xref: /openbmc/linux/net/bluetooth/mgmt.c (revision 867a0e05)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3 
4    Copyright (C) 2010  Nokia Corporation
5    Copyright (C) 2011-2012 Intel Corporation
6 
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License version 2 as
9    published by the Free Software Foundation;
10 
11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 
20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22    SOFTWARE IS DISCLAIMED.
23 */
24 
25 /* Bluetooth HCI Management interface */
26 
27 #include <linux/module.h>
28 #include <asm/unaligned.h>
29 
30 #include <net/bluetooth/bluetooth.h>
31 #include <net/bluetooth/hci_core.h>
32 #include <net/bluetooth/l2cap.h>
33 #include <net/bluetooth/mgmt.h>
34 
35 #include "smp.h"
36 
37 #define MGMT_VERSION	1
38 #define MGMT_REVISION	8
39 
40 static const u16 mgmt_commands[] = {
41 	MGMT_OP_READ_INDEX_LIST,
42 	MGMT_OP_READ_INFO,
43 	MGMT_OP_SET_POWERED,
44 	MGMT_OP_SET_DISCOVERABLE,
45 	MGMT_OP_SET_CONNECTABLE,
46 	MGMT_OP_SET_FAST_CONNECTABLE,
47 	MGMT_OP_SET_BONDABLE,
48 	MGMT_OP_SET_LINK_SECURITY,
49 	MGMT_OP_SET_SSP,
50 	MGMT_OP_SET_HS,
51 	MGMT_OP_SET_LE,
52 	MGMT_OP_SET_DEV_CLASS,
53 	MGMT_OP_SET_LOCAL_NAME,
54 	MGMT_OP_ADD_UUID,
55 	MGMT_OP_REMOVE_UUID,
56 	MGMT_OP_LOAD_LINK_KEYS,
57 	MGMT_OP_LOAD_LONG_TERM_KEYS,
58 	MGMT_OP_DISCONNECT,
59 	MGMT_OP_GET_CONNECTIONS,
60 	MGMT_OP_PIN_CODE_REPLY,
61 	MGMT_OP_PIN_CODE_NEG_REPLY,
62 	MGMT_OP_SET_IO_CAPABILITY,
63 	MGMT_OP_PAIR_DEVICE,
64 	MGMT_OP_CANCEL_PAIR_DEVICE,
65 	MGMT_OP_UNPAIR_DEVICE,
66 	MGMT_OP_USER_CONFIRM_REPLY,
67 	MGMT_OP_USER_CONFIRM_NEG_REPLY,
68 	MGMT_OP_USER_PASSKEY_REPLY,
69 	MGMT_OP_USER_PASSKEY_NEG_REPLY,
70 	MGMT_OP_READ_LOCAL_OOB_DATA,
71 	MGMT_OP_ADD_REMOTE_OOB_DATA,
72 	MGMT_OP_REMOVE_REMOTE_OOB_DATA,
73 	MGMT_OP_START_DISCOVERY,
74 	MGMT_OP_STOP_DISCOVERY,
75 	MGMT_OP_CONFIRM_NAME,
76 	MGMT_OP_BLOCK_DEVICE,
77 	MGMT_OP_UNBLOCK_DEVICE,
78 	MGMT_OP_SET_DEVICE_ID,
79 	MGMT_OP_SET_ADVERTISING,
80 	MGMT_OP_SET_BREDR,
81 	MGMT_OP_SET_STATIC_ADDRESS,
82 	MGMT_OP_SET_SCAN_PARAMS,
83 	MGMT_OP_SET_SECURE_CONN,
84 	MGMT_OP_SET_DEBUG_KEYS,
85 	MGMT_OP_SET_PRIVACY,
86 	MGMT_OP_LOAD_IRKS,
87 	MGMT_OP_GET_CONN_INFO,
88 	MGMT_OP_GET_CLOCK_INFO,
89 	MGMT_OP_ADD_DEVICE,
90 	MGMT_OP_REMOVE_DEVICE,
91 	MGMT_OP_LOAD_CONN_PARAM,
92 	MGMT_OP_READ_UNCONF_INDEX_LIST,
93 	MGMT_OP_READ_CONFIG_INFO,
94 	MGMT_OP_SET_EXTERNAL_CONFIG,
95 	MGMT_OP_SET_PUBLIC_ADDRESS,
96 	MGMT_OP_START_SERVICE_DISCOVERY,
97 };
98 
99 static const u16 mgmt_events[] = {
100 	MGMT_EV_CONTROLLER_ERROR,
101 	MGMT_EV_INDEX_ADDED,
102 	MGMT_EV_INDEX_REMOVED,
103 	MGMT_EV_NEW_SETTINGS,
104 	MGMT_EV_CLASS_OF_DEV_CHANGED,
105 	MGMT_EV_LOCAL_NAME_CHANGED,
106 	MGMT_EV_NEW_LINK_KEY,
107 	MGMT_EV_NEW_LONG_TERM_KEY,
108 	MGMT_EV_DEVICE_CONNECTED,
109 	MGMT_EV_DEVICE_DISCONNECTED,
110 	MGMT_EV_CONNECT_FAILED,
111 	MGMT_EV_PIN_CODE_REQUEST,
112 	MGMT_EV_USER_CONFIRM_REQUEST,
113 	MGMT_EV_USER_PASSKEY_REQUEST,
114 	MGMT_EV_AUTH_FAILED,
115 	MGMT_EV_DEVICE_FOUND,
116 	MGMT_EV_DISCOVERING,
117 	MGMT_EV_DEVICE_BLOCKED,
118 	MGMT_EV_DEVICE_UNBLOCKED,
119 	MGMT_EV_DEVICE_UNPAIRED,
120 	MGMT_EV_PASSKEY_NOTIFY,
121 	MGMT_EV_NEW_IRK,
122 	MGMT_EV_NEW_CSRK,
123 	MGMT_EV_DEVICE_ADDED,
124 	MGMT_EV_DEVICE_REMOVED,
125 	MGMT_EV_NEW_CONN_PARAM,
126 	MGMT_EV_UNCONF_INDEX_ADDED,
127 	MGMT_EV_UNCONF_INDEX_REMOVED,
128 	MGMT_EV_NEW_CONFIG_OPTIONS,
129 };
130 
131 #define CACHE_TIMEOUT	msecs_to_jiffies(2 * 1000)
132 
133 struct pending_cmd {
134 	struct list_head list;
135 	u16 opcode;
136 	int index;
137 	void *param;
138 	size_t param_len;
139 	struct sock *sk;
140 	void *user_data;
141 	void (*cmd_complete)(struct pending_cmd *cmd, u8 status);
142 };
143 
144 /* HCI to MGMT error code conversion table */
145 static u8 mgmt_status_table[] = {
146 	MGMT_STATUS_SUCCESS,
147 	MGMT_STATUS_UNKNOWN_COMMAND,	/* Unknown Command */
148 	MGMT_STATUS_NOT_CONNECTED,	/* No Connection */
149 	MGMT_STATUS_FAILED,		/* Hardware Failure */
150 	MGMT_STATUS_CONNECT_FAILED,	/* Page Timeout */
151 	MGMT_STATUS_AUTH_FAILED,	/* Authentication Failed */
152 	MGMT_STATUS_AUTH_FAILED,	/* PIN or Key Missing */
153 	MGMT_STATUS_NO_RESOURCES,	/* Memory Full */
154 	MGMT_STATUS_TIMEOUT,		/* Connection Timeout */
155 	MGMT_STATUS_NO_RESOURCES,	/* Max Number of Connections */
156 	MGMT_STATUS_NO_RESOURCES,	/* Max Number of SCO Connections */
157 	MGMT_STATUS_ALREADY_CONNECTED,	/* ACL Connection Exists */
158 	MGMT_STATUS_BUSY,		/* Command Disallowed */
159 	MGMT_STATUS_NO_RESOURCES,	/* Rejected Limited Resources */
160 	MGMT_STATUS_REJECTED,		/* Rejected Security */
161 	MGMT_STATUS_REJECTED,		/* Rejected Personal */
162 	MGMT_STATUS_TIMEOUT,		/* Host Timeout */
163 	MGMT_STATUS_NOT_SUPPORTED,	/* Unsupported Feature */
164 	MGMT_STATUS_INVALID_PARAMS,	/* Invalid Parameters */
165 	MGMT_STATUS_DISCONNECTED,	/* OE User Ended Connection */
166 	MGMT_STATUS_NO_RESOURCES,	/* OE Low Resources */
167 	MGMT_STATUS_DISCONNECTED,	/* OE Power Off */
168 	MGMT_STATUS_DISCONNECTED,	/* Connection Terminated */
169 	MGMT_STATUS_BUSY,		/* Repeated Attempts */
170 	MGMT_STATUS_REJECTED,		/* Pairing Not Allowed */
171 	MGMT_STATUS_FAILED,		/* Unknown LMP PDU */
172 	MGMT_STATUS_NOT_SUPPORTED,	/* Unsupported Remote Feature */
173 	MGMT_STATUS_REJECTED,		/* SCO Offset Rejected */
174 	MGMT_STATUS_REJECTED,		/* SCO Interval Rejected */
175 	MGMT_STATUS_REJECTED,		/* Air Mode Rejected */
176 	MGMT_STATUS_INVALID_PARAMS,	/* Invalid LMP Parameters */
177 	MGMT_STATUS_FAILED,		/* Unspecified Error */
178 	MGMT_STATUS_NOT_SUPPORTED,	/* Unsupported LMP Parameter Value */
179 	MGMT_STATUS_FAILED,		/* Role Change Not Allowed */
180 	MGMT_STATUS_TIMEOUT,		/* LMP Response Timeout */
181 	MGMT_STATUS_FAILED,		/* LMP Error Transaction Collision */
182 	MGMT_STATUS_FAILED,		/* LMP PDU Not Allowed */
183 	MGMT_STATUS_REJECTED,		/* Encryption Mode Not Accepted */
184 	MGMT_STATUS_FAILED,		/* Unit Link Key Used */
185 	MGMT_STATUS_NOT_SUPPORTED,	/* QoS Not Supported */
186 	MGMT_STATUS_TIMEOUT,		/* Instant Passed */
187 	MGMT_STATUS_NOT_SUPPORTED,	/* Pairing Not Supported */
188 	MGMT_STATUS_FAILED,		/* Transaction Collision */
189 	MGMT_STATUS_INVALID_PARAMS,	/* Unacceptable Parameter */
190 	MGMT_STATUS_REJECTED,		/* QoS Rejected */
191 	MGMT_STATUS_NOT_SUPPORTED,	/* Classification Not Supported */
192 	MGMT_STATUS_REJECTED,		/* Insufficient Security */
193 	MGMT_STATUS_INVALID_PARAMS,	/* Parameter Out Of Range */
194 	MGMT_STATUS_BUSY,		/* Role Switch Pending */
195 	MGMT_STATUS_FAILED,		/* Slot Violation */
196 	MGMT_STATUS_FAILED,		/* Role Switch Failed */
197 	MGMT_STATUS_INVALID_PARAMS,	/* EIR Too Large */
198 	MGMT_STATUS_NOT_SUPPORTED,	/* Simple Pairing Not Supported */
199 	MGMT_STATUS_BUSY,		/* Host Busy Pairing */
200 	MGMT_STATUS_REJECTED,		/* Rejected, No Suitable Channel */
201 	MGMT_STATUS_BUSY,		/* Controller Busy */
202 	MGMT_STATUS_INVALID_PARAMS,	/* Unsuitable Connection Interval */
203 	MGMT_STATUS_TIMEOUT,		/* Directed Advertising Timeout */
204 	MGMT_STATUS_AUTH_FAILED,	/* Terminated Due to MIC Failure */
205 	MGMT_STATUS_CONNECT_FAILED,	/* Connection Establishment Failed */
206 	MGMT_STATUS_CONNECT_FAILED,	/* MAC Connection Failed */
207 };
208 
209 static u8 mgmt_status(u8 hci_status)
210 {
211 	if (hci_status < ARRAY_SIZE(mgmt_status_table))
212 		return mgmt_status_table[hci_status];
213 
214 	return MGMT_STATUS_FAILED;
215 }
216 
217 static int mgmt_event(u16 event, struct hci_dev *hdev, void *data, u16 data_len,
218 		      struct sock *skip_sk)
219 {
220 	struct sk_buff *skb;
221 	struct mgmt_hdr *hdr;
222 
223 	skb = alloc_skb(sizeof(*hdr) + data_len, GFP_KERNEL);
224 	if (!skb)
225 		return -ENOMEM;
226 
227 	hdr = (void *) skb_put(skb, sizeof(*hdr));
228 	hdr->opcode = cpu_to_le16(event);
229 	if (hdev)
230 		hdr->index = cpu_to_le16(hdev->id);
231 	else
232 		hdr->index = cpu_to_le16(MGMT_INDEX_NONE);
233 	hdr->len = cpu_to_le16(data_len);
234 
235 	if (data)
236 		memcpy(skb_put(skb, data_len), data, data_len);
237 
238 	/* Time stamp */
239 	__net_timestamp(skb);
240 
241 	hci_send_to_control(skb, skip_sk);
242 	kfree_skb(skb);
243 
244 	return 0;
245 }
246 
247 static int cmd_status(struct sock *sk, u16 index, u16 cmd, u8 status)
248 {
249 	struct sk_buff *skb;
250 	struct mgmt_hdr *hdr;
251 	struct mgmt_ev_cmd_status *ev;
252 	int err;
253 
254 	BT_DBG("sock %p, index %u, cmd %u, status %u", sk, index, cmd, status);
255 
256 	skb = alloc_skb(sizeof(*hdr) + sizeof(*ev), GFP_KERNEL);
257 	if (!skb)
258 		return -ENOMEM;
259 
260 	hdr = (void *) skb_put(skb, sizeof(*hdr));
261 
262 	hdr->opcode = cpu_to_le16(MGMT_EV_CMD_STATUS);
263 	hdr->index = cpu_to_le16(index);
264 	hdr->len = cpu_to_le16(sizeof(*ev));
265 
266 	ev = (void *) skb_put(skb, sizeof(*ev));
267 	ev->status = status;
268 	ev->opcode = cpu_to_le16(cmd);
269 
270 	err = sock_queue_rcv_skb(sk, skb);
271 	if (err < 0)
272 		kfree_skb(skb);
273 
274 	return err;
275 }
276 
277 static int cmd_complete(struct sock *sk, u16 index, u16 cmd, u8 status,
278 			void *rp, size_t rp_len)
279 {
280 	struct sk_buff *skb;
281 	struct mgmt_hdr *hdr;
282 	struct mgmt_ev_cmd_complete *ev;
283 	int err;
284 
285 	BT_DBG("sock %p", sk);
286 
287 	skb = alloc_skb(sizeof(*hdr) + sizeof(*ev) + rp_len, GFP_KERNEL);
288 	if (!skb)
289 		return -ENOMEM;
290 
291 	hdr = (void *) skb_put(skb, sizeof(*hdr));
292 
293 	hdr->opcode = cpu_to_le16(MGMT_EV_CMD_COMPLETE);
294 	hdr->index = cpu_to_le16(index);
295 	hdr->len = cpu_to_le16(sizeof(*ev) + rp_len);
296 
297 	ev = (void *) skb_put(skb, sizeof(*ev) + rp_len);
298 	ev->opcode = cpu_to_le16(cmd);
299 	ev->status = status;
300 
301 	if (rp)
302 		memcpy(ev->data, rp, rp_len);
303 
304 	err = sock_queue_rcv_skb(sk, skb);
305 	if (err < 0)
306 		kfree_skb(skb);
307 
308 	return err;
309 }
310 
311 static int read_version(struct sock *sk, struct hci_dev *hdev, void *data,
312 			u16 data_len)
313 {
314 	struct mgmt_rp_read_version rp;
315 
316 	BT_DBG("sock %p", sk);
317 
318 	rp.version = MGMT_VERSION;
319 	rp.revision = cpu_to_le16(MGMT_REVISION);
320 
321 	return cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_VERSION, 0, &rp,
322 			    sizeof(rp));
323 }
324 
325 static int read_commands(struct sock *sk, struct hci_dev *hdev, void *data,
326 			 u16 data_len)
327 {
328 	struct mgmt_rp_read_commands *rp;
329 	const u16 num_commands = ARRAY_SIZE(mgmt_commands);
330 	const u16 num_events = ARRAY_SIZE(mgmt_events);
331 	__le16 *opcode;
332 	size_t rp_size;
333 	int i, err;
334 
335 	BT_DBG("sock %p", sk);
336 
337 	rp_size = sizeof(*rp) + ((num_commands + num_events) * sizeof(u16));
338 
339 	rp = kmalloc(rp_size, GFP_KERNEL);
340 	if (!rp)
341 		return -ENOMEM;
342 
343 	rp->num_commands = cpu_to_le16(num_commands);
344 	rp->num_events = cpu_to_le16(num_events);
345 
346 	for (i = 0, opcode = rp->opcodes; i < num_commands; i++, opcode++)
347 		put_unaligned_le16(mgmt_commands[i], opcode);
348 
349 	for (i = 0; i < num_events; i++, opcode++)
350 		put_unaligned_le16(mgmt_events[i], opcode);
351 
352 	err = cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_COMMANDS, 0, rp,
353 			   rp_size);
354 	kfree(rp);
355 
356 	return err;
357 }
358 
359 static int read_index_list(struct sock *sk, struct hci_dev *hdev, void *data,
360 			   u16 data_len)
361 {
362 	struct mgmt_rp_read_index_list *rp;
363 	struct hci_dev *d;
364 	size_t rp_len;
365 	u16 count;
366 	int err;
367 
368 	BT_DBG("sock %p", sk);
369 
370 	read_lock(&hci_dev_list_lock);
371 
372 	count = 0;
373 	list_for_each_entry(d, &hci_dev_list, list) {
374 		if (d->dev_type == HCI_BREDR &&
375 		    !test_bit(HCI_UNCONFIGURED, &d->dev_flags))
376 			count++;
377 	}
378 
379 	rp_len = sizeof(*rp) + (2 * count);
380 	rp = kmalloc(rp_len, GFP_ATOMIC);
381 	if (!rp) {
382 		read_unlock(&hci_dev_list_lock);
383 		return -ENOMEM;
384 	}
385 
386 	count = 0;
387 	list_for_each_entry(d, &hci_dev_list, list) {
388 		if (test_bit(HCI_SETUP, &d->dev_flags) ||
389 		    test_bit(HCI_CONFIG, &d->dev_flags) ||
390 		    test_bit(HCI_USER_CHANNEL, &d->dev_flags))
391 			continue;
392 
393 		/* Devices marked as raw-only are neither configured
394 		 * nor unconfigured controllers.
395 		 */
396 		if (test_bit(HCI_QUIRK_RAW_DEVICE, &d->quirks))
397 			continue;
398 
399 		if (d->dev_type == HCI_BREDR &&
400 		    !test_bit(HCI_UNCONFIGURED, &d->dev_flags)) {
401 			rp->index[count++] = cpu_to_le16(d->id);
402 			BT_DBG("Added hci%u", d->id);
403 		}
404 	}
405 
406 	rp->num_controllers = cpu_to_le16(count);
407 	rp_len = sizeof(*rp) + (2 * count);
408 
409 	read_unlock(&hci_dev_list_lock);
410 
411 	err = cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_INDEX_LIST, 0, rp,
412 			   rp_len);
413 
414 	kfree(rp);
415 
416 	return err;
417 }
418 
419 static int read_unconf_index_list(struct sock *sk, struct hci_dev *hdev,
420 				  void *data, u16 data_len)
421 {
422 	struct mgmt_rp_read_unconf_index_list *rp;
423 	struct hci_dev *d;
424 	size_t rp_len;
425 	u16 count;
426 	int err;
427 
428 	BT_DBG("sock %p", sk);
429 
430 	read_lock(&hci_dev_list_lock);
431 
432 	count = 0;
433 	list_for_each_entry(d, &hci_dev_list, list) {
434 		if (d->dev_type == HCI_BREDR &&
435 		    test_bit(HCI_UNCONFIGURED, &d->dev_flags))
436 			count++;
437 	}
438 
439 	rp_len = sizeof(*rp) + (2 * count);
440 	rp = kmalloc(rp_len, GFP_ATOMIC);
441 	if (!rp) {
442 		read_unlock(&hci_dev_list_lock);
443 		return -ENOMEM;
444 	}
445 
446 	count = 0;
447 	list_for_each_entry(d, &hci_dev_list, list) {
448 		if (test_bit(HCI_SETUP, &d->dev_flags) ||
449 		    test_bit(HCI_CONFIG, &d->dev_flags) ||
450 		    test_bit(HCI_USER_CHANNEL, &d->dev_flags))
451 			continue;
452 
453 		/* Devices marked as raw-only are neither configured
454 		 * nor unconfigured controllers.
455 		 */
456 		if (test_bit(HCI_QUIRK_RAW_DEVICE, &d->quirks))
457 			continue;
458 
459 		if (d->dev_type == HCI_BREDR &&
460 		    test_bit(HCI_UNCONFIGURED, &d->dev_flags)) {
461 			rp->index[count++] = cpu_to_le16(d->id);
462 			BT_DBG("Added hci%u", d->id);
463 		}
464 	}
465 
466 	rp->num_controllers = cpu_to_le16(count);
467 	rp_len = sizeof(*rp) + (2 * count);
468 
469 	read_unlock(&hci_dev_list_lock);
470 
471 	err = cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_UNCONF_INDEX_LIST,
472 			   0, rp, rp_len);
473 
474 	kfree(rp);
475 
476 	return err;
477 }
478 
479 static bool is_configured(struct hci_dev *hdev)
480 {
481 	if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) &&
482 	    !test_bit(HCI_EXT_CONFIGURED, &hdev->dev_flags))
483 		return false;
484 
485 	if (test_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks) &&
486 	    !bacmp(&hdev->public_addr, BDADDR_ANY))
487 		return false;
488 
489 	return true;
490 }
491 
492 static __le32 get_missing_options(struct hci_dev *hdev)
493 {
494 	u32 options = 0;
495 
496 	if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) &&
497 	    !test_bit(HCI_EXT_CONFIGURED, &hdev->dev_flags))
498 		options |= MGMT_OPTION_EXTERNAL_CONFIG;
499 
500 	if (test_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks) &&
501 	    !bacmp(&hdev->public_addr, BDADDR_ANY))
502 		options |= MGMT_OPTION_PUBLIC_ADDRESS;
503 
504 	return cpu_to_le32(options);
505 }
506 
507 static int new_options(struct hci_dev *hdev, struct sock *skip)
508 {
509 	__le32 options = get_missing_options(hdev);
510 
511 	return mgmt_event(MGMT_EV_NEW_CONFIG_OPTIONS, hdev, &options,
512 			  sizeof(options), skip);
513 }
514 
515 static int send_options_rsp(struct sock *sk, u16 opcode, struct hci_dev *hdev)
516 {
517 	__le32 options = get_missing_options(hdev);
518 
519 	return cmd_complete(sk, hdev->id, opcode, 0, &options,
520 			    sizeof(options));
521 }
522 
523 static int read_config_info(struct sock *sk, struct hci_dev *hdev,
524 			    void *data, u16 data_len)
525 {
526 	struct mgmt_rp_read_config_info rp;
527 	u32 options = 0;
528 
529 	BT_DBG("sock %p %s", sk, hdev->name);
530 
531 	hci_dev_lock(hdev);
532 
533 	memset(&rp, 0, sizeof(rp));
534 	rp.manufacturer = cpu_to_le16(hdev->manufacturer);
535 
536 	if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks))
537 		options |= MGMT_OPTION_EXTERNAL_CONFIG;
538 
539 	if (hdev->set_bdaddr)
540 		options |= MGMT_OPTION_PUBLIC_ADDRESS;
541 
542 	rp.supported_options = cpu_to_le32(options);
543 	rp.missing_options = get_missing_options(hdev);
544 
545 	hci_dev_unlock(hdev);
546 
547 	return cmd_complete(sk, hdev->id, MGMT_OP_READ_CONFIG_INFO, 0, &rp,
548 			    sizeof(rp));
549 }
550 
551 static u32 get_supported_settings(struct hci_dev *hdev)
552 {
553 	u32 settings = 0;
554 
555 	settings |= MGMT_SETTING_POWERED;
556 	settings |= MGMT_SETTING_BONDABLE;
557 	settings |= MGMT_SETTING_DEBUG_KEYS;
558 	settings |= MGMT_SETTING_CONNECTABLE;
559 	settings |= MGMT_SETTING_DISCOVERABLE;
560 
561 	if (lmp_bredr_capable(hdev)) {
562 		if (hdev->hci_ver >= BLUETOOTH_VER_1_2)
563 			settings |= MGMT_SETTING_FAST_CONNECTABLE;
564 		settings |= MGMT_SETTING_BREDR;
565 		settings |= MGMT_SETTING_LINK_SECURITY;
566 
567 		if (lmp_ssp_capable(hdev)) {
568 			settings |= MGMT_SETTING_SSP;
569 			settings |= MGMT_SETTING_HS;
570 		}
571 
572 		if (lmp_sc_capable(hdev) ||
573 		    test_bit(HCI_FORCE_SC, &hdev->dbg_flags))
574 			settings |= MGMT_SETTING_SECURE_CONN;
575 	}
576 
577 	if (lmp_le_capable(hdev)) {
578 		settings |= MGMT_SETTING_LE;
579 		settings |= MGMT_SETTING_ADVERTISING;
580 		settings |= MGMT_SETTING_SECURE_CONN;
581 		settings |= MGMT_SETTING_PRIVACY;
582 	}
583 
584 	if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) ||
585 	    hdev->set_bdaddr)
586 		settings |= MGMT_SETTING_CONFIGURATION;
587 
588 	return settings;
589 }
590 
591 static u32 get_current_settings(struct hci_dev *hdev)
592 {
593 	u32 settings = 0;
594 
595 	if (hdev_is_powered(hdev))
596 		settings |= MGMT_SETTING_POWERED;
597 
598 	if (test_bit(HCI_CONNECTABLE, &hdev->dev_flags))
599 		settings |= MGMT_SETTING_CONNECTABLE;
600 
601 	if (test_bit(HCI_FAST_CONNECTABLE, &hdev->dev_flags))
602 		settings |= MGMT_SETTING_FAST_CONNECTABLE;
603 
604 	if (test_bit(HCI_DISCOVERABLE, &hdev->dev_flags))
605 		settings |= MGMT_SETTING_DISCOVERABLE;
606 
607 	if (test_bit(HCI_BONDABLE, &hdev->dev_flags))
608 		settings |= MGMT_SETTING_BONDABLE;
609 
610 	if (test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags))
611 		settings |= MGMT_SETTING_BREDR;
612 
613 	if (test_bit(HCI_LE_ENABLED, &hdev->dev_flags))
614 		settings |= MGMT_SETTING_LE;
615 
616 	if (test_bit(HCI_LINK_SECURITY, &hdev->dev_flags))
617 		settings |= MGMT_SETTING_LINK_SECURITY;
618 
619 	if (test_bit(HCI_SSP_ENABLED, &hdev->dev_flags))
620 		settings |= MGMT_SETTING_SSP;
621 
622 	if (test_bit(HCI_HS_ENABLED, &hdev->dev_flags))
623 		settings |= MGMT_SETTING_HS;
624 
625 	if (test_bit(HCI_ADVERTISING, &hdev->dev_flags))
626 		settings |= MGMT_SETTING_ADVERTISING;
627 
628 	if (test_bit(HCI_SC_ENABLED, &hdev->dev_flags))
629 		settings |= MGMT_SETTING_SECURE_CONN;
630 
631 	if (test_bit(HCI_KEEP_DEBUG_KEYS, &hdev->dev_flags))
632 		settings |= MGMT_SETTING_DEBUG_KEYS;
633 
634 	if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
635 		settings |= MGMT_SETTING_PRIVACY;
636 
637 	return settings;
638 }
639 
640 #define PNP_INFO_SVCLASS_ID		0x1200
641 
642 static u8 *create_uuid16_list(struct hci_dev *hdev, u8 *data, ptrdiff_t len)
643 {
644 	u8 *ptr = data, *uuids_start = NULL;
645 	struct bt_uuid *uuid;
646 
647 	if (len < 4)
648 		return ptr;
649 
650 	list_for_each_entry(uuid, &hdev->uuids, list) {
651 		u16 uuid16;
652 
653 		if (uuid->size != 16)
654 			continue;
655 
656 		uuid16 = get_unaligned_le16(&uuid->uuid[12]);
657 		if (uuid16 < 0x1100)
658 			continue;
659 
660 		if (uuid16 == PNP_INFO_SVCLASS_ID)
661 			continue;
662 
663 		if (!uuids_start) {
664 			uuids_start = ptr;
665 			uuids_start[0] = 1;
666 			uuids_start[1] = EIR_UUID16_ALL;
667 			ptr += 2;
668 		}
669 
670 		/* Stop if not enough space to put next UUID */
671 		if ((ptr - data) + sizeof(u16) > len) {
672 			uuids_start[1] = EIR_UUID16_SOME;
673 			break;
674 		}
675 
676 		*ptr++ = (uuid16 & 0x00ff);
677 		*ptr++ = (uuid16 & 0xff00) >> 8;
678 		uuids_start[0] += sizeof(uuid16);
679 	}
680 
681 	return ptr;
682 }
683 
684 static u8 *create_uuid32_list(struct hci_dev *hdev, u8 *data, ptrdiff_t len)
685 {
686 	u8 *ptr = data, *uuids_start = NULL;
687 	struct bt_uuid *uuid;
688 
689 	if (len < 6)
690 		return ptr;
691 
692 	list_for_each_entry(uuid, &hdev->uuids, list) {
693 		if (uuid->size != 32)
694 			continue;
695 
696 		if (!uuids_start) {
697 			uuids_start = ptr;
698 			uuids_start[0] = 1;
699 			uuids_start[1] = EIR_UUID32_ALL;
700 			ptr += 2;
701 		}
702 
703 		/* Stop if not enough space to put next UUID */
704 		if ((ptr - data) + sizeof(u32) > len) {
705 			uuids_start[1] = EIR_UUID32_SOME;
706 			break;
707 		}
708 
709 		memcpy(ptr, &uuid->uuid[12], sizeof(u32));
710 		ptr += sizeof(u32);
711 		uuids_start[0] += sizeof(u32);
712 	}
713 
714 	return ptr;
715 }
716 
717 static u8 *create_uuid128_list(struct hci_dev *hdev, u8 *data, ptrdiff_t len)
718 {
719 	u8 *ptr = data, *uuids_start = NULL;
720 	struct bt_uuid *uuid;
721 
722 	if (len < 18)
723 		return ptr;
724 
725 	list_for_each_entry(uuid, &hdev->uuids, list) {
726 		if (uuid->size != 128)
727 			continue;
728 
729 		if (!uuids_start) {
730 			uuids_start = ptr;
731 			uuids_start[0] = 1;
732 			uuids_start[1] = EIR_UUID128_ALL;
733 			ptr += 2;
734 		}
735 
736 		/* Stop if not enough space to put next UUID */
737 		if ((ptr - data) + 16 > len) {
738 			uuids_start[1] = EIR_UUID128_SOME;
739 			break;
740 		}
741 
742 		memcpy(ptr, uuid->uuid, 16);
743 		ptr += 16;
744 		uuids_start[0] += 16;
745 	}
746 
747 	return ptr;
748 }
749 
750 static struct pending_cmd *mgmt_pending_find(u16 opcode, struct hci_dev *hdev)
751 {
752 	struct pending_cmd *cmd;
753 
754 	list_for_each_entry(cmd, &hdev->mgmt_pending, list) {
755 		if (cmd->opcode == opcode)
756 			return cmd;
757 	}
758 
759 	return NULL;
760 }
761 
762 static struct pending_cmd *mgmt_pending_find_data(u16 opcode,
763 						  struct hci_dev *hdev,
764 						  const void *data)
765 {
766 	struct pending_cmd *cmd;
767 
768 	list_for_each_entry(cmd, &hdev->mgmt_pending, list) {
769 		if (cmd->user_data != data)
770 			continue;
771 		if (cmd->opcode == opcode)
772 			return cmd;
773 	}
774 
775 	return NULL;
776 }
777 
778 static u8 create_scan_rsp_data(struct hci_dev *hdev, u8 *ptr)
779 {
780 	u8 ad_len = 0;
781 	size_t name_len;
782 
783 	name_len = strlen(hdev->dev_name);
784 	if (name_len > 0) {
785 		size_t max_len = HCI_MAX_AD_LENGTH - ad_len - 2;
786 
787 		if (name_len > max_len) {
788 			name_len = max_len;
789 			ptr[1] = EIR_NAME_SHORT;
790 		} else
791 			ptr[1] = EIR_NAME_COMPLETE;
792 
793 		ptr[0] = name_len + 1;
794 
795 		memcpy(ptr + 2, hdev->dev_name, name_len);
796 
797 		ad_len += (name_len + 2);
798 		ptr += (name_len + 2);
799 	}
800 
801 	return ad_len;
802 }
803 
804 static void update_scan_rsp_data(struct hci_request *req)
805 {
806 	struct hci_dev *hdev = req->hdev;
807 	struct hci_cp_le_set_scan_rsp_data cp;
808 	u8 len;
809 
810 	if (!test_bit(HCI_LE_ENABLED, &hdev->dev_flags))
811 		return;
812 
813 	memset(&cp, 0, sizeof(cp));
814 
815 	len = create_scan_rsp_data(hdev, cp.data);
816 
817 	if (hdev->scan_rsp_data_len == len &&
818 	    memcmp(cp.data, hdev->scan_rsp_data, len) == 0)
819 		return;
820 
821 	memcpy(hdev->scan_rsp_data, cp.data, sizeof(cp.data));
822 	hdev->scan_rsp_data_len = len;
823 
824 	cp.length = len;
825 
826 	hci_req_add(req, HCI_OP_LE_SET_SCAN_RSP_DATA, sizeof(cp), &cp);
827 }
828 
829 static u8 get_adv_discov_flags(struct hci_dev *hdev)
830 {
831 	struct pending_cmd *cmd;
832 
833 	/* If there's a pending mgmt command the flags will not yet have
834 	 * their final values, so check for this first.
