xref: /openbmc/linux/net/bluetooth/mgmt.c (revision aaa746ad)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3 
4    Copyright (C) 2010  Nokia Corporation
5    Copyright (C) 2011-2012 Intel Corporation
6 
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License version 2 as
9    published by the Free Software Foundation;
10 
11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 
20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22    SOFTWARE IS DISCLAIMED.
23 */
24 
25 /* Bluetooth HCI Management interface */
26 
27 #include <linux/module.h>
28 #include <asm/unaligned.h>
29 
30 #include <net/bluetooth/bluetooth.h>
31 #include <net/bluetooth/hci_core.h>
32 #include <net/bluetooth/hci_sock.h>
33 #include <net/bluetooth/l2cap.h>
34 #include <net/bluetooth/mgmt.h>
35 
36 #include "hci_request.h"
37 #include "smp.h"
38 #include "mgmt_util.h"
39 #include "mgmt_config.h"
40 #include "msft.h"
41 #include "eir.h"
42 #include "aosp.h"
43 
44 #define MGMT_VERSION	1
45 #define MGMT_REVISION	22
46 
47 static const u16 mgmt_commands[] = {
48 	MGMT_OP_READ_INDEX_LIST,
49 	MGMT_OP_READ_INFO,
50 	MGMT_OP_SET_POWERED,
51 	MGMT_OP_SET_DISCOVERABLE,
52 	MGMT_OP_SET_CONNECTABLE,
53 	MGMT_OP_SET_FAST_CONNECTABLE,
54 	MGMT_OP_SET_BONDABLE,
55 	MGMT_OP_SET_LINK_SECURITY,
56 	MGMT_OP_SET_SSP,
57 	MGMT_OP_SET_HS,
58 	MGMT_OP_SET_LE,
59 	MGMT_OP_SET_DEV_CLASS,
60 	MGMT_OP_SET_LOCAL_NAME,
61 	MGMT_OP_ADD_UUID,
62 	MGMT_OP_REMOVE_UUID,
63 	MGMT_OP_LOAD_LINK_KEYS,
64 	MGMT_OP_LOAD_LONG_TERM_KEYS,
65 	MGMT_OP_DISCONNECT,
66 	MGMT_OP_GET_CONNECTIONS,
67 	MGMT_OP_PIN_CODE_REPLY,
68 	MGMT_OP_PIN_CODE_NEG_REPLY,
69 	MGMT_OP_SET_IO_CAPABILITY,
70 	MGMT_OP_PAIR_DEVICE,
71 	MGMT_OP_CANCEL_PAIR_DEVICE,
72 	MGMT_OP_UNPAIR_DEVICE,
73 	MGMT_OP_USER_CONFIRM_REPLY,
74 	MGMT_OP_USER_CONFIRM_NEG_REPLY,
75 	MGMT_OP_USER_PASSKEY_REPLY,
76 	MGMT_OP_USER_PASSKEY_NEG_REPLY,
77 	MGMT_OP_READ_LOCAL_OOB_DATA,
78 	MGMT_OP_ADD_REMOTE_OOB_DATA,
79 	MGMT_OP_REMOVE_REMOTE_OOB_DATA,
80 	MGMT_OP_START_DISCOVERY,
81 	MGMT_OP_STOP_DISCOVERY,
82 	MGMT_OP_CONFIRM_NAME,
83 	MGMT_OP_BLOCK_DEVICE,
84 	MGMT_OP_UNBLOCK_DEVICE,
85 	MGMT_OP_SET_DEVICE_ID,
86 	MGMT_OP_SET_ADVERTISING,
87 	MGMT_OP_SET_BREDR,
88 	MGMT_OP_SET_STATIC_ADDRESS,
89 	MGMT_OP_SET_SCAN_PARAMS,
90 	MGMT_OP_SET_SECURE_CONN,
91 	MGMT_OP_SET_DEBUG_KEYS,
92 	MGMT_OP_SET_PRIVACY,
93 	MGMT_OP_LOAD_IRKS,
94 	MGMT_OP_GET_CONN_INFO,
95 	MGMT_OP_GET_CLOCK_INFO,
96 	MGMT_OP_ADD_DEVICE,
97 	MGMT_OP_REMOVE_DEVICE,
98 	MGMT_OP_LOAD_CONN_PARAM,
99 	MGMT_OP_READ_UNCONF_INDEX_LIST,
100 	MGMT_OP_READ_CONFIG_INFO,
101 	MGMT_OP_SET_EXTERNAL_CONFIG,
102 	MGMT_OP_SET_PUBLIC_ADDRESS,
103 	MGMT_OP_START_SERVICE_DISCOVERY,
104 	MGMT_OP_READ_LOCAL_OOB_EXT_DATA,
105 	MGMT_OP_READ_EXT_INDEX_LIST,
106 	MGMT_OP_READ_ADV_FEATURES,
107 	MGMT_OP_ADD_ADVERTISING,
108 	MGMT_OP_REMOVE_ADVERTISING,
109 	MGMT_OP_GET_ADV_SIZE_INFO,
110 	MGMT_OP_START_LIMITED_DISCOVERY,
111 	MGMT_OP_READ_EXT_INFO,
112 	MGMT_OP_SET_APPEARANCE,
113 	MGMT_OP_GET_PHY_CONFIGURATION,
114 	MGMT_OP_SET_PHY_CONFIGURATION,
115 	MGMT_OP_SET_BLOCKED_KEYS,
116 	MGMT_OP_SET_WIDEBAND_SPEECH,
117 	MGMT_OP_READ_CONTROLLER_CAP,
118 	MGMT_OP_READ_EXP_FEATURES_INFO,
119 	MGMT_OP_SET_EXP_FEATURE,
120 	MGMT_OP_READ_DEF_SYSTEM_CONFIG,
121 	MGMT_OP_SET_DEF_SYSTEM_CONFIG,
122 	MGMT_OP_READ_DEF_RUNTIME_CONFIG,
123 	MGMT_OP_SET_DEF_RUNTIME_CONFIG,
124 	MGMT_OP_GET_DEVICE_FLAGS,
125 	MGMT_OP_SET_DEVICE_FLAGS,
126 	MGMT_OP_READ_ADV_MONITOR_FEATURES,
127 	MGMT_OP_ADD_ADV_PATTERNS_MONITOR,
128 	MGMT_OP_REMOVE_ADV_MONITOR,
129 	MGMT_OP_ADD_EXT_ADV_PARAMS,
130 	MGMT_OP_ADD_EXT_ADV_DATA,
131 	MGMT_OP_ADD_ADV_PATTERNS_MONITOR_RSSI,
132 	MGMT_OP_SET_MESH_RECEIVER,
133 	MGMT_OP_MESH_READ_FEATURES,
134 	MGMT_OP_MESH_SEND,
135 	MGMT_OP_MESH_SEND_CANCEL,
136 };
137 
138 static const u16 mgmt_events[] = {
139 	MGMT_EV_CONTROLLER_ERROR,
140 	MGMT_EV_INDEX_ADDED,
141 	MGMT_EV_INDEX_REMOVED,
142 	MGMT_EV_NEW_SETTINGS,
143 	MGMT_EV_CLASS_OF_DEV_CHANGED,
144 	MGMT_EV_LOCAL_NAME_CHANGED,
145 	MGMT_EV_NEW_LINK_KEY,
146 	MGMT_EV_NEW_LONG_TERM_KEY,
147 	MGMT_EV_DEVICE_CONNECTED,
148 	MGMT_EV_DEVICE_DISCONNECTED,
149 	MGMT_EV_CONNECT_FAILED,
150 	MGMT_EV_PIN_CODE_REQUEST,
151 	MGMT_EV_USER_CONFIRM_REQUEST,
152 	MGMT_EV_USER_PASSKEY_REQUEST,
153 	MGMT_EV_AUTH_FAILED,
154 	MGMT_EV_DEVICE_FOUND,
155 	MGMT_EV_DISCOVERING,
156 	MGMT_EV_DEVICE_BLOCKED,
157 	MGMT_EV_DEVICE_UNBLOCKED,
158 	MGMT_EV_DEVICE_UNPAIRED,
159 	MGMT_EV_PASSKEY_NOTIFY,
160 	MGMT_EV_NEW_IRK,
161 	MGMT_EV_NEW_CSRK,
162 	MGMT_EV_DEVICE_ADDED,
163 	MGMT_EV_DEVICE_REMOVED,
164 	MGMT_EV_NEW_CONN_PARAM,
165 	MGMT_EV_UNCONF_INDEX_ADDED,
166 	MGMT_EV_UNCONF_INDEX_REMOVED,
167 	MGMT_EV_NEW_CONFIG_OPTIONS,
168 	MGMT_EV_EXT_INDEX_ADDED,
169 	MGMT_EV_EXT_INDEX_REMOVED,
170 	MGMT_EV_LOCAL_OOB_DATA_UPDATED,
171 	MGMT_EV_ADVERTISING_ADDED,
172 	MGMT_EV_ADVERTISING_REMOVED,
173 	MGMT_EV_EXT_INFO_CHANGED,
174 	MGMT_EV_PHY_CONFIGURATION_CHANGED,
175 	MGMT_EV_EXP_FEATURE_CHANGED,
176 	MGMT_EV_DEVICE_FLAGS_CHANGED,
177 	MGMT_EV_ADV_MONITOR_ADDED,
178 	MGMT_EV_ADV_MONITOR_REMOVED,
179 	MGMT_EV_CONTROLLER_SUSPEND,
180 	MGMT_EV_CONTROLLER_RESUME,
181 	MGMT_EV_ADV_MONITOR_DEVICE_FOUND,
182 	MGMT_EV_ADV_MONITOR_DEVICE_LOST,
183 };
184 
185 static const u16 mgmt_untrusted_commands[] = {
186 	MGMT_OP_READ_INDEX_LIST,
187 	MGMT_OP_READ_INFO,
188 	MGMT_OP_READ_UNCONF_INDEX_LIST,
189 	MGMT_OP_READ_CONFIG_INFO,
190 	MGMT_OP_READ_EXT_INDEX_LIST,
191 	MGMT_OP_READ_EXT_INFO,
192 	MGMT_OP_READ_CONTROLLER_CAP,
193 	MGMT_OP_READ_EXP_FEATURES_INFO,
194 	MGMT_OP_READ_DEF_SYSTEM_CONFIG,
195 	MGMT_OP_READ_DEF_RUNTIME_CONFIG,
196 };
197 
198 static const u16 mgmt_untrusted_events[] = {
199 	MGMT_EV_INDEX_ADDED,
200 	MGMT_EV_INDEX_REMOVED,
201 	MGMT_EV_NEW_SETTINGS,
202 	MGMT_EV_CLASS_OF_DEV_CHANGED,
203 	MGMT_EV_LOCAL_NAME_CHANGED,
204 	MGMT_EV_UNCONF_INDEX_ADDED,
205 	MGMT_EV_UNCONF_INDEX_REMOVED,
206 	MGMT_EV_NEW_CONFIG_OPTIONS,
207 	MGMT_EV_EXT_INDEX_ADDED,
208 	MGMT_EV_EXT_INDEX_REMOVED,
209 	MGMT_EV_EXT_INFO_CHANGED,
210 	MGMT_EV_EXP_FEATURE_CHANGED,
211 };
212 
213 #define CACHE_TIMEOUT	msecs_to_jiffies(2 * 1000)
214 
215 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
216 		 "\x00\x00\x00\x00\x00\x00\x00\x00"
217 
218 /* HCI to MGMT error code conversion table */
219 static const u8 mgmt_status_table[] = {
220 	MGMT_STATUS_SUCCESS,
221 	MGMT_STATUS_UNKNOWN_COMMAND,	/* Unknown Command */
222 	MGMT_STATUS_NOT_CONNECTED,	/* No Connection */
223 	MGMT_STATUS_FAILED,		/* Hardware Failure */
224 	MGMT_STATUS_CONNECT_FAILED,	/* Page Timeout */
225 	MGMT_STATUS_AUTH_FAILED,	/* Authentication Failed */
226 	MGMT_STATUS_AUTH_FAILED,	/* PIN or Key Missing */
227 	MGMT_STATUS_NO_RESOURCES,	/* Memory Full */
228 	MGMT_STATUS_TIMEOUT,		/* Connection Timeout */
229 	MGMT_STATUS_NO_RESOURCES,	/* Max Number of Connections */
230 	MGMT_STATUS_NO_RESOURCES,	/* Max Number of SCO Connections */
231 	MGMT_STATUS_ALREADY_CONNECTED,	/* ACL Connection Exists */
232 	MGMT_STATUS_BUSY,		/* Command Disallowed */
233 	MGMT_STATUS_NO_RESOURCES,	/* Rejected Limited Resources */
234 	MGMT_STATUS_REJECTED,		/* Rejected Security */
235 	MGMT_STATUS_REJECTED,		/* Rejected Personal */
236 	MGMT_STATUS_TIMEOUT,		/* Host Timeout */
237 	MGMT_STATUS_NOT_SUPPORTED,	/* Unsupported Feature */
238 	MGMT_STATUS_INVALID_PARAMS,	/* Invalid Parameters */
239 	MGMT_STATUS_DISCONNECTED,	/* OE User Ended Connection */
240 	MGMT_STATUS_NO_RESOURCES,	/* OE Low Resources */
241 	MGMT_STATUS_DISCONNECTED,	/* OE Power Off */
242 	MGMT_STATUS_DISCONNECTED,	/* Connection Terminated */
243 	MGMT_STATUS_BUSY,		/* Repeated Attempts */
244 	MGMT_STATUS_REJECTED,		/* Pairing Not Allowed */
245 	MGMT_STATUS_FAILED,		/* Unknown LMP PDU */
246 	MGMT_STATUS_NOT_SUPPORTED,	/* Unsupported Remote Feature */
247 	MGMT_STATUS_REJECTED,		/* SCO Offset Rejected */
248 	MGMT_STATUS_REJECTED,		/* SCO Interval Rejected */
249 	MGMT_STATUS_REJECTED,		/* Air Mode Rejected */
250 	MGMT_STATUS_INVALID_PARAMS,	/* Invalid LMP Parameters */
251 	MGMT_STATUS_FAILED,		/* Unspecified Error */
252 	MGMT_STATUS_NOT_SUPPORTED,	/* Unsupported LMP Parameter Value */
253 	MGMT_STATUS_FAILED,		/* Role Change Not Allowed */
254 	MGMT_STATUS_TIMEOUT,		/* LMP Response Timeout */
255 	MGMT_STATUS_FAILED,		/* LMP Error Transaction Collision */
256 	MGMT_STATUS_FAILED,		/* LMP PDU Not Allowed */
257 	MGMT_STATUS_REJECTED,		/* Encryption Mode Not Accepted */
258 	MGMT_STATUS_FAILED,		/* Unit Link Key Used */
259 	MGMT_STATUS_NOT_SUPPORTED,	/* QoS Not Supported */
260 	MGMT_STATUS_TIMEOUT,		/* Instant Passed */
261 	MGMT_STATUS_NOT_SUPPORTED,	/* Pairing Not Supported */
262 	MGMT_STATUS_FAILED,		/* Transaction Collision */
263 	MGMT_STATUS_FAILED,		/* Reserved for future use */
264 	MGMT_STATUS_INVALID_PARAMS,	/* Unacceptable Parameter */
265 	MGMT_STATUS_REJECTED,		/* QoS Rejected */
266 	MGMT_STATUS_NOT_SUPPORTED,	/* Classification Not Supported */
267 	MGMT_STATUS_REJECTED,		/* Insufficient Security */
268 	MGMT_STATUS_INVALID_PARAMS,	/* Parameter Out Of Range */
269 	MGMT_STATUS_FAILED,		/* Reserved for future use */
270 	MGMT_STATUS_BUSY,		/* Role Switch Pending */
271 	MGMT_STATUS_FAILED,		/* Reserved for future use */
272 	MGMT_STATUS_FAILED,		/* Slot Violation */
273 	MGMT_STATUS_FAILED,		/* Role Switch Failed */
274 	MGMT_STATUS_INVALID_PARAMS,	/* EIR Too Large */
275 	MGMT_STATUS_NOT_SUPPORTED,	/* Simple Pairing Not Supported */
276 	MGMT_STATUS_BUSY,		/* Host Busy Pairing */
277 	MGMT_STATUS_REJECTED,		/* Rejected, No Suitable Channel */
278 	MGMT_STATUS_BUSY,		/* Controller Busy */
279 	MGMT_STATUS_INVALID_PARAMS,	/* Unsuitable Connection Interval */
280 	MGMT_STATUS_TIMEOUT,		/* Directed Advertising Timeout */
281 	MGMT_STATUS_AUTH_FAILED,	/* Terminated Due to MIC Failure */
282 	MGMT_STATUS_CONNECT_FAILED,	/* Connection Establishment Failed */
283 	MGMT_STATUS_CONNECT_FAILED,	/* MAC Connection Failed */
284 };
285 
286 static u8 mgmt_errno_status(int err)
287 {
288 	switch (err) {
289 	case 0:
290 		return MGMT_STATUS_SUCCESS;
291 	case -EPERM:
292 		return MGMT_STATUS_REJECTED;
293 	case -EINVAL:
294 		return MGMT_STATUS_INVALID_PARAMS;
295 	case -EOPNOTSUPP:
296 		return MGMT_STATUS_NOT_SUPPORTED;
297 	case -EBUSY:
298 		return MGMT_STATUS_BUSY;
299 	case -ETIMEDOUT:
300 		return MGMT_STATUS_AUTH_FAILED;
301 	case -ENOMEM:
302 		return MGMT_STATUS_NO_RESOURCES;
303 	case -EISCONN:
304 		return MGMT_STATUS_ALREADY_CONNECTED;
305 	case -ENOTCONN:
306 		return MGMT_STATUS_DISCONNECTED;
307 	}
308 
309 	return MGMT_STATUS_FAILED;
310 }
311 
312 static u8 mgmt_status(int err)
313 {
314 	if (err < 0)
315 		return mgmt_errno_status(err);
316 
317 	if (err < ARRAY_SIZE(mgmt_status_table))
318 		return mgmt_status_table[err];
319 
320 	return MGMT_STATUS_FAILED;
321 }
322 
323 static int mgmt_index_event(u16 event, struct hci_dev *hdev, void *data,
324 			    u16 len, int flag)
325 {
326 	return mgmt_send_event(event, hdev, HCI_CHANNEL_CONTROL, data, len,
327 			       flag, NULL);
328 }
329 
330 static int mgmt_limited_event(u16 event, struct hci_dev *hdev, void *data,
331 			      u16 len, int flag, struct sock *skip_sk)
332 {
333 	return mgmt_send_event(event, hdev, HCI_CHANNEL_CONTROL, data, len,
334 			       flag, skip_sk);
335 }
336 
337 static int mgmt_event(u16 event, struct hci_dev *hdev, void *data, u16 len,
338 		      struct sock *skip_sk)
339 {
340 	return mgmt_send_event(event, hdev, HCI_CHANNEL_CONTROL, data, len,
341 			       HCI_SOCK_TRUSTED, skip_sk);
342 }
343 
344 static int mgmt_event_skb(struct sk_buff *skb, struct sock *skip_sk)
345 {
346 	return mgmt_send_event_skb(HCI_CHANNEL_CONTROL, skb, HCI_SOCK_TRUSTED,
347 				   skip_sk);
348 }
349 
350 static u8 le_addr_type(u8 mgmt_addr_type)
351 {
352 	if (mgmt_addr_type == BDADDR_LE_PUBLIC)
353 		return ADDR_LE_DEV_PUBLIC;
354 	else
355 		return ADDR_LE_DEV_RANDOM;
356 }
357 
358 void mgmt_fill_version_info(void *ver)
359 {
360 	struct mgmt_rp_read_version *rp = ver;
361 
362 	rp->version = MGMT_VERSION;
363 	rp->revision = cpu_to_le16(MGMT_REVISION);
364 }
365 
366 static int read_version(struct sock *sk, struct hci_dev *hdev, void *data,
367 			u16 data_len)
368 {
369 	struct mgmt_rp_read_version rp;
370 
371 	bt_dev_dbg(hdev, "sock %p", sk);
372 
373 	mgmt_fill_version_info(&rp);
374 
375 	return mgmt_cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_VERSION, 0,
376 				 &rp, sizeof(rp));
377 }
378 
379 static int read_commands(struct sock *sk, struct hci_dev *hdev, void *data,
380 			 u16 data_len)
381 {
382 	struct mgmt_rp_read_commands *rp;
383 	u16 num_commands, num_events;
384 	size_t rp_size;
385 	int i, err;
386 
387 	bt_dev_dbg(hdev, "sock %p", sk);
388 
389 	if (hci_sock_test_flag(sk, HCI_SOCK_TRUSTED)) {
390 		num_commands = ARRAY_SIZE(mgmt_commands);
391 		num_events = ARRAY_SIZE(mgmt_events);
392 	} else {
393 		num_commands = ARRAY_SIZE(mgmt_untrusted_commands);
394 		num_events = ARRAY_SIZE(mgmt_untrusted_events);
395 	}
396 
397 	rp_size = sizeof(*rp) + ((num_commands + num_events) * sizeof(u16));
398 
399 	rp = kmalloc(rp_size, GFP_KERNEL);
400 	if (!rp)
401 		return -ENOMEM;
402 
403 	rp->num_commands = cpu_to_le16(num_commands);
404 	rp->num_events = cpu_to_le16(num_events);
405 
406 	if (hci_sock_test_flag(sk, HCI_SOCK_TRUSTED)) {
407 		__le16 *opcode = rp->opcodes;
408 
409 		for (i = 0; i < num_commands; i++, opcode++)
410 			put_unaligned_le16(mgmt_commands[i], opcode);
411 
412 		for (i = 0; i < num_events; i++, opcode++)
413 			put_unaligned_le16(mgmt_events[i], opcode);
414 	} else {
415 		__le16 *opcode = rp->opcodes;
416 
417 		for (i = 0; i < num_commands; i++, opcode++)
418 			put_unaligned_le16(mgmt_untrusted_commands[i], opcode);
419 
420 		for (i = 0; i < num_events; i++, opcode++)
421 			put_unaligned_le16(mgmt_untrusted_events[i], opcode);
422 	}
423 
424 	err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_COMMANDS, 0,
425 				rp, rp_size);
426 	kfree(rp);
427 
428 	return err;
429 }
430 
431 static int read_index_list(struct sock *sk, struct hci_dev *hdev, void *data,
432 			   u16 data_len)
433 {
434 	struct mgmt_rp_read_index_list *rp;
435 	struct hci_dev *d;
436 	size_t rp_len;
437 	u16 count;
438 	int err;
439 
440 	bt_dev_dbg(hdev, "sock %p", sk);
441 
442 	read_lock(&hci_dev_list_lock);
443 
444 	count = 0;
445 	list_for_each_entry(d, &hci_dev_list, list) {
446 		if (d->dev_type == HCI_PRIMARY &&
447 		    !hci_dev_test_flag(d, HCI_UNCONFIGURED))
448 			count++;
449 	}
450 
451 	rp_len = sizeof(*rp) + (2 * count);
452 	rp = kmalloc(rp_len, GFP_ATOMIC);
453 	if (!rp) {
454 		read_unlock(&hci_dev_list_lock);
455 		return -ENOMEM;
456 	}
457 
458 	count = 0;
459 	list_for_each_entry(d, &hci_dev_list, list) {
460 		if (hci_dev_test_flag(d, HCI_SETUP) ||
461 		    hci_dev_test_flag(d, HCI_CONFIG) ||
462 		    hci_dev_test_flag(d, HCI_USER_CHANNEL))
463 			continue;
464 
465 		/* Devices marked as raw-only are neither configured
466 		 * nor unconfigured controllers.
467 		 */
468 		if (test_bit(HCI_QUIRK_RAW_DEVICE, &d->quirks))
469 			continue;
470 
471 		if (d->dev_type == HCI_PRIMARY &&
472 		    !hci_dev_test_flag(d, HCI_UNCONFIGURED)) {
473 			rp->index[count++] = cpu_to_le16(d->id);
474 			bt_dev_dbg(hdev, "Added hci%u", d->id);
475 		}
476 	}
477 
478 	rp->num_controllers = cpu_to_le16(count);
479 	rp_len = sizeof(*rp) + (2 * count);
480 
481 	read_unlock(&hci_dev_list_lock);
482 
483 	err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_INDEX_LIST,
484 				0, rp, rp_len);
485 
486 	kfree(rp);
487 
488 	return err;
489 }
490 
491 static int read_unconf_index_list(struct sock *sk, struct hci_dev *hdev,
492 				  void *data, u16 data_len)
493 {
494 	struct mgmt_rp_read_unconf_index_list *rp;
495 	struct hci_dev *d;
496 	size_t rp_len;
497 	u16 count;
498 	int err;
499 
500 	bt_dev_dbg(hdev, "sock %p", sk);
501 
502 	read_lock(&hci_dev_list_lock);
503 
504 	count = 0;
505 	list_for_each_entry(d, &hci_dev_list, list) {
506 		if (d->dev_type == HCI_PRIMARY &&
507 		    hci_dev_test_flag(d, HCI_UNCONFIGURED))
508 			count++;
509 	}
510 
511 	rp_len = sizeof(*rp) + (2 * count);
512 	rp = kmalloc(rp_len, GFP_ATOMIC);
513 	if (!rp) {
514 		read_unlock(&hci_dev_list_lock);
515 		return -ENOMEM;
516 	}
517 
518 	count = 0;
519 	list_for_each_entry(d, &hci_dev_list, list) {
520 		if (hci_dev_test_flag(d, HCI_SETUP) ||
521 		    hci_dev_test_flag(d, HCI_CONFIG) ||
522 		    hci_dev_test_flag(d, HCI_USER_CHANNEL))
523 			continue;
524 
525 		/* Devices marked as raw-only are neither configured
526 		 * nor unconfigured controllers.
527 		 */
528 		if (test_bit(HCI_QUIRK_RAW_DEVICE, &d->quirks))
529 			continue;
530 
531 		if (d->dev_type == HCI_PRIMARY &&
532 		    hci_dev_test_flag(d, HCI_UNCONFIGURED)) {
533 			rp->index[count++] = cpu_to_le16(d->id);
534 			bt_dev_dbg(hdev, "Added hci%u", d->id);
535 		}
536 	}
537 
538 	rp->num_controllers = cpu_to_le16(count);
539 	rp_len = sizeof(*rp) + (2 * count);
540 
541 	read_unlock(&hci_dev_list_lock);
542 
543 	err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE,
544 				MGMT_OP_READ_UNCONF_INDEX_LIST, 0, rp, rp_len);
545 
546 	kfree(rp);
547 
548 	return err;
549 }
550 
551 static int read_ext_index_list(struct sock *sk, struct hci_dev *hdev,
552 			       void *data, u16 data_len)
553 {
554 	struct mgmt_rp_read_ext_index_list *rp;
555 	struct hci_dev *d;
556 	u16 count;
557 	int err;
558 
559 	bt_dev_dbg(hdev, "sock %p", sk);
560 
561 	read_lock(&hci_dev_list_lock);
562 
563 	count = 0;
564 	list_for_each_entry(d, &hci_dev_list, list) {
565 		if (d->dev_type == HCI_PRIMARY || d->dev_type == HCI_AMP)
566 			count++;
567 	}
568 
569 	rp = kmalloc(struct_size(rp, entry, count), GFP_ATOMIC);
570 	if (!rp) {
571 		read_unlock(&hci_dev_list_lock);
572 		return -ENOMEM;
573 	}
574 
575 	count = 0;
576 	list_for_each_entry(d, &hci_dev_list, list) {
577 		if (hci_dev_test_flag(d, HCI_SETUP) ||
578 		    hci_dev_test_flag(d, HCI_CONFIG) ||
579 		    hci_dev_test_flag(d, HCI_USER_CHANNEL))
580 			continue;
581 
582 		/* Devices marked as raw-only are neither configured
583 		 * nor unconfigured controllers.
584 		 */
585 		if (test_bit(HCI_QUIRK_RAW_DEVICE, &d->quirks))
586 			continue;
587 
588 		if (d->dev_type == HCI_PRIMARY) {
589 			if (hci_dev_test_flag(d, HCI_UNCONFIGURED))
590 				rp->entry[count].type = 0x01;
591 			else
592 				rp->entry[count].type = 0x00;
593 		} else if (d->dev_type == HCI_AMP) {
594 			rp->entry[count].type = 0x02;
595 		} else {
596 			continue;
597 		}
598 
599 		rp->entry[count].bus = d->bus;
600 		rp->entry[count++].index = cpu_to_le16(d->id);
601 		bt_dev_dbg(hdev, "Added hci%u", d->id);
602 	}
603 
604 	rp->num_controllers = cpu_to_le16(count);
605 
606 	read_unlock(&hci_dev_list_lock);
607 
608 	/* If this command is called at least once, then all the
609 	 * default index and unconfigured index events are disabled
610 	 * and from now on only extended index events are used.
611 	 */
612 	hci_sock_set_flag(sk, HCI_MGMT_EXT_INDEX_EVENTS);
613 	hci_sock_clear_flag(sk, HCI_MGMT_INDEX_EVENTS);
614 	hci_sock_clear_flag(sk, HCI_MGMT_UNCONF_INDEX_EVENTS);
615 
616 	err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE,
617 				MGMT_OP_READ_EXT_INDEX_LIST, 0, rp,
618 				struct_size(rp, entry, count));
619 
620 	kfree(rp);
621 
622 	return err;
623 }
624 
625 static bool is_configured(struct hci_dev *hdev)
626 {
627 	if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) &&
628 	    !hci_dev_test_flag(hdev, HCI_EXT_CONFIGURED))
629 		return false;
630 
631 	if ((test_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks) ||
632 	     test_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks)) &&
633 	    !bacmp(&hdev->public_addr, BDADDR_ANY))
634 		return false;
635 
636 	return true;
637 }
638 
639 static __le32 get_missing_options(struct hci_dev *hdev)
640 {
641 	u32 options = 0;
642 
643 	if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) &&
644 	    !hci_dev_test_flag(hdev, HCI_EXT_CONFIGURED))
645 		options |= MGMT_OPTION_EXTERNAL_CONFIG;
646 
647 	if ((test_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks) ||
648 	     test_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks)) &&
649 	    !bacmp(&hdev->public_addr, BDADDR_ANY))
650 		options |= MGMT_OPTION_PUBLIC_ADDRESS;
651 
652 	return cpu_to_le32(options);
653 }
654 
655 static int new_options(struct hci_dev *hdev, struct sock *skip)
656 {
657 	__le32 options = get_missing_options(hdev);
658 
659 	return mgmt_limited_event(MGMT_EV_NEW_CONFIG_OPTIONS, hdev, &options,
660 				  sizeof(options), HCI_MGMT_OPTION_EVENTS, skip);
661 }
662 
663 static int send_options_rsp(struct sock *sk, u16 opcode, struct hci_dev *hdev)
664 {
665 	__le32 options = get_missing_options(hdev);
666 
667 	return mgmt_cmd_complete(sk, hdev->id, opcode, 0, &options,
668 				 sizeof(options));
669 }
670 
671 static int read_config_info(struct sock *sk, struct hci_dev *hdev,
672 			    void *data, u16 data_len)
673 {
674 	struct mgmt_rp_read_config_info rp;
675 	u32 options = 0;
676 
677 	bt_dev_dbg(hdev, "sock %p", sk);
678 
679 	hci_dev_lock(hdev);
680 
681 	memset(&rp, 0, sizeof(rp));
682 	rp.manufacturer = cpu_to_le16(hdev->manufacturer);
683 
684 	if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks))
685 		options |= MGMT_OPTION_EXTERNAL_CONFIG;
686 
687 	if (hdev->set_bdaddr)
688 		options |= MGMT_OPTION_PUBLIC_ADDRESS;
689 
690 	rp.supported_options = cpu_to_le32(options);
691 	rp.missing_options = get_missing_options(hdev);
692 
693 	hci_dev_unlock(hdev);
694 
695 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_CONFIG_INFO, 0,
696 				 &rp, sizeof(rp));
697 }
698 
699 static u32 get_supported_phys(struct hci_dev *hdev)
700 {
701 	u32 supported_phys = 0;
702 
703 	if (lmp_bredr_capable(hdev)) {
704 		supported_phys |= MGMT_PHY_BR_1M_1SLOT;
705 
706 		if (hdev->features[0][0] & LMP_3SLOT)
707 			supported_phys |= MGMT_PHY_BR_1M_3SLOT;
708 
709 		if (hdev->features[0][0] & LMP_5SLOT)
710 			supported_phys |= MGMT_PHY_BR_1M_5SLOT;
711 
712 		if (lmp_edr_2m_capable(hdev)) {
713 			supported_phys |= MGMT_PHY_EDR_2M_1SLOT;
714 
715 			if (lmp_edr_3slot_capable(hdev))
716 				supported_phys |= MGMT_PHY_EDR_2M_3SLOT;
717 
718 			if (lmp_edr_5slot_capable(hdev))
719 				supported_phys |= MGMT_PHY_EDR_2M_5SLOT;
720 
721 			if (lmp_edr_3m_capable(hdev)) {
722 				supported_phys |= MGMT_PHY_EDR_3M_1SLOT;
723 
724 				if (lmp_edr_3slot_capable(hdev))
725 					supported_phys |= MGMT_PHY_EDR_3M_3SLOT;
726 
727 				if (lmp_edr_5slot_capable(hdev))
728 					supported_phys |= MGMT_PHY_EDR_3M_5SLOT;
729 			}
730 		}
731 	}
732 
733 	if (lmp_le_capable(hdev)) {
734 		supported_phys |= MGMT_PHY_LE_1M_TX;
735 		supported_phys |= MGMT_PHY_LE_1M_RX;
736 
737 		if (hdev->le_features[1] & HCI_LE_PHY_2M) {
738 			supported_phys |= MGMT_PHY_LE_2M_TX;
739 			supported_phys |= MGMT_PHY_LE_2M_RX;
740 		}
741 
742 		if (hdev->le_features[1] & HCI_LE_PHY_CODED) {
743 			supported_phys |= MGMT_PHY_LE_CODED_TX;
744 			supported_phys |= MGMT_PHY_LE_CODED_RX;
745 		}
746 	}
747 
748 	return supported_phys;
749 }
750 
751 static u32 get_selected_phys(struct hci_dev *hdev)
752 {
753 	u32 selected_phys = 0;
754 
755 	if (lmp_bredr_capable(hdev)) {
756 		selected_phys |= MGMT_PHY_BR_1M_1SLOT;
757 
758 		if (hdev->pkt_type & (HCI_DM3 | HCI_DH3))
759 			selected_phys |= MGMT_PHY_BR_1M_3SLOT;
760 
761 		if (hdev->pkt_type & (HCI_DM5 | HCI_DH5))
762 			selected_phys |= MGMT_PHY_BR_1M_5SLOT;
763 
764 		if (lmp_edr_2m_capable(hdev)) {
765 			if (!(hdev->pkt_type & HCI_2DH1))
766 				selected_phys |= MGMT_PHY_EDR_2M_1SLOT;
767 
768 			if (lmp_edr_3slot_capable(hdev) &&
769 			    !(hdev->pkt_type & HCI_2DH3))
770 				selected_phys |= MGMT_PHY_EDR_2M_3SLOT;
771 
772 			if (lmp_edr_5slot_capable(hdev) &&
773 			    !(hdev->pkt_type & HCI_2DH5))
774 				selected_phys |= MGMT_PHY_EDR_2M_5SLOT;
775 
776 			if (lmp_edr_3m_capable(hdev)) {
777 				if (!(hdev->pkt_type & HCI_3DH1))
778 					selected_phys |= MGMT_PHY_EDR_3M_1SLOT;
779 
780 				if (lmp_edr_3slot_capable(hdev) &&
781 				    !(hdev->pkt_type & HCI_3DH3))
782 					selected_phys |= MGMT_PHY_EDR_3M_3SLOT;
783 
784 				if (lmp_edr_5slot_capable(hdev) &&
785 				    !(hdev->pkt_type & HCI_3DH5))
786 					selected_phys |= MGMT_PHY_EDR_3M_5SLOT;
787 			}
788 		}
789 	}
790 
791 	if (lmp_le_capable(hdev)) {
792 		if (hdev->le_tx_def_phys & HCI_LE_SET_PHY_1M)
793 			selected_phys |= MGMT_PHY_LE_1M_TX;
794 
795 		if (hdev->le_rx_def_phys & HCI_LE_SET_PHY_1M)
796 			selected_phys |= MGMT_PHY_LE_1M_RX;
797 
798 		if (hdev->le_tx_def_phys & HCI_LE_SET_PHY_2M)
799 			selected_phys |= MGMT_PHY_LE_2M_TX;
800 
801 		if (hdev->le_rx_def_phys & HCI_LE_SET_PHY_2M)
802 			selected_phys |= MGMT_PHY_LE_2M_RX;
803 
804 		if (hdev->le_tx_def_phys & HCI_LE_SET_PHY_CODED)
805 			selected_phys |= MGMT_PHY_LE_CODED_TX;
806 
807 		if (hdev->le_rx_def_phys & HCI_LE_SET_PHY_CODED)
808 			selected_phys |= MGMT_PHY_LE_CODED_RX;
809 	}
810 
811 	return selected_phys;
812 }
813 
814 static u32 get_configurable_phys(struct hci_dev *hdev)
815 {
816 	return (get_supported_phys(hdev) & ~MGMT_PHY_BR_1M_1SLOT &
817 		~MGMT_PHY_LE_1M_TX & ~MGMT_PHY_LE_1M_RX);
818 }
819 
820 static u32 get_supported_settings(struct hci_dev *hdev)
821 {
822 	u32 settings = 0;
823 
824 	settings |= MGMT_SETTING_POWERED;
825 	settings |= MGMT_SETTING_BONDABLE;
826 	settings |= MGMT_SETTING_DEBUG_KEYS;
827 	settings |= MGMT_SETTING_CONNECTABLE;
828 	settings |= MGMT_SETTING_DISCOVERABLE;
829 
830 	if (lmp_bredr_capable(hdev)) {
831 		if (hdev->hci_ver >= BLUETOOTH_VER_1_2)
832 			settings |= MGMT_SETTING_FAST_CONNECTABLE;
833 		settings |= MGMT_SETTING_BREDR;
834 		settings |= MGMT_SETTING_LINK_SECURITY;
835 
836 		if (lmp_ssp_capable(hdev)) {
837 			settings |= MGMT_SETTING_SSP;
838 			if (IS_ENABLED(CONFIG_BT_HS))
839 				settings |= MGMT_SETTING_HS;
840 		}
841 
842 		if (lmp_sc_capable(hdev))
843 			settings |= MGMT_SETTING_SECURE_CONN;
844 
845 		if (test_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED,
846 			     &hdev->quirks))
847 			settings |= MGMT_SETTING_WIDEBAND_SPEECH;
848 	}
849 
850 	if (lmp_le_capable(hdev)) {
851 		settings |= MGMT_SETTING_LE;
852 		settings |= MGMT_SETTING_SECURE_CONN;
853 		settings |= MGMT_SETTING_PRIVACY;
854 		settings |= MGMT_SETTING_STATIC_ADDRESS;
855 		settings |= MGMT_SETTING_ADVERTISING;
856 	}
857 
858 	if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) ||
859 	    hdev->set_bdaddr)
860 		settings |= MGMT_SETTING_CONFIGURATION;
861 
862 	settings |= MGMT_SETTING_PHY_CONFIGURATION;
863 
864 	return settings;
865 }
866 
867 static u32 get_current_settings(struct hci_dev *hdev)
868 {
869 	u32 settings = 0;
870 
871 	if (hdev_is_powered(hdev))
872 		settings |= MGMT_SETTING_POWERED;
873 
874 	if (hci_dev_test_flag(hdev, HCI_CONNECTABLE))
875 		settings |= MGMT_SETTING_CONNECTABLE;
876 
877 	if (hci_dev_test_flag(hdev, HCI_FAST_CONNECTABLE))
878 		settings |= MGMT_SETTING_FAST_CONNECTABLE;
879 
880 	if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE))
881 		settings |= MGMT_SETTING_DISCOVERABLE;
882 
883 	if (hci_dev_test_flag(hdev, HCI_BONDABLE))
884 		settings |= MGMT_SETTING_BONDABLE;
885 
886 	if (hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
887 		settings |= MGMT_SETTING_BREDR;
888 
889 	if (hci_dev_test_flag(hdev, HCI_LE_ENABLED))
890 		settings |= MGMT_SETTING_LE;
891 
892 	if (hci_dev_test_flag(hdev, HCI_LINK_SECURITY))
893 		settings |= MGMT_SETTING_LINK_SECURITY;
894 
895 	if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
896 		settings |= MGMT_SETTING_SSP;
897 
898 	if (hci_dev_test_flag(hdev, HCI_HS_ENABLED))
899 		settings |= MGMT_SETTING_HS;
900 
901 	if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
902 		settings |= MGMT_SETTING_ADVERTISING;
903 
904 	if (hci_dev_test_flag(hdev, HCI_SC_ENABLED))
905 		settings |= MGMT_SETTING_SECURE_CONN;
906 
907 	if (hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS))
908 		settings |= MGMT_SETTING_DEBUG_KEYS;
909 
910 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
911 		settings |= MGMT_SETTING_PRIVACY;
912 
913 	/* The current setting for static address has two purposes. The
914 	 * first is to indicate if the static address will be used and
915 	 * the second is to indicate if it is actually set.
916 	 *
917 	 * This means if the static address is not configured, this flag
918 	 * will never be set. If the address is configured, then if the
919 	 * address is actually used decides if the flag is set or not.
920 	 *
921 	 * For single mode LE only controllers and dual-mode controllers
922 	 * with BR/EDR disabled, the existence of the static address will
923 	 * be evaluated.
924 	 */
925 	if (hci_dev_test_flag(hdev, HCI_FORCE_STATIC_ADDR) ||
926 	    !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) ||
927 	    !bacmp(&hdev->bdaddr, BDADDR_ANY)) {
928 		if (bacmp(&hdev->static_addr, BDADDR_ANY))
929 			settings |= MGMT_SETTING_STATIC_ADDRESS;
930 	}
931 
932 	if (hci_dev_test_flag(hdev, HCI_WIDEBAND_SPEECH_ENABLED))
933 		settings |= MGMT_SETTING_WIDEBAND_SPEECH;
934 
935 	return settings;
936 }
937 
938 static struct mgmt_pending_cmd *pending_find(u16 opcode, struct hci_dev *hdev)
939 {
940 	return mgmt_pending_find(HCI_CHANNEL_CONTROL, opcode, hdev);
941 }
942 
943 u8 mgmt_get_adv_discov_flags(struct hci_dev *hdev)
944 {
945 	struct mgmt_pending_cmd *cmd;
946 
947 	/* If there's a pending mgmt command the flags will not yet have
948 	 * their final values, so check for this first.
949 	 */
950 	cmd = pending_find(MGMT_OP_SET_DISCOVERABLE, hdev);
951 	if (cmd) {
952 		struct mgmt_mode *cp = cmd->param;
953 		if (cp->val == 0x01)
954 			return LE_AD_GENERAL;
955 		else if (cp->val == 0x02)
956 			return LE_AD_LIMITED;
957 	} else {
958 		if (hci_dev_test_flag(hdev, HCI_LIMITED_DISCOVERABLE))
959 			return LE_AD_LIMITED;
960 		else if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE))
961 			return LE_AD_GENERAL;
962 	}
963 
964 	return 0;
965 }
966 
967 bool mgmt_get_connectable(struct hci_dev *hdev)
968 {
969 	struct mgmt_pending_cmd *cmd;
970 
971 	/* If there's a pending mgmt command the flag will not yet have
972 	 * it's final value, so check for this first.
973 	 */
974 	cmd = pending_find(MGMT_OP_SET_CONNECTABLE, hdev);
975 	if (cmd) {
976 		struct mgmt_mode *cp = cmd->param;
977 
978 		return cp->val;
979 	}
980 
981 	return hci_dev_test_flag(hdev, HCI_CONNECTABLE);
982 }
983 
984 static int service_cache_sync(struct hci_dev *hdev, void *data)
985 {
986 	hci_update_eir_sync(hdev);
987 	hci_update_class_sync(hdev);
988 
989 	return 0;
990 }
991 
992 static void service_cache_off(struct work_struct *work)
993 {
994 	struct hci_dev *hdev = container_of(work, struct hci_dev,
995 					    service_cache.work);
996 
997 	if (!hci_dev_test_and_clear_flag(hdev, HCI_SERVICE_CACHE))
998 		return;
999 
1000 	hci_cmd_sync_queue(hdev, service_cache_sync, NULL, NULL);
1001 }
1002 
1003 static int rpa_expired_sync(struct hci_dev *hdev, void *data)
1004 {
1005 	/* The generation of a new RPA and programming it into the
1006 	 * controller happens in the hci_req_enable_advertising()
1007 	 * function.
1008 	 */
1009 	if (ext_adv_capable(hdev))
1010 		return hci_start_ext_adv_sync(hdev, hdev->cur_adv_instance);
1011 	else
1012 		return hci_enable_advertising_sync(hdev);
1013 }
1014 
1015 static void rpa_expired(struct work_struct *work)
1016 {
1017 	struct hci_dev *hdev = container_of(work, struct hci_dev,
1018 					    rpa_expired.work);
1019 
1020 	bt_dev_dbg(hdev, "");
1021 
1022 	hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
1023 
1024 	if (!hci_dev_test_flag(hdev, HCI_ADVERTISING))
1025 		return;
1026 
1027 	hci_cmd_sync_queue(hdev, rpa_expired_sync, NULL, NULL);
1028 }
1029 
1030 static void discov_off(struct work_struct *work)
1031 {
1032 	struct hci_dev *hdev = container_of(work, struct hci_dev,
1033 					    discov_off.work);
1034 
1035 	bt_dev_dbg(hdev, "");
1036 
1037 	hci_dev_lock(hdev);
1038 
1039 	/* When discoverable timeout triggers, then just make sure
1040 	 * the limited discoverable flag is cleared. Even in the case
1041 	 * of a timeout triggered from general discoverable, it is
1042 	 * safe to unconditionally clear the flag.
1043 	 */
1044 	hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1045 	hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1046 	hdev->discov_timeout = 0;
1047 
1048 	hci_update_discoverable(hdev);
1049 
1050 	mgmt_new_settings(hdev);
1051 
1052 	hci_dev_unlock(hdev);
1053 }
1054 
1055 static int send_settings_rsp(struct sock *sk, u16 opcode, struct hci_dev *hdev);
1056 
1057 static void mesh_send_complete(struct hci_dev *hdev,
1058 			       struct mgmt_mesh_tx *mesh_tx, bool silent)
1059 {
1060 	u8 handle = mesh_tx->handle;
1061 
1062 	if (!silent)
1063 		mgmt_event(MGMT_EV_MESH_PACKET_CMPLT, hdev, &handle,
1064 			   sizeof(handle), NULL);
1065 
1066 	mgmt_mesh_remove(mesh_tx);
1067 }
1068 
1069 static int mesh_send_done_sync(struct hci_dev *hdev, void *data)
1070 {
1071 	struct mgmt_mesh_tx *mesh_tx;
1072 
1073 	hci_dev_clear_flag(hdev, HCI_MESH_SENDING);
1074 	hci_disable_advertising_sync(hdev);
1075 	mesh_tx = mgmt_mesh_next(hdev, NULL);
1076 
1077 	if (mesh_tx)
1078 		mesh_send_complete(hdev, mesh_tx, false);
1079 
1080 	return 0;
1081 }
1082 
1083 static int mesh_send_sync(struct hci_dev *hdev, void *data);
1084 static void mesh_send_start_complete(struct hci_dev *hdev, void *data, int err);
1085 static void mesh_next(struct hci_dev *hdev, void *data, int err)
1086 {
1087 	struct mgmt_mesh_tx *mesh_tx = mgmt_mesh_next(hdev, NULL);
1088 
1089 	if (!mesh_tx)
1090 		return;
1091 
1092 	err = hci_cmd_sync_queue(hdev, mesh_send_sync, mesh_tx,
1093 				 mesh_send_start_complete);
1094 
1095 	if (err < 0)
1096 		mesh_send_complete(hdev, mesh_tx, false);
1097 	else
1098 		hci_dev_set_flag(hdev, HCI_MESH_SENDING);
1099 }
1100 
1101 static void mesh_send_done(struct work_struct *work)
1102 {
1103 	struct hci_dev *hdev = container_of(work, struct hci_dev,
1104 					    mesh_send_done.work);
1105 
1106 	if (!hci_dev_test_flag(hdev, HCI_MESH_SENDING))
1107 		return;
1108 
1109 	hci_cmd_sync_queue(hdev, mesh_send_done_sync, NULL, mesh_next);
1110 }
1111 
1112 static void mgmt_init_hdev(struct sock *sk, struct hci_dev *hdev)
1113 {
1114 	if (hci_dev_test_flag(hdev, HCI_MGMT))
1115 		return;
1116 
1117 	BT_INFO("MGMT ver %d.%d", MGMT_VERSION, MGMT_REVISION);
1118 
1119 	INIT_DELAYED_WORK(&hdev->discov_off, discov_off);
1120 	INIT_DELAYED_WORK(&hdev->service_cache, service_cache_off);
1121 	INIT_DELAYED_WORK(&hdev->rpa_expired, rpa_expired);
1122 	INIT_DELAYED_WORK(&hdev->mesh_send_done, mesh_send_done);
1123 
1124 	/* Non-mgmt controlled devices get this bit set
1125 	 * implicitly so that pairing works for them, however
1126 	 * for mgmt we require user-space to explicitly enable
1127 	 * it
1128 	 */
1129 	hci_dev_clear_flag(hdev, HCI_BONDABLE);
1130 
1131 	hci_dev_set_flag(hdev, HCI_MGMT);
1132 }
1133 
1134 static int read_controller_info(struct sock *sk, struct hci_dev *hdev,
1135 				void *data, u16 data_len)
1136 {
1137 	struct mgmt_rp_read_info rp;
1138 
1139 	bt_dev_dbg(hdev, "sock %p", sk);
1140 
1141 	hci_dev_lock(hdev);
1142 
1143 	memset(&rp, 0, sizeof(rp));
1144 
1145 	bacpy(&rp.bdaddr, &hdev->bdaddr);
1146 
1147 	rp.version = hdev->hci_ver;
1148 	rp.manufacturer = cpu_to_le16(hdev->manufacturer);
1149 
1150 	rp.supported_settings = cpu_to_le32(get_supported_settings(hdev));
1151 	rp.current_settings = cpu_to_le32(get_current_settings(hdev));
1152 
1153 	memcpy(rp.dev_class, hdev->dev_class, 3);
1154 
1155 	memcpy(rp.name, hdev->dev_name, sizeof(hdev->dev_name));
1156 	memcpy(rp.short_name, hdev->short_name, sizeof(hdev->short_name));
1157 
1158 	hci_dev_unlock(hdev);
1159 
1160 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_INFO, 0, &rp,
1161 				 sizeof(rp));
1162 }
1163 
1164 static u16 append_eir_data_to_buf(struct hci_dev *hdev, u8 *eir)
1165 {
1166 	u16 eir_len = 0;
1167 	size_t name_len;
1168 
1169 	if (hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1170 		eir_len = eir_append_data(eir, eir_len, EIR_CLASS_OF_DEV,
1171 					  hdev->dev_class, 3);
1172 
1173 	if (hci_dev_test_flag(hdev, HCI_LE_ENABLED))
1174 		eir_len = eir_append_le16(eir, eir_len, EIR_APPEARANCE,
1175 					  hdev->appearance);
1176 
1177 	name_len = strnlen(hdev->dev_name, sizeof(hdev->dev_name));
1178 	eir_len = eir_append_data(eir, eir_len, EIR_NAME_COMPLETE,
1179 				  hdev->dev_name, name_len);
1180 
1181 	name_len = strnlen(hdev->short_name, sizeof(hdev->short_name));
1182 	eir_len = eir_append_data(eir, eir_len, EIR_NAME_SHORT,
1183 				  hdev->short_name, name_len);
1184 
1185 	return eir_len;
1186 }
1187 
1188 static int read_ext_controller_info(struct sock *sk, struct hci_dev *hdev,
1189 				    void *data, u16 data_len)
1190 {
1191 	char buf[512];
1192 	struct mgmt_rp_read_ext_info *rp = (void *)buf;
1193 	u16 eir_len;
1194 
1195 	bt_dev_dbg(hdev, "sock %p", sk);
1196 
1197 	memset(&buf, 0, sizeof(buf));
1198 
1199 	hci_dev_lock(hdev);
1200 
1201 	bacpy(&rp->bdaddr, &hdev->bdaddr);
1202 
1203 	rp->version = hdev->hci_ver;
1204 	rp->manufacturer = cpu_to_le16(hdev->manufacturer);
1205 
1206 	rp->supported_settings = cpu_to_le32(get_supported_settings(hdev));
1207 	rp->current_settings = cpu_to_le32(get_current_settings(hdev));
1208 
1209 
1210 	eir_len = append_eir_data_to_buf(hdev, rp->eir);
1211 	rp->eir_len = cpu_to_le16(eir_len);
1212 
1213 	hci_dev_unlock(hdev);
1214 
1215 	/* If this command is called at least once, then the events
1216 	 * for class of device and local name changes are disabled
1217 	 * and only the new extended controller information event
1218 	 * is used.
