1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3 
4    Copyright (C) 2010  Nokia Corporation
5    Copyright (C) 2011-2012 Intel Corporation
6 
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License version 2 as
9    published by the Free Software Foundation;
10 
11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 
20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22    SOFTWARE IS DISCLAIMED.
23 */
24 
25 /* Bluetooth HCI Management interface */
26 
27 #include <linux/module.h>
28 #include <asm/unaligned.h>
29 
30 #include <net/bluetooth/bluetooth.h>
31 #include <net/bluetooth/hci_core.h>
32 #include <net/bluetooth/hci_sock.h>
33 #include <net/bluetooth/l2cap.h>
34 #include <net/bluetooth/mgmt.h>
35 
36 #include "hci_request.h"
37 #include "smp.h"
38 #include "mgmt_util.h"
39 #include "mgmt_config.h"
40 #include "msft.h"
41 
42 #define MGMT_VERSION	1
43 #define MGMT_REVISION	21
44 
45 static const u16 mgmt_commands[] = {
46 	MGMT_OP_READ_INDEX_LIST,
47 	MGMT_OP_READ_INFO,
48 	MGMT_OP_SET_POWERED,
49 	MGMT_OP_SET_DISCOVERABLE,
50 	MGMT_OP_SET_CONNECTABLE,
51 	MGMT_OP_SET_FAST_CONNECTABLE,
52 	MGMT_OP_SET_BONDABLE,
53 	MGMT_OP_SET_LINK_SECURITY,
54 	MGMT_OP_SET_SSP,
55 	MGMT_OP_SET_HS,
56 	MGMT_OP_SET_LE,
57 	MGMT_OP_SET_DEV_CLASS,
58 	MGMT_OP_SET_LOCAL_NAME,
59 	MGMT_OP_ADD_UUID,
60 	MGMT_OP_REMOVE_UUID,
61 	MGMT_OP_LOAD_LINK_KEYS,
62 	MGMT_OP_LOAD_LONG_TERM_KEYS,
63 	MGMT_OP_DISCONNECT,
64 	MGMT_OP_GET_CONNECTIONS,
65 	MGMT_OP_PIN_CODE_REPLY,
66 	MGMT_OP_PIN_CODE_NEG_REPLY,
67 	MGMT_OP_SET_IO_CAPABILITY,
68 	MGMT_OP_PAIR_DEVICE,
69 	MGMT_OP_CANCEL_PAIR_DEVICE,
70 	MGMT_OP_UNPAIR_DEVICE,
71 	MGMT_OP_USER_CONFIRM_REPLY,
72 	MGMT_OP_USER_CONFIRM_NEG_REPLY,
73 	MGMT_OP_USER_PASSKEY_REPLY,
74 	MGMT_OP_USER_PASSKEY_NEG_REPLY,
75 	MGMT_OP_READ_LOCAL_OOB_DATA,
76 	MGMT_OP_ADD_REMOTE_OOB_DATA,
77 	MGMT_OP_REMOVE_REMOTE_OOB_DATA,
78 	MGMT_OP_START_DISCOVERY,
79 	MGMT_OP_STOP_DISCOVERY,
80 	MGMT_OP_CONFIRM_NAME,
81 	MGMT_OP_BLOCK_DEVICE,
82 	MGMT_OP_UNBLOCK_DEVICE,
83 	MGMT_OP_SET_DEVICE_ID,
84 	MGMT_OP_SET_ADVERTISING,
85 	MGMT_OP_SET_BREDR,
86 	MGMT_OP_SET_STATIC_ADDRESS,
87 	MGMT_OP_SET_SCAN_PARAMS,
88 	MGMT_OP_SET_SECURE_CONN,
89 	MGMT_OP_SET_DEBUG_KEYS,
90 	MGMT_OP_SET_PRIVACY,
91 	MGMT_OP_LOAD_IRKS,
92 	MGMT_OP_GET_CONN_INFO,
93 	MGMT_OP_GET_CLOCK_INFO,
94 	MGMT_OP_ADD_DEVICE,
95 	MGMT_OP_REMOVE_DEVICE,
96 	MGMT_OP_LOAD_CONN_PARAM,
97 	MGMT_OP_READ_UNCONF_INDEX_LIST,
98 	MGMT_OP_READ_CONFIG_INFO,
99 	MGMT_OP_SET_EXTERNAL_CONFIG,
100 	MGMT_OP_SET_PUBLIC_ADDRESS,
101 	MGMT_OP_START_SERVICE_DISCOVERY,
102 	MGMT_OP_READ_LOCAL_OOB_EXT_DATA,
103 	MGMT_OP_READ_EXT_INDEX_LIST,
104 	MGMT_OP_READ_ADV_FEATURES,
105 	MGMT_OP_ADD_ADVERTISING,
106 	MGMT_OP_REMOVE_ADVERTISING,
107 	MGMT_OP_GET_ADV_SIZE_INFO,
108 	MGMT_OP_START_LIMITED_DISCOVERY,
109 	MGMT_OP_READ_EXT_INFO,
110 	MGMT_OP_SET_APPEARANCE,
111 	MGMT_OP_GET_PHY_CONFIGURATION,
112 	MGMT_OP_SET_PHY_CONFIGURATION,
113 	MGMT_OP_SET_BLOCKED_KEYS,
114 	MGMT_OP_SET_WIDEBAND_SPEECH,
115 	MGMT_OP_READ_CONTROLLER_CAP,
116 	MGMT_OP_READ_EXP_FEATURES_INFO,
117 	MGMT_OP_SET_EXP_FEATURE,
118 	MGMT_OP_READ_DEF_SYSTEM_CONFIG,
119 	MGMT_OP_SET_DEF_SYSTEM_CONFIG,
120 	MGMT_OP_READ_DEF_RUNTIME_CONFIG,
121 	MGMT_OP_SET_DEF_RUNTIME_CONFIG,
122 	MGMT_OP_GET_DEVICE_FLAGS,
123 	MGMT_OP_SET_DEVICE_FLAGS,
124 	MGMT_OP_READ_ADV_MONITOR_FEATURES,
125 	MGMT_OP_ADD_ADV_PATTERNS_MONITOR,
126 	MGMT_OP_REMOVE_ADV_MONITOR,
127 	MGMT_OP_ADD_EXT_ADV_PARAMS,
128 	MGMT_OP_ADD_EXT_ADV_DATA,
129 	MGMT_OP_ADD_ADV_PATTERNS_MONITOR_RSSI,
130 };
131 
132 static const u16 mgmt_events[] = {
133 	MGMT_EV_CONTROLLER_ERROR,
134 	MGMT_EV_INDEX_ADDED,
135 	MGMT_EV_INDEX_REMOVED,
136 	MGMT_EV_NEW_SETTINGS,
137 	MGMT_EV_CLASS_OF_DEV_CHANGED,
138 	MGMT_EV_LOCAL_NAME_CHANGED,
139 	MGMT_EV_NEW_LINK_KEY,
140 	MGMT_EV_NEW_LONG_TERM_KEY,
141 	MGMT_EV_DEVICE_CONNECTED,
142 	MGMT_EV_DEVICE_DISCONNECTED,
143 	MGMT_EV_CONNECT_FAILED,
144 	MGMT_EV_PIN_CODE_REQUEST,
145 	MGMT_EV_USER_CONFIRM_REQUEST,
146 	MGMT_EV_USER_PASSKEY_REQUEST,
147 	MGMT_EV_AUTH_FAILED,
148 	MGMT_EV_DEVICE_FOUND,
149 	MGMT_EV_DISCOVERING,
150 	MGMT_EV_DEVICE_BLOCKED,
151 	MGMT_EV_DEVICE_UNBLOCKED,
152 	MGMT_EV_DEVICE_UNPAIRED,
153 	MGMT_EV_PASSKEY_NOTIFY,
154 	MGMT_EV_NEW_IRK,
155 	MGMT_EV_NEW_CSRK,
156 	MGMT_EV_DEVICE_ADDED,
157 	MGMT_EV_DEVICE_REMOVED,
158 	MGMT_EV_NEW_CONN_PARAM,
159 	MGMT_EV_UNCONF_INDEX_ADDED,
160 	MGMT_EV_UNCONF_INDEX_REMOVED,
161 	MGMT_EV_NEW_CONFIG_OPTIONS,
162 	MGMT_EV_EXT_INDEX_ADDED,
163 	MGMT_EV_EXT_INDEX_REMOVED,
164 	MGMT_EV_LOCAL_OOB_DATA_UPDATED,
165 	MGMT_EV_ADVERTISING_ADDED,
166 	MGMT_EV_ADVERTISING_REMOVED,
167 	MGMT_EV_EXT_INFO_CHANGED,
168 	MGMT_EV_PHY_CONFIGURATION_CHANGED,
169 	MGMT_EV_EXP_FEATURE_CHANGED,
170 	MGMT_EV_DEVICE_FLAGS_CHANGED,
171 	MGMT_EV_ADV_MONITOR_ADDED,
172 	MGMT_EV_ADV_MONITOR_REMOVED,
173 	MGMT_EV_CONTROLLER_SUSPEND,
174 	MGMT_EV_CONTROLLER_RESUME,
175 };
176 
177 static const u16 mgmt_untrusted_commands[] = {
178 	MGMT_OP_READ_INDEX_LIST,
179 	MGMT_OP_READ_INFO,
180 	MGMT_OP_READ_UNCONF_INDEX_LIST,
181 	MGMT_OP_READ_CONFIG_INFO,
182 	MGMT_OP_READ_EXT_INDEX_LIST,
183 	MGMT_OP_READ_EXT_INFO,
184 	MGMT_OP_READ_CONTROLLER_CAP,
185 	MGMT_OP_READ_EXP_FEATURES_INFO,
186 	MGMT_OP_READ_DEF_SYSTEM_CONFIG,
187 	MGMT_OP_READ_DEF_RUNTIME_CONFIG,
188 };
189 
190 static const u16 mgmt_untrusted_events[] = {
191 	MGMT_EV_INDEX_ADDED,
192 	MGMT_EV_INDEX_REMOVED,
193 	MGMT_EV_NEW_SETTINGS,
194 	MGMT_EV_CLASS_OF_DEV_CHANGED,
195 	MGMT_EV_LOCAL_NAME_CHANGED,
196 	MGMT_EV_UNCONF_INDEX_ADDED,
197 	MGMT_EV_UNCONF_INDEX_REMOVED,
198 	MGMT_EV_NEW_CONFIG_OPTIONS,
199 	MGMT_EV_EXT_INDEX_ADDED,
200 	MGMT_EV_EXT_INDEX_REMOVED,
201 	MGMT_EV_EXT_INFO_CHANGED,
202 	MGMT_EV_EXP_FEATURE_CHANGED,
203 };
204 
205 #define CACHE_TIMEOUT	msecs_to_jiffies(2 * 1000)
206 
207 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
208 		 "\x00\x00\x00\x00\x00\x00\x00\x00"
209 
210 /* HCI to MGMT error code conversion table */
211 static const u8 mgmt_status_table[] = {
212 	MGMT_STATUS_SUCCESS,
213 	MGMT_STATUS_UNKNOWN_COMMAND,	/* Unknown Command */
214 	MGMT_STATUS_NOT_CONNECTED,	/* No Connection */
215 	MGMT_STATUS_FAILED,		/* Hardware Failure */
216 	MGMT_STATUS_CONNECT_FAILED,	/* Page Timeout */
217 	MGMT_STATUS_AUTH_FAILED,	/* Authentication Failed */
218 	MGMT_STATUS_AUTH_FAILED,	/* PIN or Key Missing */
219 	MGMT_STATUS_NO_RESOURCES,	/* Memory Full */
220 	MGMT_STATUS_TIMEOUT,		/* Connection Timeout */
221 	MGMT_STATUS_NO_RESOURCES,	/* Max Number of Connections */
222 	MGMT_STATUS_NO_RESOURCES,	/* Max Number of SCO Connections */
223 	MGMT_STATUS_ALREADY_CONNECTED,	/* ACL Connection Exists */
224 	MGMT_STATUS_BUSY,		/* Command Disallowed */
225 	MGMT_STATUS_NO_RESOURCES,	/* Rejected Limited Resources */
226 	MGMT_STATUS_REJECTED,		/* Rejected Security */
227 	MGMT_STATUS_REJECTED,		/* Rejected Personal */
228 	MGMT_STATUS_TIMEOUT,		/* Host Timeout */
229 	MGMT_STATUS_NOT_SUPPORTED,	/* Unsupported Feature */
230 	MGMT_STATUS_INVALID_PARAMS,	/* Invalid Parameters */
231 	MGMT_STATUS_DISCONNECTED,	/* OE User Ended Connection */
232 	MGMT_STATUS_NO_RESOURCES,	/* OE Low Resources */
233 	MGMT_STATUS_DISCONNECTED,	/* OE Power Off */
234 	MGMT_STATUS_DISCONNECTED,	/* Connection Terminated */
235 	MGMT_STATUS_BUSY,		/* Repeated Attempts */
236 	MGMT_STATUS_REJECTED,		/* Pairing Not Allowed */
237 	MGMT_STATUS_FAILED,		/* Unknown LMP PDU */
238 	MGMT_STATUS_NOT_SUPPORTED,	/* Unsupported Remote Feature */
239 	MGMT_STATUS_REJECTED,		/* SCO Offset Rejected */
240 	MGMT_STATUS_REJECTED,		/* SCO Interval Rejected */
241 	MGMT_STATUS_REJECTED,		/* Air Mode Rejected */
242 	MGMT_STATUS_INVALID_PARAMS,	/* Invalid LMP Parameters */
243 	MGMT_STATUS_FAILED,		/* Unspecified Error */
244 	MGMT_STATUS_NOT_SUPPORTED,	/* Unsupported LMP Parameter Value */
245 	MGMT_STATUS_FAILED,		/* Role Change Not Allowed */
246 	MGMT_STATUS_TIMEOUT,		/* LMP Response Timeout */
247 	MGMT_STATUS_FAILED,		/* LMP Error Transaction Collision */
248 	MGMT_STATUS_FAILED,		/* LMP PDU Not Allowed */
249 	MGMT_STATUS_REJECTED,		/* Encryption Mode Not Accepted */
250 	MGMT_STATUS_FAILED,		/* Unit Link Key Used */
251 	MGMT_STATUS_NOT_SUPPORTED,	/* QoS Not Supported */
252 	MGMT_STATUS_TIMEOUT,		/* Instant Passed */
253 	MGMT_STATUS_NOT_SUPPORTED,	/* Pairing Not Supported */
254 	MGMT_STATUS_FAILED,		/* Transaction Collision */
255 	MGMT_STATUS_FAILED,		/* Reserved for future use */
256 	MGMT_STATUS_INVALID_PARAMS,	/* Unacceptable Parameter */
257 	MGMT_STATUS_REJECTED,		/* QoS Rejected */
258 	MGMT_STATUS_NOT_SUPPORTED,	/* Classification Not Supported */
259 	MGMT_STATUS_REJECTED,		/* Insufficient Security */
260 	MGMT_STATUS_INVALID_PARAMS,	/* Parameter Out Of Range */
261 	MGMT_STATUS_FAILED,		/* Reserved for future use */
262 	MGMT_STATUS_BUSY,		/* Role Switch Pending */
263 	MGMT_STATUS_FAILED,		/* Reserved for future use */
264 	MGMT_STATUS_FAILED,		/* Slot Violation */
265 	MGMT_STATUS_FAILED,		/* Role Switch Failed */
266 	MGMT_STATUS_INVALID_PARAMS,	/* EIR Too Large */
267 	MGMT_STATUS_NOT_SUPPORTED,	/* Simple Pairing Not Supported */
268 	MGMT_STATUS_BUSY,		/* Host Busy Pairing */
269 	MGMT_STATUS_REJECTED,		/* Rejected, No Suitable Channel */
270 	MGMT_STATUS_BUSY,		/* Controller Busy */
271 	MGMT_STATUS_INVALID_PARAMS,	/* Unsuitable Connection Interval */
272 	MGMT_STATUS_TIMEOUT,		/* Directed Advertising Timeout */
273 	MGMT_STATUS_AUTH_FAILED,	/* Terminated Due to MIC Failure */
274 	MGMT_STATUS_CONNECT_FAILED,	/* Connection Establishment Failed */
275 	MGMT_STATUS_CONNECT_FAILED,	/* MAC Connection Failed */
276 };
277 
mgmt_status(u8 hci_status)278 static u8 mgmt_status(u8 hci_status)
279 {
280 	if (hci_status < ARRAY_SIZE(mgmt_status_table))
281 		return mgmt_status_table[hci_status];
282 
283 	return MGMT_STATUS_FAILED;
284 }
285 
mgmt_index_event(u16 event,struct hci_dev * hdev,void * data,u16 len,int flag)286 static int mgmt_index_event(u16 event, struct hci_dev *hdev, void *data,
287 			    u16 len, int flag)
288 {
289 	return mgmt_send_event(event, hdev, HCI_CHANNEL_CONTROL, data, len,
290 			       flag, NULL);
291 }
292 
mgmt_limited_event(u16 event,struct hci_dev * hdev,void * data,u16 len,int flag,struct sock * skip_sk)293 static int mgmt_limited_event(u16 event, struct hci_dev *hdev, void *data,
294 			      u16 len, int flag, struct sock *skip_sk)
295 {
296 	return mgmt_send_event(event, hdev, HCI_CHANNEL_CONTROL, data, len,
297 			       flag, skip_sk);
298 }
299 
mgmt_event(u16 event,struct hci_dev * hdev,void * data,u16 len,struct sock * skip_sk)300 static int mgmt_event(u16 event, struct hci_dev *hdev, void *data, u16 len,
301 		      struct sock *skip_sk)
302 {
303 	return mgmt_send_event(event, hdev, HCI_CHANNEL_CONTROL, data, len,
304 			       HCI_SOCK_TRUSTED, skip_sk);
305 }
306 
le_addr_type(u8 mgmt_addr_type)307 static u8 le_addr_type(u8 mgmt_addr_type)
308 {
309 	if (mgmt_addr_type == BDADDR_LE_PUBLIC)
310 		return ADDR_LE_DEV_PUBLIC;
311 	else
312 		return ADDR_LE_DEV_RANDOM;
313 }
314 
mgmt_fill_version_info(void * ver)315 void mgmt_fill_version_info(void *ver)
316 {
317 	struct mgmt_rp_read_version *rp = ver;
318 
319 	rp->version = MGMT_VERSION;
320 	rp->revision = cpu_to_le16(MGMT_REVISION);
321 }
322 
read_version(struct sock * sk,struct hci_dev * hdev,void * data,u16 data_len)323 static int read_version(struct sock *sk, struct hci_dev *hdev, void *data,
324 			u16 data_len)
325 {
326 	struct mgmt_rp_read_version rp;
327 
328 	bt_dev_dbg(hdev, "sock %p", sk);
329 
330 	mgmt_fill_version_info(&rp);
331 
332 	return mgmt_cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_VERSION, 0,
333 				 &rp, sizeof(rp));
334 }
335 
read_commands(struct sock * sk,struct hci_dev * hdev,void * data,u16 data_len)336 static int read_commands(struct sock *sk, struct hci_dev *hdev, void *data,
337 			 u16 data_len)
338 {
339 	struct mgmt_rp_read_commands *rp;
340 	u16 num_commands, num_events;
341 	size_t rp_size;
342 	int i, err;
343 
344 	bt_dev_dbg(hdev, "sock %p", sk);
345 
346 	if (hci_sock_test_flag(sk, HCI_SOCK_TRUSTED)) {
347 		num_commands = ARRAY_SIZE(mgmt_commands);
348 		num_events = ARRAY_SIZE(mgmt_events);
349 	} else {
350 		num_commands = ARRAY_SIZE(mgmt_untrusted_commands);
351 		num_events = ARRAY_SIZE(mgmt_untrusted_events);
352 	}
353 
354 	rp_size = sizeof(*rp) + ((num_commands + num_events) * sizeof(u16));
355 
356 	rp = kmalloc(rp_size, GFP_KERNEL);
357 	if (!rp)
358 		return -ENOMEM;
359 
360 	rp->num_commands = cpu_to_le16(num_commands);
361 	rp->num_events = cpu_to_le16(num_events);
362 
363 	if (hci_sock_test_flag(sk, HCI_SOCK_TRUSTED)) {
364 		__le16 *opcode = rp->opcodes;
365 
366 		for (i = 0; i < num_commands; i++, opcode++)
367 			put_unaligned_le16(mgmt_commands[i], opcode);
368 
369 		for (i = 0; i < num_events; i++, opcode++)
370 			put_unaligned_le16(mgmt_events[i], opcode);
371 	} else {
372 		__le16 *opcode = rp->opcodes;
373 
374 		for (i = 0; i < num_commands; i++, opcode++)
375 			put_unaligned_le16(mgmt_untrusted_commands[i], opcode);
376 
377 		for (i = 0; i < num_events; i++, opcode++)
378 			put_unaligned_le16(mgmt_untrusted_events[i], opcode);
379 	}
380 
381 	err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_COMMANDS, 0,
382 				rp, rp_size);
383 	kfree(rp);
384 
385 	return err;
386 }
387 
read_index_list(struct sock * sk,struct hci_dev * hdev,void * data,u16 data_len)388 static int read_index_list(struct sock *sk, struct hci_dev *hdev, void *data,
389 			   u16 data_len)
390 {
391 	struct mgmt_rp_read_index_list *rp;
392 	struct hci_dev *d;
393 	size_t rp_len;
394 	u16 count;
395 	int err;
396 
397 	bt_dev_dbg(hdev, "sock %p", sk);
398 
399 	read_lock(&hci_dev_list_lock);
400 
401 	count = 0;
402 	list_for_each_entry(d, &hci_dev_list, list) {
403 		if (d->dev_type == HCI_PRIMARY &&
404 		    !hci_dev_test_flag(d, HCI_UNCONFIGURED))
405 			count++;
406 	}
407 
408 	rp_len = sizeof(*rp) + (2 * count);
409 	rp = kmalloc(rp_len, GFP_ATOMIC);
410 	if (!rp) {
411 		read_unlock(&hci_dev_list_lock);
412 		return -ENOMEM;
413 	}
414 
415 	count = 0;
416 	list_for_each_entry(d, &hci_dev_list, list) {
417 		if (hci_dev_test_flag(d, HCI_SETUP) ||
418 		    hci_dev_test_flag(d, HCI_CONFIG) ||
419 		    hci_dev_test_flag(d, HCI_USER_CHANNEL))
420 			continue;
421 
422 		/* Devices marked as raw-only are neither configured
423 		 * nor unconfigured controllers.
424 		 */
425 		if (test_bit(HCI_QUIRK_RAW_DEVICE, &d->quirks))
426 			continue;
427 
428 		if (d->dev_type == HCI_PRIMARY &&
429 		    !hci_dev_test_flag(d, HCI_UNCONFIGURED)) {
430 			rp->index[count++] = cpu_to_le16(d->id);
431 			bt_dev_dbg(hdev, "Added hci%u", d->id);
432 		}
433 	}
434 
435 	rp->num_controllers = cpu_to_le16(count);
436 	rp_len = sizeof(*rp) + (2 * count);
437 
438 	read_unlock(&hci_dev_list_lock);
439 
440 	err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_INDEX_LIST,
441 				0, rp, rp_len);
442 
443 	kfree(rp);
444 
445 	return err;
446 }
447 
read_unconf_index_list(struct sock * sk,struct hci_dev * hdev,void * data,u16 data_len)448 static int read_unconf_index_list(struct sock *sk, struct hci_dev *hdev,
449 				  void *data, u16 data_len)
450 {
451 	struct mgmt_rp_read_unconf_index_list *rp;
452 	struct hci_dev *d;
453 	size_t rp_len;
454 	u16 count;
455 	int err;
456 
457 	bt_dev_dbg(hdev, "sock %p", sk);
458 
459 	read_lock(&hci_dev_list_lock);
460 
461 	count = 0;
462 	list_for_each_entry(d, &hci_dev_list, list) {
463 		if (d->dev_type == HCI_PRIMARY &&
464 		    hci_dev_test_flag(d, HCI_UNCONFIGURED))
465 			count++;
466 	}
467 
468 	rp_len = sizeof(*rp) + (2 * count);
469 	rp = kmalloc(rp_len, GFP_ATOMIC);
470 	if (!rp) {
471 		read_unlock(&hci_dev_list_lock);
472 		return -ENOMEM;
473 	}
474 
475 	count = 0;
476 	list_for_each_entry(d, &hci_dev_list, list) {
477 		if (hci_dev_test_flag(d, HCI_SETUP) ||
478 		    hci_dev_test_flag(d, HCI_CONFIG) ||
479 		    hci_dev_test_flag(d, HCI_USER_CHANNEL))
480 			continue;
481 
482 		/* Devices marked as raw-only are neither configured
483 		 * nor unconfigured controllers.
484 		 */
485 		if (test_bit(HCI_QUIRK_RAW_DEVICE, &d->quirks))
486 			continue;
487 
488 		if (d->dev_type == HCI_PRIMARY &&
489 		    hci_dev_test_flag(d, HCI_UNCONFIGURED)) {
490 			rp->index[count++] = cpu_to_le16(d->id);
491 			bt_dev_dbg(hdev, "Added hci%u", d->id);
492 		}
493 	}
494 
495 	rp->num_controllers = cpu_to_le16(count);
496 	rp_len = sizeof(*rp) + (2 * count);
497 
498 	read_unlock(&hci_dev_list_lock);
499 
500 	err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE,
501 				MGMT_OP_READ_UNCONF_INDEX_LIST, 0, rp, rp_len);
502 
503 	kfree(rp);
504 
505 	return err;
506 }
507 
read_ext_index_list(struct sock * sk,struct hci_dev * hdev,void * data,u16 data_len)508 static int read_ext_index_list(struct sock *sk, struct hci_dev *hdev,
509 			       void *data, u16 data_len)
510 {
511 	struct mgmt_rp_read_ext_index_list *rp;
512 	struct hci_dev *d;
513 	u16 count;
514 	int err;
515 
516 	bt_dev_dbg(hdev, "sock %p", sk);
517 
518 	read_lock(&hci_dev_list_lock);
519 
520 	count = 0;
521 	list_for_each_entry(d, &hci_dev_list, list) {
522 		if (d->dev_type == HCI_PRIMARY || d->dev_type == HCI_AMP)
523 			count++;
524 	}
525 
526 	rp = kmalloc(struct_size(rp, entry, count), GFP_ATOMIC);
527 	if (!rp) {
528 		read_unlock(&hci_dev_list_lock);
529 		return -ENOMEM;
530 	}
531 
532 	count = 0;
533 	list_for_each_entry(d, &hci_dev_list, list) {
534 		if (hci_dev_test_flag(d, HCI_SETUP) ||
535 		    hci_dev_test_flag(d, HCI_CONFIG) ||
536 		    hci_dev_test_flag(d, HCI_USER_CHANNEL))
537 			continue;
538 
539 		/* Devices marked as raw-only are neither configured
540 		 * nor unconfigured controllers.
541 		 */
542 		if (test_bit(HCI_QUIRK_RAW_DEVICE, &d->quirks))
543 			continue;
544 
545 		if (d->dev_type == HCI_PRIMARY) {
546 			if (hci_dev_test_flag(d, HCI_UNCONFIGURED))
547 				rp->entry[count].type = 0x01;
548 			else
549 				rp->entry[count].type = 0x00;
550 		} else if (d->dev_type == HCI_AMP) {
551 			rp->entry[count].type = 0x02;
552 		} else {
553 			continue;
554 		}
555 
556 		rp->entry[count].bus = d->bus;
557 		rp->entry[count++].index = cpu_to_le16(d->id);
558 		bt_dev_dbg(hdev, "Added hci%u", d->id);
559 	}
560 
561 	rp->num_controllers = cpu_to_le16(count);
562 
563 	read_unlock(&hci_dev_list_lock);
564 
565 	/* If this command is called at least once, then all the
566 	 * default index and unconfigured index events are disabled
567 	 * and from now on only extended index events are used.
568 	 */
569 	hci_sock_set_flag(sk, HCI_MGMT_EXT_INDEX_EVENTS);
570 	hci_sock_clear_flag(sk, HCI_MGMT_INDEX_EVENTS);
571 	hci_sock_clear_flag(sk, HCI_MGMT_UNCONF_INDEX_EVENTS);
572 
573 	err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE,
574 				MGMT_OP_READ_EXT_INDEX_LIST, 0, rp,
575 				struct_size(rp, entry, count));
576 
577 	kfree(rp);
578 
579 	return err;
580 }
581 
is_configured(struct hci_dev * hdev)582 static bool is_configured(struct hci_dev *hdev)
583 {
584 	if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) &&
585 	    !hci_dev_test_flag(hdev, HCI_EXT_CONFIGURED))
586 		return false;
587 
588 	if ((test_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks) ||
589 	     test_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks)) &&
590 	    !bacmp(&hdev->public_addr, BDADDR_ANY))
591 		return false;
592 
593 	return true;
594 }
595 
get_missing_options(struct hci_dev * hdev)596 static __le32 get_missing_options(struct hci_dev *hdev)
597 {
598 	u32 options = 0;
599 
600 	if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) &&
601 	    !hci_dev_test_flag(hdev, HCI_EXT_CONFIGURED))
602 		options |= MGMT_OPTION_EXTERNAL_CONFIG;
603 
604 	if ((test_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks) ||
605 	     test_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks)) &&
606 	    !bacmp(&hdev->public_addr, BDADDR_ANY))
607 		options |= MGMT_OPTION_PUBLIC_ADDRESS;
608 
609 	return cpu_to_le32(options);
610 }
611 
new_options(struct hci_dev * hdev,struct sock * skip)612 static int new_options(struct hci_dev *hdev, struct sock *skip)
613 {
614 	__le32 options = get_missing_options(hdev);
615 
616 	return mgmt_limited_event(MGMT_EV_NEW_CONFIG_OPTIONS, hdev, &options,
617 				  sizeof(options), HCI_MGMT_OPTION_EVENTS, skip);
618 }
619 
send_options_rsp(struct sock * sk,u16 opcode,struct hci_dev * hdev)620 static int send_options_rsp(struct sock *sk, u16 opcode, struct hci_dev *hdev)
621 {
622 	__le32 options = get_missing_options(hdev);
623 
624 	return mgmt_cmd_complete(sk, hdev->id, opcode, 0, &options,
625 				 sizeof(options));
626 }
627 
read_config_info(struct sock * sk,struct hci_dev * hdev,void * data,u16 data_len)628 static int read_config_info(struct sock *sk, struct hci_dev *hdev,
629 			    void *data, u16 data_len)
630 {
631 	struct mgmt_rp_read_config_info rp;
632 	u32 options = 0;
633 
634 	bt_dev_dbg(hdev, "sock %p", sk);
635 
636 	hci_dev_lock(hdev);
637 
638 	memset(&rp, 0, sizeof(rp));
639 	rp.manufacturer = cpu_to_le16(hdev->manufacturer);
640 
641 	if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks))
642 		options |= MGMT_OPTION_EXTERNAL_CONFIG;
643 
644 	if (hdev->set_bdaddr)
645 		options |= MGMT_OPTION_PUBLIC_ADDRESS;
646 
647 	rp.supported_options = cpu_to_le32(options);
648 	rp.missing_options = get_missing_options(hdev);
649 
650 	hci_dev_unlock(hdev);
651 
652 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_CONFIG_INFO, 0,
653 				 &rp, sizeof(rp));
654 }
655 
get_supported_phys(struct hci_dev * hdev)656 static u32 get_supported_phys(struct hci_dev *hdev)
657 {
658 	u32 supported_phys = 0;
659 
660 	if (lmp_bredr_capable(hdev)) {
661 		supported_phys |= MGMT_PHY_BR_1M_1SLOT;
662 
663 		if (hdev->features[0][0] & LMP_3SLOT)
664 			supported_phys |= MGMT_PHY_BR_1M_3SLOT;
665 
666 		if (hdev->features[0][0] & LMP_5SLOT)
667 			supported_phys |= MGMT_PHY_BR_1M_5SLOT;
668 
669 		if (lmp_edr_2m_capable(hdev)) {
670 			supported_phys |= MGMT_PHY_EDR_2M_1SLOT;
671 
672 			if (lmp_edr_3slot_capable(hdev))
673 				supported_phys |= MGMT_PHY_EDR_2M_3SLOT;
674 
675 			if (lmp_edr_5slot_capable(hdev))
676 				supported_phys |= MGMT_PHY_EDR_2M_5SLOT;
677 
678 			if (lmp_edr_3m_capable(hdev)) {
679 				supported_phys |= MGMT_PHY_EDR_3M_1SLOT;
680 
681 				if (lmp_edr_3slot_capable(hdev))
682 					supported_phys |= MGMT_PHY_EDR_3M_3SLOT;
683 
684 				if (lmp_edr_5slot_capable(hdev))
685 					supported_phys |= MGMT_PHY_EDR_3M_5SLOT;
686 			}
687 		}
688 	}
689 
690 	if (lmp_le_capable(hdev)) {
691 		supported_phys |= MGMT_PHY_LE_1M_TX;
692 		supported_phys |= MGMT_PHY_LE_1M_RX;
693 
694 		if (hdev->le_features[1] & HCI_LE_PHY_2M) {
695 			supported_phys |= MGMT_PHY_LE_2M_TX;
696 			supported_phys |= MGMT_PHY_LE_2M_RX;
697 		}
698 
699 		if (hdev->le_features[1] & HCI_LE_PHY_CODED) {
700 			supported_phys |= MGMT_PHY_LE_CODED_TX;
701 			supported_phys |= MGMT_PHY_LE_CODED_RX;
702 		}
703 	}
704 
705 	return supported_phys;
706 }
707 
get_selected_phys(struct hci_dev * hdev)708 static u32 get_selected_phys(struct hci_dev *hdev)
709 {
710 	u32 selected_phys = 0;
711 
712 	if (lmp_bredr_capable(hdev)) {
713 		selected_phys |= MGMT_PHY_BR_1M_1SLOT;
714 
715 		if (hdev->pkt_type & (HCI_DM3 | HCI_DH3))
716 			selected_phys |= MGMT_PHY_BR_1M_3SLOT;
717 
718 		if (hdev->pkt_type & (HCI_DM5 | HCI_DH5))
719 			selected_phys |= MGMT_PHY_BR_1M_5SLOT;
720 
721 		if (lmp_edr_2m_capable(hdev)) {
722 			if (!(hdev->pkt_type & HCI_2DH1))
723 				selected_phys |= MGMT_PHY_EDR_2M_1SLOT;
724 
725 			if (lmp_edr_3slot_capable(hdev) &&
726 			    !(hdev->pkt_type & HCI_2DH3))
727 				selected_phys |= MGMT_PHY_EDR_2M_3SLOT;
728 
729 			if (lmp_edr_5slot_capable(hdev) &&
730 			    !(hdev->pkt_type & HCI_2DH5))
731 				selected_phys |= MGMT_PHY_EDR_2M_5SLOT;
732 
733 			if (lmp_edr_3m_capable(hdev)) {
734 				if (!(hdev->pkt_type & HCI_3DH1))
735 					selected_phys |= MGMT_PHY_EDR_3M_1SLOT;
736 
737 				if (lmp_edr_3slot_capable(hdev) &&
738 				    !(hdev->pkt_type & HCI_3DH3))
739 					selected_phys |= MGMT_PHY_EDR_3M_3SLOT;
740 
741 				if (lmp_edr_5slot_capable(hdev) &&
742 				    !(hdev->pkt_type & HCI_3DH5))
743 					selected_phys |= MGMT_PHY_EDR_3M_5SLOT;
744 			}
745 		}
746 	}
747 
748 	if (lmp_le_capable(hdev)) {
749 		if (hdev->le_tx_def_phys & HCI_LE_SET_PHY_1M)
750 			selected_phys |= MGMT_PHY_LE_1M_TX;
751 
752 		if (hdev->le_rx_def_phys & HCI_LE_SET_PHY_1M)
753 			selected_phys |= MGMT_PHY_LE_1M_RX;
754 
755 		if (hdev->le_tx_def_phys & HCI_LE_SET_PHY_2M)
756 			selected_phys |= MGMT_PHY_LE_2M_TX;
757 
758 		if (hdev->le_rx_def_phys & HCI_LE_SET_PHY_2M)
759 			selected_phys |= MGMT_PHY_LE_2M_RX;
760 
761 		if (hdev->le_tx_def_phys & HCI_LE_SET_PHY_CODED)
762 			selected_phys |= MGMT_PHY_LE_CODED_TX;
763 
764 		if (hdev->le_rx_def_phys & HCI_LE_SET_PHY_CODED)
765 			selected_phys |= MGMT_PHY_LE_CODED_RX;
766 	}
767 
768 	return selected_phys;
769 }
770 
get_configurable_phys(struct hci_dev * hdev)771 static u32 get_configurable_phys(struct hci_dev *hdev)
772 {
773 	return (get_supported_phys(hdev) & ~MGMT_PHY_BR_1M_1SLOT &
774 		~MGMT_PHY_LE_1M_TX & ~MGMT_PHY_LE_1M_RX);
775 }
776 
get_supported_settings(struct hci_dev * hdev)777 static u32 get_supported_settings(struct hci_dev *hdev)
778 {
779 	u32 settings = 0;
780 
781 	settings |= MGMT_SETTING_POWERED;
782 	settings |= MGMT_SETTING_BONDABLE;
783 	settings |= MGMT_SETTING_DEBUG_KEYS;
784 	settings |= MGMT_SETTING_CONNECTABLE;
785 	settings |= MGMT_SETTING_DISCOVERABLE;
786 
787 	if (lmp_bredr_capable(hdev)) {
788 		if (hdev->hci_ver >= BLUETOOTH_VER_1_2)
789 			settings |= MGMT_SETTING_FAST_CONNECTABLE;
790 		settings |= MGMT_SETTING_BREDR;
791 		settings |= MGMT_SETTING_LINK_SECURITY;
792 
793 		if (lmp_ssp_capable(hdev)) {
794 			settings |= MGMT_SETTING_SSP;
795 			if (IS_ENABLED(CONFIG_BT_HS))
796 				settings |= MGMT_SETTING_HS;
797 		}
798 
799 		if (lmp_sc_capable(hdev))
800 			settings |= MGMT_SETTING_SECURE_CONN;
801 
802 		if (test_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED,
803 			     &hdev->quirks))
804 			settings |= MGMT_SETTING_WIDEBAND_SPEECH;
805 	}
806 
807 	if (lmp_le_capable(hdev)) {
808 		settings |= MGMT_SETTING_LE;
809 		settings |= MGMT_SETTING_SECURE_CONN;
810 		settings |= MGMT_SETTING_PRIVACY;
811 		settings |= MGMT_SETTING_STATIC_ADDRESS;
812 
813 		/* When the experimental feature for LL Privacy support is
814 		 * enabled, then advertising is no longer supported.
815 		 */
816 		if (!hci_dev_test_flag(hdev, HCI_ENABLE_LL_PRIVACY))
817 			settings |= MGMT_SETTING_ADVERTISING;
818 	}
819 
820 	if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) ||
821 	    hdev->set_bdaddr)
822 		settings |= MGMT_SETTING_CONFIGURATION;
823 
824 	settings |= MGMT_SETTING_PHY_CONFIGURATION;
825 
826 	return settings;
827 }
828 
get_current_settings(struct hci_dev * hdev)829 static u32 get_current_settings(struct hci_dev *hdev)
830 {
831 	u32 settings = 0;
832 
833 	if (hdev_is_powered(hdev))
834 		settings |= MGMT_SETTING_POWERED;
835 
836 	if (hci_dev_test_flag(hdev, HCI_CONNECTABLE))
837 		settings |= MGMT_SETTING_CONNECTABLE;
838 
839 	if (hci_dev_test_flag(hdev, HCI_FAST_CONNECTABLE))
840 		settings |= MGMT_SETTING_FAST_CONNECTABLE;
841 
842 	if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE))
843 		settings |= MGMT_SETTING_DISCOVERABLE;
844 
845 	if (hci_dev_test_flag(hdev, HCI_BONDABLE))
846 		settings |= MGMT_SETTING_BONDABLE;
847 
848 	if (hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
849 		settings |= MGMT_SETTING_BREDR;
850 
851 	if (hci_dev_test_flag(hdev, HCI_LE_ENABLED))
852 		settings |= MGMT_SETTING_LE;
853 
854 	if (hci_dev_test_flag(hdev, HCI_LINK_SECURITY))
855 		settings |= MGMT_SETTING_LINK_SECURITY;
856 
857 	if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
858 		settings |= MGMT_SETTING_SSP;
859 
860 	if (hci_dev_test_flag(hdev, HCI_HS_ENABLED))
861 		settings |= MGMT_SETTING_HS;
862 
863 	if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
864 		settings |= MGMT_SETTING_ADVERTISING;
865 
866 	if (hci_dev_test_flag(hdev, HCI_SC_ENABLED))
867 		settings |= MGMT_SETTING_SECURE_CONN;
868 
869 	if (hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS))
870 		settings |= MGMT_SETTING_DEBUG_KEYS;
871 
872 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
873 		settings |= MGMT_SETTING_PRIVACY;
874 
875 	/* The current setting for static address has two purposes. The
876 	 * first is to indicate if the static address will be used and
877 	 * the second is to indicate if it is actually set.
878 	 *
879 	 * This means if the static address is not configured, this flag
880 	 * will never be set. If the address is configured, then if the
881 	 * address is actually used decides if the flag is set or not.
882 	 *
883 	 * For single mode LE only controllers and dual-mode controllers
884 	 * with BR/EDR disabled, the existence of the static address will
885 	 * be evaluated.
