY_SIZE);
7482 	ev.key.pin_len = key->pin_len;
7483 
7484 	mgmt_event(MGMT_EV_NEW_LINK_KEY, hdev, &ev, sizeof(ev), NULL);
7485 }
7486 
7487 static u8 mgmt_ltk_type(struct smp_ltk *ltk)
7488 {
7489 	switch (ltk->type) {
7490 	case SMP_LTK:
7491 	case SMP_LTK_SLAVE:
7492 		if (ltk->authenticated)
7493 			return MGMT_LTK_AUTHENTICATED;
7494 		return MGMT_LTK_UNAUTHENTICATED;
7495 	case SMP_LTK_P256:
7496 		if (ltk->authenticated)
7497 			return MGMT_LTK_P256_AUTH;
7498 		return MGMT_LTK_P256_UNAUTH;
7499 	case SMP_LTK_P256_DEBUG:
7500 		return MGMT_LTK_P256_DEBUG;
7501 	}
7502 
7503 	return MGMT_LTK_UNAUTHENTICATED;
7504 }
7505 
7506 void mgmt_new_ltk(struct hci_dev *hdev, struct smp_ltk *key, bool persistent)
7507 {
7508 	struct mgmt_ev_new_long_term_key ev;
7509 
7510 	memset(&ev, 0, sizeof(ev));
7511 
7512 	/* Devices using resolvable or non-resolvable random addresses
7513 	 * without providing an identity resolving key don't require
7514 	 * to store long term keys. Their addresses will change the
7515 	 * next time around.
7516 	 *
7517 	 * Only when a remote device provides an identity address
7518 	 * make sure the long term key is stored. If the remote
7519 	 * identity is known, the long term keys are internally
7520 	 * mapped to the identity address. So allow static random
7521 	 * and public addresses here.
7522 	 */
7523 	if (key->bdaddr_type == ADDR_LE_DEV_RANDOM &&
7524 	    (key->bdaddr.b[5] & 0xc0) != 0xc0)
7525 		ev.store_hint = 0x00;
7526 	else
7527 		ev.store_hint = persistent;
7528 
7529 	bacpy(&ev.key.addr.bdaddr, &key->bdaddr);
7530 	ev.key.addr.type = link_to_bdaddr(LE_LINK, key->bdaddr_type);
7531 	ev.key.type = mgmt_ltk_type(key);
7532 	ev.key.enc_size = key->enc_size;
7533 	ev.key.ediv = key->ediv;
7534 	ev.key.rand = key->rand;
7535 
7536 	if (key->type == SMP_LTK)
7537 		ev.key.master = 1;
7538 
7539 	/* Make sure we copy only the significant bytes based on the
7540 	 * encryption key size, and set the rest of the value to zeroes.
7541 	 */
7542 	memcpy(ev.key.val, key->val, key->enc_size);
7543 	memset(ev.key.val + key->enc_size, 0,
7544 	       sizeof(ev.key.val) - key->enc_size);
7545 
7546 	mgmt_event(MGMT_EV_NEW_LONG_TERM_KEY, hdev, &ev, sizeof(ev), NULL);
7547 }
7548 
7549 void mgmt_new_irk(struct hci_dev *hdev, struct smp_irk *irk, bool persistent)
7550 {
7551 	struct mgmt_ev_new_irk ev;
7552 
7553 	memset(&ev, 0, sizeof(ev));
7554 
7555 	ev.store_hint = persistent;
7556 
7557 	bacpy(&ev.rpa, &irk->rpa);
7558 	bacpy(&ev.irk.addr.bdaddr, &irk->bdaddr);
7559 	ev.irk.addr.type = link_to_bdaddr(LE_LINK, irk->addr_type);
7560 	memcpy(ev.irk.val, irk->val, sizeof(irk->val));
7561 
7562 	mgmt_event(MGMT_EV_NEW_IRK, hdev, &ev, sizeof(ev), NULL);
7563 }
7564 
7565 void mgmt_new_csrk(struct hci_dev *hdev, struct smp_csrk *csrk,
7566 		   bool persistent)
7567 {
7568 	struct mgmt_ev_new_csrk ev;
7569 
7570 	memset(&ev, 0, sizeof(ev));
7571 
7572 	/* Devices using resolvable or non-resolvable random addresses
7573 	 * without providing an identity resolving key don't require
7574 	 * to store signature resolving keys. Their addresses will change
7575 	 * the next time around.
7576 	 *
7577 	 * Only when a remote device provides an identity address
7578 	 * make sure the signature resolving key is stored. So allow
7579 	 * static random and public addresses here.