1219 	 */
1220 	hci_sock_set_flag(sk, HCI_MGMT_EXT_INFO_EVENTS);
1221 	hci_sock_clear_flag(sk, HCI_MGMT_DEV_CLASS_EVENTS);
1222 	hci_sock_clear_flag(sk, HCI_MGMT_LOCAL_NAME_EVENTS);
1223 
1224 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_EXT_INFO, 0, rp,
1225 				 sizeof(*rp) + eir_len);
1226 }
1227 
1228 static int ext_info_changed(struct hci_dev *hdev, struct sock *skip)
1229 {
1230 	char buf[512];
1231 	struct mgmt_ev_ext_info_changed *ev = (void *)buf;
1232 	u16 eir_len;
1233 
1234 	memset(buf, 0, sizeof(buf));
1235 
1236 	eir_len = append_eir_data_to_buf(hdev, ev->eir);
1237 	ev->eir_len = cpu_to_le16(eir_len);
1238 
1239 	return mgmt_limited_event(MGMT_EV_EXT_INFO_CHANGED, hdev, ev,
1240 				  sizeof(*ev) + eir_len,
1241 				  HCI_MGMT_EXT_INFO_EVENTS, skip);
1242 }
1243 
1244 static int send_settings_rsp(struct sock *sk, u16 opcode, struct hci_dev *hdev)
1245 {
1246 	__le32 settings = cpu_to_le32(get_current_settings(hdev));
1247 
1248 	return mgmt_cmd_complete(sk, hdev->id, opcode, 0, &settings,
1249 				 sizeof(settings));
1250 }
1251 
1252 void mgmt_advertising_added(struct sock *sk, struct hci_dev *hdev, u8 instance)
1253 {
1254 	struct mgmt_ev_advertising_added ev;
1255 
1256 	ev.instance = instance;
1257 
1258 	mgmt_event(MGMT_EV_ADVERTISING_ADDED, hdev, &ev, sizeof(ev), sk);
1259 }
1260 
1261 void mgmt_advertising_removed(struct sock *sk, struct hci_dev *hdev,
1262 			      u8 instance)
1263 {
1264 	struct mgmt_ev_advertising_removed ev;
1265 
1266 	ev.instance = instance;
1267 
1268 	mgmt_event(MGMT_EV_ADVERTISING_REMOVED, hdev, &ev, sizeof(ev), sk);
1269 }
1270 
1271 static void cancel_adv_timeout(struct hci_dev *hdev)
1272 {
1273 	if (hdev->adv_instance_timeout) {
1274 		hdev->adv_instance_timeout = 0;
1275 		cancel_delayed_work(&hdev->adv_instance_expire);
1276 	}
1277 }
1278 
1279 /* This function requires the caller holds hdev->lock */
1280 static void restart_le_actions(struct hci_dev *hdev)
1281 {
1282 	struct hci_conn_params *p;
1283 
1284 	list_for_each_entry(p, &hdev->le_conn_params, list) {
1285 		/* Needed for AUTO_OFF case where might not "really"
1286 		 * have been powered off.
1287 		 */
1288 		list_del_init(&p->action);
1289 
1290 		switch (p->auto_connect) {
1291 		case HCI_AUTO_CONN_DIRECT:
1292 		case HCI_AUTO_CONN_ALWAYS:
1293 			list_add(&p->action, &hdev->pend_le_conns);
1294 			break;
1295 		case HCI_AUTO_CONN_REPORT:
1296 			list_add(&p->action, &hdev->pend_le_reports);
1297 			break;
1298 		default:
1299 			break;
1300 		}
1301 	}
1302 }
1303 
1304 static int new_settings(struct hci_dev *hdev, struct sock *skip)
1305 {
1306 	__le32 ev = cpu_to_le32(get_current_settings(hdev));
1307 
1308 	return mgmt_limited_event(MGMT_EV_NEW_SETTINGS, hdev, &ev,
1309 				  sizeof(ev), HCI_MGMT_SETTING_EVENTS, skip);
1310 }
1311 
1312 static void mgmt_set_powered_complete(struct hci_dev *hdev, void *data, int err)
1313 {
1314 	struct mgmt_pending_cmd *cmd = data;
1315 	struct mgmt_mode *cp;
1316 
1317 	/* Make sure cmd still outstanding. */
1318 	if (cmd != pending_find(MGMT_OP_SET_POWERED, hdev))
1319 		return;
1320 
1321 	cp = cmd->param;
1322 
1323 	bt_dev_dbg(hdev, "err %d", err);
1324 
1325 	if (!err) {
1326 		if (cp->val) {
1327 			hci_dev_lock(hdev);
1328 			restart_le_actions(hdev);
1329 			hci_update_passive_scan(hdev);
1330 			hci_dev_unlock(hdev);
1331 		}
1332 
1333 		send_settings_rsp(cmd->sk, cmd->opcode, hdev);
1334 
1335 		/* Only call new_setting for power on as power off is deferred
1336 		 * to hdev->power_off work which does call hci_dev_do_close.
1337 		 */
1338 		if (cp->val)
1339 			new_settings(hdev, cmd->sk);
1340 	} else {
1341 		mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_POWERED,
1342 				mgmt_status(err));
1343 	}
1344 
1345 	mgmt_pending_remove(cmd);
1346 }
1347 
1348 static int set_powered_sync(struct hci_dev *hdev, void *data)
1349 {
1350 	struct mgmt_pending_cmd *cmd = data;
1351 	struct mgmt_mode *cp = cmd->param;
1352 
1353 	BT_DBG("%s", hdev->name);
1354 
1355 	return hci_set_powered_sync(hdev, cp->val);
1356 }
1357 
1358 static int set_powered(struct sock *sk, struct hci_dev *hdev, void *data,
1359 		       u16 len)
1360 {
1361 	struct mgmt_mode *cp = data;
1362 	struct mgmt_pending_cmd *cmd;
1363 	int err;
1364 
1365 	bt_dev_dbg(hdev, "sock %p", sk);
1366 
1367 	if (cp->val != 0x00 && cp->val != 0x01)
1368 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_POWERED,
1369 				       MGMT_STATUS_INVALID_PARAMS);
1370 
1371 	hci_dev_lock(hdev);
1372 
1373 	if (pending_find(MGMT_OP_SET_POWERED, hdev)) {
1374 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_POWERED,
1375 				      MGMT_STATUS_BUSY);
1376 		goto failed;
1377 	}
1378 
1379 	if (!!cp->val == hdev_is_powered(hdev)) {
1380 		err = send_settings_rsp(sk, MGMT_OP_SET_POWERED, hdev);
1381 		goto failed;
1382 	}
1383 
1384 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_POWERED, hdev, data, len);
1385 	if (!cmd) {
1386 		err = -ENOMEM;
1387 		goto failed;
1388 	}
1389 
1390 	err = hci_cmd_sync_queue(hdev, set_powered_sync, cmd,
1391 				 mgmt_set_powered_complete);
1392 
1393 	if (err < 0)
1394 		mgmt_pending_remove(cmd);
1395 
1396 failed:
1397 	hci_dev_unlock(hdev);
1398 	return err;
1399 }
1400 
1401 int mgmt_new_settings(struct hci_dev *hdev)
1402 {
1403 	return new_settings(hdev, NULL);
1404 }
1405 
1406 struct cmd_lookup {
1407 	struct sock *sk;
1408 	struct hci_dev *hdev;
1409 	u8 mgmt_status;
1410 };
1411 
1412 static void settings_rsp(struct mgmt_pending_cmd *cmd, void *data)
1413 {
1414 	struct cmd_lookup *match = data;
1415 
1416 	send_settings_rsp(cmd->sk, cmd->opcode, match->hdev);
1417 
1418 	list_del(&cmd->list);
1419 
1420 	if (match->sk == NULL) {
1421 		match->sk = cmd->sk;
1422 		sock_hold(match->sk);
1423 	}
1424 
1425 	mgmt_pending_free(cmd);
1426 }
1427 
1428 static void cmd_status_rsp(struct mgmt_pending_cmd *cmd, void *data)
1429 {
1430 	u8 *status = data;
1431 
1432 	mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, *status);
1433 	mgmt_pending_remove(cmd);
1434 }
1435 
1436 static void cmd_complete_rsp(struct mgmt_pending_cmd *cmd, void *data)
1437 {
1438 	if (cmd->cmd_complete) {
1439 		u8 *status = data;
1440 
1441 		cmd->cmd_complete(cmd, *status);
1442 		mgmt_pending_remove(cmd);
1443 
1444 		return;
1445 	}
1446 
1447 	cmd_status_rsp(cmd, data);
1448 }
1449 
1450 static int generic_cmd_complete(struct mgmt_pending_cmd *cmd, u8 status)
1451 {
1452 	return mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status,
1453 				 cmd->param, cmd->param_len);
1454 }
1455 
1456 static int addr_cmd_complete(struct mgmt_pending_cmd *cmd, u8 status)
1457 {
1458 	return mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status,
1459 				 cmd->param, sizeof(struct mgmt_addr_info));
1460 }
1461 
1462 static u8 mgmt_bredr_support(struct hci_dev *hdev)
1463 {
1464 	if (!lmp_bredr_capable(hdev))
1465 		return MGMT_STATUS_NOT_SUPPORTED;
1466 	else if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1467 		return MGMT_STATUS_REJECTED;
1468 	else
1469 		return MGMT_STATUS_SUCCESS;
1470 }
1471 
1472 static u8 mgmt_le_support(struct hci_dev *hdev)
1473 {
1474 	if (!lmp_le_capable(hdev))
1475 		return MGMT_STATUS_NOT_SUPPORTED;
1476 	else if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
1477 		return MGMT_STATUS_REJECTED;
1478 	else
1479 		return MGMT_STATUS_SUCCESS;
1480 }
1481 
1482 static void mgmt_set_discoverable_complete(struct hci_dev *hdev, void *data,
1483 					   int err)
1484 {
1485 	struct mgmt_pending_cmd *cmd = data;
1486 
1487 	bt_dev_dbg(hdev, "err %d", err);
1488 
1489 	/* Make sure cmd still outstanding. */
1490 	if (cmd != pending_find(MGMT_OP_SET_DISCOVERABLE, hdev))
1491 		return;
1492 
1493 	hci_dev_lock(hdev);
1494 
1495 	if (err) {
1496 		u8 mgmt_err = mgmt_status(err);
1497 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
1498 		hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1499 		goto done;
1500 	}
1501 
1502 	if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE) &&
1503 	    hdev->discov_timeout > 0) {
1504 		int to = msecs_to_jiffies(hdev->discov_timeout * 1000);
1505 		queue_delayed_work(hdev->req_workqueue, &hdev->discov_off, to);
1506 	}
1507 
1508 	send_settings_rsp(cmd->sk, MGMT_OP_SET_DISCOVERABLE, hdev);
1509 	new_settings(hdev, cmd->sk);
1510 
1511 done:
1512 	mgmt_pending_remove(cmd);
1513 	hci_dev_unlock(hdev);
1514 }
1515 
1516 static int set_discoverable_sync(struct hci_dev *hdev, void *data)
1517 {
1518 	BT_DBG("%s", hdev->name);
1519 
1520 	return hci_update_discoverable_sync(hdev);
1521 }
1522 
1523 static int set_discoverable(struct sock *sk, struct hci_dev *hdev, void *data,
1524 			    u16 len)
1525 {
1526 	struct mgmt_cp_set_discoverable *cp = data;
1527 	struct mgmt_pending_cmd *cmd;
1528 	u16 timeout;
1529 	int err;
1530 
1531 	bt_dev_dbg(hdev, "sock %p", sk);
1532 
1533 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED) &&
1534 	    !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1535 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1536 				       MGMT_STATUS_REJECTED);
1537 
1538 	if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
1539 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1540 				       MGMT_STATUS_INVALID_PARAMS);
1541 
1542 	timeout = __le16_to_cpu(cp->timeout);
1543 
1544 	/* Disabling discoverable requires that no timeout is set,
1545 	 * and enabling limited discoverable requires a timeout.
1546 	 */
1547 	if ((cp->val == 0x00 && timeout > 0) ||
1548 	    (cp->val == 0x02 && timeout == 0))
1549 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1550 				       MGMT_STATUS_INVALID_PARAMS);
1551 
1552 	hci_dev_lock(hdev);
1553 
1554 	if (!hdev_is_powered(hdev) && timeout > 0) {
1555 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1556 				      MGMT_STATUS_NOT_POWERED);
1557 		goto failed;
1558 	}
1559 
1560 	if (pending_find(MGMT_OP_SET_DISCOVERABLE, hdev) ||
1561 	    pending_find(MGMT_OP_SET_CONNECTABLE, hdev)) {
1562 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1563 				      MGMT_STATUS_BUSY);
1564 		goto failed;
1565 	}
1566 
1567 	if (!hci_dev_test_flag(hdev, HCI_CONNECTABLE)) {
1568 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1569 				      MGMT_STATUS_REJECTED);
1570 		goto failed;
1571 	}
1572 
1573 	if (hdev->advertising_paused) {
1574 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1575 				      MGMT_STATUS_BUSY);
1576 		goto failed;
1577 	}
1578 
1579 	if (!hdev_is_powered(hdev)) {
1580 		bool changed = false;
1581 
1582 		/* Setting limited discoverable when powered off is
1583 		 * not a valid operation since it requires a timeout
1584 		 * and so no need to check HCI_LIMITED_DISCOVERABLE.
1585 		 */
1586 		if (!!cp->val != hci_dev_test_flag(hdev, HCI_DISCOVERABLE)) {
1587 			hci_dev_change_flag(hdev, HCI_DISCOVERABLE);
1588 			changed = true;
1589 		}
1590 
1591 		err = send_settings_rsp(sk, MGMT_OP_SET_DISCOVERABLE, hdev);
1592 		if (err < 0)
1593 			goto failed;
1594 
1595 		if (changed)
1596 			err = new_settings(hdev, sk);
1597 
1598 		goto failed;
1599 	}
1600 
1601 	/* If the current mode is the same, then just update the timeout
1602 	 * value with the new value. And if only the timeout gets updated,
1603 	 * then no need for any HCI transactions.
1604 	 */
1605 	if (!!cp->val == hci_dev_test_flag(hdev, HCI_DISCOVERABLE) &&
1606 	    (cp->val == 0x02) == hci_dev_test_flag(hdev,
1607 						   HCI_LIMITED_DISCOVERABLE)) {
1608 		cancel_delayed_work(&hdev->discov_off);
1609 		hdev->discov_timeout = timeout;
1610 
1611 		if (cp->val && hdev->discov_timeout > 0) {
1612 			int to = msecs_to_jiffies(hdev->discov_timeout * 1000);
1613 			queue_delayed_work(hdev->req_workqueue,
1614 					   &hdev->discov_off, to);
1615 		}
1616 
1617 		err = send_settings_rsp(sk, MGMT_OP_SET_DISCOVERABLE, hdev);
1618 		goto failed;
1619 	}
1620 
1621 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_DISCOVERABLE, hdev, data, len);
1622 	if (!cmd) {
1623 		err = -ENOMEM;
1624 		goto failed;
1625 	}
1626 
1627 	/* Cancel any potential discoverable timeout that might be
1628 	 * still active and store new timeout value. The arming of
1629 	 * the timeout happens in the complete handler.
1630 	 */
1631 	cancel_delayed_work(&hdev->discov_off);
1632 	hdev->discov_timeout = timeout;
1633 
1634 	if (cp->val)
1635 		hci_dev_set_flag(hdev, HCI_DISCOVERABLE);
1636 	else
1637 		hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1638 
1639 	/* Limited discoverable mode */
1640 	if (cp->val == 0x02)
1641 		hci_dev_set_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1642 	else
1643 		hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1644 
1645 	err = hci_cmd_sync_queue(hdev, set_discoverable_sync, cmd,
1646 				 mgmt_set_discoverable_complete);
1647 
1648 	if (err < 0)
1649 		mgmt_pending_remove(cmd);
1650 
1651 failed:
1652 	hci_dev_unlock(hdev);
1653 	return err;
1654 }
1655 
1656 static void mgmt_set_connectable_complete(struct hci_dev *hdev, void *data,
1657 					  int err)
1658 {
1659 	struct mgmt_pending_cmd *cmd = data;
1660 
1661 	bt_dev_dbg(hdev, "err %d", err);
1662 
1663 	/* Make sure cmd still outstanding. */
1664 	if (cmd != pending_find(MGMT_OP_SET_CONNECTABLE, hdev))
1665 		return;
1666 
1667 	hci_dev_lock(hdev);
1668 
1669 	if (err) {
1670 		u8 mgmt_err = mgmt_status(err);
1671 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
1672 		goto done;
1673 	}
1674 
1675 	send_settings_rsp(cmd->sk, MGMT_OP_SET_CONNECTABLE, hdev);
1676 	new_settings(hdev, cmd->sk);
1677 
1678 done:
1679 	if (cmd)
1680 		mgmt_pending_remove(cmd);
1681 
1682 	hci_dev_unlock(hdev);
1683 }
1684 
1685 static int set_connectable_update_settings(struct hci_dev *hdev,
1686 					   struct sock *sk, u8 val)
1687 {
1688 	bool changed = false;
1689 	int err;
1690 
1691 	if (!!val != hci_dev_test_flag(hdev, HCI_CONNECTABLE))
1692 		changed = true;
1693 
1694 	if (val) {
1695 		hci_dev_set_flag(hdev, HCI_CONNECTABLE);
1696 	} else {
1697 		hci_dev_clear_flag(hdev, HCI_CONNECTABLE);
1698 		hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1699 	}
1700 
1701 	err = send_settings_rsp(sk, MGMT_OP_SET_CONNECTABLE, hdev);
1702 	if (err < 0)
1703 		return err;
1704 
1705 	if (changed) {
1706 		hci_update_scan(hdev);
1707 		hci_update_passive_scan(hdev);
1708 		return new_settings(hdev, sk);
1709 	}
1710 
1711 	return 0;
1712 }
1713 
1714 static int set_connectable_sync(struct hci_dev *hdev, void *data)
1715 {
1716 	BT_DBG("%s", hdev->name);
1717 
1718 	return hci_update_connectable_sync(hdev);
1719 }
1720 
1721 static int set_connectable(struct sock *sk, struct hci_dev *hdev, void *data,
1722 			   u16 len)
1723 {
1724 	struct mgmt_mode *cp = data;
1725 	struct mgmt_pending_cmd *cmd;
1726 	int err;
1727 
1728 	bt_dev_dbg(hdev, "sock %p", sk);
1729 
1730 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED) &&
1731 	    !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1732 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_CONNECTABLE,
1733 				       MGMT_STATUS_REJECTED);
1734 
1735 	if (cp->val != 0x00 && cp->val != 0x01)
1736 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_CONNECTABLE,
1737 				       MGMT_STATUS_INVALID_PARAMS);
1738 
1739 	hci_dev_lock(hdev);
1740 
1741 	if (!hdev_is_powered(hdev)) {
1742 		err = set_connectable_update_settings(hdev, sk, cp->val);
1743 		goto failed;
1744 	}
1745 
1746 	if (pending_find(MGMT_OP_SET_DISCOVERABLE, hdev) ||
1747 	    pending_find(MGMT_OP_SET_CONNECTABLE, hdev)) {
1748 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_CONNECTABLE,
1749 				      MGMT_STATUS_BUSY);
1750 		goto failed;
1751 	}
1752 
1753 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_CONNECTABLE, hdev, data, len);
1754 	if (!cmd) {
1755 		err = -ENOMEM;
1756 		goto failed;
1757 	}
1758 
1759 	if (cp->val) {
1760 		hci_dev_set_flag(hdev, HCI_CONNECTABLE);
1761 	} else {
1762 		if (hdev->discov_timeout > 0)
1763 			cancel_delayed_work(&hdev->discov_off);
1764 
1765 		hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1766 		hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1767 		hci_dev_clear_flag(hdev, HCI_CONNECTABLE);
1768 	}
1769 
1770 	err = hci_cmd_sync_queue(hdev, set_connectable_sync, cmd,
1771 				 mgmt_set_connectable_complete);
1772 
1773 	if (err < 0)
1774 		mgmt_pending_remove(cmd);
1775 
1776 failed:
1777 	hci_dev_unlock(hdev);
1778 	return err;
1779 }
1780 
1781 static int set_bondable(struct sock *sk, struct hci_dev *hdev, void *data,
1782 			u16 len)
1783 {
1784 	struct mgmt_mode *cp = data;
1785 	bool changed;
1786 	int err;
1787 
1788 	bt_dev_dbg(hdev, "sock %p", sk);
1789 
1790 	if (cp->val != 0x00 && cp->val != 0x01)
1791 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BONDABLE,
1792 				       MGMT_STATUS_INVALID_PARAMS);
1793 
1794 	hci_dev_lock(hdev);
1795 
1796 	if (cp->val)
1797 		changed = !hci_dev_test_and_set_flag(hdev, HCI_BONDABLE);
1798 	else
1799 		changed = hci_dev_test_and_clear_flag(hdev, HCI_BONDABLE);
1800 
1801 	err = send_settings_rsp(sk, MGMT_OP_SET_BONDABLE, hdev);
1802 	if (err < 0)
1803 		goto unlock;
1804 
1805 	if (changed) {
1806 		/* In limited privacy mode the change of bondable mode
1807 		 * may affect the local advertising address.
1808 		 */
1809 		hci_update_discoverable(hdev);
1810 
1811 		err = new_settings(hdev, sk);
1812 	}
1813 
1814 unlock:
1815 	hci_dev_unlock(hdev);
1816 	return err;
1817 }
1818 
1819 static int set_link_security(struct sock *sk, struct hci_dev *hdev, void *data,
1820 			     u16 len)
1821 {
1822 	struct mgmt_mode *cp = data;
1823 	struct mgmt_pending_cmd *cmd;
1824 	u8 val, status;
1825 	int err;
1826 
1827 	bt_dev_dbg(hdev, "sock %p", sk);
1828 
1829 	status = mgmt_bredr_support(hdev);
1830 	if (status)
1831 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY,
1832 				       status);
1833 
1834 	if (cp->val != 0x00 && cp->val != 0x01)
1835 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY,
1836 				       MGMT_STATUS_INVALID_PARAMS);
1837 
1838 	hci_dev_lock(hdev);
1839 
1840 	if (!hdev_is_powered(hdev)) {
1841 		bool changed = false;
1842 
1843 		if (!!cp->val != hci_dev_test_flag(hdev, HCI_LINK_SECURITY)) {
1844 			hci_dev_change_flag(hdev, HCI_LINK_SECURITY);
1845 			changed = true;
1846 		}
1847 
1848 		err = send_settings_rsp(sk, MGMT_OP_SET_LINK_SECURITY, hdev);
1849 		if (err < 0)
1850 			goto failed;
1851 
1852 		if (changed)
1853 			err = new_settings(hdev, sk);
1854 
1855 		goto failed;
1856 	}
1857 
1858 	if (pending_find(MGMT_OP_SET_LINK_SECURITY, hdev)) {
1859 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY,
1860 				      MGMT_STATUS_BUSY);
1861 		goto failed;
1862 	}
1863 
1864 	val = !!cp->val;
1865 
1866 	if (test_bit(HCI_AUTH, &hdev->flags) == val) {
1867 		err = send_settings_rsp(sk, MGMT_OP_SET_LINK_SECURITY, hdev);
1868 		goto failed;
1869 	}
1870 
1871 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_LINK_SECURITY, hdev, data, len);
1872 	if (!cmd) {
1873 		err = -ENOMEM;
1874 		goto failed;
1875 	}
1876 
1877 	err = hci_send_cmd(hdev, HCI_OP_WRITE_AUTH_ENABLE, sizeof(val), &val);
1878 	if (err < 0) {
1879 		mgmt_pending_remove(cmd);
1880 		goto failed;
1881 	}
1882 
1883 failed:
1884 	hci_dev_unlock(hdev);
1885 	return err;
1886 }
1887 
1888 static void set_ssp_complete(struct hci_dev *hdev, void *data, int err)
1889 {
1890 	struct cmd_lookup match = { NULL, hdev };
1891 	struct mgmt_pending_cmd *cmd = data;
1892 	struct mgmt_mode *cp = cmd->param;
1893 	u8 enable = cp->val;
1894 	bool changed;
1895 
1896 	/* Make sure cmd still outstanding. */
1897 	if (cmd != pending_find(MGMT_OP_SET_SSP, hdev))
1898 		return;
1899 
1900 	if (err) {
1901 		u8 mgmt_err = mgmt_status(err);
1902 
1903 		if (enable && hci_dev_test_and_clear_flag(hdev,
1904 							  HCI_SSP_ENABLED)) {
1905 			hci_dev_clear_flag(hdev, HCI_HS_ENABLED);
1906 			new_settings(hdev, NULL);
1907 		}
1908 
1909 		mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, cmd_status_rsp,
1910 				     &mgmt_err);
1911 		return;
1912 	}
1913 
1914 	if (enable) {
1915 		changed = !hci_dev_test_and_set_flag(hdev, HCI_SSP_ENABLED);
1916 	} else {
1917 		changed = hci_dev_test_and_clear_flag(hdev, HCI_SSP_ENABLED);
1918 
1919 		if (!changed)
1920 			changed = hci_dev_test_and_clear_flag(hdev,
1921 							      HCI_HS_ENABLED);
1922 		else
1923 			hci_dev_clear_flag(hdev, HCI_HS_ENABLED);
1924 	}
1925 
1926 	mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, settings_rsp, &match);
1927 
1928 	if (changed)
1929 		new_settings(hdev, match.sk);
1930 
1931 	if (match.sk)
1932 		sock_put(match.sk);
1933 
1934 	hci_update_eir_sync(hdev);
1935 }
1936 
1937 static int set_ssp_sync(struct hci_dev *hdev, void *data)
1938 {
1939 	struct mgmt_pending_cmd *cmd = data;
1940 	struct mgmt_mode *cp = cmd->param;
1941 	bool changed = false;
1942 	int err;
1943 
1944 	if (cp->val)
1945 		changed = !hci_dev_test_and_set_flag(hdev, HCI_SSP_ENABLED);
1946 
1947 	err = hci_write_ssp_mode_sync(hdev, cp->val);
1948 
1949 	if (!err && changed)
1950 		hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
1951 
1952 	return err;
1953 }
1954 
1955 static int set_ssp(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
1956 {
1957 	struct mgmt_mode *cp = data;
1958 	struct mgmt_pending_cmd *cmd;
1959 	u8 status;
1960 	int err;
1961 
1962 	bt_dev_dbg(hdev, "sock %p", sk);
1963 
1964 	status = mgmt_bredr_support(hdev);
1965 	if (status)
1966 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP, status);
1967 
1968 	if (!lmp_ssp_capable(hdev))
1969 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
1970 				       MGMT_STATUS_NOT_SUPPORTED);
1971 
1972 	if (cp->val != 0x00 && cp->val != 0x01)
1973 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
1974 				       MGMT_STATUS_INVALID_PARAMS);
1975 
1976 	hci_dev_lock(hdev);
1977 
1978 	if (!hdev_is_powered(hdev)) {
1979 		bool changed;
1980 
1981 		if (cp->val) {
1982 			changed = !hci_dev_test_and_set_flag(hdev,
1983 							     HCI_SSP_ENABLED);
1984 		} else {
1985 			changed = hci_dev_test_and_clear_flag(hdev,
1986 							      HCI_SSP_ENABLED);
1987 			if (!changed)
1988 				changed = hci_dev_test_and_clear_flag(hdev,
1989 								      HCI_HS_ENABLED);
1990 			else
1991 				hci_dev_clear_flag(hdev, HCI_HS_ENABLED);
1992 		}
1993 
1994 		err = send_settings_rsp(sk, MGMT_OP_SET_SSP, hdev);
1995 		if (err < 0)
1996 			goto failed;
1997 
1998 		if (changed)
1999 			err = new_settings(hdev, sk);
2000 
2001 		goto failed;
2002 	}
2003 
2004 	if (pending_find(MGMT_OP_SET_SSP, hdev)) {
2005 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
2006 				      MGMT_STATUS_BUSY);
2007 		goto failed;
2008 	}
2009 
2010 	if (!!cp->val == hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
2011 		err = send_settings_rsp(sk, MGMT_OP_SET_SSP, hdev);
2012 		goto failed;
2013 	}
2014 
2015 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_SSP, hdev, data, len);
2016 	if (!cmd)
2017 		err = -ENOMEM;
2018 	else
2019 		err = hci_cmd_sync_queue(hdev, set_ssp_sync, cmd,
2020 					 set_ssp_complete);
2021 
2022 	if (err < 0) {
2023 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
2024 				      MGMT_STATUS_FAILED);
2025 
2026 		if (cmd)
2027 			mgmt_pending_remove(cmd);
2028 	}
2029 
2030 failed:
2031 	hci_dev_unlock(hdev);
2032 	return err;
2033 }
2034 
2035 static int set_hs(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
2036 {
2037 	struct mgmt_mode *cp = data;
2038 	bool changed;
2039 	u8 status;
2040 	int err;
2041 
2042 	bt_dev_dbg(hdev, "sock %p", sk);
2043 
2044 	if (!IS_ENABLED(CONFIG_BT_HS))
2045 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
2046 				       MGMT_STATUS_NOT_SUPPORTED);
2047 
2048 	status = mgmt_bredr_support(hdev);
2049 	if (status)
2050 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS, status);
2051 
2052 	if (!lmp_ssp_capable(hdev))
2053 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
2054 				       MGMT_STATUS_NOT_SUPPORTED);
2055 
2056 	if (!hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
2057 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
2058 				       MGMT_STATUS_REJECTED);
2059 
2060 	if (cp->val != 0x00 && cp->val != 0x01)
2061 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
2062 				       MGMT_STATUS_INVALID_PARAMS);
2063 
2064 	hci_dev_lock(hdev);
2065 
2066 	if (pending_find(MGMT_OP_SET_SSP, hdev)) {
2067 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
2068 				      MGMT_STATUS_BUSY);
2069 		goto unlock;
2070 	}
2071 
2072 	if (cp->val) {
2073 		changed = !hci_dev_test_and_set_flag(hdev, HCI_HS_ENABLED);
2074 	} else {
2075 		if (hdev_is_powered(hdev)) {
2076 			err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
2077 					      MGMT_STATUS_REJECTED);
2078 			goto unlock;
2079 		}
2080 
2081 		changed = hci_dev_test_and_clear_flag(hdev, HCI_HS_ENABLED);
2082 	}
2083 
2084 	err = send_settings_rsp(sk, MGMT_OP_SET_HS, hdev);
2085 	if (err < 0)
2086 		goto unlock;
2087 
2088 	if (changed)
2089 		err = new_settings(hdev, sk);
2090 
2091 unlock:
2092 	hci_dev_unlock(hdev);
2093 	return err;
2094 }
2095 
2096 static void set_le_complete(struct hci_dev *hdev, void *data, int err)
2097 {
2098 	struct cmd_lookup match = { NULL, hdev };
2099 	u8 status = mgmt_status(err);
2100 
2101 	bt_dev_dbg(hdev, "err %d", err);
2102 
2103 	if (status) {
2104 		mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, cmd_status_rsp,
2105 							&status);
2106 		return;
2107 	}
2108 
2109 	mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, settings_rsp, &match);
2110 
2111 	new_settings(hdev, match.sk);
2112 
2113 	if (match.sk)
2114 		sock_put(match.sk);
2115 }
2116 
2117 static int set_le_sync(struct hci_dev *hdev, void *data)
2118 {
2119 	struct mgmt_pending_cmd *cmd = data;
2120 	struct mgmt_mode *cp = cmd->param;
2121 	u8 val = !!cp->val;
2122 	int err;
2123 
2124 	if (!val) {
2125 		hci_clear_adv_instance_sync(hdev, NULL, 0x00, true);
2126 
2127 		if (hci_dev_test_flag(hdev, HCI_LE_ADV))
2128 			hci_disable_advertising_sync(hdev);
2129 
2130 		if (ext_adv_capable(hdev))
2131 			hci_remove_ext_adv_instance_sync(hdev, 0, cmd->sk);
2132 	} else {
2133 		hci_dev_set_flag(hdev, HCI_LE_ENABLED);
2134 	}
2135 
2136 	err = hci_write_le_host_supported_sync(hdev, val, 0);
2137 
2138 	/* Make sure the controller has a good default for
2139 	 * advertising data. Restrict the update to when LE
2140 	 * has actually been enabled. During power on, the
2141 	 * update in powered_update_hci will take care of it.
2142 	 */
2143 	if (!err && hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
2144 		if (ext_adv_capable(hdev)) {
2145 			int status;
2146 
2147 			status = hci_setup_ext_adv_instance_sync(hdev, 0x00);
2148 			if (!status)
2149 				hci_update_scan_rsp_data_sync(hdev, 0x00);
2150 		} else {
2151 			hci_update_adv_data_sync(hdev, 0x00);
2152 			hci_update_scan_rsp_data_sync(hdev, 0x00);
2153 		}
2154 
2155 		hci_update_passive_scan(hdev);
2156 	}
2157 
2158 	return err;
2159 }
2160 
2161 static void set_mesh_complete(struct hci_dev *hdev, void *data, int err)
2162 {
2163 	struct mgmt_pending_cmd *cmd = data;
2164 	u8 status = mgmt_status(err);
2165 	struct sock *sk = cmd->sk;
2166 
2167 	if (status) {
2168 		mgmt_pending_foreach(MGMT_OP_SET_MESH_RECEIVER, hdev,
2169 				     cmd_status_rsp, &status);
2170 		return;
2171 	}
2172 
2173 	mgmt_pending_remove(cmd);
2174 	mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER, 0, NULL, 0);
2175 }
2176 
2177 static int set_mesh_sync(struct hci_dev *hdev, void *data)
2178 {
2179 	struct mgmt_pending_cmd *cmd = data;
2180 	struct mgmt_cp_set_mesh *cp = cmd->param;
2181 	size_t len = cmd->param_len;
2182 
2183 	memset(hdev->mesh_ad_types, 0, sizeof(hdev->mesh_ad_types));
2184 
2185 	if (cp->enable)
2186 		hci_dev_set_flag(hdev, HCI_MESH);
2187 	else
2188 		hci_dev_clear_flag(hdev, HCI_MESH);
2189 
2190 	len -= sizeof(*cp);
2191 
2192 	/* If filters don't fit, forward all adv pkts */
2193 	if (len <= sizeof(hdev->mesh_ad_types))
2194 		memcpy(hdev->mesh_ad_types, cp->ad_types, len);
2195 
2196 	hci_update_passive_scan_sync(hdev);
2197 	return 0;
2198 }
2199 
2200 static int set_mesh(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
2201 {
2202 	struct mgmt_cp_set_mesh *cp = data;
2203 	struct mgmt_pending_cmd *cmd;
2204 	int err = 0;
2205 
2206 	bt_dev_dbg(hdev, "sock %p", sk);
2207 
2208 	if (!lmp_le_capable(hdev) ||
2209 	    !hci_dev_test_flag(hdev, HCI_MESH_EXPERIMENTAL))
2210 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER,
2211 				       MGMT_STATUS_NOT_SUPPORTED);
2212 
2213 	if (cp->enable != 0x00 && cp->enable != 0x01)
2214 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER,
2215 				       MGMT_STATUS_INVALID_PARAMS);
2216 
2217 	hci_dev_lock(hdev);
2218 
2219 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_MESH_RECEIVER, hdev, data, len);
2220 	if (!cmd)
2221 		err = -ENOMEM;
2222 	else
2223 		err = hci_cmd_sync_queue(hdev, set_mesh_sync, cmd,
2224 					 set_mesh_complete);
2225 
2226 	if (err < 0) {
2227 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER,
2228 				      MGMT_STATUS_FAILED);
2229 
2230 		if (cmd)
2231 			mgmt_pending_remove(cmd);
2232 	}
2233 
2234 	hci_dev_unlock(hdev);
2235 	return err;
2236 }
2237 
2238 static void mesh_send_start_complete(struct hci_dev *hdev, void *data, int err)
2239 {
2240 	struct mgmt_mesh_tx *mesh_tx = data;
2241 	struct mgmt_cp_mesh_send *send = (void *)mesh_tx->param;
2242 	unsigned long mesh_send_interval;
2243 	u8 mgmt_err = mgmt_status(err);
2244 
2245 	/* Report any errors here, but don't report completion */
2246 
2247 	if (mgmt_err) {
2248 		hci_dev_clear_flag(hdev, HCI_MESH_SENDING);
2249 		/* Send Complete Error Code for handle */
2250 		mesh_send_complete(hdev, mesh_tx, false);
2251 		return;
2252 	}
2253 
2254 	mesh_send_interval = msecs_to_jiffies((send->cnt) * 25);
2255 	queue_delayed_work(hdev->req_workqueue, &hdev->mesh_send_done,
2256 			   mesh_send_interval);
2257 }
2258 
2259 static int mesh_send_sync(struct hci_dev *hdev, void *data)
2260 {
2261 	struct mgmt_mesh_tx *mesh_tx = data;
2262 	struct mgmt_cp_mesh_send *send = (void *)mesh_tx->param;
2263 	struct adv_info *adv, *next_instance;
2264 	u8 instance = hdev->le_num_of_adv_sets + 1;
2265 	u16 timeout, duration;
2266 	int err = 0;
2267 
2268 	if (hdev->le_num_of_adv_sets <= hdev->adv_instance_cnt)
2269 		return MGMT_STATUS_BUSY;
2270 
2271 	timeout = 1000;
2272 	duration = send->cnt * INTERVAL_TO_MS(hdev->le_adv_max_interval);
2273 	adv = hci_add_adv_instance(hdev, instance, 0,
2274 				   send->adv_data_len, send->adv_data,
2275 				   0, NULL,
2276 				   timeout, duration,
2277 				   HCI_ADV_TX_POWER_NO_PREFERENCE,
2278 				   hdev->le_adv_min_interval,
2279 				   hdev->le_adv_max_interval,
2280 				   mesh_tx->handle);
2281 
2282 	if (!IS_ERR(adv))
2283 		mesh_tx->instance = instance;
2284 	else
2285 		err = PTR_ERR(adv);
2286 
2287 	if (hdev->cur_adv_instance == instance) {
2288 		/* If the currently advertised instance is being changed then
2289 		 * cancel the current advertising and schedule the next
2290 		 * instance. If there is only one instance then the overridden
2291 		 * advertising data will be visible right away.
2292 		 */
2293 		cancel_adv_timeout(hdev);
2294 
2295 		next_instance = hci_get_next_instance(hdev, instance);
2296 		if (next_instance)
2297 			instance = next_instance->instance;
2298 		else
2299 			instance = 0;
2300 	} else if (hdev->adv_instance_timeout) {
2301 		/* Immediately advertise the new instance if no other, or
2302 		 * let it go naturally from queue if ADV is already happening
2303 		 */
2304 		instance = 0;
2305 	}
2306 
2307 	if (instance)
2308 		return hci_schedule_adv_instance_sync(hdev, instance, true);
2309 
2310 	return err;
2311 }
2312 
2313 static void send_count(struct mgmt_mesh_tx *mesh_tx, void *data)
2314 {
2315 	struct mgmt_rp_mesh_read_features *rp = data;
2316 
2317 	if (rp->used_handles >= rp->max_handles)
2318 		return;
2319 
2320 	rp->handles[rp->used_handles++] = mesh_tx->handle;
2321 }
2322 
2323 static int mesh_features(struct sock *sk, struct hci_dev *hdev,
2324 			 void *data, u16 len)
2325 {
2326 	struct mgmt_rp_mesh_read_features rp;
2327 
2328 	if (!lmp_le_capable(hdev) ||
2329 	    !hci_dev_test_flag(hdev, HCI_MESH_EXPERIMENTAL))
2330 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_MESH_READ_FEATURES,
2331 				       MGMT_STATUS_NOT_SUPPORTED);
2332 
2333 	memset(&rp, 0, sizeof(rp));
2334 	rp.index = cpu_to_le16(hdev->id);
2335 	if (hci_dev_test_flag(hdev, HCI_LE_ENABLED))
2336 		rp.max_handles = MESH_HANDLES_MAX;
2337 
2338 	hci_dev_lock(hdev);
2339 
2340 	if (rp.max_handles)
2341 		mgmt_mesh_foreach(hdev, send_count, &rp, sk);
2342 
2343 	mgmt_cmd_complete(sk, hdev->id, MGMT_OP_MESH_READ_FEATURES, 0, &rp,
2344 			  rp.used_handles + sizeof(rp) - MESH_HANDLES_MAX);
2345 
2346 	hci_dev_unlock(hdev);
2347 	return 0;
2348 }
2349 
2350 static int send_cancel(struct hci_dev *hdev, void *data)
2351 {
2352 	struct mgmt_pending_cmd *cmd = data;
2353 	struct mgmt_cp_mesh_send_cancel *cancel = (void *)cmd->param;
2354 	struct mgmt_mesh_tx *mesh_tx;
2355 
2356 	if (!cancel->handle) {
2357 		do {
2358 			mesh_tx = mgmt_mesh_next(hdev, cmd->sk);
2359 
2360 			if (mesh_tx)
2361 				mesh_send_complete(hdev, mesh_tx, false);
2362 		} while (mesh_tx);
2363 	} else {
2364 		mesh_tx = mgmt_mesh_find(hdev, cancel->handle);
2365 
2366 		if (mesh_tx && mesh_tx->sk == cmd->sk)
2367 			mesh_send_complete(hdev, mesh_tx, false);
2368 	}
2369 
2370 	mgmt_cmd_complete(cmd->sk, hdev->id, MGMT_OP_MESH_SEND_CANCEL,
2371 			  0, NULL, 0);
2372 	mgmt_pending_free(cmd);
2373 
2374 	return 0;
2375 }
2376 
2377 static int mesh_send_cancel(struct sock *sk, struct hci_dev *hdev,
2378 			    void *data, u16 len)
2379 {
2380 	struct mgmt_pending_cmd *cmd;
2381 	int err;
2382 
2383 	if (!lmp_le_capable(hdev) ||
2384 	    !hci_dev_test_flag(hdev, HCI_MESH_EXPERIMENTAL))
2385 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_MESH_SEND_CANCEL,
2386 				       MGMT_STATUS_NOT_SUPPORTED);
2387 
2388 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
2389 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_MESH_SEND_CANCEL,
2390 				       MGMT_STATUS_REJECTED);
2391 
2392 	hci_dev_lock(hdev);
2393 	cmd = mgmt_pending_new(sk, MGMT_OP_MESH_SEND_CANCEL, hdev, data, len);
2394 	if (!cmd)
2395 		err = -ENOMEM;
2396 	else
2397 		err = hci_cmd_sync_queue(hdev, send_cancel, cmd, NULL);
2398 
2399 	if (err < 0) {
2400 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_MESH_SEND_CANCEL,
2401 				      MGMT_STATUS_FAILED);
2402 
2403 		if (cmd)
2404 			mgmt_pending_free(cmd);
2405 	}
2406 
2407 	hci_dev_unlock(hdev);
2408 	return err;
2409 }
2410 
2411 static int mesh_send(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
2412 {
2413 	struct mgmt_mesh_tx *mesh_tx;
2414 	struct mgmt_cp_mesh_send *send = data;
2415 	struct mgmt_rp_mesh_read_features rp;
2416 	bool sending;
2417 	int err = 0;
2418 
2419 	if (!lmp_le_capable(hdev) ||
2420 	    !hci_dev_test_flag(hdev, HCI_MESH_EXPERIMENTAL))
2421 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_MESH_SEND,
2422 				       MGMT_STATUS_NOT_SUPPORTED);
2423 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED) ||
2424 	    len <= MGMT_MESH_SEND_SIZE ||
2425 	    len > (MGMT_MESH_SEND_SIZE + 31))
2426 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_MESH_SEND,
2427 				       MGMT_STATUS_REJECTED);
2428 
2429 	hci_dev_lock(hdev);
2430 
2431 	memset(&rp, 0, sizeof(rp));
2432 	rp.max_handles = MESH_HANDLES_MAX;
2433 
2434 	mgmt_mesh_foreach(hdev, send_count, &rp, sk);
2435 
2436 	if (rp.max_handles <= rp.used_handles) {
2437 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_MESH_SEND,
2438 				      MGMT_STATUS_BUSY);
2439 		goto done;
2440 	}
2441 
2442 	sending = hci_dev_test_flag(hdev, HCI_MESH_SENDING);
2443 	mesh_tx = mgmt_mesh_add(sk, hdev, send, len);
2444 
2445 	if (!mesh_tx)
2446 		err = -ENOMEM;
2447 	else if (!sending)
2448 		err = hci_cmd_sync_queue(hdev, mesh_send_sync, mesh_tx,
2449 					 mesh_send_start_complete);
2450 
2451 	if (err < 0) {
2452 		bt_dev_err(hdev, "Send Mesh Failed %d", err);
2453 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_MESH_SEND,
2454 				      MGMT_STATUS_FAILED);
2455 
2456 		if (mesh_tx) {
2457 			if (sending)
2458 				mgmt_mesh_remove(mesh_tx);
2459 		}
2460 	} else {
2461 		hci_dev_set_flag(hdev, HCI_MESH_SENDING);
2462 
2463 		mgmt_cmd_complete(sk, hdev->id, MGMT_OP_MESH_SEND, 0,
2464 				  &mesh_tx->handle, 1);
2465 	}
2466 
2467 done:
2468 	hci_dev_unlock(hdev);
2469 	return err;
2470 }
2471 
2472 static int set_le(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
2473 {
2474 	struct mgmt_mode *cp = data;
2475 	struct mgmt_pending_cmd *cmd;
2476 	int err;
2477 	u8 val, enabled;
2478 
2479 	bt_dev_dbg(hdev, "sock %p", sk);
2480 
2481 	if (!lmp_le_capable(hdev))
2482 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
2483 				       MGMT_STATUS_NOT_SUPPORTED);
2484 
2485 	if (cp->val != 0x00 && cp->val != 0x01)
2486 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
2487 				       MGMT_STATUS_INVALID_PARAMS);
2488 
2489 	/* Bluetooth single mode LE only controllers or dual-mode
2490 	 * controllers configured as LE only devices, do not allow
2491 	 * switching LE off. These have either LE enabled explicitly
2492 	 * or BR/EDR has been previously switched off.
2493 	 *
2494 	 * When trying to enable an already enabled LE, then gracefully
2495 	 * send a positive response. Trying to disable it however will
2496 	 * result into rejection.
2497 	 */
2498 	if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
2499 		if (cp->val == 0x01)
2500 			return send_settings_rsp(sk, MGMT_OP_SET_LE, hdev);
2501 
2502 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
2503 				       MGMT_STATUS_REJECTED);
2504 	}
2505 
2506 	hci_dev_lock(hdev);
2507 
2508 	val = !!cp->val;
2509 	enabled = lmp_host_le_capable(hdev);
2510 
2511 	if (!hdev_is_powered(hdev) || val == enabled) {
2512 		bool changed = false;
2513 
2514 		if (val != hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
2515 			hci_dev_change_flag(hdev, HCI_LE_ENABLED);
2516 			changed = true;
2517 		}
2518 
2519 		if (!val && hci_dev_test_flag(hdev, HCI_ADVERTISING)) {
2520 			hci_dev_clear_flag(hdev, HCI_ADVERTISING);
2521 			changed = true;
2522 		}
2523 
2524 		err = send_settings_rsp(sk, MGMT_OP_SET_LE, hdev);
2525 		if (err < 0)
2526 			goto unlock;
2527 
2528 		if (changed)
2529 			err = new_settings(hdev, sk);
2530 
2531 		goto unlock;
2532 	}
2533 
2534 	if (pending_find(MGMT_OP_SET_LE, hdev) ||
2535 	    pending_find(MGMT_OP_SET_ADVERTISING, hdev)) {
2536 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
2537 				      MGMT_STATUS_BUSY);
2538 		goto unlock;
2539 	}
2540 
2541 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_LE, hdev, data, len);
2542 	if (!cmd)
2543 		err = -ENOMEM;
2544 	else
2545 		err = hci_cmd_sync_queue(hdev, set_le_sync, cmd,
2546 					 set_le_complete);
2547 
2548 	if (err < 0) {
2549 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
2550 				      MGMT_STATUS_FAILED);
2551 
2552 		if (cmd)
2553 			mgmt_pending_remove(cmd);
2554 	}
2555 
2556 unlock:
2557 	hci_dev_unlock(hdev);
2558 	return err;
2559 }
2560 
2561 /* This is a helper function to test for pending mgmt commands that can
2562  * cause CoD or EIR HCI commands. We can only allow one such pending
2563  * mgmt command at a time since otherwise we cannot easily track what
2564  * the current values are, will be, and based on that calculate if a new
2565  * HCI command needs to be sent and if yes with what value.
