~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/net/bluetooth/mgmt.c

Version: ~ [ linux-5.5-rc1 ] ~ [ linux-5.4.2 ] ~ [ linux-5.3.15 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.88 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.158 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.206 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.206 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.19.8 ] ~ [ linux-3.18.140 ] ~ [ linux-3.17.8 ] ~ [ linux-3.16.78 ] ~ [ linux-3.15.10 ] ~ [ linux-3.14.79 ] ~ [ linux-3.13.11 ] ~ [ linux-3.12.74 ] ~ [ linux-3.11.10 ] ~ [ linux-3.10.108 ] ~ [ linux-3.9.11 ] ~ [ linux-3.8.13 ] ~ [ linux-3.7.10 ] ~ [ linux-3.6.11 ] ~ [ linux-3.5.7 ] ~ [ linux-3.4.113 ] ~ [ linux-3.3.8 ] ~ [ linux-3.2.102 ] ~ [ linux-3.1.10 ] ~ [ linux-3.0.101 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2    BlueZ - Bluetooth protocol stack for Linux
  3 
  4    Copyright (C) 2010  Nokia Corporation
  5    Copyright (C) 2011-2012 Intel Corporation
  6 
  7    This program is free software; you can redistribute it and/or modify
  8    it under the terms of the GNU General Public License version 2 as
  9    published by the Free Software Foundation;
 10 
 11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
 12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
 14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
 15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
 16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 19 
 20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
 21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
 22    SOFTWARE IS DISCLAIMED.
 23 */
 24 
 25 /* Bluetooth HCI Management interface */
 26 
 27 #include <linux/module.h>
 28 #include <asm/unaligned.h>
 29 
 30 #include <net/bluetooth/bluetooth.h>
 31 #include <net/bluetooth/hci_core.h>
 32 #include <net/bluetooth/hci_sock.h>
 33 #include <net/bluetooth/l2cap.h>
 34 #include <net/bluetooth/mgmt.h>
 35 
 36 #include "hci_request.h"
 37 #include "smp.h"
 38 #include "mgmt_util.h"
 39 
 40 #define MGMT_VERSION    1
 41 #define MGMT_REVISION   14
 42 
 43 static const u16 mgmt_commands[] = {
 44         MGMT_OP_READ_INDEX_LIST,
 45         MGMT_OP_READ_INFO,
 46         MGMT_OP_SET_POWERED,
 47         MGMT_OP_SET_DISCOVERABLE,
 48         MGMT_OP_SET_CONNECTABLE,
 49         MGMT_OP_SET_FAST_CONNECTABLE,
 50         MGMT_OP_SET_BONDABLE,
 51         MGMT_OP_SET_LINK_SECURITY,
 52         MGMT_OP_SET_SSP,
 53         MGMT_OP_SET_HS,
 54         MGMT_OP_SET_LE,
 55         MGMT_OP_SET_DEV_CLASS,
 56         MGMT_OP_SET_LOCAL_NAME,
 57         MGMT_OP_ADD_UUID,
 58         MGMT_OP_REMOVE_UUID,
 59         MGMT_OP_LOAD_LINK_KEYS,
 60         MGMT_OP_LOAD_LONG_TERM_KEYS,
 61         MGMT_OP_DISCONNECT,
 62         MGMT_OP_GET_CONNECTIONS,
 63         MGMT_OP_PIN_CODE_REPLY,
 64         MGMT_OP_PIN_CODE_NEG_REPLY,
 65         MGMT_OP_SET_IO_CAPABILITY,
 66         MGMT_OP_PAIR_DEVICE,
 67         MGMT_OP_CANCEL_PAIR_DEVICE,
 68         MGMT_OP_UNPAIR_DEVICE,
 69         MGMT_OP_USER_CONFIRM_REPLY,
 70         MGMT_OP_USER_CONFIRM_NEG_REPLY,
 71         MGMT_OP_USER_PASSKEY_REPLY,
 72         MGMT_OP_USER_PASSKEY_NEG_REPLY,
 73         MGMT_OP_READ_LOCAL_OOB_DATA,
 74         MGMT_OP_ADD_REMOTE_OOB_DATA,
 75         MGMT_OP_REMOVE_REMOTE_OOB_DATA,
 76         MGMT_OP_START_DISCOVERY,
 77         MGMT_OP_STOP_DISCOVERY,
 78         MGMT_OP_CONFIRM_NAME,
 79         MGMT_OP_BLOCK_DEVICE,
 80         MGMT_OP_UNBLOCK_DEVICE,
 81         MGMT_OP_SET_DEVICE_ID,
 82         MGMT_OP_SET_ADVERTISING,
 83         MGMT_OP_SET_BREDR,
 84         MGMT_OP_SET_STATIC_ADDRESS,
 85         MGMT_OP_SET_SCAN_PARAMS,
 86         MGMT_OP_SET_SECURE_CONN,
 87         MGMT_OP_SET_DEBUG_KEYS,
 88         MGMT_OP_SET_PRIVACY,
 89         MGMT_OP_LOAD_IRKS,
 90         MGMT_OP_GET_CONN_INFO,
 91         MGMT_OP_GET_CLOCK_INFO,
 92         MGMT_OP_ADD_DEVICE,
 93         MGMT_OP_REMOVE_DEVICE,
 94         MGMT_OP_LOAD_CONN_PARAM,
 95         MGMT_OP_READ_UNCONF_INDEX_LIST,
 96         MGMT_OP_READ_CONFIG_INFO,
 97         MGMT_OP_SET_EXTERNAL_CONFIG,
 98         MGMT_OP_SET_PUBLIC_ADDRESS,
 99         MGMT_OP_START_SERVICE_DISCOVERY,
100         MGMT_OP_READ_LOCAL_OOB_EXT_DATA,
101         MGMT_OP_READ_EXT_INDEX_LIST,
102         MGMT_OP_READ_ADV_FEATURES,
103         MGMT_OP_ADD_ADVERTISING,
104         MGMT_OP_REMOVE_ADVERTISING,
105         MGMT_OP_GET_ADV_SIZE_INFO,
106         MGMT_OP_START_LIMITED_DISCOVERY,
107         MGMT_OP_READ_EXT_INFO,
108         MGMT_OP_SET_APPEARANCE,
109 };
110 
111 static const u16 mgmt_events[] = {
112         MGMT_EV_CONTROLLER_ERROR,
113         MGMT_EV_INDEX_ADDED,
114         MGMT_EV_INDEX_REMOVED,
115         MGMT_EV_NEW_SETTINGS,
116         MGMT_EV_CLASS_OF_DEV_CHANGED,
117         MGMT_EV_LOCAL_NAME_CHANGED,
118         MGMT_EV_NEW_LINK_KEY,
119         MGMT_EV_NEW_LONG_TERM_KEY,
120         MGMT_EV_DEVICE_CONNECTED,
121         MGMT_EV_DEVICE_DISCONNECTED,
122         MGMT_EV_CONNECT_FAILED,
123         MGMT_EV_PIN_CODE_REQUEST,
124         MGMT_EV_USER_CONFIRM_REQUEST,
125         MGMT_EV_USER_PASSKEY_REQUEST,
126         MGMT_EV_AUTH_FAILED,
127         MGMT_EV_DEVICE_FOUND,
128         MGMT_EV_DISCOVERING,
129         MGMT_EV_DEVICE_BLOCKED,
130         MGMT_EV_DEVICE_UNBLOCKED,
131         MGMT_EV_DEVICE_UNPAIRED,
132         MGMT_EV_PASSKEY_NOTIFY,
133         MGMT_EV_NEW_IRK,
134         MGMT_EV_NEW_CSRK,
135         MGMT_EV_DEVICE_ADDED,
136         MGMT_EV_DEVICE_REMOVED,
137         MGMT_EV_NEW_CONN_PARAM,
138         MGMT_EV_UNCONF_INDEX_ADDED,
139         MGMT_EV_UNCONF_INDEX_REMOVED,
140         MGMT_EV_NEW_CONFIG_OPTIONS,
141         MGMT_EV_EXT_INDEX_ADDED,
142         MGMT_EV_EXT_INDEX_REMOVED,
143         MGMT_EV_LOCAL_OOB_DATA_UPDATED,
144         MGMT_EV_ADVERTISING_ADDED,
145         MGMT_EV_ADVERTISING_REMOVED,
146         MGMT_EV_EXT_INFO_CHANGED,
147 };
148 
149 static const u16 mgmt_untrusted_commands[] = {
150         MGMT_OP_READ_INDEX_LIST,
151         MGMT_OP_READ_INFO,
152         MGMT_OP_READ_UNCONF_INDEX_LIST,
153         MGMT_OP_READ_CONFIG_INFO,
154         MGMT_OP_READ_EXT_INDEX_LIST,
155         MGMT_OP_READ_EXT_INFO,
156 };
157 
158 static const u16 mgmt_untrusted_events[] = {
159         MGMT_EV_INDEX_ADDED,
160         MGMT_EV_INDEX_REMOVED,
161         MGMT_EV_NEW_SETTINGS,
162         MGMT_EV_CLASS_OF_DEV_CHANGED,
163         MGMT_EV_LOCAL_NAME_CHANGED,
164         MGMT_EV_UNCONF_INDEX_ADDED,
165         MGMT_EV_UNCONF_INDEX_REMOVED,
166         MGMT_EV_NEW_CONFIG_OPTIONS,
167         MGMT_EV_EXT_INDEX_ADDED,
168         MGMT_EV_EXT_INDEX_REMOVED,
169         MGMT_EV_EXT_INFO_CHANGED,
170 };
171 
172 #define CACHE_TIMEOUT   msecs_to_jiffies(2 * 1000)
173 
174 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
175                  "\x00\x00\x00\x00\x00\x00\x00\x00"
176 
177 /* HCI to MGMT error code conversion table */
178 static u8 mgmt_status_table[] = {
179         MGMT_STATUS_SUCCESS,
180         MGMT_STATUS_UNKNOWN_COMMAND,    /* Unknown Command */
181         MGMT_STATUS_NOT_CONNECTED,      /* No Connection */
182         MGMT_STATUS_FAILED,             /* Hardware Failure */
183         MGMT_STATUS_CONNECT_FAILED,     /* Page Timeout */
184         MGMT_STATUS_AUTH_FAILED,        /* Authentication Failed */
185         MGMT_STATUS_AUTH_FAILED,        /* PIN or Key Missing */
186         MGMT_STATUS_NO_RESOURCES,       /* Memory Full */
187         MGMT_STATUS_TIMEOUT,            /* Connection Timeout */
188         MGMT_STATUS_NO_RESOURCES,       /* Max Number of Connections */
189         MGMT_STATUS_NO_RESOURCES,       /* Max Number of SCO Connections */
190         MGMT_STATUS_ALREADY_CONNECTED,  /* ACL Connection Exists */
191         MGMT_STATUS_BUSY,               /* Command Disallowed */
192         MGMT_STATUS_NO_RESOURCES,       /* Rejected Limited Resources */
193         MGMT_STATUS_REJECTED,           /* Rejected Security */
194         MGMT_STATUS_REJECTED,           /* Rejected Personal */
195         MGMT_STATUS_TIMEOUT,            /* Host Timeout */
196         MGMT_STATUS_NOT_SUPPORTED,      /* Unsupported Feature */
197         MGMT_STATUS_INVALID_PARAMS,     /* Invalid Parameters */
198         MGMT_STATUS_DISCONNECTED,       /* OE User Ended Connection */
199         MGMT_STATUS_NO_RESOURCES,       /* OE Low Resources */
200         MGMT_STATUS_DISCONNECTED,       /* OE Power Off */
201         MGMT_STATUS_DISCONNECTED,       /* Connection Terminated */
202         MGMT_STATUS_BUSY,               /* Repeated Attempts */
203         MGMT_STATUS_REJECTED,           /* Pairing Not Allowed */
204         MGMT_STATUS_FAILED,             /* Unknown LMP PDU */
205         MGMT_STATUS_NOT_SUPPORTED,      /* Unsupported Remote Feature */
206         MGMT_STATUS_REJECTED,           /* SCO Offset Rejected */
207         MGMT_STATUS_REJECTED,           /* SCO Interval Rejected */
208         MGMT_STATUS_REJECTED,           /* Air Mode Rejected */
209         MGMT_STATUS_INVALID_PARAMS,     /* Invalid LMP Parameters */
210         MGMT_STATUS_FAILED,             /* Unspecified Error */
211         MGMT_STATUS_NOT_SUPPORTED,      /* Unsupported LMP Parameter Value */
212         MGMT_STATUS_FAILED,             /* Role Change Not Allowed */
213         MGMT_STATUS_TIMEOUT,            /* LMP Response Timeout */
214         MGMT_STATUS_FAILED,             /* LMP Error Transaction Collision */
215         MGMT_STATUS_FAILED,             /* LMP PDU Not Allowed */
216         MGMT_STATUS_REJECTED,           /* Encryption Mode Not Accepted */
217         MGMT_STATUS_FAILED,             /* Unit Link Key Used */
218         MGMT_STATUS_NOT_SUPPORTED,      /* QoS Not Supported */
219         MGMT_STATUS_TIMEOUT,            /* Instant Passed */
220         MGMT_STATUS_NOT_SUPPORTED,      /* Pairing Not Supported */
221         MGMT_STATUS_FAILED,             /* Transaction Collision */
222         MGMT_STATUS_INVALID_PARAMS,     /* Unacceptable Parameter */
223         MGMT_STATUS_REJECTED,           /* QoS Rejected */
224         MGMT_STATUS_NOT_SUPPORTED,      /* Classification Not Supported */
225         MGMT_STATUS_REJECTED,           /* Insufficient Security */
226         MGMT_STATUS_INVALID_PARAMS,     /* Parameter Out Of Range */
227         MGMT_STATUS_BUSY,               /* Role Switch Pending */
228         MGMT_STATUS_FAILED,             /* Slot Violation */
229         MGMT_STATUS_FAILED,             /* Role Switch Failed */
230         MGMT_STATUS_INVALID_PARAMS,     /* EIR Too Large */
231         MGMT_STATUS_NOT_SUPPORTED,      /* Simple Pairing Not Supported */
232         MGMT_STATUS_BUSY,               /* Host Busy Pairing */
233         MGMT_STATUS_REJECTED,           /* Rejected, No Suitable Channel */
234         MGMT_STATUS_BUSY,               /* Controller Busy */
235         MGMT_STATUS_INVALID_PARAMS,     /* Unsuitable Connection Interval */
236         MGMT_STATUS_TIMEOUT,            /* Directed Advertising Timeout */
237         MGMT_STATUS_AUTH_FAILED,        /* Terminated Due to MIC Failure */
238         MGMT_STATUS_CONNECT_FAILED,     /* Connection Establishment Failed */
239         MGMT_STATUS_CONNECT_FAILED,     /* MAC Connection Failed */
240 };
241 
242 static u8 mgmt_status(u8 hci_status)
243 {
244         if (hci_status < ARRAY_SIZE(mgmt_status_table))
245                 return mgmt_status_table[hci_status];
246 
247         return MGMT_STATUS_FAILED;
248 }
249 
250 static int mgmt_index_event(u16 event, struct hci_dev *hdev, void *data,
251                             u16 len, int flag)
252 {
253         return mgmt_send_event(event, hdev, HCI_CHANNEL_CONTROL, data, len,
254                                flag, NULL);
255 }
256 
257 static int mgmt_limited_event(u16 event, struct hci_dev *hdev, void *data,
258                               u16 len, int flag, struct sock *skip_sk)
259 {
260         return mgmt_send_event(event, hdev, HCI_CHANNEL_CONTROL, data, len,
261                                flag, skip_sk);
262 }
263 
264 static int mgmt_event(u16 event, struct hci_dev *hdev, void *data, u16 len,
265                       struct sock *skip_sk)
266 {
267         return mgmt_send_event(event, hdev, HCI_CHANNEL_CONTROL, data, len,
268                                HCI_SOCK_TRUSTED, skip_sk);
269 }
270 
271 static u8 le_addr_type(u8 mgmt_addr_type)
272 {
273         if (mgmt_addr_type == BDADDR_LE_PUBLIC)
274                 return ADDR_LE_DEV_PUBLIC;
275         else
276                 return ADDR_LE_DEV_RANDOM;
277 }
278 
279 void mgmt_fill_version_info(void *ver)
280 {
281         struct mgmt_rp_read_version *rp = ver;
282 
283         rp->version = MGMT_VERSION;
284         rp->revision = cpu_to_le16(MGMT_REVISION);
285 }
286 
287 static int read_version(struct sock *sk, struct hci_dev *hdev, void *data,
288                         u16 data_len)
289 {
290         struct mgmt_rp_read_version rp;
291 
292         BT_DBG("sock %p", sk);
293 
294         mgmt_fill_version_info(&rp);
295 
296         return mgmt_cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_VERSION, 0,
297                                  &rp, sizeof(rp));
298 }
299 
300 static int read_commands(struct sock *sk, struct hci_dev *hdev, void *data,
301                          u16 data_len)
302 {
303         struct mgmt_rp_read_commands *rp;
304         u16 num_commands, num_events;
305         size_t rp_size;
306         int i, err;
307 
308         BT_DBG("sock %p", sk);
309 
310         if (hci_sock_test_flag(sk, HCI_SOCK_TRUSTED)) {
311                 num_commands = ARRAY_SIZE(mgmt_commands);
312                 num_events = ARRAY_SIZE(mgmt_events);
313         } else {
314                 num_commands = ARRAY_SIZE(mgmt_untrusted_commands);
315                 num_events = ARRAY_SIZE(mgmt_untrusted_events);
316         }
317 
318         rp_size = sizeof(*rp) + ((num_commands + num_events) * sizeof(u16));
319 
320         rp = kmalloc(rp_size, GFP_KERNEL);
321         if (!rp)
322                 return -ENOMEM;
323 
324         rp->num_commands = cpu_to_le16(num_commands);
325         rp->num_events = cpu_to_le16(num_events);
326 
327         if (hci_sock_test_flag(sk, HCI_SOCK_TRUSTED)) {
328                 __le16 *opcode = rp->opcodes;
329 
330                 for (i = 0; i < num_commands; i++, opcode++)
331                         put_unaligned_le16(mgmt_commands[i], opcode);
332 
333                 for (i = 0; i < num_events; i++, opcode++)
334                         put_unaligned_le16(mgmt_events[i], opcode);
335         } else {
336                 __le16 *opcode = rp->opcodes;
337 
338                 for (i = 0; i < num_commands; i++, opcode++)
339                         put_unaligned_le16(mgmt_untrusted_commands[i], opcode);
340 
341                 for (i = 0; i < num_events; i++, opcode++)
342                         put_unaligned_le16(mgmt_untrusted_events[i], opcode);
343         }
344 
345         err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_COMMANDS, 0,
346                                 rp, rp_size);
347         kfree(rp);
348 
349         return err;
350 }
351 
352 static int read_index_list(struct sock *sk, struct hci_dev *hdev, void *data,
353                            u16 data_len)
354 {
355         struct mgmt_rp_read_index_list *rp;
356         struct hci_dev *d;
357         size_t rp_len;
358         u16 count;
359         int err;
360 
361         BT_DBG("sock %p", sk);
362 
363         read_lock(&hci_dev_list_lock);
364 
365         count = 0;
366         list_for_each_entry(d, &hci_dev_list, list) {
367                 if (d->dev_type == HCI_PRIMARY &&
368                     !hci_dev_test_flag(d, HCI_UNCONFIGURED))
369                         count++;
370         }
371 
372         rp_len = sizeof(*rp) + (2 * count);
373         rp = kmalloc(rp_len, GFP_ATOMIC);
374         if (!rp) {
375                 read_unlock(&hci_dev_list_lock);
376                 return -ENOMEM;
377         }
378 
379         count = 0;
380         list_for_each_entry(d, &hci_dev_list, list) {
381                 if (hci_dev_test_flag(d, HCI_SETUP) ||
382                     hci_dev_test_flag(d, HCI_CONFIG) ||
383                     hci_dev_test_flag(d, HCI_USER_CHANNEL))
384                         continue;
385 
386                 /* Devices marked as raw-only are neither configured
387                  * nor unconfigured controllers.
388                  */
389                 if (test_bit(HCI_QUIRK_RAW_DEVICE, &d->quirks))
390                         continue;
391 
392                 if (d->dev_type == HCI_PRIMARY &&
393                     !hci_dev_test_flag(d, HCI_UNCONFIGURED)) {
394                         rp->index[count++] = cpu_to_le16(d->id);
395                         BT_DBG("Added hci%u", d->id);
396                 }
397         }
398 
399         rp->num_controllers = cpu_to_le16(count);
400         rp_len = sizeof(*rp) + (2 * count);
401 
402         read_unlock(&hci_dev_list_lock);
403 
404         err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_INDEX_LIST,
405                                 0, rp, rp_len);
406 
407         kfree(rp);
408 
409         return err;
410 }
411 
412 static int read_unconf_index_list(struct sock *sk, struct hci_dev *hdev,
413                                   void *data, u16 data_len)
414 {
415         struct mgmt_rp_read_unconf_index_list *rp;
416         struct hci_dev *d;
417         size_t rp_len;
418         u16 count;
419         int err;
420 
421         BT_DBG("sock %p", sk);
422 
423         read_lock(&hci_dev_list_lock);
424 
425         count = 0;
426         list_for_each_entry(d, &hci_dev_list, list) {
427                 if (d->dev_type == HCI_PRIMARY &&
428                     hci_dev_test_flag(d, HCI_UNCONFIGURED))
429                         count++;
430         }
431 
432         rp_len = sizeof(*rp) + (2 * count);
433         rp = kmalloc(rp_len, GFP_ATOMIC);
434         if (!rp) {
435                 read_unlock(&hci_dev_list_lock);
436                 return -ENOMEM;
437         }
438 
439         count = 0;
440         list_for_each_entry(d, &hci_dev_list, list) {
441                 if (hci_dev_test_flag(d, HCI_SETUP) ||
442                     hci_dev_test_flag(d, HCI_CONFIG) ||
443                     hci_dev_test_flag(d, HCI_USER_CHANNEL))
444                         continue;
445 
446                 /* Devices marked as raw-only are neither configured
447                  * nor unconfigured controllers.
448                  */
449                 if (test_bit(HCI_QUIRK_RAW_DEVICE, &d->quirks))
450                         continue;
451 
452                 if (d->dev_type == HCI_PRIMARY &&
453                     hci_dev_test_flag(d, HCI_UNCONFIGURED)) {
454                         rp->index[count++] = cpu_to_le16(d->id);
455                         BT_DBG("Added hci%u", d->id);
456                 }
457         }
458 
459         rp->num_controllers = cpu_to_le16(count);
460         rp_len = sizeof(*rp) + (2 * count);
461 
462         read_unlock(&hci_dev_list_lock);
463 
464         err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE,
465                                 MGMT_OP_READ_UNCONF_INDEX_LIST, 0, rp, rp_len);
466 
467         kfree(rp);
468 
469         return err;
470 }
471 
472 static int read_ext_index_list(struct sock *sk, struct hci_dev *hdev,
473                                void *data, u16 data_len)
474 {
475         struct mgmt_rp_read_ext_index_list *rp;
476         struct hci_dev *d;
477         size_t rp_len;
478         u16 count;
479         int err;
480 
481         BT_DBG("sock %p", sk);
482 
483         read_lock(&hci_dev_list_lock);
484 
485         count = 0;
486         list_for_each_entry(d, &hci_dev_list, list) {
487                 if (d->dev_type == HCI_PRIMARY || d->dev_type == HCI_AMP)
488                         count++;
489         }
490 
491         rp_len = sizeof(*rp) + (sizeof(rp->entry[0]) * count);
492         rp = kmalloc(rp_len, GFP_ATOMIC);
493         if (!rp) {
494                 read_unlock(&hci_dev_list_lock);
495                 return -ENOMEM;
496         }
497 
498         count = 0;
499         list_for_each_entry(d, &hci_dev_list, list) {
500                 if (hci_dev_test_flag(d, HCI_SETUP) ||
501                     hci_dev_test_flag(d, HCI_CONFIG) ||
502                     hci_dev_test_flag(d, HCI_USER_CHANNEL))
503                         continue;
504 
505                 /* Devices marked as raw-only are neither configured
506                  * nor unconfigured controllers.
507                  */
508                 if (test_bit(HCI_QUIRK_RAW_DEVICE, &d->quirks))
509                         continue;
510 
511                 if (d->dev_type == HCI_PRIMARY) {
512                         if (hci_dev_test_flag(d, HCI_UNCONFIGURED))
513                                 rp->entry[count].type = 0x01;
514                         else
515                                 rp->entry[count].type = 0x00;
516                 } else if (d->dev_type == HCI_AMP) {
517                         rp->entry[count].type = 0x02;
518                 } else {
519                         continue;
520                 }
521 
522                 rp->entry[count].bus = d->bus;
523                 rp->entry[count++].index = cpu_to_le16(d->id);
524                 BT_DBG("Added hci%u", d->id);
525         }
526 
527         rp->num_controllers = cpu_to_le16(count);
528         rp_len = sizeof(*rp) + (sizeof(rp->entry[0]) * count);
529 
530         read_unlock(&hci_dev_list_lock);
531 
532         /* If this command is called at least once, then all the
533          * default index and unconfigured index events are disabled
534          * and from now on only extended index events are used.
