xref: /linux/net/bluetooth/mgmt.c (revision 001821b0e79716c4e17c71d8e053a23599a7a508)
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3 
4    Copyright (C) 2010  Nokia Corporation
5    Copyright (C) 2011-2012 Intel Corporation
6 
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License version 2 as
9    published by the Free Software Foundation;
10 
11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 
20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22    SOFTWARE IS DISCLAIMED.
23 */
24 
25 /* Bluetooth HCI Management interface */
26 
27 #include <linux/module.h>
28 #include <asm/unaligned.h>
29 
30 #include <net/bluetooth/bluetooth.h>
31 #include <net/bluetooth/hci_core.h>
32 #include <net/bluetooth/hci_sock.h>
33 #include <net/bluetooth/l2cap.h>
34 #include <net/bluetooth/mgmt.h>
35 
36 #include "hci_request.h"
37 #include "smp.h"
38 #include "mgmt_util.h"
39 #include "mgmt_config.h"
40 #include "msft.h"
41 #include "eir.h"
42 #include "aosp.h"
43 
44 #define MGMT_VERSION	1
45 #define MGMT_REVISION	22
46 
47 static const u16 mgmt_commands[] = {
48 	MGMT_OP_READ_INDEX_LIST,
49 	MGMT_OP_READ_INFO,
50 	MGMT_OP_SET_POWERED,
51 	MGMT_OP_SET_DISCOVERABLE,
52 	MGMT_OP_SET_CONNECTABLE,
53 	MGMT_OP_SET_FAST_CONNECTABLE,
54 	MGMT_OP_SET_BONDABLE,
55 	MGMT_OP_SET_LINK_SECURITY,
56 	MGMT_OP_SET_SSP,
57 	MGMT_OP_SET_HS,
58 	MGMT_OP_SET_LE,
59 	MGMT_OP_SET_DEV_CLASS,
60 	MGMT_OP_SET_LOCAL_NAME,
61 	MGMT_OP_ADD_UUID,
62 	MGMT_OP_REMOVE_UUID,
63 	MGMT_OP_LOAD_LINK_KEYS,
64 	MGMT_OP_LOAD_LONG_TERM_KEYS,
65 	MGMT_OP_DISCONNECT,
66 	MGMT_OP_GET_CONNECTIONS,
67 	MGMT_OP_PIN_CODE_REPLY,
68 	MGMT_OP_PIN_CODE_NEG_REPLY,
69 	MGMT_OP_SET_IO_CAPABILITY,
70 	MGMT_OP_PAIR_DEVICE,
71 	MGMT_OP_CANCEL_PAIR_DEVICE,
72 	MGMT_OP_UNPAIR_DEVICE,
73 	MGMT_OP_USER_CONFIRM_REPLY,
74 	MGMT_OP_USER_CONFIRM_NEG_REPLY,
75 	MGMT_OP_USER_PASSKEY_REPLY,
76 	MGMT_OP_USER_PASSKEY_NEG_REPLY,
77 	MGMT_OP_READ_LOCAL_OOB_DATA,
78 	MGMT_OP_ADD_REMOTE_OOB_DATA,
79 	MGMT_OP_REMOVE_REMOTE_OOB_DATA,
80 	MGMT_OP_START_DISCOVERY,
81 	MGMT_OP_STOP_DISCOVERY,
82 	MGMT_OP_CONFIRM_NAME,
83 	MGMT_OP_BLOCK_DEVICE,
84 	MGMT_OP_UNBLOCK_DEVICE,
85 	MGMT_OP_SET_DEVICE_ID,
86 	MGMT_OP_SET_ADVERTISING,
87 	MGMT_OP_SET_BREDR,
88 	MGMT_OP_SET_STATIC_ADDRESS,
89 	MGMT_OP_SET_SCAN_PARAMS,
90 	MGMT_OP_SET_SECURE_CONN,
91 	MGMT_OP_SET_DEBUG_KEYS,
92 	MGMT_OP_SET_PRIVACY,
93 	MGMT_OP_LOAD_IRKS,
94 	MGMT_OP_GET_CONN_INFO,
95 	MGMT_OP_GET_CLOCK_INFO,
96 	MGMT_OP_ADD_DEVICE,
97 	MGMT_OP_REMOVE_DEVICE,
98 	MGMT_OP_LOAD_CONN_PARAM,
99 	MGMT_OP_READ_UNCONF_INDEX_LIST,
100 	MGMT_OP_READ_CONFIG_INFO,
101 	MGMT_OP_SET_EXTERNAL_CONFIG,
102 	MGMT_OP_SET_PUBLIC_ADDRESS,
103 	MGMT_OP_START_SERVICE_DISCOVERY,
104 	MGMT_OP_READ_LOCAL_OOB_EXT_DATA,
105 	MGMT_OP_READ_EXT_INDEX_LIST,
106 	MGMT_OP_READ_ADV_FEATURES,
107 	MGMT_OP_ADD_ADVERTISING,
108 	MGMT_OP_REMOVE_ADVERTISING,
109 	MGMT_OP_GET_ADV_SIZE_INFO,
110 	MGMT_OP_START_LIMITED_DISCOVERY,
111 	MGMT_OP_READ_EXT_INFO,
112 	MGMT_OP_SET_APPEARANCE,
113 	MGMT_OP_GET_PHY_CONFIGURATION,
114 	MGMT_OP_SET_PHY_CONFIGURATION,
115 	MGMT_OP_SET_BLOCKED_KEYS,
116 	MGMT_OP_SET_WIDEBAND_SPEECH,
117 	MGMT_OP_READ_CONTROLLER_CAP,
118 	MGMT_OP_READ_EXP_FEATURES_INFO,
119 	MGMT_OP_SET_EXP_FEATURE,
120 	MGMT_OP_READ_DEF_SYSTEM_CONFIG,
121 	MGMT_OP_SET_DEF_SYSTEM_CONFIG,
122 	MGMT_OP_READ_DEF_RUNTIME_CONFIG,
123 	MGMT_OP_SET_DEF_RUNTIME_CONFIG,
124 	MGMT_OP_GET_DEVICE_FLAGS,
125 	MGMT_OP_SET_DEVICE_FLAGS,
126 	MGMT_OP_READ_ADV_MONITOR_FEATURES,
127 	MGMT_OP_ADD_ADV_PATTERNS_MONITOR,
128 	MGMT_OP_REMOVE_ADV_MONITOR,
129 	MGMT_OP_ADD_EXT_ADV_PARAMS,
130 	MGMT_OP_ADD_EXT_ADV_DATA,
131 	MGMT_OP_ADD_ADV_PATTERNS_MONITOR_RSSI,
132 	MGMT_OP_SET_MESH_RECEIVER,
133 	MGMT_OP_MESH_READ_FEATURES,
134 	MGMT_OP_MESH_SEND,
135 	MGMT_OP_MESH_SEND_CANCEL,
136 };
137 
138 static const u16 mgmt_events[] = {
139 	MGMT_EV_CONTROLLER_ERROR,
140 	MGMT_EV_INDEX_ADDED,
141 	MGMT_EV_INDEX_REMOVED,
142 	MGMT_EV_NEW_SETTINGS,
143 	MGMT_EV_CLASS_OF_DEV_CHANGED,
144 	MGMT_EV_LOCAL_NAME_CHANGED,
145 	MGMT_EV_NEW_LINK_KEY,
146 	MGMT_EV_NEW_LONG_TERM_KEY,
147 	MGMT_EV_DEVICE_CONNECTED,
148 	MGMT_EV_DEVICE_DISCONNECTED,
149 	MGMT_EV_CONNECT_FAILED,
150 	MGMT_EV_PIN_CODE_REQUEST,
151 	MGMT_EV_USER_CONFIRM_REQUEST,
152 	MGMT_EV_USER_PASSKEY_REQUEST,
153 	MGMT_EV_AUTH_FAILED,
154 	MGMT_EV_DEVICE_FOUND,
155 	MGMT_EV_DISCOVERING,
156 	MGMT_EV_DEVICE_BLOCKED,
157 	MGMT_EV_DEVICE_UNBLOCKED,
158 	MGMT_EV_DEVICE_UNPAIRED,
159 	MGMT_EV_PASSKEY_NOTIFY,
160 	MGMT_EV_NEW_IRK,
161 	MGMT_EV_NEW_CSRK,
162 	MGMT_EV_DEVICE_ADDED,
163 	MGMT_EV_DEVICE_REMOVED,
164 	MGMT_EV_NEW_CONN_PARAM,
165 	MGMT_EV_UNCONF_INDEX_ADDED,
166 	MGMT_EV_UNCONF_INDEX_REMOVED,
167 	MGMT_EV_NEW_CONFIG_OPTIONS,
168 	MGMT_EV_EXT_INDEX_ADDED,
169 	MGMT_EV_EXT_INDEX_REMOVED,
170 	MGMT_EV_LOCAL_OOB_DATA_UPDATED,
171 	MGMT_EV_ADVERTISING_ADDED,
172 	MGMT_EV_ADVERTISING_REMOVED,
173 	MGMT_EV_EXT_INFO_CHANGED,
174 	MGMT_EV_PHY_CONFIGURATION_CHANGED,
175 	MGMT_EV_EXP_FEATURE_CHANGED,
176 	MGMT_EV_DEVICE_FLAGS_CHANGED,
177 	MGMT_EV_ADV_MONITOR_ADDED,
178 	MGMT_EV_ADV_MONITOR_REMOVED,
179 	MGMT_EV_CONTROLLER_SUSPEND,
180 	MGMT_EV_CONTROLLER_RESUME,
181 	MGMT_EV_ADV_MONITOR_DEVICE_FOUND,
182 	MGMT_EV_ADV_MONITOR_DEVICE_LOST,
183 };
184 
185 static const u16 mgmt_untrusted_commands[] = {
186 	MGMT_OP_READ_INDEX_LIST,
187 	MGMT_OP_READ_INFO,
188 	MGMT_OP_READ_UNCONF_INDEX_LIST,
189 	MGMT_OP_READ_CONFIG_INFO,
190 	MGMT_OP_READ_EXT_INDEX_LIST,
191 	MGMT_OP_READ_EXT_INFO,
192 	MGMT_OP_READ_CONTROLLER_CAP,
193 	MGMT_OP_READ_EXP_FEATURES_INFO,
194 	MGMT_OP_READ_DEF_SYSTEM_CONFIG,
195 	MGMT_OP_READ_DEF_RUNTIME_CONFIG,
196 };
197 
198 static const u16 mgmt_untrusted_events[] = {
199 	MGMT_EV_INDEX_ADDED,
200 	MGMT_EV_INDEX_REMOVED,
201 	MGMT_EV_NEW_SETTINGS,
202 	MGMT_EV_CLASS_OF_DEV_CHANGED,
203 	MGMT_EV_LOCAL_NAME_CHANGED,
204 	MGMT_EV_UNCONF_INDEX_ADDED,
205 	MGMT_EV_UNCONF_INDEX_REMOVED,
206 	MGMT_EV_NEW_CONFIG_OPTIONS,
207 	MGMT_EV_EXT_INDEX_ADDED,
208 	MGMT_EV_EXT_INDEX_REMOVED,
209 	MGMT_EV_EXT_INFO_CHANGED,
210 	MGMT_EV_EXP_FEATURE_CHANGED,
211 };
212 
213 #define CACHE_TIMEOUT	msecs_to_jiffies(2 * 1000)
214 
215 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
216 		 "\x00\x00\x00\x00\x00\x00\x00\x00"
217 
218 /* HCI to MGMT error code conversion table */
219 static const u8 mgmt_status_table[] = {
220 	MGMT_STATUS_SUCCESS,
221 	MGMT_STATUS_UNKNOWN_COMMAND,	/* Unknown Command */
222 	MGMT_STATUS_NOT_CONNECTED,	/* No Connection */
223 	MGMT_STATUS_FAILED,		/* Hardware Failure */
224 	MGMT_STATUS_CONNECT_FAILED,	/* Page Timeout */
225 	MGMT_STATUS_AUTH_FAILED,	/* Authentication Failed */
226 	MGMT_STATUS_AUTH_FAILED,	/* PIN or Key Missing */
227 	MGMT_STATUS_NO_RESOURCES,	/* Memory Full */
228 	MGMT_STATUS_TIMEOUT,		/* Connection Timeout */
229 	MGMT_STATUS_NO_RESOURCES,	/* Max Number of Connections */
230 	MGMT_STATUS_NO_RESOURCES,	/* Max Number of SCO Connections */
231 	MGMT_STATUS_ALREADY_CONNECTED,	/* ACL Connection Exists */
232 	MGMT_STATUS_BUSY,		/* Command Disallowed */
233 	MGMT_STATUS_NO_RESOURCES,	/* Rejected Limited Resources */
234 	MGMT_STATUS_REJECTED,		/* Rejected Security */
235 	MGMT_STATUS_REJECTED,		/* Rejected Personal */
236 	MGMT_STATUS_TIMEOUT,		/* Host Timeout */
237 	MGMT_STATUS_NOT_SUPPORTED,	/* Unsupported Feature */
238 	MGMT_STATUS_INVALID_PARAMS,	/* Invalid Parameters */
239 	MGMT_STATUS_DISCONNECTED,	/* OE User Ended Connection */
240 	MGMT_STATUS_NO_RESOURCES,	/* OE Low Resources */
241 	MGMT_STATUS_DISCONNECTED,	/* OE Power Off */
242 	MGMT_STATUS_DISCONNECTED,	/* Connection Terminated */
243 	MGMT_STATUS_BUSY,		/* Repeated Attempts */
244 	MGMT_STATUS_REJECTED,		/* Pairing Not Allowed */
245 	MGMT_STATUS_FAILED,		/* Unknown LMP PDU */
246 	MGMT_STATUS_NOT_SUPPORTED,	/* Unsupported Remote Feature */
247 	MGMT_STATUS_REJECTED,		/* SCO Offset Rejected */
248 	MGMT_STATUS_REJECTED,		/* SCO Interval Rejected */
249 	MGMT_STATUS_REJECTED,		/* Air Mode Rejected */
250 	MGMT_STATUS_INVALID_PARAMS,	/* Invalid LMP Parameters */
251 	MGMT_STATUS_FAILED,		/* Unspecified Error */
252 	MGMT_STATUS_NOT_SUPPORTED,	/* Unsupported LMP Parameter Value */
253 	MGMT_STATUS_FAILED,		/* Role Change Not Allowed */
254 	MGMT_STATUS_TIMEOUT,		/* LMP Response Timeout */
255 	MGMT_STATUS_FAILED,		/* LMP Error Transaction Collision */
256 	MGMT_STATUS_FAILED,		/* LMP PDU Not Allowed */
257 	MGMT_STATUS_REJECTED,		/* Encryption Mode Not Accepted */
258 	MGMT_STATUS_FAILED,		/* Unit Link Key Used */
259 	MGMT_STATUS_NOT_SUPPORTED,	/* QoS Not Supported */
260 	MGMT_STATUS_TIMEOUT,		/* Instant Passed */
261 	MGMT_STATUS_NOT_SUPPORTED,	/* Pairing Not Supported */
262 	MGMT_STATUS_FAILED,		/* Transaction Collision */
263 	MGMT_STATUS_FAILED,		/* Reserved for future use */
264 	MGMT_STATUS_INVALID_PARAMS,	/* Unacceptable Parameter */
265 	MGMT_STATUS_REJECTED,		/* QoS Rejected */
266 	MGMT_STATUS_NOT_SUPPORTED,	/* Classification Not Supported */
267 	MGMT_STATUS_REJECTED,		/* Insufficient Security */
268 	MGMT_STATUS_INVALID_PARAMS,	/* Parameter Out Of Range */
269 	MGMT_STATUS_FAILED,		/* Reserved for future use */
270 	MGMT_STATUS_BUSY,		/* Role Switch Pending */
271 	MGMT_STATUS_FAILED,		/* Reserved for future use */
272 	MGMT_STATUS_FAILED,		/* Slot Violation */
273 	MGMT_STATUS_FAILED,		/* Role Switch Failed */
274 	MGMT_STATUS_INVALID_PARAMS,	/* EIR Too Large */
275 	MGMT_STATUS_NOT_SUPPORTED,	/* Simple Pairing Not Supported */
276 	MGMT_STATUS_BUSY,		/* Host Busy Pairing */
277 	MGMT_STATUS_REJECTED,		/* Rejected, No Suitable Channel */
278 	MGMT_STATUS_BUSY,		/* Controller Busy */
279 	MGMT_STATUS_INVALID_PARAMS,	/* Unsuitable Connection Interval */
280 	MGMT_STATUS_TIMEOUT,		/* Directed Advertising Timeout */
281 	MGMT_STATUS_AUTH_FAILED,	/* Terminated Due to MIC Failure */
282 	MGMT_STATUS_CONNECT_FAILED,	/* Connection Establishment Failed */
283 	MGMT_STATUS_CONNECT_FAILED,	/* MAC Connection Failed */
284 };
285 
286 static u8 mgmt_errno_status(int err)
287 {
288 	switch (err) {
289 	case 0:
290 		return MGMT_STATUS_SUCCESS;
291 	case -EPERM:
292 		return MGMT_STATUS_REJECTED;
293 	case -EINVAL:
294 		return MGMT_STATUS_INVALID_PARAMS;
295 	case -EOPNOTSUPP:
296 		return MGMT_STATUS_NOT_SUPPORTED;
297 	case -EBUSY:
298 		return MGMT_STATUS_BUSY;
299 	case -ETIMEDOUT:
300 		return MGMT_STATUS_AUTH_FAILED;
301 	case -ENOMEM:
302 		return MGMT_STATUS_NO_RESOURCES;
303 	case -EISCONN:
304 		return MGMT_STATUS_ALREADY_CONNECTED;
305 	case -ENOTCONN:
306 		return MGMT_STATUS_DISCONNECTED;
307 	}
308 
309 	return MGMT_STATUS_FAILED;
310 }
311 
312 static u8 mgmt_status(int err)
313 {
314 	if (err < 0)
315 		return mgmt_errno_status(err);
316 
317 	if (err < ARRAY_SIZE(mgmt_status_table))
318 		return mgmt_status_table[err];
319 
320 	return MGMT_STATUS_FAILED;
321 }
322 
323 static int mgmt_index_event(u16 event, struct hci_dev *hdev, void *data,
324 			    u16 len, int flag)
325 {
326 	return mgmt_send_event(event, hdev, HCI_CHANNEL_CONTROL, data, len,
327 			       flag, NULL);
328 }
329 
330 static int mgmt_limited_event(u16 event, struct hci_dev *hdev, void *data,
331 			      u16 len, int flag, struct sock *skip_sk)
332 {
333 	return mgmt_send_event(event, hdev, HCI_CHANNEL_CONTROL, data, len,
334 			       flag, skip_sk);
335 }
336 
337 static int mgmt_event(u16 event, struct hci_dev *hdev, void *data, u16 len,
338 		      struct sock *skip_sk)
339 {
340 	return mgmt_send_event(event, hdev, HCI_CHANNEL_CONTROL, data, len,
341 			       HCI_SOCK_TRUSTED, skip_sk);
342 }
343 
344 static int mgmt_event_skb(struct sk_buff *skb, struct sock *skip_sk)
345 {
346 	return mgmt_send_event_skb(HCI_CHANNEL_CONTROL, skb, HCI_SOCK_TRUSTED,
347 				   skip_sk);
348 }
349 
350 static u8 le_addr_type(u8 mgmt_addr_type)
351 {
352 	if (mgmt_addr_type == BDADDR_LE_PUBLIC)
353 		return ADDR_LE_DEV_PUBLIC;
354 	else
355 		return ADDR_LE_DEV_RANDOM;
356 }
357 
358 void mgmt_fill_version_info(void *ver)
359 {
360 	struct mgmt_rp_read_version *rp = ver;
361 
362 	rp->version = MGMT_VERSION;
363 	rp->revision = cpu_to_le16(MGMT_REVISION);
364 }
365 
366 static int read_version(struct sock *sk, struct hci_dev *hdev, void *data,
367 			u16 data_len)
368 {
369 	struct mgmt_rp_read_version rp;
370 
371 	bt_dev_dbg(hdev, "sock %p", sk);
372 
373 	mgmt_fill_version_info(&rp);
374 
375 	return mgmt_cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_VERSION, 0,
376 				 &rp, sizeof(rp));
377 }
378 
379 static int read_commands(struct sock *sk, struct hci_dev *hdev, void *data,
380 			 u16 data_len)
381 {
382 	struct mgmt_rp_read_commands *rp;
383 	u16 num_commands, num_events;
384 	size_t rp_size;
385 	int i, err;
386 
387 	bt_dev_dbg(hdev, "sock %p", sk);
388 
389 	if (hci_sock_test_flag(sk, HCI_SOCK_TRUSTED)) {
390 		num_commands = ARRAY_SIZE(mgmt_commands);
391 		num_events = ARRAY_SIZE(mgmt_events);
392 	} else {
393 		num_commands = ARRAY_SIZE(mgmt_untrusted_commands);
394 		num_events = ARRAY_SIZE(mgmt_untrusted_events);
395 	}
396 
397 	rp_size = sizeof(*rp) + ((num_commands + num_events) * sizeof(u16));
398 
399 	rp = kmalloc(rp_size, GFP_KERNEL);
400 	if (!rp)
401 		return -ENOMEM;
402 
403 	rp->num_commands = cpu_to_le16(num_commands);
404 	rp->num_events = cpu_to_le16(num_events);
405 
406 	if (hci_sock_test_flag(sk, HCI_SOCK_TRUSTED)) {
407 		__le16 *opcode = rp->opcodes;
408 
409 		for (i = 0; i < num_commands; i++, opcode++)
410 			put_unaligned_le16(mgmt_commands[i], opcode);
411 
412 		for (i = 0; i < num_events; i++, opcode++)
413 			put_unaligned_le16(mgmt_events[i], opcode);
414 	} else {
415 		__le16 *opcode = rp->opcodes;
416 
417 		for (i = 0; i < num_commands; i++, opcode++)
418 			put_unaligned_le16(mgmt_untrusted_commands[i], opcode);
419 
420 		for (i = 0; i < num_events; i++, opcode++)
421 			put_unaligned_le16(mgmt_untrusted_events[i], opcode);
422 	}
423 
424 	err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_COMMANDS, 0,
425 				rp, rp_size);
426 	kfree(rp);
427 
428 	return err;
429 }
430 
431 static int read_index_list(struct sock *sk, struct hci_dev *hdev, void *data,
432 			   u16 data_len)
433 {
434 	struct mgmt_rp_read_index_list *rp;
435 	struct hci_dev *d;
436 	size_t rp_len;
437 	u16 count;
438 	int err;
439 
440 	bt_dev_dbg(hdev, "sock %p", sk);
441 
442 	read_lock(&hci_dev_list_lock);
443 
444 	count = 0;
445 	list_for_each_entry(d, &hci_dev_list, list) {
446 		if (!hci_dev_test_flag(d, HCI_UNCONFIGURED))
447 			count++;
448 	}
449 
450 	rp_len = sizeof(*rp) + (2 * count);
451 	rp = kmalloc(rp_len, GFP_ATOMIC);
452 	if (!rp) {
453 		read_unlock(&hci_dev_list_lock);
454 		return -ENOMEM;
455 	}
456 
457 	count = 0;
458 	list_for_each_entry(d, &hci_dev_list, list) {
459 		if (hci_dev_test_flag(d, HCI_SETUP) ||
460 		    hci_dev_test_flag(d, HCI_CONFIG) ||
461 		    hci_dev_test_flag(d, HCI_USER_CHANNEL))
462 			continue;
463 
464 		/* Devices marked as raw-only are neither configured
465 		 * nor unconfigured controllers.
466 		 */
467 		if (test_bit(HCI_QUIRK_RAW_DEVICE, &d->quirks))
468 			continue;
469 
470 		if (!hci_dev_test_flag(d, HCI_UNCONFIGURED)) {
471 			rp->index[count++] = cpu_to_le16(d->id);
472 			bt_dev_dbg(hdev, "Added hci%u", d->id);
473 		}
474 	}
475 
476 	rp->num_controllers = cpu_to_le16(count);
477 	rp_len = sizeof(*rp) + (2 * count);
478 
479 	read_unlock(&hci_dev_list_lock);
480 
481 	err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_INDEX_LIST,
482 				0, rp, rp_len);
483 
484 	kfree(rp);
485 
486 	return err;
487 }
488 
489 static int read_unconf_index_list(struct sock *sk, struct hci_dev *hdev,
490 				  void *data, u16 data_len)
491 {
492 	struct mgmt_rp_read_unconf_index_list *rp;
493 	struct hci_dev *d;
494 	size_t rp_len;
495 	u16 count;
496 	int err;
497 
498 	bt_dev_dbg(hdev, "sock %p", sk);
499 
500 	read_lock(&hci_dev_list_lock);
501 
502 	count = 0;
503 	list_for_each_entry(d, &hci_dev_list, list) {
504 		if (hci_dev_test_flag(d, HCI_UNCONFIGURED))
505 			count++;
506 	}
507 
508 	rp_len = sizeof(*rp) + (2 * count);
509 	rp = kmalloc(rp_len, GFP_ATOMIC);
510 	if (!rp) {
511 		read_unlock(&hci_dev_list_lock);
512 		return -ENOMEM;
513 	}
514 
515 	count = 0;
516 	list_for_each_entry(d, &hci_dev_list, list) {
517 		if (hci_dev_test_flag(d, HCI_SETUP) ||
518 		    hci_dev_test_flag(d, HCI_CONFIG) ||
519 		    hci_dev_test_flag(d, HCI_USER_CHANNEL))
520 			continue;
521 
522 		/* Devices marked as raw-only are neither configured
523 		 * nor unconfigured controllers.
524 		 */
525 		if (test_bit(HCI_QUIRK_RAW_DEVICE, &d->quirks))
526 			continue;
527 
528 		if (hci_dev_test_flag(d, HCI_UNCONFIGURED)) {
529 			rp->index[count++] = cpu_to_le16(d->id);
530 			bt_dev_dbg(hdev, "Added hci%u", d->id);
531 		}
532 	}
533 
534 	rp->num_controllers = cpu_to_le16(count);
535 	rp_len = sizeof(*rp) + (2 * count);
536 
537 	read_unlock(&hci_dev_list_lock);
538 
539 	err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE,
540 				MGMT_OP_READ_UNCONF_INDEX_LIST, 0, rp, rp_len);
541 
542 	kfree(rp);
543 
544 	return err;
545 }
546 
547 static int read_ext_index_list(struct sock *sk, struct hci_dev *hdev,
548 			       void *data, u16 data_len)
549 {
550 	struct mgmt_rp_read_ext_index_list *rp;
551 	struct hci_dev *d;
552 	u16 count;
553 	int err;
554 
555 	bt_dev_dbg(hdev, "sock %p", sk);
556 
557 	read_lock(&hci_dev_list_lock);
558 
559 	count = 0;
560 	list_for_each_entry(d, &hci_dev_list, list)
561 		count++;
562 
563 	rp = kmalloc(struct_size(rp, entry, count), GFP_ATOMIC);
564 	if (!rp) {
565 		read_unlock(&hci_dev_list_lock);
566 		return -ENOMEM;
567 	}
568 
569 	count = 0;
570 	list_for_each_entry(d, &hci_dev_list, list) {
571 		if (hci_dev_test_flag(d, HCI_SETUP) ||
572 		    hci_dev_test_flag(d, HCI_CONFIG) ||
573 		    hci_dev_test_flag(d, HCI_USER_CHANNEL))
574 			continue;
575 
576 		/* Devices marked as raw-only are neither configured
577 		 * nor unconfigured controllers.
578 		 */
579 		if (test_bit(HCI_QUIRK_RAW_DEVICE, &d->quirks))
580 			continue;
581 
582 		if (hci_dev_test_flag(d, HCI_UNCONFIGURED))
583 			rp->entry[count].type = 0x01;
584 		else
585 			rp->entry[count].type = 0x00;
586 
587 		rp->entry[count].bus = d->bus;
588 		rp->entry[count++].index = cpu_to_le16(d->id);
589 		bt_dev_dbg(hdev, "Added hci%u", d->id);
590 	}
591 
592 	rp->num_controllers = cpu_to_le16(count);
593 
594 	read_unlock(&hci_dev_list_lock);
595 
596 	/* If this command is called at least once, then all the
597 	 * default index and unconfigured index events are disabled
598 	 * and from now on only extended index events are used.
599 	 */
600 	hci_sock_set_flag(sk, HCI_MGMT_EXT_INDEX_EVENTS);
601 	hci_sock_clear_flag(sk, HCI_MGMT_INDEX_EVENTS);
602 	hci_sock_clear_flag(sk, HCI_MGMT_UNCONF_INDEX_EVENTS);
603 
604 	err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE,
605 				MGMT_OP_READ_EXT_INDEX_LIST, 0, rp,
606 				struct_size(rp, entry, count));
607 
608 	kfree(rp);
609 
610 	return err;
611 }
612 
613 static bool is_configured(struct hci_dev *hdev)
614 {
615 	if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) &&
616 	    !hci_dev_test_flag(hdev, HCI_EXT_CONFIGURED))
617 		return false;
618 
619 	if ((test_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks) ||
620 	     test_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks)) &&
621 	    !bacmp(&hdev->public_addr, BDADDR_ANY))
622 		return false;
623 
624 	return true;
625 }
626 
627 static __le32 get_missing_options(struct hci_dev *hdev)
628 {
629 	u32 options = 0;
630 
631 	if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) &&
632 	    !hci_dev_test_flag(hdev, HCI_EXT_CONFIGURED))
633 		options |= MGMT_OPTION_EXTERNAL_CONFIG;
634 
635 	if ((test_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks) ||
636 	     test_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks)) &&
637 	    !bacmp(&hdev->public_addr, BDADDR_ANY))
638 		options |= MGMT_OPTION_PUBLIC_ADDRESS;
639 
640 	return cpu_to_le32(options);
641 }
642 
643 static int new_options(struct hci_dev *hdev, struct sock *skip)
644 {
645 	__le32 options = get_missing_options(hdev);
646 
647 	return mgmt_limited_event(MGMT_EV_NEW_CONFIG_OPTIONS, hdev, &options,
648 				  sizeof(options), HCI_MGMT_OPTION_EVENTS, skip);
649 }
650 
651 static int send_options_rsp(struct sock *sk, u16 opcode, struct hci_dev *hdev)
652 {
653 	__le32 options = get_missing_options(hdev);
654 
655 	return mgmt_cmd_complete(sk, hdev->id, opcode, 0, &options,
656 				 sizeof(options));
657 }
658 
659 static int read_config_info(struct sock *sk, struct hci_dev *hdev,
660 			    void *data, u16 data_len)
661 {
662 	struct mgmt_rp_read_config_info rp;
663 	u32 options = 0;
664 
665 	bt_dev_dbg(hdev, "sock %p", sk);
666 
667 	hci_dev_lock(hdev);
668 
669 	memset(&rp, 0, sizeof(rp));
670 	rp.manufacturer = cpu_to_le16(hdev->manufacturer);
671 
672 	if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks))
673 		options |= MGMT_OPTION_EXTERNAL_CONFIG;
674 
675 	if (hdev->set_bdaddr)
676 		options |= MGMT_OPTION_PUBLIC_ADDRESS;
677 
678 	rp.supported_options = cpu_to_le32(options);
679 	rp.missing_options = get_missing_options(hdev);
680 
681 	hci_dev_unlock(hdev);
682 
683 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_CONFIG_INFO, 0,
684 				 &rp, sizeof(rp));
685 }
686 
687 static u32 get_supported_phys(struct hci_dev *hdev)
688 {
689 	u32 supported_phys = 0;
690 
691 	if (lmp_bredr_capable(hdev)) {
692 		supported_phys |= MGMT_PHY_BR_1M_1SLOT;
693 
694 		if (hdev->features[0][0] & LMP_3SLOT)
695 			supported_phys |= MGMT_PHY_BR_1M_3SLOT;
696 
697 		if (hdev->features[0][0] & LMP_5SLOT)
698 			supported_phys |= MGMT_PHY_BR_1M_5SLOT;
699 
700 		if (lmp_edr_2m_capable(hdev)) {
701 			supported_phys |= MGMT_PHY_EDR_2M_1SLOT;
702 
703 			if (lmp_edr_3slot_capable(hdev))
704 				supported_phys |= MGMT_PHY_EDR_2M_3SLOT;
705 
706 			if (lmp_edr_5slot_capable(hdev))
707 				supported_phys |= MGMT_PHY_EDR_2M_5SLOT;
708 
709 			if (lmp_edr_3m_capable(hdev)) {
710 				supported_phys |= MGMT_PHY_EDR_3M_1SLOT;
711 
712 				if (lmp_edr_3slot_capable(hdev))
713 					supported_phys |= MGMT_PHY_EDR_3M_3SLOT;
714 
715 				if (lmp_edr_5slot_capable(hdev))
716 					supported_phys |= MGMT_PHY_EDR_3M_5SLOT;
717 			}
718 		}
719 	}
720 
721 	if (lmp_le_capable(hdev)) {
722 		supported_phys |= MGMT_PHY_LE_1M_TX;
723 		supported_phys |= MGMT_PHY_LE_1M_RX;
724 
725 		if (hdev->le_features[1] & HCI_LE_PHY_2M) {
726 			supported_phys |= MGMT_PHY_LE_2M_TX;
727 			supported_phys |= MGMT_PHY_LE_2M_RX;
728 		}
729 
730 		if (hdev->le_features[1] & HCI_LE_PHY_CODED) {
731 			supported_phys |= MGMT_PHY_LE_CODED_TX;
732 			supported_phys |= MGMT_PHY_LE_CODED_RX;
733 		}
734 	}
735 
736 	return supported_phys;
737 }
738 
739 static u32 get_selected_phys(struct hci_dev *hdev)
740 {
741 	u32 selected_phys = 0;
742 
743 	if (lmp_bredr_capable(hdev)) {
744 		selected_phys |= MGMT_PHY_BR_1M_1SLOT;
745 
746 		if (hdev->pkt_type & (HCI_DM3 | HCI_DH3))
747 			selected_phys |= MGMT_PHY_BR_1M_3SLOT;
748 
749 		if (hdev->pkt_type & (HCI_DM5 | HCI_DH5))
750 			selected_phys |= MGMT_PHY_BR_1M_5SLOT;
751 
752 		if (lmp_edr_2m_capable(hdev)) {
753 			if (!(hdev->pkt_type & HCI_2DH1))
754 				selected_phys |= MGMT_PHY_EDR_2M_1SLOT;
755 
756 			if (lmp_edr_3slot_capable(hdev) &&
757 			    !(hdev->pkt_type & HCI_2DH3))
758 				selected_phys |= MGMT_PHY_EDR_2M_3SLOT;
759 
760 			if (lmp_edr_5slot_capable(hdev) &&
761 			    !(hdev->pkt_type & HCI_2DH5))
762 				selected_phys |= MGMT_PHY_EDR_2M_5SLOT;
763 
764 			if (lmp_edr_3m_capable(hdev)) {
765 				if (!(hdev->pkt_type & HCI_3DH1))
766 					selected_phys |= MGMT_PHY_EDR_3M_1SLOT;
767 
768 				if (lmp_edr_3slot_capable(hdev) &&
769 				    !(hdev->pkt_type & HCI_3DH3))
770 					selected_phys |= MGMT_PHY_EDR_3M_3SLOT;
771 
772 				if (lmp_edr_5slot_capable(hdev) &&
773 				    !(hdev->pkt_type & HCI_3DH5))
774 					selected_phys |= MGMT_PHY_EDR_3M_5SLOT;
775 			}
776 		}
777 	}
778 
779 	if (lmp_le_capable(hdev)) {
780 		if (hdev->le_tx_def_phys & HCI_LE_SET_PHY_1M)
781 			selected_phys |= MGMT_PHY_LE_1M_TX;
782 
783 		if (hdev->le_rx_def_phys & HCI_LE_SET_PHY_1M)
784 			selected_phys |= MGMT_PHY_LE_1M_RX;
785 
786 		if (hdev->le_tx_def_phys & HCI_LE_SET_PHY_2M)
787 			selected_phys |= MGMT_PHY_LE_2M_TX;
788 
789 		if (hdev->le_rx_def_phys & HCI_LE_SET_PHY_2M)
790 			selected_phys |= MGMT_PHY_LE_2M_RX;
791 
792 		if (hdev->le_tx_def_phys & HCI_LE_SET_PHY_CODED)
793 			selected_phys |= MGMT_PHY_LE_CODED_TX;
794 
795 		if (hdev->le_rx_def_phys & HCI_LE_SET_PHY_CODED)
796 			selected_phys |= MGMT_PHY_LE_CODED_RX;
797 	}
798 
799 	return selected_phys;
800 }
801 
802 static u32 get_configurable_phys(struct hci_dev *hdev)
803 {
804 	return (get_supported_phys(hdev) & ~MGMT_PHY_BR_1M_1SLOT &
805 		~MGMT_PHY_LE_1M_TX & ~MGMT_PHY_LE_1M_RX);
806 }
807 
808 static u32 get_supported_settings(struct hci_dev *hdev)
809 {
810 	u32 settings = 0;
811 
812 	settings |= MGMT_SETTING_POWERED;
813 	settings |= MGMT_SETTING_BONDABLE;
814 	settings |= MGMT_SETTING_DEBUG_KEYS;
815 	settings |= MGMT_SETTING_CONNECTABLE;
816 	settings |= MGMT_SETTING_DISCOVERABLE;
817 
818 	if (lmp_bredr_capable(hdev)) {
819 		if (hdev->hci_ver >= BLUETOOTH_VER_1_2)
820 			settings |= MGMT_SETTING_FAST_CONNECTABLE;
821 		settings |= MGMT_SETTING_BREDR;
822 		settings |= MGMT_SETTING_LINK_SECURITY;
823 
824 		if (lmp_ssp_capable(hdev)) {
825 			settings |= MGMT_SETTING_SSP;
826 		}
827 
828 		if (lmp_sc_capable(hdev))
829 			settings |= MGMT_SETTING_SECURE_CONN;
830 
831 		if (test_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED,
832 			     &hdev->quirks))
833 			settings |= MGMT_SETTING_WIDEBAND_SPEECH;
834 	}
835 
836 	if (lmp_le_capable(hdev)) {
837 		settings |= MGMT_SETTING_LE;
838 		settings |= MGMT_SETTING_SECURE_CONN;
839 		settings |= MGMT_SETTING_PRIVACY;
840 		settings |= MGMT_SETTING_STATIC_ADDRESS;
841 		settings |= MGMT_SETTING_ADVERTISING;
842 	}
843 
844 	if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) ||
845 	    hdev->set_bdaddr)
846 		settings |= MGMT_SETTING_CONFIGURATION;
847 
848 	if (cis_central_capable(hdev))
849 		settings |= MGMT_SETTING_CIS_CENTRAL;
850 
851 	if (cis_peripheral_capable(hdev))
852 		settings |= MGMT_SETTING_CIS_PERIPHERAL;
853 
854 	settings |= MGMT_SETTING_PHY_CONFIGURATION;
855 
856 	return settings;
857 }
858 
859 static u32 get_current_settings(struct hci_dev *hdev)
860 {
861 	u32 settings = 0;
862 
863 	if (hdev_is_powered(hdev))
864 		settings |= MGMT_SETTING_POWERED;
865 
866 	if (hci_dev_test_flag(hdev, HCI_CONNECTABLE))
867 		settings |= MGMT_SETTING_CONNECTABLE;
868 
869 	if (hci_dev_test_flag(hdev, HCI_FAST_CONNECTABLE))
870 		settings |= MGMT_SETTING_FAST_CONNECTABLE;
871 
872 	if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE))
873 		settings |= MGMT_SETTING_DISCOVERABLE;
874 
875 	if (hci_dev_test_flag(hdev, HCI_BONDABLE))
876 		settings |= MGMT_SETTING_BONDABLE;
877 
878 	if (hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
879 		settings |= MGMT_SETTING_BREDR;
880 
881 	if (hci_dev_test_flag(hdev, HCI_LE_ENABLED))
882 		settings |= MGMT_SETTING_LE;
883 
884 	if (hci_dev_test_flag(hdev, HCI_LINK_SECURITY))
885 		settings |= MGMT_SETTING_LINK_SECURITY;
886 
887 	if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
888 		settings |= MGMT_SETTING_SSP;
889 
890 	if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
891 		settings |= MGMT_SETTING_ADVERTISING;
892 
893 	if (hci_dev_test_flag(hdev, HCI_SC_ENABLED))
894 		settings |= MGMT_SETTING_SECURE_CONN;
895 
896 	if (hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS))
897 		settings |= MGMT_SETTING_DEBUG_KEYS;
898 
899 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
900 		settings |= MGMT_SETTING_PRIVACY;
901 
902 	/* The current setting for static address has two purposes. The
903 	 * first is to indicate if the static address will be used and
904 	 * the second is to indicate if it is actually set.
905 	 *
906 	 * This means if the static address is not configured, this flag
907 	 * will never be set. If the address is configured, then if the
908 	 * address is actually used decides if the flag is set or not.
909 	 *
910 	 * For single mode LE only controllers and dual-mode controllers
911 	 * with BR/EDR disabled, the existence of the static address will
912 	 * be evaluated.
913 	 */
914 	if (hci_dev_test_flag(hdev, HCI_FORCE_STATIC_ADDR) ||
915 	    !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) ||
916 	    !bacmp(&hdev->bdaddr, BDADDR_ANY)) {
917 		if (bacmp(&hdev->static_addr, BDADDR_ANY))
918 			settings |= MGMT_SETTING_STATIC_ADDRESS;
919 	}
920 
921 	if (hci_dev_test_flag(hdev, HCI_WIDEBAND_SPEECH_ENABLED))
922 		settings |= MGMT_SETTING_WIDEBAND_SPEECH;
923 
924 	if (cis_central_capable(hdev))
925 		settings |= MGMT_SETTING_CIS_CENTRAL;
926 
927 	if (cis_peripheral_capable(hdev))
928 		settings |= MGMT_SETTING_CIS_PERIPHERAL;
929 
930 	if (bis_capable(hdev))
931 		settings |= MGMT_SETTING_ISO_BROADCASTER;
932 
933 	if (sync_recv_capable(hdev))
934 		settings |= MGMT_SETTING_ISO_SYNC_RECEIVER;
935 
936 	return settings;
937 }
938 
939 static struct mgmt_pending_cmd *pending_find(u16 opcode, struct hci_dev *hdev)
940 {
941 	return mgmt_pending_find(HCI_CHANNEL_CONTROL, opcode, hdev);
942 }
943 
944 u8 mgmt_get_adv_discov_flags(struct hci_dev *hdev)
945 {
946 	struct mgmt_pending_cmd *cmd;
947 
948 	/* If there's a pending mgmt command the flags will not yet have
949 	 * their final values, so check for this first.
950 	 */
951 	cmd = pending_find(MGMT_OP_SET_DISCOVERABLE, hdev);
952 	if (cmd) {
953 		struct mgmt_mode *cp = cmd->param;
954 		if (cp->val == 0x01)
955 			return LE_AD_GENERAL;
956 		else if (cp->val == 0x02)
957 			return LE_AD_LIMITED;
958 	} else {
959 		if (hci_dev_test_flag(hdev, HCI_LIMITED_DISCOVERABLE))
960 			return LE_AD_LIMITED;
961 		else if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE))
962 			return LE_AD_GENERAL;
963 	}
964 
965 	return 0;
966 }
967 
968 bool mgmt_get_connectable(struct hci_dev *hdev)
969 {
970 	struct mgmt_pending_cmd *cmd;
971 
972 	/* If there's a pending mgmt command the flag will not yet have
973 	 * it's final value, so check for this first.
974 	 */
975 	cmd = pending_find(MGMT_OP_SET_CONNECTABLE, hdev);
976 	if (cmd) {
977 		struct mgmt_mode *cp = cmd->param;
978 
979 		return cp->val;
980 	}
981 
982 	return hci_dev_test_flag(hdev, HCI_CONNECTABLE);
983 }
984 
985 static int service_cache_sync(struct hci_dev *hdev, void *data)
986 {
987 	hci_update_eir_sync(hdev);
988 	hci_update_class_sync(hdev);
989 
990 	return 0;
991 }
992 
993 static void service_cache_off(struct work_struct *work)
994 {
995 	struct hci_dev *hdev = container_of(work, struct hci_dev,
996 					    service_cache.work);
997 
998 	if (!hci_dev_test_and_clear_flag(hdev, HCI_SERVICE_CACHE))
999 		return;
1000 
1001 	hci_cmd_sync_queue(hdev, service_cache_sync, NULL, NULL);
1002 }
1003 
1004 static int rpa_expired_sync(struct hci_dev *hdev, void *data)
1005 {
1006 	/* The generation of a new RPA and programming it into the
1007 	 * controller happens in the hci_req_enable_advertising()
1008 	 * function.
1009 	 */
1010 	if (ext_adv_capable(hdev))
1011 		return hci_start_ext_adv_sync(hdev, hdev->cur_adv_instance);
1012 	else
1013 		return hci_enable_advertising_sync(hdev);
1014 }
1015 
1016 static void rpa_expired(struct work_struct *work)
1017 {
1018 	struct hci_dev *hdev = container_of(work, struct hci_dev,
1019 					    rpa_expired.work);
1020 
1021 	bt_dev_dbg(hdev, "");
1022 
1023 	hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
1024 
1025 	if (!hci_dev_test_flag(hdev, HCI_ADVERTISING))
1026 		return;
1027 
1028 	hci_cmd_sync_queue(hdev, rpa_expired_sync, NULL, NULL);
1029 }
1030 
1031 static int set_discoverable_sync(struct hci_dev *hdev, void *data);
1032 
1033 static void discov_off(struct work_struct *work)
1034 {
1035 	struct hci_dev *hdev = container_of(work, struct hci_dev,
1036 					    discov_off.work);
1037 
1038 	bt_dev_dbg(hdev, "");
1039 
1040 	hci_dev_lock(hdev);
1041 
1042 	/* When discoverable timeout triggers, then just make sure
1043 	 * the limited discoverable flag is cleared. Even in the case
1044 	 * of a timeout triggered from general discoverable, it is
1045 	 * safe to unconditionally clear the flag.
1046 	 */
1047 	hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1048 	hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1049 	hdev->discov_timeout = 0;
1050 
1051 	hci_cmd_sync_queue(hdev, set_discoverable_sync, NULL, NULL);
1052 
1053 	mgmt_new_settings(hdev);
1054 
1055 	hci_dev_unlock(hdev);
1056 }
1057 
1058 static int send_settings_rsp(struct sock *sk, u16 opcode, struct hci_dev *hdev);
1059 
1060 static void mesh_send_complete(struct hci_dev *hdev,
1061 			       struct mgmt_mesh_tx *mesh_tx, bool silent)
1062 {
1063 	u8 handle = mesh_tx->handle;
1064 
1065 	if (!silent)
1066 		mgmt_event(MGMT_EV_MESH_PACKET_CMPLT, hdev, &handle,
1067 			   sizeof(handle), NULL);
1068 
1069 	mgmt_mesh_remove(mesh_tx);
1070 }
1071 
1072 static int mesh_send_done_sync(struct hci_dev *hdev, void *data)
1073 {
1074 	struct mgmt_mesh_tx *mesh_tx;
1075 
1076 	hci_dev_clear_flag(hdev, HCI_MESH_SENDING);
1077 	hci_disable_advertising_sync(hdev);
1078 	mesh_tx = mgmt_mesh_next(hdev, NULL);
1079 
1080 	if (mesh_tx)
1081 		mesh_send_complete(hdev, mesh_tx, false);
1082 
1083 	return 0;
1084 }
1085 
1086 static int mesh_send_sync(struct hci_dev *hdev, void *data);
1087 static void mesh_send_start_complete(struct hci_dev *hdev, void *data, int err);
1088 static void mesh_next(struct hci_dev *hdev, void *data, int err)
1089 {
1090 	struct mgmt_mesh_tx *mesh_tx = mgmt_mesh_next(hdev, NULL);
1091 
1092 	if (!mesh_tx)
1093 		return;
1094 
1095 	err = hci_cmd_sync_queue(hdev, mesh_send_sync, mesh_tx,
1096 				 mesh_send_start_complete);
1097 
1098 	if (err < 0)
1099 		mesh_send_complete(hdev, mesh_tx, false);
1100 	else
1101 		hci_dev_set_flag(hdev, HCI_MESH_SENDING);
1102 }
1103 
1104 static void mesh_send_done(struct work_struct *work)
1105 {
1106 	struct hci_dev *hdev = container_of(work, struct hci_dev,
1107 					    mesh_send_done.work);
1108 
1109 	if (!hci_dev_test_flag(hdev, HCI_MESH_SENDING))
1110 		return;
1111 
1112 	hci_cmd_sync_queue(hdev, mesh_send_done_sync, NULL, mesh_next);
1113 }
1114 
1115 static void mgmt_init_hdev(struct sock *sk, struct hci_dev *hdev)
1116 {
1117 	if (hci_dev_test_flag(hdev, HCI_MGMT))
1118 		return;
1119 
1120 	BT_INFO("MGMT ver %d.%d", MGMT_VERSION, MGMT_REVISION);
1121 
1122 	INIT_DELAYED_WORK(&hdev->discov_off, discov_off);
1123 	INIT_DELAYED_WORK(&hdev->service_cache, service_cache_off);
1124 	INIT_DELAYED_WORK(&hdev->rpa_expired, rpa_expired);
1125 	INIT_DELAYED_WORK(&hdev->mesh_send_done, mesh_send_done);
1126 
1127 	/* Non-mgmt controlled devices get this bit set
1128 	 * implicitly so that pairing works for them, however
1129 	 * for mgmt we require user-space to explicitly enable
1130 	 * it
1131 	 */
1132 	hci_dev_clear_flag(hdev, HCI_BONDABLE);
1133 
1134 	hci_dev_set_flag(hdev, HCI_MGMT);
1135 }
1136 
1137 static int read_controller_info(struct sock *sk, struct hci_dev *hdev,
1138 				void *data, u16 data_len)
1139 {
1140 	struct mgmt_rp_read_info rp;
1141 
1142 	bt_dev_dbg(hdev, "sock %p", sk);
1143 
1144 	hci_dev_lock(hdev);
1145 
1146 	memset(&rp, 0, sizeof(rp));
1147 
1148 	bacpy(&rp.bdaddr, &hdev->bdaddr);
1149 
1150 	rp.version = hdev->hci_ver;
1151 	rp.manufacturer = cpu_to_le16(hdev->manufacturer);
1152 
1153 	rp.supported_settings = cpu_to_le32(get_supported_settings(hdev));
1154 	rp.current_settings = cpu_to_le32(get_current_settings(hdev));
1155 
1156 	memcpy(rp.dev_class, hdev->dev_class, 3);
1157 
1158 	memcpy(rp.name, hdev->dev_name, sizeof(hdev->dev_name));
1159 	memcpy(rp.short_name, hdev->short_name, sizeof(hdev->short_name));
1160 
1161 	hci_dev_unlock(hdev);
1162 
1163 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_INFO, 0, &rp,
1164 				 sizeof(rp));
1165 }
1166 
1167 static u16 append_eir_data_to_buf(struct hci_dev *hdev, u8 *eir)
1168 {
1169 	u16 eir_len = 0;
1170 	size_t name_len;
1171 
1172 	if (hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1173 		eir_len = eir_append_data(eir, eir_len, EIR_CLASS_OF_DEV,
1174 					  hdev->dev_class, 3);
1175 
1176 	if (hci_dev_test_flag(hdev, HCI_LE_ENABLED))
1177 		eir_len = eir_append_le16(eir, eir_len, EIR_APPEARANCE,
1178 					  hdev->appearance);
1179 
1180 	name_len = strnlen(hdev->dev_name, sizeof(hdev->dev_name));
1181 	eir_len = eir_append_data(eir, eir_len, EIR_NAME_COMPLETE,
1182 				  hdev->dev_name, name_len);
1183 
1184 	name_len = strnlen(hdev->short_name, sizeof(hdev->short_name));
1185 	eir_len = eir_append_data(eir, eir_len, EIR_NAME_SHORT,
1186 				  hdev->short_name, name_len);
1187 
1188 	return eir_len;
1189 }
1190 
1191 static int read_ext_controller_info(struct sock *sk, struct hci_dev *hdev,
1192 				    void *data, u16 data_len)
1193 {
1194 	char buf[512];
1195 	struct mgmt_rp_read_ext_info *rp = (void *)buf;
1196 	u16 eir_len;
1197 
1198 	bt_dev_dbg(hdev, "sock %p", sk);
1199 
1200 	memset(&buf, 0, sizeof(buf));
1201 
1202 	hci_dev_lock(hdev);
1203 
1204 	bacpy(&rp->bdaddr, &hdev->bdaddr);
1205 
1206 	rp->version = hdev->hci_ver;
1207 	rp->manufacturer = cpu_to_le16(hdev->manufacturer);
1208 
1209 	rp->supported_settings = cpu_to_le32(get_supported_settings(hdev));
1210 	rp->current_settings = cpu_to_le32(get_current_settings(hdev));
1211 
1212 
1213 	eir_len = append_eir_data_to_buf(hdev, rp->eir);
1214 	rp->eir_len = cpu_to_le16(eir_len);
1215 
1216 	hci_dev_unlock(hdev);
1217 
1218 	/* If this command is called at least once, then the events
1219 	 * for class of device and local name changes are disabled
1220 	 * and only the new extended controller information event
1221 	 * is used.