2566  */
2567 static bool pending_eir_or_class(struct hci_dev *hdev)
2568 {
2569 	struct mgmt_pending_cmd *cmd;
2570 
2571 	list_for_each_entry(cmd, &hdev->mgmt_pending, list) {
2572 		switch (cmd->opcode) {
2573 		case MGMT_OP_ADD_UUID:
2574 		case MGMT_OP_REMOVE_UUID:
2575 		case MGMT_OP_SET_DEV_CLASS:
2576 		case MGMT_OP_SET_POWERED:
2577 			return true;
2578 		}
2579 	}
2580 
2581 	return false;
2582 }
2583 
2584 static const u8 bluetooth_base_uuid[] = {
2585 			0xfb, 0x34, 0x9b, 0x5f, 0x80, 0x00, 0x00, 0x80,
2586 			0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2587 };
2588 
2589 static u8 get_uuid_size(const u8 *uuid)
2590 {
2591 	u32 val;
2592 
2593 	if (memcmp(uuid, bluetooth_base_uuid, 12))
2594 		return 128;
2595 
2596 	val = get_unaligned_le32(&uuid[12]);
2597 	if (val > 0xffff)
2598 		return 32;
2599 
2600 	return 16;
2601 }
2602 
2603 static void mgmt_class_complete(struct hci_dev *hdev, void *data, int err)
2604 {
2605 	struct mgmt_pending_cmd *cmd = data;
2606 
2607 	bt_dev_dbg(hdev, "err %d", err);
2608 
2609 	mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
2610 			  mgmt_status(err), hdev->dev_class, 3);
2611 
2612 	mgmt_pending_free(cmd);
2613 }
2614 
2615 static int add_uuid_sync(struct hci_dev *hdev, void *data)
2616 {
2617 	int err;
2618 
2619 	err = hci_update_class_sync(hdev);
2620 	if (err)
2621 		return err;
2622 
2623 	return hci_update_eir_sync(hdev);
2624 }
2625 
2626 static int add_uuid(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
2627 {
2628 	struct mgmt_cp_add_uuid *cp = data;
2629 	struct mgmt_pending_cmd *cmd;
2630 	struct bt_uuid *uuid;
2631 	int err;
2632 
2633 	bt_dev_dbg(hdev, "sock %p", sk);
2634 
2635 	hci_dev_lock(hdev);
2636 
2637 	if (pending_eir_or_class(hdev)) {
2638 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_UUID,
2639 				      MGMT_STATUS_BUSY);
2640 		goto failed;
2641 	}
2642 
2643 	uuid = kmalloc(sizeof(*uuid), GFP_KERNEL);
2644 	if (!uuid) {
2645 		err = -ENOMEM;
2646 		goto failed;
2647 	}
2648 
2649 	memcpy(uuid->uuid, cp->uuid, 16);
2650 	uuid->svc_hint = cp->svc_hint;
2651 	uuid->size = get_uuid_size(cp->uuid);
2652 
2653 	list_add_tail(&uuid->list, &hdev->uuids);
2654 
2655 	cmd = mgmt_pending_new(sk, MGMT_OP_ADD_UUID, hdev, data, len);
2656 	if (!cmd) {
2657 		err = -ENOMEM;
2658 		goto failed;
2659 	}
2660 
2661 	err = hci_cmd_sync_queue(hdev, add_uuid_sync, cmd, mgmt_class_complete);
2662 	if (err < 0) {
2663 		mgmt_pending_free(cmd);
2664 		goto failed;
2665 	}
2666 
2667 failed:
2668 	hci_dev_unlock(hdev);
2669 	return err;
2670 }
2671 
2672 static bool enable_service_cache(struct hci_dev *hdev)
2673 {
2674 	if (!hdev_is_powered(hdev))
2675 		return false;
2676 
2677 	if (!hci_dev_test_and_set_flag(hdev, HCI_SERVICE_CACHE)) {
2678 		queue_delayed_work(hdev->workqueue, &hdev->service_cache,
2679 				   CACHE_TIMEOUT);
2680 		return true;
2681 	}
2682 
2683 	return false;
2684 }
2685 
2686 static int remove_uuid_sync(struct hci_dev *hdev, void *data)
2687 {
2688 	int err;
2689 
2690 	err = hci_update_class_sync(hdev);
2691 	if (err)
2692 		return err;
2693 
2694 	return hci_update_eir_sync(hdev);
2695 }
2696 
2697 static int remove_uuid(struct sock *sk, struct hci_dev *hdev, void *data,
2698 		       u16 len)
2699 {
2700 	struct mgmt_cp_remove_uuid *cp = data;
2701 	struct mgmt_pending_cmd *cmd;
2702 	struct bt_uuid *match, *tmp;
2703 	static const u8 bt_uuid_any[] = {
2704 		0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
2705 	};
2706 	int err, found;
2707 
2708 	bt_dev_dbg(hdev, "sock %p", sk);
2709 
2710 	hci_dev_lock(hdev);
2711 
2712 	if (pending_eir_or_class(hdev)) {
2713 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_UUID,
2714 				      MGMT_STATUS_BUSY);
2715 		goto unlock;
2716 	}
2717 
2718 	if (memcmp(cp->uuid, bt_uuid_any, 16) == 0) {
2719 		hci_uuids_clear(hdev);
2720 
2721 		if (enable_service_cache(hdev)) {
2722 			err = mgmt_cmd_complete(sk, hdev->id,
2723 						MGMT_OP_REMOVE_UUID,
2724 						0, hdev->dev_class, 3);
2725 			goto unlock;
2726 		}
2727 
2728 		goto update_class;
2729 	}
2730 
2731 	found = 0;
2732 
2733 	list_for_each_entry_safe(match, tmp, &hdev->uuids, list) {
2734 		if (memcmp(match->uuid, cp->uuid, 16) != 0)
2735 			continue;
2736 
2737 		list_del(&match->list);
2738 		kfree(match);
2739 		found++;
2740 	}
2741 
2742 	if (found == 0) {
2743 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_UUID,
2744 				      MGMT_STATUS_INVALID_PARAMS);
2745 		goto unlock;
2746 	}
2747 
2748 update_class:
2749 	cmd = mgmt_pending_new(sk, MGMT_OP_REMOVE_UUID, hdev, data, len);
2750 	if (!cmd) {
2751 		err = -ENOMEM;
2752 		goto unlock;
2753 	}
2754 
2755 	err = hci_cmd_sync_queue(hdev, remove_uuid_sync, cmd,
2756 				 mgmt_class_complete);
2757 	if (err < 0)
2758 		mgmt_pending_free(cmd);
2759 
2760 unlock:
2761 	hci_dev_unlock(hdev);
2762 	return err;
2763 }
2764 
2765 static int set_class_sync(struct hci_dev *hdev, void *data)
2766 {
2767 	int err = 0;
2768 
2769 	if (hci_dev_test_and_clear_flag(hdev, HCI_SERVICE_CACHE)) {
2770 		cancel_delayed_work_sync(&hdev->service_cache);
2771 		err = hci_update_eir_sync(hdev);
2772 	}
2773 
2774 	if (err)
2775 		return err;
2776 
2777 	return hci_update_class_sync(hdev);
2778 }
2779 
2780 static int set_dev_class(struct sock *sk, struct hci_dev *hdev, void *data,
2781 			 u16 len)
2782 {
2783 	struct mgmt_cp_set_dev_class *cp = data;
2784 	struct mgmt_pending_cmd *cmd;
2785 	int err;
2786 
2787 	bt_dev_dbg(hdev, "sock %p", sk);
2788 
2789 	if (!lmp_bredr_capable(hdev))
2790 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEV_CLASS,
2791 				       MGMT_STATUS_NOT_SUPPORTED);
2792 
2793 	hci_dev_lock(hdev);
2794 
2795 	if (pending_eir_or_class(hdev)) {
2796 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEV_CLASS,
2797 				      MGMT_STATUS_BUSY);
2798 		goto unlock;
2799 	}
2800 
2801 	if ((cp->minor & 0x03) != 0 || (cp->major & 0xe0) != 0) {
2802 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEV_CLASS,
2803 				      MGMT_STATUS_INVALID_PARAMS);
2804 		goto unlock;
2805 	}
2806 
2807 	hdev->major_class = cp->major;
2808 	hdev->minor_class = cp->minor;
2809 
2810 	if (!hdev_is_powered(hdev)) {
2811 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_DEV_CLASS, 0,
2812 					hdev->dev_class, 3);
2813 		goto unlock;
2814 	}
2815 
2816 	cmd = mgmt_pending_new(sk, MGMT_OP_SET_DEV_CLASS, hdev, data, len);
2817 	if (!cmd) {
2818 		err = -ENOMEM;
2819 		goto unlock;
2820 	}
2821 
2822 	err = hci_cmd_sync_queue(hdev, set_class_sync, cmd,
2823 				 mgmt_class_complete);
2824 	if (err < 0)
2825 		mgmt_pending_free(cmd);
2826 
2827 unlock:
2828 	hci_dev_unlock(hdev);
2829 	return err;
2830 }
2831 
2832 static int load_link_keys(struct sock *sk, struct hci_dev *hdev, void *data,
2833 			  u16 len)
2834 {
2835 	struct mgmt_cp_load_link_keys *cp = data;
2836 	const u16 max_key_count = ((U16_MAX - sizeof(*cp)) /
2837 				   sizeof(struct mgmt_link_key_info));
2838 	u16 key_count, expected_len;
2839 	bool changed;
2840 	int i;
2841 
2842 	bt_dev_dbg(hdev, "sock %p", sk);
2843 
2844 	if (!lmp_bredr_capable(hdev))
2845 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2846 				       MGMT_STATUS_NOT_SUPPORTED);
2847 
2848 	key_count = __le16_to_cpu(cp->key_count);
2849 	if (key_count > max_key_count) {
2850 		bt_dev_err(hdev, "load_link_keys: too big key_count value %u",
2851 			   key_count);
2852 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2853 				       MGMT_STATUS_INVALID_PARAMS);
2854 	}
2855 
2856 	expected_len = struct_size(cp, keys, key_count);
2857 	if (expected_len != len) {
2858 		bt_dev_err(hdev, "load_link_keys: expected %u bytes, got %u bytes",
2859 			   expected_len, len);
2860 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2861 				       MGMT_STATUS_INVALID_PARAMS);
2862 	}
2863 
2864 	if (cp->debug_keys != 0x00 && cp->debug_keys != 0x01)
2865 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2866 				       MGMT_STATUS_INVALID_PARAMS);
2867 
2868 	bt_dev_dbg(hdev, "debug_keys %u key_count %u", cp->debug_keys,
2869 		   key_count);
2870 
2871 	for (i = 0; i < key_count; i++) {
2872 		struct mgmt_link_key_info *key = &cp->keys[i];
2873 
2874 		if (key->addr.type != BDADDR_BREDR || key->type > 0x08)
2875 			return mgmt_cmd_status(sk, hdev->id,
2876 					       MGMT_OP_LOAD_LINK_KEYS,
2877 					       MGMT_STATUS_INVALID_PARAMS);
2878 	}
2879 
2880 	hci_dev_lock(hdev);
2881 
2882 	hci_link_keys_clear(hdev);
2883 
2884 	if (cp->debug_keys)
2885 		changed = !hci_dev_test_and_set_flag(hdev, HCI_KEEP_DEBUG_KEYS);
2886 	else
2887 		changed = hci_dev_test_and_clear_flag(hdev,
2888 						      HCI_KEEP_DEBUG_KEYS);
2889 
2890 	if (changed)
2891 		new_settings(hdev, NULL);
2892 
2893 	for (i = 0; i < key_count; i++) {
2894 		struct mgmt_link_key_info *key = &cp->keys[i];
2895 
2896 		if (hci_is_blocked_key(hdev,
2897 				       HCI_BLOCKED_KEY_TYPE_LINKKEY,
2898 				       key->val)) {
2899 			bt_dev_warn(hdev, "Skipping blocked link key for %pMR",
2900 				    &key->addr.bdaddr);
2901 			continue;
2902 		}
2903 
2904 		/* Always ignore debug keys and require a new pairing if
2905 		 * the user wants to use them.
2906 		 */
2907 		if (key->type == HCI_LK_DEBUG_COMBINATION)
2908 			continue;
2909 
2910 		hci_add_link_key(hdev, NULL, &key->addr.bdaddr, key->val,
2911 				 key->type, key->pin_len, NULL);
2912 	}
2913 
2914 	mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS, 0, NULL, 0);
2915 
2916 	hci_dev_unlock(hdev);
2917 
2918 	return 0;
2919 }
2920 
2921 static int device_unpaired(struct hci_dev *hdev, bdaddr_t *bdaddr,
2922 			   u8 addr_type, struct sock *skip_sk)
2923 {
2924 	struct mgmt_ev_device_unpaired ev;
2925 
2926 	bacpy(&ev.addr.bdaddr, bdaddr);
2927 	ev.addr.type = addr_type;
2928 
2929 	return mgmt_event(MGMT_EV_DEVICE_UNPAIRED, hdev, &ev, sizeof(ev),
2930 			  skip_sk);
2931 }
2932 
2933 static void unpair_device_complete(struct hci_dev *hdev, void *data, int err)
2934 {
2935 	struct mgmt_pending_cmd *cmd = data;
2936 	struct mgmt_cp_unpair_device *cp = cmd->param;
2937 
2938 	if (!err)
2939 		device_unpaired(hdev, &cp->addr.bdaddr, cp->addr.type, cmd->sk);
2940 
2941 	cmd->cmd_complete(cmd, err);
2942 	mgmt_pending_free(cmd);
2943 }
2944 
2945 static int unpair_device_sync(struct hci_dev *hdev, void *data)
2946 {
2947 	struct mgmt_pending_cmd *cmd = data;
2948 	struct mgmt_cp_unpair_device *cp = cmd->param;
2949 	struct hci_conn *conn;
2950 
2951 	if (cp->addr.type == BDADDR_BREDR)
2952 		conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
2953 					       &cp->addr.bdaddr);
2954 	else
2955 		conn = hci_conn_hash_lookup_le(hdev, &cp->addr.bdaddr,
2956 					       le_addr_type(cp->addr.type));
2957 
2958 	if (!conn)
2959 		return 0;
2960 
2961 	return hci_abort_conn_sync(hdev, conn, HCI_ERROR_REMOTE_USER_TERM);
2962 }
2963 
2964 static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2965 			 u16 len)
2966 {
2967 	struct mgmt_cp_unpair_device *cp = data;
2968 	struct mgmt_rp_unpair_device rp;
2969 	struct hci_conn_params *params;
2970 	struct mgmt_pending_cmd *cmd;
2971 	struct hci_conn *conn;
2972 	u8 addr_type;
2973 	int err;
2974 
2975 	memset(&rp, 0, sizeof(rp));
2976 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
2977 	rp.addr.type = cp->addr.type;
2978 
2979 	if (!bdaddr_type_is_valid(cp->addr.type))
2980 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2981 					 MGMT_STATUS_INVALID_PARAMS,
2982 					 &rp, sizeof(rp));
2983 
2984 	if (cp->disconnect != 0x00 && cp->disconnect != 0x01)
2985 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2986 					 MGMT_STATUS_INVALID_PARAMS,
2987 					 &rp, sizeof(rp));
2988 
2989 	hci_dev_lock(hdev);
2990 
2991 	if (!hdev_is_powered(hdev)) {
2992 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2993 					MGMT_STATUS_NOT_POWERED, &rp,
2994 					sizeof(rp));
2995 		goto unlock;
2996 	}
2997 
2998 	if (cp->addr.type == BDADDR_BREDR) {
2999 		/* If disconnection is requested, then look up the
3000 		 * connection. If the remote device is connected, it
3001 		 * will be later used to terminate the link.
3002 		 *
3003 		 * Setting it to NULL explicitly will cause no
3004 		 * termination of the link.
3005 		 */
3006 		if (cp->disconnect)
3007 			conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
3008 						       &cp->addr.bdaddr);
3009 		else
3010 			conn = NULL;
3011 
3012 		err = hci_remove_link_key(hdev, &cp->addr.bdaddr);
3013 		if (err < 0) {
3014 			err = mgmt_cmd_complete(sk, hdev->id,
3015 						MGMT_OP_UNPAIR_DEVICE,
3016 						MGMT_STATUS_NOT_PAIRED, &rp,
3017 						sizeof(rp));
3018 			goto unlock;
3019 		}
3020 
3021 		goto done;
3022 	}
3023 
3024 	/* LE address type */
3025 	addr_type = le_addr_type(cp->addr.type);
3026 
3027 	/* Abort any ongoing SMP pairing. Removes ltk and irk if they exist. */
3028 	err = smp_cancel_and_remove_pairing(hdev, &cp->addr.bdaddr, addr_type);
3029 	if (err < 0) {
3030 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
3031 					MGMT_STATUS_NOT_PAIRED, &rp,
3032 					sizeof(rp));
3033 		goto unlock;
3034 	}
3035 
3036 	conn = hci_conn_hash_lookup_le(hdev, &cp->addr.bdaddr, addr_type);
3037 	if (!conn) {
3038 		hci_conn_params_del(hdev, &cp->addr.bdaddr, addr_type);
3039 		goto done;
3040 	}
3041 
3042 
3043 	/* Defer clearing up the connection parameters until closing to
3044 	 * give a chance of keeping them if a repairing happens.
3045 	 */
3046 	set_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags);
3047 
3048 	/* Disable auto-connection parameters if present */
3049 	params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr, addr_type);
3050 	if (params) {
3051 		if (params->explicit_connect)
3052 			params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
3053 		else
3054 			params->auto_connect = HCI_AUTO_CONN_DISABLED;
3055 	}
3056 
3057 	/* If disconnection is not requested, then clear the connection
3058 	 * variable so that the link is not terminated.
3059 	 */
3060 	if (!cp->disconnect)
3061 		conn = NULL;
3062 
3063 done:
3064 	/* If the connection variable is set, then termination of the
3065 	 * link is requested.
3066 	 */
3067 	if (!conn) {
3068 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE, 0,
3069 					&rp, sizeof(rp));
3070 		device_unpaired(hdev, &cp->addr.bdaddr, cp->addr.type, sk);
3071 		goto unlock;
3072 	}
3073 
3074 	cmd = mgmt_pending_new(sk, MGMT_OP_UNPAIR_DEVICE, hdev, cp,
3075 			       sizeof(*cp));
3076 	if (!cmd) {
3077 		err = -ENOMEM;
3078 		goto unlock;
3079 	}
3080 
3081 	cmd->cmd_complete = addr_cmd_complete;
3082 
3083 	err = hci_cmd_sync_queue(hdev, unpair_device_sync, cmd,
3084 				 unpair_device_complete);
3085 	if (err < 0)
3086 		mgmt_pending_free(cmd);
3087 
3088 unlock:
3089 	hci_dev_unlock(hdev);
3090 	return err;
3091 }
3092 
3093 static int disconnect(struct sock *sk, struct hci_dev *hdev, void *data,
3094 		      u16 len)
3095 {
3096 	struct mgmt_cp_disconnect *cp = data;
3097 	struct mgmt_rp_disconnect rp;
3098 	struct mgmt_pending_cmd *cmd;
3099 	struct hci_conn *conn;
3100 	int err;
3101 
3102 	bt_dev_dbg(hdev, "sock %p", sk);
3103 
3104 	memset(&rp, 0, sizeof(rp));
3105 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
3106 	rp.addr.type = cp->addr.type;
3107 
3108 	if (!bdaddr_type_is_valid(cp->addr.type))
3109 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
3110 					 MGMT_STATUS_INVALID_PARAMS,
3111 					 &rp, sizeof(rp));
3112 
3113 	hci_dev_lock(hdev);
3114 
3115 	if (!test_bit(HCI_UP, &hdev->flags)) {
3116 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
3117 					MGMT_STATUS_NOT_POWERED, &rp,
3118 					sizeof(rp));
3119 		goto failed;
3120 	}
3121 
3122 	if (pending_find(MGMT_OP_DISCONNECT, hdev)) {
3123 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
3124 					MGMT_STATUS_BUSY, &rp, sizeof(rp));
3125 		goto failed;
3126 	}
3127 
3128 	if (cp->addr.type == BDADDR_BREDR)
3129 		conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
3130 					       &cp->addr.bdaddr);
3131 	else
3132 		conn = hci_conn_hash_lookup_le(hdev, &cp->addr.bdaddr,
3133 					       le_addr_type(cp->addr.type));
3134 
3135 	if (!conn || conn->state == BT_OPEN || conn->state == BT_CLOSED) {
3136 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
3137 					MGMT_STATUS_NOT_CONNECTED, &rp,
3138 					sizeof(rp));
3139 		goto failed;
3140 	}
3141 
3142 	cmd = mgmt_pending_add(sk, MGMT_OP_DISCONNECT, hdev, data, len);
3143 	if (!cmd) {
3144 		err = -ENOMEM;
3145 		goto failed;
3146 	}
3147 
3148 	cmd->cmd_complete = generic_cmd_complete;
3149 
3150 	err = hci_disconnect(conn, HCI_ERROR_REMOTE_USER_TERM);
3151 	if (err < 0)
3152 		mgmt_pending_remove(cmd);
3153 
3154 failed:
3155 	hci_dev_unlock(hdev);
3156 	return err;
3157 }
3158 
3159 static u8 link_to_bdaddr(u8 link_type, u8 addr_type)
3160 {
3161 	switch (link_type) {
3162 	case LE_LINK:
3163 		switch (addr_type) {
3164 		case ADDR_LE_DEV_PUBLIC:
3165 			return BDADDR_LE_PUBLIC;
3166 
3167 		default:
3168 			/* Fallback to LE Random address type */
3169 			return BDADDR_LE_RANDOM;
3170 		}
3171 
3172 	default:
3173 		/* Fallback to BR/EDR type */
3174 		return BDADDR_BREDR;
3175 	}
3176 }
3177 
3178 static int get_connections(struct sock *sk, struct hci_dev *hdev, void *data,
3179 			   u16 data_len)
3180 {
3181 	struct mgmt_rp_get_connections *rp;
3182 	struct hci_conn *c;
3183 	int err;
3184 	u16 i;
3185 
3186 	bt_dev_dbg(hdev, "sock %p", sk);
3187 
3188 	hci_dev_lock(hdev);
3189 
3190 	if (!hdev_is_powered(hdev)) {
3191 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_GET_CONNECTIONS,
3192 				      MGMT_STATUS_NOT_POWERED);
3193 		goto unlock;
3194 	}
3195 
3196 	i = 0;
3197 	list_for_each_entry(c, &hdev->conn_hash.list, list) {
3198 		if (test_bit(HCI_CONN_MGMT_CONNECTED, &c->flags))
3199 			i++;
3200 	}
3201 
3202 	rp = kmalloc(struct_size(rp, addr, i), GFP_KERNEL);
3203 	if (!rp) {
3204 		err = -ENOMEM;
3205 		goto unlock;
3206 	}
3207 
3208 	i = 0;
3209 	list_for_each_entry(c, &hdev->conn_hash.list, list) {
3210 		if (!test_bit(HCI_CONN_MGMT_CONNECTED, &c->flags))
3211 			continue;
3212 		bacpy(&rp->addr[i].bdaddr, &c->dst);
3213 		rp->addr[i].type = link_to_bdaddr(c->type, c->dst_type);
3214 		if (c->type == SCO_LINK || c->type == ESCO_LINK)
3215 			continue;
3216 		i++;
3217 	}
3218 
3219 	rp->conn_count = cpu_to_le16(i);
3220 
3221 	/* Recalculate length in case of filtered SCO connections, etc */
3222 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONNECTIONS, 0, rp,
3223 				struct_size(rp, addr, i));
3224 
3225 	kfree(rp);
3226 
3227 unlock:
3228 	hci_dev_unlock(hdev);
3229 	return err;
3230 }
3231 
3232 static int send_pin_code_neg_reply(struct sock *sk, struct hci_dev *hdev,
3233 				   struct mgmt_cp_pin_code_neg_reply *cp)
3234 {
3235 	struct mgmt_pending_cmd *cmd;
3236 	int err;
3237 
3238 	cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_NEG_REPLY, hdev, cp,
3239 			       sizeof(*cp));
3240 	if (!cmd)
3241 		return -ENOMEM;
3242 
3243 	cmd->cmd_complete = addr_cmd_complete;
3244 
3245 	err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
3246 			   sizeof(cp->addr.bdaddr), &cp->addr.bdaddr);
3247 	if (err < 0)
3248 		mgmt_pending_remove(cmd);
3249 
3250 	return err;
3251 }
3252 
3253 static int pin_code_reply(struct sock *sk, struct hci_dev *hdev, void *data,
3254 			  u16 len)
3255 {
3256 	struct hci_conn *conn;
3257 	struct mgmt_cp_pin_code_reply *cp = data;
3258 	struct hci_cp_pin_code_reply reply;
3259 	struct mgmt_pending_cmd *cmd;
3260 	int err;
3261 
3262 	bt_dev_dbg(hdev, "sock %p", sk);
3263 
3264 	hci_dev_lock(hdev);
3265 
3266 	if (!hdev_is_powered(hdev)) {
3267 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
3268 				      MGMT_STATUS_NOT_POWERED);
3269 		goto failed;
3270 	}
3271 
3272 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->addr.bdaddr);
3273 	if (!conn) {
3274 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
3275 				      MGMT_STATUS_NOT_CONNECTED);
3276 		goto failed;
3277 	}
3278 
3279 	if (conn->pending_sec_level == BT_SECURITY_HIGH && cp->pin_len != 16) {
3280 		struct mgmt_cp_pin_code_neg_reply ncp;
3281 
3282 		memcpy(&ncp.addr, &cp->addr, sizeof(ncp.addr));
3283 
3284 		bt_dev_err(hdev, "PIN code is not 16 bytes long");
3285 
3286 		err = send_pin_code_neg_reply(sk, hdev, &ncp);
3287 		if (err >= 0)
3288 			err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
3289 					      MGMT_STATUS_INVALID_PARAMS);
3290 
3291 		goto failed;
3292 	}
3293 
3294 	cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_REPLY, hdev, data, len);
3295 	if (!cmd) {
3296 		err = -ENOMEM;
3297 		goto failed;
3298 	}
3299 
3300 	cmd->cmd_complete = addr_cmd_complete;
3301 
3302 	bacpy(&reply.bdaddr, &cp->addr.bdaddr);
3303 	reply.pin_len = cp->pin_len;
3304 	memcpy(reply.pin_code, cp->pin_code, sizeof(reply.pin_code));
3305 
3306 	err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_REPLY, sizeof(reply), &reply);
3307 	if (err < 0)
3308 		mgmt_pending_remove(cmd);
3309 
3310 failed:
3311 	hci_dev_unlock(hdev);
3312 	return err;
3313 }
3314 
3315 static int set_io_capability(struct sock *sk, struct hci_dev *hdev, void *data,
3316 			     u16 len)
3317 {
3318 	struct mgmt_cp_set_io_capability *cp = data;
3319 
3320 	bt_dev_dbg(hdev, "sock %p", sk);
3321 
3322 	if (cp->io_capability > SMP_IO_KEYBOARD_DISPLAY)
3323 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_IO_CAPABILITY,
3324 				       MGMT_STATUS_INVALID_PARAMS);
3325 
3326 	hci_dev_lock(hdev);
3327 
3328 	hdev->io_capability = cp->io_capability;
3329 
3330 	bt_dev_dbg(hdev, "IO capability set to 0x%02x", hdev->io_capability);
3331 
3332 	hci_dev_unlock(hdev);
3333 
3334 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_IO_CAPABILITY, 0,
3335 				 NULL, 0);
3336 }
3337 
3338 static struct mgmt_pending_cmd *find_pairing(struct hci_conn *conn)
3339 {
3340 	struct hci_dev *hdev = conn->hdev;
3341 	struct mgmt_pending_cmd *cmd;
3342 
3343 	list_for_each_entry(cmd, &hdev->mgmt_pending, list) {
3344 		if (cmd->opcode != MGMT_OP_PAIR_DEVICE)
3345 			continue;
3346 
3347 		if (cmd->user_data != conn)
3348 			continue;
3349 
3350 		return cmd;
3351 	}
3352 
3353 	return NULL;
3354 }
3355 
3356 static int pairing_complete(struct mgmt_pending_cmd *cmd, u8 status)
3357 {
3358 	struct mgmt_rp_pair_device rp;
3359 	struct hci_conn *conn = cmd->user_data;
3360 	int err;
3361 
3362 	bacpy(&rp.addr.bdaddr, &conn->dst);
3363 	rp.addr.type = link_to_bdaddr(conn->type, conn->dst_type);
3364 
3365 	err = mgmt_cmd_complete(cmd->sk, cmd->index, MGMT_OP_PAIR_DEVICE,
3366 				status, &rp, sizeof(rp));
3367 
3368 	/* So we don't get further callbacks for this connection */
3369 	conn->connect_cfm_cb = NULL;
3370 	conn->security_cfm_cb = NULL;
3371 	conn->disconn_cfm_cb = NULL;
3372 
3373 	hci_conn_drop(conn);
3374 
3375 	/* The device is paired so there is no need to remove
3376 	 * its connection parameters anymore.
3377 	 */
3378 	clear_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags);
3379 
3380 	hci_conn_put(conn);
3381 
3382 	return err;
3383 }
3384 
3385 void mgmt_smp_complete(struct hci_conn *conn, bool complete)
3386 {
3387 	u8 status = complete ? MGMT_STATUS_SUCCESS : MGMT_STATUS_FAILED;
3388 	struct mgmt_pending_cmd *cmd;
3389 
3390 	cmd = find_pairing(conn);
3391 	if (cmd) {
3392 		cmd->cmd_complete(cmd, status);
3393 		mgmt_pending_remove(cmd);
3394 	}
3395 }
3396 
3397 static void pairing_complete_cb(struct hci_conn *conn, u8 status)
3398 {
3399 	struct mgmt_pending_cmd *cmd;
3400 
3401 	BT_DBG("status %u", status);
3402 
3403 	cmd = find_pairing(conn);
3404 	if (!cmd) {
3405 		BT_DBG("Unable to find a pending command");
3406 		return;
3407 	}
3408 
3409 	cmd->cmd_complete(cmd, mgmt_status(status));
3410 	mgmt_pending_remove(cmd);
3411 }
3412 
3413 static void le_pairing_complete_cb(struct hci_conn *conn, u8 status)
3414 {
3415 	struct mgmt_pending_cmd *cmd;
3416 
3417 	BT_DBG("status %u", status);
3418 
3419 	if (!status)
3420 		return;
3421 
3422 	cmd = find_pairing(conn);
3423 	if (!cmd) {
3424 		BT_DBG("Unable to find a pending command");
3425 		return;
3426 	}
3427 
3428 	cmd->cmd_complete(cmd, mgmt_status(status));
3429 	mgmt_pending_remove(cmd);
3430 }
3431 
3432 static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
3433 		       u16 len)
3434 {
3435 	struct mgmt_cp_pair_device *cp = data;
3436 	struct mgmt_rp_pair_device rp;
3437 	struct mgmt_pending_cmd *cmd;
3438 	u8 sec_level, auth_type;
3439 	struct hci_conn *conn;
3440 	int err;
3441 
3442 	bt_dev_dbg(hdev, "sock %p", sk);
3443 
3444 	memset(&rp, 0, sizeof(rp));
3445 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
3446 	rp.addr.type = cp->addr.type;
3447 
3448 	if (!bdaddr_type_is_valid(cp->addr.type))
3449 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
3450 					 MGMT_STATUS_INVALID_PARAMS,
3451 					 &rp, sizeof(rp));
3452 
3453 	if (cp->io_cap > SMP_IO_KEYBOARD_DISPLAY)
3454 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
3455 					 MGMT_STATUS_INVALID_PARAMS,
3456 					 &rp, sizeof(rp));
3457 
3458 	hci_dev_lock(hdev);
3459 
3460 	if (!hdev_is_powered(hdev)) {
3461 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
3462 					MGMT_STATUS_NOT_POWERED, &rp,
3463 					sizeof(rp));
3464 		goto unlock;
3465 	}
3466 
3467 	if (hci_bdaddr_is_paired(hdev, &cp->addr.bdaddr, cp->addr.type)) {
3468 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
3469 					MGMT_STATUS_ALREADY_PAIRED, &rp,
3470 					sizeof(rp));
3471 		goto unlock;
3472 	}
3473 
3474 	sec_level = BT_SECURITY_MEDIUM;
3475 	auth_type = HCI_AT_DEDICATED_BONDING;
3476 
3477 	if (cp->addr.type == BDADDR_BREDR) {
3478 		conn = hci_connect_acl(hdev, &cp->addr.bdaddr, sec_level,
3479 				       auth_type, CONN_REASON_PAIR_DEVICE);
3480 	} else {
3481 		u8 addr_type = le_addr_type(cp->addr.type);
3482 		struct hci_conn_params *p;
3483 
3484 		/* When pairing a new device, it is expected to remember
3485 		 * this device for future connections. Adding the connection
3486 		 * parameter information ahead of time allows tracking
3487 		 * of the peripheral preferred values and will speed up any
3488 		 * further connection establishment.
3489 		 *
3490 		 * If connection parameters already exist, then they
3491 		 * will be kept and this function does nothing.
3492 		 */
3493 		p = hci_conn_params_add(hdev, &cp->addr.bdaddr, addr_type);
3494 
3495 		if (p->auto_connect == HCI_AUTO_CONN_EXPLICIT)
3496 			p->auto_connect = HCI_AUTO_CONN_DISABLED;
3497 
3498 		conn = hci_connect_le_scan(hdev, &cp->addr.bdaddr, addr_type,
3499 					   sec_level, HCI_LE_CONN_TIMEOUT,
3500 					   CONN_REASON_PAIR_DEVICE);
3501 	}
3502 
3503 	if (IS_ERR(conn)) {
3504 		int status;
3505 
3506 		if (PTR_ERR(conn) == -EBUSY)
3507 			status = MGMT_STATUS_BUSY;
3508 		else if (PTR_ERR(conn) == -EOPNOTSUPP)
3509 			status = MGMT_STATUS_NOT_SUPPORTED;
3510 		else if (PTR_ERR(conn) == -ECONNREFUSED)
3511 			status = MGMT_STATUS_REJECTED;
3512 		else
3513 			status = MGMT_STATUS_CONNECT_FAILED;
3514 
3515 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
3516 					status, &rp, sizeof(rp));
3517 		goto unlock;
3518 	}
3519 
3520 	if (conn->connect_cfm_cb) {
3521 		hci_conn_drop(conn);
3522 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
3523 					MGMT_STATUS_BUSY, &rp, sizeof(rp));
3524 		goto unlock;
3525 	}
3526 
3527 	cmd = mgmt_pending_add(sk, MGMT_OP_PAIR_DEVICE, hdev, data, len);
3528 	if (!cmd) {
3529 		err = -ENOMEM;
3530 		hci_conn_drop(conn);
3531 		goto unlock;
3532 	}
3533 
3534 	cmd->cmd_complete = pairing_complete;
3535 
3536 	/* For LE, just connecting isn't a proof that the pairing finished */
3537 	if (cp->addr.type == BDADDR_BREDR) {
3538 		conn->connect_cfm_cb = pairing_complete_cb;
3539 		conn->security_cfm_cb = pairing_complete_cb;
3540 		conn->disconn_cfm_cb = pairing_complete_cb;
3541 	} else {
3542 		conn->connect_cfm_cb = le_pairing_complete_cb;
3543 		conn->security_cfm_cb = le_pairing_complete_cb;
3544 		conn->disconn_cfm_cb = le_pairing_complete_cb;
3545 	}
3546 
3547 	conn->io_capability = cp->io_cap;
3548 	cmd->user_data = hci_conn_get(conn);
3549 
3550 	if ((conn->state == BT_CONNECTED || conn->state == BT_CONFIG) &&
3551 	    hci_conn_security(conn, sec_level, auth_type, true)) {
3552 		cmd->cmd_complete(cmd, 0);
3553 		mgmt_pending_remove(cmd);
3554 	}
3555 
3556 	err = 0;
3557 
3558 unlock:
3559 	hci_dev_unlock(hdev);
3560 	return err;
3561 }
3562 
3563 static int abort_conn_sync(struct hci_dev *hdev, void *data)
3564 {
3565 	struct hci_conn *conn;
3566 	u16 handle = PTR_ERR(data);
3567 
3568 	conn = hci_conn_hash_lookup_handle(hdev, handle);
3569 	if (!conn)
3570 		return 0;
3571 
3572 	return hci_abort_conn_sync(hdev, conn, HCI_ERROR_REMOTE_USER_TERM);
3573 }
3574 
3575 static int cancel_pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
3576 			      u16 len)
3577 {
3578 	struct mgmt_addr_info *addr = data;
3579 	struct mgmt_pending_cmd *cmd;
3580 	struct hci_conn *conn;
3581 	int err;
3582 
3583 	bt_dev_dbg(hdev, "sock %p", sk);
3584 
3585 	hci_dev_lock(hdev);
3586 
3587 	if (!hdev_is_powered(hdev)) {
3588 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
3589 				      MGMT_STATUS_NOT_POWERED);
3590 		goto unlock;
3591 	}
3592 
3593 	cmd = pending_find(MGMT_OP_PAIR_DEVICE, hdev);
3594 	if (!cmd) {
3595 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
3596 				      MGMT_STATUS_INVALID_PARAMS);
3597 		goto unlock;
3598 	}
3599 
3600 	conn = cmd->user_data;
3601 
3602 	if (bacmp(&addr->bdaddr, &conn->dst) != 0) {
3603 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
3604 				      MGMT_STATUS_INVALID_PARAMS);
3605 		goto unlock;
3606 	}
3607 
3608 	cmd->cmd_complete(cmd, MGMT_STATUS_CANCELLED);
3609 	mgmt_pending_remove(cmd);
3610 
3611 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE, 0,
3612 				addr, sizeof(*addr));
3613 
3614 	/* Since user doesn't want to proceed with the connection, abort any
3615 	 * ongoing pairing and then terminate the link if it was created
3616 	 * because of the pair device action.
3617 	 */
3618 	if (addr->type == BDADDR_BREDR)
3619 		hci_remove_link_key(hdev, &addr->bdaddr);
3620 	else
3621 		smp_cancel_and_remove_pairing(hdev, &addr->bdaddr,
3622 					      le_addr_type(addr->type));
3623 
3624 	if (conn->conn_reason == CONN_REASON_PAIR_DEVICE)
3625 		hci_cmd_sync_queue(hdev, abort_conn_sync, ERR_PTR(conn->handle),
3626 				   NULL);
3627 
3628 unlock:
3629 	hci_dev_unlock(hdev);
3630 	return err;
3631 }
3632 
3633 static int user_pairing_resp(struct sock *sk, struct hci_dev *hdev,
3634 			     struct mgmt_addr_info *addr, u16 mgmt_op,
3635 			     u16 hci_op, __le32 passkey)
3636 {
3637 	struct mgmt_pending_cmd *cmd;
3638 	struct hci_conn *conn;
3639 	int err;
3640 
3641 	hci_dev_lock(hdev);
3642 
3643 	if (!hdev_is_powered(hdev)) {
3644 		err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
3645 					MGMT_STATUS_NOT_POWERED, addr,
3646 					sizeof(*addr));
3647 		goto done;
3648 	}
3649 
3650 	if (addr->type == BDADDR_BREDR)
3651 		conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &addr->bdaddr);
3652 	else
3653 		conn = hci_conn_hash_lookup_le(hdev, &addr->bdaddr,
3654 					       le_addr_type(addr->type));
3655 
3656 	if (!conn) {
3657 		err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
3658 					MGMT_STATUS_NOT_CONNECTED, addr,
3659 					sizeof(*addr));
3660 		goto done;
3661 	}
3662 
3663 	if (addr->type == BDADDR_LE_PUBLIC || addr->type == BDADDR_LE_RANDOM) {
3664 		err = smp_user_confirm_reply(conn, mgmt_op, passkey);
3665 		if (!err)
3666 			err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
3667 						MGMT_STATUS_SUCCESS, addr,
3668 						sizeof(*addr));
3669 		else
3670 			err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
3671 						MGMT_STATUS_FAILED, addr,
3672 						sizeof(*addr));
3673 
3674 		goto done;
3675 	}
3676 
3677 	cmd = mgmt_pending_add(sk, mgmt_op, hdev, addr, sizeof(*addr));
3678 	if (!cmd) {
3679 		err = -ENOMEM;
3680 		goto done;
3681 	}
3682 
3683 	cmd->cmd_complete = addr_cmd_complete;
3684 
3685 	/* Continue with pairing via HCI */
3686 	if (hci_op == HCI_OP_USER_PASSKEY_REPLY) {
3687 		struct hci_cp_user_passkey_reply cp;
3688 
3689 		bacpy(&cp.bdaddr, &addr->bdaddr);
3690 		cp.passkey = passkey;
3691 		err = hci_send_cmd(hdev, hci_op, sizeof(cp), &cp);
3692 	} else
3693 		err = hci_send_cmd(hdev, hci_op, sizeof(addr->bdaddr),
3694 				   &addr->bdaddr);
3695 
3696 	if (err < 0)
3697 		mgmt_pending_remove(cmd);
3698 
3699 done:
3700 	hci_dev_unlock(hdev);
3701 	return err;
3702 }
3703 
3704 static int pin_code_neg_reply(struct sock *sk, struct hci_dev *hdev,
3705 			      void *data, u16 len)
3706 {
3707 	struct mgmt_cp_pin_code_neg_reply *cp = data;
3708 
3709 	bt_dev_dbg(hdev, "sock %p", sk);
3710 
3711 	return user_pairing_resp(sk, hdev, &cp->addr,
3712 				MGMT_OP_PIN_CODE_NEG_REPLY,
3713 				HCI_OP_PIN_CODE_NEG_REPLY, 0);
3714 }
3715 
3716 static int user_confirm_reply(struct sock *sk, struct hci_dev *hdev, void *data,
3717 			      u16 len)
3718 {
3719 	struct mgmt_cp_user_confirm_reply *cp = data;
3720 
3721 	bt_dev_dbg(hdev, "sock %p", sk);
3722 
3723 	if (len != sizeof(*cp))
3724 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_USER_CONFIRM_REPLY,
3725 				       MGMT_STATUS_INVALID_PARAMS);
3726 
3727 	return user_pairing_resp(sk, hdev, &cp->addr,
3728 				 MGMT_OP_USER_CONFIRM_REPLY,
3729 				 HCI_OP_USER_CONFIRM_REPLY, 0);
3730 }
3731 
3732 static int user_confirm_neg_reply(struct sock *sk, struct hci_dev *hdev,
3733 				  void *data, u16 len)
3734 {
3735 	struct mgmt_cp_user_confirm_neg_reply *cp = data;
3736 
3737 	bt_dev_dbg(hdev, "sock %p", sk);
3738 
3739 	return user_pairing_resp(sk, hdev, &cp->addr,
3740 				 MGMT_OP_USER_CONFIRM_NEG_REPLY,
3741 				 HCI_OP_USER_CONFIRM_NEG_REPLY, 0);
3742 }
3743 
3744 static int user_passkey_reply(struct sock *sk, struct hci_dev *hdev, void *data,
3745 			      u16 len)
3746 {
3747 	struct mgmt_cp_user_passkey_reply *cp = data;
3748 
3749 	bt_dev_dbg(hdev, "sock %p", sk);
3750 
3751 	return user_pairing_resp(sk, hdev, &cp->addr,
3752 				 MGMT_OP_USER_PASSKEY_REPLY,
3753 				 HCI_OP_USER_PASSKEY_REPLY, cp->passkey);
3754 }
3755 
3756 static int user_passkey_neg_reply(struct sock *sk, struct hci_dev *hdev,
3757 				  void *data, u16 len)
3758 {
3759 	struct mgmt_cp_user_passkey_neg_reply *cp = data;
3760 
3761 	bt_dev_dbg(hdev, "sock %p", sk);
3762 
3763 	return user_pairing_resp(sk, hdev, &cp->addr,
3764 				 MGMT_OP_USER_PASSKEY_NEG_REPLY,
3765 				 HCI_OP_USER_PASSKEY_NEG_REPLY, 0);
3766 }
3767 
3768 static int adv_expire_sync(struct hci_dev *hdev, u32 flags)
3769 {
3770 	struct adv_info *adv_instance;
3771 
3772 	adv_instance = hci_find_adv_instance(hdev, hdev->cur_adv_instance);
3773 	if (!adv_instance)
3774 		return 0;
3775 
3776 	/* stop if current instance doesn't need to be changed */
3777 	if (!(adv_instance->flags & flags))
3778 		return 0;
3779 
3780 	cancel_adv_timeout(hdev);
3781 
3782 	adv_instance = hci_get_next_instance(hdev, adv_instance->instance);
3783 	if (!adv_instance)
3784 		return 0;
3785 
3786 	hci_schedule_adv_instance_sync(hdev, adv_instance->instance, true);
3787 
3788 	return 0;
3789 }
3790 
3791 static int name_changed_sync(struct hci_dev *hdev, void *data)
3792 {
3793 	return adv_expire_sync(hdev, MGMT_ADV_FLAG_LOCAL_NAME);
3794 }
3795 
3796 static void set_name_complete(struct hci_dev *hdev, void *data, int err)
3797 {
3798 	struct mgmt_pending_cmd *cmd = data;
3799 	struct mgmt_cp_set_local_name *cp = cmd->param;
3800 	u8 status = mgmt_status(err);
3801 
3802 	bt_dev_dbg(hdev, "err %d", err);
3803 
3804 	if (cmd != pending_find(MGMT_OP_SET_LOCAL_NAME, hdev))
3805 		return;
3806 
3807 	if (status) {
3808 		mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_LOCAL_NAME,
3809 				status);
3810 	} else {
3811 		mgmt_cmd_complete(cmd->sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, 0,
3812 				  cp, sizeof(*cp));
3813 
3814 		if (hci_dev_test_flag(hdev, HCI_LE_ADV))
3815 			hci_cmd_sync_queue(hdev, name_changed_sync, NULL, NULL);
3816 	}
3817 
3818 	mgmt_pending_remove(cmd);
3819 }
3820 
3821 static int set_name_sync(struct hci_dev *hdev, void *data)
3822 {
3823 	if (lmp_bredr_capable(hdev)) {
3824 		hci_update_name_sync(hdev);
3825 		hci_update_eir_sync(hdev);
3826 	}
3827 
3828 	/* The name is stored in the scan response data and so
3829 	 * no need to update the advertising data here.
3830 	 */
3831 	if (lmp_le_capable(hdev) && hci_dev_test_flag(hdev, HCI_ADVERTISING))
3832 		hci_update_scan_rsp_data_sync(hdev, hdev->cur_adv_instance);
3833 
3834 	return 0;
3835 }
3836 
3837 static int set_local_name(struct sock *sk, struct hci_dev *hdev, void *data,
3838 			  u16 len)
3839 {
3840 	struct mgmt_cp_set_local_name *cp = data;
3841 	struct mgmt_pending_cmd *cmd;
3842 	int err;
3843 
3844 	bt_dev_dbg(hdev, "sock %p", sk);
3845 
3846 	hci_dev_lock(hdev);
3847 
3848 	/* If the old values are the same as the new ones just return a
3849 	 * direct command complete event.
3850 	 */
3851 	if (!memcmp(hdev->dev_name, cp->name, sizeof(hdev->dev_name)) &&
3852 	    !memcmp(hdev->short_name, cp->short_name,
3853 		    sizeof(hdev->short_name))) {
3854 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, 0,
3855 					data, len);
3856 		goto failed;
3857 	}
3858 
3859 	memcpy(hdev->short_name, cp->short_name, sizeof(hdev->short_name));
3860 
3861 	if (!hdev_is_powered(hdev)) {
3862 		memcpy(hdev->dev_name, cp->name, sizeof(hdev->dev_name));
3863 
3864 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, 0,
3865 					data, len);
3866 		if (err < 0)
3867 			goto failed;
3868 
3869 		err = mgmt_limited_event(MGMT_EV_LOCAL_NAME_CHANGED, hdev, data,
3870 					 len, HCI_MGMT_LOCAL_NAME_EVENTS, sk);
3871 		ext_info_changed(hdev, sk);
3872 
3873 		goto failed;
3874 	}
3875 
3876 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_LOCAL_NAME, hdev, data, len);
3877 	if (!cmd)
3878 		err = -ENOMEM;
3879 	else
3880 		err = hci_cmd_sync_queue(hdev, set_name_sync, cmd,
3881 					 set_name_complete);
3882 
3883 	if (err < 0) {
3884 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LOCAL_NAME,
3885 				      MGMT_STATUS_FAILED);
3886 
3887 		if (cmd)
3888 			mgmt_pending_remove(cmd);
3889 
3890 		goto failed;
3891 	}
3892 
3893 	memcpy(hdev->dev_name, cp->name, sizeof(hdev->dev_name));
3894 
3895 failed:
3896 	hci_dev_unlock(hdev);
3897 	return err;
3898 }
3899 
3900 static int appearance_changed_sync(struct hci_dev *hdev, void *data)
3901 {
3902 	return adv_expire_sync(hdev, MGMT_ADV_FLAG_APPEARANCE);
3903 }
3904 
3905 static int set_appearance(struct sock *sk, struct hci_dev *hdev, void *data,
3906 			  u16 len)
3907 {
3908 	struct mgmt_cp_set_appearance *cp = data;
3909 	u16 appearance;
3910 	int err;
3911 
3912 	bt_dev_dbg(hdev, "sock %p", sk);
3913 
3914 	if (!lmp_le_capable(hdev))
3915 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_APPEARANCE,
3916 				       MGMT_STATUS_NOT_SUPPORTED);
3917 
3918 	appearance = le16_to_cpu(cp->appearance);
3919 
3920 	hci_dev_lock(hdev);
3921 
3922 	if (hdev->appearance != appearance) {
3923 		hdev->appearance = appearance;
3924 
3925 		if (hci_dev_test_flag(hdev, HCI_LE_ADV))
3926 			hci_cmd_sync_queue(hdev, appearance_changed_sync, NULL,
3927 					   NULL);
3928 
3929 		ext_info_changed(hdev, sk);
3930 	}
3931 
3932 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_APPEARANCE, 0, NULL,
3933 				0);
3934 
3935 	hci_dev_unlock(hdev);
3936 
3937 	return err;
3938 }
3939 
3940 static int get_phy_configuration(struct sock *sk, struct hci_dev *hdev,
3941 				 void *data, u16 len)
3942 {
3943 	struct mgmt_rp_get_phy_configuration rp;
3944 
3945 	bt_dev_dbg(hdev, "sock %p", sk);
3946 
3947 	hci_dev_lock(hdev);
3948 
3949 	memset(&rp, 0, sizeof(rp));
3950 
3951 	rp.supported_phys = cpu_to_le32(get_supported_phys(hdev));
3952 	rp.selected_phys = cpu_to_le32(get_selected_phys(hdev));
3953 	rp.configurable_phys = cpu_to_le32(get_configurable_phys(hdev));
3954 
3955 	hci_dev_unlock(hdev);
3956 
3957 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_PHY_CONFIGURATION, 0,
3958 				 &rp, sizeof(rp));
3959 }
3960 
3961 int mgmt_phy_configuration_changed(struct hci_dev *hdev, struct sock *skip)
3962 {
3963 	struct mgmt_ev_phy_configuration_changed ev;
3964 
3965 	memset(&ev, 0, sizeof(ev));
3966 
3967 	ev.selected_phys = cpu_to_le32(get_selected_phys(hdev));
3968 
3969 	return mgmt_event(MGMT_EV_PHY_CONFIGURATION_CHANGED, hdev, &ev,
3970 			  sizeof(ev), skip);
3971 }
3972 
3973 static void set_default_phy_complete(struct hci_dev *hdev, void *data, int err)
3974 {
3975 	struct mgmt_pending_cmd *cmd = data;
3976 	struct sk_buff *skb = cmd->skb;
3977 	u8 status = mgmt_status(err);
3978 
3979 	if (cmd != pending_find(MGMT_OP_SET_PHY_CONFIGURATION, hdev))
3980 		return;
3981 
3982 	if (!status) {
3983 		if (!skb)
3984 			status = MGMT_STATUS_FAILED;
3985 		else if (IS_ERR(skb))
3986 			status = mgmt_status(PTR_ERR(skb));
3987 		else
3988 			status = mgmt_status(skb->data[0]);
3989 	}
3990 
3991 	bt_dev_dbg(hdev, "status %d", status);
3992 
3993 	if (status) {
3994 		mgmt_cmd_status(cmd->sk, hdev->id,
3995 				MGMT_OP_SET_PHY_CONFIGURATION, status);
3996 	} else {
3997 		mgmt_cmd_complete(cmd->sk, hdev->id,
3998 				  MGMT_OP_SET_PHY_CONFIGURATION, 0,
3999 				  NULL, 0);
4000 
4001 		mgmt_phy_configuration_changed(hdev, cmd->sk);
4002 	}
4003 
4004 	if (skb && !IS_ERR(skb))
4005 		kfree_skb(skb);
4006 
4007 	mgmt_pending_remove(cmd);
4008 }
4009 
4010 static int set_default_phy_sync(struct hci_dev *hdev, void *data)
4011 {
4012 	struct mgmt_pending_cmd *cmd = data;
4013 	struct mgmt_cp_set_phy_configuration *cp = cmd->param;
4014 	struct hci_cp_le_set_default_phy cp_phy;
4015 	u32 selected_phys = __le32_to_cpu(cp->selected_phys);
4016 
4017 	memset(&cp_phy, 0, sizeof(cp_phy));
4018 
4019 	if (!(selected_phys & MGMT_PHY_LE_TX_MASK))
4020 		cp_phy.all_phys |= 0x01;
4021 
4022 	if (!(selected_phys & MGMT_PHY_LE_RX_MASK))
4023 		cp_phy.all_phys |= 0x02;
4024 
4025 	if (selected_phys & MGMT_PHY_LE_1M_TX)
4026 		cp_phy.tx_phys |= HCI_LE_SET_PHY_1M;
4027 
4028 	if (selected_phys & MGMT_PHY_LE_2M_TX)
4029 		cp_phy.tx_phys |= HCI_LE_SET_PHY_2M;
4030 
4031 	if (selected_phys & MGMT_PHY_LE_CODED_TX)
4032 		cp_phy.tx_phys |= HCI_LE_SET_PHY_CODED;
4033 
4034 	if (selected_phys & MGMT_PHY_LE_1M_RX)
4035 		cp_phy.rx_phys |= HCI_LE_SET_PHY_1M;
4036 
4037 	if (selected_phys & MGMT_PHY_LE_2M_RX)
4038 		cp_phy.rx_phys |= HCI_LE_SET_PHY_2M;
4039 
4040 	if (selected_phys & MGMT_PHY_LE_CODED_RX)
4041 		cp_phy.rx_phys |= HCI_LE_SET_PHY_CODED;
4042 
4043 	cmd->skb =  __hci_cmd_sync(hdev, HCI_OP_LE_SET_DEFAULT_PHY,
4044 				   sizeof(cp_phy), &cp_phy, HCI_CMD_TIMEOUT);
4045 
4046 	return 0;
4047 }
4048 
4049 static int set_phy_configuration(struct sock *sk, struct hci_dev *hdev,
4050 				 void *data, u16 len)
4051 {
4052 	struct mgmt_cp_set_phy_configuration *cp = data;
4053 	struct mgmt_pending_cmd *cmd;
4054 	u32 selected_phys, configurable_phys, supported_phys, unconfigure_phys;
4055 	u16 pkt_type = (HCI_DH1 | HCI_DM1);
4056 	bool changed = false;
4057 	int err;
4058 
4059 	bt_dev_dbg(hdev, "sock %p", sk);
4060 
4061 	configurable_phys = get_configurable_phys(hdev);
4062 	supported_phys = get_supported_phys(hdev);
4063 	selected_phys = __le32_to_cpu(cp->selected_phys);
4064 
4065 	if (selected_phys & ~supported_phys)
4066 		return mgmt_cmd_status(sk, hdev->id,
4067 				       MGMT_OP_SET_PHY_CONFIGURATION,
4068 				       MGMT_STATUS_INVALID_PARAMS);
4069 
4070 	unconfigure_phys = supported_phys & ~configurable_phys;
4071 
4072 	if ((selected_phys & unconfigure_phys) != unconfigure_phys)
4073 		return mgmt_cmd_status(sk, hdev->id,
4074 				       MGMT_OP_SET_PHY_CONFIGURATION,
4075 				       MGMT_STATUS_INVALID_PARAMS);
4076 
4077 	if (selected_phys == get_selected_phys(hdev))
4078 		return mgmt_cmd_complete(sk, hdev->id,
4079 					 MGMT_OP_SET_PHY_CONFIGURATION,
4080 					 0, NULL, 0);
4081 
4082 	hci_dev_lock(hdev);
4083 
4084 	if (!hdev_is_powered(hdev)) {
4085 		err = mgmt_cmd_status(sk, hdev->id,
4086 				      MGMT_OP_SET_PHY_CONFIGURATION,
4087 				      MGMT_STATUS_REJECTED);
4088 		goto unlock;
4089 	}
4090 
4091 	if (pending_find(MGMT_OP_SET_PHY_CONFIGURATION, hdev)) {
4092 		err = mgmt_cmd_status(sk, hdev->id,
4093 				      MGMT_OP_SET_PHY_CONFIGURATION,
4094 				      MGMT_STATUS_BUSY);
4095 		goto unlock;
4096 	}
4097 
4098 	if (selected_phys & MGMT_PHY_BR_1M_3SLOT)
4099 		pkt_type |= (HCI_DH3 | HCI_DM3);
4100 	else
4101 		pkt_type &= ~(HCI_DH3 | HCI_DM3);
4102 
4103 	if (selected_phys & MGMT_PHY_BR_1M_5SLOT)
4104 		pkt_type |= (HCI_DH5 | HCI_DM5);
4105 	else
4106 		pkt_type &= ~(HCI_DH5 | HCI_DM5);
4107 
4108 	if (selected_phys & MGMT_PHY_EDR_2M_1SLOT)
4109 		pkt_type &= ~HCI_2DH1;
4110 	else
4111 		pkt_type |= HCI_2DH1;
4112 
4113 	if (selected_phys & MGMT_PHY_EDR_2M_3SLOT)
4114 		pkt_type &= ~HCI_2DH3;
4115 	else
4116 		pkt_type |= HCI_2DH3;
4117 
4118 	if (selected_phys & MGMT_PHY_EDR_2M_5SLOT)
4119 		pkt_type &= ~HCI_2DH5;
4120 	else
4121 		pkt_type |= HCI_2DH5;
4122 
4123 	if (selected_phys & MGMT_PHY_EDR_3M_1SLOT)
4124 		pkt_type &= ~HCI_3DH1;
4125 	else
4126 		pkt_type |= HCI_3DH1;
4127 
4128 	if (selected_phys & MGMT_PHY_EDR_3M_3SLOT)
4129 		pkt_type &= ~HCI_3DH3;
4130 	else
4131 		pkt_type |= HCI_3DH3;
4132 
4133 	if (selected_phys & MGMT_PHY_EDR_3M_5SLOT)
4134 		pkt_type &= ~HCI_3DH5;
4135 	else
4136 		pkt_type |= HCI_3DH5;
4137 
4138 	if (pkt_type != hdev->pkt_type) {
4139 		hdev->pkt_type = pkt_type;
4140 		changed = true;
4141 	}
4142 
4143 	if ((selected_phys & MGMT_PHY_LE_MASK) ==
4144 	    (get_selected_phys(hdev) & MGMT_PHY_LE_MASK)) {
4145 		if (changed)
4146 			mgmt_phy_configuration_changed(hdev, sk);
4147 
4148 		err = mgmt_cmd_complete(sk, hdev->id,
4149 					MGMT_OP_SET_PHY_CONFIGURATION,
4150 					0, NULL, 0);
4151 
4152 		goto unlock;
4153 	}
4154 
4155 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_PHY_CONFIGURATION, hdev, data,
4156 			       len);
4157 	if (!cmd)
4158 		err = -ENOMEM;
4159 	else
4160 		err = hci_cmd_sync_queue(hdev, set_default_phy_sync, cmd,
4161 					 set_default_phy_complete);
4162 
4163 	if (err < 0) {
4164 		err = mgmt_cmd_status(sk, hdev->id,
4165 				      MGMT_OP_SET_PHY_CONFIGURATION,
4166 				      MGMT_STATUS_FAILED);
4167 
4168 		if (cmd)
4169 			mgmt_pending_remove(cmd);
4170 	}
4171 
4172 unlock:
4173 	hci_dev_unlock(hdev);
4174 
4175 	return err;
4176 }
4177 
4178 static int set_blocked_keys(struct sock *sk, struct hci_dev *hdev, void *data,
4179 			    u16 len)
4180 {
4181 	int err = MGMT_STATUS_SUCCESS;
4182 	struct mgmt_cp_set_blocked_keys *keys = data;
4183 	const u16 max_key_count = ((U16_MAX - sizeof(*keys)) /
4184 				   sizeof(struct mgmt_blocked_key_info));
4185 	u16 key_count, expected_len;
4186 	int i;
4187 
4188 	bt_dev_dbg(hdev, "sock %p", sk);
4189 
4190 	key_count = __le16_to_cpu(keys->key_count);
4191 	if (key_count > max_key_count) {
4192 		bt_dev_err(hdev, "too big key_count value %u", key_count);
4193 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BLOCKED_KEYS,
4194 				       MGMT_STATUS_INVALID_PARAMS);
4195 	}
4196 
4197 	expected_len = struct_size(keys, keys, key_count);
4198 	if (expected_len != len) {
4199 		bt_dev_err(hdev, "expected %u bytes, got %u bytes",
4200 			   expected_len, len);
4201 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BLOCKED_KEYS,
4202 				       MGMT_STATUS_INVALID_PARAMS);
4203 	}
4204 
4205 	hci_dev_lock(hdev);
4206 
4207 	hci_blocked_keys_clear(hdev);
4208 
4209 	for (i = 0; i < key_count; ++i) {
4210 		struct blocked_key *b = kzalloc(sizeof(*b), GFP_KERNEL);
4211 
4212 		if (!b) {
4213 			err = MGMT_STATUS_NO_RESOURCES;
4214 			break;
4215 		}
4216 
4217 		b->type = keys->keys[i].type;
4218 		memcpy(b->val, keys->keys[i].val, sizeof(b->val));
4219 		list_add_rcu(&b->list, &hdev->blocked_keys);
4220 	}
4221 	hci_dev_unlock(hdev);
4222 
4223 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_BLOCKED_KEYS,
4224 				err, NULL, 0);
4225 }
4226 
4227 static int set_wideband_speech(struct sock *sk, struct hci_dev *hdev,
4228 			       void *data, u16 len)
4229 {
4230 	struct mgmt_mode *cp = data;
4231 	int err;
4232 	bool changed = false;
4233 
4234 	bt_dev_dbg(hdev, "sock %p", sk);
4235 
4236 	if (!test_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, &hdev->quirks))
4237 		return mgmt_cmd_status(sk, hdev->id,
4238 				       MGMT_OP_SET_WIDEBAND_SPEECH,
4239 				       MGMT_STATUS_NOT_SUPPORTED);
4240 
4241 	if (cp->val != 0x00 && cp->val != 0x01)
4242 		return mgmt_cmd_status(sk, hdev->id,
4243 				       MGMT_OP_SET_WIDEBAND_SPEECH,
4244 				       MGMT_STATUS_INVALID_PARAMS);
4245 
4246 	hci_dev_lock(hdev);
4247 
4248 	if (hdev_is_powered(hdev) &&
4249 	    !!cp->val != hci_dev_test_flag(hdev,
4250 					   HCI_WIDEBAND_SPEECH_ENABLED)) {
4251 		err = mgmt_cmd_status(sk, hdev->id,
4252 				      MGMT_OP_SET_WIDEBAND_SPEECH,
4253 				      MGMT_STATUS_REJECTED);
4254 		goto unlock;
4255 	}
4256 
4257 	if (cp->val)
4258 		changed = !hci_dev_test_and_set_flag(hdev,
4259 						   HCI_WIDEBAND_SPEECH_ENABLED);
4260 	else
4261 		changed = hci_dev_test_and_clear_flag(hdev,
4262 						   HCI_WIDEBAND_SPEECH_ENABLED);
4263 
4264 	err = send_settings_rsp(sk, MGMT_OP_SET_WIDEBAND_SPEECH, hdev);
4265 	if (err < 0)
4266 		goto unlock;
4267 
4268 	if (changed)
4269 		err = new_settings(hdev, sk);
4270 
4271 unlock:
4272 	hci_dev_unlock(hdev);
4273 	return err;
4274 }
4275 
4276 static int read_controller_cap(struct sock *sk, struct hci_dev *hdev,
4277 			       void *data, u16 data_len)
4278 {
4279 	char buf[20];
4280 	struct mgmt_rp_read_controller_cap *rp = (void *)buf;
4281 	u16 cap_len = 0;
4282 	u8 flags = 0;
4283 	u8 tx_power_range[2];
4284 
4285 	bt_dev_dbg(hdev, "sock %p", sk);
4286 
4287 	memset(&buf, 0, sizeof(buf));
4288 
4289 	hci_dev_lock(hdev);
4290 
4291 	/* When the Read Simple Pairing Options command is supported, then
4292 	 * the remote public key validation is supported.