7580 	 */
7581 	if (csrk->bdaddr_type == ADDR_LE_DEV_RANDOM &&
7582 	    (csrk->bdaddr.b[5] & 0xc0) != 0xc0)
7583 		ev.store_hint = 0x00;
7584 	else
7585 		ev.store_hint = persistent;
7586 
7587 	bacpy(&ev.key.addr.bdaddr, &csrk->bdaddr);
7588 	ev.key.addr.type = link_to_bdaddr(LE_LINK, csrk->bdaddr_type);
7589 	ev.key.type = csrk->type;
7590 	memcpy(ev.key.val, csrk->val, sizeof(csrk->val));
7591 
7592 	mgmt_event(MGMT_EV_NEW_CSRK, hdev, &ev, sizeof(ev), NULL);
7593 }
7594 
7595 void mgmt_new_conn_param(struct hci_dev *hdev, bdaddr_t *bdaddr,
7596 			 u8 bdaddr_type, u8 store_hint, u16 min_interval,
7597 			 u16 max_interval, u16 latency, u16 timeout)
7598 {
7599 	struct mgmt_ev_new_conn_param ev;
7600 
7601 	if (!hci_is_identity_address(bdaddr, bdaddr_type))
7602 		return;
7603 
7604 	memset(&ev, 0, sizeof(ev));
7605 	bacpy(&ev.addr.bdaddr, bdaddr);
7606 	ev.addr.type = link_to_bdaddr(LE_LINK, bdaddr_type);
7607 	ev.store_hint = store_hint;
7608 	ev.min_interval = cpu_to_le16(min_interval);
7609 	ev.max_interval = cpu_to_le16(max_interval);
7610 	ev.latency = cpu_to_le16(latency);
7611 	ev.timeout = cpu_to_le16(timeout);
7612 
7613 	mgmt_event(MGMT_EV_NEW_CONN_PARAM, hdev, &ev, sizeof(ev), NULL);
7614 }
7615 
7616 void mgmt_device_connected(struct hci_dev *hdev, struct hci_conn *conn,
7617 			   u32 flags, u8 *name, u8 name_len)
7618 {
7619 	char buf[512];
7620 	struct mgmt_ev_device_connected *ev = (void *) buf;
7621 	u16 eir_len = 0;
7622 
7623 	bacpy(&ev->addr.bdaddr, &conn->dst);
7624 	ev->addr.type = link_to_bdaddr(conn->type, conn->dst_type);
7625 
7626 	ev->flags = __cpu_to_le32(flags);
7627 
7628 	/* We must ensure that the EIR Data fields are ordered and
7629 	 * unique. Keep it simple for now and avoid the problem by not
7630 	 * adding any BR/EDR data to the LE adv.
7631 	 */
7632 	if (conn->le_adv_data_len > 0) {
7633 		memcpy(&ev->eir[eir_len],
7634 		       conn->le_adv_data, conn->le_adv_data_len);
7635 		eir_len = conn->le_adv_data_len;
7636 	} else {
7637 		if (name_len > 0)
7638 			eir_len = eir_append_data(ev->eir, 0, EIR_NAME_COMPLETE,
7639 						  name, name_len);
7640 
7641 		if (memcmp(conn->dev_class, "\0\0\0", 3) != 0)
7642 			eir_len = eir_append_data(ev->eir, eir_len,
7643 						  EIR_CLASS_OF_DEV,
7644 						  conn->dev_class, 3);
7645 	}
7646 
7647 	ev->eir_len = cpu_to_le16(eir_len);
7648 
7649 	mgmt_event(MGMT_EV_DEVICE_CONNECTED, hdev, buf,
7650 		    sizeof(*ev) + eir_len, NULL);
7651 }
7652 
7653 static void disconnect_rsp(struct mgmt_pending_cmd *cmd, void *data)
7654 {
7655 	struct sock **sk = data;
7656 
7657 	cmd->cmd_complete(cmd, 0);
7658 
7659 	*sk = cmd->sk;
7660 	sock_hold(*sk);
7661 
7662 	mgmt_pending_remove(cmd);
7663 }
7664 
7665 static void unpair_device_rsp(struct mgmt_pending_cmd *cmd, void *data)
7666 {
7667 	struct hci_dev *hdev = data;
7668 	struct mgmt_cp_unpair_device *cp = cmd->param;
7669 
7670 	device_unpaired(hdev, &cp->addr.bdaddr, cp->addr.type, cmd->sk);
7671 
7672 	cmd->cmd_complete(cmd, 0);
7673 	mgmt_pending_remove(cmd);
7674 }
7675 
7676 bool mgmt_powering_down(struct hci_dev *hdev)
7677 {
7678 	struct mgmt_pending_cmd *cmd;
7679 	struct mgmt_mode *cp;
7680 
7681 	cmd = pending_find(MGMT_OP_SET_POWERED, hdev);
7682 	if (!cmd)
7683 		return false;
7684 
7685 	cp = cmd->param;
7686 	if (!cp->val)
7687 		return true;
7688 
7689 	return false;
7690 }
7691 
7692 void mgmt_device_disconnected(struct hci_dev *hdev, bdaddr_t *bdaddr,
7693 			      u8 link_type, u8 addr_type, u8 reason,
7694 			      bool mgmt_connected)
7695 {
7696 	struct mgmt_ev_device_disconnected ev;
7697 	struct sock *sk = NULL;
7698 
7699 	/* The connection is still in hci_conn_hash so test for 1
7700 	 * instead of 0 to know if this is the last one.
