1	/*
2	BlueZ - Bluetooth protocol stack for Linux
3
4	Copyright (C) 2010 Nokia Corporation
5	Copyright (C) 2011-2012 Intel Corporation
6
7	This program is free software; you can redistribute it and/or modify
8	it under the terms of the GNU General Public License version 2 as
9	published by the Free Software Foundation;
10
11	THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12	OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13	FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14	IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15	CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16	WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17	ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18	OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19
20	ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21	COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22	SOFTWARE IS DISCLAIMED.
23	*/
24
25	/* Bluetooth HCI Management interface */
26
27	#include <linux/module.h>
28	#include <asm/unaligned.h>
29
30	#include <net/bluetooth/bluetooth.h>
31	#include <net/bluetooth/hci_core.h>
32	#include <net/bluetooth/hci_sock.h>
33	#include <net/bluetooth/l2cap.h>
34	#include <net/bluetooth/mgmt.h>
35
36	#include "hci_request.h"
37	#include "smp.h"
38	#include "mgmt_util.h"
39	#include "mgmt_config.h"
40	#include "msft.h"
41	#include "eir.h"
42	#include "aosp.h"
43
44	#define MGMT_VERSION 1
45	#define MGMT_REVISION 22
46
47	static const u16 mgmt_commands[] = {
48	MGMT_OP_READ_INDEX_LIST,
49	MGMT_OP_READ_INFO,
50	MGMT_OP_SET_POWERED,
51	MGMT_OP_SET_DISCOVERABLE,
52	MGMT_OP_SET_CONNECTABLE,
53	MGMT_OP_SET_FAST_CONNECTABLE,
54	MGMT_OP_SET_BONDABLE,
55	MGMT_OP_SET_LINK_SECURITY,
56	MGMT_OP_SET_SSP,
57	MGMT_OP_SET_HS,
58	MGMT_OP_SET_LE,
59	MGMT_OP_SET_DEV_CLASS,
60	MGMT_OP_SET_LOCAL_NAME,
61	MGMT_OP_ADD_UUID,
62	MGMT_OP_REMOVE_UUID,
63	MGMT_OP_LOAD_LINK_KEYS,
64	MGMT_OP_LOAD_LONG_TERM_KEYS,
65	MGMT_OP_DISCONNECT,
66	MGMT_OP_GET_CONNECTIONS,
67	MGMT_OP_PIN_CODE_REPLY,
68	MGMT_OP_PIN_CODE_NEG_REPLY,
69	MGMT_OP_SET_IO_CAPABILITY,
70	MGMT_OP_PAIR_DEVICE,
71	MGMT_OP_CANCEL_PAIR_DEVICE,
72	MGMT_OP_UNPAIR_DEVICE,
73	MGMT_OP_USER_CONFIRM_REPLY,
74	MGMT_OP_USER_CONFIRM_NEG_REPLY,
75	MGMT_OP_USER_PASSKEY_REPLY,
76	MGMT_OP_USER_PASSKEY_NEG_REPLY,
77	MGMT_OP_READ_LOCAL_OOB_DATA,
78	MGMT_OP_ADD_REMOTE_OOB_DATA,
79	MGMT_OP_REMOVE_REMOTE_OOB_DATA,
80	MGMT_OP_START_DISCOVERY,
81	MGMT_OP_STOP_DISCOVERY,
82	MGMT_OP_CONFIRM_NAME,
83	MGMT_OP_BLOCK_DEVICE,
84	MGMT_OP_UNBLOCK_DEVICE,
85	MGMT_OP_SET_DEVICE_ID,
86	MGMT_OP_SET_ADVERTISING,
87	MGMT_OP_SET_BREDR,
88	MGMT_OP_SET_STATIC_ADDRESS,
89	MGMT_OP_SET_SCAN_PARAMS,
90	MGMT_OP_SET_SECURE_CONN,
91	MGMT_OP_SET_DEBUG_KEYS,
92	MGMT_OP_SET_PRIVACY,
93	MGMT_OP_LOAD_IRKS,
94	MGMT_OP_GET_CONN_INFO,
95	MGMT_OP_GET_CLOCK_INFO,
96	MGMT_OP_ADD_DEVICE,
97	MGMT_OP_REMOVE_DEVICE,
98	MGMT_OP_LOAD_CONN_PARAM,
99	MGMT_OP_READ_UNCONF_INDEX_LIST,
100	MGMT_OP_READ_CONFIG_INFO,
101	MGMT_OP_SET_EXTERNAL_CONFIG,
102	MGMT_OP_SET_PUBLIC_ADDRESS,
103	MGMT_OP_START_SERVICE_DISCOVERY,
104	MGMT_OP_READ_LOCAL_OOB_EXT_DATA,
105	MGMT_OP_READ_EXT_INDEX_LIST,
106	MGMT_OP_READ_ADV_FEATURES,
107	MGMT_OP_ADD_ADVERTISING,
108	MGMT_OP_REMOVE_ADVERTISING,
109	MGMT_OP_GET_ADV_SIZE_INFO,
110	MGMT_OP_START_LIMITED_DISCOVERY,
111	MGMT_OP_READ_EXT_INFO,
112	MGMT_OP_SET_APPEARANCE,
113	MGMT_OP_GET_PHY_CONFIGURATION,
114	MGMT_OP_SET_PHY_CONFIGURATION,
115	MGMT_OP_SET_BLOCKED_KEYS,
116	MGMT_OP_SET_WIDEBAND_SPEECH,
117	MGMT_OP_READ_CONTROLLER_CAP,
118	MGMT_OP_READ_EXP_FEATURES_INFO,
119	MGMT_OP_SET_EXP_FEATURE,
120	MGMT_OP_READ_DEF_SYSTEM_CONFIG,
121	MGMT_OP_SET_DEF_SYSTEM_CONFIG,
122	MGMT_OP_READ_DEF_RUNTIME_CONFIG,
123	MGMT_OP_SET_DEF_RUNTIME_CONFIG,
124	MGMT_OP_GET_DEVICE_FLAGS,
125	MGMT_OP_SET_DEVICE_FLAGS,
126	MGMT_OP_READ_ADV_MONITOR_FEATURES,
127	MGMT_OP_ADD_ADV_PATTERNS_MONITOR,
128	MGMT_OP_REMOVE_ADV_MONITOR,
129	MGMT_OP_ADD_EXT_ADV_PARAMS,
130	MGMT_OP_ADD_EXT_ADV_DATA,
131	MGMT_OP_ADD_ADV_PATTERNS_MONITOR_RSSI,
132	MGMT_OP_SET_MESH_RECEIVER,
133	MGMT_OP_MESH_READ_FEATURES,
134	MGMT_OP_MESH_SEND,
135	MGMT_OP_MESH_SEND_CANCEL,
136	};
137
138	static const u16 mgmt_events[] = {
139	MGMT_EV_CONTROLLER_ERROR,
140	MGMT_EV_INDEX_ADDED,
141	MGMT_EV_INDEX_REMOVED,
142	MGMT_EV_NEW_SETTINGS,
143	MGMT_EV_CLASS_OF_DEV_CHANGED,
144	MGMT_EV_LOCAL_NAME_CHANGED,
145	MGMT_EV_NEW_LINK_KEY,
146	MGMT_EV_NEW_LONG_TERM_KEY,
147	MGMT_EV_DEVICE_CONNECTED,
148	MGMT_EV_DEVICE_DISCONNECTED,
149	MGMT_EV_CONNECT_FAILED,
150	MGMT_EV_PIN_CODE_REQUEST,
151	MGMT_EV_USER_CONFIRM_REQUEST,
152	MGMT_EV_USER_PASSKEY_REQUEST,
153	MGMT_EV_AUTH_FAILED,
154	MGMT_EV_DEVICE_FOUND,
155	MGMT_EV_DISCOVERING,
156	MGMT_EV_DEVICE_BLOCKED,
157	MGMT_EV_DEVICE_UNBLOCKED,
158	MGMT_EV_DEVICE_UNPAIRED,
159	MGMT_EV_PASSKEY_NOTIFY,
160	MGMT_EV_NEW_IRK,
161	MGMT_EV_NEW_CSRK,
162	MGMT_EV_DEVICE_ADDED,
163	MGMT_EV_DEVICE_REMOVED,
164	MGMT_EV_NEW_CONN_PARAM,
165	MGMT_EV_UNCONF_INDEX_ADDED,
166	MGMT_EV_UNCONF_INDEX_REMOVED,
167	MGMT_EV_NEW_CONFIG_OPTIONS,
168	MGMT_EV_EXT_INDEX_ADDED,
169	MGMT_EV_EXT_INDEX_REMOVED,
170	MGMT_EV_LOCAL_OOB_DATA_UPDATED,
171	MGMT_EV_ADVERTISING_ADDED,
172	MGMT_EV_ADVERTISING_REMOVED,
173	MGMT_EV_EXT_INFO_CHANGED,
174	MGMT_EV_PHY_CONFIGURATION_CHANGED,
175	MGMT_EV_EXP_FEATURE_CHANGED,
176	MGMT_EV_DEVICE_FLAGS_CHANGED,
177	MGMT_EV_ADV_MONITOR_ADDED,
178	MGMT_EV_ADV_MONITOR_REMOVED,
179	MGMT_EV_CONTROLLER_SUSPEND,
180	MGMT_EV_CONTROLLER_RESUME,
181	MGMT_EV_ADV_MONITOR_DEVICE_FOUND,
182	MGMT_EV_ADV_MONITOR_DEVICE_LOST,
183	};
184
185	static const u16 mgmt_untrusted_commands[] = {
186	MGMT_OP_READ_INDEX_LIST,
187	MGMT_OP_READ_INFO,
188	MGMT_OP_READ_UNCONF_INDEX_LIST,
189	MGMT_OP_READ_CONFIG_INFO,
190	MGMT_OP_READ_EXT_INDEX_LIST,
191	MGMT_OP_READ_EXT_INFO,
192	MGMT_OP_READ_CONTROLLER_CAP,
193	MGMT_OP_READ_EXP_FEATURES_INFO,
194	MGMT_OP_READ_DEF_SYSTEM_CONFIG,
195	MGMT_OP_READ_DEF_RUNTIME_CONFIG,
196	};
197
198	static const u16 mgmt_untrusted_events[] = {
199	MGMT_EV_INDEX_ADDED,
200	MGMT_EV_INDEX_REMOVED,
201	MGMT_EV_NEW_SETTINGS,
202	MGMT_EV_CLASS_OF_DEV_CHANGED,
203	MGMT_EV_LOCAL_NAME_CHANGED,
204	MGMT_EV_UNCONF_INDEX_ADDED,
205	MGMT_EV_UNCONF_INDEX_REMOVED,
206	MGMT_EV_NEW_CONFIG_OPTIONS,
207	MGMT_EV_EXT_INDEX_ADDED,
208	MGMT_EV_EXT_INDEX_REMOVED,
209	MGMT_EV_EXT_INFO_CHANGED,
210	MGMT_EV_EXP_FEATURE_CHANGED,
211	};
212
213	#define CACHE_TIMEOUT msecs_to_jiffies(2 * 1000)
214
215	#define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
216	"\x00\x00\x00\x00\x00\x00\x00\x00"
217
218	/* HCI to MGMT error code conversion table */
219	static const u8 mgmt_status_table[] = {
220	MGMT_STATUS_SUCCESS,
221	MGMT_STATUS_UNKNOWN_COMMAND, /* Unknown Command */
222	MGMT_STATUS_NOT_CONNECTED, /* No Connection */
223	MGMT_STATUS_FAILED, /* Hardware Failure */
224	MGMT_STATUS_CONNECT_FAILED, /* Page Timeout */
225	MGMT_STATUS_AUTH_FAILED, /* Authentication Failed */
226	MGMT_STATUS_AUTH_FAILED, /* PIN or Key Missing */
227	MGMT_STATUS_NO_RESOURCES, /* Memory Full */
228	MGMT_STATUS_TIMEOUT, /* Connection Timeout */
229	MGMT_STATUS_NO_RESOURCES, /* Max Number of Connections */
230	MGMT_STATUS_NO_RESOURCES, /* Max Number of SCO Connections */
231	MGMT_STATUS_ALREADY_CONNECTED, /* ACL Connection Exists */
232	MGMT_STATUS_BUSY, /* Command Disallowed */
233	MGMT_STATUS_NO_RESOURCES, /* Rejected Limited Resources */
234	MGMT_STATUS_REJECTED, /* Rejected Security */
235	MGMT_STATUS_REJECTED, /* Rejected Personal */
236	MGMT_STATUS_TIMEOUT, /* Host Timeout */
237	MGMT_STATUS_NOT_SUPPORTED, /* Unsupported Feature */
238	MGMT_STATUS_INVALID_PARAMS, /* Invalid Parameters */
239	MGMT_STATUS_DISCONNECTED, /* OE User Ended Connection */
240	MGMT_STATUS_NO_RESOURCES, /* OE Low Resources */
241	MGMT_STATUS_DISCONNECTED, /* OE Power Off */
242	MGMT_STATUS_DISCONNECTED, /* Connection Terminated */
243	MGMT_STATUS_BUSY, /* Repeated Attempts */
244	MGMT_STATUS_REJECTED, /* Pairing Not Allowed */
245	MGMT_STATUS_FAILED, /* Unknown LMP PDU */
246	MGMT_STATUS_NOT_SUPPORTED, /* Unsupported Remote Feature */
247	MGMT_STATUS_REJECTED, /* SCO Offset Rejected */
248	MGMT_STATUS_REJECTED, /* SCO Interval Rejected */
249	MGMT_STATUS_REJECTED, /* Air Mode Rejected */
250	MGMT_STATUS_INVALID_PARAMS, /* Invalid LMP Parameters */
251	MGMT_STATUS_FAILED, /* Unspecified Error */
252	MGMT_STATUS_NOT_SUPPORTED, /* Unsupported LMP Parameter Value */
253	MGMT_STATUS_FAILED, /* Role Change Not Allowed */
254	MGMT_STATUS_TIMEOUT, /* LMP Response Timeout */
255	MGMT_STATUS_FAILED, /* LMP Error Transaction Collision */
256	MGMT_STATUS_FAILED, /* LMP PDU Not Allowed */
257	MGMT_STATUS_REJECTED, /* Encryption Mode Not Accepted */
258	MGMT_STATUS_FAILED, /* Unit Link Key Used */
259	MGMT_STATUS_NOT_SUPPORTED, /* QoS Not Supported */
260	MGMT_STATUS_TIMEOUT, /* Instant Passed */
261	MGMT_STATUS_NOT_SUPPORTED, /* Pairing Not Supported */
262	MGMT_STATUS_FAILED, /* Transaction Collision */
263	MGMT_STATUS_FAILED, /* Reserved for future use */
264	MGMT_STATUS_INVALID_PARAMS, /* Unacceptable Parameter */
265	MGMT_STATUS_REJECTED, /* QoS Rejected */
266	MGMT_STATUS_NOT_SUPPORTED, /* Classification Not Supported */
267	MGMT_STATUS_REJECTED, /* Insufficient Security */
268	MGMT_STATUS_INVALID_PARAMS, /* Parameter Out Of Range */
269	MGMT_STATUS_FAILED, /* Reserved for future use */
270	MGMT_STATUS_BUSY, /* Role Switch Pending */
271	MGMT_STATUS_FAILED, /* Reserved for future use */
272	MGMT_STATUS_FAILED, /* Slot Violation */
273	MGMT_STATUS_FAILED, /* Role Switch Failed */
274	MGMT_STATUS_INVALID_PARAMS, /* EIR Too Large */
275	MGMT_STATUS_NOT_SUPPORTED, /* Simple Pairing Not Supported */
276	MGMT_STATUS_BUSY, /* Host Busy Pairing */
277	MGMT_STATUS_REJECTED, /* Rejected, No Suitable Channel */
278	MGMT_STATUS_BUSY, /* Controller Busy */
279	MGMT_STATUS_INVALID_PARAMS, /* Unsuitable Connection Interval */
280	MGMT_STATUS_TIMEOUT, /* Directed Advertising Timeout */
281	MGMT_STATUS_AUTH_FAILED, /* Terminated Due to MIC Failure */
282	MGMT_STATUS_CONNECT_FAILED, /* Connection Establishment Failed */
283	MGMT_STATUS_CONNECT_FAILED, /* MAC Connection Failed */
284	};
285
286	static u8 mgmt_errno_status(int err)
287	{
288	switch (err) {
289	case 0:
290	return MGMT_STATUS_SUCCESS;
291	case -EPERM:
292	return MGMT_STATUS_REJECTED;
293	case -EINVAL:
294	return MGMT_STATUS_INVALID_PARAMS;
295	case -EOPNOTSUPP:
296	return MGMT_STATUS_NOT_SUPPORTED;
297	case -EBUSY:
298	return MGMT_STATUS_BUSY;
299	case -ETIMEDOUT:
300	return MGMT_STATUS_AUTH_FAILED;
301	case -ENOMEM:
302	return MGMT_STATUS_NO_RESOURCES;
303	case -EISCONN:
304	return MGMT_STATUS_ALREADY_CONNECTED;
305	case -ENOTCONN:
306	return MGMT_STATUS_DISCONNECTED;
307	}
308
309	return MGMT_STATUS_FAILED;
310	}
311
312	static u8 mgmt_status(int err)
313	{
314	if (err < 0)
315	return mgmt_errno_status(err);
316
317	if (err < ARRAY_SIZE(mgmt_status_table))
318	return mgmt_status_table[err];
319
320	return MGMT_STATUS_FAILED;
321	}
322
323	static int mgmt_index_event(u16 event, struct hci_dev *hdev, void *data,
324	u16 len, int flag)
325	{
326	return mgmt_send_event(event, hdev, HCI_CHANNEL_CONTROL, data, data_len: len,
327	flag, NULL);
328	}
329
330	static int mgmt_limited_event(u16 event, struct hci_dev *hdev, void *data,
331	u16 len, int flag, struct sock *skip_sk)
332	{
333	return mgmt_send_event(event, hdev, HCI_CHANNEL_CONTROL, data, data_len: len,
334	flag, skip_sk);
335	}
336
337	static int mgmt_event(u16 event, struct hci_dev *hdev, void *data, u16 len,
338	struct sock *skip_sk)
339	{
340	return mgmt_send_event(event, hdev, HCI_CHANNEL_CONTROL, data, data_len: len,
341	flag: HCI_SOCK_TRUSTED, skip_sk);
342	}
343
344	static int mgmt_event_skb(struct sk_buff *skb, struct sock *skip_sk)
345	{
346	return mgmt_send_event_skb(HCI_CHANNEL_CONTROL, skb, flag: HCI_SOCK_TRUSTED,
347	skip_sk);
348	}
349
350	static u8 le_addr_type(u8 mgmt_addr_type)
351	{
352	if (mgmt_addr_type == BDADDR_LE_PUBLIC)
353	return ADDR_LE_DEV_PUBLIC;
354	else
355	return ADDR_LE_DEV_RANDOM;
356	}
357
358	void mgmt_fill_version_info(void *ver)
359	{
360	struct mgmt_rp_read_version *rp = ver;
361
362	rp->version = MGMT_VERSION;
363	rp->revision = cpu_to_le16(MGMT_REVISION);
364	}
365
366	static int read_version(struct sock *sk, struct hci_dev *hdev, void *data,
367	u16 data_len)
368	{
369	struct mgmt_rp_read_version rp;
370
371	bt_dev_dbg(hdev, "sock %p", sk);
372
373	mgmt_fill_version_info(ver: &rp);
374
375	return mgmt_cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_VERSION, status: 0,
376	rp: &rp, rp_len: sizeof(rp));
377	}
378
379	static int read_commands(struct sock *sk, struct hci_dev *hdev, void *data,
380	u16 data_len)
381	{
382	struct mgmt_rp_read_commands *rp;
383	u16 num_commands, num_events;
384	size_t rp_size;
385	int i, err;
386
387	bt_dev_dbg(hdev, "sock %p", sk);
388
389	if (hci_sock_test_flag(sk, nr: HCI_SOCK_TRUSTED)) {
390	num_commands = ARRAY_SIZE(mgmt_commands);
391	num_events = ARRAY_SIZE(mgmt_events);
392	} else {
393	num_commands = ARRAY_SIZE(mgmt_untrusted_commands);
394	num_events = ARRAY_SIZE(mgmt_untrusted_events);
395	}
396
397	rp_size = sizeof(*rp) + ((num_commands + num_events) * sizeof(u16));
398
399	rp = kmalloc(size: rp_size, GFP_KERNEL);
400	if (!rp)
401	return -ENOMEM;
402
403	rp->num_commands = cpu_to_le16(num_commands);
404	rp->num_events = cpu_to_le16(num_events);
405
406	if (hci_sock_test_flag(sk, nr: HCI_SOCK_TRUSTED)) {
407	__le16 *opcode = rp->opcodes;
408
409	for (i = 0; i < num_commands; i++, opcode++)
410	put_unaligned_le16(val: mgmt_commands[i], p: opcode);
411
412	for (i = 0; i < num_events; i++, opcode++)
413	put_unaligned_le16(val: mgmt_events[i], p: opcode);
414	} else {
415	__le16 *opcode = rp->opcodes;
416
417	for (i = 0; i < num_commands; i++, opcode++)
418	put_unaligned_le16(val: mgmt_untrusted_commands[i], p: opcode);
419
420	for (i = 0; i < num_events; i++, opcode++)
421	put_unaligned_le16(val: mgmt_untrusted_events[i], p: opcode);
422	}
423
424	err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_COMMANDS, status: 0,
425	rp, rp_len: rp_size);
426	kfree(objp: rp);
427
428	return err;
429	}
430
431	static int read_index_list(struct sock *sk, struct hci_dev *hdev, void *data,
432	u16 data_len)
433	{
434	struct mgmt_rp_read_index_list *rp;
435	struct hci_dev *d;
436	size_t rp_len;
437	u16 count;
438	int err;
439
440	bt_dev_dbg(hdev, "sock %p", sk);
441
442	read_lock(&hci_dev_list_lock);
443
444	count = 0;
445	list_for_each_entry(d, &hci_dev_list, list) {
446	if (d->dev_type == HCI_PRIMARY &&
447	!hci_dev_test_flag(d, HCI_UNCONFIGURED))
448	count++;
449	}
450
451	rp_len = sizeof(*rp) + (2 * count);
452	rp = kmalloc(size: rp_len, GFP_ATOMIC);
453	if (!rp) {
454	read_unlock(&hci_dev_list_lock);
455	return -ENOMEM;
456	}
457
458	count = 0;
459	list_for_each_entry(d, &hci_dev_list, list) {
460	if (hci_dev_test_flag(d, HCI_SETUP) ||
461	hci_dev_test_flag(d, HCI_CONFIG) ||
462	hci_dev_test_flag(d, HCI_USER_CHANNEL))
463	continue;
464
465	/* Devices marked as raw-only are neither configured
466	* nor unconfigured controllers.
467	*/
468	if (test_bit(HCI_QUIRK_RAW_DEVICE, &d->quirks))
469	continue;
470
471	if (d->dev_type == HCI_PRIMARY &&
472	!hci_dev_test_flag(d, HCI_UNCONFIGURED)) {
473	rp->index[count++] = cpu_to_le16(d->id);
474	bt_dev_dbg(hdev, "Added hci%u", d->id);
475	}
476	}
477
478	rp->num_controllers = cpu_to_le16(count);
479	rp_len = sizeof(*rp) + (2 * count);
480
481	read_unlock(&hci_dev_list_lock);
482
483	err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_INDEX_LIST,
484	status: 0, rp, rp_len);
485
486	kfree(objp: rp);
487
488	return err;
489	}
490
491	static int read_unconf_index_list(struct sock *sk, struct hci_dev *hdev,
492	void *data, u16 data_len)
493	{
494	struct mgmt_rp_read_unconf_index_list *rp;
495	struct hci_dev *d;
496	size_t rp_len;
497	u16 count;
498	int err;
499
500	bt_dev_dbg(hdev, "sock %p", sk);
501
502	read_lock(&hci_dev_list_lock);
503
504	count = 0;
505	list_for_each_entry(d, &hci_dev_list, list) {
506	if (d->dev_type == HCI_PRIMARY &&
507	hci_dev_test_flag(d, HCI_UNCONFIGURED))
508	count++;
509	}
510
511	rp_len = sizeof(*rp) + (2 * count);
512	rp = kmalloc(size: rp_len, GFP_ATOMIC);
513	if (!rp) {
514	read_unlock(&hci_dev_list_lock);
515	return -ENOMEM;
516	}
517
518	count = 0;
519	list_for_each_entry(d, &hci_dev_list, list) {
520	if (hci_dev_test_flag(d, HCI_SETUP) ||
521	hci_dev_test_flag(d, HCI_CONFIG) ||
522	hci_dev_test_flag(d, HCI_USER_CHANNEL))
523	continue;
524
525	/* Devices marked as raw-only are neither configured
526	* nor unconfigured controllers.
527	*/
528	if (test_bit(HCI_QUIRK_RAW_DEVICE, &d->quirks))
529	continue;
530
531	if (d->dev_type == HCI_PRIMARY &&
532	hci_dev_test_flag(d, HCI_UNCONFIGURED)) {
533	rp->index[count++] = cpu_to_le16(d->id);
534	bt_dev_dbg(hdev, "Added hci%u", d->id);
535	}
536	}
537
538	rp->num_controllers = cpu_to_le16(count);
539	rp_len = sizeof(*rp) + (2 * count);
540
541	read_unlock(&hci_dev_list_lock);
542
543	err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE,
544	MGMT_OP_READ_UNCONF_INDEX_LIST, status: 0, rp, rp_len);
545
546	kfree(objp: rp);
547
548	return err;
549	}
550
551	static int read_ext_index_list(struct sock *sk, struct hci_dev *hdev,
552	void *data, u16 data_len)
553	{
554	struct mgmt_rp_read_ext_index_list *rp;
555	struct hci_dev *d;
556	u16 count;
557	int err;
558
559	bt_dev_dbg(hdev, "sock %p", sk);
560
561	read_lock(&hci_dev_list_lock);
562
563	count = 0;
564	list_for_each_entry(d, &hci_dev_list, list) {
565	if (d->dev_type == HCI_PRIMARY || d->dev_type == HCI_AMP)
566	count++;
567	}
568
569	rp = kmalloc(struct_size(rp, entry, count), GFP_ATOMIC);
570	if (!rp) {
571	read_unlock(&hci_dev_list_lock);
572	return -ENOMEM;
573	}
574
575	count = 0;
576	list_for_each_entry(d, &hci_dev_list, list) {
577	if (hci_dev_test_flag(d, HCI_SETUP) ||
578	hci_dev_test_flag(d, HCI_CONFIG) ||
579	hci_dev_test_flag(d, HCI_USER_CHANNEL))
580	continue;
581
582	/* Devices marked as raw-only are neither configured
583	* nor unconfigured controllers.
584	*/
585	if (test_bit(HCI_QUIRK_RAW_DEVICE, &d->quirks))
586	continue;
587
588	if (d->dev_type == HCI_PRIMARY) {
589	if (hci_dev_test_flag(d, HCI_UNCONFIGURED))
590	rp->entry[count].type = 0x01;
591	else
592	rp->entry[count].type = 0x00;
593	} else if (d->dev_type == HCI_AMP) {
594	rp->entry[count].type = 0x02;
595	} else {
596	continue;
597	}
598
599	rp->entry[count].bus = d->bus;
600	rp->entry[count++].index = cpu_to_le16(d->id);
601	bt_dev_dbg(hdev, "Added hci%u", d->id);
602	}
603
604	rp->num_controllers = cpu_to_le16(count);
605
606	read_unlock(&hci_dev_list_lock);
607
608	/* If this command is called at least once, then all the
609	* default index and unconfigured index events are disabled
610	* and from now on only extended index events are used.
611	*/
612	hci_sock_set_flag(sk, nr: HCI_MGMT_EXT_INDEX_EVENTS);
613	hci_sock_clear_flag(sk, nr: HCI_MGMT_INDEX_EVENTS);
614	hci_sock_clear_flag(sk, nr: HCI_MGMT_UNCONF_INDEX_EVENTS);
615
616	err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE,
617	MGMT_OP_READ_EXT_INDEX_LIST, status: 0, rp,
618	struct_size(rp, entry, count));
619
620	kfree(objp: rp);
621
622	return err;
623	}
624
625	static bool is_configured(struct hci_dev *hdev)
626	{
627	if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) &&
628	!hci_dev_test_flag(hdev, HCI_EXT_CONFIGURED))
629	return false;
630
631	if ((test_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks) ||
632	test_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks)) &&
633	!bacmp(ba1: &hdev->public_addr, BDADDR_ANY))
634	return false;
635
636	return true;
637	}
638
639	static __le32 get_missing_options(struct hci_dev *hdev)
640	{
641	u32 options = 0;
642
643	if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) &&
644	!hci_dev_test_flag(hdev, HCI_EXT_CONFIGURED))
645	options |= MGMT_OPTION_EXTERNAL_CONFIG;
646
647	if ((test_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks) ||
648	test_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks)) &&
649	!bacmp(ba1: &hdev->public_addr, BDADDR_ANY))
650	options |= MGMT_OPTION_PUBLIC_ADDRESS;
651
652	return cpu_to_le32(options);
653	}
654
655	static int new_options(struct hci_dev *hdev, struct sock *skip)
656	{
657	__le32 options = get_missing_options(hdev);
658
659	return mgmt_limited_event(MGMT_EV_NEW_CONFIG_OPTIONS, hdev, data: &options,
660	len: sizeof(options), flag: HCI_MGMT_OPTION_EVENTS, skip_sk: skip);
661	}
662
663	static int send_options_rsp(struct sock *sk, u16 opcode, struct hci_dev *hdev)
664	{
665	__le32 options = get_missing_options(hdev);
666
667	return mgmt_cmd_complete(sk, index: hdev->id, cmd: opcode, status: 0, rp: &options,
668	rp_len: sizeof(options));
669	}
670
671	static int read_config_info(struct sock *sk, struct hci_dev *hdev,
672	void *data, u16 data_len)
673	{
674	struct mgmt_rp_read_config_info rp;
675	u32 options = 0;
676
677	bt_dev_dbg(hdev, "sock %p", sk);
678
679	hci_dev_lock(hdev);
680
681	memset(&rp, 0, sizeof(rp));
682	rp.manufacturer = cpu_to_le16(hdev->manufacturer);
683
684	if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks))
685	options |= MGMT_OPTION_EXTERNAL_CONFIG;
686
687	if (hdev->set_bdaddr)
688	options |= MGMT_OPTION_PUBLIC_ADDRESS;
689
690	rp.supported_options = cpu_to_le32(options);
691	rp.missing_options = get_missing_options(hdev);
692
693	hci_dev_unlock(hdev);
694
695	return mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_READ_CONFIG_INFO, status: 0,
696	rp: &rp, rp_len: sizeof(rp));
697	}
698
699	static u32 get_supported_phys(struct hci_dev *hdev)
700	{
701	u32 supported_phys = 0;
702
703	if (lmp_bredr_capable(hdev)) {
704	supported_phys |= MGMT_PHY_BR_1M_1SLOT;
705
706	if (hdev->features[0][0] & LMP_3SLOT)
707	supported_phys |= MGMT_PHY_BR_1M_3SLOT;
708
709	if (hdev->features[0][0] & LMP_5SLOT)
710	supported_phys |= MGMT_PHY_BR_1M_5SLOT;
711
712	if (lmp_edr_2m_capable(hdev)) {
713	supported_phys |= MGMT_PHY_EDR_2M_1SLOT;
714
715	if (lmp_edr_3slot_capable(hdev))
716	supported_phys |= MGMT_PHY_EDR_2M_3SLOT;
717
718	if (lmp_edr_5slot_capable(hdev))
719	supported_phys |= MGMT_PHY_EDR_2M_5SLOT;
720
721	if (lmp_edr_3m_capable(hdev)) {
722	supported_phys |= MGMT_PHY_EDR_3M_1SLOT;
723
724	if (lmp_edr_3slot_capable(hdev))
725	supported_phys |= MGMT_PHY_EDR_3M_3SLOT;
726
727	if (lmp_edr_5slot_capable(hdev))
728	supported_phys |= MGMT_PHY_EDR_3M_5SLOT;
729	}
730	}
731	}
732
733	if (lmp_le_capable(hdev)) {
734	supported_phys |= MGMT_PHY_LE_1M_TX;
735	supported_phys |= MGMT_PHY_LE_1M_RX;
736
737	if (hdev->le_features[1] & HCI_LE_PHY_2M) {
738	supported_phys |= MGMT_PHY_LE_2M_TX;
739	supported_phys |= MGMT_PHY_LE_2M_RX;
740	}
741
742	if (hdev->le_features[1] & HCI_LE_PHY_CODED) {
743	supported_phys |= MGMT_PHY_LE_CODED_TX;
744	supported_phys |= MGMT_PHY_LE_CODED_RX;
745	}
746	}
747
748	return supported_phys;
749	}
750
751	static u32 get_selected_phys(struct hci_dev *hdev)
752	{
753	u32 selected_phys = 0;
754
755	if (lmp_bredr_capable(hdev)) {
756	selected_phys |= MGMT_PHY_BR_1M_1SLOT;
757
758	if (hdev->pkt_type & (HCI_DM3 | HCI_DH3))
759	selected_phys |= MGMT_PHY_BR_1M_3SLOT;
760
761	if (hdev->pkt_type & (HCI_DM5 | HCI_DH5))
762	selected_phys |= MGMT_PHY_BR_1M_5SLOT;
763
764	if (lmp_edr_2m_capable(hdev)) {
765	if (!(hdev->pkt_type & HCI_2DH1))
766	selected_phys |= MGMT_PHY_EDR_2M_1SLOT;
767
768	if (lmp_edr_3slot_capable(hdev) &&
769	!(hdev->pkt_type & HCI_2DH3))
770	selected_phys |= MGMT_PHY_EDR_2M_3SLOT;
771
772	if (lmp_edr_5slot_capable(hdev) &&
773	!(hdev->pkt_type & HCI_2DH5))
774	selected_phys |= MGMT_PHY_EDR_2M_5SLOT;
775
776	if (lmp_edr_3m_capable(hdev)) {
777	if (!(hdev->pkt_type & HCI_3DH1))
778	selected_phys |= MGMT_PHY_EDR_3M_1SLOT;
779
780	if (lmp_edr_3slot_capable(hdev) &&
781	!(hdev->pkt_type & HCI_3DH3))
782	selected_phys |= MGMT_PHY_EDR_3M_3SLOT;
783
784	if (lmp_edr_5slot_capable(hdev) &&
785	!(hdev->pkt_type & HCI_3DH5))
786	selected_phys |= MGMT_PHY_EDR_3M_5SLOT;
787	}
788	}
789	}
790
791	if (lmp_le_capable(hdev)) {
792	if (hdev->le_tx_def_phys & HCI_LE_SET_PHY_1M)
793	selected_phys |= MGMT_PHY_LE_1M_TX;
794
795	if (hdev->le_rx_def_phys & HCI_LE_SET_PHY_1M)
796	selected_phys |= MGMT_PHY_LE_1M_RX;
797
798	if (hdev->le_tx_def_phys & HCI_LE_SET_PHY_2M)
799	selected_phys |= MGMT_PHY_LE_2M_TX;
800
801	if (hdev->le_rx_def_phys & HCI_LE_SET_PHY_2M)
802	selected_phys |= MGMT_PHY_LE_2M_RX;
803
804	if (hdev->le_tx_def_phys & HCI_LE_SET_PHY_CODED)
805	selected_phys |= MGMT_PHY_LE_CODED_TX;
806
807	if (hdev->le_rx_def_phys & HCI_LE_SET_PHY_CODED)
808	selected_phys |= MGMT_PHY_LE_CODED_RX;
809	}
810
811	return selected_phys;
812	}
813
814	static u32 get_configurable_phys(struct hci_dev *hdev)
815	{
816	return (get_supported_phys(hdev) & ~MGMT_PHY_BR_1M_1SLOT &
817	~MGMT_PHY_LE_1M_TX & ~MGMT_PHY_LE_1M_RX);
818	}
819
820	static u32 get_supported_settings(struct hci_dev *hdev)
821	{
822	u32 settings = 0;
823
824	settings |= MGMT_SETTING_POWERED;
825	settings |= MGMT_SETTING_BONDABLE;
826	settings |= MGMT_SETTING_DEBUG_KEYS;
827	settings |= MGMT_SETTING_CONNECTABLE;
828	settings |= MGMT_SETTING_DISCOVERABLE;
829
830	if (lmp_bredr_capable(hdev)) {
831	if (hdev->hci_ver >= BLUETOOTH_VER_1_2)
832	settings |= MGMT_SETTING_FAST_CONNECTABLE;
833	settings |= MGMT_SETTING_BREDR;
834	settings |= MGMT_SETTING_LINK_SECURITY;
835
836	if (lmp_ssp_capable(hdev)) {
837	settings |= MGMT_SETTING_SSP;
838	}
839
840	if (lmp_sc_capable(hdev))
841	settings |= MGMT_SETTING_SECURE_CONN;
842
843	if (test_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED,
844	&hdev->quirks))
845	settings |= MGMT_SETTING_WIDEBAND_SPEECH;
846	}
847
848	if (lmp_le_capable(hdev)) {
849	settings |= MGMT_SETTING_LE;
850	settings |= MGMT_SETTING_SECURE_CONN;
851	settings |= MGMT_SETTING_PRIVACY;
852	settings |= MGMT_SETTING_STATIC_ADDRESS;
853	settings |= MGMT_SETTING_ADVERTISING;
854	}
855
856	if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) ||
857	hdev->set_bdaddr)
858	settings |= MGMT_SETTING_CONFIGURATION;
859
860	if (cis_central_capable(hdev))
861	settings |= MGMT_SETTING_CIS_CENTRAL;
862
863	if (cis_peripheral_capable(hdev))
864	settings |= MGMT_SETTING_CIS_PERIPHERAL;
865
866	settings |= MGMT_SETTING_PHY_CONFIGURATION;
867
868	return settings;
869	}
870
871	static u32 get_current_settings(struct hci_dev *hdev)
872	{
873	u32 settings = 0;
874
875	if (hdev_is_powered(hdev))
876	settings |= MGMT_SETTING_POWERED;
877
878	if (hci_dev_test_flag(hdev, HCI_CONNECTABLE))
879	settings |= MGMT_SETTING_CONNECTABLE;
880
881	if (hci_dev_test_flag(hdev, HCI_FAST_CONNECTABLE))
882	settings |= MGMT_SETTING_FAST_CONNECTABLE;
883
884	if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE))
885	settings |= MGMT_SETTING_DISCOVERABLE;
886
887	if (hci_dev_test_flag(hdev, HCI_BONDABLE))
888	settings |= MGMT_SETTING_BONDABLE;
889
890	if (hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
891	settings |= MGMT_SETTING_BREDR;
892
893	if (hci_dev_test_flag(hdev, HCI_LE_ENABLED))
894	settings |= MGMT_SETTING_LE;
895
896	if (hci_dev_test_flag(hdev, HCI_LINK_SECURITY))
897	settings |= MGMT_SETTING_LINK_SECURITY;
898
899	if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
900	settings |= MGMT_SETTING_SSP;
901
902	if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
903	settings |= MGMT_SETTING_ADVERTISING;
904
905	if (hci_dev_test_flag(hdev, HCI_SC_ENABLED))
906	settings |= MGMT_SETTING_SECURE_CONN;
907
908	if (hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS))
909	settings |= MGMT_SETTING_DEBUG_KEYS;
910
911	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
912	settings |= MGMT_SETTING_PRIVACY;
913
914	/* The current setting for static address has two purposes. The
915	* first is to indicate if the static address will be used and
916	* the second is to indicate if it is actually set.
917	*
918	* This means if the static address is not configured, this flag
919	* will never be set. If the address is configured, then if the
920	* address is actually used decides if the flag is set or not.
921	*
922	* For single mode LE only controllers and dual-mode controllers
923	* with BR/EDR disabled, the existence of the static address will
924	* be evaluated.
925	*/
926	if (hci_dev_test_flag(hdev, HCI_FORCE_STATIC_ADDR) ||
927	!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) ||
928	!bacmp(ba1: &hdev->bdaddr, BDADDR_ANY)) {
929	if (bacmp(ba1: &hdev->static_addr, BDADDR_ANY))
930	settings |= MGMT_SETTING_STATIC_ADDRESS;
931	}
932
933	if (hci_dev_test_flag(hdev, HCI_WIDEBAND_SPEECH_ENABLED))
934	settings |= MGMT_SETTING_WIDEBAND_SPEECH;
935
936	if (cis_central_capable(hdev))
937	settings |= MGMT_SETTING_CIS_CENTRAL;
938
939	if (cis_peripheral_capable(hdev))
940	settings |= MGMT_SETTING_CIS_PERIPHERAL;
941
942	if (bis_capable(hdev))
943	settings |= MGMT_SETTING_ISO_BROADCASTER;
944
945	if (sync_recv_capable(hdev))
946	settings |= MGMT_SETTING_ISO_SYNC_RECEIVER;
947
948	return settings;
949	}
950
951	static struct mgmt_pending_cmd *pending_find(u16 opcode, struct hci_dev *hdev)
952	{
953	return mgmt_pending_find(HCI_CHANNEL_CONTROL, opcode, hdev);
954	}
955
956	u8 mgmt_get_adv_discov_flags(struct hci_dev *hdev)
957	{
958	struct mgmt_pending_cmd *cmd;
959
960	/* If there's a pending mgmt command the flags will not yet have
961	* their final values, so check for this first.
962	*/
963	cmd = pending_find(MGMT_OP_SET_DISCOVERABLE, hdev);
964	if (cmd) {
965	struct mgmt_mode *cp = cmd->param;
966	if (cp->val == 0x01)
967	return LE_AD_GENERAL;
968	else if (cp->val == 0x02)
969	return LE_AD_LIMITED;
970	} else {
971	if (hci_dev_test_flag(hdev, HCI_LIMITED_DISCOVERABLE))
972	return LE_AD_LIMITED;
973	else if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE))
974	return LE_AD_GENERAL;
975	}
976
977	return 0;
978	}
979
980	bool mgmt_get_connectable(struct hci_dev *hdev)
981	{
982	struct mgmt_pending_cmd *cmd;
983
984	/* If there's a pending mgmt command the flag will not yet have
985	* it's final value, so check for this first.
986	*/
987	cmd = pending_find(MGMT_OP_SET_CONNECTABLE, hdev);
988	if (cmd) {
989	struct mgmt_mode *cp = cmd->param;
990
991	return cp->val;
992	}
993
994	return hci_dev_test_flag(hdev, HCI_CONNECTABLE);
995	}
996
997	static int service_cache_sync(struct hci_dev *hdev, void *data)
998	{
999	hci_update_eir_sync(hdev);
1000	hci_update_class_sync(hdev);
1001
1002	return 0;
1003	}
1004
1005	static void service_cache_off(struct work_struct *work)
1006	{
1007	struct hci_dev *hdev = container_of(work, struct hci_dev,
1008	service_cache.work);
1009
1010	if (!hci_dev_test_and_clear_flag(hdev, HCI_SERVICE_CACHE))
1011	return;
1012
1013	hci_cmd_sync_queue(hdev, func: service_cache_sync, NULL, NULL);
1014	}
1015
1016	static int rpa_expired_sync(struct hci_dev *hdev, void *data)
1017	{
1018	/* The generation of a new RPA and programming it into the
1019	* controller happens in the hci_req_enable_advertising()
1020	* function.
1021	*/
1022	if (ext_adv_capable(hdev))
1023	return hci_start_ext_adv_sync(hdev, instance: hdev->cur_adv_instance);
1024	else
1025	return hci_enable_advertising_sync(hdev);
1026	}
1027
1028	static void rpa_expired(struct work_struct *work)
1029	{
1030	struct hci_dev *hdev = container_of(work, struct hci_dev,
1031	rpa_expired.work);
1032
1033	bt_dev_dbg(hdev, "");
1034
1035	hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
1036
1037	if (!hci_dev_test_flag(hdev, HCI_ADVERTISING))
1038	return;
1039
1040	hci_cmd_sync_queue(hdev, func: rpa_expired_sync, NULL, NULL);
1041	}
1042
1043	static int set_discoverable_sync(struct hci_dev *hdev, void *data);
1044
1045	static void discov_off(struct work_struct *work)
1046	{
1047	struct hci_dev *hdev = container_of(work, struct hci_dev,
1048	discov_off.work);
1049
1050	bt_dev_dbg(hdev, "");
1051
1052	hci_dev_lock(hdev);
1053
1054	/* When discoverable timeout triggers, then just make sure
1055	* the limited discoverable flag is cleared. Even in the case
1056	* of a timeout triggered from general discoverable, it is
1057	* safe to unconditionally clear the flag.
1058	*/
1059	hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1060	hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1061	hdev->discov_timeout = 0;
1062
1063	hci_cmd_sync_queue(hdev, func: set_discoverable_sync, NULL, NULL);
1064
1065	mgmt_new_settings(hdev);
1066
1067	hci_dev_unlock(hdev);
1068	}
1069
1070	static int send_settings_rsp(struct sock *sk, u16 opcode, struct hci_dev *hdev);
1071
1072	static void mesh_send_complete(struct hci_dev *hdev,
1073	struct mgmt_mesh_tx *mesh_tx, bool silent)
1074	{
1075	u8 handle = mesh_tx->handle;
1076
1077	if (!silent)
1078	mgmt_event(MGMT_EV_MESH_PACKET_CMPLT, hdev, data: &handle,
1079	len: sizeof(handle), NULL);
1080
1081	mgmt_mesh_remove(mesh_tx);
1082	}
1083
1084	static int mesh_send_done_sync(struct hci_dev *hdev, void *data)
1085	{
1086	struct mgmt_mesh_tx *mesh_tx;
1087
1088	hci_dev_clear_flag(hdev, HCI_MESH_SENDING);
1089	hci_disable_advertising_sync(hdev);
1090	mesh_tx = mgmt_mesh_next(hdev, NULL);
1091
1092	if (mesh_tx)
1093	mesh_send_complete(hdev, mesh_tx, silent: false);
1094
1095	return 0;
1096	}
1097
1098	static int mesh_send_sync(struct hci_dev *hdev, void *data);
1099	static void mesh_send_start_complete(struct hci_dev *hdev, void *data, int err);
1100	static void mesh_next(struct hci_dev *hdev, void *data, int err)
1101	{
1102	struct mgmt_mesh_tx *mesh_tx = mgmt_mesh_next(hdev, NULL);
1103
1104	if (!mesh_tx)
1105	return;
1106
1107	err = hci_cmd_sync_queue(hdev, func: mesh_send_sync, data: mesh_tx,
1108	destroy: mesh_send_start_complete);
1109
1110	if (err < 0)
1111	mesh_send_complete(hdev, mesh_tx, silent: false);
1112	else
1113	hci_dev_set_flag(hdev, HCI_MESH_SENDING);
1114	}
1115
1116	static void mesh_send_done(struct work_struct *work)
1117	{
1118	struct hci_dev *hdev = container_of(work, struct hci_dev,
1119	mesh_send_done.work);
1120
1121	if (!hci_dev_test_flag(hdev, HCI_MESH_SENDING))
1122	return;
1123
1124	hci_cmd_sync_queue(hdev, func: mesh_send_done_sync, NULL, destroy: mesh_next);
1125	}
1126
1127	static void mgmt_init_hdev(struct sock *sk, struct hci_dev *hdev)
1128	{
1129	if (hci_dev_test_flag(hdev, HCI_MGMT))
1130	return;
1131
1132	BT_INFO("MGMT ver %d.%d", MGMT_VERSION, MGMT_REVISION);
1133
1134	INIT_DELAYED_WORK(&hdev->discov_off, discov_off);
1135	INIT_DELAYED_WORK(&hdev->service_cache, service_cache_off);
1136	INIT_DELAYED_WORK(&hdev->rpa_expired, rpa_expired);
1137	INIT_DELAYED_WORK(&hdev->mesh_send_done, mesh_send_done);
1138
1139	/* Non-mgmt controlled devices get this bit set
1140	* implicitly so that pairing works for them, however
1141	* for mgmt we require user-space to explicitly enable
1142	* it
1143	*/
1144	hci_dev_clear_flag(hdev, HCI_BONDABLE);
1145
1146	hci_dev_set_flag(hdev, HCI_MGMT);
1147	}
1148
1149	static int read_controller_info(struct sock *sk, struct hci_dev *hdev,
1150	void *data, u16 data_len)
1151	{
1152	struct mgmt_rp_read_info rp;
1153
1154	bt_dev_dbg(hdev, "sock %p", sk);
1155
1156	hci_dev_lock(hdev);
1157
1158	memset(&rp, 0, sizeof(rp));
1159
1160	bacpy(dst: &rp.bdaddr, src: &hdev->bdaddr);
1161
1162	rp.version = hdev->hci_ver;
1163	rp.manufacturer = cpu_to_le16(hdev->manufacturer);
1164
1165	rp.supported_settings = cpu_to_le32(get_supported_settings(hdev));
1166	rp.current_settings = cpu_to_le32(get_current_settings(hdev));
1167
1168	memcpy(rp.dev_class, hdev->dev_class, 3);
1169
1170	memcpy(rp.name, hdev->dev_name, sizeof(hdev->dev_name));
1171	memcpy(rp.short_name, hdev->short_name, sizeof(hdev->short_name));
1172
1173	hci_dev_unlock(hdev);
1174
1175	return mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_READ_INFO, status: 0, rp: &rp,
1176	rp_len: sizeof(rp));
1177	}
1178
1179	static u16 append_eir_data_to_buf(struct hci_dev *hdev, u8 *eir)
1180	{
1181	u16 eir_len = 0;
1182	size_t name_len;
1183
1184	if (hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1185	eir_len = eir_append_data(eir, eir_len, EIR_CLASS_OF_DEV,
1186	data: hdev->dev_class, data_len: 3);
1187
1188	if (hci_dev_test_flag(hdev, HCI_LE_ENABLED))
1189	eir_len = eir_append_le16(eir, eir_len, EIR_APPEARANCE,
1190	data: hdev->appearance);
1191
1192	name_len = strnlen(p: hdev->dev_name, maxlen: sizeof(hdev->dev_name));
1193	eir_len = eir_append_data(eir, eir_len, EIR_NAME_COMPLETE,
1194	data: hdev->dev_name, data_len: name_len);
1195
1196	name_len = strnlen(p: hdev->short_name, maxlen: sizeof(hdev->short_name));
1197	eir_len = eir_append_data(eir, eir_len, EIR_NAME_SHORT,
1198	data: hdev->short_name, data_len: name_len);
1199
1200	return eir_len;
1201	}
1202
1203	static int read_ext_controller_info(struct sock *sk, struct hci_dev *hdev,
1204	void *data, u16 data_len)
1205	{
1206	char buf[512];
1207	struct mgmt_rp_read_ext_info *rp = (void *)buf;
1208	u16 eir_len;
1209
1210	bt_dev_dbg(hdev, "sock %p", sk);
1211
1212	memset(&buf, 0, sizeof(buf));
1213
1214	hci_dev_lock(hdev);
1215
1216	bacpy(dst: &rp->bdaddr, src: &hdev->bdaddr);
1217
1218	rp->version = hdev->hci_ver;
1219	rp->manufacturer = cpu_to_le16(hdev->manufacturer);
1220
1221	rp->supported_settings = cpu_to_le32(get_supported_settings(hdev));
1222	rp->current_settings = cpu_to_le32(get_current_settings(hdev));
1223
1224
1225	eir_len = append_eir_data_to_buf(hdev, eir: rp->eir);
1226	rp->eir_len = cpu_to_le16(eir_len);
1227
1228	hci_dev_unlock(hdev);
1229
1230	/* If this command is called at least once, then the events
1231	* for class of device and local name changes are disabled
1232	* and only the new extended controller information event
1233	* is used.