835 	 */
836 	cmd = mgmt_pending_find(MGMT_OP_SET_DISCOVERABLE, hdev);
837 	if (cmd) {
838 		struct mgmt_mode *cp = cmd->param;
839 		if (cp->val == 0x01)
840 			return LE_AD_GENERAL;
841 		else if (cp->val == 0x02)
842 			return LE_AD_LIMITED;
843 	} else {
844 		if (test_bit(HCI_LIMITED_DISCOVERABLE, &hdev->dev_flags))
845 			return LE_AD_LIMITED;
846 		else if (test_bit(HCI_DISCOVERABLE, &hdev->dev_flags))
847 			return LE_AD_GENERAL;
848 	}
849 
850 	return 0;
851 }
852 
853 static u8 create_adv_data(struct hci_dev *hdev, u8 *ptr)
854 {
855 	u8 ad_len = 0, flags = 0;
856 
857 	flags |= get_adv_discov_flags(hdev);
858 
859 	if (!test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags))
860 		flags |= LE_AD_NO_BREDR;
861 
862 	if (flags) {
863 		BT_DBG("adv flags 0x%02x", flags);
864 
865 		ptr[0] = 2;
866 		ptr[1] = EIR_FLAGS;
867 		ptr[2] = flags;
868 
869 		ad_len += 3;
870 		ptr += 3;
871 	}
872 
873 	if (hdev->adv_tx_power != HCI_TX_POWER_INVALID) {
874 		ptr[0] = 2;
875 		ptr[1] = EIR_TX_POWER;
876 		ptr[2] = (u8) hdev->adv_tx_power;
877 
878 		ad_len += 3;
879 		ptr += 3;
880 	}
881 
882 	return ad_len;
883 }
884 
885 static void update_adv_data(struct hci_request *req)
886 {
887 	struct hci_dev *hdev = req->hdev;
888 	struct hci_cp_le_set_adv_data cp;
889 	u8 len;
890 
891 	if (!test_bit(HCI_LE_ENABLED, &hdev->dev_flags))
892 		return;
893 
894 	memset(&cp, 0, sizeof(cp));
895 
896 	len = create_adv_data(hdev, cp.data);
897 
898 	if (hdev->adv_data_len == len &&
899 	    memcmp(cp.data, hdev->adv_data, len) == 0)
900 		return;
901 
902 	memcpy(hdev->adv_data, cp.data, sizeof(cp.data));
903 	hdev->adv_data_len = len;
904 
905 	cp.length = len;
906 
907 	hci_req_add(req, HCI_OP_LE_SET_ADV_DATA, sizeof(cp), &cp);
908 }
909 
910 int mgmt_update_adv_data(struct hci_dev *hdev)
911 {
912 	struct hci_request req;
913 
914 	hci_req_init(&req, hdev);
915 	update_adv_data(&req);
916 
917 	return hci_req_run(&req, NULL);
918 }
919 
920 static void create_eir(struct hci_dev *hdev, u8 *data)
921 {
922 	u8 *ptr = data;
923 	size_t name_len;
924 
925 	name_len = strlen(hdev->dev_name);
926 
927 	if (name_len > 0) {
928 		/* EIR Data type */
929 		if (name_len > 48) {
930 			name_len = 48;
931 			ptr[1] = EIR_NAME_SHORT;
932 		} else
933 			ptr[1] = EIR_NAME_COMPLETE;
934 
935 		/* EIR Data length */
936 		ptr[0] = name_len + 1;
937 
938 		memcpy(ptr + 2, hdev->dev_name, name_len);
939 
940 		ptr += (name_len + 2);
941 	}
942 
943 	if (hdev->inq_tx_power != HCI_TX_POWER_INVALID) {
944 		ptr[0] = 2;
945 		ptr[1] = EIR_TX_POWER;
946 		ptr[2] = (u8) hdev->inq_tx_power;
947 
948 		ptr += 3;
949 	}
950 
951 	if (hdev->devid_source > 0) {
952 		ptr[0] = 9;
953 		ptr[1] = EIR_DEVICE_ID;
954 
955 		put_unaligned_le16(hdev->devid_source, ptr + 2);
956 		put_unaligned_le16(hdev->devid_vendor, ptr + 4);
957 		put_unaligned_le16(hdev->devid_product, ptr + 6);
958 		put_unaligned_le16(hdev->devid_version, ptr + 8);
959 
960 		ptr += 10;
961 	}
962 
963 	ptr = create_uuid16_list(hdev, ptr, HCI_MAX_EIR_LENGTH - (ptr - data));
964 	ptr = create_uuid32_list(hdev, ptr, HCI_MAX_EIR_LENGTH - (ptr - data));
965 	ptr = create_uuid128_list(hdev, ptr, HCI_MAX_EIR_LENGTH - (ptr - data));
966 }
967 
968 static void update_eir(struct hci_request *req)
969 {
970 	struct hci_dev *hdev = req->hdev;
971 	struct hci_cp_write_eir cp;
972 
973 	if (!hdev_is_powered(hdev))
974 		return;
975 
976 	if (!lmp_ext_inq_capable(hdev))
977 		return;
978 
979 	if (!test_bit(HCI_SSP_ENABLED, &hdev->dev_flags))
980 		return;
981 
982 	if (test_bit(HCI_SERVICE_CACHE, &hdev->dev_flags))
983 		return;
984 
985 	memset(&cp, 0, sizeof(cp));
986 
987 	create_eir(hdev, cp.data);
988 
989 	if (memcmp(cp.data, hdev->eir, sizeof(cp.data)) == 0)
990 		return;
991 
992 	memcpy(hdev->eir, cp.data, sizeof(cp.data));
993 
994 	hci_req_add(req, HCI_OP_WRITE_EIR, sizeof(cp), &cp);
995 }
996 
997 static u8 get_service_classes(struct hci_dev *hdev)
998 {
999 	struct bt_uuid *uuid;
1000 	u8 val = 0;
1001 
1002 	list_for_each_entry(uuid, &hdev->uuids, list)
1003 		val |= uuid->svc_hint;
1004 
1005 	return val;
1006 }
1007 
1008 static void update_class(struct hci_request *req)
1009 {
1010 	struct hci_dev *hdev = req->hdev;
1011 	u8 cod[3];
1012 
1013 	BT_DBG("%s", hdev->name);
1014 
1015 	if (!hdev_is_powered(hdev))
1016 		return;
1017 
1018 	if (!test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags))
1019 		return;
1020 
1021 	if (test_bit(HCI_SERVICE_CACHE, &hdev->dev_flags))
1022 		return;
1023 
1024 	cod[0] = hdev->minor_class;
1025 	cod[1] = hdev->major_class;
1026 	cod[2] = get_service_classes(hdev);
1027 
1028 	if (test_bit(HCI_LIMITED_DISCOVERABLE, &hdev->dev_flags))
1029 		cod[1] |= 0x20;
1030 
1031 	if (memcmp(cod, hdev->dev_class, 3) == 0)
1032 		return;
1033 
1034 	hci_req_add(req, HCI_OP_WRITE_CLASS_OF_DEV, sizeof(cod), cod);
1035 }
1036 
1037 static bool get_connectable(struct hci_dev *hdev)
1038 {
1039 	struct pending_cmd *cmd;
1040 
1041 	/* If there's a pending mgmt command the flag will not yet have
1042 	 * it's final value, so check for this first.
1043 	 */
1044 	cmd = mgmt_pending_find(MGMT_OP_SET_CONNECTABLE, hdev);
1045 	if (cmd) {
1046 		struct mgmt_mode *cp = cmd->param;
1047 		return cp->val;
1048 	}
1049 
1050 	return test_bit(HCI_CONNECTABLE, &hdev->dev_flags);
1051 }
1052 
1053 static void disable_advertising(struct hci_request *req)
1054 {
1055 	u8 enable = 0x00;
1056 
1057 	hci_req_add(req, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable), &enable);
1058 }
1059 
1060 static void enable_advertising(struct hci_request *req)
1061 {
1062 	struct hci_dev *hdev = req->hdev;
1063 	struct hci_cp_le_set_adv_param cp;
1064 	u8 own_addr_type, enable = 0x01;
1065 	bool connectable;
1066 
1067 	if (hci_conn_num(hdev, LE_LINK) > 0)
1068 		return;
1069 
1070 	if (test_bit(HCI_LE_ADV, &hdev->dev_flags))
1071 		disable_advertising(req);
1072 
1073 	/* Clear the HCI_LE_ADV bit temporarily so that the
1074 	 * hci_update_random_address knows that it's safe to go ahead
1075 	 * and write a new random address. The flag will be set back on
1076 	 * as soon as the SET_ADV_ENABLE HCI command completes.
1077 	 */
1078 	clear_bit(HCI_LE_ADV, &hdev->dev_flags);
1079 
1080 	connectable = get_connectable(hdev);
1081 
1082 	/* Set require_privacy to true only when non-connectable
1083 	 * advertising is used. In that case it is fine to use a
1084 	 * non-resolvable private address.
1085 	 */
1086 	if (hci_update_random_address(req, !connectable, &own_addr_type) < 0)
1087 		return;
1088 
1089 	memset(&cp, 0, sizeof(cp));
1090 	cp.min_interval = cpu_to_le16(hdev->le_adv_min_interval);
1091 	cp.max_interval = cpu_to_le16(hdev->le_adv_max_interval);
1092 	cp.type = connectable ? LE_ADV_IND : LE_ADV_NONCONN_IND;
1093 	cp.own_address_type = own_addr_type;
1094 	cp.channel_map = hdev->le_adv_channel_map;
1095 
1096 	hci_req_add(req, HCI_OP_LE_SET_ADV_PARAM, sizeof(cp), &cp);
1097 
1098 	hci_req_add(req, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable), &enable);
1099 }
1100 
1101 static void service_cache_off(struct work_struct *work)
1102 {
1103 	struct hci_dev *hdev = container_of(work, struct hci_dev,
1104 					    service_cache.work);
1105 	struct hci_request req;
1106 
1107 	if (!test_and_clear_bit(HCI_SERVICE_CACHE, &hdev->dev_flags))
1108 		return;
1109 
1110 	hci_req_init(&req, hdev);
1111 
1112 	hci_dev_lock(hdev);
1113 
1114 	update_eir(&req);
1115 	update_class(&req);
1116 
1117 	hci_dev_unlock(hdev);
1118 
1119 	hci_req_run(&req, NULL);
1120 }
1121 
1122 static void rpa_expired(struct work_struct *work)
1123 {
1124 	struct hci_dev *hdev = container_of(work, struct hci_dev,
1125 					    rpa_expired.work);
1126 	struct hci_request req;
1127 
1128 	BT_DBG("");
1129 
1130 	set_bit(HCI_RPA_EXPIRED, &hdev->dev_flags);
1131 
1132 	if (!test_bit(HCI_ADVERTISING, &hdev->dev_flags))
1133 		return;
1134 
1135 	/* The generation of a new RPA and programming it into the
1136 	 * controller happens in the enable_advertising() function.
1137 	 */
1138 	hci_req_init(&req, hdev);
1139 	enable_advertising(&req);
1140 	hci_req_run(&req, NULL);
1141 }
1142 
1143 static void mgmt_init_hdev(struct sock *sk, struct hci_dev *hdev)
1144 {
1145 	if (test_and_set_bit(HCI_MGMT, &hdev->dev_flags))
1146 		return;
1147 
1148 	INIT_DELAYED_WORK(&hdev->service_cache, service_cache_off);
1149 	INIT_DELAYED_WORK(&hdev->rpa_expired, rpa_expired);
1150 
1151 	/* Non-mgmt controlled devices get this bit set
1152 	 * implicitly so that pairing works for them, however
1153 	 * for mgmt we require user-space to explicitly enable
1154 	 * it
1155 	 */
1156 	clear_bit(HCI_BONDABLE, &hdev->dev_flags);
1157 }
1158 
1159 static int read_controller_info(struct sock *sk, struct hci_dev *hdev,
1160 				void *data, u16 data_len)
1161 {
1162 	struct mgmt_rp_read_info rp;
1163 
1164 	BT_DBG("sock %p %s", sk, hdev->name);
1165 
1166 	hci_dev_lock(hdev);
1167 
1168 	memset(&rp, 0, sizeof(rp));
1169 
1170 	bacpy(&rp.bdaddr, &hdev->bdaddr);
1171 
1172 	rp.version = hdev->hci_ver;
1173 	rp.manufacturer = cpu_to_le16(hdev->manufacturer);
1174 
1175 	rp.supported_settings = cpu_to_le32(get_supported_settings(hdev));
1176 	rp.current_settings = cpu_to_le32(get_current_settings(hdev));
1177 
1178 	memcpy(rp.dev_class, hdev->dev_class, 3);
1179 
1180 	memcpy(rp.name, hdev->dev_name, sizeof(hdev->dev_name));
1181 	memcpy(rp.short_name, hdev->short_name, sizeof(hdev->short_name));
1182 
1183 	hci_dev_unlock(hdev);
1184 
1185 	return cmd_complete(sk, hdev->id, MGMT_OP_READ_INFO, 0, &rp,
1186 			    sizeof(rp));
1187 }
1188 
1189 static void mgmt_pending_free(struct pending_cmd *cmd)
1190 {
1191 	sock_put(cmd->sk);
1192 	kfree(cmd->param);
1193 	kfree(cmd);
1194 }
1195 
1196 static struct pending_cmd *mgmt_pending_add(struct sock *sk, u16 opcode,
1197 					    struct hci_dev *hdev, void *data,
1198 					    u16 len)
1199 {
1200 	struct pending_cmd *cmd;
1201 
1202 	cmd = kzalloc(sizeof(*cmd), GFP_KERNEL);
1203 	if (!cmd)
1204 		return NULL;
1205 
1206 	cmd->opcode = opcode;
1207 	cmd->index = hdev->id;
1208 
1209 	cmd->param = kmemdup(data, len, GFP_KERNEL);
1210 	if (!cmd->param) {
1211 		kfree(cmd);
1212 		return NULL;
1213 	}
1214 
1215 	cmd->param_len = len;
1216 
1217 	cmd->sk = sk;
1218 	sock_hold(sk);
1219 
1220 	list_add(&cmd->list, &hdev->mgmt_pending);
1221 
1222 	return cmd;
1223 }
1224 
1225 static void mgmt_pending_foreach(u16 opcode, struct hci_dev *hdev,
1226 				 void (*cb)(struct pending_cmd *cmd,
1227 					    void *data),
1228 				 void *data)
1229 {
1230 	struct pending_cmd *cmd, *tmp;
1231 
1232 	list_for_each_entry_safe(cmd, tmp, &hdev->mgmt_pending, list) {
1233 		if (opcode > 0 && cmd->opcode != opcode)
1234 			continue;
1235 
1236 		cb(cmd, data);
1237 	}
1238 }
1239 
1240 static void mgmt_pending_remove(struct pending_cmd *cmd)
1241 {
1242 	list_del(&cmd->list);
1243 	mgmt_pending_free(cmd);
1244 }
1245 
1246 static int send_settings_rsp(struct sock *sk, u16 opcode, struct hci_dev *hdev)
1247 {
1248 	__le32 settings = cpu_to_le32(get_current_settings(hdev));
1249 
1250 	return cmd_complete(sk, hdev->id, opcode, 0, &settings,
1251 			    sizeof(settings));
1252 }
1253 
1254 static void clean_up_hci_complete(struct hci_dev *hdev, u8 status)
1255 {
1256 	BT_DBG("%s status 0x%02x", hdev->name, status);
1257 
1258 	if (hci_conn_count(hdev) == 0) {
1259 		cancel_delayed_work(&hdev->power_off);
1260 		queue_work(hdev->req_workqueue, &hdev->power_off.work);
1261 	}
1262 }
1263 
1264 static bool hci_stop_discovery(struct hci_request *req)
1265 {
1266 	struct hci_dev *hdev = req->hdev;
1267 	struct hci_cp_remote_name_req_cancel cp;
1268 	struct inquiry_entry *e;
1269 
1270 	switch (hdev->discovery.state) {
1271 	case DISCOVERY_FINDING:
1272 		if (test_bit(HCI_INQUIRY, &hdev->flags)) {
1273 			hci_req_add(req, HCI_OP_INQUIRY_CANCEL, 0, NULL);
1274 		} else {
1275 			cancel_delayed_work(&hdev->le_scan_disable);
1276 			hci_req_add_le_scan_disable(req);
1277 		}
1278 
1279 		return true;
1280 
1281 	case DISCOVERY_RESOLVING:
1282 		e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY,
1283 						     NAME_PENDING);
1284 		if (!e)
1285 			break;
1286 
1287 		bacpy(&cp.bdaddr, &e->data.bdaddr);
1288 		hci_req_add(req, HCI_OP_REMOTE_NAME_REQ_CANCEL, sizeof(cp),
1289 			    &cp);
1290 
1291 		return true;
1292 
1293 	default:
1294 		/* Passive scanning */
1295 		if (test_bit(HCI_LE_SCAN, &hdev->dev_flags)) {
1296 			hci_req_add_le_scan_disable(req);
1297 			return true;
1298 		}
1299 
1300 		break;
1301 	}
1302 
1303 	return false;
1304 }
1305 
1306 static int clean_up_hci_state(struct hci_dev *hdev)
1307 {
1308 	struct hci_request req;
1309 	struct hci_conn *conn;
1310 	bool discov_stopped;
1311 	int err;
1312 
1313 	hci_req_init(&req, hdev);
1314 
1315 	if (test_bit(HCI_ISCAN, &hdev->flags) ||
1316 	    test_bit(HCI_PSCAN, &hdev->flags)) {
1317 		u8 scan = 0x00;
1318 		hci_req_add(&req, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
1319 	}
1320 
1321 	if (test_bit(HCI_LE_ADV, &hdev->dev_flags))
1322 		disable_advertising(&req);
1323 
1324 	discov_stopped = hci_stop_discovery(&req);
1325 
1326 	list_for_each_entry(conn, &hdev->conn_hash.list, list) {
1327 		struct hci_cp_disconnect dc;
1328 		struct hci_cp_reject_conn_req rej;
1329 
1330 		switch (conn->state) {
1331 		case BT_CONNECTED:
1332 		case BT_CONFIG:
1333 			dc.handle = cpu_to_le16(conn->handle);
1334 			dc.reason = 0x15; /* Terminated due to Power Off */
1335 			hci_req_add(&req, HCI_OP_DISCONNECT, sizeof(dc), &dc);
1336 			break;
1337 		case BT_CONNECT:
1338 			if (conn->type == LE_LINK)
1339 				hci_req_add(&req, HCI_OP_LE_CREATE_CONN_CANCEL,
1340 					    0, NULL);
1341 			else if (conn->type == ACL_LINK)
1342 				hci_req_add(&req, HCI_OP_CREATE_CONN_CANCEL,
1343 					    6, &conn->dst);
1344 			break;
1345 		case BT_CONNECT2:
1346 			bacpy(&rej.bdaddr, &conn->dst);
1347 			rej.reason = 0x15; /* Terminated due to Power Off */
1348 			if (conn->type == ACL_LINK)
1349 				hci_req_add(&req, HCI_OP_REJECT_CONN_REQ,
1350 					    sizeof(rej), &rej);
1351 			else if (conn->type == SCO_LINK)
1352 				hci_req_add(&req, HCI_OP_REJECT_SYNC_CONN_REQ,
1353 					    sizeof(rej), &rej);
1354 			break;
1355 		}
1356 	}
1357 
1358 	err = hci_req_run(&req, clean_up_hci_complete);
1359 	if (!err && discov_stopped)
1360 		hci_discovery_set_state(hdev, DISCOVERY_STOPPING);
1361 
1362 	return err;
1363 }
1364 
1365 static int set_powered(struct sock *sk, struct hci_dev *hdev, void *data,
1366 		       u16 len)
1367 {
1368 	struct mgmt_mode *cp = data;
1369 	struct pending_cmd *cmd;
1370 	int err;
1371 
1372 	BT_DBG("request for %s", hdev->name);
1373 
1374 	if (cp->val != 0x00 && cp->val != 0x01)
1375 		return cmd_status(sk, hdev->id, MGMT_OP_SET_POWERED,
1376 				  MGMT_STATUS_INVALID_PARAMS);
1377 
1378 	hci_dev_lock(hdev);
1379 
1380 	if (mgmt_pending_find(MGMT_OP_SET_POWERED, hdev)) {
1381 		err = cmd_status(sk, hdev->id, MGMT_OP_SET_POWERED,
1382 				 MGMT_STATUS_BUSY);
1383 		goto failed;
1384 	}
1385 
1386 	if (test_and_clear_bit(HCI_AUTO_OFF, &hdev->dev_flags)) {
1387 		cancel_delayed_work(&hdev->power_off);
1388 
1389 		if (cp->val) {
1390 			mgmt_pending_add(sk, MGMT_OP_SET_POWERED, hdev,
1391 					 data, len);
1392 			err = mgmt_powered(hdev, 1);
1393 			goto failed;
1394 		}
1395 	}
1396 
1397 	if (!!cp->val == hdev_is_powered(hdev)) {
1398 		err = send_settings_rsp(sk, MGMT_OP_SET_POWERED, hdev);
1399 		goto failed;
1400 	}
1401 
1402 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_POWERED, hdev, data, len);
1403 	if (!cmd) {
1404 		err = -ENOMEM;
1405 		goto failed;
1406 	}
1407 
1408 	if (cp->val) {
1409 		queue_work(hdev->req_workqueue, &hdev->power_on);
1410 		err = 0;
1411 	} else {
1412 		/* Disconnect connections, stop scans, etc */
1413 		err = clean_up_hci_state(hdev);
1414 		if (!err)
1415 			queue_delayed_work(hdev->req_workqueue, &hdev->power_off,
1416 					   HCI_POWER_OFF_TIMEOUT);
1417 
1418 		/* ENODATA means there were no HCI commands queued */
1419 		if (err == -ENODATA) {
1420 			cancel_delayed_work(&hdev->power_off);
1421 			queue_work(hdev->req_workqueue, &hdev->power_off.work);
1422 			err = 0;
1423 		}
1424 	}
1425 
1426 failed:
1427 	hci_dev_unlock(hdev);
1428 	return err;
1429 }
1430 
1431 static int new_settings(struct hci_dev *hdev, struct sock *skip)
1432 {
1433 	__le32 ev;
1434 
1435 	ev = cpu_to_le32(get_current_settings(hdev));
1436 
1437 	return mgmt_event(MGMT_EV_NEW_SETTINGS, hdev, &ev, sizeof(ev), skip);
1438 }
1439 
1440 int mgmt_new_settings(struct hci_dev *hdev)
1441 {
1442 	return new_settings(hdev, NULL);
1443 }
1444 
1445 struct cmd_lookup {
1446 	struct sock *sk;
1447 	struct hci_dev *hdev;
1448 	u8 mgmt_status;
1449 };
1450 
1451 static void settings_rsp(struct pending_cmd *cmd, void *data)
1452 {
1453 	struct cmd_lookup *match = data;
1454 
1455 	send_settings_rsp(cmd->sk, cmd->opcode, match->hdev);
1456 
1457 	list_del(&cmd->list);
1458 
1459 	if (match->sk == NULL) {
1460 		match->sk = cmd->sk;
1461 		sock_hold(match->sk);
1462 	}
1463 
1464 	mgmt_pending_free(cmd);
1465 }
1466 
1467 static void cmd_status_rsp(struct pending_cmd *cmd, void *data)
1468 {
1469 	u8 *status = data;
1470 
1471 	cmd_status(cmd->sk, cmd->index, cmd->opcode, *status);
1472 	mgmt_pending_remove(cmd);
1473 }
1474 
1475 static void cmd_complete_rsp(struct pending_cmd *cmd, void *data)
1476 {
1477 	if (cmd->cmd_complete) {
1478 		u8 *status = data;
1479 
1480 		cmd->cmd_complete(cmd, *status);
1481 		mgmt_pending_remove(cmd);
1482 
1483 		return;
1484 	}
1485 
1486 	cmd_status_rsp(cmd, data);
1487 }
1488 
1489 static void generic_cmd_complete(struct pending_cmd *cmd, u8 status)
1490 {
1491 	cmd_complete(cmd->sk, cmd->index, cmd->opcode, status, cmd->param,
1492 		     cmd->param_len);
1493 }
1494 
1495 static void addr_cmd_complete(struct pending_cmd *cmd, u8 status)
1496 {
1497 	cmd_complete(cmd->sk, cmd->index, cmd->opcode, status, cmd->param,
1498 		     sizeof(struct mgmt_addr_info));
1499 }
1500 
1501 static u8 mgmt_bredr_support(struct hci_dev *hdev)
1502 {
1503 	if (!lmp_bredr_capable(hdev))
1504 		return MGMT_STATUS_NOT_SUPPORTED;
1505 	else if (!test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags))
1506 		return MGMT_STATUS_REJECTED;
1507 	else
1508 		return MGMT_STATUS_SUCCESS;
1509 }
1510 
1511 static u8 mgmt_le_support(struct hci_dev *hdev)
1512 {
1513 	if (!lmp_le_capable(hdev))
1514 		return MGMT_STATUS_NOT_SUPPORTED;
1515 	else if (!test_bit(HCI_LE_ENABLED, &hdev->dev_flags))
1516 		return MGMT_STATUS_REJECTED;
1517 	else
1518 		return MGMT_STATUS_SUCCESS;
1519 }
1520 
1521 static void set_discoverable_complete(struct hci_dev *hdev, u8 status)
1522 {
1523 	struct pending_cmd *cmd;
1524 	struct mgmt_mode *cp;
1525 	struct hci_request req;
1526 	bool changed;
1527 
1528 	BT_DBG("status 0x%02x", status);
1529 
1530 	hci_dev_lock(hdev);
1531 
1532 	cmd = mgmt_pending_find(MGMT_OP_SET_DISCOVERABLE, hdev);
1533 	if (!cmd)
1534 		goto unlock;
1535 
1536 	if (status) {
1537 		u8 mgmt_err = mgmt_status(status);
1538 		cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
1539 		clear_bit(HCI_LIMITED_DISCOVERABLE, &hdev->dev_flags);
1540 		goto remove_cmd;
1541 	}
1542 
1543 	cp = cmd->param;
1544 	if (cp->val) {
1545 		changed = !test_and_set_bit(HCI_DISCOVERABLE,
1546 					    &hdev->dev_flags);
1547 
1548 		if (hdev->discov_timeout > 0) {
1549 			int to = msecs_to_jiffies(hdev->discov_timeout * 1000);
1550 			queue_delayed_work(hdev->workqueue, &hdev->discov_off,
1551 					   to);
1552 		}
1553 	} else {
1554 		changed = test_and_clear_bit(HCI_DISCOVERABLE,
1555 					     &hdev->dev_flags);
1556 	}
1557 
1558 	send_settings_rsp(cmd->sk, MGMT_OP_SET_DISCOVERABLE, hdev);
1559 
1560 	if (changed)
1561 		new_settings(hdev, cmd->sk);
1562 
1563 	/* When the discoverable mode gets changed, make sure
1564 	 * that class of device has the limited discoverable
1565 	 * bit correctly set. Also update page scan based on whitelist
1566 	 * entries.
1567 	 */
1568 	hci_req_init(&req, hdev);
1569 	hci_update_page_scan(hdev, &req);
1570 	update_class(&req);
1571 	hci_req_run(&req, NULL);
1572 
1573 remove_cmd:
1574 	mgmt_pending_remove(cmd);
1575 
1576 unlock:
1577 	hci_dev_unlock(hdev);
1578 }
1579 
1580 static int set_discoverable(struct sock *sk, struct hci_dev *hdev, void *data,
1581 			    u16 len)
1582 {
1583 	struct mgmt_cp_set_discoverable *cp = data;
1584 	struct pending_cmd *cmd;
1585 	struct hci_request req;
1586 	u16 timeout;
1587 	u8 scan;
1588 	int err;
1589 
1590 	BT_DBG("request for %s", hdev->name);
1591 
1592 	if (!test_bit(HCI_LE_ENABLED, &hdev->dev_flags) &&
1593 	    !test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags))
1594 		return cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1595 				  MGMT_STATUS_REJECTED);
1596 
1597 	if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
1598 		return cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1599 				  MGMT_STATUS_INVALID_PARAMS);
1600 
1601 	timeout = __le16_to_cpu(cp->timeout);
1602 
1603 	/* Disabling discoverable requires that no timeout is set,
1604 	 * and enabling limited discoverable requires a timeout.
1605 	 */
1606 	if ((cp->val == 0x00 && timeout > 0) ||
1607 	    (cp->val == 0x02 && timeout == 0))
1608 		return cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1609 				  MGMT_STATUS_INVALID_PARAMS);
1610 
1611 	hci_dev_lock(hdev);
1612 
1613 	if (!hdev_is_powered(hdev) && timeout > 0) {
1614 		err = cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1615 				 MGMT_STATUS_NOT_POWERED);
1616 		goto failed;
1617 	}
1618 
1619 	if (mgmt_pending_find(MGMT_OP_SET_DISCOVERABLE, hdev) ||
1620 	    mgmt_pending_find(MGMT_OP_SET_CONNECTABLE, hdev)) {
1621 		err = cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1622 				 MGMT_STATUS_BUSY);
1623 		goto failed;
1624 	}
1625 
1626 	if (!test_bit(HCI_CONNECTABLE, &hdev->dev_flags)) {
1627 		err = cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1628 				 MGMT_STATUS_REJECTED);
1629 		goto failed;
1630 	}
1631 
1632 	if (!hdev_is_powered(hdev)) {
1633 		bool changed = false;
1634 
1635 		/* Setting limited discoverable when powered off is
1636 		 * not a valid operation since it requires a timeout
1637 		 * and so no need to check HCI_LIMITED_DISCOVERABLE.
1638 		 */
1639 		if (!!cp->val != test_bit(HCI_DISCOVERABLE, &hdev->dev_flags)) {
1640 			change_bit(HCI_DISCOVERABLE, &hdev->dev_flags);
1641 			changed = true;
1642 		}
1643 
1644 		err = send_settings_rsp(sk, MGMT_OP_SET_DISCOVERABLE, hdev);
1645 		if (err < 0)
1646 			goto failed;
1647 
1648 		if (changed)
1649 			err = new_settings(hdev, sk);
1650 
1651 		goto failed;
1652 	}
1653 
1654 	/* If the current mode is the same, then just update the timeout
1655 	 * value with the new value. And if only the timeout gets updated,
1656 	 * then no need for any HCI transactions.
1657 	 */
1658 	if (!!cp->val == test_bit(HCI_DISCOVERABLE, &hdev->dev_flags) &&
1659 	    (cp->val == 0x02) == test_bit(HCI_LIMITED_DISCOVERABLE,
1660 					  &hdev->dev_flags)) {
1661 		cancel_delayed_work(&hdev->discov_off);
1662 		hdev->discov_timeout = timeout;
1663 
1664 		if (cp->val && hdev->discov_timeout > 0) {
1665 			int to = msecs_to_jiffies(hdev->discov_timeout * 1000);
1666 			queue_delayed_work(hdev->workqueue, &hdev->discov_off,
1667 					   to);
1668 		}
1669 
1670 		err = send_settings_rsp(sk, MGMT_OP_SET_DISCOVERABLE, hdev);
1671 		goto failed;
1672 	}
1673 
1674 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_DISCOVERABLE, hdev, data, len);
1675 	if (!cmd) {
1676 		err = -ENOMEM;
1677 		goto failed;
1678 	}
1679 
1680 	/* Cancel any potential discoverable timeout that might be
1681 	 * still active and store new timeout value. The arming of
1682 	 * the timeout happens in the complete handler.
1683 	 */
1684 	cancel_delayed_work(&hdev->discov_off);
1685 	hdev->discov_timeout = timeout;
1686 
1687 	/* Limited discoverable mode */
1688 	if (cp->val == 0x02)
1689 		set_bit(HCI_LIMITED_DISCOVERABLE, &hdev->dev_flags);
1690 	else
1691 		clear_bit(HCI_LIMITED_DISCOVERABLE, &hdev->dev_flags);
1692 
1693 	hci_req_init(&req, hdev);
1694 
1695 	/* The procedure for LE-only controllers is much simpler - just
1696 	 * update the advertising data.
1697 	 */
1698 	if (!test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags))
1699 		goto update_ad;
1700 
1701 	scan = SCAN_PAGE;
1702 
1703 	if (cp->val) {
1704 		struct hci_cp_write_current_iac_lap hci_cp;
1705 
1706 		if (cp->val == 0x02) {
1707 			/* Limited discoverable mode */
1708 			hci_cp.num_iac = min_t(u8, hdev->num_iac, 2);
1709 			hci_cp.iac_lap[0] = 0x00;	/* LIAC */
1710 			hci_cp.iac_lap[1] = 0x8b;
1711 			hci_cp.iac_lap[2] = 0x9e;
1712 			hci_cp.iac_lap[3] = 0x33;	/* GIAC */
1713 			hci_cp.iac_lap[4] = 0x8b;
1714 			hci_cp.iac_lap[5] = 0x9e;
1715 		} else {
1716 			/* General discoverable mode */
1717 			hci_cp.num_iac = 1;
1718 			hci_cp.iac_lap[0] = 0x33;	/* GIAC */
1719 			hci_cp.iac_lap[1] = 0x8b;
1720 			hci_cp.iac_lap[2] = 0x9e;
1721 		}
1722 
1723 		hci_req_add(&req, HCI_OP_WRITE_CURRENT_IAC_LAP,
1724 			    (hci_cp.num_iac * 3) + 1, &hci_cp);
1725 
1726 		scan |= SCAN_INQUIRY;
1727 	} else {
1728 		clear_bit(HCI_LIMITED_DISCOVERABLE, &hdev->dev_flags);
1729 	}
1730 
1731 	hci_req_add(&req, HCI_OP_WRITE_SCAN_ENABLE, sizeof(scan), &scan);
1732 
1733 update_ad:
1734 	update_adv_data(&req);
1735 
1736 	err = hci_req_run(&req, set_discoverable_complete);
1737 	if (err < 0)
1738 		mgmt_pending_remove(cmd);
1739 
1740 failed:
1741 	hci_dev_unlock(hdev);
1742 	return err;
1743 }
1744 
1745 static void write_fast_connectable(struct hci_request *req, bool enable)
1746 {
1747 	struct hci_dev *hdev = req->hdev;
1748 	struct hci_cp_write_page_scan_activity acp;
1749 	u8 type;
1750 
1751 	if (!test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags))
1752 		return;
1753 
1754 	if (hdev->hci_ver < BLUETOOTH_VER_1_2)
1755 		return;
1756 
1757 	if (enable) {
1758 		type = PAGE_SCAN_TYPE_INTERLACED;
1759 
1760 		/* 160 msec page scan interval */
1761 		acp.interval = cpu_to_le16(0x0100);
1762 	} else {
1763 		type = PAGE_SCAN_TYPE_STANDARD;	/* default */
1764 
1765 		/* default 1.28 sec page scan */
1766 		acp.interval = cpu_to_le16(0x0800);
1767 	}
1768 
1769 	acp.window = cpu_to_le16(0x0012);
1770 
1771 	if (__cpu_to_le16(hdev->page_scan_interval) != acp.interval ||
1772 	    __cpu_to_le16(hdev->page_scan_window) != acp.window)
1773 		hci_req_add(req, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY,
1774 			    sizeof(acp), &acp);
1775 
1776 	if (hdev->page_scan_type != type)
1777 		hci_req_add(req, HCI_OP_WRITE_PAGE_SCAN_TYPE, 1, &type);
1778 }
1779 
1780 static void set_connectable_complete(struct hci_dev *hdev, u8 status)
1781 {
1782 	struct pending_cmd *cmd;
1783 	struct mgmt_mode *cp;
1784 	bool conn_changed, discov_changed;
1785 
1786 	BT_DBG("status 0x%02x", status);
1787 
1788 	hci_dev_lock(hdev);
1789 
1790 	cmd = mgmt_pending_find(MGMT_OP_SET_CONNECTABLE, hdev);
1791 	if (!cmd)
1792 		goto unlock;
1793 
1794 	if (status) {
1795 		u8 mgmt_err = mgmt_status(status);
1796 		cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
1797 		goto remove_cmd;
1798 	}
1799 
1800 	cp = cmd->param;
1801 	if (cp->val) {
1802 		conn_changed = !test_and_set_bit(HCI_CONNECTABLE,
1803 						 &hdev->dev_flags);
1804 		discov_changed = false;
1805 	} else {
1806 		conn_changed = test_and_clear_bit(HCI_CONNECTABLE,
1807 						  &hdev->dev_flags);
1808 		discov_changed = test_and_clear_bit(HCI_DISCOVERABLE,
1809 						    &hdev->dev_flags);
1810 	}
1811 
1812 	send_settings_rsp(cmd->sk, MGMT_OP_SET_CONNECTABLE, hdev);
1813 
1814 	if (conn_changed || discov_changed) {
1815 		new_settings(hdev, cmd->sk);
1816 		hci_update_page_scan(hdev, NULL);
1817 		if (discov_changed)
1818 			mgmt_update_adv_data(hdev);
1819 		hci_update_background_scan(hdev);
1820 	}
1821 
1822 remove_cmd:
1823 	mgmt_pending_remove(cmd);
1824 
1825 unlock:
1826 	hci_dev_unlock(hdev);
1827 }
1828 
1829 static int set_connectable_update_settings(struct hci_dev *hdev,
1830 					   struct sock *sk, u8 val)
1831 {
1832 	bool changed = false;
1833 	int err;
1834 
1835 	if (!!val != test_bit(HCI_CONNECTABLE, &hdev->dev_flags))
1836 		changed = true;
1837 
1838 	if (val) {
1839 		set_bit(HCI_CONNECTABLE, &hdev->dev_flags);
1840 	} else {
1841 		clear_bit(HCI_CONNECTABLE, &hdev->dev_flags);
1842 		clear_bit(HCI_DISCOVERABLE, &hdev->dev_flags);
1843 	}
1844 
1845 	err = send_settings_rsp(sk, MGMT_OP_SET_CONNECTABLE, hdev);
1846 	if (err < 0)
1847 		return err;
1848 
1849 	if (changed) {
1850 		hci_update_page_scan(hdev, NULL);
1851 		hci_update_background_scan(hdev);
1852 		return new_settings(hdev, sk);
1853 	}
1854 
1855 	return 0;
1856 }
1857 
1858 static int set_connectable(struct sock *sk, struct hci_dev *hdev, void *data,
1859 			   u16 len)
1860 {
1861 	struct mgmt_mode *cp = data;
1862 	struct pending_cmd *cmd;
1863 	struct hci_request req;
1864 	u8 scan;
1865 	int err;
1866 
1867 	BT_DBG("request for %s", hdev->name);
1868 
1869 	if (!test_bit(HCI_LE_ENABLED, &hdev->dev_flags) &&
1870 	    !test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags))
1871 		return cmd_status(sk, hdev->id, MGMT_OP_SET_CONNECTABLE,
1872 				  MGMT_STATUS_REJECTED);
1873 
1874 	if (cp->val != 0x00 && cp->val != 0x01)
1875 		return cmd_status(sk, hdev->id, MGMT_OP_SET_CONNECTABLE,
1876 				  MGMT_STATUS_INVALID_PARAMS);
1877 
1878 	hci_dev_lock(hdev);
1879 
1880 	if (!hdev_is_powered(hdev)) {
1881 		err = set_connectable_update_settings(hdev, sk, cp->val);
1882 		goto failed;
1883 	}
1884 
1885 	if (mgmt_pending_find(MGMT_OP_SET_DISCOVERABLE, hdev) ||
1886 	    mgmt_pending_find(MGMT_OP_SET_CONNECTABLE, hdev)) {
1887 		err = cmd_status(sk, hdev->id, MGMT_OP_SET_CONNECTABLE,
1888 				 MGMT_STATUS_BUSY);
1889 		goto failed;
1890 	}
1891 
1892 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_CONNECTABLE, hdev, data, len);
1893 	if (!cmd) {
1894 		err = -ENOMEM;
1895 		goto failed;
1896 	}
1897 
1898 	hci_req_init(&req, hdev);
1899 
1900 	/* If BR/EDR is not enabled and we disable advertising as a
1901 	 * by-product of disabling connectable, we need to update the
1902 	 * advertising flags.
