]> Git Repo - linux.git/blob - net/bluetooth/mgmt.c
projects / linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
topology/sysfs: rework book and drawer topology ifdefery
[linux.git] / net / bluetooth / mgmt.c
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3
4    Copyright (C) 2010  Nokia Corporation
5    Copyright (C) 2011-2012 Intel Corporation
6
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License version 2 as
9    published by the Free Software Foundation;
10
11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19
20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22    SOFTWARE IS DISCLAIMED.
23 */
24
25 /* Bluetooth HCI Management interface */
26
27 #include <linux/module.h>
28 #include <asm/unaligned.h>
29
30 #include <net/bluetooth/bluetooth.h>
31 #include <net/bluetooth/hci_core.h>
32 #include <net/bluetooth/hci_sock.h>
33 #include <net/bluetooth/l2cap.h>
34 #include <net/bluetooth/mgmt.h>
35
36 #include "hci_request.h"
37 #include "smp.h"
38 #include "mgmt_util.h"
39 #include "mgmt_config.h"
40 #include "msft.h"
41 #include "eir.h"
42
43 #define MGMT_VERSION    1
44 #define MGMT_REVISION   21
45
46 static const u16 mgmt_commands[] = {
47         MGMT_OP_READ_INDEX_LIST,
48         MGMT_OP_READ_INFO,
49         MGMT_OP_SET_POWERED,
50         MGMT_OP_SET_DISCOVERABLE,
51         MGMT_OP_SET_CONNECTABLE,
52         MGMT_OP_SET_FAST_CONNECTABLE,
53         MGMT_OP_SET_BONDABLE,
54         MGMT_OP_SET_LINK_SECURITY,
55         MGMT_OP_SET_SSP,
56         MGMT_OP_SET_HS,
57         MGMT_OP_SET_LE,
58         MGMT_OP_SET_DEV_CLASS,
59         MGMT_OP_SET_LOCAL_NAME,
60         MGMT_OP_ADD_UUID,
61         MGMT_OP_REMOVE_UUID,
62         MGMT_OP_LOAD_LINK_KEYS,
63         MGMT_OP_LOAD_LONG_TERM_KEYS,
64         MGMT_OP_DISCONNECT,
65         MGMT_OP_GET_CONNECTIONS,
66         MGMT_OP_PIN_CODE_REPLY,
67         MGMT_OP_PIN_CODE_NEG_REPLY,
68         MGMT_OP_SET_IO_CAPABILITY,
69         MGMT_OP_PAIR_DEVICE,
70         MGMT_OP_CANCEL_PAIR_DEVICE,
71         MGMT_OP_UNPAIR_DEVICE,
72         MGMT_OP_USER_CONFIRM_REPLY,
73         MGMT_OP_USER_CONFIRM_NEG_REPLY,
74         MGMT_OP_USER_PASSKEY_REPLY,
75         MGMT_OP_USER_PASSKEY_NEG_REPLY,
76         MGMT_OP_READ_LOCAL_OOB_DATA,
77         MGMT_OP_ADD_REMOTE_OOB_DATA,
78         MGMT_OP_REMOVE_REMOTE_OOB_DATA,
79         MGMT_OP_START_DISCOVERY,
80         MGMT_OP_STOP_DISCOVERY,
81         MGMT_OP_CONFIRM_NAME,
82         MGMT_OP_BLOCK_DEVICE,
83         MGMT_OP_UNBLOCK_DEVICE,
84         MGMT_OP_SET_DEVICE_ID,
85         MGMT_OP_SET_ADVERTISING,
86         MGMT_OP_SET_BREDR,
87         MGMT_OP_SET_STATIC_ADDRESS,
88         MGMT_OP_SET_SCAN_PARAMS,
89         MGMT_OP_SET_SECURE_CONN,
90         MGMT_OP_SET_DEBUG_KEYS,
91         MGMT_OP_SET_PRIVACY,
92         MGMT_OP_LOAD_IRKS,
93         MGMT_OP_GET_CONN_INFO,
94         MGMT_OP_GET_CLOCK_INFO,
95         MGMT_OP_ADD_DEVICE,
96         MGMT_OP_REMOVE_DEVICE,
97         MGMT_OP_LOAD_CONN_PARAM,
98         MGMT_OP_READ_UNCONF_INDEX_LIST,
99         MGMT_OP_READ_CONFIG_INFO,
100         MGMT_OP_SET_EXTERNAL_CONFIG,
101         MGMT_OP_SET_PUBLIC_ADDRESS,
102         MGMT_OP_START_SERVICE_DISCOVERY,
103         MGMT_OP_READ_LOCAL_OOB_EXT_DATA,
104         MGMT_OP_READ_EXT_INDEX_LIST,
105         MGMT_OP_READ_ADV_FEATURES,
106         MGMT_OP_ADD_ADVERTISING,
107         MGMT_OP_REMOVE_ADVERTISING,
108         MGMT_OP_GET_ADV_SIZE_INFO,
109         MGMT_OP_START_LIMITED_DISCOVERY,
110         MGMT_OP_READ_EXT_INFO,
111         MGMT_OP_SET_APPEARANCE,
112         MGMT_OP_GET_PHY_CONFIGURATION,
113         MGMT_OP_SET_PHY_CONFIGURATION,
114         MGMT_OP_SET_BLOCKED_KEYS,
115         MGMT_OP_SET_WIDEBAND_SPEECH,
116         MGMT_OP_READ_CONTROLLER_CAP,
117         MGMT_OP_READ_EXP_FEATURES_INFO,
118         MGMT_OP_SET_EXP_FEATURE,
119         MGMT_OP_READ_DEF_SYSTEM_CONFIG,
120         MGMT_OP_SET_DEF_SYSTEM_CONFIG,
121         MGMT_OP_READ_DEF_RUNTIME_CONFIG,
122         MGMT_OP_SET_DEF_RUNTIME_CONFIG,
123         MGMT_OP_GET_DEVICE_FLAGS,
124         MGMT_OP_SET_DEVICE_FLAGS,
125         MGMT_OP_READ_ADV_MONITOR_FEATURES,
126         MGMT_OP_ADD_ADV_PATTERNS_MONITOR,
127         MGMT_OP_REMOVE_ADV_MONITOR,
128         MGMT_OP_ADD_EXT_ADV_PARAMS,
129         MGMT_OP_ADD_EXT_ADV_DATA,
130         MGMT_OP_ADD_ADV_PATTERNS_MONITOR_RSSI,
131 };
132
133 static const u16 mgmt_events[] = {
134         MGMT_EV_CONTROLLER_ERROR,
135         MGMT_EV_INDEX_ADDED,
136         MGMT_EV_INDEX_REMOVED,
137         MGMT_EV_NEW_SETTINGS,
138         MGMT_EV_CLASS_OF_DEV_CHANGED,
139         MGMT_EV_LOCAL_NAME_CHANGED,
140         MGMT_EV_NEW_LINK_KEY,
141         MGMT_EV_NEW_LONG_TERM_KEY,
142         MGMT_EV_DEVICE_CONNECTED,
143         MGMT_EV_DEVICE_DISCONNECTED,
144         MGMT_EV_CONNECT_FAILED,
145         MGMT_EV_PIN_CODE_REQUEST,
146         MGMT_EV_USER_CONFIRM_REQUEST,
147         MGMT_EV_USER_PASSKEY_REQUEST,
148         MGMT_EV_AUTH_FAILED,
149         MGMT_EV_DEVICE_FOUND,
150         MGMT_EV_DISCOVERING,
151         MGMT_EV_DEVICE_BLOCKED,
152         MGMT_EV_DEVICE_UNBLOCKED,
153         MGMT_EV_DEVICE_UNPAIRED,
154         MGMT_EV_PASSKEY_NOTIFY,
155         MGMT_EV_NEW_IRK,
156         MGMT_EV_NEW_CSRK,
157         MGMT_EV_DEVICE_ADDED,
158         MGMT_EV_DEVICE_REMOVED,
159         MGMT_EV_NEW_CONN_PARAM,
160         MGMT_EV_UNCONF_INDEX_ADDED,
161         MGMT_EV_UNCONF_INDEX_REMOVED,
162         MGMT_EV_NEW_CONFIG_OPTIONS,
163         MGMT_EV_EXT_INDEX_ADDED,
164         MGMT_EV_EXT_INDEX_REMOVED,
165         MGMT_EV_LOCAL_OOB_DATA_UPDATED,
166         MGMT_EV_ADVERTISING_ADDED,
167         MGMT_EV_ADVERTISING_REMOVED,
168         MGMT_EV_EXT_INFO_CHANGED,
169         MGMT_EV_PHY_CONFIGURATION_CHANGED,
170         MGMT_EV_EXP_FEATURE_CHANGED,
171         MGMT_EV_DEVICE_FLAGS_CHANGED,
172         MGMT_EV_ADV_MONITOR_ADDED,
173         MGMT_EV_ADV_MONITOR_REMOVED,
174         MGMT_EV_CONTROLLER_SUSPEND,
175         MGMT_EV_CONTROLLER_RESUME,
176 };
177
178 static const u16 mgmt_untrusted_commands[] = {
179         MGMT_OP_READ_INDEX_LIST,
180         MGMT_OP_READ_INFO,
181         MGMT_OP_READ_UNCONF_INDEX_LIST,
182         MGMT_OP_READ_CONFIG_INFO,
183         MGMT_OP_READ_EXT_INDEX_LIST,
184         MGMT_OP_READ_EXT_INFO,
185         MGMT_OP_READ_CONTROLLER_CAP,
186         MGMT_OP_READ_EXP_FEATURES_INFO,
187         MGMT_OP_READ_DEF_SYSTEM_CONFIG,
188         MGMT_OP_READ_DEF_RUNTIME_CONFIG,
189 };
190
191 static const u16 mgmt_untrusted_events[] = {
192         MGMT_EV_INDEX_ADDED,
193         MGMT_EV_INDEX_REMOVED,
194         MGMT_EV_NEW_SETTINGS,
195         MGMT_EV_CLASS_OF_DEV_CHANGED,
196         MGMT_EV_LOCAL_NAME_CHANGED,
197         MGMT_EV_UNCONF_INDEX_ADDED,
198         MGMT_EV_UNCONF_INDEX_REMOVED,
199         MGMT_EV_NEW_CONFIG_OPTIONS,
200         MGMT_EV_EXT_INDEX_ADDED,
201         MGMT_EV_EXT_INDEX_REMOVED,
202         MGMT_EV_EXT_INFO_CHANGED,
203         MGMT_EV_EXP_FEATURE_CHANGED,
204 };
205
206 #define CACHE_TIMEOUT   msecs_to_jiffies(2 * 1000)
207
208 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
209                  "\x00\x00\x00\x00\x00\x00\x00\x00"
210
211 /* HCI to MGMT error code conversion table */
212 static const u8 mgmt_status_table[] = {
213         MGMT_STATUS_SUCCESS,
214         MGMT_STATUS_UNKNOWN_COMMAND,    /* Unknown Command */
215         MGMT_STATUS_NOT_CONNECTED,      /* No Connection */
216         MGMT_STATUS_FAILED,             /* Hardware Failure */
217         MGMT_STATUS_CONNECT_FAILED,     /* Page Timeout */
218         MGMT_STATUS_AUTH_FAILED,        /* Authentication Failed */
219         MGMT_STATUS_AUTH_FAILED,        /* PIN or Key Missing */
220         MGMT_STATUS_NO_RESOURCES,       /* Memory Full */
221         MGMT_STATUS_TIMEOUT,            /* Connection Timeout */
222         MGMT_STATUS_NO_RESOURCES,       /* Max Number of Connections */
223         MGMT_STATUS_NO_RESOURCES,       /* Max Number of SCO Connections */
224         MGMT_STATUS_ALREADY_CONNECTED,  /* ACL Connection Exists */
225         MGMT_STATUS_BUSY,               /* Command Disallowed */
226         MGMT_STATUS_NO_RESOURCES,       /* Rejected Limited Resources */
227         MGMT_STATUS_REJECTED,           /* Rejected Security */
228         MGMT_STATUS_REJECTED,           /* Rejected Personal */
229         MGMT_STATUS_TIMEOUT,            /* Host Timeout */
230         MGMT_STATUS_NOT_SUPPORTED,      /* Unsupported Feature */
231         MGMT_STATUS_INVALID_PARAMS,     /* Invalid Parameters */
232         MGMT_STATUS_DISCONNECTED,       /* OE User Ended Connection */
233         MGMT_STATUS_NO_RESOURCES,       /* OE Low Resources */
234         MGMT_STATUS_DISCONNECTED,       /* OE Power Off */
235         MGMT_STATUS_DISCONNECTED,       /* Connection Terminated */
236         MGMT_STATUS_BUSY,               /* Repeated Attempts */
237         MGMT_STATUS_REJECTED,           /* Pairing Not Allowed */
238         MGMT_STATUS_FAILED,             /* Unknown LMP PDU */
239         MGMT_STATUS_NOT_SUPPORTED,      /* Unsupported Remote Feature */
240         MGMT_STATUS_REJECTED,           /* SCO Offset Rejected */
241         MGMT_STATUS_REJECTED,           /* SCO Interval Rejected */
242         MGMT_STATUS_REJECTED,           /* Air Mode Rejected */
243         MGMT_STATUS_INVALID_PARAMS,     /* Invalid LMP Parameters */
244         MGMT_STATUS_FAILED,             /* Unspecified Error */
245         MGMT_STATUS_NOT_SUPPORTED,      /* Unsupported LMP Parameter Value */
246         MGMT_STATUS_FAILED,             /* Role Change Not Allowed */
247         MGMT_STATUS_TIMEOUT,            /* LMP Response Timeout */
248         MGMT_STATUS_FAILED,             /* LMP Error Transaction Collision */
249         MGMT_STATUS_FAILED,             /* LMP PDU Not Allowed */
250         MGMT_STATUS_REJECTED,           /* Encryption Mode Not Accepted */
251         MGMT_STATUS_FAILED,             /* Unit Link Key Used */
252         MGMT_STATUS_NOT_SUPPORTED,      /* QoS Not Supported */
253         MGMT_STATUS_TIMEOUT,            /* Instant Passed */
254         MGMT_STATUS_NOT_SUPPORTED,      /* Pairing Not Supported */
255         MGMT_STATUS_FAILED,             /* Transaction Collision */
256         MGMT_STATUS_FAILED,             /* Reserved for future use */
257         MGMT_STATUS_INVALID_PARAMS,     /* Unacceptable Parameter */
258         MGMT_STATUS_REJECTED,           /* QoS Rejected */
259         MGMT_STATUS_NOT_SUPPORTED,      /* Classification Not Supported */
260         MGMT_STATUS_REJECTED,           /* Insufficient Security */
261         MGMT_STATUS_INVALID_PARAMS,     /* Parameter Out Of Range */
262         MGMT_STATUS_FAILED,             /* Reserved for future use */
263         MGMT_STATUS_BUSY,               /* Role Switch Pending */
264         MGMT_STATUS_FAILED,             /* Reserved for future use */
265         MGMT_STATUS_FAILED,             /* Slot Violation */
266         MGMT_STATUS_FAILED,             /* Role Switch Failed */
267         MGMT_STATUS_INVALID_PARAMS,     /* EIR Too Large */
268         MGMT_STATUS_NOT_SUPPORTED,      /* Simple Pairing Not Supported */
269         MGMT_STATUS_BUSY,               /* Host Busy Pairing */
270         MGMT_STATUS_REJECTED,           /* Rejected, No Suitable Channel */
271         MGMT_STATUS_BUSY,               /* Controller Busy */
272         MGMT_STATUS_INVALID_PARAMS,     /* Unsuitable Connection Interval */
273         MGMT_STATUS_TIMEOUT,            /* Directed Advertising Timeout */
274         MGMT_STATUS_AUTH_FAILED,        /* Terminated Due to MIC Failure */
275         MGMT_STATUS_CONNECT_FAILED,     /* Connection Establishment Failed */
276         MGMT_STATUS_CONNECT_FAILED,     /* MAC Connection Failed */
277 };
278
279 static u8 mgmt_status(u8 hci_status)
280 {
281         if (hci_status < ARRAY_SIZE(mgmt_status_table))
282                 return mgmt_status_table[hci_status];
283
284         return MGMT_STATUS_FAILED;
285 }
286
287 static int mgmt_index_event(u16 event, struct hci_dev *hdev, void *data,
288                             u16 len, int flag)
289 {
290         return mgmt_send_event(event, hdev, HCI_CHANNEL_CONTROL, data, len,
291                                flag, NULL);
292 }
293
294 static int mgmt_limited_event(u16 event, struct hci_dev *hdev, void *data,
295                               u16 len, int flag, struct sock *skip_sk)
296 {
297         return mgmt_send_event(event, hdev, HCI_CHANNEL_CONTROL, data, len,
298                                flag, skip_sk);
299 }
300
301 static int mgmt_event(u16 event, struct hci_dev *hdev, void *data, u16 len,
302                       struct sock *skip_sk)
303 {
304         return mgmt_send_event(event, hdev, HCI_CHANNEL_CONTROL, data, len,
305                                HCI_SOCK_TRUSTED, skip_sk);
306 }
307
308 static u8 le_addr_type(u8 mgmt_addr_type)
309 {
310         if (mgmt_addr_type == BDADDR_LE_PUBLIC)
311                 return ADDR_LE_DEV_PUBLIC;
312         else
313                 return ADDR_LE_DEV_RANDOM;
314 }
315
316 void mgmt_fill_version_info(void *ver)
317 {
318         struct mgmt_rp_read_version *rp = ver;
319
320         rp->version = MGMT_VERSION;
321         rp->revision = cpu_to_le16(MGMT_REVISION);
322 }
323
324 static int read_version(struct sock *sk, struct hci_dev *hdev, void *data,
325                         u16 data_len)
326 {
327         struct mgmt_rp_read_version rp;
328
329         bt_dev_dbg(hdev, "sock %p", sk);
330
331         mgmt_fill_version_info(&rp);
332
333         return mgmt_cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_VERSION, 0,
334                                  &rp, sizeof(rp));
335 }
336
337 static int read_commands(struct sock *sk, struct hci_dev *hdev, void *data,
338                          u16 data_len)
339 {
340         struct mgmt_rp_read_commands *rp;
341         u16 num_commands, num_events;
342         size_t rp_size;
343         int i, err;
344
345         bt_dev_dbg(hdev, "sock %p", sk);
346
347         if (hci_sock_test_flag(sk, HCI_SOCK_TRUSTED)) {
348                 num_commands = ARRAY_SIZE(mgmt_commands);
349                 num_events = ARRAY_SIZE(mgmt_events);
350         } else {
351                 num_commands = ARRAY_SIZE(mgmt_untrusted_commands);
352                 num_events = ARRAY_SIZE(mgmt_untrusted_events);
353         }
354
355         rp_size = sizeof(*rp) + ((num_commands + num_events) * sizeof(u16));
356
357         rp = kmalloc(rp_size, GFP_KERNEL);
358         if (!rp)
359                 return -ENOMEM;
360
361         rp->num_commands = cpu_to_le16(num_commands);
362         rp->num_events = cpu_to_le16(num_events);
363
364         if (hci_sock_test_flag(sk, HCI_SOCK_TRUSTED)) {
365                 __le16 *opcode = rp->opcodes;
366
367                 for (i = 0; i < num_commands; i++, opcode++)
368                         put_unaligned_le16(mgmt_commands[i], opcode);
369
370                 for (i = 0; i < num_events; i++, opcode++)
371                         put_unaligned_le16(mgmt_events[i], opcode);
372         } else {
373                 __le16 *opcode = rp->opcodes;
374
375                 for (i = 0; i < num_commands; i++, opcode++)
376                         put_unaligned_le16(mgmt_untrusted_commands[i], opcode);
377
378                 for (i = 0; i < num_events; i++, opcode++)
379                         put_unaligned_le16(mgmt_untrusted_events[i], opcode);
380         }
381
382         err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_COMMANDS, 0,
383                                 rp, rp_size);
384         kfree(rp);
385
386         return err;
387 }
388
389 static int read_index_list(struct sock *sk, struct hci_dev *hdev, void *data,
390                            u16 data_len)
391 {
392         struct mgmt_rp_read_index_list *rp;
393         struct hci_dev *d;
394         size_t rp_len;
395         u16 count;
396         int err;
397
398         bt_dev_dbg(hdev, "sock %p", sk);
399
400         read_lock(&hci_dev_list_lock);
401
402         count = 0;
403         list_for_each_entry(d, &hci_dev_list, list) {
404                 if (d->dev_type == HCI_PRIMARY &&
405                     !hci_dev_test_flag(d, HCI_UNCONFIGURED))
406                         count++;
407         }
408
409         rp_len = sizeof(*rp) + (2 * count);
410         rp = kmalloc(rp_len, GFP_ATOMIC);
411         if (!rp) {
412                 read_unlock(&hci_dev_list_lock);
413                 return -ENOMEM;
414         }
415
416         count = 0;
417         list_for_each_entry(d, &hci_dev_list, list) {
418                 if (hci_dev_test_flag(d, HCI_SETUP) ||
419                     hci_dev_test_flag(d, HCI_CONFIG) ||
420                     hci_dev_test_flag(d, HCI_USER_CHANNEL))
421                         continue;
422
423                 /* Devices marked as raw-only are neither configured
424                  * nor unconfigured controllers.
425                  */
426                 if (test_bit(HCI_QUIRK_RAW_DEVICE, &d->quirks))
427                         continue;
428
429                 if (d->dev_type == HCI_PRIMARY &&
430                     !hci_dev_test_flag(d, HCI_UNCONFIGURED)) {
431                         rp->index[count++] = cpu_to_le16(d->id);
432                         bt_dev_dbg(hdev, "Added hci%u", d->id);
433                 }
434         }
435
436         rp->num_controllers = cpu_to_le16(count);
437         rp_len = sizeof(*rp) + (2 * count);
438
439         read_unlock(&hci_dev_list_lock);
440
441         err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_INDEX_LIST,
442                                 0, rp, rp_len);
443
444         kfree(rp);
445
446         return err;
447 }
448
449 static int read_unconf_index_list(struct sock *sk, struct hci_dev *hdev,
450                                   void *data, u16 data_len)
451 {
452         struct mgmt_rp_read_unconf_index_list *rp;
453         struct hci_dev *d;
454         size_t rp_len;
455         u16 count;
456         int err;
457
458         bt_dev_dbg(hdev, "sock %p", sk);
459
460         read_lock(&hci_dev_list_lock);
461
462         count = 0;
463         list_for_each_entry(d, &hci_dev_list, list) {
464                 if (d->dev_type == HCI_PRIMARY &&
465                     hci_dev_test_flag(d, HCI_UNCONFIGURED))
466                         count++;
467         }
468
469         rp_len = sizeof(*rp) + (2 * count);
470         rp = kmalloc(rp_len, GFP_ATOMIC);
471         if (!rp) {
472                 read_unlock(&hci_dev_list_lock);
473                 return -ENOMEM;
474         }
475
476         count = 0;
477         list_for_each_entry(d, &hci_dev_list, list) {
478                 if (hci_dev_test_flag(d, HCI_SETUP) ||
479                     hci_dev_test_flag(d, HCI_CONFIG) ||
480                     hci_dev_test_flag(d, HCI_USER_CHANNEL))
481                         continue;
482
483                 /* Devices marked as raw-only are neither configured
484                  * nor unconfigured controllers.
485                  */
486                 if (test_bit(HCI_QUIRK_RAW_DEVICE, &d->quirks))
487                         continue;
488
489                 if (d->dev_type == HCI_PRIMARY &&
490                     hci_dev_test_flag(d, HCI_UNCONFIGURED)) {
491                         rp->index[count++] = cpu_to_le16(d->id);
492                         bt_dev_dbg(hdev, "Added hci%u", d->id);
493                 }
494         }
495
496         rp->num_controllers = cpu_to_le16(count);
497         rp_len = sizeof(*rp) + (2 * count);
498
499         read_unlock(&hci_dev_list_lock);
500
501         err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE,
502                                 MGMT_OP_READ_UNCONF_INDEX_LIST, 0, rp, rp_len);
503
504         kfree(rp);
505
506         return err;
507 }
508
509 static int read_ext_index_list(struct sock *sk, struct hci_dev *hdev,
510                                void *data, u16 data_len)
511 {
512         struct mgmt_rp_read_ext_index_list *rp;
513         struct hci_dev *d;
514         u16 count;
515         int err;
516
517         bt_dev_dbg(hdev, "sock %p", sk);
518
519         read_lock(&hci_dev_list_lock);
520
521         count = 0;
522         list_for_each_entry(d, &hci_dev_list, list) {
523                 if (d->dev_type == HCI_PRIMARY || d->dev_type == HCI_AMP)
524                         count++;
525         }
526
527         rp = kmalloc(struct_size(rp, entry, count), GFP_ATOMIC);
528         if (!rp) {
529                 read_unlock(&hci_dev_list_lock);
530                 return -ENOMEM;
531         }
532
533         count = 0;
534         list_for_each_entry(d, &hci_dev_list, list) {
535                 if (hci_dev_test_flag(d, HCI_SETUP) ||
536                     hci_dev_test_flag(d, HCI_CONFIG) ||
537                     hci_dev_test_flag(d, HCI_USER_CHANNEL))
538                         continue;
539
540                 /* Devices marked as raw-only are neither configured
541                  * nor unconfigured controllers.
542                  */
543                 if (test_bit(HCI_QUIRK_RAW_DEVICE, &d->quirks))
544                         continue;
545
546                 if (d->dev_type == HCI_PRIMARY) {
547                         if (hci_dev_test_flag(d, HCI_UNCONFIGURED))
548                                 rp->entry[count].type = 0x01;
549                         else
550                                 rp->entry[count].type = 0x00;
551                 } else if (d->dev_type == HCI_AMP) {
552                         rp->entry[count].type = 0x02;
553                 } else {
554                         continue;
555                 }
556
557                 rp->entry[count].bus = d->bus;
558                 rp->entry[count++].index = cpu_to_le16(d->id);
559                 bt_dev_dbg(hdev, "Added hci%u", d->id);
560         }
561
562         rp->num_controllers = cpu_to_le16(count);
563
564         read_unlock(&hci_dev_list_lock);
565
566         /* If this command is called at least once, then all the
567          * default index and unconfigured index events are disabled
568          * and from now on only extended index events are used.
569          */
570         hci_sock_set_flag(sk, HCI_MGMT_EXT_INDEX_EVENTS);
571         hci_sock_clear_flag(sk, HCI_MGMT_INDEX_EVENTS);
572         hci_sock_clear_flag(sk, HCI_MGMT_UNCONF_INDEX_EVENTS);
573
574         err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE,
575                                 MGMT_OP_READ_EXT_INDEX_LIST, 0, rp,
576                                 struct_size(rp, entry, count));
577
578         kfree(rp);
579
580         return err;
581 }
582
583 static bool is_configured(struct hci_dev *hdev)
584 {
585         if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) &&
586             !hci_dev_test_flag(hdev, HCI_EXT_CONFIGURED))
587                 return false;
588
589         if ((test_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks) ||
590              test_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks)) &&
591             !bacmp(&hdev->public_addr, BDADDR_ANY))
592                 return false;
593
594         return true;
595 }
596
597 static __le32 get_missing_options(struct hci_dev *hdev)
598 {
599         u32 options = 0;
600
601         if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) &&
602             !hci_dev_test_flag(hdev, HCI_EXT_CONFIGURED))
603                 options |= MGMT_OPTION_EXTERNAL_CONFIG;
604
605         if ((test_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks) ||
606              test_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks)) &&
607             !bacmp(&hdev->public_addr, BDADDR_ANY))
608                 options |= MGMT_OPTION_PUBLIC_ADDRESS;
609
610         return cpu_to_le32(options);
611 }
612
613 static int new_options(struct hci_dev *hdev, struct sock *skip)
614 {
615         __le32 options = get_missing_options(hdev);
616
617         return mgmt_limited_event(MGMT_EV_NEW_CONFIG_OPTIONS, hdev, &options,
618                                   sizeof(options), HCI_MGMT_OPTION_EVENTS, skip);
619 }
620
621 static int send_options_rsp(struct sock *sk, u16 opcode, struct hci_dev *hdev)
622 {
623         __le32 options = get_missing_options(hdev);
624
625         return mgmt_cmd_complete(sk, hdev->id, opcode, 0, &options,
626                                  sizeof(options));
627 }
628
629 static int read_config_info(struct sock *sk, struct hci_dev *hdev,
630                             void *data, u16 data_len)
631 {
632         struct mgmt_rp_read_config_info rp;
633         u32 options = 0;
634
635         bt_dev_dbg(hdev, "sock %p", sk);
636
637         hci_dev_lock(hdev);
638
639         memset(&rp, 0, sizeof(rp));
640         rp.manufacturer = cpu_to_le16(hdev->manufacturer);
641
642         if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks))
643                 options |= MGMT_OPTION_EXTERNAL_CONFIG;
644
645         if (hdev->set_bdaddr)
646                 options |= MGMT_OPTION_PUBLIC_ADDRESS;
647
648         rp.supported_options = cpu_to_le32(options);
649         rp.missing_options = get_missing_options(hdev);
650
651         hci_dev_unlock(hdev);
652
653         return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_CONFIG_INFO, 0,
654                                  &rp, sizeof(rp));
655 }
656
657 static u32 get_supported_phys(struct hci_dev *hdev)
658 {
659         u32 supported_phys = 0;
660
661         if (lmp_bredr_capable(hdev)) {
662                 supported_phys |= MGMT_PHY_BR_1M_1SLOT;
663
664                 if (hdev->features[0][0] & LMP_3SLOT)
665                         supported_phys |= MGMT_PHY_BR_1M_3SLOT;
666
667                 if (hdev->features[0][0] & LMP_5SLOT)
668                         supported_phys |= MGMT_PHY_BR_1M_5SLOT;
669
670                 if (lmp_edr_2m_capable(hdev)) {
671                         supported_phys |= MGMT_PHY_EDR_2M_1SLOT;
672
673                         if (lmp_edr_3slot_capable(hdev))
674                                 supported_phys |= MGMT_PHY_EDR_2M_3SLOT;
675
676                         if (lmp_edr_5slot_capable(hdev))
677                                 supported_phys |= MGMT_PHY_EDR_2M_5SLOT;
678
679                         if (lmp_edr_3m_capable(hdev)) {
680                                 supported_phys |= MGMT_PHY_EDR_3M_1SLOT;
681
682                                 if (lmp_edr_3slot_capable(hdev))
683                                         supported_phys |= MGMT_PHY_EDR_3M_3SLOT;
684
685                                 if (lmp_edr_5slot_capable(hdev))
686                                         supported_phys |= MGMT_PHY_EDR_3M_5SLOT;
687                         }
688                 }
689         }
690
691         if (lmp_le_capable(hdev)) {
692                 supported_phys |= MGMT_PHY_LE_1M_TX;
693                 supported_phys |= MGMT_PHY_LE_1M_RX;
694
695                 if (hdev->le_features[1] & HCI_LE_PHY_2M) {
696                         supported_phys |= MGMT_PHY_LE_2M_TX;
697                         supported_phys |= MGMT_PHY_LE_2M_RX;
698                 }
699
700                 if (hdev->le_features[1] & HCI_LE_PHY_CODED) {
701                         supported_phys |= MGMT_PHY_LE_CODED_TX;
702                         supported_phys |= MGMT_PHY_LE_CODED_RX;
703                 }
704         }
705
706         return supported_phys;
707 }
708
709 static u32 get_selected_phys(struct hci_dev *hdev)
710 {
711         u32 selected_phys = 0;
712
713         if (lmp_bredr_capable(hdev)) {
714                 selected_phys |= MGMT_PHY_BR_1M_1SLOT;
715
716                 if (hdev->pkt_type & (HCI_DM3 | HCI_DH3))
717                         selected_phys |= MGMT_PHY_BR_1M_3SLOT;
718
719                 if (hdev->pkt_type & (HCI_DM5 | HCI_DH5))
720                         selected_phys |= MGMT_PHY_BR_1M_5SLOT;
721
722                 if (lmp_edr_2m_capable(hdev)) {
723                         if (!(hdev->pkt_type & HCI_2DH1))
724                                 selected_phys |= MGMT_PHY_EDR_2M_1SLOT;
725
726                         if (lmp_edr_3slot_capable(hdev) &&
727                             !(hdev->pkt_type & HCI_2DH3))
728                                 selected_phys |= MGMT_PHY_EDR_2M_3SLOT;
729
730                         if (lmp_edr_5slot_capable(hdev) &&
731                             !(hdev->pkt_type & HCI_2DH5))
732                                 selected_phys |= MGMT_PHY_EDR_2M_5SLOT;
733
734                         if (lmp_edr_3m_capable(hdev)) {
735                                 if (!(hdev->pkt_type & HCI_3DH1))
736                                         selected_phys |= MGMT_PHY_EDR_3M_1SLOT;
737
738                                 if (lmp_edr_3slot_capable(hdev) &&
739                                     !(hdev->pkt_type & HCI_3DH3))
740                                         selected_phys |= MGMT_PHY_EDR_3M_3SLOT;
741
742                                 if (lmp_edr_5slot_capable(hdev) &&
743                                     !(hdev->pkt_type & HCI_3DH5))
744                                         selected_phys |= MGMT_PHY_EDR_3M_5SLOT;
745                         }
746                 }
747         }
748
749         if (lmp_le_capable(hdev)) {
750                 if (hdev->le_tx_def_phys & HCI_LE_SET_PHY_1M)
751                         selected_phys |= MGMT_PHY_LE_1M_TX;
752
753                 if (hdev->le_rx_def_phys & HCI_LE_SET_PHY_1M)
754                         selected_phys |= MGMT_PHY_LE_1M_RX;
755
756                 if (hdev->le_tx_def_phys & HCI_LE_SET_PHY_2M)
757                         selected_phys |= MGMT_PHY_LE_2M_TX;
758
759                 if (hdev->le_rx_def_phys & HCI_LE_SET_PHY_2M)
760                         selected_phys |= MGMT_PHY_LE_2M_RX;
761
762                 if (hdev->le_tx_def_phys & HCI_LE_SET_PHY_CODED)
763                         selected_phys |= MGMT_PHY_LE_CODED_TX;
764
765                 if (hdev->le_rx_def_phys & HCI_LE_SET_PHY_CODED)
766                         selected_phys |= MGMT_PHY_LE_CODED_RX;
767         }
768
769         return selected_phys;
770 }
771
772 static u32 get_configurable_phys(struct hci_dev *hdev)
773 {
774         return (get_supported_phys(hdev) & ~MGMT_PHY_BR_1M_1SLOT &
775                 ~MGMT_PHY_LE_1M_TX & ~MGMT_PHY_LE_1M_RX);
776 }
777
778 static u32 get_supported_settings(struct hci_dev *hdev)
779 {
780         u32 settings = 0;
781
782         settings |= MGMT_SETTING_POWERED;
783         settings |= MGMT_SETTING_BONDABLE;
784         settings |= MGMT_SETTING_DEBUG_KEYS;
785         settings |= MGMT_SETTING_CONNECTABLE;
786         settings |= MGMT_SETTING_DISCOVERABLE;
787
788         if (lmp_bredr_capable(hdev)) {
789                 if (hdev->hci_ver >= BLUETOOTH_VER_1_2)
790                         settings |= MGMT_SETTING_FAST_CONNECTABLE;
791                 settings |= MGMT_SETTING_BREDR;
792                 settings |= MGMT_SETTING_LINK_SECURITY;
793
794                 if (lmp_ssp_capable(hdev)) {
795                         settings |= MGMT_SETTING_SSP;
796                         if (IS_ENABLED(CONFIG_BT_HS))
797                                 settings |= MGMT_SETTING_HS;
798                 }
799
800                 if (lmp_sc_capable(hdev))
801                         settings |= MGMT_SETTING_SECURE_CONN;
802
803                 if (test_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED,
804                              &hdev->quirks))
805                         settings |= MGMT_SETTING_WIDEBAND_SPEECH;
806         }
807
808         if (lmp_le_capable(hdev)) {
809                 settings |= MGMT_SETTING_LE;
810                 settings |= MGMT_SETTING_SECURE_CONN;
811                 settings |= MGMT_SETTING_PRIVACY;
812                 settings |= MGMT_SETTING_STATIC_ADDRESS;
813
814                 /* When the experimental feature for LL Privacy support is
815                  * enabled, then advertising is no longer supported.
816                  */
817                 if (!hci_dev_test_flag(hdev, HCI_ENABLE_LL_PRIVACY))
818                         settings |= MGMT_SETTING_ADVERTISING;
819         }
820
821         if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) ||
822             hdev->set_bdaddr)
823                 settings |= MGMT_SETTING_CONFIGURATION;
824
825         settings |= MGMT_SETTING_PHY_CONFIGURATION;
826
827         return settings;
828 }
829
830 static u32 get_current_settings(struct hci_dev *hdev)
831 {
832         u32 settings = 0;
833
834         if (hdev_is_powered(hdev))
835                 settings |= MGMT_SETTING_POWERED;
836
837         if (hci_dev_test_flag(hdev, HCI_CONNECTABLE))
838                 settings |= MGMT_SETTING_CONNECTABLE;
839
840         if (hci_dev_test_flag(hdev, HCI_FAST_CONNECTABLE))
841                 settings |= MGMT_SETTING_FAST_CONNECTABLE;
842
843         if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE))
844                 settings |= MGMT_SETTING_DISCOVERABLE;
845
846         if (hci_dev_test_flag(hdev, HCI_BONDABLE))
847                 settings |= MGMT_SETTING_BONDABLE;
848
849         if (hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
850                 settings |= MGMT_SETTING_BREDR;
851
852         if (hci_dev_test_flag(hdev, HCI_LE_ENABLED))
853                 settings |= MGMT_SETTING_LE;
854
855         if (hci_dev_test_flag(hdev, HCI_LINK_SECURITY))
856                 settings |= MGMT_SETTING_LINK_SECURITY;
857
858         if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
859                 settings |= MGMT_SETTING_SSP;
860
861         if (hci_dev_test_flag(hdev, HCI_HS_ENABLED))
862                 settings |= MGMT_SETTING_HS;
863
864         if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
865                 settings |= MGMT_SETTING_ADVERTISING;
866
867         if (hci_dev_test_flag(hdev, HCI_SC_ENABLED))
868                 settings |= MGMT_SETTING_SECURE_CONN;
869
870         if (hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS))
871                 settings |= MGMT_SETTING_DEBUG_KEYS;
872
873         if (hci_dev_test_flag(hdev, HCI_PRIVACY))
874                 settings |= MGMT_SETTING_PRIVACY;
875
876         /* The current setting for static address has two purposes. The
877          * first is to indicate if the static address will be used and
878          * the second is to indicate if it is actually set.
879          *
880          * This means if the static address is not configured, this flag
881          * will never be set. If the address is configured, then if the
882          * address is actually used decides if the flag is set or not.
883          *
884          * For single mode LE only controllers and dual-mode controllers
885          * with BR/EDR disabled, the existence of the static address will
886          * be evaluated.
887          */
888         if (hci_dev_test_flag(hdev, HCI_FORCE_STATIC_ADDR) ||
889             !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) ||
890             !bacmp(&hdev->bdaddr, BDADDR_ANY)) {
891                 if (bacmp(&hdev->static_addr, BDADDR_ANY))
892                         settings |= MGMT_SETTING_STATIC_ADDRESS;
893         }
894
895         if (hci_dev_test_flag(hdev, HCI_WIDEBAND_SPEECH_ENABLED))
896                 settings |= MGMT_SETTING_WIDEBAND_SPEECH;
897
898         return settings;
899 }
900
901 static struct mgmt_pending_cmd *pending_find(u16 opcode, struct hci_dev *hdev)
902 {
903         return mgmt_pending_find(HCI_CHANNEL_CONTROL, opcode, hdev);
904 }
905
906 static struct mgmt_pending_cmd *pending_find_data(u16 opcode,
907                                                   struct hci_dev *hdev,
908                                                   const void *data)
909 {
910         return mgmt_pending_find_data(HCI_CHANNEL_CONTROL, opcode, hdev, data);
911 }
912
913 u8 mgmt_get_adv_discov_flags(struct hci_dev *hdev)
914 {
915         struct mgmt_pending_cmd *cmd;
916
917         /* If there's a pending mgmt command the flags will not yet have
918          * their final values, so check for this first.
919          */
920         cmd = pending_find(MGMT_OP_SET_DISCOVERABLE, hdev);
921         if (cmd) {
922                 struct mgmt_mode *cp = cmd->param;
923                 if (cp->val == 0x01)
924                         return LE_AD_GENERAL;
925                 else if (cp->val == 0x02)
926                         return LE_AD_LIMITED;
927         } else {
928                 if (hci_dev_test_flag(hdev, HCI_LIMITED_DISCOVERABLE))
929                         return LE_AD_LIMITED;
930                 else if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE))
931                         return LE_AD_GENERAL;
932         }
933
934         return 0;
935 }
936
937 bool mgmt_get_connectable(struct hci_dev *hdev)
938 {
939         struct mgmt_pending_cmd *cmd;
940
941         /* If there's a pending mgmt command the flag will not yet have
942          * it's final value, so check for this first.
943          */
944         cmd = pending_find(MGMT_OP_SET_CONNECTABLE, hdev);
945         if (cmd) {
946                 struct mgmt_mode *cp = cmd->param;
947
948                 return cp->val;
949         }
950
951         return hci_dev_test_flag(hdev, HCI_CONNECTABLE);
952 }
953
954 static void service_cache_off(struct work_struct *work)
955 {
956         struct hci_dev *hdev = container_of(work, struct hci_dev,
957                                             service_cache.work);
958         struct hci_request req;
959
960         if (!hci_dev_test_and_clear_flag(hdev, HCI_SERVICE_CACHE))
961                 return;
962
963         hci_req_init(&req, hdev);
964
965         hci_dev_lock(hdev);
966
967         __hci_req_update_eir(&req);
968         __hci_req_update_class(&req);
969
970         hci_dev_unlock(hdev);
971
972         hci_req_run(&req, NULL);
973 }
974
975 static void rpa_expired(struct work_struct *work)
976 {
977         struct hci_dev *hdev = container_of(work, struct hci_dev,
978                                             rpa_expired.work);
979         struct hci_request req;
980
981         bt_dev_dbg(hdev, "");
982
983         hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
984
985         if (!hci_dev_test_flag(hdev, HCI_ADVERTISING))
986                 return;
987
988         /* The generation of a new RPA and programming it into the
989          * controller happens in the hci_req_enable_advertising()
990          * function.
991          */
992         hci_req_init(&req, hdev);
993         if (ext_adv_capable(hdev))
994                 __hci_req_start_ext_adv(&req, hdev->cur_adv_instance);
995         else
996                 __hci_req_enable_advertising(&req);
997         hci_req_run(&req, NULL);
998 }
999
1000 static void mgmt_init_hdev(struct sock *sk, struct hci_dev *hdev)
1001 {
1002         if (hci_dev_test_and_set_flag(hdev, HCI_MGMT))
1003                 return;
1004
1005         INIT_DELAYED_WORK(&hdev->service_cache, service_cache_off);
1006         INIT_DELAYED_WORK(&hdev->rpa_expired, rpa_expired);
1007
1008         /* Non-mgmt controlled devices get this bit set
1009          * implicitly so that pairing works for them, however
1010          * for mgmt we require user-space to explicitly enable
1011          * it
1012          */
1013         hci_dev_clear_flag(hdev, HCI_BONDABLE);
1014 }
1015
1016 static int read_controller_info(struct sock *sk, struct hci_dev *hdev,
1017                                 void *data, u16 data_len)
1018 {
1019         struct mgmt_rp_read_info rp;
1020
1021         bt_dev_dbg(hdev, "sock %p", sk);
1022
1023         hci_dev_lock(hdev);
1024
1025         memset(&rp, 0, sizeof(rp));
1026
1027         bacpy(&rp.bdaddr, &hdev->bdaddr);
1028
1029         rp.version = hdev->hci_ver;
1030         rp.manufacturer = cpu_to_le16(hdev->manufacturer);
1031
1032         rp.supported_settings = cpu_to_le32(get_supported_settings(hdev));
1033         rp.current_settings = cpu_to_le32(get_current_settings(hdev));
1034
1035         memcpy(rp.dev_class, hdev->dev_class, 3);
1036
1037         memcpy(rp.name, hdev->dev_name, sizeof(hdev->dev_name));
1038         memcpy(rp.short_name, hdev->short_name, sizeof(hdev->short_name));
1039
1040         hci_dev_unlock(hdev);
1041
1042         return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_INFO, 0, &rp,
1043                                  sizeof(rp));
1044 }
1045
1046 static u16 append_eir_data_to_buf(struct hci_dev *hdev, u8 *eir)
1047 {
1048         u16 eir_len = 0;
1049         size_t name_len;
1050
1051         if (hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1052                 eir_len = eir_append_data(eir, eir_len, EIR_CLASS_OF_DEV,
1053                                           hdev->dev_class, 3);
1054
1055         if (hci_dev_test_flag(hdev, HCI_LE_ENABLED))
1056                 eir_len = eir_append_le16(eir, eir_len, EIR_APPEARANCE,
1057                                           hdev->appearance);
1058
1059         name_len = strlen(hdev->dev_name);
1060         eir_len = eir_append_data(eir, eir_len, EIR_NAME_COMPLETE,
1061                                   hdev->dev_name, name_len);
1062
1063         name_len = strlen(hdev->short_name);
1064         eir_len = eir_append_data(eir, eir_len, EIR_NAME_SHORT,
1065                                   hdev->short_name, name_len);
1066
1067         return eir_len;
1068 }
1069
1070 static int read_ext_controller_info(struct sock *sk, struct hci_dev *hdev,
1071                                     void *data, u16 data_len)
1072 {
1073         char buf[512];
1074         struct mgmt_rp_read_ext_info *rp = (void *)buf;
1075         u16 eir_len;
1076
1077         bt_dev_dbg(hdev, "sock %p", sk);
1078
1079         memset(&buf, 0, sizeof(buf));
1080
1081         hci_dev_lock(hdev);
1082
1083         bacpy(&rp->bdaddr, &hdev->bdaddr);
1084
1085         rp->version = hdev->hci_ver;
1086         rp->manufacturer = cpu_to_le16(hdev->manufacturer);
1087
1088         rp->supported_settings = cpu_to_le32(get_supported_settings(hdev));
1089         rp->current_settings = cpu_to_le32(get_current_settings(hdev));
1090
1091
1092         eir_len = append_eir_data_to_buf(hdev, rp->eir);
1093         rp->eir_len = cpu_to_le16(eir_len);
1094
1095         hci_dev_unlock(hdev);
1096
1097         /* If this command is called at least once, then the events
1098          * for class of device and local name changes are disabled
1099          * and only the new extended controller information event
1100          * is used.