535          */
536         hci_sock_set_flag(sk, HCI_MGMT_EXT_INDEX_EVENTS);
537         hci_sock_clear_flag(sk, HCI_MGMT_INDEX_EVENTS);
538         hci_sock_clear_flag(sk, HCI_MGMT_UNCONF_INDEX_EVENTS);
539 
540         err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE,
541                                 MGMT_OP_READ_EXT_INDEX_LIST, 0, rp, rp_len);
542 
543         kfree(rp);
544 
545         return err;
546 }
547 
548 static bool is_configured(struct hci_dev *hdev)
549 {
550         if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) &&
551             !hci_dev_test_flag(hdev, HCI_EXT_CONFIGURED))
552                 return false;
553 
554         if (test_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks) &&
555             !bacmp(&hdev->public_addr, BDADDR_ANY))
556                 return false;
557 
558         return true;
559 }
560 
561 static __le32 get_missing_options(struct hci_dev *hdev)
562 {
563         u32 options = 0;
564 
565         if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) &&
566             !hci_dev_test_flag(hdev, HCI_EXT_CONFIGURED))
567                 options |= MGMT_OPTION_EXTERNAL_CONFIG;
568 
569         if (test_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks) &&
570             !bacmp(&hdev->public_addr, BDADDR_ANY))
571                 options |= MGMT_OPTION_PUBLIC_ADDRESS;
572 
573         return cpu_to_le32(options);
574 }
575 
576 static int new_options(struct hci_dev *hdev, struct sock *skip)
577 {
578         __le32 options = get_missing_options(hdev);
579 
580         return mgmt_limited_event(MGMT_EV_NEW_CONFIG_OPTIONS, hdev, &options,
581                                   sizeof(options), HCI_MGMT_OPTION_EVENTS, skip);
582 }
583 
584 static int send_options_rsp(struct sock *sk, u16 opcode, struct hci_dev *hdev)
585 {
586         __le32 options = get_missing_options(hdev);
587 
588         return mgmt_cmd_complete(sk, hdev->id, opcode, 0, &options,
589                                  sizeof(options));
590 }
591 
592 static int read_config_info(struct sock *sk, struct hci_dev *hdev,
593                             void *data, u16 data_len)
594 {
595         struct mgmt_rp_read_config_info rp;
596         u32 options = 0;
597 
598         BT_DBG("sock %p %s", sk, hdev->name);
599 
600         hci_dev_lock(hdev);
601 
602         memset(&rp, 0, sizeof(rp));
603         rp.manufacturer = cpu_to_le16(hdev->manufacturer);
604 
605         if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks))
606                 options |= MGMT_OPTION_EXTERNAL_CONFIG;
607 
608         if (hdev->set_bdaddr)
609                 options |= MGMT_OPTION_PUBLIC_ADDRESS;
610 
611         rp.supported_options = cpu_to_le32(options);
612         rp.missing_options = get_missing_options(hdev);
613 
614         hci_dev_unlock(hdev);
615 
616         return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_CONFIG_INFO, 0,
617                                  &rp, sizeof(rp));
618 }
619 
620 static u32 get_supported_settings(struct hci_dev *hdev)
621 {
622         u32 settings = 0;
623 
624         settings |= MGMT_SETTING_POWERED;
625         settings |= MGMT_SETTING_BONDABLE;
626         settings |= MGMT_SETTING_DEBUG_KEYS;
627         settings |= MGMT_SETTING_CONNECTABLE;
628         settings |= MGMT_SETTING_DISCOVERABLE;
629 
630         if (lmp_bredr_capable(hdev)) {
631                 if (hdev->hci_ver >= BLUETOOTH_VER_1_2)
632                         settings |= MGMT_SETTING_FAST_CONNECTABLE;
633                 settings |= MGMT_SETTING_BREDR;
634                 settings |= MGMT_SETTING_LINK_SECURITY;
635 
636                 if (lmp_ssp_capable(hdev)) {
637                         settings |= MGMT_SETTING_SSP;
638                         settings |= MGMT_SETTING_HS;
639                 }
640 
641                 if (lmp_sc_capable(hdev))
642                         settings |= MGMT_SETTING_SECURE_CONN;
643         }
644 
645         if (lmp_le_capable(hdev)) {
646                 settings |= MGMT_SETTING_LE;
647                 settings |= MGMT_SETTING_ADVERTISING;
648                 settings |= MGMT_SETTING_SECURE_CONN;
649                 settings |= MGMT_SETTING_PRIVACY;
650                 settings |= MGMT_SETTING_STATIC_ADDRESS;
651         }
652 
653         if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) ||
654             hdev->set_bdaddr)
655                 settings |= MGMT_SETTING_CONFIGURATION;
656 
657         return settings;
658 }
659 
660 static u32 get_current_settings(struct hci_dev *hdev)
661 {
662         u32 settings = 0;
663 
664         if (hdev_is_powered(hdev))
665                 settings |= MGMT_SETTING_POWERED;
666 
667         if (hci_dev_test_flag(hdev, HCI_CONNECTABLE))
668                 settings |= MGMT_SETTING_CONNECTABLE;
669 
670         if (hci_dev_test_flag(hdev, HCI_FAST_CONNECTABLE))
671                 settings |= MGMT_SETTING_FAST_CONNECTABLE;
672 
673         if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE))
674                 settings |= MGMT_SETTING_DISCOVERABLE;
675 
676         if (hci_dev_test_flag(hdev, HCI_BONDABLE))
677                 settings |= MGMT_SETTING_BONDABLE;
678 
679         if (hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
680                 settings |= MGMT_SETTING_BREDR;
681 
682         if (hci_dev_test_flag(hdev, HCI_LE_ENABLED))
683                 settings |= MGMT_SETTING_LE;
684 
685         if (hci_dev_test_flag(hdev, HCI_LINK_SECURITY))
686                 settings |= MGMT_SETTING_LINK_SECURITY;
687 
688         if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
689                 settings |= MGMT_SETTING_SSP;
690 
691         if (hci_dev_test_flag(hdev, HCI_HS_ENABLED))
692                 settings |= MGMT_SETTING_HS;
693 
694         if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
695                 settings |= MGMT_SETTING_ADVERTISING;
696 
697         if (hci_dev_test_flag(hdev, HCI_SC_ENABLED))
698                 settings |= MGMT_SETTING_SECURE_CONN;
699 
700         if (hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS))
701                 settings |= MGMT_SETTING_DEBUG_KEYS;
702 
703         if (hci_dev_test_flag(hdev, HCI_PRIVACY))
704                 settings |= MGMT_SETTING_PRIVACY;
705 
706         /* The current setting for static address has two purposes. The
707          * first is to indicate if the static address will be used and
708          * the second is to indicate if it is actually set.
709          *
710          * This means if the static address is not configured, this flag
711          * will never be set. If the address is configured, then if the
712          * address is actually used decides if the flag is set or not.
713          *
714          * For single mode LE only controllers and dual-mode controllers
715          * with BR/EDR disabled, the existence of the static address will
716          * be evaluated.
717          */
718         if (hci_dev_test_flag(hdev, HCI_FORCE_STATIC_ADDR) ||
719             !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) ||
720             !bacmp(&hdev->bdaddr, BDADDR_ANY)) {
721                 if (bacmp(&hdev->static_addr, BDADDR_ANY))
722                         settings |= MGMT_SETTING_STATIC_ADDRESS;
723         }
724 
725         return settings;
726 }
727 
728 static struct mgmt_pending_cmd *pending_find(u16 opcode, struct hci_dev *hdev)
729 {
730         return mgmt_pending_find(HCI_CHANNEL_CONTROL, opcode, hdev);
731 }
732 
733 static struct mgmt_pending_cmd *pending_find_data(u16 opcode,
734                                                   struct hci_dev *hdev,
735                                                   const void *data)
736 {
737         return mgmt_pending_find_data(HCI_CHANNEL_CONTROL, opcode, hdev, data);
738 }
739 
740 u8 mgmt_get_adv_discov_flags(struct hci_dev *hdev)
741 {
742         struct mgmt_pending_cmd *cmd;
743 
744         /* If there's a pending mgmt command the flags will not yet have
745          * their final values, so check for this first.
746          */
747         cmd = pending_find(MGMT_OP_SET_DISCOVERABLE, hdev);
748         if (cmd) {
749                 struct mgmt_mode *cp = cmd->param;
750                 if (cp->val == 0x01)
751                         return LE_AD_GENERAL;
752                 else if (cp->val == 0x02)
753                         return LE_AD_LIMITED;
754         } else {
755                 if (hci_dev_test_flag(hdev, HCI_LIMITED_DISCOVERABLE))
756                         return LE_AD_LIMITED;
757                 else if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE))
758                         return LE_AD_GENERAL;
759         }
760 
761         return 0;
762 }
763 
764 bool mgmt_get_connectable(struct hci_dev *hdev)
765 {
766         struct mgmt_pending_cmd *cmd;
767 
768         /* If there's a pending mgmt command the flag will not yet have
769          * it's final value, so check for this first.
770          */
771         cmd = pending_find(MGMT_OP_SET_CONNECTABLE, hdev);
772         if (cmd) {
773                 struct mgmt_mode *cp = cmd->param;
774 
775                 return cp->val;
776         }
777 
778         return hci_dev_test_flag(hdev, HCI_CONNECTABLE);
779 }
780 
781 static void service_cache_off(struct work_struct *work)
782 {
783         struct hci_dev *hdev = container_of(work, struct hci_dev,
784                                             service_cache.work);
785         struct hci_request req;
786 
787         if (!hci_dev_test_and_clear_flag(hdev, HCI_SERVICE_CACHE))
788                 return;
789 
790         hci_req_init(&req, hdev);
791 
792         hci_dev_lock(hdev);
793 
794         __hci_req_update_eir(&req);
795         __hci_req_update_class(&req);
796 
797         hci_dev_unlock(hdev);
798 
799         hci_req_run(&req, NULL);
800 }
801 
802 static void rpa_expired(struct work_struct *work)
803 {
804         struct hci_dev *hdev = container_of(work, struct hci_dev,
805                                             rpa_expired.work);
806         struct hci_request req;
807 
808         BT_DBG("");
809 
810         hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
811 
812         if (!hci_dev_test_flag(hdev, HCI_ADVERTISING))
813                 return;
814 
815         /* The generation of a new RPA and programming it into the
816          * controller happens in the hci_req_enable_advertising()
817          * function.
818          */
819         hci_req_init(&req, hdev);
820         __hci_req_enable_advertising(&req);
821         hci_req_run(&req, NULL);
822 }
823 
824 static void mgmt_init_hdev(struct sock *sk, struct hci_dev *hdev)
825 {
826         if (hci_dev_test_and_set_flag(hdev, HCI_MGMT))
827                 return;
828 
829         INIT_DELAYED_WORK(&hdev->service_cache, service_cache_off);
830         INIT_DELAYED_WORK(&hdev->rpa_expired, rpa_expired);
831 
832         /* Non-mgmt controlled devices get this bit set
833          * implicitly so that pairing works for them, however
834          * for mgmt we require user-space to explicitly enable
835          * it
836          */
837         hci_dev_clear_flag(hdev, HCI_BONDABLE);
838 }
839 
840 static int read_controller_info(struct sock *sk, struct hci_dev *hdev,
841                                 void *data, u16 data_len)
842 {
843         struct mgmt_rp_read_info rp;
844 
845         BT_DBG("sock %p %s", sk, hdev->name);
846 
847         hci_dev_lock(hdev);
848 
849         memset(&rp, 0, sizeof(rp));
850 
851         bacpy(&rp.bdaddr, &hdev->bdaddr);
852 
853         rp.version = hdev->hci_ver;
854         rp.manufacturer = cpu_to_le16(hdev->manufacturer);
855 
856         rp.supported_settings = cpu_to_le32(get_supported_settings(hdev));
857         rp.current_settings = cpu_to_le32(get_current_settings(hdev));
858 
859         memcpy(rp.dev_class, hdev->dev_class, 3);
860 
861         memcpy(rp.name, hdev->dev_name, sizeof(hdev->dev_name));
862         memcpy(rp.short_name, hdev->short_name, sizeof(hdev->short_name));
863 
864         hci_dev_unlock(hdev);
865 
866         return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_INFO, 0, &rp,
867                                  sizeof(rp));
868 }
869 
870 static u16 append_eir_data_to_buf(struct hci_dev *hdev, u8 *eir)
871 {
872         u16 eir_len = 0;
873         size_t name_len;
874 
875         if (hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
876                 eir_len = eir_append_data(eir, eir_len, EIR_CLASS_OF_DEV,
877                                           hdev->dev_class, 3);
878 
879         if (hci_dev_test_flag(hdev, HCI_LE_ENABLED))
880                 eir_len = eir_append_le16(eir, eir_len, EIR_APPEARANCE,
881                                           hdev->appearance);
882 
883         name_len = strlen(hdev->dev_name);
884         eir_len = eir_append_data(eir, eir_len, EIR_NAME_COMPLETE,
885                                   hdev->dev_name, name_len);
886 
887         name_len = strlen(hdev->short_name);
888         eir_len = eir_append_data(eir, eir_len, EIR_NAME_SHORT,
889                                   hdev->short_name, name_len);
890 
891         return eir_len;
892 }
893 
894 static int read_ext_controller_info(struct sock *sk, struct hci_dev *hdev,
895                                     void *data, u16 data_len)
896 {
897         char buf[512];
898         struct mgmt_rp_read_ext_info *rp = (void *)buf;
899         u16 eir_len;
900 
901         BT_DBG("sock %p %s", sk, hdev->name);
902 
903         memset(&buf, 0, sizeof(buf));
904 
905         hci_dev_lock(hdev);
906 
907         bacpy(&rp->bdaddr, &hdev->bdaddr);
908 
909         rp->version = hdev->hci_ver;
910         rp->manufacturer = cpu_to_le16(hdev->manufacturer);
911 
912         rp->supported_settings = cpu_to_le32(get_supported_settings(hdev));
913         rp->current_settings = cpu_to_le32(get_current_settings(hdev));
914 
915 
916         eir_len = append_eir_data_to_buf(hdev, rp->eir);
917         rp->eir_len = cpu_to_le16(eir_len);
918 
919         hci_dev_unlock(hdev);
920 
921         /* If this command is called at least once, then the events
922          * for class of device and local name changes are disabled
923          * and only the new extended controller information event
924          * is used.
925          */
926         hci_sock_set_flag(sk, HCI_MGMT_EXT_INFO_EVENTS);
927         hci_sock_clear_flag(sk, HCI_MGMT_DEV_CLASS_EVENTS);
928         hci_sock_clear_flag(sk, HCI_MGMT_LOCAL_NAME_EVENTS);
929 
930         return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_EXT_INFO, 0, rp,
931                                  sizeof(*rp) + eir_len);
932 }
933 
934 static int ext_info_changed(struct hci_dev *hdev, struct sock *skip)
935 {
936         char buf[512];
937         struct mgmt_ev_ext_info_changed *ev = (void *)buf;
938         u16 eir_len;
939 
940         memset(buf, 0, sizeof(buf));
941 
942         eir_len = append_eir_data_to_buf(hdev, ev->eir);
943         ev->eir_len = cpu_to_le16(eir_len);
944 
945         return mgmt_limited_event(MGMT_EV_EXT_INFO_CHANGED, hdev, ev,
946                                   sizeof(*ev) + eir_len,
947                                   HCI_MGMT_EXT_INFO_EVENTS, skip);
948 }
949 
950 static int send_settings_rsp(struct sock *sk, u16 opcode, struct hci_dev *hdev)
951 {
952         __le32 settings = cpu_to_le32(get_current_settings(hdev));
953 
954         return mgmt_cmd_complete(sk, hdev->id, opcode, 0, &settings,
955                                  sizeof(settings));
956 }
957 
958 static void clean_up_hci_complete(struct hci_dev *hdev, u8 status, u16 opcode)
959 {
960         BT_DBG("%s status 0x%02x", hdev->name, status);
961 
962         if (hci_conn_count(hdev) == 0) {
963                 cancel_delayed_work(&hdev->power_off);
964                 queue_work(hdev->req_workqueue, &hdev->power_off.work);
965         }
966 }
967 
968 void mgmt_advertising_added(struct sock *sk, struct hci_dev *hdev, u8 instance)
969 {
970         struct mgmt_ev_advertising_added ev;
971 
972         ev.instance = instance;
973 
974         mgmt_event(MGMT_EV_ADVERTISING_ADDED, hdev, &ev, sizeof(ev), sk);
975 }
976 
977 void mgmt_advertising_removed(struct sock *sk, struct hci_dev *hdev,
978                               u8 instance)
979 {
980         struct mgmt_ev_advertising_removed ev;
981 
982         ev.instance = instance;
983 
984         mgmt_event(MGMT_EV_ADVERTISING_REMOVED, hdev, &ev, sizeof(ev), sk);
985 }
986 
987 static void cancel_adv_timeout(struct hci_dev *hdev)
988 {
989         if (hdev->adv_instance_timeout) {
990                 hdev->adv_instance_timeout = 0;
991                 cancel_delayed_work(&hdev->adv_instance_expire);
992         }
993 }
994 
995 static int clean_up_hci_state(struct hci_dev *hdev)
996 {
997         struct hci_request req;
998         struct hci_conn *conn;
999         bool discov_stopped;
1000         int err;
1001 
1002         hci_req_init(&req, hdev);
1003 
1004         if (test_bit(HCI_ISCAN, &hdev->flags) ||
1005             test_bit(HCI_PSCAN, &hdev->flags)) {
1006                 u8 scan = 0x00;
1007                 hci_req_add(&req, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
1008         }
1009 
1010         hci_req_clear_adv_instance(hdev, NULL, NULL, 0x00, false);
1011 
1012         if (hci_dev_test_flag(hdev, HCI_LE_ADV))
1013                 __hci_req_disable_advertising(&req);
1014 
1015         discov_stopped = hci_req_stop_discovery(&req);
1016 
1017         list_for_each_entry(conn, &hdev->conn_hash.list, list) {
1018                 /* 0x15 == Terminated due to Power Off */
1019                 __hci_abort_conn(&req, conn, 0x15);
1020         }
1021 
1022         err = hci_req_run(&req, clean_up_hci_complete);
1023         if (!err && discov_stopped)
1024                 hci_discovery_set_state(hdev, DISCOVERY_STOPPING);
1025 
1026         return err;
1027 }
1028 
1029 static int set_powered(struct sock *sk, struct hci_dev *hdev, void *data,
1030                        u16 len)
1031 {
1032         struct mgmt_mode *cp = data;
1033         struct mgmt_pending_cmd *cmd;
1034         int err;
1035 
1036         BT_DBG("request for %s", hdev->name);
1037 
1038         if (cp->val != 0x00 && cp->val != 0x01)
1039                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_POWERED,
1040                                        MGMT_STATUS_INVALID_PARAMS);
1041 
1042         hci_dev_lock(hdev);
1043 
1044         if (pending_find(MGMT_OP_SET_POWERED, hdev)) {
1045                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_POWERED,
1046                                       MGMT_STATUS_BUSY);
1047                 goto failed;
1048         }
1049 
1050         if (!!cp->val == hdev_is_powered(hdev)) {
1051                 err = send_settings_rsp(sk, MGMT_OP_SET_POWERED, hdev);
1052                 goto failed;
1053         }
1054 
1055         cmd = mgmt_pending_add(sk, MGMT_OP_SET_POWERED, hdev, data, len);
1056         if (!cmd) {
1057                 err = -ENOMEM;
1058                 goto failed;
1059         }
1060 
1061         if (cp->val) {
1062                 queue_work(hdev->req_workqueue, &hdev->power_on);
1063                 err = 0;
1064         } else {
1065                 /* Disconnect connections, stop scans, etc */
1066                 err = clean_up_hci_state(hdev);
1067                 if (!err)
1068                         queue_delayed_work(hdev->req_workqueue, &hdev->power_off,
1069                                            HCI_POWER_OFF_TIMEOUT);
1070 
1071                 /* ENODATA means there were no HCI commands queued */
1072                 if (err == -ENODATA) {
1073                         cancel_delayed_work(&hdev->power_off);
1074                         queue_work(hdev->req_workqueue, &hdev->power_off.work);
1075                         err = 0;
1076                 }
1077         }
1078 
1079 failed:
1080         hci_dev_unlock(hdev);
1081         return err;
1082 }
1083 
1084 static int new_settings(struct hci_dev *hdev, struct sock *skip)
1085 {
1086         __le32 ev = cpu_to_le32(get_current_settings(hdev));
1087 
1088         return mgmt_limited_event(MGMT_EV_NEW_SETTINGS, hdev, &ev,
1089                                   sizeof(ev), HCI_MGMT_SETTING_EVENTS, skip);
1090 }
1091 
1092 int mgmt_new_settings(struct hci_dev *hdev)
1093 {
1094         return new_settings(hdev, NULL);
1095 }
1096 
1097 struct cmd_lookup {
1098         struct sock *sk;
1099         struct hci_dev *hdev;
1100         u8 mgmt_status;
1101 };
1102 
1103 static void settings_rsp(struct mgmt_pending_cmd *cmd, void *data)
1104 {
1105         struct cmd_lookup *match = data;
1106 
1107         send_settings_rsp(cmd->sk, cmd->opcode, match->hdev);
1108 
1109         list_del(&cmd->list);
1110 
1111         if (match->sk == NULL) {
1112                 match->sk = cmd->sk;
1113                 sock_hold(match->sk);
1114         }
1115 
1116         mgmt_pending_free(cmd);
1117 }
1118 
1119 static void cmd_status_rsp(struct mgmt_pending_cmd *cmd, void *data)
1120 {
1121         u8 *status = data;
1122 
1123         mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, *status);
1124         mgmt_pending_remove(cmd);
1125 }
1126 
1127 static void cmd_complete_rsp(struct mgmt_pending_cmd *cmd, void *data)
1128 {
1129         if (cmd->cmd_complete) {
1130                 u8 *status = data;
1131 
1132                 cmd->cmd_complete(cmd, *status);
1133                 mgmt_pending_remove(cmd);
1134 
1135                 return;
1136         }
1137 
1138         cmd_status_rsp(cmd, data);
1139 }
1140 
1141 static int generic_cmd_complete(struct mgmt_pending_cmd *cmd, u8 status)
1142 {
1143         return mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status,
1144                                  cmd->param, cmd->param_len);
1145 }
1146 
1147 static int addr_cmd_complete(struct mgmt_pending_cmd *cmd, u8 status)
1148 {
1149         return mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status,
1150                                  cmd->param, sizeof(struct mgmt_addr_info));
1151 }
1152 
1153 static u8 mgmt_bredr_support(struct hci_dev *hdev)
1154 {
1155         if (!lmp_bredr_capable(hdev))
1156                 return MGMT_STATUS_NOT_SUPPORTED;
1157         else if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1158                 return MGMT_STATUS_REJECTED;
1159         else
1160                 return MGMT_STATUS_SUCCESS;
1161 }
1162 
1163 static u8 mgmt_le_support(struct hci_dev *hdev)
1164 {
1165         if (!lmp_le_capable(hdev))
1166                 return MGMT_STATUS_NOT_SUPPORTED;
1167         else if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
1168                 return MGMT_STATUS_REJECTED;
1169         else
1170                 return MGMT_STATUS_SUCCESS;
1171 }
1172 
1173 void mgmt_set_discoverable_complete(struct hci_dev *hdev, u8 status)
1174 {
1175         struct mgmt_pending_cmd *cmd;
1176 
1177         BT_DBG("status 0x%02x", status);
1178 
1179         hci_dev_lock(hdev);
1180 
1181         cmd = pending_find(MGMT_OP_SET_DISCOVERABLE, hdev);
1182         if (!cmd)
1183                 goto unlock;
1184 
1185         if (status) {
1186                 u8 mgmt_err = mgmt_status(status);
1187                 mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
1188                 hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1189                 goto remove_cmd;
1190         }
1191 
1192         if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE) &&
1193             hdev->discov_timeout > 0) {
1194                 int to = msecs_to_jiffies(hdev->discov_timeout * 1000);
1195                 queue_delayed_work(hdev->req_workqueue, &hdev->discov_off, to);
1196         }
1197 
1198         send_settings_rsp(cmd->sk, MGMT_OP_SET_DISCOVERABLE, hdev);
1199         new_settings(hdev, cmd->sk);
1200 
1201 remove_cmd:
1202         mgmt_pending_remove(cmd);
1203 
1204 unlock:
1205         hci_dev_unlock(hdev);
1206 }
1207 
1208 static int set_discoverable(struct sock *sk, struct hci_dev *hdev, void *data,
1209                             u16 len)
1210 {
1211         struct mgmt_cp_set_discoverable *cp = data;
1212         struct mgmt_pending_cmd *cmd;
1213         u16 timeout;
1214         int err;
1215 
1216         BT_DBG("request for %s", hdev->name);
1217 
1218         if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED) &&
1219             !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1220                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1221                                        MGMT_STATUS_REJECTED);
1222 
1223         if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
1224                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1225                                        MGMT_STATUS_INVALID_PARAMS);
1226 
1227         timeout = __le16_to_cpu(cp->timeout);
1228 
1229         /* Disabling discoverable requires that no timeout is set,
1230          * and enabling limited discoverable requires a timeout.
1231          */
1232         if ((cp->val == 0x00 && timeout > 0) ||
1233             (cp->val == 0x02 && timeout == 0))
1234                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1235                                        MGMT_STATUS_INVALID_PARAMS);
1236 
1237         hci_dev_lock(hdev);
1238 
1239         if (!hdev_is_powered(hdev) && timeout > 0) {
1240                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1241                                       MGMT_STATUS_NOT_POWERED);
1242                 goto failed;
1243         }
1244 
1245         if (pending_find(MGMT_OP_SET_DISCOVERABLE, hdev) ||
1246             pending_find(MGMT_OP_SET_CONNECTABLE, hdev)) {
1247                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1248                                       MGMT_STATUS_BUSY);
1249                 goto failed;
1250         }
1251 
1252         if (!hci_dev_test_flag(hdev, HCI_CONNECTABLE)) {
1253                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1254                                       MGMT_STATUS_REJECTED);
1255                 goto failed;
1256         }
1257 
1258         if (!hdev_is_powered(hdev)) {
1259                 bool changed = false;
1260 
1261                 /* Setting limited discoverable when powered off is
1262                  * not a valid operation since it requires a timeout
1263                  * and so no need to check HCI_LIMITED_DISCOVERABLE.
1264                  */
1265                 if (!!cp->val != hci_dev_test_flag(hdev, HCI_DISCOVERABLE)) {
1266                         hci_dev_change_flag(hdev, HCI_DISCOVERABLE);
1267                         changed = true;
1268                 }
1269 
1270                 err = send_settings_rsp(sk, MGMT_OP_SET_DISCOVERABLE, hdev);
1271                 if (err < 0)
1272                         goto failed;
1273 
1274                 if (changed)
1275                         err = new_settings(hdev, sk);
1276 
1277                 goto failed;
1278         }
1279 
1280         /* If the current mode is the same, then just update the timeout
1281          * value with the new value. And if only the timeout gets updated,
1282          * then no need for any HCI transactions.
1283          */
1284         if (!!cp->val == hci_dev_test_flag(hdev, HCI_DISCOVERABLE) &&
1285             (cp->val == 0x02) == hci_dev_test_flag(hdev,
1286                                                    HCI_LIMITED_DISCOVERABLE)) {
1287                 cancel_delayed_work(&hdev->discov_off);
1288                 hdev->discov_timeout = timeout;
1289 
1290                 if (cp->val && hdev->discov_timeout > 0) {
1291                         int to = msecs_to_jiffies(hdev->discov_timeout * 1000);
1292                         queue_delayed_work(hdev->req_workqueue,
1293                                            &hdev->discov_off, to);
1294                 }
1295 
1296                 err = send_settings_rsp(sk, MGMT_OP_SET_DISCOVERABLE, hdev);
1297                 goto failed;
1298         }
1299 
1300         cmd = mgmt_pending_add(sk, MGMT_OP_SET_DISCOVERABLE, hdev, data, len);
1301         if (!cmd) {
1302                 err = -ENOMEM;
1303                 goto failed;
1304         }
1305 
1306         /* Cancel any potential discoverable timeout that might be
1307          * still active and store new timeout value. The arming of
1308          * the timeout happens in the complete handler.
1309          */
1310         cancel_delayed_work(&hdev->discov_off);
1311         hdev->discov_timeout = timeout;
1312 
1313         if (cp->val)
1314                 hci_dev_set_flag(hdev, HCI_DISCOVERABLE);
1315         else
1316                 hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1317 
1318         /* Limited discoverable mode */
1319         if (cp->val == 0x02)
1320                 hci_dev_set_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1321         else
1322                 hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1323 
1324         queue_work(hdev->req_workqueue, &hdev->discoverable_update);
1325         err = 0;
1326 
1327 failed:
1328         hci_dev_unlock(hdev);
1329         return err;
1330 }
1331 
1332 void mgmt_set_connectable_complete(struct hci_dev *hdev, u8 status)
1333 {
1334         struct mgmt_pending_cmd *cmd;
1335 
1336         BT_DBG("status 0x%02x", status);
1337 
1338         hci_dev_lock(hdev);
1339 
1340         cmd = pending_find(MGMT_OP_SET_CONNECTABLE, hdev);
1341         if (!cmd)
1342                 goto unlock;
1343 
1344         if (status) {
1345                 u8 mgmt_err = mgmt_status(status);
1346                 mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
1347                 goto remove_cmd;
1348         }
1349 
1350         send_settings_rsp(cmd->sk, MGMT_OP_SET_CONNECTABLE, hdev);
1351         new_settings(hdev, cmd->sk);
1352 
1353 remove_cmd:
1354         mgmt_pending_remove(cmd);
1355 
1356 unlock:
1357         hci_dev_unlock(hdev);
1358 }
1359 
1360 static int set_connectable_update_settings(struct hci_dev *hdev,
1361                                            struct sock *sk, u8 val)
1362 {
1363         bool changed = false;
1364         int err;
1365 
1366         if (!!val != hci_dev_test_flag(hdev, HCI_CONNECTABLE))
1367                 changed = true;
1368 
1369         if (val) {
1370                 hci_dev_set_flag(hdev, HCI_CONNECTABLE);
1371         } else {
1372                 hci_dev_clear_flag(hdev, HCI_CONNECTABLE);
1373                 hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1374         }
1375 
1376         err = send_settings_rsp(sk, MGMT_OP_SET_CONNECTABLE, hdev);
1377         if (err < 0)
1378                 return err;
1379 
1380         if (changed) {
1381                 hci_req_update_scan(hdev);
1382                 hci_update_background_scan(hdev);
1383                 return new_settings(hdev, sk);
1384         }
1385 
1386         return 0;
1387 }
1388 
1389 static int set_connectable(struct sock *sk, struct hci_dev *hdev, void *data,
1390                            u16 len)
1391 {
1392         struct mgmt_mode *cp = data;
1393         struct mgmt_pending_cmd *cmd;
1394         int err;
1395 
1396         BT_DBG("request for %s", hdev->name);
1397 
1398         if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED) &&
1399             !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1400                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_CONNECTABLE,
1401                                        MGMT_STATUS_REJECTED);
1402 
1403         if (cp->val != 0x00 && cp->val != 0x01)
1404                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_CONNECTABLE,
1405                                        MGMT_STATUS_INVALID_PARAMS);
1406 
1407         hci_dev_lock(hdev);
1408 
1409         if (!hdev_is_powered(hdev)) {
1410                 err = set_connectable_update_settings(hdev, sk, cp->val);
1411                 goto failed;
1412         }
1413 
1414         if (pending_find(MGMT_OP_SET_DISCOVERABLE, hdev) ||
1415             pending_find(MGMT_OP_SET_CONNECTABLE, hdev)) {
1416                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_CONNECTABLE,
1417                                       MGMT_STATUS_BUSY);
1418                 goto failed;
1419         }
1420 
1421         cmd = mgmt_pending_add(sk, MGMT_OP_SET_CONNECTABLE, hdev, data, len);
1422         if (!cmd) {
1423                 err = -ENOMEM;
1424                 goto failed;
1425         }
1426 
1427         if (cp->val) {
1428                 hci_dev_set_flag(hdev, HCI_CONNECTABLE);
1429         } else {
1430                 if (hdev->discov_timeout > 0)
1431                         cancel_delayed_work(&hdev->discov_off);
1432 
1433                 hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1434                 hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1435                 hci_dev_clear_flag(hdev, HCI_CONNECTABLE);
1436         }
1437 
1438         queue_work(hdev->req_workqueue, &hdev->connectable_update);
1439         err = 0;
1440 
1441 failed:
1442         hci_dev_unlock(hdev);
1443         return err;
1444 }
1445 
1446 static int set_bondable(struct sock *sk, struct hci_dev *hdev, void *data,
1447                         u16 len)
1448 {
1449         struct mgmt_mode *cp = data;
1450         bool changed;
1451         int err;
1452 
1453         BT_DBG("request for %s", hdev->name);
1454 
1455         if (cp->val != 0x00 && cp->val != 0x01)
1456                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BONDABLE,
1457                                        MGMT_STATUS_INVALID_PARAMS);
1458 
1459         hci_dev_lock(hdev);
1460 
1461         if (cp->val)
1462                 changed = !hci_dev_test_and_set_flag(hdev, HCI_BONDABLE);
1463         else
1464                 changed = hci_dev_test_and_clear_flag(hdev, HCI_BONDABLE);
1465 
1466         err = send_settings_rsp(sk, MGMT_OP_SET_BONDABLE, hdev);
1467         if (err < 0)
1468                 goto unlock;
1469 
1470         if (changed) {
1471                 /* In limited privacy mode the change of bondable mode
1472                  * may affect the local advertising address.