1234	*/
1235	hci_sock_set_flag(sk, nr: HCI_MGMT_EXT_INFO_EVENTS);
1236	hci_sock_clear_flag(sk, nr: HCI_MGMT_DEV_CLASS_EVENTS);
1237	hci_sock_clear_flag(sk, nr: HCI_MGMT_LOCAL_NAME_EVENTS);
1238
1239	return mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_READ_EXT_INFO, status: 0, rp,
1240	rp_len: sizeof(*rp) + eir_len);
1241	}
1242
1243	static int ext_info_changed(struct hci_dev *hdev, struct sock *skip)
1244	{
1245	char buf[512];
1246	struct mgmt_ev_ext_info_changed *ev = (void *)buf;
1247	u16 eir_len;
1248
1249	memset(buf, 0, sizeof(buf));
1250
1251	eir_len = append_eir_data_to_buf(hdev, eir: ev->eir);
1252	ev->eir_len = cpu_to_le16(eir_len);
1253
1254	return mgmt_limited_event(MGMT_EV_EXT_INFO_CHANGED, hdev, data: ev,
1255	len: sizeof(*ev) + eir_len,
1256	flag: HCI_MGMT_EXT_INFO_EVENTS, skip_sk: skip);
1257	}
1258
1259	static int send_settings_rsp(struct sock *sk, u16 opcode, struct hci_dev *hdev)
1260	{
1261	__le32 settings = cpu_to_le32(get_current_settings(hdev));
1262
1263	return mgmt_cmd_complete(sk, index: hdev->id, cmd: opcode, status: 0, rp: &settings,
1264	rp_len: sizeof(settings));
1265	}
1266
1267	void mgmt_advertising_added(struct sock *sk, struct hci_dev *hdev, u8 instance)
1268	{
1269	struct mgmt_ev_advertising_added ev;
1270
1271	ev.instance = instance;
1272
1273	mgmt_event(MGMT_EV_ADVERTISING_ADDED, hdev, data: &ev, len: sizeof(ev), skip_sk: sk);
1274	}
1275
1276	void mgmt_advertising_removed(struct sock *sk, struct hci_dev *hdev,
1277	u8 instance)
1278	{
1279	struct mgmt_ev_advertising_removed ev;
1280
1281	ev.instance = instance;
1282
1283	mgmt_event(MGMT_EV_ADVERTISING_REMOVED, hdev, data: &ev, len: sizeof(ev), skip_sk: sk);
1284	}
1285
1286	static void cancel_adv_timeout(struct hci_dev *hdev)
1287	{
1288	if (hdev->adv_instance_timeout) {
1289	hdev->adv_instance_timeout = 0;
1290	cancel_delayed_work(dwork: &hdev->adv_instance_expire);
1291	}
1292	}
1293
1294	/* This function requires the caller holds hdev->lock */
1295	static void restart_le_actions(struct hci_dev *hdev)
1296	{
1297	struct hci_conn_params *p;
1298
1299	list_for_each_entry(p, &hdev->le_conn_params, list) {
1300	/* Needed for AUTO_OFF case where might not "really"
1301	* have been powered off.
1302	*/
1303	hci_pend_le_list_del_init(param: p);
1304
1305	switch (p->auto_connect) {
1306	case HCI_AUTO_CONN_DIRECT:
1307	case HCI_AUTO_CONN_ALWAYS:
1308	hci_pend_le_list_add(param: p, list: &hdev->pend_le_conns);
1309	break;
1310	case HCI_AUTO_CONN_REPORT:
1311	hci_pend_le_list_add(param: p, list: &hdev->pend_le_reports);
1312	break;
1313	default:
1314	break;
1315	}
1316	}
1317	}
1318
1319	static int new_settings(struct hci_dev *hdev, struct sock *skip)
1320	{
1321	__le32 ev = cpu_to_le32(get_current_settings(hdev));
1322
1323	return mgmt_limited_event(MGMT_EV_NEW_SETTINGS, hdev, data: &ev,
1324	len: sizeof(ev), flag: HCI_MGMT_SETTING_EVENTS, skip_sk: skip);
1325	}
1326
1327	static void mgmt_set_powered_complete(struct hci_dev *hdev, void *data, int err)
1328	{
1329	struct mgmt_pending_cmd *cmd = data;
1330	struct mgmt_mode *cp;
1331
1332	/* Make sure cmd still outstanding. */
1333	if (cmd != pending_find(MGMT_OP_SET_POWERED, hdev))
1334	return;
1335
1336	cp = cmd->param;
1337
1338	bt_dev_dbg(hdev, "err %d", err);
1339
1340	if (!err) {
1341	if (cp->val) {
1342	hci_dev_lock(hdev);
1343	restart_le_actions(hdev);
1344	hci_update_passive_scan(hdev);
1345	hci_dev_unlock(hdev);
1346	}
1347
1348	send_settings_rsp(sk: cmd->sk, opcode: cmd->opcode, hdev);
1349
1350	/* Only call new_setting for power on as power off is deferred
1351	* to hdev->power_off work which does call hci_dev_do_close.
1352	*/
1353	if (cp->val)
1354	new_settings(hdev, skip: cmd->sk);
1355	} else {
1356	mgmt_cmd_status(sk: cmd->sk, index: hdev->id, MGMT_OP_SET_POWERED,
1357	status: mgmt_status(err));
1358	}
1359
1360	mgmt_pending_remove(cmd);
1361	}
1362
1363	static int set_powered_sync(struct hci_dev *hdev, void *data)
1364	{
1365	struct mgmt_pending_cmd *cmd = data;
1366	struct mgmt_mode *cp = cmd->param;
1367
1368	BT_DBG("%s", hdev->name);
1369
1370	return hci_set_powered_sync(hdev, val: cp->val);
1371	}
1372
1373	static int set_powered(struct sock *sk, struct hci_dev *hdev, void *data,
1374	u16 len)
1375	{
1376	struct mgmt_mode *cp = data;
1377	struct mgmt_pending_cmd *cmd;
1378	int err;
1379
1380	bt_dev_dbg(hdev, "sock %p", sk);
1381
1382	if (cp->val != 0x00 && cp->val != 0x01)
1383	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_POWERED,
1384	MGMT_STATUS_INVALID_PARAMS);
1385
1386	hci_dev_lock(hdev);
1387
1388	if (!cp->val) {
1389	if (hci_dev_test_flag(hdev, HCI_POWERING_DOWN)) {
1390	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_POWERED,
1391	MGMT_STATUS_BUSY);
1392	goto failed;
1393	}
1394	}
1395
1396	if (pending_find(MGMT_OP_SET_POWERED, hdev)) {
1397	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_POWERED,
1398	MGMT_STATUS_BUSY);
1399	goto failed;
1400	}
1401
1402	if (!!cp->val == hdev_is_powered(hdev)) {
1403	err = send_settings_rsp(sk, MGMT_OP_SET_POWERED, hdev);
1404	goto failed;
1405	}
1406
1407	cmd = mgmt_pending_add(sk, MGMT_OP_SET_POWERED, hdev, data, len);
1408	if (!cmd) {
1409	err = -ENOMEM;
1410	goto failed;
1411	}
1412
1413	/* Cancel potentially blocking sync operation before power off */
1414	if (cp->val == 0x00) {
1415	hci_cmd_sync_cancel_sync(hdev, err: -EHOSTDOWN);
1416	err = hci_cmd_sync_queue(hdev, func: set_powered_sync, data: cmd,
1417	destroy: mgmt_set_powered_complete);
1418	} else {
1419	/* Use hci_cmd_sync_submit since hdev might not be running */
1420	err = hci_cmd_sync_submit(hdev, func: set_powered_sync, data: cmd,
1421	destroy: mgmt_set_powered_complete);
1422	}
1423
1424	if (err < 0)
1425	mgmt_pending_remove(cmd);
1426
1427	failed:
1428	hci_dev_unlock(hdev);
1429	return err;
1430	}
1431
1432	int mgmt_new_settings(struct hci_dev *hdev)
1433	{
1434	return new_settings(hdev, NULL);
1435	}
1436
1437	struct cmd_lookup {
1438	struct sock *sk;
1439	struct hci_dev *hdev;
1440	u8 mgmt_status;
1441	};
1442
1443	static void settings_rsp(struct mgmt_pending_cmd *cmd, void *data)
1444	{
1445	struct cmd_lookup *match = data;
1446
1447	send_settings_rsp(sk: cmd->sk, opcode: cmd->opcode, hdev: match->hdev);
1448
1449	list_del(entry: &cmd->list);
1450
1451	if (match->sk == NULL) {
1452	match->sk = cmd->sk;
1453	sock_hold(sk: match->sk);
1454	}
1455
1456	mgmt_pending_free(cmd);
1457	}
1458
1459	static void cmd_status_rsp(struct mgmt_pending_cmd *cmd, void *data)
1460	{
1461	u8 *status = data;
1462
1463	mgmt_cmd_status(sk: cmd->sk, index: cmd->index, cmd: cmd->opcode, status: *status);
1464	mgmt_pending_remove(cmd);
1465	}
1466
1467	static void cmd_complete_rsp(struct mgmt_pending_cmd *cmd, void *data)
1468	{
1469	if (cmd->cmd_complete) {
1470	u8 *status = data;
1471
1472	cmd->cmd_complete(cmd, *status);
1473	mgmt_pending_remove(cmd);
1474
1475	return;
1476	}
1477
1478	cmd_status_rsp(cmd, data);
1479	}
1480
1481	static int generic_cmd_complete(struct mgmt_pending_cmd *cmd, u8 status)
1482	{
1483	return mgmt_cmd_complete(sk: cmd->sk, index: cmd->index, cmd: cmd->opcode, status,
1484	rp: cmd->param, rp_len: cmd->param_len);
1485	}
1486
1487	static int addr_cmd_complete(struct mgmt_pending_cmd *cmd, u8 status)
1488	{
1489	return mgmt_cmd_complete(sk: cmd->sk, index: cmd->index, cmd: cmd->opcode, status,
1490	rp: cmd->param, rp_len: sizeof(struct mgmt_addr_info));
1491	}
1492
1493	static u8 mgmt_bredr_support(struct hci_dev *hdev)
1494	{
1495	if (!lmp_bredr_capable(hdev))
1496	return MGMT_STATUS_NOT_SUPPORTED;
1497	else if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1498	return MGMT_STATUS_REJECTED;
1499	else
1500	return MGMT_STATUS_SUCCESS;
1501	}
1502
1503	static u8 mgmt_le_support(struct hci_dev *hdev)
1504	{
1505	if (!lmp_le_capable(hdev))
1506	return MGMT_STATUS_NOT_SUPPORTED;
1507	else if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
1508	return MGMT_STATUS_REJECTED;
1509	else
1510	return MGMT_STATUS_SUCCESS;
1511	}
1512
1513	static void mgmt_set_discoverable_complete(struct hci_dev *hdev, void *data,
1514	int err)
1515	{
1516	struct mgmt_pending_cmd *cmd = data;
1517
1518	bt_dev_dbg(hdev, "err %d", err);
1519
1520	/* Make sure cmd still outstanding. */
1521	if (cmd != pending_find(MGMT_OP_SET_DISCOVERABLE, hdev))
1522	return;
1523
1524	hci_dev_lock(hdev);
1525
1526	if (err) {
1527	u8 mgmt_err = mgmt_status(err);
1528	mgmt_cmd_status(sk: cmd->sk, index: cmd->index, cmd: cmd->opcode, status: mgmt_err);
1529	hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1530	goto done;
1531	}
1532
1533	if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE) &&
1534	hdev->discov_timeout > 0) {
1535	int to = msecs_to_jiffies(m: hdev->discov_timeout * 1000);
1536	queue_delayed_work(wq: hdev->req_workqueue, dwork: &hdev->discov_off, delay: to);
1537	}
1538
1539	send_settings_rsp(sk: cmd->sk, MGMT_OP_SET_DISCOVERABLE, hdev);
1540	new_settings(hdev, skip: cmd->sk);
1541
1542	done:
1543	mgmt_pending_remove(cmd);
1544	hci_dev_unlock(hdev);
1545	}
1546
1547	static int set_discoverable_sync(struct hci_dev *hdev, void *data)
1548	{
1549	BT_DBG("%s", hdev->name);
1550
1551	return hci_update_discoverable_sync(hdev);
1552	}
1553
1554	static int set_discoverable(struct sock *sk, struct hci_dev *hdev, void *data,
1555	u16 len)
1556	{
1557	struct mgmt_cp_set_discoverable *cp = data;
1558	struct mgmt_pending_cmd *cmd;
1559	u16 timeout;
1560	int err;
1561
1562	bt_dev_dbg(hdev, "sock %p", sk);
1563
1564	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED) &&
1565	!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1566	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_DISCOVERABLE,
1567	MGMT_STATUS_REJECTED);
1568
1569	if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
1570	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_DISCOVERABLE,
1571	MGMT_STATUS_INVALID_PARAMS);
1572
1573	timeout = __le16_to_cpu(cp->timeout);
1574
1575	/* Disabling discoverable requires that no timeout is set,
1576	* and enabling limited discoverable requires a timeout.
1577	*/
1578	if ((cp->val == 0x00 && timeout > 0) ||
1579	(cp->val == 0x02 && timeout == 0))
1580	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_DISCOVERABLE,
1581	MGMT_STATUS_INVALID_PARAMS);
1582
1583	hci_dev_lock(hdev);
1584
1585	if (!hdev_is_powered(hdev) && timeout > 0) {
1586	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_DISCOVERABLE,
1587	MGMT_STATUS_NOT_POWERED);
1588	goto failed;
1589	}
1590
1591	if (pending_find(MGMT_OP_SET_DISCOVERABLE, hdev) ||
1592	pending_find(MGMT_OP_SET_CONNECTABLE, hdev)) {
1593	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_DISCOVERABLE,
1594	MGMT_STATUS_BUSY);
1595	goto failed;
1596	}
1597
1598	if (!hci_dev_test_flag(hdev, HCI_CONNECTABLE)) {
1599	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_DISCOVERABLE,
1600	MGMT_STATUS_REJECTED);
1601	goto failed;
1602	}
1603
1604	if (hdev->advertising_paused) {
1605	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_DISCOVERABLE,
1606	MGMT_STATUS_BUSY);
1607	goto failed;
1608	}
1609
1610	if (!hdev_is_powered(hdev)) {
1611	bool changed = false;
1612
1613	/* Setting limited discoverable when powered off is
1614	* not a valid operation since it requires a timeout
1615	* and so no need to check HCI_LIMITED_DISCOVERABLE.
1616	*/
1617	if (!!cp->val != hci_dev_test_flag(hdev, HCI_DISCOVERABLE)) {
1618	hci_dev_change_flag(hdev, HCI_DISCOVERABLE);
1619	changed = true;
1620	}
1621
1622	err = send_settings_rsp(sk, MGMT_OP_SET_DISCOVERABLE, hdev);
1623	if (err < 0)
1624	goto failed;
1625
1626	if (changed)
1627	err = new_settings(hdev, skip: sk);
1628
1629	goto failed;
1630	}
1631
1632	/* If the current mode is the same, then just update the timeout
1633	* value with the new value. And if only the timeout gets updated,
1634	* then no need for any HCI transactions.
1635	*/
1636	if (!!cp->val == hci_dev_test_flag(hdev, HCI_DISCOVERABLE) &&
1637	(cp->val == 0x02) == hci_dev_test_flag(hdev,
1638	HCI_LIMITED_DISCOVERABLE)) {
1639	cancel_delayed_work(dwork: &hdev->discov_off);
1640	hdev->discov_timeout = timeout;
1641
1642	if (cp->val && hdev->discov_timeout > 0) {
1643	int to = msecs_to_jiffies(m: hdev->discov_timeout * 1000);
1644	queue_delayed_work(wq: hdev->req_workqueue,
1645	dwork: &hdev->discov_off, delay: to);
1646	}
1647
1648	err = send_settings_rsp(sk, MGMT_OP_SET_DISCOVERABLE, hdev);
1649	goto failed;
1650	}
1651
1652	cmd = mgmt_pending_add(sk, MGMT_OP_SET_DISCOVERABLE, hdev, data, len);
1653	if (!cmd) {
1654	err = -ENOMEM;
1655	goto failed;
1656	}
1657
1658	/* Cancel any potential discoverable timeout that might be
1659	* still active and store new timeout value. The arming of
1660	* the timeout happens in the complete handler.
1661	*/
1662	cancel_delayed_work(dwork: &hdev->discov_off);
1663	hdev->discov_timeout = timeout;
1664
1665	if (cp->val)
1666	hci_dev_set_flag(hdev, HCI_DISCOVERABLE);
1667	else
1668	hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1669
1670	/* Limited discoverable mode */
1671	if (cp->val == 0x02)
1672	hci_dev_set_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1673	else
1674	hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1675
1676	err = hci_cmd_sync_queue(hdev, func: set_discoverable_sync, data: cmd,
1677	destroy: mgmt_set_discoverable_complete);
1678
1679	if (err < 0)
1680	mgmt_pending_remove(cmd);
1681
1682	failed:
1683	hci_dev_unlock(hdev);
1684	return err;
1685	}
1686
1687	static void mgmt_set_connectable_complete(struct hci_dev *hdev, void *data,
1688	int err)
1689	{
1690	struct mgmt_pending_cmd *cmd = data;
1691
1692	bt_dev_dbg(hdev, "err %d", err);
1693
1694	/* Make sure cmd still outstanding. */
1695	if (cmd != pending_find(MGMT_OP_SET_CONNECTABLE, hdev))
1696	return;
1697
1698	hci_dev_lock(hdev);
1699
1700	if (err) {
1701	u8 mgmt_err = mgmt_status(err);
1702	mgmt_cmd_status(sk: cmd->sk, index: cmd->index, cmd: cmd->opcode, status: mgmt_err);
1703	goto done;
1704	}
1705
1706	send_settings_rsp(sk: cmd->sk, MGMT_OP_SET_CONNECTABLE, hdev);
1707	new_settings(hdev, skip: cmd->sk);
1708
1709	done:
1710	mgmt_pending_remove(cmd);
1711
1712	hci_dev_unlock(hdev);
1713	}
1714
1715	static int set_connectable_update_settings(struct hci_dev *hdev,
1716	struct sock *sk, u8 val)
1717	{
1718	bool changed = false;
1719	int err;
1720
1721	if (!!val != hci_dev_test_flag(hdev, HCI_CONNECTABLE))
1722	changed = true;
1723
1724	if (val) {
1725	hci_dev_set_flag(hdev, HCI_CONNECTABLE);
1726	} else {
1727	hci_dev_clear_flag(hdev, HCI_CONNECTABLE);
1728	hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1729	}
1730
1731	err = send_settings_rsp(sk, MGMT_OP_SET_CONNECTABLE, hdev);
1732	if (err < 0)
1733	return err;
1734
1735	if (changed) {
1736	hci_update_scan(hdev);
1737	hci_update_passive_scan(hdev);
1738	return new_settings(hdev, skip: sk);
1739	}
1740
1741	return 0;
1742	}
1743
1744	static int set_connectable_sync(struct hci_dev *hdev, void *data)
1745	{
1746	BT_DBG("%s", hdev->name);
1747
1748	return hci_update_connectable_sync(hdev);
1749	}
1750
1751	static int set_connectable(struct sock *sk, struct hci_dev *hdev, void *data,
1752	u16 len)
1753	{
1754	struct mgmt_mode *cp = data;
1755	struct mgmt_pending_cmd *cmd;
1756	int err;
1757
1758	bt_dev_dbg(hdev, "sock %p", sk);
1759
1760	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED) &&
1761	!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1762	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_CONNECTABLE,
1763	MGMT_STATUS_REJECTED);
1764
1765	if (cp->val != 0x00 && cp->val != 0x01)
1766	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_CONNECTABLE,
1767	MGMT_STATUS_INVALID_PARAMS);
1768
1769	hci_dev_lock(hdev);
1770
1771	if (!hdev_is_powered(hdev)) {
1772	err = set_connectable_update_settings(hdev, sk, val: cp->val);
1773	goto failed;
1774	}
1775
1776	if (pending_find(MGMT_OP_SET_DISCOVERABLE, hdev) ||
1777	pending_find(MGMT_OP_SET_CONNECTABLE, hdev)) {
1778	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_CONNECTABLE,
1779	MGMT_STATUS_BUSY);
1780	goto failed;
1781	}
1782
1783	cmd = mgmt_pending_add(sk, MGMT_OP_SET_CONNECTABLE, hdev, data, len);
1784	if (!cmd) {
1785	err = -ENOMEM;
1786	goto failed;
1787	}
1788
1789	if (cp->val) {
1790	hci_dev_set_flag(hdev, HCI_CONNECTABLE);
1791	} else {
1792	if (hdev->discov_timeout > 0)
1793	cancel_delayed_work(dwork: &hdev->discov_off);
1794
1795	hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1796	hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1797	hci_dev_clear_flag(hdev, HCI_CONNECTABLE);
1798	}
1799
1800	err = hci_cmd_sync_queue(hdev, func: set_connectable_sync, data: cmd,
1801	destroy: mgmt_set_connectable_complete);
1802
1803	if (err < 0)
1804	mgmt_pending_remove(cmd);
1805
1806	failed:
1807	hci_dev_unlock(hdev);
1808	return err;
1809	}
1810
1811	static int set_bondable(struct sock *sk, struct hci_dev *hdev, void *data,
1812	u16 len)
1813	{
1814	struct mgmt_mode *cp = data;
1815	bool changed;
1816	int err;
1817
1818	bt_dev_dbg(hdev, "sock %p", sk);
1819
1820	if (cp->val != 0x00 && cp->val != 0x01)
1821	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_BONDABLE,
1822	MGMT_STATUS_INVALID_PARAMS);
1823
1824	hci_dev_lock(hdev);
1825
1826	if (cp->val)
1827	changed = !hci_dev_test_and_set_flag(hdev, HCI_BONDABLE);
1828	else
1829	changed = hci_dev_test_and_clear_flag(hdev, HCI_BONDABLE);
1830
1831	err = send_settings_rsp(sk, MGMT_OP_SET_BONDABLE, hdev);
1832	if (err < 0)
1833	goto unlock;
1834
1835	if (changed) {
1836	/* In limited privacy mode the change of bondable mode
1837	* may affect the local advertising address.
1838	*/
1839	hci_update_discoverable(hdev);
1840
1841	err = new_settings(hdev, skip: sk);
1842	}
1843
1844	unlock:
1845	hci_dev_unlock(hdev);
1846	return err;
1847	}
1848
1849	static int set_link_security(struct sock *sk, struct hci_dev *hdev, void *data,
1850	u16 len)
1851	{
1852	struct mgmt_mode *cp = data;
1853	struct mgmt_pending_cmd *cmd;
1854	u8 val, status;
1855	int err;
1856
1857	bt_dev_dbg(hdev, "sock %p", sk);
1858
1859	status = mgmt_bredr_support(hdev);
1860	if (status)
1861	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_LINK_SECURITY,
1862	status);
1863
1864	if (cp->val != 0x00 && cp->val != 0x01)
1865	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_LINK_SECURITY,
1866	MGMT_STATUS_INVALID_PARAMS);
1867
1868	hci_dev_lock(hdev);
1869
1870	if (!hdev_is_powered(hdev)) {
1871	bool changed = false;
1872
1873	if (!!cp->val != hci_dev_test_flag(hdev, HCI_LINK_SECURITY)) {
1874	hci_dev_change_flag(hdev, HCI_LINK_SECURITY);
1875	changed = true;
1876	}
1877
1878	err = send_settings_rsp(sk, MGMT_OP_SET_LINK_SECURITY, hdev);
1879	if (err < 0)
1880	goto failed;
1881
1882	if (changed)
1883	err = new_settings(hdev, skip: sk);
1884
1885	goto failed;
1886	}
1887
1888	if (pending_find(MGMT_OP_SET_LINK_SECURITY, hdev)) {
1889	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_LINK_SECURITY,
1890	MGMT_STATUS_BUSY);
1891	goto failed;
1892	}
1893
1894	val = !!cp->val;
1895
1896	if (test_bit(HCI_AUTH, &hdev->flags) == val) {
1897	err = send_settings_rsp(sk, MGMT_OP_SET_LINK_SECURITY, hdev);
1898	goto failed;
1899	}
1900
1901	cmd = mgmt_pending_add(sk, MGMT_OP_SET_LINK_SECURITY, hdev, data, len);
1902	if (!cmd) {
1903	err = -ENOMEM;
1904	goto failed;
1905	}
1906
1907	err = hci_send_cmd(hdev, HCI_OP_WRITE_AUTH_ENABLE, plen: sizeof(val), param: &val);
1908	if (err < 0) {
1909	mgmt_pending_remove(cmd);
1910	goto failed;
1911	}
1912
1913	failed:
1914	hci_dev_unlock(hdev);
1915	return err;
1916	}
1917
1918	static void set_ssp_complete(struct hci_dev *hdev, void *data, int err)
1919	{
1920	struct cmd_lookup match = { NULL, hdev };
1921	struct mgmt_pending_cmd *cmd = data;
1922	struct mgmt_mode *cp = cmd->param;
1923	u8 enable = cp->val;
1924	bool changed;
1925
1926	/* Make sure cmd still outstanding. */
1927	if (cmd != pending_find(MGMT_OP_SET_SSP, hdev))
1928	return;
1929
1930	if (err) {
1931	u8 mgmt_err = mgmt_status(err);
1932
1933	if (enable && hci_dev_test_and_clear_flag(hdev,
1934	HCI_SSP_ENABLED)) {
1935	new_settings(hdev, NULL);
1936	}
1937
1938	mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, cb: cmd_status_rsp,
1939	data: &mgmt_err);
1940	return;
1941	}
1942
1943	if (enable) {
1944	changed = !hci_dev_test_and_set_flag(hdev, HCI_SSP_ENABLED);
1945	} else {
1946	changed = hci_dev_test_and_clear_flag(hdev, HCI_SSP_ENABLED);
1947	}
1948
1949	mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, cb: settings_rsp, data: &match);
1950
1951	if (changed)
1952	new_settings(hdev, skip: match.sk);
1953
1954	if (match.sk)
1955	sock_put(sk: match.sk);
1956
1957	hci_update_eir_sync(hdev);
1958	}
1959
1960	static int set_ssp_sync(struct hci_dev *hdev, void *data)
1961	{
1962	struct mgmt_pending_cmd *cmd = data;
1963	struct mgmt_mode *cp = cmd->param;
1964	bool changed = false;
1965	int err;
1966
1967	if (cp->val)
1968	changed = !hci_dev_test_and_set_flag(hdev, HCI_SSP_ENABLED);
1969
1970	err = hci_write_ssp_mode_sync(hdev, mode: cp->val);
1971
1972	if (!err && changed)
1973	hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
1974
1975	return err;
1976	}
1977
1978	static int set_ssp(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
1979	{
1980	struct mgmt_mode *cp = data;
1981	struct mgmt_pending_cmd *cmd;
1982	u8 status;
1983	int err;
1984
1985	bt_dev_dbg(hdev, "sock %p", sk);
1986
1987	status = mgmt_bredr_support(hdev);
1988	if (status)
1989	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_SSP, status);
1990
1991	if (!lmp_ssp_capable(hdev))
1992	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_SSP,
1993	MGMT_STATUS_NOT_SUPPORTED);
1994
1995	if (cp->val != 0x00 && cp->val != 0x01)
1996	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_SSP,
1997	MGMT_STATUS_INVALID_PARAMS);
1998
1999	hci_dev_lock(hdev);
2000
2001	if (!hdev_is_powered(hdev)) {
2002	bool changed;
2003
2004	if (cp->val) {
2005	changed = !hci_dev_test_and_set_flag(hdev,
2006	HCI_SSP_ENABLED);
2007	} else {
2008	changed = hci_dev_test_and_clear_flag(hdev,
2009	HCI_SSP_ENABLED);
2010	}
2011
2012	err = send_settings_rsp(sk, MGMT_OP_SET_SSP, hdev);
2013	if (err < 0)
2014	goto failed;
2015
2016	if (changed)
2017	err = new_settings(hdev, skip: sk);
2018
2019	goto failed;
2020	}
2021
2022	if (pending_find(MGMT_OP_SET_SSP, hdev)) {
2023	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_SSP,
2024	MGMT_STATUS_BUSY);
2025	goto failed;
2026	}
2027
2028	if (!!cp->val == hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
2029	err = send_settings_rsp(sk, MGMT_OP_SET_SSP, hdev);
2030	goto failed;
2031	}
2032
2033	cmd = mgmt_pending_add(sk, MGMT_OP_SET_SSP, hdev, data, len);
2034	if (!cmd)
2035	err = -ENOMEM;
2036	else
2037	err = hci_cmd_sync_queue(hdev, func: set_ssp_sync, data: cmd,
2038	destroy: set_ssp_complete);
2039
2040	if (err < 0) {
2041	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_SSP,
2042	MGMT_STATUS_FAILED);
2043
2044	if (cmd)
2045	mgmt_pending_remove(cmd);
2046	}
2047
2048	failed:
2049	hci_dev_unlock(hdev);
2050	return err;
2051	}
2052
2053	static int set_hs(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
2054	{
2055	bt_dev_dbg(hdev, "sock %p", sk);
2056
2057	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_HS,
2058	MGMT_STATUS_NOT_SUPPORTED);
2059	}
2060
2061	static void set_le_complete(struct hci_dev *hdev, void *data, int err)
2062	{
2063	struct cmd_lookup match = { NULL, hdev };
2064	u8 status = mgmt_status(err);
2065
2066	bt_dev_dbg(hdev, "err %d", err);
2067
2068	if (status) {
2069	mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, cb: cmd_status_rsp,
2070	data: &status);
2071	return;
2072	}
2073
2074	mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, cb: settings_rsp, data: &match);
2075
2076	new_settings(hdev, skip: match.sk);
2077
2078	if (match.sk)
2079	sock_put(sk: match.sk);
2080	}
2081
2082	static int set_le_sync(struct hci_dev *hdev, void *data)
2083	{
2084	struct mgmt_pending_cmd *cmd = data;
2085	struct mgmt_mode *cp = cmd->param;
2086	u8 val = !!cp->val;
2087	int err;
2088
2089	if (!val) {
2090	hci_clear_adv_instance_sync(hdev, NULL, instance: 0x00, force: true);
2091
2092	if (hci_dev_test_flag(hdev, HCI_LE_ADV))
2093	hci_disable_advertising_sync(hdev);
2094
2095	if (ext_adv_capable(hdev))
2096	hci_remove_ext_adv_instance_sync(hdev, instance: 0, sk: cmd->sk);
2097	} else {
2098	hci_dev_set_flag(hdev, HCI_LE_ENABLED);
2099	}
2100
2101	err = hci_write_le_host_supported_sync(hdev, le: val, simul: 0);
2102
2103	/* Make sure the controller has a good default for
2104	* advertising data. Restrict the update to when LE
2105	* has actually been enabled. During power on, the
2106	* update in powered_update_hci will take care of it.
2107	*/
2108	if (!err && hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
2109	if (ext_adv_capable(hdev)) {
2110	int status;
2111
2112	status = hci_setup_ext_adv_instance_sync(hdev, instance: 0x00);
2113	if (!status)
2114	hci_update_scan_rsp_data_sync(hdev, instance: 0x00);
2115	} else {
2116	hci_update_adv_data_sync(hdev, instance: 0x00);
2117	hci_update_scan_rsp_data_sync(hdev, instance: 0x00);
2118	}
2119
2120	hci_update_passive_scan(hdev);
2121	}
2122
2123	return err;
2124	}
2125
2126	static void set_mesh_complete(struct hci_dev *hdev, void *data, int err)
2127	{
2128	struct mgmt_pending_cmd *cmd = data;
2129	u8 status = mgmt_status(err);
2130	struct sock *sk = cmd->sk;
2131
2132	if (status) {
2133	mgmt_pending_foreach(MGMT_OP_SET_MESH_RECEIVER, hdev,
2134	cb: cmd_status_rsp, data: &status);
2135	return;
2136	}
2137
2138	mgmt_pending_remove(cmd);
2139	mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_SET_MESH_RECEIVER, status: 0, NULL, rp_len: 0);
2140	}
2141
2142	static int set_mesh_sync(struct hci_dev *hdev, void *data)
2143	{
2144	struct mgmt_pending_cmd *cmd = data;
2145	struct mgmt_cp_set_mesh *cp = cmd->param;
2146	size_t len = cmd->param_len;
2147
2148	memset(hdev->mesh_ad_types, 0, sizeof(hdev->mesh_ad_types));
2149
2150	if (cp->enable)
2151	hci_dev_set_flag(hdev, HCI_MESH);
2152	else
2153	hci_dev_clear_flag(hdev, HCI_MESH);
2154
2155	len -= sizeof(*cp);
2156
2157	/* If filters don't fit, forward all adv pkts */
2158	if (len <= sizeof(hdev->mesh_ad_types))
2159	memcpy(hdev->mesh_ad_types, cp->ad_types, len);
2160
2161	hci_update_passive_scan_sync(hdev);
2162	return 0;
2163	}
2164
2165	static int set_mesh(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
2166	{
2167	struct mgmt_cp_set_mesh *cp = data;
2168	struct mgmt_pending_cmd *cmd;
2169	int err = 0;
2170
2171	bt_dev_dbg(hdev, "sock %p", sk);
2172
2173	if (!lmp_le_capable(hdev) ||
2174	!hci_dev_test_flag(hdev, HCI_MESH_EXPERIMENTAL))
2175	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_MESH_RECEIVER,
2176	MGMT_STATUS_NOT_SUPPORTED);
2177
2178	if (cp->enable != 0x00 && cp->enable != 0x01)
2179	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_MESH_RECEIVER,
2180	MGMT_STATUS_INVALID_PARAMS);
2181
2182	hci_dev_lock(hdev);
2183
2184	cmd = mgmt_pending_add(sk, MGMT_OP_SET_MESH_RECEIVER, hdev, data, len);
2185	if (!cmd)
2186	err = -ENOMEM;
2187	else
2188	err = hci_cmd_sync_queue(hdev, func: set_mesh_sync, data: cmd,
2189	destroy: set_mesh_complete);
2190
2191	if (err < 0) {
2192	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_MESH_RECEIVER,
2193	MGMT_STATUS_FAILED);
2194
2195	if (cmd)
2196	mgmt_pending_remove(cmd);
2197	}
2198
2199	hci_dev_unlock(hdev);
2200	return err;
2201	}
2202
2203	static void mesh_send_start_complete(struct hci_dev *hdev, void *data, int err)
2204	{
2205	struct mgmt_mesh_tx *mesh_tx = data;
2206	struct mgmt_cp_mesh_send *send = (void *)mesh_tx->param;
2207	unsigned long mesh_send_interval;
2208	u8 mgmt_err = mgmt_status(err);
2209
2210	/* Report any errors here, but don't report completion */
2211
2212	if (mgmt_err) {
2213	hci_dev_clear_flag(hdev, HCI_MESH_SENDING);
2214	/* Send Complete Error Code for handle */
2215	mesh_send_complete(hdev, mesh_tx, silent: false);
2216	return;
2217	}
2218
2219	mesh_send_interval = msecs_to_jiffies(m: (send->cnt) * 25);
2220	queue_delayed_work(wq: hdev->req_workqueue, dwork: &hdev->mesh_send_done,
2221	delay: mesh_send_interval);
2222	}
2223
2224	static int mesh_send_sync(struct hci_dev *hdev, void *data)
2225	{
2226	struct mgmt_mesh_tx *mesh_tx = data;
2227	struct mgmt_cp_mesh_send *send = (void *)mesh_tx->param;
2228	struct adv_info *adv, *next_instance;
2229	u8 instance = hdev->le_num_of_adv_sets + 1;
2230	u16 timeout, duration;
2231	int err = 0;
2232
2233	if (hdev->le_num_of_adv_sets <= hdev->adv_instance_cnt)
2234	return MGMT_STATUS_BUSY;
2235
2236	timeout = 1000;
2237	duration = send->cnt * INTERVAL_TO_MS(hdev->le_adv_max_interval);
2238	adv = hci_add_adv_instance(hdev, instance, flags: 0,
2239	adv_data_len: send->adv_data_len, adv_data: send->adv_data,
2240	scan_rsp_len: 0, NULL,
2241	timeout, duration,
2242	HCI_ADV_TX_POWER_NO_PREFERENCE,
2243	min_interval: hdev->le_adv_min_interval,
2244	max_interval: hdev->le_adv_max_interval,
2245	mesh_handle: mesh_tx->handle);
2246
2247	if (!IS_ERR(ptr: adv))
2248	mesh_tx->instance = instance;
2249	else
2250	err = PTR_ERR(ptr: adv);
2251
2252	if (hdev->cur_adv_instance == instance) {
2253	/* If the currently advertised instance is being changed then
2254	* cancel the current advertising and schedule the next
2255	* instance. If there is only one instance then the overridden
2256	* advertising data will be visible right away.
2257	*/
2258	cancel_adv_timeout(hdev);
2259
2260	next_instance = hci_get_next_instance(hdev, instance);
2261	if (next_instance)
2262	instance = next_instance->instance;
2263	else
2264	instance = 0;
2265	} else if (hdev->adv_instance_timeout) {
2266	/* Immediately advertise the new instance if no other, or
2267	* let it go naturally from queue if ADV is already happening
2268	*/
2269	instance = 0;
2270	}
2271
2272	if (instance)
2273	return hci_schedule_adv_instance_sync(hdev, instance, force: true);
2274
2275	return err;
2276	}
2277
2278	static void send_count(struct mgmt_mesh_tx *mesh_tx, void *data)
2279	{
2280	struct mgmt_rp_mesh_read_features *rp = data;
2281
2282	if (rp->used_handles >= rp->max_handles)
2283	return;
2284
2285	rp->handles[rp->used_handles++] = mesh_tx->handle;
2286	}
2287
2288	static int mesh_features(struct sock *sk, struct hci_dev *hdev,
2289	void *data, u16 len)
2290	{
2291	struct mgmt_rp_mesh_read_features rp;
2292
2293	if (!lmp_le_capable(hdev) ||
2294	!hci_dev_test_flag(hdev, HCI_MESH_EXPERIMENTAL))
2295	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_MESH_READ_FEATURES,
2296	MGMT_STATUS_NOT_SUPPORTED);
2297
2298	memset(&rp, 0, sizeof(rp));
2299	rp.index = cpu_to_le16(hdev->id);
2300	if (hci_dev_test_flag(hdev, HCI_LE_ENABLED))
2301	rp.max_handles = MESH_HANDLES_MAX;
2302
2303	hci_dev_lock(hdev);
2304
2305	if (rp.max_handles)
2306	mgmt_mesh_foreach(hdev, cb: send_count, data: &rp, sk);
2307
2308	mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_MESH_READ_FEATURES, status: 0, rp: &rp,
2309	rp_len: rp.used_handles + sizeof(rp) - MESH_HANDLES_MAX);
2310
2311	hci_dev_unlock(hdev);
2312	return 0;
2313	}
2314
2315	static int send_cancel(struct hci_dev *hdev, void *data)
2316	{
2317	struct mgmt_pending_cmd *cmd = data;
2318	struct mgmt_cp_mesh_send_cancel *cancel = (void *)cmd->param;
2319	struct mgmt_mesh_tx *mesh_tx;
2320
2321	if (!cancel->handle) {
2322	do {
2323	mesh_tx = mgmt_mesh_next(hdev, sk: cmd->sk);
2324
2325	if (mesh_tx)
2326	mesh_send_complete(hdev, mesh_tx, silent: false);
2327	} while (mesh_tx);
2328	} else {
2329	mesh_tx = mgmt_mesh_find(hdev, handle: cancel->handle);
2330
2331	if (mesh_tx && mesh_tx->sk == cmd->sk)
2332	mesh_send_complete(hdev, mesh_tx, silent: false);
2333	}
2334
2335	mgmt_cmd_complete(sk: cmd->sk, index: hdev->id, MGMT_OP_MESH_SEND_CANCEL,
2336	status: 0, NULL, rp_len: 0);
2337	mgmt_pending_free(cmd);
2338
2339	return 0;
2340	}
2341
2342	static int mesh_send_cancel(struct sock *sk, struct hci_dev *hdev,
2343	void *data, u16 len)
2344	{
2345	struct mgmt_pending_cmd *cmd;
2346	int err;
2347
2348	if (!lmp_le_capable(hdev) ||
2349	!hci_dev_test_flag(hdev, HCI_MESH_EXPERIMENTAL))
2350	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_MESH_SEND_CANCEL,
2351	MGMT_STATUS_NOT_SUPPORTED);
2352
2353	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
2354	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_MESH_SEND_CANCEL,
2355	MGMT_STATUS_REJECTED);
2356
2357	hci_dev_lock(hdev);
2358	cmd = mgmt_pending_new(sk, MGMT_OP_MESH_SEND_CANCEL, hdev, data, len);
2359	if (!cmd)
2360	err = -ENOMEM;
2361	else
2362	err = hci_cmd_sync_queue(hdev, func: send_cancel, data: cmd, NULL);
2363
2364	if (err < 0) {
2365	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_MESH_SEND_CANCEL,
2366	MGMT_STATUS_FAILED);
2367
2368	if (cmd)
2369	mgmt_pending_free(cmd);
2370	}
2371
2372	hci_dev_unlock(hdev);
2373	return err;
2374	}
2375
2376	static int mesh_send(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
2377	{
2378	struct mgmt_mesh_tx *mesh_tx;
2379	struct mgmt_cp_mesh_send *send = data;
2380	struct mgmt_rp_mesh_read_features rp;
2381	bool sending;
2382	int err = 0;
2383
2384	if (!lmp_le_capable(hdev) ||
2385	!hci_dev_test_flag(hdev, HCI_MESH_EXPERIMENTAL))
2386	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_MESH_SEND,
2387	MGMT_STATUS_NOT_SUPPORTED);
2388	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED) ||
2389	len <= MGMT_MESH_SEND_SIZE ||
2390	len > (MGMT_MESH_SEND_SIZE + 31))
2391	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_MESH_SEND,
2392	MGMT_STATUS_REJECTED);
2393
2394	hci_dev_lock(hdev);
2395
2396	memset(&rp, 0, sizeof(rp));
2397	rp.max_handles = MESH_HANDLES_MAX;
2398
2399	mgmt_mesh_foreach(hdev, cb: send_count, data: &rp, sk);
2400
2401	if (rp.max_handles <= rp.used_handles) {
2402	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_MESH_SEND,
2403	MGMT_STATUS_BUSY);
2404	goto done;
2405	}
2406
2407	sending = hci_dev_test_flag(hdev, HCI_MESH_SENDING);
2408	mesh_tx = mgmt_mesh_add(sk, hdev, data: send, len);
2409
2410	if (!mesh_tx)
2411	err = -ENOMEM;
2412	else if (!sending)
2413	err = hci_cmd_sync_queue(hdev, func: mesh_send_sync, data: mesh_tx,
2414	destroy: mesh_send_start_complete);
2415
2416	if (err < 0) {
2417	bt_dev_err(hdev, "Send Mesh Failed %d", err);
2418	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_MESH_SEND,
2419	MGMT_STATUS_FAILED);
2420
2421	if (mesh_tx) {
2422	if (sending)
2423	mgmt_mesh_remove(mesh_tx);
2424	}
2425	} else {
2426	hci_dev_set_flag(hdev, HCI_MESH_SENDING);
2427
2428	mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_MESH_SEND, status: 0,
2429	rp: &mesh_tx->handle, rp_len: 1);
2430	}
2431
2432	done:
2433	hci_dev_unlock(hdev);
2434	return err;
2435	}
2436
2437	static int set_le(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
2438	{
2439	struct mgmt_mode *cp = data;
2440	struct mgmt_pending_cmd *cmd;
2441	int err;
2442	u8 val, enabled;
2443
2444	bt_dev_dbg(hdev, "sock %p", sk);
2445
2446	if (!lmp_le_capable(hdev))
2447	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_LE,
2448	MGMT_STATUS_NOT_SUPPORTED);
2449
2450	if (cp->val != 0x00 && cp->val != 0x01)
2451	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_LE,
2452	MGMT_STATUS_INVALID_PARAMS);
2453
2454	/* Bluetooth single mode LE only controllers or dual-mode
2455	* controllers configured as LE only devices, do not allow
2456	* switching LE off. These have either LE enabled explicitly
2457	* or BR/EDR has been previously switched off.
2458	*
2459	* When trying to enable an already enabled LE, then gracefully
2460	* send a positive response. Trying to disable it however will
2461	* result into rejection.
2462	*/
2463	if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
2464	if (cp->val == 0x01)
2465	return send_settings_rsp(sk, MGMT_OP_SET_LE, hdev);
2466
2467	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_LE,
2468	MGMT_STATUS_REJECTED);
2469	}
2470
2471	hci_dev_lock(hdev);
2472
2473	val = !!cp->val;
2474	enabled = lmp_host_le_capable(hdev);
2475
2476	if (!hdev_is_powered(hdev) || val == enabled) {
2477	bool changed = false;
2478
2479	if (val != hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
2480	hci_dev_change_flag(hdev, HCI_LE_ENABLED);
2481	changed = true;
2482	}
2483
2484	if (!val && hci_dev_test_flag(hdev, HCI_ADVERTISING)) {
2485	hci_dev_clear_flag(hdev, HCI_ADVERTISING);
2486	changed = true;
2487	}
2488
2489	err = send_settings_rsp(sk, MGMT_OP_SET_LE, hdev);
2490	if (err < 0)
2491	goto unlock;
2492
2493	if (changed)
2494	err = new_settings(hdev, skip: sk);
2495
2496	goto unlock;
2497	}
2498
2499	if (pending_find(MGMT_OP_SET_LE, hdev) ||
2500	pending_find(MGMT_OP_SET_ADVERTISING, hdev)) {
2501	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_LE,
2502	MGMT_STATUS_BUSY);
2503	goto unlock;
2504	}
2505
2506	cmd = mgmt_pending_add(sk, MGMT_OP_SET_LE, hdev, data, len);
2507	if (!cmd)
2508	err = -ENOMEM;
2509	else
2510	err = hci_cmd_sync_queue(hdev, func: set_le_sync, data: cmd,
2511	destroy: set_le_complete);
2512
2513	if (err < 0) {
2514	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_LE,
2515	MGMT_STATUS_FAILED);
2516
2517	if (cmd)
2518	mgmt_pending_remove(cmd);
2519	}
2520
2521	unlock:
2522	hci_dev_unlock(hdev);
2523	return err;
2524	}
2525
2526	/* This is a helper function to test for pending mgmt commands that can
2527	* cause CoD or EIR HCI commands. We can only allow one such pending
2528	* mgmt command at a time since otherwise we cannot easily track what
2529	* the current values are, will be, and based on that calculate if a new
2530	* HCI command needs to be sent and if yes with what value.