1101          */
1102         hci_sock_set_flag(sk, HCI_MGMT_EXT_INFO_EVENTS);
1103         hci_sock_clear_flag(sk, HCI_MGMT_DEV_CLASS_EVENTS);
1104         hci_sock_clear_flag(sk, HCI_MGMT_LOCAL_NAME_EVENTS);
1105
1106         return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_EXT_INFO, 0, rp,
1107                                  sizeof(*rp) + eir_len);
1108 }
1109
1110 static int ext_info_changed(struct hci_dev *hdev, struct sock *skip)
1111 {
1112         char buf[512];
1113         struct mgmt_ev_ext_info_changed *ev = (void *)buf;
1114         u16 eir_len;
1115
1116         memset(buf, 0, sizeof(buf));
1117
1118         eir_len = append_eir_data_to_buf(hdev, ev->eir);
1119         ev->eir_len = cpu_to_le16(eir_len);
1120
1121         return mgmt_limited_event(MGMT_EV_EXT_INFO_CHANGED, hdev, ev,
1122                                   sizeof(*ev) + eir_len,
1123                                   HCI_MGMT_EXT_INFO_EVENTS, skip);
1124 }
1125
1126 static int send_settings_rsp(struct sock *sk, u16 opcode, struct hci_dev *hdev)
1127 {
1128         __le32 settings = cpu_to_le32(get_current_settings(hdev));
1129
1130         return mgmt_cmd_complete(sk, hdev->id, opcode, 0, &settings,
1131                                  sizeof(settings));
1132 }
1133
1134 static void clean_up_hci_complete(struct hci_dev *hdev, u8 status, u16 opcode)
1135 {
1136         bt_dev_dbg(hdev, "status 0x%02x", status);
1137
1138         if (hci_conn_count(hdev) == 0) {
1139                 cancel_delayed_work(&hdev->power_off);
1140                 queue_work(hdev->req_workqueue, &hdev->power_off.work);
1141         }
1142 }
1143
1144 void mgmt_advertising_added(struct sock *sk, struct hci_dev *hdev, u8 instance)
1145 {
1146         struct mgmt_ev_advertising_added ev;
1147
1148         ev.instance = instance;
1149
1150         mgmt_event(MGMT_EV_ADVERTISING_ADDED, hdev, &ev, sizeof(ev), sk);
1151 }
1152
1153 void mgmt_advertising_removed(struct sock *sk, struct hci_dev *hdev,
1154                               u8 instance)
1155 {
1156         struct mgmt_ev_advertising_removed ev;
1157
1158         ev.instance = instance;
1159
1160         mgmt_event(MGMT_EV_ADVERTISING_REMOVED, hdev, &ev, sizeof(ev), sk);
1161 }
1162
1163 static void cancel_adv_timeout(struct hci_dev *hdev)
1164 {
1165         if (hdev->adv_instance_timeout) {
1166                 hdev->adv_instance_timeout = 0;
1167                 cancel_delayed_work(&hdev->adv_instance_expire);
1168         }
1169 }
1170
1171 static int clean_up_hci_state(struct hci_dev *hdev)
1172 {
1173         struct hci_request req;
1174         struct hci_conn *conn;
1175         bool discov_stopped;
1176         int err;
1177
1178         hci_req_init(&req, hdev);
1179
1180         if (test_bit(HCI_ISCAN, &hdev->flags) ||
1181             test_bit(HCI_PSCAN, &hdev->flags)) {
1182                 u8 scan = 0x00;
1183                 hci_req_add(&req, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
1184         }
1185
1186         hci_req_clear_adv_instance(hdev, NULL, NULL, 0x00, false);
1187
1188         if (hci_dev_test_flag(hdev, HCI_LE_ADV))
1189                 __hci_req_disable_advertising(&req);
1190
1191         discov_stopped = hci_req_stop_discovery(&req);
1192
1193         list_for_each_entry(conn, &hdev->conn_hash.list, list) {
1194                 /* 0x15 == Terminated due to Power Off */
1195                 __hci_abort_conn(&req, conn, 0x15);
1196         }
1197
1198         err = hci_req_run(&req, clean_up_hci_complete);
1199         if (!err && discov_stopped)
1200                 hci_discovery_set_state(hdev, DISCOVERY_STOPPING);
1201
1202         return err;
1203 }
1204
1205 static int set_powered(struct sock *sk, struct hci_dev *hdev, void *data,
1206                        u16 len)
1207 {
1208         struct mgmt_mode *cp = data;
1209         struct mgmt_pending_cmd *cmd;
1210         int err;
1211
1212         bt_dev_dbg(hdev, "sock %p", sk);
1213
1214         if (cp->val != 0x00 && cp->val != 0x01)
1215                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_POWERED,
1216                                        MGMT_STATUS_INVALID_PARAMS);
1217
1218         hci_dev_lock(hdev);
1219
1220         if (pending_find(MGMT_OP_SET_POWERED, hdev)) {
1221                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_POWERED,
1222                                       MGMT_STATUS_BUSY);
1223                 goto failed;
1224         }
1225
1226         if (!!cp->val == hdev_is_powered(hdev)) {
1227                 err = send_settings_rsp(sk, MGMT_OP_SET_POWERED, hdev);
1228                 goto failed;
1229         }
1230
1231         cmd = mgmt_pending_add(sk, MGMT_OP_SET_POWERED, hdev, data, len);
1232         if (!cmd) {
1233                 err = -ENOMEM;
1234                 goto failed;
1235         }
1236
1237         if (cp->val) {
1238                 queue_work(hdev->req_workqueue, &hdev->power_on);
1239                 err = 0;
1240         } else {
1241                 /* Disconnect connections, stop scans, etc */
1242                 err = clean_up_hci_state(hdev);
1243                 if (!err)
1244                         queue_delayed_work(hdev->req_workqueue, &hdev->power_off,
1245                                            HCI_POWER_OFF_TIMEOUT);
1246
1247                 /* ENODATA means there were no HCI commands queued */
1248                 if (err == -ENODATA) {
1249                         cancel_delayed_work(&hdev->power_off);
1250                         queue_work(hdev->req_workqueue, &hdev->power_off.work);
1251                         err = 0;
1252                 }
1253         }
1254
1255 failed:
1256         hci_dev_unlock(hdev);
1257         return err;
1258 }
1259
1260 static int new_settings(struct hci_dev *hdev, struct sock *skip)
1261 {
1262         __le32 ev = cpu_to_le32(get_current_settings(hdev));
1263
1264         return mgmt_limited_event(MGMT_EV_NEW_SETTINGS, hdev, &ev,
1265                                   sizeof(ev), HCI_MGMT_SETTING_EVENTS, skip);
1266 }
1267
1268 int mgmt_new_settings(struct hci_dev *hdev)
1269 {
1270         return new_settings(hdev, NULL);
1271 }
1272
1273 struct cmd_lookup {
1274         struct sock *sk;
1275         struct hci_dev *hdev;
1276         u8 mgmt_status;
1277 };
1278
1279 static void settings_rsp(struct mgmt_pending_cmd *cmd, void *data)
1280 {
1281         struct cmd_lookup *match = data;
1282
1283         send_settings_rsp(cmd->sk, cmd->opcode, match->hdev);
1284
1285         list_del(&cmd->list);
1286
1287         if (match->sk == NULL) {
1288                 match->sk = cmd->sk;
1289                 sock_hold(match->sk);
1290         }
1291
1292         mgmt_pending_free(cmd);
1293 }
1294
1295 static void cmd_status_rsp(struct mgmt_pending_cmd *cmd, void *data)
1296 {
1297         u8 *status = data;
1298
1299         mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, *status);
1300         mgmt_pending_remove(cmd);
1301 }
1302
1303 static void cmd_complete_rsp(struct mgmt_pending_cmd *cmd, void *data)
1304 {
1305         if (cmd->cmd_complete) {
1306                 u8 *status = data;
1307
1308                 cmd->cmd_complete(cmd, *status);
1309                 mgmt_pending_remove(cmd);
1310
1311                 return;
1312         }
1313
1314         cmd_status_rsp(cmd, data);
1315 }
1316
1317 static int generic_cmd_complete(struct mgmt_pending_cmd *cmd, u8 status)
1318 {
1319         return mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status,
1320                                  cmd->param, cmd->param_len);
1321 }
1322
1323 static int addr_cmd_complete(struct mgmt_pending_cmd *cmd, u8 status)
1324 {
1325         return mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status,
1326                                  cmd->param, sizeof(struct mgmt_addr_info));
1327 }
1328
1329 static u8 mgmt_bredr_support(struct hci_dev *hdev)
1330 {
1331         if (!lmp_bredr_capable(hdev))
1332                 return MGMT_STATUS_NOT_SUPPORTED;
1333         else if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1334                 return MGMT_STATUS_REJECTED;
1335         else
1336                 return MGMT_STATUS_SUCCESS;
1337 }
1338
1339 static u8 mgmt_le_support(struct hci_dev *hdev)
1340 {
1341         if (!lmp_le_capable(hdev))
1342                 return MGMT_STATUS_NOT_SUPPORTED;
1343         else if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
1344                 return MGMT_STATUS_REJECTED;
1345         else
1346                 return MGMT_STATUS_SUCCESS;
1347 }
1348
1349 void mgmt_set_discoverable_complete(struct hci_dev *hdev, u8 status)
1350 {
1351         struct mgmt_pending_cmd *cmd;
1352
1353         bt_dev_dbg(hdev, "status 0x%02x", status);
1354
1355         hci_dev_lock(hdev);
1356
1357         cmd = pending_find(MGMT_OP_SET_DISCOVERABLE, hdev);
1358         if (!cmd)
1359                 goto unlock;
1360
1361         if (status) {
1362                 u8 mgmt_err = mgmt_status(status);
1363                 mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
1364                 hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1365                 goto remove_cmd;
1366         }
1367
1368         if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE) &&
1369             hdev->discov_timeout > 0) {
1370                 int to = msecs_to_jiffies(hdev->discov_timeout * 1000);
1371                 queue_delayed_work(hdev->req_workqueue, &hdev->discov_off, to);
1372         }
1373
1374         send_settings_rsp(cmd->sk, MGMT_OP_SET_DISCOVERABLE, hdev);
1375         new_settings(hdev, cmd->sk);
1376
1377 remove_cmd:
1378         mgmt_pending_remove(cmd);
1379
1380 unlock:
1381         hci_dev_unlock(hdev);
1382 }
1383
1384 static int set_discoverable(struct sock *sk, struct hci_dev *hdev, void *data,
1385                             u16 len)
1386 {
1387         struct mgmt_cp_set_discoverable *cp = data;
1388         struct mgmt_pending_cmd *cmd;
1389         u16 timeout;
1390         int err;
1391
1392         bt_dev_dbg(hdev, "sock %p", sk);
1393
1394         if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED) &&
1395             !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1396                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1397                                        MGMT_STATUS_REJECTED);
1398
1399         if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
1400                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1401                                        MGMT_STATUS_INVALID_PARAMS);
1402
1403         timeout = __le16_to_cpu(cp->timeout);
1404
1405         /* Disabling discoverable requires that no timeout is set,
1406          * and enabling limited discoverable requires a timeout.
1407          */
1408         if ((cp->val == 0x00 && timeout > 0) ||
1409             (cp->val == 0x02 && timeout == 0))
1410                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1411                                        MGMT_STATUS_INVALID_PARAMS);
1412
1413         hci_dev_lock(hdev);
1414
1415         if (!hdev_is_powered(hdev) && timeout > 0) {
1416                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1417                                       MGMT_STATUS_NOT_POWERED);
1418                 goto failed;
1419         }
1420
1421         if (pending_find(MGMT_OP_SET_DISCOVERABLE, hdev) ||
1422             pending_find(MGMT_OP_SET_CONNECTABLE, hdev)) {
1423                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1424                                       MGMT_STATUS_BUSY);
1425                 goto failed;
1426         }
1427
1428         if (!hci_dev_test_flag(hdev, HCI_CONNECTABLE)) {
1429                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1430                                       MGMT_STATUS_REJECTED);
1431                 goto failed;
1432         }
1433
1434         if (hdev->advertising_paused) {
1435                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1436                                       MGMT_STATUS_BUSY);
1437                 goto failed;
1438         }
1439
1440         if (!hdev_is_powered(hdev)) {
1441                 bool changed = false;
1442
1443                 /* Setting limited discoverable when powered off is
1444                  * not a valid operation since it requires a timeout
1445                  * and so no need to check HCI_LIMITED_DISCOVERABLE.
1446                  */
1447                 if (!!cp->val != hci_dev_test_flag(hdev, HCI_DISCOVERABLE)) {
1448                         hci_dev_change_flag(hdev, HCI_DISCOVERABLE);
1449                         changed = true;
1450                 }
1451
1452                 err = send_settings_rsp(sk, MGMT_OP_SET_DISCOVERABLE, hdev);
1453                 if (err < 0)
1454                         goto failed;
1455
1456                 if (changed)
1457                         err = new_settings(hdev, sk);
1458
1459                 goto failed;
1460         }
1461
1462         /* If the current mode is the same, then just update the timeout
1463          * value with the new value. And if only the timeout gets updated,
1464          * then no need for any HCI transactions.
1465          */
1466         if (!!cp->val == hci_dev_test_flag(hdev, HCI_DISCOVERABLE) &&
1467             (cp->val == 0x02) == hci_dev_test_flag(hdev,
1468                                                    HCI_LIMITED_DISCOVERABLE)) {
1469                 cancel_delayed_work(&hdev->discov_off);
1470                 hdev->discov_timeout = timeout;
1471
1472                 if (cp->val && hdev->discov_timeout > 0) {
1473                         int to = msecs_to_jiffies(hdev->discov_timeout * 1000);
1474                         queue_delayed_work(hdev->req_workqueue,
1475                                            &hdev->discov_off, to);
1476                 }
1477
1478                 err = send_settings_rsp(sk, MGMT_OP_SET_DISCOVERABLE, hdev);
1479                 goto failed;
1480         }
1481
1482         cmd = mgmt_pending_add(sk, MGMT_OP_SET_DISCOVERABLE, hdev, data, len);
1483         if (!cmd) {
1484                 err = -ENOMEM;
1485                 goto failed;
1486         }
1487
1488         /* Cancel any potential discoverable timeout that might be
1489          * still active and store new timeout value. The arming of
1490          * the timeout happens in the complete handler.
1491          */
1492         cancel_delayed_work(&hdev->discov_off);
1493         hdev->discov_timeout = timeout;
1494
1495         if (cp->val)
1496                 hci_dev_set_flag(hdev, HCI_DISCOVERABLE);
1497         else
1498                 hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1499
1500         /* Limited discoverable mode */
1501         if (cp->val == 0x02)
1502                 hci_dev_set_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1503         else
1504                 hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1505
1506         queue_work(hdev->req_workqueue, &hdev->discoverable_update);
1507         err = 0;
1508
1509 failed:
1510         hci_dev_unlock(hdev);
1511         return err;
1512 }
1513
1514 void mgmt_set_connectable_complete(struct hci_dev *hdev, u8 status)
1515 {
1516         struct mgmt_pending_cmd *cmd;
1517
1518         bt_dev_dbg(hdev, "status 0x%02x", status);
1519
1520         hci_dev_lock(hdev);
1521
1522         cmd = pending_find(MGMT_OP_SET_CONNECTABLE, hdev);
1523         if (!cmd)
1524                 goto unlock;
1525
1526         if (status) {
1527                 u8 mgmt_err = mgmt_status(status);
1528                 mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
1529                 goto remove_cmd;
1530         }
1531
1532         send_settings_rsp(cmd->sk, MGMT_OP_SET_CONNECTABLE, hdev);
1533         new_settings(hdev, cmd->sk);
1534
1535 remove_cmd:
1536         mgmt_pending_remove(cmd);
1537
1538 unlock:
1539         hci_dev_unlock(hdev);
1540 }
1541
1542 static int set_connectable_update_settings(struct hci_dev *hdev,
1543                                            struct sock *sk, u8 val)
1544 {
1545         bool changed = false;
1546         int err;
1547
1548         if (!!val != hci_dev_test_flag(hdev, HCI_CONNECTABLE))
1549                 changed = true;
1550
1551         if (val) {
1552                 hci_dev_set_flag(hdev, HCI_CONNECTABLE);
1553         } else {
1554                 hci_dev_clear_flag(hdev, HCI_CONNECTABLE);
1555                 hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1556         }
1557
1558         err = send_settings_rsp(sk, MGMT_OP_SET_CONNECTABLE, hdev);
1559         if (err < 0)
1560                 return err;
1561
1562         if (changed) {
1563                 hci_req_update_scan(hdev);
1564                 hci_update_background_scan(hdev);
1565                 return new_settings(hdev, sk);
1566         }
1567
1568         return 0;
1569 }
1570
1571 static int set_connectable(struct sock *sk, struct hci_dev *hdev, void *data,
1572                            u16 len)
1573 {
1574         struct mgmt_mode *cp = data;
1575         struct mgmt_pending_cmd *cmd;
1576         int err;
1577
1578         bt_dev_dbg(hdev, "sock %p", sk);
1579
1580         if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED) &&
1581             !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1582                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_CONNECTABLE,
1583                                        MGMT_STATUS_REJECTED);
1584
1585         if (cp->val != 0x00 && cp->val != 0x01)
1586                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_CONNECTABLE,
1587                                        MGMT_STATUS_INVALID_PARAMS);
1588
1589         hci_dev_lock(hdev);
1590
1591         if (!hdev_is_powered(hdev)) {
1592                 err = set_connectable_update_settings(hdev, sk, cp->val);
1593                 goto failed;
1594         }
1595
1596         if (pending_find(MGMT_OP_SET_DISCOVERABLE, hdev) ||
1597             pending_find(MGMT_OP_SET_CONNECTABLE, hdev)) {
1598                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_CONNECTABLE,
1599                                       MGMT_STATUS_BUSY);
1600                 goto failed;
1601         }
1602
1603         cmd = mgmt_pending_add(sk, MGMT_OP_SET_CONNECTABLE, hdev, data, len);
1604         if (!cmd) {
1605                 err = -ENOMEM;
1606                 goto failed;
1607         }
1608
1609         if (cp->val) {
1610                 hci_dev_set_flag(hdev, HCI_CONNECTABLE);
1611         } else {
1612                 if (hdev->discov_timeout > 0)
1613                         cancel_delayed_work(&hdev->discov_off);
1614
1615                 hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1616                 hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1617                 hci_dev_clear_flag(hdev, HCI_CONNECTABLE);
1618         }
1619
1620         queue_work(hdev->req_workqueue, &hdev->connectable_update);
1621         err = 0;
1622
1623 failed:
1624         hci_dev_unlock(hdev);
1625         return err;
1626 }
1627
1628 static int set_bondable(struct sock *sk, struct hci_dev *hdev, void *data,
1629                         u16 len)
1630 {
1631         struct mgmt_mode *cp = data;
1632         bool changed;
1633         int err;
1634
1635         bt_dev_dbg(hdev, "sock %p", sk);
1636
1637         if (cp->val != 0x00 && cp->val != 0x01)
1638                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BONDABLE,
1639                                        MGMT_STATUS_INVALID_PARAMS);
1640
1641         hci_dev_lock(hdev);
1642
1643         if (cp->val)
1644                 changed = !hci_dev_test_and_set_flag(hdev, HCI_BONDABLE);
1645         else
1646                 changed = hci_dev_test_and_clear_flag(hdev, HCI_BONDABLE);
1647
1648         err = send_settings_rsp(sk, MGMT_OP_SET_BONDABLE, hdev);
1649         if (err < 0)
1650                 goto unlock;
1651
1652         if (changed) {
1653                 /* In limited privacy mode the change of bondable mode
1654                  * may affect the local advertising address.
1655                  */
1656                 if (hdev_is_powered(hdev) &&
1657                     hci_dev_test_flag(hdev, HCI_ADVERTISING) &&
1658                     hci_dev_test_flag(hdev, HCI_DISCOVERABLE) &&
1659                     hci_dev_test_flag(hdev, HCI_LIMITED_PRIVACY))
1660                         queue_work(hdev->req_workqueue,
1661                                    &hdev->discoverable_update);
1662
1663                 err = new_settings(hdev, sk);
1664         }
1665
1666 unlock:
1667         hci_dev_unlock(hdev);
1668         return err;
1669 }
1670
1671 static int set_link_security(struct sock *sk, struct hci_dev *hdev, void *data,
1672                              u16 len)
1673 {
1674         struct mgmt_mode *cp = data;
1675         struct mgmt_pending_cmd *cmd;
1676         u8 val, status;
1677         int err;
1678
1679         bt_dev_dbg(hdev, "sock %p", sk);
1680
1681         status = mgmt_bredr_support(hdev);
1682         if (status)
1683                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY,
1684                                        status);
1685
1686         if (cp->val != 0x00 && cp->val != 0x01)
1687                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY,
1688                                        MGMT_STATUS_INVALID_PARAMS);
1689
1690         hci_dev_lock(hdev);
1691
1692         if (!hdev_is_powered(hdev)) {
1693                 bool changed = false;
1694
1695                 if (!!cp->val != hci_dev_test_flag(hdev, HCI_LINK_SECURITY)) {
1696                         hci_dev_change_flag(hdev, HCI_LINK_SECURITY);
1697                         changed = true;
1698                 }
1699
1700                 err = send_settings_rsp(sk, MGMT_OP_SET_LINK_SECURITY, hdev);
1701                 if (err < 0)
1702                         goto failed;
1703
1704                 if (changed)
1705                         err = new_settings(hdev, sk);
1706
1707                 goto failed;
1708         }
1709
1710         if (pending_find(MGMT_OP_SET_LINK_SECURITY, hdev)) {
1711                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY,
1712                                       MGMT_STATUS_BUSY);
1713                 goto failed;
1714         }
1715
1716         val = !!cp->val;
1717
1718         if (test_bit(HCI_AUTH, &hdev->flags) == val) {
1719                 err = send_settings_rsp(sk, MGMT_OP_SET_LINK_SECURITY, hdev);
1720                 goto failed;
1721         }
1722
1723         cmd = mgmt_pending_add(sk, MGMT_OP_SET_LINK_SECURITY, hdev, data, len);
1724         if (!cmd) {
1725                 err = -ENOMEM;
1726                 goto failed;
1727         }
1728
1729         err = hci_send_cmd(hdev, HCI_OP_WRITE_AUTH_ENABLE, sizeof(val), &val);
1730         if (err < 0) {
1731                 mgmt_pending_remove(cmd);
1732                 goto failed;
1733         }
1734
1735 failed:
1736         hci_dev_unlock(hdev);
1737         return err;
1738 }
1739
1740 static int set_ssp(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
1741 {
1742         struct mgmt_mode *cp = data;
1743         struct mgmt_pending_cmd *cmd;
1744         u8 status;
1745         int err;
1746
1747         bt_dev_dbg(hdev, "sock %p", sk);
1748
1749         status = mgmt_bredr_support(hdev);
1750         if (status)
1751                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP, status);
1752
1753         if (!lmp_ssp_capable(hdev))
1754                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
1755                                        MGMT_STATUS_NOT_SUPPORTED);
1756
1757         if (cp->val != 0x00 && cp->val != 0x01)
1758                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
1759                                        MGMT_STATUS_INVALID_PARAMS);
1760
1761         hci_dev_lock(hdev);
1762
1763         if (!hdev_is_powered(hdev)) {
1764                 bool changed;
1765
1766                 if (cp->val) {
1767                         changed = !hci_dev_test_and_set_flag(hdev,
1768                                                              HCI_SSP_ENABLED);
1769                 } else {
1770                         changed = hci_dev_test_and_clear_flag(hdev,
1771                                                               HCI_SSP_ENABLED);
1772                         if (!changed)
1773                                 changed = hci_dev_test_and_clear_flag(hdev,
1774                                                                       HCI_HS_ENABLED);
1775                         else
1776                                 hci_dev_clear_flag(hdev, HCI_HS_ENABLED);
1777                 }
1778
1779                 err = send_settings_rsp(sk, MGMT_OP_SET_SSP, hdev);
1780                 if (err < 0)
1781                         goto failed;
1782
1783                 if (changed)
1784                         err = new_settings(hdev, sk);
1785
1786                 goto failed;
1787         }
1788
1789         if (pending_find(MGMT_OP_SET_SSP, hdev)) {
1790                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
1791                                       MGMT_STATUS_BUSY);
1792                 goto failed;
1793         }
1794
1795         if (!!cp->val == hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
1796                 err = send_settings_rsp(sk, MGMT_OP_SET_SSP, hdev);
1797                 goto failed;
1798         }
1799
1800         cmd = mgmt_pending_add(sk, MGMT_OP_SET_SSP, hdev, data, len);
1801         if (!cmd) {
1802                 err = -ENOMEM;
1803                 goto failed;
1804         }
1805
1806         if (!cp->val && hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS))
1807                 hci_send_cmd(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE,
1808                              sizeof(cp->val), &cp->val);
1809
1810         err = hci_send_cmd(hdev, HCI_OP_WRITE_SSP_MODE, 1, &cp->val);
1811         if (err < 0) {
1812                 mgmt_pending_remove(cmd);
1813                 goto failed;
1814         }
1815
1816 failed:
1817         hci_dev_unlock(hdev);
1818         return err;
1819 }
1820
1821 static int set_hs(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
1822 {
1823         struct mgmt_mode *cp = data;
1824         bool changed;
1825         u8 status;
1826         int err;
1827
1828         bt_dev_dbg(hdev, "sock %p", sk);
1829
1830         if (!IS_ENABLED(CONFIG_BT_HS))
1831                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
1832                                        MGMT_STATUS_NOT_SUPPORTED);
1833
1834         status = mgmt_bredr_support(hdev);
1835         if (status)
1836                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS, status);
1837
1838         if (!lmp_ssp_capable(hdev))
1839                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
1840                                        MGMT_STATUS_NOT_SUPPORTED);
1841
1842         if (!hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
1843                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
1844                                        MGMT_STATUS_REJECTED);
1845
1846         if (cp->val != 0x00 && cp->val != 0x01)
1847                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
1848                                        MGMT_STATUS_INVALID_PARAMS);
1849
1850         hci_dev_lock(hdev);
1851
1852         if (pending_find(MGMT_OP_SET_SSP, hdev)) {
1853                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
1854                                       MGMT_STATUS_BUSY);
1855                 goto unlock;
1856         }
1857
1858         if (cp->val) {
1859                 changed = !hci_dev_test_and_set_flag(hdev, HCI_HS_ENABLED);
1860         } else {
1861                 if (hdev_is_powered(hdev)) {
1862                         err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
1863                                               MGMT_STATUS_REJECTED);
1864                         goto unlock;
1865                 }
1866
1867                 changed = hci_dev_test_and_clear_flag(hdev, HCI_HS_ENABLED);
1868         }
1869
1870         err = send_settings_rsp(sk, MGMT_OP_SET_HS, hdev);
1871         if (err < 0)
1872                 goto unlock;
1873
1874         if (changed)
1875                 err = new_settings(hdev, sk);
1876
1877 unlock:
1878         hci_dev_unlock(hdev);
1879         return err;
1880 }
1881
1882 static void le_enable_complete(struct hci_dev *hdev, u8 status, u16 opcode)
1883 {
1884         struct cmd_lookup match = { NULL, hdev };
1885
1886         hci_dev_lock(hdev);
1887
1888         if (status) {
1889                 u8 mgmt_err = mgmt_status(status);
1890
1891                 mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, cmd_status_rsp,
1892                                      &mgmt_err);
1893                 goto unlock;
1894         }
1895
1896         mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, settings_rsp, &match);
1897
1898         new_settings(hdev, match.sk);
1899
1900         if (match.sk)
1901                 sock_put(match.sk);
1902
1903         /* Make sure the controller has a good default for
1904          * advertising data. Restrict the update to when LE
1905          * has actually been enabled. During power on, the
1906          * update in powered_update_hci will take care of it.
1907          */
1908         if (hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1909                 struct hci_request req;
1910                 hci_req_init(&req, hdev);
1911                 if (ext_adv_capable(hdev)) {
1912                         int err;
1913
1914                         err = __hci_req_setup_ext_adv_instance(&req, 0x00);
1915                         if (!err)
1916                                 __hci_req_update_scan_rsp_data(&req, 0x00);
1917                 } else {
1918                         __hci_req_update_adv_data(&req, 0x00);
1919                         __hci_req_update_scan_rsp_data(&req, 0x00);
1920                 }
1921                 hci_req_run(&req, NULL);
1922                 hci_update_background_scan(hdev);
1923         }
1924
1925 unlock:
1926         hci_dev_unlock(hdev);
1927 }
1928
1929 static int set_le(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
1930 {
1931         struct mgmt_mode *cp = data;
1932         struct hci_cp_write_le_host_supported hci_cp;
1933         struct mgmt_pending_cmd *cmd;
1934         struct hci_request req;
1935         int err;
1936         u8 val, enabled;
1937
1938         bt_dev_dbg(hdev, "sock %p", sk);
1939
1940         if (!lmp_le_capable(hdev))
1941                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
1942                                        MGMT_STATUS_NOT_SUPPORTED);
1943
1944         if (cp->val != 0x00 && cp->val != 0x01)
1945                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
1946                                        MGMT_STATUS_INVALID_PARAMS);
1947
1948         /* Bluetooth single mode LE only controllers or dual-mode
1949          * controllers configured as LE only devices, do not allow
1950          * switching LE off. These have either LE enabled explicitly
1951          * or BR/EDR has been previously switched off.
1952          *
1953          * When trying to enable an already enabled LE, then gracefully
1954          * send a positive response. Trying to disable it however will
1955          * result into rejection.
1956          */
1957         if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
1958                 if (cp->val == 0x01)
1959                         return send_settings_rsp(sk, MGMT_OP_SET_LE, hdev);
1960
1961                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
1962                                        MGMT_STATUS_REJECTED);
1963         }
1964
1965         hci_dev_lock(hdev);
1966
1967         val = !!cp->val;
1968         enabled = lmp_host_le_capable(hdev);
1969
1970         if (!val)
1971                 hci_req_clear_adv_instance(hdev, NULL, NULL, 0x00, true);
1972
1973         if (!hdev_is_powered(hdev) || val == enabled) {
1974                 bool changed = false;
1975
1976                 if (val != hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1977                         hci_dev_change_flag(hdev, HCI_LE_ENABLED);
1978                         changed = true;
1979                 }
1980
1981                 if (!val && hci_dev_test_flag(hdev, HCI_ADVERTISING)) {
1982                         hci_dev_clear_flag(hdev, HCI_ADVERTISING);
1983                         changed = true;
1984                 }
1985
1986                 err = send_settings_rsp(sk, MGMT_OP_SET_LE, hdev);
1987                 if (err < 0)
1988                         goto unlock;
1989
1990                 if (changed)
1991                         err = new_settings(hdev, sk);
1992
1993                 goto unlock;
1994         }
1995
1996         if (pending_find(MGMT_OP_SET_LE, hdev) ||
1997             pending_find(MGMT_OP_SET_ADVERTISING, hdev)) {
1998                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
1999                                       MGMT_STATUS_BUSY);
2000                 goto unlock;
2001         }
2002
2003         cmd = mgmt_pending_add(sk, MGMT_OP_SET_LE, hdev, data, len);
2004         if (!cmd) {
2005                 err = -ENOMEM;
2006                 goto unlock;
2007         }
2008
2009         hci_req_init(&req, hdev);
2010
2011         memset(&hci_cp, 0, sizeof(hci_cp));
2012
2013         if (val) {
2014                 hci_cp.le = val;
2015                 hci_cp.simul = 0x00;
2016         } else {
2017                 if (hci_dev_test_flag(hdev, HCI_LE_ADV))
2018                         __hci_req_disable_advertising(&req);
2019
2020                 if (ext_adv_capable(hdev))
2021                         __hci_req_clear_ext_adv_sets(&req);
2022         }
2023
2024         hci_req_add(&req, HCI_OP_WRITE_LE_HOST_SUPPORTED, sizeof(hci_cp),
2025                     &hci_cp);
2026
2027         err = hci_req_run(&req, le_enable_complete);
2028         if (err < 0)
2029                 mgmt_pending_remove(cmd);
2030
2031 unlock:
2032         hci_dev_unlock(hdev);
2033         return err;
2034 }
2035
2036 /* This is a helper function to test for pending mgmt commands that can
2037  * cause CoD or EIR HCI commands. We can only allow one such pending
2038  * mgmt command at a time since otherwise we cannot easily track what
2039  * the current values are, will be, and based on that calculate if a new
2040  * HCI command needs to be sent and if yes with what value.
2041  */
2042 static bool pending_eir_or_class(struct hci_dev *hdev)
2043 {
2044         struct mgmt_pending_cmd *cmd;
2045
2046         list_for_each_entry(cmd, &hdev->mgmt_pending, list) {
2047                 switch (cmd->opcode) {
2048                 case MGMT_OP_ADD_UUID:
2049                 case MGMT_OP_REMOVE_UUID:
2050                 case MGMT_OP_SET_DEV_CLASS:
2051                 case MGMT_OP_SET_POWERED:
2052                         return true;
2053                 }
2054         }
2055
2056         return false;
2057 }
2058
2059 static const u8 bluetooth_base_uuid[] = {
2060                         0xfb, 0x34, 0x9b, 0x5f, 0x80, 0x00, 0x00, 0x80,
2061                         0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2062 };
2063
2064 static u8 get_uuid_size(const u8 *uuid)
2065 {
2066         u32 val;
2067
2068         if (memcmp(uuid, bluetooth_base_uuid, 12))
2069                 return 128;
2070
2071         val = get_unaligned_le32(&uuid[12]);
2072         if (val > 0xffff)
2073                 return 32;
2074
2075         return 16;
2076 }
2077
2078 static void mgmt_class_complete(struct hci_dev *hdev, u16 mgmt_op, u8 status)
2079 {
2080         struct mgmt_pending_cmd *cmd;
2081
2082         hci_dev_lock(hdev);
2083
2084         cmd = pending_find(mgmt_op, hdev);
2085         if (!cmd)
2086                 goto unlock;
2087
2088         mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
2089                           mgmt_status(status), hdev->dev_class, 3);
2090
2091         mgmt_pending_remove(cmd);
2092
2093 unlock:
2094         hci_dev_unlock(hdev);
2095 }
2096
2097 static void add_uuid_complete(struct hci_dev *hdev, u8 status, u16 opcode)
2098 {
2099         bt_dev_dbg(hdev, "status 0x%02x", status);
2100
2101         mgmt_class_complete(hdev, MGMT_OP_ADD_UUID, status);
2102 }
2103
2104 static int add_uuid(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
2105 {
2106         struct mgmt_cp_add_uuid *cp = data;
2107         struct mgmt_pending_cmd *cmd;
2108         struct hci_request req;
2109         struct bt_uuid *uuid;
2110         int err;
2111
2112         bt_dev_dbg(hdev, "sock %p", sk);
2113
2114         hci_dev_lock(hdev);
2115
2116         if (pending_eir_or_class(hdev)) {
2117                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_UUID,
2118                                       MGMT_STATUS_BUSY);
2119                 goto failed;
2120         }
2121
2122         uuid = kmalloc(sizeof(*uuid), GFP_KERNEL);
2123         if (!uuid) {
2124                 err = -ENOMEM;
2125                 goto failed;
2126         }
2127
2128         memcpy(uuid->uuid, cp->uuid, 16);
2129         uuid->svc_hint = cp->svc_hint;
2130         uuid->size = get_uuid_size(cp->uuid);
2131
2132         list_add_tail(&uuid->list, &hdev->uuids);
2133
2134         hci_req_init(&req, hdev);
2135
2136         __hci_req_update_class(&req);
2137         __hci_req_update_eir(&req);
2138
2139         err = hci_req_run(&req, add_uuid_complete);
2140         if (err < 0) {
2141                 if (err != -ENODATA)
2142                         goto failed;
2143
2144                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_UUID, 0,
2145                                         hdev->dev_class, 3);
2146                 goto failed;
2147         }
2148
2149         cmd = mgmt_pending_add(sk, MGMT_OP_ADD_UUID, hdev, data, len);
2150         if (!cmd) {
2151                 err = -ENOMEM;
2152                 goto failed;
2153         }
2154
2155         err = 0;
2156
2157 failed:
2158         hci_dev_unlock(hdev);
2159         return err;
2160 }
2161
2162 static bool enable_service_cache(struct hci_dev *hdev)
2163 {
2164         if (!hdev_is_powered(hdev))
2165                 return false;
2166
2167         if (!hci_dev_test_and_set_flag(hdev, HCI_SERVICE_CACHE)) {
2168                 queue_delayed_work(hdev->workqueue, &hdev->service_cache,
2169                                    CACHE_TIMEOUT);
2170                 return true;
2171         }
2172
2173         return false;
2174 }
2175
2176 static void remove_uuid_complete(struct hci_dev *hdev, u8 status, u16 opcode)
2177 {
2178         bt_dev_dbg(hdev, "status 0x%02x", status);
2179
2180         mgmt_class_complete(hdev, MGMT_OP_REMOVE_UUID, status);
2181 }
2182
2183 static int remove_uuid(struct sock *sk, struct hci_dev *hdev, void *data,
2184                        u16 len)
2185 {
2186         struct mgmt_cp_remove_uuid *cp = data;
2187         struct mgmt_pending_cmd *cmd;
2188         struct bt_uuid *match, *tmp;
2189         u8 bt_uuid_any[] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
2190         struct hci_request req;
2191         int err, found;
2192
2193         bt_dev_dbg(hdev, "sock %p", sk);
2194
2195         hci_dev_lock(hdev);
2196
2197         if (pending_eir_or_class(hdev)) {
2198                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_UUID,
2199                                       MGMT_STATUS_BUSY);
2200                 goto unlock;
2201         }
2202
2203         if (memcmp(cp->uuid, bt_uuid_any, 16) == 0) {
2204                 hci_uuids_clear(hdev);
2205
2206                 if (enable_service_cache(hdev)) {
2207                         err = mgmt_cmd_complete(sk, hdev->id,
2208                                                 MGMT_OP_REMOVE_UUID,
2209                                                 0, hdev->dev_class, 3);
2210                         goto unlock;
2211                 }
2212
2213                 goto update_class;
2214         }
2215
2216         found = 0;
2217
2218         list_for_each_entry_safe(match, tmp, &hdev->uuids, list) {
2219                 if (memcmp(match->uuid, cp->uuid, 16) != 0)
2220                         continue;
2221
2222                 list_del(&match->list);
2223                 kfree(match);
2224                 found++;
2225         }
2226
2227         if (found == 0) {
2228                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_UUID,
2229                                       MGMT_STATUS_INVALID_PARAMS);
2230                 goto unlock;
2231         }
2232
2233 update_class:
2234         hci_req_init(&req, hdev);
2235
2236         __hci_req_update_class(&req);
2237         __hci_req_update_eir(&req);
2238
2239         err = hci_req_run(&req, remove_uuid_complete);
2240         if (err < 0) {
2241                 if (err != -ENODATA)
2242                         goto unlock;
2243
2244                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_UUID, 0,
2245                                         hdev->dev_class, 3);
2246                 goto unlock;
2247         }
2248
2249         cmd = mgmt_pending_add(sk, MGMT_OP_REMOVE_UUID, hdev, data, len);
2250         if (!cmd) {
2251                 err = -ENOMEM;
2252                 goto unlock;
2253         }
2254
2255         err = 0;
2256
2257 unlock:
2258         hci_dev_unlock(hdev);
2259         return err;
2260 }
2261
2262 static void set_class_complete(struct hci_dev *hdev, u8 status, u16 opcode)
2263 {
2264         bt_dev_dbg(hdev, "status 0x%02x", status);
2265
2266         mgmt_class_complete(hdev, MGMT_OP_SET_DEV_CLASS, status);
2267 }
2268
2269 static int set_dev_class(struct sock *sk, struct hci_dev *hdev, void *data,
2270                          u16 len)
2271 {
2272         struct mgmt_cp_set_dev_class *cp = data;
2273         struct mgmt_pending_cmd *cmd;
2274         struct hci_request req;
2275         int err;
2276
2277         bt_dev_dbg(hdev, "sock %p", sk);
2278
2279         if (!lmp_bredr_capable(hdev))
2280                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEV_CLASS,
2281                                        MGMT_STATUS_NOT_SUPPORTED);
2282
2283         hci_dev_lock(hdev);
2284
2285         if (pending_eir_or_class(hdev)) {
2286                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEV_CLASS,
2287                                       MGMT_STATUS_BUSY);
2288                 goto unlock;
2289         }
2290
2291         if ((cp->minor & 0x03) != 0 || (cp->major & 0xe0) != 0) {
2292                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEV_CLASS,
2293                                       MGMT_STATUS_INVALID_PARAMS);
2294                 goto unlock;
2295         }
2296
2297         hdev->major_class = cp->major;
2298         hdev->minor_class = cp->minor;
2299
2300         if (!hdev_is_powered(hdev)) {
2301                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_DEV_CLASS, 0,
2302                                         hdev->dev_class, 3);
2303                 goto unlock;
2304         }
2305
2306         hci_req_init(&req, hdev);
2307
2308         if (hci_dev_test_and_clear_flag(hdev, HCI_SERVICE_CACHE)) {
2309                 hci_dev_unlock(hdev);
2310                 cancel_delayed_work_sync(&hdev->service_cache);
2311                 hci_dev_lock(hdev);
2312                 __hci_req_update_eir(&req);
2313         }
2314
2315         __hci_req_update_class(&req);
2316
2317         err = hci_req_run(&req, set_class_complete);
2318         if (err < 0) {
2319                 if (err != -ENODATA)
2320                         goto unlock;
2321
2322                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_DEV_CLASS, 0,
2323                                         hdev->dev_class, 3);
2324                 goto unlock;
2325         }
2326
2327         cmd = mgmt_pending_add(sk, MGMT_OP_SET_DEV_CLASS, hdev, data, len);
2328         if (!cmd) {
2329                 err = -ENOMEM;
2330                 goto unlock;
2331         }
2332
2333         err = 0;
2334
2335 unlock:
2336         hci_dev_unlock(hdev);
2337         return err;
2338 }
2339
2340 static int load_link_keys(struct sock *sk, struct hci_dev *hdev, void *data,
2341                           u16 len)
2342 {
2343         struct mgmt_cp_load_link_keys *cp = data;
2344         const u16 max_key_count = ((U16_MAX - sizeof(*cp)) /
2345                                    sizeof(struct mgmt_link_key_info));
2346         u16 key_count, expected_len;
2347         bool changed;
2348         int i;
2349
2350         bt_dev_dbg(hdev, "sock %p", sk);
2351
2352         if (!lmp_bredr_capable(hdev))
2353                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2354                                        MGMT_STATUS_NOT_SUPPORTED);
2355
2356         key_count = __le16_to_cpu(cp->key_count);
2357         if (key_count > max_key_count) {
2358                 bt_dev_err(hdev, "load_link_keys: too big key_count value %u",
2359                            key_count);
2360                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2361                                        MGMT_STATUS_INVALID_PARAMS);
2362         }
2363
2364         expected_len = struct_size(cp, keys, key_count);
2365         if (expected_len != len) {
2366                 bt_dev_err(hdev, "load_link_keys: expected %u bytes, got %u bytes",
2367                            expected_len, len);
2368                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2369                                        MGMT_STATUS_INVALID_PARAMS);
2370         }
2371
2372         if (cp->debug_keys != 0x00 && cp->debug_keys != 0x01)
2373                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2374                                        MGMT_STATUS_INVALID_PARAMS);
2375
2376         bt_dev_dbg(hdev, "debug_keys %u key_count %u", cp->debug_keys,
2377                    key_count);
2378
2379         for (i = 0; i < key_count; i++) {
2380                 struct mgmt_link_key_info *key = &cp->keys[i];
2381
2382                 if (key->addr.type != BDADDR_BREDR || key->type > 0x08)
2383                         return mgmt_cmd_status(sk, hdev->id,
2384                                                MGMT_OP_LOAD_LINK_KEYS,
2385                                                MGMT_STATUS_INVALID_PARAMS);
2386         }
2387
2388         hci_dev_lock(hdev);
2389
2390         hci_link_keys_clear(hdev);
2391
2392         if (cp->debug_keys)
2393                 changed = !hci_dev_test_and_set_flag(hdev, HCI_KEEP_DEBUG_KEYS);
2394         else
2395                 changed = hci_dev_test_and_clear_flag(hdev,
2396                                                       HCI_KEEP_DEBUG_KEYS);
2397
2398         if (changed)
2399                 new_settings(hdev, NULL);
2400
2401         for (i = 0; i < key_count; i++) {
2402                 struct mgmt_link_key_info *key = &cp->keys[i];
2403
2404                 if (hci_is_blocked_key(hdev,
2405                                        HCI_BLOCKED_KEY_TYPE_LINKKEY,
2406                                        key->val)) {
2407                         bt_dev_warn(hdev, "Skipping blocked link key for %pMR",
2408                                     &key->addr.bdaddr);
2409                         continue;
2410                 }
2411
2412                 /* Always ignore debug keys and require a new pairing if
2413                  * the user wants to use them.
2414                  */
2415                 if (key->type == HCI_LK_DEBUG_COMBINATION)
2416                         continue;
2417
2418                 hci_add_link_key(hdev, NULL, &key->addr.bdaddr, key->val,
2419                                  key->type, key->pin_len, NULL);
2420         }
2421
2422         mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS, 0, NULL, 0);
2423
2424         hci_dev_unlock(hdev);
2425
2426         return 0;
2427 }
2428
2429 static int device_unpaired(struct hci_dev *hdev, bdaddr_t *bdaddr,
2430                            u8 addr_type, struct sock *skip_sk)
2431 {
2432         struct mgmt_ev_device_unpaired ev;
2433
2434         bacpy(&ev.addr.bdaddr, bdaddr);
2435         ev.addr.type = addr_type;
2436
2437         return mgmt_event(MGMT_EV_DEVICE_UNPAIRED, hdev, &ev, sizeof(ev),
2438                           skip_sk);
2439 }
2440
2441 static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2442                          u16 len)
2443 {
2444         struct mgmt_cp_unpair_device *cp = data;
2445         struct mgmt_rp_unpair_device rp;
2446         struct hci_conn_params *params;
2447         struct mgmt_pending_cmd *cmd;
2448         struct hci_conn *conn;
2449         u8 addr_type;
2450         int err;
2451
2452         memset(&rp, 0, sizeof(rp));
2453         bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
2454         rp.addr.type = cp->addr.type;
2455
2456         if (!bdaddr_type_is_valid(cp->addr.type))
2457                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2458                                          MGMT_STATUS_INVALID_PARAMS,
2459                                          &rp, sizeof(rp));
2460
2461         if (cp->disconnect != 0x00 && cp->disconnect != 0x01)
2462                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2463                                          MGMT_STATUS_INVALID_PARAMS,
2464                                          &rp, sizeof(rp));
2465
2466         hci_dev_lock(hdev);
2467
2468         if (!hdev_is_powered(hdev)) {
2469                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2470                                         MGMT_STATUS_NOT_POWERED, &rp,
2471                                         sizeof(rp));
2472                 goto unlock;
2473         }
2474
2475         if (cp->addr.type == BDADDR_BREDR) {
2476                 /* If disconnection is requested, then look up the
2477                  * connection. If the remote device is connected, it
2478                  * will be later used to terminate the link.
2479                  *
2480                  * Setting it to NULL explicitly will cause no
2481                  * termination of the link.