1473                  */
1474                 if (hdev_is_powered(hdev) &&
1475                     hci_dev_test_flag(hdev, HCI_ADVERTISING) &&
1476                     hci_dev_test_flag(hdev, HCI_DISCOVERABLE) &&
1477                     hci_dev_test_flag(hdev, HCI_LIMITED_PRIVACY))
1478                         queue_work(hdev->req_workqueue,
1479                                    &hdev->discoverable_update);
1480 
1481                 err = new_settings(hdev, sk);
1482         }
1483 
1484 unlock:
1485         hci_dev_unlock(hdev);
1486         return err;
1487 }
1488 
1489 static int set_link_security(struct sock *sk, struct hci_dev *hdev, void *data,
1490                              u16 len)
1491 {
1492         struct mgmt_mode *cp = data;
1493         struct mgmt_pending_cmd *cmd;
1494         u8 val, status;
1495         int err;
1496 
1497         BT_DBG("request for %s", hdev->name);
1498 
1499         status = mgmt_bredr_support(hdev);
1500         if (status)
1501                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY,
1502                                        status);
1503 
1504         if (cp->val != 0x00 && cp->val != 0x01)
1505                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY,
1506                                        MGMT_STATUS_INVALID_PARAMS);
1507 
1508         hci_dev_lock(hdev);
1509 
1510         if (!hdev_is_powered(hdev)) {
1511                 bool changed = false;
1512 
1513                 if (!!cp->val != hci_dev_test_flag(hdev, HCI_LINK_SECURITY)) {
1514                         hci_dev_change_flag(hdev, HCI_LINK_SECURITY);
1515                         changed = true;
1516                 }
1517 
1518                 err = send_settings_rsp(sk, MGMT_OP_SET_LINK_SECURITY, hdev);
1519                 if (err < 0)
1520                         goto failed;
1521 
1522                 if (changed)
1523                         err = new_settings(hdev, sk);
1524 
1525                 goto failed;
1526         }
1527 
1528         if (pending_find(MGMT_OP_SET_LINK_SECURITY, hdev)) {
1529                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY,
1530                                       MGMT_STATUS_BUSY);
1531                 goto failed;
1532         }
1533 
1534         val = !!cp->val;
1535 
1536         if (test_bit(HCI_AUTH, &hdev->flags) == val) {
1537                 err = send_settings_rsp(sk, MGMT_OP_SET_LINK_SECURITY, hdev);
1538                 goto failed;
1539         }
1540 
1541         cmd = mgmt_pending_add(sk, MGMT_OP_SET_LINK_SECURITY, hdev, data, len);
1542         if (!cmd) {
1543                 err = -ENOMEM;
1544                 goto failed;
1545         }
1546 
1547         err = hci_send_cmd(hdev, HCI_OP_WRITE_AUTH_ENABLE, sizeof(val), &val);
1548         if (err < 0) {
1549                 mgmt_pending_remove(cmd);
1550                 goto failed;
1551         }
1552 
1553 failed:
1554         hci_dev_unlock(hdev);
1555         return err;
1556 }
1557 
1558 static int set_ssp(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
1559 {
1560         struct mgmt_mode *cp = data;
1561         struct mgmt_pending_cmd *cmd;
1562         u8 status;
1563         int err;
1564 
1565         BT_DBG("request for %s", hdev->name);
1566 
1567         status = mgmt_bredr_support(hdev);
1568         if (status)
1569                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP, status);
1570 
1571         if (!lmp_ssp_capable(hdev))
1572                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
1573                                        MGMT_STATUS_NOT_SUPPORTED);
1574 
1575         if (cp->val != 0x00 && cp->val != 0x01)
1576                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
1577                                        MGMT_STATUS_INVALID_PARAMS);
1578 
1579         hci_dev_lock(hdev);
1580 
1581         if (!hdev_is_powered(hdev)) {
1582                 bool changed;
1583 
1584                 if (cp->val) {
1585                         changed = !hci_dev_test_and_set_flag(hdev,
1586                                                              HCI_SSP_ENABLED);
1587                 } else {
1588                         changed = hci_dev_test_and_clear_flag(hdev,
1589                                                               HCI_SSP_ENABLED);
1590                         if (!changed)
1591                                 changed = hci_dev_test_and_clear_flag(hdev,
1592                                                                       HCI_HS_ENABLED);
1593                         else
1594                                 hci_dev_clear_flag(hdev, HCI_HS_ENABLED);
1595                 }
1596 
1597                 err = send_settings_rsp(sk, MGMT_OP_SET_SSP, hdev);
1598                 if (err < 0)
1599                         goto failed;
1600 
1601                 if (changed)
1602                         err = new_settings(hdev, sk);
1603 
1604                 goto failed;
1605         }
1606 
1607         if (pending_find(MGMT_OP_SET_SSP, hdev)) {
1608                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
1609                                       MGMT_STATUS_BUSY);
1610                 goto failed;
1611         }
1612 
1613         if (!!cp->val == hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
1614                 err = send_settings_rsp(sk, MGMT_OP_SET_SSP, hdev);
1615                 goto failed;
1616         }
1617 
1618         cmd = mgmt_pending_add(sk, MGMT_OP_SET_SSP, hdev, data, len);
1619         if (!cmd) {
1620                 err = -ENOMEM;
1621                 goto failed;
1622         }
1623 
1624         if (!cp->val && hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS))
1625                 hci_send_cmd(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE,
1626                              sizeof(cp->val), &cp->val);
1627 
1628         err = hci_send_cmd(hdev, HCI_OP_WRITE_SSP_MODE, 1, &cp->val);
1629         if (err < 0) {
1630                 mgmt_pending_remove(cmd);
1631                 goto failed;
1632         }
1633 
1634 failed:
1635         hci_dev_unlock(hdev);
1636         return err;
1637 }
1638 
1639 static int set_hs(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
1640 {
1641         struct mgmt_mode *cp = data;
1642         bool changed;
1643         u8 status;
1644         int err;
1645 
1646         BT_DBG("request for %s", hdev->name);
1647 
1648         status = mgmt_bredr_support(hdev);
1649         if (status)
1650                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS, status);
1651 
1652         if (!lmp_ssp_capable(hdev))
1653                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
1654                                        MGMT_STATUS_NOT_SUPPORTED);
1655 
1656         if (!hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
1657                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
1658                                        MGMT_STATUS_REJECTED);
1659 
1660         if (cp->val != 0x00 && cp->val != 0x01)
1661                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
1662                                        MGMT_STATUS_INVALID_PARAMS);
1663 
1664         hci_dev_lock(hdev);
1665 
1666         if (pending_find(MGMT_OP_SET_SSP, hdev)) {
1667                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
1668                                       MGMT_STATUS_BUSY);
1669                 goto unlock;
1670         }
1671 
1672         if (cp->val) {
1673                 changed = !hci_dev_test_and_set_flag(hdev, HCI_HS_ENABLED);
1674         } else {
1675                 if (hdev_is_powered(hdev)) {
1676                         err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
1677                                               MGMT_STATUS_REJECTED);
1678                         goto unlock;
1679                 }
1680 
1681                 changed = hci_dev_test_and_clear_flag(hdev, HCI_HS_ENABLED);
1682         }
1683 
1684         err = send_settings_rsp(sk, MGMT_OP_SET_HS, hdev);
1685         if (err < 0)
1686                 goto unlock;
1687 
1688         if (changed)
1689                 err = new_settings(hdev, sk);
1690 
1691 unlock:
1692         hci_dev_unlock(hdev);
1693         return err;
1694 }
1695 
1696 static void le_enable_complete(struct hci_dev *hdev, u8 status, u16 opcode)
1697 {
1698         struct cmd_lookup match = { NULL, hdev };
1699 
1700         hci_dev_lock(hdev);
1701 
1702         if (status) {
1703                 u8 mgmt_err = mgmt_status(status);
1704 
1705                 mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, cmd_status_rsp,
1706                                      &mgmt_err);
1707                 goto unlock;
1708         }
1709 
1710         mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, settings_rsp, &match);
1711 
1712         new_settings(hdev, match.sk);
1713 
1714         if (match.sk)
1715                 sock_put(match.sk);
1716 
1717         /* Make sure the controller has a good default for
1718          * advertising data. Restrict the update to when LE
1719          * has actually been enabled. During power on, the
1720          * update in powered_update_hci will take care of it.
1721          */
1722         if (hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1723                 struct hci_request req;
1724 
1725                 hci_req_init(&req, hdev);
1726                 __hci_req_update_adv_data(&req, 0x00);
1727                 __hci_req_update_scan_rsp_data(&req, 0x00);
1728                 hci_req_run(&req, NULL);
1729                 hci_update_background_scan(hdev);
1730         }
1731 
1732 unlock:
1733         hci_dev_unlock(hdev);
1734 }
1735 
1736 static int set_le(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
1737 {
1738         struct mgmt_mode *cp = data;
1739         struct hci_cp_write_le_host_supported hci_cp;
1740         struct mgmt_pending_cmd *cmd;
1741         struct hci_request req;
1742         int err;
1743         u8 val, enabled;
1744 
1745         BT_DBG("request for %s", hdev->name);
1746 
1747         if (!lmp_le_capable(hdev))
1748                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
1749                                        MGMT_STATUS_NOT_SUPPORTED);
1750 
1751         if (cp->val != 0x00 && cp->val != 0x01)
1752                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
1753                                        MGMT_STATUS_INVALID_PARAMS);
1754 
1755         /* Bluetooth single mode LE only controllers or dual-mode
1756          * controllers configured as LE only devices, do not allow
1757          * switching LE off. These have either LE enabled explicitly
1758          * or BR/EDR has been previously switched off.
1759          *
1760          * When trying to enable an already enabled LE, then gracefully
1761          * send a positive response. Trying to disable it however will
1762          * result into rejection.
1763          */
1764         if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
1765                 if (cp->val == 0x01)
1766                         return send_settings_rsp(sk, MGMT_OP_SET_LE, hdev);
1767 
1768                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
1769                                        MGMT_STATUS_REJECTED);
1770         }
1771 
1772         hci_dev_lock(hdev);
1773 
1774         val = !!cp->val;
1775         enabled = lmp_host_le_capable(hdev);
1776 
1777         if (!val)
1778                 hci_req_clear_adv_instance(hdev, NULL, NULL, 0x00, true);
1779 
1780         if (!hdev_is_powered(hdev) || val == enabled) {
1781                 bool changed = false;
1782 
1783                 if (val != hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1784                         hci_dev_change_flag(hdev, HCI_LE_ENABLED);
1785                         changed = true;
1786                 }
1787 
1788                 if (!val && hci_dev_test_flag(hdev, HCI_ADVERTISING)) {
1789                         hci_dev_clear_flag(hdev, HCI_ADVERTISING);
1790                         changed = true;
1791                 }
1792 
1793                 err = send_settings_rsp(sk, MGMT_OP_SET_LE, hdev);
1794                 if (err < 0)
1795                         goto unlock;
1796 
1797                 if (changed)
1798                         err = new_settings(hdev, sk);
1799 
1800                 goto unlock;
1801         }
1802 
1803         if (pending_find(MGMT_OP_SET_LE, hdev) ||
1804             pending_find(MGMT_OP_SET_ADVERTISING, hdev)) {
1805                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
1806                                       MGMT_STATUS_BUSY);
1807                 goto unlock;
1808         }
1809 
1810         cmd = mgmt_pending_add(sk, MGMT_OP_SET_LE, hdev, data, len);
1811         if (!cmd) {
1812                 err = -ENOMEM;
1813                 goto unlock;
1814         }
1815 
1816         hci_req_init(&req, hdev);
1817 
1818         memset(&hci_cp, 0, sizeof(hci_cp));
1819 
1820         if (val) {
1821                 hci_cp.le = val;
1822                 hci_cp.simul = 0x00;
1823         } else {
1824                 if (hci_dev_test_flag(hdev, HCI_LE_ADV))
1825                         __hci_req_disable_advertising(&req);
1826         }
1827 
1828         hci_req_add(&req, HCI_OP_WRITE_LE_HOST_SUPPORTED, sizeof(hci_cp),
1829                     &hci_cp);
1830 
1831         err = hci_req_run(&req, le_enable_complete);
1832         if (err < 0)
1833                 mgmt_pending_remove(cmd);
1834 
1835 unlock:
1836         hci_dev_unlock(hdev);
1837         return err;
1838 }
1839 
1840 /* This is a helper function to test for pending mgmt commands that can
1841  * cause CoD or EIR HCI commands. We can only allow one such pending
1842  * mgmt command at a time since otherwise we cannot easily track what
1843  * the current values are, will be, and based on that calculate if a new
1844  * HCI command needs to be sent and if yes with what value.
1845  */
1846 static bool pending_eir_or_class(struct hci_dev *hdev)
1847 {
1848         struct mgmt_pending_cmd *cmd;
1849 
1850         list_for_each_entry(cmd, &hdev->mgmt_pending, list) {
1851                 switch (cmd->opcode) {
1852                 case MGMT_OP_ADD_UUID:
1853                 case MGMT_OP_REMOVE_UUID:
1854                 case MGMT_OP_SET_DEV_CLASS:
1855                 case MGMT_OP_SET_POWERED:
1856                         return true;
1857                 }
1858         }
1859 
1860         return false;
1861 }
1862 
1863 static const u8 bluetooth_base_uuid[] = {
1864                         0xfb, 0x34, 0x9b, 0x5f, 0x80, 0x00, 0x00, 0x80,
1865                         0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1866 };
1867 
1868 static u8 get_uuid_size(const u8 *uuid)
1869 {
1870         u32 val;
1871 
1872         if (memcmp(uuid, bluetooth_base_uuid, 12))
1873                 return 128;
1874 
1875         val = get_unaligned_le32(&uuid[12]);
1876         if (val > 0xffff)
1877                 return 32;
1878 
1879         return 16;
1880 }
1881 
1882 static void mgmt_class_complete(struct hci_dev *hdev, u16 mgmt_op, u8 status)
1883 {
1884         struct mgmt_pending_cmd *cmd;
1885 
1886         hci_dev_lock(hdev);
1887 
1888         cmd = pending_find(mgmt_op, hdev);
1889         if (!cmd)
1890                 goto unlock;
1891 
1892         mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
1893                           mgmt_status(status), hdev->dev_class, 3);
1894 
1895         mgmt_pending_remove(cmd);
1896 
1897 unlock:
1898         hci_dev_unlock(hdev);
1899 }
1900 
1901 static void add_uuid_complete(struct hci_dev *hdev, u8 status, u16 opcode)
1902 {
1903         BT_DBG("status 0x%02x", status);
1904 
1905         mgmt_class_complete(hdev, MGMT_OP_ADD_UUID, status);
1906 }
1907 
1908 static int add_uuid(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
1909 {
1910         struct mgmt_cp_add_uuid *cp = data;
1911         struct mgmt_pending_cmd *cmd;
1912         struct hci_request req;
1913         struct bt_uuid *uuid;
1914         int err;
1915 
1916         BT_DBG("request for %s", hdev->name);
1917 
1918         hci_dev_lock(hdev);
1919 
1920         if (pending_eir_or_class(hdev)) {
1921                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_UUID,
1922                                       MGMT_STATUS_BUSY);
1923                 goto failed;
1924         }
1925 
1926         uuid = kmalloc(sizeof(*uuid), GFP_KERNEL);
1927         if (!uuid) {
1928                 err = -ENOMEM;
1929                 goto failed;
1930         }
1931 
1932         memcpy(uuid->uuid, cp->uuid, 16);
1933         uuid->svc_hint = cp->svc_hint;
1934         uuid->size = get_uuid_size(cp->uuid);
1935 
1936         list_add_tail(&uuid->list, &hdev->uuids);
1937 
1938         hci_req_init(&req, hdev);
1939 
1940         __hci_req_update_class(&req);
1941         __hci_req_update_eir(&req);
1942 
1943         err = hci_req_run(&req, add_uuid_complete);
1944         if (err < 0) {
1945                 if (err != -ENODATA)
1946                         goto failed;
1947 
1948                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_UUID, 0,
1949                                         hdev->dev_class, 3);
1950                 goto failed;
1951         }
1952 
1953         cmd = mgmt_pending_add(sk, MGMT_OP_ADD_UUID, hdev, data, len);
1954         if (!cmd) {
1955                 err = -ENOMEM;
1956                 goto failed;
1957         }
1958 
1959         err = 0;
1960 
1961 failed:
1962         hci_dev_unlock(hdev);
1963         return err;
1964 }
1965 
1966 static bool enable_service_cache(struct hci_dev *hdev)
1967 {
1968         if (!hdev_is_powered(hdev))
1969                 return false;
1970 
1971         if (!hci_dev_test_and_set_flag(hdev, HCI_SERVICE_CACHE)) {
1972                 queue_delayed_work(hdev->workqueue, &hdev->service_cache,
1973                                    CACHE_TIMEOUT);
1974                 return true;
1975         }
1976 
1977         return false;
1978 }
1979 
1980 static void remove_uuid_complete(struct hci_dev *hdev, u8 status, u16 opcode)
1981 {
1982         BT_DBG("status 0x%02x", status);
1983 
1984         mgmt_class_complete(hdev, MGMT_OP_REMOVE_UUID, status);
1985 }
1986 
1987 static int remove_uuid(struct sock *sk, struct hci_dev *hdev, void *data,
1988                        u16 len)
1989 {
1990         struct mgmt_cp_remove_uuid *cp = data;
1991         struct mgmt_pending_cmd *cmd;
1992         struct bt_uuid *match, *tmp;
1993         u8 bt_uuid_any[] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
1994         struct hci_request req;
1995         int err, found;
1996 
1997         BT_DBG("request for %s", hdev->name);
1998 
1999         hci_dev_lock(hdev);
2000 
2001         if (pending_eir_or_class(hdev)) {
2002                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_UUID,
2003                                       MGMT_STATUS_BUSY);
2004                 goto unlock;
2005         }
2006 
2007         if (memcmp(cp->uuid, bt_uuid_any, 16) == 0) {
2008                 hci_uuids_clear(hdev);
2009 
2010                 if (enable_service_cache(hdev)) {
2011                         err = mgmt_cmd_complete(sk, hdev->id,
2012                                                 MGMT_OP_REMOVE_UUID,
2013                                                 0, hdev->dev_class, 3);
2014                         goto unlock;
2015                 }
2016 
2017                 goto update_class;
2018         }
2019 
2020         found = 0;
2021 
2022         list_for_each_entry_safe(match, tmp, &hdev->uuids, list) {
2023                 if (memcmp(match->uuid, cp->uuid, 16) != 0)
2024                         continue;
2025 
2026                 list_del(&match->list);
2027                 kfree(match);
2028                 found++;
2029         }
2030 
2031         if (found == 0) {
2032                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_UUID,
2033                                       MGMT_STATUS_INVALID_PARAMS);
2034                 goto unlock;
2035         }
2036 
2037 update_class:
2038         hci_req_init(&req, hdev);
2039 
2040         __hci_req_update_class(&req);
2041         __hci_req_update_eir(&req);
2042 
2043         err = hci_req_run(&req, remove_uuid_complete);
2044         if (err < 0) {
2045                 if (err != -ENODATA)
2046                         goto unlock;
2047 
2048                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_UUID, 0,
2049                                         hdev->dev_class, 3);
2050                 goto unlock;
2051         }
2052 
2053         cmd = mgmt_pending_add(sk, MGMT_OP_REMOVE_UUID, hdev, data, len);
2054         if (!cmd) {
2055                 err = -ENOMEM;
2056                 goto unlock;
2057         }
2058 
2059         err = 0;
2060 
2061 unlock:
2062         hci_dev_unlock(hdev);
2063         return err;
2064 }
2065 
2066 static void set_class_complete(struct hci_dev *hdev, u8 status, u16 opcode)
2067 {
2068         BT_DBG("status 0x%02x", status);
2069 
2070         mgmt_class_complete(hdev, MGMT_OP_SET_DEV_CLASS, status);
2071 }
2072 
2073 static int set_dev_class(struct sock *sk, struct hci_dev *hdev, void *data,
2074                          u16 len)
2075 {
2076         struct mgmt_cp_set_dev_class *cp = data;
2077         struct mgmt_pending_cmd *cmd;
2078         struct hci_request req;
2079         int err;
2080 
2081         BT_DBG("request for %s", hdev->name);
2082 
2083         if (!lmp_bredr_capable(hdev))
2084                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEV_CLASS,
2085                                        MGMT_STATUS_NOT_SUPPORTED);
2086 
2087         hci_dev_lock(hdev);
2088 
2089         if (pending_eir_or_class(hdev)) {
2090                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEV_CLASS,
2091                                       MGMT_STATUS_BUSY);
2092                 goto unlock;
2093         }
2094 
2095         if ((cp->minor & 0x03) != 0 || (cp->major & 0xe0) != 0) {
2096                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEV_CLASS,
2097                                       MGMT_STATUS_INVALID_PARAMS);
2098                 goto unlock;
2099         }
2100 
2101         hdev->major_class = cp->major;
2102         hdev->minor_class = cp->minor;
2103 
2104         if (!hdev_is_powered(hdev)) {
2105                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_DEV_CLASS, 0,
2106                                         hdev->dev_class, 3);
2107                 goto unlock;
2108         }
2109 
2110         hci_req_init(&req, hdev);
2111 
2112         if (hci_dev_test_and_clear_flag(hdev, HCI_SERVICE_CACHE)) {
2113                 hci_dev_unlock(hdev);
2114                 cancel_delayed_work_sync(&hdev->service_cache);
2115                 hci_dev_lock(hdev);
2116                 __hci_req_update_eir(&req);
2117         }
2118 
2119         __hci_req_update_class(&req);
2120 
2121         err = hci_req_run(&req, set_class_complete);
2122         if (err < 0) {
2123                 if (err != -ENODATA)
2124                         goto unlock;
2125 
2126                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_DEV_CLASS, 0,
2127                                         hdev->dev_class, 3);
2128                 goto unlock;
2129         }
2130 
2131         cmd = mgmt_pending_add(sk, MGMT_OP_SET_DEV_CLASS, hdev, data, len);
2132         if (!cmd) {
2133                 err = -ENOMEM;
2134                 goto unlock;
2135         }
2136 
2137         err = 0;
2138 
2139 unlock:
2140         hci_dev_unlock(hdev);
2141         return err;
2142 }
2143 
2144 static int load_link_keys(struct sock *sk, struct hci_dev *hdev, void *data,
2145                           u16 len)
2146 {
2147         struct mgmt_cp_load_link_keys *cp = data;
2148         const u16 max_key_count = ((U16_MAX - sizeof(*cp)) /
2149                                    sizeof(struct mgmt_link_key_info));
2150         u16 key_count, expected_len;
2151         bool changed;
2152         int i;
2153 
2154         BT_DBG("request for %s", hdev->name);
2155 
2156         if (!lmp_bredr_capable(hdev))
2157                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2158                                        MGMT_STATUS_NOT_SUPPORTED);
2159 
2160         key_count = __le16_to_cpu(cp->key_count);
2161         if (key_count > max_key_count) {
2162                 BT_ERR("load_link_keys: too big key_count value %u",
2163                        key_count);
2164                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2165                                        MGMT_STATUS_INVALID_PARAMS);
2166         }
2167 
2168         expected_len = sizeof(*cp) + key_count *
2169                                         sizeof(struct mgmt_link_key_info);
2170         if (expected_len != len) {
2171                 BT_ERR("load_link_keys: expected %u bytes, got %u bytes",
2172                        expected_len, len);
2173                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2174                                        MGMT_STATUS_INVALID_PARAMS);
2175         }
2176 
2177         if (cp->debug_keys != 0x00 && cp->debug_keys != 0x01)
2178                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2179                                        MGMT_STATUS_INVALID_PARAMS);
2180 
2181         BT_DBG("%s debug_keys %u key_count %u", hdev->name, cp->debug_keys,
2182                key_count);
2183 
2184         for (i = 0; i < key_count; i++) {
2185                 struct mgmt_link_key_info *key = &cp->keys[i];
2186 
2187                 if (key->addr.type != BDADDR_BREDR || key->type > 0x08)
2188                         return mgmt_cmd_status(sk, hdev->id,
2189                                                MGMT_OP_LOAD_LINK_KEYS,
2190                                                MGMT_STATUS_INVALID_PARAMS);
2191         }
2192 
2193         hci_dev_lock(hdev);
2194 
2195         hci_link_keys_clear(hdev);
2196 
2197         if (cp->debug_keys)
2198                 changed = !hci_dev_test_and_set_flag(hdev, HCI_KEEP_DEBUG_KEYS);
2199         else
2200                 changed = hci_dev_test_and_clear_flag(hdev,
2201                                                       HCI_KEEP_DEBUG_KEYS);
2202 
2203         if (changed)
2204                 new_settings(hdev, NULL);
2205 
2206         for (i = 0; i < key_count; i++) {
2207                 struct mgmt_link_key_info *key = &cp->keys[i];
2208 
2209                 /* Always ignore debug keys and require a new pairing if
2210                  * the user wants to use them.
2211                  */
2212                 if (key->type == HCI_LK_DEBUG_COMBINATION)
2213                         continue;
2214 
2215                 hci_add_link_key(hdev, NULL, &key->addr.bdaddr, key->val,
2216                                  key->type, key->pin_len, NULL);
2217         }
2218 
2219         mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS, 0, NULL, 0);
2220 
2221         hci_dev_unlock(hdev);
2222 
2223         return 0;
2224 }
2225 
2226 static int device_unpaired(struct hci_dev *hdev, bdaddr_t *bdaddr,
2227                            u8 addr_type, struct sock *skip_sk)
2228 {
2229         struct mgmt_ev_device_unpaired ev;
2230 
2231         bacpy(&ev.addr.bdaddr, bdaddr);
2232         ev.addr.type = addr_type;
2233 
2234         return mgmt_event(MGMT_EV_DEVICE_UNPAIRED, hdev, &ev, sizeof(ev),
2235                           skip_sk);
2236 }
2237 
2238 static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2239                          u16 len)
2240 {
2241         struct mgmt_cp_unpair_device *cp = data;
2242         struct mgmt_rp_unpair_device rp;
2243         struct hci_conn_params *params;
2244         struct mgmt_pending_cmd *cmd;
2245         struct hci_conn *conn;
2246         u8 addr_type;
2247         int err;
2248 
2249         memset(&rp, 0, sizeof(rp));
2250         bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
2251         rp.addr.type = cp->addr.type;
2252 
2253         if (!bdaddr_type_is_valid(cp->addr.type))
2254                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2255                                          MGMT_STATUS_INVALID_PARAMS,
2256                                          &rp, sizeof(rp));
2257 
2258         if (cp->disconnect != 0x00 && cp->disconnect != 0x01)
2259                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2260                                          MGMT_STATUS_INVALID_PARAMS,
2261                                          &rp, sizeof(rp));
2262 
2263         hci_dev_lock(hdev);
2264 
2265         if (!hdev_is_powered(hdev)) {
2266                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2267                                         MGMT_STATUS_NOT_POWERED, &rp,
2268                                         sizeof(rp));
2269                 goto unlock;
2270         }
2271 
2272         if (cp->addr.type == BDADDR_BREDR) {
2273                 /* If disconnection is requested, then look up the
2274                  * connection. If the remote device is connected, it
2275                  * will be later used to terminate the link.