4293 	 *
4294 	 * Alternatively, when Microsoft extensions are available, they can
4295 	 * indicate support for public key validation as well.
4296 	 */
4297 	if ((hdev->commands[41] & 0x08) || msft_curve_validity(hdev))
4298 		flags |= 0x01;	/* Remote public key validation (BR/EDR) */
4299 
4300 	flags |= 0x02;		/* Remote public key validation (LE) */
4301 
4302 	/* When the Read Encryption Key Size command is supported, then the
4303 	 * encryption key size is enforced.
4304 	 */
4305 	if (hdev->commands[20] & 0x10)
4306 		flags |= 0x04;	/* Encryption key size enforcement (BR/EDR) */
4307 
4308 	flags |= 0x08;		/* Encryption key size enforcement (LE) */
4309 
4310 	cap_len = eir_append_data(rp->cap, cap_len, MGMT_CAP_SEC_FLAGS,
4311 				  &flags, 1);
4312 
4313 	/* When the Read Simple Pairing Options command is supported, then
4314 	 * also max encryption key size information is provided.
4315 	 */
4316 	if (hdev->commands[41] & 0x08)
4317 		cap_len = eir_append_le16(rp->cap, cap_len,
4318 					  MGMT_CAP_MAX_ENC_KEY_SIZE,
4319 					  hdev->max_enc_key_size);
4320 
4321 	cap_len = eir_append_le16(rp->cap, cap_len,
4322 				  MGMT_CAP_SMP_MAX_ENC_KEY_SIZE,
4323 				  SMP_MAX_ENC_KEY_SIZE);
4324 
4325 	/* Append the min/max LE tx power parameters if we were able to fetch
4326 	 * it from the controller
4327 	 */
4328 	if (hdev->commands[38] & 0x80) {
4329 		memcpy(&tx_power_range[0], &hdev->min_le_tx_power, 1);
4330 		memcpy(&tx_power_range[1], &hdev->max_le_tx_power, 1);
4331 		cap_len = eir_append_data(rp->cap, cap_len, MGMT_CAP_LE_TX_PWR,
4332 					  tx_power_range, 2);
4333 	}
4334 
4335 	rp->cap_len = cpu_to_le16(cap_len);
4336 
4337 	hci_dev_unlock(hdev);
4338 
4339 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_CONTROLLER_CAP, 0,
4340 				 rp, sizeof(*rp) + cap_len);
4341 }
4342 
4343 #ifdef CONFIG_BT_FEATURE_DEBUG
4344 /* d4992530-b9ec-469f-ab01-6c481c47da1c */
4345 static const u8 debug_uuid[16] = {
4346 	0x1c, 0xda, 0x47, 0x1c, 0x48, 0x6c, 0x01, 0xab,
4347 	0x9f, 0x46, 0xec, 0xb9, 0x30, 0x25, 0x99, 0xd4,
4348 };
4349 #endif
4350 
4351 /* 330859bc-7506-492d-9370-9a6f0614037f */
4352 static const u8 quality_report_uuid[16] = {
4353 	0x7f, 0x03, 0x14, 0x06, 0x6f, 0x9a, 0x70, 0x93,
4354 	0x2d, 0x49, 0x06, 0x75, 0xbc, 0x59, 0x08, 0x33,
4355 };
4356 
4357 /* a6695ace-ee7f-4fb9-881a-5fac66c629af */
4358 static const u8 offload_codecs_uuid[16] = {
4359 	0xaf, 0x29, 0xc6, 0x66, 0xac, 0x5f, 0x1a, 0x88,
4360 	0xb9, 0x4f, 0x7f, 0xee, 0xce, 0x5a, 0x69, 0xa6,
4361 };
4362 
4363 /* 671b10b5-42c0-4696-9227-eb28d1b049d6 */
4364 static const u8 le_simultaneous_roles_uuid[16] = {
4365 	0xd6, 0x49, 0xb0, 0xd1, 0x28, 0xeb, 0x27, 0x92,
4366 	0x96, 0x46, 0xc0, 0x42, 0xb5, 0x10, 0x1b, 0x67,
4367 };
4368 
4369 /* 15c0a148-c273-11ea-b3de-0242ac130004 */
4370 static const u8 rpa_resolution_uuid[16] = {
4371 	0x04, 0x00, 0x13, 0xac, 0x42, 0x02, 0xde, 0xb3,
4372 	0xea, 0x11, 0x73, 0xc2, 0x48, 0xa1, 0xc0, 0x15,
4373 };
4374 
4375 /* 6fbaf188-05e0-496a-9885-d6ddfdb4e03e */
4376 static const u8 iso_socket_uuid[16] = {
4377 	0x3e, 0xe0, 0xb4, 0xfd, 0xdd, 0xd6, 0x85, 0x98,
4378 	0x6a, 0x49, 0xe0, 0x05, 0x88, 0xf1, 0xba, 0x6f,
4379 };
4380 
4381 /* 2ce463d7-7a03-4d8d-bf05-5f24e8f36e76 */
4382 static const u8 mgmt_mesh_uuid[16] = {
4383 	0x76, 0x6e, 0xf3, 0xe8, 0x24, 0x5f, 0x05, 0xbf,
4384 	0x8d, 0x4d, 0x03, 0x7a, 0xd7, 0x63, 0xe4, 0x2c,
4385 };
4386 
4387 static int read_exp_features_info(struct sock *sk, struct hci_dev *hdev,
4388 				  void *data, u16 data_len)
4389 {
4390 	struct mgmt_rp_read_exp_features_info *rp;
4391 	size_t len;
4392 	u16 idx = 0;
4393 	u32 flags;
4394 	int status;
4395 
4396 	bt_dev_dbg(hdev, "sock %p", sk);
4397 
4398 	/* Enough space for 7 features */
4399 	len = sizeof(*rp) + (sizeof(rp->features[0]) * 7);
4400 	rp = kzalloc(len, GFP_KERNEL);
4401 	if (!rp)
4402 		return -ENOMEM;
4403 
4404 #ifdef CONFIG_BT_FEATURE_DEBUG
4405 	if (!hdev) {
4406 		flags = bt_dbg_get() ? BIT(0) : 0;
4407 
4408 		memcpy(rp->features[idx].uuid, debug_uuid, 16);
4409 		rp->features[idx].flags = cpu_to_le32(flags);
4410 		idx++;
4411 	}
4412 #endif
4413 
4414 	if (hdev && hci_dev_le_state_simultaneous(hdev)) {
4415 		if (hci_dev_test_flag(hdev, HCI_LE_SIMULTANEOUS_ROLES))
4416 			flags = BIT(0);
4417 		else
4418 			flags = 0;
4419 
4420 		memcpy(rp->features[idx].uuid, le_simultaneous_roles_uuid, 16);
4421 		rp->features[idx].flags = cpu_to_le32(flags);
4422 		idx++;
4423 	}
4424 
4425 	if (hdev && ll_privacy_capable(hdev)) {
4426 		if (hci_dev_test_flag(hdev, HCI_ENABLE_LL_PRIVACY))
4427 			flags = BIT(0) | BIT(1);
4428 		else
4429 			flags = BIT(1);
4430 
4431 		memcpy(rp->features[idx].uuid, rpa_resolution_uuid, 16);
4432 		rp->features[idx].flags = cpu_to_le32(flags);
4433 		idx++;
4434 	}
4435 
4436 	if (hdev && (aosp_has_quality_report(hdev) ||
4437 		     hdev->set_quality_report)) {
4438 		if (hci_dev_test_flag(hdev, HCI_QUALITY_REPORT))
4439 			flags = BIT(0);
4440 		else
4441 			flags = 0;
4442 
4443 		memcpy(rp->features[idx].uuid, quality_report_uuid, 16);
4444 		rp->features[idx].flags = cpu_to_le32(flags);
4445 		idx++;
4446 	}
4447 
4448 	if (hdev && hdev->get_data_path_id) {
4449 		if (hci_dev_test_flag(hdev, HCI_OFFLOAD_CODECS_ENABLED))
4450 			flags = BIT(0);
4451 		else
4452 			flags = 0;
4453 
4454 		memcpy(rp->features[idx].uuid, offload_codecs_uuid, 16);
4455 		rp->features[idx].flags = cpu_to_le32(flags);
4456 		idx++;
4457 	}
4458 
4459 	if (IS_ENABLED(CONFIG_BT_LE)) {
4460 		flags = iso_enabled() ? BIT(0) : 0;
4461 		memcpy(rp->features[idx].uuid, iso_socket_uuid, 16);
4462 		rp->features[idx].flags = cpu_to_le32(flags);
4463 		idx++;
4464 	}
4465 
4466 	if (hdev && lmp_le_capable(hdev)) {
4467 		if (hci_dev_test_flag(hdev, HCI_MESH_EXPERIMENTAL))
4468 			flags = BIT(0);
4469 		else
4470 			flags = 0;
4471 
4472 		memcpy(rp->features[idx].uuid, mgmt_mesh_uuid, 16);
4473 		rp->features[idx].flags = cpu_to_le32(flags);
4474 		idx++;
4475 	}
4476 
4477 	rp->feature_count = cpu_to_le16(idx);
4478 
4479 	/* After reading the experimental features information, enable
4480 	 * the events to update client on any future change.
4481 	 */
4482 	hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
4483 
4484 	status = mgmt_cmd_complete(sk, hdev ? hdev->id : MGMT_INDEX_NONE,
4485 				   MGMT_OP_READ_EXP_FEATURES_INFO,
4486 				   0, rp, sizeof(*rp) + (20 * idx));
4487 
4488 	kfree(rp);
4489 	return status;
4490 }
4491 
4492 static int exp_ll_privacy_feature_changed(bool enabled, struct hci_dev *hdev,
4493 					  struct sock *skip)
4494 {
4495 	struct mgmt_ev_exp_feature_changed ev;
4496 
4497 	memset(&ev, 0, sizeof(ev));
4498 	memcpy(ev.uuid, rpa_resolution_uuid, 16);
4499 	ev.flags = cpu_to_le32((enabled ? BIT(0) : 0) | BIT(1));
4500 
4501 	// Do we need to be atomic with the conn_flags?
4502 	if (enabled && privacy_mode_capable(hdev))
4503 		hdev->conn_flags |= HCI_CONN_FLAG_DEVICE_PRIVACY;
4504 	else
4505 		hdev->conn_flags &= ~HCI_CONN_FLAG_DEVICE_PRIVACY;
4506 
4507 	return mgmt_limited_event(MGMT_EV_EXP_FEATURE_CHANGED, hdev,
4508 				  &ev, sizeof(ev),
4509 				  HCI_MGMT_EXP_FEATURE_EVENTS, skip);
4510 
4511 }
4512 
4513 static int exp_feature_changed(struct hci_dev *hdev, const u8 *uuid,
4514 			       bool enabled, struct sock *skip)
4515 {
4516 	struct mgmt_ev_exp_feature_changed ev;
4517 
4518 	memset(&ev, 0, sizeof(ev));
4519 	memcpy(ev.uuid, uuid, 16);
4520 	ev.flags = cpu_to_le32(enabled ? BIT(0) : 0);
4521 
4522 	return mgmt_limited_event(MGMT_EV_EXP_FEATURE_CHANGED, hdev,
4523 				  &ev, sizeof(ev),
4524 				  HCI_MGMT_EXP_FEATURE_EVENTS, skip);
4525 }
4526 
4527 #define EXP_FEAT(_uuid, _set_func)	\
4528 {					\
4529 	.uuid = _uuid,			\
4530 	.set_func = _set_func,		\
4531 }
4532 
4533 /* The zero key uuid is special. Multiple exp features are set through it. */
4534 static int set_zero_key_func(struct sock *sk, struct hci_dev *hdev,
4535 			     struct mgmt_cp_set_exp_feature *cp, u16 data_len)
4536 {
4537 	struct mgmt_rp_set_exp_feature rp;
4538 
4539 	memset(rp.uuid, 0, 16);
4540 	rp.flags = cpu_to_le32(0);
4541 
4542 #ifdef CONFIG_BT_FEATURE_DEBUG
4543 	if (!hdev) {
4544 		bool changed = bt_dbg_get();
4545 
4546 		bt_dbg_set(false);
4547 
4548 		if (changed)
4549 			exp_feature_changed(NULL, ZERO_KEY, false, sk);
4550 	}
4551 #endif
4552 
4553 	if (hdev && use_ll_privacy(hdev) && !hdev_is_powered(hdev)) {
4554 		bool changed;
4555 
4556 		changed = hci_dev_test_and_clear_flag(hdev,
4557 						      HCI_ENABLE_LL_PRIVACY);
4558 		if (changed)
4559 			exp_feature_changed(hdev, rpa_resolution_uuid, false,
4560 					    sk);
4561 	}
4562 
4563 	hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
4564 
4565 	return mgmt_cmd_complete(sk, hdev ? hdev->id : MGMT_INDEX_NONE,
4566 				 MGMT_OP_SET_EXP_FEATURE, 0,
4567 				 &rp, sizeof(rp));
4568 }
4569 
4570 #ifdef CONFIG_BT_FEATURE_DEBUG
4571 static int set_debug_func(struct sock *sk, struct hci_dev *hdev,
4572 			  struct mgmt_cp_set_exp_feature *cp, u16 data_len)
4573 {
4574 	struct mgmt_rp_set_exp_feature rp;
4575 
4576 	bool val, changed;
4577 	int err;
4578 
4579 	/* Command requires to use the non-controller index */
4580 	if (hdev)
4581 		return mgmt_cmd_status(sk, hdev->id,
4582 				       MGMT_OP_SET_EXP_FEATURE,
4583 				       MGMT_STATUS_INVALID_INDEX);
4584 
4585 	/* Parameters are limited to a single octet */
4586 	if (data_len != MGMT_SET_EXP_FEATURE_SIZE + 1)
4587 		return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4588 				       MGMT_OP_SET_EXP_FEATURE,
4589 				       MGMT_STATUS_INVALID_PARAMS);
4590 
4591 	/* Only boolean on/off is supported */
4592 	if (cp->param[0] != 0x00 && cp->param[0] != 0x01)
4593 		return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4594 				       MGMT_OP_SET_EXP_FEATURE,
4595 				       MGMT_STATUS_INVALID_PARAMS);
4596 
4597 	val = !!cp->param[0];
4598 	changed = val ? !bt_dbg_get() : bt_dbg_get();
4599 	bt_dbg_set(val);
4600 
4601 	memcpy(rp.uuid, debug_uuid, 16);
4602 	rp.flags = cpu_to_le32(val ? BIT(0) : 0);
4603 
4604 	hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
4605 
4606 	err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE,
4607 				MGMT_OP_SET_EXP_FEATURE, 0,
4608 				&rp, sizeof(rp));
4609 
4610 	if (changed)
4611 		exp_feature_changed(hdev, debug_uuid, val, sk);
4612 
4613 	return err;
4614 }
4615 #endif
4616 
4617 static int set_mgmt_mesh_func(struct sock *sk, struct hci_dev *hdev,
4618 			      struct mgmt_cp_set_exp_feature *cp, u16 data_len)
4619 {
4620 	struct mgmt_rp_set_exp_feature rp;
4621 	bool val, changed;
4622 	int err;
4623 
4624 	/* Command requires to use the controller index */
4625 	if (!hdev)
4626 		return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4627 				       MGMT_OP_SET_EXP_FEATURE,
4628 				       MGMT_STATUS_INVALID_INDEX);
4629 
4630 	/* Changes can only be made when controller is powered down */
4631 	if (hdev_is_powered(hdev))
4632 		return mgmt_cmd_status(sk, hdev->id,
4633 				       MGMT_OP_SET_EXP_FEATURE,
4634 				       MGMT_STATUS_REJECTED);
4635 
4636 	/* Parameters are limited to a single octet */
4637 	if (data_len != MGMT_SET_EXP_FEATURE_SIZE + 1)
4638 		return mgmt_cmd_status(sk, hdev->id,
4639 				       MGMT_OP_SET_EXP_FEATURE,
4640 				       MGMT_STATUS_INVALID_PARAMS);
4641 
4642 	/* Only boolean on/off is supported */
4643 	if (cp->param[0] != 0x00 && cp->param[0] != 0x01)
4644 		return mgmt_cmd_status(sk, hdev->id,
4645 				       MGMT_OP_SET_EXP_FEATURE,
4646 				       MGMT_STATUS_INVALID_PARAMS);
4647 
4648 	val = !!cp->param[0];
4649 
4650 	if (val) {
4651 		changed = !hci_dev_test_and_set_flag(hdev,
4652 						     HCI_MESH_EXPERIMENTAL);
4653 	} else {
4654 		hci_dev_clear_flag(hdev, HCI_MESH);
4655 		changed = hci_dev_test_and_clear_flag(hdev,
4656 						      HCI_MESH_EXPERIMENTAL);
4657 	}
4658 
4659 	memcpy(rp.uuid, mgmt_mesh_uuid, 16);
4660 	rp.flags = cpu_to_le32(val ? BIT(0) : 0);
4661 
4662 	hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
4663 
4664 	err = mgmt_cmd_complete(sk, hdev->id,
4665 				MGMT_OP_SET_EXP_FEATURE, 0,
4666 				&rp, sizeof(rp));
4667 
4668 	if (changed)
4669 		exp_feature_changed(hdev, mgmt_mesh_uuid, val, sk);
4670 
4671 	return err;
4672 }
4673 
4674 static int set_rpa_resolution_func(struct sock *sk, struct hci_dev *hdev,
4675 				   struct mgmt_cp_set_exp_feature *cp,
4676 				   u16 data_len)
4677 {
4678 	struct mgmt_rp_set_exp_feature rp;
4679 	bool val, changed;
4680 	int err;
4681 	u32 flags;
4682 
4683 	/* Command requires to use the controller index */
4684 	if (!hdev)
4685 		return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4686 				       MGMT_OP_SET_EXP_FEATURE,
4687 				       MGMT_STATUS_INVALID_INDEX);
4688 
4689 	/* Changes can only be made when controller is powered down */
4690 	if (hdev_is_powered(hdev))
4691 		return mgmt_cmd_status(sk, hdev->id,
4692 				       MGMT_OP_SET_EXP_FEATURE,
4693 				       MGMT_STATUS_REJECTED);
4694 
4695 	/* Parameters are limited to a single octet */
4696 	if (data_len != MGMT_SET_EXP_FEATURE_SIZE + 1)
4697 		return mgmt_cmd_status(sk, hdev->id,
4698 				       MGMT_OP_SET_EXP_FEATURE,
4699 				       MGMT_STATUS_INVALID_PARAMS);
4700 
4701 	/* Only boolean on/off is supported */
4702 	if (cp->param[0] != 0x00 && cp->param[0] != 0x01)
4703 		return mgmt_cmd_status(sk, hdev->id,
4704 				       MGMT_OP_SET_EXP_FEATURE,
4705 				       MGMT_STATUS_INVALID_PARAMS);
4706 
4707 	val = !!cp->param[0];
4708 
4709 	if (val) {
4710 		changed = !hci_dev_test_and_set_flag(hdev,
4711 						     HCI_ENABLE_LL_PRIVACY);
4712 		hci_dev_clear_flag(hdev, HCI_ADVERTISING);
4713 
4714 		/* Enable LL privacy + supported settings changed */
4715 		flags = BIT(0) | BIT(1);
4716 	} else {
4717 		changed = hci_dev_test_and_clear_flag(hdev,
4718 						      HCI_ENABLE_LL_PRIVACY);
4719 
4720 		/* Disable LL privacy + supported settings changed */
4721 		flags = BIT(1);
4722 	}
4723 
4724 	memcpy(rp.uuid, rpa_resolution_uuid, 16);
4725 	rp.flags = cpu_to_le32(flags);
4726 
4727 	hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
4728 
4729 	err = mgmt_cmd_complete(sk, hdev->id,
4730 				MGMT_OP_SET_EXP_FEATURE, 0,
4731 				&rp, sizeof(rp));
4732 
4733 	if (changed)
4734 		exp_ll_privacy_feature_changed(val, hdev, sk);
4735 
4736 	return err;
4737 }
4738 
4739 static int set_quality_report_func(struct sock *sk, struct hci_dev *hdev,
4740 				   struct mgmt_cp_set_exp_feature *cp,
4741 				   u16 data_len)
4742 {
4743 	struct mgmt_rp_set_exp_feature rp;
4744 	bool val, changed;
4745 	int err;
4746 
4747 	/* Command requires to use a valid controller index */
4748 	if (!hdev)
4749 		return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4750 				       MGMT_OP_SET_EXP_FEATURE,
4751 				       MGMT_STATUS_INVALID_INDEX);
4752 
4753 	/* Parameters are limited to a single octet */
4754 	if (data_len != MGMT_SET_EXP_FEATURE_SIZE + 1)
4755 		return mgmt_cmd_status(sk, hdev->id,
4756 				       MGMT_OP_SET_EXP_FEATURE,
4757 				       MGMT_STATUS_INVALID_PARAMS);
4758 
4759 	/* Only boolean on/off is supported */
4760 	if (cp->param[0] != 0x00 && cp->param[0] != 0x01)
4761 		return mgmt_cmd_status(sk, hdev->id,
4762 				       MGMT_OP_SET_EXP_FEATURE,
4763 				       MGMT_STATUS_INVALID_PARAMS);
4764 
4765 	hci_req_sync_lock(hdev);
4766 
4767 	val = !!cp->param[0];
4768 	changed = (val != hci_dev_test_flag(hdev, HCI_QUALITY_REPORT));
4769 
4770 	if (!aosp_has_quality_report(hdev) && !hdev->set_quality_report) {
4771 		err = mgmt_cmd_status(sk, hdev->id,
4772 				      MGMT_OP_SET_EXP_FEATURE,
4773 				      MGMT_STATUS_NOT_SUPPORTED);
4774 		goto unlock_quality_report;
4775 	}
4776 
4777 	if (changed) {
4778 		if (hdev->set_quality_report)
4779 			err = hdev->set_quality_report(hdev, val);
4780 		else
4781 			err = aosp_set_quality_report(hdev, val);
4782 
4783 		if (err) {
4784 			err = mgmt_cmd_status(sk, hdev->id,
4785 					      MGMT_OP_SET_EXP_FEATURE,
4786 					      MGMT_STATUS_FAILED);
4787 			goto unlock_quality_report;
4788 		}
4789 
4790 		if (val)
4791 			hci_dev_set_flag(hdev, HCI_QUALITY_REPORT);
4792 		else
4793 			hci_dev_clear_flag(hdev, HCI_QUALITY_REPORT);
4794 	}
4795 
4796 	bt_dev_dbg(hdev, "quality report enable %d changed %d", val, changed);
4797 
4798 	memcpy(rp.uuid, quality_report_uuid, 16);
4799 	rp.flags = cpu_to_le32(val ? BIT(0) : 0);
4800 	hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
4801 
4802 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_EXP_FEATURE, 0,
4803 				&rp, sizeof(rp));
4804 
4805 	if (changed)
4806 		exp_feature_changed(hdev, quality_report_uuid, val, sk);
4807 
4808 unlock_quality_report:
4809 	hci_req_sync_unlock(hdev);
4810 	return err;
4811 }
4812 
4813 static int set_offload_codec_func(struct sock *sk, struct hci_dev *hdev,
4814 				  struct mgmt_cp_set_exp_feature *cp,
4815 				  u16 data_len)
4816 {
4817 	bool val, changed;
4818 	int err;
4819 	struct mgmt_rp_set_exp_feature rp;
4820 
4821 	/* Command requires to use a valid controller index */
4822 	if (!hdev)
4823 		return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4824 				       MGMT_OP_SET_EXP_FEATURE,
4825 				       MGMT_STATUS_INVALID_INDEX);
4826 
4827 	/* Parameters are limited to a single octet */
4828 	if (data_len != MGMT_SET_EXP_FEATURE_SIZE + 1)
4829 		return mgmt_cmd_status(sk, hdev->id,
4830 				       MGMT_OP_SET_EXP_FEATURE,
4831 				       MGMT_STATUS_INVALID_PARAMS);
4832 
4833 	/* Only boolean on/off is supported */
4834 	if (cp->param[0] != 0x00 && cp->param[0] != 0x01)
4835 		return mgmt_cmd_status(sk, hdev->id,
4836 				       MGMT_OP_SET_EXP_FEATURE,
4837 				       MGMT_STATUS_INVALID_PARAMS);
4838 
4839 	val = !!cp->param[0];
4840 	changed = (val != hci_dev_test_flag(hdev, HCI_OFFLOAD_CODECS_ENABLED));
4841 
4842 	if (!hdev->get_data_path_id) {
4843 		return mgmt_cmd_status(sk, hdev->id,
4844 				       MGMT_OP_SET_EXP_FEATURE,
4845 				       MGMT_STATUS_NOT_SUPPORTED);
4846 	}
4847 
4848 	if (changed) {
4849 		if (val)
4850 			hci_dev_set_flag(hdev, HCI_OFFLOAD_CODECS_ENABLED);
4851 		else
4852 			hci_dev_clear_flag(hdev, HCI_OFFLOAD_CODECS_ENABLED);
4853 	}
4854 
4855 	bt_dev_info(hdev, "offload codecs enable %d changed %d",
4856 		    val, changed);
4857 
4858 	memcpy(rp.uuid, offload_codecs_uuid, 16);
4859 	rp.flags = cpu_to_le32(val ? BIT(0) : 0);
4860 	hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
4861 	err = mgmt_cmd_complete(sk, hdev->id,
4862 				MGMT_OP_SET_EXP_FEATURE, 0,
4863 				&rp, sizeof(rp));
4864 
4865 	if (changed)
4866 		exp_feature_changed(hdev, offload_codecs_uuid, val, sk);
4867 
4868 	return err;
4869 }
4870 
4871 static int set_le_simultaneous_roles_func(struct sock *sk, struct hci_dev *hdev,
4872 					  struct mgmt_cp_set_exp_feature *cp,
4873 					  u16 data_len)
4874 {
4875 	bool val, changed;
4876 	int err;
4877 	struct mgmt_rp_set_exp_feature rp;
4878 
4879 	/* Command requires to use a valid controller index */
4880 	if (!hdev)
4881 		return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4882 				       MGMT_OP_SET_EXP_FEATURE,
4883 				       MGMT_STATUS_INVALID_INDEX);
4884 
4885 	/* Parameters are limited to a single octet */
4886 	if (data_len != MGMT_SET_EXP_FEATURE_SIZE + 1)
4887 		return mgmt_cmd_status(sk, hdev->id,
4888 				       MGMT_OP_SET_EXP_FEATURE,
4889 				       MGMT_STATUS_INVALID_PARAMS);
4890 
4891 	/* Only boolean on/off is supported */
4892 	if (cp->param[0] != 0x00 && cp->param[0] != 0x01)
4893 		return mgmt_cmd_status(sk, hdev->id,
4894 				       MGMT_OP_SET_EXP_FEATURE,
4895 				       MGMT_STATUS_INVALID_PARAMS);
4896 
4897 	val = !!cp->param[0];
4898 	changed = (val != hci_dev_test_flag(hdev, HCI_LE_SIMULTANEOUS_ROLES));
4899 
4900 	if (!hci_dev_le_state_simultaneous(hdev)) {
4901 		return mgmt_cmd_status(sk, hdev->id,
4902 				       MGMT_OP_SET_EXP_FEATURE,
4903 				       MGMT_STATUS_NOT_SUPPORTED);
4904 	}
4905 
4906 	if (changed) {
4907 		if (val)
4908 			hci_dev_set_flag(hdev, HCI_LE_SIMULTANEOUS_ROLES);
4909 		else
4910 			hci_dev_clear_flag(hdev, HCI_LE_SIMULTANEOUS_ROLES);
4911 	}
4912 
4913 	bt_dev_info(hdev, "LE simultaneous roles enable %d changed %d",
4914 		    val, changed);
4915 
4916 	memcpy(rp.uuid, le_simultaneous_roles_uuid, 16);
4917 	rp.flags = cpu_to_le32(val ? BIT(0) : 0);
4918 	hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
4919 	err = mgmt_cmd_complete(sk, hdev->id,
4920 				MGMT_OP_SET_EXP_FEATURE, 0,
4921 				&rp, sizeof(rp));
4922 
4923 	if (changed)
4924 		exp_feature_changed(hdev, le_simultaneous_roles_uuid, val, sk);
4925 
4926 	return err;
4927 }
4928 
4929 #ifdef CONFIG_BT_LE
4930 static int set_iso_socket_func(struct sock *sk, struct hci_dev *hdev,
4931 			       struct mgmt_cp_set_exp_feature *cp, u16 data_len)
4932 {
4933 	struct mgmt_rp_set_exp_feature rp;
4934 	bool val, changed = false;
4935 	int err;
4936 
4937 	/* Command requires to use the non-controller index */
4938 	if (hdev)
4939 		return mgmt_cmd_status(sk, hdev->id,
4940 				       MGMT_OP_SET_EXP_FEATURE,
4941 				       MGMT_STATUS_INVALID_INDEX);
4942 
4943 	/* Parameters are limited to a single octet */
4944 	if (data_len != MGMT_SET_EXP_FEATURE_SIZE + 1)
4945 		return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4946 				       MGMT_OP_SET_EXP_FEATURE,
4947 				       MGMT_STATUS_INVALID_PARAMS);
4948 
4949 	/* Only boolean on/off is supported */
4950 	if (cp->param[0] != 0x00 && cp->param[0] != 0x01)
4951 		return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4952 				       MGMT_OP_SET_EXP_FEATURE,
4953 				       MGMT_STATUS_INVALID_PARAMS);
4954 
4955 	val = cp->param[0] ? true : false;
4956 	if (val)
4957 		err = iso_init();
4958 	else
4959 		err = iso_exit();
4960 
4961 	if (!err)
4962 		changed = true;
4963 
4964 	memcpy(rp.uuid, iso_socket_uuid, 16);
4965 	rp.flags = cpu_to_le32(val ? BIT(0) : 0);
4966 
4967 	hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
4968 
4969 	err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE,
4970 				MGMT_OP_SET_EXP_FEATURE, 0,
4971 				&rp, sizeof(rp));
4972 
4973 	if (changed)
4974 		exp_feature_changed(hdev, iso_socket_uuid, val, sk);
4975 
4976 	return err;
4977 }
4978 #endif
4979 
4980 static const struct mgmt_exp_feature {
4981 	const u8 *uuid;
4982 	int (*set_func)(struct sock *sk, struct hci_dev *hdev,
4983 			struct mgmt_cp_set_exp_feature *cp, u16 data_len);
4984 } exp_features[] = {
4985 	EXP_FEAT(ZERO_KEY, set_zero_key_func),
4986 #ifdef CONFIG_BT_FEATURE_DEBUG
4987 	EXP_FEAT(debug_uuid, set_debug_func),
4988 #endif
4989 	EXP_FEAT(mgmt_mesh_uuid, set_mgmt_mesh_func),
4990 	EXP_FEAT(rpa_resolution_uuid, set_rpa_resolution_func),
4991 	EXP_FEAT(quality_report_uuid, set_quality_report_func),
4992 	EXP_FEAT(offload_codecs_uuid, set_offload_codec_func),
4993 	EXP_FEAT(le_simultaneous_roles_uuid, set_le_simultaneous_roles_func),
4994 #ifdef CONFIG_BT_LE
4995 	EXP_FEAT(iso_socket_uuid, set_iso_socket_func),
4996 #endif
4997 
4998 	/* end with a null feature */
4999 	EXP_FEAT(NULL, NULL)
5000 };
5001 
5002 static int set_exp_feature(struct sock *sk, struct hci_dev *hdev,
5003 			   void *data, u16 data_len)
5004 {
5005 	struct mgmt_cp_set_exp_feature *cp = data;
5006 	size_t i = 0;
5007 
5008 	bt_dev_dbg(hdev, "sock %p", sk);
5009 
5010 	for (i = 0; exp_features[i].uuid; i++) {
5011 		if (!memcmp(cp->uuid, exp_features[i].uuid, 16))
5012 			return exp_features[i].set_func(sk, hdev, cp, data_len);
5013 	}
5014 
5015 	return mgmt_cmd_status(sk, hdev ? hdev->id : MGMT_INDEX_NONE,
5016 			       MGMT_OP_SET_EXP_FEATURE,
5017 			       MGMT_STATUS_NOT_SUPPORTED);
5018 }
5019 
5020 static u32 get_params_flags(struct hci_dev *hdev,
5021 			    struct hci_conn_params *params)
5022 {
5023 	u32 flags = hdev->conn_flags;
5024 
5025 	/* Devices using RPAs can only be programmed in the acceptlist if
5026 	 * LL Privacy has been enable otherwise they cannot mark
5027 	 * HCI_CONN_FLAG_REMOTE_WAKEUP.
5028 	 */
5029 	if ((flags & HCI_CONN_FLAG_REMOTE_WAKEUP) && !use_ll_privacy(hdev) &&
5030 	    hci_find_irk_by_addr(hdev, &params->addr, params->addr_type))
5031 		flags &= ~HCI_CONN_FLAG_REMOTE_WAKEUP;
5032 
5033 	return flags;
5034 }
5035 
5036 static int get_device_flags(struct sock *sk, struct hci_dev *hdev, void *data,
5037 			    u16 data_len)
5038 {
5039 	struct mgmt_cp_get_device_flags *cp = data;
5040 	struct mgmt_rp_get_device_flags rp;
5041 	struct bdaddr_list_with_flags *br_params;
5042 	struct hci_conn_params *params;
5043 	u32 supported_flags;
5044 	u32 current_flags = 0;
5045 	u8 status = MGMT_STATUS_INVALID_PARAMS;
5046 
5047 	bt_dev_dbg(hdev, "Get device flags %pMR (type 0x%x)\n",
5048 		   &cp->addr.bdaddr, cp->addr.type);
5049 
5050 	hci_dev_lock(hdev);
5051 
5052 	supported_flags = hdev->conn_flags;
5053 
5054 	memset(&rp, 0, sizeof(rp));
5055 
5056 	if (cp->addr.type == BDADDR_BREDR) {
5057 		br_params = hci_bdaddr_list_lookup_with_flags(&hdev->accept_list,
5058 							      &cp->addr.bdaddr,
5059 							      cp->addr.type);
5060 		if (!br_params)
5061 			goto done;
5062 
5063 		current_flags = br_params->flags;
5064 	} else {
5065 		params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr,
5066 						le_addr_type(cp->addr.type));
5067 		if (!params)
5068 			goto done;
5069 
5070 		supported_flags = get_params_flags(hdev, params);
5071 		current_flags = params->flags;
5072 	}
5073 
5074 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
5075 	rp.addr.type = cp->addr.type;
5076 	rp.supported_flags = cpu_to_le32(supported_flags);
5077 	rp.current_flags = cpu_to_le32(current_flags);
5078 
5079 	status = MGMT_STATUS_SUCCESS;
5080 
5081 done:
5082 	hci_dev_unlock(hdev);
5083 
5084 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_DEVICE_FLAGS, status,
5085 				&rp, sizeof(rp));
5086 }
5087 
5088 static void device_flags_changed(struct sock *sk, struct hci_dev *hdev,
5089 				 bdaddr_t *bdaddr, u8 bdaddr_type,
5090 				 u32 supported_flags, u32 current_flags)
5091 {
5092 	struct mgmt_ev_device_flags_changed ev;
5093 
5094 	bacpy(&ev.addr.bdaddr, bdaddr);
5095 	ev.addr.type = bdaddr_type;
5096 	ev.supported_flags = cpu_to_le32(supported_flags);
5097 	ev.current_flags = cpu_to_le32(current_flags);
5098 
5099 	mgmt_event(MGMT_EV_DEVICE_FLAGS_CHANGED, hdev, &ev, sizeof(ev), sk);
5100 }
5101 
5102 static int set_device_flags(struct sock *sk, struct hci_dev *hdev, void *data,
5103 			    u16 len)
5104 {
5105 	struct mgmt_cp_set_device_flags *cp = data;
5106 	struct bdaddr_list_with_flags *br_params;
5107 	struct hci_conn_params *params;
5108 	u8 status = MGMT_STATUS_INVALID_PARAMS;
5109 	u32 supported_flags;
5110 	u32 current_flags = __le32_to_cpu(cp->current_flags);
5111 
5112 	bt_dev_dbg(hdev, "Set device flags %pMR (type 0x%x) = 0x%x",
5113 		   &cp->addr.bdaddr, cp->addr.type, current_flags);
5114 
5115 	// We should take hci_dev_lock() early, I think.. conn_flags can change
5116 	supported_flags = hdev->conn_flags;
5117 
5118 	if ((supported_flags | current_flags) != supported_flags) {
5119 		bt_dev_warn(hdev, "Bad flag given (0x%x) vs supported (0x%0x)",
5120 			    current_flags, supported_flags);
5121 		goto done;
5122 	}
5123 
5124 	hci_dev_lock(hdev);
5125 
5126 	if (cp->addr.type == BDADDR_BREDR) {
5127 		br_params = hci_bdaddr_list_lookup_with_flags(&hdev->accept_list,
5128 							      &cp->addr.bdaddr,
5129 							      cp->addr.type);
5130 
5131 		if (br_params) {
5132 			br_params->flags = current_flags;
5133 			status = MGMT_STATUS_SUCCESS;
5134 		} else {
5135 			bt_dev_warn(hdev, "No such BR/EDR device %pMR (0x%x)",
5136 				    &cp->addr.bdaddr, cp->addr.type);
5137 		}
5138 
5139 		goto unlock;
5140 	}
5141 
5142 	params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr,
5143 					le_addr_type(cp->addr.type));
5144 	if (!params) {
5145 		bt_dev_warn(hdev, "No such LE device %pMR (0x%x)",
5146 			    &cp->addr.bdaddr, le_addr_type(cp->addr.type));
5147 		goto unlock;
5148 	}
5149 
5150 	supported_flags = get_params_flags(hdev, params);
5151 
5152 	if ((supported_flags | current_flags) != supported_flags) {
5153 		bt_dev_warn(hdev, "Bad flag given (0x%x) vs supported (0x%0x)",
5154 			    current_flags, supported_flags);
5155 		goto unlock;
5156 	}
5157 
5158 	params->flags = current_flags;
5159 	status = MGMT_STATUS_SUCCESS;
5160 
5161 	/* Update passive scan if HCI_CONN_FLAG_DEVICE_PRIVACY
5162 	 * has been set.
5163 	 */
5164 	if (params->flags & HCI_CONN_FLAG_DEVICE_PRIVACY)
5165 		hci_update_passive_scan(hdev);
5166 
5167 unlock:
5168 	hci_dev_unlock(hdev);
5169 
5170 done:
5171 	if (status == MGMT_STATUS_SUCCESS)
5172 		device_flags_changed(sk, hdev, &cp->addr.bdaddr, cp->addr.type,
5173 				     supported_flags, current_flags);
5174 
5175 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_DEVICE_FLAGS, status,
5176 				 &cp->addr, sizeof(cp->addr));
5177 }
5178 
5179 static void mgmt_adv_monitor_added(struct sock *sk, struct hci_dev *hdev,
5180 				   u16 handle)
5181 {
5182 	struct mgmt_ev_adv_monitor_added ev;
5183 
5184 	ev.monitor_handle = cpu_to_le16(handle);
5185 
5186 	mgmt_event(MGMT_EV_ADV_MONITOR_ADDED, hdev, &ev, sizeof(ev), sk);
5187 }
5188 
5189 void mgmt_adv_monitor_removed(struct hci_dev *hdev, u16 handle)
5190 {
5191 	struct mgmt_ev_adv_monitor_removed ev;
5192 	struct mgmt_pending_cmd *cmd;
5193 	struct sock *sk_skip = NULL;
5194 	struct mgmt_cp_remove_adv_monitor *cp;
5195 
5196 	cmd = pending_find(MGMT_OP_REMOVE_ADV_MONITOR, hdev);
5197 	if (cmd) {
5198 		cp = cmd->param;
5199 
5200 		if (cp->monitor_handle)
5201 			sk_skip = cmd->sk;
5202 	}
5203 
5204 	ev.monitor_handle = cpu_to_le16(handle);
5205 
5206 	mgmt_event(MGMT_EV_ADV_MONITOR_REMOVED, hdev, &ev, sizeof(ev), sk_skip);
5207 }
5208 
5209 static int read_adv_mon_features(struct sock *sk, struct hci_dev *hdev,
5210 				 void *data, u16 len)
5211 {
5212 	struct adv_monitor *monitor = NULL;
5213 	struct mgmt_rp_read_adv_monitor_features *rp = NULL;
5214 	int handle, err;
5215 	size_t rp_size = 0;
5216 	__u32 supported = 0;
5217 	__u32 enabled = 0;
5218 	__u16 num_handles = 0;
5219 	__u16 handles[HCI_MAX_ADV_MONITOR_NUM_HANDLES];
5220 
5221 	BT_DBG("request for %s", hdev->name);
5222 
5223 	hci_dev_lock(hdev);
5224 
5225 	if (msft_monitor_supported(hdev))
5226 		supported |= MGMT_ADV_MONITOR_FEATURE_MASK_OR_PATTERNS;
5227 
5228 	idr_for_each_entry(&hdev->adv_monitors_idr, monitor, handle)
5229 		handles[num_handles++] = monitor->handle;
5230 
5231 	hci_dev_unlock(hdev);
5232 
5233 	rp_size = sizeof(*rp) + (num_handles * sizeof(u16));
5234 	rp = kmalloc(rp_size, GFP_KERNEL);
5235 	if (!rp)
5236 		return -ENOMEM;
5237 
5238 	/* All supported features are currently enabled */
5239 	enabled = supported;
5240 
5241 	rp->supported_features = cpu_to_le32(supported);
5242 	rp->enabled_features = cpu_to_le32(enabled);
5243 	rp->max_num_handles = cpu_to_le16(HCI_MAX_ADV_MONITOR_NUM_HANDLES);
5244 	rp->max_num_patterns = HCI_MAX_ADV_MONITOR_NUM_PATTERNS;
5245 	rp->num_handles = cpu_to_le16(num_handles);
5246 	if (num_handles)
5247 		memcpy(&rp->handles, &handles, (num_handles * sizeof(u16)));
5248 
5249 	err = mgmt_cmd_complete(sk, hdev->id,
5250 				MGMT_OP_READ_ADV_MONITOR_FEATURES,
5251 				MGMT_STATUS_SUCCESS, rp, rp_size);
5252 
5253 	kfree(rp);
5254 
5255 	return err;
5256 }
5257 
5258 static void mgmt_add_adv_patterns_monitor_complete(struct hci_dev *hdev,
5259 						   void *data, int status)
5260 {
5261 	struct mgmt_rp_add_adv_patterns_monitor rp;
5262 	struct mgmt_pending_cmd *cmd = data;
5263 	struct adv_monitor *monitor = cmd->user_data;
5264 
5265 	hci_dev_lock(hdev);
5266 
5267 	rp.monitor_handle = cpu_to_le16(monitor->handle);
5268 
5269 	if (!status) {
5270 		mgmt_adv_monitor_added(cmd->sk, hdev, monitor->handle);
5271 		hdev->adv_monitors_cnt++;
5272 		if (monitor->state == ADV_MONITOR_STATE_NOT_REGISTERED)
5273 			monitor->state = ADV_MONITOR_STATE_REGISTERED;
5274 		hci_update_passive_scan(hdev);
5275 	}
5276 
5277 	mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
5278 			  mgmt_status(status), &rp, sizeof(rp));
5279 	mgmt_pending_remove(cmd);
5280 
5281 	hci_dev_unlock(hdev);
5282 	bt_dev_dbg(hdev, "add monitor %d complete, status %d",
5283 		   rp.monitor_handle, status);
5284 }
5285 
5286 static int mgmt_add_adv_patterns_monitor_sync(struct hci_dev *hdev, void *data)
5287 {
5288 	struct mgmt_pending_cmd *cmd = data;
5289 	struct adv_monitor *monitor = cmd->user_data;
5290 
5291 	return hci_add_adv_monitor(hdev, monitor);
5292 }
5293 
5294 static int __add_adv_patterns_monitor(struct sock *sk, struct hci_dev *hdev,
5295 				      struct adv_monitor *m, u8 status,
5296 				      void *data, u16 len, u16 op)
5297 {
5298 	struct mgmt_pending_cmd *cmd;
5299 	int err;
5300 
5301 	hci_dev_lock(hdev);
5302 
5303 	if (status)
5304 		goto unlock;
5305 
5306 	if (pending_find(MGMT_OP_SET_LE, hdev) ||
5307 	    pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR, hdev) ||
5308 	    pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR_RSSI, hdev) ||
5309 	    pending_find(MGMT_OP_REMOVE_ADV_MONITOR, hdev)) {
5310 		status = MGMT_STATUS_BUSY;
5311 		goto unlock;
5312 	}
5313 
5314 	cmd = mgmt_pending_add(sk, op, hdev, data, len);
5315 	if (!cmd) {
5316 		status = MGMT_STATUS_NO_RESOURCES;
5317 		goto unlock;
5318 	}
5319 
5320 	cmd->user_data = m;
5321 	err = hci_cmd_sync_queue(hdev, mgmt_add_adv_patterns_monitor_sync, cmd,
5322 				 mgmt_add_adv_patterns_monitor_complete);
5323 	if (err) {
5324 		if (err == -ENOMEM)
5325 			status = MGMT_STATUS_NO_RESOURCES;
5326 		else
5327 			status = MGMT_STATUS_FAILED;
5328 
5329 		goto unlock;
5330 	}
5331 
5332 	hci_dev_unlock(hdev);
5333 
5334 	return 0;
5335 
5336 unlock:
5337 	hci_free_adv_monitor(hdev, m);
5338 	hci_dev_unlock(hdev);
5339 	return mgmt_cmd_status(sk, hdev->id, op, status);
5340 }
5341 
5342 static void parse_adv_monitor_rssi(struct adv_monitor *m,
5343 				   struct mgmt_adv_rssi_thresholds *rssi)
5344 {
5345 	if (rssi) {
5346 		m->rssi.low_threshold = rssi->low_threshold;
5347 		m->rssi.low_threshold_timeout =
5348 		    __le16_to_cpu(rssi->low_threshold_timeout);
5349 		m->rssi.high_threshold = rssi->high_threshold;
5350 		m->rssi.high_threshold_timeout =
5351 		    __le16_to_cpu(rssi->high_threshold_timeout);
5352 		m->rssi.sampling_period = rssi->sampling_period;
5353 	} else {
5354 		/* Default values. These numbers are the least constricting
5355 		 * parameters for MSFT API to work, so it behaves as if there
5356 		 * are no rssi parameter to consider. May need to be changed
5357 		 * if other API are to be supported.
