Merge tag 'for-linus' of https://github.com/openrisc/linux
[platform/kernel/linux-starfive.git] / net / bluetooth / mgmt.c
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3
4    Copyright (C) 2010  Nokia Corporation
5    Copyright (C) 2011-2012 Intel Corporation
6
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License version 2 as
9    published by the Free Software Foundation;
10
11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19
20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22    SOFTWARE IS DISCLAIMED.
23 */
24
25 /* Bluetooth HCI Management interface */
26
27 #include <linux/module.h>
28 #include <asm/unaligned.h>
29
30 #include <net/bluetooth/bluetooth.h>
31 #include <net/bluetooth/hci_core.h>
32 #include <net/bluetooth/hci_sock.h>
33 #include <net/bluetooth/l2cap.h>
34 #include <net/bluetooth/mgmt.h>
35
36 #include "hci_request.h"
37 #include "smp.h"
38 #include "mgmt_util.h"
39 #include "mgmt_config.h"
40 #include "msft.h"
41 #include "eir.h"
42 #include "aosp.h"
43
44 #define MGMT_VERSION    1
45 #define MGMT_REVISION   22
46
47 static const u16 mgmt_commands[] = {
48         MGMT_OP_READ_INDEX_LIST,
49         MGMT_OP_READ_INFO,
50         MGMT_OP_SET_POWERED,
51         MGMT_OP_SET_DISCOVERABLE,
52         MGMT_OP_SET_CONNECTABLE,
53         MGMT_OP_SET_FAST_CONNECTABLE,
54         MGMT_OP_SET_BONDABLE,
55         MGMT_OP_SET_LINK_SECURITY,
56         MGMT_OP_SET_SSP,
57         MGMT_OP_SET_HS,
58         MGMT_OP_SET_LE,
59         MGMT_OP_SET_DEV_CLASS,
60         MGMT_OP_SET_LOCAL_NAME,
61         MGMT_OP_ADD_UUID,
62         MGMT_OP_REMOVE_UUID,
63         MGMT_OP_LOAD_LINK_KEYS,
64         MGMT_OP_LOAD_LONG_TERM_KEYS,
65         MGMT_OP_DISCONNECT,
66         MGMT_OP_GET_CONNECTIONS,
67         MGMT_OP_PIN_CODE_REPLY,
68         MGMT_OP_PIN_CODE_NEG_REPLY,
69         MGMT_OP_SET_IO_CAPABILITY,
70         MGMT_OP_PAIR_DEVICE,
71         MGMT_OP_CANCEL_PAIR_DEVICE,
72         MGMT_OP_UNPAIR_DEVICE,
73         MGMT_OP_USER_CONFIRM_REPLY,
74         MGMT_OP_USER_CONFIRM_NEG_REPLY,
75         MGMT_OP_USER_PASSKEY_REPLY,
76         MGMT_OP_USER_PASSKEY_NEG_REPLY,
77         MGMT_OP_READ_LOCAL_OOB_DATA,
78         MGMT_OP_ADD_REMOTE_OOB_DATA,
79         MGMT_OP_REMOVE_REMOTE_OOB_DATA,
80         MGMT_OP_START_DISCOVERY,
81         MGMT_OP_STOP_DISCOVERY,
82         MGMT_OP_CONFIRM_NAME,
83         MGMT_OP_BLOCK_DEVICE,
84         MGMT_OP_UNBLOCK_DEVICE,
85         MGMT_OP_SET_DEVICE_ID,
86         MGMT_OP_SET_ADVERTISING,
87         MGMT_OP_SET_BREDR,
88         MGMT_OP_SET_STATIC_ADDRESS,
89         MGMT_OP_SET_SCAN_PARAMS,
90         MGMT_OP_SET_SECURE_CONN,
91         MGMT_OP_SET_DEBUG_KEYS,
92         MGMT_OP_SET_PRIVACY,
93         MGMT_OP_LOAD_IRKS,
94         MGMT_OP_GET_CONN_INFO,
95         MGMT_OP_GET_CLOCK_INFO,
96         MGMT_OP_ADD_DEVICE,
97         MGMT_OP_REMOVE_DEVICE,
98         MGMT_OP_LOAD_CONN_PARAM,
99         MGMT_OP_READ_UNCONF_INDEX_LIST,
100         MGMT_OP_READ_CONFIG_INFO,
101         MGMT_OP_SET_EXTERNAL_CONFIG,
102         MGMT_OP_SET_PUBLIC_ADDRESS,
103         MGMT_OP_START_SERVICE_DISCOVERY,
104         MGMT_OP_READ_LOCAL_OOB_EXT_DATA,
105         MGMT_OP_READ_EXT_INDEX_LIST,
106         MGMT_OP_READ_ADV_FEATURES,
107         MGMT_OP_ADD_ADVERTISING,
108         MGMT_OP_REMOVE_ADVERTISING,
109         MGMT_OP_GET_ADV_SIZE_INFO,
110         MGMT_OP_START_LIMITED_DISCOVERY,
111         MGMT_OP_READ_EXT_INFO,
112         MGMT_OP_SET_APPEARANCE,
113         MGMT_OP_GET_PHY_CONFIGURATION,
114         MGMT_OP_SET_PHY_CONFIGURATION,
115         MGMT_OP_SET_BLOCKED_KEYS,
116         MGMT_OP_SET_WIDEBAND_SPEECH,
117         MGMT_OP_READ_CONTROLLER_CAP,
118         MGMT_OP_READ_EXP_FEATURES_INFO,
119         MGMT_OP_SET_EXP_FEATURE,
120         MGMT_OP_READ_DEF_SYSTEM_CONFIG,
121         MGMT_OP_SET_DEF_SYSTEM_CONFIG,
122         MGMT_OP_READ_DEF_RUNTIME_CONFIG,
123         MGMT_OP_SET_DEF_RUNTIME_CONFIG,
124         MGMT_OP_GET_DEVICE_FLAGS,
125         MGMT_OP_SET_DEVICE_FLAGS,
126         MGMT_OP_READ_ADV_MONITOR_FEATURES,
127         MGMT_OP_ADD_ADV_PATTERNS_MONITOR,
128         MGMT_OP_REMOVE_ADV_MONITOR,
129         MGMT_OP_ADD_EXT_ADV_PARAMS,
130         MGMT_OP_ADD_EXT_ADV_DATA,
131         MGMT_OP_ADD_ADV_PATTERNS_MONITOR_RSSI,
132         MGMT_OP_SET_MESH_RECEIVER,
133         MGMT_OP_MESH_READ_FEATURES,
134         MGMT_OP_MESH_SEND,
135         MGMT_OP_MESH_SEND_CANCEL,
136 };
137
138 static const u16 mgmt_events[] = {
139         MGMT_EV_CONTROLLER_ERROR,
140         MGMT_EV_INDEX_ADDED,
141         MGMT_EV_INDEX_REMOVED,
142         MGMT_EV_NEW_SETTINGS,
143         MGMT_EV_CLASS_OF_DEV_CHANGED,
144         MGMT_EV_LOCAL_NAME_CHANGED,
145         MGMT_EV_NEW_LINK_KEY,
146         MGMT_EV_NEW_LONG_TERM_KEY,
147         MGMT_EV_DEVICE_CONNECTED,
148         MGMT_EV_DEVICE_DISCONNECTED,
149         MGMT_EV_CONNECT_FAILED,
150         MGMT_EV_PIN_CODE_REQUEST,
151         MGMT_EV_USER_CONFIRM_REQUEST,
152         MGMT_EV_USER_PASSKEY_REQUEST,
153         MGMT_EV_AUTH_FAILED,
154         MGMT_EV_DEVICE_FOUND,
155         MGMT_EV_DISCOVERING,
156         MGMT_EV_DEVICE_BLOCKED,
157         MGMT_EV_DEVICE_UNBLOCKED,
158         MGMT_EV_DEVICE_UNPAIRED,
159         MGMT_EV_PASSKEY_NOTIFY,
160         MGMT_EV_NEW_IRK,
161         MGMT_EV_NEW_CSRK,
162         MGMT_EV_DEVICE_ADDED,
163         MGMT_EV_DEVICE_REMOVED,
164         MGMT_EV_NEW_CONN_PARAM,
165         MGMT_EV_UNCONF_INDEX_ADDED,
166         MGMT_EV_UNCONF_INDEX_REMOVED,
167         MGMT_EV_NEW_CONFIG_OPTIONS,
168         MGMT_EV_EXT_INDEX_ADDED,
169         MGMT_EV_EXT_INDEX_REMOVED,
170         MGMT_EV_LOCAL_OOB_DATA_UPDATED,
171         MGMT_EV_ADVERTISING_ADDED,
172         MGMT_EV_ADVERTISING_REMOVED,
173         MGMT_EV_EXT_INFO_CHANGED,
174         MGMT_EV_PHY_CONFIGURATION_CHANGED,
175         MGMT_EV_EXP_FEATURE_CHANGED,
176         MGMT_EV_DEVICE_FLAGS_CHANGED,
177         MGMT_EV_ADV_MONITOR_ADDED,
178         MGMT_EV_ADV_MONITOR_REMOVED,
179         MGMT_EV_CONTROLLER_SUSPEND,
180         MGMT_EV_CONTROLLER_RESUME,
181         MGMT_EV_ADV_MONITOR_DEVICE_FOUND,
182         MGMT_EV_ADV_MONITOR_DEVICE_LOST,
183 };
184
185 static const u16 mgmt_untrusted_commands[] = {
186         MGMT_OP_READ_INDEX_LIST,
187         MGMT_OP_READ_INFO,
188         MGMT_OP_READ_UNCONF_INDEX_LIST,
189         MGMT_OP_READ_CONFIG_INFO,
190         MGMT_OP_READ_EXT_INDEX_LIST,
191         MGMT_OP_READ_EXT_INFO,
192         MGMT_OP_READ_CONTROLLER_CAP,
193         MGMT_OP_READ_EXP_FEATURES_INFO,
194         MGMT_OP_READ_DEF_SYSTEM_CONFIG,
195         MGMT_OP_READ_DEF_RUNTIME_CONFIG,
196 };
197
198 static const u16 mgmt_untrusted_events[] = {
199         MGMT_EV_INDEX_ADDED,
200         MGMT_EV_INDEX_REMOVED,
201         MGMT_EV_NEW_SETTINGS,
202         MGMT_EV_CLASS_OF_DEV_CHANGED,
203         MGMT_EV_LOCAL_NAME_CHANGED,
204         MGMT_EV_UNCONF_INDEX_ADDED,
205         MGMT_EV_UNCONF_INDEX_REMOVED,
206         MGMT_EV_NEW_CONFIG_OPTIONS,
207         MGMT_EV_EXT_INDEX_ADDED,
208         MGMT_EV_EXT_INDEX_REMOVED,
209         MGMT_EV_EXT_INFO_CHANGED,
210         MGMT_EV_EXP_FEATURE_CHANGED,
211 };
212
213 #define CACHE_TIMEOUT   msecs_to_jiffies(2 * 1000)
214
215 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
216                  "\x00\x00\x00\x00\x00\x00\x00\x00"
217
218 /* HCI to MGMT error code conversion table */
219 static const u8 mgmt_status_table[] = {
220         MGMT_STATUS_SUCCESS,
221         MGMT_STATUS_UNKNOWN_COMMAND,    /* Unknown Command */
222         MGMT_STATUS_NOT_CONNECTED,      /* No Connection */
223         MGMT_STATUS_FAILED,             /* Hardware Failure */
224         MGMT_STATUS_CONNECT_FAILED,     /* Page Timeout */
225         MGMT_STATUS_AUTH_FAILED,        /* Authentication Failed */
226         MGMT_STATUS_AUTH_FAILED,        /* PIN or Key Missing */
227         MGMT_STATUS_NO_RESOURCES,       /* Memory Full */
228         MGMT_STATUS_TIMEOUT,            /* Connection Timeout */
229         MGMT_STATUS_NO_RESOURCES,       /* Max Number of Connections */
230         MGMT_STATUS_NO_RESOURCES,       /* Max Number of SCO Connections */
231         MGMT_STATUS_ALREADY_CONNECTED,  /* ACL Connection Exists */
232         MGMT_STATUS_BUSY,               /* Command Disallowed */
233         MGMT_STATUS_NO_RESOURCES,       /* Rejected Limited Resources */
234         MGMT_STATUS_REJECTED,           /* Rejected Security */
235         MGMT_STATUS_REJECTED,           /* Rejected Personal */
236         MGMT_STATUS_TIMEOUT,            /* Host Timeout */
237         MGMT_STATUS_NOT_SUPPORTED,      /* Unsupported Feature */
238         MGMT_STATUS_INVALID_PARAMS,     /* Invalid Parameters */
239         MGMT_STATUS_DISCONNECTED,       /* OE User Ended Connection */
240         MGMT_STATUS_NO_RESOURCES,       /* OE Low Resources */
241         MGMT_STATUS_DISCONNECTED,       /* OE Power Off */
242         MGMT_STATUS_DISCONNECTED,       /* Connection Terminated */
243         MGMT_STATUS_BUSY,               /* Repeated Attempts */
244         MGMT_STATUS_REJECTED,           /* Pairing Not Allowed */
245         MGMT_STATUS_FAILED,             /* Unknown LMP PDU */
246         MGMT_STATUS_NOT_SUPPORTED,      /* Unsupported Remote Feature */
247         MGMT_STATUS_REJECTED,           /* SCO Offset Rejected */
248         MGMT_STATUS_REJECTED,           /* SCO Interval Rejected */
249         MGMT_STATUS_REJECTED,           /* Air Mode Rejected */
250         MGMT_STATUS_INVALID_PARAMS,     /* Invalid LMP Parameters */
251         MGMT_STATUS_FAILED,             /* Unspecified Error */
252         MGMT_STATUS_NOT_SUPPORTED,      /* Unsupported LMP Parameter Value */
253         MGMT_STATUS_FAILED,             /* Role Change Not Allowed */
254         MGMT_STATUS_TIMEOUT,            /* LMP Response Timeout */
255         MGMT_STATUS_FAILED,             /* LMP Error Transaction Collision */
256         MGMT_STATUS_FAILED,             /* LMP PDU Not Allowed */
257         MGMT_STATUS_REJECTED,           /* Encryption Mode Not Accepted */
258         MGMT_STATUS_FAILED,             /* Unit Link Key Used */
259         MGMT_STATUS_NOT_SUPPORTED,      /* QoS Not Supported */
260         MGMT_STATUS_TIMEOUT,            /* Instant Passed */
261         MGMT_STATUS_NOT_SUPPORTED,      /* Pairing Not Supported */
262         MGMT_STATUS_FAILED,             /* Transaction Collision */
263         MGMT_STATUS_FAILED,             /* Reserved for future use */
264         MGMT_STATUS_INVALID_PARAMS,     /* Unacceptable Parameter */
265         MGMT_STATUS_REJECTED,           /* QoS Rejected */
266         MGMT_STATUS_NOT_SUPPORTED,      /* Classification Not Supported */
267         MGMT_STATUS_REJECTED,           /* Insufficient Security */
268         MGMT_STATUS_INVALID_PARAMS,     /* Parameter Out Of Range */
269         MGMT_STATUS_FAILED,             /* Reserved for future use */
270         MGMT_STATUS_BUSY,               /* Role Switch Pending */
271         MGMT_STATUS_FAILED,             /* Reserved for future use */
272         MGMT_STATUS_FAILED,             /* Slot Violation */
273         MGMT_STATUS_FAILED,             /* Role Switch Failed */
274         MGMT_STATUS_INVALID_PARAMS,     /* EIR Too Large */
275         MGMT_STATUS_NOT_SUPPORTED,      /* Simple Pairing Not Supported */
276         MGMT_STATUS_BUSY,               /* Host Busy Pairing */
277         MGMT_STATUS_REJECTED,           /* Rejected, No Suitable Channel */
278         MGMT_STATUS_BUSY,               /* Controller Busy */
279         MGMT_STATUS_INVALID_PARAMS,     /* Unsuitable Connection Interval */
280         MGMT_STATUS_TIMEOUT,            /* Directed Advertising Timeout */
281         MGMT_STATUS_AUTH_FAILED,        /* Terminated Due to MIC Failure */
282         MGMT_STATUS_CONNECT_FAILED,     /* Connection Establishment Failed */
283         MGMT_STATUS_CONNECT_FAILED,     /* MAC Connection Failed */
284 };
285
286 static u8 mgmt_errno_status(int err)
287 {
288         switch (err) {
289         case 0:
290                 return MGMT_STATUS_SUCCESS;
291         case -EPERM:
292                 return MGMT_STATUS_REJECTED;
293         case -EINVAL:
294                 return MGMT_STATUS_INVALID_PARAMS;
295         case -EOPNOTSUPP:
296                 return MGMT_STATUS_NOT_SUPPORTED;
297         case -EBUSY:
298                 return MGMT_STATUS_BUSY;
299         case -ETIMEDOUT:
300                 return MGMT_STATUS_AUTH_FAILED;
301         case -ENOMEM:
302                 return MGMT_STATUS_NO_RESOURCES;
303         case -EISCONN:
304                 return MGMT_STATUS_ALREADY_CONNECTED;
305         case -ENOTCONN:
306                 return MGMT_STATUS_DISCONNECTED;
307         }
308
309         return MGMT_STATUS_FAILED;
310 }
311
312 static u8 mgmt_status(int err)
313 {
314         if (err < 0)
315                 return mgmt_errno_status(err);
316
317         if (err < ARRAY_SIZE(mgmt_status_table))
318                 return mgmt_status_table[err];
319
320         return MGMT_STATUS_FAILED;
321 }
322
323 static int mgmt_index_event(u16 event, struct hci_dev *hdev, void *data,
324                             u16 len, int flag)
325 {
326         return mgmt_send_event(event, hdev, HCI_CHANNEL_CONTROL, data, len,
327                                flag, NULL);
328 }
329
330 static int mgmt_limited_event(u16 event, struct hci_dev *hdev, void *data,
331                               u16 len, int flag, struct sock *skip_sk)
332 {
333         return mgmt_send_event(event, hdev, HCI_CHANNEL_CONTROL, data, len,
334                                flag, skip_sk);
335 }
336
337 static int mgmt_event(u16 event, struct hci_dev *hdev, void *data, u16 len,
338                       struct sock *skip_sk)
339 {
340         return mgmt_send_event(event, hdev, HCI_CHANNEL_CONTROL, data, len,
341                                HCI_SOCK_TRUSTED, skip_sk);
342 }
343
344 static int mgmt_event_skb(struct sk_buff *skb, struct sock *skip_sk)
345 {
346         return mgmt_send_event_skb(HCI_CHANNEL_CONTROL, skb, HCI_SOCK_TRUSTED,
347                                    skip_sk);
348 }
349
350 static u8 le_addr_type(u8 mgmt_addr_type)
351 {
352         if (mgmt_addr_type == BDADDR_LE_PUBLIC)
353                 return ADDR_LE_DEV_PUBLIC;
354         else
355                 return ADDR_LE_DEV_RANDOM;
356 }
357
358 void mgmt_fill_version_info(void *ver)
359 {
360         struct mgmt_rp_read_version *rp = ver;
361
362         rp->version = MGMT_VERSION;
363         rp->revision = cpu_to_le16(MGMT_REVISION);
364 }
365
366 static int read_version(struct sock *sk, struct hci_dev *hdev, void *data,
367                         u16 data_len)
368 {
369         struct mgmt_rp_read_version rp;
370
371         bt_dev_dbg(hdev, "sock %p", sk);
372
373         mgmt_fill_version_info(&rp);
374
375         return mgmt_cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_VERSION, 0,
376                                  &rp, sizeof(rp));
377 }
378
379 static int read_commands(struct sock *sk, struct hci_dev *hdev, void *data,
380                          u16 data_len)
381 {
382         struct mgmt_rp_read_commands *rp;
383         u16 num_commands, num_events;
384         size_t rp_size;
385         int i, err;
386
387         bt_dev_dbg(hdev, "sock %p", sk);
388
389         if (hci_sock_test_flag(sk, HCI_SOCK_TRUSTED)) {
390                 num_commands = ARRAY_SIZE(mgmt_commands);
391                 num_events = ARRAY_SIZE(mgmt_events);
392         } else {
393                 num_commands = ARRAY_SIZE(mgmt_untrusted_commands);
394                 num_events = ARRAY_SIZE(mgmt_untrusted_events);
395         }
396
397         rp_size = sizeof(*rp) + ((num_commands + num_events) * sizeof(u16));
398
399         rp = kmalloc(rp_size, GFP_KERNEL);
400         if (!rp)
401                 return -ENOMEM;
402
403         rp->num_commands = cpu_to_le16(num_commands);
404         rp->num_events = cpu_to_le16(num_events);
405
406         if (hci_sock_test_flag(sk, HCI_SOCK_TRUSTED)) {
407                 __le16 *opcode = rp->opcodes;
408
409                 for (i = 0; i < num_commands; i++, opcode++)
410                         put_unaligned_le16(mgmt_commands[i], opcode);
411
412                 for (i = 0; i < num_events; i++, opcode++)
413                         put_unaligned_le16(mgmt_events[i], opcode);
414         } else {
415                 __le16 *opcode = rp->opcodes;
416
417                 for (i = 0; i < num_commands; i++, opcode++)
418                         put_unaligned_le16(mgmt_untrusted_commands[i], opcode);
419
420                 for (i = 0; i < num_events; i++, opcode++)
421                         put_unaligned_le16(mgmt_untrusted_events[i], opcode);
422         }
423
424         err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_COMMANDS, 0,
425                                 rp, rp_size);
426         kfree(rp);
427
428         return err;
429 }
430
431 static int read_index_list(struct sock *sk, struct hci_dev *hdev, void *data,
432                            u16 data_len)
433 {
434         struct mgmt_rp_read_index_list *rp;
435         struct hci_dev *d;
436         size_t rp_len;
437         u16 count;
438         int err;
439
440         bt_dev_dbg(hdev, "sock %p", sk);
441
442         read_lock(&hci_dev_list_lock);
443
444         count = 0;
445         list_for_each_entry(d, &hci_dev_list, list) {
446                 if (d->dev_type == HCI_PRIMARY &&
447                     !hci_dev_test_flag(d, HCI_UNCONFIGURED))
448                         count++;
449         }
450
451         rp_len = sizeof(*rp) + (2 * count);
452         rp = kmalloc(rp_len, GFP_ATOMIC);
453         if (!rp) {
454                 read_unlock(&hci_dev_list_lock);
455                 return -ENOMEM;
456         }
457
458         count = 0;
459         list_for_each_entry(d, &hci_dev_list, list) {
460                 if (hci_dev_test_flag(d, HCI_SETUP) ||
461                     hci_dev_test_flag(d, HCI_CONFIG) ||
462                     hci_dev_test_flag(d, HCI_USER_CHANNEL))
463                         continue;
464
465                 /* Devices marked as raw-only are neither configured
466                  * nor unconfigured controllers.
467                  */
468                 if (test_bit(HCI_QUIRK_RAW_DEVICE, &d->quirks))
469                         continue;
470
471                 if (d->dev_type == HCI_PRIMARY &&
472                     !hci_dev_test_flag(d, HCI_UNCONFIGURED)) {
473                         rp->index[count++] = cpu_to_le16(d->id);
474                         bt_dev_dbg(hdev, "Added hci%u", d->id);
475                 }
476         }
477
478         rp->num_controllers = cpu_to_le16(count);
479         rp_len = sizeof(*rp) + (2 * count);
480
481         read_unlock(&hci_dev_list_lock);
482
483         err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_INDEX_LIST,
484                                 0, rp, rp_len);
485
486         kfree(rp);
487
488         return err;
489 }
490
491 static int read_unconf_index_list(struct sock *sk, struct hci_dev *hdev,
492                                   void *data, u16 data_len)
493 {
494         struct mgmt_rp_read_unconf_index_list *rp;
495         struct hci_dev *d;
496         size_t rp_len;
497         u16 count;
498         int err;
499
500         bt_dev_dbg(hdev, "sock %p", sk);
501
502         read_lock(&hci_dev_list_lock);
503
504         count = 0;
505         list_for_each_entry(d, &hci_dev_list, list) {
506                 if (d->dev_type == HCI_PRIMARY &&
507                     hci_dev_test_flag(d, HCI_UNCONFIGURED))
508                         count++;
509         }
510
511         rp_len = sizeof(*rp) + (2 * count);
512         rp = kmalloc(rp_len, GFP_ATOMIC);
513         if (!rp) {
514                 read_unlock(&hci_dev_list_lock);
515                 return -ENOMEM;
516         }
517
518         count = 0;
519         list_for_each_entry(d, &hci_dev_list, list) {
520                 if (hci_dev_test_flag(d, HCI_SETUP) ||
521                     hci_dev_test_flag(d, HCI_CONFIG) ||
522                     hci_dev_test_flag(d, HCI_USER_CHANNEL))
523                         continue;
524
525                 /* Devices marked as raw-only are neither configured
526                  * nor unconfigured controllers.
527                  */
528                 if (test_bit(HCI_QUIRK_RAW_DEVICE, &d->quirks))
529                         continue;
530
531                 if (d->dev_type == HCI_PRIMARY &&
532                     hci_dev_test_flag(d, HCI_UNCONFIGURED)) {
533                         rp->index[count++] = cpu_to_le16(d->id);
534                         bt_dev_dbg(hdev, "Added hci%u", d->id);
535                 }
536         }
537
538         rp->num_controllers = cpu_to_le16(count);
539         rp_len = sizeof(*rp) + (2 * count);
540
541         read_unlock(&hci_dev_list_lock);
542
543         err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE,
544                                 MGMT_OP_READ_UNCONF_INDEX_LIST, 0, rp, rp_len);
545
546         kfree(rp);
547
548         return err;
549 }
550
551 static int read_ext_index_list(struct sock *sk, struct hci_dev *hdev,
552                                void *data, u16 data_len)
553 {
554         struct mgmt_rp_read_ext_index_list *rp;
555         struct hci_dev *d;
556         u16 count;
557         int err;
558
559         bt_dev_dbg(hdev, "sock %p", sk);
560
561         read_lock(&hci_dev_list_lock);
562
563         count = 0;
564         list_for_each_entry(d, &hci_dev_list, list) {
565                 if (d->dev_type == HCI_PRIMARY || d->dev_type == HCI_AMP)
566                         count++;
567         }
568
569         rp = kmalloc(struct_size(rp, entry, count), GFP_ATOMIC);
570         if (!rp) {
571                 read_unlock(&hci_dev_list_lock);
572                 return -ENOMEM;
573         }
574
575         count = 0;
576         list_for_each_entry(d, &hci_dev_list, list) {
577                 if (hci_dev_test_flag(d, HCI_SETUP) ||
578                     hci_dev_test_flag(d, HCI_CONFIG) ||
579                     hci_dev_test_flag(d, HCI_USER_CHANNEL))
580                         continue;
581
582                 /* Devices marked as raw-only are neither configured
583                  * nor unconfigured controllers.
584                  */
585                 if (test_bit(HCI_QUIRK_RAW_DEVICE, &d->quirks))
586                         continue;
587
588                 if (d->dev_type == HCI_PRIMARY) {
589                         if (hci_dev_test_flag(d, HCI_UNCONFIGURED))
590                                 rp->entry[count].type = 0x01;
591                         else
592                                 rp->entry[count].type = 0x00;
593                 } else if (d->dev_type == HCI_AMP) {
594                         rp->entry[count].type = 0x02;
595                 } else {
596                         continue;
597                 }
598
599                 rp->entry[count].bus = d->bus;
600                 rp->entry[count++].index = cpu_to_le16(d->id);
601                 bt_dev_dbg(hdev, "Added hci%u", d->id);
602         }
603
604         rp->num_controllers = cpu_to_le16(count);
605
606         read_unlock(&hci_dev_list_lock);
607
608         /* If this command is called at least once, then all the
609          * default index and unconfigured index events are disabled
610          * and from now on only extended index events are used.
611          */
612         hci_sock_set_flag(sk, HCI_MGMT_EXT_INDEX_EVENTS);
613         hci_sock_clear_flag(sk, HCI_MGMT_INDEX_EVENTS);
614         hci_sock_clear_flag(sk, HCI_MGMT_UNCONF_INDEX_EVENTS);
615
616         err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE,
617                                 MGMT_OP_READ_EXT_INDEX_LIST, 0, rp,
618                                 struct_size(rp, entry, count));
619
620         kfree(rp);
621
622         return err;
623 }
624
625 static bool is_configured(struct hci_dev *hdev)
626 {
627         if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) &&
628             !hci_dev_test_flag(hdev, HCI_EXT_CONFIGURED))
629                 return false;
630
631         if ((test_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks) ||
632              test_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks)) &&
633             !bacmp(&hdev->public_addr, BDADDR_ANY))
634                 return false;
635
636         return true;
637 }
638
639 static __le32 get_missing_options(struct hci_dev *hdev)
640 {
641         u32 options = 0;
642
643         if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) &&
644             !hci_dev_test_flag(hdev, HCI_EXT_CONFIGURED))
645                 options |= MGMT_OPTION_EXTERNAL_CONFIG;
646
647         if ((test_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks) ||
648              test_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks)) &&
649             !bacmp(&hdev->public_addr, BDADDR_ANY))
650                 options |= MGMT_OPTION_PUBLIC_ADDRESS;
651
652         return cpu_to_le32(options);
653 }
654
655 static int new_options(struct hci_dev *hdev, struct sock *skip)
656 {
657         __le32 options = get_missing_options(hdev);
658
659         return mgmt_limited_event(MGMT_EV_NEW_CONFIG_OPTIONS, hdev, &options,
660                                   sizeof(options), HCI_MGMT_OPTION_EVENTS, skip);
661 }
662
663 static int send_options_rsp(struct sock *sk, u16 opcode, struct hci_dev *hdev)
664 {
665         __le32 options = get_missing_options(hdev);
666
667         return mgmt_cmd_complete(sk, hdev->id, opcode, 0, &options,
668                                  sizeof(options));
669 }
670
671 static int read_config_info(struct sock *sk, struct hci_dev *hdev,
672                             void *data, u16 data_len)
673 {
674         struct mgmt_rp_read_config_info rp;
675         u32 options = 0;
676
677         bt_dev_dbg(hdev, "sock %p", sk);
678
679         hci_dev_lock(hdev);
680
681         memset(&rp, 0, sizeof(rp));
682         rp.manufacturer = cpu_to_le16(hdev->manufacturer);
683
684         if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks))
685                 options |= MGMT_OPTION_EXTERNAL_CONFIG;
686
687         if (hdev->set_bdaddr)
688                 options |= MGMT_OPTION_PUBLIC_ADDRESS;
689
690         rp.supported_options = cpu_to_le32(options);
691         rp.missing_options = get_missing_options(hdev);
692
693         hci_dev_unlock(hdev);
694
695         return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_CONFIG_INFO, 0,
696                                  &rp, sizeof(rp));
697 }
698
699 static u32 get_supported_phys(struct hci_dev *hdev)
700 {
701         u32 supported_phys = 0;
702
703         if (lmp_bredr_capable(hdev)) {
704                 supported_phys |= MGMT_PHY_BR_1M_1SLOT;
705
706                 if (hdev->features[0][0] & LMP_3SLOT)
707                         supported_phys |= MGMT_PHY_BR_1M_3SLOT;
708
709                 if (hdev->features[0][0] & LMP_5SLOT)
710                         supported_phys |= MGMT_PHY_BR_1M_5SLOT;
711
712                 if (lmp_edr_2m_capable(hdev)) {
713                         supported_phys |= MGMT_PHY_EDR_2M_1SLOT;
714
715                         if (lmp_edr_3slot_capable(hdev))
716                                 supported_phys |= MGMT_PHY_EDR_2M_3SLOT;
717
718                         if (lmp_edr_5slot_capable(hdev))
719                                 supported_phys |= MGMT_PHY_EDR_2M_5SLOT;
720
721                         if (lmp_edr_3m_capable(hdev)) {
722                                 supported_phys |= MGMT_PHY_EDR_3M_1SLOT;
723
724                                 if (lmp_edr_3slot_capable(hdev))
725                                         supported_phys |= MGMT_PHY_EDR_3M_3SLOT;
726
727                                 if (lmp_edr_5slot_capable(hdev))
728                                         supported_phys |= MGMT_PHY_EDR_3M_5SLOT;
729                         }
730                 }
731         }
732
733         if (lmp_le_capable(hdev)) {
734                 supported_phys |= MGMT_PHY_LE_1M_TX;
735                 supported_phys |= MGMT_PHY_LE_1M_RX;
736
737                 if (hdev->le_features[1] & HCI_LE_PHY_2M) {
738                         supported_phys |= MGMT_PHY_LE_2M_TX;
739                         supported_phys |= MGMT_PHY_LE_2M_RX;
740                 }
741
742                 if (hdev->le_features[1] & HCI_LE_PHY_CODED) {
743                         supported_phys |= MGMT_PHY_LE_CODED_TX;
744                         supported_phys |= MGMT_PHY_LE_CODED_RX;
745                 }
746         }
747
748         return supported_phys;
749 }
750
751 static u32 get_selected_phys(struct hci_dev *hdev)
752 {
753         u32 selected_phys = 0;
754
755         if (lmp_bredr_capable(hdev)) {
756                 selected_phys |= MGMT_PHY_BR_1M_1SLOT;
757
758                 if (hdev->pkt_type & (HCI_DM3 | HCI_DH3))
759                         selected_phys |= MGMT_PHY_BR_1M_3SLOT;
760
761                 if (hdev->pkt_type & (HCI_DM5 | HCI_DH5))
762                         selected_phys |= MGMT_PHY_BR_1M_5SLOT;
763
764                 if (lmp_edr_2m_capable(hdev)) {
765                         if (!(hdev->pkt_type & HCI_2DH1))
766                                 selected_phys |= MGMT_PHY_EDR_2M_1SLOT;
767
768                         if (lmp_edr_3slot_capable(hdev) &&
769                             !(hdev->pkt_type & HCI_2DH3))
770                                 selected_phys |= MGMT_PHY_EDR_2M_3SLOT;
771
772                         if (lmp_edr_5slot_capable(hdev) &&
773                             !(hdev->pkt_type & HCI_2DH5))
774                                 selected_phys |= MGMT_PHY_EDR_2M_5SLOT;
775
776                         if (lmp_edr_3m_capable(hdev)) {
777                                 if (!(hdev->pkt_type & HCI_3DH1))
778                                         selected_phys |= MGMT_PHY_EDR_3M_1SLOT;
779
780                                 if (lmp_edr_3slot_capable(hdev) &&
781                                     !(hdev->pkt_type & HCI_3DH3))
782                                         selected_phys |= MGMT_PHY_EDR_3M_3SLOT;
783
784                                 if (lmp_edr_5slot_capable(hdev) &&
785                                     !(hdev->pkt_type & HCI_3DH5))
786                                         selected_phys |= MGMT_PHY_EDR_3M_5SLOT;
787                         }
788                 }
789         }
790
791         if (lmp_le_capable(hdev)) {
792                 if (hdev->le_tx_def_phys & HCI_LE_SET_PHY_1M)
793                         selected_phys |= MGMT_PHY_LE_1M_TX;
794
795                 if (hdev->le_rx_def_phys & HCI_LE_SET_PHY_1M)
796                         selected_phys |= MGMT_PHY_LE_1M_RX;
797
798                 if (hdev->le_tx_def_phys & HCI_LE_SET_PHY_2M)
799                         selected_phys |= MGMT_PHY_LE_2M_TX;
800
801                 if (hdev->le_rx_def_phys & HCI_LE_SET_PHY_2M)
802                         selected_phys |= MGMT_PHY_LE_2M_RX;
803
804                 if (hdev->le_tx_def_phys & HCI_LE_SET_PHY_CODED)
805                         selected_phys |= MGMT_PHY_LE_CODED_TX;
806
807                 if (hdev->le_rx_def_phys & HCI_LE_SET_PHY_CODED)
808                         selected_phys |= MGMT_PHY_LE_CODED_RX;
809         }
810
811         return selected_phys;
812 }
813
814 static u32 get_configurable_phys(struct hci_dev *hdev)
815 {
816         return (get_supported_phys(hdev) & ~MGMT_PHY_BR_1M_1SLOT &
817                 ~MGMT_PHY_LE_1M_TX & ~MGMT_PHY_LE_1M_RX);
818 }
819
820 static u32 get_supported_settings(struct hci_dev *hdev)
821 {
822         u32 settings = 0;
823
824         settings |= MGMT_SETTING_POWERED;
825         settings |= MGMT_SETTING_BONDABLE;
826         settings |= MGMT_SETTING_DEBUG_KEYS;
827         settings |= MGMT_SETTING_CONNECTABLE;
828         settings |= MGMT_SETTING_DISCOVERABLE;
829
830         if (lmp_bredr_capable(hdev)) {
831                 if (hdev->hci_ver >= BLUETOOTH_VER_1_2)
832                         settings |= MGMT_SETTING_FAST_CONNECTABLE;
833                 settings |= MGMT_SETTING_BREDR;
834                 settings |= MGMT_SETTING_LINK_SECURITY;
835
836                 if (lmp_ssp_capable(hdev)) {
837                         settings |= MGMT_SETTING_SSP;
838                         if (IS_ENABLED(CONFIG_BT_HS))
839                                 settings |= MGMT_SETTING_HS;
840                 }
841
842                 if (lmp_sc_capable(hdev))
843                         settings |= MGMT_SETTING_SECURE_CONN;
844
845                 if (test_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED,
846                              &hdev->quirks))
847                         settings |= MGMT_SETTING_WIDEBAND_SPEECH;
848         }
849
850         if (lmp_le_capable(hdev)) {
851                 settings |= MGMT_SETTING_LE;
852                 settings |= MGMT_SETTING_SECURE_CONN;
853                 settings |= MGMT_SETTING_PRIVACY;
854                 settings |= MGMT_SETTING_STATIC_ADDRESS;
855                 settings |= MGMT_SETTING_ADVERTISING;
856         }
857
858         if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) ||
859             hdev->set_bdaddr)
860                 settings |= MGMT_SETTING_CONFIGURATION;
861
862         if (cis_central_capable(hdev))
863                 settings |= MGMT_SETTING_CIS_CENTRAL;
864
865         if (cis_peripheral_capable(hdev))
866                 settings |= MGMT_SETTING_CIS_PERIPHERAL;
867
868         settings |= MGMT_SETTING_PHY_CONFIGURATION;
869
870         return settings;
871 }
872
873 static u32 get_current_settings(struct hci_dev *hdev)
874 {
875         u32 settings = 0;
876
877         if (hdev_is_powered(hdev))
878                 settings |= MGMT_SETTING_POWERED;
879
880         if (hci_dev_test_flag(hdev, HCI_CONNECTABLE))
881                 settings |= MGMT_SETTING_CONNECTABLE;
882
883         if (hci_dev_test_flag(hdev, HCI_FAST_CONNECTABLE))
884                 settings |= MGMT_SETTING_FAST_CONNECTABLE;
885
886         if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE))
887                 settings |= MGMT_SETTING_DISCOVERABLE;
888
889         if (hci_dev_test_flag(hdev, HCI_BONDABLE))
890                 settings |= MGMT_SETTING_BONDABLE;
891
892         if (hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
893                 settings |= MGMT_SETTING_BREDR;
894
895         if (hci_dev_test_flag(hdev, HCI_LE_ENABLED))
896                 settings |= MGMT_SETTING_LE;
897
898         if (hci_dev_test_flag(hdev, HCI_LINK_SECURITY))
899                 settings |= MGMT_SETTING_LINK_SECURITY;
900
901         if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
902                 settings |= MGMT_SETTING_SSP;
903
904         if (hci_dev_test_flag(hdev, HCI_HS_ENABLED))
905                 settings |= MGMT_SETTING_HS;
906
907         if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
908                 settings |= MGMT_SETTING_ADVERTISING;
909
910         if (hci_dev_test_flag(hdev, HCI_SC_ENABLED))
911                 settings |= MGMT_SETTING_SECURE_CONN;
912
913         if (hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS))
914                 settings |= MGMT_SETTING_DEBUG_KEYS;
915
916         if (hci_dev_test_flag(hdev, HCI_PRIVACY))
917                 settings |= MGMT_SETTING_PRIVACY;
918
919         /* The current setting for static address has two purposes. The
920          * first is to indicate if the static address will be used and
921          * the second is to indicate if it is actually set.
922          *
923          * This means if the static address is not configured, this flag
924          * will never be set. If the address is configured, then if the
925          * address is actually used decides if the flag is set or not.
926          *
927          * For single mode LE only controllers and dual-mode controllers
928          * with BR/EDR disabled, the existence of the static address will
929          * be evaluated.
930          */
931         if (hci_dev_test_flag(hdev, HCI_FORCE_STATIC_ADDR) ||
932             !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) ||
933             !bacmp(&hdev->bdaddr, BDADDR_ANY)) {
934                 if (bacmp(&hdev->static_addr, BDADDR_ANY))
935                         settings |= MGMT_SETTING_STATIC_ADDRESS;
936         }
937
938         if (hci_dev_test_flag(hdev, HCI_WIDEBAND_SPEECH_ENABLED))
939                 settings |= MGMT_SETTING_WIDEBAND_SPEECH;
940
941         if (cis_central_capable(hdev))
942                 settings |= MGMT_SETTING_CIS_CENTRAL;
943
944         if (cis_peripheral_capable(hdev))
945                 settings |= MGMT_SETTING_CIS_PERIPHERAL;
946
947         return settings;
948 }
949
950 static struct mgmt_pending_cmd *pending_find(u16 opcode, struct hci_dev *hdev)
951 {
952         return mgmt_pending_find(HCI_CHANNEL_CONTROL, opcode, hdev);
953 }
954
955 u8 mgmt_get_adv_discov_flags(struct hci_dev *hdev)
956 {
957         struct mgmt_pending_cmd *cmd;
958
959         /* If there's a pending mgmt command the flags will not yet have
960          * their final values, so check for this first.
961          */
962         cmd = pending_find(MGMT_OP_SET_DISCOVERABLE, hdev);
963         if (cmd) {
964                 struct mgmt_mode *cp = cmd->param;
965                 if (cp->val == 0x01)
966                         return LE_AD_GENERAL;
967                 else if (cp->val == 0x02)
968                         return LE_AD_LIMITED;
969         } else {
970                 if (hci_dev_test_flag(hdev, HCI_LIMITED_DISCOVERABLE))
971                         return LE_AD_LIMITED;
972                 else if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE))
973                         return LE_AD_GENERAL;
974         }
975
976         return 0;
977 }
978
979 bool mgmt_get_connectable(struct hci_dev *hdev)
980 {
981         struct mgmt_pending_cmd *cmd;
982
983         /* If there's a pending mgmt command the flag will not yet have
984          * it's final value, so check for this first.
985          */
986         cmd = pending_find(MGMT_OP_SET_CONNECTABLE, hdev);
987         if (cmd) {
988                 struct mgmt_mode *cp = cmd->param;
989
990                 return cp->val;
991         }
992
993         return hci_dev_test_flag(hdev, HCI_CONNECTABLE);
994 }
995
996 static int service_cache_sync(struct hci_dev *hdev, void *data)
997 {
998         hci_update_eir_sync(hdev);
999         hci_update_class_sync(hdev);
1000
1001         return 0;
1002 }
1003
1004 static void service_cache_off(struct work_struct *work)
1005 {
1006         struct hci_dev *hdev = container_of(work, struct hci_dev,
1007                                             service_cache.work);
1008
1009         if (!hci_dev_test_and_clear_flag(hdev, HCI_SERVICE_CACHE))
1010                 return;
1011
1012         hci_cmd_sync_queue(hdev, service_cache_sync, NULL, NULL);
1013 }
1014
1015 static int rpa_expired_sync(struct hci_dev *hdev, void *data)
1016 {
1017         /* The generation of a new RPA and programming it into the
1018          * controller happens in the hci_req_enable_advertising()
1019          * function.
1020          */
1021         if (ext_adv_capable(hdev))
1022                 return hci_start_ext_adv_sync(hdev, hdev->cur_adv_instance);
1023         else
1024                 return hci_enable_advertising_sync(hdev);
1025 }
1026
1027 static void rpa_expired(struct work_struct *work)
1028 {
1029         struct hci_dev *hdev = container_of(work, struct hci_dev,
1030                                             rpa_expired.work);
1031
1032         bt_dev_dbg(hdev, "");
1033
1034         hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
1035
1036         if (!hci_dev_test_flag(hdev, HCI_ADVERTISING))
1037                 return;
1038
1039         hci_cmd_sync_queue(hdev, rpa_expired_sync, NULL, NULL);
1040 }
1041
1042 static void discov_off(struct work_struct *work)
1043 {
1044         struct hci_dev *hdev = container_of(work, struct hci_dev,
1045                                             discov_off.work);
1046
1047         bt_dev_dbg(hdev, "");
1048
1049         hci_dev_lock(hdev);
1050
1051         /* When discoverable timeout triggers, then just make sure
1052          * the limited discoverable flag is cleared. Even in the case
1053          * of a timeout triggered from general discoverable, it is
1054          * safe to unconditionally clear the flag.
1055          */
1056         hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1057         hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1058         hdev->discov_timeout = 0;
1059
1060         hci_update_discoverable(hdev);
1061
1062         mgmt_new_settings(hdev);
1063
1064         hci_dev_unlock(hdev);
1065 }
1066
1067 static int send_settings_rsp(struct sock *sk, u16 opcode, struct hci_dev *hdev);
1068
1069 static void mesh_send_complete(struct hci_dev *hdev,
1070                                struct mgmt_mesh_tx *mesh_tx, bool silent)
1071 {
1072         u8 handle = mesh_tx->handle;
1073
1074         if (!silent)
1075                 mgmt_event(MGMT_EV_MESH_PACKET_CMPLT, hdev, &handle,
1076                            sizeof(handle), NULL);
1077
1078         mgmt_mesh_remove(mesh_tx);
1079 }
1080
1081 static int mesh_send_done_sync(struct hci_dev *hdev, void *data)
1082 {
1083         struct mgmt_mesh_tx *mesh_tx;
1084
1085         hci_dev_clear_flag(hdev, HCI_MESH_SENDING);
1086         hci_disable_advertising_sync(hdev);
1087         mesh_tx = mgmt_mesh_next(hdev, NULL);
1088
1089         if (mesh_tx)
1090                 mesh_send_complete(hdev, mesh_tx, false);
1091
1092         return 0;
1093 }
1094
1095 static int mesh_send_sync(struct hci_dev *hdev, void *data);
1096 static void mesh_send_start_complete(struct hci_dev *hdev, void *data, int err);
1097 static void mesh_next(struct hci_dev *hdev, void *data, int err)
1098 {
1099         struct mgmt_mesh_tx *mesh_tx = mgmt_mesh_next(hdev, NULL);
1100
1101         if (!mesh_tx)
1102                 return;
1103
1104         err = hci_cmd_sync_queue(hdev, mesh_send_sync, mesh_tx,
1105                                  mesh_send_start_complete);
1106
1107         if (err < 0)
1108                 mesh_send_complete(hdev, mesh_tx, false);
1109         else
1110                 hci_dev_set_flag(hdev, HCI_MESH_SENDING);
1111 }
1112
1113 static void mesh_send_done(struct work_struct *work)
1114 {
1115         struct hci_dev *hdev = container_of(work, struct hci_dev,
1116                                             mesh_send_done.work);
1117
1118         if (!hci_dev_test_flag(hdev, HCI_MESH_SENDING))
1119                 return;
1120
1121         hci_cmd_sync_queue(hdev, mesh_send_done_sync, NULL, mesh_next);
1122 }
1123
1124 static void mgmt_init_hdev(struct sock *sk, struct hci_dev *hdev)
1125 {
1126         if (hci_dev_test_flag(hdev, HCI_MGMT))
1127                 return;
1128
1129         BT_INFO("MGMT ver %d.%d", MGMT_VERSION, MGMT_REVISION);
1130
1131         INIT_DELAYED_WORK(&hdev->discov_off, discov_off);
1132         INIT_DELAYED_WORK(&hdev->service_cache, service_cache_off);
1133         INIT_DELAYED_WORK(&hdev->rpa_expired, rpa_expired);
1134         INIT_DELAYED_WORK(&hdev->mesh_send_done, mesh_send_done);
1135
1136         /* Non-mgmt controlled devices get this bit set
1137          * implicitly so that pairing works for them, however
1138          * for mgmt we require user-space to explicitly enable
1139          * it
1140          */
1141         hci_dev_clear_flag(hdev, HCI_BONDABLE);
1142
1143         hci_dev_set_flag(hdev, HCI_MGMT);
1144 }
1145
1146 static int read_controller_info(struct sock *sk, struct hci_dev *hdev,
1147                                 void *data, u16 data_len)
1148 {
1149         struct mgmt_rp_read_info rp;
1150
1151         bt_dev_dbg(hdev, "sock %p", sk);
1152
1153         hci_dev_lock(hdev);
1154
1155         memset(&rp, 0, sizeof(rp));
1156
1157         bacpy(&rp.bdaddr, &hdev->bdaddr);
1158
1159         rp.version = hdev->hci_ver;
1160         rp.manufacturer = cpu_to_le16(hdev->manufacturer);
1161
1162         rp.supported_settings = cpu_to_le32(get_supported_settings(hdev));
1163         rp.current_settings = cpu_to_le32(get_current_settings(hdev));
1164
1165         memcpy(rp.dev_class, hdev->dev_class, 3);
1166
1167         memcpy(rp.name, hdev->dev_name, sizeof(hdev->dev_name));
1168         memcpy(rp.short_name, hdev->short_name, sizeof(hdev->short_name));
1169
1170         hci_dev_unlock(hdev);
1171
1172         return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_INFO, 0, &rp,
1173                                  sizeof(rp));
1174 }
1175
1176 static u16 append_eir_data_to_buf(struct hci_dev *hdev, u8 *eir)
1177 {
1178         u16 eir_len = 0;
1179         size_t name_len;
1180
1181         if (hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1182                 eir_len = eir_append_data(eir, eir_len, EIR_CLASS_OF_DEV,
1183                                           hdev->dev_class, 3);
1184
1185         if (hci_dev_test_flag(hdev, HCI_LE_ENABLED))
1186                 eir_len = eir_append_le16(eir, eir_len, EIR_APPEARANCE,
1187                                           hdev->appearance);
1188
1189         name_len = strnlen(hdev->dev_name, sizeof(hdev->dev_name));
1190         eir_len = eir_append_data(eir, eir_len, EIR_NAME_COMPLETE,
1191                                   hdev->dev_name, name_len);
1192
1193         name_len = strnlen(hdev->short_name, sizeof(hdev->short_name));
1194         eir_len = eir_append_data(eir, eir_len, EIR_NAME_SHORT,
1195                                   hdev->short_name, name_len);
1196
1197         return eir_len;
1198 }
1199
1200 static int read_ext_controller_info(struct sock *sk, struct hci_dev *hdev,
1201                                     void *data, u16 data_len)
1202 {
1203         char buf[512];
1204         struct mgmt_rp_read_ext_info *rp = (void *)buf;
1205         u16 eir_len;
1206
1207         bt_dev_dbg(hdev, "sock %p", sk);
1208
1209         memset(&buf, 0, sizeof(buf));
1210
1211         hci_dev_lock(hdev);
1212
1213         bacpy(&rp->bdaddr, &hdev->bdaddr);
1214
1215         rp->version = hdev->hci_ver;
1216         rp->manufacturer = cpu_to_le16(hdev->manufacturer);
1217
1218         rp->supported_settings = cpu_to_le32(get_supported_settings(hdev));
1219         rp->current_settings = cpu_to_le32(get_current_settings(hdev));
1220
1221
1222         eir_len = append_eir_data_to_buf(hdev, rp->eir);
1223         rp->eir_len = cpu_to_le16(eir_len);
1224
1225         hci_dev_unlock(hdev);
1226
1227         /* If this command is called at least once, then the events
1228          * for class of device and local name changes are disabled
1229          * and only the new extended controller information event
1230          * is used.