886 	 */
887 	if (hci_dev_test_flag(hdev, HCI_FORCE_STATIC_ADDR) ||
888 	    !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) ||
889 	    !bacmp(&hdev->bdaddr, BDADDR_ANY)) {
890 		if (bacmp(&hdev->static_addr, BDADDR_ANY))
891 			settings |= MGMT_SETTING_STATIC_ADDRESS;
892 	}
893 
894 	if (hci_dev_test_flag(hdev, HCI_WIDEBAND_SPEECH_ENABLED))
895 		settings |= MGMT_SETTING_WIDEBAND_SPEECH;
896 
897 	return settings;
898 }
899 
pending_find(u16 opcode,struct hci_dev * hdev)900 static struct mgmt_pending_cmd *pending_find(u16 opcode, struct hci_dev *hdev)
901 {
902 	return mgmt_pending_find(HCI_CHANNEL_CONTROL, opcode, hdev);
903 }
904 
pending_find_data(u16 opcode,struct hci_dev * hdev,const void * data)905 static struct mgmt_pending_cmd *pending_find_data(u16 opcode,
906 						  struct hci_dev *hdev,
907 						  const void *data)
908 {
909 	return mgmt_pending_find_data(HCI_CHANNEL_CONTROL, opcode, hdev, data);
910 }
911 
mgmt_get_adv_discov_flags(struct hci_dev * hdev)912 u8 mgmt_get_adv_discov_flags(struct hci_dev *hdev)
913 {
914 	struct mgmt_pending_cmd *cmd;
915 
916 	/* If there's a pending mgmt command the flags will not yet have
917 	 * their final values, so check for this first.
918 	 */
919 	cmd = pending_find(MGMT_OP_SET_DISCOVERABLE, hdev);
920 	if (cmd) {
921 		struct mgmt_mode *cp = cmd->param;
922 		if (cp->val == 0x01)
923 			return LE_AD_GENERAL;
924 		else if (cp->val == 0x02)
925 			return LE_AD_LIMITED;
926 	} else {
927 		if (hci_dev_test_flag(hdev, HCI_LIMITED_DISCOVERABLE))
928 			return LE_AD_LIMITED;
929 		else if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE))
930 			return LE_AD_GENERAL;
931 	}
932 
933 	return 0;
934 }
935 
mgmt_get_connectable(struct hci_dev * hdev)936 bool mgmt_get_connectable(struct hci_dev *hdev)
937 {
938 	struct mgmt_pending_cmd *cmd;
939 
940 	/* If there's a pending mgmt command the flag will not yet have
941 	 * it's final value, so check for this first.
942 	 */
943 	cmd = pending_find(MGMT_OP_SET_CONNECTABLE, hdev);
944 	if (cmd) {
945 		struct mgmt_mode *cp = cmd->param;
946 
947 		return cp->val;
948 	}
949 
950 	return hci_dev_test_flag(hdev, HCI_CONNECTABLE);
951 }
952 
service_cache_off(struct work_struct * work)953 static void service_cache_off(struct work_struct *work)
954 {
955 	struct hci_dev *hdev = container_of(work, struct hci_dev,
956 					    service_cache.work);
957 	struct hci_request req;
958 
959 	if (!hci_dev_test_and_clear_flag(hdev, HCI_SERVICE_CACHE))
960 		return;
961 
962 	hci_req_init(&req, hdev);
963 
964 	hci_dev_lock(hdev);
965 
966 	__hci_req_update_eir(&req);
967 	__hci_req_update_class(&req);
968 
969 	hci_dev_unlock(hdev);
970 
971 	hci_req_run(&req, NULL);
972 }
973 
rpa_expired(struct work_struct * work)974 static void rpa_expired(struct work_struct *work)
975 {
976 	struct hci_dev *hdev = container_of(work, struct hci_dev,
977 					    rpa_expired.work);
978 	struct hci_request req;
979 
980 	bt_dev_dbg(hdev, "");
981 
982 	hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
983 
984 	if (!hci_dev_test_flag(hdev, HCI_ADVERTISING))
985 		return;
986 
987 	/* The generation of a new RPA and programming it into the
988 	 * controller happens in the hci_req_enable_advertising()
989 	 * function.
990 	 */
991 	hci_req_init(&req, hdev);
992 	if (ext_adv_capable(hdev))
993 		__hci_req_start_ext_adv(&req, hdev->cur_adv_instance);
994 	else
995 		__hci_req_enable_advertising(&req);
996 	hci_req_run(&req, NULL);
997 }
998 
mgmt_init_hdev(struct sock * sk,struct hci_dev * hdev)999 static void mgmt_init_hdev(struct sock *sk, struct hci_dev *hdev)
1000 {
1001 	if (hci_dev_test_and_set_flag(hdev, HCI_MGMT))
1002 		return;
1003 
1004 	INIT_DELAYED_WORK(&hdev->service_cache, service_cache_off);
1005 	INIT_DELAYED_WORK(&hdev->rpa_expired, rpa_expired);
1006 
1007 	/* Non-mgmt controlled devices get this bit set
1008 	 * implicitly so that pairing works for them, however
1009 	 * for mgmt we require user-space to explicitly enable
1010 	 * it
1011 	 */
1012 	hci_dev_clear_flag(hdev, HCI_BONDABLE);
1013 }
1014 
read_controller_info(struct sock * sk,struct hci_dev * hdev,void * data,u16 data_len)1015 static int read_controller_info(struct sock *sk, struct hci_dev *hdev,
1016 				void *data, u16 data_len)
1017 {
1018 	struct mgmt_rp_read_info rp;
1019 
1020 	bt_dev_dbg(hdev, "sock %p", sk);
1021 
1022 	hci_dev_lock(hdev);
1023 
1024 	memset(&rp, 0, sizeof(rp));
1025 
1026 	bacpy(&rp.bdaddr, &hdev->bdaddr);
1027 
1028 	rp.version = hdev->hci_ver;
1029 	rp.manufacturer = cpu_to_le16(hdev->manufacturer);
1030 
1031 	rp.supported_settings = cpu_to_le32(get_supported_settings(hdev));
1032 	rp.current_settings = cpu_to_le32(get_current_settings(hdev));
1033 
1034 	memcpy(rp.dev_class, hdev->dev_class, 3);
1035 
1036 	memcpy(rp.name, hdev->dev_name, sizeof(hdev->dev_name));
1037 	memcpy(rp.short_name, hdev->short_name, sizeof(hdev->short_name));
1038 
1039 	hci_dev_unlock(hdev);
1040 
1041 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_INFO, 0, &rp,
1042 				 sizeof(rp));
1043 }
1044 
append_eir_data_to_buf(struct hci_dev * hdev,u8 * eir)1045 static u16 append_eir_data_to_buf(struct hci_dev *hdev, u8 *eir)
1046 {
1047 	u16 eir_len = 0;
1048 	size_t name_len;
1049 
1050 	if (hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1051 		eir_len = eir_append_data(eir, eir_len, EIR_CLASS_OF_DEV,
1052 					  hdev->dev_class, 3);
1053 
1054 	if (hci_dev_test_flag(hdev, HCI_LE_ENABLED))
1055 		eir_len = eir_append_le16(eir, eir_len, EIR_APPEARANCE,
1056 					  hdev->appearance);
1057 
1058 	name_len = strlen(hdev->dev_name);
1059 	eir_len = eir_append_data(eir, eir_len, EIR_NAME_COMPLETE,
1060 				  hdev->dev_name, name_len);
1061 
1062 	name_len = strlen(hdev->short_name);
1063 	eir_len = eir_append_data(eir, eir_len, EIR_NAME_SHORT,
1064 				  hdev->short_name, name_len);
1065 
1066 	return eir_len;
1067 }
1068 
read_ext_controller_info(struct sock * sk,struct hci_dev * hdev,void * data,u16 data_len)1069 static int read_ext_controller_info(struct sock *sk, struct hci_dev *hdev,
1070 				    void *data, u16 data_len)
1071 {
1072 	char buf[512];
1073 	struct mgmt_rp_read_ext_info *rp = (void *)buf;
1074 	u16 eir_len;
1075 
1076 	bt_dev_dbg(hdev, "sock %p", sk);
1077 
1078 	memset(&buf, 0, sizeof(buf));
1079 
1080 	hci_dev_lock(hdev);
1081 
1082 	bacpy(&rp->bdaddr, &hdev->bdaddr);
1083 
1084 	rp->version = hdev->hci_ver;
1085 	rp->manufacturer = cpu_to_le16(hdev->manufacturer);
1086 
1087 	rp->supported_settings = cpu_to_le32(get_supported_settings(hdev));
1088 	rp->current_settings = cpu_to_le32(get_current_settings(hdev));
1089 
1090 
1091 	eir_len = append_eir_data_to_buf(hdev, rp->eir);
1092 	rp->eir_len = cpu_to_le16(eir_len);
1093 
1094 	hci_dev_unlock(hdev);
1095 
1096 	/* If this command is called at least once, then the events
1097 	 * for class of device and local name changes are disabled
1098 	 * and only the new extended controller information event
1099 	 * is used.
1100 	 */
1101 	hci_sock_set_flag(sk, HCI_MGMT_EXT_INFO_EVENTS);
1102 	hci_sock_clear_flag(sk, HCI_MGMT_DEV_CLASS_EVENTS);
1103 	hci_sock_clear_flag(sk, HCI_MGMT_LOCAL_NAME_EVENTS);
1104 
1105 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_EXT_INFO, 0, rp,
1106 				 sizeof(*rp) + eir_len);
1107 }
1108 
ext_info_changed(struct hci_dev * hdev,struct sock * skip)1109 static int ext_info_changed(struct hci_dev *hdev, struct sock *skip)
1110 {
1111 	char buf[512];
1112 	struct mgmt_ev_ext_info_changed *ev = (void *)buf;
1113 	u16 eir_len;
1114 
1115 	memset(buf, 0, sizeof(buf));
1116 
1117 	eir_len = append_eir_data_to_buf(hdev, ev->eir);
1118 	ev->eir_len = cpu_to_le16(eir_len);
1119 
1120 	return mgmt_limited_event(MGMT_EV_EXT_INFO_CHANGED, hdev, ev,
1121 				  sizeof(*ev) + eir_len,
1122 				  HCI_MGMT_EXT_INFO_EVENTS, skip);
1123 }
1124 
send_settings_rsp(struct sock * sk,u16 opcode,struct hci_dev * hdev)1125 static int send_settings_rsp(struct sock *sk, u16 opcode, struct hci_dev *hdev)
1126 {
1127 	__le32 settings = cpu_to_le32(get_current_settings(hdev));
1128 
1129 	return mgmt_cmd_complete(sk, hdev->id, opcode, 0, &settings,
1130 				 sizeof(settings));
1131 }
1132 
clean_up_hci_complete(struct hci_dev * hdev,u8 status,u16 opcode)1133 static void clean_up_hci_complete(struct hci_dev *hdev, u8 status, u16 opcode)
1134 {
1135 	bt_dev_dbg(hdev, "status 0x%02x", status);
1136 
1137 	if (hci_conn_count(hdev) == 0) {
1138 		cancel_delayed_work(&hdev->power_off);
1139 		queue_work(hdev->req_workqueue, &hdev->power_off.work);
1140 	}
1141 }
1142 
mgmt_advertising_added(struct sock * sk,struct hci_dev * hdev,u8 instance)1143 void mgmt_advertising_added(struct sock *sk, struct hci_dev *hdev, u8 instance)
1144 {
1145 	struct mgmt_ev_advertising_added ev;
1146 
1147 	ev.instance = instance;
1148 
1149 	mgmt_event(MGMT_EV_ADVERTISING_ADDED, hdev, &ev, sizeof(ev), sk);
1150 }
1151 
mgmt_advertising_removed(struct sock * sk,struct hci_dev * hdev,u8 instance)1152 void mgmt_advertising_removed(struct sock *sk, struct hci_dev *hdev,
1153 			      u8 instance)
1154 {
1155 	struct mgmt_ev_advertising_removed ev;
1156 
1157 	ev.instance = instance;
1158 
1159 	mgmt_event(MGMT_EV_ADVERTISING_REMOVED, hdev, &ev, sizeof(ev), sk);
1160 }
1161 
cancel_adv_timeout(struct hci_dev * hdev)1162 static void cancel_adv_timeout(struct hci_dev *hdev)
1163 {
1164 	if (hdev->adv_instance_timeout) {
1165 		hdev->adv_instance_timeout = 0;
1166 		cancel_delayed_work(&hdev->adv_instance_expire);
1167 	}
1168 }
1169 
clean_up_hci_state(struct hci_dev * hdev)1170 static int clean_up_hci_state(struct hci_dev *hdev)
1171 {
1172 	struct hci_request req;
1173 	struct hci_conn *conn;
1174 	bool discov_stopped;
1175 	int err;
1176 
1177 	hci_req_init(&req, hdev);
1178 
1179 	if (test_bit(HCI_ISCAN, &hdev->flags) ||
1180 	    test_bit(HCI_PSCAN, &hdev->flags)) {
1181 		u8 scan = 0x00;
1182 		hci_req_add(&req, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
1183 	}
1184 
1185 	hci_req_clear_adv_instance(hdev, NULL, NULL, 0x00, false);
1186 
1187 	if (hci_dev_test_flag(hdev, HCI_LE_ADV))
1188 		__hci_req_disable_advertising(&req);
1189 
1190 	discov_stopped = hci_req_stop_discovery(&req);
1191 
1192 	list_for_each_entry(conn, &hdev->conn_hash.list, list) {
1193 		/* 0x15 == Terminated due to Power Off */
1194 		__hci_abort_conn(&req, conn, 0x15);
1195 	}
1196 
1197 	err = hci_req_run(&req, clean_up_hci_complete);
1198 	if (!err && discov_stopped)
1199 		hci_discovery_set_state(hdev, DISCOVERY_STOPPING);
1200 
1201 	return err;
1202 }
1203 
set_powered(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)1204 static int set_powered(struct sock *sk, struct hci_dev *hdev, void *data,
1205 		       u16 len)
1206 {
1207 	struct mgmt_mode *cp = data;
1208 	struct mgmt_pending_cmd *cmd;
1209 	int err;
1210 
1211 	bt_dev_dbg(hdev, "sock %p", sk);
1212 
1213 	if (cp->val != 0x00 && cp->val != 0x01)
1214 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_POWERED,
1215 				       MGMT_STATUS_INVALID_PARAMS);
1216 
1217 	hci_dev_lock(hdev);
1218 
1219 	if (pending_find(MGMT_OP_SET_POWERED, hdev)) {
1220 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_POWERED,
1221 				      MGMT_STATUS_BUSY);
1222 		goto failed;
1223 	}
1224 
1225 	if (!!cp->val == hdev_is_powered(hdev)) {
1226 		err = send_settings_rsp(sk, MGMT_OP_SET_POWERED, hdev);
1227 		goto failed;
1228 	}
1229 
1230 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_POWERED, hdev, data, len);
1231 	if (!cmd) {
1232 		err = -ENOMEM;
1233 		goto failed;
1234 	}
1235 
1236 	if (cp->val) {
1237 		queue_work(hdev->req_workqueue, &hdev->power_on);
1238 		err = 0;
1239 	} else {
1240 		/* Disconnect connections, stop scans, etc */
1241 		err = clean_up_hci_state(hdev);
1242 		if (!err)
1243 			queue_delayed_work(hdev->req_workqueue, &hdev->power_off,
1244 					   HCI_POWER_OFF_TIMEOUT);
1245 
1246 		/* ENODATA means there were no HCI commands queued */
1247 		if (err == -ENODATA) {
1248 			cancel_delayed_work(&hdev->power_off);
1249 			queue_work(hdev->req_workqueue, &hdev->power_off.work);
1250 			err = 0;
1251 		}
1252 	}
1253 
1254 failed:
1255 	hci_dev_unlock(hdev);
1256 	return err;
1257 }
1258 
new_settings(struct hci_dev * hdev,struct sock * skip)1259 static int new_settings(struct hci_dev *hdev, struct sock *skip)
1260 {
1261 	__le32 ev = cpu_to_le32(get_current_settings(hdev));
1262 
1263 	return mgmt_limited_event(MGMT_EV_NEW_SETTINGS, hdev, &ev,
1264 				  sizeof(ev), HCI_MGMT_SETTING_EVENTS, skip);
1265 }
1266 
mgmt_new_settings(struct hci_dev * hdev)1267 int mgmt_new_settings(struct hci_dev *hdev)
1268 {
1269 	return new_settings(hdev, NULL);
1270 }
1271 
1272 struct cmd_lookup {
1273 	struct sock *sk;
1274 	struct hci_dev *hdev;
1275 	u8 mgmt_status;
1276 };
1277 
settings_rsp(struct mgmt_pending_cmd * cmd,void * data)1278 static void settings_rsp(struct mgmt_pending_cmd *cmd, void *data)
1279 {
1280 	struct cmd_lookup *match = data;
1281 
1282 	send_settings_rsp(cmd->sk, cmd->opcode, match->hdev);
1283 
1284 	list_del(&cmd->list);
1285 
1286 	if (match->sk == NULL) {
1287 		match->sk = cmd->sk;
1288 		sock_hold(match->sk);
1289 	}
1290 
1291 	mgmt_pending_free(cmd);
1292 }
1293 
cmd_status_rsp(struct mgmt_pending_cmd * cmd,void * data)1294 static void cmd_status_rsp(struct mgmt_pending_cmd *cmd, void *data)
1295 {
1296 	u8 *status = data;
1297 
1298 	mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, *status);
1299 	mgmt_pending_remove(cmd);
1300 }
1301 
cmd_complete_rsp(struct mgmt_pending_cmd * cmd,void * data)1302 static void cmd_complete_rsp(struct mgmt_pending_cmd *cmd, void *data)
1303 {
1304 	if (cmd->cmd_complete) {
1305 		u8 *status = data;
1306 
1307 		cmd->cmd_complete(cmd, *status);
1308 		mgmt_pending_remove(cmd);
1309 
1310 		return;
1311 	}
1312 
1313 	cmd_status_rsp(cmd, data);
1314 }
1315 
generic_cmd_complete(struct mgmt_pending_cmd * cmd,u8 status)1316 static int generic_cmd_complete(struct mgmt_pending_cmd *cmd, u8 status)
1317 {
1318 	return mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status,
1319 				 cmd->param, cmd->param_len);
1320 }
1321 
addr_cmd_complete(struct mgmt_pending_cmd * cmd,u8 status)1322 static int addr_cmd_complete(struct mgmt_pending_cmd *cmd, u8 status)
1323 {
1324 	return mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status,
1325 				 cmd->param, sizeof(struct mgmt_addr_info));
1326 }
1327 
mgmt_bredr_support(struct hci_dev * hdev)1328 static u8 mgmt_bredr_support(struct hci_dev *hdev)
1329 {
1330 	if (!lmp_bredr_capable(hdev))
1331 		return MGMT_STATUS_NOT_SUPPORTED;
1332 	else if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1333 		return MGMT_STATUS_REJECTED;
1334 	else
1335 		return MGMT_STATUS_SUCCESS;
1336 }
1337 
mgmt_le_support(struct hci_dev * hdev)1338 static u8 mgmt_le_support(struct hci_dev *hdev)
1339 {
1340 	if (!lmp_le_capable(hdev))
1341 		return MGMT_STATUS_NOT_SUPPORTED;
1342 	else if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
1343 		return MGMT_STATUS_REJECTED;
1344 	else
1345 		return MGMT_STATUS_SUCCESS;
1346 }
1347 
mgmt_set_discoverable_complete(struct hci_dev * hdev,u8 status)1348 void mgmt_set_discoverable_complete(struct hci_dev *hdev, u8 status)
1349 {
1350 	struct mgmt_pending_cmd *cmd;
1351 
1352 	bt_dev_dbg(hdev, "status 0x%02x", status);
1353 
1354 	hci_dev_lock(hdev);
1355 
1356 	cmd = pending_find(MGMT_OP_SET_DISCOVERABLE, hdev);
1357 	if (!cmd)
1358 		goto unlock;
1359 
1360 	if (status) {
1361 		u8 mgmt_err = mgmt_status(status);
1362 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
1363 		hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1364 		goto remove_cmd;
1365 	}
1366 
1367 	if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE) &&
1368 	    hdev->discov_timeout > 0) {
1369 		int to = msecs_to_jiffies(hdev->discov_timeout * 1000);
1370 		queue_delayed_work(hdev->req_workqueue, &hdev->discov_off, to);
1371 	}
1372 
1373 	send_settings_rsp(cmd->sk, MGMT_OP_SET_DISCOVERABLE, hdev);
1374 	new_settings(hdev, cmd->sk);
1375 
1376 remove_cmd:
1377 	mgmt_pending_remove(cmd);
1378 
1379 unlock:
1380 	hci_dev_unlock(hdev);
1381 }
1382 
set_discoverable(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)1383 static int set_discoverable(struct sock *sk, struct hci_dev *hdev, void *data,
1384 			    u16 len)
1385 {
1386 	struct mgmt_cp_set_discoverable *cp = data;
1387 	struct mgmt_pending_cmd *cmd;
1388 	u16 timeout;
1389 	int err;
1390 
1391 	bt_dev_dbg(hdev, "sock %p", sk);
1392 
1393 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED) &&
1394 	    !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1395 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1396 				       MGMT_STATUS_REJECTED);
1397 
1398 	if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
1399 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1400 				       MGMT_STATUS_INVALID_PARAMS);
1401 
1402 	timeout = __le16_to_cpu(cp->timeout);
1403 
1404 	/* Disabling discoverable requires that no timeout is set,
1405 	 * and enabling limited discoverable requires a timeout.
1406 	 */
1407 	if ((cp->val == 0x00 && timeout > 0) ||
1408 	    (cp->val == 0x02 && timeout == 0))
1409 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1410 				       MGMT_STATUS_INVALID_PARAMS);
1411 
1412 	hci_dev_lock(hdev);
1413 
1414 	if (!hdev_is_powered(hdev) && timeout > 0) {
1415 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1416 				      MGMT_STATUS_NOT_POWERED);
1417 		goto failed;
1418 	}
1419 
1420 	if (pending_find(MGMT_OP_SET_DISCOVERABLE, hdev) ||
1421 	    pending_find(MGMT_OP_SET_CONNECTABLE, hdev)) {
1422 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1423 				      MGMT_STATUS_BUSY);
1424 		goto failed;
1425 	}
1426 
1427 	if (!hci_dev_test_flag(hdev, HCI_CONNECTABLE)) {
1428 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1429 				      MGMT_STATUS_REJECTED);
1430 		goto failed;
1431 	}
1432 
1433 	if (hdev->advertising_paused) {
1434 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1435 				      MGMT_STATUS_BUSY);
1436 		goto failed;
1437 	}
1438 
1439 	if (!hdev_is_powered(hdev)) {
1440 		bool changed = false;
1441 
1442 		/* Setting limited discoverable when powered off is
1443 		 * not a valid operation since it requires a timeout
1444 		 * and so no need to check HCI_LIMITED_DISCOVERABLE.
1445 		 */
1446 		if (!!cp->val != hci_dev_test_flag(hdev, HCI_DISCOVERABLE)) {
1447 			hci_dev_change_flag(hdev, HCI_DISCOVERABLE);
1448 			changed = true;
1449 		}
1450 
1451 		err = send_settings_rsp(sk, MGMT_OP_SET_DISCOVERABLE, hdev);
1452 		if (err < 0)
1453 			goto failed;
1454 
1455 		if (changed)
1456 			err = new_settings(hdev, sk);
1457 
1458 		goto failed;
1459 	}
1460 
1461 	/* If the current mode is the same, then just update the timeout
1462 	 * value with the new value. And if only the timeout gets updated,
1463 	 * then no need for any HCI transactions.
1464 	 */
1465 	if (!!cp->val == hci_dev_test_flag(hdev, HCI_DISCOVERABLE) &&
1466 	    (cp->val == 0x02) == hci_dev_test_flag(hdev,
1467 						   HCI_LIMITED_DISCOVERABLE)) {
1468 		cancel_delayed_work(&hdev->discov_off);
1469 		hdev->discov_timeout = timeout;
1470 
1471 		if (cp->val && hdev->discov_timeout > 0) {
1472 			int to = msecs_to_jiffies(hdev->discov_timeout * 1000);
1473 			queue_delayed_work(hdev->req_workqueue,
1474 					   &hdev->discov_off, to);
1475 		}
1476 
1477 		err = send_settings_rsp(sk, MGMT_OP_SET_DISCOVERABLE, hdev);
1478 		goto failed;
1479 	}
1480 
1481 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_DISCOVERABLE, hdev, data, len);
1482 	if (!cmd) {
1483 		err = -ENOMEM;
1484 		goto failed;
1485 	}
1486 
1487 	/* Cancel any potential discoverable timeout that might be
1488 	 * still active and store new timeout value. The arming of
1489 	 * the timeout happens in the complete handler.
1490 	 */
1491 	cancel_delayed_work(&hdev->discov_off);
1492 	hdev->discov_timeout = timeout;
1493 
1494 	if (cp->val)
1495 		hci_dev_set_flag(hdev, HCI_DISCOVERABLE);
1496 	else
1497 		hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1498 
1499 	/* Limited discoverable mode */
1500 	if (cp->val == 0x02)
1501 		hci_dev_set_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1502 	else
1503 		hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1504 
1505 	queue_work(hdev->req_workqueue, &hdev->discoverable_update);
1506 	err = 0;
1507 
1508 failed:
1509 	hci_dev_unlock(hdev);
1510 	return err;
1511 }
1512 
mgmt_set_connectable_complete(struct hci_dev * hdev,u8 status)1513 void mgmt_set_connectable_complete(struct hci_dev *hdev, u8 status)
1514 {
1515 	struct mgmt_pending_cmd *cmd;
1516 
1517 	bt_dev_dbg(hdev, "status 0x%02x", status);
1518 
1519 	hci_dev_lock(hdev);
1520 
1521 	cmd = pending_find(MGMT_OP_SET_CONNECTABLE, hdev);
1522 	if (!cmd)
1523 		goto unlock;
1524 
1525 	if (status) {
1526 		u8 mgmt_err = mgmt_status(status);
1527 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
1528 		goto remove_cmd;
1529 	}
1530 
1531 	send_settings_rsp(cmd->sk, MGMT_OP_SET_CONNECTABLE, hdev);
1532 	new_settings(hdev, cmd->sk);
1533 
1534 remove_cmd:
1535 	mgmt_pending_remove(cmd);
1536 
1537 unlock:
1538 	hci_dev_unlock(hdev);
1539 }
1540 
set_connectable_update_settings(struct hci_dev * hdev,struct sock * sk,u8 val)1541 static int set_connectable_update_settings(struct hci_dev *hdev,
1542 					   struct sock *sk, u8 val)
1543 {
1544 	bool changed = false;
1545 	int err;
1546 
1547 	if (!!val != hci_dev_test_flag(hdev, HCI_CONNECTABLE))
1548 		changed = true;
1549 
1550 	if (val) {
1551 		hci_dev_set_flag(hdev, HCI_CONNECTABLE);
1552 	} else {
1553 		hci_dev_clear_flag(hdev, HCI_CONNECTABLE);
1554 		hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1555 	}
1556 
1557 	err = send_settings_rsp(sk, MGMT_OP_SET_CONNECTABLE, hdev);
1558 	if (err < 0)
1559 		return err;
1560 
1561 	if (changed) {
1562 		hci_req_update_scan(hdev);
1563 		hci_update_background_scan(hdev);
1564 		return new_settings(hdev, sk);
1565 	}
1566 
1567 	return 0;
1568 }
1569 
set_connectable(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)1570 static int set_connectable(struct sock *sk, struct hci_dev *hdev, void *data,
1571 			   u16 len)
1572 {
1573 	struct mgmt_mode *cp = data;
1574 	struct mgmt_pending_cmd *cmd;
1575 	int err;
1576 
1577 	bt_dev_dbg(hdev, "sock %p", sk);
1578 
1579 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED) &&
1580 	    !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1581 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_CONNECTABLE,
1582 				       MGMT_STATUS_REJECTED);
1583 
1584 	if (cp->val != 0x00 && cp->val != 0x01)
1585 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_CONNECTABLE,
1586 				       MGMT_STATUS_INVALID_PARAMS);
1587 
1588 	hci_dev_lock(hdev);
1589 
1590 	if (!hdev_is_powered(hdev)) {
1591 		err = set_connectable_update_settings(hdev, sk, cp->val);
1592 		goto failed;
1593 	}
1594 
1595 	if (pending_find(MGMT_OP_SET_DISCOVERABLE, hdev) ||
1596 	    pending_find(MGMT_OP_SET_CONNECTABLE, hdev)) {
1597 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_CONNECTABLE,
1598 				      MGMT_STATUS_BUSY);
1599 		goto failed;
1600 	}
1601 
1602 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_CONNECTABLE, hdev, data, len);
1603 	if (!cmd) {
1604 		err = -ENOMEM;
1605 		goto failed;
1606 	}
1607 
1608 	if (cp->val) {
1609 		hci_dev_set_flag(hdev, HCI_CONNECTABLE);
1610 	} else {
1611 		if (hdev->discov_timeout > 0)
1612 			cancel_delayed_work(&hdev->discov_off);
1613 
1614 		hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1615 		hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1616 		hci_dev_clear_flag(hdev, HCI_CONNECTABLE);
1617 	}
1618 
1619 	queue_work(hdev->req_workqueue, &hdev->connectable_update);
1620 	err = 0;
1621 
1622 failed:
1623 	hci_dev_unlock(hdev);
1624 	return err;
1625 }
1626 
set_bondable(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)1627 static int set_bondable(struct sock *sk, struct hci_dev *hdev, void *data,
1628 			u16 len)
1629 {
1630 	struct mgmt_mode *cp = data;
1631 	bool changed;
1632 	int err;
1633 
1634 	bt_dev_dbg(hdev, "sock %p", sk);
1635 
1636 	if (cp->val != 0x00 && cp->val != 0x01)
1637 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BONDABLE,
1638 				       MGMT_STATUS_INVALID_PARAMS);
1639 
1640 	hci_dev_lock(hdev);
1641 
1642 	if (cp->val)
1643 		changed = !hci_dev_test_and_set_flag(hdev, HCI_BONDABLE);
1644 	else
1645 		changed = hci_dev_test_and_clear_flag(hdev, HCI_BONDABLE);
1646 
1647 	err = send_settings_rsp(sk, MGMT_OP_SET_BONDABLE, hdev);
1648 	if (err < 0)
1649 		goto unlock;
1650 
1651 	if (changed) {
1652 		/* In limited privacy mode the change of bondable mode
1653 		 * may affect the local advertising address.
1654 		 */
1655 		if (hdev_is_powered(hdev) &&
1656 		    hci_dev_test_flag(hdev, HCI_ADVERTISING) &&
1657 		    hci_dev_test_flag(hdev, HCI_DISCOVERABLE) &&
1658 		    hci_dev_test_flag(hdev, HCI_LIMITED_PRIVACY))
1659 			queue_work(hdev->req_workqueue,
1660 				   &hdev->discoverable_update);
1661 
1662 		err = new_settings(hdev, sk);
1663 	}
1664 
1665 unlock:
1666 	hci_dev_unlock(hdev);
1667 	return err;
1668 }
1669 
set_link_security(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)1670 static int set_link_security(struct sock *sk, struct hci_dev *hdev, void *data,
1671 			     u16 len)
1672 {
1673 	struct mgmt_mode *cp = data;
1674 	struct mgmt_pending_cmd *cmd;
1675 	u8 val, status;
1676 	int err;
1677 
1678 	bt_dev_dbg(hdev, "sock %p", sk);
1679 
1680 	status = mgmt_bredr_support(hdev);
1681 	if (status)
1682 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY,
1683 				       status);
1684 
1685 	if (cp->val != 0x00 && cp->val != 0x01)
1686 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY,
1687 				       MGMT_STATUS_INVALID_PARAMS);
1688 
1689 	hci_dev_lock(hdev);
1690 
1691 	if (!hdev_is_powered(hdev)) {
1692 		bool changed = false;
1693 
1694 		if (!!cp->val != hci_dev_test_flag(hdev, HCI_LINK_SECURITY)) {
1695 			hci_dev_change_flag(hdev, HCI_LINK_SECURITY);
1696 			changed = true;
1697 		}
1698 
1699 		err = send_settings_rsp(sk, MGMT_OP_SET_LINK_SECURITY, hdev);
1700 		if (err < 0)
1701 			goto failed;
1702 
1703 		if (changed)
1704 			err = new_settings(hdev, sk);
1705 
1706 		goto failed;
1707 	}
1708 
1709 	if (pending_find(MGMT_OP_SET_LINK_SECURITY, hdev)) {
1710 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY,
1711 				      MGMT_STATUS_BUSY);
1712 		goto failed;
1713 	}
1714 
1715 	val = !!cp->val;
1716 
1717 	if (test_bit(HCI_AUTH, &hdev->flags) == val) {
1718 		err = send_settings_rsp(sk, MGMT_OP_SET_LINK_SECURITY, hdev);
1719 		goto failed;
1720 	}
1721 
1722 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_LINK_SECURITY, hdev, data, len);
1723 	if (!cmd) {
1724 		err = -ENOMEM;
1725 		goto failed;
1726 	}
1727 
1728 	err = hci_send_cmd(hdev, HCI_OP_WRITE_AUTH_ENABLE, sizeof(val), &val);
1729 	if (err < 0) {
1730 		mgmt_pending_remove(cmd);
1731 		goto failed;
1732 	}
1733 
1734 failed:
1735 	hci_dev_unlock(hdev);
1736 	return err;
1737 }
1738 
set_ssp(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)1739 static int set_ssp(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
1740 {
1741 	struct mgmt_mode *cp = data;
1742 	struct mgmt_pending_cmd *cmd;
1743 	u8 status;
1744 	int err;
1745 
1746 	bt_dev_dbg(hdev, "sock %p", sk);
1747 
1748 	status = mgmt_bredr_support(hdev);
1749 	if (status)
1750 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP, status);
1751 
1752 	if (!lmp_ssp_capable(hdev))
1753 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
1754 				       MGMT_STATUS_NOT_SUPPORTED);
1755 
1756 	if (cp->val != 0x00 && cp->val != 0x01)
1757 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
1758 				       MGMT_STATUS_INVALID_PARAMS);
1759 
1760 	hci_dev_lock(hdev);
1761 
1762 	if (!hdev_is_powered(hdev)) {
1763 		bool changed;
1764 
1765 		if (cp->val) {
1766 			changed = !hci_dev_test_and_set_flag(hdev,
1767 							     HCI_SSP_ENABLED);
1768 		} else {
1769 			changed = hci_dev_test_and_clear_flag(hdev,
1770 							      HCI_SSP_ENABLED);
1771 			if (!changed)
1772 				changed = hci_dev_test_and_clear_flag(hdev,
1773 								      HCI_HS_ENABLED);
1774 			else
1775 				hci_dev_clear_flag(hdev, HCI_HS_ENABLED);
1776 		}
1777 
1778 		err = send_settings_rsp(sk, MGMT_OP_SET_SSP, hdev);
1779 		if (err < 0)
1780 			goto failed;
1781 
1782 		if (changed)
1783 			err = new_settings(hdev, sk);
1784 
1785 		goto failed;
1786 	}
1787 
1788 	if (pending_find(MGMT_OP_SET_SSP, hdev)) {
1789 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
1790 				      MGMT_STATUS_BUSY);
1791 		goto failed;
1792 	}
1793 
1794 	if (!!cp->val == hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
1795 		err = send_settings_rsp(sk, MGMT_OP_SET_SSP, hdev);
1796 		goto failed;
1797 	}
1798 
1799 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_SSP, hdev, data, len);
1800 	if (!cmd) {
1801 		err = -ENOMEM;
1802 		goto failed;
1803 	}
1804 
1805 	if (!cp->val && hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS))
1806 		hci_send_cmd(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE,
1807 			     sizeof(cp->val), &cp->val);
1808 
1809 	err = hci_send_cmd(hdev, HCI_OP_WRITE_SSP_MODE, 1, &cp->val);
1810 	if (err < 0) {
1811 		mgmt_pending_remove(cmd);
1812 		goto failed;
1813 	}
1814 
1815 failed:
1816 	hci_dev_unlock(hdev);
1817 	return err;
1818 }
1819 
set_hs(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)1820 static int set_hs(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
1821 {
1822 	struct mgmt_mode *cp = data;
1823 	bool changed;
1824 	u8 status;
1825 	int err;
1826 
1827 	bt_dev_dbg(hdev, "sock %p", sk);
1828 
1829 	if (!IS_ENABLED(CONFIG_BT_HS))
1830 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
1831 				       MGMT_STATUS_NOT_SUPPORTED);
1832 
1833 	status = mgmt_bredr_support(hdev);
1834 	if (status)
1835 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS, status);
1836 
1837 	if (!lmp_ssp_capable(hdev))
1838 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
1839 				       MGMT_STATUS_NOT_SUPPORTED);
1840 
1841 	if (!hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
1842 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
1843 				       MGMT_STATUS_REJECTED);
1844 
1845 	if (cp->val != 0x00 && cp->val != 0x01)
1846 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
1847 				       MGMT_STATUS_INVALID_PARAMS);
1848 
1849 	hci_dev_lock(hdev);
1850 
1851 	if (pending_find(MGMT_OP_SET_SSP, hdev)) {
1852 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
1853 				      MGMT_STATUS_BUSY);
1854 		goto unlock;
1855 	}
1856 
1857 	if (cp->val) {
1858 		changed = !hci_dev_test_and_set_flag(hdev, HCI_HS_ENABLED);
1859 	} else {
1860 		if (hdev_is_powered(hdev)) {
1861 			err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
1862 					      MGMT_STATUS_REJECTED);
1863 			goto unlock;
1864 		}
1865 
1866 		changed = hci_dev_test_and_clear_flag(hdev, HCI_HS_ENABLED);
1867 	}
1868 
1869 	err = send_settings_rsp(sk, MGMT_OP_SET_HS, hdev);
1870 	if (err < 0)
1871 		goto unlock;
1872 
1873 	if (changed)
1874 		err = new_settings(hdev, sk);
1875 
1876 unlock:
1877 	hci_dev_unlock(hdev);
1878 	return err;
1879 }
1880 
le_enable_complete(struct hci_dev * hdev,u8 status,u16 opcode)1881 static void le_enable_complete(struct hci_dev *hdev, u8 status, u16 opcode)
1882 {
1883 	struct cmd_lookup match = { NULL, hdev };
1884 
1885 	hci_dev_lock(hdev);
1886 
1887 	if (status) {
1888 		u8 mgmt_err = mgmt_status(status);
1889 
1890 		mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, cmd_status_rsp,
1891 				     &mgmt_err);
1892 		goto unlock;
1893 	}
1894 
1895 	mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, settings_rsp, &match);
1896 
1897 	new_settings(hdev, match.sk);
1898 
1899 	if (match.sk)
1900 		sock_put(match.sk);
1901 
1902 	/* Make sure the controller has a good default for
1903 	 * advertising data. Restrict the update to when LE
1904 	 * has actually been enabled. During power on, the
1905 	 * update in powered_update_hci will take care of it.
1906 	 */
1907 	if (hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1908 		struct hci_request req;
1909 		hci_req_init(&req, hdev);
1910 		if (ext_adv_capable(hdev)) {
1911 			int err;
1912 
1913 			err = __hci_req_setup_ext_adv_instance(&req, 0x00);
1914 			if (!err)
1915 				__hci_req_update_scan_rsp_data(&req, 0x00);
1916 		} else {
1917 			__hci_req_update_adv_data(&req, 0x00);
1918 			__hci_req_update_scan_rsp_data(&req, 0x00);
1919 		}
1920 		hci_req_run(&req, NULL);
1921 		hci_update_background_scan(hdev);
1922 	}
1923 
1924 unlock:
1925 	hci_dev_unlock(hdev);
1926 }
1927 
set_le(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)1928 static int set_le(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
1929 {
1930 	struct mgmt_mode *cp = data;
1931 	struct hci_cp_write_le_host_supported hci_cp;
1932 	struct mgmt_pending_cmd *cmd;
1933 	struct hci_request req;
1934 	int err;
1935 	u8 val, enabled;
1936 
1937 	bt_dev_dbg(hdev, "sock %p", sk);
1938 
1939 	if (!lmp_le_capable(hdev))
1940 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
1941 				       MGMT_STATUS_NOT_SUPPORTED);
1942 
1943 	if (cp->val != 0x00 && cp->val != 0x01)
1944 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
1945 				       MGMT_STATUS_INVALID_PARAMS);
1946 
1947 	/* Bluetooth single mode LE only controllers or dual-mode
1948 	 * controllers configured as LE only devices, do not allow
1949 	 * switching LE off. These have either LE enabled explicitly
1950 	 * or BR/EDR has been previously switched off.
1951 	 *
1952 	 * When trying to enable an already enabled LE, then gracefully
1953 	 * send a positive response. Trying to disable it however will
1954 	 * result into rejection.
1955 	 */
1956 	if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
1957 		if (cp->val == 0x01)
1958 			return send_settings_rsp(sk, MGMT_OP_SET_LE, hdev);
1959 
1960 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
1961 				       MGMT_STATUS_REJECTED);
1962 	}
1963 
1964 	hci_dev_lock(hdev);
1965 
1966 	val = !!cp->val;
1967 	enabled = lmp_host_le_capable(hdev);
1968 
1969 	if (!val)
1970 		hci_req_clear_adv_instance(hdev, NULL, NULL, 0x00, true);
1971 
1972 	if (!hdev_is_powered(hdev) || val == enabled) {
1973 		bool changed = false;
1974 
1975 		if (val != hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1976 			hci_dev_change_flag(hdev, HCI_LE_ENABLED);
1977 			changed = true;
1978 		}
1979 
1980 		if (!val && hci_dev_test_flag(hdev, HCI_ADVERTISING)) {
1981 			hci_dev_clear_flag(hdev, HCI_ADVERTISING);
1982 			changed = true;
1983 		}
1984 
1985 		err = send_settings_rsp(sk, MGMT_OP_SET_LE, hdev);
1986 		if (err < 0)
1987 			goto unlock;
1988 
1989 		if (changed)
1990 			err = new_settings(hdev, sk);
1991 
1992 		goto unlock;
1993 	}
1994 
1995 	if (pending_find(MGMT_OP_SET_LE, hdev) ||
1996 	    pending_find(MGMT_OP_SET_ADVERTISING, hdev)) {
1997 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
1998 				      MGMT_STATUS_BUSY);
1999 		goto unlock;
2000 	}
2001 
2002 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_LE, hdev, data, len);
2003 	if (!cmd) {
2004 		err = -ENOMEM;
2005 		goto unlock;
2006 	}
2007 
2008 	hci_req_init(&req, hdev);
2009 
2010 	memset(&hci_cp, 0, sizeof(hci_cp));
2011 
2012 	if (val) {
2013 		hci_cp.le = val;
2014 		hci_cp.simul = 0x00;
2015 	} else {
2016 		if (hci_dev_test_flag(hdev, HCI_LE_ADV))
2017 			__hci_req_disable_advertising(&req);
2018 
2019 		if (ext_adv_capable(hdev))
2020 			__hci_req_clear_ext_adv_sets(&req);
2021 	}
2022 
2023 	hci_req_add(&req, HCI_OP_WRITE_LE_HOST_SUPPORTED, sizeof(hci_cp),
2024 		    &hci_cp);
2025 
2026 	err = hci_req_run(&req, le_enable_complete);
2027 	if (err < 0)
2028 		mgmt_pending_remove(cmd);
2029 
2030 unlock:
2031 	hci_dev_unlock(hdev);
2032 	return err;
2033 }
2034 
2035 /* This is a helper function to test for pending mgmt commands that can
2036  * cause CoD or EIR HCI commands. We can only allow one such pending
2037  * mgmt command at a time since otherwise we cannot easily track what
2038  * the current values are, will be, and based on that calculate if a new
2039  * HCI command needs to be sent and if yes with what value.