5358 		 */
5359 		m->rssi.low_threshold = -127;
5360 		m->rssi.low_threshold_timeout = 60;
5361 		m->rssi.high_threshold = -127;
5362 		m->rssi.high_threshold_timeout = 0;
5363 		m->rssi.sampling_period = 0;
5364 	}
5365 }
5366 
5367 static u8 parse_adv_monitor_pattern(struct adv_monitor *m, u8 pattern_count,
5368 				    struct mgmt_adv_pattern *patterns)
5369 {
5370 	u8 offset = 0, length = 0;
5371 	struct adv_pattern *p = NULL;
5372 	int i;
5373 
5374 	for (i = 0; i < pattern_count; i++) {
5375 		offset = patterns[i].offset;
5376 		length = patterns[i].length;
5377 		if (offset >= HCI_MAX_AD_LENGTH ||
5378 		    length > HCI_MAX_AD_LENGTH ||
5379 		    (offset + length) > HCI_MAX_AD_LENGTH)
5380 			return MGMT_STATUS_INVALID_PARAMS;
5381 
5382 		p = kmalloc(sizeof(*p), GFP_KERNEL);
5383 		if (!p)
5384 			return MGMT_STATUS_NO_RESOURCES;
5385 
5386 		p->ad_type = patterns[i].ad_type;
5387 		p->offset = patterns[i].offset;
5388 		p->length = patterns[i].length;
5389 		memcpy(p->value, patterns[i].value, p->length);
5390 
5391 		INIT_LIST_HEAD(&p->list);
5392 		list_add(&p->list, &m->patterns);
5393 	}
5394 
5395 	return MGMT_STATUS_SUCCESS;
5396 }
5397 
5398 static int add_adv_patterns_monitor(struct sock *sk, struct hci_dev *hdev,
5399 				    void *data, u16 len)
5400 {
5401 	struct mgmt_cp_add_adv_patterns_monitor *cp = data;
5402 	struct adv_monitor *m = NULL;
5403 	u8 status = MGMT_STATUS_SUCCESS;
5404 	size_t expected_size = sizeof(*cp);
5405 
5406 	BT_DBG("request for %s", hdev->name);
5407 
5408 	if (len <= sizeof(*cp)) {
5409 		status = MGMT_STATUS_INVALID_PARAMS;
5410 		goto done;
5411 	}
5412 
5413 	expected_size += cp->pattern_count * sizeof(struct mgmt_adv_pattern);
5414 	if (len != expected_size) {
5415 		status = MGMT_STATUS_INVALID_PARAMS;
5416 		goto done;
5417 	}
5418 
5419 	m = kzalloc(sizeof(*m), GFP_KERNEL);
5420 	if (!m) {
5421 		status = MGMT_STATUS_NO_RESOURCES;
5422 		goto done;
5423 	}
5424 
5425 	INIT_LIST_HEAD(&m->patterns);
5426 
5427 	parse_adv_monitor_rssi(m, NULL);
5428 	status = parse_adv_monitor_pattern(m, cp->pattern_count, cp->patterns);
5429 
5430 done:
5431 	return __add_adv_patterns_monitor(sk, hdev, m, status, data, len,
5432 					  MGMT_OP_ADD_ADV_PATTERNS_MONITOR);
5433 }
5434 
5435 static int add_adv_patterns_monitor_rssi(struct sock *sk, struct hci_dev *hdev,
5436 					 void *data, u16 len)
5437 {
5438 	struct mgmt_cp_add_adv_patterns_monitor_rssi *cp = data;
5439 	struct adv_monitor *m = NULL;
5440 	u8 status = MGMT_STATUS_SUCCESS;
5441 	size_t expected_size = sizeof(*cp);
5442 
5443 	BT_DBG("request for %s", hdev->name);
5444 
5445 	if (len <= sizeof(*cp)) {
5446 		status = MGMT_STATUS_INVALID_PARAMS;
5447 		goto done;
5448 	}
5449 
5450 	expected_size += cp->pattern_count * sizeof(struct mgmt_adv_pattern);
5451 	if (len != expected_size) {
5452 		status = MGMT_STATUS_INVALID_PARAMS;
5453 		goto done;
5454 	}
5455 
5456 	m = kzalloc(sizeof(*m), GFP_KERNEL);
5457 	if (!m) {
5458 		status = MGMT_STATUS_NO_RESOURCES;
5459 		goto done;
5460 	}
5461 
5462 	INIT_LIST_HEAD(&m->patterns);
5463 
5464 	parse_adv_monitor_rssi(m, &cp->rssi);
5465 	status = parse_adv_monitor_pattern(m, cp->pattern_count, cp->patterns);
5466 
5467 done:
5468 	return __add_adv_patterns_monitor(sk, hdev, m, status, data, len,
5469 					 MGMT_OP_ADD_ADV_PATTERNS_MONITOR_RSSI);
5470 }
5471 
5472 static void mgmt_remove_adv_monitor_complete(struct hci_dev *hdev,
5473 					     void *data, int status)
5474 {
5475 	struct mgmt_rp_remove_adv_monitor rp;
5476 	struct mgmt_pending_cmd *cmd = data;
5477 	struct mgmt_cp_remove_adv_monitor *cp = cmd->param;
5478 
5479 	hci_dev_lock(hdev);
5480 
5481 	rp.monitor_handle = cp->monitor_handle;
5482 
5483 	if (!status)
5484 		hci_update_passive_scan(hdev);
5485 
5486 	mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
5487 			  mgmt_status(status), &rp, sizeof(rp));
5488 	mgmt_pending_remove(cmd);
5489 
5490 	hci_dev_unlock(hdev);
5491 	bt_dev_dbg(hdev, "remove monitor %d complete, status %d",
5492 		   rp.monitor_handle, status);
5493 }
5494 
5495 static int mgmt_remove_adv_monitor_sync(struct hci_dev *hdev, void *data)
5496 {
5497 	struct mgmt_pending_cmd *cmd = data;
5498 	struct mgmt_cp_remove_adv_monitor *cp = cmd->param;
5499 	u16 handle = __le16_to_cpu(cp->monitor_handle);
5500 
5501 	if (!handle)
5502 		return hci_remove_all_adv_monitor(hdev);
5503 
5504 	return hci_remove_single_adv_monitor(hdev, handle);
5505 }
5506 
5507 static int remove_adv_monitor(struct sock *sk, struct hci_dev *hdev,
5508 			      void *data, u16 len)
5509 {
5510 	struct mgmt_pending_cmd *cmd;
5511 	int err, status;
5512 
5513 	hci_dev_lock(hdev);
5514 
5515 	if (pending_find(MGMT_OP_SET_LE, hdev) ||
5516 	    pending_find(MGMT_OP_REMOVE_ADV_MONITOR, hdev) ||
5517 	    pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR, hdev) ||
5518 	    pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR_RSSI, hdev)) {
5519 		status = MGMT_STATUS_BUSY;
5520 		goto unlock;
5521 	}
5522 
5523 	cmd = mgmt_pending_add(sk, MGMT_OP_REMOVE_ADV_MONITOR, hdev, data, len);
5524 	if (!cmd) {
5525 		status = MGMT_STATUS_NO_RESOURCES;
5526 		goto unlock;
5527 	}
5528 
5529 	err = hci_cmd_sync_queue(hdev, mgmt_remove_adv_monitor_sync, cmd,
5530 				 mgmt_remove_adv_monitor_complete);
5531 
5532 	if (err) {
5533 		mgmt_pending_remove(cmd);
5534 
5535 		if (err == -ENOMEM)
5536 			status = MGMT_STATUS_NO_RESOURCES;
5537 		else
5538 			status = MGMT_STATUS_FAILED;
5539 
5540 		goto unlock;
5541 	}
5542 
5543 	hci_dev_unlock(hdev);
5544 
5545 	return 0;
5546 
5547 unlock:
5548 	hci_dev_unlock(hdev);
5549 	return mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_ADV_MONITOR,
5550 			       status);
5551 }
5552 
5553 static void read_local_oob_data_complete(struct hci_dev *hdev, void *data, int err)
5554 {
5555 	struct mgmt_rp_read_local_oob_data mgmt_rp;
5556 	size_t rp_size = sizeof(mgmt_rp);
5557 	struct mgmt_pending_cmd *cmd = data;
5558 	struct sk_buff *skb = cmd->skb;
5559 	u8 status = mgmt_status(err);
5560 
5561 	if (!status) {
5562 		if (!skb)
5563 			status = MGMT_STATUS_FAILED;
5564 		else if (IS_ERR(skb))
5565 			status = mgmt_status(PTR_ERR(skb));
5566 		else
5567 			status = mgmt_status(skb->data[0]);
5568 	}
5569 
5570 	bt_dev_dbg(hdev, "status %d", status);
5571 
5572 	if (status) {
5573 		mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA, status);
5574 		goto remove;
5575 	}
5576 
5577 	memset(&mgmt_rp, 0, sizeof(mgmt_rp));
5578 
5579 	if (!bredr_sc_enabled(hdev)) {
5580 		struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
5581 
5582 		if (skb->len < sizeof(*rp)) {
5583 			mgmt_cmd_status(cmd->sk, hdev->id,
5584 					MGMT_OP_READ_LOCAL_OOB_DATA,
5585 					MGMT_STATUS_FAILED);
5586 			goto remove;
5587 		}
5588 
5589 		memcpy(mgmt_rp.hash192, rp->hash, sizeof(rp->hash));
5590 		memcpy(mgmt_rp.rand192, rp->rand, sizeof(rp->rand));
5591 
5592 		rp_size -= sizeof(mgmt_rp.hash256) + sizeof(mgmt_rp.rand256);
5593 	} else {
5594 		struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
5595 
5596 		if (skb->len < sizeof(*rp)) {
5597 			mgmt_cmd_status(cmd->sk, hdev->id,
5598 					MGMT_OP_READ_LOCAL_OOB_DATA,
5599 					MGMT_STATUS_FAILED);
5600 			goto remove;
5601 		}
5602 
5603 		memcpy(mgmt_rp.hash192, rp->hash192, sizeof(rp->hash192));
5604 		memcpy(mgmt_rp.rand192, rp->rand192, sizeof(rp->rand192));
5605 
5606 		memcpy(mgmt_rp.hash256, rp->hash256, sizeof(rp->hash256));
5607 		memcpy(mgmt_rp.rand256, rp->rand256, sizeof(rp->rand256));
5608 	}
5609 
5610 	mgmt_cmd_complete(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
5611 			  MGMT_STATUS_SUCCESS, &mgmt_rp, rp_size);
5612 
5613 remove:
5614 	if (skb && !IS_ERR(skb))
5615 		kfree_skb(skb);
5616 
5617 	mgmt_pending_free(cmd);
5618 }
5619 
5620 static int read_local_oob_data_sync(struct hci_dev *hdev, void *data)
5621 {
5622 	struct mgmt_pending_cmd *cmd = data;
5623 
5624 	if (bredr_sc_enabled(hdev))
5625 		cmd->skb = hci_read_local_oob_data_sync(hdev, true, cmd->sk);
5626 	else
5627 		cmd->skb = hci_read_local_oob_data_sync(hdev, false, cmd->sk);
5628 
5629 	if (IS_ERR(cmd->skb))
5630 		return PTR_ERR(cmd->skb);
5631 	else
5632 		return 0;
5633 }
5634 
5635 static int read_local_oob_data(struct sock *sk, struct hci_dev *hdev,
5636 			       void *data, u16 data_len)
5637 {
5638 	struct mgmt_pending_cmd *cmd;
5639 	int err;
5640 
5641 	bt_dev_dbg(hdev, "sock %p", sk);
5642 
5643 	hci_dev_lock(hdev);
5644 
5645 	if (!hdev_is_powered(hdev)) {
5646 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
5647 				      MGMT_STATUS_NOT_POWERED);
5648 		goto unlock;
5649 	}
5650 
5651 	if (!lmp_ssp_capable(hdev)) {
5652 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
5653 				      MGMT_STATUS_NOT_SUPPORTED);
5654 		goto unlock;
5655 	}
5656 
5657 	cmd = mgmt_pending_new(sk, MGMT_OP_READ_LOCAL_OOB_DATA, hdev, NULL, 0);
5658 	if (!cmd)
5659 		err = -ENOMEM;
5660 	else
5661 		err = hci_cmd_sync_queue(hdev, read_local_oob_data_sync, cmd,
5662 					 read_local_oob_data_complete);
5663 
5664 	if (err < 0) {
5665 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
5666 				      MGMT_STATUS_FAILED);
5667 
5668 		if (cmd)
5669 			mgmt_pending_free(cmd);
5670 	}
5671 
5672 unlock:
5673 	hci_dev_unlock(hdev);
5674 	return err;
5675 }
5676 
5677 static int add_remote_oob_data(struct sock *sk, struct hci_dev *hdev,
5678 			       void *data, u16 len)
5679 {
5680 	struct mgmt_addr_info *addr = data;
5681 	int err;
5682 
5683 	bt_dev_dbg(hdev, "sock %p", sk);
5684 
5685 	if (!bdaddr_type_is_valid(addr->type))
5686 		return mgmt_cmd_complete(sk, hdev->id,
5687 					 MGMT_OP_ADD_REMOTE_OOB_DATA,
5688 					 MGMT_STATUS_INVALID_PARAMS,
5689 					 addr, sizeof(*addr));
5690 
5691 	hci_dev_lock(hdev);
5692 
5693 	if (len == MGMT_ADD_REMOTE_OOB_DATA_SIZE) {
5694 		struct mgmt_cp_add_remote_oob_data *cp = data;
5695 		u8 status;
5696 
5697 		if (cp->addr.type != BDADDR_BREDR) {
5698 			err = mgmt_cmd_complete(sk, hdev->id,
5699 						MGMT_OP_ADD_REMOTE_OOB_DATA,
5700 						MGMT_STATUS_INVALID_PARAMS,
5701 						&cp->addr, sizeof(cp->addr));
5702 			goto unlock;
5703 		}
5704 
5705 		err = hci_add_remote_oob_data(hdev, &cp->addr.bdaddr,
5706 					      cp->addr.type, cp->hash,
5707 					      cp->rand, NULL, NULL);
5708 		if (err < 0)
5709 			status = MGMT_STATUS_FAILED;
5710 		else
5711 			status = MGMT_STATUS_SUCCESS;
5712 
5713 		err = mgmt_cmd_complete(sk, hdev->id,
5714 					MGMT_OP_ADD_REMOTE_OOB_DATA, status,
5715 					&cp->addr, sizeof(cp->addr));
5716 	} else if (len == MGMT_ADD_REMOTE_OOB_EXT_DATA_SIZE) {
5717 		struct mgmt_cp_add_remote_oob_ext_data *cp = data;
5718 		u8 *rand192, *hash192, *rand256, *hash256;
5719 		u8 status;
5720 
5721 		if (bdaddr_type_is_le(cp->addr.type)) {
5722 			/* Enforce zero-valued 192-bit parameters as
5723 			 * long as legacy SMP OOB isn't implemented.
5724 			 */
5725 			if (memcmp(cp->rand192, ZERO_KEY, 16) ||
5726 			    memcmp(cp->hash192, ZERO_KEY, 16)) {
5727 				err = mgmt_cmd_complete(sk, hdev->id,
5728 							MGMT_OP_ADD_REMOTE_OOB_DATA,
5729 							MGMT_STATUS_INVALID_PARAMS,
5730 							addr, sizeof(*addr));
5731 				goto unlock;
5732 			}
5733 
5734 			rand192 = NULL;
5735 			hash192 = NULL;
5736 		} else {
5737 			/* In case one of the P-192 values is set to zero,
5738 			 * then just disable OOB data for P-192.
5739 			 */
5740 			if (!memcmp(cp->rand192, ZERO_KEY, 16) ||
5741 			    !memcmp(cp->hash192, ZERO_KEY, 16)) {
5742 				rand192 = NULL;
5743 				hash192 = NULL;
5744 			} else {
5745 				rand192 = cp->rand192;
5746 				hash192 = cp->hash192;
5747 			}
5748 		}
5749 
5750 		/* In case one of the P-256 values is set to zero, then just
5751 		 * disable OOB data for P-256.
5752 		 */
5753 		if (!memcmp(cp->rand256, ZERO_KEY, 16) ||
5754 		    !memcmp(cp->hash256, ZERO_KEY, 16)) {
5755 			rand256 = NULL;
5756 			hash256 = NULL;
5757 		} else {
5758 			rand256 = cp->rand256;
5759 			hash256 = cp->hash256;
5760 		}
5761 
5762 		err = hci_add_remote_oob_data(hdev, &cp->addr.bdaddr,
5763 					      cp->addr.type, hash192, rand192,
5764 					      hash256, rand256);
5765 		if (err < 0)
5766 			status = MGMT_STATUS_FAILED;
5767 		else
5768 			status = MGMT_STATUS_SUCCESS;
5769 
5770 		err = mgmt_cmd_complete(sk, hdev->id,
5771 					MGMT_OP_ADD_REMOTE_OOB_DATA,
5772 					status, &cp->addr, sizeof(cp->addr));
5773 	} else {
5774 		bt_dev_err(hdev, "add_remote_oob_data: invalid len of %u bytes",
5775 			   len);
5776 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_REMOTE_OOB_DATA,
5777 				      MGMT_STATUS_INVALID_PARAMS);
5778 	}
5779 
5780 unlock:
5781 	hci_dev_unlock(hdev);
5782 	return err;
5783 }
5784 
5785 static int remove_remote_oob_data(struct sock *sk, struct hci_dev *hdev,
5786 				  void *data, u16 len)
5787 {
5788 	struct mgmt_cp_remove_remote_oob_data *cp = data;
5789 	u8 status;
5790 	int err;
5791 
5792 	bt_dev_dbg(hdev, "sock %p", sk);
5793 
5794 	if (cp->addr.type != BDADDR_BREDR)
5795 		return mgmt_cmd_complete(sk, hdev->id,
5796 					 MGMT_OP_REMOVE_REMOTE_OOB_DATA,
5797 					 MGMT_STATUS_INVALID_PARAMS,
5798 					 &cp->addr, sizeof(cp->addr));
5799 
5800 	hci_dev_lock(hdev);
5801 
5802 	if (!bacmp(&cp->addr.bdaddr, BDADDR_ANY)) {
5803 		hci_remote_oob_data_clear(hdev);
5804 		status = MGMT_STATUS_SUCCESS;
5805 		goto done;
5806 	}
5807 
5808 	err = hci_remove_remote_oob_data(hdev, &cp->addr.bdaddr, cp->addr.type);
5809 	if (err < 0)
5810 		status = MGMT_STATUS_INVALID_PARAMS;
5811 	else
5812 		status = MGMT_STATUS_SUCCESS;
5813 
5814 done:
5815 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
5816 				status, &cp->addr, sizeof(cp->addr));
5817 
5818 	hci_dev_unlock(hdev);
5819 	return err;
5820 }
5821 
5822 void mgmt_start_discovery_complete(struct hci_dev *hdev, u8 status)
5823 {
5824 	struct mgmt_pending_cmd *cmd;
5825 
5826 	bt_dev_dbg(hdev, "status %u", status);
5827 
5828 	hci_dev_lock(hdev);
5829 
5830 	cmd = pending_find(MGMT_OP_START_DISCOVERY, hdev);
5831 	if (!cmd)
5832 		cmd = pending_find(MGMT_OP_START_SERVICE_DISCOVERY, hdev);
5833 
5834 	if (!cmd)
5835 		cmd = pending_find(MGMT_OP_START_LIMITED_DISCOVERY, hdev);
5836 
5837 	if (cmd) {
5838 		cmd->cmd_complete(cmd, mgmt_status(status));
5839 		mgmt_pending_remove(cmd);
5840 	}
5841 
5842 	hci_dev_unlock(hdev);
5843 }
5844 
5845 static bool discovery_type_is_valid(struct hci_dev *hdev, uint8_t type,
5846 				    uint8_t *mgmt_status)
5847 {
5848 	switch (type) {
5849 	case DISCOV_TYPE_LE:
5850 		*mgmt_status = mgmt_le_support(hdev);
5851 		if (*mgmt_status)
5852 			return false;
5853 		break;
5854 	case DISCOV_TYPE_INTERLEAVED:
5855 		*mgmt_status = mgmt_le_support(hdev);
5856 		if (*mgmt_status)
5857 			return false;
5858 		fallthrough;
5859 	case DISCOV_TYPE_BREDR:
5860 		*mgmt_status = mgmt_bredr_support(hdev);
5861 		if (*mgmt_status)
5862 			return false;
5863 		break;
5864 	default:
5865 		*mgmt_status = MGMT_STATUS_INVALID_PARAMS;
5866 		return false;
5867 	}
5868 
5869 	return true;
5870 }
5871 
5872 static void start_discovery_complete(struct hci_dev *hdev, void *data, int err)
5873 {
5874 	struct mgmt_pending_cmd *cmd = data;
5875 
5876 	if (cmd != pending_find(MGMT_OP_START_DISCOVERY, hdev) &&
5877 	    cmd != pending_find(MGMT_OP_START_LIMITED_DISCOVERY, hdev) &&
5878 	    cmd != pending_find(MGMT_OP_START_SERVICE_DISCOVERY, hdev))
5879 		return;
5880 
5881 	bt_dev_dbg(hdev, "err %d", err);
5882 
5883 	mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, mgmt_status(err),
5884 			  cmd->param, 1);
5885 	mgmt_pending_remove(cmd);
5886 
5887 	hci_discovery_set_state(hdev, err ? DISCOVERY_STOPPED:
5888 				DISCOVERY_FINDING);
5889 }
5890 
5891 static int start_discovery_sync(struct hci_dev *hdev, void *data)
5892 {
5893 	return hci_start_discovery_sync(hdev);
5894 }
5895 
5896 static int start_discovery_internal(struct sock *sk, struct hci_dev *hdev,
5897 				    u16 op, void *data, u16 len)
5898 {
5899 	struct mgmt_cp_start_discovery *cp = data;
5900 	struct mgmt_pending_cmd *cmd;
5901 	u8 status;
5902 	int err;
5903 
5904 	bt_dev_dbg(hdev, "sock %p", sk);
5905 
5906 	hci_dev_lock(hdev);
5907 
5908 	if (!hdev_is_powered(hdev)) {
5909 		err = mgmt_cmd_complete(sk, hdev->id, op,
5910 					MGMT_STATUS_NOT_POWERED,
5911 					&cp->type, sizeof(cp->type));
5912 		goto failed;
5913 	}
5914 
5915 	if (hdev->discovery.state != DISCOVERY_STOPPED ||
5916 	    hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) {
5917 		err = mgmt_cmd_complete(sk, hdev->id, op, MGMT_STATUS_BUSY,
5918 					&cp->type, sizeof(cp->type));
5919 		goto failed;
5920 	}
5921 
5922 	if (!discovery_type_is_valid(hdev, cp->type, &status)) {
5923 		err = mgmt_cmd_complete(sk, hdev->id, op, status,
5924 					&cp->type, sizeof(cp->type));
5925 		goto failed;
5926 	}
5927 
5928 	/* Can't start discovery when it is paused */
5929 	if (hdev->discovery_paused) {
5930 		err = mgmt_cmd_complete(sk, hdev->id, op, MGMT_STATUS_BUSY,
5931 					&cp->type, sizeof(cp->type));
5932 		goto failed;
5933 	}
5934 
5935 	/* Clear the discovery filter first to free any previously
5936 	 * allocated memory for the UUID list.
5937 	 */
5938 	hci_discovery_filter_clear(hdev);
5939 
5940 	hdev->discovery.type = cp->type;
5941 	hdev->discovery.report_invalid_rssi = false;
5942 	if (op == MGMT_OP_START_LIMITED_DISCOVERY)
5943 		hdev->discovery.limited = true;
5944 	else
5945 		hdev->discovery.limited = false;
5946 
5947 	cmd = mgmt_pending_add(sk, op, hdev, data, len);
5948 	if (!cmd) {
5949 		err = -ENOMEM;
5950 		goto failed;
5951 	}
5952 
5953 	err = hci_cmd_sync_queue(hdev, start_discovery_sync, cmd,
5954 				 start_discovery_complete);
5955 	if (err < 0) {
5956 		mgmt_pending_remove(cmd);
5957 		goto failed;
5958 	}
5959 
5960 	hci_discovery_set_state(hdev, DISCOVERY_STARTING);
5961 
5962 failed:
5963 	hci_dev_unlock(hdev);
5964 	return err;
5965 }
5966 
5967 static int start_discovery(struct sock *sk, struct hci_dev *hdev,
5968 			   void *data, u16 len)
5969 {
5970 	return start_discovery_internal(sk, hdev, MGMT_OP_START_DISCOVERY,
5971 					data, len);
5972 }
5973 
5974 static int start_limited_discovery(struct sock *sk, struct hci_dev *hdev,
5975 				   void *data, u16 len)
5976 {
5977 	return start_discovery_internal(sk, hdev,
5978 					MGMT_OP_START_LIMITED_DISCOVERY,
5979 					data, len);
5980 }
5981 
5982 static int start_service_discovery(struct sock *sk, struct hci_dev *hdev,
5983 				   void *data, u16 len)
5984 {
5985 	struct mgmt_cp_start_service_discovery *cp = data;
5986 	struct mgmt_pending_cmd *cmd;
5987 	const u16 max_uuid_count = ((U16_MAX - sizeof(*cp)) / 16);
5988 	u16 uuid_count, expected_len;
5989 	u8 status;
5990 	int err;
5991 
5992 	bt_dev_dbg(hdev, "sock %p", sk);
5993 
5994 	hci_dev_lock(hdev);
5995 
5996 	if (!hdev_is_powered(hdev)) {
5997 		err = mgmt_cmd_complete(sk, hdev->id,
5998 					MGMT_OP_START_SERVICE_DISCOVERY,
5999 					MGMT_STATUS_NOT_POWERED,
6000 					&cp->type, sizeof(cp->type));
6001 		goto failed;
6002 	}
6003 
6004 	if (hdev->discovery.state != DISCOVERY_STOPPED ||
6005 	    hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) {
6006 		err = mgmt_cmd_complete(sk, hdev->id,
6007 					MGMT_OP_START_SERVICE_DISCOVERY,
6008 					MGMT_STATUS_BUSY, &cp->type,
6009 					sizeof(cp->type));
6010 		goto failed;
6011 	}
6012 
6013 	if (hdev->discovery_paused) {
6014 		err = mgmt_cmd_complete(sk, hdev->id,
6015 					MGMT_OP_START_SERVICE_DISCOVERY,
6016 					MGMT_STATUS_BUSY, &cp->type,
6017 					sizeof(cp->type));
6018 		goto failed;
6019 	}
6020 
6021 	uuid_count = __le16_to_cpu(cp->uuid_count);
6022 	if (uuid_count > max_uuid_count) {
6023 		bt_dev_err(hdev, "service_discovery: too big uuid_count value %u",
6024 			   uuid_count);
6025 		err = mgmt_cmd_complete(sk, hdev->id,
6026 					MGMT_OP_START_SERVICE_DISCOVERY,
6027 					MGMT_STATUS_INVALID_PARAMS, &cp->type,
6028 					sizeof(cp->type));
6029 		goto failed;
6030 	}
6031 
6032 	expected_len = sizeof(*cp) + uuid_count * 16;
6033 	if (expected_len != len) {
6034 		bt_dev_err(hdev, "service_discovery: expected %u bytes, got %u bytes",
6035 			   expected_len, len);
6036 		err = mgmt_cmd_complete(sk, hdev->id,
6037 					MGMT_OP_START_SERVICE_DISCOVERY,
6038 					MGMT_STATUS_INVALID_PARAMS, &cp->type,
6039 					sizeof(cp->type));
6040 		goto failed;
6041 	}
6042 
6043 	if (!discovery_type_is_valid(hdev, cp->type, &status)) {
6044 		err = mgmt_cmd_complete(sk, hdev->id,
6045 					MGMT_OP_START_SERVICE_DISCOVERY,
6046 					status, &cp->type, sizeof(cp->type));
6047 		goto failed;
6048 	}
6049 
6050 	cmd = mgmt_pending_add(sk, MGMT_OP_START_SERVICE_DISCOVERY,
6051 			       hdev, data, len);
6052 	if (!cmd) {
6053 		err = -ENOMEM;
6054 		goto failed;
6055 	}
6056 
6057 	/* Clear the discovery filter first to free any previously
6058 	 * allocated memory for the UUID list.
6059 	 */
6060 	hci_discovery_filter_clear(hdev);
6061 
6062 	hdev->discovery.result_filtering = true;
6063 	hdev->discovery.type = cp->type;
6064 	hdev->discovery.rssi = cp->rssi;
6065 	hdev->discovery.uuid_count = uuid_count;
6066 
6067 	if (uuid_count > 0) {
6068 		hdev->discovery.uuids = kmemdup(cp->uuids, uuid_count * 16,
6069 						GFP_KERNEL);
6070 		if (!hdev->discovery.uuids) {
6071 			err = mgmt_cmd_complete(sk, hdev->id,
6072 						MGMT_OP_START_SERVICE_DISCOVERY,
6073 						MGMT_STATUS_FAILED,
6074 						&cp->type, sizeof(cp->type));
6075 			mgmt_pending_remove(cmd);
6076 			goto failed;
6077 		}
6078 	}
6079 
6080 	err = hci_cmd_sync_queue(hdev, start_discovery_sync, cmd,
6081 				 start_discovery_complete);
6082 	if (err < 0) {
6083 		mgmt_pending_remove(cmd);
6084 		goto failed;
6085 	}
6086 
6087 	hci_discovery_set_state(hdev, DISCOVERY_STARTING);
6088 
6089 failed:
6090 	hci_dev_unlock(hdev);
6091 	return err;
6092 }
6093 
6094 void mgmt_stop_discovery_complete(struct hci_dev *hdev, u8 status)
6095 {
6096 	struct mgmt_pending_cmd *cmd;
6097 
6098 	bt_dev_dbg(hdev, "status %u", status);
6099 
6100 	hci_dev_lock(hdev);
6101 
6102 	cmd = pending_find(MGMT_OP_STOP_DISCOVERY, hdev);
6103 	if (cmd) {
6104 		cmd->cmd_complete(cmd, mgmt_status(status));
6105 		mgmt_pending_remove(cmd);
6106 	}
6107 
6108 	hci_dev_unlock(hdev);
6109 }
6110 
6111 static void stop_discovery_complete(struct hci_dev *hdev, void *data, int err)
6112 {
6113 	struct mgmt_pending_cmd *cmd = data;
6114 
6115 	if (cmd != pending_find(MGMT_OP_STOP_DISCOVERY, hdev))
6116 		return;
6117 
6118 	bt_dev_dbg(hdev, "err %d", err);
6119 
6120 	mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, mgmt_status(err),
6121 			  cmd->param, 1);
6122 	mgmt_pending_remove(cmd);
6123 
6124 	if (!err)
6125 		hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
6126 }
6127 
6128 static int stop_discovery_sync(struct hci_dev *hdev, void *data)
6129 {
6130 	return hci_stop_discovery_sync(hdev);
6131 }
6132 
6133 static int stop_discovery(struct sock *sk, struct hci_dev *hdev, void *data,
6134 			  u16 len)
6135 {
6136 	struct mgmt_cp_stop_discovery *mgmt_cp = data;
6137 	struct mgmt_pending_cmd *cmd;
6138 	int err;
6139 
6140 	bt_dev_dbg(hdev, "sock %p", sk);
6141 
6142 	hci_dev_lock(hdev);
6143 
6144 	if (!hci_discovery_active(hdev)) {
6145 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_STOP_DISCOVERY,
6146 					MGMT_STATUS_REJECTED, &mgmt_cp->type,
6147 					sizeof(mgmt_cp->type));
6148 		goto unlock;
6149 	}
6150 
6151 	if (hdev->discovery.type != mgmt_cp->type) {
6152 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_STOP_DISCOVERY,
6153 					MGMT_STATUS_INVALID_PARAMS,
6154 					&mgmt_cp->type, sizeof(mgmt_cp->type));
6155 		goto unlock;
6156 	}
6157 
6158 	cmd = mgmt_pending_add(sk, MGMT_OP_STOP_DISCOVERY, hdev, data, len);
6159 	if (!cmd) {
6160 		err = -ENOMEM;
6161 		goto unlock;
6162 	}
6163 
6164 	err = hci_cmd_sync_queue(hdev, stop_discovery_sync, cmd,
6165 				 stop_discovery_complete);
6166 	if (err < 0) {
6167 		mgmt_pending_remove(cmd);
6168 		goto unlock;
6169 	}
6170 
6171 	hci_discovery_set_state(hdev, DISCOVERY_STOPPING);
6172 
6173 unlock:
6174 	hci_dev_unlock(hdev);
6175 	return err;
6176 }
6177 
6178 static int confirm_name(struct sock *sk, struct hci_dev *hdev, void *data,
6179 			u16 len)
6180 {
6181 	struct mgmt_cp_confirm_name *cp = data;
6182 	struct inquiry_entry *e;
6183 	int err;
6184 
6185 	bt_dev_dbg(hdev, "sock %p", sk);
6186 
6187 	hci_dev_lock(hdev);
6188 
6189 	if (!hci_discovery_active(hdev)) {
6190 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CONFIRM_NAME,
6191 					MGMT_STATUS_FAILED, &cp->addr,
6192 					sizeof(cp->addr));
6193 		goto failed;
6194 	}
6195 
6196 	e = hci_inquiry_cache_lookup_unknown(hdev, &cp->addr.bdaddr);
6197 	if (!e) {
6198 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CONFIRM_NAME,
6199 					MGMT_STATUS_INVALID_PARAMS, &cp->addr,
6200 					sizeof(cp->addr));
6201 		goto failed;
6202 	}
6203 
6204 	if (cp->name_known) {
6205 		e->name_state = NAME_KNOWN;
6206 		list_del(&e->list);
6207 	} else {
6208 		e->name_state = NAME_NEEDED;
6209 		hci_inquiry_cache_update_resolve(hdev, e);
6210 	}
6211 
6212 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CONFIRM_NAME, 0,
6213 				&cp->addr, sizeof(cp->addr));
6214 
6215 failed:
6216 	hci_dev_unlock(hdev);
6217 	return err;
6218 }
6219 
6220 static int block_device(struct sock *sk, struct hci_dev *hdev, void *data,
6221 			u16 len)
6222 {
6223 	struct mgmt_cp_block_device *cp = data;
6224 	u8 status;
6225 	int err;
6226 
6227 	bt_dev_dbg(hdev, "sock %p", sk);
6228 
6229 	if (!bdaddr_type_is_valid(cp->addr.type))
6230 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_BLOCK_DEVICE,
6231 					 MGMT_STATUS_INVALID_PARAMS,
6232 					 &cp->addr, sizeof(cp->addr));
6233 
6234 	hci_dev_lock(hdev);
6235 
6236 	err = hci_bdaddr_list_add(&hdev->reject_list, &cp->addr.bdaddr,
6237 				  cp->addr.type);
6238 	if (err < 0) {
6239 		status = MGMT_STATUS_FAILED;
6240 		goto done;
6241 	}
6242 
6243 	mgmt_event(MGMT_EV_DEVICE_BLOCKED, hdev, &cp->addr, sizeof(cp->addr),
6244 		   sk);
6245 	status = MGMT_STATUS_SUCCESS;
6246 
6247 done:
6248 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_BLOCK_DEVICE, status,
6249 				&cp->addr, sizeof(cp->addr));
6250 
6251 	hci_dev_unlock(hdev);
6252 
6253 	return err;
6254 }
6255 
6256 static int unblock_device(struct sock *sk, struct hci_dev *hdev, void *data,
6257 			  u16 len)
6258 {
6259 	struct mgmt_cp_unblock_device *cp = data;
6260 	u8 status;
6261 	int err;
6262 
6263 	bt_dev_dbg(hdev, "sock %p", sk);
6264 
6265 	if (!bdaddr_type_is_valid(cp->addr.type))
6266 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNBLOCK_DEVICE,
6267 					 MGMT_STATUS_INVALID_PARAMS,
6268 					 &cp->addr, sizeof(cp->addr));
6269 
6270 	hci_dev_lock(hdev);
6271 
6272 	err = hci_bdaddr_list_del(&hdev->reject_list, &cp->addr.bdaddr,
6273 				  cp->addr.type);
6274 	if (err < 0) {
6275 		status = MGMT_STATUS_INVALID_PARAMS;
6276 		goto done;
6277 	}
6278 
6279 	mgmt_event(MGMT_EV_DEVICE_UNBLOCKED, hdev, &cp->addr, sizeof(cp->addr),
6280 		   sk);
6281 	status = MGMT_STATUS_SUCCESS;
6282 
6283 done:
6284 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNBLOCK_DEVICE, status,
6285 				&cp->addr, sizeof(cp->addr));
6286 
6287 	hci_dev_unlock(hdev);
6288 
6289 	return err;
6290 }
6291 
6292 static int set_device_id_sync(struct hci_dev *hdev, void *data)
6293 {
6294 	return hci_update_eir_sync(hdev);
6295 }
6296 
6297 static int set_device_id(struct sock *sk, struct hci_dev *hdev, void *data,
6298 			 u16 len)
6299 {
6300 	struct mgmt_cp_set_device_id *cp = data;
6301 	int err;
6302 	__u16 source;
6303 
6304 	bt_dev_dbg(hdev, "sock %p", sk);
6305 
6306 	source = __le16_to_cpu(cp->source);
6307 
6308 	if (source > 0x0002)
6309 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEVICE_ID,
6310 				       MGMT_STATUS_INVALID_PARAMS);
6311 
6312 	hci_dev_lock(hdev);
6313 
6314 	hdev->devid_source = source;
6315 	hdev->devid_vendor = __le16_to_cpu(cp->vendor);
6316 	hdev->devid_product = __le16_to_cpu(cp->product);
6317 	hdev->devid_version = __le16_to_cpu(cp->version);
6318 
6319 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_DEVICE_ID, 0,
6320 				NULL, 0);
6321 
6322 	hci_cmd_sync_queue(hdev, set_device_id_sync, NULL, NULL);
6323 
6324 	hci_dev_unlock(hdev);
6325 
6326 	return err;
6327 }
6328 
6329 static void enable_advertising_instance(struct hci_dev *hdev, int err)
6330 {
6331 	if (err)
6332 		bt_dev_err(hdev, "failed to re-configure advertising %d", err);
6333 	else
6334 		bt_dev_dbg(hdev, "status %d", err);
6335 }
6336 
6337 static void set_advertising_complete(struct hci_dev *hdev, void *data, int err)
6338 {
6339 	struct cmd_lookup match = { NULL, hdev };
6340 	u8 instance;
6341 	struct adv_info *adv_instance;
6342 	u8 status = mgmt_status(err);
6343 
6344 	if (status) {
6345 		mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev,
6346 				     cmd_status_rsp, &status);
6347 		return;
6348 	}
6349 
6350 	if (hci_dev_test_flag(hdev, HCI_LE_ADV))
6351 		hci_dev_set_flag(hdev, HCI_ADVERTISING);
6352 	else
6353 		hci_dev_clear_flag(hdev, HCI_ADVERTISING);
6354 
6355 	mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev, settings_rsp,
6356 			     &match);
6357 
6358 	new_settings(hdev, match.sk);
6359 
6360 	if (match.sk)
6361 		sock_put(match.sk);
6362 
6363 	/* If "Set Advertising" was just disabled and instance advertising was
6364 	 * set up earlier, then re-enable multi-instance advertising.
6365 	 */
6366 	if (hci_dev_test_flag(hdev, HCI_ADVERTISING) ||
6367 	    list_empty(&hdev->adv_instances))
6368 		return;
6369 
6370 	instance = hdev->cur_adv_instance;
6371 	if (!instance) {
6372 		adv_instance = list_first_entry_or_null(&hdev->adv_instances,
6373 							struct adv_info, list);
6374 		if (!adv_instance)
6375 			return;
6376 
6377 		instance = adv_instance->instance;
6378 	}
6379 
6380 	err = hci_schedule_adv_instance_sync(hdev, instance, true);
6381 
6382 	enable_advertising_instance(hdev, err);
6383 }
6384 
6385 static int set_adv_sync(struct hci_dev *hdev, void *data)
6386 {
6387 	struct mgmt_pending_cmd *cmd = data;
6388 	struct mgmt_mode *cp = cmd->param;
6389 	u8 val = !!cp->val;
6390 
6391 	if (cp->val == 0x02)
6392 		hci_dev_set_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
6393 	else
6394 		hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
6395 
6396 	cancel_adv_timeout(hdev);
6397 
6398 	if (val) {
6399 		/* Switch to instance "0" for the Set Advertising setting.
6400 		 * We cannot use update_[adv|scan_rsp]_data() here as the
6401 		 * HCI_ADVERTISING flag is not yet set.
6402 		 */
6403 		hdev->cur_adv_instance = 0x00;
6404 
6405 		if (ext_adv_capable(hdev)) {
6406 			hci_start_ext_adv_sync(hdev, 0x00);
6407 		} else {
6408 			hci_update_adv_data_sync(hdev, 0x00);
6409 			hci_update_scan_rsp_data_sync(hdev, 0x00);
6410 			hci_enable_advertising_sync(hdev);
6411 		}
6412 	} else {
6413 		hci_disable_advertising_sync(hdev);
6414 	}
6415 
6416 	return 0;
6417 }
6418 
6419 static int set_advertising(struct sock *sk, struct hci_dev *hdev, void *data,
6420 			   u16 len)
6421 {
6422 	struct mgmt_mode *cp = data;
6423 	struct mgmt_pending_cmd *cmd;
6424 	u8 val, status;
6425 	int err;
6426 
6427 	bt_dev_dbg(hdev, "sock %p", sk);
6428 
6429 	status = mgmt_le_support(hdev);
6430 	if (status)
6431 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
6432 				       status);
6433 
6434 	if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
6435 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
6436 				       MGMT_STATUS_INVALID_PARAMS);
6437 
6438 	if (hdev->advertising_paused)
6439 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
6440 				       MGMT_STATUS_BUSY);
6441 
6442 	hci_dev_lock(hdev);
6443 
6444 	val = !!cp->val;
6445 
6446 	/* The following conditions are ones which mean that we should
6447 	 * not do any HCI communication but directly send a mgmt
6448 	 * response to user space (after toggling the flag if
6449 	 * necessary).
6450 	 */
6451 	if (!hdev_is_powered(hdev) ||
6452 	    (val == hci_dev_test_flag(hdev, HCI_ADVERTISING) &&
6453 	     (cp->val == 0x02) == hci_dev_test_flag(hdev, HCI_ADVERTISING_CONNECTABLE)) ||
6454 	    hci_dev_test_flag(hdev, HCI_MESH) ||
6455 	    hci_conn_num(hdev, LE_LINK) > 0 ||
6456 	    (hci_dev_test_flag(hdev, HCI_LE_SCAN) &&
6457 	     hdev->le_scan_type == LE_SCAN_ACTIVE)) {
6458 		bool changed;
6459 
6460 		if (cp->val) {
6461 			hdev->cur_adv_instance = 0x00;
6462 			changed = !hci_dev_test_and_set_flag(hdev, HCI_ADVERTISING);
6463 			if (cp->val == 0x02)
6464 				hci_dev_set_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
6465 			else
6466 				hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
6467 		} else {
6468 			changed = hci_dev_test_and_clear_flag(hdev, HCI_ADVERTISING);
6469 			hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
6470 		}
6471 
6472 		err = send_settings_rsp(sk, MGMT_OP_SET_ADVERTISING, hdev);
6473 		if (err < 0)
6474 			goto unlock;
6475 
6476 		if (changed)
6477 			err = new_settings(hdev, sk);
6478 
6479 		goto unlock;
6480 	}
6481 
6482 	if (pending_find(MGMT_OP_SET_ADVERTISING, hdev) ||
6483 	    pending_find(MGMT_OP_SET_LE, hdev)) {
6484 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
6485 				      MGMT_STATUS_BUSY);
6486 		goto unlock;
6487 	}
6488 
6489 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_ADVERTISING, hdev, data, len);
6490 	if (!cmd)
6491 		err = -ENOMEM;
6492 	else
6493 		err = hci_cmd_sync_queue(hdev, set_adv_sync, cmd,
6494 					 set_advertising_complete);
6495 
6496 	if (err < 0 && cmd)
6497 		mgmt_pending_remove(cmd);
6498 
6499 unlock:
6500 	hci_dev_unlock(hdev);
6501 	return err;
6502 }
6503 
6504 static int set_static_address(struct sock *sk, struct hci_dev *hdev,
6505 			      void *data, u16 len)
6506 {
6507 	struct mgmt_cp_set_static_address *cp = data;
6508 	int err;
6509 
6510 	bt_dev_dbg(hdev, "sock %p", sk);
6511 
6512 	if (!lmp_le_capable(hdev))
6513 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_STATIC_ADDRESS,
6514 				       MGMT_STATUS_NOT_SUPPORTED);
6515 
6516 	if (hdev_is_powered(hdev))
6517 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_STATIC_ADDRESS,
6518 				       MGMT_STATUS_REJECTED);
6519 
6520 	if (bacmp(&cp->bdaddr, BDADDR_ANY)) {
6521 		if (!bacmp(&cp->bdaddr, BDADDR_NONE))
6522 			return mgmt_cmd_status(sk, hdev->id,
6523 					       MGMT_OP_SET_STATIC_ADDRESS,
6524 					       MGMT_STATUS_INVALID_PARAMS);
6525 
6526 		/* Two most significant bits shall be set */
6527 		if ((cp->bdaddr.b[5] & 0xc0) != 0xc0)
6528 			return mgmt_cmd_status(sk, hdev->id,
6529 					       MGMT_OP_SET_STATIC_ADDRESS,
6530 					       MGMT_STATUS_INVALID_PARAMS);
6531 	}
6532 
6533 	hci_dev_lock(hdev);
6534 
6535 	bacpy(&hdev->static_addr, &cp->bdaddr);
6536 
6537 	err = send_settings_rsp(sk, MGMT_OP_SET_STATIC_ADDRESS, hdev);
6538 	if (err < 0)
6539 		goto unlock;
6540 
6541 	err = new_settings(hdev, sk);
6542 
6543 unlock:
6544 	hci_dev_unlock(hdev);
6545 	return err;
6546 }
6547 
6548 static int set_scan_params(struct sock *sk, struct hci_dev *hdev,
6549 			   void *data, u16 len)
6550 {
6551 	struct mgmt_cp_set_scan_params *cp = data;
6552 	__u16 interval, window;
6553 	int err;
6554 
6555 	bt_dev_dbg(hdev, "sock %p", sk);
6556 
6557 	if (!lmp_le_capable(hdev))
6558 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
6559 				       MGMT_STATUS_NOT_SUPPORTED);
6560 
6561 	interval = __le16_to_cpu(cp->interval);
6562 
6563 	if (interval < 0x0004 || interval > 0x4000)
6564 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
6565 				       MGMT_STATUS_INVALID_PARAMS);
6566 
6567 	window = __le16_to_cpu(cp->window);
6568 
6569 	if (window < 0x0004 || window > 0x4000)
6570 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
6571 				       MGMT_STATUS_INVALID_PARAMS);
6572 
6573 	if (window > interval)
6574 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
6575 				       MGMT_STATUS_INVALID_PARAMS);
6576 
6577 	hci_dev_lock(hdev);
6578 
6579 	hdev->le_scan_interval = interval;
6580 	hdev->le_scan_window = window;
6581 
6582 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS, 0,
6583 				NULL, 0);
6584 
6585 	/* If background scan is running, restart it so new parameters are
6586 	 * loaded.
6587 	 */
6588 	if (hci_dev_test_flag(hdev, HCI_LE_SCAN) &&
6589 	    hdev->discovery.state == DISCOVERY_STOPPED)
6590 		hci_update_passive_scan(hdev);
6591 
6592 	hci_dev_unlock(hdev);
6593 
6594 	return err;
6595 }
6596 
6597 static void fast_connectable_complete(struct hci_dev *hdev, void *data, int err)
6598 {
6599 	struct mgmt_pending_cmd *cmd = data;
6600 
6601 	bt_dev_dbg(hdev, "err %d", err);
6602 
6603 	if (err) {
6604 		mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
6605 				mgmt_status(err));
6606 	} else {
6607 		struct mgmt_mode *cp = cmd->param;
6608 
6609 		if (cp->val)
6610 			hci_dev_set_flag(hdev, HCI_FAST_CONNECTABLE);
6611 		else
6612 			hci_dev_clear_flag(hdev, HCI_FAST_CONNECTABLE);
6613 
6614 		send_settings_rsp(cmd->sk, MGMT_OP_SET_FAST_CONNECTABLE, hdev);
6615 		new_settings(hdev, cmd->sk);
6616 	}
6617 
6618 	mgmt_pending_free(cmd);
6619 }
6620 
6621 static int write_fast_connectable_sync(struct hci_dev *hdev, void *data)
6622 {
6623 	struct mgmt_pending_cmd *cmd = data;
6624 	struct mgmt_mode *cp = cmd->param;
6625 
6626 	return hci_write_fast_connectable_sync(hdev, cp->val);
6627 }
6628 
6629 static int set_fast_connectable(struct sock *sk, struct hci_dev *hdev,
6630 				void *data, u16 len)
6631 {
6632 	struct mgmt_mode *cp = data;
6633 	struct mgmt_pending_cmd *cmd;
6634 	int err;
6635 
6636 	bt_dev_dbg(hdev, "sock %p", sk);
6637 
6638 	if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) ||
6639 	    hdev->hci_ver < BLUETOOTH_VER_1_2)
6640 		return mgmt_cmd_status(sk, hdev->id,
6641 				       MGMT_OP_SET_FAST_CONNECTABLE,
6642 				       MGMT_STATUS_NOT_SUPPORTED);
6643 
6644 	if (cp->val != 0x00 && cp->val != 0x01)
6645 		return mgmt_cmd_status(sk, hdev->id,
6646 				       MGMT_OP_SET_FAST_CONNECTABLE,
6647 				       MGMT_STATUS_INVALID_PARAMS);
6648 
6649 	hci_dev_lock(hdev);
6650 
6651 	if (!!cp->val == hci_dev_test_flag(hdev, HCI_FAST_CONNECTABLE)) {
6652 		err = send_settings_rsp(sk, MGMT_OP_SET_FAST_CONNECTABLE, hdev);
6653 		goto unlock;
6654 	}
6655 
6656 	if (!hdev_is_powered(hdev)) {
6657 		hci_dev_change_flag(hdev, HCI_FAST_CONNECTABLE);
6658 		err = send_settings_rsp(sk, MGMT_OP_SET_FAST_CONNECTABLE, hdev);
6659 		new_settings(hdev, sk);
6660 		goto unlock;
6661 	}
6662 
6663 	cmd = mgmt_pending_new(sk, MGMT_OP_SET_FAST_CONNECTABLE, hdev, data,
6664 			       len);
6665 	if (!cmd)
6666 		err = -ENOMEM;
6667 	else
6668 		err = hci_cmd_sync_queue(hdev, write_fast_connectable_sync, cmd,
6669 					 fast_connectable_complete);
6670 
6671 	if (err < 0) {
6672 		mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
6673 				MGMT_STATUS_FAILED);
6674 
6675 		if (cmd)
6676 			mgmt_pending_free(cmd);
6677 	}
6678 
6679 unlock:
6680 	hci_dev_unlock(hdev);
6681 
6682 	return err;
6683 }
6684 
6685 static void set_bredr_complete(struct hci_dev *hdev, void *data, int err)
6686 {
6687 	struct mgmt_pending_cmd *cmd = data;
6688 
6689 	bt_dev_dbg(hdev, "err %d", err);
6690 
6691 	if (err) {
6692 		u8 mgmt_err = mgmt_status(err);
6693 
6694 		/* We need to restore the flag if related HCI commands
6695 		 * failed.