1231          */
1232         hci_sock_set_flag(sk, HCI_MGMT_EXT_INFO_EVENTS);
1233         hci_sock_clear_flag(sk, HCI_MGMT_DEV_CLASS_EVENTS);
1234         hci_sock_clear_flag(sk, HCI_MGMT_LOCAL_NAME_EVENTS);
1235
1236         return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_EXT_INFO, 0, rp,
1237                                  sizeof(*rp) + eir_len);
1238 }
1239
1240 static int ext_info_changed(struct hci_dev *hdev, struct sock *skip)
1241 {
1242         char buf[512];
1243         struct mgmt_ev_ext_info_changed *ev = (void *)buf;
1244         u16 eir_len;
1245
1246         memset(buf, 0, sizeof(buf));
1247
1248         eir_len = append_eir_data_to_buf(hdev, ev->eir);
1249         ev->eir_len = cpu_to_le16(eir_len);
1250
1251         return mgmt_limited_event(MGMT_EV_EXT_INFO_CHANGED, hdev, ev,
1252                                   sizeof(*ev) + eir_len,
1253                                   HCI_MGMT_EXT_INFO_EVENTS, skip);
1254 }
1255
1256 static int send_settings_rsp(struct sock *sk, u16 opcode, struct hci_dev *hdev)
1257 {
1258         __le32 settings = cpu_to_le32(get_current_settings(hdev));
1259
1260         return mgmt_cmd_complete(sk, hdev->id, opcode, 0, &settings,
1261                                  sizeof(settings));
1262 }
1263
1264 void mgmt_advertising_added(struct sock *sk, struct hci_dev *hdev, u8 instance)
1265 {
1266         struct mgmt_ev_advertising_added ev;
1267
1268         ev.instance = instance;
1269
1270         mgmt_event(MGMT_EV_ADVERTISING_ADDED, hdev, &ev, sizeof(ev), sk);
1271 }
1272
1273 void mgmt_advertising_removed(struct sock *sk, struct hci_dev *hdev,
1274                               u8 instance)
1275 {
1276         struct mgmt_ev_advertising_removed ev;
1277
1278         ev.instance = instance;
1279
1280         mgmt_event(MGMT_EV_ADVERTISING_REMOVED, hdev, &ev, sizeof(ev), sk);
1281 }
1282
1283 static void cancel_adv_timeout(struct hci_dev *hdev)
1284 {
1285         if (hdev->adv_instance_timeout) {
1286                 hdev->adv_instance_timeout = 0;
1287                 cancel_delayed_work(&hdev->adv_instance_expire);
1288         }
1289 }
1290
1291 /* This function requires the caller holds hdev->lock */
1292 static void restart_le_actions(struct hci_dev *hdev)
1293 {
1294         struct hci_conn_params *p;
1295
1296         list_for_each_entry(p, &hdev->le_conn_params, list) {
1297                 /* Needed for AUTO_OFF case where might not "really"
1298                  * have been powered off.
1299                  */
1300                 list_del_init(&p->action);
1301
1302                 switch (p->auto_connect) {
1303                 case HCI_AUTO_CONN_DIRECT:
1304                 case HCI_AUTO_CONN_ALWAYS:
1305                         list_add(&p->action, &hdev->pend_le_conns);
1306                         break;
1307                 case HCI_AUTO_CONN_REPORT:
1308                         list_add(&p->action, &hdev->pend_le_reports);
1309                         break;
1310                 default:
1311                         break;
1312                 }
1313         }
1314 }
1315
1316 static int new_settings(struct hci_dev *hdev, struct sock *skip)
1317 {
1318         __le32 ev = cpu_to_le32(get_current_settings(hdev));
1319
1320         return mgmt_limited_event(MGMT_EV_NEW_SETTINGS, hdev, &ev,
1321                                   sizeof(ev), HCI_MGMT_SETTING_EVENTS, skip);
1322 }
1323
1324 static void mgmt_set_powered_complete(struct hci_dev *hdev, void *data, int err)
1325 {
1326         struct mgmt_pending_cmd *cmd = data;
1327         struct mgmt_mode *cp;
1328
1329         /* Make sure cmd still outstanding. */
1330         if (cmd != pending_find(MGMT_OP_SET_POWERED, hdev))
1331                 return;
1332
1333         cp = cmd->param;
1334
1335         bt_dev_dbg(hdev, "err %d", err);
1336
1337         if (!err) {
1338                 if (cp->val) {
1339                         hci_dev_lock(hdev);
1340                         restart_le_actions(hdev);
1341                         hci_update_passive_scan(hdev);
1342                         hci_dev_unlock(hdev);
1343                 }
1344
1345                 send_settings_rsp(cmd->sk, cmd->opcode, hdev);
1346
1347                 /* Only call new_setting for power on as power off is deferred
1348                  * to hdev->power_off work which does call hci_dev_do_close.
1349                  */
1350                 if (cp->val)
1351                         new_settings(hdev, cmd->sk);
1352         } else {
1353                 mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_POWERED,
1354                                 mgmt_status(err));
1355         }
1356
1357         mgmt_pending_remove(cmd);
1358 }
1359
1360 static int set_powered_sync(struct hci_dev *hdev, void *data)
1361 {
1362         struct mgmt_pending_cmd *cmd = data;
1363         struct mgmt_mode *cp = cmd->param;
1364
1365         BT_DBG("%s", hdev->name);
1366
1367         return hci_set_powered_sync(hdev, cp->val);
1368 }
1369
1370 static int set_powered(struct sock *sk, struct hci_dev *hdev, void *data,
1371                        u16 len)
1372 {
1373         struct mgmt_mode *cp = data;
1374         struct mgmt_pending_cmd *cmd;
1375         int err;
1376
1377         bt_dev_dbg(hdev, "sock %p", sk);
1378
1379         if (cp->val != 0x00 && cp->val != 0x01)
1380                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_POWERED,
1381                                        MGMT_STATUS_INVALID_PARAMS);
1382
1383         hci_dev_lock(hdev);
1384
1385         if (pending_find(MGMT_OP_SET_POWERED, hdev)) {
1386                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_POWERED,
1387                                       MGMT_STATUS_BUSY);
1388                 goto failed;
1389         }
1390
1391         if (!!cp->val == hdev_is_powered(hdev)) {
1392                 err = send_settings_rsp(sk, MGMT_OP_SET_POWERED, hdev);
1393                 goto failed;
1394         }
1395
1396         cmd = mgmt_pending_add(sk, MGMT_OP_SET_POWERED, hdev, data, len);
1397         if (!cmd) {
1398                 err = -ENOMEM;
1399                 goto failed;
1400         }
1401
1402         /* Cancel potentially blocking sync operation before power off */
1403         if (cp->val == 0x00) {
1404                 __hci_cmd_sync_cancel(hdev, -EHOSTDOWN);
1405                 err = hci_cmd_sync_queue(hdev, set_powered_sync, cmd,
1406                                          mgmt_set_powered_complete);
1407         } else {
1408                 /* Use hci_cmd_sync_submit since hdev might not be running */
1409                 err = hci_cmd_sync_submit(hdev, set_powered_sync, cmd,
1410                                           mgmt_set_powered_complete);
1411         }
1412
1413         if (err < 0)
1414                 mgmt_pending_remove(cmd);
1415
1416 failed:
1417         hci_dev_unlock(hdev);
1418         return err;
1419 }
1420
1421 int mgmt_new_settings(struct hci_dev *hdev)
1422 {
1423         return new_settings(hdev, NULL);
1424 }
1425
1426 struct cmd_lookup {
1427         struct sock *sk;
1428         struct hci_dev *hdev;
1429         u8 mgmt_status;
1430 };
1431
1432 static void settings_rsp(struct mgmt_pending_cmd *cmd, void *data)
1433 {
1434         struct cmd_lookup *match = data;
1435
1436         send_settings_rsp(cmd->sk, cmd->opcode, match->hdev);
1437
1438         list_del(&cmd->list);
1439
1440         if (match->sk == NULL) {
1441                 match->sk = cmd->sk;
1442                 sock_hold(match->sk);
1443         }
1444
1445         mgmt_pending_free(cmd);
1446 }
1447
1448 static void cmd_status_rsp(struct mgmt_pending_cmd *cmd, void *data)
1449 {
1450         u8 *status = data;
1451
1452         mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, *status);
1453         mgmt_pending_remove(cmd);
1454 }
1455
1456 static void cmd_complete_rsp(struct mgmt_pending_cmd *cmd, void *data)
1457 {
1458         if (cmd->cmd_complete) {
1459                 u8 *status = data;
1460
1461                 cmd->cmd_complete(cmd, *status);
1462                 mgmt_pending_remove(cmd);
1463
1464                 return;
1465         }
1466
1467         cmd_status_rsp(cmd, data);
1468 }
1469
1470 static int generic_cmd_complete(struct mgmt_pending_cmd *cmd, u8 status)
1471 {
1472         return mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status,
1473                                  cmd->param, cmd->param_len);
1474 }
1475
1476 static int addr_cmd_complete(struct mgmt_pending_cmd *cmd, u8 status)
1477 {
1478         return mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status,
1479                                  cmd->param, sizeof(struct mgmt_addr_info));
1480 }
1481
1482 static u8 mgmt_bredr_support(struct hci_dev *hdev)
1483 {
1484         if (!lmp_bredr_capable(hdev))
1485                 return MGMT_STATUS_NOT_SUPPORTED;
1486         else if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1487                 return MGMT_STATUS_REJECTED;
1488         else
1489                 return MGMT_STATUS_SUCCESS;
1490 }
1491
1492 static u8 mgmt_le_support(struct hci_dev *hdev)
1493 {
1494         if (!lmp_le_capable(hdev))
1495                 return MGMT_STATUS_NOT_SUPPORTED;
1496         else if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
1497                 return MGMT_STATUS_REJECTED;
1498         else
1499                 return MGMT_STATUS_SUCCESS;
1500 }
1501
1502 static void mgmt_set_discoverable_complete(struct hci_dev *hdev, void *data,
1503                                            int err)
1504 {
1505         struct mgmt_pending_cmd *cmd = data;
1506
1507         bt_dev_dbg(hdev, "err %d", err);
1508
1509         /* Make sure cmd still outstanding. */
1510         if (cmd != pending_find(MGMT_OP_SET_DISCOVERABLE, hdev))
1511                 return;
1512
1513         hci_dev_lock(hdev);
1514
1515         if (err) {
1516                 u8 mgmt_err = mgmt_status(err);
1517                 mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
1518                 hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1519                 goto done;
1520         }
1521
1522         if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE) &&
1523             hdev->discov_timeout > 0) {
1524                 int to = msecs_to_jiffies(hdev->discov_timeout * 1000);
1525                 queue_delayed_work(hdev->req_workqueue, &hdev->discov_off, to);
1526         }
1527
1528         send_settings_rsp(cmd->sk, MGMT_OP_SET_DISCOVERABLE, hdev);
1529         new_settings(hdev, cmd->sk);
1530
1531 done:
1532         mgmt_pending_remove(cmd);
1533         hci_dev_unlock(hdev);
1534 }
1535
1536 static int set_discoverable_sync(struct hci_dev *hdev, void *data)
1537 {
1538         BT_DBG("%s", hdev->name);
1539
1540         return hci_update_discoverable_sync(hdev);
1541 }
1542
1543 static int set_discoverable(struct sock *sk, struct hci_dev *hdev, void *data,
1544                             u16 len)
1545 {
1546         struct mgmt_cp_set_discoverable *cp = data;
1547         struct mgmt_pending_cmd *cmd;
1548         u16 timeout;
1549         int err;
1550
1551         bt_dev_dbg(hdev, "sock %p", sk);
1552
1553         if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED) &&
1554             !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1555                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1556                                        MGMT_STATUS_REJECTED);
1557
1558         if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
1559                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1560                                        MGMT_STATUS_INVALID_PARAMS);
1561
1562         timeout = __le16_to_cpu(cp->timeout);
1563
1564         /* Disabling discoverable requires that no timeout is set,
1565          * and enabling limited discoverable requires a timeout.
1566          */
1567         if ((cp->val == 0x00 && timeout > 0) ||
1568             (cp->val == 0x02 && timeout == 0))
1569                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1570                                        MGMT_STATUS_INVALID_PARAMS);
1571
1572         hci_dev_lock(hdev);
1573
1574         if (!hdev_is_powered(hdev) && timeout > 0) {
1575                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1576                                       MGMT_STATUS_NOT_POWERED);
1577                 goto failed;
1578         }
1579
1580         if (pending_find(MGMT_OP_SET_DISCOVERABLE, hdev) ||
1581             pending_find(MGMT_OP_SET_CONNECTABLE, hdev)) {
1582                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1583                                       MGMT_STATUS_BUSY);
1584                 goto failed;
1585         }
1586
1587         if (!hci_dev_test_flag(hdev, HCI_CONNECTABLE)) {
1588                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1589                                       MGMT_STATUS_REJECTED);
1590                 goto failed;
1591         }
1592
1593         if (hdev->advertising_paused) {
1594                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1595                                       MGMT_STATUS_BUSY);
1596                 goto failed;
1597         }
1598
1599         if (!hdev_is_powered(hdev)) {
1600                 bool changed = false;
1601
1602                 /* Setting limited discoverable when powered off is
1603                  * not a valid operation since it requires a timeout
1604                  * and so no need to check HCI_LIMITED_DISCOVERABLE.
1605                  */
1606                 if (!!cp->val != hci_dev_test_flag(hdev, HCI_DISCOVERABLE)) {
1607                         hci_dev_change_flag(hdev, HCI_DISCOVERABLE);
1608                         changed = true;
1609                 }
1610
1611                 err = send_settings_rsp(sk, MGMT_OP_SET_DISCOVERABLE, hdev);
1612                 if (err < 0)
1613                         goto failed;
1614
1615                 if (changed)
1616                         err = new_settings(hdev, sk);
1617
1618                 goto failed;
1619         }
1620
1621         /* If the current mode is the same, then just update the timeout
1622          * value with the new value. And if only the timeout gets updated,
1623          * then no need for any HCI transactions.
1624          */
1625         if (!!cp->val == hci_dev_test_flag(hdev, HCI_DISCOVERABLE) &&
1626             (cp->val == 0x02) == hci_dev_test_flag(hdev,
1627                                                    HCI_LIMITED_DISCOVERABLE)) {
1628                 cancel_delayed_work(&hdev->discov_off);
1629                 hdev->discov_timeout = timeout;
1630
1631                 if (cp->val && hdev->discov_timeout > 0) {
1632                         int to = msecs_to_jiffies(hdev->discov_timeout * 1000);
1633                         queue_delayed_work(hdev->req_workqueue,
1634                                            &hdev->discov_off, to);
1635                 }
1636
1637                 err = send_settings_rsp(sk, MGMT_OP_SET_DISCOVERABLE, hdev);
1638                 goto failed;
1639         }
1640
1641         cmd = mgmt_pending_add(sk, MGMT_OP_SET_DISCOVERABLE, hdev, data, len);
1642         if (!cmd) {
1643                 err = -ENOMEM;
1644                 goto failed;
1645         }
1646
1647         /* Cancel any potential discoverable timeout that might be
1648          * still active and store new timeout value. The arming of
1649          * the timeout happens in the complete handler.
1650          */
1651         cancel_delayed_work(&hdev->discov_off);
1652         hdev->discov_timeout = timeout;
1653
1654         if (cp->val)
1655                 hci_dev_set_flag(hdev, HCI_DISCOVERABLE);
1656         else
1657                 hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1658
1659         /* Limited discoverable mode */
1660         if (cp->val == 0x02)
1661                 hci_dev_set_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1662         else
1663                 hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1664
1665         err = hci_cmd_sync_queue(hdev, set_discoverable_sync, cmd,
1666                                  mgmt_set_discoverable_complete);
1667
1668         if (err < 0)
1669                 mgmt_pending_remove(cmd);
1670
1671 failed:
1672         hci_dev_unlock(hdev);
1673         return err;
1674 }
1675
1676 static void mgmt_set_connectable_complete(struct hci_dev *hdev, void *data,
1677                                           int err)
1678 {
1679         struct mgmt_pending_cmd *cmd = data;
1680
1681         bt_dev_dbg(hdev, "err %d", err);
1682
1683         /* Make sure cmd still outstanding. */
1684         if (cmd != pending_find(MGMT_OP_SET_CONNECTABLE, hdev))
1685                 return;
1686
1687         hci_dev_lock(hdev);
1688
1689         if (err) {
1690                 u8 mgmt_err = mgmt_status(err);
1691                 mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
1692                 goto done;
1693         }
1694
1695         send_settings_rsp(cmd->sk, MGMT_OP_SET_CONNECTABLE, hdev);
1696         new_settings(hdev, cmd->sk);
1697
1698 done:
1699         if (cmd)
1700                 mgmt_pending_remove(cmd);
1701
1702         hci_dev_unlock(hdev);
1703 }
1704
1705 static int set_connectable_update_settings(struct hci_dev *hdev,
1706                                            struct sock *sk, u8 val)
1707 {
1708         bool changed = false;
1709         int err;
1710
1711         if (!!val != hci_dev_test_flag(hdev, HCI_CONNECTABLE))
1712                 changed = true;
1713
1714         if (val) {
1715                 hci_dev_set_flag(hdev, HCI_CONNECTABLE);
1716         } else {
1717                 hci_dev_clear_flag(hdev, HCI_CONNECTABLE);
1718                 hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1719         }
1720
1721         err = send_settings_rsp(sk, MGMT_OP_SET_CONNECTABLE, hdev);
1722         if (err < 0)
1723                 return err;
1724
1725         if (changed) {
1726                 hci_update_scan(hdev);
1727                 hci_update_passive_scan(hdev);
1728                 return new_settings(hdev, sk);
1729         }
1730
1731         return 0;
1732 }
1733
1734 static int set_connectable_sync(struct hci_dev *hdev, void *data)
1735 {
1736         BT_DBG("%s", hdev->name);
1737
1738         return hci_update_connectable_sync(hdev);
1739 }
1740
1741 static int set_connectable(struct sock *sk, struct hci_dev *hdev, void *data,
1742                            u16 len)
1743 {
1744         struct mgmt_mode *cp = data;
1745         struct mgmt_pending_cmd *cmd;
1746         int err;
1747
1748         bt_dev_dbg(hdev, "sock %p", sk);
1749
1750         if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED) &&
1751             !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1752                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_CONNECTABLE,
1753                                        MGMT_STATUS_REJECTED);
1754
1755         if (cp->val != 0x00 && cp->val != 0x01)
1756                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_CONNECTABLE,
1757                                        MGMT_STATUS_INVALID_PARAMS);
1758
1759         hci_dev_lock(hdev);
1760
1761         if (!hdev_is_powered(hdev)) {
1762                 err = set_connectable_update_settings(hdev, sk, cp->val);
1763                 goto failed;
1764         }
1765
1766         if (pending_find(MGMT_OP_SET_DISCOVERABLE, hdev) ||
1767             pending_find(MGMT_OP_SET_CONNECTABLE, hdev)) {
1768                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_CONNECTABLE,
1769                                       MGMT_STATUS_BUSY);
1770                 goto failed;
1771         }
1772
1773         cmd = mgmt_pending_add(sk, MGMT_OP_SET_CONNECTABLE, hdev, data, len);
1774         if (!cmd) {
1775                 err = -ENOMEM;
1776                 goto failed;
1777         }
1778
1779         if (cp->val) {
1780                 hci_dev_set_flag(hdev, HCI_CONNECTABLE);
1781         } else {
1782                 if (hdev->discov_timeout > 0)
1783                         cancel_delayed_work(&hdev->discov_off);
1784
1785                 hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1786                 hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1787                 hci_dev_clear_flag(hdev, HCI_CONNECTABLE);
1788         }
1789
1790         err = hci_cmd_sync_queue(hdev, set_connectable_sync, cmd,
1791                                  mgmt_set_connectable_complete);
1792
1793         if (err < 0)
1794                 mgmt_pending_remove(cmd);
1795
1796 failed:
1797         hci_dev_unlock(hdev);
1798         return err;
1799 }
1800
1801 static int set_bondable(struct sock *sk, struct hci_dev *hdev, void *data,
1802                         u16 len)
1803 {
1804         struct mgmt_mode *cp = data;
1805         bool changed;
1806         int err;
1807
1808         bt_dev_dbg(hdev, "sock %p", sk);
1809
1810         if (cp->val != 0x00 && cp->val != 0x01)
1811                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BONDABLE,
1812                                        MGMT_STATUS_INVALID_PARAMS);
1813
1814         hci_dev_lock(hdev);
1815
1816         if (cp->val)
1817                 changed = !hci_dev_test_and_set_flag(hdev, HCI_BONDABLE);
1818         else
1819                 changed = hci_dev_test_and_clear_flag(hdev, HCI_BONDABLE);
1820
1821         err = send_settings_rsp(sk, MGMT_OP_SET_BONDABLE, hdev);
1822         if (err < 0)
1823                 goto unlock;
1824
1825         if (changed) {
1826                 /* In limited privacy mode the change of bondable mode
1827                  * may affect the local advertising address.
1828                  */
1829                 hci_update_discoverable(hdev);
1830
1831                 err = new_settings(hdev, sk);
1832         }
1833
1834 unlock:
1835         hci_dev_unlock(hdev);
1836         return err;
1837 }
1838
1839 static int set_link_security(struct sock *sk, struct hci_dev *hdev, void *data,
1840                              u16 len)
1841 {
1842         struct mgmt_mode *cp = data;
1843         struct mgmt_pending_cmd *cmd;
1844         u8 val, status;
1845         int err;
1846
1847         bt_dev_dbg(hdev, "sock %p", sk);
1848
1849         status = mgmt_bredr_support(hdev);
1850         if (status)
1851                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY,
1852                                        status);
1853
1854         if (cp->val != 0x00 && cp->val != 0x01)
1855                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY,
1856                                        MGMT_STATUS_INVALID_PARAMS);
1857
1858         hci_dev_lock(hdev);
1859
1860         if (!hdev_is_powered(hdev)) {
1861                 bool changed = false;
1862
1863                 if (!!cp->val != hci_dev_test_flag(hdev, HCI_LINK_SECURITY)) {
1864                         hci_dev_change_flag(hdev, HCI_LINK_SECURITY);
1865                         changed = true;
1866                 }
1867
1868                 err = send_settings_rsp(sk, MGMT_OP_SET_LINK_SECURITY, hdev);
1869                 if (err < 0)
1870                         goto failed;
1871
1872                 if (changed)
1873                         err = new_settings(hdev, sk);
1874
1875                 goto failed;
1876         }
1877
1878         if (pending_find(MGMT_OP_SET_LINK_SECURITY, hdev)) {
1879                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY,
1880                                       MGMT_STATUS_BUSY);
1881                 goto failed;
1882         }
1883
1884         val = !!cp->val;
1885
1886         if (test_bit(HCI_AUTH, &hdev->flags) == val) {
1887                 err = send_settings_rsp(sk, MGMT_OP_SET_LINK_SECURITY, hdev);
1888                 goto failed;
1889         }
1890
1891         cmd = mgmt_pending_add(sk, MGMT_OP_SET_LINK_SECURITY, hdev, data, len);
1892         if (!cmd) {
1893                 err = -ENOMEM;
1894                 goto failed;
1895         }
1896
1897         err = hci_send_cmd(hdev, HCI_OP_WRITE_AUTH_ENABLE, sizeof(val), &val);
1898         if (err < 0) {
1899                 mgmt_pending_remove(cmd);
1900                 goto failed;
1901         }
1902
1903 failed:
1904         hci_dev_unlock(hdev);
1905         return err;
1906 }
1907
1908 static void set_ssp_complete(struct hci_dev *hdev, void *data, int err)
1909 {
1910         struct cmd_lookup match = { NULL, hdev };
1911         struct mgmt_pending_cmd *cmd = data;
1912         struct mgmt_mode *cp = cmd->param;
1913         u8 enable = cp->val;
1914         bool changed;
1915
1916         /* Make sure cmd still outstanding. */
1917         if (cmd != pending_find(MGMT_OP_SET_SSP, hdev))
1918                 return;
1919
1920         if (err) {
1921                 u8 mgmt_err = mgmt_status(err);
1922
1923                 if (enable && hci_dev_test_and_clear_flag(hdev,
1924                                                           HCI_SSP_ENABLED)) {
1925                         hci_dev_clear_flag(hdev, HCI_HS_ENABLED);
1926                         new_settings(hdev, NULL);
1927                 }
1928
1929                 mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, cmd_status_rsp,
1930                                      &mgmt_err);
1931                 return;
1932         }
1933
1934         if (enable) {
1935                 changed = !hci_dev_test_and_set_flag(hdev, HCI_SSP_ENABLED);
1936         } else {
1937                 changed = hci_dev_test_and_clear_flag(hdev, HCI_SSP_ENABLED);
1938
1939                 if (!changed)
1940                         changed = hci_dev_test_and_clear_flag(hdev,
1941                                                               HCI_HS_ENABLED);
1942                 else
1943                         hci_dev_clear_flag(hdev, HCI_HS_ENABLED);
1944         }
1945
1946         mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, settings_rsp, &match);
1947
1948         if (changed)
1949                 new_settings(hdev, match.sk);
1950
1951         if (match.sk)
1952                 sock_put(match.sk);
1953
1954         hci_update_eir_sync(hdev);
1955 }
1956
1957 static int set_ssp_sync(struct hci_dev *hdev, void *data)
1958 {
1959         struct mgmt_pending_cmd *cmd = data;
1960         struct mgmt_mode *cp = cmd->param;
1961         bool changed = false;
1962         int err;
1963
1964         if (cp->val)
1965                 changed = !hci_dev_test_and_set_flag(hdev, HCI_SSP_ENABLED);
1966
1967         err = hci_write_ssp_mode_sync(hdev, cp->val);
1968
1969         if (!err && changed)
1970                 hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
1971
1972         return err;
1973 }
1974
1975 static int set_ssp(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
1976 {
1977         struct mgmt_mode *cp = data;
1978         struct mgmt_pending_cmd *cmd;
1979         u8 status;
1980         int err;
1981
1982         bt_dev_dbg(hdev, "sock %p", sk);
1983
1984         status = mgmt_bredr_support(hdev);
1985         if (status)
1986                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP, status);
1987
1988         if (!lmp_ssp_capable(hdev))
1989                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
1990                                        MGMT_STATUS_NOT_SUPPORTED);
1991
1992         if (cp->val != 0x00 && cp->val != 0x01)
1993                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
1994                                        MGMT_STATUS_INVALID_PARAMS);
1995
1996         hci_dev_lock(hdev);
1997
1998         if (!hdev_is_powered(hdev)) {
1999                 bool changed;
2000
2001                 if (cp->val) {
2002                         changed = !hci_dev_test_and_set_flag(hdev,
2003                                                              HCI_SSP_ENABLED);
2004                 } else {
2005                         changed = hci_dev_test_and_clear_flag(hdev,
2006                                                               HCI_SSP_ENABLED);
2007                         if (!changed)
2008                                 changed = hci_dev_test_and_clear_flag(hdev,
2009                                                                       HCI_HS_ENABLED);
2010                         else
2011                                 hci_dev_clear_flag(hdev, HCI_HS_ENABLED);
2012                 }
2013
2014                 err = send_settings_rsp(sk, MGMT_OP_SET_SSP, hdev);
2015                 if (err < 0)
2016                         goto failed;
2017
2018                 if (changed)
2019                         err = new_settings(hdev, sk);
2020
2021                 goto failed;
2022         }
2023
2024         if (pending_find(MGMT_OP_SET_SSP, hdev)) {
2025                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
2026                                       MGMT_STATUS_BUSY);
2027                 goto failed;
2028         }
2029
2030         if (!!cp->val == hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
2031                 err = send_settings_rsp(sk, MGMT_OP_SET_SSP, hdev);
2032                 goto failed;
2033         }
2034
2035         cmd = mgmt_pending_add(sk, MGMT_OP_SET_SSP, hdev, data, len);
2036         if (!cmd)
2037                 err = -ENOMEM;
2038         else
2039                 err = hci_cmd_sync_queue(hdev, set_ssp_sync, cmd,
2040                                          set_ssp_complete);
2041
2042         if (err < 0) {
2043                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
2044                                       MGMT_STATUS_FAILED);
2045
2046                 if (cmd)
2047                         mgmt_pending_remove(cmd);
2048         }
2049
2050 failed:
2051         hci_dev_unlock(hdev);
2052         return err;
2053 }
2054
2055 static int set_hs(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
2056 {
2057         struct mgmt_mode *cp = data;
2058         bool changed;
2059         u8 status;
2060         int err;
2061
2062         bt_dev_dbg(hdev, "sock %p", sk);
2063
2064         if (!IS_ENABLED(CONFIG_BT_HS))
2065                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
2066                                        MGMT_STATUS_NOT_SUPPORTED);
2067
2068         status = mgmt_bredr_support(hdev);
2069         if (status)
2070                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS, status);
2071
2072         if (!lmp_ssp_capable(hdev))
2073                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
2074                                        MGMT_STATUS_NOT_SUPPORTED);
2075
2076         if (!hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
2077                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
2078                                        MGMT_STATUS_REJECTED);
2079
2080         if (cp->val != 0x00 && cp->val != 0x01)
2081                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
2082                                        MGMT_STATUS_INVALID_PARAMS);
2083
2084         hci_dev_lock(hdev);
2085
2086         if (pending_find(MGMT_OP_SET_SSP, hdev)) {
2087                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
2088                                       MGMT_STATUS_BUSY);
2089                 goto unlock;
2090         }
2091
2092         if (cp->val) {
2093                 changed = !hci_dev_test_and_set_flag(hdev, HCI_HS_ENABLED);
2094         } else {
2095                 if (hdev_is_powered(hdev)) {
2096                         err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
2097                                               MGMT_STATUS_REJECTED);
2098                         goto unlock;
2099                 }
2100
2101                 changed = hci_dev_test_and_clear_flag(hdev, HCI_HS_ENABLED);
2102         }
2103
2104         err = send_settings_rsp(sk, MGMT_OP_SET_HS, hdev);
2105         if (err < 0)
2106                 goto unlock;
2107
2108         if (changed)
2109                 err = new_settings(hdev, sk);
2110
2111 unlock:
2112         hci_dev_unlock(hdev);
2113         return err;
2114 }
2115
2116 static void set_le_complete(struct hci_dev *hdev, void *data, int err)
2117 {
2118         struct cmd_lookup match = { NULL, hdev };
2119         u8 status = mgmt_status(err);
2120
2121         bt_dev_dbg(hdev, "err %d", err);
2122
2123         if (status) {
2124                 mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, cmd_status_rsp,
2125                                                         &status);
2126                 return;
2127         }
2128
2129         mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, settings_rsp, &match);
2130
2131         new_settings(hdev, match.sk);
2132
2133         if (match.sk)
2134                 sock_put(match.sk);
2135 }
2136
2137 static int set_le_sync(struct hci_dev *hdev, void *data)
2138 {
2139         struct mgmt_pending_cmd *cmd = data;
2140         struct mgmt_mode *cp = cmd->param;
2141         u8 val = !!cp->val;
2142         int err;
2143
2144         if (!val) {
2145                 hci_clear_adv_instance_sync(hdev, NULL, 0x00, true);
2146
2147                 if (hci_dev_test_flag(hdev, HCI_LE_ADV))
2148                         hci_disable_advertising_sync(hdev);
2149
2150                 if (ext_adv_capable(hdev))
2151                         hci_remove_ext_adv_instance_sync(hdev, 0, cmd->sk);
2152         } else {
2153                 hci_dev_set_flag(hdev, HCI_LE_ENABLED);
2154         }
2155
2156         err = hci_write_le_host_supported_sync(hdev, val, 0);
2157
2158         /* Make sure the controller has a good default for
2159          * advertising data. Restrict the update to when LE
2160          * has actually been enabled. During power on, the
2161          * update in powered_update_hci will take care of it.
2162          */
2163         if (!err && hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
2164                 if (ext_adv_capable(hdev)) {
2165                         int status;
2166
2167                         status = hci_setup_ext_adv_instance_sync(hdev, 0x00);
2168                         if (!status)
2169                                 hci_update_scan_rsp_data_sync(hdev, 0x00);
2170                 } else {
2171                         hci_update_adv_data_sync(hdev, 0x00);
2172                         hci_update_scan_rsp_data_sync(hdev, 0x00);
2173                 }
2174
2175                 hci_update_passive_scan(hdev);
2176         }
2177
2178         return err;
2179 }
2180
2181 static void set_mesh_complete(struct hci_dev *hdev, void *data, int err)
2182 {
2183         struct mgmt_pending_cmd *cmd = data;
2184         u8 status = mgmt_status(err);
2185         struct sock *sk = cmd->sk;
2186
2187         if (status) {
2188                 mgmt_pending_foreach(MGMT_OP_SET_MESH_RECEIVER, hdev,
2189                                      cmd_status_rsp, &status);
2190                 return;
2191         }
2192
2193         mgmt_pending_remove(cmd);
2194         mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER, 0, NULL, 0);
2195 }
2196
2197 static int set_mesh_sync(struct hci_dev *hdev, void *data)
2198 {
2199         struct mgmt_pending_cmd *cmd = data;
2200         struct mgmt_cp_set_mesh *cp = cmd->param;
2201         size_t len = cmd->param_len;
2202
2203         memset(hdev->mesh_ad_types, 0, sizeof(hdev->mesh_ad_types));
2204
2205         if (cp->enable)
2206                 hci_dev_set_flag(hdev, HCI_MESH);
2207         else
2208                 hci_dev_clear_flag(hdev, HCI_MESH);
2209
2210         len -= sizeof(*cp);
2211
2212         /* If filters don't fit, forward all adv pkts */
2213         if (len <= sizeof(hdev->mesh_ad_types))
2214                 memcpy(hdev->mesh_ad_types, cp->ad_types, len);
2215
2216         hci_update_passive_scan_sync(hdev);
2217         return 0;
2218 }
2219
2220 static int set_mesh(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
2221 {
2222         struct mgmt_cp_set_mesh *cp = data;
2223         struct mgmt_pending_cmd *cmd;
2224         int err = 0;
2225
2226         bt_dev_dbg(hdev, "sock %p", sk);
2227
2228         if (!lmp_le_capable(hdev) ||
2229             !hci_dev_test_flag(hdev, HCI_MESH_EXPERIMENTAL))
2230                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER,
2231                                        MGMT_STATUS_NOT_SUPPORTED);
2232
2233         if (cp->enable != 0x00 && cp->enable != 0x01)
2234                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER,
2235                                        MGMT_STATUS_INVALID_PARAMS);
2236
2237         hci_dev_lock(hdev);
2238
2239         cmd = mgmt_pending_add(sk, MGMT_OP_SET_MESH_RECEIVER, hdev, data, len);
2240         if (!cmd)
2241                 err = -ENOMEM;
2242         else
2243                 err = hci_cmd_sync_queue(hdev, set_mesh_sync, cmd,
2244                                          set_mesh_complete);
2245
2246         if (err < 0) {
2247                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER,
2248                                       MGMT_STATUS_FAILED);
2249
2250                 if (cmd)
2251                         mgmt_pending_remove(cmd);
2252         }
2253
2254         hci_dev_unlock(hdev);
2255         return err;
2256 }
2257
2258 static void mesh_send_start_complete(struct hci_dev *hdev, void *data, int err)
2259 {
2260         struct mgmt_mesh_tx *mesh_tx = data;
2261         struct mgmt_cp_mesh_send *send = (void *)mesh_tx->param;
2262         unsigned long mesh_send_interval;
2263         u8 mgmt_err = mgmt_status(err);
2264
2265         /* Report any errors here, but don't report completion */
2266
2267         if (mgmt_err) {
2268                 hci_dev_clear_flag(hdev, HCI_MESH_SENDING);
2269                 /* Send Complete Error Code for handle */
2270                 mesh_send_complete(hdev, mesh_tx, false);
2271                 return;
2272         }
2273
2274         mesh_send_interval = msecs_to_jiffies((send->cnt) * 25);
2275         queue_delayed_work(hdev->req_workqueue, &hdev->mesh_send_done,
2276                            mesh_send_interval);
2277 }
2278
2279 static int mesh_send_sync(struct hci_dev *hdev, void *data)
2280 {
2281         struct mgmt_mesh_tx *mesh_tx = data;
2282         struct mgmt_cp_mesh_send *send = (void *)mesh_tx->param;
2283         struct adv_info *adv, *next_instance;
2284         u8 instance = hdev->le_num_of_adv_sets + 1;
2285         u16 timeout, duration;
2286         int err = 0;
2287
2288         if (hdev->le_num_of_adv_sets <= hdev->adv_instance_cnt)
2289                 return MGMT_STATUS_BUSY;
2290
2291         timeout = 1000;
2292         duration = send->cnt * INTERVAL_TO_MS(hdev->le_adv_max_interval);
2293         adv = hci_add_adv_instance(hdev, instance, 0,
2294                                    send->adv_data_len, send->adv_data,
2295                                    0, NULL,
2296                                    timeout, duration,
2297                                    HCI_ADV_TX_POWER_NO_PREFERENCE,
2298                                    hdev->le_adv_min_interval,
2299                                    hdev->le_adv_max_interval,
2300                                    mesh_tx->handle);
2301
2302         if (!IS_ERR(adv))
2303                 mesh_tx->instance = instance;
2304         else
2305                 err = PTR_ERR(adv);
2306
2307         if (hdev->cur_adv_instance == instance) {
2308                 /* If the currently advertised instance is being changed then
2309                  * cancel the current advertising and schedule the next
2310                  * instance. If there is only one instance then the overridden
2311                  * advertising data will be visible right away.
2312                  */
2313                 cancel_adv_timeout(hdev);
2314
2315                 next_instance = hci_get_next_instance(hdev, instance);
2316                 if (next_instance)
2317                         instance = next_instance->instance;
2318                 else
2319                         instance = 0;
2320         } else if (hdev->adv_instance_timeout) {
2321                 /* Immediately advertise the new instance if no other, or
2322                  * let it go naturally from queue if ADV is already happening
2323                  */
2324                 instance = 0;
2325         }
2326
2327         if (instance)
2328                 return hci_schedule_adv_instance_sync(hdev, instance, true);
2329
2330         return err;
2331 }
2332
2333 static void send_count(struct mgmt_mesh_tx *mesh_tx, void *data)
2334 {
2335         struct mgmt_rp_mesh_read_features *rp = data;
2336
2337         if (rp->used_handles >= rp->max_handles)
2338                 return;
2339
2340         rp->handles[rp->used_handles++] = mesh_tx->handle;
2341 }
2342
2343 static int mesh_features(struct sock *sk, struct hci_dev *hdev,
2344                          void *data, u16 len)
2345 {
2346         struct mgmt_rp_mesh_read_features rp;
2347
2348         if (!lmp_le_capable(hdev) ||
2349             !hci_dev_test_flag(hdev, HCI_MESH_EXPERIMENTAL))
2350                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_MESH_READ_FEATURES,
2351                                        MGMT_STATUS_NOT_SUPPORTED);
2352
2353         memset(&rp, 0, sizeof(rp));
2354         rp.index = cpu_to_le16(hdev->id);
2355         if (hci_dev_test_flag(hdev, HCI_LE_ENABLED))
2356                 rp.max_handles = MESH_HANDLES_MAX;
2357
2358         hci_dev_lock(hdev);
2359
2360         if (rp.max_handles)
2361                 mgmt_mesh_foreach(hdev, send_count, &rp, sk);
2362
2363         mgmt_cmd_complete(sk, hdev->id, MGMT_OP_MESH_READ_FEATURES, 0, &rp,
2364                           rp.used_handles + sizeof(rp) - MESH_HANDLES_MAX);
2365
2366         hci_dev_unlock(hdev);
2367         return 0;
2368 }
2369
2370 static int send_cancel(struct hci_dev *hdev, void *data)
2371 {
2372         struct mgmt_pending_cmd *cmd = data;
2373         struct mgmt_cp_mesh_send_cancel *cancel = (void *)cmd->param;
2374         struct mgmt_mesh_tx *mesh_tx;
2375
2376         if (!cancel->handle) {
2377                 do {
2378                         mesh_tx = mgmt_mesh_next(hdev, cmd->sk);
2379
2380                         if (mesh_tx)
2381                                 mesh_send_complete(hdev, mesh_tx, false);
2382                 } while (mesh_tx);
2383         } else {
2384                 mesh_tx = mgmt_mesh_find(hdev, cancel->handle);
2385
2386                 if (mesh_tx && mesh_tx->sk == cmd->sk)
2387                         mesh_send_complete(hdev, mesh_tx, false);
2388         }
2389
2390         mgmt_cmd_complete(cmd->sk, hdev->id, MGMT_OP_MESH_SEND_CANCEL,
2391                           0, NULL, 0);
2392         mgmt_pending_free(cmd);
2393
2394         return 0;
2395 }
2396
2397 static int mesh_send_cancel(struct sock *sk, struct hci_dev *hdev,
2398                             void *data, u16 len)
2399 {
2400         struct mgmt_pending_cmd *cmd;
2401         int err;
2402
2403         if (!lmp_le_capable(hdev) ||
2404             !hci_dev_test_flag(hdev, HCI_MESH_EXPERIMENTAL))
2405                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_MESH_SEND_CANCEL,
2406                                        MGMT_STATUS_NOT_SUPPORTED);
2407
2408         if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
2409                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_MESH_SEND_CANCEL,
2410                                        MGMT_STATUS_REJECTED);
2411
2412         hci_dev_lock(hdev);
2413         cmd = mgmt_pending_new(sk, MGMT_OP_MESH_SEND_CANCEL, hdev, data, len);
2414         if (!cmd)
2415                 err = -ENOMEM;
2416         else
2417                 err = hci_cmd_sync_queue(hdev, send_cancel, cmd, NULL);
2418
2419         if (err < 0) {
2420                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_MESH_SEND_CANCEL,
2421                                       MGMT_STATUS_FAILED);
2422
2423                 if (cmd)
2424                         mgmt_pending_free(cmd);
2425         }
2426
2427         hci_dev_unlock(hdev);
2428         return err;
2429 }
2430
2431 static int mesh_send(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
2432 {
2433         struct mgmt_mesh_tx *mesh_tx;
2434         struct mgmt_cp_mesh_send *send = data;
2435         struct mgmt_rp_mesh_read_features rp;
2436         bool sending;
2437         int err = 0;
2438
2439         if (!lmp_le_capable(hdev) ||
2440             !hci_dev_test_flag(hdev, HCI_MESH_EXPERIMENTAL))
2441                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_MESH_SEND,
2442                                        MGMT_STATUS_NOT_SUPPORTED);
2443         if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED) ||
2444             len <= MGMT_MESH_SEND_SIZE ||
2445             len > (MGMT_MESH_SEND_SIZE + 31))
2446                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_MESH_SEND,
2447                                        MGMT_STATUS_REJECTED);
2448
2449         hci_dev_lock(hdev);
2450
2451         memset(&rp, 0, sizeof(rp));
2452         rp.max_handles = MESH_HANDLES_MAX;
2453
2454         mgmt_mesh_foreach(hdev, send_count, &rp, sk);
2455
2456         if (rp.max_handles <= rp.used_handles) {
2457                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_MESH_SEND,
2458                                       MGMT_STATUS_BUSY);
2459                 goto done;
2460         }
2461
2462         sending = hci_dev_test_flag(hdev, HCI_MESH_SENDING);
2463         mesh_tx = mgmt_mesh_add(sk, hdev, send, len);
2464
2465         if (!mesh_tx)
2466                 err = -ENOMEM;
2467         else if (!sending)
2468                 err = hci_cmd_sync_queue(hdev, mesh_send_sync, mesh_tx,
2469                                          mesh_send_start_complete);
2470
2471         if (err < 0) {
2472                 bt_dev_err(hdev, "Send Mesh Failed %d", err);
2473                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_MESH_SEND,
2474                                       MGMT_STATUS_FAILED);
2475
2476                 if (mesh_tx) {
2477                         if (sending)
2478                                 mgmt_mesh_remove(mesh_tx);
2479                 }
2480         } else {
2481                 hci_dev_set_flag(hdev, HCI_MESH_SENDING);
2482
2483                 mgmt_cmd_complete(sk, hdev->id, MGMT_OP_MESH_SEND, 0,
2484                                   &mesh_tx->handle, 1);
2485         }
2486
2487 done:
2488         hci_dev_unlock(hdev);
2489         return err;
2490 }
2491
2492 static int set_le(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
2493 {
2494         struct mgmt_mode *cp = data;
2495         struct mgmt_pending_cmd *cmd;
2496         int err;
2497         u8 val, enabled;
2498
2499         bt_dev_dbg(hdev, "sock %p", sk);
2500
2501         if (!lmp_le_capable(hdev))
2502                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
2503                                        MGMT_STATUS_NOT_SUPPORTED);
2504
2505         if (cp->val != 0x00 && cp->val != 0x01)
2506                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
2507                                        MGMT_STATUS_INVALID_PARAMS);
2508
2509         /* Bluetooth single mode LE only controllers or dual-mode
2510          * controllers configured as LE only devices, do not allow
2511          * switching LE off. These have either LE enabled explicitly
2512          * or BR/EDR has been previously switched off.
2513          *
2514          * When trying to enable an already enabled LE, then gracefully
2515          * send a positive response. Trying to disable it however will
2516          * result into rejection.
2517          */
2518         if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
2519                 if (cp->val == 0x01)
2520                         return send_settings_rsp(sk, MGMT_OP_SET_LE, hdev);
2521
2522                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
2523                                        MGMT_STATUS_REJECTED);
2524         }
2525
2526         hci_dev_lock(hdev);
2527
2528         val = !!cp->val;
2529         enabled = lmp_host_le_capable(hdev);
2530
2531         if (!hdev_is_powered(hdev) || val == enabled) {
2532                 bool changed = false;
2533
2534                 if (val != hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
2535                         hci_dev_change_flag(hdev, HCI_LE_ENABLED);
2536                         changed = true;
2537                 }
2538
2539                 if (!val && hci_dev_test_flag(hdev, HCI_ADVERTISING)) {
2540                         hci_dev_clear_flag(hdev, HCI_ADVERTISING);
2541                         changed = true;
2542                 }
2543
2544                 err = send_settings_rsp(sk, MGMT_OP_SET_LE, hdev);
2545                 if (err < 0)
2546                         goto unlock;
2547
2548                 if (changed)
2549                         err = new_settings(hdev, sk);
2550
2551                 goto unlock;
2552         }
2553
2554         if (pending_find(MGMT_OP_SET_LE, hdev) ||
2555             pending_find(MGMT_OP_SET_ADVERTISING, hdev)) {
2556                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
2557                                       MGMT_STATUS_BUSY);
2558                 goto unlock;
2559         }
2560
2561         cmd = mgmt_pending_add(sk, MGMT_OP_SET_LE, hdev, data, len);
2562         if (!cmd)
2563                 err = -ENOMEM;
2564         else
2565                 err = hci_cmd_sync_queue(hdev, set_le_sync, cmd,
2566                                          set_le_complete);
2567
2568         if (err < 0) {
2569                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
2570                                       MGMT_STATUS_FAILED);
2571
2572                 if (cmd)
2573                         mgmt_pending_remove(cmd);
2574         }
2575
2576 unlock:
2577         hci_dev_unlock(hdev);
2578         return err;
2579 }
2580
2581 /* This is a helper function to test for pending mgmt commands that can
2582  * cause CoD or EIR HCI commands. We can only allow one such pending
2583  * mgmt command at a time since otherwise we cannot easily track what
2584  * the current values are, will be, and based on that calculate if a new
2585  * HCI command needs to be sent and if yes with what value.