2531	*/
2532	static bool pending_eir_or_class(struct hci_dev *hdev)
2533	{
2534	struct mgmt_pending_cmd *cmd;
2535
2536	list_for_each_entry(cmd, &hdev->mgmt_pending, list) {
2537	switch (cmd->opcode) {
2538	case MGMT_OP_ADD_UUID:
2539	case MGMT_OP_REMOVE_UUID:
2540	case MGMT_OP_SET_DEV_CLASS:
2541	case MGMT_OP_SET_POWERED:
2542	return true;
2543	}
2544	}
2545
2546	return false;
2547	}
2548
2549	static const u8 bluetooth_base_uuid[] = {
2550	0xfb, 0x34, 0x9b, 0x5f, 0x80, 0x00, 0x00, 0x80,
2551	0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2552	};
2553
2554	static u8 get_uuid_size(const u8 *uuid)
2555	{
2556	u32 val;
2557
2558	if (memcmp(p: uuid, q: bluetooth_base_uuid, size: 12))
2559	return 128;
2560
2561	val = get_unaligned_le32(p: &uuid[12]);
2562	if (val > 0xffff)
2563	return 32;
2564
2565	return 16;
2566	}
2567
2568	static void mgmt_class_complete(struct hci_dev *hdev, void *data, int err)
2569	{
2570	struct mgmt_pending_cmd *cmd = data;
2571
2572	bt_dev_dbg(hdev, "err %d", err);
2573
2574	mgmt_cmd_complete(sk: cmd->sk, index: cmd->index, cmd: cmd->opcode,
2575	status: mgmt_status(err), rp: hdev->dev_class, rp_len: 3);
2576
2577	mgmt_pending_free(cmd);
2578	}
2579
2580	static int add_uuid_sync(struct hci_dev *hdev, void *data)
2581	{
2582	int err;
2583
2584	err = hci_update_class_sync(hdev);
2585	if (err)
2586	return err;
2587
2588	return hci_update_eir_sync(hdev);
2589	}
2590
2591	static int add_uuid(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
2592	{
2593	struct mgmt_cp_add_uuid *cp = data;
2594	struct mgmt_pending_cmd *cmd;
2595	struct bt_uuid *uuid;
2596	int err;
2597
2598	bt_dev_dbg(hdev, "sock %p", sk);
2599
2600	hci_dev_lock(hdev);
2601
2602	if (pending_eir_or_class(hdev)) {
2603	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_ADD_UUID,
2604	MGMT_STATUS_BUSY);
2605	goto failed;
2606	}
2607
2608	uuid = kmalloc(size: sizeof(*uuid), GFP_KERNEL);
2609	if (!uuid) {
2610	err = -ENOMEM;
2611	goto failed;
2612	}
2613
2614	memcpy(uuid->uuid, cp->uuid, 16);
2615	uuid->svc_hint = cp->svc_hint;
2616	uuid->size = get_uuid_size(uuid: cp->uuid);
2617
2618	list_add_tail(new: &uuid->list, head: &hdev->uuids);
2619
2620	cmd = mgmt_pending_new(sk, MGMT_OP_ADD_UUID, hdev, data, len);
2621	if (!cmd) {
2622	err = -ENOMEM;
2623	goto failed;
2624	}
2625
2626	err = hci_cmd_sync_queue(hdev, func: add_uuid_sync, data: cmd, destroy: mgmt_class_complete);
2627	if (err < 0) {
2628	mgmt_pending_free(cmd);
2629	goto failed;
2630	}
2631
2632	failed:
2633	hci_dev_unlock(hdev);
2634	return err;
2635	}
2636
2637	static bool enable_service_cache(struct hci_dev *hdev)
2638	{
2639	if (!hdev_is_powered(hdev))
2640	return false;
2641
2642	if (!hci_dev_test_and_set_flag(hdev, HCI_SERVICE_CACHE)) {
2643	queue_delayed_work(wq: hdev->workqueue, dwork: &hdev->service_cache,
2644	CACHE_TIMEOUT);
2645	return true;
2646	}
2647
2648	return false;
2649	}
2650
2651	static int remove_uuid_sync(struct hci_dev *hdev, void *data)
2652	{
2653	int err;
2654
2655	err = hci_update_class_sync(hdev);
2656	if (err)
2657	return err;
2658
2659	return hci_update_eir_sync(hdev);
2660	}
2661
2662	static int remove_uuid(struct sock *sk, struct hci_dev *hdev, void *data,
2663	u16 len)
2664	{
2665	struct mgmt_cp_remove_uuid *cp = data;
2666	struct mgmt_pending_cmd *cmd;
2667	struct bt_uuid *match, *tmp;
2668	static const u8 bt_uuid_any[] = {
2669	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
2670	};
2671	int err, found;
2672
2673	bt_dev_dbg(hdev, "sock %p", sk);
2674
2675	hci_dev_lock(hdev);
2676
2677	if (pending_eir_or_class(hdev)) {
2678	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_REMOVE_UUID,
2679	MGMT_STATUS_BUSY);
2680	goto unlock;
2681	}
2682
2683	if (memcmp(p: cp->uuid, q: bt_uuid_any, size: 16) == 0) {
2684	hci_uuids_clear(hdev);
2685
2686	if (enable_service_cache(hdev)) {
2687	err = mgmt_cmd_complete(sk, index: hdev->id,
2688	MGMT_OP_REMOVE_UUID,
2689	status: 0, rp: hdev->dev_class, rp_len: 3);
2690	goto unlock;
2691	}
2692
2693	goto update_class;
2694	}
2695
2696	found = 0;
2697
2698	list_for_each_entry_safe(match, tmp, &hdev->uuids, list) {
2699	if (memcmp(p: match->uuid, q: cp->uuid, size: 16) != 0)
2700	continue;
2701
2702	list_del(entry: &match->list);
2703	kfree(objp: match);
2704	found++;
2705	}
2706
2707	if (found == 0) {
2708	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_REMOVE_UUID,
2709	MGMT_STATUS_INVALID_PARAMS);
2710	goto unlock;
2711	}
2712
2713	update_class:
2714	cmd = mgmt_pending_new(sk, MGMT_OP_REMOVE_UUID, hdev, data, len);
2715	if (!cmd) {
2716	err = -ENOMEM;
2717	goto unlock;
2718	}
2719
2720	err = hci_cmd_sync_queue(hdev, func: remove_uuid_sync, data: cmd,
2721	destroy: mgmt_class_complete);
2722	if (err < 0)
2723	mgmt_pending_free(cmd);
2724
2725	unlock:
2726	hci_dev_unlock(hdev);
2727	return err;
2728	}
2729
2730	static int set_class_sync(struct hci_dev *hdev, void *data)
2731	{
2732	int err = 0;
2733
2734	if (hci_dev_test_and_clear_flag(hdev, HCI_SERVICE_CACHE)) {
2735	cancel_delayed_work_sync(dwork: &hdev->service_cache);
2736	err = hci_update_eir_sync(hdev);
2737	}
2738
2739	if (err)
2740	return err;
2741
2742	return hci_update_class_sync(hdev);
2743	}
2744
2745	static int set_dev_class(struct sock *sk, struct hci_dev *hdev, void *data,
2746	u16 len)
2747	{
2748	struct mgmt_cp_set_dev_class *cp = data;
2749	struct mgmt_pending_cmd *cmd;
2750	int err;
2751
2752	bt_dev_dbg(hdev, "sock %p", sk);
2753
2754	if (!lmp_bredr_capable(hdev))
2755	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_DEV_CLASS,
2756	MGMT_STATUS_NOT_SUPPORTED);
2757
2758	hci_dev_lock(hdev);
2759
2760	if (pending_eir_or_class(hdev)) {
2761	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_DEV_CLASS,
2762	MGMT_STATUS_BUSY);
2763	goto unlock;
2764	}
2765
2766	if ((cp->minor & 0x03) != 0 || (cp->major & 0xe0) != 0) {
2767	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_DEV_CLASS,
2768	MGMT_STATUS_INVALID_PARAMS);
2769	goto unlock;
2770	}
2771
2772	hdev->major_class = cp->major;
2773	hdev->minor_class = cp->minor;
2774
2775	if (!hdev_is_powered(hdev)) {
2776	err = mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_SET_DEV_CLASS, status: 0,
2777	rp: hdev->dev_class, rp_len: 3);
2778	goto unlock;
2779	}
2780
2781	cmd = mgmt_pending_new(sk, MGMT_OP_SET_DEV_CLASS, hdev, data, len);
2782	if (!cmd) {
2783	err = -ENOMEM;
2784	goto unlock;
2785	}
2786
2787	err = hci_cmd_sync_queue(hdev, func: set_class_sync, data: cmd,
2788	destroy: mgmt_class_complete);
2789	if (err < 0)
2790	mgmt_pending_free(cmd);
2791
2792	unlock:
2793	hci_dev_unlock(hdev);
2794	return err;
2795	}
2796
2797	static int load_link_keys(struct sock *sk, struct hci_dev *hdev, void *data,
2798	u16 len)
2799	{
2800	struct mgmt_cp_load_link_keys *cp = data;
2801	const u16 max_key_count = ((U16_MAX - sizeof(*cp)) /
2802	sizeof(struct mgmt_link_key_info));
2803	u16 key_count, expected_len;
2804	bool changed;
2805	int i;
2806
2807	bt_dev_dbg(hdev, "sock %p", sk);
2808
2809	if (!lmp_bredr_capable(hdev))
2810	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2811	MGMT_STATUS_NOT_SUPPORTED);
2812
2813	key_count = __le16_to_cpu(cp->key_count);
2814	if (key_count > max_key_count) {
2815	bt_dev_err(hdev, "load_link_keys: too big key_count value %u",
2816	key_count);
2817	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2818	MGMT_STATUS_INVALID_PARAMS);
2819	}
2820
2821	expected_len = struct_size(cp, keys, key_count);
2822	if (expected_len != len) {
2823	bt_dev_err(hdev, "load_link_keys: expected %u bytes, got %u bytes",
2824	expected_len, len);
2825	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2826	MGMT_STATUS_INVALID_PARAMS);
2827	}
2828
2829	if (cp->debug_keys != 0x00 && cp->debug_keys != 0x01)
2830	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2831	MGMT_STATUS_INVALID_PARAMS);
2832
2833	bt_dev_dbg(hdev, "debug_keys %u key_count %u", cp->debug_keys,
2834	key_count);
2835
2836	for (i = 0; i < key_count; i++) {
2837	struct mgmt_link_key_info *key = &cp->keys[i];
2838
2839	/* Considering SMP over BREDR/LE, there is no need to check addr_type */
2840	if (key->type > 0x08)
2841	return mgmt_cmd_status(sk, index: hdev->id,
2842	MGMT_OP_LOAD_LINK_KEYS,
2843	MGMT_STATUS_INVALID_PARAMS);
2844	}
2845
2846	hci_dev_lock(hdev);
2847
2848	hci_link_keys_clear(hdev);
2849
2850	if (cp->debug_keys)
2851	changed = !hci_dev_test_and_set_flag(hdev, HCI_KEEP_DEBUG_KEYS);
2852	else
2853	changed = hci_dev_test_and_clear_flag(hdev,
2854	HCI_KEEP_DEBUG_KEYS);
2855
2856	if (changed)
2857	new_settings(hdev, NULL);
2858
2859	for (i = 0; i < key_count; i++) {
2860	struct mgmt_link_key_info *key = &cp->keys[i];
2861
2862	if (hci_is_blocked_key(hdev,
2863	HCI_BLOCKED_KEY_TYPE_LINKKEY,
2864	val: key->val)) {
2865	bt_dev_warn(hdev, "Skipping blocked link key for %pMR",
2866	&key->addr.bdaddr);
2867	continue;
2868	}
2869
2870	/* Always ignore debug keys and require a new pairing if
2871	* the user wants to use them.
2872	*/
2873	if (key->type == HCI_LK_DEBUG_COMBINATION)
2874	continue;
2875
2876	hci_add_link_key(hdev, NULL, bdaddr: &key->addr.bdaddr, val: key->val,
2877	type: key->type, pin_len: key->pin_len, NULL);
2878	}
2879
2880	mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_LOAD_LINK_KEYS, status: 0, NULL, rp_len: 0);
2881
2882	hci_dev_unlock(hdev);
2883
2884	return 0;
2885	}
2886
2887	static int device_unpaired(struct hci_dev *hdev, bdaddr_t *bdaddr,
2888	u8 addr_type, struct sock *skip_sk)
2889	{
2890	struct mgmt_ev_device_unpaired ev;
2891
2892	bacpy(dst: &ev.addr.bdaddr, src: bdaddr);
2893	ev.addr.type = addr_type;
2894
2895	return mgmt_event(MGMT_EV_DEVICE_UNPAIRED, hdev, data: &ev, len: sizeof(ev),
2896	skip_sk);
2897	}
2898
2899	static void unpair_device_complete(struct hci_dev *hdev, void *data, int err)
2900	{
2901	struct mgmt_pending_cmd *cmd = data;
2902	struct mgmt_cp_unpair_device *cp = cmd->param;
2903
2904	if (!err)
2905	device_unpaired(hdev, bdaddr: &cp->addr.bdaddr, addr_type: cp->addr.type, skip_sk: cmd->sk);
2906
2907	cmd->cmd_complete(cmd, err);
2908	mgmt_pending_free(cmd);
2909	}
2910
2911	static int unpair_device_sync(struct hci_dev *hdev, void *data)
2912	{
2913	struct mgmt_pending_cmd *cmd = data;
2914	struct mgmt_cp_unpair_device *cp = cmd->param;
2915	struct hci_conn *conn;
2916
2917	if (cp->addr.type == BDADDR_BREDR)
2918	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
2919	ba: &cp->addr.bdaddr);
2920	else
2921	conn = hci_conn_hash_lookup_le(hdev, ba: &cp->addr.bdaddr,
2922	ba_type: le_addr_type(mgmt_addr_type: cp->addr.type));
2923
2924	if (!conn)
2925	return 0;
2926
2927	return hci_abort_conn_sync(hdev, conn, HCI_ERROR_REMOTE_USER_TERM);
2928	}
2929
2930	static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2931	u16 len)
2932	{
2933	struct mgmt_cp_unpair_device *cp = data;
2934	struct mgmt_rp_unpair_device rp;
2935	struct hci_conn_params *params;
2936	struct mgmt_pending_cmd *cmd;
2937	struct hci_conn *conn;
2938	u8 addr_type;
2939	int err;
2940
2941	memset(&rp, 0, sizeof(rp));
2942	bacpy(dst: &rp.addr.bdaddr, src: &cp->addr.bdaddr);
2943	rp.addr.type = cp->addr.type;
2944
2945	if (!bdaddr_type_is_valid(type: cp->addr.type))
2946	return mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_UNPAIR_DEVICE,
2947	MGMT_STATUS_INVALID_PARAMS,
2948	rp: &rp, rp_len: sizeof(rp));
2949
2950	if (cp->disconnect != 0x00 && cp->disconnect != 0x01)
2951	return mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_UNPAIR_DEVICE,
2952	MGMT_STATUS_INVALID_PARAMS,
2953	rp: &rp, rp_len: sizeof(rp));
2954
2955	hci_dev_lock(hdev);
2956
2957	if (!hdev_is_powered(hdev)) {
2958	err = mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_UNPAIR_DEVICE,
2959	MGMT_STATUS_NOT_POWERED, rp: &rp,
2960	rp_len: sizeof(rp));
2961	goto unlock;
2962	}
2963
2964	if (cp->addr.type == BDADDR_BREDR) {
2965	/* If disconnection is requested, then look up the
2966	* connection. If the remote device is connected, it
2967	* will be later used to terminate the link.
2968	*
2969	* Setting it to NULL explicitly will cause no
2970	* termination of the link.
2971	*/
2972	if (cp->disconnect)
2973	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
2974	ba: &cp->addr.bdaddr);
2975	else
2976	conn = NULL;
2977
2978	err = hci_remove_link_key(hdev, bdaddr: &cp->addr.bdaddr);
2979	if (err < 0) {
2980	err = mgmt_cmd_complete(sk, index: hdev->id,
2981	MGMT_OP_UNPAIR_DEVICE,
2982	MGMT_STATUS_NOT_PAIRED, rp: &rp,
2983	rp_len: sizeof(rp));
2984	goto unlock;
2985	}
2986
2987	goto done;
2988	}
2989
2990	/* LE address type */
2991	addr_type = le_addr_type(mgmt_addr_type: cp->addr.type);
2992
2993	/* Abort any ongoing SMP pairing. Removes ltk and irk if they exist. */
2994	err = smp_cancel_and_remove_pairing(hdev, bdaddr: &cp->addr.bdaddr, addr_type);
2995	if (err < 0) {
2996	err = mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_UNPAIR_DEVICE,
2997	MGMT_STATUS_NOT_PAIRED, rp: &rp,
2998	rp_len: sizeof(rp));
2999	goto unlock;
3000	}
3001
3002	conn = hci_conn_hash_lookup_le(hdev, ba: &cp->addr.bdaddr, ba_type: addr_type);
3003	if (!conn) {
3004	hci_conn_params_del(hdev, addr: &cp->addr.bdaddr, addr_type);
3005	goto done;
3006	}
3007
3008
3009	/* Defer clearing up the connection parameters until closing to
3010	* give a chance of keeping them if a repairing happens.
3011	*/
3012	set_bit(nr: HCI_CONN_PARAM_REMOVAL_PEND, addr: &conn->flags);
3013
3014	/* Disable auto-connection parameters if present */
3015	params = hci_conn_params_lookup(hdev, addr: &cp->addr.bdaddr, addr_type);
3016	if (params) {
3017	if (params->explicit_connect)
3018	params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
3019	else
3020	params->auto_connect = HCI_AUTO_CONN_DISABLED;
3021	}
3022
3023	/* If disconnection is not requested, then clear the connection
3024	* variable so that the link is not terminated.
3025	*/
3026	if (!cp->disconnect)
3027	conn = NULL;
3028
3029	done:
3030	/* If the connection variable is set, then termination of the
3031	* link is requested.
3032	*/
3033	if (!conn) {
3034	err = mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_UNPAIR_DEVICE, status: 0,
3035	rp: &rp, rp_len: sizeof(rp));
3036	device_unpaired(hdev, bdaddr: &cp->addr.bdaddr, addr_type: cp->addr.type, skip_sk: sk);
3037	goto unlock;
3038	}
3039
3040	cmd = mgmt_pending_new(sk, MGMT_OP_UNPAIR_DEVICE, hdev, data: cp,
3041	len: sizeof(*cp));
3042	if (!cmd) {
3043	err = -ENOMEM;
3044	goto unlock;
3045	}
3046
3047	cmd->cmd_complete = addr_cmd_complete;
3048
3049	err = hci_cmd_sync_queue(hdev, func: unpair_device_sync, data: cmd,
3050	destroy: unpair_device_complete);
3051	if (err < 0)
3052	mgmt_pending_free(cmd);
3053
3054	unlock:
3055	hci_dev_unlock(hdev);
3056	return err;
3057	}
3058
3059	static int disconnect(struct sock *sk, struct hci_dev *hdev, void *data,
3060	u16 len)
3061	{
3062	struct mgmt_cp_disconnect *cp = data;
3063	struct mgmt_rp_disconnect rp;
3064	struct mgmt_pending_cmd *cmd;
3065	struct hci_conn *conn;
3066	int err;
3067
3068	bt_dev_dbg(hdev, "sock %p", sk);
3069
3070	memset(&rp, 0, sizeof(rp));
3071	bacpy(dst: &rp.addr.bdaddr, src: &cp->addr.bdaddr);
3072	rp.addr.type = cp->addr.type;
3073
3074	if (!bdaddr_type_is_valid(type: cp->addr.type))
3075	return mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_DISCONNECT,
3076	MGMT_STATUS_INVALID_PARAMS,
3077	rp: &rp, rp_len: sizeof(rp));
3078
3079	hci_dev_lock(hdev);
3080
3081	if (!test_bit(HCI_UP, &hdev->flags)) {
3082	err = mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_DISCONNECT,
3083	MGMT_STATUS_NOT_POWERED, rp: &rp,
3084	rp_len: sizeof(rp));
3085	goto failed;
3086	}
3087
3088	if (pending_find(MGMT_OP_DISCONNECT, hdev)) {
3089	err = mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_DISCONNECT,
3090	MGMT_STATUS_BUSY, rp: &rp, rp_len: sizeof(rp));
3091	goto failed;
3092	}
3093
3094	if (cp->addr.type == BDADDR_BREDR)
3095	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
3096	ba: &cp->addr.bdaddr);
3097	else
3098	conn = hci_conn_hash_lookup_le(hdev, ba: &cp->addr.bdaddr,
3099	ba_type: le_addr_type(mgmt_addr_type: cp->addr.type));
3100
3101	if (!conn || conn->state == BT_OPEN || conn->state == BT_CLOSED) {
3102	err = mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_DISCONNECT,
3103	MGMT_STATUS_NOT_CONNECTED, rp: &rp,
3104	rp_len: sizeof(rp));
3105	goto failed;
3106	}
3107
3108	cmd = mgmt_pending_add(sk, MGMT_OP_DISCONNECT, hdev, data, len);
3109	if (!cmd) {
3110	err = -ENOMEM;
3111	goto failed;
3112	}
3113
3114	cmd->cmd_complete = generic_cmd_complete;
3115
3116	err = hci_disconnect(conn, HCI_ERROR_REMOTE_USER_TERM);
3117	if (err < 0)
3118	mgmt_pending_remove(cmd);
3119
3120	failed:
3121	hci_dev_unlock(hdev);
3122	return err;
3123	}
3124
3125	static u8 link_to_bdaddr(u8 link_type, u8 addr_type)
3126	{
3127	switch (link_type) {
3128	case ISO_LINK:
3129	case LE_LINK:
3130	switch (addr_type) {
3131	case ADDR_LE_DEV_PUBLIC:
3132	return BDADDR_LE_PUBLIC;
3133
3134	default:
3135	/* Fallback to LE Random address type */
3136	return BDADDR_LE_RANDOM;
3137	}
3138
3139	default:
3140	/* Fallback to BR/EDR type */
3141	return BDADDR_BREDR;
3142	}
3143	}
3144
3145	static int get_connections(struct sock *sk, struct hci_dev *hdev, void *data,
3146	u16 data_len)
3147	{
3148	struct mgmt_rp_get_connections *rp;
3149	struct hci_conn *c;
3150	int err;
3151	u16 i;
3152
3153	bt_dev_dbg(hdev, "sock %p", sk);
3154
3155	hci_dev_lock(hdev);
3156
3157	if (!hdev_is_powered(hdev)) {
3158	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_GET_CONNECTIONS,
3159	MGMT_STATUS_NOT_POWERED);
3160	goto unlock;
3161	}
3162
3163	i = 0;
3164	list_for_each_entry(c, &hdev->conn_hash.list, list) {
3165	if (test_bit(HCI_CONN_MGMT_CONNECTED, &c->flags))
3166	i++;
3167	}
3168
3169	rp = kmalloc(struct_size(rp, addr, i), GFP_KERNEL);
3170	if (!rp) {
3171	err = -ENOMEM;
3172	goto unlock;
3173	}
3174
3175	i = 0;
3176	list_for_each_entry(c, &hdev->conn_hash.list, list) {
3177	if (!test_bit(HCI_CONN_MGMT_CONNECTED, &c->flags))
3178	continue;
3179	bacpy(dst: &rp->addr[i].bdaddr, src: &c->dst);
3180	rp->addr[i].type = link_to_bdaddr(link_type: c->type, addr_type: c->dst_type);
3181	if (c->type == SCO_LINK || c->type == ESCO_LINK)
3182	continue;
3183	i++;
3184	}
3185
3186	rp->conn_count = cpu_to_le16(i);
3187
3188	/* Recalculate length in case of filtered SCO connections, etc */
3189	err = mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_GET_CONNECTIONS, status: 0, rp,
3190	struct_size(rp, addr, i));
3191
3192	kfree(objp: rp);
3193
3194	unlock:
3195	hci_dev_unlock(hdev);
3196	return err;
3197	}
3198
3199	static int send_pin_code_neg_reply(struct sock *sk, struct hci_dev *hdev,
3200	struct mgmt_cp_pin_code_neg_reply *cp)
3201	{
3202	struct mgmt_pending_cmd *cmd;
3203	int err;
3204
3205	cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_NEG_REPLY, hdev, data: cp,
3206	len: sizeof(*cp));
3207	if (!cmd)
3208	return -ENOMEM;
3209
3210	cmd->cmd_complete = addr_cmd_complete;
3211
3212	err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
3213	plen: sizeof(cp->addr.bdaddr), param: &cp->addr.bdaddr);
3214	if (err < 0)
3215	mgmt_pending_remove(cmd);
3216
3217	return err;
3218	}
3219
3220	static int pin_code_reply(struct sock *sk, struct hci_dev *hdev, void *data,
3221	u16 len)
3222	{
3223	struct hci_conn *conn;
3224	struct mgmt_cp_pin_code_reply *cp = data;
3225	struct hci_cp_pin_code_reply reply;
3226	struct mgmt_pending_cmd *cmd;
3227	int err;
3228
3229	bt_dev_dbg(hdev, "sock %p", sk);
3230
3231	hci_dev_lock(hdev);
3232
3233	if (!hdev_is_powered(hdev)) {
3234	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_PIN_CODE_REPLY,
3235	MGMT_STATUS_NOT_POWERED);
3236	goto failed;
3237	}
3238
3239	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, ba: &cp->addr.bdaddr);
3240	if (!conn) {
3241	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_PIN_CODE_REPLY,
3242	MGMT_STATUS_NOT_CONNECTED);
3243	goto failed;
3244	}
3245
3246	if (conn->pending_sec_level == BT_SECURITY_HIGH && cp->pin_len != 16) {
3247	struct mgmt_cp_pin_code_neg_reply ncp;
3248
3249	memcpy(&ncp.addr, &cp->addr, sizeof(ncp.addr));
3250
3251	bt_dev_err(hdev, "PIN code is not 16 bytes long");
3252
3253	err = send_pin_code_neg_reply(sk, hdev, cp: &ncp);
3254	if (err >= 0)
3255	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_PIN_CODE_REPLY,
3256	MGMT_STATUS_INVALID_PARAMS);
3257
3258	goto failed;
3259	}
3260
3261	cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_REPLY, hdev, data, len);
3262	if (!cmd) {
3263	err = -ENOMEM;
3264	goto failed;
3265	}
3266
3267	cmd->cmd_complete = addr_cmd_complete;
3268
3269	bacpy(dst: &reply.bdaddr, src: &cp->addr.bdaddr);
3270	reply.pin_len = cp->pin_len;
3271	memcpy(reply.pin_code, cp->pin_code, sizeof(reply.pin_code));
3272
3273	err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_REPLY, plen: sizeof(reply), param: &reply);
3274	if (err < 0)
3275	mgmt_pending_remove(cmd);
3276
3277	failed:
3278	hci_dev_unlock(hdev);
3279	return err;
3280	}
3281
3282	static int set_io_capability(struct sock *sk, struct hci_dev *hdev, void *data,
3283	u16 len)
3284	{
3285	struct mgmt_cp_set_io_capability *cp = data;
3286
3287	bt_dev_dbg(hdev, "sock %p", sk);
3288
3289	if (cp->io_capability > SMP_IO_KEYBOARD_DISPLAY)
3290	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_IO_CAPABILITY,
3291	MGMT_STATUS_INVALID_PARAMS);
3292
3293	hci_dev_lock(hdev);
3294
3295	hdev->io_capability = cp->io_capability;
3296
3297	bt_dev_dbg(hdev, "IO capability set to 0x%02x", hdev->io_capability);
3298
3299	hci_dev_unlock(hdev);
3300
3301	return mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_SET_IO_CAPABILITY, status: 0,
3302	NULL, rp_len: 0);
3303	}
3304
3305	static struct mgmt_pending_cmd *find_pairing(struct hci_conn *conn)
3306	{
3307	struct hci_dev *hdev = conn->hdev;
3308	struct mgmt_pending_cmd *cmd;
3309
3310	list_for_each_entry(cmd, &hdev->mgmt_pending, list) {
3311	if (cmd->opcode != MGMT_OP_PAIR_DEVICE)
3312	continue;
3313
3314	if (cmd->user_data != conn)
3315	continue;
3316
3317	return cmd;
3318	}
3319
3320	return NULL;
3321	}
3322
3323	static int pairing_complete(struct mgmt_pending_cmd *cmd, u8 status)
3324	{
3325	struct mgmt_rp_pair_device rp;
3326	struct hci_conn *conn = cmd->user_data;
3327	int err;
3328
3329	bacpy(dst: &rp.addr.bdaddr, src: &conn->dst);
3330	rp.addr.type = link_to_bdaddr(link_type: conn->type, addr_type: conn->dst_type);
3331
3332	err = mgmt_cmd_complete(sk: cmd->sk, index: cmd->index, MGMT_OP_PAIR_DEVICE,
3333	status, rp: &rp, rp_len: sizeof(rp));
3334
3335	/* So we don't get further callbacks for this connection */
3336	conn->connect_cfm_cb = NULL;
3337	conn->security_cfm_cb = NULL;
3338	conn->disconn_cfm_cb = NULL;
3339
3340	hci_conn_drop(conn);
3341
3342	/* The device is paired so there is no need to remove
3343	* its connection parameters anymore.
3344	*/
3345	clear_bit(nr: HCI_CONN_PARAM_REMOVAL_PEND, addr: &conn->flags);
3346
3347	hci_conn_put(conn);
3348
3349	return err;
3350	}
3351
3352	void mgmt_smp_complete(struct hci_conn *conn, bool complete)
3353	{
3354	u8 status = complete ? MGMT_STATUS_SUCCESS : MGMT_STATUS_FAILED;
3355	struct mgmt_pending_cmd *cmd;
3356
3357	cmd = find_pairing(conn);
3358	if (cmd) {
3359	cmd->cmd_complete(cmd, status);
3360	mgmt_pending_remove(cmd);
3361	}
3362	}
3363
3364	static void pairing_complete_cb(struct hci_conn *conn, u8 status)
3365	{
3366	struct mgmt_pending_cmd *cmd;
3367
3368	BT_DBG("status %u", status);
3369
3370	cmd = find_pairing(conn);
3371	if (!cmd) {
3372	BT_DBG("Unable to find a pending command");
3373	return;
3374	}
3375
3376	cmd->cmd_complete(cmd, mgmt_status(err: status));
3377	mgmt_pending_remove(cmd);
3378	}
3379
3380	static void le_pairing_complete_cb(struct hci_conn *conn, u8 status)
3381	{
3382	struct mgmt_pending_cmd *cmd;
3383
3384	BT_DBG("status %u", status);
3385
3386	if (!status)
3387	return;
3388
3389	cmd = find_pairing(conn);
3390	if (!cmd) {
3391	BT_DBG("Unable to find a pending command");
3392	return;
3393	}
3394
3395	cmd->cmd_complete(cmd, mgmt_status(err: status));
3396	mgmt_pending_remove(cmd);
3397	}
3398
3399	static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
3400	u16 len)
3401	{
3402	struct mgmt_cp_pair_device *cp = data;
3403	struct mgmt_rp_pair_device rp;
3404	struct mgmt_pending_cmd *cmd;
3405	u8 sec_level, auth_type;
3406	struct hci_conn *conn;
3407	int err;
3408
3409	bt_dev_dbg(hdev, "sock %p", sk);
3410
3411	memset(&rp, 0, sizeof(rp));
3412	bacpy(dst: &rp.addr.bdaddr, src: &cp->addr.bdaddr);
3413	rp.addr.type = cp->addr.type;
3414
3415	if (!bdaddr_type_is_valid(type: cp->addr.type))
3416	return mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_PAIR_DEVICE,
3417	MGMT_STATUS_INVALID_PARAMS,
3418	rp: &rp, rp_len: sizeof(rp));
3419
3420	if (cp->io_cap > SMP_IO_KEYBOARD_DISPLAY)
3421	return mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_PAIR_DEVICE,
3422	MGMT_STATUS_INVALID_PARAMS,
3423	rp: &rp, rp_len: sizeof(rp));
3424
3425	hci_dev_lock(hdev);
3426
3427	if (!hdev_is_powered(hdev)) {
3428	err = mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_PAIR_DEVICE,
3429	MGMT_STATUS_NOT_POWERED, rp: &rp,
3430	rp_len: sizeof(rp));
3431	goto unlock;
3432	}
3433
3434	if (hci_bdaddr_is_paired(hdev, bdaddr: &cp->addr.bdaddr, type: cp->addr.type)) {
3435	err = mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_PAIR_DEVICE,
3436	MGMT_STATUS_ALREADY_PAIRED, rp: &rp,
3437	rp_len: sizeof(rp));
3438	goto unlock;
3439	}
3440
3441	sec_level = BT_SECURITY_MEDIUM;
3442	auth_type = HCI_AT_DEDICATED_BONDING;
3443
3444	if (cp->addr.type == BDADDR_BREDR) {
3445	conn = hci_connect_acl(hdev, dst: &cp->addr.bdaddr, sec_level,
3446	auth_type, conn_reason: CONN_REASON_PAIR_DEVICE,
3447	HCI_ACL_CONN_TIMEOUT);
3448	} else {
3449	u8 addr_type = le_addr_type(mgmt_addr_type: cp->addr.type);
3450	struct hci_conn_params *p;
3451
3452	/* When pairing a new device, it is expected to remember
3453	* this device for future connections. Adding the connection
3454	* parameter information ahead of time allows tracking
3455	* of the peripheral preferred values and will speed up any
3456	* further connection establishment.
3457	*
3458	* If connection parameters already exist, then they
3459	* will be kept and this function does nothing.
3460	*/
3461	p = hci_conn_params_add(hdev, addr: &cp->addr.bdaddr, addr_type);
3462
3463	if (p->auto_connect == HCI_AUTO_CONN_EXPLICIT)
3464	p->auto_connect = HCI_AUTO_CONN_DISABLED;
3465
3466	conn = hci_connect_le_scan(hdev, dst: &cp->addr.bdaddr, dst_type: addr_type,
3467	sec_level, HCI_LE_CONN_TIMEOUT,
3468	conn_reason: CONN_REASON_PAIR_DEVICE);
3469	}
3470
3471	if (IS_ERR(ptr: conn)) {
3472	int status;
3473
3474	if (PTR_ERR(ptr: conn) == -EBUSY)
3475	status = MGMT_STATUS_BUSY;
3476	else if (PTR_ERR(ptr: conn) == -EOPNOTSUPP)
3477	status = MGMT_STATUS_NOT_SUPPORTED;
3478	else if (PTR_ERR(ptr: conn) == -ECONNREFUSED)
3479	status = MGMT_STATUS_REJECTED;
3480	else
3481	status = MGMT_STATUS_CONNECT_FAILED;
3482
3483	err = mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_PAIR_DEVICE,
3484	status, rp: &rp, rp_len: sizeof(rp));
3485	goto unlock;
3486	}
3487
3488	if (conn->connect_cfm_cb) {
3489	hci_conn_drop(conn);
3490	err = mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_PAIR_DEVICE,
3491	MGMT_STATUS_BUSY, rp: &rp, rp_len: sizeof(rp));
3492	goto unlock;
3493	}
3494
3495	cmd = mgmt_pending_add(sk, MGMT_OP_PAIR_DEVICE, hdev, data, len);
3496	if (!cmd) {
3497	err = -ENOMEM;
3498	hci_conn_drop(conn);
3499	goto unlock;
3500	}
3501
3502	cmd->cmd_complete = pairing_complete;
3503
3504	/* For LE, just connecting isn't a proof that the pairing finished */
3505	if (cp->addr.type == BDADDR_BREDR) {
3506	conn->connect_cfm_cb = pairing_complete_cb;
3507	conn->security_cfm_cb = pairing_complete_cb;
3508	conn->disconn_cfm_cb = pairing_complete_cb;
3509	} else {
3510	conn->connect_cfm_cb = le_pairing_complete_cb;
3511	conn->security_cfm_cb = le_pairing_complete_cb;
3512	conn->disconn_cfm_cb = le_pairing_complete_cb;
3513	}
3514
3515	conn->io_capability = cp->io_cap;
3516	cmd->user_data = hci_conn_get(conn);
3517
3518	if ((conn->state == BT_CONNECTED || conn->state == BT_CONFIG) &&
3519	hci_conn_security(conn, sec_level, auth_type, initiator: true)) {
3520	cmd->cmd_complete(cmd, 0);
3521	mgmt_pending_remove(cmd);
3522	}
3523
3524	err = 0;
3525
3526	unlock:
3527	hci_dev_unlock(hdev);
3528	return err;
3529	}
3530
3531	static int cancel_pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
3532	u16 len)
3533	{
3534	struct mgmt_addr_info *addr = data;
3535	struct mgmt_pending_cmd *cmd;
3536	struct hci_conn *conn;
3537	int err;
3538
3539	bt_dev_dbg(hdev, "sock %p", sk);
3540
3541	hci_dev_lock(hdev);
3542
3543	if (!hdev_is_powered(hdev)) {
3544	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
3545	MGMT_STATUS_NOT_POWERED);
3546	goto unlock;
3547	}
3548
3549	cmd = pending_find(MGMT_OP_PAIR_DEVICE, hdev);
3550	if (!cmd) {
3551	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
3552	MGMT_STATUS_INVALID_PARAMS);
3553	goto unlock;
3554	}
3555
3556	conn = cmd->user_data;
3557
3558	if (bacmp(ba1: &addr->bdaddr, ba2: &conn->dst) != 0) {
3559	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
3560	MGMT_STATUS_INVALID_PARAMS);
3561	goto unlock;
3562	}
3563
3564	cmd->cmd_complete(cmd, MGMT_STATUS_CANCELLED);
3565	mgmt_pending_remove(cmd);
3566
3567	err = mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE, status: 0,
3568	rp: addr, rp_len: sizeof(*addr));
3569
3570	/* Since user doesn't want to proceed with the connection, abort any
3571	* ongoing pairing and then terminate the link if it was created
3572	* because of the pair device action.
3573	*/
3574	if (addr->type == BDADDR_BREDR)
3575	hci_remove_link_key(hdev, bdaddr: &addr->bdaddr);
3576	else
3577	smp_cancel_and_remove_pairing(hdev, bdaddr: &addr->bdaddr,
3578	addr_type: le_addr_type(mgmt_addr_type: addr->type));
3579
3580	if (conn->conn_reason == CONN_REASON_PAIR_DEVICE)
3581	hci_abort_conn(conn, HCI_ERROR_REMOTE_USER_TERM);
3582
3583	unlock:
3584	hci_dev_unlock(hdev);
3585	return err;
3586	}
3587
3588	static int user_pairing_resp(struct sock *sk, struct hci_dev *hdev,
3589	struct mgmt_addr_info *addr, u16 mgmt_op,
3590	u16 hci_op, __le32 passkey)
3591	{
3592	struct mgmt_pending_cmd *cmd;
3593	struct hci_conn *conn;
3594	int err;
3595
3596	hci_dev_lock(hdev);
3597
3598	if (!hdev_is_powered(hdev)) {
3599	err = mgmt_cmd_complete(sk, index: hdev->id, cmd: mgmt_op,
3600	MGMT_STATUS_NOT_POWERED, rp: addr,
3601	rp_len: sizeof(*addr));
3602	goto done;
3603	}
3604
3605	if (addr->type == BDADDR_BREDR)
3606	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, ba: &addr->bdaddr);
3607	else
3608	conn = hci_conn_hash_lookup_le(hdev, ba: &addr->bdaddr,
3609	ba_type: le_addr_type(mgmt_addr_type: addr->type));
3610
3611	if (!conn) {
3612	err = mgmt_cmd_complete(sk, index: hdev->id, cmd: mgmt_op,
3613	MGMT_STATUS_NOT_CONNECTED, rp: addr,
3614	rp_len: sizeof(*addr));
3615	goto done;
3616	}
3617
3618	if (addr->type == BDADDR_LE_PUBLIC || addr->type == BDADDR_LE_RANDOM) {
3619	err = smp_user_confirm_reply(conn, mgmt_op, passkey);
3620	if (!err)
3621	err = mgmt_cmd_complete(sk, index: hdev->id, cmd: mgmt_op,
3622	MGMT_STATUS_SUCCESS, rp: addr,
3623	rp_len: sizeof(*addr));
3624	else
3625	err = mgmt_cmd_complete(sk, index: hdev->id, cmd: mgmt_op,
3626	MGMT_STATUS_FAILED, rp: addr,
3627	rp_len: sizeof(*addr));
3628
3629	goto done;
3630	}
3631
3632	cmd = mgmt_pending_add(sk, opcode: mgmt_op, hdev, data: addr, len: sizeof(*addr));
3633	if (!cmd) {
3634	err = -ENOMEM;
3635	goto done;
3636	}
3637
3638	cmd->cmd_complete = addr_cmd_complete;
3639
3640	/* Continue with pairing via HCI */
3641	if (hci_op == HCI_OP_USER_PASSKEY_REPLY) {
3642	struct hci_cp_user_passkey_reply cp;
3643
3644	bacpy(dst: &cp.bdaddr, src: &addr->bdaddr);
3645	cp.passkey = passkey;
3646	err = hci_send_cmd(hdev, opcode: hci_op, plen: sizeof(cp), param: &cp);
3647	} else
3648	err = hci_send_cmd(hdev, opcode: hci_op, plen: sizeof(addr->bdaddr),
3649	param: &addr->bdaddr);
3650
3651	if (err < 0)
3652	mgmt_pending_remove(cmd);
3653
3654	done:
3655	hci_dev_unlock(hdev);
3656	return err;
3657	}
3658
3659	static int pin_code_neg_reply(struct sock *sk, struct hci_dev *hdev,
3660	void *data, u16 len)
3661	{
3662	struct mgmt_cp_pin_code_neg_reply *cp = data;
3663
3664	bt_dev_dbg(hdev, "sock %p", sk);
3665
3666	return user_pairing_resp(sk, hdev, addr: &cp->addr,
3667	MGMT_OP_PIN_CODE_NEG_REPLY,
3668	HCI_OP_PIN_CODE_NEG_REPLY, passkey: 0);
3669	}
3670
3671	static int user_confirm_reply(struct sock *sk, struct hci_dev *hdev, void *data,
3672	u16 len)
3673	{
3674	struct mgmt_cp_user_confirm_reply *cp = data;
3675
3676	bt_dev_dbg(hdev, "sock %p", sk);
3677
3678	if (len != sizeof(*cp))
3679	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_USER_CONFIRM_REPLY,
3680	MGMT_STATUS_INVALID_PARAMS);
3681
3682	return user_pairing_resp(sk, hdev, addr: &cp->addr,
3683	MGMT_OP_USER_CONFIRM_REPLY,
3684	HCI_OP_USER_CONFIRM_REPLY, passkey: 0);
3685	}
3686
3687	static int user_confirm_neg_reply(struct sock *sk, struct hci_dev *hdev,
3688	void *data, u16 len)
3689	{
3690	struct mgmt_cp_user_confirm_neg_reply *cp = data;
3691
3692	bt_dev_dbg(hdev, "sock %p", sk);
3693
3694	return user_pairing_resp(sk, hdev, addr: &cp->addr,
3695	MGMT_OP_USER_CONFIRM_NEG_REPLY,
3696	HCI_OP_USER_CONFIRM_NEG_REPLY, passkey: 0);
3697	}
3698
3699	static int user_passkey_reply(struct sock *sk, struct hci_dev *hdev, void *data,
3700	u16 len)
3701	{
3702	struct mgmt_cp_user_passkey_reply *cp = data;
3703
3704	bt_dev_dbg(hdev, "sock %p", sk);
3705
3706	return user_pairing_resp(sk, hdev, addr: &cp->addr,
3707	MGMT_OP_USER_PASSKEY_REPLY,
3708	HCI_OP_USER_PASSKEY_REPLY, passkey: cp->passkey);
3709	}
3710
3711	static int user_passkey_neg_reply(struct sock *sk, struct hci_dev *hdev,
3712	void *data, u16 len)
3713	{
3714	struct mgmt_cp_user_passkey_neg_reply *cp = data;
3715
3716	bt_dev_dbg(hdev, "sock %p", sk);
3717
3718	return user_pairing_resp(sk, hdev, addr: &cp->addr,
3719	MGMT_OP_USER_PASSKEY_NEG_REPLY,
3720	HCI_OP_USER_PASSKEY_NEG_REPLY, passkey: 0);
3721	}
3722
3723	static int adv_expire_sync(struct hci_dev *hdev, u32 flags)
3724	{
3725	struct adv_info *adv_instance;
3726
3727	adv_instance = hci_find_adv_instance(hdev, instance: hdev->cur_adv_instance);
3728	if (!adv_instance)
3729	return 0;
3730
3731	/* stop if current instance doesn't need to be changed */
3732	if (!(adv_instance->flags & flags))
3733	return 0;
3734
3735	cancel_adv_timeout(hdev);
3736
3737	adv_instance = hci_get_next_instance(hdev, instance: adv_instance->instance);
3738	if (!adv_instance)
3739	return 0;
3740
3741	hci_schedule_adv_instance_sync(hdev, instance: adv_instance->instance, force: true);
3742
3743	return 0;
3744	}
3745
3746	static int name_changed_sync(struct hci_dev *hdev, void *data)
3747	{
3748	return adv_expire_sync(hdev, MGMT_ADV_FLAG_LOCAL_NAME);
3749	}
3750
3751	static void set_name_complete(struct hci_dev *hdev, void *data, int err)
3752	{
3753	struct mgmt_pending_cmd *cmd = data;
3754	struct mgmt_cp_set_local_name *cp = cmd->param;
3755	u8 status = mgmt_status(err);
3756
3757	bt_dev_dbg(hdev, "err %d", err);
3758
3759	if (cmd != pending_find(MGMT_OP_SET_LOCAL_NAME, hdev))
3760	return;
3761
3762	if (status) {
3763	mgmt_cmd_status(sk: cmd->sk, index: hdev->id, MGMT_OP_SET_LOCAL_NAME,
3764	status);
3765	} else {
3766	mgmt_cmd_complete(sk: cmd->sk, index: hdev->id, MGMT_OP_SET_LOCAL_NAME, status: 0,
3767	rp: cp, rp_len: sizeof(*cp));
3768
3769	if (hci_dev_test_flag(hdev, HCI_LE_ADV))
3770	hci_cmd_sync_queue(hdev, func: name_changed_sync, NULL, NULL);
3771	}
3772
3773	mgmt_pending_remove(cmd);
3774	}
3775
3776	static int set_name_sync(struct hci_dev *hdev, void *data)
3777	{
3778	if (lmp_bredr_capable(hdev)) {
3779	hci_update_name_sync(hdev);
3780	hci_update_eir_sync(hdev);
3781	}
3782
3783	/* The name is stored in the scan response data and so
3784	* no need to update the advertising data here.
3785	*/
3786	if (lmp_le_capable(hdev) && hci_dev_test_flag(hdev, HCI_ADVERTISING))
3787	hci_update_scan_rsp_data_sync(hdev, instance: hdev->cur_adv_instance);
3788
3789	return 0;
3790	}
3791
3792	static int set_local_name(struct sock *sk, struct hci_dev *hdev, void *data,
3793	u16 len)
3794	{
3795	struct mgmt_cp_set_local_name *cp = data;
3796	struct mgmt_pending_cmd *cmd;
3797	int err;
3798
3799	bt_dev_dbg(hdev, "sock %p", sk);
3800
3801	hci_dev_lock(hdev);
3802
3803	/* If the old values are the same as the new ones just return a
3804	* direct command complete event.
3805	*/
3806	if (!memcmp(p: hdev->dev_name, q: cp->name, size: sizeof(hdev->dev_name)) &&
3807	!memcmp(p: hdev->short_name, q: cp->short_name,
3808	size: sizeof(hdev->short_name))) {
3809	err = mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_SET_LOCAL_NAME, status: 0,
3810	rp: data, rp_len: len);
3811	goto failed;
3812	}
3813
3814	memcpy(hdev->short_name, cp->short_name, sizeof(hdev->short_name));
3815
3816	if (!hdev_is_powered(hdev)) {
3817	memcpy(hdev->dev_name, cp->name, sizeof(hdev->dev_name));
3818
3819	err = mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_SET_LOCAL_NAME, status: 0,
3820	rp: data, rp_len: len);
3821	if (err < 0)
3822	goto failed;
3823
3824	err = mgmt_limited_event(MGMT_EV_LOCAL_NAME_CHANGED, hdev, data,
3825	len, flag: HCI_MGMT_LOCAL_NAME_EVENTS, skip_sk: sk);
3826	ext_info_changed(hdev, skip: sk);
3827
3828	goto failed;
3829	}
3830
3831	cmd = mgmt_pending_add(sk, MGMT_OP_SET_LOCAL_NAME, hdev, data, len);
3832	if (!cmd)
3833	err = -ENOMEM;
3834	else
3835	err = hci_cmd_sync_queue(hdev, func: set_name_sync, data: cmd,
3836	destroy: set_name_complete);
3837
3838	if (err < 0) {
3839	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_LOCAL_NAME,
3840	MGMT_STATUS_FAILED);
3841
3842	if (cmd)
3843	mgmt_pending_remove(cmd);
3844
3845	goto failed;
3846	}
3847
3848	memcpy(hdev->dev_name, cp->name, sizeof(hdev->dev_name));
3849
3850	failed:
3851	hci_dev_unlock(hdev);
3852	return err;
3853	}
3854
3855	static int appearance_changed_sync(struct hci_dev *hdev, void *data)
3856	{
3857	return adv_expire_sync(hdev, MGMT_ADV_FLAG_APPEARANCE);
3858	}
3859
3860	static int set_appearance(struct sock *sk, struct hci_dev *hdev, void *data,
3861	u16 len)
3862	{
3863	struct mgmt_cp_set_appearance *cp = data;
3864	u16 appearance;
3865	int err;
3866
3867	bt_dev_dbg(hdev, "sock %p", sk);
3868
3869	if (!lmp_le_capable(hdev))
3870	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_APPEARANCE,
3871	MGMT_STATUS_NOT_SUPPORTED);
3872
3873	appearance = le16_to_cpu(cp->appearance);
3874
3875	hci_dev_lock(hdev);
3876
3877	if (hdev->appearance != appearance) {
3878	hdev->appearance = appearance;
3879
3880	if (hci_dev_test_flag(hdev, HCI_LE_ADV))
3881	hci_cmd_sync_queue(hdev, func: appearance_changed_sync, NULL,
3882	NULL);
3883
3884	ext_info_changed(hdev, skip: sk);
3885	}
3886
3887	err = mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_SET_APPEARANCE, status: 0, NULL,
3888	rp_len: 0);
3889
3890	hci_dev_unlock(hdev);
3891
3892	return err;
3893	}
3894
3895	static int get_phy_configuration(struct sock *sk, struct hci_dev *hdev,
3896	void *data, u16 len)
3897	{
3898	struct mgmt_rp_get_phy_configuration rp;
3899
3900	bt_dev_dbg(hdev, "sock %p", sk);
3901
3902	hci_dev_lock(hdev);
3903
3904	memset(&rp, 0, sizeof(rp));
3905
3906	rp.supported_phys = cpu_to_le32(get_supported_phys(hdev));
3907	rp.selected_phys = cpu_to_le32(get_selected_phys(hdev));
3908	rp.configurable_phys = cpu_to_le32(get_configurable_phys(hdev));
3909
3910	hci_dev_unlock(hdev);
3911
3912	return mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_GET_PHY_CONFIGURATION, status: 0,
3913	rp: &rp, rp_len: sizeof(rp));
3914	}
3915
3916	int mgmt_phy_configuration_changed(struct hci_dev *hdev, struct sock *skip)
3917	{
3918	struct mgmt_ev_phy_configuration_changed ev;
3919
3920	memset(&ev, 0, sizeof(ev));
3921
3922	ev.selected_phys = cpu_to_le32(get_selected_phys(hdev));
3923
3924	return mgmt_event(MGMT_EV_PHY_CONFIGURATION_CHANGED, hdev, data: &ev,
3925	len: sizeof(ev), skip_sk: skip);
3926	}
3927
3928	static void set_default_phy_complete(struct hci_dev *hdev, void *data, int err)
3929	{
3930	struct mgmt_pending_cmd *cmd = data;
3931	struct sk_buff *skb = cmd->skb;
3932	u8 status = mgmt_status(err);
3933
3934	if (cmd != pending_find(MGMT_OP_SET_PHY_CONFIGURATION, hdev))
3935	return;
3936
3937	if (!status) {
3938	if (!skb)
3939	status = MGMT_STATUS_FAILED;
3940	else if (IS_ERR(ptr: skb))
3941	status = mgmt_status(err: PTR_ERR(ptr: skb));
3942	else
3943	status = mgmt_status(err: skb->data[0]);
3944	}
3945
3946	bt_dev_dbg(hdev, "status %d", status);
3947
3948	if (status) {
3949	mgmt_cmd_status(sk: cmd->sk, index: hdev->id,
3950	MGMT_OP_SET_PHY_CONFIGURATION, status);
3951	} else {
3952	mgmt_cmd_complete(sk: cmd->sk, index: hdev->id,
3953	MGMT_OP_SET_PHY_CONFIGURATION, status: 0,
3954	NULL, rp_len: 0);
3955
3956	mgmt_phy_configuration_changed(hdev, skip: cmd->sk);
3957	}
3958
3959	if (skb && !IS_ERR(ptr: skb))
3960	kfree_skb(skb);
3961
3962	mgmt_pending_remove(cmd);
3963	}
3964
3965	static int set_default_phy_sync(struct hci_dev *hdev, void *data)
3966	{
3967	struct mgmt_pending_cmd *cmd = data;
3968	struct mgmt_cp_set_phy_configuration *cp = cmd->param;
3969	struct hci_cp_le_set_default_phy cp_phy;
3970	u32 selected_phys = __le32_to_cpu(cp->selected_phys);
3971
3972	memset(&cp_phy, 0, sizeof(cp_phy));
3973
3974	if (!(selected_phys & MGMT_PHY_LE_TX_MASK))
3975	cp_phy.all_phys |= 0x01;
3976
3977	if (!(selected_phys & MGMT_PHY_LE_RX_MASK))
3978	cp_phy.all_phys |= 0x02;
3979
3980	if (selected_phys & MGMT_PHY_LE_1M_TX)
3981	cp_phy.tx_phys |= HCI_LE_SET_PHY_1M;
3982
3983	if (selected_phys & MGMT_PHY_LE_2M_TX)
3984	cp_phy.tx_phys |= HCI_LE_SET_PHY_2M;
3985
3986	if (selected_phys & MGMT_PHY_LE_CODED_TX)
3987	cp_phy.tx_phys |= HCI_LE_SET_PHY_CODED;
3988
3989	if (selected_phys & MGMT_PHY_LE_1M_RX)
3990	cp_phy.rx_phys |= HCI_LE_SET_PHY_1M;
3991
3992	if (selected_phys & MGMT_PHY_LE_2M_RX)
3993	cp_phy.rx_phys |= HCI_LE_SET_PHY_2M;
3994
3995	if (selected_phys & MGMT_PHY_LE_CODED_RX)
3996	cp_phy.rx_phys |= HCI_LE_SET_PHY_CODED;
3997
3998	cmd->skb = __hci_cmd_sync(hdev, HCI_OP_LE_SET_DEFAULT_PHY,
3999	plen: sizeof(cp_phy), param: &cp_phy, HCI_CMD_TIMEOUT);
4000
4001	return 0;
4002	}
4003
4004	static int set_phy_configuration(struct sock *sk, struct hci_dev *hdev,
4005	void *data, u16 len)
4006	{
4007	struct mgmt_cp_set_phy_configuration *cp = data;
4008	struct mgmt_pending_cmd *cmd;
4009	u32 selected_phys, configurable_phys, supported_phys, unconfigure_phys;
4010	u16 pkt_type = (HCI_DH1 | HCI_DM1);
4011	bool changed = false;
4012	int err;
4013
4014	bt_dev_dbg(hdev, "sock %p", sk);
4015
4016	configurable_phys = get_configurable_phys(hdev);
4017	supported_phys = get_supported_phys(hdev);
4018	selected_phys = __le32_to_cpu(cp->selected_phys);
4019
4020	if (selected_phys & ~supported_phys)
4021	return mgmt_cmd_status(sk, index: hdev->id,
4022	MGMT_OP_SET_PHY_CONFIGURATION,
4023	MGMT_STATUS_INVALID_PARAMS);
4024
4025	unconfigure_phys = supported_phys & ~configurable_phys;
4026
4027	if ((selected_phys & unconfigure_phys) != unconfigure_phys)
4028	return mgmt_cmd_status(sk, index: hdev->id,
4029	MGMT_OP_SET_PHY_CONFIGURATION,
4030	MGMT_STATUS_INVALID_PARAMS);
4031
4032	if (selected_phys == get_selected_phys(hdev))
4033	return mgmt_cmd_complete(sk, index: hdev->id,
4034	MGMT_OP_SET_PHY_CONFIGURATION,
4035	status: 0, NULL, rp_len: 0);
4036
4037	hci_dev_lock(hdev);
4038
4039	if (!hdev_is_powered(hdev)) {
4040	err = mgmt_cmd_status(sk, index: hdev->id,
4041	MGMT_OP_SET_PHY_CONFIGURATION,
4042	MGMT_STATUS_REJECTED);
4043	goto unlock;
4044	}
4045
4046	if (pending_find(MGMT_OP_SET_PHY_CONFIGURATION, hdev)) {
4047	err = mgmt_cmd_status(sk, index: hdev->id,
4048	MGMT_OP_SET_PHY_CONFIGURATION,
4049	MGMT_STATUS_BUSY);
4050	goto unlock;
4051	}
4052
4053	if (selected_phys & MGMT_PHY_BR_1M_3SLOT)
4054	pkt_type |= (HCI_DH3 | HCI_DM3);
4055	else
4056	pkt_type &= ~(HCI_DH3 | HCI_DM3);
4057
4058	if (selected_phys & MGMT_PHY_BR_1M_5SLOT)
4059	pkt_type |= (HCI_DH5 | HCI_DM5);
4060	else
4061	pkt_type &= ~(HCI_DH5 | HCI_DM5);
4062
4063	if (selected_phys & MGMT_PHY_EDR_2M_1SLOT)
4064	pkt_type &= ~HCI_2DH1;
4065	else
4066	pkt_type |= HCI_2DH1;
4067
4068	if (selected_phys & MGMT_PHY_EDR_2M_3SLOT)
4069	pkt_type &= ~HCI_2DH3;
4070	else
4071	pkt_type |= HCI_2DH3;
4072
4073	if (selected_phys & MGMT_PHY_EDR_2M_5SLOT)
4074	pkt_type &= ~HCI_2DH5;
4075	else
4076	pkt_type |= HCI_2DH5;
4077
4078	if (selected_phys & MGMT_PHY_EDR_3M_1SLOT)
4079	pkt_type &= ~HCI_3DH1;
4080	else
4081	pkt_type |= HCI_3DH1;
4082
4083	if (selected_phys & MGMT_PHY_EDR_3M_3SLOT)
4084	pkt_type &= ~HCI_3DH3;
4085	else
4086	pkt_type |= HCI_3DH3;
4087
4088	if (selected_phys & MGMT_PHY_EDR_3M_5SLOT)
4089	pkt_type &= ~HCI_3DH5;
4090	else
4091	pkt_type |= HCI_3DH5;
4092
4093	if (pkt_type != hdev->pkt_type) {
4094	hdev->pkt_type = pkt_type;
4095	changed = true;
4096	}
4097
4098	if ((selected_phys & MGMT_PHY_LE_MASK) ==
4099	(get_selected_phys(hdev) & MGMT_PHY_LE_MASK)) {
4100	if (changed)
4101	mgmt_phy_configuration_changed(hdev, skip: sk);
4102
4103	err = mgmt_cmd_complete(sk, index: hdev->id,
4104	MGMT_OP_SET_PHY_CONFIGURATION,
4105	status: 0, NULL, rp_len: 0);
4106
4107	goto unlock;
4108	}
4109
4110	cmd = mgmt_pending_add(sk, MGMT_OP_SET_PHY_CONFIGURATION, hdev, data,
4111	len);
4112	if (!cmd)
4113	err = -ENOMEM;
4114	else
4115	err = hci_cmd_sync_queue(hdev, func: set_default_phy_sync, data: cmd,
4116	destroy: set_default_phy_complete);
4117
4118	if (err < 0) {
4119	err = mgmt_cmd_status(sk, index: hdev->id,
4120	MGMT_OP_SET_PHY_CONFIGURATION,
4121	MGMT_STATUS_FAILED);
4122
4123	if (cmd)
4124	mgmt_pending_remove(cmd);
4125	}
4126
4127	unlock:
4128	hci_dev_unlock(hdev);
4129
4130	return err;
4131	}
4132
4133	static int set_blocked_keys(struct sock *sk, struct hci_dev *hdev, void *data,
4134	u16 len)
4135	{
4136	int err = MGMT_STATUS_SUCCESS;
4137	struct mgmt_cp_set_blocked_keys *keys = data;
4138	const u16 max_key_count = ((U16_MAX - sizeof(*keys)) /
4139	sizeof(struct mgmt_blocked_key_info));
4140	u16 key_count, expected_len;
4141	int i;
4142
4143	bt_dev_dbg(hdev, "sock %p", sk);
4144
4145	key_count = __le16_to_cpu(keys->key_count);
4146	if (key_count > max_key_count) {
4147	bt_dev_err(hdev, "too big key_count value %u", key_count);
4148	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_BLOCKED_KEYS,
4149	MGMT_STATUS_INVALID_PARAMS);
4150	}
4151
4152	expected_len = struct_size(keys, keys, key_count);
4153	if (expected_len != len) {
4154	bt_dev_err(hdev, "expected %u bytes, got %u bytes",
4155	expected_len, len);
4156	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_BLOCKED_KEYS,
4157	MGMT_STATUS_INVALID_PARAMS);
4158	}
4159
4160	hci_dev_lock(hdev);
4161
4162	hci_blocked_keys_clear(hdev);
4163
4164	for (i = 0; i < key_count; ++i) {
4165	struct blocked_key *b = kzalloc(size: sizeof(*b), GFP_KERNEL);
4166
4167	if (!b) {
4168	err = MGMT_STATUS_NO_RESOURCES;
4169	break;
4170	}
4171
4172	b->type = keys->keys[i].type;
4173	memcpy(b->val, keys->keys[i].val, sizeof(b->val));
4174	list_add_rcu(new: &b->list, head: &hdev->blocked_keys);
4175	}
4176	hci_dev_unlock(hdev);
4177
4178	return mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_SET_BLOCKED_KEYS,
4179	status: err, NULL, rp_len: 0);
4180	}
4181
4182	static int set_wideband_speech(struct sock *sk, struct hci_dev *hdev,
4183	void *data, u16 len)
4184	{
4185	struct mgmt_mode *cp = data;
4186	int err;
4187	bool changed = false;
4188
4189	bt_dev_dbg(hdev, "sock %p", sk);
4190
4191	if (!test_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, &hdev->quirks))
4192	return mgmt_cmd_status(sk, index: hdev->id,
4193	MGMT_OP_SET_WIDEBAND_SPEECH,
4194	MGMT_STATUS_NOT_SUPPORTED);
4195
4196	if (cp->val != 0x00 && cp->val != 0x01)
4197	return mgmt_cmd_status(sk, index: hdev->id,
4198	MGMT_OP_SET_WIDEBAND_SPEECH,
4199	MGMT_STATUS_INVALID_PARAMS);
4200
4201	hci_dev_lock(hdev);
4202
4203	if (hdev_is_powered(hdev) &&
4204	!!cp->val != hci_dev_test_flag(hdev,
4205	HCI_WIDEBAND_SPEECH_ENABLED)) {
4206	err = mgmt_cmd_status(sk, index: hdev->id,
4207	MGMT_OP_SET_WIDEBAND_SPEECH,
4208	MGMT_STATUS_REJECTED);
4209	goto unlock;
4210	}
4211
4212	if (cp->val)
4213	changed = !hci_dev_test_and_set_flag(hdev,
4214	HCI_WIDEBAND_SPEECH_ENABLED);
4215	else
4216	changed = hci_dev_test_and_clear_flag(hdev,
4217	HCI_WIDEBAND_SPEECH_ENABLED);
4218
4219	err = send_settings_rsp(sk, MGMT_OP_SET_WIDEBAND_SPEECH, hdev);
4220	if (err < 0)
4221	goto unlock;
4222
4223	if (changed)
4224	err = new_settings(hdev, skip: sk);
4225
4226	unlock:
4227	hci_dev_unlock(hdev);
4228	return err;
4229	}
4230
4231	static int read_controller_cap(struct sock *sk, struct hci_dev *hdev,
4232	void *data, u16 data_len)
4233	{
4234	char buf[20];
4235	struct mgmt_rp_read_controller_cap *rp = (void *)buf;
4236	u16 cap_len = 0;
4237	u8 flags = 0;
4238	u8 tx_power_range[2];
4239
4240	bt_dev_dbg(hdev, "sock %p", sk);
4241
4242	memset(&buf, 0, sizeof(buf));
4243
4244	hci_dev_lock(hdev);
4245
4246	/* When the Read Simple Pairing Options command is supported, then
4247	* the remote public key validation is supported.