7701 	 */
7702 	if (mgmt_powering_down(hdev) && hci_conn_count(hdev) == 1) {
7703 		cancel_delayed_work(&hdev->power_off);
7704 		queue_work(hdev->req_workqueue, &hdev->power_off.work);
7705 	}
7706 
7707 	if (!mgmt_connected)
7708 		return;
7709 
7710 	if (link_type != ACL_LINK && link_type != LE_LINK)
7711 		return;
7712 
7713 	mgmt_pending_foreach(MGMT_OP_DISCONNECT, hdev, disconnect_rsp, &sk);
7714 
7715 	bacpy(&ev.addr.bdaddr, bdaddr);
7716 	ev.addr.type = link_to_bdaddr(link_type, addr_type);
7717 	ev.reason = reason;
7718 
7719 	mgmt_event(MGMT_EV_DEVICE_DISCONNECTED, hdev, &ev, sizeof(ev), sk);
7720 
7721 	if (sk)
7722 		sock_put(sk);
7723 
7724 	mgmt_pending_foreach(MGMT_OP_UNPAIR_DEVICE, hdev, unpair_device_rsp,
7725 			     hdev);
7726 }
7727 
7728 void mgmt_disconnect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr,
7729 			    u8 link_type, u8 addr_type, u8 status)
7730 {
7731 	u8 bdaddr_type = link_to_bdaddr(link_type, addr_type);
7732 	struct mgmt_cp_disconnect *cp;
7733 	struct mgmt_pending_cmd *cmd;
7734 
7735 	mgmt_pending_foreach(MGMT_OP_UNPAIR_DEVICE, hdev, unpair_device_rsp,
7736 			     hdev);
7737 
7738 	cmd = pending_find(MGMT_OP_DISCONNECT, hdev);
7739 	if (!cmd)
7740 		return;
7741 
7742 	cp = cmd->param;
7743 
7744 	if (bacmp(bdaddr, &cp->addr.bdaddr))
7745 		return;
7746 
7747 	if (cp->addr.type != bdaddr_type)
7748 		return;
7749 
7750 	cmd->cmd_complete(cmd, mgmt_status(status));
7751 	mgmt_pending_remove(cmd);
7752 }
7753 
7754 void mgmt_connect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
7755 			 u8 addr_type, u8 status)
7756 {
7757 	struct mgmt_ev_connect_failed ev;
7758 
7759 	/* The connection is still in hci_conn_hash so test for 1
7760 	 * instead of 0 to know if this is the last one.