2586  */
2587 static bool pending_eir_or_class(struct hci_dev *hdev)
2588 {
2589         struct mgmt_pending_cmd *cmd;
2590
2591         list_for_each_entry(cmd, &hdev->mgmt_pending, list) {
2592                 switch (cmd->opcode) {
2593                 case MGMT_OP_ADD_UUID:
2594                 case MGMT_OP_REMOVE_UUID:
2595                 case MGMT_OP_SET_DEV_CLASS:
2596                 case MGMT_OP_SET_POWERED:
2597                         return true;
2598                 }
2599         }
2600
2601         return false;
2602 }
2603
2604 static const u8 bluetooth_base_uuid[] = {
2605                         0xfb, 0x34, 0x9b, 0x5f, 0x80, 0x00, 0x00, 0x80,
2606                         0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2607 };
2608
2609 static u8 get_uuid_size(const u8 *uuid)
2610 {
2611         u32 val;
2612
2613         if (memcmp(uuid, bluetooth_base_uuid, 12))
2614                 return 128;
2615
2616         val = get_unaligned_le32(&uuid[12]);
2617         if (val > 0xffff)
2618                 return 32;
2619
2620         return 16;
2621 }
2622
2623 static void mgmt_class_complete(struct hci_dev *hdev, void *data, int err)
2624 {
2625         struct mgmt_pending_cmd *cmd = data;
2626
2627         bt_dev_dbg(hdev, "err %d", err);
2628
2629         mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
2630                           mgmt_status(err), hdev->dev_class, 3);
2631
2632         mgmt_pending_free(cmd);
2633 }
2634
2635 static int add_uuid_sync(struct hci_dev *hdev, void *data)
2636 {
2637         int err;
2638
2639         err = hci_update_class_sync(hdev);
2640         if (err)
2641                 return err;
2642
2643         return hci_update_eir_sync(hdev);
2644 }
2645
2646 static int add_uuid(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
2647 {
2648         struct mgmt_cp_add_uuid *cp = data;
2649         struct mgmt_pending_cmd *cmd;
2650         struct bt_uuid *uuid;
2651         int err;
2652
2653         bt_dev_dbg(hdev, "sock %p", sk);
2654
2655         hci_dev_lock(hdev);
2656
2657         if (pending_eir_or_class(hdev)) {
2658                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_UUID,
2659                                       MGMT_STATUS_BUSY);
2660                 goto failed;
2661         }
2662
2663         uuid = kmalloc(sizeof(*uuid), GFP_KERNEL);
2664         if (!uuid) {
2665                 err = -ENOMEM;
2666                 goto failed;
2667         }
2668
2669         memcpy(uuid->uuid, cp->uuid, 16);
2670         uuid->svc_hint = cp->svc_hint;
2671         uuid->size = get_uuid_size(cp->uuid);
2672
2673         list_add_tail(&uuid->list, &hdev->uuids);
2674
2675         cmd = mgmt_pending_new(sk, MGMT_OP_ADD_UUID, hdev, data, len);
2676         if (!cmd) {
2677                 err = -ENOMEM;
2678                 goto failed;
2679         }
2680
2681         err = hci_cmd_sync_queue(hdev, add_uuid_sync, cmd, mgmt_class_complete);
2682         if (err < 0) {
2683                 mgmt_pending_free(cmd);
2684                 goto failed;
2685         }
2686
2687 failed:
2688         hci_dev_unlock(hdev);
2689         return err;
2690 }
2691
2692 static bool enable_service_cache(struct hci_dev *hdev)
2693 {
2694         if (!hdev_is_powered(hdev))
2695                 return false;
2696
2697         if (!hci_dev_test_and_set_flag(hdev, HCI_SERVICE_CACHE)) {
2698                 queue_delayed_work(hdev->workqueue, &hdev->service_cache,
2699                                    CACHE_TIMEOUT);
2700                 return true;
2701         }
2702
2703         return false;
2704 }
2705
2706 static int remove_uuid_sync(struct hci_dev *hdev, void *data)
2707 {
2708         int err;
2709
2710         err = hci_update_class_sync(hdev);
2711         if (err)
2712                 return err;
2713
2714         return hci_update_eir_sync(hdev);
2715 }
2716
2717 static int remove_uuid(struct sock *sk, struct hci_dev *hdev, void *data,
2718                        u16 len)
2719 {
2720         struct mgmt_cp_remove_uuid *cp = data;
2721         struct mgmt_pending_cmd *cmd;
2722         struct bt_uuid *match, *tmp;
2723         static const u8 bt_uuid_any[] = {
2724                 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
2725         };
2726         int err, found;
2727
2728         bt_dev_dbg(hdev, "sock %p", sk);
2729
2730         hci_dev_lock(hdev);
2731
2732         if (pending_eir_or_class(hdev)) {
2733                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_UUID,
2734                                       MGMT_STATUS_BUSY);
2735                 goto unlock;
2736         }
2737
2738         if (memcmp(cp->uuid, bt_uuid_any, 16) == 0) {
2739                 hci_uuids_clear(hdev);
2740
2741                 if (enable_service_cache(hdev)) {
2742                         err = mgmt_cmd_complete(sk, hdev->id,
2743                                                 MGMT_OP_REMOVE_UUID,
2744                                                 0, hdev->dev_class, 3);
2745                         goto unlock;
2746                 }
2747
2748                 goto update_class;
2749         }
2750
2751         found = 0;
2752
2753         list_for_each_entry_safe(match, tmp, &hdev->uuids, list) {
2754                 if (memcmp(match->uuid, cp->uuid, 16) != 0)
2755                         continue;
2756
2757                 list_del(&match->list);
2758                 kfree(match);
2759                 found++;
2760         }
2761
2762         if (found == 0) {
2763                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_UUID,
2764                                       MGMT_STATUS_INVALID_PARAMS);
2765                 goto unlock;
2766         }
2767
2768 update_class:
2769         cmd = mgmt_pending_new(sk, MGMT_OP_REMOVE_UUID, hdev, data, len);
2770         if (!cmd) {
2771                 err = -ENOMEM;
2772                 goto unlock;
2773         }
2774
2775         err = hci_cmd_sync_queue(hdev, remove_uuid_sync, cmd,
2776                                  mgmt_class_complete);
2777         if (err < 0)
2778                 mgmt_pending_free(cmd);
2779
2780 unlock:
2781         hci_dev_unlock(hdev);
2782         return err;
2783 }
2784
2785 static int set_class_sync(struct hci_dev *hdev, void *data)
2786 {
2787         int err = 0;
2788
2789         if (hci_dev_test_and_clear_flag(hdev, HCI_SERVICE_CACHE)) {
2790                 cancel_delayed_work_sync(&hdev->service_cache);
2791                 err = hci_update_eir_sync(hdev);
2792         }
2793
2794         if (err)
2795                 return err;
2796
2797         return hci_update_class_sync(hdev);
2798 }
2799
2800 static int set_dev_class(struct sock *sk, struct hci_dev *hdev, void *data,
2801                          u16 len)
2802 {
2803         struct mgmt_cp_set_dev_class *cp = data;
2804         struct mgmt_pending_cmd *cmd;
2805         int err;
2806
2807         bt_dev_dbg(hdev, "sock %p", sk);
2808
2809         if (!lmp_bredr_capable(hdev))
2810                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEV_CLASS,
2811                                        MGMT_STATUS_NOT_SUPPORTED);
2812
2813         hci_dev_lock(hdev);
2814
2815         if (pending_eir_or_class(hdev)) {
2816                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEV_CLASS,
2817                                       MGMT_STATUS_BUSY);
2818                 goto unlock;
2819         }
2820
2821         if ((cp->minor & 0x03) != 0 || (cp->major & 0xe0) != 0) {
2822                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEV_CLASS,
2823                                       MGMT_STATUS_INVALID_PARAMS);
2824                 goto unlock;
2825         }
2826
2827         hdev->major_class = cp->major;
2828         hdev->minor_class = cp->minor;
2829
2830         if (!hdev_is_powered(hdev)) {
2831                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_DEV_CLASS, 0,
2832                                         hdev->dev_class, 3);
2833                 goto unlock;
2834         }
2835
2836         cmd = mgmt_pending_new(sk, MGMT_OP_SET_DEV_CLASS, hdev, data, len);
2837         if (!cmd) {
2838                 err = -ENOMEM;
2839                 goto unlock;
2840         }
2841
2842         err = hci_cmd_sync_queue(hdev, set_class_sync, cmd,
2843                                  mgmt_class_complete);
2844         if (err < 0)
2845                 mgmt_pending_free(cmd);
2846
2847 unlock:
2848         hci_dev_unlock(hdev);
2849         return err;
2850 }
2851
2852 static int load_link_keys(struct sock *sk, struct hci_dev *hdev, void *data,
2853                           u16 len)
2854 {
2855         struct mgmt_cp_load_link_keys *cp = data;
2856         const u16 max_key_count = ((U16_MAX - sizeof(*cp)) /
2857                                    sizeof(struct mgmt_link_key_info));
2858         u16 key_count, expected_len;
2859         bool changed;
2860         int i;
2861
2862         bt_dev_dbg(hdev, "sock %p", sk);
2863
2864         if (!lmp_bredr_capable(hdev))
2865                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2866                                        MGMT_STATUS_NOT_SUPPORTED);
2867
2868         key_count = __le16_to_cpu(cp->key_count);
2869         if (key_count > max_key_count) {
2870                 bt_dev_err(hdev, "load_link_keys: too big key_count value %u",
2871                            key_count);
2872                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2873                                        MGMT_STATUS_INVALID_PARAMS);
2874         }
2875
2876         expected_len = struct_size(cp, keys, key_count);
2877         if (expected_len != len) {
2878                 bt_dev_err(hdev, "load_link_keys: expected %u bytes, got %u bytes",
2879                            expected_len, len);
2880                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2881                                        MGMT_STATUS_INVALID_PARAMS);
2882         }
2883
2884         if (cp->debug_keys != 0x00 && cp->debug_keys != 0x01)
2885                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2886                                        MGMT_STATUS_INVALID_PARAMS);
2887
2888         bt_dev_dbg(hdev, "debug_keys %u key_count %u", cp->debug_keys,
2889                    key_count);
2890
2891         for (i = 0; i < key_count; i++) {
2892                 struct mgmt_link_key_info *key = &cp->keys[i];
2893
2894                 if (key->addr.type != BDADDR_BREDR || key->type > 0x08)
2895                         return mgmt_cmd_status(sk, hdev->id,
2896                                                MGMT_OP_LOAD_LINK_KEYS,
2897                                                MGMT_STATUS_INVALID_PARAMS);
2898         }
2899
2900         hci_dev_lock(hdev);
2901
2902         hci_link_keys_clear(hdev);
2903
2904         if (cp->debug_keys)
2905                 changed = !hci_dev_test_and_set_flag(hdev, HCI_KEEP_DEBUG_KEYS);
2906         else
2907                 changed = hci_dev_test_and_clear_flag(hdev,
2908                                                       HCI_KEEP_DEBUG_KEYS);
2909
2910         if (changed)
2911                 new_settings(hdev, NULL);
2912
2913         for (i = 0; i < key_count; i++) {
2914                 struct mgmt_link_key_info *key = &cp->keys[i];
2915
2916                 if (hci_is_blocked_key(hdev,
2917                                        HCI_BLOCKED_KEY_TYPE_LINKKEY,
2918                                        key->val)) {
2919                         bt_dev_warn(hdev, "Skipping blocked link key for %pMR",
2920                                     &key->addr.bdaddr);
2921                         continue;
2922                 }
2923
2924                 /* Always ignore debug keys and require a new pairing if
2925                  * the user wants to use them.
2926                  */
2927                 if (key->type == HCI_LK_DEBUG_COMBINATION)
2928                         continue;
2929
2930                 hci_add_link_key(hdev, NULL, &key->addr.bdaddr, key->val,
2931                                  key->type, key->pin_len, NULL);
2932         }
2933
2934         mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS, 0, NULL, 0);
2935
2936         hci_dev_unlock(hdev);
2937
2938         return 0;
2939 }
2940
2941 static int device_unpaired(struct hci_dev *hdev, bdaddr_t *bdaddr,
2942                            u8 addr_type, struct sock *skip_sk)
2943 {
2944         struct mgmt_ev_device_unpaired ev;
2945
2946         bacpy(&ev.addr.bdaddr, bdaddr);
2947         ev.addr.type = addr_type;
2948
2949         return mgmt_event(MGMT_EV_DEVICE_UNPAIRED, hdev, &ev, sizeof(ev),
2950                           skip_sk);
2951 }
2952
2953 static void unpair_device_complete(struct hci_dev *hdev, void *data, int err)
2954 {
2955         struct mgmt_pending_cmd *cmd = data;
2956         struct mgmt_cp_unpair_device *cp = cmd->param;
2957
2958         if (!err)
2959                 device_unpaired(hdev, &cp->addr.bdaddr, cp->addr.type, cmd->sk);
2960
2961         cmd->cmd_complete(cmd, err);
2962         mgmt_pending_free(cmd);
2963 }
2964
2965 static int unpair_device_sync(struct hci_dev *hdev, void *data)
2966 {
2967         struct mgmt_pending_cmd *cmd = data;
2968         struct mgmt_cp_unpair_device *cp = cmd->param;
2969         struct hci_conn *conn;
2970
2971         if (cp->addr.type == BDADDR_BREDR)
2972                 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
2973                                                &cp->addr.bdaddr);
2974         else
2975                 conn = hci_conn_hash_lookup_le(hdev, &cp->addr.bdaddr,
2976                                                le_addr_type(cp->addr.type));
2977
2978         if (!conn)
2979                 return 0;
2980
2981         return hci_abort_conn_sync(hdev, conn, HCI_ERROR_REMOTE_USER_TERM);
2982 }
2983
2984 static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2985                          u16 len)
2986 {
2987         struct mgmt_cp_unpair_device *cp = data;
2988         struct mgmt_rp_unpair_device rp;
2989         struct hci_conn_params *params;
2990         struct mgmt_pending_cmd *cmd;
2991         struct hci_conn *conn;
2992         u8 addr_type;
2993         int err;
2994
2995         memset(&rp, 0, sizeof(rp));
2996         bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
2997         rp.addr.type = cp->addr.type;
2998
2999         if (!bdaddr_type_is_valid(cp->addr.type))
3000                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
3001                                          MGMT_STATUS_INVALID_PARAMS,
3002                                          &rp, sizeof(rp));
3003
3004         if (cp->disconnect != 0x00 && cp->disconnect != 0x01)
3005                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
3006                                          MGMT_STATUS_INVALID_PARAMS,
3007                                          &rp, sizeof(rp));
3008
3009         hci_dev_lock(hdev);
3010
3011         if (!hdev_is_powered(hdev)) {
3012                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
3013                                         MGMT_STATUS_NOT_POWERED, &rp,
3014                                         sizeof(rp));
3015                 goto unlock;
3016         }
3017
3018         if (cp->addr.type == BDADDR_BREDR) {
3019                 /* If disconnection is requested, then look up the
3020                  * connection. If the remote device is connected, it
3021                  * will be later used to terminate the link.
3022                  *
3023                  * Setting it to NULL explicitly will cause no
3024                  * termination of the link.
3025                  */
3026                 if (cp->disconnect)
3027                         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
3028                                                        &cp->addr.bdaddr);
3029                 else
3030                         conn = NULL;
3031
3032                 err = hci_remove_link_key(hdev, &cp->addr.bdaddr);
3033                 if (err < 0) {
3034                         err = mgmt_cmd_complete(sk, hdev->id,
3035                                                 MGMT_OP_UNPAIR_DEVICE,
3036                                                 MGMT_STATUS_NOT_PAIRED, &rp,
3037                                                 sizeof(rp));
3038                         goto unlock;
3039                 }
3040
3041                 goto done;
3042         }
3043
3044         /* LE address type */
3045         addr_type = le_addr_type(cp->addr.type);
3046
3047         /* Abort any ongoing SMP pairing. Removes ltk and irk if they exist. */
3048         err = smp_cancel_and_remove_pairing(hdev, &cp->addr.bdaddr, addr_type);
3049         if (err < 0) {
3050                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
3051                                         MGMT_STATUS_NOT_PAIRED, &rp,
3052                                         sizeof(rp));
3053                 goto unlock;
3054         }
3055
3056         conn = hci_conn_hash_lookup_le(hdev, &cp->addr.bdaddr, addr_type);
3057         if (!conn) {
3058                 hci_conn_params_del(hdev, &cp->addr.bdaddr, addr_type);
3059                 goto done;
3060         }
3061
3062
3063         /* Defer clearing up the connection parameters until closing to
3064          * give a chance of keeping them if a repairing happens.
3065          */
3066         set_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags);
3067
3068         /* Disable auto-connection parameters if present */
3069         params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr, addr_type);
3070         if (params) {
3071                 if (params->explicit_connect)
3072                         params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
3073                 else
3074                         params->auto_connect = HCI_AUTO_CONN_DISABLED;
3075         }
3076
3077         /* If disconnection is not requested, then clear the connection
3078          * variable so that the link is not terminated.
3079          */
3080         if (!cp->disconnect)
3081                 conn = NULL;
3082
3083 done:
3084         /* If the connection variable is set, then termination of the
3085          * link is requested.
3086          */
3087         if (!conn) {
3088                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE, 0,
3089                                         &rp, sizeof(rp));
3090                 device_unpaired(hdev, &cp->addr.bdaddr, cp->addr.type, sk);
3091                 goto unlock;
3092         }
3093
3094         cmd = mgmt_pending_new(sk, MGMT_OP_UNPAIR_DEVICE, hdev, cp,
3095                                sizeof(*cp));
3096         if (!cmd) {
3097                 err = -ENOMEM;
3098                 goto unlock;
3099         }
3100
3101         cmd->cmd_complete = addr_cmd_complete;
3102
3103         err = hci_cmd_sync_queue(hdev, unpair_device_sync, cmd,
3104                                  unpair_device_complete);
3105         if (err < 0)
3106                 mgmt_pending_free(cmd);
3107
3108 unlock:
3109         hci_dev_unlock(hdev);
3110         return err;
3111 }
3112
3113 static int disconnect(struct sock *sk, struct hci_dev *hdev, void *data,
3114                       u16 len)
3115 {
3116         struct mgmt_cp_disconnect *cp = data;
3117         struct mgmt_rp_disconnect rp;
3118         struct mgmt_pending_cmd *cmd;
3119         struct hci_conn *conn;
3120         int err;
3121
3122         bt_dev_dbg(hdev, "sock %p", sk);
3123
3124         memset(&rp, 0, sizeof(rp));
3125         bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
3126         rp.addr.type = cp->addr.type;
3127
3128         if (!bdaddr_type_is_valid(cp->addr.type))
3129                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
3130                                          MGMT_STATUS_INVALID_PARAMS,
3131                                          &rp, sizeof(rp));
3132
3133         hci_dev_lock(hdev);
3134
3135         if (!test_bit(HCI_UP, &hdev->flags)) {
3136                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
3137                                         MGMT_STATUS_NOT_POWERED, &rp,
3138                                         sizeof(rp));
3139                 goto failed;
3140         }
3141
3142         if (pending_find(MGMT_OP_DISCONNECT, hdev)) {
3143                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
3144                                         MGMT_STATUS_BUSY, &rp, sizeof(rp));
3145                 goto failed;
3146         }
3147
3148         if (cp->addr.type == BDADDR_BREDR)
3149                 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
3150                                                &cp->addr.bdaddr);
3151         else
3152                 conn = hci_conn_hash_lookup_le(hdev, &cp->addr.bdaddr,
3153                                                le_addr_type(cp->addr.type));
3154
3155         if (!conn || conn->state == BT_OPEN || conn->state == BT_CLOSED) {
3156                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
3157                                         MGMT_STATUS_NOT_CONNECTED, &rp,
3158                                         sizeof(rp));
3159                 goto failed;
3160         }
3161
3162         cmd = mgmt_pending_add(sk, MGMT_OP_DISCONNECT, hdev, data, len);
3163         if (!cmd) {
3164                 err = -ENOMEM;
3165                 goto failed;
3166         }
3167
3168         cmd->cmd_complete = generic_cmd_complete;
3169
3170         err = hci_disconnect(conn, HCI_ERROR_REMOTE_USER_TERM);
3171         if (err < 0)
3172                 mgmt_pending_remove(cmd);
3173
3174 failed:
3175         hci_dev_unlock(hdev);
3176         return err;
3177 }
3178
3179 static u8 link_to_bdaddr(u8 link_type, u8 addr_type)
3180 {
3181         switch (link_type) {
3182         case LE_LINK:
3183                 switch (addr_type) {
3184                 case ADDR_LE_DEV_PUBLIC:
3185                         return BDADDR_LE_PUBLIC;
3186
3187                 default:
3188                         /* Fallback to LE Random address type */
3189                         return BDADDR_LE_RANDOM;
3190                 }
3191
3192         default:
3193                 /* Fallback to BR/EDR type */
3194                 return BDADDR_BREDR;
3195         }
3196 }
3197
3198 static int get_connections(struct sock *sk, struct hci_dev *hdev, void *data,
3199                            u16 data_len)
3200 {
3201         struct mgmt_rp_get_connections *rp;
3202         struct hci_conn *c;
3203         int err;
3204         u16 i;
3205
3206         bt_dev_dbg(hdev, "sock %p", sk);
3207
3208         hci_dev_lock(hdev);
3209
3210         if (!hdev_is_powered(hdev)) {
3211                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_GET_CONNECTIONS,
3212                                       MGMT_STATUS_NOT_POWERED);
3213                 goto unlock;
3214         }
3215
3216         i = 0;
3217         list_for_each_entry(c, &hdev->conn_hash.list, list) {
3218                 if (test_bit(HCI_CONN_MGMT_CONNECTED, &c->flags))
3219                         i++;
3220         }
3221
3222         rp = kmalloc(struct_size(rp, addr, i), GFP_KERNEL);
3223         if (!rp) {
3224                 err = -ENOMEM;
3225                 goto unlock;
3226         }
3227
3228         i = 0;
3229         list_for_each_entry(c, &hdev->conn_hash.list, list) {
3230                 if (!test_bit(HCI_CONN_MGMT_CONNECTED, &c->flags))
3231                         continue;
3232                 bacpy(&rp->addr[i].bdaddr, &c->dst);
3233                 rp->addr[i].type = link_to_bdaddr(c->type, c->dst_type);
3234                 if (c->type == SCO_LINK || c->type == ESCO_LINK)
3235                         continue;
3236                 i++;
3237         }
3238
3239         rp->conn_count = cpu_to_le16(i);
3240
3241         /* Recalculate length in case of filtered SCO connections, etc */
3242         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONNECTIONS, 0, rp,
3243                                 struct_size(rp, addr, i));
3244
3245         kfree(rp);
3246
3247 unlock:
3248         hci_dev_unlock(hdev);
3249         return err;
3250 }
3251
3252 static int send_pin_code_neg_reply(struct sock *sk, struct hci_dev *hdev,
3253                                    struct mgmt_cp_pin_code_neg_reply *cp)
3254 {
3255         struct mgmt_pending_cmd *cmd;
3256         int err;
3257
3258         cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_NEG_REPLY, hdev, cp,
3259                                sizeof(*cp));
3260         if (!cmd)
3261                 return -ENOMEM;
3262
3263         cmd->cmd_complete = addr_cmd_complete;
3264
3265         err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
3266                            sizeof(cp->addr.bdaddr), &cp->addr.bdaddr);
3267         if (err < 0)
3268                 mgmt_pending_remove(cmd);
3269
3270         return err;
3271 }
3272
3273 static int pin_code_reply(struct sock *sk, struct hci_dev *hdev, void *data,
3274                           u16 len)
3275 {
3276         struct hci_conn *conn;
3277         struct mgmt_cp_pin_code_reply *cp = data;
3278         struct hci_cp_pin_code_reply reply;
3279         struct mgmt_pending_cmd *cmd;
3280         int err;
3281
3282         bt_dev_dbg(hdev, "sock %p", sk);
3283
3284         hci_dev_lock(hdev);
3285
3286         if (!hdev_is_powered(hdev)) {
3287                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
3288                                       MGMT_STATUS_NOT_POWERED);
3289                 goto failed;
3290         }
3291
3292         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->addr.bdaddr);
3293         if (!conn) {
3294                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
3295                                       MGMT_STATUS_NOT_CONNECTED);
3296                 goto failed;
3297         }
3298
3299         if (conn->pending_sec_level == BT_SECURITY_HIGH && cp->pin_len != 16) {
3300                 struct mgmt_cp_pin_code_neg_reply ncp;
3301
3302                 memcpy(&ncp.addr, &cp->addr, sizeof(ncp.addr));
3303
3304                 bt_dev_err(hdev, "PIN code is not 16 bytes long");
3305
3306                 err = send_pin_code_neg_reply(sk, hdev, &ncp);
3307                 if (err >= 0)
3308                         err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
3309                                               MGMT_STATUS_INVALID_PARAMS);
3310
3311                 goto failed;
3312         }
3313
3314         cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_REPLY, hdev, data, len);
3315         if (!cmd) {
3316                 err = -ENOMEM;
3317                 goto failed;
3318         }
3319
3320         cmd->cmd_complete = addr_cmd_complete;
3321
3322         bacpy(&reply.bdaddr, &cp->addr.bdaddr);
3323         reply.pin_len = cp->pin_len;
3324         memcpy(reply.pin_code, cp->pin_code, sizeof(reply.pin_code));
3325
3326         err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_REPLY, sizeof(reply), &reply);
3327         if (err < 0)
3328                 mgmt_pending_remove(cmd);
3329
3330 failed:
3331         hci_dev_unlock(hdev);
3332         return err;
3333 }
3334
3335 static int set_io_capability(struct sock *sk, struct hci_dev *hdev, void *data,
3336                              u16 len)
3337 {
3338         struct mgmt_cp_set_io_capability *cp = data;
3339
3340         bt_dev_dbg(hdev, "sock %p", sk);
3341
3342         if (cp->io_capability > SMP_IO_KEYBOARD_DISPLAY)
3343                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_IO_CAPABILITY,
3344                                        MGMT_STATUS_INVALID_PARAMS);
3345
3346         hci_dev_lock(hdev);
3347
3348         hdev->io_capability = cp->io_capability;
3349
3350         bt_dev_dbg(hdev, "IO capability set to 0x%02x", hdev->io_capability);
3351
3352         hci_dev_unlock(hdev);
3353
3354         return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_IO_CAPABILITY, 0,
3355                                  NULL, 0);
3356 }
3357
3358 static struct mgmt_pending_cmd *find_pairing(struct hci_conn *conn)
3359 {
3360         struct hci_dev *hdev = conn->hdev;
3361         struct mgmt_pending_cmd *cmd;
3362
3363         list_for_each_entry(cmd, &hdev->mgmt_pending, list) {
3364                 if (cmd->opcode != MGMT_OP_PAIR_DEVICE)
3365                         continue;
3366
3367                 if (cmd->user_data != conn)
3368                         continue;
3369
3370                 return cmd;
3371         }
3372
3373         return NULL;
3374 }
3375
3376 static int pairing_complete(struct mgmt_pending_cmd *cmd, u8 status)
3377 {
3378         struct mgmt_rp_pair_device rp;
3379         struct hci_conn *conn = cmd->user_data;
3380         int err;
3381
3382         bacpy(&rp.addr.bdaddr, &conn->dst);
3383         rp.addr.type = link_to_bdaddr(conn->type, conn->dst_type);
3384
3385         err = mgmt_cmd_complete(cmd->sk, cmd->index, MGMT_OP_PAIR_DEVICE,
3386                                 status, &rp, sizeof(rp));
3387
3388         /* So we don't get further callbacks for this connection */
3389         conn->connect_cfm_cb = NULL;
3390         conn->security_cfm_cb = NULL;
3391         conn->disconn_cfm_cb = NULL;
3392
3393         hci_conn_drop(conn);
3394
3395         /* The device is paired so there is no need to remove
3396          * its connection parameters anymore.
3397          */
3398         clear_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags);
3399
3400         hci_conn_put(conn);
3401
3402         return err;
3403 }
3404
3405 void mgmt_smp_complete(struct hci_conn *conn, bool complete)
3406 {
3407         u8 status = complete ? MGMT_STATUS_SUCCESS : MGMT_STATUS_FAILED;
3408         struct mgmt_pending_cmd *cmd;
3409
3410         cmd = find_pairing(conn);
3411         if (cmd) {
3412                 cmd->cmd_complete(cmd, status);
3413                 mgmt_pending_remove(cmd);
3414         }
3415 }
3416
3417 static void pairing_complete_cb(struct hci_conn *conn, u8 status)
3418 {
3419         struct mgmt_pending_cmd *cmd;
3420
3421         BT_DBG("status %u", status);
3422
3423         cmd = find_pairing(conn);
3424         if (!cmd) {
3425                 BT_DBG("Unable to find a pending command");
3426                 return;
3427         }
3428
3429         cmd->cmd_complete(cmd, mgmt_status(status));
3430         mgmt_pending_remove(cmd);
3431 }
3432
3433 static void le_pairing_complete_cb(struct hci_conn *conn, u8 status)
3434 {
3435         struct mgmt_pending_cmd *cmd;
3436
3437         BT_DBG("status %u", status);
3438
3439         if (!status)
3440                 return;
3441
3442         cmd = find_pairing(conn);
3443         if (!cmd) {
3444                 BT_DBG("Unable to find a pending command");
3445                 return;
3446         }
3447
3448         cmd->cmd_complete(cmd, mgmt_status(status));
3449         mgmt_pending_remove(cmd);
3450 }
3451
3452 static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
3453                        u16 len)
3454 {
3455         struct mgmt_cp_pair_device *cp = data;
3456         struct mgmt_rp_pair_device rp;
3457         struct mgmt_pending_cmd *cmd;
3458         u8 sec_level, auth_type;
3459         struct hci_conn *conn;
3460         int err;
3461
3462         bt_dev_dbg(hdev, "sock %p", sk);
3463
3464         memset(&rp, 0, sizeof(rp));
3465         bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
3466         rp.addr.type = cp->addr.type;
3467
3468         if (!bdaddr_type_is_valid(cp->addr.type))
3469                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
3470                                          MGMT_STATUS_INVALID_PARAMS,
3471                                          &rp, sizeof(rp));
3472
3473         if (cp->io_cap > SMP_IO_KEYBOARD_DISPLAY)
3474                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
3475                                          MGMT_STATUS_INVALID_PARAMS,
3476                                          &rp, sizeof(rp));
3477
3478         hci_dev_lock(hdev);
3479
3480         if (!hdev_is_powered(hdev)) {
3481                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
3482                                         MGMT_STATUS_NOT_POWERED, &rp,
3483                                         sizeof(rp));
3484                 goto unlock;
3485         }
3486
3487         if (hci_bdaddr_is_paired(hdev, &cp->addr.bdaddr, cp->addr.type)) {
3488                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
3489                                         MGMT_STATUS_ALREADY_PAIRED, &rp,
3490                                         sizeof(rp));
3491                 goto unlock;
3492         }
3493
3494         sec_level = BT_SECURITY_MEDIUM;
3495         auth_type = HCI_AT_DEDICATED_BONDING;
3496
3497         if (cp->addr.type == BDADDR_BREDR) {
3498                 conn = hci_connect_acl(hdev, &cp->addr.bdaddr, sec_level,
3499                                        auth_type, CONN_REASON_PAIR_DEVICE);
3500         } else {
3501                 u8 addr_type = le_addr_type(cp->addr.type);
3502                 struct hci_conn_params *p;
3503
3504                 /* When pairing a new device, it is expected to remember
3505                  * this device for future connections. Adding the connection
3506                  * parameter information ahead of time allows tracking
3507                  * of the peripheral preferred values and will speed up any
3508                  * further connection establishment.
3509                  *
3510                  * If connection parameters already exist, then they
3511                  * will be kept and this function does nothing.
3512                  */
3513                 p = hci_conn_params_add(hdev, &cp->addr.bdaddr, addr_type);
3514
3515                 if (p->auto_connect == HCI_AUTO_CONN_EXPLICIT)
3516                         p->auto_connect = HCI_AUTO_CONN_DISABLED;
3517
3518                 conn = hci_connect_le_scan(hdev, &cp->addr.bdaddr, addr_type,
3519                                            sec_level, HCI_LE_CONN_TIMEOUT,
3520                                            CONN_REASON_PAIR_DEVICE);
3521         }
3522
3523         if (IS_ERR(conn)) {
3524                 int status;
3525
3526                 if (PTR_ERR(conn) == -EBUSY)
3527                         status = MGMT_STATUS_BUSY;
3528                 else if (PTR_ERR(conn) == -EOPNOTSUPP)
3529                         status = MGMT_STATUS_NOT_SUPPORTED;
3530                 else if (PTR_ERR(conn) == -ECONNREFUSED)
3531                         status = MGMT_STATUS_REJECTED;
3532                 else
3533                         status = MGMT_STATUS_CONNECT_FAILED;
3534
3535                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
3536                                         status, &rp, sizeof(rp));
3537                 goto unlock;
3538         }
3539
3540         if (conn->connect_cfm_cb) {
3541                 hci_conn_drop(conn);
3542                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
3543                                         MGMT_STATUS_BUSY, &rp, sizeof(rp));
3544                 goto unlock;
3545         }
3546
3547         cmd = mgmt_pending_add(sk, MGMT_OP_PAIR_DEVICE, hdev, data, len);
3548         if (!cmd) {
3549                 err = -ENOMEM;
3550                 hci_conn_drop(conn);
3551                 goto unlock;
3552         }
3553
3554         cmd->cmd_complete = pairing_complete;
3555
3556         /* For LE, just connecting isn't a proof that the pairing finished */
3557         if (cp->addr.type == BDADDR_BREDR) {
3558                 conn->connect_cfm_cb = pairing_complete_cb;
3559                 conn->security_cfm_cb = pairing_complete_cb;
3560                 conn->disconn_cfm_cb = pairing_complete_cb;
3561         } else {
3562                 conn->connect_cfm_cb = le_pairing_complete_cb;
3563                 conn->security_cfm_cb = le_pairing_complete_cb;
3564                 conn->disconn_cfm_cb = le_pairing_complete_cb;
3565         }
3566
3567         conn->io_capability = cp->io_cap;
3568         cmd->user_data = hci_conn_get(conn);
3569
3570         if ((conn->state == BT_CONNECTED || conn->state == BT_CONFIG) &&
3571             hci_conn_security(conn, sec_level, auth_type, true)) {
3572                 cmd->cmd_complete(cmd, 0);
3573                 mgmt_pending_remove(cmd);
3574         }
3575
3576         err = 0;
3577
3578 unlock:
3579         hci_dev_unlock(hdev);
3580         return err;
3581 }
3582
3583 static int abort_conn_sync(struct hci_dev *hdev, void *data)
3584 {
3585         struct hci_conn *conn;
3586         u16 handle = PTR_ERR(data);
3587
3588         conn = hci_conn_hash_lookup_handle(hdev, handle);
3589         if (!conn)
3590                 return 0;
3591
3592         return hci_abort_conn_sync(hdev, conn, HCI_ERROR_REMOTE_USER_TERM);
3593 }
3594
3595 static int cancel_pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
3596                               u16 len)
3597 {
3598         struct mgmt_addr_info *addr = data;
3599         struct mgmt_pending_cmd *cmd;
3600         struct hci_conn *conn;
3601         int err;
3602
3603         bt_dev_dbg(hdev, "sock %p", sk);
3604
3605         hci_dev_lock(hdev);
3606
3607         if (!hdev_is_powered(hdev)) {
3608                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
3609                                       MGMT_STATUS_NOT_POWERED);
3610                 goto unlock;
3611         }
3612
3613         cmd = pending_find(MGMT_OP_PAIR_DEVICE, hdev);
3614         if (!cmd) {
3615                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
3616                                       MGMT_STATUS_INVALID_PARAMS);
3617                 goto unlock;
3618         }
3619
3620         conn = cmd->user_data;
3621
3622         if (bacmp(&addr->bdaddr, &conn->dst) != 0) {
3623                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
3624                                       MGMT_STATUS_INVALID_PARAMS);
3625                 goto unlock;
3626         }
3627
3628         cmd->cmd_complete(cmd, MGMT_STATUS_CANCELLED);
3629         mgmt_pending_remove(cmd);
3630
3631         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE, 0,
3632                                 addr, sizeof(*addr));
3633
3634         /* Since user doesn't want to proceed with the connection, abort any
3635          * ongoing pairing and then terminate the link if it was created
3636          * because of the pair device action.
3637          */
3638         if (addr->type == BDADDR_BREDR)
3639                 hci_remove_link_key(hdev, &addr->bdaddr);
3640         else
3641                 smp_cancel_and_remove_pairing(hdev, &addr->bdaddr,
3642                                               le_addr_type(addr->type));
3643
3644         if (conn->conn_reason == CONN_REASON_PAIR_DEVICE)
3645                 hci_cmd_sync_queue(hdev, abort_conn_sync, ERR_PTR(conn->handle),
3646                                    NULL);
3647
3648 unlock:
3649         hci_dev_unlock(hdev);
3650         return err;
3651 }
3652
3653 static int user_pairing_resp(struct sock *sk, struct hci_dev *hdev,
3654                              struct mgmt_addr_info *addr, u16 mgmt_op,
3655                              u16 hci_op, __le32 passkey)
3656 {
3657         struct mgmt_pending_cmd *cmd;
3658         struct hci_conn *conn;
3659         int err;
3660
3661         hci_dev_lock(hdev);
3662
3663         if (!hdev_is_powered(hdev)) {
3664                 err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
3665                                         MGMT_STATUS_NOT_POWERED, addr,
3666                                         sizeof(*addr));
3667                 goto done;
3668         }
3669
3670         if (addr->type == BDADDR_BREDR)
3671                 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &addr->bdaddr);
3672         else
3673                 conn = hci_conn_hash_lookup_le(hdev, &addr->bdaddr,
3674                                                le_addr_type(addr->type));
3675
3676         if (!conn) {
3677                 err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
3678                                         MGMT_STATUS_NOT_CONNECTED, addr,
3679                                         sizeof(*addr));
3680                 goto done;
3681         }
3682
3683         if (addr->type == BDADDR_LE_PUBLIC || addr->type == BDADDR_LE_RANDOM) {
3684                 err = smp_user_confirm_reply(conn, mgmt_op, passkey);
3685                 if (!err)
3686                         err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
3687                                                 MGMT_STATUS_SUCCESS, addr,
3688                                                 sizeof(*addr));
3689                 else
3690                         err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
3691                                                 MGMT_STATUS_FAILED, addr,
3692                                                 sizeof(*addr));
3693
3694                 goto done;
3695         }
3696
3697         cmd = mgmt_pending_add(sk, mgmt_op, hdev, addr, sizeof(*addr));
3698         if (!cmd) {
3699                 err = -ENOMEM;
3700                 goto done;
3701         }
3702
3703         cmd->cmd_complete = addr_cmd_complete;
3704
3705         /* Continue with pairing via HCI */
3706         if (hci_op == HCI_OP_USER_PASSKEY_REPLY) {
3707                 struct hci_cp_user_passkey_reply cp;
3708
3709                 bacpy(&cp.bdaddr, &addr->bdaddr);
3710                 cp.passkey = passkey;
3711                 err = hci_send_cmd(hdev, hci_op, sizeof(cp), &cp);
3712         } else
3713                 err = hci_send_cmd(hdev, hci_op, sizeof(addr->bdaddr),
3714                                    &addr->bdaddr);
3715
3716         if (err < 0)
3717                 mgmt_pending_remove(cmd);
3718
3719 done:
3720         hci_dev_unlock(hdev);
3721         return err;
3722 }
3723
3724 static int pin_code_neg_reply(struct sock *sk, struct hci_dev *hdev,
3725                               void *data, u16 len)
3726 {
3727         struct mgmt_cp_pin_code_neg_reply *cp = data;
3728
3729         bt_dev_dbg(hdev, "sock %p", sk);
3730
3731         return user_pairing_resp(sk, hdev, &cp->addr,
3732                                 MGMT_OP_PIN_CODE_NEG_REPLY,
3733                                 HCI_OP_PIN_CODE_NEG_REPLY, 0);
3734 }
3735
3736 static int user_confirm_reply(struct sock *sk, struct hci_dev *hdev, void *data,
3737                               u16 len)
3738 {
3739         struct mgmt_cp_user_confirm_reply *cp = data;
3740
3741         bt_dev_dbg(hdev, "sock %p", sk);
3742
3743         if (len != sizeof(*cp))
3744                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_USER_CONFIRM_REPLY,
3745                                        MGMT_STATUS_INVALID_PARAMS);
3746
3747         return user_pairing_resp(sk, hdev, &cp->addr,
3748                                  MGMT_OP_USER_CONFIRM_REPLY,
3749                                  HCI_OP_USER_CONFIRM_REPLY, 0);
3750 }
3751
3752 static int user_confirm_neg_reply(struct sock *sk, struct hci_dev *hdev,
3753                                   void *data, u16 len)
3754 {
3755         struct mgmt_cp_user_confirm_neg_reply *cp = data;
3756
3757         bt_dev_dbg(hdev, "sock %p", sk);
3758
3759         return user_pairing_resp(sk, hdev, &cp->addr,
3760                                  MGMT_OP_USER_CONFIRM_NEG_REPLY,
3761                                  HCI_OP_USER_CONFIRM_NEG_REPLY, 0);
3762 }
3763
3764 static int user_passkey_reply(struct sock *sk, struct hci_dev *hdev, void *data,
3765                               u16 len)
3766 {
3767         struct mgmt_cp_user_passkey_reply *cp = data;
3768
3769         bt_dev_dbg(hdev, "sock %p", sk);
3770
3771         return user_pairing_resp(sk, hdev, &cp->addr,
3772                                  MGMT_OP_USER_PASSKEY_REPLY,
3773                                  HCI_OP_USER_PASSKEY_REPLY, cp->passkey);
3774 }
3775
3776 static int user_passkey_neg_reply(struct sock *sk, struct hci_dev *hdev,
3777                                   void *data, u16 len)
3778 {
3779         struct mgmt_cp_user_passkey_neg_reply *cp = data;
3780
3781         bt_dev_dbg(hdev, "sock %p", sk);
3782
3783         return user_pairing_resp(sk, hdev, &cp->addr,
3784                                  MGMT_OP_USER_PASSKEY_NEG_REPLY,
3785                                  HCI_OP_USER_PASSKEY_NEG_REPLY, 0);
3786 }
3787
3788 static int adv_expire_sync(struct hci_dev *hdev, u32 flags)
3789 {
3790         struct adv_info *adv_instance;
3791
3792         adv_instance = hci_find_adv_instance(hdev, hdev->cur_adv_instance);
3793         if (!adv_instance)
3794                 return 0;
3795
3796         /* stop if current instance doesn't need to be changed */
3797         if (!(adv_instance->flags & flags))
3798                 return 0;
3799
3800         cancel_adv_timeout(hdev);
3801
3802         adv_instance = hci_get_next_instance(hdev, adv_instance->instance);
3803         if (!adv_instance)
3804                 return 0;
3805
3806         hci_schedule_adv_instance_sync(hdev, adv_instance->instance, true);
3807
3808         return 0;
3809 }
3810
3811 static int name_changed_sync(struct hci_dev *hdev, void *data)
3812 {
3813         return adv_expire_sync(hdev, MGMT_ADV_FLAG_LOCAL_NAME);
3814 }
3815
3816 static void set_name_complete(struct hci_dev *hdev, void *data, int err)
3817 {
3818         struct mgmt_pending_cmd *cmd = data;
3819         struct mgmt_cp_set_local_name *cp = cmd->param;
3820         u8 status = mgmt_status(err);
3821
3822         bt_dev_dbg(hdev, "err %d", err);
3823
3824         if (cmd != pending_find(MGMT_OP_SET_LOCAL_NAME, hdev))
3825                 return;
3826
3827         if (status) {
3828                 mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_LOCAL_NAME,
3829                                 status);
3830         } else {
3831                 mgmt_cmd_complete(cmd->sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, 0,
3832                                   cp, sizeof(*cp));
3833
3834                 if (hci_dev_test_flag(hdev, HCI_LE_ADV))
3835                         hci_cmd_sync_queue(hdev, name_changed_sync, NULL, NULL);
3836         }
3837
3838         mgmt_pending_remove(cmd);
3839 }
3840
3841 static int set_name_sync(struct hci_dev *hdev, void *data)
3842 {
3843         if (lmp_bredr_capable(hdev)) {
3844                 hci_update_name_sync(hdev);
3845                 hci_update_eir_sync(hdev);
3846         }
3847
3848         /* The name is stored in the scan response data and so
3849          * no need to update the advertising data here.
3850          */
3851         if (lmp_le_capable(hdev) && hci_dev_test_flag(hdev, HCI_ADVERTISING))
3852                 hci_update_scan_rsp_data_sync(hdev, hdev->cur_adv_instance);
3853
3854         return 0;
3855 }
3856
3857 static int set_local_name(struct sock *sk, struct hci_dev *hdev, void *data,
3858                           u16 len)
3859 {
3860         struct mgmt_cp_set_local_name *cp = data;
3861         struct mgmt_pending_cmd *cmd;
3862         int err;
3863
3864         bt_dev_dbg(hdev, "sock %p", sk);
3865
3866         hci_dev_lock(hdev);
3867
3868         /* If the old values are the same as the new ones just return a
3869          * direct command complete event.