1222 	 */
1223 	hci_sock_set_flag(sk, HCI_MGMT_EXT_INFO_EVENTS);
1224 	hci_sock_clear_flag(sk, HCI_MGMT_DEV_CLASS_EVENTS);
1225 	hci_sock_clear_flag(sk, HCI_MGMT_LOCAL_NAME_EVENTS);
1226 
1227 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_EXT_INFO, 0, rp,
1228 				 sizeof(*rp) + eir_len);
1229 }
1230 
1231 static int ext_info_changed(struct hci_dev *hdev, struct sock *skip)
1232 {
1233 	char buf[512];
1234 	struct mgmt_ev_ext_info_changed *ev = (void *)buf;
1235 	u16 eir_len;
1236 
1237 	memset(buf, 0, sizeof(buf));
1238 
1239 	eir_len = append_eir_data_to_buf(hdev, ev->eir);
1240 	ev->eir_len = cpu_to_le16(eir_len);
1241 
1242 	return mgmt_limited_event(MGMT_EV_EXT_INFO_CHANGED, hdev, ev,
1243 				  sizeof(*ev) + eir_len,
1244 				  HCI_MGMT_EXT_INFO_EVENTS, skip);
1245 }
1246 
1247 static int send_settings_rsp(struct sock *sk, u16 opcode, struct hci_dev *hdev)
1248 {
1249 	__le32 settings = cpu_to_le32(get_current_settings(hdev));
1250 
1251 	return mgmt_cmd_complete(sk, hdev->id, opcode, 0, &settings,
1252 				 sizeof(settings));
1253 }
1254 
1255 void mgmt_advertising_added(struct sock *sk, struct hci_dev *hdev, u8 instance)
1256 {
1257 	struct mgmt_ev_advertising_added ev;
1258 
1259 	ev.instance = instance;
1260 
1261 	mgmt_event(MGMT_EV_ADVERTISING_ADDED, hdev, &ev, sizeof(ev), sk);
1262 }
1263 
1264 void mgmt_advertising_removed(struct sock *sk, struct hci_dev *hdev,
1265 			      u8 instance)
1266 {
1267 	struct mgmt_ev_advertising_removed ev;
1268 
1269 	ev.instance = instance;
1270 
1271 	mgmt_event(MGMT_EV_ADVERTISING_REMOVED, hdev, &ev, sizeof(ev), sk);
1272 }
1273 
1274 static void cancel_adv_timeout(struct hci_dev *hdev)
1275 {
1276 	if (hdev->adv_instance_timeout) {
1277 		hdev->adv_instance_timeout = 0;
1278 		cancel_delayed_work(&hdev->adv_instance_expire);
1279 	}
1280 }
1281 
1282 /* This function requires the caller holds hdev->lock */
1283 static void restart_le_actions(struct hci_dev *hdev)
1284 {
1285 	struct hci_conn_params *p;
1286 
1287 	list_for_each_entry(p, &hdev->le_conn_params, list) {
1288 		/* Needed for AUTO_OFF case where might not "really"
1289 		 * have been powered off.
1290 		 */
1291 		hci_pend_le_list_del_init(p);
1292 
1293 		switch (p->auto_connect) {
1294 		case HCI_AUTO_CONN_DIRECT:
1295 		case HCI_AUTO_CONN_ALWAYS:
1296 			hci_pend_le_list_add(p, &hdev->pend_le_conns);
1297 			break;
1298 		case HCI_AUTO_CONN_REPORT:
1299 			hci_pend_le_list_add(p, &hdev->pend_le_reports);
1300 			break;
1301 		default:
1302 			break;
1303 		}
1304 	}
1305 }
1306 
1307 static int new_settings(struct hci_dev *hdev, struct sock *skip)
1308 {
1309 	__le32 ev = cpu_to_le32(get_current_settings(hdev));
1310 
1311 	return mgmt_limited_event(MGMT_EV_NEW_SETTINGS, hdev, &ev,
1312 				  sizeof(ev), HCI_MGMT_SETTING_EVENTS, skip);
1313 }
1314 
1315 static void mgmt_set_powered_complete(struct hci_dev *hdev, void *data, int err)
1316 {
1317 	struct mgmt_pending_cmd *cmd = data;
1318 	struct mgmt_mode *cp;
1319 
1320 	/* Make sure cmd still outstanding. */
1321 	if (cmd != pending_find(MGMT_OP_SET_POWERED, hdev))
1322 		return;
1323 
1324 	cp = cmd->param;
1325 
1326 	bt_dev_dbg(hdev, "err %d", err);
1327 
1328 	if (!err) {
1329 		if (cp->val) {
1330 			hci_dev_lock(hdev);
1331 			restart_le_actions(hdev);
1332 			hci_update_passive_scan(hdev);
1333 			hci_dev_unlock(hdev);
1334 		}
1335 
1336 		send_settings_rsp(cmd->sk, cmd->opcode, hdev);
1337 
1338 		/* Only call new_setting for power on as power off is deferred
1339 		 * to hdev->power_off work which does call hci_dev_do_close.
1340 		 */
1341 		if (cp->val)
1342 			new_settings(hdev, cmd->sk);
1343 	} else {
1344 		mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_POWERED,
1345 				mgmt_status(err));
1346 	}
1347 
1348 	mgmt_pending_remove(cmd);
1349 }
1350 
1351 static int set_powered_sync(struct hci_dev *hdev, void *data)
1352 {
1353 	struct mgmt_pending_cmd *cmd = data;
1354 	struct mgmt_mode *cp = cmd->param;
1355 
1356 	BT_DBG("%s", hdev->name);
1357 
1358 	return hci_set_powered_sync(hdev, cp->val);
1359 }
1360 
1361 static int set_powered(struct sock *sk, struct hci_dev *hdev, void *data,
1362 		       u16 len)
1363 {
1364 	struct mgmt_mode *cp = data;
1365 	struct mgmt_pending_cmd *cmd;
1366 	int err;
1367 
1368 	bt_dev_dbg(hdev, "sock %p", sk);
1369 
1370 	if (cp->val != 0x00 && cp->val != 0x01)
1371 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_POWERED,
1372 				       MGMT_STATUS_INVALID_PARAMS);
1373 
1374 	hci_dev_lock(hdev);
1375 
1376 	if (!cp->val) {
1377 		if (hci_dev_test_flag(hdev, HCI_POWERING_DOWN)) {
1378 			err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_POWERED,
1379 					      MGMT_STATUS_BUSY);
1380 			goto failed;
1381 		}
1382 	}
1383 
1384 	if (pending_find(MGMT_OP_SET_POWERED, hdev)) {
1385 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_POWERED,
1386 				      MGMT_STATUS_BUSY);
1387 		goto failed;
1388 	}
1389 
1390 	if (!!cp->val == hdev_is_powered(hdev)) {
1391 		err = send_settings_rsp(sk, MGMT_OP_SET_POWERED, hdev);
1392 		goto failed;
1393 	}
1394 
1395 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_POWERED, hdev, data, len);
1396 	if (!cmd) {
1397 		err = -ENOMEM;
1398 		goto failed;
1399 	}
1400 
1401 	/* Cancel potentially blocking sync operation before power off */
1402 	if (cp->val == 0x00) {
1403 		hci_cmd_sync_cancel_sync(hdev, -EHOSTDOWN);
1404 		err = hci_cmd_sync_queue(hdev, set_powered_sync, cmd,
1405 					 mgmt_set_powered_complete);
1406 	} else {
1407 		/* Use hci_cmd_sync_submit since hdev might not be running */
1408 		err = hci_cmd_sync_submit(hdev, set_powered_sync, cmd,
1409 					  mgmt_set_powered_complete);
1410 	}
1411 
1412 	if (err < 0)
1413 		mgmt_pending_remove(cmd);
1414 
1415 failed:
1416 	hci_dev_unlock(hdev);
1417 	return err;
1418 }
1419 
1420 int mgmt_new_settings(struct hci_dev *hdev)
1421 {
1422 	return new_settings(hdev, NULL);
1423 }
1424 
1425 struct cmd_lookup {
1426 	struct sock *sk;
1427 	struct hci_dev *hdev;
1428 	u8 mgmt_status;
1429 };
1430 
1431 static void settings_rsp(struct mgmt_pending_cmd *cmd, void *data)
1432 {
1433 	struct cmd_lookup *match = data;
1434 
1435 	send_settings_rsp(cmd->sk, cmd->opcode, match->hdev);
1436 
1437 	list_del(&cmd->list);
1438 
1439 	if (match->sk == NULL) {
1440 		match->sk = cmd->sk;
1441 		sock_hold(match->sk);
1442 	}
1443 
1444 	mgmt_pending_free(cmd);
1445 }
1446 
1447 static void cmd_status_rsp(struct mgmt_pending_cmd *cmd, void *data)
1448 {
1449 	u8 *status = data;
1450 
1451 	mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, *status);
1452 	mgmt_pending_remove(cmd);
1453 }
1454 
1455 static void cmd_complete_rsp(struct mgmt_pending_cmd *cmd, void *data)
1456 {
1457 	if (cmd->cmd_complete) {
1458 		u8 *status = data;
1459 
1460 		cmd->cmd_complete(cmd, *status);
1461 		mgmt_pending_remove(cmd);
1462 
1463 		return;
1464 	}
1465 
1466 	cmd_status_rsp(cmd, data);
1467 }
1468 
1469 static int generic_cmd_complete(struct mgmt_pending_cmd *cmd, u8 status)
1470 {
1471 	return mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status,
1472 				 cmd->param, cmd->param_len);
1473 }
1474 
1475 static int addr_cmd_complete(struct mgmt_pending_cmd *cmd, u8 status)
1476 {
1477 	return mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status,
1478 				 cmd->param, sizeof(struct mgmt_addr_info));
1479 }
1480 
1481 static u8 mgmt_bredr_support(struct hci_dev *hdev)
1482 {
1483 	if (!lmp_bredr_capable(hdev))
1484 		return MGMT_STATUS_NOT_SUPPORTED;
1485 	else if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1486 		return MGMT_STATUS_REJECTED;
1487 	else
1488 		return MGMT_STATUS_SUCCESS;
1489 }
1490 
1491 static u8 mgmt_le_support(struct hci_dev *hdev)
1492 {
1493 	if (!lmp_le_capable(hdev))
1494 		return MGMT_STATUS_NOT_SUPPORTED;
1495 	else if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
1496 		return MGMT_STATUS_REJECTED;
1497 	else
1498 		return MGMT_STATUS_SUCCESS;
1499 }
1500 
1501 static void mgmt_set_discoverable_complete(struct hci_dev *hdev, void *data,
1502 					   int err)
1503 {
1504 	struct mgmt_pending_cmd *cmd = data;
1505 
1506 	bt_dev_dbg(hdev, "err %d", err);
1507 
1508 	/* Make sure cmd still outstanding. */
1509 	if (cmd != pending_find(MGMT_OP_SET_DISCOVERABLE, hdev))
1510 		return;
1511 
1512 	hci_dev_lock(hdev);
1513 
1514 	if (err) {
1515 		u8 mgmt_err = mgmt_status(err);
1516 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
1517 		hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1518 		goto done;
1519 	}
1520 
1521 	if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE) &&
1522 	    hdev->discov_timeout > 0) {
1523 		int to = msecs_to_jiffies(hdev->discov_timeout * 1000);
1524 		queue_delayed_work(hdev->req_workqueue, &hdev->discov_off, to);
1525 	}
1526 
1527 	send_settings_rsp(cmd->sk, MGMT_OP_SET_DISCOVERABLE, hdev);
1528 	new_settings(hdev, cmd->sk);
1529 
1530 done:
1531 	mgmt_pending_remove(cmd);
1532 	hci_dev_unlock(hdev);
1533 }
1534 
1535 static int set_discoverable_sync(struct hci_dev *hdev, void *data)
1536 {
1537 	BT_DBG("%s", hdev->name);
1538 
1539 	return hci_update_discoverable_sync(hdev);
1540 }
1541 
1542 static int set_discoverable(struct sock *sk, struct hci_dev *hdev, void *data,
1543 			    u16 len)
1544 {
1545 	struct mgmt_cp_set_discoverable *cp = data;
1546 	struct mgmt_pending_cmd *cmd;
1547 	u16 timeout;
1548 	int err;
1549 
1550 	bt_dev_dbg(hdev, "sock %p", sk);
1551 
1552 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED) &&
1553 	    !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1554 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1555 				       MGMT_STATUS_REJECTED);
1556 
1557 	if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
1558 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1559 				       MGMT_STATUS_INVALID_PARAMS);
1560 
1561 	timeout = __le16_to_cpu(cp->timeout);
1562 
1563 	/* Disabling discoverable requires that no timeout is set,
1564 	 * and enabling limited discoverable requires a timeout.
1565 	 */
1566 	if ((cp->val == 0x00 && timeout > 0) ||
1567 	    (cp->val == 0x02 && timeout == 0))
1568 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1569 				       MGMT_STATUS_INVALID_PARAMS);
1570 
1571 	hci_dev_lock(hdev);
1572 
1573 	if (!hdev_is_powered(hdev) && timeout > 0) {
1574 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1575 				      MGMT_STATUS_NOT_POWERED);
1576 		goto failed;
1577 	}
1578 
1579 	if (pending_find(MGMT_OP_SET_DISCOVERABLE, hdev) ||
1580 	    pending_find(MGMT_OP_SET_CONNECTABLE, hdev)) {
1581 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1582 				      MGMT_STATUS_BUSY);
1583 		goto failed;
1584 	}
1585 
1586 	if (!hci_dev_test_flag(hdev, HCI_CONNECTABLE)) {
1587 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1588 				      MGMT_STATUS_REJECTED);
1589 		goto failed;
1590 	}
1591 
1592 	if (hdev->advertising_paused) {
1593 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1594 				      MGMT_STATUS_BUSY);
1595 		goto failed;
1596 	}
1597 
1598 	if (!hdev_is_powered(hdev)) {
1599 		bool changed = false;
1600 
1601 		/* Setting limited discoverable when powered off is
1602 		 * not a valid operation since it requires a timeout
1603 		 * and so no need to check HCI_LIMITED_DISCOVERABLE.
1604 		 */
1605 		if (!!cp->val != hci_dev_test_flag(hdev, HCI_DISCOVERABLE)) {
1606 			hci_dev_change_flag(hdev, HCI_DISCOVERABLE);
1607 			changed = true;
1608 		}
1609 
1610 		err = send_settings_rsp(sk, MGMT_OP_SET_DISCOVERABLE, hdev);
1611 		if (err < 0)
1612 			goto failed;
1613 
1614 		if (changed)
1615 			err = new_settings(hdev, sk);
1616 
1617 		goto failed;
1618 	}
1619 
1620 	/* If the current mode is the same, then just update the timeout
1621 	 * value with the new value. And if only the timeout gets updated,
1622 	 * then no need for any HCI transactions.
1623 	 */
1624 	if (!!cp->val == hci_dev_test_flag(hdev, HCI_DISCOVERABLE) &&
1625 	    (cp->val == 0x02) == hci_dev_test_flag(hdev,
1626 						   HCI_LIMITED_DISCOVERABLE)) {
1627 		cancel_delayed_work(&hdev->discov_off);
1628 		hdev->discov_timeout = timeout;
1629 
1630 		if (cp->val && hdev->discov_timeout > 0) {
1631 			int to = msecs_to_jiffies(hdev->discov_timeout * 1000);
1632 			queue_delayed_work(hdev->req_workqueue,
1633 					   &hdev->discov_off, to);
1634 		}
1635 
1636 		err = send_settings_rsp(sk, MGMT_OP_SET_DISCOVERABLE, hdev);
1637 		goto failed;
1638 	}
1639 
1640 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_DISCOVERABLE, hdev, data, len);
1641 	if (!cmd) {
1642 		err = -ENOMEM;
1643 		goto failed;
1644 	}
1645 
1646 	/* Cancel any potential discoverable timeout that might be
1647 	 * still active and store new timeout value. The arming of
1648 	 * the timeout happens in the complete handler.
1649 	 */
1650 	cancel_delayed_work(&hdev->discov_off);
1651 	hdev->discov_timeout = timeout;
1652 
1653 	if (cp->val)
1654 		hci_dev_set_flag(hdev, HCI_DISCOVERABLE);
1655 	else
1656 		hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1657 
1658 	/* Limited discoverable mode */
1659 	if (cp->val == 0x02)
1660 		hci_dev_set_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1661 	else
1662 		hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1663 
1664 	err = hci_cmd_sync_queue(hdev, set_discoverable_sync, cmd,
1665 				 mgmt_set_discoverable_complete);
1666 
1667 	if (err < 0)
1668 		mgmt_pending_remove(cmd);
1669 
1670 failed:
1671 	hci_dev_unlock(hdev);
1672 	return err;
1673 }
1674 
1675 static void mgmt_set_connectable_complete(struct hci_dev *hdev, void *data,
1676 					  int err)
1677 {
1678 	struct mgmt_pending_cmd *cmd = data;
1679 
1680 	bt_dev_dbg(hdev, "err %d", err);
1681 
1682 	/* Make sure cmd still outstanding. */
1683 	if (cmd != pending_find(MGMT_OP_SET_CONNECTABLE, hdev))
1684 		return;
1685 
1686 	hci_dev_lock(hdev);
1687 
1688 	if (err) {
1689 		u8 mgmt_err = mgmt_status(err);
1690 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
1691 		goto done;
1692 	}
1693 
1694 	send_settings_rsp(cmd->sk, MGMT_OP_SET_CONNECTABLE, hdev);
1695 	new_settings(hdev, cmd->sk);
1696 
1697 done:
1698 	mgmt_pending_remove(cmd);
1699 
1700 	hci_dev_unlock(hdev);
1701 }
1702 
1703 static int set_connectable_update_settings(struct hci_dev *hdev,
1704 					   struct sock *sk, u8 val)
1705 {
1706 	bool changed = false;
1707 	int err;
1708 
1709 	if (!!val != hci_dev_test_flag(hdev, HCI_CONNECTABLE))
1710 		changed = true;
1711 
1712 	if (val) {
1713 		hci_dev_set_flag(hdev, HCI_CONNECTABLE);
1714 	} else {
1715 		hci_dev_clear_flag(hdev, HCI_CONNECTABLE);
1716 		hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1717 	}
1718 
1719 	err = send_settings_rsp(sk, MGMT_OP_SET_CONNECTABLE, hdev);
1720 	if (err < 0)
1721 		return err;
1722 
1723 	if (changed) {
1724 		hci_update_scan(hdev);
1725 		hci_update_passive_scan(hdev);
1726 		return new_settings(hdev, sk);
1727 	}
1728 
1729 	return 0;
1730 }
1731 
1732 static int set_connectable_sync(struct hci_dev *hdev, void *data)
1733 {
1734 	BT_DBG("%s", hdev->name);
1735 
1736 	return hci_update_connectable_sync(hdev);
1737 }
1738 
1739 static int set_connectable(struct sock *sk, struct hci_dev *hdev, void *data,
1740 			   u16 len)
1741 {
1742 	struct mgmt_mode *cp = data;
1743 	struct mgmt_pending_cmd *cmd;
1744 	int err;
1745 
1746 	bt_dev_dbg(hdev, "sock %p", sk);
1747 
1748 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED) &&
1749 	    !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1750 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_CONNECTABLE,
1751 				       MGMT_STATUS_REJECTED);
1752 
1753 	if (cp->val != 0x00 && cp->val != 0x01)
1754 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_CONNECTABLE,
1755 				       MGMT_STATUS_INVALID_PARAMS);
1756 
1757 	hci_dev_lock(hdev);
1758 
1759 	if (!hdev_is_powered(hdev)) {
1760 		err = set_connectable_update_settings(hdev, sk, cp->val);
1761 		goto failed;
1762 	}
1763 
1764 	if (pending_find(MGMT_OP_SET_DISCOVERABLE, hdev) ||
1765 	    pending_find(MGMT_OP_SET_CONNECTABLE, hdev)) {
1766 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_CONNECTABLE,
1767 				      MGMT_STATUS_BUSY);
1768 		goto failed;
1769 	}
1770 
1771 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_CONNECTABLE, hdev, data, len);
1772 	if (!cmd) {
1773 		err = -ENOMEM;
1774 		goto failed;
1775 	}
1776 
1777 	if (cp->val) {
1778 		hci_dev_set_flag(hdev, HCI_CONNECTABLE);
1779 	} else {
1780 		if (hdev->discov_timeout > 0)
1781 			cancel_delayed_work(&hdev->discov_off);
1782 
1783 		hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1784 		hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1785 		hci_dev_clear_flag(hdev, HCI_CONNECTABLE);
1786 	}
1787 
1788 	err = hci_cmd_sync_queue(hdev, set_connectable_sync, cmd,
1789 				 mgmt_set_connectable_complete);
1790 
1791 	if (err < 0)
1792 		mgmt_pending_remove(cmd);
1793 
1794 failed:
1795 	hci_dev_unlock(hdev);
1796 	return err;
1797 }
1798 
1799 static int set_bondable(struct sock *sk, struct hci_dev *hdev, void *data,
1800 			u16 len)
1801 {
1802 	struct mgmt_mode *cp = data;
1803 	bool changed;
1804 	int err;
1805 
1806 	bt_dev_dbg(hdev, "sock %p", sk);
1807 
1808 	if (cp->val != 0x00 && cp->val != 0x01)
1809 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BONDABLE,
1810 				       MGMT_STATUS_INVALID_PARAMS);
1811 
1812 	hci_dev_lock(hdev);
1813 
1814 	if (cp->val)
1815 		changed = !hci_dev_test_and_set_flag(hdev, HCI_BONDABLE);
1816 	else
1817 		changed = hci_dev_test_and_clear_flag(hdev, HCI_BONDABLE);
1818 
1819 	err = send_settings_rsp(sk, MGMT_OP_SET_BONDABLE, hdev);
1820 	if (err < 0)
1821 		goto unlock;
1822 
1823 	if (changed) {
1824 		/* In limited privacy mode the change of bondable mode
1825 		 * may affect the local advertising address.
1826 		 */
1827 		hci_update_discoverable(hdev);
1828 
1829 		err = new_settings(hdev, sk);
1830 	}
1831 
1832 unlock:
1833 	hci_dev_unlock(hdev);
1834 	return err;
1835 }
1836 
1837 static int set_link_security(struct sock *sk, struct hci_dev *hdev, void *data,
1838 			     u16 len)
1839 {
1840 	struct mgmt_mode *cp = data;
1841 	struct mgmt_pending_cmd *cmd;
1842 	u8 val, status;
1843 	int err;
1844 
1845 	bt_dev_dbg(hdev, "sock %p", sk);
1846 
1847 	status = mgmt_bredr_support(hdev);
1848 	if (status)
1849 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY,
1850 				       status);
1851 
1852 	if (cp->val != 0x00 && cp->val != 0x01)
1853 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY,
1854 				       MGMT_STATUS_INVALID_PARAMS);
1855 
1856 	hci_dev_lock(hdev);
1857 
1858 	if (!hdev_is_powered(hdev)) {
1859 		bool changed = false;
1860 
1861 		if (!!cp->val != hci_dev_test_flag(hdev, HCI_LINK_SECURITY)) {
1862 			hci_dev_change_flag(hdev, HCI_LINK_SECURITY);
1863 			changed = true;
1864 		}
1865 
1866 		err = send_settings_rsp(sk, MGMT_OP_SET_LINK_SECURITY, hdev);
1867 		if (err < 0)
1868 			goto failed;
1869 
1870 		if (changed)
1871 			err = new_settings(hdev, sk);
1872 
1873 		goto failed;
1874 	}
1875 
1876 	if (pending_find(MGMT_OP_SET_LINK_SECURITY, hdev)) {
1877 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY,
1878 				      MGMT_STATUS_BUSY);
1879 		goto failed;
1880 	}
1881 
1882 	val = !!cp->val;
1883 
1884 	if (test_bit(HCI_AUTH, &hdev->flags) == val) {
1885 		err = send_settings_rsp(sk, MGMT_OP_SET_LINK_SECURITY, hdev);
1886 		goto failed;
1887 	}
1888 
1889 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_LINK_SECURITY, hdev, data, len);
1890 	if (!cmd) {
1891 		err = -ENOMEM;
1892 		goto failed;
1893 	}
1894 
1895 	err = hci_send_cmd(hdev, HCI_OP_WRITE_AUTH_ENABLE, sizeof(val), &val);
1896 	if (err < 0) {
1897 		mgmt_pending_remove(cmd);
1898 		goto failed;
1899 	}
1900 
1901 failed:
1902 	hci_dev_unlock(hdev);
1903 	return err;
1904 }
1905 
1906 static void set_ssp_complete(struct hci_dev *hdev, void *data, int err)
1907 {
1908 	struct cmd_lookup match = { NULL, hdev };
1909 	struct mgmt_pending_cmd *cmd = data;
1910 	struct mgmt_mode *cp = cmd->param;
1911 	u8 enable = cp->val;
1912 	bool changed;
1913 
1914 	/* Make sure cmd still outstanding. */
1915 	if (cmd != pending_find(MGMT_OP_SET_SSP, hdev))
1916 		return;
1917 
1918 	if (err) {
1919 		u8 mgmt_err = mgmt_status(err);
1920 
1921 		if (enable && hci_dev_test_and_clear_flag(hdev,
1922 							  HCI_SSP_ENABLED)) {
1923 			new_settings(hdev, NULL);
1924 		}
1925 
1926 		mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, cmd_status_rsp,
1927 				     &mgmt_err);
1928 		return;
1929 	}
1930 
1931 	if (enable) {
1932 		changed = !hci_dev_test_and_set_flag(hdev, HCI_SSP_ENABLED);
1933 	} else {
1934 		changed = hci_dev_test_and_clear_flag(hdev, HCI_SSP_ENABLED);
1935 	}
1936 
1937 	mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, settings_rsp, &match);
1938 
1939 	if (changed)
1940 		new_settings(hdev, match.sk);
1941 
1942 	if (match.sk)
1943 		sock_put(match.sk);
1944 
1945 	hci_update_eir_sync(hdev);
1946 }
1947 
1948 static int set_ssp_sync(struct hci_dev *hdev, void *data)
1949 {
1950 	struct mgmt_pending_cmd *cmd = data;
1951 	struct mgmt_mode *cp = cmd->param;
1952 	bool changed = false;
1953 	int err;
1954 
1955 	if (cp->val)
1956 		changed = !hci_dev_test_and_set_flag(hdev, HCI_SSP_ENABLED);
1957 
1958 	err = hci_write_ssp_mode_sync(hdev, cp->val);
1959 
1960 	if (!err && changed)
1961 		hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
1962 
1963 	return err;
1964 }
1965 
1966 static int set_ssp(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
1967 {
1968 	struct mgmt_mode *cp = data;
1969 	struct mgmt_pending_cmd *cmd;
1970 	u8 status;
1971 	int err;
1972 
1973 	bt_dev_dbg(hdev, "sock %p", sk);
1974 
1975 	status = mgmt_bredr_support(hdev);
1976 	if (status)
1977 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP, status);
1978 
1979 	if (!lmp_ssp_capable(hdev))
1980 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
1981 				       MGMT_STATUS_NOT_SUPPORTED);
1982 
1983 	if (cp->val != 0x00 && cp->val != 0x01)
1984 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
1985 				       MGMT_STATUS_INVALID_PARAMS);
1986 
1987 	hci_dev_lock(hdev);
1988 
1989 	if (!hdev_is_powered(hdev)) {
1990 		bool changed;
1991 
1992 		if (cp->val) {
1993 			changed = !hci_dev_test_and_set_flag(hdev,
1994 							     HCI_SSP_ENABLED);
1995 		} else {
1996 			changed = hci_dev_test_and_clear_flag(hdev,
1997 							      HCI_SSP_ENABLED);
1998 		}
1999 
2000 		err = send_settings_rsp(sk, MGMT_OP_SET_SSP, hdev);
2001 		if (err < 0)
2002 			goto failed;
2003 
2004 		if (changed)
2005 			err = new_settings(hdev, sk);
2006 
2007 		goto failed;
2008 	}
2009 
2010 	if (pending_find(MGMT_OP_SET_SSP, hdev)) {
2011 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
2012 				      MGMT_STATUS_BUSY);
2013 		goto failed;
2014 	}
2015 
2016 	if (!!cp->val == hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
2017 		err = send_settings_rsp(sk, MGMT_OP_SET_SSP, hdev);
2018 		goto failed;
2019 	}
2020 
2021 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_SSP, hdev, data, len);
2022 	if (!cmd)
2023 		err = -ENOMEM;
2024 	else
2025 		err = hci_cmd_sync_queue(hdev, set_ssp_sync, cmd,
2026 					 set_ssp_complete);
2027 
2028 	if (err < 0) {
2029 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
2030 				      MGMT_STATUS_FAILED);
2031 
2032 		if (cmd)
2033 			mgmt_pending_remove(cmd);
2034 	}
2035 
2036 failed:
2037 	hci_dev_unlock(hdev);
2038 	return err;
2039 }
2040 
2041 static int set_hs(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
2042 {
2043 	bt_dev_dbg(hdev, "sock %p", sk);
2044 
2045 	return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
2046 				       MGMT_STATUS_NOT_SUPPORTED);
2047 }
2048 
2049 static void set_le_complete(struct hci_dev *hdev, void *data, int err)
2050 {
2051 	struct cmd_lookup match = { NULL, hdev };
2052 	u8 status = mgmt_status(err);
2053 
2054 	bt_dev_dbg(hdev, "err %d", err);
2055 
2056 	if (status) {
2057 		mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, cmd_status_rsp,
2058 							&status);
2059 		return;
2060 	}
2061 
2062 	mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, settings_rsp, &match);
2063 
2064 	new_settings(hdev, match.sk);
2065 
2066 	if (match.sk)
2067 		sock_put(match.sk);
2068 }
2069 
2070 static int set_le_sync(struct hci_dev *hdev, void *data)
2071 {
2072 	struct mgmt_pending_cmd *cmd = data;
2073 	struct mgmt_mode *cp = cmd->param;
2074 	u8 val = !!cp->val;
2075 	int err;
2076 
2077 	if (!val) {
2078 		hci_clear_adv_instance_sync(hdev, NULL, 0x00, true);
2079 
2080 		if (hci_dev_test_flag(hdev, HCI_LE_ADV))
2081 			hci_disable_advertising_sync(hdev);
2082 
2083 		if (ext_adv_capable(hdev))
2084 			hci_remove_ext_adv_instance_sync(hdev, 0, cmd->sk);
2085 	} else {
2086 		hci_dev_set_flag(hdev, HCI_LE_ENABLED);
2087 	}
2088 
2089 	err = hci_write_le_host_supported_sync(hdev, val, 0);
2090 
2091 	/* Make sure the controller has a good default for
2092 	 * advertising data. Restrict the update to when LE
2093 	 * has actually been enabled. During power on, the
2094 	 * update in powered_update_hci will take care of it.
2095 	 */
2096 	if (!err && hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
2097 		if (ext_adv_capable(hdev)) {
2098 			int status;
2099 
2100 			status = hci_setup_ext_adv_instance_sync(hdev, 0x00);
2101 			if (!status)
2102 				hci_update_scan_rsp_data_sync(hdev, 0x00);
2103 		} else {
2104 			hci_update_adv_data_sync(hdev, 0x00);
2105 			hci_update_scan_rsp_data_sync(hdev, 0x00);
2106 		}
2107 
2108 		hci_update_passive_scan(hdev);
2109 	}
2110 
2111 	return err;
2112 }
2113 
2114 static void set_mesh_complete(struct hci_dev *hdev, void *data, int err)
2115 {
2116 	struct mgmt_pending_cmd *cmd = data;
2117 	u8 status = mgmt_status(err);
2118 	struct sock *sk = cmd->sk;
2119 
2120 	if (status) {
2121 		mgmt_pending_foreach(MGMT_OP_SET_MESH_RECEIVER, hdev,
2122 				     cmd_status_rsp, &status);
2123 		return;
2124 	}
2125 
2126 	mgmt_pending_remove(cmd);
2127 	mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER, 0, NULL, 0);
2128 }
2129 
2130 static int set_mesh_sync(struct hci_dev *hdev, void *data)
2131 {
2132 	struct mgmt_pending_cmd *cmd = data;
2133 	struct mgmt_cp_set_mesh *cp = cmd->param;
2134 	size_t len = cmd->param_len;
2135 
2136 	memset(hdev->mesh_ad_types, 0, sizeof(hdev->mesh_ad_types));
2137 
2138 	if (cp->enable)
2139 		hci_dev_set_flag(hdev, HCI_MESH);
2140 	else
2141 		hci_dev_clear_flag(hdev, HCI_MESH);
2142 
2143 	len -= sizeof(*cp);
2144 
2145 	/* If filters don't fit, forward all adv pkts */
2146 	if (len <= sizeof(hdev->mesh_ad_types))
2147 		memcpy(hdev->mesh_ad_types, cp->ad_types, len);
2148 
2149 	hci_update_passive_scan_sync(hdev);
2150 	return 0;
2151 }
2152 
2153 static int set_mesh(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
2154 {
2155 	struct mgmt_cp_set_mesh *cp = data;
2156 	struct mgmt_pending_cmd *cmd;
2157 	int err = 0;
2158 
2159 	bt_dev_dbg(hdev, "sock %p", sk);
2160 
2161 	if (!lmp_le_capable(hdev) ||
2162 	    !hci_dev_test_flag(hdev, HCI_MESH_EXPERIMENTAL))
2163 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER,
2164 				       MGMT_STATUS_NOT_SUPPORTED);
2165 
2166 	if (cp->enable != 0x00 && cp->enable != 0x01)
2167 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER,
2168 				       MGMT_STATUS_INVALID_PARAMS);
2169 
2170 	hci_dev_lock(hdev);
2171 
2172 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_MESH_RECEIVER, hdev, data, len);
2173 	if (!cmd)
2174 		err = -ENOMEM;
2175 	else
2176 		err = hci_cmd_sync_queue(hdev, set_mesh_sync, cmd,
2177 					 set_mesh_complete);
2178 
2179 	if (err < 0) {
2180 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER,
2181 				      MGMT_STATUS_FAILED);
2182 
2183 		if (cmd)
2184 			mgmt_pending_remove(cmd);
2185 	}
2186 
2187 	hci_dev_unlock(hdev);
2188 	return err;
2189 }
2190 
2191 static void mesh_send_start_complete(struct hci_dev *hdev, void *data, int err)
2192 {
2193 	struct mgmt_mesh_tx *mesh_tx = data;
2194 	struct mgmt_cp_mesh_send *send = (void *)mesh_tx->param;
2195 	unsigned long mesh_send_interval;
2196 	u8 mgmt_err = mgmt_status(err);
2197 
2198 	/* Report any errors here, but don't report completion */
2199 
2200 	if (mgmt_err) {
2201 		hci_dev_clear_flag(hdev, HCI_MESH_SENDING);
2202 		/* Send Complete Error Code for handle */
2203 		mesh_send_complete(hdev, mesh_tx, false);
2204 		return;
2205 	}
2206 
2207 	mesh_send_interval = msecs_to_jiffies((send->cnt) * 25);
2208 	queue_delayed_work(hdev->req_workqueue, &hdev->mesh_send_done,
2209 			   mesh_send_interval);
2210 }
2211 
2212 static int mesh_send_sync(struct hci_dev *hdev, void *data)
2213 {
2214 	struct mgmt_mesh_tx *mesh_tx = data;
2215 	struct mgmt_cp_mesh_send *send = (void *)mesh_tx->param;
2216 	struct adv_info *adv, *next_instance;
2217 	u8 instance = hdev->le_num_of_adv_sets + 1;
2218 	u16 timeout, duration;
2219 	int err = 0;
2220 
2221 	if (hdev->le_num_of_adv_sets <= hdev->adv_instance_cnt)
2222 		return MGMT_STATUS_BUSY;
2223 
2224 	timeout = 1000;
2225 	duration = send->cnt * INTERVAL_TO_MS(hdev->le_adv_max_interval);
2226 	adv = hci_add_adv_instance(hdev, instance, 0,
2227 				   send->adv_data_len, send->adv_data,
2228 				   0, NULL,
2229 				   timeout, duration,
2230 				   HCI_ADV_TX_POWER_NO_PREFERENCE,
2231 				   hdev->le_adv_min_interval,
2232 				   hdev->le_adv_max_interval,
2233 				   mesh_tx->handle);
2234 
2235 	if (!IS_ERR(adv))
2236 		mesh_tx->instance = instance;
2237 	else
2238 		err = PTR_ERR(adv);
2239 
2240 	if (hdev->cur_adv_instance == instance) {
2241 		/* If the currently advertised instance is being changed then
2242 		 * cancel the current advertising and schedule the next
2243 		 * instance. If there is only one instance then the overridden
2244 		 * advertising data will be visible right away.
2245 		 */
2246 		cancel_adv_timeout(hdev);
2247 
2248 		next_instance = hci_get_next_instance(hdev, instance);
2249 		if (next_instance)
2250 			instance = next_instance->instance;
2251 		else
2252 			instance = 0;
2253 	} else if (hdev->adv_instance_timeout) {
2254 		/* Immediately advertise the new instance if no other, or
2255 		 * let it go naturally from queue if ADV is already happening
2256 		 */
2257 		instance = 0;
2258 	}
2259 
2260 	if (instance)
2261 		return hci_schedule_adv_instance_sync(hdev, instance, true);
2262 
2263 	return err;
2264 }
2265 
2266 static void send_count(struct mgmt_mesh_tx *mesh_tx, void *data)
2267 {
2268 	struct mgmt_rp_mesh_read_features *rp = data;
2269 
2270 	if (rp->used_handles >= rp->max_handles)
2271 		return;
2272 
2273 	rp->handles[rp->used_handles++] = mesh_tx->handle;
2274 }
2275 
2276 static int mesh_features(struct sock *sk, struct hci_dev *hdev,
2277 			 void *data, u16 len)
2278 {
2279 	struct mgmt_rp_mesh_read_features rp;
2280 
2281 	if (!lmp_le_capable(hdev) ||
2282 	    !hci_dev_test_flag(hdev, HCI_MESH_EXPERIMENTAL))
2283 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_MESH_READ_FEATURES,
2284 				       MGMT_STATUS_NOT_SUPPORTED);
2285 
2286 	memset(&rp, 0, sizeof(rp));
2287 	rp.index = cpu_to_le16(hdev->id);
2288 	if (hci_dev_test_flag(hdev, HCI_LE_ENABLED))
2289 		rp.max_handles = MESH_HANDLES_MAX;
2290 
2291 	hci_dev_lock(hdev);
2292 
2293 	if (rp.max_handles)
2294 		mgmt_mesh_foreach(hdev, send_count, &rp, sk);
2295 
2296 	mgmt_cmd_complete(sk, hdev->id, MGMT_OP_MESH_READ_FEATURES, 0, &rp,
2297 			  rp.used_handles + sizeof(rp) - MESH_HANDLES_MAX);
2298 
2299 	hci_dev_unlock(hdev);
2300 	return 0;
2301 }
2302 
2303 static int send_cancel(struct hci_dev *hdev, void *data)
2304 {
2305 	struct mgmt_pending_cmd *cmd = data;
2306 	struct mgmt_cp_mesh_send_cancel *cancel = (void *)cmd->param;
2307 	struct mgmt_mesh_tx *mesh_tx;
2308 
2309 	if (!cancel->handle) {
2310 		do {
2311 			mesh_tx = mgmt_mesh_next(hdev, cmd->sk);
2312 
2313 			if (mesh_tx)
2314 				mesh_send_complete(hdev, mesh_tx, false);
2315 		} while (mesh_tx);
2316 	} else {
2317 		mesh_tx = mgmt_mesh_find(hdev, cancel->handle);
2318 
2319 		if (mesh_tx && mesh_tx->sk == cmd->sk)
2320 			mesh_send_complete(hdev, mesh_tx, false);
2321 	}
2322 
2323 	mgmt_cmd_complete(cmd->sk, hdev->id, MGMT_OP_MESH_SEND_CANCEL,
2324 			  0, NULL, 0);
2325 	mgmt_pending_free(cmd);
2326 
2327 	return 0;
2328 }
2329 
2330 static int mesh_send_cancel(struct sock *sk, struct hci_dev *hdev,
2331 			    void *data, u16 len)
2332 {
2333 	struct mgmt_pending_cmd *cmd;
2334 	int err;
2335 
2336 	if (!lmp_le_capable(hdev) ||
2337 	    !hci_dev_test_flag(hdev, HCI_MESH_EXPERIMENTAL))
2338 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_MESH_SEND_CANCEL,
2339 				       MGMT_STATUS_NOT_SUPPORTED);
2340 
2341 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
2342 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_MESH_SEND_CANCEL,
2343 				       MGMT_STATUS_REJECTED);
2344 
2345 	hci_dev_lock(hdev);
2346 	cmd = mgmt_pending_new(sk, MGMT_OP_MESH_SEND_CANCEL, hdev, data, len);
2347 	if (!cmd)
2348 		err = -ENOMEM;
2349 	else
2350 		err = hci_cmd_sync_queue(hdev, send_cancel, cmd, NULL);
2351 
2352 	if (err < 0) {
2353 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_MESH_SEND_CANCEL,
2354 				      MGMT_STATUS_FAILED);
2355 
2356 		if (cmd)
2357 			mgmt_pending_free(cmd);
2358 	}
2359 
2360 	hci_dev_unlock(hdev);
2361 	return err;
2362 }
2363 
2364 static int mesh_send(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
2365 {
2366 	struct mgmt_mesh_tx *mesh_tx;
2367 	struct mgmt_cp_mesh_send *send = data;
2368 	struct mgmt_rp_mesh_read_features rp;
2369 	bool sending;
2370 	int err = 0;
2371 
2372 	if (!lmp_le_capable(hdev) ||
2373 	    !hci_dev_test_flag(hdev, HCI_MESH_EXPERIMENTAL))
2374 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_MESH_SEND,
2375 				       MGMT_STATUS_NOT_SUPPORTED);
2376 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED) ||
2377 	    len <= MGMT_MESH_SEND_SIZE ||
2378 	    len > (MGMT_MESH_SEND_SIZE + 31))
2379 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_MESH_SEND,
2380 				       MGMT_STATUS_REJECTED);
2381 
2382 	hci_dev_lock(hdev);
2383 
2384 	memset(&rp, 0, sizeof(rp));
2385 	rp.max_handles = MESH_HANDLES_MAX;
2386 
2387 	mgmt_mesh_foreach(hdev, send_count, &rp, sk);
2388 
2389 	if (rp.max_handles <= rp.used_handles) {
2390 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_MESH_SEND,
2391 				      MGMT_STATUS_BUSY);
2392 		goto done;
2393 	}
2394 
2395 	sending = hci_dev_test_flag(hdev, HCI_MESH_SENDING);
2396 	mesh_tx = mgmt_mesh_add(sk, hdev, send, len);
2397 
2398 	if (!mesh_tx)
2399 		err = -ENOMEM;
2400 	else if (!sending)
2401 		err = hci_cmd_sync_queue(hdev, mesh_send_sync, mesh_tx,
2402 					 mesh_send_start_complete);
2403 
2404 	if (err < 0) {
2405 		bt_dev_err(hdev, "Send Mesh Failed %d", err);
2406 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_MESH_SEND,
2407 				      MGMT_STATUS_FAILED);
2408 
2409 		if (mesh_tx) {
2410 			if (sending)
2411 				mgmt_mesh_remove(mesh_tx);
2412 		}
2413 	} else {
2414 		hci_dev_set_flag(hdev, HCI_MESH_SENDING);
2415 
2416 		mgmt_cmd_complete(sk, hdev->id, MGMT_OP_MESH_SEND, 0,
2417 				  &mesh_tx->handle, 1);
2418 	}
2419 
2420 done:
2421 	hci_dev_unlock(hdev);
2422 	return err;
2423 }
2424 
2425 static int set_le(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
2426 {
2427 	struct mgmt_mode *cp = data;
2428 	struct mgmt_pending_cmd *cmd;
2429 	int err;
2430 	u8 val, enabled;
2431 
2432 	bt_dev_dbg(hdev, "sock %p", sk);
2433 
2434 	if (!lmp_le_capable(hdev))
2435 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
2436 				       MGMT_STATUS_NOT_SUPPORTED);
2437 
2438 	if (cp->val != 0x00 && cp->val != 0x01)
2439 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
2440 				       MGMT_STATUS_INVALID_PARAMS);
2441 
2442 	/* Bluetooth single mode LE only controllers or dual-mode
2443 	 * controllers configured as LE only devices, do not allow
2444 	 * switching LE off. These have either LE enabled explicitly
2445 	 * or BR/EDR has been previously switched off.
2446 	 *
2447 	 * When trying to enable an already enabled LE, then gracefully
2448 	 * send a positive response. Trying to disable it however will
2449 	 * result into rejection.
2450 	 */
2451 	if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
2452 		if (cp->val == 0x01)
2453 			return send_settings_rsp(sk, MGMT_OP_SET_LE, hdev);
2454 
2455 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
2456 				       MGMT_STATUS_REJECTED);
2457 	}
2458 
2459 	hci_dev_lock(hdev);
2460 
2461 	val = !!cp->val;
2462 	enabled = lmp_host_le_capable(hdev);
2463 
2464 	if (!hdev_is_powered(hdev) || val == enabled) {
2465 		bool changed = false;
2466 
2467 		if (val != hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
2468 			hci_dev_change_flag(hdev, HCI_LE_ENABLED);
2469 			changed = true;
2470 		}
2471 
2472 		if (!val && hci_dev_test_flag(hdev, HCI_ADVERTISING)) {
2473 			hci_dev_clear_flag(hdev, HCI_ADVERTISING);
2474 			changed = true;
2475 		}
2476 
2477 		err = send_settings_rsp(sk, MGMT_OP_SET_LE, hdev);
2478 		if (err < 0)
2479 			goto unlock;
2480 
2481 		if (changed)
2482 			err = new_settings(hdev, sk);
2483 
2484 		goto unlock;
2485 	}
2486 
2487 	if (pending_find(MGMT_OP_SET_LE, hdev) ||
2488 	    pending_find(MGMT_OP_SET_ADVERTISING, hdev)) {
2489 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
2490 				      MGMT_STATUS_BUSY);
2491 		goto unlock;
2492 	}
2493 
2494 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_LE, hdev, data, len);
2495 	if (!cmd)
2496 		err = -ENOMEM;
2497 	else
2498 		err = hci_cmd_sync_queue(hdev, set_le_sync, cmd,
2499 					 set_le_complete);
2500 
2501 	if (err < 0) {
2502 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
2503 				      MGMT_STATUS_FAILED);
2504 
2505 		if (cmd)
2506 			mgmt_pending_remove(cmd);
2507 	}
2508 
2509 unlock:
2510 	hci_dev_unlock(hdev);
2511 	return err;
2512 }
2513 
2514 /* This is a helper function to test for pending mgmt commands that can
2515  * cause CoD or EIR HCI commands. We can only allow one such pending
2516  * mgmt command at a time since otherwise we cannot easily track what
2517  * the current values are, will be, and based on that calculate if a new
2518  * HCI command needs to be sent and if yes with what value.
2519  */
2520 static bool pending_eir_or_class(struct hci_dev *hdev)
2521 {
2522 	struct mgmt_pending_cmd *cmd;
2523 
2524 	list_for_each_entry(cmd, &hdev->mgmt_pending, list) {
2525 		switch (cmd->opcode) {
2526 		case MGMT_OP_ADD_UUID:
2527 		case MGMT_OP_REMOVE_UUID:
2528 		case MGMT_OP_SET_DEV_CLASS:
2529 		case MGMT_OP_SET_POWERED:
2530 			return true;
2531 		}
2532 	}
2533 
2534 	return false;
2535 }
2536 
2537 static const u8 bluetooth_base_uuid[] = {
2538 			0xfb, 0x34, 0x9b, 0x5f, 0x80, 0x00, 0x00, 0x80,
2539 			0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2540 };
2541 
2542 static u8 get_uuid_size(const u8 *uuid)
2543 {
2544 	u32 val;
2545 
2546 	if (memcmp(uuid, bluetooth_base_uuid, 12))
2547 		return 128;
2548 
2549 	val = get_unaligned_le32(&uuid[12]);
2550 	if (val > 0xffff)
2551 		return 32;
2552 
2553 	return 16;
2554 }
2555 
2556 static void mgmt_class_complete(struct hci_dev *hdev, void *data, int err)
2557 {
2558 	struct mgmt_pending_cmd *cmd = data;
2559 
2560 	bt_dev_dbg(hdev, "err %d", err);
2561 
2562 	mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
2563 			  mgmt_status(err), hdev->dev_class, 3);
2564 
2565 	mgmt_pending_free(cmd);
2566 }
2567 
2568 static int add_uuid_sync(struct hci_dev *hdev, void *data)
2569 {
2570 	int err;
2571 
2572 	err = hci_update_class_sync(hdev);
2573 	if (err)
2574 		return err;
2575 
2576 	return hci_update_eir_sync(hdev);
2577 }
2578 
2579 static int add_uuid(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
2580 {
2581 	struct mgmt_cp_add_uuid *cp = data;
2582 	struct mgmt_pending_cmd *cmd;
2583 	struct bt_uuid *uuid;
2584 	int err;
2585 
2586 	bt_dev_dbg(hdev, "sock %p", sk);
2587 
2588 	hci_dev_lock(hdev);
2589 
2590 	if (pending_eir_or_class(hdev)) {
2591 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_UUID,
2592 				      MGMT_STATUS_BUSY);
2593 		goto failed;
2594 	}
2595 
2596 	uuid = kmalloc(sizeof(*uuid), GFP_KERNEL);
2597 	if (!uuid) {
2598 		err = -ENOMEM;
2599 		goto failed;
2600 	}
2601 
2602 	memcpy(uuid->uuid, cp->uuid, 16);
2603 	uuid->svc_hint = cp->svc_hint;
2604 	uuid->size = get_uuid_size(cp->uuid);
2605 
2606 	list_add_tail(&uuid->list, &hdev->uuids);
2607 
2608 	cmd = mgmt_pending_new(sk, MGMT_OP_ADD_UUID, hdev, data, len);
2609 	if (!cmd) {
2610 		err = -ENOMEM;
2611 		goto failed;
2612 	}
2613 
2614 	/* MGMT_OP_ADD_UUID don't require adapter the UP/Running so use
2615 	 * hci_cmd_sync_submit instead of hci_cmd_sync_queue.