2482                  */
2483                 if (cp->disconnect)
2484                         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
2485                                                        &cp->addr.bdaddr);
2486                 else
2487                         conn = NULL;
2488
2489                 err = hci_remove_link_key(hdev, &cp->addr.bdaddr);
2490                 if (err < 0) {
2491                         err = mgmt_cmd_complete(sk, hdev->id,
2492                                                 MGMT_OP_UNPAIR_DEVICE,
2493                                                 MGMT_STATUS_NOT_PAIRED, &rp,
2494                                                 sizeof(rp));
2495                         goto unlock;
2496                 }
2497
2498                 goto done;
2499         }
2500
2501         /* LE address type */
2502         addr_type = le_addr_type(cp->addr.type);
2503
2504         /* Abort any ongoing SMP pairing. Removes ltk and irk if they exist. */
2505         err = smp_cancel_and_remove_pairing(hdev, &cp->addr.bdaddr, addr_type);
2506         if (err < 0) {
2507                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2508                                         MGMT_STATUS_NOT_PAIRED, &rp,
2509                                         sizeof(rp));
2510                 goto unlock;
2511         }
2512
2513         conn = hci_conn_hash_lookup_le(hdev, &cp->addr.bdaddr, addr_type);
2514         if (!conn) {
2515                 hci_conn_params_del(hdev, &cp->addr.bdaddr, addr_type);
2516                 goto done;
2517         }
2518
2519
2520         /* Defer clearing up the connection parameters until closing to
2521          * give a chance of keeping them if a repairing happens.
2522          */
2523         set_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags);
2524
2525         /* Disable auto-connection parameters if present */
2526         params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr, addr_type);
2527         if (params) {
2528                 if (params->explicit_connect)
2529                         params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
2530                 else
2531                         params->auto_connect = HCI_AUTO_CONN_DISABLED;
2532         }
2533
2534         /* If disconnection is not requested, then clear the connection
2535          * variable so that the link is not terminated.
2536          */
2537         if (!cp->disconnect)
2538                 conn = NULL;
2539
2540 done:
2541         /* If the connection variable is set, then termination of the
2542          * link is requested.
2543          */
2544         if (!conn) {
2545                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE, 0,
2546                                         &rp, sizeof(rp));
2547                 device_unpaired(hdev, &cp->addr.bdaddr, cp->addr.type, sk);
2548                 goto unlock;
2549         }
2550
2551         cmd = mgmt_pending_add(sk, MGMT_OP_UNPAIR_DEVICE, hdev, cp,
2552                                sizeof(*cp));
2553         if (!cmd) {
2554                 err = -ENOMEM;
2555                 goto unlock;
2556         }
2557
2558         cmd->cmd_complete = addr_cmd_complete;
2559
2560         err = hci_abort_conn(conn, HCI_ERROR_REMOTE_USER_TERM);
2561         if (err < 0)
2562                 mgmt_pending_remove(cmd);
2563
2564 unlock:
2565         hci_dev_unlock(hdev);
2566         return err;
2567 }
2568
2569 static int disconnect(struct sock *sk, struct hci_dev *hdev, void *data,
2570                       u16 len)
2571 {
2572         struct mgmt_cp_disconnect *cp = data;
2573         struct mgmt_rp_disconnect rp;
2574         struct mgmt_pending_cmd *cmd;
2575         struct hci_conn *conn;
2576         int err;
2577
2578         bt_dev_dbg(hdev, "sock %p", sk);
2579
2580         memset(&rp, 0, sizeof(rp));
2581         bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
2582         rp.addr.type = cp->addr.type;
2583
2584         if (!bdaddr_type_is_valid(cp->addr.type))
2585                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
2586                                          MGMT_STATUS_INVALID_PARAMS,
2587                                          &rp, sizeof(rp));
2588
2589         hci_dev_lock(hdev);
2590
2591         if (!test_bit(HCI_UP, &hdev->flags)) {
2592                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
2593                                         MGMT_STATUS_NOT_POWERED, &rp,
2594                                         sizeof(rp));
2595                 goto failed;
2596         }
2597
2598         if (pending_find(MGMT_OP_DISCONNECT, hdev)) {
2599                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
2600                                         MGMT_STATUS_BUSY, &rp, sizeof(rp));
2601                 goto failed;
2602         }
2603
2604         if (cp->addr.type == BDADDR_BREDR)
2605                 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
2606                                                &cp->addr.bdaddr);
2607         else
2608                 conn = hci_conn_hash_lookup_le(hdev, &cp->addr.bdaddr,
2609                                                le_addr_type(cp->addr.type));
2610
2611         if (!conn || conn->state == BT_OPEN || conn->state == BT_CLOSED) {
2612                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
2613                                         MGMT_STATUS_NOT_CONNECTED, &rp,
2614                                         sizeof(rp));
2615                 goto failed;
2616         }
2617
2618         cmd = mgmt_pending_add(sk, MGMT_OP_DISCONNECT, hdev, data, len);
2619         if (!cmd) {
2620                 err = -ENOMEM;
2621                 goto failed;
2622         }
2623
2624         cmd->cmd_complete = generic_cmd_complete;
2625
2626         err = hci_disconnect(conn, HCI_ERROR_REMOTE_USER_TERM);
2627         if (err < 0)
2628                 mgmt_pending_remove(cmd);
2629
2630 failed:
2631         hci_dev_unlock(hdev);
2632         return err;
2633 }
2634
2635 static u8 link_to_bdaddr(u8 link_type, u8 addr_type)
2636 {
2637         switch (link_type) {
2638         case LE_LINK:
2639                 switch (addr_type) {
2640                 case ADDR_LE_DEV_PUBLIC:
2641                         return BDADDR_LE_PUBLIC;
2642
2643                 default:
2644                         /* Fallback to LE Random address type */
2645                         return BDADDR_LE_RANDOM;
2646                 }
2647
2648         default:
2649                 /* Fallback to BR/EDR type */
2650                 return BDADDR_BREDR;
2651         }
2652 }
2653
2654 static int get_connections(struct sock *sk, struct hci_dev *hdev, void *data,
2655                            u16 data_len)
2656 {
2657         struct mgmt_rp_get_connections *rp;
2658         struct hci_conn *c;
2659         int err;
2660         u16 i;
2661
2662         bt_dev_dbg(hdev, "sock %p", sk);
2663
2664         hci_dev_lock(hdev);
2665
2666         if (!hdev_is_powered(hdev)) {
2667                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_GET_CONNECTIONS,
2668                                       MGMT_STATUS_NOT_POWERED);
2669                 goto unlock;
2670         }
2671
2672         i = 0;
2673         list_for_each_entry(c, &hdev->conn_hash.list, list) {
2674                 if (test_bit(HCI_CONN_MGMT_CONNECTED, &c->flags))
2675                         i++;
2676         }
2677
2678         rp = kmalloc(struct_size(rp, addr, i), GFP_KERNEL);
2679         if (!rp) {
2680                 err = -ENOMEM;
2681                 goto unlock;
2682         }
2683
2684         i = 0;
2685         list_for_each_entry(c, &hdev->conn_hash.list, list) {
2686                 if (!test_bit(HCI_CONN_MGMT_CONNECTED, &c->flags))
2687                         continue;
2688                 bacpy(&rp->addr[i].bdaddr, &c->dst);
2689                 rp->addr[i].type = link_to_bdaddr(c->type, c->dst_type);
2690                 if (c->type == SCO_LINK || c->type == ESCO_LINK)
2691                         continue;
2692                 i++;
2693         }
2694
2695         rp->conn_count = cpu_to_le16(i);
2696
2697         /* Recalculate length in case of filtered SCO connections, etc */
2698         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONNECTIONS, 0, rp,
2699                                 struct_size(rp, addr, i));
2700
2701         kfree(rp);
2702
2703 unlock:
2704         hci_dev_unlock(hdev);
2705         return err;
2706 }
2707
2708 static int send_pin_code_neg_reply(struct sock *sk, struct hci_dev *hdev,
2709                                    struct mgmt_cp_pin_code_neg_reply *cp)
2710 {
2711         struct mgmt_pending_cmd *cmd;
2712         int err;
2713
2714         cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_NEG_REPLY, hdev, cp,
2715                                sizeof(*cp));
2716         if (!cmd)
2717                 return -ENOMEM;
2718
2719         cmd->cmd_complete = addr_cmd_complete;
2720
2721         err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
2722                            sizeof(cp->addr.bdaddr), &cp->addr.bdaddr);
2723         if (err < 0)
2724                 mgmt_pending_remove(cmd);
2725
2726         return err;
2727 }
2728
2729 static int pin_code_reply(struct sock *sk, struct hci_dev *hdev, void *data,
2730                           u16 len)
2731 {
2732         struct hci_conn *conn;
2733         struct mgmt_cp_pin_code_reply *cp = data;
2734         struct hci_cp_pin_code_reply reply;
2735         struct mgmt_pending_cmd *cmd;
2736         int err;
2737
2738         bt_dev_dbg(hdev, "sock %p", sk);
2739
2740         hci_dev_lock(hdev);
2741
2742         if (!hdev_is_powered(hdev)) {
2743                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
2744                                       MGMT_STATUS_NOT_POWERED);
2745                 goto failed;
2746         }
2747
2748         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->addr.bdaddr);
2749         if (!conn) {
2750                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
2751                                       MGMT_STATUS_NOT_CONNECTED);
2752                 goto failed;
2753         }
2754
2755         if (conn->pending_sec_level == BT_SECURITY_HIGH && cp->pin_len != 16) {
2756                 struct mgmt_cp_pin_code_neg_reply ncp;
2757
2758                 memcpy(&ncp.addr, &cp->addr, sizeof(ncp.addr));
2759
2760                 bt_dev_err(hdev, "PIN code is not 16 bytes long");
2761
2762                 err = send_pin_code_neg_reply(sk, hdev, &ncp);
2763                 if (err >= 0)
2764                         err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
2765                                               MGMT_STATUS_INVALID_PARAMS);
2766
2767                 goto failed;
2768         }
2769
2770         cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_REPLY, hdev, data, len);
2771         if (!cmd) {
2772                 err = -ENOMEM;
2773                 goto failed;
2774         }
2775
2776         cmd->cmd_complete = addr_cmd_complete;
2777
2778         bacpy(&reply.bdaddr, &cp->addr.bdaddr);
2779         reply.pin_len = cp->pin_len;
2780         memcpy(reply.pin_code, cp->pin_code, sizeof(reply.pin_code));
2781
2782         err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_REPLY, sizeof(reply), &reply);
2783         if (err < 0)
2784                 mgmt_pending_remove(cmd);
2785
2786 failed:
2787         hci_dev_unlock(hdev);
2788         return err;
2789 }
2790
2791 static int set_io_capability(struct sock *sk, struct hci_dev *hdev, void *data,
2792                              u16 len)
2793 {
2794         struct mgmt_cp_set_io_capability *cp = data;
2795
2796         bt_dev_dbg(hdev, "sock %p", sk);
2797
2798         if (cp->io_capability > SMP_IO_KEYBOARD_DISPLAY)
2799                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_IO_CAPABILITY,
2800                                        MGMT_STATUS_INVALID_PARAMS);
2801
2802         hci_dev_lock(hdev);
2803
2804         hdev->io_capability = cp->io_capability;
2805
2806         bt_dev_dbg(hdev, "IO capability set to 0x%02x", hdev->io_capability);
2807
2808         hci_dev_unlock(hdev);
2809
2810         return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_IO_CAPABILITY, 0,
2811                                  NULL, 0);
2812 }
2813
2814 static struct mgmt_pending_cmd *find_pairing(struct hci_conn *conn)
2815 {
2816         struct hci_dev *hdev = conn->hdev;
2817         struct mgmt_pending_cmd *cmd;
2818
2819         list_for_each_entry(cmd, &hdev->mgmt_pending, list) {
2820                 if (cmd->opcode != MGMT_OP_PAIR_DEVICE)
2821                         continue;
2822
2823                 if (cmd->user_data != conn)
2824                         continue;
2825
2826                 return cmd;
2827         }
2828
2829         return NULL;
2830 }
2831
2832 static int pairing_complete(struct mgmt_pending_cmd *cmd, u8 status)
2833 {
2834         struct mgmt_rp_pair_device rp;
2835         struct hci_conn *conn = cmd->user_data;
2836         int err;
2837
2838         bacpy(&rp.addr.bdaddr, &conn->dst);
2839         rp.addr.type = link_to_bdaddr(conn->type, conn->dst_type);
2840
2841         err = mgmt_cmd_complete(cmd->sk, cmd->index, MGMT_OP_PAIR_DEVICE,
2842                                 status, &rp, sizeof(rp));
2843
2844         /* So we don't get further callbacks for this connection */
2845         conn->connect_cfm_cb = NULL;
2846         conn->security_cfm_cb = NULL;
2847         conn->disconn_cfm_cb = NULL;
2848
2849         hci_conn_drop(conn);
2850
2851         /* The device is paired so there is no need to remove
2852          * its connection parameters anymore.
2853          */
2854         clear_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags);
2855
2856         hci_conn_put(conn);
2857
2858         return err;
2859 }
2860
2861 void mgmt_smp_complete(struct hci_conn *conn, bool complete)
2862 {
2863         u8 status = complete ? MGMT_STATUS_SUCCESS : MGMT_STATUS_FAILED;
2864         struct mgmt_pending_cmd *cmd;
2865
2866         cmd = find_pairing(conn);
2867         if (cmd) {
2868                 cmd->cmd_complete(cmd, status);
2869                 mgmt_pending_remove(cmd);
2870         }
2871 }
2872
2873 static void pairing_complete_cb(struct hci_conn *conn, u8 status)
2874 {
2875         struct mgmt_pending_cmd *cmd;
2876
2877         BT_DBG("status %u", status);
2878
2879         cmd = find_pairing(conn);
2880         if (!cmd) {
2881                 BT_DBG("Unable to find a pending command");
2882                 return;
2883         }
2884
2885         cmd->cmd_complete(cmd, mgmt_status(status));
2886         mgmt_pending_remove(cmd);
2887 }
2888
2889 static void le_pairing_complete_cb(struct hci_conn *conn, u8 status)
2890 {
2891         struct mgmt_pending_cmd *cmd;
2892
2893         BT_DBG("status %u", status);
2894
2895         if (!status)
2896                 return;
2897
2898         cmd = find_pairing(conn);
2899         if (!cmd) {
2900                 BT_DBG("Unable to find a pending command");
2901                 return;
2902         }
2903
2904         cmd->cmd_complete(cmd, mgmt_status(status));
2905         mgmt_pending_remove(cmd);
2906 }
2907
2908 static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2909                        u16 len)
2910 {
2911         struct mgmt_cp_pair_device *cp = data;
2912         struct mgmt_rp_pair_device rp;
2913         struct mgmt_pending_cmd *cmd;
2914         u8 sec_level, auth_type;
2915         struct hci_conn *conn;
2916         int err;
2917
2918         bt_dev_dbg(hdev, "sock %p", sk);
2919
2920         memset(&rp, 0, sizeof(rp));
2921         bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
2922         rp.addr.type = cp->addr.type;
2923
2924         if (!bdaddr_type_is_valid(cp->addr.type))
2925                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2926                                          MGMT_STATUS_INVALID_PARAMS,
2927                                          &rp, sizeof(rp));
2928
2929         if (cp->io_cap > SMP_IO_KEYBOARD_DISPLAY)
2930                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2931                                          MGMT_STATUS_INVALID_PARAMS,
2932                                          &rp, sizeof(rp));
2933
2934         hci_dev_lock(hdev);
2935
2936         if (!hdev_is_powered(hdev)) {
2937                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2938                                         MGMT_STATUS_NOT_POWERED, &rp,
2939                                         sizeof(rp));
2940                 goto unlock;
2941         }
2942
2943         if (hci_bdaddr_is_paired(hdev, &cp->addr.bdaddr, cp->addr.type)) {
2944                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2945                                         MGMT_STATUS_ALREADY_PAIRED, &rp,
2946                                         sizeof(rp));
2947                 goto unlock;
2948         }
2949
2950         sec_level = BT_SECURITY_MEDIUM;
2951         auth_type = HCI_AT_DEDICATED_BONDING;
2952
2953         if (cp->addr.type == BDADDR_BREDR) {
2954                 conn = hci_connect_acl(hdev, &cp->addr.bdaddr, sec_level,
2955                                        auth_type, CONN_REASON_PAIR_DEVICE);
2956         } else {
2957                 u8 addr_type = le_addr_type(cp->addr.type);
2958                 struct hci_conn_params *p;
2959
2960                 /* When pairing a new device, it is expected to remember
2961                  * this device for future connections. Adding the connection
2962                  * parameter information ahead of time allows tracking
2963                  * of the peripheral preferred values and will speed up any
2964                  * further connection establishment.
2965                  *
2966                  * If connection parameters already exist, then they
2967                  * will be kept and this function does nothing.
2968                  */
2969                 p = hci_conn_params_add(hdev, &cp->addr.bdaddr, addr_type);
2970
2971                 if (p->auto_connect == HCI_AUTO_CONN_EXPLICIT)
2972                         p->auto_connect = HCI_AUTO_CONN_DISABLED;
2973
2974                 conn = hci_connect_le_scan(hdev, &cp->addr.bdaddr, addr_type,
2975                                            sec_level, HCI_LE_CONN_TIMEOUT,
2976                                            CONN_REASON_PAIR_DEVICE);
2977         }
2978
2979         if (IS_ERR(conn)) {
2980                 int status;
2981
2982                 if (PTR_ERR(conn) == -EBUSY)
2983                         status = MGMT_STATUS_BUSY;
2984                 else if (PTR_ERR(conn) == -EOPNOTSUPP)
2985                         status = MGMT_STATUS_NOT_SUPPORTED;
2986                 else if (PTR_ERR(conn) == -ECONNREFUSED)
2987                         status = MGMT_STATUS_REJECTED;
2988                 else
2989                         status = MGMT_STATUS_CONNECT_FAILED;
2990
2991                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2992                                         status, &rp, sizeof(rp));
2993                 goto unlock;
2994         }
2995
2996         if (conn->connect_cfm_cb) {
2997                 hci_conn_drop(conn);
2998                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2999                                         MGMT_STATUS_BUSY, &rp, sizeof(rp));
3000                 goto unlock;
3001         }
3002
3003         cmd = mgmt_pending_add(sk, MGMT_OP_PAIR_DEVICE, hdev, data, len);
3004         if (!cmd) {
3005                 err = -ENOMEM;
3006                 hci_conn_drop(conn);
3007                 goto unlock;
3008         }
3009
3010         cmd->cmd_complete = pairing_complete;
3011
3012         /* For LE, just connecting isn't a proof that the pairing finished */
3013         if (cp->addr.type == BDADDR_BREDR) {
3014                 conn->connect_cfm_cb = pairing_complete_cb;
3015                 conn->security_cfm_cb = pairing_complete_cb;
3016                 conn->disconn_cfm_cb = pairing_complete_cb;
3017         } else {
3018                 conn->connect_cfm_cb = le_pairing_complete_cb;
3019                 conn->security_cfm_cb = le_pairing_complete_cb;
3020                 conn->disconn_cfm_cb = le_pairing_complete_cb;
3021         }
3022
3023         conn->io_capability = cp->io_cap;
3024         cmd->user_data = hci_conn_get(conn);
3025
3026         if ((conn->state == BT_CONNECTED || conn->state == BT_CONFIG) &&
3027             hci_conn_security(conn, sec_level, auth_type, true)) {
3028                 cmd->cmd_complete(cmd, 0);
3029                 mgmt_pending_remove(cmd);
3030         }
3031
3032         err = 0;
3033
3034 unlock:
3035         hci_dev_unlock(hdev);
3036         return err;
3037 }
3038
3039 static int cancel_pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
3040                               u16 len)
3041 {
3042         struct mgmt_addr_info *addr = data;
3043         struct mgmt_pending_cmd *cmd;
3044         struct hci_conn *conn;
3045         int err;
3046
3047         bt_dev_dbg(hdev, "sock %p", sk);
3048
3049         hci_dev_lock(hdev);
3050
3051         if (!hdev_is_powered(hdev)) {
3052                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
3053                                       MGMT_STATUS_NOT_POWERED);
3054                 goto unlock;
3055         }
3056
3057         cmd = pending_find(MGMT_OP_PAIR_DEVICE, hdev);
3058         if (!cmd) {
3059                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
3060                                       MGMT_STATUS_INVALID_PARAMS);
3061                 goto unlock;
3062         }
3063
3064         conn = cmd->user_data;
3065
3066         if (bacmp(&addr->bdaddr, &conn->dst) != 0) {
3067                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
3068                                       MGMT_STATUS_INVALID_PARAMS);
3069                 goto unlock;
3070         }
3071
3072         cmd->cmd_complete(cmd, MGMT_STATUS_CANCELLED);
3073         mgmt_pending_remove(cmd);
3074
3075         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE, 0,
3076                                 addr, sizeof(*addr));
3077
3078         /* Since user doesn't want to proceed with the connection, abort any
3079          * ongoing pairing and then terminate the link if it was created
3080          * because of the pair device action.
3081          */
3082         if (addr->type == BDADDR_BREDR)
3083                 hci_remove_link_key(hdev, &addr->bdaddr);
3084         else
3085                 smp_cancel_and_remove_pairing(hdev, &addr->bdaddr,
3086                                               le_addr_type(addr->type));
3087
3088         if (conn->conn_reason == CONN_REASON_PAIR_DEVICE)
3089                 hci_abort_conn(conn, HCI_ERROR_REMOTE_USER_TERM);
3090
3091 unlock:
3092         hci_dev_unlock(hdev);
3093         return err;
3094 }
3095
3096 static int user_pairing_resp(struct sock *sk, struct hci_dev *hdev,
3097                              struct mgmt_addr_info *addr, u16 mgmt_op,
3098                              u16 hci_op, __le32 passkey)
3099 {
3100         struct mgmt_pending_cmd *cmd;
3101         struct hci_conn *conn;
3102         int err;
3103
3104         hci_dev_lock(hdev);
3105
3106         if (!hdev_is_powered(hdev)) {
3107                 err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
3108                                         MGMT_STATUS_NOT_POWERED, addr,
3109                                         sizeof(*addr));
3110                 goto done;
3111         }
3112
3113         if (addr->type == BDADDR_BREDR)
3114                 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &addr->bdaddr);
3115         else
3116                 conn = hci_conn_hash_lookup_le(hdev, &addr->bdaddr,
3117                                                le_addr_type(addr->type));
3118
3119         if (!conn) {
3120                 err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
3121                                         MGMT_STATUS_NOT_CONNECTED, addr,
3122                                         sizeof(*addr));
3123                 goto done;
3124         }
3125
3126         if (addr->type == BDADDR_LE_PUBLIC || addr->type == BDADDR_LE_RANDOM) {
3127                 err = smp_user_confirm_reply(conn, mgmt_op, passkey);
3128                 if (!err)
3129                         err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
3130                                                 MGMT_STATUS_SUCCESS, addr,
3131                                                 sizeof(*addr));
3132                 else
3133                         err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
3134                                                 MGMT_STATUS_FAILED, addr,
3135                                                 sizeof(*addr));
3136
3137                 goto done;
3138         }
3139
3140         cmd = mgmt_pending_add(sk, mgmt_op, hdev, addr, sizeof(*addr));
3141         if (!cmd) {
3142                 err = -ENOMEM;
3143                 goto done;
3144         }
3145
3146         cmd->cmd_complete = addr_cmd_complete;
3147
3148         /* Continue with pairing via HCI */
3149         if (hci_op == HCI_OP_USER_PASSKEY_REPLY) {
3150                 struct hci_cp_user_passkey_reply cp;
3151
3152                 bacpy(&cp.bdaddr, &addr->bdaddr);
3153                 cp.passkey = passkey;
3154                 err = hci_send_cmd(hdev, hci_op, sizeof(cp), &cp);
3155         } else
3156                 err = hci_send_cmd(hdev, hci_op, sizeof(addr->bdaddr),
3157                                    &addr->bdaddr);
3158
3159         if (err < 0)
3160                 mgmt_pending_remove(cmd);
3161
3162 done:
3163         hci_dev_unlock(hdev);
3164         return err;
3165 }
3166
3167 static int pin_code_neg_reply(struct sock *sk, struct hci_dev *hdev,
3168                               void *data, u16 len)
3169 {
3170         struct mgmt_cp_pin_code_neg_reply *cp = data;
3171
3172         bt_dev_dbg(hdev, "sock %p", sk);
3173
3174         return user_pairing_resp(sk, hdev, &cp->addr,
3175                                 MGMT_OP_PIN_CODE_NEG_REPLY,
3176                                 HCI_OP_PIN_CODE_NEG_REPLY, 0);
3177 }
3178
3179 static int user_confirm_reply(struct sock *sk, struct hci_dev *hdev, void *data,
3180                               u16 len)
3181 {
3182         struct mgmt_cp_user_confirm_reply *cp = data;
3183
3184         bt_dev_dbg(hdev, "sock %p", sk);
3185
3186         if (len != sizeof(*cp))
3187                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_USER_CONFIRM_REPLY,
3188                                        MGMT_STATUS_INVALID_PARAMS);
3189
3190         return user_pairing_resp(sk, hdev, &cp->addr,
3191                                  MGMT_OP_USER_CONFIRM_REPLY,
3192                                  HCI_OP_USER_CONFIRM_REPLY, 0);
3193 }
3194
3195 static int user_confirm_neg_reply(struct sock *sk, struct hci_dev *hdev,
3196                                   void *data, u16 len)
3197 {
3198         struct mgmt_cp_user_confirm_neg_reply *cp = data;
3199
3200         bt_dev_dbg(hdev, "sock %p", sk);
3201
3202         return user_pairing_resp(sk, hdev, &cp->addr,
3203                                  MGMT_OP_USER_CONFIRM_NEG_REPLY,
3204                                  HCI_OP_USER_CONFIRM_NEG_REPLY, 0);
3205 }
3206
3207 static int user_passkey_reply(struct sock *sk, struct hci_dev *hdev, void *data,
3208                               u16 len)
3209 {
3210         struct mgmt_cp_user_passkey_reply *cp = data;
3211
3212         bt_dev_dbg(hdev, "sock %p", sk);
3213
3214         return user_pairing_resp(sk, hdev, &cp->addr,
3215                                  MGMT_OP_USER_PASSKEY_REPLY,
3216                                  HCI_OP_USER_PASSKEY_REPLY, cp->passkey);
3217 }
3218
3219 static int user_passkey_neg_reply(struct sock *sk, struct hci_dev *hdev,
3220                                   void *data, u16 len)
3221 {
3222         struct mgmt_cp_user_passkey_neg_reply *cp = data;
3223
3224         bt_dev_dbg(hdev, "sock %p", sk);
3225
3226         return user_pairing_resp(sk, hdev, &cp->addr,
3227                                  MGMT_OP_USER_PASSKEY_NEG_REPLY,
3228                                  HCI_OP_USER_PASSKEY_NEG_REPLY, 0);
3229 }
3230
3231 static void adv_expire(struct hci_dev *hdev, u32 flags)
3232 {
3233         struct adv_info *adv_instance;
3234         struct hci_request req;
3235         int err;
3236
3237         adv_instance = hci_find_adv_instance(hdev, hdev->cur_adv_instance);
3238         if (!adv_instance)
3239                 return;
3240
3241         /* stop if current instance doesn't need to be changed */
3242         if (!(adv_instance->flags & flags))
3243                 return;
3244
3245         cancel_adv_timeout(hdev);
3246
3247         adv_instance = hci_get_next_instance(hdev, adv_instance->instance);
3248         if (!adv_instance)
3249                 return;
3250
3251         hci_req_init(&req, hdev);
3252         err = __hci_req_schedule_adv_instance(&req, adv_instance->instance,
3253                                               true);
3254         if (err)
3255                 return;
3256
3257         hci_req_run(&req, NULL);
3258 }
3259
3260 static void set_name_complete(struct hci_dev *hdev, u8 status, u16 opcode)
3261 {
3262         struct mgmt_cp_set_local_name *cp;
3263         struct mgmt_pending_cmd *cmd;
3264
3265         bt_dev_dbg(hdev, "status 0x%02x", status);
3266
3267         hci_dev_lock(hdev);
3268
3269         cmd = pending_find(MGMT_OP_SET_LOCAL_NAME, hdev);
3270         if (!cmd)
3271                 goto unlock;
3272
3273         cp = cmd->param;
3274
3275         if (status) {
3276                 mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_LOCAL_NAME,
3277                                 mgmt_status(status));
3278         } else {
3279                 mgmt_cmd_complete(cmd->sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, 0,
3280                                   cp, sizeof(*cp));
3281
3282                 if (hci_dev_test_flag(hdev, HCI_LE_ADV))
3283                         adv_expire(hdev, MGMT_ADV_FLAG_LOCAL_NAME);
3284         }
3285
3286         mgmt_pending_remove(cmd);
3287
3288 unlock:
3289         hci_dev_unlock(hdev);
3290 }
3291
3292 static int set_local_name(struct sock *sk, struct hci_dev *hdev, void *data,
3293                           u16 len)
3294 {
3295         struct mgmt_cp_set_local_name *cp = data;
3296         struct mgmt_pending_cmd *cmd;
3297         struct hci_request req;
3298         int err;
3299
3300         bt_dev_dbg(hdev, "sock %p", sk);
3301
3302         hci_dev_lock(hdev);
3303
3304         /* If the old values are the same as the new ones just return a
3305          * direct command complete event.
3306          */
3307         if (!memcmp(hdev->dev_name, cp->name, sizeof(hdev->dev_name)) &&
3308             !memcmp(hdev->short_name, cp->short_name,
3309                     sizeof(hdev->short_name))) {
3310                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, 0,
3311                                         data, len);
3312                 goto failed;
3313         }
3314
3315         memcpy(hdev->short_name, cp->short_name, sizeof(hdev->short_name));
3316
3317         if (!hdev_is_powered(hdev)) {
3318                 memcpy(hdev->dev_name, cp->name, sizeof(hdev->dev_name));
3319
3320                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, 0,
3321                                         data, len);
3322                 if (err < 0)
3323                         goto failed;
3324
3325                 err = mgmt_limited_event(MGMT_EV_LOCAL_NAME_CHANGED, hdev, data,
3326                                          len, HCI_MGMT_LOCAL_NAME_EVENTS, sk);
3327                 ext_info_changed(hdev, sk);
3328
3329                 goto failed;
3330         }
3331
3332         cmd = mgmt_pending_add(sk, MGMT_OP_SET_LOCAL_NAME, hdev, data, len);
3333         if (!cmd) {
3334                 err = -ENOMEM;
3335                 goto failed;
3336         }
3337
3338         memcpy(hdev->dev_name, cp->name, sizeof(hdev->dev_name));
3339
3340         hci_req_init(&req, hdev);
3341
3342         if (lmp_bredr_capable(hdev)) {
3343                 __hci_req_update_name(&req);
3344                 __hci_req_update_eir(&req);
3345         }
3346
3347         /* The name is stored in the scan response data and so
3348          * no need to update the advertising data here.
3349          */
3350         if (lmp_le_capable(hdev) && hci_dev_test_flag(hdev, HCI_ADVERTISING))
3351                 __hci_req_update_scan_rsp_data(&req, hdev->cur_adv_instance);
3352
3353         err = hci_req_run(&req, set_name_complete);
3354         if (err < 0)
3355                 mgmt_pending_remove(cmd);
3356
3357 failed:
3358         hci_dev_unlock(hdev);
3359         return err;
3360 }
3361
3362 static int set_appearance(struct sock *sk, struct hci_dev *hdev, void *data,
3363                           u16 len)
3364 {
3365         struct mgmt_cp_set_appearance *cp = data;
3366         u16 appearance;
3367         int err;
3368
3369         bt_dev_dbg(hdev, "sock %p", sk);
3370
3371         if (!lmp_le_capable(hdev))
3372                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_APPEARANCE,
3373                                        MGMT_STATUS_NOT_SUPPORTED);
3374
3375         appearance = le16_to_cpu(cp->appearance);
3376
3377         hci_dev_lock(hdev);
3378
3379         if (hdev->appearance != appearance) {
3380                 hdev->appearance = appearance;
3381
3382                 if (hci_dev_test_flag(hdev, HCI_LE_ADV))
3383                         adv_expire(hdev, MGMT_ADV_FLAG_APPEARANCE);
3384
3385                 ext_info_changed(hdev, sk);
3386         }
3387
3388         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_APPEARANCE, 0, NULL,
3389                                 0);
3390
3391         hci_dev_unlock(hdev);
3392
3393         return err;
3394 }
3395
3396 static int get_phy_configuration(struct sock *sk, struct hci_dev *hdev,
3397                                  void *data, u16 len)
3398 {
3399         struct mgmt_rp_get_phy_configuration rp;
3400
3401         bt_dev_dbg(hdev, "sock %p", sk);
3402
3403         hci_dev_lock(hdev);
3404
3405         memset(&rp, 0, sizeof(rp));
3406
3407         rp.supported_phys = cpu_to_le32(get_supported_phys(hdev));
3408         rp.selected_phys = cpu_to_le32(get_selected_phys(hdev));
3409         rp.configurable_phys = cpu_to_le32(get_configurable_phys(hdev));
3410
3411         hci_dev_unlock(hdev);
3412
3413         return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_PHY_CONFIGURATION, 0,
3414                                  &rp, sizeof(rp));
3415 }
3416
3417 int mgmt_phy_configuration_changed(struct hci_dev *hdev, struct sock *skip)
3418 {
3419         struct mgmt_ev_phy_configuration_changed ev;
3420
3421         memset(&ev, 0, sizeof(ev));
3422
3423         ev.selected_phys = cpu_to_le32(get_selected_phys(hdev));
3424
3425         return mgmt_event(MGMT_EV_PHY_CONFIGURATION_CHANGED, hdev, &ev,
3426                           sizeof(ev), skip);
3427 }
3428
3429 static void set_default_phy_complete(struct hci_dev *hdev, u8 status,
3430                                      u16 opcode, struct sk_buff *skb)
3431 {
3432         struct mgmt_pending_cmd *cmd;
3433
3434         bt_dev_dbg(hdev, "status 0x%02x", status);
3435
3436         hci_dev_lock(hdev);
3437
3438         cmd = pending_find(MGMT_OP_SET_PHY_CONFIGURATION, hdev);
3439         if (!cmd)
3440                 goto unlock;
3441
3442         if (status) {
3443                 mgmt_cmd_status(cmd->sk, hdev->id,
3444                                 MGMT_OP_SET_PHY_CONFIGURATION,
3445                                 mgmt_status(status));
3446         } else {
3447                 mgmt_cmd_complete(cmd->sk, hdev->id,
3448                                   MGMT_OP_SET_PHY_CONFIGURATION, 0,
3449                                   NULL, 0);
3450
3451                 mgmt_phy_configuration_changed(hdev, cmd->sk);
3452         }
3453
3454         mgmt_pending_remove(cmd);
3455
3456 unlock:
3457         hci_dev_unlock(hdev);
3458 }
3459
3460 static int set_phy_configuration(struct sock *sk, struct hci_dev *hdev,
3461                                  void *data, u16 len)
3462 {
3463         struct mgmt_cp_set_phy_configuration *cp = data;
3464         struct hci_cp_le_set_default_phy cp_phy;
3465         struct mgmt_pending_cmd *cmd;
3466         struct hci_request req;
3467         u32 selected_phys, configurable_phys, supported_phys, unconfigure_phys;
3468         u16 pkt_type = (HCI_DH1 | HCI_DM1);
3469         bool changed = false;
3470         int err;
3471
3472         bt_dev_dbg(hdev, "sock %p", sk);
3473
3474         configurable_phys = get_configurable_phys(hdev);
3475         supported_phys = get_supported_phys(hdev);
3476         selected_phys = __le32_to_cpu(cp->selected_phys);
3477
3478         if (selected_phys & ~supported_phys)
3479                 return mgmt_cmd_status(sk, hdev->id,
3480                                        MGMT_OP_SET_PHY_CONFIGURATION,
3481                                        MGMT_STATUS_INVALID_PARAMS);
3482
3483         unconfigure_phys = supported_phys & ~configurable_phys;
3484
3485         if ((selected_phys & unconfigure_phys) != unconfigure_phys)
3486                 return mgmt_cmd_status(sk, hdev->id,
3487                                        MGMT_OP_SET_PHY_CONFIGURATION,
3488                                        MGMT_STATUS_INVALID_PARAMS);
3489
3490         if (selected_phys == get_selected_phys(hdev))
3491                 return mgmt_cmd_complete(sk, hdev->id,
3492                                          MGMT_OP_SET_PHY_CONFIGURATION,
3493                                          0, NULL, 0);
3494
3495         hci_dev_lock(hdev);
3496
3497         if (!hdev_is_powered(hdev)) {
3498                 err = mgmt_cmd_status(sk, hdev->id,
3499                                       MGMT_OP_SET_PHY_CONFIGURATION,
3500                                       MGMT_STATUS_REJECTED);
3501                 goto unlock;
3502         }
3503
3504         if (pending_find(MGMT_OP_SET_PHY_CONFIGURATION, hdev)) {
3505                 err = mgmt_cmd_status(sk, hdev->id,
3506                                       MGMT_OP_SET_PHY_CONFIGURATION,
3507                                       MGMT_STATUS_BUSY);
3508                 goto unlock;
3509         }
3510
3511         if (selected_phys & MGMT_PHY_BR_1M_3SLOT)
3512                 pkt_type |= (HCI_DH3 | HCI_DM3);
3513         else
3514                 pkt_type &= ~(HCI_DH3 | HCI_DM3);
3515
3516         if (selected_phys & MGMT_PHY_BR_1M_5SLOT)
3517                 pkt_type |= (HCI_DH5 | HCI_DM5);
3518         else
3519                 pkt_type &= ~(HCI_DH5 | HCI_DM5);
3520
3521         if (selected_phys & MGMT_PHY_EDR_2M_1SLOT)
3522                 pkt_type &= ~HCI_2DH1;
3523         else
3524                 pkt_type |= HCI_2DH1;
3525
3526         if (selected_phys & MGMT_PHY_EDR_2M_3SLOT)
3527                 pkt_type &= ~HCI_2DH3;
3528         else
3529                 pkt_type |= HCI_2DH3;
3530
3531         if (selected_phys & MGMT_PHY_EDR_2M_5SLOT)
3532                 pkt_type &= ~HCI_2DH5;
3533         else
3534                 pkt_type |= HCI_2DH5;
3535
3536         if (selected_phys & MGMT_PHY_EDR_3M_1SLOT)
3537                 pkt_type &= ~HCI_3DH1;
3538         else
3539                 pkt_type |= HCI_3DH1;
3540
3541         if (selected_phys & MGMT_PHY_EDR_3M_3SLOT)
3542                 pkt_type &= ~HCI_3DH3;
3543         else
3544                 pkt_type |= HCI_3DH3;
3545
3546         if (selected_phys & MGMT_PHY_EDR_3M_5SLOT)
3547                 pkt_type &= ~HCI_3DH5;
3548         else
3549                 pkt_type |= HCI_3DH5;
3550
3551         if (pkt_type != hdev->pkt_type) {
3552                 hdev->pkt_type = pkt_type;
3553                 changed = true;
3554         }
3555
3556         if ((selected_phys & MGMT_PHY_LE_MASK) ==
3557             (get_selected_phys(hdev) & MGMT_PHY_LE_MASK)) {
3558                 if (changed)
3559                         mgmt_phy_configuration_changed(hdev, sk);
3560
3561                 err = mgmt_cmd_complete(sk, hdev->id,
3562                                         MGMT_OP_SET_PHY_CONFIGURATION,
3563                                         0, NULL, 0);
3564
3565                 goto unlock;
3566         }
3567
3568         cmd = mgmt_pending_add(sk, MGMT_OP_SET_PHY_CONFIGURATION, hdev, data,
3569                                len);
3570         if (!cmd) {
3571                 err = -ENOMEM;
3572                 goto unlock;
3573         }
3574
3575         hci_req_init(&req, hdev);
3576
3577         memset(&cp_phy, 0, sizeof(cp_phy));
3578
3579         if (!(selected_phys & MGMT_PHY_LE_TX_MASK))
3580                 cp_phy.all_phys |= 0x01;
3581
3582         if (!(selected_phys & MGMT_PHY_LE_RX_MASK))
3583                 cp_phy.all_phys |= 0x02;
3584
3585         if (selected_phys & MGMT_PHY_LE_1M_TX)
3586                 cp_phy.tx_phys |= HCI_LE_SET_PHY_1M;
3587
3588         if (selected_phys & MGMT_PHY_LE_2M_TX)
3589                 cp_phy.tx_phys |= HCI_LE_SET_PHY_2M;
3590
3591         if (selected_phys & MGMT_PHY_LE_CODED_TX)
3592                 cp_phy.tx_phys |= HCI_LE_SET_PHY_CODED;
3593
3594         if (selected_phys & MGMT_PHY_LE_1M_RX)
3595                 cp_phy.rx_phys |= HCI_LE_SET_PHY_1M;
3596
3597         if (selected_phys & MGMT_PHY_LE_2M_RX)
3598                 cp_phy.rx_phys |= HCI_LE_SET_PHY_2M;
3599
3600         if (selected_phys & MGMT_PHY_LE_CODED_RX)
3601                 cp_phy.rx_phys |= HCI_LE_SET_PHY_CODED;
3602
3603         hci_req_add(&req, HCI_OP_LE_SET_DEFAULT_PHY, sizeof(cp_phy), &cp_phy);
3604
3605         err = hci_req_run_skb(&req, set_default_phy_complete);
3606         if (err < 0)
3607                 mgmt_pending_remove(cmd);
3608
3609 unlock:
3610         hci_dev_unlock(hdev);
3611
3612         return err;
3613 }
3614
3615 static int set_blocked_keys(struct sock *sk, struct hci_dev *hdev, void *data,
3616                             u16 len)
3617 {
3618         int err = MGMT_STATUS_SUCCESS;
3619         struct mgmt_cp_set_blocked_keys *keys = data;
3620         const u16 max_key_count = ((U16_MAX - sizeof(*keys)) /
3621                                    sizeof(struct mgmt_blocked_key_info));
3622         u16 key_count, expected_len;
3623         int i;
3624
3625         bt_dev_dbg(hdev, "sock %p", sk);
3626
3627         key_count = __le16_to_cpu(keys->key_count);
3628         if (key_count > max_key_count) {
3629                 bt_dev_err(hdev, "too big key_count value %u", key_count);
3630                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BLOCKED_KEYS,
3631                                        MGMT_STATUS_INVALID_PARAMS);
3632         }
3633
3634         expected_len = struct_size(keys, keys, key_count);
3635         if (expected_len != len) {
3636                 bt_dev_err(hdev, "expected %u bytes, got %u bytes",
3637                            expected_len, len);
3638                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BLOCKED_KEYS,
3639                                        MGMT_STATUS_INVALID_PARAMS);
3640         }
3641
3642         hci_dev_lock(hdev);
3643
3644         hci_blocked_keys_clear(hdev);
3645
3646         for (i = 0; i < keys->key_count; ++i) {
3647                 struct blocked_key *b = kzalloc(sizeof(*b), GFP_KERNEL);
3648
3649                 if (!b) {
3650                         err = MGMT_STATUS_NO_RESOURCES;
3651                         break;
3652                 }
3653
3654                 b->type = keys->keys[i].type;
3655                 memcpy(b->val, keys->keys[i].val, sizeof(b->val));
3656                 list_add_rcu(&b->list, &hdev->blocked_keys);
3657         }
3658         hci_dev_unlock(hdev);
3659
3660         return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_BLOCKED_KEYS,
3661                                 err, NULL, 0);
3662 }
3663
3664 static int set_wideband_speech(struct sock *sk, struct hci_dev *hdev,
3665                                void *data, u16 len)
3666 {
3667         struct mgmt_mode *cp = data;
3668         int err;
3669         bool changed = false;
3670
3671         bt_dev_dbg(hdev, "sock %p", sk);
3672
3673         if (!test_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, &hdev->quirks))
3674                 return mgmt_cmd_status(sk, hdev->id,
3675                                        MGMT_OP_SET_WIDEBAND_SPEECH,
3676                                        MGMT_STATUS_NOT_SUPPORTED);
3677
3678         if (cp->val != 0x00 && cp->val != 0x01)
3679                 return mgmt_cmd_status(sk, hdev->id,
3680                                        MGMT_OP_SET_WIDEBAND_SPEECH,
3681                                        MGMT_STATUS_INVALID_PARAMS);
3682
3683         hci_dev_lock(hdev);
3684
3685         if (pending_find(MGMT_OP_SET_WIDEBAND_SPEECH, hdev)) {
3686                 err = mgmt_cmd_status(sk, hdev->id,
3687                                       MGMT_OP_SET_WIDEBAND_SPEECH,
3688                                       MGMT_STATUS_BUSY);
3689                 goto unlock;
3690         }
3691
3692         if (hdev_is_powered(hdev) &&
3693             !!cp->val != hci_dev_test_flag(hdev,
3694                                            HCI_WIDEBAND_SPEECH_ENABLED)) {
3695                 err = mgmt_cmd_status(sk, hdev->id,
3696                                       MGMT_OP_SET_WIDEBAND_SPEECH,
3697                                       MGMT_STATUS_REJECTED);
3698                 goto unlock;
3699         }
3700
3701         if (cp->val)
3702                 changed = !hci_dev_test_and_set_flag(hdev,
3703                                                    HCI_WIDEBAND_SPEECH_ENABLED);
3704         else
3705                 changed = hci_dev_test_and_clear_flag(hdev,
3706                                                    HCI_WIDEBAND_SPEECH_ENABLED);
3707
3708         err = send_settings_rsp(sk, MGMT_OP_SET_WIDEBAND_SPEECH, hdev);
3709         if (err < 0)
3710                 goto unlock;
3711
3712         if (changed)
3713                 err = new_settings(hdev, sk);
3714
3715 unlock:
3716         hci_dev_unlock(hdev);
3717         return err;
3718 }
3719
3720 static int read_controller_cap(struct sock *sk, struct hci_dev *hdev,
3721                                void *data, u16 data_len)
3722 {
3723         char buf[20];
3724         struct mgmt_rp_read_controller_cap *rp = (void *)buf;
3725         u16 cap_len = 0;
3726         u8 flags = 0;
3727         u8 tx_power_range[2];
3728
3729         bt_dev_dbg(hdev, "sock %p", sk);
3730
3731         memset(&buf, 0, sizeof(buf));
3732
3733         hci_dev_lock(hdev);
3734
3735         /* When the Read Simple Pairing Options command is supported, then
3736          * the remote public key validation is supported.
3737          *
3738          * Alternatively, when Microsoft extensions are available, they can
3739          * indicate support for public key validation as well.
3740          */
3741         if ((hdev->commands[41] & 0x08) || msft_curve_validity(hdev))
3742                 flags |= 0x01;  /* Remote public key validation (BR/EDR) */
3743
3744         flags |= 0x02;          /* Remote public key validation (LE) */
3745
3746         /* When the Read Encryption Key Size command is supported, then the
3747          * encryption key size is enforced.
3748          */
3749         if (hdev->commands[20] & 0x10)
3750                 flags |= 0x04;  /* Encryption key size enforcement (BR/EDR) */
3751
3752         flags |= 0x08;          /* Encryption key size enforcement (LE) */
3753
3754         cap_len = eir_append_data(rp->cap, cap_len, MGMT_CAP_SEC_FLAGS,
3755                                   &flags, 1);
3756
3757         /* When the Read Simple Pairing Options command is supported, then
3758          * also max encryption key size information is provided.