3870          */
3871         if (!memcmp(hdev->dev_name, cp->name, sizeof(hdev->dev_name)) &&
3872             !memcmp(hdev->short_name, cp->short_name,
3873                     sizeof(hdev->short_name))) {
3874                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, 0,
3875                                         data, len);
3876                 goto failed;
3877         }
3878
3879         memcpy(hdev->short_name, cp->short_name, sizeof(hdev->short_name));
3880
3881         if (!hdev_is_powered(hdev)) {
3882                 memcpy(hdev->dev_name, cp->name, sizeof(hdev->dev_name));
3883
3884                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, 0,
3885                                         data, len);
3886                 if (err < 0)
3887                         goto failed;
3888
3889                 err = mgmt_limited_event(MGMT_EV_LOCAL_NAME_CHANGED, hdev, data,
3890                                          len, HCI_MGMT_LOCAL_NAME_EVENTS, sk);
3891                 ext_info_changed(hdev, sk);
3892
3893                 goto failed;
3894         }
3895
3896         cmd = mgmt_pending_add(sk, MGMT_OP_SET_LOCAL_NAME, hdev, data, len);
3897         if (!cmd)
3898                 err = -ENOMEM;
3899         else
3900                 err = hci_cmd_sync_queue(hdev, set_name_sync, cmd,
3901                                          set_name_complete);
3902
3903         if (err < 0) {
3904                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LOCAL_NAME,
3905                                       MGMT_STATUS_FAILED);
3906
3907                 if (cmd)
3908                         mgmt_pending_remove(cmd);
3909
3910                 goto failed;
3911         }
3912
3913         memcpy(hdev->dev_name, cp->name, sizeof(hdev->dev_name));
3914
3915 failed:
3916         hci_dev_unlock(hdev);
3917         return err;
3918 }
3919
3920 static int appearance_changed_sync(struct hci_dev *hdev, void *data)
3921 {
3922         return adv_expire_sync(hdev, MGMT_ADV_FLAG_APPEARANCE);
3923 }
3924
3925 static int set_appearance(struct sock *sk, struct hci_dev *hdev, void *data,
3926                           u16 len)
3927 {
3928         struct mgmt_cp_set_appearance *cp = data;
3929         u16 appearance;
3930         int err;
3931
3932         bt_dev_dbg(hdev, "sock %p", sk);
3933
3934         if (!lmp_le_capable(hdev))
3935                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_APPEARANCE,
3936                                        MGMT_STATUS_NOT_SUPPORTED);
3937
3938         appearance = le16_to_cpu(cp->appearance);
3939
3940         hci_dev_lock(hdev);
3941
3942         if (hdev->appearance != appearance) {
3943                 hdev->appearance = appearance;
3944
3945                 if (hci_dev_test_flag(hdev, HCI_LE_ADV))
3946                         hci_cmd_sync_queue(hdev, appearance_changed_sync, NULL,
3947                                            NULL);
3948
3949                 ext_info_changed(hdev, sk);
3950         }
3951
3952         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_APPEARANCE, 0, NULL,
3953                                 0);
3954
3955         hci_dev_unlock(hdev);
3956
3957         return err;
3958 }
3959
3960 static int get_phy_configuration(struct sock *sk, struct hci_dev *hdev,
3961                                  void *data, u16 len)
3962 {
3963         struct mgmt_rp_get_phy_configuration rp;
3964
3965         bt_dev_dbg(hdev, "sock %p", sk);
3966
3967         hci_dev_lock(hdev);
3968
3969         memset(&rp, 0, sizeof(rp));
3970
3971         rp.supported_phys = cpu_to_le32(get_supported_phys(hdev));
3972         rp.selected_phys = cpu_to_le32(get_selected_phys(hdev));
3973         rp.configurable_phys = cpu_to_le32(get_configurable_phys(hdev));
3974
3975         hci_dev_unlock(hdev);
3976
3977         return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_PHY_CONFIGURATION, 0,
3978                                  &rp, sizeof(rp));
3979 }
3980
3981 int mgmt_phy_configuration_changed(struct hci_dev *hdev, struct sock *skip)
3982 {
3983         struct mgmt_ev_phy_configuration_changed ev;
3984
3985         memset(&ev, 0, sizeof(ev));
3986
3987         ev.selected_phys = cpu_to_le32(get_selected_phys(hdev));
3988
3989         return mgmt_event(MGMT_EV_PHY_CONFIGURATION_CHANGED, hdev, &ev,
3990                           sizeof(ev), skip);
3991 }
3992
3993 static void set_default_phy_complete(struct hci_dev *hdev, void *data, int err)
3994 {
3995         struct mgmt_pending_cmd *cmd = data;
3996         struct sk_buff *skb = cmd->skb;
3997         u8 status = mgmt_status(err);
3998
3999         if (cmd != pending_find(MGMT_OP_SET_PHY_CONFIGURATION, hdev))
4000                 return;
4001
4002         if (!status) {
4003                 if (!skb)
4004                         status = MGMT_STATUS_FAILED;
4005                 else if (IS_ERR(skb))
4006                         status = mgmt_status(PTR_ERR(skb));
4007                 else
4008                         status = mgmt_status(skb->data[0]);
4009         }
4010
4011         bt_dev_dbg(hdev, "status %d", status);
4012
4013         if (status) {
4014                 mgmt_cmd_status(cmd->sk, hdev->id,
4015                                 MGMT_OP_SET_PHY_CONFIGURATION, status);
4016         } else {
4017                 mgmt_cmd_complete(cmd->sk, hdev->id,
4018                                   MGMT_OP_SET_PHY_CONFIGURATION, 0,
4019                                   NULL, 0);
4020
4021                 mgmt_phy_configuration_changed(hdev, cmd->sk);
4022         }
4023
4024         if (skb && !IS_ERR(skb))
4025                 kfree_skb(skb);
4026
4027         mgmt_pending_remove(cmd);
4028 }
4029
4030 static int set_default_phy_sync(struct hci_dev *hdev, void *data)
4031 {
4032         struct mgmt_pending_cmd *cmd = data;
4033         struct mgmt_cp_set_phy_configuration *cp = cmd->param;
4034         struct hci_cp_le_set_default_phy cp_phy;
4035         u32 selected_phys = __le32_to_cpu(cp->selected_phys);
4036
4037         memset(&cp_phy, 0, sizeof(cp_phy));
4038
4039         if (!(selected_phys & MGMT_PHY_LE_TX_MASK))
4040                 cp_phy.all_phys |= 0x01;
4041
4042         if (!(selected_phys & MGMT_PHY_LE_RX_MASK))
4043                 cp_phy.all_phys |= 0x02;
4044
4045         if (selected_phys & MGMT_PHY_LE_1M_TX)
4046                 cp_phy.tx_phys |= HCI_LE_SET_PHY_1M;
4047
4048         if (selected_phys & MGMT_PHY_LE_2M_TX)
4049                 cp_phy.tx_phys |= HCI_LE_SET_PHY_2M;
4050
4051         if (selected_phys & MGMT_PHY_LE_CODED_TX)
4052                 cp_phy.tx_phys |= HCI_LE_SET_PHY_CODED;
4053
4054         if (selected_phys & MGMT_PHY_LE_1M_RX)
4055                 cp_phy.rx_phys |= HCI_LE_SET_PHY_1M;
4056
4057         if (selected_phys & MGMT_PHY_LE_2M_RX)
4058                 cp_phy.rx_phys |= HCI_LE_SET_PHY_2M;
4059
4060         if (selected_phys & MGMT_PHY_LE_CODED_RX)
4061                 cp_phy.rx_phys |= HCI_LE_SET_PHY_CODED;
4062
4063         cmd->skb =  __hci_cmd_sync(hdev, HCI_OP_LE_SET_DEFAULT_PHY,
4064                                    sizeof(cp_phy), &cp_phy, HCI_CMD_TIMEOUT);
4065
4066         return 0;
4067 }
4068
4069 static int set_phy_configuration(struct sock *sk, struct hci_dev *hdev,
4070                                  void *data, u16 len)
4071 {
4072         struct mgmt_cp_set_phy_configuration *cp = data;
4073         struct mgmt_pending_cmd *cmd;
4074         u32 selected_phys, configurable_phys, supported_phys, unconfigure_phys;
4075         u16 pkt_type = (HCI_DH1 | HCI_DM1);
4076         bool changed = false;
4077         int err;
4078
4079         bt_dev_dbg(hdev, "sock %p", sk);
4080
4081         configurable_phys = get_configurable_phys(hdev);
4082         supported_phys = get_supported_phys(hdev);
4083         selected_phys = __le32_to_cpu(cp->selected_phys);
4084
4085         if (selected_phys & ~supported_phys)
4086                 return mgmt_cmd_status(sk, hdev->id,
4087                                        MGMT_OP_SET_PHY_CONFIGURATION,
4088                                        MGMT_STATUS_INVALID_PARAMS);
4089
4090         unconfigure_phys = supported_phys & ~configurable_phys;
4091
4092         if ((selected_phys & unconfigure_phys) != unconfigure_phys)
4093                 return mgmt_cmd_status(sk, hdev->id,
4094                                        MGMT_OP_SET_PHY_CONFIGURATION,
4095                                        MGMT_STATUS_INVALID_PARAMS);
4096
4097         if (selected_phys == get_selected_phys(hdev))
4098                 return mgmt_cmd_complete(sk, hdev->id,
4099                                          MGMT_OP_SET_PHY_CONFIGURATION,
4100                                          0, NULL, 0);
4101
4102         hci_dev_lock(hdev);
4103
4104         if (!hdev_is_powered(hdev)) {
4105                 err = mgmt_cmd_status(sk, hdev->id,
4106                                       MGMT_OP_SET_PHY_CONFIGURATION,
4107                                       MGMT_STATUS_REJECTED);
4108                 goto unlock;
4109         }
4110
4111         if (pending_find(MGMT_OP_SET_PHY_CONFIGURATION, hdev)) {
4112                 err = mgmt_cmd_status(sk, hdev->id,
4113                                       MGMT_OP_SET_PHY_CONFIGURATION,
4114                                       MGMT_STATUS_BUSY);
4115                 goto unlock;
4116         }
4117
4118         if (selected_phys & MGMT_PHY_BR_1M_3SLOT)
4119                 pkt_type |= (HCI_DH3 | HCI_DM3);
4120         else
4121                 pkt_type &= ~(HCI_DH3 | HCI_DM3);
4122
4123         if (selected_phys & MGMT_PHY_BR_1M_5SLOT)
4124                 pkt_type |= (HCI_DH5 | HCI_DM5);
4125         else
4126                 pkt_type &= ~(HCI_DH5 | HCI_DM5);
4127
4128         if (selected_phys & MGMT_PHY_EDR_2M_1SLOT)
4129                 pkt_type &= ~HCI_2DH1;
4130         else
4131                 pkt_type |= HCI_2DH1;
4132
4133         if (selected_phys & MGMT_PHY_EDR_2M_3SLOT)
4134                 pkt_type &= ~HCI_2DH3;
4135         else
4136                 pkt_type |= HCI_2DH3;
4137
4138         if (selected_phys & MGMT_PHY_EDR_2M_5SLOT)
4139                 pkt_type &= ~HCI_2DH5;
4140         else
4141                 pkt_type |= HCI_2DH5;
4142
4143         if (selected_phys & MGMT_PHY_EDR_3M_1SLOT)
4144                 pkt_type &= ~HCI_3DH1;
4145         else
4146                 pkt_type |= HCI_3DH1;
4147
4148         if (selected_phys & MGMT_PHY_EDR_3M_3SLOT)
4149                 pkt_type &= ~HCI_3DH3;
4150         else
4151                 pkt_type |= HCI_3DH3;
4152
4153         if (selected_phys & MGMT_PHY_EDR_3M_5SLOT)
4154                 pkt_type &= ~HCI_3DH5;
4155         else
4156                 pkt_type |= HCI_3DH5;
4157
4158         if (pkt_type != hdev->pkt_type) {
4159                 hdev->pkt_type = pkt_type;
4160                 changed = true;
4161         }
4162
4163         if ((selected_phys & MGMT_PHY_LE_MASK) ==
4164             (get_selected_phys(hdev) & MGMT_PHY_LE_MASK)) {
4165                 if (changed)
4166                         mgmt_phy_configuration_changed(hdev, sk);
4167
4168                 err = mgmt_cmd_complete(sk, hdev->id,
4169                                         MGMT_OP_SET_PHY_CONFIGURATION,
4170                                         0, NULL, 0);
4171
4172                 goto unlock;
4173         }
4174
4175         cmd = mgmt_pending_add(sk, MGMT_OP_SET_PHY_CONFIGURATION, hdev, data,
4176                                len);
4177         if (!cmd)
4178                 err = -ENOMEM;
4179         else
4180                 err = hci_cmd_sync_queue(hdev, set_default_phy_sync, cmd,
4181                                          set_default_phy_complete);
4182
4183         if (err < 0) {
4184                 err = mgmt_cmd_status(sk, hdev->id,
4185                                       MGMT_OP_SET_PHY_CONFIGURATION,
4186                                       MGMT_STATUS_FAILED);
4187
4188                 if (cmd)
4189                         mgmt_pending_remove(cmd);
4190         }
4191
4192 unlock:
4193         hci_dev_unlock(hdev);
4194
4195         return err;
4196 }
4197
4198 static int set_blocked_keys(struct sock *sk, struct hci_dev *hdev, void *data,
4199                             u16 len)
4200 {
4201         int err = MGMT_STATUS_SUCCESS;
4202         struct mgmt_cp_set_blocked_keys *keys = data;
4203         const u16 max_key_count = ((U16_MAX - sizeof(*keys)) /
4204                                    sizeof(struct mgmt_blocked_key_info));
4205         u16 key_count, expected_len;
4206         int i;
4207
4208         bt_dev_dbg(hdev, "sock %p", sk);
4209
4210         key_count = __le16_to_cpu(keys->key_count);
4211         if (key_count > max_key_count) {
4212                 bt_dev_err(hdev, "too big key_count value %u", key_count);
4213                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BLOCKED_KEYS,
4214                                        MGMT_STATUS_INVALID_PARAMS);
4215         }
4216
4217         expected_len = struct_size(keys, keys, key_count);
4218         if (expected_len != len) {
4219                 bt_dev_err(hdev, "expected %u bytes, got %u bytes",
4220                            expected_len, len);
4221                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BLOCKED_KEYS,
4222                                        MGMT_STATUS_INVALID_PARAMS);
4223         }
4224
4225         hci_dev_lock(hdev);
4226
4227         hci_blocked_keys_clear(hdev);
4228
4229         for (i = 0; i < key_count; ++i) {
4230                 struct blocked_key *b = kzalloc(sizeof(*b), GFP_KERNEL);
4231
4232                 if (!b) {
4233                         err = MGMT_STATUS_NO_RESOURCES;
4234                         break;
4235                 }
4236
4237                 b->type = keys->keys[i].type;
4238                 memcpy(b->val, keys->keys[i].val, sizeof(b->val));
4239                 list_add_rcu(&b->list, &hdev->blocked_keys);
4240         }
4241         hci_dev_unlock(hdev);
4242
4243         return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_BLOCKED_KEYS,
4244                                 err, NULL, 0);
4245 }
4246
4247 static int set_wideband_speech(struct sock *sk, struct hci_dev *hdev,
4248                                void *data, u16 len)
4249 {
4250         struct mgmt_mode *cp = data;
4251         int err;
4252         bool changed = false;
4253
4254         bt_dev_dbg(hdev, "sock %p", sk);
4255
4256         if (!test_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, &hdev->quirks))
4257                 return mgmt_cmd_status(sk, hdev->id,
4258                                        MGMT_OP_SET_WIDEBAND_SPEECH,
4259                                        MGMT_STATUS_NOT_SUPPORTED);
4260
4261         if (cp->val != 0x00 && cp->val != 0x01)
4262                 return mgmt_cmd_status(sk, hdev->id,
4263                                        MGMT_OP_SET_WIDEBAND_SPEECH,
4264                                        MGMT_STATUS_INVALID_PARAMS);
4265
4266         hci_dev_lock(hdev);
4267
4268         if (hdev_is_powered(hdev) &&
4269             !!cp->val != hci_dev_test_flag(hdev,
4270                                            HCI_WIDEBAND_SPEECH_ENABLED)) {
4271                 err = mgmt_cmd_status(sk, hdev->id,
4272                                       MGMT_OP_SET_WIDEBAND_SPEECH,
4273                                       MGMT_STATUS_REJECTED);
4274                 goto unlock;
4275         }
4276
4277         if (cp->val)
4278                 changed = !hci_dev_test_and_set_flag(hdev,
4279                                                    HCI_WIDEBAND_SPEECH_ENABLED);
4280         else
4281                 changed = hci_dev_test_and_clear_flag(hdev,
4282                                                    HCI_WIDEBAND_SPEECH_ENABLED);
4283
4284         err = send_settings_rsp(sk, MGMT_OP_SET_WIDEBAND_SPEECH, hdev);
4285         if (err < 0)
4286                 goto unlock;
4287
4288         if (changed)
4289                 err = new_settings(hdev, sk);
4290
4291 unlock:
4292         hci_dev_unlock(hdev);
4293         return err;
4294 }
4295
4296 static int read_controller_cap(struct sock *sk, struct hci_dev *hdev,
4297                                void *data, u16 data_len)
4298 {
4299         char buf[20];
4300         struct mgmt_rp_read_controller_cap *rp = (void *)buf;
4301         u16 cap_len = 0;
4302         u8 flags = 0;
4303         u8 tx_power_range[2];
4304
4305         bt_dev_dbg(hdev, "sock %p", sk);
4306
4307         memset(&buf, 0, sizeof(buf));
4308
4309         hci_dev_lock(hdev);
4310
4311         /* When the Read Simple Pairing Options command is supported, then
4312          * the remote public key validation is supported.
4313          *
4314          * Alternatively, when Microsoft extensions are available, they can
4315          * indicate support for public key validation as well.
4316          */
4317         if ((hdev->commands[41] & 0x08) || msft_curve_validity(hdev))
4318                 flags |= 0x01;  /* Remote public key validation (BR/EDR) */
4319
4320         flags |= 0x02;          /* Remote public key validation (LE) */
4321
4322         /* When the Read Encryption Key Size command is supported, then the
4323          * encryption key size is enforced.
4324          */
4325         if (hdev->commands[20] & 0x10)
4326                 flags |= 0x04;  /* Encryption key size enforcement (BR/EDR) */
4327
4328         flags |= 0x08;          /* Encryption key size enforcement (LE) */
4329
4330         cap_len = eir_append_data(rp->cap, cap_len, MGMT_CAP_SEC_FLAGS,
4331                                   &flags, 1);
4332
4333         /* When the Read Simple Pairing Options command is supported, then
4334          * also max encryption key size information is provided.
4335          */
4336         if (hdev->commands[41] & 0x08)
4337                 cap_len = eir_append_le16(rp->cap, cap_len,
4338                                           MGMT_CAP_MAX_ENC_KEY_SIZE,
4339                                           hdev->max_enc_key_size);
4340
4341         cap_len = eir_append_le16(rp->cap, cap_len,
4342                                   MGMT_CAP_SMP_MAX_ENC_KEY_SIZE,
4343                                   SMP_MAX_ENC_KEY_SIZE);
4344
4345         /* Append the min/max LE tx power parameters if we were able to fetch
4346          * it from the controller
4347          */
4348         if (hdev->commands[38] & 0x80) {
4349                 memcpy(&tx_power_range[0], &hdev->min_le_tx_power, 1);
4350                 memcpy(&tx_power_range[1], &hdev->max_le_tx_power, 1);
4351                 cap_len = eir_append_data(rp->cap, cap_len, MGMT_CAP_LE_TX_PWR,
4352                                           tx_power_range, 2);
4353         }
4354
4355         rp->cap_len = cpu_to_le16(cap_len);
4356
4357         hci_dev_unlock(hdev);
4358
4359         return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_CONTROLLER_CAP, 0,
4360                                  rp, sizeof(*rp) + cap_len);
4361 }
4362
4363 #ifdef CONFIG_BT_FEATURE_DEBUG
4364 /* d4992530-b9ec-469f-ab01-6c481c47da1c */
4365 static const u8 debug_uuid[16] = {
4366         0x1c, 0xda, 0x47, 0x1c, 0x48, 0x6c, 0x01, 0xab,
4367         0x9f, 0x46, 0xec, 0xb9, 0x30, 0x25, 0x99, 0xd4,
4368 };
4369 #endif
4370
4371 /* 330859bc-7506-492d-9370-9a6f0614037f */
4372 static const u8 quality_report_uuid[16] = {
4373         0x7f, 0x03, 0x14, 0x06, 0x6f, 0x9a, 0x70, 0x93,
4374         0x2d, 0x49, 0x06, 0x75, 0xbc, 0x59, 0x08, 0x33,
4375 };
4376
4377 /* a6695ace-ee7f-4fb9-881a-5fac66c629af */
4378 static const u8 offload_codecs_uuid[16] = {
4379         0xaf, 0x29, 0xc6, 0x66, 0xac, 0x5f, 0x1a, 0x88,
4380         0xb9, 0x4f, 0x7f, 0xee, 0xce, 0x5a, 0x69, 0xa6,
4381 };
4382
4383 /* 671b10b5-42c0-4696-9227-eb28d1b049d6 */
4384 static const u8 le_simultaneous_roles_uuid[16] = {
4385         0xd6, 0x49, 0xb0, 0xd1, 0x28, 0xeb, 0x27, 0x92,
4386         0x96, 0x46, 0xc0, 0x42, 0xb5, 0x10, 0x1b, 0x67,
4387 };
4388
4389 /* 15c0a148-c273-11ea-b3de-0242ac130004 */
4390 static const u8 rpa_resolution_uuid[16] = {
4391         0x04, 0x00, 0x13, 0xac, 0x42, 0x02, 0xde, 0xb3,
4392         0xea, 0x11, 0x73, 0xc2, 0x48, 0xa1, 0xc0, 0x15,
4393 };
4394
4395 /* 6fbaf188-05e0-496a-9885-d6ddfdb4e03e */
4396 static const u8 iso_socket_uuid[16] = {
4397         0x3e, 0xe0, 0xb4, 0xfd, 0xdd, 0xd6, 0x85, 0x98,
4398         0x6a, 0x49, 0xe0, 0x05, 0x88, 0xf1, 0xba, 0x6f,
4399 };
4400
4401 /* 2ce463d7-7a03-4d8d-bf05-5f24e8f36e76 */
4402 static const u8 mgmt_mesh_uuid[16] = {
4403         0x76, 0x6e, 0xf3, 0xe8, 0x24, 0x5f, 0x05, 0xbf,
4404         0x8d, 0x4d, 0x03, 0x7a, 0xd7, 0x63, 0xe4, 0x2c,
4405 };
4406
4407 static int read_exp_features_info(struct sock *sk, struct hci_dev *hdev,
4408                                   void *data, u16 data_len)
4409 {
4410         struct mgmt_rp_read_exp_features_info *rp;
4411         size_t len;
4412         u16 idx = 0;
4413         u32 flags;
4414         int status;
4415
4416         bt_dev_dbg(hdev, "sock %p", sk);
4417
4418         /* Enough space for 7 features */
4419         len = sizeof(*rp) + (sizeof(rp->features[0]) * 7);
4420         rp = kzalloc(len, GFP_KERNEL);
4421         if (!rp)
4422                 return -ENOMEM;
4423
4424 #ifdef CONFIG_BT_FEATURE_DEBUG
4425         if (!hdev) {
4426                 flags = bt_dbg_get() ? BIT(0) : 0;
4427
4428                 memcpy(rp->features[idx].uuid, debug_uuid, 16);
4429                 rp->features[idx].flags = cpu_to_le32(flags);
4430                 idx++;
4431         }
4432 #endif
4433
4434         if (hdev && hci_dev_le_state_simultaneous(hdev)) {
4435                 if (hci_dev_test_flag(hdev, HCI_LE_SIMULTANEOUS_ROLES))
4436                         flags = BIT(0);
4437                 else
4438                         flags = 0;
4439
4440                 memcpy(rp->features[idx].uuid, le_simultaneous_roles_uuid, 16);
4441                 rp->features[idx].flags = cpu_to_le32(flags);
4442                 idx++;
4443         }
4444
4445         if (hdev && ll_privacy_capable(hdev)) {
4446                 if (hci_dev_test_flag(hdev, HCI_ENABLE_LL_PRIVACY))
4447                         flags = BIT(0) | BIT(1);
4448                 else
4449                         flags = BIT(1);
4450
4451                 memcpy(rp->features[idx].uuid, rpa_resolution_uuid, 16);
4452                 rp->features[idx].flags = cpu_to_le32(flags);
4453                 idx++;
4454         }
4455
4456         if (hdev && (aosp_has_quality_report(hdev) ||
4457                      hdev->set_quality_report)) {
4458                 if (hci_dev_test_flag(hdev, HCI_QUALITY_REPORT))
4459                         flags = BIT(0);
4460                 else
4461                         flags = 0;
4462
4463                 memcpy(rp->features[idx].uuid, quality_report_uuid, 16);
4464                 rp->features[idx].flags = cpu_to_le32(flags);
4465                 idx++;
4466         }
4467
4468         if (hdev && hdev->get_data_path_id) {
4469                 if (hci_dev_test_flag(hdev, HCI_OFFLOAD_CODECS_ENABLED))
4470                         flags = BIT(0);
4471                 else
4472                         flags = 0;
4473
4474                 memcpy(rp->features[idx].uuid, offload_codecs_uuid, 16);
4475                 rp->features[idx].flags = cpu_to_le32(flags);
4476                 idx++;
4477         }
4478
4479         if (IS_ENABLED(CONFIG_BT_LE)) {
4480                 flags = iso_enabled() ? BIT(0) : 0;
4481                 memcpy(rp->features[idx].uuid, iso_socket_uuid, 16);
4482                 rp->features[idx].flags = cpu_to_le32(flags);
4483                 idx++;
4484         }
4485
4486         if (hdev && lmp_le_capable(hdev)) {
4487                 if (hci_dev_test_flag(hdev, HCI_MESH_EXPERIMENTAL))
4488                         flags = BIT(0);
4489                 else
4490                         flags = 0;
4491
4492                 memcpy(rp->features[idx].uuid, mgmt_mesh_uuid, 16);
4493                 rp->features[idx].flags = cpu_to_le32(flags);
4494                 idx++;
4495         }
4496
4497         rp->feature_count = cpu_to_le16(idx);
4498
4499         /* After reading the experimental features information, enable
4500          * the events to update client on any future change.
4501          */
4502         hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
4503
4504         status = mgmt_cmd_complete(sk, hdev ? hdev->id : MGMT_INDEX_NONE,
4505                                    MGMT_OP_READ_EXP_FEATURES_INFO,
4506                                    0, rp, sizeof(*rp) + (20 * idx));
4507
4508         kfree(rp);
4509         return status;
4510 }
4511
4512 static int exp_ll_privacy_feature_changed(bool enabled, struct hci_dev *hdev,
4513                                           struct sock *skip)
4514 {
4515         struct mgmt_ev_exp_feature_changed ev;
4516
4517         memset(&ev, 0, sizeof(ev));
4518         memcpy(ev.uuid, rpa_resolution_uuid, 16);
4519         ev.flags = cpu_to_le32((enabled ? BIT(0) : 0) | BIT(1));
4520
4521         // Do we need to be atomic with the conn_flags?
4522         if (enabled && privacy_mode_capable(hdev))
4523                 hdev->conn_flags |= HCI_CONN_FLAG_DEVICE_PRIVACY;
4524         else
4525                 hdev->conn_flags &= ~HCI_CONN_FLAG_DEVICE_PRIVACY;
4526
4527         return mgmt_limited_event(MGMT_EV_EXP_FEATURE_CHANGED, hdev,
4528                                   &ev, sizeof(ev),
4529                                   HCI_MGMT_EXP_FEATURE_EVENTS, skip);
4530
4531 }
4532
4533 static int exp_feature_changed(struct hci_dev *hdev, const u8 *uuid,
4534                                bool enabled, struct sock *skip)
4535 {
4536         struct mgmt_ev_exp_feature_changed ev;
4537
4538         memset(&ev, 0, sizeof(ev));
4539         memcpy(ev.uuid, uuid, 16);
4540         ev.flags = cpu_to_le32(enabled ? BIT(0) : 0);
4541
4542         return mgmt_limited_event(MGMT_EV_EXP_FEATURE_CHANGED, hdev,
4543                                   &ev, sizeof(ev),
4544                                   HCI_MGMT_EXP_FEATURE_EVENTS, skip);
4545 }
4546
4547 #define EXP_FEAT(_uuid, _set_func)      \
4548 {                                       \
4549         .uuid = _uuid,                  \
4550         .set_func = _set_func,          \
4551 }
4552
4553 /* The zero key uuid is special. Multiple exp features are set through it. */
4554 static int set_zero_key_func(struct sock *sk, struct hci_dev *hdev,
4555                              struct mgmt_cp_set_exp_feature *cp, u16 data_len)
4556 {
4557         struct mgmt_rp_set_exp_feature rp;
4558
4559         memset(rp.uuid, 0, 16);
4560         rp.flags = cpu_to_le32(0);
4561
4562 #ifdef CONFIG_BT_FEATURE_DEBUG
4563         if (!hdev) {
4564                 bool changed = bt_dbg_get();
4565
4566                 bt_dbg_set(false);
4567
4568                 if (changed)
4569                         exp_feature_changed(NULL, ZERO_KEY, false, sk);
4570         }
4571 #endif
4572
4573         if (hdev && use_ll_privacy(hdev) && !hdev_is_powered(hdev)) {
4574                 bool changed;
4575
4576                 changed = hci_dev_test_and_clear_flag(hdev,
4577                                                       HCI_ENABLE_LL_PRIVACY);
4578                 if (changed)
4579                         exp_feature_changed(hdev, rpa_resolution_uuid, false,
4580                                             sk);
4581         }
4582
4583         hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
4584
4585         return mgmt_cmd_complete(sk, hdev ? hdev->id : MGMT_INDEX_NONE,
4586                                  MGMT_OP_SET_EXP_FEATURE, 0,
4587                                  &rp, sizeof(rp));
4588 }
4589
4590 #ifdef CONFIG_BT_FEATURE_DEBUG
4591 static int set_debug_func(struct sock *sk, struct hci_dev *hdev,
4592                           struct mgmt_cp_set_exp_feature *cp, u16 data_len)
4593 {
4594         struct mgmt_rp_set_exp_feature rp;
4595
4596         bool val, changed;
4597         int err;
4598
4599         /* Command requires to use the non-controller index */
4600         if (hdev)
4601                 return mgmt_cmd_status(sk, hdev->id,
4602                                        MGMT_OP_SET_EXP_FEATURE,
4603                                        MGMT_STATUS_INVALID_INDEX);
4604
4605         /* Parameters are limited to a single octet */
4606         if (data_len != MGMT_SET_EXP_FEATURE_SIZE + 1)
4607                 return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4608                                        MGMT_OP_SET_EXP_FEATURE,
4609                                        MGMT_STATUS_INVALID_PARAMS);
4610
4611         /* Only boolean on/off is supported */
4612         if (cp->param[0] != 0x00 && cp->param[0] != 0x01)
4613                 return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4614                                        MGMT_OP_SET_EXP_FEATURE,
4615                                        MGMT_STATUS_INVALID_PARAMS);
4616
4617         val = !!cp->param[0];
4618         changed = val ? !bt_dbg_get() : bt_dbg_get();
4619         bt_dbg_set(val);
4620
4621         memcpy(rp.uuid, debug_uuid, 16);
4622         rp.flags = cpu_to_le32(val ? BIT(0) : 0);
4623
4624         hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
4625
4626         err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE,
4627                                 MGMT_OP_SET_EXP_FEATURE, 0,
4628                                 &rp, sizeof(rp));
4629
4630         if (changed)
4631                 exp_feature_changed(hdev, debug_uuid, val, sk);
4632
4633         return err;
4634 }
4635 #endif
4636
4637 static int set_mgmt_mesh_func(struct sock *sk, struct hci_dev *hdev,
4638                               struct mgmt_cp_set_exp_feature *cp, u16 data_len)
4639 {
4640         struct mgmt_rp_set_exp_feature rp;
4641         bool val, changed;
4642         int err;
4643
4644         /* Command requires to use the controller index */
4645         if (!hdev)
4646                 return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4647                                        MGMT_OP_SET_EXP_FEATURE,
4648                                        MGMT_STATUS_INVALID_INDEX);
4649
4650         /* Parameters are limited to a single octet */
4651         if (data_len != MGMT_SET_EXP_FEATURE_SIZE + 1)
4652                 return mgmt_cmd_status(sk, hdev->id,
4653                                        MGMT_OP_SET_EXP_FEATURE,
4654                                        MGMT_STATUS_INVALID_PARAMS);
4655
4656         /* Only boolean on/off is supported */
4657         if (cp->param[0] != 0x00 && cp->param[0] != 0x01)
4658                 return mgmt_cmd_status(sk, hdev->id,
4659                                        MGMT_OP_SET_EXP_FEATURE,
4660                                        MGMT_STATUS_INVALID_PARAMS);
4661
4662         val = !!cp->param[0];
4663
4664         if (val) {
4665                 changed = !hci_dev_test_and_set_flag(hdev,
4666                                                      HCI_MESH_EXPERIMENTAL);
4667         } else {
4668                 hci_dev_clear_flag(hdev, HCI_MESH);
4669                 changed = hci_dev_test_and_clear_flag(hdev,
4670                                                       HCI_MESH_EXPERIMENTAL);
4671         }
4672
4673         memcpy(rp.uuid, mgmt_mesh_uuid, 16);
4674         rp.flags = cpu_to_le32(val ? BIT(0) : 0);
4675
4676         hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
4677
4678         err = mgmt_cmd_complete(sk, hdev->id,
4679                                 MGMT_OP_SET_EXP_FEATURE, 0,
4680                                 &rp, sizeof(rp));
4681
4682         if (changed)
4683                 exp_feature_changed(hdev, mgmt_mesh_uuid, val, sk);
4684
4685         return err;
4686 }
4687
4688 static int set_rpa_resolution_func(struct sock *sk, struct hci_dev *hdev,
4689                                    struct mgmt_cp_set_exp_feature *cp,
4690                                    u16 data_len)
4691 {
4692         struct mgmt_rp_set_exp_feature rp;
4693         bool val, changed;
4694         int err;
4695         u32 flags;
4696
4697         /* Command requires to use the controller index */
4698         if (!hdev)
4699                 return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4700                                        MGMT_OP_SET_EXP_FEATURE,
4701                                        MGMT_STATUS_INVALID_INDEX);
4702
4703         /* Changes can only be made when controller is powered down */
4704         if (hdev_is_powered(hdev))
4705                 return mgmt_cmd_status(sk, hdev->id,
4706                                        MGMT_OP_SET_EXP_FEATURE,
4707                                        MGMT_STATUS_REJECTED);
4708
4709         /* Parameters are limited to a single octet */
4710         if (data_len != MGMT_SET_EXP_FEATURE_SIZE + 1)
4711                 return mgmt_cmd_status(sk, hdev->id,
4712                                        MGMT_OP_SET_EXP_FEATURE,
4713                                        MGMT_STATUS_INVALID_PARAMS);
4714
4715         /* Only boolean on/off is supported */
4716         if (cp->param[0] != 0x00 && cp->param[0] != 0x01)
4717                 return mgmt_cmd_status(sk, hdev->id,
4718                                        MGMT_OP_SET_EXP_FEATURE,
4719                                        MGMT_STATUS_INVALID_PARAMS);
4720
4721         val = !!cp->param[0];
4722
4723         if (val) {
4724                 changed = !hci_dev_test_and_set_flag(hdev,
4725                                                      HCI_ENABLE_LL_PRIVACY);
4726                 hci_dev_clear_flag(hdev, HCI_ADVERTISING);
4727
4728                 /* Enable LL privacy + supported settings changed */
4729                 flags = BIT(0) | BIT(1);
4730         } else {
4731                 changed = hci_dev_test_and_clear_flag(hdev,
4732                                                       HCI_ENABLE_LL_PRIVACY);
4733
4734                 /* Disable LL privacy + supported settings changed */
4735                 flags = BIT(1);
4736         }
4737
4738         memcpy(rp.uuid, rpa_resolution_uuid, 16);
4739         rp.flags = cpu_to_le32(flags);
4740
4741         hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
4742
4743         err = mgmt_cmd_complete(sk, hdev->id,
4744                                 MGMT_OP_SET_EXP_FEATURE, 0,
4745                                 &rp, sizeof(rp));
4746
4747         if (changed)
4748                 exp_ll_privacy_feature_changed(val, hdev, sk);
4749
4750         return err;
4751 }
4752
4753 static int set_quality_report_func(struct sock *sk, struct hci_dev *hdev,
4754                                    struct mgmt_cp_set_exp_feature *cp,
4755                                    u16 data_len)
4756 {
4757         struct mgmt_rp_set_exp_feature rp;
4758         bool val, changed;
4759         int err;
4760
4761         /* Command requires to use a valid controller index */
4762         if (!hdev)
4763                 return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4764                                        MGMT_OP_SET_EXP_FEATURE,
4765                                        MGMT_STATUS_INVALID_INDEX);
4766
4767         /* Parameters are limited to a single octet */
4768         if (data_len != MGMT_SET_EXP_FEATURE_SIZE + 1)
4769                 return mgmt_cmd_status(sk, hdev->id,
4770                                        MGMT_OP_SET_EXP_FEATURE,
4771                                        MGMT_STATUS_INVALID_PARAMS);
4772
4773         /* Only boolean on/off is supported */
4774         if (cp->param[0] != 0x00 && cp->param[0] != 0x01)
4775                 return mgmt_cmd_status(sk, hdev->id,
4776                                        MGMT_OP_SET_EXP_FEATURE,
4777                                        MGMT_STATUS_INVALID_PARAMS);
4778
4779         hci_req_sync_lock(hdev);
4780
4781         val = !!cp->param[0];
4782         changed = (val != hci_dev_test_flag(hdev, HCI_QUALITY_REPORT));
4783
4784         if (!aosp_has_quality_report(hdev) && !hdev->set_quality_report) {
4785                 err = mgmt_cmd_status(sk, hdev->id,
4786                                       MGMT_OP_SET_EXP_FEATURE,
4787                                       MGMT_STATUS_NOT_SUPPORTED);
4788                 goto unlock_quality_report;
4789         }
4790
4791         if (changed) {
4792                 if (hdev->set_quality_report)
4793                         err = hdev->set_quality_report(hdev, val);
4794                 else
4795                         err = aosp_set_quality_report(hdev, val);
4796
4797                 if (err) {
4798                         err = mgmt_cmd_status(sk, hdev->id,
4799                                               MGMT_OP_SET_EXP_FEATURE,
4800                                               MGMT_STATUS_FAILED);
4801                         goto unlock_quality_report;
4802                 }
4803
4804                 if (val)
4805                         hci_dev_set_flag(hdev, HCI_QUALITY_REPORT);
4806                 else
4807                         hci_dev_clear_flag(hdev, HCI_QUALITY_REPORT);
4808         }
4809
4810         bt_dev_dbg(hdev, "quality report enable %d changed %d", val, changed);
4811
4812         memcpy(rp.uuid, quality_report_uuid, 16);
4813         rp.flags = cpu_to_le32(val ? BIT(0) : 0);
4814         hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
4815
4816         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_EXP_FEATURE, 0,
4817                                 &rp, sizeof(rp));
4818
4819         if (changed)
4820                 exp_feature_changed(hdev, quality_report_uuid, val, sk);
4821
4822 unlock_quality_report:
4823         hci_req_sync_unlock(hdev);
4824         return err;
4825 }
4826
4827 static int set_offload_codec_func(struct sock *sk, struct hci_dev *hdev,
4828                                   struct mgmt_cp_set_exp_feature *cp,
4829                                   u16 data_len)
4830 {
4831         bool val, changed;
4832         int err;
4833         struct mgmt_rp_set_exp_feature rp;
4834
4835         /* Command requires to use a valid controller index */
4836         if (!hdev)
4837                 return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4838                                        MGMT_OP_SET_EXP_FEATURE,
4839                                        MGMT_STATUS_INVALID_INDEX);
4840
4841         /* Parameters are limited to a single octet */
4842         if (data_len != MGMT_SET_EXP_FEATURE_SIZE + 1)
4843                 return mgmt_cmd_status(sk, hdev->id,
4844                                        MGMT_OP_SET_EXP_FEATURE,
4845                                        MGMT_STATUS_INVALID_PARAMS);
4846
4847         /* Only boolean on/off is supported */
4848         if (cp->param[0] != 0x00 && cp->param[0] != 0x01)
4849                 return mgmt_cmd_status(sk, hdev->id,
4850                                        MGMT_OP_SET_EXP_FEATURE,
4851                                        MGMT_STATUS_INVALID_PARAMS);
4852
4853         val = !!cp->param[0];
4854         changed = (val != hci_dev_test_flag(hdev, HCI_OFFLOAD_CODECS_ENABLED));
4855
4856         if (!hdev->get_data_path_id) {
4857                 return mgmt_cmd_status(sk, hdev->id,
4858                                        MGMT_OP_SET_EXP_FEATURE,
4859                                        MGMT_STATUS_NOT_SUPPORTED);
4860         }
4861
4862         if (changed) {
4863                 if (val)
4864                         hci_dev_set_flag(hdev, HCI_OFFLOAD_CODECS_ENABLED);
4865                 else
4866                         hci_dev_clear_flag(hdev, HCI_OFFLOAD_CODECS_ENABLED);
4867         }
4868
4869         bt_dev_info(hdev, "offload codecs enable %d changed %d",
4870                     val, changed);
4871
4872         memcpy(rp.uuid, offload_codecs_uuid, 16);
4873         rp.flags = cpu_to_le32(val ? BIT(0) : 0);
4874         hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
4875         err = mgmt_cmd_complete(sk, hdev->id,
4876                                 MGMT_OP_SET_EXP_FEATURE, 0,
4877                                 &rp, sizeof(rp));
4878
4879         if (changed)
4880                 exp_feature_changed(hdev, offload_codecs_uuid, val, sk);
4881
4882         return err;
4883 }
4884
4885 static int set_le_simultaneous_roles_func(struct sock *sk, struct hci_dev *hdev,
4886                                           struct mgmt_cp_set_exp_feature *cp,
4887                                           u16 data_len)
4888 {
4889         bool val, changed;
4890         int err;
4891         struct mgmt_rp_set_exp_feature rp;
4892
4893         /* Command requires to use a valid controller index */
4894         if (!hdev)
4895                 return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4896                                        MGMT_OP_SET_EXP_FEATURE,
4897                                        MGMT_STATUS_INVALID_INDEX);
4898
4899         /* Parameters are limited to a single octet */
4900         if (data_len != MGMT_SET_EXP_FEATURE_SIZE + 1)
4901                 return mgmt_cmd_status(sk, hdev->id,
4902                                        MGMT_OP_SET_EXP_FEATURE,
4903                                        MGMT_STATUS_INVALID_PARAMS);
4904
4905         /* Only boolean on/off is supported */
4906         if (cp->param[0] != 0x00 && cp->param[0] != 0x01)
4907                 return mgmt_cmd_status(sk, hdev->id,
4908                                        MGMT_OP_SET_EXP_FEATURE,
4909                                        MGMT_STATUS_INVALID_PARAMS);
4910
4911         val = !!cp->param[0];
4912         changed = (val != hci_dev_test_flag(hdev, HCI_LE_SIMULTANEOUS_ROLES));
4913
4914         if (!hci_dev_le_state_simultaneous(hdev)) {
4915                 return mgmt_cmd_status(sk, hdev->id,
4916                                        MGMT_OP_SET_EXP_FEATURE,
4917                                        MGMT_STATUS_NOT_SUPPORTED);
4918         }
4919
4920         if (changed) {
4921                 if (val)
4922                         hci_dev_set_flag(hdev, HCI_LE_SIMULTANEOUS_ROLES);
4923                 else
4924                         hci_dev_clear_flag(hdev, HCI_LE_SIMULTANEOUS_ROLES);
4925         }
4926
4927         bt_dev_info(hdev, "LE simultaneous roles enable %d changed %d",
4928                     val, changed);
4929
4930         memcpy(rp.uuid, le_simultaneous_roles_uuid, 16);
4931         rp.flags = cpu_to_le32(val ? BIT(0) : 0);
4932         hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
4933         err = mgmt_cmd_complete(sk, hdev->id,
4934                                 MGMT_OP_SET_EXP_FEATURE, 0,
4935                                 &rp, sizeof(rp));
4936
4937         if (changed)
4938                 exp_feature_changed(hdev, le_simultaneous_roles_uuid, val, sk);
4939
4940         return err;
4941 }
4942
4943 #ifdef CONFIG_BT_LE
4944 static int set_iso_socket_func(struct sock *sk, struct hci_dev *hdev,
4945                                struct mgmt_cp_set_exp_feature *cp, u16 data_len)
4946 {
4947         struct mgmt_rp_set_exp_feature rp;
4948         bool val, changed = false;
4949         int err;
4950
4951         /* Command requires to use the non-controller index */
4952         if (hdev)
4953                 return mgmt_cmd_status(sk, hdev->id,
4954                                        MGMT_OP_SET_EXP_FEATURE,
4955                                        MGMT_STATUS_INVALID_INDEX);
4956
4957         /* Parameters are limited to a single octet */
4958         if (data_len != MGMT_SET_EXP_FEATURE_SIZE + 1)
4959                 return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4960                                        MGMT_OP_SET_EXP_FEATURE,
4961                                        MGMT_STATUS_INVALID_PARAMS);
4962
4963         /* Only boolean on/off is supported */
4964         if (cp->param[0] != 0x00 && cp->param[0] != 0x01)
4965                 return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4966                                        MGMT_OP_SET_EXP_FEATURE,
4967                                        MGMT_STATUS_INVALID_PARAMS);
4968
4969         val = cp->param[0] ? true : false;
4970         if (val)
4971                 err = iso_init();
4972         else
4973                 err = iso_exit();
4974
4975         if (!err)
4976                 changed = true;
4977
4978         memcpy(rp.uuid, iso_socket_uuid, 16);
4979         rp.flags = cpu_to_le32(val ? BIT(0) : 0);
4980
4981         hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
4982
4983         err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE,
4984                                 MGMT_OP_SET_EXP_FEATURE, 0,
4985                                 &rp, sizeof(rp));
4986
4987         if (changed)
4988                 exp_feature_changed(hdev, iso_socket_uuid, val, sk);
4989
4990         return err;
4991 }
4992 #endif
4993
4994 static const struct mgmt_exp_feature {
4995         const u8 *uuid;
4996         int (*set_func)(struct sock *sk, struct hci_dev *hdev,
4997                         struct mgmt_cp_set_exp_feature *cp, u16 data_len);
4998 } exp_features[] = {
4999         EXP_FEAT(ZERO_KEY, set_zero_key_func),
5000 #ifdef CONFIG_BT_FEATURE_DEBUG
5001         EXP_FEAT(debug_uuid, set_debug_func),
5002 #endif
5003         EXP_FEAT(mgmt_mesh_uuid, set_mgmt_mesh_func),
5004         EXP_FEAT(rpa_resolution_uuid, set_rpa_resolution_func),
5005         EXP_FEAT(quality_report_uuid, set_quality_report_func),
5006         EXP_FEAT(offload_codecs_uuid, set_offload_codec_func),
5007         EXP_FEAT(le_simultaneous_roles_uuid, set_le_simultaneous_roles_func),
5008 #ifdef CONFIG_BT_LE
5009         EXP_FEAT(iso_socket_uuid, set_iso_socket_func),
5010 #endif
5011
5012         /* end with a null feature */
5013         EXP_FEAT(NULL, NULL)
5014 };
5015
5016 static int set_exp_feature(struct sock *sk, struct hci_dev *hdev,
5017                            void *data, u16 data_len)
5018 {
5019         struct mgmt_cp_set_exp_feature *cp = data;
5020         size_t i = 0;
5021
5022         bt_dev_dbg(hdev, "sock %p", sk);
5023
5024         for (i = 0; exp_features[i].uuid; i++) {
5025                 if (!memcmp(cp->uuid, exp_features[i].uuid, 16))
5026                         return exp_features[i].set_func(sk, hdev, cp, data_len);
5027         }
5028
5029         return mgmt_cmd_status(sk, hdev ? hdev->id : MGMT_INDEX_NONE,
5030                                MGMT_OP_SET_EXP_FEATURE,
5031                                MGMT_STATUS_NOT_SUPPORTED);
5032 }
5033
5034 static u32 get_params_flags(struct hci_dev *hdev,
5035                             struct hci_conn_params *params)
5036 {
5037         u32 flags = hdev->conn_flags;
5038
5039         /* Devices using RPAs can only be programmed in the acceptlist if
5040          * LL Privacy has been enable otherwise they cannot mark
5041          * HCI_CONN_FLAG_REMOTE_WAKEUP.
5042          */
5043         if ((flags & HCI_CONN_FLAG_REMOTE_WAKEUP) && !use_ll_privacy(hdev) &&
5044             hci_find_irk_by_addr(hdev, &params->addr, params->addr_type))
5045                 flags &= ~HCI_CONN_FLAG_REMOTE_WAKEUP;
5046
5047         return flags;
5048 }
5049
5050 static int get_device_flags(struct sock *sk, struct hci_dev *hdev, void *data,
5051                             u16 data_len)
5052 {
5053         struct mgmt_cp_get_device_flags *cp = data;
5054         struct mgmt_rp_get_device_flags rp;
5055         struct bdaddr_list_with_flags *br_params;
5056         struct hci_conn_params *params;
5057         u32 supported_flags;
5058         u32 current_flags = 0;
5059         u8 status = MGMT_STATUS_INVALID_PARAMS;
5060
5061         bt_dev_dbg(hdev, "Get device flags %pMR (type 0x%x)\n",
5062                    &cp->addr.bdaddr, cp->addr.type);
5063
5064         hci_dev_lock(hdev);
5065
5066         supported_flags = hdev->conn_flags;
5067
5068         memset(&rp, 0, sizeof(rp));
5069
5070         if (cp->addr.type == BDADDR_BREDR) {
5071                 br_params = hci_bdaddr_list_lookup_with_flags(&hdev->accept_list,
5072                                                               &cp->addr.bdaddr,
5073                                                               cp->addr.type);
5074                 if (!br_params)
5075                         goto done;
5076
5077                 current_flags = br_params->flags;
5078         } else {
5079                 params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr,
5080                                                 le_addr_type(cp->addr.type));
5081                 if (!params)
5082                         goto done;
5083
5084                 supported_flags = get_params_flags(hdev, params);
5085                 current_flags = params->flags;
5086         }
5087
5088         bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
5089         rp.addr.type = cp->addr.type;
5090         rp.supported_flags = cpu_to_le32(supported_flags);
5091         rp.current_flags = cpu_to_le32(current_flags);
5092
5093         status = MGMT_STATUS_SUCCESS;
5094
5095 done:
5096         hci_dev_unlock(hdev);
5097
5098         return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_DEVICE_FLAGS, status,
5099                                 &rp, sizeof(rp));
5100 }
5101
5102 static void device_flags_changed(struct sock *sk, struct hci_dev *hdev,
5103                                  bdaddr_t *bdaddr, u8 bdaddr_type,
5104                                  u32 supported_flags, u32 current_flags)
5105 {
5106         struct mgmt_ev_device_flags_changed ev;
5107
5108         bacpy(&ev.addr.bdaddr, bdaddr);
5109         ev.addr.type = bdaddr_type;
5110         ev.supported_flags = cpu_to_le32(supported_flags);
5111         ev.current_flags = cpu_to_le32(current_flags);
5112
5113         mgmt_event(MGMT_EV_DEVICE_FLAGS_CHANGED, hdev, &ev, sizeof(ev), sk);
5114 }
5115
5116 static int set_device_flags(struct sock *sk, struct hci_dev *hdev, void *data,
5117                             u16 len)
5118 {
5119         struct mgmt_cp_set_device_flags *cp = data;
5120         struct bdaddr_list_with_flags *br_params;
5121         struct hci_conn_params *params;
5122         u8 status = MGMT_STATUS_INVALID_PARAMS;
5123         u32 supported_flags;
5124         u32 current_flags = __le32_to_cpu(cp->current_flags);
5125
5126         bt_dev_dbg(hdev, "Set device flags %pMR (type 0x%x) = 0x%x",
5127                    &cp->addr.bdaddr, cp->addr.type, current_flags);
5128
5129         // We should take hci_dev_lock() early, I think.. conn_flags can change
5130         supported_flags = hdev->conn_flags;
5131
5132         if ((supported_flags | current_flags) != supported_flags) {
5133                 bt_dev_warn(hdev, "Bad flag given (0x%x) vs supported (0x%0x)",
5134                             current_flags, supported_flags);
5135                 goto done;
5136         }
5137
5138         hci_dev_lock(hdev);
5139
5140         if (cp->addr.type == BDADDR_BREDR) {
5141                 br_params = hci_bdaddr_list_lookup_with_flags(&hdev->accept_list,
5142                                                               &cp->addr.bdaddr,
5143                                                               cp->addr.type);
5144
5145                 if (br_params) {
5146                         br_params->flags = current_flags;
5147                         status = MGMT_STATUS_SUCCESS;
5148                 } else {
5149                         bt_dev_warn(hdev, "No such BR/EDR device %pMR (0x%x)",
5150                                     &cp->addr.bdaddr, cp->addr.type);
5151                 }
5152
5153                 goto unlock;
5154         }
5155
5156         params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr,
5157                                         le_addr_type(cp->addr.type));
5158         if (!params) {
5159                 bt_dev_warn(hdev, "No such LE device %pMR (0x%x)",
5160                             &cp->addr.bdaddr, le_addr_type(cp->addr.type));
5161                 goto unlock;
5162         }
5163
5164         supported_flags = get_params_flags(hdev, params);
5165
5166         if ((supported_flags | current_flags) != supported_flags) {
5167                 bt_dev_warn(hdev, "Bad flag given (0x%x) vs supported (0x%0x)",
5168                             current_flags, supported_flags);
5169                 goto unlock;
5170         }
5171
5172         params->flags = current_flags;
5173         status = MGMT_STATUS_SUCCESS;
5174
5175         /* Update passive scan if HCI_CONN_FLAG_DEVICE_PRIVACY
5176          * has been set.
5177          */
5178         if (params->flags & HCI_CONN_FLAG_DEVICE_PRIVACY)
5179                 hci_update_passive_scan(hdev);
5180
5181 unlock:
5182         hci_dev_unlock(hdev);
5183
5184 done:
5185         if (status == MGMT_STATUS_SUCCESS)
5186                 device_flags_changed(sk, hdev, &cp->addr.bdaddr, cp->addr.type,
5187                                      supported_flags, current_flags);
5188
5189         return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_DEVICE_FLAGS, status,
5190                                  &cp->addr, sizeof(cp->addr));
5191 }
5192
5193 static void mgmt_adv_monitor_added(struct sock *sk, struct hci_dev *hdev,
5194                                    u16 handle)
5195 {
5196         struct mgmt_ev_adv_monitor_added ev;
5197
5198         ev.monitor_handle = cpu_to_le16(handle);
5199
5200         mgmt_event(MGMT_EV_ADV_MONITOR_ADDED, hdev, &ev, sizeof(ev), sk);
5201 }
5202
5203 void mgmt_adv_monitor_removed(struct hci_dev *hdev, u16 handle)
5204 {
5205         struct mgmt_ev_adv_monitor_removed ev;
5206         struct mgmt_pending_cmd *cmd;
5207         struct sock *sk_skip = NULL;
5208         struct mgmt_cp_remove_adv_monitor *cp;
5209
5210         cmd = pending_find(MGMT_OP_REMOVE_ADV_MONITOR, hdev);
5211         if (cmd) {
5212                 cp = cmd->param;
5213
5214                 if (cp->monitor_handle)
5215                         sk_skip = cmd->sk;
5216         }
5217
5218         ev.monitor_handle = cpu_to_le16(handle);
5219
5220         mgmt_event(MGMT_EV_ADV_MONITOR_REMOVED, hdev, &ev, sizeof(ev), sk_skip);
5221 }
5222
5223 static int read_adv_mon_features(struct sock *sk, struct hci_dev *hdev,
5224                                  void *data, u16 len)
5225 {
5226         struct adv_monitor *monitor = NULL;
5227         struct mgmt_rp_read_adv_monitor_features *rp = NULL;
5228         int handle, err;
5229         size_t rp_size = 0;
5230         __u32 supported = 0;
5231         __u32 enabled = 0;
5232         __u16 num_handles = 0;
5233         __u16 handles[HCI_MAX_ADV_MONITOR_NUM_HANDLES];
5234
5235         BT_DBG("request for %s", hdev->name);
5236
5237         hci_dev_lock(hdev);
5238
5239         if (msft_monitor_supported(hdev))
5240                 supported |= MGMT_ADV_MONITOR_FEATURE_MASK_OR_PATTERNS;
5241
5242         idr_for_each_entry(&hdev->adv_monitors_idr, monitor, handle)
5243                 handles[num_handles++] = monitor->handle;
5244
5245         hci_dev_unlock(hdev);
5246
5247         rp_size = sizeof(*rp) + (num_handles * sizeof(u16));
5248         rp = kmalloc(rp_size, GFP_KERNEL);
5249         if (!rp)
5250                 return -ENOMEM;
5251
5252         /* All supported features are currently enabled */
5253         enabled = supported;
5254
5255         rp->supported_features = cpu_to_le32(supported);
5256         rp->enabled_features = cpu_to_le32(enabled);
5257         rp->max_num_handles = cpu_to_le16(HCI_MAX_ADV_MONITOR_NUM_HANDLES);
5258         rp->max_num_patterns = HCI_MAX_ADV_MONITOR_NUM_PATTERNS;
5259         rp->num_handles = cpu_to_le16(num_handles);
5260         if (num_handles)
5261                 memcpy(&rp->handles, &handles, (num_handles * sizeof(u16)));
5262
5263         err = mgmt_cmd_complete(sk, hdev->id,
5264                                 MGMT_OP_READ_ADV_MONITOR_FEATURES,
5265                                 MGMT_STATUS_SUCCESS, rp, rp_size);
5266
5267         kfree(rp);
5268
5269         return err;
5270 }
5271
5272 static void mgmt_add_adv_patterns_monitor_complete(struct hci_dev *hdev,
5273                                                    void *data, int status)
5274 {
5275         struct mgmt_rp_add_adv_patterns_monitor rp;
5276         struct mgmt_pending_cmd *cmd = data;
5277         struct adv_monitor *monitor = cmd->user_data;
5278
5279         hci_dev_lock(hdev);
5280
5281         rp.monitor_handle = cpu_to_le16(monitor->handle);
5282
5283         if (!status) {
5284                 mgmt_adv_monitor_added(cmd->sk, hdev, monitor->handle);
5285                 hdev->adv_monitors_cnt++;
5286                 if (monitor->state == ADV_MONITOR_STATE_NOT_REGISTERED)
5287                         monitor->state = ADV_MONITOR_STATE_REGISTERED;
5288                 hci_update_passive_scan(hdev);
5289         }
5290
5291         mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
5292                           mgmt_status(status), &rp, sizeof(rp));
5293         mgmt_pending_remove(cmd);
5294
5295         hci_dev_unlock(hdev);
5296         bt_dev_dbg(hdev, "add monitor %d complete, status %d",
5297                    rp.monitor_handle, status);
5298 }
5299
5300 static int mgmt_add_adv_patterns_monitor_sync(struct hci_dev *hdev, void *data)
5301 {
5302         struct mgmt_pending_cmd *cmd = data;
5303         struct adv_monitor *monitor = cmd->user_data;
5304
5305         return hci_add_adv_monitor(hdev, monitor);
5306 }
5307
5308 static int __add_adv_patterns_monitor(struct sock *sk, struct hci_dev *hdev,
5309                                       struct adv_monitor *m, u8 status,
5310                                       void *data, u16 len, u16 op)
5311 {
5312         struct mgmt_pending_cmd *cmd;
5313         int err;
5314
5315         hci_dev_lock(hdev);
5316
5317         if (status)
5318                 goto unlock;
5319
5320         if (pending_find(MGMT_OP_SET_LE, hdev) ||
5321             pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR, hdev) ||
5322             pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR_RSSI, hdev) ||
5323             pending_find(MGMT_OP_REMOVE_ADV_MONITOR, hdev)) {
5324                 status = MGMT_STATUS_BUSY;
5325                 goto unlock;
5326         }
5327
5328         cmd = mgmt_pending_add(sk, op, hdev, data, len);
5329         if (!cmd) {
5330                 status = MGMT_STATUS_NO_RESOURCES;
5331                 goto unlock;
5332         }
5333
5334         cmd->user_data = m;
5335         err = hci_cmd_sync_queue(hdev, mgmt_add_adv_patterns_monitor_sync, cmd,
5336                                  mgmt_add_adv_patterns_monitor_complete);
5337         if (err) {
5338                 if (err == -ENOMEM)
5339                         status = MGMT_STATUS_NO_RESOURCES;
5340                 else
5341                         status = MGMT_STATUS_FAILED;
5342
5343                 goto unlock;
5344         }
5345
5346         hci_dev_unlock(hdev);
5347
5348         return 0;
5349
5350 unlock:
5351         hci_free_adv_monitor(hdev, m);
5352         hci_dev_unlock(hdev);
5353         return mgmt_cmd_status(sk, hdev->id, op, status);
5354 }
5355
5356 static void parse_adv_monitor_rssi(struct adv_monitor *m,
5357                                    struct mgmt_adv_rssi_thresholds *rssi)
5358 {
5359         if (rssi) {
5360                 m->rssi.low_threshold = rssi->low_threshold;
5361                 m->rssi.low_threshold_timeout =
5362                     __le16_to_cpu(rssi->low_threshold_timeout);
5363                 m->rssi.high_threshold = rssi->high_threshold;
5364                 m->rssi.high_threshold_timeout =
5365                     __le16_to_cpu(rssi->high_threshold_timeout);
5366                 m->rssi.sampling_period = rssi->sampling_period;
5367         } else {
5368                 /* Default values. These numbers are the least constricting
5369                  * parameters for MSFT API to work, so it behaves as if there
5370                  * are no rssi parameter to consider. May need to be changed
5371                  * if other API are to be supported.
