~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/net/bluetooth/mgmt.c

Version: ~ [ linux-5.4-rc3 ] ~ [ linux-5.3.6 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.79 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.149 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.196 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.196 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.19.8 ] ~ [ linux-3.18.140 ] ~ [ linux-3.17.8 ] ~ [ linux-3.16.75 ] ~ [ linux-3.15.10 ] ~ [ linux-3.14.79 ] ~ [ linux-3.13.11 ] ~ [ linux-3.12.74 ] ~ [ linux-3.11.10 ] ~ [ linux-3.10.108 ] ~ [ linux-3.9.11 ] ~ [ linux-3.8.13 ] ~ [ linux-3.7.10 ] ~ [ linux-3.6.11 ] ~ [ linux-3.5.7 ] ~ [ linux-3.4.113 ] ~ [ linux-3.3.8 ] ~ [ linux-3.2.102 ] ~ [ linux-3.1.10 ] ~ [ linux-3.0.101 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2    BlueZ - Bluetooth protocol stack for Linux
  3 
  4    Copyright (C) 2010  Nokia Corporation
  5    Copyright (C) 2011-2012 Intel Corporation
  6 
  7    This program is free software; you can redistribute it and/or modify
  8    it under the terms of the GNU General Public License version 2 as
  9    published by the Free Software Foundation;
 10 
 11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
 12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
 14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
 15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
 16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 19 
 20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
 21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
 22    SOFTWARE IS DISCLAIMED.
 23 */
 24 
 25 /* Bluetooth HCI Management interface */
 26 
 27 #include <linux/module.h>
 28 #include <asm/unaligned.h>
 29 
 30 #include <net/bluetooth/bluetooth.h>
 31 #include <net/bluetooth/hci_core.h>
 32 #include <net/bluetooth/hci_sock.h>
 33 #include <net/bluetooth/l2cap.h>
 34 #include <net/bluetooth/mgmt.h>
 35 
 36 #include "hci_request.h"
 37 #include "smp.h"
 38 #include "mgmt_util.h"
 39 
 40 #define MGMT_VERSION    1
 41 #define MGMT_REVISION   13
 42 
 43 static const u16 mgmt_commands[] = {
 44         MGMT_OP_READ_INDEX_LIST,
 45         MGMT_OP_READ_INFO,
 46         MGMT_OP_SET_POWERED,
 47         MGMT_OP_SET_DISCOVERABLE,
 48         MGMT_OP_SET_CONNECTABLE,
 49         MGMT_OP_SET_FAST_CONNECTABLE,
 50         MGMT_OP_SET_BONDABLE,
 51         MGMT_OP_SET_LINK_SECURITY,
 52         MGMT_OP_SET_SSP,
 53         MGMT_OP_SET_HS,
 54         MGMT_OP_SET_LE,
 55         MGMT_OP_SET_DEV_CLASS,
 56         MGMT_OP_SET_LOCAL_NAME,
 57         MGMT_OP_ADD_UUID,
 58         MGMT_OP_REMOVE_UUID,
 59         MGMT_OP_LOAD_LINK_KEYS,
 60         MGMT_OP_LOAD_LONG_TERM_KEYS,
 61         MGMT_OP_DISCONNECT,
 62         MGMT_OP_GET_CONNECTIONS,
 63         MGMT_OP_PIN_CODE_REPLY,
 64         MGMT_OP_PIN_CODE_NEG_REPLY,
 65         MGMT_OP_SET_IO_CAPABILITY,
 66         MGMT_OP_PAIR_DEVICE,
 67         MGMT_OP_CANCEL_PAIR_DEVICE,
 68         MGMT_OP_UNPAIR_DEVICE,
 69         MGMT_OP_USER_CONFIRM_REPLY,
 70         MGMT_OP_USER_CONFIRM_NEG_REPLY,
 71         MGMT_OP_USER_PASSKEY_REPLY,
 72         MGMT_OP_USER_PASSKEY_NEG_REPLY,
 73         MGMT_OP_READ_LOCAL_OOB_DATA,
 74         MGMT_OP_ADD_REMOTE_OOB_DATA,
 75         MGMT_OP_REMOVE_REMOTE_OOB_DATA,
 76         MGMT_OP_START_DISCOVERY,
 77         MGMT_OP_STOP_DISCOVERY,
 78         MGMT_OP_CONFIRM_NAME,
 79         MGMT_OP_BLOCK_DEVICE,
 80         MGMT_OP_UNBLOCK_DEVICE,
 81         MGMT_OP_SET_DEVICE_ID,
 82         MGMT_OP_SET_ADVERTISING,
 83         MGMT_OP_SET_BREDR,
 84         MGMT_OP_SET_STATIC_ADDRESS,
 85         MGMT_OP_SET_SCAN_PARAMS,
 86         MGMT_OP_SET_SECURE_CONN,
 87         MGMT_OP_SET_DEBUG_KEYS,
 88         MGMT_OP_SET_PRIVACY,
 89         MGMT_OP_LOAD_IRKS,
 90         MGMT_OP_GET_CONN_INFO,
 91         MGMT_OP_GET_CLOCK_INFO,
 92         MGMT_OP_ADD_DEVICE,
 93         MGMT_OP_REMOVE_DEVICE,
 94         MGMT_OP_LOAD_CONN_PARAM,
 95         MGMT_OP_READ_UNCONF_INDEX_LIST,
 96         MGMT_OP_READ_CONFIG_INFO,
 97         MGMT_OP_SET_EXTERNAL_CONFIG,
 98         MGMT_OP_SET_PUBLIC_ADDRESS,
 99         MGMT_OP_START_SERVICE_DISCOVERY,
100         MGMT_OP_READ_LOCAL_OOB_EXT_DATA,
101         MGMT_OP_READ_EXT_INDEX_LIST,
102         MGMT_OP_READ_ADV_FEATURES,
103         MGMT_OP_ADD_ADVERTISING,
104         MGMT_OP_REMOVE_ADVERTISING,
105         MGMT_OP_GET_ADV_SIZE_INFO,
106         MGMT_OP_START_LIMITED_DISCOVERY,
107 };
108 
109 static const u16 mgmt_events[] = {
110         MGMT_EV_CONTROLLER_ERROR,
111         MGMT_EV_INDEX_ADDED,
112         MGMT_EV_INDEX_REMOVED,
113         MGMT_EV_NEW_SETTINGS,
114         MGMT_EV_CLASS_OF_DEV_CHANGED,
115         MGMT_EV_LOCAL_NAME_CHANGED,
116         MGMT_EV_NEW_LINK_KEY,
117         MGMT_EV_NEW_LONG_TERM_KEY,
118         MGMT_EV_DEVICE_CONNECTED,
119         MGMT_EV_DEVICE_DISCONNECTED,
120         MGMT_EV_CONNECT_FAILED,
121         MGMT_EV_PIN_CODE_REQUEST,
122         MGMT_EV_USER_CONFIRM_REQUEST,
123         MGMT_EV_USER_PASSKEY_REQUEST,
124         MGMT_EV_AUTH_FAILED,
125         MGMT_EV_DEVICE_FOUND,
126         MGMT_EV_DISCOVERING,
127         MGMT_EV_DEVICE_BLOCKED,
128         MGMT_EV_DEVICE_UNBLOCKED,
129         MGMT_EV_DEVICE_UNPAIRED,
130         MGMT_EV_PASSKEY_NOTIFY,
131         MGMT_EV_NEW_IRK,
132         MGMT_EV_NEW_CSRK,
133         MGMT_EV_DEVICE_ADDED,
134         MGMT_EV_DEVICE_REMOVED,
135         MGMT_EV_NEW_CONN_PARAM,
136         MGMT_EV_UNCONF_INDEX_ADDED,
137         MGMT_EV_UNCONF_INDEX_REMOVED,
138         MGMT_EV_NEW_CONFIG_OPTIONS,
139         MGMT_EV_EXT_INDEX_ADDED,
140         MGMT_EV_EXT_INDEX_REMOVED,
141         MGMT_EV_LOCAL_OOB_DATA_UPDATED,
142         MGMT_EV_ADVERTISING_ADDED,
143         MGMT_EV_ADVERTISING_REMOVED,
144 };
145 
146 static const u16 mgmt_untrusted_commands[] = {
147         MGMT_OP_READ_INDEX_LIST,
148         MGMT_OP_READ_INFO,
149         MGMT_OP_READ_UNCONF_INDEX_LIST,
150         MGMT_OP_READ_CONFIG_INFO,
151         MGMT_OP_READ_EXT_INDEX_LIST,
152 };
153 
154 static const u16 mgmt_untrusted_events[] = {
155         MGMT_EV_INDEX_ADDED,
156         MGMT_EV_INDEX_REMOVED,
157         MGMT_EV_NEW_SETTINGS,
158         MGMT_EV_CLASS_OF_DEV_CHANGED,
159         MGMT_EV_LOCAL_NAME_CHANGED,
160         MGMT_EV_UNCONF_INDEX_ADDED,
161         MGMT_EV_UNCONF_INDEX_REMOVED,
162         MGMT_EV_NEW_CONFIG_OPTIONS,
163         MGMT_EV_EXT_INDEX_ADDED,
164         MGMT_EV_EXT_INDEX_REMOVED,
165 };
166 
167 #define CACHE_TIMEOUT   msecs_to_jiffies(2 * 1000)
168 
169 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
170                  "\x00\x00\x00\x00\x00\x00\x00\x00"
171 
172 /* HCI to MGMT error code conversion table */
173 static u8 mgmt_status_table[] = {
174         MGMT_STATUS_SUCCESS,
175         MGMT_STATUS_UNKNOWN_COMMAND,    /* Unknown Command */
176         MGMT_STATUS_NOT_CONNECTED,      /* No Connection */
177         MGMT_STATUS_FAILED,             /* Hardware Failure */
178         MGMT_STATUS_CONNECT_FAILED,     /* Page Timeout */
179         MGMT_STATUS_AUTH_FAILED,        /* Authentication Failed */
180         MGMT_STATUS_AUTH_FAILED,        /* PIN or Key Missing */
181         MGMT_STATUS_NO_RESOURCES,       /* Memory Full */
182         MGMT_STATUS_TIMEOUT,            /* Connection Timeout */
183         MGMT_STATUS_NO_RESOURCES,       /* Max Number of Connections */
184         MGMT_STATUS_NO_RESOURCES,       /* Max Number of SCO Connections */
185         MGMT_STATUS_ALREADY_CONNECTED,  /* ACL Connection Exists */
186         MGMT_STATUS_BUSY,               /* Command Disallowed */
187         MGMT_STATUS_NO_RESOURCES,       /* Rejected Limited Resources */
188         MGMT_STATUS_REJECTED,           /* Rejected Security */
189         MGMT_STATUS_REJECTED,           /* Rejected Personal */
190         MGMT_STATUS_TIMEOUT,            /* Host Timeout */
191         MGMT_STATUS_NOT_SUPPORTED,      /* Unsupported Feature */
192         MGMT_STATUS_INVALID_PARAMS,     /* Invalid Parameters */
193         MGMT_STATUS_DISCONNECTED,       /* OE User Ended Connection */
194         MGMT_STATUS_NO_RESOURCES,       /* OE Low Resources */
195         MGMT_STATUS_DISCONNECTED,       /* OE Power Off */
196         MGMT_STATUS_DISCONNECTED,       /* Connection Terminated */
197         MGMT_STATUS_BUSY,               /* Repeated Attempts */
198         MGMT_STATUS_REJECTED,           /* Pairing Not Allowed */
199         MGMT_STATUS_FAILED,             /* Unknown LMP PDU */
200         MGMT_STATUS_NOT_SUPPORTED,      /* Unsupported Remote Feature */
201         MGMT_STATUS_REJECTED,           /* SCO Offset Rejected */
202         MGMT_STATUS_REJECTED,           /* SCO Interval Rejected */
203         MGMT_STATUS_REJECTED,           /* Air Mode Rejected */
204         MGMT_STATUS_INVALID_PARAMS,     /* Invalid LMP Parameters */
205         MGMT_STATUS_FAILED,             /* Unspecified Error */
206         MGMT_STATUS_NOT_SUPPORTED,      /* Unsupported LMP Parameter Value */
207         MGMT_STATUS_FAILED,             /* Role Change Not Allowed */
208         MGMT_STATUS_TIMEOUT,            /* LMP Response Timeout */
209         MGMT_STATUS_FAILED,             /* LMP Error Transaction Collision */
210         MGMT_STATUS_FAILED,             /* LMP PDU Not Allowed */
211         MGMT_STATUS_REJECTED,           /* Encryption Mode Not Accepted */
212         MGMT_STATUS_FAILED,             /* Unit Link Key Used */
213         MGMT_STATUS_NOT_SUPPORTED,      /* QoS Not Supported */
214         MGMT_STATUS_TIMEOUT,            /* Instant Passed */
215         MGMT_STATUS_NOT_SUPPORTED,      /* Pairing Not Supported */
216         MGMT_STATUS_FAILED,             /* Transaction Collision */
217         MGMT_STATUS_INVALID_PARAMS,     /* Unacceptable Parameter */
218         MGMT_STATUS_REJECTED,           /* QoS Rejected */
219         MGMT_STATUS_NOT_SUPPORTED,      /* Classification Not Supported */
220         MGMT_STATUS_REJECTED,           /* Insufficient Security */
221         MGMT_STATUS_INVALID_PARAMS,     /* Parameter Out Of Range */
222         MGMT_STATUS_BUSY,               /* Role Switch Pending */
223         MGMT_STATUS_FAILED,             /* Slot Violation */
224         MGMT_STATUS_FAILED,             /* Role Switch Failed */
225         MGMT_STATUS_INVALID_PARAMS,     /* EIR Too Large */
226         MGMT_STATUS_NOT_SUPPORTED,      /* Simple Pairing Not Supported */
227         MGMT_STATUS_BUSY,               /* Host Busy Pairing */
228         MGMT_STATUS_REJECTED,           /* Rejected, No Suitable Channel */
229         MGMT_STATUS_BUSY,               /* Controller Busy */
230         MGMT_STATUS_INVALID_PARAMS,     /* Unsuitable Connection Interval */
231         MGMT_STATUS_TIMEOUT,            /* Directed Advertising Timeout */
232         MGMT_STATUS_AUTH_FAILED,        /* Terminated Due to MIC Failure */
233         MGMT_STATUS_CONNECT_FAILED,     /* Connection Establishment Failed */
234         MGMT_STATUS_CONNECT_FAILED,     /* MAC Connection Failed */
235 };
236 
237 static u8 mgmt_status(u8 hci_status)
238 {
239         if (hci_status < ARRAY_SIZE(mgmt_status_table))
240                 return mgmt_status_table[hci_status];
241 
242         return MGMT_STATUS_FAILED;
243 }
244 
245 static int mgmt_index_event(u16 event, struct hci_dev *hdev, void *data,
246                             u16 len, int flag)
247 {
248         return mgmt_send_event(event, hdev, HCI_CHANNEL_CONTROL, data, len,
249                                flag, NULL);
250 }
251 
252 static int mgmt_limited_event(u16 event, struct hci_dev *hdev, void *data,
253                               u16 len, int flag, struct sock *skip_sk)
254 {
255         return mgmt_send_event(event, hdev, HCI_CHANNEL_CONTROL, data, len,
256                                flag, skip_sk);
257 }
258 
259 static int mgmt_generic_event(u16 event, struct hci_dev *hdev, void *data,
260                               u16 len, struct sock *skip_sk)
261 {
262         return mgmt_send_event(event, hdev, HCI_CHANNEL_CONTROL, data, len,
263                                HCI_MGMT_GENERIC_EVENTS, skip_sk);
264 }
265 
266 static int mgmt_event(u16 event, struct hci_dev *hdev, void *data, u16 len,
267                       struct sock *skip_sk)
268 {
269         return mgmt_send_event(event, hdev, HCI_CHANNEL_CONTROL, data, len,
270                                HCI_SOCK_TRUSTED, skip_sk);
271 }
272 
273 static u8 le_addr_type(u8 mgmt_addr_type)
274 {
275         if (mgmt_addr_type == BDADDR_LE_PUBLIC)
276                 return ADDR_LE_DEV_PUBLIC;
277         else
278                 return ADDR_LE_DEV_RANDOM;
279 }
280 
281 static int read_version(struct sock *sk, struct hci_dev *hdev, void *data,
282                         u16 data_len)
283 {
284         struct mgmt_rp_read_version rp;
285 
286         BT_DBG("sock %p", sk);
287 
288         rp.version = MGMT_VERSION;
289         rp.revision = cpu_to_le16(MGMT_REVISION);
290 
291         return mgmt_cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_VERSION, 0,
292                                  &rp, sizeof(rp));
293 }
294 
295 static int read_commands(struct sock *sk, struct hci_dev *hdev, void *data,
296                          u16 data_len)
297 {
298         struct mgmt_rp_read_commands *rp;
299         u16 num_commands, num_events;
300         size_t rp_size;
301         int i, err;
302 
303         BT_DBG("sock %p", sk);
304 
305         if (hci_sock_test_flag(sk, HCI_SOCK_TRUSTED)) {
306                 num_commands = ARRAY_SIZE(mgmt_commands);
307                 num_events = ARRAY_SIZE(mgmt_events);
308         } else {
309                 num_commands = ARRAY_SIZE(mgmt_untrusted_commands);
310                 num_events = ARRAY_SIZE(mgmt_untrusted_events);
311         }
312 
313         rp_size = sizeof(*rp) + ((num_commands + num_events) * sizeof(u16));
314 
315         rp = kmalloc(rp_size, GFP_KERNEL);
316         if (!rp)
317                 return -ENOMEM;
318 
319         rp->num_commands = cpu_to_le16(num_commands);
320         rp->num_events = cpu_to_le16(num_events);
321 
322         if (hci_sock_test_flag(sk, HCI_SOCK_TRUSTED)) {
323                 __le16 *opcode = rp->opcodes;
324 
325                 for (i = 0; i < num_commands; i++, opcode++)
326                         put_unaligned_le16(mgmt_commands[i], opcode);
327 
328                 for (i = 0; i < num_events; i++, opcode++)
329                         put_unaligned_le16(mgmt_events[i], opcode);
330         } else {
331                 __le16 *opcode = rp->opcodes;
332 
333                 for (i = 0; i < num_commands; i++, opcode++)
334                         put_unaligned_le16(mgmt_untrusted_commands[i], opcode);
335 
336                 for (i = 0; i < num_events; i++, opcode++)
337                         put_unaligned_le16(mgmt_untrusted_events[i], opcode);
338         }
339 
340         err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_COMMANDS, 0,
341                                 rp, rp_size);
342         kfree(rp);
343 
344         return err;
345 }
346 
347 static int read_index_list(struct sock *sk, struct hci_dev *hdev, void *data,
348                            u16 data_len)
349 {
350         struct mgmt_rp_read_index_list *rp;
351         struct hci_dev *d;
352         size_t rp_len;
353         u16 count;
354         int err;
355 
356         BT_DBG("sock %p", sk);
357 
358         read_lock(&hci_dev_list_lock);
359 
360         count = 0;
361         list_for_each_entry(d, &hci_dev_list, list) {
362                 if (d->dev_type == HCI_PRIMARY &&
363                     !hci_dev_test_flag(d, HCI_UNCONFIGURED))
364                         count++;
365         }
366 
367         rp_len = sizeof(*rp) + (2 * count);
368         rp = kmalloc(rp_len, GFP_ATOMIC);
369         if (!rp) {
370                 read_unlock(&hci_dev_list_lock);
371                 return -ENOMEM;
372         }
373 
374         count = 0;
375         list_for_each_entry(d, &hci_dev_list, list) {
376                 if (hci_dev_test_flag(d, HCI_SETUP) ||
377                     hci_dev_test_flag(d, HCI_CONFIG) ||
378                     hci_dev_test_flag(d, HCI_USER_CHANNEL))
379                         continue;
380 
381                 /* Devices marked as raw-only are neither configured
382                  * nor unconfigured controllers.
383                  */
384                 if (test_bit(HCI_QUIRK_RAW_DEVICE, &d->quirks))
385                         continue;
386 
387                 if (d->dev_type == HCI_PRIMARY &&
388                     !hci_dev_test_flag(d, HCI_UNCONFIGURED)) {
389                         rp->index[count++] = cpu_to_le16(d->id);
390                         BT_DBG("Added hci%u", d->id);
391                 }
392         }
393 
394         rp->num_controllers = cpu_to_le16(count);
395         rp_len = sizeof(*rp) + (2 * count);
396 
397         read_unlock(&hci_dev_list_lock);
398 
399         err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_INDEX_LIST,
400                                 0, rp, rp_len);
401 
402         kfree(rp);
403 
404         return err;
405 }
406 
407 static int read_unconf_index_list(struct sock *sk, struct hci_dev *hdev,
408                                   void *data, u16 data_len)
409 {
410         struct mgmt_rp_read_unconf_index_list *rp;
411         struct hci_dev *d;
412         size_t rp_len;
413         u16 count;
414         int err;
415 
416         BT_DBG("sock %p", sk);
417 
418         read_lock(&hci_dev_list_lock);
419 
420         count = 0;
421         list_for_each_entry(d, &hci_dev_list, list) {
422                 if (d->dev_type == HCI_PRIMARY &&
423                     hci_dev_test_flag(d, HCI_UNCONFIGURED))
424                         count++;
425         }
426 
427         rp_len = sizeof(*rp) + (2 * count);
428         rp = kmalloc(rp_len, GFP_ATOMIC);
429         if (!rp) {
430                 read_unlock(&hci_dev_list_lock);
431                 return -ENOMEM;
432         }
433 
434         count = 0;
435         list_for_each_entry(d, &hci_dev_list, list) {
436                 if (hci_dev_test_flag(d, HCI_SETUP) ||
437                     hci_dev_test_flag(d, HCI_CONFIG) ||
438                     hci_dev_test_flag(d, HCI_USER_CHANNEL))
439                         continue;
440 
441                 /* Devices marked as raw-only are neither configured
442                  * nor unconfigured controllers.
443                  */
444                 if (test_bit(HCI_QUIRK_RAW_DEVICE, &d->quirks))
445                         continue;
446 
447                 if (d->dev_type == HCI_PRIMARY &&
448                     hci_dev_test_flag(d, HCI_UNCONFIGURED)) {
449                         rp->index[count++] = cpu_to_le16(d->id);
450                         BT_DBG("Added hci%u", d->id);
451                 }
452         }
453 
454         rp->num_controllers = cpu_to_le16(count);
455         rp_len = sizeof(*rp) + (2 * count);
456 
457         read_unlock(&hci_dev_list_lock);
458 
459         err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE,
460                                 MGMT_OP_READ_UNCONF_INDEX_LIST, 0, rp, rp_len);
461 
462         kfree(rp);
463 
464         return err;
465 }
466 
467 static int read_ext_index_list(struct sock *sk, struct hci_dev *hdev,
468                                void *data, u16 data_len)
469 {
470         struct mgmt_rp_read_ext_index_list *rp;
471         struct hci_dev *d;
472         size_t rp_len;
473         u16 count;
474         int err;
475 
476         BT_DBG("sock %p", sk);
477 
478         read_lock(&hci_dev_list_lock);
479 
480         count = 0;
481         list_for_each_entry(d, &hci_dev_list, list) {
482                 if (d->dev_type == HCI_PRIMARY || d->dev_type == HCI_AMP)
483                         count++;
484         }
485 
486         rp_len = sizeof(*rp) + (sizeof(rp->entry[0]) * count);
487         rp = kmalloc(rp_len, GFP_ATOMIC);
488         if (!rp) {
489                 read_unlock(&hci_dev_list_lock);
490                 return -ENOMEM;
491         }
492 
493         count = 0;
494         list_for_each_entry(d, &hci_dev_list, list) {
495                 if (hci_dev_test_flag(d, HCI_SETUP) ||
496                     hci_dev_test_flag(d, HCI_CONFIG) ||
497                     hci_dev_test_flag(d, HCI_USER_CHANNEL))
498                         continue;
499 
500                 /* Devices marked as raw-only are neither configured
501                  * nor unconfigured controllers.
502                  */
503                 if (test_bit(HCI_QUIRK_RAW_DEVICE, &d->quirks))
504                         continue;
505 
506                 if (d->dev_type == HCI_PRIMARY) {
507                         if (hci_dev_test_flag(d, HCI_UNCONFIGURED))
508                                 rp->entry[count].type = 0x01;
509                         else
510                                 rp->entry[count].type = 0x00;
511                 } else if (d->dev_type == HCI_AMP) {
512                         rp->entry[count].type = 0x02;
513                 } else {
514                         continue;
515                 }
516 
517                 rp->entry[count].bus = d->bus;
518                 rp->entry[count++].index = cpu_to_le16(d->id);
519                 BT_DBG("Added hci%u", d->id);
520         }
521 
522         rp->num_controllers = cpu_to_le16(count);
523         rp_len = sizeof(*rp) + (sizeof(rp->entry[0]) * count);
524 
525         read_unlock(&hci_dev_list_lock);
526 
527         /* If this command is called at least once, then all the
528          * default index and unconfigured index events are disabled
529          * and from now on only extended index events are used.
530          */
531         hci_sock_set_flag(sk, HCI_MGMT_EXT_INDEX_EVENTS);
532         hci_sock_clear_flag(sk, HCI_MGMT_INDEX_EVENTS);
533         hci_sock_clear_flag(sk, HCI_MGMT_UNCONF_INDEX_EVENTS);
534 
535         err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE,
536                                 MGMT_OP_READ_EXT_INDEX_LIST, 0, rp, rp_len);
537 
538         kfree(rp);
539 
540         return err;
541 }
542 
543 static bool is_configured(struct hci_dev *hdev)
544 {
545         if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) &&
546             !hci_dev_test_flag(hdev, HCI_EXT_CONFIGURED))
547                 return false;
548 
549         if (test_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks) &&
550             !bacmp(&hdev->public_addr, BDADDR_ANY))
551                 return false;
552 
553         return true;
554 }
555 
556 static __le32 get_missing_options(struct hci_dev *hdev)
557 {
558         u32 options = 0;
559 
560         if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) &&
561             !hci_dev_test_flag(hdev, HCI_EXT_CONFIGURED))
562                 options |= MGMT_OPTION_EXTERNAL_CONFIG;
563 
564         if (test_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks) &&
565             !bacmp(&hdev->public_addr, BDADDR_ANY))
566                 options |= MGMT_OPTION_PUBLIC_ADDRESS;
567 
568         return cpu_to_le32(options);
569 }
570 
571 static int new_options(struct hci_dev *hdev, struct sock *skip)
572 {
573         __le32 options = get_missing_options(hdev);
574 
575         return mgmt_generic_event(MGMT_EV_NEW_CONFIG_OPTIONS, hdev, &options,
576                                   sizeof(options), skip);
577 }
578 
579 static int send_options_rsp(struct sock *sk, u16 opcode, struct hci_dev *hdev)
580 {
581         __le32 options = get_missing_options(hdev);
582 
583         return mgmt_cmd_complete(sk, hdev->id, opcode, 0, &options,
584                                  sizeof(options));
585 }
586 
587 static int read_config_info(struct sock *sk, struct hci_dev *hdev,
588                             void *data, u16 data_len)
589 {
590         struct mgmt_rp_read_config_info rp;
591         u32 options = 0;
592 
593         BT_DBG("sock %p %s", sk, hdev->name);
594 
595         hci_dev_lock(hdev);
596 
597         memset(&rp, 0, sizeof(rp));
598         rp.manufacturer = cpu_to_le16(hdev->manufacturer);
599 
600         if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks))
601                 options |= MGMT_OPTION_EXTERNAL_CONFIG;
602 
603         if (hdev->set_bdaddr)
604                 options |= MGMT_OPTION_PUBLIC_ADDRESS;
605 
606         rp.supported_options = cpu_to_le32(options);
607         rp.missing_options = get_missing_options(hdev);
608 
609         hci_dev_unlock(hdev);
610 
611         return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_CONFIG_INFO, 0,
612                                  &rp, sizeof(rp));
613 }
614 
615 static u32 get_supported_settings(struct hci_dev *hdev)
616 {
617         u32 settings = 0;
618 
619         settings |= MGMT_SETTING_POWERED;
620         settings |= MGMT_SETTING_BONDABLE;
621         settings |= MGMT_SETTING_DEBUG_KEYS;
622         settings |= MGMT_SETTING_CONNECTABLE;
623         settings |= MGMT_SETTING_DISCOVERABLE;
624 
625         if (lmp_bredr_capable(hdev)) {
626                 if (hdev->hci_ver >= BLUETOOTH_VER_1_2)
627                         settings |= MGMT_SETTING_FAST_CONNECTABLE;
628                 settings |= MGMT_SETTING_BREDR;
629                 settings |= MGMT_SETTING_LINK_SECURITY;
630 
631                 if (lmp_ssp_capable(hdev)) {
632                         settings |= MGMT_SETTING_SSP;
633                         settings |= MGMT_SETTING_HS;
634                 }
635 
636                 if (lmp_sc_capable(hdev))
637                         settings |= MGMT_SETTING_SECURE_CONN;
638         }
639 
640         if (lmp_le_capable(hdev)) {
641                 settings |= MGMT_SETTING_LE;
642                 settings |= MGMT_SETTING_ADVERTISING;
643                 settings |= MGMT_SETTING_SECURE_CONN;
644                 settings |= MGMT_SETTING_PRIVACY;
645                 settings |= MGMT_SETTING_STATIC_ADDRESS;
646         }
647 
648         if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) ||
649             hdev->set_bdaddr)
650                 settings |= MGMT_SETTING_CONFIGURATION;
651 
652         return settings;
653 }
654 
655 static u32 get_current_settings(struct hci_dev *hdev)
656 {
657         u32 settings = 0;
658 
659         if (hdev_is_powered(hdev))
660                 settings |= MGMT_SETTING_POWERED;
661 
662         if (hci_dev_test_flag(hdev, HCI_CONNECTABLE))
663                 settings |= MGMT_SETTING_CONNECTABLE;
664 
665         if (hci_dev_test_flag(hdev, HCI_FAST_CONNECTABLE))
666                 settings |= MGMT_SETTING_FAST_CONNECTABLE;
667 
668         if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE))
669                 settings |= MGMT_SETTING_DISCOVERABLE;
670 
671         if (hci_dev_test_flag(hdev, HCI_BONDABLE))
672                 settings |= MGMT_SETTING_BONDABLE;
673 
674         if (hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
675                 settings |= MGMT_SETTING_BREDR;
676 
677         if (hci_dev_test_flag(hdev, HCI_LE_ENABLED))
678                 settings |= MGMT_SETTING_LE;
679 
680         if (hci_dev_test_flag(hdev, HCI_LINK_SECURITY))
681                 settings |= MGMT_SETTING_LINK_SECURITY;
682 
683         if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
684                 settings |= MGMT_SETTING_SSP;
685 
686         if (hci_dev_test_flag(hdev, HCI_HS_ENABLED))
687                 settings |= MGMT_SETTING_HS;
688 
689         if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
690                 settings |= MGMT_SETTING_ADVERTISING;
691 
692         if (hci_dev_test_flag(hdev, HCI_SC_ENABLED))
693                 settings |= MGMT_SETTING_SECURE_CONN;
694 
695         if (hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS))
696                 settings |= MGMT_SETTING_DEBUG_KEYS;
697 
698         if (hci_dev_test_flag(hdev, HCI_PRIVACY))
699                 settings |= MGMT_SETTING_PRIVACY;
700 
701         /* The current setting for static address has two purposes. The
702          * first is to indicate if the static address will be used and
703          * the second is to indicate if it is actually set.