2616 	 */
2617 	err = hci_cmd_sync_submit(hdev, add_uuid_sync, cmd,
2618 				  mgmt_class_complete);
2619 	if (err < 0) {
2620 		mgmt_pending_free(cmd);
2621 		goto failed;
2622 	}
2623 
2624 failed:
2625 	hci_dev_unlock(hdev);
2626 	return err;
2627 }
2628 
2629 static bool enable_service_cache(struct hci_dev *hdev)
2630 {
2631 	if (!hdev_is_powered(hdev))
2632 		return false;
2633 
2634 	if (!hci_dev_test_and_set_flag(hdev, HCI_SERVICE_CACHE)) {
2635 		queue_delayed_work(hdev->workqueue, &hdev->service_cache,
2636 				   CACHE_TIMEOUT);
2637 		return true;
2638 	}
2639 
2640 	return false;
2641 }
2642 
2643 static int remove_uuid_sync(struct hci_dev *hdev, void *data)
2644 {
2645 	int err;
2646 
2647 	err = hci_update_class_sync(hdev);
2648 	if (err)
2649 		return err;
2650 
2651 	return hci_update_eir_sync(hdev);
2652 }
2653 
2654 static int remove_uuid(struct sock *sk, struct hci_dev *hdev, void *data,
2655 		       u16 len)
2656 {
2657 	struct mgmt_cp_remove_uuid *cp = data;
2658 	struct mgmt_pending_cmd *cmd;
2659 	struct bt_uuid *match, *tmp;
2660 	static const u8 bt_uuid_any[] = {
2661 		0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
2662 	};
2663 	int err, found;
2664 
2665 	bt_dev_dbg(hdev, "sock %p", sk);
2666 
2667 	hci_dev_lock(hdev);
2668 
2669 	if (pending_eir_or_class(hdev)) {
2670 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_UUID,
2671 				      MGMT_STATUS_BUSY);
2672 		goto unlock;
2673 	}
2674 
2675 	if (memcmp(cp->uuid, bt_uuid_any, 16) == 0) {
2676 		hci_uuids_clear(hdev);
2677 
2678 		if (enable_service_cache(hdev)) {
2679 			err = mgmt_cmd_complete(sk, hdev->id,
2680 						MGMT_OP_REMOVE_UUID,
2681 						0, hdev->dev_class, 3);
2682 			goto unlock;
2683 		}
2684 
2685 		goto update_class;
2686 	}
2687 
2688 	found = 0;
2689 
2690 	list_for_each_entry_safe(match, tmp, &hdev->uuids, list) {
2691 		if (memcmp(match->uuid, cp->uuid, 16) != 0)
2692 			continue;
2693 
2694 		list_del(&match->list);
2695 		kfree(match);
2696 		found++;
2697 	}
2698 
2699 	if (found == 0) {
2700 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_UUID,
2701 				      MGMT_STATUS_INVALID_PARAMS);
2702 		goto unlock;
2703 	}
2704 
2705 update_class:
2706 	cmd = mgmt_pending_new(sk, MGMT_OP_REMOVE_UUID, hdev, data, len);
2707 	if (!cmd) {
2708 		err = -ENOMEM;
2709 		goto unlock;
2710 	}
2711 
2712 	/* MGMT_OP_REMOVE_UUID don't require adapter the UP/Running so use
2713 	 * hci_cmd_sync_submit instead of hci_cmd_sync_queue.
2714 	 */
2715 	err = hci_cmd_sync_submit(hdev, remove_uuid_sync, cmd,
2716 				  mgmt_class_complete);
2717 	if (err < 0)
2718 		mgmt_pending_free(cmd);
2719 
2720 unlock:
2721 	hci_dev_unlock(hdev);
2722 	return err;
2723 }
2724 
2725 static int set_class_sync(struct hci_dev *hdev, void *data)
2726 {
2727 	int err = 0;
2728 
2729 	if (hci_dev_test_and_clear_flag(hdev, HCI_SERVICE_CACHE)) {
2730 		cancel_delayed_work_sync(&hdev->service_cache);
2731 		err = hci_update_eir_sync(hdev);
2732 	}
2733 
2734 	if (err)
2735 		return err;
2736 
2737 	return hci_update_class_sync(hdev);
2738 }
2739 
2740 static int set_dev_class(struct sock *sk, struct hci_dev *hdev, void *data,
2741 			 u16 len)
2742 {
2743 	struct mgmt_cp_set_dev_class *cp = data;
2744 	struct mgmt_pending_cmd *cmd;
2745 	int err;
2746 
2747 	bt_dev_dbg(hdev, "sock %p", sk);
2748 
2749 	if (!lmp_bredr_capable(hdev))
2750 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEV_CLASS,
2751 				       MGMT_STATUS_NOT_SUPPORTED);
2752 
2753 	hci_dev_lock(hdev);
2754 
2755 	if (pending_eir_or_class(hdev)) {
2756 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEV_CLASS,
2757 				      MGMT_STATUS_BUSY);
2758 		goto unlock;
2759 	}
2760 
2761 	if ((cp->minor & 0x03) != 0 || (cp->major & 0xe0) != 0) {
2762 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEV_CLASS,
2763 				      MGMT_STATUS_INVALID_PARAMS);
2764 		goto unlock;
2765 	}
2766 
2767 	hdev->major_class = cp->major;
2768 	hdev->minor_class = cp->minor;
2769 
2770 	if (!hdev_is_powered(hdev)) {
2771 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_DEV_CLASS, 0,
2772 					hdev->dev_class, 3);
2773 		goto unlock;
2774 	}
2775 
2776 	cmd = mgmt_pending_new(sk, MGMT_OP_SET_DEV_CLASS, hdev, data, len);
2777 	if (!cmd) {
2778 		err = -ENOMEM;
2779 		goto unlock;
2780 	}
2781 
2782 	/* MGMT_OP_SET_DEV_CLASS don't require adapter the UP/Running so use
2783 	 * hci_cmd_sync_submit instead of hci_cmd_sync_queue.
2784 	 */
2785 	err = hci_cmd_sync_submit(hdev, set_class_sync, cmd,
2786 				  mgmt_class_complete);
2787 	if (err < 0)
2788 		mgmt_pending_free(cmd);
2789 
2790 unlock:
2791 	hci_dev_unlock(hdev);
2792 	return err;
2793 }
2794 
2795 static int load_link_keys(struct sock *sk, struct hci_dev *hdev, void *data,
2796 			  u16 len)
2797 {
2798 	struct mgmt_cp_load_link_keys *cp = data;
2799 	const u16 max_key_count = ((U16_MAX - sizeof(*cp)) /
2800 				   sizeof(struct mgmt_link_key_info));
2801 	u16 key_count, expected_len;
2802 	bool changed;
2803 	int i;
2804 
2805 	bt_dev_dbg(hdev, "sock %p", sk);
2806 
2807 	if (!lmp_bredr_capable(hdev))
2808 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2809 				       MGMT_STATUS_NOT_SUPPORTED);
2810 
2811 	key_count = __le16_to_cpu(cp->key_count);
2812 	if (key_count > max_key_count) {
2813 		bt_dev_err(hdev, "load_link_keys: too big key_count value %u",
2814 			   key_count);
2815 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2816 				       MGMT_STATUS_INVALID_PARAMS);
2817 	}
2818 
2819 	expected_len = struct_size(cp, keys, key_count);
2820 	if (expected_len != len) {
2821 		bt_dev_err(hdev, "load_link_keys: expected %u bytes, got %u bytes",
2822 			   expected_len, len);
2823 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2824 				       MGMT_STATUS_INVALID_PARAMS);
2825 	}
2826 
2827 	if (cp->debug_keys != 0x00 && cp->debug_keys != 0x01)
2828 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2829 				       MGMT_STATUS_INVALID_PARAMS);
2830 
2831 	bt_dev_dbg(hdev, "debug_keys %u key_count %u", cp->debug_keys,
2832 		   key_count);
2833 
2834 	for (i = 0; i < key_count; i++) {
2835 		struct mgmt_link_key_info *key = &cp->keys[i];
2836 
2837 		/* Considering SMP over BREDR/LE, there is no need to check addr_type */
2838 		if (key->type > 0x08)
2839 			return mgmt_cmd_status(sk, hdev->id,
2840 					       MGMT_OP_LOAD_LINK_KEYS,
2841 					       MGMT_STATUS_INVALID_PARAMS);
2842 	}
2843 
2844 	hci_dev_lock(hdev);
2845 
2846 	hci_link_keys_clear(hdev);
2847 
2848 	if (cp->debug_keys)
2849 		changed = !hci_dev_test_and_set_flag(hdev, HCI_KEEP_DEBUG_KEYS);
2850 	else
2851 		changed = hci_dev_test_and_clear_flag(hdev,
2852 						      HCI_KEEP_DEBUG_KEYS);
2853 
2854 	if (changed)
2855 		new_settings(hdev, NULL);
2856 
2857 	for (i = 0; i < key_count; i++) {
2858 		struct mgmt_link_key_info *key = &cp->keys[i];
2859 
2860 		if (hci_is_blocked_key(hdev,
2861 				       HCI_BLOCKED_KEY_TYPE_LINKKEY,
2862 				       key->val)) {
2863 			bt_dev_warn(hdev, "Skipping blocked link key for %pMR",
2864 				    &key->addr.bdaddr);
2865 			continue;
2866 		}
2867 
2868 		/* Always ignore debug keys and require a new pairing if
2869 		 * the user wants to use them.
2870 		 */
2871 		if (key->type == HCI_LK_DEBUG_COMBINATION)
2872 			continue;
2873 
2874 		hci_add_link_key(hdev, NULL, &key->addr.bdaddr, key->val,
2875 				 key->type, key->pin_len, NULL);
2876 	}
2877 
2878 	mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS, 0, NULL, 0);
2879 
2880 	hci_dev_unlock(hdev);
2881 
2882 	return 0;
2883 }
2884 
2885 static int device_unpaired(struct hci_dev *hdev, bdaddr_t *bdaddr,
2886 			   u8 addr_type, struct sock *skip_sk)
2887 {
2888 	struct mgmt_ev_device_unpaired ev;
2889 
2890 	bacpy(&ev.addr.bdaddr, bdaddr);
2891 	ev.addr.type = addr_type;
2892 
2893 	return mgmt_event(MGMT_EV_DEVICE_UNPAIRED, hdev, &ev, sizeof(ev),
2894 			  skip_sk);
2895 }
2896 
2897 static void unpair_device_complete(struct hci_dev *hdev, void *data, int err)
2898 {
2899 	struct mgmt_pending_cmd *cmd = data;
2900 	struct mgmt_cp_unpair_device *cp = cmd->param;
2901 
2902 	if (!err)
2903 		device_unpaired(hdev, &cp->addr.bdaddr, cp->addr.type, cmd->sk);
2904 
2905 	cmd->cmd_complete(cmd, err);
2906 	mgmt_pending_free(cmd);
2907 }
2908 
2909 static int unpair_device_sync(struct hci_dev *hdev, void *data)
2910 {
2911 	struct mgmt_pending_cmd *cmd = data;
2912 	struct mgmt_cp_unpair_device *cp = cmd->param;
2913 	struct hci_conn *conn;
2914 
2915 	if (cp->addr.type == BDADDR_BREDR)
2916 		conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
2917 					       &cp->addr.bdaddr);
2918 	else
2919 		conn = hci_conn_hash_lookup_le(hdev, &cp->addr.bdaddr,
2920 					       le_addr_type(cp->addr.type));
2921 
2922 	if (!conn)
2923 		return 0;
2924 
2925 	return hci_abort_conn_sync(hdev, conn, HCI_ERROR_REMOTE_USER_TERM);
2926 }
2927 
2928 static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2929 			 u16 len)
2930 {
2931 	struct mgmt_cp_unpair_device *cp = data;
2932 	struct mgmt_rp_unpair_device rp;
2933 	struct hci_conn_params *params;
2934 	struct mgmt_pending_cmd *cmd;
2935 	struct hci_conn *conn;
2936 	u8 addr_type;
2937 	int err;
2938 
2939 	memset(&rp, 0, sizeof(rp));
2940 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
2941 	rp.addr.type = cp->addr.type;
2942 
2943 	if (!bdaddr_type_is_valid(cp->addr.type))
2944 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2945 					 MGMT_STATUS_INVALID_PARAMS,
2946 					 &rp, sizeof(rp));
2947 
2948 	if (cp->disconnect != 0x00 && cp->disconnect != 0x01)
2949 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2950 					 MGMT_STATUS_INVALID_PARAMS,
2951 					 &rp, sizeof(rp));
2952 
2953 	hci_dev_lock(hdev);
2954 
2955 	if (!hdev_is_powered(hdev)) {
2956 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2957 					MGMT_STATUS_NOT_POWERED, &rp,
2958 					sizeof(rp));
2959 		goto unlock;
2960 	}
2961 
2962 	if (cp->addr.type == BDADDR_BREDR) {
2963 		/* If disconnection is requested, then look up the
2964 		 * connection. If the remote device is connected, it
2965 		 * will be later used to terminate the link.
2966 		 *
2967 		 * Setting it to NULL explicitly will cause no
2968 		 * termination of the link.
2969 		 */
2970 		if (cp->disconnect)
2971 			conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
2972 						       &cp->addr.bdaddr);
2973 		else
2974 			conn = NULL;
2975 
2976 		err = hci_remove_link_key(hdev, &cp->addr.bdaddr);
2977 		if (err < 0) {
2978 			err = mgmt_cmd_complete(sk, hdev->id,
2979 						MGMT_OP_UNPAIR_DEVICE,
2980 						MGMT_STATUS_NOT_PAIRED, &rp,
2981 						sizeof(rp));
2982 			goto unlock;
2983 		}
2984 
2985 		goto done;
2986 	}
2987 
2988 	/* LE address type */
2989 	addr_type = le_addr_type(cp->addr.type);
2990 
2991 	/* Abort any ongoing SMP pairing. Removes ltk and irk if they exist. */
2992 	err = smp_cancel_and_remove_pairing(hdev, &cp->addr.bdaddr, addr_type);
2993 	if (err < 0) {
2994 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2995 					MGMT_STATUS_NOT_PAIRED, &rp,
2996 					sizeof(rp));
2997 		goto unlock;
2998 	}
2999 
3000 	conn = hci_conn_hash_lookup_le(hdev, &cp->addr.bdaddr, addr_type);
3001 	if (!conn) {
3002 		hci_conn_params_del(hdev, &cp->addr.bdaddr, addr_type);
3003 		goto done;
3004 	}
3005 
3006 
3007 	/* Defer clearing up the connection parameters until closing to
3008 	 * give a chance of keeping them if a repairing happens.
3009 	 */
3010 	set_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags);
3011 
3012 	/* Disable auto-connection parameters if present */
3013 	params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr, addr_type);
3014 	if (params) {
3015 		if (params->explicit_connect)
3016 			params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
3017 		else
3018 			params->auto_connect = HCI_AUTO_CONN_DISABLED;
3019 	}
3020 
3021 	/* If disconnection is not requested, then clear the connection
3022 	 * variable so that the link is not terminated.
3023 	 */
3024 	if (!cp->disconnect)
3025 		conn = NULL;
3026 
3027 done:
3028 	/* If the connection variable is set, then termination of the
3029 	 * link is requested.
3030 	 */
3031 	if (!conn) {
3032 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE, 0,
3033 					&rp, sizeof(rp));
3034 		device_unpaired(hdev, &cp->addr.bdaddr, cp->addr.type, sk);
3035 		goto unlock;
3036 	}
3037 
3038 	cmd = mgmt_pending_new(sk, MGMT_OP_UNPAIR_DEVICE, hdev, cp,
3039 			       sizeof(*cp));
3040 	if (!cmd) {
3041 		err = -ENOMEM;
3042 		goto unlock;
3043 	}
3044 
3045 	cmd->cmd_complete = addr_cmd_complete;
3046 
3047 	err = hci_cmd_sync_queue(hdev, unpair_device_sync, cmd,
3048 				 unpair_device_complete);
3049 	if (err < 0)
3050 		mgmt_pending_free(cmd);
3051 
3052 unlock:
3053 	hci_dev_unlock(hdev);
3054 	return err;
3055 }
3056 
3057 static int disconnect(struct sock *sk, struct hci_dev *hdev, void *data,
3058 		      u16 len)
3059 {
3060 	struct mgmt_cp_disconnect *cp = data;
3061 	struct mgmt_rp_disconnect rp;
3062 	struct mgmt_pending_cmd *cmd;
3063 	struct hci_conn *conn;
3064 	int err;
3065 
3066 	bt_dev_dbg(hdev, "sock %p", sk);
3067 
3068 	memset(&rp, 0, sizeof(rp));
3069 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
3070 	rp.addr.type = cp->addr.type;
3071 
3072 	if (!bdaddr_type_is_valid(cp->addr.type))
3073 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
3074 					 MGMT_STATUS_INVALID_PARAMS,
3075 					 &rp, sizeof(rp));
3076 
3077 	hci_dev_lock(hdev);
3078 
3079 	if (!test_bit(HCI_UP, &hdev->flags)) {
3080 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
3081 					MGMT_STATUS_NOT_POWERED, &rp,
3082 					sizeof(rp));
3083 		goto failed;
3084 	}
3085 
3086 	if (pending_find(MGMT_OP_DISCONNECT, hdev)) {
3087 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
3088 					MGMT_STATUS_BUSY, &rp, sizeof(rp));
3089 		goto failed;
3090 	}
3091 
3092 	if (cp->addr.type == BDADDR_BREDR)
3093 		conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
3094 					       &cp->addr.bdaddr);
3095 	else
3096 		conn = hci_conn_hash_lookup_le(hdev, &cp->addr.bdaddr,
3097 					       le_addr_type(cp->addr.type));
3098 
3099 	if (!conn || conn->state == BT_OPEN || conn->state == BT_CLOSED) {
3100 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
3101 					MGMT_STATUS_NOT_CONNECTED, &rp,
3102 					sizeof(rp));
3103 		goto failed;
3104 	}
3105 
3106 	cmd = mgmt_pending_add(sk, MGMT_OP_DISCONNECT, hdev, data, len);
3107 	if (!cmd) {
3108 		err = -ENOMEM;
3109 		goto failed;
3110 	}
3111 
3112 	cmd->cmd_complete = generic_cmd_complete;
3113 
3114 	err = hci_disconnect(conn, HCI_ERROR_REMOTE_USER_TERM);
3115 	if (err < 0)
3116 		mgmt_pending_remove(cmd);
3117 
3118 failed:
3119 	hci_dev_unlock(hdev);
3120 	return err;
3121 }
3122 
3123 static u8 link_to_bdaddr(u8 link_type, u8 addr_type)
3124 {
3125 	switch (link_type) {
3126 	case ISO_LINK:
3127 	case LE_LINK:
3128 		switch (addr_type) {
3129 		case ADDR_LE_DEV_PUBLIC:
3130 			return BDADDR_LE_PUBLIC;
3131 
3132 		default:
3133 			/* Fallback to LE Random address type */
3134 			return BDADDR_LE_RANDOM;
3135 		}
3136 
3137 	default:
3138 		/* Fallback to BR/EDR type */
3139 		return BDADDR_BREDR;
3140 	}
3141 }
3142 
3143 static int get_connections(struct sock *sk, struct hci_dev *hdev, void *data,
3144 			   u16 data_len)
3145 {
3146 	struct mgmt_rp_get_connections *rp;
3147 	struct hci_conn *c;
3148 	int err;
3149 	u16 i;
3150 
3151 	bt_dev_dbg(hdev, "sock %p", sk);
3152 
3153 	hci_dev_lock(hdev);
3154 
3155 	if (!hdev_is_powered(hdev)) {
3156 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_GET_CONNECTIONS,
3157 				      MGMT_STATUS_NOT_POWERED);
3158 		goto unlock;
3159 	}
3160 
3161 	i = 0;
3162 	list_for_each_entry(c, &hdev->conn_hash.list, list) {
3163 		if (test_bit(HCI_CONN_MGMT_CONNECTED, &c->flags))
3164 			i++;
3165 	}
3166 
3167 	rp = kmalloc(struct_size(rp, addr, i), GFP_KERNEL);
3168 	if (!rp) {
3169 		err = -ENOMEM;
3170 		goto unlock;
3171 	}
3172 
3173 	i = 0;
3174 	list_for_each_entry(c, &hdev->conn_hash.list, list) {
3175 		if (!test_bit(HCI_CONN_MGMT_CONNECTED, &c->flags))
3176 			continue;
3177 		bacpy(&rp->addr[i].bdaddr, &c->dst);
3178 		rp->addr[i].type = link_to_bdaddr(c->type, c->dst_type);
3179 		if (c->type == SCO_LINK || c->type == ESCO_LINK)
3180 			continue;
3181 		i++;
3182 	}
3183 
3184 	rp->conn_count = cpu_to_le16(i);
3185 
3186 	/* Recalculate length in case of filtered SCO connections, etc */
3187 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONNECTIONS, 0, rp,
3188 				struct_size(rp, addr, i));
3189 
3190 	kfree(rp);
3191 
3192 unlock:
3193 	hci_dev_unlock(hdev);
3194 	return err;
3195 }
3196 
3197 static int send_pin_code_neg_reply(struct sock *sk, struct hci_dev *hdev,
3198 				   struct mgmt_cp_pin_code_neg_reply *cp)
3199 {
3200 	struct mgmt_pending_cmd *cmd;
3201 	int err;
3202 
3203 	cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_NEG_REPLY, hdev, cp,
3204 			       sizeof(*cp));
3205 	if (!cmd)
3206 		return -ENOMEM;
3207 
3208 	cmd->cmd_complete = addr_cmd_complete;
3209 
3210 	err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
3211 			   sizeof(cp->addr.bdaddr), &cp->addr.bdaddr);
3212 	if (err < 0)
3213 		mgmt_pending_remove(cmd);
3214 
3215 	return err;
3216 }
3217 
3218 static int pin_code_reply(struct sock *sk, struct hci_dev *hdev, void *data,
3219 			  u16 len)
3220 {
3221 	struct hci_conn *conn;
3222 	struct mgmt_cp_pin_code_reply *cp = data;
3223 	struct hci_cp_pin_code_reply reply;
3224 	struct mgmt_pending_cmd *cmd;
3225 	int err;
3226 
3227 	bt_dev_dbg(hdev, "sock %p", sk);
3228 
3229 	hci_dev_lock(hdev);
3230 
3231 	if (!hdev_is_powered(hdev)) {
3232 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
3233 				      MGMT_STATUS_NOT_POWERED);
3234 		goto failed;
3235 	}
3236 
3237 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->addr.bdaddr);
3238 	if (!conn) {
3239 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
3240 				      MGMT_STATUS_NOT_CONNECTED);
3241 		goto failed;
3242 	}
3243 
3244 	if (conn->pending_sec_level == BT_SECURITY_HIGH && cp->pin_len != 16) {
3245 		struct mgmt_cp_pin_code_neg_reply ncp;
3246 
3247 		memcpy(&ncp.addr, &cp->addr, sizeof(ncp.addr));
3248 
3249 		bt_dev_err(hdev, "PIN code is not 16 bytes long");
3250 
3251 		err = send_pin_code_neg_reply(sk, hdev, &ncp);
3252 		if (err >= 0)
3253 			err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
3254 					      MGMT_STATUS_INVALID_PARAMS);
3255 
3256 		goto failed;
3257 	}
3258 
3259 	cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_REPLY, hdev, data, len);
3260 	if (!cmd) {
3261 		err = -ENOMEM;
3262 		goto failed;
3263 	}
3264 
3265 	cmd->cmd_complete = addr_cmd_complete;
3266 
3267 	bacpy(&reply.bdaddr, &cp->addr.bdaddr);
3268 	reply.pin_len = cp->pin_len;
3269 	memcpy(reply.pin_code, cp->pin_code, sizeof(reply.pin_code));
3270 
3271 	err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_REPLY, sizeof(reply), &reply);
3272 	if (err < 0)
3273 		mgmt_pending_remove(cmd);
3274 
3275 failed:
3276 	hci_dev_unlock(hdev);
3277 	return err;
3278 }
3279 
3280 static int set_io_capability(struct sock *sk, struct hci_dev *hdev, void *data,
3281 			     u16 len)
3282 {
3283 	struct mgmt_cp_set_io_capability *cp = data;
3284 
3285 	bt_dev_dbg(hdev, "sock %p", sk);
3286 
3287 	if (cp->io_capability > SMP_IO_KEYBOARD_DISPLAY)
3288 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_IO_CAPABILITY,
3289 				       MGMT_STATUS_INVALID_PARAMS);
3290 
3291 	hci_dev_lock(hdev);
3292 
3293 	hdev->io_capability = cp->io_capability;
3294 
3295 	bt_dev_dbg(hdev, "IO capability set to 0x%02x", hdev->io_capability);
3296 
3297 	hci_dev_unlock(hdev);
3298 
3299 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_IO_CAPABILITY, 0,
3300 				 NULL, 0);
3301 }
3302 
3303 static struct mgmt_pending_cmd *find_pairing(struct hci_conn *conn)
3304 {
3305 	struct hci_dev *hdev = conn->hdev;
3306 	struct mgmt_pending_cmd *cmd;
3307 
3308 	list_for_each_entry(cmd, &hdev->mgmt_pending, list) {
3309 		if (cmd->opcode != MGMT_OP_PAIR_DEVICE)
3310 			continue;
3311 
3312 		if (cmd->user_data != conn)
3313 			continue;
3314 
3315 		return cmd;
3316 	}
3317 
3318 	return NULL;
3319 }
3320 
3321 static int pairing_complete(struct mgmt_pending_cmd *cmd, u8 status)
3322 {
3323 	struct mgmt_rp_pair_device rp;
3324 	struct hci_conn *conn = cmd->user_data;
3325 	int err;
3326 
3327 	bacpy(&rp.addr.bdaddr, &conn->dst);
3328 	rp.addr.type = link_to_bdaddr(conn->type, conn->dst_type);
3329 
3330 	err = mgmt_cmd_complete(cmd->sk, cmd->index, MGMT_OP_PAIR_DEVICE,
3331 				status, &rp, sizeof(rp));
3332 
3333 	/* So we don't get further callbacks for this connection */
3334 	conn->connect_cfm_cb = NULL;
3335 	conn->security_cfm_cb = NULL;
3336 	conn->disconn_cfm_cb = NULL;
3337 
3338 	hci_conn_drop(conn);
3339 
3340 	/* The device is paired so there is no need to remove
3341 	 * its connection parameters anymore.
3342 	 */
3343 	clear_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags);
3344 
3345 	hci_conn_put(conn);
3346 
3347 	return err;
3348 }
3349 
3350 void mgmt_smp_complete(struct hci_conn *conn, bool complete)
3351 {
3352 	u8 status = complete ? MGMT_STATUS_SUCCESS : MGMT_STATUS_FAILED;
3353 	struct mgmt_pending_cmd *cmd;
3354 
3355 	cmd = find_pairing(conn);
3356 	if (cmd) {
3357 		cmd->cmd_complete(cmd, status);
3358 		mgmt_pending_remove(cmd);
3359 	}
3360 }
3361 
3362 static void pairing_complete_cb(struct hci_conn *conn, u8 status)
3363 {
3364 	struct mgmt_pending_cmd *cmd;
3365 
3366 	BT_DBG("status %u", status);
3367 
3368 	cmd = find_pairing(conn);
3369 	if (!cmd) {
3370 		BT_DBG("Unable to find a pending command");
3371 		return;
3372 	}
3373 
3374 	cmd->cmd_complete(cmd, mgmt_status(status));
3375 	mgmt_pending_remove(cmd);
3376 }
3377 
3378 static void le_pairing_complete_cb(struct hci_conn *conn, u8 status)
3379 {
3380 	struct mgmt_pending_cmd *cmd;
3381 
3382 	BT_DBG("status %u", status);
3383 
3384 	if (!status)
3385 		return;
3386 
3387 	cmd = find_pairing(conn);
3388 	if (!cmd) {
3389 		BT_DBG("Unable to find a pending command");
3390 		return;
3391 	}
3392 
3393 	cmd->cmd_complete(cmd, mgmt_status(status));
3394 	mgmt_pending_remove(cmd);
3395 }
3396 
3397 static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
3398 		       u16 len)
3399 {
3400 	struct mgmt_cp_pair_device *cp = data;
3401 	struct mgmt_rp_pair_device rp;
3402 	struct mgmt_pending_cmd *cmd;
3403 	u8 sec_level, auth_type;
3404 	struct hci_conn *conn;
3405 	int err;
3406 
3407 	bt_dev_dbg(hdev, "sock %p", sk);
3408 
3409 	memset(&rp, 0, sizeof(rp));
3410 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
3411 	rp.addr.type = cp->addr.type;
3412 
3413 	if (!bdaddr_type_is_valid(cp->addr.type))
3414 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
3415 					 MGMT_STATUS_INVALID_PARAMS,
3416 					 &rp, sizeof(rp));
3417 
3418 	if (cp->io_cap > SMP_IO_KEYBOARD_DISPLAY)
3419 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
3420 					 MGMT_STATUS_INVALID_PARAMS,
3421 					 &rp, sizeof(rp));
3422 
3423 	hci_dev_lock(hdev);
3424 
3425 	if (!hdev_is_powered(hdev)) {
3426 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
3427 					MGMT_STATUS_NOT_POWERED, &rp,
3428 					sizeof(rp));
3429 		goto unlock;
3430 	}
3431 
3432 	if (hci_bdaddr_is_paired(hdev, &cp->addr.bdaddr, cp->addr.type)) {
3433 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
3434 					MGMT_STATUS_ALREADY_PAIRED, &rp,
3435 					sizeof(rp));
3436 		goto unlock;
3437 	}
3438 
3439 	sec_level = BT_SECURITY_MEDIUM;
3440 	auth_type = HCI_AT_DEDICATED_BONDING;
3441 
3442 	if (cp->addr.type == BDADDR_BREDR) {
3443 		conn = hci_connect_acl(hdev, &cp->addr.bdaddr, sec_level,
3444 				       auth_type, CONN_REASON_PAIR_DEVICE,
3445 				       HCI_ACL_CONN_TIMEOUT);
3446 	} else {
3447 		u8 addr_type = le_addr_type(cp->addr.type);
3448 		struct hci_conn_params *p;
3449 
3450 		/* When pairing a new device, it is expected to remember
3451 		 * this device for future connections. Adding the connection
3452 		 * parameter information ahead of time allows tracking
3453 		 * of the peripheral preferred values and will speed up any
3454 		 * further connection establishment.
3455 		 *
3456 		 * If connection parameters already exist, then they
3457 		 * will be kept and this function does nothing.
3458 		 */
3459 		p = hci_conn_params_add(hdev, &cp->addr.bdaddr, addr_type);
3460 
3461 		if (p->auto_connect == HCI_AUTO_CONN_EXPLICIT)
3462 			p->auto_connect = HCI_AUTO_CONN_DISABLED;
3463 
3464 		conn = hci_connect_le_scan(hdev, &cp->addr.bdaddr, addr_type,
3465 					   sec_level, HCI_LE_CONN_TIMEOUT,
3466 					   CONN_REASON_PAIR_DEVICE);
3467 	}
3468 
3469 	if (IS_ERR(conn)) {
3470 		int status;
3471 
3472 		if (PTR_ERR(conn) == -EBUSY)
3473 			status = MGMT_STATUS_BUSY;
3474 		else if (PTR_ERR(conn) == -EOPNOTSUPP)
3475 			status = MGMT_STATUS_NOT_SUPPORTED;
3476 		else if (PTR_ERR(conn) == -ECONNREFUSED)
3477 			status = MGMT_STATUS_REJECTED;
3478 		else
3479 			status = MGMT_STATUS_CONNECT_FAILED;
3480 
3481 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
3482 					status, &rp, sizeof(rp));
3483 		goto unlock;
3484 	}
3485 
3486 	if (conn->connect_cfm_cb) {
3487 		hci_conn_drop(conn);
3488 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
3489 					MGMT_STATUS_BUSY, &rp, sizeof(rp));
3490 		goto unlock;
3491 	}
3492 
3493 	cmd = mgmt_pending_add(sk, MGMT_OP_PAIR_DEVICE, hdev, data, len);
3494 	if (!cmd) {
3495 		err = -ENOMEM;
3496 		hci_conn_drop(conn);
3497 		goto unlock;
3498 	}
3499 
3500 	cmd->cmd_complete = pairing_complete;
3501 
3502 	/* For LE, just connecting isn't a proof that the pairing finished */
3503 	if (cp->addr.type == BDADDR_BREDR) {
3504 		conn->connect_cfm_cb = pairing_complete_cb;
3505 		conn->security_cfm_cb = pairing_complete_cb;
3506 		conn->disconn_cfm_cb = pairing_complete_cb;
3507 	} else {
3508 		conn->connect_cfm_cb = le_pairing_complete_cb;
3509 		conn->security_cfm_cb = le_pairing_complete_cb;
3510 		conn->disconn_cfm_cb = le_pairing_complete_cb;
3511 	}
3512 
3513 	conn->io_capability = cp->io_cap;
3514 	cmd->user_data = hci_conn_get(conn);
3515 
3516 	if ((conn->state == BT_CONNECTED || conn->state == BT_CONFIG) &&
3517 	    hci_conn_security(conn, sec_level, auth_type, true)) {
3518 		cmd->cmd_complete(cmd, 0);
3519 		mgmt_pending_remove(cmd);
3520 	}
3521 
3522 	err = 0;
3523 
3524 unlock:
3525 	hci_dev_unlock(hdev);
3526 	return err;
3527 }
3528 
3529 static int cancel_pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
3530 			      u16 len)
3531 {
3532 	struct mgmt_addr_info *addr = data;
3533 	struct mgmt_pending_cmd *cmd;
3534 	struct hci_conn *conn;
3535 	int err;
3536 
3537 	bt_dev_dbg(hdev, "sock %p", sk);
3538 
3539 	hci_dev_lock(hdev);
3540 
3541 	if (!hdev_is_powered(hdev)) {
3542 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
3543 				      MGMT_STATUS_NOT_POWERED);
3544 		goto unlock;
3545 	}
3546 
3547 	cmd = pending_find(MGMT_OP_PAIR_DEVICE, hdev);
3548 	if (!cmd) {
3549 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
3550 				      MGMT_STATUS_INVALID_PARAMS);
3551 		goto unlock;
3552 	}
3553 
3554 	conn = cmd->user_data;
3555 
3556 	if (bacmp(&addr->bdaddr, &conn->dst) != 0) {
3557 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
3558 				      MGMT_STATUS_INVALID_PARAMS);
3559 		goto unlock;
3560 	}
3561 
3562 	cmd->cmd_complete(cmd, MGMT_STATUS_CANCELLED);
3563 	mgmt_pending_remove(cmd);
3564 
3565 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE, 0,
3566 				addr, sizeof(*addr));
3567 
3568 	/* Since user doesn't want to proceed with the connection, abort any
3569 	 * ongoing pairing and then terminate the link if it was created
3570 	 * because of the pair device action.
3571 	 */
3572 	if (addr->type == BDADDR_BREDR)
3573 		hci_remove_link_key(hdev, &addr->bdaddr);
3574 	else
3575 		smp_cancel_and_remove_pairing(hdev, &addr->bdaddr,
3576 					      le_addr_type(addr->type));
3577 
3578 	if (conn->conn_reason == CONN_REASON_PAIR_DEVICE)
3579 		hci_abort_conn(conn, HCI_ERROR_REMOTE_USER_TERM);
3580 
3581 unlock:
3582 	hci_dev_unlock(hdev);
3583 	return err;
3584 }
3585 
3586 static int user_pairing_resp(struct sock *sk, struct hci_dev *hdev,
3587 			     struct mgmt_addr_info *addr, u16 mgmt_op,
3588 			     u16 hci_op, __le32 passkey)
3589 {
3590 	struct mgmt_pending_cmd *cmd;
3591 	struct hci_conn *conn;
3592 	int err;
3593 
3594 	hci_dev_lock(hdev);
3595 
3596 	if (!hdev_is_powered(hdev)) {
3597 		err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
3598 					MGMT_STATUS_NOT_POWERED, addr,
3599 					sizeof(*addr));
3600 		goto done;
3601 	}
3602 
3603 	if (addr->type == BDADDR_BREDR)
3604 		conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &addr->bdaddr);
3605 	else
3606 		conn = hci_conn_hash_lookup_le(hdev, &addr->bdaddr,
3607 					       le_addr_type(addr->type));
3608 
3609 	if (!conn) {
3610 		err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
3611 					MGMT_STATUS_NOT_CONNECTED, addr,
3612 					sizeof(*addr));
3613 		goto done;
3614 	}
3615 
3616 	if (addr->type == BDADDR_LE_PUBLIC || addr->type == BDADDR_LE_RANDOM) {
3617 		err = smp_user_confirm_reply(conn, mgmt_op, passkey);
3618 		if (!err)
3619 			err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
3620 						MGMT_STATUS_SUCCESS, addr,
3621 						sizeof(*addr));
3622 		else
3623 			err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
3624 						MGMT_STATUS_FAILED, addr,
3625 						sizeof(*addr));
3626 
3627 		goto done;
3628 	}
3629 
3630 	cmd = mgmt_pending_add(sk, mgmt_op, hdev, addr, sizeof(*addr));
3631 	if (!cmd) {
3632 		err = -ENOMEM;
3633 		goto done;
3634 	}
3635 
3636 	cmd->cmd_complete = addr_cmd_complete;
3637 
3638 	/* Continue with pairing via HCI */
3639 	if (hci_op == HCI_OP_USER_PASSKEY_REPLY) {
3640 		struct hci_cp_user_passkey_reply cp;
3641 
3642 		bacpy(&cp.bdaddr, &addr->bdaddr);
3643 		cp.passkey = passkey;
3644 		err = hci_send_cmd(hdev, hci_op, sizeof(cp), &cp);
3645 	} else
3646 		err = hci_send_cmd(hdev, hci_op, sizeof(addr->bdaddr),
3647 				   &addr->bdaddr);
3648 
3649 	if (err < 0)
3650 		mgmt_pending_remove(cmd);
3651 
3652 done:
3653 	hci_dev_unlock(hdev);
3654 	return err;
3655 }
3656 
3657 static int pin_code_neg_reply(struct sock *sk, struct hci_dev *hdev,
3658 			      void *data, u16 len)
3659 {
3660 	struct mgmt_cp_pin_code_neg_reply *cp = data;
3661 
3662 	bt_dev_dbg(hdev, "sock %p", sk);
3663 
3664 	return user_pairing_resp(sk, hdev, &cp->addr,
3665 				MGMT_OP_PIN_CODE_NEG_REPLY,
3666 				HCI_OP_PIN_CODE_NEG_REPLY, 0);
3667 }
3668 
3669 static int user_confirm_reply(struct sock *sk, struct hci_dev *hdev, void *data,
3670 			      u16 len)
3671 {
3672 	struct mgmt_cp_user_confirm_reply *cp = data;
3673 
3674 	bt_dev_dbg(hdev, "sock %p", sk);
3675 
3676 	if (len != sizeof(*cp))
3677 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_USER_CONFIRM_REPLY,
3678 				       MGMT_STATUS_INVALID_PARAMS);
3679 
3680 	return user_pairing_resp(sk, hdev, &cp->addr,
3681 				 MGMT_OP_USER_CONFIRM_REPLY,
3682 				 HCI_OP_USER_CONFIRM_REPLY, 0);
3683 }
3684 
3685 static int user_confirm_neg_reply(struct sock *sk, struct hci_dev *hdev,
3686 				  void *data, u16 len)
3687 {
3688 	struct mgmt_cp_user_confirm_neg_reply *cp = data;
3689 
3690 	bt_dev_dbg(hdev, "sock %p", sk);
3691 
3692 	return user_pairing_resp(sk, hdev, &cp->addr,
3693 				 MGMT_OP_USER_CONFIRM_NEG_REPLY,
3694 				 HCI_OP_USER_CONFIRM_NEG_REPLY, 0);
3695 }
3696 
3697 static int user_passkey_reply(struct sock *sk, struct hci_dev *hdev, void *data,
3698 			      u16 len)
3699 {
3700 	struct mgmt_cp_user_passkey_reply *cp = data;
3701 
3702 	bt_dev_dbg(hdev, "sock %p", sk);
3703 
3704 	return user_pairing_resp(sk, hdev, &cp->addr,
3705 				 MGMT_OP_USER_PASSKEY_REPLY,
3706 				 HCI_OP_USER_PASSKEY_REPLY, cp->passkey);
3707 }
3708 
3709 static int user_passkey_neg_reply(struct sock *sk, struct hci_dev *hdev,
3710 				  void *data, u16 len)
3711 {
3712 	struct mgmt_cp_user_passkey_neg_reply *cp = data;
3713 
3714 	bt_dev_dbg(hdev, "sock %p", sk);
3715 
3716 	return user_pairing_resp(sk, hdev, &cp->addr,
3717 				 MGMT_OP_USER_PASSKEY_NEG_REPLY,
3718 				 HCI_OP_USER_PASSKEY_NEG_REPLY, 0);
3719 }
3720 
3721 static int adv_expire_sync(struct hci_dev *hdev, u32 flags)
3722 {
3723 	struct adv_info *adv_instance;
3724 
3725 	adv_instance = hci_find_adv_instance(hdev, hdev->cur_adv_instance);
3726 	if (!adv_instance)
3727 		return 0;
3728 
3729 	/* stop if current instance doesn't need to be changed */
3730 	if (!(adv_instance->flags & flags))
3731 		return 0;
3732 
3733 	cancel_adv_timeout(hdev);
3734 
3735 	adv_instance = hci_get_next_instance(hdev, adv_instance->instance);
3736 	if (!adv_instance)
3737 		return 0;
3738 
3739 	hci_schedule_adv_instance_sync(hdev, adv_instance->instance, true);
3740 
3741 	return 0;
3742 }
3743 
3744 static int name_changed_sync(struct hci_dev *hdev, void *data)
3745 {
3746 	return adv_expire_sync(hdev, MGMT_ADV_FLAG_LOCAL_NAME);
3747 }
3748 
3749 static void set_name_complete(struct hci_dev *hdev, void *data, int err)
3750 {
3751 	struct mgmt_pending_cmd *cmd = data;
3752 	struct mgmt_cp_set_local_name *cp = cmd->param;
3753 	u8 status = mgmt_status(err);
3754 
3755 	bt_dev_dbg(hdev, "err %d", err);
3756 
3757 	if (cmd != pending_find(MGMT_OP_SET_LOCAL_NAME, hdev))
3758 		return;
3759 
3760 	if (status) {
3761 		mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_LOCAL_NAME,
3762 				status);
3763 	} else {
3764 		mgmt_cmd_complete(cmd->sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, 0,
3765 				  cp, sizeof(*cp));
3766 
3767 		if (hci_dev_test_flag(hdev, HCI_LE_ADV))
3768 			hci_cmd_sync_queue(hdev, name_changed_sync, NULL, NULL);
3769 	}
3770 
3771 	mgmt_pending_remove(cmd);
3772 }
3773 
3774 static int set_name_sync(struct hci_dev *hdev, void *data)
3775 {
3776 	if (lmp_bredr_capable(hdev)) {
3777 		hci_update_name_sync(hdev);
3778 		hci_update_eir_sync(hdev);
3779 	}
3780 
3781 	/* The name is stored in the scan response data and so
3782 	 * no need to update the advertising data here.
3783 	 */
3784 	if (lmp_le_capable(hdev) && hci_dev_test_flag(hdev, HCI_ADVERTISING))
3785 		hci_update_scan_rsp_data_sync(hdev, hdev->cur_adv_instance);
3786 
3787 	return 0;
3788 }
3789 
3790 static int set_local_name(struct sock *sk, struct hci_dev *hdev, void *data,
3791 			  u16 len)
3792 {
3793 	struct mgmt_cp_set_local_name *cp = data;
3794 	struct mgmt_pending_cmd *cmd;
3795 	int err;
3796 
3797 	bt_dev_dbg(hdev, "sock %p", sk);
3798 
3799 	hci_dev_lock(hdev);
3800 
3801 	/* If the old values are the same as the new ones just return a
3802 	 * direct command complete event.
3803 	 */
3804 	if (!memcmp(hdev->dev_name, cp->name, sizeof(hdev->dev_name)) &&
3805 	    !memcmp(hdev->short_name, cp->short_name,
3806 		    sizeof(hdev->short_name))) {
3807 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, 0,
3808 					data, len);
3809 		goto failed;
3810 	}
3811 
3812 	memcpy(hdev->short_name, cp->short_name, sizeof(hdev->short_name));
3813 
3814 	if (!hdev_is_powered(hdev)) {
3815 		memcpy(hdev->dev_name, cp->name, sizeof(hdev->dev_name));
3816 
3817 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, 0,
3818 					data, len);
3819 		if (err < 0)
3820 			goto failed;
3821 
3822 		err = mgmt_limited_event(MGMT_EV_LOCAL_NAME_CHANGED, hdev, data,
3823 					 len, HCI_MGMT_LOCAL_NAME_EVENTS, sk);
3824 		ext_info_changed(hdev, sk);
3825 
3826 		goto failed;
3827 	}
3828 
3829 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_LOCAL_NAME, hdev, data, len);
3830 	if (!cmd)
3831 		err = -ENOMEM;
3832 	else
3833 		err = hci_cmd_sync_queue(hdev, set_name_sync, cmd,
3834 					 set_name_complete);
3835 
3836 	if (err < 0) {
3837 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LOCAL_NAME,
3838 				      MGMT_STATUS_FAILED);
3839 
3840 		if (cmd)
3841 			mgmt_pending_remove(cmd);
3842 
3843 		goto failed;
3844 	}
3845 
3846 	memcpy(hdev->dev_name, cp->name, sizeof(hdev->dev_name));
3847 
3848 failed:
3849 	hci_dev_unlock(hdev);
3850 	return err;
3851 }
3852 
3853 static int appearance_changed_sync(struct hci_dev *hdev, void *data)
3854 {
3855 	return adv_expire_sync(hdev, MGMT_ADV_FLAG_APPEARANCE);
3856 }
3857 
3858 static int set_appearance(struct sock *sk, struct hci_dev *hdev, void *data,
3859 			  u16 len)
3860 {
3861 	struct mgmt_cp_set_appearance *cp = data;
3862 	u16 appearance;
3863 	int err;
3864 
3865 	bt_dev_dbg(hdev, "sock %p", sk);
3866 
3867 	if (!lmp_le_capable(hdev))
3868 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_APPEARANCE,
3869 				       MGMT_STATUS_NOT_SUPPORTED);
3870 
3871 	appearance = le16_to_cpu(cp->appearance);
3872 
3873 	hci_dev_lock(hdev);
3874 
3875 	if (hdev->appearance != appearance) {
3876 		hdev->appearance = appearance;
3877 
3878 		if (hci_dev_test_flag(hdev, HCI_LE_ADV))
3879 			hci_cmd_sync_queue(hdev, appearance_changed_sync, NULL,
3880 					   NULL);
3881 
3882 		ext_info_changed(hdev, sk);
3883 	}
3884 
3885 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_APPEARANCE, 0, NULL,
3886 				0);
3887 
3888 	hci_dev_unlock(hdev);
3889 
3890 	return err;
3891 }
3892 
3893 static int get_phy_configuration(struct sock *sk, struct hci_dev *hdev,
3894 				 void *data, u16 len)
3895 {
3896 	struct mgmt_rp_get_phy_configuration rp;
3897 
3898 	bt_dev_dbg(hdev, "sock %p", sk);
3899 
3900 	hci_dev_lock(hdev);
3901 
3902 	memset(&rp, 0, sizeof(rp));
3903 
3904 	rp.supported_phys = cpu_to_le32(get_supported_phys(hdev));
3905 	rp.selected_phys = cpu_to_le32(get_selected_phys(hdev));
3906 	rp.configurable_phys = cpu_to_le32(get_configurable_phys(hdev));
3907 
3908 	hci_dev_unlock(hdev);
3909 
3910 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_PHY_CONFIGURATION, 0,
3911 				 &rp, sizeof(rp));
3912 }
3913 
3914 int mgmt_phy_configuration_changed(struct hci_dev *hdev, struct sock *skip)
3915 {
3916 	struct mgmt_ev_phy_configuration_changed ev;
3917 
3918 	memset(&ev, 0, sizeof(ev));
3919 
3920 	ev.selected_phys = cpu_to_le32(get_selected_phys(hdev));
3921 
3922 	return mgmt_event(MGMT_EV_PHY_CONFIGURATION_CHANGED, hdev, &ev,
3923 			  sizeof(ev), skip);
3924 }
3925 
3926 static void set_default_phy_complete(struct hci_dev *hdev, void *data, int err)
3927 {
3928 	struct mgmt_pending_cmd *cmd = data;
3929 	struct sk_buff *skb = cmd->skb;
3930 	u8 status = mgmt_status(err);
3931 
3932 	if (cmd != pending_find(MGMT_OP_SET_PHY_CONFIGURATION, hdev))
3933 		return;
3934 
3935 	if (!status) {
3936 		if (!skb)
3937 			status = MGMT_STATUS_FAILED;
3938 		else if (IS_ERR(skb))
3939 			status = mgmt_status(PTR_ERR(skb));
3940 		else
3941 			status = mgmt_status(skb->data[0]);
3942 	}
3943 
3944 	bt_dev_dbg(hdev, "status %d", status);
3945 
3946 	if (status) {
3947 		mgmt_cmd_status(cmd->sk, hdev->id,
3948 				MGMT_OP_SET_PHY_CONFIGURATION, status);
3949 	} else {
3950 		mgmt_cmd_complete(cmd->sk, hdev->id,
3951 				  MGMT_OP_SET_PHY_CONFIGURATION, 0,
3952 				  NULL, 0);
3953 
3954 		mgmt_phy_configuration_changed(hdev, cmd->sk);
3955 	}
3956 
3957 	if (skb && !IS_ERR(skb))
3958 		kfree_skb(skb);
3959 
3960 	mgmt_pending_remove(cmd);
3961 }
3962 
3963 static int set_default_phy_sync(struct hci_dev *hdev, void *data)
3964 {
3965 	struct mgmt_pending_cmd *cmd = data;
3966 	struct mgmt_cp_set_phy_configuration *cp = cmd->param;
3967 	struct hci_cp_le_set_default_phy cp_phy;
3968 	u32 selected_phys = __le32_to_cpu(cp->selected_phys);
3969 
3970 	memset(&cp_phy, 0, sizeof(cp_phy));
3971 
3972 	if (!(selected_phys & MGMT_PHY_LE_TX_MASK))
3973 		cp_phy.all_phys |= 0x01;
3974 
3975 	if (!(selected_phys & MGMT_PHY_LE_RX_MASK))
3976 		cp_phy.all_phys |= 0x02;
3977 
3978 	if (selected_phys & MGMT_PHY_LE_1M_TX)
3979 		cp_phy.tx_phys |= HCI_LE_SET_PHY_1M;
3980 
3981 	if (selected_phys & MGMT_PHY_LE_2M_TX)
3982 		cp_phy.tx_phys |= HCI_LE_SET_PHY_2M;
3983 
3984 	if (selected_phys & MGMT_PHY_LE_CODED_TX)
3985 		cp_phy.tx_phys |= HCI_LE_SET_PHY_CODED;
3986 
3987 	if (selected_phys & MGMT_PHY_LE_1M_RX)
3988 		cp_phy.rx_phys |= HCI_LE_SET_PHY_1M;
3989 
3990 	if (selected_phys & MGMT_PHY_LE_2M_RX)
3991 		cp_phy.rx_phys |= HCI_LE_SET_PHY_2M;
3992 
3993 	if (selected_phys & MGMT_PHY_LE_CODED_RX)
3994 		cp_phy.rx_phys |= HCI_LE_SET_PHY_CODED;
3995 
3996 	cmd->skb =  __hci_cmd_sync(hdev, HCI_OP_LE_SET_DEFAULT_PHY,
3997 				   sizeof(cp_phy), &cp_phy, HCI_CMD_TIMEOUT);
3998 
3999 	return 0;
4000 }
4001 
4002 static int set_phy_configuration(struct sock *sk, struct hci_dev *hdev,
4003 				 void *data, u16 len)
4004 {
4005 	struct mgmt_cp_set_phy_configuration *cp = data;
4006 	struct mgmt_pending_cmd *cmd;
4007 	u32 selected_phys, configurable_phys, supported_phys, unconfigure_phys;
4008 	u16 pkt_type = (HCI_DH1 | HCI_DM1);
4009 	bool changed = false;
4010 	int err;
4011 
4012 	bt_dev_dbg(hdev, "sock %p", sk);
4013 
4014 	configurable_phys = get_configurable_phys(hdev);
4015 	supported_phys = get_supported_phys(hdev);
4016 	selected_phys = __le32_to_cpu(cp->selected_phys);
4017 
4018 	if (selected_phys & ~supported_phys)
4019 		return mgmt_cmd_status(sk, hdev->id,
4020 				       MGMT_OP_SET_PHY_CONFIGURATION,
4021 				       MGMT_STATUS_INVALID_PARAMS);
4022 
4023 	unconfigure_phys = supported_phys & ~configurable_phys;
4024 
4025 	if ((selected_phys & unconfigure_phys) != unconfigure_phys)
4026 		return mgmt_cmd_status(sk, hdev->id,
4027 				       MGMT_OP_SET_PHY_CONFIGURATION,
4028 				       MGMT_STATUS_INVALID_PARAMS);
4029 
4030 	if (selected_phys == get_selected_phys(hdev))
4031 		return mgmt_cmd_complete(sk, hdev->id,
4032 					 MGMT_OP_SET_PHY_CONFIGURATION,
4033 					 0, NULL, 0);
4034 
4035 	hci_dev_lock(hdev);
4036 
4037 	if (!hdev_is_powered(hdev)) {
4038 		err = mgmt_cmd_status(sk, hdev->id,
4039 				      MGMT_OP_SET_PHY_CONFIGURATION,
4040 				      MGMT_STATUS_REJECTED);
4041 		goto unlock;
4042 	}
4043 
4044 	if (pending_find(MGMT_OP_SET_PHY_CONFIGURATION, hdev)) {
4045 		err = mgmt_cmd_status(sk, hdev->id,
4046 				      MGMT_OP_SET_PHY_CONFIGURATION,
4047 				      MGMT_STATUS_BUSY);
4048 		goto unlock;
4049 	}
4050 
4051 	if (selected_phys & MGMT_PHY_BR_1M_3SLOT)
4052 		pkt_type |= (HCI_DH3 | HCI_DM3);
4053 	else
4054 		pkt_type &= ~(HCI_DH3 | HCI_DM3);
4055 
4056 	if (selected_phys & MGMT_PHY_BR_1M_5SLOT)
4057 		pkt_type |= (HCI_DH5 | HCI_DM5);
4058 	else
4059 		pkt_type &= ~(HCI_DH5 | HCI_DM5);
4060 
4061 	if (selected_phys & MGMT_PHY_EDR_2M_1SLOT)
4062 		pkt_type &= ~HCI_2DH1;
4063 	else
4064 		pkt_type |= HCI_2DH1;
4065 
4066 	if (selected_phys & MGMT_PHY_EDR_2M_3SLOT)
4067 		pkt_type &= ~HCI_2DH3;
4068 	else
4069 		pkt_type |= HCI_2DH3;
4070 
4071 	if (selected_phys & MGMT_PHY_EDR_2M_5SLOT)
4072 		pkt_type &= ~HCI_2DH5;
4073 	else
4074 		pkt_type |= HCI_2DH5;
4075 
4076 	if (selected_phys & MGMT_PHY_EDR_3M_1SLOT)
4077 		pkt_type &= ~HCI_3DH1;
4078 	else
4079 		pkt_type |= HCI_3DH1;
4080 
4081 	if (selected_phys & MGMT_PHY_EDR_3M_3SLOT)
4082 		pkt_type &= ~HCI_3DH3;
4083 	else
4084 		pkt_type |= HCI_3DH3;
4085 
4086 	if (selected_phys & MGMT_PHY_EDR_3M_5SLOT)
4087 		pkt_type &= ~HCI_3DH5;
4088 	else
4089 		pkt_type |= HCI_3DH5;
4090 
4091 	if (pkt_type != hdev->pkt_type) {
4092 		hdev->pkt_type = pkt_type;
4093 		changed = true;
4094 	}
4095 
4096 	if ((selected_phys & MGMT_PHY_LE_MASK) ==
4097 	    (get_selected_phys(hdev) & MGMT_PHY_LE_MASK)) {
4098 		if (changed)
4099 			mgmt_phy_configuration_changed(hdev, sk);
4100 
4101 		err = mgmt_cmd_complete(sk, hdev->id,
4102 					MGMT_OP_SET_PHY_CONFIGURATION,
4103 					0, NULL, 0);
4104 
4105 		goto unlock;
4106 	}
4107 
4108 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_PHY_CONFIGURATION, hdev, data,
4109 			       len);
4110 	if (!cmd)
4111 		err = -ENOMEM;
4112 	else
4113 		err = hci_cmd_sync_queue(hdev, set_default_phy_sync, cmd,
4114 					 set_default_phy_complete);
4115 
4116 	if (err < 0) {
4117 		err = mgmt_cmd_status(sk, hdev->id,
4118 				      MGMT_OP_SET_PHY_CONFIGURATION,
4119 				      MGMT_STATUS_FAILED);
4120 
4121 		if (cmd)
4122 			mgmt_pending_remove(cmd);
4123 	}
4124 
4125 unlock:
4126 	hci_dev_unlock(hdev);
4127 
4128 	return err;
4129 }
4130 
4131 static int set_blocked_keys(struct sock *sk, struct hci_dev *hdev, void *data,
4132 			    u16 len)
4133 {
4134 	int err = MGMT_STATUS_SUCCESS;
4135 	struct mgmt_cp_set_blocked_keys *keys = data;
4136 	const u16 max_key_count = ((U16_MAX - sizeof(*keys)) /
4137 				   sizeof(struct mgmt_blocked_key_info));
4138 	u16 key_count, expected_len;
4139 	int i;
4140 
4141 	bt_dev_dbg(hdev, "sock %p", sk);
4142 
4143 	key_count = __le16_to_cpu(keys->key_count);
4144 	if (key_count > max_key_count) {
4145 		bt_dev_err(hdev, "too big key_count value %u", key_count);
4146 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BLOCKED_KEYS,
4147 				       MGMT_STATUS_INVALID_PARAMS);
4148 	}
4149 
4150 	expected_len = struct_size(keys, keys, key_count);
4151 	if (expected_len != len) {
4152 		bt_dev_err(hdev, "expected %u bytes, got %u bytes",
4153 			   expected_len, len);
4154 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BLOCKED_KEYS,
4155 				       MGMT_STATUS_INVALID_PARAMS);
4156 	}
4157 
4158 	hci_dev_lock(hdev);
4159 
4160 	hci_blocked_keys_clear(hdev);
4161 
4162 	for (i = 0; i < key_count; ++i) {
4163 		struct blocked_key *b = kzalloc(sizeof(*b), GFP_KERNEL);
4164 
4165 		if (!b) {
4166 			err = MGMT_STATUS_NO_RESOURCES;
4167 			break;
4168 		}
4169 
4170 		b->type = keys->keys[i].type;
4171 		memcpy(b->val, keys->keys[i].val, sizeof(b->val));
4172 		list_add_rcu(&b->list, &hdev->blocked_keys);
4173 	}
4174 	hci_dev_unlock(hdev);
4175 
4176 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_BLOCKED_KEYS,
4177 				err, NULL, 0);
4178 }
4179 
4180 static int set_wideband_speech(struct sock *sk, struct hci_dev *hdev,
4181 			       void *data, u16 len)
4182 {
4183 	struct mgmt_mode *cp = data;
4184 	int err;
4185 	bool changed = false;
4186 
4187 	bt_dev_dbg(hdev, "sock %p", sk);
4188 
4189 	if (!test_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, &hdev->quirks))
4190 		return mgmt_cmd_status(sk, hdev->id,
4191 				       MGMT_OP_SET_WIDEBAND_SPEECH,
4192 				       MGMT_STATUS_NOT_SUPPORTED);
4193 
4194 	if (cp->val != 0x00 && cp->val != 0x01)
4195 		return mgmt_cmd_status(sk, hdev->id,
4196 				       MGMT_OP_SET_WIDEBAND_SPEECH,
4197 				       MGMT_STATUS_INVALID_PARAMS);
4198 
4199 	hci_dev_lock(hdev);
4200 
4201 	if (hdev_is_powered(hdev) &&
4202 	    !!cp->val != hci_dev_test_flag(hdev,
4203 					   HCI_WIDEBAND_SPEECH_ENABLED)) {
4204 		err = mgmt_cmd_status(sk, hdev->id,
4205 				      MGMT_OP_SET_WIDEBAND_SPEECH,
4206 				      MGMT_STATUS_REJECTED);
4207 		goto unlock;
4208 	}
4209 
4210 	if (cp->val)
4211 		changed = !hci_dev_test_and_set_flag(hdev,
4212 						   HCI_WIDEBAND_SPEECH_ENABLED);
4213 	else
4214 		changed = hci_dev_test_and_clear_flag(hdev,
4215 						   HCI_WIDEBAND_SPEECH_ENABLED);
4216 
4217 	err = send_settings_rsp(sk, MGMT_OP_SET_WIDEBAND_SPEECH, hdev);
4218 	if (err < 0)
4219 		goto unlock;
4220 
4221 	if (changed)
4222 		err = new_settings(hdev, sk);
4223 
4224 unlock:
4225 	hci_dev_unlock(hdev);
4226 	return err;
4227 }
4228 
4229 static int read_controller_cap(struct sock *sk, struct hci_dev *hdev,
4230 			       void *data, u16 data_len)
4231 {
4232 	char buf[20];
4233 	struct mgmt_rp_read_controller_cap *rp = (void *)buf;
4234 	u16 cap_len = 0;
4235 	u8 flags = 0;
4236 	u8 tx_power_range[2];
4237 
4238 	bt_dev_dbg(hdev, "sock %p", sk);
4239 
4240 	memset(&buf, 0, sizeof(buf));
4241 
4242 	hci_dev_lock(hdev);
4243 
4244 	/* When the Read Simple Pairing Options command is supported, then
4245 	 * the remote public key validation is supported.