5372                  */
5373                 m->rssi.low_threshold = -127;
5374                 m->rssi.low_threshold_timeout = 60;
5375                 m->rssi.high_threshold = -127;
5376                 m->rssi.high_threshold_timeout = 0;
5377                 m->rssi.sampling_period = 0;
5378         }
5379 }
5380
5381 static u8 parse_adv_monitor_pattern(struct adv_monitor *m, u8 pattern_count,
5382                                     struct mgmt_adv_pattern *patterns)
5383 {
5384         u8 offset = 0, length = 0;
5385         struct adv_pattern *p = NULL;
5386         int i;
5387
5388         for (i = 0; i < pattern_count; i++) {
5389                 offset = patterns[i].offset;
5390                 length = patterns[i].length;
5391                 if (offset >= HCI_MAX_AD_LENGTH ||
5392                     length > HCI_MAX_AD_LENGTH ||
5393                     (offset + length) > HCI_MAX_AD_LENGTH)
5394                         return MGMT_STATUS_INVALID_PARAMS;
5395
5396                 p = kmalloc(sizeof(*p), GFP_KERNEL);
5397                 if (!p)
5398                         return MGMT_STATUS_NO_RESOURCES;
5399
5400                 p->ad_type = patterns[i].ad_type;
5401                 p->offset = patterns[i].offset;
5402                 p->length = patterns[i].length;
5403                 memcpy(p->value, patterns[i].value, p->length);
5404
5405                 INIT_LIST_HEAD(&p->list);
5406                 list_add(&p->list, &m->patterns);
5407         }
5408
5409         return MGMT_STATUS_SUCCESS;
5410 }
5411
5412 static int add_adv_patterns_monitor(struct sock *sk, struct hci_dev *hdev,
5413                                     void *data, u16 len)
5414 {
5415         struct mgmt_cp_add_adv_patterns_monitor *cp = data;
5416         struct adv_monitor *m = NULL;
5417         u8 status = MGMT_STATUS_SUCCESS;
5418         size_t expected_size = sizeof(*cp);
5419
5420         BT_DBG("request for %s", hdev->name);
5421
5422         if (len <= sizeof(*cp)) {
5423                 status = MGMT_STATUS_INVALID_PARAMS;
5424                 goto done;
5425         }
5426
5427         expected_size += cp->pattern_count * sizeof(struct mgmt_adv_pattern);
5428         if (len != expected_size) {
5429                 status = MGMT_STATUS_INVALID_PARAMS;
5430                 goto done;
5431         }
5432
5433         m = kzalloc(sizeof(*m), GFP_KERNEL);
5434         if (!m) {
5435                 status = MGMT_STATUS_NO_RESOURCES;
5436                 goto done;
5437         }
5438
5439         INIT_LIST_HEAD(&m->patterns);
5440
5441         parse_adv_monitor_rssi(m, NULL);
5442         status = parse_adv_monitor_pattern(m, cp->pattern_count, cp->patterns);
5443
5444 done:
5445         return __add_adv_patterns_monitor(sk, hdev, m, status, data, len,
5446                                           MGMT_OP_ADD_ADV_PATTERNS_MONITOR);
5447 }
5448
5449 static int add_adv_patterns_monitor_rssi(struct sock *sk, struct hci_dev *hdev,
5450                                          void *data, u16 len)
5451 {
5452         struct mgmt_cp_add_adv_patterns_monitor_rssi *cp = data;
5453         struct adv_monitor *m = NULL;
5454         u8 status = MGMT_STATUS_SUCCESS;
5455         size_t expected_size = sizeof(*cp);
5456
5457         BT_DBG("request for %s", hdev->name);
5458
5459         if (len <= sizeof(*cp)) {
5460                 status = MGMT_STATUS_INVALID_PARAMS;
5461                 goto done;
5462         }
5463
5464         expected_size += cp->pattern_count * sizeof(struct mgmt_adv_pattern);
5465         if (len != expected_size) {
5466                 status = MGMT_STATUS_INVALID_PARAMS;
5467                 goto done;
5468         }
5469
5470         m = kzalloc(sizeof(*m), GFP_KERNEL);
5471         if (!m) {
5472                 status = MGMT_STATUS_NO_RESOURCES;
5473                 goto done;
5474         }
5475
5476         INIT_LIST_HEAD(&m->patterns);
5477
5478         parse_adv_monitor_rssi(m, &cp->rssi);
5479         status = parse_adv_monitor_pattern(m, cp->pattern_count, cp->patterns);
5480
5481 done:
5482         return __add_adv_patterns_monitor(sk, hdev, m, status, data, len,
5483                                          MGMT_OP_ADD_ADV_PATTERNS_MONITOR_RSSI);
5484 }
5485
5486 static void mgmt_remove_adv_monitor_complete(struct hci_dev *hdev,
5487                                              void *data, int status)
5488 {
5489         struct mgmt_rp_remove_adv_monitor rp;
5490         struct mgmt_pending_cmd *cmd = data;
5491         struct mgmt_cp_remove_adv_monitor *cp = cmd->param;
5492
5493         hci_dev_lock(hdev);
5494
5495         rp.monitor_handle = cp->monitor_handle;
5496
5497         if (!status)
5498                 hci_update_passive_scan(hdev);
5499
5500         mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
5501                           mgmt_status(status), &rp, sizeof(rp));
5502         mgmt_pending_remove(cmd);
5503
5504         hci_dev_unlock(hdev);
5505         bt_dev_dbg(hdev, "remove monitor %d complete, status %d",
5506                    rp.monitor_handle, status);
5507 }
5508
5509 static int mgmt_remove_adv_monitor_sync(struct hci_dev *hdev, void *data)
5510 {
5511         struct mgmt_pending_cmd *cmd = data;
5512         struct mgmt_cp_remove_adv_monitor *cp = cmd->param;
5513         u16 handle = __le16_to_cpu(cp->monitor_handle);
5514
5515         if (!handle)
5516                 return hci_remove_all_adv_monitor(hdev);
5517
5518         return hci_remove_single_adv_monitor(hdev, handle);
5519 }
5520
5521 static int remove_adv_monitor(struct sock *sk, struct hci_dev *hdev,
5522                               void *data, u16 len)
5523 {
5524         struct mgmt_pending_cmd *cmd;
5525         int err, status;
5526
5527         hci_dev_lock(hdev);
5528
5529         if (pending_find(MGMT_OP_SET_LE, hdev) ||
5530             pending_find(MGMT_OP_REMOVE_ADV_MONITOR, hdev) ||
5531             pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR, hdev) ||
5532             pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR_RSSI, hdev)) {
5533                 status = MGMT_STATUS_BUSY;
5534                 goto unlock;
5535         }
5536
5537         cmd = mgmt_pending_add(sk, MGMT_OP_REMOVE_ADV_MONITOR, hdev, data, len);
5538         if (!cmd) {
5539                 status = MGMT_STATUS_NO_RESOURCES;
5540                 goto unlock;
5541         }
5542
5543         err = hci_cmd_sync_queue(hdev, mgmt_remove_adv_monitor_sync, cmd,
5544                                  mgmt_remove_adv_monitor_complete);
5545
5546         if (err) {
5547                 mgmt_pending_remove(cmd);
5548
5549                 if (err == -ENOMEM)
5550                         status = MGMT_STATUS_NO_RESOURCES;
5551                 else
5552                         status = MGMT_STATUS_FAILED;
5553
5554                 goto unlock;
5555         }
5556
5557         hci_dev_unlock(hdev);
5558
5559         return 0;
5560
5561 unlock:
5562         hci_dev_unlock(hdev);
5563         return mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_ADV_MONITOR,
5564                                status);
5565 }
5566
5567 static void read_local_oob_data_complete(struct hci_dev *hdev, void *data, int err)
5568 {
5569         struct mgmt_rp_read_local_oob_data mgmt_rp;
5570         size_t rp_size = sizeof(mgmt_rp);
5571         struct mgmt_pending_cmd *cmd = data;
5572         struct sk_buff *skb = cmd->skb;
5573         u8 status = mgmt_status(err);
5574
5575         if (!status) {
5576                 if (!skb)
5577                         status = MGMT_STATUS_FAILED;
5578                 else if (IS_ERR(skb))
5579                         status = mgmt_status(PTR_ERR(skb));
5580                 else
5581                         status = mgmt_status(skb->data[0]);
5582         }
5583
5584         bt_dev_dbg(hdev, "status %d", status);
5585
5586         if (status) {
5587                 mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA, status);
5588                 goto remove;
5589         }
5590
5591         memset(&mgmt_rp, 0, sizeof(mgmt_rp));
5592
5593         if (!bredr_sc_enabled(hdev)) {
5594                 struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
5595
5596                 if (skb->len < sizeof(*rp)) {
5597                         mgmt_cmd_status(cmd->sk, hdev->id,
5598                                         MGMT_OP_READ_LOCAL_OOB_DATA,
5599                                         MGMT_STATUS_FAILED);
5600                         goto remove;
5601                 }
5602
5603                 memcpy(mgmt_rp.hash192, rp->hash, sizeof(rp->hash));
5604                 memcpy(mgmt_rp.rand192, rp->rand, sizeof(rp->rand));
5605
5606                 rp_size -= sizeof(mgmt_rp.hash256) + sizeof(mgmt_rp.rand256);
5607         } else {
5608                 struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
5609
5610                 if (skb->len < sizeof(*rp)) {
5611                         mgmt_cmd_status(cmd->sk, hdev->id,
5612                                         MGMT_OP_READ_LOCAL_OOB_DATA,
5613                                         MGMT_STATUS_FAILED);
5614                         goto remove;
5615                 }
5616
5617                 memcpy(mgmt_rp.hash192, rp->hash192, sizeof(rp->hash192));
5618                 memcpy(mgmt_rp.rand192, rp->rand192, sizeof(rp->rand192));
5619
5620                 memcpy(mgmt_rp.hash256, rp->hash256, sizeof(rp->hash256));
5621                 memcpy(mgmt_rp.rand256, rp->rand256, sizeof(rp->rand256));
5622         }
5623
5624         mgmt_cmd_complete(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
5625                           MGMT_STATUS_SUCCESS, &mgmt_rp, rp_size);
5626
5627 remove:
5628         if (skb && !IS_ERR(skb))
5629                 kfree_skb(skb);
5630
5631         mgmt_pending_free(cmd);
5632 }
5633
5634 static int read_local_oob_data_sync(struct hci_dev *hdev, void *data)
5635 {
5636         struct mgmt_pending_cmd *cmd = data;
5637
5638         if (bredr_sc_enabled(hdev))
5639                 cmd->skb = hci_read_local_oob_data_sync(hdev, true, cmd->sk);
5640         else
5641                 cmd->skb = hci_read_local_oob_data_sync(hdev, false, cmd->sk);
5642
5643         if (IS_ERR(cmd->skb))
5644                 return PTR_ERR(cmd->skb);
5645         else
5646                 return 0;
5647 }
5648
5649 static int read_local_oob_data(struct sock *sk, struct hci_dev *hdev,
5650                                void *data, u16 data_len)
5651 {
5652         struct mgmt_pending_cmd *cmd;
5653         int err;
5654
5655         bt_dev_dbg(hdev, "sock %p", sk);
5656
5657         hci_dev_lock(hdev);
5658
5659         if (!hdev_is_powered(hdev)) {
5660                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
5661                                       MGMT_STATUS_NOT_POWERED);
5662                 goto unlock;
5663         }
5664
5665         if (!lmp_ssp_capable(hdev)) {
5666                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
5667                                       MGMT_STATUS_NOT_SUPPORTED);
5668                 goto unlock;
5669         }
5670
5671         cmd = mgmt_pending_new(sk, MGMT_OP_READ_LOCAL_OOB_DATA, hdev, NULL, 0);
5672         if (!cmd)
5673                 err = -ENOMEM;
5674         else
5675                 err = hci_cmd_sync_queue(hdev, read_local_oob_data_sync, cmd,
5676                                          read_local_oob_data_complete);
5677
5678         if (err < 0) {
5679                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
5680                                       MGMT_STATUS_FAILED);
5681
5682                 if (cmd)
5683                         mgmt_pending_free(cmd);
5684         }
5685
5686 unlock:
5687         hci_dev_unlock(hdev);
5688         return err;
5689 }
5690
5691 static int add_remote_oob_data(struct sock *sk, struct hci_dev *hdev,
5692                                void *data, u16 len)
5693 {
5694         struct mgmt_addr_info *addr = data;
5695         int err;
5696
5697         bt_dev_dbg(hdev, "sock %p", sk);
5698
5699         if (!bdaddr_type_is_valid(addr->type))
5700                 return mgmt_cmd_complete(sk, hdev->id,
5701                                          MGMT_OP_ADD_REMOTE_OOB_DATA,
5702                                          MGMT_STATUS_INVALID_PARAMS,
5703                                          addr, sizeof(*addr));
5704
5705         hci_dev_lock(hdev);
5706
5707         if (len == MGMT_ADD_REMOTE_OOB_DATA_SIZE) {
5708                 struct mgmt_cp_add_remote_oob_data *cp = data;
5709                 u8 status;
5710
5711                 if (cp->addr.type != BDADDR_BREDR) {
5712                         err = mgmt_cmd_complete(sk, hdev->id,
5713                                                 MGMT_OP_ADD_REMOTE_OOB_DATA,
5714                                                 MGMT_STATUS_INVALID_PARAMS,
5715                                                 &cp->addr, sizeof(cp->addr));
5716                         goto unlock;
5717                 }
5718
5719                 err = hci_add_remote_oob_data(hdev, &cp->addr.bdaddr,
5720                                               cp->addr.type, cp->hash,
5721                                               cp->rand, NULL, NULL);
5722                 if (err < 0)
5723                         status = MGMT_STATUS_FAILED;
5724                 else
5725                         status = MGMT_STATUS_SUCCESS;
5726
5727                 err = mgmt_cmd_complete(sk, hdev->id,
5728                                         MGMT_OP_ADD_REMOTE_OOB_DATA, status,
5729                                         &cp->addr, sizeof(cp->addr));
5730         } else if (len == MGMT_ADD_REMOTE_OOB_EXT_DATA_SIZE) {
5731                 struct mgmt_cp_add_remote_oob_ext_data *cp = data;
5732                 u8 *rand192, *hash192, *rand256, *hash256;
5733                 u8 status;
5734
5735                 if (bdaddr_type_is_le(cp->addr.type)) {
5736                         /* Enforce zero-valued 192-bit parameters as
5737                          * long as legacy SMP OOB isn't implemented.
5738                          */
5739                         if (memcmp(cp->rand192, ZERO_KEY, 16) ||
5740                             memcmp(cp->hash192, ZERO_KEY, 16)) {
5741                                 err = mgmt_cmd_complete(sk, hdev->id,
5742                                                         MGMT_OP_ADD_REMOTE_OOB_DATA,
5743                                                         MGMT_STATUS_INVALID_PARAMS,
5744                                                         addr, sizeof(*addr));
5745                                 goto unlock;
5746                         }
5747
5748                         rand192 = NULL;
5749                         hash192 = NULL;
5750                 } else {
5751                         /* In case one of the P-192 values is set to zero,
5752                          * then just disable OOB data for P-192.
5753                          */
5754                         if (!memcmp(cp->rand192, ZERO_KEY, 16) ||
5755                             !memcmp(cp->hash192, ZERO_KEY, 16)) {
5756                                 rand192 = NULL;
5757                                 hash192 = NULL;
5758                         } else {
5759                                 rand192 = cp->rand192;
5760                                 hash192 = cp->hash192;
5761                         }
5762                 }
5763
5764                 /* In case one of the P-256 values is set to zero, then just
5765                  * disable OOB data for P-256.
5766                  */
5767                 if (!memcmp(cp->rand256, ZERO_KEY, 16) ||
5768                     !memcmp(cp->hash256, ZERO_KEY, 16)) {
5769                         rand256 = NULL;
5770                         hash256 = NULL;
5771                 } else {
5772                         rand256 = cp->rand256;
5773                         hash256 = cp->hash256;
5774                 }
5775
5776                 err = hci_add_remote_oob_data(hdev, &cp->addr.bdaddr,
5777                                               cp->addr.type, hash192, rand192,
5778                                               hash256, rand256);
5779                 if (err < 0)
5780                         status = MGMT_STATUS_FAILED;
5781                 else
5782                         status = MGMT_STATUS_SUCCESS;
5783
5784                 err = mgmt_cmd_complete(sk, hdev->id,
5785                                         MGMT_OP_ADD_REMOTE_OOB_DATA,
5786                                         status, &cp->addr, sizeof(cp->addr));
5787         } else {
5788                 bt_dev_err(hdev, "add_remote_oob_data: invalid len of %u bytes",
5789                            len);
5790                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_REMOTE_OOB_DATA,
5791                                       MGMT_STATUS_INVALID_PARAMS);
5792         }
5793
5794 unlock:
5795         hci_dev_unlock(hdev);
5796         return err;
5797 }
5798
5799 static int remove_remote_oob_data(struct sock *sk, struct hci_dev *hdev,
5800                                   void *data, u16 len)
5801 {
5802         struct mgmt_cp_remove_remote_oob_data *cp = data;
5803         u8 status;
5804         int err;
5805
5806         bt_dev_dbg(hdev, "sock %p", sk);
5807
5808         if (cp->addr.type != BDADDR_BREDR)
5809                 return mgmt_cmd_complete(sk, hdev->id,
5810                                          MGMT_OP_REMOVE_REMOTE_OOB_DATA,
5811                                          MGMT_STATUS_INVALID_PARAMS,
5812                                          &cp->addr, sizeof(cp->addr));
5813
5814         hci_dev_lock(hdev);
5815
5816         if (!bacmp(&cp->addr.bdaddr, BDADDR_ANY)) {
5817                 hci_remote_oob_data_clear(hdev);
5818                 status = MGMT_STATUS_SUCCESS;
5819                 goto done;
5820         }
5821
5822         err = hci_remove_remote_oob_data(hdev, &cp->addr.bdaddr, cp->addr.type);
5823         if (err < 0)
5824                 status = MGMT_STATUS_INVALID_PARAMS;
5825         else
5826                 status = MGMT_STATUS_SUCCESS;
5827
5828 done:
5829         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
5830                                 status, &cp->addr, sizeof(cp->addr));
5831
5832         hci_dev_unlock(hdev);
5833         return err;
5834 }
5835
5836 void mgmt_start_discovery_complete(struct hci_dev *hdev, u8 status)
5837 {
5838         struct mgmt_pending_cmd *cmd;
5839
5840         bt_dev_dbg(hdev, "status %u", status);
5841
5842         hci_dev_lock(hdev);
5843
5844         cmd = pending_find(MGMT_OP_START_DISCOVERY, hdev);
5845         if (!cmd)
5846                 cmd = pending_find(MGMT_OP_START_SERVICE_DISCOVERY, hdev);
5847
5848         if (!cmd)
5849                 cmd = pending_find(MGMT_OP_START_LIMITED_DISCOVERY, hdev);
5850
5851         if (cmd) {
5852                 cmd->cmd_complete(cmd, mgmt_status(status));
5853                 mgmt_pending_remove(cmd);
5854         }
5855
5856         hci_dev_unlock(hdev);
5857 }
5858
5859 static bool discovery_type_is_valid(struct hci_dev *hdev, uint8_t type,
5860                                     uint8_t *mgmt_status)
5861 {
5862         switch (type) {
5863         case DISCOV_TYPE_LE:
5864                 *mgmt_status = mgmt_le_support(hdev);
5865                 if (*mgmt_status)
5866                         return false;
5867                 break;
5868         case DISCOV_TYPE_INTERLEAVED:
5869                 *mgmt_status = mgmt_le_support(hdev);
5870                 if (*mgmt_status)
5871                         return false;
5872                 fallthrough;
5873         case DISCOV_TYPE_BREDR:
5874                 *mgmt_status = mgmt_bredr_support(hdev);
5875                 if (*mgmt_status)
5876                         return false;
5877                 break;
5878         default:
5879                 *mgmt_status = MGMT_STATUS_INVALID_PARAMS;
5880                 return false;
5881         }
5882
5883         return true;
5884 }
5885
5886 static void start_discovery_complete(struct hci_dev *hdev, void *data, int err)
5887 {
5888         struct mgmt_pending_cmd *cmd = data;
5889
5890         if (cmd != pending_find(MGMT_OP_START_DISCOVERY, hdev) &&
5891             cmd != pending_find(MGMT_OP_START_LIMITED_DISCOVERY, hdev) &&
5892             cmd != pending_find(MGMT_OP_START_SERVICE_DISCOVERY, hdev))
5893                 return;
5894
5895         bt_dev_dbg(hdev, "err %d", err);
5896
5897         mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, mgmt_status(err),
5898                           cmd->param, 1);
5899         mgmt_pending_remove(cmd);
5900
5901         hci_discovery_set_state(hdev, err ? DISCOVERY_STOPPED:
5902                                 DISCOVERY_FINDING);
5903 }
5904
5905 static int start_discovery_sync(struct hci_dev *hdev, void *data)
5906 {
5907         return hci_start_discovery_sync(hdev);
5908 }
5909
5910 static int start_discovery_internal(struct sock *sk, struct hci_dev *hdev,
5911                                     u16 op, void *data, u16 len)
5912 {
5913         struct mgmt_cp_start_discovery *cp = data;
5914         struct mgmt_pending_cmd *cmd;
5915         u8 status;
5916         int err;
5917
5918         bt_dev_dbg(hdev, "sock %p", sk);
5919
5920         hci_dev_lock(hdev);
5921
5922         if (!hdev_is_powered(hdev)) {
5923                 err = mgmt_cmd_complete(sk, hdev->id, op,
5924                                         MGMT_STATUS_NOT_POWERED,
5925                                         &cp->type, sizeof(cp->type));
5926                 goto failed;
5927         }
5928
5929         if (hdev->discovery.state != DISCOVERY_STOPPED ||
5930             hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) {
5931                 err = mgmt_cmd_complete(sk, hdev->id, op, MGMT_STATUS_BUSY,
5932                                         &cp->type, sizeof(cp->type));
5933                 goto failed;
5934         }
5935
5936         if (!discovery_type_is_valid(hdev, cp->type, &status)) {
5937                 err = mgmt_cmd_complete(sk, hdev->id, op, status,
5938                                         &cp->type, sizeof(cp->type));
5939                 goto failed;
5940         }
5941
5942         /* Can't start discovery when it is paused */
5943         if (hdev->discovery_paused) {
5944                 err = mgmt_cmd_complete(sk, hdev->id, op, MGMT_STATUS_BUSY,
5945                                         &cp->type, sizeof(cp->type));
5946                 goto failed;
5947         }
5948
5949         /* Clear the discovery filter first to free any previously
5950          * allocated memory for the UUID list.
5951          */
5952         hci_discovery_filter_clear(hdev);
5953
5954         hdev->discovery.type = cp->type;
5955         hdev->discovery.report_invalid_rssi = false;
5956         if (op == MGMT_OP_START_LIMITED_DISCOVERY)
5957                 hdev->discovery.limited = true;
5958         else
5959                 hdev->discovery.limited = false;
5960
5961         cmd = mgmt_pending_add(sk, op, hdev, data, len);
5962         if (!cmd) {
5963                 err = -ENOMEM;
5964                 goto failed;
5965         }
5966
5967         err = hci_cmd_sync_queue(hdev, start_discovery_sync, cmd,
5968                                  start_discovery_complete);
5969         if (err < 0) {
5970                 mgmt_pending_remove(cmd);
5971                 goto failed;
5972         }
5973
5974         hci_discovery_set_state(hdev, DISCOVERY_STARTING);
5975
5976 failed:
5977         hci_dev_unlock(hdev);
5978         return err;
5979 }
5980
5981 static int start_discovery(struct sock *sk, struct hci_dev *hdev,
5982                            void *data, u16 len)
5983 {
5984         return start_discovery_internal(sk, hdev, MGMT_OP_START_DISCOVERY,
5985                                         data, len);
5986 }
5987
5988 static int start_limited_discovery(struct sock *sk, struct hci_dev *hdev,
5989                                    void *data, u16 len)
5990 {
5991         return start_discovery_internal(sk, hdev,
5992                                         MGMT_OP_START_LIMITED_DISCOVERY,
5993                                         data, len);
5994 }
5995
5996 static int start_service_discovery(struct sock *sk, struct hci_dev *hdev,
5997                                    void *data, u16 len)
5998 {
5999         struct mgmt_cp_start_service_discovery *cp = data;
6000         struct mgmt_pending_cmd *cmd;
6001         const u16 max_uuid_count = ((U16_MAX - sizeof(*cp)) / 16);
6002         u16 uuid_count, expected_len;
6003         u8 status;
6004         int err;
6005
6006         bt_dev_dbg(hdev, "sock %p", sk);
6007
6008         hci_dev_lock(hdev);
6009
6010         if (!hdev_is_powered(hdev)) {
6011                 err = mgmt_cmd_complete(sk, hdev->id,
6012                                         MGMT_OP_START_SERVICE_DISCOVERY,
6013                                         MGMT_STATUS_NOT_POWERED,
6014                                         &cp->type, sizeof(cp->type));
6015                 goto failed;
6016         }
6017
6018         if (hdev->discovery.state != DISCOVERY_STOPPED ||
6019             hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) {
6020                 err = mgmt_cmd_complete(sk, hdev->id,
6021                                         MGMT_OP_START_SERVICE_DISCOVERY,
6022                                         MGMT_STATUS_BUSY, &cp->type,
6023                                         sizeof(cp->type));
6024                 goto failed;
6025         }
6026
6027         if (hdev->discovery_paused) {
6028                 err = mgmt_cmd_complete(sk, hdev->id,
6029                                         MGMT_OP_START_SERVICE_DISCOVERY,
6030                                         MGMT_STATUS_BUSY, &cp->type,
6031                                         sizeof(cp->type));
6032                 goto failed;
6033         }
6034
6035         uuid_count = __le16_to_cpu(cp->uuid_count);
6036         if (uuid_count > max_uuid_count) {
6037                 bt_dev_err(hdev, "service_discovery: too big uuid_count value %u",
6038                            uuid_count);
6039                 err = mgmt_cmd_complete(sk, hdev->id,
6040                                         MGMT_OP_START_SERVICE_DISCOVERY,
6041                                         MGMT_STATUS_INVALID_PARAMS, &cp->type,
6042                                         sizeof(cp->type));
6043                 goto failed;
6044         }
6045
6046         expected_len = sizeof(*cp) + uuid_count * 16;
6047         if (expected_len != len) {
6048                 bt_dev_err(hdev, "service_discovery: expected %u bytes, got %u bytes",
6049                            expected_len, len);
6050                 err = mgmt_cmd_complete(sk, hdev->id,
6051                                         MGMT_OP_START_SERVICE_DISCOVERY,
6052                                         MGMT_STATUS_INVALID_PARAMS, &cp->type,
6053                                         sizeof(cp->type));
6054                 goto failed;
6055         }
6056
6057         if (!discovery_type_is_valid(hdev, cp->type, &status)) {
6058                 err = mgmt_cmd_complete(sk, hdev->id,
6059                                         MGMT_OP_START_SERVICE_DISCOVERY,
6060                                         status, &cp->type, sizeof(cp->type));
6061                 goto failed;
6062         }
6063
6064         cmd = mgmt_pending_add(sk, MGMT_OP_START_SERVICE_DISCOVERY,
6065                                hdev, data, len);
6066         if (!cmd) {
6067                 err = -ENOMEM;
6068                 goto failed;
6069         }
6070
6071         /* Clear the discovery filter first to free any previously
6072          * allocated memory for the UUID list.
6073          */
6074         hci_discovery_filter_clear(hdev);
6075
6076         hdev->discovery.result_filtering = true;
6077         hdev->discovery.type = cp->type;
6078         hdev->discovery.rssi = cp->rssi;
6079         hdev->discovery.uuid_count = uuid_count;
6080
6081         if (uuid_count > 0) {
6082                 hdev->discovery.uuids = kmemdup(cp->uuids, uuid_count * 16,
6083                                                 GFP_KERNEL);
6084                 if (!hdev->discovery.uuids) {
6085                         err = mgmt_cmd_complete(sk, hdev->id,
6086                                                 MGMT_OP_START_SERVICE_DISCOVERY,
6087                                                 MGMT_STATUS_FAILED,
6088                                                 &cp->type, sizeof(cp->type));
6089                         mgmt_pending_remove(cmd);
6090                         goto failed;
6091                 }
6092         }
6093
6094         err = hci_cmd_sync_queue(hdev, start_discovery_sync, cmd,
6095                                  start_discovery_complete);
6096         if (err < 0) {
6097                 mgmt_pending_remove(cmd);
6098                 goto failed;
6099         }
6100
6101         hci_discovery_set_state(hdev, DISCOVERY_STARTING);
6102
6103 failed:
6104         hci_dev_unlock(hdev);
6105         return err;
6106 }
6107
6108 void mgmt_stop_discovery_complete(struct hci_dev *hdev, u8 status)
6109 {
6110         struct mgmt_pending_cmd *cmd;
6111
6112         bt_dev_dbg(hdev, "status %u", status);
6113
6114         hci_dev_lock(hdev);
6115
6116         cmd = pending_find(MGMT_OP_STOP_DISCOVERY, hdev);
6117         if (cmd) {
6118                 cmd->cmd_complete(cmd, mgmt_status(status));
6119                 mgmt_pending_remove(cmd);
6120         }
6121
6122         hci_dev_unlock(hdev);
6123 }
6124
6125 static void stop_discovery_complete(struct hci_dev *hdev, void *data, int err)
6126 {
6127         struct mgmt_pending_cmd *cmd = data;
6128
6129         if (cmd != pending_find(MGMT_OP_STOP_DISCOVERY, hdev))
6130                 return;
6131
6132         bt_dev_dbg(hdev, "err %d", err);
6133
6134         mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, mgmt_status(err),
6135                           cmd->param, 1);
6136         mgmt_pending_remove(cmd);
6137
6138         if (!err)
6139                 hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
6140 }
6141
6142 static int stop_discovery_sync(struct hci_dev *hdev, void *data)
6143 {
6144         return hci_stop_discovery_sync(hdev);
6145 }
6146
6147 static int stop_discovery(struct sock *sk, struct hci_dev *hdev, void *data,
6148                           u16 len)
6149 {
6150         struct mgmt_cp_stop_discovery *mgmt_cp = data;
6151         struct mgmt_pending_cmd *cmd;
6152         int err;
6153
6154         bt_dev_dbg(hdev, "sock %p", sk);
6155
6156         hci_dev_lock(hdev);
6157
6158         if (!hci_discovery_active(hdev)) {
6159                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_STOP_DISCOVERY,
6160                                         MGMT_STATUS_REJECTED, &mgmt_cp->type,
6161                                         sizeof(mgmt_cp->type));
6162                 goto unlock;
6163         }
6164
6165         if (hdev->discovery.type != mgmt_cp->type) {
6166                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_STOP_DISCOVERY,
6167                                         MGMT_STATUS_INVALID_PARAMS,
6168                                         &mgmt_cp->type, sizeof(mgmt_cp->type));
6169                 goto unlock;
6170         }
6171
6172         cmd = mgmt_pending_add(sk, MGMT_OP_STOP_DISCOVERY, hdev, data, len);
6173         if (!cmd) {
6174                 err = -ENOMEM;
6175                 goto unlock;
6176         }
6177
6178         err = hci_cmd_sync_queue(hdev, stop_discovery_sync, cmd,
6179                                  stop_discovery_complete);
6180         if (err < 0) {
6181                 mgmt_pending_remove(cmd);
6182                 goto unlock;
6183         }
6184
6185         hci_discovery_set_state(hdev, DISCOVERY_STOPPING);
6186
6187 unlock:
6188         hci_dev_unlock(hdev);
6189         return err;
6190 }
6191
6192 static int confirm_name(struct sock *sk, struct hci_dev *hdev, void *data,
6193                         u16 len)
6194 {
6195         struct mgmt_cp_confirm_name *cp = data;
6196         struct inquiry_entry *e;
6197         int err;
6198
6199         bt_dev_dbg(hdev, "sock %p", sk);
6200
6201         hci_dev_lock(hdev);
6202
6203         if (!hci_discovery_active(hdev)) {
6204                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CONFIRM_NAME,
6205                                         MGMT_STATUS_FAILED, &cp->addr,
6206                                         sizeof(cp->addr));
6207                 goto failed;
6208         }
6209
6210         e = hci_inquiry_cache_lookup_unknown(hdev, &cp->addr.bdaddr);
6211         if (!e) {
6212                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CONFIRM_NAME,
6213                                         MGMT_STATUS_INVALID_PARAMS, &cp->addr,
6214                                         sizeof(cp->addr));
6215                 goto failed;
6216         }
6217
6218         if (cp->name_known) {
6219                 e->name_state = NAME_KNOWN;
6220                 list_del(&e->list);
6221         } else {
6222                 e->name_state = NAME_NEEDED;
6223                 hci_inquiry_cache_update_resolve(hdev, e);
6224         }
6225
6226         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CONFIRM_NAME, 0,
6227                                 &cp->addr, sizeof(cp->addr));
6228
6229 failed:
6230         hci_dev_unlock(hdev);
6231         return err;
6232 }
6233
6234 static int block_device(struct sock *sk, struct hci_dev *hdev, void *data,
6235                         u16 len)
6236 {
6237         struct mgmt_cp_block_device *cp = data;
6238         u8 status;
6239         int err;
6240
6241         bt_dev_dbg(hdev, "sock %p", sk);
6242
6243         if (!bdaddr_type_is_valid(cp->addr.type))
6244                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_BLOCK_DEVICE,
6245                                          MGMT_STATUS_INVALID_PARAMS,
6246                                          &cp->addr, sizeof(cp->addr));
6247
6248         hci_dev_lock(hdev);
6249
6250         err = hci_bdaddr_list_add(&hdev->reject_list, &cp->addr.bdaddr,
6251                                   cp->addr.type);
6252         if (err < 0) {
6253                 status = MGMT_STATUS_FAILED;
6254                 goto done;
6255         }
6256
6257         mgmt_event(MGMT_EV_DEVICE_BLOCKED, hdev, &cp->addr, sizeof(cp->addr),
6258                    sk);
6259         status = MGMT_STATUS_SUCCESS;
6260
6261 done:
6262         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_BLOCK_DEVICE, status,
6263                                 &cp->addr, sizeof(cp->addr));
6264
6265         hci_dev_unlock(hdev);
6266
6267         return err;
6268 }
6269
6270 static int unblock_device(struct sock *sk, struct hci_dev *hdev, void *data,
6271                           u16 len)
6272 {
6273         struct mgmt_cp_unblock_device *cp = data;
6274         u8 status;
6275         int err;
6276
6277         bt_dev_dbg(hdev, "sock %p", sk);
6278
6279         if (!bdaddr_type_is_valid(cp->addr.type))
6280                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNBLOCK_DEVICE,
6281                                          MGMT_STATUS_INVALID_PARAMS,
6282                                          &cp->addr, sizeof(cp->addr));
6283
6284         hci_dev_lock(hdev);
6285
6286         err = hci_bdaddr_list_del(&hdev->reject_list, &cp->addr.bdaddr,
6287                                   cp->addr.type);
6288         if (err < 0) {
6289                 status = MGMT_STATUS_INVALID_PARAMS;
6290                 goto done;
6291         }
6292
6293         mgmt_event(MGMT_EV_DEVICE_UNBLOCKED, hdev, &cp->addr, sizeof(cp->addr),
6294                    sk);
6295         status = MGMT_STATUS_SUCCESS;
6296
6297 done:
6298         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNBLOCK_DEVICE, status,
6299                                 &cp->addr, sizeof(cp->addr));
6300
6301         hci_dev_unlock(hdev);
6302
6303         return err;
6304 }
6305
6306 static int set_device_id_sync(struct hci_dev *hdev, void *data)
6307 {
6308         return hci_update_eir_sync(hdev);
6309 }
6310
6311 static int set_device_id(struct sock *sk, struct hci_dev *hdev, void *data,
6312                          u16 len)
6313 {
6314         struct mgmt_cp_set_device_id *cp = data;
6315         int err;
6316         __u16 source;
6317
6318         bt_dev_dbg(hdev, "sock %p", sk);
6319
6320         source = __le16_to_cpu(cp->source);
6321
6322         if (source > 0x0002)
6323                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEVICE_ID,
6324                                        MGMT_STATUS_INVALID_PARAMS);
6325
6326         hci_dev_lock(hdev);
6327
6328         hdev->devid_source = source;
6329         hdev->devid_vendor = __le16_to_cpu(cp->vendor);
6330         hdev->devid_product = __le16_to_cpu(cp->product);
6331         hdev->devid_version = __le16_to_cpu(cp->version);
6332
6333         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_DEVICE_ID, 0,
6334                                 NULL, 0);
6335
6336         hci_cmd_sync_queue(hdev, set_device_id_sync, NULL, NULL);
6337
6338         hci_dev_unlock(hdev);
6339
6340         return err;
6341 }
6342
6343 static void enable_advertising_instance(struct hci_dev *hdev, int err)
6344 {
6345         if (err)
6346                 bt_dev_err(hdev, "failed to re-configure advertising %d", err);
6347         else
6348                 bt_dev_dbg(hdev, "status %d", err);
6349 }
6350
6351 static void set_advertising_complete(struct hci_dev *hdev, void *data, int err)
6352 {
6353         struct cmd_lookup match = { NULL, hdev };
6354         u8 instance;
6355         struct adv_info *adv_instance;
6356         u8 status = mgmt_status(err);
6357
6358         if (status) {
6359                 mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev,
6360                                      cmd_status_rsp, &status);
6361                 return;
6362         }
6363
6364         if (hci_dev_test_flag(hdev, HCI_LE_ADV))
6365                 hci_dev_set_flag(hdev, HCI_ADVERTISING);
6366         else
6367                 hci_dev_clear_flag(hdev, HCI_ADVERTISING);
6368
6369         mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev, settings_rsp,
6370                              &match);
6371
6372         new_settings(hdev, match.sk);
6373
6374         if (match.sk)
6375                 sock_put(match.sk);
6376
6377         /* If "Set Advertising" was just disabled and instance advertising was
6378          * set up earlier, then re-enable multi-instance advertising.
6379          */
6380         if (hci_dev_test_flag(hdev, HCI_ADVERTISING) ||
6381             list_empty(&hdev->adv_instances))
6382                 return;
6383
6384         instance = hdev->cur_adv_instance;
6385         if (!instance) {
6386                 adv_instance = list_first_entry_or_null(&hdev->adv_instances,
6387                                                         struct adv_info, list);
6388                 if (!adv_instance)
6389                         return;
6390
6391                 instance = adv_instance->instance;
6392         }
6393
6394         err = hci_schedule_adv_instance_sync(hdev, instance, true);
6395
6396         enable_advertising_instance(hdev, err);
6397 }
6398
6399 static int set_adv_sync(struct hci_dev *hdev, void *data)
6400 {
6401         struct mgmt_pending_cmd *cmd = data;
6402         struct mgmt_mode *cp = cmd->param;
6403         u8 val = !!cp->val;
6404
6405         if (cp->val == 0x02)
6406                 hci_dev_set_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
6407         else
6408                 hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
6409
6410         cancel_adv_timeout(hdev);
6411
6412         if (val) {
6413                 /* Switch to instance "0" for the Set Advertising setting.
6414                  * We cannot use update_[adv|scan_rsp]_data() here as the
6415                  * HCI_ADVERTISING flag is not yet set.
6416                  */
6417                 hdev->cur_adv_instance = 0x00;
6418
6419                 if (ext_adv_capable(hdev)) {
6420                         hci_start_ext_adv_sync(hdev, 0x00);
6421                 } else {
6422                         hci_update_adv_data_sync(hdev, 0x00);
6423                         hci_update_scan_rsp_data_sync(hdev, 0x00);
6424                         hci_enable_advertising_sync(hdev);
6425                 }
6426         } else {
6427                 hci_disable_advertising_sync(hdev);
6428         }
6429
6430         return 0;
6431 }
6432
6433 static int set_advertising(struct sock *sk, struct hci_dev *hdev, void *data,
6434                            u16 len)
6435 {
6436         struct mgmt_mode *cp = data;
6437         struct mgmt_pending_cmd *cmd;
6438         u8 val, status;
6439         int err;
6440
6441         bt_dev_dbg(hdev, "sock %p", sk);
6442
6443         status = mgmt_le_support(hdev);
6444         if (status)
6445                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
6446                                        status);
6447
6448         if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
6449                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
6450                                        MGMT_STATUS_INVALID_PARAMS);
6451
6452         if (hdev->advertising_paused)
6453                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
6454                                        MGMT_STATUS_BUSY);
6455
6456         hci_dev_lock(hdev);
6457
6458         val = !!cp->val;
6459
6460         /* The following conditions are ones which mean that we should
6461          * not do any HCI communication but directly send a mgmt
6462          * response to user space (after toggling the flag if
6463          * necessary).
6464          */
6465         if (!hdev_is_powered(hdev) ||
6466             (val == hci_dev_test_flag(hdev, HCI_ADVERTISING) &&
6467              (cp->val == 0x02) == hci_dev_test_flag(hdev, HCI_ADVERTISING_CONNECTABLE)) ||
6468             hci_dev_test_flag(hdev, HCI_MESH) ||
6469             hci_conn_num(hdev, LE_LINK) > 0 ||
6470             (hci_dev_test_flag(hdev, HCI_LE_SCAN) &&
6471              hdev->le_scan_type == LE_SCAN_ACTIVE)) {
6472                 bool changed;
6473
6474                 if (cp->val) {
6475                         hdev->cur_adv_instance = 0x00;
6476                         changed = !hci_dev_test_and_set_flag(hdev, HCI_ADVERTISING);
6477                         if (cp->val == 0x02)
6478                                 hci_dev_set_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
6479                         else
6480                                 hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
6481                 } else {
6482                         changed = hci_dev_test_and_clear_flag(hdev, HCI_ADVERTISING);
6483                         hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
6484                 }
6485
6486                 err = send_settings_rsp(sk, MGMT_OP_SET_ADVERTISING, hdev);
6487                 if (err < 0)
6488                         goto unlock;
6489
6490                 if (changed)
6491                         err = new_settings(hdev, sk);
6492
6493                 goto unlock;
6494         }
6495
6496         if (pending_find(MGMT_OP_SET_ADVERTISING, hdev) ||
6497             pending_find(MGMT_OP_SET_LE, hdev)) {
6498                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
6499                                       MGMT_STATUS_BUSY);
6500                 goto unlock;
6501         }
6502
6503         cmd = mgmt_pending_add(sk, MGMT_OP_SET_ADVERTISING, hdev, data, len);
6504         if (!cmd)
6505                 err = -ENOMEM;
6506         else
6507                 err = hci_cmd_sync_queue(hdev, set_adv_sync, cmd,
6508                                          set_advertising_complete);
6509
6510         if (err < 0 && cmd)
6511                 mgmt_pending_remove(cmd);
6512
6513 unlock:
6514         hci_dev_unlock(hdev);
6515         return err;
6516 }
6517
6518 static int set_static_address(struct sock *sk, struct hci_dev *hdev,
6519                               void *data, u16 len)
6520 {
6521         struct mgmt_cp_set_static_address *cp = data;
6522         int err;
6523
6524         bt_dev_dbg(hdev, "sock %p", sk);
6525
6526         if (!lmp_le_capable(hdev))
6527                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_STATIC_ADDRESS,
6528                                        MGMT_STATUS_NOT_SUPPORTED);
6529
6530         if (hdev_is_powered(hdev))
6531                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_STATIC_ADDRESS,
6532                                        MGMT_STATUS_REJECTED);
6533
6534         if (bacmp(&cp->bdaddr, BDADDR_ANY)) {
6535                 if (!bacmp(&cp->bdaddr, BDADDR_NONE))
6536                         return mgmt_cmd_status(sk, hdev->id,
6537                                                MGMT_OP_SET_STATIC_ADDRESS,
6538                                                MGMT_STATUS_INVALID_PARAMS);
6539
6540                 /* Two most significant bits shall be set */
6541                 if ((cp->bdaddr.b[5] & 0xc0) != 0xc0)
6542                         return mgmt_cmd_status(sk, hdev->id,
6543                                                MGMT_OP_SET_STATIC_ADDRESS,
6544                                                MGMT_STATUS_INVALID_PARAMS);
6545         }
6546
6547         hci_dev_lock(hdev);
6548
6549         bacpy(&hdev->static_addr, &cp->bdaddr);
6550
6551         err = send_settings_rsp(sk, MGMT_OP_SET_STATIC_ADDRESS, hdev);
6552         if (err < 0)
6553                 goto unlock;
6554
6555         err = new_settings(hdev, sk);
6556
6557 unlock:
6558         hci_dev_unlock(hdev);
6559         return err;
6560 }
6561
6562 static int set_scan_params(struct sock *sk, struct hci_dev *hdev,
6563                            void *data, u16 len)
6564 {
6565         struct mgmt_cp_set_scan_params *cp = data;
6566         __u16 interval, window;
6567         int err;
6568
6569         bt_dev_dbg(hdev, "sock %p", sk);
6570
6571         if (!lmp_le_capable(hdev))
6572                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
6573                                        MGMT_STATUS_NOT_SUPPORTED);
6574
6575         interval = __le16_to_cpu(cp->interval);
6576
6577         if (interval < 0x0004 || interval > 0x4000)
6578                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
6579                                        MGMT_STATUS_INVALID_PARAMS);
6580
6581         window = __le16_to_cpu(cp->window);
6582
6583         if (window < 0x0004 || window > 0x4000)
6584                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
6585                                        MGMT_STATUS_INVALID_PARAMS);
6586
6587         if (window > interval)
6588                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
6589                                        MGMT_STATUS_INVALID_PARAMS);
6590
6591         hci_dev_lock(hdev);
6592
6593         hdev->le_scan_interval = interval;
6594         hdev->le_scan_window = window;
6595
6596         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS, 0,
6597                                 NULL, 0);
6598
6599         /* If background scan is running, restart it so new parameters are
6600          * loaded.
6601          */
6602         if (hci_dev_test_flag(hdev, HCI_LE_SCAN) &&
6603             hdev->discovery.state == DISCOVERY_STOPPED)
6604                 hci_update_passive_scan(hdev);
6605
6606         hci_dev_unlock(hdev);
6607
6608         return err;
6609 }
6610
6611 static void fast_connectable_complete(struct hci_dev *hdev, void *data, int err)
6612 {
6613         struct mgmt_pending_cmd *cmd = data;
6614
6615         bt_dev_dbg(hdev, "err %d", err);
6616
6617         if (err) {
6618                 mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
6619                                 mgmt_status(err));
6620         } else {
6621                 struct mgmt_mode *cp = cmd->param;
6622
6623                 if (cp->val)
6624                         hci_dev_set_flag(hdev, HCI_FAST_CONNECTABLE);
6625                 else
6626                         hci_dev_clear_flag(hdev, HCI_FAST_CONNECTABLE);
6627
6628                 send_settings_rsp(cmd->sk, MGMT_OP_SET_FAST_CONNECTABLE, hdev);
6629                 new_settings(hdev, cmd->sk);
6630         }
6631
6632         mgmt_pending_free(cmd);
6633 }
6634
6635 static int write_fast_connectable_sync(struct hci_dev *hdev, void *data)
6636 {
6637         struct mgmt_pending_cmd *cmd = data;
6638         struct mgmt_mode *cp = cmd->param;
6639
6640         return hci_write_fast_connectable_sync(hdev, cp->val);
6641 }
6642
6643 static int set_fast_connectable(struct sock *sk, struct hci_dev *hdev,
6644                                 void *data, u16 len)
6645 {
6646         struct mgmt_mode *cp = data;
6647         struct mgmt_pending_cmd *cmd;
6648         int err;
6649
6650         bt_dev_dbg(hdev, "sock %p", sk);
6651
6652         if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) ||
6653             hdev->hci_ver < BLUETOOTH_VER_1_2)
6654                 return mgmt_cmd_status(sk, hdev->id,
6655                                        MGMT_OP_SET_FAST_CONNECTABLE,
6656                                        MGMT_STATUS_NOT_SUPPORTED);
6657
6658         if (cp->val != 0x00 && cp->val != 0x01)
6659                 return mgmt_cmd_status(sk, hdev->id,
6660                                        MGMT_OP_SET_FAST_CONNECTABLE,
6661                                        MGMT_STATUS_INVALID_PARAMS);
6662
6663         hci_dev_lock(hdev);
6664
6665         if (!!cp->val == hci_dev_test_flag(hdev, HCI_FAST_CONNECTABLE)) {
6666                 err = send_settings_rsp(sk, MGMT_OP_SET_FAST_CONNECTABLE, hdev);
6667                 goto unlock;
6668         }
6669
6670         if (!hdev_is_powered(hdev)) {
6671                 hci_dev_change_flag(hdev, HCI_FAST_CONNECTABLE);
6672                 err = send_settings_rsp(sk, MGMT_OP_SET_FAST_CONNECTABLE, hdev);
6673                 new_settings(hdev, sk);
6674                 goto unlock;
6675         }
6676
6677         cmd = mgmt_pending_new(sk, MGMT_OP_SET_FAST_CONNECTABLE, hdev, data,
6678                                len);
6679         if (!cmd)
6680                 err = -ENOMEM;
6681         else
6682                 err = hci_cmd_sync_queue(hdev, write_fast_connectable_sync, cmd,
6683                                          fast_connectable_complete);
6684
6685         if (err < 0) {
6686                 mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
6687                                 MGMT_STATUS_FAILED);
6688
6689                 if (cmd)
6690                         mgmt_pending_free(cmd);
6691         }
6692
6693 unlock:
6694         hci_dev_unlock(hdev);
6695
6696         return err;
6697 }
6698
6699 static void set_bredr_complete(struct hci_dev *hdev, void *data, int err)
6700 {
6701         struct mgmt_pending_cmd *cmd = data;
6702
6703         bt_dev_dbg(hdev, "err %d", err);
6704
6705         if (err) {
6706                 u8 mgmt_err = mgmt_status(err);
6707
6708                 /* We need to restore the flag if related HCI commands
6709                  * failed.