2276                  *
2277                  * Setting it to NULL explicitly will cause no
2278                  * termination of the link.
2279                  */
2280                 if (cp->disconnect)
2281                         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
2282                                                        &cp->addr.bdaddr);
2283                 else
2284                         conn = NULL;
2285 
2286                 err = hci_remove_link_key(hdev, &cp->addr.bdaddr);
2287                 if (err < 0) {
2288                         err = mgmt_cmd_complete(sk, hdev->id,
2289                                                 MGMT_OP_UNPAIR_DEVICE,
2290                                                 MGMT_STATUS_NOT_PAIRED, &rp,
2291                                                 sizeof(rp));
2292                         goto unlock;
2293                 }
2294 
2295                 goto done;
2296         }
2297 
2298         /* LE address type */
2299         addr_type = le_addr_type(cp->addr.type);
2300 
2301         hci_remove_irk(hdev, &cp->addr.bdaddr, addr_type);
2302 
2303         err = hci_remove_ltk(hdev, &cp->addr.bdaddr, addr_type);
2304         if (err < 0) {
2305                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2306                                         MGMT_STATUS_NOT_PAIRED, &rp,
2307                                         sizeof(rp));
2308                 goto unlock;
2309         }
2310 
2311         conn = hci_conn_hash_lookup_le(hdev, &cp->addr.bdaddr, addr_type);
2312         if (!conn) {
2313                 hci_conn_params_del(hdev, &cp->addr.bdaddr, addr_type);
2314                 goto done;
2315         }
2316 
2317         /* Abort any ongoing SMP pairing */
2318         smp_cancel_pairing(conn);
2319 
2320         /* Defer clearing up the connection parameters until closing to
2321          * give a chance of keeping them if a repairing happens.
2322          */
2323         set_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags);
2324 
2325         /* Disable auto-connection parameters if present */
2326         params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr, addr_type);
2327         if (params) {
2328                 if (params->explicit_connect)
2329                         params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
2330                 else
2331                         params->auto_connect = HCI_AUTO_CONN_DISABLED;
2332         }
2333 
2334         /* If disconnection is not requested, then clear the connection
2335          * variable so that the link is not terminated.
2336          */
2337         if (!cp->disconnect)
2338                 conn = NULL;
2339 
2340 done:
2341         /* If the connection variable is set, then termination of the
2342          * link is requested.
2343          */
2344         if (!conn) {
2345                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE, 0,
2346                                         &rp, sizeof(rp));
2347                 device_unpaired(hdev, &cp->addr.bdaddr, cp->addr.type, sk);
2348                 goto unlock;
2349         }
2350 
2351         cmd = mgmt_pending_add(sk, MGMT_OP_UNPAIR_DEVICE, hdev, cp,
2352                                sizeof(*cp));
2353         if (!cmd) {
2354                 err = -ENOMEM;
2355                 goto unlock;
2356         }
2357 
2358         cmd->cmd_complete = addr_cmd_complete;
2359 
2360         err = hci_abort_conn(conn, HCI_ERROR_REMOTE_USER_TERM);
2361         if (err < 0)
2362                 mgmt_pending_remove(cmd);
2363 
2364 unlock:
2365         hci_dev_unlock(hdev);
2366         return err;
2367 }
2368 
2369 static int disconnect(struct sock *sk, struct hci_dev *hdev, void *data,
2370                       u16 len)
2371 {
2372         struct mgmt_cp_disconnect *cp = data;
2373         struct mgmt_rp_disconnect rp;
2374         struct mgmt_pending_cmd *cmd;
2375         struct hci_conn *conn;
2376         int err;
2377 
2378         BT_DBG("");
2379 
2380         memset(&rp, 0, sizeof(rp));
2381         bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
2382         rp.addr.type = cp->addr.type;
2383 
2384         if (!bdaddr_type_is_valid(cp->addr.type))
2385                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
2386                                          MGMT_STATUS_INVALID_PARAMS,
2387                                          &rp, sizeof(rp));
2388 
2389         hci_dev_lock(hdev);
2390 
2391         if (!test_bit(HCI_UP, &hdev->flags)) {
2392                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
2393                                         MGMT_STATUS_NOT_POWERED, &rp,
2394                                         sizeof(rp));
2395                 goto failed;
2396         }
2397 
2398         if (pending_find(MGMT_OP_DISCONNECT, hdev)) {
2399                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
2400                                         MGMT_STATUS_BUSY, &rp, sizeof(rp));
2401                 goto failed;
2402         }
2403 
2404         if (cp->addr.type == BDADDR_BREDR)
2405                 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
2406                                                &cp->addr.bdaddr);
2407         else
2408                 conn = hci_conn_hash_lookup_le(hdev, &cp->addr.bdaddr,
2409                                                le_addr_type(cp->addr.type));
2410 
2411         if (!conn || conn->state == BT_OPEN || conn->state == BT_CLOSED) {
2412                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
2413                                         MGMT_STATUS_NOT_CONNECTED, &rp,
2414                                         sizeof(rp));
2415                 goto failed;
2416         }
2417 
2418         cmd = mgmt_pending_add(sk, MGMT_OP_DISCONNECT, hdev, data, len);
2419         if (!cmd) {
2420                 err = -ENOMEM;
2421                 goto failed;
2422         }
2423 
2424         cmd->cmd_complete = generic_cmd_complete;
2425 
2426         err = hci_disconnect(conn, HCI_ERROR_REMOTE_USER_TERM);
2427         if (err < 0)
2428                 mgmt_pending_remove(cmd);
2429 
2430 failed:
2431         hci_dev_unlock(hdev);
2432         return err;
2433 }
2434 
2435 static u8 link_to_bdaddr(u8 link_type, u8 addr_type)
2436 {
2437         switch (link_type) {
2438         case LE_LINK:
2439                 switch (addr_type) {
2440                 case ADDR_LE_DEV_PUBLIC:
2441                         return BDADDR_LE_PUBLIC;
2442 
2443                 default:
2444                         /* Fallback to LE Random address type */
2445                         return BDADDR_LE_RANDOM;
2446                 }
2447 
2448         default:
2449                 /* Fallback to BR/EDR type */
2450                 return BDADDR_BREDR;
2451         }
2452 }
2453 
2454 static int get_connections(struct sock *sk, struct hci_dev *hdev, void *data,
2455                            u16 data_len)
2456 {
2457         struct mgmt_rp_get_connections *rp;
2458         struct hci_conn *c;
2459         size_t rp_len;
2460         int err;
2461         u16 i;
2462 
2463         BT_DBG("");
2464 
2465         hci_dev_lock(hdev);
2466 
2467         if (!hdev_is_powered(hdev)) {
2468                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_GET_CONNECTIONS,
2469                                       MGMT_STATUS_NOT_POWERED);
2470                 goto unlock;
2471         }
2472 
2473         i = 0;
2474         list_for_each_entry(c, &hdev->conn_hash.list, list) {
2475                 if (test_bit(HCI_CONN_MGMT_CONNECTED, &c->flags))
2476                         i++;
2477         }
2478 
2479         rp_len = sizeof(*rp) + (i * sizeof(struct mgmt_addr_info));
2480         rp = kmalloc(rp_len, GFP_KERNEL);
2481         if (!rp) {
2482                 err = -ENOMEM;
2483                 goto unlock;
2484         }
2485 
2486         i = 0;
2487         list_for_each_entry(c, &hdev->conn_hash.list, list) {
2488                 if (!test_bit(HCI_CONN_MGMT_CONNECTED, &c->flags))
2489                         continue;
2490                 bacpy(&rp->addr[i].bdaddr, &c->dst);
2491                 rp->addr[i].type = link_to_bdaddr(c->type, c->dst_type);
2492                 if (c->type == SCO_LINK || c->type == ESCO_LINK)
2493                         continue;
2494                 i++;
2495         }
2496 
2497         rp->conn_count = cpu_to_le16(i);
2498 
2499         /* Recalculate length in case of filtered SCO connections, etc */
2500         rp_len = sizeof(*rp) + (i * sizeof(struct mgmt_addr_info));
2501 
2502         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONNECTIONS, 0, rp,
2503                                 rp_len);
2504 
2505         kfree(rp);
2506 
2507 unlock:
2508         hci_dev_unlock(hdev);
2509         return err;
2510 }
2511 
2512 static int send_pin_code_neg_reply(struct sock *sk, struct hci_dev *hdev,
2513                                    struct mgmt_cp_pin_code_neg_reply *cp)
2514 {
2515         struct mgmt_pending_cmd *cmd;
2516         int err;
2517 
2518         cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_NEG_REPLY, hdev, cp,
2519                                sizeof(*cp));
2520         if (!cmd)
2521                 return -ENOMEM;
2522 
2523         cmd->cmd_complete = addr_cmd_complete;
2524 
2525         err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
2526                            sizeof(cp->addr.bdaddr), &cp->addr.bdaddr);
2527         if (err < 0)
2528                 mgmt_pending_remove(cmd);
2529 
2530         return err;
2531 }
2532 
2533 static int pin_code_reply(struct sock *sk, struct hci_dev *hdev, void *data,
2534                           u16 len)
2535 {
2536         struct hci_conn *conn;
2537         struct mgmt_cp_pin_code_reply *cp = data;
2538         struct hci_cp_pin_code_reply reply;
2539         struct mgmt_pending_cmd *cmd;
2540         int err;
2541 
2542         BT_DBG("");
2543 
2544         hci_dev_lock(hdev);
2545 
2546         if (!hdev_is_powered(hdev)) {
2547                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
2548                                       MGMT_STATUS_NOT_POWERED);
2549                 goto failed;
2550         }
2551 
2552         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->addr.bdaddr);
2553         if (!conn) {
2554                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
2555                                       MGMT_STATUS_NOT_CONNECTED);
2556                 goto failed;
2557         }
2558 
2559         if (conn->pending_sec_level == BT_SECURITY_HIGH && cp->pin_len != 16) {
2560                 struct mgmt_cp_pin_code_neg_reply ncp;
2561 
2562                 memcpy(&ncp.addr, &cp->addr, sizeof(ncp.addr));
2563 
2564                 BT_ERR("PIN code is not 16 bytes long");
2565 
2566                 err = send_pin_code_neg_reply(sk, hdev, &ncp);
2567                 if (err >= 0)
2568                         err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
2569                                               MGMT_STATUS_INVALID_PARAMS);
2570 
2571                 goto failed;
2572         }
2573 
2574         cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_REPLY, hdev, data, len);
2575         if (!cmd) {
2576                 err = -ENOMEM;
2577                 goto failed;
2578         }
2579 
2580         cmd->cmd_complete = addr_cmd_complete;
2581 
2582         bacpy(&reply.bdaddr, &cp->addr.bdaddr);
2583         reply.pin_len = cp->pin_len;
2584         memcpy(reply.pin_code, cp->pin_code, sizeof(reply.pin_code));
2585 
2586         err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_REPLY, sizeof(reply), &reply);
2587         if (err < 0)
2588                 mgmt_pending_remove(cmd);
2589 
2590 failed:
2591         hci_dev_unlock(hdev);
2592         return err;
2593 }
2594 
2595 static int set_io_capability(struct sock *sk, struct hci_dev *hdev, void *data,
2596                              u16 len)
2597 {
2598         struct mgmt_cp_set_io_capability *cp = data;
2599 
2600         BT_DBG("");
2601 
2602         if (cp->io_capability > SMP_IO_KEYBOARD_DISPLAY)
2603                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_IO_CAPABILITY,
2604                                        MGMT_STATUS_INVALID_PARAMS);
2605 
2606         hci_dev_lock(hdev);
2607 
2608         hdev->io_capability = cp->io_capability;
2609 
2610         BT_DBG("%s IO capability set to 0x%02x", hdev->name,
2611                hdev->io_capability);
2612 
2613         hci_dev_unlock(hdev);
2614 
2615         return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_IO_CAPABILITY, 0,
2616                                  NULL, 0);
2617 }
2618 
2619 static struct mgmt_pending_cmd *find_pairing(struct hci_conn *conn)
2620 {
2621         struct hci_dev *hdev = conn->hdev;
2622         struct mgmt_pending_cmd *cmd;
2623 
2624         list_for_each_entry(cmd, &hdev->mgmt_pending, list) {
2625                 if (cmd->opcode != MGMT_OP_PAIR_DEVICE)
2626                         continue;
2627 
2628                 if (cmd->user_data != conn)
2629                         continue;
2630 
2631                 return cmd;
2632         }
2633 
2634         return NULL;
2635 }
2636 
2637 static int pairing_complete(struct mgmt_pending_cmd *cmd, u8 status)
2638 {
2639         struct mgmt_rp_pair_device rp;
2640         struct hci_conn *conn = cmd->user_data;
2641         int err;
2642 
2643         bacpy(&rp.addr.bdaddr, &conn->dst);
2644         rp.addr.type = link_to_bdaddr(conn->type, conn->dst_type);
2645 
2646         err = mgmt_cmd_complete(cmd->sk, cmd->index, MGMT_OP_PAIR_DEVICE,
2647                                 status, &rp, sizeof(rp));
2648 
2649         /* So we don't get further callbacks for this connection */
2650         conn->connect_cfm_cb = NULL;
2651         conn->security_cfm_cb = NULL;
2652         conn->disconn_cfm_cb = NULL;
2653 
2654         hci_conn_drop(conn);
2655 
2656         /* The device is paired so there is no need to remove
2657          * its connection parameters anymore.
2658          */
2659         clear_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags);
2660 
2661         hci_conn_put(conn);
2662 
2663         return err;
2664 }
2665 
2666 void mgmt_smp_complete(struct hci_conn *conn, bool complete)
2667 {
2668         u8 status = complete ? MGMT_STATUS_SUCCESS : MGMT_STATUS_FAILED;
2669         struct mgmt_pending_cmd *cmd;
2670 
2671         cmd = find_pairing(conn);
2672         if (cmd) {
2673                 cmd->cmd_complete(cmd, status);
2674                 mgmt_pending_remove(cmd);
2675         }
2676 }
2677 
2678 static void pairing_complete_cb(struct hci_conn *conn, u8 status)
2679 {
2680         struct mgmt_pending_cmd *cmd;
2681 
2682         BT_DBG("status %u", status);
2683 
2684         cmd = find_pairing(conn);
2685         if (!cmd) {
2686                 BT_DBG("Unable to find a pending command");
2687                 return;
2688         }
2689 
2690         cmd->cmd_complete(cmd, mgmt_status(status));
2691         mgmt_pending_remove(cmd);
2692 }
2693 
2694 static void le_pairing_complete_cb(struct hci_conn *conn, u8 status)
2695 {
2696         struct mgmt_pending_cmd *cmd;
2697 
2698         BT_DBG("status %u", status);
2699 
2700         if (!status)
2701                 return;
2702 
2703         cmd = find_pairing(conn);
2704         if (!cmd) {
2705                 BT_DBG("Unable to find a pending command");
2706                 return;
2707         }
2708 
2709         cmd->cmd_complete(cmd, mgmt_status(status));
2710         mgmt_pending_remove(cmd);
2711 }
2712 
2713 static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2714                        u16 len)
2715 {
2716         struct mgmt_cp_pair_device *cp = data;
2717         struct mgmt_rp_pair_device rp;
2718         struct mgmt_pending_cmd *cmd;
2719         u8 sec_level, auth_type;
2720         struct hci_conn *conn;
2721         int err;
2722 
2723         BT_DBG("");
2724 
2725         memset(&rp, 0, sizeof(rp));
2726         bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
2727         rp.addr.type = cp->addr.type;
2728 
2729         if (!bdaddr_type_is_valid(cp->addr.type))
2730                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2731                                          MGMT_STATUS_INVALID_PARAMS,
2732                                          &rp, sizeof(rp));
2733 
2734         if (cp->io_cap > SMP_IO_KEYBOARD_DISPLAY)
2735                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2736                                          MGMT_STATUS_INVALID_PARAMS,
2737                                          &rp, sizeof(rp));
2738 
2739         hci_dev_lock(hdev);
2740 
2741         if (!hdev_is_powered(hdev)) {
2742                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2743                                         MGMT_STATUS_NOT_POWERED, &rp,
2744                                         sizeof(rp));
2745                 goto unlock;
2746         }
2747 
2748         if (hci_bdaddr_is_paired(hdev, &cp->addr.bdaddr, cp->addr.type)) {
2749                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2750                                         MGMT_STATUS_ALREADY_PAIRED, &rp,
2751                                         sizeof(rp));
2752                 goto unlock;
2753         }
2754 
2755         sec_level = BT_SECURITY_MEDIUM;
2756         auth_type = HCI_AT_DEDICATED_BONDING;
2757 
2758         if (cp->addr.type == BDADDR_BREDR) {
2759                 conn = hci_connect_acl(hdev, &cp->addr.bdaddr, sec_level,
2760                                        auth_type);
2761         } else {
2762                 u8 addr_type = le_addr_type(cp->addr.type);
2763                 struct hci_conn_params *p;
2764 
2765                 /* When pairing a new device, it is expected to remember
2766                  * this device for future connections. Adding the connection
2767                  * parameter information ahead of time allows tracking
2768                  * of the slave preferred values and will speed up any
2769                  * further connection establishment.
2770                  *
2771                  * If connection parameters already exist, then they
2772                  * will be kept and this function does nothing.
2773                  */
2774                 p = hci_conn_params_add(hdev, &cp->addr.bdaddr, addr_type);
2775 
2776                 if (p->auto_connect == HCI_AUTO_CONN_EXPLICIT)
2777                         p->auto_connect = HCI_AUTO_CONN_DISABLED;
2778 
2779                 conn = hci_connect_le_scan(hdev, &cp->addr.bdaddr,
2780                                            addr_type, sec_level,
2781                                            HCI_LE_CONN_TIMEOUT);
2782         }
2783 
2784         if (IS_ERR(conn)) {
2785                 int status;
2786 
2787                 if (PTR_ERR(conn) == -EBUSY)
2788                         status = MGMT_STATUS_BUSY;
2789                 else if (PTR_ERR(conn) == -EOPNOTSUPP)
2790                         status = MGMT_STATUS_NOT_SUPPORTED;
2791                 else if (PTR_ERR(conn) == -ECONNREFUSED)
2792                         status = MGMT_STATUS_REJECTED;
2793                 else
2794                         status = MGMT_STATUS_CONNECT_FAILED;
2795 
2796                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2797                                         status, &rp, sizeof(rp));
2798                 goto unlock;
2799         }
2800 
2801         if (conn->connect_cfm_cb) {
2802                 hci_conn_drop(conn);
2803                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2804                                         MGMT_STATUS_BUSY, &rp, sizeof(rp));
2805                 goto unlock;
2806         }
2807 
2808         cmd = mgmt_pending_add(sk, MGMT_OP_PAIR_DEVICE, hdev, data, len);
2809         if (!cmd) {
2810                 err = -ENOMEM;
2811                 hci_conn_drop(conn);
2812                 goto unlock;
2813         }
2814 
2815         cmd->cmd_complete = pairing_complete;
2816 
2817         /* For LE, just connecting isn't a proof that the pairing finished */
2818         if (cp->addr.type == BDADDR_BREDR) {
2819                 conn->connect_cfm_cb = pairing_complete_cb;
2820                 conn->security_cfm_cb = pairing_complete_cb;
2821                 conn->disconn_cfm_cb = pairing_complete_cb;
2822         } else {
2823                 conn->connect_cfm_cb = le_pairing_complete_cb;
2824                 conn->security_cfm_cb = le_pairing_complete_cb;
2825                 conn->disconn_cfm_cb = le_pairing_complete_cb;
2826         }
2827 
2828         conn->io_capability = cp->io_cap;
2829         cmd->user_data = hci_conn_get(conn);
2830 
2831         if ((conn->state == BT_CONNECTED || conn->state == BT_CONFIG) &&
2832             hci_conn_security(conn, sec_level, auth_type, true)) {
2833                 cmd->cmd_complete(cmd, 0);
2834                 mgmt_pending_remove(cmd);
2835         }
2836 
2837         err = 0;
2838 
2839 unlock:
2840         hci_dev_unlock(hdev);
2841         return err;
2842 }
2843 
2844 static int cancel_pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2845                               u16 len)
2846 {
2847         struct mgmt_addr_info *addr = data;
2848         struct mgmt_pending_cmd *cmd;
2849         struct hci_conn *conn;
2850         int err;
2851 
2852         BT_DBG("");
2853 
2854         hci_dev_lock(hdev);
2855 
2856         if (!hdev_is_powered(hdev)) {
2857                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
2858                                       MGMT_STATUS_NOT_POWERED);
2859                 goto unlock;
2860         }
2861 
2862         cmd = pending_find(MGMT_OP_PAIR_DEVICE, hdev);
2863         if (!cmd) {
2864                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
2865                                       MGMT_STATUS_INVALID_PARAMS);
2866                 goto unlock;
2867         }
2868 
2869         conn = cmd->user_data;
2870 
2871         if (bacmp(&addr->bdaddr, &conn->dst) != 0) {
2872                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
2873                                       MGMT_STATUS_INVALID_PARAMS);
2874                 goto unlock;
2875         }
2876 
2877         cmd->cmd_complete(cmd, MGMT_STATUS_CANCELLED);
2878         mgmt_pending_remove(cmd);
2879 
2880         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE, 0,
2881                                 addr, sizeof(*addr));
2882 unlock:
2883         hci_dev_unlock(hdev);
2884         return err;
2885 }
2886 
2887 static int user_pairing_resp(struct sock *sk, struct hci_dev *hdev,
2888                              struct mgmt_addr_info *addr, u16 mgmt_op,
2889                              u16 hci_op, __le32 passkey)
2890 {
2891         struct mgmt_pending_cmd *cmd;
2892         struct hci_conn *conn;
2893         int err;
2894 
2895         hci_dev_lock(hdev);
2896 
2897         if (!hdev_is_powered(hdev)) {
2898                 err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
2899                                         MGMT_STATUS_NOT_POWERED, addr,
2900                                         sizeof(*addr));
2901                 goto done;
2902         }
2903 
2904         if (addr->type == BDADDR_BREDR)
2905                 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &addr->bdaddr);
2906         else
2907                 conn = hci_conn_hash_lookup_le(hdev, &addr->bdaddr,
2908                                                le_addr_type(addr->type));
2909 
2910         if (!conn) {
2911                 err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
2912                                         MGMT_STATUS_NOT_CONNECTED, addr,
2913                                         sizeof(*addr));
2914                 goto done;
2915         }
2916 
2917         if (addr->type == BDADDR_LE_PUBLIC || addr->type == BDADDR_LE_RANDOM) {
2918                 err = smp_user_confirm_reply(conn, mgmt_op, passkey);
2919                 if (!err)
2920                         err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
2921                                                 MGMT_STATUS_SUCCESS, addr,
2922                                                 sizeof(*addr));
2923                 else
2924                         err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
2925                                                 MGMT_STATUS_FAILED, addr,
2926                                                 sizeof(*addr));
2927 
2928                 goto done;
2929         }
2930 
2931         cmd = mgmt_pending_add(sk, mgmt_op, hdev, addr, sizeof(*addr));
2932         if (!cmd) {
2933                 err = -ENOMEM;
2934                 goto done;
2935         }
2936 
2937         cmd->cmd_complete = addr_cmd_complete;
2938 
2939         /* Continue with pairing via HCI */
2940         if (hci_op == HCI_OP_USER_PASSKEY_REPLY) {
2941                 struct hci_cp_user_passkey_reply cp;
2942 
2943                 bacpy(&cp.bdaddr, &addr->bdaddr);
2944                 cp.passkey = passkey;
2945                 err = hci_send_cmd(hdev, hci_op, sizeof(cp), &cp);
2946         } else
2947                 err = hci_send_cmd(hdev, hci_op, sizeof(addr->bdaddr),
2948                                    &addr->bdaddr);
2949 
2950         if (err < 0)
2951                 mgmt_pending_remove(cmd);
2952 
2953 done:
2954         hci_dev_unlock(hdev);
2955         return err;
2956 }
2957 
2958 static int pin_code_neg_reply(struct sock *sk, struct hci_dev *hdev,
2959                               void *data, u16 len)
2960 {
2961         struct mgmt_cp_pin_code_neg_reply *cp = data;
2962 
2963         BT_DBG("");
2964 
2965         return user_pairing_resp(sk, hdev, &cp->addr,
2966                                 MGMT_OP_PIN_CODE_NEG_REPLY,
2967                                 HCI_OP_PIN_CODE_NEG_REPLY, 0);
2968 }
2969 
2970 static int user_confirm_reply(struct sock *sk, struct hci_dev *hdev, void *data,
2971                               u16 len)
2972 {
2973         struct mgmt_cp_user_confirm_reply *cp = data;
2974 
2975         BT_DBG("");
2976 
2977         if (len != sizeof(*cp))
2978                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_USER_CONFIRM_REPLY,
2979                                        MGMT_STATUS_INVALID_PARAMS);
2980 
2981         return user_pairing_resp(sk, hdev, &cp->addr,
2982                                  MGMT_OP_USER_CONFIRM_REPLY,
2983                                  HCI_OP_USER_CONFIRM_REPLY, 0);
2984 }
2985 
2986 static int user_confirm_neg_reply(struct sock *sk, struct hci_dev *hdev,
2987                                   void *data, u16 len)
2988 {
2989         struct mgmt_cp_user_confirm_neg_reply *cp = data;
2990 
2991         BT_DBG("");
2992 
2993         return user_pairing_resp(sk, hdev, &cp->addr,
2994                                  MGMT_OP_USER_CONFIRM_NEG_REPLY,
2995                                  HCI_OP_USER_CONFIRM_NEG_REPLY, 0);
2996 }
2997 
2998 static int user_passkey_reply(struct sock *sk, struct hci_dev *hdev, void *data,
2999                               u16 len)
3000 {
3001         struct mgmt_cp_user_passkey_reply *cp = data;
3002 
3003         BT_DBG("");
3004 
3005         return user_pairing_resp(sk, hdev, &cp->addr,
3006                                  MGMT_OP_USER_PASSKEY_REPLY,
3007                                  HCI_OP_USER_PASSKEY_REPLY, cp->passkey);
3008 }
3009 
3010 static int user_passkey_neg_reply(struct sock *sk, struct hci_dev *hdev,
3011                                   void *data, u16 len)
3012 {
3013         struct mgmt_cp_user_passkey_neg_reply *cp = data;
3014 
3015         BT_DBG("");
3016 
3017         return user_pairing_resp(sk, hdev, &cp->addr,
3018                                  MGMT_OP_USER_PASSKEY_NEG_REPLY,
3019                                  HCI_OP_USER_PASSKEY_NEG_REPLY, 0);
3020 }
3021 
3022 static void adv_expire(struct hci_dev *hdev, u32 flags)
3023 {
3024         struct adv_info *adv_instance;
3025         struct hci_request req;
3026         int err;
3027 
3028         adv_instance = hci_find_adv_instance(hdev, hdev->cur_adv_instance);
3029         if (!adv_instance)
3030                 return;
3031 
3032         /* stop if current instance doesn't need to be changed */
3033         if (!(adv_instance->flags & flags))
3034                 return;
3035 
3036         cancel_adv_timeout(hdev);
3037 
3038         adv_instance = hci_get_next_instance(hdev, adv_instance->instance);
3039         if (!adv_instance)
3040                 return;
3041 
3042         hci_req_init(&req, hdev);
3043         err = __hci_req_schedule_adv_instance(&req, adv_instance->instance,
3044                                               true);
3045         if (err)
3046                 return;
3047 
3048         hci_req_run(&req, NULL);
3049 }
3050 
3051 static void set_name_complete(struct hci_dev *hdev, u8 status, u16 opcode)
3052 {
3053         struct mgmt_cp_set_local_name *cp;
3054         struct mgmt_pending_cmd *cmd;
3055 
3056         BT_DBG("status 0x%02x", status);
3057 
3058         hci_dev_lock(hdev);
3059 
3060         cmd = pending_find(MGMT_OP_SET_LOCAL_NAME, hdev);
3061         if (!cmd)
3062                 goto unlock;
3063 
3064         cp = cmd->param;
3065 
3066         if (status) {
3067                 mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_LOCAL_NAME,
3068                                 mgmt_status(status));
3069         } else {
3070                 mgmt_cmd_complete(cmd->sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, 0,
3071                                   cp, sizeof(*cp));
3072 
3073                 if (hci_dev_test_flag(hdev, HCI_LE_ADV))
3074                         adv_expire(hdev, MGMT_ADV_FLAG_LOCAL_NAME);
3075         }
3076 
3077         mgmt_pending_remove(cmd);
3078 
3079 unlock:
3080         hci_dev_unlock(hdev);
3081 }
3082 
3083 static int set_local_name(struct sock *sk, struct hci_dev *hdev, void *data,
3084                           u16 len)
3085 {
3086         struct mgmt_cp_set_local_name *cp = data;
3087         struct mgmt_pending_cmd *cmd;
3088         struct hci_request req;
3089         int err;
3090 
3091         BT_DBG("");
3092 
3093         hci_dev_lock(hdev);
3094 
3095         /* If the old values are the same as the new ones just return a
3096          * direct command complete event.