2040  */
pending_eir_or_class(struct hci_dev * hdev)2041 static bool pending_eir_or_class(struct hci_dev *hdev)
2042 {
2043 	struct mgmt_pending_cmd *cmd;
2044 
2045 	list_for_each_entry(cmd, &hdev->mgmt_pending, list) {
2046 		switch (cmd->opcode) {
2047 		case MGMT_OP_ADD_UUID:
2048 		case MGMT_OP_REMOVE_UUID:
2049 		case MGMT_OP_SET_DEV_CLASS:
2050 		case MGMT_OP_SET_POWERED:
2051 			return true;
2052 		}
2053 	}
2054 
2055 	return false;
2056 }
2057 
2058 static const u8 bluetooth_base_uuid[] = {
2059 			0xfb, 0x34, 0x9b, 0x5f, 0x80, 0x00, 0x00, 0x80,
2060 			0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2061 };
2062 
get_uuid_size(const u8 * uuid)2063 static u8 get_uuid_size(const u8 *uuid)
2064 {
2065 	u32 val;
2066 
2067 	if (memcmp(uuid, bluetooth_base_uuid, 12))
2068 		return 128;
2069 
2070 	val = get_unaligned_le32(&uuid[12]);
2071 	if (val > 0xffff)
2072 		return 32;
2073 
2074 	return 16;
2075 }
2076 
mgmt_class_complete(struct hci_dev * hdev,u16 mgmt_op,u8 status)2077 static void mgmt_class_complete(struct hci_dev *hdev, u16 mgmt_op, u8 status)
2078 {
2079 	struct mgmt_pending_cmd *cmd;
2080 
2081 	hci_dev_lock(hdev);
2082 
2083 	cmd = pending_find(mgmt_op, hdev);
2084 	if (!cmd)
2085 		goto unlock;
2086 
2087 	mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
2088 			  mgmt_status(status), hdev->dev_class, 3);
2089 
2090 	mgmt_pending_remove(cmd);
2091 
2092 unlock:
2093 	hci_dev_unlock(hdev);
2094 }
2095 
add_uuid_complete(struct hci_dev * hdev,u8 status,u16 opcode)2096 static void add_uuid_complete(struct hci_dev *hdev, u8 status, u16 opcode)
2097 {
2098 	bt_dev_dbg(hdev, "status 0x%02x", status);
2099 
2100 	mgmt_class_complete(hdev, MGMT_OP_ADD_UUID, status);
2101 }
2102 
add_uuid(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)2103 static int add_uuid(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
2104 {
2105 	struct mgmt_cp_add_uuid *cp = data;
2106 	struct mgmt_pending_cmd *cmd;
2107 	struct hci_request req;
2108 	struct bt_uuid *uuid;
2109 	int err;
2110 
2111 	bt_dev_dbg(hdev, "sock %p", sk);
2112 
2113 	hci_dev_lock(hdev);
2114 
2115 	if (pending_eir_or_class(hdev)) {
2116 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_UUID,
2117 				      MGMT_STATUS_BUSY);
2118 		goto failed;
2119 	}
2120 
2121 	uuid = kmalloc(sizeof(*uuid), GFP_KERNEL);
2122 	if (!uuid) {
2123 		err = -ENOMEM;
2124 		goto failed;
2125 	}
2126 
2127 	memcpy(uuid->uuid, cp->uuid, 16);
2128 	uuid->svc_hint = cp->svc_hint;
2129 	uuid->size = get_uuid_size(cp->uuid);
2130 
2131 	list_add_tail(&uuid->list, &hdev->uuids);
2132 
2133 	hci_req_init(&req, hdev);
2134 
2135 	__hci_req_update_class(&req);
2136 	__hci_req_update_eir(&req);
2137 
2138 	err = hci_req_run(&req, add_uuid_complete);
2139 	if (err < 0) {
2140 		if (err != -ENODATA)
2141 			goto failed;
2142 
2143 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_UUID, 0,
2144 					hdev->dev_class, 3);
2145 		goto failed;
2146 	}
2147 
2148 	cmd = mgmt_pending_add(sk, MGMT_OP_ADD_UUID, hdev, data, len);
2149 	if (!cmd) {
2150 		err = -ENOMEM;
2151 		goto failed;
2152 	}
2153 
2154 	err = 0;
2155 
2156 failed:
2157 	hci_dev_unlock(hdev);
2158 	return err;
2159 }
2160 
enable_service_cache(struct hci_dev * hdev)2161 static bool enable_service_cache(struct hci_dev *hdev)
2162 {
2163 	if (!hdev_is_powered(hdev))
2164 		return false;
2165 
2166 	if (!hci_dev_test_and_set_flag(hdev, HCI_SERVICE_CACHE)) {
2167 		queue_delayed_work(hdev->workqueue, &hdev->service_cache,
2168 				   CACHE_TIMEOUT);
2169 		return true;
2170 	}
2171 
2172 	return false;
2173 }
2174 
remove_uuid_complete(struct hci_dev * hdev,u8 status,u16 opcode)2175 static void remove_uuid_complete(struct hci_dev *hdev, u8 status, u16 opcode)
2176 {
2177 	bt_dev_dbg(hdev, "status 0x%02x", status);
2178 
2179 	mgmt_class_complete(hdev, MGMT_OP_REMOVE_UUID, status);
2180 }
2181 
remove_uuid(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)2182 static int remove_uuid(struct sock *sk, struct hci_dev *hdev, void *data,
2183 		       u16 len)
2184 {
2185 	struct mgmt_cp_remove_uuid *cp = data;
2186 	struct mgmt_pending_cmd *cmd;
2187 	struct bt_uuid *match, *tmp;
2188 	u8 bt_uuid_any[] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
2189 	struct hci_request req;
2190 	int err, found;
2191 
2192 	bt_dev_dbg(hdev, "sock %p", sk);
2193 
2194 	hci_dev_lock(hdev);
2195 
2196 	if (pending_eir_or_class(hdev)) {
2197 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_UUID,
2198 				      MGMT_STATUS_BUSY);
2199 		goto unlock;
2200 	}
2201 
2202 	if (memcmp(cp->uuid, bt_uuid_any, 16) == 0) {
2203 		hci_uuids_clear(hdev);
2204 
2205 		if (enable_service_cache(hdev)) {
2206 			err = mgmt_cmd_complete(sk, hdev->id,
2207 						MGMT_OP_REMOVE_UUID,
2208 						0, hdev->dev_class, 3);
2209 			goto unlock;
2210 		}
2211 
2212 		goto update_class;
2213 	}
2214 
2215 	found = 0;
2216 
2217 	list_for_each_entry_safe(match, tmp, &hdev->uuids, list) {
2218 		if (memcmp(match->uuid, cp->uuid, 16) != 0)
2219 			continue;
2220 
2221 		list_del(&match->list);
2222 		kfree(match);
2223 		found++;
2224 	}
2225 
2226 	if (found == 0) {
2227 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_UUID,
2228 				      MGMT_STATUS_INVALID_PARAMS);
2229 		goto unlock;
2230 	}
2231 
2232 update_class:
2233 	hci_req_init(&req, hdev);
2234 
2235 	__hci_req_update_class(&req);
2236 	__hci_req_update_eir(&req);
2237 
2238 	err = hci_req_run(&req, remove_uuid_complete);
2239 	if (err < 0) {
2240 		if (err != -ENODATA)
2241 			goto unlock;
2242 
2243 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_UUID, 0,
2244 					hdev->dev_class, 3);
2245 		goto unlock;
2246 	}
2247 
2248 	cmd = mgmt_pending_add(sk, MGMT_OP_REMOVE_UUID, hdev, data, len);
2249 	if (!cmd) {
2250 		err = -ENOMEM;
2251 		goto unlock;
2252 	}
2253 
2254 	err = 0;
2255 
2256 unlock:
2257 	hci_dev_unlock(hdev);
2258 	return err;
2259 }
2260 
set_class_complete(struct hci_dev * hdev,u8 status,u16 opcode)2261 static void set_class_complete(struct hci_dev *hdev, u8 status, u16 opcode)
2262 {
2263 	bt_dev_dbg(hdev, "status 0x%02x", status);
2264 
2265 	mgmt_class_complete(hdev, MGMT_OP_SET_DEV_CLASS, status);
2266 }
2267 
set_dev_class(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)2268 static int set_dev_class(struct sock *sk, struct hci_dev *hdev, void *data,
2269 			 u16 len)
2270 {
2271 	struct mgmt_cp_set_dev_class *cp = data;
2272 	struct mgmt_pending_cmd *cmd;
2273 	struct hci_request req;
2274 	int err;
2275 
2276 	bt_dev_dbg(hdev, "sock %p", sk);
2277 
2278 	if (!lmp_bredr_capable(hdev))
2279 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEV_CLASS,
2280 				       MGMT_STATUS_NOT_SUPPORTED);
2281 
2282 	hci_dev_lock(hdev);
2283 
2284 	if (pending_eir_or_class(hdev)) {
2285 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEV_CLASS,
2286 				      MGMT_STATUS_BUSY);
2287 		goto unlock;
2288 	}
2289 
2290 	if ((cp->minor & 0x03) != 0 || (cp->major & 0xe0) != 0) {
2291 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEV_CLASS,
2292 				      MGMT_STATUS_INVALID_PARAMS);
2293 		goto unlock;
2294 	}
2295 
2296 	hdev->major_class = cp->major;
2297 	hdev->minor_class = cp->minor;
2298 
2299 	if (!hdev_is_powered(hdev)) {
2300 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_DEV_CLASS, 0,
2301 					hdev->dev_class, 3);
2302 		goto unlock;
2303 	}
2304 
2305 	hci_req_init(&req, hdev);
2306 
2307 	if (hci_dev_test_and_clear_flag(hdev, HCI_SERVICE_CACHE)) {
2308 		hci_dev_unlock(hdev);
2309 		cancel_delayed_work_sync(&hdev->service_cache);
2310 		hci_dev_lock(hdev);
2311 		__hci_req_update_eir(&req);
2312 	}
2313 
2314 	__hci_req_update_class(&req);
2315 
2316 	err = hci_req_run(&req, set_class_complete);
2317 	if (err < 0) {
2318 		if (err != -ENODATA)
2319 			goto unlock;
2320 
2321 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_DEV_CLASS, 0,
2322 					hdev->dev_class, 3);
2323 		goto unlock;
2324 	}
2325 
2326 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_DEV_CLASS, hdev, data, len);
2327 	if (!cmd) {
2328 		err = -ENOMEM;
2329 		goto unlock;
2330 	}
2331 
2332 	err = 0;
2333 
2334 unlock:
2335 	hci_dev_unlock(hdev);
2336 	return err;
2337 }
2338 
load_link_keys(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)2339 static int load_link_keys(struct sock *sk, struct hci_dev *hdev, void *data,
2340 			  u16 len)
2341 {
2342 	struct mgmt_cp_load_link_keys *cp = data;
2343 	const u16 max_key_count = ((U16_MAX - sizeof(*cp)) /
2344 				   sizeof(struct mgmt_link_key_info));
2345 	u16 key_count, expected_len;
2346 	bool changed;
2347 	int i;
2348 
2349 	bt_dev_dbg(hdev, "sock %p", sk);
2350 
2351 	if (!lmp_bredr_capable(hdev))
2352 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2353 				       MGMT_STATUS_NOT_SUPPORTED);
2354 
2355 	key_count = __le16_to_cpu(cp->key_count);
2356 	if (key_count > max_key_count) {
2357 		bt_dev_err(hdev, "load_link_keys: too big key_count value %u",
2358 			   key_count);
2359 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2360 				       MGMT_STATUS_INVALID_PARAMS);
2361 	}
2362 
2363 	expected_len = struct_size(cp, keys, key_count);
2364 	if (expected_len != len) {
2365 		bt_dev_err(hdev, "load_link_keys: expected %u bytes, got %u bytes",
2366 			   expected_len, len);
2367 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2368 				       MGMT_STATUS_INVALID_PARAMS);
2369 	}
2370 
2371 	if (cp->debug_keys != 0x00 && cp->debug_keys != 0x01)
2372 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2373 				       MGMT_STATUS_INVALID_PARAMS);
2374 
2375 	bt_dev_dbg(hdev, "debug_keys %u key_count %u", cp->debug_keys,
2376 		   key_count);
2377 
2378 	for (i = 0; i < key_count; i++) {
2379 		struct mgmt_link_key_info *key = &cp->keys[i];
2380 
2381 		if (key->addr.type != BDADDR_BREDR || key->type > 0x08)
2382 			return mgmt_cmd_status(sk, hdev->id,
2383 					       MGMT_OP_LOAD_LINK_KEYS,
2384 					       MGMT_STATUS_INVALID_PARAMS);
2385 	}
2386 
2387 	hci_dev_lock(hdev);
2388 
2389 	hci_link_keys_clear(hdev);
2390 
2391 	if (cp->debug_keys)
2392 		changed = !hci_dev_test_and_set_flag(hdev, HCI_KEEP_DEBUG_KEYS);
2393 	else
2394 		changed = hci_dev_test_and_clear_flag(hdev,
2395 						      HCI_KEEP_DEBUG_KEYS);
2396 
2397 	if (changed)
2398 		new_settings(hdev, NULL);
2399 
2400 	for (i = 0; i < key_count; i++) {
2401 		struct mgmt_link_key_info *key = &cp->keys[i];
2402 
2403 		if (hci_is_blocked_key(hdev,
2404 				       HCI_BLOCKED_KEY_TYPE_LINKKEY,
2405 				       key->val)) {
2406 			bt_dev_warn(hdev, "Skipping blocked link key for %pMR",
2407 				    &key->addr.bdaddr);
2408 			continue;
2409 		}
2410 
2411 		/* Always ignore debug keys and require a new pairing if
2412 		 * the user wants to use them.
2413 		 */
2414 		if (key->type == HCI_LK_DEBUG_COMBINATION)
2415 			continue;
2416 
2417 		hci_add_link_key(hdev, NULL, &key->addr.bdaddr, key->val,
2418 				 key->type, key->pin_len, NULL);
2419 	}
2420 
2421 	mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS, 0, NULL, 0);
2422 
2423 	hci_dev_unlock(hdev);
2424 
2425 	return 0;
2426 }
2427 
device_unpaired(struct hci_dev * hdev,bdaddr_t * bdaddr,u8 addr_type,struct sock * skip_sk)2428 static int device_unpaired(struct hci_dev *hdev, bdaddr_t *bdaddr,
2429 			   u8 addr_type, struct sock *skip_sk)
2430 {
2431 	struct mgmt_ev_device_unpaired ev;
2432 
2433 	bacpy(&ev.addr.bdaddr, bdaddr);
2434 	ev.addr.type = addr_type;
2435 
2436 	return mgmt_event(MGMT_EV_DEVICE_UNPAIRED, hdev, &ev, sizeof(ev),
2437 			  skip_sk);
2438 }
2439 
unpair_device(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)2440 static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2441 			 u16 len)
2442 {
2443 	struct mgmt_cp_unpair_device *cp = data;
2444 	struct mgmt_rp_unpair_device rp;
2445 	struct hci_conn_params *params;
2446 	struct mgmt_pending_cmd *cmd;
2447 	struct hci_conn *conn;
2448 	u8 addr_type;
2449 	int err;
2450 
2451 	memset(&rp, 0, sizeof(rp));
2452 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
2453 	rp.addr.type = cp->addr.type;
2454 
2455 	if (!bdaddr_type_is_valid(cp->addr.type))
2456 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2457 					 MGMT_STATUS_INVALID_PARAMS,
2458 					 &rp, sizeof(rp));
2459 
2460 	if (cp->disconnect != 0x00 && cp->disconnect != 0x01)
2461 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2462 					 MGMT_STATUS_INVALID_PARAMS,
2463 					 &rp, sizeof(rp));
2464 
2465 	hci_dev_lock(hdev);
2466 
2467 	if (!hdev_is_powered(hdev)) {
2468 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2469 					MGMT_STATUS_NOT_POWERED, &rp,
2470 					sizeof(rp));
2471 		goto unlock;
2472 	}
2473 
2474 	if (cp->addr.type == BDADDR_BREDR) {
2475 		/* If disconnection is requested, then look up the
2476 		 * connection. If the remote device is connected, it
2477 		 * will be later used to terminate the link.
2478 		 *
2479 		 * Setting it to NULL explicitly will cause no
2480 		 * termination of the link.
2481 		 */
2482 		if (cp->disconnect)
2483 			conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
2484 						       &cp->addr.bdaddr);
2485 		else
2486 			conn = NULL;
2487 
2488 		err = hci_remove_link_key(hdev, &cp->addr.bdaddr);
2489 		if (err < 0) {
2490 			err = mgmt_cmd_complete(sk, hdev->id,
2491 						MGMT_OP_UNPAIR_DEVICE,
2492 						MGMT_STATUS_NOT_PAIRED, &rp,
2493 						sizeof(rp));
2494 			goto unlock;
2495 		}
2496 
2497 		goto done;
2498 	}
2499 
2500 	/* LE address type */
2501 	addr_type = le_addr_type(cp->addr.type);
2502 
2503 	/* Abort any ongoing SMP pairing. Removes ltk and irk if they exist. */
2504 	err = smp_cancel_and_remove_pairing(hdev, &cp->addr.bdaddr, addr_type);
2505 	if (err < 0) {
2506 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2507 					MGMT_STATUS_NOT_PAIRED, &rp,
2508 					sizeof(rp));
2509 		goto unlock;
2510 	}
2511 
2512 	conn = hci_conn_hash_lookup_le(hdev, &cp->addr.bdaddr, addr_type);
2513 	if (!conn) {
2514 		hci_conn_params_del(hdev, &cp->addr.bdaddr, addr_type);
2515 		goto done;
2516 	}
2517 
2518 
2519 	/* Defer clearing up the connection parameters until closing to
2520 	 * give a chance of keeping them if a repairing happens.
2521 	 */
2522 	set_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags);
2523 
2524 	/* Disable auto-connection parameters if present */
2525 	params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr, addr_type);
2526 	if (params) {
2527 		if (params->explicit_connect)
2528 			params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
2529 		else
2530 			params->auto_connect = HCI_AUTO_CONN_DISABLED;
2531 	}
2532 
2533 	/* If disconnection is not requested, then clear the connection
2534 	 * variable so that the link is not terminated.
2535 	 */
2536 	if (!cp->disconnect)
2537 		conn = NULL;
2538 
2539 done:
2540 	/* If the connection variable is set, then termination of the
2541 	 * link is requested.
2542 	 */
2543 	if (!conn) {
2544 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE, 0,
2545 					&rp, sizeof(rp));
2546 		device_unpaired(hdev, &cp->addr.bdaddr, cp->addr.type, sk);
2547 		goto unlock;
2548 	}
2549 
2550 	cmd = mgmt_pending_add(sk, MGMT_OP_UNPAIR_DEVICE, hdev, cp,
2551 			       sizeof(*cp));
2552 	if (!cmd) {
2553 		err = -ENOMEM;
2554 		goto unlock;
2555 	}
2556 
2557 	cmd->cmd_complete = addr_cmd_complete;
2558 
2559 	err = hci_abort_conn(conn, HCI_ERROR_REMOTE_USER_TERM);
2560 	if (err < 0)
2561 		mgmt_pending_remove(cmd);
2562 
2563 unlock:
2564 	hci_dev_unlock(hdev);
2565 	return err;
2566 }
2567 
disconnect(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)2568 static int disconnect(struct sock *sk, struct hci_dev *hdev, void *data,
2569 		      u16 len)
2570 {
2571 	struct mgmt_cp_disconnect *cp = data;
2572 	struct mgmt_rp_disconnect rp;
2573 	struct mgmt_pending_cmd *cmd;
2574 	struct hci_conn *conn;
2575 	int err;
2576 
2577 	bt_dev_dbg(hdev, "sock %p", sk);
2578 
2579 	memset(&rp, 0, sizeof(rp));
2580 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
2581 	rp.addr.type = cp->addr.type;
2582 
2583 	if (!bdaddr_type_is_valid(cp->addr.type))
2584 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
2585 					 MGMT_STATUS_INVALID_PARAMS,
2586 					 &rp, sizeof(rp));
2587 
2588 	hci_dev_lock(hdev);
2589 
2590 	if (!test_bit(HCI_UP, &hdev->flags)) {
2591 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
2592 					MGMT_STATUS_NOT_POWERED, &rp,
2593 					sizeof(rp));
2594 		goto failed;
2595 	}
2596 
2597 	if (pending_find(MGMT_OP_DISCONNECT, hdev)) {
2598 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
2599 					MGMT_STATUS_BUSY, &rp, sizeof(rp));
2600 		goto failed;
2601 	}
2602 
2603 	if (cp->addr.type == BDADDR_BREDR)
2604 		conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
2605 					       &cp->addr.bdaddr);
2606 	else
2607 		conn = hci_conn_hash_lookup_le(hdev, &cp->addr.bdaddr,
2608 					       le_addr_type(cp->addr.type));
2609 
2610 	if (!conn || conn->state == BT_OPEN || conn->state == BT_CLOSED) {
2611 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
2612 					MGMT_STATUS_NOT_CONNECTED, &rp,
2613 					sizeof(rp));
2614 		goto failed;
2615 	}
2616 
2617 	cmd = mgmt_pending_add(sk, MGMT_OP_DISCONNECT, hdev, data, len);
2618 	if (!cmd) {
2619 		err = -ENOMEM;
2620 		goto failed;
2621 	}
2622 
2623 	cmd->cmd_complete = generic_cmd_complete;
2624 
2625 	err = hci_disconnect(conn, HCI_ERROR_REMOTE_USER_TERM);
2626 	if (err < 0)
2627 		mgmt_pending_remove(cmd);
2628 
2629 failed:
2630 	hci_dev_unlock(hdev);
2631 	return err;
2632 }
2633 
link_to_bdaddr(u8 link_type,u8 addr_type)2634 static u8 link_to_bdaddr(u8 link_type, u8 addr_type)
2635 {
2636 	switch (link_type) {
2637 	case LE_LINK:
2638 		switch (addr_type) {
2639 		case ADDR_LE_DEV_PUBLIC:
2640 			return BDADDR_LE_PUBLIC;
2641 
2642 		default:
2643 			/* Fallback to LE Random address type */
2644 			return BDADDR_LE_RANDOM;
2645 		}
2646 
2647 	default:
2648 		/* Fallback to BR/EDR type */
2649 		return BDADDR_BREDR;
2650 	}
2651 }
2652 
get_connections(struct sock * sk,struct hci_dev * hdev,void * data,u16 data_len)2653 static int get_connections(struct sock *sk, struct hci_dev *hdev, void *data,
2654 			   u16 data_len)
2655 {
2656 	struct mgmt_rp_get_connections *rp;
2657 	struct hci_conn *c;
2658 	int err;
2659 	u16 i;
2660 
2661 	bt_dev_dbg(hdev, "sock %p", sk);
2662 
2663 	hci_dev_lock(hdev);
2664 
2665 	if (!hdev_is_powered(hdev)) {
2666 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_GET_CONNECTIONS,
2667 				      MGMT_STATUS_NOT_POWERED);
2668 		goto unlock;
2669 	}
2670 
2671 	i = 0;
2672 	list_for_each_entry(c, &hdev->conn_hash.list, list) {
2673 		if (test_bit(HCI_CONN_MGMT_CONNECTED, &c->flags))
2674 			i++;
2675 	}
2676 
2677 	rp = kmalloc(struct_size(rp, addr, i), GFP_KERNEL);
2678 	if (!rp) {
2679 		err = -ENOMEM;
2680 		goto unlock;
2681 	}
2682 
2683 	i = 0;
2684 	list_for_each_entry(c, &hdev->conn_hash.list, list) {
2685 		if (!test_bit(HCI_CONN_MGMT_CONNECTED, &c->flags))
2686 			continue;
2687 		bacpy(&rp->addr[i].bdaddr, &c->dst);
2688 		rp->addr[i].type = link_to_bdaddr(c->type, c->dst_type);
2689 		if (c->type == SCO_LINK || c->type == ESCO_LINK)
2690 			continue;
2691 		i++;
2692 	}
2693 
2694 	rp->conn_count = cpu_to_le16(i);
2695 
2696 	/* Recalculate length in case of filtered SCO connections, etc */
2697 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONNECTIONS, 0, rp,
2698 				struct_size(rp, addr, i));
2699 
2700 	kfree(rp);
2701 
2702 unlock:
2703 	hci_dev_unlock(hdev);
2704 	return err;
2705 }
2706 
send_pin_code_neg_reply(struct sock * sk,struct hci_dev * hdev,struct mgmt_cp_pin_code_neg_reply * cp)2707 static int send_pin_code_neg_reply(struct sock *sk, struct hci_dev *hdev,
2708 				   struct mgmt_cp_pin_code_neg_reply *cp)
2709 {
2710 	struct mgmt_pending_cmd *cmd;
2711 	int err;
2712 
2713 	cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_NEG_REPLY, hdev, cp,
2714 			       sizeof(*cp));
2715 	if (!cmd)
2716 		return -ENOMEM;
2717 
2718 	cmd->cmd_complete = addr_cmd_complete;
2719 
2720 	err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
2721 			   sizeof(cp->addr.bdaddr), &cp->addr.bdaddr);
2722 	if (err < 0)
2723 		mgmt_pending_remove(cmd);
2724 
2725 	return err;
2726 }
2727 
pin_code_reply(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)2728 static int pin_code_reply(struct sock *sk, struct hci_dev *hdev, void *data,
2729 			  u16 len)
2730 {
2731 	struct hci_conn *conn;
2732 	struct mgmt_cp_pin_code_reply *cp = data;
2733 	struct hci_cp_pin_code_reply reply;
2734 	struct mgmt_pending_cmd *cmd;
2735 	int err;
2736 
2737 	bt_dev_dbg(hdev, "sock %p", sk);
2738 
2739 	hci_dev_lock(hdev);
2740 
2741 	if (!hdev_is_powered(hdev)) {
2742 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
2743 				      MGMT_STATUS_NOT_POWERED);
2744 		goto failed;
2745 	}
2746 
2747 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->addr.bdaddr);
2748 	if (!conn) {
2749 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
2750 				      MGMT_STATUS_NOT_CONNECTED);
2751 		goto failed;
2752 	}
2753 
2754 	if (conn->pending_sec_level == BT_SECURITY_HIGH && cp->pin_len != 16) {
2755 		struct mgmt_cp_pin_code_neg_reply ncp;
2756 
2757 		memcpy(&ncp.addr, &cp->addr, sizeof(ncp.addr));
2758 
2759 		bt_dev_err(hdev, "PIN code is not 16 bytes long");
2760 
2761 		err = send_pin_code_neg_reply(sk, hdev, &ncp);
2762 		if (err >= 0)
2763 			err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
2764 					      MGMT_STATUS_INVALID_PARAMS);
2765 
2766 		goto failed;
2767 	}
2768 
2769 	cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_REPLY, hdev, data, len);
2770 	if (!cmd) {
2771 		err = -ENOMEM;
2772 		goto failed;
2773 	}
2774 
2775 	cmd->cmd_complete = addr_cmd_complete;
2776 
2777 	bacpy(&reply.bdaddr, &cp->addr.bdaddr);
2778 	reply.pin_len = cp->pin_len;
2779 	memcpy(reply.pin_code, cp->pin_code, sizeof(reply.pin_code));
2780 
2781 	err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_REPLY, sizeof(reply), &reply);
2782 	if (err < 0)
2783 		mgmt_pending_remove(cmd);
2784 
2785 failed:
2786 	hci_dev_unlock(hdev);
2787 	return err;
2788 }
2789 
set_io_capability(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)2790 static int set_io_capability(struct sock *sk, struct hci_dev *hdev, void *data,
2791 			     u16 len)
2792 {
2793 	struct mgmt_cp_set_io_capability *cp = data;
2794 
2795 	bt_dev_dbg(hdev, "sock %p", sk);
2796 
2797 	if (cp->io_capability > SMP_IO_KEYBOARD_DISPLAY)
2798 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_IO_CAPABILITY,
2799 				       MGMT_STATUS_INVALID_PARAMS);
2800 
2801 	hci_dev_lock(hdev);
2802 
2803 	hdev->io_capability = cp->io_capability;
2804 
2805 	bt_dev_dbg(hdev, "IO capability set to 0x%02x", hdev->io_capability);
2806 
2807 	hci_dev_unlock(hdev);
2808 
2809 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_IO_CAPABILITY, 0,
2810 				 NULL, 0);
2811 }
2812 
find_pairing(struct hci_conn * conn)2813 static struct mgmt_pending_cmd *find_pairing(struct hci_conn *conn)
2814 {
2815 	struct hci_dev *hdev = conn->hdev;
2816 	struct mgmt_pending_cmd *cmd;
2817 
2818 	list_for_each_entry(cmd, &hdev->mgmt_pending, list) {
2819 		if (cmd->opcode != MGMT_OP_PAIR_DEVICE)
2820 			continue;
2821 
2822 		if (cmd->user_data != conn)
2823 			continue;
2824 
2825 		return cmd;
2826 	}
2827 
2828 	return NULL;
2829 }
2830 
pairing_complete(struct mgmt_pending_cmd * cmd,u8 status)2831 static int pairing_complete(struct mgmt_pending_cmd *cmd, u8 status)
2832 {
2833 	struct mgmt_rp_pair_device rp;
2834 	struct hci_conn *conn = cmd->user_data;
2835 	int err;
2836 
2837 	bacpy(&rp.addr.bdaddr, &conn->dst);
2838 	rp.addr.type = link_to_bdaddr(conn->type, conn->dst_type);
2839 
2840 	err = mgmt_cmd_complete(cmd->sk, cmd->index, MGMT_OP_PAIR_DEVICE,
2841 				status, &rp, sizeof(rp));
2842 
2843 	/* So we don't get further callbacks for this connection */
2844 	conn->connect_cfm_cb = NULL;
2845 	conn->security_cfm_cb = NULL;
2846 	conn->disconn_cfm_cb = NULL;
2847 
2848 	hci_conn_drop(conn);
2849 
2850 	/* The device is paired so there is no need to remove
2851 	 * its connection parameters anymore.
2852 	 */
2853 	clear_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags);
2854 
2855 	hci_conn_put(conn);
2856 
2857 	return err;
2858 }
2859 
mgmt_smp_complete(struct hci_conn * conn,bool complete)2860 void mgmt_smp_complete(struct hci_conn *conn, bool complete)
2861 {
2862 	u8 status = complete ? MGMT_STATUS_SUCCESS : MGMT_STATUS_FAILED;
2863 	struct mgmt_pending_cmd *cmd;
2864 
2865 	cmd = find_pairing(conn);
2866 	if (cmd) {
2867 		cmd->cmd_complete(cmd, status);
2868 		mgmt_pending_remove(cmd);
2869 	}
2870 }
2871 
pairing_complete_cb(struct hci_conn * conn,u8 status)2872 static void pairing_complete_cb(struct hci_conn *conn, u8 status)
2873 {
2874 	struct mgmt_pending_cmd *cmd;
2875 
2876 	BT_DBG("status %u", status);
2877 
2878 	cmd = find_pairing(conn);
2879 	if (!cmd) {
2880 		BT_DBG("Unable to find a pending command");
2881 		return;
2882 	}
2883 
2884 	cmd->cmd_complete(cmd, mgmt_status(status));
2885 	mgmt_pending_remove(cmd);
2886 }
2887 
le_pairing_complete_cb(struct hci_conn * conn,u8 status)2888 static void le_pairing_complete_cb(struct hci_conn *conn, u8 status)
2889 {
2890 	struct mgmt_pending_cmd *cmd;
2891 
2892 	BT_DBG("status %u", status);
2893 
2894 	if (!status)
2895 		return;
2896 
2897 	cmd = find_pairing(conn);
2898 	if (!cmd) {
2899 		BT_DBG("Unable to find a pending command");
2900 		return;
2901 	}
2902 
2903 	cmd->cmd_complete(cmd, mgmt_status(status));
2904 	mgmt_pending_remove(cmd);
2905 }
2906 
pair_device(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)2907 static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2908 		       u16 len)
2909 {
2910 	struct mgmt_cp_pair_device *cp = data;
2911 	struct mgmt_rp_pair_device rp;
2912 	struct mgmt_pending_cmd *cmd;
2913 	u8 sec_level, auth_type;
2914 	struct hci_conn *conn;
2915 	int err;
2916 
2917 	bt_dev_dbg(hdev, "sock %p", sk);
2918 
2919 	memset(&rp, 0, sizeof(rp));
2920 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
2921 	rp.addr.type = cp->addr.type;
2922 
2923 	if (!bdaddr_type_is_valid(cp->addr.type))
2924 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2925 					 MGMT_STATUS_INVALID_PARAMS,
2926 					 &rp, sizeof(rp));
2927 
2928 	if (cp->io_cap > SMP_IO_KEYBOARD_DISPLAY)
2929 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2930 					 MGMT_STATUS_INVALID_PARAMS,
2931 					 &rp, sizeof(rp));
2932 
2933 	hci_dev_lock(hdev);
2934 
2935 	if (!hdev_is_powered(hdev)) {
2936 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2937 					MGMT_STATUS_NOT_POWERED, &rp,
2938 					sizeof(rp));
2939 		goto unlock;
2940 	}
2941 
2942 	if (hci_bdaddr_is_paired(hdev, &cp->addr.bdaddr, cp->addr.type)) {
2943 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2944 					MGMT_STATUS_ALREADY_PAIRED, &rp,
2945 					sizeof(rp));
2946 		goto unlock;
2947 	}
2948 
2949 	sec_level = BT_SECURITY_MEDIUM;
2950 	auth_type = HCI_AT_DEDICATED_BONDING;
2951 
2952 	if (cp->addr.type == BDADDR_BREDR) {
2953 		conn = hci_connect_acl(hdev, &cp->addr.bdaddr, sec_level,
2954 				       auth_type, CONN_REASON_PAIR_DEVICE);
2955 	} else {
2956 		u8 addr_type = le_addr_type(cp->addr.type);
2957 		struct hci_conn_params *p;
2958 
2959 		/* When pairing a new device, it is expected to remember
2960 		 * this device for future connections. Adding the connection
2961 		 * parameter information ahead of time allows tracking
2962 		 * of the peripheral preferred values and will speed up any
2963 		 * further connection establishment.
2964 		 *
2965 		 * If connection parameters already exist, then they
2966 		 * will be kept and this function does nothing.
2967 		 */
2968 		p = hci_conn_params_add(hdev, &cp->addr.bdaddr, addr_type);
2969 
2970 		if (p->auto_connect == HCI_AUTO_CONN_EXPLICIT)
2971 			p->auto_connect = HCI_AUTO_CONN_DISABLED;
2972 
2973 		conn = hci_connect_le_scan(hdev, &cp->addr.bdaddr, addr_type,
2974 					   sec_level, HCI_LE_CONN_TIMEOUT,
2975 					   CONN_REASON_PAIR_DEVICE);
2976 	}
2977 
2978 	if (IS_ERR(conn)) {
2979 		int status;
2980 
2981 		if (PTR_ERR(conn) == -EBUSY)
2982 			status = MGMT_STATUS_BUSY;
2983 		else if (PTR_ERR(conn) == -EOPNOTSUPP)
2984 			status = MGMT_STATUS_NOT_SUPPORTED;
2985 		else if (PTR_ERR(conn) == -ECONNREFUSED)
2986 			status = MGMT_STATUS_REJECTED;
2987 		else
2988 			status = MGMT_STATUS_CONNECT_FAILED;
2989 
2990 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2991 					status, &rp, sizeof(rp));
2992 		goto unlock;
2993 	}
2994 
2995 	if (conn->connect_cfm_cb) {
2996 		hci_conn_drop(conn);
2997 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2998 					MGMT_STATUS_BUSY, &rp, sizeof(rp));
2999 		goto unlock;
3000 	}
3001 
3002 	cmd = mgmt_pending_add(sk, MGMT_OP_PAIR_DEVICE, hdev, data, len);
3003 	if (!cmd) {
3004 		err = -ENOMEM;
3005 		hci_conn_drop(conn);
3006 		goto unlock;
3007 	}
3008 
3009 	cmd->cmd_complete = pairing_complete;
3010 
3011 	/* For LE, just connecting isn't a proof that the pairing finished */
3012 	if (cp->addr.type == BDADDR_BREDR) {
3013 		conn->connect_cfm_cb = pairing_complete_cb;
3014 		conn->security_cfm_cb = pairing_complete_cb;
3015 		conn->disconn_cfm_cb = pairing_complete_cb;
3016 	} else {
3017 		conn->connect_cfm_cb = le_pairing_complete_cb;
3018 		conn->security_cfm_cb = le_pairing_complete_cb;
3019 		conn->disconn_cfm_cb = le_pairing_complete_cb;
3020 	}
3021 
3022 	conn->io_capability = cp->io_cap;
3023 	cmd->user_data = hci_conn_get(conn);
3024 
3025 	if ((conn->state == BT_CONNECTED || conn->state == BT_CONFIG) &&
3026 	    hci_conn_security(conn, sec_level, auth_type, true)) {
3027 		cmd->cmd_complete(cmd, 0);
3028 		mgmt_pending_remove(cmd);
3029 	}
3030 
3031 	err = 0;
3032 
3033 unlock:
3034 	hci_dev_unlock(hdev);
3035 	return err;
3036 }
3037 
cancel_pair_device(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)3038 static int cancel_pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
3039 			      u16 len)
3040 {
3041 	struct mgmt_addr_info *addr = data;
3042 	struct mgmt_pending_cmd *cmd;
3043 	struct hci_conn *conn;
3044 	int err;
3045 
3046 	bt_dev_dbg(hdev, "sock %p", sk);
3047 
3048 	hci_dev_lock(hdev);
3049 
3050 	if (!hdev_is_powered(hdev)) {
3051 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
3052 				      MGMT_STATUS_NOT_POWERED);
3053 		goto unlock;
3054 	}
3055 
3056 	cmd = pending_find(MGMT_OP_PAIR_DEVICE, hdev);
3057 	if (!cmd) {
3058 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
3059 				      MGMT_STATUS_INVALID_PARAMS);
3060 		goto unlock;
3061 	}
3062 
3063 	conn = cmd->user_data;
3064 
3065 	if (bacmp(&addr->bdaddr, &conn->dst) != 0) {
3066 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
3067 				      MGMT_STATUS_INVALID_PARAMS);
3068 		goto unlock;
3069 	}
3070 
3071 	cmd->cmd_complete(cmd, MGMT_STATUS_CANCELLED);
3072 	mgmt_pending_remove(cmd);
3073 
3074 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE, 0,
3075 				addr, sizeof(*addr));
3076 
3077 	/* Since user doesn't want to proceed with the connection, abort any
3078 	 * ongoing pairing and then terminate the link if it was created
3079 	 * because of the pair device action.