7761 	 */
7762 	if (mgmt_powering_down(hdev) && hci_conn_count(hdev) == 1) {
7763 		cancel_delayed_work(&hdev->power_off);
7764 		queue_work(hdev->req_workqueue, &hdev->power_off.work);
7765 	}
7766 
7767 	bacpy(&ev.addr.bdaddr, bdaddr);
7768 	ev.addr.type = link_to_bdaddr(link_type, addr_type);
7769 	ev.status = mgmt_status(status);
7770 
7771 	mgmt_event(MGMT_EV_CONNECT_FAILED, hdev, &ev, sizeof(ev), NULL);
7772 }
7773 
7774 void mgmt_pin_code_request(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 secure)
7775 {
7776 	struct mgmt_ev_pin_code_request ev;
7777 
7778 	bacpy(&ev.addr.bdaddr, bdaddr);
7779 	ev.addr.type = BDADDR_BREDR;
7780 	ev.secure = secure;
7781 
7782 	mgmt_event(MGMT_EV_PIN_CODE_REQUEST, hdev, &ev, sizeof(ev), NULL);
7783 }
7784 
7785 void mgmt_pin_code_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
7786 				  u8 status)
7787 {
7788 	struct mgmt_pending_cmd *cmd;
7789 
7790 	cmd = pending_find(MGMT_OP_PIN_CODE_REPLY, hdev);
7791 	if (!cmd)
7792 		return;
7793 
7794 	cmd->cmd_complete(cmd, mgmt_status(status));
7795 	mgmt_pending_remove(cmd);
7796 }
7797 
7798 void mgmt_pin_code_neg_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
7799 				      u8 status)
7800 {
7801 	struct mgmt_pending_cmd *cmd;
7802 
7803 	cmd = pending_find(MGMT_OP_PIN_CODE_NEG_REPLY, hdev);
7804 	if (!cmd)
7805 		return;
7806 
7807 	cmd->cmd_complete(cmd, mgmt_status(status));
7808 	mgmt_pending_remove(cmd);
7809 }
7810 
7811 int mgmt_user_confirm_request(struct hci_dev *hdev, bdaddr_t *bdaddr,
7812 			      u8 link_type, u8 addr_type, u32 value,
7813 			      u8 confirm_hint)
7814 {
7815 	struct mgmt_ev_user_confirm_request ev;
7816 
7817 	bt_dev_dbg(hdev, "bdaddr %pMR", bdaddr);
7818 
7819 	bacpy(&ev.addr.bdaddr, bdaddr);
7820 	ev.addr.type = link_to_bdaddr(link_type, addr_type);
7821 	ev.confirm_hint = confirm_hint;
7822 	ev.value = cpu_to_le32(value);
7823 
7824 	return mgmt_event(MGMT_EV_USER_CONFIRM_REQUEST, hdev, &ev, sizeof(ev),
7825 			  NULL);
7826 }
7827 
7828 int mgmt_user_passkey_request(struct hci_dev *hdev, bdaddr_t *bdaddr,
7829 			      u8 link_type, u8 addr_type)
7830 {
7831 	struct mgmt_ev_user_passkey_request ev;
7832 
7833 	bt_dev_dbg(hdev, "bdaddr %pMR", bdaddr);
7834 
7835 	bacpy(&ev.addr.bdaddr, bdaddr);
7836 	ev.addr.type = link_to_bdaddr(link_type, addr_type);
7837 
7838 	return mgmt_event(MGMT_EV_USER_PASSKEY_REQUEST, hdev, &ev, sizeof(ev),
7839 			  NULL);
7840 }
7841 
7842 static int user_pairing_resp_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
7843 				      u8 link_type, u8 addr_type, u8 status,
7844 				      u8 opcode)
7845 {
7846 	struct mgmt_pending_cmd *cmd;
7847 
7848 	cmd = pending_find(opcode, hdev);
7849 	if (!cmd)
7850 		return -ENOENT;
7851 
7852 	cmd->cmd_complete(cmd, mgmt_status(status));
7853 	mgmt_pending_remove(cmd);
7854 
7855 	return 0;
7856 }
7857 
7858 int mgmt_user_confirm_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
7859 				     u8 link_type, u8 addr_type, u8 status)
7860 {
7861 	return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
7862 					  status, MGMT_OP_USER_CONFIRM_REPLY);
7863 }
7864 
7865 int mgmt_user_confirm_neg_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
7866 					 u8 link_type, u8 addr_type, u8 status)
7867 {
7868 	return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
7869 					  status,
7870 					  MGMT_OP_USER_CONFIRM_NEG_REPLY);
7871 }
7872 
7873 int mgmt_user_passkey_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
7874 				     u8 link_type, u8 addr_type, u8 status)
7875 {
7876 	return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
7877 					  status, MGMT_OP_USER_PASSKEY_REPLY);
7878 }
7879 