6710                  */
6711                 hci_dev_clear_flag(hdev, HCI_BREDR_ENABLED);
6712
6713                 mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
6714         } else {
6715                 send_settings_rsp(cmd->sk, MGMT_OP_SET_BREDR, hdev);
6716                 new_settings(hdev, cmd->sk);
6717         }
6718
6719         mgmt_pending_free(cmd);
6720 }
6721
6722 static int set_bredr_sync(struct hci_dev *hdev, void *data)
6723 {
6724         int status;
6725
6726         status = hci_write_fast_connectable_sync(hdev, false);
6727
6728         if (!status)
6729                 status = hci_update_scan_sync(hdev);
6730
6731         /* Since only the advertising data flags will change, there
6732          * is no need to update the scan response data.
6733          */
6734         if (!status)
6735                 status = hci_update_adv_data_sync(hdev, hdev->cur_adv_instance);
6736
6737         return status;
6738 }
6739
6740 static int set_bredr(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
6741 {
6742         struct mgmt_mode *cp = data;
6743         struct mgmt_pending_cmd *cmd;
6744         int err;
6745
6746         bt_dev_dbg(hdev, "sock %p", sk);
6747
6748         if (!lmp_bredr_capable(hdev) || !lmp_le_capable(hdev))
6749                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
6750                                        MGMT_STATUS_NOT_SUPPORTED);
6751
6752         if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
6753                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
6754                                        MGMT_STATUS_REJECTED);
6755
6756         if (cp->val != 0x00 && cp->val != 0x01)
6757                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
6758                                        MGMT_STATUS_INVALID_PARAMS);
6759
6760         hci_dev_lock(hdev);
6761
6762         if (cp->val == hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
6763                 err = send_settings_rsp(sk, MGMT_OP_SET_BREDR, hdev);
6764                 goto unlock;
6765         }
6766
6767         if (!hdev_is_powered(hdev)) {
6768                 if (!cp->val) {
6769                         hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
6770                         hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
6771                         hci_dev_clear_flag(hdev, HCI_LINK_SECURITY);
6772                         hci_dev_clear_flag(hdev, HCI_FAST_CONNECTABLE);
6773                         hci_dev_clear_flag(hdev, HCI_HS_ENABLED);
6774                 }
6775
6776                 hci_dev_change_flag(hdev, HCI_BREDR_ENABLED);
6777
6778                 err = send_settings_rsp(sk, MGMT_OP_SET_BREDR, hdev);
6779                 if (err < 0)
6780                         goto unlock;
6781
6782                 err = new_settings(hdev, sk);
6783                 goto unlock;
6784         }
6785
6786         /* Reject disabling when powered on */
6787         if (!cp->val) {
6788                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
6789                                       MGMT_STATUS_REJECTED);
6790                 goto unlock;
6791         } else {
6792                 /* When configuring a dual-mode controller to operate
6793                  * with LE only and using a static address, then switching
6794                  * BR/EDR back on is not allowed.
6795                  *
6796                  * Dual-mode controllers shall operate with the public
6797                  * address as its identity address for BR/EDR and LE. So
6798                  * reject the attempt to create an invalid configuration.
6799                  *
6800                  * The same restrictions applies when secure connections
6801                  * has been enabled. For BR/EDR this is a controller feature
6802                  * while for LE it is a host stack feature. This means that
6803                  * switching BR/EDR back on when secure connections has been
6804                  * enabled is not a supported transaction.
6805                  */
6806                 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
6807                     (bacmp(&hdev->static_addr, BDADDR_ANY) ||
6808                      hci_dev_test_flag(hdev, HCI_SC_ENABLED))) {
6809                         err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
6810                                               MGMT_STATUS_REJECTED);
6811                         goto unlock;
6812                 }
6813         }
6814
6815         cmd = mgmt_pending_new(sk, MGMT_OP_SET_BREDR, hdev, data, len);
6816         if (!cmd)
6817                 err = -ENOMEM;
6818         else
6819                 err = hci_cmd_sync_queue(hdev, set_bredr_sync, cmd,
6820                                          set_bredr_complete);
6821
6822         if (err < 0) {
6823                 mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
6824                                 MGMT_STATUS_FAILED);
6825                 if (cmd)
6826                         mgmt_pending_free(cmd);
6827
6828                 goto unlock;
6829         }
6830
6831         /* We need to flip the bit already here so that
6832          * hci_req_update_adv_data generates the correct flags.
6833          */
6834         hci_dev_set_flag(hdev, HCI_BREDR_ENABLED);
6835
6836 unlock:
6837         hci_dev_unlock(hdev);
6838         return err;
6839 }
6840
6841 static void set_secure_conn_complete(struct hci_dev *hdev, void *data, int err)
6842 {
6843         struct mgmt_pending_cmd *cmd = data;
6844         struct mgmt_mode *cp;
6845
6846         bt_dev_dbg(hdev, "err %d", err);
6847
6848         if (err) {
6849                 u8 mgmt_err = mgmt_status(err);
6850
6851                 mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
6852                 goto done;
6853         }
6854
6855         cp = cmd->param;
6856
6857         switch (cp->val) {
6858         case 0x00:
6859                 hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
6860                 hci_dev_clear_flag(hdev, HCI_SC_ONLY);
6861                 break;
6862         case 0x01:
6863                 hci_dev_set_flag(hdev, HCI_SC_ENABLED);
6864                 hci_dev_clear_flag(hdev, HCI_SC_ONLY);
6865                 break;
6866         case 0x02:
6867                 hci_dev_set_flag(hdev, HCI_SC_ENABLED);
6868                 hci_dev_set_flag(hdev, HCI_SC_ONLY);
6869                 break;
6870         }
6871
6872         send_settings_rsp(cmd->sk, cmd->opcode, hdev);
6873         new_settings(hdev, cmd->sk);
6874
6875 done:
6876         mgmt_pending_free(cmd);
6877 }
6878
6879 static int set_secure_conn_sync(struct hci_dev *hdev, void *data)
6880 {
6881         struct mgmt_pending_cmd *cmd = data;
6882         struct mgmt_mode *cp = cmd->param;
6883         u8 val = !!cp->val;
6884
6885         /* Force write of val */
6886         hci_dev_set_flag(hdev, HCI_SC_ENABLED);
6887
6888         return hci_write_sc_support_sync(hdev, val);
6889 }
6890
6891 static int set_secure_conn(struct sock *sk, struct hci_dev *hdev,
6892                            void *data, u16 len)
6893 {
6894         struct mgmt_mode *cp = data;
6895         struct mgmt_pending_cmd *cmd;
6896         u8 val;
6897         int err;
6898
6899         bt_dev_dbg(hdev, "sock %p", sk);
6900
6901         if (!lmp_sc_capable(hdev) &&
6902             !hci_dev_test_flag(hdev, HCI_LE_ENABLED))
6903                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
6904                                        MGMT_STATUS_NOT_SUPPORTED);
6905
6906         if (hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
6907             lmp_sc_capable(hdev) &&
6908             !hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
6909                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
6910                                        MGMT_STATUS_REJECTED);
6911
6912         if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
6913                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
6914                                        MGMT_STATUS_INVALID_PARAMS);
6915
6916         hci_dev_lock(hdev);
6917
6918         if (!hdev_is_powered(hdev) || !lmp_sc_capable(hdev) ||
6919             !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
6920                 bool changed;
6921
6922                 if (cp->val) {
6923                         changed = !hci_dev_test_and_set_flag(hdev,
6924                                                              HCI_SC_ENABLED);
6925                         if (cp->val == 0x02)
6926                                 hci_dev_set_flag(hdev, HCI_SC_ONLY);
6927                         else
6928                                 hci_dev_clear_flag(hdev, HCI_SC_ONLY);
6929                 } else {
6930                         changed = hci_dev_test_and_clear_flag(hdev,
6931                                                               HCI_SC_ENABLED);
6932                         hci_dev_clear_flag(hdev, HCI_SC_ONLY);
6933                 }
6934
6935                 err = send_settings_rsp(sk, MGMT_OP_SET_SECURE_CONN, hdev);
6936                 if (err < 0)
6937                         goto failed;
6938
6939                 if (changed)
6940                         err = new_settings(hdev, sk);
6941
6942                 goto failed;
6943         }
6944
6945         val = !!cp->val;
6946
6947         if (val == hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
6948             (cp->val == 0x02) == hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
6949                 err = send_settings_rsp(sk, MGMT_OP_SET_SECURE_CONN, hdev);
6950                 goto failed;
6951         }
6952
6953         cmd = mgmt_pending_new(sk, MGMT_OP_SET_SECURE_CONN, hdev, data, len);
6954         if (!cmd)
6955                 err = -ENOMEM;
6956         else
6957                 err = hci_cmd_sync_queue(hdev, set_secure_conn_sync, cmd,
6958                                          set_secure_conn_complete);
6959
6960         if (err < 0) {
6961                 mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
6962                                 MGMT_STATUS_FAILED);
6963                 if (cmd)
6964                         mgmt_pending_free(cmd);
6965         }
6966
6967 failed:
6968         hci_dev_unlock(hdev);
6969         return err;
6970 }
6971
6972 static int set_debug_keys(struct sock *sk, struct hci_dev *hdev,
6973                           void *data, u16 len)
6974 {
6975         struct mgmt_mode *cp = data;
6976         bool changed, use_changed;
6977         int err;
6978
6979         bt_dev_dbg(hdev, "sock %p", sk);
6980
6981         if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
6982                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEBUG_KEYS,
6983                                        MGMT_STATUS_INVALID_PARAMS);
6984
6985         hci_dev_lock(hdev);
6986
6987         if (cp->val)
6988                 changed = !hci_dev_test_and_set_flag(hdev, HCI_KEEP_DEBUG_KEYS);
6989         else
6990                 changed = hci_dev_test_and_clear_flag(hdev,
6991                                                       HCI_KEEP_DEBUG_KEYS);
6992
6993         if (cp->val == 0x02)
6994                 use_changed = !hci_dev_test_and_set_flag(hdev,
6995                                                          HCI_USE_DEBUG_KEYS);
6996         else
6997                 use_changed = hci_dev_test_and_clear_flag(hdev,
6998                                                           HCI_USE_DEBUG_KEYS);
6999
7000         if (hdev_is_powered(hdev) && use_changed &&
7001             hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
7002                 u8 mode = (cp->val == 0x02) ? 0x01 : 0x00;
7003                 hci_send_cmd(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE,
7004                              sizeof(mode), &mode);
7005         }
7006
7007         err = send_settings_rsp(sk, MGMT_OP_SET_DEBUG_KEYS, hdev);
7008         if (err < 0)
7009                 goto unlock;
7010
7011         if (changed)
7012                 err = new_settings(hdev, sk);
7013
7014 unlock:
7015         hci_dev_unlock(hdev);
7016         return err;
7017 }
7018
7019 static int set_privacy(struct sock *sk, struct hci_dev *hdev, void *cp_data,
7020                        u16 len)
7021 {
7022         struct mgmt_cp_set_privacy *cp = cp_data;
7023         bool changed;
7024         int err;
7025
7026         bt_dev_dbg(hdev, "sock %p", sk);
7027
7028         if (!lmp_le_capable(hdev))
7029                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PRIVACY,
7030                                        MGMT_STATUS_NOT_SUPPORTED);
7031
7032         if (cp->privacy != 0x00 && cp->privacy != 0x01 && cp->privacy != 0x02)
7033                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PRIVACY,
7034                                        MGMT_STATUS_INVALID_PARAMS);
7035
7036         if (hdev_is_powered(hdev))
7037                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PRIVACY,
7038                                        MGMT_STATUS_REJECTED);
7039
7040         hci_dev_lock(hdev);
7041
7042         /* If user space supports this command it is also expected to
7043          * handle IRKs. Therefore, set the HCI_RPA_RESOLVING flag.
7044          */
7045         hci_dev_set_flag(hdev, HCI_RPA_RESOLVING);
7046
7047         if (cp->privacy) {
7048                 changed = !hci_dev_test_and_set_flag(hdev, HCI_PRIVACY);
7049                 memcpy(hdev->irk, cp->irk, sizeof(hdev->irk));
7050                 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
7051                 hci_adv_instances_set_rpa_expired(hdev, true);
7052                 if (cp->privacy == 0x02)
7053                         hci_dev_set_flag(hdev, HCI_LIMITED_PRIVACY);
7054                 else
7055                         hci_dev_clear_flag(hdev, HCI_LIMITED_PRIVACY);
7056         } else {
7057                 changed = hci_dev_test_and_clear_flag(hdev, HCI_PRIVACY);
7058                 memset(hdev->irk, 0, sizeof(hdev->irk));
7059                 hci_dev_clear_flag(hdev, HCI_RPA_EXPIRED);
7060                 hci_adv_instances_set_rpa_expired(hdev, false);
7061                 hci_dev_clear_flag(hdev, HCI_LIMITED_PRIVACY);
7062         }
7063
7064         err = send_settings_rsp(sk, MGMT_OP_SET_PRIVACY, hdev);
7065         if (err < 0)
7066                 goto unlock;
7067
7068         if (changed)
7069                 err = new_settings(hdev, sk);
7070
7071 unlock:
7072         hci_dev_unlock(hdev);
7073         return err;
7074 }
7075
7076 static bool irk_is_valid(struct mgmt_irk_info *irk)
7077 {
7078         switch (irk->addr.type) {
7079         case BDADDR_LE_PUBLIC:
7080                 return true;
7081
7082         case BDADDR_LE_RANDOM:
7083                 /* Two most significant bits shall be set */
7084                 if ((irk->addr.bdaddr.b[5] & 0xc0) != 0xc0)
7085                         return false;
7086                 return true;
7087         }
7088
7089         return false;
7090 }
7091
7092 static int load_irks(struct sock *sk, struct hci_dev *hdev, void *cp_data,
7093                      u16 len)
7094 {
7095         struct mgmt_cp_load_irks *cp = cp_data;
7096         const u16 max_irk_count = ((U16_MAX - sizeof(*cp)) /
7097                                    sizeof(struct mgmt_irk_info));
7098         u16 irk_count, expected_len;
7099         int i, err;
7100
7101         bt_dev_dbg(hdev, "sock %p", sk);
7102
7103         if (!lmp_le_capable(hdev))
7104                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_IRKS,
7105                                        MGMT_STATUS_NOT_SUPPORTED);
7106
7107         irk_count = __le16_to_cpu(cp->irk_count);
7108         if (irk_count > max_irk_count) {
7109                 bt_dev_err(hdev, "load_irks: too big irk_count value %u",
7110                            irk_count);
7111                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_IRKS,
7112                                        MGMT_STATUS_INVALID_PARAMS);
7113         }
7114
7115         expected_len = struct_size(cp, irks, irk_count);
7116         if (expected_len != len) {
7117                 bt_dev_err(hdev, "load_irks: expected %u bytes, got %u bytes",
7118                            expected_len, len);
7119                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_IRKS,
7120                                        MGMT_STATUS_INVALID_PARAMS);
7121         }
7122
7123         bt_dev_dbg(hdev, "irk_count %u", irk_count);
7124
7125         for (i = 0; i < irk_count; i++) {
7126                 struct mgmt_irk_info *key = &cp->irks[i];
7127
7128                 if (!irk_is_valid(key))
7129                         return mgmt_cmd_status(sk, hdev->id,
7130                                                MGMT_OP_LOAD_IRKS,
7131                                                MGMT_STATUS_INVALID_PARAMS);
7132         }
7133
7134         hci_dev_lock(hdev);
7135
7136         hci_smp_irks_clear(hdev);
7137
7138         for (i = 0; i < irk_count; i++) {
7139                 struct mgmt_irk_info *irk = &cp->irks[i];
7140
7141                 if (hci_is_blocked_key(hdev,
7142                                        HCI_BLOCKED_KEY_TYPE_IRK,
7143                                        irk->val)) {
7144                         bt_dev_warn(hdev, "Skipping blocked IRK for %pMR",
7145                                     &irk->addr.bdaddr);
7146                         continue;
7147                 }
7148
7149                 hci_add_irk(hdev, &irk->addr.bdaddr,
7150                             le_addr_type(irk->addr.type), irk->val,
7151                             BDADDR_ANY);
7152         }
7153
7154         hci_dev_set_flag(hdev, HCI_RPA_RESOLVING);
7155
7156         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_IRKS, 0, NULL, 0);
7157
7158         hci_dev_unlock(hdev);
7159
7160         return err;
7161 }
7162
7163 static bool ltk_is_valid(struct mgmt_ltk_info *key)
7164 {
7165         if (key->initiator != 0x00 && key->initiator != 0x01)
7166                 return false;
7167
7168         switch (key->addr.type) {
7169         case BDADDR_LE_PUBLIC:
7170                 return true;
7171
7172         case BDADDR_LE_RANDOM:
7173                 /* Two most significant bits shall be set */
7174                 if ((key->addr.bdaddr.b[5] & 0xc0) != 0xc0)
7175                         return false;
7176                 return true;
7177         }
7178
7179         return false;
7180 }
7181
7182 static int load_long_term_keys(struct sock *sk, struct hci_dev *hdev,
7183                                void *cp_data, u16 len)
7184 {
7185         struct mgmt_cp_load_long_term_keys *cp = cp_data;
7186         const u16 max_key_count = ((U16_MAX - sizeof(*cp)) /
7187                                    sizeof(struct mgmt_ltk_info));
7188         u16 key_count, expected_len;
7189         int i, err;
7190
7191         bt_dev_dbg(hdev, "sock %p", sk);
7192
7193         if (!lmp_le_capable(hdev))
7194                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS,
7195                                        MGMT_STATUS_NOT_SUPPORTED);
7196
7197         key_count = __le16_to_cpu(cp->key_count);
7198         if (key_count > max_key_count) {
7199                 bt_dev_err(hdev, "load_ltks: too big key_count value %u",
7200                            key_count);
7201                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS,
7202                                        MGMT_STATUS_INVALID_PARAMS);
7203         }
7204
7205         expected_len = struct_size(cp, keys, key_count);
7206         if (expected_len != len) {
7207                 bt_dev_err(hdev, "load_keys: expected %u bytes, got %u bytes",
7208                            expected_len, len);
7209                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS,
7210                                        MGMT_STATUS_INVALID_PARAMS);
7211         }
7212
7213         bt_dev_dbg(hdev, "key_count %u", key_count);
7214
7215         for (i = 0; i < key_count; i++) {
7216                 struct mgmt_ltk_info *key = &cp->keys[i];
7217
7218                 if (!ltk_is_valid(key))
7219                         return mgmt_cmd_status(sk, hdev->id,
7220                                                MGMT_OP_LOAD_LONG_TERM_KEYS,
7221                                                MGMT_STATUS_INVALID_PARAMS);
7222         }
7223
7224         hci_dev_lock(hdev);
7225
7226         hci_smp_ltks_clear(hdev);
7227
7228         for (i = 0; i < key_count; i++) {
7229                 struct mgmt_ltk_info *key = &cp->keys[i];
7230                 u8 type, authenticated;
7231
7232                 if (hci_is_blocked_key(hdev,
7233                                        HCI_BLOCKED_KEY_TYPE_LTK,
7234                                        key->val)) {
7235                         bt_dev_warn(hdev, "Skipping blocked LTK for %pMR",
7236                                     &key->addr.bdaddr);
7237                         continue;
7238                 }
7239
7240                 switch (key->type) {
7241                 case MGMT_LTK_UNAUTHENTICATED:
7242                         authenticated = 0x00;
7243                         type = key->initiator ? SMP_LTK : SMP_LTK_RESPONDER;
7244                         break;
7245                 case MGMT_LTK_AUTHENTICATED:
7246                         authenticated = 0x01;
7247                         type = key->initiator ? SMP_LTK : SMP_LTK_RESPONDER;
7248                         break;
7249                 case MGMT_LTK_P256_UNAUTH:
7250                         authenticated = 0x00;
7251                         type = SMP_LTK_P256;
7252                         break;
7253                 case MGMT_LTK_P256_AUTH:
7254                         authenticated = 0x01;
7255                         type = SMP_LTK_P256;
7256                         break;
7257                 case MGMT_LTK_P256_DEBUG:
7258                         authenticated = 0x00;
7259                         type = SMP_LTK_P256_DEBUG;
7260                         fallthrough;
7261                 default:
7262                         continue;
7263                 }
7264
7265                 hci_add_ltk(hdev, &key->addr.bdaddr,
7266                             le_addr_type(key->addr.type), type, authenticated,
7267                             key->val, key->enc_size, key->ediv, key->rand);
7268         }
7269
7270         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS, 0,
7271                            NULL, 0);
7272
7273         hci_dev_unlock(hdev);
7274
7275         return err;
7276 }
7277
7278 static void get_conn_info_complete(struct hci_dev *hdev, void *data, int err)
7279 {
7280         struct mgmt_pending_cmd *cmd = data;
7281         struct hci_conn *conn = cmd->user_data;
7282         struct mgmt_cp_get_conn_info *cp = cmd->param;
7283         struct mgmt_rp_get_conn_info rp;
7284         u8 status;
7285
7286         bt_dev_dbg(hdev, "err %d", err);
7287
7288         memcpy(&rp.addr, &cp->addr.bdaddr, sizeof(rp.addr));
7289
7290         status = mgmt_status(err);
7291         if (status == MGMT_STATUS_SUCCESS) {
7292                 rp.rssi = conn->rssi;
7293                 rp.tx_power = conn->tx_power;
7294                 rp.max_tx_power = conn->max_tx_power;
7295         } else {
7296                 rp.rssi = HCI_RSSI_INVALID;
7297                 rp.tx_power = HCI_TX_POWER_INVALID;
7298                 rp.max_tx_power = HCI_TX_POWER_INVALID;
7299         }
7300
7301         mgmt_cmd_complete(cmd->sk, cmd->index, MGMT_OP_GET_CONN_INFO, status,
7302                           &rp, sizeof(rp));
7303
7304         mgmt_pending_free(cmd);
7305 }
7306
7307 static int get_conn_info_sync(struct hci_dev *hdev, void *data)
7308 {
7309         struct mgmt_pending_cmd *cmd = data;
7310         struct mgmt_cp_get_conn_info *cp = cmd->param;
7311         struct hci_conn *conn;
7312         int err;
7313         __le16   handle;
7314
7315         /* Make sure we are still connected */
7316         if (cp->addr.type == BDADDR_BREDR)
7317                 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
7318                                                &cp->addr.bdaddr);
7319         else
7320                 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->addr.bdaddr);
7321
7322         if (!conn || conn->state != BT_CONNECTED)
7323                 return MGMT_STATUS_NOT_CONNECTED;
7324
7325         cmd->user_data = conn;
7326         handle = cpu_to_le16(conn->handle);
7327
7328         /* Refresh RSSI each time */
7329         err = hci_read_rssi_sync(hdev, handle);
7330
7331         /* For LE links TX power does not change thus we don't need to
7332          * query for it once value is known.
7333          */
7334         if (!err && (!bdaddr_type_is_le(cp->addr.type) ||
7335                      conn->tx_power == HCI_TX_POWER_INVALID))
7336                 err = hci_read_tx_power_sync(hdev, handle, 0x00);
7337
7338         /* Max TX power needs to be read only once per connection */
7339         if (!err && conn->max_tx_power == HCI_TX_POWER_INVALID)
7340                 err = hci_read_tx_power_sync(hdev, handle, 0x01);
7341
7342         return err;
7343 }
7344
7345 static int get_conn_info(struct sock *sk, struct hci_dev *hdev, void *data,
7346                          u16 len)
7347 {
7348         struct mgmt_cp_get_conn_info *cp = data;
7349         struct mgmt_rp_get_conn_info rp;
7350         struct hci_conn *conn;
7351         unsigned long conn_info_age;
7352         int err = 0;
7353
7354         bt_dev_dbg(hdev, "sock %p", sk);
7355
7356         memset(&rp, 0, sizeof(rp));
7357         bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
7358         rp.addr.type = cp->addr.type;
7359
7360         if (!bdaddr_type_is_valid(cp->addr.type))
7361                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
7362                                          MGMT_STATUS_INVALID_PARAMS,
7363                                          &rp, sizeof(rp));
7364
7365         hci_dev_lock(hdev);
7366
7367         if (!hdev_is_powered(hdev)) {
7368                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
7369                                         MGMT_STATUS_NOT_POWERED, &rp,
7370                                         sizeof(rp));
7371                 goto unlock;
7372         }
7373
7374         if (cp->addr.type == BDADDR_BREDR)
7375                 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
7376                                                &cp->addr.bdaddr);
7377         else
7378                 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->addr.bdaddr);
7379
7380         if (!conn || conn->state != BT_CONNECTED) {
7381                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
7382                                         MGMT_STATUS_NOT_CONNECTED, &rp,
7383                                         sizeof(rp));
7384                 goto unlock;
7385         }
7386
7387         /* To avoid client trying to guess when to poll again for information we
7388          * calculate conn info age as random value between min/max set in hdev.
7389          */
7390         conn_info_age = get_random_u32_inclusive(hdev->conn_info_min_age,
7391                                                  hdev->conn_info_max_age - 1);
7392
7393         /* Query controller to refresh cached values if they are too old or were
7394          * never read.
7395          */
7396         if (time_after(jiffies, conn->conn_info_timestamp +
7397                        msecs_to_jiffies(conn_info_age)) ||
7398             !conn->conn_info_timestamp) {
7399                 struct mgmt_pending_cmd *cmd;
7400
7401                 cmd = mgmt_pending_new(sk, MGMT_OP_GET_CONN_INFO, hdev, data,
7402                                        len);
7403                 if (!cmd) {
7404                         err = -ENOMEM;
7405                 } else {
7406                         err = hci_cmd_sync_queue(hdev, get_conn_info_sync,
7407                                                  cmd, get_conn_info_complete);
7408                 }
7409
7410                 if (err < 0) {
7411                         mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
7412                                           MGMT_STATUS_FAILED, &rp, sizeof(rp));
7413
7414                         if (cmd)
7415                                 mgmt_pending_free(cmd);
7416
7417                         goto unlock;
7418                 }
7419
7420                 conn->conn_info_timestamp = jiffies;
7421         } else {
7422                 /* Cache is valid, just reply with values cached in hci_conn */
7423                 rp.rssi = conn->rssi;
7424                 rp.tx_power = conn->tx_power;
7425                 rp.max_tx_power = conn->max_tx_power;
7426
7427                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
7428                                         MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
7429         }
7430
7431 unlock:
7432         hci_dev_unlock(hdev);
7433         return err;
7434 }
7435
7436 static void get_clock_info_complete(struct hci_dev *hdev, void *data, int err)
7437 {
7438         struct mgmt_pending_cmd *cmd = data;
7439         struct mgmt_cp_get_clock_info *cp = cmd->param;
7440         struct mgmt_rp_get_clock_info rp;
7441         struct hci_conn *conn = cmd->user_data;
7442         u8 status = mgmt_status(err);
7443
7444         bt_dev_dbg(hdev, "err %d", err);
7445
7446         memset(&rp, 0, sizeof(rp));
7447         bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
7448         rp.addr.type = cp->addr.type;
7449
7450         if (err)
7451                 goto complete;
7452
7453         rp.local_clock = cpu_to_le32(hdev->clock);
7454
7455         if (conn) {
7456                 rp.piconet_clock = cpu_to_le32(conn->clock);
7457                 rp.accuracy = cpu_to_le16(conn->clock_accuracy);
7458         }
7459
7460 complete:
7461         mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status, &rp,
7462                           sizeof(rp));
7463
7464         mgmt_pending_free(cmd);
7465 }
7466
7467 static int get_clock_info_sync(struct hci_dev *hdev, void *data)
7468 {
7469         struct mgmt_pending_cmd *cmd = data;
7470         struct mgmt_cp_get_clock_info *cp = cmd->param;
7471         struct hci_cp_read_clock hci_cp;
7472         struct hci_conn *conn;
7473
7474         memset(&hci_cp, 0, sizeof(hci_cp));
7475         hci_read_clock_sync(hdev, &hci_cp);
7476
7477         /* Make sure connection still exists */
7478         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->addr.bdaddr);
7479         if (!conn || conn->state != BT_CONNECTED)
7480                 return MGMT_STATUS_NOT_CONNECTED;
7481
7482         cmd->user_data = conn;
7483         hci_cp.handle = cpu_to_le16(conn->handle);
7484         hci_cp.which = 0x01; /* Piconet clock */
7485
7486         return hci_read_clock_sync(hdev, &hci_cp);
7487 }
7488
7489 static int get_clock_info(struct sock *sk, struct hci_dev *hdev, void *data,
7490                                                                 u16 len)
7491 {
7492         struct mgmt_cp_get_clock_info *cp = data;
7493         struct mgmt_rp_get_clock_info rp;
7494         struct mgmt_pending_cmd *cmd;
7495         struct hci_conn *conn;
7496         int err;
7497
7498         bt_dev_dbg(hdev, "sock %p", sk);
7499
7500         memset(&rp, 0, sizeof(rp));
7501         bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
7502         rp.addr.type = cp->addr.type;
7503
7504         if (cp->addr.type != BDADDR_BREDR)
7505                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CLOCK_INFO,
7506                                          MGMT_STATUS_INVALID_PARAMS,
7507                                          &rp, sizeof(rp));
7508
7509         hci_dev_lock(hdev);
7510
7511         if (!hdev_is_powered(hdev)) {
7512                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CLOCK_INFO,
7513                                         MGMT_STATUS_NOT_POWERED, &rp,
7514                                         sizeof(rp));
7515                 goto unlock;
7516         }
7517
7518         if (bacmp(&cp->addr.bdaddr, BDADDR_ANY)) {
7519                 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
7520                                                &cp->addr.bdaddr);
7521                 if (!conn || conn->state != BT_CONNECTED) {
7522                         err = mgmt_cmd_complete(sk, hdev->id,
7523                                                 MGMT_OP_GET_CLOCK_INFO,
7524                                                 MGMT_STATUS_NOT_CONNECTED,
7525                                                 &rp, sizeof(rp));
7526                         goto unlock;
7527                 }
7528         } else {
7529                 conn = NULL;
7530         }
7531
7532         cmd = mgmt_pending_new(sk, MGMT_OP_GET_CLOCK_INFO, hdev, data, len);
7533         if (!cmd)
7534                 err = -ENOMEM;
7535         else
7536                 err = hci_cmd_sync_queue(hdev, get_clock_info_sync, cmd,
7537                                          get_clock_info_complete);
7538
7539         if (err < 0) {
7540                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CLOCK_INFO,
7541                                         MGMT_STATUS_FAILED, &rp, sizeof(rp));
7542
7543                 if (cmd)
7544                         mgmt_pending_free(cmd);
7545         }
7546
7547
7548 unlock:
7549         hci_dev_unlock(hdev);
7550         return err;
7551 }
7552
7553 static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type)
7554 {
7555         struct hci_conn *conn;
7556
7557         conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, addr);
7558         if (!conn)
7559                 return false;
7560
7561         if (conn->dst_type != type)
7562                 return false;
7563
7564         if (conn->state != BT_CONNECTED)
7565                 return false;
7566
7567         return true;
7568 }
7569
7570 /* This function requires the caller holds hdev->lock */
7571 static int hci_conn_params_set(struct hci_dev *hdev, bdaddr_t *addr,
7572                                u8 addr_type, u8 auto_connect)
7573 {
7574         struct hci_conn_params *params;
7575
7576         params = hci_conn_params_add(hdev, addr, addr_type);
7577         if (!params)
7578                 return -EIO;
7579
7580         if (params->auto_connect == auto_connect)
7581                 return 0;
7582
7583         list_del_init(&params->action);
7584
7585         switch (auto_connect) {
7586         case HCI_AUTO_CONN_DISABLED:
7587         case HCI_AUTO_CONN_LINK_LOSS:
7588                 /* If auto connect is being disabled when we're trying to
7589                  * connect to device, keep connecting.
7590                  */
7591                 if (params->explicit_connect)
7592                         list_add(&params->action, &hdev->pend_le_conns);
7593                 break;
7594         case HCI_AUTO_CONN_REPORT:
7595                 if (params->explicit_connect)
7596                         list_add(&params->action, &hdev->pend_le_conns);
7597                 else
7598                         list_add(&params->action, &hdev->pend_le_reports);
7599                 break;
7600         case HCI_AUTO_CONN_DIRECT:
7601         case HCI_AUTO_CONN_ALWAYS:
7602                 if (!is_connected(hdev, addr, addr_type))
7603                         list_add(&params->action, &hdev->pend_le_conns);
7604                 break;
7605         }
7606
7607         params->auto_connect = auto_connect;
7608
7609         bt_dev_dbg(hdev, "addr %pMR (type %u) auto_connect %u",
7610                    addr, addr_type, auto_connect);
7611
7612         return 0;
7613 }
7614
7615 static void device_added(struct sock *sk, struct hci_dev *hdev,
7616                          bdaddr_t *bdaddr, u8 type, u8 action)
7617 {
7618         struct mgmt_ev_device_added ev;
7619
7620         bacpy(&ev.addr.bdaddr, bdaddr);
7621         ev.addr.type = type;
7622         ev.action = action;
7623
7624         mgmt_event(MGMT_EV_DEVICE_ADDED, hdev, &ev, sizeof(ev), sk);
7625 }
7626
7627 static int add_device_sync(struct hci_dev *hdev, void *data)
7628 {
7629         return hci_update_passive_scan_sync(hdev);
7630 }
7631
7632 static int add_device(struct sock *sk, struct hci_dev *hdev,
7633                       void *data, u16 len)
7634 {
7635         struct mgmt_cp_add_device *cp = data;
7636         u8 auto_conn, addr_type;
7637         struct hci_conn_params *params;
7638         int err;
7639         u32 current_flags = 0;
7640         u32 supported_flags;
7641
7642         bt_dev_dbg(hdev, "sock %p", sk);
7643
7644         if (!bdaddr_type_is_valid(cp->addr.type) ||
7645             !bacmp(&cp->addr.bdaddr, BDADDR_ANY))
7646                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
7647                                          MGMT_STATUS_INVALID_PARAMS,
7648                                          &cp->addr, sizeof(cp->addr));
7649
7650         if (cp->action != 0x00 && cp->action != 0x01 && cp->action != 0x02)
7651                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
7652                                          MGMT_STATUS_INVALID_PARAMS,
7653                                          &cp->addr, sizeof(cp->addr));
7654
7655         hci_dev_lock(hdev);
7656
7657         if (cp->addr.type == BDADDR_BREDR) {
7658                 /* Only incoming connections action is supported for now */
7659                 if (cp->action != 0x01) {
7660                         err = mgmt_cmd_complete(sk, hdev->id,
7661                                                 MGMT_OP_ADD_DEVICE,
7662                                                 MGMT_STATUS_INVALID_PARAMS,
7663                                                 &cp->addr, sizeof(cp->addr));
7664                         goto unlock;
7665                 }
7666
7667                 err = hci_bdaddr_list_add_with_flags(&hdev->accept_list,
7668                                                      &cp->addr.bdaddr,
7669                                                      cp->addr.type, 0);
7670                 if (err)
7671                         goto unlock;
7672
7673                 hci_update_scan(hdev);
7674
7675                 goto added;
7676         }
7677
7678         addr_type = le_addr_type(cp->addr.type);
7679
7680         if (cp->action == 0x02)
7681                 auto_conn = HCI_AUTO_CONN_ALWAYS;
7682         else if (cp->action == 0x01)
7683                 auto_conn = HCI_AUTO_CONN_DIRECT;
7684         else
7685                 auto_conn = HCI_AUTO_CONN_REPORT;
7686
7687         /* Kernel internally uses conn_params with resolvable private
7688          * address, but Add Device allows only identity addresses.
7689          * Make sure it is enforced before calling
7690          * hci_conn_params_lookup.
7691          */
7692         if (!hci_is_identity_address(&cp->addr.bdaddr, addr_type)) {
7693                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
7694                                         MGMT_STATUS_INVALID_PARAMS,
7695                                         &cp->addr, sizeof(cp->addr));
7696                 goto unlock;
7697         }
7698
7699         /* If the connection parameters don't exist for this device,
7700          * they will be created and configured with defaults.
7701          */
7702         if (hci_conn_params_set(hdev, &cp->addr.bdaddr, addr_type,
7703                                 auto_conn) < 0) {
7704                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
7705                                         MGMT_STATUS_FAILED, &cp->addr,
7706                                         sizeof(cp->addr));
7707                 goto unlock;
7708         } else {
7709                 params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr,
7710                                                 addr_type);
7711                 if (params)
7712                         current_flags = params->flags;
7713         }
7714
7715         err = hci_cmd_sync_queue(hdev, add_device_sync, NULL, NULL);
7716         if (err < 0)
7717                 goto unlock;
7718
7719 added:
7720         device_added(sk, hdev, &cp->addr.bdaddr, cp->addr.type, cp->action);
7721         supported_flags = hdev->conn_flags;
7722         device_flags_changed(NULL, hdev, &cp->addr.bdaddr, cp->addr.type,
7723                              supported_flags, current_flags);
7724
7725         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
7726                                 MGMT_STATUS_SUCCESS, &cp->addr,
7727                                 sizeof(cp->addr));
7728
7729 unlock:
7730         hci_dev_unlock(hdev);
7731         return err;
7732 }
7733
7734 static void device_removed(struct sock *sk, struct hci_dev *hdev,
7735                            bdaddr_t *bdaddr, u8 type)
7736 {
7737         struct mgmt_ev_device_removed ev;
7738
7739         bacpy(&ev.addr.bdaddr, bdaddr);
7740         ev.addr.type = type;
7741
7742         mgmt_event(MGMT_EV_DEVICE_REMOVED, hdev, &ev, sizeof(ev), sk);
7743 }
7744
7745 static int remove_device_sync(struct hci_dev *hdev, void *data)
7746 {
7747         return hci_update_passive_scan_sync(hdev);
7748 }
7749
7750 static int remove_device(struct sock *sk, struct hci_dev *hdev,
7751                          void *data, u16 len)
7752 {
7753         struct mgmt_cp_remove_device *cp = data;
7754         int err;
7755
7756         bt_dev_dbg(hdev, "sock %p", sk);
7757
7758         hci_dev_lock(hdev);
7759
7760         if (bacmp(&cp->addr.bdaddr, BDADDR_ANY)) {
7761                 struct hci_conn_params *params;
7762                 u8 addr_type;
7763
7764                 if (!bdaddr_type_is_valid(cp->addr.type)) {
7765                         err = mgmt_cmd_complete(sk, hdev->id,
7766                                                 MGMT_OP_REMOVE_DEVICE,
7767                                                 MGMT_STATUS_INVALID_PARAMS,
7768                                                 &cp->addr, sizeof(cp->addr));
7769                         goto unlock;
7770                 }
7771
7772                 if (cp->addr.type == BDADDR_BREDR) {
7773                         err = hci_bdaddr_list_del(&hdev->accept_list,
7774                                                   &cp->addr.bdaddr,
7775                                                   cp->addr.type);
7776                         if (err) {
7777                                 err = mgmt_cmd_complete(sk, hdev->id,
7778                                                         MGMT_OP_REMOVE_DEVICE,
7779                                                         MGMT_STATUS_INVALID_PARAMS,
7780                                                         &cp->addr,
7781                                                         sizeof(cp->addr));
7782                                 goto unlock;
7783                         }
7784
7785                         hci_update_scan(hdev);
7786
7787                         device_removed(sk, hdev, &cp->addr.bdaddr,
7788                                        cp->addr.type);
7789                         goto complete;
7790                 }
7791
7792                 addr_type = le_addr_type(cp->addr.type);
7793
7794                 /* Kernel internally uses conn_params with resolvable private
7795                  * address, but Remove Device allows only identity addresses.
7796                  * Make sure it is enforced before calling
7797                  * hci_conn_params_lookup.
7798                  */
7799                 if (!hci_is_identity_address(&cp->addr.bdaddr, addr_type)) {
7800                         err = mgmt_cmd_complete(sk, hdev->id,
7801                                                 MGMT_OP_REMOVE_DEVICE,
7802                                                 MGMT_STATUS_INVALID_PARAMS,
7803                                                 &cp->addr, sizeof(cp->addr));
7804                         goto unlock;
7805                 }
7806
7807                 params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr,
7808                                                 addr_type);
7809                 if (!params) {
7810                         err = mgmt_cmd_complete(sk, hdev->id,
7811                                                 MGMT_OP_REMOVE_DEVICE,
7812                                                 MGMT_STATUS_INVALID_PARAMS,
7813                                                 &cp->addr, sizeof(cp->addr));
7814                         goto unlock;
7815                 }
7816
7817                 if (params->auto_connect == HCI_AUTO_CONN_DISABLED ||
7818                     params->auto_connect == HCI_AUTO_CONN_EXPLICIT) {
7819                         err = mgmt_cmd_complete(sk, hdev->id,
7820                                                 MGMT_OP_REMOVE_DEVICE,
7821                                                 MGMT_STATUS_INVALID_PARAMS,
7822                                                 &cp->addr, sizeof(cp->addr));
7823                         goto unlock;
7824                 }
7825
7826                 list_del(&params->action);
7827                 list_del(&params->list);
7828                 kfree(params);
7829
7830                 device_removed(sk, hdev, &cp->addr.bdaddr, cp->addr.type);
7831         } else {
7832                 struct hci_conn_params *p, *tmp;
7833                 struct bdaddr_list *b, *btmp;
7834
7835                 if (cp->addr.type) {
7836                         err = mgmt_cmd_complete(sk, hdev->id,
7837                                                 MGMT_OP_REMOVE_DEVICE,
7838                                                 MGMT_STATUS_INVALID_PARAMS,
7839                                                 &cp->addr, sizeof(cp->addr));
7840                         goto unlock;
7841                 }
7842
7843                 list_for_each_entry_safe(b, btmp, &hdev->accept_list, list) {
7844                         device_removed(sk, hdev, &b->bdaddr, b->bdaddr_type);
7845                         list_del(&b->list);
7846                         kfree(b);
7847                 }
7848
7849                 hci_update_scan(hdev);
7850
7851                 list_for_each_entry_safe(p, tmp, &hdev->le_conn_params, list) {
7852                         if (p->auto_connect == HCI_AUTO_CONN_DISABLED)
7853                                 continue;
7854                         device_removed(sk, hdev, &p->addr, p->addr_type);
7855                         if (p->explicit_connect) {
7856                                 p->auto_connect = HCI_AUTO_CONN_EXPLICIT;
7857                                 continue;
7858                         }
7859                         list_del(&p->action);
7860                         list_del(&p->list);
7861                         kfree(p);
7862                 }
7863
7864                 bt_dev_dbg(hdev, "All LE connection parameters were removed");
7865         }
7866
7867         hci_cmd_sync_queue(hdev, remove_device_sync, NULL, NULL);
7868
7869 complete:
7870         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_DEVICE,
7871                                 MGMT_STATUS_SUCCESS, &cp->addr,
7872                                 sizeof(cp->addr));
7873 unlock:
7874         hci_dev_unlock(hdev);
7875         return err;
7876 }
7877
7878 static int load_conn_param(struct sock *sk, struct hci_dev *hdev, void *data,
7879                            u16 len)
7880 {
7881         struct mgmt_cp_load_conn_param *cp = data;
7882         const u16 max_param_count = ((U16_MAX - sizeof(*cp)) /
7883                                      sizeof(struct mgmt_conn_param));
7884         u16 param_count, expected_len;
7885         int i;
7886
7887         if (!lmp_le_capable(hdev))
7888                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM,
7889                                        MGMT_STATUS_NOT_SUPPORTED);
7890
7891         param_count = __le16_to_cpu(cp->param_count);
7892         if (param_count > max_param_count) {
7893                 bt_dev_err(hdev, "load_conn_param: too big param_count value %u",
7894                            param_count);
7895                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM,
7896                                        MGMT_STATUS_INVALID_PARAMS);
7897         }
7898
7899         expected_len = struct_size(cp, params, param_count);
7900         if (expected_len != len) {
7901                 bt_dev_err(hdev, "load_conn_param: expected %u bytes, got %u bytes",
7902                            expected_len, len);
7903                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM,
7904                                        MGMT_STATUS_INVALID_PARAMS);
7905         }
7906
7907         bt_dev_dbg(hdev, "param_count %u", param_count);
7908
7909         hci_dev_lock(hdev);
7910
7911         hci_conn_params_clear_disabled(hdev);
7912
7913         for (i = 0; i < param_count; i++) {
7914                 struct mgmt_conn_param *param = &cp->params[i];
7915                 struct hci_conn_params *hci_param;
7916                 u16 min, max, latency, timeout;
7917                 u8 addr_type;
7918
7919                 bt_dev_dbg(hdev, "Adding %pMR (type %u)", &param->addr.bdaddr,
7920                            param->addr.type);
7921
7922                 if (param->addr.type == BDADDR_LE_PUBLIC) {
7923                         addr_type = ADDR_LE_DEV_PUBLIC;
7924                 } else if (param->addr.type == BDADDR_LE_RANDOM) {
7925                         addr_type = ADDR_LE_DEV_RANDOM;
7926                 } else {
7927                         bt_dev_err(hdev, "ignoring invalid connection parameters");
7928                         continue;
7929                 }
7930
7931                 min = le16_to_cpu(param->min_interval);
7932                 max = le16_to_cpu(param->max_interval);
7933                 latency = le16_to_cpu(param->latency);
7934                 timeout = le16_to_cpu(param->timeout);
7935
7936                 bt_dev_dbg(hdev, "min 0x%04x max 0x%04x latency 0x%04x timeout 0x%04x",
7937                            min, max, latency, timeout);
7938
7939                 if (hci_check_conn_params(min, max, latency, timeout) < 0) {
7940                         bt_dev_err(hdev, "ignoring invalid connection parameters");
7941                         continue;
7942                 }
7943
7944                 hci_param = hci_conn_params_add(hdev, &param->addr.bdaddr,
7945                                                 addr_type);
7946                 if (!hci_param) {
7947                         bt_dev_err(hdev, "failed to add connection parameters");
7948                         continue;
7949                 }
7950
7951                 hci_param->conn_min_interval = min;
7952                 hci_param->conn_max_interval = max;
7953                 hci_param->conn_latency = latency;
7954                 hci_param->supervision_timeout = timeout;
7955         }
7956
7957         hci_dev_unlock(hdev);
7958
7959         return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM, 0,
7960                                  NULL, 0);
7961 }
7962
7963 static int set_external_config(struct sock *sk, struct hci_dev *hdev,
7964                                void *data, u16 len)
7965 {
7966         struct mgmt_cp_set_external_config *cp = data;
7967         bool changed;
7968         int err;
7969
7970         bt_dev_dbg(hdev, "sock %p", sk);
7971
7972         if (hdev_is_powered(hdev))
7973                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_EXTERNAL_CONFIG,
7974                                        MGMT_STATUS_REJECTED);
7975
7976         if (cp->config != 0x00 && cp->config != 0x01)
7977                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_EXTERNAL_CONFIG,
7978                                          MGMT_STATUS_INVALID_PARAMS);
7979
7980         if (!test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks))
7981                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_EXTERNAL_CONFIG,
7982                                        MGMT_STATUS_NOT_SUPPORTED);
7983
7984         hci_dev_lock(hdev);
7985
7986         if (cp->config)
7987                 changed = !hci_dev_test_and_set_flag(hdev, HCI_EXT_CONFIGURED);
7988         else
7989                 changed = hci_dev_test_and_clear_flag(hdev, HCI_EXT_CONFIGURED);
7990
7991         err = send_options_rsp(sk, MGMT_OP_SET_EXTERNAL_CONFIG, hdev);
7992         if (err < 0)
7993                 goto unlock;
7994
7995         if (!changed)
7996                 goto unlock;
7997
7998         err = new_options(hdev, sk);
7999
8000         if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED) == is_configured(hdev)) {
8001                 mgmt_index_removed(hdev);
8002
8003                 if (hci_dev_test_and_change_flag(hdev, HCI_UNCONFIGURED)) {
8004                         hci_dev_set_flag(hdev, HCI_CONFIG);
8005                         hci_dev_set_flag(hdev, HCI_AUTO_OFF);
8006
8007                         queue_work(hdev->req_workqueue, &hdev->power_on);
8008                 } else {
8009                         set_bit(HCI_RAW, &hdev->flags);
8010                         mgmt_index_added(hdev);
8011                 }
8012         }
8013
8014 unlock:
8015         hci_dev_unlock(hdev);
8016         return err;
8017 }
8018
8019 static int set_public_address(struct sock *sk, struct hci_dev *hdev,
8020                               void *data, u16 len)
8021 {
8022         struct mgmt_cp_set_public_address *cp = data;
8023         bool changed;
8024         int err;
8025
8026         bt_dev_dbg(hdev, "sock %p", sk);
8027
8028         if (hdev_is_powered(hdev))
8029                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PUBLIC_ADDRESS,
8030                                        MGMT_STATUS_REJECTED);
8031
8032         if (!bacmp(&cp->bdaddr, BDADDR_ANY))
8033                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PUBLIC_ADDRESS,
8034                                        MGMT_STATUS_INVALID_PARAMS);
8035
8036         if (!hdev->set_bdaddr)
8037                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PUBLIC_ADDRESS,
8038                                        MGMT_STATUS_NOT_SUPPORTED);
8039
8040         hci_dev_lock(hdev);
8041
8042         changed = !!bacmp(&hdev->public_addr, &cp->bdaddr);
8043         bacpy(&hdev->public_addr, &cp->bdaddr);
8044
8045         err = send_options_rsp(sk, MGMT_OP_SET_PUBLIC_ADDRESS, hdev);
8046         if (err < 0)
8047                 goto unlock;
8048
8049         if (!changed)
8050                 goto unlock;
8051
8052         if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
8053                 err = new_options(hdev, sk);
8054
8055         if (is_configured(hdev)) {
8056                 mgmt_index_removed(hdev);
8057
8058                 hci_dev_clear_flag(hdev, HCI_UNCONFIGURED);
8059
8060                 hci_dev_set_flag(hdev, HCI_CONFIG);
8061                 hci_dev_set_flag(hdev, HCI_AUTO_OFF);
8062
8063                 queue_work(hdev->req_workqueue, &hdev->power_on);
8064         }
8065
8066 unlock:
8067         hci_dev_unlock(hdev);
8068         return err;
8069 }
8070
8071 static void read_local_oob_ext_data_complete(struct hci_dev *hdev, void *data,
8072                                              int err)
8073 {
8074         const struct mgmt_cp_read_local_oob_ext_data *mgmt_cp;
8075         struct mgmt_rp_read_local_oob_ext_data *mgmt_rp;
8076         u8 *h192, *r192, *h256, *r256;
8077         struct mgmt_pending_cmd *cmd = data;
8078         struct sk_buff *skb = cmd->skb;
8079         u8 status = mgmt_status(err);
8080         u16 eir_len;
8081
8082         if (cmd != pending_find(MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev))
8083                 return;
8084
8085         if (!status) {
8086                 if (!skb)
8087                         status = MGMT_STATUS_FAILED;
8088                 else if (IS_ERR(skb))
8089                         status = mgmt_status(PTR_ERR(skb));
8090                 else
8091                         status = mgmt_status(skb->data[0]);
8092         }
8093
8094         bt_dev_dbg(hdev, "status %u", status);
8095
8096         mgmt_cp = cmd->param;
8097
8098         if (status) {
8099                 status = mgmt_status(status);
8100                 eir_len = 0;
8101
8102                 h192 = NULL;
8103                 r192 = NULL;
8104                 h256 = NULL;
8105                 r256 = NULL;
8106         } else if (!bredr_sc_enabled(hdev)) {
8107                 struct hci_rp_read_local_oob_data *rp;
8108
8109                 if (skb->len != sizeof(*rp)) {
8110                         status = MGMT_STATUS_FAILED;
8111                         eir_len = 0;
8112                 } else {
8113                         status = MGMT_STATUS_SUCCESS;
8114                         rp = (void *)skb->data;
8115
8116                         eir_len = 5 + 18 + 18;
8117                         h192 = rp->hash;
8118                         r192 = rp->rand;
8119                         h256 = NULL;
8120                         r256 = NULL;
8121                 }
8122         } else {
8123                 struct hci_rp_read_local_oob_ext_data *rp;
8124
8125                 if (skb->len != sizeof(*rp)) {
8126                         status = MGMT_STATUS_FAILED;
8127                         eir_len = 0;
8128                 } else {
8129                         status = MGMT_STATUS_SUCCESS;
8130                         rp = (void *)skb->data;
8131
8132                         if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
8133                                 eir_len = 5 + 18 + 18;
8134                                 h192 = NULL;
8135                                 r192 = NULL;
8136                         } else {
8137                                 eir_len = 5 + 18 + 18 + 18 + 18;
8138                                 h192 = rp->hash192;
8139                                 r192 = rp->rand192;
8140                         }
8141
8142                         h256 = rp->hash256;
8143                         r256 = rp->rand256;
8144                 }
8145         }
8146
8147         mgmt_rp = kmalloc(sizeof(*mgmt_rp) + eir_len, GFP_KERNEL);
8148         if (!mgmt_rp)
8149                 goto done;
8150
8151         if (eir_len == 0)
8152                 goto send_rsp;
8153
8154         eir_len = eir_append_data(mgmt_rp->eir, 0, EIR_CLASS_OF_DEV,
8155                                   hdev->dev_class, 3);
8156
8157         if (h192 && r192) {
8158                 eir_len = eir_append_data(mgmt_rp->eir, eir_len,
8159                                           EIR_SSP_HASH_C192, h192, 16);
8160                 eir_len = eir_append_data(mgmt_rp->eir, eir_len,
8161                                           EIR_SSP_RAND_R192, r192, 16);
8162         }
8163
8164         if (h256 && r256) {
8165                 eir_len = eir_append_data(mgmt_rp->eir, eir_len,
8166                                           EIR_SSP_HASH_C256, h256, 16);
8167                 eir_len = eir_append_data(mgmt_rp->eir, eir_len,
8168                                           EIR_SSP_RAND_R256, r256, 16);
8169         }
8170
8171 send_rsp:
8172         mgmt_rp->type = mgmt_cp->type;
8173         mgmt_rp->eir_len = cpu_to_le16(eir_len);
8174
8175         err = mgmt_cmd_complete(cmd->sk, hdev->id,
8176                                 MGMT_OP_READ_LOCAL_OOB_EXT_DATA, status,
8177                                 mgmt_rp, sizeof(*mgmt_rp) + eir_len);
8178         if (err < 0 || status)
8179                 goto done;
8180
8181         hci_sock_set_flag(cmd->sk, HCI_MGMT_OOB_DATA_EVENTS);
8182
8183         err = mgmt_limited_event(MGMT_EV_LOCAL_OOB_DATA_UPDATED, hdev,
8184                                  mgmt_rp, sizeof(*mgmt_rp) + eir_len,
8185                                  HCI_MGMT_OOB_DATA_EVENTS, cmd->sk);
8186 done:
8187         if (skb && !IS_ERR(skb))
8188                 kfree_skb(skb);
8189
8190         kfree(mgmt_rp);
8191         mgmt_pending_remove(cmd);
8192 }
8193
8194 static int read_local_ssp_oob_req(struct hci_dev *hdev, struct sock *sk,
8195                                   struct mgmt_cp_read_local_oob_ext_data *cp)
8196 {
8197         struct mgmt_pending_cmd *cmd;
8198         int err;
8199
8200         cmd = mgmt_pending_add(sk, MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev,
8201                                cp, sizeof(*cp));
8202         if (!cmd)
8203                 return -ENOMEM;
8204
8205         err = hci_cmd_sync_queue(hdev, read_local_oob_data_sync, cmd,
8206                                  read_local_oob_ext_data_complete);
8207
8208         if (err < 0) {
8209                 mgmt_pending_remove(cmd);
8210                 return err;
8211         }
8212
8213         return 0;
8214 }
8215
8216 static int read_local_oob_ext_data(struct sock *sk, struct hci_dev *hdev,
8217                                    void *data, u16 data_len)
8218 {
8219         struct mgmt_cp_read_local_oob_ext_data *cp = data;
8220         struct mgmt_rp_read_local_oob_ext_data *rp;
8221         size_t rp_len;
8222         u16 eir_len;
8223         u8 status, flags, role, addr[7], hash[16], rand[16];
8224         int err;
8225
8226         bt_dev_dbg(hdev, "sock %p", sk);
8227
8228         if (hdev_is_powered(hdev)) {
8229                 switch (cp->type) {
8230                 case BIT(BDADDR_BREDR):
8231                         status = mgmt_bredr_support(hdev);
8232                         if (status)
8233                                 eir_len = 0;
8234                         else
8235                                 eir_len = 5;
8236                         break;
8237                 case (BIT(BDADDR_LE_PUBLIC) | BIT(BDADDR_LE_RANDOM)):
8238                         status = mgmt_le_support(hdev);
8239                         if (status)
8240                                 eir_len = 0;
8241                         else
8242                                 eir_len = 9 + 3 + 18 + 18 + 3;
8243                         break;
8244                 default:
8245                         status = MGMT_STATUS_INVALID_PARAMS;
8246                         eir_len = 0;
8247                         break;
8248                 }
8249         } else {
8250                 status = MGMT_STATUS_NOT_POWERED;
8251                 eir_len = 0;
8252         }
8253
8254         rp_len = sizeof(*rp) + eir_len;
8255         rp = kmalloc(rp_len, GFP_ATOMIC);
8256         if (!rp)
8257                 return -ENOMEM;
8258
8259         if (!status && !lmp_ssp_capable(hdev)) {
8260                 status = MGMT_STATUS_NOT_SUPPORTED;
8261                 eir_len = 0;
8262         }
8263
8264         if (status)
8265                 goto complete;
8266
8267         hci_dev_lock(hdev);
8268
8269         eir_len = 0;
8270         switch (cp->type) {
8271         case BIT(BDADDR_BREDR):
8272                 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
8273                         err = read_local_ssp_oob_req(hdev, sk, cp);
8274                         hci_dev_unlock(hdev);
8275                         if (!err)
8276                                 goto done;
8277
8278                         status = MGMT_STATUS_FAILED;
8279                         goto complete;
8280                 } else {
8281                         eir_len = eir_append_data(rp->eir, eir_len,
8282                                                   EIR_CLASS_OF_DEV,
8283                                                   hdev->dev_class, 3);
8284                 }
8285                 break;
8286         case (BIT(BDADDR_LE_PUBLIC) | BIT(BDADDR_LE_RANDOM)):
8287                 if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
8288                     smp_generate_oob(hdev, hash, rand) < 0) {
8289                         hci_dev_unlock(hdev);
8290                         status = MGMT_STATUS_FAILED;
8291                         goto complete;
8292                 }
8293
8294                 /* This should return the active RPA, but since the RPA
8295                  * is only programmed on demand, it is really hard to fill
8296                  * this in at the moment. For now disallow retrieving
8297                  * local out-of-band data when privacy is in use.