4246 	 *
4247 	 * Alternatively, when Microsoft extensions are available, they can
4248 	 * indicate support for public key validation as well.
4249 	 */
4250 	if ((hdev->commands[41] & 0x08) || msft_curve_validity(hdev))
4251 		flags |= 0x01;	/* Remote public key validation (BR/EDR) */
4252 
4253 	flags |= 0x02;		/* Remote public key validation (LE) */
4254 
4255 	/* When the Read Encryption Key Size command is supported, then the
4256 	 * encryption key size is enforced.
4257 	 */
4258 	if (hdev->commands[20] & 0x10)
4259 		flags |= 0x04;	/* Encryption key size enforcement (BR/EDR) */
4260 
4261 	flags |= 0x08;		/* Encryption key size enforcement (LE) */
4262 
4263 	cap_len = eir_append_data(rp->cap, cap_len, MGMT_CAP_SEC_FLAGS,
4264 				  &flags, 1);
4265 
4266 	/* When the Read Simple Pairing Options command is supported, then
4267 	 * also max encryption key size information is provided.
4268 	 */
4269 	if (hdev->commands[41] & 0x08)
4270 		cap_len = eir_append_le16(rp->cap, cap_len,
4271 					  MGMT_CAP_MAX_ENC_KEY_SIZE,
4272 					  hdev->max_enc_key_size);
4273 
4274 	cap_len = eir_append_le16(rp->cap, cap_len,
4275 				  MGMT_CAP_SMP_MAX_ENC_KEY_SIZE,
4276 				  SMP_MAX_ENC_KEY_SIZE);
4277 
4278 	/* Append the min/max LE tx power parameters if we were able to fetch
4279 	 * it from the controller
4280 	 */
4281 	if (hdev->commands[38] & 0x80) {
4282 		memcpy(&tx_power_range[0], &hdev->min_le_tx_power, 1);
4283 		memcpy(&tx_power_range[1], &hdev->max_le_tx_power, 1);
4284 		cap_len = eir_append_data(rp->cap, cap_len, MGMT_CAP_LE_TX_PWR,
4285 					  tx_power_range, 2);
4286 	}
4287 
4288 	rp->cap_len = cpu_to_le16(cap_len);
4289 
4290 	hci_dev_unlock(hdev);
4291 
4292 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_CONTROLLER_CAP, 0,
4293 				 rp, sizeof(*rp) + cap_len);
4294 }
4295 
4296 #ifdef CONFIG_BT_FEATURE_DEBUG
4297 /* d4992530-b9ec-469f-ab01-6c481c47da1c */
4298 static const u8 debug_uuid[16] = {
4299 	0x1c, 0xda, 0x47, 0x1c, 0x48, 0x6c, 0x01, 0xab,
4300 	0x9f, 0x46, 0xec, 0xb9, 0x30, 0x25, 0x99, 0xd4,
4301 };
4302 #endif
4303 
4304 /* 330859bc-7506-492d-9370-9a6f0614037f */
4305 static const u8 quality_report_uuid[16] = {
4306 	0x7f, 0x03, 0x14, 0x06, 0x6f, 0x9a, 0x70, 0x93,
4307 	0x2d, 0x49, 0x06, 0x75, 0xbc, 0x59, 0x08, 0x33,
4308 };
4309 
4310 /* a6695ace-ee7f-4fb9-881a-5fac66c629af */
4311 static const u8 offload_codecs_uuid[16] = {
4312 	0xaf, 0x29, 0xc6, 0x66, 0xac, 0x5f, 0x1a, 0x88,
4313 	0xb9, 0x4f, 0x7f, 0xee, 0xce, 0x5a, 0x69, 0xa6,
4314 };
4315 
4316 /* 671b10b5-42c0-4696-9227-eb28d1b049d6 */
4317 static const u8 le_simultaneous_roles_uuid[16] = {
4318 	0xd6, 0x49, 0xb0, 0xd1, 0x28, 0xeb, 0x27, 0x92,
4319 	0x96, 0x46, 0xc0, 0x42, 0xb5, 0x10, 0x1b, 0x67,
4320 };
4321 
4322 /* 15c0a148-c273-11ea-b3de-0242ac130004 */
4323 static const u8 rpa_resolution_uuid[16] = {
4324 	0x04, 0x00, 0x13, 0xac, 0x42, 0x02, 0xde, 0xb3,
4325 	0xea, 0x11, 0x73, 0xc2, 0x48, 0xa1, 0xc0, 0x15,
4326 };
4327 
4328 /* 6fbaf188-05e0-496a-9885-d6ddfdb4e03e */
4329 static const u8 iso_socket_uuid[16] = {
4330 	0x3e, 0xe0, 0xb4, 0xfd, 0xdd, 0xd6, 0x85, 0x98,
4331 	0x6a, 0x49, 0xe0, 0x05, 0x88, 0xf1, 0xba, 0x6f,
4332 };
4333 
4334 /* 2ce463d7-7a03-4d8d-bf05-5f24e8f36e76 */
4335 static const u8 mgmt_mesh_uuid[16] = {
4336 	0x76, 0x6e, 0xf3, 0xe8, 0x24, 0x5f, 0x05, 0xbf,
4337 	0x8d, 0x4d, 0x03, 0x7a, 0xd7, 0x63, 0xe4, 0x2c,
4338 };
4339 
4340 static int read_exp_features_info(struct sock *sk, struct hci_dev *hdev,
4341 				  void *data, u16 data_len)
4342 {
4343 	struct mgmt_rp_read_exp_features_info *rp;
4344 	size_t len;
4345 	u16 idx = 0;
4346 	u32 flags;
4347 	int status;
4348 
4349 	bt_dev_dbg(hdev, "sock %p", sk);
4350 
4351 	/* Enough space for 7 features */
4352 	len = sizeof(*rp) + (sizeof(rp->features[0]) * 7);
4353 	rp = kzalloc(len, GFP_KERNEL);
4354 	if (!rp)
4355 		return -ENOMEM;
4356 
4357 #ifdef CONFIG_BT_FEATURE_DEBUG
4358 	if (!hdev) {
4359 		flags = bt_dbg_get() ? BIT(0) : 0;
4360 
4361 		memcpy(rp->features[idx].uuid, debug_uuid, 16);
4362 		rp->features[idx].flags = cpu_to_le32(flags);
4363 		idx++;
4364 	}
4365 #endif
4366 
4367 	if (hdev && hci_dev_le_state_simultaneous(hdev)) {
4368 		if (hci_dev_test_flag(hdev, HCI_LE_SIMULTANEOUS_ROLES))
4369 			flags = BIT(0);
4370 		else
4371 			flags = 0;
4372 
4373 		memcpy(rp->features[idx].uuid, le_simultaneous_roles_uuid, 16);
4374 		rp->features[idx].flags = cpu_to_le32(flags);
4375 		idx++;
4376 	}
4377 
4378 	if (hdev && ll_privacy_capable(hdev)) {
4379 		if (hci_dev_test_flag(hdev, HCI_ENABLE_LL_PRIVACY))
4380 			flags = BIT(0) | BIT(1);
4381 		else
4382 			flags = BIT(1);
4383 
4384 		memcpy(rp->features[idx].uuid, rpa_resolution_uuid, 16);
4385 		rp->features[idx].flags = cpu_to_le32(flags);
4386 		idx++;
4387 	}
4388 
4389 	if (hdev && (aosp_has_quality_report(hdev) ||
4390 		     hdev->set_quality_report)) {
4391 		if (hci_dev_test_flag(hdev, HCI_QUALITY_REPORT))
4392 			flags = BIT(0);
4393 		else
4394 			flags = 0;
4395 
4396 		memcpy(rp->features[idx].uuid, quality_report_uuid, 16);
4397 		rp->features[idx].flags = cpu_to_le32(flags);
4398 		idx++;
4399 	}
4400 
4401 	if (hdev && hdev->get_data_path_id) {
4402 		if (hci_dev_test_flag(hdev, HCI_OFFLOAD_CODECS_ENABLED))
4403 			flags = BIT(0);
4404 		else
4405 			flags = 0;
4406 
4407 		memcpy(rp->features[idx].uuid, offload_codecs_uuid, 16);
4408 		rp->features[idx].flags = cpu_to_le32(flags);
4409 		idx++;
4410 	}
4411 
4412 	if (IS_ENABLED(CONFIG_BT_LE)) {
4413 		flags = iso_enabled() ? BIT(0) : 0;
4414 		memcpy(rp->features[idx].uuid, iso_socket_uuid, 16);
4415 		rp->features[idx].flags = cpu_to_le32(flags);
4416 		idx++;
4417 	}
4418 
4419 	if (hdev && lmp_le_capable(hdev)) {
4420 		if (hci_dev_test_flag(hdev, HCI_MESH_EXPERIMENTAL))
4421 			flags = BIT(0);
4422 		else
4423 			flags = 0;
4424 
4425 		memcpy(rp->features[idx].uuid, mgmt_mesh_uuid, 16);
4426 		rp->features[idx].flags = cpu_to_le32(flags);
4427 		idx++;
4428 	}
4429 
4430 	rp->feature_count = cpu_to_le16(idx);
4431 
4432 	/* After reading the experimental features information, enable
4433 	 * the events to update client on any future change.
4434 	 */
4435 	hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
4436 
4437 	status = mgmt_cmd_complete(sk, hdev ? hdev->id : MGMT_INDEX_NONE,
4438 				   MGMT_OP_READ_EXP_FEATURES_INFO,
4439 				   0, rp, sizeof(*rp) + (20 * idx));
4440 
4441 	kfree(rp);
4442 	return status;
4443 }
4444 
4445 static int exp_ll_privacy_feature_changed(bool enabled, struct hci_dev *hdev,
4446 					  struct sock *skip)
4447 {
4448 	struct mgmt_ev_exp_feature_changed ev;
4449 
4450 	memset(&ev, 0, sizeof(ev));
4451 	memcpy(ev.uuid, rpa_resolution_uuid, 16);
4452 	ev.flags = cpu_to_le32((enabled ? BIT(0) : 0) | BIT(1));
4453 
4454 	// Do we need to be atomic with the conn_flags?
4455 	if (enabled && privacy_mode_capable(hdev))
4456 		hdev->conn_flags |= HCI_CONN_FLAG_DEVICE_PRIVACY;
4457 	else
4458 		hdev->conn_flags &= ~HCI_CONN_FLAG_DEVICE_PRIVACY;
4459 
4460 	return mgmt_limited_event(MGMT_EV_EXP_FEATURE_CHANGED, hdev,
4461 				  &ev, sizeof(ev),
4462 				  HCI_MGMT_EXP_FEATURE_EVENTS, skip);
4463 
4464 }
4465 
4466 static int exp_feature_changed(struct hci_dev *hdev, const u8 *uuid,
4467 			       bool enabled, struct sock *skip)
4468 {
4469 	struct mgmt_ev_exp_feature_changed ev;
4470 
4471 	memset(&ev, 0, sizeof(ev));
4472 	memcpy(ev.uuid, uuid, 16);
4473 	ev.flags = cpu_to_le32(enabled ? BIT(0) : 0);
4474 
4475 	return mgmt_limited_event(MGMT_EV_EXP_FEATURE_CHANGED, hdev,
4476 				  &ev, sizeof(ev),
4477 				  HCI_MGMT_EXP_FEATURE_EVENTS, skip);
4478 }
4479 
4480 #define EXP_FEAT(_uuid, _set_func)	\
4481 {					\
4482 	.uuid = _uuid,			\
4483 	.set_func = _set_func,		\
4484 }
4485 
4486 /* The zero key uuid is special. Multiple exp features are set through it. */
4487 static int set_zero_key_func(struct sock *sk, struct hci_dev *hdev,
4488 			     struct mgmt_cp_set_exp_feature *cp, u16 data_len)
4489 {
4490 	struct mgmt_rp_set_exp_feature rp;
4491 
4492 	memset(rp.uuid, 0, 16);
4493 	rp.flags = cpu_to_le32(0);
4494 
4495 #ifdef CONFIG_BT_FEATURE_DEBUG
4496 	if (!hdev) {
4497 		bool changed = bt_dbg_get();
4498 
4499 		bt_dbg_set(false);
4500 
4501 		if (changed)
4502 			exp_feature_changed(NULL, ZERO_KEY, false, sk);
4503 	}
4504 #endif
4505 
4506 	if (hdev && use_ll_privacy(hdev) && !hdev_is_powered(hdev)) {
4507 		bool changed;
4508 
4509 		changed = hci_dev_test_and_clear_flag(hdev,
4510 						      HCI_ENABLE_LL_PRIVACY);
4511 		if (changed)
4512 			exp_feature_changed(hdev, rpa_resolution_uuid, false,
4513 					    sk);
4514 	}
4515 
4516 	hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
4517 
4518 	return mgmt_cmd_complete(sk, hdev ? hdev->id : MGMT_INDEX_NONE,
4519 				 MGMT_OP_SET_EXP_FEATURE, 0,
4520 				 &rp, sizeof(rp));
4521 }
4522 
4523 #ifdef CONFIG_BT_FEATURE_DEBUG
4524 static int set_debug_func(struct sock *sk, struct hci_dev *hdev,
4525 			  struct mgmt_cp_set_exp_feature *cp, u16 data_len)
4526 {
4527 	struct mgmt_rp_set_exp_feature rp;
4528 
4529 	bool val, changed;
4530 	int err;
4531 
4532 	/* Command requires to use the non-controller index */
4533 	if (hdev)
4534 		return mgmt_cmd_status(sk, hdev->id,
4535 				       MGMT_OP_SET_EXP_FEATURE,
4536 				       MGMT_STATUS_INVALID_INDEX);
4537 
4538 	/* Parameters are limited to a single octet */
4539 	if (data_len != MGMT_SET_EXP_FEATURE_SIZE + 1)
4540 		return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4541 				       MGMT_OP_SET_EXP_FEATURE,
4542 				       MGMT_STATUS_INVALID_PARAMS);
4543 
4544 	/* Only boolean on/off is supported */
4545 	if (cp->param[0] != 0x00 && cp->param[0] != 0x01)
4546 		return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4547 				       MGMT_OP_SET_EXP_FEATURE,
4548 				       MGMT_STATUS_INVALID_PARAMS);
4549 
4550 	val = !!cp->param[0];
4551 	changed = val ? !bt_dbg_get() : bt_dbg_get();
4552 	bt_dbg_set(val);
4553 
4554 	memcpy(rp.uuid, debug_uuid, 16);
4555 	rp.flags = cpu_to_le32(val ? BIT(0) : 0);
4556 
4557 	hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
4558 
4559 	err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE,
4560 				MGMT_OP_SET_EXP_FEATURE, 0,
4561 				&rp, sizeof(rp));
4562 
4563 	if (changed)
4564 		exp_feature_changed(hdev, debug_uuid, val, sk);
4565 
4566 	return err;
4567 }
4568 #endif
4569 
4570 static int set_mgmt_mesh_func(struct sock *sk, struct hci_dev *hdev,
4571 			      struct mgmt_cp_set_exp_feature *cp, u16 data_len)
4572 {
4573 	struct mgmt_rp_set_exp_feature rp;
4574 	bool val, changed;
4575 	int err;
4576 
4577 	/* Command requires to use the controller index */
4578 	if (!hdev)
4579 		return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4580 				       MGMT_OP_SET_EXP_FEATURE,
4581 				       MGMT_STATUS_INVALID_INDEX);
4582 
4583 	/* Parameters are limited to a single octet */
4584 	if (data_len != MGMT_SET_EXP_FEATURE_SIZE + 1)
4585 		return mgmt_cmd_status(sk, hdev->id,
4586 				       MGMT_OP_SET_EXP_FEATURE,
4587 				       MGMT_STATUS_INVALID_PARAMS);
4588 
4589 	/* Only boolean on/off is supported */
4590 	if (cp->param[0] != 0x00 && cp->param[0] != 0x01)
4591 		return mgmt_cmd_status(sk, hdev->id,
4592 				       MGMT_OP_SET_EXP_FEATURE,
4593 				       MGMT_STATUS_INVALID_PARAMS);
4594 
4595 	val = !!cp->param[0];
4596 
4597 	if (val) {
4598 		changed = !hci_dev_test_and_set_flag(hdev,
4599 						     HCI_MESH_EXPERIMENTAL);
4600 	} else {
4601 		hci_dev_clear_flag(hdev, HCI_MESH);
4602 		changed = hci_dev_test_and_clear_flag(hdev,
4603 						      HCI_MESH_EXPERIMENTAL);
4604 	}
4605 
4606 	memcpy(rp.uuid, mgmt_mesh_uuid, 16);
4607 	rp.flags = cpu_to_le32(val ? BIT(0) : 0);
4608 
4609 	hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
4610 
4611 	err = mgmt_cmd_complete(sk, hdev->id,
4612 				MGMT_OP_SET_EXP_FEATURE, 0,
4613 				&rp, sizeof(rp));
4614 
4615 	if (changed)
4616 		exp_feature_changed(hdev, mgmt_mesh_uuid, val, sk);
4617 
4618 	return err;
4619 }
4620 
4621 static int set_rpa_resolution_func(struct sock *sk, struct hci_dev *hdev,
4622 				   struct mgmt_cp_set_exp_feature *cp,
4623 				   u16 data_len)
4624 {
4625 	struct mgmt_rp_set_exp_feature rp;
4626 	bool val, changed;
4627 	int err;
4628 	u32 flags;
4629 
4630 	/* Command requires to use the controller index */
4631 	if (!hdev)
4632 		return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4633 				       MGMT_OP_SET_EXP_FEATURE,
4634 				       MGMT_STATUS_INVALID_INDEX);
4635 
4636 	/* Changes can only be made when controller is powered down */
4637 	if (hdev_is_powered(hdev))
4638 		return mgmt_cmd_status(sk, hdev->id,
4639 				       MGMT_OP_SET_EXP_FEATURE,
4640 				       MGMT_STATUS_REJECTED);
4641 
4642 	/* Parameters are limited to a single octet */
4643 	if (data_len != MGMT_SET_EXP_FEATURE_SIZE + 1)
4644 		return mgmt_cmd_status(sk, hdev->id,
4645 				       MGMT_OP_SET_EXP_FEATURE,
4646 				       MGMT_STATUS_INVALID_PARAMS);
4647 
4648 	/* Only boolean on/off is supported */
4649 	if (cp->param[0] != 0x00 && cp->param[0] != 0x01)
4650 		return mgmt_cmd_status(sk, hdev->id,
4651 				       MGMT_OP_SET_EXP_FEATURE,
4652 				       MGMT_STATUS_INVALID_PARAMS);
4653 
4654 	val = !!cp->param[0];
4655 
4656 	if (val) {
4657 		changed = !hci_dev_test_and_set_flag(hdev,
4658 						     HCI_ENABLE_LL_PRIVACY);
4659 		hci_dev_clear_flag(hdev, HCI_ADVERTISING);
4660 
4661 		/* Enable LL privacy + supported settings changed */
4662 		flags = BIT(0) | BIT(1);
4663 	} else {
4664 		changed = hci_dev_test_and_clear_flag(hdev,
4665 						      HCI_ENABLE_LL_PRIVACY);
4666 
4667 		/* Disable LL privacy + supported settings changed */
4668 		flags = BIT(1);
4669 	}
4670 
4671 	memcpy(rp.uuid, rpa_resolution_uuid, 16);
4672 	rp.flags = cpu_to_le32(flags);
4673 
4674 	hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
4675 
4676 	err = mgmt_cmd_complete(sk, hdev->id,
4677 				MGMT_OP_SET_EXP_FEATURE, 0,
4678 				&rp, sizeof(rp));
4679 
4680 	if (changed)
4681 		exp_ll_privacy_feature_changed(val, hdev, sk);
4682 
4683 	return err;
4684 }
4685 
4686 static int set_quality_report_func(struct sock *sk, struct hci_dev *hdev,
4687 				   struct mgmt_cp_set_exp_feature *cp,
4688 				   u16 data_len)
4689 {
4690 	struct mgmt_rp_set_exp_feature rp;
4691 	bool val, changed;
4692 	int err;
4693 
4694 	/* Command requires to use a valid controller index */
4695 	if (!hdev)
4696 		return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4697 				       MGMT_OP_SET_EXP_FEATURE,
4698 				       MGMT_STATUS_INVALID_INDEX);
4699 
4700 	/* Parameters are limited to a single octet */
4701 	if (data_len != MGMT_SET_EXP_FEATURE_SIZE + 1)
4702 		return mgmt_cmd_status(sk, hdev->id,
4703 				       MGMT_OP_SET_EXP_FEATURE,
4704 				       MGMT_STATUS_INVALID_PARAMS);
4705 
4706 	/* Only boolean on/off is supported */
4707 	if (cp->param[0] != 0x00 && cp->param[0] != 0x01)
4708 		return mgmt_cmd_status(sk, hdev->id,
4709 				       MGMT_OP_SET_EXP_FEATURE,
4710 				       MGMT_STATUS_INVALID_PARAMS);
4711 
4712 	hci_req_sync_lock(hdev);
4713 
4714 	val = !!cp->param[0];
4715 	changed = (val != hci_dev_test_flag(hdev, HCI_QUALITY_REPORT));
4716 
4717 	if (!aosp_has_quality_report(hdev) && !hdev->set_quality_report) {
4718 		err = mgmt_cmd_status(sk, hdev->id,
4719 				      MGMT_OP_SET_EXP_FEATURE,
4720 				      MGMT_STATUS_NOT_SUPPORTED);
4721 		goto unlock_quality_report;
4722 	}
4723 
4724 	if (changed) {
4725 		if (hdev->set_quality_report)
4726 			err = hdev->set_quality_report(hdev, val);
4727 		else
4728 			err = aosp_set_quality_report(hdev, val);
4729 
4730 		if (err) {
4731 			err = mgmt_cmd_status(sk, hdev->id,
4732 					      MGMT_OP_SET_EXP_FEATURE,
4733 					      MGMT_STATUS_FAILED);
4734 			goto unlock_quality_report;
4735 		}
4736 
4737 		if (val)
4738 			hci_dev_set_flag(hdev, HCI_QUALITY_REPORT);
4739 		else
4740 			hci_dev_clear_flag(hdev, HCI_QUALITY_REPORT);
4741 	}
4742 
4743 	bt_dev_dbg(hdev, "quality report enable %d changed %d", val, changed);
4744 
4745 	memcpy(rp.uuid, quality_report_uuid, 16);
4746 	rp.flags = cpu_to_le32(val ? BIT(0) : 0);
4747 	hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
4748 
4749 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_EXP_FEATURE, 0,
4750 				&rp, sizeof(rp));
4751 
4752 	if (changed)
4753 		exp_feature_changed(hdev, quality_report_uuid, val, sk);
4754 
4755 unlock_quality_report:
4756 	hci_req_sync_unlock(hdev);
4757 	return err;
4758 }
4759 
4760 static int set_offload_codec_func(struct sock *sk, struct hci_dev *hdev,
4761 				  struct mgmt_cp_set_exp_feature *cp,
4762 				  u16 data_len)
4763 {
4764 	bool val, changed;
4765 	int err;
4766 	struct mgmt_rp_set_exp_feature rp;
4767 
4768 	/* Command requires to use a valid controller index */
4769 	if (!hdev)
4770 		return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4771 				       MGMT_OP_SET_EXP_FEATURE,
4772 				       MGMT_STATUS_INVALID_INDEX);
4773 
4774 	/* Parameters are limited to a single octet */
4775 	if (data_len != MGMT_SET_EXP_FEATURE_SIZE + 1)
4776 		return mgmt_cmd_status(sk, hdev->id,
4777 				       MGMT_OP_SET_EXP_FEATURE,
4778 				       MGMT_STATUS_INVALID_PARAMS);
4779 
4780 	/* Only boolean on/off is supported */
4781 	if (cp->param[0] != 0x00 && cp->param[0] != 0x01)
4782 		return mgmt_cmd_status(sk, hdev->id,
4783 				       MGMT_OP_SET_EXP_FEATURE,
4784 				       MGMT_STATUS_INVALID_PARAMS);
4785 
4786 	val = !!cp->param[0];
4787 	changed = (val != hci_dev_test_flag(hdev, HCI_OFFLOAD_CODECS_ENABLED));
4788 
4789 	if (!hdev->get_data_path_id) {
4790 		return mgmt_cmd_status(sk, hdev->id,
4791 				       MGMT_OP_SET_EXP_FEATURE,
4792 				       MGMT_STATUS_NOT_SUPPORTED);
4793 	}
4794 
4795 	if (changed) {
4796 		if (val)
4797 			hci_dev_set_flag(hdev, HCI_OFFLOAD_CODECS_ENABLED);
4798 		else
4799 			hci_dev_clear_flag(hdev, HCI_OFFLOAD_CODECS_ENABLED);
4800 	}
4801 
4802 	bt_dev_info(hdev, "offload codecs enable %d changed %d",
4803 		    val, changed);
4804 
4805 	memcpy(rp.uuid, offload_codecs_uuid, 16);
4806 	rp.flags = cpu_to_le32(val ? BIT(0) : 0);
4807 	hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
4808 	err = mgmt_cmd_complete(sk, hdev->id,
4809 				MGMT_OP_SET_EXP_FEATURE, 0,
4810 				&rp, sizeof(rp));
4811 
4812 	if (changed)
4813 		exp_feature_changed(hdev, offload_codecs_uuid, val, sk);
4814 
4815 	return err;
4816 }
4817 
4818 static int set_le_simultaneous_roles_func(struct sock *sk, struct hci_dev *hdev,
4819 					  struct mgmt_cp_set_exp_feature *cp,
4820 					  u16 data_len)
4821 {
4822 	bool val, changed;
4823 	int err;
4824 	struct mgmt_rp_set_exp_feature rp;
4825 
4826 	/* Command requires to use a valid controller index */
4827 	if (!hdev)
4828 		return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4829 				       MGMT_OP_SET_EXP_FEATURE,
4830 				       MGMT_STATUS_INVALID_INDEX);
4831 
4832 	/* Parameters are limited to a single octet */
4833 	if (data_len != MGMT_SET_EXP_FEATURE_SIZE + 1)
4834 		return mgmt_cmd_status(sk, hdev->id,
4835 				       MGMT_OP_SET_EXP_FEATURE,
4836 				       MGMT_STATUS_INVALID_PARAMS);
4837 
4838 	/* Only boolean on/off is supported */
4839 	if (cp->param[0] != 0x00 && cp->param[0] != 0x01)
4840 		return mgmt_cmd_status(sk, hdev->id,
4841 				       MGMT_OP_SET_EXP_FEATURE,
4842 				       MGMT_STATUS_INVALID_PARAMS);
4843 
4844 	val = !!cp->param[0];
4845 	changed = (val != hci_dev_test_flag(hdev, HCI_LE_SIMULTANEOUS_ROLES));
4846 
4847 	if (!hci_dev_le_state_simultaneous(hdev)) {
4848 		return mgmt_cmd_status(sk, hdev->id,
4849 				       MGMT_OP_SET_EXP_FEATURE,
4850 				       MGMT_STATUS_NOT_SUPPORTED);
4851 	}
4852 
4853 	if (changed) {
4854 		if (val)
4855 			hci_dev_set_flag(hdev, HCI_LE_SIMULTANEOUS_ROLES);
4856 		else
4857 			hci_dev_clear_flag(hdev, HCI_LE_SIMULTANEOUS_ROLES);
4858 	}
4859 
4860 	bt_dev_info(hdev, "LE simultaneous roles enable %d changed %d",
4861 		    val, changed);
4862 
4863 	memcpy(rp.uuid, le_simultaneous_roles_uuid, 16);
4864 	rp.flags = cpu_to_le32(val ? BIT(0) : 0);
4865 	hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
4866 	err = mgmt_cmd_complete(sk, hdev->id,
4867 				MGMT_OP_SET_EXP_FEATURE, 0,
4868 				&rp, sizeof(rp));
4869 
4870 	if (changed)
4871 		exp_feature_changed(hdev, le_simultaneous_roles_uuid, val, sk);
4872 
4873 	return err;
4874 }
4875 
4876 #ifdef CONFIG_BT_LE
4877 static int set_iso_socket_func(struct sock *sk, struct hci_dev *hdev,
4878 			       struct mgmt_cp_set_exp_feature *cp, u16 data_len)
4879 {
4880 	struct mgmt_rp_set_exp_feature rp;
4881 	bool val, changed = false;
4882 	int err;
4883 
4884 	/* Command requires to use the non-controller index */
4885 	if (hdev)
4886 		return mgmt_cmd_status(sk, hdev->id,
4887 				       MGMT_OP_SET_EXP_FEATURE,
4888 				       MGMT_STATUS_INVALID_INDEX);
4889 
4890 	/* Parameters are limited to a single octet */
4891 	if (data_len != MGMT_SET_EXP_FEATURE_SIZE + 1)
4892 		return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4893 				       MGMT_OP_SET_EXP_FEATURE,
4894 				       MGMT_STATUS_INVALID_PARAMS);
4895 
4896 	/* Only boolean on/off is supported */
4897 	if (cp->param[0] != 0x00 && cp->param[0] != 0x01)
4898 		return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4899 				       MGMT_OP_SET_EXP_FEATURE,
4900 				       MGMT_STATUS_INVALID_PARAMS);
4901 
4902 	val = cp->param[0] ? true : false;
4903 	if (val)
4904 		err = iso_init();
4905 	else
4906 		err = iso_exit();
4907 
4908 	if (!err)
4909 		changed = true;
4910 
4911 	memcpy(rp.uuid, iso_socket_uuid, 16);
4912 	rp.flags = cpu_to_le32(val ? BIT(0) : 0);
4913 
4914 	hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
4915 
4916 	err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE,
4917 				MGMT_OP_SET_EXP_FEATURE, 0,
4918 				&rp, sizeof(rp));
4919 
4920 	if (changed)
4921 		exp_feature_changed(hdev, iso_socket_uuid, val, sk);
4922 
4923 	return err;
4924 }
4925 #endif
4926 
4927 static const struct mgmt_exp_feature {
4928 	const u8 *uuid;
4929 	int (*set_func)(struct sock *sk, struct hci_dev *hdev,
4930 			struct mgmt_cp_set_exp_feature *cp, u16 data_len);
4931 } exp_features[] = {
4932 	EXP_FEAT(ZERO_KEY, set_zero_key_func),
4933 #ifdef CONFIG_BT_FEATURE_DEBUG
4934 	EXP_FEAT(debug_uuid, set_debug_func),
4935 #endif
4936 	EXP_FEAT(mgmt_mesh_uuid, set_mgmt_mesh_func),
4937 	EXP_FEAT(rpa_resolution_uuid, set_rpa_resolution_func),
4938 	EXP_FEAT(quality_report_uuid, set_quality_report_func),
4939 	EXP_FEAT(offload_codecs_uuid, set_offload_codec_func),
4940 	EXP_FEAT(le_simultaneous_roles_uuid, set_le_simultaneous_roles_func),
4941 #ifdef CONFIG_BT_LE
4942 	EXP_FEAT(iso_socket_uuid, set_iso_socket_func),
4943 #endif
4944 
4945 	/* end with a null feature */
4946 	EXP_FEAT(NULL, NULL)
4947 };
4948 
4949 static int set_exp_feature(struct sock *sk, struct hci_dev *hdev,
4950 			   void *data, u16 data_len)
4951 {
4952 	struct mgmt_cp_set_exp_feature *cp = data;
4953 	size_t i = 0;
4954 
4955 	bt_dev_dbg(hdev, "sock %p", sk);
4956 
4957 	for (i = 0; exp_features[i].uuid; i++) {
4958 		if (!memcmp(cp->uuid, exp_features[i].uuid, 16))
4959 			return exp_features[i].set_func(sk, hdev, cp, data_len);
4960 	}
4961 
4962 	return mgmt_cmd_status(sk, hdev ? hdev->id : MGMT_INDEX_NONE,
4963 			       MGMT_OP_SET_EXP_FEATURE,
4964 			       MGMT_STATUS_NOT_SUPPORTED);
4965 }
4966 
4967 static u32 get_params_flags(struct hci_dev *hdev,
4968 			    struct hci_conn_params *params)
4969 {
4970 	u32 flags = hdev->conn_flags;
4971 
4972 	/* Devices using RPAs can only be programmed in the acceptlist if
4973 	 * LL Privacy has been enable otherwise they cannot mark
4974 	 * HCI_CONN_FLAG_REMOTE_WAKEUP.
4975 	 */
4976 	if ((flags & HCI_CONN_FLAG_REMOTE_WAKEUP) && !use_ll_privacy(hdev) &&
4977 	    hci_find_irk_by_addr(hdev, &params->addr, params->addr_type))
4978 		flags &= ~HCI_CONN_FLAG_REMOTE_WAKEUP;
4979 
4980 	return flags;
4981 }
4982 
4983 static int get_device_flags(struct sock *sk, struct hci_dev *hdev, void *data,
4984 			    u16 data_len)
4985 {
4986 	struct mgmt_cp_get_device_flags *cp = data;
4987 	struct mgmt_rp_get_device_flags rp;
4988 	struct bdaddr_list_with_flags *br_params;
4989 	struct hci_conn_params *params;
4990 	u32 supported_flags;
4991 	u32 current_flags = 0;
4992 	u8 status = MGMT_STATUS_INVALID_PARAMS;
4993 
4994 	bt_dev_dbg(hdev, "Get device flags %pMR (type 0x%x)\n",
4995 		   &cp->addr.bdaddr, cp->addr.type);
4996 
4997 	hci_dev_lock(hdev);
4998 
4999 	supported_flags = hdev->conn_flags;
5000 
5001 	memset(&rp, 0, sizeof(rp));
5002 
5003 	if (cp->addr.type == BDADDR_BREDR) {
5004 		br_params = hci_bdaddr_list_lookup_with_flags(&hdev->accept_list,
5005 							      &cp->addr.bdaddr,
5006 							      cp->addr.type);
5007 		if (!br_params)
5008 			goto done;
5009 
5010 		current_flags = br_params->flags;
5011 	} else {
5012 		params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr,
5013 						le_addr_type(cp->addr.type));
5014 		if (!params)
5015 			goto done;
5016 
5017 		supported_flags = get_params_flags(hdev, params);
5018 		current_flags = params->flags;
5019 	}
5020 
5021 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
5022 	rp.addr.type = cp->addr.type;
5023 	rp.supported_flags = cpu_to_le32(supported_flags);
5024 	rp.current_flags = cpu_to_le32(current_flags);
5025 
5026 	status = MGMT_STATUS_SUCCESS;
5027 
5028 done:
5029 	hci_dev_unlock(hdev);
5030 
5031 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_DEVICE_FLAGS, status,
5032 				&rp, sizeof(rp));
5033 }
5034 
5035 static void device_flags_changed(struct sock *sk, struct hci_dev *hdev,
5036 				 bdaddr_t *bdaddr, u8 bdaddr_type,
5037 				 u32 supported_flags, u32 current_flags)
5038 {
5039 	struct mgmt_ev_device_flags_changed ev;
5040 
5041 	bacpy(&ev.addr.bdaddr, bdaddr);
5042 	ev.addr.type = bdaddr_type;
5043 	ev.supported_flags = cpu_to_le32(supported_flags);
5044 	ev.current_flags = cpu_to_le32(current_flags);
5045 
5046 	mgmt_event(MGMT_EV_DEVICE_FLAGS_CHANGED, hdev, &ev, sizeof(ev), sk);
5047 }
5048 
5049 static int set_device_flags(struct sock *sk, struct hci_dev *hdev, void *data,
5050 			    u16 len)
5051 {
5052 	struct mgmt_cp_set_device_flags *cp = data;
5053 	struct bdaddr_list_with_flags *br_params;
5054 	struct hci_conn_params *params;
5055 	u8 status = MGMT_STATUS_INVALID_PARAMS;
5056 	u32 supported_flags;
5057 	u32 current_flags = __le32_to_cpu(cp->current_flags);
5058 
5059 	bt_dev_dbg(hdev, "Set device flags %pMR (type 0x%x) = 0x%x",
5060 		   &cp->addr.bdaddr, cp->addr.type, current_flags);
5061 
5062 	// We should take hci_dev_lock() early, I think.. conn_flags can change
5063 	supported_flags = hdev->conn_flags;
5064 
5065 	if ((supported_flags | current_flags) != supported_flags) {
5066 		bt_dev_warn(hdev, "Bad flag given (0x%x) vs supported (0x%0x)",
5067 			    current_flags, supported_flags);
5068 		goto done;
5069 	}
5070 
5071 	hci_dev_lock(hdev);
5072 
5073 	if (cp->addr.type == BDADDR_BREDR) {
5074 		br_params = hci_bdaddr_list_lookup_with_flags(&hdev->accept_list,
5075 							      &cp->addr.bdaddr,
5076 							      cp->addr.type);
5077 
5078 		if (br_params) {
5079 			br_params->flags = current_flags;
5080 			status = MGMT_STATUS_SUCCESS;
5081 		} else {
5082 			bt_dev_warn(hdev, "No such BR/EDR device %pMR (0x%x)",
5083 				    &cp->addr.bdaddr, cp->addr.type);
5084 		}
5085 
5086 		goto unlock;
5087 	}
5088 
5089 	params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr,
5090 					le_addr_type(cp->addr.type));
5091 	if (!params) {
5092 		bt_dev_warn(hdev, "No such LE device %pMR (0x%x)",
5093 			    &cp->addr.bdaddr, le_addr_type(cp->addr.type));
5094 		goto unlock;
5095 	}
5096 
5097 	supported_flags = get_params_flags(hdev, params);
5098 
5099 	if ((supported_flags | current_flags) != supported_flags) {
5100 		bt_dev_warn(hdev, "Bad flag given (0x%x) vs supported (0x%0x)",
5101 			    current_flags, supported_flags);
5102 		goto unlock;
5103 	}
5104 
5105 	WRITE_ONCE(params->flags, current_flags);
5106 	status = MGMT_STATUS_SUCCESS;
5107 
5108 	/* Update passive scan if HCI_CONN_FLAG_DEVICE_PRIVACY
5109 	 * has been set.
5110 	 */
5111 	if (params->flags & HCI_CONN_FLAG_DEVICE_PRIVACY)
5112 		hci_update_passive_scan(hdev);
5113 
5114 unlock:
5115 	hci_dev_unlock(hdev);
5116 
5117 done:
5118 	if (status == MGMT_STATUS_SUCCESS)
5119 		device_flags_changed(sk, hdev, &cp->addr.bdaddr, cp->addr.type,
5120 				     supported_flags, current_flags);
5121 
5122 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_DEVICE_FLAGS, status,
5123 				 &cp->addr, sizeof(cp->addr));
5124 }
5125 
5126 static void mgmt_adv_monitor_added(struct sock *sk, struct hci_dev *hdev,
5127 				   u16 handle)
5128 {
5129 	struct mgmt_ev_adv_monitor_added ev;
5130 
5131 	ev.monitor_handle = cpu_to_le16(handle);
5132 
5133 	mgmt_event(MGMT_EV_ADV_MONITOR_ADDED, hdev, &ev, sizeof(ev), sk);
5134 }
5135 
5136 void mgmt_adv_monitor_removed(struct hci_dev *hdev, u16 handle)
5137 {
5138 	struct mgmt_ev_adv_monitor_removed ev;
5139 	struct mgmt_pending_cmd *cmd;
5140 	struct sock *sk_skip = NULL;
5141 	struct mgmt_cp_remove_adv_monitor *cp;
5142 
5143 	cmd = pending_find(MGMT_OP_REMOVE_ADV_MONITOR, hdev);
5144 	if (cmd) {
5145 		cp = cmd->param;
5146 
5147 		if (cp->monitor_handle)
5148 			sk_skip = cmd->sk;
5149 	}
5150 
5151 	ev.monitor_handle = cpu_to_le16(handle);
5152 
5153 	mgmt_event(MGMT_EV_ADV_MONITOR_REMOVED, hdev, &ev, sizeof(ev), sk_skip);
5154 }
5155 
5156 static int read_adv_mon_features(struct sock *sk, struct hci_dev *hdev,
5157 				 void *data, u16 len)
5158 {
5159 	struct adv_monitor *monitor = NULL;
5160 	struct mgmt_rp_read_adv_monitor_features *rp = NULL;
5161 	int handle, err;
5162 	size_t rp_size = 0;
5163 	__u32 supported = 0;
5164 	__u32 enabled = 0;
5165 	__u16 num_handles = 0;
5166 	__u16 handles[HCI_MAX_ADV_MONITOR_NUM_HANDLES];
5167 
5168 	BT_DBG("request for %s", hdev->name);
5169 
5170 	hci_dev_lock(hdev);
5171 
5172 	if (msft_monitor_supported(hdev))
5173 		supported |= MGMT_ADV_MONITOR_FEATURE_MASK_OR_PATTERNS;
5174 
5175 	idr_for_each_entry(&hdev->adv_monitors_idr, monitor, handle)
5176 		handles[num_handles++] = monitor->handle;
5177 
5178 	hci_dev_unlock(hdev);
5179 
5180 	rp_size = sizeof(*rp) + (num_handles * sizeof(u16));
5181 	rp = kmalloc(rp_size, GFP_KERNEL);
5182 	if (!rp)
5183 		return -ENOMEM;
5184 
5185 	/* All supported features are currently enabled */
5186 	enabled = supported;
5187 
5188 	rp->supported_features = cpu_to_le32(supported);
5189 	rp->enabled_features = cpu_to_le32(enabled);
5190 	rp->max_num_handles = cpu_to_le16(HCI_MAX_ADV_MONITOR_NUM_HANDLES);
5191 	rp->max_num_patterns = HCI_MAX_ADV_MONITOR_NUM_PATTERNS;
5192 	rp->num_handles = cpu_to_le16(num_handles);
5193 	if (num_handles)
5194 		memcpy(&rp->handles, &handles, (num_handles * sizeof(u16)));
5195 
5196 	err = mgmt_cmd_complete(sk, hdev->id,
5197 				MGMT_OP_READ_ADV_MONITOR_FEATURES,
5198 				MGMT_STATUS_SUCCESS, rp, rp_size);
5199 
5200 	kfree(rp);
5201 
5202 	return err;
5203 }
5204 
5205 static void mgmt_add_adv_patterns_monitor_complete(struct hci_dev *hdev,
5206 						   void *data, int status)
5207 {
5208 	struct mgmt_rp_add_adv_patterns_monitor rp;
5209 	struct mgmt_pending_cmd *cmd = data;
5210 	struct adv_monitor *monitor = cmd->user_data;
5211 
5212 	hci_dev_lock(hdev);
5213 
5214 	rp.monitor_handle = cpu_to_le16(monitor->handle);
5215 
5216 	if (!status) {
5217 		mgmt_adv_monitor_added(cmd->sk, hdev, monitor->handle);
5218 		hdev->adv_monitors_cnt++;
5219 		if (monitor->state == ADV_MONITOR_STATE_NOT_REGISTERED)
5220 			monitor->state = ADV_MONITOR_STATE_REGISTERED;
5221 		hci_update_passive_scan(hdev);
5222 	}
5223 
5224 	mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
5225 			  mgmt_status(status), &rp, sizeof(rp));
5226 	mgmt_pending_remove(cmd);
5227 
5228 	hci_dev_unlock(hdev);
5229 	bt_dev_dbg(hdev, "add monitor %d complete, status %d",
5230 		   rp.monitor_handle, status);
5231 }
5232 
5233 static int mgmt_add_adv_patterns_monitor_sync(struct hci_dev *hdev, void *data)
5234 {
5235 	struct mgmt_pending_cmd *cmd = data;
5236 	struct adv_monitor *monitor = cmd->user_data;
5237 
5238 	return hci_add_adv_monitor(hdev, monitor);
5239 }
5240 
5241 static int __add_adv_patterns_monitor(struct sock *sk, struct hci_dev *hdev,
5242 				      struct adv_monitor *m, u8 status,
5243 				      void *data, u16 len, u16 op)
5244 {
5245 	struct mgmt_pending_cmd *cmd;
5246 	int err;
5247 
5248 	hci_dev_lock(hdev);
5249 
5250 	if (status)
5251 		goto unlock;
5252 
5253 	if (pending_find(MGMT_OP_SET_LE, hdev) ||
5254 	    pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR, hdev) ||
5255 	    pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR_RSSI, hdev) ||
5256 	    pending_find(MGMT_OP_REMOVE_ADV_MONITOR, hdev)) {
5257 		status = MGMT_STATUS_BUSY;
5258 		goto unlock;
5259 	}
5260 
5261 	cmd = mgmt_pending_add(sk, op, hdev, data, len);
5262 	if (!cmd) {
5263 		status = MGMT_STATUS_NO_RESOURCES;
5264 		goto unlock;
5265 	}
5266 
5267 	cmd->user_data = m;
5268 	err = hci_cmd_sync_queue(hdev, mgmt_add_adv_patterns_monitor_sync, cmd,
5269 				 mgmt_add_adv_patterns_monitor_complete);
5270 	if (err) {
5271 		if (err == -ENOMEM)
5272 			status = MGMT_STATUS_NO_RESOURCES;
5273 		else
5274 			status = MGMT_STATUS_FAILED;
5275 
5276 		goto unlock;
5277 	}
5278 
5279 	hci_dev_unlock(hdev);
5280 
5281 	return 0;
5282 
5283 unlock:
5284 	hci_free_adv_monitor(hdev, m);
5285 	hci_dev_unlock(hdev);
5286 	return mgmt_cmd_status(sk, hdev->id, op, status);
5287 }
5288 
5289 static void parse_adv_monitor_rssi(struct adv_monitor *m,
5290 				   struct mgmt_adv_rssi_thresholds *rssi)
5291 {
5292 	if (rssi) {
5293 		m->rssi.low_threshold = rssi->low_threshold;
5294 		m->rssi.low_threshold_timeout =
5295 		    __le16_to_cpu(rssi->low_threshold_timeout);
5296 		m->rssi.high_threshold = rssi->high_threshold;
5297 		m->rssi.high_threshold_timeout =
5298 		    __le16_to_cpu(rssi->high_threshold_timeout);
5299 		m->rssi.sampling_period = rssi->sampling_period;
5300 	} else {
5301 		/* Default values. These numbers are the least constricting
5302 		 * parameters for MSFT API to work, so it behaves as if there
5303 		 * are no rssi parameter to consider. May need to be changed
5304 		 * if other API are to be supported.