704          *
705          * This means if the static address is not configured, this flag
706          * will never be set. If the address is configured, then if the
707          * address is actually used decides if the flag is set or not.
708          *
709          * For single mode LE only controllers and dual-mode controllers
710          * with BR/EDR disabled, the existence of the static address will
711          * be evaluated.
712          */
713         if (hci_dev_test_flag(hdev, HCI_FORCE_STATIC_ADDR) ||
714             !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) ||
715             !bacmp(&hdev->bdaddr, BDADDR_ANY)) {
716                 if (bacmp(&hdev->static_addr, BDADDR_ANY))
717                         settings |= MGMT_SETTING_STATIC_ADDRESS;
718         }
719 
720         return settings;
721 }
722 
723 static struct mgmt_pending_cmd *pending_find(u16 opcode, struct hci_dev *hdev)
724 {
725         return mgmt_pending_find(HCI_CHANNEL_CONTROL, opcode, hdev);
726 }
727 
728 static struct mgmt_pending_cmd *pending_find_data(u16 opcode,
729                                                   struct hci_dev *hdev,
730                                                   const void *data)
731 {
732         return mgmt_pending_find_data(HCI_CHANNEL_CONTROL, opcode, hdev, data);
733 }
734 
735 u8 mgmt_get_adv_discov_flags(struct hci_dev *hdev)
736 {
737         struct mgmt_pending_cmd *cmd;
738 
739         /* If there's a pending mgmt command the flags will not yet have
740          * their final values, so check for this first.
741          */
742         cmd = pending_find(MGMT_OP_SET_DISCOVERABLE, hdev);
743         if (cmd) {
744                 struct mgmt_mode *cp = cmd->param;
745                 if (cp->val == 0x01)
746                         return LE_AD_GENERAL;
747                 else if (cp->val == 0x02)
748                         return LE_AD_LIMITED;
749         } else {
750                 if (hci_dev_test_flag(hdev, HCI_LIMITED_DISCOVERABLE))
751                         return LE_AD_LIMITED;
752                 else if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE))
753                         return LE_AD_GENERAL;
754         }
755 
756         return 0;
757 }
758 
759 bool mgmt_get_connectable(struct hci_dev *hdev)
760 {
761         struct mgmt_pending_cmd *cmd;
762 
763         /* If there's a pending mgmt command the flag will not yet have
764          * it's final value, so check for this first.
765          */
766         cmd = pending_find(MGMT_OP_SET_CONNECTABLE, hdev);
767         if (cmd) {
768                 struct mgmt_mode *cp = cmd->param;
769 
770                 return cp->val;
771         }
772 
773         return hci_dev_test_flag(hdev, HCI_CONNECTABLE);
774 }
775 
776 static void service_cache_off(struct work_struct *work)
777 {
778         struct hci_dev *hdev = container_of(work, struct hci_dev,
779                                             service_cache.work);
780         struct hci_request req;
781 
782         if (!hci_dev_test_and_clear_flag(hdev, HCI_SERVICE_CACHE))
783                 return;
784 
785         hci_req_init(&req, hdev);
786 
787         hci_dev_lock(hdev);
788 
789         __hci_req_update_eir(&req);
790         __hci_req_update_class(&req);
791 
792         hci_dev_unlock(hdev);
793 
794         hci_req_run(&req, NULL);
795 }
796 
797 static void rpa_expired(struct work_struct *work)
798 {
799         struct hci_dev *hdev = container_of(work, struct hci_dev,
800                                             rpa_expired.work);
801         struct hci_request req;
802 
803         BT_DBG("");
804 
805         hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
806 
807         if (!hci_dev_test_flag(hdev, HCI_ADVERTISING))
808                 return;
809 
810         /* The generation of a new RPA and programming it into the
811          * controller happens in the hci_req_enable_advertising()
812          * function.
813          */
814         hci_req_init(&req, hdev);
815         __hci_req_enable_advertising(&req);
816         hci_req_run(&req, NULL);
817 }
818 
819 static void mgmt_init_hdev(struct sock *sk, struct hci_dev *hdev)
820 {
821         if (hci_dev_test_and_set_flag(hdev, HCI_MGMT))
822                 return;
823 
824         INIT_DELAYED_WORK(&hdev->service_cache, service_cache_off);
825         INIT_DELAYED_WORK(&hdev->rpa_expired, rpa_expired);
826 
827         /* Non-mgmt controlled devices get this bit set
828          * implicitly so that pairing works for them, however
829          * for mgmt we require user-space to explicitly enable
830          * it
831          */
832         hci_dev_clear_flag(hdev, HCI_BONDABLE);
833 }
834 
835 static int read_controller_info(struct sock *sk, struct hci_dev *hdev,
836                                 void *data, u16 data_len)
837 {
838         struct mgmt_rp_read_info rp;
839 
840         BT_DBG("sock %p %s", sk, hdev->name);
841 
842         hci_dev_lock(hdev);
843 
844         memset(&rp, 0, sizeof(rp));
845 
846         bacpy(&rp.bdaddr, &hdev->bdaddr);
847 
848         rp.version = hdev->hci_ver;
849         rp.manufacturer = cpu_to_le16(hdev->manufacturer);
850 
851         rp.supported_settings = cpu_to_le32(get_supported_settings(hdev));
852         rp.current_settings = cpu_to_le32(get_current_settings(hdev));
853 
854         memcpy(rp.dev_class, hdev->dev_class, 3);
855 
856         memcpy(rp.name, hdev->dev_name, sizeof(hdev->dev_name));
857         memcpy(rp.short_name, hdev->short_name, sizeof(hdev->short_name));
858 
859         hci_dev_unlock(hdev);
860 
861         return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_INFO, 0, &rp,
862                                  sizeof(rp));
863 }
864 
865 static int send_settings_rsp(struct sock *sk, u16 opcode, struct hci_dev *hdev)
866 {
867         __le32 settings = cpu_to_le32(get_current_settings(hdev));
868 
869         return mgmt_cmd_complete(sk, hdev->id, opcode, 0, &settings,
870                                  sizeof(settings));
871 }
872 
873 static void clean_up_hci_complete(struct hci_dev *hdev, u8 status, u16 opcode)
874 {
875         BT_DBG("%s status 0x%02x", hdev->name, status);
876 
877         if (hci_conn_count(hdev) == 0) {
878                 cancel_delayed_work(&hdev->power_off);
879                 queue_work(hdev->req_workqueue, &hdev->power_off.work);
880         }
881 }
882 
883 void mgmt_advertising_added(struct sock *sk, struct hci_dev *hdev, u8 instance)
884 {
885         struct mgmt_ev_advertising_added ev;
886 
887         ev.instance = instance;
888 
889         mgmt_event(MGMT_EV_ADVERTISING_ADDED, hdev, &ev, sizeof(ev), sk);
890 }
891 
892 void mgmt_advertising_removed(struct sock *sk, struct hci_dev *hdev,
893                               u8 instance)
894 {
895         struct mgmt_ev_advertising_removed ev;
896 
897         ev.instance = instance;
898 
899         mgmt_event(MGMT_EV_ADVERTISING_REMOVED, hdev, &ev, sizeof(ev), sk);
900 }
901 
902 static void cancel_adv_timeout(struct hci_dev *hdev)
903 {
904         if (hdev->adv_instance_timeout) {
905                 hdev->adv_instance_timeout = 0;
906                 cancel_delayed_work(&hdev->adv_instance_expire);
907         }
908 }
909 
910 static int clean_up_hci_state(struct hci_dev *hdev)
911 {
912         struct hci_request req;
913         struct hci_conn *conn;
914         bool discov_stopped;
915         int err;
916 
917         hci_req_init(&req, hdev);
918 
919         if (test_bit(HCI_ISCAN, &hdev->flags) ||
920             test_bit(HCI_PSCAN, &hdev->flags)) {
921                 u8 scan = 0x00;
922                 hci_req_add(&req, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
923         }
924 
925         hci_req_clear_adv_instance(hdev, NULL, 0x00, false);
926 
927         if (hci_dev_test_flag(hdev, HCI_LE_ADV))
928                 __hci_req_disable_advertising(&req);
929 
930         discov_stopped = hci_req_stop_discovery(&req);
931 
932         list_for_each_entry(conn, &hdev->conn_hash.list, list) {
933                 /* 0x15 == Terminated due to Power Off */
934                 __hci_abort_conn(&req, conn, 0x15);
935         }
936 
937         err = hci_req_run(&req, clean_up_hci_complete);
938         if (!err && discov_stopped)
939                 hci_discovery_set_state(hdev, DISCOVERY_STOPPING);
940 
941         return err;
942 }
943 
944 static int set_powered(struct sock *sk, struct hci_dev *hdev, void *data,
945                        u16 len)
946 {
947         struct mgmt_mode *cp = data;
948         struct mgmt_pending_cmd *cmd;
949         int err;
950 
951         BT_DBG("request for %s", hdev->name);
952 
953         if (cp->val != 0x00 && cp->val != 0x01)
954                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_POWERED,
955                                        MGMT_STATUS_INVALID_PARAMS);
956 
957         hci_dev_lock(hdev);
958 
959         if (pending_find(MGMT_OP_SET_POWERED, hdev)) {
960                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_POWERED,
961                                       MGMT_STATUS_BUSY);
962                 goto failed;
963         }
964 
965         if (!!cp->val == hdev_is_powered(hdev)) {
966                 err = send_settings_rsp(sk, MGMT_OP_SET_POWERED, hdev);
967                 goto failed;
968         }
969 
970         cmd = mgmt_pending_add(sk, MGMT_OP_SET_POWERED, hdev, data, len);
971         if (!cmd) {
972                 err = -ENOMEM;
973                 goto failed;
974         }
975 
976         if (cp->val) {
977                 queue_work(hdev->req_workqueue, &hdev->power_on);
978                 err = 0;
979         } else {
980                 /* Disconnect connections, stop scans, etc */
981                 err = clean_up_hci_state(hdev);
982                 if (!err)
983                         queue_delayed_work(hdev->req_workqueue, &hdev->power_off,
984                                            HCI_POWER_OFF_TIMEOUT);
985 
986                 /* ENODATA means there were no HCI commands queued */
987                 if (err == -ENODATA) {
988                         cancel_delayed_work(&hdev->power_off);
989                         queue_work(hdev->req_workqueue, &hdev->power_off.work);
990                         err = 0;
991                 }
992         }
993 
994 failed:
995         hci_dev_unlock(hdev);
996         return err;
997 }
998 
999 static int new_settings(struct hci_dev *hdev, struct sock *skip)
1000 {
1001         __le32 ev = cpu_to_le32(get_current_settings(hdev));
1002 
1003         return mgmt_generic_event(MGMT_EV_NEW_SETTINGS, hdev, &ev,
1004                                   sizeof(ev), skip);
1005 }
1006 
1007 int mgmt_new_settings(struct hci_dev *hdev)
1008 {
1009         return new_settings(hdev, NULL);
1010 }
1011 
1012 struct cmd_lookup {
1013         struct sock *sk;
1014         struct hci_dev *hdev;
1015         u8 mgmt_status;
1016 };
1017 
1018 static void settings_rsp(struct mgmt_pending_cmd *cmd, void *data)
1019 {
1020         struct cmd_lookup *match = data;
1021 
1022         send_settings_rsp(cmd->sk, cmd->opcode, match->hdev);
1023 
1024         list_del(&cmd->list);
1025 
1026         if (match->sk == NULL) {
1027                 match->sk = cmd->sk;
1028                 sock_hold(match->sk);
1029         }
1030 
1031         mgmt_pending_free(cmd);
1032 }
1033 
1034 static void cmd_status_rsp(struct mgmt_pending_cmd *cmd, void *data)
1035 {
1036         u8 *status = data;
1037 
1038         mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, *status);
1039         mgmt_pending_remove(cmd);
1040 }
1041 
1042 static void cmd_complete_rsp(struct mgmt_pending_cmd *cmd, void *data)
1043 {
1044         if (cmd->cmd_complete) {
1045                 u8 *status = data;
1046 
1047                 cmd->cmd_complete(cmd, *status);
1048                 mgmt_pending_remove(cmd);
1049 
1050                 return;
1051         }
1052 
1053         cmd_status_rsp(cmd, data);
1054 }
1055 
1056 static int generic_cmd_complete(struct mgmt_pending_cmd *cmd, u8 status)
1057 {
1058         return mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status,
1059                                  cmd->param, cmd->param_len);
1060 }
1061 
1062 static int addr_cmd_complete(struct mgmt_pending_cmd *cmd, u8 status)
1063 {
1064         return mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status,
1065                                  cmd->param, sizeof(struct mgmt_addr_info));
1066 }
1067 
1068 static u8 mgmt_bredr_support(struct hci_dev *hdev)
1069 {
1070         if (!lmp_bredr_capable(hdev))
1071                 return MGMT_STATUS_NOT_SUPPORTED;
1072         else if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1073                 return MGMT_STATUS_REJECTED;
1074         else
1075                 return MGMT_STATUS_SUCCESS;
1076 }
1077 
1078 static u8 mgmt_le_support(struct hci_dev *hdev)
1079 {
1080         if (!lmp_le_capable(hdev))
1081                 return MGMT_STATUS_NOT_SUPPORTED;
1082         else if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
1083                 return MGMT_STATUS_REJECTED;
1084         else
1085                 return MGMT_STATUS_SUCCESS;
1086 }
1087 
1088 void mgmt_set_discoverable_complete(struct hci_dev *hdev, u8 status)
1089 {
1090         struct mgmt_pending_cmd *cmd;
1091 
1092         BT_DBG("status 0x%02x", status);
1093 
1094         hci_dev_lock(hdev);
1095 
1096         cmd = pending_find(MGMT_OP_SET_DISCOVERABLE, hdev);
1097         if (!cmd)
1098                 goto unlock;
1099 
1100         if (status) {
1101                 u8 mgmt_err = mgmt_status(status);
1102                 mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
1103                 hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1104                 goto remove_cmd;
1105         }
1106 
1107         if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE) &&
1108             hdev->discov_timeout > 0) {
1109                 int to = msecs_to_jiffies(hdev->discov_timeout * 1000);
1110                 queue_delayed_work(hdev->req_workqueue, &hdev->discov_off, to);
1111         }
1112 
1113         send_settings_rsp(cmd->sk, MGMT_OP_SET_DISCOVERABLE, hdev);
1114         new_settings(hdev, cmd->sk);
1115 
1116 remove_cmd:
1117         mgmt_pending_remove(cmd);
1118 
1119 unlock:
1120         hci_dev_unlock(hdev);
1121 }
1122 
1123 static int set_discoverable(struct sock *sk, struct hci_dev *hdev, void *data,
1124                             u16 len)
1125 {
1126         struct mgmt_cp_set_discoverable *cp = data;
1127         struct mgmt_pending_cmd *cmd;
1128         u16 timeout;
1129         int err;
1130 
1131         BT_DBG("request for %s", hdev->name);
1132 
1133         if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED) &&
1134             !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1135                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1136                                        MGMT_STATUS_REJECTED);
1137 
1138         if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
1139                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1140                                        MGMT_STATUS_INVALID_PARAMS);
1141 
1142         timeout = __le16_to_cpu(cp->timeout);
1143 
1144         /* Disabling discoverable requires that no timeout is set,
1145          * and enabling limited discoverable requires a timeout.
1146          */
1147         if ((cp->val == 0x00 && timeout > 0) ||
1148             (cp->val == 0x02 && timeout == 0))
1149                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1150                                        MGMT_STATUS_INVALID_PARAMS);
1151 
1152         hci_dev_lock(hdev);
1153 
1154         if (!hdev_is_powered(hdev) && timeout > 0) {
1155                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1156                                       MGMT_STATUS_NOT_POWERED);
1157                 goto failed;
1158         }
1159 
1160         if (pending_find(MGMT_OP_SET_DISCOVERABLE, hdev) ||
1161             pending_find(MGMT_OP_SET_CONNECTABLE, hdev)) {
1162                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1163                                       MGMT_STATUS_BUSY);
1164                 goto failed;
1165         }
1166 
1167         if (!hci_dev_test_flag(hdev, HCI_CONNECTABLE)) {
1168                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1169                                       MGMT_STATUS_REJECTED);
1170                 goto failed;
1171         }
1172 
1173         if (!hdev_is_powered(hdev)) {
1174                 bool changed = false;
1175 
1176                 /* Setting limited discoverable when powered off is
1177                  * not a valid operation since it requires a timeout
1178                  * and so no need to check HCI_LIMITED_DISCOVERABLE.
1179                  */
1180                 if (!!cp->val != hci_dev_test_flag(hdev, HCI_DISCOVERABLE)) {
1181                         hci_dev_change_flag(hdev, HCI_DISCOVERABLE);
1182                         changed = true;
1183                 }
1184 
1185                 err = send_settings_rsp(sk, MGMT_OP_SET_DISCOVERABLE, hdev);
1186                 if (err < 0)
1187                         goto failed;
1188 
1189                 if (changed)
1190                         err = new_settings(hdev, sk);
1191 
1192                 goto failed;
1193         }
1194 
1195         /* If the current mode is the same, then just update the timeout
1196          * value with the new value. And if only the timeout gets updated,
1197          * then no need for any HCI transactions.
1198          */
1199         if (!!cp->val == hci_dev_test_flag(hdev, HCI_DISCOVERABLE) &&
1200             (cp->val == 0x02) == hci_dev_test_flag(hdev,
1201                                                    HCI_LIMITED_DISCOVERABLE)) {
1202                 cancel_delayed_work(&hdev->discov_off);
1203                 hdev->discov_timeout = timeout;
1204 
1205                 if (cp->val && hdev->discov_timeout > 0) {
1206                         int to = msecs_to_jiffies(hdev->discov_timeout * 1000);
1207                         queue_delayed_work(hdev->req_workqueue,
1208                                            &hdev->discov_off, to);
1209                 }
1210 
1211                 err = send_settings_rsp(sk, MGMT_OP_SET_DISCOVERABLE, hdev);
1212                 goto failed;
1213         }
1214 
1215         cmd = mgmt_pending_add(sk, MGMT_OP_SET_DISCOVERABLE, hdev, data, len);
1216         if (!cmd) {
1217                 err = -ENOMEM;
1218                 goto failed;
1219         }
1220 
1221         /* Cancel any potential discoverable timeout that might be
1222          * still active and store new timeout value. The arming of
1223          * the timeout happens in the complete handler.
1224          */
1225         cancel_delayed_work(&hdev->discov_off);
1226         hdev->discov_timeout = timeout;
1227 
1228         if (cp->val)
1229                 hci_dev_set_flag(hdev, HCI_DISCOVERABLE);
1230         else
1231                 hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1232 
1233         /* Limited discoverable mode */
1234         if (cp->val == 0x02)
1235                 hci_dev_set_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1236         else
1237                 hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1238 
1239         queue_work(hdev->req_workqueue, &hdev->discoverable_update);
1240         err = 0;
1241 
1242 failed:
1243         hci_dev_unlock(hdev);
1244         return err;
1245 }
1246 
1247 void mgmt_set_connectable_complete(struct hci_dev *hdev, u8 status)
1248 {
1249         struct mgmt_pending_cmd *cmd;
1250 
1251         BT_DBG("status 0x%02x", status);
1252 
1253         hci_dev_lock(hdev);
1254 
1255         cmd = pending_find(MGMT_OP_SET_CONNECTABLE, hdev);
1256         if (!cmd)
1257                 goto unlock;
1258 
1259         if (status) {
1260                 u8 mgmt_err = mgmt_status(status);
1261                 mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
1262                 goto remove_cmd;
1263         }
1264 
1265         send_settings_rsp(cmd->sk, MGMT_OP_SET_CONNECTABLE, hdev);
1266         new_settings(hdev, cmd->sk);
1267 
1268 remove_cmd:
1269         mgmt_pending_remove(cmd);
1270 
1271 unlock:
1272         hci_dev_unlock(hdev);
1273 }
1274 
1275 static int set_connectable_update_settings(struct hci_dev *hdev,
1276                                            struct sock *sk, u8 val)
1277 {
1278         bool changed = false;
1279         int err;
1280 
1281         if (!!val != hci_dev_test_flag(hdev, HCI_CONNECTABLE))
1282                 changed = true;
1283 
1284         if (val) {
1285                 hci_dev_set_flag(hdev, HCI_CONNECTABLE);
1286         } else {
1287                 hci_dev_clear_flag(hdev, HCI_CONNECTABLE);
1288                 hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1289         }
1290 
1291         err = send_settings_rsp(sk, MGMT_OP_SET_CONNECTABLE, hdev);
1292         if (err < 0)
1293                 return err;
1294 
1295         if (changed) {
1296                 hci_req_update_scan(hdev);
1297                 hci_update_background_scan(hdev);
1298                 return new_settings(hdev, sk);
1299         }
1300 
1301         return 0;
1302 }
1303 
1304 static int set_connectable(struct sock *sk, struct hci_dev *hdev, void *data,
1305                            u16 len)
1306 {
1307         struct mgmt_mode *cp = data;
1308         struct mgmt_pending_cmd *cmd;
1309         int err;
1310 
1311         BT_DBG("request for %s", hdev->name);
1312 
1313         if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED) &&
1314             !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1315                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_CONNECTABLE,
1316                                        MGMT_STATUS_REJECTED);
1317 
1318         if (cp->val != 0x00 && cp->val != 0x01)
1319                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_CONNECTABLE,
1320                                        MGMT_STATUS_INVALID_PARAMS);
1321 
1322         hci_dev_lock(hdev);
1323 
1324         if (!hdev_is_powered(hdev)) {
1325                 err = set_connectable_update_settings(hdev, sk, cp->val);
1326                 goto failed;
1327         }
1328 
1329         if (pending_find(MGMT_OP_SET_DISCOVERABLE, hdev) ||
1330             pending_find(MGMT_OP_SET_CONNECTABLE, hdev)) {
1331                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_CONNECTABLE,
1332                                       MGMT_STATUS_BUSY);
1333                 goto failed;
1334         }
1335 
1336         cmd = mgmt_pending_add(sk, MGMT_OP_SET_CONNECTABLE, hdev, data, len);
1337         if (!cmd) {
1338                 err = -ENOMEM;
1339                 goto failed;
1340         }
1341 
1342         if (cp->val) {
1343                 hci_dev_set_flag(hdev, HCI_CONNECTABLE);
1344         } else {
1345                 if (hdev->discov_timeout > 0)
1346                         cancel_delayed_work(&hdev->discov_off);
1347 
1348                 hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1349                 hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1350                 hci_dev_clear_flag(hdev, HCI_CONNECTABLE);
1351         }
1352 
1353         queue_work(hdev->req_workqueue, &hdev->connectable_update);
1354         err = 0;
1355 
1356 failed:
1357         hci_dev_unlock(hdev);
1358         return err;
1359 }
1360 
1361 static int set_bondable(struct sock *sk, struct hci_dev *hdev, void *data,
1362                         u16 len)
1363 {
1364         struct mgmt_mode *cp = data;
1365         bool changed;
1366         int err;
1367 
1368         BT_DBG("request for %s", hdev->name);
1369 
1370         if (cp->val != 0x00 && cp->val != 0x01)
1371                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BONDABLE,
1372                                        MGMT_STATUS_INVALID_PARAMS);
1373 
1374         hci_dev_lock(hdev);
1375 
1376         if (cp->val)
1377                 changed = !hci_dev_test_and_set_flag(hdev, HCI_BONDABLE);
1378         else
1379                 changed = hci_dev_test_and_clear_flag(hdev, HCI_BONDABLE);
1380 
1381         err = send_settings_rsp(sk, MGMT_OP_SET_BONDABLE, hdev);
1382         if (err < 0)
1383                 goto unlock;
1384 
1385         if (changed) {
1386                 /* In limited privacy mode the change of bondable mode
1387                  * may affect the local advertising address.