3097          */
3098         if (!memcmp(hdev->dev_name, cp->name, sizeof(hdev->dev_name)) &&
3099             !memcmp(hdev->short_name, cp->short_name,
3100                     sizeof(hdev->short_name))) {
3101                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, 0,
3102                                         data, len);
3103                 goto failed;
3104         }
3105 
3106         memcpy(hdev->short_name, cp->short_name, sizeof(hdev->short_name));
3107 
3108         if (!hdev_is_powered(hdev)) {
3109                 memcpy(hdev->dev_name, cp->name, sizeof(hdev->dev_name));
3110 
3111                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, 0,
3112                                         data, len);
3113                 if (err < 0)
3114                         goto failed;
3115 
3116                 err = mgmt_limited_event(MGMT_EV_LOCAL_NAME_CHANGED, hdev, data,
3117                                          len, HCI_MGMT_LOCAL_NAME_EVENTS, sk);
3118                 ext_info_changed(hdev, sk);
3119 
3120                 goto failed;
3121         }
3122 
3123         cmd = mgmt_pending_add(sk, MGMT_OP_SET_LOCAL_NAME, hdev, data, len);
3124         if (!cmd) {
3125                 err = -ENOMEM;
3126                 goto failed;
3127         }
3128 
3129         memcpy(hdev->dev_name, cp->name, sizeof(hdev->dev_name));
3130 
3131         hci_req_init(&req, hdev);
3132 
3133         if (lmp_bredr_capable(hdev)) {
3134                 __hci_req_update_name(&req);
3135                 __hci_req_update_eir(&req);
3136         }
3137 
3138         /* The name is stored in the scan response data and so
3139          * no need to udpate the advertising data here.
3140          */
3141         if (lmp_le_capable(hdev) && hci_dev_test_flag(hdev, HCI_ADVERTISING))
3142                 __hci_req_update_scan_rsp_data(&req, hdev->cur_adv_instance);
3143 
3144         err = hci_req_run(&req, set_name_complete);
3145         if (err < 0)
3146                 mgmt_pending_remove(cmd);
3147 
3148 failed:
3149         hci_dev_unlock(hdev);
3150         return err;
3151 }
3152 
3153 static int set_appearance(struct sock *sk, struct hci_dev *hdev, void *data,
3154                           u16 len)
3155 {
3156         struct mgmt_cp_set_appearance *cp = data;
3157         u16 apperance;
3158         int err;
3159 
3160         BT_DBG("");
3161 
3162         if (!lmp_le_capable(hdev))
3163                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_APPEARANCE,
3164                                        MGMT_STATUS_NOT_SUPPORTED);
3165 
3166         apperance = le16_to_cpu(cp->appearance);
3167 
3168         hci_dev_lock(hdev);
3169 
3170         if (hdev->appearance != apperance) {
3171                 hdev->appearance = apperance;
3172 
3173                 if (hci_dev_test_flag(hdev, HCI_LE_ADV))
3174                         adv_expire(hdev, MGMT_ADV_FLAG_APPEARANCE);
3175 
3176                 ext_info_changed(hdev, sk);
3177         }
3178 
3179         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_APPEARANCE, 0, NULL,
3180                                 0);
3181 
3182         hci_dev_unlock(hdev);
3183 
3184         return err;
3185 }
3186 
3187 static void read_local_oob_data_complete(struct hci_dev *hdev, u8 status,
3188                                          u16 opcode, struct sk_buff *skb)
3189 {
3190         struct mgmt_rp_read_local_oob_data mgmt_rp;
3191         size_t rp_size = sizeof(mgmt_rp);
3192         struct mgmt_pending_cmd *cmd;
3193 
3194         BT_DBG("%s status %u", hdev->name, status);
3195 
3196         cmd = pending_find(MGMT_OP_READ_LOCAL_OOB_DATA, hdev);
3197         if (!cmd)
3198                 return;
3199 
3200         if (status || !skb) {
3201                 mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
3202                                 status ? mgmt_status(status) : MGMT_STATUS_FAILED);
3203                 goto remove;
3204         }
3205 
3206         memset(&mgmt_rp, 0, sizeof(mgmt_rp));
3207 
3208         if (opcode == HCI_OP_READ_LOCAL_OOB_DATA) {
3209                 struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
3210 
3211                 if (skb->len < sizeof(*rp)) {
3212                         mgmt_cmd_status(cmd->sk, hdev->id,
3213                                         MGMT_OP_READ_LOCAL_OOB_DATA,
3214                                         MGMT_STATUS_FAILED);
3215                         goto remove;
3216                 }
3217 
3218                 memcpy(mgmt_rp.hash192, rp->hash, sizeof(rp->hash));
3219                 memcpy(mgmt_rp.rand192, rp->rand, sizeof(rp->rand));
3220 
3221                 rp_size -= sizeof(mgmt_rp.hash256) + sizeof(mgmt_rp.rand256);
3222         } else {
3223                 struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
3224 
3225                 if (skb->len < sizeof(*rp)) {
3226                         mgmt_cmd_status(cmd->sk, hdev->id,
3227                                         MGMT_OP_READ_LOCAL_OOB_DATA,
3228                                         MGMT_STATUS_FAILED);
3229                         goto remove;
3230                 }
3231 
3232                 memcpy(mgmt_rp.hash192, rp->hash192, sizeof(rp->hash192));
3233                 memcpy(mgmt_rp.rand192, rp->rand192, sizeof(rp->rand192));
3234 
3235                 memcpy(mgmt_rp.hash256, rp->hash256, sizeof(rp->hash256));
3236                 memcpy(mgmt_rp.rand256, rp->rand256, sizeof(rp->rand256));
3237         }
3238 
3239         mgmt_cmd_complete(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
3240                           MGMT_STATUS_SUCCESS, &mgmt_rp, rp_size);
3241 
3242 remove:
3243         mgmt_pending_remove(cmd);
3244 }
3245 
3246 static int read_local_oob_data(struct sock *sk, struct hci_dev *hdev,
3247                                void *data, u16 data_len)
3248 {
3249         struct mgmt_pending_cmd *cmd;
3250         struct hci_request req;
3251         int err;
3252 
3253         BT_DBG("%s", hdev->name);
3254 
3255         hci_dev_lock(hdev);
3256 
3257         if (!hdev_is_powered(hdev)) {
3258                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
3259                                       MGMT_STATUS_NOT_POWERED);
3260                 goto unlock;
3261         }
3262 
3263         if (!lmp_ssp_capable(hdev)) {
3264                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
3265                                       MGMT_STATUS_NOT_SUPPORTED);
3266                 goto unlock;
3267         }
3268 
3269         if (pending_find(MGMT_OP_READ_LOCAL_OOB_DATA, hdev)) {
3270                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
3271                                       MGMT_STATUS_BUSY);
3272                 goto unlock;
3273         }
3274 
3275         cmd = mgmt_pending_add(sk, MGMT_OP_READ_LOCAL_OOB_DATA, hdev, NULL, 0);
3276         if (!cmd) {
3277                 err = -ENOMEM;
3278                 goto unlock;
3279         }
3280 
3281         hci_req_init(&req, hdev);
3282 
3283         if (bredr_sc_enabled(hdev))
3284                 hci_req_add(&req, HCI_OP_READ_LOCAL_OOB_EXT_DATA, 0, NULL);
3285         else
3286                 hci_req_add(&req, HCI_OP_READ_LOCAL_OOB_DATA, 0, NULL);
3287 
3288         err = hci_req_run_skb(&req, read_local_oob_data_complete);
3289         if (err < 0)
3290                 mgmt_pending_remove(cmd);
3291 
3292 unlock:
3293         hci_dev_unlock(hdev);
3294         return err;
3295 }
3296 
3297 static int add_remote_oob_data(struct sock *sk, struct hci_dev *hdev,
3298                                void *data, u16 len)
3299 {
3300         struct mgmt_addr_info *addr = data;
3301         int err;
3302 
3303         BT_DBG("%s ", hdev->name);
3304 
3305         if (!bdaddr_type_is_valid(addr->type))
3306                 return mgmt_cmd_complete(sk, hdev->id,
3307                                          MGMT_OP_ADD_REMOTE_OOB_DATA,
3308                                          MGMT_STATUS_INVALID_PARAMS,
3309                                          addr, sizeof(*addr));
3310 
3311         hci_dev_lock(hdev);
3312 
3313         if (len == MGMT_ADD_REMOTE_OOB_DATA_SIZE) {
3314                 struct mgmt_cp_add_remote_oob_data *cp = data;
3315                 u8 status;
3316 
3317                 if (cp->addr.type != BDADDR_BREDR) {
3318                         err = mgmt_cmd_complete(sk, hdev->id,
3319                                                 MGMT_OP_ADD_REMOTE_OOB_DATA,
3320                                                 MGMT_STATUS_INVALID_PARAMS,
3321                                                 &cp->addr, sizeof(cp->addr));
3322                         goto unlock;
3323                 }
3324 
3325                 err = hci_add_remote_oob_data(hdev, &cp->addr.bdaddr,
3326                                               cp->addr.type, cp->hash,
3327                                               cp->rand, NULL, NULL);
3328                 if (err < 0)
3329                         status = MGMT_STATUS_FAILED;
3330                 else
3331                         status = MGMT_STATUS_SUCCESS;
3332 
3333                 err = mgmt_cmd_complete(sk, hdev->id,
3334                                         MGMT_OP_ADD_REMOTE_OOB_DATA, status,
3335                                         &cp->addr, sizeof(cp->addr));
3336         } else if (len == MGMT_ADD_REMOTE_OOB_EXT_DATA_SIZE) {
3337                 struct mgmt_cp_add_remote_oob_ext_data *cp = data;
3338                 u8 *rand192, *hash192, *rand256, *hash256;
3339                 u8 status;
3340 
3341                 if (bdaddr_type_is_le(cp->addr.type)) {
3342                         /* Enforce zero-valued 192-bit parameters as
3343                          * long as legacy SMP OOB isn't implemented.
3344                          */
3345                         if (memcmp(cp->rand192, ZERO_KEY, 16) ||
3346                             memcmp(cp->hash192, ZERO_KEY, 16)) {
3347                                 err = mgmt_cmd_complete(sk, hdev->id,
3348                                                         MGMT_OP_ADD_REMOTE_OOB_DATA,
3349                                                         MGMT_STATUS_INVALID_PARAMS,
3350                                                         addr, sizeof(*addr));
3351                                 goto unlock;
3352                         }
3353 
3354                         rand192 = NULL;
3355                         hash192 = NULL;
3356                 } else {
3357                         /* In case one of the P-192 values is set to zero,
3358                          * then just disable OOB data for P-192.
3359                          */
3360                         if (!memcmp(cp->rand192, ZERO_KEY, 16) ||
3361                             !memcmp(cp->hash192, ZERO_KEY, 16)) {
3362                                 rand192 = NULL;
3363                                 hash192 = NULL;
3364                         } else {
3365                                 rand192 = cp->rand192;
3366                                 hash192 = cp->hash192;
3367                         }
3368                 }
3369 
3370                 /* In case one of the P-256 values is set to zero, then just
3371                  * disable OOB data for P-256.
3372                  */
3373                 if (!memcmp(cp->rand256, ZERO_KEY, 16) ||
3374                     !memcmp(cp->hash256, ZERO_KEY, 16)) {
3375                         rand256 = NULL;
3376                         hash256 = NULL;
3377                 } else {
3378                         rand256 = cp->rand256;
3379                         hash256 = cp->hash256;
3380                 }
3381 
3382                 err = hci_add_remote_oob_data(hdev, &cp->addr.bdaddr,
3383                                               cp->addr.type, hash192, rand192,
3384                                               hash256, rand256);
3385                 if (err < 0)
3386                         status = MGMT_STATUS_FAILED;
3387                 else
3388                         status = MGMT_STATUS_SUCCESS;
3389 
3390                 err = mgmt_cmd_complete(sk, hdev->id,
3391                                         MGMT_OP_ADD_REMOTE_OOB_DATA,
3392                                         status, &cp->addr, sizeof(cp->addr));
3393         } else {
3394                 BT_ERR("add_remote_oob_data: invalid length of %u bytes", len);
3395                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_REMOTE_OOB_DATA,
3396                                       MGMT_STATUS_INVALID_PARAMS);
3397         }
3398 
3399 unlock:
3400         hci_dev_unlock(hdev);
3401         return err;
3402 }
3403 
3404 static int remove_remote_oob_data(struct sock *sk, struct hci_dev *hdev,
3405                                   void *data, u16 len)
3406 {
3407         struct mgmt_cp_remove_remote_oob_data *cp = data;
3408         u8 status;
3409         int err;
3410 
3411         BT_DBG("%s", hdev->name);
3412 
3413         if (cp->addr.type != BDADDR_BREDR)
3414                 return mgmt_cmd_complete(sk, hdev->id,
3415                                          MGMT_OP_REMOVE_REMOTE_OOB_DATA,
3416                                          MGMT_STATUS_INVALID_PARAMS,
3417                                          &cp->addr, sizeof(cp->addr));
3418 
3419         hci_dev_lock(hdev);
3420 
3421         if (!bacmp(&cp->addr.bdaddr, BDADDR_ANY)) {
3422                 hci_remote_oob_data_clear(hdev);
3423                 status = MGMT_STATUS_SUCCESS;
3424                 goto done;
3425         }
3426 
3427         err = hci_remove_remote_oob_data(hdev, &cp->addr.bdaddr, cp->addr.type);
3428         if (err < 0)
3429                 status = MGMT_STATUS_INVALID_PARAMS;
3430         else
3431                 status = MGMT_STATUS_SUCCESS;
3432 
3433 done:
3434         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
3435                                 status, &cp->addr, sizeof(cp->addr));
3436 
3437         hci_dev_unlock(hdev);
3438         return err;
3439 }
3440 
3441 void mgmt_start_discovery_complete(struct hci_dev *hdev, u8 status)
3442 {
3443         struct mgmt_pending_cmd *cmd;
3444 
3445         BT_DBG("status %d", status);
3446 
3447         hci_dev_lock(hdev);
3448 
3449         cmd = pending_find(MGMT_OP_START_DISCOVERY, hdev);
3450         if (!cmd)
3451                 cmd = pending_find(MGMT_OP_START_SERVICE_DISCOVERY, hdev);
3452 
3453         if (!cmd)
3454                 cmd = pending_find(MGMT_OP_START_LIMITED_DISCOVERY, hdev);
3455 
3456         if (cmd) {
3457                 cmd->cmd_complete(cmd, mgmt_status(status));
3458                 mgmt_pending_remove(cmd);
3459         }
3460 
3461         hci_dev_unlock(hdev);
3462 }
3463 
3464 static bool discovery_type_is_valid(struct hci_dev *hdev, uint8_t type,
3465                                     uint8_t *mgmt_status)
3466 {
3467         switch (type) {
3468         case DISCOV_TYPE_LE:
3469                 *mgmt_status = mgmt_le_support(hdev);
3470                 if (*mgmt_status)
3471                         return false;
3472                 break;
3473         case DISCOV_TYPE_INTERLEAVED:
3474                 *mgmt_status = mgmt_le_support(hdev);
3475                 if (*mgmt_status)
3476                         return false;
3477                 /* Intentional fall-through */
3478         case DISCOV_TYPE_BREDR:
3479                 *mgmt_status = mgmt_bredr_support(hdev);
3480                 if (*mgmt_status)
3481                         return false;
3482                 break;
3483         default:
3484                 *mgmt_status = MGMT_STATUS_INVALID_PARAMS;
3485                 return false;
3486         }
3487 
3488         return true;
3489 }
3490 
3491 static int start_discovery_internal(struct sock *sk, struct hci_dev *hdev,
3492                                     u16 op, void *data, u16 len)
3493 {
3494         struct mgmt_cp_start_discovery *cp = data;
3495         struct mgmt_pending_cmd *cmd;
3496         u8 status;
3497         int err;
3498 
3499         BT_DBG("%s", hdev->name);
3500 
3501         hci_dev_lock(hdev);
3502 
3503         if (!hdev_is_powered(hdev)) {
3504                 err = mgmt_cmd_complete(sk, hdev->id, op,
3505                                         MGMT_STATUS_NOT_POWERED,
3506                                         &cp->type, sizeof(cp->type));
3507                 goto failed;
3508         }
3509 
3510         if (hdev->discovery.state != DISCOVERY_STOPPED ||
3511             hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) {
3512                 err = mgmt_cmd_complete(sk, hdev->id, op, MGMT_STATUS_BUSY,
3513                                         &cp->type, sizeof(cp->type));
3514                 goto failed;
3515         }
3516 
3517         if (!discovery_type_is_valid(hdev, cp->type, &status)) {
3518                 err = mgmt_cmd_complete(sk, hdev->id, op, status,
3519                                         &cp->type, sizeof(cp->type));
3520                 goto failed;
3521         }
3522 
3523         /* Clear the discovery filter first to free any previously
3524          * allocated memory for the UUID list.
3525          */
3526         hci_discovery_filter_clear(hdev);
3527 
3528         hdev->discovery.type = cp->type;
3529         hdev->discovery.report_invalid_rssi = false;
3530         if (op == MGMT_OP_START_LIMITED_DISCOVERY)
3531                 hdev->discovery.limited = true;
3532         else
3533                 hdev->discovery.limited = false;
3534 
3535         cmd = mgmt_pending_add(sk, op, hdev, data, len);
3536         if (!cmd) {
3537                 err = -ENOMEM;
3538                 goto failed;
3539         }
3540 
3541         cmd->cmd_complete = generic_cmd_complete;
3542 
3543         hci_discovery_set_state(hdev, DISCOVERY_STARTING);
3544         queue_work(hdev->req_workqueue, &hdev->discov_update);
3545         err = 0;
3546 
3547 failed:
3548         hci_dev_unlock(hdev);
3549         return err;
3550 }
3551 
3552 static int start_discovery(struct sock *sk, struct hci_dev *hdev,
3553                            void *data, u16 len)
3554 {
3555         return start_discovery_internal(sk, hdev, MGMT_OP_START_DISCOVERY,
3556                                         data, len);
3557 }
3558 
3559 static int start_limited_discovery(struct sock *sk, struct hci_dev *hdev,
3560                                    void *data, u16 len)
3561 {
3562         return start_discovery_internal(sk, hdev,
3563                                         MGMT_OP_START_LIMITED_DISCOVERY,
3564                                         data, len);
3565 }
3566 
3567 static int service_discovery_cmd_complete(struct mgmt_pending_cmd *cmd,
3568                                           u8 status)
3569 {
3570         return mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status,
3571                                  cmd->param, 1);
3572 }
3573 
3574 static int start_service_discovery(struct sock *sk, struct hci_dev *hdev,
3575                                    void *data, u16 len)
3576 {
3577         struct mgmt_cp_start_service_discovery *cp = data;
3578         struct mgmt_pending_cmd *cmd;
3579         const u16 max_uuid_count = ((U16_MAX - sizeof(*cp)) / 16);
3580         u16 uuid_count, expected_len;
3581         u8 status;
3582         int err;
3583 
3584         BT_DBG("%s", hdev->name);
3585 
3586         hci_dev_lock(hdev);
3587 
3588         if (!hdev_is_powered(hdev)) {
3589                 err = mgmt_cmd_complete(sk, hdev->id,
3590                                         MGMT_OP_START_SERVICE_DISCOVERY,
3591                                         MGMT_STATUS_NOT_POWERED,
3592                                         &cp->type, sizeof(cp->type));
3593                 goto failed;
3594         }
3595 
3596         if (hdev->discovery.state != DISCOVERY_STOPPED ||
3597             hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) {
3598                 err = mgmt_cmd_complete(sk, hdev->id,
3599                                         MGMT_OP_START_SERVICE_DISCOVERY,
3600                                         MGMT_STATUS_BUSY, &cp->type,
3601                                         sizeof(cp->type));
3602                 goto failed;
3603         }
3604 
3605         uuid_count = __le16_to_cpu(cp->uuid_count);
3606         if (uuid_count > max_uuid_count) {
3607                 BT_ERR("service_discovery: too big uuid_count value %u",
3608                        uuid_count);
3609                 err = mgmt_cmd_complete(sk, hdev->id,
3610                                         MGMT_OP_START_SERVICE_DISCOVERY,
3611                                         MGMT_STATUS_INVALID_PARAMS, &cp->type,
3612                                         sizeof(cp->type));
3613                 goto failed;
3614         }
3615 
3616         expected_len = sizeof(*cp) + uuid_count * 16;
3617         if (expected_len != len) {
3618                 BT_ERR("service_discovery: expected %u bytes, got %u bytes",
3619                        expected_len, len);
3620                 err = mgmt_cmd_complete(sk, hdev->id,
3621                                         MGMT_OP_START_SERVICE_DISCOVERY,
3622                                         MGMT_STATUS_INVALID_PARAMS, &cp->type,
3623                                         sizeof(cp->type));
3624                 goto failed;
3625         }
3626 
3627         if (!discovery_type_is_valid(hdev, cp->type, &status)) {
3628                 err = mgmt_cmd_complete(sk, hdev->id,
3629                                         MGMT_OP_START_SERVICE_DISCOVERY,
3630                                         status, &cp->type, sizeof(cp->type));
3631                 goto failed;
3632         }
3633 
3634         cmd = mgmt_pending_add(sk, MGMT_OP_START_SERVICE_DISCOVERY,
3635                                hdev, data, len);
3636         if (!cmd) {
3637                 err = -ENOMEM;
3638                 goto failed;
3639         }
3640 
3641         cmd->cmd_complete = service_discovery_cmd_complete;
3642 
3643         /* Clear the discovery filter first to free any previously
3644          * allocated memory for the UUID list.
3645          */
3646         hci_discovery_filter_clear(hdev);
3647 
3648         hdev->discovery.result_filtering = true;
3649         hdev->discovery.type = cp->type;
3650         hdev->discovery.rssi = cp->rssi;
3651         hdev->discovery.uuid_count = uuid_count;
3652 
3653         if (uuid_count > 0) {
3654                 hdev->discovery.uuids = kmemdup(cp->uuids, uuid_count * 16,
3655                                                 GFP_KERNEL);
3656                 if (!hdev->discovery.uuids) {
3657                         err = mgmt_cmd_complete(sk, hdev->id,
3658                                                 MGMT_OP_START_SERVICE_DISCOVERY,
3659                                                 MGMT_STATUS_FAILED,
3660                                                 &cp->type, sizeof(cp->type));
3661                         mgmt_pending_remove(cmd);
3662                         goto failed;
3663                 }
3664         }
3665 
3666         hci_discovery_set_state(hdev, DISCOVERY_STARTING);
3667         queue_work(hdev->req_workqueue, &hdev->discov_update);
3668         err = 0;
3669 
3670 failed:
3671         hci_dev_unlock(hdev);
3672         return err;
3673 }
3674 
3675 void mgmt_stop_discovery_complete(struct hci_dev *hdev, u8 status)
3676 {
3677         struct mgmt_pending_cmd *cmd;
3678 
3679         BT_DBG("status %d", status);
3680 
3681         hci_dev_lock(hdev);
3682 
3683         cmd = pending_find(MGMT_OP_STOP_DISCOVERY, hdev);
3684         if (cmd) {
3685                 cmd->cmd_complete(cmd, mgmt_status(status));
3686                 mgmt_pending_remove(cmd);
3687         }
3688 
3689         hci_dev_unlock(hdev);
3690 }
3691 
3692 static int stop_discovery(struct sock *sk, struct hci_dev *hdev, void *data,
3693                           u16 len)
3694 {
3695         struct mgmt_cp_stop_discovery *mgmt_cp = data;
3696         struct mgmt_pending_cmd *cmd;
3697         int err;
3698 
3699         BT_DBG("%s", hdev->name);
3700 
3701         hci_dev_lock(hdev);
3702 
3703         if (!hci_discovery_active(hdev)) {
3704                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_STOP_DISCOVERY,
3705                                         MGMT_STATUS_REJECTED, &mgmt_cp->type,
3706                                         sizeof(mgmt_cp->type));
3707                 goto unlock;
3708         }
3709 
3710         if (hdev->discovery.type != mgmt_cp->type) {
3711                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_STOP_DISCOVERY,
3712                                         MGMT_STATUS_INVALID_PARAMS,
3713                                         &mgmt_cp->type, sizeof(mgmt_cp->type));
3714                 goto unlock;
3715         }
3716 
3717         cmd = mgmt_pending_add(sk, MGMT_OP_STOP_DISCOVERY, hdev, data, len);
3718         if (!cmd) {
3719                 err = -ENOMEM;
3720                 goto unlock;
3721         }
3722 
3723         cmd->cmd_complete = generic_cmd_complete;
3724 
3725         hci_discovery_set_state(hdev, DISCOVERY_STOPPING);
3726         queue_work(hdev->req_workqueue, &hdev->discov_update);
3727         err = 0;
3728 
3729 unlock:
3730         hci_dev_unlock(hdev);
3731         return err;
3732 }
3733 
3734 static int confirm_name(struct sock *sk, struct hci_dev *hdev, void *data,
3735                         u16 len)
3736 {
3737         struct mgmt_cp_confirm_name *cp = data;
3738         struct inquiry_entry *e;
3739         int err;
3740 
3741         BT_DBG("%s", hdev->name);
3742 
3743         hci_dev_lock(hdev);
3744 
3745         if (!hci_discovery_active(hdev)) {
3746                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CONFIRM_NAME,
3747                                         MGMT_STATUS_FAILED, &cp->addr,
3748                                         sizeof(cp->addr));
3749                 goto failed;
3750         }
3751 
3752         e = hci_inquiry_cache_lookup_unknown(hdev, &cp->addr.bdaddr);
3753         if (!e) {
3754                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CONFIRM_NAME,
3755                                         MGMT_STATUS_INVALID_PARAMS, &cp->addr,
3756                                         sizeof(cp->addr));
3757                 goto failed;
3758         }
3759 
3760         if (cp->name_known) {
3761                 e->name_state = NAME_KNOWN;
3762                 list_del(&e->list);
3763         } else {
3764                 e->name_state = NAME_NEEDED;
3765                 hci_inquiry_cache_update_resolve(hdev, e);
3766         }
3767 
3768         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CONFIRM_NAME, 0,
3769                                 &cp->addr, sizeof(cp->addr));
3770 
3771 failed:
3772         hci_dev_unlock(hdev);
3773         return err;
3774 }
3775 
3776 static int block_device(struct sock *sk, struct hci_dev *hdev, void *data,
3777                         u16 len)
3778 {
3779         struct mgmt_cp_block_device *cp = data;
3780         u8 status;
3781         int err;
3782 
3783         BT_DBG("%s", hdev->name);
3784 
3785         if (!bdaddr_type_is_valid(cp->addr.type))
3786                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_BLOCK_DEVICE,
3787                                          MGMT_STATUS_INVALID_PARAMS,
3788                                          &cp->addr, sizeof(cp->addr));
3789 
3790         hci_dev_lock(hdev);
3791 
3792         err = hci_bdaddr_list_add(&hdev->blacklist, &cp->addr.bdaddr,
3793                                   cp->addr.type);
3794         if (err < 0) {
3795                 status = MGMT_STATUS_FAILED;
3796                 goto done;
3797         }
3798 
3799         mgmt_event(MGMT_EV_DEVICE_BLOCKED, hdev, &cp->addr, sizeof(cp->addr),
3800                    sk);
3801         status = MGMT_STATUS_SUCCESS;
3802 
3803 done:
3804         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_BLOCK_DEVICE, status,
3805                                 &cp->addr, sizeof(cp->addr));
3806 
3807         hci_dev_unlock(hdev);
3808 
3809         return err;
3810 }
3811 
3812 static int unblock_device(struct sock *sk, struct hci_dev *hdev, void *data,
3813                           u16 len)
3814 {
3815         struct mgmt_cp_unblock_device *cp = data;
3816         u8 status;
3817         int err;
3818 
3819         BT_DBG("%s", hdev->name);
3820 
3821         if (!bdaddr_type_is_valid(cp->addr.type))
3822                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNBLOCK_DEVICE,
3823                                          MGMT_STATUS_INVALID_PARAMS,
3824                                          &cp->addr, sizeof(cp->addr));
3825 
3826         hci_dev_lock(hdev);
3827 
3828         err = hci_bdaddr_list_del(&hdev->blacklist, &cp->addr.bdaddr,
3829                                   cp->addr.type);
3830         if (err < 0) {
3831                 status = MGMT_STATUS_INVALID_PARAMS;
3832                 goto done;
3833         }
3834 
3835         mgmt_event(MGMT_EV_DEVICE_UNBLOCKED, hdev, &cp->addr, sizeof(cp->addr),
3836                    sk);
3837         status = MGMT_STATUS_SUCCESS;
3838 
3839 done:
3840         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNBLOCK_DEVICE, status,
3841                                 &cp->addr, sizeof(cp->addr));
3842 
3843         hci_dev_unlock(hdev);
3844 
3845         return err;
3846 }
3847 
3848 static int set_device_id(struct sock *sk, struct hci_dev *hdev, void *data,
3849                          u16 len)
3850 {
3851         struct mgmt_cp_set_device_id *cp = data;
3852         struct hci_request req;
3853         int err;
3854         __u16 source;
3855 
3856         BT_DBG("%s", hdev->name);
3857 
3858         source = __le16_to_cpu(cp->source);
3859 
3860         if (source > 0x0002)
3861                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEVICE_ID,
3862                                        MGMT_STATUS_INVALID_PARAMS);
3863 
3864         hci_dev_lock(hdev);
3865 
3866         hdev->devid_source = source;
3867         hdev->devid_vendor = __le16_to_cpu(cp->vendor);
3868         hdev->devid_product = __le16_to_cpu(cp->product);
3869         hdev->devid_version = __le16_to_cpu(cp->version);
3870 
3871         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_DEVICE_ID, 0,
3872                                 NULL, 0);
3873 
3874         hci_req_init(&req, hdev);
3875         __hci_req_update_eir(&req);
3876         hci_req_run(&req, NULL);
3877 
3878         hci_dev_unlock(hdev);
3879 
3880         return err;
3881 }
3882 
3883 static void enable_advertising_instance(struct hci_dev *hdev, u8 status,
3884                                         u16 opcode)
3885 {
3886         BT_DBG("status %d", status);
3887 }
3888 
3889 static void set_advertising_complete(struct hci_dev *hdev, u8 status,
3890                                      u16 opcode)
3891 {
3892         struct cmd_lookup match = { NULL, hdev };
3893         struct hci_request req;
3894         u8 instance;
3895         struct adv_info *adv_instance;
3896         int err;
3897 
3898         hci_dev_lock(hdev);
3899 
3900         if (status) {
3901                 u8 mgmt_err = mgmt_status(status);
3902 
3903                 mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev,
3904                                      cmd_status_rsp, &mgmt_err);
3905                 goto unlock;
3906         }
3907 
3908         if (hci_dev_test_flag(hdev, HCI_LE_ADV))
3909                 hci_dev_set_flag(hdev, HCI_ADVERTISING);
3910         else
3911                 hci_dev_clear_flag(hdev, HCI_ADVERTISING);
3912 
3913         mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev, settings_rsp,
3914                              &match);
3915 
3916         new_settings(hdev, match.sk);
3917 
3918         if (match.sk)
3919                 sock_put(match.sk);
3920 
3921         /* If "Set Advertising" was just disabled and instance advertising was
3922          * set up earlier, then re-enable multi-instance advertising.