3759          */
3760         if (hdev->commands[41] & 0x08)
3761                 cap_len = eir_append_le16(rp->cap, cap_len,
3762                                           MGMT_CAP_MAX_ENC_KEY_SIZE,
3763                                           hdev->max_enc_key_size);
3764
3765         cap_len = eir_append_le16(rp->cap, cap_len,
3766                                   MGMT_CAP_SMP_MAX_ENC_KEY_SIZE,
3767                                   SMP_MAX_ENC_KEY_SIZE);
3768
3769         /* Append the min/max LE tx power parameters if we were able to fetch
3770          * it from the controller
3771          */
3772         if (hdev->commands[38] & 0x80) {
3773                 memcpy(&tx_power_range[0], &hdev->min_le_tx_power, 1);
3774                 memcpy(&tx_power_range[1], &hdev->max_le_tx_power, 1);
3775                 cap_len = eir_append_data(rp->cap, cap_len, MGMT_CAP_LE_TX_PWR,
3776                                           tx_power_range, 2);
3777         }
3778
3779         rp->cap_len = cpu_to_le16(cap_len);
3780
3781         hci_dev_unlock(hdev);
3782
3783         return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_CONTROLLER_CAP, 0,
3784                                  rp, sizeof(*rp) + cap_len);
3785 }
3786
3787 #ifdef CONFIG_BT_FEATURE_DEBUG
3788 /* d4992530-b9ec-469f-ab01-6c481c47da1c */
3789 static const u8 debug_uuid[16] = {
3790         0x1c, 0xda, 0x47, 0x1c, 0x48, 0x6c, 0x01, 0xab,
3791         0x9f, 0x46, 0xec, 0xb9, 0x30, 0x25, 0x99, 0xd4,
3792 };
3793 #endif
3794
3795 /* 330859bc-7506-492d-9370-9a6f0614037f */
3796 static const u8 quality_report_uuid[16] = {
3797         0x7f, 0x03, 0x14, 0x06, 0x6f, 0x9a, 0x70, 0x93,
3798         0x2d, 0x49, 0x06, 0x75, 0xbc, 0x59, 0x08, 0x33,
3799 };
3800
3801 /* a6695ace-ee7f-4fb9-881a-5fac66c629af */
3802 static const u8 offload_codecs_uuid[16] = {
3803         0xaf, 0x29, 0xc6, 0x66, 0xac, 0x5f, 0x1a, 0x88,
3804         0xb9, 0x4f, 0x7f, 0xee, 0xce, 0x5a, 0x69, 0xa6,
3805 };
3806
3807 /* 671b10b5-42c0-4696-9227-eb28d1b049d6 */
3808 static const u8 simult_central_periph_uuid[16] = {
3809         0xd6, 0x49, 0xb0, 0xd1, 0x28, 0xeb, 0x27, 0x92,
3810         0x96, 0x46, 0xc0, 0x42, 0xb5, 0x10, 0x1b, 0x67,
3811 };
3812
3813 /* 15c0a148-c273-11ea-b3de-0242ac130004 */
3814 static const u8 rpa_resolution_uuid[16] = {
3815         0x04, 0x00, 0x13, 0xac, 0x42, 0x02, 0xde, 0xb3,
3816         0xea, 0x11, 0x73, 0xc2, 0x48, 0xa1, 0xc0, 0x15,
3817 };
3818
3819 static int read_exp_features_info(struct sock *sk, struct hci_dev *hdev,
3820                                   void *data, u16 data_len)
3821 {
3822         char buf[102];   /* Enough space for 5 features: 2 + 20 * 5 */
3823         struct mgmt_rp_read_exp_features_info *rp = (void *)buf;
3824         u16 idx = 0;
3825         u32 flags;
3826
3827         bt_dev_dbg(hdev, "sock %p", sk);
3828
3829         memset(&buf, 0, sizeof(buf));
3830
3831 #ifdef CONFIG_BT_FEATURE_DEBUG
3832         if (!hdev) {
3833                 flags = bt_dbg_get() ? BIT(0) : 0;
3834
3835                 memcpy(rp->features[idx].uuid, debug_uuid, 16);
3836                 rp->features[idx].flags = cpu_to_le32(flags);
3837                 idx++;
3838         }
3839 #endif
3840
3841         if (hdev) {
3842                 if (test_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks) &&
3843                     (hdev->le_states[4] & 0x08) &&      /* Central */
3844                     (hdev->le_states[4] & 0x40) &&      /* Peripheral */
3845                     (hdev->le_states[3] & 0x10))        /* Simultaneous */
3846                         flags = BIT(0);
3847                 else
3848                         flags = 0;
3849
3850                 memcpy(rp->features[idx].uuid, simult_central_periph_uuid, 16);
3851                 rp->features[idx].flags = cpu_to_le32(flags);
3852                 idx++;
3853         }
3854
3855         if (hdev && use_ll_privacy(hdev)) {
3856                 if (hci_dev_test_flag(hdev, HCI_ENABLE_LL_PRIVACY))
3857                         flags = BIT(0) | BIT(1);
3858                 else
3859                         flags = BIT(1);
3860
3861                 memcpy(rp->features[idx].uuid, rpa_resolution_uuid, 16);
3862                 rp->features[idx].flags = cpu_to_le32(flags);
3863                 idx++;
3864         }
3865
3866         if (hdev && hdev->set_quality_report) {
3867                 if (hci_dev_test_flag(hdev, HCI_QUALITY_REPORT))
3868                         flags = BIT(0);
3869                 else
3870                         flags = 0;
3871
3872                 memcpy(rp->features[idx].uuid, quality_report_uuid, 16);
3873                 rp->features[idx].flags = cpu_to_le32(flags);
3874                 idx++;
3875         }
3876
3877         if (hdev && hdev->get_data_path_id) {
3878                 if (hci_dev_test_flag(hdev, HCI_OFFLOAD_CODECS_ENABLED))
3879                         flags = BIT(0);
3880                 else
3881                         flags = 0;
3882
3883                 memcpy(rp->features[idx].uuid, offload_codecs_uuid, 16);
3884                 rp->features[idx].flags = cpu_to_le32(flags);
3885                 idx++;
3886         }
3887
3888         rp->feature_count = cpu_to_le16(idx);
3889
3890         /* After reading the experimental features information, enable
3891          * the events to update client on any future change.
3892          */
3893         hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
3894
3895         return mgmt_cmd_complete(sk, hdev ? hdev->id : MGMT_INDEX_NONE,
3896                                  MGMT_OP_READ_EXP_FEATURES_INFO,
3897                                  0, rp, sizeof(*rp) + (20 * idx));
3898 }
3899
3900 static int exp_ll_privacy_feature_changed(bool enabled, struct hci_dev *hdev,
3901                                           struct sock *skip)
3902 {
3903         struct mgmt_ev_exp_feature_changed ev;
3904
3905         memset(&ev, 0, sizeof(ev));
3906         memcpy(ev.uuid, rpa_resolution_uuid, 16);
3907         ev.flags = cpu_to_le32((enabled ? BIT(0) : 0) | BIT(1));
3908
3909         return mgmt_limited_event(MGMT_EV_EXP_FEATURE_CHANGED, hdev,
3910                                   &ev, sizeof(ev),
3911                                   HCI_MGMT_EXP_FEATURE_EVENTS, skip);
3912
3913 }
3914
3915 #ifdef CONFIG_BT_FEATURE_DEBUG
3916 static int exp_debug_feature_changed(bool enabled, struct sock *skip)
3917 {
3918         struct mgmt_ev_exp_feature_changed ev;
3919
3920         memset(&ev, 0, sizeof(ev));
3921         memcpy(ev.uuid, debug_uuid, 16);
3922         ev.flags = cpu_to_le32(enabled ? BIT(0) : 0);
3923
3924         return mgmt_limited_event(MGMT_EV_EXP_FEATURE_CHANGED, NULL,
3925                                   &ev, sizeof(ev),
3926                                   HCI_MGMT_EXP_FEATURE_EVENTS, skip);
3927 }
3928 #endif
3929
3930 static int exp_quality_report_feature_changed(bool enabled, struct sock *skip)
3931 {
3932         struct mgmt_ev_exp_feature_changed ev;
3933
3934         memset(&ev, 0, sizeof(ev));
3935         memcpy(ev.uuid, quality_report_uuid, 16);
3936         ev.flags = cpu_to_le32(enabled ? BIT(0) : 0);
3937
3938         return mgmt_limited_event(MGMT_EV_EXP_FEATURE_CHANGED, NULL,
3939                                   &ev, sizeof(ev),
3940                                   HCI_MGMT_EXP_FEATURE_EVENTS, skip);
3941 }
3942
3943 #define EXP_FEAT(_uuid, _set_func)      \
3944 {                                       \
3945         .uuid = _uuid,                  \
3946         .set_func = _set_func,          \
3947 }
3948
3949 /* The zero key uuid is special. Multiple exp features are set through it. */
3950 static int set_zero_key_func(struct sock *sk, struct hci_dev *hdev,
3951                              struct mgmt_cp_set_exp_feature *cp, u16 data_len)
3952 {
3953         struct mgmt_rp_set_exp_feature rp;
3954
3955         memset(rp.uuid, 0, 16);
3956         rp.flags = cpu_to_le32(0);
3957
3958 #ifdef CONFIG_BT_FEATURE_DEBUG
3959         if (!hdev) {
3960                 bool changed = bt_dbg_get();
3961
3962                 bt_dbg_set(false);
3963
3964                 if (changed)
3965                         exp_debug_feature_changed(false, sk);
3966         }
3967 #endif
3968
3969         if (hdev && use_ll_privacy(hdev) && !hdev_is_powered(hdev)) {
3970                 bool changed = hci_dev_test_flag(hdev, HCI_ENABLE_LL_PRIVACY);
3971
3972                 hci_dev_clear_flag(hdev, HCI_ENABLE_LL_PRIVACY);
3973
3974                 if (changed)
3975                         exp_ll_privacy_feature_changed(false, hdev, sk);
3976         }
3977
3978         hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
3979
3980         return mgmt_cmd_complete(sk, hdev ? hdev->id : MGMT_INDEX_NONE,
3981                                  MGMT_OP_SET_EXP_FEATURE, 0,
3982                                  &rp, sizeof(rp));
3983 }
3984
3985 #ifdef CONFIG_BT_FEATURE_DEBUG
3986 static int set_debug_func(struct sock *sk, struct hci_dev *hdev,
3987                           struct mgmt_cp_set_exp_feature *cp, u16 data_len)
3988 {
3989         struct mgmt_rp_set_exp_feature rp;
3990
3991         bool val, changed;
3992         int err;
3993
3994         /* Command requires to use the non-controller index */
3995         if (hdev)
3996                 return mgmt_cmd_status(sk, hdev->id,
3997                                        MGMT_OP_SET_EXP_FEATURE,
3998                                        MGMT_STATUS_INVALID_INDEX);
3999
4000         /* Parameters are limited to a single octet */
4001         if (data_len != MGMT_SET_EXP_FEATURE_SIZE + 1)
4002                 return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4003                                        MGMT_OP_SET_EXP_FEATURE,
4004                                        MGMT_STATUS_INVALID_PARAMS);
4005
4006         /* Only boolean on/off is supported */
4007         if (cp->param[0] != 0x00 && cp->param[0] != 0x01)
4008                 return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4009                                        MGMT_OP_SET_EXP_FEATURE,
4010                                        MGMT_STATUS_INVALID_PARAMS);
4011
4012         val = !!cp->param[0];
4013         changed = val ? !bt_dbg_get() : bt_dbg_get();
4014         bt_dbg_set(val);
4015
4016         memcpy(rp.uuid, debug_uuid, 16);
4017         rp.flags = cpu_to_le32(val ? BIT(0) : 0);
4018
4019         hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
4020
4021         err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE,
4022                                 MGMT_OP_SET_EXP_FEATURE, 0,
4023                                 &rp, sizeof(rp));
4024
4025         if (changed)
4026                 exp_debug_feature_changed(val, sk);
4027
4028         return err;
4029 }
4030 #endif
4031
4032 static int set_rpa_resolution_func(struct sock *sk, struct hci_dev *hdev,
4033                                    struct mgmt_cp_set_exp_feature *cp,
4034                                    u16 data_len)
4035 {
4036         struct mgmt_rp_set_exp_feature rp;
4037         bool val, changed;
4038         int err;
4039         u32 flags;
4040
4041         /* Command requires to use the controller index */
4042         if (!hdev)
4043                 return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4044                                        MGMT_OP_SET_EXP_FEATURE,
4045                                        MGMT_STATUS_INVALID_INDEX);
4046
4047         /* Changes can only be made when controller is powered down */
4048         if (hdev_is_powered(hdev))
4049                 return mgmt_cmd_status(sk, hdev->id,
4050                                        MGMT_OP_SET_EXP_FEATURE,
4051                                        MGMT_STATUS_REJECTED);
4052
4053         /* Parameters are limited to a single octet */
4054         if (data_len != MGMT_SET_EXP_FEATURE_SIZE + 1)
4055                 return mgmt_cmd_status(sk, hdev->id,
4056                                        MGMT_OP_SET_EXP_FEATURE,
4057                                        MGMT_STATUS_INVALID_PARAMS);
4058
4059         /* Only boolean on/off is supported */
4060         if (cp->param[0] != 0x00 && cp->param[0] != 0x01)
4061                 return mgmt_cmd_status(sk, hdev->id,
4062                                        MGMT_OP_SET_EXP_FEATURE,
4063                                        MGMT_STATUS_INVALID_PARAMS);
4064
4065         val = !!cp->param[0];
4066
4067         if (val) {
4068                 changed = !hci_dev_test_flag(hdev, HCI_ENABLE_LL_PRIVACY);
4069                 hci_dev_set_flag(hdev, HCI_ENABLE_LL_PRIVACY);
4070                 hci_dev_clear_flag(hdev, HCI_ADVERTISING);
4071
4072                 /* Enable LL privacy + supported settings changed */
4073                 flags = BIT(0) | BIT(1);
4074         } else {
4075                 changed = hci_dev_test_flag(hdev, HCI_ENABLE_LL_PRIVACY);
4076                 hci_dev_clear_flag(hdev, HCI_ENABLE_LL_PRIVACY);
4077
4078                 /* Disable LL privacy + supported settings changed */
4079                 flags = BIT(1);
4080         }
4081
4082         memcpy(rp.uuid, rpa_resolution_uuid, 16);
4083         rp.flags = cpu_to_le32(flags);
4084
4085         hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
4086
4087         err = mgmt_cmd_complete(sk, hdev->id,
4088                                 MGMT_OP_SET_EXP_FEATURE, 0,
4089                                 &rp, sizeof(rp));
4090
4091         if (changed)
4092                 exp_ll_privacy_feature_changed(val, hdev, sk);
4093
4094         return err;
4095 }
4096
4097 static int set_quality_report_func(struct sock *sk, struct hci_dev *hdev,
4098                                    struct mgmt_cp_set_exp_feature *cp,
4099                                    u16 data_len)
4100 {
4101         struct mgmt_rp_set_exp_feature rp;
4102         bool val, changed;
4103         int err;
4104
4105         /* Command requires to use a valid controller index */
4106         if (!hdev)
4107                 return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4108                                        MGMT_OP_SET_EXP_FEATURE,
4109                                        MGMT_STATUS_INVALID_INDEX);
4110
4111         /* Parameters are limited to a single octet */
4112         if (data_len != MGMT_SET_EXP_FEATURE_SIZE + 1)
4113                 return mgmt_cmd_status(sk, hdev->id,
4114                                        MGMT_OP_SET_EXP_FEATURE,
4115                                        MGMT_STATUS_INVALID_PARAMS);
4116
4117         /* Only boolean on/off is supported */
4118         if (cp->param[0] != 0x00 && cp->param[0] != 0x01)
4119                 return mgmt_cmd_status(sk, hdev->id,
4120                                        MGMT_OP_SET_EXP_FEATURE,
4121                                        MGMT_STATUS_INVALID_PARAMS);
4122
4123         hci_req_sync_lock(hdev);
4124
4125         val = !!cp->param[0];
4126         changed = (val != hci_dev_test_flag(hdev, HCI_QUALITY_REPORT));
4127
4128         if (!hdev->set_quality_report) {
4129                 err = mgmt_cmd_status(sk, hdev->id,
4130                                       MGMT_OP_SET_EXP_FEATURE,
4131                                       MGMT_STATUS_NOT_SUPPORTED);
4132                 goto unlock_quality_report;
4133         }
4134
4135         if (changed) {
4136                 err = hdev->set_quality_report(hdev, val);
4137                 if (err) {
4138                         err = mgmt_cmd_status(sk, hdev->id,
4139                                               MGMT_OP_SET_EXP_FEATURE,
4140                                               MGMT_STATUS_FAILED);
4141                         goto unlock_quality_report;
4142                 }
4143                 if (val)
4144                         hci_dev_set_flag(hdev, HCI_QUALITY_REPORT);
4145                 else
4146                         hci_dev_clear_flag(hdev, HCI_QUALITY_REPORT);
4147         }
4148
4149         bt_dev_dbg(hdev, "quality report enable %d changed %d", val, changed);
4150
4151         memcpy(rp.uuid, quality_report_uuid, 16);
4152         rp.flags = cpu_to_le32(val ? BIT(0) : 0);
4153         hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
4154         err = mgmt_cmd_complete(sk, hdev->id,
4155                                 MGMT_OP_SET_EXP_FEATURE, 0,
4156                                 &rp, sizeof(rp));
4157
4158         if (changed)
4159                 exp_quality_report_feature_changed(val, sk);
4160
4161 unlock_quality_report:
4162         hci_req_sync_unlock(hdev);
4163         return err;
4164 }
4165
4166 static int exp_offload_codec_feature_changed(bool enabled, struct sock *skip)
4167 {
4168         struct mgmt_ev_exp_feature_changed ev;
4169
4170         memset(&ev, 0, sizeof(ev));
4171         memcpy(ev.uuid, offload_codecs_uuid, 16);
4172         ev.flags = cpu_to_le32(enabled ? BIT(0) : 0);
4173
4174         return mgmt_limited_event(MGMT_EV_EXP_FEATURE_CHANGED, NULL,
4175                                   &ev, sizeof(ev),
4176                                   HCI_MGMT_EXP_FEATURE_EVENTS, skip);
4177 }
4178
4179 static int set_offload_codec_func(struct sock *sk, struct hci_dev *hdev,
4180                                   struct mgmt_cp_set_exp_feature *cp,
4181                                   u16 data_len)
4182 {
4183         bool val, changed;
4184         int err;
4185         struct mgmt_rp_set_exp_feature rp;
4186
4187         /* Command requires to use a valid controller index */
4188         if (!hdev)
4189                 return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4190                                        MGMT_OP_SET_EXP_FEATURE,
4191                                        MGMT_STATUS_INVALID_INDEX);
4192
4193         /* Parameters are limited to a single octet */
4194         if (data_len != MGMT_SET_EXP_FEATURE_SIZE + 1)
4195                 return mgmt_cmd_status(sk, hdev->id,
4196                                        MGMT_OP_SET_EXP_FEATURE,
4197                                        MGMT_STATUS_INVALID_PARAMS);
4198
4199         /* Only boolean on/off is supported */
4200         if (cp->param[0] != 0x00 && cp->param[0] != 0x01)
4201                 return mgmt_cmd_status(sk, hdev->id,
4202                                        MGMT_OP_SET_EXP_FEATURE,
4203                                        MGMT_STATUS_INVALID_PARAMS);
4204
4205         val = !!cp->param[0];
4206         changed = (val != hci_dev_test_flag(hdev, HCI_OFFLOAD_CODECS_ENABLED));
4207
4208         if (!hdev->get_data_path_id) {
4209                 return mgmt_cmd_status(sk, hdev->id,
4210                                        MGMT_OP_SET_EXP_FEATURE,
4211                                        MGMT_STATUS_NOT_SUPPORTED);
4212         }
4213
4214         if (changed) {
4215                 if (val)
4216                         hci_dev_set_flag(hdev, HCI_OFFLOAD_CODECS_ENABLED);
4217                 else
4218                         hci_dev_clear_flag(hdev, HCI_OFFLOAD_CODECS_ENABLED);
4219         }
4220
4221         bt_dev_info(hdev, "offload codecs enable %d changed %d",
4222                     val, changed);
4223
4224         memcpy(rp.uuid, offload_codecs_uuid, 16);
4225         rp.flags = cpu_to_le32(val ? BIT(0) : 0);
4226         hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
4227         err = mgmt_cmd_complete(sk, hdev->id,
4228                                 MGMT_OP_SET_EXP_FEATURE, 0,
4229                                 &rp, sizeof(rp));
4230
4231         if (changed)
4232                 exp_offload_codec_feature_changed(val, sk);
4233
4234         return err;
4235 }
4236
4237 static const struct mgmt_exp_feature {
4238         const u8 *uuid;
4239         int (*set_func)(struct sock *sk, struct hci_dev *hdev,
4240                         struct mgmt_cp_set_exp_feature *cp, u16 data_len);
4241 } exp_features[] = {
4242         EXP_FEAT(ZERO_KEY, set_zero_key_func),
4243 #ifdef CONFIG_BT_FEATURE_DEBUG
4244         EXP_FEAT(debug_uuid, set_debug_func),
4245 #endif
4246         EXP_FEAT(rpa_resolution_uuid, set_rpa_resolution_func),
4247         EXP_FEAT(quality_report_uuid, set_quality_report_func),
4248         EXP_FEAT(offload_codecs_uuid, set_offload_codec_func),
4249
4250         /* end with a null feature */
4251         EXP_FEAT(NULL, NULL)
4252 };
4253
4254 static int set_exp_feature(struct sock *sk, struct hci_dev *hdev,
4255                            void *data, u16 data_len)
4256 {
4257         struct mgmt_cp_set_exp_feature *cp = data;
4258         size_t i = 0;
4259
4260         bt_dev_dbg(hdev, "sock %p", sk);
4261
4262         for (i = 0; exp_features[i].uuid; i++) {
4263                 if (!memcmp(cp->uuid, exp_features[i].uuid, 16))
4264                         return exp_features[i].set_func(sk, hdev, cp, data_len);
4265         }
4266
4267         return mgmt_cmd_status(sk, hdev ? hdev->id : MGMT_INDEX_NONE,
4268                                MGMT_OP_SET_EXP_FEATURE,
4269                                MGMT_STATUS_NOT_SUPPORTED);
4270 }
4271
4272 #define SUPPORTED_DEVICE_FLAGS() ((1U << HCI_CONN_FLAG_MAX) - 1)
4273
4274 static int get_device_flags(struct sock *sk, struct hci_dev *hdev, void *data,
4275                             u16 data_len)
4276 {
4277         struct mgmt_cp_get_device_flags *cp = data;
4278         struct mgmt_rp_get_device_flags rp;
4279         struct bdaddr_list_with_flags *br_params;
4280         struct hci_conn_params *params;
4281         u32 supported_flags = SUPPORTED_DEVICE_FLAGS();
4282         u32 current_flags = 0;
4283         u8 status = MGMT_STATUS_INVALID_PARAMS;
4284
4285         bt_dev_dbg(hdev, "Get device flags %pMR (type 0x%x)\n",
4286                    &cp->addr.bdaddr, cp->addr.type);
4287
4288         hci_dev_lock(hdev);
4289
4290         memset(&rp, 0, sizeof(rp));
4291
4292         if (cp->addr.type == BDADDR_BREDR) {
4293                 br_params = hci_bdaddr_list_lookup_with_flags(&hdev->accept_list,
4294                                                               &cp->addr.bdaddr,
4295                                                               cp->addr.type);
4296                 if (!br_params)
4297                         goto done;
4298
4299                 current_flags = br_params->current_flags;
4300         } else {
4301                 params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr,
4302                                                 le_addr_type(cp->addr.type));
4303
4304                 if (!params)
4305                         goto done;
4306
4307                 current_flags = params->current_flags;
4308         }
4309
4310         bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
4311         rp.addr.type = cp->addr.type;
4312         rp.supported_flags = cpu_to_le32(supported_flags);
4313         rp.current_flags = cpu_to_le32(current_flags);
4314
4315         status = MGMT_STATUS_SUCCESS;
4316
4317 done:
4318         hci_dev_unlock(hdev);
4319
4320         return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_DEVICE_FLAGS, status,
4321                                 &rp, sizeof(rp));
4322 }
4323
4324 static void device_flags_changed(struct sock *sk, struct hci_dev *hdev,
4325                                  bdaddr_t *bdaddr, u8 bdaddr_type,
4326                                  u32 supported_flags, u32 current_flags)
4327 {
4328         struct mgmt_ev_device_flags_changed ev;
4329
4330         bacpy(&ev.addr.bdaddr, bdaddr);
4331         ev.addr.type = bdaddr_type;
4332         ev.supported_flags = cpu_to_le32(supported_flags);
4333         ev.current_flags = cpu_to_le32(current_flags);
4334
4335         mgmt_event(MGMT_EV_DEVICE_FLAGS_CHANGED, hdev, &ev, sizeof(ev), sk);
4336 }
4337
4338 static int set_device_flags(struct sock *sk, struct hci_dev *hdev, void *data,
4339                             u16 len)
4340 {
4341         struct mgmt_cp_set_device_flags *cp = data;
4342         struct bdaddr_list_with_flags *br_params;
4343         struct hci_conn_params *params;
4344         u8 status = MGMT_STATUS_INVALID_PARAMS;
4345         u32 supported_flags = SUPPORTED_DEVICE_FLAGS();
4346         u32 current_flags = __le32_to_cpu(cp->current_flags);
4347
4348         bt_dev_dbg(hdev, "Set device flags %pMR (type 0x%x) = 0x%x",
4349                    &cp->addr.bdaddr, cp->addr.type,
4350                    __le32_to_cpu(current_flags));
4351
4352         if ((supported_flags | current_flags) != supported_flags) {
4353                 bt_dev_warn(hdev, "Bad flag given (0x%x) vs supported (0x%0x)",
4354                             current_flags, supported_flags);
4355                 goto done;
4356         }
4357
4358         hci_dev_lock(hdev);
4359
4360         if (cp->addr.type == BDADDR_BREDR) {
4361                 br_params = hci_bdaddr_list_lookup_with_flags(&hdev->accept_list,
4362                                                               &cp->addr.bdaddr,
4363                                                               cp->addr.type);
4364
4365                 if (br_params) {
4366                         br_params->current_flags = current_flags;
4367                         status = MGMT_STATUS_SUCCESS;
4368                 } else {
4369                         bt_dev_warn(hdev, "No such BR/EDR device %pMR (0x%x)",
4370                                     &cp->addr.bdaddr, cp->addr.type);
4371                 }
4372         } else {
4373                 params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr,
4374                                                 le_addr_type(cp->addr.type));
4375                 if (params) {
4376                         params->current_flags = current_flags;
4377                         status = MGMT_STATUS_SUCCESS;
4378                 } else {
4379                         bt_dev_warn(hdev, "No such LE device %pMR (0x%x)",
4380                                     &cp->addr.bdaddr,
4381                                     le_addr_type(cp->addr.type));
4382                 }
4383         }
4384
4385 done:
4386         hci_dev_unlock(hdev);
4387
4388         if (status == MGMT_STATUS_SUCCESS)
4389                 device_flags_changed(sk, hdev, &cp->addr.bdaddr, cp->addr.type,
4390                                      supported_flags, current_flags);
4391
4392         return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_DEVICE_FLAGS, status,
4393                                  &cp->addr, sizeof(cp->addr));
4394 }
4395
4396 static void mgmt_adv_monitor_added(struct sock *sk, struct hci_dev *hdev,
4397                                    u16 handle)
4398 {
4399         struct mgmt_ev_adv_monitor_added ev;
4400
4401         ev.monitor_handle = cpu_to_le16(handle);
4402
4403         mgmt_event(MGMT_EV_ADV_MONITOR_ADDED, hdev, &ev, sizeof(ev), sk);
4404 }
4405
4406 void mgmt_adv_monitor_removed(struct hci_dev *hdev, u16 handle)
4407 {
4408         struct mgmt_ev_adv_monitor_removed ev;
4409         struct mgmt_pending_cmd *cmd;
4410         struct sock *sk_skip = NULL;
4411         struct mgmt_cp_remove_adv_monitor *cp;
4412
4413         cmd = pending_find(MGMT_OP_REMOVE_ADV_MONITOR, hdev);
4414         if (cmd) {
4415                 cp = cmd->param;
4416
4417                 if (cp->monitor_handle)
4418                         sk_skip = cmd->sk;
4419         }
4420
4421         ev.monitor_handle = cpu_to_le16(handle);
4422
4423         mgmt_event(MGMT_EV_ADV_MONITOR_REMOVED, hdev, &ev, sizeof(ev), sk_skip);
4424 }
4425
4426 static int read_adv_mon_features(struct sock *sk, struct hci_dev *hdev,
4427                                  void *data, u16 len)
4428 {
4429         struct adv_monitor *monitor = NULL;
4430         struct mgmt_rp_read_adv_monitor_features *rp = NULL;
4431         int handle, err;
4432         size_t rp_size = 0;
4433         __u32 supported = 0;
4434         __u32 enabled = 0;
4435         __u16 num_handles = 0;
4436         __u16 handles[HCI_MAX_ADV_MONITOR_NUM_HANDLES];
4437
4438         BT_DBG("request for %s", hdev->name);
4439
4440         hci_dev_lock(hdev);
4441
4442         if (msft_monitor_supported(hdev))
4443                 supported |= MGMT_ADV_MONITOR_FEATURE_MASK_OR_PATTERNS;
4444
4445         idr_for_each_entry(&hdev->adv_monitors_idr, monitor, handle)
4446                 handles[num_handles++] = monitor->handle;
4447
4448         hci_dev_unlock(hdev);
4449
4450         rp_size = sizeof(*rp) + (num_handles * sizeof(u16));
4451         rp = kmalloc(rp_size, GFP_KERNEL);
4452         if (!rp)
4453                 return -ENOMEM;
4454
4455         /* All supported features are currently enabled */
4456         enabled = supported;
4457
4458         rp->supported_features = cpu_to_le32(supported);
4459         rp->enabled_features = cpu_to_le32(enabled);
4460         rp->max_num_handles = cpu_to_le16(HCI_MAX_ADV_MONITOR_NUM_HANDLES);
4461         rp->max_num_patterns = HCI_MAX_ADV_MONITOR_NUM_PATTERNS;
4462         rp->num_handles = cpu_to_le16(num_handles);
4463         if (num_handles)
4464                 memcpy(&rp->handles, &handles, (num_handles * sizeof(u16)));
4465
4466         err = mgmt_cmd_complete(sk, hdev->id,
4467                                 MGMT_OP_READ_ADV_MONITOR_FEATURES,
4468                                 MGMT_STATUS_SUCCESS, rp, rp_size);
4469
4470         kfree(rp);
4471
4472         return err;
4473 }
4474
4475 int mgmt_add_adv_patterns_monitor_complete(struct hci_dev *hdev, u8 status)
4476 {
4477         struct mgmt_rp_add_adv_patterns_monitor rp;
4478         struct mgmt_pending_cmd *cmd;
4479         struct adv_monitor *monitor;
4480         int err = 0;
4481
4482         hci_dev_lock(hdev);
4483
4484         cmd = pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR_RSSI, hdev);
4485         if (!cmd) {
4486                 cmd = pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR, hdev);
4487                 if (!cmd)
4488                         goto done;
4489         }
4490
4491         monitor = cmd->user_data;
4492         rp.monitor_handle = cpu_to_le16(monitor->handle);
4493
4494         if (!status) {
4495                 mgmt_adv_monitor_added(cmd->sk, hdev, monitor->handle);
4496                 hdev->adv_monitors_cnt++;
4497                 if (monitor->state == ADV_MONITOR_STATE_NOT_REGISTERED)
4498                         monitor->state = ADV_MONITOR_STATE_REGISTERED;
4499                 hci_update_background_scan(hdev);
4500         }
4501
4502         err = mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
4503                                 mgmt_status(status), &rp, sizeof(rp));
4504         mgmt_pending_remove(cmd);
4505
4506 done:
4507         hci_dev_unlock(hdev);
4508         bt_dev_dbg(hdev, "add monitor %d complete, status %u",
4509                    rp.monitor_handle, status);
4510
4511         return err;
4512 }
4513
4514 static int __add_adv_patterns_monitor(struct sock *sk, struct hci_dev *hdev,
4515                                       struct adv_monitor *m, u8 status,
4516                                       void *data, u16 len, u16 op)
4517 {
4518         struct mgmt_rp_add_adv_patterns_monitor rp;
4519         struct mgmt_pending_cmd *cmd;
4520         int err;
4521         bool pending;
4522
4523         hci_dev_lock(hdev);
4524
4525         if (status)
4526                 goto unlock;
4527
4528         if (pending_find(MGMT_OP_SET_LE, hdev) ||
4529             pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR, hdev) ||
4530             pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR_RSSI, hdev) ||
4531             pending_find(MGMT_OP_REMOVE_ADV_MONITOR, hdev)) {
4532                 status = MGMT_STATUS_BUSY;
4533                 goto unlock;
4534         }
4535
4536         cmd = mgmt_pending_add(sk, op, hdev, data, len);
4537         if (!cmd) {
4538                 status = MGMT_STATUS_NO_RESOURCES;
4539                 goto unlock;
4540         }
4541
4542         cmd->user_data = m;
4543         pending = hci_add_adv_monitor(hdev, m, &err);
4544         if (err) {
4545                 if (err == -ENOSPC || err == -ENOMEM)
4546                         status = MGMT_STATUS_NO_RESOURCES;
4547                 else if (err == -EINVAL)
4548                         status = MGMT_STATUS_INVALID_PARAMS;
4549                 else
4550                         status = MGMT_STATUS_FAILED;
4551
4552                 mgmt_pending_remove(cmd);
4553                 goto unlock;
4554         }
4555
4556         if (!pending) {
4557                 mgmt_pending_remove(cmd);
4558                 rp.monitor_handle = cpu_to_le16(m->handle);
4559                 mgmt_adv_monitor_added(sk, hdev, m->handle);
4560                 m->state = ADV_MONITOR_STATE_REGISTERED;
4561                 hdev->adv_monitors_cnt++;
4562
4563                 hci_dev_unlock(hdev);
4564                 return mgmt_cmd_complete(sk, hdev->id, op, MGMT_STATUS_SUCCESS,
4565                                          &rp, sizeof(rp));
4566         }
4567
4568         hci_dev_unlock(hdev);
4569
4570         return 0;
4571
4572 unlock:
4573         hci_free_adv_monitor(hdev, m);
4574         hci_dev_unlock(hdev);
4575         return mgmt_cmd_status(sk, hdev->id, op, status);
4576 }
4577
4578 static void parse_adv_monitor_rssi(struct adv_monitor *m,
4579                                    struct mgmt_adv_rssi_thresholds *rssi)
4580 {
4581         if (rssi) {
4582                 m->rssi.low_threshold = rssi->low_threshold;
4583                 m->rssi.low_threshold_timeout =
4584                     __le16_to_cpu(rssi->low_threshold_timeout);
4585                 m->rssi.high_threshold = rssi->high_threshold;
4586                 m->rssi.high_threshold_timeout =
4587                     __le16_to_cpu(rssi->high_threshold_timeout);
4588                 m->rssi.sampling_period = rssi->sampling_period;
4589         } else {
4590                 /* Default values. These numbers are the least constricting
4591                  * parameters for MSFT API to work, so it behaves as if there
4592                  * are no rssi parameter to consider. May need to be changed
4593                  * if other API are to be supported.
4594                  */
4595                 m->rssi.low_threshold = -127;
4596                 m->rssi.low_threshold_timeout = 60;
4597                 m->rssi.high_threshold = -127;
4598                 m->rssi.high_threshold_timeout = 0;
4599                 m->rssi.sampling_period = 0;
4600         }
4601 }
4602
4603 static u8 parse_adv_monitor_pattern(struct adv_monitor *m, u8 pattern_count,
4604                                     struct mgmt_adv_pattern *patterns)
4605 {
4606         u8 offset = 0, length = 0;
4607         struct adv_pattern *p = NULL;
4608         int i;
4609
4610         for (i = 0; i < pattern_count; i++) {
4611                 offset = patterns[i].offset;
4612                 length = patterns[i].length;
4613                 if (offset >= HCI_MAX_AD_LENGTH ||
4614                     length > HCI_MAX_AD_LENGTH ||
4615                     (offset + length) > HCI_MAX_AD_LENGTH)
4616                         return MGMT_STATUS_INVALID_PARAMS;
4617
4618                 p = kmalloc(sizeof(*p), GFP_KERNEL);
4619                 if (!p)
4620                         return MGMT_STATUS_NO_RESOURCES;
4621
4622                 p->ad_type = patterns[i].ad_type;
4623                 p->offset = patterns[i].offset;
4624                 p->length = patterns[i].length;
4625                 memcpy(p->value, patterns[i].value, p->length);
4626
4627                 INIT_LIST_HEAD(&p->list);
4628                 list_add(&p->list, &m->patterns);
4629         }
4630
4631         return MGMT_STATUS_SUCCESS;
4632 }
4633
4634 static int add_adv_patterns_monitor(struct sock *sk, struct hci_dev *hdev,
4635                                     void *data, u16 len)
4636 {
4637         struct mgmt_cp_add_adv_patterns_monitor *cp = data;
4638         struct adv_monitor *m = NULL;
4639         u8 status = MGMT_STATUS_SUCCESS;
4640         size_t expected_size = sizeof(*cp);
4641
4642         BT_DBG("request for %s", hdev->name);
4643
4644         if (len <= sizeof(*cp)) {
4645                 status = MGMT_STATUS_INVALID_PARAMS;
4646                 goto done;
4647         }
4648
4649         expected_size += cp->pattern_count * sizeof(struct mgmt_adv_pattern);
4650         if (len != expected_size) {
4651                 status = MGMT_STATUS_INVALID_PARAMS;
4652                 goto done;
4653         }
4654
4655         m = kzalloc(sizeof(*m), GFP_KERNEL);
4656         if (!m) {
4657                 status = MGMT_STATUS_NO_RESOURCES;
4658                 goto done;
4659         }
4660
4661         INIT_LIST_HEAD(&m->patterns);
4662
4663         parse_adv_monitor_rssi(m, NULL);
4664         status = parse_adv_monitor_pattern(m, cp->pattern_count, cp->patterns);
4665
4666 done:
4667         return __add_adv_patterns_monitor(sk, hdev, m, status, data, len,
4668                                           MGMT_OP_ADD_ADV_PATTERNS_MONITOR);
4669 }
4670
4671 static int add_adv_patterns_monitor_rssi(struct sock *sk, struct hci_dev *hdev,
4672                                          void *data, u16 len)
4673 {
4674         struct mgmt_cp_add_adv_patterns_monitor_rssi *cp = data;
4675         struct adv_monitor *m = NULL;
4676         u8 status = MGMT_STATUS_SUCCESS;
4677         size_t expected_size = sizeof(*cp);
4678
4679         BT_DBG("request for %s", hdev->name);
4680
4681         if (len <= sizeof(*cp)) {
4682                 status = MGMT_STATUS_INVALID_PARAMS;
4683                 goto done;
4684         }
4685
4686         expected_size += cp->pattern_count * sizeof(struct mgmt_adv_pattern);
4687         if (len != expected_size) {
4688                 status = MGMT_STATUS_INVALID_PARAMS;
4689                 goto done;
4690         }
4691
4692         m = kzalloc(sizeof(*m), GFP_KERNEL);
4693         if (!m) {
4694                 status = MGMT_STATUS_NO_RESOURCES;
4695                 goto done;
4696         }
4697
4698         INIT_LIST_HEAD(&m->patterns);
4699
4700         parse_adv_monitor_rssi(m, &cp->rssi);
4701         status = parse_adv_monitor_pattern(m, cp->pattern_count, cp->patterns);
4702
4703 done:
4704         return __add_adv_patterns_monitor(sk, hdev, m, status, data, len,
4705                                          MGMT_OP_ADD_ADV_PATTERNS_MONITOR_RSSI);
4706 }
4707
4708 int mgmt_remove_adv_monitor_complete(struct hci_dev *hdev, u8 status)
4709 {
4710         struct mgmt_rp_remove_adv_monitor rp;
4711         struct mgmt_cp_remove_adv_monitor *cp;
4712         struct mgmt_pending_cmd *cmd;
4713         int err = 0;
4714
4715         hci_dev_lock(hdev);
4716
4717         cmd = pending_find(MGMT_OP_REMOVE_ADV_MONITOR, hdev);
4718         if (!cmd)
4719                 goto done;
4720
4721         cp = cmd->param;
4722         rp.monitor_handle = cp->monitor_handle;
4723
4724         if (!status)
4725                 hci_update_background_scan(hdev);
4726
4727         err = mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
4728                                 mgmt_status(status), &rp, sizeof(rp));
4729         mgmt_pending_remove(cmd);
4730
4731 done:
4732         hci_dev_unlock(hdev);
4733         bt_dev_dbg(hdev, "remove monitor %d complete, status %u",
4734                    rp.monitor_handle, status);
4735
4736         return err;
4737 }
4738
4739 static int remove_adv_monitor(struct sock *sk, struct hci_dev *hdev,
4740                               void *data, u16 len)
4741 {
4742         struct mgmt_cp_remove_adv_monitor *cp = data;
4743         struct mgmt_rp_remove_adv_monitor rp;
4744         struct mgmt_pending_cmd *cmd;
4745         u16 handle = __le16_to_cpu(cp->monitor_handle);
4746         int err, status;
4747         bool pending;
4748
4749         BT_DBG("request for %s", hdev->name);
4750         rp.monitor_handle = cp->monitor_handle;
4751
4752         hci_dev_lock(hdev);
4753
4754         if (pending_find(MGMT_OP_SET_LE, hdev) ||
4755             pending_find(MGMT_OP_REMOVE_ADV_MONITOR, hdev) ||
4756             pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR, hdev) ||
4757             pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR_RSSI, hdev)) {
4758                 status = MGMT_STATUS_BUSY;
4759                 goto unlock;
4760         }
4761
4762         cmd = mgmt_pending_add(sk, MGMT_OP_REMOVE_ADV_MONITOR, hdev, data, len);
4763         if (!cmd) {
4764                 status = MGMT_STATUS_NO_RESOURCES;
4765                 goto unlock;
4766         }
4767
4768         if (handle)
4769                 pending = hci_remove_single_adv_monitor(hdev, handle, &err);
4770         else
4771                 pending = hci_remove_all_adv_monitor(hdev, &err);
4772
4773         if (err) {
4774                 mgmt_pending_remove(cmd);
4775
4776                 if (err == -ENOENT)
4777                         status = MGMT_STATUS_INVALID_INDEX;
4778                 else
4779                         status = MGMT_STATUS_FAILED;
4780
4781                 goto unlock;
4782         }
4783
4784         /* monitor can be removed without forwarding request to controller */
4785         if (!pending) {
4786                 mgmt_pending_remove(cmd);
4787                 hci_dev_unlock(hdev);
4788
4789                 return mgmt_cmd_complete(sk, hdev->id,
4790                                          MGMT_OP_REMOVE_ADV_MONITOR,
4791                                          MGMT_STATUS_SUCCESS,
4792                                          &rp, sizeof(rp));
4793         }
4794
4795         hci_dev_unlock(hdev);
4796         return 0;
4797
4798 unlock:
4799         hci_dev_unlock(hdev);
4800         return mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_ADV_MONITOR,
4801                                status);
4802 }
4803
4804 static void read_local_oob_data_complete(struct hci_dev *hdev, u8 status,
4805                                          u16 opcode, struct sk_buff *skb)
4806 {
4807         struct mgmt_rp_read_local_oob_data mgmt_rp;
4808         size_t rp_size = sizeof(mgmt_rp);
4809         struct mgmt_pending_cmd *cmd;
4810
4811         bt_dev_dbg(hdev, "status %u", status);
4812
4813         cmd = pending_find(MGMT_OP_READ_LOCAL_OOB_DATA, hdev);
4814         if (!cmd)
4815                 return;
4816
4817         if (status || !skb) {
4818                 mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
4819                                 status ? mgmt_status(status) : MGMT_STATUS_FAILED);
4820                 goto remove;
4821         }
4822
4823         memset(&mgmt_rp, 0, sizeof(mgmt_rp));
4824
4825         if (opcode == HCI_OP_READ_LOCAL_OOB_DATA) {
4826                 struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
4827
4828                 if (skb->len < sizeof(*rp)) {
4829                         mgmt_cmd_status(cmd->sk, hdev->id,
4830                                         MGMT_OP_READ_LOCAL_OOB_DATA,
4831                                         MGMT_STATUS_FAILED);
4832                         goto remove;
4833                 }
4834
4835                 memcpy(mgmt_rp.hash192, rp->hash, sizeof(rp->hash));
4836                 memcpy(mgmt_rp.rand192, rp->rand, sizeof(rp->rand));
4837
4838                 rp_size -= sizeof(mgmt_rp.hash256) + sizeof(mgmt_rp.rand256);
4839         } else {
4840                 struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
4841
4842                 if (skb->len < sizeof(*rp)) {
4843                         mgmt_cmd_status(cmd->sk, hdev->id,
4844                                         MGMT_OP_READ_LOCAL_OOB_DATA,
4845                                         MGMT_STATUS_FAILED);
4846                         goto remove;
4847                 }
4848
4849                 memcpy(mgmt_rp.hash192, rp->hash192, sizeof(rp->hash192));
4850                 memcpy(mgmt_rp.rand192, rp->rand192, sizeof(rp->rand192));
4851
4852                 memcpy(mgmt_rp.hash256, rp->hash256, sizeof(rp->hash256));
4853                 memcpy(mgmt_rp.rand256, rp->rand256, sizeof(rp->rand256));
4854         }
4855
4856         mgmt_cmd_complete(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
4857                           MGMT_STATUS_SUCCESS, &mgmt_rp, rp_size);
4858
4859 remove:
4860         mgmt_pending_remove(cmd);
4861 }
4862
4863 static int read_local_oob_data(struct sock *sk, struct hci_dev *hdev,
4864                                void *data, u16 data_len)
4865 {
4866         struct mgmt_pending_cmd *cmd;
4867         struct hci_request req;
4868         int err;
4869
4870         bt_dev_dbg(hdev, "sock %p", sk);
4871
4872         hci_dev_lock(hdev);
4873
4874         if (!hdev_is_powered(hdev)) {
4875                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
4876                                       MGMT_STATUS_NOT_POWERED);
4877                 goto unlock;
4878         }
4879
4880         if (!lmp_ssp_capable(hdev)) {
4881                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
4882                                       MGMT_STATUS_NOT_SUPPORTED);
4883                 goto unlock;
4884         }
4885
4886         if (pending_find(MGMT_OP_READ_LOCAL_OOB_DATA, hdev)) {
4887                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
4888                                       MGMT_STATUS_BUSY);
4889                 goto unlock;
4890         }
4891
4892         cmd = mgmt_pending_add(sk, MGMT_OP_READ_LOCAL_OOB_DATA, hdev, NULL, 0);
4893         if (!cmd) {
4894                 err = -ENOMEM;
4895                 goto unlock;
4896         }
4897
4898         hci_req_init(&req, hdev);
4899
4900         if (bredr_sc_enabled(hdev))
4901                 hci_req_add(&req, HCI_OP_READ_LOCAL_OOB_EXT_DATA, 0, NULL);
4902         else
4903                 hci_req_add(&req, HCI_OP_READ_LOCAL_OOB_DATA, 0, NULL);
4904
4905         err = hci_req_run_skb(&req, read_local_oob_data_complete);
4906         if (err < 0)
4907                 mgmt_pending_remove(cmd);
4908
4909 unlock:
4910         hci_dev_unlock(hdev);
4911         return err;
4912 }
4913
4914 static int add_remote_oob_data(struct sock *sk, struct hci_dev *hdev,
4915                                void *data, u16 len)
4916 {
4917         struct mgmt_addr_info *addr = data;
4918         int err;
4919
4920         bt_dev_dbg(hdev, "sock %p", sk);
4921
4922         if (!bdaddr_type_is_valid(addr->type))
4923                 return mgmt_cmd_complete(sk, hdev->id,
4924                                          MGMT_OP_ADD_REMOTE_OOB_DATA,
4925                                          MGMT_STATUS_INVALID_PARAMS,
4926                                          addr, sizeof(*addr));
4927
4928         hci_dev_lock(hdev);
4929
4930         if (len == MGMT_ADD_REMOTE_OOB_DATA_SIZE) {
4931                 struct mgmt_cp_add_remote_oob_data *cp = data;
4932                 u8 status;
4933
4934                 if (cp->addr.type != BDADDR_BREDR) {
4935                         err = mgmt_cmd_complete(sk, hdev->id,
4936                                                 MGMT_OP_ADD_REMOTE_OOB_DATA,
4937                                                 MGMT_STATUS_INVALID_PARAMS,
4938                                                 &cp->addr, sizeof(cp->addr));
4939                         goto unlock;
4940                 }
4941
4942                 err = hci_add_remote_oob_data(hdev, &cp->addr.bdaddr,
4943                                               cp->addr.type, cp->hash,
4944                                               cp->rand, NULL, NULL);
4945                 if (err < 0)
4946                         status = MGMT_STATUS_FAILED;
4947                 else
4948                         status = MGMT_STATUS_SUCCESS;
4949
4950                 err = mgmt_cmd_complete(sk, hdev->id,
4951                                         MGMT_OP_ADD_REMOTE_OOB_DATA, status,
4952                                         &cp->addr, sizeof(cp->addr));
4953         } else if (len == MGMT_ADD_REMOTE_OOB_EXT_DATA_SIZE) {
4954                 struct mgmt_cp_add_remote_oob_ext_data *cp = data;
4955                 u8 *rand192, *hash192, *rand256, *hash256;
4956                 u8 status;
4957
4958                 if (bdaddr_type_is_le(cp->addr.type)) {
4959                         /* Enforce zero-valued 192-bit parameters as
4960                          * long as legacy SMP OOB isn't implemented.