1388                  */
1389                 if (hdev_is_powered(hdev) &&
1390                     hci_dev_test_flag(hdev, HCI_ADVERTISING) &&
1391                     hci_dev_test_flag(hdev, HCI_DISCOVERABLE) &&
1392                     hci_dev_test_flag(hdev, HCI_LIMITED_PRIVACY))
1393                         queue_work(hdev->req_workqueue,
1394                                    &hdev->discoverable_update);
1395 
1396                 err = new_settings(hdev, sk);
1397         }
1398 
1399 unlock:
1400         hci_dev_unlock(hdev);
1401         return err;
1402 }
1403 
1404 static int set_link_security(struct sock *sk, struct hci_dev *hdev, void *data,
1405                              u16 len)
1406 {
1407         struct mgmt_mode *cp = data;
1408         struct mgmt_pending_cmd *cmd;
1409         u8 val, status;
1410         int err;
1411 
1412         BT_DBG("request for %s", hdev->name);
1413 
1414         status = mgmt_bredr_support(hdev);
1415         if (status)
1416                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY,
1417                                        status);
1418 
1419         if (cp->val != 0x00 && cp->val != 0x01)
1420                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY,
1421                                        MGMT_STATUS_INVALID_PARAMS);
1422 
1423         hci_dev_lock(hdev);
1424 
1425         if (!hdev_is_powered(hdev)) {
1426                 bool changed = false;
1427 
1428                 if (!!cp->val != hci_dev_test_flag(hdev, HCI_LINK_SECURITY)) {
1429                         hci_dev_change_flag(hdev, HCI_LINK_SECURITY);
1430                         changed = true;
1431                 }
1432 
1433                 err = send_settings_rsp(sk, MGMT_OP_SET_LINK_SECURITY, hdev);
1434                 if (err < 0)
1435                         goto failed;
1436 
1437                 if (changed)
1438                         err = new_settings(hdev, sk);
1439 
1440                 goto failed;
1441         }
1442 
1443         if (pending_find(MGMT_OP_SET_LINK_SECURITY, hdev)) {
1444                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY,
1445                                       MGMT_STATUS_BUSY);
1446                 goto failed;
1447         }
1448 
1449         val = !!cp->val;
1450 
1451         if (test_bit(HCI_AUTH, &hdev->flags) == val) {
1452                 err = send_settings_rsp(sk, MGMT_OP_SET_LINK_SECURITY, hdev);
1453                 goto failed;
1454         }
1455 
1456         cmd = mgmt_pending_add(sk, MGMT_OP_SET_LINK_SECURITY, hdev, data, len);
1457         if (!cmd) {
1458                 err = -ENOMEM;
1459                 goto failed;
1460         }
1461 
1462         err = hci_send_cmd(hdev, HCI_OP_WRITE_AUTH_ENABLE, sizeof(val), &val);
1463         if (err < 0) {
1464                 mgmt_pending_remove(cmd);
1465                 goto failed;
1466         }
1467 
1468 failed:
1469         hci_dev_unlock(hdev);
1470         return err;
1471 }
1472 
1473 static int set_ssp(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
1474 {
1475         struct mgmt_mode *cp = data;
1476         struct mgmt_pending_cmd *cmd;
1477         u8 status;
1478         int err;
1479 
1480         BT_DBG("request for %s", hdev->name);
1481 
1482         status = mgmt_bredr_support(hdev);
1483         if (status)
1484                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP, status);
1485 
1486         if (!lmp_ssp_capable(hdev))
1487                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
1488                                        MGMT_STATUS_NOT_SUPPORTED);
1489 
1490         if (cp->val != 0x00 && cp->val != 0x01)
1491                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
1492                                        MGMT_STATUS_INVALID_PARAMS);
1493 
1494         hci_dev_lock(hdev);
1495 
1496         if (!hdev_is_powered(hdev)) {
1497                 bool changed;
1498 
1499                 if (cp->val) {
1500                         changed = !hci_dev_test_and_set_flag(hdev,
1501                                                              HCI_SSP_ENABLED);
1502                 } else {
1503                         changed = hci_dev_test_and_clear_flag(hdev,
1504                                                               HCI_SSP_ENABLED);
1505                         if (!changed)
1506                                 changed = hci_dev_test_and_clear_flag(hdev,
1507                                                                       HCI_HS_ENABLED);
1508                         else
1509                                 hci_dev_clear_flag(hdev, HCI_HS_ENABLED);
1510                 }
1511 
1512                 err = send_settings_rsp(sk, MGMT_OP_SET_SSP, hdev);
1513                 if (err < 0)
1514                         goto failed;
1515 
1516                 if (changed)
1517                         err = new_settings(hdev, sk);
1518 
1519                 goto failed;
1520         }
1521 
1522         if (pending_find(MGMT_OP_SET_SSP, hdev)) {
1523                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
1524                                       MGMT_STATUS_BUSY);
1525                 goto failed;
1526         }
1527 
1528         if (!!cp->val == hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
1529                 err = send_settings_rsp(sk, MGMT_OP_SET_SSP, hdev);
1530                 goto failed;
1531         }
1532 
1533         cmd = mgmt_pending_add(sk, MGMT_OP_SET_SSP, hdev, data, len);
1534         if (!cmd) {
1535                 err = -ENOMEM;
1536                 goto failed;
1537         }
1538 
1539         if (!cp->val && hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS))
1540                 hci_send_cmd(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE,
1541                              sizeof(cp->val), &cp->val);
1542 
1543         err = hci_send_cmd(hdev, HCI_OP_WRITE_SSP_MODE, 1, &cp->val);
1544         if (err < 0) {
1545                 mgmt_pending_remove(cmd);
1546                 goto failed;
1547         }
1548 
1549 failed:
1550         hci_dev_unlock(hdev);
1551         return err;
1552 }
1553 
1554 static int set_hs(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
1555 {
1556         struct mgmt_mode *cp = data;
1557         bool changed;
1558         u8 status;
1559         int err;
1560 
1561         BT_DBG("request for %s", hdev->name);
1562 
1563         status = mgmt_bredr_support(hdev);
1564         if (status)
1565                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS, status);
1566 
1567         if (!lmp_ssp_capable(hdev))
1568                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
1569                                        MGMT_STATUS_NOT_SUPPORTED);
1570 
1571         if (!hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
1572                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
1573                                        MGMT_STATUS_REJECTED);
1574 
1575         if (cp->val != 0x00 && cp->val != 0x01)
1576                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
1577                                        MGMT_STATUS_INVALID_PARAMS);
1578 
1579         hci_dev_lock(hdev);
1580 
1581         if (pending_find(MGMT_OP_SET_SSP, hdev)) {
1582                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
1583                                       MGMT_STATUS_BUSY);
1584                 goto unlock;
1585         }
1586 
1587         if (cp->val) {
1588                 changed = !hci_dev_test_and_set_flag(hdev, HCI_HS_ENABLED);
1589         } else {
1590                 if (hdev_is_powered(hdev)) {
1591                         err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
1592                                               MGMT_STATUS_REJECTED);
1593                         goto unlock;
1594                 }
1595 
1596                 changed = hci_dev_test_and_clear_flag(hdev, HCI_HS_ENABLED);
1597         }
1598 
1599         err = send_settings_rsp(sk, MGMT_OP_SET_HS, hdev);
1600         if (err < 0)
1601                 goto unlock;
1602 
1603         if (changed)
1604                 err = new_settings(hdev, sk);
1605 
1606 unlock:
1607         hci_dev_unlock(hdev);
1608         return err;
1609 }
1610 
1611 static void le_enable_complete(struct hci_dev *hdev, u8 status, u16 opcode)
1612 {
1613         struct cmd_lookup match = { NULL, hdev };
1614 
1615         hci_dev_lock(hdev);
1616 
1617         if (status) {
1618                 u8 mgmt_err = mgmt_status(status);
1619 
1620                 mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, cmd_status_rsp,
1621                                      &mgmt_err);
1622                 goto unlock;
1623         }
1624 
1625         mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, settings_rsp, &match);
1626 
1627         new_settings(hdev, match.sk);
1628 
1629         if (match.sk)
1630                 sock_put(match.sk);
1631 
1632         /* Make sure the controller has a good default for
1633          * advertising data. Restrict the update to when LE
1634          * has actually been enabled. During power on, the
1635          * update in powered_update_hci will take care of it.
1636          */
1637         if (hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1638                 struct hci_request req;
1639 
1640                 hci_req_init(&req, hdev);
1641                 __hci_req_update_adv_data(&req, 0x00);
1642                 __hci_req_update_scan_rsp_data(&req, 0x00);
1643                 hci_req_run(&req, NULL);
1644                 hci_update_background_scan(hdev);
1645         }
1646 
1647 unlock:
1648         hci_dev_unlock(hdev);
1649 }
1650 
1651 static int set_le(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
1652 {
1653         struct mgmt_mode *cp = data;
1654         struct hci_cp_write_le_host_supported hci_cp;
1655         struct mgmt_pending_cmd *cmd;
1656         struct hci_request req;
1657         int err;
1658         u8 val, enabled;
1659 
1660         BT_DBG("request for %s", hdev->name);
1661 
1662         if (!lmp_le_capable(hdev))
1663                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
1664                                        MGMT_STATUS_NOT_SUPPORTED);
1665 
1666         if (cp->val != 0x00 && cp->val != 0x01)
1667                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
1668                                        MGMT_STATUS_INVALID_PARAMS);
1669 
1670         /* Bluetooth single mode LE only controllers or dual-mode
1671          * controllers configured as LE only devices, do not allow
1672          * switching LE off. These have either LE enabled explicitly
1673          * or BR/EDR has been previously switched off.
1674          *
1675          * When trying to enable an already enabled LE, then gracefully
1676          * send a positive response. Trying to disable it however will
1677          * result into rejection.
1678          */
1679         if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
1680                 if (cp->val == 0x01)
1681                         return send_settings_rsp(sk, MGMT_OP_SET_LE, hdev);
1682 
1683                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
1684                                        MGMT_STATUS_REJECTED);
1685         }
1686 
1687         hci_dev_lock(hdev);
1688 
1689         val = !!cp->val;
1690         enabled = lmp_host_le_capable(hdev);
1691 
1692         if (!val)
1693                 hci_req_clear_adv_instance(hdev, NULL, 0x00, true);
1694 
1695         if (!hdev_is_powered(hdev) || val == enabled) {
1696                 bool changed = false;
1697 
1698                 if (val != hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1699                         hci_dev_change_flag(hdev, HCI_LE_ENABLED);
1700                         changed = true;
1701                 }
1702 
1703                 if (!val && hci_dev_test_flag(hdev, HCI_ADVERTISING)) {
1704                         hci_dev_clear_flag(hdev, HCI_ADVERTISING);
1705                         changed = true;
1706                 }
1707 
1708                 err = send_settings_rsp(sk, MGMT_OP_SET_LE, hdev);
1709                 if (err < 0)
1710                         goto unlock;
1711 
1712                 if (changed)
1713                         err = new_settings(hdev, sk);
1714 
1715                 goto unlock;
1716         }
1717 
1718         if (pending_find(MGMT_OP_SET_LE, hdev) ||
1719             pending_find(MGMT_OP_SET_ADVERTISING, hdev)) {
1720                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
1721                                       MGMT_STATUS_BUSY);
1722                 goto unlock;
1723         }
1724 
1725         cmd = mgmt_pending_add(sk, MGMT_OP_SET_LE, hdev, data, len);
1726         if (!cmd) {
1727                 err = -ENOMEM;
1728                 goto unlock;
1729         }
1730 
1731         hci_req_init(&req, hdev);
1732 
1733         memset(&hci_cp, 0, sizeof(hci_cp));
1734 
1735         if (val) {
1736                 hci_cp.le = val;
1737                 hci_cp.simul = 0x00;
1738         } else {
1739                 if (hci_dev_test_flag(hdev, HCI_LE_ADV))
1740                         __hci_req_disable_advertising(&req);
1741         }
1742 
1743         hci_req_add(&req, HCI_OP_WRITE_LE_HOST_SUPPORTED, sizeof(hci_cp),
1744                     &hci_cp);
1745 
1746         err = hci_req_run(&req, le_enable_complete);
1747         if (err < 0)
1748                 mgmt_pending_remove(cmd);
1749 
1750 unlock:
1751         hci_dev_unlock(hdev);
1752         return err;
1753 }
1754 
1755 /* This is a helper function to test for pending mgmt commands that can
1756  * cause CoD or EIR HCI commands. We can only allow one such pending
1757  * mgmt command at a time since otherwise we cannot easily track what
1758  * the current values are, will be, and based on that calculate if a new
1759  * HCI command needs to be sent and if yes with what value.
1760  */
1761 static bool pending_eir_or_class(struct hci_dev *hdev)
1762 {
1763         struct mgmt_pending_cmd *cmd;
1764 
1765         list_for_each_entry(cmd, &hdev->mgmt_pending, list) {
1766                 switch (cmd->opcode) {
1767                 case MGMT_OP_ADD_UUID:
1768                 case MGMT_OP_REMOVE_UUID:
1769                 case MGMT_OP_SET_DEV_CLASS:
1770                 case MGMT_OP_SET_POWERED:
1771                         return true;
1772                 }
1773         }
1774 
1775         return false;
1776 }
1777 
1778 static const u8 bluetooth_base_uuid[] = {
1779                         0xfb, 0x34, 0x9b, 0x5f, 0x80, 0x00, 0x00, 0x80,
1780                         0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1781 };
1782 
1783 static u8 get_uuid_size(const u8 *uuid)
1784 {
1785         u32 val;
1786 
1787         if (memcmp(uuid, bluetooth_base_uuid, 12))
1788                 return 128;
1789 
1790         val = get_unaligned_le32(&uuid[12]);
1791         if (val > 0xffff)
1792                 return 32;
1793 
1794         return 16;
1795 }
1796 
1797 static void mgmt_class_complete(struct hci_dev *hdev, u16 mgmt_op, u8 status)
1798 {
1799         struct mgmt_pending_cmd *cmd;
1800 
1801         hci_dev_lock(hdev);
1802 
1803         cmd = pending_find(mgmt_op, hdev);
1804         if (!cmd)
1805                 goto unlock;
1806 
1807         mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
1808                           mgmt_status(status), hdev->dev_class, 3);
1809 
1810         mgmt_pending_remove(cmd);
1811 
1812 unlock:
1813         hci_dev_unlock(hdev);
1814 }
1815 
1816 static void add_uuid_complete(struct hci_dev *hdev, u8 status, u16 opcode)
1817 {
1818         BT_DBG("status 0x%02x", status);
1819 
1820         mgmt_class_complete(hdev, MGMT_OP_ADD_UUID, status);
1821 }
1822 
1823 static int add_uuid(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
1824 {
1825         struct mgmt_cp_add_uuid *cp = data;
1826         struct mgmt_pending_cmd *cmd;
1827         struct hci_request req;
1828         struct bt_uuid *uuid;
1829         int err;
1830 
1831         BT_DBG("request for %s", hdev->name);
1832 
1833         hci_dev_lock(hdev);
1834 
1835         if (pending_eir_or_class(hdev)) {
1836                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_UUID,
1837                                       MGMT_STATUS_BUSY);
1838                 goto failed;
1839         }
1840 
1841         uuid = kmalloc(sizeof(*uuid), GFP_KERNEL);
1842         if (!uuid) {
1843                 err = -ENOMEM;
1844                 goto failed;
1845         }
1846 
1847         memcpy(uuid->uuid, cp->uuid, 16);
1848         uuid->svc_hint = cp->svc_hint;
1849         uuid->size = get_uuid_size(cp->uuid);
1850 
1851         list_add_tail(&uuid->list, &hdev->uuids);
1852 
1853         hci_req_init(&req, hdev);
1854 
1855         __hci_req_update_class(&req);
1856         __hci_req_update_eir(&req);
1857 
1858         err = hci_req_run(&req, add_uuid_complete);
1859         if (err < 0) {
1860                 if (err != -ENODATA)
1861                         goto failed;
1862 
1863                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_UUID, 0,
1864                                         hdev->dev_class, 3);
1865                 goto failed;
1866         }
1867 
1868         cmd = mgmt_pending_add(sk, MGMT_OP_ADD_UUID, hdev, data, len);
1869         if (!cmd) {
1870                 err = -ENOMEM;
1871                 goto failed;
1872         }
1873 
1874         err = 0;
1875 
1876 failed:
1877         hci_dev_unlock(hdev);
1878         return err;
1879 }
1880 
1881 static bool enable_service_cache(struct hci_dev *hdev)
1882 {
1883         if (!hdev_is_powered(hdev))
1884                 return false;
1885 
1886         if (!hci_dev_test_and_set_flag(hdev, HCI_SERVICE_CACHE)) {
1887                 queue_delayed_work(hdev->workqueue, &hdev->service_cache,
1888                                    CACHE_TIMEOUT);
1889                 return true;
1890         }
1891 
1892         return false;
1893 }
1894 
1895 static void remove_uuid_complete(struct hci_dev *hdev, u8 status, u16 opcode)
1896 {
1897         BT_DBG("status 0x%02x", status);
1898 
1899         mgmt_class_complete(hdev, MGMT_OP_REMOVE_UUID, status);
1900 }
1901 
1902 static int remove_uuid(struct sock *sk, struct hci_dev *hdev, void *data,
1903                        u16 len)
1904 {
1905         struct mgmt_cp_remove_uuid *cp = data;
1906         struct mgmt_pending_cmd *cmd;
1907         struct bt_uuid *match, *tmp;
1908         u8 bt_uuid_any[] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
1909         struct hci_request req;
1910         int err, found;
1911 
1912         BT_DBG("request for %s", hdev->name);
1913 
1914         hci_dev_lock(hdev);
1915 
1916         if (pending_eir_or_class(hdev)) {
1917                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_UUID,
1918                                       MGMT_STATUS_BUSY);
1919                 goto unlock;
1920         }
1921 
1922         if (memcmp(cp->uuid, bt_uuid_any, 16) == 0) {
1923                 hci_uuids_clear(hdev);
1924 
1925                 if (enable_service_cache(hdev)) {
1926                         err = mgmt_cmd_complete(sk, hdev->id,
1927                                                 MGMT_OP_REMOVE_UUID,
1928                                                 0, hdev->dev_class, 3);
1929                         goto unlock;
1930                 }
1931 
1932                 goto update_class;
1933         }
1934 
1935         found = 0;
1936 
1937         list_for_each_entry_safe(match, tmp, &hdev->uuids, list) {
1938                 if (memcmp(match->uuid, cp->uuid, 16) != 0)
1939                         continue;
1940 
1941                 list_del(&match->list);
1942                 kfree(match);
1943                 found++;
1944         }
1945 
1946         if (found == 0) {
1947                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_UUID,
1948                                       MGMT_STATUS_INVALID_PARAMS);
1949                 goto unlock;
1950         }
1951 
1952 update_class:
1953         hci_req_init(&req, hdev);
1954 
1955         __hci_req_update_class(&req);
1956         __hci_req_update_eir(&req);
1957 
1958         err = hci_req_run(&req, remove_uuid_complete);
1959         if (err < 0) {
1960                 if (err != -ENODATA)
1961                         goto unlock;
1962 
1963                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_UUID, 0,
1964                                         hdev->dev_class, 3);
1965                 goto unlock;
1966         }
1967 
1968         cmd = mgmt_pending_add(sk, MGMT_OP_REMOVE_UUID, hdev, data, len);
1969         if (!cmd) {
1970                 err = -ENOMEM;
1971                 goto unlock;
1972         }
1973 
1974         err = 0;
1975 
1976 unlock:
1977         hci_dev_unlock(hdev);
1978         return err;
1979 }
1980 
1981 static void set_class_complete(struct hci_dev *hdev, u8 status, u16 opcode)
1982 {
1983         BT_DBG("status 0x%02x", status);
1984 
1985         mgmt_class_complete(hdev, MGMT_OP_SET_DEV_CLASS, status);
1986 }
1987 
1988 static int set_dev_class(struct sock *sk, struct hci_dev *hdev, void *data,
1989                          u16 len)
1990 {
1991         struct mgmt_cp_set_dev_class *cp = data;
1992         struct mgmt_pending_cmd *cmd;
1993         struct hci_request req;
1994         int err;
1995 
1996         BT_DBG("request for %s", hdev->name);
1997 
1998         if (!lmp_bredr_capable(hdev))
1999                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEV_CLASS,
2000                                        MGMT_STATUS_NOT_SUPPORTED);
2001 
2002         hci_dev_lock(hdev);
2003 
2004         if (pending_eir_or_class(hdev)) {
2005                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEV_CLASS,
2006                                       MGMT_STATUS_BUSY);
2007                 goto unlock;
2008         }
2009 
2010         if ((cp->minor & 0x03) != 0 || (cp->major & 0xe0) != 0) {
2011                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEV_CLASS,
2012                                       MGMT_STATUS_INVALID_PARAMS);
2013                 goto unlock;
2014         }
2015 
2016         hdev->major_class = cp->major;
2017         hdev->minor_class = cp->minor;
2018 
2019         if (!hdev_is_powered(hdev)) {
2020                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_DEV_CLASS, 0,
2021                                         hdev->dev_class, 3);
2022                 goto unlock;
2023         }
2024 
2025         hci_req_init(&req, hdev);
2026 
2027         if (hci_dev_test_and_clear_flag(hdev, HCI_SERVICE_CACHE)) {
2028                 hci_dev_unlock(hdev);
2029                 cancel_delayed_work_sync(&hdev->service_cache);
2030                 hci_dev_lock(hdev);
2031                 __hci_req_update_eir(&req);
2032         }
2033 
2034         __hci_req_update_class(&req);
2035 
2036         err = hci_req_run(&req, set_class_complete);
2037         if (err < 0) {
2038                 if (err != -ENODATA)
2039                         goto unlock;
2040 
2041                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_DEV_CLASS, 0,
2042                                         hdev->dev_class, 3);
2043                 goto unlock;
2044         }
2045 
2046         cmd = mgmt_pending_add(sk, MGMT_OP_SET_DEV_CLASS, hdev, data, len);
2047         if (!cmd) {
2048                 err = -ENOMEM;
2049                 goto unlock;
2050         }
2051 
2052         err = 0;
2053 
2054 unlock:
2055         hci_dev_unlock(hdev);
2056         return err;
2057 }
2058 
2059 static int load_link_keys(struct sock *sk, struct hci_dev *hdev, void *data,
2060                           u16 len)
2061 {
2062         struct mgmt_cp_load_link_keys *cp = data;
2063         const u16 max_key_count = ((U16_MAX - sizeof(*cp)) /
2064                                    sizeof(struct mgmt_link_key_info));
2065         u16 key_count, expected_len;
2066         bool changed;
2067         int i;
2068 
2069         BT_DBG("request for %s", hdev->name);
2070 
2071         if (!lmp_bredr_capable(hdev))
2072                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2073                                        MGMT_STATUS_NOT_SUPPORTED);
2074 
2075         key_count = __le16_to_cpu(cp->key_count);
2076         if (key_count > max_key_count) {
2077                 BT_ERR("load_link_keys: too big key_count value %u",
2078                        key_count);
2079                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2080                                        MGMT_STATUS_INVALID_PARAMS);
2081         }
2082 
2083         expected_len = sizeof(*cp) + key_count *
2084                                         sizeof(struct mgmt_link_key_info);
2085         if (expected_len != len) {
2086                 BT_ERR("load_link_keys: expected %u bytes, got %u bytes",
2087                        expected_len, len);
2088                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2089                                        MGMT_STATUS_INVALID_PARAMS);
2090         }
2091 
2092         if (cp->debug_keys != 0x00 && cp->debug_keys != 0x01)
2093                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2094                                        MGMT_STATUS_INVALID_PARAMS);
2095 
2096         BT_DBG("%s debug_keys %u key_count %u", hdev->name, cp->debug_keys,
2097                key_count);
2098 
2099         for (i = 0; i < key_count; i++) {
2100                 struct mgmt_link_key_info *key = &cp->keys[i];
2101 
2102                 if (key->addr.type != BDADDR_BREDR || key->type > 0x08)
2103                         return mgmt_cmd_status(sk, hdev->id,
2104                                                MGMT_OP_LOAD_LINK_KEYS,
2105                                                MGMT_STATUS_INVALID_PARAMS);
2106         }
2107 
2108         hci_dev_lock(hdev);
2109 
2110         hci_link_keys_clear(hdev);
2111 
2112         if (cp->debug_keys)
2113                 changed = !hci_dev_test_and_set_flag(hdev, HCI_KEEP_DEBUG_KEYS);
2114         else
2115                 changed = hci_dev_test_and_clear_flag(hdev,
2116                                                       HCI_KEEP_DEBUG_KEYS);
2117 
2118         if (changed)
2119                 new_settings(hdev, NULL);
2120 
2121         for (i = 0; i < key_count; i++) {
2122                 struct mgmt_link_key_info *key = &cp->keys[i];
2123 
2124                 /* Always ignore debug keys and require a new pairing if
2125                  * the user wants to use them.
2126                  */
2127                 if (key->type == HCI_LK_DEBUG_COMBINATION)
2128                         continue;
2129 
2130                 hci_add_link_key(hdev, NULL, &key->addr.bdaddr, key->val,
2131                                  key->type, key->pin_len, NULL);
2132         }
2133 
2134         mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS, 0, NULL, 0);
2135 
2136         hci_dev_unlock(hdev);
2137 
2138         return 0;
2139 }
2140 
2141 static int device_unpaired(struct hci_dev *hdev, bdaddr_t *bdaddr,
2142                            u8 addr_type, struct sock *skip_sk)
2143 {
2144         struct mgmt_ev_device_unpaired ev;
2145 
2146         bacpy(&ev.addr.bdaddr, bdaddr);
2147         ev.addr.type = addr_type;
2148 
2149         return mgmt_event(MGMT_EV_DEVICE_UNPAIRED, hdev, &ev, sizeof(ev),
2150                           skip_sk);
2151 }
2152 
2153 static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2154                          u16 len)
2155 {
2156         struct mgmt_cp_unpair_device *cp = data;
2157         struct mgmt_rp_unpair_device rp;
2158         struct hci_conn_params *params;
2159         struct mgmt_pending_cmd *cmd;
2160         struct hci_conn *conn;
2161         u8 addr_type;
2162         int err;
2163 
2164         memset(&rp, 0, sizeof(rp));
2165         bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
2166         rp.addr.type = cp->addr.type;
2167 
2168         if (!bdaddr_type_is_valid(cp->addr.type))
2169                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2170                                          MGMT_STATUS_INVALID_PARAMS,
2171                                          &rp, sizeof(rp));
2172 
2173         if (cp->disconnect != 0x00 && cp->disconnect != 0x01)
2174                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2175                                          MGMT_STATUS_INVALID_PARAMS,
2176                                          &rp, sizeof(rp));
2177 
2178         hci_dev_lock(hdev);
2179 
2180         if (!hdev_is_powered(hdev)) {
2181                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2182                                         MGMT_STATUS_NOT_POWERED, &rp,
2183                                         sizeof(rp));
2184                 goto unlock;
2185         }
2186 
2187         if (cp->addr.type == BDADDR_BREDR) {
2188                 /* If disconnection is requested, then look up the
2189                  * connection. If the remote device is connected, it
2190                  * will be later used to terminate the link.
2191                  *
2192                  * Setting it to NULL explicitly will cause no
2193                  * termination of the link.
2194                  */
2195                 if (cp->disconnect)
2196                         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
2197                                                        &cp->addr.bdaddr);
2198                 else
2199                         conn = NULL;
2200 
2201                 err = hci_remove_link_key(hdev, &cp->addr.bdaddr);
2202                 if (err < 0) {
2203                         err = mgmt_cmd_complete(sk, hdev->id,
2204                                                 MGMT_OP_UNPAIR_DEVICE,
2205                                                 MGMT_STATUS_NOT_PAIRED, &rp,
2206                                                 sizeof(rp));
2207                         goto unlock;
2208                 }
2209 
2210                 goto done;
2211         }
2212 
2213         /* LE address type */
2214         addr_type = le_addr_type(cp->addr.type);
2215 
2216         hci_remove_irk(hdev, &cp->addr.bdaddr, addr_type);
2217 
2218         err = hci_remove_ltk(hdev, &cp->addr.bdaddr, addr_type);
2219         if (err < 0) {
2220                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2221                                         MGMT_STATUS_NOT_PAIRED, &rp,
2222                                         sizeof(rp));
2223                 goto unlock;
2224         }
2225 
2226         conn = hci_conn_hash_lookup_le(hdev, &cp->addr.bdaddr, addr_type);
2227         if (!conn) {
2228                 hci_conn_params_del(hdev, &cp->addr.bdaddr, addr_type);
2229                 goto done;
2230         }
2231 
2232         /* Abort any ongoing SMP pairing */
2233         smp_cancel_pairing(conn);
2234 
2235         /* Defer clearing up the connection parameters until closing to
2236          * give a chance of keeping them if a repairing happens.
2237          */
2238         set_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags);
2239 
2240         /* Disable auto-connection parameters if present */
2241         params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr, addr_type);
2242         if (params) {
2243                 if (params->explicit_connect)
2244                         params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
2245                 else
2246                         params->auto_connect = HCI_AUTO_CONN_DISABLED;
2247         }
2248 
2249         /* If disconnection is not requested, then clear the connection
2250          * variable so that the link is not terminated.
2251          */
2252         if (!cp->disconnect)
2253                 conn = NULL;
2254 
2255 done:
2256         /* If the connection variable is set, then termination of the
2257          * link is requested.