5305 		 */
5306 		m->rssi.low_threshold = -127;
5307 		m->rssi.low_threshold_timeout = 60;
5308 		m->rssi.high_threshold = -127;
5309 		m->rssi.high_threshold_timeout = 0;
5310 		m->rssi.sampling_period = 0;
5311 	}
5312 }
5313 
5314 static u8 parse_adv_monitor_pattern(struct adv_monitor *m, u8 pattern_count,
5315 				    struct mgmt_adv_pattern *patterns)
5316 {
5317 	u8 offset = 0, length = 0;
5318 	struct adv_pattern *p = NULL;
5319 	int i;
5320 
5321 	for (i = 0; i < pattern_count; i++) {
5322 		offset = patterns[i].offset;
5323 		length = patterns[i].length;
5324 		if (offset >= HCI_MAX_EXT_AD_LENGTH ||
5325 		    length > HCI_MAX_EXT_AD_LENGTH ||
5326 		    (offset + length) > HCI_MAX_EXT_AD_LENGTH)
5327 			return MGMT_STATUS_INVALID_PARAMS;
5328 
5329 		p = kmalloc(sizeof(*p), GFP_KERNEL);
5330 		if (!p)
5331 			return MGMT_STATUS_NO_RESOURCES;
5332 
5333 		p->ad_type = patterns[i].ad_type;
5334 		p->offset = patterns[i].offset;
5335 		p->length = patterns[i].length;
5336 		memcpy(p->value, patterns[i].value, p->length);
5337 
5338 		INIT_LIST_HEAD(&p->list);
5339 		list_add(&p->list, &m->patterns);
5340 	}
5341 
5342 	return MGMT_STATUS_SUCCESS;
5343 }
5344 
5345 static int add_adv_patterns_monitor(struct sock *sk, struct hci_dev *hdev,
5346 				    void *data, u16 len)
5347 {
5348 	struct mgmt_cp_add_adv_patterns_monitor *cp = data;
5349 	struct adv_monitor *m = NULL;
5350 	u8 status = MGMT_STATUS_SUCCESS;
5351 	size_t expected_size = sizeof(*cp);
5352 
5353 	BT_DBG("request for %s", hdev->name);
5354 
5355 	if (len <= sizeof(*cp)) {
5356 		status = MGMT_STATUS_INVALID_PARAMS;
5357 		goto done;
5358 	}
5359 
5360 	expected_size += cp->pattern_count * sizeof(struct mgmt_adv_pattern);
5361 	if (len != expected_size) {
5362 		status = MGMT_STATUS_INVALID_PARAMS;
5363 		goto done;
5364 	}
5365 
5366 	m = kzalloc(sizeof(*m), GFP_KERNEL);
5367 	if (!m) {
5368 		status = MGMT_STATUS_NO_RESOURCES;
5369 		goto done;
5370 	}
5371 
5372 	INIT_LIST_HEAD(&m->patterns);
5373 
5374 	parse_adv_monitor_rssi(m, NULL);
5375 	status = parse_adv_monitor_pattern(m, cp->pattern_count, cp->patterns);
5376 
5377 done:
5378 	return __add_adv_patterns_monitor(sk, hdev, m, status, data, len,
5379 					  MGMT_OP_ADD_ADV_PATTERNS_MONITOR);
5380 }
5381 
5382 static int add_adv_patterns_monitor_rssi(struct sock *sk, struct hci_dev *hdev,
5383 					 void *data, u16 len)
5384 {
5385 	struct mgmt_cp_add_adv_patterns_monitor_rssi *cp = data;
5386 	struct adv_monitor *m = NULL;
5387 	u8 status = MGMT_STATUS_SUCCESS;
5388 	size_t expected_size = sizeof(*cp);
5389 
5390 	BT_DBG("request for %s", hdev->name);
5391 
5392 	if (len <= sizeof(*cp)) {
5393 		status = MGMT_STATUS_INVALID_PARAMS;
5394 		goto done;
5395 	}
5396 
5397 	expected_size += cp->pattern_count * sizeof(struct mgmt_adv_pattern);
5398 	if (len != expected_size) {
5399 		status = MGMT_STATUS_INVALID_PARAMS;
5400 		goto done;
5401 	}
5402 
5403 	m = kzalloc(sizeof(*m), GFP_KERNEL);
5404 	if (!m) {
5405 		status = MGMT_STATUS_NO_RESOURCES;
5406 		goto done;
5407 	}
5408 
5409 	INIT_LIST_HEAD(&m->patterns);
5410 
5411 	parse_adv_monitor_rssi(m, &cp->rssi);
5412 	status = parse_adv_monitor_pattern(m, cp->pattern_count, cp->patterns);
5413 
5414 done:
5415 	return __add_adv_patterns_monitor(sk, hdev, m, status, data, len,
5416 					 MGMT_OP_ADD_ADV_PATTERNS_MONITOR_RSSI);
5417 }
5418 
5419 static void mgmt_remove_adv_monitor_complete(struct hci_dev *hdev,
5420 					     void *data, int status)
5421 {
5422 	struct mgmt_rp_remove_adv_monitor rp;
5423 	struct mgmt_pending_cmd *cmd = data;
5424 	struct mgmt_cp_remove_adv_monitor *cp = cmd->param;
5425 
5426 	hci_dev_lock(hdev);
5427 
5428 	rp.monitor_handle = cp->monitor_handle;
5429 
5430 	if (!status)
5431 		hci_update_passive_scan(hdev);
5432 
5433 	mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
5434 			  mgmt_status(status), &rp, sizeof(rp));
5435 	mgmt_pending_remove(cmd);
5436 
5437 	hci_dev_unlock(hdev);
5438 	bt_dev_dbg(hdev, "remove monitor %d complete, status %d",
5439 		   rp.monitor_handle, status);
5440 }
5441 
5442 static int mgmt_remove_adv_monitor_sync(struct hci_dev *hdev, void *data)
5443 {
5444 	struct mgmt_pending_cmd *cmd = data;
5445 	struct mgmt_cp_remove_adv_monitor *cp = cmd->param;
5446 	u16 handle = __le16_to_cpu(cp->monitor_handle);
5447 
5448 	if (!handle)
5449 		return hci_remove_all_adv_monitor(hdev);
5450 
5451 	return hci_remove_single_adv_monitor(hdev, handle);
5452 }
5453 
5454 static int remove_adv_monitor(struct sock *sk, struct hci_dev *hdev,
5455 			      void *data, u16 len)
5456 {
5457 	struct mgmt_pending_cmd *cmd;
5458 	int err, status;
5459 
5460 	hci_dev_lock(hdev);
5461 
5462 	if (pending_find(MGMT_OP_SET_LE, hdev) ||
5463 	    pending_find(MGMT_OP_REMOVE_ADV_MONITOR, hdev) ||
5464 	    pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR, hdev) ||
5465 	    pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR_RSSI, hdev)) {
5466 		status = MGMT_STATUS_BUSY;
5467 		goto unlock;
5468 	}
5469 
5470 	cmd = mgmt_pending_add(sk, MGMT_OP_REMOVE_ADV_MONITOR, hdev, data, len);
5471 	if (!cmd) {
5472 		status = MGMT_STATUS_NO_RESOURCES;
5473 		goto unlock;
5474 	}
5475 
5476 	err = hci_cmd_sync_submit(hdev, mgmt_remove_adv_monitor_sync, cmd,
5477 				  mgmt_remove_adv_monitor_complete);
5478 
5479 	if (err) {
5480 		mgmt_pending_remove(cmd);
5481 
5482 		if (err == -ENOMEM)
5483 			status = MGMT_STATUS_NO_RESOURCES;
5484 		else
5485 			status = MGMT_STATUS_FAILED;
5486 
5487 		goto unlock;
5488 	}
5489 
5490 	hci_dev_unlock(hdev);
5491 
5492 	return 0;
5493 
5494 unlock:
5495 	hci_dev_unlock(hdev);
5496 	return mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_ADV_MONITOR,
5497 			       status);
5498 }
5499 
5500 static void read_local_oob_data_complete(struct hci_dev *hdev, void *data, int err)
5501 {
5502 	struct mgmt_rp_read_local_oob_data mgmt_rp;
5503 	size_t rp_size = sizeof(mgmt_rp);
5504 	struct mgmt_pending_cmd *cmd = data;
5505 	struct sk_buff *skb = cmd->skb;
5506 	u8 status = mgmt_status(err);
5507 
5508 	if (!status) {
5509 		if (!skb)
5510 			status = MGMT_STATUS_FAILED;
5511 		else if (IS_ERR(skb))
5512 			status = mgmt_status(PTR_ERR(skb));
5513 		else
5514 			status = mgmt_status(skb->data[0]);
5515 	}
5516 
5517 	bt_dev_dbg(hdev, "status %d", status);
5518 
5519 	if (status) {
5520 		mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA, status);
5521 		goto remove;
5522 	}
5523 
5524 	memset(&mgmt_rp, 0, sizeof(mgmt_rp));
5525 
5526 	if (!bredr_sc_enabled(hdev)) {
5527 		struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
5528 
5529 		if (skb->len < sizeof(*rp)) {
5530 			mgmt_cmd_status(cmd->sk, hdev->id,
5531 					MGMT_OP_READ_LOCAL_OOB_DATA,
5532 					MGMT_STATUS_FAILED);
5533 			goto remove;
5534 		}
5535 
5536 		memcpy(mgmt_rp.hash192, rp->hash, sizeof(rp->hash));
5537 		memcpy(mgmt_rp.rand192, rp->rand, sizeof(rp->rand));
5538 
5539 		rp_size -= sizeof(mgmt_rp.hash256) + sizeof(mgmt_rp.rand256);
5540 	} else {
5541 		struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
5542 
5543 		if (skb->len < sizeof(*rp)) {
5544 			mgmt_cmd_status(cmd->sk, hdev->id,
5545 					MGMT_OP_READ_LOCAL_OOB_DATA,
5546 					MGMT_STATUS_FAILED);
5547 			goto remove;
5548 		}
5549 
5550 		memcpy(mgmt_rp.hash192, rp->hash192, sizeof(rp->hash192));
5551 		memcpy(mgmt_rp.rand192, rp->rand192, sizeof(rp->rand192));
5552 
5553 		memcpy(mgmt_rp.hash256, rp->hash256, sizeof(rp->hash256));
5554 		memcpy(mgmt_rp.rand256, rp->rand256, sizeof(rp->rand256));
5555 	}
5556 
5557 	mgmt_cmd_complete(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
5558 			  MGMT_STATUS_SUCCESS, &mgmt_rp, rp_size);
5559 
5560 remove:
5561 	if (skb && !IS_ERR(skb))
5562 		kfree_skb(skb);
5563 
5564 	mgmt_pending_free(cmd);
5565 }
5566 
5567 static int read_local_oob_data_sync(struct hci_dev *hdev, void *data)
5568 {
5569 	struct mgmt_pending_cmd *cmd = data;
5570 
5571 	if (bredr_sc_enabled(hdev))
5572 		cmd->skb = hci_read_local_oob_data_sync(hdev, true, cmd->sk);
5573 	else
5574 		cmd->skb = hci_read_local_oob_data_sync(hdev, false, cmd->sk);
5575 
5576 	if (IS_ERR(cmd->skb))
5577 		return PTR_ERR(cmd->skb);
5578 	else
5579 		return 0;
5580 }
5581 
5582 static int read_local_oob_data(struct sock *sk, struct hci_dev *hdev,
5583 			       void *data, u16 data_len)
5584 {
5585 	struct mgmt_pending_cmd *cmd;
5586 	int err;
5587 
5588 	bt_dev_dbg(hdev, "sock %p", sk);
5589 
5590 	hci_dev_lock(hdev);
5591 
5592 	if (!hdev_is_powered(hdev)) {
5593 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
5594 				      MGMT_STATUS_NOT_POWERED);
5595 		goto unlock;
5596 	}
5597 
5598 	if (!lmp_ssp_capable(hdev)) {
5599 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
5600 				      MGMT_STATUS_NOT_SUPPORTED);
5601 		goto unlock;
5602 	}
5603 
5604 	cmd = mgmt_pending_new(sk, MGMT_OP_READ_LOCAL_OOB_DATA, hdev, NULL, 0);
5605 	if (!cmd)
5606 		err = -ENOMEM;
5607 	else
5608 		err = hci_cmd_sync_queue(hdev, read_local_oob_data_sync, cmd,
5609 					 read_local_oob_data_complete);
5610 
5611 	if (err < 0) {
5612 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
5613 				      MGMT_STATUS_FAILED);
5614 
5615 		if (cmd)
5616 			mgmt_pending_free(cmd);
5617 	}
5618 
5619 unlock:
5620 	hci_dev_unlock(hdev);
5621 	return err;
5622 }
5623 
5624 static int add_remote_oob_data(struct sock *sk, struct hci_dev *hdev,
5625 			       void *data, u16 len)
5626 {
5627 	struct mgmt_addr_info *addr = data;
5628 	int err;
5629 
5630 	bt_dev_dbg(hdev, "sock %p", sk);
5631 
5632 	if (!bdaddr_type_is_valid(addr->type))
5633 		return mgmt_cmd_complete(sk, hdev->id,
5634 					 MGMT_OP_ADD_REMOTE_OOB_DATA,
5635 					 MGMT_STATUS_INVALID_PARAMS,
5636 					 addr, sizeof(*addr));
5637 
5638 	hci_dev_lock(hdev);
5639 
5640 	if (len == MGMT_ADD_REMOTE_OOB_DATA_SIZE) {
5641 		struct mgmt_cp_add_remote_oob_data *cp = data;
5642 		u8 status;
5643 
5644 		if (cp->addr.type != BDADDR_BREDR) {
5645 			err = mgmt_cmd_complete(sk, hdev->id,
5646 						MGMT_OP_ADD_REMOTE_OOB_DATA,
5647 						MGMT_STATUS_INVALID_PARAMS,
5648 						&cp->addr, sizeof(cp->addr));
5649 			goto unlock;
5650 		}
5651 
5652 		err = hci_add_remote_oob_data(hdev, &cp->addr.bdaddr,
5653 					      cp->addr.type, cp->hash,
5654 					      cp->rand, NULL, NULL);
5655 		if (err < 0)
5656 			status = MGMT_STATUS_FAILED;
5657 		else
5658 			status = MGMT_STATUS_SUCCESS;
5659 
5660 		err = mgmt_cmd_complete(sk, hdev->id,
5661 					MGMT_OP_ADD_REMOTE_OOB_DATA, status,
5662 					&cp->addr, sizeof(cp->addr));
5663 	} else if (len == MGMT_ADD_REMOTE_OOB_EXT_DATA_SIZE) {
5664 		struct mgmt_cp_add_remote_oob_ext_data *cp = data;
5665 		u8 *rand192, *hash192, *rand256, *hash256;
5666 		u8 status;
5667 
5668 		if (bdaddr_type_is_le(cp->addr.type)) {
5669 			/* Enforce zero-valued 192-bit parameters as
5670 			 * long as legacy SMP OOB isn't implemented.
5671 			 */
5672 			if (memcmp(cp->rand192, ZERO_KEY, 16) ||
5673 			    memcmp(cp->hash192, ZERO_KEY, 16)) {
5674 				err = mgmt_cmd_complete(sk, hdev->id,
5675 							MGMT_OP_ADD_REMOTE_OOB_DATA,
5676 							MGMT_STATUS_INVALID_PARAMS,
5677 							addr, sizeof(*addr));
5678 				goto unlock;
5679 			}
5680 
5681 			rand192 = NULL;
5682 			hash192 = NULL;
5683 		} else {
5684 			/* In case one of the P-192 values is set to zero,
5685 			 * then just disable OOB data for P-192.
5686 			 */
5687 			if (!memcmp(cp->rand192, ZERO_KEY, 16) ||
5688 			    !memcmp(cp->hash192, ZERO_KEY, 16)) {
5689 				rand192 = NULL;
5690 				hash192 = NULL;
5691 			} else {
5692 				rand192 = cp->rand192;
5693 				hash192 = cp->hash192;
5694 			}
5695 		}
5696 
5697 		/* In case one of the P-256 values is set to zero, then just
5698 		 * disable OOB data for P-256.
5699 		 */
5700 		if (!memcmp(cp->rand256, ZERO_KEY, 16) ||
5701 		    !memcmp(cp->hash256, ZERO_KEY, 16)) {
5702 			rand256 = NULL;
5703 			hash256 = NULL;
5704 		} else {
5705 			rand256 = cp->rand256;
5706 			hash256 = cp->hash256;
5707 		}
5708 
5709 		err = hci_add_remote_oob_data(hdev, &cp->addr.bdaddr,
5710 					      cp->addr.type, hash192, rand192,
5711 					      hash256, rand256);
5712 		if (err < 0)
5713 			status = MGMT_STATUS_FAILED;
5714 		else
5715 			status = MGMT_STATUS_SUCCESS;
5716 
5717 		err = mgmt_cmd_complete(sk, hdev->id,
5718 					MGMT_OP_ADD_REMOTE_OOB_DATA,
5719 					status, &cp->addr, sizeof(cp->addr));
5720 	} else {
5721 		bt_dev_err(hdev, "add_remote_oob_data: invalid len of %u bytes",
5722 			   len);
5723 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_REMOTE_OOB_DATA,
5724 				      MGMT_STATUS_INVALID_PARAMS);
5725 	}
5726 
5727 unlock:
5728 	hci_dev_unlock(hdev);
5729 	return err;
5730 }
5731 
5732 static int remove_remote_oob_data(struct sock *sk, struct hci_dev *hdev,
5733 				  void *data, u16 len)
5734 {
5735 	struct mgmt_cp_remove_remote_oob_data *cp = data;
5736 	u8 status;
5737 	int err;
5738 
5739 	bt_dev_dbg(hdev, "sock %p", sk);
5740 
5741 	if (cp->addr.type != BDADDR_BREDR)
5742 		return mgmt_cmd_complete(sk, hdev->id,
5743 					 MGMT_OP_REMOVE_REMOTE_OOB_DATA,
5744 					 MGMT_STATUS_INVALID_PARAMS,
5745 					 &cp->addr, sizeof(cp->addr));
5746 
5747 	hci_dev_lock(hdev);
5748 
5749 	if (!bacmp(&cp->addr.bdaddr, BDADDR_ANY)) {
5750 		hci_remote_oob_data_clear(hdev);
5751 		status = MGMT_STATUS_SUCCESS;
5752 		goto done;
5753 	}
5754 
5755 	err = hci_remove_remote_oob_data(hdev, &cp->addr.bdaddr, cp->addr.type);
5756 	if (err < 0)
5757 		status = MGMT_STATUS_INVALID_PARAMS;
5758 	else
5759 		status = MGMT_STATUS_SUCCESS;
5760 
5761 done:
5762 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
5763 				status, &cp->addr, sizeof(cp->addr));
5764 
5765 	hci_dev_unlock(hdev);
5766 	return err;
5767 }
5768 
5769 void mgmt_start_discovery_complete(struct hci_dev *hdev, u8 status)
5770 {
5771 	struct mgmt_pending_cmd *cmd;
5772 
5773 	bt_dev_dbg(hdev, "status %u", status);
5774 
5775 	hci_dev_lock(hdev);
5776 
5777 	cmd = pending_find(MGMT_OP_START_DISCOVERY, hdev);
5778 	if (!cmd)
5779 		cmd = pending_find(MGMT_OP_START_SERVICE_DISCOVERY, hdev);
5780 
5781 	if (!cmd)
5782 		cmd = pending_find(MGMT_OP_START_LIMITED_DISCOVERY, hdev);
5783 
5784 	if (cmd) {
5785 		cmd->cmd_complete(cmd, mgmt_status(status));
5786 		mgmt_pending_remove(cmd);
5787 	}
5788 
5789 	hci_dev_unlock(hdev);
5790 }
5791 
5792 static bool discovery_type_is_valid(struct hci_dev *hdev, uint8_t type,
5793 				    uint8_t *mgmt_status)
5794 {
5795 	switch (type) {
5796 	case DISCOV_TYPE_LE:
5797 		*mgmt_status = mgmt_le_support(hdev);
5798 		if (*mgmt_status)
5799 			return false;
5800 		break;
5801 	case DISCOV_TYPE_INTERLEAVED:
5802 		*mgmt_status = mgmt_le_support(hdev);
5803 		if (*mgmt_status)
5804 			return false;
5805 		fallthrough;
5806 	case DISCOV_TYPE_BREDR:
5807 		*mgmt_status = mgmt_bredr_support(hdev);
5808 		if (*mgmt_status)
5809 			return false;
5810 		break;
5811 	default:
5812 		*mgmt_status = MGMT_STATUS_INVALID_PARAMS;
5813 		return false;
5814 	}
5815 
5816 	return true;
5817 }
5818 
5819 static void start_discovery_complete(struct hci_dev *hdev, void *data, int err)
5820 {
5821 	struct mgmt_pending_cmd *cmd = data;
5822 
5823 	if (cmd != pending_find(MGMT_OP_START_DISCOVERY, hdev) &&
5824 	    cmd != pending_find(MGMT_OP_START_LIMITED_DISCOVERY, hdev) &&
5825 	    cmd != pending_find(MGMT_OP_START_SERVICE_DISCOVERY, hdev))
5826 		return;
5827 
5828 	bt_dev_dbg(hdev, "err %d", err);
5829 
5830 	mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, mgmt_status(err),
5831 			  cmd->param, 1);
5832 	mgmt_pending_remove(cmd);
5833 
5834 	hci_discovery_set_state(hdev, err ? DISCOVERY_STOPPED:
5835 				DISCOVERY_FINDING);
5836 }
5837 
5838 static int start_discovery_sync(struct hci_dev *hdev, void *data)
5839 {
5840 	return hci_start_discovery_sync(hdev);
5841 }
5842 
5843 static int start_discovery_internal(struct sock *sk, struct hci_dev *hdev,
5844 				    u16 op, void *data, u16 len)
5845 {
5846 	struct mgmt_cp_start_discovery *cp = data;
5847 	struct mgmt_pending_cmd *cmd;
5848 	u8 status;
5849 	int err;
5850 
5851 	bt_dev_dbg(hdev, "sock %p", sk);
5852 
5853 	hci_dev_lock(hdev);
5854 
5855 	if (!hdev_is_powered(hdev)) {
5856 		err = mgmt_cmd_complete(sk, hdev->id, op,
5857 					MGMT_STATUS_NOT_POWERED,
5858 					&cp->type, sizeof(cp->type));
5859 		goto failed;
5860 	}
5861 
5862 	if (hdev->discovery.state != DISCOVERY_STOPPED ||
5863 	    hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) {
5864 		err = mgmt_cmd_complete(sk, hdev->id, op, MGMT_STATUS_BUSY,
5865 					&cp->type, sizeof(cp->type));
5866 		goto failed;
5867 	}
5868 
5869 	if (!discovery_type_is_valid(hdev, cp->type, &status)) {
5870 		err = mgmt_cmd_complete(sk, hdev->id, op, status,
5871 					&cp->type, sizeof(cp->type));
5872 		goto failed;
5873 	}
5874 
5875 	/* Can't start discovery when it is paused */
5876 	if (hdev->discovery_paused) {
5877 		err = mgmt_cmd_complete(sk, hdev->id, op, MGMT_STATUS_BUSY,
5878 					&cp->type, sizeof(cp->type));
5879 		goto failed;
5880 	}
5881 
5882 	/* Clear the discovery filter first to free any previously
5883 	 * allocated memory for the UUID list.
5884 	 */
5885 	hci_discovery_filter_clear(hdev);
5886 
5887 	hdev->discovery.type = cp->type;
5888 	hdev->discovery.report_invalid_rssi = false;
5889 	if (op == MGMT_OP_START_LIMITED_DISCOVERY)
5890 		hdev->discovery.limited = true;
5891 	else
5892 		hdev->discovery.limited = false;
5893 
5894 	cmd = mgmt_pending_add(sk, op, hdev, data, len);
5895 	if (!cmd) {
5896 		err = -ENOMEM;
5897 		goto failed;
5898 	}
5899 
5900 	err = hci_cmd_sync_queue(hdev, start_discovery_sync, cmd,
5901 				 start_discovery_complete);
5902 	if (err < 0) {
5903 		mgmt_pending_remove(cmd);
5904 		goto failed;
5905 	}
5906 
5907 	hci_discovery_set_state(hdev, DISCOVERY_STARTING);
5908 
5909 failed:
5910 	hci_dev_unlock(hdev);
5911 	return err;
5912 }
5913 
5914 static int start_discovery(struct sock *sk, struct hci_dev *hdev,
5915 			   void *data, u16 len)
5916 {
5917 	return start_discovery_internal(sk, hdev, MGMT_OP_START_DISCOVERY,
5918 					data, len);
5919 }
5920 
5921 static int start_limited_discovery(struct sock *sk, struct hci_dev *hdev,
5922 				   void *data, u16 len)
5923 {
5924 	return start_discovery_internal(sk, hdev,
5925 					MGMT_OP_START_LIMITED_DISCOVERY,
5926 					data, len);
5927 }
5928 
5929 static int start_service_discovery(struct sock *sk, struct hci_dev *hdev,
5930 				   void *data, u16 len)
5931 {
5932 	struct mgmt_cp_start_service_discovery *cp = data;
5933 	struct mgmt_pending_cmd *cmd;
5934 	const u16 max_uuid_count = ((U16_MAX - sizeof(*cp)) / 16);
5935 	u16 uuid_count, expected_len;
5936 	u8 status;
5937 	int err;
5938 
5939 	bt_dev_dbg(hdev, "sock %p", sk);
5940 
5941 	hci_dev_lock(hdev);
5942 
5943 	if (!hdev_is_powered(hdev)) {
5944 		err = mgmt_cmd_complete(sk, hdev->id,
5945 					MGMT_OP_START_SERVICE_DISCOVERY,
5946 					MGMT_STATUS_NOT_POWERED,
5947 					&cp->type, sizeof(cp->type));
5948 		goto failed;
5949 	}
5950 
5951 	if (hdev->discovery.state != DISCOVERY_STOPPED ||
5952 	    hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) {
5953 		err = mgmt_cmd_complete(sk, hdev->id,
5954 					MGMT_OP_START_SERVICE_DISCOVERY,
5955 					MGMT_STATUS_BUSY, &cp->type,
5956 					sizeof(cp->type));
5957 		goto failed;
5958 	}
5959 
5960 	if (hdev->discovery_paused) {
5961 		err = mgmt_cmd_complete(sk, hdev->id,
5962 					MGMT_OP_START_SERVICE_DISCOVERY,
5963 					MGMT_STATUS_BUSY, &cp->type,
5964 					sizeof(cp->type));
5965 		goto failed;
5966 	}
5967 
5968 	uuid_count = __le16_to_cpu(cp->uuid_count);
5969 	if (uuid_count > max_uuid_count) {
5970 		bt_dev_err(hdev, "service_discovery: too big uuid_count value %u",
5971 			   uuid_count);
5972 		err = mgmt_cmd_complete(sk, hdev->id,
5973 					MGMT_OP_START_SERVICE_DISCOVERY,
5974 					MGMT_STATUS_INVALID_PARAMS, &cp->type,
5975 					sizeof(cp->type));
5976 		goto failed;
5977 	}
5978 
5979 	expected_len = sizeof(*cp) + uuid_count * 16;
5980 	if (expected_len != len) {
5981 		bt_dev_err(hdev, "service_discovery: expected %u bytes, got %u bytes",
5982 			   expected_len, len);
5983 		err = mgmt_cmd_complete(sk, hdev->id,
5984 					MGMT_OP_START_SERVICE_DISCOVERY,
5985 					MGMT_STATUS_INVALID_PARAMS, &cp->type,
5986 					sizeof(cp->type));
5987 		goto failed;
5988 	}
5989 
5990 	if (!discovery_type_is_valid(hdev, cp->type, &status)) {
5991 		err = mgmt_cmd_complete(sk, hdev->id,
5992 					MGMT_OP_START_SERVICE_DISCOVERY,
5993 					status, &cp->type, sizeof(cp->type));
5994 		goto failed;
5995 	}
5996 
5997 	cmd = mgmt_pending_add(sk, MGMT_OP_START_SERVICE_DISCOVERY,
5998 			       hdev, data, len);
5999 	if (!cmd) {
6000 		err = -ENOMEM;
6001 		goto failed;
6002 	}
6003 
6004 	/* Clear the discovery filter first to free any previously
6005 	 * allocated memory for the UUID list.
6006 	 */
6007 	hci_discovery_filter_clear(hdev);
6008 
6009 	hdev->discovery.result_filtering = true;
6010 	hdev->discovery.type = cp->type;
6011 	hdev->discovery.rssi = cp->rssi;
6012 	hdev->discovery.uuid_count = uuid_count;
6013 
6014 	if (uuid_count > 0) {
6015 		hdev->discovery.uuids = kmemdup(cp->uuids, uuid_count * 16,
6016 						GFP_KERNEL);
6017 		if (!hdev->discovery.uuids) {
6018 			err = mgmt_cmd_complete(sk, hdev->id,
6019 						MGMT_OP_START_SERVICE_DISCOVERY,
6020 						MGMT_STATUS_FAILED,
6021 						&cp->type, sizeof(cp->type));
6022 			mgmt_pending_remove(cmd);
6023 			goto failed;
6024 		}
6025 	}
6026 
6027 	err = hci_cmd_sync_queue(hdev, start_discovery_sync, cmd,
6028 				 start_discovery_complete);
6029 	if (err < 0) {
6030 		mgmt_pending_remove(cmd);
6031 		goto failed;
6032 	}
6033 
6034 	hci_discovery_set_state(hdev, DISCOVERY_STARTING);
6035 
6036 failed:
6037 	hci_dev_unlock(hdev);
6038 	return err;
6039 }
6040 
6041 void mgmt_stop_discovery_complete(struct hci_dev *hdev, u8 status)
6042 {
6043 	struct mgmt_pending_cmd *cmd;
6044 
6045 	bt_dev_dbg(hdev, "status %u", status);
6046 
6047 	hci_dev_lock(hdev);
6048 
6049 	cmd = pending_find(MGMT_OP_STOP_DISCOVERY, hdev);
6050 	if (cmd) {
6051 		cmd->cmd_complete(cmd, mgmt_status(status));
6052 		mgmt_pending_remove(cmd);
6053 	}
6054 
6055 	hci_dev_unlock(hdev);
6056 }
6057 
6058 static void stop_discovery_complete(struct hci_dev *hdev, void *data, int err)
6059 {
6060 	struct mgmt_pending_cmd *cmd = data;
6061 
6062 	if (cmd != pending_find(MGMT_OP_STOP_DISCOVERY, hdev))
6063 		return;
6064 
6065 	bt_dev_dbg(hdev, "err %d", err);
6066 
6067 	mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, mgmt_status(err),
6068 			  cmd->param, 1);
6069 	mgmt_pending_remove(cmd);
6070 
6071 	if (!err)
6072 		hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
6073 }
6074 
6075 static int stop_discovery_sync(struct hci_dev *hdev, void *data)
6076 {
6077 	return hci_stop_discovery_sync(hdev);
6078 }
6079 
6080 static int stop_discovery(struct sock *sk, struct hci_dev *hdev, void *data,
6081 			  u16 len)
6082 {
6083 	struct mgmt_cp_stop_discovery *mgmt_cp = data;
6084 	struct mgmt_pending_cmd *cmd;
6085 	int err;
6086 
6087 	bt_dev_dbg(hdev, "sock %p", sk);
6088 
6089 	hci_dev_lock(hdev);
6090 
6091 	if (!hci_discovery_active(hdev)) {
6092 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_STOP_DISCOVERY,
6093 					MGMT_STATUS_REJECTED, &mgmt_cp->type,
6094 					sizeof(mgmt_cp->type));
6095 		goto unlock;
6096 	}
6097 
6098 	if (hdev->discovery.type != mgmt_cp->type) {
6099 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_STOP_DISCOVERY,
6100 					MGMT_STATUS_INVALID_PARAMS,
6101 					&mgmt_cp->type, sizeof(mgmt_cp->type));
6102 		goto unlock;
6103 	}
6104 
6105 	cmd = mgmt_pending_add(sk, MGMT_OP_STOP_DISCOVERY, hdev, data, len);
6106 	if (!cmd) {
6107 		err = -ENOMEM;
6108 		goto unlock;
6109 	}
6110 
6111 	err = hci_cmd_sync_queue(hdev, stop_discovery_sync, cmd,
6112 				 stop_discovery_complete);
6113 	if (err < 0) {
6114 		mgmt_pending_remove(cmd);
6115 		goto unlock;
6116 	}
6117 
6118 	hci_discovery_set_state(hdev, DISCOVERY_STOPPING);
6119 
6120 unlock:
6121 	hci_dev_unlock(hdev);
6122 	return err;
6123 }
6124 
6125 static int confirm_name(struct sock *sk, struct hci_dev *hdev, void *data,
6126 			u16 len)
6127 {
6128 	struct mgmt_cp_confirm_name *cp = data;
6129 	struct inquiry_entry *e;
6130 	int err;
6131 
6132 	bt_dev_dbg(hdev, "sock %p", sk);
6133 
6134 	hci_dev_lock(hdev);
6135 
6136 	if (!hci_discovery_active(hdev)) {
6137 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CONFIRM_NAME,
6138 					MGMT_STATUS_FAILED, &cp->addr,
6139 					sizeof(cp->addr));
6140 		goto failed;
6141 	}
6142 
6143 	e = hci_inquiry_cache_lookup_unknown(hdev, &cp->addr.bdaddr);
6144 	if (!e) {
6145 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CONFIRM_NAME,
6146 					MGMT_STATUS_INVALID_PARAMS, &cp->addr,
6147 					sizeof(cp->addr));
6148 		goto failed;
6149 	}
6150 
6151 	if (cp->name_known) {
6152 		e->name_state = NAME_KNOWN;
6153 		list_del(&e->list);
6154 	} else {
6155 		e->name_state = NAME_NEEDED;
6156 		hci_inquiry_cache_update_resolve(hdev, e);
6157 	}
6158 
6159 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CONFIRM_NAME, 0,
6160 				&cp->addr, sizeof(cp->addr));
6161 
6162 failed:
6163 	hci_dev_unlock(hdev);
6164 	return err;
6165 }
6166 
6167 static int block_device(struct sock *sk, struct hci_dev *hdev, void *data,
6168 			u16 len)
6169 {
6170 	struct mgmt_cp_block_device *cp = data;
6171 	u8 status;
6172 	int err;
6173 
6174 	bt_dev_dbg(hdev, "sock %p", sk);
6175 
6176 	if (!bdaddr_type_is_valid(cp->addr.type))
6177 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_BLOCK_DEVICE,
6178 					 MGMT_STATUS_INVALID_PARAMS,
6179 					 &cp->addr, sizeof(cp->addr));
6180 
6181 	hci_dev_lock(hdev);
6182 
6183 	err = hci_bdaddr_list_add(&hdev->reject_list, &cp->addr.bdaddr,
6184 				  cp->addr.type);
6185 	if (err < 0) {
6186 		status = MGMT_STATUS_FAILED;
6187 		goto done;
6188 	}
6189 
6190 	mgmt_event(MGMT_EV_DEVICE_BLOCKED, hdev, &cp->addr, sizeof(cp->addr),
6191 		   sk);
6192 	status = MGMT_STATUS_SUCCESS;
6193 
6194 done:
6195 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_BLOCK_DEVICE, status,
6196 				&cp->addr, sizeof(cp->addr));
6197 
6198 	hci_dev_unlock(hdev);
6199 
6200 	return err;
6201 }
6202 
6203 static int unblock_device(struct sock *sk, struct hci_dev *hdev, void *data,
6204 			  u16 len)
6205 {
6206 	struct mgmt_cp_unblock_device *cp = data;
6207 	u8 status;
6208 	int err;
6209 
6210 	bt_dev_dbg(hdev, "sock %p", sk);
6211 
6212 	if (!bdaddr_type_is_valid(cp->addr.type))
6213 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNBLOCK_DEVICE,
6214 					 MGMT_STATUS_INVALID_PARAMS,
6215 					 &cp->addr, sizeof(cp->addr));
6216 
6217 	hci_dev_lock(hdev);
6218 
6219 	err = hci_bdaddr_list_del(&hdev->reject_list, &cp->addr.bdaddr,
6220 				  cp->addr.type);
6221 	if (err < 0) {
6222 		status = MGMT_STATUS_INVALID_PARAMS;
6223 		goto done;
6224 	}
6225 
6226 	mgmt_event(MGMT_EV_DEVICE_UNBLOCKED, hdev, &cp->addr, sizeof(cp->addr),
6227 		   sk);
6228 	status = MGMT_STATUS_SUCCESS;
6229 
6230 done:
6231 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNBLOCK_DEVICE, status,
6232 				&cp->addr, sizeof(cp->addr));
6233 
6234 	hci_dev_unlock(hdev);
6235 
6236 	return err;
6237 }
6238 
6239 static int set_device_id_sync(struct hci_dev *hdev, void *data)
6240 {
6241 	return hci_update_eir_sync(hdev);
6242 }
6243 
6244 static int set_device_id(struct sock *sk, struct hci_dev *hdev, void *data,
6245 			 u16 len)
6246 {
6247 	struct mgmt_cp_set_device_id *cp = data;
6248 	int err;
6249 	__u16 source;
6250 
6251 	bt_dev_dbg(hdev, "sock %p", sk);
6252 
6253 	source = __le16_to_cpu(cp->source);
6254 
6255 	if (source > 0x0002)
6256 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEVICE_ID,
6257 				       MGMT_STATUS_INVALID_PARAMS);
6258 
6259 	hci_dev_lock(hdev);
6260 
6261 	hdev->devid_source = source;
6262 	hdev->devid_vendor = __le16_to_cpu(cp->vendor);
6263 	hdev->devid_product = __le16_to_cpu(cp->product);
6264 	hdev->devid_version = __le16_to_cpu(cp->version);
6265 
6266 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_DEVICE_ID, 0,
6267 				NULL, 0);
6268 
6269 	hci_cmd_sync_queue(hdev, set_device_id_sync, NULL, NULL);
6270 
6271 	hci_dev_unlock(hdev);
6272 
6273 	return err;
6274 }
6275 
6276 static void enable_advertising_instance(struct hci_dev *hdev, int err)
6277 {
6278 	if (err)
6279 		bt_dev_err(hdev, "failed to re-configure advertising %d", err);
6280 	else
6281 		bt_dev_dbg(hdev, "status %d", err);
6282 }
6283 
6284 static void set_advertising_complete(struct hci_dev *hdev, void *data, int err)
6285 {
6286 	struct cmd_lookup match = { NULL, hdev };
6287 	u8 instance;
6288 	struct adv_info *adv_instance;
6289 	u8 status = mgmt_status(err);
6290 
6291 	if (status) {
6292 		mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev,
6293 				     cmd_status_rsp, &status);
6294 		return;
6295 	}
6296 
6297 	if (hci_dev_test_flag(hdev, HCI_LE_ADV))
6298 		hci_dev_set_flag(hdev, HCI_ADVERTISING);
6299 	else
6300 		hci_dev_clear_flag(hdev, HCI_ADVERTISING);
6301 
6302 	mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev, settings_rsp,
6303 			     &match);
6304 
6305 	new_settings(hdev, match.sk);
6306 
6307 	if (match.sk)
6308 		sock_put(match.sk);
6309 
6310 	/* If "Set Advertising" was just disabled and instance advertising was
6311 	 * set up earlier, then re-enable multi-instance advertising.
6312 	 */
6313 	if (hci_dev_test_flag(hdev, HCI_ADVERTISING) ||
6314 	    list_empty(&hdev->adv_instances))
6315 		return;
6316 
6317 	instance = hdev->cur_adv_instance;
6318 	if (!instance) {
6319 		adv_instance = list_first_entry_or_null(&hdev->adv_instances,
6320 							struct adv_info, list);
6321 		if (!adv_instance)
6322 			return;
6323 
6324 		instance = adv_instance->instance;
6325 	}
6326 
6327 	err = hci_schedule_adv_instance_sync(hdev, instance, true);
6328 
6329 	enable_advertising_instance(hdev, err);
6330 }
6331 
6332 static int set_adv_sync(struct hci_dev *hdev, void *data)
6333 {
6334 	struct mgmt_pending_cmd *cmd = data;
6335 	struct mgmt_mode *cp = cmd->param;
6336 	u8 val = !!cp->val;
6337 
6338 	if (cp->val == 0x02)
6339 		hci_dev_set_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
6340 	else
6341 		hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
6342 
6343 	cancel_adv_timeout(hdev);
6344 
6345 	if (val) {
6346 		/* Switch to instance "0" for the Set Advertising setting.
6347 		 * We cannot use update_[adv|scan_rsp]_data() here as the
6348 		 * HCI_ADVERTISING flag is not yet set.
6349 		 */
6350 		hdev->cur_adv_instance = 0x00;
6351 
6352 		if (ext_adv_capable(hdev)) {
6353 			hci_start_ext_adv_sync(hdev, 0x00);
6354 		} else {
6355 			hci_update_adv_data_sync(hdev, 0x00);
6356 			hci_update_scan_rsp_data_sync(hdev, 0x00);
6357 			hci_enable_advertising_sync(hdev);
6358 		}
6359 	} else {
6360 		hci_disable_advertising_sync(hdev);
6361 	}
6362 
6363 	return 0;
6364 }
6365 
6366 static int set_advertising(struct sock *sk, struct hci_dev *hdev, void *data,
6367 			   u16 len)
6368 {
6369 	struct mgmt_mode *cp = data;
6370 	struct mgmt_pending_cmd *cmd;
6371 	u8 val, status;
6372 	int err;
6373 
6374 	bt_dev_dbg(hdev, "sock %p", sk);
6375 
6376 	status = mgmt_le_support(hdev);
6377 	if (status)
6378 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
6379 				       status);
6380 
6381 	if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
6382 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
6383 				       MGMT_STATUS_INVALID_PARAMS);
6384 
6385 	if (hdev->advertising_paused)
6386 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
6387 				       MGMT_STATUS_BUSY);
6388 
6389 	hci_dev_lock(hdev);
6390 
6391 	val = !!cp->val;
6392 
6393 	/* The following conditions are ones which mean that we should
6394 	 * not do any HCI communication but directly send a mgmt
6395 	 * response to user space (after toggling the flag if
6396 	 * necessary).
6397 	 */
6398 	if (!hdev_is_powered(hdev) ||
6399 	    (val == hci_dev_test_flag(hdev, HCI_ADVERTISING) &&
6400 	     (cp->val == 0x02) == hci_dev_test_flag(hdev, HCI_ADVERTISING_CONNECTABLE)) ||
6401 	    hci_dev_test_flag(hdev, HCI_MESH) ||
6402 	    hci_conn_num(hdev, LE_LINK) > 0 ||
6403 	    (hci_dev_test_flag(hdev, HCI_LE_SCAN) &&
6404 	     hdev->le_scan_type == LE_SCAN_ACTIVE)) {
6405 		bool changed;
6406 
6407 		if (cp->val) {
6408 			hdev->cur_adv_instance = 0x00;
6409 			changed = !hci_dev_test_and_set_flag(hdev, HCI_ADVERTISING);
6410 			if (cp->val == 0x02)
6411 				hci_dev_set_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
6412 			else
6413 				hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
6414 		} else {
6415 			changed = hci_dev_test_and_clear_flag(hdev, HCI_ADVERTISING);
6416 			hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
6417 		}
6418 
6419 		err = send_settings_rsp(sk, MGMT_OP_SET_ADVERTISING, hdev);
6420 		if (err < 0)
6421 			goto unlock;
6422 
6423 		if (changed)
6424 			err = new_settings(hdev, sk);
6425 
6426 		goto unlock;
6427 	}
6428 
6429 	if (pending_find(MGMT_OP_SET_ADVERTISING, hdev) ||
6430 	    pending_find(MGMT_OP_SET_LE, hdev)) {
6431 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
6432 				      MGMT_STATUS_BUSY);
6433 		goto unlock;
6434 	}
6435 
6436 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_ADVERTISING, hdev, data, len);
6437 	if (!cmd)
6438 		err = -ENOMEM;
6439 	else
6440 		err = hci_cmd_sync_queue(hdev, set_adv_sync, cmd,
6441 					 set_advertising_complete);
6442 
6443 	if (err < 0 && cmd)
6444 		mgmt_pending_remove(cmd);
6445 
6446 unlock:
6447 	hci_dev_unlock(hdev);
6448 	return err;
6449 }
6450 
6451 static int set_static_address(struct sock *sk, struct hci_dev *hdev,
6452 			      void *data, u16 len)
6453 {
6454 	struct mgmt_cp_set_static_address *cp = data;
6455 	int err;
6456 
6457 	bt_dev_dbg(hdev, "sock %p", sk);
6458 
6459 	if (!lmp_le_capable(hdev))
6460 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_STATIC_ADDRESS,
6461 				       MGMT_STATUS_NOT_SUPPORTED);
6462 
6463 	if (hdev_is_powered(hdev))
6464 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_STATIC_ADDRESS,
6465 				       MGMT_STATUS_REJECTED);
6466 
6467 	if (bacmp(&cp->bdaddr, BDADDR_ANY)) {
6468 		if (!bacmp(&cp->bdaddr, BDADDR_NONE))
6469 			return mgmt_cmd_status(sk, hdev->id,
6470 					       MGMT_OP_SET_STATIC_ADDRESS,
6471 					       MGMT_STATUS_INVALID_PARAMS);
6472 
6473 		/* Two most significant bits shall be set */
6474 		if ((cp->bdaddr.b[5] & 0xc0) != 0xc0)
6475 			return mgmt_cmd_status(sk, hdev->id,
6476 					       MGMT_OP_SET_STATIC_ADDRESS,
6477 					       MGMT_STATUS_INVALID_PARAMS);
6478 	}
6479 
6480 	hci_dev_lock(hdev);
6481 
6482 	bacpy(&hdev->static_addr, &cp->bdaddr);
6483 
6484 	err = send_settings_rsp(sk, MGMT_OP_SET_STATIC_ADDRESS, hdev);
6485 	if (err < 0)
6486 		goto unlock;
6487 
6488 	err = new_settings(hdev, sk);
6489 
6490 unlock:
6491 	hci_dev_unlock(hdev);
6492 	return err;
6493 }
6494 
6495 static int set_scan_params(struct sock *sk, struct hci_dev *hdev,
6496 			   void *data, u16 len)
6497 {
6498 	struct mgmt_cp_set_scan_params *cp = data;
6499 	__u16 interval, window;
6500 	int err;
6501 
6502 	bt_dev_dbg(hdev, "sock %p", sk);
6503 
6504 	if (!lmp_le_capable(hdev))
6505 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
6506 				       MGMT_STATUS_NOT_SUPPORTED);
6507 
6508 	interval = __le16_to_cpu(cp->interval);
6509 
6510 	if (interval < 0x0004 || interval > 0x4000)
6511 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
6512 				       MGMT_STATUS_INVALID_PARAMS);
6513 
6514 	window = __le16_to_cpu(cp->window);
6515 
6516 	if (window < 0x0004 || window > 0x4000)
6517 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
6518 				       MGMT_STATUS_INVALID_PARAMS);
6519 
6520 	if (window > interval)
6521 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
6522 				       MGMT_STATUS_INVALID_PARAMS);
6523 
6524 	hci_dev_lock(hdev);
6525 
6526 	hdev->le_scan_interval = interval;
6527 	hdev->le_scan_window = window;
6528 
6529 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS, 0,
6530 				NULL, 0);
6531 
6532 	/* If background scan is running, restart it so new parameters are
6533 	 * loaded.
6534 	 */
6535 	if (hci_dev_test_flag(hdev, HCI_LE_SCAN) &&
6536 	    hdev->discovery.state == DISCOVERY_STOPPED)
6537 		hci_update_passive_scan(hdev);
6538 
6539 	hci_dev_unlock(hdev);
6540 
6541 	return err;
6542 }
6543 
6544 static void fast_connectable_complete(struct hci_dev *hdev, void *data, int err)
6545 {
6546 	struct mgmt_pending_cmd *cmd = data;
6547 
6548 	bt_dev_dbg(hdev, "err %d", err);
6549 
6550 	if (err) {
6551 		mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
6552 				mgmt_status(err));
6553 	} else {
6554 		struct mgmt_mode *cp = cmd->param;
6555 
6556 		if (cp->val)
6557 			hci_dev_set_flag(hdev, HCI_FAST_CONNECTABLE);
6558 		else
6559 			hci_dev_clear_flag(hdev, HCI_FAST_CONNECTABLE);
6560 
6561 		send_settings_rsp(cmd->sk, MGMT_OP_SET_FAST_CONNECTABLE, hdev);
6562 		new_settings(hdev, cmd->sk);
6563 	}
6564 
6565 	mgmt_pending_free(cmd);
6566 }
6567 
6568 static int write_fast_connectable_sync(struct hci_dev *hdev, void *data)
6569 {
6570 	struct mgmt_pending_cmd *cmd = data;
6571 	struct mgmt_mode *cp = cmd->param;
6572 
6573 	return hci_write_fast_connectable_sync(hdev, cp->val);
6574 }
6575 
6576 static int set_fast_connectable(struct sock *sk, struct hci_dev *hdev,
6577 				void *data, u16 len)
6578 {
6579 	struct mgmt_mode *cp = data;
6580 	struct mgmt_pending_cmd *cmd;
6581 	int err;
6582 
6583 	bt_dev_dbg(hdev, "sock %p", sk);
6584 
6585 	if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) ||
6586 	    hdev->hci_ver < BLUETOOTH_VER_1_2)
6587 		return mgmt_cmd_status(sk, hdev->id,
6588 				       MGMT_OP_SET_FAST_CONNECTABLE,
6589 				       MGMT_STATUS_NOT_SUPPORTED);
6590 
6591 	if (cp->val != 0x00 && cp->val != 0x01)
6592 		return mgmt_cmd_status(sk, hdev->id,
6593 				       MGMT_OP_SET_FAST_CONNECTABLE,
6594 				       MGMT_STATUS_INVALID_PARAMS);
6595 
6596 	hci_dev_lock(hdev);
6597 
6598 	if (!!cp->val == hci_dev_test_flag(hdev, HCI_FAST_CONNECTABLE)) {
6599 		err = send_settings_rsp(sk, MGMT_OP_SET_FAST_CONNECTABLE, hdev);
6600 		goto unlock;
6601 	}
6602 
6603 	if (!hdev_is_powered(hdev)) {
6604 		hci_dev_change_flag(hdev, HCI_FAST_CONNECTABLE);
6605 		err = send_settings_rsp(sk, MGMT_OP_SET_FAST_CONNECTABLE, hdev);
6606 		new_settings(hdev, sk);
6607 		goto unlock;
6608 	}
6609 
6610 	cmd = mgmt_pending_new(sk, MGMT_OP_SET_FAST_CONNECTABLE, hdev, data,
6611 			       len);
6612 	if (!cmd)
6613 		err = -ENOMEM;
6614 	else
6615 		err = hci_cmd_sync_queue(hdev, write_fast_connectable_sync, cmd,
6616 					 fast_connectable_complete);
6617 
6618 	if (err < 0) {
6619 		mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
6620 				MGMT_STATUS_FAILED);
6621 
6622 		if (cmd)
6623 			mgmt_pending_free(cmd);
6624 	}
6625 
6626 unlock:
6627 	hci_dev_unlock(hdev);
6628 
6629 	return err;
6630 }
6631 
6632 static void set_bredr_complete(struct hci_dev *hdev, void *data, int err)
6633 {
6634 	struct mgmt_pending_cmd *cmd = data;
6635 
6636 	bt_dev_dbg(hdev, "err %d", err);
6637 
6638 	if (err) {
6639 		u8 mgmt_err = mgmt_status(err);
6640 
6641 		/* We need to restore the flag if related HCI commands
6642 		 * failed.