4961                          */
4962                         if (memcmp(cp->rand192, ZERO_KEY, 16) ||
4963                             memcmp(cp->hash192, ZERO_KEY, 16)) {
4964                                 err = mgmt_cmd_complete(sk, hdev->id,
4965                                                         MGMT_OP_ADD_REMOTE_OOB_DATA,
4966                                                         MGMT_STATUS_INVALID_PARAMS,
4967                                                         addr, sizeof(*addr));
4968                                 goto unlock;
4969                         }
4970
4971                         rand192 = NULL;
4972                         hash192 = NULL;
4973                 } else {
4974                         /* In case one of the P-192 values is set to zero,
4975                          * then just disable OOB data for P-192.
4976                          */
4977                         if (!memcmp(cp->rand192, ZERO_KEY, 16) ||
4978                             !memcmp(cp->hash192, ZERO_KEY, 16)) {
4979                                 rand192 = NULL;
4980                                 hash192 = NULL;
4981                         } else {
4982                                 rand192 = cp->rand192;
4983                                 hash192 = cp->hash192;
4984                         }
4985                 }
4986
4987                 /* In case one of the P-256 values is set to zero, then just
4988                  * disable OOB data for P-256.
4989                  */
4990                 if (!memcmp(cp->rand256, ZERO_KEY, 16) ||
4991                     !memcmp(cp->hash256, ZERO_KEY, 16)) {
4992                         rand256 = NULL;
4993                         hash256 = NULL;
4994                 } else {
4995                         rand256 = cp->rand256;
4996                         hash256 = cp->hash256;
4997                 }
4998
4999                 err = hci_add_remote_oob_data(hdev, &cp->addr.bdaddr,
5000                                               cp->addr.type, hash192, rand192,
5001                                               hash256, rand256);
5002                 if (err < 0)
5003                         status = MGMT_STATUS_FAILED;
5004                 else
5005                         status = MGMT_STATUS_SUCCESS;
5006
5007                 err = mgmt_cmd_complete(sk, hdev->id,
5008                                         MGMT_OP_ADD_REMOTE_OOB_DATA,
5009                                         status, &cp->addr, sizeof(cp->addr));
5010         } else {
5011                 bt_dev_err(hdev, "add_remote_oob_data: invalid len of %u bytes",
5012                            len);
5013                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_REMOTE_OOB_DATA,
5014                                       MGMT_STATUS_INVALID_PARAMS);
5015         }
5016
5017 unlock:
5018         hci_dev_unlock(hdev);
5019         return err;
5020 }
5021
5022 static int remove_remote_oob_data(struct sock *sk, struct hci_dev *hdev,
5023                                   void *data, u16 len)
5024 {
5025         struct mgmt_cp_remove_remote_oob_data *cp = data;
5026         u8 status;
5027         int err;
5028
5029         bt_dev_dbg(hdev, "sock %p", sk);
5030
5031         if (cp->addr.type != BDADDR_BREDR)
5032                 return mgmt_cmd_complete(sk, hdev->id,
5033                                          MGMT_OP_REMOVE_REMOTE_OOB_DATA,
5034                                          MGMT_STATUS_INVALID_PARAMS,
5035                                          &cp->addr, sizeof(cp->addr));
5036
5037         hci_dev_lock(hdev);
5038
5039         if (!bacmp(&cp->addr.bdaddr, BDADDR_ANY)) {
5040                 hci_remote_oob_data_clear(hdev);
5041                 status = MGMT_STATUS_SUCCESS;
5042                 goto done;
5043         }
5044
5045         err = hci_remove_remote_oob_data(hdev, &cp->addr.bdaddr, cp->addr.type);
5046         if (err < 0)
5047                 status = MGMT_STATUS_INVALID_PARAMS;
5048         else
5049                 status = MGMT_STATUS_SUCCESS;
5050
5051 done:
5052         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
5053                                 status, &cp->addr, sizeof(cp->addr));
5054
5055         hci_dev_unlock(hdev);
5056         return err;
5057 }
5058
5059 void mgmt_start_discovery_complete(struct hci_dev *hdev, u8 status)
5060 {
5061         struct mgmt_pending_cmd *cmd;
5062
5063         bt_dev_dbg(hdev, "status %u", status);
5064
5065         hci_dev_lock(hdev);
5066
5067         cmd = pending_find(MGMT_OP_START_DISCOVERY, hdev);
5068         if (!cmd)
5069                 cmd = pending_find(MGMT_OP_START_SERVICE_DISCOVERY, hdev);
5070
5071         if (!cmd)
5072                 cmd = pending_find(MGMT_OP_START_LIMITED_DISCOVERY, hdev);
5073
5074         if (cmd) {
5075                 cmd->cmd_complete(cmd, mgmt_status(status));
5076                 mgmt_pending_remove(cmd);
5077         }
5078
5079         hci_dev_unlock(hdev);
5080
5081         /* Handle suspend notifier */
5082         if (test_and_clear_bit(SUSPEND_UNPAUSE_DISCOVERY,
5083                                hdev->suspend_tasks)) {
5084                 bt_dev_dbg(hdev, "Unpaused discovery");
5085                 wake_up(&hdev->suspend_wait_q);
5086         }
5087 }
5088
5089 static bool discovery_type_is_valid(struct hci_dev *hdev, uint8_t type,
5090                                     uint8_t *mgmt_status)
5091 {
5092         switch (type) {
5093         case DISCOV_TYPE_LE:
5094                 *mgmt_status = mgmt_le_support(hdev);
5095                 if (*mgmt_status)
5096                         return false;
5097                 break;
5098         case DISCOV_TYPE_INTERLEAVED:
5099                 *mgmt_status = mgmt_le_support(hdev);
5100                 if (*mgmt_status)
5101                         return false;
5102                 fallthrough;
5103         case DISCOV_TYPE_BREDR:
5104                 *mgmt_status = mgmt_bredr_support(hdev);
5105                 if (*mgmt_status)
5106                         return false;
5107                 break;
5108         default:
5109                 *mgmt_status = MGMT_STATUS_INVALID_PARAMS;
5110                 return false;
5111         }
5112
5113         return true;
5114 }
5115
5116 static int start_discovery_internal(struct sock *sk, struct hci_dev *hdev,
5117                                     u16 op, void *data, u16 len)
5118 {
5119         struct mgmt_cp_start_discovery *cp = data;
5120         struct mgmt_pending_cmd *cmd;
5121         u8 status;
5122         int err;
5123
5124         bt_dev_dbg(hdev, "sock %p", sk);
5125
5126         hci_dev_lock(hdev);
5127
5128         if (!hdev_is_powered(hdev)) {
5129                 err = mgmt_cmd_complete(sk, hdev->id, op,
5130                                         MGMT_STATUS_NOT_POWERED,
5131                                         &cp->type, sizeof(cp->type));
5132                 goto failed;
5133         }
5134
5135         if (hdev->discovery.state != DISCOVERY_STOPPED ||
5136             hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) {
5137                 err = mgmt_cmd_complete(sk, hdev->id, op, MGMT_STATUS_BUSY,
5138                                         &cp->type, sizeof(cp->type));
5139                 goto failed;
5140         }
5141
5142         if (!discovery_type_is_valid(hdev, cp->type, &status)) {
5143                 err = mgmt_cmd_complete(sk, hdev->id, op, status,
5144                                         &cp->type, sizeof(cp->type));
5145                 goto failed;
5146         }
5147
5148         /* Can't start discovery when it is paused */
5149         if (hdev->discovery_paused) {
5150                 err = mgmt_cmd_complete(sk, hdev->id, op, MGMT_STATUS_BUSY,
5151                                         &cp->type, sizeof(cp->type));
5152                 goto failed;
5153         }
5154
5155         /* Clear the discovery filter first to free any previously
5156          * allocated memory for the UUID list.
5157          */
5158         hci_discovery_filter_clear(hdev);
5159
5160         hdev->discovery.type = cp->type;
5161         hdev->discovery.report_invalid_rssi = false;
5162         if (op == MGMT_OP_START_LIMITED_DISCOVERY)
5163                 hdev->discovery.limited = true;
5164         else
5165                 hdev->discovery.limited = false;
5166
5167         cmd = mgmt_pending_add(sk, op, hdev, data, len);
5168         if (!cmd) {
5169                 err = -ENOMEM;
5170                 goto failed;
5171         }
5172
5173         cmd->cmd_complete = generic_cmd_complete;
5174
5175         hci_discovery_set_state(hdev, DISCOVERY_STARTING);
5176         queue_work(hdev->req_workqueue, &hdev->discov_update);
5177         err = 0;
5178
5179 failed:
5180         hci_dev_unlock(hdev);
5181         return err;
5182 }
5183
5184 static int start_discovery(struct sock *sk, struct hci_dev *hdev,
5185                            void *data, u16 len)
5186 {
5187         return start_discovery_internal(sk, hdev, MGMT_OP_START_DISCOVERY,
5188                                         data, len);
5189 }
5190
5191 static int start_limited_discovery(struct sock *sk, struct hci_dev *hdev,
5192                                    void *data, u16 len)
5193 {
5194         return start_discovery_internal(sk, hdev,
5195                                         MGMT_OP_START_LIMITED_DISCOVERY,
5196                                         data, len);
5197 }
5198
5199 static int service_discovery_cmd_complete(struct mgmt_pending_cmd *cmd,
5200                                           u8 status)
5201 {
5202         return mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status,
5203                                  cmd->param, 1);
5204 }
5205
5206 static int start_service_discovery(struct sock *sk, struct hci_dev *hdev,
5207                                    void *data, u16 len)
5208 {
5209         struct mgmt_cp_start_service_discovery *cp = data;
5210         struct mgmt_pending_cmd *cmd;
5211         const u16 max_uuid_count = ((U16_MAX - sizeof(*cp)) / 16);
5212         u16 uuid_count, expected_len;
5213         u8 status;
5214         int err;
5215
5216         bt_dev_dbg(hdev, "sock %p", sk);
5217
5218         hci_dev_lock(hdev);
5219
5220         if (!hdev_is_powered(hdev)) {
5221                 err = mgmt_cmd_complete(sk, hdev->id,
5222                                         MGMT_OP_START_SERVICE_DISCOVERY,
5223                                         MGMT_STATUS_NOT_POWERED,
5224                                         &cp->type, sizeof(cp->type));
5225                 goto failed;
5226         }
5227
5228         if (hdev->discovery.state != DISCOVERY_STOPPED ||
5229             hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) {
5230                 err = mgmt_cmd_complete(sk, hdev->id,
5231                                         MGMT_OP_START_SERVICE_DISCOVERY,
5232                                         MGMT_STATUS_BUSY, &cp->type,
5233                                         sizeof(cp->type));
5234                 goto failed;
5235         }
5236
5237         if (hdev->discovery_paused) {
5238                 err = mgmt_cmd_complete(sk, hdev->id,
5239                                         MGMT_OP_START_SERVICE_DISCOVERY,
5240                                         MGMT_STATUS_BUSY, &cp->type,
5241                                         sizeof(cp->type));
5242                 goto failed;
5243         }
5244
5245         uuid_count = __le16_to_cpu(cp->uuid_count);
5246         if (uuid_count > max_uuid_count) {
5247                 bt_dev_err(hdev, "service_discovery: too big uuid_count value %u",
5248                            uuid_count);
5249                 err = mgmt_cmd_complete(sk, hdev->id,
5250                                         MGMT_OP_START_SERVICE_DISCOVERY,
5251                                         MGMT_STATUS_INVALID_PARAMS, &cp->type,
5252                                         sizeof(cp->type));
5253                 goto failed;
5254         }
5255
5256         expected_len = sizeof(*cp) + uuid_count * 16;
5257         if (expected_len != len) {
5258                 bt_dev_err(hdev, "service_discovery: expected %u bytes, got %u bytes",
5259                            expected_len, len);
5260                 err = mgmt_cmd_complete(sk, hdev->id,
5261                                         MGMT_OP_START_SERVICE_DISCOVERY,
5262                                         MGMT_STATUS_INVALID_PARAMS, &cp->type,
5263                                         sizeof(cp->type));
5264                 goto failed;
5265         }
5266
5267         if (!discovery_type_is_valid(hdev, cp->type, &status)) {
5268                 err = mgmt_cmd_complete(sk, hdev->id,
5269                                         MGMT_OP_START_SERVICE_DISCOVERY,
5270                                         status, &cp->type, sizeof(cp->type));
5271                 goto failed;
5272         }
5273
5274         cmd = mgmt_pending_add(sk, MGMT_OP_START_SERVICE_DISCOVERY,
5275                                hdev, data, len);
5276         if (!cmd) {
5277                 err = -ENOMEM;
5278                 goto failed;
5279         }
5280
5281         cmd->cmd_complete = service_discovery_cmd_complete;
5282
5283         /* Clear the discovery filter first to free any previously
5284          * allocated memory for the UUID list.
5285          */
5286         hci_discovery_filter_clear(hdev);
5287
5288         hdev->discovery.result_filtering = true;
5289         hdev->discovery.type = cp->type;
5290         hdev->discovery.rssi = cp->rssi;
5291         hdev->discovery.uuid_count = uuid_count;
5292
5293         if (uuid_count > 0) {
5294                 hdev->discovery.uuids = kmemdup(cp->uuids, uuid_count * 16,
5295                                                 GFP_KERNEL);
5296                 if (!hdev->discovery.uuids) {
5297                         err = mgmt_cmd_complete(sk, hdev->id,
5298                                                 MGMT_OP_START_SERVICE_DISCOVERY,
5299                                                 MGMT_STATUS_FAILED,
5300                                                 &cp->type, sizeof(cp->type));
5301                         mgmt_pending_remove(cmd);
5302                         goto failed;
5303                 }
5304         }
5305
5306         hci_discovery_set_state(hdev, DISCOVERY_STARTING);
5307         queue_work(hdev->req_workqueue, &hdev->discov_update);
5308         err = 0;
5309
5310 failed:
5311         hci_dev_unlock(hdev);
5312         return err;
5313 }
5314
5315 void mgmt_stop_discovery_complete(struct hci_dev *hdev, u8 status)
5316 {
5317         struct mgmt_pending_cmd *cmd;
5318
5319         bt_dev_dbg(hdev, "status %u", status);
5320
5321         hci_dev_lock(hdev);
5322
5323         cmd = pending_find(MGMT_OP_STOP_DISCOVERY, hdev);
5324         if (cmd) {
5325                 cmd->cmd_complete(cmd, mgmt_status(status));
5326                 mgmt_pending_remove(cmd);
5327         }
5328
5329         hci_dev_unlock(hdev);
5330
5331         /* Handle suspend notifier */
5332         if (test_and_clear_bit(SUSPEND_PAUSE_DISCOVERY, hdev->suspend_tasks)) {
5333                 bt_dev_dbg(hdev, "Paused discovery");
5334                 wake_up(&hdev->suspend_wait_q);
5335         }
5336 }
5337
5338 static int stop_discovery(struct sock *sk, struct hci_dev *hdev, void *data,
5339                           u16 len)
5340 {
5341         struct mgmt_cp_stop_discovery *mgmt_cp = data;
5342         struct mgmt_pending_cmd *cmd;
5343         int err;
5344
5345         bt_dev_dbg(hdev, "sock %p", sk);
5346
5347         hci_dev_lock(hdev);
5348
5349         if (!hci_discovery_active(hdev)) {
5350                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_STOP_DISCOVERY,
5351                                         MGMT_STATUS_REJECTED, &mgmt_cp->type,
5352                                         sizeof(mgmt_cp->type));
5353                 goto unlock;
5354         }
5355
5356         if (hdev->discovery.type != mgmt_cp->type) {
5357                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_STOP_DISCOVERY,
5358                                         MGMT_STATUS_INVALID_PARAMS,
5359                                         &mgmt_cp->type, sizeof(mgmt_cp->type));
5360                 goto unlock;
5361         }
5362
5363         cmd = mgmt_pending_add(sk, MGMT_OP_STOP_DISCOVERY, hdev, data, len);
5364         if (!cmd) {
5365                 err = -ENOMEM;
5366                 goto unlock;
5367         }
5368
5369         cmd->cmd_complete = generic_cmd_complete;
5370
5371         hci_discovery_set_state(hdev, DISCOVERY_STOPPING);
5372         queue_work(hdev->req_workqueue, &hdev->discov_update);
5373         err = 0;
5374
5375 unlock:
5376         hci_dev_unlock(hdev);
5377         return err;
5378 }
5379
5380 static int confirm_name(struct sock *sk, struct hci_dev *hdev, void *data,
5381                         u16 len)
5382 {
5383         struct mgmt_cp_confirm_name *cp = data;
5384         struct inquiry_entry *e;
5385         int err;
5386
5387         bt_dev_dbg(hdev, "sock %p", sk);
5388
5389         hci_dev_lock(hdev);
5390
5391         if (!hci_discovery_active(hdev)) {
5392                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CONFIRM_NAME,
5393                                         MGMT_STATUS_FAILED, &cp->addr,
5394                                         sizeof(cp->addr));
5395                 goto failed;
5396         }
5397
5398         e = hci_inquiry_cache_lookup_unknown(hdev, &cp->addr.bdaddr);
5399         if (!e) {
5400                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CONFIRM_NAME,
5401                                         MGMT_STATUS_INVALID_PARAMS, &cp->addr,
5402                                         sizeof(cp->addr));
5403                 goto failed;
5404         }
5405
5406         if (cp->name_known) {
5407                 e->name_state = NAME_KNOWN;
5408                 list_del(&e->list);
5409         } else {
5410                 e->name_state = NAME_NEEDED;
5411                 hci_inquiry_cache_update_resolve(hdev, e);
5412         }
5413
5414         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CONFIRM_NAME, 0,
5415                                 &cp->addr, sizeof(cp->addr));
5416
5417 failed:
5418         hci_dev_unlock(hdev);
5419         return err;
5420 }
5421
5422 static int block_device(struct sock *sk, struct hci_dev *hdev, void *data,
5423                         u16 len)
5424 {
5425         struct mgmt_cp_block_device *cp = data;
5426         u8 status;
5427         int err;
5428
5429         bt_dev_dbg(hdev, "sock %p", sk);
5430
5431         if (!bdaddr_type_is_valid(cp->addr.type))
5432                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_BLOCK_DEVICE,
5433                                          MGMT_STATUS_INVALID_PARAMS,
5434                                          &cp->addr, sizeof(cp->addr));
5435
5436         hci_dev_lock(hdev);
5437
5438         err = hci_bdaddr_list_add(&hdev->reject_list, &cp->addr.bdaddr,
5439                                   cp->addr.type);
5440         if (err < 0) {
5441                 status = MGMT_STATUS_FAILED;
5442                 goto done;
5443         }
5444
5445         mgmt_event(MGMT_EV_DEVICE_BLOCKED, hdev, &cp->addr, sizeof(cp->addr),
5446                    sk);
5447         status = MGMT_STATUS_SUCCESS;
5448
5449 done:
5450         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_BLOCK_DEVICE, status,
5451                                 &cp->addr, sizeof(cp->addr));
5452
5453         hci_dev_unlock(hdev);
5454
5455         return err;
5456 }
5457
5458 static int unblock_device(struct sock *sk, struct hci_dev *hdev, void *data,
5459                           u16 len)
5460 {
5461         struct mgmt_cp_unblock_device *cp = data;
5462         u8 status;
5463         int err;
5464
5465         bt_dev_dbg(hdev, "sock %p", sk);
5466
5467         if (!bdaddr_type_is_valid(cp->addr.type))
5468                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNBLOCK_DEVICE,
5469                                          MGMT_STATUS_INVALID_PARAMS,
5470                                          &cp->addr, sizeof(cp->addr));
5471
5472         hci_dev_lock(hdev);
5473
5474         err = hci_bdaddr_list_del(&hdev->reject_list, &cp->addr.bdaddr,
5475                                   cp->addr.type);
5476         if (err < 0) {
5477                 status = MGMT_STATUS_INVALID_PARAMS;
5478                 goto done;
5479         }
5480
5481         mgmt_event(MGMT_EV_DEVICE_UNBLOCKED, hdev, &cp->addr, sizeof(cp->addr),
5482                    sk);
5483         status = MGMT_STATUS_SUCCESS;
5484
5485 done:
5486         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNBLOCK_DEVICE, status,
5487                                 &cp->addr, sizeof(cp->addr));
5488
5489         hci_dev_unlock(hdev);
5490
5491         return err;
5492 }
5493
5494 static int set_device_id(struct sock *sk, struct hci_dev *hdev, void *data,
5495                          u16 len)
5496 {
5497         struct mgmt_cp_set_device_id *cp = data;
5498         struct hci_request req;
5499         int err;
5500         __u16 source;
5501
5502         bt_dev_dbg(hdev, "sock %p", sk);
5503
5504         source = __le16_to_cpu(cp->source);
5505
5506         if (source > 0x0002)
5507                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEVICE_ID,
5508                                        MGMT_STATUS_INVALID_PARAMS);
5509
5510         hci_dev_lock(hdev);
5511
5512         hdev->devid_source = source;
5513         hdev->devid_vendor = __le16_to_cpu(cp->vendor);
5514         hdev->devid_product = __le16_to_cpu(cp->product);
5515         hdev->devid_version = __le16_to_cpu(cp->version);
5516
5517         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_DEVICE_ID, 0,
5518                                 NULL, 0);
5519
5520         hci_req_init(&req, hdev);
5521         __hci_req_update_eir(&req);
5522         hci_req_run(&req, NULL);
5523
5524         hci_dev_unlock(hdev);
5525
5526         return err;
5527 }
5528
5529 static void enable_advertising_instance(struct hci_dev *hdev, u8 status,
5530                                         u16 opcode)
5531 {
5532         bt_dev_dbg(hdev, "status %u", status);
5533 }
5534
5535 static void set_advertising_complete(struct hci_dev *hdev, u8 status,
5536                                      u16 opcode)
5537 {
5538         struct cmd_lookup match = { NULL, hdev };
5539         struct hci_request req;
5540         u8 instance;
5541         struct adv_info *adv_instance;
5542         int err;
5543
5544         hci_dev_lock(hdev);
5545
5546         if (status) {
5547                 u8 mgmt_err = mgmt_status(status);
5548
5549                 mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev,
5550                                      cmd_status_rsp, &mgmt_err);
5551                 goto unlock;
5552         }
5553
5554         if (hci_dev_test_flag(hdev, HCI_LE_ADV))
5555                 hci_dev_set_flag(hdev, HCI_ADVERTISING);
5556         else
5557                 hci_dev_clear_flag(hdev, HCI_ADVERTISING);
5558
5559         mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev, settings_rsp,
5560                              &match);
5561
5562         new_settings(hdev, match.sk);
5563
5564         if (match.sk)
5565                 sock_put(match.sk);
5566
5567         /* Handle suspend notifier */
5568         if (test_and_clear_bit(SUSPEND_PAUSE_ADVERTISING,
5569                                hdev->suspend_tasks)) {
5570                 bt_dev_dbg(hdev, "Paused advertising");
5571                 wake_up(&hdev->suspend_wait_q);
5572         } else if (test_and_clear_bit(SUSPEND_UNPAUSE_ADVERTISING,
5573                                       hdev->suspend_tasks)) {
5574                 bt_dev_dbg(hdev, "Unpaused advertising");
5575                 wake_up(&hdev->suspend_wait_q);
5576         }
5577
5578         /* If "Set Advertising" was just disabled and instance advertising was
5579          * set up earlier, then re-enable multi-instance advertising.
5580          */
5581         if (hci_dev_test_flag(hdev, HCI_ADVERTISING) ||
5582             list_empty(&hdev->adv_instances))
5583                 goto unlock;
5584
5585         instance = hdev->cur_adv_instance;
5586         if (!instance) {
5587                 adv_instance = list_first_entry_or_null(&hdev->adv_instances,
5588                                                         struct adv_info, list);
5589                 if (!adv_instance)
5590                         goto unlock;
5591
5592                 instance = adv_instance->instance;
5593         }
5594
5595         hci_req_init(&req, hdev);
5596
5597         err = __hci_req_schedule_adv_instance(&req, instance, true);
5598
5599         if (!err)
5600                 err = hci_req_run(&req, enable_advertising_instance);
5601
5602         if (err)
5603                 bt_dev_err(hdev, "failed to re-configure advertising");
5604
5605 unlock:
5606         hci_dev_unlock(hdev);
5607 }
5608
5609 static int set_advertising(struct sock *sk, struct hci_dev *hdev, void *data,
5610                            u16 len)
5611 {
5612         struct mgmt_mode *cp = data;
5613         struct mgmt_pending_cmd *cmd;
5614         struct hci_request req;
5615         u8 val, status;
5616         int err;
5617
5618         bt_dev_dbg(hdev, "sock %p", sk);
5619
5620         status = mgmt_le_support(hdev);
5621         if (status)
5622                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
5623                                        status);
5624
5625         /* Enabling the experimental LL Privay support disables support for
5626          * advertising.
5627          */
5628         if (hci_dev_test_flag(hdev, HCI_ENABLE_LL_PRIVACY))
5629                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
5630                                        MGMT_STATUS_NOT_SUPPORTED);
5631
5632         if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
5633                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
5634                                        MGMT_STATUS_INVALID_PARAMS);
5635
5636         if (hdev->advertising_paused)
5637                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
5638                                        MGMT_STATUS_BUSY);
5639
5640         hci_dev_lock(hdev);
5641
5642         val = !!cp->val;
5643
5644         /* The following conditions are ones which mean that we should
5645          * not do any HCI communication but directly send a mgmt
5646          * response to user space (after toggling the flag if
5647          * necessary).
5648          */
5649         if (!hdev_is_powered(hdev) ||
5650             (val == hci_dev_test_flag(hdev, HCI_ADVERTISING) &&
5651              (cp->val == 0x02) == hci_dev_test_flag(hdev, HCI_ADVERTISING_CONNECTABLE)) ||
5652             hci_conn_num(hdev, LE_LINK) > 0 ||
5653             (hci_dev_test_flag(hdev, HCI_LE_SCAN) &&
5654              hdev->le_scan_type == LE_SCAN_ACTIVE)) {
5655                 bool changed;
5656
5657                 if (cp->val) {
5658                         hdev->cur_adv_instance = 0x00;
5659                         changed = !hci_dev_test_and_set_flag(hdev, HCI_ADVERTISING);
5660                         if (cp->val == 0x02)
5661                                 hci_dev_set_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
5662                         else
5663                                 hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
5664                 } else {
5665                         changed = hci_dev_test_and_clear_flag(hdev, HCI_ADVERTISING);
5666                         hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
5667                 }
5668
5669                 err = send_settings_rsp(sk, MGMT_OP_SET_ADVERTISING, hdev);
5670                 if (err < 0)
5671                         goto unlock;
5672
5673                 if (changed)
5674                         err = new_settings(hdev, sk);
5675
5676                 goto unlock;
5677         }
5678
5679         if (pending_find(MGMT_OP_SET_ADVERTISING, hdev) ||
5680             pending_find(MGMT_OP_SET_LE, hdev)) {
5681                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
5682                                       MGMT_STATUS_BUSY);
5683                 goto unlock;
5684         }
5685
5686         cmd = mgmt_pending_add(sk, MGMT_OP_SET_ADVERTISING, hdev, data, len);
5687         if (!cmd) {
5688                 err = -ENOMEM;
5689                 goto unlock;
5690         }
5691
5692         hci_req_init(&req, hdev);
5693
5694         if (cp->val == 0x02)
5695                 hci_dev_set_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
5696         else
5697                 hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
5698
5699         cancel_adv_timeout(hdev);
5700
5701         if (val) {
5702                 /* Switch to instance "0" for the Set Advertising setting.
5703                  * We cannot use update_[adv|scan_rsp]_data() here as the
5704                  * HCI_ADVERTISING flag is not yet set.
5705                  */
5706                 hdev->cur_adv_instance = 0x00;
5707
5708                 if (ext_adv_capable(hdev)) {
5709                         __hci_req_start_ext_adv(&req, 0x00);
5710                 } else {
5711                         __hci_req_update_adv_data(&req, 0x00);
5712                         __hci_req_update_scan_rsp_data(&req, 0x00);
5713                         __hci_req_enable_advertising(&req);
5714                 }
5715         } else {
5716                 __hci_req_disable_advertising(&req);
5717         }
5718
5719         err = hci_req_run(&req, set_advertising_complete);
5720         if (err < 0)
5721                 mgmt_pending_remove(cmd);
5722
5723 unlock:
5724         hci_dev_unlock(hdev);
5725         return err;
5726 }
5727
5728 static int set_static_address(struct sock *sk, struct hci_dev *hdev,
5729                               void *data, u16 len)
5730 {
5731         struct mgmt_cp_set_static_address *cp = data;
5732         int err;
5733
5734         bt_dev_dbg(hdev, "sock %p", sk);
5735
5736         if (!lmp_le_capable(hdev))
5737                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_STATIC_ADDRESS,
5738                                        MGMT_STATUS_NOT_SUPPORTED);
5739
5740         if (hdev_is_powered(hdev))
5741                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_STATIC_ADDRESS,
5742                                        MGMT_STATUS_REJECTED);
5743
5744         if (bacmp(&cp->bdaddr, BDADDR_ANY)) {
5745                 if (!bacmp(&cp->bdaddr, BDADDR_NONE))
5746                         return mgmt_cmd_status(sk, hdev->id,
5747                                                MGMT_OP_SET_STATIC_ADDRESS,
5748                                                MGMT_STATUS_INVALID_PARAMS);
5749
5750                 /* Two most significant bits shall be set */
5751                 if ((cp->bdaddr.b[5] & 0xc0) != 0xc0)
5752                         return mgmt_cmd_status(sk, hdev->id,
5753                                                MGMT_OP_SET_STATIC_ADDRESS,
5754                                                MGMT_STATUS_INVALID_PARAMS);
5755         }
5756
5757         hci_dev_lock(hdev);
5758
5759         bacpy(&hdev->static_addr, &cp->bdaddr);
5760
5761         err = send_settings_rsp(sk, MGMT_OP_SET_STATIC_ADDRESS, hdev);
5762         if (err < 0)
5763                 goto unlock;
5764
5765         err = new_settings(hdev, sk);
5766
5767 unlock:
5768         hci_dev_unlock(hdev);
5769         return err;
5770 }
5771
5772 static int set_scan_params(struct sock *sk, struct hci_dev *hdev,
5773                            void *data, u16 len)
5774 {
5775         struct mgmt_cp_set_scan_params *cp = data;
5776         __u16 interval, window;
5777         int err;
5778
5779         bt_dev_dbg(hdev, "sock %p", sk);
5780
5781         if (!lmp_le_capable(hdev))
5782                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
5783                                        MGMT_STATUS_NOT_SUPPORTED);
5784
5785         interval = __le16_to_cpu(cp->interval);
5786
5787         if (interval < 0x0004 || interval > 0x4000)
5788                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
5789                                        MGMT_STATUS_INVALID_PARAMS);
5790
5791         window = __le16_to_cpu(cp->window);
5792
5793         if (window < 0x0004 || window > 0x4000)
5794                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
5795                                        MGMT_STATUS_INVALID_PARAMS);
5796
5797         if (window > interval)
5798                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
5799                                        MGMT_STATUS_INVALID_PARAMS);
5800
5801         hci_dev_lock(hdev);
5802
5803         hdev->le_scan_interval = interval;
5804         hdev->le_scan_window = window;
5805
5806         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS, 0,
5807                                 NULL, 0);
5808
5809         /* If background scan is running, restart it so new parameters are
5810          * loaded.
5811          */
5812         if (hci_dev_test_flag(hdev, HCI_LE_SCAN) &&
5813             hdev->discovery.state == DISCOVERY_STOPPED) {
5814                 struct hci_request req;
5815
5816                 hci_req_init(&req, hdev);
5817
5818                 hci_req_add_le_scan_disable(&req, false);
5819                 hci_req_add_le_passive_scan(&req);
5820
5821                 hci_req_run(&req, NULL);
5822         }
5823
5824         hci_dev_unlock(hdev);
5825
5826         return err;
5827 }
5828
5829 static void fast_connectable_complete(struct hci_dev *hdev, u8 status,
5830                                       u16 opcode)
5831 {
5832         struct mgmt_pending_cmd *cmd;
5833
5834         bt_dev_dbg(hdev, "status 0x%02x", status);
5835
5836         hci_dev_lock(hdev);
5837
5838         cmd = pending_find(MGMT_OP_SET_FAST_CONNECTABLE, hdev);
5839         if (!cmd)
5840                 goto unlock;
5841
5842         if (status) {
5843                 mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
5844                                 mgmt_status(status));
5845         } else {
5846                 struct mgmt_mode *cp = cmd->param;
5847
5848                 if (cp->val)
5849                         hci_dev_set_flag(hdev, HCI_FAST_CONNECTABLE);
5850                 else
5851                         hci_dev_clear_flag(hdev, HCI_FAST_CONNECTABLE);
5852
5853                 send_settings_rsp(cmd->sk, MGMT_OP_SET_FAST_CONNECTABLE, hdev);
5854                 new_settings(hdev, cmd->sk);
5855         }
5856
5857         mgmt_pending_remove(cmd);
5858
5859 unlock:
5860         hci_dev_unlock(hdev);
5861 }
5862
5863 static int set_fast_connectable(struct sock *sk, struct hci_dev *hdev,
5864                                 void *data, u16 len)
5865 {
5866         struct mgmt_mode *cp = data;
5867         struct mgmt_pending_cmd *cmd;
5868         struct hci_request req;
5869         int err;
5870
5871         bt_dev_dbg(hdev, "sock %p", sk);
5872
5873         if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) ||
5874             hdev->hci_ver < BLUETOOTH_VER_1_2)
5875                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
5876                                        MGMT_STATUS_NOT_SUPPORTED);
5877
5878         if (cp->val != 0x00 && cp->val != 0x01)
5879                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
5880                                        MGMT_STATUS_INVALID_PARAMS);
5881
5882         hci_dev_lock(hdev);
5883
5884         if (pending_find(MGMT_OP_SET_FAST_CONNECTABLE, hdev)) {
5885                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
5886                                       MGMT_STATUS_BUSY);
5887                 goto unlock;
5888         }
5889
5890         if (!!cp->val == hci_dev_test_flag(hdev, HCI_FAST_CONNECTABLE)) {
5891                 err = send_settings_rsp(sk, MGMT_OP_SET_FAST_CONNECTABLE,
5892                                         hdev);
5893                 goto unlock;
5894         }
5895
5896         if (!hdev_is_powered(hdev)) {
5897                 hci_dev_change_flag(hdev, HCI_FAST_CONNECTABLE);
5898                 err = send_settings_rsp(sk, MGMT_OP_SET_FAST_CONNECTABLE,
5899                                         hdev);
5900                 new_settings(hdev, sk);
5901                 goto unlock;
5902         }
5903
5904         cmd = mgmt_pending_add(sk, MGMT_OP_SET_FAST_CONNECTABLE, hdev,
5905                                data, len);
5906         if (!cmd) {
5907                 err = -ENOMEM;
5908                 goto unlock;
5909         }
5910
5911         hci_req_init(&req, hdev);
5912
5913         __hci_req_write_fast_connectable(&req, cp->val);
5914
5915         err = hci_req_run(&req, fast_connectable_complete);
5916         if (err < 0) {
5917                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
5918                                       MGMT_STATUS_FAILED);
5919                 mgmt_pending_remove(cmd);
5920         }
5921
5922 unlock:
5923         hci_dev_unlock(hdev);
5924
5925         return err;
5926 }
5927
5928 static void set_bredr_complete(struct hci_dev *hdev, u8 status, u16 opcode)
5929 {
5930         struct mgmt_pending_cmd *cmd;
5931
5932         bt_dev_dbg(hdev, "status 0x%02x", status);
5933
5934         hci_dev_lock(hdev);
5935
5936         cmd = pending_find(MGMT_OP_SET_BREDR, hdev);
5937         if (!cmd)
5938                 goto unlock;
5939
5940         if (status) {
5941                 u8 mgmt_err = mgmt_status(status);
5942
5943                 /* We need to restore the flag if related HCI commands
5944                  * failed.
5945                  */
5946                 hci_dev_clear_flag(hdev, HCI_BREDR_ENABLED);
5947
5948                 mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
5949         } else {
5950                 send_settings_rsp(cmd->sk, MGMT_OP_SET_BREDR, hdev);
5951                 new_settings(hdev, cmd->sk);
5952         }
5953
5954         mgmt_pending_remove(cmd);
5955
5956 unlock:
5957         hci_dev_unlock(hdev);
5958 }
5959
5960 static int set_bredr(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
5961 {
5962         struct mgmt_mode *cp = data;
5963         struct mgmt_pending_cmd *cmd;
5964         struct hci_request req;
5965         int err;
5966
5967         bt_dev_dbg(hdev, "sock %p", sk);
5968
5969         if (!lmp_bredr_capable(hdev) || !lmp_le_capable(hdev))
5970                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
5971                                        MGMT_STATUS_NOT_SUPPORTED);
5972
5973         if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
5974                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
5975                                        MGMT_STATUS_REJECTED);
5976
5977         if (cp->val != 0x00 && cp->val != 0x01)
5978                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
5979                                        MGMT_STATUS_INVALID_PARAMS);
5980
5981         hci_dev_lock(hdev);
5982
5983         if (cp->val == hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
5984                 err = send_settings_rsp(sk, MGMT_OP_SET_BREDR, hdev);
5985                 goto unlock;
5986         }
5987
5988         if (!hdev_is_powered(hdev)) {
5989                 if (!cp->val) {
5990                         hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
5991                         hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
5992                         hci_dev_clear_flag(hdev, HCI_LINK_SECURITY);
5993                         hci_dev_clear_flag(hdev, HCI_FAST_CONNECTABLE);
5994                         hci_dev_clear_flag(hdev, HCI_HS_ENABLED);
5995                 }
5996
5997                 hci_dev_change_flag(hdev, HCI_BREDR_ENABLED);
5998
5999                 err = send_settings_rsp(sk, MGMT_OP_SET_BREDR, hdev);
6000                 if (err < 0)
6001                         goto unlock;
6002
6003                 err = new_settings(hdev, sk);
6004                 goto unlock;
6005         }
6006
6007         /* Reject disabling when powered on */
6008         if (!cp->val) {
6009                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
6010                                       MGMT_STATUS_REJECTED);
6011                 goto unlock;
6012         } else {
6013                 /* When configuring a dual-mode controller to operate
6014                  * with LE only and using a static address, then switching
6015                  * BR/EDR back on is not allowed.
6016                  *
6017                  * Dual-mode controllers shall operate with the public
6018                  * address as its identity address for BR/EDR and LE. So
6019                  * reject the attempt to create an invalid configuration.
6020                  *
6021                  * The same restrictions applies when secure connections
6022                  * has been enabled. For BR/EDR this is a controller feature
6023                  * while for LE it is a host stack feature. This means that
6024                  * switching BR/EDR back on when secure connections has been
6025                  * enabled is not a supported transaction.
6026                  */
6027                 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
6028                     (bacmp(&hdev->static_addr, BDADDR_ANY) ||
6029                      hci_dev_test_flag(hdev, HCI_SC_ENABLED))) {
6030                         err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
6031                                               MGMT_STATUS_REJECTED);
6032                         goto unlock;
6033                 }
6034         }
6035
6036         if (pending_find(MGMT_OP_SET_BREDR, hdev)) {
6037                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
6038                                       MGMT_STATUS_BUSY);
6039                 goto unlock;
6040         }
6041
6042         cmd = mgmt_pending_add(sk, MGMT_OP_SET_BREDR, hdev, data, len);
6043         if (!cmd) {
6044                 err = -ENOMEM;
6045                 goto unlock;
6046         }
6047
6048         /* We need to flip the bit already here so that
6049          * hci_req_update_adv_data generates the correct flags.
6050          */
6051         hci_dev_set_flag(hdev, HCI_BREDR_ENABLED);
6052
6053         hci_req_init(&req, hdev);
6054
6055         __hci_req_write_fast_connectable(&req, false);
6056         __hci_req_update_scan(&req);
6057
6058         /* Since only the advertising data flags will change, there
6059          * is no need to update the scan response data.
6060          */
6061         __hci_req_update_adv_data(&req, hdev->cur_adv_instance);
6062
6063         err = hci_req_run(&req, set_bredr_complete);
6064         if (err < 0)
6065                 mgmt_pending_remove(cmd);
6066
6067 unlock:
6068         hci_dev_unlock(hdev);
6069         return err;
6070 }
6071
6072 static void sc_enable_complete(struct hci_dev *hdev, u8 status, u16 opcode)
6073 {
6074         struct mgmt_pending_cmd *cmd;
6075         struct mgmt_mode *cp;
6076
6077         bt_dev_dbg(hdev, "status %u", status);
6078
6079         hci_dev_lock(hdev);
6080
6081         cmd = pending_find(MGMT_OP_SET_SECURE_CONN, hdev);
6082         if (!cmd)
6083                 goto unlock;
6084
6085         if (status) {
6086                 mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode,
6087                                 mgmt_status(status));
6088                 goto remove;
6089         }
6090
6091         cp = cmd->param;
6092
6093         switch (cp->val) {
6094         case 0x00:
6095                 hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
6096                 hci_dev_clear_flag(hdev, HCI_SC_ONLY);
6097                 break;
6098         case 0x01:
6099                 hci_dev_set_flag(hdev, HCI_SC_ENABLED);
6100                 hci_dev_clear_flag(hdev, HCI_SC_ONLY);
6101                 break;
6102         case 0x02:
6103                 hci_dev_set_flag(hdev, HCI_SC_ENABLED);
6104                 hci_dev_set_flag(hdev, HCI_SC_ONLY);
6105                 break;
6106         }
6107
6108         send_settings_rsp(cmd->sk, MGMT_OP_SET_SECURE_CONN, hdev);
6109         new_settings(hdev, cmd->sk);
6110
6111 remove:
6112         mgmt_pending_remove(cmd);
6113 unlock:
6114         hci_dev_unlock(hdev);
6115 }
6116
6117 static int set_secure_conn(struct sock *sk, struct hci_dev *hdev,
6118                            void *data, u16 len)
6119 {
6120         struct mgmt_mode *cp = data;
6121         struct mgmt_pending_cmd *cmd;
6122         struct hci_request req;
6123         u8 val;
6124         int err;
6125
6126         bt_dev_dbg(hdev, "sock %p", sk);
6127
6128         if (!lmp_sc_capable(hdev) &&
6129             !hci_dev_test_flag(hdev, HCI_LE_ENABLED))
6130                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
6131                                        MGMT_STATUS_NOT_SUPPORTED);
6132
6133         if (hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
6134             lmp_sc_capable(hdev) &&
6135             !hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
6136                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
6137                                        MGMT_STATUS_REJECTED);
6138
6139         if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
6140                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
6141                                   MGMT_STATUS_INVALID_PARAMS);
6142
6143         hci_dev_lock(hdev);
6144
6145         if (!hdev_is_powered(hdev) || !lmp_sc_capable(hdev) ||
6146             !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
6147                 bool changed;
6148
6149                 if (cp->val) {
6150                         changed = !hci_dev_test_and_set_flag(hdev,
6151                                                              HCI_SC_ENABLED);
6152                         if (cp->val == 0x02)
6153                                 hci_dev_set_flag(hdev, HCI_SC_ONLY);
6154                         else
6155                                 hci_dev_clear_flag(hdev, HCI_SC_ONLY);
6156                 } else {
6157                         changed = hci_dev_test_and_clear_flag(hdev,
6158                                                               HCI_SC_ENABLED);
6159                         hci_dev_clear_flag(hdev, HCI_SC_ONLY);
6160                 }
6161
6162                 err = send_settings_rsp(sk, MGMT_OP_SET_SECURE_CONN, hdev);
6163                 if (err < 0)
6164                         goto failed;
6165
6166                 if (changed)
6167                         err = new_settings(hdev, sk);
6168
6169                 goto failed;
6170         }
6171
6172         if (pending_find(MGMT_OP_SET_SECURE_CONN, hdev)) {
6173                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
6174                                       MGMT_STATUS_BUSY);
6175                 goto failed;
6176         }
6177
6178         val = !!cp->val;
6179
6180         if (val == hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
6181             (cp->val == 0x02) == hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
6182                 err = send_settings_rsp(sk, MGMT_OP_SET_SECURE_CONN, hdev);
6183                 goto failed;
6184         }
6185
6186         cmd = mgmt_pending_add(sk, MGMT_OP_SET_SECURE_CONN, hdev, data, len);
6187         if (!cmd) {
6188                 err = -ENOMEM;
6189                 goto failed;
6190         }
6191
6192         hci_req_init(&req, hdev);
6193         hci_req_add(&req, HCI_OP_WRITE_SC_SUPPORT, 1, &val);
6194         err = hci_req_run(&req, sc_enable_complete);
6195         if (err < 0) {
6196                 mgmt_pending_remove(cmd);
6197                 goto failed;
6198         }
6199
6200 failed:
6201         hci_dev_unlock(hdev);
6202         return err;
6203 }
6204
6205 static int set_debug_keys(struct sock *sk, struct hci_dev *hdev,
6206                           void *data, u16 len)
6207 {
6208         struct mgmt_mode *cp = data;
6209         bool changed, use_changed;
6210         int err;
6211
6212         bt_dev_dbg(hdev, "sock %p", sk);
6213
6214         if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
6215                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEBUG_KEYS,
6216                                        MGMT_STATUS_INVALID_PARAMS);
6217
6218         hci_dev_lock(hdev);
6219
6220         if (cp->val)
6221                 changed = !hci_dev_test_and_set_flag(hdev, HCI_KEEP_DEBUG_KEYS);
6222         else
6223                 changed = hci_dev_test_and_clear_flag(hdev,
6224                                                       HCI_KEEP_DEBUG_KEYS);
6225
6226         if (cp->val == 0x02)
6227                 use_changed = !hci_dev_test_and_set_flag(hdev,
6228                                                          HCI_USE_DEBUG_KEYS);
6229         else
6230                 use_changed = hci_dev_test_and_clear_flag(hdev,
6231                                                           HCI_USE_DEBUG_KEYS);
6232
6233         if (hdev_is_powered(hdev) && use_changed &&
6234             hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
6235                 u8 mode = (cp->val == 0x02) ? 0x01 : 0x00;
6236                 hci_send_cmd(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE,
6237                              sizeof(mode), &mode);
6238         }
6239
6240         err = send_settings_rsp(sk, MGMT_OP_SET_DEBUG_KEYS, hdev);
6241         if (err < 0)
6242                 goto unlock;
6243
6244         if (changed)
6245                 err = new_settings(hdev, sk);
6246
6247 unlock:
6248         hci_dev_unlock(hdev);
6249         return err;
6250 }
6251
6252 static int set_privacy(struct sock *sk, struct hci_dev *hdev, void *cp_data,
6253                        u16 len)
6254 {
6255         struct mgmt_cp_set_privacy *cp = cp_data;
6256         bool changed;
6257         int err;
6258
6259         bt_dev_dbg(hdev, "sock %p", sk);
6260
6261         if (!lmp_le_capable(hdev))
6262                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PRIVACY,
6263                                        MGMT_STATUS_NOT_SUPPORTED);
6264
6265         if (cp->privacy != 0x00 && cp->privacy != 0x01 && cp->privacy != 0x02)
6266                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PRIVACY,
6267                                        MGMT_STATUS_INVALID_PARAMS);
6268
6269         if (hdev_is_powered(hdev))
6270                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PRIVACY,
6271                                        MGMT_STATUS_REJECTED);
6272
6273         hci_dev_lock(hdev);
6274
6275         /* If user space supports this command it is also expected to
6276          * handle IRKs. Therefore, set the HCI_RPA_RESOLVING flag.