1903 	 */
1904 	if (!test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags)) {
1905 		if (!cp->val) {
1906 			clear_bit(HCI_LIMITED_DISCOVERABLE, &hdev->dev_flags);
1907 			clear_bit(HCI_DISCOVERABLE, &hdev->dev_flags);
1908 		}
1909 		update_adv_data(&req);
1910 	} else if (cp->val != test_bit(HCI_PSCAN, &hdev->flags)) {
1911 		if (cp->val) {
1912 			scan = SCAN_PAGE;
1913 		} else {
1914 			/* If we don't have any whitelist entries just
1915 			 * disable all scanning. If there are entries
1916 			 * and we had both page and inquiry scanning
1917 			 * enabled then fall back to only page scanning.
1918 			 * Otherwise no changes are needed.
1919 			 */
1920 			if (list_empty(&hdev->whitelist))
1921 				scan = SCAN_DISABLED;
1922 			else if (test_bit(HCI_ISCAN, &hdev->flags))
1923 				scan = SCAN_PAGE;
1924 			else
1925 				goto no_scan_update;
1926 
1927 			if (test_bit(HCI_ISCAN, &hdev->flags) &&
1928 			    hdev->discov_timeout > 0)
1929 				cancel_delayed_work(&hdev->discov_off);
1930 		}
1931 
1932 		hci_req_add(&req, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
1933 	}
1934 
1935 no_scan_update:
1936 	/* If we're going from non-connectable to connectable or
1937 	 * vice-versa when fast connectable is enabled ensure that fast
1938 	 * connectable gets disabled. write_fast_connectable won't do
1939 	 * anything if the page scan parameters are already what they
1940 	 * should be.
1941 	 */
1942 	if (cp->val || test_bit(HCI_FAST_CONNECTABLE, &hdev->dev_flags))
1943 		write_fast_connectable(&req, false);
1944 
1945 	/* Update the advertising parameters if necessary */
1946 	if (test_bit(HCI_ADVERTISING, &hdev->dev_flags))
1947 		enable_advertising(&req);
1948 
1949 	err = hci_req_run(&req, set_connectable_complete);
1950 	if (err < 0) {
1951 		mgmt_pending_remove(cmd);
1952 		if (err == -ENODATA)
1953 			err = set_connectable_update_settings(hdev, sk,
1954 							      cp->val);
1955 		goto failed;
1956 	}
1957 
1958 failed:
1959 	hci_dev_unlock(hdev);
1960 	return err;
1961 }
1962 
1963 static int set_bondable(struct sock *sk, struct hci_dev *hdev, void *data,
1964 			u16 len)
1965 {
1966 	struct mgmt_mode *cp = data;
1967 	bool changed;
1968 	int err;
1969 
1970 	BT_DBG("request for %s", hdev->name);
1971 
1972 	if (cp->val != 0x00 && cp->val != 0x01)
1973 		return cmd_status(sk, hdev->id, MGMT_OP_SET_BONDABLE,
1974 				  MGMT_STATUS_INVALID_PARAMS);
1975 
1976 	hci_dev_lock(hdev);
1977 
1978 	if (cp->val)
1979 		changed = !test_and_set_bit(HCI_BONDABLE, &hdev->dev_flags);
1980 	else
1981 		changed = test_and_clear_bit(HCI_BONDABLE, &hdev->dev_flags);
1982 
1983 	err = send_settings_rsp(sk, MGMT_OP_SET_BONDABLE, hdev);
1984 	if (err < 0)
1985 		goto unlock;
1986 
1987 	if (changed)
1988 		err = new_settings(hdev, sk);
1989 
1990 unlock:
1991 	hci_dev_unlock(hdev);
1992 	return err;
1993 }
1994 
1995 static int set_link_security(struct sock *sk, struct hci_dev *hdev, void *data,
1996 			     u16 len)
1997 {
1998 	struct mgmt_mode *cp = data;
1999 	struct pending_cmd *cmd;
2000 	u8 val, status;
2001 	int err;
2002 
2003 	BT_DBG("request for %s", hdev->name);
2004 
2005 	status = mgmt_bredr_support(hdev);
2006 	if (status)
2007 		return cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY,
2008 				  status);
2009 
2010 	if (cp->val != 0x00 && cp->val != 0x01)
2011 		return cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY,
2012 				  MGMT_STATUS_INVALID_PARAMS);
2013 
2014 	hci_dev_lock(hdev);
2015 
2016 	if (!hdev_is_powered(hdev)) {
2017 		bool changed = false;
2018 
2019 		if (!!cp->val != test_bit(HCI_LINK_SECURITY,
2020 					  &hdev->dev_flags)) {
2021 			change_bit(HCI_LINK_SECURITY, &hdev->dev_flags);
2022 			changed = true;
2023 		}
2024 
2025 		err = send_settings_rsp(sk, MGMT_OP_SET_LINK_SECURITY, hdev);
2026 		if (err < 0)
2027 			goto failed;
2028 
2029 		if (changed)
2030 			err = new_settings(hdev, sk);
2031 
2032 		goto failed;
2033 	}
2034 
2035 	if (mgmt_pending_find(MGMT_OP_SET_LINK_SECURITY, hdev)) {
2036 		err = cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY,
2037 				 MGMT_STATUS_BUSY);
2038 		goto failed;
2039 	}
2040 
2041 	val = !!cp->val;
2042 
2043 	if (test_bit(HCI_AUTH, &hdev->flags) == val) {
2044 		err = send_settings_rsp(sk, MGMT_OP_SET_LINK_SECURITY, hdev);
2045 		goto failed;
2046 	}
2047 
2048 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_LINK_SECURITY, hdev, data, len);
2049 	if (!cmd) {
2050 		err = -ENOMEM;
2051 		goto failed;
2052 	}
2053 
2054 	err = hci_send_cmd(hdev, HCI_OP_WRITE_AUTH_ENABLE, sizeof(val), &val);
2055 	if (err < 0) {
2056 		mgmt_pending_remove(cmd);
2057 		goto failed;
2058 	}
2059 
2060 failed:
2061 	hci_dev_unlock(hdev);
2062 	return err;
2063 }
2064 
2065 static int set_ssp(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
2066 {
2067 	struct mgmt_mode *cp = data;
2068 	struct pending_cmd *cmd;
2069 	u8 status;
2070 	int err;
2071 
2072 	BT_DBG("request for %s", hdev->name);
2073 
2074 	status = mgmt_bredr_support(hdev);
2075 	if (status)
2076 		return cmd_status(sk, hdev->id, MGMT_OP_SET_SSP, status);
2077 
2078 	if (!lmp_ssp_capable(hdev))
2079 		return cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
2080 				  MGMT_STATUS_NOT_SUPPORTED);
2081 
2082 	if (cp->val != 0x00 && cp->val != 0x01)
2083 		return cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
2084 				  MGMT_STATUS_INVALID_PARAMS);
2085 
2086 	hci_dev_lock(hdev);
2087 
2088 	if (!hdev_is_powered(hdev)) {
2089 		bool changed;
2090 
2091 		if (cp->val) {
2092 			changed = !test_and_set_bit(HCI_SSP_ENABLED,
2093 						    &hdev->dev_flags);
2094 		} else {
2095 			changed = test_and_clear_bit(HCI_SSP_ENABLED,
2096 						     &hdev->dev_flags);
2097 			if (!changed)
2098 				changed = test_and_clear_bit(HCI_HS_ENABLED,
2099 							     &hdev->dev_flags);
2100 			else
2101 				clear_bit(HCI_HS_ENABLED, &hdev->dev_flags);
2102 		}
2103 
2104 		err = send_settings_rsp(sk, MGMT_OP_SET_SSP, hdev);
2105 		if (err < 0)
2106 			goto failed;
2107 
2108 		if (changed)
2109 			err = new_settings(hdev, sk);
2110 
2111 		goto failed;
2112 	}
2113 
2114 	if (mgmt_pending_find(MGMT_OP_SET_SSP, hdev) ||
2115 	    mgmt_pending_find(MGMT_OP_SET_HS, hdev)) {
2116 		err = cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
2117 				 MGMT_STATUS_BUSY);
2118 		goto failed;
2119 	}
2120 
2121 	if (!!cp->val == test_bit(HCI_SSP_ENABLED, &hdev->dev_flags)) {
2122 		err = send_settings_rsp(sk, MGMT_OP_SET_SSP, hdev);
2123 		goto failed;
2124 	}
2125 
2126 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_SSP, hdev, data, len);
2127 	if (!cmd) {
2128 		err = -ENOMEM;
2129 		goto failed;
2130 	}
2131 
2132 	if (!cp->val && test_bit(HCI_USE_DEBUG_KEYS, &hdev->dev_flags))
2133 		hci_send_cmd(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE,
2134 			     sizeof(cp->val), &cp->val);
2135 
2136 	err = hci_send_cmd(hdev, HCI_OP_WRITE_SSP_MODE, 1, &cp->val);
2137 	if (err < 0) {
2138 		mgmt_pending_remove(cmd);
2139 		goto failed;
2140 	}
2141 
2142 failed:
2143 	hci_dev_unlock(hdev);
2144 	return err;
2145 }
2146 
2147 static int set_hs(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
2148 {
2149 	struct mgmt_mode *cp = data;
2150 	bool changed;
2151 	u8 status;
2152 	int err;
2153 
2154 	BT_DBG("request for %s", hdev->name);
2155 
2156 	status = mgmt_bredr_support(hdev);
2157 	if (status)
2158 		return cmd_status(sk, hdev->id, MGMT_OP_SET_HS, status);
2159 
2160 	if (!lmp_ssp_capable(hdev))
2161 		return cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
2162 				  MGMT_STATUS_NOT_SUPPORTED);
2163 
2164 	if (!test_bit(HCI_SSP_ENABLED, &hdev->dev_flags))
2165 		return cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
2166 				  MGMT_STATUS_REJECTED);
2167 
2168 	if (cp->val != 0x00 && cp->val != 0x01)
2169 		return cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
2170 				  MGMT_STATUS_INVALID_PARAMS);
2171 
2172 	hci_dev_lock(hdev);
2173 
2174 	if (cp->val) {
2175 		changed = !test_and_set_bit(HCI_HS_ENABLED, &hdev->dev_flags);
2176 	} else {
2177 		if (hdev_is_powered(hdev)) {
2178 			err = cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
2179 					 MGMT_STATUS_REJECTED);
2180 			goto unlock;
2181 		}
2182 
2183 		changed = test_and_clear_bit(HCI_HS_ENABLED, &hdev->dev_flags);
2184 	}
2185 
2186 	err = send_settings_rsp(sk, MGMT_OP_SET_HS, hdev);
2187 	if (err < 0)
2188 		goto unlock;
2189 
2190 	if (changed)
2191 		err = new_settings(hdev, sk);
2192 
2193 unlock:
2194 	hci_dev_unlock(hdev);
2195 	return err;
2196 }
2197 
2198 static void le_enable_complete(struct hci_dev *hdev, u8 status)
2199 {
2200 	struct cmd_lookup match = { NULL, hdev };
2201 
2202 	hci_dev_lock(hdev);
2203 
2204 	if (status) {
2205 		u8 mgmt_err = mgmt_status(status);
2206 
2207 		mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, cmd_status_rsp,
2208 				     &mgmt_err);
2209 		goto unlock;
2210 	}
2211 
2212 	mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, settings_rsp, &match);
2213 
2214 	new_settings(hdev, match.sk);
2215 
2216 	if (match.sk)
2217 		sock_put(match.sk);
2218 
2219 	/* Make sure the controller has a good default for
2220 	 * advertising data. Restrict the update to when LE
2221 	 * has actually been enabled. During power on, the
2222 	 * update in powered_update_hci will take care of it.
2223 	 */
2224 	if (test_bit(HCI_LE_ENABLED, &hdev->dev_flags)) {
2225 		struct hci_request req;
2226 
2227 		hci_req_init(&req, hdev);
2228 		update_adv_data(&req);
2229 		update_scan_rsp_data(&req);
2230 		hci_req_run(&req, NULL);
2231 
2232 		hci_update_background_scan(hdev);
2233 	}
2234 
2235 unlock:
2236 	hci_dev_unlock(hdev);
2237 }
2238 
2239 static int set_le(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
2240 {
2241 	struct mgmt_mode *cp = data;
2242 	struct hci_cp_write_le_host_supported hci_cp;
2243 	struct pending_cmd *cmd;
2244 	struct hci_request req;
2245 	int err;
2246 	u8 val, enabled;
2247 
2248 	BT_DBG("request for %s", hdev->name);
2249 
2250 	if (!lmp_le_capable(hdev))
2251 		return cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
2252 				  MGMT_STATUS_NOT_SUPPORTED);
2253 
2254 	if (cp->val != 0x00 && cp->val != 0x01)
2255 		return cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
2256 				  MGMT_STATUS_INVALID_PARAMS);
2257 
2258 	/* LE-only devices do not allow toggling LE on/off */
2259 	if (!test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags))
2260 		return cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
2261 				  MGMT_STATUS_REJECTED);
2262 
2263 	hci_dev_lock(hdev);
2264 
2265 	val = !!cp->val;
2266 	enabled = lmp_host_le_capable(hdev);
2267 
2268 	if (!hdev_is_powered(hdev) || val == enabled) {
2269 		bool changed = false;
2270 
2271 		if (val != test_bit(HCI_LE_ENABLED, &hdev->dev_flags)) {
2272 			change_bit(HCI_LE_ENABLED, &hdev->dev_flags);
2273 			changed = true;
2274 		}
2275 
2276 		if (!val && test_bit(HCI_ADVERTISING, &hdev->dev_flags)) {
2277 			clear_bit(HCI_ADVERTISING, &hdev->dev_flags);
2278 			changed = true;
2279 		}
2280 
2281 		err = send_settings_rsp(sk, MGMT_OP_SET_LE, hdev);
2282 		if (err < 0)
2283 			goto unlock;
2284 
2285 		if (changed)
2286 			err = new_settings(hdev, sk);
2287 
2288 		goto unlock;
2289 	}
2290 
2291 	if (mgmt_pending_find(MGMT_OP_SET_LE, hdev) ||
2292 	    mgmt_pending_find(MGMT_OP_SET_ADVERTISING, hdev)) {
2293 		err = cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
2294 				 MGMT_STATUS_BUSY);
2295 		goto unlock;
2296 	}
2297 
2298 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_LE, hdev, data, len);
2299 	if (!cmd) {
2300 		err = -ENOMEM;
2301 		goto unlock;
2302 	}
2303 
2304 	hci_req_init(&req, hdev);
2305 
2306 	memset(&hci_cp, 0, sizeof(hci_cp));
2307 
2308 	if (val) {
2309 		hci_cp.le = val;
2310 		hci_cp.simul = 0x00;
2311 	} else {
2312 		if (test_bit(HCI_LE_ADV, &hdev->dev_flags))
2313 			disable_advertising(&req);
2314 	}
2315 
2316 	hci_req_add(&req, HCI_OP_WRITE_LE_HOST_SUPPORTED, sizeof(hci_cp),
2317 		    &hci_cp);
2318 
2319 	err = hci_req_run(&req, le_enable_complete);
2320 	if (err < 0)
2321 		mgmt_pending_remove(cmd);
2322 
2323 unlock:
2324 	hci_dev_unlock(hdev);
2325 	return err;
2326 }
2327 
2328 /* This is a helper function to test for pending mgmt commands that can
2329  * cause CoD or EIR HCI commands. We can only allow one such pending
2330  * mgmt command at a time since otherwise we cannot easily track what
2331  * the current values are, will be, and based on that calculate if a new
2332  * HCI command needs to be sent and if yes with what value.
2333  */
2334 static bool pending_eir_or_class(struct hci_dev *hdev)
2335 {
2336 	struct pending_cmd *cmd;
2337 
2338 	list_for_each_entry(cmd, &hdev->mgmt_pending, list) {
2339 		switch (cmd->opcode) {
2340 		case MGMT_OP_ADD_UUID:
2341 		case MGMT_OP_REMOVE_UUID:
2342 		case MGMT_OP_SET_DEV_CLASS:
2343 		case MGMT_OP_SET_POWERED:
2344 			return true;
2345 		}
2346 	}
2347 
2348 	return false;
2349 }
2350 
2351 static const u8 bluetooth_base_uuid[] = {
2352 			0xfb, 0x34, 0x9b, 0x5f, 0x80, 0x00, 0x00, 0x80,
2353 			0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2354 };
2355 
2356 static u8 get_uuid_size(const u8 *uuid)
2357 {
2358 	u32 val;
2359 
2360 	if (memcmp(uuid, bluetooth_base_uuid, 12))
2361 		return 128;
2362 
2363 	val = get_unaligned_le32(&uuid[12]);
2364 	if (val > 0xffff)
2365 		return 32;
2366 
2367 	return 16;
2368 }
2369 
2370 static void mgmt_class_complete(struct hci_dev *hdev, u16 mgmt_op, u8 status)
2371 {
2372 	struct pending_cmd *cmd;
2373 
2374 	hci_dev_lock(hdev);
2375 
2376 	cmd = mgmt_pending_find(mgmt_op, hdev);
2377 	if (!cmd)
2378 		goto unlock;
2379 
2380 	cmd_complete(cmd->sk, cmd->index, cmd->opcode, mgmt_status(status),
2381 		     hdev->dev_class, 3);
2382 
2383 	mgmt_pending_remove(cmd);
2384 
2385 unlock:
2386 	hci_dev_unlock(hdev);
2387 }
2388 
2389 static void add_uuid_complete(struct hci_dev *hdev, u8 status)
2390 {
2391 	BT_DBG("status 0x%02x", status);
2392 
2393 	mgmt_class_complete(hdev, MGMT_OP_ADD_UUID, status);
2394 }
2395 
2396 static int add_uuid(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
2397 {
2398 	struct mgmt_cp_add_uuid *cp = data;
2399 	struct pending_cmd *cmd;
2400 	struct hci_request req;
2401 	struct bt_uuid *uuid;
2402 	int err;
2403 
2404 	BT_DBG("request for %s", hdev->name);
2405 
2406 	hci_dev_lock(hdev);
2407 
2408 	if (pending_eir_or_class(hdev)) {
2409 		err = cmd_status(sk, hdev->id, MGMT_OP_ADD_UUID,
2410 				 MGMT_STATUS_BUSY);
2411 		goto failed;
2412 	}
2413 
2414 	uuid = kmalloc(sizeof(*uuid), GFP_KERNEL);
2415 	if (!uuid) {
2416 		err = -ENOMEM;
2417 		goto failed;
2418 	}
2419 
2420 	memcpy(uuid->uuid, cp->uuid, 16);
2421 	uuid->svc_hint = cp->svc_hint;
2422 	uuid->size = get_uuid_size(cp->uuid);
2423 
2424 	list_add_tail(&uuid->list, &hdev->uuids);
2425 
2426 	hci_req_init(&req, hdev);
2427 
2428 	update_class(&req);
2429 	update_eir(&req);
2430 
2431 	err = hci_req_run(&req, add_uuid_complete);
2432 	if (err < 0) {
2433 		if (err != -ENODATA)
2434 			goto failed;
2435 
2436 		err = cmd_complete(sk, hdev->id, MGMT_OP_ADD_UUID, 0,
2437 				   hdev->dev_class, 3);
2438 		goto failed;
2439 	}
2440 
2441 	cmd = mgmt_pending_add(sk, MGMT_OP_ADD_UUID, hdev, data, len);
2442 	if (!cmd) {
2443 		err = -ENOMEM;
2444 		goto failed;
2445 	}
2446 
2447 	err = 0;
2448 
2449 failed:
2450 	hci_dev_unlock(hdev);
2451 	return err;
2452 }
2453 
2454 static bool enable_service_cache(struct hci_dev *hdev)
2455 {
2456 	if (!hdev_is_powered(hdev))
2457 		return false;
2458 
2459 	if (!test_and_set_bit(HCI_SERVICE_CACHE, &hdev->dev_flags)) {
2460 		queue_delayed_work(hdev->workqueue, &hdev->service_cache,
2461 				   CACHE_TIMEOUT);
2462 		return true;
2463 	}
2464 
2465 	return false;
2466 }
2467 
2468 static void remove_uuid_complete(struct hci_dev *hdev, u8 status)
2469 {
2470 	BT_DBG("status 0x%02x", status);
2471 
2472 	mgmt_class_complete(hdev, MGMT_OP_REMOVE_UUID, status);
2473 }
2474 
2475 static int remove_uuid(struct sock *sk, struct hci_dev *hdev, void *data,
2476 		       u16 len)
2477 {
2478 	struct mgmt_cp_remove_uuid *cp = data;
2479 	struct pending_cmd *cmd;
2480 	struct bt_uuid *match, *tmp;
2481 	u8 bt_uuid_any[] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
2482 	struct hci_request req;
2483 	int err, found;
2484 
2485 	BT_DBG("request for %s", hdev->name);
2486 
2487 	hci_dev_lock(hdev);
2488 
2489 	if (pending_eir_or_class(hdev)) {
2490 		err = cmd_status(sk, hdev->id, MGMT_OP_REMOVE_UUID,
2491 				 MGMT_STATUS_BUSY);
2492 		goto unlock;
2493 	}
2494 
2495 	if (memcmp(cp->uuid, bt_uuid_any, 16) == 0) {
2496 		hci_uuids_clear(hdev);
2497 
2498 		if (enable_service_cache(hdev)) {
2499 			err = cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_UUID,
2500 					   0, hdev->dev_class, 3);
2501 			goto unlock;
2502 		}
2503 
2504 		goto update_class;
2505 	}
2506 
2507 	found = 0;
2508 
2509 	list_for_each_entry_safe(match, tmp, &hdev->uuids, list) {
2510 		if (memcmp(match->uuid, cp->uuid, 16) != 0)
2511 			continue;
2512 
2513 		list_del(&match->list);
2514 		kfree(match);
2515 		found++;
2516 	}
2517 
2518 	if (found == 0) {
2519 		err = cmd_status(sk, hdev->id, MGMT_OP_REMOVE_UUID,
2520 				 MGMT_STATUS_INVALID_PARAMS);
2521 		goto unlock;
2522 	}
2523 
2524 update_class:
2525 	hci_req_init(&req, hdev);
2526 
2527 	update_class(&req);
2528 	update_eir(&req);
2529 
2530 	err = hci_req_run(&req, remove_uuid_complete);
2531 	if (err < 0) {
2532 		if (err != -ENODATA)
2533 			goto unlock;
2534 
2535 		err = cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_UUID, 0,
2536 				   hdev->dev_class, 3);
2537 		goto unlock;
2538 	}
2539 
2540 	cmd = mgmt_pending_add(sk, MGMT_OP_REMOVE_UUID, hdev, data, len);
2541 	if (!cmd) {
2542 		err = -ENOMEM;
2543 		goto unlock;
2544 	}
2545 
2546 	err = 0;
2547 
2548 unlock:
2549 	hci_dev_unlock(hdev);
2550 	return err;
2551 }
2552 
2553 static void set_class_complete(struct hci_dev *hdev, u8 status)
2554 {
2555 	BT_DBG("status 0x%02x", status);
2556 
2557 	mgmt_class_complete(hdev, MGMT_OP_SET_DEV_CLASS, status);
2558 }
2559 
2560 static int set_dev_class(struct sock *sk, struct hci_dev *hdev, void *data,
2561 			 u16 len)
2562 {
2563 	struct mgmt_cp_set_dev_class *cp = data;
2564 	struct pending_cmd *cmd;
2565 	struct hci_request req;
2566 	int err;
2567 
2568 	BT_DBG("request for %s", hdev->name);
2569 
2570 	if (!lmp_bredr_capable(hdev))
2571 		return cmd_status(sk, hdev->id, MGMT_OP_SET_DEV_CLASS,
2572 				  MGMT_STATUS_NOT_SUPPORTED);
2573 
2574 	hci_dev_lock(hdev);
2575 
2576 	if (pending_eir_or_class(hdev)) {
2577 		err = cmd_status(sk, hdev->id, MGMT_OP_SET_DEV_CLASS,
2578 				 MGMT_STATUS_BUSY);
2579 		goto unlock;
2580 	}
2581 
2582 	if ((cp->minor & 0x03) != 0 || (cp->major & 0xe0) != 0) {
2583 		err = cmd_status(sk, hdev->id, MGMT_OP_SET_DEV_CLASS,
2584 				 MGMT_STATUS_INVALID_PARAMS);
2585 		goto unlock;
2586 	}
2587 
2588 	hdev->major_class = cp->major;
2589 	hdev->minor_class = cp->minor;
2590 
2591 	if (!hdev_is_powered(hdev)) {
2592 		err = cmd_complete(sk, hdev->id, MGMT_OP_SET_DEV_CLASS, 0,
2593 				   hdev->dev_class, 3);
2594 		goto unlock;
2595 	}
2596 
2597 	hci_req_init(&req, hdev);
2598 
2599 	if (test_and_clear_bit(HCI_SERVICE_CACHE, &hdev->dev_flags)) {
2600 		hci_dev_unlock(hdev);
2601 		cancel_delayed_work_sync(&hdev->service_cache);
2602 		hci_dev_lock(hdev);
2603 		update_eir(&req);
2604 	}
2605 
2606 	update_class(&req);
2607 
2608 	err = hci_req_run(&req, set_class_complete);
2609 	if (err < 0) {
2610 		if (err != -ENODATA)
2611 			goto unlock;
2612 
2613 		err = cmd_complete(sk, hdev->id, MGMT_OP_SET_DEV_CLASS, 0,
2614 				   hdev->dev_class, 3);
2615 		goto unlock;
2616 	}
2617 
2618 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_DEV_CLASS, hdev, data, len);
2619 	if (!cmd) {
2620 		err = -ENOMEM;
2621 		goto unlock;
2622 	}
2623 
2624 	err = 0;
2625 
2626 unlock:
2627 	hci_dev_unlock(hdev);
2628 	return err;
2629 }
2630 
2631 static int load_link_keys(struct sock *sk, struct hci_dev *hdev, void *data,
2632 			  u16 len)
2633 {
2634 	struct mgmt_cp_load_link_keys *cp = data;
2635 	const u16 max_key_count = ((U16_MAX - sizeof(*cp)) /
2636 				   sizeof(struct mgmt_link_key_info));
2637 	u16 key_count, expected_len;
2638 	bool changed;
2639 	int i;
2640 
2641 	BT_DBG("request for %s", hdev->name);
2642 
2643 	if (!lmp_bredr_capable(hdev))
2644 		return cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2645 				  MGMT_STATUS_NOT_SUPPORTED);
2646 
2647 	key_count = __le16_to_cpu(cp->key_count);
2648 	if (key_count > max_key_count) {
2649 		BT_ERR("load_link_keys: too big key_count value %u",
2650 		       key_count);
2651 		return cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2652 				  MGMT_STATUS_INVALID_PARAMS);
2653 	}
2654 
2655 	expected_len = sizeof(*cp) + key_count *
2656 					sizeof(struct mgmt_link_key_info);
2657 	if (expected_len != len) {
2658 		BT_ERR("load_link_keys: expected %u bytes, got %u bytes",
2659 		       expected_len, len);
2660 		return cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2661 				  MGMT_STATUS_INVALID_PARAMS);
2662 	}
2663 
2664 	if (cp->debug_keys != 0x00 && cp->debug_keys != 0x01)
2665 		return cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2666 				  MGMT_STATUS_INVALID_PARAMS);
2667 
2668 	BT_DBG("%s debug_keys %u key_count %u", hdev->name, cp->debug_keys,
2669 	       key_count);
2670 
2671 	for (i = 0; i < key_count; i++) {
2672 		struct mgmt_link_key_info *key = &cp->keys[i];
2673 
2674 		if (key->addr.type != BDADDR_BREDR || key->type > 0x08)
2675 			return cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2676 					  MGMT_STATUS_INVALID_PARAMS);
2677 	}
2678 
2679 	hci_dev_lock(hdev);
2680 
2681 	hci_link_keys_clear(hdev);
2682 
2683 	if (cp->debug_keys)
2684 		changed = !test_and_set_bit(HCI_KEEP_DEBUG_KEYS,
2685 					    &hdev->dev_flags);
2686 	else
2687 		changed = test_and_clear_bit(HCI_KEEP_DEBUG_KEYS,
2688 					     &hdev->dev_flags);
2689 
2690 	if (changed)
2691 		new_settings(hdev, NULL);
2692 
2693 	for (i = 0; i < key_count; i++) {
2694 		struct mgmt_link_key_info *key = &cp->keys[i];
2695 
2696 		/* Always ignore debug keys and require a new pairing if
2697 		 * the user wants to use them.
2698 		 */
2699 		if (key->type == HCI_LK_DEBUG_COMBINATION)
2700 			continue;
2701 
2702 		hci_add_link_key(hdev, NULL, &key->addr.bdaddr, key->val,
2703 				 key->type, key->pin_len, NULL);
2704 	}
2705 
2706 	cmd_complete(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS, 0, NULL, 0);
2707 
2708 	hci_dev_unlock(hdev);
2709 
2710 	return 0;
2711 }
2712 
2713 static int device_unpaired(struct hci_dev *hdev, bdaddr_t *bdaddr,
2714 			   u8 addr_type, struct sock *skip_sk)
2715 {
2716 	struct mgmt_ev_device_unpaired ev;
2717 
2718 	bacpy(&ev.addr.bdaddr, bdaddr);
2719 	ev.addr.type = addr_type;
2720 
2721 	return mgmt_event(MGMT_EV_DEVICE_UNPAIRED, hdev, &ev, sizeof(ev),
2722 			  skip_sk);
2723 }
2724 
2725 static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2726 			 u16 len)
2727 {
2728 	struct mgmt_cp_unpair_device *cp = data;
2729 	struct mgmt_rp_unpair_device rp;
2730 	struct hci_cp_disconnect dc;
2731 	struct pending_cmd *cmd;
2732 	struct hci_conn *conn;
2733 	int err;
2734 
2735 	memset(&rp, 0, sizeof(rp));
2736 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
2737 	rp.addr.type = cp->addr.type;
2738 
2739 	if (!bdaddr_type_is_valid(cp->addr.type))
2740 		return cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2741 				    MGMT_STATUS_INVALID_PARAMS,
2742 				    &rp, sizeof(rp));
2743 
2744 	if (cp->disconnect != 0x00 && cp->disconnect != 0x01)
2745 		return cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2746 				    MGMT_STATUS_INVALID_PARAMS,
2747 				    &rp, sizeof(rp));
2748 
2749 	hci_dev_lock(hdev);
2750 
2751 	if (!hdev_is_powered(hdev)) {
2752 		err = cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2753 				   MGMT_STATUS_NOT_POWERED, &rp, sizeof(rp));
2754 		goto unlock;
2755 	}
2756 
2757 	if (cp->addr.type == BDADDR_BREDR) {
2758 		/* If disconnection is requested, then look up the
2759 		 * connection. If the remote device is connected, it
2760 		 * will be later used to terminate the link.
2761 		 *
2762 		 * Setting it to NULL explicitly will cause no
2763 		 * termination of the link.
2764 		 */
2765 		if (cp->disconnect)
2766 			conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
2767 						       &cp->addr.bdaddr);
2768 		else
2769 			conn = NULL;
2770 
2771 		err = hci_remove_link_key(hdev, &cp->addr.bdaddr);
2772 	} else {
2773 		u8 addr_type;
2774 
2775 		conn = hci_conn_hash_lookup_ba(hdev, LE_LINK,
2776 					       &cp->addr.bdaddr);
2777 		if (conn) {
2778 			/* Defer clearing up the connection parameters
2779 			 * until closing to give a chance of keeping
2780 			 * them if a repairing happens.