3080 	 */
3081 	if (addr->type == BDADDR_BREDR)
3082 		hci_remove_link_key(hdev, &addr->bdaddr);
3083 	else
3084 		smp_cancel_and_remove_pairing(hdev, &addr->bdaddr,
3085 					      le_addr_type(addr->type));
3086 
3087 	if (conn->conn_reason == CONN_REASON_PAIR_DEVICE)
3088 		hci_abort_conn(conn, HCI_ERROR_REMOTE_USER_TERM);
3089 
3090 unlock:
3091 	hci_dev_unlock(hdev);
3092 	return err;
3093 }
3094 
user_pairing_resp(struct sock * sk,struct hci_dev * hdev,struct mgmt_addr_info * addr,u16 mgmt_op,u16 hci_op,__le32 passkey)3095 static int user_pairing_resp(struct sock *sk, struct hci_dev *hdev,
3096 			     struct mgmt_addr_info *addr, u16 mgmt_op,
3097 			     u16 hci_op, __le32 passkey)
3098 {
3099 	struct mgmt_pending_cmd *cmd;
3100 	struct hci_conn *conn;
3101 	int err;
3102 
3103 	hci_dev_lock(hdev);
3104 
3105 	if (!hdev_is_powered(hdev)) {
3106 		err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
3107 					MGMT_STATUS_NOT_POWERED, addr,
3108 					sizeof(*addr));
3109 		goto done;
3110 	}
3111 
3112 	if (addr->type == BDADDR_BREDR)
3113 		conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &addr->bdaddr);
3114 	else
3115 		conn = hci_conn_hash_lookup_le(hdev, &addr->bdaddr,
3116 					       le_addr_type(addr->type));
3117 
3118 	if (!conn) {
3119 		err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
3120 					MGMT_STATUS_NOT_CONNECTED, addr,
3121 					sizeof(*addr));
3122 		goto done;
3123 	}
3124 
3125 	if (addr->type == BDADDR_LE_PUBLIC || addr->type == BDADDR_LE_RANDOM) {
3126 		err = smp_user_confirm_reply(conn, mgmt_op, passkey);
3127 		if (!err)
3128 			err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
3129 						MGMT_STATUS_SUCCESS, addr,
3130 						sizeof(*addr));
3131 		else
3132 			err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
3133 						MGMT_STATUS_FAILED, addr,
3134 						sizeof(*addr));
3135 
3136 		goto done;
3137 	}
3138 
3139 	cmd = mgmt_pending_add(sk, mgmt_op, hdev, addr, sizeof(*addr));
3140 	if (!cmd) {
3141 		err = -ENOMEM;
3142 		goto done;
3143 	}
3144 
3145 	cmd->cmd_complete = addr_cmd_complete;
3146 
3147 	/* Continue with pairing via HCI */
3148 	if (hci_op == HCI_OP_USER_PASSKEY_REPLY) {
3149 		struct hci_cp_user_passkey_reply cp;
3150 
3151 		bacpy(&cp.bdaddr, &addr->bdaddr);
3152 		cp.passkey = passkey;
3153 		err = hci_send_cmd(hdev, hci_op, sizeof(cp), &cp);
3154 	} else
3155 		err = hci_send_cmd(hdev, hci_op, sizeof(addr->bdaddr),
3156 				   &addr->bdaddr);
3157 
3158 	if (err < 0)
3159 		mgmt_pending_remove(cmd);
3160 
3161 done:
3162 	hci_dev_unlock(hdev);
3163 	return err;
3164 }
3165 
pin_code_neg_reply(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)3166 static int pin_code_neg_reply(struct sock *sk, struct hci_dev *hdev,
3167 			      void *data, u16 len)
3168 {
3169 	struct mgmt_cp_pin_code_neg_reply *cp = data;
3170 
3171 	bt_dev_dbg(hdev, "sock %p", sk);
3172 
3173 	return user_pairing_resp(sk, hdev, &cp->addr,
3174 				MGMT_OP_PIN_CODE_NEG_REPLY,
3175 				HCI_OP_PIN_CODE_NEG_REPLY, 0);
3176 }
3177 
user_confirm_reply(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)3178 static int user_confirm_reply(struct sock *sk, struct hci_dev *hdev, void *data,
3179 			      u16 len)
3180 {
3181 	struct mgmt_cp_user_confirm_reply *cp = data;
3182 
3183 	bt_dev_dbg(hdev, "sock %p", sk);
3184 
3185 	if (len != sizeof(*cp))
3186 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_USER_CONFIRM_REPLY,
3187 				       MGMT_STATUS_INVALID_PARAMS);
3188 
3189 	return user_pairing_resp(sk, hdev, &cp->addr,
3190 				 MGMT_OP_USER_CONFIRM_REPLY,
3191 				 HCI_OP_USER_CONFIRM_REPLY, 0);
3192 }
3193 
user_confirm_neg_reply(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)3194 static int user_confirm_neg_reply(struct sock *sk, struct hci_dev *hdev,
3195 				  void *data, u16 len)
3196 {
3197 	struct mgmt_cp_user_confirm_neg_reply *cp = data;
3198 
3199 	bt_dev_dbg(hdev, "sock %p", sk);
3200 
3201 	return user_pairing_resp(sk, hdev, &cp->addr,
3202 				 MGMT_OP_USER_CONFIRM_NEG_REPLY,
3203 				 HCI_OP_USER_CONFIRM_NEG_REPLY, 0);
3204 }
3205 
user_passkey_reply(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)3206 static int user_passkey_reply(struct sock *sk, struct hci_dev *hdev, void *data,
3207 			      u16 len)
3208 {
3209 	struct mgmt_cp_user_passkey_reply *cp = data;
3210 
3211 	bt_dev_dbg(hdev, "sock %p", sk);
3212 
3213 	return user_pairing_resp(sk, hdev, &cp->addr,
3214 				 MGMT_OP_USER_PASSKEY_REPLY,
3215 				 HCI_OP_USER_PASSKEY_REPLY, cp->passkey);
3216 }
3217 
user_passkey_neg_reply(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)3218 static int user_passkey_neg_reply(struct sock *sk, struct hci_dev *hdev,
3219 				  void *data, u16 len)
3220 {
3221 	struct mgmt_cp_user_passkey_neg_reply *cp = data;
3222 
3223 	bt_dev_dbg(hdev, "sock %p", sk);
3224 
3225 	return user_pairing_resp(sk, hdev, &cp->addr,
3226 				 MGMT_OP_USER_PASSKEY_NEG_REPLY,
3227 				 HCI_OP_USER_PASSKEY_NEG_REPLY, 0);
3228 }
3229 
adv_expire(struct hci_dev * hdev,u32 flags)3230 static void adv_expire(struct hci_dev *hdev, u32 flags)
3231 {
3232 	struct adv_info *adv_instance;
3233 	struct hci_request req;
3234 	int err;
3235 
3236 	adv_instance = hci_find_adv_instance(hdev, hdev->cur_adv_instance);
3237 	if (!adv_instance)
3238 		return;
3239 
3240 	/* stop if current instance doesn't need to be changed */
3241 	if (!(adv_instance->flags & flags))
3242 		return;
3243 
3244 	cancel_adv_timeout(hdev);
3245 
3246 	adv_instance = hci_get_next_instance(hdev, adv_instance->instance);
3247 	if (!adv_instance)
3248 		return;
3249 
3250 	hci_req_init(&req, hdev);
3251 	err = __hci_req_schedule_adv_instance(&req, adv_instance->instance,
3252 					      true);
3253 	if (err)
3254 		return;
3255 
3256 	hci_req_run(&req, NULL);
3257 }
3258 
set_name_complete(struct hci_dev * hdev,u8 status,u16 opcode)3259 static void set_name_complete(struct hci_dev *hdev, u8 status, u16 opcode)
3260 {
3261 	struct mgmt_cp_set_local_name *cp;
3262 	struct mgmt_pending_cmd *cmd;
3263 
3264 	bt_dev_dbg(hdev, "status 0x%02x", status);
3265 
3266 	hci_dev_lock(hdev);
3267 
3268 	cmd = pending_find(MGMT_OP_SET_LOCAL_NAME, hdev);
3269 	if (!cmd)
3270 		goto unlock;
3271 
3272 	cp = cmd->param;
3273 
3274 	if (status) {
3275 		mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_LOCAL_NAME,
3276 			        mgmt_status(status));
3277 	} else {
3278 		mgmt_cmd_complete(cmd->sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, 0,
3279 				  cp, sizeof(*cp));
3280 
3281 		if (hci_dev_test_flag(hdev, HCI_LE_ADV))
3282 			adv_expire(hdev, MGMT_ADV_FLAG_LOCAL_NAME);
3283 	}
3284 
3285 	mgmt_pending_remove(cmd);
3286 
3287 unlock:
3288 	hci_dev_unlock(hdev);
3289 }
3290 
set_local_name(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)3291 static int set_local_name(struct sock *sk, struct hci_dev *hdev, void *data,
3292 			  u16 len)
3293 {
3294 	struct mgmt_cp_set_local_name *cp = data;
3295 	struct mgmt_pending_cmd *cmd;
3296 	struct hci_request req;
3297 	int err;
3298 
3299 	bt_dev_dbg(hdev, "sock %p", sk);
3300 
3301 	hci_dev_lock(hdev);
3302 
3303 	/* If the old values are the same as the new ones just return a
3304 	 * direct command complete event.
3305 	 */
3306 	if (!memcmp(hdev->dev_name, cp->name, sizeof(hdev->dev_name)) &&
3307 	    !memcmp(hdev->short_name, cp->short_name,
3308 		    sizeof(hdev->short_name))) {
3309 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, 0,
3310 					data, len);
3311 		goto failed;
3312 	}
3313 
3314 	memcpy(hdev->short_name, cp->short_name, sizeof(hdev->short_name));
3315 
3316 	if (!hdev_is_powered(hdev)) {
3317 		memcpy(hdev->dev_name, cp->name, sizeof(hdev->dev_name));
3318 
3319 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, 0,
3320 					data, len);
3321 		if (err < 0)
3322 			goto failed;
3323 
3324 		err = mgmt_limited_event(MGMT_EV_LOCAL_NAME_CHANGED, hdev, data,
3325 					 len, HCI_MGMT_LOCAL_NAME_EVENTS, sk);
3326 		ext_info_changed(hdev, sk);
3327 
3328 		goto failed;
3329 	}
3330 
3331 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_LOCAL_NAME, hdev, data, len);
3332 	if (!cmd) {
3333 		err = -ENOMEM;
3334 		goto failed;
3335 	}
3336 
3337 	memcpy(hdev->dev_name, cp->name, sizeof(hdev->dev_name));
3338 
3339 	hci_req_init(&req, hdev);
3340 
3341 	if (lmp_bredr_capable(hdev)) {
3342 		__hci_req_update_name(&req);
3343 		__hci_req_update_eir(&req);
3344 	}
3345 
3346 	/* The name is stored in the scan response data and so
3347 	 * no need to update the advertising data here.
3348 	 */
3349 	if (lmp_le_capable(hdev) && hci_dev_test_flag(hdev, HCI_ADVERTISING))
3350 		__hci_req_update_scan_rsp_data(&req, hdev->cur_adv_instance);
3351 
3352 	err = hci_req_run(&req, set_name_complete);
3353 	if (err < 0)
3354 		mgmt_pending_remove(cmd);
3355 
3356 failed:
3357 	hci_dev_unlock(hdev);
3358 	return err;
3359 }
3360 
set_appearance(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)3361 static int set_appearance(struct sock *sk, struct hci_dev *hdev, void *data,
3362 			  u16 len)
3363 {
3364 	struct mgmt_cp_set_appearance *cp = data;
3365 	u16 appearance;
3366 	int err;
3367 
3368 	bt_dev_dbg(hdev, "sock %p", sk);
3369 
3370 	if (!lmp_le_capable(hdev))
3371 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_APPEARANCE,
3372 				       MGMT_STATUS_NOT_SUPPORTED);
3373 
3374 	appearance = le16_to_cpu(cp->appearance);
3375 
3376 	hci_dev_lock(hdev);
3377 
3378 	if (hdev->appearance != appearance) {
3379 		hdev->appearance = appearance;
3380 
3381 		if (hci_dev_test_flag(hdev, HCI_LE_ADV))
3382 			adv_expire(hdev, MGMT_ADV_FLAG_APPEARANCE);
3383 
3384 		ext_info_changed(hdev, sk);
3385 	}
3386 
3387 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_APPEARANCE, 0, NULL,
3388 				0);
3389 
3390 	hci_dev_unlock(hdev);
3391 
3392 	return err;
3393 }
3394 
get_phy_configuration(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)3395 static int get_phy_configuration(struct sock *sk, struct hci_dev *hdev,
3396 				 void *data, u16 len)
3397 {
3398 	struct mgmt_rp_get_phy_configuration rp;
3399 
3400 	bt_dev_dbg(hdev, "sock %p", sk);
3401 
3402 	hci_dev_lock(hdev);
3403 
3404 	memset(&rp, 0, sizeof(rp));
3405 
3406 	rp.supported_phys = cpu_to_le32(get_supported_phys(hdev));
3407 	rp.selected_phys = cpu_to_le32(get_selected_phys(hdev));
3408 	rp.configurable_phys = cpu_to_le32(get_configurable_phys(hdev));
3409 
3410 	hci_dev_unlock(hdev);
3411 
3412 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_PHY_CONFIGURATION, 0,
3413 				 &rp, sizeof(rp));
3414 }
3415 
mgmt_phy_configuration_changed(struct hci_dev * hdev,struct sock * skip)3416 int mgmt_phy_configuration_changed(struct hci_dev *hdev, struct sock *skip)
3417 {
3418 	struct mgmt_ev_phy_configuration_changed ev;
3419 
3420 	memset(&ev, 0, sizeof(ev));
3421 
3422 	ev.selected_phys = cpu_to_le32(get_selected_phys(hdev));
3423 
3424 	return mgmt_event(MGMT_EV_PHY_CONFIGURATION_CHANGED, hdev, &ev,
3425 			  sizeof(ev), skip);
3426 }
3427 
set_default_phy_complete(struct hci_dev * hdev,u8 status,u16 opcode,struct sk_buff * skb)3428 static void set_default_phy_complete(struct hci_dev *hdev, u8 status,
3429 				     u16 opcode, struct sk_buff *skb)
3430 {
3431 	struct mgmt_pending_cmd *cmd;
3432 
3433 	bt_dev_dbg(hdev, "status 0x%02x", status);
3434 
3435 	hci_dev_lock(hdev);
3436 
3437 	cmd = pending_find(MGMT_OP_SET_PHY_CONFIGURATION, hdev);
3438 	if (!cmd)
3439 		goto unlock;
3440 
3441 	if (status) {
3442 		mgmt_cmd_status(cmd->sk, hdev->id,
3443 				MGMT_OP_SET_PHY_CONFIGURATION,
3444 				mgmt_status(status));
3445 	} else {
3446 		mgmt_cmd_complete(cmd->sk, hdev->id,
3447 				  MGMT_OP_SET_PHY_CONFIGURATION, 0,
3448 				  NULL, 0);
3449 
3450 		mgmt_phy_configuration_changed(hdev, cmd->sk);
3451 	}
3452 
3453 	mgmt_pending_remove(cmd);
3454 
3455 unlock:
3456 	hci_dev_unlock(hdev);
3457 }
3458 
set_phy_configuration(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)3459 static int set_phy_configuration(struct sock *sk, struct hci_dev *hdev,
3460 				 void *data, u16 len)
3461 {
3462 	struct mgmt_cp_set_phy_configuration *cp = data;
3463 	struct hci_cp_le_set_default_phy cp_phy;
3464 	struct mgmt_pending_cmd *cmd;
3465 	struct hci_request req;
3466 	u32 selected_phys, configurable_phys, supported_phys, unconfigure_phys;
3467 	u16 pkt_type = (HCI_DH1 | HCI_DM1);
3468 	bool changed = false;
3469 	int err;
3470 
3471 	bt_dev_dbg(hdev, "sock %p", sk);
3472 
3473 	configurable_phys = get_configurable_phys(hdev);
3474 	supported_phys = get_supported_phys(hdev);
3475 	selected_phys = __le32_to_cpu(cp->selected_phys);
3476 
3477 	if (selected_phys & ~supported_phys)
3478 		return mgmt_cmd_status(sk, hdev->id,
3479 				       MGMT_OP_SET_PHY_CONFIGURATION,
3480 				       MGMT_STATUS_INVALID_PARAMS);
3481 
3482 	unconfigure_phys = supported_phys & ~configurable_phys;
3483 
3484 	if ((selected_phys & unconfigure_phys) != unconfigure_phys)
3485 		return mgmt_cmd_status(sk, hdev->id,
3486 				       MGMT_OP_SET_PHY_CONFIGURATION,
3487 				       MGMT_STATUS_INVALID_PARAMS);
3488 
3489 	if (selected_phys == get_selected_phys(hdev))
3490 		return mgmt_cmd_complete(sk, hdev->id,
3491 					 MGMT_OP_SET_PHY_CONFIGURATION,
3492 					 0, NULL, 0);
3493 
3494 	hci_dev_lock(hdev);
3495 
3496 	if (!hdev_is_powered(hdev)) {
3497 		err = mgmt_cmd_status(sk, hdev->id,
3498 				      MGMT_OP_SET_PHY_CONFIGURATION,
3499 				      MGMT_STATUS_REJECTED);
3500 		goto unlock;
3501 	}
3502 
3503 	if (pending_find(MGMT_OP_SET_PHY_CONFIGURATION, hdev)) {
3504 		err = mgmt_cmd_status(sk, hdev->id,
3505 				      MGMT_OP_SET_PHY_CONFIGURATION,
3506 				      MGMT_STATUS_BUSY);
3507 		goto unlock;
3508 	}
3509 
3510 	if (selected_phys & MGMT_PHY_BR_1M_3SLOT)
3511 		pkt_type |= (HCI_DH3 | HCI_DM3);
3512 	else
3513 		pkt_type &= ~(HCI_DH3 | HCI_DM3);
3514 
3515 	if (selected_phys & MGMT_PHY_BR_1M_5SLOT)
3516 		pkt_type |= (HCI_DH5 | HCI_DM5);
3517 	else
3518 		pkt_type &= ~(HCI_DH5 | HCI_DM5);
3519 
3520 	if (selected_phys & MGMT_PHY_EDR_2M_1SLOT)
3521 		pkt_type &= ~HCI_2DH1;
3522 	else
3523 		pkt_type |= HCI_2DH1;
3524 
3525 	if (selected_phys & MGMT_PHY_EDR_2M_3SLOT)
3526 		pkt_type &= ~HCI_2DH3;
3527 	else
3528 		pkt_type |= HCI_2DH3;
3529 
3530 	if (selected_phys & MGMT_PHY_EDR_2M_5SLOT)
3531 		pkt_type &= ~HCI_2DH5;
3532 	else
3533 		pkt_type |= HCI_2DH5;
3534 
3535 	if (selected_phys & MGMT_PHY_EDR_3M_1SLOT)
3536 		pkt_type &= ~HCI_3DH1;
3537 	else
3538 		pkt_type |= HCI_3DH1;
3539 
3540 	if (selected_phys & MGMT_PHY_EDR_3M_3SLOT)
3541 		pkt_type &= ~HCI_3DH3;
3542 	else
3543 		pkt_type |= HCI_3DH3;
3544 
3545 	if (selected_phys & MGMT_PHY_EDR_3M_5SLOT)
3546 		pkt_type &= ~HCI_3DH5;
3547 	else
3548 		pkt_type |= HCI_3DH5;
3549 
3550 	if (pkt_type != hdev->pkt_type) {
3551 		hdev->pkt_type = pkt_type;
3552 		changed = true;
3553 	}
3554 
3555 	if ((selected_phys & MGMT_PHY_LE_MASK) ==
3556 	    (get_selected_phys(hdev) & MGMT_PHY_LE_MASK)) {
3557 		if (changed)
3558 			mgmt_phy_configuration_changed(hdev, sk);
3559 
3560 		err = mgmt_cmd_complete(sk, hdev->id,
3561 					MGMT_OP_SET_PHY_CONFIGURATION,
3562 					0, NULL, 0);
3563 
3564 		goto unlock;
3565 	}
3566 
3567 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_PHY_CONFIGURATION, hdev, data,
3568 			       len);
3569 	if (!cmd) {
3570 		err = -ENOMEM;
3571 		goto unlock;
3572 	}
3573 
3574 	hci_req_init(&req, hdev);
3575 
3576 	memset(&cp_phy, 0, sizeof(cp_phy));
3577 
3578 	if (!(selected_phys & MGMT_PHY_LE_TX_MASK))
3579 		cp_phy.all_phys |= 0x01;
3580 
3581 	if (!(selected_phys & MGMT_PHY_LE_RX_MASK))
3582 		cp_phy.all_phys |= 0x02;
3583 
3584 	if (selected_phys & MGMT_PHY_LE_1M_TX)
3585 		cp_phy.tx_phys |= HCI_LE_SET_PHY_1M;
3586 
3587 	if (selected_phys & MGMT_PHY_LE_2M_TX)
3588 		cp_phy.tx_phys |= HCI_LE_SET_PHY_2M;
3589 
3590 	if (selected_phys & MGMT_PHY_LE_CODED_TX)
3591 		cp_phy.tx_phys |= HCI_LE_SET_PHY_CODED;
3592 
3593 	if (selected_phys & MGMT_PHY_LE_1M_RX)
3594 		cp_phy.rx_phys |= HCI_LE_SET_PHY_1M;
3595 
3596 	if (selected_phys & MGMT_PHY_LE_2M_RX)
3597 		cp_phy.rx_phys |= HCI_LE_SET_PHY_2M;
3598 
3599 	if (selected_phys & MGMT_PHY_LE_CODED_RX)
3600 		cp_phy.rx_phys |= HCI_LE_SET_PHY_CODED;
3601 
3602 	hci_req_add(&req, HCI_OP_LE_SET_DEFAULT_PHY, sizeof(cp_phy), &cp_phy);
3603 
3604 	err = hci_req_run_skb(&req, set_default_phy_complete);
3605 	if (err < 0)
3606 		mgmt_pending_remove(cmd);
3607 
3608 unlock:
3609 	hci_dev_unlock(hdev);
3610 
3611 	return err;
3612 }
3613 
set_blocked_keys(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)3614 static int set_blocked_keys(struct sock *sk, struct hci_dev *hdev, void *data,
3615 			    u16 len)
3616 {
3617 	int err = MGMT_STATUS_SUCCESS;
3618 	struct mgmt_cp_set_blocked_keys *keys = data;
3619 	const u16 max_key_count = ((U16_MAX - sizeof(*keys)) /
3620 				   sizeof(struct mgmt_blocked_key_info));
3621 	u16 key_count, expected_len;
3622 	int i;
3623 
3624 	bt_dev_dbg(hdev, "sock %p", sk);
3625 
3626 	key_count = __le16_to_cpu(keys->key_count);
3627 	if (key_count > max_key_count) {
3628 		bt_dev_err(hdev, "too big key_count value %u", key_count);
3629 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BLOCKED_KEYS,
3630 				       MGMT_STATUS_INVALID_PARAMS);
3631 	}
3632 
3633 	expected_len = struct_size(keys, keys, key_count);
3634 	if (expected_len != len) {
3635 		bt_dev_err(hdev, "expected %u bytes, got %u bytes",
3636 			   expected_len, len);
3637 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BLOCKED_KEYS,
3638 				       MGMT_STATUS_INVALID_PARAMS);
3639 	}
3640 
3641 	hci_dev_lock(hdev);
3642 
3643 	hci_blocked_keys_clear(hdev);
3644 
3645 	for (i = 0; i < keys->key_count; ++i) {
3646 		struct blocked_key *b = kzalloc(sizeof(*b), GFP_KERNEL);
3647 
3648 		if (!b) {
3649 			err = MGMT_STATUS_NO_RESOURCES;
3650 			break;
3651 		}
3652 
3653 		b->type = keys->keys[i].type;
3654 		memcpy(b->val, keys->keys[i].val, sizeof(b->val));
3655 		list_add_rcu(&b->list, &hdev->blocked_keys);
3656 	}
3657 	hci_dev_unlock(hdev);
3658 
3659 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_BLOCKED_KEYS,
3660 				err, NULL, 0);
3661 }
3662 
set_wideband_speech(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)3663 static int set_wideband_speech(struct sock *sk, struct hci_dev *hdev,
3664 			       void *data, u16 len)
3665 {
3666 	struct mgmt_mode *cp = data;
3667 	int err;
3668 	bool changed = false;
3669 
3670 	bt_dev_dbg(hdev, "sock %p", sk);
3671 
3672 	if (!test_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, &hdev->quirks))
3673 		return mgmt_cmd_status(sk, hdev->id,
3674 				       MGMT_OP_SET_WIDEBAND_SPEECH,
3675 				       MGMT_STATUS_NOT_SUPPORTED);
3676 
3677 	if (cp->val != 0x00 && cp->val != 0x01)
3678 		return mgmt_cmd_status(sk, hdev->id,
3679 				       MGMT_OP_SET_WIDEBAND_SPEECH,
3680 				       MGMT_STATUS_INVALID_PARAMS);
3681 
3682 	hci_dev_lock(hdev);
3683 
3684 	if (pending_find(MGMT_OP_SET_WIDEBAND_SPEECH, hdev)) {
3685 		err = mgmt_cmd_status(sk, hdev->id,
3686 				      MGMT_OP_SET_WIDEBAND_SPEECH,
3687 				      MGMT_STATUS_BUSY);
3688 		goto unlock;
3689 	}
3690 
3691 	if (hdev_is_powered(hdev) &&
3692 	    !!cp->val != hci_dev_test_flag(hdev,
3693 					   HCI_WIDEBAND_SPEECH_ENABLED)) {
3694 		err = mgmt_cmd_status(sk, hdev->id,
3695 				      MGMT_OP_SET_WIDEBAND_SPEECH,
3696 				      MGMT_STATUS_REJECTED);
3697 		goto unlock;
3698 	}
3699 
3700 	if (cp->val)
3701 		changed = !hci_dev_test_and_set_flag(hdev,
3702 						   HCI_WIDEBAND_SPEECH_ENABLED);
3703 	else
3704 		changed = hci_dev_test_and_clear_flag(hdev,
3705 						   HCI_WIDEBAND_SPEECH_ENABLED);
3706 
3707 	err = send_settings_rsp(sk, MGMT_OP_SET_WIDEBAND_SPEECH, hdev);
3708 	if (err < 0)
3709 		goto unlock;
3710 
3711 	if (changed)
3712 		err = new_settings(hdev, sk);
3713 
3714 unlock:
3715 	hci_dev_unlock(hdev);
3716 	return err;
3717 }
3718 
read_controller_cap(struct sock * sk,struct hci_dev * hdev,void * data,u16 data_len)3719 static int read_controller_cap(struct sock *sk, struct hci_dev *hdev,
3720 			       void *data, u16 data_len)
3721 {
3722 	char buf[20];
3723 	struct mgmt_rp_read_controller_cap *rp = (void *)buf;
3724 	u16 cap_len = 0;
3725 	u8 flags = 0;
3726 	u8 tx_power_range[2];
3727 
3728 	bt_dev_dbg(hdev, "sock %p", sk);
3729 
3730 	memset(&buf, 0, sizeof(buf));
3731 
3732 	hci_dev_lock(hdev);
3733 
3734 	/* When the Read Simple Pairing Options command is supported, then
3735 	 * the remote public key validation is supported.
3736 	 *
3737 	 * Alternatively, when Microsoft extensions are available, they can
3738 	 * indicate support for public key validation as well.
3739 	 */
3740 	if ((hdev->commands[41] & 0x08) || msft_curve_validity(hdev))
3741 		flags |= 0x01;	/* Remote public key validation (BR/EDR) */
3742 
3743 	flags |= 0x02;		/* Remote public key validation (LE) */
3744 
3745 	/* When the Read Encryption Key Size command is supported, then the
3746 	 * encryption key size is enforced.
3747 	 */
3748 	if (hdev->commands[20] & 0x10)
3749 		flags |= 0x04;	/* Encryption key size enforcement (BR/EDR) */
3750 
3751 	flags |= 0x08;		/* Encryption key size enforcement (LE) */
3752 
3753 	cap_len = eir_append_data(rp->cap, cap_len, MGMT_CAP_SEC_FLAGS,
3754 				  &flags, 1);
3755 
3756 	/* When the Read Simple Pairing Options command is supported, then
3757 	 * also max encryption key size information is provided.
3758 	 */
3759 	if (hdev->commands[41] & 0x08)
3760 		cap_len = eir_append_le16(rp->cap, cap_len,
3761 					  MGMT_CAP_MAX_ENC_KEY_SIZE,
3762 					  hdev->max_enc_key_size);
3763 
3764 	cap_len = eir_append_le16(rp->cap, cap_len,
3765 				  MGMT_CAP_SMP_MAX_ENC_KEY_SIZE,
3766 				  SMP_MAX_ENC_KEY_SIZE);
3767 
3768 	/* Append the min/max LE tx power parameters if we were able to fetch
3769 	 * it from the controller
3770 	 */
3771 	if (hdev->commands[38] & 0x80) {
3772 		memcpy(&tx_power_range[0], &hdev->min_le_tx_power, 1);
3773 		memcpy(&tx_power_range[1], &hdev->max_le_tx_power, 1);
3774 		cap_len = eir_append_data(rp->cap, cap_len, MGMT_CAP_LE_TX_PWR,
3775 					  tx_power_range, 2);
3776 	}
3777 
3778 	rp->cap_len = cpu_to_le16(cap_len);
3779 
3780 	hci_dev_unlock(hdev);
3781 
3782 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_CONTROLLER_CAP, 0,
3783 				 rp, sizeof(*rp) + cap_len);
3784 }
3785 
3786 #ifdef CONFIG_BT_FEATURE_DEBUG
3787 /* d4992530-b9ec-469f-ab01-6c481c47da1c */
3788 static const u8 debug_uuid[16] = {
3789 	0x1c, 0xda, 0x47, 0x1c, 0x48, 0x6c, 0x01, 0xab,
3790 	0x9f, 0x46, 0xec, 0xb9, 0x30, 0x25, 0x99, 0xd4,
3791 };
3792 #endif
3793 
3794 /* 671b10b5-42c0-4696-9227-eb28d1b049d6 */
3795 static const u8 simult_central_periph_uuid[16] = {
3796 	0xd6, 0x49, 0xb0, 0xd1, 0x28, 0xeb, 0x27, 0x92,
3797 	0x96, 0x46, 0xc0, 0x42, 0xb5, 0x10, 0x1b, 0x67,
3798 };
3799 
3800 /* 15c0a148-c273-11ea-b3de-0242ac130004 */
3801 static const u8 rpa_resolution_uuid[16] = {
3802 	0x04, 0x00, 0x13, 0xac, 0x42, 0x02, 0xde, 0xb3,
3803 	0xea, 0x11, 0x73, 0xc2, 0x48, 0xa1, 0xc0, 0x15,
3804 };
3805 
read_exp_features_info(struct sock * sk,struct hci_dev * hdev,void * data,u16 data_len)3806 static int read_exp_features_info(struct sock *sk, struct hci_dev *hdev,
3807 				  void *data, u16 data_len)
3808 {
3809 	char buf[62];	/* Enough space for 3 features */
3810 	struct mgmt_rp_read_exp_features_info *rp = (void *)buf;
3811 	u16 idx = 0;
3812 	u32 flags;
3813 
3814 	bt_dev_dbg(hdev, "sock %p", sk);
3815 
3816 	memset(&buf, 0, sizeof(buf));
3817 
3818 #ifdef CONFIG_BT_FEATURE_DEBUG
3819 	if (!hdev) {
3820 		flags = bt_dbg_get() ? BIT(0) : 0;
3821 
3822 		memcpy(rp->features[idx].uuid, debug_uuid, 16);
3823 		rp->features[idx].flags = cpu_to_le32(flags);
3824 		idx++;
3825 	}
3826 #endif
3827 
3828 	if (hdev) {
3829 		if (test_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks) &&
3830 		    (hdev->le_states[4] & 0x08) &&	/* Central */
3831 		    (hdev->le_states[4] & 0x40) &&	/* Peripheral */
3832 		    (hdev->le_states[3] & 0x10))	/* Simultaneous */
3833 			flags = BIT(0);
3834 		else
3835 			flags = 0;
3836 
3837 		memcpy(rp->features[idx].uuid, simult_central_periph_uuid, 16);
3838 		rp->features[idx].flags = cpu_to_le32(flags);
3839 		idx++;
3840 	}
3841 
3842 	if (hdev && use_ll_privacy(hdev)) {
3843 		if (hci_dev_test_flag(hdev, HCI_ENABLE_LL_PRIVACY))
3844 			flags = BIT(0) | BIT(1);
3845 		else
3846 			flags = BIT(1);
3847 
3848 		memcpy(rp->features[idx].uuid, rpa_resolution_uuid, 16);
3849 		rp->features[idx].flags = cpu_to_le32(flags);
3850 		idx++;
3851 	}
3852 
3853 	rp->feature_count = cpu_to_le16(idx);
3854 
3855 	/* After reading the experimental features information, enable
3856 	 * the events to update client on any future change.
3857 	 */
3858 	hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
3859 
3860 	return mgmt_cmd_complete(sk, hdev ? hdev->id : MGMT_INDEX_NONE,
3861 				 MGMT_OP_READ_EXP_FEATURES_INFO,
3862 				 0, rp, sizeof(*rp) + (20 * idx));
3863 }
3864 
exp_ll_privacy_feature_changed(bool enabled,struct hci_dev * hdev,struct sock * skip)3865 static int exp_ll_privacy_feature_changed(bool enabled, struct hci_dev *hdev,
3866 					  struct sock *skip)
3867 {
3868 	struct mgmt_ev_exp_feature_changed ev;
3869 
3870 	memset(&ev, 0, sizeof(ev));
3871 	memcpy(ev.uuid, rpa_resolution_uuid, 16);
3872 	ev.flags = cpu_to_le32((enabled ? BIT(0) : 0) | BIT(1));
3873 
3874 	return mgmt_limited_event(MGMT_EV_EXP_FEATURE_CHANGED, hdev,
3875 				  &ev, sizeof(ev),
3876 				  HCI_MGMT_EXP_FEATURE_EVENTS, skip);
3877 
3878 }
3879 
3880 #ifdef CONFIG_BT_FEATURE_DEBUG
exp_debug_feature_changed(bool enabled,struct sock * skip)3881 static int exp_debug_feature_changed(bool enabled, struct sock *skip)
3882 {
3883 	struct mgmt_ev_exp_feature_changed ev;
3884 
3885 	memset(&ev, 0, sizeof(ev));
3886 	memcpy(ev.uuid, debug_uuid, 16);
3887 	ev.flags = cpu_to_le32(enabled ? BIT(0) : 0);
3888 
3889 	return mgmt_limited_event(MGMT_EV_EXP_FEATURE_CHANGED, NULL,
3890 				  &ev, sizeof(ev),
3891 				  HCI_MGMT_EXP_FEATURE_EVENTS, skip);
3892 }
3893 #endif
3894 
set_exp_feature(struct sock * sk,struct hci_dev * hdev,void * data,u16 data_len)3895 static int set_exp_feature(struct sock *sk, struct hci_dev *hdev,
3896 			   void *data, u16 data_len)
3897 {
3898 	struct mgmt_cp_set_exp_feature *cp = data;
3899 	struct mgmt_rp_set_exp_feature rp;
3900 
3901 	bt_dev_dbg(hdev, "sock %p", sk);
3902 
3903 	if (!memcmp(cp->uuid, ZERO_KEY, 16)) {
3904 		memset(rp.uuid, 0, 16);
3905 		rp.flags = cpu_to_le32(0);
3906 
3907 #ifdef CONFIG_BT_FEATURE_DEBUG
3908 		if (!hdev) {
3909 			bool changed = bt_dbg_get();
3910 
3911 			bt_dbg_set(false);
3912 
3913 			if (changed)
3914 				exp_debug_feature_changed(false, sk);
3915 		}
3916 #endif
3917 
3918 		if (hdev && use_ll_privacy(hdev) && !hdev_is_powered(hdev)) {
3919 			bool changed = hci_dev_test_flag(hdev,
3920 							 HCI_ENABLE_LL_PRIVACY);
3921 
3922 			hci_dev_clear_flag(hdev, HCI_ENABLE_LL_PRIVACY);
3923 
3924 			if (changed)
3925 				exp_ll_privacy_feature_changed(false, hdev, sk);
3926 		}
3927 
3928 		hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
3929 
3930 		return mgmt_cmd_complete(sk, hdev ? hdev->id : MGMT_INDEX_NONE,
3931 					 MGMT_OP_SET_EXP_FEATURE, 0,
3932 					 &rp, sizeof(rp));
3933 	}
3934 
3935 #ifdef CONFIG_BT_FEATURE_DEBUG
3936 	if (!memcmp(cp->uuid, debug_uuid, 16)) {
3937 		bool val, changed;
3938 		int err;
3939 
3940 		/* Command requires to use the non-controller index */
3941 		if (hdev)
3942 			return mgmt_cmd_status(sk, hdev->id,
3943 					       MGMT_OP_SET_EXP_FEATURE,
3944 					       MGMT_STATUS_INVALID_INDEX);
3945 
3946 		/* Parameters are limited to a single octet */
3947 		if (data_len != MGMT_SET_EXP_FEATURE_SIZE + 1)
3948 			return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
3949 					       MGMT_OP_SET_EXP_FEATURE,
3950 					       MGMT_STATUS_INVALID_PARAMS);
3951 
3952 		/* Only boolean on/off is supported */
3953 		if (cp->param[0] != 0x00 && cp->param[0] != 0x01)
3954 			return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
3955 					       MGMT_OP_SET_EXP_FEATURE,
3956 					       MGMT_STATUS_INVALID_PARAMS);
3957 
3958 		val = !!cp->param[0];
3959 		changed = val ? !bt_dbg_get() : bt_dbg_get();
3960 		bt_dbg_set(val);
3961 
3962 		memcpy(rp.uuid, debug_uuid, 16);
3963 		rp.flags = cpu_to_le32(val ? BIT(0) : 0);
3964 
3965 		hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
3966 
3967 		err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE,
3968 					MGMT_OP_SET_EXP_FEATURE, 0,
3969 					&rp, sizeof(rp));
3970 
3971 		if (changed)
3972 			exp_debug_feature_changed(val, sk);
3973 
3974 		return err;
3975 	}
3976 #endif
3977 
3978 	if (!memcmp(cp->uuid, rpa_resolution_uuid, 16)) {
3979 		bool val, changed;
3980 		int err;
3981 		u32 flags;
3982 
3983 		/* Command requires to use the controller index */
3984 		if (!hdev)
3985 			return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
3986 					       MGMT_OP_SET_EXP_FEATURE,
3987 					       MGMT_STATUS_INVALID_INDEX);
3988 
3989 		/* Changes can only be made when controller is powered down */
3990 		if (hdev_is_powered(hdev))
3991 			return mgmt_cmd_status(sk, hdev->id,
3992 					       MGMT_OP_SET_EXP_FEATURE,
3993 					       MGMT_STATUS_REJECTED);
3994 
3995 		/* Parameters are limited to a single octet */
3996 		if (data_len != MGMT_SET_EXP_FEATURE_SIZE + 1)
3997 			return mgmt_cmd_status(sk, hdev->id,
3998 					       MGMT_OP_SET_EXP_FEATURE,
3999 					       MGMT_STATUS_INVALID_PARAMS);
4000 
4001 		/* Only boolean on/off is supported */
4002 		if (cp->param[0] != 0x00 && cp->param[0] != 0x01)
4003 			return mgmt_cmd_status(sk, hdev->id,
4004 					       MGMT_OP_SET_EXP_FEATURE,
4005 					       MGMT_STATUS_INVALID_PARAMS);
4006 
4007 		val = !!cp->param[0];
4008 
4009 		if (val) {
4010 			changed = !hci_dev_test_flag(hdev,
4011 						     HCI_ENABLE_LL_PRIVACY);
4012 			hci_dev_set_flag(hdev, HCI_ENABLE_LL_PRIVACY);
4013 			hci_dev_clear_flag(hdev, HCI_ADVERTISING);
4014 
4015 			/* Enable LL privacy + supported settings changed */
4016 			flags = BIT(0) | BIT(1);
4017 		} else {
4018 			changed = hci_dev_test_flag(hdev,
4019 						    HCI_ENABLE_LL_PRIVACY);
4020 			hci_dev_clear_flag(hdev, HCI_ENABLE_LL_PRIVACY);
4021 
4022 			/* Disable LL privacy + supported settings changed */
4023 			flags = BIT(1);
4024 		}
4025 
4026 		memcpy(rp.uuid, rpa_resolution_uuid, 16);
4027 		rp.flags = cpu_to_le32(flags);
4028 
4029 		hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
4030 
4031 		err = mgmt_cmd_complete(sk, hdev->id,
4032 					MGMT_OP_SET_EXP_FEATURE, 0,
4033 					&rp, sizeof(rp));
4034 
4035 		if (changed)
4036 			exp_ll_privacy_feature_changed(val, hdev, sk);
4037 
4038 		return err;
4039 	}
4040 
4041 	return mgmt_cmd_status(sk, hdev ? hdev->id : MGMT_INDEX_NONE,
4042 			       MGMT_OP_SET_EXP_FEATURE,
4043 			       MGMT_STATUS_NOT_SUPPORTED);
4044 }
4045 
4046 #define SUPPORTED_DEVICE_FLAGS() ((1U << HCI_CONN_FLAG_MAX) - 1)
4047 
get_device_flags(struct sock * sk,struct hci_dev * hdev,void * data,u16 data_len)4048 static int get_device_flags(struct sock *sk, struct hci_dev *hdev, void *data,
4049 			    u16 data_len)
4050 {
4051 	struct mgmt_cp_get_device_flags *cp = data;
4052 	struct mgmt_rp_get_device_flags rp;
4053 	struct bdaddr_list_with_flags *br_params;
4054 	struct hci_conn_params *params;
4055 	u32 supported_flags = SUPPORTED_DEVICE_FLAGS();
4056 	u32 current_flags = 0;
4057 	u8 status = MGMT_STATUS_INVALID_PARAMS;
4058 
4059 	bt_dev_dbg(hdev, "Get device flags %pMR (type 0x%x)\n",
4060 		   &cp->addr.bdaddr, cp->addr.type);
4061 
4062 	hci_dev_lock(hdev);
4063 
4064 	memset(&rp, 0, sizeof(rp));
4065 
4066 	if (cp->addr.type == BDADDR_BREDR) {
4067 		br_params = hci_bdaddr_list_lookup_with_flags(&hdev->accept_list,
4068 							      &cp->addr.bdaddr,
4069 							      cp->addr.type);
4070 		if (!br_params)
4071 			goto done;
4072 
4073 		current_flags = br_params->current_flags;
4074 	} else {
4075 		params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr,
4076 						le_addr_type(cp->addr.type));
4077 
4078 		if (!params)
4079 			goto done;
4080 
4081 		current_flags = params->current_flags;
4082 	}
4083 
4084 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
4085 	rp.addr.type = cp->addr.type;
4086 	rp.supported_flags = cpu_to_le32(supported_flags);
4087 	rp.current_flags = cpu_to_le32(current_flags);
4088 
4089 	status = MGMT_STATUS_SUCCESS;
4090 
4091 done:
4092 	hci_dev_unlock(hdev);
4093 
4094 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_DEVICE_FLAGS, status,
4095 				&rp, sizeof(rp));
4096 }
4097 
device_flags_changed(struct sock * sk,struct hci_dev * hdev,bdaddr_t * bdaddr,u8 bdaddr_type,u32 supported_flags,u32 current_flags)4098 static void device_flags_changed(struct sock *sk, struct hci_dev *hdev,
4099 				 bdaddr_t *bdaddr, u8 bdaddr_type,
4100 				 u32 supported_flags, u32 current_flags)
4101 {
4102 	struct mgmt_ev_device_flags_changed ev;
4103 
4104 	bacpy(&ev.addr.bdaddr, bdaddr);
4105 	ev.addr.type = bdaddr_type;
4106 	ev.supported_flags = cpu_to_le32(supported_flags);
4107 	ev.current_flags = cpu_to_le32(current_flags);
4108 
4109 	mgmt_event(MGMT_EV_DEVICE_FLAGS_CHANGED, hdev, &ev, sizeof(ev), sk);
4110 }
4111 
set_device_flags(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)4112 static int set_device_flags(struct sock *sk, struct hci_dev *hdev, void *data,
4113 			    u16 len)
4114 {
4115 	struct mgmt_cp_set_device_flags *cp = data;
4116 	struct bdaddr_list_with_flags *br_params;
4117 	struct hci_conn_params *params;
4118 	u8 status = MGMT_STATUS_INVALID_PARAMS;
4119 	u32 supported_flags = SUPPORTED_DEVICE_FLAGS();
4120 	u32 current_flags = __le32_to_cpu(cp->current_flags);
4121 
4122 	bt_dev_dbg(hdev, "Set device flags %pMR (type 0x%x) = 0x%x",
4123 		   &cp->addr.bdaddr, cp->addr.type,
4124 		   __le32_to_cpu(current_flags));
4125 
4126 	if ((supported_flags | current_flags) != supported_flags) {
4127 		bt_dev_warn(hdev, "Bad flag given (0x%x) vs supported (0x%0x)",
4128 			    current_flags, supported_flags);
4129 		goto done;
4130 	}
4131 
4132 	hci_dev_lock(hdev);
4133 
4134 	if (cp->addr.type == BDADDR_BREDR) {
4135 		br_params = hci_bdaddr_list_lookup_with_flags(&hdev->accept_list,
4136 							      &cp->addr.bdaddr,
4137 							      cp->addr.type);
4138 
4139 		if (br_params) {
4140 			br_params->current_flags = current_flags;
4141 			status = MGMT_STATUS_SUCCESS;
4142 		} else {
4143 			bt_dev_warn(hdev, "No such BR/EDR device %pMR (0x%x)",
4144 				    &cp->addr.bdaddr, cp->addr.type);
4145 		}
4146 	} else {
4147 		params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr,
4148 						le_addr_type(cp->addr.type));
4149 		if (params) {
4150 			params->current_flags = current_flags;
4151 			status = MGMT_STATUS_SUCCESS;
4152 		} else {
4153 			bt_dev_warn(hdev, "No such LE device %pMR (0x%x)",
4154 				    &cp->addr.bdaddr,
4155 				    le_addr_type(cp->addr.type));
4156 		}
4157 	}
4158 
4159 done:
4160 	hci_dev_unlock(hdev);
4161 
4162 	if (status == MGMT_STATUS_SUCCESS)
4163 		device_flags_changed(sk, hdev, &cp->addr.bdaddr, cp->addr.type,
4164 				     supported_flags, current_flags);
4165 
4166 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_DEVICE_FLAGS, status,
4167 				 &cp->addr, sizeof(cp->addr));
4168 }
4169 
mgmt_adv_monitor_added(struct sock * sk,struct hci_dev * hdev,u16 handle)4170 static void mgmt_adv_monitor_added(struct sock *sk, struct hci_dev *hdev,
4171 				   u16 handle)
4172 {
4173 	struct mgmt_ev_adv_monitor_added ev;
4174 
4175 	ev.monitor_handle = cpu_to_le16(handle);
4176 
4177 	mgmt_event(MGMT_EV_ADV_MONITOR_ADDED, hdev, &ev, sizeof(ev), sk);
4178 }
4179 
mgmt_adv_monitor_removed(struct hci_dev * hdev,u16 handle)4180 void mgmt_adv_monitor_removed(struct hci_dev *hdev, u16 handle)
4181 {
4182 	struct mgmt_ev_adv_monitor_removed ev;
4183 	struct mgmt_pending_cmd *cmd;
4184 	struct sock *sk_skip = NULL;
4185 	struct mgmt_cp_remove_adv_monitor *cp;
4186 
4187 	cmd = pending_find(MGMT_OP_REMOVE_ADV_MONITOR, hdev);
4188 	if (cmd) {
4189 		cp = cmd->param;
4190 
4191 		if (cp->monitor_handle)
4192 			sk_skip = cmd->sk;
4193 	}
4194 
4195 	ev.monitor_handle = cpu_to_le16(handle);
4196 
4197 	mgmt_event(MGMT_EV_ADV_MONITOR_REMOVED, hdev, &ev, sizeof(ev), sk_skip);
4198 }
4199 
read_adv_mon_features(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)4200 static int read_adv_mon_features(struct sock *sk, struct hci_dev *hdev,
4201 				 void *data, u16 len)
4202 {
4203 	struct adv_monitor *monitor = NULL;
4204 	struct mgmt_rp_read_adv_monitor_features *rp = NULL;
4205 	int handle, err;
4206 	size_t rp_size = 0;
4207 	__u32 supported = 0;
4208 	__u32 enabled = 0;
4209 	__u16 num_handles = 0;
4210 	__u16 handles[HCI_MAX_ADV_MONITOR_NUM_HANDLES];
4211 
4212 	BT_DBG("request for %s", hdev->name);
4213 
4214 	hci_dev_lock(hdev);
4215 
4216 	if (msft_monitor_supported(hdev))
4217 		supported |= MGMT_ADV_MONITOR_FEATURE_MASK_OR_PATTERNS;
4218 
4219 	idr_for_each_entry(&hdev->adv_monitors_idr, monitor, handle)
4220 		handles[num_handles++] = monitor->handle;
4221 
4222 	hci_dev_unlock(hdev);
4223 
4224 	rp_size = sizeof(*rp) + (num_handles * sizeof(u16));
4225 	rp = kmalloc(rp_size, GFP_KERNEL);
4226 	if (!rp)
4227 		return -ENOMEM;
4228 
4229 	/* All supported features are currently enabled */
4230 	enabled = supported;
4231 
4232 	rp->supported_features = cpu_to_le32(supported);
4233 	rp->enabled_features = cpu_to_le32(enabled);
4234 	rp->max_num_handles = cpu_to_le16(HCI_MAX_ADV_MONITOR_NUM_HANDLES);
4235 	rp->max_num_patterns = HCI_MAX_ADV_MONITOR_NUM_PATTERNS;
4236 	rp->num_handles = cpu_to_le16(num_handles);
4237 	if (num_handles)
4238 		memcpy(&rp->handles, &handles, (num_handles * sizeof(u16)));
4239 
4240 	err = mgmt_cmd_complete(sk, hdev->id,
4241 				MGMT_OP_READ_ADV_MONITOR_FEATURES,
4242 				MGMT_STATUS_SUCCESS, rp, rp_size);
4243 
4244 	kfree(rp);
4245 
4246 	return err;
4247 }
4248 
mgmt_add_adv_patterns_monitor_complete(struct hci_dev * hdev,u8 status)4249 int mgmt_add_adv_patterns_monitor_complete(struct hci_dev *hdev, u8 status)
4250 {
4251 	struct mgmt_rp_add_adv_patterns_monitor rp;
4252 	struct mgmt_pending_cmd *cmd;
4253 	struct adv_monitor *monitor;
4254 	int err = 0;
4255 
4256 	hci_dev_lock(hdev);
4257 
4258 	cmd = pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR_RSSI, hdev);
4259 	if (!cmd) {
4260 		cmd = pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR, hdev);
4261 		if (!cmd)
4262 			goto done;
4263 	}
4264 
4265 	monitor = cmd->user_data;
4266 	rp.monitor_handle = cpu_to_le16(monitor->handle);
4267 
4268 	if (!status) {
4269 		mgmt_adv_monitor_added(cmd->sk, hdev, monitor->handle);
4270 		hdev->adv_monitors_cnt++;
4271 		if (monitor->state == ADV_MONITOR_STATE_NOT_REGISTERED)
4272 			monitor->state = ADV_MONITOR_STATE_REGISTERED;
4273 		hci_update_background_scan(hdev);
4274 	}
4275 
4276 	err = mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
4277 				mgmt_status(status), &rp, sizeof(rp));
4278 	mgmt_pending_remove(cmd);
4279 
4280 done:
4281 	hci_dev_unlock(hdev);
4282 	bt_dev_dbg(hdev, "add monitor %d complete, status %u",
4283 		   rp.monitor_handle, status);
4284 
4285 	return err;
4286 }
4287 
__add_adv_patterns_monitor(struct sock * sk,struct hci_dev * hdev,struct adv_monitor * m,u8 status,void * data,u16 len,u16 op)4288 static int __add_adv_patterns_monitor(struct sock *sk, struct hci_dev *hdev,
4289 				      struct adv_monitor *m, u8 status,
4290 				      void *data, u16 len, u16 op)
4291 {
4292 	struct mgmt_rp_add_adv_patterns_monitor rp;
4293 	struct mgmt_pending_cmd *cmd;
4294 	int err;
4295 	bool pending;
4296 
4297 	hci_dev_lock(hdev);
4298 
4299 	if (status)
4300 		goto unlock;
4301 
4302 	if (pending_find(MGMT_OP_SET_LE, hdev) ||
4303 	    pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR, hdev) ||
4304 	    pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR_RSSI, hdev) ||
4305 	    pending_find(MGMT_OP_REMOVE_ADV_MONITOR, hdev)) {
4306 		status = MGMT_STATUS_BUSY;
4307 		goto unlock;
4308 	}
4309 
4310 	cmd = mgmt_pending_add(sk, op, hdev, data, len);
4311 	if (!cmd) {
4312 		status = MGMT_STATUS_NO_RESOURCES;
4313 		goto unlock;
4314 	}
4315 
4316 	cmd->user_data = m;
4317 	pending = hci_add_adv_monitor(hdev, m, &err);
4318 	if (err) {
4319 		if (err == -ENOSPC || err == -ENOMEM)
4320 			status = MGMT_STATUS_NO_RESOURCES;
4321 		else if (err == -EINVAL)
4322 			status = MGMT_STATUS_INVALID_PARAMS;
4323 		else
4324 			status = MGMT_STATUS_FAILED;
4325 
4326 		mgmt_pending_remove(cmd);
4327 		goto unlock;
4328 	}
4329 
4330 	if (!pending) {
4331 		mgmt_pending_remove(cmd);
4332 		rp.monitor_handle = cpu_to_le16(m->handle);
4333 		mgmt_adv_monitor_added(sk, hdev, m->handle);
4334 		m->state = ADV_MONITOR_STATE_REGISTERED;
4335 		hdev->adv_monitors_cnt++;
4336 
4337 		hci_dev_unlock(hdev);
4338 		return mgmt_cmd_complete(sk, hdev->id, op, MGMT_STATUS_SUCCESS,
4339 					 &rp, sizeof(rp));
4340 	}
4341 
4342 	hci_dev_unlock(hdev);
4343 
4344 	return 0;
4345 
4346 unlock:
4347 	hci_free_adv_monitor(hdev, m);
4348 	hci_dev_unlock(hdev);
4349 	return mgmt_cmd_status(sk, hdev->id, op, status);
4350 }
4351 
parse_adv_monitor_rssi(struct adv_monitor * m,struct mgmt_adv_rssi_thresholds * rssi)4352 static void parse_adv_monitor_rssi(struct adv_monitor *m,
4353 				   struct mgmt_adv_rssi_thresholds *rssi)
4354 {
4355 	if (rssi) {
4356 		m->rssi.low_threshold = rssi->low_threshold;
4357 		m->rssi.low_threshold_timeout =
4358 		    __le16_to_cpu(rssi->low_threshold_timeout);
4359 		m->rssi.high_threshold = rssi->high_threshold;
4360 		m->rssi.high_threshold_timeout =
4361 		    __le16_to_cpu(rssi->high_threshold_timeout);
4362 		m->rssi.sampling_period = rssi->sampling_period;
4363 	} else {
4364 		/* Default values. These numbers are the least constricting
4365 		 * parameters for MSFT API to work, so it behaves as if there
4366 		 * are no rssi parameter to consider. May need to be changed
4367 		 * if other API are to be supported.
