xref: /openbmc/linux/net/bluetooth/mgmt.c (revision 76426e23)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3 
4    Copyright (C) 2010  Nokia Corporation
5    Copyright (C) 2011-2012 Intel Corporation
6 
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License version 2 as
9    published by the Free Software Foundation;
10 
11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 
20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22    SOFTWARE IS DISCLAIMED.
23 */
24 
25 /* Bluetooth HCI Management interface */
26 
27 #include <linux/module.h>
28 #include <asm/unaligned.h>
29 
30 #include <net/bluetooth/bluetooth.h>
31 #include <net/bluetooth/hci_core.h>
32 #include <net/bluetooth/hci_sock.h>
33 #include <net/bluetooth/l2cap.h>
34 #include <net/bluetooth/mgmt.h>
35 
36 #include "hci_request.h"
37 #include "smp.h"
38 #include "mgmt_util.h"
39 
40 #define MGMT_VERSION	1
41 #define MGMT_REVISION	16
42 
43 static const u16 mgmt_commands[] = {
44 	MGMT_OP_READ_INDEX_LIST,
45 	MGMT_OP_READ_INFO,
46 	MGMT_OP_SET_POWERED,
47 	MGMT_OP_SET_DISCOVERABLE,
48 	MGMT_OP_SET_CONNECTABLE,
49 	MGMT_OP_SET_FAST_CONNECTABLE,
50 	MGMT_OP_SET_BONDABLE,
51 	MGMT_OP_SET_LINK_SECURITY,
52 	MGMT_OP_SET_SSP,
53 	MGMT_OP_SET_HS,
54 	MGMT_OP_SET_LE,
55 	MGMT_OP_SET_DEV_CLASS,
56 	MGMT_OP_SET_LOCAL_NAME,
57 	MGMT_OP_ADD_UUID,
58 	MGMT_OP_REMOVE_UUID,
59 	MGMT_OP_LOAD_LINK_KEYS,
60 	MGMT_OP_LOAD_LONG_TERM_KEYS,
61 	MGMT_OP_DISCONNECT,
62 	MGMT_OP_GET_CONNECTIONS,
63 	MGMT_OP_PIN_CODE_REPLY,
64 	MGMT_OP_PIN_CODE_NEG_REPLY,
65 	MGMT_OP_SET_IO_CAPABILITY,
66 	MGMT_OP_PAIR_DEVICE,
67 	MGMT_OP_CANCEL_PAIR_DEVICE,
68 	MGMT_OP_UNPAIR_DEVICE,
69 	MGMT_OP_USER_CONFIRM_REPLY,
70 	MGMT_OP_USER_CONFIRM_NEG_REPLY,
71 	MGMT_OP_USER_PASSKEY_REPLY,
72 	MGMT_OP_USER_PASSKEY_NEG_REPLY,
73 	MGMT_OP_READ_LOCAL_OOB_DATA,
74 	MGMT_OP_ADD_REMOTE_OOB_DATA,
75 	MGMT_OP_REMOVE_REMOTE_OOB_DATA,
76 	MGMT_OP_START_DISCOVERY,
77 	MGMT_OP_STOP_DISCOVERY,
78 	MGMT_OP_CONFIRM_NAME,
79 	MGMT_OP_BLOCK_DEVICE,
80 	MGMT_OP_UNBLOCK_DEVICE,
81 	MGMT_OP_SET_DEVICE_ID,
82 	MGMT_OP_SET_ADVERTISING,
83 	MGMT_OP_SET_BREDR,
84 	MGMT_OP_SET_STATIC_ADDRESS,
85 	MGMT_OP_SET_SCAN_PARAMS,
86 	MGMT_OP_SET_SECURE_CONN,
87 	MGMT_OP_SET_DEBUG_KEYS,
88 	MGMT_OP_SET_PRIVACY,
89 	MGMT_OP_LOAD_IRKS,
90 	MGMT_OP_GET_CONN_INFO,
91 	MGMT_OP_GET_CLOCK_INFO,
92 	MGMT_OP_ADD_DEVICE,
93 	MGMT_OP_REMOVE_DEVICE,
94 	MGMT_OP_LOAD_CONN_PARAM,
95 	MGMT_OP_READ_UNCONF_INDEX_LIST,
96 	MGMT_OP_READ_CONFIG_INFO,
97 	MGMT_OP_SET_EXTERNAL_CONFIG,
98 	MGMT_OP_SET_PUBLIC_ADDRESS,
99 	MGMT_OP_START_SERVICE_DISCOVERY,
100 	MGMT_OP_READ_LOCAL_OOB_EXT_DATA,
101 	MGMT_OP_READ_EXT_INDEX_LIST,
102 	MGMT_OP_READ_ADV_FEATURES,
103 	MGMT_OP_ADD_ADVERTISING,
104 	MGMT_OP_REMOVE_ADVERTISING,
105 	MGMT_OP_GET_ADV_SIZE_INFO,
106 	MGMT_OP_START_LIMITED_DISCOVERY,
107 	MGMT_OP_READ_EXT_INFO,
108 	MGMT_OP_SET_APPEARANCE,
109 	MGMT_OP_SET_BLOCKED_KEYS,
110 	MGMT_OP_SET_WIDEBAND_SPEECH,
111 };
112 
113 static const u16 mgmt_events[] = {
114 	MGMT_EV_CONTROLLER_ERROR,
115 	MGMT_EV_INDEX_ADDED,
116 	MGMT_EV_INDEX_REMOVED,
117 	MGMT_EV_NEW_SETTINGS,
118 	MGMT_EV_CLASS_OF_DEV_CHANGED,
119 	MGMT_EV_LOCAL_NAME_CHANGED,
120 	MGMT_EV_NEW_LINK_KEY,
121 	MGMT_EV_NEW_LONG_TERM_KEY,
122 	MGMT_EV_DEVICE_CONNECTED,
123 	MGMT_EV_DEVICE_DISCONNECTED,
124 	MGMT_EV_CONNECT_FAILED,
125 	MGMT_EV_PIN_CODE_REQUEST,
126 	MGMT_EV_USER_CONFIRM_REQUEST,
127 	MGMT_EV_USER_PASSKEY_REQUEST,
128 	MGMT_EV_AUTH_FAILED,
129 	MGMT_EV_DEVICE_FOUND,
130 	MGMT_EV_DISCOVERING,
131 	MGMT_EV_DEVICE_BLOCKED,
132 	MGMT_EV_DEVICE_UNBLOCKED,
133 	MGMT_EV_DEVICE_UNPAIRED,
134 	MGMT_EV_PASSKEY_NOTIFY,
135 	MGMT_EV_NEW_IRK,
136 	MGMT_EV_NEW_CSRK,
137 	MGMT_EV_DEVICE_ADDED,
138 	MGMT_EV_DEVICE_REMOVED,
139 	MGMT_EV_NEW_CONN_PARAM,
140 	MGMT_EV_UNCONF_INDEX_ADDED,
141 	MGMT_EV_UNCONF_INDEX_REMOVED,
142 	MGMT_EV_NEW_CONFIG_OPTIONS,
143 	MGMT_EV_EXT_INDEX_ADDED,
144 	MGMT_EV_EXT_INDEX_REMOVED,
145 	MGMT_EV_LOCAL_OOB_DATA_UPDATED,
146 	MGMT_EV_ADVERTISING_ADDED,
147 	MGMT_EV_ADVERTISING_REMOVED,
148 	MGMT_EV_EXT_INFO_CHANGED,
149 };
150 
151 static const u16 mgmt_untrusted_commands[] = {
152 	MGMT_OP_READ_INDEX_LIST,
153 	MGMT_OP_READ_INFO,
154 	MGMT_OP_READ_UNCONF_INDEX_LIST,
155 	MGMT_OP_READ_CONFIG_INFO,
156 	MGMT_OP_READ_EXT_INDEX_LIST,
157 	MGMT_OP_READ_EXT_INFO,
158 };
159 
160 static const u16 mgmt_untrusted_events[] = {
161 	MGMT_EV_INDEX_ADDED,
162 	MGMT_EV_INDEX_REMOVED,
163 	MGMT_EV_NEW_SETTINGS,
164 	MGMT_EV_CLASS_OF_DEV_CHANGED,
165 	MGMT_EV_LOCAL_NAME_CHANGED,
166 	MGMT_EV_UNCONF_INDEX_ADDED,
167 	MGMT_EV_UNCONF_INDEX_REMOVED,
168 	MGMT_EV_NEW_CONFIG_OPTIONS,
169 	MGMT_EV_EXT_INDEX_ADDED,
170 	MGMT_EV_EXT_INDEX_REMOVED,
171 	MGMT_EV_EXT_INFO_CHANGED,
172 };
173 
174 #define CACHE_TIMEOUT	msecs_to_jiffies(2 * 1000)
175 
176 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
177 		 "\x00\x00\x00\x00\x00\x00\x00\x00"
178 
179 /* HCI to MGMT error code conversion table */
180 static const u8 mgmt_status_table[] = {
181 	MGMT_STATUS_SUCCESS,
182 	MGMT_STATUS_UNKNOWN_COMMAND,	/* Unknown Command */
183 	MGMT_STATUS_NOT_CONNECTED,	/* No Connection */
184 	MGMT_STATUS_FAILED,		/* Hardware Failure */
185 	MGMT_STATUS_CONNECT_FAILED,	/* Page Timeout */
186 	MGMT_STATUS_AUTH_FAILED,	/* Authentication Failed */
187 	MGMT_STATUS_AUTH_FAILED,	/* PIN or Key Missing */
188 	MGMT_STATUS_NO_RESOURCES,	/* Memory Full */
189 	MGMT_STATUS_TIMEOUT,		/* Connection Timeout */
190 	MGMT_STATUS_NO_RESOURCES,	/* Max Number of Connections */
191 	MGMT_STATUS_NO_RESOURCES,	/* Max Number of SCO Connections */
192 	MGMT_STATUS_ALREADY_CONNECTED,	/* ACL Connection Exists */
193 	MGMT_STATUS_BUSY,		/* Command Disallowed */
194 	MGMT_STATUS_NO_RESOURCES,	/* Rejected Limited Resources */
195 	MGMT_STATUS_REJECTED,		/* Rejected Security */
196 	MGMT_STATUS_REJECTED,		/* Rejected Personal */
197 	MGMT_STATUS_TIMEOUT,		/* Host Timeout */
198 	MGMT_STATUS_NOT_SUPPORTED,	/* Unsupported Feature */
199 	MGMT_STATUS_INVALID_PARAMS,	/* Invalid Parameters */
200 	MGMT_STATUS_DISCONNECTED,	/* OE User Ended Connection */
201 	MGMT_STATUS_NO_RESOURCES,	/* OE Low Resources */
202 	MGMT_STATUS_DISCONNECTED,	/* OE Power Off */
203 	MGMT_STATUS_DISCONNECTED,	/* Connection Terminated */
204 	MGMT_STATUS_BUSY,		/* Repeated Attempts */
205 	MGMT_STATUS_REJECTED,		/* Pairing Not Allowed */
206 	MGMT_STATUS_FAILED,		/* Unknown LMP PDU */
207 	MGMT_STATUS_NOT_SUPPORTED,	/* Unsupported Remote Feature */
208 	MGMT_STATUS_REJECTED,		/* SCO Offset Rejected */
209 	MGMT_STATUS_REJECTED,		/* SCO Interval Rejected */
210 	MGMT_STATUS_REJECTED,		/* Air Mode Rejected */
211 	MGMT_STATUS_INVALID_PARAMS,	/* Invalid LMP Parameters */
212 	MGMT_STATUS_FAILED,		/* Unspecified Error */
213 	MGMT_STATUS_NOT_SUPPORTED,	/* Unsupported LMP Parameter Value */
214 	MGMT_STATUS_FAILED,		/* Role Change Not Allowed */
215 	MGMT_STATUS_TIMEOUT,		/* LMP Response Timeout */
216 	MGMT_STATUS_FAILED,		/* LMP Error Transaction Collision */
217 	MGMT_STATUS_FAILED,		/* LMP PDU Not Allowed */
218 	MGMT_STATUS_REJECTED,		/* Encryption Mode Not Accepted */
219 	MGMT_STATUS_FAILED,		/* Unit Link Key Used */
220 	MGMT_STATUS_NOT_SUPPORTED,	/* QoS Not Supported */
221 	MGMT_STATUS_TIMEOUT,		/* Instant Passed */
222 	MGMT_STATUS_NOT_SUPPORTED,	/* Pairing Not Supported */
223 	MGMT_STATUS_FAILED,		/* Transaction Collision */
224 	MGMT_STATUS_INVALID_PARAMS,	/* Unacceptable Parameter */
225 	MGMT_STATUS_REJECTED,		/* QoS Rejected */
226 	MGMT_STATUS_NOT_SUPPORTED,	/* Classification Not Supported */
227 	MGMT_STATUS_REJECTED,		/* Insufficient Security */
228 	MGMT_STATUS_INVALID_PARAMS,	/* Parameter Out Of Range */
229 	MGMT_STATUS_BUSY,		/* Role Switch Pending */
230 	MGMT_STATUS_FAILED,		/* Slot Violation */
231 	MGMT_STATUS_FAILED,		/* Role Switch Failed */
232 	MGMT_STATUS_INVALID_PARAMS,	/* EIR Too Large */
233 	MGMT_STATUS_NOT_SUPPORTED,	/* Simple Pairing Not Supported */
234 	MGMT_STATUS_BUSY,		/* Host Busy Pairing */
235 	MGMT_STATUS_REJECTED,		/* Rejected, No Suitable Channel */
236 	MGMT_STATUS_BUSY,		/* Controller Busy */
237 	MGMT_STATUS_INVALID_PARAMS,	/* Unsuitable Connection Interval */
238 	MGMT_STATUS_TIMEOUT,		/* Directed Advertising Timeout */
239 	MGMT_STATUS_AUTH_FAILED,	/* Terminated Due to MIC Failure */
240 	MGMT_STATUS_CONNECT_FAILED,	/* Connection Establishment Failed */
241 	MGMT_STATUS_CONNECT_FAILED,	/* MAC Connection Failed */
242 };
243 
244 static u8 mgmt_status(u8 hci_status)
245 {
246 	if (hci_status < ARRAY_SIZE(mgmt_status_table))
247 		return mgmt_status_table[hci_status];
248 
249 	return MGMT_STATUS_FAILED;
250 }
251 
252 static int mgmt_index_event(u16 event, struct hci_dev *hdev, void *data,
253 			    u16 len, int flag)
254 {
255 	return mgmt_send_event(event, hdev, HCI_CHANNEL_CONTROL, data, len,
256 			       flag, NULL);
257 }
258 
259 static int mgmt_limited_event(u16 event, struct hci_dev *hdev, void *data,
260 			      u16 len, int flag, struct sock *skip_sk)
261 {
262 	return mgmt_send_event(event, hdev, HCI_CHANNEL_CONTROL, data, len,
263 			       flag, skip_sk);
264 }
265 
266 static int mgmt_event(u16 event, struct hci_dev *hdev, void *data, u16 len,
267 		      struct sock *skip_sk)
268 {
269 	return mgmt_send_event(event, hdev, HCI_CHANNEL_CONTROL, data, len,
270 			       HCI_SOCK_TRUSTED, skip_sk);
271 }
272 
273 static u8 le_addr_type(u8 mgmt_addr_type)
274 {
275 	if (mgmt_addr_type == BDADDR_LE_PUBLIC)
276 		return ADDR_LE_DEV_PUBLIC;
277 	else
278 		return ADDR_LE_DEV_RANDOM;
279 }
280 
281 void mgmt_fill_version_info(void *ver)
282 {
283 	struct mgmt_rp_read_version *rp = ver;
284 
285 	rp->version = MGMT_VERSION;
286 	rp->revision = cpu_to_le16(MGMT_REVISION);
287 }
288 
289 static int read_version(struct sock *sk, struct hci_dev *hdev, void *data,
290 			u16 data_len)
291 {
292 	struct mgmt_rp_read_version rp;
293 
294 	BT_DBG("sock %p", sk);
295 
296 	mgmt_fill_version_info(&rp);
297 
298 	return mgmt_cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_VERSION, 0,
299 				 &rp, sizeof(rp));
300 }
301 
302 static int read_commands(struct sock *sk, struct hci_dev *hdev, void *data,
303 			 u16 data_len)
304 {
305 	struct mgmt_rp_read_commands *rp;
306 	u16 num_commands, num_events;
307 	size_t rp_size;
308 	int i, err;
309 
310 	BT_DBG("sock %p", sk);
311 
312 	if (hci_sock_test_flag(sk, HCI_SOCK_TRUSTED)) {
313 		num_commands = ARRAY_SIZE(mgmt_commands);
314 		num_events = ARRAY_SIZE(mgmt_events);
315 	} else {
316 		num_commands = ARRAY_SIZE(mgmt_untrusted_commands);
317 		num_events = ARRAY_SIZE(mgmt_untrusted_events);
318 	}
319 
320 	rp_size = sizeof(*rp) + ((num_commands + num_events) * sizeof(u16));
321 
322 	rp = kmalloc(rp_size, GFP_KERNEL);
323 	if (!rp)
324 		return -ENOMEM;
325 
326 	rp->num_commands = cpu_to_le16(num_commands);
327 	rp->num_events = cpu_to_le16(num_events);
328 
329 	if (hci_sock_test_flag(sk, HCI_SOCK_TRUSTED)) {
330 		__le16 *opcode = rp->opcodes;
331 
332 		for (i = 0; i < num_commands; i++, opcode++)
333 			put_unaligned_le16(mgmt_commands[i], opcode);
334 
335 		for (i = 0; i < num_events; i++, opcode++)
336 			put_unaligned_le16(mgmt_events[i], opcode);
337 	} else {
338 		__le16 *opcode = rp->opcodes;
339 
340 		for (i = 0; i < num_commands; i++, opcode++)
341 			put_unaligned_le16(mgmt_untrusted_commands[i], opcode);
342 
343 		for (i = 0; i < num_events; i++, opcode++)
344 			put_unaligned_le16(mgmt_untrusted_events[i], opcode);
345 	}
346 
347 	err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_COMMANDS, 0,
348 				rp, rp_size);
349 	kfree(rp);
350 
351 	return err;
352 }
353 
354 static int read_index_list(struct sock *sk, struct hci_dev *hdev, void *data,
355 			   u16 data_len)
356 {
357 	struct mgmt_rp_read_index_list *rp;
358 	struct hci_dev *d;
359 	size_t rp_len;
360 	u16 count;
361 	int err;
362 
363 	BT_DBG("sock %p", sk);
364 
365 	read_lock(&hci_dev_list_lock);
366 
367 	count = 0;
368 	list_for_each_entry(d, &hci_dev_list, list) {
369 		if (d->dev_type == HCI_PRIMARY &&
370 		    !hci_dev_test_flag(d, HCI_UNCONFIGURED))
371 			count++;
372 	}
373 
374 	rp_len = sizeof(*rp) + (2 * count);
375 	rp = kmalloc(rp_len, GFP_ATOMIC);
376 	if (!rp) {
377 		read_unlock(&hci_dev_list_lock);
378 		return -ENOMEM;
379 	}
380 
381 	count = 0;
382 	list_for_each_entry(d, &hci_dev_list, list) {
383 		if (hci_dev_test_flag(d, HCI_SETUP) ||
384 		    hci_dev_test_flag(d, HCI_CONFIG) ||
385 		    hci_dev_test_flag(d, HCI_USER_CHANNEL))
386 			continue;
387 
388 		/* Devices marked as raw-only are neither configured
389 		 * nor unconfigured controllers.
390 		 */
391 		if (test_bit(HCI_QUIRK_RAW_DEVICE, &d->quirks))
392 			continue;
393 
394 		if (d->dev_type == HCI_PRIMARY &&
395 		    !hci_dev_test_flag(d, HCI_UNCONFIGURED)) {
396 			rp->index[count++] = cpu_to_le16(d->id);
397 			BT_DBG("Added hci%u", d->id);
398 		}
399 	}
400 
401 	rp->num_controllers = cpu_to_le16(count);
402 	rp_len = sizeof(*rp) + (2 * count);
403 
404 	read_unlock(&hci_dev_list_lock);
405 
406 	err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_INDEX_LIST,
407 				0, rp, rp_len);
408 
409 	kfree(rp);
410 
411 	return err;
412 }
413 
414 static int read_unconf_index_list(struct sock *sk, struct hci_dev *hdev,
415 				  void *data, u16 data_len)
416 {
417 	struct mgmt_rp_read_unconf_index_list *rp;
418 	struct hci_dev *d;
419 	size_t rp_len;
420 	u16 count;
421 	int err;
422 
423 	BT_DBG("sock %p", sk);
424 
425 	read_lock(&hci_dev_list_lock);
426 
427 	count = 0;
428 	list_for_each_entry(d, &hci_dev_list, list) {
429 		if (d->dev_type == HCI_PRIMARY &&
430 		    hci_dev_test_flag(d, HCI_UNCONFIGURED))
431 			count++;
432 	}
433 
434 	rp_len = sizeof(*rp) + (2 * count);
435 	rp = kmalloc(rp_len, GFP_ATOMIC);
436 	if (!rp) {
437 		read_unlock(&hci_dev_list_lock);
438 		return -ENOMEM;
439 	}
440 
441 	count = 0;
442 	list_for_each_entry(d, &hci_dev_list, list) {
443 		if (hci_dev_test_flag(d, HCI_SETUP) ||
444 		    hci_dev_test_flag(d, HCI_CONFIG) ||
445 		    hci_dev_test_flag(d, HCI_USER_CHANNEL))
446 			continue;
447 
448 		/* Devices marked as raw-only are neither configured
449 		 * nor unconfigured controllers.
450 		 */
451 		if (test_bit(HCI_QUIRK_RAW_DEVICE, &d->quirks))
452 			continue;
453 
454 		if (d->dev_type == HCI_PRIMARY &&
455 		    hci_dev_test_flag(d, HCI_UNCONFIGURED)) {
456 			rp->index[count++] = cpu_to_le16(d->id);
457 			BT_DBG("Added hci%u", d->id);
458 		}
459 	}
460 
461 	rp->num_controllers = cpu_to_le16(count);
462 	rp_len = sizeof(*rp) + (2 * count);
463 
464 	read_unlock(&hci_dev_list_lock);
465 
466 	err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE,
467 				MGMT_OP_READ_UNCONF_INDEX_LIST, 0, rp, rp_len);
468 
469 	kfree(rp);
470 
471 	return err;
472 }
473 
474 static int read_ext_index_list(struct sock *sk, struct hci_dev *hdev,
475 			       void *data, u16 data_len)
476 {
477 	struct mgmt_rp_read_ext_index_list *rp;
478 	struct hci_dev *d;
479 	u16 count;
480 	int err;
481 
482 	BT_DBG("sock %p", sk);
483 
484 	read_lock(&hci_dev_list_lock);
485 
486 	count = 0;
487 	list_for_each_entry(d, &hci_dev_list, list) {
488 		if (d->dev_type == HCI_PRIMARY || d->dev_type == HCI_AMP)
489 			count++;
490 	}
491 
492 	rp = kmalloc(struct_size(rp, entry, count), GFP_ATOMIC);
493 	if (!rp) {
494 		read_unlock(&hci_dev_list_lock);
495 		return -ENOMEM;
496 	}
497 
498 	count = 0;
499 	list_for_each_entry(d, &hci_dev_list, list) {
500 		if (hci_dev_test_flag(d, HCI_SETUP) ||
501 		    hci_dev_test_flag(d, HCI_CONFIG) ||
502 		    hci_dev_test_flag(d, HCI_USER_CHANNEL))
503 			continue;
504 
505 		/* Devices marked as raw-only are neither configured
506 		 * nor unconfigured controllers.
507 		 */
508 		if (test_bit(HCI_QUIRK_RAW_DEVICE, &d->quirks))
509 			continue;
510 
511 		if (d->dev_type == HCI_PRIMARY) {
512 			if (hci_dev_test_flag(d, HCI_UNCONFIGURED))
513 				rp->entry[count].type = 0x01;
514 			else
515 				rp->entry[count].type = 0x00;
516 		} else if (d->dev_type == HCI_AMP) {
517 			rp->entry[count].type = 0x02;
518 		} else {
519 			continue;
520 		}
521 
522 		rp->entry[count].bus = d->bus;
523 		rp->entry[count++].index = cpu_to_le16(d->id);
524 		BT_DBG("Added hci%u", d->id);
525 	}
526 
527 	rp->num_controllers = cpu_to_le16(count);
528 
529 	read_unlock(&hci_dev_list_lock);
530 
531 	/* If this command is called at least once, then all the
532 	 * default index and unconfigured index events are disabled
533 	 * and from now on only extended index events are used.
534 	 */
535 	hci_sock_set_flag(sk, HCI_MGMT_EXT_INDEX_EVENTS);
536 	hci_sock_clear_flag(sk, HCI_MGMT_INDEX_EVENTS);
537 	hci_sock_clear_flag(sk, HCI_MGMT_UNCONF_INDEX_EVENTS);
538 
539 	err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE,
540 				MGMT_OP_READ_EXT_INDEX_LIST, 0, rp,
541 				struct_size(rp, entry, count));
542 
543 	kfree(rp);
544 
545 	return err;
546 }
547 
548 static bool is_configured(struct hci_dev *hdev)
549 {
550 	if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) &&
551 	    !hci_dev_test_flag(hdev, HCI_EXT_CONFIGURED))
552 		return false;
553 
554 	if ((test_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks) ||
555 	     test_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks)) &&
556 	    !bacmp(&hdev->public_addr, BDADDR_ANY))
557 		return false;
558 
559 	return true;
560 }
561 
562 static __le32 get_missing_options(struct hci_dev *hdev)
563 {
564 	u32 options = 0;
565 
566 	if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) &&
567 	    !hci_dev_test_flag(hdev, HCI_EXT_CONFIGURED))
568 		options |= MGMT_OPTION_EXTERNAL_CONFIG;
569 
570 	if ((test_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks) ||
571 	     test_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks)) &&
572 	    !bacmp(&hdev->public_addr, BDADDR_ANY))
573 		options |= MGMT_OPTION_PUBLIC_ADDRESS;
574 
575 	return cpu_to_le32(options);
576 }
577 
578 static int new_options(struct hci_dev *hdev, struct sock *skip)
579 {
580 	__le32 options = get_missing_options(hdev);
581 
582 	return mgmt_limited_event(MGMT_EV_NEW_CONFIG_OPTIONS, hdev, &options,
583 				  sizeof(options), HCI_MGMT_OPTION_EVENTS, skip);
584 }
585 
586 static int send_options_rsp(struct sock *sk, u16 opcode, struct hci_dev *hdev)
587 {
588 	__le32 options = get_missing_options(hdev);
589 
590 	return mgmt_cmd_complete(sk, hdev->id, opcode, 0, &options,
591 				 sizeof(options));
592 }
593 
594 static int read_config_info(struct sock *sk, struct hci_dev *hdev,
595 			    void *data, u16 data_len)
596 {
597 	struct mgmt_rp_read_config_info rp;
598 	u32 options = 0;
599 
600 	BT_DBG("sock %p %s", sk, hdev->name);
601 
602 	hci_dev_lock(hdev);
603 
604 	memset(&rp, 0, sizeof(rp));
605 	rp.manufacturer = cpu_to_le16(hdev->manufacturer);
606 
607 	if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks))
608 		options |= MGMT_OPTION_EXTERNAL_CONFIG;
609 
610 	if (hdev->set_bdaddr)
611 		options |= MGMT_OPTION_PUBLIC_ADDRESS;
612 
613 	rp.supported_options = cpu_to_le32(options);
614 	rp.missing_options = get_missing_options(hdev);
615 
616 	hci_dev_unlock(hdev);
617 
618 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_CONFIG_INFO, 0,
619 				 &rp, sizeof(rp));
620 }
621 
622 static u32 get_supported_phys(struct hci_dev *hdev)
623 {
624 	u32 supported_phys = 0;
625 
626 	if (lmp_bredr_capable(hdev)) {
627 		supported_phys |= MGMT_PHY_BR_1M_1SLOT;
628 
629 		if (hdev->features[0][0] & LMP_3SLOT)
630 			supported_phys |= MGMT_PHY_BR_1M_3SLOT;
631 
632 		if (hdev->features[0][0] & LMP_5SLOT)
633 			supported_phys |= MGMT_PHY_BR_1M_5SLOT;
634 
635 		if (lmp_edr_2m_capable(hdev)) {
636 			supported_phys |= MGMT_PHY_EDR_2M_1SLOT;
637 
638 			if (lmp_edr_3slot_capable(hdev))
639 				supported_phys |= MGMT_PHY_EDR_2M_3SLOT;
640 
641 			if (lmp_edr_5slot_capable(hdev))
642 				supported_phys |= MGMT_PHY_EDR_2M_5SLOT;
643 
644 			if (lmp_edr_3m_capable(hdev)) {
645 				supported_phys |= MGMT_PHY_EDR_3M_1SLOT;
646 
647 				if (lmp_edr_3slot_capable(hdev))
648 					supported_phys |= MGMT_PHY_EDR_3M_3SLOT;
649 
650 				if (lmp_edr_5slot_capable(hdev))
651 					supported_phys |= MGMT_PHY_EDR_3M_5SLOT;
652 			}
653 		}
654 	}
655 
656 	if (lmp_le_capable(hdev)) {
657 		supported_phys |= MGMT_PHY_LE_1M_TX;
658 		supported_phys |= MGMT_PHY_LE_1M_RX;
659 
660 		if (hdev->le_features[1] & HCI_LE_PHY_2M) {
661 			supported_phys |= MGMT_PHY_LE_2M_TX;
662 			supported_phys |= MGMT_PHY_LE_2M_RX;
663 		}
664 
665 		if (hdev->le_features[1] & HCI_LE_PHY_CODED) {
666 			supported_phys |= MGMT_PHY_LE_CODED_TX;
667 			supported_phys |= MGMT_PHY_LE_CODED_RX;
668 		}
669 	}
670 
671 	return supported_phys;
672 }
673 
674 static u32 get_selected_phys(struct hci_dev *hdev)
675 {
676 	u32 selected_phys = 0;
677 
678 	if (lmp_bredr_capable(hdev)) {
679 		selected_phys |= MGMT_PHY_BR_1M_1SLOT;
680 
681 		if (hdev->pkt_type & (HCI_DM3 | HCI_DH3))
682 			selected_phys |= MGMT_PHY_BR_1M_3SLOT;
683 
684 		if (hdev->pkt_type & (HCI_DM5 | HCI_DH5))
685 			selected_phys |= MGMT_PHY_BR_1M_5SLOT;
686 
687 		if (lmp_edr_2m_capable(hdev)) {
688 			if (!(hdev->pkt_type & HCI_2DH1))
689 				selected_phys |= MGMT_PHY_EDR_2M_1SLOT;
690 
691 			if (lmp_edr_3slot_capable(hdev) &&
692 			    !(hdev->pkt_type & HCI_2DH3))
693 				selected_phys |= MGMT_PHY_EDR_2M_3SLOT;
694 
695 			if (lmp_edr_5slot_capable(hdev) &&
696 			    !(hdev->pkt_type & HCI_2DH5))
697 				selected_phys |= MGMT_PHY_EDR_2M_5SLOT;
698 
699 			if (lmp_edr_3m_capable(hdev)) {
700 				if (!(hdev->pkt_type & HCI_3DH1))
701 					selected_phys |= MGMT_PHY_EDR_3M_1SLOT;
702 
703 				if (lmp_edr_3slot_capable(hdev) &&
704 				    !(hdev->pkt_type & HCI_3DH3))
705 					selected_phys |= MGMT_PHY_EDR_3M_3SLOT;
706 
707 				if (lmp_edr_5slot_capable(hdev) &&
708 				    !(hdev->pkt_type & HCI_3DH5))
709 					selected_phys |= MGMT_PHY_EDR_3M_5SLOT;
710 			}
711 		}
712 	}
713 
714 	if (lmp_le_capable(hdev)) {
715 		if (hdev->le_tx_def_phys & HCI_LE_SET_PHY_1M)
716 			selected_phys |= MGMT_PHY_LE_1M_TX;
717 
718 		if (hdev->le_rx_def_phys & HCI_LE_SET_PHY_1M)
719 			selected_phys |= MGMT_PHY_LE_1M_RX;
720 
721 		if (hdev->le_tx_def_phys & HCI_LE_SET_PHY_2M)
722 			selected_phys |= MGMT_PHY_LE_2M_TX;
723 
724 		if (hdev->le_rx_def_phys & HCI_LE_SET_PHY_2M)
725 			selected_phys |= MGMT_PHY_LE_2M_RX;
726 
727 		if (hdev->le_tx_def_phys & HCI_LE_SET_PHY_CODED)
728 			selected_phys |= MGMT_PHY_LE_CODED_TX;
729 
730 		if (hdev->le_rx_def_phys & HCI_LE_SET_PHY_CODED)
731 			selected_phys |= MGMT_PHY_LE_CODED_RX;
732 	}
733 
734 	return selected_phys;
735 }
736 
737 static u32 get_configurable_phys(struct hci_dev *hdev)
738 {
739 	return (get_supported_phys(hdev) & ~MGMT_PHY_BR_1M_1SLOT &
740 		~MGMT_PHY_LE_1M_TX & ~MGMT_PHY_LE_1M_RX);
741 }
742 
743 static u32 get_supported_settings(struct hci_dev *hdev)
744 {
745 	u32 settings = 0;
746 
747 	settings |= MGMT_SETTING_POWERED;
748 	settings |= MGMT_SETTING_BONDABLE;
749 	settings |= MGMT_SETTING_DEBUG_KEYS;
750 	settings |= MGMT_SETTING_CONNECTABLE;
751 	settings |= MGMT_SETTING_DISCOVERABLE;
752 
753 	if (lmp_bredr_capable(hdev)) {
754 		if (hdev->hci_ver >= BLUETOOTH_VER_1_2)
755 			settings |= MGMT_SETTING_FAST_CONNECTABLE;
756 		settings |= MGMT_SETTING_BREDR;
757 		settings |= MGMT_SETTING_LINK_SECURITY;
758 
759 		if (lmp_ssp_capable(hdev)) {
760 			settings |= MGMT_SETTING_SSP;
761 			settings |= MGMT_SETTING_HS;
762 		}
763 
764 		if (lmp_sc_capable(hdev))
765 			settings |= MGMT_SETTING_SECURE_CONN;
766 
767 		if (test_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED,
768 			     &hdev->quirks))
769 			settings |= MGMT_SETTING_WIDEBAND_SPEECH;
770 	}
771 
772 	if (lmp_le_capable(hdev)) {
773 		settings |= MGMT_SETTING_LE;
774 		settings |= MGMT_SETTING_ADVERTISING;
775 		settings |= MGMT_SETTING_SECURE_CONN;
776 		settings |= MGMT_SETTING_PRIVACY;
777 		settings |= MGMT_SETTING_STATIC_ADDRESS;
778 	}
779 
780 	if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) ||
781 	    hdev->set_bdaddr)
782 		settings |= MGMT_SETTING_CONFIGURATION;
783 
784 	settings |= MGMT_SETTING_PHY_CONFIGURATION;
785 
786 	return settings;
787 }
788 
789 static u32 get_current_settings(struct hci_dev *hdev)
790 {
791 	u32 settings = 0;
792 
793 	if (hdev_is_powered(hdev))
794 		settings |= MGMT_SETTING_POWERED;
795 
796 	if (hci_dev_test_flag(hdev, HCI_CONNECTABLE))
797 		settings |= MGMT_SETTING_CONNECTABLE;
798 
799 	if (hci_dev_test_flag(hdev, HCI_FAST_CONNECTABLE))
800 		settings |= MGMT_SETTING_FAST_CONNECTABLE;
801 
802 	if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE))
803 		settings |= MGMT_SETTING_DISCOVERABLE;
804 
805 	if (hci_dev_test_flag(hdev, HCI_BONDABLE))
806 		settings |= MGMT_SETTING_BONDABLE;
807 
808 	if (hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
809 		settings |= MGMT_SETTING_BREDR;
810 
811 	if (hci_dev_test_flag(hdev, HCI_LE_ENABLED))
812 		settings |= MGMT_SETTING_LE;
813 
814 	if (hci_dev_test_flag(hdev, HCI_LINK_SECURITY))
815 		settings |= MGMT_SETTING_LINK_SECURITY;
816 
817 	if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
818 		settings |= MGMT_SETTING_SSP;
819 
820 	if (hci_dev_test_flag(hdev, HCI_HS_ENABLED))
821 		settings |= MGMT_SETTING_HS;
822 
823 	if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
824 		settings |= MGMT_SETTING_ADVERTISING;
825 
826 	if (hci_dev_test_flag(hdev, HCI_SC_ENABLED))
827 		settings |= MGMT_SETTING_SECURE_CONN;
828 
829 	if (hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS))
830 		settings |= MGMT_SETTING_DEBUG_KEYS;
831 
832 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
833 		settings |= MGMT_SETTING_PRIVACY;
834 
835 	/* The current setting for static address has two purposes. The
836 	 * first is to indicate if the static address will be used and
837 	 * the second is to indicate if it is actually set.
838 	 *
839 	 * This means if the static address is not configured, this flag
840 	 * will never be set. If the address is configured, then if the
841 	 * address is actually used decides if the flag is set or not.
842 	 *
843 	 * For single mode LE only controllers and dual-mode controllers
844 	 * with BR/EDR disabled, the existence of the static address will
845 	 * be evaluated.
846 	 */
847 	if (hci_dev_test_flag(hdev, HCI_FORCE_STATIC_ADDR) ||
848 	    !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) ||
849 	    !bacmp(&hdev->bdaddr, BDADDR_ANY)) {
850 		if (bacmp(&hdev->static_addr, BDADDR_ANY))
851 			settings |= MGMT_SETTING_STATIC_ADDRESS;
852 	}
853 
854 	if (hci_dev_test_flag(hdev, HCI_WIDEBAND_SPEECH_ENABLED))
855 		settings |= MGMT_SETTING_WIDEBAND_SPEECH;
856 
857 	return settings;
858 }
859 
860 static struct mgmt_pending_cmd *pending_find(u16 opcode, struct hci_dev *hdev)
861 {
862 	return mgmt_pending_find(HCI_CHANNEL_CONTROL, opcode, hdev);
863 }
864 
865 static struct mgmt_pending_cmd *pending_find_data(u16 opcode,
866 						  struct hci_dev *hdev,
867 						  const void *data)
868 {
869 	return mgmt_pending_find_data(HCI_CHANNEL_CONTROL, opcode, hdev, data);
870 }
871 
872 u8 mgmt_get_adv_discov_flags(struct hci_dev *hdev)
873 {
874 	struct mgmt_pending_cmd *cmd;
875 
876 	/* If there's a pending mgmt command the flags will not yet have
877 	 * their final values, so check for this first.
878 	 */
879 	cmd = pending_find(MGMT_OP_SET_DISCOVERABLE, hdev);
880 	if (cmd) {
881 		struct mgmt_mode *cp = cmd->param;
882 		if (cp->val == 0x01)
883 			return LE_AD_GENERAL;
884 		else if (cp->val == 0x02)
885 			return LE_AD_LIMITED;
886 	} else {
887 		if (hci_dev_test_flag(hdev, HCI_LIMITED_DISCOVERABLE))
888 			return LE_AD_LIMITED;
889 		else if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE))
890 			return LE_AD_GENERAL;
891 	}
892 
893 	return 0;
894 }
895 
896 bool mgmt_get_connectable(struct hci_dev *hdev)
897 {
898 	struct mgmt_pending_cmd *cmd;
899 
900 	/* If there's a pending mgmt command the flag will not yet have
901 	 * it's final value, so check for this first.