3923          */
3924         if (hci_dev_test_flag(hdev, HCI_ADVERTISING) ||
3925             list_empty(&hdev->adv_instances))
3926                 goto unlock;
3927 
3928         instance = hdev->cur_adv_instance;
3929         if (!instance) {
3930                 adv_instance = list_first_entry_or_null(&hdev->adv_instances,
3931                                                         struct adv_info, list);
3932                 if (!adv_instance)
3933                         goto unlock;
3934 
3935                 instance = adv_instance->instance;
3936         }
3937 
3938         hci_req_init(&req, hdev);
3939 
3940         err = __hci_req_schedule_adv_instance(&req, instance, true);
3941 
3942         if (!err)
3943                 err = hci_req_run(&req, enable_advertising_instance);
3944 
3945         if (err)
3946                 BT_ERR("Failed to re-configure advertising");
3947 
3948 unlock:
3949         hci_dev_unlock(hdev);
3950 }
3951 
3952 static int set_advertising(struct sock *sk, struct hci_dev *hdev, void *data,
3953                            u16 len)
3954 {
3955         struct mgmt_mode *cp = data;
3956         struct mgmt_pending_cmd *cmd;
3957         struct hci_request req;
3958         u8 val, status;
3959         int err;
3960 
3961         BT_DBG("request for %s", hdev->name);
3962 
3963         status = mgmt_le_support(hdev);
3964         if (status)
3965                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
3966                                        status);
3967 
3968         if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
3969                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
3970                                        MGMT_STATUS_INVALID_PARAMS);
3971 
3972         hci_dev_lock(hdev);
3973 
3974         val = !!cp->val;
3975 
3976         /* The following conditions are ones which mean that we should
3977          * not do any HCI communication but directly send a mgmt
3978          * response to user space (after toggling the flag if
3979          * necessary).
3980          */
3981         if (!hdev_is_powered(hdev) ||
3982             (val == hci_dev_test_flag(hdev, HCI_ADVERTISING) &&
3983              (cp->val == 0x02) == hci_dev_test_flag(hdev, HCI_ADVERTISING_CONNECTABLE)) ||
3984             hci_conn_num(hdev, LE_LINK) > 0 ||
3985             (hci_dev_test_flag(hdev, HCI_LE_SCAN) &&
3986              hdev->le_scan_type == LE_SCAN_ACTIVE)) {
3987                 bool changed;
3988 
3989                 if (cp->val) {
3990                         hdev->cur_adv_instance = 0x00;
3991                         changed = !hci_dev_test_and_set_flag(hdev, HCI_ADVERTISING);
3992                         if (cp->val == 0x02)
3993                                 hci_dev_set_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
3994                         else
3995                                 hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
3996                 } else {
3997                         changed = hci_dev_test_and_clear_flag(hdev, HCI_ADVERTISING);
3998                         hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
3999                 }
4000 
4001                 err = send_settings_rsp(sk, MGMT_OP_SET_ADVERTISING, hdev);
4002                 if (err < 0)
4003                         goto unlock;
4004 
4005                 if (changed)
4006                         err = new_settings(hdev, sk);
4007 
4008                 goto unlock;
4009         }
4010 
4011         if (pending_find(MGMT_OP_SET_ADVERTISING, hdev) ||
4012             pending_find(MGMT_OP_SET_LE, hdev)) {
4013                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
4014                                       MGMT_STATUS_BUSY);
4015                 goto unlock;
4016         }
4017 
4018         cmd = mgmt_pending_add(sk, MGMT_OP_SET_ADVERTISING, hdev, data, len);
4019         if (!cmd) {
4020                 err = -ENOMEM;
4021                 goto unlock;
4022         }
4023 
4024         hci_req_init(&req, hdev);
4025 
4026         if (cp->val == 0x02)
4027                 hci_dev_set_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
4028         else
4029                 hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
4030 
4031         cancel_adv_timeout(hdev);
4032 
4033         if (val) {
4034                 /* Switch to instance "" for the Set Advertising setting.
4035                  * We cannot use update_[adv|scan_rsp]_data() here as the
4036                  * HCI_ADVERTISING flag is not yet set.
4037                  */
4038                 hdev->cur_adv_instance = 0x00;
4039                 __hci_req_update_adv_data(&req, 0x00);
4040                 __hci_req_update_scan_rsp_data(&req, 0x00);
4041                 __hci_req_enable_advertising(&req);
4042         } else {
4043                 __hci_req_disable_advertising(&req);
4044         }
4045 
4046         err = hci_req_run(&req, set_advertising_complete);
4047         if (err < 0)
4048                 mgmt_pending_remove(cmd);
4049 
4050 unlock:
4051         hci_dev_unlock(hdev);
4052         return err;
4053 }
4054 
4055 static int set_static_address(struct sock *sk, struct hci_dev *hdev,
4056                               void *data, u16 len)
4057 {
4058         struct mgmt_cp_set_static_address *cp = data;
4059         int err;
4060 
4061         BT_DBG("%s", hdev->name);
4062 
4063         if (!lmp_le_capable(hdev))
4064                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_STATIC_ADDRESS,
4065                                        MGMT_STATUS_NOT_SUPPORTED);
4066 
4067         if (hdev_is_powered(hdev))
4068                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_STATIC_ADDRESS,
4069                                        MGMT_STATUS_REJECTED);
4070 
4071         if (bacmp(&cp->bdaddr, BDADDR_ANY)) {
4072                 if (!bacmp(&cp->bdaddr, BDADDR_NONE))
4073                         return mgmt_cmd_status(sk, hdev->id,
4074                                                MGMT_OP_SET_STATIC_ADDRESS,
4075                                                MGMT_STATUS_INVALID_PARAMS);
4076 
4077                 /* Two most significant bits shall be set */
4078                 if ((cp->bdaddr.b[5] & 0xc0) != 0xc0)
4079                         return mgmt_cmd_status(sk, hdev->id,
4080                                                MGMT_OP_SET_STATIC_ADDRESS,
4081                                                MGMT_STATUS_INVALID_PARAMS);
4082         }
4083 
4084         hci_dev_lock(hdev);
4085 
4086         bacpy(&hdev->static_addr, &cp->bdaddr);
4087 
4088         err = send_settings_rsp(sk, MGMT_OP_SET_STATIC_ADDRESS, hdev);
4089         if (err < 0)
4090                 goto unlock;
4091 
4092         err = new_settings(hdev, sk);
4093 
4094 unlock:
4095         hci_dev_unlock(hdev);
4096         return err;
4097 }
4098 
4099 static int set_scan_params(struct sock *sk, struct hci_dev *hdev,
4100                            void *data, u16 len)
4101 {
4102         struct mgmt_cp_set_scan_params *cp = data;
4103         __u16 interval, window;
4104         int err;
4105 
4106         BT_DBG("%s", hdev->name);
4107 
4108         if (!lmp_le_capable(hdev))
4109                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
4110                                        MGMT_STATUS_NOT_SUPPORTED);
4111 
4112         interval = __le16_to_cpu(cp->interval);
4113 
4114         if (interval < 0x0004 || interval > 0x4000)
4115                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
4116                                        MGMT_STATUS_INVALID_PARAMS);
4117 
4118         window = __le16_to_cpu(cp->window);
4119 
4120         if (window < 0x0004 || window > 0x4000)
4121                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
4122                                        MGMT_STATUS_INVALID_PARAMS);
4123 
4124         if (window > interval)
4125                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
4126                                        MGMT_STATUS_INVALID_PARAMS);
4127 
4128         hci_dev_lock(hdev);
4129 
4130         hdev->le_scan_interval = interval;
4131         hdev->le_scan_window = window;
4132 
4133         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS, 0,
4134                                 NULL, 0);
4135 
4136         /* If background scan is running, restart it so new parameters are
4137          * loaded.
4138          */
4139         if (hci_dev_test_flag(hdev, HCI_LE_SCAN) &&
4140             hdev->discovery.state == DISCOVERY_STOPPED) {
4141                 struct hci_request req;
4142 
4143                 hci_req_init(&req, hdev);
4144 
4145                 hci_req_add_le_scan_disable(&req);
4146                 hci_req_add_le_passive_scan(&req);
4147 
4148                 hci_req_run(&req, NULL);
4149         }
4150 
4151         hci_dev_unlock(hdev);
4152 
4153         return err;
4154 }
4155 
4156 static void fast_connectable_complete(struct hci_dev *hdev, u8 status,
4157                                       u16 opcode)
4158 {
4159         struct mgmt_pending_cmd *cmd;
4160 
4161         BT_DBG("status 0x%02x", status);
4162 
4163         hci_dev_lock(hdev);
4164 
4165         cmd = pending_find(MGMT_OP_SET_FAST_CONNECTABLE, hdev);
4166         if (!cmd)
4167                 goto unlock;
4168 
4169         if (status) {
4170                 mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
4171                                 mgmt_status(status));
4172         } else {
4173                 struct mgmt_mode *cp = cmd->param;
4174 
4175                 if (cp->val)
4176                         hci_dev_set_flag(hdev, HCI_FAST_CONNECTABLE);
4177                 else
4178                         hci_dev_clear_flag(hdev, HCI_FAST_CONNECTABLE);
4179 
4180                 send_settings_rsp(cmd->sk, MGMT_OP_SET_FAST_CONNECTABLE, hdev);
4181                 new_settings(hdev, cmd->sk);
4182         }
4183 
4184         mgmt_pending_remove(cmd);
4185 
4186 unlock:
4187         hci_dev_unlock(hdev);
4188 }
4189 
4190 static int set_fast_connectable(struct sock *sk, struct hci_dev *hdev,
4191                                 void *data, u16 len)
4192 {
4193         struct mgmt_mode *cp = data;
4194         struct mgmt_pending_cmd *cmd;
4195         struct hci_request req;
4196         int err;
4197 
4198         BT_DBG("%s", hdev->name);
4199 
4200         if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) ||
4201             hdev->hci_ver < BLUETOOTH_VER_1_2)
4202                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
4203                                        MGMT_STATUS_NOT_SUPPORTED);
4204 
4205         if (cp->val != 0x00 && cp->val != 0x01)
4206                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
4207                                        MGMT_STATUS_INVALID_PARAMS);
4208 
4209         hci_dev_lock(hdev);
4210 
4211         if (pending_find(MGMT_OP_SET_FAST_CONNECTABLE, hdev)) {
4212                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
4213                                       MGMT_STATUS_BUSY);
4214                 goto unlock;
4215         }
4216 
4217         if (!!cp->val == hci_dev_test_flag(hdev, HCI_FAST_CONNECTABLE)) {
4218                 err = send_settings_rsp(sk, MGMT_OP_SET_FAST_CONNECTABLE,
4219                                         hdev);
4220                 goto unlock;
4221         }
4222 
4223         if (!hdev_is_powered(hdev)) {
4224                 hci_dev_change_flag(hdev, HCI_FAST_CONNECTABLE);
4225                 err = send_settings_rsp(sk, MGMT_OP_SET_FAST_CONNECTABLE,
4226                                         hdev);
4227                 new_settings(hdev, sk);
4228                 goto unlock;
4229         }
4230 
4231         cmd = mgmt_pending_add(sk, MGMT_OP_SET_FAST_CONNECTABLE, hdev,
4232                                data, len);
4233         if (!cmd) {
4234                 err = -ENOMEM;
4235                 goto unlock;
4236         }
4237 
4238         hci_req_init(&req, hdev);
4239 
4240         __hci_req_write_fast_connectable(&req, cp->val);
4241 
4242         err = hci_req_run(&req, fast_connectable_complete);
4243         if (err < 0) {
4244                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
4245                                       MGMT_STATUS_FAILED);
4246                 mgmt_pending_remove(cmd);
4247         }
4248 
4249 unlock:
4250         hci_dev_unlock(hdev);
4251 
4252         return err;
4253 }
4254 
4255 static void set_bredr_complete(struct hci_dev *hdev, u8 status, u16 opcode)
4256 {
4257         struct mgmt_pending_cmd *cmd;
4258 
4259         BT_DBG("status 0x%02x", status);
4260 
4261         hci_dev_lock(hdev);
4262 
4263         cmd = pending_find(MGMT_OP_SET_BREDR, hdev);
4264         if (!cmd)
4265                 goto unlock;
4266 
4267         if (status) {
4268                 u8 mgmt_err = mgmt_status(status);
4269 
4270                 /* We need to restore the flag if related HCI commands
4271                  * failed.
4272                  */
4273                 hci_dev_clear_flag(hdev, HCI_BREDR_ENABLED);
4274 
4275                 mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
4276         } else {
4277                 send_settings_rsp(cmd->sk, MGMT_OP_SET_BREDR, hdev);
4278                 new_settings(hdev, cmd->sk);
4279         }
4280 
4281         mgmt_pending_remove(cmd);
4282 
4283 unlock:
4284         hci_dev_unlock(hdev);
4285 }
4286 
4287 static int set_bredr(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
4288 {
4289         struct mgmt_mode *cp = data;
4290         struct mgmt_pending_cmd *cmd;
4291         struct hci_request req;
4292         int err;
4293 
4294         BT_DBG("request for %s", hdev->name);
4295 
4296         if (!lmp_bredr_capable(hdev) || !lmp_le_capable(hdev))
4297                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
4298                                        MGMT_STATUS_NOT_SUPPORTED);
4299 
4300         if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
4301                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
4302                                        MGMT_STATUS_REJECTED);
4303 
4304         if (cp->val != 0x00 && cp->val != 0x01)
4305                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
4306                                        MGMT_STATUS_INVALID_PARAMS);
4307 
4308         hci_dev_lock(hdev);
4309 
4310         if (cp->val == hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
4311                 err = send_settings_rsp(sk, MGMT_OP_SET_BREDR, hdev);
4312                 goto unlock;
4313         }
4314 
4315         if (!hdev_is_powered(hdev)) {
4316                 if (!cp->val) {
4317                         hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
4318                         hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
4319                         hci_dev_clear_flag(hdev, HCI_LINK_SECURITY);
4320                         hci_dev_clear_flag(hdev, HCI_FAST_CONNECTABLE);
4321                         hci_dev_clear_flag(hdev, HCI_HS_ENABLED);
4322                 }
4323 
4324                 hci_dev_change_flag(hdev, HCI_BREDR_ENABLED);
4325 
4326                 err = send_settings_rsp(sk, MGMT_OP_SET_BREDR, hdev);
4327                 if (err < 0)
4328                         goto unlock;
4329 
4330                 err = new_settings(hdev, sk);
4331                 goto unlock;
4332         }
4333 
4334         /* Reject disabling when powered on */
4335         if (!cp->val) {
4336                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
4337                                       MGMT_STATUS_REJECTED);
4338                 goto unlock;
4339         } else {
4340                 /* When configuring a dual-mode controller to operate
4341                  * with LE only and using a static address, then switching
4342                  * BR/EDR back on is not allowed.
4343                  *
4344                  * Dual-mode controllers shall operate with the public
4345                  * address as its identity address for BR/EDR and LE. So
4346                  * reject the attempt to create an invalid configuration.
4347                  *
4348                  * The same restrictions applies when secure connections
4349                  * has been enabled. For BR/EDR this is a controller feature
4350                  * while for LE it is a host stack feature. This means that
4351                  * switching BR/EDR back on when secure connections has been
4352                  * enabled is not a supported transaction.
4353                  */
4354                 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
4355                     (bacmp(&hdev->static_addr, BDADDR_ANY) ||
4356                      hci_dev_test_flag(hdev, HCI_SC_ENABLED))) {
4357                         err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
4358                                               MGMT_STATUS_REJECTED);
4359                         goto unlock;
4360                 }
4361         }
4362 
4363         if (pending_find(MGMT_OP_SET_BREDR, hdev)) {
4364                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
4365                                       MGMT_STATUS_BUSY);
4366                 goto unlock;
4367         }
4368 
4369         cmd = mgmt_pending_add(sk, MGMT_OP_SET_BREDR, hdev, data, len);
4370         if (!cmd) {
4371                 err = -ENOMEM;
4372                 goto unlock;
4373         }
4374 
4375         /* We need to flip the bit already here so that
4376          * hci_req_update_adv_data generates the correct flags.
4377          */
4378         hci_dev_set_flag(hdev, HCI_BREDR_ENABLED);
4379 
4380         hci_req_init(&req, hdev);
4381 
4382         __hci_req_write_fast_connectable(&req, false);
4383         __hci_req_update_scan(&req);
4384 
4385         /* Since only the advertising data flags will change, there
4386          * is no need to update the scan response data.
4387          */
4388         __hci_req_update_adv_data(&req, hdev->cur_adv_instance);
4389 
4390         err = hci_req_run(&req, set_bredr_complete);
4391         if (err < 0)
4392                 mgmt_pending_remove(cmd);
4393 
4394 unlock:
4395         hci_dev_unlock(hdev);
4396         return err;
4397 }
4398 
4399 static void sc_enable_complete(struct hci_dev *hdev, u8 status, u16 opcode)
4400 {
4401         struct mgmt_pending_cmd *cmd;
4402         struct mgmt_mode *cp;
4403 
4404         BT_DBG("%s status %u", hdev->name, status);
4405 
4406         hci_dev_lock(hdev);
4407 
4408         cmd = pending_find(MGMT_OP_SET_SECURE_CONN, hdev);
4409         if (!cmd)
4410                 goto unlock;
4411 
4412         if (status) {
4413                 mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode,
4414                                 mgmt_status(status));
4415                 goto remove;
4416         }
4417 
4418         cp = cmd->param;
4419 
4420         switch (cp->val) {
4421         case 0x00:
4422                 hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
4423                 hci_dev_clear_flag(hdev, HCI_SC_ONLY);
4424                 break;
4425         case 0x01:
4426                 hci_dev_set_flag(hdev, HCI_SC_ENABLED);
4427                 hci_dev_clear_flag(hdev, HCI_SC_ONLY);
4428                 break;
4429         case 0x02:
4430                 hci_dev_set_flag(hdev, HCI_SC_ENABLED);
4431                 hci_dev_set_flag(hdev, HCI_SC_ONLY);
4432                 break;
4433         }
4434 
4435         send_settings_rsp(cmd->sk, MGMT_OP_SET_SECURE_CONN, hdev);
4436         new_settings(hdev, cmd->sk);
4437 
4438 remove:
4439         mgmt_pending_remove(cmd);
4440 unlock:
4441         hci_dev_unlock(hdev);
4442 }
4443 
4444 static int set_secure_conn(struct sock *sk, struct hci_dev *hdev,
4445                            void *data, u16 len)
4446 {
4447         struct mgmt_mode *cp = data;
4448         struct mgmt_pending_cmd *cmd;
4449         struct hci_request req;
4450         u8 val;
4451         int err;
4452 
4453         BT_DBG("request for %s", hdev->name);
4454 
4455         if (!lmp_sc_capable(hdev) &&
4456             !hci_dev_test_flag(hdev, HCI_LE_ENABLED))
4457                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
4458                                        MGMT_STATUS_NOT_SUPPORTED);
4459 
4460         if (hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
4461             lmp_sc_capable(hdev) &&
4462             !hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
4463                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
4464                                        MGMT_STATUS_REJECTED);
4465 
4466         if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
4467                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
4468                                   MGMT_STATUS_INVALID_PARAMS);
4469 
4470         hci_dev_lock(hdev);
4471 
4472         if (!hdev_is_powered(hdev) || !lmp_sc_capable(hdev) ||
4473             !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
4474                 bool changed;
4475 
4476                 if (cp->val) {
4477                         changed = !hci_dev_test_and_set_flag(hdev,
4478                                                              HCI_SC_ENABLED);
4479                         if (cp->val == 0x02)
4480                                 hci_dev_set_flag(hdev, HCI_SC_ONLY);
4481                         else
4482                                 hci_dev_clear_flag(hdev, HCI_SC_ONLY);
4483                 } else {
4484                         changed = hci_dev_test_and_clear_flag(hdev,
4485                                                               HCI_SC_ENABLED);
4486                         hci_dev_clear_flag(hdev, HCI_SC_ONLY);
4487                 }
4488 
4489                 err = send_settings_rsp(sk, MGMT_OP_SET_SECURE_CONN, hdev);
4490                 if (err < 0)
4491                         goto failed;
4492 
4493                 if (changed)
4494                         err = new_settings(hdev, sk);
4495 
4496                 goto failed;
4497         }
4498 
4499         if (pending_find(MGMT_OP_SET_SECURE_CONN, hdev)) {
4500                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
4501                                       MGMT_STATUS_BUSY);
4502                 goto failed;
4503         }
4504 
4505         val = !!cp->val;
4506 
4507         if (val == hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
4508             (cp->val == 0x02) == hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
4509                 err = send_settings_rsp(sk, MGMT_OP_SET_SECURE_CONN, hdev);
4510                 goto failed;
4511         }
4512 
4513         cmd = mgmt_pending_add(sk, MGMT_OP_SET_SECURE_CONN, hdev, data, len);
4514         if (!cmd) {
4515                 err = -ENOMEM;
4516                 goto failed;
4517         }
4518 
4519         hci_req_init(&req, hdev);
4520         hci_req_add(&req, HCI_OP_WRITE_SC_SUPPORT, 1, &val);
4521         err = hci_req_run(&req, sc_enable_complete);
4522         if (err < 0) {
4523                 mgmt_pending_remove(cmd);
4524                 goto failed;
4525         }
4526 
4527 failed:
4528         hci_dev_unlock(hdev);
4529         return err;
4530 }
4531 
4532 static int set_debug_keys(struct sock *sk, struct hci_dev *hdev,
4533                           void *data, u16 len)
4534 {
4535         struct mgmt_mode *cp = data;
4536         bool changed, use_changed;
4537         int err;
4538 
4539         BT_DBG("request for %s", hdev->name);
4540 
4541         if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
4542                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEBUG_KEYS,
4543                                        MGMT_STATUS_INVALID_PARAMS);
4544 
4545         hci_dev_lock(hdev);
4546 
4547         if (cp->val)
4548                 changed = !hci_dev_test_and_set_flag(hdev, HCI_KEEP_DEBUG_KEYS);
4549         else
4550                 changed = hci_dev_test_and_clear_flag(hdev,
4551                                                       HCI_KEEP_DEBUG_KEYS);
4552 
4553         if (cp->val == 0x02)
4554                 use_changed = !hci_dev_test_and_set_flag(hdev,
4555                                                          HCI_USE_DEBUG_KEYS);
4556         else
4557                 use_changed = hci_dev_test_and_clear_flag(hdev,
4558                                                           HCI_USE_DEBUG_KEYS);
4559 
4560         if (hdev_is_powered(hdev) && use_changed &&
4561             hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
4562                 u8 mode = (cp->val == 0x02) ? 0x01 : 0x00;
4563                 hci_send_cmd(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE,
4564                              sizeof(mode), &mode);
4565         }
4566 
4567         err = send_settings_rsp(sk, MGMT_OP_SET_DEBUG_KEYS, hdev);
4568         if (err < 0)
4569                 goto unlock;
4570 
4571         if (changed)
4572                 err = new_settings(hdev, sk);
4573 
4574 unlock:
4575         hci_dev_unlock(hdev);
4576         return err;
4577 }
4578 
4579 static int set_privacy(struct sock *sk, struct hci_dev *hdev, void *cp_data,
4580                        u16 len)
4581 {
4582         struct mgmt_cp_set_privacy *cp = cp_data;
4583         bool changed;
4584         int err;
4585 
4586         BT_DBG("request for %s", hdev->name);
4587 
4588         if (!lmp_le_capable(hdev))
4589                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PRIVACY,
4590                                        MGMT_STATUS_NOT_SUPPORTED);
4591 
4592         if (cp->privacy != 0x00 && cp->privacy != 0x01 && cp->privacy != 0x02)
4593                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PRIVACY,
4594                                        MGMT_STATUS_INVALID_PARAMS);
4595 
4596         if (hdev_is_powered(hdev))
4597                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PRIVACY,
4598                                        MGMT_STATUS_REJECTED);
4599 
4600         hci_dev_lock(hdev);
4601 
4602         /* If user space supports this command it is also expected to
4603          * handle IRKs. Therefore, set the HCI_RPA_RESOLVING flag.