4368 		 */
4369 		m->rssi.low_threshold = -127;
4370 		m->rssi.low_threshold_timeout = 60;
4371 		m->rssi.high_threshold = -127;
4372 		m->rssi.high_threshold_timeout = 0;
4373 		m->rssi.sampling_period = 0;
4374 	}
4375 }
4376 
parse_adv_monitor_pattern(struct adv_monitor * m,u8 pattern_count,struct mgmt_adv_pattern * patterns)4377 static u8 parse_adv_monitor_pattern(struct adv_monitor *m, u8 pattern_count,
4378 				    struct mgmt_adv_pattern *patterns)
4379 {
4380 	u8 offset = 0, length = 0;
4381 	struct adv_pattern *p = NULL;
4382 	int i;
4383 
4384 	for (i = 0; i < pattern_count; i++) {
4385 		offset = patterns[i].offset;
4386 		length = patterns[i].length;
4387 		if (offset >= HCI_MAX_AD_LENGTH ||
4388 		    length > HCI_MAX_AD_LENGTH ||
4389 		    (offset + length) > HCI_MAX_AD_LENGTH)
4390 			return MGMT_STATUS_INVALID_PARAMS;
4391 
4392 		p = kmalloc(sizeof(*p), GFP_KERNEL);
4393 		if (!p)
4394 			return MGMT_STATUS_NO_RESOURCES;
4395 
4396 		p->ad_type = patterns[i].ad_type;
4397 		p->offset = patterns[i].offset;
4398 		p->length = patterns[i].length;
4399 		memcpy(p->value, patterns[i].value, p->length);
4400 
4401 		INIT_LIST_HEAD(&p->list);
4402 		list_add(&p->list, &m->patterns);
4403 	}
4404 
4405 	return MGMT_STATUS_SUCCESS;
4406 }
4407 
add_adv_patterns_monitor(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)4408 static int add_adv_patterns_monitor(struct sock *sk, struct hci_dev *hdev,
4409 				    void *data, u16 len)
4410 {
4411 	struct mgmt_cp_add_adv_patterns_monitor *cp = data;
4412 	struct adv_monitor *m = NULL;
4413 	u8 status = MGMT_STATUS_SUCCESS;
4414 	size_t expected_size = sizeof(*cp);
4415 
4416 	BT_DBG("request for %s", hdev->name);
4417 
4418 	if (len <= sizeof(*cp)) {
4419 		status = MGMT_STATUS_INVALID_PARAMS;
4420 		goto done;
4421 	}
4422 
4423 	expected_size += cp->pattern_count * sizeof(struct mgmt_adv_pattern);
4424 	if (len != expected_size) {
4425 		status = MGMT_STATUS_INVALID_PARAMS;
4426 		goto done;
4427 	}
4428 
4429 	m = kzalloc(sizeof(*m), GFP_KERNEL);
4430 	if (!m) {
4431 		status = MGMT_STATUS_NO_RESOURCES;
4432 		goto done;
4433 	}
4434 
4435 	INIT_LIST_HEAD(&m->patterns);
4436 
4437 	parse_adv_monitor_rssi(m, NULL);
4438 	status = parse_adv_monitor_pattern(m, cp->pattern_count, cp->patterns);
4439 
4440 done:
4441 	return __add_adv_patterns_monitor(sk, hdev, m, status, data, len,
4442 					  MGMT_OP_ADD_ADV_PATTERNS_MONITOR);
4443 }
4444 
add_adv_patterns_monitor_rssi(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)4445 static int add_adv_patterns_monitor_rssi(struct sock *sk, struct hci_dev *hdev,
4446 					 void *data, u16 len)
4447 {
4448 	struct mgmt_cp_add_adv_patterns_monitor_rssi *cp = data;
4449 	struct adv_monitor *m = NULL;
4450 	u8 status = MGMT_STATUS_SUCCESS;
4451 	size_t expected_size = sizeof(*cp);
4452 
4453 	BT_DBG("request for %s", hdev->name);
4454 
4455 	if (len <= sizeof(*cp)) {
4456 		status = MGMT_STATUS_INVALID_PARAMS;
4457 		goto done;
4458 	}
4459 
4460 	expected_size += cp->pattern_count * sizeof(struct mgmt_adv_pattern);
4461 	if (len != expected_size) {
4462 		status = MGMT_STATUS_INVALID_PARAMS;
4463 		goto done;
4464 	}
4465 
4466 	m = kzalloc(sizeof(*m), GFP_KERNEL);
4467 	if (!m) {
4468 		status = MGMT_STATUS_NO_RESOURCES;
4469 		goto done;
4470 	}
4471 
4472 	INIT_LIST_HEAD(&m->patterns);
4473 
4474 	parse_adv_monitor_rssi(m, &cp->rssi);
4475 	status = parse_adv_monitor_pattern(m, cp->pattern_count, cp->patterns);
4476 
4477 done:
4478 	return __add_adv_patterns_monitor(sk, hdev, m, status, data, len,
4479 					 MGMT_OP_ADD_ADV_PATTERNS_MONITOR_RSSI);
4480 }
4481 
mgmt_remove_adv_monitor_complete(struct hci_dev * hdev,u8 status)4482 int mgmt_remove_adv_monitor_complete(struct hci_dev *hdev, u8 status)
4483 {
4484 	struct mgmt_rp_remove_adv_monitor rp;
4485 	struct mgmt_cp_remove_adv_monitor *cp;
4486 	struct mgmt_pending_cmd *cmd;
4487 	int err = 0;
4488 
4489 	hci_dev_lock(hdev);
4490 
4491 	cmd = pending_find(MGMT_OP_REMOVE_ADV_MONITOR, hdev);
4492 	if (!cmd)
4493 		goto done;
4494 
4495 	cp = cmd->param;
4496 	rp.monitor_handle = cp->monitor_handle;
4497 
4498 	if (!status)
4499 		hci_update_background_scan(hdev);
4500 
4501 	err = mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
4502 				mgmt_status(status), &rp, sizeof(rp));
4503 	mgmt_pending_remove(cmd);
4504 
4505 done:
4506 	hci_dev_unlock(hdev);
4507 	bt_dev_dbg(hdev, "remove monitor %d complete, status %u",
4508 		   rp.monitor_handle, status);
4509 
4510 	return err;
4511 }
4512 
remove_adv_monitor(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)4513 static int remove_adv_monitor(struct sock *sk, struct hci_dev *hdev,
4514 			      void *data, u16 len)
4515 {
4516 	struct mgmt_cp_remove_adv_monitor *cp = data;
4517 	struct mgmt_rp_remove_adv_monitor rp;
4518 	struct mgmt_pending_cmd *cmd;
4519 	u16 handle = __le16_to_cpu(cp->monitor_handle);
4520 	int err, status;
4521 	bool pending;
4522 
4523 	BT_DBG("request for %s", hdev->name);
4524 	rp.monitor_handle = cp->monitor_handle;
4525 
4526 	hci_dev_lock(hdev);
4527 
4528 	if (pending_find(MGMT_OP_SET_LE, hdev) ||
4529 	    pending_find(MGMT_OP_REMOVE_ADV_MONITOR, hdev) ||
4530 	    pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR, hdev) ||
4531 	    pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR_RSSI, hdev)) {
4532 		status = MGMT_STATUS_BUSY;
4533 		goto unlock;
4534 	}
4535 
4536 	cmd = mgmt_pending_add(sk, MGMT_OP_REMOVE_ADV_MONITOR, hdev, data, len);
4537 	if (!cmd) {
4538 		status = MGMT_STATUS_NO_RESOURCES;
4539 		goto unlock;
4540 	}
4541 
4542 	if (handle)
4543 		pending = hci_remove_single_adv_monitor(hdev, handle, &err);
4544 	else
4545 		pending = hci_remove_all_adv_monitor(hdev, &err);
4546 
4547 	if (err) {
4548 		mgmt_pending_remove(cmd);
4549 
4550 		if (err == -ENOENT)
4551 			status = MGMT_STATUS_INVALID_INDEX;
4552 		else
4553 			status = MGMT_STATUS_FAILED;
4554 
4555 		goto unlock;
4556 	}
4557 
4558 	/* monitor can be removed without forwarding request to controller */
4559 	if (!pending) {
4560 		mgmt_pending_remove(cmd);
4561 		hci_dev_unlock(hdev);
4562 
4563 		return mgmt_cmd_complete(sk, hdev->id,
4564 					 MGMT_OP_REMOVE_ADV_MONITOR,
4565 					 MGMT_STATUS_SUCCESS,
4566 					 &rp, sizeof(rp));
4567 	}
4568 
4569 	hci_dev_unlock(hdev);
4570 	return 0;
4571 
4572 unlock:
4573 	hci_dev_unlock(hdev);
4574 	return mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_ADV_MONITOR,
4575 			       status);
4576 }
4577 
read_local_oob_data_complete(struct hci_dev * hdev,u8 status,u16 opcode,struct sk_buff * skb)4578 static void read_local_oob_data_complete(struct hci_dev *hdev, u8 status,
4579 				         u16 opcode, struct sk_buff *skb)
4580 {
4581 	struct mgmt_rp_read_local_oob_data mgmt_rp;
4582 	size_t rp_size = sizeof(mgmt_rp);
4583 	struct mgmt_pending_cmd *cmd;
4584 
4585 	bt_dev_dbg(hdev, "status %u", status);
4586 
4587 	cmd = pending_find(MGMT_OP_READ_LOCAL_OOB_DATA, hdev);
4588 	if (!cmd)
4589 		return;
4590 
4591 	if (status || !skb) {
4592 		mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
4593 				status ? mgmt_status(status) : MGMT_STATUS_FAILED);
4594 		goto remove;
4595 	}
4596 
4597 	memset(&mgmt_rp, 0, sizeof(mgmt_rp));
4598 
4599 	if (opcode == HCI_OP_READ_LOCAL_OOB_DATA) {
4600 		struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
4601 
4602 		if (skb->len < sizeof(*rp)) {
4603 			mgmt_cmd_status(cmd->sk, hdev->id,
4604 					MGMT_OP_READ_LOCAL_OOB_DATA,
4605 					MGMT_STATUS_FAILED);
4606 			goto remove;
4607 		}
4608 
4609 		memcpy(mgmt_rp.hash192, rp->hash, sizeof(rp->hash));
4610 		memcpy(mgmt_rp.rand192, rp->rand, sizeof(rp->rand));
4611 
4612 		rp_size -= sizeof(mgmt_rp.hash256) + sizeof(mgmt_rp.rand256);
4613 	} else {
4614 		struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
4615 
4616 		if (skb->len < sizeof(*rp)) {
4617 			mgmt_cmd_status(cmd->sk, hdev->id,
4618 					MGMT_OP_READ_LOCAL_OOB_DATA,
4619 					MGMT_STATUS_FAILED);
4620 			goto remove;
4621 		}
4622 
4623 		memcpy(mgmt_rp.hash192, rp->hash192, sizeof(rp->hash192));
4624 		memcpy(mgmt_rp.rand192, rp->rand192, sizeof(rp->rand192));
4625 
4626 		memcpy(mgmt_rp.hash256, rp->hash256, sizeof(rp->hash256));
4627 		memcpy(mgmt_rp.rand256, rp->rand256, sizeof(rp->rand256));
4628 	}
4629 
4630 	mgmt_cmd_complete(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
4631 			  MGMT_STATUS_SUCCESS, &mgmt_rp, rp_size);
4632 
4633 remove:
4634 	mgmt_pending_remove(cmd);
4635 }
4636 
read_local_oob_data(struct sock * sk,struct hci_dev * hdev,void * data,u16 data_len)4637 static int read_local_oob_data(struct sock *sk, struct hci_dev *hdev,
4638 			       void *data, u16 data_len)
4639 {
4640 	struct mgmt_pending_cmd *cmd;
4641 	struct hci_request req;
4642 	int err;
4643 
4644 	bt_dev_dbg(hdev, "sock %p", sk);
4645 
4646 	hci_dev_lock(hdev);
4647 
4648 	if (!hdev_is_powered(hdev)) {
4649 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
4650 				      MGMT_STATUS_NOT_POWERED);
4651 		goto unlock;
4652 	}
4653 
4654 	if (!lmp_ssp_capable(hdev)) {
4655 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
4656 				      MGMT_STATUS_NOT_SUPPORTED);
4657 		goto unlock;
4658 	}
4659 
4660 	if (pending_find(MGMT_OP_READ_LOCAL_OOB_DATA, hdev)) {
4661 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
4662 				      MGMT_STATUS_BUSY);
4663 		goto unlock;
4664 	}
4665 
4666 	cmd = mgmt_pending_add(sk, MGMT_OP_READ_LOCAL_OOB_DATA, hdev, NULL, 0);
4667 	if (!cmd) {
4668 		err = -ENOMEM;
4669 		goto unlock;
4670 	}
4671 
4672 	hci_req_init(&req, hdev);
4673 
4674 	if (bredr_sc_enabled(hdev))
4675 		hci_req_add(&req, HCI_OP_READ_LOCAL_OOB_EXT_DATA, 0, NULL);
4676 	else
4677 		hci_req_add(&req, HCI_OP_READ_LOCAL_OOB_DATA, 0, NULL);
4678 
4679 	err = hci_req_run_skb(&req, read_local_oob_data_complete);
4680 	if (err < 0)
4681 		mgmt_pending_remove(cmd);
4682 
4683 unlock:
4684 	hci_dev_unlock(hdev);
4685 	return err;
4686 }
4687 
add_remote_oob_data(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)4688 static int add_remote_oob_data(struct sock *sk, struct hci_dev *hdev,
4689 			       void *data, u16 len)
4690 {
4691 	struct mgmt_addr_info *addr = data;
4692 	int err;
4693 
4694 	bt_dev_dbg(hdev, "sock %p", sk);
4695 
4696 	if (!bdaddr_type_is_valid(addr->type))
4697 		return mgmt_cmd_complete(sk, hdev->id,
4698 					 MGMT_OP_ADD_REMOTE_OOB_DATA,
4699 					 MGMT_STATUS_INVALID_PARAMS,
4700 					 addr, sizeof(*addr));
4701 
4702 	hci_dev_lock(hdev);
4703 
4704 	if (len == MGMT_ADD_REMOTE_OOB_DATA_SIZE) {
4705 		struct mgmt_cp_add_remote_oob_data *cp = data;
4706 		u8 status;
4707 
4708 		if (cp->addr.type != BDADDR_BREDR) {
4709 			err = mgmt_cmd_complete(sk, hdev->id,
4710 						MGMT_OP_ADD_REMOTE_OOB_DATA,
4711 						MGMT_STATUS_INVALID_PARAMS,
4712 						&cp->addr, sizeof(cp->addr));
4713 			goto unlock;
4714 		}
4715 
4716 		err = hci_add_remote_oob_data(hdev, &cp->addr.bdaddr,
4717 					      cp->addr.type, cp->hash,
4718 					      cp->rand, NULL, NULL);
4719 		if (err < 0)
4720 			status = MGMT_STATUS_FAILED;
4721 		else
4722 			status = MGMT_STATUS_SUCCESS;
4723 
4724 		err = mgmt_cmd_complete(sk, hdev->id,
4725 					MGMT_OP_ADD_REMOTE_OOB_DATA, status,
4726 					&cp->addr, sizeof(cp->addr));
4727 	} else if (len == MGMT_ADD_REMOTE_OOB_EXT_DATA_SIZE) {
4728 		struct mgmt_cp_add_remote_oob_ext_data *cp = data;
4729 		u8 *rand192, *hash192, *rand256, *hash256;
4730 		u8 status;
4731 
4732 		if (bdaddr_type_is_le(cp->addr.type)) {
4733 			/* Enforce zero-valued 192-bit parameters as
4734 			 * long as legacy SMP OOB isn't implemented.
4735 			 */
4736 			if (memcmp(cp->rand192, ZERO_KEY, 16) ||
4737 			    memcmp(cp->hash192, ZERO_KEY, 16)) {
4738 				err = mgmt_cmd_complete(sk, hdev->id,
4739 							MGMT_OP_ADD_REMOTE_OOB_DATA,
4740 							MGMT_STATUS_INVALID_PARAMS,
4741 							addr, sizeof(*addr));
4742 				goto unlock;
4743 			}
4744 
4745 			rand192 = NULL;
4746 			hash192 = NULL;
4747 		} else {
4748 			/* In case one of the P-192 values is set to zero,
4749 			 * then just disable OOB data for P-192.
4750 			 */
4751 			if (!memcmp(cp->rand192, ZERO_KEY, 16) ||
4752 			    !memcmp(cp->hash192, ZERO_KEY, 16)) {
4753 				rand192 = NULL;
4754 				hash192 = NULL;
4755 			} else {
4756 				rand192 = cp->rand192;
4757 				hash192 = cp->hash192;
4758 			}
4759 		}
4760 
4761 		/* In case one of the P-256 values is set to zero, then just
4762 		 * disable OOB data for P-256.
4763 		 */
4764 		if (!memcmp(cp->rand256, ZERO_KEY, 16) ||
4765 		    !memcmp(cp->hash256, ZERO_KEY, 16)) {
4766 			rand256 = NULL;
4767 			hash256 = NULL;
4768 		} else {
4769 			rand256 = cp->rand256;
4770 			hash256 = cp->hash256;
4771 		}
4772 
4773 		err = hci_add_remote_oob_data(hdev, &cp->addr.bdaddr,
4774 					      cp->addr.type, hash192, rand192,
4775 					      hash256, rand256);
4776 		if (err < 0)
4777 			status = MGMT_STATUS_FAILED;
4778 		else
4779 			status = MGMT_STATUS_SUCCESS;
4780 
4781 		err = mgmt_cmd_complete(sk, hdev->id,
4782 					MGMT_OP_ADD_REMOTE_OOB_DATA,
4783 					status, &cp->addr, sizeof(cp->addr));
4784 	} else {
4785 		bt_dev_err(hdev, "add_remote_oob_data: invalid len of %u bytes",
4786 			   len);
4787 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_REMOTE_OOB_DATA,
4788 				      MGMT_STATUS_INVALID_PARAMS);
4789 	}
4790 
4791 unlock:
4792 	hci_dev_unlock(hdev);
4793 	return err;
4794 }
4795 
remove_remote_oob_data(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)4796 static int remove_remote_oob_data(struct sock *sk, struct hci_dev *hdev,
4797 				  void *data, u16 len)
4798 {
4799 	struct mgmt_cp_remove_remote_oob_data *cp = data;
4800 	u8 status;
4801 	int err;
4802 
4803 	bt_dev_dbg(hdev, "sock %p", sk);
4804 
4805 	if (cp->addr.type != BDADDR_BREDR)
4806 		return mgmt_cmd_complete(sk, hdev->id,
4807 					 MGMT_OP_REMOVE_REMOTE_OOB_DATA,
4808 					 MGMT_STATUS_INVALID_PARAMS,
4809 					 &cp->addr, sizeof(cp->addr));
4810 
4811 	hci_dev_lock(hdev);
4812 
4813 	if (!bacmp(&cp->addr.bdaddr, BDADDR_ANY)) {
4814 		hci_remote_oob_data_clear(hdev);
4815 		status = MGMT_STATUS_SUCCESS;
4816 		goto done;
4817 	}
4818 
4819 	err = hci_remove_remote_oob_data(hdev, &cp->addr.bdaddr, cp->addr.type);
4820 	if (err < 0)
4821 		status = MGMT_STATUS_INVALID_PARAMS;
4822 	else
4823 		status = MGMT_STATUS_SUCCESS;
4824 
4825 done:
4826 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
4827 				status, &cp->addr, sizeof(cp->addr));
4828 
4829 	hci_dev_unlock(hdev);
4830 	return err;
4831 }
4832 
mgmt_start_discovery_complete(struct hci_dev * hdev,u8 status)4833 void mgmt_start_discovery_complete(struct hci_dev *hdev, u8 status)
4834 {
4835 	struct mgmt_pending_cmd *cmd;
4836 
4837 	bt_dev_dbg(hdev, "status %u", status);
4838 
4839 	hci_dev_lock(hdev);
4840 
4841 	cmd = pending_find(MGMT_OP_START_DISCOVERY, hdev);
4842 	if (!cmd)
4843 		cmd = pending_find(MGMT_OP_START_SERVICE_DISCOVERY, hdev);
4844 
4845 	if (!cmd)
4846 		cmd = pending_find(MGMT_OP_START_LIMITED_DISCOVERY, hdev);
4847 
4848 	if (cmd) {
4849 		cmd->cmd_complete(cmd, mgmt_status(status));
4850 		mgmt_pending_remove(cmd);
4851 	}
4852 
4853 	hci_dev_unlock(hdev);
4854 
4855 	/* Handle suspend notifier */
4856 	if (test_and_clear_bit(SUSPEND_UNPAUSE_DISCOVERY,
4857 			       hdev->suspend_tasks)) {
4858 		bt_dev_dbg(hdev, "Unpaused discovery");
4859 		wake_up(&hdev->suspend_wait_q);
4860 	}
4861 }
4862 
discovery_type_is_valid(struct hci_dev * hdev,uint8_t type,uint8_t * mgmt_status)4863 static bool discovery_type_is_valid(struct hci_dev *hdev, uint8_t type,
4864 				    uint8_t *mgmt_status)
4865 {
4866 	switch (type) {
4867 	case DISCOV_TYPE_LE:
4868 		*mgmt_status = mgmt_le_support(hdev);
4869 		if (*mgmt_status)
4870 			return false;
4871 		break;
4872 	case DISCOV_TYPE_INTERLEAVED:
4873 		*mgmt_status = mgmt_le_support(hdev);
4874 		if (*mgmt_status)
4875 			return false;
4876 		fallthrough;
4877 	case DISCOV_TYPE_BREDR:
4878 		*mgmt_status = mgmt_bredr_support(hdev);
4879 		if (*mgmt_status)
4880 			return false;
4881 		break;
4882 	default:
4883 		*mgmt_status = MGMT_STATUS_INVALID_PARAMS;
4884 		return false;
4885 	}
4886 
4887 	return true;
4888 }
4889 
start_discovery_internal(struct sock * sk,struct hci_dev * hdev,u16 op,void * data,u16 len)4890 static int start_discovery_internal(struct sock *sk, struct hci_dev *hdev,
4891 				    u16 op, void *data, u16 len)
4892 {
4893 	struct mgmt_cp_start_discovery *cp = data;
4894 	struct mgmt_pending_cmd *cmd;
4895 	u8 status;
4896 	int err;
4897 
4898 	bt_dev_dbg(hdev, "sock %p", sk);
4899 
4900 	hci_dev_lock(hdev);
4901 
4902 	if (!hdev_is_powered(hdev)) {
4903 		err = mgmt_cmd_complete(sk, hdev->id, op,
4904 					MGMT_STATUS_NOT_POWERED,
4905 					&cp->type, sizeof(cp->type));
4906 		goto failed;
4907 	}
4908 
4909 	if (hdev->discovery.state != DISCOVERY_STOPPED ||
4910 	    hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) {
4911 		err = mgmt_cmd_complete(sk, hdev->id, op, MGMT_STATUS_BUSY,
4912 					&cp->type, sizeof(cp->type));
4913 		goto failed;
4914 	}
4915 
4916 	if (!discovery_type_is_valid(hdev, cp->type, &status)) {
4917 		err = mgmt_cmd_complete(sk, hdev->id, op, status,
4918 					&cp->type, sizeof(cp->type));
4919 		goto failed;
4920 	}
4921 
4922 	/* Can't start discovery when it is paused */
4923 	if (hdev->discovery_paused) {
4924 		err = mgmt_cmd_complete(sk, hdev->id, op, MGMT_STATUS_BUSY,
4925 					&cp->type, sizeof(cp->type));
4926 		goto failed;
4927 	}
4928 
4929 	/* Clear the discovery filter first to free any previously
4930 	 * allocated memory for the UUID list.
4931 	 */
4932 	hci_discovery_filter_clear(hdev);
4933 
4934 	hdev->discovery.type = cp->type;
4935 	hdev->discovery.report_invalid_rssi = false;
4936 	if (op == MGMT_OP_START_LIMITED_DISCOVERY)
4937 		hdev->discovery.limited = true;
4938 	else
4939 		hdev->discovery.limited = false;
4940 
4941 	cmd = mgmt_pending_add(sk, op, hdev, data, len);
4942 	if (!cmd) {
4943 		err = -ENOMEM;
4944 		goto failed;
4945 	}
4946 
4947 	cmd->cmd_complete = generic_cmd_complete;
4948 
4949 	hci_discovery_set_state(hdev, DISCOVERY_STARTING);
4950 	queue_work(hdev->req_workqueue, &hdev->discov_update);
4951 	err = 0;
4952 
4953 failed:
4954 	hci_dev_unlock(hdev);
4955 	return err;
4956 }
4957 
start_discovery(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)4958 static int start_discovery(struct sock *sk, struct hci_dev *hdev,
4959 			   void *data, u16 len)
4960 {
4961 	return start_discovery_internal(sk, hdev, MGMT_OP_START_DISCOVERY,
4962 					data, len);
4963 }
4964 
start_limited_discovery(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)4965 static int start_limited_discovery(struct sock *sk, struct hci_dev *hdev,
4966 				   void *data, u16 len)
4967 {
4968 	return start_discovery_internal(sk, hdev,
4969 					MGMT_OP_START_LIMITED_DISCOVERY,
4970 					data, len);
4971 }
4972 
service_discovery_cmd_complete(struct mgmt_pending_cmd * cmd,u8 status)4973 static int service_discovery_cmd_complete(struct mgmt_pending_cmd *cmd,
4974 					  u8 status)
4975 {
4976 	return mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status,
4977 				 cmd->param, 1);
4978 }
4979 
start_service_discovery(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)4980 static int start_service_discovery(struct sock *sk, struct hci_dev *hdev,
4981 				   void *data, u16 len)
4982 {
4983 	struct mgmt_cp_start_service_discovery *cp = data;
4984 	struct mgmt_pending_cmd *cmd;
4985 	const u16 max_uuid_count = ((U16_MAX - sizeof(*cp)) / 16);
4986 	u16 uuid_count, expected_len;
4987 	u8 status;
4988 	int err;
4989 
4990 	bt_dev_dbg(hdev, "sock %p", sk);
4991 
4992 	hci_dev_lock(hdev);
4993 
4994 	if (!hdev_is_powered(hdev)) {
4995 		err = mgmt_cmd_complete(sk, hdev->id,
4996 					MGMT_OP_START_SERVICE_DISCOVERY,
4997 					MGMT_STATUS_NOT_POWERED,
4998 					&cp->type, sizeof(cp->type));
4999 		goto failed;
5000 	}
5001 
5002 	if (hdev->discovery.state != DISCOVERY_STOPPED ||
5003 	    hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) {
5004 		err = mgmt_cmd_complete(sk, hdev->id,
5005 					MGMT_OP_START_SERVICE_DISCOVERY,
5006 					MGMT_STATUS_BUSY, &cp->type,
5007 					sizeof(cp->type));
5008 		goto failed;
5009 	}
5010 
5011 	if (hdev->discovery_paused) {
5012 		err = mgmt_cmd_complete(sk, hdev->id,
5013 					MGMT_OP_START_SERVICE_DISCOVERY,
5014 					MGMT_STATUS_BUSY, &cp->type,
5015 					sizeof(cp->type));
5016 		goto failed;
5017 	}
5018 
5019 	uuid_count = __le16_to_cpu(cp->uuid_count);
5020 	if (uuid_count > max_uuid_count) {
5021 		bt_dev_err(hdev, "service_discovery: too big uuid_count value %u",
5022 			   uuid_count);
5023 		err = mgmt_cmd_complete(sk, hdev->id,
5024 					MGMT_OP_START_SERVICE_DISCOVERY,
5025 					MGMT_STATUS_INVALID_PARAMS, &cp->type,
5026 					sizeof(cp->type));
5027 		goto failed;
5028 	}
5029 
5030 	expected_len = sizeof(*cp) + uuid_count * 16;
5031 	if (expected_len != len) {
5032 		bt_dev_err(hdev, "service_discovery: expected %u bytes, got %u bytes",
5033 			   expected_len, len);
5034 		err = mgmt_cmd_complete(sk, hdev->id,
5035 					MGMT_OP_START_SERVICE_DISCOVERY,
5036 					MGMT_STATUS_INVALID_PARAMS, &cp->type,
5037 					sizeof(cp->type));
5038 		goto failed;
5039 	}
5040 
5041 	if (!discovery_type_is_valid(hdev, cp->type, &status)) {
5042 		err = mgmt_cmd_complete(sk, hdev->id,
5043 					MGMT_OP_START_SERVICE_DISCOVERY,
5044 					status, &cp->type, sizeof(cp->type));
5045 		goto failed;
5046 	}
5047 
5048 	cmd = mgmt_pending_add(sk, MGMT_OP_START_SERVICE_DISCOVERY,
5049 			       hdev, data, len);
5050 	if (!cmd) {
5051 		err = -ENOMEM;
5052 		goto failed;
5053 	}
5054 
5055 	cmd->cmd_complete = service_discovery_cmd_complete;
5056 
5057 	/* Clear the discovery filter first to free any previously
5058 	 * allocated memory for the UUID list.