2258          */
2259         if (!conn) {
2260                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE, 0,
2261                                         &rp, sizeof(rp));
2262                 device_unpaired(hdev, &cp->addr.bdaddr, cp->addr.type, sk);
2263                 goto unlock;
2264         }
2265 
2266         cmd = mgmt_pending_add(sk, MGMT_OP_UNPAIR_DEVICE, hdev, cp,
2267                                sizeof(*cp));
2268         if (!cmd) {
2269                 err = -ENOMEM;
2270                 goto unlock;
2271         }
2272 
2273         cmd->cmd_complete = addr_cmd_complete;
2274 
2275         err = hci_abort_conn(conn, HCI_ERROR_REMOTE_USER_TERM);
2276         if (err < 0)
2277                 mgmt_pending_remove(cmd);
2278 
2279 unlock:
2280         hci_dev_unlock(hdev);
2281         return err;
2282 }
2283 
2284 static int disconnect(struct sock *sk, struct hci_dev *hdev, void *data,
2285                       u16 len)
2286 {
2287         struct mgmt_cp_disconnect *cp = data;
2288         struct mgmt_rp_disconnect rp;
2289         struct mgmt_pending_cmd *cmd;
2290         struct hci_conn *conn;
2291         int err;
2292 
2293         BT_DBG("");
2294 
2295         memset(&rp, 0, sizeof(rp));
2296         bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
2297         rp.addr.type = cp->addr.type;
2298 
2299         if (!bdaddr_type_is_valid(cp->addr.type))
2300                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
2301                                          MGMT_STATUS_INVALID_PARAMS,
2302                                          &rp, sizeof(rp));
2303 
2304         hci_dev_lock(hdev);
2305 
2306         if (!test_bit(HCI_UP, &hdev->flags)) {
2307                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
2308                                         MGMT_STATUS_NOT_POWERED, &rp,
2309                                         sizeof(rp));
2310                 goto failed;
2311         }
2312 
2313         if (pending_find(MGMT_OP_DISCONNECT, hdev)) {
2314                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
2315                                         MGMT_STATUS_BUSY, &rp, sizeof(rp));
2316                 goto failed;
2317         }
2318 
2319         if (cp->addr.type == BDADDR_BREDR)
2320                 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
2321                                                &cp->addr.bdaddr);
2322         else
2323                 conn = hci_conn_hash_lookup_le(hdev, &cp->addr.bdaddr,
2324                                                le_addr_type(cp->addr.type));
2325 
2326         if (!conn || conn->state == BT_OPEN || conn->state == BT_CLOSED) {
2327                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
2328                                         MGMT_STATUS_NOT_CONNECTED, &rp,
2329                                         sizeof(rp));
2330                 goto failed;
2331         }
2332 
2333         cmd = mgmt_pending_add(sk, MGMT_OP_DISCONNECT, hdev, data, len);
2334         if (!cmd) {
2335                 err = -ENOMEM;
2336                 goto failed;
2337         }
2338 
2339         cmd->cmd_complete = generic_cmd_complete;
2340 
2341         err = hci_disconnect(conn, HCI_ERROR_REMOTE_USER_TERM);
2342         if (err < 0)
2343                 mgmt_pending_remove(cmd);
2344 
2345 failed:
2346         hci_dev_unlock(hdev);
2347         return err;
2348 }
2349 
2350 static u8 link_to_bdaddr(u8 link_type, u8 addr_type)
2351 {
2352         switch (link_type) {
2353         case LE_LINK:
2354                 switch (addr_type) {
2355                 case ADDR_LE_DEV_PUBLIC:
2356                         return BDADDR_LE_PUBLIC;
2357 
2358                 default:
2359                         /* Fallback to LE Random address type */
2360                         return BDADDR_LE_RANDOM;
2361                 }
2362 
2363         default:
2364                 /* Fallback to BR/EDR type */
2365                 return BDADDR_BREDR;
2366         }
2367 }
2368 
2369 static int get_connections(struct sock *sk, struct hci_dev *hdev, void *data,
2370                            u16 data_len)
2371 {
2372         struct mgmt_rp_get_connections *rp;
2373         struct hci_conn *c;
2374         size_t rp_len;
2375         int err;
2376         u16 i;
2377 
2378         BT_DBG("");
2379 
2380         hci_dev_lock(hdev);
2381 
2382         if (!hdev_is_powered(hdev)) {
2383                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_GET_CONNECTIONS,
2384                                       MGMT_STATUS_NOT_POWERED);
2385                 goto unlock;
2386         }
2387 
2388         i = 0;
2389         list_for_each_entry(c, &hdev->conn_hash.list, list) {
2390                 if (test_bit(HCI_CONN_MGMT_CONNECTED, &c->flags))
2391                         i++;
2392         }
2393 
2394         rp_len = sizeof(*rp) + (i * sizeof(struct mgmt_addr_info));
2395         rp = kmalloc(rp_len, GFP_KERNEL);
2396         if (!rp) {
2397                 err = -ENOMEM;
2398                 goto unlock;
2399         }
2400 
2401         i = 0;
2402         list_for_each_entry(c, &hdev->conn_hash.list, list) {
2403                 if (!test_bit(HCI_CONN_MGMT_CONNECTED, &c->flags))
2404                         continue;
2405                 bacpy(&rp->addr[i].bdaddr, &c->dst);
2406                 rp->addr[i].type = link_to_bdaddr(c->type, c->dst_type);
2407                 if (c->type == SCO_LINK || c->type == ESCO_LINK)
2408                         continue;
2409                 i++;
2410         }
2411 
2412         rp->conn_count = cpu_to_le16(i);
2413 
2414         /* Recalculate length in case of filtered SCO connections, etc */
2415         rp_len = sizeof(*rp) + (i * sizeof(struct mgmt_addr_info));
2416 
2417         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONNECTIONS, 0, rp,
2418                                 rp_len);
2419 
2420         kfree(rp);
2421 
2422 unlock:
2423         hci_dev_unlock(hdev);
2424         return err;
2425 }
2426 
2427 static int send_pin_code_neg_reply(struct sock *sk, struct hci_dev *hdev,
2428                                    struct mgmt_cp_pin_code_neg_reply *cp)
2429 {
2430         struct mgmt_pending_cmd *cmd;
2431         int err;
2432 
2433         cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_NEG_REPLY, hdev, cp,
2434                                sizeof(*cp));
2435         if (!cmd)
2436                 return -ENOMEM;
2437 
2438         err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
2439                            sizeof(cp->addr.bdaddr), &cp->addr.bdaddr);
2440         if (err < 0)
2441                 mgmt_pending_remove(cmd);
2442 
2443         return err;
2444 }
2445 
2446 static int pin_code_reply(struct sock *sk, struct hci_dev *hdev, void *data,
2447                           u16 len)
2448 {
2449         struct hci_conn *conn;
2450         struct mgmt_cp_pin_code_reply *cp = data;
2451         struct hci_cp_pin_code_reply reply;
2452         struct mgmt_pending_cmd *cmd;
2453         int err;
2454 
2455         BT_DBG("");
2456 
2457         hci_dev_lock(hdev);
2458 
2459         if (!hdev_is_powered(hdev)) {
2460                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
2461                                       MGMT_STATUS_NOT_POWERED);
2462                 goto failed;
2463         }
2464 
2465         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->addr.bdaddr);
2466         if (!conn) {
2467                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
2468                                       MGMT_STATUS_NOT_CONNECTED);
2469                 goto failed;
2470         }
2471 
2472         if (conn->pending_sec_level == BT_SECURITY_HIGH && cp->pin_len != 16) {
2473                 struct mgmt_cp_pin_code_neg_reply ncp;
2474 
2475                 memcpy(&ncp.addr, &cp->addr, sizeof(ncp.addr));
2476 
2477                 BT_ERR("PIN code is not 16 bytes long");
2478 
2479                 err = send_pin_code_neg_reply(sk, hdev, &ncp);
2480                 if (err >= 0)
2481                         err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
2482                                               MGMT_STATUS_INVALID_PARAMS);
2483 
2484                 goto failed;
2485         }
2486 
2487         cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_REPLY, hdev, data, len);
2488         if (!cmd) {
2489                 err = -ENOMEM;
2490                 goto failed;
2491         }
2492 
2493         cmd->cmd_complete = addr_cmd_complete;
2494 
2495         bacpy(&reply.bdaddr, &cp->addr.bdaddr);
2496         reply.pin_len = cp->pin_len;
2497         memcpy(reply.pin_code, cp->pin_code, sizeof(reply.pin_code));
2498 
2499         err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_REPLY, sizeof(reply), &reply);
2500         if (err < 0)
2501                 mgmt_pending_remove(cmd);
2502 
2503 failed:
2504         hci_dev_unlock(hdev);
2505         return err;
2506 }
2507 
2508 static int set_io_capability(struct sock *sk, struct hci_dev *hdev, void *data,
2509                              u16 len)
2510 {
2511         struct mgmt_cp_set_io_capability *cp = data;
2512 
2513         BT_DBG("");
2514 
2515         if (cp->io_capability > SMP_IO_KEYBOARD_DISPLAY)
2516                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_IO_CAPABILITY,
2517                                          MGMT_STATUS_INVALID_PARAMS, NULL, 0);
2518 
2519         hci_dev_lock(hdev);
2520 
2521         hdev->io_capability = cp->io_capability;
2522 
2523         BT_DBG("%s IO capability set to 0x%02x", hdev->name,
2524                hdev->io_capability);
2525 
2526         hci_dev_unlock(hdev);
2527 
2528         return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_IO_CAPABILITY, 0,
2529                                  NULL, 0);
2530 }
2531 
2532 static struct mgmt_pending_cmd *find_pairing(struct hci_conn *conn)
2533 {
2534         struct hci_dev *hdev = conn->hdev;
2535         struct mgmt_pending_cmd *cmd;
2536 
2537         list_for_each_entry(cmd, &hdev->mgmt_pending, list) {
2538                 if (cmd->opcode != MGMT_OP_PAIR_DEVICE)
2539                         continue;
2540 
2541                 if (cmd->user_data != conn)
2542                         continue;
2543 
2544                 return cmd;
2545         }
2546 
2547         return NULL;
2548 }
2549 
2550 static int pairing_complete(struct mgmt_pending_cmd *cmd, u8 status)
2551 {
2552         struct mgmt_rp_pair_device rp;
2553         struct hci_conn *conn = cmd->user_data;
2554         int err;
2555 
2556         bacpy(&rp.addr.bdaddr, &conn->dst);
2557         rp.addr.type = link_to_bdaddr(conn->type, conn->dst_type);
2558 
2559         err = mgmt_cmd_complete(cmd->sk, cmd->index, MGMT_OP_PAIR_DEVICE,
2560                                 status, &rp, sizeof(rp));
2561 
2562         /* So we don't get further callbacks for this connection */
2563         conn->connect_cfm_cb = NULL;
2564         conn->security_cfm_cb = NULL;
2565         conn->disconn_cfm_cb = NULL;
2566 
2567         hci_conn_drop(conn);
2568 
2569         /* The device is paired so there is no need to remove
2570          * its connection parameters anymore.
2571          */
2572         clear_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags);
2573 
2574         hci_conn_put(conn);
2575 
2576         return err;
2577 }
2578 
2579 void mgmt_smp_complete(struct hci_conn *conn, bool complete)
2580 {
2581         u8 status = complete ? MGMT_STATUS_SUCCESS : MGMT_STATUS_FAILED;
2582         struct mgmt_pending_cmd *cmd;
2583 
2584         cmd = find_pairing(conn);
2585         if (cmd) {
2586                 cmd->cmd_complete(cmd, status);
2587                 mgmt_pending_remove(cmd);
2588         }
2589 }
2590 
2591 static void pairing_complete_cb(struct hci_conn *conn, u8 status)
2592 {
2593         struct mgmt_pending_cmd *cmd;
2594 
2595         BT_DBG("status %u", status);
2596 
2597         cmd = find_pairing(conn);
2598         if (!cmd) {
2599                 BT_DBG("Unable to find a pending command");
2600                 return;
2601         }
2602 
2603         cmd->cmd_complete(cmd, mgmt_status(status));
2604         mgmt_pending_remove(cmd);
2605 }
2606 
2607 static void le_pairing_complete_cb(struct hci_conn *conn, u8 status)
2608 {
2609         struct mgmt_pending_cmd *cmd;
2610 
2611         BT_DBG("status %u", status);
2612 
2613         if (!status)
2614                 return;
2615 
2616         cmd = find_pairing(conn);
2617         if (!cmd) {
2618                 BT_DBG("Unable to find a pending command");
2619                 return;
2620         }
2621 
2622         cmd->cmd_complete(cmd, mgmt_status(status));
2623         mgmt_pending_remove(cmd);
2624 }
2625 
2626 static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2627                        u16 len)
2628 {
2629         struct mgmt_cp_pair_device *cp = data;
2630         struct mgmt_rp_pair_device rp;
2631         struct mgmt_pending_cmd *cmd;
2632         u8 sec_level, auth_type;
2633         struct hci_conn *conn;
2634         int err;
2635 
2636         BT_DBG("");
2637 
2638         memset(&rp, 0, sizeof(rp));
2639         bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
2640         rp.addr.type = cp->addr.type;
2641 
2642         if (!bdaddr_type_is_valid(cp->addr.type))
2643                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2644                                          MGMT_STATUS_INVALID_PARAMS,
2645                                          &rp, sizeof(rp));
2646 
2647         if (cp->io_cap > SMP_IO_KEYBOARD_DISPLAY)
2648                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2649                                          MGMT_STATUS_INVALID_PARAMS,
2650                                          &rp, sizeof(rp));
2651 
2652         hci_dev_lock(hdev);
2653 
2654         if (!hdev_is_powered(hdev)) {
2655                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2656                                         MGMT_STATUS_NOT_POWERED, &rp,
2657                                         sizeof(rp));
2658                 goto unlock;
2659         }
2660 
2661         if (hci_bdaddr_is_paired(hdev, &cp->addr.bdaddr, cp->addr.type)) {
2662                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2663                                         MGMT_STATUS_ALREADY_PAIRED, &rp,
2664                                         sizeof(rp));
2665                 goto unlock;
2666         }
2667 
2668         sec_level = BT_SECURITY_MEDIUM;
2669         auth_type = HCI_AT_DEDICATED_BONDING;
2670 
2671         if (cp->addr.type == BDADDR_BREDR) {
2672                 conn = hci_connect_acl(hdev, &cp->addr.bdaddr, sec_level,
2673                                        auth_type);
2674         } else {
2675                 u8 addr_type = le_addr_type(cp->addr.type);
2676                 struct hci_conn_params *p;
2677 
2678                 /* When pairing a new device, it is expected to remember
2679                  * this device for future connections. Adding the connection
2680                  * parameter information ahead of time allows tracking
2681                  * of the slave preferred values and will speed up any
2682                  * further connection establishment.
2683                  *
2684                  * If connection parameters already exist, then they
2685                  * will be kept and this function does nothing.
2686                  */
2687                 p = hci_conn_params_add(hdev, &cp->addr.bdaddr, addr_type);
2688 
2689                 if (p->auto_connect == HCI_AUTO_CONN_EXPLICIT)
2690                         p->auto_connect = HCI_AUTO_CONN_DISABLED;
2691 
2692                 conn = hci_connect_le_scan(hdev, &cp->addr.bdaddr,
2693                                            addr_type, sec_level,
2694                                            HCI_LE_CONN_TIMEOUT);
2695         }
2696 
2697         if (IS_ERR(conn)) {
2698                 int status;
2699 
2700                 if (PTR_ERR(conn) == -EBUSY)
2701                         status = MGMT_STATUS_BUSY;
2702                 else if (PTR_ERR(conn) == -EOPNOTSUPP)
2703                         status = MGMT_STATUS_NOT_SUPPORTED;
2704                 else if (PTR_ERR(conn) == -ECONNREFUSED)
2705                         status = MGMT_STATUS_REJECTED;
2706                 else
2707                         status = MGMT_STATUS_CONNECT_FAILED;
2708 
2709                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2710                                         status, &rp, sizeof(rp));
2711                 goto unlock;
2712         }
2713 
2714         if (conn->connect_cfm_cb) {
2715                 hci_conn_drop(conn);
2716                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2717                                         MGMT_STATUS_BUSY, &rp, sizeof(rp));
2718                 goto unlock;
2719         }
2720 
2721         cmd = mgmt_pending_add(sk, MGMT_OP_PAIR_DEVICE, hdev, data, len);
2722         if (!cmd) {
2723                 err = -ENOMEM;
2724                 hci_conn_drop(conn);
2725                 goto unlock;
2726         }
2727 
2728         cmd->cmd_complete = pairing_complete;
2729 
2730         /* For LE, just connecting isn't a proof that the pairing finished */
2731         if (cp->addr.type == BDADDR_BREDR) {
2732                 conn->connect_cfm_cb = pairing_complete_cb;
2733                 conn->security_cfm_cb = pairing_complete_cb;
2734                 conn->disconn_cfm_cb = pairing_complete_cb;
2735         } else {
2736                 conn->connect_cfm_cb = le_pairing_complete_cb;
2737                 conn->security_cfm_cb = le_pairing_complete_cb;
2738                 conn->disconn_cfm_cb = le_pairing_complete_cb;
2739         }
2740 
2741         conn->io_capability = cp->io_cap;
2742         cmd->user_data = hci_conn_get(conn);
2743 
2744         if ((conn->state == BT_CONNECTED || conn->state == BT_CONFIG) &&
2745             hci_conn_security(conn, sec_level, auth_type, true)) {
2746                 cmd->cmd_complete(cmd, 0);
2747                 mgmt_pending_remove(cmd);
2748         }
2749 
2750         err = 0;
2751 
2752 unlock:
2753         hci_dev_unlock(hdev);
2754         return err;
2755 }
2756 
2757 static int cancel_pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2758                               u16 len)
2759 {
2760         struct mgmt_addr_info *addr = data;
2761         struct mgmt_pending_cmd *cmd;
2762         struct hci_conn *conn;
2763         int err;
2764 
2765         BT_DBG("");
2766 
2767         hci_dev_lock(hdev);
2768 
2769         if (!hdev_is_powered(hdev)) {
2770                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
2771                                       MGMT_STATUS_NOT_POWERED);
2772                 goto unlock;
2773         }
2774 
2775         cmd = pending_find(MGMT_OP_PAIR_DEVICE, hdev);
2776         if (!cmd) {
2777                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
2778                                       MGMT_STATUS_INVALID_PARAMS);
2779                 goto unlock;
2780         }
2781 
2782         conn = cmd->user_data;
2783 
2784         if (bacmp(&addr->bdaddr, &conn->dst) != 0) {
2785                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
2786                                       MGMT_STATUS_INVALID_PARAMS);
2787                 goto unlock;
2788         }
2789 
2790         cmd->cmd_complete(cmd, MGMT_STATUS_CANCELLED);
2791         mgmt_pending_remove(cmd);
2792 
2793         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE, 0,
2794                                 addr, sizeof(*addr));
2795 unlock:
2796         hci_dev_unlock(hdev);
2797         return err;
2798 }
2799 
2800 static int user_pairing_resp(struct sock *sk, struct hci_dev *hdev,
2801                              struct mgmt_addr_info *addr, u16 mgmt_op,
2802                              u16 hci_op, __le32 passkey)
2803 {
2804         struct mgmt_pending_cmd *cmd;
2805         struct hci_conn *conn;
2806         int err;
2807 
2808         hci_dev_lock(hdev);
2809 
2810         if (!hdev_is_powered(hdev)) {
2811                 err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
2812                                         MGMT_STATUS_NOT_POWERED, addr,
2813                                         sizeof(*addr));
2814                 goto done;
2815         }
2816 
2817         if (addr->type == BDADDR_BREDR)
2818                 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &addr->bdaddr);
2819         else
2820                 conn = hci_conn_hash_lookup_le(hdev, &addr->bdaddr,
2821                                                le_addr_type(addr->type));
2822 
2823         if (!conn) {
2824                 err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
2825                                         MGMT_STATUS_NOT_CONNECTED, addr,
2826                                         sizeof(*addr));
2827                 goto done;
2828         }
2829 
2830         if (addr->type == BDADDR_LE_PUBLIC || addr->type == BDADDR_LE_RANDOM) {
2831                 err = smp_user_confirm_reply(conn, mgmt_op, passkey);
2832                 if (!err)
2833                         err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
2834                                                 MGMT_STATUS_SUCCESS, addr,
2835                                                 sizeof(*addr));
2836                 else
2837                         err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
2838                                                 MGMT_STATUS_FAILED, addr,
2839                                                 sizeof(*addr));
2840 
2841                 goto done;
2842         }
2843 
2844         cmd = mgmt_pending_add(sk, mgmt_op, hdev, addr, sizeof(*addr));
2845         if (!cmd) {
2846                 err = -ENOMEM;
2847                 goto done;
2848         }
2849 
2850         cmd->cmd_complete = addr_cmd_complete;
2851 
2852         /* Continue with pairing via HCI */
2853         if (hci_op == HCI_OP_USER_PASSKEY_REPLY) {
2854                 struct hci_cp_user_passkey_reply cp;
2855 
2856                 bacpy(&cp.bdaddr, &addr->bdaddr);
2857                 cp.passkey = passkey;
2858                 err = hci_send_cmd(hdev, hci_op, sizeof(cp), &cp);
2859         } else
2860                 err = hci_send_cmd(hdev, hci_op, sizeof(addr->bdaddr),
2861                                    &addr->bdaddr);
2862 
2863         if (err < 0)
2864                 mgmt_pending_remove(cmd);
2865 
2866 done:
2867         hci_dev_unlock(hdev);
2868         return err;
2869 }
2870 
2871 static int pin_code_neg_reply(struct sock *sk, struct hci_dev *hdev,
2872                               void *data, u16 len)
2873 {
2874         struct mgmt_cp_pin_code_neg_reply *cp = data;
2875 
2876         BT_DBG("");
2877 
2878         return user_pairing_resp(sk, hdev, &cp->addr,
2879                                 MGMT_OP_PIN_CODE_NEG_REPLY,
2880                                 HCI_OP_PIN_CODE_NEG_REPLY, 0);
2881 }
2882 
2883 static int user_confirm_reply(struct sock *sk, struct hci_dev *hdev, void *data,
2884                               u16 len)
2885 {
2886         struct mgmt_cp_user_confirm_reply *cp = data;
2887 
2888         BT_DBG("");
2889 
2890         if (len != sizeof(*cp))
2891                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_USER_CONFIRM_REPLY,
2892                                        MGMT_STATUS_INVALID_PARAMS);
2893 
2894         return user_pairing_resp(sk, hdev, &cp->addr,
2895                                  MGMT_OP_USER_CONFIRM_REPLY,
2896                                  HCI_OP_USER_CONFIRM_REPLY, 0);
2897 }
2898 
2899 static int user_confirm_neg_reply(struct sock *sk, struct hci_dev *hdev,
2900                                   void *data, u16 len)
2901 {
2902         struct mgmt_cp_user_confirm_neg_reply *cp = data;
2903 
2904         BT_DBG("");
2905 
2906         return user_pairing_resp(sk, hdev, &cp->addr,
2907                                  MGMT_OP_USER_CONFIRM_NEG_REPLY,
2908                                  HCI_OP_USER_CONFIRM_NEG_REPLY, 0);
2909 }
2910 
2911 static int user_passkey_reply(struct sock *sk, struct hci_dev *hdev, void *data,
2912                               u16 len)
2913 {
2914         struct mgmt_cp_user_passkey_reply *cp = data;
2915 
2916         BT_DBG("");
2917 
2918         return user_pairing_resp(sk, hdev, &cp->addr,
2919                                  MGMT_OP_USER_PASSKEY_REPLY,
2920                                  HCI_OP_USER_PASSKEY_REPLY, cp->passkey);
2921 }
2922 
2923 static int user_passkey_neg_reply(struct sock *sk, struct hci_dev *hdev,
2924                                   void *data, u16 len)
2925 {
2926         struct mgmt_cp_user_passkey_neg_reply *cp = data;
2927 
2928         BT_DBG("");
2929 
2930         return user_pairing_resp(sk, hdev, &cp->addr,
2931                                  MGMT_OP_USER_PASSKEY_NEG_REPLY,
2932                                  HCI_OP_USER_PASSKEY_NEG_REPLY, 0);
2933 }
2934 
2935 static void set_name_complete(struct hci_dev *hdev, u8 status, u16 opcode)
2936 {
2937         struct mgmt_cp_set_local_name *cp;
2938         struct mgmt_pending_cmd *cmd;
2939 
2940         BT_DBG("status 0x%02x", status);
2941 
2942         hci_dev_lock(hdev);
2943 
2944         cmd = pending_find(MGMT_OP_SET_LOCAL_NAME, hdev);
2945         if (!cmd)
2946                 goto unlock;
2947 
2948         cp = cmd->param;
2949 
2950         if (status)
2951                 mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_LOCAL_NAME,
2952                                 mgmt_status(status));
2953         else
2954                 mgmt_cmd_complete(cmd->sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, 0,
2955                                   cp, sizeof(*cp));
2956 
2957         mgmt_pending_remove(cmd);
2958 
2959 unlock:
2960         hci_dev_unlock(hdev);
2961 }
2962 
2963 static int set_local_name(struct sock *sk, struct hci_dev *hdev, void *data,
2964                           u16 len)
2965 {
2966         struct mgmt_cp_set_local_name *cp = data;
2967         struct mgmt_pending_cmd *cmd;
2968         struct hci_request req;
2969         int err;
2970 
2971         BT_DBG("");
2972 
2973         hci_dev_lock(hdev);
2974 
2975         /* If the old values are the same as the new ones just return a
2976          * direct command complete event.
2977          */
2978         if (!memcmp(hdev->dev_name, cp->name, sizeof(hdev->dev_name)) &&
2979             !memcmp(hdev->short_name, cp->short_name,
2980                     sizeof(hdev->short_name))) {
2981                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, 0,
2982                                         data, len);
2983                 goto failed;
2984         }
2985 
2986         memcpy(hdev->short_name, cp->short_name, sizeof(hdev->short_name));
2987 
2988         if (!hdev_is_powered(hdev)) {
2989                 memcpy(hdev->dev_name, cp->name, sizeof(hdev->dev_name));
2990 
2991                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, 0,
2992                                         data, len);
2993                 if (err < 0)
2994                         goto failed;
2995 
2996                 err = mgmt_generic_event(MGMT_EV_LOCAL_NAME_CHANGED, hdev,
2997                                          data, len, sk);
2998 
2999                 goto failed;
3000         }
3001 
3002         cmd = mgmt_pending_add(sk, MGMT_OP_SET_LOCAL_NAME, hdev, data, len);
3003         if (!cmd) {
3004                 err = -ENOMEM;
3005                 goto failed;
3006         }
3007 
3008         memcpy(hdev->dev_name, cp->name, sizeof(hdev->dev_name));
3009 
3010         hci_req_init(&req, hdev);
3011 
3012         if (lmp_bredr_capable(hdev)) {
3013                 __hci_req_update_name(&req);
3014                 __hci_req_update_eir(&req);
3015         }
3016 
3017         /* The name is stored in the scan response data and so
3018          * no need to udpate the advertising data here.