4604          */
4605         hci_dev_set_flag(hdev, HCI_RPA_RESOLVING);
4606 
4607         if (cp->privacy) {
4608                 changed = !hci_dev_test_and_set_flag(hdev, HCI_PRIVACY);
4609                 memcpy(hdev->irk, cp->irk, sizeof(hdev->irk));
4610                 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
4611                 if (cp->privacy == 0x02)
4612                         hci_dev_set_flag(hdev, HCI_LIMITED_PRIVACY);
4613                 else
4614                         hci_dev_clear_flag(hdev, HCI_LIMITED_PRIVACY);
4615         } else {
4616                 changed = hci_dev_test_and_clear_flag(hdev, HCI_PRIVACY);
4617                 memset(hdev->irk, 0, sizeof(hdev->irk));
4618                 hci_dev_clear_flag(hdev, HCI_RPA_EXPIRED);
4619                 hci_dev_clear_flag(hdev, HCI_LIMITED_PRIVACY);
4620         }
4621 
4622         err = send_settings_rsp(sk, MGMT_OP_SET_PRIVACY, hdev);
4623         if (err < 0)
4624                 goto unlock;
4625 
4626         if (changed)
4627                 err = new_settings(hdev, sk);
4628 
4629 unlock:
4630         hci_dev_unlock(hdev);
4631         return err;
4632 }
4633 
4634 static bool irk_is_valid(struct mgmt_irk_info *irk)
4635 {
4636         switch (irk->addr.type) {
4637         case BDADDR_LE_PUBLIC:
4638                 return true;
4639 
4640         case BDADDR_LE_RANDOM:
4641                 /* Two most significant bits shall be set */
4642                 if ((irk->addr.bdaddr.b[5] & 0xc0) != 0xc0)
4643                         return false;
4644                 return true;
4645         }
4646 
4647         return false;
4648 }
4649 
4650 static int load_irks(struct sock *sk, struct hci_dev *hdev, void *cp_data,
4651                      u16 len)
4652 {
4653         struct mgmt_cp_load_irks *cp = cp_data;
4654         const u16 max_irk_count = ((U16_MAX - sizeof(*cp)) /
4655                                    sizeof(struct mgmt_irk_info));
4656         u16 irk_count, expected_len;
4657         int i, err;
4658 
4659         BT_DBG("request for %s", hdev->name);
4660 
4661         if (!lmp_le_capable(hdev))
4662                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_IRKS,
4663                                        MGMT_STATUS_NOT_SUPPORTED);
4664 
4665         irk_count = __le16_to_cpu(cp->irk_count);
4666         if (irk_count > max_irk_count) {
4667                 BT_ERR("load_irks: too big irk_count value %u", irk_count);
4668                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_IRKS,
4669                                        MGMT_STATUS_INVALID_PARAMS);
4670         }
4671 
4672         expected_len = sizeof(*cp) + irk_count * sizeof(struct mgmt_irk_info);
4673         if (expected_len != len) {
4674                 BT_ERR("load_irks: expected %u bytes, got %u bytes",
4675                        expected_len, len);
4676                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_IRKS,
4677                                        MGMT_STATUS_INVALID_PARAMS);
4678         }
4679 
4680         BT_DBG("%s irk_count %u", hdev->name, irk_count);
4681 
4682         for (i = 0; i < irk_count; i++) {
4683                 struct mgmt_irk_info *key = &cp->irks[i];
4684 
4685                 if (!irk_is_valid(key))
4686                         return mgmt_cmd_status(sk, hdev->id,
4687                                                MGMT_OP_LOAD_IRKS,
4688                                                MGMT_STATUS_INVALID_PARAMS);
4689         }
4690 
4691         hci_dev_lock(hdev);
4692 
4693         hci_smp_irks_clear(hdev);
4694 
4695         for (i = 0; i < irk_count; i++) {
4696                 struct mgmt_irk_info *irk = &cp->irks[i];
4697 
4698                 hci_add_irk(hdev, &irk->addr.bdaddr,
4699                             le_addr_type(irk->addr.type), irk->val,
4700                             BDADDR_ANY);
4701         }
4702 
4703         hci_dev_set_flag(hdev, HCI_RPA_RESOLVING);
4704 
4705         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_IRKS, 0, NULL, 0);
4706 
4707         hci_dev_unlock(hdev);
4708 
4709         return err;
4710 }
4711 
4712 static bool ltk_is_valid(struct mgmt_ltk_info *key)
4713 {
4714         if (key->master != 0x00 && key->master != 0x01)
4715                 return false;
4716 
4717         switch (key->addr.type) {
4718         case BDADDR_LE_PUBLIC:
4719                 return true;
4720 
4721         case BDADDR_LE_RANDOM:
4722                 /* Two most significant bits shall be set */
4723                 if ((key->addr.bdaddr.b[5] & 0xc0) != 0xc0)
4724                         return false;
4725                 return true;
4726         }
4727 
4728         return false;
4729 }
4730 
4731 static int load_long_term_keys(struct sock *sk, struct hci_dev *hdev,
4732                                void *cp_data, u16 len)
4733 {
4734         struct mgmt_cp_load_long_term_keys *cp = cp_data;
4735         const u16 max_key_count = ((U16_MAX - sizeof(*cp)) /
4736                                    sizeof(struct mgmt_ltk_info));
4737         u16 key_count, expected_len;
4738         int i, err;
4739 
4740         BT_DBG("request for %s", hdev->name);
4741 
4742         if (!lmp_le_capable(hdev))
4743                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS,
4744                                        MGMT_STATUS_NOT_SUPPORTED);
4745 
4746         key_count = __le16_to_cpu(cp->key_count);
4747         if (key_count > max_key_count) {
4748                 BT_ERR("load_ltks: too big key_count value %u", key_count);
4749                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS,
4750                                        MGMT_STATUS_INVALID_PARAMS);
4751         }
4752 
4753         expected_len = sizeof(*cp) + key_count *
4754                                         sizeof(struct mgmt_ltk_info);
4755         if (expected_len != len) {
4756                 BT_ERR("load_keys: expected %u bytes, got %u bytes",
4757                        expected_len, len);
4758                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS,
4759                                        MGMT_STATUS_INVALID_PARAMS);
4760         }
4761 
4762         BT_DBG("%s key_count %u", hdev->name, key_count);
4763 
4764         for (i = 0; i < key_count; i++) {
4765                 struct mgmt_ltk_info *key = &cp->keys[i];
4766 
4767                 if (!ltk_is_valid(key))
4768                         return mgmt_cmd_status(sk, hdev->id,
4769                                                MGMT_OP_LOAD_LONG_TERM_KEYS,
4770                                                MGMT_STATUS_INVALID_PARAMS);
4771         }
4772 
4773         hci_dev_lock(hdev);
4774 
4775         hci_smp_ltks_clear(hdev);
4776 
4777         for (i = 0; i < key_count; i++) {
4778                 struct mgmt_ltk_info *key = &cp->keys[i];
4779                 u8 type, authenticated;
4780 
4781                 switch (key->type) {
4782                 case MGMT_LTK_UNAUTHENTICATED:
4783                         authenticated = 0x00;
4784                         type = key->master ? SMP_LTK : SMP_LTK_SLAVE;
4785                         break;
4786                 case MGMT_LTK_AUTHENTICATED:
4787                         authenticated = 0x01;
4788                         type = key->master ? SMP_LTK : SMP_LTK_SLAVE;
4789                         break;
4790                 case MGMT_LTK_P256_UNAUTH:
4791                         authenticated = 0x00;
4792                         type = SMP_LTK_P256;
4793                         break;
4794                 case MGMT_LTK_P256_AUTH:
4795                         authenticated = 0x01;
4796                         type = SMP_LTK_P256;
4797                         break;
4798                 case MGMT_LTK_P256_DEBUG:
4799                         authenticated = 0x00;
4800                         type = SMP_LTK_P256_DEBUG;
4801                 default:
4802                         continue;
4803                 }
4804 
4805                 hci_add_ltk(hdev, &key->addr.bdaddr,
4806                             le_addr_type(key->addr.type), type, authenticated,
4807                             key->val, key->enc_size, key->ediv, key->rand);
4808         }
4809 
4810         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS, 0,
4811                            NULL, 0);
4812 
4813         hci_dev_unlock(hdev);
4814 
4815         return err;
4816 }
4817 
4818 static int conn_info_cmd_complete(struct mgmt_pending_cmd *cmd, u8 status)
4819 {
4820         struct hci_conn *conn = cmd->user_data;
4821         struct mgmt_rp_get_conn_info rp;
4822         int err;
4823 
4824         memcpy(&rp.addr, cmd->param, sizeof(rp.addr));
4825 
4826         if (status == MGMT_STATUS_SUCCESS) {
4827                 rp.rssi = conn->rssi;
4828                 rp.tx_power = conn->tx_power;
4829                 rp.max_tx_power = conn->max_tx_power;
4830         } else {
4831                 rp.rssi = HCI_RSSI_INVALID;
4832                 rp.tx_power = HCI_TX_POWER_INVALID;
4833                 rp.max_tx_power = HCI_TX_POWER_INVALID;
4834         }
4835 
4836         err = mgmt_cmd_complete(cmd->sk, cmd->index, MGMT_OP_GET_CONN_INFO,
4837                                 status, &rp, sizeof(rp));
4838 
4839         hci_conn_drop(conn);
4840         hci_conn_put(conn);
4841 
4842         return err;
4843 }
4844 
4845 static void conn_info_refresh_complete(struct hci_dev *hdev, u8 hci_status,
4846                                        u16 opcode)
4847 {
4848         struct hci_cp_read_rssi *cp;
4849         struct mgmt_pending_cmd *cmd;
4850         struct hci_conn *conn;
4851         u16 handle;
4852         u8 status;
4853 
4854         BT_DBG("status 0x%02x", hci_status);
4855 
4856         hci_dev_lock(hdev);
4857 
4858         /* Commands sent in request are either Read RSSI or Read Transmit Power
4859          * Level so we check which one was last sent to retrieve connection
4860          * handle.  Both commands have handle as first parameter so it's safe to
4861          * cast data on the same command struct.
4862          *
4863          * First command sent is always Read RSSI and we fail only if it fails.
4864          * In other case we simply override error to indicate success as we
4865          * already remembered if TX power value is actually valid.
4866          */
4867         cp = hci_sent_cmd_data(hdev, HCI_OP_READ_RSSI);
4868         if (!cp) {
4869                 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
4870                 status = MGMT_STATUS_SUCCESS;
4871         } else {
4872                 status = mgmt_status(hci_status);
4873         }
4874 
4875         if (!cp) {
4876                 BT_ERR("invalid sent_cmd in conn_info response");
4877                 goto unlock;
4878         }
4879 
4880         handle = __le16_to_cpu(cp->handle);
4881         conn = hci_conn_hash_lookup_handle(hdev, handle);
4882         if (!conn) {
4883                 BT_ERR("unknown handle (%d) in conn_info response", handle);
4884                 goto unlock;
4885         }
4886 
4887         cmd = pending_find_data(MGMT_OP_GET_CONN_INFO, hdev, conn);
4888         if (!cmd)
4889                 goto unlock;
4890 
4891         cmd->cmd_complete(cmd, status);
4892         mgmt_pending_remove(cmd);
4893 
4894 unlock:
4895         hci_dev_unlock(hdev);
4896 }
4897 
4898 static int get_conn_info(struct sock *sk, struct hci_dev *hdev, void *data,
4899                          u16 len)
4900 {
4901         struct mgmt_cp_get_conn_info *cp = data;
4902         struct mgmt_rp_get_conn_info rp;
4903         struct hci_conn *conn;
4904         unsigned long conn_info_age;
4905         int err = 0;
4906 
4907         BT_DBG("%s", hdev->name);
4908 
4909         memset(&rp, 0, sizeof(rp));
4910         bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
4911         rp.addr.type = cp->addr.type;
4912 
4913         if (!bdaddr_type_is_valid(cp->addr.type))
4914                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
4915                                          MGMT_STATUS_INVALID_PARAMS,
4916                                          &rp, sizeof(rp));
4917 
4918         hci_dev_lock(hdev);
4919 
4920         if (!hdev_is_powered(hdev)) {
4921                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
4922                                         MGMT_STATUS_NOT_POWERED, &rp,
4923                                         sizeof(rp));
4924                 goto unlock;
4925         }
4926 
4927         if (cp->addr.type == BDADDR_BREDR)
4928                 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
4929                                                &cp->addr.bdaddr);
4930         else
4931                 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->addr.bdaddr);
4932 
4933         if (!conn || conn->state != BT_CONNECTED) {
4934                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
4935                                         MGMT_STATUS_NOT_CONNECTED, &rp,
4936                                         sizeof(rp));
4937                 goto unlock;
4938         }
4939 
4940         if (pending_find_data(MGMT_OP_GET_CONN_INFO, hdev, conn)) {
4941                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
4942                                         MGMT_STATUS_BUSY, &rp, sizeof(rp));
4943                 goto unlock;
4944         }
4945 
4946         /* To avoid client trying to guess when to poll again for information we
4947          * calculate conn info age as random value between min/max set in hdev.
4948          */
4949         conn_info_age = hdev->conn_info_min_age +
4950                         prandom_u32_max(hdev->conn_info_max_age -
4951                                         hdev->conn_info_min_age);
4952 
4953         /* Query controller to refresh cached values if they are too old or were
4954          * never read.
4955          */
4956         if (time_after(jiffies, conn->conn_info_timestamp +
4957                        msecs_to_jiffies(conn_info_age)) ||
4958             !conn->conn_info_timestamp) {
4959                 struct hci_request req;
4960                 struct hci_cp_read_tx_power req_txp_cp;
4961                 struct hci_cp_read_rssi req_rssi_cp;
4962                 struct mgmt_pending_cmd *cmd;
4963 
4964                 hci_req_init(&req, hdev);
4965                 req_rssi_cp.handle = cpu_to_le16(conn->handle);
4966                 hci_req_add(&req, HCI_OP_READ_RSSI, sizeof(req_rssi_cp),
4967                             &req_rssi_cp);
4968 
4969                 /* For LE links TX power does not change thus we don't need to
4970                  * query for it once value is known.
4971                  */
4972                 if (!bdaddr_type_is_le(cp->addr.type) ||
4973                     conn->tx_power == HCI_TX_POWER_INVALID) {
4974                         req_txp_cp.handle = cpu_to_le16(conn->handle);
4975                         req_txp_cp.type = 0x00;
4976                         hci_req_add(&req, HCI_OP_READ_TX_POWER,
4977                                     sizeof(req_txp_cp), &req_txp_cp);
4978                 }
4979 
4980                 /* Max TX power needs to be read only once per connection */
4981                 if (conn->max_tx_power == HCI_TX_POWER_INVALID) {
4982                         req_txp_cp.handle = cpu_to_le16(conn->handle);
4983                         req_txp_cp.type = 0x01;
4984                         hci_req_add(&req, HCI_OP_READ_TX_POWER,
4985                                     sizeof(req_txp_cp), &req_txp_cp);
4986                 }
4987 
4988                 err = hci_req_run(&req, conn_info_refresh_complete);
4989                 if (err < 0)
4990                         goto unlock;
4991 
4992                 cmd = mgmt_pending_add(sk, MGMT_OP_GET_CONN_INFO, hdev,
4993                                        data, len);
4994                 if (!cmd) {
4995                         err = -ENOMEM;
4996                         goto unlock;
4997                 }
4998 
4999                 hci_conn_hold(conn);
5000                 cmd->user_data = hci_conn_get(conn);
5001                 cmd->cmd_complete = conn_info_cmd_complete;
5002 
5003                 conn->conn_info_timestamp = jiffies;
5004         } else {
5005                 /* Cache is valid, just reply with values cached in hci_conn */
5006                 rp.rssi = conn->rssi;
5007                 rp.tx_power = conn->tx_power;
5008                 rp.max_tx_power = conn->max_tx_power;
5009 
5010                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
5011                                         MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
5012         }
5013 
5014 unlock:
5015         hci_dev_unlock(hdev);
5016         return err;
5017 }
5018 
5019 static int clock_info_cmd_complete(struct mgmt_pending_cmd *cmd, u8 status)
5020 {
5021         struct hci_conn *conn = cmd->user_data;
5022         struct mgmt_rp_get_clock_info rp;
5023         struct hci_dev *hdev;
5024         int err;
5025 
5026         memset(&rp, 0, sizeof(rp));
5027         memcpy(&rp.addr, cmd->param, sizeof(rp.addr));
5028 
5029         if (status)
5030                 goto complete;
5031 
5032         hdev = hci_dev_get(cmd->index);
5033         if (hdev) {
5034                 rp.local_clock = cpu_to_le32(hdev->clock);
5035                 hci_dev_put(hdev);
5036         }
5037 
5038         if (conn) {
5039                 rp.piconet_clock = cpu_to_le32(conn->clock);
5040                 rp.accuracy = cpu_to_le16(conn->clock_accuracy);
5041         }
5042 
5043 complete:
5044         err = mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status, &rp,
5045                                 sizeof(rp));
5046 
5047         if (conn) {
5048                 hci_conn_drop(conn);
5049                 hci_conn_put(conn);
5050         }
5051 
5052         return err;
5053 }
5054 
5055 static void get_clock_info_complete(struct hci_dev *hdev, u8 status, u16 opcode)
5056 {
5057         struct hci_cp_read_clock *hci_cp;
5058         struct mgmt_pending_cmd *cmd;
5059         struct hci_conn *conn;
5060 
5061         BT_DBG("%s status %u", hdev->name, status);
5062 
5063         hci_dev_lock(hdev);
5064 
5065         hci_cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
5066         if (!hci_cp)
5067                 goto unlock;
5068 
5069         if (hci_cp->which) {
5070                 u16 handle = __le16_to_cpu(hci_cp->handle);
5071                 conn = hci_conn_hash_lookup_handle(hdev, handle);
5072         } else {
5073                 conn = NULL;
5074         }
5075 
5076         cmd = pending_find_data(MGMT_OP_GET_CLOCK_INFO, hdev, conn);
5077         if (!cmd)
5078                 goto unlock;
5079 
5080         cmd->cmd_complete(cmd, mgmt_status(status));
5081         mgmt_pending_remove(cmd);
5082 
5083 unlock:
5084         hci_dev_unlock(hdev);
5085 }
5086 
5087 static int get_clock_info(struct sock *sk, struct hci_dev *hdev, void *data,
5088                          u16 len)
5089 {
5090         struct mgmt_cp_get_clock_info *cp = data;
5091         struct mgmt_rp_get_clock_info rp;
5092         struct hci_cp_read_clock hci_cp;
5093         struct mgmt_pending_cmd *cmd;
5094         struct hci_request req;
5095         struct hci_conn *conn;
5096         int err;
5097 
5098         BT_DBG("%s", hdev->name);
5099 
5100         memset(&rp, 0, sizeof(rp));
5101         bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
5102         rp.addr.type = cp->addr.type;
5103 
5104         if (cp->addr.type != BDADDR_BREDR)
5105                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CLOCK_INFO,
5106                                          MGMT_STATUS_INVALID_PARAMS,
5107                                          &rp, sizeof(rp));
5108 
5109         hci_dev_lock(hdev);
5110 
5111         if (!hdev_is_powered(hdev)) {
5112                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CLOCK_INFO,
5113                                         MGMT_STATUS_NOT_POWERED, &rp,
5114                                         sizeof(rp));
5115                 goto unlock;
5116         }
5117 
5118         if (bacmp(&cp->addr.bdaddr, BDADDR_ANY)) {
5119                 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
5120                                                &cp->addr.bdaddr);
5121                 if (!conn || conn->state != BT_CONNECTED) {
5122                         err = mgmt_cmd_complete(sk, hdev->id,
5123                                                 MGMT_OP_GET_CLOCK_INFO,
5124                                                 MGMT_STATUS_NOT_CONNECTED,
5125                                                 &rp, sizeof(rp));
5126                         goto unlock;
5127                 }
5128         } else {
5129                 conn = NULL;
5130         }
5131 
5132         cmd = mgmt_pending_add(sk, MGMT_OP_GET_CLOCK_INFO, hdev, data, len);
5133         if (!cmd) {
5134                 err = -ENOMEM;
5135                 goto unlock;
5136         }
5137 
5138         cmd->cmd_complete = clock_info_cmd_complete;
5139 
5140         hci_req_init(&req, hdev);
5141 
5142         memset(&hci_cp, 0, sizeof(hci_cp));
5143         hci_req_add(&req, HCI_OP_READ_CLOCK, sizeof(hci_cp), &hci_cp);
5144 
5145         if (conn) {
5146                 hci_conn_hold(conn);
5147                 cmd->user_data = hci_conn_get(conn);
5148 
5149                 hci_cp.handle = cpu_to_le16(conn->handle);
5150                 hci_cp.which = 0x01; /* Piconet clock */
5151                 hci_req_add(&req, HCI_OP_READ_CLOCK, sizeof(hci_cp), &hci_cp);
5152         }
5153 
5154         err = hci_req_run(&req, get_clock_info_complete);
5155         if (err < 0)
5156                 mgmt_pending_remove(cmd);
5157 
5158 unlock:
5159         hci_dev_unlock(hdev);
5160         return err;
5161 }
5162 
5163 static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type)
5164 {
5165         struct hci_conn *conn;
5166 
5167         conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, addr);
5168         if (!conn)
5169                 return false;
5170 
5171         if (conn->dst_type != type)
5172                 return false;
5173 
5174         if (conn->state != BT_CONNECTED)
5175                 return false;
5176 
5177         return true;
5178 }
5179 
5180 /* This function requires the caller holds hdev->lock */
5181 static int hci_conn_params_set(struct hci_dev *hdev, bdaddr_t *addr,
5182                                u8 addr_type, u8 auto_connect)
5183 {
5184         struct hci_conn_params *params;
5185 
5186         params = hci_conn_params_add(hdev, addr, addr_type);
5187         if (!params)
5188                 return -EIO;
5189 
5190         if (params->auto_connect == auto_connect)
5191                 return 0;
5192 
5193         list_del_init(&params->action);
5194 
5195         switch (auto_connect) {
5196         case HCI_AUTO_CONN_DISABLED:
5197         case HCI_AUTO_CONN_LINK_LOSS:
5198                 /* If auto connect is being disabled when we're trying to
5199                  * connect to device, keep connecting.
5200                  */
5201                 if (params->explicit_connect)
5202                         list_add(&params->action, &hdev->pend_le_conns);
5203                 break;
5204         case HCI_AUTO_CONN_REPORT:
5205                 if (params->explicit_connect)
5206                         list_add(&params->action, &hdev->pend_le_conns);
5207                 else
5208                         list_add(&params->action, &hdev->pend_le_reports);
5209                 break;
5210         case HCI_AUTO_CONN_DIRECT:
5211         case HCI_AUTO_CONN_ALWAYS:
5212                 if (!is_connected(hdev, addr, addr_type))
5213                         list_add(&params->action, &hdev->pend_le_conns);
5214                 break;
5215         }
5216 
5217         params->auto_connect = auto_connect;
5218 
5219         BT_DBG("addr %pMR (type %u) auto_connect %u", addr, addr_type,
5220                auto_connect);
5221 
5222         return 0;
5223 }
5224 
5225 static void device_added(struct sock *sk, struct hci_dev *hdev,
5226                          bdaddr_t *bdaddr, u8 type, u8 action)
5227 {
5228         struct mgmt_ev_device_added ev;
5229 
5230         bacpy(&ev.addr.bdaddr, bdaddr);
5231         ev.addr.type = type;
5232         ev.action = action;
5233 
5234         mgmt_event(MGMT_EV_DEVICE_ADDED, hdev, &ev, sizeof(ev), sk);
5235 }
5236 
5237 static int add_device(struct sock *sk, struct hci_dev *hdev,
5238                       void *data, u16 len)
5239 {
5240         struct mgmt_cp_add_device *cp = data;
5241         u8 auto_conn, addr_type;
5242         int err;
5243 
5244         BT_DBG("%s", hdev->name);
5245 
5246         if (!bdaddr_type_is_valid(cp->addr.type) ||
5247             !bacmp(&cp->addr.bdaddr, BDADDR_ANY))
5248                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
5249                                          MGMT_STATUS_INVALID_PARAMS,
5250                                          &cp->addr, sizeof(cp->addr));
5251 
5252         if (cp->action != 0x00 && cp->action != 0x01 && cp->action != 0x02)
5253                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
5254                                          MGMT_STATUS_INVALID_PARAMS,
5255                                          &cp->addr, sizeof(cp->addr));
5256 
5257         hci_dev_lock(hdev);
5258 
5259         if (cp->addr.type == BDADDR_BREDR) {
5260                 /* Only incoming connections action is supported for now */
5261                 if (cp->action != 0x01) {
5262                         err = mgmt_cmd_complete(sk, hdev->id,
5263                                                 MGMT_OP_ADD_DEVICE,
5264                                                 MGMT_STATUS_INVALID_PARAMS,
5265                                                 &cp->addr, sizeof(cp->addr));
5266                         goto unlock;
5267                 }
5268 
5269                 err = hci_bdaddr_list_add(&hdev->whitelist, &cp->addr.bdaddr,
5270                                           cp->addr.type);
5271                 if (err)
5272                         goto unlock;
5273 
5274                 hci_req_update_scan(hdev);
5275 
5276                 goto added;
5277         }
5278 
5279         addr_type = le_addr_type(cp->addr.type);
5280 
5281         if (cp->action == 0x02)
5282                 auto_conn = HCI_AUTO_CONN_ALWAYS;
5283         else if (cp->action == 0x01)
5284                 auto_conn = HCI_AUTO_CONN_DIRECT;
5285         else
5286                 auto_conn = HCI_AUTO_CONN_REPORT;
5287 
5288         /* Kernel internally uses conn_params with resolvable private
5289          * address, but Add Device allows only identity addresses.
5290          * Make sure it is enforced before calling
5291          * hci_conn_params_lookup.
5292          */
5293         if (!hci_is_identity_address(&cp->addr.bdaddr, addr_type)) {
5294                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
5295                                         MGMT_STATUS_INVALID_PARAMS,
5296                                         &cp->addr, sizeof(cp->addr));
5297                 goto unlock;
5298         }
5299 
5300         /* If the connection parameters don't exist for this device,
5301          * they will be created and configured with defaults.
5302          */
5303         if (hci_conn_params_set(hdev, &cp->addr.bdaddr, addr_type,
5304                                 auto_conn) < 0) {
5305                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
5306                                         MGMT_STATUS_FAILED, &cp->addr,
5307                                         sizeof(cp->addr));
5308                 goto unlock;
5309         }
5310 
5311         hci_update_background_scan(hdev);
5312 
5313 added:
5314         device_added(sk, hdev, &cp->addr.bdaddr, cp->addr.type, cp->action);
5315 
5316         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
5317                                 MGMT_STATUS_SUCCESS, &cp->addr,
5318                                 sizeof(cp->addr));
5319 
5320 unlock:
5321         hci_dev_unlock(hdev);
5322         return err;
5323 }
5324 
5325 static void device_removed(struct sock *sk, struct hci_dev *hdev,
5326                            bdaddr_t *bdaddr, u8 type)
5327 {
5328         struct mgmt_ev_device_removed ev;
5329 
5330         bacpy(&ev.addr.bdaddr, bdaddr);
5331         ev.addr.type = type;
5332 
5333         mgmt_event(MGMT_EV_DEVICE_REMOVED, hdev, &ev, sizeof(ev), sk);
5334 }
5335 
5336 static int remove_device(struct sock *sk, struct hci_dev *hdev,
5337                          void *data, u16 len)
5338 {
5339         struct mgmt_cp_remove_device *cp = data;
5340         int err;
5341 
5342         BT_DBG("%s", hdev->name);
5343 
5344         hci_dev_lock(hdev);
5345 
5346         if (bacmp(&cp->addr.bdaddr, BDADDR_ANY)) {
5347                 struct hci_conn_params *params;
5348                 u8 addr_type;
5349 
5350                 if (!bdaddr_type_is_valid(cp->addr.type)) {
5351                         err = mgmt_cmd_complete(sk, hdev->id,
5352                                                 MGMT_OP_REMOVE_DEVICE,
5353                                                 MGMT_STATUS_INVALID_PARAMS,
5354                                                 &cp->addr, sizeof(cp->addr));
5355                         goto unlock;
5356                 }
5357 
5358                 if (cp->addr.type == BDADDR_BREDR) {
5359                         err = hci_bdaddr_list_del(&hdev->whitelist,
5360                                                   &cp->addr.bdaddr,
5361                                                   cp->addr.type);
5362                         if (err) {
5363                                 err = mgmt_cmd_complete(sk, hdev->id,
5364                                                         MGMT_OP_REMOVE_DEVICE,
5365                                                         MGMT_STATUS_INVALID_PARAMS,
5366                                                         &cp->addr,
5367                                                         sizeof(cp->addr));
5368                                 goto unlock;
5369                         }
5370 
5371                         hci_req_update_scan(hdev);
5372 
5373                         device_removed(sk, hdev, &cp->addr.bdaddr,
5374                                        cp->addr.type);
5375                         goto complete;
5376                 }
5377 
5378                 addr_type = le_addr_type(cp->addr.type);
5379 
5380                 /* Kernel internally uses conn_params with resolvable private
5381                  * address, but Remove Device allows only identity addresses.