6696 		 */
6697 		hci_dev_clear_flag(hdev, HCI_BREDR_ENABLED);
6698 
6699 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
6700 	} else {
6701 		send_settings_rsp(cmd->sk, MGMT_OP_SET_BREDR, hdev);
6702 		new_settings(hdev, cmd->sk);
6703 	}
6704 
6705 	mgmt_pending_free(cmd);
6706 }
6707 
6708 static int set_bredr_sync(struct hci_dev *hdev, void *data)
6709 {
6710 	int status;
6711 
6712 	status = hci_write_fast_connectable_sync(hdev, false);
6713 
6714 	if (!status)
6715 		status = hci_update_scan_sync(hdev);
6716 
6717 	/* Since only the advertising data flags will change, there
6718 	 * is no need to update the scan response data.
6719 	 */
6720 	if (!status)
6721 		status = hci_update_adv_data_sync(hdev, hdev->cur_adv_instance);
6722 
6723 	return status;
6724 }
6725 
6726 static int set_bredr(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
6727 {
6728 	struct mgmt_mode *cp = data;
6729 	struct mgmt_pending_cmd *cmd;
6730 	int err;
6731 
6732 	bt_dev_dbg(hdev, "sock %p", sk);
6733 
6734 	if (!lmp_bredr_capable(hdev) || !lmp_le_capable(hdev))
6735 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
6736 				       MGMT_STATUS_NOT_SUPPORTED);
6737 
6738 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
6739 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
6740 				       MGMT_STATUS_REJECTED);
6741 
6742 	if (cp->val != 0x00 && cp->val != 0x01)
6743 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
6744 				       MGMT_STATUS_INVALID_PARAMS);
6745 
6746 	hci_dev_lock(hdev);
6747 
6748 	if (cp->val == hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
6749 		err = send_settings_rsp(sk, MGMT_OP_SET_BREDR, hdev);
6750 		goto unlock;
6751 	}
6752 
6753 	if (!hdev_is_powered(hdev)) {
6754 		if (!cp->val) {
6755 			hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
6756 			hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
6757 			hci_dev_clear_flag(hdev, HCI_LINK_SECURITY);
6758 			hci_dev_clear_flag(hdev, HCI_FAST_CONNECTABLE);
6759 			hci_dev_clear_flag(hdev, HCI_HS_ENABLED);
6760 		}
6761 
6762 		hci_dev_change_flag(hdev, HCI_BREDR_ENABLED);
6763 
6764 		err = send_settings_rsp(sk, MGMT_OP_SET_BREDR, hdev);
6765 		if (err < 0)
6766 			goto unlock;
6767 
6768 		err = new_settings(hdev, sk);
6769 		goto unlock;
6770 	}
6771 
6772 	/* Reject disabling when powered on */
6773 	if (!cp->val) {
6774 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
6775 				      MGMT_STATUS_REJECTED);
6776 		goto unlock;
6777 	} else {
6778 		/* When configuring a dual-mode controller to operate
6779 		 * with LE only and using a static address, then switching
6780 		 * BR/EDR back on is not allowed.
6781 		 *
6782 		 * Dual-mode controllers shall operate with the public
6783 		 * address as its identity address for BR/EDR and LE. So
6784 		 * reject the attempt to create an invalid configuration.
6785 		 *
6786 		 * The same restrictions applies when secure connections
6787 		 * has been enabled. For BR/EDR this is a controller feature
6788 		 * while for LE it is a host stack feature. This means that
6789 		 * switching BR/EDR back on when secure connections has been
6790 		 * enabled is not a supported transaction.
6791 		 */
6792 		if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
6793 		    (bacmp(&hdev->static_addr, BDADDR_ANY) ||
6794 		     hci_dev_test_flag(hdev, HCI_SC_ENABLED))) {
6795 			err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
6796 					      MGMT_STATUS_REJECTED);
6797 			goto unlock;
6798 		}
6799 	}
6800 
6801 	cmd = mgmt_pending_new(sk, MGMT_OP_SET_BREDR, hdev, data, len);
6802 	if (!cmd)
6803 		err = -ENOMEM;
6804 	else
6805 		err = hci_cmd_sync_queue(hdev, set_bredr_sync, cmd,
6806 					 set_bredr_complete);
6807 
6808 	if (err < 0) {
6809 		mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
6810 				MGMT_STATUS_FAILED);
6811 		if (cmd)
6812 			mgmt_pending_free(cmd);
6813 
6814 		goto unlock;
6815 	}
6816 
6817 	/* We need to flip the bit already here so that
6818 	 * hci_req_update_adv_data generates the correct flags.
6819 	 */
6820 	hci_dev_set_flag(hdev, HCI_BREDR_ENABLED);
6821 
6822 unlock:
6823 	hci_dev_unlock(hdev);
6824 	return err;
6825 }
6826 
6827 static void set_secure_conn_complete(struct hci_dev *hdev, void *data, int err)
6828 {
6829 	struct mgmt_pending_cmd *cmd = data;
6830 	struct mgmt_mode *cp;
6831 
6832 	bt_dev_dbg(hdev, "err %d", err);
6833 
6834 	if (err) {
6835 		u8 mgmt_err = mgmt_status(err);
6836 
6837 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
6838 		goto done;
6839 	}
6840 
6841 	cp = cmd->param;
6842 
6843 	switch (cp->val) {
6844 	case 0x00:
6845 		hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
6846 		hci_dev_clear_flag(hdev, HCI_SC_ONLY);
6847 		break;
6848 	case 0x01:
6849 		hci_dev_set_flag(hdev, HCI_SC_ENABLED);
6850 		hci_dev_clear_flag(hdev, HCI_SC_ONLY);
6851 		break;
6852 	case 0x02:
6853 		hci_dev_set_flag(hdev, HCI_SC_ENABLED);
6854 		hci_dev_set_flag(hdev, HCI_SC_ONLY);
6855 		break;
6856 	}
6857 
6858 	send_settings_rsp(cmd->sk, cmd->opcode, hdev);
6859 	new_settings(hdev, cmd->sk);
6860 
6861 done:
6862 	mgmt_pending_free(cmd);
6863 }
6864 
6865 static int set_secure_conn_sync(struct hci_dev *hdev, void *data)
6866 {
6867 	struct mgmt_pending_cmd *cmd = data;
6868 	struct mgmt_mode *cp = cmd->param;
6869 	u8 val = !!cp->val;
6870 
6871 	/* Force write of val */
6872 	hci_dev_set_flag(hdev, HCI_SC_ENABLED);
6873 
6874 	return hci_write_sc_support_sync(hdev, val);
6875 }
6876 
6877 static int set_secure_conn(struct sock *sk, struct hci_dev *hdev,
6878 			   void *data, u16 len)
6879 {
6880 	struct mgmt_mode *cp = data;
6881 	struct mgmt_pending_cmd *cmd;
6882 	u8 val;
6883 	int err;
6884 
6885 	bt_dev_dbg(hdev, "sock %p", sk);
6886 
6887 	if (!lmp_sc_capable(hdev) &&
6888 	    !hci_dev_test_flag(hdev, HCI_LE_ENABLED))
6889 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
6890 				       MGMT_STATUS_NOT_SUPPORTED);
6891 
6892 	if (hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
6893 	    lmp_sc_capable(hdev) &&
6894 	    !hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
6895 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
6896 				       MGMT_STATUS_REJECTED);
6897 
6898 	if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
6899 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
6900 				       MGMT_STATUS_INVALID_PARAMS);
6901 
6902 	hci_dev_lock(hdev);
6903 
6904 	if (!hdev_is_powered(hdev) || !lmp_sc_capable(hdev) ||
6905 	    !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
6906 		bool changed;
6907 
6908 		if (cp->val) {
6909 			changed = !hci_dev_test_and_set_flag(hdev,
6910 							     HCI_SC_ENABLED);
6911 			if (cp->val == 0x02)
6912 				hci_dev_set_flag(hdev, HCI_SC_ONLY);
6913 			else
6914 				hci_dev_clear_flag(hdev, HCI_SC_ONLY);
6915 		} else {
6916 			changed = hci_dev_test_and_clear_flag(hdev,
6917 							      HCI_SC_ENABLED);
6918 			hci_dev_clear_flag(hdev, HCI_SC_ONLY);
6919 		}
6920 
6921 		err = send_settings_rsp(sk, MGMT_OP_SET_SECURE_CONN, hdev);
6922 		if (err < 0)
6923 			goto failed;
6924 
6925 		if (changed)
6926 			err = new_settings(hdev, sk);
6927 
6928 		goto failed;
6929 	}
6930 
6931 	val = !!cp->val;
6932 
6933 	if (val == hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
6934 	    (cp->val == 0x02) == hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
6935 		err = send_settings_rsp(sk, MGMT_OP_SET_SECURE_CONN, hdev);
6936 		goto failed;
6937 	}
6938 
6939 	cmd = mgmt_pending_new(sk, MGMT_OP_SET_SECURE_CONN, hdev, data, len);
6940 	if (!cmd)
6941 		err = -ENOMEM;
6942 	else
6943 		err = hci_cmd_sync_queue(hdev, set_secure_conn_sync, cmd,
6944 					 set_secure_conn_complete);
6945 
6946 	if (err < 0) {
6947 		mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
6948 				MGMT_STATUS_FAILED);
6949 		if (cmd)
6950 			mgmt_pending_free(cmd);
6951 	}
6952 
6953 failed:
6954 	hci_dev_unlock(hdev);
6955 	return err;
6956 }
6957 
6958 static int set_debug_keys(struct sock *sk, struct hci_dev *hdev,
6959 			  void *data, u16 len)
6960 {
6961 	struct mgmt_mode *cp = data;
6962 	bool changed, use_changed;
6963 	int err;
6964 
6965 	bt_dev_dbg(hdev, "sock %p", sk);
6966 
6967 	if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
6968 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEBUG_KEYS,
6969 				       MGMT_STATUS_INVALID_PARAMS);
6970 
6971 	hci_dev_lock(hdev);
6972 
6973 	if (cp->val)
6974 		changed = !hci_dev_test_and_set_flag(hdev, HCI_KEEP_DEBUG_KEYS);
6975 	else
6976 		changed = hci_dev_test_and_clear_flag(hdev,
6977 						      HCI_KEEP_DEBUG_KEYS);
6978 
6979 	if (cp->val == 0x02)
6980 		use_changed = !hci_dev_test_and_set_flag(hdev,
6981 							 HCI_USE_DEBUG_KEYS);
6982 	else
6983 		use_changed = hci_dev_test_and_clear_flag(hdev,
6984 							  HCI_USE_DEBUG_KEYS);
6985 
6986 	if (hdev_is_powered(hdev) && use_changed &&
6987 	    hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
6988 		u8 mode = (cp->val == 0x02) ? 0x01 : 0x00;
6989 		hci_send_cmd(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE,
6990 			     sizeof(mode), &mode);
6991 	}
6992 
6993 	err = send_settings_rsp(sk, MGMT_OP_SET_DEBUG_KEYS, hdev);
6994 	if (err < 0)
6995 		goto unlock;
6996 
6997 	if (changed)
6998 		err = new_settings(hdev, sk);
6999 
7000 unlock:
7001 	hci_dev_unlock(hdev);
7002 	return err;
7003 }
7004 
7005 static int set_privacy(struct sock *sk, struct hci_dev *hdev, void *cp_data,
7006 		       u16 len)
7007 {
7008 	struct mgmt_cp_set_privacy *cp = cp_data;
7009 	bool changed;
7010 	int err;
7011 
7012 	bt_dev_dbg(hdev, "sock %p", sk);
7013 
7014 	if (!lmp_le_capable(hdev))
7015 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PRIVACY,
7016 				       MGMT_STATUS_NOT_SUPPORTED);
7017 
7018 	if (cp->privacy != 0x00 && cp->privacy != 0x01 && cp->privacy != 0x02)
7019 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PRIVACY,
7020 				       MGMT_STATUS_INVALID_PARAMS);
7021 
7022 	if (hdev_is_powered(hdev))
7023 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PRIVACY,
7024 				       MGMT_STATUS_REJECTED);
7025 
7026 	hci_dev_lock(hdev);
7027 
7028 	/* If user space supports this command it is also expected to
7029 	 * handle IRKs. Therefore, set the HCI_RPA_RESOLVING flag.
7030 	 */
7031 	hci_dev_set_flag(hdev, HCI_RPA_RESOLVING);
7032 
7033 	if (cp->privacy) {
7034 		changed = !hci_dev_test_and_set_flag(hdev, HCI_PRIVACY);
7035 		memcpy(hdev->irk, cp->irk, sizeof(hdev->irk));
7036 		hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
7037 		hci_adv_instances_set_rpa_expired(hdev, true);
7038 		if (cp->privacy == 0x02)
7039 			hci_dev_set_flag(hdev, HCI_LIMITED_PRIVACY);
7040 		else
7041 			hci_dev_clear_flag(hdev, HCI_LIMITED_PRIVACY);
7042 	} else {
7043 		changed = hci_dev_test_and_clear_flag(hdev, HCI_PRIVACY);
7044 		memset(hdev->irk, 0, sizeof(hdev->irk));
7045 		hci_dev_clear_flag(hdev, HCI_RPA_EXPIRED);
7046 		hci_adv_instances_set_rpa_expired(hdev, false);
7047 		hci_dev_clear_flag(hdev, HCI_LIMITED_PRIVACY);
7048 	}
7049 
7050 	err = send_settings_rsp(sk, MGMT_OP_SET_PRIVACY, hdev);
7051 	if (err < 0)
7052 		goto unlock;
7053 
7054 	if (changed)
7055 		err = new_settings(hdev, sk);
7056 
7057 unlock:
7058 	hci_dev_unlock(hdev);
7059 	return err;
7060 }
7061 
7062 static bool irk_is_valid(struct mgmt_irk_info *irk)
7063 {
7064 	switch (irk->addr.type) {
7065 	case BDADDR_LE_PUBLIC:
7066 		return true;
7067 
7068 	case BDADDR_LE_RANDOM:
7069 		/* Two most significant bits shall be set */
7070 		if ((irk->addr.bdaddr.b[5] & 0xc0) != 0xc0)
7071 			return false;
7072 		return true;
7073 	}
7074 
7075 	return false;
7076 }
7077 
7078 static int load_irks(struct sock *sk, struct hci_dev *hdev, void *cp_data,
7079 		     u16 len)
7080 {
7081 	struct mgmt_cp_load_irks *cp = cp_data;
7082 	const u16 max_irk_count = ((U16_MAX - sizeof(*cp)) /
7083 				   sizeof(struct mgmt_irk_info));
7084 	u16 irk_count, expected_len;
7085 	int i, err;
7086 
7087 	bt_dev_dbg(hdev, "sock %p", sk);
7088 
7089 	if (!lmp_le_capable(hdev))
7090 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_IRKS,
7091 				       MGMT_STATUS_NOT_SUPPORTED);
7092 
7093 	irk_count = __le16_to_cpu(cp->irk_count);
7094 	if (irk_count > max_irk_count) {
7095 		bt_dev_err(hdev, "load_irks: too big irk_count value %u",
7096 			   irk_count);
7097 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_IRKS,
7098 				       MGMT_STATUS_INVALID_PARAMS);
7099 	}
7100 
7101 	expected_len = struct_size(cp, irks, irk_count);
7102 	if (expected_len != len) {
7103 		bt_dev_err(hdev, "load_irks: expected %u bytes, got %u bytes",
7104 			   expected_len, len);
7105 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_IRKS,
7106 				       MGMT_STATUS_INVALID_PARAMS);
7107 	}
7108 
7109 	bt_dev_dbg(hdev, "irk_count %u", irk_count);
7110 
7111 	for (i = 0; i < irk_count; i++) {
7112 		struct mgmt_irk_info *key = &cp->irks[i];
7113 
7114 		if (!irk_is_valid(key))
7115 			return mgmt_cmd_status(sk, hdev->id,
7116 					       MGMT_OP_LOAD_IRKS,
7117 					       MGMT_STATUS_INVALID_PARAMS);
7118 	}
7119 
7120 	hci_dev_lock(hdev);
7121 
7122 	hci_smp_irks_clear(hdev);
7123 
7124 	for (i = 0; i < irk_count; i++) {
7125 		struct mgmt_irk_info *irk = &cp->irks[i];
7126 
7127 		if (hci_is_blocked_key(hdev,
7128 				       HCI_BLOCKED_KEY_TYPE_IRK,
7129 				       irk->val)) {
7130 			bt_dev_warn(hdev, "Skipping blocked IRK for %pMR",
7131 				    &irk->addr.bdaddr);
7132 			continue;
7133 		}
7134 
7135 		hci_add_irk(hdev, &irk->addr.bdaddr,
7136 			    le_addr_type(irk->addr.type), irk->val,
7137 			    BDADDR_ANY);
7138 	}
7139 
7140 	hci_dev_set_flag(hdev, HCI_RPA_RESOLVING);
7141 
7142 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_IRKS, 0, NULL, 0);
7143 
7144 	hci_dev_unlock(hdev);
7145 
7146 	return err;
7147 }
7148 
7149 static bool ltk_is_valid(struct mgmt_ltk_info *key)
7150 {
7151 	if (key->initiator != 0x00 && key->initiator != 0x01)
7152 		return false;
7153 
7154 	switch (key->addr.type) {
7155 	case BDADDR_LE_PUBLIC:
7156 		return true;
7157 
7158 	case BDADDR_LE_RANDOM:
7159 		/* Two most significant bits shall be set */
7160 		if ((key->addr.bdaddr.b[5] & 0xc0) != 0xc0)
7161 			return false;
7162 		return true;
7163 	}
7164 
7165 	return false;
7166 }
7167 
7168 static int load_long_term_keys(struct sock *sk, struct hci_dev *hdev,
7169 			       void *cp_data, u16 len)
7170 {
7171 	struct mgmt_cp_load_long_term_keys *cp = cp_data;
7172 	const u16 max_key_count = ((U16_MAX - sizeof(*cp)) /
7173 				   sizeof(struct mgmt_ltk_info));
7174 	u16 key_count, expected_len;
7175 	int i, err;
7176 
7177 	bt_dev_dbg(hdev, "sock %p", sk);
7178 
7179 	if (!lmp_le_capable(hdev))
7180 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS,
7181 				       MGMT_STATUS_NOT_SUPPORTED);
7182 
7183 	key_count = __le16_to_cpu(cp->key_count);
7184 	if (key_count > max_key_count) {
7185 		bt_dev_err(hdev, "load_ltks: too big key_count value %u",
7186 			   key_count);
7187 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS,
7188 				       MGMT_STATUS_INVALID_PARAMS);
7189 	}
7190 
7191 	expected_len = struct_size(cp, keys, key_count);
7192 	if (expected_len != len) {
7193 		bt_dev_err(hdev, "load_keys: expected %u bytes, got %u bytes",
7194 			   expected_len, len);
7195 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS,
7196 				       MGMT_STATUS_INVALID_PARAMS);
7197 	}
7198 
7199 	bt_dev_dbg(hdev, "key_count %u", key_count);
7200 
7201 	for (i = 0; i < key_count; i++) {
7202 		struct mgmt_ltk_info *key = &cp->keys[i];
7203 
7204 		if (!ltk_is_valid(key))
7205 			return mgmt_cmd_status(sk, hdev->id,
7206 					       MGMT_OP_LOAD_LONG_TERM_KEYS,
7207 					       MGMT_STATUS_INVALID_PARAMS);
7208 	}
7209 
7210 	hci_dev_lock(hdev);
7211 
7212 	hci_smp_ltks_clear(hdev);
7213 
7214 	for (i = 0; i < key_count; i++) {
7215 		struct mgmt_ltk_info *key = &cp->keys[i];
7216 		u8 type, authenticated;
7217 
7218 		if (hci_is_blocked_key(hdev,
7219 				       HCI_BLOCKED_KEY_TYPE_LTK,
7220 				       key->val)) {
7221 			bt_dev_warn(hdev, "Skipping blocked LTK for %pMR",
7222 				    &key->addr.bdaddr);
7223 			continue;
7224 		}
7225 
7226 		switch (key->type) {
7227 		case MGMT_LTK_UNAUTHENTICATED:
7228 			authenticated = 0x00;
7229 			type = key->initiator ? SMP_LTK : SMP_LTK_RESPONDER;
7230 			break;
7231 		case MGMT_LTK_AUTHENTICATED:
7232 			authenticated = 0x01;
7233 			type = key->initiator ? SMP_LTK : SMP_LTK_RESPONDER;
7234 			break;
7235 		case MGMT_LTK_P256_UNAUTH:
7236 			authenticated = 0x00;
7237 			type = SMP_LTK_P256;
7238 			break;
7239 		case MGMT_LTK_P256_AUTH:
7240 			authenticated = 0x01;
7241 			type = SMP_LTK_P256;
7242 			break;
7243 		case MGMT_LTK_P256_DEBUG:
7244 			authenticated = 0x00;
7245 			type = SMP_LTK_P256_DEBUG;
7246 			fallthrough;
7247 		default:
7248 			continue;
7249 		}
7250 
7251 		hci_add_ltk(hdev, &key->addr.bdaddr,
7252 			    le_addr_type(key->addr.type), type, authenticated,
7253 			    key->val, key->enc_size, key->ediv, key->rand);
7254 	}
7255 
7256 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS, 0,
7257 			   NULL, 0);
7258 
7259 	hci_dev_unlock(hdev);
7260 
7261 	return err;
7262 }
7263 
7264 static void get_conn_info_complete(struct hci_dev *hdev, void *data, int err)
7265 {
7266 	struct mgmt_pending_cmd *cmd = data;
7267 	struct hci_conn *conn = cmd->user_data;
7268 	struct mgmt_cp_get_conn_info *cp = cmd->param;
7269 	struct mgmt_rp_get_conn_info rp;
7270 	u8 status;
7271 
7272 	bt_dev_dbg(hdev, "err %d", err);
7273 
7274 	memcpy(&rp.addr, &cp->addr.bdaddr, sizeof(rp.addr));
7275 
7276 	status = mgmt_status(err);
7277 	if (status == MGMT_STATUS_SUCCESS) {
7278 		rp.rssi = conn->rssi;
7279 		rp.tx_power = conn->tx_power;
7280 		rp.max_tx_power = conn->max_tx_power;
7281 	} else {
7282 		rp.rssi = HCI_RSSI_INVALID;
7283 		rp.tx_power = HCI_TX_POWER_INVALID;
7284 		rp.max_tx_power = HCI_TX_POWER_INVALID;
7285 	}
7286 
7287 	mgmt_cmd_complete(cmd->sk, cmd->index, MGMT_OP_GET_CONN_INFO, status,
7288 			  &rp, sizeof(rp));
7289 
7290 	mgmt_pending_free(cmd);
7291 }
7292 
7293 static int get_conn_info_sync(struct hci_dev *hdev, void *data)
7294 {
7295 	struct mgmt_pending_cmd *cmd = data;
7296 	struct mgmt_cp_get_conn_info *cp = cmd->param;
7297 	struct hci_conn *conn;
7298 	int err;
7299 	__le16   handle;
7300 
7301 	/* Make sure we are still connected */
7302 	if (cp->addr.type == BDADDR_BREDR)
7303 		conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
7304 					       &cp->addr.bdaddr);
7305 	else
7306 		conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->addr.bdaddr);
7307 
7308 	if (!conn || conn->state != BT_CONNECTED)
7309 		return MGMT_STATUS_NOT_CONNECTED;
7310 
7311 	cmd->user_data = conn;
7312 	handle = cpu_to_le16(conn->handle);
7313 
7314 	/* Refresh RSSI each time */
7315 	err = hci_read_rssi_sync(hdev, handle);
7316 
7317 	/* For LE links TX power does not change thus we don't need to
7318 	 * query for it once value is known.
7319 	 */
7320 	if (!err && (!bdaddr_type_is_le(cp->addr.type) ||
7321 		     conn->tx_power == HCI_TX_POWER_INVALID))
7322 		err = hci_read_tx_power_sync(hdev, handle, 0x00);
7323 
7324 	/* Max TX power needs to be read only once per connection */
7325 	if (!err && conn->max_tx_power == HCI_TX_POWER_INVALID)
7326 		err = hci_read_tx_power_sync(hdev, handle, 0x01);
7327 
7328 	return err;
7329 }
7330 
7331 static int get_conn_info(struct sock *sk, struct hci_dev *hdev, void *data,
7332 			 u16 len)
7333 {
7334 	struct mgmt_cp_get_conn_info *cp = data;
7335 	struct mgmt_rp_get_conn_info rp;
7336 	struct hci_conn *conn;
7337 	unsigned long conn_info_age;
7338 	int err = 0;
7339 
7340 	bt_dev_dbg(hdev, "sock %p", sk);
7341 
7342 	memset(&rp, 0, sizeof(rp));
7343 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
7344 	rp.addr.type = cp->addr.type;
7345 
7346 	if (!bdaddr_type_is_valid(cp->addr.type))
7347 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
7348 					 MGMT_STATUS_INVALID_PARAMS,
7349 					 &rp, sizeof(rp));
7350 
7351 	hci_dev_lock(hdev);
7352 
7353 	if (!hdev_is_powered(hdev)) {
7354 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
7355 					MGMT_STATUS_NOT_POWERED, &rp,
7356 					sizeof(rp));
7357 		goto unlock;
7358 	}
7359 
7360 	if (cp->addr.type == BDADDR_BREDR)
7361 		conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
7362 					       &cp->addr.bdaddr);
7363 	else
7364 		conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->addr.bdaddr);
7365 
7366 	if (!conn || conn->state != BT_CONNECTED) {
7367 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
7368 					MGMT_STATUS_NOT_CONNECTED, &rp,
7369 					sizeof(rp));
7370 		goto unlock;
7371 	}
7372 
7373 	/* To avoid client trying to guess when to poll again for information we
7374 	 * calculate conn info age as random value between min/max set in hdev.
7375 	 */
7376 	conn_info_age = get_random_u32_inclusive(hdev->conn_info_min_age,
7377 						 hdev->conn_info_max_age - 1);
7378 
7379 	/* Query controller to refresh cached values if they are too old or were
7380 	 * never read.
7381 	 */
7382 	if (time_after(jiffies, conn->conn_info_timestamp +
7383 		       msecs_to_jiffies(conn_info_age)) ||
7384 	    !conn->conn_info_timestamp) {
7385 		struct mgmt_pending_cmd *cmd;
7386 
7387 		cmd = mgmt_pending_new(sk, MGMT_OP_GET_CONN_INFO, hdev, data,
7388 				       len);
7389 		if (!cmd) {
7390 			err = -ENOMEM;
7391 		} else {
7392 			err = hci_cmd_sync_queue(hdev, get_conn_info_sync,
7393 						 cmd, get_conn_info_complete);
7394 		}
7395 
7396 		if (err < 0) {
7397 			mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
7398 					  MGMT_STATUS_FAILED, &rp, sizeof(rp));
7399 
7400 			if (cmd)
7401 				mgmt_pending_free(cmd);
7402 
7403 			goto unlock;
7404 		}
7405 
7406 		conn->conn_info_timestamp = jiffies;
7407 	} else {
7408 		/* Cache is valid, just reply with values cached in hci_conn */
7409 		rp.rssi = conn->rssi;
7410 		rp.tx_power = conn->tx_power;
7411 		rp.max_tx_power = conn->max_tx_power;
7412 
7413 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
7414 					MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
7415 	}
7416 
7417 unlock:
7418 	hci_dev_unlock(hdev);
7419 	return err;
7420 }
7421 
7422 static void get_clock_info_complete(struct hci_dev *hdev, void *data, int err)
7423 {
7424 	struct mgmt_pending_cmd *cmd = data;
7425 	struct mgmt_cp_get_clock_info *cp = cmd->param;
7426 	struct mgmt_rp_get_clock_info rp;
7427 	struct hci_conn *conn = cmd->user_data;
7428 	u8 status = mgmt_status(err);
7429 
7430 	bt_dev_dbg(hdev, "err %d", err);
7431 
7432 	memset(&rp, 0, sizeof(rp));
7433 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
7434 	rp.addr.type = cp->addr.type;
7435 
7436 	if (err)
7437 		goto complete;
7438 
7439 	rp.local_clock = cpu_to_le32(hdev->clock);
7440 
7441 	if (conn) {
7442 		rp.piconet_clock = cpu_to_le32(conn->clock);
7443 		rp.accuracy = cpu_to_le16(conn->clock_accuracy);
7444 	}
7445 
7446 complete:
7447 	mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status, &rp,
7448 			  sizeof(rp));
7449 
7450 	mgmt_pending_free(cmd);
7451 }
7452 
7453 static int get_clock_info_sync(struct hci_dev *hdev, void *data)
7454 {
7455 	struct mgmt_pending_cmd *cmd = data;
7456 	struct mgmt_cp_get_clock_info *cp = cmd->param;
7457 	struct hci_cp_read_clock hci_cp;
7458 	struct hci_conn *conn;
7459 
7460 	memset(&hci_cp, 0, sizeof(hci_cp));
7461 	hci_read_clock_sync(hdev, &hci_cp);
7462 
7463 	/* Make sure connection still exists */
7464 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->addr.bdaddr);
7465 	if (!conn || conn->state != BT_CONNECTED)
7466 		return MGMT_STATUS_NOT_CONNECTED;
7467 
7468 	cmd->user_data = conn;
7469 	hci_cp.handle = cpu_to_le16(conn->handle);
7470 	hci_cp.which = 0x01; /* Piconet clock */
7471 
7472 	return hci_read_clock_sync(hdev, &hci_cp);
7473 }
7474 
7475 static int get_clock_info(struct sock *sk, struct hci_dev *hdev, void *data,
7476 								u16 len)
7477 {
7478 	struct mgmt_cp_get_clock_info *cp = data;
7479 	struct mgmt_rp_get_clock_info rp;
7480 	struct mgmt_pending_cmd *cmd;
7481 	struct hci_conn *conn;
7482 	int err;
7483 
7484 	bt_dev_dbg(hdev, "sock %p", sk);
7485 
7486 	memset(&rp, 0, sizeof(rp));
7487 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
7488 	rp.addr.type = cp->addr.type;
7489 
7490 	if (cp->addr.type != BDADDR_BREDR)
7491 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CLOCK_INFO,
7492 					 MGMT_STATUS_INVALID_PARAMS,
7493 					 &rp, sizeof(rp));
7494 
7495 	hci_dev_lock(hdev);
7496 
7497 	if (!hdev_is_powered(hdev)) {
7498 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CLOCK_INFO,
7499 					MGMT_STATUS_NOT_POWERED, &rp,
7500 					sizeof(rp));
7501 		goto unlock;
7502 	}
7503 
7504 	if (bacmp(&cp->addr.bdaddr, BDADDR_ANY)) {
7505 		conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
7506 					       &cp->addr.bdaddr);
7507 		if (!conn || conn->state != BT_CONNECTED) {
7508 			err = mgmt_cmd_complete(sk, hdev->id,
7509 						MGMT_OP_GET_CLOCK_INFO,
7510 						MGMT_STATUS_NOT_CONNECTED,
7511 						&rp, sizeof(rp));
7512 			goto unlock;
7513 		}
7514 	} else {
7515 		conn = NULL;
7516 	}
7517 
7518 	cmd = mgmt_pending_new(sk, MGMT_OP_GET_CLOCK_INFO, hdev, data, len);
7519 	if (!cmd)
7520 		err = -ENOMEM;
7521 	else
7522 		err = hci_cmd_sync_queue(hdev, get_clock_info_sync, cmd,
7523 					 get_clock_info_complete);
7524 
7525 	if (err < 0) {
7526 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CLOCK_INFO,
7527 					MGMT_STATUS_FAILED, &rp, sizeof(rp));
7528 
7529 		if (cmd)
7530 			mgmt_pending_free(cmd);
7531 	}
7532 
7533 
7534 unlock:
7535 	hci_dev_unlock(hdev);
7536 	return err;
7537 }
7538 
7539 static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type)
7540 {
7541 	struct hci_conn *conn;
7542 
7543 	conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, addr);
7544 	if (!conn)
7545 		return false;
7546 
7547 	if (conn->dst_type != type)
7548 		return false;
7549 
7550 	if (conn->state != BT_CONNECTED)
7551 		return false;
7552 
7553 	return true;
7554 }
7555 
7556 /* This function requires the caller holds hdev->lock */
7557 static int hci_conn_params_set(struct hci_dev *hdev, bdaddr_t *addr,
7558 			       u8 addr_type, u8 auto_connect)
7559 {
7560 	struct hci_conn_params *params;
7561 
7562 	params = hci_conn_params_add(hdev, addr, addr_type);
7563 	if (!params)
7564 		return -EIO;
7565 
7566 	if (params->auto_connect == auto_connect)
7567 		return 0;
7568 
7569 	list_del_init(&params->action);
7570 
7571 	switch (auto_connect) {
7572 	case HCI_AUTO_CONN_DISABLED:
7573 	case HCI_AUTO_CONN_LINK_LOSS:
7574 		/* If auto connect is being disabled when we're trying to
7575 		 * connect to device, keep connecting.
7576 		 */
7577 		if (params->explicit_connect)
7578 			list_add(&params->action, &hdev->pend_le_conns);
7579 		break;
7580 	case HCI_AUTO_CONN_REPORT:
7581 		if (params->explicit_connect)
7582 			list_add(&params->action, &hdev->pend_le_conns);
7583 		else
7584 			list_add(&params->action, &hdev->pend_le_reports);
7585 		break;
7586 	case HCI_AUTO_CONN_DIRECT:
7587 	case HCI_AUTO_CONN_ALWAYS:
7588 		if (!is_connected(hdev, addr, addr_type))
7589 			list_add(&params->action, &hdev->pend_le_conns);
7590 		break;
7591 	}
7592 
7593 	params->auto_connect = auto_connect;
7594 
7595 	bt_dev_dbg(hdev, "addr %pMR (type %u) auto_connect %u",
7596 		   addr, addr_type, auto_connect);
7597 
7598 	return 0;
7599 }
7600 
7601 static void device_added(struct sock *sk, struct hci_dev *hdev,
7602 			 bdaddr_t *bdaddr, u8 type, u8 action)
7603 {
7604 	struct mgmt_ev_device_added ev;
7605 
7606 	bacpy(&ev.addr.bdaddr, bdaddr);
7607 	ev.addr.type = type;
7608 	ev.action = action;
7609 
7610 	mgmt_event(MGMT_EV_DEVICE_ADDED, hdev, &ev, sizeof(ev), sk);
7611 }
7612 
7613 static int add_device_sync(struct hci_dev *hdev, void *data)
7614 {
7615 	return hci_update_passive_scan_sync(hdev);
7616 }
7617 
7618 static int add_device(struct sock *sk, struct hci_dev *hdev,
7619 		      void *data, u16 len)
7620 {
7621 	struct mgmt_cp_add_device *cp = data;
7622 	u8 auto_conn, addr_type;
7623 	struct hci_conn_params *params;
7624 	int err;
7625 	u32 current_flags = 0;
7626 	u32 supported_flags;
7627 
7628 	bt_dev_dbg(hdev, "sock %p", sk);
7629 
7630 	if (!bdaddr_type_is_valid(cp->addr.type) ||
7631 	    !bacmp(&cp->addr.bdaddr, BDADDR_ANY))
7632 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
7633 					 MGMT_STATUS_INVALID_PARAMS,
7634 					 &cp->addr, sizeof(cp->addr));
7635 
7636 	if (cp->action != 0x00 && cp->action != 0x01 && cp->action != 0x02)
7637 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
7638 					 MGMT_STATUS_INVALID_PARAMS,
7639 					 &cp->addr, sizeof(cp->addr));
7640 
7641 	hci_dev_lock(hdev);
7642 
7643 	if (cp->addr.type == BDADDR_BREDR) {
7644 		/* Only incoming connections action is supported for now */
7645 		if (cp->action != 0x01) {
7646 			err = mgmt_cmd_complete(sk, hdev->id,
7647 						MGMT_OP_ADD_DEVICE,
7648 						MGMT_STATUS_INVALID_PARAMS,
7649 						&cp->addr, sizeof(cp->addr));
7650 			goto unlock;
7651 		}
7652 
7653 		err = hci_bdaddr_list_add_with_flags(&hdev->accept_list,
7654 						     &cp->addr.bdaddr,
7655 						     cp->addr.type, 0);
7656 		if (err)
7657 			goto unlock;
7658 
7659 		hci_update_scan(hdev);
7660 
7661 		goto added;
7662 	}
7663 
7664 	addr_type = le_addr_type(cp->addr.type);
7665 
7666 	if (cp->action == 0x02)
7667 		auto_conn = HCI_AUTO_CONN_ALWAYS;
7668 	else if (cp->action == 0x01)
7669 		auto_conn = HCI_AUTO_CONN_DIRECT;
7670 	else
7671 		auto_conn = HCI_AUTO_CONN_REPORT;
7672 
7673 	/* Kernel internally uses conn_params with resolvable private
7674 	 * address, but Add Device allows only identity addresses.
7675 	 * Make sure it is enforced before calling
7676 	 * hci_conn_params_lookup.
7677 	 */
7678 	if (!hci_is_identity_address(&cp->addr.bdaddr, addr_type)) {
7679 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
7680 					MGMT_STATUS_INVALID_PARAMS,
7681 					&cp->addr, sizeof(cp->addr));
7682 		goto unlock;
7683 	}
7684 
7685 	/* If the connection parameters don't exist for this device,
7686 	 * they will be created and configured with defaults.
7687 	 */
7688 	if (hci_conn_params_set(hdev, &cp->addr.bdaddr, addr_type,
7689 				auto_conn) < 0) {
7690 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
7691 					MGMT_STATUS_FAILED, &cp->addr,
7692 					sizeof(cp->addr));
7693 		goto unlock;
7694 	} else {
7695 		params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr,
7696 						addr_type);
7697 		if (params)
7698 			current_flags = params->flags;
7699 	}
7700 
7701 	err = hci_cmd_sync_queue(hdev, add_device_sync, NULL, NULL);
7702 	if (err < 0)
7703 		goto unlock;
7704 
7705 added:
7706 	device_added(sk, hdev, &cp->addr.bdaddr, cp->addr.type, cp->action);
7707 	supported_flags = hdev->conn_flags;
7708 	device_flags_changed(NULL, hdev, &cp->addr.bdaddr, cp->addr.type,
7709 			     supported_flags, current_flags);
7710 
7711 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
7712 				MGMT_STATUS_SUCCESS, &cp->addr,
7713 				sizeof(cp->addr));
7714 
7715 unlock:
7716 	hci_dev_unlock(hdev);
7717 	return err;
7718 }
7719 
7720 static void device_removed(struct sock *sk, struct hci_dev *hdev,
7721 			   bdaddr_t *bdaddr, u8 type)
7722 {
7723 	struct mgmt_ev_device_removed ev;
7724 
7725 	bacpy(&ev.addr.bdaddr, bdaddr);
7726 	ev.addr.type = type;
7727 
7728 	mgmt_event(MGMT_EV_DEVICE_REMOVED, hdev, &ev, sizeof(ev), sk);
7729 }
7730 
7731 static int remove_device_sync(struct hci_dev *hdev, void *data)
7732 {
7733 	return hci_update_passive_scan_sync(hdev);
7734 }
7735 
7736 static int remove_device(struct sock *sk, struct hci_dev *hdev,
7737 			 void *data, u16 len)
7738 {
7739 	struct mgmt_cp_remove_device *cp = data;
7740 	int err;
7741 
7742 	bt_dev_dbg(hdev, "sock %p", sk);
7743 
7744 	hci_dev_lock(hdev);
7745 
7746 	if (bacmp(&cp->addr.bdaddr, BDADDR_ANY)) {
7747 		struct hci_conn_params *params;
7748 		u8 addr_type;
7749 
7750 		if (!bdaddr_type_is_valid(cp->addr.type)) {
7751 			err = mgmt_cmd_complete(sk, hdev->id,
7752 						MGMT_OP_REMOVE_DEVICE,
7753 						MGMT_STATUS_INVALID_PARAMS,
7754 						&cp->addr, sizeof(cp->addr));
7755 			goto unlock;
7756 		}
7757 
7758 		if (cp->addr.type == BDADDR_BREDR) {
7759 			err = hci_bdaddr_list_del(&hdev->accept_list,
7760 						  &cp->addr.bdaddr,
7761 						  cp->addr.type);
7762 			if (err) {
7763 				err = mgmt_cmd_complete(sk, hdev->id,
7764 							MGMT_OP_REMOVE_DEVICE,
7765 							MGMT_STATUS_INVALID_PARAMS,
7766 							&cp->addr,
7767 							sizeof(cp->addr));
7768 				goto unlock;
7769 			}
7770 
7771 			hci_update_scan(hdev);
7772 
7773 			device_removed(sk, hdev, &cp->addr.bdaddr,
7774 				       cp->addr.type);
7775 			goto complete;
7776 		}
7777 
7778 		addr_type = le_addr_type(cp->addr.type);
7779 
7780 		/* Kernel internally uses conn_params with resolvable private
7781 		 * address, but Remove Device allows only identity addresses.
7782 		 * Make sure it is enforced before calling
7783 		 * hci_conn_params_lookup.
7784 		 */
7785 		if (!hci_is_identity_address(&cp->addr.bdaddr, addr_type)) {
7786 			err = mgmt_cmd_complete(sk, hdev->id,
7787 						MGMT_OP_REMOVE_DEVICE,
7788 						MGMT_STATUS_INVALID_PARAMS,
7789 						&cp->addr, sizeof(cp->addr));
7790 			goto unlock;
7791 		}
7792 
7793 		params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr,
7794 						addr_type);
7795 		if (!params) {
7796 			err = mgmt_cmd_complete(sk, hdev->id,
7797 						MGMT_OP_REMOVE_DEVICE,
7798 						MGMT_STATUS_INVALID_PARAMS,
7799 						&cp->addr, sizeof(cp->addr));
7800 			goto unlock;
7801 		}
7802 
7803 		if (params->auto_connect == HCI_AUTO_CONN_DISABLED ||
7804 		    params->auto_connect == HCI_AUTO_CONN_EXPLICIT) {
7805 			err = mgmt_cmd_complete(sk, hdev->id,
7806 						MGMT_OP_REMOVE_DEVICE,
7807 						MGMT_STATUS_INVALID_PARAMS,
7808 						&cp->addr, sizeof(cp->addr));
7809 			goto unlock;
7810 		}
7811 
7812 		list_del(&params->action);
7813 		list_del(&params->list);
7814 		kfree(params);
7815 
7816 		device_removed(sk, hdev, &cp->addr.bdaddr, cp->addr.type);
7817 	} else {
7818 		struct hci_conn_params *p, *tmp;
7819 		struct bdaddr_list *b, *btmp;
7820 
7821 		if (cp->addr.type) {
7822 			err = mgmt_cmd_complete(sk, hdev->id,
7823 						MGMT_OP_REMOVE_DEVICE,
7824 						MGMT_STATUS_INVALID_PARAMS,
7825 						&cp->addr, sizeof(cp->addr));
7826 			goto unlock;
7827 		}
7828 
7829 		list_for_each_entry_safe(b, btmp, &hdev->accept_list, list) {
7830 			device_removed(sk, hdev, &b->bdaddr, b->bdaddr_type);
7831 			list_del(&b->list);
7832 			kfree(b);
7833 		}
7834 
7835 		hci_update_scan(hdev);
7836 
7837 		list_for_each_entry_safe(p, tmp, &hdev->le_conn_params, list) {
7838 			if (p->auto_connect == HCI_AUTO_CONN_DISABLED)
7839 				continue;
7840 			device_removed(sk, hdev, &p->addr, p->addr_type);
7841 			if (p->explicit_connect) {
7842 				p->auto_connect = HCI_AUTO_CONN_EXPLICIT;
7843 				continue;
7844 			}
7845 			list_del(&p->action);
7846 			list_del(&p->list);
7847 			kfree(p);
7848 		}
7849 
7850 		bt_dev_dbg(hdev, "All LE connection parameters were removed");
7851 	}
7852 
7853 	hci_cmd_sync_queue(hdev, remove_device_sync, NULL, NULL);
7854 
7855 complete:
7856 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_DEVICE,
7857 				MGMT_STATUS_SUCCESS, &cp->addr,
7858 				sizeof(cp->addr));
7859 unlock:
7860 	hci_dev_unlock(hdev);
7861 	return err;
7862 }
7863 
7864 static int load_conn_param(struct sock *sk, struct hci_dev *hdev, void *data,
7865 			   u16 len)
7866 {
7867 	struct mgmt_cp_load_conn_param *cp = data;
7868 	const u16 max_param_count = ((U16_MAX - sizeof(*cp)) /
7869 				     sizeof(struct mgmt_conn_param));
7870 	u16 param_count, expected_len;
7871 	int i;
7872 
7873 	if (!lmp_le_capable(hdev))
7874 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM,
7875 				       MGMT_STATUS_NOT_SUPPORTED);
7876 
7877 	param_count = __le16_to_cpu(cp->param_count);
7878 	if (param_count > max_param_count) {
7879 		bt_dev_err(hdev, "load_conn_param: too big param_count value %u",
7880 			   param_count);
7881 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM,
7882 				       MGMT_STATUS_INVALID_PARAMS);
7883 	}
7884 
7885 	expected_len = struct_size(cp, params, param_count);
7886 	if (expected_len != len) {
7887 		bt_dev_err(hdev, "load_conn_param: expected %u bytes, got %u bytes",
7888 			   expected_len, len);
7889 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM,
7890 				       MGMT_STATUS_INVALID_PARAMS);
7891 	}
7892 
7893 	bt_dev_dbg(hdev, "param_count %u", param_count);
7894 
7895 	hci_dev_lock(hdev);
7896 
7897 	hci_conn_params_clear_disabled(hdev);
7898 
7899 	for (i = 0; i < param_count; i++) {
7900 		struct mgmt_conn_param *param = &cp->params[i];
7901 		struct hci_conn_params *hci_param;
7902 		u16 min, max, latency, timeout;
7903 		u8 addr_type;
7904 
7905 		bt_dev_dbg(hdev, "Adding %pMR (type %u)", &param->addr.bdaddr,
7906 			   param->addr.type);
7907 
7908 		if (param->addr.type == BDADDR_LE_PUBLIC) {
7909 			addr_type = ADDR_LE_DEV_PUBLIC;
7910 		} else if (param->addr.type == BDADDR_LE_RANDOM) {
7911 			addr_type = ADDR_LE_DEV_RANDOM;
7912 		} else {
7913 			bt_dev_err(hdev, "ignoring invalid connection parameters");
7914 			continue;
7915 		}
7916 
7917 		min = le16_to_cpu(param->min_interval);
7918 		max = le16_to_cpu(param->max_interval);
7919 		latency = le16_to_cpu(param->latency);
7920 		timeout = le16_to_cpu(param->timeout);
7921 
7922 		bt_dev_dbg(hdev, "min 0x%04x max 0x%04x latency 0x%04x timeout 0x%04x",
7923 			   min, max, latency, timeout);
7924 
7925 		if (hci_check_conn_params(min, max, latency, timeout) < 0) {
7926 			bt_dev_err(hdev, "ignoring invalid connection parameters");
7927 			continue;
7928 		}
7929 
7930 		hci_param = hci_conn_params_add(hdev, &param->addr.bdaddr,
7931 						addr_type);
7932 		if (!hci_param) {
7933 			bt_dev_err(hdev, "failed to add connection parameters");
7934 			continue;
7935 		}
7936 
7937 		hci_param->conn_min_interval = min;
7938 		hci_param->conn_max_interval = max;
7939 		hci_param->conn_latency = latency;
7940 		hci_param->supervision_timeout = timeout;
7941 	}
7942 
7943 	hci_dev_unlock(hdev);
7944 
7945 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM, 0,
7946 				 NULL, 0);
7947 }
7948 
7949 static int set_external_config(struct sock *sk, struct hci_dev *hdev,
7950 			       void *data, u16 len)
7951 {
7952 	struct mgmt_cp_set_external_config *cp = data;
7953 	bool changed;
7954 	int err;
7955 
7956 	bt_dev_dbg(hdev, "sock %p", sk);
7957 
7958 	if (hdev_is_powered(hdev))
7959 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_EXTERNAL_CONFIG,
7960 				       MGMT_STATUS_REJECTED);
7961 
7962 	if (cp->config != 0x00 && cp->config != 0x01)
7963 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_EXTERNAL_CONFIG,
7964 				         MGMT_STATUS_INVALID_PARAMS);
7965 
7966 	if (!test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks))
7967 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_EXTERNAL_CONFIG,
7968 				       MGMT_STATUS_NOT_SUPPORTED);
7969 
7970 	hci_dev_lock(hdev);
7971 
7972 	if (cp->config)
7973 		changed = !hci_dev_test_and_set_flag(hdev, HCI_EXT_CONFIGURED);
7974 	else
7975 		changed = hci_dev_test_and_clear_flag(hdev, HCI_EXT_CONFIGURED);
7976 
7977 	err = send_options_rsp(sk, MGMT_OP_SET_EXTERNAL_CONFIG, hdev);
7978 	if (err < 0)
7979 		goto unlock;
7980 
7981 	if (!changed)
7982 		goto unlock;
7983 
7984 	err = new_options(hdev, sk);
7985 
7986 	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED) == is_configured(hdev)) {
7987 		mgmt_index_removed(hdev);
7988 
7989 		if (hci_dev_test_and_change_flag(hdev, HCI_UNCONFIGURED)) {
7990 			hci_dev_set_flag(hdev, HCI_CONFIG);
7991 			hci_dev_set_flag(hdev, HCI_AUTO_OFF);
7992 
7993 			queue_work(hdev->req_workqueue, &hdev->power_on);
7994 		} else {
7995 			set_bit(HCI_RAW, &hdev->flags);
7996 			mgmt_index_added(hdev);
7997 		}
7998 	}
7999 
8000 unlock:
8001 	hci_dev_unlock(hdev);
8002 	return err;
8003 }
8004 
8005 static int set_public_address(struct sock *sk, struct hci_dev *hdev,
8006 			      void *data, u16 len)
8007 {
8008 	struct mgmt_cp_set_public_address *cp = data;
8009 	bool changed;
8010 	int err;
8011 
8012 	bt_dev_dbg(hdev, "sock %p", sk);
8013 
8014 	if (hdev_is_powered(hdev))
8015 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PUBLIC_ADDRESS,
8016 				       MGMT_STATUS_REJECTED);
8017 
8018 	if (!bacmp(&cp->bdaddr, BDADDR_ANY))
8019 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PUBLIC_ADDRESS,
8020 				       MGMT_STATUS_INVALID_PARAMS);
8021 
8022 	if (!hdev->set_bdaddr)
8023 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PUBLIC_ADDRESS,
8024 				       MGMT_STATUS_NOT_SUPPORTED);
8025 
8026 	hci_dev_lock(hdev);
8027 
8028 	changed = !!bacmp(&hdev->public_addr, &cp->bdaddr);
8029 	bacpy(&hdev->public_addr, &cp->bdaddr);
8030 
8031 	err = send_options_rsp(sk, MGMT_OP_SET_PUBLIC_ADDRESS, hdev);
8032 	if (err < 0)
8033 		goto unlock;
8034 
8035 	if (!changed)
8036 		goto unlock;
8037 
8038 	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
8039 		err = new_options(hdev, sk);
8040 
8041 	if (is_configured(hdev)) {
8042 		mgmt_index_removed(hdev);
8043 
8044 		hci_dev_clear_flag(hdev, HCI_UNCONFIGURED);
8045 
8046 		hci_dev_set_flag(hdev, HCI_CONFIG);
8047 		hci_dev_set_flag(hdev, HCI_AUTO_OFF);
8048 
8049 		queue_work(hdev->req_workqueue, &hdev->power_on);
8050 	}
8051 
8052 unlock:
8053 	hci_dev_unlock(hdev);
8054 	return err;
8055 }
8056 
8057 static void read_local_oob_ext_data_complete(struct hci_dev *hdev, void *data,
8058 					     int err)
8059 {
8060 	const struct mgmt_cp_read_local_oob_ext_data *mgmt_cp;
8061 	struct mgmt_rp_read_local_oob_ext_data *mgmt_rp;
8062 	u8 *h192, *r192, *h256, *r256;
8063 	struct mgmt_pending_cmd *cmd = data;
8064 	struct sk_buff *skb = cmd->skb;
8065 	u8 status = mgmt_status(err);
8066 	u16 eir_len;
8067 
8068 	if (cmd != pending_find(MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev))
8069 		return;
8070 
8071 	if (!status) {
8072 		if (!skb)
8073 			status = MGMT_STATUS_FAILED;
8074 		else if (IS_ERR(skb))
8075 			status = mgmt_status(PTR_ERR(skb));
8076 		else
8077 			status = mgmt_status(skb->data[0]);
8078 	}
8079 
8080 	bt_dev_dbg(hdev, "status %u", status);
8081 
8082 	mgmt_cp = cmd->param;
8083 
8084 	if (status) {
8085 		status = mgmt_status(status);
8086 		eir_len = 0;
8087 
8088 		h192 = NULL;
8089 		r192 = NULL;
8090 		h256 = NULL;
8091 		r256 = NULL;
8092 	} else if (!bredr_sc_enabled(hdev)) {
8093 		struct hci_rp_read_local_oob_data *rp;
8094 
8095 		if (skb->len != sizeof(*rp)) {
8096 			status = MGMT_STATUS_FAILED;
8097 			eir_len = 0;
8098 		} else {
8099 			status = MGMT_STATUS_SUCCESS;
8100 			rp = (void *)skb->data;
8101 
8102 			eir_len = 5 + 18 + 18;
8103 			h192 = rp->hash;
8104 			r192 = rp->rand;
8105 			h256 = NULL;
8106 			r256 = NULL;
8107 		}
8108 	} else {
8109 		struct hci_rp_read_local_oob_ext_data *rp;
8110 
8111 		if (skb->len != sizeof(*rp)) {
8112 			status = MGMT_STATUS_FAILED;
8113 			eir_len = 0;
8114 		} else {
8115 			status = MGMT_STATUS_SUCCESS;
8116 			rp = (void *)skb->data;
8117 
8118 			if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
8119 				eir_len = 5 + 18 + 18;
8120 				h192 = NULL;
8121 				r192 = NULL;
8122 			} else {
8123 				eir_len = 5 + 18 + 18 + 18 + 18;
8124 				h192 = rp->hash192;
8125 				r192 = rp->rand192;
8126 			}
8127 
8128 			h256 = rp->hash256;
8129 			r256 = rp->rand256;
8130 		}
8131 	}
8132 
8133 	mgmt_rp = kmalloc(sizeof(*mgmt_rp) + eir_len, GFP_KERNEL);
8134 	if (!mgmt_rp)
8135 		goto done;
8136 
8137 	if (eir_len == 0)
8138 		goto send_rsp;
8139 
8140 	eir_len = eir_append_data(mgmt_rp->eir, 0, EIR_CLASS_OF_DEV,
8141 				  hdev->dev_class, 3);
8142 
8143 	if (h192 && r192) {
8144 		eir_len = eir_append_data(mgmt_rp->eir, eir_len,
8145 					  EIR_SSP_HASH_C192, h192, 16);
8146 		eir_len = eir_append_data(mgmt_rp->eir, eir_len,
8147 					  EIR_SSP_RAND_R192, r192, 16);
8148 	}
8149 
8150 	if (h256 && r256) {
8151 		eir_len = eir_append_data(mgmt_rp->eir, eir_len,
8152 					  EIR_SSP_HASH_C256, h256, 16);
8153 		eir_len = eir_append_data(mgmt_rp->eir, eir_len,
8154 					  EIR_SSP_RAND_R256, r256, 16);
8155 	}
8156 
8157 send_rsp:
8158 	mgmt_rp->type = mgmt_cp->type;
8159 	mgmt_rp->eir_len = cpu_to_le16(eir_len);
8160 
8161 	err = mgmt_cmd_complete(cmd->sk, hdev->id,
8162 				MGMT_OP_READ_LOCAL_OOB_EXT_DATA, status,
8163 				mgmt_rp, sizeof(*mgmt_rp) + eir_len);
8164 	if (err < 0 || status)
8165 		goto done;
8166 
8167 	hci_sock_set_flag(cmd->sk, HCI_MGMT_OOB_DATA_EVENTS);
8168 
8169 	err = mgmt_limited_event(MGMT_EV_LOCAL_OOB_DATA_UPDATED, hdev,
8170 				 mgmt_rp, sizeof(*mgmt_rp) + eir_len,
8171 				 HCI_MGMT_OOB_DATA_EVENTS, cmd->sk);
8172 done:
8173 	if (skb && !IS_ERR(skb))
8174 		kfree_skb(skb);
8175 
8176 	kfree(mgmt_rp);
8177 	mgmt_pending_remove(cmd);
8178 }
8179 
8180 static int read_local_ssp_oob_req(struct hci_dev *hdev, struct sock *sk,
8181 				  struct mgmt_cp_read_local_oob_ext_data *cp)
8182 {
8183 	struct mgmt_pending_cmd *cmd;
8184 	int err;
8185 
8186 	cmd = mgmt_pending_add(sk, MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev,
8187 			       cp, sizeof(*cp));
8188 	if (!cmd)
8189 		return -ENOMEM;
8190 
8191 	err = hci_cmd_sync_queue(hdev, read_local_oob_data_sync, cmd,
8192 				 read_local_oob_ext_data_complete);
8193 
8194 	if (err < 0) {
8195 		mgmt_pending_remove(cmd);
8196 		return err;
8197 	}
8198 
8199 	return 0;
8200 }
8201 
8202 static int read_local_oob_ext_data(struct sock *sk, struct hci_dev *hdev,
8203 				   void *data, u16 data_len)
8204 {
8205 	struct mgmt_cp_read_local_oob_ext_data *cp = data;
8206 	struct mgmt_rp_read_local_oob_ext_data *rp;
8207 	size_t rp_len;
8208 	u16 eir_len;
8209 	u8 status, flags, role, addr[7], hash[16], rand[16];
8210 	int err;
8211 
8212 	bt_dev_dbg(hdev, "sock %p", sk);
8213 
8214 	if (hdev_is_powered(hdev)) {
8215 		switch (cp->type) {
8216 		case BIT(BDADDR_BREDR):
8217 			status = mgmt_bredr_support(hdev);
8218 			if (status)
8219 				eir_len = 0;
8220 			else
8221 				eir_len = 5;
8222 			break;
8223 		case (BIT(BDADDR_LE_PUBLIC) | BIT(BDADDR_LE_RANDOM)):
8224 			status = mgmt_le_support(hdev);
8225 			if (status)
8226 				eir_len = 0;
8227 			else
8228 				eir_len = 9 + 3 + 18 + 18 + 3;
8229 			break;
8230 		default:
8231 			status = MGMT_STATUS_INVALID_PARAMS;
8232 			eir_len = 0;
8233 			break;
8234 		}
8235 	} else {
8236 		status = MGMT_STATUS_NOT_POWERED;
8237 		eir_len = 0;
8238 	}
8239 
8240 	rp_len = sizeof(*rp) + eir_len;
8241 	rp = kmalloc(rp_len, GFP_ATOMIC);
8242 	if (!rp)
8243 		return -ENOMEM;
8244 
8245 	if (!status && !lmp_ssp_capable(hdev)) {
8246 		status = MGMT_STATUS_NOT_SUPPORTED;
8247 		eir_len = 0;
8248 	}
8249 
8250 	if (status)
8251 		goto complete;
8252 
8253 	hci_dev_lock(hdev);
8254 
8255 	eir_len = 0;
8256 	switch (cp->type) {
8257 	case BIT(BDADDR_BREDR):
8258 		if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
8259 			err = read_local_ssp_oob_req(hdev, sk, cp);
8260 			hci_dev_unlock(hdev);
8261 			if (!err)
8262 				goto done;
8263 
8264 			status = MGMT_STATUS_FAILED;
8265 			goto complete;
8266 		} else {
8267 			eir_len = eir_append_data(rp->eir, eir_len,
8268 						  EIR_CLASS_OF_DEV,
8269 						  hdev->dev_class, 3);
8270 		}
8271 		break;
8272 	case (BIT(BDADDR_LE_PUBLIC) | BIT(BDADDR_LE_RANDOM)):
8273 		if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
8274 		    smp_generate_oob(hdev, hash, rand) < 0) {
8275 			hci_dev_unlock(hdev);
8276 			status = MGMT_STATUS_FAILED;
8277 			goto complete;
8278 		}
8279 
8280 		/* This should return the active RPA, but since the RPA
8281 		 * is only programmed on demand, it is really hard to fill
8282 		 * this in at the moment. For now disallow retrieving
8283 		 * local out-of-band data when privacy is in use.
