mgmt.c 94.4 KB
Newer Older
1 2
/*
   BlueZ - Bluetooth protocol stack for Linux
3

4
   Copyright (C) 2010  Nokia Corporation
5
   Copyright (C) 2011-2012 Intel Corporation
6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License version 2 as
   published by the Free Software Foundation;

   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
   SOFTWARE IS DISCLAIMED.
*/

/* Bluetooth HCI Management interface */

27
#include <linux/module.h>
28 29 30 31 32
#include <asm/unaligned.h>

#include <net/bluetooth/bluetooth.h>
#include <net/bluetooth/hci_core.h>
#include <net/bluetooth/mgmt.h>
33
#include <net/bluetooth/smp.h>
34

35 36
bool enable_hs;

37
#define MGMT_VERSION	1
38
#define MGMT_REVISION	3
39

40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77
static const u16 mgmt_commands[] = {
	MGMT_OP_READ_INDEX_LIST,
	MGMT_OP_READ_INFO,
	MGMT_OP_SET_POWERED,
	MGMT_OP_SET_DISCOVERABLE,
	MGMT_OP_SET_CONNECTABLE,
	MGMT_OP_SET_FAST_CONNECTABLE,
	MGMT_OP_SET_PAIRABLE,
	MGMT_OP_SET_LINK_SECURITY,
	MGMT_OP_SET_SSP,
	MGMT_OP_SET_HS,
	MGMT_OP_SET_LE,
	MGMT_OP_SET_DEV_CLASS,
	MGMT_OP_SET_LOCAL_NAME,
	MGMT_OP_ADD_UUID,
	MGMT_OP_REMOVE_UUID,
	MGMT_OP_LOAD_LINK_KEYS,
	MGMT_OP_LOAD_LONG_TERM_KEYS,
	MGMT_OP_DISCONNECT,
	MGMT_OP_GET_CONNECTIONS,
	MGMT_OP_PIN_CODE_REPLY,
	MGMT_OP_PIN_CODE_NEG_REPLY,
	MGMT_OP_SET_IO_CAPABILITY,
	MGMT_OP_PAIR_DEVICE,
	MGMT_OP_CANCEL_PAIR_DEVICE,
	MGMT_OP_UNPAIR_DEVICE,
	MGMT_OP_USER_CONFIRM_REPLY,
	MGMT_OP_USER_CONFIRM_NEG_REPLY,
	MGMT_OP_USER_PASSKEY_REPLY,
	MGMT_OP_USER_PASSKEY_NEG_REPLY,
	MGMT_OP_READ_LOCAL_OOB_DATA,
	MGMT_OP_ADD_REMOTE_OOB_DATA,
	MGMT_OP_REMOVE_REMOTE_OOB_DATA,
	MGMT_OP_START_DISCOVERY,
	MGMT_OP_STOP_DISCOVERY,
	MGMT_OP_CONFIRM_NAME,
	MGMT_OP_BLOCK_DEVICE,
	MGMT_OP_UNBLOCK_DEVICE,
78
	MGMT_OP_SET_DEVICE_ID,
79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101
};

static const u16 mgmt_events[] = {
	MGMT_EV_CONTROLLER_ERROR,
	MGMT_EV_INDEX_ADDED,
	MGMT_EV_INDEX_REMOVED,
	MGMT_EV_NEW_SETTINGS,
	MGMT_EV_CLASS_OF_DEV_CHANGED,
	MGMT_EV_LOCAL_NAME_CHANGED,
	MGMT_EV_NEW_LINK_KEY,
	MGMT_EV_NEW_LONG_TERM_KEY,
	MGMT_EV_DEVICE_CONNECTED,
	MGMT_EV_DEVICE_DISCONNECTED,
	MGMT_EV_CONNECT_FAILED,
	MGMT_EV_PIN_CODE_REQUEST,
	MGMT_EV_USER_CONFIRM_REQUEST,
	MGMT_EV_USER_PASSKEY_REQUEST,
	MGMT_EV_AUTH_FAILED,
	MGMT_EV_DEVICE_FOUND,
	MGMT_EV_DISCOVERING,
	MGMT_EV_DEVICE_BLOCKED,
	MGMT_EV_DEVICE_UNBLOCKED,
	MGMT_EV_DEVICE_UNPAIRED,
102
	MGMT_EV_PASSKEY_NOTIFY,
103 104
};

105 106 107 108 109 110 111 112
/*
 * These LE scan and inquiry parameters were chosen according to LE General
 * Discovery Procedure specification.
 */
#define LE_SCAN_TYPE			0x01
#define LE_SCAN_WIN			0x12
#define LE_SCAN_INT			0x12
#define LE_SCAN_TIMEOUT_LE_ONLY		10240	/* TGAP(gen_disc_scan_min) */
113
#define LE_SCAN_TIMEOUT_BREDR_LE	5120	/* TGAP(100)/2 */
114

A
Andre Guedes 已提交
115
#define INQUIRY_LEN_BREDR		0x08	/* TGAP(100) */
116
#define INQUIRY_LEN_BREDR_LE		0x04	/* TGAP(100)/2 */
A
Andre Guedes 已提交
117

118
#define CACHE_TIMEOUT	msecs_to_jiffies(2 * 1000)
119

120 121 122
#define hdev_is_powered(hdev) (test_bit(HCI_UP, &hdev->flags) && \
				!test_bit(HCI_AUTO_OFF, &hdev->dev_flags))

123 124
struct pending_cmd {
	struct list_head list;
125
	u16 opcode;
126
	int index;
127
	void *param;
128
	struct sock *sk;
129
	void *user_data;
130 131
};

132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196
/* HCI to MGMT error code conversion table */
static u8 mgmt_status_table[] = {
	MGMT_STATUS_SUCCESS,
	MGMT_STATUS_UNKNOWN_COMMAND,	/* Unknown Command */
	MGMT_STATUS_NOT_CONNECTED,	/* No Connection */
	MGMT_STATUS_FAILED,		/* Hardware Failure */
	MGMT_STATUS_CONNECT_FAILED,	/* Page Timeout */
	MGMT_STATUS_AUTH_FAILED,	/* Authentication Failed */
	MGMT_STATUS_NOT_PAIRED,		/* PIN or Key Missing */
	MGMT_STATUS_NO_RESOURCES,	/* Memory Full */
	MGMT_STATUS_TIMEOUT,		/* Connection Timeout */
	MGMT_STATUS_NO_RESOURCES,	/* Max Number of Connections */
	MGMT_STATUS_NO_RESOURCES,	/* Max Number of SCO Connections */
	MGMT_STATUS_ALREADY_CONNECTED,	/* ACL Connection Exists */
	MGMT_STATUS_BUSY,		/* Command Disallowed */
	MGMT_STATUS_NO_RESOURCES,	/* Rejected Limited Resources */
	MGMT_STATUS_REJECTED,		/* Rejected Security */
	MGMT_STATUS_REJECTED,		/* Rejected Personal */
	MGMT_STATUS_TIMEOUT,		/* Host Timeout */
	MGMT_STATUS_NOT_SUPPORTED,	/* Unsupported Feature */
	MGMT_STATUS_INVALID_PARAMS,	/* Invalid Parameters */
	MGMT_STATUS_DISCONNECTED,	/* OE User Ended Connection */
	MGMT_STATUS_NO_RESOURCES,	/* OE Low Resources */
	MGMT_STATUS_DISCONNECTED,	/* OE Power Off */
	MGMT_STATUS_DISCONNECTED,	/* Connection Terminated */
	MGMT_STATUS_BUSY,		/* Repeated Attempts */
	MGMT_STATUS_REJECTED,		/* Pairing Not Allowed */
	MGMT_STATUS_FAILED,		/* Unknown LMP PDU */
	MGMT_STATUS_NOT_SUPPORTED,	/* Unsupported Remote Feature */
	MGMT_STATUS_REJECTED,		/* SCO Offset Rejected */
	MGMT_STATUS_REJECTED,		/* SCO Interval Rejected */
	MGMT_STATUS_REJECTED,		/* Air Mode Rejected */
	MGMT_STATUS_INVALID_PARAMS,	/* Invalid LMP Parameters */
	MGMT_STATUS_FAILED,		/* Unspecified Error */
	MGMT_STATUS_NOT_SUPPORTED,	/* Unsupported LMP Parameter Value */
	MGMT_STATUS_FAILED,		/* Role Change Not Allowed */
	MGMT_STATUS_TIMEOUT,		/* LMP Response Timeout */
	MGMT_STATUS_FAILED,		/* LMP Error Transaction Collision */
	MGMT_STATUS_FAILED,		/* LMP PDU Not Allowed */
	MGMT_STATUS_REJECTED,		/* Encryption Mode Not Accepted */
	MGMT_STATUS_FAILED,		/* Unit Link Key Used */
	MGMT_STATUS_NOT_SUPPORTED,	/* QoS Not Supported */
	MGMT_STATUS_TIMEOUT,		/* Instant Passed */
	MGMT_STATUS_NOT_SUPPORTED,	/* Pairing Not Supported */
	MGMT_STATUS_FAILED,		/* Transaction Collision */
	MGMT_STATUS_INVALID_PARAMS,	/* Unacceptable Parameter */
	MGMT_STATUS_REJECTED,		/* QoS Rejected */
	MGMT_STATUS_NOT_SUPPORTED,	/* Classification Not Supported */
	MGMT_STATUS_REJECTED,		/* Insufficient Security */
	MGMT_STATUS_INVALID_PARAMS,	/* Parameter Out Of Range */
	MGMT_STATUS_BUSY,		/* Role Switch Pending */
	MGMT_STATUS_FAILED,		/* Slot Violation */
	MGMT_STATUS_FAILED,		/* Role Switch Failed */
	MGMT_STATUS_INVALID_PARAMS,	/* EIR Too Large */
	MGMT_STATUS_NOT_SUPPORTED,	/* Simple Pairing Not Supported */
	MGMT_STATUS_BUSY,		/* Host Busy Pairing */
	MGMT_STATUS_REJECTED,		/* Rejected, No Suitable Channel */
	MGMT_STATUS_BUSY,		/* Controller Busy */
	MGMT_STATUS_INVALID_PARAMS,	/* Unsuitable Connection Interval */
	MGMT_STATUS_TIMEOUT,		/* Directed Advertising Timeout */
	MGMT_STATUS_AUTH_FAILED,	/* Terminated Due to MIC Failure */
	MGMT_STATUS_CONNECT_FAILED,	/* Connection Establishment Failed */
	MGMT_STATUS_CONNECT_FAILED,	/* MAC Connection Failed */
};

197 198 199 200 201
bool mgmt_valid_hdev(struct hci_dev *hdev)
{
	return hdev->dev_type == HCI_BREDR;
}

202 203 204 205 206 207 208 209
static u8 mgmt_status(u8 hci_status)
{
	if (hci_status < ARRAY_SIZE(mgmt_status_table))
		return mgmt_status_table[hci_status];

	return MGMT_STATUS_FAILED;
}

210
static int cmd_status(struct sock *sk, u16 index, u16 cmd, u8 status)
211 212 213 214
{
	struct sk_buff *skb;
	struct mgmt_hdr *hdr;
	struct mgmt_ev_cmd_status *ev;
215
	int err;
216

217
	BT_DBG("sock %p, index %u, cmd %u, status %u", sk, index, cmd, status);
218

219
	skb = alloc_skb(sizeof(*hdr) + sizeof(*ev), GFP_KERNEL);
220 221 222 223 224
	if (!skb)
		return -ENOMEM;

	hdr = (void *) skb_put(skb, sizeof(*hdr));

225
	hdr->opcode = __constant_cpu_to_le16(MGMT_EV_CMD_STATUS);
226
	hdr->index = cpu_to_le16(index);
227 228 229 230
	hdr->len = cpu_to_le16(sizeof(*ev));

	ev = (void *) skb_put(skb, sizeof(*ev));
	ev->status = status;
231
	ev->opcode = cpu_to_le16(cmd);
232

233 234
	err = sock_queue_rcv_skb(sk, skb);
	if (err < 0)
235 236
		kfree_skb(skb);

237
	return err;
238 239
}

240
static int cmd_complete(struct sock *sk, u16 index, u16 cmd, u8 status,
241
			void *rp, size_t rp_len)
242 243 244 245
{
	struct sk_buff *skb;
	struct mgmt_hdr *hdr;
	struct mgmt_ev_cmd_complete *ev;
246
	int err;
247 248 249

	BT_DBG("sock %p", sk);

250
	skb = alloc_skb(sizeof(*hdr) + sizeof(*ev) + rp_len, GFP_KERNEL);
251 252 253 254 255
	if (!skb)
		return -ENOMEM;

	hdr = (void *) skb_put(skb, sizeof(*hdr));

256
	hdr->opcode = __constant_cpu_to_le16(MGMT_EV_CMD_COMPLETE);
257
	hdr->index = cpu_to_le16(index);
258
	hdr->len = cpu_to_le16(sizeof(*ev) + rp_len);
259

260
	ev = (void *) skb_put(skb, sizeof(*ev) + rp_len);
261
	ev->opcode = cpu_to_le16(cmd);
262
	ev->status = status;
263 264 265

	if (rp)
		memcpy(ev->data, rp, rp_len);
266

267 268
	err = sock_queue_rcv_skb(sk, skb);
	if (err < 0)
269 270
		kfree_skb(skb);

271
	return err;
272 273
}

274 275
static int read_version(struct sock *sk, struct hci_dev *hdev, void *data,
			u16 data_len)
276 277 278 279 280 281
{
	struct mgmt_rp_read_version rp;

	BT_DBG("sock %p", sk);

	rp.version = MGMT_VERSION;
282
	rp.revision = __constant_cpu_to_le16(MGMT_REVISION);
283

284
	return cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_VERSION, 0, &rp,
285
			    sizeof(rp));
286 287
}

288 289
static int read_commands(struct sock *sk, struct hci_dev *hdev, void *data,
			 u16 data_len)
290 291
{
	struct mgmt_rp_read_commands *rp;
292 293
	const u16 num_commands = ARRAY_SIZE(mgmt_commands);
	const u16 num_events = ARRAY_SIZE(mgmt_events);
294
	__le16 *opcode;
295 296 297 298 299 300 301 302 303 304 305
	size_t rp_size;
	int i, err;

	BT_DBG("sock %p", sk);

	rp_size = sizeof(*rp) + ((num_commands + num_events) * sizeof(u16));

	rp = kmalloc(rp_size, GFP_KERNEL);
	if (!rp)
		return -ENOMEM;

306 307
	rp->num_commands = __constant_cpu_to_le16(num_commands);
	rp->num_events = __constant_cpu_to_le16(num_events);
308 309 310 311 312 313 314

	for (i = 0, opcode = rp->opcodes; i < num_commands; i++, opcode++)
		put_unaligned_le16(mgmt_commands[i], opcode);

	for (i = 0; i < num_events; i++, opcode++)
		put_unaligned_le16(mgmt_events[i], opcode);

315
	err = cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_COMMANDS, 0, rp,
316
			   rp_size);
317 318 319 320 321
	kfree(rp);

	return err;
}

322 323
static int read_index_list(struct sock *sk, struct hci_dev *hdev, void *data,
			   u16 data_len)
324 325
{
	struct mgmt_rp_read_index_list *rp;
326
	struct hci_dev *d;
327
	size_t rp_len;
328
	u16 count;
329
	int err;
330 331 332 333 334 335

	BT_DBG("sock %p", sk);

	read_lock(&hci_dev_list_lock);

	count = 0;
336 337 338 339
	list_for_each_entry(d, &hci_dev_list, list) {
		if (!mgmt_valid_hdev(d))
			continue;

340 341 342
		count++;
	}

343 344 345
	rp_len = sizeof(*rp) + (2 * count);
	rp = kmalloc(rp_len, GFP_ATOMIC);
	if (!rp) {
346
		read_unlock(&hci_dev_list_lock);
347
		return -ENOMEM;
348
	}
349

350
	count = 0;
351
	list_for_each_entry(d, &hci_dev_list, list) {
352
		if (test_bit(HCI_SETUP, &d->dev_flags))
353 354
			continue;

355 356 357
		if (!mgmt_valid_hdev(d))
			continue;

358
		rp->index[count++] = cpu_to_le16(d->id);
359 360 361
		BT_DBG("Added hci%u", d->id);
	}

362 363 364
	rp->num_controllers = cpu_to_le16(count);
	rp_len = sizeof(*rp) + (2 * count);

365 366
	read_unlock(&hci_dev_list_lock);

367
	err = cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_INDEX_LIST, 0, rp,
368
			   rp_len);
369

370 371 372
	kfree(rp);

	return err;
373 374
}

375 376 377 378 379 380 381
static u32 get_supported_settings(struct hci_dev *hdev)
{
	u32 settings = 0;

	settings |= MGMT_SETTING_POWERED;
	settings |= MGMT_SETTING_PAIRABLE;

382
	if (lmp_ssp_capable(hdev))
383 384
		settings |= MGMT_SETTING_SSP;

385
	if (lmp_bredr_capable(hdev)) {
386
		settings |= MGMT_SETTING_CONNECTABLE;
387 388
		if (hdev->hci_ver >= BLUETOOTH_VER_1_2)
			settings |= MGMT_SETTING_FAST_CONNECTABLE;
389
		settings |= MGMT_SETTING_DISCOVERABLE;
390 391 392 393
		settings |= MGMT_SETTING_BREDR;
		settings |= MGMT_SETTING_LINK_SECURITY;
	}

394 395 396
	if (enable_hs)
		settings |= MGMT_SETTING_HS;

397
	if (lmp_le_capable(hdev))
398
		settings |= MGMT_SETTING_LE;
399 400 401 402 403 404 405 406

	return settings;
}

static u32 get_current_settings(struct hci_dev *hdev)
{
	u32 settings = 0;

407
	if (hdev_is_powered(hdev))
408 409
		settings |= MGMT_SETTING_POWERED;

410
	if (test_bit(HCI_CONNECTABLE, &hdev->dev_flags))
411 412
		settings |= MGMT_SETTING_CONNECTABLE;

413
	if (test_bit(HCI_DISCOVERABLE, &hdev->dev_flags))
414 415
		settings |= MGMT_SETTING_DISCOVERABLE;

416
	if (test_bit(HCI_PAIRABLE, &hdev->dev_flags))
417 418
		settings |= MGMT_SETTING_PAIRABLE;

419
	if (lmp_bredr_capable(hdev))
420 421
		settings |= MGMT_SETTING_BREDR;

422
	if (test_bit(HCI_LE_ENABLED, &hdev->dev_flags))
423 424
		settings |= MGMT_SETTING_LE;

425
	if (test_bit(HCI_LINK_SECURITY, &hdev->dev_flags))
426 427
		settings |= MGMT_SETTING_LINK_SECURITY;

428
	if (test_bit(HCI_SSP_ENABLED, &hdev->dev_flags))
429 430
		settings |= MGMT_SETTING_SSP;

431 432 433
	if (test_bit(HCI_HS_ENABLED, &hdev->dev_flags))
		settings |= MGMT_SETTING_HS;

434 435 436
	return settings;
}

437 438
#define PNP_INFO_SVCLASS_ID		0x1200

439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480
static u8 *create_uuid16_list(struct hci_dev *hdev, u8 *data, ptrdiff_t len)
{
	u8 *ptr = data, *uuids_start = NULL;
	struct bt_uuid *uuid;

	if (len < 4)
		return ptr;

	list_for_each_entry(uuid, &hdev->uuids, list) {
		u16 uuid16;

		if (uuid->size != 16)
			continue;

		uuid16 = get_unaligned_le16(&uuid->uuid[12]);
		if (uuid16 < 0x1100)
			continue;

		if (uuid16 == PNP_INFO_SVCLASS_ID)
			continue;

		if (!uuids_start) {
			uuids_start = ptr;
			uuids_start[0] = 1;
			uuids_start[1] = EIR_UUID16_ALL;
			ptr += 2;
		}