5382                  * Make sure it is enforced before calling
5383                  * hci_conn_params_lookup.
5384                  */
5385                 if (!hci_is_identity_address(&cp->addr.bdaddr, addr_type)) {
5386                         err = mgmt_cmd_complete(sk, hdev->id,
5387                                                 MGMT_OP_REMOVE_DEVICE,
5388                                                 MGMT_STATUS_INVALID_PARAMS,
5389                                                 &cp->addr, sizeof(cp->addr));
5390                         goto unlock;
5391                 }
5392 
5393                 params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr,
5394                                                 addr_type);
5395                 if (!params) {
5396                         err = mgmt_cmd_complete(sk, hdev->id,
5397                                                 MGMT_OP_REMOVE_DEVICE,
5398                                                 MGMT_STATUS_INVALID_PARAMS,
5399                                                 &cp->addr, sizeof(cp->addr));
5400                         goto unlock;
5401                 }
5402 
5403                 if (params->auto_connect == HCI_AUTO_CONN_DISABLED ||
5404                     params->auto_connect == HCI_AUTO_CONN_EXPLICIT) {
5405                         err = mgmt_cmd_complete(sk, hdev->id,
5406                                                 MGMT_OP_REMOVE_DEVICE,
5407                                                 MGMT_STATUS_INVALID_PARAMS,
5408                                                 &cp->addr, sizeof(cp->addr));
5409                         goto unlock;
5410                 }
5411 
5412                 list_del(&params->action);
5413                 list_del(&params->list);
5414                 kfree(params);
5415                 hci_update_background_scan(hdev);
5416 
5417                 device_removed(sk, hdev, &cp->addr.bdaddr, cp->addr.type);
5418         } else {
5419                 struct hci_conn_params *p, *tmp;
5420                 struct bdaddr_list *b, *btmp;
5421 
5422                 if (cp->addr.type) {
5423                         err = mgmt_cmd_complete(sk, hdev->id,
5424                                                 MGMT_OP_REMOVE_DEVICE,
5425                                                 MGMT_STATUS_INVALID_PARAMS,
5426                                                 &cp->addr, sizeof(cp->addr));
5427                         goto unlock;
5428                 }
5429 
5430                 list_for_each_entry_safe(b, btmp, &hdev->whitelist, list) {
5431                         device_removed(sk, hdev, &b->bdaddr, b->bdaddr_type);
5432                         list_del(&b->list);
5433                         kfree(b);
5434                 }
5435 
5436                 hci_req_update_scan(hdev);
5437 
5438                 list_for_each_entry_safe(p, tmp, &hdev->le_conn_params, list) {
5439                         if (p->auto_connect == HCI_AUTO_CONN_DISABLED)
5440                                 continue;
5441                         device_removed(sk, hdev, &p->addr, p->addr_type);
5442                         if (p->explicit_connect) {
5443                                 p->auto_connect = HCI_AUTO_CONN_EXPLICIT;
5444                                 continue;
5445                         }
5446                         list_del(&p->action);
5447                         list_del(&p->list);
5448                         kfree(p);
5449                 }
5450 
5451                 BT_DBG("All LE connection parameters were removed");
5452 
5453                 hci_update_background_scan(hdev);
5454         }
5455 
5456 complete:
5457         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_DEVICE,
5458                                 MGMT_STATUS_SUCCESS, &cp->addr,
5459                                 sizeof(cp->addr));
5460 unlock:
5461         hci_dev_unlock(hdev);
5462         return err;
5463 }
5464 
5465 static int load_conn_param(struct sock *sk, struct hci_dev *hdev, void *data,
5466                            u16 len)
5467 {
5468         struct mgmt_cp_load_conn_param *cp = data;
5469         const u16 max_param_count = ((U16_MAX - sizeof(*cp)) /
5470                                      sizeof(struct mgmt_conn_param));
5471         u16 param_count, expected_len;
5472         int i;
5473 
5474         if (!lmp_le_capable(hdev))
5475                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM,
5476                                        MGMT_STATUS_NOT_SUPPORTED);
5477 
5478         param_count = __le16_to_cpu(cp->param_count);
5479         if (param_count > max_param_count) {
5480                 BT_ERR("load_conn_param: too big param_count value %u",
5481                        param_count);
5482                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM,
5483                                        MGMT_STATUS_INVALID_PARAMS);
5484         }
5485 
5486         expected_len = sizeof(*cp) + param_count *
5487                                         sizeof(struct mgmt_conn_param);
5488         if (expected_len != len) {
5489                 BT_ERR("load_conn_param: expected %u bytes, got %u bytes",
5490                        expected_len, len);
5491                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM,
5492                                        MGMT_STATUS_INVALID_PARAMS);
5493         }
5494 
5495         BT_DBG("%s param_count %u", hdev->name, param_count);
5496 
5497         hci_dev_lock(hdev);
5498 
5499         hci_conn_params_clear_disabled(hdev);
5500 
5501         for (i = 0; i < param_count; i++) {
5502                 struct mgmt_conn_param *param = &cp->params[i];
5503                 struct hci_conn_params *hci_param;
5504                 u16 min, max, latency, timeout;
5505                 u8 addr_type;
5506 
5507                 BT_DBG("Adding %pMR (type %u)", &param->addr.bdaddr,
5508                        param->addr.type);
5509 
5510                 if (param->addr.type == BDADDR_LE_PUBLIC) {
5511                         addr_type = ADDR_LE_DEV_PUBLIC;
5512                 } else if (param->addr.type == BDADDR_LE_RANDOM) {
5513                         addr_type = ADDR_LE_DEV_RANDOM;
5514                 } else {
5515                         BT_ERR("Ignoring invalid connection parameters");
5516                         continue;
5517                 }
5518 
5519                 min = le16_to_cpu(param->min_interval);
5520                 max = le16_to_cpu(param->max_interval);
5521                 latency = le16_to_cpu(param->latency);
5522                 timeout = le16_to_cpu(param->timeout);
5523 
5524                 BT_DBG("min 0x%04x max 0x%04x latency 0x%04x timeout 0x%04x",
5525                        min, max, latency, timeout);
5526 
5527                 if (hci_check_conn_params(min, max, latency, timeout) < 0) {
5528                         BT_ERR("Ignoring invalid connection parameters");
5529                         continue;
5530                 }
5531 
5532                 hci_param = hci_conn_params_add(hdev, &param->addr.bdaddr,
5533                                                 addr_type);
5534                 if (!hci_param) {
5535                         BT_ERR("Failed to add connection parameters");
5536                         continue;
5537                 }
5538 
5539                 hci_param->conn_min_interval = min;
5540                 hci_param->conn_max_interval = max;
5541                 hci_param->conn_latency = latency;
5542                 hci_param->supervision_timeout = timeout;
5543         }
5544 
5545         hci_dev_unlock(hdev);
5546 
5547         return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM, 0,
5548                                  NULL, 0);
5549 }
5550 
5551 static int set_external_config(struct sock *sk, struct hci_dev *hdev,
5552                                void *data, u16 len)
5553 {
5554         struct mgmt_cp_set_external_config *cp = data;
5555         bool changed;
5556         int err;
5557 
5558         BT_DBG("%s", hdev->name);
5559 
5560         if (hdev_is_powered(hdev))
5561                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_EXTERNAL_CONFIG,
5562                                        MGMT_STATUS_REJECTED);
5563 
5564         if (cp->config != 0x00 && cp->config != 0x01)
5565                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_EXTERNAL_CONFIG,
5566                                          MGMT_STATUS_INVALID_PARAMS);
5567 
5568         if (!test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks))
5569                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_EXTERNAL_CONFIG,
5570                                        MGMT_STATUS_NOT_SUPPORTED);
5571 
5572         hci_dev_lock(hdev);
5573 
5574         if (cp->config)
5575                 changed = !hci_dev_test_and_set_flag(hdev, HCI_EXT_CONFIGURED);
5576         else
5577                 changed = hci_dev_test_and_clear_flag(hdev, HCI_EXT_CONFIGURED);
5578 
5579         err = send_options_rsp(sk, MGMT_OP_SET_EXTERNAL_CONFIG, hdev);
5580         if (err < 0)
5581                 goto unlock;
5582 
5583         if (!changed)
5584                 goto unlock;
5585 
5586         err = new_options(hdev, sk);
5587 
5588         if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED) == is_configured(hdev)) {
5589                 mgmt_index_removed(hdev);
5590 
5591                 if (hci_dev_test_and_change_flag(hdev, HCI_UNCONFIGURED)) {
5592                         hci_dev_set_flag(hdev, HCI_CONFIG);
5593                         hci_dev_set_flag(hdev, HCI_AUTO_OFF);
5594 
5595                         queue_work(hdev->req_workqueue, &hdev->power_on);
5596                 } else {
5597                         set_bit(HCI_RAW, &hdev->flags);
5598                         mgmt_index_added(hdev);
5599                 }
5600         }
5601 
5602 unlock:
5603         hci_dev_unlock(hdev);
5604         return err;
5605 }
5606 
5607 static int set_public_address(struct sock *sk, struct hci_dev *hdev,
5608                               void *data, u16 len)
5609 {
5610         struct mgmt_cp_set_public_address *cp = data;
5611         bool changed;
5612         int err;
5613 
5614         BT_DBG("%s", hdev->name);
5615 
5616         if (hdev_is_powered(hdev))
5617                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PUBLIC_ADDRESS,
5618                                        MGMT_STATUS_REJECTED);
5619 
5620         if (!bacmp(&cp->bdaddr, BDADDR_ANY))
5621                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PUBLIC_ADDRESS,
5622                                        MGMT_STATUS_INVALID_PARAMS);
5623 
5624         if (!hdev->set_bdaddr)
5625                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PUBLIC_ADDRESS,
5626                                        MGMT_STATUS_NOT_SUPPORTED);
5627 
5628         hci_dev_lock(hdev);
5629 
5630         changed = !!bacmp(&hdev->public_addr, &cp->bdaddr);
5631         bacpy(&hdev->public_addr, &cp->bdaddr);
5632 
5633         err = send_options_rsp(sk, MGMT_OP_SET_PUBLIC_ADDRESS, hdev);
5634         if (err < 0)
5635                 goto unlock;
5636 
5637         if (!changed)
5638                 goto unlock;
5639 
5640         if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
5641                 err = new_options(hdev, sk);
5642 
5643         if (is_configured(hdev)) {
5644                 mgmt_index_removed(hdev);
5645 
5646                 hci_dev_clear_flag(hdev, HCI_UNCONFIGURED);
5647 
5648                 hci_dev_set_flag(hdev, HCI_CONFIG);
5649                 hci_dev_set_flag(hdev, HCI_AUTO_OFF);
5650 
5651                 queue_work(hdev->req_workqueue, &hdev->power_on);
5652         }
5653 
5654 unlock:
5655         hci_dev_unlock(hdev);
5656         return err;
5657 }
5658 
5659 static void read_local_oob_ext_data_complete(struct hci_dev *hdev, u8 status,
5660                                              u16 opcode, struct sk_buff *skb)
5661 {
5662         const struct mgmt_cp_read_local_oob_ext_data *mgmt_cp;
5663         struct mgmt_rp_read_local_oob_ext_data *mgmt_rp;
5664         u8 *h192, *r192, *h256, *r256;
5665         struct mgmt_pending_cmd *cmd;
5666         u16 eir_len;
5667         int err;
5668 
5669         BT_DBG("%s status %u", hdev->name, status);
5670 
5671         cmd = pending_find(MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev);
5672         if (!cmd)
5673                 return;
5674 
5675         mgmt_cp = cmd->param;
5676 
5677         if (status) {
5678                 status = mgmt_status(status);
5679                 eir_len = 0;
5680 
5681                 h192 = NULL;
5682                 r192 = NULL;
5683                 h256 = NULL;
5684                 r256 = NULL;
5685         } else if (opcode == HCI_OP_READ_LOCAL_OOB_DATA) {
5686                 struct hci_rp_read_local_oob_data *rp;
5687 
5688                 if (skb->len != sizeof(*rp)) {
5689                         status = MGMT_STATUS_FAILED;
5690                         eir_len = 0;
5691                 } else {
5692                         status = MGMT_STATUS_SUCCESS;
5693                         rp = (void *)skb->data;
5694 
5695                         eir_len = 5 + 18 + 18;
5696                         h192 = rp->hash;
5697                         r192 = rp->rand;
5698                         h256 = NULL;
5699                         r256 = NULL;
5700                 }
5701         } else {
5702                 struct hci_rp_read_local_oob_ext_data *rp;
5703 
5704                 if (skb->len != sizeof(*rp)) {
5705                         status = MGMT_STATUS_FAILED;
5706                         eir_len = 0;
5707                 } else {
5708                         status = MGMT_STATUS_SUCCESS;
5709                         rp = (void *)skb->data;
5710 
5711                         if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
5712                                 eir_len = 5 + 18 + 18;
5713                                 h192 = NULL;
5714                                 r192 = NULL;
5715                         } else {
5716                                 eir_len = 5 + 18 + 18 + 18 + 18;
5717                                 h192 = rp->hash192;
5718                                 r192 = rp->rand192;
5719                         }
5720 
5721                         h256 = rp->hash256;
5722                         r256 = rp->rand256;
5723                 }
5724         }
5725 
5726         mgmt_rp = kmalloc(sizeof(*mgmt_rp) + eir_len, GFP_KERNEL);
5727         if (!mgmt_rp)
5728                 goto done;
5729 
5730         if (status)
5731                 goto send_rsp;
5732 
5733         eir_len = eir_append_data(mgmt_rp->eir, 0, EIR_CLASS_OF_DEV,
5734                                   hdev->dev_class, 3);
5735 
5736         if (h192 && r192) {
5737                 eir_len = eir_append_data(mgmt_rp->eir, eir_len,
5738                                           EIR_SSP_HASH_C192, h192, 16);
5739                 eir_len = eir_append_data(mgmt_rp->eir, eir_len,
5740                                           EIR_SSP_RAND_R192, r192, 16);
5741         }
5742 
5743         if (h256 && r256) {
5744                 eir_len = eir_append_data(mgmt_rp->eir, eir_len,
5745                                           EIR_SSP_HASH_C256, h256, 16);
5746                 eir_len = eir_append_data(mgmt_rp->eir, eir_len,
5747                                           EIR_SSP_RAND_R256, r256, 16);
5748         }
5749 
5750 send_rsp:
5751         mgmt_rp->type = mgmt_cp->type;
5752         mgmt_rp->eir_len = cpu_to_le16(eir_len);
5753 
5754         err = mgmt_cmd_complete(cmd->sk, hdev->id,
5755                                 MGMT_OP_READ_LOCAL_OOB_EXT_DATA, status,
5756                                 mgmt_rp, sizeof(*mgmt_rp) + eir_len);
5757         if (err < 0 || status)
5758                 goto done;
5759 
5760         hci_sock_set_flag(cmd->sk, HCI_MGMT_OOB_DATA_EVENTS);
5761 
5762         err = mgmt_limited_event(MGMT_EV_LOCAL_OOB_DATA_UPDATED, hdev,
5763                                  mgmt_rp, sizeof(*mgmt_rp) + eir_len,
5764                                  HCI_MGMT_OOB_DATA_EVENTS, cmd->sk);
5765 done:
5766         kfree(mgmt_rp);
5767         mgmt_pending_remove(cmd);
5768 }
5769 
5770 static int read_local_ssp_oob_req(struct hci_dev *hdev, struct sock *sk,
5771                                   struct mgmt_cp_read_local_oob_ext_data *cp)
5772 {
5773         struct mgmt_pending_cmd *cmd;
5774         struct hci_request req;
5775         int err;
5776 
5777         cmd = mgmt_pending_add(sk, MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev,
5778                                cp, sizeof(*cp));
5779         if (!cmd)
5780                 return -ENOMEM;
5781 
5782         hci_req_init(&req, hdev);
5783 
5784         if (bredr_sc_enabled(hdev))
5785                 hci_req_add(&req, HCI_OP_READ_LOCAL_OOB_EXT_DATA, 0, NULL);
5786         else
5787                 hci_req_add(&req, HCI_OP_READ_LOCAL_OOB_DATA, 0, NULL);
5788 
5789         err = hci_req_run_skb(&req, read_local_oob_ext_data_complete);
5790         if (err < 0) {
5791                 mgmt_pending_remove(cmd);
5792                 return err;
5793         }
5794 
5795         return 0;
5796 }
5797 
5798 static int read_local_oob_ext_data(struct sock *sk, struct hci_dev *hdev,
5799                                    void *data, u16 data_len)
5800 {
5801         struct mgmt_cp_read_local_oob_ext_data *cp = data;
5802         struct mgmt_rp_read_local_oob_ext_data *rp;
5803         size_t rp_len;
5804         u16 eir_len;
5805         u8 status, flags, role, addr[7], hash[16], rand[16];
5806         int err;
5807 
5808         BT_DBG("%s", hdev->name);
5809 
5810         if (hdev_is_powered(hdev)) {
5811                 switch (cp->type) {
5812                 case BIT(BDADDR_BREDR):
5813                         status = mgmt_bredr_support(hdev);
5814                         if (status)
5815                                 eir_len = 0;
5816                         else
5817                                 eir_len = 5;
5818                         break;
5819                 case (BIT(BDADDR_LE_PUBLIC) | BIT(BDADDR_LE_RANDOM)):
5820                         status = mgmt_le_support(hdev);
5821                         if (status)
5822                                 eir_len = 0;
5823                         else
5824                                 eir_len = 9 + 3 + 18 + 18 + 3;
5825                         break;
5826                 default:
5827                         status = MGMT_STATUS_INVALID_PARAMS;
5828                         eir_len = 0;
5829                         break;
5830                 }
5831         } else {
5832                 status = MGMT_STATUS_NOT_POWERED;
5833                 eir_len = 0;
5834         }
5835 
5836         rp_len = sizeof(*rp) + eir_len;
5837         rp = kmalloc(rp_len, GFP_ATOMIC);
5838         if (!rp)
5839                 return -ENOMEM;
5840 
5841         if (status)
5842                 goto complete;
5843 
5844         hci_dev_lock(hdev);
5845 
5846         eir_len = 0;
5847         switch (cp->type) {
5848         case BIT(BDADDR_BREDR):
5849                 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
5850                         err = read_local_ssp_oob_req(hdev, sk, cp);
5851                         hci_dev_unlock(hdev);
5852                         if (!err)
5853                                 goto done;
5854 
5855                         status = MGMT_STATUS_FAILED;
5856                         goto complete;
5857                 } else {
5858                         eir_len = eir_append_data(rp->eir, eir_len,
5859                                                   EIR_CLASS_OF_DEV,
5860                                                   hdev->dev_class, 3);
5861                 }
5862                 break;
5863         case (BIT(BDADDR_LE_PUBLIC) | BIT(BDADDR_LE_RANDOM)):
5864                 if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
5865                     smp_generate_oob(hdev, hash, rand) < 0) {
5866                         hci_dev_unlock(hdev);
5867                         status = MGMT_STATUS_FAILED;
5868                         goto complete;
5869                 }
5870 
5871                 /* This should return the active RPA, but since the RPA
5872                  * is only programmed on demand, it is really hard to fill
5873                  * this in at the moment. For now disallow retrieving
5874                  * local out-of-band data when privacy is in use.
5875                  *
5876                  * Returning the identity address will not help here since
5877                  * pairing happens before the identity resolving key is
5878                  * known and thus the connection establishment happens
5879                  * based on the RPA and not the identity address.
5880                  */
5881                 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
5882                         hci_dev_unlock(hdev);
5883                         status = MGMT_STATUS_REJECTED;
5884                         goto complete;
5885                 }
5886 
5887                 if (hci_dev_test_flag(hdev, HCI_FORCE_STATIC_ADDR) ||
5888                    !bacmp(&hdev->bdaddr, BDADDR_ANY) ||
5889                    (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
5890                     bacmp(&hdev->static_addr, BDADDR_ANY))) {
5891                         memcpy(addr, &hdev->static_addr, 6);
5892                         addr[6] = 0x01;
5893                 } else {
5894                         memcpy(addr, &hdev->bdaddr, 6);
5895                         addr[6] = 0x00;
5896                 }
5897 
5898                 eir_len = eir_append_data(rp->eir, eir_len, EIR_LE_BDADDR,
5899                                           addr, sizeof(addr));
5900 
5901                 if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
5902                         role = 0x02;
5903                 else
5904                         role = 0x01;
5905 
5906                 eir_len = eir_append_data(rp->eir, eir_len, EIR_LE_ROLE,
5907                                           &role, sizeof(role));
5908 
5909                 if (hci_dev_test_flag(hdev, HCI_SC_ENABLED)) {
5910                         eir_len = eir_append_data(rp->eir, eir_len,
5911                                                   EIR_LE_SC_CONFIRM,
5912                                                   hash, sizeof(hash));
5913 
5914                         eir_len = eir_append_data(rp->eir, eir_len,
5915                                                   EIR_LE_SC_RANDOM,
5916                                                   rand, sizeof(rand));
5917                 }
5918 
5919                 flags = mgmt_get_adv_discov_flags(hdev);
5920 
5921                 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
5922                         flags |= LE_AD_NO_BREDR;
5923 
5924                 eir_len = eir_append_data(rp->eir, eir_len, EIR_FLAGS,
5925                                           &flags, sizeof(flags));
5926                 break;
5927         }
5928 
5929         hci_dev_unlock(hdev);
5930 
5931         hci_sock_set_flag(sk, HCI_MGMT_OOB_DATA_EVENTS);
5932 
5933         status = MGMT_STATUS_SUCCESS;
5934 
5935 complete:
5936         rp->type = cp->type;
5937         rp->eir_len = cpu_to_le16(eir_len);
5938 
5939         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_EXT_DATA,
5940                                 status, rp, sizeof(*rp) + eir_len);
5941         if (err < 0 || status)
5942                 goto done;
5943 
5944         err = mgmt_limited_event(MGMT_EV_LOCAL_OOB_DATA_UPDATED, hdev,
5945                                  rp, sizeof(*rp) + eir_len,
5946                                  HCI_MGMT_OOB_DATA_EVENTS, sk);
5947 
5948 done:
5949         kfree(rp);
5950 
5951         return err;
5952 }
5953 
5954 static u32 get_supported_adv_flags(struct hci_dev *hdev)
5955 {
5956         u32 flags = 0;
5957 
5958         flags |= MGMT_ADV_FLAG_CONNECTABLE;
5959         flags |= MGMT_ADV_FLAG_DISCOV;
5960         flags |= MGMT_ADV_FLAG_LIMITED_DISCOV;
5961         flags |= MGMT_ADV_FLAG_MANAGED_FLAGS;
5962         flags |= MGMT_ADV_FLAG_APPEARANCE;
5963         flags |= MGMT_ADV_FLAG_LOCAL_NAME;
5964 
5965         if (hdev->adv_tx_power != HCI_TX_POWER_INVALID)
5966                 flags |= MGMT_ADV_FLAG_TX_POWER;
5967 
5968         return flags;
5969 }
5970 
5971 static int read_adv_features(struct sock *sk, struct hci_dev *hdev,
5972                              void *data, u16 data_len)
5973 {
5974         struct mgmt_rp_read_adv_features *rp;
5975         size_t rp_len;
5976         int err;
5977         struct adv_info *adv_instance;
5978         u32 supported_flags;
5979         u8 *instance;
5980 
5981         BT_DBG("%s", hdev->name);
5982 
5983         if (!lmp_le_capable(hdev))
5984                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_ADV_FEATURES,
5985                                        MGMT_STATUS_REJECTED);
5986 
5987         hci_dev_lock(hdev);
5988 
5989         rp_len = sizeof(*rp) + hdev->adv_instance_cnt;
5990         rp = kmalloc(rp_len, GFP_ATOMIC);
5991         if (!rp) {
5992                 hci_dev_unlock(hdev);
5993                 return -ENOMEM;
5994         }
5995 
5996         supported_flags = get_supported_adv_flags(hdev);
5997 
5998         rp->supported_flags = cpu_to_le32(supported_flags);
5999         rp->max_adv_data_len = HCI_MAX_AD_LENGTH;
6000         rp->max_scan_rsp_len = HCI_MAX_AD_LENGTH;
6001         rp->max_instances = HCI_MAX_ADV_INSTANCES;
6002         rp->num_instances = hdev->adv_instance_cnt;
6003 
6004         instance = rp->instance;
6005         list_for_each_entry(adv_instance, &hdev->adv_instances, list) {
6006                 *instance = adv_instance->instance;
6007                 instance++;
6008         }
6009 
6010         hci_dev_unlock(hdev);
6011 
6012         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_ADV_FEATURES,
6013                                 MGMT_STATUS_SUCCESS, rp, rp_len);
6014 
6015         kfree(rp);
6016 
6017         return err;
6018 }
6019 
6020 static u8 calculate_name_len(struct hci_dev *hdev)
6021 {
6022         u8 buf[HCI_MAX_SHORT_NAME_LENGTH + 3];
6023 
6024         return append_local_name(hdev, buf, 0);
6025 }
6026 
6027 static u8 tlv_data_max_len(struct hci_dev *hdev, u32 adv_flags,
6028                            bool is_adv_data)
6029 {
6030         u8 max_len = HCI_MAX_AD_LENGTH;
6031 
6032         if (is_adv_data) {
6033                 if (adv_flags & (MGMT_ADV_FLAG_DISCOV |
6034                                  MGMT_ADV_FLAG_LIMITED_DISCOV |
6035                                  MGMT_ADV_FLAG_MANAGED_FLAGS))
6036                         max_len -= 3;
6037 
6038                 if (adv_flags & MGMT_ADV_FLAG_TX_POWER)
6039                         max_len -= 3;
6040         } else {
6041                 if (adv_flags & MGMT_ADV_FLAG_LOCAL_NAME)
6042                         max_len -= calculate_name_len(hdev);
6043 
6044                 if (adv_flags & (MGMT_ADV_FLAG_APPEARANCE))
6045                         max_len -= 4;
6046         }
6047 
6048         return max_len;
6049 }
6050 
6051 static bool flags_managed(u32 adv_flags)
6052 {
6053         return adv_flags & (MGMT_ADV_FLAG_DISCOV |
6054                             MGMT_ADV_FLAG_LIMITED_DISCOV |
6055                             MGMT_ADV_FLAG_MANAGED_FLAGS);
6056 }
6057 
6058 static bool tx_power_managed(u32 adv_flags)
6059 {
6060         return adv_flags & MGMT_ADV_FLAG_TX_POWER;
6061 }
6062 
6063 static bool name_managed(u32 adv_flags)
6064 {
6065         return adv_flags & MGMT_ADV_FLAG_LOCAL_NAME;
6066 }
6067 
6068 static bool appearance_managed(u32 adv_flags)
6069 {
6070         return adv_flags & MGMT_ADV_FLAG_APPEARANCE;
6071 }
6072 
6073 static bool tlv_data_is_valid(struct hci_dev *hdev, u32 adv_flags, u8 *data,
6074                               u8 len, bool is_adv_data)
6075 {
6076         int i, cur_len;
6077         u8 max_len;
6078 
6079         max_len = tlv_data_max_len(hdev, adv_flags, is_adv_data);
6080 
6081         if (len > max_len)
6082                 return false;
6083 
6084         /* Make sure that the data is correctly formatted. */
6085         for (i = 0, cur_len = 0; i < len; i += (cur_len + 1)) {
6086                 cur_len = data[i];
6087 
6088                 if (data[i + 1] == EIR_FLAGS &&
6089                     (!is_adv_data || flags_managed(adv_flags)))
6090                         return false;
6091 
6092                 if (data[i + 1] == EIR_TX_POWER && tx_power_managed(adv_flags))
6093                         return false;
6094 
6095                 if (data[i + 1] == EIR_NAME_COMPLETE && name_managed(adv_flags))
6096                         return false;
6097 
6098                 if (data[i + 1] == EIR_NAME_SHORT && name_managed(adv_flags))
6099                         return false;
6100 
6101                 if (data[i + 1] == EIR_APPEARANCE &&
6102                     appearance_managed(adv_flags))
6103                         return false;
6104 
6105                 /* If the current field length would exceed the t