7880 int mgmt_user_passkey_neg_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
7881 					 u8 link_type, u8 addr_type, u8 status)
7882 {
7883 	return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
7884 					  status,
7885 					  MGMT_OP_USER_PASSKEY_NEG_REPLY);
7886 }
7887 
7888 int mgmt_user_passkey_notify(struct hci_dev *hdev, bdaddr_t *bdaddr,
7889 			     u8 link_type, u8 addr_type, u32 passkey,
7890 			     u8 entered)
7891 {
7892 	struct mgmt_ev_passkey_notify ev;
7893 
7894 	bt_dev_dbg(hdev, "bdaddr %pMR", bdaddr);
7895 
7896 	bacpy(&ev.addr.bdaddr, bdaddr);
7897 	ev.addr.type = link_to_bdaddr(link_type, addr_type);
7898 	ev.passkey = __cpu_to_le32(passkey);
7899 	ev.entered = entered;
7900 
7901 	return mgmt_event(MGMT_EV_PASSKEY_NOTIFY, hdev, &ev, sizeof(ev), NULL);
7902 }
7903 
7904 void mgmt_auth_failed(struct hci_conn *conn, u8 hci_status)
7905 {
7906 	struct mgmt_ev_auth_failed ev;
7907 	struct mgmt_pending_cmd *cmd;
7908 	u8 status = mgmt_status(hci_status);
7909 
7910 	bacpy(&ev.addr.bdaddr, &conn->dst);
7911 	ev.addr.type = link_to_bdaddr(conn->type, conn->dst_type);
7912 	ev.status = status;
7913 
7914 	cmd = find_pairing(conn);
7915 
7916 	mgmt_event(MGMT_EV_AUTH_FAILED, conn->hdev, &ev, sizeof(ev),
7917 		    cmd ? cmd->sk : NULL);
7918 
7919 	if (cmd) {
7920 		cmd->cmd_complete(cmd, status);
7921 		mgmt_pending_remove(cmd);
7922 	}
7923 }
7924 
7925 void mgmt_auth_enable_complete(struct hci_dev *hdev, u8 status)
7926 {
7927 	struct cmd_lookup match = { NULL, hdev };
7928 	bool changed;
7929 
7930 	if (status) {
7931 		u8 mgmt_err = mgmt_status(status);
7932 		mgmt_pending_foreach(MGMT_OP_SET_LINK_SECURITY, hdev,
7933 				     cmd_status_rsp, &mgmt_err);
7934 		return;
7935 	}
7936 
7937 	if (test_bit(HCI_AUTH, &hdev->flags))
7938 		changed = !hci_dev_test_and_set_flag(hdev, HCI_LINK_SECURITY);
7939 	else
7940 		changed = hci_dev_test_and_clear_flag(hdev, HCI_LINK_SECURITY);
7941 
7942 	mgmt_pending_foreach(MGMT_OP_SET_LINK_SECURITY, hdev, settings_rsp,
7943 			     &match);
7944 
7945 	if (changed)
7946 		new_settings(hdev, match.sk);
7947 
7948 	if (match.sk)
7949 		sock_put(match.sk);
7950 }
7951 
7952 static void clear_eir(struct hci_request *req)
7953 {
7954 	struct hci_dev *hdev = req->hdev;
7955 	struct hci_cp_write_eir cp;
7956 
7957 	if (!lmp_ext_inq_capable(hdev))
7958 		return;
7959 
7960 	memset(hdev->eir, 0, sizeof(hdev->eir));
7961 
7962 	memset(&cp, 0, sizeof(cp));
7963 
7964 	hci_req_add(req, HCI_OP_WRITE_EIR, sizeof(cp), &cp);
7965 }
7966 
7967 void mgmt_ssp_enable_complete(struct hci_dev *hdev, u8 enable, u8 status)
7968 {
7969 	struct cmd_lookup match = { NULL, hdev };
7970 	struct hci_request req;
7971 	bool changed = false;
7972 
7973 	if (status) {
7974 		u8 mgmt_err = mgmt_status(status);
7975 
7976 		if (enable && hci_dev_test_and_clear_flag(hdev,
7977 							  HCI_SSP_ENABLED)) {
7978 			hci_dev_clear_flag(hdev, HCI_HS_ENABLED);
7979 			new_settings(hdev, NULL);
7980 		}
7981 
7982 		mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, cmd_status_rsp,
7983 				     &mgmt_err);
7984 		return;
7985 	}
7986 
7987 	if (enable) {
7988 		changed = !hci_dev_test_and_set_flag(hdev, HCI_SSP_ENABLED);
7989 	} else {
7990 		changed = hci_dev_test_and_clear_flag(hdev, HCI_SSP_ENABLED);
7991 		if (!changed)
7992 			changed = hci_dev_test_and_clear_flag(hdev,
7993 							      HCI_HS_ENABLED);
7994 		else
7995 			hci_dev_clear_flag(hdev, HCI_HS_ENABLED);
7996 	}
7997 
7998 	mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, settings_rsp, &match);
7999 
8000 	if (changed)
8001 		new_settings(hdev, match.sk);
8002 
8003 	if (match.sk)
8004 		sock_put(match.sk);
8005 
8006 	hci_req_init(&req, hdev);
8007 