4248	*
4249	* Alternatively, when Microsoft extensions are available, they can
4250	* indicate support for public key validation as well.
4251	*/
4252	if ((hdev->commands[41] & 0x08) || msft_curve_validity(hdev))
4253	flags |= 0x01; /* Remote public key validation (BR/EDR) */
4254
4255	flags |= 0x02; /* Remote public key validation (LE) */
4256
4257	/* When the Read Encryption Key Size command is supported, then the
4258	* encryption key size is enforced.
4259	*/
4260	if (hdev->commands[20] & 0x10)
4261	flags |= 0x04; /* Encryption key size enforcement (BR/EDR) */
4262
4263	flags |= 0x08; /* Encryption key size enforcement (LE) */
4264
4265	cap_len = eir_append_data(eir: rp->cap, eir_len: cap_len, MGMT_CAP_SEC_FLAGS,
4266	data: &flags, data_len: 1);
4267
4268	/* When the Read Simple Pairing Options command is supported, then
4269	* also max encryption key size information is provided.
4270	*/
4271	if (hdev->commands[41] & 0x08)
4272	cap_len = eir_append_le16(eir: rp->cap, eir_len: cap_len,
4273	MGMT_CAP_MAX_ENC_KEY_SIZE,
4274	data: hdev->max_enc_key_size);
4275
4276	cap_len = eir_append_le16(eir: rp->cap, eir_len: cap_len,
4277	MGMT_CAP_SMP_MAX_ENC_KEY_SIZE,
4278	SMP_MAX_ENC_KEY_SIZE);
4279
4280	/* Append the min/max LE tx power parameters if we were able to fetch
4281	* it from the controller
4282	*/
4283	if (hdev->commands[38] & 0x80) {
4284	memcpy(&tx_power_range[0], &hdev->min_le_tx_power, 1);
4285	memcpy(&tx_power_range[1], &hdev->max_le_tx_power, 1);
4286	cap_len = eir_append_data(eir: rp->cap, eir_len: cap_len, MGMT_CAP_LE_TX_PWR,
4287	data: tx_power_range, data_len: 2);
4288	}
4289
4290	rp->cap_len = cpu_to_le16(cap_len);
4291
4292	hci_dev_unlock(hdev);
4293
4294	return mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_READ_CONTROLLER_CAP, status: 0,
4295	rp, rp_len: sizeof(*rp) + cap_len);
4296	}
4297
4298	#ifdef CONFIG_BT_FEATURE_DEBUG
4299	/* d4992530-b9ec-469f-ab01-6c481c47da1c */
4300	static const u8 debug_uuid[16] = {
4301	0x1c, 0xda, 0x47, 0x1c, 0x48, 0x6c, 0x01, 0xab,
4302	0x9f, 0x46, 0xec, 0xb9, 0x30, 0x25, 0x99, 0xd4,
4303	};
4304	#endif
4305
4306	/* 330859bc-7506-492d-9370-9a6f0614037f */
4307	static const u8 quality_report_uuid[16] = {
4308	0x7f, 0x03, 0x14, 0x06, 0x6f, 0x9a, 0x70, 0x93,
4309	0x2d, 0x49, 0x06, 0x75, 0xbc, 0x59, 0x08, 0x33,
4310	};
4311
4312	/* a6695ace-ee7f-4fb9-881a-5fac66c629af */
4313	static const u8 offload_codecs_uuid[16] = {
4314	0xaf, 0x29, 0xc6, 0x66, 0xac, 0x5f, 0x1a, 0x88,
4315	0xb9, 0x4f, 0x7f, 0xee, 0xce, 0x5a, 0x69, 0xa6,
4316	};
4317
4318	/* 671b10b5-42c0-4696-9227-eb28d1b049d6 */
4319	static const u8 le_simultaneous_roles_uuid[16] = {
4320	0xd6, 0x49, 0xb0, 0xd1, 0x28, 0xeb, 0x27, 0x92,
4321	0x96, 0x46, 0xc0, 0x42, 0xb5, 0x10, 0x1b, 0x67,
4322	};
4323
4324	/* 15c0a148-c273-11ea-b3de-0242ac130004 */
4325	static const u8 rpa_resolution_uuid[16] = {
4326	0x04, 0x00, 0x13, 0xac, 0x42, 0x02, 0xde, 0xb3,
4327	0xea, 0x11, 0x73, 0xc2, 0x48, 0xa1, 0xc0, 0x15,
4328	};
4329
4330	/* 6fbaf188-05e0-496a-9885-d6ddfdb4e03e */
4331	static const u8 iso_socket_uuid[16] = {
4332	0x3e, 0xe0, 0xb4, 0xfd, 0xdd, 0xd6, 0x85, 0x98,
4333	0x6a, 0x49, 0xe0, 0x05, 0x88, 0xf1, 0xba, 0x6f,
4334	};
4335
4336	/* 2ce463d7-7a03-4d8d-bf05-5f24e8f36e76 */
4337	static const u8 mgmt_mesh_uuid[16] = {
4338	0x76, 0x6e, 0xf3, 0xe8, 0x24, 0x5f, 0x05, 0xbf,
4339	0x8d, 0x4d, 0x03, 0x7a, 0xd7, 0x63, 0xe4, 0x2c,
4340	};
4341
4342	static int read_exp_features_info(struct sock *sk, struct hci_dev *hdev,
4343	void *data, u16 data_len)
4344	{
4345	struct mgmt_rp_read_exp_features_info *rp;
4346	size_t len;
4347	u16 idx = 0;
4348	u32 flags;
4349	int status;
4350
4351	bt_dev_dbg(hdev, "sock %p", sk);
4352
4353	/* Enough space for 7 features */
4354	len = sizeof(*rp) + (sizeof(rp->features[0]) * 7);
4355	rp = kzalloc(size: len, GFP_KERNEL);
4356	if (!rp)
4357	return -ENOMEM;
4358
4359	#ifdef CONFIG_BT_FEATURE_DEBUG
4360	if (!hdev) {
4361	flags = bt_dbg_get() ? BIT(0) : 0;
4362
4363	memcpy(rp->features[idx].uuid, debug_uuid, 16);
4364	rp->features[idx].flags = cpu_to_le32(flags);
4365	idx++;
4366	}
4367	#endif
4368
4369	if (hdev && hci_dev_le_state_simultaneous(hdev)) {
4370	if (hci_dev_test_flag(hdev, HCI_LE_SIMULTANEOUS_ROLES))
4371	flags = BIT(0);
4372	else
4373	flags = 0;
4374
4375	memcpy(rp->features[idx].uuid, le_simultaneous_roles_uuid, 16);
4376	rp->features[idx].flags = cpu_to_le32(flags);
4377	idx++;
4378	}
4379
4380	if (hdev && ll_privacy_capable(hdev)) {
4381	if (hci_dev_test_flag(hdev, HCI_ENABLE_LL_PRIVACY))
4382	flags = BIT(0) | BIT(1);
4383	else
4384	flags = BIT(1);
4385
4386	memcpy(rp->features[idx].uuid, rpa_resolution_uuid, 16);
4387	rp->features[idx].flags = cpu_to_le32(flags);
4388	idx++;
4389	}
4390
4391	if (hdev && (aosp_has_quality_report(hdev) ||
4392	hdev->set_quality_report)) {
4393	if (hci_dev_test_flag(hdev, HCI_QUALITY_REPORT))
4394	flags = BIT(0);
4395	else
4396	flags = 0;
4397
4398	memcpy(rp->features[idx].uuid, quality_report_uuid, 16);
4399	rp->features[idx].flags = cpu_to_le32(flags);
4400	idx++;
4401	}
4402
4403	if (hdev && hdev->get_data_path_id) {
4404	if (hci_dev_test_flag(hdev, HCI_OFFLOAD_CODECS_ENABLED))
4405	flags = BIT(0);
4406	else
4407	flags = 0;
4408
4409	memcpy(rp->features[idx].uuid, offload_codecs_uuid, 16);
4410	rp->features[idx].flags = cpu_to_le32(flags);
4411	idx++;
4412	}
4413
4414	if (IS_ENABLED(CONFIG_BT_LE)) {
4415	flags = iso_enabled() ? BIT(0) : 0;
4416	memcpy(rp->features[idx].uuid, iso_socket_uuid, 16);
4417	rp->features[idx].flags = cpu_to_le32(flags);
4418	idx++;
4419	}
4420
4421	if (hdev && lmp_le_capable(hdev)) {
4422	if (hci_dev_test_flag(hdev, HCI_MESH_EXPERIMENTAL))
4423	flags = BIT(0);
4424	else
4425	flags = 0;
4426
4427	memcpy(rp->features[idx].uuid, mgmt_mesh_uuid, 16);
4428	rp->features[idx].flags = cpu_to_le32(flags);
4429	idx++;
4430	}
4431
4432	rp->feature_count = cpu_to_le16(idx);
4433
4434	/* After reading the experimental features information, enable
4435	* the events to update client on any future change.
4436	*/
4437	hci_sock_set_flag(sk, nr: HCI_MGMT_EXP_FEATURE_EVENTS);
4438
4439	status = mgmt_cmd_complete(sk, index: hdev ? hdev->id : MGMT_INDEX_NONE,
4440	MGMT_OP_READ_EXP_FEATURES_INFO,
4441	status: 0, rp, rp_len: sizeof(*rp) + (20 * idx));
4442
4443	kfree(objp: rp);
4444	return status;
4445	}
4446
4447	static int exp_ll_privacy_feature_changed(bool enabled, struct hci_dev *hdev,
4448	struct sock *skip)
4449	{
4450	struct mgmt_ev_exp_feature_changed ev;
4451
4452	memset(&ev, 0, sizeof(ev));
4453	memcpy(ev.uuid, rpa_resolution_uuid, 16);
4454	ev.flags = cpu_to_le32((enabled ? BIT(0) : 0) | BIT(1));
4455
4456	// Do we need to be atomic with the conn_flags?
4457	if (enabled && privacy_mode_capable(hdev))
4458	hdev->conn_flags |= HCI_CONN_FLAG_DEVICE_PRIVACY;
4459	else
4460	hdev->conn_flags &= ~HCI_CONN_FLAG_DEVICE_PRIVACY;
4461
4462	return mgmt_limited_event(MGMT_EV_EXP_FEATURE_CHANGED, hdev,
4463	data: &ev, len: sizeof(ev),
4464	flag: HCI_MGMT_EXP_FEATURE_EVENTS, skip_sk: skip);
4465
4466	}
4467
4468	static int exp_feature_changed(struct hci_dev *hdev, const u8 *uuid,
4469	bool enabled, struct sock *skip)
4470	{
4471	struct mgmt_ev_exp_feature_changed ev;
4472
4473	memset(&ev, 0, sizeof(ev));
4474	memcpy(ev.uuid, uuid, 16);
4475	ev.flags = cpu_to_le32(enabled ? BIT(0) : 0);
4476
4477	return mgmt_limited_event(MGMT_EV_EXP_FEATURE_CHANGED, hdev,
4478	data: &ev, len: sizeof(ev),
4479	flag: HCI_MGMT_EXP_FEATURE_EVENTS, skip_sk: skip);
4480	}
4481
4482	#define EXP_FEAT(_uuid, _set_func) \
4483	{ \
4484	.uuid = _uuid, \
4485	.set_func = _set_func, \
4486	}
4487
4488	/* The zero key uuid is special. Multiple exp features are set through it. */
4489	static int set_zero_key_func(struct sock *sk, struct hci_dev *hdev,
4490	struct mgmt_cp_set_exp_feature *cp, u16 data_len)
4491	{
4492	struct mgmt_rp_set_exp_feature rp;
4493
4494	memset(rp.uuid, 0, 16);
4495	rp.flags = cpu_to_le32(0);
4496
4497	#ifdef CONFIG_BT_FEATURE_DEBUG
4498	if (!hdev) {
4499	bool changed = bt_dbg_get();
4500
4501	bt_dbg_set(false);
4502
4503	if (changed)
4504	exp_feature_changed(NULL, ZERO_KEY, false, sk);
4505	}
4506	#endif
4507
4508	if (hdev && use_ll_privacy(hdev) && !hdev_is_powered(hdev)) {
4509	bool changed;
4510
4511	changed = hci_dev_test_and_clear_flag(hdev,
4512	HCI_ENABLE_LL_PRIVACY);
4513	if (changed)
4514	exp_feature_changed(hdev, uuid: rpa_resolution_uuid, enabled: false,
4515	skip: sk);
4516	}
4517
4518	hci_sock_set_flag(sk, nr: HCI_MGMT_EXP_FEATURE_EVENTS);
4519
4520	return mgmt_cmd_complete(sk, index: hdev ? hdev->id : MGMT_INDEX_NONE,
4521	MGMT_OP_SET_EXP_FEATURE, status: 0,
4522	rp: &rp, rp_len: sizeof(rp));
4523	}
4524
4525	#ifdef CONFIG_BT_FEATURE_DEBUG
4526	static int set_debug_func(struct sock *sk, struct hci_dev *hdev,
4527	struct mgmt_cp_set_exp_feature *cp, u16 data_len)
4528	{
4529	struct mgmt_rp_set_exp_feature rp;
4530
4531	bool val, changed;
4532	int err;
4533
4534	/* Command requires to use the non-controller index */
4535	if (hdev)
4536	return mgmt_cmd_status(sk, hdev->id,
4537	MGMT_OP_SET_EXP_FEATURE,
4538	MGMT_STATUS_INVALID_INDEX);
4539
4540	/* Parameters are limited to a single octet */
4541	if (data_len != MGMT_SET_EXP_FEATURE_SIZE + 1)
4542	return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4543	MGMT_OP_SET_EXP_FEATURE,
4544	MGMT_STATUS_INVALID_PARAMS);
4545
4546	/* Only boolean on/off is supported */
4547	if (cp->param[0] != 0x00 && cp->param[0] != 0x01)
4548	return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4549	MGMT_OP_SET_EXP_FEATURE,
4550	MGMT_STATUS_INVALID_PARAMS);
4551
4552	val = !!cp->param[0];
4553	changed = val ? !bt_dbg_get() : bt_dbg_get();
4554	bt_dbg_set(val);
4555
4556	memcpy(rp.uuid, debug_uuid, 16);
4557	rp.flags = cpu_to_le32(val ? BIT(0) : 0);
4558
4559	hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
4560
4561	err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE,
4562	MGMT_OP_SET_EXP_FEATURE, 0,
4563	&rp, sizeof(rp));
4564
4565	if (changed)
4566	exp_feature_changed(hdev, debug_uuid, val, sk);
4567
4568	return err;
4569	}
4570	#endif
4571
4572	static int set_mgmt_mesh_func(struct sock *sk, struct hci_dev *hdev,
4573	struct mgmt_cp_set_exp_feature *cp, u16 data_len)
4574	{
4575	struct mgmt_rp_set_exp_feature rp;
4576	bool val, changed;
4577	int err;
4578
4579	/* Command requires to use the controller index */
4580	if (!hdev)
4581	return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4582	MGMT_OP_SET_EXP_FEATURE,
4583	MGMT_STATUS_INVALID_INDEX);
4584
4585	/* Parameters are limited to a single octet */
4586	if (data_len != MGMT_SET_EXP_FEATURE_SIZE + 1)
4587	return mgmt_cmd_status(sk, index: hdev->id,
4588	MGMT_OP_SET_EXP_FEATURE,
4589	MGMT_STATUS_INVALID_PARAMS);
4590
4591	/* Only boolean on/off is supported */
4592	if (cp->param[0] != 0x00 && cp->param[0] != 0x01)
4593	return mgmt_cmd_status(sk, index: hdev->id,
4594	MGMT_OP_SET_EXP_FEATURE,
4595	MGMT_STATUS_INVALID_PARAMS);
4596
4597	val = !!cp->param[0];
4598
4599	if (val) {
4600	changed = !hci_dev_test_and_set_flag(hdev,
4601	HCI_MESH_EXPERIMENTAL);
4602	} else {
4603	hci_dev_clear_flag(hdev, HCI_MESH);
4604	changed = hci_dev_test_and_clear_flag(hdev,
4605	HCI_MESH_EXPERIMENTAL);
4606	}
4607
4608	memcpy(rp.uuid, mgmt_mesh_uuid, 16);
4609	rp.flags = cpu_to_le32(val ? BIT(0) : 0);
4610
4611	hci_sock_set_flag(sk, nr: HCI_MGMT_EXP_FEATURE_EVENTS);
4612
4613	err = mgmt_cmd_complete(sk, index: hdev->id,
4614	MGMT_OP_SET_EXP_FEATURE, status: 0,
4615	rp: &rp, rp_len: sizeof(rp));
4616
4617	if (changed)
4618	exp_feature_changed(hdev, uuid: mgmt_mesh_uuid, enabled: val, skip: sk);
4619
4620	return err;
4621	}
4622
4623	static int set_rpa_resolution_func(struct sock *sk, struct hci_dev *hdev,
4624	struct mgmt_cp_set_exp_feature *cp,
4625	u16 data_len)
4626	{
4627	struct mgmt_rp_set_exp_feature rp;
4628	bool val, changed;
4629	int err;
4630	u32 flags;
4631
4632	/* Command requires to use the controller index */
4633	if (!hdev)
4634	return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4635	MGMT_OP_SET_EXP_FEATURE,
4636	MGMT_STATUS_INVALID_INDEX);
4637
4638	/* Changes can only be made when controller is powered down */
4639	if (hdev_is_powered(hdev))
4640	return mgmt_cmd_status(sk, index: hdev->id,
4641	MGMT_OP_SET_EXP_FEATURE,
4642	MGMT_STATUS_REJECTED);
4643
4644	/* Parameters are limited to a single octet */
4645	if (data_len != MGMT_SET_EXP_FEATURE_SIZE + 1)
4646	return mgmt_cmd_status(sk, index: hdev->id,
4647	MGMT_OP_SET_EXP_FEATURE,
4648	MGMT_STATUS_INVALID_PARAMS);
4649
4650	/* Only boolean on/off is supported */
4651	if (cp->param[0] != 0x00 && cp->param[0] != 0x01)
4652	return mgmt_cmd_status(sk, index: hdev->id,
4653	MGMT_OP_SET_EXP_FEATURE,
4654	MGMT_STATUS_INVALID_PARAMS);
4655
4656	val = !!cp->param[0];
4657
4658	if (val) {
4659	changed = !hci_dev_test_and_set_flag(hdev,
4660	HCI_ENABLE_LL_PRIVACY);
4661	hci_dev_clear_flag(hdev, HCI_ADVERTISING);
4662
4663	/* Enable LL privacy + supported settings changed */
4664	flags = BIT(0) | BIT(1);
4665	} else {
4666	changed = hci_dev_test_and_clear_flag(hdev,
4667	HCI_ENABLE_LL_PRIVACY);
4668
4669	/* Disable LL privacy + supported settings changed */
4670	flags = BIT(1);
4671	}
4672
4673	memcpy(rp.uuid, rpa_resolution_uuid, 16);
4674	rp.flags = cpu_to_le32(flags);
4675
4676	hci_sock_set_flag(sk, nr: HCI_MGMT_EXP_FEATURE_EVENTS);
4677
4678	err = mgmt_cmd_complete(sk, index: hdev->id,
4679	MGMT_OP_SET_EXP_FEATURE, status: 0,
4680	rp: &rp, rp_len: sizeof(rp));
4681
4682	if (changed)
4683	exp_ll_privacy_feature_changed(enabled: val, hdev, skip: sk);
4684
4685	return err;
4686	}
4687
4688	static int set_quality_report_func(struct sock *sk, struct hci_dev *hdev,
4689	struct mgmt_cp_set_exp_feature *cp,
4690	u16 data_len)
4691	{
4692	struct mgmt_rp_set_exp_feature rp;
4693	bool val, changed;
4694	int err;
4695
4696	/* Command requires to use a valid controller index */
4697	if (!hdev)
4698	return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4699	MGMT_OP_SET_EXP_FEATURE,
4700	MGMT_STATUS_INVALID_INDEX);
4701
4702	/* Parameters are limited to a single octet */
4703	if (data_len != MGMT_SET_EXP_FEATURE_SIZE + 1)
4704	return mgmt_cmd_status(sk, index: hdev->id,
4705	MGMT_OP_SET_EXP_FEATURE,
4706	MGMT_STATUS_INVALID_PARAMS);
4707
4708	/* Only boolean on/off is supported */
4709	if (cp->param[0] != 0x00 && cp->param[0] != 0x01)
4710	return mgmt_cmd_status(sk, index: hdev->id,
4711	MGMT_OP_SET_EXP_FEATURE,
4712	MGMT_STATUS_INVALID_PARAMS);
4713
4714	hci_req_sync_lock(hdev);
4715
4716	val = !!cp->param[0];
4717	changed = (val != hci_dev_test_flag(hdev, HCI_QUALITY_REPORT));
4718
4719	if (!aosp_has_quality_report(hdev) && !hdev->set_quality_report) {
4720	err = mgmt_cmd_status(sk, index: hdev->id,
4721	MGMT_OP_SET_EXP_FEATURE,
4722	MGMT_STATUS_NOT_SUPPORTED);
4723	goto unlock_quality_report;
4724	}
4725
4726	if (changed) {
4727	if (hdev->set_quality_report)
4728	err = hdev->set_quality_report(hdev, val);
4729	else
4730	err = aosp_set_quality_report(hdev, enable: val);
4731
4732	if (err) {
4733	err = mgmt_cmd_status(sk, index: hdev->id,
4734	MGMT_OP_SET_EXP_FEATURE,
4735	MGMT_STATUS_FAILED);
4736	goto unlock_quality_report;
4737	}
4738
4739	if (val)
4740	hci_dev_set_flag(hdev, HCI_QUALITY_REPORT);
4741	else
4742	hci_dev_clear_flag(hdev, HCI_QUALITY_REPORT);
4743	}
4744
4745	bt_dev_dbg(hdev, "quality report enable %d changed %d", val, changed);
4746
4747	memcpy(rp.uuid, quality_report_uuid, 16);
4748	rp.flags = cpu_to_le32(val ? BIT(0) : 0);
4749	hci_sock_set_flag(sk, nr: HCI_MGMT_EXP_FEATURE_EVENTS);
4750
4751	err = mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_SET_EXP_FEATURE, status: 0,
4752	rp: &rp, rp_len: sizeof(rp));
4753
4754	if (changed)
4755	exp_feature_changed(hdev, uuid: quality_report_uuid, enabled: val, skip: sk);
4756
4757	unlock_quality_report:
4758	hci_req_sync_unlock(hdev);
4759	return err;
4760	}
4761
4762	static int set_offload_codec_func(struct sock *sk, struct hci_dev *hdev,
4763	struct mgmt_cp_set_exp_feature *cp,
4764	u16 data_len)
4765	{
4766	bool val, changed;
4767	int err;
4768	struct mgmt_rp_set_exp_feature rp;
4769
4770	/* Command requires to use a valid controller index */
4771	if (!hdev)
4772	return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4773	MGMT_OP_SET_EXP_FEATURE,
4774	MGMT_STATUS_INVALID_INDEX);
4775
4776	/* Parameters are limited to a single octet */
4777	if (data_len != MGMT_SET_EXP_FEATURE_SIZE + 1)
4778	return mgmt_cmd_status(sk, index: hdev->id,
4779	MGMT_OP_SET_EXP_FEATURE,
4780	MGMT_STATUS_INVALID_PARAMS);
4781
4782	/* Only boolean on/off is supported */
4783	if (cp->param[0] != 0x00 && cp->param[0] != 0x01)
4784	return mgmt_cmd_status(sk, index: hdev->id,
4785	MGMT_OP_SET_EXP_FEATURE,
4786	MGMT_STATUS_INVALID_PARAMS);
4787
4788	val = !!cp->param[0];
4789	changed = (val != hci_dev_test_flag(hdev, HCI_OFFLOAD_CODECS_ENABLED));
4790
4791	if (!hdev->get_data_path_id) {
4792	return mgmt_cmd_status(sk, index: hdev->id,
4793	MGMT_OP_SET_EXP_FEATURE,
4794	MGMT_STATUS_NOT_SUPPORTED);
4795	}
4796
4797	if (changed) {
4798	if (val)
4799	hci_dev_set_flag(hdev, HCI_OFFLOAD_CODECS_ENABLED);
4800	else
4801	hci_dev_clear_flag(hdev, HCI_OFFLOAD_CODECS_ENABLED);
4802	}
4803
4804	bt_dev_info(hdev, "offload codecs enable %d changed %d",
4805	val, changed);
4806
4807	memcpy(rp.uuid, offload_codecs_uuid, 16);
4808	rp.flags = cpu_to_le32(val ? BIT(0) : 0);
4809	hci_sock_set_flag(sk, nr: HCI_MGMT_EXP_FEATURE_EVENTS);
4810	err = mgmt_cmd_complete(sk, index: hdev->id,
4811	MGMT_OP_SET_EXP_FEATURE, status: 0,
4812	rp: &rp, rp_len: sizeof(rp));
4813
4814	if (changed)
4815	exp_feature_changed(hdev, uuid: offload_codecs_uuid, enabled: val, skip: sk);
4816
4817	return err;
4818	}
4819
4820	static int set_le_simultaneous_roles_func(struct sock *sk, struct hci_dev *hdev,
4821	struct mgmt_cp_set_exp_feature *cp,
4822	u16 data_len)
4823	{
4824	bool val, changed;
4825	int err;
4826	struct mgmt_rp_set_exp_feature rp;
4827
4828	/* Command requires to use a valid controller index */
4829	if (!hdev)
4830	return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4831	MGMT_OP_SET_EXP_FEATURE,
4832	MGMT_STATUS_INVALID_INDEX);
4833
4834	/* Parameters are limited to a single octet */
4835	if (data_len != MGMT_SET_EXP_FEATURE_SIZE + 1)
4836	return mgmt_cmd_status(sk, index: hdev->id,
4837	MGMT_OP_SET_EXP_FEATURE,
4838	MGMT_STATUS_INVALID_PARAMS);
4839
4840	/* Only boolean on/off is supported */
4841	if (cp->param[0] != 0x00 && cp->param[0] != 0x01)
4842	return mgmt_cmd_status(sk, index: hdev->id,
4843	MGMT_OP_SET_EXP_FEATURE,
4844	MGMT_STATUS_INVALID_PARAMS);
4845
4846	val = !!cp->param[0];
4847	changed = (val != hci_dev_test_flag(hdev, HCI_LE_SIMULTANEOUS_ROLES));
4848
4849	if (!hci_dev_le_state_simultaneous(hdev)) {
4850	return mgmt_cmd_status(sk, index: hdev->id,
4851	MGMT_OP_SET_EXP_FEATURE,
4852	MGMT_STATUS_NOT_SUPPORTED);
4853	}
4854
4855	if (changed) {
4856	if (val)
4857	hci_dev_set_flag(hdev, HCI_LE_SIMULTANEOUS_ROLES);
4858	else
4859	hci_dev_clear_flag(hdev, HCI_LE_SIMULTANEOUS_ROLES);
4860	}
4861
4862	bt_dev_info(hdev, "LE simultaneous roles enable %d changed %d",
4863	val, changed);
4864
4865	memcpy(rp.uuid, le_simultaneous_roles_uuid, 16);
4866	rp.flags = cpu_to_le32(val ? BIT(0) : 0);
4867	hci_sock_set_flag(sk, nr: HCI_MGMT_EXP_FEATURE_EVENTS);
4868	err = mgmt_cmd_complete(sk, index: hdev->id,
4869	MGMT_OP_SET_EXP_FEATURE, status: 0,
4870	rp: &rp, rp_len: sizeof(rp));
4871
4872	if (changed)
4873	exp_feature_changed(hdev, uuid: le_simultaneous_roles_uuid, enabled: val, skip: sk);
4874
4875	return err;
4876	}
4877
4878	#ifdef CONFIG_BT_LE
4879	static int set_iso_socket_func(struct sock *sk, struct hci_dev *hdev,
4880	struct mgmt_cp_set_exp_feature *cp, u16 data_len)
4881	{
4882	struct mgmt_rp_set_exp_feature rp;
4883	bool val, changed = false;
4884	int err;
4885
4886	/* Command requires to use the non-controller index */
4887	if (hdev)
4888	return mgmt_cmd_status(sk, index: hdev->id,
4889	MGMT_OP_SET_EXP_FEATURE,
4890	MGMT_STATUS_INVALID_INDEX);
4891
4892	/* Parameters are limited to a single octet */
4893	if (data_len != MGMT_SET_EXP_FEATURE_SIZE + 1)
4894	return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4895	MGMT_OP_SET_EXP_FEATURE,
4896	MGMT_STATUS_INVALID_PARAMS);
4897
4898	/* Only boolean on/off is supported */
4899	if (cp->param[0] != 0x00 && cp->param[0] != 0x01)
4900	return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4901	MGMT_OP_SET_EXP_FEATURE,
4902	MGMT_STATUS_INVALID_PARAMS);
4903
4904	val = cp->param[0] ? true : false;
4905	if (val)
4906	err = iso_init();
4907	else
4908	err = iso_exit();
4909
4910	if (!err)
4911	changed = true;
4912
4913	memcpy(rp.uuid, iso_socket_uuid, 16);
4914	rp.flags = cpu_to_le32(val ? BIT(0) : 0);
4915
4916	hci_sock_set_flag(sk, nr: HCI_MGMT_EXP_FEATURE_EVENTS);
4917
4918	err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE,
4919	MGMT_OP_SET_EXP_FEATURE, status: 0,
4920	rp: &rp, rp_len: sizeof(rp));
4921
4922	if (changed)
4923	exp_feature_changed(hdev, uuid: iso_socket_uuid, enabled: val, skip: sk);
4924
4925	return err;
4926	}
4927	#endif
4928
4929	static const struct mgmt_exp_feature {
4930	const u8 *uuid;
4931	int (*set_func)(struct sock *sk, struct hci_dev *hdev,
4932	struct mgmt_cp_set_exp_feature *cp, u16 data_len);
4933	} exp_features[] = {
4934	EXP_FEAT(ZERO_KEY, set_zero_key_func),
4935	#ifdef CONFIG_BT_FEATURE_DEBUG
4936	EXP_FEAT(debug_uuid, set_debug_func),
4937	#endif
4938	EXP_FEAT(mgmt_mesh_uuid, set_mgmt_mesh_func),
4939	EXP_FEAT(rpa_resolution_uuid, set_rpa_resolution_func),
4940	EXP_FEAT(quality_report_uuid, set_quality_report_func),
4941	EXP_FEAT(offload_codecs_uuid, set_offload_codec_func),
4942	EXP_FEAT(le_simultaneous_roles_uuid, set_le_simultaneous_roles_func),
4943	#ifdef CONFIG_BT_LE
4944	EXP_FEAT(iso_socket_uuid, set_iso_socket_func),
4945	#endif
4946
4947	/* end with a null feature */
4948	EXP_FEAT(NULL, NULL)
4949	};
4950
4951	static int set_exp_feature(struct sock *sk, struct hci_dev *hdev,
4952	void *data, u16 data_len)
4953	{
4954	struct mgmt_cp_set_exp_feature *cp = data;
4955	size_t i = 0;
4956
4957	bt_dev_dbg(hdev, "sock %p", sk);
4958
4959	for (i = 0; exp_features[i].uuid; i++) {
4960	if (!memcmp(p: cp->uuid, q: exp_features[i].uuid, size: 16))
4961	return exp_features[i].set_func(sk, hdev, cp, data_len);
4962	}
4963
4964	return mgmt_cmd_status(sk, index: hdev ? hdev->id : MGMT_INDEX_NONE,
4965	MGMT_OP_SET_EXP_FEATURE,
4966	MGMT_STATUS_NOT_SUPPORTED);
4967	}
4968
4969	static u32 get_params_flags(struct hci_dev *hdev,
4970	struct hci_conn_params *params)
4971	{
4972	u32 flags = hdev->conn_flags;
4973
4974	/* Devices using RPAs can only be programmed in the acceptlist if
4975	* LL Privacy has been enable otherwise they cannot mark
4976	* HCI_CONN_FLAG_REMOTE_WAKEUP.
4977	*/
4978	if ((flags & HCI_CONN_FLAG_REMOTE_WAKEUP) && !use_ll_privacy(hdev) &&
4979	hci_find_irk_by_addr(hdev, bdaddr: &params->addr, addr_type: params->addr_type))
4980	flags &= ~HCI_CONN_FLAG_REMOTE_WAKEUP;
4981
4982	return flags;
4983	}
4984
4985	static int get_device_flags(struct sock *sk, struct hci_dev *hdev, void *data,
4986	u16 data_len)
4987	{
4988	struct mgmt_cp_get_device_flags *cp = data;
4989	struct mgmt_rp_get_device_flags rp;
4990	struct bdaddr_list_with_flags *br_params;
4991	struct hci_conn_params *params;
4992	u32 supported_flags;
4993	u32 current_flags = 0;
4994	u8 status = MGMT_STATUS_INVALID_PARAMS;
4995
4996	bt_dev_dbg(hdev, "Get device flags %pMR (type 0x%x)\n",
4997	&cp->addr.bdaddr, cp->addr.type);
4998
4999	hci_dev_lock(hdev);
5000
5001	supported_flags = hdev->conn_flags;
5002
5003	memset(&rp, 0, sizeof(rp));
5004
5005	if (cp->addr.type == BDADDR_BREDR) {
5006	br_params = hci_bdaddr_list_lookup_with_flags(list: &hdev->accept_list,
5007	bdaddr: &cp->addr.bdaddr,
5008	type: cp->addr.type);
5009	if (!br_params)
5010	goto done;
5011
5012	current_flags = br_params->flags;
5013	} else {
5014	params = hci_conn_params_lookup(hdev, addr: &cp->addr.bdaddr,
5015	addr_type: le_addr_type(mgmt_addr_type: cp->addr.type));
5016	if (!params)
5017	goto done;
5018
5019	supported_flags = get_params_flags(hdev, params);
5020	current_flags = params->flags;
5021	}
5022
5023	bacpy(dst: &rp.addr.bdaddr, src: &cp->addr.bdaddr);
5024	rp.addr.type = cp->addr.type;
5025	rp.supported_flags = cpu_to_le32(supported_flags);
5026	rp.current_flags = cpu_to_le32(current_flags);
5027
5028	status = MGMT_STATUS_SUCCESS;
5029
5030	done:
5031	hci_dev_unlock(hdev);
5032
5033	return mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_GET_DEVICE_FLAGS, status,
5034	rp: &rp, rp_len: sizeof(rp));
5035	}
5036
5037	static void device_flags_changed(struct sock *sk, struct hci_dev *hdev,
5038	bdaddr_t *bdaddr, u8 bdaddr_type,
5039	u32 supported_flags, u32 current_flags)
5040	{
5041	struct mgmt_ev_device_flags_changed ev;
5042
5043	bacpy(dst: &ev.addr.bdaddr, src: bdaddr);
5044	ev.addr.type = bdaddr_type;
5045	ev.supported_flags = cpu_to_le32(supported_flags);
5046	ev.current_flags = cpu_to_le32(current_flags);
5047
5048	mgmt_event(MGMT_EV_DEVICE_FLAGS_CHANGED, hdev, data: &ev, len: sizeof(ev), skip_sk: sk);
5049	}
5050
5051	static int set_device_flags(struct sock *sk, struct hci_dev *hdev, void *data,
5052	u16 len)
5053	{
5054	struct mgmt_cp_set_device_flags *cp = data;
5055	struct bdaddr_list_with_flags *br_params;
5056	struct hci_conn_params *params;
5057	u8 status = MGMT_STATUS_INVALID_PARAMS;
5058	u32 supported_flags;
5059	u32 current_flags = __le32_to_cpu(cp->current_flags);
5060
5061	bt_dev_dbg(hdev, "Set device flags %pMR (type 0x%x) = 0x%x",
5062	&cp->addr.bdaddr, cp->addr.type, current_flags);
5063
5064	// We should take hci_dev_lock() early, I think.. conn_flags can change
5065	supported_flags = hdev->conn_flags;
5066
5067	if ((supported_flags | current_flags) != supported_flags) {
5068	bt_dev_warn(hdev, "Bad flag given (0x%x) vs supported (0x%0x)",
5069	current_flags, supported_flags);
5070	goto done;
5071	}
5072
5073	hci_dev_lock(hdev);
5074
5075	if (cp->addr.type == BDADDR_BREDR) {
5076	br_params = hci_bdaddr_list_lookup_with_flags(list: &hdev->accept_list,
5077	bdaddr: &cp->addr.bdaddr,
5078	type: cp->addr.type);
5079
5080	if (br_params) {
5081	br_params->flags = current_flags;
5082	status = MGMT_STATUS_SUCCESS;
5083	} else {
5084	bt_dev_warn(hdev, "No such BR/EDR device %pMR (0x%x)",
5085	&cp->addr.bdaddr, cp->addr.type);
5086	}
5087
5088	goto unlock;
5089	}
5090
5091	params = hci_conn_params_lookup(hdev, addr: &cp->addr.bdaddr,
5092	addr_type: le_addr_type(mgmt_addr_type: cp->addr.type));
5093	if (!params) {
5094	bt_dev_warn(hdev, "No such LE device %pMR (0x%x)",
5095	&cp->addr.bdaddr, le_addr_type(cp->addr.type));
5096	goto unlock;
5097	}
5098
5099	supported_flags = get_params_flags(hdev, params);
5100
5101	if ((supported_flags | current_flags) != supported_flags) {
5102	bt_dev_warn(hdev, "Bad flag given (0x%x) vs supported (0x%0x)",
5103	current_flags, supported_flags);
5104	goto unlock;
5105	}
5106
5107	WRITE_ONCE(params->flags, current_flags);
5108	status = MGMT_STATUS_SUCCESS;
5109
5110	/* Update passive scan if HCI_CONN_FLAG_DEVICE_PRIVACY
5111	* has been set.
5112	*/
5113	if (params->flags & HCI_CONN_FLAG_DEVICE_PRIVACY)
5114	hci_update_passive_scan(hdev);
5115
5116	unlock:
5117	hci_dev_unlock(hdev);
5118
5119	done:
5120	if (status == MGMT_STATUS_SUCCESS)
5121	device_flags_changed(sk, hdev, bdaddr: &cp->addr.bdaddr, bdaddr_type: cp->addr.type,
5122	supported_flags, current_flags);
5123
5124	return mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_SET_DEVICE_FLAGS, status,
5125	rp: &cp->addr, rp_len: sizeof(cp->addr));
5126	}
5127
5128	static void mgmt_adv_monitor_added(struct sock *sk, struct hci_dev *hdev,
5129	u16 handle)
5130	{
5131	struct mgmt_ev_adv_monitor_added ev;
5132
5133	ev.monitor_handle = cpu_to_le16(handle);
5134
5135	mgmt_event(MGMT_EV_ADV_MONITOR_ADDED, hdev, data: &ev, len: sizeof(ev), skip_sk: sk);
5136	}
5137
5138	void mgmt_adv_monitor_removed(struct hci_dev *hdev, u16 handle)
5139	{
5140	struct mgmt_ev_adv_monitor_removed ev;
5141	struct mgmt_pending_cmd *cmd;
5142	struct sock *sk_skip = NULL;
5143	struct mgmt_cp_remove_adv_monitor *cp;
5144
5145	cmd = pending_find(MGMT_OP_REMOVE_ADV_MONITOR, hdev);
5146	if (cmd) {
5147	cp = cmd->param;
5148
5149	if (cp->monitor_handle)
5150	sk_skip = cmd->sk;
5151	}
5152
5153	ev.monitor_handle = cpu_to_le16(handle);
5154
5155	mgmt_event(MGMT_EV_ADV_MONITOR_REMOVED, hdev, data: &ev, len: sizeof(ev), skip_sk: sk_skip);
5156	}
5157
5158	static int read_adv_mon_features(struct sock *sk, struct hci_dev *hdev,
5159	void *data, u16 len)
5160	{
5161	struct adv_monitor *monitor = NULL;
5162	struct mgmt_rp_read_adv_monitor_features *rp = NULL;
5163	int handle, err;
5164	size_t rp_size = 0;
5165	__u32 supported = 0;
5166	__u32 enabled = 0;
5167	__u16 num_handles = 0;
5168	__u16 handles[HCI_MAX_ADV_MONITOR_NUM_HANDLES];
5169
5170	BT_DBG("request for %s", hdev->name);
5171
5172	hci_dev_lock(hdev);
5173
5174	if (msft_monitor_supported(hdev))
5175	supported |= MGMT_ADV_MONITOR_FEATURE_MASK_OR_PATTERNS;
5176
5177	idr_for_each_entry(&hdev->adv_monitors_idr, monitor, handle)
5178	handles[num_handles++] = monitor->handle;
5179
5180	hci_dev_unlock(hdev);
5181
5182	rp_size = sizeof(*rp) + (num_handles * sizeof(u16));
5183	rp = kmalloc(size: rp_size, GFP_KERNEL);
5184	if (!rp)
5185	return -ENOMEM;
5186
5187	/* All supported features are currently enabled */
5188	enabled = supported;
5189
5190	rp->supported_features = cpu_to_le32(supported);
5191	rp->enabled_features = cpu_to_le32(enabled);
5192	rp->max_num_handles = cpu_to_le16(HCI_MAX_ADV_MONITOR_NUM_HANDLES);
5193	rp->max_num_patterns = HCI_MAX_ADV_MONITOR_NUM_PATTERNS;
5194	rp->num_handles = cpu_to_le16(num_handles);
5195	if (num_handles)
5196	memcpy(&rp->handles, &handles, (num_handles * sizeof(u16)));
5197
5198	err = mgmt_cmd_complete(sk, index: hdev->id,
5199	MGMT_OP_READ_ADV_MONITOR_FEATURES,
5200	MGMT_STATUS_SUCCESS, rp, rp_len: rp_size);
5201
5202	kfree(objp: rp);
5203
5204	return err;
5205	}
5206
5207	static void mgmt_add_adv_patterns_monitor_complete(struct hci_dev *hdev,
5208	void *data, int status)
5209	{
5210	struct mgmt_rp_add_adv_patterns_monitor rp;
5211	struct mgmt_pending_cmd *cmd = data;
5212	struct adv_monitor *monitor = cmd->user_data;
5213
5214	hci_dev_lock(hdev);
5215
5216	rp.monitor_handle = cpu_to_le16(monitor->handle);
5217
5218	if (!status) {
5219	mgmt_adv_monitor_added(sk: cmd->sk, hdev, handle: monitor->handle);
5220	hdev->adv_monitors_cnt++;
5221	if (monitor->state == ADV_MONITOR_STATE_NOT_REGISTERED)
5222	monitor->state = ADV_MONITOR_STATE_REGISTERED;
5223	hci_update_passive_scan(hdev);
5224	}
5225
5226	mgmt_cmd_complete(sk: cmd->sk, index: cmd->index, cmd: cmd->opcode,
5227	status: mgmt_status(err: status), rp: &rp, rp_len: sizeof(rp));
5228	mgmt_pending_remove(cmd);
5229
5230	hci_dev_unlock(hdev);
5231	bt_dev_dbg(hdev, "add monitor %d complete, status %d",
5232	rp.monitor_handle, status);
5233	}
5234
5235	static int mgmt_add_adv_patterns_monitor_sync(struct hci_dev *hdev, void *data)
5236	{
5237	struct mgmt_pending_cmd *cmd = data;
5238	struct adv_monitor *monitor = cmd->user_data;
5239
5240	return hci_add_adv_monitor(hdev, monitor);
5241	}
5242
5243	static int __add_adv_patterns_monitor(struct sock *sk, struct hci_dev *hdev,
5244	struct adv_monitor *m, u8 status,
5245	void *data, u16 len, u16 op)
5246	{
5247	struct mgmt_pending_cmd *cmd;
5248	int err;
5249
5250	hci_dev_lock(hdev);
5251
5252	if (status)
5253	goto unlock;
5254
5255	if (pending_find(MGMT_OP_SET_LE, hdev) ||
5256	pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR, hdev) ||
5257	pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR_RSSI, hdev) ||
5258	pending_find(MGMT_OP_REMOVE_ADV_MONITOR, hdev)) {
5259	status = MGMT_STATUS_BUSY;
5260	goto unlock;
5261	}
5262
5263	cmd = mgmt_pending_add(sk, opcode: op, hdev, data, len);
5264	if (!cmd) {
5265	status = MGMT_STATUS_NO_RESOURCES;
5266	goto unlock;
5267	}
5268
5269	cmd->user_data = m;
5270	err = hci_cmd_sync_queue(hdev, func: mgmt_add_adv_patterns_monitor_sync, data: cmd,
5271	destroy: mgmt_add_adv_patterns_monitor_complete);
5272	if (err) {
5273	if (err == -ENOMEM)
5274	status = MGMT_STATUS_NO_RESOURCES;
5275	else
5276	status = MGMT_STATUS_FAILED;
5277
5278	goto unlock;
5279	}
5280
5281	hci_dev_unlock(hdev);
5282
5283	return 0;
5284
5285	unlock:
5286	hci_free_adv_monitor(hdev, monitor: m);
5287	hci_dev_unlock(hdev);
5288	return mgmt_cmd_status(sk, index: hdev->id, cmd: op, status);
5289	}
5290
5291	static void parse_adv_monitor_rssi(struct adv_monitor *m,
5292	struct mgmt_adv_rssi_thresholds *rssi)
5293	{
5294	if (rssi) {
5295	m->rssi.low_threshold = rssi->low_threshold;
5296	m->rssi.low_threshold_timeout =
5297	__le16_to_cpu(rssi->low_threshold_timeout);
5298	m->rssi.high_threshold = rssi->high_threshold;
5299	m->rssi.high_threshold_timeout =
5300	__le16_to_cpu(rssi->high_threshold_timeout);
5301	m->rssi.sampling_period = rssi->sampling_period;
5302	} else {
5303	/* Default values. These numbers are the least constricting
5304	* parameters for MSFT API to work, so it behaves as if there
5305	* are no rssi parameter to consider. May need to be changed
5306	* if other API are to be supported.