3019          */
3020         if (lmp_le_capable(hdev))
3021                 __hci_req_update_scan_rsp_data(&req, hdev->cur_adv_instance);
3022 
3023         err = hci_req_run(&req, set_name_complete);
3024         if (err < 0)
3025                 mgmt_pending_remove(cmd);
3026 
3027 failed:
3028         hci_dev_unlock(hdev);
3029         return err;
3030 }
3031 
3032 static void read_local_oob_data_complete(struct hci_dev *hdev, u8 status,
3033                                          u16 opcode, struct sk_buff *skb)
3034 {
3035         struct mgmt_rp_read_local_oob_data mgmt_rp;
3036         size_t rp_size = sizeof(mgmt_rp);
3037         struct mgmt_pending_cmd *cmd;
3038 
3039         BT_DBG("%s status %u", hdev->name, status);
3040 
3041         cmd = pending_find(MGMT_OP_READ_LOCAL_OOB_DATA, hdev);
3042         if (!cmd)
3043                 return;
3044 
3045         if (status || !skb) {
3046                 mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
3047                                 status ? mgmt_status(status) : MGMT_STATUS_FAILED);
3048                 goto remove;
3049         }
3050 
3051         memset(&mgmt_rp, 0, sizeof(mgmt_rp));
3052 
3053         if (opcode == HCI_OP_READ_LOCAL_OOB_DATA) {
3054                 struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
3055 
3056                 if (skb->len < sizeof(*rp)) {
3057                         mgmt_cmd_status(cmd->sk, hdev->id,
3058                                         MGMT_OP_READ_LOCAL_OOB_DATA,
3059                                         MGMT_STATUS_FAILED);
3060                         goto remove;
3061                 }
3062 
3063                 memcpy(mgmt_rp.hash192, rp->hash, sizeof(rp->hash));
3064                 memcpy(mgmt_rp.rand192, rp->rand, sizeof(rp->rand));
3065 
3066                 rp_size -= sizeof(mgmt_rp.hash256) + sizeof(mgmt_rp.rand256);
3067         } else {
3068                 struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
3069 
3070                 if (skb->len < sizeof(*rp)) {
3071                         mgmt_cmd_status(cmd->sk, hdev->id,
3072                                         MGMT_OP_READ_LOCAL_OOB_DATA,
3073                                         MGMT_STATUS_FAILED);
3074                         goto remove;
3075                 }
3076 
3077                 memcpy(mgmt_rp.hash192, rp->hash192, sizeof(rp->hash192));
3078                 memcpy(mgmt_rp.rand192, rp->rand192, sizeof(rp->rand192));
3079 
3080                 memcpy(mgmt_rp.hash256, rp->hash256, sizeof(rp->hash256));
3081                 memcpy(mgmt_rp.rand256, rp->rand256, sizeof(rp->rand256));
3082         }
3083 
3084         mgmt_cmd_complete(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
3085                           MGMT_STATUS_SUCCESS, &mgmt_rp, rp_size);
3086 
3087 remove:
3088         mgmt_pending_remove(cmd);
3089 }
3090 
3091 static int read_local_oob_data(struct sock *sk, struct hci_dev *hdev,
3092                                void *data, u16 data_len)
3093 {
3094         struct mgmt_pending_cmd *cmd;
3095         struct hci_request req;
3096         int err;
3097 
3098         BT_DBG("%s", hdev->name);
3099 
3100         hci_dev_lock(hdev);
3101 
3102         if (!hdev_is_powered(hdev)) {
3103                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
3104                                       MGMT_STATUS_NOT_POWERED);
3105                 goto unlock;
3106         }
3107 
3108         if (!lmp_ssp_capable(hdev)) {
3109                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
3110                                       MGMT_STATUS_NOT_SUPPORTED);
3111                 goto unlock;
3112         }
3113 
3114         if (pending_find(MGMT_OP_READ_LOCAL_OOB_DATA, hdev)) {
3115                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
3116                                       MGMT_STATUS_BUSY);
3117                 goto unlock;
3118         }
3119 
3120         cmd = mgmt_pending_add(sk, MGMT_OP_READ_LOCAL_OOB_DATA, hdev, NULL, 0);
3121         if (!cmd) {
3122                 err = -ENOMEM;
3123                 goto unlock;
3124         }
3125 
3126         hci_req_init(&req, hdev);
3127 
3128         if (bredr_sc_enabled(hdev))
3129                 hci_req_add(&req, HCI_OP_READ_LOCAL_OOB_EXT_DATA, 0, NULL);
3130         else
3131                 hci_req_add(&req, HCI_OP_READ_LOCAL_OOB_DATA, 0, NULL);
3132 
3133         err = hci_req_run_skb(&req, read_local_oob_data_complete);
3134         if (err < 0)
3135                 mgmt_pending_remove(cmd);
3136 
3137 unlock:
3138         hci_dev_unlock(hdev);
3139         return err;
3140 }
3141 
3142 static int add_remote_oob_data(struct sock *sk, struct hci_dev *hdev,
3143                                void *data, u16 len)
3144 {
3145         struct mgmt_addr_info *addr = data;
3146         int err;
3147 
3148         BT_DBG("%s ", hdev->name);
3149 
3150         if (!bdaddr_type_is_valid(addr->type))
3151                 return mgmt_cmd_complete(sk, hdev->id,
3152                                          MGMT_OP_ADD_REMOTE_OOB_DATA,
3153                                          MGMT_STATUS_INVALID_PARAMS,
3154                                          addr, sizeof(*addr));
3155 
3156         hci_dev_lock(hdev);
3157 
3158         if (len == MGMT_ADD_REMOTE_OOB_DATA_SIZE) {
3159                 struct mgmt_cp_add_remote_oob_data *cp = data;
3160                 u8 status;
3161 
3162                 if (cp->addr.type != BDADDR_BREDR) {
3163                         err = mgmt_cmd_complete(sk, hdev->id,
3164                                                 MGMT_OP_ADD_REMOTE_OOB_DATA,
3165                                                 MGMT_STATUS_INVALID_PARAMS,
3166                                                 &cp->addr, sizeof(cp->addr));
3167                         goto unlock;
3168                 }
3169 
3170                 err = hci_add_remote_oob_data(hdev, &cp->addr.bdaddr,
3171                                               cp->addr.type, cp->hash,
3172                                               cp->rand, NULL, NULL);
3173                 if (err < 0)
3174                         status = MGMT_STATUS_FAILED;
3175                 else
3176                         status = MGMT_STATUS_SUCCESS;
3177 
3178                 err = mgmt_cmd_complete(sk, hdev->id,
3179                                         MGMT_OP_ADD_REMOTE_OOB_DATA, status,
3180                                         &cp->addr, sizeof(cp->addr));
3181         } else if (len == MGMT_ADD_REMOTE_OOB_EXT_DATA_SIZE) {
3182                 struct mgmt_cp_add_remote_oob_ext_data *cp = data;
3183                 u8 *rand192, *hash192, *rand256, *hash256;
3184                 u8 status;
3185 
3186                 if (bdaddr_type_is_le(cp->addr.type)) {
3187                         /* Enforce zero-valued 192-bit parameters as
3188                          * long as legacy SMP OOB isn't implemented.
3189                          */
3190                         if (memcmp(cp->rand192, ZERO_KEY, 16) ||
3191                             memcmp(cp->hash192, ZERO_KEY, 16)) {
3192                                 err = mgmt_cmd_complete(sk, hdev->id,
3193                                                         MGMT_OP_ADD_REMOTE_OOB_DATA,
3194                                                         MGMT_STATUS_INVALID_PARAMS,
3195                                                         addr, sizeof(*addr));
3196                                 goto unlock;
3197                         }
3198 
3199                         rand192 = NULL;
3200                         hash192 = NULL;
3201                 } else {
3202                         /* In case one of the P-192 values is set to zero,
3203                          * then just disable OOB data for P-192.
3204                          */
3205                         if (!memcmp(cp->rand192, ZERO_KEY, 16) ||
3206                             !memcmp(cp->hash192, ZERO_KEY, 16)) {
3207                                 rand192 = NULL;
3208                                 hash192 = NULL;
3209                         } else {
3210                                 rand192 = cp->rand192;
3211                                 hash192 = cp->hash192;
3212                         }
3213                 }
3214 
3215                 /* In case one of the P-256 values is set to zero, then just
3216                  * disable OOB data for P-256.
3217                  */
3218                 if (!memcmp(cp->rand256, ZERO_KEY, 16) ||
3219                     !memcmp(cp->hash256, ZERO_KEY, 16)) {
3220                         rand256 = NULL;
3221                         hash256 = NULL;
3222                 } else {
3223                         rand256 = cp->rand256;
3224                         hash256 = cp->hash256;
3225                 }
3226 
3227                 err = hci_add_remote_oob_data(hdev, &cp->addr.bdaddr,
3228                                               cp->addr.type, hash192, rand192,
3229                                               hash256, rand256);
3230                 if (err < 0)
3231                         status = MGMT_STATUS_FAILED;
3232                 else
3233                         status = MGMT_STATUS_SUCCESS;
3234 
3235                 err = mgmt_cmd_complete(sk, hdev->id,
3236                                         MGMT_OP_ADD_REMOTE_OOB_DATA,
3237                                         status, &cp->addr, sizeof(cp->addr));
3238         } else {
3239                 BT_ERR("add_remote_oob_data: invalid length of %u bytes", len);
3240                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_REMOTE_OOB_DATA,
3241                                       MGMT_STATUS_INVALID_PARAMS);
3242         }
3243 
3244 unlock:
3245         hci_dev_unlock(hdev);
3246         return err;
3247 }
3248 
3249 static int remove_remote_oob_data(struct sock *sk, struct hci_dev *hdev,
3250                                   void *data, u16 len)
3251 {
3252         struct mgmt_cp_remove_remote_oob_data *cp = data;
3253         u8 status;
3254         int err;
3255 
3256         BT_DBG("%s", hdev->name);
3257 
3258         if (cp->addr.type != BDADDR_BREDR)
3259                 return mgmt_cmd_complete(sk, hdev->id,
3260                                          MGMT_OP_REMOVE_REMOTE_OOB_DATA,
3261                                          MGMT_STATUS_INVALID_PARAMS,
3262                                          &cp->addr, sizeof(cp->addr));
3263 
3264         hci_dev_lock(hdev);
3265 
3266         if (!bacmp(&cp->addr.bdaddr, BDADDR_ANY)) {
3267                 hci_remote_oob_data_clear(hdev);
3268                 status = MGMT_STATUS_SUCCESS;
3269                 goto done;
3270         }
3271 
3272         err = hci_remove_remote_oob_data(hdev, &cp->addr.bdaddr, cp->addr.type);
3273         if (err < 0)
3274                 status = MGMT_STATUS_INVALID_PARAMS;
3275         else
3276                 status = MGMT_STATUS_SUCCESS;
3277 
3278 done:
3279         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
3280                                 status, &cp->addr, sizeof(cp->addr));
3281 
3282         hci_dev_unlock(hdev);
3283         return err;
3284 }
3285 
3286 void mgmt_start_discovery_complete(struct hci_dev *hdev, u8 status)
3287 {
3288         struct mgmt_pending_cmd *cmd;
3289 
3290         BT_DBG("status %d", status);
3291 
3292         hci_dev_lock(hdev);
3293 
3294         cmd = pending_find(MGMT_OP_START_DISCOVERY, hdev);
3295         if (!cmd)
3296                 cmd = pending_find(MGMT_OP_START_SERVICE_DISCOVERY, hdev);
3297 
3298         if (!cmd)
3299                 cmd = pending_find(MGMT_OP_START_LIMITED_DISCOVERY, hdev);
3300 
3301         if (cmd) {
3302                 cmd->cmd_complete(cmd, mgmt_status(status));
3303                 mgmt_pending_remove(cmd);
3304         }
3305 
3306         hci_dev_unlock(hdev);
3307 }
3308 
3309 static bool discovery_type_is_valid(struct hci_dev *hdev, uint8_t type,
3310                                     uint8_t *mgmt_status)
3311 {
3312         switch (type) {
3313         case DISCOV_TYPE_LE:
3314                 *mgmt_status = mgmt_le_support(hdev);
3315                 if (*mgmt_status)
3316                         return false;
3317                 break;
3318         case DISCOV_TYPE_INTERLEAVED:
3319                 *mgmt_status = mgmt_le_support(hdev);
3320                 if (*mgmt_status)
3321                         return false;
3322                 /* Intentional fall-through */
3323         case DISCOV_TYPE_BREDR:
3324                 *mgmt_status = mgmt_bredr_support(hdev);
3325                 if (*mgmt_status)
3326                         return false;
3327                 break;
3328         default:
3329                 *mgmt_status = MGMT_STATUS_INVALID_PARAMS;
3330                 return false;
3331         }
3332 
3333         return true;
3334 }
3335 
3336 static int start_discovery_internal(struct sock *sk, struct hci_dev *hdev,
3337                                     u16 op, void *data, u16 len)
3338 {
3339         struct mgmt_cp_start_discovery *cp = data;
3340         struct mgmt_pending_cmd *cmd;
3341         u8 status;
3342         int err;
3343 
3344         BT_DBG("%s", hdev->name);
3345 
3346         hci_dev_lock(hdev);
3347 
3348         if (!hdev_is_powered(hdev)) {
3349                 err = mgmt_cmd_complete(sk, hdev->id, op,
3350                                         MGMT_STATUS_NOT_POWERED,
3351                                         &cp->type, sizeof(cp->type));
3352                 goto failed;
3353         }
3354 
3355         if (hdev->discovery.state != DISCOVERY_STOPPED ||
3356             hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) {
3357                 err = mgmt_cmd_complete(sk, hdev->id, op, MGMT_STATUS_BUSY,
3358                                         &cp->type, sizeof(cp->type));
3359                 goto failed;
3360         }
3361 
3362         if (!discovery_type_is_valid(hdev, cp->type, &status)) {
3363                 err = mgmt_cmd_complete(sk, hdev->id, op, status,
3364                                         &cp->type, sizeof(cp->type));
3365                 goto failed;
3366         }
3367 
3368         /* Clear the discovery filter first to free any previously
3369          * allocated memory for the UUID list.
3370          */
3371         hci_discovery_filter_clear(hdev);
3372 
3373         hdev->discovery.type = cp->type;
3374         hdev->discovery.report_invalid_rssi = false;
3375         if (op == MGMT_OP_START_LIMITED_DISCOVERY)
3376                 hdev->discovery.limited = true;
3377         else
3378                 hdev->discovery.limited = false;
3379 
3380         cmd = mgmt_pending_add(sk, op, hdev, data, len);
3381         if (!cmd) {
3382                 err = -ENOMEM;
3383                 goto failed;
3384         }
3385 
3386         cmd->cmd_complete = generic_cmd_complete;
3387 
3388         hci_discovery_set_state(hdev, DISCOVERY_STARTING);
3389         queue_work(hdev->req_workqueue, &hdev->discov_update);
3390         err = 0;
3391 
3392 failed:
3393         hci_dev_unlock(hdev);
3394         return err;
3395 }
3396 
3397 static int start_discovery(struct sock *sk, struct hci_dev *hdev,
3398                            void *data, u16 len)
3399 {
3400         return start_discovery_internal(sk, hdev, MGMT_OP_START_DISCOVERY,
3401                                         data, len);
3402 }
3403 
3404 static int start_limited_discovery(struct sock *sk, struct hci_dev *hdev,
3405                                    void *data, u16 len)
3406 {
3407         return start_discovery_internal(sk, hdev,
3408                                         MGMT_OP_START_LIMITED_DISCOVERY,
3409                                         data, len);
3410 }
3411 
3412 static int service_discovery_cmd_complete(struct mgmt_pending_cmd *cmd,
3413                                           u8 status)
3414 {
3415         return mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status,
3416                                  cmd->param, 1);
3417 }
3418 
3419 static int start_service_discovery(struct sock *sk, struct hci_dev *hdev,
3420                                    void *data, u16 len)
3421 {
3422         struct mgmt_cp_start_service_discovery *cp = data;
3423         struct mgmt_pending_cmd *cmd;
3424         const u16 max_uuid_count = ((U16_MAX - sizeof(*cp)) / 16);
3425         u16 uuid_count, expected_len;
3426         u8 status;
3427         int err;
3428 
3429         BT_DBG("%s", hdev->name);
3430 
3431         hci_dev_lock(hdev);
3432 
3433         if (!hdev_is_powered(hdev)) {
3434                 err = mgmt_cmd_complete(sk, hdev->id,
3435                                         MGMT_OP_START_SERVICE_DISCOVERY,
3436                                         MGMT_STATUS_NOT_POWERED,
3437                                         &cp->type, sizeof(cp->type));
3438                 goto failed;
3439         }
3440 
3441         if (hdev->discovery.state != DISCOVERY_STOPPED ||
3442             hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) {
3443                 err = mgmt_cmd_complete(sk, hdev->id,
3444                                         MGMT_OP_START_SERVICE_DISCOVERY,
3445                                         MGMT_STATUS_BUSY, &cp->type,
3446                                         sizeof(cp->type));
3447                 goto failed;
3448         }
3449 
3450         uuid_count = __le16_to_cpu(cp->uuid_count);
3451         if (uuid_count > max_uuid_count) {
3452                 BT_ERR("service_discovery: too big uuid_count value %u",
3453                        uuid_count);
3454                 err = mgmt_cmd_complete(sk, hdev->id,
3455                                         MGMT_OP_START_SERVICE_DISCOVERY,
3456                                         MGMT_STATUS_INVALID_PARAMS, &cp->type,
3457                                         sizeof(cp->type));
3458                 goto failed;
3459         }
3460 
3461         expected_len = sizeof(*cp) + uuid_count * 16;
3462         if (expected_len != len) {
3463                 BT_ERR("service_discovery: expected %u bytes, got %u bytes",
3464                        expected_len, len);
3465                 err = mgmt_cmd_complete(sk, hdev->id,
3466                                         MGMT_OP_START_SERVICE_DISCOVERY,
3467                                         MGMT_STATUS_INVALID_PARAMS, &cp->type,
3468                                         sizeof(cp->type));
3469                 goto failed;
3470         }
3471 
3472         if (!discovery_type_is_valid(hdev, cp->type, &status)) {
3473                 err = mgmt_cmd_complete(sk, hdev->id,
3474                                         MGMT_OP_START_SERVICE_DISCOVERY,
3475                                         status, &cp->type, sizeof(cp->type));
3476                 goto failed;
3477         }
3478 
3479         cmd = mgmt_pending_add(sk, MGMT_OP_START_SERVICE_DISCOVERY,
3480                                hdev, data, len);
3481         if (!cmd) {
3482                 err = -ENOMEM;
3483                 goto failed;
3484         }
3485 
3486         cmd->cmd_complete = service_discovery_cmd_complete;
3487 
3488         /* Clear the discovery filter first to free any previously
3489          * allocated memory for the UUID list.
3490          */
3491         hci_discovery_filter_clear(hdev);
3492 
3493         hdev->discovery.result_filtering = true;
3494         hdev->discovery.type = cp->type;
3495         hdev->discovery.rssi = cp->rssi;
3496         hdev->discovery.uuid_count = uuid_count;
3497 
3498         if (uuid_count > 0) {
3499                 hdev->discovery.uuids = kmemdup(cp->uuids, uuid_count * 16,
3500                                                 GFP_KERNEL);
3501                 if (!hdev->discovery.uuids) {
3502                         err = mgmt_cmd_complete(sk, hdev->id,
3503                                                 MGMT_OP_START_SERVICE_DISCOVERY,
3504                                                 MGMT_STATUS_FAILED,
3505                                                 &cp->type, sizeof(cp->type));
3506                         mgmt_pending_remove(cmd);
3507                         goto failed;
3508                 }
3509         }
3510 
3511         hci_discovery_set_state(hdev, DISCOVERY_STARTING);
3512         queue_work(hdev->req_workqueue, &hdev->discov_update);
3513         err = 0;
3514 
3515 failed:
3516         hci_dev_unlock(hdev);
3517         return err;
3518 }
3519 
3520 void mgmt_stop_discovery_complete(struct hci_dev *hdev, u8 status)
3521 {
3522         struct mgmt_pending_cmd *cmd;
3523 
3524         BT_DBG("status %d", status);
3525 
3526         hci_dev_lock(hdev);
3527 
3528         cmd = pending_find(MGMT_OP_STOP_DISCOVERY, hdev);
3529         if (cmd) {
3530                 cmd->cmd_complete(cmd, mgmt_status(status));
3531                 mgmt_pending_remove(cmd);
3532         }
3533 
3534         hci_dev_unlock(hdev);
3535 }
3536 
3537 static int stop_discovery(struct sock *sk, struct hci_dev *hdev, void *data,
3538                           u16 len)
3539 {
3540         struct mgmt_cp_stop_discovery *mgmt_cp = data;
3541         struct mgmt_pending_cmd *cmd;
3542         int err;
3543 
3544         BT_DBG("%s", hdev->name);
3545 
3546         hci_dev_lock(hdev);
3547 
3548         if (!hci_discovery_active(hdev)) {
3549                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_STOP_DISCOVERY,
3550                                         MGMT_STATUS_REJECTED, &mgmt_cp->type,
3551                                         sizeof(mgmt_cp->type));
3552                 goto unlock;
3553         }
3554 
3555         if (hdev->discovery.type != mgmt_cp->type) {
3556                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_STOP_DISCOVERY,
3557                                         MGMT_STATUS_INVALID_PARAMS,
3558                                         &mgmt_cp->type, sizeof(mgmt_cp->type));
3559                 goto unlock;
3560         }
3561 
3562         cmd = mgmt_pending_add(sk, MGMT_OP_STOP_DISCOVERY, hdev, data, len);
3563         if (!cmd) {
3564                 err = -ENOMEM;
3565                 goto unlock;
3566         }
3567 
3568         cmd->cmd_complete = generic_cmd_complete;
3569 
3570         hci_discovery_set_state(hdev, DISCOVERY_STOPPING);
3571         queue_work(hdev->req_workqueue, &hdev->discov_update);
3572         err = 0;
3573 
3574 unlock:
3575         hci_dev_unlock(hdev);
3576         return err;
3577 }
3578 
3579 static int confirm_name(struct sock *sk, struct hci_dev *hdev, void *data,
3580                         u16 len)
3581 {
3582         struct mgmt_cp_confirm_name *cp = data;
3583         struct inquiry_entry *e;
3584         int err;
3585 
3586         BT_DBG("%s", hdev->name);
3587 
3588         hci_dev_lock(hdev);
3589 
3590         if (!hci_discovery_active(hdev)) {
3591                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CONFIRM_NAME,
3592                                         MGMT_STATUS_FAILED, &cp->addr,
3593                                         sizeof(cp->addr));
3594                 goto failed;
3595         }
3596 
3597         e = hci_inquiry_cache_lookup_unknown(hdev, &cp->addr.bdaddr);
3598         if (!e) {
3599                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CONFIRM_NAME,
3600                                         MGMT_STATUS_INVALID_PARAMS, &cp->addr,
3601                                         sizeof(cp->addr));
3602                 goto failed;
3603         }
3604 
3605         if (cp->name_known) {
3606                 e->name_state = NAME_KNOWN;
3607                 list_del(&e->list);
3608         } else {
3609                 e->name_state = NAME_NEEDED;
3610                 hci_inquiry_cache_update_resolve(hdev, e);
3611         }
3612 
3613         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CONFIRM_NAME, 0,
3614                                 &cp->addr, sizeof(cp->addr));
3615 
3616 failed:
3617         hci_dev_unlock(hdev);
3618         return err;
3619 }
3620 
3621 static int block_device(struct sock *sk, struct hci_dev *hdev, void *data,
3622                         u16 len)
3623 {
3624         struct mgmt_cp_block_device *cp = data;
3625         u8 status;
3626         int err;
3627 
3628         BT_DBG("%s", hdev->name);
3629 
3630         if (!bdaddr_type_is_valid(cp->addr.type))
3631                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_BLOCK_DEVICE,
3632                                          MGMT_STATUS_INVALID_PARAMS,
3633                                          &cp->addr, sizeof(cp->addr));
3634 
3635         hci_dev_lock(hdev);
3636 
3637         err = hci_bdaddr_list_add(&hdev->blacklist, &cp->addr.bdaddr,
3638                                   cp->addr.type);
3639         if (err < 0) {
3640                 status = MGMT_STATUS_FAILED;
3641                 goto done;
3642         }
3643 
3644         mgmt_event(MGMT_EV_DEVICE_BLOCKED, hdev, &cp->addr, sizeof(cp->addr),
3645                    sk);
3646         status = MGMT_STATUS_SUCCESS;
3647 
3648 done:
3649         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_BLOCK_DEVICE, status,
3650                                 &cp->addr, sizeof(cp->addr));
3651 
3652         hci_dev_unlock(hdev);
3653 
3654         return err;
3655 }
3656 
3657 static int unblock_device(struct sock *sk, struct hci_dev *hdev, void *data,
3658                           u16 len)
3659 {
3660         struct mgmt_cp_unblock_device *cp = data;
3661         u8 status;
3662         int err;
3663 
3664         BT_DBG("%s", hdev->name);
3665 
3666         if (!bdaddr_type_is_valid(cp->addr.type))
3667                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNBLOCK_DEVICE,
3668                                          MGMT_STATUS_INVALID_PARAMS,
3669                                          &cp->addr, sizeof(cp->addr));
3670 
3671         hci_dev_lock(hdev);
3672 
3673         err = hci_bdaddr_list_del(&hdev->blacklist, &cp->addr.bdaddr,
3674                                   cp->addr.type);
3675         if (err < 0) {
3676                 status = MGMT_STATUS_INVALID_PARAMS;
3677                 goto done;
3678         }
3679 
3680         mgmt_event(MGMT_EV_DEVICE_UNBLOCKED, hdev, &cp->addr, sizeof(cp->addr),
3681                    sk);
3682         status = MGMT_STATUS_SUCCESS;
3683 
3684 done:
3685         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNBLOCK_DEVICE, status,
3686                                 &cp->addr, sizeof(cp->addr));
3687 
3688         hci_dev_unlock(hdev);
3689 
3690         return err;
3691 }
3692 
3693 static int set_device_id(struct sock *sk, struct hci_dev *hdev, void *data,
3694                          u16 len)
3695 {
3696         struct mgmt_cp_set_device_id *cp = data;
3697         struct hci_request req;
3698         int err;
3699         __u16 source;
3700 
3701         BT_DBG("%s", hdev->name);
3702 
3703         source = __le16_to_cpu(cp->source);
3704 
3705         if (source > 0x0002)
3706                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEVICE_ID,
3707                                        MGMT_STATUS_INVALID_PARAMS);
3708 
3709         hci_dev_lock(hdev);
3710 
3711         hdev->devid_source = source;
3712         hdev->devid_vendor = __le16_to_cpu(cp->vendor);
3713         hdev->devid_product = __le16_to_cpu(cp->product);
3714         hdev->devid_version = __le16_to_cpu(cp->version);
3715 
3716         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_DEVICE_ID, 0,
3717                                 NULL, 0);
3718 
3719         hci_req_init(&req, hdev);
3720         __hci_req_update_eir(&req);
3721         hci_req_run(&req, NULL);
3722 
3723         hci_dev_unlock(hdev);
3724 
3725         return err;
3726 }
3727 
3728 static void enable_advertising_instance(struct hci_dev *hdev, u8 status,
3729                                         u16 opcode)
3730 {
3731         BT_DBG("status %d", status);
3732 }
3733 
3734 static void set_advertising_complete(struct hci_dev *hdev, u8 status,
3735                                      u16 opcode)
3736 {
3737         struct cmd_lookup match = { NULL, hdev };
3738         struct hci_request req;
3739         u8 instance;
3740         struct adv_info *adv_instance;
3741         int err;
3742 
3743         hci_dev_lock(hdev);
3744 
3745         if (status) {
3746                 u8 mgmt_err = mgmt_status(status);
3747 
3748                 mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev,
3749                                      cmd_status_rsp, &mgmt_err);
3750                 goto unlock;
3751         }
3752 
3753         if (hci_dev_test_flag(hdev, HCI_LE_ADV))
3754                 hci_dev_set_flag(hdev, HCI_ADVERTISING);
3755         else
3756                 hci_dev_clear_flag(hdev, HCI_ADVERTISING);
3757 
3758         mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev, settings_rsp,
3759                              &match);
3760 
3761         new_settings(hdev, match.sk);
3762 
3763         if (match.sk)
3764                 sock_put(match.sk);
3765 
3766         /* If "Set Advertising" was just disabled and instance advertising was
3767          * set up earlier, then re-enable multi-instance advertising.
3768          */
3769         if (hci_dev_test_flag(hdev, HCI_ADVERTISING) ||
3770             list_empty(&hdev->adv_instances))
3771                 goto unlock;
3772 
3773         instance = hdev->cur_adv_instance;
3774         if (!instance) {
3775                 adv_instance = list_first_entry_or_null(&hdev->adv_instances,
3776                                                         struct adv_info, list);
3777                 if (!adv_instance)
3778                         goto unlock;
3779 
3780                 instance = adv_instance->instance;
3781         }
3782 
3783         hci_req_init(&req, hdev);
3784 
3785         err = __hci_req_schedule_adv_instance(&req, instance, true);
3786 
3787         if (!err)
3788                 err = hci_req_run(&req, enable_advertising_instance);
3789 
3790         if (err)
3791                 BT_ERR("Failed to re-configure advertising");
3792 
3793 unlock:
3794         hci_dev_unlock(hdev);
3795 }
3796 
3797 static int set_advertising(struct sock *sk, struct hci_dev *hdev, void *data,
3798                            u16 len)
3799 {
3800         struct mgmt_mode *cp = data;
3801         struct mgmt_pending_cmd *cmd;
3802         struct hci_request req;
3803         u8 val, status;
3804         int err;
3805 
3806         BT_DBG("request for %s", hdev->name);
3807 
3808         status = mgmt_le_support(hdev);
3809         if (status)
3810                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
3811                                        status);
3812 
3813         if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
3814                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
3815                                        MGMT_STATUS_INVALID_PARAMS);
3816 
3817         hci_dev_lock(hdev);
3818 
3819         val = !!cp->val;
3820 
3821         /* The following conditions are ones which mean that we should
3822          * not do any HCI communication but directly send a mgmt
3823          * response to user space (after toggling the flag if
3824          * necessary).
3825          */
3826         if (!hdev_is_powered(hdev) ||
3827             (val == hci_dev_test_flag(hdev, HCI_ADVERTISING) &&
3828              (cp->val == 0x02) == hci_dev_test_flag(hdev, HCI_ADVERTISING_CONNECTABLE)) ||
3829             hci_conn_num(hdev, LE_LINK) > 0 ||
3830             (hci_dev_test_flag(hdev, HCI_LE_SCAN) &&
3831              hdev->le_scan_type == LE_SCAN_ACTIVE)) {
3832                 bool changed;
3833 
3834                 if (cp->val) {
3835                         hdev->cur_adv_instance = 0x00;
3836                         changed = !hci_dev_test_and_set_flag(hdev, HCI_ADVERTISING);
3837                         if (cp->val == 0x02)
3838                                 hci_dev_set_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
3839                         else
3840                                 hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
3841                 } else {
3842                         changed = hci_dev_test_and_clear_flag(hdev, HCI_ADVERTISING);
3843                         hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
3844                 }
3845 
3846                 err = send_settings_rsp(sk, MGMT_OP_SET_ADVERTISING, hdev);
3847                 if (err < 0)
3848                         goto unlock;
3849 
3850                 if (changed)
3851                         err = new_settings(hdev, sk);
3852 
3853                 goto unlock;
3854         }
3855 
3856         if (pending_find(MGMT_OP_SET_ADVERTISING, hdev) ||
3857             pending_find(MGMT_OP_SET_LE, hdev)) {
3858                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
3859                                       MGMT_STATUS_BUSY);
3860                 goto unlock;
3861         }
3862 
3863         cmd = mgmt_pending_add(sk, MGMT_OP_SET_ADVERTISING, hdev, data, len);
3864         if (!cmd) {
3865                 err = -ENOMEM;
3866                 goto unlock;
3867         }
3868 
3869         hci_req_init(&req, hdev);
3870 
3871         if (cp->val == 0x02)
3872                 hci_dev_set_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
3873         else
3874                 hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
3875 
3876         cancel_adv_timeout(hdev);
3877 
3878         if (val) {
3879                 /* Switch to instance "" for the Set Advertising setting.