2781 			 */
2782 			set_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags);
2783 
2784 			/* If disconnection is not requested, then
2785 			 * clear the connection variable so that the
2786 			 * link is not terminated.
2787 			 */
2788 			if (!cp->disconnect)
2789 				conn = NULL;
2790 		}
2791 
2792 		if (cp->addr.type == BDADDR_LE_PUBLIC)
2793 			addr_type = ADDR_LE_DEV_PUBLIC;
2794 		else
2795 			addr_type = ADDR_LE_DEV_RANDOM;
2796 
2797 		hci_remove_irk(hdev, &cp->addr.bdaddr, addr_type);
2798 
2799 		err = hci_remove_ltk(hdev, &cp->addr.bdaddr, addr_type);
2800 	}
2801 
2802 	if (err < 0) {
2803 		err = cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2804 				   MGMT_STATUS_NOT_PAIRED, &rp, sizeof(rp));
2805 		goto unlock;
2806 	}
2807 
2808 	/* If the connection variable is set, then termination of the
2809 	 * link is requested.
2810 	 */
2811 	if (!conn) {
2812 		err = cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE, 0,
2813 				   &rp, sizeof(rp));
2814 		device_unpaired(hdev, &cp->addr.bdaddr, cp->addr.type, sk);
2815 		goto unlock;
2816 	}
2817 
2818 	cmd = mgmt_pending_add(sk, MGMT_OP_UNPAIR_DEVICE, hdev, cp,
2819 			       sizeof(*cp));
2820 	if (!cmd) {
2821 		err = -ENOMEM;
2822 		goto unlock;
2823 	}
2824 
2825 	cmd->cmd_complete = addr_cmd_complete;
2826 
2827 	dc.handle = cpu_to_le16(conn->handle);
2828 	dc.reason = 0x13; /* Remote User Terminated Connection */
2829 	err = hci_send_cmd(hdev, HCI_OP_DISCONNECT, sizeof(dc), &dc);
2830 	if (err < 0)
2831 		mgmt_pending_remove(cmd);
2832 
2833 unlock:
2834 	hci_dev_unlock(hdev);
2835 	return err;
2836 }
2837 
2838 static int disconnect(struct sock *sk, struct hci_dev *hdev, void *data,
2839 		      u16 len)
2840 {
2841 	struct mgmt_cp_disconnect *cp = data;
2842 	struct mgmt_rp_disconnect rp;
2843 	struct pending_cmd *cmd;
2844 	struct hci_conn *conn;
2845 	int err;
2846 
2847 	BT_DBG("");
2848 
2849 	memset(&rp, 0, sizeof(rp));
2850 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
2851 	rp.addr.type = cp->addr.type;
2852 
2853 	if (!bdaddr_type_is_valid(cp->addr.type))
2854 		return cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
2855 				    MGMT_STATUS_INVALID_PARAMS,
2856 				    &rp, sizeof(rp));
2857 
2858 	hci_dev_lock(hdev);
2859 
2860 	if (!test_bit(HCI_UP, &hdev->flags)) {
2861 		err = cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
2862 				   MGMT_STATUS_NOT_POWERED, &rp, sizeof(rp));
2863 		goto failed;
2864 	}
2865 
2866 	if (mgmt_pending_find(MGMT_OP_DISCONNECT, hdev)) {
2867 		err = cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
2868 				   MGMT_STATUS_BUSY, &rp, sizeof(rp));
2869 		goto failed;
2870 	}
2871 
2872 	if (cp->addr.type == BDADDR_BREDR)
2873 		conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
2874 					       &cp->addr.bdaddr);
2875 	else
2876 		conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->addr.bdaddr);
2877 
2878 	if (!conn || conn->state == BT_OPEN || conn->state == BT_CLOSED) {
2879 		err = cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
2880 				   MGMT_STATUS_NOT_CONNECTED, &rp, sizeof(rp));
2881 		goto failed;
2882 	}
2883 
2884 	cmd = mgmt_pending_add(sk, MGMT_OP_DISCONNECT, hdev, data, len);
2885 	if (!cmd) {
2886 		err = -ENOMEM;
2887 		goto failed;
2888 	}
2889 
2890 	cmd->cmd_complete = generic_cmd_complete;
2891 
2892 	err = hci_disconnect(conn, HCI_ERROR_REMOTE_USER_TERM);
2893 	if (err < 0)
2894 		mgmt_pending_remove(cmd);
2895 
2896 failed:
2897 	hci_dev_unlock(hdev);
2898 	return err;
2899 }
2900 
2901 static u8 link_to_bdaddr(u8 link_type, u8 addr_type)
2902 {
2903 	switch (link_type) {
2904 	case LE_LINK:
2905 		switch (addr_type) {
2906 		case ADDR_LE_DEV_PUBLIC:
2907 			return BDADDR_LE_PUBLIC;
2908 
2909 		default:
2910 			/* Fallback to LE Random address type */
2911 			return BDADDR_LE_RANDOM;
2912 		}
2913 
2914 	default:
2915 		/* Fallback to BR/EDR type */
2916 		return BDADDR_BREDR;
2917 	}
2918 }
2919 
2920 static int get_connections(struct sock *sk, struct hci_dev *hdev, void *data,
2921 			   u16 data_len)
2922 {
2923 	struct mgmt_rp_get_connections *rp;
2924 	struct hci_conn *c;
2925 	size_t rp_len;
2926 	int err;
2927 	u16 i;
2928 
2929 	BT_DBG("");
2930 
2931 	hci_dev_lock(hdev);
2932 
2933 	if (!hdev_is_powered(hdev)) {
2934 		err = cmd_status(sk, hdev->id, MGMT_OP_GET_CONNECTIONS,
2935 				 MGMT_STATUS_NOT_POWERED);
2936 		goto unlock;
2937 	}
2938 
2939 	i = 0;
2940 	list_for_each_entry(c, &hdev->conn_hash.list, list) {
2941 		if (test_bit(HCI_CONN_MGMT_CONNECTED, &c->flags))
2942 			i++;
2943 	}
2944 
2945 	rp_len = sizeof(*rp) + (i * sizeof(struct mgmt_addr_info));
2946 	rp = kmalloc(rp_len, GFP_KERNEL);
2947 	if (!rp) {
2948 		err = -ENOMEM;
2949 		goto unlock;
2950 	}
2951 
2952 	i = 0;
2953 	list_for_each_entry(c, &hdev->conn_hash.list, list) {
2954 		if (!test_bit(HCI_CONN_MGMT_CONNECTED, &c->flags))
2955 			continue;
2956 		bacpy(&rp->addr[i].bdaddr, &c->dst);
2957 		rp->addr[i].type = link_to_bdaddr(c->type, c->dst_type);
2958 		if (c->type == SCO_LINK || c->type == ESCO_LINK)
2959 			continue;
2960 		i++;
2961 	}
2962 
2963 	rp->conn_count = cpu_to_le16(i);
2964 
2965 	/* Recalculate length in case of filtered SCO connections, etc */
2966 	rp_len = sizeof(*rp) + (i * sizeof(struct mgmt_addr_info));
2967 
2968 	err = cmd_complete(sk, hdev->id, MGMT_OP_GET_CONNECTIONS, 0, rp,
2969 			   rp_len);
2970 
2971 	kfree(rp);
2972 
2973 unlock:
2974 	hci_dev_unlock(hdev);
2975 	return err;
2976 }
2977 
2978 static int send_pin_code_neg_reply(struct sock *sk, struct hci_dev *hdev,
2979 				   struct mgmt_cp_pin_code_neg_reply *cp)
2980 {
2981 	struct pending_cmd *cmd;
2982 	int err;
2983 
2984 	cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_NEG_REPLY, hdev, cp,
2985 			       sizeof(*cp));
2986 	if (!cmd)
2987 		return -ENOMEM;
2988 
2989 	err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
2990 			   sizeof(cp->addr.bdaddr), &cp->addr.bdaddr);
2991 	if (err < 0)
2992 		mgmt_pending_remove(cmd);
2993 
2994 	return err;
2995 }
2996 
2997 static int pin_code_reply(struct sock *sk, struct hci_dev *hdev, void *data,
2998 			  u16 len)
2999 {
3000 	struct hci_conn *conn;
3001 	struct mgmt_cp_pin_code_reply *cp = data;
3002 	struct hci_cp_pin_code_reply reply;
3003 	struct pending_cmd *cmd;
3004 	int err;
3005 
3006 	BT_DBG("");
3007 
3008 	hci_dev_lock(hdev);
3009 
3010 	if (!hdev_is_powered(hdev)) {
3011 		err = cmd_status(sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
3012 				 MGMT_STATUS_NOT_POWERED);
3013 		goto failed;
3014 	}
3015 
3016 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->addr.bdaddr);
3017 	if (!conn) {
3018 		err = cmd_status(sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
3019 				 MGMT_STATUS_NOT_CONNECTED);
3020 		goto failed;
3021 	}
3022 
3023 	if (conn->pending_sec_level == BT_SECURITY_HIGH && cp->pin_len != 16) {
3024 		struct mgmt_cp_pin_code_neg_reply ncp;
3025 
3026 		memcpy(&ncp.addr, &cp->addr, sizeof(ncp.addr));
3027 
3028 		BT_ERR("PIN code is not 16 bytes long");
3029 
3030 		err = send_pin_code_neg_reply(sk, hdev, &ncp);
3031 		if (err >= 0)
3032 			err = cmd_status(sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
3033 					 MGMT_STATUS_INVALID_PARAMS);
3034 
3035 		goto failed;
3036 	}
3037 
3038 	cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_REPLY, hdev, data, len);
3039 	if (!cmd) {
3040 		err = -ENOMEM;
3041 		goto failed;
3042 	}
3043 
3044 	cmd->cmd_complete = addr_cmd_complete;
3045 
3046 	bacpy(&reply.bdaddr, &cp->addr.bdaddr);
3047 	reply.pin_len = cp->pin_len;
3048 	memcpy(reply.pin_code, cp->pin_code, sizeof(reply.pin_code));
3049 
3050 	err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_REPLY, sizeof(reply), &reply);
3051 	if (err < 0)
3052 		mgmt_pending_remove(cmd);
3053 
3054 failed:
3055 	hci_dev_unlock(hdev);
3056 	return err;
3057 }
3058 
3059 static int set_io_capability(struct sock *sk, struct hci_dev *hdev, void *data,
3060 			     u16 len)
3061 {
3062 	struct mgmt_cp_set_io_capability *cp = data;
3063 
3064 	BT_DBG("");
3065 
3066 	if (cp->io_capability > SMP_IO_KEYBOARD_DISPLAY)
3067 		return cmd_complete(sk, hdev->id, MGMT_OP_SET_IO_CAPABILITY,
3068 				    MGMT_STATUS_INVALID_PARAMS, NULL, 0);
3069 
3070 	hci_dev_lock(hdev);
3071 
3072 	hdev->io_capability = cp->io_capability;
3073 
3074 	BT_DBG("%s IO capability set to 0x%02x", hdev->name,
3075 	       hdev->io_capability);
3076 
3077 	hci_dev_unlock(hdev);
3078 
3079 	return cmd_complete(sk, hdev->id, MGMT_OP_SET_IO_CAPABILITY, 0, NULL,
3080 			    0);
3081 }
3082 
3083 static struct pending_cmd *find_pairing(struct hci_conn *conn)
3084 {
3085 	struct hci_dev *hdev = conn->hdev;
3086 	struct pending_cmd *cmd;
3087 
3088 	list_for_each_entry(cmd, &hdev->mgmt_pending, list) {
3089 		if (cmd->opcode != MGMT_OP_PAIR_DEVICE)
3090 			continue;
3091 
3092 		if (cmd->user_data != conn)
3093 			continue;
3094 
3095 		return cmd;
3096 	}
3097 
3098 	return NULL;
3099 }
3100 
3101 static void pairing_complete(struct pending_cmd *cmd, u8 status)
3102 {
3103 	struct mgmt_rp_pair_device rp;
3104 	struct hci_conn *conn = cmd->user_data;
3105 
3106 	bacpy(&rp.addr.bdaddr, &conn->dst);
3107 	rp.addr.type = link_to_bdaddr(conn->type, conn->dst_type);
3108 
3109 	cmd_complete(cmd->sk, cmd->index, MGMT_OP_PAIR_DEVICE, status,
3110 		     &rp, sizeof(rp));
3111 
3112 	/* So we don't get further callbacks for this connection */
3113 	conn->connect_cfm_cb = NULL;
3114 	conn->security_cfm_cb = NULL;
3115 	conn->disconn_cfm_cb = NULL;
3116 
3117 	hci_conn_drop(conn);
3118 
3119 	/* The device is paired so there is no need to remove
3120 	 * its connection parameters anymore.
3121 	 */
3122 	clear_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags);
3123 
3124 	hci_conn_put(conn);
3125 }
3126 
3127 void mgmt_smp_complete(struct hci_conn *conn, bool complete)
3128 {
3129 	u8 status = complete ? MGMT_STATUS_SUCCESS : MGMT_STATUS_FAILED;
3130 	struct pending_cmd *cmd;
3131 
3132 	cmd = find_pairing(conn);
3133 	if (cmd) {
3134 		cmd->cmd_complete(cmd, status);
3135 		mgmt_pending_remove(cmd);
3136 	}
3137 }
3138 
3139 static void pairing_complete_cb(struct hci_conn *conn, u8 status)
3140 {
3141 	struct pending_cmd *cmd;
3142 
3143 	BT_DBG("status %u", status);
3144 
3145 	cmd = find_pairing(conn);
3146 	if (!cmd) {
3147 		BT_DBG("Unable to find a pending command");
3148 		return;
3149 	}
3150 
3151 	cmd->cmd_complete(cmd, mgmt_status(status));
3152 	mgmt_pending_remove(cmd);
3153 }
3154 
3155 static void le_pairing_complete_cb(struct hci_conn *conn, u8 status)
3156 {
3157 	struct pending_cmd *cmd;
3158 
3159 	BT_DBG("status %u", status);
3160 
3161 	if (!status)
3162 		return;
3163 
3164 	cmd = find_pairing(conn);
3165 	if (!cmd) {
3166 		BT_DBG("Unable to find a pending command");
3167 		return;
3168 	}
3169 
3170 	cmd->cmd_complete(cmd, mgmt_status(status));
3171 	mgmt_pending_remove(cmd);
3172 }
3173 
3174 static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
3175 		       u16 len)
3176 {
3177 	struct mgmt_cp_pair_device *cp = data;
3178 	struct mgmt_rp_pair_device rp;
3179 	struct pending_cmd *cmd;
3180 	u8 sec_level, auth_type;
3181 	struct hci_conn *conn;
3182 	int err;
3183 
3184 	BT_DBG("");
3185 
3186 	memset(&rp, 0, sizeof(rp));
3187 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
3188 	rp.addr.type = cp->addr.type;
3189 
3190 	if (!bdaddr_type_is_valid(cp->addr.type))
3191 		return cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
3192 				    MGMT_STATUS_INVALID_PARAMS,
3193 				    &rp, sizeof(rp));
3194 
3195 	if (cp->io_cap > SMP_IO_KEYBOARD_DISPLAY)
3196 		return cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
3197 				    MGMT_STATUS_INVALID_PARAMS,
3198 				    &rp, sizeof(rp));
3199 
3200 	hci_dev_lock(hdev);
3201 
3202 	if (!hdev_is_powered(hdev)) {
3203 		err = cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
3204 				   MGMT_STATUS_NOT_POWERED, &rp, sizeof(rp));
3205 		goto unlock;
3206 	}
3207 
3208 	sec_level = BT_SECURITY_MEDIUM;
3209 	auth_type = HCI_AT_DEDICATED_BONDING;
3210 
3211 	if (cp->addr.type == BDADDR_BREDR) {
3212 		conn = hci_connect_acl(hdev, &cp->addr.bdaddr, sec_level,
3213 				       auth_type);
3214 	} else {
3215 		u8 addr_type;
3216 
3217 		/* Convert from L2CAP channel address type to HCI address type
3218 		 */
3219 		if (cp->addr.type == BDADDR_LE_PUBLIC)
3220 			addr_type = ADDR_LE_DEV_PUBLIC;
3221 		else
3222 			addr_type = ADDR_LE_DEV_RANDOM;
3223 
3224 		/* When pairing a new device, it is expected to remember
3225 		 * this device for future connections. Adding the connection
3226 		 * parameter information ahead of time allows tracking
3227 		 * of the slave preferred values and will speed up any
3228 		 * further connection establishment.
3229 		 *
3230 		 * If connection parameters already exist, then they
3231 		 * will be kept and this function does nothing.
3232 		 */
3233 		hci_conn_params_add(hdev, &cp->addr.bdaddr, addr_type);
3234 
3235 		conn = hci_connect_le(hdev, &cp->addr.bdaddr, addr_type,
3236 				      sec_level, HCI_LE_CONN_TIMEOUT,
3237 				      HCI_ROLE_MASTER);
3238 	}
3239 
3240 	if (IS_ERR(conn)) {
3241 		int status;
3242 
3243 		if (PTR_ERR(conn) == -EBUSY)
3244 			status = MGMT_STATUS_BUSY;
3245 		else
3246 			status = MGMT_STATUS_CONNECT_FAILED;
3247 
3248 		err = cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
3249 				   status, &rp,
3250 				   sizeof(rp));
3251 		goto unlock;
3252 	}
3253 
3254 	if (conn->connect_cfm_cb) {
3255 		hci_conn_drop(conn);
3256 		err = cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
3257 				   MGMT_STATUS_BUSY, &rp, sizeof(rp));
3258 		goto unlock;
3259 	}
3260 
3261 	cmd = mgmt_pending_add(sk, MGMT_OP_PAIR_DEVICE, hdev, data, len);
3262 	if (!cmd) {
3263 		err = -ENOMEM;
3264 		hci_conn_drop(conn);
3265 		goto unlock;
3266 	}
3267 
3268 	cmd->cmd_complete = pairing_complete;
3269 
3270 	/* For LE, just connecting isn't a proof that the pairing finished */
3271 	if (cp->addr.type == BDADDR_BREDR) {
3272 		conn->connect_cfm_cb = pairing_complete_cb;
3273 		conn->security_cfm_cb = pairing_complete_cb;
3274 		conn->disconn_cfm_cb = pairing_complete_cb;
3275 	} else {
3276 		conn->connect_cfm_cb = le_pairing_complete_cb;
3277 		conn->security_cfm_cb = le_pairing_complete_cb;
3278 		conn->disconn_cfm_cb = le_pairing_complete_cb;
3279 	}
3280 
3281 	conn->io_capability = cp->io_cap;
3282 	cmd->user_data = hci_conn_get(conn);
3283 
3284 	if ((conn->state == BT_CONNECTED || conn->state == BT_CONFIG) &&
3285 	    hci_conn_security(conn, sec_level, auth_type, true)) {
3286 		cmd->cmd_complete(cmd, 0);
3287 		mgmt_pending_remove(cmd);
3288 	}
3289 
3290 	err = 0;
3291 
3292 unlock:
3293 	hci_dev_unlock(hdev);
3294 	return err;
3295 }
3296 
3297 static int cancel_pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
3298 			      u16 len)
3299 {
3300 	struct mgmt_addr_info *addr = data;
3301 	struct pending_cmd *cmd;
3302 	struct hci_conn *conn;
3303 	int err;
3304 
3305 	BT_DBG("");
3306 
3307 	hci_dev_lock(hdev);
3308 
3309 	if (!hdev_is_powered(hdev)) {
3310 		err = cmd_status(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
3311 				 MGMT_STATUS_NOT_POWERED);
3312 		goto unlock;
3313 	}
3314 
3315 	cmd = mgmt_pending_find(MGMT_OP_PAIR_DEVICE, hdev);
3316 	if (!cmd) {
3317 		err = cmd_status(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
3318 				 MGMT_STATUS_INVALID_PARAMS);
3319 		goto unlock;
3320 	}
3321 
3322 	conn = cmd->user_data;
3323 
3324 	if (bacmp(&addr->bdaddr, &conn->dst) != 0) {
3325 		err = cmd_status(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
3326 				 MGMT_STATUS_INVALID_PARAMS);
3327 		goto unlock;
3328 	}
3329 
3330 	cmd->cmd_complete(cmd, MGMT_STATUS_CANCELLED);
3331 	mgmt_pending_remove(cmd);
3332 
3333 	err = cmd_complete(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE, 0,
3334 			   addr, sizeof(*addr));
3335 unlock:
3336 	hci_dev_unlock(hdev);
3337 	return err;
3338 }
3339 
3340 static int user_pairing_resp(struct sock *sk, struct hci_dev *hdev,
3341 			     struct mgmt_addr_info *addr, u16 mgmt_op,
3342 			     u16 hci_op, __le32 passkey)
3343 {
3344 	struct pending_cmd *cmd;
3345 	struct hci_conn *conn;
3346 	int err;
3347 
3348 	hci_dev_lock(hdev);
3349 
3350 	if (!hdev_is_powered(hdev)) {
3351 		err = cmd_complete(sk, hdev->id, mgmt_op,
3352 				   MGMT_STATUS_NOT_POWERED, addr,
3353 				   sizeof(*addr));
3354 		goto done;
3355 	}
3356 
3357 	if (addr->type == BDADDR_BREDR)
3358 		conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &addr->bdaddr);
3359 	else
3360 		conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &addr->bdaddr);
3361 
3362 	if (!conn) {
3363 		err = cmd_complete(sk, hdev->id, mgmt_op,
3364 				   MGMT_STATUS_NOT_CONNECTED, addr,
3365 				   sizeof(*addr));
3366 		goto done;
3367 	}
3368 
3369 	if (addr->type == BDADDR_LE_PUBLIC || addr->type == BDADDR_LE_RANDOM) {
3370 		err = smp_user_confirm_reply(conn, mgmt_op, passkey);
3371 		if (!err)
3372 			err = cmd_complete(sk, hdev->id, mgmt_op,
3373 					   MGMT_STATUS_SUCCESS, addr,
3374 					   sizeof(*addr));
3375 		else
3376 			err = cmd_complete(sk, hdev->id, mgmt_op,
3377 					   MGMT_STATUS_FAILED, addr,
3378 					   sizeof(*addr));
3379 
3380 		goto done;
3381 	}
3382 
3383 	cmd = mgmt_pending_add(sk, mgmt_op, hdev, addr, sizeof(*addr));
3384 	if (!cmd) {
3385 		err = -ENOMEM;
3386 		goto done;
3387 	}
3388 
3389 	cmd->cmd_complete = addr_cmd_complete;
3390 
3391 	/* Continue with pairing via HCI */
3392 	if (hci_op == HCI_OP_USER_PASSKEY_REPLY) {
3393 		struct hci_cp_user_passkey_reply cp;
3394 
3395 		bacpy(&cp.bdaddr, &addr->bdaddr);
3396 		cp.passkey = passkey;
3397 		err = hci_send_cmd(hdev, hci_op, sizeof(cp), &cp);
3398 	} else
3399 		err = hci_send_cmd(hdev, hci_op, sizeof(addr->bdaddr),
3400 				   &addr->bdaddr);
3401 
3402 	if (err < 0)
3403 		mgmt_pending_remove(cmd);
3404 
3405 done:
3406 	hci_dev_unlock(hdev);
3407 	return err;
3408 }
3409 
3410 static int pin_code_neg_reply(struct sock *sk, struct hci_dev *hdev,
3411 			      void *data, u16 len)
3412 {
3413 	struct mgmt_cp_pin_code_neg_reply *cp = data;
3414 
3415 	BT_DBG("");
3416 
3417 	return user_pairing_resp(sk, hdev, &cp->addr,
3418 				MGMT_OP_PIN_CODE_NEG_REPLY,
3419 				HCI_OP_PIN_CODE_NEG_REPLY, 0);
3420 }
3421 
3422 static int user_confirm_reply(struct sock *sk, struct hci_dev *hdev, void *data,
3423 			      u16 len)
3424 {
3425 	struct mgmt_cp_user_confirm_reply *cp = data;
3426 
3427 	BT_DBG("");
3428 
3429 	if (len != sizeof(*cp))
3430 		return cmd_status(sk, hdev->id, MGMT_OP_USER_CONFIRM_REPLY,
3431 				  MGMT_STATUS_INVALID_PARAMS);
3432 
3433 	return user_pairing_resp(sk, hdev, &cp->addr,
3434 				 MGMT_OP_USER_CONFIRM_REPLY,
3435 				 HCI_OP_USER_CONFIRM_REPLY, 0);
3436 }
3437 
3438 static int user_confirm_neg_reply(struct sock *sk, struct hci_dev *hdev,
3439 				  void *data, u16 len)
3440 {
3441 	struct mgmt_cp_user_confirm_neg_reply *cp = data;
3442 
3443 	BT_DBG("");
3444 
3445 	return user_pairing_resp(sk, hdev, &cp->addr,
3446 				 MGMT_OP_USER_CONFIRM_NEG_REPLY,
3447 				 HCI_OP_USER_CONFIRM_NEG_REPLY, 0);
3448 }
3449 
3450 static int user_passkey_reply(struct sock *sk, struct hci_dev *hdev, void *data,
3451 			      u16 len)
3452 {
3453 	struct mgmt_cp_user_passkey_reply *cp = data;
3454 
3455 	BT_DBG("");
3456 
3457 	return user_pairing_resp(sk, hdev, &cp->addr,
3458 				 MGMT_OP_USER_PASSKEY_REPLY,
3459 				 HCI_OP_USER_PASSKEY_REPLY, cp->passkey);
3460 }
3461 
3462 static int user_passkey_neg_reply(struct sock *sk, struct hci_dev *hdev,
3463 				  void *data, u16 len)
3464 {
3465 	struct mgmt_cp_user_passkey_neg_reply *cp = data;
3466 
3467 	BT_DBG("");
3468 
3469 	return user_pairing_resp(sk, hdev, &cp->addr,
3470 				 MGMT_OP_USER_PASSKEY_NEG_REPLY,
3471 				 HCI_OP_USER_PASSKEY_NEG_REPLY, 0);
3472 }
3473 
3474 static void update_name(struct hci_request *req)
3475 {
3476 	struct hci_dev *hdev = req->hdev;
3477 	struct hci_cp_write_local_name cp;
3478 
3479 	memcpy(cp.name, hdev->dev_name, sizeof(cp.name));
3480 
3481 	hci_req_add(req, HCI_OP_WRITE_LOCAL_NAME, sizeof(cp), &cp);
3482 }
3483 
3484 static void set_name_complete(struct hci_dev *hdev, u8 status)
3485 {
3486 	struct mgmt_cp_set_local_name *cp;
3487 	struct pending_cmd *cmd;
3488 
3489 	BT_DBG("status 0x%02x", status);
3490 
3491 	hci_dev_lock(hdev);
3492 
3493 	cmd = mgmt_pending_find(MGMT_OP_SET_LOCAL_NAME, hdev);
3494 	if (!cmd)
3495 		goto unlock;
3496 
3497 	cp = cmd->param;
3498 
3499 	if (status)
3500 		cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_LOCAL_NAME,
3501 			   mgmt_status(status));
3502 	else
3503 		cmd_complete(cmd->sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, 0,
3504 			     cp, sizeof(*cp));
3505 
3506 	mgmt_pending_remove(cmd);
3507 
3508 unlock:
3509 	hci_dev_unlock(hdev);
3510 }
3511 
3512 static int set_local_name(struct sock *sk, struct hci_dev *hdev, void *data,
3513 			  u16 len)
3514 {
3515 	struct mgmt_cp_set_local_name *cp = data;
3516 	struct pending_cmd *cmd;
3517 	struct hci_request req;
3518 	int err;
3519 
3520 	BT_DBG("");
3521 
3522 	hci_dev_lock(hdev);
3523 
3524 	/* If the old values are the same as the new ones just return a
3525 	 * direct command complete event.
3526 	 */
3527 	if (!memcmp(hdev->dev_name, cp->name, sizeof(hdev->dev_name)) &&
3528 	    !memcmp(hdev->short_name, cp->short_name,
3529 		    sizeof(hdev->short_name))) {
3530 		err = cmd_complete(sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, 0,
3531 				   data, len);
3532 		goto failed;
3533 	}
3534 
3535 	memcpy(hdev->short_name, cp->short_name, sizeof(hdev->short_name));
3536 
3537 	if (!hdev_is_powered(hdev)) {
3538 		memcpy(hdev->dev_name, cp->name, sizeof(hdev->dev_name));
3539 
3540 		err = cmd_complete(sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, 0,
3541 				   data, len);
3542 		if (err < 0)
3543 			goto failed;
3544 
3545 		err = mgmt_event(MGMT_EV_LOCAL_NAME_CHANGED, hdev, data, len,
3546 				 sk);
3547 
3548 		goto failed;
3549 	}
3550 
3551 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_LOCAL_NAME, hdev, data, len);
3552 	if (!cmd) {
3553 		err = -ENOMEM;
3554 		goto failed;
3555 	}
3556 
3557 	memcpy(hdev->dev_name, cp->name, sizeof(hdev->dev_name));
3558 
3559 	hci_req_init(&req, hdev);
3560 
3561 	if (lmp_bredr_capable(hdev)) {
3562 		update_name(&req);
3563 		update_eir(&req);
3564 	}
3565 
3566 	/* The name is stored in the scan response data and so
3567 	 * no need to udpate the advertising data here.
3568 	 */
3569 	if (lmp_le_capable(hdev))
3570 		update_scan_rsp_data(&req);
3571 
3572 	err = hci_req_run(&req, set_name_complete);
3573 	if (err < 0)
3574 		mgmt_pending_remove(cmd);
3575 
3576 failed:
3577 	hci_dev_unlock(hdev);
3578 	return err;
3579 }
3580 
3581 static int read_local_oob_data(struct sock *sk, struct hci_dev *hdev,
3582 			       void *data, u16 data_len)
3583 {
3584 	struct pending_cmd *cmd;
3585 	int err;
3586 
3587 	BT_DBG("%s", hdev->name);
3588 
3589 	hci_dev_lock(hdev);
3590 
3591 	if (!hdev_is_powered(hdev)) {
3592 		err = cmd_status(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
3593 				 MGMT_STATUS_NOT_POWERED);
3594 		goto unlock;
3595 	}
3596 
3597 	if (!lmp_ssp_capable(hdev)) {
3598 		err = cmd_status(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
3599 				 MGMT_STATUS_NOT_SUPPORTED);
3600 		goto unlock;
3601 	}
3602 
3603 	if (mgmt_pending_find(MGMT_OP_READ_LOCAL_OOB_DATA, hdev)) {
3604 		err = cmd_status(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
3605 				 MGMT_STATUS_BUSY);
3606 		goto unlock;
3607 	}
3608 
3609 	cmd = mgmt_pending_add(sk, MGMT_OP_READ_LOCAL_OOB_DATA, hdev, NULL, 0);
3610 	if (!cmd) {
3611 		err = -ENOMEM;
3612 		goto unlock;
3613 	}
3614 
3615 	if (bredr_sc_enabled(hdev))
3616 		err = hci_send_cmd(hdev, HCI_OP_READ_LOCAL_OOB_EXT_DATA,
3617 				   0, NULL);
3618 	else
3619 		err = hci_send_cmd(hdev, HCI_OP_READ_LOCAL_OOB_DATA, 0, NULL);
3620 
3621 	if (err < 0)
3622 		mgmt_pending_remove(cmd);
3623 
3624 unlock:
3625 	hci_dev_unlock(hdev);
3626 	return err;
3627 }
3628 
3629 static int add_remote_oob_data(struct sock *sk, struct hci_dev *hdev,
3630 			       void *data, u16 len)
3631 {
3632 	int err;
3633 
3634 	BT_DBG("%s ", hdev->name);
3635 
3636 	hci_dev_lock(hdev);
3637 
3638 	if (len == MGMT_ADD_REMOTE_OOB_DATA_SIZE) {
3639 		struct mgmt_cp_add_remote_oob_data *cp = data;
3640 		u8 status;
3641 
3642 		if (cp->addr.type != BDADDR_BREDR) {
3643 			err = cmd_complete(sk, hdev->id,
3644 					   MGMT_OP_ADD_REMOTE_OOB_DATA,
3645 					   MGMT_STATUS_INVALID_PARAMS,
3646 					   &cp->addr, sizeof(cp->addr));
3647 			goto unlock;
3648 		}
3649 
3650 		err = hci_add_remote_oob_data(hdev, &cp->addr.bdaddr,
3651 					      cp->addr.type, cp->hash,
3652 					      cp->rand, NULL, NULL);
3653 		if (err < 0)
3654 			status = MGMT_STATUS_FAILED;
3655 		else
3656 			status = MGMT_STATUS_SUCCESS;
3657 
3658 		err = cmd_complete(sk, hdev->id, MGMT_OP_ADD_REMOTE_OOB_DATA,
3659 				   status, &cp->addr, sizeof(cp->addr));
3660 	} else if (len == MGMT_ADD_REMOTE_OOB_EXT_DATA_SIZE) {
3661 		struct mgmt_cp_add_remote_oob_ext_data *cp = data;
3662 		u8 *rand192, *hash192;
3663 		u8 status;
3664 
3665 		if (cp->addr.type != BDADDR_BREDR) {
3666 			err = cmd_complete(sk, hdev->id,
3667 					   MGMT_OP_ADD_REMOTE_OOB_DATA,
3668 					   MGMT_STATUS_INVALID_PARAMS,
3669 					   &cp->addr, sizeof(cp->addr));
3670 			goto unlock;
3671 		}
3672 
3673 		if (bdaddr_type_is_le(cp->addr.type)) {
3674 			rand192 = NULL;
3675 			hash192 = NULL;
3676 		} else {
3677 			rand192 = cp->rand192;
3678 			hash192 = cp->hash192;
3679 		}
3680 
3681 		err = hci_add_remote_oob_data(hdev, &cp->addr.bdaddr,
3682 					      cp->addr.type, hash192, rand192,
3683 					      cp->hash256, cp->rand256);
3684 		if (err < 0)
3685 			status = MGMT_STATUS_FAILED;
3686 		else
3687 			status = MGMT_STATUS_SUCCESS;
3688 
3689 		err = cmd_complete(sk, hdev->id, MGMT_OP_ADD_REMOTE_OOB_DATA,
3690 				   status, &cp->addr, sizeof(cp->addr));
3691 	} else {
3692 		BT_ERR("add_remote_oob_data: invalid length of %u bytes", len);
3693 		err = cmd_status(sk, hdev->id, MGMT_OP_ADD_REMOTE_OOB_DATA,
3694 				 MGMT_STATUS_INVALID_PARAMS);
3695 	}
3696 
3697 unlock:
3698 	hci_dev_unlock(hdev);
3699 	return err;
3700 }
3701 
3702 static int remove_remote_oob_data(struct sock *sk, struct hci_dev *hdev,
3703 				  void *data, u16 len)
3704 {
3705 	struct mgmt_cp_remove_remote_oob_data *cp = data;
3706 	u8 status;
3707 	int err;
3708 
3709 	BT_DBG("%s", hdev->name);
3710 
3711 	if (cp->addr.type != BDADDR_BREDR)
3712 		return cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
3713 				    MGMT_STATUS_INVALID_PARAMS,
3714 				    &cp->addr, sizeof(cp->addr));
3715 
3716 	hci_dev_lock(hdev);
3717 
3718 	if (!bacmp(&cp->addr.bdaddr, BDADDR_ANY)) {
3719 		hci_remote_oob_data_clear(hdev);
3720 		status = MGMT_STATUS_SUCCESS;
3721 		goto done;
3722 	}
3723 
3724 	err = hci_remove_remote_oob_data(hdev, &cp->addr.bdaddr, cp->addr.type);
3725 	if (err < 0)
3726 		status = MGMT_STATUS_INVALID_PARAMS;
3727 	else
3728 		status = MGMT_STATUS_SUCCESS;
3729 
3730 done:
3731 	err = cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
3732 			   status, &cp->addr, sizeof(cp->addr));
3733 
3734 	hci_dev_unlock(hdev);
3735 	return err;
3736 }
3737 
3738 static bool trigger_discovery(struct hci_request *req, u8 *status)
3739 {
3740 	struct hci_dev *hdev = req->hdev;
3741 	struct hci_cp_le_set_scan_param param_cp;
3742 	struct hci_cp_le_set_scan_enable enable_cp;
3743 	struct hci_cp_inquiry inq_cp;
3744 	/* General inquiry access code (GIAC) */
3745 	u8 lap[3] = { 0x33, 0x8b, 0x9e };
3746 	u8 own_addr_type;
3747 	int err;
3748 
3749 	switch (hdev->discovery.type) {
3750 	case DISCOV_TYPE_BREDR:
3751 		*status = mgmt_bredr_support(hdev);
3752 		if (*status)
3753 			return false;
3754 
3755 		if (test_bit(HCI_INQUIRY, &hdev->flags)) {
3756 			*status = MGMT_STATUS_BUSY;
3757 			return false;
3758 		}
3759 
3760 		hci_inquiry_cache_flush(hdev);
3761 
3762 		memset(&inq_cp, 0, sizeof(inq_cp));
3763 		memcpy(&inq_cp.lap, lap, sizeof(inq_cp.lap));
3764 		inq_cp.length = DISCOV_BREDR_INQUIRY_LEN;
3765 		hci_req_add(req, HCI_OP_INQUIRY, sizeof(inq_cp), &inq_cp);
3766 		break;
3767 
3768 	case DISCOV_TYPE_LE:
3769 	case DISCOV_TYPE_INTERLEAVED:
3770 		*status = mgmt_le_support(hdev);
3771 		if (*status)
3772 			return false;
3773 
3774 		if (hdev->discovery.type == DISCOV_TYPE_INTERLEAVED &&
3775 		    !test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags)) {
3776 			*status = MGMT_STATUS_NOT_SUPPORTED;
3777 			return false;
3778 		}
3779 
3780 		if (test_bit(HCI_LE_ADV, &hdev->dev_flags)) {
3781 			/* Don't let discovery abort an outgoing
3782 			 * connection attempt that's using directed
3783 			 * advertising.