902 	 */
903 	cmd = pending_find(MGMT_OP_SET_CONNECTABLE, hdev);
904 	if (cmd) {
905 		struct mgmt_mode *cp = cmd->param;
906 
907 		return cp->val;
908 	}
909 
910 	return hci_dev_test_flag(hdev, HCI_CONNECTABLE);
911 }
912 
913 static void service_cache_off(struct work_struct *work)
914 {
915 	struct hci_dev *hdev = container_of(work, struct hci_dev,
916 					    service_cache.work);
917 	struct hci_request req;
918 
919 	if (!hci_dev_test_and_clear_flag(hdev, HCI_SERVICE_CACHE))
920 		return;
921 
922 	hci_req_init(&req, hdev);
923 
924 	hci_dev_lock(hdev);
925 
926 	__hci_req_update_eir(&req);
927 	__hci_req_update_class(&req);
928 
929 	hci_dev_unlock(hdev);
930 
931 	hci_req_run(&req, NULL);
932 }
933 
934 static void rpa_expired(struct work_struct *work)
935 {
936 	struct hci_dev *hdev = container_of(work, struct hci_dev,
937 					    rpa_expired.work);
938 	struct hci_request req;
939 
940 	BT_DBG("");
941 
942 	hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
943 
944 	if (!hci_dev_test_flag(hdev, HCI_ADVERTISING))
945 		return;
946 
947 	/* The generation of a new RPA and programming it into the
948 	 * controller happens in the hci_req_enable_advertising()
949 	 * function.
950 	 */
951 	hci_req_init(&req, hdev);
952 	if (ext_adv_capable(hdev))
953 		__hci_req_start_ext_adv(&req, hdev->cur_adv_instance);
954 	else
955 		__hci_req_enable_advertising(&req);
956 	hci_req_run(&req, NULL);
957 }
958 
959 static void mgmt_init_hdev(struct sock *sk, struct hci_dev *hdev)
960 {
961 	if (hci_dev_test_and_set_flag(hdev, HCI_MGMT))
962 		return;
963 
964 	INIT_DELAYED_WORK(&hdev->service_cache, service_cache_off);
965 	INIT_DELAYED_WORK(&hdev->rpa_expired, rpa_expired);
966 
967 	/* Non-mgmt controlled devices get this bit set
968 	 * implicitly so that pairing works for them, however
969 	 * for mgmt we require user-space to explicitly enable
970 	 * it
971 	 */
972 	hci_dev_clear_flag(hdev, HCI_BONDABLE);
973 }
974 
975 static int read_controller_info(struct sock *sk, struct hci_dev *hdev,
976 				void *data, u16 data_len)
977 {
978 	struct mgmt_rp_read_info rp;
979 
980 	BT_DBG("sock %p %s", sk, hdev->name);
981 
982 	hci_dev_lock(hdev);
983 
984 	memset(&rp, 0, sizeof(rp));
985 
986 	bacpy(&rp.bdaddr, &hdev->bdaddr);
987 
988 	rp.version = hdev->hci_ver;
989 	rp.manufacturer = cpu_to_le16(hdev->manufacturer);
990 
991 	rp.supported_settings = cpu_to_le32(get_supported_settings(hdev));
992 	rp.current_settings = cpu_to_le32(get_current_settings(hdev));
993 
994 	memcpy(rp.dev_class, hdev->dev_class, 3);
995 
996 	memcpy(rp.name, hdev->dev_name, sizeof(hdev->dev_name));
997 	memcpy(rp.short_name, hdev->short_name, sizeof(hdev->short_name));
998 
999 	hci_dev_unlock(hdev);
1000 
1001 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_INFO, 0, &rp,
1002 				 sizeof(rp));
1003 }
1004 
1005 static u16 append_eir_data_to_buf(struct hci_dev *hdev, u8 *eir)
1006 {
1007 	u16 eir_len = 0;
1008 	size_t name_len;
1009 
1010 	if (hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1011 		eir_len = eir_append_data(eir, eir_len, EIR_CLASS_OF_DEV,
1012 					  hdev->dev_class, 3);
1013 
1014 	if (hci_dev_test_flag(hdev, HCI_LE_ENABLED))
1015 		eir_len = eir_append_le16(eir, eir_len, EIR_APPEARANCE,
1016 					  hdev->appearance);
1017 
1018 	name_len = strlen(hdev->dev_name);
1019 	eir_len = eir_append_data(eir, eir_len, EIR_NAME_COMPLETE,
1020 				  hdev->dev_name, name_len);
1021 
1022 	name_len = strlen(hdev->short_name);
1023 	eir_len = eir_append_data(eir, eir_len, EIR_NAME_SHORT,
1024 				  hdev->short_name, name_len);
1025 
1026 	return eir_len;
1027 }
1028 
1029 static int read_ext_controller_info(struct sock *sk, struct hci_dev *hdev,
1030 				    void *data, u16 data_len)
1031 {
1032 	char buf[512];
1033 	struct mgmt_rp_read_ext_info *rp = (void *)buf;
1034 	u16 eir_len;
1035 
1036 	BT_DBG("sock %p %s", sk, hdev->name);
1037 
1038 	memset(&buf, 0, sizeof(buf));
1039 
1040 	hci_dev_lock(hdev);
1041 
1042 	bacpy(&rp->bdaddr, &hdev->bdaddr);
1043 
1044 	rp->version = hdev->hci_ver;
1045 	rp->manufacturer = cpu_to_le16(hdev->manufacturer);
1046 
1047 	rp->supported_settings = cpu_to_le32(get_supported_settings(hdev));
1048 	rp->current_settings = cpu_to_le32(get_current_settings(hdev));
1049 
1050 
1051 	eir_len = append_eir_data_to_buf(hdev, rp->eir);
1052 	rp->eir_len = cpu_to_le16(eir_len);
1053 
1054 	hci_dev_unlock(hdev);
1055 
1056 	/* If this command is called at least once, then the events
1057 	 * for class of device and local name changes are disabled
1058 	 * and only the new extended controller information event
1059 	 * is used.
1060 	 */
1061 	hci_sock_set_flag(sk, HCI_MGMT_EXT_INFO_EVENTS);
1062 	hci_sock_clear_flag(sk, HCI_MGMT_DEV_CLASS_EVENTS);
1063 	hci_sock_clear_flag(sk, HCI_MGMT_LOCAL_NAME_EVENTS);
1064 
1065 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_EXT_INFO, 0, rp,
1066 				 sizeof(*rp) + eir_len);
1067 }
1068 
1069 static int ext_info_changed(struct hci_dev *hdev, struct sock *skip)
1070 {
1071 	char buf[512];
1072 	struct mgmt_ev_ext_info_changed *ev = (void *)buf;
1073 	u16 eir_len;
1074 
1075 	memset(buf, 0, sizeof(buf));
1076 
1077 	eir_len = append_eir_data_to_buf(hdev, ev->eir);
1078 	ev->eir_len = cpu_to_le16(eir_len);
1079 
1080 	return mgmt_limited_event(MGMT_EV_EXT_INFO_CHANGED, hdev, ev,
1081 				  sizeof(*ev) + eir_len,
1082 				  HCI_MGMT_EXT_INFO_EVENTS, skip);
1083 }
1084 
1085 static int send_settings_rsp(struct sock *sk, u16 opcode, struct hci_dev *hdev)
1086 {
1087 	__le32 settings = cpu_to_le32(get_current_settings(hdev));
1088 
1089 	return mgmt_cmd_complete(sk, hdev->id, opcode, 0, &settings,
1090 				 sizeof(settings));
1091 }
1092 
1093 static void clean_up_hci_complete(struct hci_dev *hdev, u8 status, u16 opcode)
1094 {
1095 	BT_DBG("%s status 0x%02x", hdev->name, status);
1096 
1097 	if (hci_conn_count(hdev) == 0) {
1098 		cancel_delayed_work(&hdev->power_off);
1099 		queue_work(hdev->req_workqueue, &hdev->power_off.work);
1100 	}
1101 }
1102 
1103 void mgmt_advertising_added(struct sock *sk, struct hci_dev *hdev, u8 instance)
1104 {
1105 	struct mgmt_ev_advertising_added ev;
1106 
1107 	ev.instance = instance;
1108 
1109 	mgmt_event(MGMT_EV_ADVERTISING_ADDED, hdev, &ev, sizeof(ev), sk);
1110 }
1111 
1112 void mgmt_advertising_removed(struct sock *sk, struct hci_dev *hdev,
1113 			      u8 instance)
1114 {
1115 	struct mgmt_ev_advertising_removed ev;
1116 
1117 	ev.instance = instance;
1118 
1119 	mgmt_event(MGMT_EV_ADVERTISING_REMOVED, hdev, &ev, sizeof(ev), sk);
1120 }
1121 
1122 static void cancel_adv_timeout(struct hci_dev *hdev)
1123 {
1124 	if (hdev->adv_instance_timeout) {
1125 		hdev->adv_instance_timeout = 0;
1126 		cancel_delayed_work(&hdev->adv_instance_expire);
1127 	}
1128 }
1129 
1130 static int clean_up_hci_state(struct hci_dev *hdev)
1131 {
1132 	struct hci_request req;
1133 	struct hci_conn *conn;
1134 	bool discov_stopped;
1135 	int err;
1136 
1137 	hci_req_init(&req, hdev);
1138 
1139 	if (test_bit(HCI_ISCAN, &hdev->flags) ||
1140 	    test_bit(HCI_PSCAN, &hdev->flags)) {
1141 		u8 scan = 0x00;
1142 		hci_req_add(&req, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
1143 	}
1144 
1145 	hci_req_clear_adv_instance(hdev, NULL, NULL, 0x00, false);
1146 
1147 	if (hci_dev_test_flag(hdev, HCI_LE_ADV))
1148 		__hci_req_disable_advertising(&req);
1149 
1150 	discov_stopped = hci_req_stop_discovery(&req);
1151 
1152 	list_for_each_entry(conn, &hdev->conn_hash.list, list) {
1153 		/* 0x15 == Terminated due to Power Off */
1154 		__hci_abort_conn(&req, conn, 0x15);
1155 	}
1156 
1157 	err = hci_req_run(&req, clean_up_hci_complete);
1158 	if (!err && discov_stopped)
1159 		hci_discovery_set_state(hdev, DISCOVERY_STOPPING);
1160 
1161 	return err;
1162 }
1163 
1164 static int set_powered(struct sock *sk, struct hci_dev *hdev, void *data,
1165 		       u16 len)
1166 {
1167 	struct mgmt_mode *cp = data;
1168 	struct mgmt_pending_cmd *cmd;
1169 	int err;
1170 
1171 	BT_DBG("request for %s", hdev->name);
1172 
1173 	if (cp->val != 0x00 && cp->val != 0x01)
1174 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_POWERED,
1175 				       MGMT_STATUS_INVALID_PARAMS);
1176 
1177 	hci_dev_lock(hdev);
1178 
1179 	if (pending_find(MGMT_OP_SET_POWERED, hdev)) {
1180 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_POWERED,
1181 				      MGMT_STATUS_BUSY);
1182 		goto failed;
1183 	}
1184 
1185 	if (!!cp->val == hdev_is_powered(hdev)) {
1186 		err = send_settings_rsp(sk, MGMT_OP_SET_POWERED, hdev);
1187 		goto failed;
1188 	}
1189 
1190 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_POWERED, hdev, data, len);
1191 	if (!cmd) {
1192 		err = -ENOMEM;
1193 		goto failed;
1194 	}
1195 
1196 	if (cp->val) {
1197 		queue_work(hdev->req_workqueue, &hdev->power_on);
1198 		err = 0;
1199 	} else {
1200 		/* Disconnect connections, stop scans, etc */
1201 		err = clean_up_hci_state(hdev);
1202 		if (!err)
1203 			queue_delayed_work(hdev->req_workqueue, &hdev->power_off,
1204 					   HCI_POWER_OFF_TIMEOUT);
1205 
1206 		/* ENODATA means there were no HCI commands queued */
1207 		if (err == -ENODATA) {
1208 			cancel_delayed_work(&hdev->power_off);
1209 			queue_work(hdev->req_workqueue, &hdev->power_off.work);
1210 			err = 0;
1211 		}
1212 	}
1213 
1214 failed:
1215 	hci_dev_unlock(hdev);
1216 	return err;
1217 }
1218 
1219 static int new_settings(struct hci_dev *hdev, struct sock *skip)
1220 {
1221 	__le32 ev = cpu_to_le32(get_current_settings(hdev));
1222 
1223 	return mgmt_limited_event(MGMT_EV_NEW_SETTINGS, hdev, &ev,
1224 				  sizeof(ev), HCI_MGMT_SETTING_EVENTS, skip);
1225 }
1226 
1227 int mgmt_new_settings(struct hci_dev *hdev)
1228 {
1229 	return new_settings(hdev, NULL);
1230 }
1231 
1232 struct cmd_lookup {
1233 	struct sock *sk;
1234 	struct hci_dev *hdev;
1235 	u8 mgmt_status;
1236 };
1237 
1238 static void settings_rsp(struct mgmt_pending_cmd *cmd, void *data)
1239 {
1240 	struct cmd_lookup *match = data;
1241 
1242 	send_settings_rsp(cmd->sk, cmd->opcode, match->hdev);
1243 
1244 	list_del(&cmd->list);
1245 
1246 	if (match->sk == NULL) {
1247 		match->sk = cmd->sk;
1248 		sock_hold(match->sk);
1249 	}
1250 
1251 	mgmt_pending_free(cmd);
1252 }
1253 
1254 static void cmd_status_rsp(struct mgmt_pending_cmd *cmd, void *data)
1255 {
1256 	u8 *status = data;
1257 
1258 	mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, *status);
1259 	mgmt_pending_remove(cmd);
1260 }
1261 
1262 static void cmd_complete_rsp(struct mgmt_pending_cmd *cmd, void *data)
1263 {
1264 	if (cmd->cmd_complete) {
1265 		u8 *status = data;
1266 
1267 		cmd->cmd_complete(cmd, *status);
1268 		mgmt_pending_remove(cmd);
1269 
1270 		return;
1271 	}
1272 
1273 	cmd_status_rsp(cmd, data);
1274 }
1275 
1276 static int generic_cmd_complete(struct mgmt_pending_cmd *cmd, u8 status)
1277 {
1278 	return mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status,
1279 				 cmd->param, cmd->param_len);
1280 }
1281 
1282 static int addr_cmd_complete(struct mgmt_pending_cmd *cmd, u8 status)
1283 {
1284 	return mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status,
1285 				 cmd->param, sizeof(struct mgmt_addr_info));
1286 }
1287 
1288 static u8 mgmt_bredr_support(struct hci_dev *hdev)
1289 {
1290 	if (!lmp_bredr_capable(hdev))
1291 		return MGMT_STATUS_NOT_SUPPORTED;
1292 	else if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1293 		return MGMT_STATUS_REJECTED;
1294 	else
1295 		return MGMT_STATUS_SUCCESS;
1296 }
1297 
1298 static u8 mgmt_le_support(struct hci_dev *hdev)
1299 {
1300 	if (!lmp_le_capable(hdev))
1301 		return MGMT_STATUS_NOT_SUPPORTED;
1302 	else if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
1303 		return MGMT_STATUS_REJECTED;
1304 	else
1305 		return MGMT_STATUS_SUCCESS;
1306 }
1307 
1308 void mgmt_set_discoverable_complete(struct hci_dev *hdev, u8 status)
1309 {
1310 	struct mgmt_pending_cmd *cmd;
1311 
1312 	BT_DBG("status 0x%02x", status);
1313 
1314 	hci_dev_lock(hdev);
1315 
1316 	cmd = pending_find(MGMT_OP_SET_DISCOVERABLE, hdev);
1317 	if (!cmd)
1318 		goto unlock;
1319 
1320 	if (status) {
1321 		u8 mgmt_err = mgmt_status(status);
1322 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
1323 		hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1324 		goto remove_cmd;
1325 	}
1326 
1327 	if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE) &&
1328 	    hdev->discov_timeout > 0) {
1329 		int to = msecs_to_jiffies(hdev->discov_timeout * 1000);
1330 		queue_delayed_work(hdev->req_workqueue, &hdev->discov_off, to);
1331 	}
1332 
1333 	send_settings_rsp(cmd->sk, MGMT_OP_SET_DISCOVERABLE, hdev);
1334 	new_settings(hdev, cmd->sk);
1335 
1336 remove_cmd:
1337 	mgmt_pending_remove(cmd);
1338 
1339 unlock:
1340 	hci_dev_unlock(hdev);
1341 }
1342 
1343 static int set_discoverable(struct sock *sk, struct hci_dev *hdev, void *data,
1344 			    u16 len)
1345 {
1346 	struct mgmt_cp_set_discoverable *cp = data;
1347 	struct mgmt_pending_cmd *cmd;
1348 	u16 timeout;
1349 	int err;
1350 
1351 	BT_DBG("request for %s", hdev->name);
1352 
1353 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED) &&
1354 	    !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1355 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1356 				       MGMT_STATUS_REJECTED);
1357 
1358 	if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
1359 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1360 				       MGMT_STATUS_INVALID_PARAMS);
1361 
1362 	timeout = __le16_to_cpu(cp->timeout);
1363 
1364 	/* Disabling discoverable requires that no timeout is set,
1365 	 * and enabling limited discoverable requires a timeout.
1366 	 */
1367 	if ((cp->val == 0x00 && timeout > 0) ||
1368 	    (cp->val == 0x02 && timeout == 0))
1369 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1370 				       MGMT_STATUS_INVALID_PARAMS);
1371 
1372 	hci_dev_lock(hdev);
1373 
1374 	if (!hdev_is_powered(hdev) && timeout > 0) {
1375 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1376 				      MGMT_STATUS_NOT_POWERED);
1377 		goto failed;
1378 	}
1379 
1380 	if (pending_find(MGMT_OP_SET_DISCOVERABLE, hdev) ||
1381 	    pending_find(MGMT_OP_SET_CONNECTABLE, hdev)) {
1382 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1383 				      MGMT_STATUS_BUSY);
1384 		goto failed;
1385 	}
1386 
1387 	if (!hci_dev_test_flag(hdev, HCI_CONNECTABLE)) {
1388 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1389 				      MGMT_STATUS_REJECTED);
1390 		goto failed;
1391 	}
1392 
1393 	if (hdev->advertising_paused) {
1394 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1395 				      MGMT_STATUS_BUSY);
1396 		goto failed;
1397 	}
1398 
1399 	if (!hdev_is_powered(hdev)) {
1400 		bool changed = false;
1401 
1402 		/* Setting limited discoverable when powered off is
1403 		 * not a valid operation since it requires a timeout
1404 		 * and so no need to check HCI_LIMITED_DISCOVERABLE.
1405 		 */
1406 		if (!!cp->val != hci_dev_test_flag(hdev, HCI_DISCOVERABLE)) {
1407 			hci_dev_change_flag(hdev, HCI_DISCOVERABLE);
1408 			changed = true;
1409 		}
1410 
1411 		err = send_settings_rsp(sk, MGMT_OP_SET_DISCOVERABLE, hdev);
1412 		if (err < 0)
1413 			goto failed;
1414 
1415 		if (changed)
1416 			err = new_settings(hdev, sk);
1417 
1418 		goto failed;
1419 	}
1420 
1421 	/* If the current mode is the same, then just update the timeout
1422 	 * value with the new value. And if only the timeout gets updated,
1423 	 * then no need for any HCI transactions.
1424 	 */
1425 	if (!!cp->val == hci_dev_test_flag(hdev, HCI_DISCOVERABLE) &&
1426 	    (cp->val == 0x02) == hci_dev_test_flag(hdev,
1427 						   HCI_LIMITED_DISCOVERABLE)) {
1428 		cancel_delayed_work(&hdev->discov_off);
1429 		hdev->discov_timeout = timeout;
1430 
1431 		if (cp->val && hdev->discov_timeout > 0) {
1432 			int to = msecs_to_jiffies(hdev->discov_timeout * 1000);
1433 			queue_delayed_work(hdev->req_workqueue,
1434 					   &hdev->discov_off, to);
1435 		}
1436 
1437 		err = send_settings_rsp(sk, MGMT_OP_SET_DISCOVERABLE, hdev);
1438 		goto failed;
1439 	}
1440 
1441 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_DISCOVERABLE, hdev, data, len);
1442 	if (!cmd) {
1443 		err = -ENOMEM;
1444 		goto failed;
1445 	}
1446 
1447 	/* Cancel any potential discoverable timeout that might be
1448 	 * still active and store new timeout value. The arming of
1449 	 * the timeout happens in the complete handler.
1450 	 */
1451 	cancel_delayed_work(&hdev->discov_off);
1452 	hdev->discov_timeout = timeout;
1453 
1454 	if (cp->val)
1455 		hci_dev_set_flag(hdev, HCI_DISCOVERABLE);
1456 	else
1457 		hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1458 
1459 	/* Limited discoverable mode */
1460 	if (cp->val == 0x02)
1461 		hci_dev_set_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1462 	else
1463 		hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1464 
1465 	queue_work(hdev->req_workqueue, &hdev->discoverable_update);
1466 	err = 0;
1467 
1468 failed:
1469 	hci_dev_unlock(hdev);
1470 	return err;
1471 }
1472 
1473 void mgmt_set_connectable_complete(struct hci_dev *hdev, u8 status)
1474 {
1475 	struct mgmt_pending_cmd *cmd;
1476 
1477 	BT_DBG("status 0x%02x", status);
1478 
1479 	hci_dev_lock(hdev);
1480 
1481 	cmd = pending_find(MGMT_OP_SET_CONNECTABLE, hdev);
1482 	if (!cmd)
1483 		goto unlock;
1484 
1485 	if (status) {
1486 		u8 mgmt_err = mgmt_status(status);
1487 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
1488 		goto remove_cmd;
1489 	}
1490 
1491 	send_settings_rsp(cmd->sk, MGMT_OP_SET_CONNECTABLE, hdev);
1492 	new_settings(hdev, cmd->sk);
1493 
1494 remove_cmd:
1495 	mgmt_pending_remove(cmd);
1496 
1497 unlock:
1498 	hci_dev_unlock(hdev);
1499 }
1500 
1501 static int set_connectable_update_settings(struct hci_dev *hdev,
1502 					   struct sock *sk, u8 val)
1503 {
1504 	bool changed = false;
1505 	int err;
1506 
1507 	if (!!val != hci_dev_test_flag(hdev, HCI_CONNECTABLE))
1508 		changed = true;
1509 
1510 	if (val) {
1511 		hci_dev_set_flag(hdev, HCI_CONNECTABLE);
1512 	} else {
1513 		hci_dev_clear_flag(hdev, HCI_CONNECTABLE);
1514 		hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1515 	}
1516 
1517 	err = send_settings_rsp(sk, MGMT_OP_SET_CONNECTABLE, hdev);
1518 	if (err < 0)
1519 		return err;
1520 
1521 	if (changed) {
1522 		hci_req_update_scan(hdev);
1523 		hci_update_background_scan(hdev);
1524 		return new_settings(hdev, sk);
1525 	}
1526 
1527 	return 0;
1528 }
1529 
1530 static int set_connectable(struct sock *sk, struct hci_dev *hdev, void *data,
1531 			   u16 len)
1532 {
1533 	struct mgmt_mode *cp = data;
1534 	struct mgmt_pending_cmd *cmd;
1535 	int err;
1536 
1537 	BT_DBG("request for %s", hdev->name);
1538 
1539 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED) &&
1540 	    !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1541 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_CONNECTABLE,
1542 				       MGMT_STATUS_REJECTED);
1543 
1544 	if (cp->val != 0x00 && cp->val != 0x01)
1545 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_CONNECTABLE,
1546 				       MGMT_STATUS_INVALID_PARAMS);
1547 
1548 	hci_dev_lock(hdev);
1549 
1550 	if (!hdev_is_powered(hdev)) {
1551 		err = set_connectable_update_settings(hdev, sk, cp->val);
1552 		goto failed;
1553 	}
1554 
1555 	if (pending_find(MGMT_OP_SET_DISCOVERABLE, hdev) ||
1556 	    pending_find(MGMT_OP_SET_CONNECTABLE, hdev)) {
1557 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_CONNECTABLE,
1558 				      MGMT_STATUS_BUSY);
1559 		goto failed;
1560 	}
1561 
1562 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_CONNECTABLE, hdev, data, len);
1563 	if (!cmd) {
1564 		err = -ENOMEM;
1565 		goto failed;
1566 	}
1567 
1568 	if (cp->val) {
1569 		hci_dev_set_flag(hdev, HCI_CONNECTABLE);
1570 	} else {
1571 		if (hdev->discov_timeout > 0)
1572 			cancel_delayed_work(&hdev->discov_off);
1573 
1574 		hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1575 		hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1576 		hci_dev_clear_flag(hdev, HCI_CONNECTABLE);
1577 	}
1578 
1579 	queue_work(hdev->req_workqueue, &hdev->connectable_update);
1580 	err = 0;
1581 
1582 failed:
1583 	hci_dev_unlock(hdev);
1584 	return err;
1585 }
1586 
1587 static int set_bondable(struct sock *sk, struct hci_dev *hdev, void *data,
1588 			u16 len)
1589 {
1590 	struct mgmt_mode *cp = data;
1591 	bool changed;
1592 	int err;
1593 
1594 	BT_DBG("request for %s", hdev->name);
1595 
1596 	if (cp->val != 0x00 && cp->val != 0x01)
1597 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BONDABLE,
1598 				       MGMT_STATUS_INVALID_PARAMS);
1599 
1600 	hci_dev_lock(hdev);
1601 
1602 	if (cp->val)
1603 		changed = !hci_dev_test_and_set_flag(hdev, HCI_BONDABLE);
1604 	else
1605 		changed = hci_dev_test_and_clear_flag(hdev, HCI_BONDABLE);
1606 
1607 	err = send_settings_rsp(sk, MGMT_OP_SET_BONDABLE, hdev);
1608 	if (err < 0)
1609 		goto unlock;
1610 
1611 	if (changed) {
1612 		/* In limited privacy mode the change of bondable mode
1613 		 * may affect the local advertising address.
1614 		 */
1615 		if (hdev_is_powered(hdev) &&
1616 		    hci_dev_test_flag(hdev, HCI_ADVERTISING) &&
1617 		    hci_dev_test_flag(hdev, HCI_DISCOVERABLE) &&
1618 		    hci_dev_test_flag(hdev, HCI_LIMITED_PRIVACY))
1619 			queue_work(hdev->req_workqueue,
1620 				   &hdev->discoverable_update);
1621 
1622 		err = new_settings(hdev, sk);
1623 	}
1624 
1625 unlock:
1626 	hci_dev_unlock(hdev);
1627 	return err;
1628 }
1629 
1630 static int set_link_security(struct sock *sk, struct hci_dev *hdev, void *data,
1631 			     u16 len)
1632 {
1633 	struct mgmt_mode *cp = data;
1634 	struct mgmt_pending_cmd *cmd;
1635 	u8 val, status;
1636 	int err;
1637 
1638 	BT_DBG("request for %s", hdev->name);
1639 
1640 	status = mgmt_bredr_support(hdev);
1641 	if (status)
1642 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY,
1643 				       status);
1644 
1645 	if (cp->val != 0x00 && cp->val != 0x01)
1646 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY,
1647 				       MGMT_STATUS_INVALID_PARAMS);
1648 
1649 	hci_dev_lock(hdev);
1650 
1651 	if (!hdev_is_powered(hdev)) {
1652 		bool changed = false;
1653 
1654 		if (!!cp->val != hci_dev_test_flag(hdev, HCI_LINK_SECURITY)) {
1655 			hci_dev_change_flag(hdev, HCI_LINK_SECURITY);
1656 			changed = true;
1657 		}
1658 
1659 		err = send_settings_rsp(sk, MGMT_OP_SET_LINK_SECURITY, hdev);
1660 		if (err < 0)
1661 			goto failed;
1662 
1663 		if (changed)
1664 			err = new_settings(hdev, sk);
1665 
1666 		goto failed;
1667 	}
1668 
1669 	if (pending_find(MGMT_OP_SET_LINK_SECURITY, hdev)) {
1670 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY,
1671 				      MGMT_STATUS_BUSY);
1672 		goto failed;
1673 	}
1674 
1675 	val = !!cp->val;
1676 
1677 	if (test_bit(HCI_AUTH, &hdev->flags) == val) {
1678 		err = send_settings_rsp(sk, MGMT_OP_SET_LINK_SECURITY, hdev);
1679 		goto failed;
1680 	}
1681 
1682 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_LINK_SECURITY, hdev, data, len);
1683 	if (!cmd) {
1684 		err = -ENOMEM;
1685 		goto failed;
1686 	}
1687 
1688 	err = hci_send_cmd(hdev, HCI_OP_WRITE_AUTH_ENABLE, sizeof(val), &val);
1689 	if (err < 0) {
1690 		mgmt_pending_remove(cmd);
1691 		goto failed;
1692 	}
1693 
1694 failed:
1695 	hci_dev_unlock(hdev);
1696 	return err;
1697 }
1698 
1699 static int set_ssp(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
1700 {
1701 	struct mgmt_mode *cp = data;
1702 	struct mgmt_pending_cmd *cmd;
1703 	u8 status;
1704 	int err;
1705 
1706 	BT_DBG("request for %s", hdev->name);
1707 
1708 	status = mgmt_bredr_support(hdev);
1709 	if (status)
1710 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP, status);
1711 
1712 	if (!lmp_ssp_capable(hdev))
1713 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
1714 				       MGMT_STATUS_NOT_SUPPORTED);
1715 
1716 	if (cp->val != 0x00 && cp->val != 0x01)
1717 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
1718 				       MGMT_STATUS_INVALID_PARAMS);
1719 
1720 	hci_dev_lock(hdev);
1721 
1722 	if (!hdev_is_powered(hdev)) {
1723 		bool changed;
1724 
1725 		if (cp->val) {
1726 			changed = !hci_dev_test_and_set_flag(hdev,
1727 							     HCI_SSP_ENABLED);
1728 		} else {
1729 			changed = hci_dev_test_and_clear_flag(hdev,
1730 							      HCI_SSP_ENABLED);
1731 			if (!changed)
1732 				changed = hci_dev_test_and_clear_flag(hdev,
1733 								      HCI_HS_ENABLED);
1734 			else
1735 				hci_dev_clear_flag(hdev, HCI_HS_ENABLED);
1736 		}
1737 
1738 		err = send_settings_rsp(sk, MGMT_OP_SET_SSP, hdev);
1739 		if (err < 0)
1740 			goto failed;
1741 
1742 		if (changed)
1743 			err = new_settings(hdev, sk);
1744 
1745 		goto failed;
1746 	}
1747 
1748 	if (pending_find(MGMT_OP_SET_SSP, hdev)) {
1749 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
1750 				      MGMT_STATUS_BUSY);
1751 		goto failed;
1752 	}
1753 
1754 	if (!!cp->val == hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
1755 		err = send_settings_rsp(sk, MGMT_OP_SET_SSP, hdev);
1756 		goto failed;
1757 	}
1758 
1759 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_SSP, hdev, data, len);
1760 	if (!cmd) {
1761 		err = -ENOMEM;
1762 		goto failed;
1763 	}
1764 
1765 	if (!cp->val && hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS))
1766 		hci_send_cmd(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE,
1767 			     sizeof(cp->val), &cp->val);
1768 
1769 	err = hci_send_cmd(hdev, HCI_OP_WRITE_SSP_MODE, 1, &cp->val);
1770 	if (err < 0) {
1771 		mgmt_pending_remove(cmd);
1772 		goto failed;
1773 	}
1774 
1775 failed:
1776 	hci_dev_unlock(hdev);
1777 	return err;
1778 }
1779 
1780 static int set_hs(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
1781 {
1782 	struct mgmt_mode *cp = data;
1783 	bool changed;
1784 	u8 status;
1785 	int err;
1786 
1787 	BT_DBG("request for %s", hdev->name);
1788 
1789 	status = mgmt_bredr_support(hdev);
1790 	if (status)
1791 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS, status);
1792 
1793 	if (!lmp_ssp_capable(hdev))
1794 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
1795 				       MGMT_STATUS_NOT_SUPPORTED);
1796 
1797 	if (!hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
1798 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
1799 				       MGMT_STATUS_REJECTED);
1800 
1801 	if (cp->val != 0x00 && cp->val != 0x01)
1802 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
1803 				       MGMT_STATUS_INVALID_PARAMS);
1804 
1805 	hci_dev_lock(hdev);
1806 
1807 	if (pending_find(MGMT_OP_SET_SSP, hdev)) {
1808 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
1809 				      MGMT_STATUS_BUSY);
1810 		goto unlock;
1811 	}
1812 
1813 	if (cp->val) {
1814 		changed = !hci_dev_test_and_set_flag(hdev, HCI_HS_ENABLED);
1815 	} else {
1816 		if (hdev_is_powered(hdev)) {
1817 			err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
1818 					      MGMT_STATUS_REJECTED);
1819 			goto unlock;
1820 		}
1821 
1822 		changed = hci_dev_test_and_clear_flag(hdev, HCI_HS_ENABLED);
1823 	}
1824 
1825 	err = send_settings_rsp(sk, MGMT_OP_SET_HS, hdev);
1826 	if (err < 0)
1827 		goto unlock;
1828 
1829 	if (changed)
1830 		err = new_settings(hdev, sk);
1831 
1832 unlock:
1833 	hci_dev_unlock(hdev);
1834 	return err;
1835 }
1836 
1837 static void le_enable_complete(struct hci_dev *hdev, u8 status, u16 opcode)
1838 {
1839 	struct cmd_lookup match = { NULL, hdev };
1840 
1841 	hci_dev_lock(hdev);
1842 
1843 	if (status) {
1844 		u8 mgmt_err = mgmt_status(status);
1845 
1846 		mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, cmd_status_rsp,
1847 				     &mgmt_err);
1848 		goto unlock;
1849 	}
1850 
1851 	mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, settings_rsp, &match);
1852 
1853 	new_settings(hdev, match.sk);
1854 
1855 	if (match.sk)
1856 		sock_put(match.sk);
1857 
1858 	/* Make sure the controller has a good default for
1859 	 * advertising data. Restrict the update to when LE
1860 	 * has actually been enabled. During power on, the
1861 	 * update in powered_update_hci will take care of it.
1862 	 */
1863 	if (hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1864 		struct hci_request req;
1865 		hci_req_init(&req, hdev);
1866 		if (ext_adv_capable(hdev)) {
1867 			int err;
1868 
1869 			err = __hci_req_setup_ext_adv_instance(&req, 0x00);
1870 			if (!err)
1871 				__hci_req_update_scan_rsp_data(&req, 0x00);
1872 		} else {
1873 			__hci_req_update_adv_data(&req, 0x00);
1874 			__hci_req_update_scan_rsp_data(&req, 0x00);
1875 		}
1876 		hci_req_run(&req, NULL);
1877 		hci_update_background_scan(hdev);
1878 	}
1879 
1880 unlock:
1881 	hci_dev_unlock(hdev);
1882 }
1883 
1884 static int set_le(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
1885 {
1886 	struct mgmt_mode *cp = data;
1887 	struct hci_cp_write_le_host_supported hci_cp;
1888 	struct mgmt_pending_cmd *cmd;
1889 	struct hci_request req;
1890 	int err;
1891 	u8 val, enabled;
1892 
1893 	BT_DBG("request for %s", hdev->name);
1894 
1895 	if (!lmp_le_capable(hdev))
1896 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
1897 				       MGMT_STATUS_NOT_SUPPORTED);
1898 
1899 	if (cp->val != 0x00 && cp->val != 0x01)
1900 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
1901 				       MGMT_STATUS_INVALID_PARAMS);
1902 
1903 	/* Bluetooth single mode LE only controllers or dual-mode
1904 	 * controllers configured as LE only devices, do not allow
1905 	 * switching LE off. These have either LE enabled explicitly
1906 	 * or BR/EDR has been previously switched off.
1907 	 *
1908 	 * When trying to enable an already enabled LE, then gracefully
1909 	 * send a positive response. Trying to disable it however will
1910 	 * result into rejection.
1911 	 */
1912 	if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
1913 		if (cp->val == 0x01)
1914 			return send_settings_rsp(sk, MGMT_OP_SET_LE, hdev);
1915 
1916 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
1917 				       MGMT_STATUS_REJECTED);
1918 	}
1919 
1920 	hci_dev_lock(hdev);
1921 
1922 	val = !!cp->val;
1923 	enabled = lmp_host_le_capable(hdev);
1924 
1925 	if (!val)
1926 		hci_req_clear_adv_instance(hdev, NULL, NULL, 0x00, true);
1927 
1928 	if (!hdev_is_powered(hdev) || val == enabled) {
1929 		bool changed = false;
1930 
1931 		if (val != hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1932 			hci_dev_change_flag(hdev, HCI_LE_ENABLED);
1933 			changed = true;
1934 		}
1935 
1936 		if (!val && hci_dev_test_flag(hdev, HCI_ADVERTISING)) {
1937 			hci_dev_clear_flag(hdev, HCI_ADVERTISING);
1938 			changed = true;
1939 		}
1940 
1941 		err = send_settings_rsp(sk, MGMT_OP_SET_LE, hdev);
1942 		if (err < 0)
1943 			goto unlock;
1944 
1945 		if (changed)
1946 			err = new_settings(hdev, sk);
1947 
1948 		goto unlock;
1949 	}
1950 
1951 	if (pending_find(MGMT_OP_SET_LE, hdev) ||
1952 	    pending_find(MGMT_OP_SET_ADVERTISING, hdev)) {
1953 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
1954 				      MGMT_STATUS_BUSY);
1955 		goto unlock;
1956 	}
1957 
1958 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_LE, hdev, data, len);
1959 	if (!cmd) {
1960 		err = -ENOMEM;
1961 		goto unlock;
1962 	}
1963 
1964 	hci_req_init(&req, hdev);
1965 
1966 	memset(&hci_cp, 0, sizeof(hci_cp));
1967 
1968 	if (val) {
1969 		hci_cp.le = val;
1970 		hci_cp.simul = 0x00;
1971 	} else {
1972 		if (hci_dev_test_flag(hdev, HCI_LE_ADV))
1973 			__hci_req_disable_advertising(&req);
1974 
1975 		if (ext_adv_capable(hdev))
1976 			__hci_req_clear_ext_adv_sets(&req);
1977 	}
1978 
1979 	hci_req_add(&req, HCI_OP_WRITE_LE_HOST_SUPPORTED, sizeof(hci_cp),
1980 		    &hci_cp);
1981 
1982 	err = hci_req_run(&req, le_enable_complete);
1983 	if (err < 0)
1984 		mgmt_pending_remove(cmd);
1985 
1986 unlock:
1987 	hci_dev_unlock(hdev);
1988 	return err;
1989 }
1990 
1991 /* This is a helper function to test for pending mgmt commands that can
1992  * cause CoD or EIR HCI commands. We can only allow one such pending
1993  * mgmt command at a time since otherwise we cannot easily track what
1994  * the current values are, will be, and based on that calculate if a new
1995  * HCI command needs to be sent and if yes with what value.