6643 		 */
6644 		hci_dev_clear_flag(hdev, HCI_BREDR_ENABLED);
6645 
6646 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
6647 	} else {
6648 		send_settings_rsp(cmd->sk, MGMT_OP_SET_BREDR, hdev);
6649 		new_settings(hdev, cmd->sk);
6650 	}
6651 
6652 	mgmt_pending_free(cmd);
6653 }
6654 
6655 static int set_bredr_sync(struct hci_dev *hdev, void *data)
6656 {
6657 	int status;
6658 
6659 	status = hci_write_fast_connectable_sync(hdev, false);
6660 
6661 	if (!status)
6662 		status = hci_update_scan_sync(hdev);
6663 
6664 	/* Since only the advertising data flags will change, there
6665 	 * is no need to update the scan response data.
6666 	 */
6667 	if (!status)
6668 		status = hci_update_adv_data_sync(hdev, hdev->cur_adv_instance);
6669 
6670 	return status;
6671 }
6672 
6673 static int set_bredr(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
6674 {
6675 	struct mgmt_mode *cp = data;
6676 	struct mgmt_pending_cmd *cmd;
6677 	int err;
6678 
6679 	bt_dev_dbg(hdev, "sock %p", sk);
6680 
6681 	if (!lmp_bredr_capable(hdev) || !lmp_le_capable(hdev))
6682 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
6683 				       MGMT_STATUS_NOT_SUPPORTED);
6684 
6685 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
6686 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
6687 				       MGMT_STATUS_REJECTED);
6688 
6689 	if (cp->val != 0x00 && cp->val != 0x01)
6690 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
6691 				       MGMT_STATUS_INVALID_PARAMS);
6692 
6693 	hci_dev_lock(hdev);
6694 
6695 	if (cp->val == hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
6696 		err = send_settings_rsp(sk, MGMT_OP_SET_BREDR, hdev);
6697 		goto unlock;
6698 	}
6699 
6700 	if (!hdev_is_powered(hdev)) {
6701 		if (!cp->val) {
6702 			hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
6703 			hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
6704 			hci_dev_clear_flag(hdev, HCI_LINK_SECURITY);
6705 			hci_dev_clear_flag(hdev, HCI_FAST_CONNECTABLE);
6706 		}
6707 
6708 		hci_dev_change_flag(hdev, HCI_BREDR_ENABLED);
6709 
6710 		err = send_settings_rsp(sk, MGMT_OP_SET_BREDR, hdev);
6711 		if (err < 0)
6712 			goto unlock;
6713 
6714 		err = new_settings(hdev, sk);
6715 		goto unlock;
6716 	}
6717 
6718 	/* Reject disabling when powered on */
6719 	if (!cp->val) {
6720 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
6721 				      MGMT_STATUS_REJECTED);
6722 		goto unlock;
6723 	} else {
6724 		/* When configuring a dual-mode controller to operate
6725 		 * with LE only and using a static address, then switching
6726 		 * BR/EDR back on is not allowed.
6727 		 *
6728 		 * Dual-mode controllers shall operate with the public
6729 		 * address as its identity address for BR/EDR and LE. So
6730 		 * reject the attempt to create an invalid configuration.
6731 		 *
6732 		 * The same restrictions applies when secure connections
6733 		 * has been enabled. For BR/EDR this is a controller feature
6734 		 * while for LE it is a host stack feature. This means that
6735 		 * switching BR/EDR back on when secure connections has been
6736 		 * enabled is not a supported transaction.
6737 		 */
6738 		if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
6739 		    (bacmp(&hdev->static_addr, BDADDR_ANY) ||
6740 		     hci_dev_test_flag(hdev, HCI_SC_ENABLED))) {
6741 			err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
6742 					      MGMT_STATUS_REJECTED);
6743 			goto unlock;
6744 		}
6745 	}
6746 
6747 	cmd = mgmt_pending_new(sk, MGMT_OP_SET_BREDR, hdev, data, len);
6748 	if (!cmd)
6749 		err = -ENOMEM;
6750 	else
6751 		err = hci_cmd_sync_queue(hdev, set_bredr_sync, cmd,
6752 					 set_bredr_complete);
6753 
6754 	if (err < 0) {
6755 		mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
6756 				MGMT_STATUS_FAILED);
6757 		if (cmd)
6758 			mgmt_pending_free(cmd);
6759 
6760 		goto unlock;
6761 	}
6762 
6763 	/* We need to flip the bit already here so that
6764 	 * hci_req_update_adv_data generates the correct flags.
6765 	 */
6766 	hci_dev_set_flag(hdev, HCI_BREDR_ENABLED);
6767 
6768 unlock:
6769 	hci_dev_unlock(hdev);
6770 	return err;
6771 }
6772 
6773 static void set_secure_conn_complete(struct hci_dev *hdev, void *data, int err)
6774 {
6775 	struct mgmt_pending_cmd *cmd = data;
6776 	struct mgmt_mode *cp;
6777 
6778 	bt_dev_dbg(hdev, "err %d", err);
6779 
6780 	if (err) {
6781 		u8 mgmt_err = mgmt_status(err);
6782 
6783 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
6784 		goto done;
6785 	}
6786 
6787 	cp = cmd->param;
6788 
6789 	switch (cp->val) {
6790 	case 0x00:
6791 		hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
6792 		hci_dev_clear_flag(hdev, HCI_SC_ONLY);
6793 		break;
6794 	case 0x01:
6795 		hci_dev_set_flag(hdev, HCI_SC_ENABLED);
6796 		hci_dev_clear_flag(hdev, HCI_SC_ONLY);
6797 		break;
6798 	case 0x02:
6799 		hci_dev_set_flag(hdev, HCI_SC_ENABLED);
6800 		hci_dev_set_flag(hdev, HCI_SC_ONLY);
6801 		break;
6802 	}
6803 
6804 	send_settings_rsp(cmd->sk, cmd->opcode, hdev);
6805 	new_settings(hdev, cmd->sk);
6806 
6807 done:
6808 	mgmt_pending_free(cmd);
6809 }
6810 
6811 static int set_secure_conn_sync(struct hci_dev *hdev, void *data)
6812 {
6813 	struct mgmt_pending_cmd *cmd = data;
6814 	struct mgmt_mode *cp = cmd->param;
6815 	u8 val = !!cp->val;
6816 
6817 	/* Force write of val */
6818 	hci_dev_set_flag(hdev, HCI_SC_ENABLED);
6819 
6820 	return hci_write_sc_support_sync(hdev, val);
6821 }
6822 
6823 static int set_secure_conn(struct sock *sk, struct hci_dev *hdev,
6824 			   void *data, u16 len)
6825 {
6826 	struct mgmt_mode *cp = data;
6827 	struct mgmt_pending_cmd *cmd;
6828 	u8 val;
6829 	int err;
6830 
6831 	bt_dev_dbg(hdev, "sock %p", sk);
6832 
6833 	if (!lmp_sc_capable(hdev) &&
6834 	    !hci_dev_test_flag(hdev, HCI_LE_ENABLED))
6835 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
6836 				       MGMT_STATUS_NOT_SUPPORTED);
6837 
6838 	if (hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
6839 	    lmp_sc_capable(hdev) &&
6840 	    !hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
6841 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
6842 				       MGMT_STATUS_REJECTED);
6843 
6844 	if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
6845 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
6846 				       MGMT_STATUS_INVALID_PARAMS);
6847 
6848 	hci_dev_lock(hdev);
6849 
6850 	if (!hdev_is_powered(hdev) || !lmp_sc_capable(hdev) ||
6851 	    !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
6852 		bool changed;
6853 
6854 		if (cp->val) {
6855 			changed = !hci_dev_test_and_set_flag(hdev,
6856 							     HCI_SC_ENABLED);
6857 			if (cp->val == 0x02)
6858 				hci_dev_set_flag(hdev, HCI_SC_ONLY);
6859 			else
6860 				hci_dev_clear_flag(hdev, HCI_SC_ONLY);
6861 		} else {
6862 			changed = hci_dev_test_and_clear_flag(hdev,
6863 							      HCI_SC_ENABLED);
6864 			hci_dev_clear_flag(hdev, HCI_SC_ONLY);
6865 		}
6866 
6867 		err = send_settings_rsp(sk, MGMT_OP_SET_SECURE_CONN, hdev);
6868 		if (err < 0)
6869 			goto failed;
6870 
6871 		if (changed)
6872 			err = new_settings(hdev, sk);
6873 
6874 		goto failed;
6875 	}
6876 
6877 	val = !!cp->val;
6878 
6879 	if (val == hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
6880 	    (cp->val == 0x02) == hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
6881 		err = send_settings_rsp(sk, MGMT_OP_SET_SECURE_CONN, hdev);
6882 		goto failed;
6883 	}
6884 
6885 	cmd = mgmt_pending_new(sk, MGMT_OP_SET_SECURE_CONN, hdev, data, len);
6886 	if (!cmd)
6887 		err = -ENOMEM;
6888 	else
6889 		err = hci_cmd_sync_queue(hdev, set_secure_conn_sync, cmd,
6890 					 set_secure_conn_complete);
6891 
6892 	if (err < 0) {
6893 		mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
6894 				MGMT_STATUS_FAILED);
6895 		if (cmd)
6896 			mgmt_pending_free(cmd);
6897 	}
6898 
6899 failed:
6900 	hci_dev_unlock(hdev);
6901 	return err;
6902 }
6903 
6904 static int set_debug_keys(struct sock *sk, struct hci_dev *hdev,
6905 			  void *data, u16 len)
6906 {
6907 	struct mgmt_mode *cp = data;
6908 	bool changed, use_changed;
6909 	int err;
6910 
6911 	bt_dev_dbg(hdev, "sock %p", sk);
6912 
6913 	if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
6914 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEBUG_KEYS,
6915 				       MGMT_STATUS_INVALID_PARAMS);
6916 
6917 	hci_dev_lock(hdev);
6918 
6919 	if (cp->val)
6920 		changed = !hci_dev_test_and_set_flag(hdev, HCI_KEEP_DEBUG_KEYS);
6921 	else
6922 		changed = hci_dev_test_and_clear_flag(hdev,
6923 						      HCI_KEEP_DEBUG_KEYS);
6924 
6925 	if (cp->val == 0x02)
6926 		use_changed = !hci_dev_test_and_set_flag(hdev,
6927 							 HCI_USE_DEBUG_KEYS);
6928 	else
6929 		use_changed = hci_dev_test_and_clear_flag(hdev,
6930 							  HCI_USE_DEBUG_KEYS);
6931 
6932 	if (hdev_is_powered(hdev) && use_changed &&
6933 	    hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
6934 		u8 mode = (cp->val == 0x02) ? 0x01 : 0x00;
6935 		hci_send_cmd(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE,
6936 			     sizeof(mode), &mode);
6937 	}
6938 
6939 	err = send_settings_rsp(sk, MGMT_OP_SET_DEBUG_KEYS, hdev);
6940 	if (err < 0)
6941 		goto unlock;
6942 
6943 	if (changed)
6944 		err = new_settings(hdev, sk);
6945 
6946 unlock:
6947 	hci_dev_unlock(hdev);
6948 	return err;
6949 }
6950 
6951 static int set_privacy(struct sock *sk, struct hci_dev *hdev, void *cp_data,
6952 		       u16 len)
6953 {
6954 	struct mgmt_cp_set_privacy *cp = cp_data;
6955 	bool changed;
6956 	int err;
6957 
6958 	bt_dev_dbg(hdev, "sock %p", sk);
6959 
6960 	if (!lmp_le_capable(hdev))
6961 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PRIVACY,
6962 				       MGMT_STATUS_NOT_SUPPORTED);
6963 
6964 	if (cp->privacy != 0x00 && cp->privacy != 0x01 && cp->privacy != 0x02)
6965 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PRIVACY,
6966 				       MGMT_STATUS_INVALID_PARAMS);
6967 
6968 	if (hdev_is_powered(hdev))
6969 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PRIVACY,
6970 				       MGMT_STATUS_REJECTED);
6971 
6972 	hci_dev_lock(hdev);
6973 
6974 	/* If user space supports this command it is also expected to
6975 	 * handle IRKs. Therefore, set the HCI_RPA_RESOLVING flag.
6976 	 */
6977 	hci_dev_set_flag(hdev, HCI_RPA_RESOLVING);
6978 
6979 	if (cp->privacy) {
6980 		changed = !hci_dev_test_and_set_flag(hdev, HCI_PRIVACY);
6981 		memcpy(hdev->irk, cp->irk, sizeof(hdev->irk));
6982 		hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
6983 		hci_adv_instances_set_rpa_expired(hdev, true);
6984 		if (cp->privacy == 0x02)
6985 			hci_dev_set_flag(hdev, HCI_LIMITED_PRIVACY);
6986 		else
6987 			hci_dev_clear_flag(hdev, HCI_LIMITED_PRIVACY);
6988 	} else {
6989 		changed = hci_dev_test_and_clear_flag(hdev, HCI_PRIVACY);
6990 		memset(hdev->irk, 0, sizeof(hdev->irk));
6991 		hci_dev_clear_flag(hdev, HCI_RPA_EXPIRED);
6992 		hci_adv_instances_set_rpa_expired(hdev, false);
6993 		hci_dev_clear_flag(hdev, HCI_LIMITED_PRIVACY);
6994 	}
6995 
6996 	err = send_settings_rsp(sk, MGMT_OP_SET_PRIVACY, hdev);
6997 	if (err < 0)
6998 		goto unlock;
6999 
7000 	if (changed)
7001 		err = new_settings(hdev, sk);
7002 
7003 unlock:
7004 	hci_dev_unlock(hdev);
7005 	return err;
7006 }
7007 
7008 static bool irk_is_valid(struct mgmt_irk_info *irk)
7009 {
7010 	switch (irk->addr.type) {
7011 	case BDADDR_LE_PUBLIC:
7012 		return true;
7013 
7014 	case BDADDR_LE_RANDOM:
7015 		/* Two most significant bits shall be set */
7016 		if ((irk->addr.bdaddr.b[5] & 0xc0) != 0xc0)
7017 			return false;
7018 		return true;
7019 	}
7020 
7021 	return false;
7022 }
7023 
7024 static int load_irks(struct sock *sk, struct hci_dev *hdev, void *cp_data,
7025 		     u16 len)
7026 {
7027 	struct mgmt_cp_load_irks *cp = cp_data;
7028 	const u16 max_irk_count = ((U16_MAX - sizeof(*cp)) /
7029 				   sizeof(struct mgmt_irk_info));
7030 	u16 irk_count, expected_len;
7031 	int i, err;
7032 
7033 	bt_dev_dbg(hdev, "sock %p", sk);
7034 
7035 	if (!lmp_le_capable(hdev))
7036 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_IRKS,
7037 				       MGMT_STATUS_NOT_SUPPORTED);
7038 
7039 	irk_count = __le16_to_cpu(cp->irk_count);
7040 	if (irk_count > max_irk_count) {
7041 		bt_dev_err(hdev, "load_irks: too big irk_count value %u",
7042 			   irk_count);
7043 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_IRKS,
7044 				       MGMT_STATUS_INVALID_PARAMS);
7045 	}
7046 
7047 	expected_len = struct_size(cp, irks, irk_count);
7048 	if (expected_len != len) {
7049 		bt_dev_err(hdev, "load_irks: expected %u bytes, got %u bytes",
7050 			   expected_len, len);
7051 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_IRKS,
7052 				       MGMT_STATUS_INVALID_PARAMS);
7053 	}
7054 
7055 	bt_dev_dbg(hdev, "irk_count %u", irk_count);
7056 
7057 	for (i = 0; i < irk_count; i++) {
7058 		struct mgmt_irk_info *key = &cp->irks[i];
7059 
7060 		if (!irk_is_valid(key))
7061 			return mgmt_cmd_status(sk, hdev->id,
7062 					       MGMT_OP_LOAD_IRKS,
7063 					       MGMT_STATUS_INVALID_PARAMS);
7064 	}
7065 
7066 	hci_dev_lock(hdev);
7067 
7068 	hci_smp_irks_clear(hdev);
7069 
7070 	for (i = 0; i < irk_count; i++) {
7071 		struct mgmt_irk_info *irk = &cp->irks[i];
7072 		u8 addr_type = le_addr_type(irk->addr.type);
7073 
7074 		if (hci_is_blocked_key(hdev,
7075 				       HCI_BLOCKED_KEY_TYPE_IRK,
7076 				       irk->val)) {
7077 			bt_dev_warn(hdev, "Skipping blocked IRK for %pMR",
7078 				    &irk->addr.bdaddr);
7079 			continue;
7080 		}
7081 
7082 		/* When using SMP over BR/EDR, the addr type should be set to BREDR */
7083 		if (irk->addr.type == BDADDR_BREDR)
7084 			addr_type = BDADDR_BREDR;
7085 
7086 		hci_add_irk(hdev, &irk->addr.bdaddr,
7087 			    addr_type, irk->val,
7088 			    BDADDR_ANY);
7089 	}
7090 
7091 	hci_dev_set_flag(hdev, HCI_RPA_RESOLVING);
7092 
7093 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_IRKS, 0, NULL, 0);
7094 
7095 	hci_dev_unlock(hdev);
7096 
7097 	return err;
7098 }
7099 
7100 static bool ltk_is_valid(struct mgmt_ltk_info *key)
7101 {
7102 	if (key->initiator != 0x00 && key->initiator != 0x01)
7103 		return false;
7104 
7105 	switch (key->addr.type) {
7106 	case BDADDR_LE_PUBLIC:
7107 		return true;
7108 
7109 	case BDADDR_LE_RANDOM:
7110 		/* Two most significant bits shall be set */
7111 		if ((key->addr.bdaddr.b[5] & 0xc0) != 0xc0)
7112 			return false;
7113 		return true;
7114 	}
7115 
7116 	return false;
7117 }
7118 
7119 static int load_long_term_keys(struct sock *sk, struct hci_dev *hdev,
7120 			       void *cp_data, u16 len)
7121 {
7122 	struct mgmt_cp_load_long_term_keys *cp = cp_data;
7123 	const u16 max_key_count = ((U16_MAX - sizeof(*cp)) /
7124 				   sizeof(struct mgmt_ltk_info));
7125 	u16 key_count, expected_len;
7126 	int i, err;
7127 
7128 	bt_dev_dbg(hdev, "sock %p", sk);
7129 
7130 	if (!lmp_le_capable(hdev))
7131 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS,
7132 				       MGMT_STATUS_NOT_SUPPORTED);
7133 
7134 	key_count = __le16_to_cpu(cp->key_count);
7135 	if (key_count > max_key_count) {
7136 		bt_dev_err(hdev, "load_ltks: too big key_count value %u",
7137 			   key_count);
7138 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS,
7139 				       MGMT_STATUS_INVALID_PARAMS);
7140 	}
7141 
7142 	expected_len = struct_size(cp, keys, key_count);
7143 	if (expected_len != len) {
7144 		bt_dev_err(hdev, "load_keys: expected %u bytes, got %u bytes",
7145 			   expected_len, len);
7146 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS,
7147 				       MGMT_STATUS_INVALID_PARAMS);
7148 	}
7149 
7150 	bt_dev_dbg(hdev, "key_count %u", key_count);
7151 
7152 	for (i = 0; i < key_count; i++) {
7153 		struct mgmt_ltk_info *key = &cp->keys[i];
7154 
7155 		if (!ltk_is_valid(key))
7156 			return mgmt_cmd_status(sk, hdev->id,
7157 					       MGMT_OP_LOAD_LONG_TERM_KEYS,
7158 					       MGMT_STATUS_INVALID_PARAMS);
7159 	}
7160 
7161 	hci_dev_lock(hdev);
7162 
7163 	hci_smp_ltks_clear(hdev);
7164 
7165 	for (i = 0; i < key_count; i++) {
7166 		struct mgmt_ltk_info *key = &cp->keys[i];
7167 		u8 type, authenticated;
7168 		u8 addr_type = le_addr_type(key->addr.type);
7169 
7170 		if (hci_is_blocked_key(hdev,
7171 				       HCI_BLOCKED_KEY_TYPE_LTK,
7172 				       key->val)) {
7173 			bt_dev_warn(hdev, "Skipping blocked LTK for %pMR",
7174 				    &key->addr.bdaddr);
7175 			continue;
7176 		}
7177 
7178 		switch (key->type) {
7179 		case MGMT_LTK_UNAUTHENTICATED:
7180 			authenticated = 0x00;
7181 			type = key->initiator ? SMP_LTK : SMP_LTK_RESPONDER;
7182 			break;
7183 		case MGMT_LTK_AUTHENTICATED:
7184 			authenticated = 0x01;
7185 			type = key->initiator ? SMP_LTK : SMP_LTK_RESPONDER;
7186 			break;
7187 		case MGMT_LTK_P256_UNAUTH:
7188 			authenticated = 0x00;
7189 			type = SMP_LTK_P256;
7190 			break;
7191 		case MGMT_LTK_P256_AUTH:
7192 			authenticated = 0x01;
7193 			type = SMP_LTK_P256;
7194 			break;
7195 		case MGMT_LTK_P256_DEBUG:
7196 			authenticated = 0x00;
7197 			type = SMP_LTK_P256_DEBUG;
7198 			fallthrough;
7199 		default:
7200 			continue;
7201 		}
7202 
7203 		/* When using SMP over BR/EDR, the addr type should be set to BREDR */
7204 		if (key->addr.type == BDADDR_BREDR)
7205 			addr_type = BDADDR_BREDR;
7206 
7207 		hci_add_ltk(hdev, &key->addr.bdaddr,
7208 			    addr_type, type, authenticated,
7209 			    key->val, key->enc_size, key->ediv, key->rand);
7210 	}
7211 
7212 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS, 0,
7213 			   NULL, 0);
7214 
7215 	hci_dev_unlock(hdev);
7216 
7217 	return err;
7218 }
7219 
7220 static void get_conn_info_complete(struct hci_dev *hdev, void *data, int err)
7221 {
7222 	struct mgmt_pending_cmd *cmd = data;
7223 	struct hci_conn *conn = cmd->user_data;
7224 	struct mgmt_cp_get_conn_info *cp = cmd->param;
7225 	struct mgmt_rp_get_conn_info rp;
7226 	u8 status;
7227 
7228 	bt_dev_dbg(hdev, "err %d", err);
7229 
7230 	memcpy(&rp.addr, &cp->addr, sizeof(rp.addr));
7231 
7232 	status = mgmt_status(err);
7233 	if (status == MGMT_STATUS_SUCCESS) {
7234 		rp.rssi = conn->rssi;
7235 		rp.tx_power = conn->tx_power;
7236 		rp.max_tx_power = conn->max_tx_power;
7237 	} else {
7238 		rp.rssi = HCI_RSSI_INVALID;
7239 		rp.tx_power = HCI_TX_POWER_INVALID;
7240 		rp.max_tx_power = HCI_TX_POWER_INVALID;
7241 	}
7242 
7243 	mgmt_cmd_complete(cmd->sk, cmd->index, MGMT_OP_GET_CONN_INFO, status,
7244 			  &rp, sizeof(rp));
7245 
7246 	mgmt_pending_free(cmd);
7247 }
7248 
7249 static int get_conn_info_sync(struct hci_dev *hdev, void *data)
7250 {
7251 	struct mgmt_pending_cmd *cmd = data;
7252 	struct mgmt_cp_get_conn_info *cp = cmd->param;
7253 	struct hci_conn *conn;
7254 	int err;
7255 	__le16   handle;
7256 
7257 	/* Make sure we are still connected */
7258 	if (cp->addr.type == BDADDR_BREDR)
7259 		conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
7260 					       &cp->addr.bdaddr);
7261 	else
7262 		conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->addr.bdaddr);
7263 
7264 	if (!conn || conn->state != BT_CONNECTED)
7265 		return MGMT_STATUS_NOT_CONNECTED;
7266 
7267 	cmd->user_data = conn;
7268 	handle = cpu_to_le16(conn->handle);
7269 
7270 	/* Refresh RSSI each time */
7271 	err = hci_read_rssi_sync(hdev, handle);
7272 
7273 	/* For LE links TX power does not change thus we don't need to
7274 	 * query for it once value is known.
7275 	 */
7276 	if (!err && (!bdaddr_type_is_le(cp->addr.type) ||
7277 		     conn->tx_power == HCI_TX_POWER_INVALID))
7278 		err = hci_read_tx_power_sync(hdev, handle, 0x00);
7279 
7280 	/* Max TX power needs to be read only once per connection */
7281 	if (!err && conn->max_tx_power == HCI_TX_POWER_INVALID)
7282 		err = hci_read_tx_power_sync(hdev, handle, 0x01);
7283 
7284 	return err;
7285 }
7286 
7287 static int get_conn_info(struct sock *sk, struct hci_dev *hdev, void *data,
7288 			 u16 len)
7289 {
7290 	struct mgmt_cp_get_conn_info *cp = data;
7291 	struct mgmt_rp_get_conn_info rp;
7292 	struct hci_conn *conn;
7293 	unsigned long conn_info_age;
7294 	int err = 0;
7295 
7296 	bt_dev_dbg(hdev, "sock %p", sk);
7297 
7298 	memset(&rp, 0, sizeof(rp));
7299 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
7300 	rp.addr.type = cp->addr.type;
7301 
7302 	if (!bdaddr_type_is_valid(cp->addr.type))
7303 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
7304 					 MGMT_STATUS_INVALID_PARAMS,
7305 					 &rp, sizeof(rp));
7306 
7307 	hci_dev_lock(hdev);
7308 
7309 	if (!hdev_is_powered(hdev)) {
7310 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
7311 					MGMT_STATUS_NOT_POWERED, &rp,
7312 					sizeof(rp));
7313 		goto unlock;
7314 	}
7315 
7316 	if (cp->addr.type == BDADDR_BREDR)
7317 		conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
7318 					       &cp->addr.bdaddr);
7319 	else
7320 		conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->addr.bdaddr);
7321 
7322 	if (!conn || conn->state != BT_CONNECTED) {
7323 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
7324 					MGMT_STATUS_NOT_CONNECTED, &rp,
7325 					sizeof(rp));
7326 		goto unlock;
7327 	}
7328 
7329 	/* To avoid client trying to guess when to poll again for information we
7330 	 * calculate conn info age as random value between min/max set in hdev.
7331 	 */
7332 	conn_info_age = get_random_u32_inclusive(hdev->conn_info_min_age,
7333 						 hdev->conn_info_max_age - 1);
7334 
7335 	/* Query controller to refresh cached values if they are too old or were
7336 	 * never read.
7337 	 */
7338 	if (time_after(jiffies, conn->conn_info_timestamp +
7339 		       msecs_to_jiffies(conn_info_age)) ||
7340 	    !conn->conn_info_timestamp) {
7341 		struct mgmt_pending_cmd *cmd;
7342 
7343 		cmd = mgmt_pending_new(sk, MGMT_OP_GET_CONN_INFO, hdev, data,
7344 				       len);
7345 		if (!cmd) {
7346 			err = -ENOMEM;
7347 		} else {
7348 			err = hci_cmd_sync_queue(hdev, get_conn_info_sync,
7349 						 cmd, get_conn_info_complete);
7350 		}
7351 
7352 		if (err < 0) {
7353 			mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
7354 					  MGMT_STATUS_FAILED, &rp, sizeof(rp));
7355 
7356 			if (cmd)
7357 				mgmt_pending_free(cmd);
7358 
7359 			goto unlock;
7360 		}
7361 
7362 		conn->conn_info_timestamp = jiffies;
7363 	} else {
7364 		/* Cache is valid, just reply with values cached in hci_conn */
7365 		rp.rssi = conn->rssi;
7366 		rp.tx_power = conn->tx_power;
7367 		rp.max_tx_power = conn->max_tx_power;
7368 
7369 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
7370 					MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
7371 	}
7372 
7373 unlock:
7374 	hci_dev_unlock(hdev);
7375 	return err;
7376 }
7377 
7378 static void get_clock_info_complete(struct hci_dev *hdev, void *data, int err)
7379 {
7380 	struct mgmt_pending_cmd *cmd = data;
7381 	struct mgmt_cp_get_clock_info *cp = cmd->param;
7382 	struct mgmt_rp_get_clock_info rp;
7383 	struct hci_conn *conn = cmd->user_data;
7384 	u8 status = mgmt_status(err);
7385 
7386 	bt_dev_dbg(hdev, "err %d", err);
7387 
7388 	memset(&rp, 0, sizeof(rp));
7389 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
7390 	rp.addr.type = cp->addr.type;
7391 
7392 	if (err)
7393 		goto complete;
7394 
7395 	rp.local_clock = cpu_to_le32(hdev->clock);
7396 
7397 	if (conn) {
7398 		rp.piconet_clock = cpu_to_le32(conn->clock);
7399 		rp.accuracy = cpu_to_le16(conn->clock_accuracy);
7400 	}
7401 
7402 complete:
7403 	mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status, &rp,
7404 			  sizeof(rp));
7405 
7406 	mgmt_pending_free(cmd);
7407 }
7408 
7409 static int get_clock_info_sync(struct hci_dev *hdev, void *data)
7410 {
7411 	struct mgmt_pending_cmd *cmd = data;
7412 	struct mgmt_cp_get_clock_info *cp = cmd->param;
7413 	struct hci_cp_read_clock hci_cp;
7414 	struct hci_conn *conn;
7415 
7416 	memset(&hci_cp, 0, sizeof(hci_cp));
7417 	hci_read_clock_sync(hdev, &hci_cp);
7418 
7419 	/* Make sure connection still exists */
7420 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->addr.bdaddr);
7421 	if (!conn || conn->state != BT_CONNECTED)
7422 		return MGMT_STATUS_NOT_CONNECTED;
7423 
7424 	cmd->user_data = conn;
7425 	hci_cp.handle = cpu_to_le16(conn->handle);
7426 	hci_cp.which = 0x01; /* Piconet clock */
7427 
7428 	return hci_read_clock_sync(hdev, &hci_cp);
7429 }
7430 
7431 static int get_clock_info(struct sock *sk, struct hci_dev *hdev, void *data,
7432 								u16 len)
7433 {
7434 	struct mgmt_cp_get_clock_info *cp = data;
7435 	struct mgmt_rp_get_clock_info rp;
7436 	struct mgmt_pending_cmd *cmd;
7437 	struct hci_conn *conn;
7438 	int err;
7439 
7440 	bt_dev_dbg(hdev, "sock %p", sk);
7441 
7442 	memset(&rp, 0, sizeof(rp));
7443 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
7444 	rp.addr.type = cp->addr.type;
7445 
7446 	if (cp->addr.type != BDADDR_BREDR)
7447 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CLOCK_INFO,
7448 					 MGMT_STATUS_INVALID_PARAMS,
7449 					 &rp, sizeof(rp));
7450 
7451 	hci_dev_lock(hdev);
7452 
7453 	if (!hdev_is_powered(hdev)) {
7454 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CLOCK_INFO,
7455 					MGMT_STATUS_NOT_POWERED, &rp,
7456 					sizeof(rp));
7457 		goto unlock;
7458 	}
7459 
7460 	if (bacmp(&cp->addr.bdaddr, BDADDR_ANY)) {
7461 		conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
7462 					       &cp->addr.bdaddr);
7463 		if (!conn || conn->state != BT_CONNECTED) {
7464 			err = mgmt_cmd_complete(sk, hdev->id,
7465 						MGMT_OP_GET_CLOCK_INFO,
7466 						MGMT_STATUS_NOT_CONNECTED,
7467 						&rp, sizeof(rp));
7468 			goto unlock;
7469 		}
7470 	} else {
7471 		conn = NULL;
7472 	}
7473 
7474 	cmd = mgmt_pending_new(sk, MGMT_OP_GET_CLOCK_INFO, hdev, data, len);
7475 	if (!cmd)
7476 		err = -ENOMEM;
7477 	else
7478 		err = hci_cmd_sync_queue(hdev, get_clock_info_sync, cmd,
7479 					 get_clock_info_complete);
7480 
7481 	if (err < 0) {
7482 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CLOCK_INFO,
7483 					MGMT_STATUS_FAILED, &rp, sizeof(rp));
7484 
7485 		if (cmd)
7486 			mgmt_pending_free(cmd);
7487 	}
7488 
7489 
7490 unlock:
7491 	hci_dev_unlock(hdev);
7492 	return err;
7493 }
7494 
7495 static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type)
7496 {
7497 	struct hci_conn *conn;
7498 
7499 	conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, addr);
7500 	if (!conn)
7501 		return false;
7502 
7503 	if (conn->dst_type != type)
7504 		return false;
7505 
7506 	if (conn->state != BT_CONNECTED)
7507 		return false;
7508 
7509 	return true;
7510 }
7511 
7512 /* This function requires the caller holds hdev->lock */
7513 static int hci_conn_params_set(struct hci_dev *hdev, bdaddr_t *addr,
7514 			       u8 addr_type, u8 auto_connect)
7515 {
7516 	struct hci_conn_params *params;
7517 
7518 	params = hci_conn_params_add(hdev, addr, addr_type);
7519 	if (!params)
7520 		return -EIO;
7521 
7522 	if (params->auto_connect == auto_connect)
7523 		return 0;
7524 
7525 	hci_pend_le_list_del_init(params);
7526 
7527 	switch (auto_connect) {
7528 	case HCI_AUTO_CONN_DISABLED:
7529 	case HCI_AUTO_CONN_LINK_LOSS:
7530 		/* If auto connect is being disabled when we're trying to
7531 		 * connect to device, keep connecting.
7532 		 */
7533 		if (params->explicit_connect)
7534 			hci_pend_le_list_add(params, &hdev->pend_le_conns);
7535 		break;
7536 	case HCI_AUTO_CONN_REPORT:
7537 		if (params->explicit_connect)
7538 			hci_pend_le_list_add(params, &hdev->pend_le_conns);
7539 		else
7540 			hci_pend_le_list_add(params, &hdev->pend_le_reports);
7541 		break;
7542 	case HCI_AUTO_CONN_DIRECT:
7543 	case HCI_AUTO_CONN_ALWAYS:
7544 		if (!is_connected(hdev, addr, addr_type))
7545 			hci_pend_le_list_add(params, &hdev->pend_le_conns);
7546 		break;
7547 	}
7548 
7549 	params->auto_connect = auto_connect;
7550 
7551 	bt_dev_dbg(hdev, "addr %pMR (type %u) auto_connect %u",
7552 		   addr, addr_type, auto_connect);
7553 
7554 	return 0;
7555 }
7556 
7557 static void device_added(struct sock *sk, struct hci_dev *hdev,
7558 			 bdaddr_t *bdaddr, u8 type, u8 action)
7559 {
7560 	struct mgmt_ev_device_added ev;
7561 
7562 	bacpy(&ev.addr.bdaddr, bdaddr);
7563 	ev.addr.type = type;
7564 	ev.action = action;
7565 
7566 	mgmt_event(MGMT_EV_DEVICE_ADDED, hdev, &ev, sizeof(ev), sk);
7567 }
7568 
7569 static int add_device_sync(struct hci_dev *hdev, void *data)
7570 {
7571 	return hci_update_passive_scan_sync(hdev);
7572 }
7573 
7574 static int add_device(struct sock *sk, struct hci_dev *hdev,
7575 		      void *data, u16 len)
7576 {
7577 	struct mgmt_cp_add_device *cp = data;
7578 	u8 auto_conn, addr_type;
7579 	struct hci_conn_params *params;
7580 	int err;
7581 	u32 current_flags = 0;
7582 	u32 supported_flags;
7583 
7584 	bt_dev_dbg(hdev, "sock %p", sk);
7585 
7586 	if (!bdaddr_type_is_valid(cp->addr.type) ||
7587 	    !bacmp(&cp->addr.bdaddr, BDADDR_ANY))
7588 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
7589 					 MGMT_STATUS_INVALID_PARAMS,
7590 					 &cp->addr, sizeof(cp->addr));
7591 
7592 	if (cp->action != 0x00 && cp->action != 0x01 && cp->action != 0x02)
7593 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
7594 					 MGMT_STATUS_INVALID_PARAMS,
7595 					 &cp->addr, sizeof(cp->addr));
7596 
7597 	hci_dev_lock(hdev);
7598 
7599 	if (cp->addr.type == BDADDR_BREDR) {
7600 		/* Only incoming connections action is supported for now */
7601 		if (cp->action != 0x01) {
7602 			err = mgmt_cmd_complete(sk, hdev->id,
7603 						MGMT_OP_ADD_DEVICE,
7604 						MGMT_STATUS_INVALID_PARAMS,
7605 						&cp->addr, sizeof(cp->addr));
7606 			goto unlock;
7607 		}
7608 
7609 		err = hci_bdaddr_list_add_with_flags(&hdev->accept_list,
7610 						     &cp->addr.bdaddr,
7611 						     cp->addr.type, 0);
7612 		if (err)
7613 			goto unlock;
7614 
7615 		hci_update_scan(hdev);
7616 
7617 		goto added;
7618 	}
7619 
7620 	addr_type = le_addr_type(cp->addr.type);
7621 
7622 	if (cp->action == 0x02)
7623 		auto_conn = HCI_AUTO_CONN_ALWAYS;
7624 	else if (cp->action == 0x01)
7625 		auto_conn = HCI_AUTO_CONN_DIRECT;
7626 	else
7627 		auto_conn = HCI_AUTO_CONN_REPORT;
7628 
7629 	/* Kernel internally uses conn_params with resolvable private
7630 	 * address, but Add Device allows only identity addresses.
7631 	 * Make sure it is enforced before calling
7632 	 * hci_conn_params_lookup.
7633 	 */
7634 	if (!hci_is_identity_address(&cp->addr.bdaddr, addr_type)) {
7635 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
7636 					MGMT_STATUS_INVALID_PARAMS,
7637 					&cp->addr, sizeof(cp->addr));
7638 		goto unlock;
7639 	}
7640 
7641 	/* If the connection parameters don't exist for this device,
7642 	 * they will be created and configured with defaults.
7643 	 */
7644 	if (hci_conn_params_set(hdev, &cp->addr.bdaddr, addr_type,
7645 				auto_conn) < 0) {
7646 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
7647 					MGMT_STATUS_FAILED, &cp->addr,
7648 					sizeof(cp->addr));
7649 		goto unlock;
7650 	} else {
7651 		params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr,
7652 						addr_type);
7653 		if (params)
7654 			current_flags = params->flags;
7655 	}
7656 
7657 	err = hci_cmd_sync_queue(hdev, add_device_sync, NULL, NULL);
7658 	if (err < 0)
7659 		goto unlock;
7660 
7661 added:
7662 	device_added(sk, hdev, &cp->addr.bdaddr, cp->addr.type, cp->action);
7663 	supported_flags = hdev->conn_flags;
7664 	device_flags_changed(NULL, hdev, &cp->addr.bdaddr, cp->addr.type,
7665 			     supported_flags, current_flags);
7666 
7667 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
7668 				MGMT_STATUS_SUCCESS, &cp->addr,
7669 				sizeof(cp->addr));
7670 
7671 unlock:
7672 	hci_dev_unlock(hdev);
7673 	return err;
7674 }
7675 
7676 static void device_removed(struct sock *sk, struct hci_dev *hdev,
7677 			   bdaddr_t *bdaddr, u8 type)
7678 {
7679 	struct mgmt_ev_device_removed ev;
7680 
7681 	bacpy(&ev.addr.bdaddr, bdaddr);
7682 	ev.addr.type = type;
7683 
7684 	mgmt_event(MGMT_EV_DEVICE_REMOVED, hdev, &ev, sizeof(ev), sk);
7685 }
7686 
7687 static int remove_device_sync(struct hci_dev *hdev, void *data)
7688 {
7689 	return hci_update_passive_scan_sync(hdev);
7690 }
7691 
7692 static int remove_device(struct sock *sk, struct hci_dev *hdev,
7693 			 void *data, u16 len)
7694 {
7695 	struct mgmt_cp_remove_device *cp = data;
7696 	int err;
7697 
7698 	bt_dev_dbg(hdev, "sock %p", sk);
7699 
7700 	hci_dev_lock(hdev);
7701 
7702 	if (bacmp(&cp->addr.bdaddr, BDADDR_ANY)) {
7703 		struct hci_conn_params *params;
7704 		u8 addr_type;
7705 
7706 		if (!bdaddr_type_is_valid(cp->addr.type)) {
7707 			err = mgmt_cmd_complete(sk, hdev->id,
7708 						MGMT_OP_REMOVE_DEVICE,
7709 						MGMT_STATUS_INVALID_PARAMS,
7710 						&cp->addr, sizeof(cp->addr));
7711 			goto unlock;
7712 		}
7713 
7714 		if (cp->addr.type == BDADDR_BREDR) {
7715 			err = hci_bdaddr_list_del(&hdev->accept_list,
7716 						  &cp->addr.bdaddr,
7717 						  cp->addr.type);
7718 			if (err) {
7719 				err = mgmt_cmd_complete(sk, hdev->id,
7720 							MGMT_OP_REMOVE_DEVICE,
7721 							MGMT_STATUS_INVALID_PARAMS,
7722 							&cp->addr,
7723 							sizeof(cp->addr));
7724 				goto unlock;
7725 			}
7726 
7727 			hci_update_scan(hdev);
7728 
7729 			device_removed(sk, hdev, &cp->addr.bdaddr,
7730 				       cp->addr.type);
7731 			goto complete;
7732 		}
7733 
7734 		addr_type = le_addr_type(cp->addr.type);
7735 
7736 		/* Kernel internally uses conn_params with resolvable private
7737 		 * address, but Remove Device allows only identity addresses.
7738 		 * Make sure it is enforced before calling
7739 		 * hci_conn_params_lookup.