3880                  * We cannot use update_[adv|scan_rsp]_data() here as the
3881                  * HCI_ADVERTISING flag is not yet set.
3882                  */
3883                 hdev->cur_adv_instance = 0x00;
3884                 __hci_req_update_adv_data(&req, 0x00);
3885                 __hci_req_update_scan_rsp_data(&req, 0x00);
3886                 __hci_req_enable_advertising(&req);
3887         } else {
3888                 __hci_req_disable_advertising(&req);
3889         }
3890 
3891         err = hci_req_run(&req, set_advertising_complete);
3892         if (err < 0)
3893                 mgmt_pending_remove(cmd);
3894 
3895 unlock:
3896         hci_dev_unlock(hdev);
3897         return err;
3898 }
3899 
3900 static int set_static_address(struct sock *sk, struct hci_dev *hdev,
3901                               void *data, u16 len)
3902 {
3903         struct mgmt_cp_set_static_address *cp = data;
3904         int err;
3905 
3906         BT_DBG("%s", hdev->name);
3907 
3908         if (!lmp_le_capable(hdev))
3909                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_STATIC_ADDRESS,
3910                                        MGMT_STATUS_NOT_SUPPORTED);
3911 
3912         if (hdev_is_powered(hdev))
3913                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_STATIC_ADDRESS,
3914                                        MGMT_STATUS_REJECTED);
3915 
3916         if (bacmp(&cp->bdaddr, BDADDR_ANY)) {
3917                 if (!bacmp(&cp->bdaddr, BDADDR_NONE))
3918                         return mgmt_cmd_status(sk, hdev->id,
3919                                                MGMT_OP_SET_STATIC_ADDRESS,
3920                                                MGMT_STATUS_INVALID_PARAMS);
3921 
3922                 /* Two most significant bits shall be set */
3923                 if ((cp->bdaddr.b[5] & 0xc0) != 0xc0)
3924                         return mgmt_cmd_status(sk, hdev->id,
3925                                                MGMT_OP_SET_STATIC_ADDRESS,
3926                                                MGMT_STATUS_INVALID_PARAMS);
3927         }
3928 
3929         hci_dev_lock(hdev);
3930 
3931         bacpy(&hdev->static_addr, &cp->bdaddr);
3932 
3933         err = send_settings_rsp(sk, MGMT_OP_SET_STATIC_ADDRESS, hdev);
3934         if (err < 0)
3935                 goto unlock;
3936 
3937         err = new_settings(hdev, sk);
3938 
3939 unlock:
3940         hci_dev_unlock(hdev);
3941         return err;
3942 }
3943 
3944 static int set_scan_params(struct sock *sk, struct hci_dev *hdev,
3945                            void *data, u16 len)
3946 {
3947         struct mgmt_cp_set_scan_params *cp = data;
3948         __u16 interval, window;
3949         int err;
3950 
3951         BT_DBG("%s", hdev->name);
3952 
3953         if (!lmp_le_capable(hdev))
3954                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
3955                                        MGMT_STATUS_NOT_SUPPORTED);
3956 
3957         interval = __le16_to_cpu(cp->interval);
3958 
3959         if (interval < 0x0004 || interval > 0x4000)
3960                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
3961                                        MGMT_STATUS_INVALID_PARAMS);
3962 
3963         window = __le16_to_cpu(cp->window);
3964 
3965         if (window < 0x0004 || window > 0x4000)
3966                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
3967                                        MGMT_STATUS_INVALID_PARAMS);
3968 
3969         if (window > interval)
3970                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
3971                                        MGMT_STATUS_INVALID_PARAMS);
3972 
3973         hci_dev_lock(hdev);
3974 
3975         hdev->le_scan_interval = interval;
3976         hdev->le_scan_window = window;
3977 
3978         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS, 0,
3979                                 NULL, 0);
3980 
3981         /* If background scan is running, restart it so new parameters are
3982          * loaded.
3983          */
3984         if (hci_dev_test_flag(hdev, HCI_LE_SCAN) &&
3985             hdev->discovery.state == DISCOVERY_STOPPED) {
3986                 struct hci_request req;
3987 
3988                 hci_req_init(&req, hdev);
3989 
3990                 hci_req_add_le_scan_disable(&req);
3991                 hci_req_add_le_passive_scan(&req);
3992 
3993                 hci_req_run(&req, NULL);
3994         }
3995 
3996         hci_dev_unlock(hdev);
3997 
3998         return err;
3999 }
4000 
4001 static void fast_connectable_complete(struct hci_dev *hdev, u8 status,
4002                                       u16 opcode)
4003 {
4004         struct mgmt_pending_cmd *cmd;
4005 
4006         BT_DBG("status 0x%02x", status);
4007 
4008         hci_dev_lock(hdev);
4009 
4010         cmd = pending_find(MGMT_OP_SET_FAST_CONNECTABLE, hdev);
4011         if (!cmd)
4012                 goto unlock;
4013 
4014         if (status) {
4015                 mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
4016                                 mgmt_status(status));
4017         } else {
4018                 struct mgmt_mode *cp = cmd->param;
4019 
4020                 if (cp->val)
4021                         hci_dev_set_flag(hdev, HCI_FAST_CONNECTABLE);
4022                 else
4023                         hci_dev_clear_flag(hdev, HCI_FAST_CONNECTABLE);
4024 
4025                 send_settings_rsp(cmd->sk, MGMT_OP_SET_FAST_CONNECTABLE, hdev);
4026                 new_settings(hdev, cmd->sk);
4027         }
4028 
4029         mgmt_pending_remove(cmd);
4030 
4031 unlock:
4032         hci_dev_unlock(hdev);
4033 }
4034 
4035 static int set_fast_connectable(struct sock *sk, struct hci_dev *hdev,
4036                                 void *data, u16 len)
4037 {
4038         struct mgmt_mode *cp = data;
4039         struct mgmt_pending_cmd *cmd;
4040         struct hci_request req;
4041         int err;
4042 
4043         BT_DBG("%s", hdev->name);
4044 
4045         if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) ||
4046             hdev->hci_ver < BLUETOOTH_VER_1_2)
4047                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
4048                                        MGMT_STATUS_NOT_SUPPORTED);
4049 
4050         if (cp->val != 0x00 && cp->val != 0x01)
4051                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
4052                                        MGMT_STATUS_INVALID_PARAMS);
4053 
4054         hci_dev_lock(hdev);
4055 
4056         if (pending_find(MGMT_OP_SET_FAST_CONNECTABLE, hdev)) {
4057                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
4058                                       MGMT_STATUS_BUSY);
4059                 goto unlock;
4060         }
4061 
4062         if (!!cp->val == hci_dev_test_flag(hdev, HCI_FAST_CONNECTABLE)) {
4063                 err = send_settings_rsp(sk, MGMT_OP_SET_FAST_CONNECTABLE,
4064                                         hdev);
4065                 goto unlock;
4066         }
4067 
4068         if (!hdev_is_powered(hdev)) {
4069                 hci_dev_change_flag(hdev, HCI_FAST_CONNECTABLE);
4070                 err = send_settings_rsp(sk, MGMT_OP_SET_FAST_CONNECTABLE,
4071                                         hdev);
4072                 new_settings(hdev, sk);
4073                 goto unlock;
4074         }
4075 
4076         cmd = mgmt_pending_add(sk, MGMT_OP_SET_FAST_CONNECTABLE, hdev,
4077                                data, len);
4078         if (!cmd) {
4079                 err = -ENOMEM;
4080                 goto unlock;
4081         }
4082 
4083         hci_req_init(&req, hdev);
4084 
4085         __hci_req_write_fast_connectable(&req, cp->val);
4086 
4087         err = hci_req_run(&req, fast_connectable_complete);
4088         if (err < 0) {
4089                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
4090                                       MGMT_STATUS_FAILED);
4091                 mgmt_pending_remove(cmd);
4092         }
4093 
4094 unlock:
4095         hci_dev_unlock(hdev);
4096 
4097         return err;
4098 }
4099 
4100 static void set_bredr_complete(struct hci_dev *hdev, u8 status, u16 opcode)
4101 {
4102         struct mgmt_pending_cmd *cmd;
4103 
4104         BT_DBG("status 0x%02x", status);
4105 
4106         hci_dev_lock(hdev);
4107 
4108         cmd = pending_find(MGMT_OP_SET_BREDR, hdev);
4109         if (!cmd)
4110                 goto unlock;
4111 
4112         if (status) {
4113                 u8 mgmt_err = mgmt_status(status);
4114 
4115                 /* We need to restore the flag if related HCI commands
4116                  * failed.
4117                  */
4118                 hci_dev_clear_flag(hdev, HCI_BREDR_ENABLED);
4119 
4120                 mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
4121         } else {
4122                 send_settings_rsp(cmd->sk, MGMT_OP_SET_BREDR, hdev);
4123                 new_settings(hdev, cmd->sk);
4124         }
4125 
4126         mgmt_pending_remove(cmd);
4127 
4128 unlock:
4129         hci_dev_unlock(hdev);
4130 }
4131 
4132 static int set_bredr(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
4133 {
4134         struct mgmt_mode *cp = data;
4135         struct mgmt_pending_cmd *cmd;
4136         struct hci_request req;
4137         int err;
4138 
4139         BT_DBG("request for %s", hdev->name);
4140 
4141         if (!lmp_bredr_capable(hdev) || !lmp_le_capable(hdev))
4142                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
4143                                        MGMT_STATUS_NOT_SUPPORTED);
4144 
4145         if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
4146                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
4147                                        MGMT_STATUS_REJECTED);
4148 
4149         if (cp->val != 0x00 && cp->val != 0x01)
4150                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
4151                                        MGMT_STATUS_INVALID_PARAMS);
4152 
4153         hci_dev_lock(hdev);
4154 
4155         if (cp->val == hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
4156                 err = send_settings_rsp(sk, MGMT_OP_SET_BREDR, hdev);
4157                 goto unlock;
4158         }
4159 
4160         if (!hdev_is_powered(hdev)) {
4161                 if (!cp->val) {
4162                         hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
4163                         hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
4164                         hci_dev_clear_flag(hdev, HCI_LINK_SECURITY);
4165                         hci_dev_clear_flag(hdev, HCI_FAST_CONNECTABLE);
4166                         hci_dev_clear_flag(hdev, HCI_HS_ENABLED);
4167                 }
4168 
4169                 hci_dev_change_flag(hdev, HCI_BREDR_ENABLED);
4170 
4171                 err = send_settings_rsp(sk, MGMT_OP_SET_BREDR, hdev);
4172                 if (err < 0)
4173                         goto unlock;
4174 
4175                 err = new_settings(hdev, sk);
4176                 goto unlock;
4177         }
4178 
4179         /* Reject disabling when powered on */
4180         if (!cp->val) {
4181                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
4182                                       MGMT_STATUS_REJECTED);
4183                 goto unlock;
4184         } else {
4185                 /* When configuring a dual-mode controller to operate
4186                  * with LE only and using a static address, then switching
4187                  * BR/EDR back on is not allowed.
4188                  *
4189                  * Dual-mode controllers shall operate with the public
4190                  * address as its identity address for BR/EDR and LE. So
4191                  * reject the attempt to create an invalid configuration.
4192                  *
4193                  * The same restrictions applies when secure connections
4194                  * has been enabled. For BR/EDR this is a controller feature
4195                  * while for LE it is a host stack feature. This means that
4196                  * switching BR/EDR back on when secure connections has been
4197                  * enabled is not a supported transaction.
4198                  */
4199                 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
4200                     (bacmp(&hdev->static_addr, BDADDR_ANY) ||
4201                      hci_dev_test_flag(hdev, HCI_SC_ENABLED))) {
4202                         err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
4203                                               MGMT_STATUS_REJECTED);
4204                         goto unlock;
4205                 }
4206         }
4207 
4208         if (pending_find(MGMT_OP_SET_BREDR, hdev)) {
4209                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
4210                                       MGMT_STATUS_BUSY);
4211                 goto unlock;
4212         }
4213 
4214         cmd = mgmt_pending_add(sk, MGMT_OP_SET_BREDR, hdev, data, len);
4215         if (!cmd) {
4216                 err = -ENOMEM;
4217                 goto unlock;
4218         }
4219 
4220         /* We need to flip the bit already here so that
4221          * hci_req_update_adv_data generates the correct flags.
4222          */
4223         hci_dev_set_flag(hdev, HCI_BREDR_ENABLED);
4224 
4225         hci_req_init(&req, hdev);
4226 
4227         __hci_req_write_fast_connectable(&req, false);
4228         __hci_req_update_scan(&req);
4229 
4230         /* Since only the advertising data flags will change, there
4231          * is no need to update the scan response data.
4232          */
4233         __hci_req_update_adv_data(&req, hdev->cur_adv_instance);
4234 
4235         err = hci_req_run(&req, set_bredr_complete);
4236         if (err < 0)
4237                 mgmt_pending_remove(cmd);
4238 
4239 unlock:
4240         hci_dev_unlock(hdev);
4241         return err;
4242 }
4243 
4244 static void sc_enable_complete(struct hci_dev *hdev, u8 status, u16 opcode)
4245 {
4246         struct mgmt_pending_cmd *cmd;
4247         struct mgmt_mode *cp;
4248 
4249         BT_DBG("%s status %u", hdev->name, status);
4250 
4251         hci_dev_lock(hdev);
4252 
4253         cmd = pending_find(MGMT_OP_SET_SECURE_CONN, hdev);
4254         if (!cmd)
4255                 goto unlock;
4256 
4257         if (status) {
4258                 mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode,
4259                                 mgmt_status(status));
4260                 goto remove;
4261         }
4262 
4263         cp = cmd->param;
4264 
4265         switch (cp->val) {
4266         case 0x00:
4267                 hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
4268                 hci_dev_clear_flag(hdev, HCI_SC_ONLY);
4269                 break;
4270         case 0x01:
4271                 hci_dev_set_flag(hdev, HCI_SC_ENABLED);
4272                 hci_dev_clear_flag(hdev, HCI_SC_ONLY);
4273                 break;
4274         case 0x02:
4275                 hci_dev_set_flag(hdev, HCI_SC_ENABLED);
4276                 hci_dev_set_flag(hdev, HCI_SC_ONLY);
4277                 break;
4278         }
4279 
4280         send_settings_rsp(cmd->sk, MGMT_OP_SET_SECURE_CONN, hdev);
4281         new_settings(hdev, cmd->sk);
4282 
4283 remove:
4284         mgmt_pending_remove(cmd);
4285 unlock:
4286         hci_dev_unlock(hdev);
4287 }
4288 
4289 static int set_secure_conn(struct sock *sk, struct hci_dev *hdev,
4290                            void *data, u16 len)
4291 {
4292         struct mgmt_mode *cp = data;
4293         struct mgmt_pending_cmd *cmd;
4294         struct hci_request req;
4295         u8 val;
4296         int err;
4297 
4298         BT_DBG("request for %s", hdev->name);
4299 
4300         if (!lmp_sc_capable(hdev) &&
4301             !hci_dev_test_flag(hdev, HCI_LE_ENABLED))
4302                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
4303                                        MGMT_STATUS_NOT_SUPPORTED);
4304 
4305         if (hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
4306             lmp_sc_capable(hdev) &&
4307             !hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
4308                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
4309                                        MGMT_STATUS_REJECTED);
4310 
4311         if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
4312                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
4313                                   MGMT_STATUS_INVALID_PARAMS);
4314 
4315         hci_dev_lock(hdev);
4316 
4317         if (!hdev_is_powered(hdev) || !lmp_sc_capable(hdev) ||
4318             !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
4319                 bool changed;
4320 
4321                 if (cp->val) {
4322                         changed = !hci_dev_test_and_set_flag(hdev,
4323                                                              HCI_SC_ENABLED);
4324                         if (cp->val == 0x02)
4325                                 hci_dev_set_flag(hdev, HCI_SC_ONLY);
4326                         else
4327                                 hci_dev_clear_flag(hdev, HCI_SC_ONLY);
4328                 } else {
4329                         changed = hci_dev_test_and_clear_flag(hdev,
4330                                                               HCI_SC_ENABLED);
4331                         hci_dev_clear_flag(hdev, HCI_SC_ONLY);
4332                 }
4333 
4334                 err = send_settings_rsp(sk, MGMT_OP_SET_SECURE_CONN, hdev);
4335                 if (err < 0)
4336                         goto failed;
4337 
4338                 if (changed)
4339                         err = new_settings(hdev, sk);
4340 
4341                 goto failed;
4342         }
4343 
4344         if (pending_find(MGMT_OP_SET_SECURE_CONN, hdev)) {
4345                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
4346                                       MGMT_STATUS_BUSY);
4347                 goto failed;
4348         }
4349 
4350         val = !!cp->val;
4351 
4352         if (val == hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
4353             (cp->val == 0x02) == hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
4354                 err = send_settings_rsp(sk, MGMT_OP_SET_SECURE_CONN, hdev);
4355                 goto failed;
4356         }
4357 
4358         cmd = mgmt_pending_add(sk, MGMT_OP_SET_SECURE_CONN, hdev, data, len);
4359         if (!cmd) {
4360                 err = -ENOMEM;
4361                 goto failed;
4362         }
4363 
4364         hci_req_init(&req, hdev);
4365         hci_req_add(&req, HCI_OP_WRITE_SC_SUPPORT, 1, &val);
4366         err = hci_req_run(&req, sc_enable_complete);
4367         if (err < 0) {
4368                 mgmt_pending_remove(cmd);
4369                 goto failed;
4370         }
4371 
4372 failed:
4373         hci_dev_unlock(hdev);
4374         return err;
4375 }
4376 
4377 static int set_debug_keys(struct sock *sk, struct hci_dev *hdev,
4378                           void *data, u16 len)
4379 {
4380         struct mgmt_mode *cp = data;
4381         bool changed, use_changed;
4382         int err;
4383 
4384         BT_DBG("request for %s", hdev->name);
4385 
4386         if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
4387                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEBUG_KEYS,
4388                                        MGMT_STATUS_INVALID_PARAMS);
4389 
4390         hci_dev_lock(hdev);
4391 
4392         if (cp->val)
4393                 changed = !hci_dev_test_and_set_flag(hdev, HCI_KEEP_DEBUG_KEYS);
4394         else
4395                 changed = hci_dev_test_and_clear_flag(hdev,
4396                                                       HCI_KEEP_DEBUG_KEYS);
4397 
4398         if (cp->val == 0x02)
4399                 use_changed = !hci_dev_test_and_set_flag(hdev,
4400                                                          HCI_USE_DEBUG_KEYS);
4401         else
4402                 use_changed = hci_dev_test_and_clear_flag(hdev,
4403                                                           HCI_USE_DEBUG_KEYS);
4404 
4405         if (hdev_is_powered(hdev) && use_changed &&
4406             hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
4407                 u8 mode = (cp->val == 0x02) ? 0x01 : 0x00;
4408                 hci_send_cmd(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE,
4409                              sizeof(mode), &mode);
4410         }
4411 
4412         err = send_settings_rsp(sk, MGMT_OP_SET_DEBUG_KEYS, hdev);
4413         if (err < 0)
4414                 goto unlock;
4415 
4416         if (changed)
4417                 err = new_settings(hdev, sk);
4418 
4419 unlock:
4420         hci_dev_unlock(hdev);
4421         return err;
4422 }
4423 
4424 static int set_privacy(struct sock *sk, struct hci_dev *hdev, void *cp_data,
4425                        u16 len)
4426 {
4427         struct mgmt_cp_set_privacy *cp = cp_data;
4428         bool changed;
4429         int err;
4430 
4431         BT_DBG("request for %s", hdev->name);
4432 
4433         if (!lmp_le_capable(hdev))
4434                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PRIVACY,
4435                                        MGMT_STATUS_NOT_SUPPORTED);
4436 
4437         if (cp->privacy != 0x00 && cp->privacy != 0x01 && cp->privacy != 0x02)
4438                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PRIVACY,
4439                                        MGMT_STATUS_INVALID_PARAMS);
4440 
4441         if (hdev_is_powered(hdev))
4442                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PRIVACY,
4443                                        MGMT_STATUS_REJECTED);
4444 
4445         hci_dev_lock(hdev);
4446 
4447         /* If user space supports this command it is also expected to
4448          * handle IRKs. Therefore, set the HCI_RPA_RESOLVING flag.
4449          */
4450         hci_dev_set_flag(hdev, HCI_RPA_RESOLVING);
4451 
4452         if (cp->privacy) {
4453                 changed = !hci_dev_test_and_set_flag(hdev, HCI_PRIVACY);
4454                 memcpy(hdev->irk, cp->irk, sizeof(hdev->irk));
4455                 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
4456                 if (cp->privacy == 0x02)
4457                         hci_dev_set_flag(hdev, HCI_LIMITED_PRIVACY);
4458                 else
4459                         hci_dev_clear_flag(hdev, HCI_LIMITED_PRIVACY);
4460         } else {
4461                 changed = hci_dev_test_and_clear_flag(hdev, HCI_PRIVACY);
4462                 memset(hdev->irk, 0, sizeof(hdev->irk));
4463                 hci_dev_clear_flag(hdev, HCI_RPA_EXPIRED);
4464                 hci_dev_clear_flag(hdev, HCI_LIMITED_PRIVACY);
4465         }
4466 
4467         err = send_settings_rsp(sk, MGMT_OP_SET_PRIVACY, hdev);
4468         if (err < 0)
4469                 goto unlock;
4470 
4471         if (changed)
4472                 err = new_settings(hdev, sk);
4473 
4474 unlock:
4475         hci_dev_unlock(hdev);
4476         return err;
4477 }
4478 
4479 static bool irk_is_valid(struct mgmt_irk_info *irk)
4480 {
4481         switch (irk->addr.type) {
4482         case BDADDR_LE_PUBLIC:
4483                 return true;
4484 
4485         case BDADDR_LE_RANDOM:
4486                 /* Two most significant bits shall be set */
4487                 if ((irk->addr.bdaddr.b[5] & 0xc0) != 0xc0)
4488                         return false;
4489                 return true;
4490         }
4491 
4492         return false;
4493 }
4494 
4495 static int load_irks(struct sock *sk, struct hci_dev *hdev, void *cp_data,
4496                      u16 len)
4497 {
4498         struct mgmt_cp_load_irks *cp = cp_data;
4499         const u16 max_irk_count = ((U16_MAX - sizeof(*cp)) /
4500                                    sizeof(struct mgmt_irk_info));
4501         u16 irk_count, expected_len;
4502         int i, err;
4503 
4504         BT_DBG("request for %s", hdev->name);
4505 
4506         if (!lmp_le_capable(hdev))
4507                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_IRKS,
4508                                        MGMT_STATUS_NOT_SUPPORTED);
4509 
4510         irk_count = __le16_to_cpu(cp->irk_count);
4511         if (irk_count > max_irk_count) {
4512                 BT_ERR("load_irks: too big irk_count value %u", irk_count);
4513                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_IRKS,
4514                                        MGMT_STATUS_INVALID_PARAMS);
4515         }
4516 
4517         expected_len = sizeof(*cp) + irk_count * sizeof(struct mgmt_irk_info);
4518         if (expected_len != len) {
4519                 BT_ERR("load_irks: expected %u bytes, got %u bytes",
4520                        expected_len, len);
4521                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_IRKS,
4522                                        MGMT_STATUS_INVALID_PARAMS);
4523         }
4524 
4525         BT_DBG("%s irk_count %u", hdev->name, irk_count);
4526 
4527         for (i = 0; i < irk_count; i++) {
4528                 struct mgmt_irk_info *key = &cp->irks[i];
4529 
4530                 if (!irk_is_valid(key))
4531                         return mgmt_cmd_status(sk, hdev->id,
4532                                                MGMT_OP_LOAD_IRKS,
4533                                                MGMT_STATUS_INVALID_PARAMS);
4534         }
4535 
4536         hci_dev_lock(hdev);
4537 
4538         hci_smp_irks_clear(hdev);
4539 
4540         for (i = 0; i < irk_count; i++) {
4541                 struct mgmt_irk_info *irk = &cp->irks[i];
4542 
4543                 hci_add_irk(hdev, &irk->addr.bdaddr,
4544                             le_addr_type(irk->addr.type), irk->val,
4545                             BDADDR_ANY);
4546         }
4547 
4548         hci_dev_set_flag(hdev, HCI_RPA_RESOLVING);
4549 
4550         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_IRKS, 0, NULL, 0);
4551 
4552         hci_dev_unlock(hdev);
4553 
4554         return err;
4555 }
4556 
4557 static bool ltk_is_valid(struct mgmt_ltk_info *key)
4558 {
4559         if (key->master != 0x00 && key->master != 0x01)
4560                 return false;
4561 
4562         switch (key->addr.type) {
4563         case BDADDR_LE_PUBLIC:
4564                 return true;
4565 
4566         case BDADDR_LE_RANDOM:
4567                 /* Two most significant bits shall be set */
4568                 if ((key->addr.bdaddr.b[5] & 0xc0) != 0xc0)
4569                         return false;
4570                 return true;
4571         }
4572 
4573         return false;
4574 }
4575 
4576 static int load_long_term_keys(struct sock *sk, struct hci_dev *hdev,
4577                                void *cp_data, u16 len)
4578 {
4579         struct mgmt_cp_load_long_term_keys *cp = cp_data;
4580         const u16 max_key_count = ((U16_MAX - sizeof(*cp)) /
4581                                    sizeof(struct mgmt_ltk_info));
4582         u16 key_count, expected_len;
4583         int i, err;
4584 
4585         BT_DBG("request for %s", hdev->name);
4586 
4587         if (!lmp_le_capable(hdev))
4588                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS,
4589                                        MGMT_STATUS_NOT_SUPPORTED);
4590 
4591         key_count = __le16_to_cpu(cp->key_count);
4592         if (key_count > max_key_count) {
4593                 BT_ERR("load_ltks: too big key_count value %u", key_count);
4594                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS,
4595                                        MGMT_STATUS_INVALID_PARAMS);
4596         }
4597 
4598         expected_len = sizeof(*cp) + key_count *
4599                                         sizeof(struct mgmt_ltk_info);
4600         if (expected_len != len) {
4601                 BT_ERR("load_keys: expected %u bytes, got %u bytes",
4602                        expected_len, len);
4603                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS,
4604                                        MGMT_STATUS_INVALID_PARAMS);
4605         }
4606 
4607         BT_DBG("%s key_count %u", hdev->name, key_count);
4608 
4609         for (i = 0; i < key_count; i++) {
4610                 struct mgmt_ltk_info *key = &cp->keys[i];
4611 
4612                 if (!ltk_is_valid(key))
4613                         return mgmt_cmd_status(sk, hdev->id,
4614                                                MGMT_OP_LOAD_LONG_TERM_KEYS,
4615                                                MGMT_STATUS_INVALID_PARAMS);
4616         }
4617 
4618         hci_dev_lock(hdev);
4619 
4620         hci_smp_ltks_clear(hdev);
4621 
4622         for (i = 0; i < key_count; i++) {
4623                 struct mgmt_ltk_info *key = &cp->keys[i];
4624                 u8 type, authenticated;
4625 
4626                 switch (key->type) {
4627                 case MGMT_LTK_UNAUTHENTICATED:
4628                         authenticated = 0x00;
4629                         type = key->master ? SMP_LTK : SMP_LTK_SLAVE;
4630                         break;
4631                 case MGMT_LTK_AUTHENTICATED:
4632                         authenticated = 0x01;
4633                         type = key->master ? SMP_LTK : SMP_LTK_SLAVE;
4634                         break;
4635                 case MGMT_LTK_P256_UNAUTH:
4636                         authenticated = 0x00;
4637                         type = SMP_LTK_P256;
4638                         break;
4639                 case MGMT_LTK_P256_AUTH:
4640                         authenticated = 0x01;
4641                         type = SMP_LTK_P256;
4642                         break;
4643                 case MGMT_LTK_P256_DEBUG:
4644                         authenticated = 0x00;
4645                         type = SMP_LTK_P256_DEBUG;
4646                 default:
4647                         continue;
4648                 }
4649 
4650                 hci_add_ltk(hdev, &key->addr.bdaddr,
4651                             le_addr_type(key->addr.type), type, authenticated,
4652                             key->val, key->enc_size, key->ediv, key->rand);
4653         }
4654 
4655         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS, 0,
4656                            NULL, 0);
4657 
4658         hci_dev_unlock(hdev);
4659 
4660         return err;
4661 }
4662 
4663 static int conn_info_cmd_complete(struct mgmt_pending_cmd *cmd, u8 status)
4664 {
4665         struct hci_conn *conn = cmd->user_data;
4666         struct mgmt_rp_get_conn_info rp;
4667         int err;
4668 
4669         memcpy(&rp.addr, cmd->param, sizeof(rp.addr));
4670 
4671         if (status == MGMT_STATUS_SUCCESS) {
4672                 rp.rssi = conn->rssi;
4673                 rp.tx_power = conn->tx_power;
4674                 rp.max_tx_power = conn->max_tx_power;
4675         } else {
4676                 rp.rssi = HCI_RSSI_INVALID;
4677                 rp.tx_power = HCI_TX_POWER_INVALID;
4678                 rp.max_tx_power = HCI_TX_POWER_INVALID;
4679         }
4680 
4681         err = mgmt_cmd_complete(cmd->sk, cmd->index, MGMT_OP_GET_CONN_INFO,
4682                                 status, &rp, sizeof(rp));
4683 
4684         hci_conn_drop(conn);
4685         hci_conn_put(conn);
4686 
4687         return err;
4688 }
4689 
4690 static void conn_info_refresh_complete(struct hci_dev *hdev, u8 hci_status,
4691                                        u16 opcode)
4692 {
4693         struct hci_cp_read_rssi *cp;
4694         struct mgmt_pending_cmd *cmd;
4695         struct hci_conn *conn;
4696         u16 handle;
4697         u8 status;
4698 
4699         BT_DBG("status 0x%02x", hci_status);
4700 
4701         hci_dev_lock(hdev);
4702 
4703         /* Commands sent in request are either Read RSSI or Read Transmit Power
4704          * Level so we check which one was last sent to retrieve connection
4705          * handle.  Both commands have handle as first parameter so it's safe to
4706          * cast data on the same command struct.