5307	*/
5308	m->rssi.low_threshold = -127;
5309	m->rssi.low_threshold_timeout = 60;
5310	m->rssi.high_threshold = -127;
5311	m->rssi.high_threshold_timeout = 0;
5312	m->rssi.sampling_period = 0;
5313	}
5314	}
5315
5316	static u8 parse_adv_monitor_pattern(struct adv_monitor *m, u8 pattern_count,
5317	struct mgmt_adv_pattern *patterns)
5318	{
5319	u8 offset = 0, length = 0;
5320	struct adv_pattern *p = NULL;
5321	int i;
5322
5323	for (i = 0; i < pattern_count; i++) {
5324	offset = patterns[i].offset;
5325	length = patterns[i].length;
5326	if (offset >= HCI_MAX_EXT_AD_LENGTH ||
5327	length > HCI_MAX_EXT_AD_LENGTH ||
5328	(offset + length) > HCI_MAX_EXT_AD_LENGTH)
5329	return MGMT_STATUS_INVALID_PARAMS;
5330
5331	p = kmalloc(size: sizeof(*p), GFP_KERNEL);
5332	if (!p)
5333	return MGMT_STATUS_NO_RESOURCES;
5334
5335	p->ad_type = patterns[i].ad_type;
5336	p->offset = patterns[i].offset;
5337	p->length = patterns[i].length;
5338	memcpy(p->value, patterns[i].value, p->length);
5339
5340	INIT_LIST_HEAD(list: &p->list);
5341	list_add(new: &p->list, head: &m->patterns);
5342	}
5343
5344	return MGMT_STATUS_SUCCESS;
5345	}
5346
5347	static int add_adv_patterns_monitor(struct sock *sk, struct hci_dev *hdev,
5348	void *data, u16 len)
5349	{
5350	struct mgmt_cp_add_adv_patterns_monitor *cp = data;
5351	struct adv_monitor *m = NULL;
5352	u8 status = MGMT_STATUS_SUCCESS;
5353	size_t expected_size = sizeof(*cp);
5354
5355	BT_DBG("request for %s", hdev->name);
5356
5357	if (len <= sizeof(*cp)) {
5358	status = MGMT_STATUS_INVALID_PARAMS;
5359	goto done;
5360	}
5361
5362	expected_size += cp->pattern_count * sizeof(struct mgmt_adv_pattern);
5363	if (len != expected_size) {
5364	status = MGMT_STATUS_INVALID_PARAMS;
5365	goto done;
5366	}
5367
5368	m = kzalloc(size: sizeof(*m), GFP_KERNEL);
5369	if (!m) {
5370	status = MGMT_STATUS_NO_RESOURCES;
5371	goto done;
5372	}
5373
5374	INIT_LIST_HEAD(list: &m->patterns);
5375
5376	parse_adv_monitor_rssi(m, NULL);
5377	status = parse_adv_monitor_pattern(m, pattern_count: cp->pattern_count, patterns: cp->patterns);
5378
5379	done:
5380	return __add_adv_patterns_monitor(sk, hdev, m, status, data, len,
5381	MGMT_OP_ADD_ADV_PATTERNS_MONITOR);
5382	}
5383
5384	static int add_adv_patterns_monitor_rssi(struct sock *sk, struct hci_dev *hdev,
5385	void *data, u16 len)
5386	{
5387	struct mgmt_cp_add_adv_patterns_monitor_rssi *cp = data;
5388	struct adv_monitor *m = NULL;
5389	u8 status = MGMT_STATUS_SUCCESS;
5390	size_t expected_size = sizeof(*cp);
5391
5392	BT_DBG("request for %s", hdev->name);
5393
5394	if (len <= sizeof(*cp)) {
5395	status = MGMT_STATUS_INVALID_PARAMS;
5396	goto done;
5397	}
5398
5399	expected_size += cp->pattern_count * sizeof(struct mgmt_adv_pattern);
5400	if (len != expected_size) {
5401	status = MGMT_STATUS_INVALID_PARAMS;
5402	goto done;
5403	}
5404
5405	m = kzalloc(size: sizeof(*m), GFP_KERNEL);
5406	if (!m) {
5407	status = MGMT_STATUS_NO_RESOURCES;
5408	goto done;
5409	}
5410
5411	INIT_LIST_HEAD(list: &m->patterns);
5412
5413	parse_adv_monitor_rssi(m, rssi: &cp->rssi);
5414	status = parse_adv_monitor_pattern(m, pattern_count: cp->pattern_count, patterns: cp->patterns);
5415
5416	done:
5417	return __add_adv_patterns_monitor(sk, hdev, m, status, data, len,
5418	MGMT_OP_ADD_ADV_PATTERNS_MONITOR_RSSI);
5419	}
5420
5421	static void mgmt_remove_adv_monitor_complete(struct hci_dev *hdev,
5422	void *data, int status)
5423	{
5424	struct mgmt_rp_remove_adv_monitor rp;
5425	struct mgmt_pending_cmd *cmd = data;
5426	struct mgmt_cp_remove_adv_monitor *cp = cmd->param;
5427
5428	hci_dev_lock(hdev);
5429
5430	rp.monitor_handle = cp->monitor_handle;
5431
5432	if (!status)
5433	hci_update_passive_scan(hdev);
5434
5435	mgmt_cmd_complete(sk: cmd->sk, index: cmd->index, cmd: cmd->opcode,
5436	status: mgmt_status(err: status), rp: &rp, rp_len: sizeof(rp));
5437	mgmt_pending_remove(cmd);
5438
5439	hci_dev_unlock(hdev);
5440	bt_dev_dbg(hdev, "remove monitor %d complete, status %d",
5441	rp.monitor_handle, status);
5442	}
5443
5444	static int mgmt_remove_adv_monitor_sync(struct hci_dev *hdev, void *data)
5445	{
5446	struct mgmt_pending_cmd *cmd = data;
5447	struct mgmt_cp_remove_adv_monitor *cp = cmd->param;
5448	u16 handle = __le16_to_cpu(cp->monitor_handle);
5449
5450	if (!handle)
5451	return hci_remove_all_adv_monitor(hdev);
5452
5453	return hci_remove_single_adv_monitor(hdev, handle);
5454	}
5455
5456	static int remove_adv_monitor(struct sock *sk, struct hci_dev *hdev,
5457	void *data, u16 len)
5458	{
5459	struct mgmt_pending_cmd *cmd;
5460	int err, status;
5461
5462	hci_dev_lock(hdev);
5463
5464	if (pending_find(MGMT_OP_SET_LE, hdev) ||
5465	pending_find(MGMT_OP_REMOVE_ADV_MONITOR, hdev) ||
5466	pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR, hdev) ||
5467	pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR_RSSI, hdev)) {
5468	status = MGMT_STATUS_BUSY;
5469	goto unlock;
5470	}
5471
5472	cmd = mgmt_pending_add(sk, MGMT_OP_REMOVE_ADV_MONITOR, hdev, data, len);
5473	if (!cmd) {
5474	status = MGMT_STATUS_NO_RESOURCES;
5475	goto unlock;
5476	}
5477
5478	err = hci_cmd_sync_queue(hdev, func: mgmt_remove_adv_monitor_sync, data: cmd,
5479	destroy: mgmt_remove_adv_monitor_complete);
5480
5481	if (err) {
5482	mgmt_pending_remove(cmd);
5483
5484	if (err == -ENOMEM)
5485	status = MGMT_STATUS_NO_RESOURCES;
5486	else
5487	status = MGMT_STATUS_FAILED;
5488
5489	goto unlock;
5490	}
5491
5492	hci_dev_unlock(hdev);
5493
5494	return 0;
5495
5496	unlock:
5497	hci_dev_unlock(hdev);
5498	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_REMOVE_ADV_MONITOR,
5499	status);
5500	}
5501
5502	static void read_local_oob_data_complete(struct hci_dev *hdev, void *data, int err)
5503	{
5504	struct mgmt_rp_read_local_oob_data mgmt_rp;
5505	size_t rp_size = sizeof(mgmt_rp);
5506	struct mgmt_pending_cmd *cmd = data;
5507	struct sk_buff *skb = cmd->skb;
5508	u8 status = mgmt_status(err);
5509
5510	if (!status) {
5511	if (!skb)
5512	status = MGMT_STATUS_FAILED;
5513	else if (IS_ERR(ptr: skb))
5514	status = mgmt_status(err: PTR_ERR(ptr: skb));
5515	else
5516	status = mgmt_status(err: skb->data[0]);
5517	}
5518
5519	bt_dev_dbg(hdev, "status %d", status);
5520
5521	if (status) {
5522	mgmt_cmd_status(sk: cmd->sk, index: hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA, status);
5523	goto remove;
5524	}
5525
5526	memset(&mgmt_rp, 0, sizeof(mgmt_rp));
5527
5528	if (!bredr_sc_enabled(hdev)) {
5529	struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
5530
5531	if (skb->len < sizeof(*rp)) {
5532	mgmt_cmd_status(sk: cmd->sk, index: hdev->id,
5533	MGMT_OP_READ_LOCAL_OOB_DATA,
5534	MGMT_STATUS_FAILED);
5535	goto remove;
5536	}
5537
5538	memcpy(mgmt_rp.hash192, rp->hash, sizeof(rp->hash));
5539	memcpy(mgmt_rp.rand192, rp->rand, sizeof(rp->rand));
5540
5541	rp_size -= sizeof(mgmt_rp.hash256) + sizeof(mgmt_rp.rand256);
5542	} else {
5543	struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
5544
5545	if (skb->len < sizeof(*rp)) {
5546	mgmt_cmd_status(sk: cmd->sk, index: hdev->id,
5547	MGMT_OP_READ_LOCAL_OOB_DATA,
5548	MGMT_STATUS_FAILED);
5549	goto remove;
5550	}
5551
5552	memcpy(mgmt_rp.hash192, rp->hash192, sizeof(rp->hash192));
5553	memcpy(mgmt_rp.rand192, rp->rand192, sizeof(rp->rand192));
5554
5555	memcpy(mgmt_rp.hash256, rp->hash256, sizeof(rp->hash256));
5556	memcpy(mgmt_rp.rand256, rp->rand256, sizeof(rp->rand256));
5557	}
5558
5559	mgmt_cmd_complete(sk: cmd->sk, index: hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
5560	MGMT_STATUS_SUCCESS, rp: &mgmt_rp, rp_len: rp_size);
5561
5562	remove:
5563	if (skb && !IS_ERR(ptr: skb))
5564	kfree_skb(skb);
5565
5566	mgmt_pending_free(cmd);
5567	}
5568
5569	static int read_local_oob_data_sync(struct hci_dev *hdev, void *data)
5570	{
5571	struct mgmt_pending_cmd *cmd = data;
5572
5573	if (bredr_sc_enabled(hdev))
5574	cmd->skb = hci_read_local_oob_data_sync(hdev, ext: true, sk: cmd->sk);
5575	else
5576	cmd->skb = hci_read_local_oob_data_sync(hdev, ext: false, sk: cmd->sk);
5577
5578	if (IS_ERR(ptr: cmd->skb))
5579	return PTR_ERR(ptr: cmd->skb);
5580	else
5581	return 0;
5582	}
5583
5584	static int read_local_oob_data(struct sock *sk, struct hci_dev *hdev,
5585	void *data, u16 data_len)
5586	{
5587	struct mgmt_pending_cmd *cmd;
5588	int err;
5589
5590	bt_dev_dbg(hdev, "sock %p", sk);
5591
5592	hci_dev_lock(hdev);
5593
5594	if (!hdev_is_powered(hdev)) {
5595	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
5596	MGMT_STATUS_NOT_POWERED);
5597	goto unlock;
5598	}
5599
5600	if (!lmp_ssp_capable(hdev)) {
5601	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
5602	MGMT_STATUS_NOT_SUPPORTED);
5603	goto unlock;
5604	}
5605
5606	cmd = mgmt_pending_new(sk, MGMT_OP_READ_LOCAL_OOB_DATA, hdev, NULL, len: 0);
5607	if (!cmd)
5608	err = -ENOMEM;
5609	else
5610	err = hci_cmd_sync_queue(hdev, func: read_local_oob_data_sync, data: cmd,
5611	destroy: read_local_oob_data_complete);
5612
5613	if (err < 0) {
5614	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
5615	MGMT_STATUS_FAILED);
5616
5617	if (cmd)
5618	mgmt_pending_free(cmd);
5619	}
5620
5621	unlock:
5622	hci_dev_unlock(hdev);
5623	return err;
5624	}
5625
5626	static int add_remote_oob_data(struct sock *sk, struct hci_dev *hdev,
5627	void *data, u16 len)
5628	{
5629	struct mgmt_addr_info *addr = data;
5630	int err;
5631
5632	bt_dev_dbg(hdev, "sock %p", sk);
5633
5634	if (!bdaddr_type_is_valid(type: addr->type))
5635	return mgmt_cmd_complete(sk, index: hdev->id,
5636	MGMT_OP_ADD_REMOTE_OOB_DATA,
5637	MGMT_STATUS_INVALID_PARAMS,
5638	rp: addr, rp_len: sizeof(*addr));
5639
5640	hci_dev_lock(hdev);
5641
5642	if (len == MGMT_ADD_REMOTE_OOB_DATA_SIZE) {
5643	struct mgmt_cp_add_remote_oob_data *cp = data;
5644	u8 status;
5645
5646	if (cp->addr.type != BDADDR_BREDR) {
5647	err = mgmt_cmd_complete(sk, index: hdev->id,
5648	MGMT_OP_ADD_REMOTE_OOB_DATA,
5649	MGMT_STATUS_INVALID_PARAMS,
5650	rp: &cp->addr, rp_len: sizeof(cp->addr));
5651	goto unlock;
5652	}
5653
5654	err = hci_add_remote_oob_data(hdev, bdaddr: &cp->addr.bdaddr,
5655	bdaddr_type: cp->addr.type, hash192: cp->hash,
5656	rand192: cp->rand, NULL, NULL);
5657	if (err < 0)
5658	status = MGMT_STATUS_FAILED;
5659	else
5660	status = MGMT_STATUS_SUCCESS;
5661
5662	err = mgmt_cmd_complete(sk, index: hdev->id,
5663	MGMT_OP_ADD_REMOTE_OOB_DATA, status,
5664	rp: &cp->addr, rp_len: sizeof(cp->addr));
5665	} else if (len == MGMT_ADD_REMOTE_OOB_EXT_DATA_SIZE) {
5666	struct mgmt_cp_add_remote_oob_ext_data *cp = data;
5667	u8 *rand192, *hash192, *rand256, *hash256;
5668	u8 status;
5669
5670	if (bdaddr_type_is_le(type: cp->addr.type)) {
5671	/* Enforce zero-valued 192-bit parameters as
5672	* long as legacy SMP OOB isn't implemented.
5673	*/
5674	if (memcmp(p: cp->rand192, ZERO_KEY, size: 16) ||
5675	memcmp(p: cp->hash192, ZERO_KEY, size: 16)) {
5676	err = mgmt_cmd_complete(sk, index: hdev->id,
5677	MGMT_OP_ADD_REMOTE_OOB_DATA,
5678	MGMT_STATUS_INVALID_PARAMS,
5679	rp: addr, rp_len: sizeof(*addr));
5680	goto unlock;
5681	}
5682
5683	rand192 = NULL;
5684	hash192 = NULL;
5685	} else {
5686	/* In case one of the P-192 values is set to zero,
5687	* then just disable OOB data for P-192.
5688	*/
5689	if (!memcmp(p: cp->rand192, ZERO_KEY, size: 16) ||
5690	!memcmp(p: cp->hash192, ZERO_KEY, size: 16)) {
5691	rand192 = NULL;
5692	hash192 = NULL;
5693	} else {
5694	rand192 = cp->rand192;
5695	hash192 = cp->hash192;
5696	}
5697	}
5698
5699	/* In case one of the P-256 values is set to zero, then just
5700	* disable OOB data for P-256.
5701	*/
5702	if (!memcmp(p: cp->rand256, ZERO_KEY, size: 16) ||
5703	!memcmp(p: cp->hash256, ZERO_KEY, size: 16)) {
5704	rand256 = NULL;
5705	hash256 = NULL;
5706	} else {
5707	rand256 = cp->rand256;
5708	hash256 = cp->hash256;
5709	}
5710
5711	err = hci_add_remote_oob_data(hdev, bdaddr: &cp->addr.bdaddr,
5712	bdaddr_type: cp->addr.type, hash192, rand192,
5713	hash256, rand256);
5714	if (err < 0)
5715	status = MGMT_STATUS_FAILED;
5716	else
5717	status = MGMT_STATUS_SUCCESS;
5718
5719	err = mgmt_cmd_complete(sk, index: hdev->id,
5720	MGMT_OP_ADD_REMOTE_OOB_DATA,
5721	status, rp: &cp->addr, rp_len: sizeof(cp->addr));
5722	} else {
5723	bt_dev_err(hdev, "add_remote_oob_data: invalid len of %u bytes",
5724	len);
5725	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_ADD_REMOTE_OOB_DATA,
5726	MGMT_STATUS_INVALID_PARAMS);
5727	}
5728
5729	unlock:
5730	hci_dev_unlock(hdev);
5731	return err;
5732	}
5733
5734	static int remove_remote_oob_data(struct sock *sk, struct hci_dev *hdev,
5735	void *data, u16 len)
5736	{
5737	struct mgmt_cp_remove_remote_oob_data *cp = data;
5738	u8 status;
5739	int err;
5740
5741	bt_dev_dbg(hdev, "sock %p", sk);
5742
5743	if (cp->addr.type != BDADDR_BREDR)
5744	return mgmt_cmd_complete(sk, index: hdev->id,
5745	MGMT_OP_REMOVE_REMOTE_OOB_DATA,
5746	MGMT_STATUS_INVALID_PARAMS,
5747	rp: &cp->addr, rp_len: sizeof(cp->addr));
5748
5749	hci_dev_lock(hdev);
5750
5751	if (!bacmp(ba1: &cp->addr.bdaddr, BDADDR_ANY)) {
5752	hci_remote_oob_data_clear(hdev);
5753	status = MGMT_STATUS_SUCCESS;
5754	goto done;
5755	}
5756
5757	err = hci_remove_remote_oob_data(hdev, bdaddr: &cp->addr.bdaddr, bdaddr_type: cp->addr.type);
5758	if (err < 0)
5759	status = MGMT_STATUS_INVALID_PARAMS;
5760	else
5761	status = MGMT_STATUS_SUCCESS;
5762
5763	done:
5764	err = mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
5765	status, rp: &cp->addr, rp_len: sizeof(cp->addr));
5766
5767	hci_dev_unlock(hdev);
5768	return err;
5769	}
5770
5771	void mgmt_start_discovery_complete(struct hci_dev *hdev, u8 status)
5772	{
5773	struct mgmt_pending_cmd *cmd;
5774
5775	bt_dev_dbg(hdev, "status %u", status);
5776
5777	hci_dev_lock(hdev);
5778
5779	cmd = pending_find(MGMT_OP_START_DISCOVERY, hdev);
5780	if (!cmd)
5781	cmd = pending_find(MGMT_OP_START_SERVICE_DISCOVERY, hdev);
5782
5783	if (!cmd)
5784	cmd = pending_find(MGMT_OP_START_LIMITED_DISCOVERY, hdev);
5785
5786	if (cmd) {
5787	cmd->cmd_complete(cmd, mgmt_status(err: status));
5788	mgmt_pending_remove(cmd);
5789	}
5790
5791	hci_dev_unlock(hdev);
5792	}
5793
5794	static bool discovery_type_is_valid(struct hci_dev *hdev, uint8_t type,
5795	uint8_t *mgmt_status)
5796	{
5797	switch (type) {
5798	case DISCOV_TYPE_LE:
5799	*mgmt_status = mgmt_le_support(hdev);
5800	if (*mgmt_status)
5801	return false;
5802	break;
5803	case DISCOV_TYPE_INTERLEAVED:
5804	*mgmt_status = mgmt_le_support(hdev);
5805	if (*mgmt_status)
5806	return false;
5807	fallthrough;
5808	case DISCOV_TYPE_BREDR:
5809	*mgmt_status = mgmt_bredr_support(hdev);
5810	if (*mgmt_status)
5811	return false;
5812	break;
5813	default:
5814	*mgmt_status = MGMT_STATUS_INVALID_PARAMS;
5815	return false;
5816	}
5817
5818	return true;
5819	}
5820
5821	static void start_discovery_complete(struct hci_dev *hdev, void *data, int err)
5822	{
5823	struct mgmt_pending_cmd *cmd = data;
5824
5825	if (cmd != pending_find(MGMT_OP_START_DISCOVERY, hdev) &&
5826	cmd != pending_find(MGMT_OP_START_LIMITED_DISCOVERY, hdev) &&
5827	cmd != pending_find(MGMT_OP_START_SERVICE_DISCOVERY, hdev))
5828	return;
5829
5830	bt_dev_dbg(hdev, "err %d", err);
5831
5832	mgmt_cmd_complete(sk: cmd->sk, index: cmd->index, cmd: cmd->opcode, status: mgmt_status(err),
5833	rp: cmd->param, rp_len: 1);
5834	mgmt_pending_remove(cmd);
5835
5836	hci_discovery_set_state(hdev, state: err ? DISCOVERY_STOPPED:
5837	DISCOVERY_FINDING);
5838	}
5839
5840	static int start_discovery_sync(struct hci_dev *hdev, void *data)
5841	{
5842	return hci_start_discovery_sync(hdev);
5843	}
5844
5845	static int start_discovery_internal(struct sock *sk, struct hci_dev *hdev,
5846	u16 op, void *data, u16 len)
5847	{
5848	struct mgmt_cp_start_discovery *cp = data;
5849	struct mgmt_pending_cmd *cmd;
5850	u8 status;
5851	int err;
5852
5853	bt_dev_dbg(hdev, "sock %p", sk);
5854
5855	hci_dev_lock(hdev);
5856
5857	if (!hdev_is_powered(hdev)) {
5858	err = mgmt_cmd_complete(sk, index: hdev->id, cmd: op,
5859	MGMT_STATUS_NOT_POWERED,
5860	rp: &cp->type, rp_len: sizeof(cp->type));
5861	goto failed;
5862	}
5863
5864	if (hdev->discovery.state != DISCOVERY_STOPPED ||
5865	hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) {
5866	err = mgmt_cmd_complete(sk, index: hdev->id, cmd: op, MGMT_STATUS_BUSY,
5867	rp: &cp->type, rp_len: sizeof(cp->type));
5868	goto failed;
5869	}
5870
5871	if (!discovery_type_is_valid(hdev, type: cp->type, mgmt_status: &status)) {
5872	err = mgmt_cmd_complete(sk, index: hdev->id, cmd: op, status,
5873	rp: &cp->type, rp_len: sizeof(cp->type));
5874	goto failed;
5875	}
5876
5877	/* Can't start discovery when it is paused */
5878	if (hdev->discovery_paused) {
5879	err = mgmt_cmd_complete(sk, index: hdev->id, cmd: op, MGMT_STATUS_BUSY,
5880	rp: &cp->type, rp_len: sizeof(cp->type));
5881	goto failed;
5882	}
5883
5884	/* Clear the discovery filter first to free any previously
5885	* allocated memory for the UUID list.
5886	*/
5887	hci_discovery_filter_clear(hdev);
5888
5889	hdev->discovery.type = cp->type;
5890	hdev->discovery.report_invalid_rssi = false;
5891	if (op == MGMT_OP_START_LIMITED_DISCOVERY)
5892	hdev->discovery.limited = true;
5893	else
5894	hdev->discovery.limited = false;
5895
5896	cmd = mgmt_pending_add(sk, opcode: op, hdev, data, len);
5897	if (!cmd) {
5898	err = -ENOMEM;
5899	goto failed;
5900	}
5901
5902	err = hci_cmd_sync_queue(hdev, func: start_discovery_sync, data: cmd,
5903	destroy: start_discovery_complete);
5904	if (err < 0) {
5905	mgmt_pending_remove(cmd);
5906	goto failed;
5907	}
5908
5909	hci_discovery_set_state(hdev, state: DISCOVERY_STARTING);
5910
5911	failed:
5912	hci_dev_unlock(hdev);
5913	return err;
5914	}
5915
5916	static int start_discovery(struct sock *sk, struct hci_dev *hdev,
5917	void *data, u16 len)
5918	{
5919	return start_discovery_internal(sk, hdev, MGMT_OP_START_DISCOVERY,
5920	data, len);
5921	}
5922
5923	static int start_limited_discovery(struct sock *sk, struct hci_dev *hdev,
5924	void *data, u16 len)
5925	{
5926	return start_discovery_internal(sk, hdev,
5927	MGMT_OP_START_LIMITED_DISCOVERY,
5928	data, len);
5929	}
5930
5931	static int start_service_discovery(struct sock *sk, struct hci_dev *hdev,
5932	void *data, u16 len)
5933	{
5934	struct mgmt_cp_start_service_discovery *cp = data;
5935	struct mgmt_pending_cmd *cmd;
5936	const u16 max_uuid_count = ((U16_MAX - sizeof(*cp)) / 16);
5937	u16 uuid_count, expected_len;
5938	u8 status;
5939	int err;
5940
5941	bt_dev_dbg(hdev, "sock %p", sk);
5942
5943	hci_dev_lock(hdev);
5944
5945	if (!hdev_is_powered(hdev)) {
5946	err = mgmt_cmd_complete(sk, index: hdev->id,
5947	MGMT_OP_START_SERVICE_DISCOVERY,
5948	MGMT_STATUS_NOT_POWERED,
5949	rp: &cp->type, rp_len: sizeof(cp->type));
5950	goto failed;
5951	}
5952
5953	if (hdev->discovery.state != DISCOVERY_STOPPED ||
5954	hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) {
5955	err = mgmt_cmd_complete(sk, index: hdev->id,
5956	MGMT_OP_START_SERVICE_DISCOVERY,
5957	MGMT_STATUS_BUSY, rp: &cp->type,
5958	rp_len: sizeof(cp->type));
5959	goto failed;
5960	}
5961
5962	if (hdev->discovery_paused) {
5963	err = mgmt_cmd_complete(sk, index: hdev->id,
5964	MGMT_OP_START_SERVICE_DISCOVERY,
5965	MGMT_STATUS_BUSY, rp: &cp->type,
5966	rp_len: sizeof(cp->type));
5967	goto failed;
5968	}
5969
5970	uuid_count = __le16_to_cpu(cp->uuid_count);
5971	if (uuid_count > max_uuid_count) {
5972	bt_dev_err(hdev, "service_discovery: too big uuid_count value %u",
5973	uuid_count);
5974	err = mgmt_cmd_complete(sk, index: hdev->id,
5975	MGMT_OP_START_SERVICE_DISCOVERY,
5976	MGMT_STATUS_INVALID_PARAMS, rp: &cp->type,
5977	rp_len: sizeof(cp->type));
5978	goto failed;
5979	}
5980
5981	expected_len = sizeof(*cp) + uuid_count * 16;
5982	if (expected_len != len) {
5983	bt_dev_err(hdev, "service_discovery: expected %u bytes, got %u bytes",
5984	expected_len, len);
5985	err = mgmt_cmd_complete(sk, index: hdev->id,
5986	MGMT_OP_START_SERVICE_DISCOVERY,
5987	MGMT_STATUS_INVALID_PARAMS, rp: &cp->type,
5988	rp_len: sizeof(cp->type));
5989	goto failed;
5990	}
5991
5992	if (!discovery_type_is_valid(hdev, type: cp->type, mgmt_status: &status)) {
5993	err = mgmt_cmd_complete(sk, index: hdev->id,
5994	MGMT_OP_START_SERVICE_DISCOVERY,
5995	status, rp: &cp->type, rp_len: sizeof(cp->type));
5996	goto failed;
5997	}
5998
5999	cmd = mgmt_pending_add(sk, MGMT_OP_START_SERVICE_DISCOVERY,
6000	hdev, data, len);
6001	if (!cmd) {
6002	err = -ENOMEM;
6003	goto failed;
6004	}
6005
6006	/* Clear the discovery filter first to free any previously
6007	* allocated memory for the UUID list.
6008	*/
6009	hci_discovery_filter_clear(hdev);
6010
6011	hdev->discovery.result_filtering = true;
6012	hdev->discovery.type = cp->type;
6013	hdev->discovery.rssi = cp->rssi;
6014	hdev->discovery.uuid_count = uuid_count;
6015
6016	if (uuid_count > 0) {
6017	hdev->discovery.uuids = kmemdup(p: cp->uuids, size: uuid_count * 16,
6018	GFP_KERNEL);
6019	if (!hdev->discovery.uuids) {
6020	err = mgmt_cmd_complete(sk, index: hdev->id,
6021	MGMT_OP_START_SERVICE_DISCOVERY,
6022	MGMT_STATUS_FAILED,
6023	rp: &cp->type, rp_len: sizeof(cp->type));
6024	mgmt_pending_remove(cmd);
6025	goto failed;
6026	}
6027	}
6028
6029	err = hci_cmd_sync_queue(hdev, func: start_discovery_sync, data: cmd,
6030	destroy: start_discovery_complete);
6031	if (err < 0) {
6032	mgmt_pending_remove(cmd);
6033	goto failed;
6034	}
6035
6036	hci_discovery_set_state(hdev, state: DISCOVERY_STARTING);
6037
6038	failed:
6039	hci_dev_unlock(hdev);
6040	return err;
6041	}
6042
6043	void mgmt_stop_discovery_complete(struct hci_dev *hdev, u8 status)
6044	{
6045	struct mgmt_pending_cmd *cmd;
6046
6047	bt_dev_dbg(hdev, "status %u", status);
6048
6049	hci_dev_lock(hdev);
6050
6051	cmd = pending_find(MGMT_OP_STOP_DISCOVERY, hdev);
6052	if (cmd) {
6053	cmd->cmd_complete(cmd, mgmt_status(err: status));
6054	mgmt_pending_remove(cmd);
6055	}
6056
6057	hci_dev_unlock(hdev);
6058	}
6059
6060	static void stop_discovery_complete(struct hci_dev *hdev, void *data, int err)
6061	{
6062	struct mgmt_pending_cmd *cmd = data;
6063
6064	if (cmd != pending_find(MGMT_OP_STOP_DISCOVERY, hdev))
6065	return;
6066
6067	bt_dev_dbg(hdev, "err %d", err);
6068
6069	mgmt_cmd_complete(sk: cmd->sk, index: cmd->index, cmd: cmd->opcode, status: mgmt_status(err),
6070	rp: cmd->param, rp_len: 1);
6071	mgmt_pending_remove(cmd);
6072
6073	if (!err)
6074	hci_discovery_set_state(hdev, state: DISCOVERY_STOPPED);
6075	}
6076
6077	static int stop_discovery_sync(struct hci_dev *hdev, void *data)
6078	{
6079	return hci_stop_discovery_sync(hdev);
6080	}
6081
6082	static int stop_discovery(struct sock *sk, struct hci_dev *hdev, void *data,
6083	u16 len)
6084	{
6085	struct mgmt_cp_stop_discovery *mgmt_cp = data;
6086	struct mgmt_pending_cmd *cmd;
6087	int err;
6088
6089	bt_dev_dbg(hdev, "sock %p", sk);
6090
6091	hci_dev_lock(hdev);
6092
6093	if (!hci_discovery_active(hdev)) {
6094	err = mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_STOP_DISCOVERY,
6095	MGMT_STATUS_REJECTED, rp: &mgmt_cp->type,
6096	rp_len: sizeof(mgmt_cp->type));
6097	goto unlock;
6098	}
6099
6100	if (hdev->discovery.type != mgmt_cp->type) {
6101	err = mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_STOP_DISCOVERY,
6102	MGMT_STATUS_INVALID_PARAMS,
6103	rp: &mgmt_cp->type, rp_len: sizeof(mgmt_cp->type));
6104	goto unlock;
6105	}
6106
6107	cmd = mgmt_pending_add(sk, MGMT_OP_STOP_DISCOVERY, hdev, data, len);
6108	if (!cmd) {
6109	err = -ENOMEM;
6110	goto unlock;
6111	}
6112
6113	err = hci_cmd_sync_queue(hdev, func: stop_discovery_sync, data: cmd,
6114	destroy: stop_discovery_complete);
6115	if (err < 0) {
6116	mgmt_pending_remove(cmd);
6117	goto unlock;
6118	}
6119
6120	hci_discovery_set_state(hdev, state: DISCOVERY_STOPPING);
6121
6122	unlock:
6123	hci_dev_unlock(hdev);
6124	return err;
6125	}
6126
6127	static int confirm_name(struct sock *sk, struct hci_dev *hdev, void *data,
6128	u16 len)
6129	{
6130	struct mgmt_cp_confirm_name *cp = data;
6131	struct inquiry_entry *e;
6132	int err;
6133
6134	bt_dev_dbg(hdev, "sock %p", sk);
6135
6136	hci_dev_lock(hdev);
6137
6138	if (!hci_discovery_active(hdev)) {
6139	err = mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_CONFIRM_NAME,
6140	MGMT_STATUS_FAILED, rp: &cp->addr,
6141	rp_len: sizeof(cp->addr));
6142	goto failed;
6143	}
6144
6145	e = hci_inquiry_cache_lookup_unknown(hdev, bdaddr: &cp->addr.bdaddr);
6146	if (!e) {
6147	err = mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_CONFIRM_NAME,
6148	MGMT_STATUS_INVALID_PARAMS, rp: &cp->addr,
6149	rp_len: sizeof(cp->addr));
6150	goto failed;
6151	}
6152
6153	if (cp->name_known) {
6154	e->name_state = NAME_KNOWN;
6155	list_del(entry: &e->list);
6156	} else {
6157	e->name_state = NAME_NEEDED;
6158	hci_inquiry_cache_update_resolve(hdev, ie: e);
6159	}
6160
6161	err = mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_CONFIRM_NAME, status: 0,
6162	rp: &cp->addr, rp_len: sizeof(cp->addr));
6163
6164	failed:
6165	hci_dev_unlock(hdev);
6166	return err;
6167	}
6168
6169	static int block_device(struct sock *sk, struct hci_dev *hdev, void *data,
6170	u16 len)
6171	{
6172	struct mgmt_cp_block_device *cp = data;
6173	u8 status;
6174	int err;
6175
6176	bt_dev_dbg(hdev, "sock %p", sk);
6177
6178	if (!bdaddr_type_is_valid(type: cp->addr.type))
6179	return mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_BLOCK_DEVICE,
6180	MGMT_STATUS_INVALID_PARAMS,
6181	rp: &cp->addr, rp_len: sizeof(cp->addr));
6182
6183	hci_dev_lock(hdev);
6184
6185	err = hci_bdaddr_list_add(list: &hdev->reject_list, bdaddr: &cp->addr.bdaddr,
6186	type: cp->addr.type);
6187	if (err < 0) {
6188	status = MGMT_STATUS_FAILED;
6189	goto done;
6190	}
6191
6192	mgmt_event(MGMT_EV_DEVICE_BLOCKED, hdev, data: &cp->addr, len: sizeof(cp->addr),
6193	skip_sk: sk);
6194	status = MGMT_STATUS_SUCCESS;
6195
6196	done:
6197	err = mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_BLOCK_DEVICE, status,
6198	rp: &cp->addr, rp_len: sizeof(cp->addr));
6199
6200	hci_dev_unlock(hdev);
6201
6202	return err;
6203	}
6204
6205	static int unblock_device(struct sock *sk, struct hci_dev *hdev, void *data,
6206	u16 len)
6207	{
6208	struct mgmt_cp_unblock_device *cp = data;
6209	u8 status;
6210	int err;
6211
6212	bt_dev_dbg(hdev, "sock %p", sk);
6213
6214	if (!bdaddr_type_is_valid(type: cp->addr.type))
6215	return mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_UNBLOCK_DEVICE,
6216	MGMT_STATUS_INVALID_PARAMS,
6217	rp: &cp->addr, rp_len: sizeof(cp->addr));
6218
6219	hci_dev_lock(hdev);
6220
6221	err = hci_bdaddr_list_del(list: &hdev->reject_list, bdaddr: &cp->addr.bdaddr,
6222	type: cp->addr.type);
6223	if (err < 0) {
6224	status = MGMT_STATUS_INVALID_PARAMS;
6225	goto done;
6226	}
6227
6228	mgmt_event(MGMT_EV_DEVICE_UNBLOCKED, hdev, data: &cp->addr, len: sizeof(cp->addr),
6229	skip_sk: sk);
6230	status = MGMT_STATUS_SUCCESS;
6231
6232	done:
6233	err = mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_UNBLOCK_DEVICE, status,
6234	rp: &cp->addr, rp_len: sizeof(cp->addr));
6235
6236	hci_dev_unlock(hdev);
6237
6238	return err;
6239	}
6240
6241	static int set_device_id_sync(struct hci_dev *hdev, void *data)
6242	{
6243	return hci_update_eir_sync(hdev);
6244	}
6245
6246	static int set_device_id(struct sock *sk, struct hci_dev *hdev, void *data,
6247	u16 len)
6248	{
6249	struct mgmt_cp_set_device_id *cp = data;
6250	int err;
6251	__u16 source;
6252
6253	bt_dev_dbg(hdev, "sock %p", sk);
6254
6255	source = __le16_to_cpu(cp->source);
6256
6257	if (source > 0x0002)
6258	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_DEVICE_ID,
6259	MGMT_STATUS_INVALID_PARAMS);
6260
6261	hci_dev_lock(hdev);
6262
6263	hdev->devid_source = source;
6264	hdev->devid_vendor = __le16_to_cpu(cp->vendor);
6265	hdev->devid_product = __le16_to_cpu(cp->product);
6266	hdev->devid_version = __le16_to_cpu(cp->version);
6267
6268	err = mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_SET_DEVICE_ID, status: 0,
6269	NULL, rp_len: 0);
6270
6271	hci_cmd_sync_queue(hdev, func: set_device_id_sync, NULL, NULL);
6272
6273	hci_dev_unlock(hdev);
6274
6275	return err;
6276	}
6277
6278	static void enable_advertising_instance(struct hci_dev *hdev, int err)
6279	{
6280	if (err)
6281	bt_dev_err(hdev, "failed to re-configure advertising %d", err);
6282	else
6283	bt_dev_dbg(hdev, "status %d", err);
6284	}
6285
6286	static void set_advertising_complete(struct hci_dev *hdev, void *data, int err)
6287	{
6288	struct cmd_lookup match = { NULL, hdev };
6289	u8 instance;
6290	struct adv_info *adv_instance;
6291	u8 status = mgmt_status(err);
6292
6293	if (status) {
6294	mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev,
6295	cb: cmd_status_rsp, data: &status);
6296	return;
6297	}
6298
6299	if (hci_dev_test_flag(hdev, HCI_LE_ADV))
6300	hci_dev_set_flag(hdev, HCI_ADVERTISING);
6301	else
6302	hci_dev_clear_flag(hdev, HCI_ADVERTISING);
6303
6304	mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev, cb: settings_rsp,
6305	data: &match);
6306
6307	new_settings(hdev, skip: match.sk);
6308
6309	if (match.sk)
6310	sock_put(sk: match.sk);
6311
6312	/* If "Set Advertising" was just disabled and instance advertising was
6313	* set up earlier, then re-enable multi-instance advertising.
6314	*/
6315	if (hci_dev_test_flag(hdev, HCI_ADVERTISING) ||
6316	list_empty(head: &hdev->adv_instances))
6317	return;
6318
6319	instance = hdev->cur_adv_instance;
6320	if (!instance) {
6321	adv_instance = list_first_entry_or_null(&hdev->adv_instances,
6322	struct adv_info, list);
6323	if (!adv_instance)
6324	return;
6325
6326	instance = adv_instance->instance;
6327	}
6328
6329	err = hci_schedule_adv_instance_sync(hdev, instance, force: true);
6330
6331	enable_advertising_instance(hdev, err);
6332	}
6333
6334	static int set_adv_sync(struct hci_dev *hdev, void *data)
6335	{
6336	struct mgmt_pending_cmd *cmd = data;
6337	struct mgmt_mode *cp = cmd->param;
6338	u8 val = !!cp->val;
6339
6340	if (cp->val == 0x02)
6341	hci_dev_set_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
6342	else
6343	hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
6344
6345	cancel_adv_timeout(hdev);
6346
6347	if (val) {
6348	/* Switch to instance "0" for the Set Advertising setting.
6349	* We cannot use update_[adv|scan_rsp]_data() here as the
6350	* HCI_ADVERTISING flag is not yet set.
6351	*/
6352	hdev->cur_adv_instance = 0x00;
6353
6354	if (ext_adv_capable(hdev)) {
6355	hci_start_ext_adv_sync(hdev, instance: 0x00);
6356	} else {
6357	hci_update_adv_data_sync(hdev, instance: 0x00);
6358	hci_update_scan_rsp_data_sync(hdev, instance: 0x00);
6359	hci_enable_advertising_sync(hdev);
6360	}
6361	} else {
6362	hci_disable_advertising_sync(hdev);
6363	}
6364
6365	return 0;
6366	}
6367
6368	static int set_advertising(struct sock *sk, struct hci_dev *hdev, void *data,
6369	u16 len)
6370	{
6371	struct mgmt_mode *cp = data;
6372	struct mgmt_pending_cmd *cmd;
6373	u8 val, status;
6374	int err;
6375
6376	bt_dev_dbg(hdev, "sock %p", sk);
6377
6378	status = mgmt_le_support(hdev);
6379	if (status)
6380	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_ADVERTISING,
6381	status);
6382
6383	if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
6384	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_ADVERTISING,
6385	MGMT_STATUS_INVALID_PARAMS);
6386
6387	if (hdev->advertising_paused)
6388	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_ADVERTISING,
6389	MGMT_STATUS_BUSY);
6390
6391	hci_dev_lock(hdev);
6392
6393	val = !!cp->val;
6394
6395	/* The following conditions are ones which mean that we should
6396	* not do any HCI communication but directly send a mgmt
6397	* response to user space (after toggling the flag if
6398	* necessary).
6399	*/
6400	if (!hdev_is_powered(hdev) ||
6401	(val == hci_dev_test_flag(hdev, HCI_ADVERTISING) &&
6402	(cp->val == 0x02) == hci_dev_test_flag(hdev, HCI_ADVERTISING_CONNECTABLE)) ||
6403	hci_dev_test_flag(hdev, HCI_MESH) ||
6404	hci_conn_num(hdev, LE_LINK) > 0 ||
6405	(hci_dev_test_flag(hdev, HCI_LE_SCAN) &&
6406	hdev->le_scan_type == LE_SCAN_ACTIVE)) {
6407	bool changed;
6408
6409	if (cp->val) {
6410	hdev->cur_adv_instance = 0x00;
6411	changed = !hci_dev_test_and_set_flag(hdev, HCI_ADVERTISING);
6412	if (cp->val == 0x02)
6413	hci_dev_set_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
6414	else
6415	hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
6416	} else {
6417	changed = hci_dev_test_and_clear_flag(hdev, HCI_ADVERTISING);
6418	hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
6419	}
6420
6421	err = send_settings_rsp(sk, MGMT_OP_SET_ADVERTISING, hdev);
6422	if (err < 0)
6423	goto unlock;
6424
6425	if (changed)
6426	err = new_settings(hdev, skip: sk);
6427
6428	goto unlock;
6429	}
6430
6431	if (pending_find(MGMT_OP_SET_ADVERTISING, hdev) ||
6432	pending_find(MGMT_OP_SET_LE, hdev)) {
6433	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_ADVERTISING,
6434	MGMT_STATUS_BUSY);
6435	goto unlock;
6436	}
6437
6438	cmd = mgmt_pending_add(sk, MGMT_OP_SET_ADVERTISING, hdev, data, len);
6439	if (!cmd)
6440	err = -ENOMEM;
6441	else
6442	err = hci_cmd_sync_queue(hdev, func: set_adv_sync, data: cmd,
6443	destroy: set_advertising_complete);
6444
6445	if (err < 0 && cmd)
6446	mgmt_pending_remove(cmd);
6447
6448	unlock:
6449	hci_dev_unlock(hdev);
6450	return err;
6451	}
6452
6453	static int set_static_address(struct sock *sk, struct hci_dev *hdev,
6454	void *data, u16 len)
6455	{
6456	struct mgmt_cp_set_static_address *cp = data;
6457	int err;
6458
6459	bt_dev_dbg(hdev, "sock %p", sk);
6460
6461	if (!lmp_le_capable(hdev))
6462	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_STATIC_ADDRESS,
6463	MGMT_STATUS_NOT_SUPPORTED);
6464
6465	if (hdev_is_powered(hdev))
6466	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_STATIC_ADDRESS,
6467	MGMT_STATUS_REJECTED);
6468
6469	if (bacmp(ba1: &cp->bdaddr, BDADDR_ANY)) {
6470	if (!bacmp(ba1: &cp->bdaddr, BDADDR_NONE))
6471	return mgmt_cmd_status(sk, index: hdev->id,
6472	MGMT_OP_SET_STATIC_ADDRESS,
6473	MGMT_STATUS_INVALID_PARAMS);
6474
6475	/* Two most significant bits shall be set */
6476	if ((cp->bdaddr.b[5] & 0xc0) != 0xc0)
6477	return mgmt_cmd_status(sk, index: hdev->id,
6478	MGMT_OP_SET_STATIC_ADDRESS,
6479	MGMT_STATUS_INVALID_PARAMS);
6480	}
6481
6482	hci_dev_lock(hdev);
6483
6484	bacpy(dst: &hdev->static_addr, src: &cp->bdaddr);
6485
6486	err = send_settings_rsp(sk, MGMT_OP_SET_STATIC_ADDRESS, hdev);
6487	if (err < 0)
6488	goto unlock;
6489
6490	err = new_settings(hdev, skip: sk);
6491
6492	unlock:
6493	hci_dev_unlock(hdev);
6494	return err;
6495	}
6496
6497	static int set_scan_params(struct sock *sk, struct hci_dev *hdev,
6498	void *data, u16 len)
6499	{
6500	struct mgmt_cp_set_scan_params *cp = data;
6501	__u16 interval, window;
6502	int err;
6503
6504	bt_dev_dbg(hdev, "sock %p", sk);
6505
6506	if (!lmp_le_capable(hdev))
6507	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_SCAN_PARAMS,
6508	MGMT_STATUS_NOT_SUPPORTED);
6509
6510	interval = __le16_to_cpu(cp->interval);
6511
6512	if (interval < 0x0004 || interval > 0x4000)
6513	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_SCAN_PARAMS,
6514	MGMT_STATUS_INVALID_PARAMS);
6515
6516	window = __le16_to_cpu(cp->window);
6517
6518	if (window < 0x0004 || window > 0x4000)
6519	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_SCAN_PARAMS,
6520	MGMT_STATUS_INVALID_PARAMS);
6521
6522	if (window > interval)
6523	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_SCAN_PARAMS,
6524	MGMT_STATUS_INVALID_PARAMS);
6525
6526	hci_dev_lock(hdev);
6527
6528	hdev->le_scan_interval = interval;
6529	hdev->le_scan_window = window;
6530
6531	err = mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_SET_SCAN_PARAMS, status: 0,
6532	NULL, rp_len: 0);
6533
6534	/* If background scan is running, restart it so new parameters are
6535	* loaded.
6536	*/
6537	if (hci_dev_test_flag(hdev, HCI_LE_SCAN) &&
6538	hdev->discovery.state == DISCOVERY_STOPPED)
6539	hci_update_passive_scan(hdev);
6540
6541	hci_dev_unlock(hdev);
6542
6543	return err;
6544	}
6545
6546	static void fast_connectable_complete(struct hci_dev *hdev, void *data, int err)
6547	{
6548	struct mgmt_pending_cmd *cmd = data;
6549
6550	bt_dev_dbg(hdev, "err %d", err);
6551
6552	if (err) {
6553	mgmt_cmd_status(sk: cmd->sk, index: hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
6554	status: mgmt_status(err));
6555	} else {
6556	struct mgmt_mode *cp = cmd->param;
6557
6558	if (cp->val)
6559	hci_dev_set_flag(hdev, HCI_FAST_CONNECTABLE);
6560	else
6561	hci_dev_clear_flag(hdev, HCI_FAST_CONNECTABLE);
6562
6563	send_settings_rsp(sk: cmd->sk, MGMT_OP_SET_FAST_CONNECTABLE, hdev);
6564	new_settings(hdev, skip: cmd->sk);
6565	}
6566
6567	mgmt_pending_free(cmd);
6568	}
6569
6570	static int write_fast_connectable_sync(struct hci_dev *hdev, void *data)
6571	{
6572	struct mgmt_pending_cmd *cmd = data;
6573	struct mgmt_mode *cp = cmd->param;
6574
6575	return hci_write_fast_connectable_sync(hdev, enable: cp->val);
6576	}
6577
6578	static int set_fast_connectable(struct sock *sk, struct hci_dev *hdev,
6579	void *data, u16 len)
6580	{
6581	struct mgmt_mode *cp = data;
6582	struct mgmt_pending_cmd *cmd;
6583	int err;
6584
6585	bt_dev_dbg(hdev, "sock %p", sk);
6586
6587	if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) ||
6588	hdev->hci_ver < BLUETOOTH_VER_1_2)
6589	return mgmt_cmd_status(sk, index: hdev->id,
6590	MGMT_OP_SET_FAST_CONNECTABLE,
6591	MGMT_STATUS_NOT_SUPPORTED);
6592
6593	if (cp->val != 0x00 && cp->val != 0x01)
6594	return mgmt_cmd_status(sk, index: hdev->id,
6595	MGMT_OP_SET_FAST_CONNECTABLE,
6596	MGMT_STATUS_INVALID_PARAMS);
6597
6598	hci_dev_lock(hdev);
6599
6600	if (!!cp->val == hci_dev_test_flag(hdev, HCI_FAST_CONNECTABLE)) {
6601	err = send_settings_rsp(sk, MGMT_OP_SET_FAST_CONNECTABLE, hdev);
6602	goto unlock;
6603	}
6604
6605	if (!hdev_is_powered(hdev)) {
6606	hci_dev_change_flag(hdev, HCI_FAST_CONNECTABLE);
6607	err = send_settings_rsp(sk, MGMT_OP_SET_FAST_CONNECTABLE, hdev);
6608	new_settings(hdev, skip: sk);
6609	goto unlock;
6610	}
6611
6612	cmd = mgmt_pending_new(sk, MGMT_OP_SET_FAST_CONNECTABLE, hdev, data,
6613	len);
6614	if (!cmd)
6615	err = -ENOMEM;
6616	else
6617	err = hci_cmd_sync_queue(hdev, func: write_fast_connectable_sync, data: cmd,
6618	destroy: fast_connectable_complete);
6619
6620	if (err < 0) {
6621	mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
6622	MGMT_STATUS_FAILED);
6623
6624	if (cmd)
6625	mgmt_pending_free(cmd);
6626	}
6627
6628	unlock:
6629	hci_dev_unlock(hdev);
6630
6631	return err;
6632	}
6633
6634	static void set_bredr_complete(struct hci_dev *hdev, void *data, int err)
6635	{
6636	struct mgmt_pending_cmd *cmd = data;
6637
6638	bt_dev_dbg(hdev, "err %d", err);
6639
6640	if (err) {
6641	u8 mgmt_err = mgmt_status(err);
6642
6643	/* We need to restore the flag if related HCI commands
6644	* failed.