5059 	 */
5060 	hci_discovery_filter_clear(hdev);
5061 
5062 	hdev->discovery.result_filtering = true;
5063 	hdev->discovery.type = cp->type;
5064 	hdev->discovery.rssi = cp->rssi;
5065 	hdev->discovery.uuid_count = uuid_count;
5066 
5067 	if (uuid_count > 0) {
5068 		hdev->discovery.uuids = kmemdup(cp->uuids, uuid_count * 16,
5069 						GFP_KERNEL);
5070 		if (!hdev->discovery.uuids) {
5071 			err = mgmt_cmd_complete(sk, hdev->id,
5072 						MGMT_OP_START_SERVICE_DISCOVERY,
5073 						MGMT_STATUS_FAILED,
5074 						&cp->type, sizeof(cp->type));
5075 			mgmt_pending_remove(cmd);
5076 			goto failed;
5077 		}
5078 	}
5079 
5080 	hci_discovery_set_state(hdev, DISCOVERY_STARTING);
5081 	queue_work(hdev->req_workqueue, &hdev->discov_update);
5082 	err = 0;
5083 
5084 failed:
5085 	hci_dev_unlock(hdev);
5086 	return err;
5087 }
5088 
mgmt_stop_discovery_complete(struct hci_dev * hdev,u8 status)5089 void mgmt_stop_discovery_complete(struct hci_dev *hdev, u8 status)
5090 {
5091 	struct mgmt_pending_cmd *cmd;
5092 
5093 	bt_dev_dbg(hdev, "status %u", status);
5094 
5095 	hci_dev_lock(hdev);
5096 
5097 	cmd = pending_find(MGMT_OP_STOP_DISCOVERY, hdev);
5098 	if (cmd) {
5099 		cmd->cmd_complete(cmd, mgmt_status(status));
5100 		mgmt_pending_remove(cmd);
5101 	}
5102 
5103 	hci_dev_unlock(hdev);
5104 
5105 	/* Handle suspend notifier */
5106 	if (test_and_clear_bit(SUSPEND_PAUSE_DISCOVERY, hdev->suspend_tasks)) {
5107 		bt_dev_dbg(hdev, "Paused discovery");
5108 		wake_up(&hdev->suspend_wait_q);
5109 	}
5110 }
5111 
stop_discovery(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)5112 static int stop_discovery(struct sock *sk, struct hci_dev *hdev, void *data,
5113 			  u16 len)
5114 {
5115 	struct mgmt_cp_stop_discovery *mgmt_cp = data;
5116 	struct mgmt_pending_cmd *cmd;
5117 	int err;
5118 
5119 	bt_dev_dbg(hdev, "sock %p", sk);
5120 
5121 	hci_dev_lock(hdev);
5122 
5123 	if (!hci_discovery_active(hdev)) {
5124 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_STOP_DISCOVERY,
5125 					MGMT_STATUS_REJECTED, &mgmt_cp->type,
5126 					sizeof(mgmt_cp->type));
5127 		goto unlock;
5128 	}
5129 
5130 	if (hdev->discovery.type != mgmt_cp->type) {
5131 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_STOP_DISCOVERY,
5132 					MGMT_STATUS_INVALID_PARAMS,
5133 					&mgmt_cp->type, sizeof(mgmt_cp->type));
5134 		goto unlock;
5135 	}
5136 
5137 	cmd = mgmt_pending_add(sk, MGMT_OP_STOP_DISCOVERY, hdev, data, len);
5138 	if (!cmd) {
5139 		err = -ENOMEM;
5140 		goto unlock;
5141 	}
5142 
5143 	cmd->cmd_complete = generic_cmd_complete;
5144 
5145 	hci_discovery_set_state(hdev, DISCOVERY_STOPPING);
5146 	queue_work(hdev->req_workqueue, &hdev->discov_update);
5147 	err = 0;
5148 
5149 unlock:
5150 	hci_dev_unlock(hdev);
5151 	return err;
5152 }
5153 
confirm_name(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)5154 static int confirm_name(struct sock *sk, struct hci_dev *hdev, void *data,
5155 			u16 len)
5156 {
5157 	struct mgmt_cp_confirm_name *cp = data;
5158 	struct inquiry_entry *e;
5159 	int err;
5160 
5161 	bt_dev_dbg(hdev, "sock %p", sk);
5162 
5163 	hci_dev_lock(hdev);
5164 
5165 	if (!hci_discovery_active(hdev)) {
5166 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CONFIRM_NAME,
5167 					MGMT_STATUS_FAILED, &cp->addr,
5168 					sizeof(cp->addr));
5169 		goto failed;
5170 	}
5171 
5172 	e = hci_inquiry_cache_lookup_unknown(hdev, &cp->addr.bdaddr);
5173 	if (!e) {
5174 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CONFIRM_NAME,
5175 					MGMT_STATUS_INVALID_PARAMS, &cp->addr,
5176 					sizeof(cp->addr));
5177 		goto failed;
5178 	}
5179 
5180 	if (cp->name_known) {
5181 		e->name_state = NAME_KNOWN;
5182 		list_del(&e->list);
5183 	} else {
5184 		e->name_state = NAME_NEEDED;
5185 		hci_inquiry_cache_update_resolve(hdev, e);
5186 	}
5187 
5188 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CONFIRM_NAME, 0,
5189 				&cp->addr, sizeof(cp->addr));
5190 
5191 failed:
5192 	hci_dev_unlock(hdev);
5193 	return err;
5194 }
5195 
block_device(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)5196 static int block_device(struct sock *sk, struct hci_dev *hdev, void *data,
5197 			u16 len)
5198 {
5199 	struct mgmt_cp_block_device *cp = data;
5200 	u8 status;
5201 	int err;
5202 
5203 	bt_dev_dbg(hdev, "sock %p", sk);
5204 
5205 	if (!bdaddr_type_is_valid(cp->addr.type))
5206 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_BLOCK_DEVICE,
5207 					 MGMT_STATUS_INVALID_PARAMS,
5208 					 &cp->addr, sizeof(cp->addr));
5209 
5210 	hci_dev_lock(hdev);
5211 
5212 	err = hci_bdaddr_list_add(&hdev->reject_list, &cp->addr.bdaddr,
5213 				  cp->addr.type);
5214 	if (err < 0) {
5215 		status = MGMT_STATUS_FAILED;
5216 		goto done;
5217 	}
5218 
5219 	mgmt_event(MGMT_EV_DEVICE_BLOCKED, hdev, &cp->addr, sizeof(cp->addr),
5220 		   sk);
5221 	status = MGMT_STATUS_SUCCESS;
5222 
5223 done:
5224 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_BLOCK_DEVICE, status,
5225 				&cp->addr, sizeof(cp->addr));
5226 
5227 	hci_dev_unlock(hdev);
5228 
5229 	return err;
5230 }
5231 
unblock_device(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)5232 static int unblock_device(struct sock *sk, struct hci_dev *hdev, void *data,
5233 			  u16 len)
5234 {
5235 	struct mgmt_cp_unblock_device *cp = data;
5236 	u8 status;
5237 	int err;
5238 
5239 	bt_dev_dbg(hdev, "sock %p", sk);
5240 
5241 	if (!bdaddr_type_is_valid(cp->addr.type))
5242 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNBLOCK_DEVICE,
5243 					 MGMT_STATUS_INVALID_PARAMS,
5244 					 &cp->addr, sizeof(cp->addr));
5245 
5246 	hci_dev_lock(hdev);
5247 
5248 	err = hci_bdaddr_list_del(&hdev->reject_list, &cp->addr.bdaddr,
5249 				  cp->addr.type);
5250 	if (err < 0) {
5251 		status = MGMT_STATUS_INVALID_PARAMS;
5252 		goto done;
5253 	}
5254 
5255 	mgmt_event(MGMT_EV_DEVICE_UNBLOCKED, hdev, &cp->addr, sizeof(cp->addr),
5256 		   sk);
5257 	status = MGMT_STATUS_SUCCESS;
5258 
5259 done:
5260 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNBLOCK_DEVICE, status,
5261 				&cp->addr, sizeof(cp->addr));
5262 
5263 	hci_dev_unlock(hdev);
5264 
5265 	return err;
5266 }
5267 
set_device_id(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)5268 static int set_device_id(struct sock *sk, struct hci_dev *hdev, void *data,
5269 			 u16 len)
5270 {
5271 	struct mgmt_cp_set_device_id *cp = data;
5272 	struct hci_request req;
5273 	int err;
5274 	__u16 source;
5275 
5276 	bt_dev_dbg(hdev, "sock %p", sk);
5277 
5278 	source = __le16_to_cpu(cp->source);
5279 
5280 	if (source > 0x0002)
5281 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEVICE_ID,
5282 				       MGMT_STATUS_INVALID_PARAMS);
5283 
5284 	hci_dev_lock(hdev);
5285 
5286 	hdev->devid_source = source;
5287 	hdev->devid_vendor = __le16_to_cpu(cp->vendor);
5288 	hdev->devid_product = __le16_to_cpu(cp->product);
5289 	hdev->devid_version = __le16_to_cpu(cp->version);
5290 
5291 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_DEVICE_ID, 0,
5292 				NULL, 0);
5293 
5294 	hci_req_init(&req, hdev);
5295 	__hci_req_update_eir(&req);
5296 	hci_req_run(&req, NULL);
5297 
5298 	hci_dev_unlock(hdev);
5299 
5300 	return err;
5301 }
5302 
enable_advertising_instance(struct hci_dev * hdev,u8 status,u16 opcode)5303 static void enable_advertising_instance(struct hci_dev *hdev, u8 status,
5304 					u16 opcode)
5305 {
5306 	bt_dev_dbg(hdev, "status %u", status);
5307 }
5308 
set_advertising_complete(struct hci_dev * hdev,u8 status,u16 opcode)5309 static void set_advertising_complete(struct hci_dev *hdev, u8 status,
5310 				     u16 opcode)
5311 {
5312 	struct cmd_lookup match = { NULL, hdev };
5313 	struct hci_request req;
5314 	u8 instance;
5315 	struct adv_info *adv_instance;
5316 	int err;
5317 
5318 	hci_dev_lock(hdev);
5319 
5320 	if (status) {
5321 		u8 mgmt_err = mgmt_status(status);
5322 
5323 		mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev,
5324 				     cmd_status_rsp, &mgmt_err);
5325 		goto unlock;
5326 	}
5327 
5328 	if (hci_dev_test_flag(hdev, HCI_LE_ADV))
5329 		hci_dev_set_flag(hdev, HCI_ADVERTISING);
5330 	else
5331 		hci_dev_clear_flag(hdev, HCI_ADVERTISING);
5332 
5333 	mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev, settings_rsp,
5334 			     &match);
5335 
5336 	new_settings(hdev, match.sk);
5337 
5338 	if (match.sk)
5339 		sock_put(match.sk);
5340 
5341 	/* Handle suspend notifier */
5342 	if (test_and_clear_bit(SUSPEND_PAUSE_ADVERTISING,
5343 			       hdev->suspend_tasks)) {
5344 		bt_dev_dbg(hdev, "Paused advertising");
5345 		wake_up(&hdev->suspend_wait_q);
5346 	} else if (test_and_clear_bit(SUSPEND_UNPAUSE_ADVERTISING,
5347 				      hdev->suspend_tasks)) {
5348 		bt_dev_dbg(hdev, "Unpaused advertising");
5349 		wake_up(&hdev->suspend_wait_q);
5350 	}
5351 
5352 	/* If "Set Advertising" was just disabled and instance advertising was
5353 	 * set up earlier, then re-enable multi-instance advertising.
5354 	 */
5355 	if (hci_dev_test_flag(hdev, HCI_ADVERTISING) ||
5356 	    list_empty(&hdev->adv_instances))
5357 		goto unlock;
5358 
5359 	instance = hdev->cur_adv_instance;
5360 	if (!instance) {
5361 		adv_instance = list_first_entry_or_null(&hdev->adv_instances,
5362 							struct adv_info, list);
5363 		if (!adv_instance)
5364 			goto unlock;
5365 
5366 		instance = adv_instance->instance;
5367 	}
5368 
5369 	hci_req_init(&req, hdev);
5370 
5371 	err = __hci_req_schedule_adv_instance(&req, instance, true);
5372 
5373 	if (!err)
5374 		err = hci_req_run(&req, enable_advertising_instance);
5375 
5376 	if (err)
5377 		bt_dev_err(hdev, "failed to re-configure advertising");
5378 
5379 unlock:
5380 	hci_dev_unlock(hdev);
5381 }
5382 
set_advertising(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)5383 static int set_advertising(struct sock *sk, struct hci_dev *hdev, void *data,
5384 			   u16 len)
5385 {
5386 	struct mgmt_mode *cp = data;
5387 	struct mgmt_pending_cmd *cmd;
5388 	struct hci_request req;
5389 	u8 val, status;
5390 	int err;
5391 
5392 	bt_dev_dbg(hdev, "sock %p", sk);
5393 
5394 	status = mgmt_le_support(hdev);
5395 	if (status)
5396 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
5397 				       status);
5398 
5399 	/* Enabling the experimental LL Privay support disables support for
5400 	 * advertising.
5401 	 */
5402 	if (hci_dev_test_flag(hdev, HCI_ENABLE_LL_PRIVACY))
5403 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
5404 				       MGMT_STATUS_NOT_SUPPORTED);
5405 
5406 	if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
5407 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
5408 				       MGMT_STATUS_INVALID_PARAMS);
5409 
5410 	if (hdev->advertising_paused)
5411 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
5412 				       MGMT_STATUS_BUSY);
5413 
5414 	hci_dev_lock(hdev);
5415 
5416 	val = !!cp->val;
5417 
5418 	/* The following conditions are ones which mean that we should
5419 	 * not do any HCI communication but directly send a mgmt
5420 	 * response to user space (after toggling the flag if
5421 	 * necessary).
5422 	 */
5423 	if (!hdev_is_powered(hdev) ||
5424 	    (val == hci_dev_test_flag(hdev, HCI_ADVERTISING) &&
5425 	     (cp->val == 0x02) == hci_dev_test_flag(hdev, HCI_ADVERTISING_CONNECTABLE)) ||
5426 	    hci_conn_num(hdev, LE_LINK) > 0 ||
5427 	    (hci_dev_test_flag(hdev, HCI_LE_SCAN) &&
5428 	     hdev->le_scan_type == LE_SCAN_ACTIVE)) {
5429 		bool changed;
5430 
5431 		if (cp->val) {
5432 			hdev->cur_adv_instance = 0x00;
5433 			changed = !hci_dev_test_and_set_flag(hdev, HCI_ADVERTISING);
5434 			if (cp->val == 0x02)
5435 				hci_dev_set_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
5436 			else
5437 				hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
5438 		} else {
5439 			changed = hci_dev_test_and_clear_flag(hdev, HCI_ADVERTISING);
5440 			hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
5441 		}
5442 
5443 		err = send_settings_rsp(sk, MGMT_OP_SET_ADVERTISING, hdev);
5444 		if (err < 0)
5445 			goto unlock;
5446 
5447 		if (changed)
5448 			err = new_settings(hdev, sk);
5449 
5450 		goto unlock;
5451 	}
5452 
5453 	if (pending_find(MGMT_OP_SET_ADVERTISING, hdev) ||
5454 	    pending_find(MGMT_OP_SET_LE, hdev)) {
5455 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
5456 				      MGMT_STATUS_BUSY);
5457 		goto unlock;
5458 	}
5459 
5460 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_ADVERTISING, hdev, data, len);
5461 	if (!cmd) {
5462 		err = -ENOMEM;
5463 		goto unlock;
5464 	}
5465 
5466 	hci_req_init(&req, hdev);
5467 
5468 	if (cp->val == 0x02)
5469 		hci_dev_set_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
5470 	else
5471 		hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
5472 
5473 	cancel_adv_timeout(hdev);
5474 
5475 	if (val) {
5476 		/* Switch to instance "0" for the Set Advertising setting.
5477 		 * We cannot use update_[adv|scan_rsp]_data() here as the
5478 		 * HCI_ADVERTISING flag is not yet set.
5479 		 */
5480 		hdev->cur_adv_instance = 0x00;
5481 
5482 		if (ext_adv_capable(hdev)) {
5483 			__hci_req_start_ext_adv(&req, 0x00);
5484 		} else {
5485 			__hci_req_update_adv_data(&req, 0x00);
5486 			__hci_req_update_scan_rsp_data(&req, 0x00);
5487 			__hci_req_enable_advertising(&req);
5488 		}
5489 	} else {
5490 		__hci_req_disable_advertising(&req);
5491 	}
5492 
5493 	err = hci_req_run(&req, set_advertising_complete);
5494 	if (err < 0)
5495 		mgmt_pending_remove(cmd);
5496 
5497 unlock:
5498 	hci_dev_unlock(hdev);
5499 	return err;
5500 }
5501 
set_static_address(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)5502 static int set_static_address(struct sock *sk, struct hci_dev *hdev,
5503 			      void *data, u16 len)
5504 {
5505 	struct mgmt_cp_set_static_address *cp = data;
5506 	int err;
5507 
5508 	bt_dev_dbg(hdev, "sock %p", sk);
5509 
5510 	if (!lmp_le_capable(hdev))
5511 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_STATIC_ADDRESS,
5512 				       MGMT_STATUS_NOT_SUPPORTED);
5513 
5514 	if (hdev_is_powered(hdev))
5515 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_STATIC_ADDRESS,
5516 				       MGMT_STATUS_REJECTED);
5517 
5518 	if (bacmp(&cp->bdaddr, BDADDR_ANY)) {
5519 		if (!bacmp(&cp->bdaddr, BDADDR_NONE))
5520 			return mgmt_cmd_status(sk, hdev->id,
5521 					       MGMT_OP_SET_STATIC_ADDRESS,
5522 					       MGMT_STATUS_INVALID_PARAMS);
5523 
5524 		/* Two most significant bits shall be set */
5525 		if ((cp->bdaddr.b[5] & 0xc0) != 0xc0)
5526 			return mgmt_cmd_status(sk, hdev->id,
5527 					       MGMT_OP_SET_STATIC_ADDRESS,
5528 					       MGMT_STATUS_INVALID_PARAMS);
5529 	}
5530 
5531 	hci_dev_lock(hdev);
5532 
5533 	bacpy(&hdev->static_addr, &cp->bdaddr);
5534 
5535 	err = send_settings_rsp(sk, MGMT_OP_SET_STATIC_ADDRESS, hdev);
5536 	if (err < 0)
5537 		goto unlock;
5538 
5539 	err = new_settings(hdev, sk);
5540 
5541 unlock:
5542 	hci_dev_unlock(hdev);
5543 	return err;
5544 }
5545 
set_scan_params(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)5546 static int set_scan_params(struct sock *sk, struct hci_dev *hdev,
5547 			   void *data, u16 len)
5548 {
5549 	struct mgmt_cp_set_scan_params *cp = data;
5550 	__u16 interval, window;
5551 	int err;
5552 
5553 	bt_dev_dbg(hdev, "sock %p", sk);
5554 
5555 	if (!lmp_le_capable(hdev))
5556 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
5557 				       MGMT_STATUS_NOT_SUPPORTED);
5558 
5559 	interval = __le16_to_cpu(cp->interval);
5560 
5561 	if (interval < 0x0004 || interval > 0x4000)
5562 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
5563 				       MGMT_STATUS_INVALID_PARAMS);
5564 
5565 	window = __le16_to_cpu(cp->window);
5566 
5567 	if (window < 0x0004 || window > 0x4000)
5568 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
5569 				       MGMT_STATUS_INVALID_PARAMS);
5570 
5571 	if (window > interval)
5572 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
5573 				       MGMT_STATUS_INVALID_PARAMS);
5574 
5575 	hci_dev_lock(hdev);
5576 
5577 	hdev->le_scan_interval = interval;
5578 	hdev->le_scan_window = window;
5579 
5580 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS, 0,
5581 				NULL, 0);
5582 
5583 	/* If background scan is running, restart it so new parameters are
5584 	 * loaded.
5585 	 */
5586 	if (hci_dev_test_flag(hdev, HCI_LE_SCAN) &&
5587 	    hdev->discovery.state == DISCOVERY_STOPPED) {
5588 		struct hci_request req;
5589 
5590 		hci_req_init(&req, hdev);
5591 
5592 		hci_req_add_le_scan_disable(&req, false);
5593 		hci_req_add_le_passive_scan(&req);
5594 
5595 		hci_req_run(&req, NULL);
5596 	}
5597 
5598 	hci_dev_unlock(hdev);
5599 
5600 	return err;
5601 }
5602 
fast_connectable_complete(struct hci_dev * hdev,u8 status,u16 opcode)5603 static void fast_connectable_complete(struct hci_dev *hdev, u8 status,
5604 				      u16 opcode)
5605 {
5606 	struct mgmt_pending_cmd *cmd;
5607 
5608 	bt_dev_dbg(hdev, "status 0x%02x", status);
5609 
5610 	hci_dev_lock(hdev);
5611 
5612 	cmd = pending_find(MGMT_OP_SET_FAST_CONNECTABLE, hdev);
5613 	if (!cmd)
5614 		goto unlock;
5615 
5616 	if (status) {
5617 		mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
5618 			        mgmt_status(status));
5619 	} else {
5620 		struct mgmt_mode *cp = cmd->param;
5621 
5622 		if (cp->val)
5623 			hci_dev_set_flag(hdev, HCI_FAST_CONNECTABLE);
5624 		else
5625 			hci_dev_clear_flag(hdev, HCI_FAST_CONNECTABLE);
5626 
5627 		send_settings_rsp(cmd->sk, MGMT_OP_SET_FAST_CONNECTABLE, hdev);
5628 		new_settings(hdev, cmd->sk);
5629 	}
5630 
5631 	mgmt_pending_remove(cmd);
5632 
5633 unlock:
5634 	hci_dev_unlock(hdev);
5635 }
5636 
set_fast_connectable(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)5637 static int set_fast_connectable(struct sock *sk, struct hci_dev *hdev,
5638 				void *data, u16 len)
5639 {
5640 	struct mgmt_mode *cp = data;
5641 	struct mgmt_pending_cmd *cmd;
5642 	struct hci_request req;
5643 	int err;
5644 
5645 	bt_dev_dbg(hdev, "sock %p", sk);
5646 
5647 	if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) ||
5648 	    hdev->hci_ver < BLUETOOTH_VER_1_2)
5649 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
5650 				       MGMT_STATUS_NOT_SUPPORTED);
5651 
5652 	if (cp->val != 0x00 && cp->val != 0x01)
5653 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
5654 				       MGMT_STATUS_INVALID_PARAMS);
5655 
5656 	hci_dev_lock(hdev);
5657 
5658 	if (pending_find(MGMT_OP_SET_FAST_CONNECTABLE, hdev)) {
5659 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
5660 				      MGMT_STATUS_BUSY);
5661 		goto unlock;
5662 	}
5663 
5664 	if (!!cp->val == hci_dev_test_flag(hdev, HCI_FAST_CONNECTABLE)) {
5665 		err = send_settings_rsp(sk, MGMT_OP_SET_FAST_CONNECTABLE,
5666 					hdev);
5667 		goto unlock;
5668 	}
5669 
5670 	if (!hdev_is_powered(hdev)) {
5671 		hci_dev_change_flag(hdev, HCI_FAST_CONNECTABLE);
5672 		err = send_settings_rsp(sk, MGMT_OP_SET_FAST_CONNECTABLE,
5673 					hdev);
5674 		new_settings(hdev, sk);
5675 		goto unlock;
5676 	}
5677 
5678 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_FAST_CONNECTABLE, hdev,
5679 			       data, len);
5680 	if (!cmd) {
5681 		err = -ENOMEM;
5682 		goto unlock;
5683 	}
5684 
5685 	hci_req_init(&req, hdev);
5686 
5687 	__hci_req_write_fast_connectable(&req, cp->val);
5688 
5689 	err = hci_req_run(&req, fast_connectable_complete);
5690 	if (err < 0) {
5691 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
5692 				      MGMT_STATUS_FAILED);
5693 		mgmt_pending_remove(cmd);
5694 	}
5695 
5696 unlock:
5697 	hci_dev_unlock(hdev);
5698 
5699 	return err;
5700 }
5701 
set_bredr_complete(struct hci_dev * hdev,u8 status,u16 opcode)5702 static void set_bredr_complete(struct hci_dev *hdev, u8 status, u16 opcode)
5703 {
5704 	struct mgmt_pending_cmd *cmd;
5705 
5706 	bt_dev_dbg(hdev, "status 0x%02x", status);
5707 
5708 	hci_dev_lock(hdev);
5709 
5710 	cmd = pending_find(MGMT_OP_SET_BREDR, hdev);
5711 	if (!cmd)
5712 		goto unlock;
5713 
5714 	if (status) {
5715 		u8 mgmt_err = mgmt_status(status);
5716 
5717 		/* We need to restore the flag if related HCI commands
5718 		 * failed.
5719 		 */
5720 		hci_dev_clear_flag(hdev, HCI_BREDR_ENABLED);
5721 
5722 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
5723 	} else {
5724 		send_settings_rsp(cmd->sk, MGMT_OP_SET_BREDR, hdev);
5725 		new_settings(hdev, cmd->sk);
5726 	}
5727 
5728 	mgmt_pending_remove(cmd);
5729 
5730 unlock:
5731 	hci_dev_unlock(hdev);
5732 }
5733 
set_bredr(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)5734 static int set_bredr(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
5735 {
5736 	struct mgmt_mode *cp = data;
5737 	struct mgmt_pending_cmd *cmd;
5738 	struct hci_request req;
5739 	int err;
5740 
5741 	bt_dev_dbg(hdev, "sock %p", sk);
5742 
5743 	if (!lmp_bredr_capable(hdev) || !lmp_le_capable(hdev))
5744 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
5745 				       MGMT_STATUS_NOT_SUPPORTED);
5746 
5747 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
5748 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
5749 				       MGMT_STATUS_REJECTED);
5750 
5751 	if (cp->val != 0x00 && cp->val != 0x01)
5752 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
5753 				       MGMT_STATUS_INVALID_PARAMS);
5754 
5755 	hci_dev_lock(hdev);
5756 
5757 	if (cp->val == hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
5758 		err = send_settings_rsp(sk, MGMT_OP_SET_BREDR, hdev);
5759 		goto unlock;
5760 	}
5761 
5762 	if (!hdev_is_powered(hdev)) {
5763 		if (!cp->val) {
5764 			hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
5765 			hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
5766 			hci_dev_clear_flag(hdev, HCI_LINK_SECURITY);
5767 			hci_dev_clear_flag(hdev, HCI_FAST_CONNECTABLE);
5768 			hci_dev_clear_flag(hdev, HCI_HS_ENABLED);
5769 		}
5770 
5771 		hci_dev_change_flag(hdev, HCI_BREDR_ENABLED);
5772 
5773 		err = send_settings_rsp(sk, MGMT_OP_SET_BREDR, hdev);
5774 		if (err < 0)
5775 			goto unlock;
5776 
5777 		err = new_settings(hdev, sk);
5778 		goto unlock;
5779 	}
5780 
5781 	/* Reject disabling when powered on */
5782 	if (!cp->val) {
5783 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
5784 				      MGMT_STATUS_REJECTED);
5785 		goto unlock;
5786 	} else {
5787 		/* When configuring a dual-mode controller to operate
5788 		 * with LE only and using a static address, then switching
5789 		 * BR/EDR back on is not allowed.
5790 		 *
5791 		 * Dual-mode controllers shall operate with the public
5792 		 * address as its identity address for BR/EDR and LE. So
5793 		 * reject the attempt to create an invalid configuration.
5794 		 *
5795 		 * The same restrictions applies when secure connections
5796 		 * has been enabled. For BR/EDR this is a controller feature
5797 		 * while for LE it is a host stack feature. This means that
5798 		 * switching BR/EDR back on when secure connections has been
5799 		 * enabled is not a supported transaction.
5800 		 */
5801 		if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
5802 		    (bacmp(&hdev->static_addr, BDADDR_ANY) ||
5803 		     hci_dev_test_flag(hdev, HCI_SC_ENABLED))) {
5804 			err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
5805 					      MGMT_STATUS_REJECTED);
5806 			goto unlock;
5807 		}
5808 	}
5809 
5810 	if (pending_find(MGMT_OP_SET_BREDR, hdev)) {
5811 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
5812 				      MGMT_STATUS_BUSY);
5813 		goto unlock;
5814 	}
5815 
5816 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_BREDR, hdev, data, len);
5817 	if (!cmd) {
5818 		err = -ENOMEM;
5819 		goto unlock;
5820 	}
5821 
5822 	/* We need to flip the bit already here so that
5823 	 * hci_req_update_adv_data generates the correct flags.
5824 	 */
5825 	hci_dev_set_flag(hdev, HCI_BREDR_ENABLED);
5826 
5827 	hci_req_init(&req, hdev);
5828 
5829 	__hci_req_write_fast_connectable(&req, false);
5830 	__hci_req_update_scan(&req);
5831 
5832 	/* Since only the advertising data flags will change, there
5833 	 * is no need to update the scan response data.
5834 	 */
5835 	__hci_req_update_adv_data(&req, hdev->cur_adv_instance);
5836 
5837 	err = hci_req_run(&req, set_bredr_complete);
5838 	if (err < 0)
5839 		mgmt_pending_remove(cmd);
5840 
5841 unlock:
5842 	hci_dev_unlock(hdev);
5843 	return err;
5844 }
5845 
sc_enable_complete(struct hci_dev * hdev,u8 status,u16 opcode)5846 static void sc_enable_complete(struct hci_dev *hdev, u8 status, u16 opcode)
5847 {
5848 	struct mgmt_pending_cmd *cmd;
5849 	struct mgmt_mode *cp;
5850 
5851 	bt_dev_dbg(hdev, "status %u", status);
5852 
5853 	hci_dev_lock(hdev);
5854 
5855 	cmd = pending_find(MGMT_OP_SET_SECURE_CONN, hdev);
5856 	if (!cmd)
5857 		goto unlock;
5858 
5859 	if (status) {
5860 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode,
5861 			        mgmt_status(status));
5862 		goto remove;
5863 	}
5864 
5865 	cp = cmd->param;
5866 
5867 	switch (cp->val) {
5868 	case 0x00:
5869 		hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
5870 		hci_dev_clear_flag(hdev, HCI_SC_ONLY);
5871 		break;
5872 	case 0x01:
5873 		hci_dev_set_flag(hdev, HCI_SC_ENABLED);
5874 		hci_dev_clear_flag(hdev, HCI_SC_ONLY);
5875 		break;
5876 	case 0x02:
5877 		hci_dev_set_flag(hdev, HCI_SC_ENABLED);
5878 		hci_dev_set_flag(hdev, HCI_SC_ONLY);
5879 		break;
5880 	}
5881 
5882 	send_settings_rsp(cmd->sk, MGMT_OP_SET_SECURE_CONN, hdev);
5883 	new_settings(hdev, cmd->sk);
5884 
5885 remove:
5886 	mgmt_pending_remove(cmd);
5887 unlock:
5888 	hci_dev_unlock(hdev);
5889 }
5890 
set_secure_conn(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)5891 static int set_secure_conn(struct sock *sk, struct hci_dev *hdev,
5892 			   void *data, u16 len)
5893 {
5894 	struct mgmt_mode *cp = data;
5895 	struct mgmt_pending_cmd *cmd;
5896 	struct hci_request req;
5897 	u8 val;
5898 	int err;
5899 
5900 	bt_dev_dbg(hdev, "sock %p", sk);
5901 
5902 	if (!lmp_sc_capable(hdev) &&
5903 	    !hci_dev_test_flag(hdev, HCI_LE_ENABLED))
5904 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
5905 				       MGMT_STATUS_NOT_SUPPORTED);
5906 
5907 	if (hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
5908 	    lmp_sc_capable(hdev) &&
5909 	    !hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
5910 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
5911 				       MGMT_STATUS_REJECTED);
5912 
5913 	if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
5914 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
5915 				  MGMT_STATUS_INVALID_PARAMS);
5916 
5917 	hci_dev_lock(hdev);
5918 
5919 	if (!hdev_is_powered(hdev) || !lmp_sc_capable(hdev) ||
5920 	    !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
5921 		bool changed;
5922 
5923 		if (cp->val) {
5924 			changed = !hci_dev_test_and_set_flag(hdev,
5925 							     HCI_SC_ENABLED);
5926 			if (cp->val == 0x02)
5927 				hci_dev_set_flag(hdev, HCI_SC_ONLY);
5928 			else
5929 				hci_dev_clear_flag(hdev, HCI_SC_ONLY);
5930 		} else {
5931 			changed = hci_dev_test_and_clear_flag(hdev,
5932 							      HCI_SC_ENABLED);
5933 			hci_dev_clear_flag(hdev, HCI_SC_ONLY);
5934 		}
5935 
5936 		err = send_settings_rsp(sk, MGMT_OP_SET_SECURE_CONN, hdev);
5937 		if (err < 0)
5938 			goto failed;
5939 
5940 		if (changed)
5941 			err = new_settings(hdev, sk);
5942 
5943 		goto failed;
5944 	}
5945 
5946 	if (pending_find(MGMT_OP_SET_SECURE_CONN, hdev)) {
5947 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
5948 				      MGMT_STATUS_BUSY);
5949 		goto failed;
5950 	}
5951 
5952 	val = !!cp->val;
5953 
5954 	if (val == hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
5955 	    (cp->val == 0x02) == hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
5956 		err = send_settings_rsp(sk, MGMT_OP_SET_SECURE_CONN, hdev);
5957 		goto failed;
5958 	}
5959 
5960 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_SECURE_CONN, hdev, data, len);
5961 	if (!cmd) {
5962 		err = -ENOMEM;
5963 		goto failed;
5964 	}
5965 
5966 	hci_req_init(&req, hdev);
5967 	hci_req_add(&req, HCI_OP_WRITE_SC_SUPPORT, 1, &val);
5968 	err = hci_req_run(&req, sc_enable_complete);
5969 	if (err < 0) {
5970 		mgmt_pending_remove(cmd);
5971 		goto failed;
5972 	}
5973 
5974 failed:
5975 	hci_dev_unlock(hdev);
5976 	return err;
5977 }
5978 
set_debug_keys(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)5979 static int set_debug_keys(struct sock *sk, struct hci_dev *hdev,
5980 			  void *data, u16 len)
5981 {
5982 	struct mgmt_mode *cp = data;
5983 	bool changed, use_changed;
5984 	int err;
5985 
5986 	bt_dev_dbg(hdev, "sock %p", sk);
5987 
5988 	if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
5989 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEBUG_KEYS,
5990 				       MGMT_STATUS_INVALID_PARAMS);
5991 
5992 	hci_dev_lock(hdev);
5993 
5994 	if (cp->val)
5995 		changed = !hci_dev_test_and_set_flag(hdev, HCI_KEEP_DEBUG_KEYS);
5996 	else
5997 		changed = hci_dev_test_and_clear_flag(hdev,
5998 						      HCI_KEEP_DEBUG_KEYS);
5999 
6000 	if (cp->val == 0x02)
6001 		use_changed = !hci_dev_test_and_set_flag(hdev,
6002 							 HCI_USE_DEBUG_KEYS);
6003 	else
6004 		use_changed = hci_dev_test_and_clear_flag(hdev,
6005 							  HCI_USE_DEBUG_KEYS);
6006 
6007 	if (hdev_is_powered(hdev) && use_changed &&
6008 	    hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
6009 		u8 mode = (cp->val == 0x02) ? 0x01 : 0x00;
6010 		hci_send_cmd(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE,
6011 			     sizeof(mode), &mode);
6012 	}
6013 
6014 	err = send_settings_rsp(sk, MGMT_OP_SET_DEBUG_KEYS, hdev);
6015 	if (err < 0)
6016 		goto unlock;
6017 
6018 	if (changed)
6019 		err = new_settings(hdev, sk);
6020 
6021 unlock:
6022 	hci_dev_unlock(hdev);
6023 	return err;
6024 }
6025 
set_privacy(struct sock * sk,struct hci_dev * hdev,void * cp_data,u16 len)6026 static int set_privacy(struct sock *sk, struct hci_dev *hdev, void *cp_data,
6027 		       u16 len)
6028 {
6029 	struct mgmt_cp_set_privacy *cp = cp_data;
6030 	bool changed;
6031 	int err;
6032 
6033 	bt_dev_dbg(hdev, "sock %p", sk);
6034 
6035 	if (!lmp_le_capable(hdev))
6036 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PRIVACY,
6037 				       MGMT_STATUS_NOT_SUPPORTED);
6038 
6039 	if (cp->privacy != 0x00 && cp->privacy != 0x01 && cp->privacy != 0x02)
6040 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PRIVACY,
6041 				       MGMT_STATUS_INVALID_PARAMS);
6042 
6043 	if (hdev_is_powered(hdev))
6044 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PRIVACY,
6045 				       MGMT_STATUS_REJECTED);
6046 
6047 	hci_dev_lock(hdev);
6048 
6049 	/* If user space supports this command it is also expected to
6050 	 * handle IRKs. Therefore, set the HCI_RPA_RESOLVING flag.
6051 	 */
6052 	hci_dev_set_flag(hdev, HCI_RPA_RESOLVING);
6053 
6054 	if (cp->privacy) {
6055 		changed = !hci_dev_test_and_set_flag(hdev, HCI_PRIVACY);
6056 		memcpy(hdev->irk, cp->irk, sizeof(hdev->irk));
6057 		hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
6058 		hci_adv_instances_set_rpa_expired(hdev, true);
6059 		if (cp->privacy == 0x02)
6060 			hci_dev_set_flag(hdev, HCI_LIMITED_PRIVACY);
6061 		else
6062 			hci_dev_clear_flag(hdev, HCI_LIMITED_PRIVACY);
6063 	} else {
6064 		changed = hci_dev_test_and_clear_flag(hdev, HCI_PRIVACY);
6065 		memset(hdev->irk, 0, sizeof(hdev->irk));
6066 		hci_dev_clear_flag(hdev, HCI_RPA_EXPIRED);
6067 		hci_adv_instances_set_rpa_expired(hdev, false);
6068 		hci_dev_clear_flag(hdev, HCI_LIMITED_PRIVACY);
6069 	}
6070 
6071 	err = send_settings_rsp(sk, MGMT_OP_SET_PRIVACY, hdev);
6072 	if (err < 0)
6073 		goto unlock;
6074 
6075 	if (changed)
6076 		err = new_settings(hdev, sk);
6077 
6078 unlock:
6079 	hci_dev_unlock(hdev);
6080 	return err;
6081 }
6082 
irk_is_valid(struct mgmt_irk_info * irk)6083 static bool irk_is_valid(struct mgmt_irk_info *irk)
6084 {
6085 	switch (irk->addr.type) {
6086 	case BDADDR_LE_PUBLIC:
6087 		return true;
6088 
6089 	case BDADDR_LE_RANDOM:
6090 		/* Two most significant bits shall be set */
6091 		if ((irk->addr.bdaddr.b[5] & 0xc0) != 0xc0)
6092 			return false;
6093 		return true;
6094 	}
6095 
6096 	return false;
6097 }
6098 
load_irks(struct sock * sk,struct hci_dev * hdev,void * cp_data,u16 len)6099 static int load_irks(struct sock *sk, struct hci_dev *hdev, void *cp_data,
6100 		     u16 len)
6101 {
6102 	struct mgmt_cp_load_irks *cp = cp_data;
6103 	const u16 max_irk_count = ((U16_MAX - sizeof(*cp)) /
6104 				   sizeof(struct mgmt_irk_info));
6105 	u16 irk_count, expected_len;
6106 	int i, err;
6107 
6108 	bt_dev_dbg(hdev, "sock %p", sk);
6109 
6110 	if (!lmp_le_capable(hdev))
6111 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_IRKS,
6112 				       MGMT_STATUS_NOT_SUPPORTED);
6113 
6114 	irk_count = __le16_to_cpu(cp->irk_count);
6115 	if (irk_count > max_irk_count) {
6116 		bt_dev_err(hdev, "load_irks: too big irk_count value %u",
6117 			   irk_count);
6118 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_IRKS,
6119 				       MGMT_STATUS_INVALID_PARAMS);
6120 	}
6121 
6122 	expected_len = struct_size(cp, irks, irk_count);
6123 	if (expected_len != len) {
6124 		bt_dev_err(hdev, "load_irks: expected %u bytes, got %u bytes",
6125 			   expected_len, len);
6126 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_IRKS,
6127 				       MGMT_STATUS_INVALID_PARAMS);
6128 	}
6129 
6130 	bt_dev_dbg(hdev, "irk_count %u", irk_count);
6131 
6132 	for (i = 0; i < irk_count; i++) {
6133 		struct mgmt_irk_info *key = &cp->irks[i];
6134 
6135 		if (!irk_is_valid(key))
6136 			return mgmt_cmd_status(sk, hdev->id,
6137 					       MGMT_OP_LOAD_IRKS,
6138 					       MGMT_STATUS_INVALID_PARAMS);
6139 	}
6140 
6141 	hci_dev_lock(hdev);
6142 
6143 	hci_smp_irks_clear(hdev);
6144 
6145 	for (i = 0; i < irk_count; i++) {
6146 		struct mgmt_irk_info *irk = &cp->irks[i];
6147 
6148 		if (hci_is_blocked_key(hdev,
6149 				       HCI_BLOCKED_KEY_TYPE_IRK,
6150 				       irk->val)) {
6151 			bt_dev_warn(hdev, "Skipping blocked IRK for %pMR",
6152 				    &irk->addr.bdaddr);
6153 			continue;
6154 		}
6155 
6156 		hci_add_irk(hdev, &irk->addr.bdaddr,
6157 			    le_addr_type(irk->addr.type), irk->val,
6158 			    BDADDR_ANY);
6159 	}
6160 
6161 	hci_dev_set_flag(hdev, HCI_RPA_RESOLVING);
6162 
6163 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_IRKS, 0, NULL, 0);
6164 
6165 	hci_dev_unlock(hdev);
6166 
6167 	return err;
6168 }
6169 
ltk_is_valid(struct mgmt_ltk_info * key)6170 static bool ltk_is_valid(struct mgmt_ltk_info *key)
6171 {
6172 	if (key->initiator != 0x00 && key->initiator != 0x01)
6173 		return false;
6174 
6175 	switch (key->addr.type) {
6176 	case BDADDR_LE_PUBLIC:
6177 		return true;
6178 
6179 	case BDADDR_LE_RANDOM:
6180 		/* Two most significant bits shall be set */
6181 		if ((key->addr.bdaddr.b[5] & 0xc0) != 0xc0)
6182 			return false;
6183 		return true;
6184 	}
6185 
6186 	return false;
6187 }
6188 
load_long_term_keys(struct sock * sk,struct hci_dev * hdev,void * cp_data,u16 len)6189 static int load_long_term_keys(struct sock *sk, struct hci_dev *hdev,
6190 			       void *cp_data, u16 len)
6191 {
6192 	struct mgmt_cp_load_long_term_keys *cp = cp_data;
6193 	const u16 max_key_count = ((U16_MAX - sizeof(*cp)) /
6194 				   sizeof(struct mgmt_ltk_info));
6195 	u16 key_count, expected_len;
6196 	int i, err;
6197 
6198 	bt_dev_dbg(hdev, "sock %p", sk);
6199 
6200 	if (!lmp_le_capable(hdev))
6201 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS,
6202 				       MGMT_STATUS_NOT_SUPPORTED);
6203 
6204 	key_count = __le16_to_cpu(cp->key_count);
6205 	if (key_count > max_key_count) {
6206 		bt_dev_err(hdev, "load_ltks: too big key_count value %u",
6207 			   key_count);
6208 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS,
6209 				       MGMT_STATUS_INVALID_PARAMS);
6210 	}
6211 
6212 	expected_len = struct_size(cp, keys, key_count);
6213 	if (expected_len != len) {
6214 		bt_dev_err(hdev, "load_keys: expected %u bytes, got %u bytes",
6215 			   expected_len, len);
6216 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS,
6217 				       MGMT_STATUS_INVALID_PARAMS);
6218 	}
6219 
6220 	bt_dev_dbg(hdev, "key_count %u", key_count);
6221 
6222 	for (i = 0; i < key_count; i++) {
6223 		struct mgmt_ltk_info *key = &cp->keys[i];
6224 
6225 		if (!ltk_is_valid(key))
6226 			return mgmt_cmd_status(sk, hdev->id,
6227 					       MGMT_OP_LOAD_LONG_TERM_KEYS,
6228 					       MGMT_STATUS_INVALID_PARAMS);
6229 	}
6230 
6231 	hci_dev_lock(hdev);
6232 
6233 	hci_smp_ltks_clear(hdev);
6234 
6235 	for (i = 0; i < key_count; i++) {
6236 		struct mgmt_ltk_info *key = &cp->keys[i];
6237 		u8 type, authenticated;
6238 
6239 		if (hci_is_blocked_key(hdev,
6240 				       HCI_BLOCKED_KEY_TYPE_LTK,
6241 				       key->val)) {
6242 			bt_dev_warn(hdev, "Skipping blocked LTK for %pMR",
6243 				    &key->addr.bdaddr);
6244 			continue;
6245 		}
6246 
6247 		switch (key->type) {
6248 		case MGMT_LTK_UNAUTHENTICATED:
6249 			authenticated = 0x00;
6250 			type = key->initiator ? SMP_LTK : SMP_LTK_RESPONDER;
6251 			break;
6252 		case MGMT_LTK_AUTHENTICATED:
6253 			authenticated = 0x01;
6254 			type = key->initiator ? SMP_LTK : SMP_LTK_RESPONDER;
6255 			break;
6256 		case MGMT_LTK_P256_UNAUTH:
6257 			authenticated = 0x00;
6258 			type = SMP_LTK_P256;
6259 			break;
6260 		case MGMT_LTK_P256_AUTH:
6261 			authenticated = 0x01;
6262 			type = SMP_LTK_P256;
6263 			break;
6264 		case MGMT_LTK_P256_DEBUG:
6265 			authenticated = 0x00;
6266 			type = SMP_LTK_P256_DEBUG;
6267 			fallthrough;
6268 		default:
6269 			continue;
6270 		}
6271 
6272 		hci_add_ltk(hdev, &key->addr.bdaddr,
6273 			    le_addr_type(key->addr.type), type, authenticated,
6274 			    key->val, key->enc_size, key->ediv, key->rand);
6275 	}
6276 
6277 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS, 0,
6278 			   NULL, 0);
6279 
6280 	hci_dev_unlock(hdev);
6281 
6282 	return err;
6283 }
6284 
conn_info_cmd_complete(struct mgmt_pending_cmd * cmd,u8 status)6285 static int conn_info_cmd_complete(struct mgmt_pending_cmd *cmd, u8 status)
6286 {
6287 	struct hci_conn *conn = cmd->user_data;
6288 	struct mgmt_rp_get_conn_info rp;
6289 	int err;
6290 
6291 	memcpy(&rp.addr, cmd->param, sizeof(rp.addr));
6292 
6293 	if (status == MGMT_STATUS_SUCCESS) {
6294 		rp.rssi = conn->rssi;
6295 		rp.tx_power = conn->tx_power;
6296 		rp.max_tx_power = conn->max_tx_power;
6297 	} else {
6298 		rp.rssi = HCI_RSSI_INVALID;
6299 		rp.tx_power = HCI_TX_POWER_INVALID;
6300 		rp.max_tx_power = HCI_TX_POWER_INVALID;
6301 	}
6302 
6303 	err = mgmt_cmd_complete(cmd->sk, cmd->index, MGMT_OP_GET_CONN_INFO,
6304 				status, &rp, sizeof(rp));
6305 
6306 	hci_conn_drop(conn);
6307 	hci_conn_put(conn);
6308 
6309 	return err;
6310 }
6311 
conn_info_refresh_complete(struct hci_dev * hdev,u8 hci_status,u16 opcode)6312 static void conn_info_refresh_complete(struct hci_dev *hdev, u8 hci_status,
6313 				       u16 opcode)
6314 {
6315 	struct hci_cp_read_rssi *cp;
6316 	struct mgmt_pending_cmd *cmd;
6317 	struct hci_conn *conn;
6318 	u16 handle;
6319 	u8 status;
6320 
6321 	bt_dev_dbg(hdev, "status 0x%02x", hci_status);
6322 
6323 	hci_dev_lock(hdev);
6324 
6325 	/* Commands sent in request are either Read RSSI or Read Transmit Power
6326 	 * Level so we check which one was last sent to retrieve connection
6327 	 * handle.  Both commands have handle as first parameter so it's safe to
6328 	 * cast data on the same command struct.