		/* Stop if not enough space to put next UUID */
		if ((ptr - data) + sizeof(u16) > len) {
			uuids_start[1] = EIR_UUID16_SOME;
			break;
		}

		*ptr++ = (uuid16 & 0x00ff);
		*ptr++ = (uuid16 & 0xff00) >> 8;
		uuids_start[0] += sizeof(uuid16);
	}

	return ptr;
}

481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513
static u8 *create_uuid32_list(struct hci_dev *hdev, u8 *data, ptrdiff_t len)
{
	u8 *ptr = data, *uuids_start = NULL;
	struct bt_uuid *uuid;

	if (len < 6)
		return ptr;

	list_for_each_entry(uuid, &hdev->uuids, list) {
		if (uuid->size != 32)
			continue;

		if (!uuids_start) {
			uuids_start = ptr;
			uuids_start[0] = 1;
			uuids_start[1] = EIR_UUID32_ALL;
			ptr += 2;
		}

		/* Stop if not enough space to put next UUID */
		if ((ptr - data) + sizeof(u32) > len) {
			uuids_start[1] = EIR_UUID32_SOME;
			break;
		}

		memcpy(ptr, &uuid->uuid[12], sizeof(u32));
		ptr += sizeof(u32);
		uuids_start[0] += sizeof(u32);
	}

	return ptr;
}

514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546
static u8 *create_uuid128_list(struct hci_dev *hdev, u8 *data, ptrdiff_t len)
{
	u8 *ptr = data, *uuids_start = NULL;
	struct bt_uuid *uuid;

	if (len < 18)
		return ptr;

	list_for_each_entry(uuid, &hdev->uuids, list) {
		if (uuid->size != 128)
			continue;

		if (!uuids_start) {
			uuids_start = ptr;
			uuids_start[0] = 1;
			uuids_start[1] = EIR_UUID128_ALL;
			ptr += 2;
		}

		/* Stop if not enough space to put next UUID */
		if ((ptr - data) + 16 > len) {
			uuids_start[1] = EIR_UUID128_SOME;
			break;
		}

		memcpy(ptr, uuid->uuid, 16);
		ptr += 16;
		uuids_start[0] += 16;
	}

	return ptr;
}

547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569
static void create_eir(struct hci_dev *hdev, u8 *data)
{
	u8 *ptr = data;
	size_t name_len;

	name_len = strlen(hdev->dev_name);

	if (name_len > 0) {
		/* EIR Data type */
		if (name_len > 48) {
			name_len = 48;
			ptr[1] = EIR_NAME_SHORT;
		} else
			ptr[1] = EIR_NAME_COMPLETE;

		/* EIR Data length */
		ptr[0] = name_len + 1;

		memcpy(ptr + 2, hdev->dev_name, name_len);

		ptr += (name_len + 2);
	}

570
	if (hdev->inq_tx_power != HCI_TX_POWER_INVALID) {
571 572 573 574 575 576 577
		ptr[0] = 2;
		ptr[1] = EIR_TX_POWER;
		ptr[2] = (u8) hdev->inq_tx_power;

		ptr += 3;
	}

578 579 580 581 582 583 584 585 586 587 588 589
	if (hdev->devid_source > 0) {
		ptr[0] = 9;
		ptr[1] = EIR_DEVICE_ID;

		put_unaligned_le16(hdev->devid_source, ptr + 2);
		put_unaligned_le16(hdev->devid_vendor, ptr + 4);
		put_unaligned_le16(hdev->devid_product, ptr + 6);
		put_unaligned_le16(hdev->devid_version, ptr + 8);

		ptr += 10;
	}

590
	ptr = create_uuid16_list(hdev, ptr, HCI_MAX_EIR_LENGTH - (ptr - data));
591
	ptr = create_uuid32_list(hdev, ptr, HCI_MAX_EIR_LENGTH - (ptr - data));
592
	ptr = create_uuid128_list(hdev, ptr, HCI_MAX_EIR_LENGTH - (ptr - data));
593 594
}

595
static void update_eir(struct hci_request *req)
596
{
597
	struct hci_dev *hdev = req->hdev;
598 599
	struct hci_cp_write_eir cp;

600
	if (!hdev_is_powered(hdev))
601
		return;
602

603
	if (!lmp_ext_inq_capable(hdev))
604
		return;
605

606
	if (!test_bit(HCI_SSP_ENABLED, &hdev->dev_flags))
607
		return;
608

609
	if (test_bit(HCI_SERVICE_CACHE, &hdev->dev_flags))
610
		return;
611 612 613 614 615 616

	memset(&cp, 0, sizeof(cp));

	create_eir(hdev, cp.data);

	if (memcmp(cp.data, hdev->eir, sizeof(cp.data)) == 0)
617
		return;
618 619 620

	memcpy(hdev->eir, cp.data, sizeof(cp.data));

621
	hci_req_add(req, HCI_OP_WRITE_EIR, sizeof(cp), &cp);
622 623 624 625 626 627 628 629 630 631 632 633 634
}

static u8 get_service_classes(struct hci_dev *hdev)
{
	struct bt_uuid *uuid;
	u8 val = 0;

	list_for_each_entry(uuid, &hdev->uuids, list)
		val |= uuid->svc_hint;

	return val;
}

635
static void update_class(struct hci_request *req)
636
{
637
	struct hci_dev *hdev = req->hdev;
638 639 640 641
	u8 cod[3];

	BT_DBG("%s", hdev->name);

642
	if (!hdev_is_powered(hdev))
643
		return;
644

645
	if (test_bit(HCI_SERVICE_CACHE, &hdev->dev_flags))
646
		return;
647 648 649 650 651 652

	cod[0] = hdev->minor_class;
	cod[1] = hdev->major_class;
	cod[2] = get_service_classes(hdev);

	if (memcmp(cod, hdev->dev_class, 3) == 0)
653
		return;
654

655
	hci_req_add(req, HCI_OP_WRITE_CLASS_OF_DEV, sizeof(cod), cod);
656 657
}

658 659 660
static void service_cache_off(struct work_struct *work)
{
	struct hci_dev *hdev = container_of(work, struct hci_dev,
661
					    service_cache.work);
662
	struct hci_request req;
663

664
	if (!test_and_clear_bit(HCI_SERVICE_CACHE, &hdev->dev_flags))
665 666
		return;

667 668
	hci_req_init(&req, hdev);

669 670
	hci_dev_lock(hdev);

671 672
	update_eir(&req);
	update_class(&req);
673 674

	hci_dev_unlock(hdev);
675 676

	hci_req_run(&req, NULL);
677 678
}

679
static void mgmt_init_hdev(struct sock *sk, struct hci_dev *hdev)
680
{
681
	if (test_and_set_bit(HCI_MGMT, &hdev->dev_flags))
682 683
		return;

684
	INIT_DELAYED_WORK(&hdev->service_cache, service_cache_off);
685

686 687 688 689 690 691
	/* Non-mgmt controlled devices get this bit set
	 * implicitly so that pairing works for them, however
	 * for mgmt we require user-space to explicitly enable
	 * it
	 */
	clear_bit(HCI_PAIRABLE, &hdev->dev_flags);
692 693
}

694
static int read_controller_info(struct sock *sk, struct hci_dev *hdev,
695
				void *data, u16 data_len)
696
{
697
	struct mgmt_rp_read_info rp;
698

699
	BT_DBG("sock %p %s", sk, hdev->name);
700

701
	hci_dev_lock(hdev);
702

703 704
	memset(&rp, 0, sizeof(rp));

705
	bacpy(&rp.bdaddr, &hdev->bdaddr);
706

707
	rp.version = hdev->hci_ver;
708
	rp.manufacturer = cpu_to_le16(hdev->manufacturer);
709 710 711

	rp.supported_settings = cpu_to_le32(get_supported_settings(hdev));
	rp.current_settings = cpu_to_le32(get_current_settings(hdev));
712

713
	memcpy(rp.dev_class, hdev->dev_class, 3);
714

715
	memcpy(rp.name, hdev->dev_name, sizeof(hdev->dev_name));
716
	memcpy(rp.short_name, hdev->short_name, sizeof(hdev->short_name));
717

718
	hci_dev_unlock(hdev);
719

720
	return cmd_complete(sk, hdev->id, MGMT_OP_READ_INFO, 0, &rp,
721
			    sizeof(rp));
722 723
}

724 725 726
static void mgmt_pending_free(struct pending_cmd *cmd)
{
	sock_put(cmd->sk);
727
	kfree(cmd->param);
728 729 730
	kfree(cmd);
}

731
static struct pending_cmd *mgmt_pending_add(struct sock *sk, u16 opcode,
732 733
					    struct hci_dev *hdev, void *data,
					    u16 len)
734 735 736
{
	struct pending_cmd *cmd;

737
	cmd = kmalloc(sizeof(*cmd), GFP_KERNEL);
738
	if (!cmd)
739
		return NULL;
740 741

	cmd->opcode = opcode;
742
	cmd->index = hdev->id;
743

744
	cmd->param = kmalloc(len, GFP_KERNEL);
745
	if (!cmd->param) {
746
		kfree(cmd);
747
		return NULL;
748 749
	}

750 751
	if (data)
		memcpy(cmd->param, data, len);
752 753 754 755

	cmd->sk = sk;
	sock_hold(sk);

756
	list_add(&cmd->list, &hdev->mgmt_pending);
757

758
	return cmd;
759 760
}

761
static void mgmt_pending_foreach(u16 opcode, struct hci_dev *hdev,
762 763
				 void (*cb)(struct pending_cmd *cmd,
					    void *data),
764
				 void *data)
765
{
766
	struct pending_cmd *cmd, *tmp;
767

768
	list_for_each_entry_safe(cmd, tmp, &hdev->mgmt_pending, list) {
769
		if (opcode > 0 && cmd->opcode != opcode)
770 771 772 773 774 775
			continue;

		cb(cmd, data);
	}
}

776
static struct pending_cmd *mgmt_pending_find(u16 opcode, struct hci_dev *hdev)
777
{
778
	struct pending_cmd *cmd;
779

780
	list_for_each_entry(cmd, &hdev->mgmt_pending, list) {
781 782
		if (cmd->opcode == opcode)
			return cmd;
783 784 785 786 787
	}

	return NULL;
}

788
static void mgmt_pending_remove(struct pending_cmd *cmd)
789 790 791 792 793
{
	list_del(&cmd->list);
	mgmt_pending_free(cmd);
}

794
static int send_settings_rsp(struct sock *sk, u16 opcode, struct hci_dev *hdev)
795
{
796
	__le32 settings = cpu_to_le32(get_current_settings(hdev));
797

798
	return cmd_complete(sk, hdev->id, opcode, 0, &settings,
799
			    sizeof(settings));
800 801
}

802
static int set_powered(struct sock *sk, struct hci_dev *hdev, void *data,
803
		       u16 len)
804
{
805
	struct mgmt_mode *cp = data;
806
	struct pending_cmd *cmd;
807
	int err;
808

809
	BT_DBG("request for %s", hdev->name);
810

811 812 813 814
	if (cp->val != 0x00 && cp->val != 0x01)
		return cmd_status(sk, hdev->id, MGMT_OP_SET_POWERED,
				  MGMT_STATUS_INVALID_PARAMS);

815
	hci_dev_lock(hdev);
816

817 818 819 820
	if (test_and_clear_bit(HCI_AUTO_OFF, &hdev->dev_flags)) {
		cancel_delayed_work(&hdev->power_off);

		if (cp->val) {
821 822 823
			mgmt_pending_add(sk, MGMT_OP_SET_POWERED, hdev,
					 data, len);
			err = mgmt_powered(hdev, 1);
824 825 826 827
			goto failed;
		}
	}

828
	if (!!cp->val == hdev_is_powered(hdev)) {
829
		err = send_settings_rsp(sk, MGMT_OP_SET_POWERED, hdev);
830 831 832
		goto failed;
	}

833
	if (mgmt_pending_find(MGMT_OP_SET_POWERED, hdev)) {
834
		err = cmd_status(sk, hdev->id, MGMT_OP_SET_POWERED,
835
				 MGMT_STATUS_BUSY);
836 837 838
		goto failed;
	}

839
	cmd = mgmt_pending_add(sk, MGMT_OP_SET_POWERED, hdev, data, len);
840 841
	if (!cmd) {
		err = -ENOMEM;
842
		goto failed;
843
	}
844

845
	if (cp->val)
846
		queue_work(hdev->req_workqueue, &hdev->power_on);
847
	else
848
		queue_work(hdev->req_workqueue, &hdev->power_off.work);
849

850
	err = 0;
851 852

failed:
853
	hci_dev_unlock(hdev);
854
	return err;
855 856
}

857 858
static int mgmt_event(u16 event, struct hci_dev *hdev, void *data, u16 data_len,
		      struct sock *skip_sk)
859 860 861 862
{
	struct sk_buff *skb;
	struct mgmt_hdr *hdr;

863
	skb = alloc_skb(sizeof(*hdr) + data_len, GFP_KERNEL);
864 865 866 867 868 869 870 871
	if (!skb)
		return -ENOMEM;

	hdr = (void *) skb_put(skb, sizeof(*hdr));
	hdr->opcode = cpu_to_le16(event);
	if (hdev)
		hdr->index = cpu_to_le16(hdev->id);
	else
872
		hdr->index = __constant_cpu_to_le16(MGMT_INDEX_NONE);
873 874 875 876 877
	hdr->len = cpu_to_le16(data_len);

	if (data)
		memcpy(skb_put(skb, data_len), data, data_len);

878 879 880
	/* Time stamp */
	__net_timestamp(skb);

881 882 883 884 885 886 887 888 889 890 891 892 893 894 895
	hci_send_to_control(skb, skip_sk);
	kfree_skb(skb);

	return 0;
}

static int new_settings(struct hci_dev *hdev, struct sock *skip)
{
	__le32 ev;

	ev = cpu_to_le32(get_current_settings(hdev));

	return mgmt_event(MGMT_EV_NEW_SETTINGS, hdev, &ev, sizeof(ev), skip);
}

896
static int set_discoverable(struct sock *sk, struct hci_dev *hdev, void *data,
897
			    u16 len)
898
{
899
	struct mgmt_cp_set_discoverable *cp = data;
900
	struct pending_cmd *cmd;
901
	u16 timeout;
902 903 904
	u8 scan;
	int err;

905
	BT_DBG("request for %s", hdev->name);
906

907 908 909 910
	if (!lmp_bredr_capable(hdev))
		return cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
				 MGMT_STATUS_NOT_SUPPORTED);

911 912 913 914
	if (cp->val != 0x00 && cp->val != 0x01)
		return cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
				  MGMT_STATUS_INVALID_PARAMS);

915
	timeout = __le16_to_cpu(cp->timeout);
916
	if (!cp->val && timeout > 0)
917
		return cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
918
				  MGMT_STATUS_INVALID_PARAMS);
919

920
	hci_dev_lock(hdev);
921

922
	if (!hdev_is_powered(hdev) && timeout > 0) {
923
		err = cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
924
				 MGMT_STATUS_NOT_POWERED);
925 926 927
		goto failed;
	}

928
	if (mgmt_pending_find(MGMT_OP_SET_DISCOVERABLE, hdev) ||
929
	    mgmt_pending_find(MGMT_OP_SET_CONNECTABLE, hdev)) {
930
		err = cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
931
				 MGMT_STATUS_BUSY);
932 933 934
		goto failed;
	}

935
	if (!test_bit(HCI_CONNECTABLE, &hdev->dev_flags)) {
936
		err = cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
937
				 MGMT_STATUS_REJECTED);
938 939 940 941
		goto failed;
	}

	if (!hdev_is_powered(hdev)) {
942 943 944 945 946 947 948
		bool changed = false;

		if (!!cp->val != test_bit(HCI_DISCOVERABLE, &hdev->dev_flags)) {
			change_bit(HCI_DISCOVERABLE, &hdev->dev_flags);
			changed = true;
		}

949
		err = send_settings_rsp(sk, MGMT_OP_SET_DISCOVERABLE, hdev);
950 951 952 953 954 955
		if (err < 0)
			goto failed;

		if (changed)
			err = new_settings(hdev, sk);

956 957 958 959
		goto failed;
	}

	if (!!cp->val == test_bit(HCI_DISCOVERABLE, &hdev->dev_flags)) {
960 961 962 963 964 965 966 967 968 969 970
		if (hdev->discov_timeout > 0) {
			cancel_delayed_work(&hdev->discov_off);
			hdev->discov_timeout = 0;
		}

		if (cp->val && timeout > 0) {
			hdev->discov_timeout = timeout;
			queue_delayed_work(hdev->workqueue, &hdev->discov_off,
				msecs_to_jiffies(hdev->discov_timeout * 1000));
		}

971
		err = send_settings_rsp(sk, MGMT_OP_SET_DISCOVERABLE, hdev);
972 973 974
		goto failed;
	}

975
	cmd = mgmt_pending_add(sk, MGMT_OP_SET_DISCOVERABLE, hdev, data, len);
976 977
	if (!cmd) {
		err = -ENOMEM;
978
		goto failed;
979
	}
980 981 982

	scan = SCAN_PAGE;

983
	if (cp->val)
984
		scan |= SCAN_INQUIRY;
985
	else
986
		cancel_delayed_work(&hdev->discov_off);
987 988 989

	err = hci_send_cmd(hdev, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
	if (err < 0)
990
		mgmt_pending_remove(cmd);
991

992
	if (cp->val)
993
		hdev->discov_timeout = timeout;
994

995
failed:
996
	hci_dev_unlock(hdev);
997 998 999
	return err;
}

1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019
static void set_connectable_complete(struct hci_dev *hdev, u8 status)
{
	struct pending_cmd *cmd;

	BT_DBG("status 0x%02x", status);

	hci_dev_lock(hdev);

	cmd = mgmt_pending_find(MGMT_OP_SET_CONNECTABLE, hdev);
	if (!cmd)
		goto unlock;

	send_settings_rsp(cmd->sk, MGMT_OP_SET_CONNECTABLE, hdev);

	mgmt_pending_remove(cmd);

unlock:
	hci_dev_unlock(hdev);
}

1020
static int set_connectable(struct sock *sk, struct hci_dev *hdev, void *data,
1021
			   u16 len)
1022
{
1023
	struct mgmt_mode *cp = data;
1024
	struct pending_cmd *cmd;
1025
	struct hci_request req;
1026 1027 1028
	u8 scan;
	int err;

1029
	BT_DBG("request for %s", hdev->name);
1030

1031 1032 1033 1034
	if (!lmp_bredr_capable(hdev))
		return cmd_status(sk, hdev->id, MGMT_OP_SET_CONNECTABLE,
				  MGMT_STATUS_NOT_SUPPORTED);

1035 1036 1037 1038
	if (cp->val != 0x00 && cp->val != 0x01)
		return cmd_status(sk, hdev->id, MGMT_OP_SET_CONNECTABLE,
				  MGMT_STATUS_INVALID_PARAMS);

1039
	hci_dev_lock(hdev);
1040

1041
	if (!hdev_is_powered(hdev)) {
1042 1043 1044 1045 1046
		bool changed = false;

		if (!!cp->val != test_bit(HCI_CONNECTABLE, &hdev->dev_flags))
			changed = true;