6645	*/
6646	hci_dev_clear_flag(hdev, HCI_BREDR_ENABLED);
6647
6648	mgmt_cmd_status(sk: cmd->sk, index: cmd->index, cmd: cmd->opcode, status: mgmt_err);
6649	} else {
6650	send_settings_rsp(sk: cmd->sk, MGMT_OP_SET_BREDR, hdev);
6651	new_settings(hdev, skip: cmd->sk);
6652	}
6653
6654	mgmt_pending_free(cmd);
6655	}
6656
6657	static int set_bredr_sync(struct hci_dev *hdev, void *data)
6658	{
6659	int status;
6660
6661	status = hci_write_fast_connectable_sync(hdev, enable: false);
6662
6663	if (!status)
6664	status = hci_update_scan_sync(hdev);
6665
6666	/* Since only the advertising data flags will change, there
6667	* is no need to update the scan response data.
6668	*/
6669	if (!status)
6670	status = hci_update_adv_data_sync(hdev, instance: hdev->cur_adv_instance);
6671
6672	return status;
6673	}
6674
6675	static int set_bredr(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
6676	{
6677	struct mgmt_mode *cp = data;
6678	struct mgmt_pending_cmd *cmd;
6679	int err;
6680
6681	bt_dev_dbg(hdev, "sock %p", sk);
6682
6683	if (!lmp_bredr_capable(hdev) || !lmp_le_capable(hdev))
6684	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_BREDR,
6685	MGMT_STATUS_NOT_SUPPORTED);
6686
6687	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
6688	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_BREDR,
6689	MGMT_STATUS_REJECTED);
6690
6691	if (cp->val != 0x00 && cp->val != 0x01)
6692	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_BREDR,
6693	MGMT_STATUS_INVALID_PARAMS);
6694
6695	hci_dev_lock(hdev);
6696
6697	if (cp->val == hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
6698	err = send_settings_rsp(sk, MGMT_OP_SET_BREDR, hdev);
6699	goto unlock;
6700	}
6701
6702	if (!hdev_is_powered(hdev)) {
6703	if (!cp->val) {
6704	hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
6705	hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
6706	hci_dev_clear_flag(hdev, HCI_LINK_SECURITY);
6707	hci_dev_clear_flag(hdev, HCI_FAST_CONNECTABLE);
6708	}
6709
6710	hci_dev_change_flag(hdev, HCI_BREDR_ENABLED);
6711
6712	err = send_settings_rsp(sk, MGMT_OP_SET_BREDR, hdev);
6713	if (err < 0)
6714	goto unlock;
6715
6716	err = new_settings(hdev, skip: sk);
6717	goto unlock;
6718	}
6719
6720	/* Reject disabling when powered on */
6721	if (!cp->val) {
6722	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_BREDR,
6723	MGMT_STATUS_REJECTED);
6724	goto unlock;
6725	} else {
6726	/* When configuring a dual-mode controller to operate
6727	* with LE only and using a static address, then switching
6728	* BR/EDR back on is not allowed.
6729	*
6730	* Dual-mode controllers shall operate with the public
6731	* address as its identity address for BR/EDR and LE. So
6732	* reject the attempt to create an invalid configuration.
6733	*
6734	* The same restrictions applies when secure connections
6735	* has been enabled. For BR/EDR this is a controller feature
6736	* while for LE it is a host stack feature. This means that
6737	* switching BR/EDR back on when secure connections has been
6738	* enabled is not a supported transaction.
6739	*/
6740	if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
6741	(bacmp(ba1: &hdev->static_addr, BDADDR_ANY) ||
6742	hci_dev_test_flag(hdev, HCI_SC_ENABLED))) {
6743	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_BREDR,
6744	MGMT_STATUS_REJECTED);
6745	goto unlock;
6746	}
6747	}
6748
6749	cmd = mgmt_pending_new(sk, MGMT_OP_SET_BREDR, hdev, data, len);
6750	if (!cmd)
6751	err = -ENOMEM;
6752	else
6753	err = hci_cmd_sync_queue(hdev, func: set_bredr_sync, data: cmd,
6754	destroy: set_bredr_complete);
6755
6756	if (err < 0) {
6757	mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_BREDR,
6758	MGMT_STATUS_FAILED);
6759	if (cmd)
6760	mgmt_pending_free(cmd);
6761
6762	goto unlock;
6763	}
6764
6765	/* We need to flip the bit already here so that
6766	* hci_req_update_adv_data generates the correct flags.
6767	*/
6768	hci_dev_set_flag(hdev, HCI_BREDR_ENABLED);
6769
6770	unlock:
6771	hci_dev_unlock(hdev);
6772	return err;
6773	}
6774
6775	static void set_secure_conn_complete(struct hci_dev *hdev, void *data, int err)
6776	{
6777	struct mgmt_pending_cmd *cmd = data;
6778	struct mgmt_mode *cp;
6779
6780	bt_dev_dbg(hdev, "err %d", err);
6781
6782	if (err) {
6783	u8 mgmt_err = mgmt_status(err);
6784
6785	mgmt_cmd_status(sk: cmd->sk, index: cmd->index, cmd: cmd->opcode, status: mgmt_err);
6786	goto done;
6787	}
6788
6789	cp = cmd->param;
6790
6791	switch (cp->val) {
6792	case 0x00:
6793	hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
6794	hci_dev_clear_flag(hdev, HCI_SC_ONLY);
6795	break;
6796	case 0x01:
6797	hci_dev_set_flag(hdev, HCI_SC_ENABLED);
6798	hci_dev_clear_flag(hdev, HCI_SC_ONLY);
6799	break;
6800	case 0x02:
6801	hci_dev_set_flag(hdev, HCI_SC_ENABLED);
6802	hci_dev_set_flag(hdev, HCI_SC_ONLY);
6803	break;
6804	}
6805
6806	send_settings_rsp(sk: cmd->sk, opcode: cmd->opcode, hdev);
6807	new_settings(hdev, skip: cmd->sk);
6808
6809	done:
6810	mgmt_pending_free(cmd);
6811	}
6812
6813	static int set_secure_conn_sync(struct hci_dev *hdev, void *data)
6814	{
6815	struct mgmt_pending_cmd *cmd = data;
6816	struct mgmt_mode *cp = cmd->param;
6817	u8 val = !!cp->val;
6818
6819	/* Force write of val */
6820	hci_dev_set_flag(hdev, HCI_SC_ENABLED);
6821
6822	return hci_write_sc_support_sync(hdev, val);
6823	}
6824
6825	static int set_secure_conn(struct sock *sk, struct hci_dev *hdev,
6826	void *data, u16 len)
6827	{
6828	struct mgmt_mode *cp = data;
6829	struct mgmt_pending_cmd *cmd;
6830	u8 val;
6831	int err;
6832
6833	bt_dev_dbg(hdev, "sock %p", sk);
6834
6835	if (!lmp_sc_capable(hdev) &&
6836	!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
6837	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_SECURE_CONN,
6838	MGMT_STATUS_NOT_SUPPORTED);
6839
6840	if (hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
6841	lmp_sc_capable(hdev) &&
6842	!hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
6843	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_SECURE_CONN,
6844	MGMT_STATUS_REJECTED);
6845
6846	if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
6847	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_SECURE_CONN,
6848	MGMT_STATUS_INVALID_PARAMS);
6849
6850	hci_dev_lock(hdev);
6851
6852	if (!hdev_is_powered(hdev) || !lmp_sc_capable(hdev) ||
6853	!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
6854	bool changed;
6855
6856	if (cp->val) {
6857	changed = !hci_dev_test_and_set_flag(hdev,
6858	HCI_SC_ENABLED);
6859	if (cp->val == 0x02)
6860	hci_dev_set_flag(hdev, HCI_SC_ONLY);
6861	else
6862	hci_dev_clear_flag(hdev, HCI_SC_ONLY);
6863	} else {
6864	changed = hci_dev_test_and_clear_flag(hdev,
6865	HCI_SC_ENABLED);
6866	hci_dev_clear_flag(hdev, HCI_SC_ONLY);
6867	}
6868
6869	err = send_settings_rsp(sk, MGMT_OP_SET_SECURE_CONN, hdev);
6870	if (err < 0)
6871	goto failed;
6872
6873	if (changed)
6874	err = new_settings(hdev, skip: sk);
6875
6876	goto failed;
6877	}
6878
6879	val = !!cp->val;
6880
6881	if (val == hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
6882	(cp->val == 0x02) == hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
6883	err = send_settings_rsp(sk, MGMT_OP_SET_SECURE_CONN, hdev);
6884	goto failed;
6885	}
6886
6887	cmd = mgmt_pending_new(sk, MGMT_OP_SET_SECURE_CONN, hdev, data, len);
6888	if (!cmd)
6889	err = -ENOMEM;
6890	else
6891	err = hci_cmd_sync_queue(hdev, func: set_secure_conn_sync, data: cmd,
6892	destroy: set_secure_conn_complete);
6893
6894	if (err < 0) {
6895	mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_SECURE_CONN,
6896	MGMT_STATUS_FAILED);
6897	if (cmd)
6898	mgmt_pending_free(cmd);
6899	}
6900
6901	failed:
6902	hci_dev_unlock(hdev);
6903	return err;
6904	}
6905
6906	static int set_debug_keys(struct sock *sk, struct hci_dev *hdev,
6907	void *data, u16 len)
6908	{
6909	struct mgmt_mode *cp = data;
6910	bool changed, use_changed;
6911	int err;
6912
6913	bt_dev_dbg(hdev, "sock %p", sk);
6914
6915	if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
6916	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_DEBUG_KEYS,
6917	MGMT_STATUS_INVALID_PARAMS);
6918
6919	hci_dev_lock(hdev);
6920
6921	if (cp->val)
6922	changed = !hci_dev_test_and_set_flag(hdev, HCI_KEEP_DEBUG_KEYS);
6923	else
6924	changed = hci_dev_test_and_clear_flag(hdev,
6925	HCI_KEEP_DEBUG_KEYS);
6926
6927	if (cp->val == 0x02)
6928	use_changed = !hci_dev_test_and_set_flag(hdev,
6929	HCI_USE_DEBUG_KEYS);
6930	else
6931	use_changed = hci_dev_test_and_clear_flag(hdev,
6932	HCI_USE_DEBUG_KEYS);
6933
6934	if (hdev_is_powered(hdev) && use_changed &&
6935	hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
6936	u8 mode = (cp->val == 0x02) ? 0x01 : 0x00;
6937	hci_send_cmd(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE,
6938	plen: sizeof(mode), param: &mode);
6939	}
6940
6941	err = send_settings_rsp(sk, MGMT_OP_SET_DEBUG_KEYS, hdev);
6942	if (err < 0)
6943	goto unlock;
6944
6945	if (changed)
6946	err = new_settings(hdev, skip: sk);
6947
6948	unlock:
6949	hci_dev_unlock(hdev);
6950	return err;
6951	}
6952
6953	static int set_privacy(struct sock *sk, struct hci_dev *hdev, void *cp_data,
6954	u16 len)
6955	{
6956	struct mgmt_cp_set_privacy *cp = cp_data;
6957	bool changed;
6958	int err;
6959
6960	bt_dev_dbg(hdev, "sock %p", sk);
6961
6962	if (!lmp_le_capable(hdev))
6963	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_PRIVACY,
6964	MGMT_STATUS_NOT_SUPPORTED);
6965
6966	if (cp->privacy != 0x00 && cp->privacy != 0x01 && cp->privacy != 0x02)
6967	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_PRIVACY,
6968	MGMT_STATUS_INVALID_PARAMS);
6969
6970	if (hdev_is_powered(hdev))
6971	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_PRIVACY,
6972	MGMT_STATUS_REJECTED);
6973
6974	hci_dev_lock(hdev);
6975
6976	/* If user space supports this command it is also expected to
6977	* handle IRKs. Therefore, set the HCI_RPA_RESOLVING flag.
6978	*/
6979	hci_dev_set_flag(hdev, HCI_RPA_RESOLVING);
6980
6981	if (cp->privacy) {
6982	changed = !hci_dev_test_and_set_flag(hdev, HCI_PRIVACY);
6983	memcpy(hdev->irk, cp->irk, sizeof(hdev->irk));
6984	hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
6985	hci_adv_instances_set_rpa_expired(hdev, rpa_expired: true);
6986	if (cp->privacy == 0x02)
6987	hci_dev_set_flag(hdev, HCI_LIMITED_PRIVACY);
6988	else
6989	hci_dev_clear_flag(hdev, HCI_LIMITED_PRIVACY);
6990	} else {
6991	changed = hci_dev_test_and_clear_flag(hdev, HCI_PRIVACY);
6992	memset(hdev->irk, 0, sizeof(hdev->irk));
6993	hci_dev_clear_flag(hdev, HCI_RPA_EXPIRED);
6994	hci_adv_instances_set_rpa_expired(hdev, rpa_expired: false);
6995	hci_dev_clear_flag(hdev, HCI_LIMITED_PRIVACY);
6996	}
6997
6998	err = send_settings_rsp(sk, MGMT_OP_SET_PRIVACY, hdev);
6999	if (err < 0)
7000	goto unlock;
7001
7002	if (changed)
7003	err = new_settings(hdev, skip: sk);
7004
7005	unlock:
7006	hci_dev_unlock(hdev);
7007	return err;
7008	}
7009
7010	static bool irk_is_valid(struct mgmt_irk_info *irk)
7011	{
7012	switch (irk->addr.type) {
7013	case BDADDR_LE_PUBLIC:
7014	return true;
7015
7016	case BDADDR_LE_RANDOM:
7017	/* Two most significant bits shall be set */
7018	if ((irk->addr.bdaddr.b[5] & 0xc0) != 0xc0)
7019	return false;
7020	return true;
7021	}
7022
7023	return false;
7024	}
7025
7026	static int load_irks(struct sock *sk, struct hci_dev *hdev, void *cp_data,
7027	u16 len)
7028	{
7029	struct mgmt_cp_load_irks *cp = cp_data;
7030	const u16 max_irk_count = ((U16_MAX - sizeof(*cp)) /
7031	sizeof(struct mgmt_irk_info));
7032	u16 irk_count, expected_len;
7033	int i, err;
7034
7035	bt_dev_dbg(hdev, "sock %p", sk);
7036
7037	if (!lmp_le_capable(hdev))
7038	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_LOAD_IRKS,
7039	MGMT_STATUS_NOT_SUPPORTED);
7040
7041	irk_count = __le16_to_cpu(cp->irk_count);
7042	if (irk_count > max_irk_count) {
7043	bt_dev_err(hdev, "load_irks: too big irk_count value %u",
7044	irk_count);
7045	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_LOAD_IRKS,
7046	MGMT_STATUS_INVALID_PARAMS);
7047	}
7048
7049	expected_len = struct_size(cp, irks, irk_count);
7050	if (expected_len != len) {
7051	bt_dev_err(hdev, "load_irks: expected %u bytes, got %u bytes",
7052	expected_len, len);
7053	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_LOAD_IRKS,
7054	MGMT_STATUS_INVALID_PARAMS);
7055	}
7056
7057	bt_dev_dbg(hdev, "irk_count %u", irk_count);
7058
7059	for (i = 0; i < irk_count; i++) {
7060	struct mgmt_irk_info *key = &cp->irks[i];
7061
7062	if (!irk_is_valid(irk: key))
7063	return mgmt_cmd_status(sk, index: hdev->id,
7064	MGMT_OP_LOAD_IRKS,
7065	MGMT_STATUS_INVALID_PARAMS);
7066	}
7067
7068	hci_dev_lock(hdev);
7069
7070	hci_smp_irks_clear(hdev);
7071
7072	for (i = 0; i < irk_count; i++) {
7073	struct mgmt_irk_info *irk = &cp->irks[i];
7074	u8 addr_type = le_addr_type(mgmt_addr_type: irk->addr.type);
7075
7076	if (hci_is_blocked_key(hdev,
7077	HCI_BLOCKED_KEY_TYPE_IRK,
7078	val: irk->val)) {
7079	bt_dev_warn(hdev, "Skipping blocked IRK for %pMR",
7080	&irk->addr.bdaddr);
7081	continue;
7082	}
7083
7084	/* When using SMP over BR/EDR, the addr type should be set to BREDR */
7085	if (irk->addr.type == BDADDR_BREDR)
7086	addr_type = BDADDR_BREDR;
7087
7088	hci_add_irk(hdev, bdaddr: &irk->addr.bdaddr,
7089	addr_type, val: irk->val,
7090	BDADDR_ANY);
7091	}
7092
7093	hci_dev_set_flag(hdev, HCI_RPA_RESOLVING);
7094
7095	err = mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_LOAD_IRKS, status: 0, NULL, rp_len: 0);
7096
7097	hci_dev_unlock(hdev);
7098
7099	return err;
7100	}
7101
7102	static bool ltk_is_valid(struct mgmt_ltk_info *key)
7103	{
7104	if (key->initiator != 0x00 && key->initiator != 0x01)
7105	return false;
7106
7107	switch (key->addr.type) {
7108	case BDADDR_LE_PUBLIC:
7109	return true;
7110
7111	case BDADDR_LE_RANDOM:
7112	/* Two most significant bits shall be set */
7113	if ((key->addr.bdaddr.b[5] & 0xc0) != 0xc0)
7114	return false;
7115	return true;
7116	}
7117
7118	return false;
7119	}
7120
7121	static int load_long_term_keys(struct sock *sk, struct hci_dev *hdev,
7122	void *cp_data, u16 len)
7123	{
7124	struct mgmt_cp_load_long_term_keys *cp = cp_data;
7125	const u16 max_key_count = ((U16_MAX - sizeof(*cp)) /
7126	sizeof(struct mgmt_ltk_info));
7127	u16 key_count, expected_len;
7128	int i, err;
7129
7130	bt_dev_dbg(hdev, "sock %p", sk);
7131
7132	if (!lmp_le_capable(hdev))
7133	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS,
7134	MGMT_STATUS_NOT_SUPPORTED);
7135
7136	key_count = __le16_to_cpu(cp->key_count);
7137	if (key_count > max_key_count) {
7138	bt_dev_err(hdev, "load_ltks: too big key_count value %u",
7139	key_count);
7140	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS,
7141	MGMT_STATUS_INVALID_PARAMS);
7142	}
7143
7144	expected_len = struct_size(cp, keys, key_count);
7145	if (expected_len != len) {
7146	bt_dev_err(hdev, "load_keys: expected %u bytes, got %u bytes",
7147	expected_len, len);
7148	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS,
7149	MGMT_STATUS_INVALID_PARAMS);
7150	}
7151
7152	bt_dev_dbg(hdev, "key_count %u", key_count);
7153
7154	for (i = 0; i < key_count; i++) {
7155	struct mgmt_ltk_info *key = &cp->keys[i];
7156
7157	if (!ltk_is_valid(key))
7158	return mgmt_cmd_status(sk, index: hdev->id,
7159	MGMT_OP_LOAD_LONG_TERM_KEYS,
7160	MGMT_STATUS_INVALID_PARAMS);
7161	}
7162
7163	hci_dev_lock(hdev);
7164
7165	hci_smp_ltks_clear(hdev);
7166
7167	for (i = 0; i < key_count; i++) {
7168	struct mgmt_ltk_info *key = &cp->keys[i];
7169	u8 type, authenticated;
7170	u8 addr_type = le_addr_type(mgmt_addr_type: key->addr.type);
7171
7172	if (hci_is_blocked_key(hdev,
7173	HCI_BLOCKED_KEY_TYPE_LTK,
7174	val: key->val)) {
7175	bt_dev_warn(hdev, "Skipping blocked LTK for %pMR",
7176	&key->addr.bdaddr);
7177	continue;
7178	}
7179
7180	switch (key->type) {
7181	case MGMT_LTK_UNAUTHENTICATED:
7182	authenticated = 0x00;
7183	type = key->initiator ? SMP_LTK : SMP_LTK_RESPONDER;
7184	break;
7185	case MGMT_LTK_AUTHENTICATED:
7186	authenticated = 0x01;
7187	type = key->initiator ? SMP_LTK : SMP_LTK_RESPONDER;
7188	break;
7189	case MGMT_LTK_P256_UNAUTH:
7190	authenticated = 0x00;
7191	type = SMP_LTK_P256;
7192	break;
7193	case MGMT_LTK_P256_AUTH:
7194	authenticated = 0x01;
7195	type = SMP_LTK_P256;
7196	break;
7197	case MGMT_LTK_P256_DEBUG:
7198	authenticated = 0x00;
7199	type = SMP_LTK_P256_DEBUG;
7200	fallthrough;
7201	default:
7202	continue;
7203	}
7204
7205	/* When using SMP over BR/EDR, the addr type should be set to BREDR */
7206	if (key->addr.type == BDADDR_BREDR)
7207	addr_type = BDADDR_BREDR;
7208
7209	hci_add_ltk(hdev, bdaddr: &key->addr.bdaddr,
7210	addr_type, type, authenticated,
7211	tk: key->val, enc_size: key->enc_size, ediv: key->ediv, rand: key->rand);
7212	}
7213
7214	err = mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS, status: 0,
7215	NULL, rp_len: 0);
7216
7217	hci_dev_unlock(hdev);
7218
7219	return err;
7220	}
7221
7222	static void get_conn_info_complete(struct hci_dev *hdev, void *data, int err)
7223	{
7224	struct mgmt_pending_cmd *cmd = data;
7225	struct hci_conn *conn = cmd->user_data;
7226	struct mgmt_cp_get_conn_info *cp = cmd->param;
7227	struct mgmt_rp_get_conn_info rp;
7228	u8 status;
7229
7230	bt_dev_dbg(hdev, "err %d", err);
7231
7232	memcpy(&rp.addr, &cp->addr, sizeof(rp.addr));
7233
7234	status = mgmt_status(err);
7235	if (status == MGMT_STATUS_SUCCESS) {
7236	rp.rssi = conn->rssi;
7237	rp.tx_power = conn->tx_power;
7238	rp.max_tx_power = conn->max_tx_power;
7239	} else {
7240	rp.rssi = HCI_RSSI_INVALID;
7241	rp.tx_power = HCI_TX_POWER_INVALID;
7242	rp.max_tx_power = HCI_TX_POWER_INVALID;
7243	}
7244
7245	mgmt_cmd_complete(sk: cmd->sk, index: cmd->index, MGMT_OP_GET_CONN_INFO, status,
7246	rp: &rp, rp_len: sizeof(rp));
7247
7248	mgmt_pending_free(cmd);
7249	}
7250
7251	static int get_conn_info_sync(struct hci_dev *hdev, void *data)
7252	{
7253	struct mgmt_pending_cmd *cmd = data;
7254	struct mgmt_cp_get_conn_info *cp = cmd->param;
7255	struct hci_conn *conn;
7256	int err;
7257	__le16 handle;
7258
7259	/* Make sure we are still connected */
7260	if (cp->addr.type == BDADDR_BREDR)
7261	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
7262	ba: &cp->addr.bdaddr);
7263	else
7264	conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, ba: &cp->addr.bdaddr);
7265
7266	if (!conn || conn->state != BT_CONNECTED)
7267	return MGMT_STATUS_NOT_CONNECTED;
7268
7269	cmd->user_data = conn;
7270	handle = cpu_to_le16(conn->handle);
7271
7272	/* Refresh RSSI each time */
7273	err = hci_read_rssi_sync(hdev, handle);
7274
7275	/* For LE links TX power does not change thus we don't need to
7276	* query for it once value is known.
7277	*/
7278	if (!err && (!bdaddr_type_is_le(type: cp->addr.type) ||
7279	conn->tx_power == HCI_TX_POWER_INVALID))
7280	err = hci_read_tx_power_sync(hdev, handle, type: 0x00);
7281
7282	/* Max TX power needs to be read only once per connection */
7283	if (!err && conn->max_tx_power == HCI_TX_POWER_INVALID)
7284	err = hci_read_tx_power_sync(hdev, handle, type: 0x01);
7285
7286	return err;
7287	}
7288
7289	static int get_conn_info(struct sock *sk, struct hci_dev *hdev, void *data,
7290	u16 len)
7291	{
7292	struct mgmt_cp_get_conn_info *cp = data;
7293	struct mgmt_rp_get_conn_info rp;
7294	struct hci_conn *conn;
7295	unsigned long conn_info_age;
7296	int err = 0;
7297
7298	bt_dev_dbg(hdev, "sock %p", sk);
7299
7300	memset(&rp, 0, sizeof(rp));
7301	bacpy(dst: &rp.addr.bdaddr, src: &cp->addr.bdaddr);
7302	rp.addr.type = cp->addr.type;
7303
7304	if (!bdaddr_type_is_valid(type: cp->addr.type))
7305	return mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_GET_CONN_INFO,
7306	MGMT_STATUS_INVALID_PARAMS,
7307	rp: &rp, rp_len: sizeof(rp));
7308
7309	hci_dev_lock(hdev);
7310
7311	if (!hdev_is_powered(hdev)) {
7312	err = mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_GET_CONN_INFO,
7313	MGMT_STATUS_NOT_POWERED, rp: &rp,
7314	rp_len: sizeof(rp));
7315	goto unlock;
7316	}
7317
7318	if (cp->addr.type == BDADDR_BREDR)
7319	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
7320	ba: &cp->addr.bdaddr);
7321	else
7322	conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, ba: &cp->addr.bdaddr);
7323
7324	if (!conn || conn->state != BT_CONNECTED) {
7325	err = mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_GET_CONN_INFO,
7326	MGMT_STATUS_NOT_CONNECTED, rp: &rp,
7327	rp_len: sizeof(rp));
7328	goto unlock;
7329	}
7330
7331	/* To avoid client trying to guess when to poll again for information we
7332	* calculate conn info age as random value between min/max set in hdev.
7333	*/
7334	conn_info_age = get_random_u32_inclusive(floor: hdev->conn_info_min_age,
7335	ceil: hdev->conn_info_max_age - 1);
7336
7337	/* Query controller to refresh cached values if they are too old or were
7338	* never read.
7339	*/
7340	if (time_after(jiffies, conn->conn_info_timestamp +
7341	msecs_to_jiffies(conn_info_age)) ||
7342	!conn->conn_info_timestamp) {
7343	struct mgmt_pending_cmd *cmd;
7344
7345	cmd = mgmt_pending_new(sk, MGMT_OP_GET_CONN_INFO, hdev, data,
7346	len);
7347	if (!cmd) {
7348	err = -ENOMEM;
7349	} else {
7350	err = hci_cmd_sync_queue(hdev, func: get_conn_info_sync,
7351	data: cmd, destroy: get_conn_info_complete);
7352	}
7353
7354	if (err < 0) {
7355	mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_GET_CONN_INFO,
7356	MGMT_STATUS_FAILED, rp: &rp, rp_len: sizeof(rp));
7357
7358	if (cmd)
7359	mgmt_pending_free(cmd);
7360
7361	goto unlock;
7362	}
7363
7364	conn->conn_info_timestamp = jiffies;
7365	} else {
7366	/* Cache is valid, just reply with values cached in hci_conn */
7367	rp.rssi = conn->rssi;
7368	rp.tx_power = conn->tx_power;
7369	rp.max_tx_power = conn->max_tx_power;
7370
7371	err = mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_GET_CONN_INFO,
7372	MGMT_STATUS_SUCCESS, rp: &rp, rp_len: sizeof(rp));
7373	}
7374
7375	unlock:
7376	hci_dev_unlock(hdev);
7377	return err;
7378	}
7379
7380	static void get_clock_info_complete(struct hci_dev *hdev, void *data, int err)
7381	{
7382	struct mgmt_pending_cmd *cmd = data;
7383	struct mgmt_cp_get_clock_info *cp = cmd->param;
7384	struct mgmt_rp_get_clock_info rp;
7385	struct hci_conn *conn = cmd->user_data;
7386	u8 status = mgmt_status(err);
7387
7388	bt_dev_dbg(hdev, "err %d", err);
7389
7390	memset(&rp, 0, sizeof(rp));
7391	bacpy(dst: &rp.addr.bdaddr, src: &cp->addr.bdaddr);
7392	rp.addr.type = cp->addr.type;
7393
7394	if (err)
7395	goto complete;
7396
7397	rp.local_clock = cpu_to_le32(hdev->clock);
7398
7399	if (conn) {
7400	rp.piconet_clock = cpu_to_le32(conn->clock);
7401	rp.accuracy = cpu_to_le16(conn->clock_accuracy);
7402	}
7403
7404	complete:
7405	mgmt_cmd_complete(sk: cmd->sk, index: cmd->index, cmd: cmd->opcode, status, rp: &rp,
7406	rp_len: sizeof(rp));
7407
7408	mgmt_pending_free(cmd);
7409	}
7410
7411	static int get_clock_info_sync(struct hci_dev *hdev, void *data)
7412	{
7413	struct mgmt_pending_cmd *cmd = data;
7414	struct mgmt_cp_get_clock_info *cp = cmd->param;
7415	struct hci_cp_read_clock hci_cp;
7416	struct hci_conn *conn;
7417
7418	memset(&hci_cp, 0, sizeof(hci_cp));
7419	hci_read_clock_sync(hdev, cp: &hci_cp);
7420
7421	/* Make sure connection still exists */
7422	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, ba: &cp->addr.bdaddr);
7423	if (!conn || conn->state != BT_CONNECTED)
7424	return MGMT_STATUS_NOT_CONNECTED;
7425
7426	cmd->user_data = conn;
7427	hci_cp.handle = cpu_to_le16(conn->handle);
7428	hci_cp.which = 0x01; /* Piconet clock */
7429
7430	return hci_read_clock_sync(hdev, cp: &hci_cp);
7431	}
7432
7433	static int get_clock_info(struct sock *sk, struct hci_dev *hdev, void *data,
7434	u16 len)
7435	{
7436	struct mgmt_cp_get_clock_info *cp = data;
7437	struct mgmt_rp_get_clock_info rp;
7438	struct mgmt_pending_cmd *cmd;
7439	struct hci_conn *conn;
7440	int err;
7441
7442	bt_dev_dbg(hdev, "sock %p", sk);
7443
7444	memset(&rp, 0, sizeof(rp));
7445	bacpy(dst: &rp.addr.bdaddr, src: &cp->addr.bdaddr);
7446	rp.addr.type = cp->addr.type;
7447
7448	if (cp->addr.type != BDADDR_BREDR)
7449	return mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_GET_CLOCK_INFO,
7450	MGMT_STATUS_INVALID_PARAMS,
7451	rp: &rp, rp_len: sizeof(rp));
7452
7453	hci_dev_lock(hdev);
7454
7455	if (!hdev_is_powered(hdev)) {
7456	err = mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_GET_CLOCK_INFO,
7457	MGMT_STATUS_NOT_POWERED, rp: &rp,
7458	rp_len: sizeof(rp));
7459	goto unlock;
7460	}
7461
7462	if (bacmp(ba1: &cp->addr.bdaddr, BDADDR_ANY)) {
7463	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
7464	ba: &cp->addr.bdaddr);
7465	if (!conn || conn->state != BT_CONNECTED) {
7466	err = mgmt_cmd_complete(sk, index: hdev->id,
7467	MGMT_OP_GET_CLOCK_INFO,
7468	MGMT_STATUS_NOT_CONNECTED,
7469	rp: &rp, rp_len: sizeof(rp));
7470	goto unlock;
7471	}
7472	} else {
7473	conn = NULL;
7474	}
7475
7476	cmd = mgmt_pending_new(sk, MGMT_OP_GET_CLOCK_INFO, hdev, data, len);
7477	if (!cmd)
7478	err = -ENOMEM;
7479	else
7480	err = hci_cmd_sync_queue(hdev, func: get_clock_info_sync, data: cmd,
7481	destroy: get_clock_info_complete);
7482
7483	if (err < 0) {
7484	err = mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_GET_CLOCK_INFO,
7485	MGMT_STATUS_FAILED, rp: &rp, rp_len: sizeof(rp));
7486
7487	if (cmd)
7488	mgmt_pending_free(cmd);
7489	}
7490
7491
7492	unlock:
7493	hci_dev_unlock(hdev);
7494	return err;
7495	}
7496
7497	static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type)
7498	{
7499	struct hci_conn *conn;
7500
7501	conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, ba: addr);
7502	if (!conn)
7503	return false;
7504
7505	if (conn->dst_type != type)
7506	return false;
7507
7508	if (conn->state != BT_CONNECTED)
7509	return false;
7510
7511	return true;
7512	}
7513
7514	/* This function requires the caller holds hdev->lock */
7515	static int hci_conn_params_set(struct hci_dev *hdev, bdaddr_t *addr,
7516	u8 addr_type, u8 auto_connect)
7517	{
7518	struct hci_conn_params *params;
7519
7520	params = hci_conn_params_add(hdev, addr, addr_type);
7521	if (!params)
7522	return -EIO;
7523
7524	if (params->auto_connect == auto_connect)
7525	return 0;
7526
7527	hci_pend_le_list_del_init(param: params);
7528
7529	switch (auto_connect) {
7530	case HCI_AUTO_CONN_DISABLED:
7531	case HCI_AUTO_CONN_LINK_LOSS:
7532	/* If auto connect is being disabled when we're trying to
7533	* connect to device, keep connecting.
7534	*/
7535	if (params->explicit_connect)
7536	hci_pend_le_list_add(param: params, list: &hdev->pend_le_conns);
7537	break;
7538	case HCI_AUTO_CONN_REPORT:
7539	if (params->explicit_connect)
7540	hci_pend_le_list_add(param: params, list: &hdev->pend_le_conns);
7541	else
7542	hci_pend_le_list_add(param: params, list: &hdev->pend_le_reports);
7543	break;
7544	case HCI_AUTO_CONN_DIRECT:
7545	case HCI_AUTO_CONN_ALWAYS:
7546	if (!is_connected(hdev, addr, type: addr_type))
7547	hci_pend_le_list_add(param: params, list: &hdev->pend_le_conns);
7548	break;
7549	}
7550
7551	params->auto_connect = auto_connect;
7552
7553	bt_dev_dbg(hdev, "addr %pMR (type %u) auto_connect %u",
7554	addr, addr_type, auto_connect);
7555
7556	return 0;
7557	}
7558
7559	static void device_added(struct sock *sk, struct hci_dev *hdev,
7560	bdaddr_t *bdaddr, u8 type, u8 action)
7561	{
7562	struct mgmt_ev_device_added ev;
7563
7564	bacpy(dst: &ev.addr.bdaddr, src: bdaddr);
7565	ev.addr.type = type;
7566	ev.action = action;
7567
7568	mgmt_event(MGMT_EV_DEVICE_ADDED, hdev, data: &ev, len: sizeof(ev), skip_sk: sk);
7569	}
7570
7571	static int add_device_sync(struct hci_dev *hdev, void *data)
7572	{
7573	return hci_update_passive_scan_sync(hdev);
7574	}
7575
7576	static int add_device(struct sock *sk, struct hci_dev *hdev,
7577	void *data, u16 len)
7578	{
7579	struct mgmt_cp_add_device *cp = data;
7580	u8 auto_conn, addr_type;
7581	struct hci_conn_params *params;
7582	int err;
7583	u32 current_flags = 0;
7584	u32 supported_flags;
7585
7586	bt_dev_dbg(hdev, "sock %p", sk);
7587
7588	if (!bdaddr_type_is_valid(type: cp->addr.type) ||
7589	!bacmp(ba1: &cp->addr.bdaddr, BDADDR_ANY))
7590	return mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_ADD_DEVICE,
7591	MGMT_STATUS_INVALID_PARAMS,
7592	rp: &cp->addr, rp_len: sizeof(cp->addr));
7593
7594	if (cp->action != 0x00 && cp->action != 0x01 && cp->action != 0x02)
7595	return mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_ADD_DEVICE,
7596	MGMT_STATUS_INVALID_PARAMS,
7597	rp: &cp->addr, rp_len: sizeof(cp->addr));
7598
7599	hci_dev_lock(hdev);
7600
7601	if (cp->addr.type == BDADDR_BREDR) {
7602	/* Only incoming connections action is supported for now */
7603	if (cp->action != 0x01) {
7604	err = mgmt_cmd_complete(sk, index: hdev->id,
7605	MGMT_OP_ADD_DEVICE,
7606	MGMT_STATUS_INVALID_PARAMS,
7607	rp: &cp->addr, rp_len: sizeof(cp->addr));
7608	goto unlock;
7609	}
7610
7611	err = hci_bdaddr_list_add_with_flags(list: &hdev->accept_list,
7612	bdaddr: &cp->addr.bdaddr,
7613	type: cp->addr.type, flags: 0);
7614	if (err)
7615	goto unlock;
7616
7617	hci_update_scan(hdev);
7618
7619	goto added;
7620	}
7621
7622	addr_type = le_addr_type(mgmt_addr_type: cp->addr.type);
7623
7624	if (cp->action == 0x02)
7625	auto_conn = HCI_AUTO_CONN_ALWAYS;
7626	else if (cp->action == 0x01)
7627	auto_conn = HCI_AUTO_CONN_DIRECT;
7628	else
7629	auto_conn = HCI_AUTO_CONN_REPORT;
7630
7631	/* Kernel internally uses conn_params with resolvable private
7632	* address, but Add Device allows only identity addresses.
7633	* Make sure it is enforced before calling
7634	* hci_conn_params_lookup.
7635	*/
7636	if (!hci_is_identity_address(addr: &cp->addr.bdaddr, addr_type)) {
7637	err = mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_ADD_DEVICE,
7638	MGMT_STATUS_INVALID_PARAMS,
7639	rp: &cp->addr, rp_len: sizeof(cp->addr));
7640	goto unlock;
7641	}
7642
7643	/* If the connection parameters don't exist for this device,
7644	* they will be created and configured with defaults.
7645	*/
7646	if (hci_conn_params_set(hdev, addr: &cp->addr.bdaddr, addr_type,
7647	auto_connect: auto_conn) < 0) {
7648	err = mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_ADD_DEVICE,
7649	MGMT_STATUS_FAILED, rp: &cp->addr,
7650	rp_len: sizeof(cp->addr));
7651	goto unlock;
7652	} else {
7653	params = hci_conn_params_lookup(hdev, addr: &cp->addr.bdaddr,
7654	addr_type);
7655	if (params)
7656	current_flags = params->flags;
7657	}
7658
7659	err = hci_cmd_sync_queue(hdev, func: add_device_sync, NULL, NULL);
7660	if (err < 0)
7661	goto unlock;
7662
7663	added:
7664	device_added(sk, hdev, bdaddr: &cp->addr.bdaddr, type: cp->addr.type, action: cp->action);
7665	supported_flags = hdev->conn_flags;
7666	device_flags_changed(NULL, hdev, bdaddr: &cp->addr.bdaddr, bdaddr_type: cp->addr.type,
7667	supported_flags, current_flags);
7668
7669	err = mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_ADD_DEVICE,
7670	MGMT_STATUS_SUCCESS, rp: &cp->addr,
7671	rp_len: sizeof(cp->addr));
7672
7673	unlock:
7674	hci_dev_unlock(hdev);
7675	return err;
7676	}
7677
7678	static void device_removed(struct sock *sk, struct hci_dev *hdev,
7679	bdaddr_t *bdaddr, u8 type)
7680	{
7681	struct mgmt_ev_device_removed ev;
7682
7683	bacpy(dst: &ev.addr.bdaddr, src: bdaddr);
7684	ev.addr.type = type;
7685
7686	mgmt_event(MGMT_EV_DEVICE_REMOVED, hdev, data: &ev, len: sizeof(ev), skip_sk: sk);
7687	}
7688
7689	static int remove_device_sync(struct hci_dev *hdev, void *data)
7690	{
7691	return hci_update_passive_scan_sync(hdev);
7692	}
7693
7694	static int remove_device(struct sock *sk, struct hci_dev *hdev,
7695	void *data, u16 len)
7696	{
7697	struct mgmt_cp_remove_device *cp = data;
7698	int err;
7699
7700	bt_dev_dbg(hdev, "sock %p", sk);
7701
7702	hci_dev_lock(hdev);
7703
7704	if (bacmp(ba1: &cp->addr.bdaddr, BDADDR_ANY)) {
7705	struct hci_conn_params *params;
7706	u8 addr_type;
7707
7708	if (!bdaddr_type_is_valid(type: cp->addr.type)) {
7709	err = mgmt_cmd_complete(sk, index: hdev->id,
7710	MGMT_OP_REMOVE_DEVICE,
7711	MGMT_STATUS_INVALID_PARAMS,
7712	rp: &cp->addr, rp_len: sizeof(cp->addr));
7713	goto unlock;
7714	}
7715
7716	if (cp->addr.type == BDADDR_BREDR) {
7717	err = hci_bdaddr_list_del(list: &hdev->accept_list,
7718	bdaddr: &cp->addr.bdaddr,
7719	type: cp->addr.type);
7720	if (err) {
7721	err = mgmt_cmd_complete(sk, index: hdev->id,
7722	MGMT_OP_REMOVE_DEVICE,
7723	MGMT_STATUS_INVALID_PARAMS,
7724	rp: &cp->addr,
7725	rp_len: sizeof(cp->addr));
7726	goto unlock;
7727	}
7728
7729	hci_update_scan(hdev);
7730
7731	device_removed(sk, hdev, bdaddr: &cp->addr.bdaddr,
7732	type: cp->addr.type);
7733	goto complete;
7734	}
7735
7736	addr_type = le_addr_type(mgmt_addr_type: cp->addr.type);
7737
7738	/* Kernel internally uses conn_params with resolvable private
7739	* address, but Remove Device allows only identity addresses.
7740	* Make sure it is enforced before calling
7741	* hci_conn_params_lookup.
7742	*/
7743	if (!hci_is_identity_address(addr: &cp->addr.bdaddr, addr_type)) {
7744	err = mgmt_cmd_complete(sk, index: hdev->id,
7745	MGMT_OP_REMOVE_DEVICE,
7746	MGMT_STATUS_INVALID_PARAMS,
7747	rp: &cp->addr, rp_len: sizeof(cp->addr));
7748	goto unlock;
7749	}
7750
7751	params = hci_conn_params_lookup(hdev, addr: &cp->addr.bdaddr,
7752	addr_type);
7753	if (!params) {
7754	err = mgmt_cmd_complete(sk, index: hdev->id,
7755	MGMT_OP_REMOVE_DEVICE,
7756	MGMT_STATUS_INVALID_PARAMS,
7757	rp: &cp->addr, rp_len: sizeof(cp->addr));
7758	goto unlock;
7759	}
7760
7761	if (params->auto_connect == HCI_AUTO_CONN_DISABLED ||
7762	params->auto_connect == HCI_AUTO_CONN_EXPLICIT) {
7763	err = mgmt_cmd_complete(sk, index: hdev->id,
7764	MGMT_OP_REMOVE_DEVICE,
7765	MGMT_STATUS_INVALID_PARAMS,
7766	rp: &cp->addr, rp_len: sizeof(cp->addr));
7767	goto unlock;
7768	}
7769
7770	hci_conn_params_free(param: params);
7771
7772	device_removed(sk, hdev, bdaddr: &cp->addr.bdaddr, type: cp->addr.type);
7773	} else {
7774	struct hci_conn_params *p, *tmp;
7775	struct bdaddr_list *b, *btmp;
7776
7777	if (cp->addr.type) {
7778	err = mgmt_cmd_complete(sk, index: hdev->id,
7779	MGMT_OP_REMOVE_DEVICE,
7780	MGMT_STATUS_INVALID_PARAMS,
7781	rp: &cp->addr, rp_len: sizeof(cp->addr));
7782	goto unlock;
7783	}
7784
7785	list_for_each_entry_safe(b, btmp, &hdev->accept_list, list) {
7786	device_removed(sk, hdev, bdaddr: &b->bdaddr, type: b->bdaddr_type);
7787	list_del(entry: &b->list);
7788	kfree(objp: b);
7789	}
7790
7791	hci_update_scan(hdev);
7792
7793	list_for_each_entry_safe(p, tmp, &hdev->le_conn_params, list) {
7794	if (p->auto_connect == HCI_AUTO_CONN_DISABLED)
7795	continue;
7796	device_removed(sk, hdev, bdaddr: &p->addr, type: p->addr_type);
7797	if (p->explicit_connect) {
7798	p->auto_connect = HCI_AUTO_CONN_EXPLICIT;
7799	continue;
7800	}
7801	hci_conn_params_free(param: p);
7802	}
7803
7804	bt_dev_dbg(hdev, "All LE connection parameters were removed");
7805	}
7806
7807	hci_cmd_sync_queue(hdev, func: remove_device_sync, NULL, NULL);
7808
7809	complete:
7810	err = mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_REMOVE_DEVICE,
7811	MGMT_STATUS_SUCCESS, rp: &cp->addr,
7812	rp_len: sizeof(cp->addr));
7813	unlock:
7814	hci_dev_unlock(hdev);
7815	return err;
7816	}
7817
7818	static int load_conn_param(struct sock *sk, struct hci_dev *hdev, void *data,
7819	u16 len)
7820	{
7821	struct mgmt_cp_load_conn_param *cp = data;
7822	const u16 max_param_count = ((U16_MAX - sizeof(*cp)) /
7823	sizeof(struct mgmt_conn_param));
7824	u16 param_count, expected_len;
7825	int i;
7826
7827	if (!lmp_le_capable(hdev))
7828	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_LOAD_CONN_PARAM,
7829	MGMT_STATUS_NOT_SUPPORTED);
7830
7831	param_count = __le16_to_cpu(cp->param_count);
7832	if (param_count > max_param_count) {
7833	bt_dev_err(hdev, "load_conn_param: too big param_count value %u",
7834	param_count);
7835	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_LOAD_CONN_PARAM,
7836	MGMT_STATUS_INVALID_PARAMS);
7837	}
7838
7839	expected_len = struct_size(cp, params, param_count);
7840	if (expected_len != len) {
7841	bt_dev_err(hdev, "load_conn_param: expected %u bytes, got %u bytes",
7842	expected_len, len);
7843	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_LOAD_CONN_PARAM,
7844	MGMT_STATUS_INVALID_PARAMS);
7845	}
7846
7847	bt_dev_dbg(hdev, "param_count %u", param_count);
7848
7849	hci_dev_lock(hdev);
7850
7851	hci_conn_params_clear_disabled(hdev);
7852
7853	for (i = 0; i < param_count; i++) {
7854	struct mgmt_conn_param *param = &cp->params[i];
7855	struct hci_conn_params *hci_param;
7856	u16 min, max, latency, timeout;
7857	u8 addr_type;
7858
7859	bt_dev_dbg(hdev, "Adding %pMR (type %u)", &param->addr.bdaddr,
7860	param->addr.type);
7861
7862	if (param->addr.type == BDADDR_LE_PUBLIC) {
7863	addr_type = ADDR_LE_DEV_PUBLIC;
7864	} else if (param->addr.type == BDADDR_LE_RANDOM) {
7865	addr_type = ADDR_LE_DEV_RANDOM;
7866	} else {
7867	bt_dev_err(hdev, "ignoring invalid connection parameters");
7868	continue;
7869	}
7870
7871	min = le16_to_cpu(param->min_interval);
7872	max = le16_to_cpu(param->max_interval);
7873	latency = le16_to_cpu(param->latency);
7874	timeout = le16_to_cpu(param->timeout);
7875
7876	bt_dev_dbg(hdev, "min 0x%04x max 0x%04x latency 0x%04x timeout 0x%04x",
7877	min, max, latency, timeout);
7878
7879	if (hci_check_conn_params(min, max, latency, to_multiplier: timeout) < 0) {
7880	bt_dev_err(hdev, "ignoring invalid connection parameters");
7881	continue;
7882	}
7883
7884	hci_param = hci_conn_params_add(hdev, addr: &param->addr.bdaddr,
7885	addr_type);
7886	if (!hci_param) {
7887	bt_dev_err(hdev, "failed to add connection parameters");
7888	continue;
7889	}
7890
7891	hci_param->conn_min_interval = min;
7892	hci_param->conn_max_interval = max;
7893	hci_param->conn_latency = latency;
7894	hci_param->supervision_timeout = timeout;
7895	}
7896
7897	hci_dev_unlock(hdev);
7898
7899	return mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_LOAD_CONN_PARAM, status: 0,
7900	NULL, rp_len: 0);
7901	}
7902
7903	static int set_external_config(struct sock *sk, struct hci_dev *hdev,
7904	void *data, u16 len)
7905	{
7906	struct mgmt_cp_set_external_config *cp = data;
7907	bool changed;
7908	int err;
7909
7910	bt_dev_dbg(hdev, "sock %p", sk);
7911
7912	if (hdev_is_powered(hdev))
7913	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_EXTERNAL_CONFIG,
7914	MGMT_STATUS_REJECTED);
7915
7916	if (cp->config != 0x00 && cp->config != 0x01)
7917	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_EXTERNAL_CONFIG,
7918	MGMT_STATUS_INVALID_PARAMS);
7919
7920	if (!test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks))
7921	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_EXTERNAL_CONFIG,
7922	MGMT_STATUS_NOT_SUPPORTED);
7923
7924	hci_dev_lock(hdev);
7925
7926	if (cp->config)
7927	changed = !hci_dev_test_and_set_flag(hdev, HCI_EXT_CONFIGURED);
7928	else
7929	changed = hci_dev_test_and_clear_flag(hdev, HCI_EXT_CONFIGURED);
7930
7931	err = send_options_rsp(sk, MGMT_OP_SET_EXTERNAL_CONFIG, hdev);
7932	if (err < 0)
7933	goto unlock;
7934
7935	if (!changed)
7936	goto unlock;
7937
7938	err = new_options(hdev, skip: sk);
7939
7940	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED) == is_configured(hdev)) {
7941	mgmt_index_removed(hdev);
7942
7943	if (hci_dev_test_and_change_flag(hdev, HCI_UNCONFIGURED)) {
7944	hci_dev_set_flag(hdev, HCI_CONFIG);
7945	hci_dev_set_flag(hdev, HCI_AUTO_OFF);
7946
7947	queue_work(wq: hdev->req_workqueue, work: &hdev->power_on);
7948	} else {
7949	set_bit(nr: HCI_RAW, addr: &hdev->flags);
7950	mgmt_index_added(hdev);
7951	}
7952	}
7953
7954	unlock:
7955	hci_dev_unlock(hdev);
7956	return err;
7957	}
7958
7959	static int set_public_address(struct sock *sk, struct hci_dev *hdev,
7960	void *data, u16 len)
7961	{
7962	struct mgmt_cp_set_public_address *cp = data;
7963	bool changed;
7964	int err;
7965
7966	bt_dev_dbg(hdev, "sock %p", sk);
7967
7968	if (hdev_is_powered(hdev))
7969	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_PUBLIC_ADDRESS,
7970	MGMT_STATUS_REJECTED);
7971
7972	if (!bacmp(ba1: &cp->bdaddr, BDADDR_ANY))
7973	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_PUBLIC_ADDRESS,
7974	MGMT_STATUS_INVALID_PARAMS);
7975
7976	if (!hdev->set_bdaddr)
7977	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_SET_PUBLIC_ADDRESS,
7978	MGMT_STATUS_NOT_SUPPORTED);
7979
7980	hci_dev_lock(hdev);
7981
7982	changed = !!bacmp(ba1: &hdev->public_addr, ba2: &cp->bdaddr);
7983	bacpy(dst: &hdev->public_addr, src: &cp->bdaddr);
7984
7985	err = send_options_rsp(sk, MGMT_OP_SET_PUBLIC_ADDRESS, hdev);
7986	if (err < 0)
7987	goto unlock;
7988
7989	if (!changed)
7990	goto unlock;
7991
7992	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
7993	err = new_options(hdev, skip: sk);
7994
7995	if (is_configured(hdev)) {
7996	mgmt_index_removed(hdev);
7997
7998	hci_dev_clear_flag(hdev, HCI_UNCONFIGURED);
7999
8000	hci_dev_set_flag(hdev, HCI_CONFIG);
8001	hci_dev_set_flag(hdev, HCI_AUTO_OFF);
8002
8003	queue_work(wq: hdev->req_workqueue, work: &hdev->power_on);
8004	}
8005
8006	unlock:
8007	hci_dev_unlock(hdev);
8008	return err;
8009	}
8010
8011	static void read_local_oob_ext_data_complete(struct hci_dev *hdev, void *data,
8012	int err)
8013	{
8014	const struct mgmt_cp_read_local_oob_ext_data *mgmt_cp;
8015	struct mgmt_rp_read_local_oob_ext_data *mgmt_rp;
8016	u8 *h192, *r192, *h256, *r256;
8017	struct mgmt_pending_cmd *cmd = data;
8018	struct sk_buff *skb = cmd->skb;
8019	u8 status = mgmt_status(err);
8020	u16 eir_len;
8021
8022	if (cmd != pending_find(MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev))
8023	return;
8024
8025	if (!status) {
8026	if (!skb)
8027	status = MGMT_STATUS_FAILED;
8028	else if (IS_ERR(ptr: skb))
8029	status = mgmt_status(err: PTR_ERR(ptr: skb));
8030	else
8031	status = mgmt_status(err: skb->data[0]);
8032	}
8033
8034	bt_dev_dbg(hdev, "status %u", status);
8035
8036	mgmt_cp = cmd->param;
8037
8038	if (status) {
8039	status = mgmt_status(err: status);
8040	eir_len = 0;
8041
8042	h192 = NULL;
8043	r192 = NULL;
8044	h256 = NULL;
8045	r256 = NULL;
8046	} else if (!bredr_sc_enabled(hdev)) {
8047	struct hci_rp_read_local_oob_data *rp;
8048
8049	if (skb->len != sizeof(*rp)) {
8050	status = MGMT_STATUS_FAILED;
8051	eir_len = 0;
8052	} else {
8053	status = MGMT_STATUS_SUCCESS;
8054	rp = (void *)skb->data;
8055
8056	eir_len = 5 + 18 + 18;
8057	h192 = rp->hash;
8058	r192 = rp->rand;
8059	h256 = NULL;
8060	r256 = NULL;
8061	}
8062	} else {
8063	struct hci_rp_read_local_oob_ext_data *rp;
8064
8065	if (skb->len != sizeof(*rp)) {
8066	status = MGMT_STATUS_FAILED;
8067	eir_len = 0;
8068	} else {
8069	status = MGMT_STATUS_SUCCESS;
8070	rp = (void *)skb->data;
8071
8072	if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
8073	eir_len = 5 + 18 + 18;
8074	h192 = NULL;
8075	r192 = NULL;
8076	} else {
8077	eir_len = 5 + 18 + 18 + 18 + 18;
8078	h192 = rp->hash192;
8079	r192 = rp->rand192;
8080	}
8081
8082	h256 = rp->hash256;
8083	r256 = rp->rand256;
8084	}
8085	}
8086
8087	mgmt_rp = kmalloc(size: sizeof(*mgmt_rp) + eir_len, GFP_KERNEL);
8088	if (!mgmt_rp)
8089	goto done;
8090
8091	if (eir_len == 0)
8092	goto send_rsp;
8093
8094	eir_len = eir_append_data(eir: mgmt_rp->eir, eir_len: 0, EIR_CLASS_OF_DEV,
8095	data: hdev->dev_class, data_len: 3);
8096
8097	if (h192 && r192) {
8098	eir_len = eir_append_data(eir: mgmt_rp->eir, eir_len,
8099	EIR_SSP_HASH_C192, data: h192, data_len: 16);
8100	eir_len = eir_append_data(eir: mgmt_rp->eir, eir_len,
8101	EIR_SSP_RAND_R192, data: r192, data_len: 16);
8102	}
8103
8104	if (h256 && r256) {
8105	eir_len = eir_append_data(eir: mgmt_rp->eir, eir_len,
8106	EIR_SSP_HASH_C256, data: h256, data_len: 16);
8107	eir_len = eir_append_data(eir: mgmt_rp->eir, eir_len,
8108	EIR_SSP_RAND_R256, data: r256, data_len: 16);
8109	}
8110
8111	send_rsp:
8112	mgmt_rp->type = mgmt_cp->type;
8113	mgmt_rp->eir_len = cpu_to_le16(eir_len);
8114
8115	err = mgmt_cmd_complete(sk: cmd->sk, index: hdev->id,
8116	MGMT_OP_READ_LOCAL_OOB_EXT_DATA, status,
8117	rp: mgmt_rp, rp_len: sizeof(*mgmt_rp) + eir_len);
8118	if (err < 0 || status)
8119	goto done;
8120
8121	hci_sock_set_flag(sk: cmd->sk, nr: HCI_MGMT_OOB_DATA_EVENTS);
8122
8123	err = mgmt_limited_event(MGMT_EV_LOCAL_OOB_DATA_UPDATED, hdev,
8124	data: mgmt_rp, len: sizeof(*mgmt_rp) + eir_len,
8125	flag: HCI_MGMT_OOB_DATA_EVENTS, skip_sk: cmd->sk);
8126	done:
8127	if (skb && !IS_ERR(ptr: skb))
8128	kfree_skb(skb);
8129
8130	kfree(objp: mgmt_rp);
8131	mgmt_pending_remove(cmd);
8132	}
8133
8134	static int read_local_ssp_oob_req(struct hci_dev *hdev, struct sock *sk,
8135	struct mgmt_cp_read_local_oob_ext_data *cp)
8136	{
8137	struct mgmt_pending_cmd *cmd;
8138	int err;
8139
8140	cmd = mgmt_pending_add(sk, MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev,
8141	data: cp, len: sizeof(*cp));
8142	if (!cmd)
8143	return -ENOMEM;
8144
8145	err = hci_cmd_sync_queue(hdev, func: read_local_oob_data_sync, data: cmd,
8146	destroy: read_local_oob_ext_data_complete);
8147
8148	if (err < 0) {
8149	mgmt_pending_remove(cmd);
8150	return err;
8151	}
8152
8153	return 0;
8154	}
8155
8156	static int read_local_oob_ext_data(struct sock *sk, struct hci_dev *hdev,
8157	void *data, u16 data_len)
8158	{
8159	struct mgmt_cp_read_local_oob_ext_data *cp = data;
8160	struct mgmt_rp_read_local_oob_ext_data *rp;
8161	size_t rp_len;
8162	u16 eir_len;
8163	u8 status, flags, role, addr[7], hash[16], rand[16];
8164	int err;
8165
8166	bt_dev_dbg(hdev, "sock %p", sk);
8167
8168	if (hdev_is_powered(hdev)) {
8169	switch (cp->type) {
8170	case BIT(BDADDR_BREDR):
8171	status = mgmt_bredr_support(hdev);
8172	if (status)
8173	eir_len = 0;
8174	else
8175	eir_len = 5;
8176	break;
8177	case (BIT(BDADDR_LE_PUBLIC) | BIT(BDADDR_LE_RANDOM)):
8178	status = mgmt_le_support(hdev);
8179	if (status)
8180	eir_len = 0;
8181	else
8182	eir_len = 9 + 3 + 18 + 18 + 3;
8183	break;
8184	default:
8185	status = MGMT_STATUS_INVALID_PARAMS;
8186	eir_len = 0;
8187	break;
8188	}
8189	} else {
8190	status = MGMT_STATUS_NOT_POWERED;
8191	eir_len = 0;
8192	}
8193
8194	rp_len = sizeof(*rp) + eir_len;
8195	rp = kmalloc(size: rp_len, GFP_ATOMIC);
8196	if (!rp)
8197	return -ENOMEM;
8198
8199	if (!status && !lmp_ssp_capable(hdev)) {
8200	status = MGMT_STATUS_NOT_SUPPORTED;
8201	eir_len = 0;
8202	}
8203
8204	if (status)
8205	goto complete;
8206
8207	hci_dev_lock(hdev);
8208
8209	eir_len = 0;
8210	switch (cp->type) {
8211	case BIT(BDADDR_BREDR):
8212	if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
8213	err = read_local_ssp_oob_req(hdev, sk, cp);
8214	hci_dev_unlock(hdev);
8215	if (!err)
8216	goto done;
8217
8218	status = MGMT_STATUS_FAILED;
8219	goto complete;
8220	} else {
8221	eir_len = eir_append_data(eir: rp->eir, eir_len,
8222	EIR_CLASS_OF_DEV,
8223	data: hdev->dev_class, data_len: 3);
8224	}
8225	break;
8226	case (BIT(BDADDR_LE_PUBLIC) | BIT(BDADDR_LE_RANDOM)):
8227	if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
8228	smp_generate_oob(hdev, hash, rand) < 0) {
8229	hci_dev_unlock(hdev);
8230	status = MGMT_STATUS_FAILED;
8231	goto complete;
8232	}
8233
8234	/* This should return the active RPA, but since the RPA
8235	* is only programmed on demand, it is really hard to fill
8236	* this in at the moment. For now disallow retrieving
8237	* local out-of-band data when privacy is in use.