6277          */
6278         hci_dev_set_flag(hdev, HCI_RPA_RESOLVING);
6279
6280         if (cp->privacy) {
6281                 changed = !hci_dev_test_and_set_flag(hdev, HCI_PRIVACY);
6282                 memcpy(hdev->irk, cp->irk, sizeof(hdev->irk));
6283                 hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
6284                 hci_adv_instances_set_rpa_expired(hdev, true);
6285                 if (cp->privacy == 0x02)
6286                         hci_dev_set_flag(hdev, HCI_LIMITED_PRIVACY);
6287                 else
6288                         hci_dev_clear_flag(hdev, HCI_LIMITED_PRIVACY);
6289         } else {
6290                 changed = hci_dev_test_and_clear_flag(hdev, HCI_PRIVACY);
6291                 memset(hdev->irk, 0, sizeof(hdev->irk));
6292                 hci_dev_clear_flag(hdev, HCI_RPA_EXPIRED);
6293                 hci_adv_instances_set_rpa_expired(hdev, false);
6294                 hci_dev_clear_flag(hdev, HCI_LIMITED_PRIVACY);
6295         }
6296
6297         err = send_settings_rsp(sk, MGMT_OP_SET_PRIVACY, hdev);
6298         if (err < 0)
6299                 goto unlock;
6300
6301         if (changed)
6302                 err = new_settings(hdev, sk);
6303
6304 unlock:
6305         hci_dev_unlock(hdev);
6306         return err;
6307 }
6308
6309 static bool irk_is_valid(struct mgmt_irk_info *irk)
6310 {
6311         switch (irk->addr.type) {
6312         case BDADDR_LE_PUBLIC:
6313                 return true;
6314
6315         case BDADDR_LE_RANDOM:
6316                 /* Two most significant bits shall be set */
6317                 if ((irk->addr.bdaddr.b[5] & 0xc0) != 0xc0)
6318                         return false;
6319                 return true;
6320         }
6321
6322         return false;
6323 }
6324
6325 static int load_irks(struct sock *sk, struct hci_dev *hdev, void *cp_data,
6326                      u16 len)
6327 {
6328         struct mgmt_cp_load_irks *cp = cp_data;
6329         const u16 max_irk_count = ((U16_MAX - sizeof(*cp)) /
6330                                    sizeof(struct mgmt_irk_info));
6331         u16 irk_count, expected_len;
6332         int i, err;
6333
6334         bt_dev_dbg(hdev, "sock %p", sk);
6335
6336         if (!lmp_le_capable(hdev))
6337                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_IRKS,
6338                                        MGMT_STATUS_NOT_SUPPORTED);
6339
6340         irk_count = __le16_to_cpu(cp->irk_count);
6341         if (irk_count > max_irk_count) {
6342                 bt_dev_err(hdev, "load_irks: too big irk_count value %u",
6343                            irk_count);
6344                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_IRKS,
6345                                        MGMT_STATUS_INVALID_PARAMS);
6346         }
6347
6348         expected_len = struct_size(cp, irks, irk_count);
6349         if (expected_len != len) {
6350                 bt_dev_err(hdev, "load_irks: expected %u bytes, got %u bytes",
6351                            expected_len, len);
6352                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_IRKS,
6353                                        MGMT_STATUS_INVALID_PARAMS);
6354         }
6355
6356         bt_dev_dbg(hdev, "irk_count %u", irk_count);
6357
6358         for (i = 0; i < irk_count; i++) {
6359                 struct mgmt_irk_info *key = &cp->irks[i];
6360
6361                 if (!irk_is_valid(key))
6362                         return mgmt_cmd_status(sk, hdev->id,
6363                                                MGMT_OP_LOAD_IRKS,
6364                                                MGMT_STATUS_INVALID_PARAMS);
6365         }
6366
6367         hci_dev_lock(hdev);
6368
6369         hci_smp_irks_clear(hdev);
6370
6371         for (i = 0; i < irk_count; i++) {
6372                 struct mgmt_irk_info *irk = &cp->irks[i];
6373
6374                 if (hci_is_blocked_key(hdev,
6375                                        HCI_BLOCKED_KEY_TYPE_IRK,
6376                                        irk->val)) {
6377                         bt_dev_warn(hdev, "Skipping blocked IRK for %pMR",
6378                                     &irk->addr.bdaddr);
6379                         continue;
6380                 }
6381
6382                 hci_add_irk(hdev, &irk->addr.bdaddr,
6383                             le_addr_type(irk->addr.type), irk->val,
6384                             BDADDR_ANY);
6385         }
6386
6387         hci_dev_set_flag(hdev, HCI_RPA_RESOLVING);
6388
6389         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_IRKS, 0, NULL, 0);
6390
6391         hci_dev_unlock(hdev);
6392
6393         return err;
6394 }
6395
6396 static bool ltk_is_valid(struct mgmt_ltk_info *key)
6397 {
6398         if (key->initiator != 0x00 && key->initiator != 0x01)
6399                 return false;
6400
6401         switch (key->addr.type) {
6402         case BDADDR_LE_PUBLIC:
6403                 return true;
6404
6405         case BDADDR_LE_RANDOM:
6406                 /* Two most significant bits shall be set */
6407                 if ((key->addr.bdaddr.b[5] & 0xc0) != 0xc0)
6408                         return false;
6409                 return true;
6410         }
6411
6412         return false;
6413 }
6414
6415 static int load_long_term_keys(struct sock *sk, struct hci_dev *hdev,
6416                                void *cp_data, u16 len)
6417 {
6418         struct mgmt_cp_load_long_term_keys *cp = cp_data;
6419         const u16 max_key_count = ((U16_MAX - sizeof(*cp)) /
6420                                    sizeof(struct mgmt_ltk_info));
6421         u16 key_count, expected_len;
6422         int i, err;
6423
6424         bt_dev_dbg(hdev, "sock %p", sk);
6425
6426         if (!lmp_le_capable(hdev))
6427                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS,
6428                                        MGMT_STATUS_NOT_SUPPORTED);
6429
6430         key_count = __le16_to_cpu(cp->key_count);
6431         if (key_count > max_key_count) {
6432                 bt_dev_err(hdev, "load_ltks: too big key_count value %u",
6433                            key_count);
6434                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS,
6435                                        MGMT_STATUS_INVALID_PARAMS);
6436         }
6437
6438         expected_len = struct_size(cp, keys, key_count);
6439         if (expected_len != len) {
6440                 bt_dev_err(hdev, "load_keys: expected %u bytes, got %u bytes",
6441                            expected_len, len);
6442                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS,
6443                                        MGMT_STATUS_INVALID_PARAMS);
6444         }
6445
6446         bt_dev_dbg(hdev, "key_count %u", key_count);
6447
6448         for (i = 0; i < key_count; i++) {
6449                 struct mgmt_ltk_info *key = &cp->keys[i];
6450
6451                 if (!ltk_is_valid(key))
6452                         return mgmt_cmd_status(sk, hdev->id,
6453                                                MGMT_OP_LOAD_LONG_TERM_KEYS,
6454                                                MGMT_STATUS_INVALID_PARAMS);
6455         }
6456
6457         hci_dev_lock(hdev);
6458
6459         hci_smp_ltks_clear(hdev);
6460
6461         for (i = 0; i < key_count; i++) {
6462                 struct mgmt_ltk_info *key = &cp->keys[i];
6463                 u8 type, authenticated;
6464
6465                 if (hci_is_blocked_key(hdev,
6466                                        HCI_BLOCKED_KEY_TYPE_LTK,
6467                                        key->val)) {
6468                         bt_dev_warn(hdev, "Skipping blocked LTK for %pMR",
6469                                     &key->addr.bdaddr);
6470                         continue;
6471                 }
6472
6473                 switch (key->type) {
6474                 case MGMT_LTK_UNAUTHENTICATED:
6475                         authenticated = 0x00;
6476                         type = key->initiator ? SMP_LTK : SMP_LTK_RESPONDER;
6477                         break;
6478                 case MGMT_LTK_AUTHENTICATED:
6479                         authenticated = 0x01;
6480                         type = key->initiator ? SMP_LTK : SMP_LTK_RESPONDER;
6481                         break;
6482                 case MGMT_LTK_P256_UNAUTH:
6483                         authenticated = 0x00;
6484                         type = SMP_LTK_P256;
6485                         break;
6486                 case MGMT_LTK_P256_AUTH:
6487                         authenticated = 0x01;
6488                         type = SMP_LTK_P256;
6489                         break;
6490                 case MGMT_LTK_P256_DEBUG:
6491                         authenticated = 0x00;
6492                         type = SMP_LTK_P256_DEBUG;
6493                         fallthrough;
6494                 default:
6495                         continue;
6496                 }
6497
6498                 hci_add_ltk(hdev, &key->addr.bdaddr,
6499                             le_addr_type(key->addr.type), type, authenticated,
6500                             key->val, key->enc_size, key->ediv, key->rand);
6501         }
6502
6503         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS, 0,
6504                            NULL, 0);
6505
6506         hci_dev_unlock(hdev);
6507
6508         return err;
6509 }
6510
6511 static int conn_info_cmd_complete(struct mgmt_pending_cmd *cmd, u8 status)
6512 {
6513         struct hci_conn *conn = cmd->user_data;
6514         struct mgmt_rp_get_conn_info rp;
6515         int err;
6516
6517         memcpy(&rp.addr, cmd->param, sizeof(rp.addr));
6518
6519         if (status == MGMT_STATUS_SUCCESS) {
6520                 rp.rssi = conn->rssi;
6521                 rp.tx_power = conn->tx_power;
6522                 rp.max_tx_power = conn->max_tx_power;
6523         } else {
6524                 rp.rssi = HCI_RSSI_INVALID;
6525                 rp.tx_power = HCI_TX_POWER_INVALID;
6526                 rp.max_tx_power = HCI_TX_POWER_INVALID;
6527         }
6528
6529         err = mgmt_cmd_complete(cmd->sk, cmd->index, MGMT_OP_GET_CONN_INFO,
6530                                 status, &rp, sizeof(rp));
6531
6532         hci_conn_drop(conn);
6533         hci_conn_put(conn);
6534
6535         return err;
6536 }
6537
6538 static void conn_info_refresh_complete(struct hci_dev *hdev, u8 hci_status,
6539                                        u16 opcode)
6540 {
6541         struct hci_cp_read_rssi *cp;
6542         struct mgmt_pending_cmd *cmd;
6543         struct hci_conn *conn;
6544         u16 handle;
6545         u8 status;
6546
6547         bt_dev_dbg(hdev, "status 0x%02x", hci_status);
6548
6549         hci_dev_lock(hdev);
6550
6551         /* Commands sent in request are either Read RSSI or Read Transmit Power
6552          * Level so we check which one was last sent to retrieve connection
6553          * handle.  Both commands have handle as first parameter so it's safe to
6554          * cast data on the same command struct.
6555          *
6556          * First command sent is always Read RSSI and we fail only if it fails.
6557          * In other case we simply override error to indicate success as we
6558          * already remembered if TX power value is actually valid.
6559          */
6560         cp = hci_sent_cmd_data(hdev, HCI_OP_READ_RSSI);
6561         if (!cp) {
6562                 cp = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
6563                 status = MGMT_STATUS_SUCCESS;
6564         } else {
6565                 status = mgmt_status(hci_status);
6566         }
6567
6568         if (!cp) {
6569                 bt_dev_err(hdev, "invalid sent_cmd in conn_info response");
6570                 goto unlock;
6571         }
6572
6573         handle = __le16_to_cpu(cp->handle);
6574         conn = hci_conn_hash_lookup_handle(hdev, handle);
6575         if (!conn) {
6576                 bt_dev_err(hdev, "unknown handle (%u) in conn_info response",
6577                            handle);
6578                 goto unlock;
6579         }
6580
6581         cmd = pending_find_data(MGMT_OP_GET_CONN_INFO, hdev, conn);
6582         if (!cmd)
6583                 goto unlock;
6584
6585         cmd->cmd_complete(cmd, status);
6586         mgmt_pending_remove(cmd);
6587
6588 unlock:
6589         hci_dev_unlock(hdev);
6590 }
6591
6592 static int get_conn_info(struct sock *sk, struct hci_dev *hdev, void *data,
6593                          u16 len)
6594 {
6595         struct mgmt_cp_get_conn_info *cp = data;
6596         struct mgmt_rp_get_conn_info rp;
6597         struct hci_conn *conn;
6598         unsigned long conn_info_age;
6599         int err = 0;
6600
6601         bt_dev_dbg(hdev, "sock %p", sk);
6602
6603         memset(&rp, 0, sizeof(rp));
6604         bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
6605         rp.addr.type = cp->addr.type;
6606
6607         if (!bdaddr_type_is_valid(cp->addr.type))
6608                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
6609                                          MGMT_STATUS_INVALID_PARAMS,
6610                                          &rp, sizeof(rp));
6611
6612         hci_dev_lock(hdev);
6613
6614         if (!hdev_is_powered(hdev)) {
6615                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
6616                                         MGMT_STATUS_NOT_POWERED, &rp,
6617                                         sizeof(rp));
6618                 goto unlock;
6619         }
6620
6621         if (cp->addr.type == BDADDR_BREDR)
6622                 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
6623                                                &cp->addr.bdaddr);
6624         else
6625                 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->addr.bdaddr);
6626
6627         if (!conn || conn->state != BT_CONNECTED) {
6628                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
6629                                         MGMT_STATUS_NOT_CONNECTED, &rp,
6630                                         sizeof(rp));
6631                 goto unlock;
6632         }
6633
6634         if (pending_find_data(MGMT_OP_GET_CONN_INFO, hdev, conn)) {
6635                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
6636                                         MGMT_STATUS_BUSY, &rp, sizeof(rp));
6637                 goto unlock;
6638         }
6639
6640         /* To avoid client trying to guess when to poll again for information we
6641          * calculate conn info age as random value between min/max set in hdev.
6642          */
6643         conn_info_age = hdev->conn_info_min_age +
6644                         prandom_u32_max(hdev->conn_info_max_age -
6645                                         hdev->conn_info_min_age);
6646
6647         /* Query controller to refresh cached values if they are too old or were
6648          * never read.
6649          */
6650         if (time_after(jiffies, conn->conn_info_timestamp +
6651                        msecs_to_jiffies(conn_info_age)) ||
6652             !conn->conn_info_timestamp) {
6653                 struct hci_request req;
6654                 struct hci_cp_read_tx_power req_txp_cp;
6655                 struct hci_cp_read_rssi req_rssi_cp;
6656                 struct mgmt_pending_cmd *cmd;
6657
6658                 hci_req_init(&req, hdev);
6659                 req_rssi_cp.handle = cpu_to_le16(conn->handle);
6660                 hci_req_add(&req, HCI_OP_READ_RSSI, sizeof(req_rssi_cp),
6661                             &req_rssi_cp);
6662
6663                 /* For LE links TX power does not change thus we don't need to
6664                  * query for it once value is known.
6665                  */
6666                 if (!bdaddr_type_is_le(cp->addr.type) ||
6667                     conn->tx_power == HCI_TX_POWER_INVALID) {
6668                         req_txp_cp.handle = cpu_to_le16(conn->handle);
6669                         req_txp_cp.type = 0x00;
6670                         hci_req_add(&req, HCI_OP_READ_TX_POWER,
6671                                     sizeof(req_txp_cp), &req_txp_cp);
6672                 }
6673
6674                 /* Max TX power needs to be read only once per connection */
6675                 if (conn->max_tx_power == HCI_TX_POWER_INVALID) {
6676                         req_txp_cp.handle = cpu_to_le16(conn->handle);
6677                         req_txp_cp.type = 0x01;
6678                         hci_req_add(&req, HCI_OP_READ_TX_POWER,
6679                                     sizeof(req_txp_cp), &req_txp_cp);
6680                 }
6681
6682                 err = hci_req_run(&req, conn_info_refresh_complete);
6683                 if (err < 0)
6684                         goto unlock;
6685
6686                 cmd = mgmt_pending_add(sk, MGMT_OP_GET_CONN_INFO, hdev,
6687                                        data, len);
6688                 if (!cmd) {
6689                         err = -ENOMEM;
6690                         goto unlock;
6691                 }
6692
6693                 hci_conn_hold(conn);
6694                 cmd->user_data = hci_conn_get(conn);
6695                 cmd->cmd_complete = conn_info_cmd_complete;
6696
6697                 conn->conn_info_timestamp = jiffies;
6698         } else {
6699                 /* Cache is valid, just reply with values cached in hci_conn */
6700                 rp.rssi = conn->rssi;
6701                 rp.tx_power = conn->tx_power;
6702                 rp.max_tx_power = conn->max_tx_power;
6703
6704                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
6705                                         MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
6706         }
6707
6708 unlock:
6709         hci_dev_unlock(hdev);
6710         return err;
6711 }
6712
6713 static int clock_info_cmd_complete(struct mgmt_pending_cmd *cmd, u8 status)
6714 {
6715         struct hci_conn *conn = cmd->user_data;
6716         struct mgmt_rp_get_clock_info rp;
6717         struct hci_dev *hdev;
6718         int err;
6719
6720         memset(&rp, 0, sizeof(rp));
6721         memcpy(&rp.addr, cmd->param, sizeof(rp.addr));
6722
6723         if (status)
6724                 goto complete;
6725
6726         hdev = hci_dev_get(cmd->index);
6727         if (hdev) {
6728                 rp.local_clock = cpu_to_le32(hdev->clock);
6729                 hci_dev_put(hdev);
6730         }
6731
6732         if (conn) {
6733                 rp.piconet_clock = cpu_to_le32(conn->clock);
6734                 rp.accuracy = cpu_to_le16(conn->clock_accuracy);
6735         }
6736
6737 complete:
6738         err = mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status, &rp,
6739                                 sizeof(rp));
6740
6741         if (conn) {
6742                 hci_conn_drop(conn);
6743                 hci_conn_put(conn);
6744         }
6745
6746         return err;
6747 }
6748
6749 static void get_clock_info_complete(struct hci_dev *hdev, u8 status, u16 opcode)
6750 {
6751         struct hci_cp_read_clock *hci_cp;
6752         struct mgmt_pending_cmd *cmd;
6753         struct hci_conn *conn;
6754
6755         bt_dev_dbg(hdev, "status %u", status);
6756
6757         hci_dev_lock(hdev);
6758
6759         hci_cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
6760         if (!hci_cp)
6761                 goto unlock;
6762
6763         if (hci_cp->which) {
6764                 u16 handle = __le16_to_cpu(hci_cp->handle);
6765                 conn = hci_conn_hash_lookup_handle(hdev, handle);
6766         } else {
6767                 conn = NULL;
6768         }
6769
6770         cmd = pending_find_data(MGMT_OP_GET_CLOCK_INFO, hdev, conn);
6771         if (!cmd)
6772                 goto unlock;
6773
6774         cmd->cmd_complete(cmd, mgmt_status(status));
6775         mgmt_pending_remove(cmd);
6776
6777 unlock:
6778         hci_dev_unlock(hdev);
6779 }
6780
6781 static int get_clock_info(struct sock *sk, struct hci_dev *hdev, void *data,
6782                          u16 len)
6783 {
6784         struct mgmt_cp_get_clock_info *cp = data;
6785         struct mgmt_rp_get_clock_info rp;
6786         struct hci_cp_read_clock hci_cp;
6787         struct mgmt_pending_cmd *cmd;
6788         struct hci_request req;
6789         struct hci_conn *conn;
6790         int err;
6791
6792         bt_dev_dbg(hdev, "sock %p", sk);
6793
6794         memset(&rp, 0, sizeof(rp));
6795         bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
6796         rp.addr.type = cp->addr.type;
6797
6798         if (cp->addr.type != BDADDR_BREDR)
6799                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CLOCK_INFO,
6800                                          MGMT_STATUS_INVALID_PARAMS,
6801                                          &rp, sizeof(rp));
6802
6803         hci_dev_lock(hdev);
6804
6805         if (!hdev_is_powered(hdev)) {
6806                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CLOCK_INFO,
6807                                         MGMT_STATUS_NOT_POWERED, &rp,
6808                                         sizeof(rp));
6809                 goto unlock;
6810         }
6811
6812         if (bacmp(&cp->addr.bdaddr, BDADDR_ANY)) {
6813                 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
6814                                                &cp->addr.bdaddr);
6815                 if (!conn || conn->state != BT_CONNECTED) {
6816                         err = mgmt_cmd_complete(sk, hdev->id,
6817                                                 MGMT_OP_GET_CLOCK_INFO,
6818                                                 MGMT_STATUS_NOT_CONNECTED,
6819                                                 &rp, sizeof(rp));
6820                         goto unlock;
6821                 }
6822         } else {
6823                 conn = NULL;
6824         }
6825
6826         cmd = mgmt_pending_add(sk, MGMT_OP_GET_CLOCK_INFO, hdev, data, len);
6827         if (!cmd) {
6828                 err = -ENOMEM;
6829                 goto unlock;
6830         }
6831
6832         cmd->cmd_complete = clock_info_cmd_complete;
6833
6834         hci_req_init(&req, hdev);
6835
6836         memset(&hci_cp, 0, sizeof(hci_cp));
6837         hci_req_add(&req, HCI_OP_READ_CLOCK, sizeof(hci_cp), &hci_cp);
6838
6839         if (conn) {
6840                 hci_conn_hold(conn);
6841                 cmd->user_data = hci_conn_get(conn);
6842
6843                 hci_cp.handle = cpu_to_le16(conn->handle);
6844                 hci_cp.which = 0x01; /* Piconet clock */
6845                 hci_req_add(&req, HCI_OP_READ_CLOCK, sizeof(hci_cp), &hci_cp);
6846         }
6847
6848         err = hci_req_run(&req, get_clock_info_complete);
6849         if (err < 0)
6850                 mgmt_pending_remove(cmd);
6851
6852 unlock:
6853         hci_dev_unlock(hdev);
6854         return err;
6855 }
6856
6857 static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type)
6858 {
6859         struct hci_conn *conn;
6860
6861         conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, addr);
6862         if (!conn)
6863                 return false;
6864
6865         if (conn->dst_type != type)
6866                 return false;
6867
6868         if (conn->state != BT_CONNECTED)
6869                 return false;
6870
6871         return true;
6872 }
6873
6874 /* This function requires the caller holds hdev->lock */
6875 static int hci_conn_params_set(struct hci_dev *hdev, bdaddr_t *addr,
6876                                u8 addr_type, u8 auto_connect)
6877 {
6878         struct hci_conn_params *params;
6879
6880         params = hci_conn_params_add(hdev, addr, addr_type);
6881         if (!params)
6882                 return -EIO;
6883
6884         if (params->auto_connect == auto_connect)
6885                 return 0;
6886
6887         list_del_init(&params->action);
6888
6889         switch (auto_connect) {
6890         case HCI_AUTO_CONN_DISABLED:
6891         case HCI_AUTO_CONN_LINK_LOSS:
6892                 /* If auto connect is being disabled when we're trying to
6893                  * connect to device, keep connecting.
6894                  */
6895                 if (params->explicit_connect)
6896                         list_add(&params->action, &hdev->pend_le_conns);
6897                 break;
6898         case HCI_AUTO_CONN_REPORT:
6899                 if (params->explicit_connect)
6900                         list_add(&params->action, &hdev->pend_le_conns);
6901                 else
6902                         list_add(&params->action, &hdev->pend_le_reports);
6903                 break;
6904         case HCI_AUTO_CONN_DIRECT:
6905         case HCI_AUTO_CONN_ALWAYS:
6906                 if (!is_connected(hdev, addr, addr_type))
6907                         list_add(&params->action, &hdev->pend_le_conns);
6908                 break;
6909         }
6910
6911         params->auto_connect = auto_connect;
6912
6913         bt_dev_dbg(hdev, "addr %pMR (type %u) auto_connect %u",
6914                    addr, addr_type, auto_connect);
6915
6916         return 0;
6917 }
6918
6919 static void device_added(struct sock *sk, struct hci_dev *hdev,
6920                          bdaddr_t *bdaddr, u8 type, u8 action)
6921 {
6922         struct mgmt_ev_device_added ev;
6923
6924         bacpy(&ev.addr.bdaddr, bdaddr);
6925         ev.addr.type = type;
6926         ev.action = action;
6927
6928         mgmt_event(MGMT_EV_DEVICE_ADDED, hdev, &ev, sizeof(ev), sk);
6929 }
6930
6931 static int add_device(struct sock *sk, struct hci_dev *hdev,
6932                       void *data, u16 len)
6933 {
6934         struct mgmt_cp_add_device *cp = data;
6935         u8 auto_conn, addr_type;
6936         struct hci_conn_params *params;
6937         int err;
6938         u32 current_flags = 0;
6939
6940         bt_dev_dbg(hdev, "sock %p", sk);
6941
6942         if (!bdaddr_type_is_valid(cp->addr.type) ||
6943             !bacmp(&cp->addr.bdaddr, BDADDR_ANY))
6944                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
6945                                          MGMT_STATUS_INVALID_PARAMS,
6946                                          &cp->addr, sizeof(cp->addr));
6947
6948         if (cp->action != 0x00 && cp->action != 0x01 && cp->action != 0x02)
6949                 return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
6950                                          MGMT_STATUS_INVALID_PARAMS,
6951                                          &cp->addr, sizeof(cp->addr));
6952
6953         hci_dev_lock(hdev);
6954
6955         if (cp->addr.type == BDADDR_BREDR) {
6956                 /* Only incoming connections action is supported for now */
6957                 if (cp->action != 0x01) {
6958                         err = mgmt_cmd_complete(sk, hdev->id,
6959                                                 MGMT_OP_ADD_DEVICE,
6960                                                 MGMT_STATUS_INVALID_PARAMS,
6961                                                 &cp->addr, sizeof(cp->addr));
6962                         goto unlock;
6963                 }
6964
6965                 err = hci_bdaddr_list_add_with_flags(&hdev->accept_list,
6966                                                      &cp->addr.bdaddr,
6967                                                      cp->addr.type, 0);
6968                 if (err)
6969                         goto unlock;
6970
6971                 hci_req_update_scan(hdev);
6972
6973                 goto added;
6974         }
6975
6976         addr_type = le_addr_type(cp->addr.type);
6977
6978         if (cp->action == 0x02)
6979                 auto_conn = HCI_AUTO_CONN_ALWAYS;
6980         else if (cp->action == 0x01)
6981                 auto_conn = HCI_AUTO_CONN_DIRECT;
6982         else
6983                 auto_conn = HCI_AUTO_CONN_REPORT;
6984
6985         /* Kernel internally uses conn_params with resolvable private
6986          * address, but Add Device allows only identity addresses.
6987          * Make sure it is enforced before calling
6988          * hci_conn_params_lookup.
6989          */
6990         if (!hci_is_identity_address(&cp->addr.bdaddr, addr_type)) {
6991                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
6992                                         MGMT_STATUS_INVALID_PARAMS,
6993                                         &cp->addr, sizeof(cp->addr));
6994                 goto unlock;
6995         }
6996
6997         /* If the connection parameters don't exist for this device,
6998          * they will be created and configured with defaults.
6999          */
7000         if (hci_conn_params_set(hdev, &cp->addr.bdaddr, addr_type,
7001                                 auto_conn) < 0) {
7002                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
7003                                         MGMT_STATUS_FAILED, &cp->addr,
7004                                         sizeof(cp->addr));
7005                 goto unlock;
7006         } else {
7007                 params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr,
7008                                                 addr_type);
7009                 if (params)
7010                         current_flags = params->current_flags;
7011         }
7012
7013         hci_update_background_scan(hdev);
7014
7015 added:
7016         device_added(sk, hdev, &cp->addr.bdaddr, cp->addr.type, cp->action);
7017         device_flags_changed(NULL, hdev, &cp->addr.bdaddr, cp->addr.type,
7018                              SUPPORTED_DEVICE_FLAGS(), current_flags);
7019
7020         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
7021                                 MGMT_STATUS_SUCCESS, &cp->addr,
7022                                 sizeof(cp->addr));
7023
7024 unlock:
7025         hci_dev_unlock(hdev);
7026         return err;
7027 }
7028
7029 static void device_removed(struct sock *sk, struct hci_dev *hdev,
7030                            bdaddr_t *bdaddr, u8 type)
7031 {
7032         struct mgmt_ev_device_removed ev;
7033
7034         bacpy(&ev.addr.bdaddr, bdaddr);
7035         ev.addr.type = type;
7036
7037         mgmt_event(MGMT_EV_DEVICE_REMOVED, hdev, &ev, sizeof(ev), sk);
7038 }
7039
7040 static int remove_device(struct sock *sk, struct hci_dev *hdev,
7041                          void *data, u16 len)
7042 {
7043         struct mgmt_cp_remove_device *cp = data;
7044         int err;
7045
7046         bt_dev_dbg(hdev, "sock %p", sk);
7047
7048         hci_dev_lock(hdev);
7049
7050         if (bacmp(&cp->addr.bdaddr, BDADDR_ANY)) {
7051                 struct hci_conn_params *params;
7052                 u8 addr_type;
7053
7054                 if (!bdaddr_type_is_valid(cp->addr.type)) {
7055                         err = mgmt_cmd_complete(sk, hdev->id,
7056                                                 MGMT_OP_REMOVE_DEVICE,
7057                                                 MGMT_STATUS_INVALID_PARAMS,
7058                                                 &cp->addr, sizeof(cp->addr));
7059                         goto unlock;
7060                 }
7061
7062                 if (cp->addr.type == BDADDR_BREDR) {
7063                         err = hci_bdaddr_list_del(&hdev->accept_list,
7064                                                   &cp->addr.bdaddr,
7065                                                   cp->addr.type);
7066                         if (err) {
7067                                 err = mgmt_cmd_complete(sk, hdev->id,
7068                                                         MGMT_OP_REMOVE_DEVICE,
7069                                                         MGMT_STATUS_INVALID_PARAMS,
7070                                                         &cp->addr,
7071                                                         sizeof(cp->addr));
7072                                 goto unlock;
7073                         }
7074
7075                         hci_req_update_scan(hdev);
7076
7077                         device_removed(sk, hdev, &cp->addr.bdaddr,
7078                                        cp->addr.type);
7079                         goto complete;
7080                 }
7081
7082                 addr_type = le_addr_type(cp->addr.type);
7083
7084                 /* Kernel internally uses conn_params with resolvable private
7085                  * address, but Remove Device allows only identity addresses.
7086                  * Make sure it is enforced before calling
7087                  * hci_conn_params_lookup.
7088                  */
7089                 if (!hci_is_identity_address(&cp->addr.bdaddr, addr_type)) {
7090                         err = mgmt_cmd_complete(sk, hdev->id,
7091                                                 MGMT_OP_REMOVE_DEVICE,
7092                                                 MGMT_STATUS_INVALID_PARAMS,
7093                                                 &cp->addr, sizeof(cp->addr));
7094                         goto unlock;
7095                 }
7096
7097                 params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr,
7098                                                 addr_type);
7099                 if (!params) {
7100                         err = mgmt_cmd_complete(sk, hdev->id,
7101                                                 MGMT_OP_REMOVE_DEVICE,
7102                                                 MGMT_STATUS_INVALID_PARAMS,
7103                                                 &cp->addr, sizeof(cp->addr));
7104                         goto unlock;
7105                 }
7106
7107                 if (params->auto_connect == HCI_AUTO_CONN_DISABLED ||
7108                     params->auto_connect == HCI_AUTO_CONN_EXPLICIT) {
7109                         err = mgmt_cmd_complete(sk, hdev->id,
7110                                                 MGMT_OP_REMOVE_DEVICE,
7111                                                 MGMT_STATUS_INVALID_PARAMS,
7112                                                 &cp->addr, sizeof(cp->addr));
7113                         goto unlock;
7114                 }
7115
7116                 list_del(&params->action);
7117                 list_del(&params->list);
7118                 kfree(params);
7119                 hci_update_background_scan(hdev);
7120
7121                 device_removed(sk, hdev, &cp->addr.bdaddr, cp->addr.type);
7122         } else {
7123                 struct hci_conn_params *p, *tmp;
7124                 struct bdaddr_list *b, *btmp;
7125
7126                 if (cp->addr.type) {
7127                         err = mgmt_cmd_complete(sk, hdev->id,
7128                                                 MGMT_OP_REMOVE_DEVICE,
7129                                                 MGMT_STATUS_INVALID_PARAMS,
7130                                                 &cp->addr, sizeof(cp->addr));
7131                         goto unlock;
7132                 }
7133
7134                 list_for_each_entry_safe(b, btmp, &hdev->accept_list, list) {
7135                         device_removed(sk, hdev, &b->bdaddr, b->bdaddr_type);
7136                         list_del(&b->list);
7137                         kfree(b);
7138                 }
7139
7140                 hci_req_update_scan(hdev);
7141
7142                 list_for_each_entry_safe(p, tmp, &hdev->le_conn_params, list) {
7143                         if (p->auto_connect == HCI_AUTO_CONN_DISABLED)
7144                                 continue;
7145                         device_removed(sk, hdev, &p->addr, p->addr_type);
7146                         if (p->explicit_connect) {
7147                                 p->auto_connect = HCI_AUTO_CONN_EXPLICIT;
7148                                 continue;
7149                         }
7150                         list_del(&p->action);
7151                         list_del(&p->list);
7152                         kfree(p);
7153                 }
7154
7155                 bt_dev_dbg(hdev, "All LE connection parameters were removed");
7156
7157                 hci_update_background_scan(hdev);
7158         }
7159
7160 complete:
7161         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_DEVICE,
7162                                 MGMT_STATUS_SUCCESS, &cp->addr,
7163                                 sizeof(cp->addr));
7164 unlock:
7165         hci_dev_unlock(hdev);
7166         return err;
7167 }
7168
7169 static int load_conn_param(struct sock *sk, struct hci_dev *hdev, void *data,
7170                            u16 len)
7171 {
7172         struct mgmt_cp_load_conn_param *cp = data;
7173         const u16 max_param_count = ((U16_MAX - sizeof(*cp)) /
7174                                      sizeof(struct mgmt_conn_param));
7175         u16 param_count, expected_len;
7176         int i;
7177
7178         if (!lmp_le_capable(hdev))
7179                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM,
7180                                        MGMT_STATUS_NOT_SUPPORTED);
7181
7182         param_count = __le16_to_cpu(cp->param_count);
7183         if (param_count > max_param_count) {
7184                 bt_dev_err(hdev, "load_conn_param: too big param_count value %u",
7185                            param_count);
7186                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM,
7187                                        MGMT_STATUS_INVALID_PARAMS);
7188         }
7189
7190         expected_len = struct_size(cp, params, param_count);
7191         if (expected_len != len) {
7192                 bt_dev_err(hdev, "load_conn_param: expected %u bytes, got %u bytes",
7193                            expected_len, len);
7194                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM,
7195                                        MGMT_STATUS_INVALID_PARAMS);
7196         }
7197
7198         bt_dev_dbg(hdev, "param_count %u", param_count);
7199
7200         hci_dev_lock(hdev);
7201
7202         hci_conn_params_clear_disabled(hdev);
7203
7204         for (i = 0; i < param_count; i++) {
7205                 struct mgmt_conn_param *param = &cp->params[i];
7206                 struct hci_conn_params *hci_param;
7207                 u16 min, max, latency, timeout;
7208                 u8 addr_type;
7209
7210                 bt_dev_dbg(hdev, "Adding %pMR (type %u)", &param->addr.bdaddr,
7211                            param->addr.type);
7212
7213                 if (param->addr.type == BDADDR_LE_PUBLIC) {
7214                         addr_type = ADDR_LE_DEV_PUBLIC;
7215                 } else if (param->addr.type == BDADDR_LE_RANDOM) {
7216                         addr_type = ADDR_LE_DEV_RANDOM;
7217                 } else {
7218                         bt_dev_err(hdev, "ignoring invalid connection parameters");
7219                         continue;
7220                 }
7221
7222                 min = le16_to_cpu(param->min_interval);
7223                 max = le16_to_cpu(param->max_interval);
7224                 latency = le16_to_cpu(param->latency);
7225                 timeout = le16_to_cpu(param->timeout);
7226
7227                 bt_dev_dbg(hdev, "min 0x%04x max 0x%04x latency 0x%04x timeout 0x%04x",
7228                            min, max, latency, timeout);
7229
7230                 if (hci_check_conn_params(min, max, latency, timeout) < 0) {
7231                         bt_dev_err(hdev, "ignoring invalid connection parameters");
7232                         continue;
7233                 }
7234
7235                 hci_param = hci_conn_params_add(hdev, &param->addr.bdaddr,
7236                                                 addr_type);
7237                 if (!hci_param) {
7238                         bt_dev_err(hdev, "failed to add connection parameters");
7239                         continue;
7240                 }
7241
7242                 hci_param->conn_min_interval = min;
7243                 hci_param->conn_max_interval = max;
7244                 hci_param->conn_latency = latency;
7245                 hci_param->supervision_timeout = timeout;
7246         }
7247
7248         hci_dev_unlock(hdev);
7249
7250         return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM, 0,
7251                                  NULL, 0);
7252 }
7253
7254 static int set_external_config(struct sock *sk, struct hci_dev *hdev,
7255                                void *data, u16 len)
7256 {
7257         struct mgmt_cp_set_external_config *cp = data;
7258         bool changed;
7259         int err;
7260
7261         bt_dev_dbg(hdev, "sock %p", sk);
7262
7263         if (hdev_is_powered(hdev))
7264                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_EXTERNAL_CONFIG,
7265                                        MGMT_STATUS_REJECTED);
7266
7267         if (cp->config != 0x00 && cp->config != 0x01)
7268                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_EXTERNAL_CONFIG,
7269                                          MGMT_STATUS_INVALID_PARAMS);
7270
7271         if (!test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks))
7272                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_EXTERNAL_CONFIG,
7273                                        MGMT_STATUS_NOT_SUPPORTED);
7274
7275         hci_dev_lock(hdev);
7276
7277         if (cp->config)
7278                 changed = !hci_dev_test_and_set_flag(hdev, HCI_EXT_CONFIGURED);
7279         else
7280                 changed = hci_dev_test_and_clear_flag(hdev, HCI_EXT_CONFIGURED);
7281
7282         err = send_options_rsp(sk, MGMT_OP_SET_EXTERNAL_CONFIG, hdev);
7283         if (err < 0)
7284                 goto unlock;
7285
7286         if (!changed)
7287                 goto unlock;
7288
7289         err = new_options(hdev, sk);
7290
7291         if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED) == is_configured(hdev)) {
7292                 mgmt_index_removed(hdev);
7293
7294                 if (hci_dev_test_and_change_flag(hdev, HCI_UNCONFIGURED)) {
7295                         hci_dev_set_flag(hdev, HCI_CONFIG);
7296                         hci_dev_set_flag(hdev, HCI_AUTO_OFF);
7297
7298                         queue_work(hdev->req_workqueue, &hdev->power_on);
7299                 } else {
7300                         set_bit(HCI_RAW, &hdev->flags);
7301                         mgmt_index_added(hdev);
7302                 }
7303         }
7304
7305 unlock:
7306         hci_dev_unlock(hdev);
7307         return err;
7308 }
7309
7310 static int set_public_address(struct sock *sk, struct hci_dev *hdev,
7311                               void *data, u16 len)
7312 {
7313         struct mgmt_cp_set_public_address *cp = data;
7314         bool changed;
7315         int err;
7316
7317         bt_dev_dbg(hdev, "sock %p", sk);
7318
7319         if (hdev_is_powered(hdev))
7320                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PUBLIC_ADDRESS,
7321                                        MGMT_STATUS_REJECTED);
7322
7323         if (!bacmp(&cp->bdaddr, BDADDR_ANY))
7324                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PUBLIC_ADDRESS,
7325                                        MGMT_STATUS_INVALID_PARAMS);
7326
7327         if (!hdev->set_bdaddr)
7328                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PUBLIC_ADDRESS,
7329                                        MGMT_STATUS_NOT_SUPPORTED);
7330
7331         hci_dev_lock(hdev);
7332
7333         changed = !!bacmp(&hdev->public_addr, &cp->bdaddr);
7334         bacpy(&hdev->public_addr, &cp->bdaddr);
7335
7336         err = send_options_rsp(sk, MGMT_OP_SET_PUBLIC_ADDRESS, hdev);
7337         if (err < 0)
7338                 goto unlock;
7339
7340         if (!changed)
7341                 goto unlock;
7342
7343         if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
7344                 err = new_options(hdev, sk);
7345
7346         if (is_configured(hdev)) {
7347                 mgmt_index_removed(hdev);
7348
7349                 hci_dev_clear_flag(hdev, HCI_UNCONFIGURED);
7350
7351                 hci_dev_set_flag(hdev, HCI_CONFIG);
7352                 hci_dev_set_flag(hdev, HCI_AUTO_OFF);
7353
7354                 queue_work(hdev->req_workqueue, &hdev->power_on);
7355         }
7356
7357 unlock:
7358         hci_dev_unlock(hdev);
7359         return err;
7360 }
7361
7362 static void read_local_oob_ext_data_complete(struct hci_dev *hdev, u8 status,
7363                                              u16 opcode, struct sk_buff *skb)
7364 {
7365         const struct mgmt_cp_read_local_oob_ext_data *mgmt_cp;
7366         struct mgmt_rp_read_local_oob_ext_data *mgmt_rp;
7367         u8 *h192, *r192, *h256, *r256;
7368         struct mgmt_pending_cmd *cmd;
7369         u16 eir_len;
7370         int err;
7371
7372         bt_dev_dbg(hdev, "status %u", status);
7373
7374         cmd = pending_find(MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev);
7375         if (!cmd)
7376                 return;
7377
7378         mgmt_cp = cmd->param;
7379
7380         if (status) {
7381                 status = mgmt_status(status);
7382                 eir_len = 0;
7383
7384                 h192 = NULL;
7385                 r192 = NULL;
7386                 h256 = NULL;
7387                 r256 = NULL;
7388         } else if (opcode == HCI_OP_READ_LOCAL_OOB_DATA) {
7389                 struct hci_rp_read_local_oob_data *rp;
7390
7391                 if (skb->len != sizeof(*rp)) {
7392                         status = MGMT_STATUS_FAILED;
7393                         eir_len = 0;
7394                 } else {
7395                         status = MGMT_STATUS_SUCCESS;
7396                         rp = (void *)skb->data;
7397
7398                         eir_len = 5 + 18 + 18;
7399                         h192 = rp->hash;
7400                         r192 = rp->rand;
7401                         h256 = NULL;
7402                         r256 = NULL;
7403                 }
7404         } else {
7405                 struct hci_rp_read_local_oob_ext_data *rp;
7406
7407                 if (skb->len != sizeof(*rp)) {
7408                         status = MGMT_STATUS_FAILED;
7409                         eir_len = 0;
7410                 } else {
7411                         status = MGMT_STATUS_SUCCESS;
7412                         rp = (void *)skb->data;
7413
7414                         if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
7415                                 eir_len = 5 + 18 + 18;
7416                                 h192 = NULL;
7417                                 r192 = NULL;
7418                         } else {
7419                                 eir_len = 5 + 18 + 18 + 18 + 18;
7420                                 h192 = rp->hash192;
7421                                 r192 = rp->rand192;
7422                         }
7423
7424                         h256 = rp->hash256;
7425                         r256 = rp->rand256;
7426                 }
7427         }
7428
7429         mgmt_rp = kmalloc(sizeof(*mgmt_rp) + eir_len, GFP_KERNEL);
7430         if (!mgmt_rp)
7431                 goto done;
7432
7433         if (eir_len == 0)
7434                 goto send_rsp;
7435
7436         eir_len = eir_append_data(mgmt_rp->eir, 0, EIR_CLASS_OF_DEV,
7437                                   hdev->dev_class, 3);
7438
7439         if (h192 && r192) {
7440                 eir_len = eir_append_data(mgmt_rp->eir, eir_len,
7441                                           EIR_SSP_HASH_C192, h192, 16);
7442                 eir_len = eir_append_data(mgmt_rp->eir, eir_len,
7443                                           EIR_SSP_RAND_R192, r192, 16);
7444         }
7445
7446         if (h256 && r256) {
7447                 eir_len = eir_append_data(mgmt_rp->eir, eir_len,
7448                                           EIR_SSP_HASH_C256, h256, 16);
7449                 eir_len = eir_append_data(mgmt_rp->eir, eir_len,
7450                                           EIR_SSP_RAND_R256, r256, 16);
7451         }
7452
7453 send_rsp:
7454         mgmt_rp->type = mgmt_cp->type;
7455         mgmt_rp->eir_len = cpu_to_le16(eir_len);
7456
7457         err = mgmt_cmd_complete(cmd->sk, hdev->id,
7458                                 MGMT_OP_READ_LOCAL_OOB_EXT_DATA, status,
7459                                 mgmt_rp, sizeof(*mgmt_rp) + eir_len);
7460         if (err < 0 || status)
7461                 goto done;
7462
7463         hci_sock_set_flag(cmd->sk, HCI_MGMT_OOB_DATA_EVENTS);
7464
7465         err = mgmt_limited_event(MGMT_EV_LOCAL_OOB_DATA_UPDATED, hdev,
7466                                  mgmt_rp, sizeof(*mgmt_rp) + eir_len,
7467                                  HCI_MGMT_OOB_DATA_EVENTS, cmd->sk);
7468 done:
7469         kfree(mgmt_rp);
7470         mgmt_pending_remove(cmd);
7471 }
7472
7473 static int read_local_ssp_oob_req(struct hci_dev *hdev, struct sock *sk,
7474                                   struct mgmt_cp_read_local_oob_ext_data *cp)
7475 {
7476         struct mgmt_pending_cmd *cmd;
7477         struct hci_request req;
7478         int err;
7479
7480         cmd = mgmt_pending_add(sk, MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev,
7481                                cp, sizeof(*cp));
7482         if (!cmd)
7483                 return -ENOMEM;
7484
7485         hci_req_init(&req, hdev);
7486
7487         if (bredr_sc_enabled(hdev))
7488                 hci_req_add(&req, HCI_OP_READ_LOCAL_OOB_EXT_DATA, 0, NULL);
7489         else
7490                 hci_req_add(&req, HCI_OP_READ_LOCAL_OOB_DATA, 0, NULL);
7491
7492         err = hci_req_run_skb(&req, read_local_oob_ext_data_complete);
7493         if (err < 0) {
7494                 mgmt_pending_remove(cmd);
7495                 return err;
7496         }
7497
7498         return 0;
7499 }
7500
7501 static int read_local_oob_ext_data(struct sock *sk, struct hci_dev *hdev,
7502                                    void *data, u16 data_len)
7503 {
7504         struct mgmt_cp_read_local_oob_ext_data *cp = data;
7505         struct mgmt_rp_read_local_oob_ext_data *rp;
7506         size_t rp_len;
7507         u16 eir_len;
7508         u8 status, flags, role, addr[7], hash[16], rand[16];
7509         int err;
7510
7511         bt_dev_dbg(hdev, "sock %p", sk);
7512
7513         if (hdev_is_powered(hdev)) {
7514                 switch (cp->type) {
7515                 case BIT(BDADDR_BREDR):
7516                         status = mgmt_bredr_support(hdev);
7517                         if (status)
7518                                 eir_len = 0;
7519                         else
7520                                 eir_len = 5;
7521                         break;
7522                 case (BIT(BDADDR_LE_PUBLIC) | BIT(BDADDR_LE_RANDOM)):
7523                         status = mgmt_le_support(hdev);
7524                         if (status)
7525                                 eir_len = 0;
7526                         else
7527                                 eir_len = 9 + 3 + 18 + 18 + 3;
7528                         break;
7529                 default:
7530                         status = MGMT_STATUS_INVALID_PARAMS;
7531                         eir_len = 0;
7532                         break;
7533                 }
7534         } else {
7535                 status = MGMT_STATUS_NOT_POWERED;
7536                 eir_len = 0;
7537         }
7538
7539         rp_len = sizeof(*rp) + eir_len;
7540         rp = kmalloc(rp_len, GFP_ATOMIC);
7541         if (!rp)
7542                 return -ENOMEM;
7543
7544         if (!status && !lmp_ssp_capable(hdev)) {
7545                 status = MGMT_STATUS_NOT_SUPPORTED;
7546                 eir_len = 0;
7547         }
7548
7549         if (status)
7550                 goto complete;
7551
7552         hci_dev_lock(hdev);
7553
7554         eir_len = 0;
7555         switch (cp->type) {
7556         case BIT(BDADDR_BREDR):
7557                 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
7558                         err = read_local_ssp_oob_req(hdev, sk, cp);
7559                         hci_dev_unlock(hdev);
7560                         if (!err)
7561                                 goto done;
7562
7563                         status = MGMT_STATUS_FAILED;
7564                         goto complete;
7565                 } else {
7566                         eir_len = eir_append_data(rp->eir, eir_len,
7567                                                   EIR_CLASS_OF_DEV,
7568                                                   hdev->dev_class, 3);
7569                 }
7570                 break;
7571         case (BIT(BDADDR_LE_PUBLIC) | BIT(BDADDR_LE_RANDOM)):
7572                 if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
7573                     smp_generate_oob(hdev, hash, rand) < 0) {
7574                         hci_dev_unlock(hdev);
7575                         status = MGMT_STATUS_FAILED;
7576                         goto complete;
7577                 }
7578
7579                 /* This should return the active RPA, but since the RPA
7580                  * is only programmed on demand, it is really hard to fill
7581                  * this in at the moment. For now disallow retrieving
7582                  * local out-of-band data when privacy is in use.