1047
		if (cp->val) {
1048
			set_bit(HCI_CONNECTABLE, &hdev->dev_flags);
1049
		} else {
1050 1051 1052
			clear_bit(HCI_CONNECTABLE, &hdev->dev_flags);
			clear_bit(HCI_DISCOVERABLE, &hdev->dev_flags);
		}
1053

1054
		err = send_settings_rsp(sk, MGMT_OP_SET_CONNECTABLE, hdev);
1055 1056 1057 1058 1059 1060
		if (err < 0)
			goto failed;

		if (changed)
			err = new_settings(hdev, sk);

1061 1062 1063
		goto failed;
	}

1064
	if (mgmt_pending_find(MGMT_OP_SET_DISCOVERABLE, hdev) ||
1065
	    mgmt_pending_find(MGMT_OP_SET_CONNECTABLE, hdev)) {
1066
		err = cmd_status(sk, hdev->id, MGMT_OP_SET_CONNECTABLE,
1067
				 MGMT_STATUS_BUSY);
1068 1069 1070
		goto failed;
	}

1071
	if (!!cp->val == test_bit(HCI_PSCAN, &hdev->flags)) {
1072
		err = send_settings_rsp(sk, MGMT_OP_SET_CONNECTABLE, hdev);
1073 1074 1075
		goto failed;
	}

1076
	cmd = mgmt_pending_add(sk, MGMT_OP_SET_CONNECTABLE, hdev, data, len);
1077 1078
	if (!cmd) {
		err = -ENOMEM;
1079
		goto failed;
1080
	}
1081

1082
	if (cp->val) {
1083
		scan = SCAN_PAGE;
1084
	} else {
1085 1086
		scan = 0;

1087
		if (test_bit(HCI_ISCAN, &hdev->flags) &&
1088
		    hdev->discov_timeout > 0)
1089 1090 1091
			cancel_delayed_work(&hdev->discov_off);
	}

1092 1093 1094 1095 1096
	hci_req_init(&req, hdev);

	hci_req_add(&req, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);

	err = hci_req_run(&req, set_connectable_complete);
1097
	if (err < 0)
1098
		mgmt_pending_remove(cmd);
1099 1100

failed:
1101
	hci_dev_unlock(hdev);
1102 1103 1104
	return err;
}

1105
static int set_pairable(struct sock *sk, struct hci_dev *hdev, void *data,
1106
			u16 len)
1107
{
1108
	struct mgmt_mode *cp = data;
1109 1110
	int err;

1111
	BT_DBG("request for %s", hdev->name);
1112

1113 1114 1115 1116
	if (cp->val != 0x00 && cp->val != 0x01)
		return cmd_status(sk, hdev->id, MGMT_OP_SET_PAIRABLE,
				  MGMT_STATUS_INVALID_PARAMS);

1117
	hci_dev_lock(hdev);
1118 1119

	if (cp->val)
1120
		set_bit(HCI_PAIRABLE, &hdev->dev_flags);
1121
	else
1122
		clear_bit(HCI_PAIRABLE, &hdev->dev_flags);
1123

1124
	err = send_settings_rsp(sk, MGMT_OP_SET_PAIRABLE, hdev);
1125 1126 1127
	if (err < 0)
		goto failed;

1128
	err = new_settings(hdev, sk);
1129 1130

failed:
1131
	hci_dev_unlock(hdev);
1132 1133 1134
	return err;
}

1135 1136
static int set_link_security(struct sock *sk, struct hci_dev *hdev, void *data,
			     u16 len)
1137 1138 1139
{
	struct mgmt_mode *cp = data;
	struct pending_cmd *cmd;
1140
	u8 val;
1141 1142
	int err;

1143
	BT_DBG("request for %s", hdev->name);
1144

1145 1146 1147 1148
	if (!lmp_bredr_capable(hdev))
		return cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY,
				  MGMT_STATUS_NOT_SUPPORTED);

1149 1150 1151 1152
	if (cp->val != 0x00 && cp->val != 0x01)
		return cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY,
				  MGMT_STATUS_INVALID_PARAMS);

1153 1154
	hci_dev_lock(hdev);

1155
	if (!hdev_is_powered(hdev)) {
1156 1157 1158
		bool changed = false;

		if (!!cp->val != test_bit(HCI_LINK_SECURITY,
1159
					  &hdev->dev_flags)) {
1160 1161 1162 1163 1164 1165 1166 1167 1168 1169 1170
			change_bit(HCI_LINK_SECURITY, &hdev->dev_flags);
			changed = true;
		}

		err = send_settings_rsp(sk, MGMT_OP_SET_LINK_SECURITY, hdev);
		if (err < 0)
			goto failed;

		if (changed)
			err = new_settings(hdev, sk);

1171 1172 1173 1174
		goto failed;
	}

	if (mgmt_pending_find(MGMT_OP_SET_LINK_SECURITY, hdev)) {
1175
		err = cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY,
1176
				 MGMT_STATUS_BUSY);
1177 1178 1179 1180 1181 1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194 1195 1196 1197 1198 1199 1200 1201 1202 1203
		goto failed;
	}

	val = !!cp->val;

	if (test_bit(HCI_AUTH, &hdev->flags) == val) {
		err = send_settings_rsp(sk, MGMT_OP_SET_LINK_SECURITY, hdev);
		goto failed;
	}

	cmd = mgmt_pending_add(sk, MGMT_OP_SET_LINK_SECURITY, hdev, data, len);
	if (!cmd) {
		err = -ENOMEM;
		goto failed;
	}

	err = hci_send_cmd(hdev, HCI_OP_WRITE_AUTH_ENABLE, sizeof(val), &val);
	if (err < 0) {
		mgmt_pending_remove(cmd);
		goto failed;
	}

failed:
	hci_dev_unlock(hdev);
	return err;
}

1204
static int set_ssp(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
1205 1206 1207
{
	struct mgmt_mode *cp = data;
	struct pending_cmd *cmd;
1208
	u8 val;
1209 1210
	int err;

1211
	BT_DBG("request for %s", hdev->name);
1212

1213 1214 1215
	if (!lmp_ssp_capable(hdev))
		return cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
				  MGMT_STATUS_NOT_SUPPORTED);
1216

1217 1218 1219 1220
	if (cp->val != 0x00 && cp->val != 0x01)
		return cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
				  MGMT_STATUS_INVALID_PARAMS);

1221
	hci_dev_lock(hdev);
1222

1223 1224
	val = !!cp->val;

1225
	if (!hdev_is_powered(hdev)) {
1226 1227 1228 1229 1230 1231 1232 1233 1234 1235 1236 1237 1238 1239
		bool changed = false;

		if (val != test_bit(HCI_SSP_ENABLED, &hdev->dev_flags)) {
			change_bit(HCI_SSP_ENABLED, &hdev->dev_flags);
			changed = true;
		}

		err = send_settings_rsp(sk, MGMT_OP_SET_SSP, hdev);
		if (err < 0)
			goto failed;

		if (changed)
			err = new_settings(hdev, sk);

1240 1241 1242 1243
		goto failed;
	}

	if (mgmt_pending_find(MGMT_OP_SET_SSP, hdev)) {
1244 1245
		err = cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
				 MGMT_STATUS_BUSY);
1246 1247 1248 1249 1250 1251 1252 1253 1254 1255 1256 1257 1258 1259 1260 1261 1262 1263 1264 1265 1266 1267 1268 1269 1270
		goto failed;
	}

	if (test_bit(HCI_SSP_ENABLED, &hdev->dev_flags) == val) {
		err = send_settings_rsp(sk, MGMT_OP_SET_SSP, hdev);
		goto failed;
	}

	cmd = mgmt_pending_add(sk, MGMT_OP_SET_SSP, hdev, data, len);
	if (!cmd) {
		err = -ENOMEM;
		goto failed;
	}

	err = hci_send_cmd(hdev, HCI_OP_WRITE_SSP_MODE, sizeof(val), &val);
	if (err < 0) {
		mgmt_pending_remove(cmd);
		goto failed;
	}

failed:
	hci_dev_unlock(hdev);
	return err;
}

1271
static int set_hs(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
1272 1273 1274
{
	struct mgmt_mode *cp = data;

1275
	BT_DBG("request for %s", hdev->name);
1276

1277 1278
	if (!enable_hs)
		return cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
1279
				  MGMT_STATUS_NOT_SUPPORTED);
1280

1281 1282 1283 1284
	if (cp->val != 0x00 && cp->val != 0x01)
		return cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
				  MGMT_STATUS_INVALID_PARAMS);

1285 1286 1287 1288 1289
	if (cp->val)
		set_bit(HCI_HS_ENABLED, &hdev->dev_flags);
	else
		clear_bit(HCI_HS_ENABLED, &hdev->dev_flags);

1290
	return send_settings_rsp(sk, MGMT_OP_SET_HS, hdev);
1291 1292
}

1293
static int set_le(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
1294 1295 1296 1297 1298
{
	struct mgmt_mode *cp = data;
	struct hci_cp_write_le_host_supported hci_cp;
	struct pending_cmd *cmd;
	int err;
1299
	u8 val, enabled;
1300

1301
	BT_DBG("request for %s", hdev->name);
1302

1303 1304 1305
	if (!lmp_le_capable(hdev))
		return cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
				  MGMT_STATUS_NOT_SUPPORTED);
1306

1307 1308 1309 1310
	if (cp->val != 0x00 && cp->val != 0x01)
		return cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
				  MGMT_STATUS_INVALID_PARAMS);

1311
	hci_dev_lock(hdev);
1312 1313

	val = !!cp->val;
1314
	enabled = lmp_host_le_capable(hdev);
1315

1316
	if (!hdev_is_powered(hdev) || val == enabled) {
1317 1318 1319 1320 1321 1322 1323 1324 1325
		bool changed = false;

		if (val != test_bit(HCI_LE_ENABLED, &hdev->dev_flags)) {
			change_bit(HCI_LE_ENABLED, &hdev->dev_flags);
			changed = true;
		}

		err = send_settings_rsp(sk, MGMT_OP_SET_LE, hdev);
		if (err < 0)
1326
			goto unlock;
1327 1328 1329 1330

		if (changed)
			err = new_settings(hdev, sk);

1331
		goto unlock;
1332 1333 1334
	}

	if (mgmt_pending_find(MGMT_OP_SET_LE, hdev)) {
1335
		err = cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
1336
				 MGMT_STATUS_BUSY);
1337
		goto unlock;
1338 1339 1340 1341 1342
	}

	cmd = mgmt_pending_add(sk, MGMT_OP_SET_LE, hdev, data, len);
	if (!cmd) {
		err = -ENOMEM;
1343
		goto unlock;
1344 1345 1346 1347 1348 1349
	}

	memset(&hci_cp, 0, sizeof(hci_cp));

	if (val) {
		hci_cp.le = val;
1350
		hci_cp.simul = lmp_le_br_capable(hdev);
1351 1352
	}

1353 1354
	err = hci_send_cmd(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED, sizeof(hci_cp),
			   &hci_cp);
1355
	if (err < 0)
1356 1357
		mgmt_pending_remove(cmd);

1358 1359
unlock:
	hci_dev_unlock(hdev);
1360 1361 1362
	return err;
}

1363 1364 1365 1366 1367 1368 1369 1370 1371 1372 1373 1374 1375 1376 1377 1378 1379 1380 1381 1382 1383 1384 1385
/* This is a helper function to test for pending mgmt commands that can
 * cause CoD or EIR HCI commands. We can only allow one such pending
 * mgmt command at a time since otherwise we cannot easily track what
 * the current values are, will be, and based on that calculate if a new
 * HCI command needs to be sent and if yes with what value.
 */
static bool pending_eir_or_class(struct hci_dev *hdev)
{
	struct pending_cmd *cmd;

	list_for_each_entry(cmd, &hdev->mgmt_pending, list) {
		switch (cmd->opcode) {
		case MGMT_OP_ADD_UUID:
		case MGMT_OP_REMOVE_UUID:
		case MGMT_OP_SET_DEV_CLASS:
		case MGMT_OP_SET_POWERED:
			return true;
		}
	}

	return false;
}

1386 1387 1388 1389 1390 1391 1392 1393 1394 1395 1396 1397 1398 1399 1400 1401 1402 1403 1404
static const u8 bluetooth_base_uuid[] = {
			0xfb, 0x34, 0x9b, 0x5f, 0x80, 0x00, 0x00, 0x80,
			0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};

static u8 get_uuid_size(const u8 *uuid)
{
	u32 val;

	if (memcmp(uuid, bluetooth_base_uuid, 12))
		return 128;

	val = get_unaligned_le32(&uuid[12]);
	if (val > 0xffff)
		return 32;

	return 16;
}

1405 1406 1407 1408 1409 1410 1411 1412 1413 1414 1415 1416 1417 1418 1419 1420 1421 1422 1423 1424 1425 1426 1427 1428 1429 1430
static void mgmt_class_complete(struct hci_dev *hdev, u16 mgmt_op, u8 status)
{
	struct pending_cmd *cmd;

	hci_dev_lock(hdev);

	cmd = mgmt_pending_find(mgmt_op, hdev);
	if (!cmd)
		goto unlock;

	cmd_complete(cmd->sk, cmd->index, cmd->opcode, mgmt_status(status),
		     hdev->dev_class, 3);

	mgmt_pending_remove(cmd);

unlock:
	hci_dev_unlock(hdev);
}

static void add_uuid_complete(struct hci_dev *hdev, u8 status)
{
	BT_DBG("status 0x%02x", status);

	mgmt_class_complete(hdev, MGMT_OP_ADD_UUID, status);
}

1431
static int add_uuid(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
1432
{
1433
	struct mgmt_cp_add_uuid *cp = data;
1434
	struct pending_cmd *cmd;
1435
	struct hci_request req;
1436 1437 1438
	struct bt_uuid *uuid;
	int err;

1439
	BT_DBG("request for %s", hdev->name);
1440

1441
	hci_dev_lock(hdev);
1442

1443
	if (pending_eir_or_class(hdev)) {
1444
		err = cmd_status(sk, hdev->id, MGMT_OP_ADD_UUID,
1445
				 MGMT_STATUS_BUSY);
1446 1447 1448
		goto failed;
	}

1449
	uuid = kmalloc(sizeof(*uuid), GFP_KERNEL);
1450 1451 1452 1453 1454 1455
	if (!uuid) {
		err = -ENOMEM;
		goto failed;
	}

	memcpy(uuid->uuid, cp->uuid, 16);
1456
	uuid->svc_hint = cp->svc_hint;
1457
	uuid->size = get_uuid_size(cp->uuid);
1458

1459
	list_add_tail(&uuid->list, &hdev->uuids);
1460

1461
	hci_req_init(&req, hdev);
1462

1463 1464 1465
	update_class(&req);
	update_eir(&req);

1466 1467 1468 1469
	err = hci_req_run(&req, add_uuid_complete);
	if (err < 0) {
		if (err != -ENODATA)
			goto failed;
1470

1471
		err = cmd_complete(sk, hdev->id, MGMT_OP_ADD_UUID, 0,
1472
				   hdev->dev_class, 3);
1473 1474 1475 1476
		goto failed;
	}

	cmd = mgmt_pending_add(sk, MGMT_OP_ADD_UUID, hdev, data, len);
1477
	if (!cmd) {
1478
		err = -ENOMEM;
1479 1480 1481 1482
		goto failed;
	}

	err = 0;
1483 1484

failed:
1485
	hci_dev_unlock(hdev);
1486 1487 1488
	return err;
}

1489 1490 1491 1492 1493 1494
static bool enable_service_cache(struct hci_dev *hdev)
{
	if (!hdev_is_powered(hdev))
		return false;

	if (!test_and_set_bit(HCI_SERVICE_CACHE, &hdev->dev_flags)) {
1495 1496
		queue_delayed_work(hdev->workqueue, &hdev->service_cache,
				   CACHE_TIMEOUT);
1497 1498 1499 1500 1501 1502
		return true;
	}

	return false;
}

1503 1504 1505 1506 1507 1508 1509
static void remove_uuid_complete(struct hci_dev *hdev, u8 status)
{
	BT_DBG("status 0x%02x", status);

	mgmt_class_complete(hdev, MGMT_OP_REMOVE_UUID, status);
}

1510
static int remove_uuid(struct sock *sk, struct hci_dev *hdev, void *data,
1511
		       u16 len)
1512
{
1513
	struct mgmt_cp_remove_uuid *cp = data;
1514
	struct pending_cmd *cmd;
1515
	struct bt_uuid *match, *tmp;
1516
	u8 bt_uuid_any[] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
1517
	struct hci_request req;
1518 1519
	int err, found;

1520
	BT_DBG("request for %s", hdev->name);
1521

1522
	hci_dev_lock(hdev);
1523

1524
	if (pending_eir_or_class(hdev)) {
1525
		err = cmd_status(sk, hdev->id, MGMT_OP_REMOVE_UUID,
1526
				 MGMT_STATUS_BUSY);
1527 1528 1529
		goto unlock;
	}

1530 1531
	if (memcmp(cp->uuid, bt_uuid_any, 16) == 0) {
		err = hci_uuids_clear(hdev);
1532

1533
		if (enable_service_cache(hdev)) {
1534
			err = cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_UUID,
1535
					   0, hdev->dev_class, 3);
1536 1537
			goto unlock;
		}
1538

1539
		goto update_class;
1540 1541 1542 1543
	}

	found = 0;

1544
	list_for_each_entry_safe(match, tmp, &hdev->uuids, list) {
1545 1546 1547 1548
		if (memcmp(match->uuid, cp->uuid, 16) != 0)
			continue;

		list_del(&match->list);
1549
		kfree(match);
1550 1551 1552 1553
		found++;
	}

	if (found == 0) {
1554
		err = cmd_status(sk, hdev->id, MGMT_OP_REMOVE_UUID,
1555
				 MGMT_STATUS_INVALID_PARAMS);
1556 1557 1558
		goto unlock;
	}

1559
update_class:
1560
	hci_req_init(&req, hdev);
1561

1562 1563 1564
	update_class(&req);
	update_eir(&req);

1565 1566 1567 1568
	err = hci_req_run(&req, remove_uuid_complete);
	if (err < 0) {
		if (err != -ENODATA)
			goto unlock;
1569

1570
		err = cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_UUID, 0,
1571
				   hdev->dev_class, 3);
1572 1573 1574 1575
		goto unlock;
	}

	cmd = mgmt_pending_add(sk, MGMT_OP_REMOVE_UUID, hdev, data, len);
1576
	if (!cmd) {
1577
		err = -ENOMEM;
1578 1579 1580 1581
		goto unlock;
	}

	err = 0;
1582 1583

unlock:
1584
	hci_dev_unlock(hdev);
1585 1586 1587
	return err;
}

1588 1589 1590 1591 1592 1593 1594
static void set_class_complete(struct hci_dev *hdev, u8 status)
{
	BT_DBG("status 0x%02x", status);

	mgmt_class_complete(hdev, MGMT_OP_SET_DEV_CLASS, status);
}

1595
static int set_dev_class(struct sock *sk, struct hci_dev *hdev, void *data,
1596
			 u16 len)
1597
{
1598
	struct mgmt_cp_set_dev_class *cp = data;
1599
	struct pending_cmd *cmd;
1600
	struct hci_request req;
1601 1602
	int err;

1603
	BT_DBG("request for %s", hdev->name);
1604

1605 1606 1607
	if (!lmp_bredr_capable(hdev))
		return cmd_status(sk, hdev->id, MGMT_OP_SET_DEV_CLASS,
				  MGMT_STATUS_NOT_SUPPORTED);
1608