8238	*
8239	* Returning the identity address will not help here since
8240	* pairing happens before the identity resolving key is
8241	* known and thus the connection establishment happens
8242	* based on the RPA and not the identity address.
8243	*/
8244	if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
8245	hci_dev_unlock(hdev);
8246	status = MGMT_STATUS_REJECTED;
8247	goto complete;
8248	}
8249
8250	if (hci_dev_test_flag(hdev, HCI_FORCE_STATIC_ADDR) ||
8251	!bacmp(ba1: &hdev->bdaddr, BDADDR_ANY) ||
8252	(!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
8253	bacmp(ba1: &hdev->static_addr, BDADDR_ANY))) {
8254	memcpy(addr, &hdev->static_addr, 6);
8255	addr[6] = 0x01;
8256	} else {
8257	memcpy(addr, &hdev->bdaddr, 6);
8258	addr[6] = 0x00;
8259	}
8260
8261	eir_len = eir_append_data(eir: rp->eir, eir_len, EIR_LE_BDADDR,
8262	data: addr, data_len: sizeof(addr));
8263
8264	if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
8265	role = 0x02;
8266	else
8267	role = 0x01;
8268
8269	eir_len = eir_append_data(eir: rp->eir, eir_len, EIR_LE_ROLE,
8270	data: &role, data_len: sizeof(role));
8271
8272	if (hci_dev_test_flag(hdev, HCI_SC_ENABLED)) {
8273	eir_len = eir_append_data(eir: rp->eir, eir_len,
8274	EIR_LE_SC_CONFIRM,
8275	data: hash, data_len: sizeof(hash));
8276
8277	eir_len = eir_append_data(eir: rp->eir, eir_len,
8278	EIR_LE_SC_RANDOM,
8279	data: rand, data_len: sizeof(rand));
8280	}
8281
8282	flags = mgmt_get_adv_discov_flags(hdev);
8283
8284	if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
8285	flags |= LE_AD_NO_BREDR;
8286
8287	eir_len = eir_append_data(eir: rp->eir, eir_len, EIR_FLAGS,
8288	data: &flags, data_len: sizeof(flags));
8289	break;
8290	}
8291
8292	hci_dev_unlock(hdev);
8293
8294	hci_sock_set_flag(sk, nr: HCI_MGMT_OOB_DATA_EVENTS);
8295
8296	status = MGMT_STATUS_SUCCESS;
8297
8298	complete:
8299	rp->type = cp->type;
8300	rp->eir_len = cpu_to_le16(eir_len);
8301
8302	err = mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_READ_LOCAL_OOB_EXT_DATA,
8303	status, rp, rp_len: sizeof(*rp) + eir_len);
8304	if (err < 0 || status)
8305	goto done;
8306
8307	err = mgmt_limited_event(MGMT_EV_LOCAL_OOB_DATA_UPDATED, hdev,
8308	data: rp, len: sizeof(*rp) + eir_len,
8309	flag: HCI_MGMT_OOB_DATA_EVENTS, skip_sk: sk);
8310
8311	done:
8312	kfree(objp: rp);
8313
8314	return err;
8315	}
8316
8317	static u32 get_supported_adv_flags(struct hci_dev *hdev)
8318	{
8319	u32 flags = 0;
8320
8321	flags |= MGMT_ADV_FLAG_CONNECTABLE;
8322	flags |= MGMT_ADV_FLAG_DISCOV;
8323	flags |= MGMT_ADV_FLAG_LIMITED_DISCOV;
8324	flags |= MGMT_ADV_FLAG_MANAGED_FLAGS;
8325	flags |= MGMT_ADV_FLAG_APPEARANCE;
8326	flags |= MGMT_ADV_FLAG_LOCAL_NAME;
8327	flags |= MGMT_ADV_PARAM_DURATION;
8328	flags |= MGMT_ADV_PARAM_TIMEOUT;
8329	flags |= MGMT_ADV_PARAM_INTERVALS;
8330	flags |= MGMT_ADV_PARAM_TX_POWER;
8331	flags |= MGMT_ADV_PARAM_SCAN_RSP;
8332
8333	/* In extended adv TX_POWER returned from Set Adv Param
8334	* will be always valid.
8335	*/
8336	if (hdev->adv_tx_power != HCI_TX_POWER_INVALID || ext_adv_capable(hdev))
8337	flags |= MGMT_ADV_FLAG_TX_POWER;
8338
8339	if (ext_adv_capable(hdev)) {
8340	flags |= MGMT_ADV_FLAG_SEC_1M;
8341	flags |= MGMT_ADV_FLAG_HW_OFFLOAD;
8342	flags |= MGMT_ADV_FLAG_CAN_SET_TX_POWER;
8343
8344	if (le_2m_capable(hdev))
8345	flags |= MGMT_ADV_FLAG_SEC_2M;
8346
8347	if (le_coded_capable(hdev))
8348	flags |= MGMT_ADV_FLAG_SEC_CODED;
8349	}
8350
8351	return flags;
8352	}
8353
8354	static int read_adv_features(struct sock *sk, struct hci_dev *hdev,
8355	void *data, u16 data_len)
8356	{
8357	struct mgmt_rp_read_adv_features *rp;
8358	size_t rp_len;
8359	int err;
8360	struct adv_info *adv_instance;
8361	u32 supported_flags;
8362	u8 *instance;
8363
8364	bt_dev_dbg(hdev, "sock %p", sk);
8365
8366	if (!lmp_le_capable(hdev))
8367	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_READ_ADV_FEATURES,
8368	MGMT_STATUS_REJECTED);
8369
8370	hci_dev_lock(hdev);
8371
8372	rp_len = sizeof(*rp) + hdev->adv_instance_cnt;
8373	rp = kmalloc(size: rp_len, GFP_ATOMIC);
8374	if (!rp) {
8375	hci_dev_unlock(hdev);
8376	return -ENOMEM;
8377	}
8378
8379	supported_flags = get_supported_adv_flags(hdev);
8380
8381	rp->supported_flags = cpu_to_le32(supported_flags);
8382	rp->max_adv_data_len = max_adv_len(hdev);
8383	rp->max_scan_rsp_len = max_adv_len(hdev);
8384	rp->max_instances = hdev->le_num_of_adv_sets;
8385	rp->num_instances = hdev->adv_instance_cnt;
8386
8387	instance = rp->instance;
8388	list_for_each_entry(adv_instance, &hdev->adv_instances, list) {
8389	/* Only instances 1-le_num_of_adv_sets are externally visible */
8390	if (adv_instance->instance <= hdev->adv_instance_cnt) {
8391	*instance = adv_instance->instance;
8392	instance++;
8393	} else {
8394	rp->num_instances--;
8395	rp_len--;
8396	}
8397	}
8398
8399	hci_dev_unlock(hdev);
8400
8401	err = mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_READ_ADV_FEATURES,
8402	MGMT_STATUS_SUCCESS, rp, rp_len);
8403
8404	kfree(objp: rp);
8405
8406	return err;
8407	}
8408
8409	static u8 calculate_name_len(struct hci_dev *hdev)
8410	{
8411	u8 buf[HCI_MAX_SHORT_NAME_LENGTH + 2]; /* len + type + name */
8412
8413	return eir_append_local_name(hdev, eir: buf, ad_len: 0);
8414	}
8415
8416	static u8 tlv_data_max_len(struct hci_dev *hdev, u32 adv_flags,
8417	bool is_adv_data)
8418	{
8419	u8 max_len = max_adv_len(hdev);
8420
8421	if (is_adv_data) {
8422	if (adv_flags & (MGMT_ADV_FLAG_DISCOV |
8423	MGMT_ADV_FLAG_LIMITED_DISCOV |
8424	MGMT_ADV_FLAG_MANAGED_FLAGS))
8425	max_len -= 3;
8426
8427	if (adv_flags & MGMT_ADV_FLAG_TX_POWER)
8428	max_len -= 3;
8429	} else {
8430	if (adv_flags & MGMT_ADV_FLAG_LOCAL_NAME)
8431	max_len -= calculate_name_len(hdev);
8432
8433	if (adv_flags & (MGMT_ADV_FLAG_APPEARANCE))
8434	max_len -= 4;
8435	}
8436
8437	return max_len;
8438	}
8439
8440	static bool flags_managed(u32 adv_flags)
8441	{
8442	return adv_flags & (MGMT_ADV_FLAG_DISCOV |
8443	MGMT_ADV_FLAG_LIMITED_DISCOV |
8444	MGMT_ADV_FLAG_MANAGED_FLAGS);
8445	}
8446
8447	static bool tx_power_managed(u32 adv_flags)
8448	{
8449	return adv_flags & MGMT_ADV_FLAG_TX_POWER;
8450	}
8451
8452	static bool name_managed(u32 adv_flags)
8453	{
8454	return adv_flags & MGMT_ADV_FLAG_LOCAL_NAME;
8455	}
8456
8457	static bool appearance_managed(u32 adv_flags)
8458	{
8459	return adv_flags & MGMT_ADV_FLAG_APPEARANCE;
8460	}
8461
8462	static bool tlv_data_is_valid(struct hci_dev *hdev, u32 adv_flags, u8 *data,
8463	u8 len, bool is_adv_data)
8464	{
8465	int i, cur_len;
8466	u8 max_len;
8467
8468	max_len = tlv_data_max_len(hdev, adv_flags, is_adv_data);
8469
8470	if (len > max_len)
8471	return false;
8472
8473	/* Make sure that the data is correctly formatted. */
8474	for (i = 0; i < len; i += (cur_len + 1)) {
8475	cur_len = data[i];
8476
8477	if (!cur_len)
8478	continue;
8479
8480	if (data[i + 1] == EIR_FLAGS &&
8481	(!is_adv_data || flags_managed(adv_flags)))
8482	return false;
8483
8484	if (data[i + 1] == EIR_TX_POWER && tx_power_managed(adv_flags))
8485	return false;
8486
8487	if (data[i + 1] == EIR_NAME_COMPLETE && name_managed(adv_flags))
8488	return false;
8489
8490	if (data[i + 1] == EIR_NAME_SHORT && name_managed(adv_flags))
8491	return false;
8492
8493	if (data[i + 1] == EIR_APPEARANCE &&
8494	appearance_managed(adv_flags))
8495	return false;
8496
8497	/* If the current field length would exceed the total data
8498	* length, then it's invalid.
8499	*/
8500	if (i + cur_len >= len)
8501	return false;
8502	}
8503
8504	return true;
8505	}
8506
8507	static bool requested_adv_flags_are_valid(struct hci_dev *hdev, u32 adv_flags)
8508	{
8509	u32 supported_flags, phy_flags;
8510
8511	/* The current implementation only supports a subset of the specified
8512	* flags. Also need to check mutual exclusiveness of sec flags.
8513	*/
8514	supported_flags = get_supported_adv_flags(hdev);
8515	phy_flags = adv_flags & MGMT_ADV_FLAG_SEC_MASK;
8516	if (adv_flags & ~supported_flags ||
8517	((phy_flags && (phy_flags ^ (phy_flags & -phy_flags)))))
8518	return false;
8519
8520	return true;
8521	}
8522
8523	static bool adv_busy(struct hci_dev *hdev)
8524	{
8525	return pending_find(MGMT_OP_SET_LE, hdev);
8526	}
8527
8528	static void add_adv_complete(struct hci_dev *hdev, struct sock *sk, u8 instance,
8529	int err)
8530	{
8531	struct adv_info *adv, *n;
8532
8533	bt_dev_dbg(hdev, "err %d", err);
8534
8535	hci_dev_lock(hdev);
8536
8537	list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) {
8538	u8 instance;
8539
8540	if (!adv->pending)
8541	continue;
8542
8543	if (!err) {
8544	adv->pending = false;
8545	continue;
8546	}
8547
8548	instance = adv->instance;
8549
8550	if (hdev->cur_adv_instance == instance)
8551	cancel_adv_timeout(hdev);
8552
8553	hci_remove_adv_instance(hdev, instance);
8554	mgmt_advertising_removed(sk, hdev, instance);
8555	}
8556
8557	hci_dev_unlock(hdev);
8558	}
8559
8560	static void add_advertising_complete(struct hci_dev *hdev, void *data, int err)
8561	{
8562	struct mgmt_pending_cmd *cmd = data;
8563	struct mgmt_cp_add_advertising *cp = cmd->param;
8564	struct mgmt_rp_add_advertising rp;
8565
8566	memset(&rp, 0, sizeof(rp));
8567
8568	rp.instance = cp->instance;
8569
8570	if (err)
8571	mgmt_cmd_status(sk: cmd->sk, index: cmd->index, cmd: cmd->opcode,
8572	status: mgmt_status(err));
8573	else
8574	mgmt_cmd_complete(sk: cmd->sk, index: cmd->index, cmd: cmd->opcode,
8575	status: mgmt_status(err), rp: &rp, rp_len: sizeof(rp));
8576
8577	add_adv_complete(hdev, sk: cmd->sk, instance: cp->instance, err);
8578
8579	mgmt_pending_free(cmd);
8580	}
8581
8582	static int add_advertising_sync(struct hci_dev *hdev, void *data)
8583	{
8584	struct mgmt_pending_cmd *cmd = data;
8585	struct mgmt_cp_add_advertising *cp = cmd->param;
8586
8587	return hci_schedule_adv_instance_sync(hdev, instance: cp->instance, force: true);
8588	}
8589
8590	static int add_advertising(struct sock *sk, struct hci_dev *hdev,
8591	void *data, u16 data_len)
8592	{
8593	struct mgmt_cp_add_advertising *cp = data;
8594	struct mgmt_rp_add_advertising rp;
8595	u32 flags;
8596	u8 status;
8597	u16 timeout, duration;
8598	unsigned int prev_instance_cnt;
8599	u8 schedule_instance = 0;
8600	struct adv_info *adv, *next_instance;
8601	int err;
8602	struct mgmt_pending_cmd *cmd;
8603
8604	bt_dev_dbg(hdev, "sock %p", sk);
8605
8606	status = mgmt_le_support(hdev);
8607	if (status)
8608	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_ADD_ADVERTISING,
8609	status);
8610
8611	if (cp->instance < 1 || cp->instance > hdev->le_num_of_adv_sets)
8612	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_ADD_ADVERTISING,
8613	MGMT_STATUS_INVALID_PARAMS);
8614
8615	if (data_len != sizeof(*cp) + cp->adv_data_len + cp->scan_rsp_len)
8616	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_ADD_ADVERTISING,
8617	MGMT_STATUS_INVALID_PARAMS);
8618
8619	flags = __le32_to_cpu(cp->flags);
8620	timeout = __le16_to_cpu(cp->timeout);
8621	duration = __le16_to_cpu(cp->duration);
8622
8623	if (!requested_adv_flags_are_valid(hdev, adv_flags: flags))
8624	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_ADD_ADVERTISING,
8625	MGMT_STATUS_INVALID_PARAMS);
8626
8627	hci_dev_lock(hdev);
8628
8629	if (timeout && !hdev_is_powered(hdev)) {
8630	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_ADD_ADVERTISING,
8631	MGMT_STATUS_REJECTED);
8632	goto unlock;
8633	}
8634
8635	if (adv_busy(hdev)) {
8636	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_ADD_ADVERTISING,
8637	MGMT_STATUS_BUSY);
8638	goto unlock;
8639	}
8640
8641	if (!tlv_data_is_valid(hdev, adv_flags: flags, data: cp->data, len: cp->adv_data_len, is_adv_data: true) ||
8642	!tlv_data_is_valid(hdev, adv_flags: flags, data: cp->data + cp->adv_data_len,
8643	len: cp->scan_rsp_len, is_adv_data: false)) {
8644	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_ADD_ADVERTISING,
8645	MGMT_STATUS_INVALID_PARAMS);
8646	goto unlock;
8647	}
8648
8649	prev_instance_cnt = hdev->adv_instance_cnt;
8650
8651	adv = hci_add_adv_instance(hdev, instance: cp->instance, flags,
8652	adv_data_len: cp->adv_data_len, adv_data: cp->data,
8653	scan_rsp_len: cp->scan_rsp_len,
8654	scan_rsp_data: cp->data + cp->adv_data_len,
8655	timeout, duration,
8656	HCI_ADV_TX_POWER_NO_PREFERENCE,
8657	min_interval: hdev->le_adv_min_interval,
8658	max_interval: hdev->le_adv_max_interval, mesh_handle: 0);
8659	if (IS_ERR(ptr: adv)) {
8660	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_ADD_ADVERTISING,
8661	MGMT_STATUS_FAILED);
8662	goto unlock;
8663	}
8664
8665	/* Only trigger an advertising added event if a new instance was
8666	* actually added.
8667	*/
8668	if (hdev->adv_instance_cnt > prev_instance_cnt)
8669	mgmt_advertising_added(sk, hdev, instance: cp->instance);
8670
8671	if (hdev->cur_adv_instance == cp->instance) {
8672	/* If the currently advertised instance is being changed then
8673	* cancel the current advertising and schedule the next
8674	* instance. If there is only one instance then the overridden
8675	* advertising data will be visible right away.
8676	*/
8677	cancel_adv_timeout(hdev);
8678
8679	next_instance = hci_get_next_instance(hdev, instance: cp->instance);
8680	if (next_instance)
8681	schedule_instance = next_instance->instance;
8682	} else if (!hdev->adv_instance_timeout) {
8683	/* Immediately advertise the new instance if no other
8684	* instance is currently being advertised.
8685	*/
8686	schedule_instance = cp->instance;
8687	}
8688
8689	/* If the HCI_ADVERTISING flag is set or the device isn't powered or
8690	* there is no instance to be advertised then we have no HCI
8691	* communication to make. Simply return.
8692	*/
8693	if (!hdev_is_powered(hdev) ||
8694	hci_dev_test_flag(hdev, HCI_ADVERTISING) ||
8695	!schedule_instance) {
8696	rp.instance = cp->instance;
8697	err = mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_ADD_ADVERTISING,
8698	MGMT_STATUS_SUCCESS, rp: &rp, rp_len: sizeof(rp));
8699	goto unlock;
8700	}
8701
8702	/* We're good to go, update advertising data, parameters, and start
8703	* advertising.
8704	*/
8705	cmd = mgmt_pending_new(sk, MGMT_OP_ADD_ADVERTISING, hdev, data,
8706	len: data_len);
8707	if (!cmd) {
8708	err = -ENOMEM;
8709	goto unlock;
8710	}
8711
8712	cp->instance = schedule_instance;
8713
8714	err = hci_cmd_sync_queue(hdev, func: add_advertising_sync, data: cmd,
8715	destroy: add_advertising_complete);
8716	if (err < 0)
8717	mgmt_pending_free(cmd);
8718
8719	unlock:
8720	hci_dev_unlock(hdev);
8721
8722	return err;
8723	}
8724
8725	static void add_ext_adv_params_complete(struct hci_dev *hdev, void *data,
8726	int err)
8727	{
8728	struct mgmt_pending_cmd *cmd = data;
8729	struct mgmt_cp_add_ext_adv_params *cp = cmd->param;
8730	struct mgmt_rp_add_ext_adv_params rp;
8731	struct adv_info *adv;
8732	u32 flags;
8733
8734	BT_DBG("%s", hdev->name);
8735
8736	hci_dev_lock(hdev);
8737
8738	adv = hci_find_adv_instance(hdev, instance: cp->instance);
8739	if (!adv)
8740	goto unlock;
8741
8742	rp.instance = cp->instance;
8743	rp.tx_power = adv->tx_power;
8744
8745	/* While we're at it, inform userspace of the available space for this
8746	* advertisement, given the flags that will be used.
8747	*/
8748	flags = __le32_to_cpu(cp->flags);
8749	rp.max_adv_data_len = tlv_data_max_len(hdev, adv_flags: flags, is_adv_data: true);
8750	rp.max_scan_rsp_len = tlv_data_max_len(hdev, adv_flags: flags, is_adv_data: false);
8751
8752	if (err) {
8753	/* If this advertisement was previously advertising and we
8754	* failed to update it, we signal that it has been removed and
8755	* delete its structure
8756	*/
8757	if (!adv->pending)
8758	mgmt_advertising_removed(sk: cmd->sk, hdev, instance: cp->instance);
8759
8760	hci_remove_adv_instance(hdev, instance: cp->instance);
8761
8762	mgmt_cmd_status(sk: cmd->sk, index: cmd->index, cmd: cmd->opcode,
8763	status: mgmt_status(err));
8764	} else {
8765	mgmt_cmd_complete(sk: cmd->sk, index: cmd->index, cmd: cmd->opcode,
8766	status: mgmt_status(err), rp: &rp, rp_len: sizeof(rp));
8767	}
8768
8769	unlock:
8770	mgmt_pending_free(cmd);
8771
8772	hci_dev_unlock(hdev);
8773	}
8774
8775	static int add_ext_adv_params_sync(struct hci_dev *hdev, void *data)
8776	{
8777	struct mgmt_pending_cmd *cmd = data;
8778	struct mgmt_cp_add_ext_adv_params *cp = cmd->param;
8779
8780	return hci_setup_ext_adv_instance_sync(hdev, instance: cp->instance);
8781	}
8782
8783	static int add_ext_adv_params(struct sock *sk, struct hci_dev *hdev,
8784	void *data, u16 data_len)
8785	{
8786	struct mgmt_cp_add_ext_adv_params *cp = data;
8787	struct mgmt_rp_add_ext_adv_params rp;
8788	struct mgmt_pending_cmd *cmd = NULL;
8789	struct adv_info *adv;
8790	u32 flags, min_interval, max_interval;
8791	u16 timeout, duration;
8792	u8 status;
8793	s8 tx_power;
8794	int err;
8795
8796	BT_DBG("%s", hdev->name);
8797
8798	status = mgmt_le_support(hdev);
8799	if (status)
8800	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
8801	status);
8802
8803	if (cp->instance < 1 || cp->instance > hdev->le_num_of_adv_sets)
8804	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
8805	MGMT_STATUS_INVALID_PARAMS);
8806
8807	/* The purpose of breaking add_advertising into two separate MGMT calls
8808	* for params and data is to allow more parameters to be added to this
8809	* structure in the future. For this reason, we verify that we have the
8810	* bare minimum structure we know of when the interface was defined. Any
8811	* extra parameters we don't know about will be ignored in this request.
8812	*/
8813	if (data_len < MGMT_ADD_EXT_ADV_PARAMS_MIN_SIZE)
8814	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
8815	MGMT_STATUS_INVALID_PARAMS);
8816
8817	flags = __le32_to_cpu(cp->flags);
8818
8819	if (!requested_adv_flags_are_valid(hdev, adv_flags: flags))
8820	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
8821	MGMT_STATUS_INVALID_PARAMS);
8822
8823	hci_dev_lock(hdev);
8824
8825	/* In new interface, we require that we are powered to register */
8826	if (!hdev_is_powered(hdev)) {
8827	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
8828	MGMT_STATUS_REJECTED);
8829	goto unlock;
8830	}
8831
8832	if (adv_busy(hdev)) {
8833	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
8834	MGMT_STATUS_BUSY);
8835	goto unlock;
8836	}
8837
8838	/* Parse defined parameters from request, use defaults otherwise */
8839	timeout = (flags & MGMT_ADV_PARAM_TIMEOUT) ?
8840	__le16_to_cpu(cp->timeout) : 0;
8841
8842	duration = (flags & MGMT_ADV_PARAM_DURATION) ?
8843	__le16_to_cpu(cp->duration) :
8844	hdev->def_multi_adv_rotation_duration;
8845
8846	min_interval = (flags & MGMT_ADV_PARAM_INTERVALS) ?
8847	__le32_to_cpu(cp->min_interval) :
8848	hdev->le_adv_min_interval;
8849
8850	max_interval = (flags & MGMT_ADV_PARAM_INTERVALS) ?
8851	__le32_to_cpu(cp->max_interval) :
8852	hdev->le_adv_max_interval;
8853
8854	tx_power = (flags & MGMT_ADV_PARAM_TX_POWER) ?
8855	cp->tx_power :
8856	HCI_ADV_TX_POWER_NO_PREFERENCE;
8857
8858	/* Create advertising instance with no advertising or response data */
8859	adv = hci_add_adv_instance(hdev, instance: cp->instance, flags, adv_data_len: 0, NULL, scan_rsp_len: 0, NULL,
8860	timeout, duration, tx_power, min_interval,
8861	max_interval, mesh_handle: 0);
8862
8863	if (IS_ERR(ptr: adv)) {
8864	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
8865	MGMT_STATUS_FAILED);
8866	goto unlock;
8867	}
8868
8869	/* Submit request for advertising params if ext adv available */
8870	if (ext_adv_capable(hdev)) {
8871	cmd = mgmt_pending_new(sk, MGMT_OP_ADD_EXT_ADV_PARAMS, hdev,
8872	data, len: data_len);
8873	if (!cmd) {
8874	err = -ENOMEM;
8875	hci_remove_adv_instance(hdev, instance: cp->instance);
8876	goto unlock;
8877	}
8878
8879	err = hci_cmd_sync_queue(hdev, func: add_ext_adv_params_sync, data: cmd,
8880	destroy: add_ext_adv_params_complete);
8881	if (err < 0)
8882	mgmt_pending_free(cmd);
8883	} else {
8884	rp.instance = cp->instance;
8885	rp.tx_power = HCI_ADV_TX_POWER_NO_PREFERENCE;
8886	rp.max_adv_data_len = tlv_data_max_len(hdev, adv_flags: flags, is_adv_data: true);
8887	rp.max_scan_rsp_len = tlv_data_max_len(hdev, adv_flags: flags, is_adv_data: false);
8888	err = mgmt_cmd_complete(sk, index: hdev->id,
8889	MGMT_OP_ADD_EXT_ADV_PARAMS,
8890	MGMT_STATUS_SUCCESS, rp: &rp, rp_len: sizeof(rp));
8891	}
8892
8893	unlock:
8894	hci_dev_unlock(hdev);
8895
8896	return err;
8897	}
8898
8899	static void add_ext_adv_data_complete(struct hci_dev *hdev, void *data, int err)
8900	{
8901	struct mgmt_pending_cmd *cmd = data;
8902	struct mgmt_cp_add_ext_adv_data *cp = cmd->param;
8903	struct mgmt_rp_add_advertising rp;
8904
8905	add_adv_complete(hdev, sk: cmd->sk, instance: cp->instance, err);
8906
8907	memset(&rp, 0, sizeof(rp));
8908
8909	rp.instance = cp->instance;
8910
8911	if (err)
8912	mgmt_cmd_status(sk: cmd->sk, index: cmd->index, cmd: cmd->opcode,
8913	status: mgmt_status(err));
8914	else
8915	mgmt_cmd_complete(sk: cmd->sk, index: cmd->index, cmd: cmd->opcode,
8916	status: mgmt_status(err), rp: &rp, rp_len: sizeof(rp));
8917
8918	mgmt_pending_free(cmd);
8919	}
8920
8921	static int add_ext_adv_data_sync(struct hci_dev *hdev, void *data)
8922	{
8923	struct mgmt_pending_cmd *cmd = data;
8924	struct mgmt_cp_add_ext_adv_data *cp = cmd->param;
8925	int err;
8926
8927	if (ext_adv_capable(hdev)) {
8928	err = hci_update_adv_data_sync(hdev, instance: cp->instance);
8929	if (err)
8930	return err;
8931
8932	err = hci_update_scan_rsp_data_sync(hdev, instance: cp->instance);
8933	if (err)
8934	return err;
8935
8936	return hci_enable_ext_advertising_sync(hdev, instance: cp->instance);
8937	}
8938
8939	return hci_schedule_adv_instance_sync(hdev, instance: cp->instance, force: true);
8940	}
8941
8942	static int add_ext_adv_data(struct sock *sk, struct hci_dev *hdev, void *data,
8943	u16 data_len)
8944	{
8945	struct mgmt_cp_add_ext_adv_data *cp = data;
8946	struct mgmt_rp_add_ext_adv_data rp;
8947	u8 schedule_instance = 0;
8948	struct adv_info *next_instance;
8949	struct adv_info *adv_instance;
8950	int err = 0;
8951	struct mgmt_pending_cmd *cmd;
8952
8953	BT_DBG("%s", hdev->name);
8954
8955	hci_dev_lock(hdev);
8956
8957	adv_instance = hci_find_adv_instance(hdev, instance: cp->instance);
8958
8959	if (!adv_instance) {
8960	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
8961	MGMT_STATUS_INVALID_PARAMS);
8962	goto unlock;
8963	}
8964
8965	/* In new interface, we require that we are powered to register */
8966	if (!hdev_is_powered(hdev)) {
8967	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
8968	MGMT_STATUS_REJECTED);
8969	goto clear_new_instance;
8970	}
8971
8972	if (adv_busy(hdev)) {
8973	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
8974	MGMT_STATUS_BUSY);
8975	goto clear_new_instance;
8976	}
8977
8978	/* Validate new data */
8979	if (!tlv_data_is_valid(hdev, adv_flags: adv_instance->flags, data: cp->data,
8980	len: cp->adv_data_len, is_adv_data: true) ||
8981	!tlv_data_is_valid(hdev, adv_flags: adv_instance->flags, data: cp->data +
8982	cp->adv_data_len, len: cp->scan_rsp_len, is_adv_data: false)) {
8983	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
8984	MGMT_STATUS_INVALID_PARAMS);
8985	goto clear_new_instance;
8986	}
8987
8988	/* Set the data in the advertising instance */
8989	hci_set_adv_instance_data(hdev, instance: cp->instance, adv_data_len: cp->adv_data_len,
8990	adv_data: cp->data, scan_rsp_len: cp->scan_rsp_len,
8991	scan_rsp_data: cp->data + cp->adv_data_len);
8992
8993	/* If using software rotation, determine next instance to use */
8994	if (hdev->cur_adv_instance == cp->instance) {
8995	/* If the currently advertised instance is being changed
8996	* then cancel the current advertising and schedule the
8997	* next instance. If there is only one instance then the
8998	* overridden advertising data will be visible right
8999	* away
9000	*/
9001	cancel_adv_timeout(hdev);
9002
9003	next_instance = hci_get_next_instance(hdev, instance: cp->instance);
9004	if (next_instance)
9005	schedule_instance = next_instance->instance;
9006	} else if (!hdev->adv_instance_timeout) {
9007	/* Immediately advertise the new instance if no other
9008	* instance is currently being advertised.
9009	*/
9010	schedule_instance = cp->instance;
9011	}
9012
9013	/* If the HCI_ADVERTISING flag is set or there is no instance to
9014	* be advertised then we have no HCI communication to make.
9015	* Simply return.
9016	*/
9017	if (hci_dev_test_flag(hdev, HCI_ADVERTISING) || !schedule_instance) {
9018	if (adv_instance->pending) {
9019	mgmt_advertising_added(sk, hdev, instance: cp->instance);
9020	adv_instance->pending = false;
9021	}
9022	rp.instance = cp->instance;
9023	err = mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
9024	MGMT_STATUS_SUCCESS, rp: &rp, rp_len: sizeof(rp));
9025	goto unlock;
9026	}
9027
9028	cmd = mgmt_pending_new(sk, MGMT_OP_ADD_EXT_ADV_DATA, hdev, data,
9029	len: data_len);
9030	if (!cmd) {
9031	err = -ENOMEM;
9032	goto clear_new_instance;
9033	}
9034
9035	err = hci_cmd_sync_queue(hdev, func: add_ext_adv_data_sync, data: cmd,
9036	destroy: add_ext_adv_data_complete);
9037	if (err < 0) {
9038	mgmt_pending_free(cmd);
9039	goto clear_new_instance;
9040	}
9041
9042	/* We were successful in updating data, so trigger advertising_added
9043	* event if this is an instance that wasn't previously advertising. If
9044	* a failure occurs in the requests we initiated, we will remove the
9045	* instance again in add_advertising_complete
9046	*/
9047	if (adv_instance->pending)
9048	mgmt_advertising_added(sk, hdev, instance: cp->instance);
9049
9050	goto unlock;
9051
9052	clear_new_instance:
9053	hci_remove_adv_instance(hdev, instance: cp->instance);
9054
9055	unlock:
9056	hci_dev_unlock(hdev);
9057
9058	return err;
9059	}
9060
9061	static void remove_advertising_complete(struct hci_dev *hdev, void *data,
9062	int err)
9063	{
9064	struct mgmt_pending_cmd *cmd = data;
9065	struct mgmt_cp_remove_advertising *cp = cmd->param;
9066	struct mgmt_rp_remove_advertising rp;
9067
9068	bt_dev_dbg(hdev, "err %d", err);
9069
9070	memset(&rp, 0, sizeof(rp));
9071	rp.instance = cp->instance;
9072
9073	if (err)
9074	mgmt_cmd_status(sk: cmd->sk, index: cmd->index, cmd: cmd->opcode,
9075	status: mgmt_status(err));
9076	else
9077	mgmt_cmd_complete(sk: cmd->sk, index: cmd->index, cmd: cmd->opcode,
9078	MGMT_STATUS_SUCCESS, rp: &rp, rp_len: sizeof(rp));
9079
9080	mgmt_pending_free(cmd);
9081	}
9082
9083	static int remove_advertising_sync(struct hci_dev *hdev, void *data)
9084	{
9085	struct mgmt_pending_cmd *cmd = data;
9086	struct mgmt_cp_remove_advertising *cp = cmd->param;
9087	int err;
9088
9089	err = hci_remove_advertising_sync(hdev, sk: cmd->sk, instance: cp->instance, force: true);
9090	if (err)
9091	return err;
9092
9093	if (list_empty(head: &hdev->adv_instances))
9094	err = hci_disable_advertising_sync(hdev);
9095
9096	return err;
9097	}
9098
9099	static int remove_advertising(struct sock *sk, struct hci_dev *hdev,
9100	void *data, u16 data_len)
9101	{
9102	struct mgmt_cp_remove_advertising *cp = data;
9103	struct mgmt_pending_cmd *cmd;
9104	int err;
9105
9106	bt_dev_dbg(hdev, "sock %p", sk);
9107
9108	hci_dev_lock(hdev);
9109
9110	if (cp->instance && !hci_find_adv_instance(hdev, instance: cp->instance)) {
9111	err = mgmt_cmd_status(sk, index: hdev->id,
9112	MGMT_OP_REMOVE_ADVERTISING,
9113	MGMT_STATUS_INVALID_PARAMS);
9114	goto unlock;
9115	}
9116
9117	if (pending_find(MGMT_OP_SET_LE, hdev)) {
9118	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_REMOVE_ADVERTISING,
9119	MGMT_STATUS_BUSY);
9120	goto unlock;
9121	}
9122
9123	if (list_empty(head: &hdev->adv_instances)) {
9124	err = mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_REMOVE_ADVERTISING,
9125	MGMT_STATUS_INVALID_PARAMS);
9126	goto unlock;
9127	}
9128
9129	cmd = mgmt_pending_new(sk, MGMT_OP_REMOVE_ADVERTISING, hdev, data,
9130	len: data_len);
9131	if (!cmd) {
9132	err = -ENOMEM;
9133	goto unlock;
9134	}
9135
9136	err = hci_cmd_sync_queue(hdev, func: remove_advertising_sync, data: cmd,
9137	destroy: remove_advertising_complete);
9138	if (err < 0)
9139	mgmt_pending_free(cmd);
9140
9141	unlock:
9142	hci_dev_unlock(hdev);
9143
9144	return err;
9145	}
9146
9147	static int get_adv_size_info(struct sock *sk, struct hci_dev *hdev,
9148	void *data, u16 data_len)
9149	{
9150	struct mgmt_cp_get_adv_size_info *cp = data;
9151	struct mgmt_rp_get_adv_size_info rp;
9152	u32 flags, supported_flags;
9153
9154	bt_dev_dbg(hdev, "sock %p", sk);
9155
9156	if (!lmp_le_capable(hdev))
9157	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_GET_ADV_SIZE_INFO,
9158	MGMT_STATUS_REJECTED);
9159
9160	if (cp->instance < 1 || cp->instance > hdev->le_num_of_adv_sets)
9161	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_GET_ADV_SIZE_INFO,
9162	MGMT_STATUS_INVALID_PARAMS);
9163
9164	flags = __le32_to_cpu(cp->flags);
9165
9166	/* The current implementation only supports a subset of the specified
9167	* flags.