3784 			 */
3785 			if (hci_conn_hash_lookup_state(hdev, LE_LINK,
3786 						       BT_CONNECT)) {
3787 				*status = MGMT_STATUS_REJECTED;
3788 				return false;
3789 			}
3790 
3791 			disable_advertising(req);
3792 		}
3793 
3794 		/* If controller is scanning, it means the background scanning
3795 		 * is running. Thus, we should temporarily stop it in order to
3796 		 * set the discovery scanning parameters.
3797 		 */
3798 		if (test_bit(HCI_LE_SCAN, &hdev->dev_flags))
3799 			hci_req_add_le_scan_disable(req);
3800 
3801 		memset(&param_cp, 0, sizeof(param_cp));
3802 
3803 		/* All active scans will be done with either a resolvable
3804 		 * private address (when privacy feature has been enabled)
3805 		 * or non-resolvable private address.
3806 		 */
3807 		err = hci_update_random_address(req, true, &own_addr_type);
3808 		if (err < 0) {
3809 			*status = MGMT_STATUS_FAILED;
3810 			return false;
3811 		}
3812 
3813 		param_cp.type = LE_SCAN_ACTIVE;
3814 		param_cp.interval = cpu_to_le16(DISCOV_LE_SCAN_INT);
3815 		param_cp.window = cpu_to_le16(DISCOV_LE_SCAN_WIN);
3816 		param_cp.own_address_type = own_addr_type;
3817 		hci_req_add(req, HCI_OP_LE_SET_SCAN_PARAM, sizeof(param_cp),
3818 			    &param_cp);
3819 
3820 		memset(&enable_cp, 0, sizeof(enable_cp));
3821 		enable_cp.enable = LE_SCAN_ENABLE;
3822 		enable_cp.filter_dup = LE_SCAN_FILTER_DUP_ENABLE;
3823 		hci_req_add(req, HCI_OP_LE_SET_SCAN_ENABLE, sizeof(enable_cp),
3824 			    &enable_cp);
3825 		break;
3826 
3827 	default:
3828 		*status = MGMT_STATUS_INVALID_PARAMS;
3829 		return false;
3830 	}
3831 
3832 	return true;
3833 }
3834 
3835 static void start_discovery_complete(struct hci_dev *hdev, u8 status)
3836 {
3837 	struct pending_cmd *cmd;
3838 	unsigned long timeout;
3839 
3840 	BT_DBG("status %d", status);
3841 
3842 	hci_dev_lock(hdev);
3843 
3844 	cmd = mgmt_pending_find(MGMT_OP_START_DISCOVERY, hdev);
3845 	if (!cmd)
3846 		cmd = mgmt_pending_find(MGMT_OP_START_SERVICE_DISCOVERY, hdev);
3847 
3848 	if (cmd) {
3849 		cmd->cmd_complete(cmd, mgmt_status(status));
3850 		mgmt_pending_remove(cmd);
3851 	}
3852 
3853 	if (status) {
3854 		hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
3855 		goto unlock;
3856 	}
3857 
3858 	hci_discovery_set_state(hdev, DISCOVERY_FINDING);
3859 
3860 	switch (hdev->discovery.type) {
3861 	case DISCOV_TYPE_LE:
3862 		timeout = msecs_to_jiffies(DISCOV_LE_TIMEOUT);
3863 		break;
3864 	case DISCOV_TYPE_INTERLEAVED:
3865 		timeout = msecs_to_jiffies(hdev->discov_interleaved_timeout);
3866 		break;
3867 	case DISCOV_TYPE_BREDR:
3868 		timeout = 0;
3869 		break;
3870 	default:
3871 		BT_ERR("Invalid discovery type %d", hdev->discovery.type);
3872 		timeout = 0;
3873 		break;
3874 	}
3875 
3876 	if (timeout)
3877 		queue_delayed_work(hdev->workqueue,
3878 				   &hdev->le_scan_disable, timeout);
3879 
3880 unlock:
3881 	hci_dev_unlock(hdev);
3882 }
3883 
3884 static int start_discovery(struct sock *sk, struct hci_dev *hdev,
3885 			   void *data, u16 len)
3886 {
3887 	struct mgmt_cp_start_discovery *cp = data;
3888 	struct pending_cmd *cmd;
3889 	struct hci_request req;
3890 	u8 status;
3891 	int err;
3892 
3893 	BT_DBG("%s", hdev->name);
3894 
3895 	hci_dev_lock(hdev);
3896 
3897 	if (!hdev_is_powered(hdev)) {
3898 		err = cmd_complete(sk, hdev->id, MGMT_OP_START_DISCOVERY,
3899 				   MGMT_STATUS_NOT_POWERED,
3900 				   &cp->type, sizeof(cp->type));
3901 		goto failed;
3902 	}
3903 
3904 	if (hdev->discovery.state != DISCOVERY_STOPPED ||
3905 	    test_bit(HCI_PERIODIC_INQ, &hdev->dev_flags)) {
3906 		err = cmd_complete(sk, hdev->id, MGMT_OP_START_DISCOVERY,
3907 				   MGMT_STATUS_BUSY, &cp->type,
3908 				   sizeof(cp->type));
3909 		goto failed;
3910 	}
3911 
3912 	cmd = mgmt_pending_add(sk, MGMT_OP_START_DISCOVERY, hdev, data, len);
3913 	if (!cmd) {
3914 		err = -ENOMEM;
3915 		goto failed;
3916 	}
3917 
3918 	cmd->cmd_complete = generic_cmd_complete;
3919 
3920 	/* Clear the discovery filter first to free any previously
3921 	 * allocated memory for the UUID list.
3922 	 */
3923 	hci_discovery_filter_clear(hdev);
3924 
3925 	hdev->discovery.type = cp->type;
3926 	hdev->discovery.report_invalid_rssi = false;
3927 
3928 	hci_req_init(&req, hdev);
3929 
3930 	if (!trigger_discovery(&req, &status)) {
3931 		err = cmd_complete(sk, hdev->id, MGMT_OP_START_DISCOVERY,
3932 				   status, &cp->type, sizeof(cp->type));
3933 		mgmt_pending_remove(cmd);
3934 		goto failed;
3935 	}
3936 
3937 	err = hci_req_run(&req, start_discovery_complete);
3938 	if (err < 0) {
3939 		mgmt_pending_remove(cmd);
3940 		goto failed;
3941 	}
3942 
3943 	hci_discovery_set_state(hdev, DISCOVERY_STARTING);
3944 
3945 failed:
3946 	hci_dev_unlock(hdev);
3947 	return err;
3948 }
3949 
3950 static void service_discovery_cmd_complete(struct pending_cmd *cmd, u8 status)
3951 {
3952 	cmd_complete(cmd->sk, cmd->index, cmd->opcode, status, cmd->param, 1);
3953 }
3954 
3955 static int start_service_discovery(struct sock *sk, struct hci_dev *hdev,
3956 				   void *data, u16 len)
3957 {
3958 	struct mgmt_cp_start_service_discovery *cp = data;
3959 	struct pending_cmd *cmd;
3960 	struct hci_request req;
3961 	const u16 max_uuid_count = ((U16_MAX - sizeof(*cp)) / 16);
3962 	u16 uuid_count, expected_len;
3963 	u8 status;
3964 	int err;
3965 
3966 	BT_DBG("%s", hdev->name);
3967 
3968 	hci_dev_lock(hdev);
3969 
3970 	if (!hdev_is_powered(hdev)) {
3971 		err = cmd_complete(sk, hdev->id,
3972 				   MGMT_OP_START_SERVICE_DISCOVERY,
3973 				   MGMT_STATUS_NOT_POWERED,
3974 				   &cp->type, sizeof(cp->type));
3975 		goto failed;
3976 	}
3977 
3978 	if (hdev->discovery.state != DISCOVERY_STOPPED ||
3979 	    test_bit(HCI_PERIODIC_INQ, &hdev->dev_flags)) {
3980 		err = cmd_complete(sk, hdev->id,
3981 				   MGMT_OP_START_SERVICE_DISCOVERY,
3982 				   MGMT_STATUS_BUSY, &cp->type,
3983 				   sizeof(cp->type));
3984 		goto failed;
3985 	}
3986 
3987 	uuid_count = __le16_to_cpu(cp->uuid_count);
3988 	if (uuid_count > max_uuid_count) {
3989 		BT_ERR("service_discovery: too big uuid_count value %u",
3990 		       uuid_count);
3991 		err = cmd_complete(sk, hdev->id,
3992 				   MGMT_OP_START_SERVICE_DISCOVERY,
3993 				   MGMT_STATUS_INVALID_PARAMS, &cp->type,
3994 				   sizeof(cp->type));
3995 		goto failed;
3996 	}
3997 
3998 	expected_len = sizeof(*cp) + uuid_count * 16;
3999 	if (expected_len != len) {
4000 		BT_ERR("service_discovery: expected %u bytes, got %u bytes",
4001 		       expected_len, len);
4002 		err = cmd_complete(sk, hdev->id,
4003 				   MGMT_OP_START_SERVICE_DISCOVERY,
4004 				   MGMT_STATUS_INVALID_PARAMS, &cp->type,
4005 				   sizeof(cp->type));
4006 		goto failed;
4007 	}
4008 
4009 	cmd = mgmt_pending_add(sk, MGMT_OP_START_SERVICE_DISCOVERY,
4010 			       hdev, data, len);
4011 	if (!cmd) {
4012 		err = -ENOMEM;
4013 		goto failed;
4014 	}
4015 
4016 	cmd->cmd_complete = service_discovery_cmd_complete;
4017 
4018 	/* Clear the discovery filter first to free any previously
4019 	 * allocated memory for the UUID list.
4020 	 */
4021 	hci_discovery_filter_clear(hdev);
4022 
4023 	hdev->discovery.type = cp->type;
4024 	hdev->discovery.rssi = cp->rssi;
4025 	hdev->discovery.uuid_count = uuid_count;
4026 
4027 	if (uuid_count > 0) {
4028 		hdev->discovery.uuids = kmemdup(cp->uuids, uuid_count * 16,
4029 						GFP_KERNEL);
4030 		if (!hdev->discovery.uuids) {
4031 			err = cmd_complete(sk, hdev->id,
4032 					   MGMT_OP_START_SERVICE_DISCOVERY,
4033 					   MGMT_STATUS_FAILED,
4034 					   &cp->type, sizeof(cp->type));
4035 			mgmt_pending_remove(cmd);
4036 			goto failed;
4037 		}
4038 	}
4039 
4040 	hci_req_init(&req, hdev);
4041 
4042 	if (!trigger_discovery(&req, &status)) {
4043 		err = cmd_complete(sk, hdev->id,
4044 				   MGMT_OP_START_SERVICE_DISCOVERY,
4045 				   status, &cp->type, sizeof(cp->type));
4046 		mgmt_pending_remove(cmd);
4047 		goto failed;
4048 	}
4049 
4050 	err = hci_req_run(&req, start_discovery_complete);
4051 	if (err < 0) {
4052 		mgmt_pending_remove(cmd);
4053 		goto failed;
4054 	}
4055 
4056 	hci_discovery_set_state(hdev, DISCOVERY_STARTING);
4057 
4058 failed:
4059 	hci_dev_unlock(hdev);
4060 	return err;
4061 }
4062 
4063 static void stop_discovery_complete(struct hci_dev *hdev, u8 status)
4064 {
4065 	struct pending_cmd *cmd;
4066 
4067 	BT_DBG("status %d", status);
4068 
4069 	hci_dev_lock(hdev);
4070 
4071 	cmd = mgmt_pending_find(MGMT_OP_STOP_DISCOVERY, hdev);
4072 	if (cmd) {
4073 		cmd->cmd_complete(cmd, mgmt_status(status));
4074 		mgmt_pending_remove(cmd);
4075 	}
4076 
4077 	if (!status)
4078 		hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
4079 
4080 	hci_dev_unlock(hdev);
4081 }
4082 
4083 static int stop_discovery(struct sock *sk, struct hci_dev *hdev, void *data,
4084 			  u16 len)
4085 {
4086 	struct mgmt_cp_stop_discovery *mgmt_cp = data;
4087 	struct pending_cmd *cmd;
4088 	struct hci_request req;
4089 	int err;
4090 
4091 	BT_DBG("%s", hdev->name);
4092 
4093 	hci_dev_lock(hdev);
4094 
4095 	if (!hci_discovery_active(hdev)) {
4096 		err = cmd_complete(sk, hdev->id, MGMT_OP_STOP_DISCOVERY,
4097 				   MGMT_STATUS_REJECTED, &mgmt_cp->type,
4098 				   sizeof(mgmt_cp->type));
4099 		goto unlock;
4100 	}
4101 
4102 	if (hdev->discovery.type != mgmt_cp->type) {
4103 		err = cmd_complete(sk, hdev->id, MGMT_OP_STOP_DISCOVERY,
4104 				   MGMT_STATUS_INVALID_PARAMS, &mgmt_cp->type,
4105 				   sizeof(mgmt_cp->type));
4106 		goto unlock;
4107 	}
4108 
4109 	cmd = mgmt_pending_add(sk, MGMT_OP_STOP_DISCOVERY, hdev, data, len);
4110 	if (!cmd) {
4111 		err = -ENOMEM;
4112 		goto unlock;
4113 	}
4114 
4115 	cmd->cmd_complete = generic_cmd_complete;
4116 
4117 	hci_req_init(&req, hdev);
4118 
4119 	hci_stop_discovery(&req);
4120 
4121 	err = hci_req_run(&req, stop_discovery_complete);
4122 	if (!err) {
4123 		hci_discovery_set_state(hdev, DISCOVERY_STOPPING);
4124 		goto unlock;
4125 	}
4126 
4127 	mgmt_pending_remove(cmd);
4128 
4129 	/* If no HCI commands were sent we're done */
4130 	if (err == -ENODATA) {
4131 		err = cmd_complete(sk, hdev->id, MGMT_OP_STOP_DISCOVERY, 0,
4132 				   &mgmt_cp->type, sizeof(mgmt_cp->type));
4133 		hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
4134 	}
4135 
4136 unlock:
4137 	hci_dev_unlock(hdev);
4138 	return err;
4139 }
4140 
4141 static int confirm_name(struct sock *sk, struct hci_dev *hdev, void *data,
4142 			u16 len)
4143 {
4144 	struct mgmt_cp_confirm_name *cp = data;
4145 	struct inquiry_entry *e;
4146 	int err;
4147 
4148 	BT_DBG("%s", hdev->name);
4149 
4150 	hci_dev_lock(hdev);
4151 
4152 	if (!hci_discovery_active(hdev)) {
4153 		err = cmd_complete(sk, hdev->id, MGMT_OP_CONFIRM_NAME,
4154 				   MGMT_STATUS_FAILED, &cp->addr,
4155 				   sizeof(cp->addr));
4156 		goto failed;
4157 	}
4158 
4159 	e = hci_inquiry_cache_lookup_unknown(hdev, &cp->addr.bdaddr);
4160 	if (!e) {
4161 		err = cmd_complete(sk, hdev->id, MGMT_OP_CONFIRM_NAME,
4162 				   MGMT_STATUS_INVALID_PARAMS, &cp->addr,
4163 				   sizeof(cp->addr));
4164 		goto failed;
4165 	}
4166 
4167 	if (cp->name_known) {
4168 		e->name_state = NAME_KNOWN;
4169 		list_del(&e->list);
4170 	} else {
4171 		e->name_state = NAME_NEEDED;
4172 		hci_inquiry_cache_update_resolve(hdev, e);
4173 	}
4174 
4175 	err = cmd_complete(sk, hdev->id, MGMT_OP_CONFIRM_NAME, 0, &cp->addr,
4176 			   sizeof(cp->addr));
4177 
4178 failed:
4179 	hci_dev_unlock(hdev);
4180 	return err;
4181 }
4182 
4183 static int block_device(struct sock *sk, struct hci_dev *hdev, void *data,
4184 			u16 len)
4185 {
4186 	struct mgmt_cp_block_device *cp = data;
4187 	u8 status;
4188 	int err;
4189 
4190 	BT_DBG("%s", hdev->name);
4191 
4192 	if (!bdaddr_type_is_valid(cp->addr.type))
4193 		return cmd_complete(sk, hdev->id, MGMT_OP_BLOCK_DEVICE,
4194 				    MGMT_STATUS_INVALID_PARAMS,
4195 				    &cp->addr, sizeof(cp->addr));
4196 
4197 	hci_dev_lock(hdev);
4198 
4199 	err = hci_bdaddr_list_add(&hdev->blacklist, &cp->addr.bdaddr,
4200 				  cp->addr.type);
4201 	if (err < 0) {
4202 		status = MGMT_STATUS_FAILED;
4203 		goto done;
4204 	}
4205 
4206 	mgmt_event(MGMT_EV_DEVICE_BLOCKED, hdev, &cp->addr, sizeof(cp->addr),
4207 		   sk);
4208 	status = MGMT_STATUS_SUCCESS;
4209 
4210 done:
4211 	err = cmd_complete(sk, hdev->id, MGMT_OP_BLOCK_DEVICE, status,
4212 			   &cp->addr, sizeof(cp->addr));
4213 
4214 	hci_dev_unlock(hdev);
4215 
4216 	return err;
4217 }
4218 
4219 static int unblock_device(struct sock *sk, struct hci_dev *hdev, void *data,
4220 			  u16 len)
4221 {
4222 	struct mgmt_cp_unblock_device *cp = data;
4223 	u8 status;
4224 	int err;
4225 
4226 	BT_DBG("%s", hdev->name);
4227 
4228 	if (!bdaddr_type_is_valid(cp->addr.type))
4229 		return cmd_complete(sk, hdev->id, MGMT_OP_UNBLOCK_DEVICE,
4230 				    MGMT_STATUS_INVALID_PARAMS,
4231 				    &cp->addr, sizeof(cp->addr));
4232 
4233 	hci_dev_lock(hdev);
4234 
4235 	err = hci_bdaddr_list_del(&hdev->blacklist, &cp->addr.bdaddr,
4236 				  cp->addr.type);
4237 	if (err < 0) {
4238 		status = MGMT_STATUS_INVALID_PARAMS;
4239 		goto done;
4240 	}
4241 
4242 	mgmt_event(MGMT_EV_DEVICE_UNBLOCKED, hdev, &cp->addr, sizeof(cp->addr),
4243 		   sk);
4244 	status = MGMT_STATUS_SUCCESS;
4245 
4246 done:
4247 	err = cmd_complete(sk, hdev->id, MGMT_OP_UNBLOCK_DEVICE, status,
4248 			   &cp->addr, sizeof(cp->addr));
4249 
4250 	hci_dev_unlock(hdev);
4251 
4252 	return err;
4253 }
4254 
4255 static int set_device_id(struct sock *sk, struct hci_dev *hdev, void *data,
4256 			 u16 len)
4257 {
4258 	struct mgmt_cp_set_device_id *cp = data;
4259 	struct hci_request req;
4260 	int err;
4261 	__u16 source;
4262 
4263 	BT_DBG("%s", hdev->name);
4264 
4265 	source = __le16_to_cpu(cp->source);
4266 
4267 	if (source > 0x0002)
4268 		return cmd_status(sk, hdev->id, MGMT_OP_SET_DEVICE_ID,
4269 				  MGMT_STATUS_INVALID_PARAMS);
4270 
4271 	hci_dev_lock(hdev);
4272 
4273 	hdev->devid_source = source;
4274 	hdev->devid_vendor = __le16_to_cpu(cp->vendor);
4275 	hdev->devid_product = __le16_to_cpu(cp->product);
4276 	hdev->devid_version = __le16_to_cpu(cp->version);
4277 
4278 	err = cmd_complete(sk, hdev->id, MGMT_OP_SET_DEVICE_ID, 0, NULL, 0);
4279 
4280 	hci_req_init(&req, hdev);
4281 	update_eir(&req);
4282 	hci_req_run(&req, NULL);
4283 
4284 	hci_dev_unlock(hdev);
4285 
4286 	return err;
4287 }
4288 
4289 static void set_advertising_complete(struct hci_dev *hdev, u8 status)
4290 {
4291 	struct cmd_lookup match = { NULL, hdev };
4292 
4293 	hci_dev_lock(hdev);
4294 
4295 	if (status) {
4296 		u8 mgmt_err = mgmt_status(status);
4297 
4298 		mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev,
4299 				     cmd_status_rsp, &mgmt_err);
4300 		goto unlock;
4301 	}
4302 
4303 	if (test_bit(HCI_LE_ADV, &hdev->dev_flags))
4304 		set_bit(HCI_ADVERTISING, &hdev->dev_flags);
4305 	else
4306 		clear_bit(HCI_ADVERTISING, &hdev->dev_flags);
4307 
4308 	mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev, settings_rsp,
4309 			     &match);
4310 
4311 	new_settings(hdev, match.sk);
4312 
4313 	if (match.sk)
4314 		sock_put(match.sk);
4315 
4316 unlock:
4317 	hci_dev_unlock(hdev);
4318 }
4319 
4320 static int set_advertising(struct sock *sk, struct hci_dev *hdev, void *data,
4321 			   u16 len)
4322 {
4323 	struct mgmt_mode *cp = data;
4324 	struct pending_cmd *cmd;
4325 	struct hci_request req;
4326 	u8 val, enabled, status;
4327 	int err;
4328 
4329 	BT_DBG("request for %s", hdev->name);
4330 
4331 	status = mgmt_le_support(hdev);
4332 	if (status)
4333 		return cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
4334 				  status);
4335 
4336 	if (cp->val != 0x00 && cp->val != 0x01)
4337 		return cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
4338 				  MGMT_STATUS_INVALID_PARAMS);
4339 
4340 	hci_dev_lock(hdev);
4341 
4342 	val = !!cp->val;
4343 	enabled = test_bit(HCI_ADVERTISING, &hdev->dev_flags);
4344 
4345 	/* The following conditions are ones which mean that we should
4346 	 * not do any HCI communication but directly send a mgmt
4347 	 * response to user space (after toggling the flag if
4348 	 * necessary).
4349 	 */
4350 	if (!hdev_is_powered(hdev) || val == enabled ||
4351 	    hci_conn_num(hdev, LE_LINK) > 0 ||
4352 	    (test_bit(HCI_LE_SCAN, &hdev->dev_flags) &&
4353 	     hdev->le_scan_type == LE_SCAN_ACTIVE)) {
4354 		bool changed = false;
4355 
4356 		if (val != test_bit(HCI_ADVERTISING, &hdev->dev_flags)) {
4357 			change_bit(HCI_ADVERTISING, &hdev->dev_flags);
4358 			changed = true;
4359 		}
4360 
4361 		err = send_settings_rsp(sk, MGMT_OP_SET_ADVERTISING, hdev);
4362 		if (err < 0)
4363 			goto unlock;
4364 
4365 		if (changed)
4366 			err = new_settings(hdev, sk);
4367 
4368 		goto unlock;
4369 	}
4370 
4371 	if (mgmt_pending_find(MGMT_OP_SET_ADVERTISING, hdev) ||
4372 	    mgmt_pending_find(MGMT_OP_SET_LE, hdev)) {
4373 		err = cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
4374 				 MGMT_STATUS_BUSY);
4375 		goto unlock;
4376 	}
4377 
4378 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_ADVERTISING, hdev, data, len);
4379 	if (!cmd) {
4380 		err = -ENOMEM;
4381 		goto unlock;
4382 	}
4383 
4384 	hci_req_init(&req, hdev);
4385 
4386 	if (val)
4387 		enable_advertising(&req);
4388 	else
4389 		disable_advertising(&req);
4390 
4391 	err = hci_req_run(&req, set_advertising_complete);
4392 	if (err < 0)
4393 		mgmt_pending_remove(cmd);
4394 
4395 unlock:
4396 	hci_dev_unlock(hdev);
4397 	return err;
4398 }
4399 
4400 static int set_static_address(struct sock *sk, struct hci_dev *hdev,
4401 			      void *data, u16 len)
4402 {
4403 	struct mgmt_cp_set_static_address *cp = data;
4404 	int err;
4405 
4406 	BT_DBG("%s", hdev->name);
4407 
4408 	if (!lmp_le_capable(hdev))
4409 		return cmd_status(sk, hdev->id, MGMT_OP_SET_STATIC_ADDRESS,
4410 				  MGMT_STATUS_NOT_SUPPORTED);
4411 
4412 	if (hdev_is_powered(hdev))
4413 		return cmd_status(sk, hdev->id, MGMT_OP_SET_STATIC_ADDRESS,
4414 				  MGMT_STATUS_REJECTED);
4415 
4416 	if (bacmp(&cp->bdaddr, BDADDR_ANY)) {
4417 		if (!bacmp(&cp->bdaddr, BDADDR_NONE))
4418 			return cmd_status(sk, hdev->id,
4419 					  MGMT_OP_SET_STATIC_ADDRESS,
4420 					  MGMT_STATUS_INVALID_PARAMS);
4421 
4422 		/* Two most significant bits shall be set */
4423 		if ((cp->bdaddr.b[5] & 0xc0) != 0xc0)
4424 			return cmd_status(sk, hdev->id,
4425 					  MGMT_OP_SET_STATIC_ADDRESS,
4426 					  MGMT_STATUS_INVALID_PARAMS);
4427 	}
4428 
4429 	hci_dev_lock(hdev);
4430 
4431 	bacpy(&hdev->static_addr, &cp->bdaddr);
4432 
4433 	err = cmd_complete(sk, hdev->id, MGMT_OP_SET_STATIC_ADDRESS, 0, NULL, 0);
4434 
4435 	hci_dev_unlock(hdev);
4436 
4437 	return err;
4438 }
4439 
4440 static int set_scan_params(struct sock *sk, struct hci_dev *hdev,
4441 			   void *data, u16 len)
4442 {
4443 	struct mgmt_cp_set_scan_params *cp = data;
4444 	__u16 interval, window;
4445 	int err;
4446 
4447 	BT_DBG("%s", hdev->name);
4448 
4449 	if (!lmp_le_capable(hdev))
4450 		return cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
4451 				  MGMT_STATUS_NOT_SUPPORTED);
4452 
4453 	interval = __le16_to_cpu(cp->interval);
4454 
4455 	if (interval < 0x0004 || interval > 0x4000)
4456 		return cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
4457 				  MGMT_STATUS_INVALID_PARAMS);
4458 
4459 	window = __le16_to_cpu(cp->window);
4460 
4461 	if (window < 0x0004 || window > 0x4000)
4462 		return cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
4463 				  MGMT_STATUS_INVALID_PARAMS);
4464 
4465 	if (window > interval)
4466 		return cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
4467 				  MGMT_STATUS_INVALID_PARAMS);
4468 
4469 	hci_dev_lock(hdev);
4470 
4471 	hdev->le_scan_interval = interval;
4472 	hdev->le_scan_window = window;
4473 
4474 	err = cmd_complete(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS, 0, NULL, 0);
4475 
4476 	/* If background scan is running, restart it so new parameters are
4477 	 * loaded.
4478 	 */
4479 	if (test_bit(HCI_LE_SCAN, &hdev->dev_flags) &&
4480 	    hdev->discovery.state == DISCOVERY_STOPPED) {
4481 		struct hci_request req;
4482 
4483 		hci_req_init(&req, hdev);
4484 
4485 		hci_req_add_le_scan_disable(&req);
4486 		hci_req_add_le_passive_scan(&req);
4487 
4488 		hci_req_run(&req, NULL);
4489 	}
4490 
4491 	hci_dev_unlock(hdev);
4492 
4493 	return err;
4494 }
4495 
4496 static void fast_connectable_complete(struct hci_dev *hdev, u8 status)
4497 {
4498 	struct pending_cmd *cmd;
4499 
4500 	BT_DBG("status 0x%02x", status);
4501 
4502 	hci_dev_lock(hdev);
4503 
4504 	cmd = mgmt_pending_find(MGMT_OP_SET_FAST_CONNECTABLE, hdev);
4505 	if (!cmd)
4506 		goto unlock;
4507 
4508 	if (status) {
4509 		cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
4510 			   mgmt_status(status));
4511 	} else {
4512 		struct mgmt_mode *cp = cmd->param;
4513 
4514 		if (cp->val)
4515 			set_bit(HCI_FAST_CONNECTABLE, &hdev->dev_flags);
4516 		else
4517 			clear_bit(HCI_FAST_CONNECTABLE, &hdev->dev_flags);
4518 
4519 		send_settings_rsp(cmd->sk, MGMT_OP_SET_FAST_CONNECTABLE, hdev);
4520 		new_settings(hdev, cmd->sk);
4521 	}
4522 
4523 	mgmt_pending_remove(cmd);
4524 
4525 unlock:
4526 	hci_dev_unlock(hdev);
4527 }
4528 
4529 static int set_fast_connectable(struct sock *sk, struct hci_dev *hdev,
4530 				void *data, u16 len)
4531 {
4532 	struct mgmt_mode *cp = data;
4533 	struct pending_cmd *cmd;
4534 	struct hci_request req;
4535 	int err;
4536 
4537 	BT_DBG("%s", hdev->name);
4538 
4539 	if (!test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags) ||
4540 	    hdev->hci_ver < BLUETOOTH_VER_1_2)
4541 		return cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
4542 				  MGMT_STATUS_NOT_SUPPORTED);
4543 
4544 	if (cp->val != 0x00 && cp->val != 0x01)
4545 		return cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
4546 				  MGMT_STATUS_INVALID_PARAMS);
4547 
4548 	if (!hdev_is_powered(hdev))
4549 		return cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
4550 				  MGMT_STATUS_NOT_POWERED);
4551 
4552 	if (!test_bit(HCI_CONNECTABLE, &hdev->dev_flags))
4553 		return cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
4554 				  MGMT_STATUS_REJECTED);
4555 
4556 	hci_dev_lock(hdev);
4557 
4558 	if (mgmt_pending_find(MGMT_OP_SET_FAST_CONNECTABLE, hdev)) {
4559 		err = cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
4560 				 MGMT_STATUS_BUSY);
4561 		goto unlock;
4562 	}
4563 
4564 	if (!!cp->val == test_bit(HCI_FAST_CONNECTABLE, &hdev->dev_flags)) {
4565 		err = send_settings_rsp(sk, MGMT_OP_SET_FAST_CONNECTABLE,
4566 					hdev);
4567 		goto unlock;
4568 	}
4569 
4570 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_FAST_CONNECTABLE, hdev,
4571 			       data, len);
4572 	if (!cmd) {
4573 		err = -ENOMEM;
4574 		goto unlock;
4575 	}
4576 
4577 	hci_req_init(&req, hdev);
4578 
4579 	write_fast_connectable(&req, cp->val);
4580 
4581 	err = hci_req_run(&req, fast_connectable_complete);
4582 	if (err < 0) {
4583 		err = cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
4584 				 MGMT_STATUS_FAILED);
4585 		mgmt_pending_remove(cmd);
4586 	}
4587 
4588 unlock:
4589 	hci_dev_unlock(hdev);
4590 
4591 	return err;
4592 }
4593 
4594 static void set_bredr_complete(struct hci_dev *hdev, u8 status)
4595 {
4596 	struct pending_cmd *cmd;
4597 
4598 	BT_DBG("status 0x%02x", status);
4599 
4600 	hci_dev_lock(hdev);
4601 
4602 	cmd = mgmt_pending_find(MGMT_OP_SET_BREDR, hdev);
4603 	if (!cmd)
4604 		goto unlock;
4605 
4606 	if (status) {
4607 		u8 mgmt_err = mgmt_status(status);
4608 
4609 		/* We need to restore the flag if related HCI commands
4610 		 * failed.