1609
	hci_dev_lock(hdev);
1610

1611 1612 1613 1614 1615
	if (pending_eir_or_class(hdev)) {
		err = cmd_status(sk, hdev->id, MGMT_OP_SET_DEV_CLASS,
				 MGMT_STATUS_BUSY);
		goto unlock;
	}
1616

1617 1618 1619 1620 1621
	if ((cp->minor & 0x03) != 0 || (cp->major & 0xe0) != 0) {
		err = cmd_status(sk, hdev->id, MGMT_OP_SET_DEV_CLASS,
				 MGMT_STATUS_INVALID_PARAMS);
		goto unlock;
	}
1622

1623 1624 1625
	hdev->major_class = cp->major;
	hdev->minor_class = cp->minor;

1626
	if (!hdev_is_powered(hdev)) {
1627
		err = cmd_complete(sk, hdev->id, MGMT_OP_SET_DEV_CLASS, 0,
1628
				   hdev->dev_class, 3);
1629 1630 1631
		goto unlock;
	}

1632 1633
	hci_req_init(&req, hdev);

1634
	if (test_and_clear_bit(HCI_SERVICE_CACHE, &hdev->dev_flags)) {
1635 1636 1637
		hci_dev_unlock(hdev);
		cancel_delayed_work_sync(&hdev->service_cache);
		hci_dev_lock(hdev);
1638
		update_eir(&req);
1639
	}
1640

1641 1642
	update_class(&req);

1643 1644 1645 1646
	err = hci_req_run(&req, set_class_complete);
	if (err < 0) {
		if (err != -ENODATA)
			goto unlock;
1647

1648
		err = cmd_complete(sk, hdev->id, MGMT_OP_SET_DEV_CLASS, 0,
1649
				   hdev->dev_class, 3);
1650 1651 1652 1653
		goto unlock;
	}

	cmd = mgmt_pending_add(sk, MGMT_OP_SET_DEV_CLASS, hdev, data, len);
1654
	if (!cmd) {
1655
		err = -ENOMEM;
1656 1657 1658 1659
		goto unlock;
	}

	err = 0;
1660

1661
unlock:
1662
	hci_dev_unlock(hdev);
1663 1664 1665
	return err;
}

1666
static int load_link_keys(struct sock *sk, struct hci_dev *hdev, void *data,
1667
			  u16 len)
1668
{
1669
	struct mgmt_cp_load_link_keys *cp = data;
1670
	u16 key_count, expected_len;
1671
	int i;
1672

1673
	key_count = __le16_to_cpu(cp->key_count);
1674

1675 1676
	expected_len = sizeof(*cp) + key_count *
					sizeof(struct mgmt_link_key_info);
1677
	if (expected_len != len) {
1678
		BT_ERR("load_link_keys: expected %u bytes, got %u bytes",
1679
		       len, expected_len);
1680
		return cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
1681
				  MGMT_STATUS_INVALID_PARAMS);
1682 1683
	}

1684 1685 1686 1687
	if (cp->debug_keys != 0x00 && cp->debug_keys != 0x01)
		return cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
				  MGMT_STATUS_INVALID_PARAMS);

1688
	BT_DBG("%s debug_keys %u key_count %u", hdev->name, cp->debug_keys,
1689
	       key_count);
1690

1691 1692 1693 1694 1695 1696 1697 1698
	for (i = 0; i < key_count; i++) {
		struct mgmt_link_key_info *key = &cp->keys[i];

		if (key->addr.type != BDADDR_BREDR)
			return cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
					  MGMT_STATUS_INVALID_PARAMS);
	}

1699
	hci_dev_lock(hdev);
1700 1701 1702

	hci_link_keys_clear(hdev);

1703
	set_bit(HCI_LINK_KEYS, &hdev->dev_flags);
1704 1705

	if (cp->debug_keys)
1706
		set_bit(HCI_DEBUG_KEYS, &hdev->dev_flags);
1707
	else
1708
		clear_bit(HCI_DEBUG_KEYS, &hdev->dev_flags);
1709

1710
	for (i = 0; i < key_count; i++) {
1711
		struct mgmt_link_key_info *key = &cp->keys[i];
1712

1713
		hci_add_link_key(hdev, NULL, 0, &key->addr.bdaddr, key->val,
1714
				 key->type, key->pin_len);
1715 1716
	}

1717
	cmd_complete(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS, 0, NULL, 0);
1718

1719
	hci_dev_unlock(hdev);
1720

1721
	return 0;
1722 1723
}

1724
static int device_unpaired(struct hci_dev *hdev, bdaddr_t *bdaddr,
1725
			   u8 addr_type, struct sock *skip_sk)
1726 1727 1728 1729 1730 1731 1732
{
	struct mgmt_ev_device_unpaired ev;

	bacpy(&ev.addr.bdaddr, bdaddr);
	ev.addr.type = addr_type;

	return mgmt_event(MGMT_EV_DEVICE_UNPAIRED, hdev, &ev, sizeof(ev),
1733
			  skip_sk);
1734 1735
}

1736
static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data,
1737
			 u16 len)
1738
{
1739 1740
	struct mgmt_cp_unpair_device *cp = data;
	struct mgmt_rp_unpair_device rp;
1741 1742
	struct hci_cp_disconnect dc;
	struct pending_cmd *cmd;
1743 1744 1745
	struct hci_conn *conn;
	int err;

1746
	memset(&rp, 0, sizeof(rp));
1747 1748
	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
	rp.addr.type = cp->addr.type;
1749

1750 1751 1752 1753 1754
	if (!bdaddr_type_is_valid(cp->addr.type))
		return cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
				    MGMT_STATUS_INVALID_PARAMS,
				    &rp, sizeof(rp));

1755 1756 1757 1758 1759
	if (cp->disconnect != 0x00 && cp->disconnect != 0x01)
		return cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
				    MGMT_STATUS_INVALID_PARAMS,
				    &rp, sizeof(rp));

1760 1761
	hci_dev_lock(hdev);

1762
	if (!hdev_is_powered(hdev)) {
1763
		err = cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
1764
				   MGMT_STATUS_NOT_POWERED, &rp, sizeof(rp));
1765 1766 1767
		goto unlock;
	}

1768
	if (cp->addr.type == BDADDR_BREDR)
1769 1770 1771
		err = hci_remove_link_key(hdev, &cp->addr.bdaddr);
	else
		err = hci_remove_ltk(hdev, &cp->addr.bdaddr);
1772

1773
	if (err < 0) {
1774
		err = cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
1775
				   MGMT_STATUS_NOT_PAIRED, &rp, sizeof(rp));
1776 1777 1778
		goto unlock;
	}

1779
	if (cp->disconnect) {
1780
		if (cp->addr.type == BDADDR_BREDR)
1781
			conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
1782
						       &cp->addr.bdaddr);
1783 1784
		else
			conn = hci_conn_hash_lookup_ba(hdev, LE_LINK,
1785
						       &cp->addr.bdaddr);
1786 1787 1788
	} else {
		conn = NULL;
	}
1789

1790
	if (!conn) {
1791
		err = cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE, 0,
1792
				   &rp, sizeof(rp));
1793
		device_unpaired(hdev, &cp->addr.bdaddr, cp->addr.type, sk);
1794 1795
		goto unlock;
	}
1796

1797
	cmd = mgmt_pending_add(sk, MGMT_OP_UNPAIR_DEVICE, hdev, cp,
1798
			       sizeof(*cp));
1799 1800 1801
	if (!cmd) {
		err = -ENOMEM;
		goto unlock;
1802 1803
	}

1804
	dc.handle = cpu_to_le16(conn->handle);
1805 1806 1807 1808 1809
	dc.reason = 0x13; /* Remote User Terminated Connection */
	err = hci_send_cmd(hdev, HCI_OP_DISCONNECT, sizeof(dc), &dc);
	if (err < 0)
		mgmt_pending_remove(cmd);

1810
unlock:
1811
	hci_dev_unlock(hdev);
1812 1813 1814
	return err;
}

1815
static int disconnect(struct sock *sk, struct hci_dev *hdev, void *data,
1816
		      u16 len)
1817
{
1818
	struct mgmt_cp_disconnect *cp = data;
1819
	struct mgmt_rp_disconnect rp;
1820
	struct hci_cp_disconnect dc;
1821
	struct pending_cmd *cmd;
1822 1823 1824 1825 1826
	struct hci_conn *conn;
	int err;

	BT_DBG("");

1827 1828 1829 1830
	memset(&rp, 0, sizeof(rp));
	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
	rp.addr.type = cp->addr.type;

1831
	if (!bdaddr_type_is_valid(cp->addr.type))
1832 1833 1834
		return cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
				    MGMT_STATUS_INVALID_PARAMS,
				    &rp, sizeof(rp));
1835

1836
	hci_dev_lock(hdev);
1837 1838

	if (!test_bit(HCI_UP, &hdev->flags)) {
1839 1840
		err = cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
				   MGMT_STATUS_NOT_POWERED, &rp, sizeof(rp));
1841 1842 1843
		goto failed;
	}

1844
	if (mgmt_pending_find(MGMT_OP_DISCONNECT, hdev)) {
1845 1846
		err = cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
				   MGMT_STATUS_BUSY, &rp, sizeof(rp));
1847 1848 1849
		goto failed;
	}

1850
	if (cp->addr.type == BDADDR_BREDR)
1851 1852
		conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
					       &cp->addr.bdaddr);
1853 1854
	else
		conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->addr.bdaddr);
1855

1856
	if (!conn || conn->state == BT_OPEN || conn->state == BT_CLOSED) {
1857 1858
		err = cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
				   MGMT_STATUS_NOT_CONNECTED, &rp, sizeof(rp));
1859 1860 1861
		goto failed;
	}

1862
	cmd = mgmt_pending_add(sk, MGMT_OP_DISCONNECT, hdev, data, len);
1863 1864
	if (!cmd) {
		err = -ENOMEM;
1865
		goto failed;
1866
	}
1867

1868
	dc.handle = cpu_to_le16(conn->handle);
1869
	dc.reason = HCI_ERROR_REMOTE_USER_TERM;
1870 1871 1872

	err = hci_send_cmd(hdev, HCI_OP_DISCONNECT, sizeof(dc), &dc);
	if (err < 0)
1873
		mgmt_pending_remove(cmd);
1874 1875

failed:
1876
	hci_dev_unlock(hdev);
1877 1878 1879
	return err;
}

1880
static u8 link_to_bdaddr(u8 link_type, u8 addr_type)
1881 1882 1883
{
	switch (link_type) {
	case LE_LINK:
1884 1885
		switch (addr_type) {
		case ADDR_LE_DEV_PUBLIC:
1886
			return BDADDR_LE_PUBLIC;
1887

1888
		default:
1889
			/* Fallback to LE Random address type */
1890
			return BDADDR_LE_RANDOM;
1891
		}
1892

1893
	default:
1894
		/* Fallback to BR/EDR type */
1895
		return BDADDR_BREDR;
1896 1897 1898
	}
}

1899 1900
static int get_connections(struct sock *sk, struct hci_dev *hdev, void *data,
			   u16 data_len)
1901 1902
{
	struct mgmt_rp_get_connections *rp;
1903
	struct hci_conn *c;
1904
	size_t rp_len;
1905 1906
	int err;
	u16 i;
1907 1908 1909

	BT_DBG("");

1910
	hci_dev_lock(hdev);
1911

1912
	if (!hdev_is_powered(hdev)) {
1913
		err = cmd_status(sk, hdev->id, MGMT_OP_GET_CONNECTIONS,
1914
				 MGMT_STATUS_NOT_POWERED);
1915 1916 1917
		goto unlock;
	}

1918
	i = 0;
1919 1920
	list_for_each_entry(c, &hdev->conn_hash.list, list) {
		if (test_bit(HCI_CONN_MGMT_CONNECTED, &c->flags))
1921
			i++;
1922 1923
	}

1924
	rp_len = sizeof(*rp) + (i * sizeof(struct mgmt_addr_info));
1925
	rp = kmalloc(rp_len, GFP_KERNEL);
1926
	if (!rp) {
1927 1928 1929 1930 1931
		err = -ENOMEM;
		goto unlock;
	}

	i = 0;
1932
	list_for_each_entry(c, &hdev->conn_hash.list, list) {
1933 1934
		if (!test_bit(HCI_CONN_MGMT_CONNECTED, &c->flags))
			continue;
1935
		bacpy(&rp->addr[i].bdaddr, &c->dst);
1936
		rp->addr[i].type = link_to_bdaddr(c->type, c->dst_type);
1937
		if (c->type == SCO_LINK || c->type == ESCO_LINK)
1938 1939 1940 1941
			continue;
		i++;
	}

1942
	rp->conn_count = cpu_to_le16(i);
1943

1944 1945
	/* Recalculate length in case of filtered SCO connections, etc */
	rp_len = sizeof(*rp) + (i * sizeof(struct mgmt_addr_info));
1946

1947
	err = cmd_complete(sk, hdev->id, MGMT_OP_GET_CONNECTIONS, 0, rp,
1948
			   rp_len);
1949

1950
	kfree(rp);
1951 1952

unlock:
1953
	hci_dev_unlock(hdev);
1954 1955 1956
	return err;
}

1957
static int send_pin_code_neg_reply(struct sock *sk, struct hci_dev *hdev,
1958
				   struct mgmt_cp_pin_code_neg_reply *cp)
1959 1960 1961 1962
{
	struct pending_cmd *cmd;
	int err;

1963
	cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_NEG_REPLY, hdev, cp,
1964
			       sizeof(*cp));
1965 1966 1967
	if (!cmd)
		return -ENOMEM;

1968
	err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
1969
			   sizeof(cp->addr.bdaddr), &cp->addr.bdaddr);
1970 1971 1972 1973 1974 1975
	if (err < 0)
		mgmt_pending_remove(cmd);

	return err;
}

1976
static int pin_code_reply(struct sock *sk, struct hci_dev *hdev, void *data,
1977
			  u16 len)
1978
{
1979
	struct hci_conn *conn;
1980
	struct mgmt_cp_pin_code_reply *cp = data;
1981
	struct hci_cp_pin_code_reply reply;
1982
	struct pending_cmd *cmd;
1983 1984 1985 1986
	int err;

	BT_DBG("");

1987
	hci_dev_lock(hdev);
1988

1989
	if (!hdev_is_powered(hdev)) {
1990
		err = cmd_status(sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
1991
				 MGMT_STATUS_NOT_POWERED);
1992 1993 1994
		goto failed;
	}

1995
	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->addr.bdaddr);
1996
	if (!conn) {
1997
		err = cmd_status(sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
1998
				 MGMT_STATUS_NOT_CONNECTED);
1999 2000 2001 2002
		goto failed;
	}

	if (conn->pending_sec_level == BT_SECURITY_HIGH && cp->pin_len != 16) {
2003 2004 2005
		struct mgmt_cp_pin_code_neg_reply ncp;

		memcpy(&ncp.addr, &cp->addr, sizeof(ncp.addr));
2006 2007 2008

		BT_ERR("PIN code is not 16 bytes long");

2009
		err = send_pin_code_neg_reply(sk, hdev, &ncp);
2010
		if (err >= 0)
2011
			err = cmd_status(sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
2012
					 MGMT_STATUS_INVALID_PARAMS);
2013 2014 2015 2016

		goto failed;
	}

2017
	cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_REPLY, hdev, data, len);
2018 2019
	if (!cmd) {
		err = -ENOMEM;
2020
		goto failed;
2021
	}
2022

2023
	bacpy(&reply.bdaddr, &cp->addr.bdaddr);
2024
	reply.pin_len = cp->pin_len;
2025
	memcpy(reply.pin_code, cp->pin_code, sizeof(reply.pin_code));
2026 2027 2028

	err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_REPLY, sizeof(reply), &reply);
	if (err < 0)
2029
		mgmt_pending_remove(cmd);
2030 2031

failed:
2032
	hci_dev_unlock(hdev);
2033 2034 2035
	return err;
}

2036 2037
static int set_io_capability(struct sock *sk, struct hci_dev *hdev, void *data,
			     u16 len)
2038
{
2039
	struct mgmt_cp_set_io_capability *cp = data;
2040 2041 2042

	BT_DBG("");

2043
	hci_dev_lock(hdev);
2044 2045 2046 2047

	hdev->io_capability = cp->io_capability;

	BT_DBG("%s IO capability set to 0x%02x", hdev->name,
2048
	       hdev->io_capability);
2049

2050
	hci_dev_unlock(hdev);
2051

2052 2053
	return cmd_complete(sk, hdev->id, MGMT_OP_SET_IO_CAPABILITY, 0, NULL,
			    0);
2054 2055
}

2056
static struct pending_cmd *find_pairing(struct hci_conn *conn)
2057 2058
{
	struct hci_dev *hdev = conn->hdev;
2059
	struct pending_cmd *cmd;
2060

2061
	list_for_each_entry(cmd, &hdev->mgmt_pending, list) {
2062 2063 2064 2065 2066 2067 2068 2069 2070 2071 2072 2073 2074 2075 2076 2077 2078
		if (cmd->opcode != MGMT_OP_PAIR_DEVICE)
			continue;

		if (cmd->user_data != conn)
			continue;

		return cmd;
	}

	return NULL;
}

static void pairing_complete(struct pending_cmd *cmd, u8 status)
{
	struct mgmt_rp_pair_device rp;
	struct hci_conn *conn = cmd->user_data;

2079
	bacpy(&rp.addr.bdaddr, &conn->dst);
2080
	rp.addr.type = link_to_bdaddr(conn->type, conn->dst_type);
2081

2082
	cmd_complete(cmd->sk, cmd->index, MGMT_OP_PAIR_DEVICE, status,
2083
		     &rp, sizeof(rp));
2084 2085 2086 2087 2088 2089 2090 2091

	/* So we don't get further callbacks for this connection */
	conn->connect_cfm_cb = NULL;
	conn->security_cfm_cb = NULL;
	conn->disconn_cfm_cb = NULL;

	hci_conn_put(conn);

2092
	mgmt_pending_remove(cmd);
2093 2094 2095 2096 2097 2098 2099 2100 2101
}

static void pairing_complete_cb(struct hci_conn *conn, u8 status)
{
	struct pending_cmd *cmd;

	BT_DBG("status %u", status);

	cmd = find_pairing(conn);
2102
	if (!cmd)
2103
		BT_DBG("Unable to find a pending command");
2104
	else
2105
		pairing_complete(cmd, mgmt_status(status));
2106 2107
}

2108 2109 2110 2111 2112 2113 2114 2115 2116 2117 2118 2119 2120 2121 2122 2123
static void le_connect_complete_cb(struct hci_conn *conn, u8 status)
{
	struct pending_cmd *cmd;

	BT_DBG("status %u", status);

	if (!status)
		return;

	cmd = find_pairing(conn);
	if (!cmd)
		BT_DBG("Unable to find a pending command");
	else
		pairing_complete(cmd, mgmt_status(status));
}

2124
static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2125
		       u16 len)
2126
{
2127
	struct mgmt_cp_pair_device *cp = data;
2128
	struct mgmt_rp_pair_device rp;
2129 2130 2131 2132 2133 2134 2135
	struct pending_cmd *cmd;
	u8 sec_level, auth_type;
	struct hci_conn *conn;
	int err;

	BT_DBG("");

2136 2137 2138 2139
	memset(&rp, 0, sizeof(rp));
	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
	rp.addr.type = cp->addr.type;

2140 2141 2142 2143 2144
	if (!bdaddr_type_is_valid(cp->addr.type))
		return cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
				    MGMT_STATUS_INVALID_PARAMS,
				    &rp, sizeof(rp));