1996  */
1997 static bool pending_eir_or_class(struct hci_dev *hdev)
1998 {
1999 	struct mgmt_pending_cmd *cmd;
2000 
2001 	list_for_each_entry(cmd, &hdev->mgmt_pending, list) {
2002 		switch (cmd->opcode) {
2003 		case MGMT_OP_ADD_UUID:
2004 		case MGMT_OP_REMOVE_UUID:
2005 		case MGMT_OP_SET_DEV_CLASS:
2006 		case MGMT_OP_SET_POWERED:
2007 			return true;
2008 		}
2009 	}
2010 
2011 	return false;
2012 }
2013 
2014 static const u8 bluetooth_base_uuid[] = {
2015 			0xfb, 0x34, 0x9b, 0x5f, 0x80, 0x00, 0x00, 0x80,
2016 			0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2017 };
2018 
2019 static u8 get_uuid_size(const u8 *uuid)
2020 {
2021 	u32 val;
2022 
2023 	if (memcmp(uuid, bluetooth_base_uuid, 12))
2024 		return 128;
2025 
2026 	val = get_unaligned_le32(&uuid[12]);
2027 	if (val > 0xffff)
2028 		return 32;
2029 
2030 	return 16;
2031 }
2032 
2033 static void mgmt_class_complete(struct hci_dev *hdev, u16 mgmt_op, u8 status)
2034 {
2035 	struct mgmt_pending_cmd *cmd;
2036 
2037 	hci_dev_lock(hdev);
2038 
2039 	cmd = pending_find(mgmt_op, hdev);
2040 	if (!cmd)
2041 		goto unlock;
2042 
2043 	mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
2044 			  mgmt_status(status), hdev->dev_class, 3);
2045 
2046 	mgmt_pending_remove(cmd);
2047 
2048 unlock:
2049 	hci_dev_unlock(hdev);
2050 }
2051 
2052 static void add_uuid_complete(struct hci_dev *hdev, u8 status, u16 opcode)
2053 {
2054 	BT_DBG("status 0x%02x", status);
2055 
2056 	mgmt_class_complete(hdev, MGMT_OP_ADD_UUID, status);
2057 }
2058 
2059 static int add_uuid(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
2060 {
2061 	struct mgmt_cp_add_uuid *cp = data;
2062 	struct mgmt_pending_cmd *cmd;
2063 	struct hci_request req;
2064 	struct bt_uuid *uuid;
2065 	int err;
2066 
2067 	BT_DBG("request for %s", hdev->name);
2068 
2069 	hci_dev_lock(hdev);
2070 
2071 	if (pending_eir_or_class(hdev)) {
2072 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_UUID,
2073 				      MGMT_STATUS_BUSY);
2074 		goto failed;
2075 	}
2076 
2077 	uuid = kmalloc(sizeof(*uuid), GFP_KERNEL);
2078 	if (!uuid) {
2079 		err = -ENOMEM;
2080 		goto failed;
2081 	}
2082 
2083 	memcpy(uuid->uuid, cp->uuid, 16);
2084 	uuid->svc_hint = cp->svc_hint;
2085 	uuid->size = get_uuid_size(cp->uuid);
2086 
2087 	list_add_tail(&uuid->list, &hdev->uuids);
2088 
2089 	hci_req_init(&req, hdev);
2090 
2091 	__hci_req_update_class(&req);
2092 	__hci_req_update_eir(&req);
2093 
2094 	err = hci_req_run(&req, add_uuid_complete);
2095 	if (err < 0) {
2096 		if (err != -ENODATA)
2097 			goto failed;
2098 
2099 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_UUID, 0,
2100 					hdev->dev_class, 3);
2101 		goto failed;
2102 	}
2103 
2104 	cmd = mgmt_pending_add(sk, MGMT_OP_ADD_UUID, hdev, data, len);
2105 	if (!cmd) {
2106 		err = -ENOMEM;
2107 		goto failed;
2108 	}
2109 
2110 	err = 0;
2111 
2112 failed:
2113 	hci_dev_unlock(hdev);
2114 	return err;
2115 }
2116 
2117 static bool enable_service_cache(struct hci_dev *hdev)
2118 {
2119 	if (!hdev_is_powered(hdev))
2120 		return false;
2121 
2122 	if (!hci_dev_test_and_set_flag(hdev, HCI_SERVICE_CACHE)) {
2123 		queue_delayed_work(hdev->workqueue, &hdev->service_cache,
2124 				   CACHE_TIMEOUT);
2125 		return true;
2126 	}
2127 
2128 	return false;
2129 }
2130 
2131 static void remove_uuid_complete(struct hci_dev *hdev, u8 status, u16 opcode)
2132 {
2133 	BT_DBG("status 0x%02x", status);
2134 
2135 	mgmt_class_complete(hdev, MGMT_OP_REMOVE_UUID, status);
2136 }
2137 
2138 static int remove_uuid(struct sock *sk, struct hci_dev *hdev, void *data,
2139 		       u16 len)
2140 {
2141 	struct mgmt_cp_remove_uuid *cp = data;
2142 	struct mgmt_pending_cmd *cmd;
2143 	struct bt_uuid *match, *tmp;
2144 	u8 bt_uuid_any[] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
2145 	struct hci_request req;
2146 	int err, found;
2147 
2148 	BT_DBG("request for %s", hdev->name);
2149 
2150 	hci_dev_lock(hdev);
2151 
2152 	if (pending_eir_or_class(hdev)) {
2153 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_UUID,
2154 				      MGMT_STATUS_BUSY);
2155 		goto unlock;
2156 	}
2157 
2158 	if (memcmp(cp->uuid, bt_uuid_any, 16) == 0) {
2159 		hci_uuids_clear(hdev);
2160 
2161 		if (enable_service_cache(hdev)) {
2162 			err = mgmt_cmd_complete(sk, hdev->id,
2163 						MGMT_OP_REMOVE_UUID,
2164 						0, hdev->dev_class, 3);
2165 			goto unlock;
2166 		}
2167 
2168 		goto update_class;
2169 	}
2170 
2171 	found = 0;
2172 
2173 	list_for_each_entry_safe(match, tmp, &hdev->uuids, list) {
2174 		if (memcmp(match->uuid, cp->uuid, 16) != 0)
2175 			continue;
2176 
2177 		list_del(&match->list);
2178 		kfree(match);
2179 		found++;
2180 	}
2181 
2182 	if (found == 0) {
2183 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_UUID,
2184 				      MGMT_STATUS_INVALID_PARAMS);
2185 		goto unlock;
2186 	}
2187 
2188 update_class:
2189 	hci_req_init(&req, hdev);
2190 
2191 	__hci_req_update_class(&req);
2192 	__hci_req_update_eir(&req);
2193 
2194 	err = hci_req_run(&req, remove_uuid_complete);
2195 	if (err < 0) {
2196 		if (err != -ENODATA)
2197 			goto unlock;
2198 
2199 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_UUID, 0,
2200 					hdev->dev_class, 3);
2201 		goto unlock;
2202 	}
2203 
2204 	cmd = mgmt_pending_add(sk, MGMT_OP_REMOVE_UUID, hdev, data, len);
2205 	if (!cmd) {
2206 		err = -ENOMEM;
2207 		goto unlock;
2208 	}
2209 
2210 	err = 0;
2211 
2212 unlock:
2213 	hci_dev_unlock(hdev);
2214 	return err;
2215 }
2216 
2217 static void set_class_complete(struct hci_dev *hdev, u8 status, u16 opcode)
2218 {
2219 	BT_DBG("status 0x%02x", status);
2220 
2221 	mgmt_class_complete(hdev, MGMT_OP_SET_DEV_CLASS, status);
2222 }
2223 
2224 static int set_dev_class(struct sock *sk, struct hci_dev *hdev, void *data,
2225 			 u16 len)
2226 {
2227 	struct mgmt_cp_set_dev_class *cp = data;
2228 	struct mgmt_pending_cmd *cmd;
2229 	struct hci_request req;
2230 	int err;
2231 
2232 	BT_DBG("request for %s", hdev->name);
2233 
2234 	if (!lmp_bredr_capable(hdev))
2235 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEV_CLASS,
2236 				       MGMT_STATUS_NOT_SUPPORTED);
2237 
2238 	hci_dev_lock(hdev);
2239 
2240 	if (pending_eir_or_class(hdev)) {
2241 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEV_CLASS,
2242 				      MGMT_STATUS_BUSY);
2243 		goto unlock;
2244 	}
2245 
2246 	if ((cp->minor & 0x03) != 0 || (cp->major & 0xe0) != 0) {
2247 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEV_CLASS,
2248 				      MGMT_STATUS_INVALID_PARAMS);
2249 		goto unlock;
2250 	}
2251 
2252 	hdev->major_class = cp->major;
2253 	hdev->minor_class = cp->minor;
2254 
2255 	if (!hdev_is_powered(hdev)) {
2256 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_DEV_CLASS, 0,
2257 					hdev->dev_class, 3);
2258 		goto unlock;
2259 	}
2260 
2261 	hci_req_init(&req, hdev);
2262 
2263 	if (hci_dev_test_and_clear_flag(hdev, HCI_SERVICE_CACHE)) {
2264 		hci_dev_unlock(hdev);
2265 		cancel_delayed_work_sync(&hdev->service_cache);
2266 		hci_dev_lock(hdev);
2267 		__hci_req_update_eir(&req);
2268 	}
2269 
2270 	__hci_req_update_class(&req);
2271 
2272 	err = hci_req_run(&req, set_class_complete);
2273 	if (err < 0) {
2274 		if (err != -ENODATA)
2275 			goto unlock;
2276 
2277 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_DEV_CLASS, 0,
2278 					hdev->dev_class, 3);
2279 		goto unlock;
2280 	}
2281 
2282 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_DEV_CLASS, hdev, data, len);
2283 	if (!cmd) {
2284 		err = -ENOMEM;
2285 		goto unlock;
2286 	}
2287 
2288 	err = 0;
2289 
2290 unlock:
2291 	hci_dev_unlock(hdev);
2292 	return err;
2293 }
2294 
2295 static int load_link_keys(struct sock *sk, struct hci_dev *hdev, void *data,
2296 			  u16 len)
2297 {
2298 	struct mgmt_cp_load_link_keys *cp = data;
2299 	const u16 max_key_count = ((U16_MAX - sizeof(*cp)) /
2300 				   sizeof(struct mgmt_link_key_info));
2301 	u16 key_count, expected_len;
2302 	bool changed;
2303 	int i;
2304 
2305 	BT_DBG("request for %s", hdev->name);
2306 
2307 	if (!lmp_bredr_capable(hdev))
2308 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2309 				       MGMT_STATUS_NOT_SUPPORTED);
2310 
2311 	key_count = __le16_to_cpu(cp->key_count);
2312 	if (key_count > max_key_count) {
2313 		bt_dev_err(hdev, "load_link_keys: too big key_count value %u",
2314 			   key_count);
2315 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2316 				       MGMT_STATUS_INVALID_PARAMS);
2317 	}
2318 
2319 	expected_len = struct_size(cp, keys, key_count);
2320 	if (expected_len != len) {
2321 		bt_dev_err(hdev, "load_link_keys: expected %u bytes, got %u bytes",
2322 			   expected_len, len);
2323 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2324 				       MGMT_STATUS_INVALID_PARAMS);
2325 	}
2326 
2327 	if (cp->debug_keys != 0x00 && cp->debug_keys != 0x01)
2328 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2329 				       MGMT_STATUS_INVALID_PARAMS);
2330 
2331 	BT_DBG("%s debug_keys %u key_count %u", hdev->name, cp->debug_keys,
2332 	       key_count);
2333 
2334 	for (i = 0; i < key_count; i++) {
2335 		struct mgmt_link_key_info *key = &cp->keys[i];
2336 
2337 		if (key->addr.type != BDADDR_BREDR || key->type > 0x08)
2338 			return mgmt_cmd_status(sk, hdev->id,
2339 					       MGMT_OP_LOAD_LINK_KEYS,
2340 					       MGMT_STATUS_INVALID_PARAMS);
2341 	}
2342 
2343 	hci_dev_lock(hdev);
2344 
2345 	hci_link_keys_clear(hdev);
2346 
2347 	if (cp->debug_keys)
2348 		changed = !hci_dev_test_and_set_flag(hdev, HCI_KEEP_DEBUG_KEYS);
2349 	else
2350 		changed = hci_dev_test_and_clear_flag(hdev,
2351 						      HCI_KEEP_DEBUG_KEYS);
2352 
2353 	if (changed)
2354 		new_settings(hdev, NULL);
2355 
2356 	for (i = 0; i < key_count; i++) {
2357 		struct mgmt_link_key_info *key = &cp->keys[i];
2358 
2359 		if (hci_is_blocked_key(hdev,
2360 				       HCI_BLOCKED_KEY_TYPE_LINKKEY,
2361 				       key->val)) {
2362 			bt_dev_warn(hdev, "Skipping blocked link key for %pMR",
2363 				    &key->addr.bdaddr);
2364 			continue;
2365 		}
2366 
2367 		/* Always ignore debug keys and require a new pairing if
2368 		 * the user wants to use them.
2369 		 */
2370 		if (key->type == HCI_LK_DEBUG_COMBINATION)
2371 			continue;
2372 
2373 		hci_add_link_key(hdev, NULL, &key->addr.bdaddr, key->val,
2374 				 key->type, key->pin_len, NULL);
2375 	}
2376 
2377 	mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS, 0, NULL, 0);
2378 
2379 	hci_dev_unlock(hdev);
2380 
2381 	return 0;
2382 }
2383 
2384 static int device_unpaired(struct hci_dev *hdev, bdaddr_t *bdaddr,
2385 			   u8 addr_type, struct sock *skip_sk)
2386 {
2387 	struct mgmt_ev_device_unpaired ev;
2388 
2389 	bacpy(&ev.addr.bdaddr, bdaddr);
2390 	ev.addr.type = addr_type;
2391 
2392 	return mgmt_event(MGMT_EV_DEVICE_UNPAIRED, hdev, &ev, sizeof(ev),
2393 			  skip_sk);
2394 }
2395 
2396 static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2397 			 u16 len)
2398 {
2399 	struct mgmt_cp_unpair_device *cp = data;
2400 	struct mgmt_rp_unpair_device rp;
2401 	struct hci_conn_params *params;
2402 	struct mgmt_pending_cmd *cmd;
2403 	struct hci_conn *conn;
2404 	u8 addr_type;
2405 	int err;
2406 
2407 	memset(&rp, 0, sizeof(rp));
2408 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
2409 	rp.addr.type = cp->addr.type;
2410 
2411 	if (!bdaddr_type_is_valid(cp->addr.type))
2412 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2413 					 MGMT_STATUS_INVALID_PARAMS,
2414 					 &rp, sizeof(rp));
2415 
2416 	if (cp->disconnect != 0x00 && cp->disconnect != 0x01)
2417 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2418 					 MGMT_STATUS_INVALID_PARAMS,
2419 					 &rp, sizeof(rp));
2420 
2421 	hci_dev_lock(hdev);
2422 
2423 	if (!hdev_is_powered(hdev)) {
2424 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2425 					MGMT_STATUS_NOT_POWERED, &rp,
2426 					sizeof(rp));
2427 		goto unlock;
2428 	}
2429 
2430 	if (cp->addr.type == BDADDR_BREDR) {
2431 		/* If disconnection is requested, then look up the
2432 		 * connection. If the remote device is connected, it
2433 		 * will be later used to terminate the link.
2434 		 *
2435 		 * Setting it to NULL explicitly will cause no
2436 		 * termination of the link.
2437 		 */
2438 		if (cp->disconnect)
2439 			conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
2440 						       &cp->addr.bdaddr);
2441 		else
2442 			conn = NULL;
2443 
2444 		err = hci_remove_link_key(hdev, &cp->addr.bdaddr);
2445 		if (err < 0) {
2446 			err = mgmt_cmd_complete(sk, hdev->id,
2447 						MGMT_OP_UNPAIR_DEVICE,
2448 						MGMT_STATUS_NOT_PAIRED, &rp,
2449 						sizeof(rp));
2450 			goto unlock;
2451 		}
2452 
2453 		goto done;
2454 	}
2455 
2456 	/* LE address type */
2457 	addr_type = le_addr_type(cp->addr.type);
2458 
2459 	/* Abort any ongoing SMP pairing. Removes ltk and irk if they exist. */
2460 	err = smp_cancel_and_remove_pairing(hdev, &cp->addr.bdaddr, addr_type);
2461 	if (err < 0) {
2462 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2463 					MGMT_STATUS_NOT_PAIRED, &rp,
2464 					sizeof(rp));
2465 		goto unlock;
2466 	}
2467 
2468 	conn = hci_conn_hash_lookup_le(hdev, &cp->addr.bdaddr, addr_type);
2469 	if (!conn) {
2470 		hci_conn_params_del(hdev, &cp->addr.bdaddr, addr_type);
2471 		goto done;
2472 	}
2473 
2474 
2475 	/* Defer clearing up the connection parameters until closing to
2476 	 * give a chance of keeping them if a repairing happens.
2477 	 */
2478 	set_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags);
2479 
2480 	/* Disable auto-connection parameters if present */
2481 	params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr, addr_type);
2482 	if (params) {
2483 		if (params->explicit_connect)
2484 			params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
2485 		else
2486 			params->auto_connect = HCI_AUTO_CONN_DISABLED;
2487 	}
2488 
2489 	/* If disconnection is not requested, then clear the connection
2490 	 * variable so that the link is not terminated.
2491 	 */
2492 	if (!cp->disconnect)
2493 		conn = NULL;
2494 
2495 done:
2496 	/* If the connection variable is set, then termination of the
2497 	 * link is requested.
2498 	 */
2499 	if (!conn) {
2500 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE, 0,
2501 					&rp, sizeof(rp));
2502 		device_unpaired(hdev, &cp->addr.bdaddr, cp->addr.type, sk);
2503 		goto unlock;
2504 	}
2505 
2506 	cmd = mgmt_pending_add(sk, MGMT_OP_UNPAIR_DEVICE, hdev, cp,
2507 			       sizeof(*cp));
2508 	if (!cmd) {
2509 		err = -ENOMEM;
2510 		goto unlock;
2511 	}
2512 
2513 	cmd->cmd_complete = addr_cmd_complete;
2514 
2515 	err = hci_abort_conn(conn, HCI_ERROR_REMOTE_USER_TERM);
2516 	if (err < 0)
2517 		mgmt_pending_remove(cmd);
2518 
2519 unlock:
2520 	hci_dev_unlock(hdev);
2521 	return err;
2522 }
2523 
2524 static int disconnect(struct sock *sk, struct hci_dev *hdev, void *data,
2525 		      u16 len)
2526 {
2527 	struct mgmt_cp_disconnect *cp = data;
2528 	struct mgmt_rp_disconnect rp;
2529 	struct mgmt_pending_cmd *cmd;
2530 	struct hci_conn *conn;
2531 	int err;
2532 
2533 	BT_DBG("");
2534 
2535 	memset(&rp, 0, sizeof(rp));
2536 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
2537 	rp.addr.type = cp->addr.type;
2538 
2539 	if (!bdaddr_type_is_valid(cp->addr.type))
2540 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
2541 					 MGMT_STATUS_INVALID_PARAMS,
2542 					 &rp, sizeof(rp));
2543 
2544 	hci_dev_lock(hdev);
2545 
2546 	if (!test_bit(HCI_UP, &hdev->flags)) {
2547 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
2548 					MGMT_STATUS_NOT_POWERED, &rp,
2549 					sizeof(rp));
2550 		goto failed;
2551 	}
2552 
2553 	if (pending_find(MGMT_OP_DISCONNECT, hdev)) {
2554 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
2555 					MGMT_STATUS_BUSY, &rp, sizeof(rp));
2556 		goto failed;
2557 	}
2558 
2559 	if (cp->addr.type == BDADDR_BREDR)
2560 		conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
2561 					       &cp->addr.bdaddr);
2562 	else
2563 		conn = hci_conn_hash_lookup_le(hdev, &cp->addr.bdaddr,
2564 					       le_addr_type(cp->addr.type));
2565 
2566 	if (!conn || conn->state == BT_OPEN || conn->state == BT_CLOSED) {
2567 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
2568 					MGMT_STATUS_NOT_CONNECTED, &rp,
2569 					sizeof(rp));
2570 		goto failed;
2571 	}
2572 
2573 	cmd = mgmt_pending_add(sk, MGMT_OP_DISCONNECT, hdev, data, len);
2574 	if (!cmd) {
2575 		err = -ENOMEM;
2576 		goto failed;
2577 	}
2578 
2579 	cmd->cmd_complete = generic_cmd_complete;
2580 
2581 	err = hci_disconnect(conn, HCI_ERROR_REMOTE_USER_TERM);
2582 	if (err < 0)
2583 		mgmt_pending_remove(cmd);
2584 
2585 failed:
2586 	hci_dev_unlock(hdev);
2587 	return err;
2588 }
2589 
2590 static u8 link_to_bdaddr(u8 link_type, u8 addr_type)
2591 {
2592 	switch (link_type) {
2593 	case LE_LINK:
2594 		switch (addr_type) {
2595 		case ADDR_LE_DEV_PUBLIC:
2596 			return BDADDR_LE_PUBLIC;
2597 
2598 		default:
2599 			/* Fallback to LE Random address type */
2600 			return BDADDR_LE_RANDOM;
2601 		}
2602 
2603 	default:
2604 		/* Fallback to BR/EDR type */
2605 		return BDADDR_BREDR;
2606 	}
2607 }
2608 
2609 static int get_connections(struct sock *sk, struct hci_dev *hdev, void *data,
2610 			   u16 data_len)
2611 {
2612 	struct mgmt_rp_get_connections *rp;
2613 	struct hci_conn *c;
2614 	int err;
2615 	u16 i;
2616 
2617 	BT_DBG("");
2618 
2619 	hci_dev_lock(hdev);
2620 
2621 	if (!hdev_is_powered(hdev)) {
2622 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_GET_CONNECTIONS,
2623 				      MGMT_STATUS_NOT_POWERED);
2624 		goto unlock;
2625 	}
2626 
2627 	i = 0;
2628 	list_for_each_entry(c, &hdev->conn_hash.list, list) {
2629 		if (test_bit(HCI_CONN_MGMT_CONNECTED, &c->flags))
2630 			i++;
2631 	}
2632 
2633 	rp = kmalloc(struct_size(rp, addr, i), GFP_KERNEL);
2634 	if (!rp) {
2635 		err = -ENOMEM;
2636 		goto unlock;
2637 	}
2638 
2639 	i = 0;
2640 	list_for_each_entry(c, &hdev->conn_hash.list, list) {
2641 		if (!test_bit(HCI_CONN_MGMT_CONNECTED, &c->flags))
2642 			continue;
2643 		bacpy(&rp->addr[i].bdaddr, &c->dst);
2644 		rp->addr[i].type = link_to_bdaddr(c->type, c->dst_type);
2645 		if (c->type == SCO_LINK || c->type == ESCO_LINK)
2646 			continue;
2647 		i++;
2648 	}
2649 
2650 	rp->conn_count = cpu_to_le16(i);
2651 
2652 	/* Recalculate length in case of filtered SCO connections, etc */
2653 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONNECTIONS, 0, rp,
2654 				struct_size(rp, addr, i));
2655 
2656 	kfree(rp);
2657 
2658 unlock:
2659 	hci_dev_unlock(hdev);
2660 	return err;
2661 }
2662 
2663 static int send_pin_code_neg_reply(struct sock *sk, struct hci_dev *hdev,
2664 				   struct mgmt_cp_pin_code_neg_reply *cp)
2665 {
2666 	struct mgmt_pending_cmd *cmd;
2667 	int err;
2668 
2669 	cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_NEG_REPLY, hdev, cp,
2670 			       sizeof(*cp));
2671 	if (!cmd)
2672 		return -ENOMEM;
2673 
2674 	cmd->cmd_complete = addr_cmd_complete;
2675 
2676 	err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
2677 			   sizeof(cp->addr.bdaddr), &cp->addr.bdaddr);
2678 	if (err < 0)
2679 		mgmt_pending_remove(cmd);
2680 
2681 	return err;
2682 }
2683 
2684 static int pin_code_reply(struct sock *sk, struct hci_dev *hdev, void *data,
2685 			  u16 len)
2686 {
2687 	struct hci_conn *conn;
2688 	struct mgmt_cp_pin_code_reply *cp = data;
2689 	struct hci_cp_pin_code_reply reply;
2690 	struct mgmt_pending_cmd *cmd;
2691 	int err;
2692 
2693 	BT_DBG("");
2694 
2695 	hci_dev_lock(hdev);
2696 
2697 	if (!hdev_is_powered(hdev)) {
2698 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
2699 				      MGMT_STATUS_NOT_POWERED);
2700 		goto failed;
2701 	}
2702 
2703 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->addr.bdaddr);
2704 	if (!conn) {
2705 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
2706 				      MGMT_STATUS_NOT_CONNECTED);
2707 		goto failed;
2708 	}
2709 
2710 	if (conn->pending_sec_level == BT_SECURITY_HIGH && cp->pin_len != 16) {
2711 		struct mgmt_cp_pin_code_neg_reply ncp;
2712 
2713 		memcpy(&ncp.addr, &cp->addr, sizeof(ncp.addr));
2714 
2715 		bt_dev_err(hdev, "PIN code is not 16 bytes long");
2716 
2717 		err = send_pin_code_neg_reply(sk, hdev, &ncp);
2718 		if (err >= 0)
2719 			err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
2720 					      MGMT_STATUS_INVALID_PARAMS);
2721 
2722 		goto failed;
2723 	}
2724 
2725 	cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_REPLY, hdev, data, len);
2726 	if (!cmd) {
2727 		err = -ENOMEM;
2728 		goto failed;
2729 	}
2730 
2731 	cmd->cmd_complete = addr_cmd_complete;
2732 
2733 	bacpy(&reply.bdaddr, &cp->addr.bdaddr);
2734 	reply.pin_len = cp->pin_len;
2735 	memcpy(reply.pin_code, cp->pin_code, sizeof(reply.pin_code));
2736 
2737 	err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_REPLY, sizeof(reply), &reply);
2738 	if (err < 0)
2739 		mgmt_pending_remove(cmd);
2740 
2741 failed:
2742 	hci_dev_unlock(hdev);
2743 	return err;
2744 }
2745 
2746 static int set_io_capability(struct sock *sk, struct hci_dev *hdev, void *data,
2747 			     u16 len)
2748 {
2749 	struct mgmt_cp_set_io_capability *cp = data;
2750 
2751 	BT_DBG("");
2752 
2753 	if (cp->io_capability > SMP_IO_KEYBOARD_DISPLAY)
2754 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_IO_CAPABILITY,
2755 				       MGMT_STATUS_INVALID_PARAMS);
2756 
2757 	hci_dev_lock(hdev);
2758 
2759 	hdev->io_capability = cp->io_capability;
2760 
2761 	BT_DBG("%s IO capability set to 0x%02x", hdev->name,
2762 	       hdev->io_capability);
2763 
2764 	hci_dev_unlock(hdev);
2765 
2766 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_IO_CAPABILITY, 0,
2767 				 NULL, 0);
2768 }
2769 
2770 static struct mgmt_pending_cmd *find_pairing(struct hci_conn *conn)
2771 {
2772 	struct hci_dev *hdev = conn->hdev;
2773 	struct mgmt_pending_cmd *cmd;
2774 
2775 	list_for_each_entry(cmd, &hdev->mgmt_pending, list) {
2776 		if (cmd->opcode != MGMT_OP_PAIR_DEVICE)
2777 			continue;
2778 
2779 		if (cmd->user_data != conn)
2780 			continue;
2781 
2782 		return cmd;
2783 	}
2784 
2785 	return NULL;
2786 }
2787 
2788 static int pairing_complete(struct mgmt_pending_cmd *cmd, u8 status)
2789 {
2790 	struct mgmt_rp_pair_device rp;
2791 	struct hci_conn *conn = cmd->user_data;
2792 	int err;
2793 
2794 	bacpy(&rp.addr.bdaddr, &conn->dst);
2795 	rp.addr.type = link_to_bdaddr(conn->type, conn->dst_type);
2796 
2797 	err = mgmt_cmd_complete(cmd->sk, cmd->index, MGMT_OP_PAIR_DEVICE,
2798 				status, &rp, sizeof(rp));
2799 
2800 	/* So we don't get further callbacks for this connection */
2801 	conn->connect_cfm_cb = NULL;
2802 	conn->security_cfm_cb = NULL;
2803 	conn->disconn_cfm_cb = NULL;
2804 
2805 	hci_conn_drop(conn);
2806 
2807 	/* The device is paired so there is no need to remove
2808 	 * its connection parameters anymore.
2809 	 */
2810 	clear_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags);
2811 
2812 	hci_conn_put(conn);
2813 
2814 	return err;
2815 }
2816 
2817 void mgmt_smp_complete(struct hci_conn *conn, bool complete)
2818 {
2819 	u8 status = complete ? MGMT_STATUS_SUCCESS : MGMT_STATUS_FAILED;
2820 	struct mgmt_pending_cmd *cmd;
2821 
2822 	cmd = find_pairing(conn);
2823 	if (cmd) {
2824 		cmd->cmd_complete(cmd, status);
2825 		mgmt_pending_remove(cmd);
2826 	}
2827 }
2828 
2829 static void pairing_complete_cb(struct hci_conn *conn, u8 status)
2830 {
2831 	struct mgmt_pending_cmd *cmd;
2832 
2833 	BT_DBG("status %u", status);
2834 
2835 	cmd = find_pairing(conn);
2836 	if (!cmd) {
2837 		BT_DBG("Unable to find a pending command");
2838 		return;
2839 	}
2840 
2841 	cmd->cmd_complete(cmd, mgmt_status(status));
2842 	mgmt_pending_remove(cmd);
2843 }
2844 
2845 static void le_pairing_complete_cb(struct hci_conn *conn, u8 status)
2846 {
2847 	struct mgmt_pending_cmd *cmd;
2848 
2849 	BT_DBG("status %u", status);
2850 
2851 	if (!status)
2852 		return;
2853 
2854 	cmd = find_pairing(conn);
2855 	if (!cmd) {
2856 		BT_DBG("Unable to find a pending command");
2857 		return;
2858 	}
2859 
2860 	cmd->cmd_complete(cmd, mgmt_status(status));
2861 	mgmt_pending_remove(cmd);
2862 }
2863 
2864 static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2865 		       u16 len)
2866 {
2867 	struct mgmt_cp_pair_device *cp = data;
2868 	struct mgmt_rp_pair_device rp;
2869 	struct mgmt_pending_cmd *cmd;
2870 	u8 sec_level, auth_type;
2871 	struct hci_conn *conn;
2872 	int err;
2873 
2874 	BT_DBG("");
2875 
2876 	memset(&rp, 0, sizeof(rp));
2877 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
2878 	rp.addr.type = cp->addr.type;
2879 
2880 	if (!bdaddr_type_is_valid(cp->addr.type))
2881 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2882 					 MGMT_STATUS_INVALID_PARAMS,
2883 					 &rp, sizeof(rp));
2884 
2885 	if (cp->io_cap > SMP_IO_KEYBOARD_DISPLAY)
2886 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2887 					 MGMT_STATUS_INVALID_PARAMS,
2888 					 &rp, sizeof(rp));
2889 
2890 	hci_dev_lock(hdev);
2891 
2892 	if (!hdev_is_powered(hdev)) {
2893 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2894 					MGMT_STATUS_NOT_POWERED, &rp,
2895 					sizeof(rp));
2896 		goto unlock;
2897 	}
2898 
2899 	if (hci_bdaddr_is_paired(hdev, &cp->addr.bdaddr, cp->addr.type)) {
2900 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2901 					MGMT_STATUS_ALREADY_PAIRED, &rp,
2902 					sizeof(rp));
2903 		goto unlock;
2904 	}
2905 
2906 	sec_level = BT_SECURITY_MEDIUM;
2907 	auth_type = HCI_AT_DEDICATED_BONDING;
2908 
2909 	if (cp->addr.type == BDADDR_BREDR) {
2910 		conn = hci_connect_acl(hdev, &cp->addr.bdaddr, sec_level,
2911 				       auth_type);
2912 	} else {
2913 		u8 addr_type = le_addr_type(cp->addr.type);
2914 		struct hci_conn_params *p;
2915 
2916 		/* When pairing a new device, it is expected to remember
2917 		 * this device for future connections. Adding the connection
2918 		 * parameter information ahead of time allows tracking
2919 		 * of the slave preferred values and will speed up any
2920 		 * further connection establishment.
2921 		 *
2922 		 * If connection parameters already exist, then they
2923 		 * will be kept and this function does nothing.
2924 		 */
2925 		p = hci_conn_params_add(hdev, &cp->addr.bdaddr, addr_type);
2926 
2927 		if (p->auto_connect == HCI_AUTO_CONN_EXPLICIT)
2928 			p->auto_connect = HCI_AUTO_CONN_DISABLED;
2929 
2930 		conn = hci_connect_le_scan(hdev, &cp->addr.bdaddr,
2931 					   addr_type, sec_level,
2932 					   HCI_LE_CONN_TIMEOUT);
2933 	}
2934 
2935 	if (IS_ERR(conn)) {
2936 		int status;
2937 
2938 		if (PTR_ERR(conn) == -EBUSY)
2939 			status = MGMT_STATUS_BUSY;
2940 		else if (PTR_ERR(conn) == -EOPNOTSUPP)
2941 			status = MGMT_STATUS_NOT_SUPPORTED;
2942 		else if (PTR_ERR(conn) == -ECONNREFUSED)
2943 			status = MGMT_STATUS_REJECTED;
2944 		else
2945 			status = MGMT_STATUS_CONNECT_FAILED;
2946 
2947 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2948 					status, &rp, sizeof(rp));
2949 		goto unlock;
2950 	}
2951 
2952 	if (conn->connect_cfm_cb) {
2953 		hci_conn_drop(conn);
2954 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2955 					MGMT_STATUS_BUSY, &rp, sizeof(rp));
2956 		goto unlock;
2957 	}
2958 
2959 	cmd = mgmt_pending_add(sk, MGMT_OP_PAIR_DEVICE, hdev, data, len);
2960 	if (!cmd) {
2961 		err = -ENOMEM;
2962 		hci_conn_drop(conn);
2963 		goto unlock;
2964 	}
2965 
2966 	cmd->cmd_complete = pairing_complete;
2967 
2968 	/* For LE, just connecting isn't a proof that the pairing finished */
2969 	if (cp->addr.type == BDADDR_BREDR) {
2970 		conn->connect_cfm_cb = pairing_complete_cb;
2971 		conn->security_cfm_cb = pairing_complete_cb;
2972 		conn->disconn_cfm_cb = pairing_complete_cb;
2973 	} else {
2974 		conn->connect_cfm_cb = le_pairing_complete_cb;
2975 		conn->security_cfm_cb = le_pairing_complete_cb;
2976 		conn->disconn_cfm_cb = le_pairing_complete_cb;
2977 	}
2978 
2979 	conn->io_capability = cp->io_cap;
2980 	cmd->user_data = hci_conn_get(conn);
2981 
2982 	if ((conn->state == BT_CONNECTED || conn->state == BT_CONFIG) &&
2983 	    hci_conn_security(conn, sec_level, auth_type, true)) {
2984 		cmd->cmd_complete(cmd, 0);
2985 		mgmt_pending_remove(cmd);
2986 	}
2987 
2988 	err = 0;
2989 
2990 unlock:
2991 	hci_dev_unlock(hdev);
2992 	return err;
2993 }
2994 
2995 static int cancel_pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2996 			      u16 len)
2997 {
2998 	struct mgmt_addr_info *addr = data;
2999 	struct mgmt_pending_cmd *cmd;
3000 	struct hci_conn *conn;
3001 	int err;
3002 
3003 	BT_DBG("");
3004 
3005 	hci_dev_lock(hdev);
3006 
3007 	if (!hdev_is_powered(hdev)) {
3008 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
3009 				      MGMT_STATUS_NOT_POWERED);
3010 		goto unlock;
3011 	}
3012 
3013 	cmd = pending_find(MGMT_OP_PAIR_DEVICE, hdev);
3014 	if (!cmd) {
3015 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
3016 				      MGMT_STATUS_INVALID_PARAMS);
3017 		goto unlock;
3018 	}
3019 
3020 	conn = cmd->user_data;
3021 
3022 	if (bacmp(&addr->bdaddr, &conn->dst) != 0) {
3023 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
3024 				      MGMT_STATUS_INVALID_PARAMS);
3025 		goto unlock;
3026 	}
3027 
3028 	cmd->cmd_complete(cmd, MGMT_STATUS_CANCELLED);
3029 	mgmt_pending_remove(cmd);
3030 
3031 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE, 0,
3032 				addr, sizeof(*addr));
3033 unlock:
3034 	hci_dev_unlock(hdev);
3035 	return err;
3036 }
3037 
3038 static int user_pairing_resp(struct sock *sk, struct hci_dev *hdev,
3039 			     struct mgmt_addr_info *addr, u16 mgmt_op,
3040 			     u16 hci_op, __le32 passkey)
3041 {
3042 	struct mgmt_pending_cmd *cmd;
3043 	struct hci_conn *conn;
3044 	int err;
3045 
3046 	hci_dev_lock(hdev);
3047 
3048 	if (!hdev_is_powered(hdev)) {
3049 		err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
3050 					MGMT_STATUS_NOT_POWERED, addr,
3051 					sizeof(*addr));
3052 		goto done;
3053 	}
3054 
3055 	if (addr->type == BDADDR_BREDR)
3056 		conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &addr->bdaddr);
3057 	else
3058 		conn = hci_conn_hash_lookup_le(hdev, &addr->bdaddr,
3059 					       le_addr_type(addr->type));
3060 
3061 	if (!conn) {
3062 		err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
3063 					MGMT_STATUS_NOT_CONNECTED, addr,
3064 					sizeof(*addr));
3065 		goto done;
3066 	}
3067 
3068 	if (addr->type == BDADDR_LE_PUBLIC || addr->type == BDADDR_LE_RANDOM) {
3069 		err = smp_user_confirm_reply(conn, mgmt_op, passkey);
3070 		if (!err)
3071 			err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
3072 						MGMT_STATUS_SUCCESS, addr,
3073 						sizeof(*addr));
3074 		else
3075 			err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
3076 						MGMT_STATUS_FAILED, addr,
3077 						sizeof(*addr));
3078 
3079 		goto done;
3080 	}
3081 
3082 	cmd = mgmt_pending_add(sk, mgmt_op, hdev, addr, sizeof(*addr));
3083 	if (!cmd) {
3084 		err = -ENOMEM;
3085 		goto done;
3086 	}
3087 
3088 	cmd->cmd_complete = addr_cmd_complete;
3089 
3090 	/* Continue with pairing via HCI */
3091 	if (hci_op == HCI_OP_USER_PASSKEY_REPLY) {
3092 		struct hci_cp_user_passkey_reply cp;
3093 
3094 		bacpy(&cp.bdaddr, &addr->bdaddr);
3095 		cp.passkey = passkey;
3096 		err = hci_send_cmd(hdev, hci_op, sizeof(cp), &cp);
3097 	} else
3098 		err = hci_send_cmd(hdev, hci_op, sizeof(addr->bdaddr),
3099 				   &addr->bdaddr);
3100 
3101 	if (err < 0)
3102 		mgmt_pending_remove(cmd);
3103 
3104 done:
3105 	hci_dev_unlock(hdev);
3106 	return err;
3107 }
3108 
3109 static int pin_code_neg_reply(struct sock *sk, struct hci_dev *hdev,
3110 			      void *data, u16 len)
3111 {
3112 	struct mgmt_cp_pin_code_neg_reply *cp = data;
3113 
3114 	BT_DBG("");
3115 
3116 	return user_pairing_resp(sk, hdev, &cp->addr,
3117 				MGMT_OP_PIN_CODE_NEG_REPLY,
3118 				HCI_OP_PIN_CODE_NEG_REPLY, 0);
3119 }
3120 
3121 static int user_confirm_reply(struct sock *sk, struct hci_dev *hdev, void *data,
3122 			      u16 len)
3123 {
3124 	struct mgmt_cp_user_confirm_reply *cp = data;
3125 
3126 	BT_DBG("");
3127 
3128 	if (len != sizeof(*cp))
3129 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_USER_CONFIRM_REPLY,
3130 				       MGMT_STATUS_INVALID_PARAMS);
3131 
3132 	return user_pairing_resp(sk, hdev, &cp->addr,
3133 				 MGMT_OP_USER_CONFIRM_REPLY,
3134 				 HCI_OP_USER_CONFIRM_REPLY, 0);
3135 }
3136 
3137 static int user_confirm_neg_reply(struct sock *sk, struct hci_dev *hdev,
3138 				  void *data, u16 len)
3139 {
3140 	struct mgmt_cp_user_confirm_neg_reply *cp = data;
3141 
3142 	BT_DBG("");
3143 
3144 	return user_pairing_resp(sk, hdev, &cp->addr,
3145 				 MGMT_OP_USER_CONFIRM_NEG_REPLY,
3146 				 HCI_OP_USER_CONFIRM_NEG_REPLY, 0);
3147 }
3148 
3149 static int user_passkey_reply(struct sock *sk, struct hci_dev *hdev, void *data,
3150 			      u16 len)
3151 {
3152 	struct mgmt_cp_user_passkey_reply *cp = data;
3153 
3154 	BT_DBG("");
3155 
3156 	return user_pairing_resp(sk, hdev, &cp->addr,
3157 				 MGMT_OP_USER_PASSKEY_REPLY,
3158 				 HCI_OP_USER_PASSKEY_REPLY, cp->passkey);
3159 }
3160 
3161 static int user_passkey_neg_reply(struct sock *sk, struct hci_dev *hdev,
3162 				  void *data, u16 len)
3163 {
3164 	struct mgmt_cp_user_passkey_neg_reply *cp = data;
3165 
3166 	BT_DBG("");
3167 
3168 	return user_pairing_resp(sk, hdev, &cp->addr,
3169 				 MGMT_OP_USER_PASSKEY_NEG_REPLY,
3170 				 HCI_OP_USER_PASSKEY_NEG_REPLY, 0);
3171 }
3172 
3173 static void adv_expire(struct hci_dev *hdev, u32 flags)
3174 {
3175 	struct adv_info *adv_instance;
3176 	struct hci_request req;
3177 	int err;
3178 
3179 	adv_instance = hci_find_adv_instance(hdev, hdev->cur_adv_instance);
3180 	if (!adv_instance)
3181 		return;
3182 
3183 	/* stop if current instance doesn't need to be changed */
3184 	if (!(adv_instance->flags & flags))
3185 		return;
3186 
3187 	cancel_adv_timeout(hdev);
3188 
3189 	adv_instance = hci_get_next_instance(hdev, adv_instance->instance);
3190 	if (!adv_instance)
3191 		return;
3192 
3193 	hci_req_init(&req, hdev);
3194 	err = __hci_req_schedule_adv_instance(&req, adv_instance->instance,
3195 					      true);
3196 	if (err)
3197 		return;
3198 
3199 	hci_req_run(&req, NULL);
3200 }
3201 
3202 static void set_name_complete(struct hci_dev *hdev, u8 status, u16 opcode)
3203 {
3204 	struct mgmt_cp_set_local_name *cp;
3205 	struct mgmt_pending_cmd *cmd;
3206 
3207 	BT_DBG("status 0x%02x", status);
3208 
3209 	hci_dev_lock(hdev);
3210 
3211 	cmd = pending_find(MGMT_OP_SET_LOCAL_NAME, hdev);
3212 	if (!cmd)
3213 		goto unlock;
3214 
3215 	cp = cmd->param;
3216 
3217 	if (status) {
3218 		mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_LOCAL_NAME,
3219 			        mgmt_status(status));
3220 	} else {
3221 		mgmt_cmd_complete(cmd->sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, 0,
3222 				  cp, sizeof(*cp));
3223 
3224 		if (hci_dev_test_flag(hdev, HCI_LE_ADV))
3225 			adv_expire(hdev, MGMT_ADV_FLAG_LOCAL_NAME);
3226 	}
3227 
3228 	mgmt_pending_remove(cmd);
3229 
3230 unlock:
3231 	hci_dev_unlock(hdev);
3232 }
3233 
3234 static int set_local_name(struct sock *sk, struct hci_dev *hdev, void *data,
3235 			  u16 len)
3236 {
3237 	struct mgmt_cp_set_local_name *cp = data;
3238 	struct mgmt_pending_cmd *cmd;
3239 	struct hci_request req;
3240 	int err;
3241 
3242 	BT_DBG("");
3243 
3244 	hci_dev_lock(hdev);
3245 
3246 	/* If the old values are the same as the new ones just return a
3247 	 * direct command complete event.