7583                  *
7584                  * Returning the identity address will not help here since
7585                  * pairing happens before the identity resolving key is
7586                  * known and thus the connection establishment happens
7587                  * based on the RPA and not the identity address.
7588                  */
7589                 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
7590                         hci_dev_unlock(hdev);
7591                         status = MGMT_STATUS_REJECTED;
7592                         goto complete;
7593                 }
7594
7595                 if (hci_dev_test_flag(hdev, HCI_FORCE_STATIC_ADDR) ||
7596                    !bacmp(&hdev->bdaddr, BDADDR_ANY) ||
7597                    (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
7598                     bacmp(&hdev->static_addr, BDADDR_ANY))) {
7599                         memcpy(addr, &hdev->static_addr, 6);
7600                         addr[6] = 0x01;
7601                 } else {
7602                         memcpy(addr, &hdev->bdaddr, 6);
7603                         addr[6] = 0x00;
7604                 }
7605
7606                 eir_len = eir_append_data(rp->eir, eir_len, EIR_LE_BDADDR,
7607                                           addr, sizeof(addr));
7608
7609                 if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
7610                         role = 0x02;
7611                 else
7612                         role = 0x01;
7613
7614                 eir_len = eir_append_data(rp->eir, eir_len, EIR_LE_ROLE,
7615                                           &role, sizeof(role));
7616
7617                 if (hci_dev_test_flag(hdev, HCI_SC_ENABLED)) {
7618                         eir_len = eir_append_data(rp->eir, eir_len,
7619                                                   EIR_LE_SC_CONFIRM,
7620                                                   hash, sizeof(hash));
7621
7622                         eir_len = eir_append_data(rp->eir, eir_len,
7623                                                   EIR_LE_SC_RANDOM,
7624                                                   rand, sizeof(rand));
7625                 }
7626
7627                 flags = mgmt_get_adv_discov_flags(hdev);
7628
7629                 if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
7630                         flags |= LE_AD_NO_BREDR;
7631
7632                 eir_len = eir_append_data(rp->eir, eir_len, EIR_FLAGS,
7633                                           &flags, sizeof(flags));
7634                 break;
7635         }
7636
7637         hci_dev_unlock(hdev);
7638
7639         hci_sock_set_flag(sk, HCI_MGMT_OOB_DATA_EVENTS);
7640
7641         status = MGMT_STATUS_SUCCESS;
7642
7643 complete:
7644         rp->type = cp->type;
7645         rp->eir_len = cpu_to_le16(eir_len);
7646
7647         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_EXT_DATA,
7648                                 status, rp, sizeof(*rp) + eir_len);
7649         if (err < 0 || status)
7650                 goto done;
7651
7652         err = mgmt_limited_event(MGMT_EV_LOCAL_OOB_DATA_UPDATED, hdev,
7653                                  rp, sizeof(*rp) + eir_len,
7654                                  HCI_MGMT_OOB_DATA_EVENTS, sk);
7655
7656 done:
7657         kfree(rp);
7658
7659         return err;
7660 }
7661
7662 static u32 get_supported_adv_flags(struct hci_dev *hdev)
7663 {
7664         u32 flags = 0;
7665
7666         flags |= MGMT_ADV_FLAG_CONNECTABLE;
7667         flags |= MGMT_ADV_FLAG_DISCOV;
7668         flags |= MGMT_ADV_FLAG_LIMITED_DISCOV;
7669         flags |= MGMT_ADV_FLAG_MANAGED_FLAGS;
7670         flags |= MGMT_ADV_FLAG_APPEARANCE;
7671         flags |= MGMT_ADV_FLAG_LOCAL_NAME;
7672         flags |= MGMT_ADV_PARAM_DURATION;
7673         flags |= MGMT_ADV_PARAM_TIMEOUT;
7674         flags |= MGMT_ADV_PARAM_INTERVALS;
7675         flags |= MGMT_ADV_PARAM_TX_POWER;
7676         flags |= MGMT_ADV_PARAM_SCAN_RSP;
7677
7678         /* In extended adv TX_POWER returned from Set Adv Param
7679          * will be always valid.
7680          */
7681         if ((hdev->adv_tx_power != HCI_TX_POWER_INVALID) ||
7682             ext_adv_capable(hdev))
7683                 flags |= MGMT_ADV_FLAG_TX_POWER;
7684
7685         if (ext_adv_capable(hdev)) {
7686                 flags |= MGMT_ADV_FLAG_SEC_1M;
7687                 flags |= MGMT_ADV_FLAG_HW_OFFLOAD;
7688                 flags |= MGMT_ADV_FLAG_CAN_SET_TX_POWER;
7689
7690                 if (hdev->le_features[1] & HCI_LE_PHY_2M)
7691                         flags |= MGMT_ADV_FLAG_SEC_2M;
7692
7693                 if (hdev->le_features[1] & HCI_LE_PHY_CODED)
7694                         flags |= MGMT_ADV_FLAG_SEC_CODED;
7695         }
7696
7697         return flags;
7698 }
7699
7700 static int read_adv_features(struct sock *sk, struct hci_dev *hdev,
7701                              void *data, u16 data_len)
7702 {
7703         struct mgmt_rp_read_adv_features *rp;
7704         size_t rp_len;
7705         int err;
7706         struct adv_info *adv_instance;
7707         u32 supported_flags;
7708         u8 *instance;
7709
7710         bt_dev_dbg(hdev, "sock %p", sk);
7711
7712         if (!lmp_le_capable(hdev))
7713                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_ADV_FEATURES,
7714                                        MGMT_STATUS_REJECTED);
7715
7716         /* Enabling the experimental LL Privay support disables support for
7717          * advertising.
7718          */
7719         if (hci_dev_test_flag(hdev, HCI_ENABLE_LL_PRIVACY))
7720                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_ADV_FEATURES,
7721                                        MGMT_STATUS_NOT_SUPPORTED);
7722
7723         hci_dev_lock(hdev);
7724
7725         rp_len = sizeof(*rp) + hdev->adv_instance_cnt;
7726         rp = kmalloc(rp_len, GFP_ATOMIC);
7727         if (!rp) {
7728                 hci_dev_unlock(hdev);
7729                 return -ENOMEM;
7730         }
7731
7732         supported_flags = get_supported_adv_flags(hdev);
7733
7734         rp->supported_flags = cpu_to_le32(supported_flags);
7735         rp->max_adv_data_len = HCI_MAX_AD_LENGTH;
7736         rp->max_scan_rsp_len = HCI_MAX_AD_LENGTH;
7737         rp->max_instances = hdev->le_num_of_adv_sets;
7738         rp->num_instances = hdev->adv_instance_cnt;
7739
7740         instance = rp->instance;
7741         list_for_each_entry(adv_instance, &hdev->adv_instances, list) {
7742                 *instance = adv_instance->instance;
7743                 instance++;
7744         }
7745
7746         hci_dev_unlock(hdev);
7747
7748         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_ADV_FEATURES,
7749                                 MGMT_STATUS_SUCCESS, rp, rp_len);
7750
7751         kfree(rp);
7752
7753         return err;
7754 }
7755
7756 static u8 calculate_name_len(struct hci_dev *hdev)
7757 {
7758         u8 buf[HCI_MAX_SHORT_NAME_LENGTH + 3];
7759
7760         return eir_append_local_name(hdev, buf, 0);
7761 }
7762
7763 static u8 tlv_data_max_len(struct hci_dev *hdev, u32 adv_flags,
7764                            bool is_adv_data)
7765 {
7766         u8 max_len = HCI_MAX_AD_LENGTH;
7767
7768         if (is_adv_data) {
7769                 if (adv_flags & (MGMT_ADV_FLAG_DISCOV |
7770                                  MGMT_ADV_FLAG_LIMITED_DISCOV |
7771                                  MGMT_ADV_FLAG_MANAGED_FLAGS))
7772                         max_len -= 3;
7773
7774                 if (adv_flags & MGMT_ADV_FLAG_TX_POWER)
7775                         max_len -= 3;
7776         } else {
7777                 if (adv_flags & MGMT_ADV_FLAG_LOCAL_NAME)
7778                         max_len -= calculate_name_len(hdev);
7779
7780                 if (adv_flags & (MGMT_ADV_FLAG_APPEARANCE))
7781                         max_len -= 4;
7782         }
7783
7784         return max_len;
7785 }
7786
7787 static bool flags_managed(u32 adv_flags)
7788 {
7789         return adv_flags & (MGMT_ADV_FLAG_DISCOV |
7790                             MGMT_ADV_FLAG_LIMITED_DISCOV |
7791                             MGMT_ADV_FLAG_MANAGED_FLAGS);
7792 }
7793
7794 static bool tx_power_managed(u32 adv_flags)
7795 {
7796         return adv_flags & MGMT_ADV_FLAG_TX_POWER;
7797 }
7798
7799 static bool name_managed(u32 adv_flags)
7800 {
7801         return adv_flags & MGMT_ADV_FLAG_LOCAL_NAME;
7802 }
7803
7804 static bool appearance_managed(u32 adv_flags)
7805 {
7806         return adv_flags & MGMT_ADV_FLAG_APPEARANCE;
7807 }
7808
7809 static bool tlv_data_is_valid(struct hci_dev *hdev, u32 adv_flags, u8 *data,
7810                               u8 len, bool is_adv_data)
7811 {
7812         int i, cur_len;
7813         u8 max_len;
7814
7815         max_len = tlv_data_max_len(hdev, adv_flags, is_adv_data);
7816
7817         if (len > max_len)
7818                 return false;
7819
7820         /* Make sure that the data is correctly formatted. */
7821         for (i = 0, cur_len = 0; i < len; i += (cur_len + 1)) {
7822                 cur_len = data[i];
7823
7824                 if (!cur_len)
7825                         continue;
7826
7827                 if (data[i + 1] == EIR_FLAGS &&
7828                     (!is_adv_data || flags_managed(adv_flags)))
7829                         return false;
7830
7831                 if (data[i + 1] == EIR_TX_POWER && tx_power_managed(adv_flags))
7832                         return false;
7833
7834                 if (data[i + 1] == EIR_NAME_COMPLETE && name_managed(adv_flags))
7835                         return false;
7836
7837                 if (data[i + 1] == EIR_NAME_SHORT && name_managed(adv_flags))
7838                         return false;
7839
7840                 if (data[i + 1] == EIR_APPEARANCE &&
7841                     appearance_managed(adv_flags))
7842                         return false;
7843
7844                 /* If the current field length would exceed the total data
7845                  * length, then it's invalid.
7846                  */
7847                 if (i + cur_len >= len)
7848                         return false;
7849         }
7850
7851         return true;
7852 }
7853
7854 static bool requested_adv_flags_are_valid(struct hci_dev *hdev, u32 adv_flags)
7855 {
7856         u32 supported_flags, phy_flags;
7857
7858         /* The current implementation only supports a subset of the specified
7859          * flags. Also need to check mutual exclusiveness of sec flags.
7860          */
7861         supported_flags = get_supported_adv_flags(hdev);
7862         phy_flags = adv_flags & MGMT_ADV_FLAG_SEC_MASK;
7863         if (adv_flags & ~supported_flags ||
7864             ((phy_flags && (phy_flags ^ (phy_flags & -phy_flags)))))
7865                 return false;
7866
7867         return true;
7868 }
7869
7870 static bool adv_busy(struct hci_dev *hdev)
7871 {
7872         return (pending_find(MGMT_OP_ADD_ADVERTISING, hdev) ||
7873                 pending_find(MGMT_OP_REMOVE_ADVERTISING, hdev) ||
7874                 pending_find(MGMT_OP_SET_LE, hdev) ||
7875                 pending_find(MGMT_OP_ADD_EXT_ADV_PARAMS, hdev) ||
7876                 pending_find(MGMT_OP_ADD_EXT_ADV_DATA, hdev));
7877 }
7878
7879 static void add_advertising_complete(struct hci_dev *hdev, u8 status,
7880                                      u16 opcode)
7881 {
7882         struct mgmt_pending_cmd *cmd;
7883         struct mgmt_cp_add_advertising *cp;
7884         struct mgmt_rp_add_advertising rp;
7885         struct adv_info *adv_instance, *n;
7886         u8 instance;
7887
7888         bt_dev_dbg(hdev, "status %u", status);
7889
7890         hci_dev_lock(hdev);
7891
7892         cmd = pending_find(MGMT_OP_ADD_ADVERTISING, hdev);
7893         if (!cmd)
7894                 cmd = pending_find(MGMT_OP_ADD_EXT_ADV_DATA, hdev);
7895
7896         list_for_each_entry_safe(adv_instance, n, &hdev->adv_instances, list) {
7897                 if (!adv_instance->pending)
7898                         continue;
7899
7900                 if (!status) {
7901                         adv_instance->pending = false;
7902                         continue;
7903                 }
7904
7905                 instance = adv_instance->instance;
7906
7907                 if (hdev->cur_adv_instance == instance)
7908                         cancel_adv_timeout(hdev);
7909
7910                 hci_remove_adv_instance(hdev, instance);
7911                 mgmt_advertising_removed(cmd ? cmd->sk : NULL, hdev, instance);
7912         }
7913
7914         if (!cmd)
7915                 goto unlock;
7916
7917         cp = cmd->param;
7918         rp.instance = cp->instance;
7919
7920         if (status)
7921                 mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode,
7922                                 mgmt_status(status));
7923         else
7924                 mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
7925                                   mgmt_status(status), &rp, sizeof(rp));
7926
7927         mgmt_pending_remove(cmd);
7928
7929 unlock:
7930         hci_dev_unlock(hdev);
7931 }
7932
7933 static int add_advertising(struct sock *sk, struct hci_dev *hdev,
7934                            void *data, u16 data_len)
7935 {
7936         struct mgmt_cp_add_advertising *cp = data;
7937         struct mgmt_rp_add_advertising rp;
7938         u32 flags;
7939         u8 status;
7940         u16 timeout, duration;
7941         unsigned int prev_instance_cnt = hdev->adv_instance_cnt;
7942         u8 schedule_instance = 0;
7943         struct adv_info *next_instance;
7944         int err;
7945         struct mgmt_pending_cmd *cmd;
7946         struct hci_request req;
7947
7948         bt_dev_dbg(hdev, "sock %p", sk);
7949
7950         status = mgmt_le_support(hdev);
7951         if (status)
7952                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
7953                                        status);
7954
7955         /* Enabling the experimental LL Privay support disables support for
7956          * advertising.
7957          */
7958         if (hci_dev_test_flag(hdev, HCI_ENABLE_LL_PRIVACY))
7959                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
7960                                        MGMT_STATUS_NOT_SUPPORTED);
7961
7962         if (cp->instance < 1 || cp->instance > hdev->le_num_of_adv_sets)
7963                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
7964                                        MGMT_STATUS_INVALID_PARAMS);
7965
7966         if (data_len != sizeof(*cp) + cp->adv_data_len + cp->scan_rsp_len)
7967                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
7968                                        MGMT_STATUS_INVALID_PARAMS);
7969
7970         flags = __le32_to_cpu(cp->flags);
7971         timeout = __le16_to_cpu(cp->timeout);
7972         duration = __le16_to_cpu(cp->duration);
7973
7974         if (!requested_adv_flags_are_valid(hdev, flags))
7975                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
7976                                        MGMT_STATUS_INVALID_PARAMS);
7977
7978         hci_dev_lock(hdev);
7979
7980         if (timeout && !hdev_is_powered(hdev)) {
7981                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
7982                                       MGMT_STATUS_REJECTED);
7983                 goto unlock;
7984         }
7985
7986         if (adv_busy(hdev)) {
7987                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
7988                                       MGMT_STATUS_BUSY);
7989                 goto unlock;
7990         }
7991
7992         if (!tlv_data_is_valid(hdev, flags, cp->data, cp->adv_data_len, true) ||
7993             !tlv_data_is_valid(hdev, flags, cp->data + cp->adv_data_len,
7994                                cp->scan_rsp_len, false)) {
7995                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
7996                                       MGMT_STATUS_INVALID_PARAMS);
7997                 goto unlock;
7998         }
7999
8000         err = hci_add_adv_instance(hdev, cp->instance, flags,
8001                                    cp->adv_data_len, cp->data,
8002                                    cp->scan_rsp_len,
8003                                    cp->data + cp->adv_data_len,
8004                                    timeout, duration,
8005                                    HCI_ADV_TX_POWER_NO_PREFERENCE,
8006                                    hdev->le_adv_min_interval,
8007                                    hdev->le_adv_max_interval);
8008         if (err < 0) {
8009                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
8010                                       MGMT_STATUS_FAILED);
8011                 goto unlock;
8012         }
8013
8014         /* Only trigger an advertising added event if a new instance was
8015          * actually added.
8016          */
8017         if (hdev->adv_instance_cnt > prev_instance_cnt)
8018                 mgmt_advertising_added(sk, hdev, cp->instance);
8019
8020         if (hdev->cur_adv_instance == cp->instance) {
8021                 /* If the currently advertised instance is being changed then
8022                  * cancel the current advertising and schedule the next
8023                  * instance. If there is only one instance then the overridden
8024                  * advertising data will be visible right away.
8025                  */
8026                 cancel_adv_timeout(hdev);
8027
8028                 next_instance = hci_get_next_instance(hdev, cp->instance);
8029                 if (next_instance)
8030                         schedule_instance = next_instance->instance;
8031         } else if (!hdev->adv_instance_timeout) {
8032                 /* Immediately advertise the new instance if no other
8033                  * instance is currently being advertised.
8034                  */
8035                 schedule_instance = cp->instance;
8036         }
8037
8038         /* If the HCI_ADVERTISING flag is set or the device isn't powered or
8039          * there is no instance to be advertised then we have no HCI
8040          * communication to make. Simply return.
8041          */
8042         if (!hdev_is_powered(hdev) ||
8043             hci_dev_test_flag(hdev, HCI_ADVERTISING) ||
8044             !schedule_instance) {
8045                 rp.instance = cp->instance;
8046                 err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
8047                                         MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
8048                 goto unlock;
8049         }
8050
8051         /* We're good to go, update advertising data, parameters, and start
8052          * advertising.
8053          */
8054         cmd = mgmt_pending_add(sk, MGMT_OP_ADD_ADVERTISING, hdev, data,
8055                                data_len);
8056         if (!cmd) {
8057                 err = -ENOMEM;
8058                 goto unlock;
8059         }
8060
8061         hci_req_init(&req, hdev);
8062
8063         err = __hci_req_schedule_adv_instance(&req, schedule_instance, true);
8064
8065         if (!err)
8066                 err = hci_req_run(&req, add_advertising_complete);
8067
8068         if (err < 0) {
8069                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
8070                                       MGMT_STATUS_FAILED);
8071                 mgmt_pending_remove(cmd);
8072         }
8073
8074 unlock:
8075         hci_dev_unlock(hdev);
8076
8077         return err;
8078 }
8079
8080 static void add_ext_adv_params_complete(struct hci_dev *hdev, u8 status,
8081                                         u16 opcode)
8082 {
8083         struct mgmt_pending_cmd *cmd;
8084         struct mgmt_cp_add_ext_adv_params *cp;
8085         struct mgmt_rp_add_ext_adv_params rp;
8086         struct adv_info *adv_instance;
8087         u32 flags;
8088
8089         BT_DBG("%s", hdev->name);
8090
8091         hci_dev_lock(hdev);
8092
8093         cmd = pending_find(MGMT_OP_ADD_EXT_ADV_PARAMS, hdev);
8094         if (!cmd)
8095                 goto unlock;
8096
8097         cp = cmd->param;
8098         adv_instance = hci_find_adv_instance(hdev, cp->instance);
8099         if (!adv_instance)
8100                 goto unlock;
8101
8102         rp.instance = cp->instance;
8103         rp.tx_power = adv_instance->tx_power;
8104
8105         /* While we're at it, inform userspace of the available space for this
8106          * advertisement, given the flags that will be used.
8107          */
8108         flags = __le32_to_cpu(cp->flags);
8109         rp.max_adv_data_len = tlv_data_max_len(hdev, flags, true);
8110         rp.max_scan_rsp_len = tlv_data_max_len(hdev, flags, false);
8111
8112         if (status) {
8113                 /* If this advertisement was previously advertising and we
8114                  * failed to update it, we signal that it has been removed and
8115                  * delete its structure
8116                  */
8117                 if (!adv_instance->pending)
8118                         mgmt_advertising_removed(cmd->sk, hdev, cp->instance);
8119
8120                 hci_remove_adv_instance(hdev, cp->instance);
8121
8122                 mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode,
8123                                 mgmt_status(status));
8124
8125         } else {
8126                 mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
8127                                   mgmt_status(status), &rp, sizeof(rp));
8128         }
8129
8130 unlock:
8131         if (cmd)
8132                 mgmt_pending_remove(cmd);
8133
8134         hci_dev_unlock(hdev);
8135 }
8136
8137 static int add_ext_adv_params(struct sock *sk, struct hci_dev *hdev,
8138                               void *data, u16 data_len)
8139 {
8140         struct mgmt_cp_add_ext_adv_params *cp = data;
8141         struct mgmt_rp_add_ext_adv_params rp;
8142         struct mgmt_pending_cmd *cmd = NULL;
8143         struct adv_info *adv_instance;
8144         struct hci_request req;
8145         u32 flags, min_interval, max_interval;
8146         u16 timeout, duration;
8147         u8 status;
8148         s8 tx_power;
8149         int err;
8150
8151         BT_DBG("%s", hdev->name);
8152
8153         status = mgmt_le_support(hdev);
8154         if (status)
8155                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
8156                                        status);
8157
8158         if (cp->instance < 1 || cp->instance > hdev->le_num_of_adv_sets)
8159                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
8160                                        MGMT_STATUS_INVALID_PARAMS);
8161
8162         /* The purpose of breaking add_advertising into two separate MGMT calls
8163          * for params and data is to allow more parameters to be added to this
8164          * structure in the future. For this reason, we verify that we have the
8165          * bare minimum structure we know of when the interface was defined. Any
8166          * extra parameters we don't know about will be ignored in this request.
8167          */
8168         if (data_len < MGMT_ADD_EXT_ADV_PARAMS_MIN_SIZE)
8169                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
8170                                        MGMT_STATUS_INVALID_PARAMS);
8171
8172         flags = __le32_to_cpu(cp->flags);
8173
8174         if (!requested_adv_flags_are_valid(hdev, flags))
8175                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
8176                                        MGMT_STATUS_INVALID_PARAMS);
8177
8178         hci_dev_lock(hdev);
8179
8180         /* In new interface, we require that we are powered to register */
8181         if (!hdev_is_powered(hdev)) {
8182                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
8183                                       MGMT_STATUS_REJECTED);
8184                 goto unlock;
8185         }
8186
8187         if (adv_busy(hdev)) {
8188                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
8189                                       MGMT_STATUS_BUSY);
8190                 goto unlock;
8191         }
8192
8193         /* Parse defined parameters from request, use defaults otherwise */
8194         timeout = (flags & MGMT_ADV_PARAM_TIMEOUT) ?
8195                   __le16_to_cpu(cp->timeout) : 0;
8196
8197         duration = (flags & MGMT_ADV_PARAM_DURATION) ?
8198                    __le16_to_cpu(cp->duration) :
8199                    hdev->def_multi_adv_rotation_duration;
8200
8201         min_interval = (flags & MGMT_ADV_PARAM_INTERVALS) ?
8202                        __le32_to_cpu(cp->min_interval) :
8203                        hdev->le_adv_min_interval;
8204
8205         max_interval = (flags & MGMT_ADV_PARAM_INTERVALS) ?
8206                        __le32_to_cpu(cp->max_interval) :
8207                        hdev->le_adv_max_interval;
8208
8209         tx_power = (flags & MGMT_ADV_PARAM_TX_POWER) ?
8210                    cp->tx_power :
8211                    HCI_ADV_TX_POWER_NO_PREFERENCE;
8212
8213         /* Create advertising instance with no advertising or response data */
8214         err = hci_add_adv_instance(hdev, cp->instance, flags,
8215                                    0, NULL, 0, NULL, timeout, duration,
8216                                    tx_power, min_interval, max_interval);
8217
8218         if (err < 0) {
8219                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
8220                                       MGMT_STATUS_FAILED);
8221                 goto unlock;
8222         }
8223
8224         /* Submit request for advertising params if ext adv available */
8225         if (ext_adv_capable(hdev)) {
8226                 hci_req_init(&req, hdev);
8227                 adv_instance = hci_find_adv_instance(hdev, cp->instance);
8228
8229                 /* Updating parameters of an active instance will return a
8230                  * Command Disallowed error, so we must first disable the
8231                  * instance if it is active.
8232                  */
8233                 if (!adv_instance->pending)
8234                         __hci_req_disable_ext_adv_instance(&req, cp->instance);
8235
8236                 __hci_req_setup_ext_adv_instance(&req, cp->instance);
8237
8238                 err = hci_req_run(&req, add_ext_adv_params_complete);
8239
8240                 if (!err)
8241                         cmd = mgmt_pending_add(sk, MGMT_OP_ADD_EXT_ADV_PARAMS,
8242                                                hdev, data, data_len);
8243                 if (!cmd) {
8244                         err = -ENOMEM;
8245                         hci_remove_adv_instance(hdev, cp->instance);
8246                         goto unlock;
8247                 }
8248
8249         } else {
8250                 rp.instance = cp->instance;
8251                 rp.tx_power = HCI_ADV_TX_POWER_NO_PREFERENCE;
8252                 rp.max_adv_data_len = tlv_data_max_len(hdev, flags, true);
8253                 rp.max_scan_rsp_len = tlv_data_max_len(hdev, flags, false);
8254                 err = mgmt_cmd_complete(sk, hdev->id,
8255                                         MGMT_OP_ADD_EXT_ADV_PARAMS,
8256                                         MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
8257         }
8258
8259 unlock:
8260         hci_dev_unlock(hdev);
8261
8262         return err;
8263 }
8264
8265 static int add_ext_adv_data(struct sock *sk, struct hci_dev *hdev, void *data,
8266                             u16 data_len)
8267 {
8268         struct mgmt_cp_add_ext_adv_data *cp = data;
8269         struct mgmt_rp_add_ext_adv_data rp;
8270         u8 schedule_instance = 0;
8271         struct adv_info *next_instance;
8272         struct adv_info *adv_instance;
8273         int err = 0;
8274         struct mgmt_pending_cmd *cmd;
8275         struct hci_request req;
8276
8277         BT_DBG("%s", hdev->name);
8278
8279         hci_dev_lock(hdev);
8280
8281         adv_instance = hci_find_adv_instance(hdev, cp->instance);
8282
8283         if (!adv_instance) {
8284                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
8285                                       MGMT_STATUS_INVALID_PARAMS);
8286                 goto unlock;
8287         }
8288
8289         /* In new interface, we require that we are powered to register */
8290         if (!hdev_is_powered(hdev)) {
8291                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
8292                                       MGMT_STATUS_REJECTED);
8293                 goto clear_new_instance;
8294         }
8295
8296         if (adv_busy(hdev)) {
8297                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
8298                                       MGMT_STATUS_BUSY);
8299                 goto clear_new_instance;
8300         }
8301
8302         /* Validate new data */
8303         if (!tlv_data_is_valid(hdev, adv_instance->flags, cp->data,
8304                                cp->adv_data_len, true) ||
8305             !tlv_data_is_valid(hdev, adv_instance->flags, cp->data +
8306                                cp->adv_data_len, cp->scan_rsp_len, false)) {
8307                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
8308                                       MGMT_STATUS_INVALID_PARAMS);
8309                 goto clear_new_instance;
8310         }
8311
8312         /* Set the data in the advertising instance */
8313         hci_set_adv_instance_data(hdev, cp->instance, cp->adv_data_len,
8314                                   cp->data, cp->scan_rsp_len,
8315                                   cp->data + cp->adv_data_len);
8316
8317         /* We're good to go, update advertising data, parameters, and start
8318          * advertising.
8319          */
8320
8321         hci_req_init(&req, hdev);
8322
8323         hci_req_add(&req, HCI_OP_READ_LOCAL_NAME, 0, NULL);
8324
8325         if (ext_adv_capable(hdev)) {
8326                 __hci_req_update_adv_data(&req, cp->instance);
8327                 __hci_req_update_scan_rsp_data(&req, cp->instance);
8328                 __hci_req_enable_ext_advertising(&req, cp->instance);
8329
8330         } else {
8331                 /* If using software rotation, determine next instance to use */
8332
8333                 if (hdev->cur_adv_instance == cp->instance) {
8334                         /* If the currently advertised instance is being changed
8335                          * then cancel the current advertising and schedule the
8336                          * next instance. If there is only one instance then the
8337                          * overridden advertising data will be visible right
8338                          * away
8339                          */
8340                         cancel_adv_timeout(hdev);
8341
8342                         next_instance = hci_get_next_instance(hdev,
8343                                                               cp->instance);
8344                         if (next_instance)
8345                                 schedule_instance = next_instance->instance;
8346                 } else if (!hdev->adv_instance_timeout) {
8347                         /* Immediately advertise the new instance if no other
8348                          * instance is currently being advertised.
8349                          */
8350                         schedule_instance = cp->instance;
8351                 }
8352
8353                 /* If the HCI_ADVERTISING flag is set or there is no instance to
8354                  * be advertised then we have no HCI communication to make.
8355                  * Simply return.
8356                  */
8357                 if (hci_dev_test_flag(hdev, HCI_ADVERTISING) ||
8358                     !schedule_instance) {
8359                         if (adv_instance->pending) {
8360                                 mgmt_advertising_added(sk, hdev, cp->instance);
8361                                 adv_instance->pending = false;
8362                         }
8363                         rp.instance = cp->instance;
8364                         err = mgmt_cmd_complete(sk, hdev->id,
8365                                                 MGMT_OP_ADD_EXT_ADV_DATA,
8366                                                 MGMT_STATUS_SUCCESS, &rp,
8367                                                 sizeof(rp));
8368                         goto unlock;
8369                 }
8370
8371                 err = __hci_req_schedule_adv_instance(&req, schedule_instance,
8372                                                       true);
8373         }
8374
8375         cmd = mgmt_pending_add(sk, MGMT_OP_ADD_EXT_ADV_DATA, hdev, data,
8376                                data_len);
8377         if (!cmd) {
8378                 err = -ENOMEM;
8379                 goto clear_new_instance;
8380         }
8381
8382         if (!err)
8383                 err = hci_req_run(&req, add_advertising_complete);
8384
8385         if (err < 0) {
8386                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
8387                                       MGMT_STATUS_FAILED);
8388                 mgmt_pending_remove(cmd);
8389                 goto clear_new_instance;
8390         }
8391
8392         /* We were successful in updating data, so trigger advertising_added
8393          * event if this is an instance that wasn't previously advertising. If
8394          * a failure occurs in the requests we initiated, we will remove the
8395          * instance again in add_advertising_complete
8396          */
8397         if (adv_instance->pending)
8398                 mgmt_advertising_added(sk, hdev, cp->instance);
8399
8400         goto unlock;
8401
8402 clear_new_instance:
8403         hci_remove_adv_instance(hdev, cp->instance);
8404
8405 unlock:
8406         hci_dev_unlock(hdev);
8407
8408         return err;
8409 }
8410
8411 static void remove_advertising_complete(struct hci_dev *hdev, u8 status,
8412                                         u16 opcode)
8413 {
8414         struct mgmt_pending_cmd *cmd;
8415         struct mgmt_cp_remove_advertising *cp;
8416         struct mgmt_rp_remove_advertising rp;
8417
8418         bt_dev_dbg(hdev, "status %u", status);
8419
8420         hci_dev_lock(hdev);
8421
8422         /* A failure status here only means that we failed to disable
8423          * advertising. Otherwise, the advertising instance has been removed,
8424          * so report success.
8425          */
8426         cmd = pending_find(MGMT_OP_REMOVE_ADVERTISING, hdev);
8427         if (!cmd)
8428                 goto unlock;
8429
8430         cp = cmd->param;
8431         rp.instance = cp->instance;
8432
8433         mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, MGMT_STATUS_SUCCESS,
8434                           &rp, sizeof(rp));
8435         mgmt_pending_remove(cmd);
8436
8437 unlock:
8438         hci_dev_unlock(hdev);
8439 }
8440
8441 static int remove_advertising(struct sock *sk, struct hci_dev *hdev,
8442                               void *data, u16 data_len)
8443 {
8444         struct mgmt_cp_remove_advertising *cp = data;
8445         struct mgmt_rp_remove_advertising rp;
8446         struct mgmt_pending_cmd *cmd;
8447         struct hci_request req;
8448         int err;
8449
8450         bt_dev_dbg(hdev, "sock %p", sk);
8451
8452         /* Enabling the experimental LL Privay support disables support for
8453          * advertising.
8454          */
8455         if (hci_dev_test_flag(hdev, HCI_ENABLE_LL_PRIVACY))
8456                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_ADVERTISING,
8457                                        MGMT_STATUS_NOT_SUPPORTED);
8458
8459         hci_dev_lock(hdev);
8460
8461         if (cp->instance && !hci_find_adv_instance(hdev, cp->instance)) {
8462                 err = mgmt_cmd_status(sk, hdev->id,
8463                                       MGMT_OP_REMOVE_ADVERTISING,
8464                                       MGMT_STATUS_INVALID_PARAMS);
8465                 goto unlock;
8466         }
8467
8468         if (pending_find(MGMT_OP_ADD_ADVERTISING, hdev) ||
8469             pending_find(MGMT_OP_REMOVE_ADVERTISING, hdev) ||
8470             pending_find(MGMT_OP_SET_LE, hdev)) {
8471                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_ADVERTISING,
8472                                       MGMT_STATUS_BUSY);
8473                 goto unlock;
8474         }
8475
8476         if (list_empty(&hdev->adv_instances)) {
8477                 err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_ADVERTISING,
8478                                       MGMT_STATUS_INVALID_PARAMS);
8479                 goto unlock;
8480         }
8481
8482         hci_req_init(&req, hdev);
8483
8484         /* If we use extended advertising, instance is disabled and removed */
8485         if (ext_adv_capable(hdev)) {
8486                 __hci_req_disable_ext_adv_instance(&req, cp->instance);
8487                 __hci_req_remove_ext_adv_instance(&req, cp->instance);
8488         }
8489
8490         hci_req_clear_adv_instance(hdev, sk, &req, cp->instance, true);
8491
8492         if (list_empty(&hdev->adv_instances))
8493                 __hci_req_disable_advertising(&req);
8494
8495         /* If no HCI commands have been collected so far or the HCI_ADVERTISING
8496          * flag is set or the device isn't powered then we have no HCI
8497          * communication to make. Simply return.
8498          */
8499         if (skb_queue_empty(&req.cmd_q) ||
8500             !hdev_is_powered(hdev) ||
8501             hci_dev_test_flag(hdev, HCI_ADVERTISING)) {
8502                 hci_req_purge(&req);
8503                 rp.instance = cp->instance;
8504                 err = mgmt_cmd_complete(sk, hdev->id,
8505                                         MGMT_OP_REMOVE_ADVERTISING,
8506                                         MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
8507                 goto unlock;
8508         }
8509
8510         cmd = mgmt_pending_add(sk, MGMT_OP_REMOVE_ADVERTISING, hdev, data,
8511                                data_len);
8512         if (!cmd) {
8513                 err = -ENOMEM;
8514                 goto unlock;
8515         }
8516
8517         err = hci_req_run(&req, remove_advertising_complete);
8518         if (err < 0)
8519                 mgmt_pending_remove(cmd);
8520
8521 unlock:
8522         hci_dev_unlock(hdev);
8523
8524         return err;
8525 }
8526
8527 static int get_adv_size_info(struct sock *sk, struct hci_dev *hdev,
8528                              void *data, u16 data_len)
8529 {
8530         struct mgmt_cp_get_adv_size_info *cp = data;
8531         struct mgmt_rp_get_adv_size_info rp;
8532         u32 flags, supported_flags;
8533         int err;
8534
8535         bt_dev_dbg(hdev, "sock %p", sk);
8536
8537         if (!lmp_le_capable(hdev))
8538                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_GET_ADV_SIZE_INFO,
8539                                        MGMT_STATUS_REJECTED);
8540
8541         if (cp->instance < 1 || cp->instance > hdev->le_num_of_adv_sets)
8542                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_GET_ADV_SIZE_INFO,
8543                                        MGMT_STATUS_INVALID_PARAMS);
8544
8545         flags = __le32_to_cpu(cp->flags);
8546
8547         /* The current implementation only supports a subset of the specified
8548          * flags.