8298                  *
8299                  * Returning the identity address will not help here since
8300                  * pairing happens before the identity resolving key is
8301                  * known and thus the connection establishment happens
8302                  * based on the RPA and not the identity address.
8303                  */
8304                 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
8305                         hci_dev_unlock(hdev);
8306                         status = MGMT_STATUS_REJECTED;
8307                         goto complete;
8308                 }
8309
8310                 if (hci_dev_test_flag(hdev, HCI_FORCE_STATIC_ADDR) ||
8311                    !bacmp(&hdev->bdaddr, BDADDR_ANY) ||
8312                    (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
8313                     bacmp(&hdev->static_addr, BDADDR_ANY))) {
8314                         memcpy(addr, &hdev->static_addr, 6);
8315                         addr[6] = 0x01;
8316                 } else {
8317                         memcpy(addr, &hdev->bdaddr, 6);
8318                         addr[6] = 0x00;
8319                 }
8320
8321                 eir_len = eir_append_data(rp->eir, eir_len, EIR_LE_BDADDR,
8322                                           addr, sizeof(addr));
8323
8324                 if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
8325                         role = 0x02;
8326                 else
8327                         role = 0x01;
8328
8329                 eir_len = eir_append_data(rp->eir, eir_len, EIR_LE_ROLE,
8330                                           &role, sizeof(role));
8331
8332                 if (hci_dev_test_flag(hdev, HCI_SC_ENABLED)) {
8333                         eir_len = eir_append_data(rp->eir, eir_len,
8334                                                   EIR_LE_SC_CONFIRM,
8335                                                   hash, sizeof(hash));
8336
8337                         eir_len = eir_append_data(rp->eir, eir_len,
8338                                                   EIR_LE_SC_RANDOM,
8339                                                   rand, sizeof(rand));
8340                 }
8341
8342                 flags = mgmt_get_adv_discov_flags(hdev);
8343
8344                 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
8345                         flags |= LE_AD_NO_BREDR;
8346
8347                 eir_len = eir_append_data(rp->eir, eir_len, EIR_FLAGS,
8348                                           &flags, sizeof(flags));
8349                 break;
8350         }
8351
8352         hci_dev_unlock(hdev);
8353
8354         hci_sock_set_flag(sk, HCI_MGMT_OOB_DATA_EVENTS);
8355
8356         status = MGMT_STATUS_SUCCESS;
8357
8358 complete:
8359         rp->type = cp->type;
8360         rp->eir_len = cpu_to_le16(eir_len);
8361
8362         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_EXT_DATA,
8363                                 status, rp, sizeof(*rp) + eir_len);
8364         if (err < 0 || status)
8365                 goto done;
8366
8367         err = mgmt_limited_event(MGMT_EV_LOCAL_OOB_DATA_UPDATED, hdev,
8368                                  rp, sizeof(*rp) + eir_len,
8369                                  HCI_MGMT_OOB_DATA_EVENTS, sk);
8370
8371 done:
8372         kfree(rp);
8373
8374         return err;
8375 }
8376
8377 static u32 get_supported_adv_flags(struct hci_dev *hdev)
8378 {
8379         u32 flags = 0;
8380
8381         flags |= MGMT_ADV_FLAG_CONNECTABLE;
8382         flags |= MGMT_ADV_FLAG_DISCOV;
8383         flags |= MGMT_ADV_FLAG_LIMITED_DISCOV;
8384         flags |= MGMT_ADV_FLAG_MANAGED_FLAGS;
8385         flags |= MGMT_ADV_FLAG_APPEARANCE;
8386         flags |= MGMT_ADV_FLAG_LOCAL_NAME;
8387         flags |= MGMT_ADV_PARAM_DURATION;
8388         flags |= MGMT_ADV_PARAM_TIMEOUT;
8389         flags |= MGMT_ADV_PARAM_INTERVALS;
8390         flags |= MGMT_ADV_PARAM_TX_POWER;
8391         flags |= MGMT_ADV_PARAM_SCAN_RSP;
8392
8393         /* In extended adv TX_POWER returned from Set Adv Param
8394          * will be always valid.
8395          */
8396         if (hdev->adv_tx_power != HCI_TX_POWER_INVALID || ext_adv_capable(hdev))
8397                 flags |= MGMT_ADV_FLAG_TX_POWER;
8398
8399         if (ext_adv_capable(hdev)) {
8400                 flags |= MGMT_ADV_FLAG_SEC_1M;
8401                 flags |= MGMT_ADV_FLAG_HW_OFFLOAD;
8402                 flags |= MGMT_ADV_FLAG_CAN_SET_TX_POWER;
8403
8404                 if (le_2m_capable(hdev))
8405                         flags |= MGMT_ADV_FLAG_SEC_2M;
8406
8407                 if (le_coded_capable(hdev))
8408                         flags |= MGMT_ADV_FLAG_SEC_CODED;
8409         }
8410
8411         return flags;
8412 }
8413
8414 static int read_adv_features(struct sock *sk, struct hci_dev *hdev,
8415                              void *data, u16 data_len)
8416 {
8417         struct mgmt_rp_read_adv_features *rp;
8418         size_t rp_len;
8419         int err;
8420         struct adv_info *adv_instance;
8421         u32 supported_flags;
8422         u8 *instance;
8423
8424         bt_dev_dbg(hdev, "sock %p", sk);
8425
8426         if (!lmp_le_capable(hdev))
8427                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_ADV_FEATURES,
8428                                        MGMT_STATUS_REJECTED);
8429
8430         hci_dev_lock(hdev);
8431
8432         rp_len = sizeof(*rp) + hdev->adv_instance_cnt;
8433         rp = kmalloc(rp_len, GFP_ATOMIC);
8434         if (!rp) {
8435                 hci_dev_unlock(hdev);
8436                 return -ENOMEM;
8437         }
8438
8439         supported_flags = get_supported_adv_flags(hdev);
8440
8441         rp->supported_flags = cpu_to_le32(supported_flags);
8442         rp->max_adv_data_len = HCI_MAX_AD_LENGTH;
8443         rp->max_scan_rsp_len = HCI_MAX_AD_LENGTH;
8444         rp->max_instances = hdev->le_num_of_adv_sets;
8445         rp->num_instances = hdev->adv_instance_cnt;
8446
8447         instance = rp->instance;
8448         list_for_each_entry(adv_instance, &hdev->adv_instances, list) {
8449                 /* Only instances 1-le_num_of_adv_sets are externally visible */
8450                 if (adv_instance->instance <= hdev->adv_instance_cnt) {
8451                         *instance = adv_instance->instance;
8452                         instance++;
8453                 } else {
8454                         rp->num_instances--;
8455                         rp_len--;
8456                 }
8457         }
8458
8459         hci_dev_unlock(hdev);
8460
8461         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_ADV_FEATURES,
8462                                 MGMT_STATUS_SUCCESS, rp, rp_len);
8463
8464         kfree(rp);
8465
8466         return err;
8467 }
8468
8469 static u8 calculate_name_len(struct hci_dev *hdev)
8470 {
8471         u8 buf[HCI_MAX_SHORT_NAME_LENGTH + 3];
8472
8473         return eir_append_local_name(hdev, buf, 0);
8474 }
8475
8476 static u8 tlv_data_max_len(struct hci_dev *hdev, u32 adv_flags,
8477                            bool is_adv_data)
8478 {
8479         u8 max_len = HCI_MAX_AD_LENGTH;
8480
8481         if (is_adv_data) {
8482                 if (adv_flags & (MGMT_ADV_FLAG_DISCOV |
8483                                  MGMT_ADV_FLAG_LIMITED_DISCOV |
8484                                  MGMT_ADV_FLAG_MANAGED_FLAGS))
8485                         max_len -= 3;
8486
8487                 if (adv_flags & MGMT_ADV_FLAG_TX_POWER)
8488                         max_len -= 3;
8489         } else {
8490                 if (adv_flags & MGMT_ADV_FLAG_LOCAL_NAME)
8491                         max_len -= calculate_name_len(hdev);
8492
8493                 if (adv_flags & (MGMT_ADV_FLAG_APPEARANCE))
8494                         max_len -= 4;
8495         }
8496
8497         return max_len;
8498 }
8499
8500 static bool flags_managed(u32 adv_flags)
8501 {
8502         return adv_flags & (MGMT_ADV_FLAG_DISCOV |
8503                             MGMT_ADV_FLAG_LIMITED_DISCOV |
8504                             MGMT_ADV_FLAG_MANAGED_FLAGS);
8505 }
8506
8507 static bool tx_power_managed(u32 adv_flags)
8508 {
8509         return adv_flags & MGMT_ADV_FLAG_TX_POWER;
8510 }
8511
8512 static bool name_managed(u32 adv_flags)
8513 {
8514         return adv_flags & MGMT_ADV_FLAG_LOCAL_NAME;
8515 }
8516
8517 static bool appearance_managed(u32 adv_flags)
8518 {
8519         return adv_flags & MGMT_ADV_FLAG_APPEARANCE;
8520 }
8521
8522 static bool tlv_data_is_valid(struct hci_dev *hdev, u32 adv_flags, u8 *data,
8523                               u8 len, bool is_adv_data)
8524 {
8525         int i, cur_len;
8526         u8 max_len;
8527
8528         max_len = tlv_data_max_len(hdev, adv_flags, is_adv_data);
8529
8530         if (len > max_len)
8531                 return false;
8532
8533         /* Make sure that the data is correctly formatted. */
8534         for (i = 0; i < len; i += (cur_len + 1)) {
8535                 cur_len = data[i];
8536
8537                 if (!cur_len)
8538                         continue;
8539
8540                 if (data[i + 1] == EIR_FLAGS &&
8541                     (!is_adv_data || flags_managed(adv_flags)))
8542                         return false;
8543
8544                 if (data[i + 1] == EIR_TX_POWER && tx_power_managed(adv_flags))
8545                         return false;
8546
8547                 if (data[i + 1] == EIR_NAME_COMPLETE && name_managed(adv_flags))
8548                         return false;
8549
8550                 if (data[i + 1] == EIR_NAME_SHORT && name_managed(adv_flags))
8551                         return false;
8552
8553                 if (data[i + 1] == EIR_APPEARANCE &&
8554                     appearance_managed(adv_flags))
8555                         return false;
8556
8557                 /* If the current field length would exceed the total data
8558                  * length, then it's invalid.
8559                  */
8560                 if (i + cur_len >= len)
8561                         return false;
8562         }
8563
8564         return true;
8565 }
8566
8567 static bool requested_adv_flags_are_valid(struct hci_dev *hdev, u32 adv_flags)
8568 {
8569         u32 supported_flags, phy_flags;
8570
8571         /* The current implementation only supports a subset of the specified
8572          * flags. Also need to check mutual exclusiveness of sec flags.
8573          */
8574         supported_flags = get_supported_adv_flags(hdev);
8575         phy_flags = adv_flags & MGMT_ADV_FLAG_SEC_MASK;
8576         if (adv_flags & ~supported_flags ||
8577             ((phy_flags && (phy_flags ^ (phy_flags & -phy_flags)))))
8578                 return false;
8579
8580         return true;
8581 }
8582
8583 static bool adv_busy(struct hci_dev *hdev)
8584 {
8585         return pending_find(MGMT_OP_SET_LE, hdev);
8586 }
8587
8588 static void add_adv_complete(struct hci_dev *hdev, struct sock *sk, u8 instance,
8589                              int err)
8590 {
8591         struct adv_info *adv, *n;
8592
8593         bt_dev_dbg(hdev, "err %d", err);
8594
8595         hci_dev_lock(hdev);
8596
8597         list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) {
8598                 u8 instance;
8599
8600                 if (!adv->pending)
8601                         continue;
8602
8603                 if (!err) {
8604                         adv->pending = false;
8605                         continue;
8606                 }
8607
8608                 instance = adv->instance;
8609
8610                 if (hdev->cur_adv_instance == instance)
8611                         cancel_adv_timeout(hdev);
8612
8613                 hci_remove_adv_instance(hdev, instance);
8614                 mgmt_advertising_removed(sk, hdev, instance);
8615         }
8616
8617         hci_dev_unlock(hdev);
8618 }
8619
8620 static void add_advertising_complete(struct hci_dev *hdev, void *data, int err)
8621 {
8622         struct mgmt_pending_cmd *cmd = data;
8623         struct mgmt_cp_add_advertising *cp = cmd->param;
8624         struct mgmt_rp_add_advertising rp;
8625
8626         memset(&rp, 0, sizeof(rp));
8627
8628         rp.instance = cp->instance;
8629
8630         if (err)
8631                 mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode,
8632                                 mgmt_status(err));
8633         else
8634                 mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
8635                                   mgmt_status(err), &rp, sizeof(rp));
8636
8637         add_adv_complete(hdev, cmd->sk, cp->instance, err);
8638
8639         mgmt_pending_free(cmd);
8640 }
8641
8642 static int add_advertising_sync(struct hci_dev *hdev, void *data)
8643 {
8644         struct mgmt_pending_cmd *cmd = data;
8645         struct mgmt_cp_add_advertising *cp = cmd->param;
8646
8647         return hci_schedule_adv_instance_sync(hdev, cp->instance, true);
8648 }
8649
8650 static int add_advertising(struct sock *sk, struct hci_dev *hdev,
8651                            void *data, u16 data_len)
8652 {
8653         struct mgmt_cp_add_advertising *cp = data;
8654         struct mgmt_rp_add_advertising rp;
8655         u32 flags;
8656         u8 status;
8657         u16 timeout, duration;
8658         unsigned int prev_instance_cnt;
8659         u8 schedule_instance = 0;
8660         struct adv_info *adv, *next_instance;
8661         int err;
8662         struct mgmt_pending_cmd *cmd;
8663
8664         bt_dev_dbg(hdev, "sock %p", sk);
8665
8666         status = mgmt_le_support(hdev);
8667         if (status)
8668                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
8669                                        status);
8670
8671         if (cp->instance < 1 || cp->instance > hdev->le_num_of_adv_sets)
8672                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
8673                                        MGMT_STATUS_INVALID_PARAMS);
8674
8675         if (data_len != sizeof(*cp) + cp->adv_data_len + cp->scan_rsp_len)
8676                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
8677                                        MGMT_STATUS_INVALID_PARAMS);
8678
8679         flags = __le32_to_cpu(cp->flags);
8680         timeout = __le16_to_cpu(cp->timeout);
8681         duration = __le16_to_cpu(cp->duration);
8682
8683         if (!requested_adv_flags_are_valid(hdev, flags))
8684                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
8685                                        MGMT_STATUS_INVALID_PARAMS);
8686
8687         hci_dev_lock(hdev);
8688
8689         if (timeout && !hdev_is_powered(hdev)) {
8690                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
8691                                       MGMT_STATUS_REJECTED);
8692                 goto unlock;
8693         }
8694
8695         if (adv_busy(hdev)) {
8696                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
8697                                       MGMT_STATUS_BUSY);
8698                 goto unlock;
8699         }
8700
8701         if (!tlv_data_is_valid(hdev, flags, cp->data, cp->adv_data_len, true) ||
8702             !tlv_data_is_valid(hdev, flags, cp->data + cp->adv_data_len,
8703                                cp->scan_rsp_len, false)) {
8704                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
8705                                       MGMT_STATUS_INVALID_PARAMS);
8706                 goto unlock;
8707         }
8708
8709         prev_instance_cnt = hdev->adv_instance_cnt;
8710
8711         adv = hci_add_adv_instance(hdev, cp->instance, flags,
8712                                    cp->adv_data_len, cp->data,
8713                                    cp->scan_rsp_len,
8714                                    cp->data + cp->adv_data_len,
8715                                    timeout, duration,
8716                                    HCI_ADV_TX_POWER_NO_PREFERENCE,
8717                                    hdev->le_adv_min_interval,
8718                                    hdev->le_adv_max_interval, 0);
8719         if (IS_ERR(adv)) {
8720                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
8721                                       MGMT_STATUS_FAILED);
8722                 goto unlock;
8723         }
8724
8725         /* Only trigger an advertising added event if a new instance was
8726          * actually added.
8727          */
8728         if (hdev->adv_instance_cnt > prev_instance_cnt)
8729                 mgmt_advertising_added(sk, hdev, cp->instance);
8730
8731         if (hdev->cur_adv_instance == cp->instance) {
8732                 /* If the currently advertised instance is being changed then
8733                  * cancel the current advertising and schedule the next
8734                  * instance. If there is only one instance then the overridden
8735                  * advertising data will be visible right away.
8736                  */
8737                 cancel_adv_timeout(hdev);
8738
8739                 next_instance = hci_get_next_instance(hdev, cp->instance);
8740                 if (next_instance)
8741                         schedule_instance = next_instance->instance;
8742         } else if (!hdev->adv_instance_timeout) {
8743                 /* Immediately advertise the new instance if no other
8744                  * instance is currently being advertised.
8745                  */
8746                 schedule_instance = cp->instance;
8747         }
8748
8749         /* If the HCI_ADVERTISING flag is set or the device isn't powered or
8750          * there is no instance to be advertised then we have no HCI
8751          * communication to make. Simply return.
8752          */
8753         if (!hdev_is_powered(hdev) ||
8754             hci_dev_test_flag(hdev, HCI_ADVERTISING) ||
8755             !schedule_instance) {
8756                 rp.instance = cp->instance;
8757                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
8758                                         MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
8759                 goto unlock;
8760         }
8761
8762         /* We're good to go, update advertising data, parameters, and start
8763          * advertising.
8764          */
8765         cmd = mgmt_pending_new(sk, MGMT_OP_ADD_ADVERTISING, hdev, data,
8766                                data_len);
8767         if (!cmd) {
8768                 err = -ENOMEM;
8769                 goto unlock;
8770         }
8771
8772         cp->instance = schedule_instance;
8773
8774         err = hci_cmd_sync_queue(hdev, add_advertising_sync, cmd,
8775                                  add_advertising_complete);
8776         if (err < 0)
8777                 mgmt_pending_free(cmd);
8778
8779 unlock:
8780         hci_dev_unlock(hdev);
8781
8782         return err;
8783 }
8784
8785 static void add_ext_adv_params_complete(struct hci_dev *hdev, void *data,
8786                                         int err)
8787 {
8788         struct mgmt_pending_cmd *cmd = data;
8789         struct mgmt_cp_add_ext_adv_params *cp = cmd->param;
8790         struct mgmt_rp_add_ext_adv_params rp;
8791         struct adv_info *adv;
8792         u32 flags;
8793
8794         BT_DBG("%s", hdev->name);
8795
8796         hci_dev_lock(hdev);
8797
8798         adv = hci_find_adv_instance(hdev, cp->instance);
8799         if (!adv)
8800                 goto unlock;
8801
8802         rp.instance = cp->instance;
8803         rp.tx_power = adv->tx_power;
8804
8805         /* While we're at it, inform userspace of the available space for this
8806          * advertisement, given the flags that will be used.
8807          */
8808         flags = __le32_to_cpu(cp->flags);
8809         rp.max_adv_data_len = tlv_data_max_len(hdev, flags, true);
8810         rp.max_scan_rsp_len = tlv_data_max_len(hdev, flags, false);
8811
8812         if (err) {
8813                 /* If this advertisement was previously advertising and we
8814                  * failed to update it, we signal that it has been removed and
8815                  * delete its structure
8816                  */
8817                 if (!adv->pending)
8818                         mgmt_advertising_removed(cmd->sk, hdev, cp->instance);
8819
8820                 hci_remove_adv_instance(hdev, cp->instance);
8821
8822                 mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode,
8823                                 mgmt_status(err));
8824         } else {
8825                 mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
8826                                   mgmt_status(err), &rp, sizeof(rp));
8827         }
8828
8829 unlock:
8830         if (cmd)
8831                 mgmt_pending_free(cmd);
8832
8833         hci_dev_unlock(hdev);
8834 }
8835
8836 static int add_ext_adv_params_sync(struct hci_dev *hdev, void *data)
8837 {
8838         struct mgmt_pending_cmd *cmd = data;
8839         struct mgmt_cp_add_ext_adv_params *cp = cmd->param;
8840
8841         return hci_setup_ext_adv_instance_sync(hdev, cp->instance);
8842 }
8843
8844 static int add_ext_adv_params(struct sock *sk, struct hci_dev *hdev,
8845                               void *data, u16 data_len)
8846 {
8847         struct mgmt_cp_add_ext_adv_params *cp = data;
8848         struct mgmt_rp_add_ext_adv_params rp;
8849         struct mgmt_pending_cmd *cmd = NULL;
8850         struct adv_info *adv;
8851         u32 flags, min_interval, max_interval;
8852         u16 timeout, duration;
8853         u8 status;
8854         s8 tx_power;
8855         int err;
8856
8857         BT_DBG("%s", hdev->name);
8858
8859         status = mgmt_le_support(hdev);
8860         if (status)
8861                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
8862                                        status);
8863
8864         if (cp->instance < 1 || cp->instance > hdev->le_num_of_adv_sets)
8865                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
8866                                        MGMT_STATUS_INVALID_PARAMS);
8867
8868         /* The purpose of breaking add_advertising into two separate MGMT calls
8869          * for params and data is to allow more parameters to be added to this
8870          * structure in the future. For this reason, we verify that we have the
8871          * bare minimum structure we know of when the interface was defined. Any
8872          * extra parameters we don't know about will be ignored in this request.
8873          */
8874         if (data_len < MGMT_ADD_EXT_ADV_PARAMS_MIN_SIZE)
8875                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
8876                                        MGMT_STATUS_INVALID_PARAMS);
8877
8878         flags = __le32_to_cpu(cp->flags);
8879
8880         if (!requested_adv_flags_are_valid(hdev, flags))
8881                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
8882                                        MGMT_STATUS_INVALID_PARAMS);
8883
8884         hci_dev_lock(hdev);
8885
8886         /* In new interface, we require that we are powered to register */
8887         if (!hdev_is_powered(hdev)) {
8888                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
8889                                       MGMT_STATUS_REJECTED);
8890                 goto unlock;
8891         }
8892
8893         if (adv_busy(hdev)) {
8894                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
8895                                       MGMT_STATUS_BUSY);
8896                 goto unlock;
8897         }
8898
8899         /* Parse defined parameters from request, use defaults otherwise */
8900         timeout = (flags & MGMT_ADV_PARAM_TIMEOUT) ?
8901                   __le16_to_cpu(cp->timeout) : 0;
8902
8903         duration = (flags & MGMT_ADV_PARAM_DURATION) ?
8904                    __le16_to_cpu(cp->duration) :
8905                    hdev->def_multi_adv_rotation_duration;
8906
8907         min_interval = (flags & MGMT_ADV_PARAM_INTERVALS) ?
8908                        __le32_to_cpu(cp->min_interval) :
8909                        hdev->le_adv_min_interval;
8910
8911         max_interval = (flags & MGMT_ADV_PARAM_INTERVALS) ?
8912                        __le32_to_cpu(cp->max_interval) :
8913                        hdev->le_adv_max_interval;
8914
8915         tx_power = (flags & MGMT_ADV_PARAM_TX_POWER) ?
8916                    cp->tx_power :
8917                    HCI_ADV_TX_POWER_NO_PREFERENCE;
8918
8919         /* Create advertising instance with no advertising or response data */
8920         adv = hci_add_adv_instance(hdev, cp->instance, flags, 0, NULL, 0, NULL,
8921                                    timeout, duration, tx_power, min_interval,
8922                                    max_interval, 0);
8923
8924         if (IS_ERR(adv)) {
8925                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
8926                                       MGMT_STATUS_FAILED);
8927                 goto unlock;
8928         }
8929
8930         /* Submit request for advertising params if ext adv available */
8931         if (ext_adv_capable(hdev)) {
8932                 cmd = mgmt_pending_new(sk, MGMT_OP_ADD_EXT_ADV_PARAMS, hdev,
8933                                        data, data_len);
8934                 if (!cmd) {
8935                         err = -ENOMEM;
8936                         hci_remove_adv_instance(hdev, cp->instance);
8937                         goto unlock;
8938                 }
8939
8940                 err = hci_cmd_sync_queue(hdev, add_ext_adv_params_sync, cmd,
8941                                          add_ext_adv_params_complete);
8942                 if (err < 0)
8943                         mgmt_pending_free(cmd);
8944         } else {
8945                 rp.instance = cp->instance;
8946                 rp.tx_power = HCI_ADV_TX_POWER_NO_PREFERENCE;
8947                 rp.max_adv_data_len = tlv_data_max_len(hdev, flags, true);
8948                 rp.max_scan_rsp_len = tlv_data_max_len(hdev, flags, false);
8949                 err = mgmt_cmd_complete(sk, hdev->id,
8950                                         MGMT_OP_ADD_EXT_ADV_PARAMS,
8951                                         MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
8952         }
8953
8954 unlock:
8955         hci_dev_unlock(hdev);
8956
8957         return err;
8958 }
8959
8960 static void add_ext_adv_data_complete(struct hci_dev *hdev, void *data, int err)
8961 {
8962         struct mgmt_pending_cmd *cmd = data;
8963         struct mgmt_cp_add_ext_adv_data *cp = cmd->param;
8964         struct mgmt_rp_add_advertising rp;
8965
8966         add_adv_complete(hdev, cmd->sk, cp->instance, err);
8967
8968         memset(&rp, 0, sizeof(rp));
8969
8970         rp.instance = cp->instance;
8971
8972         if (err)
8973                 mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode,
8974                                 mgmt_status(err));
8975         else
8976                 mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
8977                                   mgmt_status(err), &rp, sizeof(rp));
8978
8979         mgmt_pending_free(cmd);
8980 }
8981
8982 static int add_ext_adv_data_sync(struct hci_dev *hdev, void *data)
8983 {
8984         struct mgmt_pending_cmd *cmd = data;
8985         struct mgmt_cp_add_ext_adv_data *cp = cmd->param;
8986         int err;
8987
8988         if (ext_adv_capable(hdev)) {
8989                 err = hci_update_adv_data_sync(hdev, cp->instance);
8990                 if (err)
8991                         return err;
8992
8993                 err = hci_update_scan_rsp_data_sync(hdev, cp->instance);
8994                 if (err)
8995                         return err;
8996
8997                 return hci_enable_ext_advertising_sync(hdev, cp->instance);
8998         }
8999
9000         return hci_schedule_adv_instance_sync(hdev, cp->instance, true);
9001 }
9002
9003 static int add_ext_adv_data(struct sock *sk, struct hci_dev *hdev, void *data,
9004                             u16 data_len)
9005 {
9006         struct mgmt_cp_add_ext_adv_data *cp = data;
9007         struct mgmt_rp_add_ext_adv_data rp;
9008         u8 schedule_instance = 0;
9009         struct adv_info *next_instance;
9010         struct adv_info *adv_instance;
9011         int err = 0;
9012         struct mgmt_pending_cmd *cmd;
9013
9014         BT_DBG("%s", hdev->name);
9015
9016         hci_dev_lock(hdev);
9017
9018         adv_instance = hci_find_adv_instance(hdev, cp->instance);
9019
9020         if (!adv_instance) {
9021                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
9022                                       MGMT_STATUS_INVALID_PARAMS);
9023                 goto unlock;
9024         }
9025
9026         /* In new interface, we require that we are powered to register */
9027         if (!hdev_is_powered(hdev)) {
9028                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
9029                                       MGMT_STATUS_REJECTED);
9030                 goto clear_new_instance;
9031         }
9032
9033         if (adv_busy(hdev)) {
9034                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
9035                                       MGMT_STATUS_BUSY);
9036                 goto clear_new_instance;
9037         }
9038
9039         /* Validate new data */
9040         if (!tlv_data_is_valid(hdev, adv_instance->flags, cp->data,
9041                                cp->adv_data_len, true) ||
9042             !tlv_data_is_valid(hdev, adv_instance->flags, cp->data +
9043                                cp->adv_data_len, cp->scan_rsp_len, false)) {
9044                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
9045                                       MGMT_STATUS_INVALID_PARAMS);
9046                 goto clear_new_instance;
9047         }
9048
9049         /* Set the data in the advertising instance */
9050         hci_set_adv_instance_data(hdev, cp->instance, cp->adv_data_len,
9051                                   cp->data, cp->scan_rsp_len,
9052                                   cp->data + cp->adv_data_len);
9053
9054         /* If using software rotation, determine next instance to use */
9055         if (hdev->cur_adv_instance == cp->instance) {
9056                 /* If the currently advertised instance is being changed
9057                  * then cancel the current advertising and schedule the
9058                  * next instance. If there is only one instance then the
9059                  * overridden advertising data will be visible right
9060                  * away
9061                  */
9062                 cancel_adv_timeout(hdev);
9063
9064                 next_instance = hci_get_next_instance(hdev, cp->instance);
9065                 if (next_instance)
9066                         schedule_instance = next_instance->instance;
9067         } else if (!hdev->adv_instance_timeout) {
9068                 /* Immediately advertise the new instance if no other
9069                  * instance is currently being advertised.
9070                  */
9071                 schedule_instance = cp->instance;
9072         }
9073
9074         /* If the HCI_ADVERTISING flag is set or there is no instance to
9075          * be advertised then we have no HCI communication to make.
9076          * Simply return.
9077          */
9078         if (hci_dev_test_flag(hdev, HCI_ADVERTISING) || !schedule_instance) {
9079                 if (adv_instance->pending) {
9080                         mgmt_advertising_added(sk, hdev, cp->instance);
9081                         adv_instance->pending = false;
9082                 }
9083                 rp.instance = cp->instance;
9084                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
9085                                         MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
9086                 goto unlock;
9087         }
9088
9089         cmd = mgmt_pending_new(sk, MGMT_OP_ADD_EXT_ADV_DATA, hdev, data,
9090                                data_len);
9091         if (!cmd) {
9092                 err = -ENOMEM;
9093                 goto clear_new_instance;
9094         }
9095
9096         err = hci_cmd_sync_queue(hdev, add_ext_adv_data_sync, cmd,
9097                                  add_ext_adv_data_complete);
9098         if (err < 0) {
9099                 mgmt_pending_free(cmd);
9100                 goto clear_new_instance;
9101         }
9102
9103         /* We were successful in updating data, so trigger advertising_added
9104          * event if this is an instance that wasn't previously advertising. If
9105          * a failure occurs in the requests we initiated, we will remove the
9106          * instance again in add_advertising_complete
9107          */
9108         if (adv_instance->pending)
9109                 mgmt_advertising_added(sk, hdev, cp->instance);
9110
9111         goto unlock;
9112
9113 clear_new_instance:
9114         hci_remove_adv_instance(hdev, cp->instance);
9115
9116 unlock:
9117         hci_dev_unlock(hdev);
9118
9119         return err;
9120 }
9121
9122 static void remove_advertising_complete(struct hci_dev *hdev, void *data,
9123                                         int err)
9124 {
9125         struct mgmt_pending_cmd *cmd = data;
9126         struct mgmt_cp_remove_advertising *cp = cmd->param;
9127         struct mgmt_rp_remove_advertising rp;
9128
9129         bt_dev_dbg(hdev, "err %d", err);
9130
9131         memset(&rp, 0, sizeof(rp));
9132         rp.instance = cp->instance;
9133
9134         if (err)
9135                 mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode,
9136                                 mgmt_status(err));
9137         else
9138                 mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
9139                                   MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
9140
9141         mgmt_pending_free(cmd);
9142 }
9143
9144 static int remove_advertising_sync(struct hci_dev *hdev, void *data)
9145 {
9146         struct mgmt_pending_cmd *cmd = data;
9147         struct mgmt_cp_remove_advertising *cp = cmd->param;
9148         int err;
9149
9150         err = hci_remove_advertising_sync(hdev, cmd->sk, cp->instance, true);
9151         if (err)
9152                 return err;
9153
9154         if (list_empty(&hdev->adv_instances))
9155                 err = hci_disable_advertising_sync(hdev);
9156
9157         return err;
9158 }
9159
9160 static int remove_advertising(struct sock *sk, struct hci_dev *hdev,
9161                               void *data, u16 data_len)
9162 {
9163         struct mgmt_cp_remove_advertising *cp = data;
9164         struct mgmt_pending_cmd *cmd;
9165         int err;
9166
9167         bt_dev_dbg(hdev, "sock %p", sk);
9168
9169         hci_dev_lock(hdev);
9170
9171         if (cp->instance && !hci_find_adv_instance(hdev, cp->instance)) {
9172                 err = mgmt_cmd_status(sk, hdev->id,
9173                                       MGMT_OP_REMOVE_ADVERTISING,
9174                                       MGMT_STATUS_INVALID_PARAMS);
9175                 goto unlock;
9176         }
9177
9178         if (pending_find(MGMT_OP_SET_LE, hdev)) {
9179                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_ADVERTISING,
9180                                       MGMT_STATUS_BUSY);
9181                 goto unlock;
9182         }
9183
9184         if (list_empty(&hdev->adv_instances)) {
9185                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_ADVERTISING,
9186                                       MGMT_STATUS_INVALID_PARAMS);
9187                 goto unlock;
9188         }
9189
9190         cmd = mgmt_pending_new(sk, MGMT_OP_REMOVE_ADVERTISING, hdev, data,
9191                                data_len);
9192         if (!cmd) {
9193                 err = -ENOMEM;
9194                 goto unlock;
9195         }
9196
9197         err = hci_cmd_sync_queue(hdev, remove_advertising_sync, cmd,
9198                                  remove_advertising_complete);
9199         if (err < 0)
9200                 mgmt_pending_free(cmd);
9201
9202 unlock:
9203         hci_dev_unlock(hdev);
9204
9205         return err;
9206 }
9207
9208 static int get_adv_size_info(struct sock *sk, struct hci_dev *hdev,
9209                              void *data, u16 data_len)
9210 {
9211         struct mgmt_cp_get_adv_size_info *cp = data;
9212         struct mgmt_rp_get_adv_size_info rp;
9213         u32 flags, supported_flags;
9214
9215         bt_dev_dbg(hdev, "sock %p", sk);
9216
9217         if (!lmp_le_capable(hdev))
9218                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_GET_ADV_SIZE_INFO,
9219                                        MGMT_STATUS_REJECTED);
9220
9221         if (cp->instance < 1 || cp->instance > hdev->le_num_of_adv_sets)
9222                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_GET_ADV_SIZE_INFO,
9223                                        MGMT_STATUS_INVALID_PARAMS);
9224
9225         flags = __le32_to_cpu(cp->flags);
9226
9227         /* The current implementation only supports a subset of the specified
9228          * flags.
9229          */
9230         supported_flags = get_supported_adv_flags(hdev);
9231         if (flags & ~supported_flags)
9232                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_GET_ADV_SIZE_INFO,
9233                                        MGMT_STATUS_INVALID_PARAMS);
9234
9235         rp.instance = cp->instance;
9236         rp.flags = cp->flags;
9237         rp.max_adv_data_len = tlv_data_max_len(hdev, flags, true);
9238         rp.max_scan_rsp_len = tlv_data_max_len(hdev, flags, false);
9239
9240         return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_ADV_SIZE_INFO,
9241                                  MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
9242 }
9243
9244 static const struct hci_mgmt_handler mgmt_handlers[] = {
9245         { NULL }, /* 0x0000 (no command) */
9246         { read_version,            MGMT_READ_VERSION_SIZE,
9247                                                 HCI_MGMT_NO_HDEV |
9248                                                 HCI_MGMT_UNTRUSTED },
9249         { read_commands,           MGMT_READ_COMMANDS_SIZE,
9250                                                 HCI_MGMT_NO_HDEV |
9251                                                 HCI_MGMT_UNTRUSTED },
9252         { read_index_list,         MGMT_READ_INDEX_LIST_SIZE,
9253                                                 HCI_MGMT_NO_HDEV |
9254                                                 HCI_MGMT_UNTRUSTED },
9255         { read_controller_info,    MGMT_READ_INFO_SIZE,
9256                                                 HCI_MGMT_UNTRUSTED },
9257         { set_powered,             MGMT_SETTING_SIZE },
9258         { set_discoverable,        MGMT_SET_DISCOVERABLE_SIZE },
9259         { set_connectable,         MGMT_SETTING_SIZE },
9260         { set_fast_connectable,    MGMT_SETTING_SIZE },
9261         { set_bondable,            MGMT_SETTING_SIZE },
9262         { set_link_security,       MGMT_SETTING_SIZE },
9263         { set_ssp,                 MGMT_SETTING_SIZE },
9264         { set_hs,                  MGMT_SETTING_SIZE },
9265         { set_le,                  MGMT_SETTING_SIZE },
9266         { set_dev_class,           MGMT_SET_DEV_CLASS_SIZE },
9267         { set_local_name,          MGMT_SET_LOCAL_NAME_SIZE },
9268         { add_uuid,                MGMT_ADD_UUID_SIZE },
9269         { remove_uuid,             MGMT_REMOVE_UUID_SIZE },
9270         { load_link_keys,          MGMT_LOAD_LINK_KEYS_SIZE,
9271                                                 HCI_MGMT_VAR_LEN },
9272         { load_long_term_keys,     MGMT_LOAD_LONG_TERM_KEYS_SIZE,
9273                                                 HCI_MGMT_VAR_LEN },
9274         { disconnect,              MGMT_DISCONNECT_SIZE },
9275         { get_connections,         MGMT_GET_CONNECTIONS_SIZE },
9276         { pin_code_reply,          MGMT_PIN_CODE_REPLY_SIZE },
9277         { pin_code_neg_reply,      MGMT_PIN_CODE_NEG_REPLY_SIZE },
9278         { set_io_capability,       MGMT_SET_IO_CAPABILITY_SIZE },
9279         { pair_device,             MGMT_PAIR_DEVICE_SIZE },
9280         { cancel_pair_device,      MGMT_CANCEL_PAIR_DEVICE_SIZE },
9281         { unpair_device,           MGMT_UNPAIR_DEVICE_SIZE },
9282         { user_confirm_reply,      MGMT_USER_CONFIRM_REPLY_SIZE },
9283         { user_confirm_neg_reply,  MGMT_USER_CONFIRM_NEG_REPLY_SIZE },
9284         { user_passkey_reply,      MGMT_USER_PASSKEY_REPLY_SIZE },
9285         { user_passkey_neg_reply,  MGMT_USER_PASSKEY_NEG_REPLY_SIZE },
9286         { read_local_oob_data,     MGMT_READ_LOCAL_OOB_DATA_SIZE },
9287         { add_remote_oob_data,     MGMT_ADD_REMOTE_OOB_DATA_SIZE,
9288                                                 HCI_MGMT_VAR_LEN },
9289         { remove_remote_oob_data,  MGMT_REMOVE_REMOTE_OOB_DATA_SIZE },
9290         { start_discovery,         MGMT_START_DISCOVERY_SIZE },
9291         { stop_discovery,          MGMT_STOP_DISCOVERY_SIZE },
9292         { confirm_name,            MGMT_CONFIRM_NAME_SIZE },
9293         { block_device,            MGMT_BLOCK_DEVICE_SIZE },
9294         { unblock_device,          MGMT_UNBLOCK_DEVICE_SIZE },
9295         { set_device_id,           MGMT_SET_DEVICE_ID_SIZE },
9296         { set_advertising,         MGMT_SETTING_SIZE },
9297         { set_bredr,               MGMT_SETTING_SIZE },
9298         { set_static_address,      MGMT_SET_STATIC_ADDRESS_SIZE },
9299         { set_scan_params,         MGMT_SET_SCAN_PARAMS_SIZE },
9300         { set_secure_conn,         MGMT_SETTING_SIZE },
9301         { set_debug_keys,          MGMT_SETTING_SIZE },
9302         { set_privacy,             MGMT_SET_PRIVACY_SIZE },
9303         { load_irks,               MGMT_LOAD_IRKS_SIZE,
9304                                                 HCI_MGMT_VAR_LEN },
9305         { get_conn_info,           MGMT_GET_CONN_INFO_SIZE },
9306         { get_clock_info,          MGMT_GET_CLOCK_INFO_SIZE },
9307         { add_device,              MGMT_ADD_DEVICE_SIZE },
9308         { remove_device,           MGMT_REMOVE_DEVICE_SIZE },
9309         { load_conn_param,         MGMT_LOAD_CONN_PARAM_SIZE,
9310                                                 HCI_MGMT_VAR_LEN },
9311         { read_unconf_index_list,  MGMT_READ_UNCONF_INDEX_LIST_SIZE,
9312                                                 HCI_MGMT_NO_HDEV |
9313                                                 HCI_MGMT_UNTRUSTED },
9314         { read_config_info,        MGMT_READ_CONFIG_INFO_SIZE,
9315                                                 HCI_MGMT_UNCONFIGURED |
9316                                                 HCI_MGMT_UNTRUSTED },
9317         { set_external_config,     MGMT_SET_EXTERNAL_CONFIG_SIZE,
9318                                                 HCI_MGMT_UNCONFIGURED },
9319         { set_public_address,      MGMT_SET_PUBLIC_ADDRESS_SIZE,
9320                                                 HCI_MGMT_UNCONFIGURED },
9321         { start_service_discovery, MGMT_START_SERVICE_DISCOVERY_SIZE,
9322                                                 HCI_MGMT_VAR_LEN },
9323         { read_local_oob_ext_data, MGMT_READ_LOCAL_OOB_EXT_DATA_SIZE },
9324         { read_ext_index_list,     MGMT_READ_EXT_INDEX_LIST_SIZE,
9325                                                 HCI_MGMT_NO_HDEV |
9326                                                 HCI_MGMT_UNTRUSTED },
9327         { read_adv_features,       MGMT_READ_ADV_FEATURES_SIZE },
9328         { add_advertising,         MGMT_ADD_ADVERTISING_SIZE,
9329                                                 HCI_MGMT_VAR_LEN },
9330         { remove_advertising,      MGMT_REMOVE_ADVERTISING_SIZE },
9331         { get_adv_size_info,       MGMT_GET_ADV_SIZE_INFO_SIZE },
9332         { start_limited_discovery, MGMT_START_DISCOVERY_SIZE },
9333         { read_ext_controller_info,MGMT_READ_EXT_INFO_SIZE,
9334                                                 HCI_MGMT_UNTRUSTED },
9335         { set_appearance,          MGMT_SET_APPEARANCE_SIZE },
9336         { get_phy_configuration,   MGMT_GET_PHY_CONFIGURATION_SIZE },
9337         { set_phy_configuration,   MGMT_SET_PHY_CONFIGURATION_SIZE },
9338         { set_blocked_keys,        MGMT_OP_SET_BLOCKED_KEYS_SIZE,
9339                                                 HCI_MGMT_VAR_LEN },
9340         { set_wideband_speech,     MGMT_SETTING_SIZE },
9341         { read_controller_cap,     MGMT_READ_CONTROLLER_CAP_SIZE,
9342                                                 HCI_MGMT_UNTRUSTED },
9343         { read_exp_features_info,  MGMT_READ_EXP_FEATURES_INFO_SIZE,
9344                                                 HCI_MGMT_UNTRUSTED |
9345                                                 HCI_MGMT_HDEV_OPTIONAL },
9346         { set_exp_feature,         MGMT_SET_EXP_FEATURE_SIZE,
9347                                                 HCI_MGMT_VAR_LEN |
9348                                                 HCI_MGMT_HDEV_OPTIONAL },
9349         { read_def_system_config,  MGMT_READ_DEF_SYSTEM_CONFIG_SIZE,
9350                                                 HCI_MGMT_UNTRUSTED },
9351         { set_def_system_config,   MGMT_SET_DEF_SYSTEM_CONFIG_SIZE,
9352                                                 HCI_MGMT_VAR_LEN },
9353         { read_def_runtime_config, MGMT_READ_DEF_RUNTIME_CONFIG_SIZE,
9354                                                 HCI_MGMT_UNTRUSTED },
9355         { set_def_runtime_config,  MGMT_SET_DEF_RUNTIME_CONFIG_SIZE,
9356                                                 HCI_MGMT_VAR_LEN },
9357         { get_device_flags,        MGMT_GET_DEVICE_FLAGS_SIZE },
9358         { set_device_flags,        MGMT_SET_DEVICE_FLAGS_SIZE },
9359         { read_adv_mon_features,   MGMT_READ_ADV_MONITOR_FEATURES_SIZE },
9360         { add_adv_patterns_monitor,MGMT_ADD_ADV_PATTERNS_MONITOR_SIZE,
9361                                                 HCI_MGMT_VAR_LEN },
9362         { remove_adv_monitor,      MGMT_REMOVE_ADV_MONITOR_SIZE },
9363         { add_ext_adv_params,      MGMT_ADD_EXT_ADV_PARAMS_MIN_SIZE,
9364                                                 HCI_MGMT_VAR_LEN },
9365         { add_ext_adv_data,        MGMT_ADD_EXT_ADV_DATA_SIZE,
9366                                                 HCI_MGMT_VAR_LEN },
9367         { add_adv_patterns_monitor_rssi,
9368                                    MGMT_ADD_ADV_PATTERNS_MONITOR_RSSI_SIZE,
9369                                                 HCI_MGMT_VAR_LEN },
9370         { set_mesh,                MGMT_SET_MESH_RECEIVER_SIZE,
9371                                                 HCI_MGMT_VAR_LEN },
9372         { mesh_features,           MGMT_MESH_READ_FEATURES_SIZE },
9373         { mesh_send,               MGMT_MESH_SEND_SIZE,
9374                                                 HCI_MGMT_VAR_LEN },
9375         { mesh_send_cancel,        MGMT_MESH_SEND_CANCEL_SIZE },
9376 };
9377
9378 void mgmt_index_added(struct hci_dev *hdev)
9379 {
9380         struct mgmt_ev_ext_index ev;
9381
9382         if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
9383                 return;
9384
9385         switch (hdev->dev_type) {
9386         case HCI_PRIMARY:
9387                 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
9388                         mgmt_index_event(MGMT_EV_UNCONF_INDEX_ADDED, hdev,
9389                                          NULL, 0, HCI_MGMT_UNCONF_INDEX_EVENTS);
9390                         ev.type = 0x01;
9391                 } else {
9392                         mgmt_index_event(MGMT_EV_INDEX_ADDED, hdev, NULL, 0,
9393                                          HCI_MGMT_INDEX_EVENTS);
9394                         ev.type = 0x00;
9395                 }
9396                 break;
9397         case HCI_AMP:
9398                 ev.type = 0x02;
9399                 break;
9400         default:
9401                 return;
9402         }
9403
9404         ev.bus = hdev->bus;
9405
9406         mgmt_index_event(MGMT_EV_EXT_INDEX_ADDED, hdev, &ev, sizeof(ev),
9407                          HCI_MGMT_EXT_INDEX_EVENTS);
9408 }
9409
9410 void mgmt_index_removed(struct hci_dev *hdev)
9411 {
9412         struct mgmt_ev_ext_index ev;
9413         u8 status = MGMT_STATUS_INVALID_INDEX;
9414
9415         if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
9416                 return;
9417
9418         switch (hdev->dev_type) {
9419         case HCI_PRIMARY:
9420                 mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &status);
9421
9422                 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
9423                         mgmt_index_event(MGMT_EV_UNCONF_INDEX_REMOVED, hdev,
9424                                          NULL, 0, HCI_MGMT_UNCONF_INDEX_EVENTS);
9425                         ev.type = 0x01;
9426                 } else {
9427                         mgmt_index_event(MGMT_EV_INDEX_REMOVED, hdev, NULL, 0,
9428                                          HCI_MGMT_INDEX_EVENTS);
9429                         ev.type = 0x00;
9430                 }
9431                 break;
9432         case HCI_AMP:
9433                 ev.type = 0x02;
9434                 break;
9435         default:
9436                 return;
9437         }
9438
9439         ev.bus = hdev->bus;
9440
9441         mgmt_index_event(MGMT_EV_EXT_INDEX_REMOVED, hdev, &ev, sizeof(ev),
9442                          HCI_MGMT_EXT_INDEX_EVENTS);
9443
9444         /* Cancel any remaining timed work */
9445         if (!hci_dev_test_flag(hdev, HCI_MGMT))
9446                 return;
9447         cancel_delayed_work_sync(&hdev->discov_off);
9448         cancel_delayed_work_sync(&hdev->service_cache);
9449         cancel_delayed_work_sync(&hdev->rpa_expired);
9450 }
9451
9452 void mgmt_power_on(struct hci_dev *hdev, int err)
9453 {
9454         struct cmd_lookup match = { NULL, hdev };
9455
9456         bt_dev_dbg(hdev, "err %d", err);
9457
9458         hci_dev_lock(hdev);
9459
9460         if (!err) {
9461                 restart_le_actions(hdev);
9462                 hci_update_passive_scan(hdev);
9463         }
9464
9465         mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp, &match);
9466
9467         new_settings(hdev, match.sk);
9468
9469         if (match.sk)
9470                 sock_put(match.sk);
9471
9472         hci_dev_unlock(hdev);
9473 }
9474
9475 void __mgmt_power_off(struct hci_dev *hdev)
9476 {
9477         struct cmd_lookup match = { NULL, hdev };
9478         u8 status, zero_cod[] = { 0, 0, 0 };
9479
9480         mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp, &match);
9481
9482         /* If the power off is because of hdev unregistration let
9483          * use the appropriate INVALID_INDEX status. Otherwise use
9484          * NOT_POWERED. We cover both scenarios here since later in
9485          * mgmt_index_removed() any hci_conn callbacks will have already
9486          * been triggered, potentially causing misleading DISCONNECTED
9487          * status responses.