3248 	 */
3249 	if (!memcmp(hdev->dev_name, cp->name, sizeof(hdev->dev_name)) &&
3250 	    !memcmp(hdev->short_name, cp->short_name,
3251 		    sizeof(hdev->short_name))) {
3252 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, 0,
3253 					data, len);
3254 		goto failed;
3255 	}
3256 
3257 	memcpy(hdev->short_name, cp->short_name, sizeof(hdev->short_name));
3258 
3259 	if (!hdev_is_powered(hdev)) {
3260 		memcpy(hdev->dev_name, cp->name, sizeof(hdev->dev_name));
3261 
3262 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, 0,
3263 					data, len);
3264 		if (err < 0)
3265 			goto failed;
3266 
3267 		err = mgmt_limited_event(MGMT_EV_LOCAL_NAME_CHANGED, hdev, data,
3268 					 len, HCI_MGMT_LOCAL_NAME_EVENTS, sk);
3269 		ext_info_changed(hdev, sk);
3270 
3271 		goto failed;
3272 	}
3273 
3274 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_LOCAL_NAME, hdev, data, len);
3275 	if (!cmd) {
3276 		err = -ENOMEM;
3277 		goto failed;
3278 	}
3279 
3280 	memcpy(hdev->dev_name, cp->name, sizeof(hdev->dev_name));
3281 
3282 	hci_req_init(&req, hdev);
3283 
3284 	if (lmp_bredr_capable(hdev)) {
3285 		__hci_req_update_name(&req);
3286 		__hci_req_update_eir(&req);
3287 	}
3288 
3289 	/* The name is stored in the scan response data and so
3290 	 * no need to udpate the advertising data here.
3291 	 */
3292 	if (lmp_le_capable(hdev) && hci_dev_test_flag(hdev, HCI_ADVERTISING))
3293 		__hci_req_update_scan_rsp_data(&req, hdev->cur_adv_instance);
3294 
3295 	err = hci_req_run(&req, set_name_complete);
3296 	if (err < 0)
3297 		mgmt_pending_remove(cmd);
3298 
3299 failed:
3300 	hci_dev_unlock(hdev);
3301 	return err;
3302 }
3303 
3304 static int set_appearance(struct sock *sk, struct hci_dev *hdev, void *data,
3305 			  u16 len)
3306 {
3307 	struct mgmt_cp_set_appearance *cp = data;
3308 	u16 appearance;
3309 	int err;
3310 
3311 	BT_DBG("");
3312 
3313 	if (!lmp_le_capable(hdev))
3314 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_APPEARANCE,
3315 				       MGMT_STATUS_NOT_SUPPORTED);
3316 
3317 	appearance = le16_to_cpu(cp->appearance);
3318 
3319 	hci_dev_lock(hdev);
3320 
3321 	if (hdev->appearance != appearance) {
3322 		hdev->appearance = appearance;
3323 
3324 		if (hci_dev_test_flag(hdev, HCI_LE_ADV))
3325 			adv_expire(hdev, MGMT_ADV_FLAG_APPEARANCE);
3326 
3327 		ext_info_changed(hdev, sk);
3328 	}
3329 
3330 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_APPEARANCE, 0, NULL,
3331 				0);
3332 
3333 	hci_dev_unlock(hdev);
3334 
3335 	return err;
3336 }
3337 
3338 static int get_phy_configuration(struct sock *sk, struct hci_dev *hdev,
3339 				 void *data, u16 len)
3340 {
3341 	struct mgmt_rp_get_phy_confguration rp;
3342 
3343 	BT_DBG("sock %p %s", sk, hdev->name);
3344 
3345 	hci_dev_lock(hdev);
3346 
3347 	memset(&rp, 0, sizeof(rp));
3348 
3349 	rp.supported_phys = cpu_to_le32(get_supported_phys(hdev));
3350 	rp.selected_phys = cpu_to_le32(get_selected_phys(hdev));
3351 	rp.configurable_phys = cpu_to_le32(get_configurable_phys(hdev));
3352 
3353 	hci_dev_unlock(hdev);
3354 
3355 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_PHY_CONFIGURATION, 0,
3356 				 &rp, sizeof(rp));
3357 }
3358 
3359 int mgmt_phy_configuration_changed(struct hci_dev *hdev, struct sock *skip)
3360 {
3361 	struct mgmt_ev_phy_configuration_changed ev;
3362 
3363 	memset(&ev, 0, sizeof(ev));
3364 
3365 	ev.selected_phys = cpu_to_le32(get_selected_phys(hdev));
3366 
3367 	return mgmt_event(MGMT_EV_PHY_CONFIGURATION_CHANGED, hdev, &ev,
3368 			  sizeof(ev), skip);
3369 }
3370 
3371 static void set_default_phy_complete(struct hci_dev *hdev, u8 status,
3372 				     u16 opcode, struct sk_buff *skb)
3373 {
3374 	struct mgmt_pending_cmd *cmd;
3375 
3376 	BT_DBG("status 0x%02x", status);
3377 
3378 	hci_dev_lock(hdev);
3379 
3380 	cmd = pending_find(MGMT_OP_SET_PHY_CONFIGURATION, hdev);
3381 	if (!cmd)
3382 		goto unlock;
3383 
3384 	if (status) {
3385 		mgmt_cmd_status(cmd->sk, hdev->id,
3386 				MGMT_OP_SET_PHY_CONFIGURATION,
3387 				mgmt_status(status));
3388 	} else {
3389 		mgmt_cmd_complete(cmd->sk, hdev->id,
3390 				  MGMT_OP_SET_PHY_CONFIGURATION, 0,
3391 				  NULL, 0);
3392 
3393 		mgmt_phy_configuration_changed(hdev, cmd->sk);
3394 	}
3395 
3396 	mgmt_pending_remove(cmd);
3397 
3398 unlock:
3399 	hci_dev_unlock(hdev);
3400 }
3401 
3402 static int set_phy_configuration(struct sock *sk, struct hci_dev *hdev,
3403 				 void *data, u16 len)
3404 {
3405 	struct mgmt_cp_set_phy_confguration *cp = data;
3406 	struct hci_cp_le_set_default_phy cp_phy;
3407 	struct mgmt_pending_cmd *cmd;
3408 	struct hci_request req;
3409 	u32 selected_phys, configurable_phys, supported_phys, unconfigure_phys;
3410 	u16 pkt_type = (HCI_DH1 | HCI_DM1);
3411 	bool changed = false;
3412 	int err;
3413 
3414 	BT_DBG("sock %p %s", sk, hdev->name);
3415 
3416 	configurable_phys = get_configurable_phys(hdev);
3417 	supported_phys = get_supported_phys(hdev);
3418 	selected_phys = __le32_to_cpu(cp->selected_phys);
3419 
3420 	if (selected_phys & ~supported_phys)
3421 		return mgmt_cmd_status(sk, hdev->id,
3422 				       MGMT_OP_SET_PHY_CONFIGURATION,
3423 				       MGMT_STATUS_INVALID_PARAMS);
3424 
3425 	unconfigure_phys = supported_phys & ~configurable_phys;
3426 
3427 	if ((selected_phys & unconfigure_phys) != unconfigure_phys)
3428 		return mgmt_cmd_status(sk, hdev->id,
3429 				       MGMT_OP_SET_PHY_CONFIGURATION,
3430 				       MGMT_STATUS_INVALID_PARAMS);
3431 
3432 	if (selected_phys == get_selected_phys(hdev))
3433 		return mgmt_cmd_complete(sk, hdev->id,
3434 					 MGMT_OP_SET_PHY_CONFIGURATION,
3435 					 0, NULL, 0);
3436 
3437 	hci_dev_lock(hdev);
3438 
3439 	if (!hdev_is_powered(hdev)) {
3440 		err = mgmt_cmd_status(sk, hdev->id,
3441 				      MGMT_OP_SET_PHY_CONFIGURATION,
3442 				      MGMT_STATUS_REJECTED);
3443 		goto unlock;
3444 	}
3445 
3446 	if (pending_find(MGMT_OP_SET_PHY_CONFIGURATION, hdev)) {
3447 		err = mgmt_cmd_status(sk, hdev->id,
3448 				      MGMT_OP_SET_PHY_CONFIGURATION,
3449 				      MGMT_STATUS_BUSY);
3450 		goto unlock;
3451 	}
3452 
3453 	if (selected_phys & MGMT_PHY_BR_1M_3SLOT)
3454 		pkt_type |= (HCI_DH3 | HCI_DM3);
3455 	else
3456 		pkt_type &= ~(HCI_DH3 | HCI_DM3);
3457 
3458 	if (selected_phys & MGMT_PHY_BR_1M_5SLOT)
3459 		pkt_type |= (HCI_DH5 | HCI_DM5);
3460 	else
3461 		pkt_type &= ~(HCI_DH5 | HCI_DM5);
3462 
3463 	if (selected_phys & MGMT_PHY_EDR_2M_1SLOT)
3464 		pkt_type &= ~HCI_2DH1;
3465 	else
3466 		pkt_type |= HCI_2DH1;
3467 
3468 	if (selected_phys & MGMT_PHY_EDR_2M_3SLOT)
3469 		pkt_type &= ~HCI_2DH3;
3470 	else
3471 		pkt_type |= HCI_2DH3;
3472 
3473 	if (selected_phys & MGMT_PHY_EDR_2M_5SLOT)
3474 		pkt_type &= ~HCI_2DH5;
3475 	else
3476 		pkt_type |= HCI_2DH5;
3477 
3478 	if (selected_phys & MGMT_PHY_EDR_3M_1SLOT)
3479 		pkt_type &= ~HCI_3DH1;
3480 	else
3481 		pkt_type |= HCI_3DH1;
3482 
3483 	if (selected_phys & MGMT_PHY_EDR_3M_3SLOT)
3484 		pkt_type &= ~HCI_3DH3;
3485 	else
3486 		pkt_type |= HCI_3DH3;
3487 
3488 	if (selected_phys & MGMT_PHY_EDR_3M_5SLOT)
3489 		pkt_type &= ~HCI_3DH5;
3490 	else
3491 		pkt_type |= HCI_3DH5;
3492 
3493 	if (pkt_type != hdev->pkt_type) {
3494 		hdev->pkt_type = pkt_type;
3495 		changed = true;
3496 	}
3497 
3498 	if ((selected_phys & MGMT_PHY_LE_MASK) ==
3499 	    (get_selected_phys(hdev) & MGMT_PHY_LE_MASK)) {
3500 		if (changed)
3501 			mgmt_phy_configuration_changed(hdev, sk);
3502 
3503 		err = mgmt_cmd_complete(sk, hdev->id,
3504 					MGMT_OP_SET_PHY_CONFIGURATION,
3505 					0, NULL, 0);
3506 
3507 		goto unlock;
3508 	}
3509 
3510 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_PHY_CONFIGURATION, hdev, data,
3511 			       len);
3512 	if (!cmd) {
3513 		err = -ENOMEM;
3514 		goto unlock;
3515 	}
3516 
3517 	hci_req_init(&req, hdev);
3518 
3519 	memset(&cp_phy, 0, sizeof(cp_phy));
3520 
3521 	if (!(selected_phys & MGMT_PHY_LE_TX_MASK))
3522 		cp_phy.all_phys |= 0x01;
3523 
3524 	if (!(selected_phys & MGMT_PHY_LE_RX_MASK))
3525 		cp_phy.all_phys |= 0x02;
3526 
3527 	if (selected_phys & MGMT_PHY_LE_1M_TX)
3528 		cp_phy.tx_phys |= HCI_LE_SET_PHY_1M;
3529 
3530 	if (selected_phys & MGMT_PHY_LE_2M_TX)
3531 		cp_phy.tx_phys |= HCI_LE_SET_PHY_2M;
3532 
3533 	if (selected_phys & MGMT_PHY_LE_CODED_TX)
3534 		cp_phy.tx_phys |= HCI_LE_SET_PHY_CODED;
3535 
3536 	if (selected_phys & MGMT_PHY_LE_1M_RX)
3537 		cp_phy.rx_phys |= HCI_LE_SET_PHY_1M;
3538 
3539 	if (selected_phys & MGMT_PHY_LE_2M_RX)
3540 		cp_phy.rx_phys |= HCI_LE_SET_PHY_2M;
3541 
3542 	if (selected_phys & MGMT_PHY_LE_CODED_RX)
3543 		cp_phy.rx_phys |= HCI_LE_SET_PHY_CODED;
3544 
3545 	hci_req_add(&req, HCI_OP_LE_SET_DEFAULT_PHY, sizeof(cp_phy), &cp_phy);
3546 
3547 	err = hci_req_run_skb(&req, set_default_phy_complete);
3548 	if (err < 0)
3549 		mgmt_pending_remove(cmd);
3550 
3551 unlock:
3552 	hci_dev_unlock(hdev);
3553 
3554 	return err;
3555 }
3556 
3557 static int set_blocked_keys(struct sock *sk, struct hci_dev *hdev, void *data,
3558 			    u16 len)
3559 {
3560 	int err = MGMT_STATUS_SUCCESS;
3561 	struct mgmt_cp_set_blocked_keys *keys = data;
3562 	const u16 max_key_count = ((U16_MAX - sizeof(*keys)) /
3563 				   sizeof(struct mgmt_blocked_key_info));
3564 	u16 key_count, expected_len;
3565 	int i;
3566 
3567 	BT_DBG("request for %s", hdev->name);
3568 
3569 	key_count = __le16_to_cpu(keys->key_count);
3570 	if (key_count > max_key_count) {
3571 		bt_dev_err(hdev, "too big key_count value %u", key_count);
3572 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BLOCKED_KEYS,
3573 				       MGMT_STATUS_INVALID_PARAMS);
3574 	}
3575 
3576 	expected_len = struct_size(keys, keys, key_count);
3577 	if (expected_len != len) {
3578 		bt_dev_err(hdev, "expected %u bytes, got %u bytes",
3579 			   expected_len, len);
3580 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BLOCKED_KEYS,
3581 				       MGMT_STATUS_INVALID_PARAMS);
3582 	}
3583 
3584 	hci_dev_lock(hdev);
3585 
3586 	hci_blocked_keys_clear(hdev);
3587 
3588 	for (i = 0; i < keys->key_count; ++i) {
3589 		struct blocked_key *b = kzalloc(sizeof(*b), GFP_KERNEL);
3590 
3591 		if (!b) {
3592 			err = MGMT_STATUS_NO_RESOURCES;
3593 			break;
3594 		}
3595 
3596 		b->type = keys->keys[i].type;
3597 		memcpy(b->val, keys->keys[i].val, sizeof(b->val));
3598 		list_add_rcu(&b->list, &hdev->blocked_keys);
3599 	}
3600 	hci_dev_unlock(hdev);
3601 
3602 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_BLOCKED_KEYS,
3603 				err, NULL, 0);
3604 }
3605 
3606 static int set_wideband_speech(struct sock *sk, struct hci_dev *hdev,
3607 			       void *data, u16 len)
3608 {
3609 	struct mgmt_mode *cp = data;
3610 	int err;
3611 	bool changed = false;
3612 
3613 	BT_DBG("request for %s", hdev->name);
3614 
3615 	if (!test_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, &hdev->quirks))
3616 		return mgmt_cmd_status(sk, hdev->id,
3617 				       MGMT_OP_SET_WIDEBAND_SPEECH,
3618 				       MGMT_STATUS_NOT_SUPPORTED);
3619 
3620 	if (cp->val != 0x00 && cp->val != 0x01)
3621 		return mgmt_cmd_status(sk, hdev->id,
3622 				       MGMT_OP_SET_WIDEBAND_SPEECH,
3623 				       MGMT_STATUS_INVALID_PARAMS);
3624 
3625 	hci_dev_lock(hdev);
3626 
3627 	if (pending_find(MGMT_OP_SET_WIDEBAND_SPEECH, hdev)) {
3628 		err = mgmt_cmd_status(sk, hdev->id,
3629 				      MGMT_OP_SET_WIDEBAND_SPEECH,
3630 				      MGMT_STATUS_BUSY);
3631 		goto unlock;
3632 	}
3633 
3634 	if (hdev_is_powered(hdev) &&
3635 	    !!cp->val != hci_dev_test_flag(hdev,
3636 					   HCI_WIDEBAND_SPEECH_ENABLED)) {
3637 		err = mgmt_cmd_status(sk, hdev->id,
3638 				      MGMT_OP_SET_WIDEBAND_SPEECH,
3639 				      MGMT_STATUS_REJECTED);
3640 		goto unlock;
3641 	}
3642 
3643 	if (cp->val)
3644 		changed = !hci_dev_test_and_set_flag(hdev,
3645 						   HCI_WIDEBAND_SPEECH_ENABLED);
3646 	else
3647 		changed = hci_dev_test_and_clear_flag(hdev,
3648 						   HCI_WIDEBAND_SPEECH_ENABLED);
3649 
3650 	err = send_settings_rsp(sk, MGMT_OP_SET_WIDEBAND_SPEECH, hdev);
3651 	if (err < 0)
3652 		goto unlock;
3653 
3654 	if (changed)
3655 		err = new_settings(hdev, sk);
3656 
3657 unlock:
3658 	hci_dev_unlock(hdev);
3659 	return err;
3660 }
3661 
3662 static void read_local_oob_data_complete(struct hci_dev *hdev, u8 status,
3663 				         u16 opcode, struct sk_buff *skb)
3664 {
3665 	struct mgmt_rp_read_local_oob_data mgmt_rp;
3666 	size_t rp_size = sizeof(mgmt_rp);
3667 	struct mgmt_pending_cmd *cmd;
3668 
3669 	BT_DBG("%s status %u", hdev->name, status);
3670 
3671 	cmd = pending_find(MGMT_OP_READ_LOCAL_OOB_DATA, hdev);
3672 	if (!cmd)
3673 		return;
3674 
3675 	if (status || !skb) {
3676 		mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
3677 				status ? mgmt_status(status) : MGMT_STATUS_FAILED);
3678 		goto remove;
3679 	}
3680 
3681 	memset(&mgmt_rp, 0, sizeof(mgmt_rp));
3682 
3683 	if (opcode == HCI_OP_READ_LOCAL_OOB_DATA) {
3684 		struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
3685 
3686 		if (skb->len < sizeof(*rp)) {
3687 			mgmt_cmd_status(cmd->sk, hdev->id,
3688 					MGMT_OP_READ_LOCAL_OOB_DATA,
3689 					MGMT_STATUS_FAILED);
3690 			goto remove;
3691 		}
3692 
3693 		memcpy(mgmt_rp.hash192, rp->hash, sizeof(rp->hash));
3694 		memcpy(mgmt_rp.rand192, rp->rand, sizeof(rp->rand));
3695 
3696 		rp_size -= sizeof(mgmt_rp.hash256) + sizeof(mgmt_rp.rand256);
3697 	} else {
3698 		struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
3699 
3700 		if (skb->len < sizeof(*rp)) {
3701 			mgmt_cmd_status(cmd->sk, hdev->id,
3702 					MGMT_OP_READ_LOCAL_OOB_DATA,
3703 					MGMT_STATUS_FAILED);
3704 			goto remove;
3705 		}
3706 
3707 		memcpy(mgmt_rp.hash192, rp->hash192, sizeof(rp->hash192));
3708 		memcpy(mgmt_rp.rand192, rp->rand192, sizeof(rp->rand192));
3709 
3710 		memcpy(mgmt_rp.hash256, rp->hash256, sizeof(rp->hash256));
3711 		memcpy(mgmt_rp.rand256, rp->rand256, sizeof(rp->rand256));
3712 	}
3713 
3714 	mgmt_cmd_complete(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
3715 			  MGMT_STATUS_SUCCESS, &mgmt_rp, rp_size);
3716 
3717 remove:
3718 	mgmt_pending_remove(cmd);
3719 }
3720 
3721 static int read_local_oob_data(struct sock *sk, struct hci_dev *hdev,
3722 			       void *data, u16 data_len)
3723 {
3724 	struct mgmt_pending_cmd *cmd;
3725 	struct hci_request req;
3726 	int err;
3727 
3728 	BT_DBG("%s", hdev->name);
3729 
3730 	hci_dev_lock(hdev);
3731 
3732 	if (!hdev_is_powered(hdev)) {
3733 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
3734 				      MGMT_STATUS_NOT_POWERED);
3735 		goto unlock;
3736 	}
3737 
3738 	if (!lmp_ssp_capable(hdev)) {
3739 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
3740 				      MGMT_STATUS_NOT_SUPPORTED);
3741 		goto unlock;
3742 	}
3743 
3744 	if (pending_find(MGMT_OP_READ_LOCAL_OOB_DATA, hdev)) {
3745 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
3746 				      MGMT_STATUS_BUSY);
3747 		goto unlock;
3748 	}
3749 
3750 	cmd = mgmt_pending_add(sk, MGMT_OP_READ_LOCAL_OOB_DATA, hdev, NULL, 0);
3751 	if (!cmd) {
3752 		err = -ENOMEM;
3753 		goto unlock;
3754 	}
3755 
3756 	hci_req_init(&req, hdev);
3757 
3758 	if (bredr_sc_enabled(hdev))
3759 		hci_req_add(&req, HCI_OP_READ_LOCAL_OOB_EXT_DATA, 0, NULL);
3760 	else
3761 		hci_req_add(&req, HCI_OP_READ_LOCAL_OOB_DATA, 0, NULL);
3762 
3763 	err = hci_req_run_skb(&req, read_local_oob_data_complete);
3764 	if (err < 0)
3765 		mgmt_pending_remove(cmd);
3766 
3767 unlock:
3768 	hci_dev_unlock(hdev);
3769 	return err;
3770 }
3771 
3772 static int add_remote_oob_data(struct sock *sk, struct hci_dev *hdev,
3773 			       void *data, u16 len)
3774 {
3775 	struct mgmt_addr_info *addr = data;
3776 	int err;
3777 
3778 	BT_DBG("%s ", hdev->name);
3779 
3780 	if (!bdaddr_type_is_valid(addr->type))
3781 		return mgmt_cmd_complete(sk, hdev->id,
3782 					 MGMT_OP_ADD_REMOTE_OOB_DATA,
3783 					 MGMT_STATUS_INVALID_PARAMS,
3784 					 addr, sizeof(*addr));
3785 
3786 	hci_dev_lock(hdev);
3787 
3788 	if (len == MGMT_ADD_REMOTE_OOB_DATA_SIZE) {
3789 		struct mgmt_cp_add_remote_oob_data *cp = data;
3790 		u8 status;
3791 
3792 		if (cp->addr.type != BDADDR_BREDR) {
3793 			err = mgmt_cmd_complete(sk, hdev->id,
3794 						MGMT_OP_ADD_REMOTE_OOB_DATA,
3795 						MGMT_STATUS_INVALID_PARAMS,
3796 						&cp->addr, sizeof(cp->addr));
3797 			goto unlock;
3798 		}
3799 
3800 		err = hci_add_remote_oob_data(hdev, &cp->addr.bdaddr,
3801 					      cp->addr.type, cp->hash,
3802 					      cp->rand, NULL, NULL);
3803 		if (err < 0)
3804 			status = MGMT_STATUS_FAILED;
3805 		else
3806 			status = MGMT_STATUS_SUCCESS;
3807 
3808 		err = mgmt_cmd_complete(sk, hdev->id,
3809 					MGMT_OP_ADD_REMOTE_OOB_DATA, status,
3810 					&cp->addr, sizeof(cp->addr));
3811 	} else if (len == MGMT_ADD_REMOTE_OOB_EXT_DATA_SIZE) {
3812 		struct mgmt_cp_add_remote_oob_ext_data *cp = data;
3813 		u8 *rand192, *hash192, *rand256, *hash256;
3814 		u8 status;
3815 
3816 		if (bdaddr_type_is_le(cp->addr.type)) {
3817 			/* Enforce zero-valued 192-bit parameters as
3818 			 * long as legacy SMP OOB isn't implemented.
3819 			 */
3820 			if (memcmp(cp->rand192, ZERO_KEY, 16) ||
3821 			    memcmp(cp->hash192, ZERO_KEY, 16)) {
3822 				err = mgmt_cmd_complete(sk, hdev->id,
3823 							MGMT_OP_ADD_REMOTE_OOB_DATA,
3824 							MGMT_STATUS_INVALID_PARAMS,
3825 							addr, sizeof(*addr));
3826 				goto unlock;
3827 			}
3828 
3829 			rand192 = NULL;
3830 			hash192 = NULL;
3831 		} else {
3832 			/* In case one of the P-192 values is set to zero,
3833 			 * then just disable OOB data for P-192.
3834 			 */
3835 			if (!memcmp(cp->rand192, ZERO_KEY, 16) ||
3836 			    !memcmp(cp->hash192, ZERO_KEY, 16)) {
3837 				rand192 = NULL;
3838 				hash192 = NULL;
3839 			} else {
3840 				rand192 = cp->rand192;
3841 				hash192 = cp->hash192;
3842 			}
3843 		}
3844 
3845 		/* In case one of the P-256 values is set to zero, then just
3846 		 * disable OOB data for P-256.
3847 		 */
3848 		if (!memcmp(cp->rand256, ZERO_KEY, 16) ||
3849 		    !memcmp(cp->hash256, ZERO_KEY, 16)) {
3850 			rand256 = NULL;
3851 			hash256 = NULL;
3852 		} else {
3853 			rand256 = cp->rand256;
3854 			hash256 = cp->hash256;
3855 		}
3856 
3857 		err = hci_add_remote_oob_data(hdev, &cp->addr.bdaddr,
3858 					      cp->addr.type, hash192, rand192,
3859 					      hash256, rand256);
3860 		if (err < 0)
3861 			status = MGMT_STATUS_FAILED;
3862 		else
3863 			status = MGMT_STATUS_SUCCESS;
3864 
3865 		err = mgmt_cmd_complete(sk, hdev->id,
3866 					MGMT_OP_ADD_REMOTE_OOB_DATA,
3867 					status, &cp->addr, sizeof(cp->addr));
3868 	} else {
3869 		bt_dev_err(hdev, "add_remote_oob_data: invalid len of %u bytes",
3870 			   len);
3871 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_REMOTE_OOB_DATA,
3872 				      MGMT_STATUS_INVALID_PARAMS);
3873 	}
3874 
3875 unlock:
3876 	hci_dev_unlock(hdev);
3877 	return err;
3878 }
3879 
3880 static int remove_remote_oob_data(struct sock *sk, struct hci_dev *hdev,
3881 				  void *data, u16 len)
3882 {
3883 	struct mgmt_cp_remove_remote_oob_data *cp = data;
3884 	u8 status;
3885 	int err;
3886 
3887 	BT_DBG("%s", hdev->name);
3888 
3889 	if (cp->addr.type != BDADDR_BREDR)
3890 		return mgmt_cmd_complete(sk, hdev->id,
3891 					 MGMT_OP_REMOVE_REMOTE_OOB_DATA,
3892 					 MGMT_STATUS_INVALID_PARAMS,
3893 					 &cp->addr, sizeof(cp->addr));
3894 
3895 	hci_dev_lock(hdev);
3896 
3897 	if (!bacmp(&cp->addr.bdaddr, BDADDR_ANY)) {
3898 		hci_remote_oob_data_clear(hdev);
3899 		status = MGMT_STATUS_SUCCESS;
3900 		goto done;
3901 	}
3902 
3903 	err = hci_remove_remote_oob_data(hdev, &cp->addr.bdaddr, cp->addr.type);
3904 	if (err < 0)
3905 		status = MGMT_STATUS_INVALID_PARAMS;
3906 	else
3907 		status = MGMT_STATUS_SUCCESS;
3908 
3909 done:
3910 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
3911 				status, &cp->addr, sizeof(cp->addr));
3912 
3913 	hci_dev_unlock(hdev);
3914 	return err;
3915 }
3916 
3917 void mgmt_start_discovery_complete(struct hci_dev *hdev, u8 status)
3918 {
3919 	struct mgmt_pending_cmd *cmd;
3920 
3921 	BT_DBG("status %d", status);
3922 
3923 	hci_dev_lock(hdev);
3924 
3925 	cmd = pending_find(MGMT_OP_START_DISCOVERY, hdev);
3926 	if (!cmd)
3927 		cmd = pending_find(MGMT_OP_START_SERVICE_DISCOVERY, hdev);
3928 
3929 	if (!cmd)
3930 		cmd = pending_find(MGMT_OP_START_LIMITED_DISCOVERY, hdev);
3931 
3932 	if (cmd) {
3933 		cmd->cmd_complete(cmd, mgmt_status(status));
3934 		mgmt_pending_remove(cmd);
3935 	}
3936 
3937 	hci_dev_unlock(hdev);
3938 
3939 	/* Handle suspend notifier */
3940 	if (test_and_clear_bit(SUSPEND_UNPAUSE_DISCOVERY,
3941 			       hdev->suspend_tasks)) {
3942 		bt_dev_dbg(hdev, "Unpaused discovery");
3943 		wake_up(&hdev->suspend_wait_q);
3944 	}
3945 }
3946 
3947 static bool discovery_type_is_valid(struct hci_dev *hdev, uint8_t type,
3948 				    uint8_t *mgmt_status)
3949 {
3950 	switch (type) {
3951 	case DISCOV_TYPE_LE:
3952 		*mgmt_status = mgmt_le_support(hdev);
3953 		if (*mgmt_status)
3954 			return false;
3955 		break;
3956 	case DISCOV_TYPE_INTERLEAVED:
3957 		*mgmt_status = mgmt_le_support(hdev);
3958 		if (*mgmt_status)
3959 			return false;
3960 		/* Intentional fall-through */
3961 	case DISCOV_TYPE_BREDR:
3962 		*mgmt_status = mgmt_bredr_support(hdev);
3963 		if (*mgmt_status)
3964 			return false;
3965 		break;
3966 	default:
3967 		*mgmt_status = MGMT_STATUS_INVALID_PARAMS;
3968 		return false;
3969 	}
3970 
3971 	return true;
3972 }
3973 
3974 static int start_discovery_internal(struct sock *sk, struct hci_dev *hdev,
3975 				    u16 op, void *data, u16 len)
3976 {
3977 	struct mgmt_cp_start_discovery *cp = data;
3978 	struct mgmt_pending_cmd *cmd;
3979 	u8 status;
3980 	int err;
3981 
3982 	BT_DBG("%s", hdev->name);
3983 
3984 	hci_dev_lock(hdev);
3985 
3986 	if (!hdev_is_powered(hdev)) {
3987 		err = mgmt_cmd_complete(sk, hdev->id, op,
3988 					MGMT_STATUS_NOT_POWERED,
3989 					&cp->type, sizeof(cp->type));
3990 		goto failed;
3991 	}
3992 
3993 	if (hdev->discovery.state != DISCOVERY_STOPPED ||
3994 	    hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) {
3995 		err = mgmt_cmd_complete(sk, hdev->id, op, MGMT_STATUS_BUSY,
3996 					&cp->type, sizeof(cp->type));
3997 		goto failed;
3998 	}
3999 
4000 	if (!discovery_type_is_valid(hdev, cp->type, &status)) {
4001 		err = mgmt_cmd_complete(sk, hdev->id, op, status,
4002 					&cp->type, sizeof(cp->type));
4003 		goto failed;
4004 	}
4005 
4006 	/* Can't start discovery when it is paused */
4007 	if (hdev->discovery_paused) {
4008 		err = mgmt_cmd_complete(sk, hdev->id, op, MGMT_STATUS_BUSY,
4009 					&cp->type, sizeof(cp->type));
4010 		goto failed;
4011 	}
4012 
4013 	/* Clear the discovery filter first to free any previously
4014 	 * allocated memory for the UUID list.
4015 	 */
4016 	hci_discovery_filter_clear(hdev);
4017 
4018 	hdev->discovery.type = cp->type;
4019 	hdev->discovery.report_invalid_rssi = false;
4020 	if (op == MGMT_OP_START_LIMITED_DISCOVERY)
4021 		hdev->discovery.limited = true;
4022 	else
4023 		hdev->discovery.limited = false;
4024 
4025 	cmd = mgmt_pending_add(sk, op, hdev, data, len);
4026 	if (!cmd) {
4027 		err = -ENOMEM;
4028 		goto failed;
4029 	}
4030 
4031 	cmd->cmd_complete = generic_cmd_complete;
4032 
4033 	hci_discovery_set_state(hdev, DISCOVERY_STARTING);
4034 	queue_work(hdev->req_workqueue, &hdev->discov_update);
4035 	err = 0;
4036 
4037 failed:
4038 	hci_dev_unlock(hdev);
4039 	return err;
4040 }
4041 
4042 static int start_discovery(struct sock *sk, struct hci_dev *hdev,
4043 			   void *data, u16 len)
4044 {
4045 	return start_discovery_internal(sk, hdev, MGMT_OP_START_DISCOVERY,
4046 					data, len);
4047 }
4048 
4049 static int start_limited_discovery(struct sock *sk, struct hci_dev *hdev,
4050 				   void *data, u16 len)
4051 {
4052 	return start_discovery_internal(sk, hdev,
4053 					MGMT_OP_START_LIMITED_DISCOVERY,
4054 					data, len);
4055 }
4056 
4057 static int service_discovery_cmd_complete(struct mgmt_pending_cmd *cmd,
4058 					  u8 status)
4059 {
4060 	return mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status,
4061 				 cmd->param, 1);
4062 }
4063 
4064 static int start_service_discovery(struct sock *sk, struct hci_dev *hdev,
4065 				   void *data, u16 len)
4066 {
4067 	struct mgmt_cp_start_service_discovery *cp = data;
4068 	struct mgmt_pending_cmd *cmd;
4069 	const u16 max_uuid_count = ((U16_MAX - sizeof(*cp)) / 16);
4070 	u16 uuid_count, expected_len;
4071 	u8 status;
4072 	int err;
4073 
4074 	BT_DBG("%s", hdev->name);
4075 
4076 	hci_dev_lock(hdev);
4077 
4078 	if (!hdev_is_powered(hdev)) {
4079 		err = mgmt_cmd_complete(sk, hdev->id,
4080 					MGMT_OP_START_SERVICE_DISCOVERY,
4081 					MGMT_STATUS_NOT_POWERED,
4082 					&cp->type, sizeof(cp->type));
4083 		goto failed;
4084 	}
4085 
4086 	if (hdev->discovery.state != DISCOVERY_STOPPED ||
4087 	    hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) {
4088 		err = mgmt_cmd_complete(sk, hdev->id,
4089 					MGMT_OP_START_SERVICE_DISCOVERY,
4090 					MGMT_STATUS_BUSY, &cp->type,
4091 					sizeof(cp->type));
4092 		goto failed;
4093 	}
4094 
4095 	uuid_count = __le16_to_cpu(cp->uuid_count);
4096 	if (uuid_count > max_uuid_count) {
4097 		bt_dev_err(hdev, "service_discovery: too big uuid_count value %u",
4098 			   uuid_count);
4099 		err = mgmt_cmd_complete(sk, hdev->id,
4100 					MGMT_OP_START_SERVICE_DISCOVERY,
4101 					MGMT_STATUS_INVALID_PARAMS, &cp->type,
4102 					sizeof(cp->type));
4103 		goto failed;
4104 	}
4105 
4106 	expected_len = sizeof(*cp) + uuid_count * 16;
4107 	if (expected_len != len) {
4108 		bt_dev_err(hdev, "service_discovery: expected %u bytes, got %u bytes",
4109 			   expected_len, len);
4110 		err = mgmt_cmd_complete(sk, hdev->id,
4111 					MGMT_OP_START_SERVICE_DISCOVERY,
4112 					MGMT_STATUS_INVALID_PARAMS, &cp->type,
4113 					sizeof(cp->type));
4114 		goto failed;
4115 	}
4116 
4117 	if (!discovery_type_is_valid(hdev, cp->type, &status)) {
4118 		err = mgmt_cmd_complete(sk, hdev->id,
4119 					MGMT_OP_START_SERVICE_DISCOVERY,
4120 					status, &cp->type, sizeof(cp->type));
4121 		goto failed;
4122 	}
4123 
4124 	cmd = mgmt_pending_add(sk, MGMT_OP_START_SERVICE_DISCOVERY,
4125 			       hdev, data, len);
4126 	if (!cmd) {
4127 		err = -ENOMEM;
4128 		goto failed;
4129 	}
4130 
4131 	cmd->cmd_complete = service_discovery_cmd_complete;
4132 
4133 	/* Clear the discovery filter first to free any previously
4134 	 * allocated memory for the UUID list.