6329 	 *
6330 	 * First command sent is always Read RSSI and we fail only if it fails.
6331 	 * In other case we simply override error to indicate success as we
6332 	 * already remembered if TX power value is actually valid.
6333 	 */
6334 	cp = hci_sent_cmd_data(hdev, HCI_OP_READ_RSSI);
6335 	if (!cp) {
6336 		cp = hci_sent_cmd_data(hdev, HCI_OP_READ_TX_POWER);
6337 		status = MGMT_STATUS_SUCCESS;
6338 	} else {
6339 		status = mgmt_status(hci_status);
6340 	}
6341 
6342 	if (!cp) {
6343 		bt_dev_err(hdev, "invalid sent_cmd in conn_info response");
6344 		goto unlock;
6345 	}
6346 
6347 	handle = __le16_to_cpu(cp->handle);
6348 	conn = hci_conn_hash_lookup_handle(hdev, handle);
6349 	if (!conn) {
6350 		bt_dev_err(hdev, "unknown handle (%u) in conn_info response",
6351 			   handle);
6352 		goto unlock;
6353 	}
6354 
6355 	cmd = pending_find_data(MGMT_OP_GET_CONN_INFO, hdev, conn);
6356 	if (!cmd)
6357 		goto unlock;
6358 
6359 	cmd->cmd_complete(cmd, status);
6360 	mgmt_pending_remove(cmd);
6361 
6362 unlock:
6363 	hci_dev_unlock(hdev);
6364 }
6365 
get_conn_info(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)6366 static int get_conn_info(struct sock *sk, struct hci_dev *hdev, void *data,
6367 			 u16 len)
6368 {
6369 	struct mgmt_cp_get_conn_info *cp = data;
6370 	struct mgmt_rp_get_conn_info rp;
6371 	struct hci_conn *conn;
6372 	unsigned long conn_info_age;
6373 	int err = 0;
6374 
6375 	bt_dev_dbg(hdev, "sock %p", sk);
6376 
6377 	memset(&rp, 0, sizeof(rp));
6378 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
6379 	rp.addr.type = cp->addr.type;
6380 
6381 	if (!bdaddr_type_is_valid(cp->addr.type))
6382 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
6383 					 MGMT_STATUS_INVALID_PARAMS,
6384 					 &rp, sizeof(rp));
6385 
6386 	hci_dev_lock(hdev);
6387 
6388 	if (!hdev_is_powered(hdev)) {
6389 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
6390 					MGMT_STATUS_NOT_POWERED, &rp,
6391 					sizeof(rp));
6392 		goto unlock;
6393 	}
6394 
6395 	if (cp->addr.type == BDADDR_BREDR)
6396 		conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
6397 					       &cp->addr.bdaddr);
6398 	else
6399 		conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->addr.bdaddr);
6400 
6401 	if (!conn || conn->state != BT_CONNECTED) {
6402 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
6403 					MGMT_STATUS_NOT_CONNECTED, &rp,
6404 					sizeof(rp));
6405 		goto unlock;
6406 	}
6407 
6408 	if (pending_find_data(MGMT_OP_GET_CONN_INFO, hdev, conn)) {
6409 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
6410 					MGMT_STATUS_BUSY, &rp, sizeof(rp));
6411 		goto unlock;
6412 	}
6413 
6414 	/* To avoid client trying to guess when to poll again for information we
6415 	 * calculate conn info age as random value between min/max set in hdev.
6416 	 */
6417 	conn_info_age = hdev->conn_info_min_age +
6418 			prandom_u32_max(hdev->conn_info_max_age -
6419 					hdev->conn_info_min_age);
6420 
6421 	/* Query controller to refresh cached values if they are too old or were
6422 	 * never read.
6423 	 */
6424 	if (time_after(jiffies, conn->conn_info_timestamp +
6425 		       msecs_to_jiffies(conn_info_age)) ||
6426 	    !conn->conn_info_timestamp) {
6427 		struct hci_request req;
6428 		struct hci_cp_read_tx_power req_txp_cp;
6429 		struct hci_cp_read_rssi req_rssi_cp;
6430 		struct mgmt_pending_cmd *cmd;
6431 
6432 		hci_req_init(&req, hdev);
6433 		req_rssi_cp.handle = cpu_to_le16(conn->handle);
6434 		hci_req_add(&req, HCI_OP_READ_RSSI, sizeof(req_rssi_cp),
6435 			    &req_rssi_cp);
6436 
6437 		/* For LE links TX power does not change thus we don't need to
6438 		 * query for it once value is known.
6439 		 */
6440 		if (!bdaddr_type_is_le(cp->addr.type) ||
6441 		    conn->tx_power == HCI_TX_POWER_INVALID) {
6442 			req_txp_cp.handle = cpu_to_le16(conn->handle);
6443 			req_txp_cp.type = 0x00;
6444 			hci_req_add(&req, HCI_OP_READ_TX_POWER,
6445 				    sizeof(req_txp_cp), &req_txp_cp);
6446 		}
6447 
6448 		/* Max TX power needs to be read only once per connection */
6449 		if (conn->max_tx_power == HCI_TX_POWER_INVALID) {
6450 			req_txp_cp.handle = cpu_to_le16(conn->handle);
6451 			req_txp_cp.type = 0x01;
6452 			hci_req_add(&req, HCI_OP_READ_TX_POWER,
6453 				    sizeof(req_txp_cp), &req_txp_cp);
6454 		}
6455 
6456 		err = hci_req_run(&req, conn_info_refresh_complete);
6457 		if (err < 0)
6458 			goto unlock;
6459 
6460 		cmd = mgmt_pending_add(sk, MGMT_OP_GET_CONN_INFO, hdev,
6461 				       data, len);
6462 		if (!cmd) {
6463 			err = -ENOMEM;
6464 			goto unlock;
6465 		}
6466 
6467 		hci_conn_hold(conn);
6468 		cmd->user_data = hci_conn_get(conn);
6469 		cmd->cmd_complete = conn_info_cmd_complete;
6470 
6471 		conn->conn_info_timestamp = jiffies;
6472 	} else {
6473 		/* Cache is valid, just reply with values cached in hci_conn */
6474 		rp.rssi = conn->rssi;
6475 		rp.tx_power = conn->tx_power;
6476 		rp.max_tx_power = conn->max_tx_power;
6477 
6478 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
6479 					MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
6480 	}
6481 
6482 unlock:
6483 	hci_dev_unlock(hdev);
6484 	return err;
6485 }
6486 
clock_info_cmd_complete(struct mgmt_pending_cmd * cmd,u8 status)6487 static int clock_info_cmd_complete(struct mgmt_pending_cmd *cmd, u8 status)
6488 {
6489 	struct hci_conn *conn = cmd->user_data;
6490 	struct mgmt_rp_get_clock_info rp;
6491 	struct hci_dev *hdev;
6492 	int err;
6493 
6494 	memset(&rp, 0, sizeof(rp));
6495 	memcpy(&rp.addr, cmd->param, sizeof(rp.addr));
6496 
6497 	if (status)
6498 		goto complete;
6499 
6500 	hdev = hci_dev_get(cmd->index);
6501 	if (hdev) {
6502 		rp.local_clock = cpu_to_le32(hdev->clock);
6503 		hci_dev_put(hdev);
6504 	}
6505 
6506 	if (conn) {
6507 		rp.piconet_clock = cpu_to_le32(conn->clock);
6508 		rp.accuracy = cpu_to_le16(conn->clock_accuracy);
6509 	}
6510 
6511 complete:
6512 	err = mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status, &rp,
6513 				sizeof(rp));
6514 
6515 	if (conn) {
6516 		hci_conn_drop(conn);
6517 		hci_conn_put(conn);
6518 	}
6519 
6520 	return err;
6521 }
6522 
get_clock_info_complete(struct hci_dev * hdev,u8 status,u16 opcode)6523 static void get_clock_info_complete(struct hci_dev *hdev, u8 status, u16 opcode)
6524 {
6525 	struct hci_cp_read_clock *hci_cp;
6526 	struct mgmt_pending_cmd *cmd;
6527 	struct hci_conn *conn;
6528 
6529 	bt_dev_dbg(hdev, "status %u", status);
6530 
6531 	hci_dev_lock(hdev);
6532 
6533 	hci_cp = hci_sent_cmd_data(hdev, HCI_OP_READ_CLOCK);
6534 	if (!hci_cp)
6535 		goto unlock;
6536 
6537 	if (hci_cp->which) {
6538 		u16 handle = __le16_to_cpu(hci_cp->handle);
6539 		conn = hci_conn_hash_lookup_handle(hdev, handle);
6540 	} else {
6541 		conn = NULL;
6542 	}
6543 
6544 	cmd = pending_find_data(MGMT_OP_GET_CLOCK_INFO, hdev, conn);
6545 	if (!cmd)
6546 		goto unlock;
6547 
6548 	cmd->cmd_complete(cmd, mgmt_status(status));
6549 	mgmt_pending_remove(cmd);
6550 
6551 unlock:
6552 	hci_dev_unlock(hdev);
6553 }
6554 
get_clock_info(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)6555 static int get_clock_info(struct sock *sk, struct hci_dev *hdev, void *data,
6556 			 u16 len)
6557 {
6558 	struct mgmt_cp_get_clock_info *cp = data;
6559 	struct mgmt_rp_get_clock_info rp;
6560 	struct hci_cp_read_clock hci_cp;
6561 	struct mgmt_pending_cmd *cmd;
6562 	struct hci_request req;
6563 	struct hci_conn *conn;
6564 	int err;
6565 
6566 	bt_dev_dbg(hdev, "sock %p", sk);
6567 
6568 	memset(&rp, 0, sizeof(rp));
6569 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
6570 	rp.addr.type = cp->addr.type;
6571 
6572 	if (cp->addr.type != BDADDR_BREDR)
6573 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CLOCK_INFO,
6574 					 MGMT_STATUS_INVALID_PARAMS,
6575 					 &rp, sizeof(rp));
6576 
6577 	hci_dev_lock(hdev);
6578 
6579 	if (!hdev_is_powered(hdev)) {
6580 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CLOCK_INFO,
6581 					MGMT_STATUS_NOT_POWERED, &rp,
6582 					sizeof(rp));
6583 		goto unlock;
6584 	}
6585 
6586 	if (bacmp(&cp->addr.bdaddr, BDADDR_ANY)) {
6587 		conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
6588 					       &cp->addr.bdaddr);
6589 		if (!conn || conn->state != BT_CONNECTED) {
6590 			err = mgmt_cmd_complete(sk, hdev->id,
6591 						MGMT_OP_GET_CLOCK_INFO,
6592 						MGMT_STATUS_NOT_CONNECTED,
6593 						&rp, sizeof(rp));
6594 			goto unlock;
6595 		}
6596 	} else {
6597 		conn = NULL;
6598 	}
6599 
6600 	cmd = mgmt_pending_add(sk, MGMT_OP_GET_CLOCK_INFO, hdev, data, len);
6601 	if (!cmd) {
6602 		err = -ENOMEM;
6603 		goto unlock;
6604 	}
6605 
6606 	cmd->cmd_complete = clock_info_cmd_complete;
6607 
6608 	hci_req_init(&req, hdev);
6609 
6610 	memset(&hci_cp, 0, sizeof(hci_cp));
6611 	hci_req_add(&req, HCI_OP_READ_CLOCK, sizeof(hci_cp), &hci_cp);
6612 
6613 	if (conn) {
6614 		hci_conn_hold(conn);
6615 		cmd->user_data = hci_conn_get(conn);
6616 
6617 		hci_cp.handle = cpu_to_le16(conn->handle);
6618 		hci_cp.which = 0x01; /* Piconet clock */
6619 		hci_req_add(&req, HCI_OP_READ_CLOCK, sizeof(hci_cp), &hci_cp);
6620 	}
6621 
6622 	err = hci_req_run(&req, get_clock_info_complete);
6623 	if (err < 0)
6624 		mgmt_pending_remove(cmd);
6625 
6626 unlock:
6627 	hci_dev_unlock(hdev);
6628 	return err;
6629 }
6630 
is_connected(struct hci_dev * hdev,bdaddr_t * addr,u8 type)6631 static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type)
6632 {
6633 	struct hci_conn *conn;
6634 
6635 	conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, addr);
6636 	if (!conn)
6637 		return false;
6638 
6639 	if (conn->dst_type != type)
6640 		return false;
6641 
6642 	if (conn->state != BT_CONNECTED)
6643 		return false;
6644 
6645 	return true;
6646 }
6647 
6648 /* This function requires the caller holds hdev->lock */
hci_conn_params_set(struct hci_dev * hdev,bdaddr_t * addr,u8 addr_type,u8 auto_connect)6649 static int hci_conn_params_set(struct hci_dev *hdev, bdaddr_t *addr,
6650 			       u8 addr_type, u8 auto_connect)
6651 {
6652 	struct hci_conn_params *params;
6653 
6654 	params = hci_conn_params_add(hdev, addr, addr_type);
6655 	if (!params)
6656 		return -EIO;
6657 
6658 	if (params->auto_connect == auto_connect)
6659 		return 0;
6660 
6661 	list_del_init(&params->action);
6662 
6663 	switch (auto_connect) {
6664 	case HCI_AUTO_CONN_DISABLED:
6665 	case HCI_AUTO_CONN_LINK_LOSS:
6666 		/* If auto connect is being disabled when we're trying to
6667 		 * connect to device, keep connecting.
6668 		 */
6669 		if (params->explicit_connect)
6670 			list_add(&params->action, &hdev->pend_le_conns);
6671 		break;
6672 	case HCI_AUTO_CONN_REPORT:
6673 		if (params->explicit_connect)
6674 			list_add(&params->action, &hdev->pend_le_conns);
6675 		else
6676 			list_add(&params->action, &hdev->pend_le_reports);
6677 		break;
6678 	case HCI_AUTO_CONN_DIRECT:
6679 	case HCI_AUTO_CONN_ALWAYS:
6680 		if (!is_connected(hdev, addr, addr_type))
6681 			list_add(&params->action, &hdev->pend_le_conns);
6682 		break;
6683 	}
6684 
6685 	params->auto_connect = auto_connect;
6686 
6687 	bt_dev_dbg(hdev, "addr %pMR (type %u) auto_connect %u",
6688 		   addr, addr_type, auto_connect);
6689 
6690 	return 0;
6691 }
6692 
device_added(struct sock * sk,struct hci_dev * hdev,bdaddr_t * bdaddr,u8 type,u8 action)6693 static void device_added(struct sock *sk, struct hci_dev *hdev,
6694 			 bdaddr_t *bdaddr, u8 type, u8 action)
6695 {
6696 	struct mgmt_ev_device_added ev;
6697 
6698 	bacpy(&ev.addr.bdaddr, bdaddr);
6699 	ev.addr.type = type;
6700 	ev.action = action;
6701 
6702 	mgmt_event(MGMT_EV_DEVICE_ADDED, hdev, &ev, sizeof(ev), sk);
6703 }
6704 
add_device(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)6705 static int add_device(struct sock *sk, struct hci_dev *hdev,
6706 		      void *data, u16 len)
6707 {
6708 	struct mgmt_cp_add_device *cp = data;
6709 	u8 auto_conn, addr_type;
6710 	struct hci_conn_params *params;
6711 	int err;
6712 	u32 current_flags = 0;
6713 
6714 	bt_dev_dbg(hdev, "sock %p", sk);
6715 
6716 	if (!bdaddr_type_is_valid(cp->addr.type) ||
6717 	    !bacmp(&cp->addr.bdaddr, BDADDR_ANY))
6718 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
6719 					 MGMT_STATUS_INVALID_PARAMS,
6720 					 &cp->addr, sizeof(cp->addr));
6721 
6722 	if (cp->action != 0x00 && cp->action != 0x01 && cp->action != 0x02)
6723 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
6724 					 MGMT_STATUS_INVALID_PARAMS,
6725 					 &cp->addr, sizeof(cp->addr));
6726 
6727 	hci_dev_lock(hdev);
6728 
6729 	if (cp->addr.type == BDADDR_BREDR) {
6730 		/* Only incoming connections action is supported for now */
6731 		if (cp->action != 0x01) {
6732 			err = mgmt_cmd_complete(sk, hdev->id,
6733 						MGMT_OP_ADD_DEVICE,
6734 						MGMT_STATUS_INVALID_PARAMS,
6735 						&cp->addr, sizeof(cp->addr));
6736 			goto unlock;
6737 		}
6738 
6739 		err = hci_bdaddr_list_add_with_flags(&hdev->accept_list,
6740 						     &cp->addr.bdaddr,
6741 						     cp->addr.type, 0);
6742 		if (err)
6743 			goto unlock;
6744 
6745 		hci_req_update_scan(hdev);
6746 
6747 		goto added;
6748 	}
6749 
6750 	addr_type = le_addr_type(cp->addr.type);
6751 
6752 	if (cp->action == 0x02)
6753 		auto_conn = HCI_AUTO_CONN_ALWAYS;
6754 	else if (cp->action == 0x01)
6755 		auto_conn = HCI_AUTO_CONN_DIRECT;
6756 	else
6757 		auto_conn = HCI_AUTO_CONN_REPORT;
6758 
6759 	/* Kernel internally uses conn_params with resolvable private
6760 	 * address, but Add Device allows only identity addresses.
6761 	 * Make sure it is enforced before calling
6762 	 * hci_conn_params_lookup.
6763 	 */
6764 	if (!hci_is_identity_address(&cp->addr.bdaddr, addr_type)) {
6765 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
6766 					MGMT_STATUS_INVALID_PARAMS,
6767 					&cp->addr, sizeof(cp->addr));
6768 		goto unlock;
6769 	}
6770 
6771 	/* If the connection parameters don't exist for this device,
6772 	 * they will be created and configured with defaults.
6773 	 */
6774 	if (hci_conn_params_set(hdev, &cp->addr.bdaddr, addr_type,
6775 				auto_conn) < 0) {
6776 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
6777 					MGMT_STATUS_FAILED, &cp->addr,
6778 					sizeof(cp->addr));
6779 		goto unlock;
6780 	} else {
6781 		params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr,
6782 						addr_type);
6783 		if (params)
6784 			current_flags = params->current_flags;
6785 	}
6786 
6787 	hci_update_background_scan(hdev);
6788 
6789 added:
6790 	device_added(sk, hdev, &cp->addr.bdaddr, cp->addr.type, cp->action);
6791 	device_flags_changed(NULL, hdev, &cp->addr.bdaddr, cp->addr.type,
6792 			     SUPPORTED_DEVICE_FLAGS(), current_flags);
6793 
6794 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
6795 				MGMT_STATUS_SUCCESS, &cp->addr,
6796 				sizeof(cp->addr));
6797 
6798 unlock:
6799 	hci_dev_unlock(hdev);
6800 	return err;
6801 }
6802 
device_removed(struct sock * sk,struct hci_dev * hdev,bdaddr_t * bdaddr,u8 type)6803 static void device_removed(struct sock *sk, struct hci_dev *hdev,
6804 			   bdaddr_t *bdaddr, u8 type)
6805 {
6806 	struct mgmt_ev_device_removed ev;
6807 
6808 	bacpy(&ev.addr.bdaddr, bdaddr);
6809 	ev.addr.type = type;
6810 
6811 	mgmt_event(MGMT_EV_DEVICE_REMOVED, hdev, &ev, sizeof(ev), sk);
6812 }
6813 
remove_device(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)6814 static int remove_device(struct sock *sk, struct hci_dev *hdev,
6815 			 void *data, u16 len)
6816 {
6817 	struct mgmt_cp_remove_device *cp = data;
6818 	int err;
6819 
6820 	bt_dev_dbg(hdev, "sock %p", sk);
6821 
6822 	hci_dev_lock(hdev);
6823 
6824 	if (bacmp(&cp->addr.bdaddr, BDADDR_ANY)) {
6825 		struct hci_conn_params *params;
6826 		u8 addr_type;
6827 
6828 		if (!bdaddr_type_is_valid(cp->addr.type)) {
6829 			err = mgmt_cmd_complete(sk, hdev->id,
6830 						MGMT_OP_REMOVE_DEVICE,
6831 						MGMT_STATUS_INVALID_PARAMS,
6832 						&cp->addr, sizeof(cp->addr));
6833 			goto unlock;
6834 		}
6835 
6836 		if (cp->addr.type == BDADDR_BREDR) {
6837 			err = hci_bdaddr_list_del(&hdev->accept_list,
6838 						  &cp->addr.bdaddr,
6839 						  cp->addr.type);
6840 			if (err) {
6841 				err = mgmt_cmd_complete(sk, hdev->id,
6842 							MGMT_OP_REMOVE_DEVICE,
6843 							MGMT_STATUS_INVALID_PARAMS,
6844 							&cp->addr,
6845 							sizeof(cp->addr));
6846 				goto unlock;
6847 			}
6848 
6849 			hci_req_update_scan(hdev);
6850 
6851 			device_removed(sk, hdev, &cp->addr.bdaddr,
6852 				       cp->addr.type);
6853 			goto complete;
6854 		}
6855 
6856 		addr_type = le_addr_type(cp->addr.type);
6857 
6858 		/* Kernel internally uses conn_params with resolvable private
6859 		 * address, but Remove Device allows only identity addresses.
6860 		 * Make sure it is enforced before calling
6861 		 * hci_conn_params_lookup.
6862 		 */
6863 		if (!hci_is_identity_address(&cp->addr.bdaddr, addr_type)) {
6864 			err = mgmt_cmd_complete(sk, hdev->id,
6865 						MGMT_OP_REMOVE_DEVICE,
6866 						MGMT_STATUS_INVALID_PARAMS,
6867 						&cp->addr, sizeof(cp->addr));
6868 			goto unlock;
6869 		}
6870 
6871 		params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr,
6872 						addr_type);
6873 		if (!params) {
6874 			err = mgmt_cmd_complete(sk, hdev->id,
6875 						MGMT_OP_REMOVE_DEVICE,
6876 						MGMT_STATUS_INVALID_PARAMS,
6877 						&cp->addr, sizeof(cp->addr));
6878 			goto unlock;
6879 		}
6880 
6881 		if (params->auto_connect == HCI_AUTO_CONN_DISABLED ||
6882 		    params->auto_connect == HCI_AUTO_CONN_EXPLICIT) {
6883 			err = mgmt_cmd_complete(sk, hdev->id,
6884 						MGMT_OP_REMOVE_DEVICE,
6885 						MGMT_STATUS_INVALID_PARAMS,
6886 						&cp->addr, sizeof(cp->addr));
6887 			goto unlock;
6888 		}
6889 
6890 		list_del(&params->action);
6891 		list_del(&params->list);
6892 		kfree(params);
6893 		hci_update_background_scan(hdev);
6894 
6895 		device_removed(sk, hdev, &cp->addr.bdaddr, cp->addr.type);
6896 	} else {
6897 		struct hci_conn_params *p, *tmp;
6898 		struct bdaddr_list *b, *btmp;
6899 
6900 		if (cp->addr.type) {
6901 			err = mgmt_cmd_complete(sk, hdev->id,
6902 						MGMT_OP_REMOVE_DEVICE,
6903 						MGMT_STATUS_INVALID_PARAMS,
6904 						&cp->addr, sizeof(cp->addr));
6905 			goto unlock;
6906 		}
6907 
6908 		list_for_each_entry_safe(b, btmp, &hdev->accept_list, list) {
6909 			device_removed(sk, hdev, &b->bdaddr, b->bdaddr_type);
6910 			list_del(&b->list);
6911 			kfree(b);
6912 		}
6913 
6914 		hci_req_update_scan(hdev);
6915 
6916 		list_for_each_entry_safe(p, tmp, &hdev->le_conn_params, list) {
6917 			if (p->auto_connect == HCI_AUTO_CONN_DISABLED)
6918 				continue;
6919 			device_removed(sk, hdev, &p->addr, p->addr_type);
6920 			if (p->explicit_connect) {
6921 				p->auto_connect = HCI_AUTO_CONN_EXPLICIT;
6922 				continue;
6923 			}
6924 			list_del(&p->action);
6925 			list_del(&p->list);
6926 			kfree(p);
6927 		}
6928 
6929 		bt_dev_dbg(hdev, "All LE connection parameters were removed");
6930 
6931 		hci_update_background_scan(hdev);
6932 	}
6933 
6934 complete:
6935 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_DEVICE,
6936 				MGMT_STATUS_SUCCESS, &cp->addr,
6937 				sizeof(cp->addr));
6938 unlock:
6939 	hci_dev_unlock(hdev);
6940 	return err;
6941 }
6942 
load_conn_param(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)6943 static int load_conn_param(struct sock *sk, struct hci_dev *hdev, void *data,
6944 			   u16 len)
6945 {
6946 	struct mgmt_cp_load_conn_param *cp = data;
6947 	const u16 max_param_count = ((U16_MAX - sizeof(*cp)) /
6948 				     sizeof(struct mgmt_conn_param));
6949 	u16 param_count, expected_len;
6950 	int i;
6951 
6952 	if (!lmp_le_capable(hdev))
6953 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM,
6954 				       MGMT_STATUS_NOT_SUPPORTED);
6955 
6956 	param_count = __le16_to_cpu(cp->param_count);
6957 	if (param_count > max_param_count) {
6958 		bt_dev_err(hdev, "load_conn_param: too big param_count value %u",
6959 			   param_count);
6960 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM,
6961 				       MGMT_STATUS_INVALID_PARAMS);
6962 	}
6963 
6964 	expected_len = struct_size(cp, params, param_count);
6965 	if (expected_len != len) {
6966 		bt_dev_err(hdev, "load_conn_param: expected %u bytes, got %u bytes",
6967 			   expected_len, len);
6968 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM,
6969 				       MGMT_STATUS_INVALID_PARAMS);
6970 	}
6971 
6972 	bt_dev_dbg(hdev, "param_count %u", param_count);
6973 
6974 	hci_dev_lock(hdev);
6975 
6976 	hci_conn_params_clear_disabled(hdev);
6977 
6978 	for (i = 0; i < param_count; i++) {
6979 		struct mgmt_conn_param *param = &cp->params[i];
6980 		struct hci_conn_params *hci_param;
6981 		u16 min, max, latency, timeout;
6982 		u8 addr_type;
6983 
6984 		bt_dev_dbg(hdev, "Adding %pMR (type %u)", &param->addr.bdaddr,
6985 			   param->addr.type);
6986 
6987 		if (param->addr.type == BDADDR_LE_PUBLIC) {
6988 			addr_type = ADDR_LE_DEV_PUBLIC;
6989 		} else if (param->addr.type == BDADDR_LE_RANDOM) {
6990 			addr_type = ADDR_LE_DEV_RANDOM;
6991 		} else {
6992 			bt_dev_err(hdev, "ignoring invalid connection parameters");
6993 			continue;
6994 		}
6995 
6996 		min = le16_to_cpu(param->min_interval);
6997 		max = le16_to_cpu(param->max_interval);
6998 		latency = le16_to_cpu(param->latency);
6999 		timeout = le16_to_cpu(param->timeout);
7000 
7001 		bt_dev_dbg(hdev, "min 0x%04x max 0x%04x latency 0x%04x timeout 0x%04x",
7002 			   min, max, latency, timeout);
7003 
7004 		if (hci_check_conn_params(min, max, latency, timeout) < 0) {
7005 			bt_dev_err(hdev, "ignoring invalid connection parameters");
7006 			continue;
7007 		}
7008 
7009 		hci_param = hci_conn_params_add(hdev, &param->addr.bdaddr,
7010 						addr_type);
7011 		if (!hci_param) {
7012 			bt_dev_err(hdev, "failed to add connection parameters");
7013 			continue;
7014 		}
7015 
7016 		hci_param->conn_min_interval = min;
7017 		hci_param->conn_max_interval = max;
7018 		hci_param->conn_latency = latency;
7019 		hci_param->supervision_timeout = timeout;
7020 	}
7021 
7022 	hci_dev_unlock(hdev);
7023 
7024 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM, 0,
7025 				 NULL, 0);
7026 }
7027 
set_external_config(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)7028 static int set_external_config(struct sock *sk, struct hci_dev *hdev,
7029 			       void *data, u16 len)
7030 {
7031 	struct mgmt_cp_set_external_config *cp = data;
7032 	bool changed;
7033 	int err;
7034 
7035 	bt_dev_dbg(hdev, "sock %p", sk);
7036 
7037 	if (hdev_is_powered(hdev))
7038 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_EXTERNAL_CONFIG,
7039 				       MGMT_STATUS_REJECTED);
7040 
7041 	if (cp->config != 0x00 && cp->config != 0x01)
7042 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_EXTERNAL_CONFIG,
7043 				         MGMT_STATUS_INVALID_PARAMS);
7044 
7045 	if (!test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks))
7046 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_EXTERNAL_CONFIG,
7047 				       MGMT_STATUS_NOT_SUPPORTED);
7048 
7049 	hci_dev_lock(hdev);
7050 
7051 	if (cp->config)
7052 		changed = !hci_dev_test_and_set_flag(hdev, HCI_EXT_CONFIGURED);
7053 	else
7054 		changed = hci_dev_test_and_clear_flag(hdev, HCI_EXT_CONFIGURED);
7055 
7056 	err = send_options_rsp(sk, MGMT_OP_SET_EXTERNAL_CONFIG, hdev);
7057 	if (err < 0)
7058 		goto unlock;
7059 
7060 	if (!changed)
7061 		goto unlock;
7062 
7063 	err = new_options(hdev, sk);
7064 
7065 	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED) == is_configured(hdev)) {
7066 		mgmt_index_removed(hdev);
7067 
7068 		if (hci_dev_test_and_change_flag(hdev, HCI_UNCONFIGURED)) {
7069 			hci_dev_set_flag(hdev, HCI_CONFIG);
7070 			hci_dev_set_flag(hdev, HCI_AUTO_OFF);
7071 
7072 			queue_work(hdev->req_workqueue, &hdev->power_on);
7073 		} else {
7074 			set_bit(HCI_RAW, &hdev->flags);
7075 			mgmt_index_added(hdev);
7076 		}
7077 	}
7078 
7079 unlock:
7080 	hci_dev_unlock(hdev);
7081 	return err;
7082 }
7083 
set_public_address(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)7084 static int set_public_address(struct sock *sk, struct hci_dev *hdev,
7085 			      void *data, u16 len)
7086 {
7087 	struct mgmt_cp_set_public_address *cp = data;
7088 	bool changed;
7089 	int err;
7090 
7091 	bt_dev_dbg(hdev, "sock %p", sk);
7092 
7093 	if (hdev_is_powered(hdev))
7094 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PUBLIC_ADDRESS,
7095 				       MGMT_STATUS_REJECTED);
7096 
7097 	if (!bacmp(&cp->bdaddr, BDADDR_ANY))
7098 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PUBLIC_ADDRESS,
7099 				       MGMT_STATUS_INVALID_PARAMS);
7100 
7101 	if (!hdev->set_bdaddr)
7102 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PUBLIC_ADDRESS,
7103 				       MGMT_STATUS_NOT_SUPPORTED);
7104 
7105 	hci_dev_lock(hdev);
7106 
7107 	changed = !!bacmp(&hdev->public_addr, &cp->bdaddr);
7108 	bacpy(&hdev->public_addr, &cp->bdaddr);
7109 
7110 	err = send_options_rsp(sk, MGMT_OP_SET_PUBLIC_ADDRESS, hdev);
7111 	if (err < 0)
7112 		goto unlock;
7113 
7114 	if (!changed)
7115 		goto unlock;
7116 
7117 	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
7118 		err = new_options(hdev, sk);
7119 
7120 	if (is_configured(hdev)) {
7121 		mgmt_index_removed(hdev);
7122 
7123 		hci_dev_clear_flag(hdev, HCI_UNCONFIGURED);
7124 
7125 		hci_dev_set_flag(hdev, HCI_CONFIG);
7126 		hci_dev_set_flag(hdev, HCI_AUTO_OFF);
7127 
7128 		queue_work(hdev->req_workqueue, &hdev->power_on);
7129 	}
7130 
7131 unlock:
7132 	hci_dev_unlock(hdev);
7133 	return err;
7134 }
7135 
read_local_oob_ext_data_complete(struct hci_dev * hdev,u8 status,u16 opcode,struct sk_buff * skb)7136 static void read_local_oob_ext_data_complete(struct hci_dev *hdev, u8 status,
7137 					     u16 opcode, struct sk_buff *skb)
7138 {
7139 	const struct mgmt_cp_read_local_oob_ext_data *mgmt_cp;
7140 	struct mgmt_rp_read_local_oob_ext_data *mgmt_rp;
7141 	u8 *h192, *r192, *h256, *r256;
7142 	struct mgmt_pending_cmd *cmd;
7143 	u16 eir_len;
7144 	int err;
7145 
7146 	bt_dev_dbg(hdev, "status %u", status);
7147 
7148 	cmd = pending_find(MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev);
7149 	if (!cmd)
7150 		return;
7151 
7152 	mgmt_cp = cmd->param;
7153 
7154 	if (status) {
7155 		status = mgmt_status(status);
7156 		eir_len = 0;
7157 
7158 		h192 = NULL;
7159 		r192 = NULL;
7160 		h256 = NULL;
7161 		r256 = NULL;
7162 	} else if (opcode == HCI_OP_READ_LOCAL_OOB_DATA) {
7163 		struct hci_rp_read_local_oob_data *rp;
7164 
7165 		if (skb->len != sizeof(*rp)) {
7166 			status = MGMT_STATUS_FAILED;
7167 			eir_len = 0;
7168 		} else {
7169 			status = MGMT_STATUS_SUCCESS;
7170 			rp = (void *)skb->data;
7171 
7172 			eir_len = 5 + 18 + 18;
7173 			h192 = rp->hash;
7174 			r192 = rp->rand;
7175 			h256 = NULL;
7176 			r256 = NULL;
7177 		}
7178 	} else {
7179 		struct hci_rp_read_local_oob_ext_data *rp;
7180 
7181 		if (skb->len != sizeof(*rp)) {
7182 			status = MGMT_STATUS_FAILED;
7183 			eir_len = 0;
7184 		} else {
7185 			status = MGMT_STATUS_SUCCESS;
7186 			rp = (void *)skb->data;
7187 
7188 			if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
7189 				eir_len = 5 + 18 + 18;
7190 				h192 = NULL;
7191 				r192 = NULL;
7192 			} else {
7193 				eir_len = 5 + 18 + 18 + 18 + 18;
7194 				h192 = rp->hash192;
7195 				r192 = rp->rand192;
7196 			}
7197 
7198 			h256 = rp->hash256;
7199 			r256 = rp->rand256;
7200 		}
7201 	}
7202 
7203 	mgmt_rp = kmalloc(sizeof(*mgmt_rp) + eir_len, GFP_KERNEL);
7204 	if (!mgmt_rp)
7205 		goto done;
7206 
7207 	if (eir_len == 0)
7208 		goto send_rsp;
7209 
7210 	eir_len = eir_append_data(mgmt_rp->eir, 0, EIR_CLASS_OF_DEV,
7211 				  hdev->dev_class, 3);
7212 
7213 	if (h192 && r192) {
7214 		eir_len = eir_append_data(mgmt_rp->eir, eir_len,
7215 					  EIR_SSP_HASH_C192, h192, 16);
7216 		eir_len = eir_append_data(mgmt_rp->eir, eir_len,
7217 					  EIR_SSP_RAND_R192, r192, 16);
7218 	}
7219 
7220 	if (h256 && r256) {
7221 		eir_len = eir_append_data(mgmt_rp->eir, eir_len,
7222 					  EIR_SSP_HASH_C256, h256, 16);
7223 		eir_len = eir_append_data(mgmt_rp->eir, eir_len,
7224 					  EIR_SSP_RAND_R256, r256, 16);
7225 	}
7226 
7227 send_rsp:
7228 	mgmt_rp->type = mgmt_cp->type;
7229 	mgmt_rp->eir_len = cpu_to_le16(eir_len);
7230 
7231 	err = mgmt_cmd_complete(cmd->sk, hdev->id,
7232 				MGMT_OP_READ_LOCAL_OOB_EXT_DATA, status,
7233 				mgmt_rp, sizeof(*mgmt_rp) + eir_len);
7234 	if (err < 0 || status)
7235 		goto done;
7236 
7237 	hci_sock_set_flag(cmd->sk, HCI_MGMT_OOB_DATA_EVENTS);
7238 
7239 	err = mgmt_limited_event(MGMT_EV_LOCAL_OOB_DATA_UPDATED, hdev,
7240 				 mgmt_rp, sizeof(*mgmt_rp) + eir_len,
7241 				 HCI_MGMT_OOB_DATA_EVENTS, cmd->sk);
7242 done:
7243 	kfree(mgmt_rp);
7244 	mgmt_pending_remove(cmd);
7245 }
7246 
read_local_ssp_oob_req(struct hci_dev * hdev,struct sock * sk,struct mgmt_cp_read_local_oob_ext_data * cp)7247 static int read_local_ssp_oob_req(struct hci_dev *hdev, struct sock *sk,
7248 				  struct mgmt_cp_read_local_oob_ext_data *cp)
7249 {
7250 	struct mgmt_pending_cmd *cmd;
7251 	struct hci_request req;
7252 	int err;
7253 
7254 	cmd = mgmt_pending_add(sk, MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev,
7255 			       cp, sizeof(*cp));
7256 	if (!cmd)
7257 		return -ENOMEM;
7258 
7259 	hci_req_init(&req, hdev);
7260 
7261 	if (bredr_sc_enabled(hdev))
7262 		hci_req_add(&req, HCI_OP_READ_LOCAL_OOB_EXT_DATA, 0, NULL);
7263 	else
7264 		hci_req_add(&req, HCI_OP_READ_LOCAL_OOB_DATA, 0, NULL);
7265 
7266 	err = hci_req_run_skb(&req, read_local_oob_ext_data_complete);
7267 	if (err < 0) {
7268 		mgmt_pending_remove(cmd);
7269 		return err;
7270 	}
7271 
7272 	return 0;
7273 }
7274 
read_local_oob_ext_data(struct sock * sk,struct hci_dev * hdev,void * data,u16 data_len)7275 static int read_local_oob_ext_data(struct sock *sk, struct hci_dev *hdev,
7276 				   void *data, u16 data_len)
7277 {
7278 	struct mgmt_cp_read_local_oob_ext_data *cp = data;
7279 	struct mgmt_rp_read_local_oob_ext_data *rp;
7280 	size_t rp_len;
7281 	u16 eir_len;
7282 	u8 status, flags, role, addr[7], hash[16], rand[16];
7283 	int err;
7284 
7285 	bt_dev_dbg(hdev, "sock %p", sk);
7286 
7287 	if (hdev_is_powered(hdev)) {
7288 		switch (cp->type) {
7289 		case BIT(BDADDR_BREDR):
7290 			status = mgmt_bredr_support(hdev);
7291 			if (status)
7292 				eir_len = 0;
7293 			else
7294 				eir_len = 5;
7295 			break;
7296 		case (BIT(BDADDR_LE_PUBLIC) | BIT(BDADDR_LE_RANDOM)):
7297 			status = mgmt_le_support(hdev);
7298 			if (status)
7299 				eir_len = 0;
7300 			else
7301 				eir_len = 9 + 3 + 18 + 18 + 3;
7302 			break;
7303 		default:
7304 			status = MGMT_STATUS_INVALID_PARAMS;
7305 			eir_len = 0;
7306 			break;
7307 		}
7308 	} else {
7309 		status = MGMT_STATUS_NOT_POWERED;
7310 		eir_len = 0;
7311 	}
7312 
7313 	rp_len = sizeof(*rp) + eir_len;
7314 	rp = kmalloc(rp_len, GFP_ATOMIC);
7315 	if (!rp)
7316 		return -ENOMEM;
7317 
7318 	if (status)
7319 		goto complete;
7320 
7321 	hci_dev_lock(hdev);
7322 
7323 	eir_len = 0;
7324 	switch (cp->type) {
7325 	case BIT(BDADDR_BREDR):
7326 		if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
7327 			err = read_local_ssp_oob_req(hdev, sk, cp);
7328 			hci_dev_unlock(hdev);
7329 			if (!err)
7330 				goto done;
7331 
7332 			status = MGMT_STATUS_FAILED;
7333 			goto complete;
7334 		} else {
7335 			eir_len = eir_append_data(rp->eir, eir_len,
7336 						  EIR_CLASS_OF_DEV,
7337 						  hdev->dev_class, 3);
7338 		}
7339 		break;
7340 	case (BIT(BDADDR_LE_PUBLIC) | BIT(BDADDR_LE_RANDOM)):
7341 		if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
7342 		    smp_generate_oob(hdev, hash, rand) < 0) {
7343 			hci_dev_unlock(hdev);
7344 			status = MGMT_STATUS_FAILED;
7345 			goto complete;
7346 		}
7347 
7348 		/* This should return the active RPA, but since the RPA
7349 		 * is only programmed on demand, it is really hard to fill
7350 		 * this in at the moment. For now disallow retrieving
7351 		 * local out-of-band data when privacy is in use.