2145
	hci_dev_lock(hdev);
2146

2147
	if (!hdev_is_powered(hdev)) {
2148 2149
		err = cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
				   MGMT_STATUS_NOT_POWERED, &rp, sizeof(rp));
2150 2151 2152
		goto unlock;
	}

2153 2154
	sec_level = BT_SECURITY_MEDIUM;
	if (cp->io_cap == 0x03)
2155
		auth_type = HCI_AT_DEDICATED_BONDING;
2156
	else
2157 2158
		auth_type = HCI_AT_DEDICATED_BONDING_MITM;

2159
	if (cp->addr.type == BDADDR_BREDR)
2160 2161
		conn = hci_connect(hdev, ACL_LINK, &cp->addr.bdaddr,
				   cp->addr.type, sec_level, auth_type);
2162
	else
2163 2164
		conn = hci_connect(hdev, LE_LINK, &cp->addr.bdaddr,
				   cp->addr.type, sec_level, auth_type);
2165

2166
	if (IS_ERR(conn)) {
2167 2168 2169 2170 2171 2172 2173
		int status;

		if (PTR_ERR(conn) == -EBUSY)
			status = MGMT_STATUS_BUSY;
		else
			status = MGMT_STATUS_CONNECT_FAILED;

2174
		err = cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2175
				   status, &rp,
2176
				   sizeof(rp));
2177 2178 2179 2180 2181
		goto unlock;
	}

	if (conn->connect_cfm_cb) {
		hci_conn_put(conn);
2182
		err = cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2183
				   MGMT_STATUS_BUSY, &rp, sizeof(rp));
2184 2185 2186
		goto unlock;
	}

2187
	cmd = mgmt_pending_add(sk, MGMT_OP_PAIR_DEVICE, hdev, data, len);
2188 2189 2190 2191 2192 2193
	if (!cmd) {
		err = -ENOMEM;
		hci_conn_put(conn);
		goto unlock;
	}

2194
	/* For LE, just connecting isn't a proof that the pairing finished */
2195
	if (cp->addr.type == BDADDR_BREDR)
2196
		conn->connect_cfm_cb = pairing_complete_cb;
2197 2198
	else
		conn->connect_cfm_cb = le_connect_complete_cb;
2199

2200 2201 2202 2203 2204 2205
	conn->security_cfm_cb = pairing_complete_cb;
	conn->disconn_cfm_cb = pairing_complete_cb;
	conn->io_capability = cp->io_cap;
	cmd->user_data = conn;

	if (conn->state == BT_CONNECTED &&
2206
	    hci_conn_security(conn, sec_level, auth_type))
2207 2208 2209 2210 2211
		pairing_complete(cmd, 0);

	err = 0;

unlock:
2212
	hci_dev_unlock(hdev);
2213 2214 2215
	return err;
}

2216 2217
static int cancel_pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
			      u16 len)
2218
{
2219
	struct mgmt_addr_info *addr = data;
2220 2221 2222 2223 2224 2225 2226 2227
	struct pending_cmd *cmd;
	struct hci_conn *conn;
	int err;

	BT_DBG("");

	hci_dev_lock(hdev);

2228
	if (!hdev_is_powered(hdev)) {
2229
		err = cmd_status(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
2230
				 MGMT_STATUS_NOT_POWERED);
2231 2232 2233
		goto unlock;
	}

2234 2235
	cmd = mgmt_pending_find(MGMT_OP_PAIR_DEVICE, hdev);
	if (!cmd) {
2236
		err = cmd_status(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
2237
				 MGMT_STATUS_INVALID_PARAMS);
2238 2239 2240 2241 2242 2243
		goto unlock;
	}

	conn = cmd->user_data;

	if (bacmp(&addr->bdaddr, &conn->dst) != 0) {
2244
		err = cmd_status(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
2245
				 MGMT_STATUS_INVALID_PARAMS);
2246 2247 2248 2249 2250
		goto unlock;
	}

	pairing_complete(cmd, MGMT_STATUS_CANCELLED);

2251
	err = cmd_complete(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE, 0,
2252
			   addr, sizeof(*addr));
2253 2254 2255 2256 2257
unlock:
	hci_dev_unlock(hdev);
	return err;
}

2258
static int user_pairing_resp(struct sock *sk, struct hci_dev *hdev,
2259 2260
			     bdaddr_t *bdaddr, u8 type, u16 mgmt_op,
			     u16 hci_op, __le32 passkey)
2261 2262
{
	struct pending_cmd *cmd;
2263
	struct hci_conn *conn;
2264 2265
	int err;

2266
	hci_dev_lock(hdev);
2267

2268
	if (!hdev_is_powered(hdev)) {
2269
		err = cmd_status(sk, hdev->id, mgmt_op,
2270
				 MGMT_STATUS_NOT_POWERED);
2271
		goto done;
2272 2273
	}

2274
	if (type == BDADDR_BREDR)
2275 2276
		conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, bdaddr);
	else
2277
		conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, bdaddr);
2278 2279

	if (!conn) {
2280
		err = cmd_status(sk, hdev->id, mgmt_op,
2281
				 MGMT_STATUS_NOT_CONNECTED);
2282 2283
		goto done;
	}
2284

2285
	if (type == BDADDR_LE_PUBLIC || type == BDADDR_LE_RANDOM) {
2286
		/* Continue with pairing via SMP */
2287 2288 2289
		err = smp_user_confirm_reply(conn, mgmt_op, passkey);

		if (!err)
2290
			err = cmd_status(sk, hdev->id, mgmt_op,
2291
					 MGMT_STATUS_SUCCESS);
2292
		else
2293
			err = cmd_status(sk, hdev->id, mgmt_op,
2294
					 MGMT_STATUS_FAILED);
2295 2296 2297 2298

		goto done;
	}

2299
	cmd = mgmt_pending_add(sk, mgmt_op, hdev, bdaddr, sizeof(*bdaddr));
2300 2301
	if (!cmd) {
		err = -ENOMEM;
2302
		goto done;
2303 2304
	}

2305
	/* Continue with pairing via HCI */
2306 2307 2308 2309 2310 2311 2312 2313 2314
	if (hci_op == HCI_OP_USER_PASSKEY_REPLY) {
		struct hci_cp_user_passkey_reply cp;

		bacpy(&cp.bdaddr, bdaddr);
		cp.passkey = passkey;
		err = hci_send_cmd(hdev, hci_op, sizeof(cp), &cp);
	} else
		err = hci_send_cmd(hdev, hci_op, sizeof(*bdaddr), bdaddr);

2315 2316
	if (err < 0)
		mgmt_pending_remove(cmd);
2317

2318
done:
2319
	hci_dev_unlock(hdev);
2320 2321 2322
	return err;
}

2323 2324 2325 2326 2327 2328 2329 2330 2331 2332 2333 2334
static int pin_code_neg_reply(struct sock *sk, struct hci_dev *hdev,
			      void *data, u16 len)
{
	struct mgmt_cp_pin_code_neg_reply *cp = data;

	BT_DBG("");

	return user_pairing_resp(sk, hdev, &cp->addr.bdaddr, cp->addr.type,
				MGMT_OP_PIN_CODE_NEG_REPLY,
				HCI_OP_PIN_CODE_NEG_REPLY, 0);
}

2335 2336
static int user_confirm_reply(struct sock *sk, struct hci_dev *hdev, void *data,
			      u16 len)
2337
{
2338
	struct mgmt_cp_user_confirm_reply *cp = data;
2339 2340 2341 2342

	BT_DBG("");

	if (len != sizeof(*cp))
2343
		return cmd_status(sk, hdev->id, MGMT_OP_USER_CONFIRM_REPLY,
2344
				  MGMT_STATUS_INVALID_PARAMS);
2345

2346
	return user_pairing_resp(sk, hdev, &cp->addr.bdaddr, cp->addr.type,
2347 2348
				 MGMT_OP_USER_CONFIRM_REPLY,
				 HCI_OP_USER_CONFIRM_REPLY, 0);
2349 2350
}

2351
static int user_confirm_neg_reply(struct sock *sk, struct hci_dev *hdev,
2352
				  void *data, u16 len)
2353
{
2354
	struct mgmt_cp_user_confirm_neg_reply *cp = data;
2355 2356 2357

	BT_DBG("");

2358
	return user_pairing_resp(sk, hdev, &cp->addr.bdaddr, cp->addr.type,
2359 2360
				 MGMT_OP_USER_CONFIRM_NEG_REPLY,
				 HCI_OP_USER_CONFIRM_NEG_REPLY, 0);
2361 2362
}

2363 2364
static int user_passkey_reply(struct sock *sk, struct hci_dev *hdev, void *data,
			      u16 len)
2365
{
2366
	struct mgmt_cp_user_passkey_reply *cp = data;
2367 2368 2369

	BT_DBG("");

2370
	return user_pairing_resp(sk, hdev, &cp->addr.bdaddr, cp->addr.type,
2371 2372
				 MGMT_OP_USER_PASSKEY_REPLY,
				 HCI_OP_USER_PASSKEY_REPLY, cp->passkey);
2373 2374
}

2375
static int user_passkey_neg_reply(struct sock *sk, struct hci_dev *hdev,
2376
				  void *data, u16 len)
2377
{
2378
	struct mgmt_cp_user_passkey_neg_reply *cp = data;
2379 2380 2381

	BT_DBG("");

2382
	return user_pairing_resp(sk, hdev, &cp->addr.bdaddr, cp->addr.type,
2383 2384
				 MGMT_OP_USER_PASSKEY_NEG_REPLY,
				 HCI_OP_USER_PASSKEY_NEG_REPLY, 0);
2385 2386
}

2387
static void update_name(struct hci_request *req)
2388
{
2389
	struct hci_dev *hdev = req->hdev;
2390 2391
	struct hci_cp_write_local_name cp;

2392
	memcpy(cp.name, hdev->dev_name, sizeof(cp.name));
2393

2394
	hci_req_add(req, HCI_OP_WRITE_LOCAL_NAME, sizeof(cp), &cp);
2395 2396
}

2397 2398 2399 2400 2401 2402 2403 2404 2405 2406 2407 2408 2409 2410 2411 2412 2413 2414 2415 2416 2417 2418 2419 2420 2421 2422 2423 2424
static void set_name_complete(struct hci_dev *hdev, u8 status)
{
	struct mgmt_cp_set_local_name *cp;
	struct pending_cmd *cmd;

	BT_DBG("status 0x%02x", status);

	hci_dev_lock(hdev);

	cmd = mgmt_pending_find(MGMT_OP_SET_LOCAL_NAME, hdev);
	if (!cmd)
		goto unlock;

	cp = cmd->param;

	if (status)
		cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_LOCAL_NAME,
			   mgmt_status(status));
	else
		cmd_complete(cmd->sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, 0,
			     cp, sizeof(*cp));

	mgmt_pending_remove(cmd);

unlock:
	hci_dev_unlock(hdev);
}

2425
static int set_local_name(struct sock *sk, struct hci_dev *hdev, void *data,
2426
			  u16 len)
2427
{
2428
	struct mgmt_cp_set_local_name *cp = data;
2429
	struct pending_cmd *cmd;
2430
	struct hci_request req;
2431 2432 2433 2434
	int err;

	BT_DBG("");

2435
	hci_dev_lock(hdev);
2436

2437 2438 2439 2440 2441 2442 2443 2444 2445 2446 2447
	/* If the old values are the same as the new ones just return a
	 * direct command complete event.
	 */
	if (!memcmp(hdev->dev_name, cp->name, sizeof(hdev->dev_name)) &&
	    !memcmp(hdev->short_name, cp->short_name,
		    sizeof(hdev->short_name))) {
		err = cmd_complete(sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, 0,
				   data, len);
		goto failed;
	}

2448
	memcpy(hdev->short_name, cp->short_name, sizeof(hdev->short_name));
2449

2450
	if (!hdev_is_powered(hdev)) {
2451
		memcpy(hdev->dev_name, cp->name, sizeof(hdev->dev_name));
2452 2453

		err = cmd_complete(sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, 0,
2454
				   data, len);
2455 2456 2457 2458
		if (err < 0)
			goto failed;

		err = mgmt_event(MGMT_EV_LOCAL_NAME_CHANGED, hdev, data, len,
2459
				 sk);
2460

2461 2462 2463
		goto failed;
	}

2464
	cmd = mgmt_pending_add(sk, MGMT_OP_SET_LOCAL_NAME, hdev, data, len);
2465 2466 2467 2468 2469
	if (!cmd) {
		err = -ENOMEM;
		goto failed;
	}

2470 2471
	memcpy(hdev->dev_name, cp->name, sizeof(hdev->dev_name));

2472
	hci_req_init(&req, hdev);
2473 2474 2475 2476 2477 2478 2479 2480 2481

	if (lmp_bredr_capable(hdev)) {
		update_name(&req);
		update_eir(&req);
	}

	if (lmp_le_capable(hdev))
		hci_update_ad(&req);

2482
	err = hci_req_run(&req, set_name_complete);
2483 2484 2485 2486
	if (err < 0)
		mgmt_pending_remove(cmd);

failed:
2487
	hci_dev_unlock(hdev);
2488 2489 2490
	return err;
}

2491
static int read_local_oob_data(struct sock *sk, struct hci_dev *hdev,
2492
			       void *data, u16 data_len)
2493 2494 2495 2496
{
	struct pending_cmd *cmd;
	int err;

2497
	BT_DBG("%s", hdev->name);
2498

2499
	hci_dev_lock(hdev);
2500

2501
	if (!hdev_is_powered(hdev)) {
2502
		err = cmd_status(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
2503
				 MGMT_STATUS_NOT_POWERED);
2504 2505 2506
		goto unlock;
	}

2507
	if (!lmp_ssp_capable(hdev)) {
2508
		err = cmd_status(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
2509
				 MGMT_STATUS_NOT_SUPPORTED);
2510 2511 2512
		goto unlock;
	}

2513
	if (mgmt_pending_find(MGMT_OP_READ_LOCAL_OOB_DATA, hdev)) {
2514
		err = cmd_status(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
2515
				 MGMT_STATUS_BUSY);
2516 2517 2518
		goto unlock;
	}

2519
	cmd = mgmt_pending_add(sk, MGMT_OP_READ_LOCAL_OOB_DATA, hdev, NULL, 0);
2520 2521 2522 2523 2524 2525 2526 2527 2528 2529
	if (!cmd) {
		err = -ENOMEM;
		goto unlock;
	}

	err = hci_send_cmd(hdev, HCI_OP_READ_LOCAL_OOB_DATA, 0, NULL);
	if (err < 0)
		mgmt_pending_remove(cmd);

unlock:
2530
	hci_dev_unlock(hdev);
2531 2532 2533
	return err;
}

2534
static int add_remote_oob_data(struct sock *sk, struct hci_dev *hdev,
2535
			       void *data, u16 len)
2536
{
2537
	struct mgmt_cp_add_remote_oob_data *cp = data;
2538
	u8 status;
2539 2540
	int err;

2541
	BT_DBG("%s ", hdev->name);
2542

2543
	hci_dev_lock(hdev);
2544

2545
	err = hci_add_remote_oob_data(hdev, &cp->addr.bdaddr, cp->hash,
2546
				      cp->randomizer);
2547
	if (err < 0)
2548
		status = MGMT_STATUS_FAILED;
2549
	else
2550
		status = MGMT_STATUS_SUCCESS;
2551

2552
	err = cmd_complete(sk, hdev->id, MGMT_OP_ADD_REMOTE_OOB_DATA, status,
2553
			   &cp->addr, sizeof(cp->addr));
2554

2555
	hci_dev_unlock(hdev);
2556 2557 2558
	return err;
}

2559
static int remove_remote_oob_data(struct sock *sk, struct hci_dev *hdev,
2560
				  void *data, u16 len)
2561
{
2562
	struct mgmt_cp_remove_remote_oob_data *cp = data;
2563
	u8 status;
2564 2565
	int err;

2566
	BT_DBG("%s", hdev->name);
2567

2568
	hci_dev_lock(hdev);
2569

2570
	err = hci_remove_remote_oob_data(hdev, &cp->addr.bdaddr);
2571
	if (err < 0)
2572
		status = MGMT_STATUS_INVALID_PARAMS;
2573
	else
2574
		status = MGMT_STATUS_SUCCESS;
2575

2576
	err = cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
2577
			   status, &cp->addr, sizeof(cp->addr));
2578

2579
	hci_dev_unlock(hdev);
2580 2581 2582
	return err;
}

2583 2584 2585 2586 2587 2588 2589 2590 2591 2592 2593 2594 2595 2596 2597 2598 2599
int mgmt_interleaved_discovery(struct hci_dev *hdev)
{
	int err;

	BT_DBG("%s", hdev->name);

	hci_dev_lock(hdev);

	err = hci_do_inquiry(hdev, INQUIRY_LEN_BREDR_LE);
	if (err < 0)
		hci_discovery_set_state(hdev, DISCOVERY_STOPPED);

	hci_dev_unlock(hdev);

	return err;
}

2600
static int start_discovery(struct sock *sk, struct hci_dev *hdev,
2601
			   void *data, u16 len)
2602
{
2603
	struct mgmt_cp_start_discovery *cp = data;
2604 2605 2606
	struct pending_cmd *cmd;
	int err;

2607
	BT_DBG("%s", hdev->name);
2608

2609
	hci_dev_lock(hdev);
2610

2611
	if (!hdev_is_powered(hdev)) {
2612
		err = cmd_status(sk, hdev->id, MGMT_OP_START_DISCOVERY,
2613
				 MGMT_STATUS_NOT_POWERED);
2614 2615 2616
		goto failed;
	}

2617 2618 2619 2620 2621 2622
	if (test_bit(HCI_PERIODIC_INQ, &hdev->dev_flags)) {
		err = cmd_status(sk, hdev->id, MGMT_OP_START_DISCOVERY,
				 MGMT_STATUS_BUSY);
		goto failed;
	}

2623
	if (hdev->discovery.state != DISCOVERY_STOPPED) {
2624
		err = cmd_status(sk, hdev->id, MGMT_OP_START_DISCOVERY,
2625
				 MGMT_STATUS_BUSY);
2626 2627 2628
		goto failed;
	}

2629
	cmd = mgmt_pending_add(sk, MGMT_OP_START_DISCOVERY, hdev, NULL, 0);
2630 2631 2632 2633 2634
	if (!cmd) {
		err = -ENOMEM;
		goto failed;
	}

A
Andre Guedes 已提交
2635 2636 2637
	hdev->discovery.type = cp->type;

	switch (hdev->discovery.type) {
2638
	case DISCOV_TYPE_BREDR:
2639 2640 2641 2642 2643 2644 2645 2646
		if (!lmp_bredr_capable(hdev)) {
			err = cmd_status(sk, hdev->id, MGMT_OP_START_DISCOVERY,
					 MGMT_STATUS_NOT_SUPPORTED);
			mgmt_pending_remove(cmd);
			goto failed;
		}

		err = hci_do_inquiry(hdev, INQUIRY_LEN_BREDR);
2647 2648 2649
		break;

	case DISCOV_TYPE_LE:
2650 2651 2652 2653 2654 2655 2656 2657 2658
		if (!lmp_host_le_capable(hdev)) {
			err = cmd_status(sk, hdev->id, MGMT_OP_START_DISCOVERY,
					 MGMT_STATUS_NOT_SUPPORTED);
			mgmt_pending_remove(cmd);
			goto failed;
		}

		err = hci_le_scan(hdev, LE_SCAN_TYPE, LE_SCAN_INT,
				  LE_SCAN_WIN, LE_SCAN_TIMEOUT_LE_ONLY);
2659 2660
		break;