8008 	if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
8009 		if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS))
8010 			hci_req_add(&req, HCI_OP_WRITE_SSP_DEBUG_MODE,
8011 				    sizeof(enable), &enable);
8012 		__hci_req_update_eir(&req);
8013 	} else {
8014 		clear_eir(&req);
8015 	}
8016 
8017 	hci_req_run(&req, NULL);
8018 }
8019 
8020 static void sk_lookup(struct mgmt_pending_cmd *cmd, void *data)
8021 {
8022 	struct cmd_lookup *match = data;
8023 
8024 	if (match->sk == NULL) {
8025 		match->sk = cmd->sk;
8026 		sock_hold(match->sk);
8027 	}
8028 }
8029 
8030 void mgmt_set_class_of_dev_complete(struct hci_dev *hdev, u8 *dev_class,
8031 				    u8 status)
8032 {
8033 	struct cmd_lookup match = { NULL, hdev, mgmt_status(status) };
8034 
8035 	mgmt_pending_foreach(MGMT_OP_SET_DEV_CLASS, hdev, sk_lookup, &match);
8036 	mgmt_pending_foreach(MGMT_OP_ADD_UUID, hdev, sk_lookup, &match);
8037 	mgmt_pending_foreach(MGMT_OP_REMOVE_UUID, hdev, sk_lookup, &match);
8038 
8039 	if (!status) {
8040 		mgmt_limited_event(MGMT_EV_CLASS_OF_DEV_CHANGED, hdev, dev_class,
8041 				   3, HCI_MGMT_DEV_CLASS_EVENTS, NULL);
8042 		ext_info_changed(hdev, NULL);
8043 	}
8044 
8045 	if (match.sk)
8046 		sock_put(match.sk);
8047 }
8048 
8049 void mgmt_set_local_name_complete(struct hci_dev *hdev, u8 *name, u8 status)
8050 {
8051 	struct mgmt_cp_set_local_name ev;
8052 	struct mgmt_pending_cmd *cmd;
8053 
8054 	if (status)
8055 		return;
8056 
8057 	memset(&ev, 0, sizeof(ev));
8058 	memcpy(ev.name, name, HCI_MAX_NAME_LENGTH);
8059 	memcpy(ev.short_name, hdev->short_name, HCI_MAX_SHORT_NAME_LENGTH);
8060 
8061 	cmd = pending_find(MGMT_OP_SET_LOCAL_NAME, hdev);
8062 	if (!cmd) {
8063 		memcpy(hdev->dev_name, name, sizeof(hdev->dev_name));
8064 
8065 		/* If this is a HCI command related to powering on the
8066 		 * HCI dev don't send any mgmt signals.
8067 		 */
8068 		if (pending_find(MGMT_OP_SET_POWERED, hdev))
8069 			return;
8070 	}
8071 
8072 	mgmt_limited_event(MGMT_EV_LOCAL_NAME_CHANGED, hdev, &ev, sizeof(ev),
8073 			   HCI_MGMT_LOCAL_NAME_EVENTS, cmd ? cmd->sk : NULL);
8074 	ext_info_changed(hdev, cmd ? cmd->sk : NULL);
8075 }
8076 
8077 static inline bool has_uuid(u8 *uuid, u16 uuid_count, u8 (*uuids)[16])
8078 {
8079 	int i;
8080 
8081 	for (i = 0; i < uuid_count; i++) {
8082 		if (!memcmp(uuid, uuids[i], 16))
8083 			return true;
8084 	}
8085 
8086 	return false;
8087 }
8088 
8089 static bool eir_has_uuids(u8 *eir, u16 eir_len, u16 uuid_count, u8 (*uuids)[16])
8090 {
8091 	u16 parsed = 0;
8092 
8093 	while (parsed < eir_len) {
8094 		u8 field_len = eir[0];
8095 		u8 uuid[16];
8096 		int i;
8097 
8098 		if (field_len == 0)
8099 			break;
8100 
8101 		if (eir_len - parsed < field_len + 1)
8102 			break;
8103 
8104 		switch (eir[1]) {
8105 		case EIR_UUID16_ALL:
8106 		case EIR_UUID16_SOME:
8107 			for (i = 0; i + 3 <= field_len; i += 2) {
8108 				memcpy(uuid, bluetooth_base_uuid, 16);
8109 				uuid[13] = eir[i + 3];
8110 				uuid[12] = eir[i + 2];
8111 				if (has_uuid(uuid, uuid_count, uuids))
8112 					return true;
8113 			}
8114 			break;
8115 		case EIR_UUID32_ALL:
8116 		case EIR_UUID32_SOME:
8117 			for (i = 0; i + 5 <= field_len; i += 4) {
8118 				memcpy(uuid, bluetooth_base_uuid, 16);
8119 				uuid[15] = eir[i + 5];
8120 				uuid[14] = eir[i + 4];
8121 				uuid[13] = eir[i + 3];
8122 				uuid[12] = eir[i + 2];
8123 				if (has_uuid(uuid, uuid_count, uuids))
8124 					return true;
8125 			}
8126 			break;
8127 		case EIR_UUID128_ALL:
8128 		case EIR_UUID128_SOME:
8129 			for (i = 0; i + 17 <= field_len; i += 16) {
8130 				memcpy(uuid, eir + i + 2, 16);
8131 				if (has_uuid(uuid, uuid_count, uuids))
8132 					return true;
8133 			}
8134 			break;