9488          */
9489         if (hci_dev_test_flag(hdev, HCI_UNREGISTER))
9490                 status = MGMT_STATUS_INVALID_INDEX;
9491         else
9492                 status = MGMT_STATUS_NOT_POWERED;
9493
9494         mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &status);
9495
9496         if (memcmp(hdev->dev_class, zero_cod, sizeof(zero_cod)) != 0) {
9497                 mgmt_limited_event(MGMT_EV_CLASS_OF_DEV_CHANGED, hdev,
9498                                    zero_cod, sizeof(zero_cod),
9499                                    HCI_MGMT_DEV_CLASS_EVENTS, NULL);
9500                 ext_info_changed(hdev, NULL);
9501         }
9502
9503         new_settings(hdev, match.sk);
9504
9505         if (match.sk)
9506                 sock_put(match.sk);
9507 }
9508
9509 void mgmt_set_powered_failed(struct hci_dev *hdev, int err)
9510 {
9511         struct mgmt_pending_cmd *cmd;
9512         u8 status;
9513
9514         cmd = pending_find(MGMT_OP_SET_POWERED, hdev);
9515         if (!cmd)
9516                 return;
9517
9518         if (err == -ERFKILL)
9519                 status = MGMT_STATUS_RFKILLED;
9520         else
9521                 status = MGMT_STATUS_FAILED;
9522
9523         mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_POWERED, status);
9524
9525         mgmt_pending_remove(cmd);
9526 }
9527
9528 void mgmt_new_link_key(struct hci_dev *hdev, struct link_key *key,
9529                        bool persistent)
9530 {
9531         struct mgmt_ev_new_link_key ev;
9532
9533         memset(&ev, 0, sizeof(ev));
9534
9535         ev.store_hint = persistent;
9536         bacpy(&ev.key.addr.bdaddr, &key->bdaddr);
9537         ev.key.addr.type = BDADDR_BREDR;
9538         ev.key.type = key->type;
9539         memcpy(ev.key.val, key->val, HCI_LINK_KEY_SIZE);
9540         ev.key.pin_len = key->pin_len;
9541
9542         mgmt_event(MGMT_EV_NEW_LINK_KEY, hdev, &ev, sizeof(ev), NULL);
9543 }
9544
9545 static u8 mgmt_ltk_type(struct smp_ltk *ltk)
9546 {
9547         switch (ltk->type) {
9548         case SMP_LTK:
9549         case SMP_LTK_RESPONDER:
9550                 if (ltk->authenticated)
9551                         return MGMT_LTK_AUTHENTICATED;
9552                 return MGMT_LTK_UNAUTHENTICATED;
9553         case SMP_LTK_P256:
9554                 if (ltk->authenticated)
9555                         return MGMT_LTK_P256_AUTH;
9556                 return MGMT_LTK_P256_UNAUTH;
9557         case SMP_LTK_P256_DEBUG:
9558                 return MGMT_LTK_P256_DEBUG;
9559         }
9560
9561         return MGMT_LTK_UNAUTHENTICATED;
9562 }
9563
9564 void mgmt_new_ltk(struct hci_dev *hdev, struct smp_ltk *key, bool persistent)
9565 {
9566         struct mgmt_ev_new_long_term_key ev;
9567
9568         memset(&ev, 0, sizeof(ev));
9569
9570         /* Devices using resolvable or non-resolvable random addresses
9571          * without providing an identity resolving key don't require
9572          * to store long term keys. Their addresses will change the
9573          * next time around.
9574          *
9575          * Only when a remote device provides an identity address
9576          * make sure the long term key is stored. If the remote
9577          * identity is known, the long term keys are internally
9578          * mapped to the identity address. So allow static random
9579          * and public addresses here.
9580          */
9581         if (key->bdaddr_type == ADDR_LE_DEV_RANDOM &&
9582             (key->bdaddr.b[5] & 0xc0) != 0xc0)
9583                 ev.store_hint = 0x00;
9584         else
9585                 ev.store_hint = persistent;
9586
9587         bacpy(&ev.key.addr.bdaddr, &key->bdaddr);
9588         ev.key.addr.type = link_to_bdaddr(LE_LINK, key->bdaddr_type);
9589         ev.key.type = mgmt_ltk_type(key);
9590         ev.key.enc_size = key->enc_size;
9591         ev.key.ediv = key->ediv;
9592         ev.key.rand = key->rand;
9593
9594         if (key->type == SMP_LTK)
9595                 ev.key.initiator = 1;
9596
9597         /* Make sure we copy only the significant bytes based on the
9598          * encryption key size, and set the rest of the value to zeroes.
9599          */
9600         memcpy(ev.key.val, key->val, key->enc_size);
9601         memset(ev.key.val + key->enc_size, 0,
9602                sizeof(ev.key.val) - key->enc_size);
9603
9604         mgmt_event(MGMT_EV_NEW_LONG_TERM_KEY, hdev, &ev, sizeof(ev), NULL);
9605 }
9606
9607 void mgmt_new_irk(struct hci_dev *hdev, struct smp_irk *irk, bool persistent)
9608 {
9609         struct mgmt_ev_new_irk ev;
9610
9611         memset(&ev, 0, sizeof(ev));
9612
9613         ev.store_hint = persistent;
9614
9615         bacpy(&ev.rpa, &irk->rpa);
9616         bacpy(&ev.irk.addr.bdaddr, &irk->bdaddr);
9617         ev.irk.addr.type = link_to_bdaddr(LE_LINK, irk->addr_type);
9618         memcpy(ev.irk.val, irk->val, sizeof(irk->val));
9619
9620         mgmt_event(MGMT_EV_NEW_IRK, hdev, &ev, sizeof(ev), NULL);
9621 }
9622
9623 void mgmt_new_csrk(struct hci_dev *hdev, struct smp_csrk *csrk,
9624                    bool persistent)
9625 {
9626         struct mgmt_ev_new_csrk ev;
9627
9628         memset(&ev, 0, sizeof(ev));
9629
9630         /* Devices using resolvable or non-resolvable random addresses
9631          * without providing an identity resolving key don't require
9632          * to store signature resolving keys. Their addresses will change
9633          * the next time around.
9634          *
9635          * Only when a remote device provides an identity address
9636          * make sure the signature resolving key is stored. So allow
9637          * static random and public addresses here.
9638          */
9639         if (csrk->bdaddr_type == ADDR_LE_DEV_RANDOM &&
9640             (csrk->bdaddr.b[5] & 0xc0) != 0xc0)
9641                 ev.store_hint = 0x00;
9642         else
9643                 ev.store_hint = persistent;
9644
9645         bacpy(&ev.key.addr.bdaddr, &csrk->bdaddr);
9646         ev.key.addr.type = link_to_bdaddr(LE_LINK, csrk->bdaddr_type);
9647         ev.key.type = csrk->type;
9648         memcpy(ev.key.val, csrk->val, sizeof(csrk->val));
9649
9650         mgmt_event(MGMT_EV_NEW_CSRK, hdev, &ev, sizeof(ev), NULL);
9651 }
9652
9653 void mgmt_new_conn_param(struct hci_dev *hdev, bdaddr_t *bdaddr,
9654                          u8 bdaddr_type, u8 store_hint, u16 min_interval,
9655                          u16 max_interval, u16 latency, u16 timeout)
9656 {
9657         struct mgmt_ev_new_conn_param ev;
9658
9659         if (!hci_is_identity_address(bdaddr, bdaddr_type))
9660                 return;
9661
9662         memset(&ev, 0, sizeof(ev));
9663         bacpy(&ev.addr.bdaddr, bdaddr);
9664         ev.addr.type = link_to_bdaddr(LE_LINK, bdaddr_type);
9665         ev.store_hint = store_hint;
9666         ev.min_interval = cpu_to_le16(min_interval);
9667         ev.max_interval = cpu_to_le16(max_interval);
9668         ev.latency = cpu_to_le16(latency);
9669         ev.timeout = cpu_to_le16(timeout);
9670
9671         mgmt_event(MGMT_EV_NEW_CONN_PARAM, hdev, &ev, sizeof(ev), NULL);
9672 }
9673
9674 void mgmt_device_connected(struct hci_dev *hdev, struct hci_conn *conn,
9675                            u8 *name, u8 name_len)
9676 {
9677         struct sk_buff *skb;
9678         struct mgmt_ev_device_connected *ev;
9679         u16 eir_len = 0;
9680         u32 flags = 0;
9681
9682         /* allocate buff for LE or BR/EDR adv */
9683         if (conn->le_adv_data_len > 0)
9684                 skb = mgmt_alloc_skb(hdev, MGMT_EV_DEVICE_CONNECTED,
9685                                      sizeof(*ev) + conn->le_adv_data_len);
9686         else
9687                 skb = mgmt_alloc_skb(hdev, MGMT_EV_DEVICE_CONNECTED,
9688                                      sizeof(*ev) + (name ? eir_precalc_len(name_len) : 0) +
9689                                      eir_precalc_len(sizeof(conn->dev_class)));
9690
9691         ev = skb_put(skb, sizeof(*ev));
9692         bacpy(&ev->addr.bdaddr, &conn->dst);
9693         ev->addr.type = link_to_bdaddr(conn->type, conn->dst_type);
9694
9695         if (conn->out)
9696                 flags |= MGMT_DEV_FOUND_INITIATED_CONN;
9697
9698         ev->flags = __cpu_to_le32(flags);
9699
9700         /* We must ensure that the EIR Data fields are ordered and
9701          * unique. Keep it simple for now and avoid the problem by not
9702          * adding any BR/EDR data to the LE adv.
9703          */
9704         if (conn->le_adv_data_len > 0) {
9705                 skb_put_data(skb, conn->le_adv_data, conn->le_adv_data_len);
9706                 eir_len = conn->le_adv_data_len;
9707         } else {
9708                 if (name)
9709                         eir_len += eir_skb_put_data(skb, EIR_NAME_COMPLETE, name, name_len);
9710
9711                 if (memcmp(conn->dev_class, "\0\0\0", sizeof(conn->dev_class)))
9712                         eir_len += eir_skb_put_data(skb, EIR_CLASS_OF_DEV,
9713                                                     conn->dev_class, sizeof(conn->dev_class));
9714         }
9715
9716         ev->eir_len = cpu_to_le16(eir_len);
9717
9718         mgmt_event_skb(skb, NULL);
9719 }
9720
9721 static void disconnect_rsp(struct mgmt_pending_cmd *cmd, void *data)
9722 {
9723         struct sock **sk = data;
9724
9725         cmd->cmd_complete(cmd, 0);
9726
9727         *sk = cmd->sk;
9728         sock_hold(*sk);
9729
9730         mgmt_pending_remove(cmd);
9731 }
9732
9733 static void unpair_device_rsp(struct mgmt_pending_cmd *cmd, void *data)
9734 {
9735         struct hci_dev *hdev = data;
9736         struct mgmt_cp_unpair_device *cp = cmd->param;
9737
9738         device_unpaired(hdev, &cp->addr.bdaddr, cp->addr.type, cmd->sk);
9739
9740         cmd->cmd_complete(cmd, 0);
9741         mgmt_pending_remove(cmd);
9742 }
9743
9744 bool mgmt_powering_down(struct hci_dev *hdev)
9745 {
9746         struct mgmt_pending_cmd *cmd;
9747         struct mgmt_mode *cp;
9748
9749         cmd = pending_find(MGMT_OP_SET_POWERED, hdev);
9750         if (!cmd)
9751                 return false;
9752
9753         cp = cmd->param;
9754         if (!cp->val)
9755                 return true;
9756
9757         return false;
9758 }
9759
9760 void mgmt_device_disconnected(struct hci_dev *hdev, bdaddr_t *bdaddr,
9761                               u8 link_type, u8 addr_type, u8 reason,
9762                               bool mgmt_connected)
9763 {
9764         struct mgmt_ev_device_disconnected ev;
9765         struct sock *sk = NULL;
9766
9767         /* The connection is still in hci_conn_hash so test for 1
9768          * instead of 0 to know if this is the last one.
9769          */
9770         if (mgmt_powering_down(hdev) && hci_conn_count(hdev) == 1) {
9771                 cancel_delayed_work(&hdev->power_off);
9772                 queue_work(hdev->req_workqueue, &hdev->power_off.work);
9773         }
9774
9775         if (!mgmt_connected)
9776                 return;
9777
9778         if (link_type != ACL_LINK && link_type != LE_LINK)
9779                 return;
9780
9781         mgmt_pending_foreach(MGMT_OP_DISCONNECT, hdev, disconnect_rsp, &sk);
9782
9783         bacpy(&ev.addr.bdaddr, bdaddr);
9784         ev.addr.type = link_to_bdaddr(link_type, addr_type);
9785         ev.reason = reason;
9786
9787         /* Report disconnects due to suspend */
9788         if (hdev->suspended)
9789                 ev.reason = MGMT_DEV_DISCONN_LOCAL_HOST_SUSPEND;
9790
9791         mgmt_event(MGMT_EV_DEVICE_DISCONNECTED, hdev, &ev, sizeof(ev), sk);
9792
9793         if (sk)
9794                 sock_put(sk);
9795
9796         mgmt_pending_foreach(MGMT_OP_UNPAIR_DEVICE, hdev, unpair_device_rsp,
9797                              hdev);
9798 }
9799
9800 void mgmt_disconnect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr,
9801                             u8 link_type, u8 addr_type, u8 status)
9802 {
9803         u8 bdaddr_type = link_to_bdaddr(link_type, addr_type);
9804         struct mgmt_cp_disconnect *cp;
9805         struct mgmt_pending_cmd *cmd;
9806
9807         mgmt_pending_foreach(MGMT_OP_UNPAIR_DEVICE, hdev, unpair_device_rsp,
9808                              hdev);
9809
9810         cmd = pending_find(MGMT_OP_DISCONNECT, hdev);
9811         if (!cmd)
9812                 return;
9813
9814         cp = cmd->param;
9815
9816         if (bacmp(bdaddr, &cp->addr.bdaddr))
9817                 return;
9818
9819         if (cp->addr.type != bdaddr_type)
9820                 return;
9821
9822         cmd->cmd_complete(cmd, mgmt_status(status));
9823         mgmt_pending_remove(cmd);
9824 }
9825
9826 void mgmt_connect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
9827                          u8 addr_type, u8 status)
9828 {
9829         struct mgmt_ev_connect_failed ev;
9830
9831         /* The connection is still in hci_conn_hash so test for 1
9832          * instead of 0 to know if this is the last one.
9833          */
9834         if (mgmt_powering_down(hdev) && hci_conn_count(hdev) == 1) {
9835                 cancel_delayed_work(&hdev->power_off);
9836                 queue_work(hdev->req_workqueue, &hdev->power_off.work);
9837         }
9838
9839         bacpy(&ev.addr.bdaddr, bdaddr);
9840         ev.addr.type = link_to_bdaddr(link_type, addr_type);
9841         ev.status = mgmt_status(status);
9842
9843         mgmt_event(MGMT_EV_CONNECT_FAILED, hdev, &ev, sizeof(ev), NULL);
9844 }
9845
9846 void mgmt_pin_code_request(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 secure)
9847 {
9848         struct mgmt_ev_pin_code_request ev;
9849
9850         bacpy(&ev.addr.bdaddr, bdaddr);
9851         ev.addr.type = BDADDR_BREDR;
9852         ev.secure = secure;
9853
9854         mgmt_event(MGMT_EV_PIN_CODE_REQUEST, hdev, &ev, sizeof(ev), NULL);
9855 }
9856
9857 void mgmt_pin_code_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9858                                   u8 status)
9859 {
9860         struct mgmt_pending_cmd *cmd;
9861
9862         cmd = pending_find(MGMT_OP_PIN_CODE_REPLY, hdev);
9863         if (!cmd)
9864                 return;
9865
9866         cmd->cmd_complete(cmd, mgmt_status(status));
9867         mgmt_pending_remove(cmd);
9868 }
9869
9870 void mgmt_pin_code_neg_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9871                                       u8 status)
9872 {
9873         struct mgmt_pending_cmd *cmd;
9874
9875         cmd = pending_find(MGMT_OP_PIN_CODE_NEG_REPLY, hdev);
9876         if (!cmd)
9877                 return;
9878
9879         cmd->cmd_complete(cmd, mgmt_status(status));
9880         mgmt_pending_remove(cmd);
9881 }
9882
9883 int mgmt_user_confirm_request(struct hci_dev *hdev, bdaddr_t *bdaddr,
9884                               u8 link_type, u8 addr_type, u32 value,
9885                               u8 confirm_hint)
9886 {
9887         struct mgmt_ev_user_confirm_request ev;
9888
9889         bt_dev_dbg(hdev, "bdaddr %pMR", bdaddr);
9890
9891         bacpy(&ev.addr.bdaddr, bdaddr);
9892         ev.addr.type = link_to_bdaddr(link_type, addr_type);
9893         ev.confirm_hint = confirm_hint;
9894         ev.value = cpu_to_le32(value);
9895
9896         return mgmt_event(MGMT_EV_USER_CONFIRM_REQUEST, hdev, &ev, sizeof(ev),
9897                           NULL);
9898 }
9899
9900 int mgmt_user_passkey_request(struct hci_dev *hdev, bdaddr_t *bdaddr,
9901                               u8 link_type, u8 addr_type)
9902 {
9903         struct mgmt_ev_user_passkey_request ev;
9904
9905         bt_dev_dbg(hdev, "bdaddr %pMR", bdaddr);
9906
9907         bacpy(&ev.addr.bdaddr, bdaddr);
9908         ev.addr.type = link_to_bdaddr(link_type, addr_type);
9909
9910         return mgmt_event(MGMT_EV_USER_PASSKEY_REQUEST, hdev, &ev, sizeof(ev),
9911                           NULL);
9912 }
9913
9914 static int user_pairing_resp_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9915                                       u8 link_type, u8 addr_type, u8 status,
9916                                       u8 opcode)
9917 {
9918         struct mgmt_pending_cmd *cmd;
9919
9920         cmd = pending_find(opcode, hdev);
9921         if (!cmd)
9922                 return -ENOENT;
9923
9924         cmd->cmd_complete(cmd, mgmt_status(status));
9925         mgmt_pending_remove(cmd);
9926
9927         return 0;
9928 }
9929
9930 int mgmt_user_confirm_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9931                                      u8 link_type, u8 addr_type, u8 status)
9932 {
9933         return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
9934                                           status, MGMT_OP_USER_CONFIRM_REPLY);
9935 }
9936
9937 int mgmt_user_confirm_neg_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9938                                          u8 link_type, u8 addr_type, u8 status)
9939 {
9940         return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
9941                                           status,
9942                                           MGMT_OP_USER_CONFIRM_NEG_REPLY);
9943 }
9944
9945 int mgmt_user_passkey_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9946                                      u8 link_type, u8 addr_type, u8 status)
9947 {
9948         return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
9949                                           status, MGMT_OP_USER_PASSKEY_REPLY);
9950 }
9951
9952 int mgmt_user_passkey_neg_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9953                                          u8 link_type, u8 addr_type, u8 status)
9954 {
9955         return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
9956                                           status,
9957                                           MGMT_OP_USER_PASSKEY_NEG_REPLY);
9958 }
9959
9960 int mgmt_user_passkey_notify(struct hci_dev *hdev, bdaddr_t *bdaddr,
9961                              u8 link_type, u8 addr_type, u32 passkey,
9962                              u8 entered)
9963 {
9964         struct mgmt_ev_passkey_notify ev;
9965
9966         bt_dev_dbg(hdev, "bdaddr %pMR", bdaddr);
9967
9968         bacpy(&ev.addr.bdaddr, bdaddr);
9969         ev.addr.type = link_to_bdaddr(link_type, addr_type);
9970         ev.passkey = __cpu_to_le32(passkey);
9971         ev.entered = entered;
9972
9973         return mgmt_event(MGMT_EV_PASSKEY_NOTIFY, hdev, &ev, sizeof(ev), NULL);
9974 }
9975
9976 void mgmt_auth_failed(struct hci_conn *conn, u8 hci_status)
9977 {
9978         struct mgmt_ev_auth_failed ev;
9979         struct mgmt_pending_cmd *cmd;
9980         u8 status = mgmt_status(hci_status);
9981
9982         bacpy(&ev.addr.bdaddr, &conn->dst);
9983         ev.addr.type = link_to_bdaddr(conn->type, conn->dst_type);
9984         ev.status = status;
9985
9986         cmd = find_pairing(conn);
9987
9988         mgmt_event(MGMT_EV_AUTH_FAILED, conn->hdev, &ev, sizeof(ev),
9989                     cmd ? cmd->sk : NULL);
9990
9991         if (cmd) {
9992                 cmd->cmd_complete(cmd, status);
9993                 mgmt_pending_remove(cmd);
9994         }
9995 }
9996
9997 void mgmt_auth_enable_complete(struct hci_dev *hdev, u8 status)
9998 {
9999         struct cmd_lookup match = { NULL, hdev };
10000         bool changed;
10001
10002         if (status) {
10003                 u8 mgmt_err = mgmt_status(status);
10004                 mgmt_pending_foreach(MGMT_OP_SET_LINK_SECURITY, hdev,
10005                                      cmd_status_rsp, &mgmt_err);
10006                 return;
10007         }
10008
10009         if (test_bit(HCI_AUTH, &hdev->flags))
10010                 changed = !hci_dev_test_and_set_flag(hdev, HCI_LINK_SECURITY);
10011         else
10012                 changed = hci_dev_test_and_clear_flag(hdev, HCI_LINK_SECURITY);
10013
10014         mgmt_pending_foreach(MGMT_OP_SET_LINK_SECURITY, hdev, settings_rsp,
10015                              &match);
10016
10017         if (changed)
10018                 new_settings(hdev, match.sk);
10019
10020         if (match.sk)
10021                 sock_put(match.sk);
10022 }
10023
10024 static void sk_lookup(struct mgmt_pending_cmd *cmd, void *data)
10025 {
10026         struct cmd_lookup *match = data;
10027
10028         if (match->sk == NULL) {
10029                 match->sk = cmd->sk;
10030                 sock_hold(match->sk);
10031         }
10032 }
10033
10034 void mgmt_set_class_of_dev_complete(struct hci_dev *hdev, u8 *dev_class,
10035                                     u8 status)
10036 {
10037         struct cmd_lookup match = { NULL, hdev, mgmt_status(status) };
10038
10039         mgmt_pending_foreach(MGMT_OP_SET_DEV_CLASS, hdev, sk_lookup, &match);
10040         mgmt_pending_foreach(MGMT_OP_ADD_UUID, hdev, sk_lookup, &match);
10041         mgmt_pending_foreach(MGMT_OP_REMOVE_UUID, hdev, sk_lookup, &match);
10042
10043         if (!status) {
10044                 mgmt_limited_event(MGMT_EV_CLASS_OF_DEV_CHANGED, hdev, dev_class,
10045                                    3, HCI_MGMT_DEV_CLASS_EVENTS, NULL);
10046                 ext_info_changed(hdev, NULL);
10047         }
10048
10049         if (match.sk)
10050                 sock_put(match.sk);
10051 }
10052
10053 void mgmt_set_local_name_complete(struct hci_dev *hdev, u8 *name, u8 status)
10054 {
10055         struct mgmt_cp_set_local_name ev;
10056         struct mgmt_pending_cmd *cmd;
10057
10058         if (status)
10059                 return;
10060
10061         memset(&ev, 0, sizeof(ev));
10062         memcpy(ev.name, name, HCI_MAX_NAME_LENGTH);
10063         memcpy(ev.short_name, hdev->short_name, HCI_MAX_SHORT_NAME_LENGTH);
10064
10065         cmd = pending_find(MGMT_OP_SET_LOCAL_NAME, hdev);
10066         if (!cmd) {
10067                 memcpy(hdev->dev_name, name, sizeof(hdev->dev_name));
10068
10069                 /* If this is a HCI command related to powering on the
10070                  * HCI dev don't send any mgmt signals.
10071                  */
10072                 if (pending_find(MGMT_OP_SET_POWERED, hdev))
10073                         return;
10074         }
10075
10076         mgmt_limited_event(MGMT_EV_LOCAL_NAME_CHANGED, hdev, &ev, sizeof(ev),
10077                            HCI_MGMT_LOCAL_NAME_EVENTS, cmd ? cmd->sk : NULL);
10078         ext_info_changed(hdev, cmd ? cmd->sk : NULL);
10079 }
10080
10081 static inline bool has_uuid(u8 *uuid, u16 uuid_count, u8 (*uuids)[16])
10082 {
10083         int i;
10084
10085         for (i = 0; i < uuid_count; i++) {
10086                 if (!memcmp(uuid, uuids[i], 16))
10087                         return true;
10088         }
10089
10090         return false;
10091 }
10092
10093 static bool eir_has_uuids(u8 *eir, u16 eir_len, u16 uuid_count, u8 (*uuids)[16])
10094 {
10095         u16 parsed = 0;
10096
10097         while (parsed < eir_len) {
10098                 u8 field_len = eir[0];
10099                 u8 uuid[16];
10100                 int i;
10101
10102                 if (field_len == 0)
10103                         break;
10104
10105                 if (eir_len - parsed < field_len + 1)
10106                         break;
10107
10108                 switch (eir[1]) {
10109                 case EIR_UUID16_ALL:
10110                 case EIR_UUID16_SOME:
10111                         for (i = 0; i + 3 <= field_len; i += 2) {
10112                                 memcpy(uuid, bluetooth_base_uuid, 16);
10113                                 uuid[13] = eir[i + 3];
10114                                 uuid[12] = eir[i + 2];
10115                                 if (has_uuid(uuid, uuid_count, uuids))
10116                                         return true;
10117                         }
10118                         break;
10119                 case EIR_UUID32_ALL:
10120                 case EIR_UUID32_SOME:
10121                         for (i = 0; i + 5 <= field_len; i += 4) {
10122                                 memcpy(uuid, bluetooth_base_uuid, 16);
10123                                 uuid[15] = eir[i + 5];
10124                                 uuid[14] = eir[i + 4];
10125                                 uuid[13] = eir[i + 3];
10126                                 uuid[12] = eir[i + 2];
10127                                 if (has_uuid(uuid, uuid_count, uuids))
10128                                         return true;
10129                         }
10130                         break;
10131                 case EIR_UUID128_ALL:
10132                 case EIR_UUID128_SOME:
10133                         for (i = 0; i + 17 <= field_len; i += 16) {
10134                                 memcpy(uuid, eir + i + 2, 16);
10135                                 if (has_uuid(uuid, uuid_count, uuids))
10136                                         return true;
10137                         }
10138                         break;
10139                 }
10140
10141                 parsed += field_len + 1;
10142                 eir += field_len + 1;
10143         }
10144
10145         return false;
10146 }
10147
10148 static void restart_le_scan(struct hci_dev *hdev)
10149 {
10150         /* If controller is not scanning we are done. */
10151         if (!hci_dev_test_flag(hdev, HCI_LE_SCAN))
10152                 return;
10153
10154         if (time_after(jiffies + DISCOV_LE_RESTART_DELAY,
10155                        hdev->discovery.scan_start +
10156                        hdev->discovery.scan_duration))
10157                 return;
10158
10159         queue_delayed_work(hdev->req_workqueue, &hdev->le_scan_restart,
10160                            DISCOV_LE_RESTART_DELAY);
10161 }
10162
10163 static bool is_filter_match(struct hci_dev *hdev, s8 rssi, u8 *eir,
10164                             u16 eir_len, u8 *scan_rsp, u8 scan_rsp_len)
10165 {
10166         /* If a RSSI threshold has been specified, and
10167          * HCI_QUIRK_STRICT_DUPLICATE_FILTER is not set, then all results with
10168          * a RSSI smaller than the RSSI threshold will be dropped. If the quirk
10169          * is set, let it through for further processing, as we might need to
10170          * restart the scan.
10171          *
10172          * For BR/EDR devices (pre 1.2) providing no RSSI during inquiry,
10173          * the results are also dropped.
10174          */
10175         if (hdev->discovery.rssi != HCI_RSSI_INVALID &&
10176             (rssi == HCI_RSSI_INVALID ||
10177             (rssi < hdev->discovery.rssi &&
10178              !test_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks))))
10179                 return  false;
10180
10181         if (hdev->discovery.uuid_count != 0) {
10182                 /* If a list of UUIDs is provided in filter, results with no
10183                  * matching UUID should be dropped.
10184                  */
10185                 if (!eir_has_uuids(eir, eir_len, hdev->discovery.uuid_count,
10186                                    hdev->discovery.uuids) &&
10187                     !eir_has_uuids(scan_rsp, scan_rsp_len,
10188                                    hdev->discovery.uuid_count,
10189                                    hdev->discovery.uuids))
10190                         return false;
10191         }
10192
10193         /* If duplicate filtering does not report RSSI changes, then restart
10194          * scanning to ensure updated result with updated RSSI values.
10195          */
10196         if (test_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks)) {
10197                 restart_le_scan(hdev);
10198
10199                 /* Validate RSSI value against the RSSI threshold once more. */
10200                 if (hdev->discovery.rssi != HCI_RSSI_INVALID &&
10201                     rssi < hdev->discovery.rssi)
10202                         return false;
10203         }
10204
10205         return true;
10206 }
10207
10208 void mgmt_adv_monitor_device_lost(struct hci_dev *hdev, u16 handle,
10209                                   bdaddr_t *bdaddr, u8 addr_type)
10210 {
10211         struct mgmt_ev_adv_monitor_device_lost ev;
10212
10213         ev.monitor_handle = cpu_to_le16(handle);
10214         bacpy(&ev.addr.bdaddr, bdaddr);
10215         ev.addr.type = addr_type;
10216
10217         mgmt_event(MGMT_EV_ADV_MONITOR_DEVICE_LOST, hdev, &ev, sizeof(ev),
10218                    NULL);
10219 }
10220
10221 static void mgmt_send_adv_monitor_device_found(struct hci_dev *hdev,
10222                                                struct sk_buff *skb,
10223                                                struct sock *skip_sk,
10224                                                u16 handle)
10225 {
10226         struct sk_buff *advmon_skb;
10227         size_t advmon_skb_len;
10228         __le16 *monitor_handle;
10229
10230         if (!skb)
10231                 return;
10232
10233         advmon_skb_len = (sizeof(struct mgmt_ev_adv_monitor_device_found) -
10234                           sizeof(struct mgmt_ev_device_found)) + skb->len;
10235         advmon_skb = mgmt_alloc_skb(hdev, MGMT_EV_ADV_MONITOR_DEVICE_FOUND,
10236                                     advmon_skb_len);
10237         if (!advmon_skb)
10238                 return;
10239
10240         /* ADV_MONITOR_DEVICE_FOUND is similar to DEVICE_FOUND event except
10241          * that it also has 'monitor_handle'. Make a copy of DEVICE_FOUND and
10242          * store monitor_handle of the matched monitor.
10243          */
10244         monitor_handle = skb_put(advmon_skb, sizeof(*monitor_handle));
10245         *monitor_handle = cpu_to_le16(handle);
10246         skb_put_data(advmon_skb, skb->data, skb->len);
10247
10248         mgmt_event_skb(advmon_skb, skip_sk);
10249 }
10250
10251 static void mgmt_adv_monitor_device_found(struct hci_dev *hdev,
10252                                           bdaddr_t *bdaddr, bool report_device,
10253                                           struct sk_buff *skb,
10254                                           struct sock *skip_sk)
10255 {
10256         struct monitored_device *dev, *tmp;
10257         bool matched = false;
10258         bool notified = false;
10259
10260         /* We have received the Advertisement Report because:
10261          * 1. the kernel has initiated active discovery
10262          * 2. if not, we have pend_le_reports > 0 in which case we are doing
10263          *    passive scanning
10264          * 3. if none of the above is true, we have one or more active
10265          *    Advertisement Monitor
10266          *
10267          * For case 1 and 2, report all advertisements via MGMT_EV_DEVICE_FOUND
10268          * and report ONLY one advertisement per device for the matched Monitor
10269          * via MGMT_EV_ADV_MONITOR_DEVICE_FOUND event.
10270          *
10271          * For case 3, since we are not active scanning and all advertisements
10272          * received are due to a matched Advertisement Monitor, report all
10273          * advertisements ONLY via MGMT_EV_ADV_MONITOR_DEVICE_FOUND event.
10274          */
10275         if (report_device && !hdev->advmon_pend_notify) {
10276                 mgmt_event_skb(skb, skip_sk);
10277                 return;
10278         }
10279
10280         hdev->advmon_pend_notify = false;
10281
10282         list_for_each_entry_safe(dev, tmp, &hdev->monitored_devices, list) {
10283                 if (!bacmp(&dev->bdaddr, bdaddr)) {
10284                         matched = true;
10285
10286                         if (!dev->notified) {
10287                                 mgmt_send_adv_monitor_device_found(hdev, skb,
10288                                                                    skip_sk,
10289                                                                    dev->handle);
10290                                 notified = true;
10291                                 dev->notified = true;
10292                         }
10293                 }
10294
10295                 if (!dev->notified)
10296                         hdev->advmon_pend_notify = true;
10297         }
10298
10299         if (!report_device &&
10300             ((matched && !notified) || !msft_monitor_supported(hdev))) {
10301                 /* Handle 0 indicates that we are not active scanning and this
10302                  * is a subsequent advertisement report for an already matched
10303                  * Advertisement Monitor or the controller offloading support
10304                  * is not available.
10305                  */
10306                 mgmt_send_adv_monitor_device_found(hdev, skb, skip_sk, 0);
10307         }
10308
10309         if (report_device)
10310                 mgmt_event_skb(skb, skip_sk);
10311         else
10312                 kfree_skb(skb);
10313 }
10314
10315 static void mesh_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr,
10316                               u8 addr_type, s8 rssi, u32 flags, u8 *eir,
10317                               u16 eir_len, u8 *scan_rsp, u8 scan_rsp_len,
10318                               u64 instant)
10319 {
10320         struct sk_buff *skb;
10321         struct mgmt_ev_mesh_device_found *ev;
10322         int i, j;
10323
10324         if (!hdev->mesh_ad_types[0])
10325                 goto accepted;
10326
10327         /* Scan for requested AD types */
10328         if (eir_len > 0) {
10329                 for (i = 0; i + 1 < eir_len; i += eir[i] + 1) {
10330                         for (j = 0; j < sizeof(hdev->mesh_ad_types); j++) {
10331                                 if (!hdev->mesh_ad_types[j])
10332                                         break;
10333
10334                                 if (hdev->mesh_ad_types[j] == eir[i + 1])
10335                                         goto accepted;
10336                         }
10337                 }
10338         }
10339
10340         if (scan_rsp_len > 0) {
10341                 for (i = 0; i + 1 < scan_rsp_len; i += scan_rsp[i] + 1) {
10342                         for (j = 0; j < sizeof(hdev->mesh_ad_types); j++) {
10343                                 if (!hdev->mesh_ad_types[j])
10344                                         break;
10345
10346                                 if (hdev->mesh_ad_types[j] == scan_rsp[i + 1])
10347                                         goto accepted;
10348                         }
10349                 }
10350         }
10351
10352         return;
10353
10354 accepted:
10355         skb = mgmt_alloc_skb(hdev, MGMT_EV_MESH_DEVICE_FOUND,
10356                              sizeof(*ev) + eir_len + scan_rsp_len);
10357         if (!skb)
10358                 return;
10359
10360         ev = skb_put(skb, sizeof(*ev));
10361
10362         bacpy(&ev->addr.bdaddr, bdaddr);
10363         ev->addr.type = link_to_bdaddr(LE_LINK, addr_type);
10364         ev->rssi = rssi;
10365         ev->flags = cpu_to_le32(flags);
10366         ev->instant = cpu_to_le64(instant);
10367
10368         if (eir_len > 0)
10369                 /* Copy EIR or advertising data into event */
10370                 skb_put_data(skb, eir, eir_len);
10371
10372         if (scan_rsp_len > 0)
10373                 /* Append scan response data to event */
10374                 skb_put_data(skb, scan_rsp, scan_rsp_len);
10375
10376         ev->eir_len = cpu_to_le16(eir_len + scan_rsp_len);
10377
10378         mgmt_event_skb(skb, NULL);
10379 }
10380
10381 void mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
10382                        u8 addr_type, u8 *dev_class, s8 rssi, u32 flags,
10383                        u8 *eir, u16 eir_len, u8 *scan_rsp, u8 scan_rsp_len,
10384                        u64 instant)
10385 {
10386         struct sk_buff *skb;
10387         struct mgmt_ev_device_found *ev;
10388         bool report_device = hci_discovery_active(hdev);
10389
10390         if (hci_dev_test_flag(hdev, HCI_MESH) && link_type == LE_LINK)
10391                 mesh_device_found(hdev, bdaddr, addr_type, rssi, flags,
10392                                   eir, eir_len, scan_rsp, scan_rsp_len,
10393                                   instant);
10394
10395         /* Don't send events for a non-kernel initiated discovery. With
10396          * LE one exception is if we have pend_le_reports > 0 in which
10397          * case we're doing passive scanning and want these events.
10398          */
10399         if (!hci_discovery_active(hdev)) {
10400                 if (link_type == ACL_LINK)
10401                         return;
10402                 if (link_type == LE_LINK && !list_empty(&hdev->pend_le_reports))
10403                         report_device = true;
10404                 else if (!hci_is_adv_monitoring(hdev))
10405                         return;
10406         }
10407
10408         if (hdev->discovery.result_filtering) {
10409                 /* We are using service discovery */
10410                 if (!is_filter_match(hdev, rssi, eir, eir_len, scan_rsp,
10411                                      scan_rsp_len))
10412                         return;
10413         }
10414
10415         if (hdev->discovery.limited) {
10416                 /* Check for limited discoverable bit */
10417                 if (dev_class) {
10418                         if (!(dev_class[1] & 0x20))
10419                                 return;
10420                 } else {
10421                         u8 *flags = eir_get_data(eir, eir_len, EIR_FLAGS, NULL);
10422                         if (!flags || !(flags[0] & LE_AD_LIMITED))
10423                                 return;
10424                 }
10425         }
10426
10427         /* Allocate skb. The 5 extra bytes are for the potential CoD field */
10428         skb = mgmt_alloc_skb(hdev, MGMT_EV_DEVICE_FOUND,
10429                              sizeof(*ev) + eir_len + scan_rsp_len + 5);
10430         if (!skb)
10431                 return;
10432
10433         ev = skb_put(skb, sizeof(*ev));
10434
10435         /* In case of device discovery with BR/EDR devices (pre 1.2), the
10436          * RSSI value was reported as 0 when not available. This behavior
10437          * is kept when using device discovery. This is required for full
10438          * backwards compatibility with the API.
10439          *
10440          * However when using service discovery, the value 127 will be
10441          * returned when the RSSI is not available.
10442          */
10443         if (rssi == HCI_RSSI_INVALID && !hdev->discovery.report_invalid_rssi &&
10444             link_type == ACL_LINK)
10445                 rssi = 0;
10446
10447         bacpy(&ev->addr.bdaddr, bdaddr);
10448         ev->addr.type = link_to_bdaddr(link_type, addr_type);
10449         ev->rssi = rssi;
10450         ev->flags = cpu_to_le32(flags);
10451
10452         if (eir_len > 0)
10453                 /* Copy EIR or advertising data into event */
10454                 skb_put_data(skb, eir, eir_len);
10455
10456         if (dev_class && !eir_get_data(eir, eir_len, EIR_CLASS_OF_DEV, NULL)) {
10457                 u8 eir_cod[5];
10458
10459                 eir_len += eir_append_data(eir_cod, 0, EIR_CLASS_OF_DEV,
10460                                            dev_class, 3);
10461                 skb_put_data(skb, eir_cod, sizeof(eir_cod));
10462         }
10463
10464         if (scan_rsp_len > 0)
10465                 /* Append scan response data to event */
10466                 skb_put_data(skb, scan_rsp, scan_rsp_len);
10467
10468         ev->eir_len = cpu_to_le16(eir_len + scan_rsp_len);
10469
10470         mgmt_adv_monitor_device_found(hdev, bdaddr, report_device, skb, NULL);
10471 }
10472
10473 void mgmt_remote_name(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
10474                       u8 addr_type, s8 rssi, u8 *name, u8 name_len)
10475 {
10476         struct sk_buff *skb;
10477         struct mgmt_ev_device_found *ev;
10478         u16 eir_len = 0;
10479         u32 flags = 0;
10480
10481         skb = mgmt_alloc_skb(hdev, MGMT_EV_DEVICE_FOUND,
10482                              sizeof(*ev) + (name ? eir_precalc_len(name_len) : 0));
10483
10484         ev = skb_put(skb, sizeof(*ev));
10485         bacpy(&ev->addr.bdaddr, bdaddr);
10486         ev->addr.type = link_to_bdaddr(link_type, addr_type);
10487         ev->rssi = rssi;
10488
10489         if (name)
10490                 eir_len += eir_skb_put_data(skb, EIR_NAME_COMPLETE, name, name_len);
10491         else
10492                 flags = MGMT_DEV_FOUND_NAME_REQUEST_FAILED;
10493
10494         ev->eir_len = cpu_to_le16(eir_len);
10495         ev->flags = cpu_to_le32(flags);
10496
10497         mgmt_event_skb(skb, NULL);
10498 }
10499
10500 void mgmt_discovering(struct hci_dev *hdev, u8 discovering)
10501 {
10502         struct mgmt_ev_discovering ev;
10503
10504         bt_dev_dbg(hdev, "discovering %u", discovering);
10505
10506         memset(&ev, 0, sizeof(ev));
10507         ev.type = hdev->discovery.type;
10508         ev.discovering = discovering;
10509
10510         mgmt_event(MGMT_EV_DISCOVERING, hdev, &ev, sizeof(ev), NULL);
10511 }
10512
10513 void mgmt_suspending(struct hci_dev *hdev, u8 state)
10514 {
10515         struct mgmt_ev_controller_suspend ev;
10516
10517         ev.suspend_state = state;
10518         mgmt_event(MGMT_EV_CONTROLLER_SUSPEND, hdev, &ev, sizeof(ev), NULL);
10519 }
10520
10521 void mgmt_resuming(struct hci_dev *hdev, u8 reason, bdaddr_t *bdaddr,
10522                    u8 addr_type)
10523 {
10524         struct mgmt_ev_controller_resume ev;
10525
10526         ev.wake_reason = reason;
10527         if (bdaddr) {
10528                 bacpy(&ev.addr.bdaddr, bdaddr);
10529                 ev.addr.type = addr_type;
10530         } else {
10531                 memset(&ev.addr, 0, sizeof(ev.addr));
10532         }
10533
10534         mgmt_event(MGMT_EV_CONTROLLER_RESUME, hdev, &ev, sizeof(ev), NULL);
10535 }
10536
10537 static struct hci_mgmt_chan chan = {
10538         .channel        = HCI_CHANNEL_CONTROL,
10539         .handler_count  = ARRAY_SIZE(mgmt_handlers),
10540         .handlers       = mgmt_handlers,
10541         .hdev_init      = mgmt_init_hdev,
10542 };
10543
10544 int mgmt_init(void)
10545 {
10546         return hci_mgmt_chan_register(&chan);
10547 }
10548
10549 void mgmt_exit(void)
10550 {
10551         hci_mgmt_chan_unregister(&chan);
10552 }
10553
10554 void mgmt_cleanup(struct sock *sk)
10555 {
10556         struct mgmt_mesh_tx *mesh_tx;
10557         struct hci_dev *hdev;
10558
10559         read_lock(&hci_dev_list_lock);
10560
10561         list_for_each_entry(hdev, &hci_dev_list, list) {
10562                 do {
10563                         mesh_tx = mgmt_mesh_next(hdev, sk);
10564
10565                         if (mesh_tx)
10566                                 mesh_send_complete(hdev, mesh_tx, true);
10567                 } while (mesh_tx);
10568         }
10569
10570         read_unlock(&hci_dev_list_lock);
10571 }