9168	*/
9169	supported_flags = get_supported_adv_flags(hdev);
9170	if (flags & ~supported_flags)
9171	return mgmt_cmd_status(sk, index: hdev->id, MGMT_OP_GET_ADV_SIZE_INFO,
9172	MGMT_STATUS_INVALID_PARAMS);
9173
9174	rp.instance = cp->instance;
9175	rp.flags = cp->flags;
9176	rp.max_adv_data_len = tlv_data_max_len(hdev, adv_flags: flags, is_adv_data: true);
9177	rp.max_scan_rsp_len = tlv_data_max_len(hdev, adv_flags: flags, is_adv_data: false);
9178
9179	return mgmt_cmd_complete(sk, index: hdev->id, MGMT_OP_GET_ADV_SIZE_INFO,
9180	MGMT_STATUS_SUCCESS, rp: &rp, rp_len: sizeof(rp));
9181	}
9182
9183	static const struct hci_mgmt_handler mgmt_handlers[] = {
9184	{ NULL }, /* 0x0000 (no command) */
9185	{ read_version, MGMT_READ_VERSION_SIZE,
9186	HCI_MGMT_NO_HDEV |
9187	HCI_MGMT_UNTRUSTED },
9188	{ read_commands, MGMT_READ_COMMANDS_SIZE,
9189	HCI_MGMT_NO_HDEV |
9190	HCI_MGMT_UNTRUSTED },
9191	{ read_index_list, MGMT_READ_INDEX_LIST_SIZE,
9192	HCI_MGMT_NO_HDEV |
9193	HCI_MGMT_UNTRUSTED },
9194	{ read_controller_info, MGMT_READ_INFO_SIZE,
9195	HCI_MGMT_UNTRUSTED },
9196	{ set_powered, MGMT_SETTING_SIZE },
9197	{ set_discoverable, MGMT_SET_DISCOVERABLE_SIZE },
9198	{ set_connectable, MGMT_SETTING_SIZE },
9199	{ set_fast_connectable, MGMT_SETTING_SIZE },
9200	{ set_bondable, MGMT_SETTING_SIZE },
9201	{ set_link_security, MGMT_SETTING_SIZE },
9202	{ set_ssp, MGMT_SETTING_SIZE },
9203	{ set_hs, MGMT_SETTING_SIZE },
9204	{ set_le, MGMT_SETTING_SIZE },
9205	{ set_dev_class, MGMT_SET_DEV_CLASS_SIZE },
9206	{ set_local_name, MGMT_SET_LOCAL_NAME_SIZE },
9207	{ add_uuid, MGMT_ADD_UUID_SIZE },
9208	{ remove_uuid, MGMT_REMOVE_UUID_SIZE },
9209	{ load_link_keys, MGMT_LOAD_LINK_KEYS_SIZE,
9210	HCI_MGMT_VAR_LEN },
9211	{ load_long_term_keys, MGMT_LOAD_LONG_TERM_KEYS_SIZE,
9212	HCI_MGMT_VAR_LEN },
9213	{ disconnect, MGMT_DISCONNECT_SIZE },
9214	{ get_connections, MGMT_GET_CONNECTIONS_SIZE },
9215	{ pin_code_reply, MGMT_PIN_CODE_REPLY_SIZE },
9216	{ pin_code_neg_reply, MGMT_PIN_CODE_NEG_REPLY_SIZE },
9217	{ set_io_capability, MGMT_SET_IO_CAPABILITY_SIZE },
9218	{ pair_device, MGMT_PAIR_DEVICE_SIZE },
9219	{ cancel_pair_device, MGMT_CANCEL_PAIR_DEVICE_SIZE },
9220	{ unpair_device, MGMT_UNPAIR_DEVICE_SIZE },
9221	{ user_confirm_reply, MGMT_USER_CONFIRM_REPLY_SIZE },
9222	{ user_confirm_neg_reply, MGMT_USER_CONFIRM_NEG_REPLY_SIZE },
9223	{ user_passkey_reply, MGMT_USER_PASSKEY_REPLY_SIZE },
9224	{ user_passkey_neg_reply, MGMT_USER_PASSKEY_NEG_REPLY_SIZE },
9225	{ read_local_oob_data, MGMT_READ_LOCAL_OOB_DATA_SIZE },
9226	{ add_remote_oob_data, MGMT_ADD_REMOTE_OOB_DATA_SIZE,
9227	HCI_MGMT_VAR_LEN },
9228	{ remove_remote_oob_data, MGMT_REMOVE_REMOTE_OOB_DATA_SIZE },
9229	{ start_discovery, MGMT_START_DISCOVERY_SIZE },
9230	{ stop_discovery, MGMT_STOP_DISCOVERY_SIZE },
9231	{ confirm_name, MGMT_CONFIRM_NAME_SIZE },
9232	{ block_device, MGMT_BLOCK_DEVICE_SIZE },
9233	{ unblock_device, MGMT_UNBLOCK_DEVICE_SIZE },
9234	{ set_device_id, MGMT_SET_DEVICE_ID_SIZE },
9235	{ set_advertising, MGMT_SETTING_SIZE },
9236	{ set_bredr, MGMT_SETTING_SIZE },
9237	{ set_static_address, MGMT_SET_STATIC_ADDRESS_SIZE },
9238	{ set_scan_params, MGMT_SET_SCAN_PARAMS_SIZE },
9239	{ set_secure_conn, MGMT_SETTING_SIZE },
9240	{ set_debug_keys, MGMT_SETTING_SIZE },
9241	{ set_privacy, MGMT_SET_PRIVACY_SIZE },
9242	{ load_irks, MGMT_LOAD_IRKS_SIZE,
9243	HCI_MGMT_VAR_LEN },
9244	{ get_conn_info, MGMT_GET_CONN_INFO_SIZE },
9245	{ get_clock_info, MGMT_GET_CLOCK_INFO_SIZE },
9246	{ add_device, MGMT_ADD_DEVICE_SIZE },
9247	{ remove_device, MGMT_REMOVE_DEVICE_SIZE },
9248	{ load_conn_param, MGMT_LOAD_CONN_PARAM_SIZE,
9249	HCI_MGMT_VAR_LEN },
9250	{ read_unconf_index_list, MGMT_READ_UNCONF_INDEX_LIST_SIZE,
9251	HCI_MGMT_NO_HDEV |
9252	HCI_MGMT_UNTRUSTED },
9253	{ read_config_info, MGMT_READ_CONFIG_INFO_SIZE,
9254	HCI_MGMT_UNCONFIGURED |
9255	HCI_MGMT_UNTRUSTED },
9256	{ set_external_config, MGMT_SET_EXTERNAL_CONFIG_SIZE,
9257	HCI_MGMT_UNCONFIGURED },
9258	{ set_public_address, MGMT_SET_PUBLIC_ADDRESS_SIZE,
9259	HCI_MGMT_UNCONFIGURED },
9260	{ start_service_discovery, MGMT_START_SERVICE_DISCOVERY_SIZE,
9261	HCI_MGMT_VAR_LEN },
9262	{ read_local_oob_ext_data, MGMT_READ_LOCAL_OOB_EXT_DATA_SIZE },
9263	{ read_ext_index_list, MGMT_READ_EXT_INDEX_LIST_SIZE,
9264	HCI_MGMT_NO_HDEV |
9265	HCI_MGMT_UNTRUSTED },
9266	{ read_adv_features, MGMT_READ_ADV_FEATURES_SIZE },
9267	{ add_advertising, MGMT_ADD_ADVERTISING_SIZE,
9268	HCI_MGMT_VAR_LEN },
9269	{ remove_advertising, MGMT_REMOVE_ADVERTISING_SIZE },
9270	{ get_adv_size_info, MGMT_GET_ADV_SIZE_INFO_SIZE },
9271	{ start_limited_discovery, MGMT_START_DISCOVERY_SIZE },
9272	{ read_ext_controller_info,MGMT_READ_EXT_INFO_SIZE,
9273	HCI_MGMT_UNTRUSTED },
9274	{ set_appearance, MGMT_SET_APPEARANCE_SIZE },
9275	{ get_phy_configuration, MGMT_GET_PHY_CONFIGURATION_SIZE },
9276	{ set_phy_configuration, MGMT_SET_PHY_CONFIGURATION_SIZE },
9277	{ set_blocked_keys, MGMT_OP_SET_BLOCKED_KEYS_SIZE,
9278	HCI_MGMT_VAR_LEN },
9279	{ set_wideband_speech, MGMT_SETTING_SIZE },
9280	{ read_controller_cap, MGMT_READ_CONTROLLER_CAP_SIZE,
9281	HCI_MGMT_UNTRUSTED },
9282	{ read_exp_features_info, MGMT_READ_EXP_FEATURES_INFO_SIZE,
9283	HCI_MGMT_UNTRUSTED |
9284	HCI_MGMT_HDEV_OPTIONAL },
9285	{ set_exp_feature, MGMT_SET_EXP_FEATURE_SIZE,
9286	HCI_MGMT_VAR_LEN |
9287	HCI_MGMT_HDEV_OPTIONAL },
9288	{ read_def_system_config, MGMT_READ_DEF_SYSTEM_CONFIG_SIZE,
9289	HCI_MGMT_UNTRUSTED },
9290	{ set_def_system_config, MGMT_SET_DEF_SYSTEM_CONFIG_SIZE,
9291	HCI_MGMT_VAR_LEN },
9292	{ read_def_runtime_config, MGMT_READ_DEF_RUNTIME_CONFIG_SIZE,
9293	HCI_MGMT_UNTRUSTED },
9294	{ set_def_runtime_config, MGMT_SET_DEF_RUNTIME_CONFIG_SIZE,
9295	HCI_MGMT_VAR_LEN },
9296	{ get_device_flags, MGMT_GET_DEVICE_FLAGS_SIZE },
9297	{ set_device_flags, MGMT_SET_DEVICE_FLAGS_SIZE },
9298	{ read_adv_mon_features, MGMT_READ_ADV_MONITOR_FEATURES_SIZE },
9299	{ add_adv_patterns_monitor,MGMT_ADD_ADV_PATTERNS_MONITOR_SIZE,
9300	HCI_MGMT_VAR_LEN },
9301	{ remove_adv_monitor, MGMT_REMOVE_ADV_MONITOR_SIZE },
9302	{ add_ext_adv_params, MGMT_ADD_EXT_ADV_PARAMS_MIN_SIZE,
9303	HCI_MGMT_VAR_LEN },
9304	{ add_ext_adv_data, MGMT_ADD_EXT_ADV_DATA_SIZE,
9305	HCI_MGMT_VAR_LEN },
9306	{ add_adv_patterns_monitor_rssi,
9307	MGMT_ADD_ADV_PATTERNS_MONITOR_RSSI_SIZE,
9308	HCI_MGMT_VAR_LEN },
9309	{ set_mesh, MGMT_SET_MESH_RECEIVER_SIZE,
9310	HCI_MGMT_VAR_LEN },
9311	{ mesh_features, MGMT_MESH_READ_FEATURES_SIZE },
9312	{ mesh_send, MGMT_MESH_SEND_SIZE,
9313	HCI_MGMT_VAR_LEN },
9314	{ mesh_send_cancel, MGMT_MESH_SEND_CANCEL_SIZE },
9315	};
9316
9317	void mgmt_index_added(struct hci_dev *hdev)
9318	{
9319	struct mgmt_ev_ext_index ev;
9320
9321	if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
9322	return;
9323
9324	switch (hdev->dev_type) {
9325	case HCI_PRIMARY:
9326	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
9327	mgmt_index_event(MGMT_EV_UNCONF_INDEX_ADDED, hdev,
9328	NULL, len: 0, flag: HCI_MGMT_UNCONF_INDEX_EVENTS);
9329	ev.type = 0x01;
9330	} else {
9331	mgmt_index_event(MGMT_EV_INDEX_ADDED, hdev, NULL, len: 0,
9332	flag: HCI_MGMT_INDEX_EVENTS);
9333	ev.type = 0x00;
9334	}
9335	break;
9336	case HCI_AMP:
9337	ev.type = 0x02;
9338	break;
9339	default:
9340	return;
9341	}
9342
9343	ev.bus = hdev->bus;
9344
9345	mgmt_index_event(MGMT_EV_EXT_INDEX_ADDED, hdev, data: &ev, len: sizeof(ev),
9346	flag: HCI_MGMT_EXT_INDEX_EVENTS);
9347	}
9348
9349	void mgmt_index_removed(struct hci_dev *hdev)
9350	{
9351	struct mgmt_ev_ext_index ev;
9352	u8 status = MGMT_STATUS_INVALID_INDEX;
9353
9354	if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
9355	return;
9356
9357	switch (hdev->dev_type) {
9358	case HCI_PRIMARY:
9359	mgmt_pending_foreach(opcode: 0, hdev, cb: cmd_complete_rsp, data: &status);
9360
9361	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
9362	mgmt_index_event(MGMT_EV_UNCONF_INDEX_REMOVED, hdev,
9363	NULL, len: 0, flag: HCI_MGMT_UNCONF_INDEX_EVENTS);
9364	ev.type = 0x01;
9365	} else {
9366	mgmt_index_event(MGMT_EV_INDEX_REMOVED, hdev, NULL, len: 0,
9367	flag: HCI_MGMT_INDEX_EVENTS);
9368	ev.type = 0x00;
9369	}
9370	break;
9371	case HCI_AMP:
9372	ev.type = 0x02;
9373	break;
9374	default:
9375	return;
9376	}
9377
9378	ev.bus = hdev->bus;
9379
9380	mgmt_index_event(MGMT_EV_EXT_INDEX_REMOVED, hdev, data: &ev, len: sizeof(ev),
9381	flag: HCI_MGMT_EXT_INDEX_EVENTS);
9382
9383	/* Cancel any remaining timed work */
9384	if (!hci_dev_test_flag(hdev, HCI_MGMT))
9385	return;
9386	cancel_delayed_work_sync(dwork: &hdev->discov_off);
9387	cancel_delayed_work_sync(dwork: &hdev->service_cache);
9388	cancel_delayed_work_sync(dwork: &hdev->rpa_expired);
9389	}
9390
9391	void mgmt_power_on(struct hci_dev *hdev, int err)
9392	{
9393	struct cmd_lookup match = { NULL, hdev };
9394
9395	bt_dev_dbg(hdev, "err %d", err);
9396
9397	hci_dev_lock(hdev);
9398
9399	if (!err) {
9400	restart_le_actions(hdev);
9401	hci_update_passive_scan(hdev);
9402	}
9403
9404	mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, cb: settings_rsp, data: &match);
9405
9406	new_settings(hdev, skip: match.sk);
9407
9408	if (match.sk)
9409	sock_put(sk: match.sk);
9410
9411	hci_dev_unlock(hdev);
9412	}
9413
9414	void __mgmt_power_off(struct hci_dev *hdev)
9415	{
9416	struct cmd_lookup match = { NULL, hdev };
9417	u8 status, zero_cod[] = { 0, 0, 0 };
9418
9419	mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, cb: settings_rsp, data: &match);
9420
9421	/* If the power off is because of hdev unregistration let
9422	* use the appropriate INVALID_INDEX status. Otherwise use
9423	* NOT_POWERED. We cover both scenarios here since later in
9424	* mgmt_index_removed() any hci_conn callbacks will have already
9425	* been triggered, potentially causing misleading DISCONNECTED
9426	* status responses.
9427	*/
9428	if (hci_dev_test_flag(hdev, HCI_UNREGISTER))
9429	status = MGMT_STATUS_INVALID_INDEX;
9430	else
9431	status = MGMT_STATUS_NOT_POWERED;
9432
9433	mgmt_pending_foreach(opcode: 0, hdev, cb: cmd_complete_rsp, data: &status);
9434
9435	if (memcmp(p: hdev->dev_class, q: zero_cod, size: sizeof(zero_cod)) != 0) {
9436	mgmt_limited_event(MGMT_EV_CLASS_OF_DEV_CHANGED, hdev,
9437	data: zero_cod, len: sizeof(zero_cod),
9438	flag: HCI_MGMT_DEV_CLASS_EVENTS, NULL);
9439	ext_info_changed(hdev, NULL);
9440	}
9441
9442	new_settings(hdev, skip: match.sk);
9443
9444	if (match.sk)
9445	sock_put(sk: match.sk);
9446	}
9447
9448	void mgmt_set_powered_failed(struct hci_dev *hdev, int err)
9449	{
9450	struct mgmt_pending_cmd *cmd;
9451	u8 status;
9452
9453	cmd = pending_find(MGMT_OP_SET_POWERED, hdev);
9454	if (!cmd)
9455	return;
9456
9457	if (err == -ERFKILL)
9458	status = MGMT_STATUS_RFKILLED;
9459	else
9460	status = MGMT_STATUS_FAILED;
9461
9462	mgmt_cmd_status(sk: cmd->sk, index: hdev->id, MGMT_OP_SET_POWERED, status);
9463
9464	mgmt_pending_remove(cmd);
9465	}
9466
9467	void mgmt_new_link_key(struct hci_dev *hdev, struct link_key *key,
9468	bool persistent)
9469	{
9470	struct mgmt_ev_new_link_key ev;
9471
9472	memset(&ev, 0, sizeof(ev));
9473
9474	ev.store_hint = persistent;
9475	bacpy(dst: &ev.key.addr.bdaddr, src: &key->bdaddr);
9476	ev.key.addr.type = link_to_bdaddr(link_type: key->link_type, addr_type: key->bdaddr_type);
9477	ev.key.type = key->type;
9478	memcpy(ev.key.val, key->val, HCI_LINK_KEY_SIZE);
9479	ev.key.pin_len = key->pin_len;
9480
9481	mgmt_event(MGMT_EV_NEW_LINK_KEY, hdev, data: &ev, len: sizeof(ev), NULL);
9482	}
9483
9484	static u8 mgmt_ltk_type(struct smp_ltk *ltk)
9485	{
9486	switch (ltk->type) {
9487	case SMP_LTK:
9488	case SMP_LTK_RESPONDER:
9489	if (ltk->authenticated)
9490	return MGMT_LTK_AUTHENTICATED;
9491	return MGMT_LTK_UNAUTHENTICATED;
9492	case SMP_LTK_P256:
9493	if (ltk->authenticated)
9494	return MGMT_LTK_P256_AUTH;
9495	return MGMT_LTK_P256_UNAUTH;
9496	case SMP_LTK_P256_DEBUG:
9497	return MGMT_LTK_P256_DEBUG;
9498	}
9499
9500	return MGMT_LTK_UNAUTHENTICATED;
9501	}
9502
9503	void mgmt_new_ltk(struct hci_dev *hdev, struct smp_ltk *key, bool persistent)
9504	{
9505	struct mgmt_ev_new_long_term_key ev;
9506
9507	memset(&ev, 0, sizeof(ev));
9508
9509	/* Devices using resolvable or non-resolvable random addresses
9510	* without providing an identity resolving key don't require
9511	* to store long term keys. Their addresses will change the
9512	* next time around.
9513	*
9514	* Only when a remote device provides an identity address
9515	* make sure the long term key is stored. If the remote
9516	* identity is known, the long term keys are internally
9517	* mapped to the identity address. So allow static random
9518	* and public addresses here.
9519	*/
9520	if (key->bdaddr_type == ADDR_LE_DEV_RANDOM &&
9521	(key->bdaddr.b[5] & 0xc0) != 0xc0)
9522	ev.store_hint = 0x00;
9523	else
9524	ev.store_hint = persistent;
9525
9526	bacpy(dst: &ev.key.addr.bdaddr, src: &key->bdaddr);
9527	ev.key.addr.type = link_to_bdaddr(link_type: key->link_type, addr_type: key->bdaddr_type);
9528	ev.key.type = mgmt_ltk_type(ltk: key);
9529	ev.key.enc_size = key->enc_size;
9530	ev.key.ediv = key->ediv;
9531	ev.key.rand = key->rand;
9532
9533	if (key->type == SMP_LTK)
9534	ev.key.initiator = 1;
9535
9536	/* Make sure we copy only the significant bytes based on the
9537	* encryption key size, and set the rest of the value to zeroes.
9538	*/
9539	memcpy(ev.key.val, key->val, key->enc_size);
9540	memset(ev.key.val + key->enc_size, 0,
9541	sizeof(ev.key.val) - key->enc_size);
9542
9543	mgmt_event(MGMT_EV_NEW_LONG_TERM_KEY, hdev, data: &ev, len: sizeof(ev), NULL);
9544	}
9545
9546	void mgmt_new_irk(struct hci_dev *hdev, struct smp_irk *irk, bool persistent)
9547	{
9548	struct mgmt_ev_new_irk ev;
9549
9550	memset(&ev, 0, sizeof(ev));
9551
9552	ev.store_hint = persistent;
9553
9554	bacpy(dst: &ev.rpa, src: &irk->rpa);
9555	bacpy(dst: &ev.irk.addr.bdaddr, src: &irk->bdaddr);
9556	ev.irk.addr.type = link_to_bdaddr(link_type: irk->link_type, addr_type: irk->addr_type);
9557	memcpy(ev.irk.val, irk->val, sizeof(irk->val));
9558
9559	mgmt_event(MGMT_EV_NEW_IRK, hdev, data: &ev, len: sizeof(ev), NULL);
9560	}
9561
9562	void mgmt_new_csrk(struct hci_dev *hdev, struct smp_csrk *csrk,
9563	bool persistent)
9564	{
9565	struct mgmt_ev_new_csrk ev;
9566
9567	memset(&ev, 0, sizeof(ev));
9568
9569	/* Devices using resolvable or non-resolvable random addresses
9570	* without providing an identity resolving key don't require
9571	* to store signature resolving keys. Their addresses will change
9572	* the next time around.
9573	*
9574	* Only when a remote device provides an identity address
9575	* make sure the signature resolving key is stored. So allow
9576	* static random and public addresses here.
9577	*/
9578	if (csrk->bdaddr_type == ADDR_LE_DEV_RANDOM &&
9579	(csrk->bdaddr.b[5] & 0xc0) != 0xc0)
9580	ev.store_hint = 0x00;
9581	else
9582	ev.store_hint = persistent;
9583
9584	bacpy(dst: &ev.key.addr.bdaddr, src: &csrk->bdaddr);
9585	ev.key.addr.type = link_to_bdaddr(link_type: csrk->link_type, addr_type: csrk->bdaddr_type);
9586	ev.key.type = csrk->type;
9587	memcpy(ev.key.val, csrk->val, sizeof(csrk->val));
9588
9589	mgmt_event(MGMT_EV_NEW_CSRK, hdev, data: &ev, len: sizeof(ev), NULL);
9590	}
9591
9592	void mgmt_new_conn_param(struct hci_dev *hdev, bdaddr_t *bdaddr,
9593	u8 bdaddr_type, u8 store_hint, u16 min_interval,
9594	u16 max_interval, u16 latency, u16 timeout)
9595	{
9596	struct mgmt_ev_new_conn_param ev;
9597
9598	if (!hci_is_identity_address(addr: bdaddr, addr_type: bdaddr_type))
9599	return;
9600
9601	memset(&ev, 0, sizeof(ev));
9602	bacpy(dst: &ev.addr.bdaddr, src: bdaddr);
9603	ev.addr.type = link_to_bdaddr(LE_LINK, addr_type: bdaddr_type);
9604	ev.store_hint = store_hint;
9605	ev.min_interval = cpu_to_le16(min_interval);
9606	ev.max_interval = cpu_to_le16(max_interval);
9607	ev.latency = cpu_to_le16(latency);
9608	ev.timeout = cpu_to_le16(timeout);
9609
9610	mgmt_event(MGMT_EV_NEW_CONN_PARAM, hdev, data: &ev, len: sizeof(ev), NULL);
9611	}
9612
9613	void mgmt_device_connected(struct hci_dev *hdev, struct hci_conn *conn,
9614	u8 *name, u8 name_len)
9615	{
9616	struct sk_buff *skb;
9617	struct mgmt_ev_device_connected *ev;
9618	u16 eir_len = 0;
9619	u32 flags = 0;
9620
9621	if (test_and_set_bit(nr: HCI_CONN_MGMT_CONNECTED, addr: &conn->flags))
9622	return;
9623
9624	/* allocate buff for LE or BR/EDR adv */
9625	if (conn->le_adv_data_len > 0)
9626	skb = mgmt_alloc_skb(hdev, MGMT_EV_DEVICE_CONNECTED,
9627	size: sizeof(*ev) + conn->le_adv_data_len);
9628	else
9629	skb = mgmt_alloc_skb(hdev, MGMT_EV_DEVICE_CONNECTED,
9630	size: sizeof(*ev) + (name ? eir_precalc_len(data_len: name_len) : 0) +
9631	eir_precalc_len(data_len: sizeof(conn->dev_class)));
9632
9633	ev = skb_put(skb, len: sizeof(*ev));
9634	bacpy(dst: &ev->addr.bdaddr, src: &conn->dst);
9635	ev->addr.type = link_to_bdaddr(link_type: conn->type, addr_type: conn->dst_type);
9636
9637	if (conn->out)
9638	flags |= MGMT_DEV_FOUND_INITIATED_CONN;
9639
9640	ev->flags = __cpu_to_le32(flags);
9641
9642	/* We must ensure that the EIR Data fields are ordered and
9643	* unique. Keep it simple for now and avoid the problem by not
9644	* adding any BR/EDR data to the LE adv.
9645	*/
9646	if (conn->le_adv_data_len > 0) {
9647	skb_put_data(skb, data: conn->le_adv_data, len: conn->le_adv_data_len);
9648	eir_len = conn->le_adv_data_len;
9649	} else {
9650	if (name)
9651	eir_len += eir_skb_put_data(skb, EIR_NAME_COMPLETE, data: name, data_len: name_len);
9652
9653	if (memcmp(p: conn->dev_class, q: "\0\0\0", size: sizeof(conn->dev_class)))
9654	eir_len += eir_skb_put_data(skb, EIR_CLASS_OF_DEV,
9655	data: conn->dev_class, data_len: sizeof(conn->dev_class));
9656	}
9657
9658	ev->eir_len = cpu_to_le16(eir_len);
9659
9660	mgmt_event_skb(skb, NULL);
9661	}
9662
9663	static void disconnect_rsp(struct mgmt_pending_cmd *cmd, void *data)
9664	{
9665	struct sock **sk = data;
9666
9667	cmd->cmd_complete(cmd, 0);
9668
9669	*sk = cmd->sk;
9670	sock_hold(sk: *sk);
9671
9672	mgmt_pending_remove(cmd);
9673	}
9674
9675	static void unpair_device_rsp(struct mgmt_pending_cmd *cmd, void *data)
9676	{
9677	struct hci_dev *hdev = data;
9678	struct mgmt_cp_unpair_device *cp = cmd->param;
9679
9680	device_unpaired(hdev, bdaddr: &cp->addr.bdaddr, addr_type: cp->addr.type, skip_sk: cmd->sk);
9681
9682	cmd->cmd_complete(cmd, 0);
9683	mgmt_pending_remove(cmd);
9684	}
9685
9686	bool mgmt_powering_down(struct hci_dev *hdev)
9687	{
9688	struct mgmt_pending_cmd *cmd;
9689	struct mgmt_mode *cp;
9690
9691	if (hci_dev_test_flag(hdev, HCI_POWERING_DOWN))
9692	return true;
9693
9694	cmd = pending_find(MGMT_OP_SET_POWERED, hdev);
9695	if (!cmd)
9696	return false;
9697
9698	cp = cmd->param;
9699	if (!cp->val)
9700	return true;
9701
9702	return false;
9703	}
9704
9705	void mgmt_device_disconnected(struct hci_dev *hdev, bdaddr_t *bdaddr,
9706	u8 link_type, u8 addr_type, u8 reason,
9707	bool mgmt_connected)
9708	{
9709	struct mgmt_ev_device_disconnected ev;
9710	struct sock *sk = NULL;
9711
9712	if (!mgmt_connected)
9713	return;
9714
9715	if (link_type != ACL_LINK && link_type != LE_LINK)
9716	return;
9717
9718	mgmt_pending_foreach(MGMT_OP_DISCONNECT, hdev, cb: disconnect_rsp, data: &sk);
9719
9720	bacpy(dst: &ev.addr.bdaddr, src: bdaddr);
9721	ev.addr.type = link_to_bdaddr(link_type, addr_type);
9722	ev.reason = reason;
9723
9724	/* Report disconnects due to suspend */
9725	if (hdev->suspended)
9726	ev.reason = MGMT_DEV_DISCONN_LOCAL_HOST_SUSPEND;
9727
9728	mgmt_event(MGMT_EV_DEVICE_DISCONNECTED, hdev, data: &ev, len: sizeof(ev), skip_sk: sk);
9729
9730	if (sk)
9731	sock_put(sk);
9732
9733	mgmt_pending_foreach(MGMT_OP_UNPAIR_DEVICE, hdev, cb: unpair_device_rsp,
9734	data: hdev);
9735	}
9736
9737	void mgmt_disconnect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr,
9738	u8 link_type, u8 addr_type, u8 status)
9739	{
9740	u8 bdaddr_type = link_to_bdaddr(link_type, addr_type);
9741	struct mgmt_cp_disconnect *cp;
9742	struct mgmt_pending_cmd *cmd;
9743
9744	mgmt_pending_foreach(MGMT_OP_UNPAIR_DEVICE, hdev, cb: unpair_device_rsp,
9745	data: hdev);
9746
9747	cmd = pending_find(MGMT_OP_DISCONNECT, hdev);
9748	if (!cmd)
9749	return;
9750
9751	cp = cmd->param;
9752
9753	if (bacmp(ba1: bdaddr, ba2: &cp->addr.bdaddr))
9754	return;
9755
9756	if (cp->addr.type != bdaddr_type)
9757	return;
9758
9759	cmd->cmd_complete(cmd, mgmt_status(err: status));
9760	mgmt_pending_remove(cmd);
9761	}
9762
9763	void mgmt_connect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
9764	u8 addr_type, u8 status)
9765	{
9766	struct mgmt_ev_connect_failed ev;
9767
9768	bacpy(dst: &ev.addr.bdaddr, src: bdaddr);
9769	ev.addr.type = link_to_bdaddr(link_type, addr_type);
9770	ev.status = mgmt_status(err: status);
9771
9772	mgmt_event(MGMT_EV_CONNECT_FAILED, hdev, data: &ev, len: sizeof(ev), NULL);
9773	}
9774
9775	void mgmt_pin_code_request(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 secure)
9776	{
9777	struct mgmt_ev_pin_code_request ev;
9778
9779	bacpy(dst: &ev.addr.bdaddr, src: bdaddr);
9780	ev.addr.type = BDADDR_BREDR;
9781	ev.secure = secure;
9782
9783	mgmt_event(MGMT_EV_PIN_CODE_REQUEST, hdev, data: &ev, len: sizeof(ev), NULL);
9784	}
9785
9786	void mgmt_pin_code_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9787	u8 status)
9788	{
9789	struct mgmt_pending_cmd *cmd;
9790
9791	cmd = pending_find(MGMT_OP_PIN_CODE_REPLY, hdev);
9792	if (!cmd)
9793	return;
9794
9795	cmd->cmd_complete(cmd, mgmt_status(err: status));
9796	mgmt_pending_remove(cmd);
9797	}
9798
9799	void mgmt_pin_code_neg_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9800	u8 status)
9801	{
9802	struct mgmt_pending_cmd *cmd;
9803
9804	cmd = pending_find(MGMT_OP_PIN_CODE_NEG_REPLY, hdev);
9805	if (!cmd)
9806	return;
9807
9808	cmd->cmd_complete(cmd, mgmt_status(err: status));
9809	mgmt_pending_remove(cmd);
9810	}
9811
9812	int mgmt_user_confirm_request(struct hci_dev *hdev, bdaddr_t *bdaddr,
9813	u8 link_type, u8 addr_type, u32 value,
9814	u8 confirm_hint)
9815	{
9816	struct mgmt_ev_user_confirm_request ev;
9817
9818	bt_dev_dbg(hdev, "bdaddr %pMR", bdaddr);
9819
9820	bacpy(dst: &ev.addr.bdaddr, src: bdaddr);
9821	ev.addr.type = link_to_bdaddr(link_type, addr_type);
9822	ev.confirm_hint = confirm_hint;
9823	ev.value = cpu_to_le32(value);
9824
9825	return mgmt_event(MGMT_EV_USER_CONFIRM_REQUEST, hdev, data: &ev, len: sizeof(ev),
9826	NULL);
9827	}
9828
9829	int mgmt_user_passkey_request(struct hci_dev *hdev, bdaddr_t *bdaddr,
9830	u8 link_type, u8 addr_type)
9831	{
9832	struct mgmt_ev_user_passkey_request ev;
9833
9834	bt_dev_dbg(hdev, "bdaddr %pMR", bdaddr);
9835
9836	bacpy(dst: &ev.addr.bdaddr, src: bdaddr);
9837	ev.addr.type = link_to_bdaddr(link_type, addr_type);
9838
9839	return mgmt_event(MGMT_EV_USER_PASSKEY_REQUEST, hdev, data: &ev, len: sizeof(ev),
9840	NULL);
9841	}
9842
9843	static int user_pairing_resp_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9844	u8 link_type, u8 addr_type, u8 status,
9845	u8 opcode)
9846	{
9847	struct mgmt_pending_cmd *cmd;
9848
9849	cmd = pending_find(opcode, hdev);
9850	if (!cmd)
9851	return -ENOENT;
9852
9853	cmd->cmd_complete(cmd, mgmt_status(err: status));
9854	mgmt_pending_remove(cmd);
9855
9856	return 0;
9857	}
9858
9859	int mgmt_user_confirm_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9860	u8 link_type, u8 addr_type, u8 status)
9861	{
9862	return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
9863	status, MGMT_OP_USER_CONFIRM_REPLY);
9864	}
9865
9866	int mgmt_user_confirm_neg_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9867	u8 link_type, u8 addr_type, u8 status)
9868	{
9869	return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
9870	status,
9871	MGMT_OP_USER_CONFIRM_NEG_REPLY);
9872	}
9873
9874	int mgmt_user_passkey_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9875	u8 link_type, u8 addr_type, u8 status)
9876	{
9877	return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
9878	status, MGMT_OP_USER_PASSKEY_REPLY);
9879	}
9880
9881	int mgmt_user_passkey_neg_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9882	u8 link_type, u8 addr_type, u8 status)
9883	{
9884	return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
9885	status,
9886	MGMT_OP_USER_PASSKEY_NEG_REPLY);
9887	}
9888
9889	int mgmt_user_passkey_notify(struct hci_dev *hdev, bdaddr_t *bdaddr,
9890	u8 link_type, u8 addr_type, u32 passkey,
9891	u8 entered)
9892	{
9893	struct mgmt_ev_passkey_notify ev;
9894
9895	bt_dev_dbg(hdev, "bdaddr %pMR", bdaddr);
9896
9897	bacpy(dst: &ev.addr.bdaddr, src: bdaddr);
9898	ev.addr.type = link_to_bdaddr(link_type, addr_type);
9899	ev.passkey = __cpu_to_le32(passkey);
9900	ev.entered = entered;
9901
9902	return mgmt_event(MGMT_EV_PASSKEY_NOTIFY, hdev, data: &ev, len: sizeof(ev), NULL);
9903	}
9904
9905	void mgmt_auth_failed(struct hci_conn *conn, u8 hci_status)
9906	{
9907	struct mgmt_ev_auth_failed ev;
9908	struct mgmt_pending_cmd *cmd;
9909	u8 status = mgmt_status(err: hci_status);
9910
9911	bacpy(dst: &ev.addr.bdaddr, src: &conn->dst);
9912	ev.addr.type = link_to_bdaddr(link_type: conn->type, addr_type: conn->dst_type);
9913	ev.status = status;
9914
9915	cmd = find_pairing(conn);
9916
9917	mgmt_event(MGMT_EV_AUTH_FAILED, hdev: conn->hdev, data: &ev, len: sizeof(ev),
9918	skip_sk: cmd ? cmd->sk : NULL);
9919
9920	if (cmd) {
9921	cmd->cmd_complete(cmd, status);
9922	mgmt_pending_remove(cmd);
9923	}
9924	}
9925
9926	void mgmt_auth_enable_complete(struct hci_dev *hdev, u8 status)
9927	{
9928	struct cmd_lookup match = { NULL, hdev };
9929	bool changed;
9930
9931	if (status) {
9932	u8 mgmt_err = mgmt_status(err: status);
9933	mgmt_pending_foreach(MGMT_OP_SET_LINK_SECURITY, hdev,
9934	cb: cmd_status_rsp, data: &mgmt_err);
9935	return;
9936	}
9937
9938	if (test_bit(HCI_AUTH, &hdev->flags))
9939	changed = !hci_dev_test_and_set_flag(hdev, HCI_LINK_SECURITY);
9940	else
9941	changed = hci_dev_test_and_clear_flag(hdev, HCI_LINK_SECURITY);
9942
9943	mgmt_pending_foreach(MGMT_OP_SET_LINK_SECURITY, hdev, cb: settings_rsp,
9944	data: &match);
9945
9946	if (changed)
9947	new_settings(hdev, skip: match.sk);
9948
9949	if (match.sk)
9950	sock_put(sk: match.sk);
9951	}
9952
9953	static void sk_lookup(struct mgmt_pending_cmd *cmd, void *data)
9954	{
9955	struct cmd_lookup *match = data;
9956
9957	if (match->sk == NULL) {
9958	match->sk = cmd->sk;
9959	sock_hold(sk: match->sk);
9960	}
9961	}
9962
9963	void mgmt_set_class_of_dev_complete(struct hci_dev *hdev, u8 *dev_class,
9964	u8 status)
9965	{
9966	struct cmd_lookup match = { NULL, hdev, mgmt_status(err: status) };
9967
9968	mgmt_pending_foreach(MGMT_OP_SET_DEV_CLASS, hdev, cb: sk_lookup, data: &match);
9969	mgmt_pending_foreach(MGMT_OP_ADD_UUID, hdev, cb: sk_lookup, data: &match);
9970	mgmt_pending_foreach(MGMT_OP_REMOVE_UUID, hdev, cb: sk_lookup, data: &match);
9971
9972	if (!status) {
9973	mgmt_limited_event(MGMT_EV_CLASS_OF_DEV_CHANGED, hdev, data: dev_class,
9974	len: 3, flag: HCI_MGMT_DEV_CLASS_EVENTS, NULL);
9975	ext_info_changed(hdev, NULL);
9976	}
9977
9978	if (match.sk)
9979	sock_put(sk: match.sk);
9980	}
9981
9982	void mgmt_set_local_name_complete(struct hci_dev *hdev, u8 *name, u8 status)
9983	{
9984	struct mgmt_cp_set_local_name ev;
9985	struct mgmt_pending_cmd *cmd;
9986
9987	if (status)
9988	return;
9989
9990	memset(&ev, 0, sizeof(ev));
9991	memcpy(ev.name, name, HCI_MAX_NAME_LENGTH);
9992	memcpy(ev.short_name, hdev->short_name, HCI_MAX_SHORT_NAME_LENGTH);
9993
9994	cmd = pending_find(MGMT_OP_SET_LOCAL_NAME, hdev);
9995	if (!cmd) {
9996	memcpy(hdev->dev_name, name, sizeof(hdev->dev_name));
9997
9998	/* If this is a HCI command related to powering on the
9999	* HCI dev don't send any mgmt signals.
10000	*/
10001	if (hci_dev_test_flag(hdev, HCI_POWERING_DOWN))
10002	return;
10003
10004	if (pending_find(MGMT_OP_SET_POWERED, hdev))
10005	return;
10006	}
10007
10008	mgmt_limited_event(MGMT_EV_LOCAL_NAME_CHANGED, hdev, data: &ev, len: sizeof(ev),
10009	flag: HCI_MGMT_LOCAL_NAME_EVENTS, skip_sk: cmd ? cmd->sk : NULL);
10010	ext_info_changed(hdev, skip: cmd ? cmd->sk : NULL);
10011	}
10012
10013	static inline bool has_uuid(u8 *uuid, u16 uuid_count, u8 (*uuids)[16])
10014	{
10015	int i;
10016
10017	for (i = 0; i < uuid_count; i++) {
10018	if (!memcmp(p: uuid, q: uuids[i], size: 16))
10019	return true;
10020	}
10021
10022	return false;
10023	}
10024
10025	static bool eir_has_uuids(u8 *eir, u16 eir_len, u16 uuid_count, u8 (*uuids)[16])
10026	{
10027	u16 parsed = 0;
10028
10029	while (parsed < eir_len) {
10030	u8 field_len = eir[0];
10031	u8 uuid[16];
10032	int i;
10033
10034	if (field_len == 0)
10035	break;
10036
10037	if (eir_len - parsed < field_len + 1)
10038	break;
10039
10040	switch (eir[1]) {
10041	case EIR_UUID16_ALL:
10042	case EIR_UUID16_SOME:
10043	for (i = 0; i + 3 <= field_len; i += 2) {
10044	memcpy(uuid, bluetooth_base_uuid, 16);
10045	uuid[13] = eir[i + 3];
10046	uuid[12] = eir[i + 2];
10047	if (has_uuid(uuid, uuid_count, uuids))
10048	return true;
10049	}
10050	break;
10051	case EIR_UUID32_ALL:
10052	case EIR_UUID32_SOME:
10053	for (i = 0; i + 5 <= field_len; i += 4) {
10054	memcpy(uuid, bluetooth_base_uuid, 16);
10055	uuid[15] = eir[i + 5];
10056	uuid[14] = eir[i + 4];
10057	uuid[13] = eir[i + 3];
10058	uuid[12] = eir[i + 2];
10059	if (has_uuid(uuid, uuid_count, uuids))
10060	return true;
10061	}
10062	break;
10063	case EIR_UUID128_ALL:
10064	case EIR_UUID128_SOME:
10065	for (i = 0; i + 17 <= field_len; i += 16) {
10066	memcpy(uuid, eir + i + 2, 16);
10067	if (has_uuid(uuid, uuid_count, uuids))
10068	return true;
10069	}
10070	break;
10071	}
10072
10073	parsed += field_len + 1;
10074	eir += field_len + 1;
10075	}
10076
10077	return false;
10078	}
10079
10080	static bool is_filter_match(struct hci_dev *hdev, s8 rssi, u8 *eir,
10081	u16 eir_len, u8 *scan_rsp, u8 scan_rsp_len)
10082	{
10083	/* If a RSSI threshold has been specified, and
10084	* HCI_QUIRK_STRICT_DUPLICATE_FILTER is not set, then all results with
10085	* a RSSI smaller than the RSSI threshold will be dropped. If the quirk
10086	* is set, let it through for further processing, as we might need to
10087	* restart the scan.
10088	*
10089	* For BR/EDR devices (pre 1.2) providing no RSSI during inquiry,
10090	* the results are also dropped.
10091	*/
10092	if (hdev->discovery.rssi != HCI_RSSI_INVALID &&
10093	(rssi == HCI_RSSI_INVALID ||
10094	(rssi < hdev->discovery.rssi &&
10095	!test_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks))))
10096	return false;
10097
10098	if (hdev->discovery.uuid_count != 0) {
10099	/* If a list of UUIDs is provided in filter, results with no
10100	* matching UUID should be dropped.
10101	*/
10102	if (!eir_has_uuids(eir, eir_len, uuid_count: hdev->discovery.uuid_count,
10103	uuids: hdev->discovery.uuids) &&
10104	!eir_has_uuids(eir: scan_rsp, eir_len: scan_rsp_len,
10105	uuid_count: hdev->discovery.uuid_count,
10106	uuids: hdev->discovery.uuids))
10107	return false;
10108	}
10109
10110	/* If duplicate filtering does not report RSSI changes, then restart
10111	* scanning to ensure updated result with updated RSSI values.
10112	*/
10113	if (test_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks)) {
10114	/* Validate RSSI value against the RSSI threshold once more. */
10115	if (hdev->discovery.rssi != HCI_RSSI_INVALID &&
10116	rssi < hdev->discovery.rssi)
10117	return false;
10118	}
10119
10120	return true;
10121	}
10122
10123	void mgmt_adv_monitor_device_lost(struct hci_dev *hdev, u16 handle,
10124	bdaddr_t *bdaddr, u8 addr_type)
10125	{
10126	struct mgmt_ev_adv_monitor_device_lost ev;
10127
10128	ev.monitor_handle = cpu_to_le16(handle);
10129	bacpy(dst: &ev.addr.bdaddr, src: bdaddr);
10130	ev.addr.type = addr_type;
10131
10132	mgmt_event(MGMT_EV_ADV_MONITOR_DEVICE_LOST, hdev, data: &ev, len: sizeof(ev),
10133	NULL);
10134	}
10135
10136	static void mgmt_send_adv_monitor_device_found(struct hci_dev *hdev,
10137	struct sk_buff *skb,
10138	struct sock *skip_sk,
10139	u16 handle)
10140	{
10141	struct sk_buff *advmon_skb;
10142	size_t advmon_skb_len;
10143	__le16 *monitor_handle;
10144
10145	if (!skb)
10146	return;
10147
10148	advmon_skb_len = (sizeof(struct mgmt_ev_adv_monitor_device_found) -
10149	sizeof(struct mgmt_ev_device_found)) + skb->len;
10150	advmon_skb = mgmt_alloc_skb(hdev, MGMT_EV_ADV_MONITOR_DEVICE_FOUND,
10151	size: advmon_skb_len);
10152	if (!advmon_skb)
10153	return;
10154
10155	/* ADV_MONITOR_DEVICE_FOUND is similar to DEVICE_FOUND event except
10156	* that it also has 'monitor_handle'. Make a copy of DEVICE_FOUND and
10157	* store monitor_handle of the matched monitor.
10158	*/
10159	monitor_handle = skb_put(skb: advmon_skb, len: sizeof(*monitor_handle));
10160	*monitor_handle = cpu_to_le16(handle);
10161	skb_put_data(skb: advmon_skb, data: skb->data, len: skb->len);
10162
10163	mgmt_event_skb(skb: advmon_skb, skip_sk);
10164	}
10165
10166	static void mgmt_adv_monitor_device_found(struct hci_dev *hdev,
10167	bdaddr_t *bdaddr, bool report_device,
10168	struct sk_buff *skb,
10169	struct sock *skip_sk)
10170	{
10171	struct monitored_device *dev, *tmp;
10172	bool matched = false;
10173	bool notified = false;
10174
10175	/* We have received the Advertisement Report because:
10176	* 1. the kernel has initiated active discovery
10177	* 2. if not, we have pend_le_reports > 0 in which case we are doing
10178	* passive scanning
10179	* 3. if none of the above is true, we have one or more active
10180	* Advertisement Monitor
10181	*
10182	* For case 1 and 2, report all advertisements via MGMT_EV_DEVICE_FOUND
10183	* and report ONLY one advertisement per device for the matched Monitor
10184	* via MGMT_EV_ADV_MONITOR_DEVICE_FOUND event.
10185	*
10186	* For case 3, since we are not active scanning and all advertisements
10187	* received are due to a matched Advertisement Monitor, report all
10188	* advertisements ONLY via MGMT_EV_ADV_MONITOR_DEVICE_FOUND event.
10189	*/
10190	if (report_device && !hdev->advmon_pend_notify) {
10191	mgmt_event_skb(skb, skip_sk);
10192	return;
10193	}
10194
10195	hdev->advmon_pend_notify = false;
10196
10197	list_for_each_entry_safe(dev, tmp, &hdev->monitored_devices, list) {
10198	if (!bacmp(ba1: &dev->bdaddr, ba2: bdaddr)) {
10199	matched = true;
10200
10201	if (!dev->notified) {
10202	mgmt_send_adv_monitor_device_found(hdev, skb,
10203	skip_sk,
10204	handle: dev->handle);
10205	notified = true;
10206	dev->notified = true;
10207	}
10208	}
10209
10210	if (!dev->notified)
10211	hdev->advmon_pend_notify = true;
10212	}
10213
10214	if (!report_device &&
10215	((matched && !notified) || !msft_monitor_supported(hdev))) {
10216	/* Handle 0 indicates that we are not active scanning and this
10217	* is a subsequent advertisement report for an already matched
10218	* Advertisement Monitor or the controller offloading support
10219	* is not available.
10220	*/
10221	mgmt_send_adv_monitor_device_found(hdev, skb, skip_sk, handle: 0);
10222	}
10223
10224	if (report_device)
10225	mgmt_event_skb(skb, skip_sk);
10226	else
10227	kfree_skb(skb);
10228	}
10229
10230	static void mesh_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr,
10231	u8 addr_type, s8 rssi, u32 flags, u8 *eir,
10232	u16 eir_len, u8 *scan_rsp, u8 scan_rsp_len,
10233	u64 instant)
10234	{
10235	struct sk_buff *skb;
10236	struct mgmt_ev_mesh_device_found *ev;
10237	int i, j;
10238
10239	if (!hdev->mesh_ad_types[0])
10240	goto accepted;
10241
10242	/* Scan for requested AD types */
10243	if (eir_len > 0) {
10244	for (i = 0; i + 1 < eir_len; i += eir[i] + 1) {
10245	for (j = 0; j < sizeof(hdev->mesh_ad_types); j++) {
10246	if (!hdev->mesh_ad_types[j])
10247	break;
10248
10249	if (hdev->mesh_ad_types[j] == eir[i + 1])
10250	goto accepted;
10251	}
10252	}
10253	}
10254
10255	if (scan_rsp_len > 0) {
10256	for (i = 0; i + 1 < scan_rsp_len; i += scan_rsp[i] + 1) {
10257	for (j = 0; j < sizeof(hdev->mesh_ad_types); j++) {
10258	if (!hdev->mesh_ad_types[j])
10259	break;
10260
10261	if (hdev->mesh_ad_types[j] == scan_rsp[i + 1])
10262	goto accepted;
10263	}
10264	}
10265	}
10266
10267	return;
10268
10269	accepted:
10270	skb = mgmt_alloc_skb(hdev, MGMT_EV_MESH_DEVICE_FOUND,
10271	size: sizeof(*ev) + eir_len + scan_rsp_len);
10272	if (!skb)
10273	return;
10274
10275	ev = skb_put(skb, len: sizeof(*ev));
10276
10277	bacpy(dst: &ev->addr.bdaddr, src: bdaddr);
10278	ev->addr.type = link_to_bdaddr(LE_LINK, addr_type);
10279	ev->rssi = rssi;
10280	ev->flags = cpu_to_le32(flags);
10281	ev->instant = cpu_to_le64(instant);
10282
10283	if (eir_len > 0)
10284	/* Copy EIR or advertising data into event */
10285	skb_put_data(skb, data: eir, len: eir_len);
10286
10287	if (scan_rsp_len > 0)
10288	/* Append scan response data to event */
10289	skb_put_data(skb, data: scan_rsp, len: scan_rsp_len);
10290
10291	ev->eir_len = cpu_to_le16(eir_len + scan_rsp_len);
10292
10293	mgmt_event_skb(skb, NULL);
10294	}
10295
10296	void mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
10297	u8 addr_type, u8 *dev_class, s8 rssi, u32 flags,
10298	u8 *eir, u16 eir_len, u8 *scan_rsp, u8 scan_rsp_len,
10299	u64 instant)
10300	{
10301	struct sk_buff *skb;
10302	struct mgmt_ev_device_found *ev;
10303	bool report_device = hci_discovery_active(hdev);
10304
10305	if (hci_dev_test_flag(hdev, HCI_MESH) && link_type == LE_LINK)
10306	mesh_device_found(hdev, bdaddr, addr_type, rssi, flags,
10307	eir, eir_len, scan_rsp, scan_rsp_len,
10308	instant);
10309
10310	/* Don't send events for a non-kernel initiated discovery. With
10311	* LE one exception is if we have pend_le_reports > 0 in which
10312	* case we're doing passive scanning and want these events.
10313	*/
10314	if (!hci_discovery_active(hdev)) {
10315	if (link_type == ACL_LINK)
10316	return;
10317	if (link_type == LE_LINK && !list_empty(head: &hdev->pend_le_reports))
10318	report_device = true;
10319	else if (!hci_is_adv_monitoring(hdev))
10320	return;
10321	}
10322
10323	if (hdev->discovery.result_filtering) {
10324	/* We are using service discovery */
10325	if (!is_filter_match(hdev, rssi, eir, eir_len, scan_rsp,
10326	scan_rsp_len))
10327	return;
10328	}
10329
10330	if (hdev->discovery.limited) {
10331	/* Check for limited discoverable bit */
10332	if (dev_class) {
10333	if (!(dev_class[1] & 0x20))
10334	return;
10335	} else {
10336	u8 *flags = eir_get_data(eir, eir_len, EIR_FLAGS, NULL);
10337	if (!flags || !(flags[0] & LE_AD_LIMITED))
10338	return;
10339	}
10340	}
10341
10342	/* Allocate skb. The 5 extra bytes are for the potential CoD field */
10343	skb = mgmt_alloc_skb(hdev, MGMT_EV_DEVICE_FOUND,
10344	size: sizeof(*ev) + eir_len + scan_rsp_len + 5);
10345	if (!skb)
10346	return;
10347
10348	ev = skb_put(skb, len: sizeof(*ev));
10349
10350	/* In case of device discovery with BR/EDR devices (pre 1.2), the
10351	* RSSI value was reported as 0 when not available. This behavior
10352	* is kept when using device discovery. This is required for full
10353	* backwards compatibility with the API.
10354	*
10355	* However when using service discovery, the value 127 will be
10356	* returned when the RSSI is not available.
10357	*/
10358	if (rssi == HCI_RSSI_INVALID && !hdev->discovery.report_invalid_rssi &&
10359	link_type == ACL_LINK)
10360	rssi = 0;
10361
10362	bacpy(dst: &ev->addr.bdaddr, src: bdaddr);
10363	ev->addr.type = link_to_bdaddr(link_type, addr_type);
10364	ev->rssi = rssi;
10365	ev->flags = cpu_to_le32(flags);
10366
10367	if (eir_len > 0)
10368	/* Copy EIR or advertising data into event */
10369	skb_put_data(skb, data: eir, len: eir_len);
10370
10371	if (dev_class && !eir_get_data(eir, eir_len, EIR_CLASS_OF_DEV, NULL)) {
10372	u8 eir_cod[5];
10373
10374	eir_len += eir_append_data(eir: eir_cod, eir_len: 0, EIR_CLASS_OF_DEV,
10375	data: dev_class, data_len: 3);
10376	skb_put_data(skb, data: eir_cod, len: sizeof(eir_cod));
10377	}
10378
10379	if (scan_rsp_len > 0)
10380	/* Append scan response data to event */
10381	skb_put_data(skb, data: scan_rsp, len: scan_rsp_len);
10382
10383	ev->eir_len = cpu_to_le16(eir_len + scan_rsp_len);
10384
10385	mgmt_adv_monitor_device_found(hdev, bdaddr, report_device, skb, NULL);
10386	}
10387
10388	void mgmt_remote_name(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
10389	u8 addr_type, s8 rssi, u8 *name, u8 name_len)
10390	{
10391	struct sk_buff *skb;
10392	struct mgmt_ev_device_found *ev;
10393	u16 eir_len = 0;
10394	u32 flags = 0;
10395
10396	skb = mgmt_alloc_skb(hdev, MGMT_EV_DEVICE_FOUND,
10397	size: sizeof(*ev) + (name ? eir_precalc_len(data_len: name_len) : 0));
10398
10399	ev = skb_put(skb, len: sizeof(*ev));
10400	bacpy(dst: &ev->addr.bdaddr, src: bdaddr);
10401	ev->addr.type = link_to_bdaddr(link_type, addr_type);
10402	ev->rssi = rssi;
10403
10404	if (name)
10405	eir_len += eir_skb_put_data(skb, EIR_NAME_COMPLETE, data: name, data_len: name_len);
10406	else
10407	flags = MGMT_DEV_FOUND_NAME_REQUEST_FAILED;
10408
10409	ev->eir_len = cpu_to_le16(eir_len);
10410	ev->flags = cpu_to_le32(flags);
10411
10412	mgmt_event_skb(skb, NULL);
10413	}
10414
10415	void mgmt_discovering(struct hci_dev *hdev, u8 discovering)
10416	{
10417	struct mgmt_ev_discovering ev;
10418
10419	bt_dev_dbg(hdev, "discovering %u", discovering);
10420
10421	memset(&ev, 0, sizeof(ev));
10422	ev.type = hdev->discovery.type;
10423	ev.discovering = discovering;
10424
10425	mgmt_event(MGMT_EV_DISCOVERING, hdev, data: &ev, len: sizeof(ev), NULL);
10426	}
10427
10428	void mgmt_suspending(struct hci_dev *hdev, u8 state)
10429	{
10430	struct mgmt_ev_controller_suspend ev;
10431
10432	ev.suspend_state = state;
10433	mgmt_event(MGMT_EV_CONTROLLER_SUSPEND, hdev, data: &ev, len: sizeof(ev), NULL);
10434	}
10435
10436	void mgmt_resuming(struct hci_dev *hdev, u8 reason, bdaddr_t *bdaddr,
10437	u8 addr_type)
10438	{
10439	struct mgmt_ev_controller_resume ev;
10440
10441	ev.wake_reason = reason;
10442	if (bdaddr) {
10443	bacpy(dst: &ev.addr.bdaddr, src: bdaddr);
10444	ev.addr.type = addr_type;
10445	} else {
10446	memset(&ev.addr, 0, sizeof(ev.addr));
10447	}
10448
10449	mgmt_event(MGMT_EV_CONTROLLER_RESUME, hdev, data: &ev, len: sizeof(ev), NULL);
10450	}
10451
10452	static struct hci_mgmt_chan chan = {
10453	.channel = HCI_CHANNEL_CONTROL,
10454	.handler_count = ARRAY_SIZE(mgmt_handlers),
10455	.handlers = mgmt_handlers,
10456	.hdev_init = mgmt_init_hdev,
10457	};
10458
10459	int mgmt_init(void)
10460	{
10461	return hci_mgmt_chan_register(c: &chan);
10462	}
10463
10464	void mgmt_exit(void)
10465	{
10466	hci_mgmt_chan_unregister(c: &chan);
10467	}
10468
10469	void mgmt_cleanup(struct sock *sk)
10470	{
10471	struct mgmt_mesh_tx *mesh_tx;
10472	struct hci_dev *hdev;
10473
10474	read_lock(&hci_dev_list_lock);
10475
10476	list_for_each_entry(hdev, &hci_dev_list, list) {
10477	do {
10478	mesh_tx = mgmt_mesh_next(hdev, sk);
10479
10480	if (mesh_tx)
10481	mesh_send_complete(hdev, mesh_tx, silent: true);
10482	} while (mesh_tx);
10483	}
10484
10485	read_unlock(&hci_dev_list_lock);
10486	}
10487