2661
	case DISCOV_TYPE_INTERLEAVED:
2662 2663 2664 2665 2666 2667 2668 2669 2670
		if (!lmp_host_le_capable(hdev) || !lmp_bredr_capable(hdev)) {
			err = cmd_status(sk, hdev->id, MGMT_OP_START_DISCOVERY,
					 MGMT_STATUS_NOT_SUPPORTED);
			mgmt_pending_remove(cmd);
			goto failed;
		}

		err = hci_le_scan(hdev, LE_SCAN_TYPE, LE_SCAN_INT, LE_SCAN_WIN,
				  LE_SCAN_TIMEOUT_BREDR_LE);
2671 2672
		break;

2673
	default:
2674 2675 2676 2677
		err = cmd_status(sk, hdev->id, MGMT_OP_START_DISCOVERY,
				 MGMT_STATUS_INVALID_PARAMS);
		mgmt_pending_remove(cmd);
		goto failed;
2678
	}
2679

2680 2681
	if (err < 0)
		mgmt_pending_remove(cmd);
2682 2683
	else
		hci_discovery_set_state(hdev, DISCOVERY_STARTING);
2684 2685

failed:
2686
	hci_dev_unlock(hdev);
2687 2688 2689
	return err;
}

2690
static int stop_discovery(struct sock *sk, struct hci_dev *hdev, void *data,
2691
			  u16 len)
2692
{
2693
	struct mgmt_cp_stop_discovery *mgmt_cp = data;
2694
	struct pending_cmd *cmd;
2695 2696
	struct hci_cp_remote_name_req_cancel cp;
	struct inquiry_entry *e;
2697 2698
	int err;

2699
	BT_DBG("%s", hdev->name);
2700

2701
	hci_dev_lock(hdev);
2702

2703
	if (!hci_discovery_active(hdev)) {
2704
		err = cmd_complete(sk, hdev->id, MGMT_OP_STOP_DISCOVERY,
2705 2706
				   MGMT_STATUS_REJECTED, &mgmt_cp->type,
				   sizeof(mgmt_cp->type));
2707 2708 2709 2710
		goto unlock;
	}

	if (hdev->discovery.type != mgmt_cp->type) {
2711
		err = cmd_complete(sk, hdev->id, MGMT_OP_STOP_DISCOVERY,
2712 2713
				   MGMT_STATUS_INVALID_PARAMS, &mgmt_cp->type,
				   sizeof(mgmt_cp->type));
2714
		goto unlock;
2715 2716
	}

2717
	cmd = mgmt_pending_add(sk, MGMT_OP_STOP_DISCOVERY, hdev, NULL, 0);
2718 2719
	if (!cmd) {
		err = -ENOMEM;
2720 2721 2722
		goto unlock;
	}

2723 2724
	switch (hdev->discovery.state) {
	case DISCOVERY_FINDING:
2725 2726 2727 2728 2729
		if (test_bit(HCI_INQUIRY, &hdev->flags))
			err = hci_cancel_inquiry(hdev);
		else
			err = hci_cancel_le_scan(hdev);

2730 2731 2732 2733
		break;

	case DISCOVERY_RESOLVING:
		e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY,
2734
						     NAME_PENDING);
2735
		if (!e) {
2736
			mgmt_pending_remove(cmd);
2737 2738 2739 2740 2741 2742 2743
			err = cmd_complete(sk, hdev->id,
					   MGMT_OP_STOP_DISCOVERY, 0,
					   &mgmt_cp->type,
					   sizeof(mgmt_cp->type));
			hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
			goto unlock;
		}
2744

2745 2746 2747 2748 2749 2750 2751 2752 2753
		bacpy(&cp.bdaddr, &e->data.bdaddr);
		err = hci_send_cmd(hdev, HCI_OP_REMOTE_NAME_REQ_CANCEL,
				   sizeof(cp), &cp);

		break;

	default:
		BT_DBG("unknown discovery state %u", hdev->discovery.state);
		err = -EFAULT;
2754 2755 2756 2757
	}

	if (err < 0)
		mgmt_pending_remove(cmd);
2758 2759
	else
		hci_discovery_set_state(hdev, DISCOVERY_STOPPING);
2760

2761
unlock:
2762
	hci_dev_unlock(hdev);
2763 2764 2765
	return err;
}

2766
static int confirm_name(struct sock *sk, struct hci_dev *hdev, void *data,
2767
			u16 len)
2768
{
2769
	struct mgmt_cp_confirm_name *cp = data;
2770 2771 2772
	struct inquiry_entry *e;
	int err;

2773
	BT_DBG("%s", hdev->name);
2774 2775 2776

	hci_dev_lock(hdev);

2777
	if (!hci_discovery_active(hdev)) {
2778
		err = cmd_status(sk, hdev->id, MGMT_OP_CONFIRM_NAME,
2779
				 MGMT_STATUS_FAILED);
2780 2781 2782
		goto failed;
	}

2783
	e = hci_inquiry_cache_lookup_unknown(hdev, &cp->addr.bdaddr);
2784
	if (!e) {
2785
		err = cmd_status(sk, hdev->id, MGMT_OP_CONFIRM_NAME,
2786
				 MGMT_STATUS_INVALID_PARAMS);
2787 2788 2789 2790 2791 2792 2793 2794
		goto failed;
	}

	if (cp->name_known) {
		e->name_state = NAME_KNOWN;
		list_del(&e->list);
	} else {
		e->name_state = NAME_NEEDED;
2795
		hci_inquiry_cache_update_resolve(hdev, e);
2796 2797
	}

2798 2799
	err = cmd_complete(sk, hdev->id, MGMT_OP_CONFIRM_NAME, 0, &cp->addr,
			   sizeof(cp->addr));
2800 2801 2802 2803 2804 2805

failed:
	hci_dev_unlock(hdev);
	return err;
}

2806
static int block_device(struct sock *sk, struct hci_dev *hdev, void *data,
2807
			u16 len)
2808
{
2809
	struct mgmt_cp_block_device *cp = data;
2810
	u8 status;
2811 2812
	int err;

2813
	BT_DBG("%s", hdev->name);
2814

2815
	if (!bdaddr_type_is_valid(cp->addr.type))
2816 2817 2818
		return cmd_complete(sk, hdev->id, MGMT_OP_BLOCK_DEVICE,
				    MGMT_STATUS_INVALID_PARAMS,
				    &cp->addr, sizeof(cp->addr));
2819

2820
	hci_dev_lock(hdev);
2821

2822
	err = hci_blacklist_add(hdev, &cp->addr.bdaddr, cp->addr.type);
2823
	if (err < 0)
2824
		status = MGMT_STATUS_FAILED;
2825
	else
2826
		status = MGMT_STATUS_SUCCESS;
2827

2828
	err = cmd_complete(sk, hdev->id, MGMT_OP_BLOCK_DEVICE, status,
2829
			   &cp->addr, sizeof(cp->addr));
2830

2831
	hci_dev_unlock(hdev);
2832 2833 2834 2835

	return err;
}

2836
static int unblock_device(struct sock *sk, struct hci_dev *hdev, void *data,
2837
			  u16 len)
2838
{
2839
	struct mgmt_cp_unblock_device *cp = data;
2840
	u8 status;
2841 2842
	int err;

2843
	BT_DBG("%s", hdev->name);
2844

2845
	if (!bdaddr_type_is_valid(cp->addr.type))
2846 2847 2848
		return cmd_complete(sk, hdev->id, MGMT_OP_UNBLOCK_DEVICE,
				    MGMT_STATUS_INVALID_PARAMS,
				    &cp->addr, sizeof(cp->addr));
2849

2850
	hci_dev_lock(hdev);
2851

2852
	err = hci_blacklist_del(hdev, &cp->addr.bdaddr, cp->addr.type);
2853
	if (err < 0)
2854
		status = MGMT_STATUS_INVALID_PARAMS;
2855
	else
2856
		status = MGMT_STATUS_SUCCESS;
2857

2858
	err = cmd_complete(sk, hdev->id, MGMT_OP_UNBLOCK_DEVICE, status,
2859
			   &cp->addr, sizeof(cp->addr));
2860

2861
	hci_dev_unlock(hdev);
2862 2863 2864 2865

	return err;
}

2866 2867 2868 2869
static int set_device_id(struct sock *sk, struct hci_dev *hdev, void *data,
			 u16 len)
{
	struct mgmt_cp_set_device_id *cp = data;
2870
	struct hci_request req;
2871
	int err;
2872
	__u16 source;
2873 2874 2875

	BT_DBG("%s", hdev->name);

2876 2877 2878 2879 2880 2881
	source = __le16_to_cpu(cp->source);

	if (source > 0x0002)
		return cmd_status(sk, hdev->id, MGMT_OP_SET_DEVICE_ID,
				  MGMT_STATUS_INVALID_PARAMS);

2882 2883
	hci_dev_lock(hdev);

2884
	hdev->devid_source = source;
2885 2886 2887 2888 2889 2890
	hdev->devid_vendor = __le16_to_cpu(cp->vendor);
	hdev->devid_product = __le16_to_cpu(cp->product);
	hdev->devid_version = __le16_to_cpu(cp->version);

	err = cmd_complete(sk, hdev->id, MGMT_OP_SET_DEVICE_ID, 0, NULL, 0);

2891 2892 2893
	hci_req_init(&req, hdev);
	update_eir(&req);
	hci_req_run(&req, NULL);
2894 2895 2896 2897 2898 2899

	hci_dev_unlock(hdev);

	return err;
}

2900 2901 2902 2903 2904 2905 2906 2907 2908 2909 2910 2911 2912 2913 2914 2915 2916 2917 2918 2919 2920 2921 2922 2923 2924 2925
static void fast_connectable_complete(struct hci_dev *hdev, u8 status)
{
	struct pending_cmd *cmd;

	BT_DBG("status 0x%02x", status);

	hci_dev_lock(hdev);

	cmd = mgmt_pending_find(MGMT_OP_SET_FAST_CONNECTABLE, hdev);
	if (!cmd)
		goto unlock;

	if (status) {
		cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
			   mgmt_status(status));
	} else {
		send_settings_rsp(cmd->sk, MGMT_OP_SET_FAST_CONNECTABLE, hdev);
		new_settings(hdev, cmd->sk);
	}

	mgmt_pending_remove(cmd);

unlock:
	hci_dev_unlock(hdev);
}

2926
static int set_fast_connectable(struct sock *sk, struct hci_dev *hdev,
2927
				void *data, u16 len)
2928
{
2929
	struct mgmt_mode *cp = data;
2930
	struct hci_cp_write_page_scan_activity acp;
2931 2932
	struct pending_cmd *cmd;
	struct hci_request req;
2933 2934 2935
	u8 type;
	int err;

2936
	BT_DBG("%s", hdev->name);
2937

2938
	if (!lmp_bredr_capable(hdev) || hdev->hci_ver < BLUETOOTH_VER_1_2)
2939 2940 2941
		return cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
				  MGMT_STATUS_NOT_SUPPORTED);

2942 2943 2944 2945
	if (cp->val != 0x00 && cp->val != 0x01)
		return cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
				  MGMT_STATUS_INVALID_PARAMS);

2946
	if (!hdev_is_powered(hdev))
2947
		return cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
2948
				  MGMT_STATUS_NOT_POWERED);
2949 2950

	if (!test_bit(HCI_CONNECTABLE, &hdev->dev_flags))
2951
		return cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
2952
				  MGMT_STATUS_REJECTED);
2953 2954 2955

	hci_dev_lock(hdev);

2956
	if (cp->val) {
2957
		type = PAGE_SCAN_TYPE_INTERLACED;
2958

2959 2960
		/* 160 msec page scan interval */
		acp.interval = __constant_cpu_to_le16(0x0100);
2961 2962
	} else {
		type = PAGE_SCAN_TYPE_STANDARD;	/* default */
2963 2964 2965

		/* default 1.28 sec page scan */
		acp.interval = __constant_cpu_to_le16(0x0800);
2966 2967
	}

2968 2969
	/* default 11.25 msec page scan window */
	acp.window = __constant_cpu_to_le16(0x0012);
2970

2971 2972 2973 2974 2975
	cmd = mgmt_pending_add(sk, MGMT_OP_SET_FAST_CONNECTABLE, hdev,
			       data, len);
	if (!cmd) {
		err = -ENOMEM;
		goto unlock;
2976 2977
	}

2978 2979 2980 2981 2982 2983
	hci_req_init(&req, hdev);

	hci_req_add(&req, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY, sizeof(acp), &acp);
	hci_req_add(&req, HCI_OP_WRITE_PAGE_SCAN_TYPE, 1, &type);

	err = hci_req_run(&req, fast_connectable_complete);
2984
	if (err < 0) {
2985
		err = cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
2986
				 MGMT_STATUS_FAILED);
2987
		mgmt_pending_remove(cmd);
2988 2989
	}

2990
unlock:
2991
	hci_dev_unlock(hdev);
2992

2993 2994 2995
	return err;
}

2996 2997
static bool ltk_is_valid(struct mgmt_ltk_info *key)
{
2998 2999
	if (key->authenticated != 0x00 && key->authenticated != 0x01)
		return false;
3000 3001
	if (key->master != 0x00 && key->master != 0x01)
		return false;
3002 3003
	if (!bdaddr_type_is_le(key->addr.type))
		return false;
3004 3005 3006
	return true;
}

3007
static int load_long_term_keys(struct sock *sk, struct hci_dev *hdev,
3008
			       void *cp_data, u16 len)
3009 3010 3011
{
	struct mgmt_cp_load_long_term_keys *cp = cp_data;
	u16 key_count, expected_len;
3012
	int i, err;
3013

3014
	key_count = __le16_to_cpu(cp->key_count);
3015 3016 3017 3018 3019

	expected_len = sizeof(*cp) + key_count *
					sizeof(struct mgmt_ltk_info);
	if (expected_len != len) {
		BT_ERR("load_keys: expected %u bytes, got %u bytes",
3020
		       len, expected_len);
3021
		return cmd_status(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS,
3022
				  MGMT_STATUS_INVALID_PARAMS);
3023 3024
	}

3025
	BT_DBG("%s key_count %u", hdev->name, key_count);
3026

3027 3028 3029
	for (i = 0; i < key_count; i++) {
		struct mgmt_ltk_info *key = &cp->keys[i];

3030
		if (!ltk_is_valid(key))
3031 3032 3033 3034 3035
			return cmd_status(sk, hdev->id,
					  MGMT_OP_LOAD_LONG_TERM_KEYS,
					  MGMT_STATUS_INVALID_PARAMS);
	}

3036 3037 3038 3039 3040 3041 3042 3043 3044 3045 3046 3047 3048
	hci_dev_lock(hdev);

	hci_smp_ltks_clear(hdev);

	for (i = 0; i < key_count; i++) {
		struct mgmt_ltk_info *key = &cp->keys[i];
		u8 type;

		if (key->master)
			type = HCI_SMP_LTK;
		else
			type = HCI_SMP_LTK_SLAVE;

3049
		hci_add_ltk(hdev, &key->addr.bdaddr,
3050
			    bdaddr_to_le(key->addr.type),
3051 3052
			    type, 0, key->authenticated, key->val,
			    key->enc_size, key->ediv, key->rand);
3053 3054
	}

3055 3056 3057
	err = cmd_complete(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS, 0,
			   NULL, 0);

3058 3059
	hci_dev_unlock(hdev);

3060
	return err;
3061 3062
}

3063
static const struct mgmt_handler {
3064 3065
	int (*func) (struct sock *sk, struct hci_dev *hdev, void *data,
		     u16 data_len);
3066 3067
	bool var_len;
	size_t data_len;
3068 3069
} mgmt_handlers[] = {
	{ NULL }, /* 0x0000 (no command) */
3070 3071 3072 3073 3074 3075 3076 3077 3078 3079 3080 3081 3082 3083 3084 3085 3086 3087 3088 3089 3090 3091 3092 3093 3094 3095 3096 3097 3098 3099 3100 3101 3102 3103 3104 3105 3106 3107 3108
	{ read_version,           false, MGMT_READ_VERSION_SIZE },
	{ read_commands,          false, MGMT_READ_COMMANDS_SIZE },
	{ read_index_list,        false, MGMT_READ_INDEX_LIST_SIZE },
	{ read_controller_info,   false, MGMT_READ_INFO_SIZE },
	{ set_powered,            false, MGMT_SETTING_SIZE },
	{ set_discoverable,       false, MGMT_SET_DISCOVERABLE_SIZE },
	{ set_connectable,        false, MGMT_SETTING_SIZE },
	{ set_fast_connectable,   false, MGMT_SETTING_SIZE },
	{ set_pairable,           false, MGMT_SETTING_SIZE },
	{ set_link_security,      false, MGMT_SETTING_SIZE },
	{ set_ssp,                false, MGMT_SETTING_SIZE },
	{ set_hs,                 false, MGMT_SETTING_SIZE },
	{ set_le,                 false, MGMT_SETTING_SIZE },
	{ set_dev_class,          false, MGMT_SET_DEV_CLASS_SIZE },
	{ set_local_name,         false, MGMT_SET_LOCAL_NAME_SIZE },
	{ add_uuid,               false, MGMT_ADD_UUID_SIZE },
	{ remove_uuid,            false, MGMT_REMOVE_UUID_SIZE },
	{ load_link_keys,         true,  MGMT_LOAD_LINK_KEYS_SIZE },
	{ load_long_term_keys,    true,  MGMT_LOAD_LONG_TERM_KEYS_SIZE },
	{ disconnect,             false, MGMT_DISCONNECT_SIZE },
	{ get_connections,        false, MGMT_GET_CONNECTIONS_SIZE },
	{ pin_code_reply,         false, MGMT_PIN_CODE_REPLY_SIZE },
	{ pin_code_neg_reply,     false, MGMT_PIN_CODE_NEG_REPLY_SIZE },
	{ set_io_capability,      false, MGMT_SET_IO_CAPABILITY_SIZE },
	{ pair_device,            false, MGMT_PAIR_DEVICE_SIZE },
	{ cancel_pair_device,     false, MGMT_CANCEL_PAIR_DEVICE_SIZE },
	{ unpair_device,          false, MGMT_UNPAIR_DEVICE_SIZE },
	{ user_confirm_reply,     false, MGMT_USER_CONFIRM_REPLY_SIZE },
	{ user_confirm_neg_reply, false, MGMT_USER_CONFIRM_NEG_REPLY_SIZE },
	{ user_passkey_reply,     false, MGMT_USER_PASSKEY_REPLY_SIZE },
	{ user_passkey_neg_reply, false, MGMT_USER_PASSKEY_NEG_REPLY_SIZE },
	{ read_local_oob_data,    false, MGMT_READ_LOCAL_OOB_DATA_SIZE },
	{ add_remote_oob_data,    false, MGMT_ADD_REMOTE_OOB_DATA_SIZE },
	{ remove_remote_oob_data, false, MGMT_REMOVE_REMOTE_OOB_DATA_SIZE },
	{ start_discovery,        false, MGMT_START_DISCOVERY_SIZE },
	{ stop_discovery,         false, MGMT_STOP_DISCOVERY_SIZE },
	{ confirm_name,           false, MGMT_CONFIRM_NAME_SIZE },
	{ block_device,           false, MGMT_BLOCK_DEVICE_SIZE },
	{ unblock_device,         false, MGMT_UNBLOCK_DEVICE_SIZE },
3109
	{ set_device_id,          false, MGMT_SET_DEVICE_ID_SIZE },
3110 3111 3112
};