4135 	 */
4136 	hci_discovery_filter_clear(hdev);
4137 
4138 	hdev->discovery.result_filtering = true;
4139 	hdev->discovery.type = cp->type;
4140 	hdev->discovery.rssi = cp->rssi;
4141 	hdev->discovery.uuid_count = uuid_count;
4142 
4143 	if (uuid_count > 0) {
4144 		hdev->discovery.uuids = kmemdup(cp->uuids, uuid_count * 16,
4145 						GFP_KERNEL);
4146 		if (!hdev->discovery.uuids) {
4147 			err = mgmt_cmd_complete(sk, hdev->id,
4148 						MGMT_OP_START_SERVICE_DISCOVERY,
4149 						MGMT_STATUS_FAILED,
4150 						&cp->type, sizeof(cp->type));
4151 			mgmt_pending_remove(cmd);
4152 			goto failed;
4153 		}
4154 	}
4155 
4156 	hci_discovery_set_state(hdev, DISCOVERY_STARTING);
4157 	queue_work(hdev->req_workqueue, &hdev->discov_update);
4158 	err = 0;
4159 
4160 failed:
4161 	hci_dev_unlock(hdev);
4162 	return err;
4163 }
4164 
4165 void mgmt_stop_discovery_complete(struct hci_dev *hdev, u8 status)
4166 {
4167 	struct mgmt_pending_cmd *cmd;
4168 
4169 	BT_DBG("status %d", status);
4170 
4171 	hci_dev_lock(hdev);
4172 
4173 	cmd = pending_find(MGMT_OP_STOP_DISCOVERY, hdev);
4174 	if (cmd) {
4175 		cmd->cmd_complete(cmd, mgmt_status(status));
4176 		mgmt_pending_remove(cmd);
4177 	}
4178 
4179 	hci_dev_unlock(hdev);
4180 
4181 	/* Handle suspend notifier */
4182 	if (test_and_clear_bit(SUSPEND_PAUSE_DISCOVERY, hdev->suspend_tasks)) {
4183 		bt_dev_dbg(hdev, "Paused discovery");
4184 		wake_up(&hdev->suspend_wait_q);
4185 	}
4186 }
4187 
4188 static int stop_discovery(struct sock *sk, struct hci_dev *hdev, void *data,
4189 			  u16 len)
4190 {
4191 	struct mgmt_cp_stop_discovery *mgmt_cp = data;
4192 	struct mgmt_pending_cmd *cmd;
4193 	int err;
4194 
4195 	BT_DBG("%s", hdev->name);
4196 
4197 	hci_dev_lock(hdev);
4198 
4199 	if (!hci_discovery_active(hdev)) {
4200 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_STOP_DISCOVERY,
4201 					MGMT_STATUS_REJECTED, &mgmt_cp->type,
4202 					sizeof(mgmt_cp->type));
4203 		goto unlock;
4204 	}
4205 
4206 	if (hdev->discovery.type != mgmt_cp->type) {
4207 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_STOP_DISCOVERY,
4208 					MGMT_STATUS_INVALID_PARAMS,
4209 					&mgmt_cp->type, sizeof(mgmt_cp->type));
4210 		goto unlock;
4211 	}
4212 
4213 	cmd = mgmt_pending_add(sk, MGMT_OP_STOP_DISCOVERY, hdev, data, len);
4214 	if (!cmd) {
4215 		err = -ENOMEM;
4216 		goto unlock;
4217 	}
4218 
4219 	cmd->cmd_complete = generic_cmd_complete;
4220 
4221 	hci_discovery_set_state(hdev, DISCOVERY_STOPPING);
4222 	queue_work(hdev->req_workqueue, &hdev->discov_update);
4223 	err = 0;
4224 
4225 unlock:
4226 	hci_dev_unlock(hdev);
4227 	return err;
4228 }
4229 
4230 static int confirm_name(struct sock *sk, struct hci_dev *hdev, void *data,
4231 			u16 len)
4232 {
4233 	struct mgmt_cp_confirm_name *cp = data;
4234 	struct inquiry_entry *e;
4235 	int err;
4236 
4237 	BT_DBG("%s", hdev->name);
4238 
4239 	hci_dev_lock(hdev);
4240 
4241 	if (!hci_discovery_active(hdev)) {
4242 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CONFIRM_NAME,
4243 					MGMT_STATUS_FAILED, &cp->addr,
4244 					sizeof(cp->addr));
4245 		goto failed;
4246 	}
4247 
4248 	e = hci_inquiry_cache_lookup_unknown(hdev, &cp->addr.bdaddr);
4249 	if (!e) {
4250 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CONFIRM_NAME,
4251 					MGMT_STATUS_INVALID_PARAMS, &cp->addr,
4252 					sizeof(cp->addr));
4253 		goto failed;
4254 	}
4255 
4256 	if (cp->name_known) {
4257 		e->name_state = NAME_KNOWN;
4258 		list_del(&e->list);
4259 	} else {
4260 		e->name_state = NAME_NEEDED;
4261 		hci_inquiry_cache_update_resolve(hdev, e);
4262 	}
4263 
4264 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CONFIRM_NAME, 0,
4265 				&cp->addr, sizeof(cp->addr));
4266 
4267 failed:
4268 	hci_dev_unlock(hdev);
4269 	return err;
4270 }
4271 
4272 static int block_device(struct sock *sk, struct hci_dev *hdev, void *data,
4273 			u16 len)
4274 {
4275 	struct mgmt_cp_block_device *cp = data;
4276 	u8 status;
4277 	int err;
4278 
4279 	BT_DBG("%s", hdev->name);
4280 
4281 	if (!bdaddr_type_is_valid(cp->addr.type))
4282 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_BLOCK_DEVICE,
4283 					 MGMT_STATUS_INVALID_PARAMS,
4284 					 &cp->addr, sizeof(cp->addr));
4285 
4286 	hci_dev_lock(hdev);
4287 
4288 	err = hci_bdaddr_list_add(&hdev->blacklist, &cp->addr.bdaddr,
4289 				  cp->addr.type);
4290 	if (err < 0) {
4291 		status = MGMT_STATUS_FAILED;
4292 		goto done;
4293 	}
4294 
4295 	mgmt_event(MGMT_EV_DEVICE_BLOCKED, hdev, &cp->addr, sizeof(cp->addr),
4296 		   sk);
4297 	status = MGMT_STATUS_SUCCESS;
4298 
4299 done:
4300 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_BLOCK_DEVICE, status,
4301 				&cp->addr, sizeof(cp->addr));
4302 
4303 	hci_dev_unlock(hdev);
4304 
4305 	return err;
4306 }
4307 
4308 static int unblock_device(struct sock *sk, struct hci_dev *hdev, void *data,
4309 			  u16 len)
4310 {
4311 	struct mgmt_cp_unblock_device *cp = data;
4312 	u8 status;
4313 	int err;
4314 
4315 	BT_DBG("%s", hdev->name);
4316 
4317 	if (!bdaddr_type_is_valid(cp->addr.type))
4318 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNBLOCK_DEVICE,
4319 					 MGMT_STATUS_INVALID_PARAMS,
4320 					 &cp->addr, sizeof(cp->addr));
4321 
4322 	hci_dev_lock(hdev);
4323 
4324 	err = hci_bdaddr_list_del(&hdev->blacklist, &cp->addr.bdaddr,
4325 				  cp->addr.type);
4326 	if (err < 0) {
4327 		status = MGMT_STATUS_INVALID_PARAMS;
4328 		goto done;
4329 	}
4330 
4331 	mgmt_event(MGMT_EV_DEVICE_UNBLOCKED, hdev, &cp->addr, sizeof(cp->addr),
4332 		   sk);
4333 	status = MGMT_STATUS_SUCCESS;
4334 
4335 done:
4336 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNBLOCK_DEVICE, status,
4337 				&cp->addr, sizeof(cp->addr));
4338 
4339 	hci_dev_unlock(hdev);
4340 
4341 	return err;
4342 }
4343 
4344 static int set_device_id(struct sock *sk, struct hci_dev *hdev, void *data,
4345 			 u16 len)
4346 {
4347 	struct mgmt_cp_set_device_id *cp = data;
4348 	struct hci_request req;
4349 	int err;
4350 	__u16 source;
4351 
4352 	BT_DBG("%s", hdev->name);
4353 
4354 	source = __le16_to_cpu(cp->source);
4355 
4356 	if (source > 0x0002)
4357 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEVICE_ID,
4358 				       MGMT_STATUS_INVALID_PARAMS);
4359 
4360 	hci_dev_lock(hdev);
4361 
4362 	hdev->devid_source = source;
4363 	hdev->devid_vendor = __le16_to_cpu(cp->vendor);
4364 	hdev->devid_product = __le16_to_cpu(cp->product);
4365 	hdev->devid_version = __le16_to_cpu(cp->version);
4366 
4367 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_DEVICE_ID, 0,
4368 				NULL, 0);
4369 
4370 	hci_req_init(&req, hdev);
4371 	__hci_req_update_eir(&req);
4372 	hci_req_run(&req, NULL);
4373 
4374 	hci_dev_unlock(hdev);
4375 
4376 	return err;
4377 }
4378 
4379 static void enable_advertising_instance(struct hci_dev *hdev, u8 status,
4380 					u16 opcode)
4381 {
4382 	BT_DBG("status %d", status);
4383 }
4384 
4385 static void set_advertising_complete(struct hci_dev *hdev, u8 status,
4386 				     u16 opcode)
4387 {
4388 	struct cmd_lookup match = { NULL, hdev };
4389 	struct hci_request req;
4390 	u8 instance;
4391 	struct adv_info *adv_instance;
4392 	int err;
4393 
4394 	hci_dev_lock(hdev);
4395 
4396 	if (status) {
4397 		u8 mgmt_err = mgmt_status(status);
4398 
4399 		mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev,
4400 				     cmd_status_rsp, &mgmt_err);
4401 		goto unlock;
4402 	}
4403 
4404 	if (hci_dev_test_flag(hdev, HCI_LE_ADV))
4405 		hci_dev_set_flag(hdev, HCI_ADVERTISING);
4406 	else
4407 		hci_dev_clear_flag(hdev, HCI_ADVERTISING);
4408 
4409 	mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev, settings_rsp,
4410 			     &match);
4411 
4412 	new_settings(hdev, match.sk);
4413 
4414 	if (match.sk)
4415 		sock_put(match.sk);
4416 
4417 	/* Handle suspend notifier */
4418 	if (test_and_clear_bit(SUSPEND_PAUSE_ADVERTISING,
4419 			       hdev->suspend_tasks)) {
4420 		bt_dev_dbg(hdev, "Paused advertising");
4421 		wake_up(&hdev->suspend_wait_q);
4422 	} else if (test_and_clear_bit(SUSPEND_UNPAUSE_ADVERTISING,
4423 				      hdev->suspend_tasks)) {
4424 		bt_dev_dbg(hdev, "Unpaused advertising");
4425 		wake_up(&hdev->suspend_wait_q);
4426 	}
4427 
4428 	/* If "Set Advertising" was just disabled and instance advertising was
4429 	 * set up earlier, then re-enable multi-instance advertising.
4430 	 */
4431 	if (hci_dev_test_flag(hdev, HCI_ADVERTISING) ||
4432 	    list_empty(&hdev->adv_instances))
4433 		goto unlock;
4434 
4435 	instance = hdev->cur_adv_instance;
4436 	if (!instance) {
4437 		adv_instance = list_first_entry_or_null(&hdev->adv_instances,
4438 							struct adv_info, list);
4439 		if (!adv_instance)
4440 			goto unlock;
4441 
4442 		instance = adv_instance->instance;
4443 	}
4444 
4445 	hci_req_init(&req, hdev);
4446 
4447 	err = __hci_req_schedule_adv_instance(&req, instance, true);
4448 
4449 	if (!err)
4450 		err = hci_req_run(&req, enable_advertising_instance);
4451 
4452 	if (err)
4453 		bt_dev_err(hdev, "failed to re-configure advertising");
4454 
4455 unlock:
4456 	hci_dev_unlock(hdev);
4457 }
4458 
4459 static int set_advertising(struct sock *sk, struct hci_dev *hdev, void *data,
4460 			   u16 len)
4461 {
4462 	struct mgmt_mode *cp = data;
4463 	struct mgmt_pending_cmd *cmd;
4464 	struct hci_request req;
4465 	u8 val, status;
4466 	int err;
4467 
4468 	BT_DBG("request for %s", hdev->name);
4469 
4470 	status = mgmt_le_support(hdev);
4471 	if (status)
4472 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
4473 				       status);
4474 
4475 	if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
4476 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
4477 				       MGMT_STATUS_INVALID_PARAMS);
4478 
4479 	if (hdev->advertising_paused)
4480 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
4481 				       MGMT_STATUS_BUSY);
4482 
4483 	hci_dev_lock(hdev);
4484 
4485 	val = !!cp->val;
4486 
4487 	/* The following conditions are ones which mean that we should
4488 	 * not do any HCI communication but directly send a mgmt
4489 	 * response to user space (after toggling the flag if
4490 	 * necessary).
4491 	 */
4492 	if (!hdev_is_powered(hdev) ||
4493 	    (val == hci_dev_test_flag(hdev, HCI_ADVERTISING) &&
4494 	     (cp->val == 0x02) == hci_dev_test_flag(hdev, HCI_ADVERTISING_CONNECTABLE)) ||
4495 	    hci_conn_num(hdev, LE_LINK) > 0 ||
4496 	    (hci_dev_test_flag(hdev, HCI_LE_SCAN) &&
4497 	     hdev->le_scan_type == LE_SCAN_ACTIVE)) {
4498 		bool changed;
4499 
4500 		if (cp->val) {
4501 			hdev->cur_adv_instance = 0x00;
4502 			changed = !hci_dev_test_and_set_flag(hdev, HCI_ADVERTISING);
4503 			if (cp->val == 0x02)
4504 				hci_dev_set_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
4505 			else
4506 				hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
4507 		} else {
4508 			changed = hci_dev_test_and_clear_flag(hdev, HCI_ADVERTISING);
4509 			hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
4510 		}
4511 
4512 		err = send_settings_rsp(sk, MGMT_OP_SET_ADVERTISING, hdev);
4513 		if (err < 0)
4514 			goto unlock;
4515 
4516 		if (changed)
4517 			err = new_settings(hdev, sk);
4518 
4519 		goto unlock;
4520 	}
4521 
4522 	if (pending_find(MGMT_OP_SET_ADVERTISING, hdev) ||
4523 	    pending_find(MGMT_OP_SET_LE, hdev)) {
4524 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
4525 				      MGMT_STATUS_BUSY);
4526 		goto unlock;
4527 	}
4528 
4529 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_ADVERTISING, hdev, data, len);
4530 	if (!cmd) {
4531 		err = -ENOMEM;
4532 		goto unlock;
4533 	}
4534 
4535 	hci_req_init(&req, hdev);
4536 
4537 	if (cp->val == 0x02)
4538 		hci_dev_set_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
4539 	else
4540 		hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
4541 
4542 	cancel_adv_timeout(hdev);
4543 
4544 	if (val) {
4545 		/* Switch to instance "0" for the Set Advertising setting.
4546 		 * We cannot use update_[adv|scan_rsp]_data() here as the
4547 		 * HCI_ADVERTISING flag is not yet set.
4548 		 */
4549 		hdev->cur_adv_instance = 0x00;
4550 
4551 		if (ext_adv_capable(hdev)) {
4552 			__hci_req_start_ext_adv(&req, 0x00);
4553 		} else {
4554 			__hci_req_update_adv_data(&req, 0x00);
4555 			__hci_req_update_scan_rsp_data(&req, 0x00);
4556 			__hci_req_enable_advertising(&req);
4557 		}
4558 	} else {
4559 		__hci_req_disable_advertising(&req);
4560 	}
4561 
4562 	err = hci_req_run(&req, set_advertising_complete);
4563 	if (err < 0)
4564 		mgmt_pending_remove(cmd);
4565 
4566 unlock:
4567 	hci_dev_unlock(hdev);
4568 	return err;
4569 }
4570 
4571 static int set_static_address(struct sock *sk, struct hci_dev *hdev,
4572 			      void *data, u16 len)
4573 {
4574 	struct mgmt_cp_set_static_address *cp = data;
4575 	int err;
4576 
4577 	BT_DBG("%s", hdev->name);
4578 
4579 	if (!lmp_le_capable(hdev))
4580 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_STATIC_ADDRESS,
4581 				       MGMT_STATUS_NOT_SUPPORTED);
4582 
4583 	if (hdev_is_powered(hdev))
4584 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_STATIC_ADDRESS,
4585 				       MGMT_STATUS_REJECTED);
4586 
4587 	if (bacmp(&cp->bdaddr, BDADDR_ANY)) {
4588 		if (!bacmp(&cp->bdaddr, BDADDR_NONE))
4589 			return mgmt_cmd_status(sk, hdev->id,
4590 					       MGMT_OP_SET_STATIC_ADDRESS,
4591 					       MGMT_STATUS_INVALID_PARAMS);
4592 
4593 		/* Two most significant bits shall be set */
4594 		if ((cp->bdaddr.b[5] & 0xc0) != 0xc0)
4595 			return mgmt_cmd_status(sk, hdev->id,
4596 					       MGMT_OP_SET_STATIC_ADDRESS,
4597 					       MGMT_STATUS_INVALID_PARAMS);
4598 	}
4599 
4600 	hci_dev_lock(hdev);
4601 
4602 	bacpy(&hdev->static_addr, &cp->bdaddr);
4603 
4604 	err = send_settings_rsp(sk, MGMT_OP_SET_STATIC_ADDRESS, hdev);
4605 	if (err < 0)
4606 		goto unlock;
4607 
4608 	err = new_settings(hdev, sk);
4609 
4610 unlock:
4611 	hci_dev_unlock(hdev);
4612 	return err;
4613 }
4614 
4615 static int set_scan_params(struct sock *sk, struct hci_dev *hdev,
4616 			   void *data, u16 len)
4617 {
4618 	struct mgmt_cp_set_scan_params *cp = data;
4619 	__u16 interval, window;
4620 	int err;
4621 
4622 	BT_DBG("%s", hdev->name);
4623 
4624 	if (!lmp_le_capable(hdev))
4625 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
4626 				       MGMT_STATUS_NOT_SUPPORTED);
4627 
4628 	interval = __le16_to_cpu(cp->interval);
4629 
4630 	if (interval < 0x0004 || interval > 0x4000)
4631 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
4632 				       MGMT_STATUS_INVALID_PARAMS);
4633 
4634 	window = __le16_to_cpu(cp->window);
4635 
4636 	if (window < 0x0004 || window > 0x4000)
4637 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
4638 				       MGMT_STATUS_INVALID_PARAMS);
4639 
4640 	if (window > interval)
4641 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
4642 				       MGMT_STATUS_INVALID_PARAMS);
4643 
4644 	hci_dev_lock(hdev);
4645 
4646 	hdev->le_scan_interval = interval;
4647 	hdev->le_scan_window = window;
4648 
4649 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS, 0,
4650 				NULL, 0);
4651 
4652 	/* If background scan is running, restart it so new parameters are
4653 	 * loaded.
4654 	 */
4655 	if (hci_dev_test_flag(hdev, HCI_LE_SCAN) &&
4656 	    hdev->discovery.state == DISCOVERY_STOPPED) {
4657 		struct hci_request req;
4658 
4659 		hci_req_init(&req, hdev);
4660 
4661 		hci_req_add_le_scan_disable(&req);
4662 		hci_req_add_le_passive_scan(&req);
4663 
4664 		hci_req_run(&req, NULL);
4665 	}
4666 
4667 	hci_dev_unlock(hdev);
4668 
4669 	return err;
4670 }
4671 
4672 static void fast_connectable_complete(struct hci_dev *hdev, u8 status,
4673 				      u16 opcode)
4674 {
4675 	struct mgmt_pending_cmd *cmd;
4676 
4677 	BT_DBG("status 0x%02x", status);
4678 
4679 	hci_dev_lock(hdev);
4680 
4681 	cmd = pending_find(MGMT_OP_SET_FAST_CONNECTABLE, hdev);
4682 	if (!cmd)
4683 		goto unlock;
4684 
4685 	if (status) {
4686 		mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
4687 			        mgmt_status(status));
4688 	} else {
4689 		struct mgmt_mode *cp = cmd->param;
4690 
4691 		if (cp->val)
4692 			hci_dev_set_flag(hdev, HCI_FAST_CONNECTABLE);
4693 		else
4694 			hci_dev_clear_flag(hdev, HCI_FAST_CONNECTABLE);
4695 
4696 		send_settings_rsp(cmd->sk, MGMT_OP_SET_FAST_CONNECTABLE, hdev);
4697 		new_settings(hdev, cmd->sk);
4698 	}
4699 
4700 	mgmt_pending_remove(cmd);
4701 
4702 unlock:
4703 	hci_dev_unlock(hdev);
4704 }
4705 
4706 static int set_fast_connectable(struct sock *sk, struct hci_dev *hdev,
4707 				void *data, u16 len)
4708 {
4709 	struct mgmt_mode *cp = data;
4710 	struct mgmt_pending_cmd *cmd;
4711 	struct hci_request req;
4712 	int err;
4713 
4714 	BT_DBG("%s", hdev->name);
4715 
4716 	if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) ||
4717 	    hdev->hci_ver < BLUETOOTH_VER_1_2)
4718 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
4719 				       MGMT_STATUS_NOT_SUPPORTED);
4720 
4721 	if (cp->val != 0x00 && cp->val != 0x01)
4722 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
4723 				       MGMT_STATUS_INVALID_PARAMS);
4724 
4725 	hci_dev_lock(hdev);
4726 
4727 	if (pending_find(MGMT_OP_SET_FAST_CONNECTABLE, hdev)) {
4728 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
4729 				      MGMT_STATUS_BUSY);
4730 		goto unlock;
4731 	}
4732 
4733 	if (!!cp->val == hci_dev_test_flag(hdev, HCI_FAST_CONNECTABLE)) {
4734 		err = send_settings_rsp(sk, MGMT_OP_SET_FAST_CONNECTABLE,
4735 					hdev);
4736 		goto unlock;
4737 	}
4738 
4739 	if (!hdev_is_powered(hdev)) {
4740 		hci_dev_change_flag(hdev, HCI_FAST_CONNECTABLE);
4741 		err = send_settings_rsp(sk, MGMT_OP_SET_FAST_CONNECTABLE,
4742 					hdev);
4743 		new_settings(hdev, sk);
4744 		goto unlock;
4745 	}
4746 
4747 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_FAST_CONNECTABLE, hdev,
4748 			       data, len);
4749 	if (!cmd) {
4750 		err = -ENOMEM;
4751 		goto unlock;
4752 	}
4753 
4754 	hci_req_init(&req, hdev);
4755 
4756 	__hci_req_write_fast_connectable(&req, cp->val);
4757 
4758 	err = hci_req_run(&req, fast_connectable_complete);
4759 	if (err < 0) {
4760 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
4761 				      MGMT_STATUS_FAILED);
4762 		mgmt_pending_remove(cmd);
4763 	}
4764 
4765 unlock:
4766 	hci_dev_unlock(hdev);
4767 
4768 	return err;
4769 }
4770 
4771 static void set_bredr_complete(struct hci_dev *hdev, u8 status, u16 opcode)
4772 {
4773 	struct mgmt_pending_cmd *cmd;
4774 
4775 	BT_DBG("status 0x%02x", status);
4776 
4777 	hci_dev_lock(hdev);
4778 
4779 	cmd = pending_find(MGMT_OP_SET_BREDR, hdev);
4780 	if (!cmd)
4781 		goto unlock;
4782 
4783 	if (status) {
4784 		u8 mgmt_err = mgmt_status(status);
4785 
4786 		/* We need to restore the flag if related HCI commands
4787 		 * failed.
4788 		 */
4789 		hci_dev_clear_flag(hdev, HCI_BREDR_ENABLED);
4790 
4791 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
4792 	} else {
4793 		send_settings_rsp(cmd->sk, MGMT_OP_SET_BREDR, hdev);
4794 		new_settings(hdev, cmd->sk);
4795 	}
4796 
4797 	mgmt_pending_remove(cmd);
4798 
4799 unlock:
4800 	hci_dev_unlock(hdev);
4801 }
4802 
4803 static int set_bredr(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
4804 {
4805 	struct mgmt_mode *cp = data;
4806 	struct mgmt_pending_cmd *cmd;
4807 	struct hci_request req;
4808 	int err;
4809 
4810 	BT_DBG("request for %s", hdev->name);
4811 
4812 	if (!lmp_bredr_capable(hdev) || !lmp_le_capable(hdev))
4813 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
4814 				       MGMT_STATUS_NOT_SUPPORTED);
4815 
4816 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
4817 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
4818 				       MGMT_STATUS_REJECTED);
4819 
4820 	if (cp->val != 0x00 && cp->val != 0x01)
4821 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
4822 				       MGMT_STATUS_INVALID_PARAMS);
4823 
4824 	hci_dev_lock(hdev);
4825 
4826 	if (cp->val == hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
4827 		err = send_settings_rsp(sk, MGMT_OP_SET_BREDR, hdev);
4828 		goto unlock;
4829 	}
4830 
4831 	if (!hdev_is_powered(hdev)) {
4832 		if (!cp->val) {
4833 			hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
4834 			hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
4835 			hci_dev_clear_flag(hdev, HCI_LINK_SECURITY);
4836 			hci_dev_clear_flag(hdev, HCI_FAST_CONNECTABLE);
4837 			hci_dev_clear_flag(hdev, HCI_HS_ENABLED);
4838 		}
4839 
4840 		hci_dev_change_flag(hdev, HCI_BREDR_ENABLED);
4841 
4842 		err = send_settings_rsp(sk, MGMT_OP_SET_BREDR, hdev);
4843 		if (err < 0)
4844 			goto unlock;
4845 
4846 		err = new_settings(hdev, sk);
4847 		goto unlock;
4848 	}
4849 
4850 	/* Reject disabling when powered on */
4851 	if (!cp->val) {
4852 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
4853 				      MGMT_STATUS_REJECTED);
4854 		goto unlock;
4855 	} else {
4856 		/* When configuring a dual-mode controller to operate
4857 		 * with LE only and using a static address, then switching
4858 		 * BR/EDR back on is not allowed.
4859 		 *
4860 		 * Dual-mode controllers shall operate with the public
4861 		 * address as its identity address for BR/EDR and LE. So
4862 		 * reject the attempt to create an invalid configuration.
4863 		 *
4864 		 * The same restrictions applies when secure connections
4865 		 * has been enabled. For BR/EDR this is a controller feature
4866 		 * while for LE it is a host stack feature. This means that
4867 		 * switching BR/EDR back on when secure connections has been
4868 		 * enabled is not a supported transaction.
4869 		 */
4870 		if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
4871 		    (bacmp(&hdev->static_addr, BDADDR_ANY) ||
4872 		     hci_dev_test_flag(hdev, HCI_SC_ENABLED))) {
4873 			err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
4874 					      MGMT_STATUS_REJECTED);
4875 			goto unlock;
4876 		}
4877 	}
4878 
4879 	if (pending_find(MGMT_OP_SET_BREDR, hdev)) {
4880 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
4881 				      MGMT_STATUS_BUSY);
4882 		goto unlock;
4883 	}
4884 
4885 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_BREDR, hdev, data, len);
4886 	if (!cmd) {
4887 		err = -ENOMEM;
4888 		goto unlock;
4889 	}
4890 
4891 	/* We need to flip the bit already here so that
4892 	 * hci_req_update_adv_data generates the correct flags.
4893 	 */
4894 	hci_dev_set_flag(hdev, HCI_BREDR_ENABLED);
4895 
4896 	hci_req_init(&req, hdev);
4897 
4898 	__hci_req_write_fast_connectable(&req, false);
4899 	__hci_req_update_scan(&req);
4900 
4901 	/* Since only the advertising data flags will change, there
4902 	 * is no need to update the scan response data.
4903 	 */
4904 	__hci_req_update_adv_data(&req, hdev->cur_adv_instance);
4905 
4906 	err = hci_req_run(&req, set_bredr_complete);
4907 	if (err < 0)
4908 		mgmt_pending_remove(cmd);
4909 
4910 unlock:
4911 	hci_dev_unlock(hdev);
4912 	return err;
4913 }
4914 
4915 static void sc_enable_complete(struct hci_dev *hdev, u8 status, u16 opcode)
4916 {
4917 	struct mgmt_pending_cmd *cmd;
4918 	struct mgmt_mode *cp;
4919 
4920 	BT_DBG("%s status %u", hdev->name, status);
4921 
4922 	hci_dev_lock(hdev);
4923 
4924 	cmd = pending_find(MGMT_OP_SET_SECURE_CONN, hdev);
4925 	if (!cmd)
4926 		goto unlock;
4927 
4928 	if (status) {
4929 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode,
4930 			        mgmt_status(status));
4931 		goto remove;
4932 	}
4933 
4934 	cp = cmd->param;
4935 
4936 	switch (cp->val) {
4937 	case 0x00:
4938 		hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
4939 		hci_dev_clear_flag(hdev, HCI_SC_ONLY);
4940 		break;
4941 	case 0x01:
4942 		hci_dev_set_flag(hdev, HCI_SC_ENABLED);
4943 		hci_dev_clear_flag(hdev, HCI_SC_ONLY);
4944 		break;
4945 	case 0x02:
4946 		hci_dev_set_flag(hdev, HCI_SC_ENABLED);
4947 		hci_dev_set_flag(hdev, HCI_SC_ONLY);
4948 		break;
4949 	}
4950 
4951 	send_settings_rsp(cmd->sk, MGMT_OP_SET_SECURE_CONN, hdev);
4952 	new_settings(hdev, cmd->sk);
4953 
4954 remove:
4955 	mgmt_pending_remove(cmd);
4956 unlock:
4957 	hci_dev_unlock(hdev);
4958 }
4959 
4960 static int set_secure_conn(struct sock *sk, struct hci_dev *hdev,
4961 			   void *data, u16 len)
4962 {
4963 	struct mgmt_mode *cp = data;
4964 	struct mgmt_pending_cmd *cmd;
4965 	struct hci_request req;
4966 	u8 val;
4967 	int err;
4968 
4969 	BT_DBG("request for %s", hdev->name);
4970 
4971 	if (!lmp_sc_capable(hdev) &&
4972 	    !hci_dev_test_flag(hdev, HCI_LE_ENABLED))
4973 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
4974 				       MGMT_STATUS_NOT_SUPPORTED);
4975 
4976 	if (hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
4977 	    lmp_sc_capable(hdev) &&
4978 	    !hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
4979 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
4980 				       MGMT_STATUS_REJECTED);
4981 
4982 	if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
4983 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
4984 				  MGMT_STATUS_INVALID_PARAMS);
4985 
4986 	hci_dev_lock(hdev);
4987 
4988 	if (!hdev_is_powered(hdev) || !lmp_sc_capable(hdev) ||
4989 	    !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
4990 		bool changed;
4991 
4992 		if (cp->val) {
4993 			changed = !hci_dev_test_and_set_flag(hdev,
4994 							     HCI_SC_ENABLED);
4995 			if (cp->val == 0x02)
4996 				hci_dev_set_flag(hdev, HCI_SC_ONLY);
4997 			else
4998 				hci_dev_clear_flag(hdev, HCI_SC_ONLY);
4999 		} else {
5000 			changed = hci_dev_test_and_clear_flag(hdev,
5001 							      HCI_SC_ENABLED);
5002 			hci_dev_clear_flag(hdev, HCI_SC_ONLY);
5003 		}
5004 
5005 		err = send_settings_rsp(sk, MGMT_OP_SET_SECURE_CONN, hdev);
5006 		if (err < 0)
5007 			goto failed;
5008 
5009 		if (changed)
5010 			err = new_settings(hdev, sk);
5011 
5012 		goto failed;
5013 	}
5014 
5015 	if (pending_find(MGMT_OP_SET_SECURE_CONN, hdev)) {
5016 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
5017 				      MGMT_STATUS_BUSY);
5018 		goto failed;
5019 	}
5020 
5021 	val = !!cp->val;
5022 
5023 	if (val == hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
5024 	    (cp->val == 0x02) == hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
5025 		err = send_settings_rsp(sk, MGMT_OP_SET_SECURE_CONN, hdev);
5026 		goto failed;
5027 	}
5028 
5029 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_SECURE_CONN, hdev, data, len);
5030 	if (!cmd) {
5031 		err = -ENOMEM;
5032 		goto failed;
5033 	}
5034 
5035 	hci_req_init(&req, hdev);
5036 	hci_req_add(&req, HCI_OP_WRITE_SC_SUPPORT, 1, &val);
5037 	err = hci_req_run(&req, sc_enable_complete);
5038 	if (err < 0) {
5039 		mgmt_pending_remove(cmd);
5040 		goto failed;
5041 	}
5042 
5043 failed:
5044 	hci_dev_unlock(hdev);
5045 	return err;
5046 }
5047 
5048 static int set_debug_keys(struct sock *sk, struct hci_dev *hdev,
5049 			  void *data, u16 len)
5050 {
5051 	struct mgmt_mode *cp = data;
5052 	bool changed, use_changed;
5053 	int err;
5054 
5055 	BT_DBG("request for %s", hdev->name);
5056 
5057 	if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
5058 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEBUG_KEYS,
5059 				       MGMT_STATUS_INVALID_PARAMS);
5060 
5061 	hci_dev_lock(hdev);
5062 
5063 	if (cp->val)
5064 		changed = !hci_dev_test_and_set_flag(hdev, HCI_KEEP_DEBUG_KEYS);
5065 	else
5066 		changed = hci_dev_test_and_clear_flag(hdev,
5067 						      HCI_KEEP_DEBUG_KEYS);
5068 
5069 	if (cp->val == 0x02)
5070 		use_changed = !hci_dev_test_and_set_flag(hdev,
5071 							 HCI_USE_DEBUG_KEYS);
5072 	else
5073 		use_changed = hci_dev_test_and_clear_flag(hdev,
5074 							  HCI_USE_DEBUG_KEYS);
5075 
5076 	if (hdev_is_powered(hdev) && use_changed &&
5077 	    hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
5078 		u8 mode = (cp->val == 0x02) ? 0x01 : 0x00;
5079 		hci_send_cmd(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE,
5080 			     sizeof(mode), &mode);
5081 	}
5082 
5083 	err = send_settings_rsp(sk, MGMT_OP_SET_DEBUG_KEYS, hdev);
5084 	if (err < 0)
5085 		goto unlock;
5086 
5087 	if (changed)
5088 		err = new_settings(hdev, sk);
5089 
5090 unlock:
5091 	hci_dev_unlock(hdev);
5092 	return err;
5093 }
5094 
5095 static int set_privacy(struct sock *sk, struct hci_dev *hdev, void *cp_data,
5096 		       u16 len)
5097 {
5098 	struct mgmt_cp_set_privacy *cp = cp_data;
5099 	bool changed;
5100 	int err;
5101 
5102 	BT_DBG("request for %s", hdev->name);
5103 
5104 	if (!lmp_le_capable(hdev))
5105 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PRIVACY,
5106 				       MGMT_STATUS_NOT_SUPPORTED);
5107 
5108 	if (cp->privacy != 0x00 && cp->privacy != 0x01 && cp->privacy != 0x02)
5109 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PRIVACY,
5110 				       MGMT_STATUS_INVALID_PARAMS);
5111 
5112 	if (hdev_is_powered(hdev))
5113 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PRIVACY,
5114 				       MGMT_STATUS_REJECTED);
5115 
5116 	hci_dev_lock(hdev);
5117 
5118 	/* If user space supports this command it is also expected to
5119 	 * handle IRKs. Therefore, set the HCI_RPA_RESOLVING flag.