8549          */
8550         supported_flags = get_supported_adv_flags(hdev);
8551         if (flags & ~supported_flags)
8552                 return mgmt_cmd_status(sk, hdev->id, MGMT_OP_GET_ADV_SIZE_INFO,
8553                                        MGMT_STATUS_INVALID_PARAMS);
8554
8555         rp.instance = cp->instance;
8556         rp.flags = cp->flags;
8557         rp.max_adv_data_len = tlv_data_max_len(hdev, flags, true);
8558         rp.max_scan_rsp_len = tlv_data_max_len(hdev, flags, false);
8559
8560         err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_ADV_SIZE_INFO,
8561                                 MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
8562
8563         return err;
8564 }
8565
8566 static const struct hci_mgmt_handler mgmt_handlers[] = {
8567         { NULL }, /* 0x0000 (no command) */
8568         { read_version,            MGMT_READ_VERSION_SIZE,
8569                                                 HCI_MGMT_NO_HDEV |
8570                                                 HCI_MGMT_UNTRUSTED },
8571         { read_commands,           MGMT_READ_COMMANDS_SIZE,
8572                                                 HCI_MGMT_NO_HDEV |
8573                                                 HCI_MGMT_UNTRUSTED },
8574         { read_index_list,         MGMT_READ_INDEX_LIST_SIZE,
8575                                                 HCI_MGMT_NO_HDEV |
8576                                                 HCI_MGMT_UNTRUSTED },
8577         { read_controller_info,    MGMT_READ_INFO_SIZE,
8578                                                 HCI_MGMT_UNTRUSTED },
8579         { set_powered,             MGMT_SETTING_SIZE },
8580         { set_discoverable,        MGMT_SET_DISCOVERABLE_SIZE },
8581         { set_connectable,         MGMT_SETTING_SIZE },
8582         { set_fast_connectable,    MGMT_SETTING_SIZE },
8583         { set_bondable,            MGMT_SETTING_SIZE },
8584         { set_link_security,       MGMT_SETTING_SIZE },
8585         { set_ssp,                 MGMT_SETTING_SIZE },
8586         { set_hs,                  MGMT_SETTING_SIZE },
8587         { set_le,                  MGMT_SETTING_SIZE },
8588         { set_dev_class,           MGMT_SET_DEV_CLASS_SIZE },
8589         { set_local_name,          MGMT_SET_LOCAL_NAME_SIZE },
8590         { add_uuid,                MGMT_ADD_UUID_SIZE },
8591         { remove_uuid,             MGMT_REMOVE_UUID_SIZE },
8592         { load_link_keys,          MGMT_LOAD_LINK_KEYS_SIZE,
8593                                                 HCI_MGMT_VAR_LEN },
8594         { load_long_term_keys,     MGMT_LOAD_LONG_TERM_KEYS_SIZE,
8595                                                 HCI_MGMT_VAR_LEN },
8596         { disconnect,              MGMT_DISCONNECT_SIZE },
8597         { get_connections,         MGMT_GET_CONNECTIONS_SIZE },
8598         { pin_code_reply,          MGMT_PIN_CODE_REPLY_SIZE },
8599         { pin_code_neg_reply,      MGMT_PIN_CODE_NEG_REPLY_SIZE },
8600         { set_io_capability,       MGMT_SET_IO_CAPABILITY_SIZE },
8601         { pair_device,             MGMT_PAIR_DEVICE_SIZE },
8602         { cancel_pair_device,      MGMT_CANCEL_PAIR_DEVICE_SIZE },
8603         { unpair_device,           MGMT_UNPAIR_DEVICE_SIZE },
8604         { user_confirm_reply,      MGMT_USER_CONFIRM_REPLY_SIZE },
8605         { user_confirm_neg_reply,  MGMT_USER_CONFIRM_NEG_REPLY_SIZE },
8606         { user_passkey_reply,      MGMT_USER_PASSKEY_REPLY_SIZE },
8607         { user_passkey_neg_reply,  MGMT_USER_PASSKEY_NEG_REPLY_SIZE },
8608         { read_local_oob_data,     MGMT_READ_LOCAL_OOB_DATA_SIZE },
8609         { add_remote_oob_data,     MGMT_ADD_REMOTE_OOB_DATA_SIZE,
8610                                                 HCI_MGMT_VAR_LEN },
8611         { remove_remote_oob_data,  MGMT_REMOVE_REMOTE_OOB_DATA_SIZE },
8612         { start_discovery,         MGMT_START_DISCOVERY_SIZE },
8613         { stop_discovery,          MGMT_STOP_DISCOVERY_SIZE },
8614         { confirm_name,            MGMT_CONFIRM_NAME_SIZE },
8615         { block_device,            MGMT_BLOCK_DEVICE_SIZE },
8616         { unblock_device,          MGMT_UNBLOCK_DEVICE_SIZE },
8617         { set_device_id,           MGMT_SET_DEVICE_ID_SIZE },
8618         { set_advertising,         MGMT_SETTING_SIZE },
8619         { set_bredr,               MGMT_SETTING_SIZE },
8620         { set_static_address,      MGMT_SET_STATIC_ADDRESS_SIZE },
8621         { set_scan_params,         MGMT_SET_SCAN_PARAMS_SIZE },
8622         { set_secure_conn,         MGMT_SETTING_SIZE },
8623         { set_debug_keys,          MGMT_SETTING_SIZE },
8624         { set_privacy,             MGMT_SET_PRIVACY_SIZE },
8625         { load_irks,               MGMT_LOAD_IRKS_SIZE,
8626                                                 HCI_MGMT_VAR_LEN },
8627         { get_conn_info,           MGMT_GET_CONN_INFO_SIZE },
8628         { get_clock_info,          MGMT_GET_CLOCK_INFO_SIZE },
8629         { add_device,              MGMT_ADD_DEVICE_SIZE },
8630         { remove_device,           MGMT_REMOVE_DEVICE_SIZE },
8631         { load_conn_param,         MGMT_LOAD_CONN_PARAM_SIZE,
8632                                                 HCI_MGMT_VAR_LEN },
8633         { read_unconf_index_list,  MGMT_READ_UNCONF_INDEX_LIST_SIZE,
8634                                                 HCI_MGMT_NO_HDEV |
8635                                                 HCI_MGMT_UNTRUSTED },
8636         { read_config_info,        MGMT_READ_CONFIG_INFO_SIZE,
8637                                                 HCI_MGMT_UNCONFIGURED |
8638                                                 HCI_MGMT_UNTRUSTED },
8639         { set_external_config,     MGMT_SET_EXTERNAL_CONFIG_SIZE,
8640                                                 HCI_MGMT_UNCONFIGURED },
8641         { set_public_address,      MGMT_SET_PUBLIC_ADDRESS_SIZE,
8642                                                 HCI_MGMT_UNCONFIGURED },
8643         { start_service_discovery, MGMT_START_SERVICE_DISCOVERY_SIZE,
8644                                                 HCI_MGMT_VAR_LEN },
8645         { read_local_oob_ext_data, MGMT_READ_LOCAL_OOB_EXT_DATA_SIZE },
8646         { read_ext_index_list,     MGMT_READ_EXT_INDEX_LIST_SIZE,
8647                                                 HCI_MGMT_NO_HDEV |
8648                                                 HCI_MGMT_UNTRUSTED },
8649         { read_adv_features,       MGMT_READ_ADV_FEATURES_SIZE },
8650         { add_advertising,         MGMT_ADD_ADVERTISING_SIZE,
8651                                                 HCI_MGMT_VAR_LEN },
8652         { remove_advertising,      MGMT_REMOVE_ADVERTISING_SIZE },
8653         { get_adv_size_info,       MGMT_GET_ADV_SIZE_INFO_SIZE },
8654         { start_limited_discovery, MGMT_START_DISCOVERY_SIZE },
8655         { read_ext_controller_info,MGMT_READ_EXT_INFO_SIZE,
8656                                                 HCI_MGMT_UNTRUSTED },
8657         { set_appearance,          MGMT_SET_APPEARANCE_SIZE },
8658         { get_phy_configuration,   MGMT_GET_PHY_CONFIGURATION_SIZE },
8659         { set_phy_configuration,   MGMT_SET_PHY_CONFIGURATION_SIZE },
8660         { set_blocked_keys,        MGMT_OP_SET_BLOCKED_KEYS_SIZE,
8661                                                 HCI_MGMT_VAR_LEN },
8662         { set_wideband_speech,     MGMT_SETTING_SIZE },
8663         { read_controller_cap,     MGMT_READ_CONTROLLER_CAP_SIZE,
8664                                                 HCI_MGMT_UNTRUSTED },
8665         { read_exp_features_info,  MGMT_READ_EXP_FEATURES_INFO_SIZE,
8666                                                 HCI_MGMT_UNTRUSTED |
8667                                                 HCI_MGMT_HDEV_OPTIONAL },
8668         { set_exp_feature,         MGMT_SET_EXP_FEATURE_SIZE,
8669                                                 HCI_MGMT_VAR_LEN |
8670                                                 HCI_MGMT_HDEV_OPTIONAL },
8671         { read_def_system_config,  MGMT_READ_DEF_SYSTEM_CONFIG_SIZE,
8672                                                 HCI_MGMT_UNTRUSTED },
8673         { set_def_system_config,   MGMT_SET_DEF_SYSTEM_CONFIG_SIZE,
8674                                                 HCI_MGMT_VAR_LEN },
8675         { read_def_runtime_config, MGMT_READ_DEF_RUNTIME_CONFIG_SIZE,
8676                                                 HCI_MGMT_UNTRUSTED },
8677         { set_def_runtime_config,  MGMT_SET_DEF_RUNTIME_CONFIG_SIZE,
8678                                                 HCI_MGMT_VAR_LEN },
8679         { get_device_flags,        MGMT_GET_DEVICE_FLAGS_SIZE },
8680         { set_device_flags,        MGMT_SET_DEVICE_FLAGS_SIZE },
8681         { read_adv_mon_features,   MGMT_READ_ADV_MONITOR_FEATURES_SIZE },
8682         { add_adv_patterns_monitor,MGMT_ADD_ADV_PATTERNS_MONITOR_SIZE,
8683                                                 HCI_MGMT_VAR_LEN },
8684         { remove_adv_monitor,      MGMT_REMOVE_ADV_MONITOR_SIZE },
8685         { add_ext_adv_params,      MGMT_ADD_EXT_ADV_PARAMS_MIN_SIZE,
8686                                                 HCI_MGMT_VAR_LEN },
8687         { add_ext_adv_data,        MGMT_ADD_EXT_ADV_DATA_SIZE,
8688                                                 HCI_MGMT_VAR_LEN },
8689         { add_adv_patterns_monitor_rssi,
8690                                    MGMT_ADD_ADV_PATTERNS_MONITOR_RSSI_SIZE,
8691                                                 HCI_MGMT_VAR_LEN },
8692 };
8693
8694 void mgmt_index_added(struct hci_dev *hdev)
8695 {
8696         struct mgmt_ev_ext_index ev;
8697
8698         if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
8699                 return;
8700
8701         switch (hdev->dev_type) {
8702         case HCI_PRIMARY:
8703                 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
8704                         mgmt_index_event(MGMT_EV_UNCONF_INDEX_ADDED, hdev,
8705                                          NULL, 0, HCI_MGMT_UNCONF_INDEX_EVENTS);
8706                         ev.type = 0x01;
8707                 } else {
8708                         mgmt_index_event(MGMT_EV_INDEX_ADDED, hdev, NULL, 0,
8709                                          HCI_MGMT_INDEX_EVENTS);
8710                         ev.type = 0x00;
8711                 }
8712                 break;
8713         case HCI_AMP:
8714                 ev.type = 0x02;
8715                 break;
8716         default:
8717                 return;
8718         }
8719
8720         ev.bus = hdev->bus;
8721
8722         mgmt_index_event(MGMT_EV_EXT_INDEX_ADDED, hdev, &ev, sizeof(ev),
8723                          HCI_MGMT_EXT_INDEX_EVENTS);
8724 }
8725
8726 void mgmt_index_removed(struct hci_dev *hdev)
8727 {
8728         struct mgmt_ev_ext_index ev;
8729         u8 status = MGMT_STATUS_INVALID_INDEX;
8730
8731         if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
8732                 return;
8733
8734         switch (hdev->dev_type) {
8735         case HCI_PRIMARY:
8736                 mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &status);
8737
8738                 if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
8739                         mgmt_index_event(MGMT_EV_UNCONF_INDEX_REMOVED, hdev,
8740                                          NULL, 0, HCI_MGMT_UNCONF_INDEX_EVENTS);
8741                         ev.type = 0x01;
8742                 } else {
8743                         mgmt_index_event(MGMT_EV_INDEX_REMOVED, hdev, NULL, 0,
8744                                          HCI_MGMT_INDEX_EVENTS);
8745                         ev.type = 0x00;
8746                 }
8747                 break;
8748         case HCI_AMP:
8749                 ev.type = 0x02;
8750                 break;
8751         default:
8752                 return;
8753         }
8754
8755         ev.bus = hdev->bus;
8756
8757         mgmt_index_event(MGMT_EV_EXT_INDEX_REMOVED, hdev, &ev, sizeof(ev),
8758                          HCI_MGMT_EXT_INDEX_EVENTS);
8759 }
8760
8761 /* This function requires the caller holds hdev->lock */
8762 static void restart_le_actions(struct hci_dev *hdev)
8763 {
8764         struct hci_conn_params *p;
8765
8766         list_for_each_entry(p, &hdev->le_conn_params, list) {
8767                 /* Needed for AUTO_OFF case where might not "really"
8768                  * have been powered off.
8769                  */
8770                 list_del_init(&p->action);
8771
8772                 switch (p->auto_connect) {
8773                 case HCI_AUTO_CONN_DIRECT:
8774                 case HCI_AUTO_CONN_ALWAYS:
8775                         list_add(&p->action, &hdev->pend_le_conns);
8776                         break;
8777                 case HCI_AUTO_CONN_REPORT:
8778                         list_add(&p->action, &hdev->pend_le_reports);
8779                         break;
8780                 default:
8781                         break;
8782                 }
8783         }
8784 }
8785
8786 void mgmt_power_on(struct hci_dev *hdev, int err)
8787 {
8788         struct cmd_lookup match = { NULL, hdev };
8789
8790         bt_dev_dbg(hdev, "err %d", err);
8791
8792         hci_dev_lock(hdev);
8793
8794         if (!err) {
8795                 restart_le_actions(hdev);
8796                 hci_update_background_scan(hdev);
8797         }
8798
8799         mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp, &match);
8800
8801         new_settings(hdev, match.sk);
8802
8803         if (match.sk)
8804                 sock_put(match.sk);
8805
8806         hci_dev_unlock(hdev);
8807 }
8808
8809 void __mgmt_power_off(struct hci_dev *hdev)
8810 {
8811         struct cmd_lookup match = { NULL, hdev };
8812         u8 status, zero_cod[] = { 0, 0, 0 };
8813
8814         mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp, &match);
8815
8816         /* If the power off is because of hdev unregistration let
8817          * use the appropriate INVALID_INDEX status. Otherwise use
8818          * NOT_POWERED. We cover both scenarios here since later in
8819          * mgmt_index_removed() any hci_conn callbacks will have already
8820          * been triggered, potentially causing misleading DISCONNECTED
8821          * status responses.
8822          */
8823         if (hci_dev_test_flag(hdev, HCI_UNREGISTER))
8824                 status = MGMT_STATUS_INVALID_INDEX;
8825         else
8826                 status = MGMT_STATUS_NOT_POWERED;
8827
8828         mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &status);
8829
8830         if (memcmp(hdev->dev_class, zero_cod, sizeof(zero_cod)) != 0) {
8831                 mgmt_limited_event(MGMT_EV_CLASS_OF_DEV_CHANGED, hdev,
8832                                    zero_cod, sizeof(zero_cod),
8833                                    HCI_MGMT_DEV_CLASS_EVENTS, NULL);
8834                 ext_info_changed(hdev, NULL);
8835         }
8836
8837         new_settings(hdev, match.sk);
8838
8839         if (match.sk)
8840                 sock_put(match.sk);
8841 }
8842
8843 void mgmt_set_powered_failed(struct hci_dev *hdev, int err)
8844 {
8845         struct mgmt_pending_cmd *cmd;
8846         u8 status;
8847
8848         cmd = pending_find(MGMT_OP_SET_POWERED, hdev);
8849         if (!cmd)
8850                 return;
8851
8852         if (err == -ERFKILL)
8853                 status = MGMT_STATUS_RFKILLED;
8854         else
8855                 status = MGMT_STATUS_FAILED;
8856
8857         mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_POWERED, status);
8858
8859         mgmt_pending_remove(cmd);
8860 }
8861
8862 void mgmt_new_link_key(struct hci_dev *hdev, struct link_key *key,
8863                        bool persistent)
8864 {
8865         struct mgmt_ev_new_link_key ev;
8866
8867         memset(&ev, 0, sizeof(ev));
8868
8869         ev.store_hint = persistent;
8870         bacpy(&ev.key.addr.bdaddr, &key->bdaddr);
8871         ev.key.addr.type = BDADDR_BREDR;
8872         ev.key.type = key->type;
8873         memcpy(ev.key.val, key->val, HCI_LINK_KEY_SIZE);
8874         ev.key.pin_len = key->pin_len;
8875
8876         mgmt_event(MGMT_EV_NEW_LINK_KEY, hdev, &ev, sizeof(ev), NULL);
8877 }
8878
8879 static u8 mgmt_ltk_type(struct smp_ltk *ltk)
8880 {
8881         switch (ltk->type) {
8882         case SMP_LTK:
8883         case SMP_LTK_RESPONDER:
8884                 if (ltk->authenticated)
8885                         return MGMT_LTK_AUTHENTICATED;
8886                 return MGMT_LTK_UNAUTHENTICATED;
8887         case SMP_LTK_P256:
8888                 if (ltk->authenticated)
8889                         return MGMT_LTK_P256_AUTH;
8890                 return MGMT_LTK_P256_UNAUTH;
8891         case SMP_LTK_P256_DEBUG:
8892                 return MGMT_LTK_P256_DEBUG;
8893         }
8894
8895         return MGMT_LTK_UNAUTHENTICATED;
8896 }
8897
8898 void mgmt_new_ltk(struct hci_dev *hdev, struct smp_ltk *key, bool persistent)
8899 {
8900         struct mgmt_ev_new_long_term_key ev;
8901
8902         memset(&ev, 0, sizeof(ev));
8903
8904         /* Devices using resolvable or non-resolvable random addresses
8905          * without providing an identity resolving key don't require
8906          * to store long term keys. Their addresses will change the
8907          * next time around.
8908          *
8909          * Only when a remote device provides an identity address
8910          * make sure the long term key is stored. If the remote
8911          * identity is known, the long term keys are internally
8912          * mapped to the identity address. So allow static random
8913          * and public addresses here.
8914          */
8915         if (key->bdaddr_type == ADDR_LE_DEV_RANDOM &&
8916             (key->bdaddr.b[5] & 0xc0) != 0xc0)
8917                 ev.store_hint = 0x00;
8918         else
8919                 ev.store_hint = persistent;
8920
8921         bacpy(&ev.key.addr.bdaddr, &key->bdaddr);
8922         ev.key.addr.type = link_to_bdaddr(LE_LINK, key->bdaddr_type);
8923         ev.key.type = mgmt_ltk_type(key);
8924         ev.key.enc_size = key->enc_size;
8925         ev.key.ediv = key->ediv;
8926         ev.key.rand = key->rand;
8927
8928         if (key->type == SMP_LTK)
8929                 ev.key.initiator = 1;
8930
8931         /* Make sure we copy only the significant bytes based on the
8932          * encryption key size, and set the rest of the value to zeroes.
8933          */
8934         memcpy(ev.key.val, key->val, key->enc_size);
8935         memset(ev.key.val + key->enc_size, 0,
8936                sizeof(ev.key.val) - key->enc_size);
8937
8938         mgmt_event(MGMT_EV_NEW_LONG_TERM_KEY, hdev, &ev, sizeof(ev), NULL);
8939 }
8940
8941 void mgmt_new_irk(struct hci_dev *hdev, struct smp_irk *irk, bool persistent)
8942 {
8943         struct mgmt_ev_new_irk ev;
8944
8945         memset(&ev, 0, sizeof(ev));
8946
8947         ev.store_hint = persistent;
8948
8949         bacpy(&ev.rpa, &irk->rpa);
8950         bacpy(&ev.irk.addr.bdaddr, &irk->bdaddr);
8951         ev.irk.addr.type = link_to_bdaddr(LE_LINK, irk->addr_type);
8952         memcpy(ev.irk.val, irk->val, sizeof(irk->val));
8953
8954         mgmt_event(MGMT_EV_NEW_IRK, hdev, &ev, sizeof(ev), NULL);
8955 }
8956
8957 void mgmt_new_csrk(struct hci_dev *hdev, struct smp_csrk *csrk,
8958                    bool persistent)
8959 {
8960         struct mgmt_ev_new_csrk ev;
8961
8962         memset(&ev, 0, sizeof(ev));
8963
8964         /* Devices using resolvable or non-resolvable random addresses
8965          * without providing an identity resolving key don't require
8966          * to store signature resolving keys. Their addresses will change
8967          * the next time around.
8968          *
8969          * Only when a remote device provides an identity address
8970          * make sure the signature resolving key is stored. So allow
8971          * static random and public addresses here.
8972          */
8973         if (csrk->bdaddr_type == ADDR_LE_DEV_RANDOM &&
8974             (csrk->bdaddr.b[5] & 0xc0) != 0xc0)
8975                 ev.store_hint = 0x00;
8976         else
8977                 ev.store_hint = persistent;
8978
8979         bacpy(&ev.key.addr.bdaddr, &csrk->bdaddr);
8980         ev.key.addr.type = link_to_bdaddr(LE_LINK, csrk->bdaddr_type);
8981         ev.key.type = csrk->type;
8982         memcpy(ev.key.val, csrk->val, sizeof(csrk->val));
8983
8984         mgmt_event(MGMT_EV_NEW_CSRK, hdev, &ev, sizeof(ev), NULL);
8985 }
8986
8987 void mgmt_new_conn_param(struct hci_dev *hdev, bdaddr_t *bdaddr,
8988                          u8 bdaddr_type, u8 store_hint, u16 min_interval,
8989                          u16 max_interval, u16 latency, u16 timeout)
8990 {
8991         struct mgmt_ev_new_conn_param ev;
8992
8993         if (!hci_is_identity_address(bdaddr, bdaddr_type))
8994                 return;
8995
8996         memset(&ev, 0, sizeof(ev));
8997         bacpy(&ev.addr.bdaddr, bdaddr);
8998         ev.addr.type = link_to_bdaddr(LE_LINK, bdaddr_type);
8999         ev.store_hint = store_hint;
9000         ev.min_interval = cpu_to_le16(min_interval);
9001         ev.max_interval = cpu_to_le16(max_interval);
9002         ev.latency = cpu_to_le16(latency);
9003         ev.timeout = cpu_to_le16(timeout);
9004
9005         mgmt_event(MGMT_EV_NEW_CONN_PARAM, hdev, &ev, sizeof(ev), NULL);
9006 }
9007
9008 void mgmt_device_connected(struct hci_dev *hdev, struct hci_conn *conn,
9009                            u8 *name, u8 name_len)
9010 {
9011         char buf[512];
9012         struct mgmt_ev_device_connected *ev = (void *) buf;
9013         u16 eir_len = 0;
9014         u32 flags = 0;
9015
9016         bacpy(&ev->addr.bdaddr, &conn->dst);
9017         ev->addr.type = link_to_bdaddr(conn->type, conn->dst_type);
9018
9019         if (conn->out)
9020                 flags |= MGMT_DEV_FOUND_INITIATED_CONN;
9021
9022         ev->flags = __cpu_to_le32(flags);
9023
9024         /* We must ensure that the EIR Data fields are ordered and
9025          * unique. Keep it simple for now and avoid the problem by not
9026          * adding any BR/EDR data to the LE adv.
9027          */
9028         if (conn->le_adv_data_len > 0) {
9029                 memcpy(&ev->eir[eir_len],
9030                        conn->le_adv_data, conn->le_adv_data_len);
9031                 eir_len = conn->le_adv_data_len;
9032         } else {
9033                 if (name_len > 0)
9034                         eir_len = eir_append_data(ev->eir, 0, EIR_NAME_COMPLETE,
9035                                                   name, name_len);
9036
9037                 if (memcmp(conn->dev_class, "\0\0\0", 3) != 0)
9038                         eir_len = eir_append_data(ev->eir, eir_len,
9039                                                   EIR_CLASS_OF_DEV,
9040                                                   conn->dev_class, 3);
9041         }
9042
9043         ev->eir_len = cpu_to_le16(eir_len);
9044
9045         mgmt_event(MGMT_EV_DEVICE_CONNECTED, hdev, buf,
9046                     sizeof(*ev) + eir_len, NULL);
9047 }
9048
9049 static void disconnect_rsp(struct mgmt_pending_cmd *cmd, void *data)
9050 {
9051         struct sock **sk = data;
9052
9053         cmd->cmd_complete(cmd, 0);
9054
9055         *sk = cmd->sk;
9056         sock_hold(*sk);
9057
9058         mgmt_pending_remove(cmd);
9059 }
9060
9061 static void unpair_device_rsp(struct mgmt_pending_cmd *cmd, void *data)
9062 {
9063         struct hci_dev *hdev = data;
9064         struct mgmt_cp_unpair_device *cp = cmd->param;
9065
9066         device_unpaired(hdev, &cp->addr.bdaddr, cp->addr.type, cmd->sk);
9067
9068         cmd->cmd_complete(cmd, 0);
9069         mgmt_pending_remove(cmd);
9070 }
9071
9072 bool mgmt_powering_down(struct hci_dev *hdev)
9073 {
9074         struct mgmt_pending_cmd *cmd;
9075         struct mgmt_mode *cp;
9076
9077         cmd = pending_find(MGMT_OP_SET_POWERED, hdev);
9078         if (!cmd)
9079                 return false;
9080
9081         cp = cmd->param;
9082         if (!cp->val)
9083                 return true;
9084
9085         return false;
9086 }
9087
9088 void mgmt_device_disconnected(struct hci_dev *hdev, bdaddr_t *bdaddr,
9089                               u8 link_type, u8 addr_type, u8 reason,
9090                               bool mgmt_connected)
9091 {
9092         struct mgmt_ev_device_disconnected ev;
9093         struct sock *sk = NULL;
9094
9095         /* The connection is still in hci_conn_hash so test for 1
9096          * instead of 0 to know if this is the last one.
9097          */
9098         if (mgmt_powering_down(hdev) && hci_conn_count(hdev) == 1) {
9099                 cancel_delayed_work(&hdev->power_off);
9100                 queue_work(hdev->req_workqueue, &hdev->power_off.work);
9101         }
9102
9103         if (!mgmt_connected)
9104                 return;
9105
9106         if (link_type != ACL_LINK && link_type != LE_LINK)
9107                 return;
9108
9109         mgmt_pending_foreach(MGMT_OP_DISCONNECT, hdev, disconnect_rsp, &sk);
9110
9111         bacpy(&ev.addr.bdaddr, bdaddr);
9112         ev.addr.type = link_to_bdaddr(link_type, addr_type);
9113         ev.reason = reason;
9114
9115         /* Report disconnects due to suspend */
9116         if (hdev->suspended)
9117                 ev.reason = MGMT_DEV_DISCONN_LOCAL_HOST_SUSPEND;
9118
9119         mgmt_event(MGMT_EV_DEVICE_DISCONNECTED, hdev, &ev, sizeof(ev), sk);
9120
9121         if (sk)
9122                 sock_put(sk);
9123
9124         mgmt_pending_foreach(MGMT_OP_UNPAIR_DEVICE, hdev, unpair_device_rsp,
9125                              hdev);
9126 }
9127
9128 void mgmt_disconnect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr,
9129                             u8 link_type, u8 addr_type, u8 status)
9130 {
9131         u8 bdaddr_type = link_to_bdaddr(link_type, addr_type);
9132         struct mgmt_cp_disconnect *cp;
9133         struct mgmt_pending_cmd *cmd;
9134
9135         mgmt_pending_foreach(MGMT_OP_UNPAIR_DEVICE, hdev, unpair_device_rsp,
9136                              hdev);
9137
9138         cmd = pending_find(MGMT_OP_DISCONNECT, hdev);
9139         if (!cmd)
9140                 return;
9141
9142         cp = cmd->param;
9143
9144         if (bacmp(bdaddr, &cp->addr.bdaddr))
9145                 return;
9146
9147         if (cp->addr.type != bdaddr_type)
9148                 return;
9149
9150         cmd->cmd_complete(cmd, mgmt_status(status));
9151         mgmt_pending_remove(cmd);
9152 }
9153
9154 void mgmt_connect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
9155                          u8 addr_type, u8 status)
9156 {
9157         struct mgmt_ev_connect_failed ev;
9158
9159         /* The connection is still in hci_conn_hash so test for 1
9160          * instead of 0 to know if this is the last one.
9161          */
9162         if (mgmt_powering_down(hdev) && hci_conn_count(hdev) == 1) {
9163                 cancel_delayed_work(&hdev->power_off);
9164                 queue_work(hdev->req_workqueue, &hdev->power_off.work);
9165         }
9166
9167         bacpy(&ev.addr.bdaddr, bdaddr);
9168         ev.addr.type = link_to_bdaddr(link_type, addr_type);
9169         ev.status = mgmt_status(status);
9170
9171         mgmt_event(MGMT_EV_CONNECT_FAILED, hdev, &ev, sizeof(ev), NULL);
9172 }
9173
9174 void mgmt_pin_code_request(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 secure)
9175 {
9176         struct mgmt_ev_pin_code_request ev;
9177
9178         bacpy(&ev.addr.bdaddr, bdaddr);
9179         ev.addr.type = BDADDR_BREDR;
9180         ev.secure = secure;
9181
9182         mgmt_event(MGMT_EV_PIN_CODE_REQUEST, hdev, &ev, sizeof(ev), NULL);
9183 }
9184
9185 void mgmt_pin_code_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9186                                   u8 status)
9187 {
9188         struct mgmt_pending_cmd *cmd;
9189
9190         cmd = pending_find(MGMT_OP_PIN_CODE_REPLY, hdev);
9191         if (!cmd)
9192                 return;
9193
9194         cmd->cmd_complete(cmd, mgmt_status(status));
9195         mgmt_pending_remove(cmd);
9196 }
9197
9198 void mgmt_pin_code_neg_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9199                                       u8 status)
9200 {
9201         struct mgmt_pending_cmd *cmd;
9202
9203         cmd = pending_find(MGMT_OP_PIN_CODE_NEG_REPLY, hdev);
9204         if (!cmd)
9205                 return;
9206
9207         cmd->cmd_complete(cmd, mgmt_status(status));
9208         mgmt_pending_remove(cmd);
9209 }
9210
9211 int mgmt_user_confirm_request(struct hci_dev *hdev, bdaddr_t *bdaddr,
9212                               u8 link_type, u8 addr_type, u32 value,
9213                               u8 confirm_hint)
9214 {
9215         struct mgmt_ev_user_confirm_request ev;
9216
9217         bt_dev_dbg(hdev, "bdaddr %pMR", bdaddr);
9218
9219         bacpy(&ev.addr.bdaddr, bdaddr);
9220         ev.addr.type = link_to_bdaddr(link_type, addr_type);
9221         ev.confirm_hint = confirm_hint;
9222         ev.value = cpu_to_le32(value);
9223
9224         return mgmt_event(MGMT_EV_USER_CONFIRM_REQUEST, hdev, &ev, sizeof(ev),
9225                           NULL);
9226 }
9227
9228 int mgmt_user_passkey_request(struct hci_dev *hdev, bdaddr_t *bdaddr,
9229                               u8 link_type, u8 addr_type)
9230 {
9231         struct mgmt_ev_user_passkey_request ev;
9232
9233         bt_dev_dbg(hdev, "bdaddr %pMR", bdaddr);
9234
9235         bacpy(&ev.addr.bdaddr, bdaddr);
9236         ev.addr.type = link_to_bdaddr(link_type, addr_type);
9237
9238         return mgmt_event(MGMT_EV_USER_PASSKEY_REQUEST, hdev, &ev, sizeof(ev),
9239                           NULL);
9240 }
9241
9242 static int user_pairing_resp_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9243                                       u8 link_type, u8 addr_type, u8 status,
9244                                       u8 opcode)
9245 {
9246         struct mgmt_pending_cmd *cmd;
9247
9248         cmd = pending_find(opcode, hdev);
9249         if (!cmd)
9250                 return -ENOENT;
9251
9252         cmd->cmd_complete(cmd, mgmt_status(status));
9253         mgmt_pending_remove(cmd);
9254
9255         return 0;
9256 }
9257
9258 int mgmt_user_confirm_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9259                                      u8 link_type, u8 addr_type, u8 status)
9260 {
9261         return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
9262                                           status, MGMT_OP_USER_CONFIRM_REPLY);
9263 }
9264
9265 int mgmt_user_confirm_neg_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9266                                          u8 link_type, u8 addr_type, u8 status)
9267 {
9268         return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
9269                                           status,
9270                                           MGMT_OP_USER_CONFIRM_NEG_REPLY);
9271 }
9272
9273 int mgmt_user_passkey_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9274                                      u8 link_type, u8 addr_type, u8 status)
9275 {
9276         return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
9277                                           status, MGMT_OP_USER_PASSKEY_REPLY);
9278 }
9279
9280 int mgmt_user_passkey_neg_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9281                                          u8 link_type, u8 addr_type, u8 status)
9282 {
9283         return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
9284                                           status,
9285                                           MGMT_OP_USER_PASSKEY_NEG_REPLY);
9286 }
9287
9288 int mgmt_user_passkey_notify(struct hci_dev *hdev, bdaddr_t *bdaddr,
9289                              u8 link_type, u8 addr_type, u32 passkey,
9290                              u8 entered)
9291 {
9292         struct mgmt_ev_passkey_notify ev;
9293
9294         bt_dev_dbg(hdev, "bdaddr %pMR", bdaddr);
9295
9296         bacpy(&ev.addr.bdaddr, bdaddr);
9297         ev.addr.type = link_to_bdaddr(link_type, addr_type);
9298         ev.passkey = __cpu_to_le32(passkey);
9299         ev.entered = entered;
9300
9301         return mgmt_event(MGMT_EV_PASSKEY_NOTIFY, hdev, &ev, sizeof(ev), NULL);
9302 }
9303
9304 void mgmt_auth_failed(struct hci_conn *conn, u8 hci_status)
9305 {
9306         struct mgmt_ev_auth_failed ev;
9307         struct mgmt_pending_cmd *cmd;
9308         u8 status = mgmt_status(hci_status);
9309
9310         bacpy(&ev.addr.bdaddr, &conn->dst);
9311         ev.addr.type = link_to_bdaddr(conn->type, conn->dst_type);
9312         ev.status = status;
9313
9314         cmd = find_pairing(conn);
9315
9316         mgmt_event(MGMT_EV_AUTH_FAILED, conn->hdev, &ev, sizeof(ev),
9317                     cmd ? cmd->sk : NULL);
9318
9319         if (cmd) {
9320                 cmd->cmd_complete(cmd, status);
9321                 mgmt_pending_remove(cmd);
9322         }
9323 }
9324
9325 void mgmt_auth_enable_complete(struct hci_dev *hdev, u8 status)
9326 {
9327         struct cmd_lookup match = { NULL, hdev };
9328         bool changed;
9329
9330         if (status) {
9331                 u8 mgmt_err = mgmt_status(status);
9332                 mgmt_pending_foreach(MGMT_OP_SET_LINK_SECURITY, hdev,
9333                                      cmd_status_rsp, &mgmt_err);
9334                 return;
9335         }
9336
9337         if (test_bit(HCI_AUTH, &hdev->flags))
9338                 changed = !hci_dev_test_and_set_flag(hdev, HCI_LINK_SECURITY);
9339         else
9340                 changed = hci_dev_test_and_clear_flag(hdev, HCI_LINK_SECURITY);
9341
9342         mgmt_pending_foreach(MGMT_OP_SET_LINK_SECURITY, hdev, settings_rsp,
9343                              &match);
9344
9345         if (changed)
9346                 new_settings(hdev, match.sk);
9347
9348         if (match.sk)
9349                 sock_put(match.sk);
9350 }
9351
9352 static void clear_eir(struct hci_request *req)
9353 {
9354         struct hci_dev *hdev = req->hdev;
9355         struct hci_cp_write_eir cp;
9356
9357         if (!lmp_ext_inq_capable(hdev))
9358                 return;
9359
9360         memset(hdev->eir, 0, sizeof(hdev->eir));
9361
9362         memset(&cp, 0, sizeof(cp));
9363
9364         hci_req_add(req, HCI_OP_WRITE_EIR, sizeof(cp), &cp);
9365 }
9366
9367 void mgmt_ssp_enable_complete(struct hci_dev *hdev, u8 enable, u8 status)
9368 {
9369         struct cmd_lookup match = { NULL, hdev };
9370         struct hci_request req;
9371         bool changed = false;
9372
9373         if (status) {
9374                 u8 mgmt_err = mgmt_status(status);
9375
9376                 if (enable && hci_dev_test_and_clear_flag(hdev,
9377                                                           HCI_SSP_ENABLED)) {
9378                         hci_dev_clear_flag(hdev, HCI_HS_ENABLED);
9379                         new_settings(hdev, NULL);
9380                 }
9381
9382                 mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, cmd_status_rsp,
9383                                      &mgmt_err);
9384                 return;
9385         }
9386
9387         if (enable) {
9388                 changed = !hci_dev_test_and_set_flag(hdev, HCI_SSP_ENABLED);
9389         } else {
9390                 changed = hci_dev_test_and_clear_flag(hdev, HCI_SSP_ENABLED);
9391                 if (!changed)
9392                         changed = hci_dev_test_and_clear_flag(hdev,
9393                                                               HCI_HS_ENABLED);
9394                 else
9395                         hci_dev_clear_flag(hdev, HCI_HS_ENABLED);
9396         }
9397
9398         mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, settings_rsp, &match);
9399
9400         if (changed)
9401                 new_settings(hdev, match.sk);
9402
9403         if (match.sk)
9404                 sock_put(match.sk);
9405
9406         hci_req_init(&req, hdev);
9407
9408         if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
9409                 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS))
9410                         hci_req_add(&req, HCI_OP_WRITE_SSP_DEBUG_MODE,
9411                                     sizeof(enable), &enable);
9412                 __hci_req_update_eir(&req);
9413         } else {
9414                 clear_eir(&req);
9415         }
9416
9417         hci_req_run(&req, NULL);
9418 }
9419
9420 static void sk_lookup(struct mgmt_pending_cmd *cmd, void *data)
9421 {
9422         struct cmd_lookup *match = data;
9423
9424         if (match->sk == NULL) {
9425                 match->sk = cmd->sk;
9426                 sock_hold(match->sk);
9427         }
9428 }
9429
9430 void mgmt_set_class_of_dev_complete(struct hci_dev *hdev, u8 *dev_class,
9431                                     u8 status)
9432 {
9433         struct cmd_lookup match = { NULL, hdev, mgmt_status(status) };
9434
9435         mgmt_pending_foreach(MGMT_OP_SET_DEV_CLASS, hdev, sk_lookup, &match);
9436         mgmt_pending_foreach(MGMT_OP_ADD_UUID, hdev, sk_lookup, &match);
9437         mgmt_pending_foreach(MGMT_OP_REMOVE_UUID, hdev, sk_lookup, &match);
9438
9439         if (!status) {
9440                 mgmt_limited_event(MGMT_EV_CLASS_OF_DEV_CHANGED, hdev, dev_class,
9441                                    3, HCI_MGMT_DEV_CLASS_EVENTS, NULL);
9442                 ext_info_changed(hdev, NULL);
9443         }
9444
9445         if (match.sk)
9446                 sock_put(match.sk);
9447 }
9448
9449 void mgmt_set_local_name_complete(struct hci_dev *hdev, u8 *name, u8 status)
9450 {
9451         struct mgmt_cp_set_local_name ev;
9452         struct mgmt_pending_cmd *cmd;
9453
9454         if (status)
9455                 return;
9456
9457         memset(&ev, 0, sizeof(ev));
9458         memcpy(ev.name, name, HCI_MAX_NAME_LENGTH);
9459         memcpy(ev.short_name, hdev->short_name, HCI_MAX_SHORT_NAME_LENGTH);
9460
9461         cmd = pending_find(MGMT_OP_SET_LOCAL_NAME, hdev);
9462         if (!cmd) {
9463                 memcpy(hdev->dev_name, name, sizeof(hdev->dev_name));
9464
9465                 /* If this is a HCI command related to powering on the
9466                  * HCI dev don't send any mgmt signals.
9467                  */
9468                 if (pending_find(MGMT_OP_SET_POWERED, hdev))
9469                         return;
9470         }
9471
9472         mgmt_limited_event(MGMT_EV_LOCAL_NAME_CHANGED, hdev, &ev, sizeof(ev),
9473                            HCI_MGMT_LOCAL_NAME_EVENTS, cmd ? cmd->sk : NULL);
9474         ext_info_changed(hdev, cmd ? cmd->sk : NULL);
9475 }
9476
9477 static inline bool has_uuid(u8 *uuid, u16 uuid_count, u8 (*uuids)[16])
9478 {
9479         int i;
9480
9481         for (i = 0; i < uuid_count; i++) {
9482                 if (!memcmp(uuid, uuids[i], 16))
9483                         return true;
9484         }
9485
9486         return false;
9487 }
9488
9489 static bool eir_has_uuids(u8 *eir, u16 eir_len, u16 uuid_count, u8 (*uuids)[16])
9490 {
9491         u16 parsed = 0;
9492
9493         while (parsed < eir_len) {
9494                 u8 field_len = eir[0];
9495                 u8 uuid[16];
9496                 int i;
9497
9498                 if (field_len == 0)
9499                         break;
9500
9501                 if (eir_len - parsed < field_len + 1)
9502                         break;
9503
9504                 switch (eir[1]) {
9505                 case EIR_UUID16_ALL:
9506                 case EIR_UUID16_SOME:
9507                         for (i = 0; i + 3 <= field_len; i += 2) {
9508                                 memcpy(uuid, bluetooth_base_uuid, 16);
9509                                 uuid[13] = eir[i + 3];
9510                                 uuid[12] = eir[i + 2];
9511                                 if (has_uuid(uuid, uuid_count, uuids))
9512                                         return true;
9513                         }
9514                         break;
9515                 case EIR_UUID32_ALL:
9516                 case EIR_UUID32_SOME:
9517                         for (i = 0; i + 5 <= field_len; i += 4) {
9518                                 memcpy(uuid, bluetooth_base_uuid, 16);
9519                                 uuid[15] = eir[i + 5];
9520                                 uuid[14] = eir[i + 4];
9521                                 uuid[13] = eir[i + 3];
9522                                 uuid[12] = eir[i + 2];
9523                                 if (has_uuid(uuid, uuid_count, uuids))
9524                                         return true;
9525                         }
9526                         break;
9527                 case EIR_UUID128_ALL:
9528                 case EIR_UUID128_SOME:
9529                         for (i = 0; i + 17 <= field_len; i += 16) {
9530                                 memcpy(uuid, eir + i + 2, 16);
9531                                 if (has_uuid(uuid, uuid_count, uuids))
9532                                         return true;
9533                         }
9534                         break;
9535                 }
9536
9537                 parsed += field_len + 1;
9538                 eir += field_len + 1;
9539         }
9540
9541         return false;
9542 }
9543
9544 static void restart_le_scan(struct hci_dev *hdev)
9545 {
9546         /* If controller is not scanning we are done. */
9547         if (!hci_dev_test_flag(hdev, HCI_LE_SCAN))
9548                 return;
9549
9550         if (time_after(jiffies + DISCOV_LE_RESTART_DELAY,
9551                        hdev->discovery.scan_start +
9552                        hdev->discovery.scan_duration))
9553                 return;
9554
9555         queue_delayed_work(hdev->req_workqueue, &hdev->le_scan_restart,
9556                            DISCOV_LE_RESTART_DELAY);
9557 }
9558
9559 static bool is_filter_match(struct hci_dev *hdev, s8 rssi, u8 *eir,
9560                             u16 eir_len, u8 *scan_rsp, u8 scan_rsp_len)
9561 {
9562         /* If a RSSI threshold has been specified, and
9563          * HCI_QUIRK_STRICT_DUPLICATE_FILTER is not set, then all results with
9564          * a RSSI smaller than the RSSI threshold will be dropped. If the quirk
9565          * is set, let it through for further processing, as we might need to
9566          * restart the scan.
9567          *
9568          * For BR/EDR devices (pre 1.2) providing no RSSI during inquiry,
9569          * the results are also dropped.
9570          */
9571         if (hdev->discovery.rssi != HCI_RSSI_INVALID &&
9572             (rssi == HCI_RSSI_INVALID ||
9573             (rssi < hdev->discovery.rssi &&
9574              !test_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks))))
9575                 return  false;
9576
9577         if (hdev->discovery.uuid_count != 0) {
9578                 /* If a list of UUIDs is provided in filter, results with no
9579                  * matching UUID should be dropped.
9580                  */
9581                 if (!eir_has_uuids(eir, eir_len, hdev->discovery.uuid_count,
9582                                    hdev->discovery.uuids) &&
9583                     !eir_has_uuids(scan_rsp, scan_rsp_len,
9584                                    hdev->discovery.uuid_count,
9585                                    hdev->discovery.uuids))
9586                         return false;
9587         }
9588
9589         /* If duplicate filtering does not report RSSI changes, then restart
9590          * scanning to ensure updated result with updated RSSI values.
9591          */
9592         if (test_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks)) {
9593                 restart_le_scan(hdev);
9594
9595                 /* Validate RSSI value against the RSSI threshold once more. */
9596                 if (hdev->discovery.rssi != HCI_RSSI_INVALID &&
9597                     rssi < hdev->discovery.rssi)
9598                         return false;
9599         }
9600
9601         return true;
9602 }
9603
9604 void mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
9605                        u8 addr_type, u8 *dev_class, s8 rssi, u32 flags,
9606                        u8 *eir, u16 eir_len, u8 *scan_rsp, u8 scan_rsp_len)
9607 {
9608         char buf[512];
9609         struct mgmt_ev_device_found *ev = (void *)buf;
9610         size_t ev_size;
9611
9612         /* Don't send events for a non-kernel initiated discovery. With
9613          * LE one exception is if we have pend_le_reports > 0 in which
9614          * case we're doing passive scanning and want these events.
9615          */
9616         if (!hci_discovery_active(hdev)) {
9617                 if (link_type == ACL_LINK)
9618                         return;
9619                 if (link_type == LE_LINK &&
9620                     list_empty(&hdev->pend_le_reports) &&
9621                     !hci_is_adv_monitoring(hdev)) {
9622                         return;
9623                 }
9624         }
9625
9626         if (hdev->discovery.result_filtering) {
9627                 /* We are using service discovery */
9628                 if (!is_filter_match(hdev, rssi, eir, eir_len, scan_rsp,
9629                                      scan_rsp_len))
9630                         return;
9631         }
9632
9633         if (hdev->discovery.limited) {
9634                 /* Check for limited discoverable bit */
9635                 if (dev_class) {
9636                         if (!(dev_class[1] & 0x20))
9637                                 return;
9638                 } else {
9639                         u8 *flags = eir_get_data(eir, eir_len, EIR_FLAGS, NULL);
9640                         if (!flags || !(flags[0] & LE_AD_LIMITED))
9641                                 return;
9642                 }
9643         }
9644
9645         /* Make sure that the buffer is big enough. The 5 extra bytes
9646          * are for the potential CoD field.
9647          */
9648         if (sizeof(*ev) + eir_len + scan_rsp_len + 5 > sizeof(buf))
9649                 return;
9650
9651         memset(buf, 0, sizeof(buf));
9652
9653         /* In case of device discovery with BR/EDR devices (pre 1.2), the
9654          * RSSI value was reported as 0 when not available. This behavior
9655          * is kept when using device discovery. This is required for full
9656          * backwards compatibility with the API.
9657          *
9658          * However when using service discovery, the value 127 will be
9659          * returned when the RSSI is not available.
9660          */
9661         if (rssi == HCI_RSSI_INVALID && !hdev->discovery.report_invalid_rssi &&
9662             link_type == ACL_LINK)
9663                 rssi = 0;
9664
9665         bacpy(&ev->addr.bdaddr, bdaddr);
9666         ev->addr.type = link_to_bdaddr(link_type, addr_type);
9667         ev->rssi = rssi;
9668         ev->flags = cpu_to_le32(flags);
9669
9670         if (eir_len > 0)
9671                 /* Copy EIR or advertising data into event */
9672                 memcpy(ev->eir, eir, eir_len);
9673
9674         if (dev_class && !eir_get_data(ev->eir, eir_len, EIR_CLASS_OF_DEV,
9675                                        NULL))
9676                 eir_len = eir_append_data(ev->eir, eir_len, EIR_CLASS_OF_DEV,
9677                                           dev_class, 3);
9678
9679         if (scan_rsp_len > 0)
9680                 /* Append scan response data to event */
9681                 memcpy(ev->eir + eir_len, scan_rsp, scan_rsp_len);
9682
9683         ev->eir_len = cpu_to_le16(eir_len + scan_rsp_len);
9684         ev_size = sizeof(*ev) + eir_len + scan_rsp_len;
9685
9686         mgmt_event(MGMT_EV_DEVICE_FOUND, hdev, ev, ev_size, NULL);
9687 }
9688
9689 void mgmt_remote_name(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
9690                       u8 addr_type, s8 rssi, u8 *name, u8 name_len)
9691 {
9692         struct mgmt_ev_device_found *ev;
9693         char buf[sizeof(*ev) + HCI_MAX_NAME_LENGTH + 2];
9694         u16 eir_len;
9695
9696         ev = (struct mgmt_ev_device_found *) buf;
9697
9698         memset(buf, 0, sizeof(buf));
9699
9700         bacpy(&ev->addr.bdaddr, bdaddr);
9701         ev->addr.type = link_to_bdaddr(link_type, addr_type);
9702         ev->rssi = rssi;
9703
9704         eir_len = eir_append_data(ev->eir, 0, EIR_NAME_COMPLETE, name,
9705                                   name_len);
9706
9707         ev->eir_len = cpu_to_le16(eir_len);
9708
9709         mgmt_event(MGMT_EV_DEVICE_FOUND, hdev, ev, sizeof(*ev) + eir_len, NULL);
9710 }
9711
9712 void mgmt_discovering(struct hci_dev *hdev, u8 discovering)
9713 {
9714         struct mgmt_ev_discovering ev;
9715
9716         bt_dev_dbg(hdev, "discovering %u", discovering);
9717
9718         memset(&ev, 0, sizeof(ev));
9719         ev.type = hdev->discovery.type;
9720         ev.discovering = discovering;
9721
9722         mgmt_event(MGMT_EV_DISCOVERING, hdev, &ev, sizeof(ev), NULL);
9723 }
9724
9725 void mgmt_suspending(struct hci_dev *hdev, u8 state)
9726 {
9727         struct mgmt_ev_controller_suspend ev;
9728
9729         ev.suspend_state = state;
9730         mgmt_event(MGMT_EV_CONTROLLER_SUSPEND, hdev, &ev, sizeof(ev), NULL);
9731 }
9732
9733 void mgmt_resuming(struct hci_dev *hdev, u8 reason, bdaddr_t *bdaddr,
9734                    u8 addr_type)
9735 {
9736         struct mgmt_ev_controller_resume ev;
9737
9738         ev.wake_reason = reason;
9739         if (bdaddr) {
9740                 bacpy(&ev.addr.bdaddr, bdaddr);
9741                 ev.addr.type = addr_type;
9742         } else {
9743                 memset(&ev.addr, 0, sizeof(ev.addr));
9744         }
9745
9746         mgmt_event(MGMT_EV_CONTROLLER_RESUME, hdev, &ev, sizeof(ev), NULL);
9747 }
9748
9749 static struct hci_mgmt_chan chan = {
9750         .channel        = HCI_CHANNEL_CONTROL,
9751         .handler_count  = ARRAY_SIZE(mgmt_handlers),
9752         .handlers       = mgmt_handlers,
9753         .hdev_init      = mgmt_init_hdev,
9754 };
9755
9756 int mgmt_init(void)
9757 {
9758         return hci_mgmt_chan_register(&chan);
9759 }
9760
9761 void mgmt_exit(void)
9762 {
9763         hci_mgmt_chan_unregister(&chan);
9764 }
Empty description
This page took 0.604073 seconds and 4 git commands to generate.