3113 3114
int mgmt_control(struct sock *sk, struct msghdr *msg, size_t msglen)
{
3115 3116
	void *buf;
	u8 *cp;
3117
	struct mgmt_hdr *hdr;
3118
	u16 opcode, index, len;
3119
	struct hci_dev *hdev = NULL;
3120
	const struct mgmt_handler *handler;
3121 3122 3123 3124 3125 3126 3127
	int err;

	BT_DBG("got %zu bytes", msglen);

	if (msglen < sizeof(*hdr))
		return -EINVAL;

3128
	buf = kmalloc(msglen, GFP_KERNEL);
3129 3130 3131 3132 3133 3134 3135 3136
	if (!buf)
		return -ENOMEM;

	if (memcpy_fromiovec(buf, msg->msg_iov, msglen)) {
		err = -EFAULT;
		goto done;
	}

3137
	hdr = buf;
3138 3139 3140
	opcode = __le16_to_cpu(hdr->opcode);
	index = __le16_to_cpu(hdr->index);
	len = __le16_to_cpu(hdr->len);
3141 3142 3143 3144 3145 3146

	if (len != msglen - sizeof(*hdr)) {
		err = -EINVAL;
		goto done;
	}

3147
	if (index != MGMT_INDEX_NONE) {
3148 3149 3150
		hdev = hci_dev_get(index);
		if (!hdev) {
			err = cmd_status(sk, index, opcode,
3151
					 MGMT_STATUS_INVALID_INDEX);
3152 3153 3154 3155
			goto done;
		}
	}

3156
	if (opcode >= ARRAY_SIZE(mgmt_handlers) ||
3157
	    mgmt_handlers[opcode].func == NULL) {
3158
		BT_DBG("Unknown op %u", opcode);
3159
		err = cmd_status(sk, index, opcode,
3160
				 MGMT_STATUS_UNKNOWN_COMMAND);
3161 3162 3163 3164
		goto done;
	}

	if ((hdev && opcode < MGMT_OP_READ_INFO) ||
3165
	    (!hdev && opcode >= MGMT_OP_READ_INFO)) {
3166
		err = cmd_status(sk, index, opcode,
3167
				 MGMT_STATUS_INVALID_INDEX);
3168
		goto done;
3169 3170
	}

3171 3172 3173
	handler = &mgmt_handlers[opcode];

	if ((handler->var_len && len < handler->data_len) ||
3174
	    (!handler->var_len && len != handler->data_len)) {
3175
		err = cmd_status(sk, index, opcode,
3176
				 MGMT_STATUS_INVALID_PARAMS);
3177 3178 3179
		goto done;
	}

3180 3181 3182 3183 3184
	if (hdev)
		mgmt_init_hdev(sk, hdev);

	cp = buf + sizeof(*hdr);

3185
	err = handler->func(sk, hdev, cp, len);
3186 3187 3188
	if (err < 0)
		goto done;

3189 3190 3191
	err = msglen;

done:
3192 3193 3194
	if (hdev)
		hci_dev_put(hdev);

3195 3196 3197
	kfree(buf);
	return err;
}
3198

3199 3200 3201 3202 3203 3204 3205 3206
static void cmd_status_rsp(struct pending_cmd *cmd, void *data)
{
	u8 *status = data;

	cmd_status(cmd->sk, cmd->index, cmd->opcode, *status);
	mgmt_pending_remove(cmd);
}

3207
int mgmt_index_added(struct hci_dev *hdev)
3208
{
3209 3210 3211
	if (!mgmt_valid_hdev(hdev))
		return -ENOTSUPP;

3212
	return mgmt_event(MGMT_EV_INDEX_ADDED, hdev, NULL, 0, NULL);
3213 3214
}

3215
int mgmt_index_removed(struct hci_dev *hdev)
3216
{
3217
	u8 status = MGMT_STATUS_INVALID_INDEX;
3218

3219 3220 3221
	if (!mgmt_valid_hdev(hdev))
		return -ENOTSUPP;

3222
	mgmt_pending_foreach(0, hdev, cmd_status_rsp, &status);
3223

3224
	return mgmt_event(MGMT_EV_INDEX_REMOVED, hdev, NULL, 0, NULL);
3225 3226
}

3227
struct cmd_lookup {
3228
	struct sock *sk;
3229
	struct hci_dev *hdev;
3230
	u8 mgmt_status;
3231 3232
};

3233
static void settings_rsp(struct pending_cmd *cmd, void *data)
3234
{
3235
	struct cmd_lookup *match = data;
3236

3237
	send_settings_rsp(cmd->sk, cmd->opcode, match->hdev);
3238 3239 3240 3241 3242 3243 3244 3245 3246

	list_del(&cmd->list);

	if (match->sk == NULL) {
		match->sk = cmd->sk;
		sock_hold(match->sk);
	}

	mgmt_pending_free(cmd);
3247
}
3248

3249
static void set_bredr_scan(struct hci_request *req)
3250
{
3251
	struct hci_dev *hdev = req->hdev;
3252 3253 3254 3255 3256 3257 3258
	u8 scan = 0;

	if (test_bit(HCI_CONNECTABLE, &hdev->dev_flags))
		scan |= SCAN_PAGE;
	if (test_bit(HCI_DISCOVERABLE, &hdev->dev_flags))
		scan |= SCAN_INQUIRY;

3259 3260
	if (scan)
		hci_req_add(req, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
3261 3262
}

3263 3264 3265 3266 3267 3268 3269 3270 3271 3272 3273 3274 3275 3276 3277 3278 3279 3280
static void powered_complete(struct hci_dev *hdev, u8 status)
{
	struct cmd_lookup match = { NULL, hdev };

	BT_DBG("status 0x%02x", status);

	hci_dev_lock(hdev);

	mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp, &match);

	new_settings(hdev, match.sk);

	hci_dev_unlock(hdev);

	if (match.sk)
		sock_put(match.sk);
}

3281
static int powered_update_hci(struct hci_dev *hdev)
3282
{
3283
	struct hci_request req;
3284
	u8 link_sec;
3285

3286 3287
	hci_req_init(&req, hdev);

3288 3289 3290
	if (test_bit(HCI_SSP_ENABLED, &hdev->dev_flags) &&
	    !lmp_host_ssp_capable(hdev)) {
		u8 ssp = 1;
3291

3292
		hci_req_add(&req, HCI_OP_WRITE_SSP_MODE, 1, &ssp);
3293
	}
3294

3295 3296
	if (test_bit(HCI_LE_ENABLED, &hdev->dev_flags)) {
		struct hci_cp_write_le_host_supported cp;
3297

3298 3299
		cp.le = 1;
		cp.simul = lmp_le_br_capable(hdev);
3300

3301 3302 3303 3304 3305
		/* Check first if we already have the right
		 * host state (host features set)
		 */
		if (cp.le != lmp_host_le_capable(hdev) ||
		    cp.simul != lmp_host_le_br_capable(hdev))
3306 3307
			hci_req_add(&req, HCI_OP_WRITE_LE_HOST_SUPPORTED,
				    sizeof(cp), &cp);
3308
	}
3309

3310 3311
	link_sec = test_bit(HCI_LINK_SECURITY, &hdev->dev_flags);
	if (link_sec != test_bit(HCI_AUTH, &hdev->flags))
3312 3313
		hci_req_add(&req, HCI_OP_WRITE_AUTH_ENABLE,
			    sizeof(link_sec), &link_sec);
3314

3315
	if (lmp_bredr_capable(hdev)) {
3316 3317
		set_bredr_scan(&req);
		update_class(&req);
3318
		update_name(&req);
3319
		update_eir(&req);
3320
	}
3321

3322
	return hci_req_run(&req, powered_complete);
3323
}
3324

3325 3326 3327
int mgmt_powered(struct hci_dev *hdev, u8 powered)
{
	struct cmd_lookup match = { NULL, hdev };
3328 3329
	u8 status_not_powered = MGMT_STATUS_NOT_POWERED;
	u8 zero_cod[] = { 0, 0, 0 };
3330
	int err;
3331

3332 3333 3334 3335
	if (!test_bit(HCI_MGMT, &hdev->dev_flags))
		return 0;

	if (powered) {
3336 3337
		if (powered_update_hci(hdev) == 0)
			return 0;
3338

3339 3340 3341
		mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp,
				     &match);
		goto new_settings;
3342 3343
	}

3344 3345 3346 3347 3348 3349 3350 3351
	mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp, &match);
	mgmt_pending_foreach(0, hdev, cmd_status_rsp, &status_not_powered);

	if (memcmp(hdev->dev_class, zero_cod, sizeof(zero_cod)) != 0)
		mgmt_event(MGMT_EV_CLASS_OF_DEV_CHANGED, hdev,
			   zero_cod, sizeof(zero_cod), NULL);

new_settings:
3352
	err = new_settings(hdev, match.sk);
3353 3354 3355 3356

	if (match.sk)
		sock_put(match.sk);

3357
	return err;
3358
}
3359

3360
int mgmt_discoverable(struct hci_dev *hdev, u8 discoverable)
3361
{
3362
	struct cmd_lookup match = { NULL, hdev };
3363 3364
	bool changed = false;
	int err = 0;
3365

3366 3367 3368 3369 3370 3371 3372
	if (discoverable) {
		if (!test_and_set_bit(HCI_DISCOVERABLE, &hdev->dev_flags))
			changed = true;
	} else {
		if (test_and_clear_bit(HCI_DISCOVERABLE, &hdev->dev_flags))
			changed = true;
	}
3373

3374
	mgmt_pending_foreach(MGMT_OP_SET_DISCOVERABLE, hdev, settings_rsp,
3375
			     &match);
3376

3377 3378
	if (changed)
		err = new_settings(hdev, match.sk);
3379

3380 3381 3382
	if (match.sk)
		sock_put(match.sk);

3383
	return err;
3384
}
3385

3386
int mgmt_connectable(struct hci_dev *hdev, u8 connectable)
3387
{
3388
	struct pending_cmd *cmd;
3389 3390
	bool changed = false;
	int err = 0;
3391

3392 3393 3394 3395 3396 3397 3398
	if (connectable) {
		if (!test_and_set_bit(HCI_CONNECTABLE, &hdev->dev_flags))
			changed = true;
	} else {
		if (test_and_clear_bit(HCI_CONNECTABLE, &hdev->dev_flags))
			changed = true;
	}
3399

3400
	cmd = mgmt_pending_find(MGMT_OP_SET_CONNECTABLE, hdev);
3401

3402
	if (changed)
3403
		err = new_settings(hdev, cmd ? cmd->sk : NULL);
3404

3405
	return err;
3406
}
3407

3408
int mgmt_write_scan_failed(struct hci_dev *hdev, u8 scan, u8 status)
3409
{
3410 3411
	u8 mgmt_err = mgmt_status(status);

3412
	if (scan & SCAN_PAGE)
3413
		mgmt_pending_foreach(MGMT_OP_SET_CONNECTABLE, hdev,
3414
				     cmd_status_rsp, &mgmt_err);
3415 3416

	if (scan & SCAN_INQUIRY)
3417
		mgmt_pending_foreach(MGMT_OP_SET_DISCOVERABLE, hdev,
3418
				     cmd_status_rsp, &mgmt_err);
3419 3420 3421 3422

	return 0;
}

3423 3424
int mgmt_new_link_key(struct hci_dev *hdev, struct link_key *key,
		      bool persistent)
3425
{
3426
	struct mgmt_ev_new_link_key ev;
3427

3428
	memset(&ev, 0, sizeof(ev));
3429

3430
	ev.store_hint = persistent;
3431
	bacpy(&ev.key.addr.bdaddr, &key->bdaddr);
3432
	ev.key.addr.type = BDADDR_BREDR;
3433
	ev.key.type = key->type;
3434
	memcpy(ev.key.val, key->val, HCI_LINK_KEY_SIZE);
3435
	ev.key.pin_len = key->pin_len;
3436

3437
	return mgmt_event(MGMT_EV_NEW_LINK_KEY, hdev, &ev, sizeof(ev), NULL);
3438
}
3439

3440 3441 3442 3443 3444 3445 3446 3447
int mgmt_new_ltk(struct hci_dev *hdev, struct smp_ltk *key, u8 persistent)
{
	struct mgmt_ev_new_long_term_key ev;

	memset(&ev, 0, sizeof(ev));

	ev.store_hint = persistent;
	bacpy(&ev.key.addr.bdaddr, &key->bdaddr);
3448
	ev.key.addr.type = link_to_bdaddr(LE_LINK, key->bdaddr_type);
3449 3450 3451 3452 3453 3454 3455 3456 3457 3458
	ev.key.authenticated = key->authenticated;
	ev.key.enc_size = key->enc_size;
	ev.key.ediv = key->ediv;

	if (key->type == HCI_SMP_LTK)
		ev.key.master = 1;

	memcpy(ev.key.rand, key->rand, sizeof(key->rand));
	memcpy(ev.key.val, key->val, sizeof(key->val));

3459 3460
	return mgmt_event(MGMT_EV_NEW_LONG_TERM_KEY, hdev, &ev, sizeof(ev),
			  NULL);
3461 3462
}

3463
int mgmt_device_connected(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
3464 3465
			  u8 addr_type, u32 flags, u8 *name, u8 name_len,
			  u8 *dev_class)
3466
{
3467 3468 3469
	char buf[512];
	struct mgmt_ev_device_connected *ev = (void *) buf;
	u16 eir_len = 0;
3470

3471
	bacpy(&ev->addr.bdaddr, bdaddr);
3472
	ev->addr.type = link_to_bdaddr(link_type, addr_type);
3473

3474
	ev->flags = __cpu_to_le32(flags);
3475

3476 3477
	if (name_len > 0)
		eir_len = eir_append_data(ev->eir, 0, EIR_NAME_COMPLETE,
3478
					  name, name_len);
3479 3480

	if (dev_class && memcmp(dev_class, "\0\0\0", 3) != 0)
3481
		eir_len = eir_append_data(ev->eir, eir_len,
3482
					  EIR_CLASS_OF_DEV, dev_class, 3);
3483

3484
	ev->eir_len = cpu_to_le16(eir_len);
3485 3486

	return mgmt_event(MGMT_EV_DEVICE_CONNECTED, hdev, buf,
3487
			  sizeof(*ev) + eir_len, NULL);
3488 3489
}

3490 3491
static void disconnect_rsp(struct pending_cmd *cmd, void *data)
{
3492
	struct mgmt_cp_disconnect *cp = cmd->param;
3493
	struct sock **sk = data;
3494
	struct mgmt_rp_disconnect rp;
3495

3496 3497
	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
	rp.addr.type = cp->addr.type;
3498

3499
	cmd_complete(cmd->sk, cmd->index, MGMT_OP_DISCONNECT, 0, &rp,
3500
		     sizeof(rp));
3501 3502 3503 3504

	*sk = cmd->sk;
	sock_hold(*sk);

3505
	mgmt_pending_remove(cmd);
3506 3507
}

3508
static void unpair_device_rsp(struct pending_cmd *cmd, void *data)
3509
{
3510
	struct hci_dev *hdev = data;
3511 3512
	struct mgmt_cp_unpair_device *cp = cmd->param;
	struct mgmt_rp_unpair_device rp;
3513 3514

	memset(&rp, 0, sizeof(rp));
3515 3516
	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
	rp.addr.type = cp->addr.type;
3517

3518 3519
	device_unpaired(hdev, &cp->addr.bdaddr, cp->addr.type, cmd->sk);

3520
	cmd_complete(cmd->sk, cmd->index, cmd->opcode, 0, &rp, sizeof(rp));
3521 3522 3523 3524

	mgmt_pending_remove(cmd);
}

3525
int mgmt_device_disconnected(struct hci_dev *hdev, bdaddr_t *bdaddr,
3526
			     u8 link_type, u8 addr_type, u8 reason)
3527
{
3528
	struct mgmt_ev_device_disconnected ev;
3529 3530 3531
	struct sock *sk = NULL;
	int err;

3532
	mgmt_pending_foreach(MGMT_OP_DISCONNECT, hdev, disconnect_rsp, &sk);
3533

3534 3535 3536
	bacpy(&ev.addr.bdaddr, bdaddr);
	ev.addr.type = link_to_bdaddr(link_type, addr_type);
	ev.reason = reason;
3537

3538
	err = mgmt_event(MGMT_EV_DEVICE_DISCONNECTED, hdev, &ev, sizeof(ev),
3539
			 sk);
3540 3541

	if (sk)
3542
		sock_put(sk);
3543

3544
	mgmt_pending_foreach(MGMT_OP_UNPAIR_DEVICE, hdev, unpair_device_rsp,
3545
			     hdev);
3546

3547 3548 3549
	return err;
}

3550
int mgmt_disconnect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr,
3551
			   u8 link_type, u8 addr_type, u8 status)
3552
{
3553
	struct mgmt_rp_disconnect rp;
3554 3555 3556
	struct pending_cmd *cmd;
	int err;

3557 3558 3559
	mgmt_pending_foreach(MGMT_OP_UNPAIR_DEVICE, hdev, unpair_device_rsp,
			     hdev);

3560
	cmd = mgmt_pending_find(MGMT_OP_DISCONNECT, hdev);
3561 3562 3563
	if (!cmd)
		return -ENOENT;

3564
	bacpy(&rp.addr.bdaddr, bdaddr);
3565
	rp.addr.type = link_to_bdaddr(link_type, addr_type);
3566

3567
	err = cmd_complete(cmd->sk, cmd->index, MGMT_OP_DISCONNECT,
3568
			   mgmt_status(status), &rp, sizeof(rp));
3569

3570
	mgmt_pending_remove(cmd);
3571 3572

	return err;
3573
}
3574

3575
int mgmt_connect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
3576
			u8 addr_type, u8 status)
3577 3578 3579
{
	struct mgmt_ev_connect_failed ev;

3580
	bacpy(&ev.addr.bdaddr, bdaddr);
3581
	ev.addr.type = link_to_bdaddr(link_type, addr_type);
3582
	ev.status = mgmt_status(status);
3583

3584
	return mgmt_event(MGMT_EV_CONNECT_FAILED, hdev, &ev, sizeof(ev), NULL);
3585
}
3586

3587
int mgmt_pin_code_request(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 secure)
3588 3589 3590
{
	struct mgmt_ev_pin_code_request ev;

3591
	bacpy(&ev.addr.bdaddr, bdaddr);
3592
	ev.addr.type = BDADDR_BREDR;
3593
	ev.secure = secure;
3594

3595
	return mgmt_event(MGMT_EV_PIN_CODE_REQUEST, hdev, &ev, sizeof(ev),
3596
			  NULL);
3597 3598
}

3599
int mgmt_pin_code_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
3600
				 u8 status)
3601 3602
{
	struct pending_cmd *cmd;
3603
	struct mgmt_rp_pin_code_reply rp;
3604 3605
	int err;

3606
	cmd = mgmt_pending_find(MGMT_OP_PIN_CODE_REPLY, hdev);
3607 3608 3609
	if (!cmd)
		return -ENOENT;

3610
	bacpy(&rp.addr.bdaddr, bdaddr);
3611
	rp.addr.type = BDADDR_BREDR;
3612

3613
	err = cmd_complete(cmd->sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
3614
			   mgmt_status(status), &rp, sizeof(rp));
3615

3616
	mgmt_pending_remove(cmd);
3617 3618 3619 3620

	return err;
}

3621
int mgmt_pin_code_neg_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
3622
				     u8 status)
3623 3624
{
	struct pending_cmd *cmd;
3625
	struct mgmt_rp_pin_code_reply rp;
3626 3627
	int err;

3628
	cmd = mgmt_pending_find(MGMT_OP_PIN_CODE_NEG_REPLY, hdev);
3629 3630 3631
	if (!cmd)
		return -ENOENT;