8135 		}
8136 
8137 		parsed += field_len + 1;
8138 		eir += field_len + 1;
8139 	}
8140 
8141 	return false;
8142 }
8143 
8144 static void restart_le_scan(struct hci_dev *hdev)
8145 {
8146 	/* If controller is not scanning we are done. */
8147 	if (!hci_dev_test_flag(hdev, HCI_LE_SCAN))
8148 		return;
8149 
8150 	if (time_after(jiffies + DISCOV_LE_RESTART_DELAY,
8151 		       hdev->discovery.scan_start +
8152 		       hdev->discovery.scan_duration))
8153 		return;
8154 
8155 	queue_delayed_work(hdev->req_workqueue, &hdev->le_scan_restart,
8156 			   DISCOV_LE_RESTART_DELAY);
8157 }
8158 
8159 static bool is_filter_match(struct hci_dev *hdev, s8 rssi, u8 *eir,
8160 			    u16 eir_len, u8 *scan_rsp, u8 scan_rsp_len)
8161 {
8162 	/* If a RSSI threshold has been specified, and
8163 	 * HCI_QUIRK_STRICT_DUPLICATE_FILTER is not set, then all results with
8164 	 * a RSSI smaller than the RSSI threshold will be dropped. If the quirk
8165 	 * is set, let it through for further processing, as we might need to
8166 	 * restart the scan.
8167 	 *
8168 	 * For BR/EDR devices (pre 1.2) providing no RSSI during inquiry,
8169 	 * the results are also dropped.
8170 	 */
8171 	if (hdev->discovery.rssi != HCI_RSSI_INVALID &&
8172 	    (rssi == HCI_RSSI_INVALID ||
8173 	    (rssi < hdev->discovery.rssi &&
8174 	     !test_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks))))
8175 		return  false;
8176 
8177 	if (hdev->discovery.uuid_count != 0) {
8178 		/* If a list of UUIDs is provided in filter, results with no
8179 		 * matching UUID should be dropped.
8180 		 */
8181 		if (!eir_has_uuids(eir, eir_len, hdev->discovery.uuid_count,
8182 				   hdev->discovery.uuids) &&
8183 		    !eir_has_uuids(scan_rsp, scan_rsp_len,
8184 				   hdev->discovery.uuid_count,
8185 				   hdev->discovery.uuids))
8186 			return false;
8187 	}
8188 
8189 	/* If duplicate filtering does not report RSSI changes, then restart
8190 	 * scanning to ensure updated result with updated RSSI values.
8191 	 */
8192 	if (test_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks)) {
8193 		restart_le_scan(hdev);
8194 
8195 		/* Validate RSSI value against the RSSI threshold once more. */
8196 		if (hdev->discovery.rssi != HCI_RSSI_INVALID &&
8197 		    rssi < hdev->discovery.rssi)
8198 			return false;
8199 	}
8200 
8201 	return true;
8202 }
8203 
8204 void mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
8205 		       u8 addr_type, u8 *dev_class, s8 rssi, u32 flags,
8206 		       u8 *eir, u16 eir_len, u8 *scan_rsp, u8 scan_rsp_len)
8207 {
8208 	char buf[512];
8209 	struct mgmt_ev_device_found *ev = (void *)buf;
8210 	size_t ev_size;
8211 
8212 	/* Don't send events for a non-kernel initiated discovery. With
8213 	 * LE one exception is if we have pend_le_reports > 0 in which
8214 	 * case we're doing passive scanning and want these events.
8215 	 */
8216 	if (!hci_discovery_active(hdev)) {
8217 		if (link_type == ACL_LINK)
8218 			return;
8219 		if (link_type == LE_LINK && list_empty(&hdev->pend_le_reports))
8220 			return;
8221 	}
8222 
8223 	if (hdev->discovery.result_filtering) {
8224 		/* We are using service discovery */
8225 		if (!is_filter_match(hdev, rssi, eir, eir_len, scan_rsp,
8226 				     scan_rsp_len))
8227 			return;
8228 	}
8229 
8230 	if (hdev->discovery.limited) {
8231 		/* Check for limited discoverable bit */
8232 		if (dev_class) {
8233 			if (!(dev_class[1] & 0x20))
8234 				return;
8235 		} else {
8236 			u8 *flags = eir_get_data(eir, eir_len, EIR_FLAGS, NULL);
8237 			if (!flags || !(flags[0] & LE_AD_LIMITED))
8238 				return;
8239 		}
8240 	}
8241 
8242 	/* Make sure that the buffer is big enough. The 5 extra bytes
8243 	 * are for the potential CoD field.