5120 	 */
5121 	hci_dev_set_flag(hdev, HCI_RPA_RESOLVING);
5122 
5123 	if (cp->privacy) {
5124 		changed = !hci_dev_test_and_set_flag(hdev, HCI_PRIVACY);
5125 		memcpy(hdev->irk, cp->irk, sizeof(hdev->irk));
5126 		hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
5127 		hci_adv_instances_set_rpa_expired(hdev, true);
5128 		if (cp->privacy == 0x02)
5129 			hci_dev_set_flag(hdev, HCI_LIMITED_PRIVACY);
5130 		else
5131 			hci_dev_clear_flag(hdev, HCI_LIMITED_PRIVACY);
5132 	} else {
5133 		changed = hci_dev_test_and_clear_flag(hdev, HCI_PRIVACY);
5134 		memset(hdev->irk, 0, sizeof(hdev->irk));
5135 		hci_dev_clear_flag(hdev, HCI_RPA_EXPIRED);
5136 		hci_adv_instances_set_rpa_expired(hdev, false);
5137 		hci_dev_clear_flag(hdev, HCI_LIMITED_PRIVACY);
5138 	}
5139 
5140 	err = send_settings_rsp(sk, MGMT_OP_SET_PRIVACY, hdev);
5141 	if (err < 0)
5142 		goto unlock;
5143 
5144 	if (changed)
5145 		err = new_settings(hdev, sk);
5146 
5147 unlock:
5148 	hci_dev_unlock(hdev);
5149 	return err;
5150 }
5151 
5152 static bool irk_is_valid(struct mgmt_irk_info *irk)
5153 {
5154 	switch (irk->addr.type) {
5155 	case BDADDR_LE_PUBLIC:
5156 		return true;
5157 
5158 	case BDADDR_LE_RANDOM:
5159 		/* Two most significant bits shall be set */
5160 		if ((irk->addr.bdaddr.b[5] & 0xc0) != 0xc0)
5161 			return false;
5162 		return true;
5163 	}
5164 
5165 	return false;
5166 }
5167 
5168 static int load_irks(struct sock *sk, struct hci_dev *hdev, void *cp_data,
5169 		     u16 len)
5170 {
5171 	struct mgmt_cp_load_irks *cp = cp_data;
5172 	const u16 max_irk_count = ((U16_MAX - sizeof(*cp)) /
5173 				   sizeof(struct mgmt_irk_info));
5174 	u16 irk_count, expected_len;
5175 	int i, err;
5176 
5177 	BT_DBG("request for %s", hdev->name);
5178 
5179 	if (!lmp_le_capable(hdev))
5180 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_IRKS,
5181 				       MGMT_STATUS_NOT_SUPPORTED);
5182 
5183 	irk_count = __le16_to_cpu(cp->irk_count);
5184 	if (irk_count > max_irk_count) {
5185 		bt_dev_err(hdev, "load_irks: too big irk_count value %u",
5186 			   irk_count);
5187 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_IRKS,
5188 				       MGMT_STATUS_INVALID_PARAMS);
5189 	}
5190 
5191 	expected_len = struct_size(cp, irks, irk_count);
5192 	if (expected_len != len) {
5193 		bt_dev_err(hdev, "load_irks: expected %u bytes, got %u bytes",
5194 			   expected_len, len);
5195 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_IRKS,
5196 				       MGMT_STATUS_INVALID_PARAMS);
5197 	}
5198 
5199 	BT_DBG("%s irk_count %u", hdev->name, irk_count);
5200 
5201 	for (i = 0; i < irk_count; i++) {
5202 		struct mgmt_irk_info *key = &cp->irks[i];
5203 
5204 		if (!irk_is_valid(key))
5205 			return mgmt_cmd_status(sk, hdev->id,
5206 					       MGMT_OP_LOAD_IRKS,
5207 					       MGMT_STATUS_INVALID_PARAMS);
5208 	}
5209 
5210 	hci_dev_lock(hdev);
5211 
5212 	hci_smp_irks_clear(hdev);
5213 
5214 	for (i = 0; i < irk_count; i++) {
5215 		struct mgmt_irk_info *irk = &cp->irks[i];
5216 
5217 		if (hci_is_blocked_key(hdev,
5218 				       HCI_BLOCKED_KEY_TYPE_IRK,
5219 				       irk->val)) {
5220 			bt_dev_warn(hdev, "Skipping blocked IRK for %pMR",
5221 				    &irk->addr.bdaddr);
5222 			continue;
5223 		}
5224 
5225 		hci_add_irk(hdev, &irk->addr.bdaddr,
5226 			    le_addr_type(irk->addr.type), irk->val,
5227 			    BDADDR_ANY);
5228 	}
5229 
5230 	hci_dev_set_flag(hdev, HCI_RPA_RESOLVING);
5231 
5232 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_IRKS, 0, NULL, 0);
5233 
5234 	hci_dev_unlock(hdev);
5235 
5236 	return err;
5237 }
5238 
5239 static bool ltk_is_valid(struct mgmt_ltk_info *key)
5240 {
5241 	if (key->master != 0x00 && key->master != 0x01)
5242 		return false;
5243 
5244 	switch (key->addr.type) {
5245 	case BDADDR_LE_PUBLIC:
5246 		return true;
5247 
5248 	case BDADDR_LE_RANDOM:
5249 		/* Two most significant bits shall be set */
5250 		if ((key->addr.bdaddr.b[5] & 0xc0) != 0xc0)
5251 			return false;
5252 		return true;
5253 	}
5254 
5255 	return false;
5256 }
5257 
5258 static int load_long_term_keys(struct sock *sk, struct hci_dev *hdev,
5259 			       void *cp_data, u16 len)
5260 {
5261 	struct mgmt_cp_load_long_term_keys *cp = cp_data;
5262 	const u16 max_key_count = ((U16_MAX - sizeof(*cp)) /
5263 				   sizeof(struct mgmt_ltk_info));
5264 	u16 key_count, expected_len;
5265 	int i, err;
5266 
5267 	BT_DBG("request for %s", hdev->name);
5268 
5269 	if (!lmp_le_capable(hdev))
5270 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS,
5271 				       MGMT_STATUS_NOT_SUPPORTED);
5272 
5273 	key_count = __le16_to_cpu(cp->key_count);
5274 	if (key_count > max_key_count) {
5275 		bt_dev_err(hdev, "load_ltks: too big key_count value %u",
5276 			   key_count);
5277 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS,
5278 				       MGMT_STATUS_INVALID_PARAMS);
5279 	}
5280 
5281 	expected_len = struct_size(cp, keys, key_count);
5282 	if (expected_len != len) {
5283 		bt_dev_err(hdev, "load_keys: expected %u bytes, got %u bytes",
5284 			   expected_len, len);
5285 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS,
5286 				       MGMT_STATUS_INVALID_PARAMS);
5287 	}
5288 
5289 	BT_DBG("%s key_count %u", hdev->name, key_count);
5290 
5291 	for (i = 0; i < key_count; i++) {
5292 		struct mgmt_ltk_info *key = &cp->keys[i];
5293 
5294 		if (!ltk_is_valid(key))
5295 			return mgmt_cmd_status(sk, hdev->id,
5296 					       MGMT_OP_LOAD_LONG_TERM_KEYS,
5297 					       MGMT_STATUS_INVALID_PARAMS);
5298 	}
5299 
5300 	hci_dev_lock(hdev);
5301 
5302 	hci_smp_ltks_clear(hdev);
5303 
5304 	for (i = 0; i < key_count; i++) {
5305 		struct mgmt_ltk_info *key = &cp->keys[i];
5306 		u8 type, authenticated;
5307 
5308 		if (hci_is_blocked_key(hdev,
5309 				       HCI_BLOCKED_KEY_TYPE_LTK,
5310 				       key->val)) {
5311 			bt_dev_warn(hdev, "Skipping blocked LTK for %pMR",
5312 				    &key->addr.bdaddr);
5313 			continue;
5314 		}
5315 
5316 		switch (key->type) {
5317 		case MGMT_LTK_UNAUTHENTICATED:
5318 			authenticated = 0x00;
5319 			type = key->master ? SMP_LTK : SMP_LTK_SLAVE;
5320 			break;
5321 		case MGMT_LTK_AUTHENTICATED:
5322 			authenticated = 0x01;
5323 			type = key->master ? SMP_LTK : SMP_LTK_SLAVE;
5324 			break;
5325 		case MGMT_LTK_P256_UNAUTH:
5326 			authenticated = 0x00;
5327 			type = SMP_LTK_P256;
5328 			break;
5329 		case MGMT_LTK_P256_AUTH:
5330 			authenticated = 0x01;
5331 			type = SMP_LTK_P256;
5332 			break;
5333 		case MGMT_LTK_P256_DEBUG:
5334 			authenticated = 0x00;
5335 			type = SMP_LTK_P256_DEBUG;
5336 			/* fall through */
5337 		default:
5338 			continue;
5339 		}
5340 
5341 		hci_add_ltk(hdev, &key->addr.bdaddr,
5342 			    le_addr_type(key->addr.type), type, authenticated,
5343 			    key->val, key->enc_size, key->ediv, key->rand);
5344 	}
5345 
5346 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS, 0,
5347 			   NULL, 0);
5348 
5349 	hci_dev_unlock(hdev);
5350 
5351 	return err;
5352 }
5353 
5354 static int conn_info_cmd_complete(struct mgmt_pending_cmd *cmd, u8 status)
5355 {
5356 	struct hci_conn *conn = cmd->user_data;
5357 	struct mgmt_rp_get_conn_info rp;
5358 	int err;
5359 
5360 	memcpy(&rp.addr, cmd->param, sizeof(rp.addr));
5361 
5362 	if (status == MGMT_STATUS_SUCCESS) {
5363 		rp.rssi = conn->rssi;
5364 		rp.tx_power = conn->tx_power;
5365 		rp.max_tx_power = conn->max_tx_power;
5366 	} else {
5367 		rp.rssi = HCI_RSSI_INVALID;
5368 		rp.tx_power = HCI_TX_POWER_INVALID;
5369 		rp.max_tx_power = HCI_TX_POWER_INVALID;
5370 	}
5371 
5372 	err = mgmt_cmd_complete(cmd->sk, cmd->index, MGMT_OP_GET_CONN_INFO,
5373 				status, &rp, sizeof(rp));
5374 
5375 	hci_conn_drop(conn);
5376 	hci_conn_put(conn);
5377 
5378 	return err;
5379 }
5380 
5381 static void conn_info_refresh_complete(struct hci_dev *hdev, u8 hci_status,
5382 				       u16 opcode)
5383 {
5384 	struct hci_cp_read_rssi *cp;
5385 	struct mgmt_pending_cmd *cmd;
5386 	struct hci_conn *conn;
5387 	u16 handle;
5388 	u8 status;
5389 
5390 	BT_DBG("status 0x%02x", hci_status);
5391 
5392 	hci_dev_lock(hdev);
5393 
5394 	/* Commands sent in request are either Read RSSI or Read Transmit Power
5395 	 * Level so we check which one was last sent to retrieve connection
5396 	 * handle.  Both commands have handle as first parameter so it's safe to
5397 	 * cast data on the same command struct.
5398 	 *
5399 	 * First command sent is always Read RSSI and we fail only if it fails.
5400 	 * In other case we simply override error to indicate success as we
5401 	 * already remembered if TX power value is actually valid.
5402 	 */
5403 	cp = hci_sent_cmd_data(hdev, HCI_OP_READ_RSSI);
5404 	if (!cp) {
5405 		cp = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
5406 		status = MGMT_STATUS_SUCCESS;
5407 	} else {
5408 		status = mgmt_status(hci_status);
5409 	}
5410 
5411 	if (!cp) {
5412 		bt_dev_err(hdev, "invalid sent_cmd in conn_info response");
5413 		goto unlock;
5414 	}
5415 
5416 	handle = __le16_to_cpu(cp->handle);
5417 	conn = hci_conn_hash_lookup_handle(hdev, handle);
5418 	if (!conn) {
5419 		bt_dev_err(hdev, "unknown handle (%d) in conn_info response",
5420 			   handle);
5421 		goto unlock;
5422 	}
5423 
5424 	cmd = pending_find_data(MGMT_OP_GET_CONN_INFO, hdev, conn);
5425 	if (!cmd)
5426 		goto unlock;
5427 
5428 	cmd->cmd_complete(cmd, status);
5429 	mgmt_pending_remove(cmd);
5430 
5431 unlock:
5432 	hci_dev_unlock(hdev);
5433 }
5434 
5435 static int get_conn_info(struct sock *sk, struct hci_dev *hdev, void *data,
5436 			 u16 len)
5437 {
5438 	struct mgmt_cp_get_conn_info *cp = data;
5439 	struct mgmt_rp_get_conn_info rp;
5440 	struct hci_conn *conn;
5441 	unsigned long conn_info_age;
5442 	int err = 0;
5443 
5444 	BT_DBG("%s", hdev->name);
5445 
5446 	memset(&rp, 0, sizeof(rp));
5447 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
5448 	rp.addr.type = cp->addr.type;
5449 
5450 	if (!bdaddr_type_is_valid(cp->addr.type))
5451 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
5452 					 MGMT_STATUS_INVALID_PARAMS,
5453 					 &rp, sizeof(rp));
5454 
5455 	hci_dev_lock(hdev);
5456 
5457 	if (!hdev_is_powered(hdev)) {
5458 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
5459 					MGMT_STATUS_NOT_POWERED, &rp,
5460 					sizeof(rp));
5461 		goto unlock;
5462 	}
5463 
5464 	if (cp->addr.type == BDADDR_BREDR)
5465 		conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
5466 					       &cp->addr.bdaddr);
5467 	else
5468 		conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->addr.bdaddr);
5469 
5470 	if (!conn || conn->state != BT_CONNECTED) {
5471 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
5472 					MGMT_STATUS_NOT_CONNECTED, &rp,
5473 					sizeof(rp));
5474 		goto unlock;
5475 	}
5476 
5477 	if (pending_find_data(MGMT_OP_GET_CONN_INFO, hdev, conn)) {
5478 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
5479 					MGMT_STATUS_BUSY, &rp, sizeof(rp));
5480 		goto unlock;
5481 	}
5482 
5483 	/* To avoid client trying to guess when to poll again for information we
5484 	 * calculate conn info age as random value between min/max set in hdev.
5485 	 */
5486 	conn_info_age = hdev->conn_info_min_age +
5487 			prandom_u32_max(hdev->conn_info_max_age -
5488 					hdev->conn_info_min_age);
5489 
5490 	/* Query controller to refresh cached values if they are too old or were
5491 	 * never read.
5492 	 */
5493 	if (time_after(jiffies, conn->conn_info_timestamp +
5494 		       msecs_to_jiffies(conn_info_age)) ||
5495 	    !conn->conn_info_timestamp) {
5496 		struct hci_request req;
5497 		struct hci_cp_read_tx_power req_txp_cp;
5498 		struct hci_cp_read_rssi req_rssi_cp;
5499 		struct mgmt_pending_cmd *cmd;
5500 
5501 		hci_req_init(&req, hdev);
5502 		req_rssi_cp.handle = cpu_to_le16(conn->handle);
5503 		hci_req_add(&req, HCI_OP_READ_RSSI, sizeof(req_rssi_cp),
5504 			    &req_rssi_cp);
5505 
5506 		/* For LE links TX power does not change thus we don't need to
5507 		 * query for it once value is known.
5508 		 */
5509 		if (!bdaddr_type_is_le(cp->addr.type) ||
5510 		    conn->tx_power == HCI_TX_POWER_INVALID) {
5511 			req_txp_cp.handle = cpu_to_le16(conn->handle);
5512 			req_txp_cp.type = 0x00;
5513 			hci_req_add(&req, HCI_OP_READ_TX_POWER,
5514 				    sizeof(req_txp_cp), &req_txp_cp);
5515 		}
5516 
5517 		/* Max TX power needs to be read only once per connection */
5518 		if (conn->max_tx_power == HCI_TX_POWER_INVALID) {
5519 			req_txp_cp.handle = cpu_to_le16(conn->handle);
5520 			req_txp_cp.type = 0x01;
5521 			hci_req_add(&req, HCI_OP_READ_TX_POWER,
5522 				    sizeof(req_txp_cp), &req_txp_cp);
5523 		}
5524 
5525 		err = hci_req_run(&req, conn_info_refresh_complete);
5526 		if (err < 0)
5527 			goto unlock;
5528 
5529 		cmd = mgmt_pending_add(sk, MGMT_OP_GET_CONN_INFO, hdev,
5530 				       data, len);
5531 		if (!cmd) {
5532 			err = -ENOMEM;
5533 			goto unlock;
5534 		}
5535 
5536 		hci_conn_hold(conn);
5537 		cmd->user_data = hci_conn_get(conn);
5538 		cmd->cmd_complete = conn_info_cmd_complete;
5539 
5540 		conn->conn_info_timestamp = jiffies;
5541 	} else {
5542 		/* Cache is valid, just reply with values cached in hci_conn */
5543 		rp.rssi = conn->rssi;
5544 		rp.tx_power = conn->tx_power;
5545 		rp.max_tx_power = conn->max_tx_power;
5546 
5547 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
5548 					MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
5549 	}
5550 
5551 unlock:
5552 	hci_dev_unlock(hdev);
5553 	return err;
5554 }
5555 
5556 static int clock_info_cmd_complete(struct mgmt_pending_cmd *cmd, u8 status)
5557 {
5558 	struct hci_conn *conn = cmd->user_data;
5559 	struct mgmt_rp_get_clock_info rp;
5560 	struct hci_dev *hdev;
5561 	int err;
5562 
5563 	memset(&rp, 0, sizeof(rp));
5564 	memcpy(&rp.addr, cmd->param, sizeof(rp.addr));
5565 
5566 	if (status)
5567 		goto complete;
5568 
5569 	hdev = hci_dev_get(cmd->index);
5570 	if (hdev) {
5571 		rp.local_clock = cpu_to_le32(hdev->clock);
5572 		hci_dev_put(hdev);
5573 	}
5574 
5575 	if (conn) {
5576 		rp.piconet_clock = cpu_to_le32(conn->clock);
5577 		rp.accuracy = cpu_to_le16(conn->clock_accuracy);
5578 	}
5579 
5580 complete:
5581 	err = mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status, &rp,
5582 				sizeof(rp));
5583 
5584 	if (conn) {
5585 		hci_conn_drop(conn);
5586 		hci_conn_put(conn);
5587 	}
5588 
5589 	return err;
5590 }
5591 
5592 static void get_clock_info_complete(struct hci_dev *hdev, u8 status, u16 opcode)
5593 {
5594 	struct hci_cp_read_clock *hci_cp;
5595 	struct mgmt_pending_cmd *cmd;
5596 	struct hci_conn *conn;
5597 
5598 	BT_DBG("%s status %u", hdev->name, status);
5599 
5600 	hci_dev_lock(hdev);
5601 
5602 	hci_cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
5603 	if (!hci_cp)
5604 		goto unlock;
5605 
5606 	if (hci_cp->which) {
5607 		u16 handle = __le16_to_cpu(hci_cp->handle);
5608 		conn = hci_conn_hash_lookup_handle(hdev, handle);
5609 	} else {
5610 		conn = NULL;
5611 	}
5612 
5613 	cmd = pending_find_data(MGMT_OP_GET_CLOCK_INFO, hdev, conn);
5614 	if (!cmd)
5615 		goto unlock;
5616 
5617 	cmd->cmd_complete(cmd, mgmt_status(status));
5618 	mgmt_pending_remove(cmd);
5619 
5620 unlock:
5621 	hci_dev_unlock(hdev);
5622 }
5623 
5624 static int get_clock_info(struct sock *sk, struct hci_dev *hdev, void *data,
5625 			 u16 len)
5626 {
5627 	struct mgmt_cp_get_clock_info *cp = data;
5628 	struct mgmt_rp_get_clock_info rp;
5629 	struct hci_cp_read_clock hci_cp;
5630 	struct mgmt_pending_cmd *cmd;
5631 	struct hci_request req;
5632 	struct hci_conn *conn;
5633 	int err;
5634 
5635 	BT_DBG("%s", hdev->name);
5636 
5637 	memset(&rp, 0, sizeof(rp));
5638 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
5639 	rp.addr.type = cp->addr.type;
5640 
5641 	if (cp->addr.type != BDADDR_BREDR)
5642 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CLOCK_INFO,
5643 					 MGMT_STATUS_INVALID_PARAMS,
5644 					 &rp, sizeof(rp));
5645 
5646 	hci_dev_lock(hdev);
5647 
5648 	if (!hdev_is_powered(hdev)) {
5649 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CLOCK_INFO,
5650 					MGMT_STATUS_NOT_POWERED, &rp,
5651 					sizeof(rp));
5652 		goto unlock;
5653 	}
5654 
5655 	if (bacmp(&cp->addr.bdaddr, BDADDR_ANY)) {
5656 		conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
5657 					       &cp->addr.bdaddr);
5658 		if (!conn || conn->state != BT_CONNECTED) {
5659 			err = mgmt_cmd_complete(sk, hdev->id,
5660 						MGMT_OP_GET_CLOCK_INFO,
5661 						MGMT_STATUS_NOT_CONNECTED,
5662 						&rp, sizeof(rp));
5663 			goto unlock;
5664 		}
5665 	} else {
5666 		conn = NULL;
5667 	}
5668 
5669 	cmd = mgmt_pending_add(sk, MGMT_OP_GET_CLOCK_INFO, hdev, data, len);
5670 	if (!cmd) {
5671 		err = -ENOMEM;
5672 		goto unlock;
5673 	}
5674 
5675 	cmd->cmd_complete = clock_info_cmd_complete;
5676 
5677 	hci_req_init(&req, hdev);
5678 
5679 	memset(&hci_cp, 0, sizeof(hci_cp));
5680 	hci_req_add(&req, HCI_OP_READ_CLOCK, sizeof(hci_cp), &hci_cp);
5681 
5682 	if (conn) {
5683 		hci_conn_hold(conn);
5684 		cmd->user_data = hci_conn_get(conn);
5685 
5686 		hci_cp.handle = cpu_to_le16(conn->handle);
5687 		hci_cp.which = 0x01; /* Piconet clock */
5688 		hci_req_add(&req, HCI_OP_READ_CLOCK, sizeof(hci_cp), &hci_cp);
5689 	}
5690 
5691 	err = hci_req_run(&req, get_clock_info_complete);
5692 	if (err < 0)
5693 		mgmt_pending_remove(cmd);
5694 
5695 unlock:
5696 	hci_dev_unlock(hdev);
5697 	return err;
5698 }
5699 
5700 static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type)
5701 {
5702 	struct hci_conn *conn;
5703 
5704 	conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, addr);
5705 	if (!conn)
5706 		return false;
5707 
5708 	if (conn->dst_type != type)
5709 		return false;
5710 
5711 	if (conn->state != BT_CONNECTED)
5712 		return false;
5713 
5714 	return true;
5715 }
5716 
5717 /* This function requires the caller holds hdev->lock */
5718 static int hci_conn_params_set(struct hci_dev *hdev, bdaddr_t *addr,
5719 			       u8 addr_type, u8 auto_connect)
5720 {
5721 	struct hci_conn_params *params;
5722 
5723 	params = hci_conn_params_add(hdev, addr, addr_type);
5724 	if (!params)
5725 		return -EIO;
5726 
5727 	if (params->auto_connect == auto_connect)
5728 		return 0;
5729 
5730 	list_del_init(&params->action);
5731 
5732 	switch (auto_connect) {
5733 	case HCI_AUTO_CONN_DISABLED:
5734 	case HCI_AUTO_CONN_LINK_LOSS:
5735 		/* If auto connect is being disabled when we're trying to
5736 		 * connect to device, keep connecting.
5737 		 */
5738 		if (params->explicit_connect)
5739 			list_add(&params->action, &hdev->pend_le_conns);
5740 		break;
5741 	case HCI_AUTO_CONN_REPORT:
5742 		if (params->explicit_connect)
5743 			list_add(&params->action, &hdev->pend_le_conns);
5744 		else
5745 			list_add(&params->action, &hdev->pend_le_reports);
5746 		break;
5747 	case HCI_AUTO_CONN_DIRECT:
5748 	case HCI_AUTO_CONN_ALWAYS:
5749 		if (!is_connected(hdev, addr, addr_type))
5750 			list_add(&params->action, &hdev->pend_le_conns);
5751 		break;
5752 	}
5753 
5754 	params->auto_connect = auto_connect;
5755 
5756 	BT_DBG("addr %pMR (type %u) auto_connect %u", addr, addr_type,
5757 	       auto_connect);
5758 
5759 	return 0;
5760 }
5761 
5762 static void device_added(struct sock *sk, struct hci_dev *hdev,
5763 			 bdaddr_t *bdaddr, u8 type, u8 action)
5764 {
5765 	struct mgmt_ev_device_added ev;
5766 
5767 	bacpy(&ev.addr.bdaddr, bdaddr);
5768 	ev.addr.type = type;
5769 	ev.action = action;
5770 
5771 	mgmt_event(MGMT_EV_DEVICE_ADDED, hdev, &ev, sizeof(ev), sk);
5772 }
5773 
5774 static int add_device(struct sock *sk, struct hci_dev *hdev,
5775 		      void *data, u16 len)
5776 {
5777 	struct mgmt_cp_add_device *cp = data;
5778 	u8 auto_conn, addr_type;
5779 	int err;
5780 
5781 	BT_DBG("%s", hdev->name);
5782 
5783 	if (!bdaddr_type_is_valid(cp->addr.type) ||
5784 	    !bacmp(&cp->addr.bdaddr, BDADDR_ANY))
5785 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
5786 					 MGMT_STATUS_INVALID_PARAMS,
5787 					 &cp->addr, sizeof(cp->addr));
5788 
5789 	if (cp->action != 0x00 && cp->action != 0x01 && cp->action != 0x02)
5790 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
5791 					 MGMT_STATUS_INVALID_PARAMS,
5792 					 &cp->addr, sizeof(cp->addr));
5793 
5794 	hci_dev_lock(hdev);
5795 
5796 	if (cp->addr.type == BDADDR_BREDR) {
5797 		/* Only incoming connections action is supported for now */
5798 		if (cp->action != 0x01) {
5799 			err = mgmt_cmd_complete(sk, hdev->id,
5800 						MGMT_OP_ADD_DEVICE,
5801 						MGMT_STATUS_INVALID_PARAMS,
5802 						&cp->addr, sizeof(cp->addr));
5803 			goto unlock;
5804 		}
5805 
5806 		err = hci_bdaddr_list_add(&hdev->whitelist, &cp->addr.bdaddr,
5807 					  cp->addr.type);
5808 		if (err)
5809 			goto unlock;
5810 
5811 		hci_req_update_scan(hdev);
5812 
5813 		goto added;
5814 	}
5815 
5816 	addr_type = le_addr_type(cp->addr.type);
5817 
5818 	if (cp->action == 0x02)
5819 		auto_conn = HCI_AUTO_CONN_ALWAYS;
5820 	else if (cp->action == 0x01)
5821 		auto_conn = HCI_AUTO_CONN_DIRECT;
5822 	else
5823 		auto_conn = HCI_AUTO_CONN_REPORT;
5824 
5825 	/* Kernel internally uses conn_params with resolvable private
5826 	 * address, but Add Device allows only identity addresses.
5827 	 * Make sure it is enforced before calling
5828 	 * hci_conn_params_lookup.
5829 	 */
5830 	if (!hci_is_identity_address(&cp->addr.bdaddr, addr_type)) {
5831 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
5832 					MGMT_STATUS_INVALID_PARAMS,
5833 					&cp->addr, sizeof(cp->addr));
5834 		goto unlock;
5835 	}
5836 
5837 	/* If the connection parameters don't exist for this device,
5838 	 * they will be created and configured with defaults.
5839 	 */
5840 	if (hci_conn_params_set(hdev, &cp->addr.bdaddr, addr_type,
5841 				auto_conn) < 0) {
5842 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
5843 					MGMT_STATUS_FAILED, &cp->addr,
5844 					sizeof(cp->addr));
5845 		goto unlock;
5846 	}
5847 
5848 	hci_update_background_scan(hdev);
5849 
5850 added:
5851 	device_added(sk, hdev, &cp->addr.bdaddr, cp->addr.type, cp->action);
5852 
5853 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
5854 				MGMT_STATUS_SUCCESS, &cp->addr,
5855 				sizeof(cp->addr));
5856 
5857 unlock:
5858 	hci_dev_unlock(hdev);
5859 	return err;
5860 }
5861 
5862 static void device_removed(struct sock *sk, struct hci_dev *hdev,
5863 			   bdaddr_t *bdaddr, u8 type)
5864 {
5865 	struct mgmt_ev_device_removed ev;
5866 
5867 	bacpy(&ev.addr.bdaddr, bdaddr);
5868 	ev.addr.type = type;
5869 
5870 	mgmt_event(MGMT_EV_DEVICE_REMOVED, hdev, &ev, sizeof(ev), sk);
5871 }
5872 
5873 static int remove_device(struct sock *sk, struct hci_dev *hdev,
5874 			 void *data, u16 len)
5875 {
5876 	struct mgmt_cp_remove_device *cp = data;
5877 	int err;
5878 
5879 	BT_DBG("%s", hdev->name);
5880 
5881 	hci_dev_lock(hdev);
5882 
5883 	if (bacmp(&cp->addr.bdaddr, BDADDR_ANY)) {
5884 		struct hci_conn_params *params;
5885 		u8 addr_type;
5886 
5887 		if (!bdaddr_type_is_valid(cp->addr.type)) {
5888 			err = mgmt_cmd_complete(sk, hdev->id,
5889 						MGMT_OP_REMOVE_DEVICE,
5890 						MGMT_STATUS_INVALID_PARAMS,
5891 						&cp->addr, sizeof(cp->addr));
5892 			goto unlock;
5893 		}
5894 
5895 		if (cp->addr.type == BDADDR_BREDR) {
5896 			err = hci_bdaddr_list_del(&hdev->whitelist,
5897 						  &cp->addr.bdaddr,
5898 						  cp->addr.type);
5899 			if (err) {
5900 				err = mgmt_cmd_complete(sk, hdev->id,
5901 							MGMT_OP_REMOVE_DEVICE,
5902 							MGMT_STATUS_INVALID_PARAMS,
5903 							&cp->addr,
5904 							sizeof(cp->addr));
5905 				goto unlock;
5906 			}
5907 
5908 			hci_req_update_scan(hdev);
5909 
5910 			device_removed(sk, hdev, &cp->addr.bdaddr,
5911 				       cp->addr.type);
5912 			goto complete;
5913 		}
5914 
5915 		addr_type = le_addr_type(cp->addr.type);
5916 
5917 		/* Kernel internally uses conn_params with resolvable private
5918 		 * address, but Remove Device allows only identity addresses.
5919 		 * Make sure it is enforced before calling
5920 		 * hci_conn_params_lookup.
5921 		 */
5922 		if (!hci_is_identity_address(&cp->addr.bdaddr, addr_type)) {
5923 			err = mgmt_cmd_complete(sk, hdev->id,
5924 						MGMT_OP_REMOVE_DEVICE,
5925 						MGMT_STATUS_INVALID_PARAMS,
5926 						&cp->addr, sizeof(cp->addr));
5927 			goto unlock;
5928 		}
5929 
5930 		params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr,
5931 						addr_type);
5932 		if (!params) {
5933 			err = mgmt_cmd_complete(sk, hdev->id,
5934 						MGMT_OP_REMOVE_DEVICE,
5935 						MGMT_STATUS_INVALID_PARAMS,
5936 						&cp->addr, sizeof(cp->addr));
5937 			goto unlock;
5938 		}
5939 
5940 		if (params->auto_connect == HCI_AUTO_CONN_DISABLED ||
5941 		    params->auto_connect == HCI_AUTO_CONN_EXPLICIT) {
5942 			err = mgmt_cmd_complete(sk, hdev->id,
5943 						MGMT_OP_REMOVE_DEVICE,
5944 						MGMT_STATUS_INVALID_PARAMS,
5945 						&cp->addr, sizeof(cp->addr));
5946 			goto unlock;
5947 		}
5948 
5949 		list_del(&params->action);
5950 		list_del(&params->list);
5951 		kfree(params);
5952 		hci_update_background_scan(hdev);
5953 
5954 		device_removed(sk, hdev, &cp->addr.bdaddr, cp->addr.type);
5955 	} else {
5956 		struct hci_conn_params *p, *tmp;
5957 		struct bdaddr_list *b, *btmp;
5958 
5959 		if (cp->addr.type) {
5960 			err = mgmt_cmd_complete(sk, hdev->id,
5961 						MGMT_OP_REMOVE_DEVICE,
5962 						MGMT_STATUS_INVALID_PARAMS,
5963 						&cp->addr, sizeof(cp->addr));
5964 			goto unlock;
5965 		}
5966 
5967 		list_for_each_entry_safe(b, btmp, &hdev->whitelist, list) {
5968 			device_removed(sk, hdev, &b->bdaddr, b->bdaddr_type);
5969 			list_del(&b->list);
5970 			kfree(b);
5971 		}
5972 
5973 		hci_req_update_scan(hdev);
5974 
5975 		list_for_each_entry_safe(p, tmp, &hdev->le_conn_params, list) {
5976 			if (p->auto_connect == HCI_AUTO_CONN_DISABLED)
5977 				continue;
5978 			device_removed(sk, hdev, &p->addr, p->addr_type);
5979 			if (p->explicit_connect) {
5980 				p->auto_connect = HCI_AUTO_CONN_EXPLICIT;
5981 				continue;
5982 			}
5983 			list_del(&p->action);
5984 			list_del(&p->list);
5985 			kfree(p);
5986 		}
5987 
5988 		BT_DBG("All LE connection parameters were removed");
5989 
5990 		hci_update_background_scan(hdev);
5991 	}
5992 
5993 complete:
5994 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_DEVICE,
5995 				MGMT_STATUS_SUCCESS, &cp->addr,
5996 				sizeof(cp->addr));
5997 unlock:
5998 	hci_dev_unlock(hdev);
5999 	return err;
6000 }
6001 
6002 static int load_conn_param(struct sock *sk, struct hci_dev *hdev, void *data,
6003 			   u16 len)
6004 {
6005 	struct mgmt_cp_load_conn_param *cp = data;
6006 	const u16 max_param_count = ((U16_MAX - sizeof(*cp)) /
6007 				     sizeof(struct mgmt_conn_param));
6008 	u16 param_count, expected_len;
6009 	int i;
6010 
6011 	if (!lmp_le_capable(hdev))
6012 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM,
6013 				       MGMT_STATUS_NOT_SUPPORTED);
6014 
6015 	param_count = __le16_to_cpu(cp->param_count);
6016 	if (param_count > max_param_count) {
6017 		bt_dev_err(hdev, "load_conn_param: too big param_count value %u",
6018 			   param_count);
6019 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM,
6020 				       MGMT_STATUS_INVALID_PARAMS);
6021 	}
6022 
6023 	expected_len = struct_size(cp, params, param_count);
6024 	if (expected_len != len) {
6025 		bt_dev_err(hdev, "load_conn_param: expected %u bytes, got %u bytes",
6026 			   expected_len, len);
6027 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM,
6028 				       MGMT_STATUS_INVALID_PARAMS);
6029 	}
6030 
6031 	BT_DBG("%s param_count %u", hdev->name, param_count);
6032 
6033 	hci_dev_lock(hdev);
6034 
6035 	hci_conn_params_clear_disabled(hdev);
6036 
6037 	for (i = 0; i < param_count; i++) {
6038 		struct mgmt_conn_param *param = &cp->params[i];
6039 		struct hci_conn_params *hci_param;
6040 		u16 min, max, latency, timeout;
6041 		u8 addr_type;
6042 
6043 		BT_DBG("Adding %pMR (type %u)", &param->addr.bdaddr,
6044 		       param->addr.type);
6045 
6046 		if (param->addr.type == BDADDR_LE_PUBLIC) {
6047 			addr_type = ADDR_LE_DEV_PUBLIC;
6048 		} else if (param->addr.type == BDADDR_LE_RANDOM) {
6049 			addr_type = ADDR_LE_DEV_RANDOM;
6050 		} else {
6051 			bt_dev_err(hdev, "ignoring invalid connection parameters");
6052 			continue;
6053 		}
6054 
6055 		min = le16_to_cpu(param->min_interval);
6056 		max = le16_to_cpu(param->max_interval);
6057 		latency = le16_to_cpu(param->latency);
6058 		timeout = le16_to_cpu(param->timeout);
6059 
6060 		BT_DBG("min 0x%04x max 0x%04x latency 0x%04x timeout 0x%04x",
6061 		       min, max, latency, timeout);
6062 
6063 		if (hci_check_conn_params(min, max, latency, timeout) < 0) {
6064 			bt_dev_err(hdev, "ignoring invalid connection parameters");
6065 			continue;
6066 		}
6067 
6068 		hci_param = hci_conn_params_add(hdev, &param->addr.bdaddr,
6069 						addr_type);
6070 		if (!hci_param) {
6071 			bt_dev_err(hdev, "failed to add connection parameters");
6072 			continue;
6073 		}
6074 
6075 		hci_param->conn_min_interval = min;
6076 		hci_param->conn_max_interval = max;
6077 		hci_param->conn_latency = latency;
6078 		hci_param->supervision_timeout = timeout;
6079 	}
6080 
6081 	hci_dev_unlock(hdev);
6082 
6083 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM, 0,
6084 				 NULL, 0);
6085 }
6086 
6087 static int set_external_config(struct sock *sk, struct hci_dev *hdev,
6088 			       void *data, u16 len)
6089 {
6090 	struct mgmt_cp_set_external_config *cp = data;
6091 	bool changed;
6092 	int err;
6093 
6094 	BT_DBG("%s", hdev->name);
6095 
6096 	if (hdev_is_powered(hdev))
6097 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_EXTERNAL_CONFIG,
6098 				       MGMT_STATUS_REJECTED);
6099 
6100 	if (cp->config != 0x00 && cp->config != 0x01)
6101 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_EXTERNAL_CONFIG,
6102 				         MGMT_STATUS_INVALID_PARAMS);
6103 
6104 	if (!test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks))
6105 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_EXTERNAL_CONFIG,
6106 				       MGMT_STATUS_NOT_SUPPORTED);
6107 
6108 	hci_dev_lock(hdev);
6109 
6110 	if (cp->config)
6111 		changed = !hci_dev_test_and_set_flag(hdev, HCI_EXT_CONFIGURED);
6112 	else
6113 		changed = hci_dev_test_and_clear_flag(hdev, HCI_EXT_CONFIGURED);
6114 
6115 	err = send_options_rsp(sk, MGMT_OP_SET_EXTERNAL_CONFIG, hdev);
6116 	if (err < 0)
6117 		goto unlock;
6118 
6119 	if (!changed)
6120 		goto unlock;
6121 
6122 	err = new_options(hdev, sk);
6123 
6124 	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED) == is_configured(hdev)) {
6125 		mgmt_index_removed(hdev);
6126 
6127 		if (hci_dev_test_and_change_flag(hdev, HCI_UNCONFIGURED)) {
6128 			hci_dev_set_flag(hdev, HCI_CONFIG);
6129 			hci_dev_set_flag(hdev, HCI_AUTO_OFF);
6130 
6131 			queue_work(hdev->req_workqueue, &hdev->power_on);
6132 		} else {
6133 			set_bit(HCI_RAW, &hdev->flags);
6134 			mgmt_index_added(hdev);
6135 		}
6136 	}
6137 
6138 unlock:
6139 	hci_dev_unlock(hdev);
6140 	return err;
6141 }
6142 
6143 static int set_public_address(struct sock *sk, struct hci_dev *hdev,
6144 			      void *data, u16 len)
6145 {
6146 	struct mgmt_cp_set_public_address *cp = data;
6147 	bool changed;
6148 	int err;
6149 
6150 	BT_DBG("%s", hdev->name);
6151 
6152 	if (hdev_is_powered(hdev))
6153 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PUBLIC_ADDRESS,
6154 				       MGMT_STATUS_REJECTED);
6155 
6156 	if (!bacmp(&cp->bdaddr, BDADDR_ANY))
6157 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PUBLIC_ADDRESS,
6158 				       MGMT_STATUS_INVALID_PARAMS);
6159 
6160 	if (!hdev->set_bdaddr)
6161 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PUBLIC_ADDRESS,
6162 				       MGMT_STATUS_NOT_SUPPORTED);
6163 
6164 	hci_dev_lock(hdev);
6165 
6166 	changed = !!bacmp(&hdev->public_addr, &cp->bdaddr);
6167 	bacpy(&hdev->public_addr, &cp->bdaddr);
6168 
6169 	err = send_options_rsp(sk, MGMT_OP_SET_PUBLIC_ADDRESS, hdev);
6170 	if (err < 0)
6171 		goto unlock;
6172 
6173 	if (!changed)
6174 		goto unlock;
6175 
6176 	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
6177 		err = new_options(hdev, sk);
6178 
6179 	if (is_configured(hdev)) {
6180 		mgmt_index_removed(hdev);
6181 
6182 		hci_dev_clear_flag(hdev, HCI_UNCONFIGURED);
6183 
6184 		hci_dev_set_flag(hdev, HCI_CONFIG);
6185 		hci_dev_set_flag(hdev, HCI_AUTO_OFF);
6186 
6187 		queue_work(hdev->req_workqueue, &hdev->power_on);
6188 	}
6189 
6190 unlock:
6191 	hci_dev_unlock(hdev);
6192 	return err;
6193 }
6194 
6195 static void read_local_oob_ext_data_complete(struct hci_dev *hdev, u8 status,
6196 					     u16 opcode, struct sk_buff *skb)
6197 {
6198 	const struct mgmt_cp_read_local_oob_ext_data *mgmt_cp;
6199 	struct mgmt_rp_read_local_oob_ext_data *mgmt_rp;
6200 	u8 *h192, *r192, *h256, *r256;
6201 	struct mgmt_pending_cmd *cmd;
6202 	u16 eir_len;
6203 	int err;
6204 
6205 	BT_DBG("%s status %u", hdev->name, status);
6206 
6207 	cmd = pending_find(MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev);
6208 	if (!cmd)
6209 		return;
6210 
6211 	mgmt_cp = cmd->param;
6212 
6213 	if (status) {
6214 		status = mgmt_status(status);
6215 		eir_len = 0;
6216 
6217 		h192 = NULL;
6218 		r192 = NULL;
6219 		h256 = NULL;
6220 		r256 = NULL;
6221 	} else if (opcode == HCI_OP_READ_LOCAL_OOB_DATA) {
6222 		struct hci_rp_read_local_oob_data *rp;
6223 
6224 		if (skb->len != sizeof(*rp)) {
6225 			status = MGMT_STATUS_FAILED;
6226 			eir_len = 0;
6227 		} else {
6228 			status = MGMT_STATUS_SUCCESS;
6229 			rp = (void *)skb->data;
6230 
6231 			eir_len = 5 + 18 + 18;
6232 			h192 = rp->hash;
6233 			r192 = rp->rand;
6234 			h256 = NULL;
6235 			r256 = NULL;
6236 		}
6237 	} else {
6238 		struct hci_rp_read_local_oob_ext_data *rp;
6239 
6240 		if (skb->len != sizeof(*rp)) {
6241 			status = MGMT_STATUS_FAILED;
6242 			eir_len = 0;
6243 		} else {
6244 			status = MGMT_STATUS_SUCCESS;
6245 			rp = (void *)skb->data;
6246 
6247 			if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
6248 				eir_len = 5 + 18 + 18;
6249 				h192 = NULL;
6250 				r192 = NULL;
6251 			} else {
6252 				eir_len = 5 + 18 + 18 + 18 + 18;
6253 				h192 = rp->hash192;
6254 				r192 = rp->rand192;
6255 			}
6256 
6257 			h256 = rp->hash256;
6258 			r256 = rp->rand256;
6259 		}
6260 	}
6261 
6262 	mgmt_rp = kmalloc(sizeof(*mgmt_rp) + eir_len, GFP_KERNEL);
6263 	if (!mgmt_rp)
6264 		goto done;
6265 
6266 	if (status)
6267 		goto send_rsp;
6268 
6269 	eir_len = eir_append_data(mgmt_rp->eir, 0, EIR_CLASS_OF_DEV,
6270 				  hdev->dev_class, 3);
6271 
6272 	if (h192 && r192) {
6273 		eir_len = eir_append_data(mgmt_rp->eir, eir_len,
6274 					  EIR_SSP_HASH_C192, h192, 16);
6275 		eir_len = eir_append_data(mgmt_rp->eir, eir_len,
6276 					  EIR_SSP_RAND_R192, r192, 16);
6277 	}
6278 
6279 	if (h256 && r256) {
6280 		eir_len = eir_append_data(mgmt_rp->eir, eir_len,
6281 					  EIR_SSP_HASH_C256, h256, 16);
6282 		eir_len = eir_append_data(mgmt_rp->eir, eir_len,
6283 					  EIR_SSP_RAND_R256, r256, 16);
6284 	}
6285 
6286 send_rsp:
6287 	mgmt_rp->type = mgmt_cp->type;
6288 	mgmt_rp->eir_len = cpu_to_le16(eir_len);
6289 
6290 	err = mgmt_cmd_complete(cmd->sk, hdev->id,
6291 				MGMT_OP_READ_LOCAL_OOB_EXT_DATA, status,
6292 				mgmt_rp, sizeof(*mgmt_rp) + eir_len);
6293 	if (err < 0 || status)
6294 		goto done;
6295 
6296 	hci_sock_set_flag(cmd->sk, HCI_MGMT_OOB_DATA_EVENTS);
6297 
6298 	err = mgmt_limited_event(MGMT_EV_LOCAL_OOB_DATA_UPDATED, hdev,
6299 				 mgmt_rp, sizeof(*mgmt_rp) + eir_len,
6300 				 HCI_MGMT_OOB_DATA_EVENTS, cmd->sk);
6301 done:
6302 	kfree(mgmt_rp);
6303 	mgmt_pending_remove(cmd);
6304 }
6305 
6306 static int read_local_ssp_oob_req(struct hci_dev *hdev, struct sock *sk,
6307 				  struct mgmt_cp_read_local_oob_ext_data *cp)
6308 {
6309 	struct mgmt_pending_cmd *cmd;
6310 	struct hci_request req;
6311 	int err;
6312 
6313 	cmd = mgmt_pending_add(sk, MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev,
6314 			       cp, sizeof(*cp));
6315 	if (!cmd)
6316 		return -ENOMEM;
6317 
6318 	hci_req_init(&req, hdev);
6319 
6320 	if (bredr_sc_enabled(hdev))
6321 		hci_req_add(&req, HCI_OP_READ_LOCAL_OOB_EXT_DATA, 0, NULL);
6322 	else
6323 		hci_req_add(&req, HCI_OP_READ_LOCAL_OOB_DATA, 0, NULL);
6324 
6325 	err = hci_req_run_skb(&req, read_local_oob_ext_data_complete);
6326 	if (err < 0) {
6327 		mgmt_pending_remove(cmd);
6328 		return err;
6329 	}
6330 
6331 	return 0;
6332 }
6333 
6334 static int read_local_oob_ext_data(struct sock *sk, struct hci_dev *hdev,
6335 				   void *data, u16 data_len)
6336 {
6337 	struct mgmt_cp_read_local_oob_ext_data *cp = data;
6338 	struct mgmt_rp_read_local_oob_ext_data *rp;
6339 	size_t rp_len;
6340 	u16 eir_len;
6341 	u8 status, flags, role, addr[7], hash[16], rand[16];
6342 	int err;
6343 
6344 	BT_DBG("%s", hdev->name);
6345 
6346 	if (hdev_is_powered(hdev)) {
6347 		switch (cp->type) {
6348 		case BIT(BDADDR_BREDR):
6349 			status = mgmt_bredr_support(hdev);
6350 			if (status)
6351 				eir_len = 0;
6352 			else
6353 				eir_len = 5;
6354 			break;
6355 		case (BIT(BDADDR_LE_PUBLIC) | BIT(BDADDR_LE_RANDOM)):
6356 			status = mgmt_le_support(hdev);
6357 			if (status)
6358 				eir_len = 0;
6359 			else
6360 				eir_len = 9 + 3 + 18 + 18 + 3;
6361 			break;
6362 		default:
6363 			status = MGMT_STATUS_INVALID_PARAMS;
6364 			eir_len = 0;
6365 			break;
6366 		}
6367 	} else {
6368 		status = MGMT_STATUS_NOT_POWERED;
6369 		eir_len = 0;
6370 	}
6371 
6372 	rp_len = sizeof(*rp) + eir_len;
6373 	rp = kmalloc(rp_len, GFP_ATOMIC);
6374 	if (!rp)
6375 		return -ENOMEM;
6376 
6377 	if (status)
6378 		goto complete;
6379 
6380 	hci_dev_lock(hdev);
6381 
6382 	eir_len = 0;
6383 	switch (cp->type) {
6384 	case BIT(BDADDR_BREDR):
6385 		if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
6386 			err = read_local_ssp_oob_req(hdev, sk, cp);
6387 			hci_dev_unlock(hdev);
6388 			if (!err)
6389 				goto done;
6390 
6391 			status = MGMT_STATUS_FAILED;
6392 			goto complete;
6393 		} else {
6394 			eir_len = eir_append_data(rp->eir, eir_len,
6395 						  EIR_CLASS_OF_DEV,
6396 						  hdev->dev_class, 3);
6397 		}
6398 		break;
6399 	case (BIT(BDADDR_LE_PUBLIC) | BIT(BDADDR_LE_RANDOM)):
6400 		if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
6401 		    smp_generate_oob(hdev, hash, rand) < 0) {
6402 			hci_dev_unlock(hdev);
6403 			status = MGMT_STATUS_FAILED;
6404 			goto complete;
6405 		}
6406 
6407 		/* This should return the active RPA, but since the RPA
6408 		 * is only programmed on demand, it is really hard to fill
6409 		 * this in at the moment. For now disallow retrieving
6410 		 * local out-of-band data when privacy is in use.