7740 		 */
7741 		if (!hci_is_identity_address(&cp->addr.bdaddr, addr_type)) {
7742 			err = mgmt_cmd_complete(sk, hdev->id,
7743 						MGMT_OP_REMOVE_DEVICE,
7744 						MGMT_STATUS_INVALID_PARAMS,
7745 						&cp->addr, sizeof(cp->addr));
7746 			goto unlock;
7747 		}
7748 
7749 		params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr,
7750 						addr_type);
7751 		if (!params) {
7752 			err = mgmt_cmd_complete(sk, hdev->id,
7753 						MGMT_OP_REMOVE_DEVICE,
7754 						MGMT_STATUS_INVALID_PARAMS,
7755 						&cp->addr, sizeof(cp->addr));
7756 			goto unlock;
7757 		}
7758 
7759 		if (params->auto_connect == HCI_AUTO_CONN_DISABLED ||
7760 		    params->auto_connect == HCI_AUTO_CONN_EXPLICIT) {
7761 			err = mgmt_cmd_complete(sk, hdev->id,
7762 						MGMT_OP_REMOVE_DEVICE,
7763 						MGMT_STATUS_INVALID_PARAMS,
7764 						&cp->addr, sizeof(cp->addr));
7765 			goto unlock;
7766 		}
7767 
7768 		hci_conn_params_free(params);
7769 
7770 		device_removed(sk, hdev, &cp->addr.bdaddr, cp->addr.type);
7771 	} else {
7772 		struct hci_conn_params *p, *tmp;
7773 		struct bdaddr_list *b, *btmp;
7774 
7775 		if (cp->addr.type) {
7776 			err = mgmt_cmd_complete(sk, hdev->id,
7777 						MGMT_OP_REMOVE_DEVICE,
7778 						MGMT_STATUS_INVALID_PARAMS,
7779 						&cp->addr, sizeof(cp->addr));
7780 			goto unlock;
7781 		}
7782 
7783 		list_for_each_entry_safe(b, btmp, &hdev->accept_list, list) {
7784 			device_removed(sk, hdev, &b->bdaddr, b->bdaddr_type);
7785 			list_del(&b->list);
7786 			kfree(b);
7787 		}
7788 
7789 		hci_update_scan(hdev);
7790 
7791 		list_for_each_entry_safe(p, tmp, &hdev->le_conn_params, list) {
7792 			if (p->auto_connect == HCI_AUTO_CONN_DISABLED)
7793 				continue;
7794 			device_removed(sk, hdev, &p->addr, p->addr_type);
7795 			if (p->explicit_connect) {
7796 				p->auto_connect = HCI_AUTO_CONN_EXPLICIT;
7797 				continue;
7798 			}
7799 			hci_conn_params_free(p);
7800 		}
7801 
7802 		bt_dev_dbg(hdev, "All LE connection parameters were removed");
7803 	}
7804 
7805 	hci_cmd_sync_queue(hdev, remove_device_sync, NULL, NULL);
7806 
7807 complete:
7808 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_DEVICE,
7809 				MGMT_STATUS_SUCCESS, &cp->addr,
7810 				sizeof(cp->addr));
7811 unlock:
7812 	hci_dev_unlock(hdev);
7813 	return err;
7814 }
7815 
7816 static int load_conn_param(struct sock *sk, struct hci_dev *hdev, void *data,
7817 			   u16 len)
7818 {
7819 	struct mgmt_cp_load_conn_param *cp = data;
7820 	const u16 max_param_count = ((U16_MAX - sizeof(*cp)) /
7821 				     sizeof(struct mgmt_conn_param));
7822 	u16 param_count, expected_len;
7823 	int i;
7824 
7825 	if (!lmp_le_capable(hdev))
7826 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM,
7827 				       MGMT_STATUS_NOT_SUPPORTED);
7828 
7829 	param_count = __le16_to_cpu(cp->param_count);
7830 	if (param_count > max_param_count) {
7831 		bt_dev_err(hdev, "load_conn_param: too big param_count value %u",
7832 			   param_count);
7833 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM,
7834 				       MGMT_STATUS_INVALID_PARAMS);
7835 	}
7836 
7837 	expected_len = struct_size(cp, params, param_count);
7838 	if (expected_len != len) {
7839 		bt_dev_err(hdev, "load_conn_param: expected %u bytes, got %u bytes",
7840 			   expected_len, len);
7841 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM,
7842 				       MGMT_STATUS_INVALID_PARAMS);
7843 	}
7844 
7845 	bt_dev_dbg(hdev, "param_count %u", param_count);
7846 
7847 	hci_dev_lock(hdev);
7848 
7849 	hci_conn_params_clear_disabled(hdev);
7850 
7851 	for (i = 0; i < param_count; i++) {
7852 		struct mgmt_conn_param *param = &cp->params[i];
7853 		struct hci_conn_params *hci_param;
7854 		u16 min, max, latency, timeout;
7855 		u8 addr_type;
7856 
7857 		bt_dev_dbg(hdev, "Adding %pMR (type %u)", &param->addr.bdaddr,
7858 			   param->addr.type);
7859 
7860 		if (param->addr.type == BDADDR_LE_PUBLIC) {
7861 			addr_type = ADDR_LE_DEV_PUBLIC;
7862 		} else if (param->addr.type == BDADDR_LE_RANDOM) {
7863 			addr_type = ADDR_LE_DEV_RANDOM;
7864 		} else {
7865 			bt_dev_err(hdev, "ignoring invalid connection parameters");
7866 			continue;
7867 		}
7868 
7869 		min = le16_to_cpu(param->min_interval);
7870 		max = le16_to_cpu(param->max_interval);
7871 		latency = le16_to_cpu(param->latency);
7872 		timeout = le16_to_cpu(param->timeout);
7873 
7874 		bt_dev_dbg(hdev, "min 0x%04x max 0x%04x latency 0x%04x timeout 0x%04x",
7875 			   min, max, latency, timeout);
7876 
7877 		if (hci_check_conn_params(min, max, latency, timeout) < 0) {
7878 			bt_dev_err(hdev, "ignoring invalid connection parameters");
7879 			continue;
7880 		}
7881 
7882 		hci_param = hci_conn_params_add(hdev, &param->addr.bdaddr,
7883 						addr_type);
7884 		if (!hci_param) {
7885 			bt_dev_err(hdev, "failed to add connection parameters");
7886 			continue;
7887 		}
7888 
7889 		hci_param->conn_min_interval = min;
7890 		hci_param->conn_max_interval = max;
7891 		hci_param->conn_latency = latency;
7892 		hci_param->supervision_timeout = timeout;
7893 	}
7894 
7895 	hci_dev_unlock(hdev);
7896 
7897 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM, 0,
7898 				 NULL, 0);
7899 }
7900 
7901 static int set_external_config(struct sock *sk, struct hci_dev *hdev,
7902 			       void *data, u16 len)
7903 {
7904 	struct mgmt_cp_set_external_config *cp = data;
7905 	bool changed;
7906 	int err;
7907 
7908 	bt_dev_dbg(hdev, "sock %p", sk);
7909 
7910 	if (hdev_is_powered(hdev))
7911 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_EXTERNAL_CONFIG,
7912 				       MGMT_STATUS_REJECTED);
7913 
7914 	if (cp->config != 0x00 && cp->config != 0x01)
7915 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_EXTERNAL_CONFIG,
7916 				         MGMT_STATUS_INVALID_PARAMS);
7917 
7918 	if (!test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks))
7919 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_EXTERNAL_CONFIG,
7920 				       MGMT_STATUS_NOT_SUPPORTED);
7921 
7922 	hci_dev_lock(hdev);
7923 
7924 	if (cp->config)
7925 		changed = !hci_dev_test_and_set_flag(hdev, HCI_EXT_CONFIGURED);
7926 	else
7927 		changed = hci_dev_test_and_clear_flag(hdev, HCI_EXT_CONFIGURED);
7928 
7929 	err = send_options_rsp(sk, MGMT_OP_SET_EXTERNAL_CONFIG, hdev);
7930 	if (err < 0)
7931 		goto unlock;
7932 
7933 	if (!changed)
7934 		goto unlock;
7935 
7936 	err = new_options(hdev, sk);
7937 
7938 	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED) == is_configured(hdev)) {
7939 		mgmt_index_removed(hdev);
7940 
7941 		if (hci_dev_test_and_change_flag(hdev, HCI_UNCONFIGURED)) {
7942 			hci_dev_set_flag(hdev, HCI_CONFIG);
7943 			hci_dev_set_flag(hdev, HCI_AUTO_OFF);
7944 
7945 			queue_work(hdev->req_workqueue, &hdev->power_on);
7946 		} else {
7947 			set_bit(HCI_RAW, &hdev->flags);
7948 			mgmt_index_added(hdev);
7949 		}
7950 	}
7951 
7952 unlock:
7953 	hci_dev_unlock(hdev);
7954 	return err;
7955 }
7956 
7957 static int set_public_address(struct sock *sk, struct hci_dev *hdev,
7958 			      void *data, u16 len)
7959 {
7960 	struct mgmt_cp_set_public_address *cp = data;
7961 	bool changed;
7962 	int err;
7963 
7964 	bt_dev_dbg(hdev, "sock %p", sk);
7965 
7966 	if (hdev_is_powered(hdev))
7967 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PUBLIC_ADDRESS,
7968 				       MGMT_STATUS_REJECTED);
7969 
7970 	if (!bacmp(&cp->bdaddr, BDADDR_ANY))
7971 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PUBLIC_ADDRESS,
7972 				       MGMT_STATUS_INVALID_PARAMS);
7973 
7974 	if (!hdev->set_bdaddr)
7975 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PUBLIC_ADDRESS,
7976 				       MGMT_STATUS_NOT_SUPPORTED);
7977 
7978 	hci_dev_lock(hdev);
7979 
7980 	changed = !!bacmp(&hdev->public_addr, &cp->bdaddr);
7981 	bacpy(&hdev->public_addr, &cp->bdaddr);
7982 
7983 	err = send_options_rsp(sk, MGMT_OP_SET_PUBLIC_ADDRESS, hdev);
7984 	if (err < 0)
7985 		goto unlock;
7986 
7987 	if (!changed)
7988 		goto unlock;
7989 
7990 	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
7991 		err = new_options(hdev, sk);
7992 
7993 	if (is_configured(hdev)) {
7994 		mgmt_index_removed(hdev);
7995 
7996 		hci_dev_clear_flag(hdev, HCI_UNCONFIGURED);
7997 
7998 		hci_dev_set_flag(hdev, HCI_CONFIG);
7999 		hci_dev_set_flag(hdev, HCI_AUTO_OFF);
8000 
8001 		queue_work(hdev->req_workqueue, &hdev->power_on);
8002 	}
8003 
8004 unlock:
8005 	hci_dev_unlock(hdev);
8006 	return err;
8007 }
8008 
8009 static void read_local_oob_ext_data_complete(struct hci_dev *hdev, void *data,
8010 					     int err)
8011 {
8012 	const struct mgmt_cp_read_local_oob_ext_data *mgmt_cp;
8013 	struct mgmt_rp_read_local_oob_ext_data *mgmt_rp;
8014 	u8 *h192, *r192, *h256, *r256;
8015 	struct mgmt_pending_cmd *cmd = data;
8016 	struct sk_buff *skb = cmd->skb;
8017 	u8 status = mgmt_status(err);
8018 	u16 eir_len;
8019 
8020 	if (cmd != pending_find(MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev))
8021 		return;
8022 
8023 	if (!status) {
8024 		if (!skb)
8025 			status = MGMT_STATUS_FAILED;
8026 		else if (IS_ERR(skb))
8027 			status = mgmt_status(PTR_ERR(skb));
8028 		else
8029 			status = mgmt_status(skb->data[0]);
8030 	}
8031 
8032 	bt_dev_dbg(hdev, "status %u", status);
8033 
8034 	mgmt_cp = cmd->param;
8035 
8036 	if (status) {
8037 		status = mgmt_status(status);
8038 		eir_len = 0;
8039 
8040 		h192 = NULL;
8041 		r192 = NULL;
8042 		h256 = NULL;
8043 		r256 = NULL;
8044 	} else if (!bredr_sc_enabled(hdev)) {
8045 		struct hci_rp_read_local_oob_data *rp;
8046 
8047 		if (skb->len != sizeof(*rp)) {
8048 			status = MGMT_STATUS_FAILED;
8049 			eir_len = 0;
8050 		} else {
8051 			status = MGMT_STATUS_SUCCESS;
8052 			rp = (void *)skb->data;
8053 
8054 			eir_len = 5 + 18 + 18;
8055 			h192 = rp->hash;
8056 			r192 = rp->rand;
8057 			h256 = NULL;
8058 			r256 = NULL;
8059 		}
8060 	} else {
8061 		struct hci_rp_read_local_oob_ext_data *rp;
8062 
8063 		if (skb->len != sizeof(*rp)) {
8064 			status = MGMT_STATUS_FAILED;
8065 			eir_len = 0;
8066 		} else {
8067 			status = MGMT_STATUS_SUCCESS;
8068 			rp = (void *)skb->data;
8069 
8070 			if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
8071 				eir_len = 5 + 18 + 18;
8072 				h192 = NULL;
8073 				r192 = NULL;
8074 			} else {
8075 				eir_len = 5 + 18 + 18 + 18 + 18;
8076 				h192 = rp->hash192;
8077 				r192 = rp->rand192;
8078 			}
8079 
8080 			h256 = rp->hash256;
8081 			r256 = rp->rand256;
8082 		}
8083 	}
8084 
8085 	mgmt_rp = kmalloc(sizeof(*mgmt_rp) + eir_len, GFP_KERNEL);
8086 	if (!mgmt_rp)
8087 		goto done;
8088 
8089 	if (eir_len == 0)
8090 		goto send_rsp;
8091 
8092 	eir_len = eir_append_data(mgmt_rp->eir, 0, EIR_CLASS_OF_DEV,
8093 				  hdev->dev_class, 3);
8094 
8095 	if (h192 && r192) {
8096 		eir_len = eir_append_data(mgmt_rp->eir, eir_len,
8097 					  EIR_SSP_HASH_C192, h192, 16);
8098 		eir_len = eir_append_data(mgmt_rp->eir, eir_len,
8099 					  EIR_SSP_RAND_R192, r192, 16);
8100 	}
8101 
8102 	if (h256 && r256) {
8103 		eir_len = eir_append_data(mgmt_rp->eir, eir_len,
8104 					  EIR_SSP_HASH_C256, h256, 16);
8105 		eir_len = eir_append_data(mgmt_rp->eir, eir_len,
8106 					  EIR_SSP_RAND_R256, r256, 16);
8107 	}
8108 
8109 send_rsp:
8110 	mgmt_rp->type = mgmt_cp->type;
8111 	mgmt_rp->eir_len = cpu_to_le16(eir_len);
8112 
8113 	err = mgmt_cmd_complete(cmd->sk, hdev->id,
8114 				MGMT_OP_READ_LOCAL_OOB_EXT_DATA, status,
8115 				mgmt_rp, sizeof(*mgmt_rp) + eir_len);
8116 	if (err < 0 || status)
8117 		goto done;
8118 
8119 	hci_sock_set_flag(cmd->sk, HCI_MGMT_OOB_DATA_EVENTS);
8120 
8121 	err = mgmt_limited_event(MGMT_EV_LOCAL_OOB_DATA_UPDATED, hdev,
8122 				 mgmt_rp, sizeof(*mgmt_rp) + eir_len,
8123 				 HCI_MGMT_OOB_DATA_EVENTS, cmd->sk);
8124 done:
8125 	if (skb && !IS_ERR(skb))
8126 		kfree_skb(skb);
8127 
8128 	kfree(mgmt_rp);
8129 	mgmt_pending_remove(cmd);
8130 }
8131 
8132 static int read_local_ssp_oob_req(struct hci_dev *hdev, struct sock *sk,
8133 				  struct mgmt_cp_read_local_oob_ext_data *cp)
8134 {
8135 	struct mgmt_pending_cmd *cmd;
8136 	int err;
8137 
8138 	cmd = mgmt_pending_add(sk, MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev,
8139 			       cp, sizeof(*cp));
8140 	if (!cmd)
8141 		return -ENOMEM;
8142 
8143 	err = hci_cmd_sync_queue(hdev, read_local_oob_data_sync, cmd,
8144 				 read_local_oob_ext_data_complete);
8145 
8146 	if (err < 0) {
8147 		mgmt_pending_remove(cmd);
8148 		return err;
8149 	}
8150 
8151 	return 0;
8152 }
8153 
8154 static int read_local_oob_ext_data(struct sock *sk, struct hci_dev *hdev,
8155 				   void *data, u16 data_len)
8156 {
8157 	struct mgmt_cp_read_local_oob_ext_data *cp = data;
8158 	struct mgmt_rp_read_local_oob_ext_data *rp;
8159 	size_t rp_len;
8160 	u16 eir_len;
8161 	u8 status, flags, role, addr[7], hash[16], rand[16];
8162 	int err;
8163 
8164 	bt_dev_dbg(hdev, "sock %p", sk);
8165 
8166 	if (hdev_is_powered(hdev)) {
8167 		switch (cp->type) {
8168 		case BIT(BDADDR_BREDR):
8169 			status = mgmt_bredr_support(hdev);
8170 			if (status)
8171 				eir_len = 0;
8172 			else
8173 				eir_len = 5;
8174 			break;
8175 		case (BIT(BDADDR_LE_PUBLIC) | BIT(BDADDR_LE_RANDOM)):
8176 			status = mgmt_le_support(hdev);
8177 			if (status)
8178 				eir_len = 0;
8179 			else
8180 				eir_len = 9 + 3 + 18 + 18 + 3;
8181 			break;
8182 		default:
8183 			status = MGMT_STATUS_INVALID_PARAMS;
8184 			eir_len = 0;
8185 			break;
8186 		}
8187 	} else {
8188 		status = MGMT_STATUS_NOT_POWERED;
8189 		eir_len = 0;
8190 	}
8191 
8192 	rp_len = sizeof(*rp) + eir_len;
8193 	rp = kmalloc(rp_len, GFP_ATOMIC);
8194 	if (!rp)
8195 		return -ENOMEM;
8196 
8197 	if (!status && !lmp_ssp_capable(hdev)) {
8198 		status = MGMT_STATUS_NOT_SUPPORTED;
8199 		eir_len = 0;
8200 	}
8201 
8202 	if (status)
8203 		goto complete;
8204 
8205 	hci_dev_lock(hdev);
8206 
8207 	eir_len = 0;
8208 	switch (cp->type) {
8209 	case BIT(BDADDR_BREDR):
8210 		if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
8211 			err = read_local_ssp_oob_req(hdev, sk, cp);
8212 			hci_dev_unlock(hdev);
8213 			if (!err)
8214 				goto done;
8215 
8216 			status = MGMT_STATUS_FAILED;
8217 			goto complete;
8218 		} else {
8219 			eir_len = eir_append_data(rp->eir, eir_len,
8220 						  EIR_CLASS_OF_DEV,
8221 						  hdev->dev_class, 3);
8222 		}
8223 		break;
8224 	case (BIT(BDADDR_LE_PUBLIC) | BIT(BDADDR_LE_RANDOM)):
8225 		if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
8226 		    smp_generate_oob(hdev, hash, rand) < 0) {
8227 			hci_dev_unlock(hdev);
8228 			status = MGMT_STATUS_FAILED;
8229 			goto complete;
8230 		}
8231 
8232 		/* This should return the active RPA, but since the RPA
8233 		 * is only programmed on demand, it is really hard to fill
8234 		 * this in at the moment. For now disallow retrieving
8235 		 * local out-of-band data when privacy is in use.
8236 		 *
8237 		 * Returning the identity address will not help here since
8238 		 * pairing happens before the identity resolving key is
8239 		 * known and thus the connection establishment happens
8240 		 * based on the RPA and not the identity address.
8241 		 */
8242 		if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
8243 			hci_dev_unlock(hdev);
8244 			status = MGMT_STATUS_REJECTED;
8245 			goto complete;
8246 		}
8247 
8248 		if (hci_dev_test_flag(hdev, HCI_FORCE_STATIC_ADDR) ||
8249 		   !bacmp(&hdev->bdaddr, BDADDR_ANY) ||
8250 		   (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
8251 		    bacmp(&hdev->static_addr, BDADDR_ANY))) {
8252 			memcpy(addr, &hdev->static_addr, 6);
8253 			addr[6] = 0x01;
8254 		} else {
8255 			memcpy(addr, &hdev->bdaddr, 6);
8256 			addr[6] = 0x00;
8257 		}
8258 
8259 		eir_len = eir_append_data(rp->eir, eir_len, EIR_LE_BDADDR,
8260 					  addr, sizeof(addr));
8261 
8262 		if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
8263 			role = 0x02;
8264 		else
8265 			role = 0x01;
8266 
8267 		eir_len = eir_append_data(rp->eir, eir_len, EIR_LE_ROLE,
8268 					  &role, sizeof(role));
8269 
8270 		if (hci_dev_test_flag(hdev, HCI_SC_ENABLED)) {
8271 			eir_len = eir_append_data(rp->eir, eir_len,
8272 						  EIR_LE_SC_CONFIRM,
8273 						  hash, sizeof(hash));
8274 
8275 			eir_len = eir_append_data(rp->eir, eir_len,
8276 						  EIR_LE_SC_RANDOM,
8277 						  rand, sizeof(rand));
8278 		}
8279 
8280 		flags = mgmt_get_adv_discov_flags(hdev);
8281 
8282 		if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
8283 			flags |= LE_AD_NO_BREDR;
8284 
8285 		eir_len = eir_append_data(rp->eir, eir_len, EIR_FLAGS,
8286 					  &flags, sizeof(flags));
8287 		break;
8288 	}
8289 
8290 	hci_dev_unlock(hdev);
8291 
8292 	hci_sock_set_flag(sk, HCI_MGMT_OOB_DATA_EVENTS);
8293 
8294 	status = MGMT_STATUS_SUCCESS;
8295 
8296 complete:
8297 	rp->type = cp->type;
8298 	rp->eir_len = cpu_to_le16(eir_len);
8299 
8300 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_EXT_DATA,
8301 				status, rp, sizeof(*rp) + eir_len);
8302 	if (err < 0 || status)
8303 		goto done;
8304 
8305 	err = mgmt_limited_event(MGMT_EV_LOCAL_OOB_DATA_UPDATED, hdev,
8306 				 rp, sizeof(*rp) + eir_len,
8307 				 HCI_MGMT_OOB_DATA_EVENTS, sk);
8308 
8309 done:
8310 	kfree(rp);
8311 
8312 	return err;
8313 }
8314 
8315 static u32 get_supported_adv_flags(struct hci_dev *hdev)
8316 {
8317 	u32 flags = 0;
8318 
8319 	flags |= MGMT_ADV_FLAG_CONNECTABLE;
8320 	flags |= MGMT_ADV_FLAG_DISCOV;
8321 	flags |= MGMT_ADV_FLAG_LIMITED_DISCOV;
8322 	flags |= MGMT_ADV_FLAG_MANAGED_FLAGS;
8323 	flags |= MGMT_ADV_FLAG_APPEARANCE;
8324 	flags |= MGMT_ADV_FLAG_LOCAL_NAME;
8325 	flags |= MGMT_ADV_PARAM_DURATION;
8326 	flags |= MGMT_ADV_PARAM_TIMEOUT;
8327 	flags |= MGMT_ADV_PARAM_INTERVALS;
8328 	flags |= MGMT_ADV_PARAM_TX_POWER;
8329 	flags |= MGMT_ADV_PARAM_SCAN_RSP;
8330 
8331 	/* In extended adv TX_POWER returned from Set Adv Param
8332 	 * will be always valid.
8333 	 */
8334 	if (hdev->adv_tx_power != HCI_TX_POWER_INVALID || ext_adv_capable(hdev))
8335 		flags |= MGMT_ADV_FLAG_TX_POWER;
8336 
8337 	if (ext_adv_capable(hdev)) {
8338 		flags |= MGMT_ADV_FLAG_SEC_1M;
8339 		flags |= MGMT_ADV_FLAG_HW_OFFLOAD;
8340 		flags |= MGMT_ADV_FLAG_CAN_SET_TX_POWER;
8341 
8342 		if (le_2m_capable(hdev))
8343 			flags |= MGMT_ADV_FLAG_SEC_2M;
8344 
8345 		if (le_coded_capable(hdev))
8346 			flags |= MGMT_ADV_FLAG_SEC_CODED;
8347 	}
8348 
8349 	return flags;
8350 }
8351 
8352 static int read_adv_features(struct sock *sk, struct hci_dev *hdev,
8353 			     void *data, u16 data_len)
8354 {
8355 	struct mgmt_rp_read_adv_features *rp;
8356 	size_t rp_len;
8357 	int err;
8358 	struct adv_info *adv_instance;
8359 	u32 supported_flags;
8360 	u8 *instance;
8361 
8362 	bt_dev_dbg(hdev, "sock %p", sk);
8363 
8364 	if (!lmp_le_capable(hdev))
8365 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_ADV_FEATURES,
8366 				       MGMT_STATUS_REJECTED);
8367 
8368 	hci_dev_lock(hdev);
8369 
8370 	rp_len = sizeof(*rp) + hdev->adv_instance_cnt;
8371 	rp = kmalloc(rp_len, GFP_ATOMIC);
8372 	if (!rp) {
8373 		hci_dev_unlock(hdev);
8374 		return -ENOMEM;
8375 	}
8376 
8377 	supported_flags = get_supported_adv_flags(hdev);
8378 
8379 	rp->supported_flags = cpu_to_le32(supported_flags);
8380 	rp->max_adv_data_len = max_adv_len(hdev);
8381 	rp->max_scan_rsp_len = max_adv_len(hdev);
8382 	rp->max_instances = hdev->le_num_of_adv_sets;
8383 	rp->num_instances = hdev->adv_instance_cnt;
8384 
8385 	instance = rp->instance;
8386 	list_for_each_entry(adv_instance, &hdev->adv_instances, list) {
8387 		/* Only instances 1-le_num_of_adv_sets are externally visible */
8388 		if (adv_instance->instance <= hdev->adv_instance_cnt) {
8389 			*instance = adv_instance->instance;
8390 			instance++;
8391 		} else {
8392 			rp->num_instances--;
8393 			rp_len--;
8394 		}
8395 	}
8396 
8397 	hci_dev_unlock(hdev);
8398 
8399 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_ADV_FEATURES,
8400 				MGMT_STATUS_SUCCESS, rp, rp_len);
8401 
8402 	kfree(rp);
8403 
8404 	return err;
8405 }
8406 
8407 static u8 calculate_name_len(struct hci_dev *hdev)
8408 {
8409 	u8 buf[HCI_MAX_SHORT_NAME_LENGTH + 2]; /* len + type + name */
8410 
8411 	return eir_append_local_name(hdev, buf, 0);
8412 }
8413 
8414 static u8 tlv_data_max_len(struct hci_dev *hdev, u32 adv_flags,
8415 			   bool is_adv_data)
8416 {
8417 	u8 max_len = max_adv_len(hdev);
8418 
8419 	if (is_adv_data) {
8420 		if (adv_flags & (MGMT_ADV_FLAG_DISCOV |
8421 				 MGMT_ADV_FLAG_LIMITED_DISCOV |
8422 				 MGMT_ADV_FLAG_MANAGED_FLAGS))
8423 			max_len -= 3;
8424 
8425 		if (adv_flags & MGMT_ADV_FLAG_TX_POWER)
8426 			max_len -= 3;
8427 	} else {
8428 		if (adv_flags & MGMT_ADV_FLAG_LOCAL_NAME)
8429 			max_len -= calculate_name_len(hdev);
8430 
8431 		if (adv_flags & (MGMT_ADV_FLAG_APPEARANCE))
8432 			max_len -= 4;
8433 	}
8434 
8435 	return max_len;
8436 }
8437 
8438 static bool flags_managed(u32 adv_flags)
8439 {
8440 	return adv_flags & (MGMT_ADV_FLAG_DISCOV |
8441 			    MGMT_ADV_FLAG_LIMITED_DISCOV |
8442 			    MGMT_ADV_FLAG_MANAGED_FLAGS);
8443 }
8444 
8445 static bool tx_power_managed(u32 adv_flags)
8446 {
8447 	return adv_flags & MGMT_ADV_FLAG_TX_POWER;
8448 }
8449 
8450 static bool name_managed(u32 adv_flags)
8451 {
8452 	return adv_flags & MGMT_ADV_FLAG_LOCAL_NAME;
8453 }
8454 
8455 static bool appearance_managed(u32 adv_flags)
8456 {
8457 	return adv_flags & MGMT_ADV_FLAG_APPEARANCE;
8458 }
8459 
8460 static bool tlv_data_is_valid(struct hci_dev *hdev, u32 adv_flags, u8 *data,
8461 			      u8 len, bool is_adv_data)
8462 {
8463 	int i, cur_len;
8464 	u8 max_len;
8465 
8466 	max_len = tlv_data_max_len(hdev, adv_flags, is_adv_data);
8467 
8468 	if (len > max_len)
8469 		return false;
8470 
8471 	/* Make sure that the data is correctly formatted. */
8472 	for (i = 0; i < len; i += (cur_len + 1)) {
8473 		cur_len = data[i];
8474 
8475 		if (!cur_len)
8476 			continue;
8477 
8478 		if (data[i + 1] == EIR_FLAGS &&
8479 		    (!is_adv_data || flags_managed(adv_flags)))
8480 			return false;
8481 
8482 		if (data[i + 1] == EIR_TX_POWER && tx_power_managed(adv_flags))
8483 			return false;
8484 
8485 		if (data[i + 1] == EIR_NAME_COMPLETE && name_managed(adv_flags))
8486 			return false;
8487 
8488 		if (data[i + 1] == EIR_NAME_SHORT && name_managed(adv_flags))
8489 			return false;
8490 
8491 		if (data[i + 1] == EIR_APPEARANCE &&
8492 		    appearance_managed(adv_flags))
8493 			return false;
8494 
8495 		/* If the current field length would exceed the total data
8496 		 * length, then it's invalid.
8497 		 */
8498 		if (i + cur_len >= len)
8499 			return false;
8500 	}
8501 
8502 	return true;
8503 }
8504 
8505 static bool requested_adv_flags_are_valid(struct hci_dev *hdev, u32 adv_flags)
8506 {
8507 	u32 supported_flags, phy_flags;
8508 
8509 	/* The current implementation only supports a subset of the specified
8510 	 * flags. Also need to check mutual exclusiveness of sec flags.
8511 	 */
8512 	supported_flags = get_supported_adv_flags(hdev);
8513 	phy_flags = adv_flags & MGMT_ADV_FLAG_SEC_MASK;
8514 	if (adv_flags & ~supported_flags ||
8515 	    ((phy_flags && (phy_flags ^ (phy_flags & -phy_flags)))))
8516 		return false;
8517 
8518 	return true;
8519 }
8520 
8521 static bool adv_busy(struct hci_dev *hdev)
8522 {
8523 	return pending_find(MGMT_OP_SET_LE, hdev);
8524 }
8525 
8526 static void add_adv_complete(struct hci_dev *hdev, struct sock *sk, u8 instance,
8527 			     int err)
8528 {
8529 	struct adv_info *adv, *n;
8530 
8531 	bt_dev_dbg(hdev, "err %d", err);
8532 
8533 	hci_dev_lock(hdev);
8534 
8535 	list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) {
8536 		u8 instance;
8537 
8538 		if (!adv->pending)
8539 			continue;
8540 
8541 		if (!err) {
8542 			adv->pending = false;
8543 			continue;
8544 		}
8545 
8546 		instance = adv->instance;
8547 
8548 		if (hdev->cur_adv_instance == instance)
8549 			cancel_adv_timeout(hdev);
8550 
8551 		hci_remove_adv_instance(hdev, instance);
8552 		mgmt_advertising_removed(sk, hdev, instance);
8553 	}
8554 
8555 	hci_dev_unlock(hdev);
8556 }
8557 
8558 static void add_advertising_complete(struct hci_dev *hdev, void *data, int err)
8559 {
8560 	struct mgmt_pending_cmd *cmd = data;
8561 	struct mgmt_cp_add_advertising *cp = cmd->param;
8562 	struct mgmt_rp_add_advertising rp;
8563 
8564 	memset(&rp, 0, sizeof(rp));
8565 
8566 	rp.instance = cp->instance;
8567 
8568 	if (err)
8569 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode,
8570 				mgmt_status(err));
8571 	else
8572 		mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
8573 				  mgmt_status(err), &rp, sizeof(rp));
8574 
8575 	add_adv_complete(hdev, cmd->sk, cp->instance, err);
8576 
8577 	mgmt_pending_free(cmd);
8578 }
8579 
8580 static int add_advertising_sync(struct hci_dev *hdev, void *data)
8581 {
8582 	struct mgmt_pending_cmd *cmd = data;
8583 	struct mgmt_cp_add_advertising *cp = cmd->param;
8584 
8585 	return hci_schedule_adv_instance_sync(hdev, cp->instance, true);
8586 }
8587 
8588 static int add_advertising(struct sock *sk, struct hci_dev *hdev,
8589 			   void *data, u16 data_len)
8590 {
8591 	struct mgmt_cp_add_advertising *cp = data;
8592 	struct mgmt_rp_add_advertising rp;
8593 	u32 flags;
8594 	u8 status;
8595 	u16 timeout, duration;
8596 	unsigned int prev_instance_cnt;
8597 	u8 schedule_instance = 0;
8598 	struct adv_info *adv, *next_instance;
8599 	int err;
8600 	struct mgmt_pending_cmd *cmd;
8601 
8602 	bt_dev_dbg(hdev, "sock %p", sk);
8603 
8604 	status = mgmt_le_support(hdev);
8605 	if (status)
8606 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
8607 				       status);
8608 
8609 	if (cp->instance < 1 || cp->instance > hdev->le_num_of_adv_sets)
8610 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
8611 				       MGMT_STATUS_INVALID_PARAMS);
8612 
8613 	if (data_len != sizeof(*cp) + cp->adv_data_len + cp->scan_rsp_len)
8614 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
8615 				       MGMT_STATUS_INVALID_PARAMS);
8616 
8617 	flags = __le32_to_cpu(cp->flags);
8618 	timeout = __le16_to_cpu(cp->timeout);
8619 	duration = __le16_to_cpu(cp->duration);
8620 
8621 	if (!requested_adv_flags_are_valid(hdev, flags))
8622 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
8623 				       MGMT_STATUS_INVALID_PARAMS);
8624 
8625 	hci_dev_lock(hdev);
8626 
8627 	if (timeout && !hdev_is_powered(hdev)) {
8628 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
8629 				      MGMT_STATUS_REJECTED);
8630 		goto unlock;
8631 	}
8632 
8633 	if (adv_busy(hdev)) {
8634 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
8635 				      MGMT_STATUS_BUSY);
8636 		goto unlock;
8637 	}
8638 
8639 	if (!tlv_data_is_valid(hdev, flags, cp->data, cp->adv_data_len, true) ||
8640 	    !tlv_data_is_valid(hdev, flags, cp->data + cp->adv_data_len,
8641 			       cp->scan_rsp_len, false)) {
8642 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
8643 				      MGMT_STATUS_INVALID_PARAMS);
8644 		goto unlock;
8645 	}
8646 
8647 	prev_instance_cnt = hdev->adv_instance_cnt;
8648 
8649 	adv = hci_add_adv_instance(hdev, cp->instance, flags,
8650 				   cp->adv_data_len, cp->data,
8651 				   cp->scan_rsp_len,
8652 				   cp->data + cp->adv_data_len,
8653 				   timeout, duration,
8654 				   HCI_ADV_TX_POWER_NO_PREFERENCE,
8655 				   hdev->le_adv_min_interval,
8656 				   hdev->le_adv_max_interval, 0);
8657 	if (IS_ERR(adv)) {
8658 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
8659 				      MGMT_STATUS_FAILED);
8660 		goto unlock;
8661 	}
8662 
8663 	/* Only trigger an advertising added event if a new instance was
8664 	 * actually added.
8665 	 */
8666 	if (hdev->adv_instance_cnt > prev_instance_cnt)
8667 		mgmt_advertising_added(sk, hdev, cp->instance);
8668 
8669 	if (hdev->cur_adv_instance == cp->instance) {
8670 		/* If the currently advertised instance is being changed then
8671 		 * cancel the current advertising and schedule the next
8672 		 * instance. If there is only one instance then the overridden
8673 		 * advertising data will be visible right away.
8674 		 */
8675 		cancel_adv_timeout(hdev);
8676 
8677 		next_instance = hci_get_next_instance(hdev, cp->instance);
8678 		if (next_instance)
8679 			schedule_instance = next_instance->instance;
8680 	} else if (!hdev->adv_instance_timeout) {
8681 		/* Immediately advertise the new instance if no other
8682 		 * instance is currently being advertised.
8683 		 */
8684 		schedule_instance = cp->instance;
8685 	}
8686 
8687 	/* If the HCI_ADVERTISING flag is set or the device isn't powered or
8688 	 * there is no instance to be advertised then we have no HCI
8689 	 * communication to make. Simply return.
8690 	 */
8691 	if (!hdev_is_powered(hdev) ||
8692 	    hci_dev_test_flag(hdev, HCI_ADVERTISING) ||
8693 	    !schedule_instance) {
8694 		rp.instance = cp->instance;
8695 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
8696 					MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
8697 		goto unlock;
8698 	}
8699 
8700 	/* We're good to go, update advertising data, parameters, and start
8701 	 * advertising.
8702 	 */
8703 	cmd = mgmt_pending_new(sk, MGMT_OP_ADD_ADVERTISING, hdev, data,
8704 			       data_len);
8705 	if (!cmd) {
8706 		err = -ENOMEM;
8707 		goto unlock;
8708 	}
8709 
8710 	cp->instance = schedule_instance;
8711 
8712 	err = hci_cmd_sync_queue(hdev, add_advertising_sync, cmd,
8713 				 add_advertising_complete);
8714 	if (err < 0)
8715 		mgmt_pending_free(cmd);
8716 
8717 unlock:
8718 	hci_dev_unlock(hdev);
8719 
8720 	return err;
8721 }
8722 
8723 static void add_ext_adv_params_complete(struct hci_dev *hdev, void *data,
8724 					int err)
8725 {
8726 	struct mgmt_pending_cmd *cmd = data;
8727 	struct mgmt_cp_add_ext_adv_params *cp = cmd->param;
8728 	struct mgmt_rp_add_ext_adv_params rp;
8729 	struct adv_info *adv;
8730 	u32 flags;
8731 
8732 	BT_DBG("%s", hdev->name);
8733 
8734 	hci_dev_lock(hdev);
8735 
8736 	adv = hci_find_adv_instance(hdev, cp->instance);
8737 	if (!adv)
8738 		goto unlock;
8739 
8740 	rp.instance = cp->instance;
8741 	rp.tx_power = adv->tx_power;
8742 
8743 	/* While we're at it, inform userspace of the available space for this
8744 	 * advertisement, given the flags that will be used.
8745 	 */
8746 	flags = __le32_to_cpu(cp->flags);
8747 	rp.max_adv_data_len = tlv_data_max_len(hdev, flags, true);
8748 	rp.max_scan_rsp_len = tlv_data_max_len(hdev, flags, false);
8749 
8750 	if (err) {
8751 		/* If this advertisement was previously advertising and we
8752 		 * failed to update it, we signal that it has been removed and
8753 		 * delete its structure
8754 		 */
8755 		if (!adv->pending)
8756 			mgmt_advertising_removed(cmd->sk, hdev, cp->instance);
8757 
8758 		hci_remove_adv_instance(hdev, cp->instance);
8759 
8760 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode,
8761 				mgmt_status(err));
8762 	} else {
8763 		mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
8764 				  mgmt_status(err), &rp, sizeof(rp));
8765 	}
8766 
8767 unlock:
8768 	mgmt_pending_free(cmd);
8769 
8770 	hci_dev_unlock(hdev);
8771 }
8772 
8773 static int add_ext_adv_params_sync(struct hci_dev *hdev, void *data)
8774 {
8775 	struct mgmt_pending_cmd *cmd = data;
8776 	struct mgmt_cp_add_ext_adv_params *cp = cmd->param;
8777 
8778 	return hci_setup_ext_adv_instance_sync(hdev, cp->instance);
8779 }
8780 
8781 static int add_ext_adv_params(struct sock *sk, struct hci_dev *hdev,
8782 			      void *data, u16 data_len)
8783 {
8784 	struct mgmt_cp_add_ext_adv_params *cp = data;
8785 	struct mgmt_rp_add_ext_adv_params rp;
8786 	struct mgmt_pending_cmd *cmd = NULL;
8787 	struct adv_info *adv;
8788 	u32 flags, min_interval, max_interval;
8789 	u16 timeout, duration;
8790 	u8 status;
8791 	s8 tx_power;
8792 	int err;
8793 
8794 	BT_DBG("%s", hdev->name);
8795 
8796 	status = mgmt_le_support(hdev);
8797 	if (status)
8798 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
8799 				       status);
8800 
8801 	if (cp->instance < 1 || cp->instance > hdev->le_num_of_adv_sets)
8802 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
8803 				       MGMT_STATUS_INVALID_PARAMS);
8804 
8805 	/* The purpose of breaking add_advertising into two separate MGMT calls
8806 	 * for params and data is to allow more parameters to be added to this
8807 	 * structure in the future. For this reason, we verify that we have the
8808 	 * bare minimum structure we know of when the interface was defined. Any
8809 	 * extra parameters we don't know about will be ignored in this request.
8810 	 */
8811 	if (data_len < MGMT_ADD_EXT_ADV_PARAMS_MIN_SIZE)
8812 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
8813 				       MGMT_STATUS_INVALID_PARAMS);
8814 
8815 	flags = __le32_to_cpu(cp->flags);
8816 
8817 	if (!requested_adv_flags_are_valid(hdev, flags))
8818 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
8819 				       MGMT_STATUS_INVALID_PARAMS);
8820 
8821 	hci_dev_lock(hdev);
8822 
8823 	/* In new interface, we require that we are powered to register */
8824 	if (!hdev_is_powered(hdev)) {
8825 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
8826 				      MGMT_STATUS_REJECTED);
8827 		goto unlock;
8828 	}
8829 
8830 	if (adv_busy(hdev)) {
8831 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
8832 				      MGMT_STATUS_BUSY);
8833 		goto unlock;
8834 	}
8835 
8836 	/* Parse defined parameters from request, use defaults otherwise */
8837 	timeout = (flags & MGMT_ADV_PARAM_TIMEOUT) ?
8838 		  __le16_to_cpu(cp->timeout) : 0;
8839 
8840 	duration = (flags & MGMT_ADV_PARAM_DURATION) ?
8841 		   __le16_to_cpu(cp->duration) :
8842 		   hdev->def_multi_adv_rotation_duration;
8843 
8844 	min_interval = (flags & MGMT_ADV_PARAM_INTERVALS) ?
8845 		       __le32_to_cpu(cp->min_interval) :
8846 		       hdev->le_adv_min_interval;
8847 
8848 	max_interval = (flags & MGMT_ADV_PARAM_INTERVALS) ?
8849 		       __le32_to_cpu(cp->max_interval) :
8850 		       hdev->le_adv_max_interval;
8851 
8852 	tx_power = (flags & MGMT_ADV_PARAM_TX_POWER) ?
8853 		   cp->tx_power :
8854 		   HCI_ADV_TX_POWER_NO_PREFERENCE;
8855 
8856 	/* Create advertising instance with no advertising or response data */
8857 	adv = hci_add_adv_instance(hdev, cp->instance, flags, 0, NULL, 0, NULL,
8858 				   timeout, duration, tx_power, min_interval,
8859 				   max_interval, 0);
8860 
8861 	if (IS_ERR(adv)) {
8862 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
8863 				      MGMT_STATUS_FAILED);
8864 		goto unlock;
8865 	}
8866 
8867 	/* Submit request for advertising params if ext adv available */
8868 	if (ext_adv_capable(hdev)) {
8869 		cmd = mgmt_pending_new(sk, MGMT_OP_ADD_EXT_ADV_PARAMS, hdev,
8870 				       data, data_len);
8871 		if (!cmd) {
8872 			err = -ENOMEM;
8873 			hci_remove_adv_instance(hdev, cp->instance);
8874 			goto unlock;
8875 		}
8876 
8877 		err = hci_cmd_sync_queue(hdev, add_ext_adv_params_sync, cmd,
8878 					 add_ext_adv_params_complete);
8879 		if (err < 0)
8880 			mgmt_pending_free(cmd);
8881 	} else {
8882 		rp.instance = cp->instance;
8883 		rp.tx_power = HCI_ADV_TX_POWER_NO_PREFERENCE;
8884 		rp.max_adv_data_len = tlv_data_max_len(hdev, flags, true);
8885 		rp.max_scan_rsp_len = tlv_data_max_len(hdev, flags, false);
8886 		err = mgmt_cmd_complete(sk, hdev->id,
8887 					MGMT_OP_ADD_EXT_ADV_PARAMS,
8888 					MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
8889 	}
8890 
8891 unlock:
8892 	hci_dev_unlock(hdev);
8893 
8894 	return err;
8895 }
8896 
8897 static void add_ext_adv_data_complete(struct hci_dev *hdev, void *data, int err)
8898 {
8899 	struct mgmt_pending_cmd *cmd = data;
8900 	struct mgmt_cp_add_ext_adv_data *cp = cmd->param;
8901 	struct mgmt_rp_add_advertising rp;
8902 
8903 	add_adv_complete(hdev, cmd->sk, cp->instance, err);
8904 
8905 	memset(&rp, 0, sizeof(rp));
8906 
8907 	rp.instance = cp->instance;
8908 
8909 	if (err)
8910 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode,
8911 				mgmt_status(err));
8912 	else
8913 		mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
8914 				  mgmt_status(err), &rp, sizeof(rp));
8915 
8916 	mgmt_pending_free(cmd);
8917 }
8918 
8919 static int add_ext_adv_data_sync(struct hci_dev *hdev, void *data)
8920 {
8921 	struct mgmt_pending_cmd *cmd = data;
8922 	struct mgmt_cp_add_ext_adv_data *cp = cmd->param;
8923 	int err;
8924 
8925 	if (ext_adv_capable(hdev)) {
8926 		err = hci_update_adv_data_sync(hdev, cp->instance);
8927 		if (err)
8928 			return err;
8929 
8930 		err = hci_update_scan_rsp_data_sync(hdev, cp->instance);
8931 		if (err)
8932 			return err;
8933 
8934 		return hci_enable_ext_advertising_sync(hdev, cp->instance);
8935 	}
8936 
8937 	return hci_schedule_adv_instance_sync(hdev, cp->instance, true);
8938 }
8939 
8940 static int add_ext_adv_data(struct sock *sk, struct hci_dev *hdev, void *data,
8941 			    u16 data_len)
8942 {
8943 	struct mgmt_cp_add_ext_adv_data *cp = data;
8944 	struct mgmt_rp_add_ext_adv_data rp;
8945 	u8 schedule_instance = 0;
8946 	struct adv_info *next_instance;
8947 	struct adv_info *adv_instance;
8948 	int err = 0;
8949 	struct mgmt_pending_cmd *cmd;
8950 
8951 	BT_DBG("%s", hdev->name);
8952 
8953 	hci_dev_lock(hdev);
8954 
8955 	adv_instance = hci_find_adv_instance(hdev, cp->instance);
8956 
8957 	if (!adv_instance) {
8958 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
8959 				      MGMT_STATUS_INVALID_PARAMS);
8960 		goto unlock;
8961 	}
8962 
8963 	/* In new interface, we require that we are powered to register */
8964 	if (!hdev_is_powered(hdev)) {
8965 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
8966 				      MGMT_STATUS_REJECTED);
8967 		goto clear_new_instance;
8968 	}
8969 
8970 	if (adv_busy(hdev)) {
8971 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
8972 				      MGMT_STATUS_BUSY);
8973 		goto clear_new_instance;
8974 	}
8975 
8976 	/* Validate new data */
8977 	if (!tlv_data_is_valid(hdev, adv_instance->flags, cp->data,
8978 			       cp->adv_data_len, true) ||
8979 	    !tlv_data_is_valid(hdev, adv_instance->flags, cp->data +
8980 			       cp->adv_data_len, cp->scan_rsp_len, false)) {
8981 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
8982 				      MGMT_STATUS_INVALID_PARAMS);
8983 		goto clear_new_instance;
8984 	}
8985 
8986 	/* Set the data in the advertising instance */
8987 	hci_set_adv_instance_data(hdev, cp->instance, cp->adv_data_len,
8988 				  cp->data, cp->scan_rsp_len,
8989 				  cp->data + cp->adv_data_len);
8990 
8991 	/* If using software rotation, determine next instance to use */
8992 	if (hdev->cur_adv_instance == cp->instance) {
8993 		/* If the currently advertised instance is being changed
8994 		 * then cancel the current advertising and schedule the
8995 		 * next instance. If there is only one instance then the
8996 		 * overridden advertising data will be visible right
8997 		 * away
8998 		 */
8999 		cancel_adv_timeout(hdev);
9000 
9001 		next_instance = hci_get_next_instance(hdev, cp->instance);
9002 		if (next_instance)
9003 			schedule_instance = next_instance->instance;
9004 	} else if (!hdev->adv_instance_timeout) {
9005 		/* Immediately advertise the new instance if no other
9006 		 * instance is currently being advertised.
9007 		 */
9008 		schedule_instance = cp->instance;
9009 	}
9010 
9011 	/* If the HCI_ADVERTISING flag is set or there is no instance to
9012 	 * be advertised then we have no HCI communication to make.
9013 	 * Simply return.
9014 	 */
9015 	if (hci_dev_test_flag(hdev, HCI_ADVERTISING) || !schedule_instance) {
9016 		if (adv_instance->pending) {
9017 			mgmt_advertising_added(sk, hdev, cp->instance);
9018 			adv_instance->pending = false;
9019 		}
9020 		rp.instance = cp->instance;
9021 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
9022 					MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
9023 		goto unlock;
9024 	}
9025 
9026 	cmd = mgmt_pending_new(sk, MGMT_OP_ADD_EXT_ADV_DATA, hdev, data,
9027 			       data_len);
9028 	if (!cmd) {
9029 		err = -ENOMEM;
9030 		goto clear_new_instance;
9031 	}
9032 
9033 	err = hci_cmd_sync_queue(hdev, add_ext_adv_data_sync, cmd,
9034 				 add_ext_adv_data_complete);
9035 	if (err < 0) {
9036 		mgmt_pending_free(cmd);
9037 		goto clear_new_instance;
9038 	}
9039 
9040 	/* We were successful in updating data, so trigger advertising_added
9041 	 * event if this is an instance that wasn't previously advertising. If
9042 	 * a failure occurs in the requests we initiated, we will remove the
9043 	 * instance again in add_advertising_complete
9044 	 */
9045 	if (adv_instance->pending)
9046 		mgmt_advertising_added(sk, hdev, cp->instance);
9047 
9048 	goto unlock;
9049 
9050 clear_new_instance:
9051 	hci_remove_adv_instance(hdev, cp->instance);
9052 
9053 unlock:
9054 	hci_dev_unlock(hdev);
9055 
9056 	return err;
9057 }
9058 
9059 static void remove_advertising_complete(struct hci_dev *hdev, void *data,
9060 					int err)
9061 {
9062 	struct mgmt_pending_cmd *cmd = data;
9063 	struct mgmt_cp_remove_advertising *cp = cmd->param;
9064 	struct mgmt_rp_remove_advertising rp;
9065 
9066 	bt_dev_dbg(hdev, "err %d", err);
9067 
9068 	memset(&rp, 0, sizeof(rp));
9069 	rp.instance = cp->instance;
9070 
9071 	if (err)
9072 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode,
9073 				mgmt_status(err));
9074 	else
9075 		mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
9076 				  MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
9077 
9078 	mgmt_pending_free(cmd);
9079 }
9080 
9081 static int remove_advertising_sync(struct hci_dev *hdev, void *data)
9082 {
9083 	struct mgmt_pending_cmd *cmd = data;
9084 	struct mgmt_cp_remove_advertising *cp = cmd->param;
9085 	int err;
9086 
9087 	err = hci_remove_advertising_sync(hdev, cmd->sk, cp->instance, true);
9088 	if (err)
9089 		return err;
9090 
9091 	if (list_empty(&hdev->adv_instances))
9092 		err = hci_disable_advertising_sync(hdev);
9093 
9094 	return err;
9095 }
9096 
9097 static int remove_advertising(struct sock *sk, struct hci_dev *hdev,
9098 			      void *data, u16 data_len)
9099 {
9100 	struct mgmt_cp_remove_advertising *cp = data;
9101 	struct mgmt_pending_cmd *cmd;
9102 	int err;
9103 
9104 	bt_dev_dbg(hdev, "sock %p", sk);
9105 
9106 	hci_dev_lock(hdev);
9107 
9108 	if (cp->instance && !hci_find_adv_instance(hdev, cp->instance)) {
9109 		err = mgmt_cmd_status(sk, hdev->id,
9110 				      MGMT_OP_REMOVE_ADVERTISING,
9111 				      MGMT_STATUS_INVALID_PARAMS);
9112 		goto unlock;
9113 	}
9114 
9115 	if (pending_find(MGMT_OP_SET_LE, hdev)) {
9116 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_ADVERTISING,
9117 				      MGMT_STATUS_BUSY);
9118 		goto unlock;
9119 	}
9120 
9121 	if (list_empty(&hdev->adv_instances)) {
9122 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_ADVERTISING,
9123 				      MGMT_STATUS_INVALID_PARAMS);
9124 		goto unlock;
9125 	}
9126 
9127 	cmd = mgmt_pending_new(sk, MGMT_OP_REMOVE_ADVERTISING, hdev, data,
9128 			       data_len);
9129 	if (!cmd) {
9130 		err = -ENOMEM;
9131 		goto unlock;
9132 	}
9133 
9134 	err = hci_cmd_sync_queue(hdev, remove_advertising_sync, cmd,
9135 				 remove_advertising_complete);
9136 	if (err < 0)
9137 		mgmt_pending_free(cmd);
9138 
9139 unlock:
9140 	hci_dev_unlock(hdev);
9141 
9142 	return err;
9143 }
9144 
9145 static int get_adv_size_info(struct sock *sk, struct hci_dev *hdev,
9146 			     void *data, u16 data_len)
9147 {
9148 	struct mgmt_cp_get_adv_size_info *cp = data;
9149 	struct mgmt_rp_get_adv_size_info rp;
9150 	u32 flags, supported_flags;
9151 
9152 	bt_dev_dbg(hdev, "sock %p", sk);
9153 
9154 	if (!lmp_le_capable(hdev))
9155 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_GET_ADV_SIZE_INFO,
9156 				       MGMT_STATUS_REJECTED);
9157 
9158 	if (cp->instance < 1 || cp->instance > hdev->le_num_of_adv_sets)
9159 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_GET_ADV_SIZE_INFO,
9160 				       MGMT_STATUS_INVALID_PARAMS);
9161 
9162 	flags = __le32_to_cpu(cp->flags);
9163 
9164 	/* The current implementation only supports a subset of the specified
9165 	 * flags.