8284 		 *
8285 		 * Returning the identity address will not help here since
8286 		 * pairing happens before the identity resolving key is
8287 		 * known and thus the connection establishment happens
8288 		 * based on the RPA and not the identity address.
8289 		 */
8290 		if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
8291 			hci_dev_unlock(hdev);
8292 			status = MGMT_STATUS_REJECTED;
8293 			goto complete;
8294 		}
8295 
8296 		if (hci_dev_test_flag(hdev, HCI_FORCE_STATIC_ADDR) ||
8297 		   !bacmp(&hdev->bdaddr, BDADDR_ANY) ||
8298 		   (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
8299 		    bacmp(&hdev->static_addr, BDADDR_ANY))) {
8300 			memcpy(addr, &hdev->static_addr, 6);
8301 			addr[6] = 0x01;
8302 		} else {
8303 			memcpy(addr, &hdev->bdaddr, 6);
8304 			addr[6] = 0x00;
8305 		}
8306 
8307 		eir_len = eir_append_data(rp->eir, eir_len, EIR_LE_BDADDR,
8308 					  addr, sizeof(addr));
8309 
8310 		if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
8311 			role = 0x02;
8312 		else
8313 			role = 0x01;
8314 
8315 		eir_len = eir_append_data(rp->eir, eir_len, EIR_LE_ROLE,
8316 					  &role, sizeof(role));
8317 
8318 		if (hci_dev_test_flag(hdev, HCI_SC_ENABLED)) {
8319 			eir_len = eir_append_data(rp->eir, eir_len,
8320 						  EIR_LE_SC_CONFIRM,
8321 						  hash, sizeof(hash));
8322 
8323 			eir_len = eir_append_data(rp->eir, eir_len,
8324 						  EIR_LE_SC_RANDOM,
8325 						  rand, sizeof(rand));
8326 		}
8327 
8328 		flags = mgmt_get_adv_discov_flags(hdev);
8329 
8330 		if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
8331 			flags |= LE_AD_NO_BREDR;
8332 
8333 		eir_len = eir_append_data(rp->eir, eir_len, EIR_FLAGS,
8334 					  &flags, sizeof(flags));
8335 		break;
8336 	}
8337 
8338 	hci_dev_unlock(hdev);
8339 
8340 	hci_sock_set_flag(sk, HCI_MGMT_OOB_DATA_EVENTS);
8341 
8342 	status = MGMT_STATUS_SUCCESS;
8343 
8344 complete:
8345 	rp->type = cp->type;
8346 	rp->eir_len = cpu_to_le16(eir_len);
8347 
8348 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_EXT_DATA,
8349 				status, rp, sizeof(*rp) + eir_len);
8350 	if (err < 0 || status)
8351 		goto done;
8352 
8353 	err = mgmt_limited_event(MGMT_EV_LOCAL_OOB_DATA_UPDATED, hdev,
8354 				 rp, sizeof(*rp) + eir_len,
8355 				 HCI_MGMT_OOB_DATA_EVENTS, sk);
8356 
8357 done:
8358 	kfree(rp);
8359 
8360 	return err;
8361 }
8362 
8363 static u32 get_supported_adv_flags(struct hci_dev *hdev)
8364 {
8365 	u32 flags = 0;
8366 
8367 	flags |= MGMT_ADV_FLAG_CONNECTABLE;
8368 	flags |= MGMT_ADV_FLAG_DISCOV;
8369 	flags |= MGMT_ADV_FLAG_LIMITED_DISCOV;
8370 	flags |= MGMT_ADV_FLAG_MANAGED_FLAGS;
8371 	flags |= MGMT_ADV_FLAG_APPEARANCE;
8372 	flags |= MGMT_ADV_FLAG_LOCAL_NAME;
8373 	flags |= MGMT_ADV_PARAM_DURATION;
8374 	flags |= MGMT_ADV_PARAM_TIMEOUT;
8375 	flags |= MGMT_ADV_PARAM_INTERVALS;
8376 	flags |= MGMT_ADV_PARAM_TX_POWER;
8377 	flags |= MGMT_ADV_PARAM_SCAN_RSP;
8378 
8379 	/* In extended adv TX_POWER returned from Set Adv Param
8380 	 * will be always valid.
8381 	 */
8382 	if (hdev->adv_tx_power != HCI_TX_POWER_INVALID || ext_adv_capable(hdev))
8383 		flags |= MGMT_ADV_FLAG_TX_POWER;
8384 
8385 	if (ext_adv_capable(hdev)) {
8386 		flags |= MGMT_ADV_FLAG_SEC_1M;
8387 		flags |= MGMT_ADV_FLAG_HW_OFFLOAD;
8388 		flags |= MGMT_ADV_FLAG_CAN_SET_TX_POWER;
8389 
8390 		if (hdev->le_features[1] & HCI_LE_PHY_2M)
8391 			flags |= MGMT_ADV_FLAG_SEC_2M;
8392 
8393 		if (hdev->le_features[1] & HCI_LE_PHY_CODED)
8394 			flags |= MGMT_ADV_FLAG_SEC_CODED;
8395 	}
8396 
8397 	return flags;
8398 }
8399 
8400 static int read_adv_features(struct sock *sk, struct hci_dev *hdev,
8401 			     void *data, u16 data_len)
8402 {
8403 	struct mgmt_rp_read_adv_features *rp;
8404 	size_t rp_len;
8405 	int err;
8406 	struct adv_info *adv_instance;
8407 	u32 supported_flags;
8408 	u8 *instance;
8409 
8410 	bt_dev_dbg(hdev, "sock %p", sk);
8411 
8412 	if (!lmp_le_capable(hdev))
8413 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_ADV_FEATURES,
8414 				       MGMT_STATUS_REJECTED);
8415 
8416 	hci_dev_lock(hdev);
8417 
8418 	rp_len = sizeof(*rp) + hdev->adv_instance_cnt;
8419 	rp = kmalloc(rp_len, GFP_ATOMIC);
8420 	if (!rp) {
8421 		hci_dev_unlock(hdev);
8422 		return -ENOMEM;
8423 	}
8424 
8425 	supported_flags = get_supported_adv_flags(hdev);
8426 
8427 	rp->supported_flags = cpu_to_le32(supported_flags);
8428 	rp->max_adv_data_len = HCI_MAX_AD_LENGTH;
8429 	rp->max_scan_rsp_len = HCI_MAX_AD_LENGTH;
8430 	rp->max_instances = hdev->le_num_of_adv_sets;
8431 	rp->num_instances = hdev->adv_instance_cnt;
8432 
8433 	instance = rp->instance;
8434 	list_for_each_entry(adv_instance, &hdev->adv_instances, list) {
8435 		/* Only instances 1-le_num_of_adv_sets are externally visible */
8436 		if (adv_instance->instance <= hdev->adv_instance_cnt) {
8437 			*instance = adv_instance->instance;
8438 			instance++;
8439 		} else {
8440 			rp->num_instances--;
8441 			rp_len--;
8442 		}
8443 	}
8444 
8445 	hci_dev_unlock(hdev);
8446 
8447 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_ADV_FEATURES,
8448 				MGMT_STATUS_SUCCESS, rp, rp_len);
8449 
8450 	kfree(rp);
8451 
8452 	return err;
8453 }
8454 
8455 static u8 calculate_name_len(struct hci_dev *hdev)
8456 {
8457 	u8 buf[HCI_MAX_SHORT_NAME_LENGTH + 3];
8458 
8459 	return eir_append_local_name(hdev, buf, 0);
8460 }
8461 
8462 static u8 tlv_data_max_len(struct hci_dev *hdev, u32 adv_flags,
8463 			   bool is_adv_data)
8464 {
8465 	u8 max_len = HCI_MAX_AD_LENGTH;
8466 
8467 	if (is_adv_data) {
8468 		if (adv_flags & (MGMT_ADV_FLAG_DISCOV |
8469 				 MGMT_ADV_FLAG_LIMITED_DISCOV |
8470 				 MGMT_ADV_FLAG_MANAGED_FLAGS))
8471 			max_len -= 3;
8472 
8473 		if (adv_flags & MGMT_ADV_FLAG_TX_POWER)
8474 			max_len -= 3;
8475 	} else {
8476 		if (adv_flags & MGMT_ADV_FLAG_LOCAL_NAME)
8477 			max_len -= calculate_name_len(hdev);
8478 
8479 		if (adv_flags & (MGMT_ADV_FLAG_APPEARANCE))
8480 			max_len -= 4;
8481 	}
8482 
8483 	return max_len;
8484 }
8485 
8486 static bool flags_managed(u32 adv_flags)
8487 {
8488 	return adv_flags & (MGMT_ADV_FLAG_DISCOV |
8489 			    MGMT_ADV_FLAG_LIMITED_DISCOV |
8490 			    MGMT_ADV_FLAG_MANAGED_FLAGS);
8491 }
8492 
8493 static bool tx_power_managed(u32 adv_flags)
8494 {
8495 	return adv_flags & MGMT_ADV_FLAG_TX_POWER;
8496 }
8497 
8498 static bool name_managed(u32 adv_flags)
8499 {
8500 	return adv_flags & MGMT_ADV_FLAG_LOCAL_NAME;
8501 }
8502 
8503 static bool appearance_managed(u32 adv_flags)
8504 {
8505 	return adv_flags & MGMT_ADV_FLAG_APPEARANCE;
8506 }
8507 
8508 static bool tlv_data_is_valid(struct hci_dev *hdev, u32 adv_flags, u8 *data,
8509 			      u8 len, bool is_adv_data)
8510 {
8511 	int i, cur_len;
8512 	u8 max_len;
8513 
8514 	max_len = tlv_data_max_len(hdev, adv_flags, is_adv_data);
8515 
8516 	if (len > max_len)
8517 		return false;
8518 
8519 	/* Make sure that the data is correctly formatted. */
8520 	for (i = 0; i < len; i += (cur_len + 1)) {
8521 		cur_len = data[i];
8522 
8523 		if (!cur_len)
8524 			continue;
8525 
8526 		if (data[i + 1] == EIR_FLAGS &&
8527 		    (!is_adv_data || flags_managed(adv_flags)))
8528 			return false;
8529 
8530 		if (data[i + 1] == EIR_TX_POWER && tx_power_managed(adv_flags))
8531 			return false;
8532 
8533 		if (data[i + 1] == EIR_NAME_COMPLETE && name_managed(adv_flags))
8534 			return false;
8535 
8536 		if (data[i + 1] == EIR_NAME_SHORT && name_managed(adv_flags))
8537 			return false;
8538 
8539 		if (data[i + 1] == EIR_APPEARANCE &&
8540 		    appearance_managed(adv_flags))
8541 			return false;
8542 
8543 		/* If the current field length would exceed the total data
8544 		 * length, then it's invalid.
8545 		 */
8546 		if (i + cur_len >= len)
8547 			return false;
8548 	}
8549 
8550 	return true;
8551 }
8552 
8553 static bool requested_adv_flags_are_valid(struct hci_dev *hdev, u32 adv_flags)
8554 {
8555 	u32 supported_flags, phy_flags;
8556 
8557 	/* The current implementation only supports a subset of the specified
8558 	 * flags. Also need to check mutual exclusiveness of sec flags.
8559 	 */
8560 	supported_flags = get_supported_adv_flags(hdev);
8561 	phy_flags = adv_flags & MGMT_ADV_FLAG_SEC_MASK;
8562 	if (adv_flags & ~supported_flags ||
8563 	    ((phy_flags && (phy_flags ^ (phy_flags & -phy_flags)))))
8564 		return false;
8565 
8566 	return true;
8567 }
8568 
8569 static bool adv_busy(struct hci_dev *hdev)
8570 {
8571 	return pending_find(MGMT_OP_SET_LE, hdev);
8572 }
8573 
8574 static void add_adv_complete(struct hci_dev *hdev, struct sock *sk, u8 instance,
8575 			     int err)
8576 {
8577 	struct adv_info *adv, *n;
8578 
8579 	bt_dev_dbg(hdev, "err %d", err);
8580 
8581 	hci_dev_lock(hdev);
8582 
8583 	list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) {
8584 		u8 instance;
8585 
8586 		if (!adv->pending)
8587 			continue;
8588 
8589 		if (!err) {
8590 			adv->pending = false;
8591 			continue;
8592 		}
8593 
8594 		instance = adv->instance;
8595 
8596 		if (hdev->cur_adv_instance == instance)
8597 			cancel_adv_timeout(hdev);
8598 
8599 		hci_remove_adv_instance(hdev, instance);
8600 		mgmt_advertising_removed(sk, hdev, instance);
8601 	}
8602 
8603 	hci_dev_unlock(hdev);
8604 }
8605 
8606 static void add_advertising_complete(struct hci_dev *hdev, void *data, int err)
8607 {
8608 	struct mgmt_pending_cmd *cmd = data;
8609 	struct mgmt_cp_add_advertising *cp = cmd->param;
8610 	struct mgmt_rp_add_advertising rp;
8611 
8612 	memset(&rp, 0, sizeof(rp));
8613 
8614 	rp.instance = cp->instance;
8615 
8616 	if (err)
8617 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode,
8618 				mgmt_status(err));
8619 	else
8620 		mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
8621 				  mgmt_status(err), &rp, sizeof(rp));
8622 
8623 	add_adv_complete(hdev, cmd->sk, cp->instance, err);
8624 
8625 	mgmt_pending_free(cmd);
8626 }
8627 
8628 static int add_advertising_sync(struct hci_dev *hdev, void *data)
8629 {
8630 	struct mgmt_pending_cmd *cmd = data;
8631 	struct mgmt_cp_add_advertising *cp = cmd->param;
8632 
8633 	return hci_schedule_adv_instance_sync(hdev, cp->instance, true);
8634 }
8635 
8636 static int add_advertising(struct sock *sk, struct hci_dev *hdev,
8637 			   void *data, u16 data_len)
8638 {
8639 	struct mgmt_cp_add_advertising *cp = data;
8640 	struct mgmt_rp_add_advertising rp;
8641 	u32 flags;
8642 	u8 status;
8643 	u16 timeout, duration;
8644 	unsigned int prev_instance_cnt;
8645 	u8 schedule_instance = 0;
8646 	struct adv_info *adv, *next_instance;
8647 	int err;
8648 	struct mgmt_pending_cmd *cmd;
8649 
8650 	bt_dev_dbg(hdev, "sock %p", sk);
8651 
8652 	status = mgmt_le_support(hdev);
8653 	if (status)
8654 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
8655 				       status);
8656 
8657 	if (cp->instance < 1 || cp->instance > hdev->le_num_of_adv_sets)
8658 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
8659 				       MGMT_STATUS_INVALID_PARAMS);
8660 
8661 	if (data_len != sizeof(*cp) + cp->adv_data_len + cp->scan_rsp_len)
8662 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
8663 				       MGMT_STATUS_INVALID_PARAMS);
8664 
8665 	flags = __le32_to_cpu(cp->flags);
8666 	timeout = __le16_to_cpu(cp->timeout);
8667 	duration = __le16_to_cpu(cp->duration);
8668 
8669 	if (!requested_adv_flags_are_valid(hdev, flags))
8670 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
8671 				       MGMT_STATUS_INVALID_PARAMS);
8672 
8673 	hci_dev_lock(hdev);
8674 
8675 	if (timeout && !hdev_is_powered(hdev)) {
8676 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
8677 				      MGMT_STATUS_REJECTED);
8678 		goto unlock;
8679 	}
8680 
8681 	if (adv_busy(hdev)) {
8682 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
8683 				      MGMT_STATUS_BUSY);
8684 		goto unlock;
8685 	}
8686 
8687 	if (!tlv_data_is_valid(hdev, flags, cp->data, cp->adv_data_len, true) ||
8688 	    !tlv_data_is_valid(hdev, flags, cp->data + cp->adv_data_len,
8689 			       cp->scan_rsp_len, false)) {
8690 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
8691 				      MGMT_STATUS_INVALID_PARAMS);
8692 		goto unlock;
8693 	}
8694 
8695 	prev_instance_cnt = hdev->adv_instance_cnt;
8696 
8697 	adv = hci_add_adv_instance(hdev, cp->instance, flags,
8698 				   cp->adv_data_len, cp->data,
8699 				   cp->scan_rsp_len,
8700 				   cp->data + cp->adv_data_len,
8701 				   timeout, duration,
8702 				   HCI_ADV_TX_POWER_NO_PREFERENCE,
8703 				   hdev->le_adv_min_interval,
8704 				   hdev->le_adv_max_interval, 0);
8705 	if (IS_ERR(adv)) {
8706 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
8707 				      MGMT_STATUS_FAILED);
8708 		goto unlock;
8709 	}
8710 
8711 	/* Only trigger an advertising added event if a new instance was
8712 	 * actually added.
8713 	 */
8714 	if (hdev->adv_instance_cnt > prev_instance_cnt)
8715 		mgmt_advertising_added(sk, hdev, cp->instance);
8716 
8717 	if (hdev->cur_adv_instance == cp->instance) {
8718 		/* If the currently advertised instance is being changed then
8719 		 * cancel the current advertising and schedule the next
8720 		 * instance. If there is only one instance then the overridden
8721 		 * advertising data will be visible right away.
8722 		 */
8723 		cancel_adv_timeout(hdev);
8724 
8725 		next_instance = hci_get_next_instance(hdev, cp->instance);
8726 		if (next_instance)
8727 			schedule_instance = next_instance->instance;
8728 	} else if (!hdev->adv_instance_timeout) {
8729 		/* Immediately advertise the new instance if no other
8730 		 * instance is currently being advertised.
8731 		 */
8732 		schedule_instance = cp->instance;
8733 	}
8734 
8735 	/* If the HCI_ADVERTISING flag is set or the device isn't powered or
8736 	 * there is no instance to be advertised then we have no HCI
8737 	 * communication to make. Simply return.
8738 	 */
8739 	if (!hdev_is_powered(hdev) ||
8740 	    hci_dev_test_flag(hdev, HCI_ADVERTISING) ||
8741 	    !schedule_instance) {
8742 		rp.instance = cp->instance;
8743 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
8744 					MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
8745 		goto unlock;
8746 	}
8747 
8748 	/* We're good to go, update advertising data, parameters, and start
8749 	 * advertising.
8750 	 */
8751 	cmd = mgmt_pending_new(sk, MGMT_OP_ADD_ADVERTISING, hdev, data,
8752 			       data_len);
8753 	if (!cmd) {
8754 		err = -ENOMEM;
8755 		goto unlock;
8756 	}
8757 
8758 	cp->instance = schedule_instance;
8759 
8760 	err = hci_cmd_sync_queue(hdev, add_advertising_sync, cmd,
8761 				 add_advertising_complete);
8762 	if (err < 0)
8763 		mgmt_pending_free(cmd);
8764 
8765 unlock:
8766 	hci_dev_unlock(hdev);
8767 
8768 	return err;
8769 }
8770 
8771 static void add_ext_adv_params_complete(struct hci_dev *hdev, void *data,
8772 					int err)
8773 {
8774 	struct mgmt_pending_cmd *cmd = data;
8775 	struct mgmt_cp_add_ext_adv_params *cp = cmd->param;
8776 	struct mgmt_rp_add_ext_adv_params rp;
8777 	struct adv_info *adv;
8778 	u32 flags;
8779 
8780 	BT_DBG("%s", hdev->name);
8781 
8782 	hci_dev_lock(hdev);
8783 
8784 	adv = hci_find_adv_instance(hdev, cp->instance);
8785 	if (!adv)
8786 		goto unlock;
8787 
8788 	rp.instance = cp->instance;
8789 	rp.tx_power = adv->tx_power;
8790 
8791 	/* While we're at it, inform userspace of the available space for this
8792 	 * advertisement, given the flags that will be used.
8793 	 */
8794 	flags = __le32_to_cpu(cp->flags);
8795 	rp.max_adv_data_len = tlv_data_max_len(hdev, flags, true);
8796 	rp.max_scan_rsp_len = tlv_data_max_len(hdev, flags, false);
8797 
8798 	if (err) {
8799 		/* If this advertisement was previously advertising and we
8800 		 * failed to update it, we signal that it has been removed and
8801 		 * delete its structure
8802 		 */
8803 		if (!adv->pending)
8804 			mgmt_advertising_removed(cmd->sk, hdev, cp->instance);
8805 
8806 		hci_remove_adv_instance(hdev, cp->instance);
8807 
8808 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode,
8809 				mgmt_status(err));
8810 	} else {
8811 		mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
8812 				  mgmt_status(err), &rp, sizeof(rp));
8813 	}
8814 
8815 unlock:
8816 	if (cmd)
8817 		mgmt_pending_free(cmd);
8818 
8819 	hci_dev_unlock(hdev);
8820 }
8821 
8822 static int add_ext_adv_params_sync(struct hci_dev *hdev, void *data)
8823 {
8824 	struct mgmt_pending_cmd *cmd = data;
8825 	struct mgmt_cp_add_ext_adv_params *cp = cmd->param;
8826 
8827 	return hci_setup_ext_adv_instance_sync(hdev, cp->instance);
8828 }
8829 
8830 static int add_ext_adv_params(struct sock *sk, struct hci_dev *hdev,
8831 			      void *data, u16 data_len)
8832 {
8833 	struct mgmt_cp_add_ext_adv_params *cp = data;
8834 	struct mgmt_rp_add_ext_adv_params rp;
8835 	struct mgmt_pending_cmd *cmd = NULL;
8836 	struct adv_info *adv;
8837 	u32 flags, min_interval, max_interval;
8838 	u16 timeout, duration;
8839 	u8 status;
8840 	s8 tx_power;
8841 	int err;
8842 
8843 	BT_DBG("%s", hdev->name);
8844 
8845 	status = mgmt_le_support(hdev);
8846 	if (status)
8847 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
8848 				       status);
8849 
8850 	if (cp->instance < 1 || cp->instance > hdev->le_num_of_adv_sets)
8851 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
8852 				       MGMT_STATUS_INVALID_PARAMS);
8853 
8854 	/* The purpose of breaking add_advertising into two separate MGMT calls
8855 	 * for params and data is to allow more parameters to be added to this
8856 	 * structure in the future. For this reason, we verify that we have the
8857 	 * bare minimum structure we know of when the interface was defined. Any
8858 	 * extra parameters we don't know about will be ignored in this request.
8859 	 */
8860 	if (data_len < MGMT_ADD_EXT_ADV_PARAMS_MIN_SIZE)
8861 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
8862 				       MGMT_STATUS_INVALID_PARAMS);
8863 
8864 	flags = __le32_to_cpu(cp->flags);
8865 
8866 	if (!requested_adv_flags_are_valid(hdev, flags))
8867 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
8868 				       MGMT_STATUS_INVALID_PARAMS);
8869 
8870 	hci_dev_lock(hdev);
8871 
8872 	/* In new interface, we require that we are powered to register */
8873 	if (!hdev_is_powered(hdev)) {
8874 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
8875 				      MGMT_STATUS_REJECTED);
8876 		goto unlock;
8877 	}
8878 
8879 	if (adv_busy(hdev)) {
8880 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
8881 				      MGMT_STATUS_BUSY);
8882 		goto unlock;
8883 	}
8884 
8885 	/* Parse defined parameters from request, use defaults otherwise */
8886 	timeout = (flags & MGMT_ADV_PARAM_TIMEOUT) ?
8887 		  __le16_to_cpu(cp->timeout) : 0;
8888 
8889 	duration = (flags & MGMT_ADV_PARAM_DURATION) ?
8890 		   __le16_to_cpu(cp->duration) :
8891 		   hdev->def_multi_adv_rotation_duration;
8892 
8893 	min_interval = (flags & MGMT_ADV_PARAM_INTERVALS) ?
8894 		       __le32_to_cpu(cp->min_interval) :
8895 		       hdev->le_adv_min_interval;
8896 
8897 	max_interval = (flags & MGMT_ADV_PARAM_INTERVALS) ?
8898 		       __le32_to_cpu(cp->max_interval) :
8899 		       hdev->le_adv_max_interval;
8900 
8901 	tx_power = (flags & MGMT_ADV_PARAM_TX_POWER) ?
8902 		   cp->tx_power :
8903 		   HCI_ADV_TX_POWER_NO_PREFERENCE;
8904 
8905 	/* Create advertising instance with no advertising or response data */
8906 	adv = hci_add_adv_instance(hdev, cp->instance, flags, 0, NULL, 0, NULL,
8907 				   timeout, duration, tx_power, min_interval,
8908 				   max_interval, 0);
8909 
8910 	if (IS_ERR(adv)) {
8911 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
8912 				      MGMT_STATUS_FAILED);
8913 		goto unlock;
8914 	}
8915 
8916 	/* Submit request for advertising params if ext adv available */
8917 	if (ext_adv_capable(hdev)) {
8918 		cmd = mgmt_pending_new(sk, MGMT_OP_ADD_EXT_ADV_PARAMS, hdev,
8919 				       data, data_len);
8920 		if (!cmd) {
8921 			err = -ENOMEM;
8922 			hci_remove_adv_instance(hdev, cp->instance);
8923 			goto unlock;
8924 		}
8925 
8926 		err = hci_cmd_sync_queue(hdev, add_ext_adv_params_sync, cmd,
8927 					 add_ext_adv_params_complete);
8928 		if (err < 0)
8929 			mgmt_pending_free(cmd);
8930 	} else {
8931 		rp.instance = cp->instance;
8932 		rp.tx_power = HCI_ADV_TX_POWER_NO_PREFERENCE;
8933 		rp.max_adv_data_len = tlv_data_max_len(hdev, flags, true);
8934 		rp.max_scan_rsp_len = tlv_data_max_len(hdev, flags, false);
8935 		err = mgmt_cmd_complete(sk, hdev->id,
8936 					MGMT_OP_ADD_EXT_ADV_PARAMS,
8937 					MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
8938 	}
8939 
8940 unlock:
8941 	hci_dev_unlock(hdev);
8942 
8943 	return err;
8944 }
8945 
8946 static void add_ext_adv_data_complete(struct hci_dev *hdev, void *data, int err)
8947 {
8948 	struct mgmt_pending_cmd *cmd = data;
8949 	struct mgmt_cp_add_ext_adv_data *cp = cmd->param;
8950 	struct mgmt_rp_add_advertising rp;
8951 
8952 	add_adv_complete(hdev, cmd->sk, cp->instance, err);
8953 
8954 	memset(&rp, 0, sizeof(rp));
8955 
8956 	rp.instance = cp->instance;
8957 
8958 	if (err)
8959 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode,
8960 				mgmt_status(err));
8961 	else
8962 		mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
8963 				  mgmt_status(err), &rp, sizeof(rp));
8964 
8965 	mgmt_pending_free(cmd);
8966 }
8967 
8968 static int add_ext_adv_data_sync(struct hci_dev *hdev, void *data)
8969 {
8970 	struct mgmt_pending_cmd *cmd = data;
8971 	struct mgmt_cp_add_ext_adv_data *cp = cmd->param;
8972 	int err;
8973 
8974 	if (ext_adv_capable(hdev)) {
8975 		err = hci_update_adv_data_sync(hdev, cp->instance);
8976 		if (err)
8977 			return err;
8978 
8979 		err = hci_update_scan_rsp_data_sync(hdev, cp->instance);
8980 		if (err)
8981 			return err;
8982 
8983 		return hci_enable_ext_advertising_sync(hdev, cp->instance);
8984 	}
8985 
8986 	return hci_schedule_adv_instance_sync(hdev, cp->instance, true);
8987 }
8988 
8989 static int add_ext_adv_data(struct sock *sk, struct hci_dev *hdev, void *data,
8990 			    u16 data_len)
8991 {
8992 	struct mgmt_cp_add_ext_adv_data *cp = data;
8993 	struct mgmt_rp_add_ext_adv_data rp;
8994 	u8 schedule_instance = 0;
8995 	struct adv_info *next_instance;
8996 	struct adv_info *adv_instance;
8997 	int err = 0;
8998 	struct mgmt_pending_cmd *cmd;
8999 
9000 	BT_DBG("%s", hdev->name);
9001 
9002 	hci_dev_lock(hdev);
9003 
9004 	adv_instance = hci_find_adv_instance(hdev, cp->instance);
9005 
9006 	if (!adv_instance) {
9007 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
9008 				      MGMT_STATUS_INVALID_PARAMS);
9009 		goto unlock;
9010 	}
9011 
9012 	/* In new interface, we require that we are powered to register */
9013 	if (!hdev_is_powered(hdev)) {
9014 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
9015 				      MGMT_STATUS_REJECTED);
9016 		goto clear_new_instance;
9017 	}
9018 
9019 	if (adv_busy(hdev)) {
9020 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
9021 				      MGMT_STATUS_BUSY);
9022 		goto clear_new_instance;
9023 	}
9024 
9025 	/* Validate new data */
9026 	if (!tlv_data_is_valid(hdev, adv_instance->flags, cp->data,
9027 			       cp->adv_data_len, true) ||
9028 	    !tlv_data_is_valid(hdev, adv_instance->flags, cp->data +
9029 			       cp->adv_data_len, cp->scan_rsp_len, false)) {
9030 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
9031 				      MGMT_STATUS_INVALID_PARAMS);
9032 		goto clear_new_instance;
9033 	}
9034 
9035 	/* Set the data in the advertising instance */
9036 	hci_set_adv_instance_data(hdev, cp->instance, cp->adv_data_len,
9037 				  cp->data, cp->scan_rsp_len,
9038 				  cp->data + cp->adv_data_len);
9039 
9040 	/* If using software rotation, determine next instance to use */
9041 	if (hdev->cur_adv_instance == cp->instance) {
9042 		/* If the currently advertised instance is being changed
9043 		 * then cancel the current advertising and schedule the
9044 		 * next instance. If there is only one instance then the
9045 		 * overridden advertising data will be visible right
9046 		 * away
9047 		 */
9048 		cancel_adv_timeout(hdev);
9049 
9050 		next_instance = hci_get_next_instance(hdev, cp->instance);
9051 		if (next_instance)
9052 			schedule_instance = next_instance->instance;
9053 	} else if (!hdev->adv_instance_timeout) {
9054 		/* Immediately advertise the new instance if no other
9055 		 * instance is currently being advertised.
9056 		 */
9057 		schedule_instance = cp->instance;
9058 	}
9059 
9060 	/* If the HCI_ADVERTISING flag is set or there is no instance to
9061 	 * be advertised then we have no HCI communication to make.
9062 	 * Simply return.
9063 	 */
9064 	if (hci_dev_test_flag(hdev, HCI_ADVERTISING) || !schedule_instance) {
9065 		if (adv_instance->pending) {
9066 			mgmt_advertising_added(sk, hdev, cp->instance);
9067 			adv_instance->pending = false;
9068 		}
9069 		rp.instance = cp->instance;
9070 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
9071 					MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
9072 		goto unlock;
9073 	}
9074 
9075 	cmd = mgmt_pending_new(sk, MGMT_OP_ADD_EXT_ADV_DATA, hdev, data,
9076 			       data_len);
9077 	if (!cmd) {
9078 		err = -ENOMEM;
9079 		goto clear_new_instance;
9080 	}
9081 
9082 	err = hci_cmd_sync_queue(hdev, add_ext_adv_data_sync, cmd,
9083 				 add_ext_adv_data_complete);
9084 	if (err < 0) {
9085 		mgmt_pending_free(cmd);
9086 		goto clear_new_instance;
9087 	}
9088 
9089 	/* We were successful in updating data, so trigger advertising_added
9090 	 * event if this is an instance that wasn't previously advertising. If
9091 	 * a failure occurs in the requests we initiated, we will remove the
9092 	 * instance again in add_advertising_complete
9093 	 */
9094 	if (adv_instance->pending)
9095 		mgmt_advertising_added(sk, hdev, cp->instance);
9096 
9097 	goto unlock;
9098 
9099 clear_new_instance:
9100 	hci_remove_adv_instance(hdev, cp->instance);
9101 
9102 unlock:
9103 	hci_dev_unlock(hdev);
9104 
9105 	return err;
9106 }
9107 
9108 static void remove_advertising_complete(struct hci_dev *hdev, void *data,
9109 					int err)
9110 {
9111 	struct mgmt_pending_cmd *cmd = data;
9112 	struct mgmt_cp_remove_advertising *cp = cmd->param;
9113 	struct mgmt_rp_remove_advertising rp;
9114 
9115 	bt_dev_dbg(hdev, "err %d", err);
9116 
9117 	memset(&rp, 0, sizeof(rp));
9118 	rp.instance = cp->instance;
9119 
9120 	if (err)
9121 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode,
9122 				mgmt_status(err));
9123 	else
9124 		mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
9125 				  MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
9126 
9127 	mgmt_pending_free(cmd);
9128 }
9129 
9130 static int remove_advertising_sync(struct hci_dev *hdev, void *data)
9131 {
9132 	struct mgmt_pending_cmd *cmd = data;
9133 	struct mgmt_cp_remove_advertising *cp = cmd->param;
9134 	int err;
9135 
9136 	err = hci_remove_advertising_sync(hdev, cmd->sk, cp->instance, true);
9137 	if (err)
9138 		return err;
9139 
9140 	if (list_empty(&hdev->adv_instances))
9141 		err = hci_disable_advertising_sync(hdev);
9142 
9143 	return err;
9144 }
9145 
9146 static int remove_advertising(struct sock *sk, struct hci_dev *hdev,
9147 			      void *data, u16 data_len)
9148 {
9149 	struct mgmt_cp_remove_advertising *cp = data;
9150 	struct mgmt_pending_cmd *cmd;
9151 	int err;
9152 
9153 	bt_dev_dbg(hdev, "sock %p", sk);
9154 
9155 	hci_dev_lock(hdev);
9156 
9157 	if (cp->instance && !hci_find_adv_instance(hdev, cp->instance)) {
9158 		err = mgmt_cmd_status(sk, hdev->id,
9159 				      MGMT_OP_REMOVE_ADVERTISING,
9160 				      MGMT_STATUS_INVALID_PARAMS);
9161 		goto unlock;
9162 	}
9163 
9164 	if (pending_find(MGMT_OP_SET_LE, hdev)) {
9165 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_ADVERTISING,
9166 				      MGMT_STATUS_BUSY);
9167 		goto unlock;
9168 	}
9169 
9170 	if (list_empty(&hdev->adv_instances)) {
9171 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_ADVERTISING,
9172 				      MGMT_STATUS_INVALID_PARAMS);
9173 		goto unlock;
9174 	}
9175 
9176 	cmd = mgmt_pending_new(sk, MGMT_OP_REMOVE_ADVERTISING, hdev, data,
9177 			       data_len);
9178 	if (!cmd) {
9179 		err = -ENOMEM;
9180 		goto unlock;
9181 	}
9182 
9183 	err = hci_cmd_sync_queue(hdev, remove_advertising_sync, cmd,
9184 				 remove_advertising_complete);
9185 	if (err < 0)
9186 		mgmt_pending_free(cmd);
9187 
9188 unlock:
9189 	hci_dev_unlock(hdev);
9190 
9191 	return err;
9192 }
9193 
9194 static int get_adv_size_info(struct sock *sk, struct hci_dev *hdev,
9195 			     void *data, u16 data_len)
9196 {
9197 	struct mgmt_cp_get_adv_size_info *cp = data;
9198 	struct mgmt_rp_get_adv_size_info rp;
9199 	u32 flags, supported_flags;
9200 
9201 	bt_dev_dbg(hdev, "sock %p", sk);
9202 
9203 	if (!lmp_le_capable(hdev))
9204 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_GET_ADV_SIZE_INFO,
9205 				       MGMT_STATUS_REJECTED);
9206 
9207 	if (cp->instance < 1 || cp->instance > hdev->le_num_of_adv_sets)
9208 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_GET_ADV_SIZE_INFO,
9209 				       MGMT_STATUS_INVALID_PARAMS);
9210 
9211 	flags = __le32_to_cpu(cp->flags);
9212 
9213 	/* The current implementation only supports a subset of the specified
9214 	 * flags.
9215 	 */
9216 	supported_flags = get_supported_adv_flags(hdev);
9217 	if (flags & ~supported_flags)
9218 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_GET_ADV_SIZE_INFO,
9219 				       MGMT_STATUS_INVALID_PARAMS);
9220 
9221 	rp.instance = cp->instance;
9222 	rp.flags = cp->flags;
9223 	rp.max_adv_data_len = tlv_data_max_len(hdev, flags, true);
9224 	rp.max_scan_rsp_len = tlv_data_max_len(hdev, flags, false);
9225 
9226 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_ADV_SIZE_INFO,
9227 				 MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
9228 }
9229 
9230 static const struct hci_mgmt_handler mgmt_handlers[] = {
9231 	{ NULL }, /* 0x0000 (no command) */
9232 	{ read_version,            MGMT_READ_VERSION_SIZE,
9233 						HCI_MGMT_NO_HDEV |
9234 						HCI_MGMT_UNTRUSTED },
9235 	{ read_commands,           MGMT_READ_COMMANDS_SIZE,
9236 						HCI_MGMT_NO_HDEV |
9237 						HCI_MGMT_UNTRUSTED },
9238 	{ read_index_list,         MGMT_READ_INDEX_LIST_SIZE,
9239 						HCI_MGMT_NO_HDEV |
9240 						HCI_MGMT_UNTRUSTED },
9241 	{ read_controller_info,    MGMT_READ_INFO_SIZE,
9242 						HCI_MGMT_UNTRUSTED },
9243 	{ set_powered,             MGMT_SETTING_SIZE },
9244 	{ set_discoverable,        MGMT_SET_DISCOVERABLE_SIZE },
9245 	{ set_connectable,         MGMT_SETTING_SIZE },
9246 	{ set_fast_connectable,    MGMT_SETTING_SIZE },
9247 	{ set_bondable,            MGMT_SETTING_SIZE },
9248 	{ set_link_security,       MGMT_SETTING_SIZE },
9249 	{ set_ssp,                 MGMT_SETTING_SIZE },
9250 	{ set_hs,                  MGMT_SETTING_SIZE },
9251 	{ set_le,                  MGMT_SETTING_SIZE },
9252 	{ set_dev_class,           MGMT_SET_DEV_CLASS_SIZE },
9253 	{ set_local_name,          MGMT_SET_LOCAL_NAME_SIZE },
9254 	{ add_uuid,                MGMT_ADD_UUID_SIZE },
9255 	{ remove_uuid,             MGMT_REMOVE_UUID_SIZE },
9256 	{ load_link_keys,          MGMT_LOAD_LINK_KEYS_SIZE,
9257 						HCI_MGMT_VAR_LEN },
9258 	{ load_long_term_keys,     MGMT_LOAD_LONG_TERM_KEYS_SIZE,
9259 						HCI_MGMT_VAR_LEN },
9260 	{ disconnect,              MGMT_DISCONNECT_SIZE },
9261 	{ get_connections,         MGMT_GET_CONNECTIONS_SIZE },
9262 	{ pin_code_reply,          MGMT_PIN_CODE_REPLY_SIZE },
9263 	{ pin_code_neg_reply,      MGMT_PIN_CODE_NEG_REPLY_SIZE },
9264 	{ set_io_capability,       MGMT_SET_IO_CAPABILITY_SIZE },
9265 	{ pair_device,             MGMT_PAIR_DEVICE_SIZE },
9266 	{ cancel_pair_device,      MGMT_CANCEL_PAIR_DEVICE_SIZE },
9267 	{ unpair_device,           MGMT_UNPAIR_DEVICE_SIZE },
9268 	{ user_confirm_reply,      MGMT_USER_CONFIRM_REPLY_SIZE },
9269 	{ user_confirm_neg_reply,  MGMT_USER_CONFIRM_NEG_REPLY_SIZE },
9270 	{ user_passkey_reply,      MGMT_USER_PASSKEY_REPLY_SIZE },
9271 	{ user_passkey_neg_reply,  MGMT_USER_PASSKEY_NEG_REPLY_SIZE },
9272 	{ read_local_oob_data,     MGMT_READ_LOCAL_OOB_DATA_SIZE },
9273 	{ add_remote_oob_data,     MGMT_ADD_REMOTE_OOB_DATA_SIZE,
9274 						HCI_MGMT_VAR_LEN },
9275 	{ remove_remote_oob_data,  MGMT_REMOVE_REMOTE_OOB_DATA_SIZE },
9276 	{ start_discovery,         MGMT_START_DISCOVERY_SIZE },
9277 	{ stop_discovery,          MGMT_STOP_DISCOVERY_SIZE },
9278 	{ confirm_name,            MGMT_CONFIRM_NAME_SIZE },
9279 	{ block_device,            MGMT_BLOCK_DEVICE_SIZE },
9280 	{ unblock_device,          MGMT_UNBLOCK_DEVICE_SIZE },
9281 	{ set_device_id,           MGMT_SET_DEVICE_ID_SIZE },
9282 	{ set_advertising,         MGMT_SETTING_SIZE },
9283 	{ set_bredr,               MGMT_SETTING_SIZE },
9284 	{ set_static_address,      MGMT_SET_STATIC_ADDRESS_SIZE },
9285 	{ set_scan_params,         MGMT_SET_SCAN_PARAMS_SIZE },
9286 	{ set_secure_conn,         MGMT_SETTING_SIZE },
9287 	{ set_debug_keys,          MGMT_SETTING_SIZE },
9288 	{ set_privacy,             MGMT_SET_PRIVACY_SIZE },
9289 	{ load_irks,               MGMT_LOAD_IRKS_SIZE,
9290 						HCI_MGMT_VAR_LEN },
9291 	{ get_conn_info,           MGMT_GET_CONN_INFO_SIZE },
9292 	{ get_clock_info,          MGMT_GET_CLOCK_INFO_SIZE },
9293 	{ add_device,              MGMT_ADD_DEVICE_SIZE },
9294 	{ remove_device,           MGMT_REMOVE_DEVICE_SIZE },
9295 	{ load_conn_param,         MGMT_LOAD_CONN_PARAM_SIZE,
9296 						HCI_MGMT_VAR_LEN },
9297 	{ read_unconf_index_list,  MGMT_READ_UNCONF_INDEX_LIST_SIZE,
9298 						HCI_MGMT_NO_HDEV |
9299 						HCI_MGMT_UNTRUSTED },
9300 	{ read_config_info,        MGMT_READ_CONFIG_INFO_SIZE,
9301 						HCI_MGMT_UNCONFIGURED |
9302 						HCI_MGMT_UNTRUSTED },
9303 	{ set_external_config,     MGMT_SET_EXTERNAL_CONFIG_SIZE,
9304 						HCI_MGMT_UNCONFIGURED },
9305 	{ set_public_address,      MGMT_SET_PUBLIC_ADDRESS_SIZE,
9306 						HCI_MGMT_UNCONFIGURED },
9307 	{ start_service_discovery, MGMT_START_SERVICE_DISCOVERY_SIZE,
9308 						HCI_MGMT_VAR_LEN },
9309 	{ read_local_oob_ext_data, MGMT_READ_LOCAL_OOB_EXT_DATA_SIZE },
9310 	{ read_ext_index_list,     MGMT_READ_EXT_INDEX_LIST_SIZE,
9311 						HCI_MGMT_NO_HDEV |
9312 						HCI_MGMT_UNTRUSTED },
9313 	{ read_adv_features,       MGMT_READ_ADV_FEATURES_SIZE },
9314 	{ add_advertising,	   MGMT_ADD_ADVERTISING_SIZE,
9315 						HCI_MGMT_VAR_LEN },
9316 	{ remove_advertising,	   MGMT_REMOVE_ADVERTISING_SIZE },
9317 	{ get_adv_size_info,       MGMT_GET_ADV_SIZE_INFO_SIZE },
9318 	{ start_limited_discovery, MGMT_START_DISCOVERY_SIZE },
9319 	{ read_ext_controller_info,MGMT_READ_EXT_INFO_SIZE,
9320 						HCI_MGMT_UNTRUSTED },
9321 	{ set_appearance,	   MGMT_SET_APPEARANCE_SIZE },
9322 	{ get_phy_configuration,   MGMT_GET_PHY_CONFIGURATION_SIZE },
9323 	{ set_phy_configuration,   MGMT_SET_PHY_CONFIGURATION_SIZE },
9324 	{ set_blocked_keys,	   MGMT_OP_SET_BLOCKED_KEYS_SIZE,
9325 						HCI_MGMT_VAR_LEN },
9326 	{ set_wideband_speech,	   MGMT_SETTING_SIZE },
9327 	{ read_controller_cap,     MGMT_READ_CONTROLLER_CAP_SIZE,
9328 						HCI_MGMT_UNTRUSTED },
9329 	{ read_exp_features_info,  MGMT_READ_EXP_FEATURES_INFO_SIZE,
9330 						HCI_MGMT_UNTRUSTED |
9331 						HCI_MGMT_HDEV_OPTIONAL },
9332 	{ set_exp_feature,         MGMT_SET_EXP_FEATURE_SIZE,
9333 						HCI_MGMT_VAR_LEN |
9334 						HCI_MGMT_HDEV_OPTIONAL },
9335 	{ read_def_system_config,  MGMT_READ_DEF_SYSTEM_CONFIG_SIZE,
9336 						HCI_MGMT_UNTRUSTED },
9337 	{ set_def_system_config,   MGMT_SET_DEF_SYSTEM_CONFIG_SIZE,
9338 						HCI_MGMT_VAR_LEN },
9339 	{ read_def_runtime_config, MGMT_READ_DEF_RUNTIME_CONFIG_SIZE,
9340 						HCI_MGMT_UNTRUSTED },
9341 	{ set_def_runtime_config,  MGMT_SET_DEF_RUNTIME_CONFIG_SIZE,
9342 						HCI_MGMT_VAR_LEN },
9343 	{ get_device_flags,        MGMT_GET_DEVICE_FLAGS_SIZE },
9344 	{ set_device_flags,        MGMT_SET_DEVICE_FLAGS_SIZE },
9345 	{ read_adv_mon_features,   MGMT_READ_ADV_MONITOR_FEATURES_SIZE },
9346 	{ add_adv_patterns_monitor,MGMT_ADD_ADV_PATTERNS_MONITOR_SIZE,
9347 						HCI_MGMT_VAR_LEN },
9348 	{ remove_adv_monitor,      MGMT_REMOVE_ADV_MONITOR_SIZE },
9349 	{ add_ext_adv_params,      MGMT_ADD_EXT_ADV_PARAMS_MIN_SIZE,
9350 						HCI_MGMT_VAR_LEN },
9351 	{ add_ext_adv_data,        MGMT_ADD_EXT_ADV_DATA_SIZE,
9352 						HCI_MGMT_VAR_LEN },
9353 	{ add_adv_patterns_monitor_rssi,
9354 				   MGMT_ADD_ADV_PATTERNS_MONITOR_RSSI_SIZE },
9355 	{ set_mesh,                MGMT_SET_MESH_RECEIVER_SIZE,
9356 						HCI_MGMT_VAR_LEN },
9357 	{ mesh_features,           MGMT_MESH_READ_FEATURES_SIZE },
9358 	{ mesh_send,               MGMT_MESH_SEND_SIZE,
9359 						HCI_MGMT_VAR_LEN },
9360 	{ mesh_send_cancel,        MGMT_MESH_SEND_CANCEL_SIZE },
9361 };
9362 
9363 void mgmt_index_added(struct hci_dev *hdev)
9364 {
9365 	struct mgmt_ev_ext_index ev;
9366 
9367 	if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
9368 		return;
9369 
9370 	switch (hdev->dev_type) {
9371 	case HCI_PRIMARY:
9372 		if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
9373 			mgmt_index_event(MGMT_EV_UNCONF_INDEX_ADDED, hdev,
9374 					 NULL, 0, HCI_MGMT_UNCONF_INDEX_EVENTS);
9375 			ev.type = 0x01;
9376 		} else {
9377 			mgmt_index_event(MGMT_EV_INDEX_ADDED, hdev, NULL, 0,
9378 					 HCI_MGMT_INDEX_EVENTS);
9379 			ev.type = 0x00;
9380 		}
9381 		break;
9382 	case HCI_AMP:
9383 		ev.type = 0x02;
9384 		break;
9385 	default:
9386 		return;
9387 	}
9388 
9389 	ev.bus = hdev->bus;
9390 
9391 	mgmt_index_event(MGMT_EV_EXT_INDEX_ADDED, hdev, &ev, sizeof(ev),
9392 			 HCI_MGMT_EXT_INDEX_EVENTS);
9393 }
9394 
9395 void mgmt_index_removed(struct hci_dev *hdev)
9396 {
9397 	struct mgmt_ev_ext_index ev;
9398 	u8 status = MGMT_STATUS_INVALID_INDEX;
9399 
9400 	if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
9401 		return;
9402 
9403 	switch (hdev->dev_type) {
9404 	case HCI_PRIMARY:
9405 		mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &status);
9406 
9407 		if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
9408 			mgmt_index_event(MGMT_EV_UNCONF_INDEX_REMOVED, hdev,
9409 					 NULL, 0, HCI_MGMT_UNCONF_INDEX_EVENTS);
9410 			ev.type = 0x01;
9411 		} else {
9412 			mgmt_index_event(MGMT_EV_INDEX_REMOVED, hdev, NULL, 0,
9413 					 HCI_MGMT_INDEX_EVENTS);
9414 			ev.type = 0x00;
9415 		}
9416 		break;
9417 	case HCI_AMP:
9418 		ev.type = 0x02;
9419 		break;
9420 	default:
9421 		return;
9422 	}
9423 
9424 	ev.bus = hdev->bus;
9425 
9426 	mgmt_index_event(MGMT_EV_EXT_INDEX_REMOVED, hdev, &ev, sizeof(ev),
9427 			 HCI_MGMT_EXT_INDEX_EVENTS);
9428 
9429 	/* Cancel any remaining timed work */
9430 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
9431 		return;
9432 	cancel_delayed_work_sync(&hdev->discov_off);
9433 	cancel_delayed_work_sync(&hdev->service_cache);
9434 	cancel_delayed_work_sync(&hdev->rpa_expired);
9435 }
9436 
9437 void mgmt_power_on(struct hci_dev *hdev, int err)
9438 {
9439 	struct cmd_lookup match = { NULL, hdev };
9440 
9441 	bt_dev_dbg(hdev, "err %d", err);
9442 
9443 	hci_dev_lock(hdev);
9444 
9445 	if (!err) {
9446 		restart_le_actions(hdev);
9447 		hci_update_passive_scan(hdev);
9448 	}
9449 
9450 	mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp, &match);
9451 
9452 	new_settings(hdev, match.sk);
9453 
9454 	if (match.sk)
9455 		sock_put(match.sk);
9456 
9457 	hci_dev_unlock(hdev);
9458 }
9459 
9460 void __mgmt_power_off(struct hci_dev *hdev)
9461 {
9462 	struct cmd_lookup match = { NULL, hdev };
9463 	u8 status, zero_cod[] = { 0, 0, 0 };
9464 
9465 	mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp, &match);
9466 
9467 	/* If the power off is because of hdev unregistration let
9468 	 * use the appropriate INVALID_INDEX status. Otherwise use
9469 	 * NOT_POWERED. We cover both scenarios here since later in
9470 	 * mgmt_index_removed() any hci_conn callbacks will have already
9471 	 * been triggered, potentially causing misleading DISCONNECTED
9472 	 * status responses.