4707          *
4708          * First command sent is always Read RSSI and we fail only if it fails.
4709          * In other case we simply override error to indicate success as we
4710          * already remembered if TX power value is actually valid.
4711          */
4712         cp = hci_sent_cmd_data(hdev, HCI_OP_READ_RSSI);
4713         if (!cp) {
4714                 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
4715                 status = MGMT_STATUS_SUCCESS;
4716         } else {
4717                 status = mgmt_status(hci_status);
4718         }
4719 
4720         if (!cp) {
4721                 BT_ERR("invalid sent_cmd in conn_info response");
4722                 goto unlock;
4723         }
4724 
4725         handle = __le16_to_cpu(cp->handle);
4726         conn = hci_conn_hash_lookup_handle(hdev, handle);
4727         if (!conn) {
4728                 BT_ERR("unknown handle (%d) in conn_info response", handle);
4729                 goto unlock;
4730         }
4731 
4732         cmd = pending_find_data(MGMT_OP_GET_CONN_INFO, hdev, conn);
4733         if (!cmd)
4734                 goto unlock;
4735 
4736         cmd->cmd_complete(cmd, status);
4737         mgmt_pending_remove(cmd);
4738 
4739 unlock:
4740         hci_dev_unlock(hdev);
4741 }
4742 
4743 static int get_conn_info(struct sock *sk, struct hci_dev *hdev, void *data,
4744                          u16 len)
4745 {
4746         struct mgmt_cp_get_conn_info *cp = data;
4747         struct mgmt_rp_get_conn_info rp;
4748         struct hci_conn *conn;
4749         unsigned long conn_info_age;
4750         int err = 0;
4751 
4752         BT_DBG("%s", hdev->name);
4753 
4754         memset(&rp, 0, sizeof(rp));
4755         bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
4756         rp.addr.type = cp->addr.type;
4757 
4758         if (!bdaddr_type_is_valid(cp->addr.type))
4759                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
4760                                          MGMT_STATUS_INVALID_PARAMS,
4761                                          &rp, sizeof(rp));
4762 
4763         hci_dev_lock(hdev);
4764 
4765         if (!hdev_is_powered(hdev)) {
4766                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
4767                                         MGMT_STATUS_NOT_POWERED, &rp,
4768                                         sizeof(rp));
4769                 goto unlock;
4770         }
4771 
4772         if (cp->addr.type == BDADDR_BREDR)
4773                 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
4774                                                &cp->addr.bdaddr);
4775         else
4776                 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->addr.bdaddr);
4777 
4778         if (!conn || conn->state != BT_CONNECTED) {
4779                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
4780                                         MGMT_STATUS_NOT_CONNECTED, &rp,
4781                                         sizeof(rp));
4782                 goto unlock;
4783         }
4784 
4785         if (pending_find_data(MGMT_OP_GET_CONN_INFO, hdev, conn)) {
4786                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
4787                                         MGMT_STATUS_BUSY, &rp, sizeof(rp));
4788                 goto unlock;
4789         }
4790 
4791         /* To avoid client trying to guess when to poll again for information we
4792          * calculate conn info age as random value between min/max set in hdev.
4793          */
4794         conn_info_age = hdev->conn_info_min_age +
4795                         prandom_u32_max(hdev->conn_info_max_age -
4796                                         hdev->conn_info_min_age);
4797 
4798         /* Query controller to refresh cached values if they are too old or were
4799          * never read.
4800          */
4801         if (time_after(jiffies, conn->conn_info_timestamp +
4802                        msecs_to_jiffies(conn_info_age)) ||
4803             !conn->conn_info_timestamp) {
4804                 struct hci_request req;
4805                 struct hci_cp_read_tx_power req_txp_cp;
4806                 struct hci_cp_read_rssi req_rssi_cp;
4807                 struct mgmt_pending_cmd *cmd;
4808 
4809                 hci_req_init(&req, hdev);
4810                 req_rssi_cp.handle = cpu_to_le16(conn->handle);
4811                 hci_req_add(&req, HCI_OP_READ_RSSI, sizeof(req_rssi_cp),
4812                             &req_rssi_cp);
4813 
4814                 /* For LE links TX power does not change thus we don't need to
4815                  * query for it once value is known.
4816                  */
4817                 if (!bdaddr_type_is_le(cp->addr.type) ||
4818                     conn->tx_power == HCI_TX_POWER_INVALID) {
4819                         req_txp_cp.handle = cpu_to_le16(conn->handle);
4820                         req_txp_cp.type = 0x00;
4821                         hci_req_add(&req, HCI_OP_READ_TX_POWER,
4822                                     sizeof(req_txp_cp), &req_txp_cp);
4823                 }
4824 
4825                 /* Max TX power needs to be read only once per connection */
4826                 if (conn->max_tx_power == HCI_TX_POWER_INVALID) {
4827                         req_txp_cp.handle = cpu_to_le16(conn->handle);
4828                         req_txp_cp.type = 0x01;
4829                         hci_req_add(&req, HCI_OP_READ_TX_POWER,
4830                                     sizeof(req_txp_cp), &req_txp_cp);
4831                 }
4832 
4833                 err = hci_req_run(&req, conn_info_refresh_complete);
4834                 if (err < 0)
4835                         goto unlock;
4836 
4837                 cmd = mgmt_pending_add(sk, MGMT_OP_GET_CONN_INFO, hdev,
4838                                        data, len);
4839                 if (!cmd) {
4840                         err = -ENOMEM;
4841                         goto unlock;
4842                 }
4843 
4844                 hci_conn_hold(conn);
4845                 cmd->user_data = hci_conn_get(conn);
4846                 cmd->cmd_complete = conn_info_cmd_complete;
4847 
4848                 conn->conn_info_timestamp = jiffies;
4849         } else {
4850                 /* Cache is valid, just reply with values cached in hci_conn */
4851                 rp.rssi = conn->rssi;
4852                 rp.tx_power = conn->tx_power;
4853                 rp.max_tx_power = conn->max_tx_power;
4854 
4855                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
4856                                         MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
4857         }
4858 
4859 unlock:
4860         hci_dev_unlock(hdev);
4861         return err;
4862 }
4863 
4864 static int clock_info_cmd_complete(struct mgmt_pending_cmd *cmd, u8 status)
4865 {
4866         struct hci_conn *conn = cmd->user_data;
4867         struct mgmt_rp_get_clock_info rp;
4868         struct hci_dev *hdev;
4869         int err;
4870 
4871         memset(&rp, 0, sizeof(rp));
4872         memcpy(&rp.addr, &cmd->param, sizeof(rp.addr));
4873 
4874         if (status)
4875                 goto complete;
4876 
4877         hdev = hci_dev_get(cmd->index);
4878         if (hdev) {
4879                 rp.local_clock = cpu_to_le32(hdev->clock);
4880                 hci_dev_put(hdev);
4881         }
4882 
4883         if (conn) {
4884                 rp.piconet_clock = cpu_to_le32(conn->clock);
4885                 rp.accuracy = cpu_to_le16(conn->clock_accuracy);
4886         }
4887 
4888 complete:
4889         err = mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status, &rp,
4890                                 sizeof(rp));
4891 
4892         if (conn) {
4893                 hci_conn_drop(conn);
4894                 hci_conn_put(conn);
4895         }
4896 
4897         return err;
4898 }
4899 
4900 static void get_clock_info_complete(struct hci_dev *hdev, u8 status, u16 opcode)
4901 {
4902         struct hci_cp_read_clock *hci_cp;
4903         struct mgmt_pending_cmd *cmd;
4904         struct hci_conn *conn;
4905 
4906         BT_DBG("%s status %u", hdev->name, status);
4907 
4908         hci_dev_lock(hdev);
4909 
4910         hci_cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
4911         if (!hci_cp)
4912                 goto unlock;
4913 
4914         if (hci_cp->which) {
4915                 u16 handle = __le16_to_cpu(hci_cp->handle);
4916                 conn = hci_conn_hash_lookup_handle(hdev, handle);
4917         } else {
4918                 conn = NULL;
4919         }
4920 
4921         cmd = pending_find_data(MGMT_OP_GET_CLOCK_INFO, hdev, conn);
4922         if (!cmd)
4923                 goto unlock;
4924 
4925         cmd->cmd_complete(cmd, mgmt_status(status));
4926         mgmt_pending_remove(cmd);
4927 
4928 unlock:
4929         hci_dev_unlock(hdev);
4930 }
4931 
4932 static int get_clock_info(struct sock *sk, struct hci_dev *hdev, void *data,
4933                          u16 len)
4934 {
4935         struct mgmt_cp_get_clock_info *cp = data;
4936         struct mgmt_rp_get_clock_info rp;
4937         struct hci_cp_read_clock hci_cp;
4938         struct mgmt_pending_cmd *cmd;
4939         struct hci_request req;
4940         struct hci_conn *conn;
4941         int err;
4942 
4943         BT_DBG("%s", hdev->name);
4944 
4945         memset(&rp, 0, sizeof(rp));
4946         bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
4947         rp.addr.type = cp->addr.type;
4948 
4949         if (cp->addr.type != BDADDR_BREDR)
4950                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CLOCK_INFO,
4951                                          MGMT_STATUS_INVALID_PARAMS,
4952                                          &rp, sizeof(rp));
4953 
4954         hci_dev_lock(hdev);
4955 
4956         if (!hdev_is_powered(hdev)) {
4957                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CLOCK_INFO,
4958                                         MGMT_STATUS_NOT_POWERED, &rp,
4959                                         sizeof(rp));
4960                 goto unlock;
4961         }
4962 
4963         if (bacmp(&cp->addr.bdaddr, BDADDR_ANY)) {
4964                 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
4965                                                &cp->addr.bdaddr);
4966                 if (!conn || conn->state != BT_CONNECTED) {
4967                         err = mgmt_cmd_complete(sk, hdev->id,
4968                                                 MGMT_OP_GET_CLOCK_INFO,
4969                                                 MGMT_STATUS_NOT_CONNECTED,
4970                                                 &rp, sizeof(rp));
4971                         goto unlock;
4972                 }
4973         } else {
4974                 conn = NULL;
4975         }
4976 
4977         cmd = mgmt_pending_add(sk, MGMT_OP_GET_CLOCK_INFO, hdev, data, len);
4978         if (!cmd) {
4979                 err = -ENOMEM;
4980                 goto unlock;
4981         }
4982 
4983         cmd->cmd_complete = clock_info_cmd_complete;
4984 
4985         hci_req_init(&req, hdev);
4986 
4987         memset(&hci_cp, 0, sizeof(hci_cp));
4988         hci_req_add(&req, HCI_OP_READ_CLOCK, sizeof(hci_cp), &hci_cp);
4989 
4990         if (conn) {
4991                 hci_conn_hold(conn);
4992                 cmd->user_data = hci_conn_get(conn);
4993 
4994                 hci_cp.handle = cpu_to_le16(conn->handle);
4995                 hci_cp.which = 0x01; /* Piconet clock */
4996                 hci_req_add(&req, HCI_OP_READ_CLOCK, sizeof(hci_cp), &hci_cp);
4997         }
4998 
4999         err = hci_req_run(&req, get_clock_info_complete);
5000         if (err < 0)
5001                 mgmt_pending_remove(cmd);
5002 
5003 unlock:
5004         hci_dev_unlock(hdev);
5005         return err;
5006 }
5007 
5008 static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type)
5009 {
5010         struct hci_conn *conn;
5011 
5012         conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, addr);
5013         if (!conn)
5014                 return false;
5015 
5016         if (conn->dst_type != type)
5017                 return false;
5018 
5019         if (conn->state != BT_CONNECTED)
5020                 return false;
5021 
5022         return true;
5023 }
5024 
5025 /* This function requires the caller holds hdev->lock */
5026 static int hci_conn_params_set(struct hci_dev *hdev, bdaddr_t *addr,
5027                                u8 addr_type, u8 auto_connect)
5028 {
5029         struct hci_conn_params *params;
5030 
5031         params = hci_conn_params_add(hdev, addr, addr_type);
5032         if (!params)
5033                 return -EIO;
5034 
5035         if (params->auto_connect == auto_connect)
5036                 return 0;
5037 
5038         list_del_init(&params->action);
5039 
5040         switch (auto_connect) {
5041         case HCI_AUTO_CONN_DISABLED:
5042         case HCI_AUTO_CONN_LINK_LOSS:
5043                 /* If auto connect is being disabled when we're trying to
5044                  * connect to device, keep connecting.
5045                  */
5046                 if (params->explicit_connect)
5047                         list_add(&params->action, &hdev->pend_le_conns);
5048                 break;
5049         case HCI_AUTO_CONN_REPORT:
5050                 if (params->explicit_connect)
5051                         list_add(&params->action, &hdev->pend_le_conns);
5052                 else
5053                         list_add(&params->action, &hdev->pend_le_reports);
5054                 break;
5055         case HCI_AUTO_CONN_DIRECT:
5056         case HCI_AUTO_CONN_ALWAYS:
5057                 if (!is_connected(hdev, addr, addr_type))
5058                         list_add(&params->action, &hdev->pend_le_conns);
5059                 break;
5060         }
5061 
5062         params->auto_connect = auto_connect;
5063 
5064         BT_DBG("addr %pMR (type %u) auto_connect %u", addr, addr_type,
5065                auto_connect);
5066 
5067         return 0;
5068 }
5069 
5070 static void device_added(struct sock *sk, struct hci_dev *hdev,
5071                          bdaddr_t *bdaddr, u8 type, u8 action)
5072 {
5073         struct mgmt_ev_device_added ev;
5074 
5075         bacpy(&ev.addr.bdaddr, bdaddr);
5076         ev.addr.type = type;
5077         ev.action = action;
5078 
5079         mgmt_event(MGMT_EV_DEVICE_ADDED, hdev, &ev, sizeof(ev), sk);
5080 }
5081 
5082 static int add_device(struct sock *sk, struct hci_dev *hdev,
5083                       void *data, u16 len)
5084 {
5085         struct mgmt_cp_add_device *cp = data;
5086         u8 auto_conn, addr_type;
5087         int err;
5088 
5089         BT_DBG("%s", hdev->name);
5090 
5091         if (!bdaddr_type_is_valid(cp->addr.type) ||
5092             !bacmp(&cp->addr.bdaddr, BDADDR_ANY))
5093                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
5094                                          MGMT_STATUS_INVALID_PARAMS,
5095                                          &cp->addr, sizeof(cp->addr));
5096 
5097         if (cp->action != 0x00 && cp->action != 0x01 && cp->action != 0x02)
5098                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
5099                                          MGMT_STATUS_INVALID_PARAMS,
5100                                          &cp->addr, sizeof(cp->addr));
5101 
5102         hci_dev_lock(hdev);
5103 
5104         if (cp->addr.type == BDADDR_BREDR) {
5105                 /* Only incoming connections action is supported for now */
5106                 if (cp->action != 0x01) {
5107                         err = mgmt_cmd_complete(sk, hdev->id,
5108                                                 MGMT_OP_ADD_DEVICE,
5109                                                 MGMT_STATUS_INVALID_PARAMS,
5110                                                 &cp->addr, sizeof(cp->addr));
5111                         goto unlock;
5112                 }
5113 
5114                 err = hci_bdaddr_list_add(&hdev->whitelist, &cp->addr.bdaddr,
5115                                           cp->addr.type);
5116                 if (err)
5117                         goto unlock;
5118 
5119                 hci_req_update_scan(hdev);
5120 
5121                 goto added;
5122         }
5123 
5124         addr_type = le_addr_type(cp->addr.type);
5125 
5126         if (cp->action == 0x02)
5127                 auto_conn = HCI_AUTO_CONN_ALWAYS;
5128         else if (cp->action == 0x01)
5129                 auto_conn = HCI_AUTO_CONN_DIRECT;
5130         else
5131                 auto_conn = HCI_AUTO_CONN_REPORT;
5132 
5133         /* Kernel internally uses conn_params with resolvable private
5134          * address, but Add Device allows only identity addresses.
5135          * Make sure it is enforced before calling
5136          * hci_conn_params_lookup.
5137          */
5138         if (!hci_is_identity_address(&cp->addr.bdaddr, addr_type)) {
5139                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
5140                                         MGMT_STATUS_INVALID_PARAMS,
5141                                         &cp->addr, sizeof(cp->addr));
5142                 goto unlock;
5143         }
5144 
5145         /* If the connection parameters don't exist for this device,
5146          * they will be created and configured with defaults.
5147          */
5148         if (hci_conn_params_set(hdev, &cp->addr.bdaddr, addr_type,
5149                                 auto_conn) < 0) {
5150                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
5151                                         MGMT_STATUS_FAILED, &cp->addr,
5152                                         sizeof(cp->addr));
5153                 goto unlock;
5154         }
5155 
5156         hci_update_background_scan(hdev);
5157 
5158 added:
5159         device_added(sk, hdev, &cp->addr.bdaddr, cp->addr.type, cp->action);
5160 
5161         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
5162                                 MGMT_STATUS_SUCCESS, &cp->addr,
5163                                 sizeof(cp->addr));
5164 
5165 unlock:
5166         hci_dev_unlock(hdev);
5167         return err;
5168 }
5169 
5170 static void device_removed(struct sock *sk, struct hci_dev *hdev,
5171                            bdaddr_t *bdaddr, u8 type)
5172 {
5173         struct mgmt_ev_device_removed ev;
5174 
5175         bacpy(&ev.addr.bdaddr, bdaddr);
5176         ev.addr.type = type;
5177 
5178         mgmt_event(MGMT_EV_DEVICE_REMOVED, hdev, &ev, sizeof(ev), sk);
5179 }
5180 
5181 static int remove_device(struct sock *sk, struct hci_dev *hdev,
5182                          void *data, u16 len)
5183 {
5184         struct mgmt_cp_remove_device *cp = data;
5185         int err;
5186 
5187         BT_DBG("%s", hdev->name);
5188 
5189         hci_dev_lock(hdev);
5190 
5191         if (bacmp(&cp->addr.bdaddr, BDADDR_ANY)) {
5192                 struct hci_conn_params *params;
5193                 u8 addr_type;
5194 
5195                 if (!bdaddr_type_is_valid(cp->addr.type)) {
5196                         err = mgmt_cmd_complete(sk, hdev->id,
5197                                                 MGMT_OP_REMOVE_DEVICE,
5198                                                 MGMT_STATUS_INVALID_PARAMS,
5199                                                 &cp->addr, sizeof(cp->addr));
5200                         goto unlock;
5201                 }
5202 
5203                 if (cp->addr.type == BDADDR_BREDR) {
5204                         err = hci_bdaddr_list_del(&hdev->whitelist,
5205                                                   &cp->addr.bdaddr,
5206                                                   cp->addr.type);
5207                         if (err) {
5208                                 err = mgmt_cmd_complete(sk, hdev->id,
5209                                                         MGMT_OP_REMOVE_DEVICE,
5210                                                         MGMT_STATUS_INVALID_PARAMS,
5211                                                         &cp->addr,
5212                                                         sizeof(cp->addr));
5213                                 goto unlock;
5214                         }
5215 
5216                         hci_req_update_scan(hdev);
5217 
5218                         device_removed(sk, hdev, &cp->addr.bdaddr,
5219                                        cp->addr.type);
5220                         goto complete;
5221                 }
5222 
5223                 addr_type = le_addr_type(cp->addr.type);
5224 
5225                 /* Kernel internally uses conn_params with resolvable private
5226                  * address, but Remove Device allows only identity addresses.
5227                  * Make sure it is enforced before calling
5228                  * hci_conn_params_lookup.