9166 	 */
9167 	supported_flags = get_supported_adv_flags(hdev);
9168 	if (flags & ~supported_flags)
9169 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_GET_ADV_SIZE_INFO,
9170 				       MGMT_STATUS_INVALID_PARAMS);
9171 
9172 	rp.instance = cp->instance;
9173 	rp.flags = cp->flags;
9174 	rp.max_adv_data_len = tlv_data_max_len(hdev, flags, true);
9175 	rp.max_scan_rsp_len = tlv_data_max_len(hdev, flags, false);
9176 
9177 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_ADV_SIZE_INFO,
9178 				 MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
9179 }
9180 
9181 static const struct hci_mgmt_handler mgmt_handlers[] = {
9182 	{ NULL }, /* 0x0000 (no command) */
9183 	{ read_version,            MGMT_READ_VERSION_SIZE,
9184 						HCI_MGMT_NO_HDEV |
9185 						HCI_MGMT_UNTRUSTED },
9186 	{ read_commands,           MGMT_READ_COMMANDS_SIZE,
9187 						HCI_MGMT_NO_HDEV |
9188 						HCI_MGMT_UNTRUSTED },
9189 	{ read_index_list,         MGMT_READ_INDEX_LIST_SIZE,
9190 						HCI_MGMT_NO_HDEV |
9191 						HCI_MGMT_UNTRUSTED },
9192 	{ read_controller_info,    MGMT_READ_INFO_SIZE,
9193 						HCI_MGMT_UNTRUSTED },
9194 	{ set_powered,             MGMT_SETTING_SIZE },
9195 	{ set_discoverable,        MGMT_SET_DISCOVERABLE_SIZE },
9196 	{ set_connectable,         MGMT_SETTING_SIZE },
9197 	{ set_fast_connectable,    MGMT_SETTING_SIZE },
9198 	{ set_bondable,            MGMT_SETTING_SIZE },
9199 	{ set_link_security,       MGMT_SETTING_SIZE },
9200 	{ set_ssp,                 MGMT_SETTING_SIZE },
9201 	{ set_hs,                  MGMT_SETTING_SIZE },
9202 	{ set_le,                  MGMT_SETTING_SIZE },
9203 	{ set_dev_class,           MGMT_SET_DEV_CLASS_SIZE },
9204 	{ set_local_name,          MGMT_SET_LOCAL_NAME_SIZE },
9205 	{ add_uuid,                MGMT_ADD_UUID_SIZE },
9206 	{ remove_uuid,             MGMT_REMOVE_UUID_SIZE },
9207 	{ load_link_keys,          MGMT_LOAD_LINK_KEYS_SIZE,
9208 						HCI_MGMT_VAR_LEN },
9209 	{ load_long_term_keys,     MGMT_LOAD_LONG_TERM_KEYS_SIZE,
9210 						HCI_MGMT_VAR_LEN },
9211 	{ disconnect,              MGMT_DISCONNECT_SIZE },
9212 	{ get_connections,         MGMT_GET_CONNECTIONS_SIZE },
9213 	{ pin_code_reply,          MGMT_PIN_CODE_REPLY_SIZE },
9214 	{ pin_code_neg_reply,      MGMT_PIN_CODE_NEG_REPLY_SIZE },
9215 	{ set_io_capability,       MGMT_SET_IO_CAPABILITY_SIZE },
9216 	{ pair_device,             MGMT_PAIR_DEVICE_SIZE },
9217 	{ cancel_pair_device,      MGMT_CANCEL_PAIR_DEVICE_SIZE },
9218 	{ unpair_device,           MGMT_UNPAIR_DEVICE_SIZE },
9219 	{ user_confirm_reply,      MGMT_USER_CONFIRM_REPLY_SIZE },
9220 	{ user_confirm_neg_reply,  MGMT_USER_CONFIRM_NEG_REPLY_SIZE },
9221 	{ user_passkey_reply,      MGMT_USER_PASSKEY_REPLY_SIZE },
9222 	{ user_passkey_neg_reply,  MGMT_USER_PASSKEY_NEG_REPLY_SIZE },
9223 	{ read_local_oob_data,     MGMT_READ_LOCAL_OOB_DATA_SIZE },
9224 	{ add_remote_oob_data,     MGMT_ADD_REMOTE_OOB_DATA_SIZE,
9225 						HCI_MGMT_VAR_LEN },
9226 	{ remove_remote_oob_data,  MGMT_REMOVE_REMOTE_OOB_DATA_SIZE },
9227 	{ start_discovery,         MGMT_START_DISCOVERY_SIZE },
9228 	{ stop_discovery,          MGMT_STOP_DISCOVERY_SIZE },
9229 	{ confirm_name,            MGMT_CONFIRM_NAME_SIZE },
9230 	{ block_device,            MGMT_BLOCK_DEVICE_SIZE },
9231 	{ unblock_device,          MGMT_UNBLOCK_DEVICE_SIZE },
9232 	{ set_device_id,           MGMT_SET_DEVICE_ID_SIZE },
9233 	{ set_advertising,         MGMT_SETTING_SIZE },
9234 	{ set_bredr,               MGMT_SETTING_SIZE },
9235 	{ set_static_address,      MGMT_SET_STATIC_ADDRESS_SIZE },
9236 	{ set_scan_params,         MGMT_SET_SCAN_PARAMS_SIZE },
9237 	{ set_secure_conn,         MGMT_SETTING_SIZE },
9238 	{ set_debug_keys,          MGMT_SETTING_SIZE },
9239 	{ set_privacy,             MGMT_SET_PRIVACY_SIZE },
9240 	{ load_irks,               MGMT_LOAD_IRKS_SIZE,
9241 						HCI_MGMT_VAR_LEN },
9242 	{ get_conn_info,           MGMT_GET_CONN_INFO_SIZE },
9243 	{ get_clock_info,          MGMT_GET_CLOCK_INFO_SIZE },
9244 	{ add_device,              MGMT_ADD_DEVICE_SIZE },
9245 	{ remove_device,           MGMT_REMOVE_DEVICE_SIZE },
9246 	{ load_conn_param,         MGMT_LOAD_CONN_PARAM_SIZE,
9247 						HCI_MGMT_VAR_LEN },
9248 	{ read_unconf_index_list,  MGMT_READ_UNCONF_INDEX_LIST_SIZE,
9249 						HCI_MGMT_NO_HDEV |
9250 						HCI_MGMT_UNTRUSTED },
9251 	{ read_config_info,        MGMT_READ_CONFIG_INFO_SIZE,
9252 						HCI_MGMT_UNCONFIGURED |
9253 						HCI_MGMT_UNTRUSTED },
9254 	{ set_external_config,     MGMT_SET_EXTERNAL_CONFIG_SIZE,
9255 						HCI_MGMT_UNCONFIGURED },
9256 	{ set_public_address,      MGMT_SET_PUBLIC_ADDRESS_SIZE,
9257 						HCI_MGMT_UNCONFIGURED },
9258 	{ start_service_discovery, MGMT_START_SERVICE_DISCOVERY_SIZE,
9259 						HCI_MGMT_VAR_LEN },
9260 	{ read_local_oob_ext_data, MGMT_READ_LOCAL_OOB_EXT_DATA_SIZE },
9261 	{ read_ext_index_list,     MGMT_READ_EXT_INDEX_LIST_SIZE,
9262 						HCI_MGMT_NO_HDEV |
9263 						HCI_MGMT_UNTRUSTED },
9264 	{ read_adv_features,       MGMT_READ_ADV_FEATURES_SIZE },
9265 	{ add_advertising,	   MGMT_ADD_ADVERTISING_SIZE,
9266 						HCI_MGMT_VAR_LEN },
9267 	{ remove_advertising,	   MGMT_REMOVE_ADVERTISING_SIZE },
9268 	{ get_adv_size_info,       MGMT_GET_ADV_SIZE_INFO_SIZE },
9269 	{ start_limited_discovery, MGMT_START_DISCOVERY_SIZE },
9270 	{ read_ext_controller_info,MGMT_READ_EXT_INFO_SIZE,
9271 						HCI_MGMT_UNTRUSTED },
9272 	{ set_appearance,	   MGMT_SET_APPEARANCE_SIZE },
9273 	{ get_phy_configuration,   MGMT_GET_PHY_CONFIGURATION_SIZE },
9274 	{ set_phy_configuration,   MGMT_SET_PHY_CONFIGURATION_SIZE },
9275 	{ set_blocked_keys,	   MGMT_OP_SET_BLOCKED_KEYS_SIZE,
9276 						HCI_MGMT_VAR_LEN },
9277 	{ set_wideband_speech,	   MGMT_SETTING_SIZE },
9278 	{ read_controller_cap,     MGMT_READ_CONTROLLER_CAP_SIZE,
9279 						HCI_MGMT_UNTRUSTED },
9280 	{ read_exp_features_info,  MGMT_READ_EXP_FEATURES_INFO_SIZE,
9281 						HCI_MGMT_UNTRUSTED |
9282 						HCI_MGMT_HDEV_OPTIONAL },
9283 	{ set_exp_feature,         MGMT_SET_EXP_FEATURE_SIZE,
9284 						HCI_MGMT_VAR_LEN |
9285 						HCI_MGMT_HDEV_OPTIONAL },
9286 	{ read_def_system_config,  MGMT_READ_DEF_SYSTEM_CONFIG_SIZE,
9287 						HCI_MGMT_UNTRUSTED },
9288 	{ set_def_system_config,   MGMT_SET_DEF_SYSTEM_CONFIG_SIZE,
9289 						HCI_MGMT_VAR_LEN },
9290 	{ read_def_runtime_config, MGMT_READ_DEF_RUNTIME_CONFIG_SIZE,
9291 						HCI_MGMT_UNTRUSTED },
9292 	{ set_def_runtime_config,  MGMT_SET_DEF_RUNTIME_CONFIG_SIZE,
9293 						HCI_MGMT_VAR_LEN },
9294 	{ get_device_flags,        MGMT_GET_DEVICE_FLAGS_SIZE },
9295 	{ set_device_flags,        MGMT_SET_DEVICE_FLAGS_SIZE },
9296 	{ read_adv_mon_features,   MGMT_READ_ADV_MONITOR_FEATURES_SIZE },
9297 	{ add_adv_patterns_monitor,MGMT_ADD_ADV_PATTERNS_MONITOR_SIZE,
9298 						HCI_MGMT_VAR_LEN },
9299 	{ remove_adv_monitor,      MGMT_REMOVE_ADV_MONITOR_SIZE },
9300 	{ add_ext_adv_params,      MGMT_ADD_EXT_ADV_PARAMS_MIN_SIZE,
9301 						HCI_MGMT_VAR_LEN },
9302 	{ add_ext_adv_data,        MGMT_ADD_EXT_ADV_DATA_SIZE,
9303 						HCI_MGMT_VAR_LEN },
9304 	{ add_adv_patterns_monitor_rssi,
9305 				   MGMT_ADD_ADV_PATTERNS_MONITOR_RSSI_SIZE,
9306 						HCI_MGMT_VAR_LEN },
9307 	{ set_mesh,                MGMT_SET_MESH_RECEIVER_SIZE,
9308 						HCI_MGMT_VAR_LEN },
9309 	{ mesh_features,           MGMT_MESH_READ_FEATURES_SIZE },
9310 	{ mesh_send,               MGMT_MESH_SEND_SIZE,
9311 						HCI_MGMT_VAR_LEN },
9312 	{ mesh_send_cancel,        MGMT_MESH_SEND_CANCEL_SIZE },
9313 };
9314 
9315 void mgmt_index_added(struct hci_dev *hdev)
9316 {
9317 	struct mgmt_ev_ext_index ev;
9318 
9319 	if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
9320 		return;
9321 
9322 	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
9323 		mgmt_index_event(MGMT_EV_UNCONF_INDEX_ADDED, hdev, NULL, 0,
9324 				 HCI_MGMT_UNCONF_INDEX_EVENTS);
9325 		ev.type = 0x01;
9326 	} else {
9327 		mgmt_index_event(MGMT_EV_INDEX_ADDED, hdev, NULL, 0,
9328 				 HCI_MGMT_INDEX_EVENTS);
9329 		ev.type = 0x00;
9330 	}
9331 
9332 	ev.bus = hdev->bus;
9333 
9334 	mgmt_index_event(MGMT_EV_EXT_INDEX_ADDED, hdev, &ev, sizeof(ev),
9335 			 HCI_MGMT_EXT_INDEX_EVENTS);
9336 }
9337 
9338 void mgmt_index_removed(struct hci_dev *hdev)
9339 {
9340 	struct mgmt_ev_ext_index ev;
9341 	u8 status = MGMT_STATUS_INVALID_INDEX;
9342 
9343 	if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
9344 		return;
9345 
9346 	mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &status);
9347 
9348 	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
9349 		mgmt_index_event(MGMT_EV_UNCONF_INDEX_REMOVED, hdev, NULL, 0,
9350 				 HCI_MGMT_UNCONF_INDEX_EVENTS);
9351 		ev.type = 0x01;
9352 	} else {
9353 		mgmt_index_event(MGMT_EV_INDEX_REMOVED, hdev, NULL, 0,
9354 				 HCI_MGMT_INDEX_EVENTS);
9355 		ev.type = 0x00;
9356 	}
9357 
9358 	ev.bus = hdev->bus;
9359 
9360 	mgmt_index_event(MGMT_EV_EXT_INDEX_REMOVED, hdev, &ev, sizeof(ev),
9361 			 HCI_MGMT_EXT_INDEX_EVENTS);
9362 
9363 	/* Cancel any remaining timed work */
9364 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
9365 		return;
9366 	cancel_delayed_work_sync(&hdev->discov_off);
9367 	cancel_delayed_work_sync(&hdev->service_cache);
9368 	cancel_delayed_work_sync(&hdev->rpa_expired);
9369 }
9370 
9371 void mgmt_power_on(struct hci_dev *hdev, int err)
9372 {
9373 	struct cmd_lookup match = { NULL, hdev };
9374 
9375 	bt_dev_dbg(hdev, "err %d", err);
9376 
9377 	hci_dev_lock(hdev);
9378 
9379 	if (!err) {
9380 		restart_le_actions(hdev);
9381 		hci_update_passive_scan(hdev);
9382 	}
9383 
9384 	mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp, &match);
9385 
9386 	new_settings(hdev, match.sk);
9387 
9388 	if (match.sk)
9389 		sock_put(match.sk);
9390 
9391 	hci_dev_unlock(hdev);
9392 }
9393 
9394 void __mgmt_power_off(struct hci_dev *hdev)
9395 {
9396 	struct cmd_lookup match = { NULL, hdev };
9397 	u8 status, zero_cod[] = { 0, 0, 0 };
9398 
9399 	mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp, &match);
9400 
9401 	/* If the power off is because of hdev unregistration let
9402 	 * use the appropriate INVALID_INDEX status. Otherwise use
9403 	 * NOT_POWERED. We cover both scenarios here since later in
9404 	 * mgmt_index_removed() any hci_conn callbacks will have already
9405 	 * been triggered, potentially causing misleading DISCONNECTED
9406 	 * status responses.
9407 	 */
9408 	if (hci_dev_test_flag(hdev, HCI_UNREGISTER))
9409 		status = MGMT_STATUS_INVALID_INDEX;
9410 	else
9411 		status = MGMT_STATUS_NOT_POWERED;
9412 
9413 	mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &status);
9414 
9415 	if (memcmp(hdev->dev_class, zero_cod, sizeof(zero_cod)) != 0) {
9416 		mgmt_limited_event(MGMT_EV_CLASS_OF_DEV_CHANGED, hdev,
9417 				   zero_cod, sizeof(zero_cod),
9418 				   HCI_MGMT_DEV_CLASS_EVENTS, NULL);
9419 		ext_info_changed(hdev, NULL);
9420 	}
9421 
9422 	new_settings(hdev, match.sk);
9423 
9424 	if (match.sk)
9425 		sock_put(match.sk);
9426 }
9427 
9428 void mgmt_set_powered_failed(struct hci_dev *hdev, int err)
9429 {
9430 	struct mgmt_pending_cmd *cmd;
9431 	u8 status;
9432 
9433 	cmd = pending_find(MGMT_OP_SET_POWERED, hdev);
9434 	if (!cmd)
9435 		return;
9436 
9437 	if (err == -ERFKILL)
9438 		status = MGMT_STATUS_RFKILLED;
9439 	else
9440 		status = MGMT_STATUS_FAILED;
9441 
9442 	mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_POWERED, status);
9443 
9444 	mgmt_pending_remove(cmd);
9445 }
9446 
9447 void mgmt_new_link_key(struct hci_dev *hdev, struct link_key *key,
9448 		       bool persistent)
9449 {
9450 	struct mgmt_ev_new_link_key ev;
9451 
9452 	memset(&ev, 0, sizeof(ev));
9453 
9454 	ev.store_hint = persistent;
9455 	bacpy(&ev.key.addr.bdaddr, &key->bdaddr);
9456 	ev.key.addr.type = link_to_bdaddr(key->link_type, key->bdaddr_type);
9457 	ev.key.type = key->type;
9458 	memcpy(ev.key.val, key->val, HCI_LINK_KEY_SIZE);
9459 	ev.key.pin_len = key->pin_len;
9460 
9461 	mgmt_event(MGMT_EV_NEW_LINK_KEY, hdev, &ev, sizeof(ev), NULL);
9462 }
9463 
9464 static u8 mgmt_ltk_type(struct smp_ltk *ltk)
9465 {
9466 	switch (ltk->type) {
9467 	case SMP_LTK:
9468 	case SMP_LTK_RESPONDER:
9469 		if (ltk->authenticated)
9470 			return MGMT_LTK_AUTHENTICATED;
9471 		return MGMT_LTK_UNAUTHENTICATED;
9472 	case SMP_LTK_P256:
9473 		if (ltk->authenticated)
9474 			return MGMT_LTK_P256_AUTH;
9475 		return MGMT_LTK_P256_UNAUTH;
9476 	case SMP_LTK_P256_DEBUG:
9477 		return MGMT_LTK_P256_DEBUG;
9478 	}
9479 
9480 	return MGMT_LTK_UNAUTHENTICATED;
9481 }
9482 
9483 void mgmt_new_ltk(struct hci_dev *hdev, struct smp_ltk *key, bool persistent)
9484 {
9485 	struct mgmt_ev_new_long_term_key ev;
9486 
9487 	memset(&ev, 0, sizeof(ev));
9488 
9489 	/* Devices using resolvable or non-resolvable random addresses
9490 	 * without providing an identity resolving key don't require
9491 	 * to store long term keys. Their addresses will change the
9492 	 * next time around.
9493 	 *
9494 	 * Only when a remote device provides an identity address
9495 	 * make sure the long term key is stored. If the remote
9496 	 * identity is known, the long term keys are internally
9497 	 * mapped to the identity address. So allow static random
9498 	 * and public addresses here.
9499 	 */
9500 	if (key->bdaddr_type == ADDR_LE_DEV_RANDOM &&
9501 	    (key->bdaddr.b[5] & 0xc0) != 0xc0)
9502 		ev.store_hint = 0x00;
9503 	else
9504 		ev.store_hint = persistent;
9505 
9506 	bacpy(&ev.key.addr.bdaddr, &key->bdaddr);
9507 	ev.key.addr.type = link_to_bdaddr(key->link_type, key->bdaddr_type);
9508 	ev.key.type = mgmt_ltk_type(key);
9509 	ev.key.enc_size = key->enc_size;
9510 	ev.key.ediv = key->ediv;
9511 	ev.key.rand = key->rand;
9512 
9513 	if (key->type == SMP_LTK)
9514 		ev.key.initiator = 1;
9515 
9516 	/* Make sure we copy only the significant bytes based on the
9517 	 * encryption key size, and set the rest of the value to zeroes.
9518 	 */
9519 	memcpy(ev.key.val, key->val, key->enc_size);
9520 	memset(ev.key.val + key->enc_size, 0,
9521 	       sizeof(ev.key.val) - key->enc_size);
9522 
9523 	mgmt_event(MGMT_EV_NEW_LONG_TERM_KEY, hdev, &ev, sizeof(ev), NULL);
9524 }
9525 
9526 void mgmt_new_irk(struct hci_dev *hdev, struct smp_irk *irk, bool persistent)
9527 {
9528 	struct mgmt_ev_new_irk ev;
9529 
9530 	memset(&ev, 0, sizeof(ev));
9531 
9532 	ev.store_hint = persistent;
9533 
9534 	bacpy(&ev.rpa, &irk->rpa);
9535 	bacpy(&ev.irk.addr.bdaddr, &irk->bdaddr);
9536 	ev.irk.addr.type = link_to_bdaddr(irk->link_type, irk->addr_type);
9537 	memcpy(ev.irk.val, irk->val, sizeof(irk->val));
9538 
9539 	mgmt_event(MGMT_EV_NEW_IRK, hdev, &ev, sizeof(ev), NULL);
9540 }
9541 
9542 void mgmt_new_csrk(struct hci_dev *hdev, struct smp_csrk *csrk,
9543 		   bool persistent)
9544 {
9545 	struct mgmt_ev_new_csrk ev;
9546 
9547 	memset(&ev, 0, sizeof(ev));
9548 
9549 	/* Devices using resolvable or non-resolvable random addresses
9550 	 * without providing an identity resolving key don't require
9551 	 * to store signature resolving keys. Their addresses will change
9552 	 * the next time around.
9553 	 *
9554 	 * Only when a remote device provides an identity address
9555 	 * make sure the signature resolving key is stored. So allow
9556 	 * static random and public addresses here.
9557 	 */
9558 	if (csrk->bdaddr_type == ADDR_LE_DEV_RANDOM &&
9559 	    (csrk->bdaddr.b[5] & 0xc0) != 0xc0)
9560 		ev.store_hint = 0x00;
9561 	else
9562 		ev.store_hint = persistent;
9563 
9564 	bacpy(&ev.key.addr.bdaddr, &csrk->bdaddr);
9565 	ev.key.addr.type = link_to_bdaddr(csrk->link_type, csrk->bdaddr_type);
9566 	ev.key.type = csrk->type;
9567 	memcpy(ev.key.val, csrk->val, sizeof(csrk->val));
9568 
9569 	mgmt_event(MGMT_EV_NEW_CSRK, hdev, &ev, sizeof(ev), NULL);
9570 }
9571 
9572 void mgmt_new_conn_param(struct hci_dev *hdev, bdaddr_t *bdaddr,
9573 			 u8 bdaddr_type, u8 store_hint, u16 min_interval,
9574 			 u16 max_interval, u16 latency, u16 timeout)
9575 {
9576 	struct mgmt_ev_new_conn_param ev;
9577 
9578 	if (!hci_is_identity_address(bdaddr, bdaddr_type))
9579 		return;
9580 
9581 	memset(&ev, 0, sizeof(ev));
9582 	bacpy(&ev.addr.bdaddr, bdaddr);
9583 	ev.addr.type = link_to_bdaddr(LE_LINK, bdaddr_type);
9584 	ev.store_hint = store_hint;
9585 	ev.min_interval = cpu_to_le16(min_interval);
9586 	ev.max_interval = cpu_to_le16(max_interval);
9587 	ev.latency = cpu_to_le16(latency);
9588 	ev.timeout = cpu_to_le16(timeout);
9589 
9590 	mgmt_event(MGMT_EV_NEW_CONN_PARAM, hdev, &ev, sizeof(ev), NULL);
9591 }
9592 
9593 void mgmt_device_connected(struct hci_dev *hdev, struct hci_conn *conn,
9594 			   u8 *name, u8 name_len)
9595 {
9596 	struct sk_buff *skb;
9597 	struct mgmt_ev_device_connected *ev;
9598 	u16 eir_len = 0;
9599 	u32 flags = 0;
9600 
9601 	if (test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
9602 		return;
9603 
9604 	/* allocate buff for LE or BR/EDR adv */
9605 	if (conn->le_adv_data_len > 0)
9606 		skb = mgmt_alloc_skb(hdev, MGMT_EV_DEVICE_CONNECTED,
9607 				     sizeof(*ev) + conn->le_adv_data_len);
9608 	else
9609 		skb = mgmt_alloc_skb(hdev, MGMT_EV_DEVICE_CONNECTED,
9610 				     sizeof(*ev) + (name ? eir_precalc_len(name_len) : 0) +
9611 				     eir_precalc_len(sizeof(conn->dev_class)));
9612 
9613 	ev = skb_put(skb, sizeof(*ev));
9614 	bacpy(&ev->addr.bdaddr, &conn->dst);
9615 	ev->addr.type = link_to_bdaddr(conn->type, conn->dst_type);
9616 
9617 	if (conn->out)
9618 		flags |= MGMT_DEV_FOUND_INITIATED_CONN;
9619 
9620 	ev->flags = __cpu_to_le32(flags);
9621 
9622 	/* We must ensure that the EIR Data fields are ordered and
9623 	 * unique. Keep it simple for now and avoid the problem by not
9624 	 * adding any BR/EDR data to the LE adv.
9625 	 */
9626 	if (conn->le_adv_data_len > 0) {
9627 		skb_put_data(skb, conn->le_adv_data, conn->le_adv_data_len);
9628 		eir_len = conn->le_adv_data_len;
9629 	} else {
9630 		if (name)
9631 			eir_len += eir_skb_put_data(skb, EIR_NAME_COMPLETE, name, name_len);
9632 
9633 		if (memcmp(conn->dev_class, "\0\0\0", sizeof(conn->dev_class)))
9634 			eir_len += eir_skb_put_data(skb, EIR_CLASS_OF_DEV,
9635 						    conn->dev_class, sizeof(conn->dev_class));
9636 	}
9637 
9638 	ev->eir_len = cpu_to_le16(eir_len);
9639 
9640 	mgmt_event_skb(skb, NULL);
9641 }
9642 
9643 static void disconnect_rsp(struct mgmt_pending_cmd *cmd, void *data)
9644 {
9645 	struct sock **sk = data;
9646 
9647 	cmd->cmd_complete(cmd, 0);
9648 
9649 	*sk = cmd->sk;
9650 	sock_hold(*sk);
9651 
9652 	mgmt_pending_remove(cmd);
9653 }
9654 
9655 static void unpair_device_rsp(struct mgmt_pending_cmd *cmd, void *data)
9656 {
9657 	struct hci_dev *hdev = data;
9658 	struct mgmt_cp_unpair_device *cp = cmd->param;
9659 
9660 	device_unpaired(hdev, &cp->addr.bdaddr, cp->addr.type, cmd->sk);
9661 
9662 	cmd->cmd_complete(cmd, 0);
9663 	mgmt_pending_remove(cmd);
9664 }
9665 
9666 bool mgmt_powering_down(struct hci_dev *hdev)
9667 {
9668 	struct mgmt_pending_cmd *cmd;
9669 	struct mgmt_mode *cp;
9670 
9671 	if (hci_dev_test_flag(hdev, HCI_POWERING_DOWN))
9672 		return true;
9673 
9674 	cmd = pending_find(MGMT_OP_SET_POWERED, hdev);
9675 	if (!cmd)
9676 		return false;
9677 
9678 	cp = cmd->param;
9679 	if (!cp->val)
9680 		return true;
9681 
9682 	return false;
9683 }
9684 
9685 void mgmt_device_disconnected(struct hci_dev *hdev, bdaddr_t *bdaddr,
9686 			      u8 link_type, u8 addr_type, u8 reason,
9687 			      bool mgmt_connected)
9688 {
9689 	struct mgmt_ev_device_disconnected ev;
9690 	struct sock *sk = NULL;
9691 
9692 	if (!mgmt_connected)
9693 		return;
9694 
9695 	if (link_type != ACL_LINK && link_type != LE_LINK)
9696 		return;
9697 
9698 	mgmt_pending_foreach(MGMT_OP_DISCONNECT, hdev, disconnect_rsp, &sk);
9699 
9700 	bacpy(&ev.addr.bdaddr, bdaddr);
9701 	ev.addr.type = link_to_bdaddr(link_type, addr_type);
9702 	ev.reason = reason;
9703 
9704 	/* Report disconnects due to suspend */
9705 	if (hdev->suspended)
9706 		ev.reason = MGMT_DEV_DISCONN_LOCAL_HOST_SUSPEND;
9707 
9708 	mgmt_event(MGMT_EV_DEVICE_DISCONNECTED, hdev, &ev, sizeof(ev), sk);
9709 
9710 	if (sk)
9711 		sock_put(sk);
9712 
9713 	mgmt_pending_foreach(MGMT_OP_UNPAIR_DEVICE, hdev, unpair_device_rsp,
9714 			     hdev);
9715 }
9716 
9717 void mgmt_disconnect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr,
9718 			    u8 link_type, u8 addr_type, u8 status)
9719 {
9720 	u8 bdaddr_type = link_to_bdaddr(link_type, addr_type);
9721 	struct mgmt_cp_disconnect *cp;
9722 	struct mgmt_pending_cmd *cmd;
9723 
9724 	mgmt_pending_foreach(MGMT_OP_UNPAIR_DEVICE, hdev, unpair_device_rsp,
9725 			     hdev);
9726 
9727 	cmd = pending_find(MGMT_OP_DISCONNECT, hdev);
9728 	if (!cmd)
9729 		return;
9730 
9731 	cp = cmd->param;
9732 
9733 	if (bacmp(bdaddr, &cp->addr.bdaddr))
9734 		return;
9735 
9736 	if (cp->addr.type != bdaddr_type)
9737 		return;
9738 
9739 	cmd->cmd_complete(cmd, mgmt_status(status));
9740 	mgmt_pending_remove(cmd);
9741 }
9742 
9743 void mgmt_connect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
9744 			 u8 addr_type, u8 status)
9745 {
9746 	struct mgmt_ev_connect_failed ev;
9747 
9748 	bacpy(&ev.addr.bdaddr, bdaddr);
9749 	ev.addr.type = link_to_bdaddr(link_type, addr_type);
9750 	ev.status = mgmt_status(status);
9751 
9752 	mgmt_event(MGMT_EV_CONNECT_FAILED, hdev, &ev, sizeof(ev), NULL);
9753 }
9754 
9755 void mgmt_pin_code_request(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 secure)
9756 {
9757 	struct mgmt_ev_pin_code_request ev;
9758 
9759 	bacpy(&ev.addr.bdaddr, bdaddr);
9760 	ev.addr.type = BDADDR_BREDR;
9761 	ev.secure = secure;
9762 
9763 	mgmt_event(MGMT_EV_PIN_CODE_REQUEST, hdev, &ev, sizeof(ev), NULL);
9764 }
9765 
9766 void mgmt_pin_code_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9767 				  u8 status)
9768 {
9769 	struct mgmt_pending_cmd *cmd;
9770 
9771 	cmd = pending_find(MGMT_OP_PIN_CODE_REPLY, hdev);
9772 	if (!cmd)
9773 		return;
9774 
9775 	cmd->cmd_complete(cmd, mgmt_status(status));
9776 	mgmt_pending_remove(cmd);
9777 }
9778 
9779 void mgmt_pin_code_neg_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9780 				      u8 status)
9781 {
9782 	struct mgmt_pending_cmd *cmd;
9783 
9784 	cmd = pending_find(MGMT_OP_PIN_CODE_NEG_REPLY, hdev);
9785 	if (!cmd)
9786 		return;
9787 
9788 	cmd->cmd_complete(cmd, mgmt_status(status));
9789 	mgmt_pending_remove(cmd);
9790 }
9791 
9792 int mgmt_user_confirm_request(struct hci_dev *hdev, bdaddr_t *bdaddr,
9793 			      u8 link_type, u8 addr_type, u32 value,
9794 			      u8 confirm_hint)
9795 {
9796 	struct mgmt_ev_user_confirm_request ev;
9797 
9798 	bt_dev_dbg(hdev, "bdaddr %pMR", bdaddr);
9799 
9800 	bacpy(&ev.addr.bdaddr, bdaddr);
9801 	ev.addr.type = link_to_bdaddr(link_type, addr_type);
9802 	ev.confirm_hint = confirm_hint;
9803 	ev.value = cpu_to_le32(value);
9804 
9805 	return mgmt_event(MGMT_EV_USER_CONFIRM_REQUEST, hdev, &ev, sizeof(ev),
9806 			  NULL);
9807 }
9808 
9809 int mgmt_user_passkey_request(struct hci_dev *hdev, bdaddr_t *bdaddr,
9810 			      u8 link_type, u8 addr_type)
9811 {
9812 	struct mgmt_ev_user_passkey_request ev;
9813 
9814 	bt_dev_dbg(hdev, "bdaddr %pMR", bdaddr);
9815 
9816 	bacpy(&ev.addr.bdaddr, bdaddr);
9817 	ev.addr.type = link_to_bdaddr(link_type, addr_type);
9818 
9819 	return mgmt_event(MGMT_EV_USER_PASSKEY_REQUEST, hdev, &ev, sizeof(ev),
9820 			  NULL);
9821 }
9822 
9823 static int user_pairing_resp_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9824 				      u8 link_type, u8 addr_type, u8 status,
9825 				      u8 opcode)
9826 {
9827 	struct mgmt_pending_cmd *cmd;
9828 
9829 	cmd = pending_find(opcode, hdev);
9830 	if (!cmd)
9831 		return -ENOENT;
9832 
9833 	cmd->cmd_complete(cmd, mgmt_status(status));
9834 	mgmt_pending_remove(cmd);
9835 
9836 	return 0;
9837 }
9838 
9839 int mgmt_user_confirm_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9840 				     u8 link_type, u8 addr_type, u8 status)
9841 {
9842 	return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
9843 					  status, MGMT_OP_USER_CONFIRM_REPLY);
9844 }
9845 
9846 int mgmt_user_confirm_neg_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9847 					 u8 link_type, u8 addr_type, u8 status)
9848 {
9849 	return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
9850 					  status,
9851 					  MGMT_OP_USER_CONFIRM_NEG_REPLY);
9852 }
9853 
9854 int mgmt_user_passkey_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9855 				     u8 link_type, u8 addr_type, u8 status)
9856 {
9857 	return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
9858 					  status, MGMT_OP_USER_PASSKEY_REPLY);
9859 }
9860 
9861 int mgmt_user_passkey_neg_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9862 					 u8 link_type, u8 addr_type, u8 status)
9863 {
9864 	return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
9865 					  status,
9866 					  MGMT_OP_USER_PASSKEY_NEG_REPLY);
9867 }
9868 
9869 int mgmt_user_passkey_notify(struct hci_dev *hdev, bdaddr_t *bdaddr,
9870 			     u8 link_type, u8 addr_type, u32 passkey,
9871 			     u8 entered)
9872 {
9873 	struct mgmt_ev_passkey_notify ev;
9874 
9875 	bt_dev_dbg(hdev, "bdaddr %pMR", bdaddr);
9876 
9877 	bacpy(&ev.addr.bdaddr, bdaddr);
9878 	ev.addr.type = link_to_bdaddr(link_type, addr_type);
9879 	ev.passkey = __cpu_to_le32(passkey);
9880 	ev.entered = entered;
9881 
9882 	return mgmt_event(MGMT_EV_PASSKEY_NOTIFY, hdev, &ev, sizeof(ev), NULL);
9883 }
9884 
9885 void mgmt_auth_failed(struct hci_conn *conn, u8 hci_status)
9886 {
9887 	struct mgmt_ev_auth_failed ev;
9888 	struct mgmt_pending_cmd *cmd;
9889 	u8 status = mgmt_status(hci_status);
9890 
9891 	bacpy(&ev.addr.bdaddr, &conn->dst);
9892 	ev.addr.type = link_to_bdaddr(conn->type, conn->dst_type);
9893 	ev.status = status;
9894 
9895 	cmd = find_pairing(conn);
9896 
9897 	mgmt_event(MGMT_EV_AUTH_FAILED, conn->hdev, &ev, sizeof(ev),
9898 		    cmd ? cmd->sk : NULL);
9899 
9900 	if (cmd) {
9901 		cmd->cmd_complete(cmd, status);
9902 		mgmt_pending_remove(cmd);
9903 	}
9904 }
9905 
9906 void mgmt_auth_enable_complete(struct hci_dev *hdev, u8 status)
9907 {
9908 	struct cmd_lookup match = { NULL, hdev };
9909 	bool changed;
9910 
9911 	if (status) {
9912 		u8 mgmt_err = mgmt_status(status);
9913 		mgmt_pending_foreach(MGMT_OP_SET_LINK_SECURITY, hdev,
9914 				     cmd_status_rsp, &mgmt_err);
9915 		return;
9916 	}
9917 
9918 	if (test_bit(HCI_AUTH, &hdev->flags))
9919 		changed = !hci_dev_test_and_set_flag(hdev, HCI_LINK_SECURITY);
9920 	else
9921 		changed = hci_dev_test_and_clear_flag(hdev, HCI_LINK_SECURITY);
9922 
9923 	mgmt_pending_foreach(MGMT_OP_SET_LINK_SECURITY, hdev, settings_rsp,
9924 			     &match);
9925 
9926 	if (changed)
9927 		new_settings(hdev, match.sk);
9928 
9929 	if (match.sk)
9930 		sock_put(match.sk);
9931 }
9932 
9933 static void sk_lookup(struct mgmt_pending_cmd *cmd, void *data)
9934 {
9935 	struct cmd_lookup *match = data;
9936 
9937 	if (match->sk == NULL) {
9938 		match->sk = cmd->sk;
9939 		sock_hold(match->sk);
9940 	}
9941 }
9942 
9943 void mgmt_set_class_of_dev_complete(struct hci_dev *hdev, u8 *dev_class,
9944 				    u8 status)
9945 {
9946 	struct cmd_lookup match = { NULL, hdev, mgmt_status(status) };
9947 
9948 	mgmt_pending_foreach(MGMT_OP_SET_DEV_CLASS, hdev, sk_lookup, &match);
9949 	mgmt_pending_foreach(MGMT_OP_ADD_UUID, hdev, sk_lookup, &match);
9950 	mgmt_pending_foreach(MGMT_OP_REMOVE_UUID, hdev, sk_lookup, &match);
9951 
9952 	if (!status) {
9953 		mgmt_limited_event(MGMT_EV_CLASS_OF_DEV_CHANGED, hdev, dev_class,
9954 				   3, HCI_MGMT_DEV_CLASS_EVENTS, NULL);
9955 		ext_info_changed(hdev, NULL);
9956 	}
9957 
9958 	if (match.sk)
9959 		sock_put(match.sk);
9960 }
9961 
9962 void mgmt_set_local_name_complete(struct hci_dev *hdev, u8 *name, u8 status)
9963 {
9964 	struct mgmt_cp_set_local_name ev;
9965 	struct mgmt_pending_cmd *cmd;
9966 
9967 	if (status)
9968 		return;
9969 
9970 	memset(&ev, 0, sizeof(ev));
9971 	memcpy(ev.name, name, HCI_MAX_NAME_LENGTH);
9972 	memcpy(ev.short_name, hdev->short_name, HCI_MAX_SHORT_NAME_LENGTH);
9973 
9974 	cmd = pending_find(MGMT_OP_SET_LOCAL_NAME, hdev);
9975 	if (!cmd) {
9976 		memcpy(hdev->dev_name, name, sizeof(hdev->dev_name));
9977 
9978 		/* If this is a HCI command related to powering on the
9979 		 * HCI dev don't send any mgmt signals.
9980 		 */
9981 		if (hci_dev_test_flag(hdev, HCI_POWERING_DOWN))
9982 			return;
9983 
9984 		if (pending_find(MGMT_OP_SET_POWERED, hdev))
9985 			return;
9986 	}
9987 
9988 	mgmt_limited_event(MGMT_EV_LOCAL_NAME_CHANGED, hdev, &ev, sizeof(ev),
9989 			   HCI_MGMT_LOCAL_NAME_EVENTS, cmd ? cmd->sk : NULL);
9990 	ext_info_changed(hdev, cmd ? cmd->sk : NULL);
9991 }
9992 
9993 static inline bool has_uuid(u8 *uuid, u16 uuid_count, u8 (*uuids)[16])
9994 {
9995 	int i;
9996 
9997 	for (i = 0; i < uuid_count; i++) {
9998 		if (!memcmp(uuid, uuids[i], 16))
9999 			return true;
10000 	}
10001 
10002 	return false;
10003 }
10004 
10005 static bool eir_has_uuids(u8 *eir, u16 eir_len, u16 uuid_count, u8 (*uuids)[16])
10006 {
10007 	u16 parsed = 0;
10008 
10009 	while (parsed < eir_len) {
10010 		u8 field_len = eir[0];
10011 		u8 uuid[16];
10012 		int i;
10013 
10014 		if (field_len == 0)
10015 			break;
10016 
10017 		if (eir_len - parsed < field_len + 1)
10018 			break;
10019 
10020 		switch (eir[1]) {
10021 		case EIR_UUID16_ALL:
10022 		case EIR_UUID16_SOME:
10023 			for (i = 0; i + 3 <= field_len; i += 2) {
10024 				memcpy(uuid, bluetooth_base_uuid, 16);
10025 				uuid[13] = eir[i + 3];
10026 				uuid[12] = eir[i + 2];
10027 				if (has_uuid(uuid, uuid_count, uuids))
10028 					return true;
10029 			}
10030 			break;
10031 		case EIR_UUID32_ALL:
10032 		case EIR_UUID32_SOME:
10033 			for (i = 0; i + 5 <= field_len; i += 4) {
10034 				memcpy(uuid, bluetooth_base_uuid, 16);
10035 				uuid[15] = eir[i + 5];
10036 				uuid[14] = eir[i + 4];
10037 				uuid[13] = eir[i + 3];
10038 				uuid[12] = eir[i + 2];
10039 				if (has_uuid(uuid, uuid_count, uuids))
10040 					return true;
10041 			}
10042 			break;
10043 		case EIR_UUID128_ALL:
10044 		case EIR_UUID128_SOME:
10045 			for (i = 0; i + 17 <= field_len; i += 16) {
10046 				memcpy(uuid, eir + i + 2, 16);
10047 				if (has_uuid(uuid, uuid_count, uuids))
10048 					return true;
10049 			}
10050 			break;
10051 		}
10052 
10053 		parsed += field_len + 1;
10054 		eir += field_len + 1;
10055 	}
10056 
10057 	return false;
10058 }
10059 
10060 static bool is_filter_match(struct hci_dev *hdev, s8 rssi, u8 *eir,
10061 			    u16 eir_len, u8 *scan_rsp, u8 scan_rsp_len)
10062 {
10063 	/* If a RSSI threshold has been specified, and
10064 	 * HCI_QUIRK_STRICT_DUPLICATE_FILTER is not set, then all results with
10065 	 * a RSSI smaller than the RSSI threshold will be dropped. If the quirk
10066 	 * is set, let it through for further processing, as we might need to
10067 	 * restart the scan.
10068 	 *
10069 	 * For BR/EDR devices (pre 1.2) providing no RSSI during inquiry,
10070 	 * the results are also dropped.
10071 	 */
10072 	if (hdev->discovery.rssi != HCI_RSSI_INVALID &&
10073 	    (rssi == HCI_RSSI_INVALID ||
10074 	    (rssi < hdev->discovery.rssi &&
10075 	     !test_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks))))
10076 		return  false;
10077 
10078 	if (hdev->discovery.uuid_count != 0) {
10079 		/* If a list of UUIDs is provided in filter, results with no
10080 		 * matching UUID should be dropped.
10081 		 */
10082 		if (!eir_has_uuids(eir, eir_len, hdev->discovery.uuid_count,
10083 				   hdev->discovery.uuids) &&
10084 		    !eir_has_uuids(scan_rsp, scan_rsp_len,
10085 				   hdev->discovery.uuid_count,
10086 				   hdev->discovery.uuids))
10087 			return false;
10088 	}
10089 
10090 	/* If duplicate filtering does not report RSSI changes, then restart
10091 	 * scanning to ensure updated result with updated RSSI values.
10092 	 */
10093 	if (test_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks)) {
10094 		/* Validate RSSI value against the RSSI threshold once more. */
10095 		if (hdev->discovery.rssi != HCI_RSSI_INVALID &&
10096 		    rssi < hdev->discovery.rssi)
10097 			return false;
10098 	}
10099 
10100 	return true;
10101 }
10102 
10103 void mgmt_adv_monitor_device_lost(struct hci_dev *hdev, u16 handle,
10104 				  bdaddr_t *bdaddr, u8 addr_type)
10105 {
10106 	struct mgmt_ev_adv_monitor_device_lost ev;
10107 
10108 	ev.monitor_handle = cpu_to_le16(handle);
10109 	bacpy(&ev.addr.bdaddr, bdaddr);
10110 	ev.addr.type = addr_type;
10111 
10112 	mgmt_event(MGMT_EV_ADV_MONITOR_DEVICE_LOST, hdev, &ev, sizeof(ev),
10113 		   NULL);
10114 }
10115 
10116 static void mgmt_send_adv_monitor_device_found(struct hci_dev *hdev,
10117 					       struct sk_buff *skb,
10118 					       struct sock *skip_sk,
10119 					       u16 handle)
10120 {
10121 	struct sk_buff *advmon_skb;
10122 	size_t advmon_skb_len;
10123 	__le16 *monitor_handle;
10124 
10125 	if (!skb)
10126 		return;
10127 
10128 	advmon_skb_len = (sizeof(struct mgmt_ev_adv_monitor_device_found) -
10129 			  sizeof(struct mgmt_ev_device_found)) + skb->len;
10130 	advmon_skb = mgmt_alloc_skb(hdev, MGMT_EV_ADV_MONITOR_DEVICE_FOUND,
10131 				    advmon_skb_len);
10132 	if (!advmon_skb)
10133 		return;
10134 
10135 	/* ADV_MONITOR_DEVICE_FOUND is similar to DEVICE_FOUND event except
10136 	 * that it also has 'monitor_handle'. Make a copy of DEVICE_FOUND and
10137 	 * store monitor_handle of the matched monitor.
10138 	 */
10139 	monitor_handle = skb_put(advmon_skb, sizeof(*monitor_handle));
10140 	*monitor_handle = cpu_to_le16(handle);
10141 	skb_put_data(advmon_skb, skb->data, skb->len);
10142 
10143 	mgmt_event_skb(advmon_skb, skip_sk);
10144 }
10145 
10146 static void mgmt_adv_monitor_device_found(struct hci_dev *hdev,
10147 					  bdaddr_t *bdaddr, bool report_device,
10148 					  struct sk_buff *skb,
10149 					  struct sock *skip_sk)
10150 {
10151 	struct monitored_device *dev, *tmp;
10152 	bool matched = false;
10153 	bool notified = false;
10154 
10155 	/* We have received the Advertisement Report because:
10156 	 * 1. the kernel has initiated active discovery
10157 	 * 2. if not, we have pend_le_reports > 0 in which case we are doing
10158 	 *    passive scanning
10159 	 * 3. if none of the above is true, we have one or more active
10160 	 *    Advertisement Monitor
10161 	 *
10162 	 * For case 1 and 2, report all advertisements via MGMT_EV_DEVICE_FOUND
10163 	 * and report ONLY one advertisement per device for the matched Monitor
10164 	 * via MGMT_EV_ADV_MONITOR_DEVICE_FOUND event.
10165 	 *
10166 	 * For case 3, since we are not active scanning and all advertisements
10167 	 * received are due to a matched Advertisement Monitor, report all
10168 	 * advertisements ONLY via MGMT_EV_ADV_MONITOR_DEVICE_FOUND event.
10169 	 */
10170 	if (report_device && !hdev->advmon_pend_notify) {
10171 		mgmt_event_skb(skb, skip_sk);
10172 		return;
10173 	}
10174 
10175 	hdev->advmon_pend_notify = false;
10176 
10177 	list_for_each_entry_safe(dev, tmp, &hdev->monitored_devices, list) {
10178 		if (!bacmp(&dev->bdaddr, bdaddr)) {
10179 			matched = true;
10180 
10181 			if (!dev->notified) {
10182 				mgmt_send_adv_monitor_device_found(hdev, skb,
10183 								   skip_sk,
10184 								   dev->handle);
10185 				notified = true;
10186 				dev->notified = true;
10187 			}
10188 		}
10189 
10190 		if (!dev->notified)
10191 			hdev->advmon_pend_notify = true;
10192 	}
10193 
10194 	if (!report_device &&
10195 	    ((matched && !notified) || !msft_monitor_supported(hdev))) {
10196 		/* Handle 0 indicates that we are not active scanning and this
10197 		 * is a subsequent advertisement report for an already matched
10198 		 * Advertisement Monitor or the controller offloading support
10199 		 * is not available.
10200 		 */
10201 		mgmt_send_adv_monitor_device_found(hdev, skb, skip_sk, 0);
10202 	}
10203 
10204 	if (report_device)
10205 		mgmt_event_skb(skb, skip_sk);
10206 	else
10207 		kfree_skb(skb);
10208 }
10209 
10210 static void mesh_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr,
10211 			      u8 addr_type, s8 rssi, u32 flags, u8 *eir,
10212 			      u16 eir_len, u8 *scan_rsp, u8 scan_rsp_len,
10213 			      u64 instant)
10214 {
10215 	struct sk_buff *skb;
10216 	struct mgmt_ev_mesh_device_found *ev;
10217 	int i, j;
10218 
10219 	if (!hdev->mesh_ad_types[0])
10220 		goto accepted;
10221 
10222 	/* Scan for requested AD types */
10223 	if (eir_len > 0) {
10224 		for (i = 0; i + 1 < eir_len; i += eir[i] + 1) {
10225 			for (j = 0; j < sizeof(hdev->mesh_ad_types); j++) {
10226 				if (!hdev->mesh_ad_types[j])
10227 					break;
10228 
10229 				if (hdev->mesh_ad_types[j] == eir[i + 1])
10230 					goto accepted;
10231 			}
10232 		}
10233 	}
10234 
10235 	if (scan_rsp_len > 0) {
10236 		for (i = 0; i + 1 < scan_rsp_len; i += scan_rsp[i] + 1) {
10237 			for (j = 0; j < sizeof(hdev->mesh_ad_types); j++) {
10238 				if (!hdev->mesh_ad_types[j])
10239 					break;
10240 
10241 				if (hdev->mesh_ad_types[j] == scan_rsp[i + 1])
10242 					goto accepted;
10243 			}
10244 		}
10245 	}
10246 
10247 	return;
10248 
10249 accepted:
10250 	skb = mgmt_alloc_skb(hdev, MGMT_EV_MESH_DEVICE_FOUND,
10251 			     sizeof(*ev) + eir_len + scan_rsp_len);
10252 	if (!skb)
10253 		return;
10254 
10255 	ev = skb_put(skb, sizeof(*ev));
10256 
10257 	bacpy(&ev->addr.bdaddr, bdaddr);
10258 	ev->addr.type = link_to_bdaddr(LE_LINK, addr_type);
10259 	ev->rssi = rssi;
10260 	ev->flags = cpu_to_le32(flags);
10261 	ev->instant = cpu_to_le64(instant);
10262 
10263 	if (eir_len > 0)
10264 		/* Copy EIR or advertising data into event */
10265 		skb_put_data(skb, eir, eir_len);
10266 
10267 	if (scan_rsp_len > 0)
10268 		/* Append scan response data to event */
10269 		skb_put_data(skb, scan_rsp, scan_rsp_len);
10270 
10271 	ev->eir_len = cpu_to_le16(eir_len + scan_rsp_len);
10272 
10273 	mgmt_event_skb(skb, NULL);
10274 }
10275 
10276 void mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
10277 		       u8 addr_type, u8 *dev_class, s8 rssi, u32 flags,
10278 		       u8 *eir, u16 eir_len, u8 *scan_rsp, u8 scan_rsp_len,
10279 		       u64 instant)
10280 {
10281 	struct sk_buff *skb;
10282 	struct mgmt_ev_device_found *ev;
10283 	bool report_device = hci_discovery_active(hdev);
10284 
10285 	if (hci_dev_test_flag(hdev, HCI_MESH) && link_type == LE_LINK)
10286 		mesh_device_found(hdev, bdaddr, addr_type, rssi, flags,
10287 				  eir, eir_len, scan_rsp, scan_rsp_len,
10288 				  instant);
10289 
10290 	/* Don't send events for a non-kernel initiated discovery. With
10291 	 * LE one exception is if we have pend_le_reports > 0 in which
10292 	 * case we're doing passive scanning and want these events.
10293 	 */
10294 	if (!hci_discovery_active(hdev)) {
10295 		if (link_type == ACL_LINK)
10296 			return;
10297 		if (link_type == LE_LINK && !list_empty(&hdev->pend_le_reports))
10298 			report_device = true;
10299 		else if (!hci_is_adv_monitoring(hdev))
10300 			return;
10301 	}
10302 
10303 	if (hdev->discovery.result_filtering) {
10304 		/* We are using service discovery */
10305 		if (!is_filter_match(hdev, rssi, eir, eir_len, scan_rsp,
10306 				     scan_rsp_len))
10307 			return;
10308 	}
10309 
10310 	if (hdev->discovery.limited) {
10311 		/* Check for limited discoverable bit */
10312 		if (dev_class) {
10313 			if (!(dev_class[1] & 0x20))
10314 				return;
10315 		} else {
10316 			u8 *flags = eir_get_data(eir, eir_len, EIR_FLAGS, NULL);
10317 			if (!flags || !(flags[0] & LE_AD_LIMITED))
10318 				return;
10319 		}
10320 	}
10321 
10322 	/* Allocate skb. The 5 extra bytes are for the potential CoD field */
10323 	skb = mgmt_alloc_skb(hdev, MGMT_EV_DEVICE_FOUND,
10324 			     sizeof(*ev) + eir_len + scan_rsp_len + 5);
10325 	if (!skb)
10326 		return;
10327 
10328 	ev = skb_put(skb, sizeof(*ev));
10329 
10330 	/* In case of device discovery with BR/EDR devices (pre 1.2), the
10331 	 * RSSI value was reported as 0 when not available. This behavior
10332 	 * is kept when using device discovery. This is required for full
10333 	 * backwards compatibility with the API.
10334 	 *
10335 	 * However when using service discovery, the value 127 will be
10336 	 * returned when the RSSI is not available.
10337 	 */
10338 	if (rssi == HCI_RSSI_INVALID && !hdev->discovery.report_invalid_rssi &&
10339 	    link_type == ACL_LINK)
10340 		rssi = 0;
10341 
10342 	bacpy(&ev->addr.bdaddr, bdaddr);
10343 	ev->addr.type = link_to_bdaddr(link_type, addr_type);
10344 	ev->rssi = rssi;
10345 	ev->flags = cpu_to_le32(flags);
10346 
10347 	if (eir_len > 0)
10348 		/* Copy EIR or advertising data into event */
10349 		skb_put_data(skb, eir, eir_len);
10350 
10351 	if (dev_class && !eir_get_data(eir, eir_len, EIR_CLASS_OF_DEV, NULL)) {
10352 		u8 eir_cod[5];
10353 
10354 		eir_len += eir_append_data(eir_cod, 0, EIR_CLASS_OF_DEV,
10355 					   dev_class, 3);
10356 		skb_put_data(skb, eir_cod, sizeof(eir_cod));
10357 	}
10358 
10359 	if (scan_rsp_len > 0)
10360 		/* Append scan response data to event */
10361 		skb_put_data(skb, scan_rsp, scan_rsp_len);
10362 
10363 	ev->eir_len = cpu_to_le16(eir_len + scan_rsp_len);
10364 
10365 	mgmt_adv_monitor_device_found(hdev, bdaddr, report_device, skb, NULL);
10366 }
10367 
10368 void mgmt_remote_name(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
10369 		      u8 addr_type, s8 rssi, u8 *name, u8 name_len)
10370 {
10371 	struct sk_buff *skb;
10372 	struct mgmt_ev_device_found *ev;
10373 	u16 eir_len = 0;
10374 	u32 flags = 0;
10375 
10376 	skb = mgmt_alloc_skb(hdev, MGMT_EV_DEVICE_FOUND,
10377 			     sizeof(*ev) + (name ? eir_precalc_len(name_len) : 0));
10378 
10379 	ev = skb_put(skb, sizeof(*ev));
10380 	bacpy(&ev->addr.bdaddr, bdaddr);
10381 	ev->addr.type = link_to_bdaddr(link_type, addr_type);
10382 	ev->rssi = rssi;
10383 
10384 	if (name)
10385 		eir_len += eir_skb_put_data(skb, EIR_NAME_COMPLETE, name, name_len);
10386 	else
10387 		flags = MGMT_DEV_FOUND_NAME_REQUEST_FAILED;
10388 
10389 	ev->eir_len = cpu_to_le16(eir_len);
10390 	ev->flags = cpu_to_le32(flags);
10391 
10392 	mgmt_event_skb(skb, NULL);
10393 }
10394 
10395 void mgmt_discovering(struct hci_dev *hdev, u8 discovering)
10396 {
10397 	struct mgmt_ev_discovering ev;
10398 
10399 	bt_dev_dbg(hdev, "discovering %u", discovering);
10400 
10401 	memset(&ev, 0, sizeof(ev));
10402 	ev.type = hdev->discovery.type;
10403 	ev.discovering = discovering;
10404 
10405 	mgmt_event(MGMT_EV_DISCOVERING, hdev, &ev, sizeof(ev), NULL);
10406 }
10407 
10408 void mgmt_suspending(struct hci_dev *hdev, u8 state)
10409 {
10410 	struct mgmt_ev_controller_suspend ev;
10411 
10412 	ev.suspend_state = state;
10413 	mgmt_event(MGMT_EV_CONTROLLER_SUSPEND, hdev, &ev, sizeof(ev), NULL);
10414 }
10415 
10416 void mgmt_resuming(struct hci_dev *hdev, u8 reason, bdaddr_t *bdaddr,
10417 		   u8 addr_type)
10418 {
10419 	struct mgmt_ev_controller_resume ev;
10420 
10421 	ev.wake_reason = reason;
10422 	if (bdaddr) {
10423 		bacpy(&ev.addr.bdaddr, bdaddr);
10424 		ev.addr.type = addr_type;
10425 	} else {
10426 		memset(&ev.addr, 0, sizeof(ev.addr));
10427 	}
10428 
10429 	mgmt_event(MGMT_EV_CONTROLLER_RESUME, hdev, &ev, sizeof(ev), NULL);
10430 }
10431 
10432 static struct hci_mgmt_chan chan = {
10433 	.channel	= HCI_CHANNEL_CONTROL,
10434 	.handler_count	= ARRAY_SIZE(mgmt_handlers),
10435 	.handlers	= mgmt_handlers,
10436 	.hdev_init	= mgmt_init_hdev,
10437 };
10438 
10439 int mgmt_init(void)
10440 {
10441 	return hci_mgmt_chan_register(&chan);
10442 }
10443 
10444 void mgmt_exit(void)
10445 {
10446 	hci_mgmt_chan_unregister(&chan);
10447 }
10448 
10449 void mgmt_cleanup(struct sock *sk)
10450 {
10451 	struct mgmt_mesh_tx *mesh_tx;
10452 	struct hci_dev *hdev;
10453 
10454 	read_lock(&hci_dev_list_lock);
10455 
10456 	list_for_each_entry(hdev, &hci_dev_list, list) {
10457 		do {
10458 			mesh_tx = mgmt_mesh_next(hdev, sk);
10459 
10460 			if (mesh_tx)
10461 				mesh_send_complete(hdev, mesh_tx, true);
10462 		} while (mesh_tx);
10463 	}
10464 
10465 	read_unlock(&hci_dev_list_lock);
10466 }
10467