9473 	 */
9474 	if (hci_dev_test_flag(hdev, HCI_UNREGISTER))
9475 		status = MGMT_STATUS_INVALID_INDEX;
9476 	else
9477 		status = MGMT_STATUS_NOT_POWERED;
9478 
9479 	mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &status);
9480 
9481 	if (memcmp(hdev->dev_class, zero_cod, sizeof(zero_cod)) != 0) {
9482 		mgmt_limited_event(MGMT_EV_CLASS_OF_DEV_CHANGED, hdev,
9483 				   zero_cod, sizeof(zero_cod),
9484 				   HCI_MGMT_DEV_CLASS_EVENTS, NULL);
9485 		ext_info_changed(hdev, NULL);
9486 	}
9487 
9488 	new_settings(hdev, match.sk);
9489 
9490 	if (match.sk)
9491 		sock_put(match.sk);
9492 }
9493 
9494 void mgmt_set_powered_failed(struct hci_dev *hdev, int err)
9495 {
9496 	struct mgmt_pending_cmd *cmd;
9497 	u8 status;
9498 
9499 	cmd = pending_find(MGMT_OP_SET_POWERED, hdev);
9500 	if (!cmd)
9501 		return;
9502 
9503 	if (err == -ERFKILL)
9504 		status = MGMT_STATUS_RFKILLED;
9505 	else
9506 		status = MGMT_STATUS_FAILED;
9507 
9508 	mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_POWERED, status);
9509 
9510 	mgmt_pending_remove(cmd);
9511 }
9512 
9513 void mgmt_new_link_key(struct hci_dev *hdev, struct link_key *key,
9514 		       bool persistent)
9515 {
9516 	struct mgmt_ev_new_link_key ev;
9517 
9518 	memset(&ev, 0, sizeof(ev));
9519 
9520 	ev.store_hint = persistent;
9521 	bacpy(&ev.key.addr.bdaddr, &key->bdaddr);
9522 	ev.key.addr.type = BDADDR_BREDR;
9523 	ev.key.type = key->type;
9524 	memcpy(ev.key.val, key->val, HCI_LINK_KEY_SIZE);
9525 	ev.key.pin_len = key->pin_len;
9526 
9527 	mgmt_event(MGMT_EV_NEW_LINK_KEY, hdev, &ev, sizeof(ev), NULL);
9528 }
9529 
9530 static u8 mgmt_ltk_type(struct smp_ltk *ltk)
9531 {
9532 	switch (ltk->type) {
9533 	case SMP_LTK:
9534 	case SMP_LTK_RESPONDER:
9535 		if (ltk->authenticated)
9536 			return MGMT_LTK_AUTHENTICATED;
9537 		return MGMT_LTK_UNAUTHENTICATED;
9538 	case SMP_LTK_P256:
9539 		if (ltk->authenticated)
9540 			return MGMT_LTK_P256_AUTH;
9541 		return MGMT_LTK_P256_UNAUTH;
9542 	case SMP_LTK_P256_DEBUG:
9543 		return MGMT_LTK_P256_DEBUG;
9544 	}
9545 
9546 	return MGMT_LTK_UNAUTHENTICATED;
9547 }
9548 
9549 void mgmt_new_ltk(struct hci_dev *hdev, struct smp_ltk *key, bool persistent)
9550 {
9551 	struct mgmt_ev_new_long_term_key ev;
9552 
9553 	memset(&ev, 0, sizeof(ev));
9554 
9555 	/* Devices using resolvable or non-resolvable random addresses
9556 	 * without providing an identity resolving key don't require
9557 	 * to store long term keys. Their addresses will change the
9558 	 * next time around.
9559 	 *
9560 	 * Only when a remote device provides an identity address
9561 	 * make sure the long term key is stored. If the remote
9562 	 * identity is known, the long term keys are internally
9563 	 * mapped to the identity address. So allow static random
9564 	 * and public addresses here.
9565 	 */
9566 	if (key->bdaddr_type == ADDR_LE_DEV_RANDOM &&
9567 	    (key->bdaddr.b[5] & 0xc0) != 0xc0)
9568 		ev.store_hint = 0x00;
9569 	else
9570 		ev.store_hint = persistent;
9571 
9572 	bacpy(&ev.key.addr.bdaddr, &key->bdaddr);
9573 	ev.key.addr.type = link_to_bdaddr(LE_LINK, key->bdaddr_type);
9574 	ev.key.type = mgmt_ltk_type(key);
9575 	ev.key.enc_size = key->enc_size;
9576 	ev.key.ediv = key->ediv;
9577 	ev.key.rand = key->rand;
9578 
9579 	if (key->type == SMP_LTK)
9580 		ev.key.initiator = 1;
9581 
9582 	/* Make sure we copy only the significant bytes based on the
9583 	 * encryption key size, and set the rest of the value to zeroes.
9584 	 */
9585 	memcpy(ev.key.val, key->val, key->enc_size);
9586 	memset(ev.key.val + key->enc_size, 0,
9587 	       sizeof(ev.key.val) - key->enc_size);
9588 
9589 	mgmt_event(MGMT_EV_NEW_LONG_TERM_KEY, hdev, &ev, sizeof(ev), NULL);
9590 }
9591 
9592 void mgmt_new_irk(struct hci_dev *hdev, struct smp_irk *irk, bool persistent)
9593 {
9594 	struct mgmt_ev_new_irk ev;
9595 
9596 	memset(&ev, 0, sizeof(ev));
9597 
9598 	ev.store_hint = persistent;
9599 
9600 	bacpy(&ev.rpa, &irk->rpa);
9601 	bacpy(&ev.irk.addr.bdaddr, &irk->bdaddr);
9602 	ev.irk.addr.type = link_to_bdaddr(LE_LINK, irk->addr_type);
9603 	memcpy(ev.irk.val, irk->val, sizeof(irk->val));
9604 
9605 	mgmt_event(MGMT_EV_NEW_IRK, hdev, &ev, sizeof(ev), NULL);
9606 }
9607 
9608 void mgmt_new_csrk(struct hci_dev *hdev, struct smp_csrk *csrk,
9609 		   bool persistent)
9610 {
9611 	struct mgmt_ev_new_csrk ev;
9612 
9613 	memset(&ev, 0, sizeof(ev));
9614 
9615 	/* Devices using resolvable or non-resolvable random addresses
9616 	 * without providing an identity resolving key don't require
9617 	 * to store signature resolving keys. Their addresses will change
9618 	 * the next time around.
9619 	 *
9620 	 * Only when a remote device provides an identity address
9621 	 * make sure the signature resolving key is stored. So allow
9622 	 * static random and public addresses here.
9623 	 */
9624 	if (csrk->bdaddr_type == ADDR_LE_DEV_RANDOM &&
9625 	    (csrk->bdaddr.b[5] & 0xc0) != 0xc0)
9626 		ev.store_hint = 0x00;
9627 	else
9628 		ev.store_hint = persistent;
9629 
9630 	bacpy(&ev.key.addr.bdaddr, &csrk->bdaddr);
9631 	ev.key.addr.type = link_to_bdaddr(LE_LINK, csrk->bdaddr_type);
9632 	ev.key.type = csrk->type;
9633 	memcpy(ev.key.val, csrk->val, sizeof(csrk->val));
9634 
9635 	mgmt_event(MGMT_EV_NEW_CSRK, hdev, &ev, sizeof(ev), NULL);
9636 }
9637 
9638 void mgmt_new_conn_param(struct hci_dev *hdev, bdaddr_t *bdaddr,
9639 			 u8 bdaddr_type, u8 store_hint, u16 min_interval,
9640 			 u16 max_interval, u16 latency, u16 timeout)
9641 {
9642 	struct mgmt_ev_new_conn_param ev;
9643 
9644 	if (!hci_is_identity_address(bdaddr, bdaddr_type))
9645 		return;
9646 
9647 	memset(&ev, 0, sizeof(ev));
9648 	bacpy(&ev.addr.bdaddr, bdaddr);
9649 	ev.addr.type = link_to_bdaddr(LE_LINK, bdaddr_type);
9650 	ev.store_hint = store_hint;
9651 	ev.min_interval = cpu_to_le16(min_interval);
9652 	ev.max_interval = cpu_to_le16(max_interval);
9653 	ev.latency = cpu_to_le16(latency);
9654 	ev.timeout = cpu_to_le16(timeout);
9655 
9656 	mgmt_event(MGMT_EV_NEW_CONN_PARAM, hdev, &ev, sizeof(ev), NULL);
9657 }
9658 
9659 void mgmt_device_connected(struct hci_dev *hdev, struct hci_conn *conn,
9660 			   u8 *name, u8 name_len)
9661 {
9662 	struct sk_buff *skb;
9663 	struct mgmt_ev_device_connected *ev;
9664 	u16 eir_len = 0;
9665 	u32 flags = 0;
9666 
9667 	/* allocate buff for LE or BR/EDR adv */
9668 	if (conn->le_adv_data_len > 0)
9669 		skb = mgmt_alloc_skb(hdev, MGMT_EV_DEVICE_CONNECTED,
9670 				     sizeof(*ev) + conn->le_adv_data_len);
9671 	else
9672 		skb = mgmt_alloc_skb(hdev, MGMT_EV_DEVICE_CONNECTED,
9673 				     sizeof(*ev) + (name ? eir_precalc_len(name_len) : 0) +
9674 				     eir_precalc_len(sizeof(conn->dev_class)));
9675 
9676 	ev = skb_put(skb, sizeof(*ev));
9677 	bacpy(&ev->addr.bdaddr, &conn->dst);
9678 	ev->addr.type = link_to_bdaddr(conn->type, conn->dst_type);
9679 
9680 	if (conn->out)
9681 		flags |= MGMT_DEV_FOUND_INITIATED_CONN;
9682 
9683 	ev->flags = __cpu_to_le32(flags);
9684 
9685 	/* We must ensure that the EIR Data fields are ordered and
9686 	 * unique. Keep it simple for now and avoid the problem by not
9687 	 * adding any BR/EDR data to the LE adv.
9688 	 */
9689 	if (conn->le_adv_data_len > 0) {
9690 		skb_put_data(skb, conn->le_adv_data, conn->le_adv_data_len);
9691 		eir_len = conn->le_adv_data_len;
9692 	} else {
9693 		if (name)
9694 			eir_len += eir_skb_put_data(skb, EIR_NAME_COMPLETE, name, name_len);
9695 
9696 		if (memcmp(conn->dev_class, "\0\0\0", sizeof(conn->dev_class)))
9697 			eir_len += eir_skb_put_data(skb, EIR_CLASS_OF_DEV,
9698 						    conn->dev_class, sizeof(conn->dev_class));
9699 	}
9700 
9701 	ev->eir_len = cpu_to_le16(eir_len);
9702 
9703 	mgmt_event_skb(skb, NULL);
9704 }
9705 
9706 static void disconnect_rsp(struct mgmt_pending_cmd *cmd, void *data)
9707 {
9708 	struct sock **sk = data;
9709 
9710 	cmd->cmd_complete(cmd, 0);
9711 
9712 	*sk = cmd->sk;
9713 	sock_hold(*sk);
9714 
9715 	mgmt_pending_remove(cmd);
9716 }
9717 
9718 static void unpair_device_rsp(struct mgmt_pending_cmd *cmd, void *data)
9719 {
9720 	struct hci_dev *hdev = data;
9721 	struct mgmt_cp_unpair_device *cp = cmd->param;
9722 
9723 	device_unpaired(hdev, &cp->addr.bdaddr, cp->addr.type, cmd->sk);
9724 
9725 	cmd->cmd_complete(cmd, 0);
9726 	mgmt_pending_remove(cmd);
9727 }
9728 
9729 bool mgmt_powering_down(struct hci_dev *hdev)
9730 {
9731 	struct mgmt_pending_cmd *cmd;
9732 	struct mgmt_mode *cp;
9733 
9734 	cmd = pending_find(MGMT_OP_SET_POWERED, hdev);
9735 	if (!cmd)
9736 		return false;
9737 
9738 	cp = cmd->param;
9739 	if (!cp->val)
9740 		return true;
9741 
9742 	return false;
9743 }
9744 
9745 void mgmt_device_disconnected(struct hci_dev *hdev, bdaddr_t *bdaddr,
9746 			      u8 link_type, u8 addr_type, u8 reason,
9747 			      bool mgmt_connected)
9748 {
9749 	struct mgmt_ev_device_disconnected ev;
9750 	struct sock *sk = NULL;
9751 
9752 	/* The connection is still in hci_conn_hash so test for 1
9753 	 * instead of 0 to know if this is the last one.
9754 	 */
9755 	if (mgmt_powering_down(hdev) && hci_conn_count(hdev) == 1) {
9756 		cancel_delayed_work(&hdev->power_off);
9757 		queue_work(hdev->req_workqueue, &hdev->power_off.work);
9758 	}
9759 
9760 	if (!mgmt_connected)
9761 		return;
9762 
9763 	if (link_type != ACL_LINK && link_type != LE_LINK)
9764 		return;
9765 
9766 	mgmt_pending_foreach(MGMT_OP_DISCONNECT, hdev, disconnect_rsp, &sk);
9767 
9768 	bacpy(&ev.addr.bdaddr, bdaddr);
9769 	ev.addr.type = link_to_bdaddr(link_type, addr_type);
9770 	ev.reason = reason;
9771 
9772 	/* Report disconnects due to suspend */
9773 	if (hdev->suspended)
9774 		ev.reason = MGMT_DEV_DISCONN_LOCAL_HOST_SUSPEND;
9775 
9776 	mgmt_event(MGMT_EV_DEVICE_DISCONNECTED, hdev, &ev, sizeof(ev), sk);
9777 
9778 	if (sk)
9779 		sock_put(sk);
9780 
9781 	mgmt_pending_foreach(MGMT_OP_UNPAIR_DEVICE, hdev, unpair_device_rsp,
9782 			     hdev);
9783 }
9784 
9785 void mgmt_disconnect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr,
9786 			    u8 link_type, u8 addr_type, u8 status)
9787 {
9788 	u8 bdaddr_type = link_to_bdaddr(link_type, addr_type);
9789 	struct mgmt_cp_disconnect *cp;
9790 	struct mgmt_pending_cmd *cmd;
9791 
9792 	mgmt_pending_foreach(MGMT_OP_UNPAIR_DEVICE, hdev, unpair_device_rsp,
9793 			     hdev);
9794 
9795 	cmd = pending_find(MGMT_OP_DISCONNECT, hdev);
9796 	if (!cmd)
9797 		return;
9798 
9799 	cp = cmd->param;
9800 
9801 	if (bacmp(bdaddr, &cp->addr.bdaddr))
9802 		return;
9803 
9804 	if (cp->addr.type != bdaddr_type)
9805 		return;
9806 
9807 	cmd->cmd_complete(cmd, mgmt_status(status));
9808 	mgmt_pending_remove(cmd);
9809 }
9810 
9811 void mgmt_connect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
9812 			 u8 addr_type, u8 status)
9813 {
9814 	struct mgmt_ev_connect_failed ev;
9815 
9816 	/* The connection is still in hci_conn_hash so test for 1
9817 	 * instead of 0 to know if this is the last one.
9818 	 */
9819 	if (mgmt_powering_down(hdev) && hci_conn_count(hdev) == 1) {
9820 		cancel_delayed_work(&hdev->power_off);
9821 		queue_work(hdev->req_workqueue, &hdev->power_off.work);
9822 	}
9823 
9824 	bacpy(&ev.addr.bdaddr, bdaddr);
9825 	ev.addr.type = link_to_bdaddr(link_type, addr_type);
9826 	ev.status = mgmt_status(status);
9827 
9828 	mgmt_event(MGMT_EV_CONNECT_FAILED, hdev, &ev, sizeof(ev), NULL);
9829 }
9830 
9831 void mgmt_pin_code_request(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 secure)
9832 {
9833 	struct mgmt_ev_pin_code_request ev;
9834 
9835 	bacpy(&ev.addr.bdaddr, bdaddr);
9836 	ev.addr.type = BDADDR_BREDR;
9837 	ev.secure = secure;
9838 
9839 	mgmt_event(MGMT_EV_PIN_CODE_REQUEST, hdev, &ev, sizeof(ev), NULL);
9840 }
9841 
9842 void mgmt_pin_code_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9843 				  u8 status)
9844 {
9845 	struct mgmt_pending_cmd *cmd;
9846 
9847 	cmd = pending_find(MGMT_OP_PIN_CODE_REPLY, hdev);
9848 	if (!cmd)
9849 		return;
9850 
9851 	cmd->cmd_complete(cmd, mgmt_status(status));
9852 	mgmt_pending_remove(cmd);
9853 }
9854 
9855 void mgmt_pin_code_neg_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9856 				      u8 status)
9857 {
9858 	struct mgmt_pending_cmd *cmd;
9859 
9860 	cmd = pending_find(MGMT_OP_PIN_CODE_NEG_REPLY, hdev);
9861 	if (!cmd)
9862 		return;
9863 
9864 	cmd->cmd_complete(cmd, mgmt_status(status));
9865 	mgmt_pending_remove(cmd);
9866 }
9867 
9868 int mgmt_user_confirm_request(struct hci_dev *hdev, bdaddr_t *bdaddr,
9869 			      u8 link_type, u8 addr_type, u32 value,
9870 			      u8 confirm_hint)
9871 {
9872 	struct mgmt_ev_user_confirm_request ev;
9873 
9874 	bt_dev_dbg(hdev, "bdaddr %pMR", bdaddr);
9875 
9876 	bacpy(&ev.addr.bdaddr, bdaddr);
9877 	ev.addr.type = link_to_bdaddr(link_type, addr_type);
9878 	ev.confirm_hint = confirm_hint;
9879 	ev.value = cpu_to_le32(value);
9880 
9881 	return mgmt_event(MGMT_EV_USER_CONFIRM_REQUEST, hdev, &ev, sizeof(ev),
9882 			  NULL);
9883 }
9884 
9885 int mgmt_user_passkey_request(struct hci_dev *hdev, bdaddr_t *bdaddr,
9886 			      u8 link_type, u8 addr_type)
9887 {
9888 	struct mgmt_ev_user_passkey_request ev;
9889 
9890 	bt_dev_dbg(hdev, "bdaddr %pMR", bdaddr);
9891 
9892 	bacpy(&ev.addr.bdaddr, bdaddr);
9893 	ev.addr.type = link_to_bdaddr(link_type, addr_type);
9894 
9895 	return mgmt_event(MGMT_EV_USER_PASSKEY_REQUEST, hdev, &ev, sizeof(ev),
9896 			  NULL);
9897 }
9898 
9899 static int user_pairing_resp_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9900 				      u8 link_type, u8 addr_type, u8 status,
9901 				      u8 opcode)
9902 {
9903 	struct mgmt_pending_cmd *cmd;
9904 
9905 	cmd = pending_find(opcode, hdev);
9906 	if (!cmd)
9907 		return -ENOENT;
9908 
9909 	cmd->cmd_complete(cmd, mgmt_status(status));
9910 	mgmt_pending_remove(cmd);
9911 
9912 	return 0;
9913 }
9914 
9915 int mgmt_user_confirm_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9916 				     u8 link_type, u8 addr_type, u8 status)
9917 {
9918 	return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
9919 					  status, MGMT_OP_USER_CONFIRM_REPLY);
9920 }
9921 
9922 int mgmt_user_confirm_neg_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9923 					 u8 link_type, u8 addr_type, u8 status)
9924 {
9925 	return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
9926 					  status,
9927 					  MGMT_OP_USER_CONFIRM_NEG_REPLY);
9928 }
9929 
9930 int mgmt_user_passkey_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9931 				     u8 link_type, u8 addr_type, u8 status)
9932 {
9933 	return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
9934 					  status, MGMT_OP_USER_PASSKEY_REPLY);
9935 }
9936 
9937 int mgmt_user_passkey_neg_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9938 					 u8 link_type, u8 addr_type, u8 status)
9939 {
9940 	return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
9941 					  status,
9942 					  MGMT_OP_USER_PASSKEY_NEG_REPLY);
9943 }
9944 
9945 int mgmt_user_passkey_notify(struct hci_dev *hdev, bdaddr_t *bdaddr,
9946 			     u8 link_type, u8 addr_type, u32 passkey,
9947 			     u8 entered)
9948 {
9949 	struct mgmt_ev_passkey_notify ev;
9950 
9951 	bt_dev_dbg(hdev, "bdaddr %pMR", bdaddr);
9952 
9953 	bacpy(&ev.addr.bdaddr, bdaddr);
9954 	ev.addr.type = link_to_bdaddr(link_type, addr_type);
9955 	ev.passkey = __cpu_to_le32(passkey);
9956 	ev.entered = entered;
9957 
9958 	return mgmt_event(MGMT_EV_PASSKEY_NOTIFY, hdev, &ev, sizeof(ev), NULL);
9959 }
9960 
9961 void mgmt_auth_failed(struct hci_conn *conn, u8 hci_status)
9962 {
9963 	struct mgmt_ev_auth_failed ev;
9964 	struct mgmt_pending_cmd *cmd;
9965 	u8 status = mgmt_status(hci_status);
9966 
9967 	bacpy(&ev.addr.bdaddr, &conn->dst);
9968 	ev.addr.type = link_to_bdaddr(conn->type, conn->dst_type);
9969 	ev.status = status;
9970 
9971 	cmd = find_pairing(conn);
9972 
9973 	mgmt_event(MGMT_EV_AUTH_FAILED, conn->hdev, &ev, sizeof(ev),
9974 		    cmd ? cmd->sk : NULL);
9975 
9976 	if (cmd) {
9977 		cmd->cmd_complete(cmd, status);
9978 		mgmt_pending_remove(cmd);
9979 	}
9980 }
9981 
9982 void mgmt_auth_enable_complete(struct hci_dev *hdev, u8 status)
9983 {
9984 	struct cmd_lookup match = { NULL, hdev };
9985 	bool changed;
9986 
9987 	if (status) {
9988 		u8 mgmt_err = mgmt_status(status);
9989 		mgmt_pending_foreach(MGMT_OP_SET_LINK_SECURITY, hdev,
9990 				     cmd_status_rsp, &mgmt_err);
9991 		return;
9992 	}
9993 
9994 	if (test_bit(HCI_AUTH, &hdev->flags))
9995 		changed = !hci_dev_test_and_set_flag(hdev, HCI_LINK_SECURITY);
9996 	else
9997 		changed = hci_dev_test_and_clear_flag(hdev, HCI_LINK_SECURITY);
9998 
9999 	mgmt_pending_foreach(MGMT_OP_SET_LINK_SECURITY, hdev, settings_rsp,
10000 			     &match);
10001 
10002 	if (changed)
10003 		new_settings(hdev, match.sk);
10004 
10005 	if (match.sk)
10006 		sock_put(match.sk);
10007 }
10008 
10009 static void sk_lookup(struct mgmt_pending_cmd *cmd, void *data)
10010 {
10011 	struct cmd_lookup *match = data;
10012 
10013 	if (match->sk == NULL) {
10014 		match->sk = cmd->sk;
10015 		sock_hold(match->sk);
10016 	}
10017 }
10018 
10019 void mgmt_set_class_of_dev_complete(struct hci_dev *hdev, u8 *dev_class,
10020 				    u8 status)
10021 {
10022 	struct cmd_lookup match = { NULL, hdev, mgmt_status(status) };
10023 
10024 	mgmt_pending_foreach(MGMT_OP_SET_DEV_CLASS, hdev, sk_lookup, &match);
10025 	mgmt_pending_foreach(MGMT_OP_ADD_UUID, hdev, sk_lookup, &match);
10026 	mgmt_pending_foreach(MGMT_OP_REMOVE_UUID, hdev, sk_lookup, &match);
10027 
10028 	if (!status) {
10029 		mgmt_limited_event(MGMT_EV_CLASS_OF_DEV_CHANGED, hdev, dev_class,
10030 				   3, HCI_MGMT_DEV_CLASS_EVENTS, NULL);
10031 		ext_info_changed(hdev, NULL);
10032 	}
10033 
10034 	if (match.sk)
10035 		sock_put(match.sk);
10036 }
10037 
10038 void mgmt_set_local_name_complete(struct hci_dev *hdev, u8 *name, u8 status)
10039 {
10040 	struct mgmt_cp_set_local_name ev;
10041 	struct mgmt_pending_cmd *cmd;
10042 
10043 	if (status)
10044 		return;
10045 
10046 	memset(&ev, 0, sizeof(ev));
10047 	memcpy(ev.name, name, HCI_MAX_NAME_LENGTH);
10048 	memcpy(ev.short_name, hdev->short_name, HCI_MAX_SHORT_NAME_LENGTH);
10049 
10050 	cmd = pending_find(MGMT_OP_SET_LOCAL_NAME, hdev);
10051 	if (!cmd) {
10052 		memcpy(hdev->dev_name, name, sizeof(hdev->dev_name));
10053 
10054 		/* If this is a HCI command related to powering on the
10055 		 * HCI dev don't send any mgmt signals.
10056 		 */
10057 		if (pending_find(MGMT_OP_SET_POWERED, hdev))
10058 			return;
10059 	}
10060 
10061 	mgmt_limited_event(MGMT_EV_LOCAL_NAME_CHANGED, hdev, &ev, sizeof(ev),
10062 			   HCI_MGMT_LOCAL_NAME_EVENTS, cmd ? cmd->sk : NULL);
10063 	ext_info_changed(hdev, cmd ? cmd->sk : NULL);
10064 }
10065 
10066 static inline bool has_uuid(u8 *uuid, u16 uuid_count, u8 (*uuids)[16])
10067 {
10068 	int i;
10069 
10070 	for (i = 0; i < uuid_count; i++) {
10071 		if (!memcmp(uuid, uuids[i], 16))
10072 			return true;
10073 	}
10074 
10075 	return false;
10076 }
10077 
10078 static bool eir_has_uuids(u8 *eir, u16 eir_len, u16 uuid_count, u8 (*uuids)[16])
10079 {
10080 	u16 parsed = 0;
10081 
10082 	while (parsed < eir_len) {
10083 		u8 field_len = eir[0];
10084 		u8 uuid[16];
10085 		int i;
10086 
10087 		if (field_len == 0)
10088 			break;
10089 
10090 		if (eir_len - parsed < field_len + 1)
10091 			break;
10092 
10093 		switch (eir[1]) {
10094 		case EIR_UUID16_ALL:
10095 		case EIR_UUID16_SOME:
10096 			for (i = 0; i + 3 <= field_len; i += 2) {
10097 				memcpy(uuid, bluetooth_base_uuid, 16);
10098 				uuid[13] = eir[i + 3];
10099 				uuid[12] = eir[i + 2];
10100 				if (has_uuid(uuid, uuid_count, uuids))
10101 					return true;
10102 			}
10103 			break;
10104 		case EIR_UUID32_ALL:
10105 		case EIR_UUID32_SOME:
10106 			for (i = 0; i + 5 <= field_len; i += 4) {
10107 				memcpy(uuid, bluetooth_base_uuid, 16);
10108 				uuid[15] = eir[i + 5];
10109 				uuid[14] = eir[i + 4];
10110 				uuid[13] = eir[i + 3];
10111 				uuid[12] = eir[i + 2];
10112 				if (has_uuid(uuid, uuid_count, uuids))
10113 					return true;
10114 			}
10115 			break;
10116 		case EIR_UUID128_ALL:
10117 		case EIR_UUID128_SOME:
10118 			for (i = 0; i + 17 <= field_len; i += 16) {
10119 				memcpy(uuid, eir + i + 2, 16);
10120 				if (has_uuid(uuid, uuid_count, uuids))
10121 					return true;
10122 			}
10123 			break;
10124 		}
10125 
10126 		parsed += field_len + 1;
10127 		eir += field_len + 1;
10128 	}
10129 
10130 	return false;
10131 }
10132 
10133 static void restart_le_scan(struct hci_dev *hdev)
10134 {
10135 	/* If controller is not scanning we are done. */
10136 	if (!hci_dev_test_flag(hdev, HCI_LE_SCAN))
10137 		return;
10138 
10139 	if (time_after(jiffies + DISCOV_LE_RESTART_DELAY,
10140 		       hdev->discovery.scan_start +
10141 		       hdev->discovery.scan_duration))
10142 		return;
10143 
10144 	queue_delayed_work(hdev->req_workqueue, &hdev->le_scan_restart,
10145 			   DISCOV_LE_RESTART_DELAY);
10146 }
10147 
10148 static bool is_filter_match(struct hci_dev *hdev, s8 rssi, u8 *eir,
10149 			    u16 eir_len, u8 *scan_rsp, u8 scan_rsp_len)
10150 {
10151 	/* If a RSSI threshold has been specified, and
10152 	 * HCI_QUIRK_STRICT_DUPLICATE_FILTER is not set, then all results with
10153 	 * a RSSI smaller than the RSSI threshold will be dropped. If the quirk
10154 	 * is set, let it through for further processing, as we might need to
10155 	 * restart the scan.
10156 	 *
10157 	 * For BR/EDR devices (pre 1.2) providing no RSSI during inquiry,
10158 	 * the results are also dropped.
10159 	 */
10160 	if (hdev->discovery.rssi != HCI_RSSI_INVALID &&
10161 	    (rssi == HCI_RSSI_INVALID ||
10162 	    (rssi < hdev->discovery.rssi &&
10163 	     !test_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks))))
10164 		return  false;
10165 
10166 	if (hdev->discovery.uuid_count != 0) {
10167 		/* If a list of UUIDs is provided in filter, results with no
10168 		 * matching UUID should be dropped.
10169 		 */
10170 		if (!eir_has_uuids(eir, eir_len, hdev->discovery.uuid_count,
10171 				   hdev->discovery.uuids) &&
10172 		    !eir_has_uuids(scan_rsp, scan_rsp_len,
10173 				   hdev->discovery.uuid_count,
10174 				   hdev->discovery.uuids))
10175 			return false;
10176 	}
10177 
10178 	/* If duplicate filtering does not report RSSI changes, then restart
10179 	 * scanning to ensure updated result with updated RSSI values.
10180 	 */
10181 	if (test_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks)) {
10182 		restart_le_scan(hdev);
10183 
10184 		/* Validate RSSI value against the RSSI threshold once more. */
10185 		if (hdev->discovery.rssi != HCI_RSSI_INVALID &&
10186 		    rssi < hdev->discovery.rssi)
10187 			return false;
10188 	}
10189 
10190 	return true;
10191 }
10192 
10193 void mgmt_adv_monitor_device_lost(struct hci_dev *hdev, u16 handle,
10194 				  bdaddr_t *bdaddr, u8 addr_type)
10195 {
10196 	struct mgmt_ev_adv_monitor_device_lost ev;
10197 
10198 	ev.monitor_handle = cpu_to_le16(handle);
10199 	bacpy(&ev.addr.bdaddr, bdaddr);
10200 	ev.addr.type = addr_type;
10201 
10202 	mgmt_event(MGMT_EV_ADV_MONITOR_DEVICE_LOST, hdev, &ev, sizeof(ev),
10203 		   NULL);
10204 }
10205 
10206 static void mgmt_send_adv_monitor_device_found(struct hci_dev *hdev,
10207 					       struct sk_buff *skb,
10208 					       struct sock *skip_sk,
10209 					       u16 handle)
10210 {
10211 	struct sk_buff *advmon_skb;
10212 	size_t advmon_skb_len;
10213 	__le16 *monitor_handle;
10214 
10215 	if (!skb)
10216 		return;
10217 
10218 	advmon_skb_len = (sizeof(struct mgmt_ev_adv_monitor_device_found) -
10219 			  sizeof(struct mgmt_ev_device_found)) + skb->len;
10220 	advmon_skb = mgmt_alloc_skb(hdev, MGMT_EV_ADV_MONITOR_DEVICE_FOUND,
10221 				    advmon_skb_len);
10222 	if (!advmon_skb)
10223 		return;
10224 
10225 	/* ADV_MONITOR_DEVICE_FOUND is similar to DEVICE_FOUND event except
10226 	 * that it also has 'monitor_handle'. Make a copy of DEVICE_FOUND and
10227 	 * store monitor_handle of the matched monitor.
10228 	 */
10229 	monitor_handle = skb_put(advmon_skb, sizeof(*monitor_handle));
10230 	*monitor_handle = cpu_to_le16(handle);
10231 	skb_put_data(advmon_skb, skb->data, skb->len);
10232 
10233 	mgmt_event_skb(advmon_skb, skip_sk);
10234 }
10235 
10236 static void mgmt_adv_monitor_device_found(struct hci_dev *hdev,
10237 					  bdaddr_t *bdaddr, bool report_device,
10238 					  struct sk_buff *skb,
10239 					  struct sock *skip_sk)
10240 {
10241 	struct monitored_device *dev, *tmp;
10242 	bool matched = false;
10243 	bool notified = false;
10244 
10245 	/* We have received the Advertisement Report because:
10246 	 * 1. the kernel has initiated active discovery
10247 	 * 2. if not, we have pend_le_reports > 0 in which case we are doing
10248 	 *    passive scanning
10249 	 * 3. if none of the above is true, we have one or more active
10250 	 *    Advertisement Monitor
10251 	 *
10252 	 * For case 1 and 2, report all advertisements via MGMT_EV_DEVICE_FOUND
10253 	 * and report ONLY one advertisement per device for the matched Monitor
10254 	 * via MGMT_EV_ADV_MONITOR_DEVICE_FOUND event.
10255 	 *
10256 	 * For case 3, since we are not active scanning and all advertisements
10257 	 * received are due to a matched Advertisement Monitor, report all
10258 	 * advertisements ONLY via MGMT_EV_ADV_MONITOR_DEVICE_FOUND event.
10259 	 */
10260 	if (report_device && !hdev->advmon_pend_notify) {
10261 		mgmt_event_skb(skb, skip_sk);
10262 		return;
10263 	}
10264 
10265 	hdev->advmon_pend_notify = false;
10266 
10267 	list_for_each_entry_safe(dev, tmp, &hdev->monitored_devices, list) {
10268 		if (!bacmp(&dev->bdaddr, bdaddr)) {
10269 			matched = true;
10270 
10271 			if (!dev->notified) {
10272 				mgmt_send_adv_monitor_device_found(hdev, skb,
10273 								   skip_sk,
10274 								   dev->handle);
10275 				notified = true;
10276 				dev->notified = true;
10277 			}
10278 		}
10279 
10280 		if (!dev->notified)
10281 			hdev->advmon_pend_notify = true;
10282 	}
10283 
10284 	if (!report_device &&
10285 	    ((matched && !notified) || !msft_monitor_supported(hdev))) {
10286 		/* Handle 0 indicates that we are not active scanning and this
10287 		 * is a subsequent advertisement report for an already matched
10288 		 * Advertisement Monitor or the controller offloading support
10289 		 * is not available.
10290 		 */
10291 		mgmt_send_adv_monitor_device_found(hdev, skb, skip_sk, 0);
10292 	}
10293 
10294 	if (report_device)
10295 		mgmt_event_skb(skb, skip_sk);
10296 	else
10297 		kfree_skb(skb);
10298 }
10299 
10300 static void mesh_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr,
10301 			      u8 addr_type, s8 rssi, u32 flags, u8 *eir,
10302 			      u16 eir_len, u8 *scan_rsp, u8 scan_rsp_len,
10303 			      u64 instant)
10304 {
10305 	struct sk_buff *skb;
10306 	struct mgmt_ev_mesh_device_found *ev;
10307 	int i, j;
10308 
10309 	if (!hdev->mesh_ad_types[0])
10310 		goto accepted;
10311 
10312 	/* Scan for requested AD types */
10313 	if (eir_len > 0) {
10314 		for (i = 0; i + 1 < eir_len; i += eir[i] + 1) {
10315 			for (j = 0; j < sizeof(hdev->mesh_ad_types); j++) {
10316 				if (!hdev->mesh_ad_types[j])
10317 					break;
10318 
10319 				if (hdev->mesh_ad_types[j] == eir[i + 1])
10320 					goto accepted;
10321 			}
10322 		}
10323 	}
10324 
10325 	if (scan_rsp_len > 0) {
10326 		for (i = 0; i + 1 < scan_rsp_len; i += scan_rsp[i] + 1) {
10327 			for (j = 0; j < sizeof(hdev->mesh_ad_types); j++) {
10328 				if (!hdev->mesh_ad_types[j])
10329 					break;
10330 
10331 				if (hdev->mesh_ad_types[j] == scan_rsp[i + 1])
10332 					goto accepted;
10333 			}
10334 		}
10335 	}
10336 
10337 	return;
10338 
10339 accepted:
10340 	skb = mgmt_alloc_skb(hdev, MGMT_EV_MESH_DEVICE_FOUND,
10341 			     sizeof(*ev) + eir_len + scan_rsp_len);
10342 	if (!skb)
10343 		return;
10344 
10345 	ev = skb_put(skb, sizeof(*ev));
10346 
10347 	bacpy(&ev->addr.bdaddr, bdaddr);
10348 	ev->addr.type = link_to_bdaddr(LE_LINK, addr_type);
10349 	ev->rssi = rssi;
10350 	ev->flags = cpu_to_le32(flags);
10351 	ev->instant = cpu_to_le64(instant);
10352 
10353 	if (eir_len > 0)
10354 		/* Copy EIR or advertising data into event */
10355 		skb_put_data(skb, eir, eir_len);
10356 
10357 	if (scan_rsp_len > 0)
10358 		/* Append scan response data to event */
10359 		skb_put_data(skb, scan_rsp, scan_rsp_len);
10360 
10361 	ev->eir_len = cpu_to_le16(eir_len + scan_rsp_len);
10362 
10363 	mgmt_event_skb(skb, NULL);
10364 }
10365 
10366 void mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
10367 		       u8 addr_type, u8 *dev_class, s8 rssi, u32 flags,
10368 		       u8 *eir, u16 eir_len, u8 *scan_rsp, u8 scan_rsp_len,
10369 		       u64 instant)
10370 {
10371 	struct sk_buff *skb;
10372 	struct mgmt_ev_device_found *ev;
10373 	bool report_device = hci_discovery_active(hdev);
10374 
10375 	if (hci_dev_test_flag(hdev, HCI_MESH) && link_type == LE_LINK)
10376 		mesh_device_found(hdev, bdaddr, addr_type, rssi, flags,
10377 				  eir, eir_len, scan_rsp, scan_rsp_len,
10378 				  instant);
10379 
10380 	/* Don't send events for a non-kernel initiated discovery. With
10381 	 * LE one exception is if we have pend_le_reports > 0 in which
10382 	 * case we're doing passive scanning and want these events.
10383 	 */
10384 	if (!hci_discovery_active(hdev)) {
10385 		if (link_type == ACL_LINK)
10386 			return;
10387 		if (link_type == LE_LINK && !list_empty(&hdev->pend_le_reports))
10388 			report_device = true;
10389 		else if (!hci_is_adv_monitoring(hdev))
10390 			return;
10391 	}
10392 
10393 	if (hdev->discovery.result_filtering) {
10394 		/* We are using service discovery */
10395 		if (!is_filter_match(hdev, rssi, eir, eir_len, scan_rsp,
10396 				     scan_rsp_len))
10397 			return;
10398 	}
10399 
10400 	if (hdev->discovery.limited) {
10401 		/* Check for limited discoverable bit */
10402 		if (dev_class) {
10403 			if (!(dev_class[1] & 0x20))
10404 				return;
10405 		} else {
10406 			u8 *flags = eir_get_data(eir, eir_len, EIR_FLAGS, NULL);
10407 			if (!flags || !(flags[0] & LE_AD_LIMITED))
10408 				return;
10409 		}
10410 	}
10411 
10412 	/* Allocate skb. The 5 extra bytes are for the potential CoD field */
10413 	skb = mgmt_alloc_skb(hdev, MGMT_EV_DEVICE_FOUND,
10414 			     sizeof(*ev) + eir_len + scan_rsp_len + 5);
10415 	if (!skb)
10416 		return;
10417 
10418 	ev = skb_put(skb, sizeof(*ev));
10419 
10420 	/* In case of device discovery with BR/EDR devices (pre 1.2), the
10421 	 * RSSI value was reported as 0 when not available. This behavior
10422 	 * is kept when using device discovery. This is required for full
10423 	 * backwards compatibility with the API.
10424 	 *
10425 	 * However when using service discovery, the value 127 will be
10426 	 * returned when the RSSI is not available.
10427 	 */
10428 	if (rssi == HCI_RSSI_INVALID && !hdev->discovery.report_invalid_rssi &&
10429 	    link_type == ACL_LINK)
10430 		rssi = 0;
10431 
10432 	bacpy(&ev->addr.bdaddr, bdaddr);
10433 	ev->addr.type = link_to_bdaddr(link_type, addr_type);
10434 	ev->rssi = rssi;
10435 	ev->flags = cpu_to_le32(flags);
10436 
10437 	if (eir_len > 0)
10438 		/* Copy EIR or advertising data into event */
10439 		skb_put_data(skb, eir, eir_len);
10440 
10441 	if (dev_class && !eir_get_data(eir, eir_len, EIR_CLASS_OF_DEV, NULL)) {
10442 		u8 eir_cod[5];
10443 
10444 		eir_len += eir_append_data(eir_cod, 0, EIR_CLASS_OF_DEV,
10445 					   dev_class, 3);
10446 		skb_put_data(skb, eir_cod, sizeof(eir_cod));
10447 	}
10448 
10449 	if (scan_rsp_len > 0)
10450 		/* Append scan response data to event */
10451 		skb_put_data(skb, scan_rsp, scan_rsp_len);
10452 
10453 	ev->eir_len = cpu_to_le16(eir_len + scan_rsp_len);
10454 
10455 	mgmt_adv_monitor_device_found(hdev, bdaddr, report_device, skb, NULL);
10456 }
10457 
10458 void mgmt_remote_name(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
10459 		      u8 addr_type, s8 rssi, u8 *name, u8 name_len)
10460 {
10461 	struct sk_buff *skb;
10462 	struct mgmt_ev_device_found *ev;
10463 	u16 eir_len = 0;
10464 	u32 flags = 0;
10465 
10466 	skb = mgmt_alloc_skb(hdev, MGMT_EV_DEVICE_FOUND,
10467 			     sizeof(*ev) + (name ? eir_precalc_len(name_len) : 0));
10468 
10469 	ev = skb_put(skb, sizeof(*ev));
10470 	bacpy(&ev->addr.bdaddr, bdaddr);
10471 	ev->addr.type = link_to_bdaddr(link_type, addr_type);
10472 	ev->rssi = rssi;
10473 
10474 	if (name)
10475 		eir_len += eir_skb_put_data(skb, EIR_NAME_COMPLETE, name, name_len);
10476 	else
10477 		flags = MGMT_DEV_FOUND_NAME_REQUEST_FAILED;
10478 
10479 	ev->eir_len = cpu_to_le16(eir_len);
10480 	ev->flags = cpu_to_le32(flags);
10481 
10482 	mgmt_event_skb(skb, NULL);
10483 }
10484 
10485 void mgmt_discovering(struct hci_dev *hdev, u8 discovering)
10486 {
10487 	struct mgmt_ev_discovering ev;
10488 
10489 	bt_dev_dbg(hdev, "discovering %u", discovering);
10490 
10491 	memset(&ev, 0, sizeof(ev));
10492 	ev.type = hdev->discovery.type;
10493 	ev.discovering = discovering;
10494 
10495 	mgmt_event(MGMT_EV_DISCOVERING, hdev, &ev, sizeof(ev), NULL);
10496 }
10497 
10498 void mgmt_suspending(struct hci_dev *hdev, u8 state)
10499 {
10500 	struct mgmt_ev_controller_suspend ev;
10501 
10502 	ev.suspend_state = state;
10503 	mgmt_event(MGMT_EV_CONTROLLER_SUSPEND, hdev, &ev, sizeof(ev), NULL);
10504 }
10505 
10506 void mgmt_resuming(struct hci_dev *hdev, u8 reason, bdaddr_t *bdaddr,
10507 		   u8 addr_type)
10508 {
10509 	struct mgmt_ev_controller_resume ev;
10510 
10511 	ev.wake_reason = reason;
10512 	if (bdaddr) {
10513 		bacpy(&ev.addr.bdaddr, bdaddr);
10514 		ev.addr.type = addr_type;
10515 	} else {
10516 		memset(&ev.addr, 0, sizeof(ev.addr));
10517 	}
10518 
10519 	mgmt_event(MGMT_EV_CONTROLLER_RESUME, hdev, &ev, sizeof(ev), NULL);
10520 }
10521 
10522 static struct hci_mgmt_chan chan = {
10523 	.channel	= HCI_CHANNEL_CONTROL,
10524 	.handler_count	= ARRAY_SIZE(mgmt_handlers),
10525 	.handlers	= mgmt_handlers,
10526 	.hdev_init	= mgmt_init_hdev,
10527 };
10528 
10529 int mgmt_init(void)
10530 {
10531 	return hci_mgmt_chan_register(&chan);
10532 }
10533 
10534 void mgmt_exit(void)
10535 {
10536 	hci_mgmt_chan_unregister(&chan);
10537 }
10538 
10539 void mgmt_cleanup(struct sock *sk)
10540 {
10541 	struct mgmt_mesh_tx *mesh_tx;
10542 	struct hci_dev *hdev;
10543 
10544 	read_lock(&hci_dev_list_lock);
10545 
10546 	list_for_each_entry(hdev, &hci_dev_list, list) {
10547 		do {
10548 			mesh_tx = mgmt_mesh_next(hdev, sk);
10549 
10550 			if (mesh_tx)
10551 				mesh_send_complete(hdev, mesh_tx, true);
10552 		} while (mesh_tx);
10553 	}
10554 
10555 	read_unlock(&hci_dev_list_lock);
10556 }
10557