6411 		 *
6412 		 * Returning the identity address will not help here since
6413 		 * pairing happens before the identity resolving key is
6414 		 * known and thus the connection establishment happens
6415 		 * based on the RPA and not the identity address.
6416 		 */
6417 		if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
6418 			hci_dev_unlock(hdev);
6419 			status = MGMT_STATUS_REJECTED;
6420 			goto complete;
6421 		}
6422 
6423 		if (hci_dev_test_flag(hdev, HCI_FORCE_STATIC_ADDR) ||
6424 		   !bacmp(&hdev->bdaddr, BDADDR_ANY) ||
6425 		   (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
6426 		    bacmp(&hdev->static_addr, BDADDR_ANY))) {
6427 			memcpy(addr, &hdev->static_addr, 6);
6428 			addr[6] = 0x01;
6429 		} else {
6430 			memcpy(addr, &hdev->bdaddr, 6);
6431 			addr[6] = 0x00;
6432 		}
6433 
6434 		eir_len = eir_append_data(rp->eir, eir_len, EIR_LE_BDADDR,
6435 					  addr, sizeof(addr));
6436 
6437 		if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
6438 			role = 0x02;
6439 		else
6440 			role = 0x01;
6441 
6442 		eir_len = eir_append_data(rp->eir, eir_len, EIR_LE_ROLE,
6443 					  &role, sizeof(role));
6444 
6445 		if (hci_dev_test_flag(hdev, HCI_SC_ENABLED)) {
6446 			eir_len = eir_append_data(rp->eir, eir_len,
6447 						  EIR_LE_SC_CONFIRM,
6448 						  hash, sizeof(hash));
6449 
6450 			eir_len = eir_append_data(rp->eir, eir_len,
6451 						  EIR_LE_SC_RANDOM,
6452 						  rand, sizeof(rand));
6453 		}
6454 
6455 		flags = mgmt_get_adv_discov_flags(hdev);
6456 
6457 		if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
6458 			flags |= LE_AD_NO_BREDR;
6459 
6460 		eir_len = eir_append_data(rp->eir, eir_len, EIR_FLAGS,
6461 					  &flags, sizeof(flags));
6462 		break;
6463 	}
6464 
6465 	hci_dev_unlock(hdev);
6466 
6467 	hci_sock_set_flag(sk, HCI_MGMT_OOB_DATA_EVENTS);
6468 
6469 	status = MGMT_STATUS_SUCCESS;
6470 
6471 complete:
6472 	rp->type = cp->type;
6473 	rp->eir_len = cpu_to_le16(eir_len);
6474 
6475 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_EXT_DATA,
6476 				status, rp, sizeof(*rp) + eir_len);
6477 	if (err < 0 || status)
6478 		goto done;
6479 
6480 	err = mgmt_limited_event(MGMT_EV_LOCAL_OOB_DATA_UPDATED, hdev,
6481 				 rp, sizeof(*rp) + eir_len,
6482 				 HCI_MGMT_OOB_DATA_EVENTS, sk);
6483 
6484 done:
6485 	kfree(rp);
6486 
6487 	return err;
6488 }
6489 
6490 static u32 get_supported_adv_flags(struct hci_dev *hdev)
6491 {
6492 	u32 flags = 0;
6493 
6494 	flags |= MGMT_ADV_FLAG_CONNECTABLE;
6495 	flags |= MGMT_ADV_FLAG_DISCOV;
6496 	flags |= MGMT_ADV_FLAG_LIMITED_DISCOV;
6497 	flags |= MGMT_ADV_FLAG_MANAGED_FLAGS;
6498 	flags |= MGMT_ADV_FLAG_APPEARANCE;
6499 	flags |= MGMT_ADV_FLAG_LOCAL_NAME;
6500 
6501 	/* In extended adv TX_POWER returned from Set Adv Param
6502 	 * will be always valid.
6503 	 */
6504 	if ((hdev->adv_tx_power != HCI_TX_POWER_INVALID) ||
6505 	    ext_adv_capable(hdev))
6506 		flags |= MGMT_ADV_FLAG_TX_POWER;
6507 
6508 	if (ext_adv_capable(hdev)) {
6509 		flags |= MGMT_ADV_FLAG_SEC_1M;
6510 
6511 		if (hdev->le_features[1] & HCI_LE_PHY_2M)
6512 			flags |= MGMT_ADV_FLAG_SEC_2M;
6513 
6514 		if (hdev->le_features[1] & HCI_LE_PHY_CODED)
6515 			flags |= MGMT_ADV_FLAG_SEC_CODED;
6516 	}
6517 
6518 	return flags;
6519 }
6520 
6521 static int read_adv_features(struct sock *sk, struct hci_dev *hdev,
6522 			     void *data, u16 data_len)
6523 {
6524 	struct mgmt_rp_read_adv_features *rp;
6525 	size_t rp_len;
6526 	int err;
6527 	struct adv_info *adv_instance;
6528 	u32 supported_flags;
6529 	u8 *instance;
6530 
6531 	BT_DBG("%s", hdev->name);
6532 
6533 	if (!lmp_le_capable(hdev))
6534 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_ADV_FEATURES,
6535 				       MGMT_STATUS_REJECTED);
6536 
6537 	hci_dev_lock(hdev);
6538 
6539 	rp_len = sizeof(*rp) + hdev->adv_instance_cnt;
6540 	rp = kmalloc(rp_len, GFP_ATOMIC);
6541 	if (!rp) {
6542 		hci_dev_unlock(hdev);
6543 		return -ENOMEM;
6544 	}
6545 
6546 	supported_flags = get_supported_adv_flags(hdev);
6547 
6548 	rp->supported_flags = cpu_to_le32(supported_flags);
6549 	rp->max_adv_data_len = HCI_MAX_AD_LENGTH;
6550 	rp->max_scan_rsp_len = HCI_MAX_AD_LENGTH;
6551 	rp->max_instances = HCI_MAX_ADV_INSTANCES;
6552 	rp->num_instances = hdev->adv_instance_cnt;
6553 
6554 	instance = rp->instance;
6555 	list_for_each_entry(adv_instance, &hdev->adv_instances, list) {
6556 		*instance = adv_instance->instance;
6557 		instance++;
6558 	}
6559 
6560 	hci_dev_unlock(hdev);
6561 
6562 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_ADV_FEATURES,
6563 				MGMT_STATUS_SUCCESS, rp, rp_len);
6564 
6565 	kfree(rp);
6566 
6567 	return err;
6568 }
6569 
6570 static u8 calculate_name_len(struct hci_dev *hdev)
6571 {
6572 	u8 buf[HCI_MAX_SHORT_NAME_LENGTH + 3];
6573 
6574 	return append_local_name(hdev, buf, 0);
6575 }
6576 
6577 static u8 tlv_data_max_len(struct hci_dev *hdev, u32 adv_flags,
6578 			   bool is_adv_data)
6579 {
6580 	u8 max_len = HCI_MAX_AD_LENGTH;
6581 
6582 	if (is_adv_data) {
6583 		if (adv_flags & (MGMT_ADV_FLAG_DISCOV |
6584 				 MGMT_ADV_FLAG_LIMITED_DISCOV |
6585 				 MGMT_ADV_FLAG_MANAGED_FLAGS))
6586 			max_len -= 3;
6587 
6588 		if (adv_flags & MGMT_ADV_FLAG_TX_POWER)
6589 			max_len -= 3;
6590 	} else {
6591 		if (adv_flags & MGMT_ADV_FLAG_LOCAL_NAME)
6592 			max_len -= calculate_name_len(hdev);
6593 
6594 		if (adv_flags & (MGMT_ADV_FLAG_APPEARANCE))
6595 			max_len -= 4;
6596 	}
6597 
6598 	return max_len;
6599 }
6600 
6601 static bool flags_managed(u32 adv_flags)
6602 {
6603 	return adv_flags & (MGMT_ADV_FLAG_DISCOV |
6604 			    MGMT_ADV_FLAG_LIMITED_DISCOV |
6605 			    MGMT_ADV_FLAG_MANAGED_FLAGS);
6606 }
6607 
6608 static bool tx_power_managed(u32 adv_flags)
6609 {
6610 	return adv_flags & MGMT_ADV_FLAG_TX_POWER;
6611 }
6612 
6613 static bool name_managed(u32 adv_flags)
6614 {
6615 	return adv_flags & MGMT_ADV_FLAG_LOCAL_NAME;
6616 }
6617 
6618 static bool appearance_managed(u32 adv_flags)
6619 {
6620 	return adv_flags & MGMT_ADV_FLAG_APPEARANCE;
6621 }
6622 
6623 static bool tlv_data_is_valid(struct hci_dev *hdev, u32 adv_flags, u8 *data,
6624 			      u8 len, bool is_adv_data)
6625 {
6626 	int i, cur_len;
6627 	u8 max_len;
6628 
6629 	max_len = tlv_data_max_len(hdev, adv_flags, is_adv_data);
6630 
6631 	if (len > max_len)
6632 		return false;
6633 
6634 	/* Make sure that the data is correctly formatted. */
6635 	for (i = 0, cur_len = 0; i < len; i += (cur_len + 1)) {
6636 		cur_len = data[i];
6637 
6638 		if (data[i + 1] == EIR_FLAGS &&
6639 		    (!is_adv_data || flags_managed(adv_flags)))
6640 			return false;
6641 
6642 		if (data[i + 1] == EIR_TX_POWER && tx_power_managed(adv_flags))
6643 			return false;
6644 
6645 		if (data[i + 1] == EIR_NAME_COMPLETE && name_managed(adv_flags))
6646 			return false;
6647 
6648 		if (data[i + 1] == EIR_NAME_SHORT && name_managed(adv_flags))
6649 			return false;
6650 
6651 		if (data[i + 1] == EIR_APPEARANCE &&
6652 		    appearance_managed(adv_flags))
6653 			return false;
6654 
6655 		/* If the current field length would exceed the total data
6656 		 * length, then it's invalid.
6657 		 */
6658 		if (i + cur_len >= len)
6659 			return false;
6660 	}
6661 
6662 	return true;
6663 }
6664 
6665 static void add_advertising_complete(struct hci_dev *hdev, u8 status,
6666 				     u16 opcode)
6667 {
6668 	struct mgmt_pending_cmd *cmd;
6669 	struct mgmt_cp_add_advertising *cp;
6670 	struct mgmt_rp_add_advertising rp;
6671 	struct adv_info *adv_instance, *n;
6672 	u8 instance;
6673 
6674 	BT_DBG("status %d", status);
6675 
6676 	hci_dev_lock(hdev);
6677 
6678 	cmd = pending_find(MGMT_OP_ADD_ADVERTISING, hdev);
6679 
6680 	list_for_each_entry_safe(adv_instance, n, &hdev->adv_instances, list) {
6681 		if (!adv_instance->pending)
6682 			continue;
6683 
6684 		if (!status) {
6685 			adv_instance->pending = false;
6686 			continue;
6687 		}
6688 
6689 		instance = adv_instance->instance;
6690 
6691 		if (hdev->cur_adv_instance == instance)
6692 			cancel_adv_timeout(hdev);
6693 
6694 		hci_remove_adv_instance(hdev, instance);
6695 		mgmt_advertising_removed(cmd ? cmd->sk : NULL, hdev, instance);
6696 	}
6697 
6698 	if (!cmd)
6699 		goto unlock;
6700 
6701 	cp = cmd->param;
6702 	rp.instance = cp->instance;
6703 
6704 	if (status)
6705 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode,
6706 				mgmt_status(status));
6707 	else
6708 		mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
6709 				  mgmt_status(status), &rp, sizeof(rp));
6710 
6711 	mgmt_pending_remove(cmd);
6712 
6713 unlock:
6714 	hci_dev_unlock(hdev);
6715 }
6716 
6717 static int add_advertising(struct sock *sk, struct hci_dev *hdev,
6718 			   void *data, u16 data_len)
6719 {
6720 	struct mgmt_cp_add_advertising *cp = data;
6721 	struct mgmt_rp_add_advertising rp;
6722 	u32 flags;
6723 	u32 supported_flags, phy_flags;
6724 	u8 status;
6725 	u16 timeout, duration;
6726 	unsigned int prev_instance_cnt = hdev->adv_instance_cnt;
6727 	u8 schedule_instance = 0;
6728 	struct adv_info *next_instance;
6729 	int err;
6730 	struct mgmt_pending_cmd *cmd;
6731 	struct hci_request req;
6732 
6733 	BT_DBG("%s", hdev->name);
6734 
6735 	status = mgmt_le_support(hdev);
6736 	if (status)
6737 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
6738 				       status);
6739 
6740 	if (cp->instance < 1 || cp->instance > HCI_MAX_ADV_INSTANCES)
6741 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
6742 				       MGMT_STATUS_INVALID_PARAMS);
6743 
6744 	if (data_len != sizeof(*cp) + cp->adv_data_len + cp->scan_rsp_len)
6745 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
6746 				       MGMT_STATUS_INVALID_PARAMS);
6747 
6748 	flags = __le32_to_cpu(cp->flags);
6749 	timeout = __le16_to_cpu(cp->timeout);
6750 	duration = __le16_to_cpu(cp->duration);
6751 
6752 	/* The current implementation only supports a subset of the specified
6753 	 * flags. Also need to check mutual exclusiveness of sec flags.
6754 	 */
6755 	supported_flags = get_supported_adv_flags(hdev);
6756 	phy_flags = flags & MGMT_ADV_FLAG_SEC_MASK;
6757 	if (flags & ~supported_flags ||
6758 	    ((phy_flags && (phy_flags ^ (phy_flags & -phy_flags)))))
6759 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
6760 				       MGMT_STATUS_INVALID_PARAMS);
6761 
6762 	hci_dev_lock(hdev);
6763 
6764 	if (timeout && !hdev_is_powered(hdev)) {
6765 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
6766 				      MGMT_STATUS_REJECTED);
6767 		goto unlock;
6768 	}
6769 
6770 	if (pending_find(MGMT_OP_ADD_ADVERTISING, hdev) ||
6771 	    pending_find(MGMT_OP_REMOVE_ADVERTISING, hdev) ||
6772 	    pending_find(MGMT_OP_SET_LE, hdev)) {
6773 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
6774 				      MGMT_STATUS_BUSY);
6775 		goto unlock;
6776 	}
6777 
6778 	if (!tlv_data_is_valid(hdev, flags, cp->data, cp->adv_data_len, true) ||
6779 	    !tlv_data_is_valid(hdev, flags, cp->data + cp->adv_data_len,
6780 			       cp->scan_rsp_len, false)) {
6781 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
6782 				      MGMT_STATUS_INVALID_PARAMS);
6783 		goto unlock;
6784 	}
6785 
6786 	err = hci_add_adv_instance(hdev, cp->instance, flags,
6787 				   cp->adv_data_len, cp->data,
6788 				   cp->scan_rsp_len,
6789 				   cp->data + cp->adv_data_len,
6790 				   timeout, duration);
6791 	if (err < 0) {
6792 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
6793 				      MGMT_STATUS_FAILED);
6794 		goto unlock;
6795 	}
6796 
6797 	/* Only trigger an advertising added event if a new instance was
6798 	 * actually added.
6799 	 */
6800 	if (hdev->adv_instance_cnt > prev_instance_cnt)
6801 		mgmt_advertising_added(sk, hdev, cp->instance);
6802 
6803 	if (hdev->cur_adv_instance == cp->instance) {
6804 		/* If the currently advertised instance is being changed then
6805 		 * cancel the current advertising and schedule the next
6806 		 * instance. If there is only one instance then the overridden
6807 		 * advertising data will be visible right away.
6808 		 */
6809 		cancel_adv_timeout(hdev);
6810 
6811 		next_instance = hci_get_next_instance(hdev, cp->instance);
6812 		if (next_instance)
6813 			schedule_instance = next_instance->instance;
6814 	} else if (!hdev->adv_instance_timeout) {
6815 		/* Immediately advertise the new instance if no other
6816 		 * instance is currently being advertised.
6817 		 */
6818 		schedule_instance = cp->instance;
6819 	}
6820 
6821 	/* If the HCI_ADVERTISING flag is set or the device isn't powered or
6822 	 * there is no instance to be advertised then we have no HCI
6823 	 * communication to make. Simply return.
6824 	 */
6825 	if (!hdev_is_powered(hdev) ||
6826 	    hci_dev_test_flag(hdev, HCI_ADVERTISING) ||
6827 	    !schedule_instance) {
6828 		rp.instance = cp->instance;
6829 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
6830 					MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
6831 		goto unlock;
6832 	}
6833 
6834 	/* We're good to go, update advertising data, parameters, and start
6835 	 * advertising.
6836 	 */
6837 	cmd = mgmt_pending_add(sk, MGMT_OP_ADD_ADVERTISING, hdev, data,
6838 			       data_len);
6839 	if (!cmd) {
6840 		err = -ENOMEM;
6841 		goto unlock;
6842 	}
6843 
6844 	hci_req_init(&req, hdev);
6845 
6846 	err = __hci_req_schedule_adv_instance(&req, schedule_instance, true);
6847 
6848 	if (!err)
6849 		err = hci_req_run(&req, add_advertising_complete);
6850 
6851 	if (err < 0) {
6852 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
6853 				      MGMT_STATUS_FAILED);
6854 		mgmt_pending_remove(cmd);
6855 	}
6856 
6857 unlock:
6858 	hci_dev_unlock(hdev);
6859 
6860 	return err;
6861 }
6862 
6863 static void remove_advertising_complete(struct hci_dev *hdev, u8 status,
6864 					u16 opcode)
6865 {
6866 	struct mgmt_pending_cmd *cmd;
6867 	struct mgmt_cp_remove_advertising *cp;
6868 	struct mgmt_rp_remove_advertising rp;
6869 
6870 	BT_DBG("status %d", status);
6871 
6872 	hci_dev_lock(hdev);
6873 
6874 	/* A failure status here only means that we failed to disable
6875 	 * advertising. Otherwise, the advertising instance has been removed,
6876 	 * so report success.
6877 	 */
6878 	cmd = pending_find(MGMT_OP_REMOVE_ADVERTISING, hdev);
6879 	if (!cmd)
6880 		goto unlock;
6881 
6882 	cp = cmd->param;
6883 	rp.instance = cp->instance;
6884 
6885 	mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, MGMT_STATUS_SUCCESS,
6886 			  &rp, sizeof(rp));
6887 	mgmt_pending_remove(cmd);
6888 
6889 unlock:
6890 	hci_dev_unlock(hdev);
6891 }
6892 
6893 static int remove_advertising(struct sock *sk, struct hci_dev *hdev,
6894 			      void *data, u16 data_len)
6895 {
6896 	struct mgmt_cp_remove_advertising *cp = data;
6897 	struct mgmt_rp_remove_advertising rp;
6898 	struct mgmt_pending_cmd *cmd;
6899 	struct hci_request req;
6900 	int err;
6901 
6902 	BT_DBG("%s", hdev->name);
6903 
6904 	hci_dev_lock(hdev);
6905 
6906 	if (cp->instance && !hci_find_adv_instance(hdev, cp->instance)) {
6907 		err = mgmt_cmd_status(sk, hdev->id,
6908 				      MGMT_OP_REMOVE_ADVERTISING,
6909 				      MGMT_STATUS_INVALID_PARAMS);
6910 		goto unlock;
6911 	}
6912 
6913 	if (pending_find(MGMT_OP_ADD_ADVERTISING, hdev) ||
6914 	    pending_find(MGMT_OP_REMOVE_ADVERTISING, hdev) ||
6915 	    pending_find(MGMT_OP_SET_LE, hdev)) {
6916 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_ADVERTISING,
6917 				      MGMT_STATUS_BUSY);
6918 		goto unlock;
6919 	}
6920 
6921 	if (list_empty(&hdev->adv_instances)) {
6922 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_ADVERTISING,
6923 				      MGMT_STATUS_INVALID_PARAMS);
6924 		goto unlock;
6925 	}
6926 
6927 	hci_req_init(&req, hdev);
6928 
6929 	hci_req_clear_adv_instance(hdev, sk, &req, cp->instance, true);
6930 
6931 	if (list_empty(&hdev->adv_instances))
6932 		__hci_req_disable_advertising(&req);
6933 
6934 	/* If no HCI commands have been collected so far or the HCI_ADVERTISING
6935 	 * flag is set or the device isn't powered then we have no HCI
6936 	 * communication to make. Simply return.
6937 	 */
6938 	if (skb_queue_empty(&req.cmd_q) ||
6939 	    !hdev_is_powered(hdev) ||
6940 	    hci_dev_test_flag(hdev, HCI_ADVERTISING)) {
6941 		hci_req_purge(&req);
6942 		rp.instance = cp->instance;
6943 		err = mgmt_cmd_complete(sk, hdev->id,
6944 					MGMT_OP_REMOVE_ADVERTISING,
6945 					MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
6946 		goto unlock;
6947 	}
6948 
6949 	cmd = mgmt_pending_add(sk, MGMT_OP_REMOVE_ADVERTISING, hdev, data,
6950 			       data_len);
6951 	if (!cmd) {
6952 		err = -ENOMEM;
6953 		goto unlock;
6954 	}
6955 
6956 	err = hci_req_run(&req, remove_advertising_complete);
6957 	if (err < 0)
6958 		mgmt_pending_remove(cmd);
6959 
6960 unlock:
6961 	hci_dev_unlock(hdev);
6962 
6963 	return err;
6964 }
6965 
6966 static int get_adv_size_info(struct sock *sk, struct hci_dev *hdev,
6967 			     void *data, u16 data_len)
6968 {
6969 	struct mgmt_cp_get_adv_size_info *cp = data;
6970 	struct mgmt_rp_get_adv_size_info rp;
6971 	u32 flags, supported_flags;
6972 	int err;
6973 
6974 	BT_DBG("%s", hdev->name);
6975 
6976 	if (!lmp_le_capable(hdev))
6977 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_GET_ADV_SIZE_INFO,
6978 				       MGMT_STATUS_REJECTED);
6979 
6980 	if (cp->instance < 1 || cp->instance > HCI_MAX_ADV_INSTANCES)
6981 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_GET_ADV_SIZE_INFO,
6982 				       MGMT_STATUS_INVALID_PARAMS);
6983 
6984 	flags = __le32_to_cpu(cp->flags);
6985 
6986 	/* The current implementation only supports a subset of the specified
6987 	 * flags.
6988 	 */
6989 	supported_flags = get_supported_adv_flags(hdev);
6990 	if (flags & ~supported_flags)
6991 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_GET_ADV_SIZE_INFO,
6992 				       MGMT_STATUS_INVALID_PARAMS);
6993 
6994 	rp.instance = cp->instance;
6995 	rp.flags = cp->flags;
6996 	rp.max_adv_data_len = tlv_data_max_len(hdev, flags, true);
6997 	rp.max_scan_rsp_len = tlv_data_max_len(hdev, flags, false);
6998 
6999 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_ADV_SIZE_INFO,
7000 				MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
7001 
7002 	return err;
7003 }
7004 
7005 static const struct hci_mgmt_handler mgmt_handlers[] = {
7006 	{ NULL }, /* 0x0000 (no command) */
7007 	{ read_version,            MGMT_READ_VERSION_SIZE,
7008 						HCI_MGMT_NO_HDEV |
7009 						HCI_MGMT_UNTRUSTED },
7010 	{ read_commands,           MGMT_READ_COMMANDS_SIZE,
7011 						HCI_MGMT_NO_HDEV |
7012 						HCI_MGMT_UNTRUSTED },
7013 	{ read_index_list,         MGMT_READ_INDEX_LIST_SIZE,
7014 						HCI_MGMT_NO_HDEV |
7015 						HCI_MGMT_UNTRUSTED },
7016 	{ read_controller_info,    MGMT_READ_INFO_SIZE,
7017 						HCI_MGMT_UNTRUSTED },
7018 	{ set_powered,             MGMT_SETTING_SIZE },
7019 	{ set_discoverable,        MGMT_SET_DISCOVERABLE_SIZE },
7020 	{ set_connectable,         MGMT_SETTING_SIZE },
7021 	{ set_fast_connectable,    MGMT_SETTING_SIZE },
7022 	{ set_bondable,            MGMT_SETTING_SIZE },
7023 	{ set_link_security,       MGMT_SETTING_SIZE },
7024 	{ set_ssp,                 MGMT_SETTING_SIZE },
7025 	{ set_hs,                  MGMT_SETTING_SIZE },
7026 	{ set_le,                  MGMT_SETTING_SIZE },
7027 	{ set_dev_class,           MGMT_SET_DEV_CLASS_SIZE },
7028 	{ set_local_name,          MGMT_SET_LOCAL_NAME_SIZE },
7029 	{ add_uuid,                MGMT_ADD_UUID_SIZE },
7030 	{ remove_uuid,             MGMT_REMOVE_UUID_SIZE },
7031 	{ load_link_keys,          MGMT_LOAD_LINK_KEYS_SIZE,
7032 						HCI_MGMT_VAR_LEN },
7033 	{ load_long_term_keys,     MGMT_LOAD_LONG_TERM_KEYS_SIZE,
7034 						HCI_MGMT_VAR_LEN },
7035 	{ disconnect,              MGMT_DISCONNECT_SIZE },
7036 	{ get_connections,         MGMT_GET_CONNECTIONS_SIZE },
7037 	{ pin_code_reply,          MGMT_PIN_CODE_REPLY_SIZE },
7038 	{ pin_code_neg_reply,      MGMT_PIN_CODE_NEG_REPLY_SIZE },
7039 	{ set_io_capability,       MGMT_SET_IO_CAPABILITY_SIZE },
7040 	{ pair_device,             MGMT_PAIR_DEVICE_SIZE },
7041 	{ cancel_pair_device,      MGMT_CANCEL_PAIR_DEVICE_SIZE },
7042 	{ unpair_device,           MGMT_UNPAIR_DEVICE_SIZE },
7043 	{ user_confirm_reply,      MGMT_USER_CONFIRM_REPLY_SIZE },
7044 	{ user_confirm_neg_reply,  MGMT_USER_CONFIRM_NEG_REPLY_SIZE },
7045 	{ user_passkey_reply,      MGMT_USER_PASSKEY_REPLY_SIZE },
7046 	{ user_passkey_neg_reply,  MGMT_USER_PASSKEY_NEG_REPLY_SIZE },
7047 	{ read_local_oob_data,     MGMT_READ_LOCAL_OOB_DATA_SIZE },
7048 	{ add_remote_oob_data,     MGMT_ADD_REMOTE_OOB_DATA_SIZE,
7049 						HCI_MGMT_VAR_LEN },
7050 	{ remove_remote_oob_data,  MGMT_REMOVE_REMOTE_OOB_DATA_SIZE },
7051 	{ start_discovery,         MGMT_START_DISCOVERY_SIZE },
7052 	{ stop_discovery,          MGMT_STOP_DISCOVERY_SIZE },
7053 	{ confirm_name,            MGMT_CONFIRM_NAME_SIZE },
7054 	{ block_device,            MGMT_BLOCK_DEVICE_SIZE },
7055 	{ unblock_device,          MGMT_UNBLOCK_DEVICE_SIZE },
7056 	{ set_device_id,           MGMT_SET_DEVICE_ID_SIZE },
7057 	{ set_advertising,         MGMT_SETTING_SIZE },
7058 	{ set_bredr,               MGMT_SETTING_SIZE },
7059 	{ set_static_address,      MGMT_SET_STATIC_ADDRESS_SIZE },
7060 	{ set_scan_params,         MGMT_SET_SCAN_PARAMS_SIZE },
7061 	{ set_secure_conn,         MGMT_SETTING_SIZE },
7062 	{ set_debug_keys,          MGMT_SETTING_SIZE },
7063 	{ set_privacy,             MGMT_SET_PRIVACY_SIZE },
7064 	{ load_irks,               MGMT_LOAD_IRKS_SIZE,
7065 						HCI_MGMT_VAR_LEN },
7066 	{ get_conn_info,           MGMT_GET_CONN_INFO_SIZE },
7067 	{ get_clock_info,          MGMT_GET_CLOCK_INFO_SIZE },
7068 	{ add_device,              MGMT_ADD_DEVICE_SIZE },
7069 	{ remove_device,           MGMT_REMOVE_DEVICE_SIZE },
7070 	{ load_conn_param,         MGMT_LOAD_CONN_PARAM_SIZE,
7071 						HCI_MGMT_VAR_LEN },
7072 	{ read_unconf_index_list,  MGMT_READ_UNCONF_INDEX_LIST_SIZE,
7073 						HCI_MGMT_NO_HDEV |
7074 						HCI_MGMT_UNTRUSTED },
7075 	{ read_config_info,        MGMT_READ_CONFIG_INFO_SIZE,
7076 						HCI_MGMT_UNCONFIGURED |
7077 						HCI_MGMT_UNTRUSTED },
7078 	{ set_external_config,     MGMT_SET_EXTERNAL_CONFIG_SIZE,
7079 						HCI_MGMT_UNCONFIGURED },
7080 	{ set_public_address,      MGMT_SET_PUBLIC_ADDRESS_SIZE,
7081 						HCI_MGMT_UNCONFIGURED },
7082 	{ start_service_discovery, MGMT_START_SERVICE_DISCOVERY_SIZE,
7083 						HCI_MGMT_VAR_LEN },
7084 	{ read_local_oob_ext_data, MGMT_READ_LOCAL_OOB_EXT_DATA_SIZE },
7085 	{ read_ext_index_list,     MGMT_READ_EXT_INDEX_LIST_SIZE,
7086 						HCI_MGMT_NO_HDEV |
7087 						HCI_MGMT_UNTRUSTED },
7088 	{ read_adv_features,       MGMT_READ_ADV_FEATURES_SIZE },
7089 	{ add_advertising,	   MGMT_ADD_ADVERTISING_SIZE,
7090 						HCI_MGMT_VAR_LEN },
7091 	{ remove_advertising,	   MGMT_REMOVE_ADVERTISING_SIZE },
7092 	{ get_adv_size_info,       MGMT_GET_ADV_SIZE_INFO_SIZE },
7093 	{ start_limited_discovery, MGMT_START_DISCOVERY_SIZE },
7094 	{ read_ext_controller_info,MGMT_READ_EXT_INFO_SIZE,
7095 						HCI_MGMT_UNTRUSTED },
7096 	{ set_appearance,	   MGMT_SET_APPEARANCE_SIZE },
7097 	{ get_phy_configuration,   MGMT_GET_PHY_CONFIGURATION_SIZE },
7098 	{ set_phy_configuration,   MGMT_SET_PHY_CONFIGURATION_SIZE },
7099 	{ set_blocked_keys,	   MGMT_OP_SET_BLOCKED_KEYS_SIZE,
7100 						HCI_MGMT_VAR_LEN },
7101 	{ set_wideband_speech,	   MGMT_SETTING_SIZE },
7102 };
7103 
7104 void mgmt_index_added(struct hci_dev *hdev)
7105 {
7106 	struct mgmt_ev_ext_index ev;
7107 
7108 	if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
7109 		return;
7110 
7111 	switch (hdev->dev_type) {
7112 	case HCI_PRIMARY:
7113 		if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
7114 			mgmt_index_event(MGMT_EV_UNCONF_INDEX_ADDED, hdev,
7115 					 NULL, 0, HCI_MGMT_UNCONF_INDEX_EVENTS);
7116 			ev.type = 0x01;
7117 		} else {
7118 			mgmt_index_event(MGMT_EV_INDEX_ADDED, hdev, NULL, 0,
7119 					 HCI_MGMT_INDEX_EVENTS);
7120 			ev.type = 0x00;
7121 		}
7122 		break;
7123 	case HCI_AMP:
7124 		ev.type = 0x02;
7125 		break;
7126 	default:
7127 		return;
7128 	}
7129 
7130 	ev.bus = hdev->bus;
7131 
7132 	mgmt_index_event(MGMT_EV_EXT_INDEX_ADDED, hdev, &ev, sizeof(ev),
7133 			 HCI_MGMT_EXT_INDEX_EVENTS);
7134 }
7135 
7136 void mgmt_index_removed(struct hci_dev *hdev)
7137 {
7138 	struct mgmt_ev_ext_index ev;
7139 	u8 status = MGMT_STATUS_INVALID_INDEX;
7140 
7141 	if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
7142 		return;
7143 
7144 	switch (hdev->dev_type) {
7145 	case HCI_PRIMARY:
7146 		mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &status);
7147 
7148 		if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
7149 			mgmt_index_event(MGMT_EV_UNCONF_INDEX_REMOVED, hdev,
7150 					 NULL, 0, HCI_MGMT_UNCONF_INDEX_EVENTS);
7151 			ev.type = 0x01;
7152 		} else {
7153 			mgmt_index_event(MGMT_EV_INDEX_REMOVED, hdev, NULL, 0,
7154 					 HCI_MGMT_INDEX_EVENTS);
7155 			ev.type = 0x00;
7156 		}
7157 		break;
7158 	case HCI_AMP:
7159 		ev.type = 0x02;
7160 		break;
7161 	default:
7162 		return;
7163 	}
7164 
7165 	ev.bus = hdev->bus;
7166 
7167 	mgmt_index_event(MGMT_EV_EXT_INDEX_REMOVED, hdev, &ev, sizeof(ev),
7168 			 HCI_MGMT_EXT_INDEX_EVENTS);
7169 }
7170 
7171 /* This function requires the caller holds hdev->lock */
7172 static void restart_le_actions(struct hci_dev *hdev)
7173 {
7174 	struct hci_conn_params *p;
7175 
7176 	list_for_each_entry(p, &hdev->le_conn_params, list) {
7177 		/* Needed for AUTO_OFF case where might not "really"
7178 		 * have been powered off.