4611 		 */
4612 		clear_bit(HCI_BREDR_ENABLED, &hdev->dev_flags);
4613 
4614 		cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
4615 	} else {
4616 		send_settings_rsp(cmd->sk, MGMT_OP_SET_BREDR, hdev);
4617 		new_settings(hdev, cmd->sk);
4618 	}
4619 
4620 	mgmt_pending_remove(cmd);
4621 
4622 unlock:
4623 	hci_dev_unlock(hdev);
4624 }
4625 
4626 static int set_bredr(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
4627 {
4628 	struct mgmt_mode *cp = data;
4629 	struct pending_cmd *cmd;
4630 	struct hci_request req;
4631 	int err;
4632 
4633 	BT_DBG("request for %s", hdev->name);
4634 
4635 	if (!lmp_bredr_capable(hdev) || !lmp_le_capable(hdev))
4636 		return cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
4637 				  MGMT_STATUS_NOT_SUPPORTED);
4638 
4639 	if (!test_bit(HCI_LE_ENABLED, &hdev->dev_flags))
4640 		return cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
4641 				  MGMT_STATUS_REJECTED);
4642 
4643 	if (cp->val != 0x00 && cp->val != 0x01)
4644 		return cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
4645 				  MGMT_STATUS_INVALID_PARAMS);
4646 
4647 	hci_dev_lock(hdev);
4648 
4649 	if (cp->val == test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags)) {
4650 		err = send_settings_rsp(sk, MGMT_OP_SET_BREDR, hdev);
4651 		goto unlock;
4652 	}
4653 
4654 	if (!hdev_is_powered(hdev)) {
4655 		if (!cp->val) {
4656 			clear_bit(HCI_DISCOVERABLE, &hdev->dev_flags);
4657 			clear_bit(HCI_SSP_ENABLED, &hdev->dev_flags);
4658 			clear_bit(HCI_LINK_SECURITY, &hdev->dev_flags);
4659 			clear_bit(HCI_FAST_CONNECTABLE, &hdev->dev_flags);
4660 			clear_bit(HCI_HS_ENABLED, &hdev->dev_flags);
4661 		}
4662 
4663 		change_bit(HCI_BREDR_ENABLED, &hdev->dev_flags);
4664 
4665 		err = send_settings_rsp(sk, MGMT_OP_SET_BREDR, hdev);
4666 		if (err < 0)
4667 			goto unlock;
4668 
4669 		err = new_settings(hdev, sk);
4670 		goto unlock;
4671 	}
4672 
4673 	/* Reject disabling when powered on */
4674 	if (!cp->val) {
4675 		err = cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
4676 				 MGMT_STATUS_REJECTED);
4677 		goto unlock;
4678 	}
4679 
4680 	if (mgmt_pending_find(MGMT_OP_SET_BREDR, hdev)) {
4681 		err = cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
4682 				 MGMT_STATUS_BUSY);
4683 		goto unlock;
4684 	}
4685 
4686 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_BREDR, hdev, data, len);
4687 	if (!cmd) {
4688 		err = -ENOMEM;
4689 		goto unlock;
4690 	}
4691 
4692 	/* We need to flip the bit already here so that update_adv_data
4693 	 * generates the correct flags.
4694 	 */
4695 	set_bit(HCI_BREDR_ENABLED, &hdev->dev_flags);
4696 
4697 	hci_req_init(&req, hdev);
4698 
4699 	write_fast_connectable(&req, false);
4700 	hci_update_page_scan(hdev, &req);
4701 
4702 	/* Since only the advertising data flags will change, there
4703 	 * is no need to update the scan response data.
4704 	 */
4705 	update_adv_data(&req);
4706 
4707 	err = hci_req_run(&req, set_bredr_complete);
4708 	if (err < 0)
4709 		mgmt_pending_remove(cmd);
4710 
4711 unlock:
4712 	hci_dev_unlock(hdev);
4713 	return err;
4714 }
4715 
4716 static int set_secure_conn(struct sock *sk, struct hci_dev *hdev,
4717 			   void *data, u16 len)
4718 {
4719 	struct mgmt_mode *cp = data;
4720 	struct pending_cmd *cmd;
4721 	u8 val;
4722 	int err;
4723 
4724 	BT_DBG("request for %s", hdev->name);
4725 
4726 	if (!test_bit(HCI_LE_ENABLED, &hdev->dev_flags) &&
4727 	    !lmp_sc_capable(hdev) && !test_bit(HCI_FORCE_SC, &hdev->dbg_flags))
4728 		return cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
4729 				  MGMT_STATUS_NOT_SUPPORTED);
4730 
4731 	if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
4732 		return cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
4733 				  MGMT_STATUS_INVALID_PARAMS);
4734 
4735 	hci_dev_lock(hdev);
4736 
4737 	if (!hdev_is_powered(hdev) ||
4738 	    (!lmp_sc_capable(hdev) &&
4739 	     !test_bit(HCI_FORCE_SC, &hdev->dbg_flags)) ||
4740 	    !test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags)) {
4741 		bool changed;
4742 
4743 		if (cp->val) {
4744 			changed = !test_and_set_bit(HCI_SC_ENABLED,
4745 						    &hdev->dev_flags);
4746 			if (cp->val == 0x02)
4747 				set_bit(HCI_SC_ONLY, &hdev->dev_flags);
4748 			else
4749 				clear_bit(HCI_SC_ONLY, &hdev->dev_flags);
4750 		} else {
4751 			changed = test_and_clear_bit(HCI_SC_ENABLED,
4752 						     &hdev->dev_flags);
4753 			clear_bit(HCI_SC_ONLY, &hdev->dev_flags);
4754 		}
4755 
4756 		err = send_settings_rsp(sk, MGMT_OP_SET_SECURE_CONN, hdev);
4757 		if (err < 0)
4758 			goto failed;
4759 
4760 		if (changed)
4761 			err = new_settings(hdev, sk);
4762 
4763 		goto failed;
4764 	}
4765 
4766 	if (mgmt_pending_find(MGMT_OP_SET_SECURE_CONN, hdev)) {
4767 		err = cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
4768 				 MGMT_STATUS_BUSY);
4769 		goto failed;
4770 	}
4771 
4772 	val = !!cp->val;
4773 
4774 	if (val == test_bit(HCI_SC_ENABLED, &hdev->dev_flags) &&
4775 	    (cp->val == 0x02) == test_bit(HCI_SC_ONLY, &hdev->dev_flags)) {
4776 		err = send_settings_rsp(sk, MGMT_OP_SET_SECURE_CONN, hdev);
4777 		goto failed;
4778 	}
4779 
4780 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_SECURE_CONN, hdev, data, len);
4781 	if (!cmd) {
4782 		err = -ENOMEM;
4783 		goto failed;
4784 	}
4785 
4786 	err = hci_send_cmd(hdev, HCI_OP_WRITE_SC_SUPPORT, 1, &val);
4787 	if (err < 0) {
4788 		mgmt_pending_remove(cmd);
4789 		goto failed;
4790 	}
4791 
4792 	if (cp->val == 0x02)
4793 		set_bit(HCI_SC_ONLY, &hdev->dev_flags);
4794 	else
4795 		clear_bit(HCI_SC_ONLY, &hdev->dev_flags);
4796 
4797 failed:
4798 	hci_dev_unlock(hdev);
4799 	return err;
4800 }
4801 
4802 static int set_debug_keys(struct sock *sk, struct hci_dev *hdev,
4803 			  void *data, u16 len)
4804 {
4805 	struct mgmt_mode *cp = data;
4806 	bool changed, use_changed;
4807 	int err;
4808 
4809 	BT_DBG("request for %s", hdev->name);
4810 
4811 	if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
4812 		return cmd_status(sk, hdev->id, MGMT_OP_SET_DEBUG_KEYS,
4813 				  MGMT_STATUS_INVALID_PARAMS);
4814 
4815 	hci_dev_lock(hdev);
4816 
4817 	if (cp->val)
4818 		changed = !test_and_set_bit(HCI_KEEP_DEBUG_KEYS,
4819 					    &hdev->dev_flags);
4820 	else
4821 		changed = test_and_clear_bit(HCI_KEEP_DEBUG_KEYS,
4822 					     &hdev->dev_flags);
4823 
4824 	if (cp->val == 0x02)
4825 		use_changed = !test_and_set_bit(HCI_USE_DEBUG_KEYS,
4826 						&hdev->dev_flags);
4827 	else
4828 		use_changed = test_and_clear_bit(HCI_USE_DEBUG_KEYS,
4829 						 &hdev->dev_flags);
4830 
4831 	if (hdev_is_powered(hdev) && use_changed &&
4832 	    test_bit(HCI_SSP_ENABLED, &hdev->dev_flags)) {
4833 		u8 mode = (cp->val == 0x02) ? 0x01 : 0x00;
4834 		hci_send_cmd(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE,
4835 			     sizeof(mode), &mode);
4836 	}
4837 
4838 	err = send_settings_rsp(sk, MGMT_OP_SET_DEBUG_KEYS, hdev);
4839 	if (err < 0)
4840 		goto unlock;
4841 
4842 	if (changed)
4843 		err = new_settings(hdev, sk);
4844 
4845 unlock:
4846 	hci_dev_unlock(hdev);
4847 	return err;
4848 }
4849 
4850 static int set_privacy(struct sock *sk, struct hci_dev *hdev, void *cp_data,
4851 		       u16 len)
4852 {
4853 	struct mgmt_cp_set_privacy *cp = cp_data;
4854 	bool changed;
4855 	int err;
4856 
4857 	BT_DBG("request for %s", hdev->name);
4858 
4859 	if (!lmp_le_capable(hdev))
4860 		return cmd_status(sk, hdev->id, MGMT_OP_SET_PRIVACY,
4861 				  MGMT_STATUS_NOT_SUPPORTED);
4862 
4863 	if (cp->privacy != 0x00 && cp->privacy != 0x01)
4864 		return cmd_status(sk, hdev->id, MGMT_OP_SET_PRIVACY,
4865 				  MGMT_STATUS_INVALID_PARAMS);
4866 
4867 	if (hdev_is_powered(hdev))
4868 		return cmd_status(sk, hdev->id, MGMT_OP_SET_PRIVACY,
4869 				  MGMT_STATUS_REJECTED);
4870 
4871 	hci_dev_lock(hdev);
4872 
4873 	/* If user space supports this command it is also expected to
4874 	 * handle IRKs. Therefore, set the HCI_RPA_RESOLVING flag.
4875 	 */
4876 	set_bit(HCI_RPA_RESOLVING, &hdev->dev_flags);
4877 
4878 	if (cp->privacy) {
4879 		changed = !test_and_set_bit(HCI_PRIVACY, &hdev->dev_flags);
4880 		memcpy(hdev->irk, cp->irk, sizeof(hdev->irk));
4881 		set_bit(HCI_RPA_EXPIRED, &hdev->dev_flags);
4882 	} else {
4883 		changed = test_and_clear_bit(HCI_PRIVACY, &hdev->dev_flags);
4884 		memset(hdev->irk, 0, sizeof(hdev->irk));
4885 		clear_bit(HCI_RPA_EXPIRED, &hdev->dev_flags);
4886 	}
4887 
4888 	err = send_settings_rsp(sk, MGMT_OP_SET_PRIVACY, hdev);
4889 	if (err < 0)
4890 		goto unlock;
4891 
4892 	if (changed)
4893 		err = new_settings(hdev, sk);
4894 
4895 unlock:
4896 	hci_dev_unlock(hdev);
4897 	return err;
4898 }
4899 
4900 static bool irk_is_valid(struct mgmt_irk_info *irk)
4901 {
4902 	switch (irk->addr.type) {
4903 	case BDADDR_LE_PUBLIC:
4904 		return true;
4905 
4906 	case BDADDR_LE_RANDOM:
4907 		/* Two most significant bits shall be set */
4908 		if ((irk->addr.bdaddr.b[5] & 0xc0) != 0xc0)
4909 			return false;
4910 		return true;
4911 	}
4912 
4913 	return false;
4914 }
4915 
4916 static int load_irks(struct sock *sk, struct hci_dev *hdev, void *cp_data,
4917 		     u16 len)
4918 {
4919 	struct mgmt_cp_load_irks *cp = cp_data;
4920 	const u16 max_irk_count = ((U16_MAX - sizeof(*cp)) /
4921 				   sizeof(struct mgmt_irk_info));
4922 	u16 irk_count, expected_len;
4923 	int i, err;
4924 
4925 	BT_DBG("request for %s", hdev->name);
4926 
4927 	if (!lmp_le_capable(hdev))
4928 		return cmd_status(sk, hdev->id, MGMT_OP_LOAD_IRKS,
4929 				  MGMT_STATUS_NOT_SUPPORTED);
4930 
4931 	irk_count = __le16_to_cpu(cp->irk_count);
4932 	if (irk_count > max_irk_count) {
4933 		BT_ERR("load_irks: too big irk_count value %u", irk_count);
4934 		return cmd_status(sk, hdev->id, MGMT_OP_LOAD_IRKS,
4935 				  MGMT_STATUS_INVALID_PARAMS);
4936 	}
4937 
4938 	expected_len = sizeof(*cp) + irk_count * sizeof(struct mgmt_irk_info);
4939 	if (expected_len != len) {
4940 		BT_ERR("load_irks: expected %u bytes, got %u bytes",
4941 		       expected_len, len);
4942 		return cmd_status(sk, hdev->id, MGMT_OP_LOAD_IRKS,
4943 				  MGMT_STATUS_INVALID_PARAMS);
4944 	}
4945 
4946 	BT_DBG("%s irk_count %u", hdev->name, irk_count);
4947 
4948 	for (i = 0; i < irk_count; i++) {
4949 		struct mgmt_irk_info *key = &cp->irks[i];
4950 
4951 		if (!irk_is_valid(key))
4952 			return cmd_status(sk, hdev->id,
4953 					  MGMT_OP_LOAD_IRKS,
4954 					  MGMT_STATUS_INVALID_PARAMS);
4955 	}
4956 
4957 	hci_dev_lock(hdev);
4958 
4959 	hci_smp_irks_clear(hdev);
4960 
4961 	for (i = 0; i < irk_count; i++) {
4962 		struct mgmt_irk_info *irk = &cp->irks[i];
4963 		u8 addr_type;
4964 
4965 		if (irk->addr.type == BDADDR_LE_PUBLIC)
4966 			addr_type = ADDR_LE_DEV_PUBLIC;
4967 		else
4968 			addr_type = ADDR_LE_DEV_RANDOM;
4969 
4970 		hci_add_irk(hdev, &irk->addr.bdaddr, addr_type, irk->val,
4971 			    BDADDR_ANY);
4972 	}
4973 
4974 	set_bit(HCI_RPA_RESOLVING, &hdev->dev_flags);
4975 
4976 	err = cmd_complete(sk, hdev->id, MGMT_OP_LOAD_IRKS, 0, NULL, 0);
4977 
4978 	hci_dev_unlock(hdev);
4979 
4980 	return err;
4981 }
4982 
4983 static bool ltk_is_valid(struct mgmt_ltk_info *key)
4984 {
4985 	if (key->master != 0x00 && key->master != 0x01)
4986 		return false;
4987 
4988 	switch (key->addr.type) {
4989 	case BDADDR_LE_PUBLIC:
4990 		return true;
4991 
4992 	case BDADDR_LE_RANDOM:
4993 		/* Two most significant bits shall be set */
4994 		if ((key->addr.bdaddr.b[5] & 0xc0) != 0xc0)
4995 			return false;
4996 		return true;
4997 	}
4998 
4999 	return false;
5000 }
5001 
5002 static int load_long_term_keys(struct sock *sk, struct hci_dev *hdev,
5003 			       void *cp_data, u16 len)
5004 {
5005 	struct mgmt_cp_load_long_term_keys *cp = cp_data;
5006 	const u16 max_key_count = ((U16_MAX - sizeof(*cp)) /
5007 				   sizeof(struct mgmt_ltk_info));
5008 	u16 key_count, expected_len;
5009 	int i, err;
5010 
5011 	BT_DBG("request for %s", hdev->name);
5012 
5013 	if (!lmp_le_capable(hdev))
5014 		return cmd_status(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS,
5015 				  MGMT_STATUS_NOT_SUPPORTED);
5016 
5017 	key_count = __le16_to_cpu(cp->key_count);
5018 	if (key_count > max_key_count) {
5019 		BT_ERR("load_ltks: too big key_count value %u", key_count);
5020 		return cmd_status(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS,
5021 				  MGMT_STATUS_INVALID_PARAMS);
5022 	}
5023 
5024 	expected_len = sizeof(*cp) + key_count *
5025 					sizeof(struct mgmt_ltk_info);
5026 	if (expected_len != len) {
5027 		BT_ERR("load_keys: expected %u bytes, got %u bytes",
5028 		       expected_len, len);
5029 		return cmd_status(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS,
5030 				  MGMT_STATUS_INVALID_PARAMS);
5031 	}
5032 
5033 	BT_DBG("%s key_count %u", hdev->name, key_count);
5034 
5035 	for (i = 0; i < key_count; i++) {
5036 		struct mgmt_ltk_info *key = &cp->keys[i];
5037 
5038 		if (!ltk_is_valid(key))
5039 			return cmd_status(sk, hdev->id,
5040 					  MGMT_OP_LOAD_LONG_TERM_KEYS,
5041 					  MGMT_STATUS_INVALID_PARAMS);
5042 	}
5043 
5044 	hci_dev_lock(hdev);
5045 
5046 	hci_smp_ltks_clear(hdev);
5047 
5048 	for (i = 0; i < key_count; i++) {
5049 		struct mgmt_ltk_info *key = &cp->keys[i];
5050 		u8 type, addr_type, authenticated;
5051 
5052 		if (key->addr.type == BDADDR_LE_PUBLIC)
5053 			addr_type = ADDR_LE_DEV_PUBLIC;
5054 		else
5055 			addr_type = ADDR_LE_DEV_RANDOM;
5056 
5057 		switch (key->type) {
5058 		case MGMT_LTK_UNAUTHENTICATED:
5059 			authenticated = 0x00;
5060 			type = key->master ? SMP_LTK : SMP_LTK_SLAVE;
5061 			break;
5062 		case MGMT_LTK_AUTHENTICATED:
5063 			authenticated = 0x01;
5064 			type = key->master ? SMP_LTK : SMP_LTK_SLAVE;
5065 			break;
5066 		case MGMT_LTK_P256_UNAUTH:
5067 			authenticated = 0x00;
5068 			type = SMP_LTK_P256;
5069 			break;
5070 		case MGMT_LTK_P256_AUTH:
5071 			authenticated = 0x01;
5072 			type = SMP_LTK_P256;
5073 			break;
5074 		case MGMT_LTK_P256_DEBUG:
5075 			authenticated = 0x00;
5076 			type = SMP_LTK_P256_DEBUG;
5077 		default:
5078 			continue;
5079 		}
5080 
5081 		hci_add_ltk(hdev, &key->addr.bdaddr, addr_type, type,
5082 			    authenticated, key->val, key->enc_size, key->ediv,
5083 			    key->rand);
5084 	}
5085 
5086 	err = cmd_complete(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS, 0,
5087 			   NULL, 0);
5088 
5089 	hci_dev_unlock(hdev);
5090 
5091 	return err;
5092 }
5093 
5094 static void conn_info_cmd_complete(struct pending_cmd *cmd, u8 status)
5095 {
5096 	struct hci_conn *conn = cmd->user_data;
5097 	struct mgmt_rp_get_conn_info rp;
5098 
5099 	memcpy(&rp.addr, cmd->param, sizeof(rp.addr));
5100 
5101 	if (status == MGMT_STATUS_SUCCESS) {
5102 		rp.rssi = conn->rssi;
5103 		rp.tx_power = conn->tx_power;
5104 		rp.max_tx_power = conn->max_tx_power;
5105 	} else {
5106 		rp.rssi = HCI_RSSI_INVALID;
5107 		rp.tx_power = HCI_TX_POWER_INVALID;
5108 		rp.max_tx_power = HCI_TX_POWER_INVALID;
5109 	}
5110 
5111 	cmd_complete(cmd->sk, cmd->index, MGMT_OP_GET_CONN_INFO, status,
5112 		     &rp, sizeof(rp));
5113 
5114 	hci_conn_drop(conn);
5115 	hci_conn_put(conn);
5116 }
5117 
5118 static void conn_info_refresh_complete(struct hci_dev *hdev, u8 hci_status)
5119 {
5120 	struct hci_cp_read_rssi *cp;
5121 	struct pending_cmd *cmd;
5122 	struct hci_conn *conn;
5123 	u16 handle;
5124 	u8 status;
5125 
5126 	BT_DBG("status 0x%02x", hci_status);
5127 
5128 	hci_dev_lock(hdev);
5129 
5130 	/* Commands sent in request are either Read RSSI or Read Transmit Power
5131 	 * Level so we check which one was last sent to retrieve connection
5132 	 * handle.  Both commands have handle as first parameter so it's safe to
5133 	 * cast data on the same command struct.
5134 	 *
5135 	 * First command sent is always Read RSSI and we fail only if it fails.
5136 	 * In other case we simply override error to indicate success as we
5137 	 * already remembered if TX power value is actually valid.
5138 	 */
5139 	cp = hci_sent_cmd_data(hdev, HCI_OP_READ_RSSI);
5140 	if (!cp) {
5141 		cp = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
5142 		status = MGMT_STATUS_SUCCESS;
5143 	} else {
5144 		status = mgmt_status(hci_status);
5145 	}
5146 
5147 	if (!cp) {
5148 		BT_ERR("invalid sent_cmd in conn_info response");
5149 		goto unlock;
5150 	}
5151 
5152 	handle = __le16_to_cpu(cp->handle);
5153 	conn = hci_conn_hash_lookup_handle(hdev, handle);
5154 	if (!conn) {
5155 		BT_ERR("unknown handle (%d) in conn_info response", handle);
5156 		goto unlock;
5157 	}
5158 
5159 	cmd = mgmt_pending_find_data(MGMT_OP_GET_CONN_INFO, hdev, conn);
5160 	if (!cmd)
5161 		goto unlock;
5162 
5163 	cmd->cmd_complete(cmd, status);
5164 	mgmt_pending_remove(cmd);
5165 
5166 unlock:
5167 	hci_dev_unlock(hdev);
5168 }
5169 
5170 static int get_conn_info(struct sock *sk, struct hci_dev *hdev, void *data,
5171 			 u16 len)
5172 {
5173 	struct mgmt_cp_get_conn_info *cp = data;
5174 	struct mgmt_rp_get_conn_info rp;
5175 	struct hci_conn *conn;
5176 	unsigned long conn_info_age;
5177 	int err = 0;
5178 
5179 	BT_DBG("%s", hdev->name);
5180 
5181 	memset(&rp, 0, sizeof(rp));
5182 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
5183 	rp.addr.type = cp->addr.type;
5184 
5185 	if (!bdaddr_type_is_valid(cp->addr.type))
5186 		return cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
5187 				    MGMT_STATUS_INVALID_PARAMS,
5188 				    &rp, sizeof(rp));
5189 
5190 	hci_dev_lock(hdev);
5191 
5192 	if (!hdev_is_powered(hdev)) {
5193 		err = cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
5194 				   MGMT_STATUS_NOT_POWERED, &rp, sizeof(rp));
5195 		goto unlock;
5196 	}
5197 
5198 	if (cp->addr.type == BDADDR_BREDR)
5199 		conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
5200 					       &cp->addr.bdaddr);
5201 	else
5202 		conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->addr.bdaddr);
5203 
5204 	if (!conn || conn->state != BT_CONNECTED) {
5205 		err = cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
5206 				   MGMT_STATUS_NOT_CONNECTED, &rp, sizeof(rp));
5207 		goto unlock;
5208 	}
5209 
5210 	if (mgmt_pending_find_data(MGMT_OP_GET_CONN_INFO, hdev, conn)) {
5211 		err = cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
5212 				   MGMT_STATUS_BUSY, &rp, sizeof(rp));
5213 		goto unlock;
5214 	}
5215 
5216 	/* To avoid client trying to guess when to poll again for information we
5217 	 * calculate conn info age as random value between min/max set in hdev.
5218 	 */
5219 	conn_info_age = hdev->conn_info_min_age +
5220 			prandom_u32_max(hdev->conn_info_max_age -
5221 					hdev->conn_info_min_age);
5222 
5223 	/* Query controller to refresh cached values if they are too old or were
5224 	 * never read.
5225 	 */
5226 	if (time_after(jiffies, conn->conn_info_timestamp +
5227 		       msecs_to_jiffies(conn_info_age)) ||
5228 	    !conn->conn_info_timestamp) {
5229 		struct hci_request req;
5230 		struct hci_cp_read_tx_power req_txp_cp;
5231 		struct hci_cp_read_rssi req_rssi_cp;
5232 		struct pending_cmd *cmd;
5233 
5234 		hci_req_init(&req, hdev);
5235 		req_rssi_cp.handle = cpu_to_le16(conn->handle);
5236 		hci_req_add(&req, HCI_OP_READ_RSSI, sizeof(req_rssi_cp),
5237 			    &req_rssi_cp);
5238 
5239 		/* For LE links TX power does not change thus we don't need to
5240 		 * query for it once value is known.
5241 		 */
5242 		if (!bdaddr_type_is_le(cp->addr.type) ||
5243 		    conn->tx_power == HCI_TX_POWER_INVALID) {
5244 			req_txp_cp.handle = cpu_to_le16(conn->handle);
5245 			req_txp_cp.type = 0x00;
5246 			hci_req_add(&req, HCI_OP_READ_TX_POWER,
5247 				    sizeof(req_txp_cp), &req_txp_cp);
5248 		}
5249 
5250 		/* Max TX power needs to be read only once per connection */
5251 		if (conn->max_tx_power == HCI_TX_POWER_INVALID) {
5252 			req_txp_cp.handle = cpu_to_le16(conn->handle);
5253 			req_txp_cp.type = 0x01;
5254 			hci_req_add(&req, HCI_OP_READ_TX_POWER,
5255 				    sizeof(req_txp_cp), &req_txp_cp);
5256 		}
5257 
5258 		err = hci_req_run(&req, conn_info_refresh_complete);
5259 		if (err < 0)
5260 			goto unlock;
5261 
5262 		cmd = mgmt_pending_add(sk, MGMT_OP_GET_CONN_INFO, hdev,
5263 				       data, len);
5264 		if (!cmd) {
5265 			err = -ENOMEM;
5266 			goto unlock;
5267 		}
5268 
5269 		hci_conn_hold(conn);
5270 		cmd->user_data = hci_conn_get(conn);
5271 		cmd->cmd_complete = conn_info_cmd_complete;
5272 
5273 		conn->conn_info_timestamp = jiffies;
5274 	} else {
5275 		/* Cache is valid, just reply with values cached in hci_conn */
5276 		rp.rssi = conn->rssi;
5277 		rp.tx_power = conn->tx_power;
5278 		rp.max_tx_power = conn->max_tx_power;
5279 
5280 		err = cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
5281 				   MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
5282 	}
5283 
5284 unlock:
5285 	hci_dev_unlock(hdev);
5286 	return err;
5287 }
5288 
5289 static void clock_info_cmd_complete(struct pending_cmd *cmd, u8 status)
5290 {
5291 	struct hci_conn *conn = cmd->user_data;
5292 	struct mgmt_rp_get_clock_info rp;
5293 	struct hci_dev *hdev;
5294 
5295 	memset(&rp, 0, sizeof(rp));
5296 	memcpy(&rp.addr, &cmd->param, sizeof(rp.addr));
5297 
5298 	if (status)
5299 		goto complete;
5300 
5301 	hdev = hci_dev_get(cmd->index);
5302 	if (hdev) {
5303 		rp.local_clock = cpu_to_le32(hdev->clock);
5304 		hci_dev_put(hdev);
5305 	}
5306 
5307 	if (conn) {
5308 		rp.piconet_clock = cpu_to_le32(conn->clock);
5309 		rp.accuracy = cpu_to_le16(conn->clock_accuracy);
5310 	}
5311 
5312 complete:
5313 	cmd_complete(cmd->sk, cmd->index, cmd->opcode, status, &rp, sizeof(rp));
5314 
5315 	if (conn) {
5316 		hci_conn_drop(conn);
5317 		hci_conn_put(conn);
5318 	}
5319 }
5320 
5321 static void get_clock_info_complete(struct hci_dev *hdev, u8 status)
5322 {
5323 	struct hci_cp_read_clock *hci_cp;
5324 	struct pending_cmd *cmd;
5325 	struct hci_conn *conn;
5326 
5327 	BT_DBG("%s status %u", hdev->name, status);
5328 
5329 	hci_dev_lock(hdev);
5330 
5331 	hci_cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
5332 	if (!hci_cp)
5333 		goto unlock;
5334 
5335 	if (hci_cp->which) {
5336 		u16 handle = __le16_to_cpu(hci_cp->handle);
5337 		conn = hci_conn_hash_lookup_handle(hdev, handle);
5338 	} else {
5339 		conn = NULL;
5340 	}
5341 
5342 	cmd = mgmt_pending_find_data(MGMT_OP_GET_CLOCK_INFO, hdev, conn);
5343 	if (!cmd)
5344 		goto unlock;
5345 
5346 	cmd->cmd_complete(cmd, mgmt_status(status));
5347 	mgmt_pending_remove(cmd);
5348 
5349 unlock:
5350 	hci_dev_unlock(hdev);
5351 }
5352 
5353 static int get_clock_info(struct sock *sk, struct hci_dev *hdev, void *data,
5354 			 u16 len)
5355 {
5356 	struct mgmt_cp_get_clock_info *cp = data;
5357 	struct mgmt_rp_get_clock_info rp;
5358 	struct hci_cp_read_clock hci_cp;
5359 	struct pending_cmd *cmd;
5360 	struct hci_request req;
5361 	struct hci_conn *conn;
5362 	int err;
5363 
5364 	BT_DBG("%s", hdev->name);
5365 
5366 	memset(&rp, 0, sizeof(rp));
5367 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
5368 	rp.addr.type = cp->addr.type;
5369 
5370 	if (cp->addr.type != BDADDR_BREDR)
5371 		return cmd_complete(sk, hdev->id, MGMT_OP_GET_CLOCK_INFO,
5372 				    MGMT_STATUS_INVALID_PARAMS,
5373 				    &rp, sizeof(rp));
5374 
5375 	hci_dev_lock(hdev);
5376 
5377 	if (!hdev_is_powered(hdev)) {
5378 		err = cmd_complete(sk, hdev->id, MGMT_OP_GET_CLOCK_INFO,
5379 				   MGMT_STATUS_NOT_POWERED, &rp, sizeof(rp));
5380 		goto unlock;
5381 	}
5382 
5383 	if (bacmp(&cp->addr.bdaddr, BDADDR_ANY)) {
5384 		conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
5385 					       &cp->addr.bdaddr);
5386 		if (!conn || conn->state != BT_CONNECTED) {
5387 			err = cmd_complete(sk, hdev->id,
5388 					   MGMT_OP_GET_CLOCK_INFO,
5389 					   MGMT_STATUS_NOT_CONNECTED,
5390 					   &rp, sizeof(rp));
5391 			goto unlock;
5392 		}
5393 	} else {
5394 		conn = NULL;
5395 	}
5396 
5397 	cmd = mgmt_pending_add(sk, MGMT_OP_GET_CLOCK_INFO, hdev, data, len);
5398 	if (!cmd) {
5399 		err = -ENOMEM;
5400 		goto unlock;
5401 	}
5402 
5403 	cmd->cmd_complete = clock_info_cmd_complete;
5404 
5405 	hci_req_init(&req, hdev);
5406 
5407 	memset(&hci_cp, 0, sizeof(hci_cp));
5408 	hci_req_add(&req, HCI_OP_READ_CLOCK, sizeof(hci_cp), &hci_cp);
5409 
5410 	if (conn) {
5411 		hci_conn_hold(conn);
5412 		cmd->user_data = hci_conn_get(conn);
5413 
5414 		hci_cp.handle = cpu_to_le16(conn->handle);
5415 		hci_cp.which = 0x01; /* Piconet clock */
5416 		hci_req_add(&req, HCI_OP_READ_CLOCK, sizeof(hci_cp), &hci_cp);
5417 	}
5418 
5419 	err = hci_req_run(&req, get_clock_info_complete);
5420 	if (err < 0)
5421 		mgmt_pending_remove(cmd);
5422 
5423 unlock:
5424 	hci_dev_unlock(hdev);
5425 	return err;
5426 }
5427 
5428 static void device_added(struct sock *sk, struct hci_dev *hdev,
5429 			 bdaddr_t *bdaddr, u8 type, u8 action)
5430 {
5431 	struct mgmt_ev_device_added ev;
5432 
5433 	bacpy(&ev.addr.bdaddr, bdaddr);
5434 	ev.addr.type = type;
5435 	ev.action = action;
5436 
5437 	mgmt_event(MGMT_EV_DEVICE_ADDED, hdev, &ev, sizeof(ev), sk);
5438 }
5439 
5440 static int add_device(struct sock *sk, struct hci_dev *hdev,
5441 		      void *data, u16 len)
5442 {
5443 	struct mgmt_cp_add_device *cp = data;
5444 	u8 auto_conn, addr_type;
5445 	int err;
5446 
5447 	BT_DBG("%s", hdev->name);
5448 
5449 	if (!bdaddr_type_is_valid(cp->addr.type) ||
5450 	    !bacmp(&cp->addr.bdaddr, BDADDR_ANY))
5451 		return cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
5452 				    MGMT_STATUS_INVALID_PARAMS,
5453 				    &cp->addr, sizeof(cp->addr));
5454 
5455 	if (cp->action != 0x00 && cp->action != 0x01 && cp->action != 0x02)
5456 		return cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
5457 				    MGMT_STATUS_INVALID_PARAMS,
5458 				    &cp->addr, sizeof(cp->addr));
5459 
5460 	hci_dev_lock(hdev);
5461 
5462 	if (cp->addr.type == BDADDR_BREDR) {
5463 		/* Only incoming connections action is supported for now */
5464 		if (cp->action != 0x01) {
5465 			err = cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
5466 					   MGMT_STATUS_INVALID_PARAMS,
5467 					   &cp->addr, sizeof(cp->addr));
5468 			goto unlock;
5469 		}
5470 
5471 		err = hci_bdaddr_list_add(&hdev->whitelist, &cp->addr.bdaddr,
5472 					  cp->addr.type);
5473 		if (err)
5474 			goto unlock;
5475 
5476 		hci_update_page_scan(hdev, NULL);
5477 
5478 		goto added;
5479 	}
5480 
5481 	if (cp->addr.type == BDADDR_LE_PUBLIC)
5482 		addr_type = ADDR_LE_DEV_PUBLIC;
5483 	else
5484 		addr_type = ADDR_LE_DEV_RANDOM;
5485 
5486 	if (cp->action == 0x02)
5487 		auto_conn = HCI_AUTO_CONN_ALWAYS;
5488 	else if (cp->action == 0x01)
5489 		auto_conn = HCI_AUTO_CONN_DIRECT;
5490 	else
5491 		auto_conn = HCI_AUTO_CONN_REPORT;
5492 
5493 	/* If the connection parameters don't exist for this device,
5494 	 * they will be created and configured with defaults.