3632
	bacpy(&rp.addr.bdaddr, bdaddr);
3633
	rp.addr.type = BDADDR_BREDR;
3634

3635
	err = cmd_complete(cmd->sk, hdev->id, MGMT_OP_PIN_CODE_NEG_REPLY,
3636
			   mgmt_status(status), &rp, sizeof(rp));
3637

3638
	mgmt_pending_remove(cmd);
3639 3640 3641

	return err;
}
3642

3643
int mgmt_user_confirm_request(struct hci_dev *hdev, bdaddr_t *bdaddr,
3644 3645
			      u8 link_type, u8 addr_type, __le32 value,
			      u8 confirm_hint)
3646 3647 3648
{
	struct mgmt_ev_user_confirm_request ev;

3649
	BT_DBG("%s", hdev->name);
3650

3651
	bacpy(&ev.addr.bdaddr, bdaddr);
3652
	ev.addr.type = link_to_bdaddr(link_type, addr_type);
3653
	ev.confirm_hint = confirm_hint;
3654
	ev.value = value;
3655

3656
	return mgmt_event(MGMT_EV_USER_CONFIRM_REQUEST, hdev, &ev, sizeof(ev),
3657
			  NULL);
3658 3659
}

3660
int mgmt_user_passkey_request(struct hci_dev *hdev, bdaddr_t *bdaddr,
3661
			      u8 link_type, u8 addr_type)
3662 3663 3664 3665 3666
{
	struct mgmt_ev_user_passkey_request ev;

	BT_DBG("%s", hdev->name);

3667
	bacpy(&ev.addr.bdaddr, bdaddr);
3668
	ev.addr.type = link_to_bdaddr(link_type, addr_type);
3669 3670

	return mgmt_event(MGMT_EV_USER_PASSKEY_REQUEST, hdev, &ev, sizeof(ev),
3671
			  NULL);
3672 3673
}

3674
static int user_pairing_resp_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
3675 3676
				      u8 link_type, u8 addr_type, u8 status,
				      u8 opcode)
3677 3678 3679 3680 3681
{
	struct pending_cmd *cmd;
	struct mgmt_rp_user_confirm_reply rp;
	int err;

3682
	cmd = mgmt_pending_find(opcode, hdev);
3683 3684 3685
	if (!cmd)
		return -ENOENT;

3686
	bacpy(&rp.addr.bdaddr, bdaddr);
3687
	rp.addr.type = link_to_bdaddr(link_type, addr_type);
3688
	err = cmd_complete(cmd->sk, hdev->id, opcode, mgmt_status(status),
3689
			   &rp, sizeof(rp));
3690

3691
	mgmt_pending_remove(cmd);
3692 3693 3694 3695

	return err;
}

3696
int mgmt_user_confirm_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
3697
				     u8 link_type, u8 addr_type, u8 status)
3698
{
3699
	return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
3700
					  status, MGMT_OP_USER_CONFIRM_REPLY);
3701 3702
}

3703
int mgmt_user_confirm_neg_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
3704
					 u8 link_type, u8 addr_type, u8 status)
3705
{
3706
	return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
3707 3708
					  status,
					  MGMT_OP_USER_CONFIRM_NEG_REPLY);
3709
}
3710

3711
int mgmt_user_passkey_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
3712
				     u8 link_type, u8 addr_type, u8 status)
3713
{
3714
	return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
3715
					  status, MGMT_OP_USER_PASSKEY_REPLY);
3716 3717
}

3718
int mgmt_user_passkey_neg_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
3719
					 u8 link_type, u8 addr_type, u8 status)
3720
{
3721
	return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
3722 3723
					  status,
					  MGMT_OP_USER_PASSKEY_NEG_REPLY);
3724 3725
}

3726 3727 3728 3729 3730 3731 3732 3733 3734 3735 3736 3737 3738 3739 3740 3741
int mgmt_user_passkey_notify(struct hci_dev *hdev, bdaddr_t *bdaddr,
			     u8 link_type, u8 addr_type, u32 passkey,
			     u8 entered)
{
	struct mgmt_ev_passkey_notify ev;

	BT_DBG("%s", hdev->name);

	bacpy(&ev.addr.bdaddr, bdaddr);
	ev.addr.type = link_to_bdaddr(link_type, addr_type);
	ev.passkey = __cpu_to_le32(passkey);
	ev.entered = entered;

	return mgmt_event(MGMT_EV_PASSKEY_NOTIFY, hdev, &ev, sizeof(ev), NULL);
}

3742
int mgmt_auth_failed(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
3743
		     u8 addr_type, u8 status)
3744 3745 3746
{
	struct mgmt_ev_auth_failed ev;

3747
	bacpy(&ev.addr.bdaddr, bdaddr);
3748
	ev.addr.type = link_to_bdaddr(link_type, addr_type);
3749
	ev.status = mgmt_status(status);
3750

3751
	return mgmt_event(MGMT_EV_AUTH_FAILED, hdev, &ev, sizeof(ev), NULL);
3752
}
3753

3754 3755 3756
int mgmt_auth_enable_complete(struct hci_dev *hdev, u8 status)
{
	struct cmd_lookup match = { NULL, hdev };
3757 3758
	bool changed = false;
	int err = 0;
3759 3760 3761 3762

	if (status) {
		u8 mgmt_err = mgmt_status(status);
		mgmt_pending_foreach(MGMT_OP_SET_LINK_SECURITY, hdev,
3763
				     cmd_status_rsp, &mgmt_err);
3764 3765 3766
		return 0;
	}

3767 3768 3769 3770 3771 3772 3773 3774
	if (test_bit(HCI_AUTH, &hdev->flags)) {
		if (!test_and_set_bit(HCI_LINK_SECURITY, &hdev->dev_flags))
			changed = true;
	} else {
		if (test_and_clear_bit(HCI_LINK_SECURITY, &hdev->dev_flags))
			changed = true;
	}

3775
	mgmt_pending_foreach(MGMT_OP_SET_LINK_SECURITY, hdev, settings_rsp,
3776
			     &match);
3777

3778 3779
	if (changed)
		err = new_settings(hdev, match.sk);
3780 3781 3782 3783 3784 3785 3786

	if (match.sk)
		sock_put(match.sk);

	return err;
}

3787
static void clear_eir(struct hci_request *req)
3788
{
3789
	struct hci_dev *hdev = req->hdev;
3790 3791
	struct hci_cp_write_eir cp;

3792
	if (!lmp_ext_inq_capable(hdev))
3793
		return;
3794

3795 3796
	memset(hdev->eir, 0, sizeof(hdev->eir));

3797 3798
	memset(&cp, 0, sizeof(cp));

3799
	hci_req_add(req, HCI_OP_WRITE_EIR, sizeof(cp), &cp);
3800 3801
}

3802
int mgmt_ssp_enable_complete(struct hci_dev *hdev, u8 enable, u8 status)
3803 3804
{
	struct cmd_lookup match = { NULL, hdev };
3805
	struct hci_request req;
3806 3807
	bool changed = false;
	int err = 0;
3808 3809 3810

	if (status) {
		u8 mgmt_err = mgmt_status(status);
3811 3812

		if (enable && test_and_clear_bit(HCI_SSP_ENABLED,
3813
						 &hdev->dev_flags))
3814 3815
			err = new_settings(hdev, NULL);

3816 3817
		mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, cmd_status_rsp,
				     &mgmt_err);
3818 3819 3820 3821 3822 3823 3824 3825 3826 3827

		return err;
	}

	if (enable) {
		if (!test_and_set_bit(HCI_SSP_ENABLED, &hdev->dev_flags))
			changed = true;
	} else {
		if (test_and_clear_bit(HCI_SSP_ENABLED, &hdev->dev_flags))
			changed = true;
3828 3829 3830 3831
	}

	mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, settings_rsp, &match);

3832 3833
	if (changed)
		err = new_settings(hdev, match.sk);
3834

3835
	if (match.sk)
3836 3837
		sock_put(match.sk);

3838 3839
	hci_req_init(&req, hdev);

3840
	if (test_bit(HCI_SSP_ENABLED, &hdev->dev_flags))
3841
		update_eir(&req);
3842
	else
3843 3844 3845
		clear_eir(&req);

	hci_req_run(&req, NULL);
3846

3847 3848 3849
	return err;
}

3850
static void sk_lookup(struct pending_cmd *cmd, void *data)
3851 3852 3853 3854 3855 3856 3857 3858 3859
{
	struct cmd_lookup *match = data;

	if (match->sk == NULL) {
		match->sk = cmd->sk;
		sock_hold(match->sk);
	}
}

3860
int mgmt_set_class_of_dev_complete(struct hci_dev *hdev, u8 *dev_class,
3861
				   u8 status)
3862
{
3863 3864
	struct cmd_lookup match = { NULL, hdev, mgmt_status(status) };
	int err = 0;
3865

3866 3867 3868
	mgmt_pending_foreach(MGMT_OP_SET_DEV_CLASS, hdev, sk_lookup, &match);
	mgmt_pending_foreach(MGMT_OP_ADD_UUID, hdev, sk_lookup, &match);
	mgmt_pending_foreach(MGMT_OP_REMOVE_UUID, hdev, sk_lookup, &match);
3869 3870

	if (!status)
3871 3872
		err = mgmt_event(MGMT_EV_CLASS_OF_DEV_CHANGED, hdev, dev_class,
				 3, NULL);
3873 3874 3875

	if (match.sk)
		sock_put(match.sk);
3876 3877 3878 3879

	return err;
}

3880
int mgmt_set_local_name_complete(struct hci_dev *hdev, u8 *name, u8 status)
3881 3882
{
	struct mgmt_cp_set_local_name ev;
3883
	struct pending_cmd *cmd;
3884

3885 3886
	if (status)
		return 0;
3887 3888 3889

	memset(&ev, 0, sizeof(ev));
	memcpy(ev.name, name, HCI_MAX_NAME_LENGTH);
3890
	memcpy(ev.short_name, hdev->short_name, HCI_MAX_SHORT_NAME_LENGTH);
3891

3892
	cmd = mgmt_pending_find(MGMT_OP_SET_LOCAL_NAME, hdev);
3893 3894
	if (!cmd) {
		memcpy(hdev->dev_name, name, sizeof(hdev->dev_name));
3895

3896 3897 3898 3899 3900
		/* If this is a HCI command related to powering on the
		 * HCI dev don't send any mgmt signals.
		 */
		if (mgmt_pending_find(MGMT_OP_SET_POWERED, hdev))
			return 0;
3901
	}
3902

3903 3904
	return mgmt_event(MGMT_EV_LOCAL_NAME_CHANGED, hdev, &ev, sizeof(ev),
			  cmd ? cmd->sk : NULL);
3905
}
3906

3907
int mgmt_read_local_oob_data_reply_complete(struct hci_dev *hdev, u8 *hash,
3908
					    u8 *randomizer, u8 status)
3909 3910 3911 3912
{
	struct pending_cmd *cmd;
	int err;

3913
	BT_DBG("%s status %u", hdev->name, status);
3914

3915
	cmd = mgmt_pending_find(MGMT_OP_READ_LOCAL_OOB_DATA, hdev);
3916 3917 3918 3919
	if (!cmd)
		return -ENOENT;

	if (status) {
3920 3921
		err = cmd_status(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
				 mgmt_status(status));
3922 3923 3924 3925 3926 3927
	} else {
		struct mgmt_rp_read_local_oob_data rp;

		memcpy(rp.hash, hash, sizeof(rp.hash));
		memcpy(rp.randomizer, randomizer, sizeof(rp.randomizer));

3928
		err = cmd_complete(cmd->sk, hdev->id,
3929 3930
				   MGMT_OP_READ_LOCAL_OOB_DATA, 0, &rp,
				   sizeof(rp));
3931 3932 3933 3934 3935 3936
	}

	mgmt_pending_remove(cmd);

	return err;
}
3937

3938 3939 3940 3941 3942 3943 3944 3945 3946 3947
int mgmt_le_enable_complete(struct hci_dev *hdev, u8 enable, u8 status)
{
	struct cmd_lookup match = { NULL, hdev };
	bool changed = false;
	int err = 0;

	if (status) {
		u8 mgmt_err = mgmt_status(status);

		if (enable && test_and_clear_bit(HCI_LE_ENABLED,
3948
						 &hdev->dev_flags))
3949
			err = new_settings(hdev, NULL);
3950

3951 3952
		mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, cmd_status_rsp,
				     &mgmt_err);
3953 3954 3955 3956 3957 3958 3959 3960 3961 3962 3963 3964 3965 3966 3967 3968 3969 3970 3971 3972 3973 3974 3975

		return err;
	}

	if (enable) {
		if (!test_and_set_bit(HCI_LE_ENABLED, &hdev->dev_flags))
			changed = true;
	} else {
		if (test_and_clear_bit(HCI_LE_ENABLED, &hdev->dev_flags))
			changed = true;
	}

	mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, settings_rsp, &match);

	if (changed)
		err = new_settings(hdev, match.sk);

	if (match.sk)
		sock_put(match.sk);

	return err;
}

3976
int mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
3977 3978
		      u8 addr_type, u8 *dev_class, s8 rssi, u8 cfm_name, u8
		      ssp, u8 *eir, u16 eir_len)
3979
{
3980 3981
	char buf[512];
	struct mgmt_ev_device_found *ev = (void *) buf;
3982
	size_t ev_size;
3983

3984 3985
	/* Leave 5 bytes for a potential CoD field */
	if (sizeof(*ev) + eir_len + 5 > sizeof(buf))
3986 3987
		return -EINVAL;

3988 3989
	memset(buf, 0, sizeof(buf));

3990
	bacpy(&ev->addr.bdaddr, bdaddr);
3991
	ev->addr.type = link_to_bdaddr(link_type, addr_type);
3992
	ev->rssi = rssi;
3993
	if (cfm_name)
3994
		ev->flags |= __constant_cpu_to_le32(MGMT_DEV_FOUND_CONFIRM_NAME);
3995
	if (!ssp)
3996
		ev->flags |= __constant_cpu_to_le32(MGMT_DEV_FOUND_LEGACY_PAIRING);
3997

3998
	if (eir_len > 0)
3999
		memcpy(ev->eir, eir, eir_len);
4000

4001 4002
	if (dev_class && !eir_has_data_type(ev->eir, eir_len, EIR_CLASS_OF_DEV))
		eir_len = eir_append_data(ev->eir, eir_len, EIR_CLASS_OF_DEV,
4003
					  dev_class, 3);
4004

4005
	ev->eir_len = cpu_to_le16(eir_len);
4006
	ev_size = sizeof(*ev) + eir_len;
4007

4008
	return mgmt_event(MGMT_EV_DEVICE_FOUND, hdev, ev, ev_size, NULL);
4009
}
4010

4011
int mgmt_remote_name(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
4012
		     u8 addr_type, s8 rssi, u8 *name, u8 name_len)
4013
{
4014 4015 4016
	struct mgmt_ev_device_found *ev;
	char buf[sizeof(*ev) + HCI_MAX_NAME_LENGTH + 2];
	u16 eir_len;
4017

4018
	ev = (struct mgmt_ev_device_found *) buf;
4019

4020 4021 4022
	memset(buf, 0, sizeof(buf));

	bacpy(&ev->addr.bdaddr, bdaddr);
4023
	ev->addr.type = link_to_bdaddr(link_type, addr_type);
4024 4025 4026
	ev->rssi = rssi;

	eir_len = eir_append_data(ev->eir, 0, EIR_NAME_COMPLETE, name,
4027
				  name_len);
4028

4029
	ev->eir_len = cpu_to_le16(eir_len);
4030

4031
	return mgmt_event(MGMT_EV_DEVICE_FOUND, hdev, ev,
4032
			  sizeof(*ev) + eir_len, NULL);
4033
}
4034

4035
int mgmt_start_discovery_failed(struct hci_dev *hdev, u8 status)
4036 4037
{
	struct pending_cmd *cmd;
4038
	u8 type;
4039 4040
	int err;

4041 4042
	hci_discovery_set_state(hdev, DISCOVERY_STOPPED);

4043
	cmd = mgmt_pending_find(MGMT_OP_START_DISCOVERY, hdev);
4044 4045 4046
	if (!cmd)
		return -ENOENT;

4047 4048 4049
	type = hdev->discovery.type;

	err = cmd_complete(cmd->sk, hdev->id, cmd->opcode, mgmt_status(status),
4050
			   &type, sizeof(type));
4051 4052 4053 4054 4055
	mgmt_pending_remove(cmd);

	return err;
}

4056 4057 4058 4059 4060 4061 4062 4063 4064
int mgmt_stop_discovery_failed(struct hci_dev *hdev, u8 status)
{
	struct pending_cmd *cmd;
	int err;

	cmd = mgmt_pending_find(MGMT_OP_STOP_DISCOVERY, hdev);
	if (!cmd)
		return -ENOENT;

4065
	err = cmd_complete(cmd->sk, hdev->id, cmd->opcode, mgmt_status(status),
4066
			   &hdev->discovery.type, sizeof(hdev->discovery.type));
4067 4068 4069 4070 4071
	mgmt_pending_remove(cmd);

	return err;
}

4072
int mgmt_discovering(struct hci_dev *hdev, u8 discovering)
4073
{
4074
	struct mgmt_ev_discovering ev;
4075 4076
	struct pending_cmd *cmd;

4077 4078
	BT_DBG("%s discovering %u", hdev->name, discovering);

4079
	if (discovering)
4080
		cmd = mgmt_pending_find(MGMT_OP_START_DISCOVERY, hdev);
4081
	else
4082
		cmd = mgmt_pending_find(MGMT_OP_STOP_DISCOVERY, hdev);
4083 4084

	if (cmd != NULL) {
4085 4086
		u8 type = hdev->discovery.type;

4087 4088
		cmd_complete(cmd->sk, hdev->id, cmd->opcode, 0, &type,
			     sizeof(type));
4089 4090 4091
		mgmt_pending_remove(cmd);
	}

4092 4093 4094 4095 4096
	memset(&ev, 0, sizeof(ev));
	ev.type = hdev->discovery.type;
	ev.discovering = discovering;

	return mgmt_event(MGMT_EV_DISCOVERING, hdev, &ev, sizeof(ev), NULL);
4097
}
4098

4099
int mgmt_device_blocked(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
4100 4101 4102 4103
{
	struct pending_cmd *cmd;
	struct mgmt_ev_device_blocked ev;

4104
	cmd = mgmt_pending_find(MGMT_OP_BLOCK_DEVICE, hdev);
4105

4106 4107
	bacpy(&ev.addr.bdaddr, bdaddr);
	ev.addr.type = type;
4108

4109
	return mgmt_event(MGMT_EV_DEVICE_BLOCKED, hdev, &ev, sizeof(ev),
4110
			  cmd ? cmd->sk : NULL);
4111 4112
}

4113
int mgmt_device_unblocked(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
4114 4115 4116 4117
{
	struct pending_cmd *cmd;
	struct mgmt_ev_device_unblocked ev;

4118
	cmd = mgmt_pending_find(MGMT_OP_UNBLOCK_DEVICE, hdev);
4119

4120 4121
	bacpy(&ev.addr.bdaddr, bdaddr);
	ev.addr.type = type;
4122

4123
	return mgmt_event(MGMT_EV_DEVICE_UNBLOCKED, hdev, &ev, sizeof(ev),
4124
			  cmd ? cmd->sk : NULL);
4125
}
4126 4127 4128

module_param(enable_hs, bool, 0644);
MODULE_PARM_DESC(enable_hs, "Enable High Speed support");