8244 	 */
8245 	if (sizeof(*ev) + eir_len + scan_rsp_len + 5 > sizeof(buf))
8246 		return;
8247 
8248 	memset(buf, 0, sizeof(buf));
8249 
8250 	/* In case of device discovery with BR/EDR devices (pre 1.2), the
8251 	 * RSSI value was reported as 0 when not available. This behavior
8252 	 * is kept when using device discovery. This is required for full
8253 	 * backwards compatibility with the API.
8254 	 *
8255 	 * However when using service discovery, the value 127 will be
8256 	 * returned when the RSSI is not available.
8257 	 */
8258 	if (rssi == HCI_RSSI_INVALID && !hdev->discovery.report_invalid_rssi &&
8259 	    link_type == ACL_LINK)
8260 		rssi = 0;
8261 
8262 	bacpy(&ev->addr.bdaddr, bdaddr);
8263 	ev->addr.type = link_to_bdaddr(link_type, addr_type);
8264 	ev->rssi = rssi;
8265 	ev->flags = cpu_to_le32(flags);
8266 
8267 	if (eir_len > 0)
8268 		/* Copy EIR or advertising data into event */
8269 		memcpy(ev->eir, eir, eir_len);
8270 
8271 	if (dev_class && !eir_get_data(ev->eir, eir_len, EIR_CLASS_OF_DEV,
8272 				       NULL))
8273 		eir_len = eir_append_data(ev->eir, eir_len, EIR_CLASS_OF_DEV,
8274 					  dev_class, 3);
8275 
8276 	if (scan_rsp_len > 0)
8277 		/* Append scan response data to event */
8278 		memcpy(ev->eir + eir_len, scan_rsp, scan_rsp_len);
8279 
8280 	ev->eir_len = cpu_to_le16(eir_len + scan_rsp_len);
8281 	ev_size = sizeof(*ev) + eir_len + scan_rsp_len;
8282 
8283 	mgmt_event(MGMT_EV_DEVICE_FOUND, hdev, ev, ev_size, NULL);
8284 }
8285 
8286 void mgmt_remote_name(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
8287 		      u8 addr_type, s8 rssi, u8 *name, u8 name_len)
8288 {
8289 	struct mgmt_ev_device_found *ev;
8290 	char buf[sizeof(*ev) + HCI_MAX_NAME_LENGTH + 2];
8291 	u16 eir_len;
8292 
8293 	ev = (struct mgmt_ev_device_found *) buf;
8294 
8295 	memset(buf, 0, sizeof(buf));
8296 
8297 	bacpy(&ev->addr.bdaddr, bdaddr);
8298 	ev->addr.type = link_to_bdaddr(link_type, addr_type);
8299 	ev->rssi = rssi;
8300 
8301 	eir_len = eir_append_data(ev->eir, 0, EIR_NAME_COMPLETE, name,
8302 				  name_len);
8303 
8304 	ev->eir_len = cpu_to_le16(eir_len);
8305 
8306 	mgmt_event(MGMT_EV_DEVICE_FOUND, hdev, ev, sizeof(*ev) + eir_len, NULL);
8307 }
8308 
8309 void mgmt_discovering(struct hci_dev *hdev, u8 discovering)
8310 {
8311 	struct mgmt_ev_discovering ev;
8312 
8313 	bt_dev_dbg(hdev, "discovering %u", discovering);
8314 
8315 	memset(&ev, 0, sizeof(ev));
8316 	ev.type = hdev->discovery.type;
8317 	ev.discovering = discovering;
8318 
8319 	mgmt_event(MGMT_EV_DISCOVERING, hdev, &ev, sizeof(ev), NULL);
8320 }
8321 
8322 static struct hci_mgmt_chan chan = {
8323 	.channel	= HCI_CHANNEL_CONTROL,
8324 	.handler_count	= ARRAY_SIZE(mgmt_handlers),
8325 	.handlers	= mgmt_handlers,
8326 	.hdev_init	= mgmt_init_hdev,
8327 };
8328 
8329 int mgmt_init(void)
8330 {
8331 	return hci_mgmt_chan_register(&chan);
8332 }
8333 
8334 void mgmt_exit(void)
8335 {
8336 	hci_mgmt_chan_unregister(&chan);
8337 }
8338