5495 	 */
5496 	if (hci_conn_params_set(hdev, &cp->addr.bdaddr, addr_type,
5497 				auto_conn) < 0) {
5498 		err = cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
5499 				   MGMT_STATUS_FAILED,
5500 				   &cp->addr, sizeof(cp->addr));
5501 		goto unlock;
5502 	}
5503 
5504 added:
5505 	device_added(sk, hdev, &cp->addr.bdaddr, cp->addr.type, cp->action);
5506 
5507 	err = cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
5508 			   MGMT_STATUS_SUCCESS, &cp->addr, sizeof(cp->addr));
5509 
5510 unlock:
5511 	hci_dev_unlock(hdev);
5512 	return err;
5513 }
5514 
5515 static void device_removed(struct sock *sk, struct hci_dev *hdev,
5516 			   bdaddr_t *bdaddr, u8 type)
5517 {
5518 	struct mgmt_ev_device_removed ev;
5519 
5520 	bacpy(&ev.addr.bdaddr, bdaddr);
5521 	ev.addr.type = type;
5522 
5523 	mgmt_event(MGMT_EV_DEVICE_REMOVED, hdev, &ev, sizeof(ev), sk);
5524 }
5525 
5526 static int remove_device(struct sock *sk, struct hci_dev *hdev,
5527 			 void *data, u16 len)
5528 {
5529 	struct mgmt_cp_remove_device *cp = data;
5530 	int err;
5531 
5532 	BT_DBG("%s", hdev->name);
5533 
5534 	hci_dev_lock(hdev);
5535 
5536 	if (bacmp(&cp->addr.bdaddr, BDADDR_ANY)) {
5537 		struct hci_conn_params *params;
5538 		u8 addr_type;
5539 
5540 		if (!bdaddr_type_is_valid(cp->addr.type)) {
5541 			err = cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_DEVICE,
5542 					   MGMT_STATUS_INVALID_PARAMS,
5543 					   &cp->addr, sizeof(cp->addr));
5544 			goto unlock;
5545 		}
5546 
5547 		if (cp->addr.type == BDADDR_BREDR) {
5548 			err = hci_bdaddr_list_del(&hdev->whitelist,
5549 						  &cp->addr.bdaddr,
5550 						  cp->addr.type);
5551 			if (err) {
5552 				err = cmd_complete(sk, hdev->id,
5553 						   MGMT_OP_REMOVE_DEVICE,
5554 						   MGMT_STATUS_INVALID_PARAMS,
5555 						   &cp->addr, sizeof(cp->addr));
5556 				goto unlock;
5557 			}
5558 
5559 			hci_update_page_scan(hdev, NULL);
5560 
5561 			device_removed(sk, hdev, &cp->addr.bdaddr,
5562 				       cp->addr.type);
5563 			goto complete;
5564 		}
5565 
5566 		if (cp->addr.type == BDADDR_LE_PUBLIC)
5567 			addr_type = ADDR_LE_DEV_PUBLIC;
5568 		else
5569 			addr_type = ADDR_LE_DEV_RANDOM;
5570 
5571 		params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr,
5572 						addr_type);
5573 		if (!params) {
5574 			err = cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_DEVICE,
5575 					   MGMT_STATUS_INVALID_PARAMS,
5576 					   &cp->addr, sizeof(cp->addr));
5577 			goto unlock;
5578 		}
5579 
5580 		if (params->auto_connect == HCI_AUTO_CONN_DISABLED) {
5581 			err = cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_DEVICE,
5582 					   MGMT_STATUS_INVALID_PARAMS,
5583 					   &cp->addr, sizeof(cp->addr));
5584 			goto unlock;
5585 		}
5586 
5587 		list_del(&params->action);
5588 		list_del(&params->list);
5589 		kfree(params);
5590 		hci_update_background_scan(hdev);
5591 
5592 		device_removed(sk, hdev, &cp->addr.bdaddr, cp->addr.type);
5593 	} else {
5594 		struct hci_conn_params *p, *tmp;
5595 		struct bdaddr_list *b, *btmp;
5596 
5597 		if (cp->addr.type) {
5598 			err = cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_DEVICE,
5599 					   MGMT_STATUS_INVALID_PARAMS,
5600 					   &cp->addr, sizeof(cp->addr));
5601 			goto unlock;
5602 		}
5603 
5604 		list_for_each_entry_safe(b, btmp, &hdev->whitelist, list) {
5605 			device_removed(sk, hdev, &b->bdaddr, b->bdaddr_type);
5606 			list_del(&b->list);
5607 			kfree(b);
5608 		}
5609 
5610 		hci_update_page_scan(hdev, NULL);
5611 
5612 		list_for_each_entry_safe(p, tmp, &hdev->le_conn_params, list) {
5613 			if (p->auto_connect == HCI_AUTO_CONN_DISABLED)
5614 				continue;
5615 			device_removed(sk, hdev, &p->addr, p->addr_type);
5616 			list_del(&p->action);
5617 			list_del(&p->list);
5618 			kfree(p);
5619 		}
5620 
5621 		BT_DBG("All LE connection parameters were removed");
5622 
5623 		hci_update_background_scan(hdev);
5624 	}
5625 
5626 complete:
5627 	err = cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_DEVICE,
5628 			   MGMT_STATUS_SUCCESS, &cp->addr, sizeof(cp->addr));
5629 
5630 unlock:
5631 	hci_dev_unlock(hdev);
5632 	return err;
5633 }
5634 
5635 static int load_conn_param(struct sock *sk, struct hci_dev *hdev, void *data,
5636 			   u16 len)
5637 {
5638 	struct mgmt_cp_load_conn_param *cp = data;
5639 	const u16 max_param_count = ((U16_MAX - sizeof(*cp)) /
5640 				     sizeof(struct mgmt_conn_param));
5641 	u16 param_count, expected_len;
5642 	int i;
5643 
5644 	if (!lmp_le_capable(hdev))
5645 		return cmd_status(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM,
5646 				  MGMT_STATUS_NOT_SUPPORTED);
5647 
5648 	param_count = __le16_to_cpu(cp->param_count);
5649 	if (param_count > max_param_count) {
5650 		BT_ERR("load_conn_param: too big param_count value %u",
5651 		       param_count);
5652 		return cmd_status(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM,
5653 				  MGMT_STATUS_INVALID_PARAMS);
5654 	}
5655 
5656 	expected_len = sizeof(*cp) + param_count *
5657 					sizeof(struct mgmt_conn_param);
5658 	if (expected_len != len) {
5659 		BT_ERR("load_conn_param: expected %u bytes, got %u bytes",
5660 		       expected_len, len);
5661 		return cmd_status(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM,
5662 				  MGMT_STATUS_INVALID_PARAMS);
5663 	}
5664 
5665 	BT_DBG("%s param_count %u", hdev->name, param_count);
5666 
5667 	hci_dev_lock(hdev);
5668 
5669 	hci_conn_params_clear_disabled(hdev);
5670 
5671 	for (i = 0; i < param_count; i++) {
5672 		struct mgmt_conn_param *param = &cp->params[i];
5673 		struct hci_conn_params *hci_param;
5674 		u16 min, max, latency, timeout;
5675 		u8 addr_type;
5676 
5677 		BT_DBG("Adding %pMR (type %u)", &param->addr.bdaddr,
5678 		       param->addr.type);
5679 
5680 		if (param->addr.type == BDADDR_LE_PUBLIC) {
5681 			addr_type = ADDR_LE_DEV_PUBLIC;
5682 		} else if (param->addr.type == BDADDR_LE_RANDOM) {
5683 			addr_type = ADDR_LE_DEV_RANDOM;
5684 		} else {
5685 			BT_ERR("Ignoring invalid connection parameters");
5686 			continue;
5687 		}
5688 
5689 		min = le16_to_cpu(param->min_interval);
5690 		max = le16_to_cpu(param->max_interval);
5691 		latency = le16_to_cpu(param->latency);
5692 		timeout = le16_to_cpu(param->timeout);
5693 
5694 		BT_DBG("min 0x%04x max 0x%04x latency 0x%04x timeout 0x%04x",
5695 		       min, max, latency, timeout);
5696 
5697 		if (hci_check_conn_params(min, max, latency, timeout) < 0) {
5698 			BT_ERR("Ignoring invalid connection parameters");
5699 			continue;
5700 		}
5701 
5702 		hci_param = hci_conn_params_add(hdev, &param->addr.bdaddr,
5703 						addr_type);
5704 		if (!hci_param) {
5705 			BT_ERR("Failed to add connection parameters");
5706 			continue;
5707 		}
5708 
5709 		hci_param->conn_min_interval = min;
5710 		hci_param->conn_max_interval = max;
5711 		hci_param->conn_latency = latency;
5712 		hci_param->supervision_timeout = timeout;
5713 	}
5714 
5715 	hci_dev_unlock(hdev);
5716 
5717 	return cmd_complete(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM, 0, NULL, 0);
5718 }
5719 
5720 static int set_external_config(struct sock *sk, struct hci_dev *hdev,
5721 			       void *data, u16 len)
5722 {
5723 	struct mgmt_cp_set_external_config *cp = data;
5724 	bool changed;
5725 	int err;
5726 
5727 	BT_DBG("%s", hdev->name);
5728 
5729 	if (hdev_is_powered(hdev))
5730 		return cmd_status(sk, hdev->id, MGMT_OP_SET_EXTERNAL_CONFIG,
5731 				  MGMT_STATUS_REJECTED);
5732 
5733 	if (cp->config != 0x00 && cp->config != 0x01)
5734 		return cmd_status(sk, hdev->id, MGMT_OP_SET_EXTERNAL_CONFIG,
5735 				    MGMT_STATUS_INVALID_PARAMS);
5736 
5737 	if (!test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks))
5738 		return cmd_status(sk, hdev->id, MGMT_OP_SET_EXTERNAL_CONFIG,
5739 				  MGMT_STATUS_NOT_SUPPORTED);
5740 
5741 	hci_dev_lock(hdev);
5742 
5743 	if (cp->config)
5744 		changed = !test_and_set_bit(HCI_EXT_CONFIGURED,
5745 					    &hdev->dev_flags);
5746 	else
5747 		changed = test_and_clear_bit(HCI_EXT_CONFIGURED,
5748 					     &hdev->dev_flags);
5749 
5750 	err = send_options_rsp(sk, MGMT_OP_SET_EXTERNAL_CONFIG, hdev);
5751 	if (err < 0)
5752 		goto unlock;
5753 
5754 	if (!changed)
5755 		goto unlock;
5756 
5757 	err = new_options(hdev, sk);
5758 
5759 	if (test_bit(HCI_UNCONFIGURED, &hdev->dev_flags) == is_configured(hdev)) {
5760 		mgmt_index_removed(hdev);
5761 
5762 		if (test_and_change_bit(HCI_UNCONFIGURED, &hdev->dev_flags)) {
5763 			set_bit(HCI_CONFIG, &hdev->dev_flags);
5764 			set_bit(HCI_AUTO_OFF, &hdev->dev_flags);
5765 
5766 			queue_work(hdev->req_workqueue, &hdev->power_on);
5767 		} else {
5768 			set_bit(HCI_RAW, &hdev->flags);
5769 			mgmt_index_added(hdev);
5770 		}
5771 	}
5772 
5773 unlock:
5774 	hci_dev_unlock(hdev);
5775 	return err;
5776 }
5777 
5778 static int set_public_address(struct sock *sk, struct hci_dev *hdev,
5779 			      void *data, u16 len)
5780 {
5781 	struct mgmt_cp_set_public_address *cp = data;
5782 	bool changed;
5783 	int err;
5784 
5785 	BT_DBG("%s", hdev->name);
5786 
5787 	if (hdev_is_powered(hdev))
5788 		return cmd_status(sk, hdev->id, MGMT_OP_SET_PUBLIC_ADDRESS,
5789 				  MGMT_STATUS_REJECTED);
5790 
5791 	if (!bacmp(&cp->bdaddr, BDADDR_ANY))
5792 		return cmd_status(sk, hdev->id, MGMT_OP_SET_PUBLIC_ADDRESS,
5793 				  MGMT_STATUS_INVALID_PARAMS);
5794 
5795 	if (!hdev->set_bdaddr)
5796 		return cmd_status(sk, hdev->id, MGMT_OP_SET_PUBLIC_ADDRESS,
5797 				  MGMT_STATUS_NOT_SUPPORTED);
5798 
5799 	hci_dev_lock(hdev);
5800 
5801 	changed = !!bacmp(&hdev->public_addr, &cp->bdaddr);
5802 	bacpy(&hdev->public_addr, &cp->bdaddr);
5803 
5804 	err = send_options_rsp(sk, MGMT_OP_SET_PUBLIC_ADDRESS, hdev);
5805 	if (err < 0)
5806 		goto unlock;
5807 
5808 	if (!changed)
5809 		goto unlock;
5810 
5811 	if (test_bit(HCI_UNCONFIGURED, &hdev->dev_flags))
5812 		err = new_options(hdev, sk);
5813 
5814 	if (is_configured(hdev)) {
5815 		mgmt_index_removed(hdev);
5816 
5817 		clear_bit(HCI_UNCONFIGURED, &hdev->dev_flags);
5818 
5819 		set_bit(HCI_CONFIG, &hdev->dev_flags);
5820 		set_bit(HCI_AUTO_OFF, &hdev->dev_flags);
5821 
5822 		queue_work(hdev->req_workqueue, &hdev->power_on);
5823 	}
5824 
5825 unlock:
5826 	hci_dev_unlock(hdev);
5827 	return err;
5828 }
5829 
5830 static const struct mgmt_handler {
5831 	int (*func) (struct sock *sk, struct hci_dev *hdev, void *data,
5832 		     u16 data_len);
5833 	bool var_len;
5834 	size_t data_len;
5835 } mgmt_handlers[] = {
5836 	{ NULL }, /* 0x0000 (no command) */
5837 	{ read_version,           false, MGMT_READ_VERSION_SIZE },
5838 	{ read_commands,          false, MGMT_READ_COMMANDS_SIZE },
5839 	{ read_index_list,        false, MGMT_READ_INDEX_LIST_SIZE },
5840 	{ read_controller_info,   false, MGMT_READ_INFO_SIZE },
5841 	{ set_powered,            false, MGMT_SETTING_SIZE },
5842 	{ set_discoverable,       false, MGMT_SET_DISCOVERABLE_SIZE },
5843 	{ set_connectable,        false, MGMT_SETTING_SIZE },
5844 	{ set_fast_connectable,   false, MGMT_SETTING_SIZE },
5845 	{ set_bondable,           false, MGMT_SETTING_SIZE },
5846 	{ set_link_security,      false, MGMT_SETTING_SIZE },
5847 	{ set_ssp,                false, MGMT_SETTING_SIZE },
5848 	{ set_hs,                 false, MGMT_SETTING_SIZE },
5849 	{ set_le,                 false, MGMT_SETTING_SIZE },
5850 	{ set_dev_class,          false, MGMT_SET_DEV_CLASS_SIZE },
5851 	{ set_local_name,         false, MGMT_SET_LOCAL_NAME_SIZE },
5852 	{ add_uuid,               false, MGMT_ADD_UUID_SIZE },
5853 	{ remove_uuid,            false, MGMT_REMOVE_UUID_SIZE },
5854 	{ load_link_keys,         true,  MGMT_LOAD_LINK_KEYS_SIZE },
5855 	{ load_long_term_keys,    true,  MGMT_LOAD_LONG_TERM_KEYS_SIZE },
5856 	{ disconnect,             false, MGMT_DISCONNECT_SIZE },
5857 	{ get_connections,        false, MGMT_GET_CONNECTIONS_SIZE },
5858 	{ pin_code_reply,         false, MGMT_PIN_CODE_REPLY_SIZE },
5859 	{ pin_code_neg_reply,     false, MGMT_PIN_CODE_NEG_REPLY_SIZE },
5860 	{ set_io_capability,      false, MGMT_SET_IO_CAPABILITY_SIZE },
5861 	{ pair_device,            false, MGMT_PAIR_DEVICE_SIZE },
5862 	{ cancel_pair_device,     false, MGMT_CANCEL_PAIR_DEVICE_SIZE },
5863 	{ unpair_device,          false, MGMT_UNPAIR_DEVICE_SIZE },
5864 	{ user_confirm_reply,     false, MGMT_USER_CONFIRM_REPLY_SIZE },
5865 	{ user_confirm_neg_reply, false, MGMT_USER_CONFIRM_NEG_REPLY_SIZE },
5866 	{ user_passkey_reply,     false, MGMT_USER_PASSKEY_REPLY_SIZE },
5867 	{ user_passkey_neg_reply, false, MGMT_USER_PASSKEY_NEG_REPLY_SIZE },
5868 	{ read_local_oob_data,    false, MGMT_READ_LOCAL_OOB_DATA_SIZE },
5869 	{ add_remote_oob_data,    true,  MGMT_ADD_REMOTE_OOB_DATA_SIZE },
5870 	{ remove_remote_oob_data, false, MGMT_REMOVE_REMOTE_OOB_DATA_SIZE },
5871 	{ start_discovery,        false, MGMT_START_DISCOVERY_SIZE },
5872 	{ stop_discovery,         false, MGMT_STOP_DISCOVERY_SIZE },
5873 	{ confirm_name,           false, MGMT_CONFIRM_NAME_SIZE },
5874 	{ block_device,           false, MGMT_BLOCK_DEVICE_SIZE },
5875 	{ unblock_device,         false, MGMT_UNBLOCK_DEVICE_SIZE },
5876 	{ set_device_id,          false, MGMT_SET_DEVICE_ID_SIZE },
5877 	{ set_advertising,        false, MGMT_SETTING_SIZE },
5878 	{ set_bredr,              false, MGMT_SETTING_SIZE },
5879 	{ set_static_address,     false, MGMT_SET_STATIC_ADDRESS_SIZE },
5880 	{ set_scan_params,        false, MGMT_SET_SCAN_PARAMS_SIZE },
5881 	{ set_secure_conn,        false, MGMT_SETTING_SIZE },
5882 	{ set_debug_keys,         false, MGMT_SETTING_SIZE },
5883 	{ set_privacy,            false, MGMT_SET_PRIVACY_SIZE },
5884 	{ load_irks,              true,  MGMT_LOAD_IRKS_SIZE },
5885 	{ get_conn_info,          false, MGMT_GET_CONN_INFO_SIZE },
5886 	{ get_clock_info,         false, MGMT_GET_CLOCK_INFO_SIZE },
5887 	{ add_device,             false, MGMT_ADD_DEVICE_SIZE },
5888 	{ remove_device,          false, MGMT_REMOVE_DEVICE_SIZE },
5889 	{ load_conn_param,        true,  MGMT_LOAD_CONN_PARAM_SIZE },
5890 	{ read_unconf_index_list, false, MGMT_READ_UNCONF_INDEX_LIST_SIZE },
5891 	{ read_config_info,       false, MGMT_READ_CONFIG_INFO_SIZE },
5892 	{ set_external_config,    false, MGMT_SET_EXTERNAL_CONFIG_SIZE },
5893 	{ set_public_address,     false, MGMT_SET_PUBLIC_ADDRESS_SIZE },
5894 	{ start_service_discovery,true,  MGMT_START_SERVICE_DISCOVERY_SIZE },
5895 };
5896 
5897 int mgmt_control(struct sock *sk, struct msghdr *msg, size_t msglen)
5898 {
5899 	void *buf;
5900 	u8 *cp;
5901 	struct mgmt_hdr *hdr;
5902 	u16 opcode, index, len;
5903 	struct hci_dev *hdev = NULL;
5904 	const struct mgmt_handler *handler;
5905 	int err;
5906 
5907 	BT_DBG("got %zu bytes", msglen);
5908 
5909 	if (msglen < sizeof(*hdr))
5910 		return -EINVAL;
5911 
5912 	buf = kmalloc(msglen, GFP_KERNEL);
5913 	if (!buf)
5914 		return -ENOMEM;
5915 
5916 	if (memcpy_from_msg(buf, msg, msglen)) {
5917 		err = -EFAULT;
5918 		goto done;
5919 	}
5920 
5921 	hdr = buf;
5922 	opcode = __le16_to_cpu(hdr->opcode);
5923 	index = __le16_to_cpu(hdr->index);
5924 	len = __le16_to_cpu(hdr->len);
5925 
5926 	if (len != msglen - sizeof(*hdr)) {
5927 		err = -EINVAL;
5928 		goto done;
5929 	}
5930 
5931 	if (index != MGMT_INDEX_NONE) {
5932 		hdev = hci_dev_get(index);
5933 		if (!hdev) {
5934 			err = cmd_status(sk, index, opcode,
5935 					 MGMT_STATUS_INVALID_INDEX);
5936 			goto done;
5937 		}
5938 
5939 		if (test_bit(HCI_SETUP, &hdev->dev_flags) ||
5940 		    test_bit(HCI_CONFIG, &hdev->dev_flags) ||
5941 		    test_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) {
5942 			err = cmd_status(sk, index, opcode,
5943 					 MGMT_STATUS_INVALID_INDEX);
5944 			goto done;
5945 		}
5946 
5947 		if (test_bit(HCI_UNCONFIGURED, &hdev->dev_flags) &&
5948 		    opcode != MGMT_OP_READ_CONFIG_INFO &&
5949 		    opcode != MGMT_OP_SET_EXTERNAL_CONFIG &&
5950 		    opcode != MGMT_OP_SET_PUBLIC_ADDRESS) {
5951 			err = cmd_status(sk, index, opcode,
5952 					 MGMT_STATUS_INVALID_INDEX);
5953 			goto done;
5954 		}
5955 	}
5956 
5957 	if (opcode >= ARRAY_SIZE(mgmt_handlers) ||
5958 	    mgmt_handlers[opcode].func == NULL) {
5959 		BT_DBG("Unknown op %u", opcode);
5960 		err = cmd_status(sk, index, opcode,
5961 				 MGMT_STATUS_UNKNOWN_COMMAND);
5962 		goto done;
5963 	}
5964 
5965 	if (hdev && (opcode <= MGMT_OP_READ_INDEX_LIST ||
5966 		     opcode == MGMT_OP_READ_UNCONF_INDEX_LIST)) {
5967 		err = cmd_status(sk, index, opcode,
5968 				 MGMT_STATUS_INVALID_INDEX);
5969 		goto done;
5970 	}
5971 
5972 	if (!hdev && (opcode > MGMT_OP_READ_INDEX_LIST &&
5973 		      opcode != MGMT_OP_READ_UNCONF_INDEX_LIST)) {
5974 		err = cmd_status(sk, index, opcode,
5975 				 MGMT_STATUS_INVALID_INDEX);
5976 		goto done;
5977 	}
5978 
5979 	handler = &mgmt_handlers[opcode];
5980 
5981 	if ((handler->var_len && len < handler->data_len) ||
5982 	    (!handler->var_len && len != handler->data_len)) {
5983 		err = cmd_status(sk, index, opcode,
5984 				 MGMT_STATUS_INVALID_PARAMS);
5985 		goto done;
5986 	}
5987 
5988 	if (hdev)
5989 		mgmt_init_hdev(sk, hdev);
5990 
5991 	cp = buf + sizeof(*hdr);
5992 
5993 	err = handler->func(sk, hdev, cp, len);
5994 	if (err < 0)
5995 		goto done;
5996 
5997 	err = msglen;
5998 
5999 done:
6000 	if (hdev)
6001 		hci_dev_put(hdev);
6002 
6003 	kfree(buf);
6004 	return err;
6005 }
6006 
6007 void mgmt_index_added(struct hci_dev *hdev)
6008 {
6009 	if (hdev->dev_type != HCI_BREDR)
6010 		return;
6011 
6012 	if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
6013 		return;
6014 
6015 	if (test_bit(HCI_UNCONFIGURED, &hdev->dev_flags))
6016 		mgmt_event(MGMT_EV_UNCONF_INDEX_ADDED, hdev, NULL, 0, NULL);
6017 	else
6018 		mgmt_event(MGMT_EV_INDEX_ADDED, hdev, NULL, 0, NULL);
6019 }
6020 
6021 void mgmt_index_removed(struct hci_dev *hdev)
6022 {
6023 	u8 status = MGMT_STATUS_INVALID_INDEX;
6024 
6025 	if (hdev->dev_type != HCI_BREDR)
6026 		return;
6027 
6028 	if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
6029 		return;
6030 
6031 	mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &status);
6032 
6033 	if (test_bit(HCI_UNCONFIGURED, &hdev->dev_flags))
6034 		mgmt_event(MGMT_EV_UNCONF_INDEX_REMOVED, hdev, NULL, 0, NULL);
6035 	else
6036 		mgmt_event(MGMT_EV_INDEX_REMOVED, hdev, NULL, 0, NULL);
6037 }
6038 
6039 /* This function requires the caller holds hdev->lock */
6040 static void restart_le_actions(struct hci_dev *hdev)
6041 {
6042 	struct hci_conn_params *p;
6043 
6044 	list_for_each_entry(p, &hdev->le_conn_params, list) {
6045 		/* Needed for AUTO_OFF case where might not "really"
6046 		 * have been powered off.
6047 		 */
6048 		list_del_init(&p->action);
6049 
6050 		switch (p->auto_connect) {
6051 		case HCI_AUTO_CONN_DIRECT:
6052 		case HCI_AUTO_CONN_ALWAYS:
6053 			list_add(&p->action, &hdev->pend_le_conns);
6054 			break;
6055 		case HCI_AUTO_CONN_REPORT:
6056 			list_add(&p->action, &hdev->pend_le_reports);
6057 			break;
6058 		default:
6059 			break;
6060 		}
6061 	}
6062 
6063 	hci_update_background_scan(hdev);
6064 }
6065 
6066 static void powered_complete(struct hci_dev *hdev, u8 status)
6067 {
6068 	struct cmd_lookup match = { NULL, hdev };
6069 
6070 	BT_DBG("status 0x%02x", status);
6071 
6072 	hci_dev_lock(hdev);
6073 
6074 	restart_le_actions(hdev);
6075 
6076 	mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp, &match);
6077 
6078 	new_settings(hdev, match.sk);
6079 
6080 	hci_dev_unlock(hdev);
6081 
6082 	if (match.sk)
6083 		sock_put(match.sk);
6084 }
6085 
6086 static int powered_update_hci(struct hci_dev *hdev)
6087 {
6088 	struct hci_request req;
6089 	u8 link_sec;
6090 
6091 	hci_req_init(&req, hdev);
6092 
6093 	if (test_bit(HCI_SSP_ENABLED, &hdev->dev_flags) &&
6094 	    !lmp_host_ssp_capable(hdev)) {
6095 		u8 ssp = 1;
6096 
6097 		hci_req_add(&req, HCI_OP_WRITE_SSP_MODE, 1, &ssp);
6098 	}
6099 
6100 	if (bredr_sc_enabled(hdev) && !lmp_host_sc_capable(hdev)) {
6101 		u8 sc = 0x01;
6102 		hci_req_add(&req, HCI_OP_WRITE_SC_SUPPORT, sizeof(sc), &sc);
6103 	}
6104 
6105 	if (test_bit(HCI_LE_ENABLED, &hdev->dev_flags) &&
6106 	    lmp_bredr_capable(hdev)) {
6107 		struct hci_cp_write_le_host_supported cp;
6108 
6109 		cp.le = 0x01;
6110 		cp.simul = 0x00;
6111 
6112 		/* Check first if we already have the right
6113 		 * host state (host features set)
6114 		 */
6115 		if (cp.le != lmp_host_le_capable(hdev) ||
6116 		    cp.simul != lmp_host_le_br_capable(hdev))
6117 			hci_req_add(&req, HCI_OP_WRITE_LE_HOST_SUPPORTED,
6118 				    sizeof(cp), &cp);
6119 	}
6120 
6121 	if (lmp_le_capable(hdev)) {
6122 		/* Make sure the controller has a good default for
6123 		 * advertising data. This also applies to the case
6124 		 * where BR/EDR was toggled during the AUTO_OFF phase.
6125 		 */
6126 		if (test_bit(HCI_LE_ENABLED, &hdev->dev_flags)) {
6127 			update_adv_data(&req);
6128 			update_scan_rsp_data(&req);
6129 		}
6130 
6131 		if (test_bit(HCI_ADVERTISING, &hdev->dev_flags))
6132 			enable_advertising(&req);
6133 	}
6134 
6135 	link_sec = test_bit(HCI_LINK_SECURITY, &hdev->dev_flags);
6136 	if (link_sec != test_bit(HCI_AUTH, &hdev->flags))
6137 		hci_req_add(&req, HCI_OP_WRITE_AUTH_ENABLE,
6138 			    sizeof(link_sec), &link_sec);
6139 
6140 	if (lmp_bredr_capable(hdev)) {
6141 		write_fast_connectable(&req, false);
6142 		hci_update_page_scan(hdev, &req);
6143 		update_class(&req);
6144 		update_name(&req);
6145 		update_eir(&req);
6146 	}
6147 
6148 	return hci_req_run(&req, powered_complete);
6149 }
6150 
6151 int mgmt_powered(struct hci_dev *hdev, u8 powered)
6152 {
6153 	struct cmd_lookup match = { NULL, hdev };
6154 	u8 status, zero_cod[] = { 0, 0, 0 };
6155 	int err;
6156 
6157 	if (!test_bit(HCI_MGMT, &hdev->dev_flags))
6158 		return 0;
6159 
6160 	if (powered) {
6161 		if (powered_update_hci(hdev) == 0)
6162 			return 0;
6163 
6164 		mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp,
6165 				     &match);
6166 		goto new_settings;
6167 	}
6168 
6169 	mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp, &match);
6170 
6171 	/* If the power off is because of hdev unregistration let
6172 	 * use the appropriate INVALID_INDEX status. Otherwise use
6173 	 * NOT_POWERED. We cover both scenarios here since later in
6174 	 * mgmt_index_removed() any hci_conn callbacks will have already
6175 	 * been triggered, potentially causing misleading DISCONNECTED
6176 	 * status responses.
6177 	 */
6178 	if (test_bit(HCI_UNREGISTER, &hdev->dev_flags))
6179 		status = MGMT_STATUS_INVALID_INDEX;
6180 	else
6181 		status = MGMT_STATUS_NOT_POWERED;
6182 
6183 	mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &status);
6184 
6185 	if (memcmp(hdev->dev_class, zero_cod, sizeof(zero_cod)) != 0)
6186 		mgmt_event(MGMT_EV_CLASS_OF_DEV_CHANGED, hdev,
6187 			   zero_cod, sizeof(zero_cod), NULL);
6188 
6189 new_settings:
6190 	err = new_settings(hdev, match.sk);
6191 
6192 	if (match.sk)
6193 		sock_put(match.sk);
6194 
6195 	return err;
6196 }
6197 
6198 void mgmt_set_powered_failed(struct hci_dev *hdev, int err)
6199 {
6200 	struct pending_cmd *cmd;
6201 	u8 status;
6202 
6203 	cmd = mgmt_pending_find(MGMT_OP_SET_POWERED, hdev);
6204 	if (!cmd)
6205 		return;
6206 
6207 	if (err == -ERFKILL)
6208 		status = MGMT_STATUS_RFKILLED;
6209 	else
6210 		status = MGMT_STATUS_FAILED;
6211 
6212 	cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_POWERED, status);
6213 
6214 	mgmt_pending_remove(cmd);
6215 }
6216 
6217 void mgmt_discoverable_timeout(struct hci_dev *hdev)
6218 {
6219 	struct hci_request req;
6220 
6221 	hci_dev_lock(hdev);
6222 
6223 	/* When discoverable timeout triggers, then just make sure
6224 	 * the limited discoverable flag is cleared. Even in the case
6225 	 * of a timeout triggered from general discoverable, it is
6226 	 * safe to unconditionally clear the flag.
6227 	 */
6228 	clear_bit(HCI_LIMITED_DISCOVERABLE, &hdev->dev_flags);
6229 	clear_bit(HCI_DISCOVERABLE, &hdev->dev_flags);
6230 
6231 	hci_req_init(&req, hdev);
6232 	if (test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags)) {
6233 		u8 scan = SCAN_PAGE;
6234 		hci_req_add(&req, HCI_OP_WRITE_SCAN_ENABLE,
6235 			    sizeof(scan), &scan);
6236 	}
6237 	update_class(&req);
6238 	update_adv_data(&req);
6239 	hci_req_run(&req, NULL);
6240 
6241 	hdev->discov_timeout = 0;
6242 
6243 	new_settings(hdev, NULL);
6244 
6245 	hci_dev_unlock(hdev);
6246 }
6247 
6248 void mgmt_new_link_key(struct hci_dev *hdev, struct link_key *key,
6249 		       bool persistent)
6250 {
6251 	struct mgmt_ev_new_link_key ev;
6252 
6253 	memset(&ev, 0, sizeof(ev));
6254 
6255 	ev.store_hint = persistent;
6256 	bacpy(&ev.key.addr.bdaddr, &key->bdaddr);
6257 	ev.key.addr.type = BDADDR_BREDR;
6258 	ev.key.type = key->type;
6259 	memcpy(ev.key.val, key->val, HCI_LINK_KEY_SIZE);
6260 	ev.key.pin_len = key->pin_len;
6261 
6262 	mgmt_event(MGMT_EV_NEW_LINK_KEY, hdev, &ev, sizeof(ev), NULL);
6263 }
6264 
6265 static u8 mgmt_ltk_type(struct smp_ltk *ltk)
6266 {
6267 	switch (ltk->type) {
6268 	case SMP_LTK:
6269 	case SMP_LTK_SLAVE:
6270 		if (ltk->authenticated)
6271 			return MGMT_LTK_AUTHENTICATED;
6272 		return MGMT_LTK_UNAUTHENTICATED;
6273 	case SMP_LTK_P256:
6274 		if (ltk->authenticated)
6275 			return MGMT_LTK_P256_AUTH;
6276 		return MGMT_LTK_P256_UNAUTH;
6277 	case SMP_LTK_P256_DEBUG:
6278 		return MGMT_LTK_P256_DEBUG;
6279 	}
6280 
6281 	return MGMT_LTK_UNAUTHENTICATED;
6282 }
6283 
6284 void mgmt_new_ltk(struct hci_dev *hdev, struct smp_ltk *key, bool persistent)
6285 {
6286 	struct mgmt_ev_new_long_term_key ev;
6287 
6288 	memset(&ev, 0, sizeof(ev));
6289 
6290 	/* Devices using resolvable or non-resolvable random addresses
6291 	 * without providing an indentity resolving key don't require
6292 	 * to store long term keys. Their addresses will change the
6293 	 * next time around.
6294 	 *
6295 	 * Only when a remote device provides an identity address
6296 	 * make sure the long term key is stored. If the remote
6297 	 * identity is known, the long term keys are internally
6298 	 * mapped to the identity address. So allow static random
6299 	 * and public addresses here.
6300 	 */
6301 	if (key->bdaddr_type == ADDR_LE_DEV_RANDOM &&
6302 	    (key->bdaddr.b[5] & 0xc0) != 0xc0)
6303 		ev.store_hint = 0x00;
6304 	else
6305 		ev.store_hint = persistent;
6306 
6307 	bacpy(&ev.key.addr.bdaddr, &key->bdaddr);
6308 	ev.key.addr.type = link_to_bdaddr(LE_LINK, key->bdaddr_type);
6309 	ev.key.type = mgmt_ltk_type(key);
6310 	ev.key.enc_size = key->enc_size;
6311 	ev.key.ediv = key->ediv;
6312 	ev.key.rand = key->rand;
6313 
6314 	if (key->type == SMP_LTK)
6315 		ev.key.master = 1;
6316 
6317 	memcpy(ev.key.val, key->val, sizeof(key->val));
6318 
6319 	mgmt_event(MGMT_EV_NEW_LONG_TERM_KEY, hdev, &ev, sizeof(ev), NULL);
6320 }
6321 
6322 void mgmt_new_irk(struct hci_dev *hdev, struct smp_irk *irk)
6323 {
6324 	struct mgmt_ev_new_irk ev;
6325 
6326 	memset(&ev, 0, sizeof(ev));
6327 
6328 	/* For identity resolving keys from devices that are already
6329 	 * using a public address or static random address, do not
6330 	 * ask for storing this key. The identity resolving key really
6331 	 * is only mandatory for devices using resovlable random
6332 	 * addresses.