5229                  */
5230                 if (!hci_is_identity_address(&cp->addr.bdaddr, addr_type)) {
5231                         err = mgmt_cmd_complete(sk, hdev->id,
5232                                                 MGMT_OP_REMOVE_DEVICE,
5233                                                 MGMT_STATUS_INVALID_PARAMS,
5234                                                 &cp->addr, sizeof(cp->addr));
5235                         goto unlock;
5236                 }
5237 
5238                 params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr,
5239                                                 addr_type);
5240                 if (!params) {
5241                         err = mgmt_cmd_complete(sk, hdev->id,
5242                                                 MGMT_OP_REMOVE_DEVICE,
5243                                                 MGMT_STATUS_INVALID_PARAMS,
5244                                                 &cp->addr, sizeof(cp->addr));
5245                         goto unlock;
5246                 }
5247 
5248                 if (params->auto_connect == HCI_AUTO_CONN_DISABLED ||
5249                     params->auto_connect == HCI_AUTO_CONN_EXPLICIT) {
5250                         err = mgmt_cmd_complete(sk, hdev->id,
5251                                                 MGMT_OP_REMOVE_DEVICE,
5252                                                 MGMT_STATUS_INVALID_PARAMS,
5253                                                 &cp->addr, sizeof(cp->addr));
5254                         goto unlock;
5255                 }
5256 
5257                 list_del(&params->action);
5258                 list_del(&params->list);
5259                 kfree(params);
5260                 hci_update_background_scan(hdev);
5261 
5262                 device_removed(sk, hdev, &cp->addr.bdaddr, cp->addr.type);
5263         } else {
5264                 struct hci_conn_params *p, *tmp;
5265                 struct bdaddr_list *b, *btmp;
5266 
5267                 if (cp->addr.type) {
5268                         err = mgmt_cmd_complete(sk, hdev->id,
5269                                                 MGMT_OP_REMOVE_DEVICE,
5270                                                 MGMT_STATUS_INVALID_PARAMS,
5271                                                 &cp->addr, sizeof(cp->addr));
5272                         goto unlock;
5273                 }
5274 
5275                 list_for_each_entry_safe(b, btmp, &hdev->whitelist, list) {
5276                         device_removed(sk, hdev, &b->bdaddr, b->bdaddr_type);
5277                         list_del(&b->list);
5278                         kfree(b);
5279                 }
5280 
5281                 hci_req_update_scan(hdev);
5282 
5283                 list_for_each_entry_safe(p, tmp, &hdev->le_conn_params, list) {
5284                         if (p->auto_connect == HCI_AUTO_CONN_DISABLED)
5285                                 continue;
5286                         device_removed(sk, hdev, &p->addr, p->addr_type);
5287                         if (p->explicit_connect) {
5288                                 p->auto_connect = HCI_AUTO_CONN_EXPLICIT;
5289                                 continue;
5290                         }
5291                         list_del(&p->action);
5292                         list_del(&p->list);
5293                         kfree(p);
5294                 }
5295 
5296                 BT_DBG("All LE connection parameters were removed");
5297 
5298                 hci_update_background_scan(hdev);
5299         }
5300 
5301 complete:
5302         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_DEVICE,
5303                                 MGMT_STATUS_SUCCESS, &cp->addr,
5304                                 sizeof(cp->addr));
5305 unlock:
5306         hci_dev_unlock(hdev);
5307         return err;
5308 }
5309 
5310 static int load_conn_param(struct sock *sk, struct hci_dev *hdev, void *data,
5311                            u16 len)
5312 {
5313         struct mgmt_cp_load_conn_param *cp = data;
5314         const u16 max_param_count = ((U16_MAX - sizeof(*cp)) /
5315                                      sizeof(struct mgmt_conn_param));
5316         u16 param_count, expected_len;
5317         int i;
5318 
5319         if (!lmp_le_capable(hdev))
5320                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM,
5321                                        MGMT_STATUS_NOT_SUPPORTED);
5322 
5323         param_count = __le16_to_cpu(cp->param_count);
5324         if (param_count > max_param_count) {
5325                 BT_ERR("load_conn_param: too big param_count value %u",
5326                        param_count);
5327                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM,
5328                                        MGMT_STATUS_INVALID_PARAMS);
5329         }
5330 
5331         expected_len = sizeof(*cp) + param_count *
5332                                         sizeof(struct mgmt_conn_param);
5333         if (expected_len != len) {
5334                 BT_ERR("load_conn_param: expected %u bytes, got %u bytes",
5335                        expected_len, len);
5336                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM,
5337                                        MGMT_STATUS_INVALID_PARAMS);
5338         }
5339 
5340         BT_DBG("%s param_count %u", hdev->name, param_count);
5341 
5342         hci_dev_lock(hdev);
5343 
5344         hci_conn_params_clear_disabled(hdev);
5345 
5346         for (i = 0; i < param_count; i++) {
5347                 struct mgmt_conn_param *param = &cp->params[i];
5348                 struct hci_conn_params *hci_param;
5349                 u16 min, max, latency, timeout;
5350                 u8 addr_type;
5351 
5352                 BT_DBG("Adding %pMR (type %u)", &param->addr.bdaddr,
5353                        param->addr.type);
5354 
5355                 if (param->addr.type == BDADDR_LE_PUBLIC) {
5356                         addr_type = ADDR_LE_DEV_PUBLIC;
5357                 } else if (param->addr.type == BDADDR_LE_RANDOM) {
5358                         addr_type = ADDR_LE_DEV_RANDOM;
5359                 } else {
5360                         BT_ERR("Ignoring invalid connection parameters");
5361                         continue;
5362                 }
5363 
5364                 min = le16_to_cpu(param->min_interval);
5365                 max = le16_to_cpu(param->max_interval);
5366                 latency = le16_to_cpu(param->latency);
5367                 timeout = le16_to_cpu(param->timeout);
5368 
5369                 BT_DBG("min 0x%04x max 0x%04x latency 0x%04x timeout 0x%04x",
5370                        min, max, latency, timeout);
5371 
5372                 if (hci_check_conn_params(min, max, latency, timeout) < 0) {
5373                         BT_ERR("Ignoring invalid connection parameters");
5374                         continue;
5375                 }
5376 
5377                 hci_param = hci_conn_params_add(hdev, &param->addr.bdaddr,
5378                                                 addr_type);
5379                 if (!hci_param) {
5380                         BT_ERR("Failed to add connection parameters");
5381                         continue;
5382                 }
5383 
5384                 hci_param->conn_min_interval = min;
5385                 hci_param->conn_max_interval = max;
5386                 hci_param->conn_latency = latency;
5387                 hci_param->supervision_timeout = timeout;
5388         }
5389 
5390         hci_dev_unlock(hdev);
5391 
5392         return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM, 0,
5393                                  NULL, 0);
5394 }
5395 
5396 static int set_external_config(struct sock *sk, struct hci_dev *hdev,
5397                                void *data, u16 len)
5398 {
5399         struct mgmt_cp_set_external_config *cp = data;
5400         bool changed;
5401         int err;
5402 
5403         BT_DBG("%s", hdev->name);
5404 
5405         if (hdev_is_powered(hdev))
5406                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_EXTERNAL_CONFIG,
5407                                        MGMT_STATUS_REJECTED);
5408 
5409         if (cp->config != 0x00 && cp->config != 0x01)
5410                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_EXTERNAL_CONFIG,
5411                                          MGMT_STATUS_INVALID_PARAMS);
5412 
5413         if (!test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks))
5414                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_EXTERNAL_CONFIG,
5415                                        MGMT_STATUS_NOT_SUPPORTED);
5416 
5417         hci_dev_lock(hdev);
5418 
5419         if (cp->config)
5420                 changed = !hci_dev_test_and_set_flag(hdev, HCI_EXT_CONFIGURED);
5421         else
5422                 changed = hci_dev_test_and_clear_flag(hdev, HCI_EXT_CONFIGURED);
5423 
5424         err = send_options_rsp(sk, MGMT_OP_SET_EXTERNAL_CONFIG, hdev);
5425         if (err < 0)
5426                 goto unlock;
5427 
5428         if (!changed)
5429                 goto unlock;
5430 
5431         err = new_options(hdev, sk);
5432 
5433         if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED) == is_configured(hdev)) {
5434                 mgmt_index_removed(hdev);
5435 
5436                 if (hci_dev_test_and_change_flag(hdev, HCI_UNCONFIGURED)) {
5437                         hci_dev_set_flag(hdev, HCI_CONFIG);
5438                         hci_dev_set_flag(hdev, HCI_AUTO_OFF);
5439 
5440                         queue_work(hdev->req_workqueue, &hdev->power_on);
5441                 } else {
5442                         set_bit(HCI_RAW, &hdev->flags);
5443                         mgmt_index_added(hdev);
5444                 }
5445         }
5446 
5447 unlock:
5448         hci_dev_unlock(hdev);
5449         return err;
5450 }
5451 
5452 static int set_public_address(struct sock *sk, struct hci_dev *hdev,
5453                               void *data, u16 len)
5454 {
5455         struct mgmt_cp_set_public_address *cp = data;
5456         bool changed;
5457         int err;
5458 
5459         BT_DBG("%s", hdev->name);
5460 
5461         if (hdev_is_powered(hdev))
5462                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PUBLIC_ADDRESS,
5463                                        MGMT_STATUS_REJECTED);
5464 
5465         if (!bacmp(&cp->bdaddr, BDADDR_ANY))
5466                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PUBLIC_ADDRESS,
5467                                        MGMT_STATUS_INVALID_PARAMS);
5468 
5469         if (!hdev->set_bdaddr)
5470                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PUBLIC_ADDRESS,
5471                                        MGMT_STATUS_NOT_SUPPORTED);
5472 
5473         hci_dev_lock(hdev);
5474 
5475         changed = !!bacmp(&hdev->public_addr, &cp->bdaddr);
5476         bacpy(&hdev->public_addr, &cp->bdaddr);
5477 
5478         err = send_options_rsp(sk, MGMT_OP_SET_PUBLIC_ADDRESS, hdev);
5479         if (err < 0)
5480                 goto unlock;
5481 
5482         if (!changed)
5483                 goto unlock;
5484 
5485         if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
5486                 err = new_options(hdev, sk);
5487 
5488         if (is_configured(hdev)) {
5489                 mgmt_index_removed(hdev);
5490 
5491                 hci_dev_clear_flag(hdev, HCI_UNCONFIGURED);
5492 
5493                 hci_dev_set_flag(hdev, HCI_CONFIG);
5494                 hci_dev_set_flag(hdev, HCI_AUTO_OFF);
5495 
5496                 queue_work(hdev->req_workqueue, &hdev->power_on);
5497         }
5498 
5499 unlock:
5500         hci_dev_unlock(hdev);
5501         return err;
5502 }
5503 
5504 static inline u16 eir_append_data(u8 *eir, u16 eir_len, u8 type, u8 *data,
5505                                   u8 data_len)
5506 {
5507         eir[eir_len++] = sizeof(type) + data_len;
5508         eir[eir_len++] = type;
5509         memcpy(&eir[eir_len], data, data_len);
5510         eir_len += data_len;
5511 
5512         return eir_len;
5513 }
5514 
5515 static void read_local_oob_ext_data_complete(struct hci_dev *hdev, u8 status,
5516                                              u16 opcode, struct sk_buff *skb)
5517 {
5518         const struct mgmt_cp_read_local_oob_ext_data *mgmt_cp;
5519         struct mgmt_rp_read_local_oob_ext_data *mgmt_rp;
5520         u8 *h192, *r192, *h256, *r256;
5521         struct mgmt_pending_cmd *cmd;
5522         u16 eir_len;
5523         int err;
5524 
5525         BT_DBG("%s status %u", hdev->name, status);
5526 
5527         cmd = pending_find(MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev);
5528         if (!cmd)
5529                 return;
5530 
5531         mgmt_cp = cmd->param;
5532 
5533         if (status) {
5534                 status = mgmt_status(status);
5535                 eir_len = 0;
5536 
5537                 h192 = NULL;
5538                 r192 = NULL;
5539                 h256 = NULL;
5540                 r256 = NULL;
5541         } else if (opcode == HCI_OP_READ_LOCAL_OOB_DATA) {
5542                 struct hci_rp_read_local_oob_data *rp;
5543 
5544                 if (skb->len != sizeof(*rp)) {
5545                         status = MGMT_STATUS_FAILED;
5546                         eir_len = 0;
5547                 } else {
5548                         status = MGMT_STATUS_SUCCESS;
5549                         rp = (void *)skb->data;
5550 
5551                         eir_len = 5 + 18 + 18;
5552                         h192 = rp->hash;
5553                         r192 = rp->rand;
5554                         h256 = NULL;
5555                         r256 = NULL;
5556                 }
5557         } else {
5558                 struct hci_rp_read_local_oob_ext_data *rp;
5559 
5560                 if (skb->len != sizeof(*rp)) {
5561                         status = MGMT_STATUS_FAILED;
5562                         eir_len = 0;
5563                 } else {
5564                         status = MGMT_STATUS_SUCCESS;
5565                         rp = (void *)skb->data;
5566 
5567                         if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
5568                                 eir_len = 5 + 18 + 18;
5569                                 h192 = NULL;
5570                                 r192 = NULL;
5571                         } else {
5572                                 eir_len = 5 + 18 + 18 + 18 + 18;
5573                                 h192 = rp->hash192;
5574                                 r192 = rp->rand192;
5575                         }
5576 
5577                         h256 = rp->hash256;
5578                         r256 = rp->rand256;
5579                 }
5580         }
5581 
5582         mgmt_rp = kmalloc(sizeof(*mgmt_rp) + eir_len, GFP_KERNEL);
5583         if (!mgmt_rp)
5584                 goto done;
5585 
5586         if (status)
5587                 goto send_rsp;
5588 
5589         eir_len = eir_append_data(mgmt_rp->eir, 0, EIR_CLASS_OF_DEV,
5590                                   hdev->dev_class, 3);
5591 
5592         if (h192 && r192) {
5593                 eir_len = eir_append_data(mgmt_rp->eir, eir_len,
5594                                           EIR_SSP_HASH_C192, h192, 16);
5595                 eir_len = eir_append_data(mgmt_rp->eir, eir_len,
5596                                           EIR_SSP_RAND_R192, r192, 16);
5597         }
5598 
5599         if (h256 && r256) {
5600                 eir_len = eir_append_data(mgmt_rp->eir, eir_len,
5601                                           EIR_SSP_HASH_C256, h256, 16);
5602                 eir_len = eir_append_data(mgmt_rp->eir, eir_len,
5603                                           EIR_SSP_RAND_R256, r256, 16);
5604         }
5605 
5606 send_rsp:
5607         mgmt_rp->type = mgmt_cp->type;
5608         mgmt_rp->eir_len = cpu_to_le16(eir_len);
5609 
5610         err = mgmt_cmd_complete(cmd->sk, hdev->id,
5611                                 MGMT_OP_READ_LOCAL_OOB_EXT_DATA, status,
5612                                 mgmt_rp, sizeof(*mgmt_rp) + eir_len);
5613         if (err < 0 || status)
5614                 goto done;
5615 
5616         hci_sock_set_flag(cmd->sk, HCI_MGMT_OOB_DATA_EVENTS);
5617 
5618         err = mgmt_limited_event(MGMT_EV_LOCAL_OOB_DATA_UPDATED, hdev,
5619                                  mgmt_rp, sizeof(*mgmt_rp) + eir_len,
5620                                  HCI_MGMT_OOB_DATA_EVENTS, cmd->sk);
5621 done:
5622         kfree(mgmt_rp);
5623         mgmt_pending_remove(cmd);
5624 }
5625 
5626 static int read_local_ssp_oob_req(struct hci_dev *hdev, struct sock *sk,
5627                                   struct mgmt_cp_read_local_oob_ext_data *cp)
5628 {
5629         struct mgmt_pending_cmd *cmd;
5630         struct hci_request req;
5631         int err;
5632 
5633         cmd = mgmt_pending_add(sk, MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev,
5634                                cp, sizeof(*cp));
5635         if (!cmd)
5636                 return -ENOMEM;
5637 
5638         hci_req_init(&req, hdev);
5639 
5640         if (bredr_sc_enabled(hdev))
5641                 hci_req_add(&req, HCI_OP_READ_LOCAL_OOB_EXT_DATA, 0, NULL);
5642         else
5643                 hci_req_add(&req, HCI_OP_READ_LOCAL_OOB_DATA, 0, NULL);
5644 
5645         err = hci_req_run_skb(&req, read_local_oob_ext_data_complete);
5646         if (err < 0) {
5647                 mgmt_pending_remove(cmd);
5648                 return err;
5649         }
5650 
5651         return 0;
5652 }
5653 
5654 static int read_local_oob_ext_data(struct sock *sk, struct hci_dev *hdev,
5655                                    void *data, u16 data_len)
5656 {
5657         struct mgmt_cp_read_local_oob_ext_data *cp = data;
5658         struct mgmt_rp_read_local_oob_ext_data *rp;
5659         size_t rp_len;
5660         u16 eir_len;
5661         u8 status, flags, role, addr[7], hash[16], rand[16];
5662         int err;
5663 
5664         BT_DBG("%s", hdev->name);
5665 
5666         if (hdev_is_powered(hdev)) {
5667                 switch (cp->type) {
5668                 case BIT(BDADDR_BREDR):
5669                         status = mgmt_bredr_support(hdev);
5670                         if (status)
5671                                 eir_len = 0;
5672                         else
5673                                 eir_len = 5;
5674                         break;
5675                 case (BIT(BDADDR_LE_PUBLIC) | BIT(BDADDR_LE_RANDOM)):
5676                         status = mgmt_le_support(hdev);
5677                         if (status)
5678                                 eir_len = 0;
5679                         else
5680                                 eir_len = 9 + 3 + 18 + 18 + 3;
5681                         break;
5682                 default:
5683                         status = MGMT_STATUS_INVALID_PARAMS;
5684                         eir_len = 0;
5685                         break;
5686                 }
5687         } else {
5688                 status = MGMT_STATUS_NOT_POWERED;
5689                 eir_len = 0;
5690         }
5691 
5692         rp_len = sizeof(*rp) + eir_len;
5693         rp = kmalloc(rp_len, GFP_ATOMIC);
5694         if (!rp)
5695                 return -ENOMEM;
5696 
5697         if (status)
5698                 goto complete;
5699 
5700         hci_dev_lock(hdev);
5701 
5702         eir_len = 0;
5703         switch (cp->type) {
5704         case BIT(BDADDR_BREDR):
5705                 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
5706                         err = read_local_ssp_oob_req(hdev, sk, cp);
5707                         hci_dev_unlock(hdev);
5708                         if (!err)
5709                                 goto done;
5710 
5711                         status = MGMT_STATUS_FAILED;
5712                         goto complete;
5713                 } else {
5714                         eir_len = eir_append_data(rp->eir, eir_len,
5715                                                   EIR_CLASS_OF_DEV,
5716                                                   hdev->dev_class, 3);
5717                 }
5718                 break;
5719         case (BIT(BDADDR_LE_PUBLIC) | BIT(BDADDR_LE_RANDOM)):
5720                 if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
5721                     smp_generate_oob(hdev, hash, rand) < 0) {
5722                         hci_dev_unlock(hdev);
5723                         status = MGMT_STATUS_FAILED;
5724                         goto complete;
5725                 }
5726 
5727                 /* This should return the active RPA, but since the RPA
5728                  * is only programmed on demand, it is really hard to fill
5729                  * this in at the moment. For now disallow retrieving
5730                  * local out-of-band data when privacy is in use.
5731                  *
5732                  * Returning the identity address will not help here since
5733                  * pairing happens before the identity resolving key is
5734                  * known and thus the connection establishment happens
5735                  * based on the RPA and not the identity address.
5736                  */
5737                 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
5738                         hci_dev_unlock(hdev);
5739                         status = MGMT_STATUS_REJECTED;
5740                         goto complete;
5741                 }
5742 
5743                 if (hci_dev_test_flag(hdev, HCI_FORCE_STATIC_ADDR) ||
5744                    !bacmp(&hdev->bdaddr, BDADDR_ANY) ||
5745                    (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
5746                     bacmp(&hdev->static_addr, BDADDR_ANY))) {
5747                         memcpy(addr, &hdev->static_addr, 6);
5748                         addr[6] = 0x01;
5749                 } else {
5750                         memcpy(addr, &hdev->bdaddr, 6);
5751                         addr[6] = 0x00;
5752                 }
5753 
5754                 eir_len = eir_append_data(rp->eir, eir_len, EIR_LE_BDADDR,
5755                                           addr, sizeof(addr));
5756 
5757                 if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
5758                         role = 0x02;
5759                 else
5760                         role = 0x01;
5761 
5762                 eir_len = eir_append_data(rp->eir, eir_len, EIR_LE_ROLE,
5763                                           &role, sizeof(role));
5764 
5765                 if (hci_dev_test_flag(hdev, HCI_SC_ENABLED)) {
5766                         eir_len = eir_append_data(rp->eir, eir_len,
5767                                                   EIR_LE_SC_CONFIRM,
5768                                                   hash, sizeof(hash));
5769 
5770                         eir_len = eir_append_data(rp->eir, eir_len,
5771                                                   EIR_LE_SC_RANDOM,
5772                                                   rand, sizeof(rand));
5773                 }
5774 
5775                 flags = mgmt_get_adv_discov_flags(hdev);
5776 
5777                 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
5778                         flags |= LE_AD_NO_BREDR;
5779 
5780                 eir_len = eir_append_data(rp->eir, eir_len, EIR_FLAGS,
5781                                           &flags, sizeof(flags));
5782                 break;
5783         }
5784 
5785         hci_dev_unlock(hdev);
5786 
5787         hci_sock_set_flag(sk, HCI_MGMT_OOB_DATA_EVENTS);
5788 
5789         status = MGMT_STATUS_SUCCESS;
5790 
5791 complete:
5792         rp->type = cp->type;
5793         rp->eir_len = cpu_to_le16(eir_len);
5794 
5795         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_EXT_DATA,
5796                                 status, rp, sizeof(*rp) + eir_len);
5797         if (err < 0 || status)
5798                 goto done;
5799 
5800         err = mgmt_limited_event(MGMT_EV_LOCAL_OOB_DATA_UPDATED, hdev,
5801                                  rp, sizeof(*rp) + eir_len,
5802                                  HCI_MGMT_OOB_DATA_EVENTS, sk);
5803 
5804 done:
5805         kfree(rp);
5806 
5807         return err;
5808 }
5809 
5810 static u32 get_supported_adv_flags(struct hci_dev *hdev)
5811 {
5812         u32 flags = 0;
5813 
5814         flags |= MGMT_ADV_FLAG_CONNECTABLE;
5815         flags |= MGMT_ADV_FLAG_DISCOV;
5816         flags |= MGMT_ADV_FLAG_LIMITED_DISCOV;
5817         flags |= MGMT_ADV_FLAG_MANAGED_FLAGS;
5818 
5819         if (hdev->adv_tx_power != HCI_TX_POWER_INVALID)
5820                 flags |= MGMT_ADV_FLAG_TX_POWER;
5821 
5822         return flags;
5823 }
5824 
5825 static int read_adv_features(struct sock *sk, struct hci_dev *hdev,
5826                              void *data, u16 data_len)
5827 {
5828         struct mgmt_rp_read_adv_features *rp;
5829         size_t rp_len;
5830         int err;
5831         struct adv_info *adv_instance;
5832         u32 supported_flags;
5833         u8 *instance;
5834 
5835         BT_DBG("%s", hdev->name);
5836 
5837         if (!lmp_le_capable(hdev))
5838                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_ADV_FEATURES,
5839                                        MGMT_STATUS_REJECTED);
5840 
5841         hci_dev_lock(hdev);
5842 
5843         rp_len = sizeof(*rp) + hdev->adv_instance_cnt;
5844         rp = kmalloc(rp_len, GFP_ATOMIC);
5845         if (!rp) {
5846                 hci_dev_unlock(hdev);
5847                 return -ENOMEM;
5848         }
5849 
5850         supported_flags = get_supported_adv_flags(hdev);
5851 
5852         rp->supported_flags = cpu_to_le32(supported_flags);
5853         rp->max_adv_data_len = HCI_MAX_AD_LENGTH;
5854         rp->max_scan_rsp_len = HCI_MAX_AD_LENGTH;
5855         rp->max_instances = HCI_MAX_ADV_INSTANCES;
5856         rp->num_instances = hdev->adv_instance_cnt;
5857 
5858         instance = rp->instance;
5859         list_for_each_entry(adv_instance, &hdev->adv_instances, list) {
5860                 *instance = adv_instance->instance;
5861                 instance++;
5862         }
5863 
5864         hci_dev_unlock(hdev);
5865 
5866         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_ADV_FEATURES,
5867                                 MGMT_STATUS_SUCCESS, rp, rp_len);
5868 
5869         kfree(rp);
5870 
5871         return err;
5872 }
5873 
5874 static bool tlv_data_is_valid(struct hci_dev *hdev, u32 adv_flags, u8 *data,
5875                               u8 len, bool is_adv_data)
5876 {
5877         u8 max_len = HCI_MAX_AD_LENGTH;
5878         int i, cur_len;
5879         bool flags_managed = false;
5880         bool tx_power_managed = false;
5881 
5882         if (is_adv_data) {
5883                 if (adv_flags & (MGMT_ADV_FLAG_DISCOV |
5884                                  MGMT_ADV_FLAG_LIMITED_DISCOV |
5885                                  MGMT_ADV_FLAG_MANAGED_FLAGS)) {
5886                         flags_managed = true;
5887                         max_len -= 3;
5888                 }
5889 
5890                 if (adv_flags & MGMT_ADV_FLAG_TX_POWER) {
5891                         tx_power_managed = true;
5892                         max_len -= 3;
5893                 }
5894         }
5895 
5896         if (len > max_len)
5897                 return false;
5898 
5899         /* Make sure that the data is correctly formatted. */
5900         for (i = 0, cur_len = 0; i < len; i += (cur_len + 1)) {
5901                 cur_len = data[i];
5902 
5903                 if (flags_managed && data[i + 1] == EIR_FLAGS)
5904                         return false;
5905 
5906                 if (tx_power_managed && data[i + 1] == EIR_TX_POWER)
5907                         return false;
5908 
5909                 /* If the current field length would exceed the total data
5910                  * length, then it's invalid.
5911                  */
5912                 if (i + cur_len >= len)
5913                         return false;
5914         }
5915 
5916         return true;
5917 }
5918 
5919 static void add_advertising_complete(struct hci_dev *hdev, u8 status,
5920                                      u16 opcode)
5921 {
5922         struct mgmt_pending_cmd *cmd;
5923         struct mgmt_cp_add_advertising *cp;
5924         struct mgmt_rp_add_advertising rp;
5925         struct adv_info *adv_instance, *n;
5926         u8 instance;
5927 
5928         BT_DBG("status %d", status);
5929 
5930         hci_dev_lock(hdev);
5931 
5932         cmd = pending_find(MGMT_OP_ADD_ADVERTISING, hdev);
5933 
5934         list_for_each_entry_safe(adv_instance, n, &hdev->adv_instances, list) {
5935                 if (!adv_instance->pending)
5936                         continue;
5937 
5938                 if (!status) {
5939                         adv_instance->pending = false;
5940                         continue;
5941                 }
5942 
5943                 instance = adv_instance->instance;
5944 
5945                 if (hdev->cur_adv_instance == instance)
5946                         cancel_adv_timeout(hdev);
5947 
5948                 hci_remove_adv_instance(hdev, instance);
5949                 mgmt_advertising_removed(cmd ? cmd->sk : NULL, hdev, instance);
5950         }
5951 
5952         if (!cmd)
5953                 goto unlock;
5954 
5955         cp = cmd->param;
5956         rp.instance = cp->instance;
5957 
5958         if (status)
5959                 mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode,
5960                                 mgmt_status(status));
5961         else
5962                 mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
5963                                   mgmt_status(status), &rp, sizeof(rp));
5964 
5965         mgmt_pending_remove(cmd);
5966 
5967 unlock:
5968         hci_dev_unlock(hdev);
5969 }
5970 
5971 static int add_advertising(struct sock *sk, struct hci_dev *hdev,
5972                            void *data, u16 data_len)
5973 {
5974         struct mgmt_cp_add_advertising *cp = data;
5975         struct mgmt_rp_add_advertising rp;
5976         u32 flags;
5977         u32 supported_flags;
5978         u8 status;
5979         u16 timeout, duration;
5980         unsigned int prev_instance_cnt = hdev->adv_instance_cnt;
5981         u8 schedule_instance = 0;
5982         struct adv_info *next_instance;
5983         int err;
5984         struct mgmt_pending_cmd *cmd;
5985         struct hci_request req;
5986 
5987         BT_DBG("%s", hdev->name);
5988 
5989         status = mgmt_le_support(hdev);
5990         if (status)
5991                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
5992                                        status);
5993 
5994         if (cp->instance < 1 || cp->instance > HCI_MAX_ADV_INSTANCES)
5995                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
5996                                        MGMT_STATUS_INVALID_PARAMS);
5997 
5998         if (data_len != sizeof(*cp) + cp->adv_data_len + cp->scan_rsp_len)
5999                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
6000                                        MGMT_STATUS_INVALID_PARAMS);
6001 
6002         flags = __le32_to_cpu(cp->flags);
6003         timeout = __le16_to_cpu(cp->timeout);
6004         duration = __le16_to_cpu(cp->duration);
6005 
6006         /* The current implementation only supports a subset of the specified
6007          * flags.
6008          */
6009         supported_flags = get_supported_adv_flags(hdev);
6010         if (flags & ~supported_flags)
6011                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
6012                                        MGMT_STATUS_INVALID_PARAMS);
6013 
6014         hci_dev_lock(hdev);
6015 
6016         if (timeout && !hdev_is_powered(hdev)) {
6017                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
6018                                       MGMT_STATUS_REJECTED);
6019                 goto unlock;
6020         }
6021 
6022         if (pending_find(MGMT_OP_ADD_ADVERTISING, hdev) ||
6023             pending_find(MGMT_OP_REMOVE_ADVERTISING, hdev) ||
6024             pending_find(MGMT_OP_SET_LE, hdev)) {
6025                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
6026                                       MGMT_STATUS_BUSY);
6027                 goto unlock;
6028         }
6029 
6030         if (!tlv_data_is_valid(hdev, flags, cp->data, cp->adv_data_len, true) ||
6031             !tlv_data_is_valid(hdev, flags, cp->data + cp->adv_data_len,
6032                                cp->scan_rsp_len, false)) {
6033                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
6034                                       MGMT_STATUS_INVALID_PARAMS);
6035                 goto unlock;
6036         }
6037 
6038         err = hci_add_adv_instance(hdev, cp->instance, flags,
6039                                    cp->adv_data_len, cp->data,
6040                                    cp->scan_rsp_len,
6041                                    cp->data + cp->adv_data_len,
6042                                    timeout, duration);
6043         if (err < 0) {
6044                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
6045                                       MGMT_STATUS_FAILED);
6046                 goto unlock;
6047         }
6048 
6049         /* Only trigger an advertising added event if a new instance was
6050          * actually added.
6051          */
6052         if (hdev->adv_instance_cnt > prev_instance_cnt)
6053                 mgmt_advertising_added(sk, hdev, cp->instance);
6054 
6055         if (hdev->cur_adv_instance == cp->instance) {
6056                 /* If the currently advertised instance is being changed then
6057                  * cancel the current advertising and schedule the next
6058                  * instance. If there is only one instance then the overridden
6059                  * advertising data will be visible right away.
6060                  */
6061                 cancel_adv_timeout(hdev);
6062 
6063                 next_instance = hci_get_next_instance(hdev, cp->instance);
6064                 if (next_instance)
6065                         schedule_instance = next_instance->instance;
6066         } else if (!hdev->adv_instance_timeout) {
6067                 /* Immediately advertise the new instance if no other
6068                  * instance is currently being advertised.
6069                  */
6070                 schedule_instance = cp->instance;
6071         }
6072 
6073         /* If the HCI_ADVERTISING flag is set or the device isn't powered or
6074          * there is no instance to be advertised then we have no HCI
6075          * communication to make. Simply return.
6076          */
6077         if (!hdev_is_powered(hdev) ||
6078             hci_dev_test_flag(hdev, HCI_ADVERTISING) ||
6079             !schedule_instance) {
6080                 rp.instance = cp->instance;
6081                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
6082                                         MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
6083                 goto unlock;
6084         }
6085 
6086         /* We're good to go, update advertising data, parameters, and start
6087          * advertising.
6088          */
6089         cmd = mgmt_pending_add(sk, MGMT_OP_ADD_ADVERTISING, hdev, data,
6090                                data_len);
6091         if (!cmd) {
6092                 err = -ENOMEM;
6093                 goto unlock;
6094         }
6095 
6096         hci_req_init(&req, hdev);
6097 
6098         err = __hci_req_schedule_adv_instance(&req, schedule_instance, true);
6099 
6100         if (!err)
6101                 err = hci_req_run(&req, add_advertising_complete);
6102 
6103         if (err < 0)
6104                 mgmt_pending_remove(cmd);
6105 
6106 unlock:
6107         hci_dev_unlock(hdev);
6108 
6109         return err;
6110 }
6111 
6112 static void remove_advertising_complete(struct hci_dev *hdev, u8 status,
6113                                         u16 opcode)
6114 {
6115         struct mgmt_pending_cmd *cmd;
6116         struct mgmt_cp_remove_advertising *cp;
6117         struct mgmt_rp_remove_advertising rp;
6118 
6119         BT_DBG("status %d", status);
6120 
6121         hci_dev_lock(hdev);
6122 
6123         /* A failure status here only means that we failed to disable
6124          * advertising. Otherwise, the advertising instance has been removed,
6125          * so report success.
6126          */
6127         cmd = pending_find(MGMT_OP_REMOVE_ADVERTISING, hdev);
6128         if (!cmd)
6129                 goto unlock;
6130 
6131         cp = cmd->param;
6132         rp.instance = cp->instance;
6133 
6134         mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, MGMT_STATUS_SUCCESS,
6135                           &rp, sizeof(rp));
6136         mgmt_pending_remove(cmd);
6137 
6138 unlock:
6139         hci_dev_unlock(hdev);
6140 }
6141 
6142 static int remove_advertising(struct sock *sk, struct hci_dev *hdev,
6143                               void *data, u16 data_len)
6144 {
6145         struct mgmt_cp_remove_advertising *cp = data;
6146         struct mgmt_rp_remove_advertising rp;
6147         struct mgmt_pending_cmd *cmd;
6148         struct hci_request req;
6149         int err;
6150 
6151         BT_DBG("%s", hdev->name);
6152 
6153         hci_dev_lock(hdev);
6154 
6155         if (cp->instance && !hci_find_adv_instance(hdev, cp->instance)) {
6156                 err = mgmt_cmd_status(sk, hdev->id,
6157                                       MGMT_OP_REMOVE_ADVERTISING,
6158                                       MGMT_STATUS_INVALID_PARAMS);
6159                 goto unlock;
6160         }
6161 
6162         if (pending_find(MGMT_OP_ADD_ADVERTISING, hdev) ||
6163             pending_find(MGMT_OP_REMOVE_ADVERTISING, hdev) ||
6164             pending_find(MGMT_OP_SET_LE, hdev)) {
6165                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_ADVERTISING,
6166                                       MGMT_STATUS_BUSY);
6167                 goto unlock;