7179 		 */
7180 		list_del_init(&p->action);
7181 
7182 		switch (p->auto_connect) {
7183 		case HCI_AUTO_CONN_DIRECT:
7184 		case HCI_AUTO_CONN_ALWAYS:
7185 			list_add(&p->action, &hdev->pend_le_conns);
7186 			break;
7187 		case HCI_AUTO_CONN_REPORT:
7188 			list_add(&p->action, &hdev->pend_le_reports);
7189 			break;
7190 		default:
7191 			break;
7192 		}
7193 	}
7194 }
7195 
7196 void mgmt_power_on(struct hci_dev *hdev, int err)
7197 {
7198 	struct cmd_lookup match = { NULL, hdev };
7199 
7200 	BT_DBG("err %d", err);
7201 
7202 	hci_dev_lock(hdev);
7203 
7204 	if (!err) {
7205 		restart_le_actions(hdev);
7206 		hci_update_background_scan(hdev);
7207 	}
7208 
7209 	mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp, &match);
7210 
7211 	new_settings(hdev, match.sk);
7212 
7213 	if (match.sk)
7214 		sock_put(match.sk);
7215 
7216 	hci_dev_unlock(hdev);
7217 }
7218 
7219 void __mgmt_power_off(struct hci_dev *hdev)
7220 {
7221 	struct cmd_lookup match = { NULL, hdev };
7222 	u8 status, zero_cod[] = { 0, 0, 0 };
7223 
7224 	mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp, &match);
7225 
7226 	/* If the power off is because of hdev unregistration let
7227 	 * use the appropriate INVALID_INDEX status. Otherwise use
7228 	 * NOT_POWERED. We cover both scenarios here since later in
7229 	 * mgmt_index_removed() any hci_conn callbacks will have already
7230 	 * been triggered, potentially causing misleading DISCONNECTED
7231 	 * status responses.
7232 	 */
7233 	if (hci_dev_test_flag(hdev, HCI_UNREGISTER))
7234 		status = MGMT_STATUS_INVALID_INDEX;
7235 	else
7236 		status = MGMT_STATUS_NOT_POWERED;
7237 
7238 	mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &status);
7239 
7240 	if (memcmp(hdev->dev_class, zero_cod, sizeof(zero_cod)) != 0) {
7241 		mgmt_limited_event(MGMT_EV_CLASS_OF_DEV_CHANGED, hdev,
7242 				   zero_cod, sizeof(zero_cod),
7243 				   HCI_MGMT_DEV_CLASS_EVENTS, NULL);
7244 		ext_info_changed(hdev, NULL);
7245 	}
7246 
7247 	new_settings(hdev, match.sk);
7248 
7249 	if (match.sk)
7250 		sock_put(match.sk);
7251 }
7252 
7253 void mgmt_set_powered_failed(struct hci_dev *hdev, int err)
7254 {
7255 	struct mgmt_pending_cmd *cmd;
7256 	u8 status;
7257 
7258 	cmd = pending_find(MGMT_OP_SET_POWERED, hdev);
7259 	if (!cmd)
7260 		return;
7261 
7262 	if (err == -ERFKILL)
7263 		status = MGMT_STATUS_RFKILLED;
7264 	else
7265 		status = MGMT_STATUS_FAILED;
7266 
7267 	mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_POWERED, status);
7268 
7269 	mgmt_pending_remove(cmd);
7270 }
7271 
7272 void mgmt_new_link_key(struct hci_dev *hdev, struct link_key *key,
7273 		       bool persistent)
7274 {
7275 	struct mgmt_ev_new_link_key ev;
7276 
7277 	memset(&ev, 0, sizeof(ev));
7278 
7279 	ev.store_hint = persistent;
7280 	bacpy(&ev.key.addr.bdaddr, &key->bdaddr);
7281 	ev.key.addr.type = BDADDR_BREDR;
7282 	ev.key.type = key->type;
7283 	memcpy(ev.key.val, key->val, HCI_LINK_KEY_SIZE);
7284 	ev.key.pin_len = key->pin_len;
7285 
7286 	mgmt_event(MGMT_EV_NEW_LINK_KEY, hdev, &ev, sizeof(ev), NULL);
7287 }
7288 
7289 static u8 mgmt_ltk_type(struct smp_ltk *ltk)
7290 {
7291 	switch (ltk->type) {
7292 	case SMP_LTK:
7293 	case SMP_LTK_SLAVE:
7294 		if (ltk->authenticated)
7295 			return MGMT_LTK_AUTHENTICATED;
7296 		return MGMT_LTK_UNAUTHENTICATED;
7297 	case SMP_LTK_P256:
7298 		if (ltk->authenticated)
7299 			return MGMT_LTK_P256_AUTH;
7300 		return MGMT_LTK_P256_UNAUTH;
7301 	case SMP_LTK_P256_DEBUG:
7302 		return MGMT_LTK_P256_DEBUG;
7303 	}
7304 
7305 	return MGMT_LTK_UNAUTHENTICATED;
7306 }
7307 
7308 void mgmt_new_ltk(struct hci_dev *hdev, struct smp_ltk *key, bool persistent)
7309 {
7310 	struct mgmt_ev_new_long_term_key ev;
7311 
7312 	memset(&ev, 0, sizeof(ev));
7313 
7314 	/* Devices using resolvable or non-resolvable random addresses
7315 	 * without providing an identity resolving key don't require
7316 	 * to store long term keys. Their addresses will change the
7317 	 * next time around.
7318 	 *
7319 	 * Only when a remote device provides an identity address
7320 	 * make sure the long term key is stored. If the remote
7321 	 * identity is known, the long term keys are internally
7322 	 * mapped to the identity address. So allow static random
7323 	 * and public addresses here.
7324 	 */
7325 	if (key->bdaddr_type == ADDR_LE_DEV_RANDOM &&
7326 	    (key->bdaddr.b[5] & 0xc0) != 0xc0)
7327 		ev.store_hint = 0x00;
7328 	else
7329 		ev.store_hint = persistent;
7330 
7331 	bacpy(&ev.key.addr.bdaddr, &key->bdaddr);
7332 	ev.key.addr.type = link_to_bdaddr(LE_LINK, key->bdaddr_type);
7333 	ev.key.type = mgmt_ltk_type(key);
7334 	ev.key.enc_size = key->enc_size;
7335 	ev.key.ediv = key->ediv;
7336 	ev.key.rand = key->rand;
7337 
7338 	if (key->type == SMP_LTK)
7339 		ev.key.master = 1;
7340 
7341 	/* Make sure we copy only the significant bytes based on the
7342 	 * encryption key size, and set the rest of the value to zeroes.
7343 	 */
7344 	memcpy(ev.key.val, key->val, key->enc_size);
7345 	memset(ev.key.val + key->enc_size, 0,
7346 	       sizeof(ev.key.val) - key->enc_size);
7347 
7348 	mgmt_event(MGMT_EV_NEW_LONG_TERM_KEY, hdev, &ev, sizeof(ev), NULL);
7349 }
7350 
7351 void mgmt_new_irk(struct hci_dev *hdev, struct smp_irk *irk, bool persistent)
7352 {
7353 	struct mgmt_ev_new_irk ev;
7354 
7355 	memset(&ev, 0, sizeof(ev));
7356 
7357 	ev.store_hint = persistent;
7358 
7359 	bacpy(&ev.rpa, &irk->rpa);
7360 	bacpy(&ev.irk.addr.bdaddr, &irk->bdaddr);
7361 	ev.irk.addr.type = link_to_bdaddr(LE_LINK, irk->addr_type);
7362 	memcpy(ev.irk.val, irk->val, sizeof(irk->val));
7363 
7364 	mgmt_event(MGMT_EV_NEW_IRK, hdev, &ev, sizeof(ev), NULL);
7365 }
7366 
7367 void mgmt_new_csrk(struct hci_dev *hdev, struct smp_csrk *csrk,
7368 		   bool persistent)
7369 {
7370 	struct mgmt_ev_new_csrk ev;
7371 
7372 	memset(&ev, 0, sizeof(ev));
7373 
7374 	/* Devices using resolvable or non-resolvable random addresses
7375 	 * without providing an identity resolving key don't require
7376 	 * to store signature resolving keys. Their addresses will change
7377 	 * the next time around.
7378 	 *
7379 	 * Only when a remote device provides an identity address
7380 	 * make sure the signature resolving key is stored. So allow
7381 	 * static random and public addresses here.
7382 	 */
7383 	if (csrk->bdaddr_type == ADDR_LE_DEV_RANDOM &&
7384 	    (csrk->bdaddr.b[5] & 0xc0) != 0xc0)
7385 		ev.store_hint = 0x00;
7386 	else
7387 		ev.store_hint = persistent;
7388 
7389 	bacpy(&ev.key.addr.bdaddr, &csrk->bdaddr);
7390 	ev.key.addr.type = link_to_bdaddr(LE_LINK, csrk->bdaddr_type);
7391 	ev.key.type = csrk->type;
7392 	memcpy(ev.key.val, csrk->val, sizeof(csrk->val));
7393 
7394 	mgmt_event(MGMT_EV_NEW_CSRK, hdev, &ev, sizeof(ev), NULL);
7395 }
7396 
7397 void mgmt_new_conn_param(struct hci_dev *hdev, bdaddr_t *bdaddr,
7398 			 u8 bdaddr_type, u8 store_hint, u16 min_interval,
7399 			 u16 max_interval, u16 latency, u16 timeout)
7400 {
7401 	struct mgmt_ev_new_conn_param ev;
7402 
7403 	if (!hci_is_identity_address(bdaddr, bdaddr_type))
7404 		return;
7405 
7406 	memset(&ev, 0, sizeof(ev));
7407 	bacpy(&ev.addr.bdaddr, bdaddr);
7408 	ev.addr.type = link_to_bdaddr(LE_LINK, bdaddr_type);
7409 	ev.store_hint = store_hint;
7410 	ev.min_interval = cpu_to_le16(min_interval);
7411 	ev.max_interval = cpu_to_le16(max_interval);
7412 	ev.latency = cpu_to_le16(latency);
7413 	ev.timeout = cpu_to_le16(timeout);
7414 
7415 	mgmt_event(MGMT_EV_NEW_CONN_PARAM, hdev, &ev, sizeof(ev), NULL);
7416 }
7417 
7418 void mgmt_device_connected(struct hci_dev *hdev, struct hci_conn *conn,
7419 			   u32 flags, u8 *name, u8 name_len)
7420 {
7421 	char buf[512];
7422 	struct mgmt_ev_device_connected *ev = (void *) buf;
7423 	u16 eir_len = 0;
7424 
7425 	bacpy(&ev->addr.bdaddr, &conn->dst);
7426 	ev->addr.type = link_to_bdaddr(conn->type, conn->dst_type);
7427 
7428 	ev->flags = __cpu_to_le32(flags);
7429 
7430 	/* We must ensure that the EIR Data fields are ordered and
7431 	 * unique. Keep it simple for now and avoid the problem by not
7432 	 * adding any BR/EDR data to the LE adv.
7433 	 */
7434 	if (conn->le_adv_data_len > 0) {
7435 		memcpy(&ev->eir[eir_len],
7436 		       conn->le_adv_data, conn->le_adv_data_len);
7437 		eir_len = conn->le_adv_data_len;
7438 	} else {
7439 		if (name_len > 0)
7440 			eir_len = eir_append_data(ev->eir, 0, EIR_NAME_COMPLETE,
7441 						  name, name_len);
7442 
7443 		if (memcmp(conn->dev_class, "\0\0\0", 3) != 0)
7444 			eir_len = eir_append_data(ev->eir, eir_len,
7445 						  EIR_CLASS_OF_DEV,
7446 						  conn->dev_class, 3);
7447 	}
7448 
7449 	ev->eir_len = cpu_to_le16(eir_len);
7450 
7451 	mgmt_event(MGMT_EV_DEVICE_CONNECTED, hdev, buf,
7452 		    sizeof(*ev) + eir_len, NULL);
7453 }
7454 
7455 static void disconnect_rsp(struct mgmt_pending_cmd *cmd, void *data)
7456 {
7457 	struct sock **sk = data;
7458 
7459 	cmd->cmd_complete(cmd, 0);
7460 
7461 	*sk = cmd->sk;
7462 	sock_hold(*sk);
7463 
7464 	mgmt_pending_remove(cmd);
7465 }
7466 
7467 static void unpair_device_rsp(struct mgmt_pending_cmd *cmd, void *data)
7468 {
7469 	struct hci_dev *hdev = data;
7470 	struct mgmt_cp_unpair_device *cp = cmd->param;
7471 
7472 	device_unpaired(hdev, &cp->addr.bdaddr, cp->addr.type, cmd->sk);
7473 
7474 	cmd->cmd_complete(cmd, 0);
7475 	mgmt_pending_remove(cmd);
7476 }
7477 
7478 bool mgmt_powering_down(struct hci_dev *hdev)
7479 {
7480 	struct mgmt_pending_cmd *cmd;
7481 	struct mgmt_mode *cp;
7482 
7483 	cmd = pending_find(MGMT_OP_SET_POWERED, hdev);
7484 	if (!cmd)
7485 		return false;
7486 
7487 	cp = cmd->param;
7488 	if (!cp->val)
7489 		return true;
7490 
7491 	return false;
7492 }
7493 
7494 void mgmt_device_disconnected(struct hci_dev *hdev, bdaddr_t *bdaddr,
7495 			      u8 link_type, u8 addr_type, u8 reason,
7496 			      bool mgmt_connected)
7497 {
7498 	struct mgmt_ev_device_disconnected ev;
7499 	struct sock *sk = NULL;
7500 
7501 	/* The connection is still in hci_conn_hash so test for 1
7502 	 * instead of 0 to know if this is the last one.
7503 	 */
7504 	if (mgmt_powering_down(hdev) && hci_conn_count(hdev) == 1) {
7505 		cancel_delayed_work(&hdev->power_off);
7506 		queue_work(hdev->req_workqueue, &hdev->power_off.work);
7507 	}
7508 
7509 	if (!mgmt_connected)
7510 		return;
7511 
7512 	if (link_type != ACL_LINK && link_type != LE_LINK)
7513 		return;
7514 
7515 	mgmt_pending_foreach(MGMT_OP_DISCONNECT, hdev, disconnect_rsp, &sk);
7516 
7517 	bacpy(&ev.addr.bdaddr, bdaddr);
7518 	ev.addr.type = link_to_bdaddr(link_type, addr_type);
7519 	ev.reason = reason;
7520 
7521 	mgmt_event(MGMT_EV_DEVICE_DISCONNECTED, hdev, &ev, sizeof(ev), sk);
7522 
7523 	if (sk)
7524 		sock_put(sk);
7525 
7526 	mgmt_pending_foreach(MGMT_OP_UNPAIR_DEVICE, hdev, unpair_device_rsp,
7527 			     hdev);
7528 }
7529 
7530 void mgmt_disconnect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr,
7531 			    u8 link_type, u8 addr_type, u8 status)
7532 {
7533 	u8 bdaddr_type = link_to_bdaddr(link_type, addr_type);
7534 	struct mgmt_cp_disconnect *cp;
7535 	struct mgmt_pending_cmd *cmd;
7536 
7537 	mgmt_pending_foreach(MGMT_OP_UNPAIR_DEVICE, hdev, unpair_device_rsp,
7538 			     hdev);
7539 
7540 	cmd = pending_find(MGMT_OP_DISCONNECT, hdev);
7541 	if (!cmd)
7542 		return;
7543 
7544 	cp = cmd->param;
7545 
7546 	if (bacmp(bdaddr, &cp->addr.bdaddr))
7547 		return;
7548 
7549 	if (cp->addr.type != bdaddr_type)
7550 		return;
7551 
7552 	cmd->cmd_complete(cmd, mgmt_status(status));
7553 	mgmt_pending_remove(cmd);
7554 }
7555 
7556 void mgmt_connect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
7557 			 u8 addr_type, u8 status)
7558 {
7559 	struct mgmt_ev_connect_failed ev;
7560 
7561 	/* The connection is still in hci_conn_hash so test for 1
7562 	 * instead of 0 to know if this is the last one.
7563 	 */
7564 	if (mgmt_powering_down(hdev) && hci_conn_count(hdev) == 1) {
7565 		cancel_delayed_work(&hdev->power_off);
7566 		queue_work(hdev->req_workqueue, &hdev->power_off.work);
7567 	}
7568 
7569 	bacpy(&ev.addr.bdaddr, bdaddr);
7570 	ev.addr.type = link_to_bdaddr(link_type, addr_type);
7571 	ev.status = mgmt_status(status);
7572 
7573 	mgmt_event(MGMT_EV_CONNECT_FAILED, hdev, &ev, sizeof(ev), NULL);
7574 }
7575 
7576 void mgmt_pin_code_request(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 secure)
7577 {
7578 	struct mgmt_ev_pin_code_request ev;
7579 
7580 	bacpy(&ev.addr.bdaddr, bdaddr);
7581 	ev.addr.type = BDADDR_BREDR;
7582 	ev.secure = secure;
7583 
7584 	mgmt_event(MGMT_EV_PIN_CODE_REQUEST, hdev, &ev, sizeof(ev), NULL);
7585 }
7586 
7587 void mgmt_pin_code_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
7588 				  u8 status)
7589 {
7590 	struct mgmt_pending_cmd *cmd;
7591 
7592 	cmd = pending_find(MGMT_OP_PIN_CODE_REPLY, hdev);
7593 	if (!cmd)
7594 		return;
7595 
7596 	cmd->cmd_complete(cmd, mgmt_status(status));
7597 	mgmt_pending_remove(cmd);
7598 }
7599 
7600 void mgmt_pin_code_neg_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
7601 				      u8 status)
7602 {
7603 	struct mgmt_pending_cmd *cmd;
7604 
7605 	cmd = pending_find(MGMT_OP_PIN_CODE_NEG_REPLY, hdev);
7606 	if (!cmd)
7607 		return;
7608 
7609 	cmd->cmd_complete(cmd, mgmt_status(status));
7610 	mgmt_pending_remove(cmd);
7611 }
7612 
7613 int mgmt_user_confirm_request(struct hci_dev *hdev, bdaddr_t *bdaddr,
7614 			      u8 link_type, u8 addr_type, u32 value,
7615 			      u8 confirm_hint)
7616 {
7617 	struct mgmt_ev_user_confirm_request ev;
7618 
7619 	BT_DBG("%s", hdev->name);
7620 
7621 	bacpy(&ev.addr.bdaddr, bdaddr);
7622 	ev.addr.type = link_to_bdaddr(link_type, addr_type);
7623 	ev.confirm_hint = confirm_hint;
7624 	ev.value = cpu_to_le32(value);
7625 
7626 	return mgmt_event(MGMT_EV_USER_CONFIRM_REQUEST, hdev, &ev, sizeof(ev),
7627 			  NULL);
7628 }
7629 
7630 int mgmt_user_passkey_request(struct hci_dev *hdev, bdaddr_t *bdaddr,
7631 			      u8 link_type, u8 addr_type)
7632 {
7633 	struct mgmt_ev_user_passkey_request ev;
7634 
7635 	BT_DBG("%s", hdev->name);
7636 
7637 	bacpy(&ev.addr.bdaddr, bdaddr);
7638 	ev.addr.type = link_to_bdaddr(link_type, addr_type);
7639 
7640 	return mgmt_event(MGMT_EV_USER_PASSKEY_REQUEST, hdev, &ev, sizeof(ev),
7641 			  NULL);
7642 }
7643 
7644 static int user_pairing_resp_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
7645 				      u8 link_type, u8 addr_type, u8 status,
7646 				      u8 opcode)
7647 {
7648 	struct mgmt_pending_cmd *cmd;
7649 
7650 	cmd = pending_find(opcode, hdev);
7651 	if (!cmd)
7652 		return -ENOENT;
7653 
7654 	cmd->cmd_complete(cmd, mgmt_status(status));
7655 	mgmt_pending_remove(cmd);
7656 
7657 	return 0;
7658 }
7659 
7660 int mgmt_user_confirm_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
7661 				     u8 link_type, u8 addr_type, u8 status)
7662 {
7663 	return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
7664 					  status, MGMT_OP_USER_CONFIRM_REPLY);
7665 }
7666 
7667 int mgmt_user_confirm_neg_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
7668 					 u8 link_type, u8 addr_type, u8 status)
7669 {
7670 	return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
7671 					  status,
7672 					  MGMT_OP_USER_CONFIRM_NEG_REPLY);
7673 }
7674 
7675 int mgmt_user_passkey_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
7676 				     u8 link_type, u8 addr_type, u8 status)
7677 {
7678 	return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
7679 					  status, MGMT_OP_USER_PASSKEY_REPLY);
7680 }
7681 
7682 int mgmt_user_passkey_neg_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
7683 					 u8 link_type, u8 addr_type, u8 status)
7684 {
7685 	return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
7686 					  status,
7687 					  MGMT_OP_USER_PASSKEY_NEG_REPLY);
7688 }
7689 
7690 int mgmt_user_passkey_notify(struct hci_dev *hdev, bdaddr_t *bdaddr,
7691 			     u8 link_type, u8 addr_type, u32 passkey,
7692 			     u8 entered)
7693 {
7694 	struct mgmt_ev_passkey_notify ev;
7695 
7696 	BT_DBG("%s", hdev->name);
7697 
7698 	bacpy(&ev.addr.bdaddr, bdaddr);
7699 	ev.addr.type = link_to_bdaddr(link_type, addr_type);
7700 	ev.passkey = __cpu_to_le32(passkey);
7701 	ev.entered = entered;
7702 
7703 	return mgmt_event(MGMT_EV_PASSKEY_NOTIFY, hdev, &ev, sizeof(ev), NULL);
7704 }
7705 
7706 void mgmt_auth_failed(struct hci_conn *conn, u8 hci_status)
7707 {
7708 	struct mgmt_ev_auth_failed ev;
7709 	struct mgmt_pending_cmd *cmd;
7710 	u8 status = mgmt_status(hci_status);
7711 
7712 	bacpy(&ev.addr.bdaddr, &conn->dst);
7713 	ev.addr.type = link_to_bdaddr(conn->type, conn->dst_type);
7714 	ev.status = status;
7715 
7716 	cmd = find_pairing(conn);
7717 
7718 	mgmt_event(MGMT_EV_AUTH_FAILED, conn->hdev, &ev, sizeof(ev),
7719 		    cmd ? cmd->sk : NULL);
7720 
7721 	if (cmd) {
7722 		cmd->cmd_complete(cmd, status);
7723 		mgmt_pending_remove(cmd);
7724 	}
7725 }
7726 
7727 void mgmt_auth_enable_complete(struct hci_dev *hdev, u8 status)
7728 {
7729 	struct cmd_lookup match = { NULL, hdev };
7730 	bool changed;
7731 
7732 	if (status) {
7733 		u8 mgmt_err = mgmt_status(status);
7734 		mgmt_pending_foreach(MGMT_OP_SET_LINK_SECURITY, hdev,
7735 				     cmd_status_rsp, &mgmt_err);
7736 		return;
7737 	}
7738 
7739 	if (test_bit(HCI_AUTH, &hdev->flags))
7740 		changed = !hci_dev_test_and_set_flag(hdev, HCI_LINK_SECURITY);
7741 	else
7742 		changed = hci_dev_test_and_clear_flag(hdev, HCI_LINK_SECURITY);
7743 
7744 	mgmt_pending_foreach(MGMT_OP_SET_LINK_SECURITY, hdev, settings_rsp,
7745 			     &match);
7746 
7747 	if (changed)
7748 		new_settings(hdev, match.sk);
7749 
7750 	if (match.sk)
7751 		sock_put(match.sk);
7752 }
7753 
7754 static void clear_eir(struct hci_request *req)
7755 {
7756 	struct hci_dev *hdev = req->hdev;
7757 	struct hci_cp_write_eir cp;
7758 
7759 	if (!lmp_ext_inq_capable(hdev))
7760 		return;
7761 
7762 	memset(hdev->eir, 0, sizeof(hdev->eir));
7763 
7764 	memset(&cp, 0, sizeof(cp));
7765 
7766 	hci_req_add(req, HCI_OP_WRITE_EIR, sizeof(cp), &cp);
7767 }
7768 
7769 void mgmt_ssp_enable_complete(struct hci_dev *hdev, u8 enable, u8 status)
7770 {
7771 	struct cmd_lookup match = { NULL, hdev };
7772 	struct hci_request req;
7773 	bool changed = false;
7774 
7775 	if (status) {
7776 		u8 mgmt_err = mgmt_status(status);
7777 
7778 		if (enable && hci_dev_test_and_clear_flag(hdev,
7779 							  HCI_SSP_ENABLED)) {
7780 			hci_dev_clear_flag(hdev, HCI_HS_ENABLED);
7781 			new_settings(hdev, NULL);
7782 		}
7783 
7784 		mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, cmd_status_rsp,
7785 				     &mgmt_err);
7786 		return;
7787 	}
7788 
7789 	if (enable) {
7790 		changed = !hci_dev_test_and_set_flag(hdev, HCI_SSP_ENABLED);
7791 	} else {
7792 		changed = hci_dev_test_and_clear_flag(hdev, HCI_SSP_ENABLED);
7793 		if (!changed)
7794 			changed = hci_dev_test_and_clear_flag(hdev,
7795 							      HCI_HS_ENABLED);
7796 		else
7797 			hci_dev_clear_flag(hdev, HCI_HS_ENABLED);
7798 	}
7799 
7800 	mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, settings_rsp, &match);
7801 
7802 	if (changed)
7803 		new_settings(hdev, match.sk);
7804 
7805 	if (match.sk)
7806 		sock_put(match.sk);
7807 
7808 	hci_req_init(&req, hdev);
7809 
7810 	if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
7811 		if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS))
7812 			hci_req_add(&req, HCI_OP_WRITE_SSP_DEBUG_MODE,
7813 				    sizeof(enable), &enable);
7814 		__hci_req_update_eir(&req);
7815 	} else {
7816 		clear_eir(&req);
7817 	}
7818 
7819 	hci_req_run(&req, NULL);
7820 }
7821 
7822 static void sk_lookup(struct mgmt_pending_cmd *cmd, void *data)
7823 {
7824 	struct cmd_lookup *match = data;
7825 
7826 	if (match->sk == NULL) {
7827 		match->sk = cmd->sk;
7828 		sock_hold(match->sk);
7829 	}
7830 }
7831 
7832 void mgmt_set_class_of_dev_complete(struct hci_dev *hdev, u8 *dev_class,
7833 				    u8 status)
7834 {
7835 	struct cmd_lookup match = { NULL, hdev, mgmt_status(status) };
7836 
7837 	mgmt_pending_foreach(MGMT_OP_SET_DEV_CLASS, hdev, sk_lookup, &match);
7838 	mgmt_pending_foreach(MGMT_OP_ADD_UUID, hdev, sk_lookup, &match);
7839 	mgmt_pending_foreach(MGMT_OP_REMOVE_UUID, hdev, sk_lookup, &match);
7840 
7841 	if (!status) {
7842 		mgmt_limited_event(MGMT_EV_CLASS_OF_DEV_CHANGED, hdev, dev_class,
7843 				   3, HCI_MGMT_DEV_CLASS_EVENTS, NULL);
7844 		ext_info_changed(hdev, NULL);
7845 	}
7846 
7847 	if (match.sk)
7848 		sock_put(match.sk);
7849 }
7850 
7851 void mgmt_set_local_name_complete(struct hci_dev *hdev, u8 *name, u8 status)
7852 {
7853 	struct mgmt_cp_set_local_name ev;
7854 	struct mgmt_pending_cmd *cmd;
7855 
7856 	if (status)
7857 		return;
7858 
7859 	memset(&ev, 0, sizeof(ev));
7860 	memcpy(ev.name, name, HCI_MAX_NAME_LENGTH);
7861 	memcpy(ev.short_name, hdev->short_name, HCI_MAX_SHORT_NAME_LENGTH);
7862 
7863 	cmd = pending_find(MGMT_OP_SET_LOCAL_NAME, hdev);
7864 	if (!cmd) {
7865 		memcpy(hdev->dev_name, name, sizeof(hdev->dev_name));
7866 
7867 		/* If this is a HCI command related to powering on the
7868 		 * HCI dev don't send any mgmt signals.
7869 		 */
7870 		if (pending_find(MGMT_OP_SET_POWERED, hdev))
7871 			return;
7872 	}
7873 
7874 	mgmt_limited_event(MGMT_EV_LOCAL_NAME_CHANGED, hdev, &ev, sizeof(ev),
7875 			   HCI_MGMT_LOCAL_NAME_EVENTS, cmd ? cmd->sk : NULL);
7876 	ext_info_changed(hdev, cmd ? cmd->sk : NULL);
7877 }
7878 
7879 static inline bool has_uuid(u8 *uuid, u16 uuid_count, u8 (*uuids)[16])
7880 {
7881 	int i;
7882 
7883 	for (i = 0; i < uuid_count; i++) {
7884 		if (!memcmp(uuid, uuids[i], 16))
7885 			return true;
7886 	}
7887 
7888 	return false;
7889 }
7890 
7891 static bool eir_has_uuids(u8 *eir, u16 eir_len, u16 uuid_count, u8 (*uuids)[16])
7892 {
7893 	u16 parsed = 0;
7894 
7895 	while (parsed < eir_len) {
7896 		u8 field_len = eir[0];
7897 		u8 uuid[16];
7898 		int i;
7899 
7900 		if (field_len == 0)
7901 			break;
7902 
7903 		if (eir_len - parsed < field_len + 1)
7904 			break;
7905 
7906 		switch (eir[1]) {
7907 		case EIR_UUID16_ALL:
7908 		case EIR_UUID16_SOME:
7909 			for (i = 0; i + 3 <= field_len; i += 2) {
7910 				memcpy(uuid, bluetooth_base_uuid, 16);
7911 				uuid[13] = eir[i + 3];
7912 				uuid[12] = eir[i + 2];
7913 				if (has_uuid(uuid, uuid_count, uuids))
7914 					return true;
7915 			}
7916 			break;
7917 		case EIR_UUID32_ALL:
7918 		case EIR_UUID32_SOME:
7919 			for (i = 0; i + 5 <= field_len; i += 4) {
7920 				memcpy(uuid, bluetooth_base_uuid, 16);
7921 				uuid[15] = eir[i + 5];
7922 				uuid[14] = eir[i + 4];
7923 				uuid[13] = eir[i + 3];
7924 				uuid[12] = eir[i + 2];
7925 				if (has_uuid(uuid, uuid_count, uuids))
7926 					return true;
7927 			}
7928 			break;
7929 		case EIR_UUID128_ALL:
7930 		case EIR_UUID128_SOME:
7931 			for (i = 0; i + 17 <= field_len; i += 16) {
7932 				memcpy(uuid, eir + i + 2, 16);
7933 				if (has_uuid(uuid, uuid_count, uuids))
7934 					return true;
7935 			}
7936 			break;
7937 		}
7938 
7939 		parsed += field_len + 1;
7940 		eir += field_len + 1;
7941 	}
7942 
7943 	return false;
7944 }
7945 
7946 static void restart_le_scan(struct hci_dev *hdev)
7947 {
7948 	/* If controller is not scanning we are done. */
7949 	if (!hci_dev_test_flag(hdev, HCI_LE_SCAN))
7950 		return;
7951 
7952 	if (time_after(jiffies + DISCOV_LE_RESTART_DELAY,
7953 		       hdev->discovery.scan_start +
7954 		       hdev->discovery.scan_duration))
7955 		return;
7956 
7957 	queue_delayed_work(hdev->req_workqueue, &hdev->le_scan_restart,
7958 			   DISCOV_LE_RESTART_DELAY);
7959 }
7960 
7961 static bool is_filter_match(struct hci_dev *hdev, s8 rssi, u8 *eir,
7962 			    u16 eir_len, u8 *scan_rsp, u8 scan_rsp_len)
7963 {
7964 	/* If a RSSI threshold has been specified, and
7965 	 * HCI_QUIRK_STRICT_DUPLICATE_FILTER is not set, then all results with
7966 	 * a RSSI smaller than the RSSI threshold will be dropped. If the quirk
7967 	 * is set, let it through for further processing, as we might need to
7968 	 * restart the scan.
7969 	 *
7970 	 * For BR/EDR devices (pre 1.2) providing no RSSI during inquiry,
7971 	 * the results are also dropped.
7972 	 */
7973 	if (hdev->discovery.rssi != HCI_RSSI_INVALID &&
7974 	    (rssi == HCI_RSSI_INVALID ||
7975 	    (rssi < hdev->discovery.rssi &&
7976 	     !test_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks))))
7977 		return  false;
7978 
7979 	if (hdev->discovery.uuid_count != 0) {
7980 		/* If a list of UUIDs is provided in filter, results with no
7981 		 * matching UUID should be dropped.
7982 		 */
7983 		if (!eir_has_uuids(eir, eir_len, hdev->discovery.uuid_count,
7984 				   hdev->discovery.uuids) &&
7985 		    !eir_has_uuids(scan_rsp, scan_rsp_len,
7986 				   hdev->discovery.uuid_count,
7987 				   hdev->discovery.uuids))
7988 			return false;
7989 	}
7990 
7991 	/* If duplicate filtering does not report RSSI changes, then restart
7992 	 * scanning to ensure updated result with updated RSSI values.
7993 	 */
7994 	if (test_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks)) {
7995 		restart_le_scan(hdev);
7996 
7997 		/* Validate RSSI value against the RSSI threshold once more. */
7998 		if (hdev->discovery.rssi != HCI_RSSI_INVALID &&
7999 		    rssi < hdev->discovery.rssi)
8000 			return false;
8001 	}
8002 
8003 	return true;
8004 }
8005 
8006 void mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
8007 		       u8 addr_type, u8 *dev_class, s8 rssi, u32 flags,
8008 		       u8 *eir, u16 eir_len, u8 *scan_rsp, u8 scan_rsp_len)
8009 {
8010 	char buf[512];
8011 	struct mgmt_ev_device_found *ev = (void *)buf;
8012 	size_t ev_size;
8013 
8014 	/* Don't send events for a non-kernel initiated discovery. With
8015 	 * LE one exception is if we have pend_le_reports > 0 in which
8016 	 * case we're doing passive scanning and want these events.
8017 	 */
8018 	if (!hci_discovery_active(hdev)) {
8019 		if (link_type == ACL_LINK)
8020 			return;
8021 		if (link_type == LE_LINK && list_empty(&hdev->pend_le_reports))
8022 			return;
8023 	}
8024 
8025 	if (hdev->discovery.result_filtering) {
8026 		/* We are using service discovery */
8027 		if (!is_filter_match(hdev, rssi, eir, eir_len, scan_rsp,
8028 				     scan_rsp_len))
8029 			return;
8030 	}
8031 
8032 	if (hdev->discovery.limited) {
8033 		/* Check for limited discoverable bit */
8034 		if (dev_class) {
8035 			if (!(dev_class[1] & 0x20))
8036 				return;
8037 		} else {
8038 			u8 *flags = eir_get_data(eir, eir_len, EIR_FLAGS, NULL);
8039 			if (!flags || !(flags[0] & LE_AD_LIMITED))
8040 				return;
8041 		}
8042 	}
8043 
8044 	/* Make sure that the buffer is big enough. The 5 extra bytes
8045 	 * are for the potential CoD field.
8046 	 */
8047 	if (sizeof(*ev) + eir_len + scan_rsp_len + 5 > sizeof(buf))
8048 		return;
8049 
8050 	memset(buf, 0, sizeof(buf));
8051 
8052 	/* In case of device discovery with BR/EDR devices (pre 1.2), the
8053 	 * RSSI value was reported as 0 when not available. This behavior
8054 	 * is kept when using device discovery. This is required for full
8055 	 * backwards compatibility with the API.
8056 	 *
8057 	 * However when using service discovery, the value 127 will be
8058 	 * returned when the RSSI is not available.
8059 	 */
8060 	if (rssi == HCI_RSSI_INVALID && !hdev->discovery.report_invalid_rssi &&
8061 	    link_type == ACL_LINK)
8062 		rssi = 0;
8063 
8064 	bacpy(&ev->addr.bdaddr, bdaddr);
8065 	ev->addr.type = link_to_bdaddr(link_type, addr_type);
8066 	ev->rssi = rssi;
8067 	ev->flags = cpu_to_le32(flags);
8068 
8069 	if (eir_len > 0)
8070 		/* Copy EIR or advertising data into event */
8071 		memcpy(ev->eir, eir, eir_len);
8072 
8073 	if (dev_class && !eir_get_data(ev->eir, eir_len, EIR_CLASS_OF_DEV,
8074 				       NULL))
8075 		eir_len = eir_append_data(ev->eir, eir_len, EIR_CLASS_OF_DEV,
8076 					  dev_class, 3);
8077 
8078 	if (scan_rsp_len > 0)
8079 		/* Append scan response data to event */
8080 		memcpy(ev->eir + eir_len, scan_rsp, scan_rsp_len);
8081 
8082 	ev->eir_len = cpu_to_le16(eir_len + scan_rsp_len);
8083 	ev_size = sizeof(*ev) + eir_len + scan_rsp_len;
8084 
8085 	mgmt_event(MGMT_EV_DEVICE_FOUND, hdev, ev, ev_size, NULL);
8086 }
8087 
8088 void mgmt_remote_name(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
8089 		      u8 addr_type, s8 rssi, u8 *name, u8 name_len)
8090 {
8091 	struct mgmt_ev_device_found *ev;
8092 	char buf[sizeof(*ev) + HCI_MAX_NAME_LENGTH + 2];
8093 	u16 eir_len;
8094 
8095 	ev = (struct mgmt_ev_device_found *) buf;
8096 
8097 	memset(buf, 0, sizeof(buf));
8098 
8099 	bacpy(&ev->addr.bdaddr, bdaddr);
8100 	ev->addr.type = link_to_bdaddr(link_type, addr_type);
8101 	ev->rssi = rssi;
8102 
8103 	eir_len = eir_append_data(ev->eir, 0, EIR_NAME_COMPLETE, name,
8104 				  name_len);
8105 
8106 	ev->eir_len = cpu_to_le16(eir_len);
8107 
8108 	mgmt_event(MGMT_EV_DEVICE_FOUND, hdev, ev, sizeof(*ev) + eir_len, NULL);
8109 }
8110 
8111 void mgmt_discovering(struct hci_dev *hdev, u8 discovering)
8112 {
8113 	struct mgmt_ev_discovering ev;
8114 
8115 	BT_DBG("%s discovering %u", hdev->name, discovering);
8116 
8117 	memset(&ev, 0, sizeof(ev));
8118 	ev.type = hdev->discovery.type;
8119 	ev.discovering = discovering;
8120 
8121 	mgmt_event(MGMT_EV_DISCOVERING, hdev, &ev, sizeof(ev), NULL);
8122 }
8123 
8124 static struct hci_mgmt_chan chan = {
8125 	.channel	= HCI_CHANNEL_CONTROL,
8126 	.handler_count	= ARRAY_SIZE(mgmt_handlers),
8127 	.handlers	= mgmt_handlers,
8128 	.hdev_init	= mgmt_init_hdev,
8129 };
8130 
8131 int mgmt_init(void)
8132 {
8133 	return hci_mgmt_chan_register(&chan);
8134 }
8135 
8136 void mgmt_exit(void)
8137 {
8138 	hci_mgmt_chan_unregister(&chan);
8139 }
8140