6333 	 *
6334 	 * Storing all identity resolving keys has the downside that
6335 	 * they will be also loaded on next boot of they system. More
6336 	 * identity resolving keys, means more time during scanning is
6337 	 * needed to actually resolve these addresses.
6338 	 */
6339 	if (bacmp(&irk->rpa, BDADDR_ANY))
6340 		ev.store_hint = 0x01;
6341 	else
6342 		ev.store_hint = 0x00;
6343 
6344 	bacpy(&ev.rpa, &irk->rpa);
6345 	bacpy(&ev.irk.addr.bdaddr, &irk->bdaddr);
6346 	ev.irk.addr.type = link_to_bdaddr(LE_LINK, irk->addr_type);
6347 	memcpy(ev.irk.val, irk->val, sizeof(irk->val));
6348 
6349 	mgmt_event(MGMT_EV_NEW_IRK, hdev, &ev, sizeof(ev), NULL);
6350 }
6351 
6352 void mgmt_new_csrk(struct hci_dev *hdev, struct smp_csrk *csrk,
6353 		   bool persistent)
6354 {
6355 	struct mgmt_ev_new_csrk ev;
6356 
6357 	memset(&ev, 0, sizeof(ev));
6358 
6359 	/* Devices using resolvable or non-resolvable random addresses
6360 	 * without providing an indentity resolving key don't require
6361 	 * to store signature resolving keys. Their addresses will change
6362 	 * the next time around.
6363 	 *
6364 	 * Only when a remote device provides an identity address
6365 	 * make sure the signature resolving key is stored. So allow
6366 	 * static random and public addresses here.
6367 	 */
6368 	if (csrk->bdaddr_type == ADDR_LE_DEV_RANDOM &&
6369 	    (csrk->bdaddr.b[5] & 0xc0) != 0xc0)
6370 		ev.store_hint = 0x00;
6371 	else
6372 		ev.store_hint = persistent;
6373 
6374 	bacpy(&ev.key.addr.bdaddr, &csrk->bdaddr);
6375 	ev.key.addr.type = link_to_bdaddr(LE_LINK, csrk->bdaddr_type);
6376 	ev.key.master = csrk->master;
6377 	memcpy(ev.key.val, csrk->val, sizeof(csrk->val));
6378 
6379 	mgmt_event(MGMT_EV_NEW_CSRK, hdev, &ev, sizeof(ev), NULL);
6380 }
6381 
6382 void mgmt_new_conn_param(struct hci_dev *hdev, bdaddr_t *bdaddr,
6383 			 u8 bdaddr_type, u8 store_hint, u16 min_interval,
6384 			 u16 max_interval, u16 latency, u16 timeout)
6385 {
6386 	struct mgmt_ev_new_conn_param ev;
6387 
6388 	if (!hci_is_identity_address(bdaddr, bdaddr_type))
6389 		return;
6390 
6391 	memset(&ev, 0, sizeof(ev));
6392 	bacpy(&ev.addr.bdaddr, bdaddr);
6393 	ev.addr.type = link_to_bdaddr(LE_LINK, bdaddr_type);
6394 	ev.store_hint = store_hint;
6395 	ev.min_interval = cpu_to_le16(min_interval);
6396 	ev.max_interval = cpu_to_le16(max_interval);
6397 	ev.latency = cpu_to_le16(latency);
6398 	ev.timeout = cpu_to_le16(timeout);
6399 
6400 	mgmt_event(MGMT_EV_NEW_CONN_PARAM, hdev, &ev, sizeof(ev), NULL);
6401 }
6402 
6403 static inline u16 eir_append_data(u8 *eir, u16 eir_len, u8 type, u8 *data,
6404 				  u8 data_len)
6405 {
6406 	eir[eir_len++] = sizeof(type) + data_len;
6407 	eir[eir_len++] = type;
6408 	memcpy(&eir[eir_len], data, data_len);
6409 	eir_len += data_len;
6410 
6411 	return eir_len;
6412 }
6413 
6414 void mgmt_device_connected(struct hci_dev *hdev, struct hci_conn *conn,
6415 			   u32 flags, u8 *name, u8 name_len)
6416 {
6417 	char buf[512];
6418 	struct mgmt_ev_device_connected *ev = (void *) buf;
6419 	u16 eir_len = 0;
6420 
6421 	bacpy(&ev->addr.bdaddr, &conn->dst);
6422 	ev->addr.type = link_to_bdaddr(conn->type, conn->dst_type);
6423 
6424 	ev->flags = __cpu_to_le32(flags);
6425 
6426 	/* We must ensure that the EIR Data fields are ordered and
6427 	 * unique. Keep it simple for now and avoid the problem by not
6428 	 * adding any BR/EDR data to the LE adv.
6429 	 */
6430 	if (conn->le_adv_data_len > 0) {
6431 		memcpy(&ev->eir[eir_len],
6432 		       conn->le_adv_data, conn->le_adv_data_len);
6433 		eir_len = conn->le_adv_data_len;
6434 	} else {
6435 		if (name_len > 0)
6436 			eir_len = eir_append_data(ev->eir, 0, EIR_NAME_COMPLETE,
6437 						  name, name_len);
6438 
6439 		if (memcmp(conn->dev_class, "\0\0\0", 3) != 0)
6440 			eir_len = eir_append_data(ev->eir, eir_len,
6441 						  EIR_CLASS_OF_DEV,
6442 						  conn->dev_class, 3);
6443 	}
6444 
6445 	ev->eir_len = cpu_to_le16(eir_len);
6446 
6447 	mgmt_event(MGMT_EV_DEVICE_CONNECTED, hdev, buf,
6448 		    sizeof(*ev) + eir_len, NULL);
6449 }
6450 
6451 static void disconnect_rsp(struct pending_cmd *cmd, void *data)
6452 {
6453 	struct sock **sk = data;
6454 
6455 	cmd->cmd_complete(cmd, 0);
6456 
6457 	*sk = cmd->sk;
6458 	sock_hold(*sk);
6459 
6460 	mgmt_pending_remove(cmd);
6461 }
6462 
6463 static void unpair_device_rsp(struct pending_cmd *cmd, void *data)
6464 {
6465 	struct hci_dev *hdev = data;
6466 	struct mgmt_cp_unpair_device *cp = cmd->param;
6467 
6468 	device_unpaired(hdev, &cp->addr.bdaddr, cp->addr.type, cmd->sk);
6469 
6470 	cmd->cmd_complete(cmd, 0);
6471 	mgmt_pending_remove(cmd);
6472 }
6473 
6474 bool mgmt_powering_down(struct hci_dev *hdev)
6475 {
6476 	struct pending_cmd *cmd;
6477 	struct mgmt_mode *cp;
6478 
6479 	cmd = mgmt_pending_find(MGMT_OP_SET_POWERED, hdev);
6480 	if (!cmd)
6481 		return false;
6482 
6483 	cp = cmd->param;
6484 	if (!cp->val)
6485 		return true;
6486 
6487 	return false;
6488 }
6489 
6490 void mgmt_device_disconnected(struct hci_dev *hdev, bdaddr_t *bdaddr,
6491 			      u8 link_type, u8 addr_type, u8 reason,
6492 			      bool mgmt_connected)
6493 {
6494 	struct mgmt_ev_device_disconnected ev;
6495 	struct sock *sk = NULL;
6496 
6497 	/* The connection is still in hci_conn_hash so test for 1
6498 	 * instead of 0 to know if this is the last one.
6499 	 */
6500 	if (mgmt_powering_down(hdev) && hci_conn_count(hdev) == 1) {
6501 		cancel_delayed_work(&hdev->power_off);
6502 		queue_work(hdev->req_workqueue, &hdev->power_off.work);
6503 	}
6504 
6505 	if (!mgmt_connected)
6506 		return;
6507 
6508 	if (link_type != ACL_LINK && link_type != LE_LINK)
6509 		return;
6510 
6511 	mgmt_pending_foreach(MGMT_OP_DISCONNECT, hdev, disconnect_rsp, &sk);
6512 
6513 	bacpy(&ev.addr.bdaddr, bdaddr);
6514 	ev.addr.type = link_to_bdaddr(link_type, addr_type);
6515 	ev.reason = reason;
6516 
6517 	mgmt_event(MGMT_EV_DEVICE_DISCONNECTED, hdev, &ev, sizeof(ev), sk);
6518 
6519 	if (sk)
6520 		sock_put(sk);
6521 
6522 	mgmt_pending_foreach(MGMT_OP_UNPAIR_DEVICE, hdev, unpair_device_rsp,
6523 			     hdev);
6524 }
6525 
6526 void mgmt_disconnect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr,
6527 			    u8 link_type, u8 addr_type, u8 status)
6528 {
6529 	u8 bdaddr_type = link_to_bdaddr(link_type, addr_type);
6530 	struct mgmt_cp_disconnect *cp;
6531 	struct pending_cmd *cmd;
6532 
6533 	mgmt_pending_foreach(MGMT_OP_UNPAIR_DEVICE, hdev, unpair_device_rsp,
6534 			     hdev);
6535 
6536 	cmd = mgmt_pending_find(MGMT_OP_DISCONNECT, hdev);
6537 	if (!cmd)
6538 		return;
6539 
6540 	cp = cmd->param;
6541 
6542 	if (bacmp(bdaddr, &cp->addr.bdaddr))
6543 		return;
6544 
6545 	if (cp->addr.type != bdaddr_type)
6546 		return;
6547 
6548 	cmd->cmd_complete(cmd, mgmt_status(status));
6549 	mgmt_pending_remove(cmd);
6550 }
6551 
6552 void mgmt_connect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
6553 			 u8 addr_type, u8 status)
6554 {
6555 	struct mgmt_ev_connect_failed ev;
6556 
6557 	/* The connection is still in hci_conn_hash so test for 1
6558 	 * instead of 0 to know if this is the last one.
6559 	 */
6560 	if (mgmt_powering_down(hdev) && hci_conn_count(hdev) == 1) {
6561 		cancel_delayed_work(&hdev->power_off);
6562 		queue_work(hdev->req_workqueue, &hdev->power_off.work);
6563 	}
6564 
6565 	bacpy(&ev.addr.bdaddr, bdaddr);
6566 	ev.addr.type = link_to_bdaddr(link_type, addr_type);
6567 	ev.status = mgmt_status(status);
6568 
6569 	mgmt_event(MGMT_EV_CONNECT_FAILED, hdev, &ev, sizeof(ev), NULL);
6570 }
6571 
6572 void mgmt_pin_code_request(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 secure)
6573 {
6574 	struct mgmt_ev_pin_code_request ev;
6575 
6576 	bacpy(&ev.addr.bdaddr, bdaddr);
6577 	ev.addr.type = BDADDR_BREDR;
6578 	ev.secure = secure;
6579 
6580 	mgmt_event(MGMT_EV_PIN_CODE_REQUEST, hdev, &ev, sizeof(ev), NULL);
6581 }
6582 
6583 void mgmt_pin_code_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
6584 				  u8 status)
6585 {
6586 	struct pending_cmd *cmd;
6587 
6588 	cmd = mgmt_pending_find(MGMT_OP_PIN_CODE_REPLY, hdev);
6589 	if (!cmd)
6590 		return;
6591 
6592 	cmd->cmd_complete(cmd, mgmt_status(status));
6593 	mgmt_pending_remove(cmd);
6594 }
6595 
6596 void mgmt_pin_code_neg_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
6597 				      u8 status)
6598 {
6599 	struct pending_cmd *cmd;
6600 
6601 	cmd = mgmt_pending_find(MGMT_OP_PIN_CODE_NEG_REPLY, hdev);
6602 	if (!cmd)
6603 		return;
6604 
6605 	cmd->cmd_complete(cmd, mgmt_status(status));
6606 	mgmt_pending_remove(cmd);
6607 }
6608 
6609 int mgmt_user_confirm_request(struct hci_dev *hdev, bdaddr_t *bdaddr,
6610 			      u8 link_type, u8 addr_type, u32 value,
6611 			      u8 confirm_hint)
6612 {
6613 	struct mgmt_ev_user_confirm_request ev;
6614 
6615 	BT_DBG("%s", hdev->name);
6616 
6617 	bacpy(&ev.addr.bdaddr, bdaddr);
6618 	ev.addr.type = link_to_bdaddr(link_type, addr_type);
6619 	ev.confirm_hint = confirm_hint;
6620 	ev.value = cpu_to_le32(value);
6621 
6622 	return mgmt_event(MGMT_EV_USER_CONFIRM_REQUEST, hdev, &ev, sizeof(ev),
6623 			  NULL);
6624 }
6625 
6626 int mgmt_user_passkey_request(struct hci_dev *hdev, bdaddr_t *bdaddr,
6627 			      u8 link_type, u8 addr_type)
6628 {
6629 	struct mgmt_ev_user_passkey_request ev;
6630 
6631 	BT_DBG("%s", hdev->name);
6632 
6633 	bacpy(&ev.addr.bdaddr, bdaddr);
6634 	ev.addr.type = link_to_bdaddr(link_type, addr_type);
6635 
6636 	return mgmt_event(MGMT_EV_USER_PASSKEY_REQUEST, hdev, &ev, sizeof(ev),
6637 			  NULL);
6638 }
6639 
6640 static int user_pairing_resp_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
6641 				      u8 link_type, u8 addr_type, u8 status,
6642 				      u8 opcode)
6643 {
6644 	struct pending_cmd *cmd;
6645 
6646 	cmd = mgmt_pending_find(opcode, hdev);
6647 	if (!cmd)
6648 		return -ENOENT;
6649 
6650 	cmd->cmd_complete(cmd, mgmt_status(status));
6651 	mgmt_pending_remove(cmd);
6652 
6653 	return 0;
6654 }
6655 
6656 int mgmt_user_confirm_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
6657 				     u8 link_type, u8 addr_type, u8 status)
6658 {
6659 	return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
6660 					  status, MGMT_OP_USER_CONFIRM_REPLY);
6661 }
6662 
6663 int mgmt_user_confirm_neg_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
6664 					 u8 link_type, u8 addr_type, u8 status)
6665 {
6666 	return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
6667 					  status,
6668 					  MGMT_OP_USER_CONFIRM_NEG_REPLY);
6669 }
6670 
6671 int mgmt_user_passkey_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
6672 				     u8 link_type, u8 addr_type, u8 status)
6673 {
6674 	return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
6675 					  status, MGMT_OP_USER_PASSKEY_REPLY);
6676 }
6677 
6678 int mgmt_user_passkey_neg_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
6679 					 u8 link_type, u8 addr_type, u8 status)
6680 {
6681 	return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
6682 					  status,
6683 					  MGMT_OP_USER_PASSKEY_NEG_REPLY);
6684 }
6685 
6686 int mgmt_user_passkey_notify(struct hci_dev *hdev, bdaddr_t *bdaddr,
6687 			     u8 link_type, u8 addr_type, u32 passkey,
6688 			     u8 entered)
6689 {
6690 	struct mgmt_ev_passkey_notify ev;
6691 
6692 	BT_DBG("%s", hdev->name);
6693 
6694 	bacpy(&ev.addr.bdaddr, bdaddr);
6695 	ev.addr.type = link_to_bdaddr(link_type, addr_type);
6696 	ev.passkey = __cpu_to_le32(passkey);
6697 	ev.entered = entered;
6698 
6699 	return mgmt_event(MGMT_EV_PASSKEY_NOTIFY, hdev, &ev, sizeof(ev), NULL);
6700 }
6701 
6702 void mgmt_auth_failed(struct hci_conn *conn, u8 hci_status)
6703 {
6704 	struct mgmt_ev_auth_failed ev;
6705 	struct pending_cmd *cmd;
6706 	u8 status = mgmt_status(hci_status);
6707 
6708 	bacpy(&ev.addr.bdaddr, &conn->dst);
6709 	ev.addr.type = link_to_bdaddr(conn->type, conn->dst_type);
6710 	ev.status = status;
6711 
6712 	cmd = find_pairing(conn);
6713 
6714 	mgmt_event(MGMT_EV_AUTH_FAILED, conn->hdev, &ev, sizeof(ev),
6715 		    cmd ? cmd->sk : NULL);
6716 
6717 	if (cmd) {
6718 		cmd->cmd_complete(cmd, status);
6719 		mgmt_pending_remove(cmd);
6720 	}
6721 }
6722 
6723 void mgmt_auth_enable_complete(struct hci_dev *hdev, u8 status)
6724 {
6725 	struct cmd_lookup match = { NULL, hdev };
6726 	bool changed;
6727 
6728 	if (status) {
6729 		u8 mgmt_err = mgmt_status(status);
6730 		mgmt_pending_foreach(MGMT_OP_SET_LINK_SECURITY, hdev,
6731 				     cmd_status_rsp, &mgmt_err);
6732 		return;
6733 	}
6734 
6735 	if (test_bit(HCI_AUTH, &hdev->flags))
6736 		changed = !test_and_set_bit(HCI_LINK_SECURITY,
6737 					    &hdev->dev_flags);
6738 	else
6739 		changed = test_and_clear_bit(HCI_LINK_SECURITY,
6740 					     &hdev->dev_flags);
6741 
6742 	mgmt_pending_foreach(MGMT_OP_SET_LINK_SECURITY, hdev, settings_rsp,
6743 			     &match);
6744 
6745 	if (changed)
6746 		new_settings(hdev, match.sk);
6747 
6748 	if (match.sk)
6749 		sock_put(match.sk);
6750 }
6751 
6752 static void clear_eir(struct hci_request *req)
6753 {
6754 	struct hci_dev *hdev = req->hdev;
6755 	struct hci_cp_write_eir cp;
6756 
6757 	if (!lmp_ext_inq_capable(hdev))
6758 		return;
6759 
6760 	memset(hdev->eir, 0, sizeof(hdev->eir));
6761 
6762 	memset(&cp, 0, sizeof(cp));
6763 
6764 	hci_req_add(req, HCI_OP_WRITE_EIR, sizeof(cp), &cp);
6765 }
6766 
6767 void mgmt_ssp_enable_complete(struct hci_dev *hdev, u8 enable, u8 status)
6768 {
6769 	struct cmd_lookup match = { NULL, hdev };
6770 	struct hci_request req;
6771 	bool changed = false;
6772 
6773 	if (status) {
6774 		u8 mgmt_err = mgmt_status(status);
6775 
6776 		if (enable && test_and_clear_bit(HCI_SSP_ENABLED,
6777 						 &hdev->dev_flags)) {
6778 			clear_bit(HCI_HS_ENABLED, &hdev->dev_flags);
6779 			new_settings(hdev, NULL);
6780 		}
6781 
6782 		mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, cmd_status_rsp,
6783 				     &mgmt_err);
6784 		return;
6785 	}
6786 
6787 	if (enable) {
6788 		changed = !test_and_set_bit(HCI_SSP_ENABLED, &hdev->dev_flags);
6789 	} else {
6790 		changed = test_and_clear_bit(HCI_SSP_ENABLED, &hdev->dev_flags);
6791 		if (!changed)
6792 			changed = test_and_clear_bit(HCI_HS_ENABLED,
6793 						     &hdev->dev_flags);
6794 		else
6795 			clear_bit(HCI_HS_ENABLED, &hdev->dev_flags);
6796 	}
6797 
6798 	mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, settings_rsp, &match);
6799 
6800 	if (changed)
6801 		new_settings(hdev, match.sk);
6802 
6803 	if (match.sk)
6804 		sock_put(match.sk);
6805 
6806 	hci_req_init(&req, hdev);
6807 
6808 	if (test_bit(HCI_SSP_ENABLED, &hdev->dev_flags)) {
6809 		if (test_bit(HCI_USE_DEBUG_KEYS, &hdev->dev_flags))
6810 			hci_req_add(&req, HCI_OP_WRITE_SSP_DEBUG_MODE,
6811 				    sizeof(enable), &enable);
6812 		update_eir(&req);
6813 	} else {
6814 		clear_eir(&req);
6815 	}
6816 
6817 	hci_req_run(&req, NULL);
6818 }
6819 
6820 void mgmt_sc_enable_complete(struct hci_dev *hdev, u8 enable, u8 status)
6821 {
6822 	struct cmd_lookup match = { NULL, hdev };
6823 	bool changed = false;
6824 
6825 	if (status) {
6826 		u8 mgmt_err = mgmt_status(status);
6827 
6828 		if (enable) {
6829 			if (test_and_clear_bit(HCI_SC_ENABLED,
6830 					       &hdev->dev_flags))
6831 				new_settings(hdev, NULL);
6832 			clear_bit(HCI_SC_ONLY, &hdev->dev_flags);
6833 		}
6834 
6835 		mgmt_pending_foreach(MGMT_OP_SET_SECURE_CONN, hdev,
6836 				     cmd_status_rsp, &mgmt_err);
6837 		return;
6838 	}
6839 
6840 	if (enable) {
6841 		changed = !test_and_set_bit(HCI_SC_ENABLED, &hdev->dev_flags);
6842 	} else {
6843 		changed = test_and_clear_bit(HCI_SC_ENABLED, &hdev->dev_flags);
6844 		clear_bit(HCI_SC_ONLY, &hdev->dev_flags);
6845 	}
6846 
6847 	mgmt_pending_foreach(MGMT_OP_SET_SECURE_CONN, hdev,
6848 			     settings_rsp, &match);
6849 
6850 	if (changed)
6851 		new_settings(hdev, match.sk);
6852 
6853 	if (match.sk)
6854 		sock_put(match.sk);
6855 }
6856 
6857 static void sk_lookup(struct pending_cmd *cmd, void *data)
6858 {
6859 	struct cmd_lookup *match = data;
6860 
6861 	if (match->sk == NULL) {
6862 		match->sk = cmd->sk;
6863 		sock_hold(match->sk);
6864 	}
6865 }
6866 
6867 void mgmt_set_class_of_dev_complete(struct hci_dev *hdev, u8 *dev_class,
6868 				    u8 status)
6869 {
6870 	struct cmd_lookup match = { NULL, hdev, mgmt_status(status) };
6871 
6872 	mgmt_pending_foreach(MGMT_OP_SET_DEV_CLASS, hdev, sk_lookup, &match);
6873 	mgmt_pending_foreach(MGMT_OP_ADD_UUID, hdev, sk_lookup, &match);
6874 	mgmt_pending_foreach(MGMT_OP_REMOVE_UUID, hdev, sk_lookup, &match);
6875 
6876 	if (!status)
6877 		mgmt_event(MGMT_EV_CLASS_OF_DEV_CHANGED, hdev, dev_class, 3,
6878 			   NULL);
6879 
6880 	if (match.sk)
6881 		sock_put(match.sk);
6882 }
6883 
6884 void mgmt_set_local_name_complete(struct hci_dev *hdev, u8 *name, u8 status)
6885 {
6886 	struct mgmt_cp_set_local_name ev;
6887 	struct pending_cmd *cmd;
6888 
6889 	if (status)
6890 		return;
6891 
6892 	memset(&ev, 0, sizeof(ev));
6893 	memcpy(ev.name, name, HCI_MAX_NAME_LENGTH);
6894 	memcpy(ev.short_name, hdev->short_name, HCI_MAX_SHORT_NAME_LENGTH);
6895 
6896 	cmd = mgmt_pending_find(MGMT_OP_SET_LOCAL_NAME, hdev);
6897 	if (!cmd) {
6898 		memcpy(hdev->dev_name, name, sizeof(hdev->dev_name));
6899 
6900 		/* If this is a HCI command related to powering on the
6901 		 * HCI dev don't send any mgmt signals.
6902 		 */
6903 		if (mgmt_pending_find(MGMT_OP_SET_POWERED, hdev))
6904 			return;
6905 	}
6906 
6907 	mgmt_event(MGMT_EV_LOCAL_NAME_CHANGED, hdev, &ev, sizeof(ev),
6908 		   cmd ? cmd->sk : NULL);
6909 }
6910 
6911 void mgmt_read_local_oob_data_complete(struct hci_dev *hdev, u8 *hash192,
6912 				       u8 *rand192, u8 *hash256, u8 *rand256,
6913 				       u8 status)
6914 {
6915 	struct pending_cmd *cmd;
6916 
6917 	BT_DBG("%s status %u", hdev->name, status);
6918 
6919 	cmd = mgmt_pending_find(MGMT_OP_READ_LOCAL_OOB_DATA, hdev);
6920 	if (!cmd)
6921 		return;
6922 
6923 	if (status) {
6924 		cmd_status(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
6925 			   mgmt_status(status));
6926 	} else {
6927 		if (bredr_sc_enabled(hdev) && hash256 && rand256) {
6928 			struct mgmt_rp_read_local_oob_ext_data rp;
6929 
6930 			memcpy(rp.hash192, hash192, sizeof(rp.hash192));
6931 			memcpy(rp.rand192, rand192, sizeof(rp.rand192));
6932 
6933 			memcpy(rp.hash256, hash256, sizeof(rp.hash256));
6934 			memcpy(rp.rand256, rand256, sizeof(rp.rand256));
6935 
6936 			cmd_complete(cmd->sk, hdev->id,
6937 				     MGMT_OP_READ_LOCAL_OOB_DATA, 0,
6938 				     &rp, sizeof(rp));
6939 		} else {
6940 			struct mgmt_rp_read_local_oob_data rp;
6941 
6942 			memcpy(rp.hash, hash192, sizeof(rp.hash));
6943 			memcpy(rp.rand, rand192, sizeof(rp.rand));
6944 
6945 			cmd_complete(cmd->sk, hdev->id,
6946 				     MGMT_OP_READ_LOCAL_OOB_DATA, 0,
6947 				     &rp, sizeof(rp));
6948 		}
6949 	}
6950 
6951 	mgmt_pending_remove(cmd);
6952 }
6953 
6954 static inline bool has_uuid(u8 *uuid, u16 uuid_count, u8 (*uuids)[16])
6955 {
6956 	int i;
6957 
6958 	for (i = 0; i < uuid_count; i++) {
6959 		if (!memcmp(uuid, uuids[i], 16))
6960 			return true;
6961 	}
6962 
6963 	return false;
6964 }
6965 
6966 static bool eir_has_uuids(u8 *eir, u16 eir_len, u16 uuid_count, u8 (*uuids)[16])
6967 {
6968 	u16 parsed = 0;
6969 
6970 	while (parsed < eir_len) {
6971 		u8 field_len = eir[0];
6972 		u8 uuid[16];
6973 		int i;
6974 
6975 		if (field_len == 0)
6976 			break;
6977 
6978 		if (eir_len - parsed < field_len + 1)
6979 			break;
6980 
6981 		switch (eir[1]) {
6982 		case EIR_UUID16_ALL:
6983 		case EIR_UUID16_SOME:
6984 			for (i = 0; i + 3 <= field_len; i += 2) {
6985 				memcpy(uuid, bluetooth_base_uuid, 16);
6986 				uuid[13] = eir[i + 3];
6987 				uuid[12] = eir[i + 2];
6988 				if (has_uuid(uuid, uuid_count, uuids))
6989 					return true;
6990 			}
6991 			break;
6992 		case EIR_UUID32_ALL:
6993 		case EIR_UUID32_SOME:
6994 			for (i = 0; i + 5 <= field_len; i += 4) {
6995 				memcpy(uuid, bluetooth_base_uuid, 16);
6996 				uuid[15] = eir[i + 5];
6997 				uuid[14] = eir[i + 4];
6998 				uuid[13] = eir[i + 3];
6999 				uuid[12] = eir[i + 2];
7000 				if (has_uuid(uuid, uuid_count, uuids))
7001 					return true;
7002 			}
7003 			break;
7004 		case EIR_UUID128_ALL:
7005 		case EIR_UUID128_SOME:
7006 			for (i = 0; i + 17 <= field_len; i += 16) {
7007 				memcpy(uuid, eir + i + 2, 16);
7008 				if (has_uuid(uuid, uuid_count, uuids))
7009 					return true;
7010 			}
7011 			break;
7012 		}
7013 
7014 		parsed += field_len + 1;
7015 		eir += field_len + 1;
7016 	}
7017 
7018 	return false;
7019 }
7020 
7021 void mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
7022 		       u8 addr_type, u8 *dev_class, s8 rssi, u32 flags,
7023 		       u8 *eir, u16 eir_len, u8 *scan_rsp, u8 scan_rsp_len)
7024 {
7025 	char buf[512];
7026 	struct mgmt_ev_device_found *ev = (void *) buf;
7027 	size_t ev_size;
7028 	bool match;
7029 
7030 	/* Don't send events for a non-kernel initiated discovery. With
7031 	 * LE one exception is if we have pend_le_reports > 0 in which
7032 	 * case we're doing passive scanning and want these events.
7033 	 */
7034 	if (!hci_discovery_active(hdev)) {
7035 		if (link_type == ACL_LINK)
7036 			return;
7037 		if (link_type == LE_LINK && list_empty(&hdev->pend_le_reports))
7038 			return;
7039 	}
7040 
7041 	/* When using service discovery with a RSSI threshold, then check
7042 	 * if such a RSSI threshold is specified. If a RSSI threshold has
7043 	 * been specified, then all results with a RSSI smaller than the
7044 	 * RSSI threshold will be dropped.
7045 	 *
7046 	 * For BR/EDR devices (pre 1.2) providing no RSSI during inquiry,
7047 	 * the results are also dropped.
7048 	 */
7049 	if (hdev->discovery.rssi != HCI_RSSI_INVALID &&
7050 	    (rssi < hdev->discovery.rssi || rssi == HCI_RSSI_INVALID))
7051 		return;
7052 
7053 	/* Make sure that the buffer is big enough. The 5 extra bytes
7054 	 * are for the potential CoD field.
7055 	 */
7056 	if (sizeof(*ev) + eir_len + scan_rsp_len + 5 > sizeof(buf))
7057 		return;
7058 
7059 	memset(buf, 0, sizeof(buf));
7060 
7061 	/* In case of device discovery with BR/EDR devices (pre 1.2), the
7062 	 * RSSI value was reported as 0 when not available. This behavior
7063 	 * is kept when using device discovery. This is required for full
7064 	 * backwards compatibility with the API.
7065 	 *
7066 	 * However when using service discovery, the value 127 will be
7067 	 * returned when the RSSI is not available.
7068 	 */
7069 	if (rssi == HCI_RSSI_INVALID && !hdev->discovery.report_invalid_rssi)
7070 		rssi = 0;
7071 
7072 	bacpy(&ev->addr.bdaddr, bdaddr);
7073 	ev->addr.type = link_to_bdaddr(link_type, addr_type);
7074 	ev->rssi = rssi;
7075 	ev->flags = cpu_to_le32(flags);
7076 
7077 	if (eir_len > 0) {
7078 		/* When using service discovery and a list of UUID is
7079 		 * provided, results with no matching UUID should be
7080 		 * dropped. In case there is a match the result is
7081 		 * kept and checking possible scan response data
7082 		 * will be skipped.
7083 		 */
7084 		if (hdev->discovery.uuid_count > 0)
7085 			match = eir_has_uuids(eir, eir_len,
7086 					      hdev->discovery.uuid_count,
7087 					      hdev->discovery.uuids);
7088 		else
7089 			match = true;
7090 
7091 		if (!match && !scan_rsp_len)
7092 			return;
7093 
7094 		/* Copy EIR or advertising data into event */
7095 		memcpy(ev->eir, eir, eir_len);
7096 	} else {
7097 		/* When using service discovery and a list of UUID is
7098 		 * provided, results with empty EIR or advertising data
7099 		 * should be dropped since they do not match any UUID.
7100 		 */
7101 		if (hdev->discovery.uuid_count > 0 && !scan_rsp_len)
7102 			return;
7103 
7104 		match = false;
7105 	}
7106 
7107 	if (dev_class && !eir_has_data_type(ev->eir, eir_len, EIR_CLASS_OF_DEV))
7108 		eir_len = eir_append_data(ev->eir, eir_len, EIR_CLASS_OF_DEV,
7109 					  dev_class, 3);
7110 
7111 	if (scan_rsp_len > 0) {
7112 		/* When using service discovery and a list of UUID is
7113 		 * provided, results with no matching UUID should be
7114 		 * dropped if there is no previous match from the
7115 		 * advertising data.
7116 		 */
7117 		if (hdev->discovery.uuid_count > 0) {
7118 			if (!match && !eir_has_uuids(scan_rsp, scan_rsp_len,
7119 						     hdev->discovery.uuid_count,
7120 						     hdev->discovery.uuids))
7121 				return;
7122 		}
7123 
7124 		/* Append scan response data to event */
7125 		memcpy(ev->eir + eir_len, scan_rsp, scan_rsp_len);
7126 	} else {
7127 		/* When using service discovery and a list of UUID is
7128 		 * provided, results with empty scan response and no
7129 		 * previous matched advertising data should be dropped.
7130 		 */
7131 		if (hdev->discovery.uuid_count > 0 && !match)
7132 			return;
7133 	}
7134 
7135 	ev->eir_len = cpu_to_le16(eir_len + scan_rsp_len);
7136 	ev_size = sizeof(*ev) + eir_len + scan_rsp_len;
7137 
7138 	mgmt_event(MGMT_EV_DEVICE_FOUND, hdev, ev, ev_size, NULL);
7139 }
7140 
7141 void mgmt_remote_name(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
7142 		      u8 addr_type, s8 rssi, u8 *name, u8 name_len)
7143 {
7144 	struct mgmt_ev_device_found *ev;
7145 	char buf[sizeof(*ev) + HCI_MAX_NAME_LENGTH + 2];
7146 	u16 eir_len;
7147 
7148 	ev = (struct mgmt_ev_device_found *) buf;
7149 
7150 	memset(buf, 0, sizeof(buf));
7151 
7152 	bacpy(&ev->addr.bdaddr, bdaddr);
7153 	ev->addr.type = link_to_bdaddr(link_type, addr_type);
7154 	ev->rssi = rssi;
7155 
7156 	eir_len = eir_append_data(ev->eir, 0, EIR_NAME_COMPLETE, name,
7157 				  name_len);
7158 
7159 	ev->eir_len = cpu_to_le16(eir_len);
7160 
7161 	mgmt_event(MGMT_EV_DEVICE_FOUND, hdev, ev, sizeof(*ev) + eir_len, NULL);
7162 }
7163 
7164 void mgmt_discovering(struct hci_dev *hdev, u8 discovering)
7165 {
7166 	struct mgmt_ev_discovering ev;
7167 
7168 	BT_DBG("%s discovering %u", hdev->name, discovering);
7169 
7170 	memset(&ev, 0, sizeof(ev));
7171 	ev.type = hdev->discovery.type;
7172 	ev.discovering = discovering;
7173 
7174 	mgmt_event(MGMT_EV_DISCOVERING, hdev, &ev, sizeof(ev), NULL);
7175 }
7176 
7177 static void adv_enable_complete(struct hci_dev *hdev, u8 status)
7178 {
7179 	BT_DBG("%s status %u", hdev->name, status);
7180 }
7181 
7182 void mgmt_reenable_advertising(struct hci_dev *hdev)
7183 {
7184 	struct hci_request req;
7185 
7186 	if (!test_bit(HCI_ADVERTISING, &hdev->dev_flags))
7187 		return;
7188 
7189 	hci_req_init(&req, hdev);
7190 	enable_advertising(&req);
7191 	hci_req_run(&req, adv_enable_complete);
7192 }
7193