7352 		 *
7353 		 * Returning the identity address will not help here since
7354 		 * pairing happens before the identity resolving key is
7355 		 * known and thus the connection establishment happens
7356 		 * based on the RPA and not the identity address.
7357 		 */
7358 		if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
7359 			hci_dev_unlock(hdev);
7360 			status = MGMT_STATUS_REJECTED;
7361 			goto complete;
7362 		}
7363 
7364 		if (hci_dev_test_flag(hdev, HCI_FORCE_STATIC_ADDR) ||
7365 		   !bacmp(&hdev->bdaddr, BDADDR_ANY) ||
7366 		   (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
7367 		    bacmp(&hdev->static_addr, BDADDR_ANY))) {
7368 			memcpy(addr, &hdev->static_addr, 6);
7369 			addr[6] = 0x01;
7370 		} else {
7371 			memcpy(addr, &hdev->bdaddr, 6);
7372 			addr[6] = 0x00;
7373 		}
7374 
7375 		eir_len = eir_append_data(rp->eir, eir_len, EIR_LE_BDADDR,
7376 					  addr, sizeof(addr));
7377 
7378 		if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
7379 			role = 0x02;
7380 		else
7381 			role = 0x01;
7382 
7383 		eir_len = eir_append_data(rp->eir, eir_len, EIR_LE_ROLE,
7384 					  &role, sizeof(role));
7385 
7386 		if (hci_dev_test_flag(hdev, HCI_SC_ENABLED)) {
7387 			eir_len = eir_append_data(rp->eir, eir_len,
7388 						  EIR_LE_SC_CONFIRM,
7389 						  hash, sizeof(hash));
7390 
7391 			eir_len = eir_append_data(rp->eir, eir_len,
7392 						  EIR_LE_SC_RANDOM,
7393 						  rand, sizeof(rand));
7394 		}
7395 
7396 		flags = mgmt_get_adv_discov_flags(hdev);
7397 
7398 		if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
7399 			flags |= LE_AD_NO_BREDR;
7400 
7401 		eir_len = eir_append_data(rp->eir, eir_len, EIR_FLAGS,
7402 					  &flags, sizeof(flags));
7403 		break;
7404 	}
7405 
7406 	hci_dev_unlock(hdev);
7407 
7408 	hci_sock_set_flag(sk, HCI_MGMT_OOB_DATA_EVENTS);
7409 
7410 	status = MGMT_STATUS_SUCCESS;
7411 
7412 complete:
7413 	rp->type = cp->type;
7414 	rp->eir_len = cpu_to_le16(eir_len);
7415 
7416 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_EXT_DATA,
7417 				status, rp, sizeof(*rp) + eir_len);
7418 	if (err < 0 || status)
7419 		goto done;
7420 
7421 	err = mgmt_limited_event(MGMT_EV_LOCAL_OOB_DATA_UPDATED, hdev,
7422 				 rp, sizeof(*rp) + eir_len,
7423 				 HCI_MGMT_OOB_DATA_EVENTS, sk);
7424 
7425 done:
7426 	kfree(rp);
7427 
7428 	return err;
7429 }
7430 
get_supported_adv_flags(struct hci_dev * hdev)7431 static u32 get_supported_adv_flags(struct hci_dev *hdev)
7432 {
7433 	u32 flags = 0;
7434 
7435 	flags |= MGMT_ADV_FLAG_CONNECTABLE;
7436 	flags |= MGMT_ADV_FLAG_DISCOV;
7437 	flags |= MGMT_ADV_FLAG_LIMITED_DISCOV;
7438 	flags |= MGMT_ADV_FLAG_MANAGED_FLAGS;
7439 	flags |= MGMT_ADV_FLAG_APPEARANCE;
7440 	flags |= MGMT_ADV_FLAG_LOCAL_NAME;
7441 	flags |= MGMT_ADV_PARAM_DURATION;
7442 	flags |= MGMT_ADV_PARAM_TIMEOUT;
7443 	flags |= MGMT_ADV_PARAM_INTERVALS;
7444 	flags |= MGMT_ADV_PARAM_TX_POWER;
7445 	flags |= MGMT_ADV_PARAM_SCAN_RSP;
7446 
7447 	/* In extended adv TX_POWER returned from Set Adv Param
7448 	 * will be always valid.
7449 	 */
7450 	if ((hdev->adv_tx_power != HCI_TX_POWER_INVALID) ||
7451 	    ext_adv_capable(hdev))
7452 		flags |= MGMT_ADV_FLAG_TX_POWER;
7453 
7454 	if (ext_adv_capable(hdev)) {
7455 		flags |= MGMT_ADV_FLAG_SEC_1M;
7456 		flags |= MGMT_ADV_FLAG_HW_OFFLOAD;
7457 		flags |= MGMT_ADV_FLAG_CAN_SET_TX_POWER;
7458 
7459 		if (hdev->le_features[1] & HCI_LE_PHY_2M)
7460 			flags |= MGMT_ADV_FLAG_SEC_2M;
7461 
7462 		if (hdev->le_features[1] & HCI_LE_PHY_CODED)
7463 			flags |= MGMT_ADV_FLAG_SEC_CODED;
7464 	}
7465 
7466 	return flags;
7467 }
7468 
read_adv_features(struct sock * sk,struct hci_dev * hdev,void * data,u16 data_len)7469 static int read_adv_features(struct sock *sk, struct hci_dev *hdev,
7470 			     void *data, u16 data_len)
7471 {
7472 	struct mgmt_rp_read_adv_features *rp;
7473 	size_t rp_len;
7474 	int err;
7475 	struct adv_info *adv_instance;
7476 	u32 supported_flags;
7477 	u8 *instance;
7478 
7479 	bt_dev_dbg(hdev, "sock %p", sk);
7480 
7481 	if (!lmp_le_capable(hdev))
7482 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_ADV_FEATURES,
7483 				       MGMT_STATUS_REJECTED);
7484 
7485 	/* Enabling the experimental LL Privay support disables support for
7486 	 * advertising.
7487 	 */
7488 	if (hci_dev_test_flag(hdev, HCI_ENABLE_LL_PRIVACY))
7489 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_ADV_FEATURES,
7490 				       MGMT_STATUS_NOT_SUPPORTED);
7491 
7492 	hci_dev_lock(hdev);
7493 
7494 	rp_len = sizeof(*rp) + hdev->adv_instance_cnt;
7495 	rp = kmalloc(rp_len, GFP_ATOMIC);
7496 	if (!rp) {
7497 		hci_dev_unlock(hdev);
7498 		return -ENOMEM;
7499 	}
7500 
7501 	supported_flags = get_supported_adv_flags(hdev);
7502 
7503 	rp->supported_flags = cpu_to_le32(supported_flags);
7504 	rp->max_adv_data_len = HCI_MAX_AD_LENGTH;
7505 	rp->max_scan_rsp_len = HCI_MAX_AD_LENGTH;
7506 	rp->max_instances = hdev->le_num_of_adv_sets;
7507 	rp->num_instances = hdev->adv_instance_cnt;
7508 
7509 	instance = rp->instance;
7510 	list_for_each_entry(adv_instance, &hdev->adv_instances, list) {
7511 		*instance = adv_instance->instance;
7512 		instance++;
7513 	}
7514 
7515 	hci_dev_unlock(hdev);
7516 
7517 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_ADV_FEATURES,
7518 				MGMT_STATUS_SUCCESS, rp, rp_len);
7519 
7520 	kfree(rp);
7521 
7522 	return err;
7523 }
7524 
calculate_name_len(struct hci_dev * hdev)7525 static u8 calculate_name_len(struct hci_dev *hdev)
7526 {
7527 	u8 buf[HCI_MAX_SHORT_NAME_LENGTH + 3];
7528 
7529 	return append_local_name(hdev, buf, 0);
7530 }
7531 
tlv_data_max_len(struct hci_dev * hdev,u32 adv_flags,bool is_adv_data)7532 static u8 tlv_data_max_len(struct hci_dev *hdev, u32 adv_flags,
7533 			   bool is_adv_data)
7534 {
7535 	u8 max_len = HCI_MAX_AD_LENGTH;
7536 
7537 	if (is_adv_data) {
7538 		if (adv_flags & (MGMT_ADV_FLAG_DISCOV |
7539 				 MGMT_ADV_FLAG_LIMITED_DISCOV |
7540 				 MGMT_ADV_FLAG_MANAGED_FLAGS))
7541 			max_len -= 3;
7542 
7543 		if (adv_flags & MGMT_ADV_FLAG_TX_POWER)
7544 			max_len -= 3;
7545 	} else {
7546 		if (adv_flags & MGMT_ADV_FLAG_LOCAL_NAME)
7547 			max_len -= calculate_name_len(hdev);
7548 
7549 		if (adv_flags & (MGMT_ADV_FLAG_APPEARANCE))
7550 			max_len -= 4;
7551 	}
7552 
7553 	return max_len;
7554 }
7555 
flags_managed(u32 adv_flags)7556 static bool flags_managed(u32 adv_flags)
7557 {
7558 	return adv_flags & (MGMT_ADV_FLAG_DISCOV |
7559 			    MGMT_ADV_FLAG_LIMITED_DISCOV |
7560 			    MGMT_ADV_FLAG_MANAGED_FLAGS);
7561 }
7562 
tx_power_managed(u32 adv_flags)7563 static bool tx_power_managed(u32 adv_flags)
7564 {
7565 	return adv_flags & MGMT_ADV_FLAG_TX_POWER;
7566 }
7567 
name_managed(u32 adv_flags)7568 static bool name_managed(u32 adv_flags)
7569 {
7570 	return adv_flags & MGMT_ADV_FLAG_LOCAL_NAME;
7571 }
7572 
appearance_managed(u32 adv_flags)7573 static bool appearance_managed(u32 adv_flags)
7574 {
7575 	return adv_flags & MGMT_ADV_FLAG_APPEARANCE;
7576 }
7577 
tlv_data_is_valid(struct hci_dev * hdev,u32 adv_flags,u8 * data,u8 len,bool is_adv_data)7578 static bool tlv_data_is_valid(struct hci_dev *hdev, u32 adv_flags, u8 *data,
7579 			      u8 len, bool is_adv_data)
7580 {
7581 	int i, cur_len;
7582 	u8 max_len;
7583 
7584 	max_len = tlv_data_max_len(hdev, adv_flags, is_adv_data);
7585 
7586 	if (len > max_len)
7587 		return false;
7588 
7589 	/* Make sure that the data is correctly formatted. */
7590 	for (i = 0, cur_len = 0; i < len; i += (cur_len + 1)) {
7591 		cur_len = data[i];
7592 
7593 		if (!cur_len)
7594 			continue;
7595 
7596 		if (data[i + 1] == EIR_FLAGS &&
7597 		    (!is_adv_data || flags_managed(adv_flags)))
7598 			return false;
7599 
7600 		if (data[i + 1] == EIR_TX_POWER && tx_power_managed(adv_flags))
7601 			return false;
7602 
7603 		if (data[i + 1] == EIR_NAME_COMPLETE && name_managed(adv_flags))
7604 			return false;
7605 
7606 		if (data[i + 1] == EIR_NAME_SHORT && name_managed(adv_flags))
7607 			return false;
7608 
7609 		if (data[i + 1] == EIR_APPEARANCE &&
7610 		    appearance_managed(adv_flags))
7611 			return false;
7612 
7613 		/* If the current field length would exceed the total data
7614 		 * length, then it's invalid.
7615 		 */
7616 		if (i + cur_len >= len)
7617 			return false;
7618 	}
7619 
7620 	return true;
7621 }
7622 
requested_adv_flags_are_valid(struct hci_dev * hdev,u32 adv_flags)7623 static bool requested_adv_flags_are_valid(struct hci_dev *hdev, u32 adv_flags)
7624 {
7625 	u32 supported_flags, phy_flags;
7626 
7627 	/* The current implementation only supports a subset of the specified
7628 	 * flags. Also need to check mutual exclusiveness of sec flags.
7629 	 */
7630 	supported_flags = get_supported_adv_flags(hdev);
7631 	phy_flags = adv_flags & MGMT_ADV_FLAG_SEC_MASK;
7632 	if (adv_flags & ~supported_flags ||
7633 	    ((phy_flags && (phy_flags ^ (phy_flags & -phy_flags)))))
7634 		return false;
7635 
7636 	return true;
7637 }
7638 
adv_busy(struct hci_dev * hdev)7639 static bool adv_busy(struct hci_dev *hdev)
7640 {
7641 	return (pending_find(MGMT_OP_ADD_ADVERTISING, hdev) ||
7642 		pending_find(MGMT_OP_REMOVE_ADVERTISING, hdev) ||
7643 		pending_find(MGMT_OP_SET_LE, hdev) ||
7644 		pending_find(MGMT_OP_ADD_EXT_ADV_PARAMS, hdev) ||
7645 		pending_find(MGMT_OP_ADD_EXT_ADV_DATA, hdev));
7646 }
7647 
add_advertising_complete(struct hci_dev * hdev,u8 status,u16 opcode)7648 static void add_advertising_complete(struct hci_dev *hdev, u8 status,
7649 				     u16 opcode)
7650 {
7651 	struct mgmt_pending_cmd *cmd;
7652 	struct mgmt_cp_add_advertising *cp;
7653 	struct mgmt_rp_add_advertising rp;
7654 	struct adv_info *adv_instance, *n;
7655 	u8 instance;
7656 
7657 	bt_dev_dbg(hdev, "status %u", status);
7658 
7659 	hci_dev_lock(hdev);
7660 
7661 	cmd = pending_find(MGMT_OP_ADD_ADVERTISING, hdev);
7662 	if (!cmd)
7663 		cmd = pending_find(MGMT_OP_ADD_EXT_ADV_DATA, hdev);
7664 
7665 	list_for_each_entry_safe(adv_instance, n, &hdev->adv_instances, list) {
7666 		if (!adv_instance->pending)
7667 			continue;
7668 
7669 		if (!status) {
7670 			adv_instance->pending = false;
7671 			continue;
7672 		}
7673 
7674 		instance = adv_instance->instance;
7675 
7676 		if (hdev->cur_adv_instance == instance)
7677 			cancel_adv_timeout(hdev);
7678 
7679 		hci_remove_adv_instance(hdev, instance);
7680 		mgmt_advertising_removed(cmd ? cmd->sk : NULL, hdev, instance);
7681 	}
7682 
7683 	if (!cmd)
7684 		goto unlock;
7685 
7686 	cp = cmd->param;
7687 	rp.instance = cp->instance;
7688 
7689 	if (status)
7690 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode,
7691 				mgmt_status(status));
7692 	else
7693 		mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
7694 				  mgmt_status(status), &rp, sizeof(rp));
7695 
7696 	mgmt_pending_remove(cmd);
7697 
7698 unlock:
7699 	hci_dev_unlock(hdev);
7700 }
7701 
add_advertising(struct sock * sk,struct hci_dev * hdev,void * data,u16 data_len)7702 static int add_advertising(struct sock *sk, struct hci_dev *hdev,
7703 			   void *data, u16 data_len)
7704 {
7705 	struct mgmt_cp_add_advertising *cp = data;
7706 	struct mgmt_rp_add_advertising rp;
7707 	u32 flags;
7708 	u8 status;
7709 	u16 timeout, duration;
7710 	unsigned int prev_instance_cnt = hdev->adv_instance_cnt;
7711 	u8 schedule_instance = 0;
7712 	struct adv_info *next_instance;
7713 	int err;
7714 	struct mgmt_pending_cmd *cmd;
7715 	struct hci_request req;
7716 
7717 	bt_dev_dbg(hdev, "sock %p", sk);
7718 
7719 	status = mgmt_le_support(hdev);
7720 	if (status)
7721 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
7722 				       status);
7723 
7724 	/* Enabling the experimental LL Privay support disables support for
7725 	 * advertising.
7726 	 */
7727 	if (hci_dev_test_flag(hdev, HCI_ENABLE_LL_PRIVACY))
7728 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
7729 				       MGMT_STATUS_NOT_SUPPORTED);
7730 
7731 	if (cp->instance < 1 || cp->instance > hdev->le_num_of_adv_sets)
7732 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
7733 				       MGMT_STATUS_INVALID_PARAMS);
7734 
7735 	if (data_len != sizeof(*cp) + cp->adv_data_len + cp->scan_rsp_len)
7736 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
7737 				       MGMT_STATUS_INVALID_PARAMS);
7738 
7739 	flags = __le32_to_cpu(cp->flags);
7740 	timeout = __le16_to_cpu(cp->timeout);
7741 	duration = __le16_to_cpu(cp->duration);
7742 
7743 	if (!requested_adv_flags_are_valid(hdev, flags))
7744 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
7745 				       MGMT_STATUS_INVALID_PARAMS);
7746 
7747 	hci_dev_lock(hdev);
7748 
7749 	if (timeout && !hdev_is_powered(hdev)) {
7750 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
7751 				      MGMT_STATUS_REJECTED);
7752 		goto unlock;
7753 	}
7754 
7755 	if (adv_busy(hdev)) {
7756 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
7757 				      MGMT_STATUS_BUSY);
7758 		goto unlock;
7759 	}
7760 
7761 	if (!tlv_data_is_valid(hdev, flags, cp->data, cp->adv_data_len, true) ||
7762 	    !tlv_data_is_valid(hdev, flags, cp->data + cp->adv_data_len,
7763 			       cp->scan_rsp_len, false)) {
7764 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
7765 				      MGMT_STATUS_INVALID_PARAMS);
7766 		goto unlock;
7767 	}
7768 
7769 	err = hci_add_adv_instance(hdev, cp->instance, flags,
7770 				   cp->adv_data_len, cp->data,
7771 				   cp->scan_rsp_len,
7772 				   cp->data + cp->adv_data_len,
7773 				   timeout, duration,
7774 				   HCI_ADV_TX_POWER_NO_PREFERENCE,
7775 				   hdev->le_adv_min_interval,
7776 				   hdev->le_adv_max_interval);
7777 	if (err < 0) {
7778 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
7779 				      MGMT_STATUS_FAILED);
7780 		goto unlock;
7781 	}
7782 
7783 	/* Only trigger an advertising added event if a new instance was
7784 	 * actually added.
7785 	 */
7786 	if (hdev->adv_instance_cnt > prev_instance_cnt)
7787 		mgmt_advertising_added(sk, hdev, cp->instance);
7788 
7789 	if (hdev->cur_adv_instance == cp->instance) {
7790 		/* If the currently advertised instance is being changed then
7791 		 * cancel the current advertising and schedule the next
7792 		 * instance. If there is only one instance then the overridden
7793 		 * advertising data will be visible right away.
7794 		 */
7795 		cancel_adv_timeout(hdev);
7796 
7797 		next_instance = hci_get_next_instance(hdev, cp->instance);
7798 		if (next_instance)
7799 			schedule_instance = next_instance->instance;
7800 	} else if (!hdev->adv_instance_timeout) {
7801 		/* Immediately advertise the new instance if no other
7802 		 * instance is currently being advertised.
7803 		 */
7804 		schedule_instance = cp->instance;
7805 	}
7806 
7807 	/* If the HCI_ADVERTISING flag is set or the device isn't powered or
7808 	 * there is no instance to be advertised then we have no HCI
7809 	 * communication to make. Simply return.
7810 	 */
7811 	if (!hdev_is_powered(hdev) ||
7812 	    hci_dev_test_flag(hdev, HCI_ADVERTISING) ||
7813 	    !schedule_instance) {
7814 		rp.instance = cp->instance;
7815 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
7816 					MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
7817 		goto unlock;
7818 	}
7819 
7820 	/* We're good to go, update advertising data, parameters, and start
7821 	 * advertising.
7822 	 */
7823 	cmd = mgmt_pending_add(sk, MGMT_OP_ADD_ADVERTISING, hdev, data,
7824 			       data_len);
7825 	if (!cmd) {
7826 		err = -ENOMEM;
7827 		goto unlock;
7828 	}
7829 
7830 	hci_req_init(&req, hdev);
7831 
7832 	err = __hci_req_schedule_adv_instance(&req, schedule_instance, true);
7833 
7834 	if (!err)
7835 		err = hci_req_run(&req, add_advertising_complete);
7836 
7837 	if (err < 0) {
7838 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
7839 				      MGMT_STATUS_FAILED);
7840 		mgmt_pending_remove(cmd);
7841 	}
7842 
7843 unlock:
7844 	hci_dev_unlock(hdev);
7845 
7846 	return err;
7847 }
7848 
add_ext_adv_params_complete(struct hci_dev * hdev,u8 status,u16 opcode)7849 static void add_ext_adv_params_complete(struct hci_dev *hdev, u8 status,
7850 					u16 opcode)
7851 {
7852 	struct mgmt_pending_cmd *cmd;
7853 	struct mgmt_cp_add_ext_adv_params *cp;
7854 	struct mgmt_rp_add_ext_adv_params rp;
7855 	struct adv_info *adv_instance;
7856 	u32 flags;
7857 
7858 	BT_DBG("%s", hdev->name);
7859 
7860 	hci_dev_lock(hdev);
7861 
7862 	cmd = pending_find(MGMT_OP_ADD_EXT_ADV_PARAMS, hdev);
7863 	if (!cmd)
7864 		goto unlock;
7865 
7866 	cp = cmd->param;
7867 	adv_instance = hci_find_adv_instance(hdev, cp->instance);
7868 	if (!adv_instance)
7869 		goto unlock;
7870 
7871 	rp.instance = cp->instance;
7872 	rp.tx_power = adv_instance->tx_power;
7873 
7874 	/* While we're at it, inform userspace of the available space for this
7875 	 * advertisement, given the flags that will be used.
7876 	 */
7877 	flags = __le32_to_cpu(cp->flags);
7878 	rp.max_adv_data_len = tlv_data_max_len(hdev, flags, true);
7879 	rp.max_scan_rsp_len = tlv_data_max_len(hdev, flags, false);
7880 
7881 	if (status) {
7882 		/* If this advertisement was previously advertising and we
7883 		 * failed to update it, we signal that it has been removed and
7884 		 * delete its structure
7885 		 */
7886 		if (!adv_instance->pending)
7887 			mgmt_advertising_removed(cmd->sk, hdev, cp->instance);
7888 
7889 		hci_remove_adv_instance(hdev, cp->instance);
7890 
7891 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode,
7892 				mgmt_status(status));
7893 
7894 	} else {
7895 		mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
7896 				  mgmt_status(status), &rp, sizeof(rp));
7897 	}
7898 
7899 unlock:
7900 	if (cmd)
7901 		mgmt_pending_remove(cmd);
7902 
7903 	hci_dev_unlock(hdev);
7904 }
7905 
add_ext_adv_params(struct sock * sk,struct hci_dev * hdev,void * data,u16 data_len)7906 static int add_ext_adv_params(struct sock *sk, struct hci_dev *hdev,
7907 			      void *data, u16 data_len)
7908 {
7909 	struct mgmt_cp_add_ext_adv_params *cp = data;
7910 	struct mgmt_rp_add_ext_adv_params rp;
7911 	struct mgmt_pending_cmd *cmd = NULL;
7912 	struct adv_info *adv_instance;
7913 	struct hci_request req;
7914 	u32 flags, min_interval, max_interval;
7915 	u16 timeout, duration;
7916 	u8 status;
7917 	s8 tx_power;
7918 	int err;
7919 
7920 	BT_DBG("%s", hdev->name);
7921 
7922 	status = mgmt_le_support(hdev);
7923 	if (status)
7924 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
7925 				       status);
7926 
7927 	if (cp->instance < 1 || cp->instance > hdev->le_num_of_adv_sets)
7928 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
7929 				       MGMT_STATUS_INVALID_PARAMS);
7930 
7931 	/* The purpose of breaking add_advertising into two separate MGMT calls
7932 	 * for params and data is to allow more parameters to be added to this
7933 	 * structure in the future. For this reason, we verify that we have the
7934 	 * bare minimum structure we know of when the interface was defined. Any
7935 	 * extra parameters we don't know about will be ignored in this request.
7936 	 */
7937 	if (data_len < MGMT_ADD_EXT_ADV_PARAMS_MIN_SIZE)
7938 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
7939 				       MGMT_STATUS_INVALID_PARAMS);
7940 
7941 	flags = __le32_to_cpu(cp->flags);
7942 
7943 	if (!requested_adv_flags_are_valid(hdev, flags))
7944 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
7945 				       MGMT_STATUS_INVALID_PARAMS);
7946 
7947 	hci_dev_lock(hdev);
7948 
7949 	/* In new interface, we require that we are powered to register */
7950 	if (!hdev_is_powered(hdev)) {
7951 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
7952 				      MGMT_STATUS_REJECTED);
7953 		goto unlock;
7954 	}
7955 
7956 	if (adv_busy(hdev)) {
7957 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
7958 				      MGMT_STATUS_BUSY);
7959 		goto unlock;
7960 	}
7961 
7962 	/* Parse defined parameters from request, use defaults otherwise */
7963 	timeout = (flags & MGMT_ADV_PARAM_TIMEOUT) ?
7964 		  __le16_to_cpu(cp->timeout) : 0;
7965 
7966 	duration = (flags & MGMT_ADV_PARAM_DURATION) ?
7967 		   __le16_to_cpu(cp->duration) :
7968 		   hdev->def_multi_adv_rotation_duration;
7969 
7970 	min_interval = (flags & MGMT_ADV_PARAM_INTERVALS) ?
7971 		       __le32_to_cpu(cp->min_interval) :
7972 		       hdev->le_adv_min_interval;
7973 
7974 	max_interval = (flags & MGMT_ADV_PARAM_INTERVALS) ?
7975 		       __le32_to_cpu(cp->max_interval) :
7976 		       hdev->le_adv_max_interval;
7977 
7978 	tx_power = (flags & MGMT_ADV_PARAM_TX_POWER) ?
7979 		   cp->tx_power :
7980 		   HCI_ADV_TX_POWER_NO_PREFERENCE;
7981 
7982 	/* Create advertising instance with no advertising or response data */
7983 	err = hci_add_adv_instance(hdev, cp->instance, flags,
7984 				   0, NULL, 0, NULL, timeout, duration,
7985 				   tx_power, min_interval, max_interval);
7986 
7987 	if (err < 0) {
7988 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
7989 				      MGMT_STATUS_FAILED);
7990 		goto unlock;
7991 	}
7992 
7993 	/* Submit request for advertising params if ext adv available */
7994 	if (ext_adv_capable(hdev)) {
7995 		hci_req_init(&req, hdev);
7996 		adv_instance = hci_find_adv_instance(hdev, cp->instance);
7997 
7998 		/* Updating parameters of an active instance will return a
7999 		 * Command Disallowed error, so we must first disable the
8000 		 * instance if it is active.
8001 		 */
8002 		if (!adv_instance->pending)
8003 			__hci_req_disable_ext_adv_instance(&req, cp->instance);
8004 
8005 		__hci_req_setup_ext_adv_instance(&req, cp->instance);
8006 
8007 		err = hci_req_run(&req, add_ext_adv_params_complete);
8008 
8009 		if (!err)
8010 			cmd = mgmt_pending_add(sk, MGMT_OP_ADD_EXT_ADV_PARAMS,
8011 					       hdev, data, data_len);
8012 		if (!cmd) {
8013 			err = -ENOMEM;
8014 			hci_remove_adv_instance(hdev, cp->instance);
8015 			goto unlock;
8016 		}
8017 
8018 	} else {
8019 		rp.instance = cp->instance;
8020 		rp.tx_power = HCI_ADV_TX_POWER_NO_PREFERENCE;
8021 		rp.max_adv_data_len = tlv_data_max_len(hdev, flags, true);
8022 		rp.max_scan_rsp_len = tlv_data_max_len(hdev, flags, false);
8023 		err = mgmt_cmd_complete(sk, hdev->id,
8024 					MGMT_OP_ADD_EXT_ADV_PARAMS,
8025 					MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
8026 	}
8027 
8028 unlock:
8029 	hci_dev_unlock(hdev);
8030 
8031 	return err;
8032 }
8033 
add_ext_adv_data(struct sock * sk,struct hci_dev * hdev,void * data,u16 data_len)8034 static int add_ext_adv_data(struct sock *sk, struct hci_dev *hdev, void *data,
8035 			    u16 data_len)
8036 {
8037 	struct mgmt_cp_add_ext_adv_data *cp = data;
8038 	struct mgmt_rp_add_ext_adv_data rp;
8039 	u8 schedule_instance = 0;
8040 	struct adv_info *next_instance;
8041 	struct adv_info *adv_instance;
8042 	int err = 0;
8043 	struct mgmt_pending_cmd *cmd;
8044 	struct hci_request req;
8045 
8046 	BT_DBG("%s", hdev->name);
8047 
8048 	hci_dev_lock(hdev);
8049 
8050 	adv_instance = hci_find_adv_instance(hdev, cp->instance);
8051 
8052 	if (!adv_instance) {
8053 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
8054 				      MGMT_STATUS_INVALID_PARAMS);
8055 		goto unlock;
8056 	}
8057 
8058 	/* In new interface, we require that we are powered to register */
8059 	if (!hdev_is_powered(hdev)) {
8060 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
8061 				      MGMT_STATUS_REJECTED);
8062 		goto clear_new_instance;
8063 	}
8064 
8065 	if (adv_busy(hdev)) {
8066 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
8067 				      MGMT_STATUS_BUSY);
8068 		goto clear_new_instance;
8069 	}
8070 
8071 	/* Validate new data */
8072 	if (!tlv_data_is_valid(hdev, adv_instance->flags, cp->data,
8073 			       cp->adv_data_len, true) ||
8074 	    !tlv_data_is_valid(hdev, adv_instance->flags, cp->data +
8075 			       cp->adv_data_len, cp->scan_rsp_len, false)) {
8076 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
8077 				      MGMT_STATUS_INVALID_PARAMS);
8078 		goto clear_new_instance;
8079 	}
8080 
8081 	/* Set the data in the advertising instance */
8082 	hci_set_adv_instance_data(hdev, cp->instance, cp->adv_data_len,
8083 				  cp->data, cp->scan_rsp_len,
8084 				  cp->data + cp->adv_data_len);
8085 
8086 	/* We're good to go, update advertising data, parameters, and start
8087 	 * advertising.
8088 	 */
8089 
8090 	hci_req_init(&req, hdev);
8091 
8092 	hci_req_add(&req, HCI_OP_READ_LOCAL_NAME, 0, NULL);
8093 
8094 	if (ext_adv_capable(hdev)) {
8095 		__hci_req_update_adv_data(&req, cp->instance);
8096 		__hci_req_update_scan_rsp_data(&req, cp->instance);
8097 		__hci_req_enable_ext_advertising(&req, cp->instance);
8098 
8099 	} else {
8100 		/* If using software rotation, determine next instance to use */
8101 
8102 		if (hdev->cur_adv_instance == cp->instance) {
8103 			/* If the currently advertised instance is being changed
8104 			 * then cancel the current advertising and schedule the
8105 			 * next instance. If there is only one instance then the
8106 			 * overridden advertising data will be visible right
8107 			 * away
8108 			 */
8109 			cancel_adv_timeout(hdev);
8110 
8111 			next_instance = hci_get_next_instance(hdev,
8112 							      cp->instance);
8113 			if (next_instance)
8114 				schedule_instance = next_instance->instance;
8115 		} else if (!hdev->adv_instance_timeout) {
8116 			/* Immediately advertise the new instance if no other
8117 			 * instance is currently being advertised.
8118 			 */
8119 			schedule_instance = cp->instance;
8120 		}
8121 
8122 		/* If the HCI_ADVERTISING flag is set or there is no instance to
8123 		 * be advertised then we have no HCI communication to make.
8124 		 * Simply return.
8125 		 */
8126 		if (hci_dev_test_flag(hdev, HCI_ADVERTISING) ||
8127 		    !schedule_instance) {
8128 			if (adv_instance->pending) {
8129 				mgmt_advertising_added(sk, hdev, cp->instance);
8130 				adv_instance->pending = false;
8131 			}
8132 			rp.instance = cp->instance;
8133 			err = mgmt_cmd_complete(sk, hdev->id,
8134 						MGMT_OP_ADD_EXT_ADV_DATA,
8135 						MGMT_STATUS_SUCCESS, &rp,
8136 						sizeof(rp));
8137 			goto unlock;
8138 		}
8139 
8140 		err = __hci_req_schedule_adv_instance(&req, schedule_instance,
8141 						      true);
8142 	}
8143 
8144 	cmd = mgmt_pending_add(sk, MGMT_OP_ADD_EXT_ADV_DATA, hdev, data,
8145 			       data_len);
8146 	if (!cmd) {
8147 		err = -ENOMEM;
8148 		goto clear_new_instance;
8149 	}
8150 
8151 	if (!err)
8152 		err = hci_req_run(&req, add_advertising_complete);
8153 
8154 	if (err < 0) {
8155 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
8156 				      MGMT_STATUS_FAILED);
8157 		mgmt_pending_remove(cmd);
8158 		goto clear_new_instance;
8159 	}
8160 
8161 	/* We were successful in updating data, so trigger advertising_added
8162 	 * event if this is an instance that wasn't previously advertising. If
8163 	 * a failure occurs in the requests we initiated, we will remove the
8164 	 * instance again in add_advertising_complete
8165 	 */
8166 	if (adv_instance->pending)
8167 		mgmt_advertising_added(sk, hdev, cp->instance);
8168 
8169 	goto unlock;
8170 
8171 clear_new_instance:
8172 	hci_remove_adv_instance(hdev, cp->instance);
8173 
8174 unlock:
8175 	hci_dev_unlock(hdev);
8176 
8177 	return err;
8178 }
8179 
remove_advertising_complete(struct hci_dev * hdev,u8 status,u16 opcode)8180 static void remove_advertising_complete(struct hci_dev *hdev, u8 status,
8181 					u16 opcode)
8182 {
8183 	struct mgmt_pending_cmd *cmd;
8184 	struct mgmt_cp_remove_advertising *cp;
8185 	struct mgmt_rp_remove_advertising rp;
8186 
8187 	bt_dev_dbg(hdev, "status %u", status);
8188 
8189 	hci_dev_lock(hdev);
8190 
8191 	/* A failure status here only means that we failed to disable
8192 	 * advertising. Otherwise, the advertising instance has been removed,
8193 	 * so report success.
8194 	 */
8195 	cmd = pending_find(MGMT_OP_REMOVE_ADVERTISING, hdev);
8196 	if (!cmd)
8197 		goto unlock;
8198 
8199 	cp = cmd->param;
8200 	rp.instance = cp->instance;
8201 
8202 	mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, MGMT_STATUS_SUCCESS,
8203 			  &rp, sizeof(rp));
8204 	mgmt_pending_remove(cmd);
8205 
8206 unlock:
8207 	hci_dev_unlock(hdev);
8208 }
8209 
remove_advertising(struct sock * sk,struct hci_dev * hdev,void * data,u16 data_len)8210 static int remove_advertising(struct sock *sk, struct hci_dev *hdev,
8211 			      void *data, u16 data_len)
8212 {
8213 	struct mgmt_cp_remove_advertising *cp = data;
8214 	struct mgmt_rp_remove_advertising rp;
8215 	struct mgmt_pending_cmd *cmd;
8216 	struct hci_request req;
8217 	int err;
8218 
8219 	bt_dev_dbg(hdev, "sock %p", sk);
8220 
8221 	/* Enabling the experimental LL Privay support disables support for
8222 	 * advertising.
8223 	 */
8224 	if (hci_dev_test_flag(hdev, HCI_ENABLE_LL_PRIVACY))
8225 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
8226 				       MGMT_STATUS_NOT_SUPPORTED);
8227 
8228 	hci_dev_lock(hdev);
8229 
8230 	if (cp->instance && !hci_find_adv_instance(hdev, cp->instance)) {
8231 		err = mgmt_cmd_status(sk, hdev->id,
8232 				      MGMT_OP_REMOVE_ADVERTISING,
8233 				      MGMT_STATUS_INVALID_PARAMS);
8234 		goto unlock;
8235 	}
8236 
8237 	if (pending_find(MGMT_OP_ADD_ADVERTISING, hdev) ||
8238 	    pending_find(MGMT_OP_REMOVE_ADVERTISING, hdev) ||
8239 	    pending_find(MGMT_OP_SET_LE, hdev)) {
8240 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_ADVERTISING,
8241 				      MGMT_STATUS_BUSY);
8242 		goto unlock;
8243 	}
8244 
8245 	if (list_empty(&hdev->adv_instances)) {
8246 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_ADVERTISING,
8247 				      MGMT_STATUS_INVALID_PARAMS);
8248 		goto unlock;
8249 	}
8250 
8251 	hci_req_init(&req, hdev);
8252 
8253 	/* If we use extended advertising, instance is disabled and removed */
8254 	if (ext_adv_capable(hdev)) {
8255 		__hci_req_disable_ext_adv_instance(&req, cp->instance);
8256 		__hci_req_remove_ext_adv_instance(&req, cp->instance);
8257 	}
8258 
8259 	hci_req_clear_adv_instance(hdev, sk, &req, cp->instance, true);
8260 
8261 	if (list_empty(&hdev->adv_instances))
8262 		__hci_req_disable_advertising(&req);
8263 
8264 	/* If no HCI commands have been collected so far or the HCI_ADVERTISING
8265 	 * flag is set or the device isn't powered then we have no HCI
8266 	 * communication to make. Simply return.
8267 	 */
8268 	if (skb_queue_empty(&req.cmd_q) ||
8269 	    !hdev_is_powered(hdev) ||
8270 	    hci_dev_test_flag(hdev, HCI_ADVERTISING)) {
8271 		hci_req_purge(&req);
8272 		rp.instance = cp->instance;
8273 		err = mgmt_cmd_complete(sk, hdev->id,
8274 					MGMT_OP_REMOVE_ADVERTISING,
8275 					MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
8276 		goto unlock;
8277 	}
8278 
8279 	cmd = mgmt_pending_add(sk, MGMT_OP_REMOVE_ADVERTISING, hdev, data,
8280 			       data_len);
8281 	if (!cmd) {
8282 		err = -ENOMEM;
8283 		goto unlock;
8284 	}
8285 
8286 	err = hci_req_run(&req, remove_advertising_complete);
8287 	if (err < 0)
8288 		mgmt_pending_remove(cmd);
8289 
8290 unlock:
8291 	hci_dev_unlock(hdev);
8292 
8293 	return err;
8294 }
8295 
get_adv_size_info(struct sock * sk,struct hci_dev * hdev,void * data,u16 data_len)8296 static int get_adv_size_info(struct sock *sk, struct hci_dev *hdev,
8297 			     void *data, u16 data_len)
8298 {
8299 	struct mgmt_cp_get_adv_size_info *cp = data;
8300 	struct mgmt_rp_get_adv_size_info rp;
8301 	u32 flags, supported_flags;
8302 	int err;
8303 
8304 	bt_dev_dbg(hdev, "sock %p", sk);
8305 
8306 	if (!lmp_le_capable(hdev))
8307 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_GET_ADV_SIZE_INFO,
8308 				       MGMT_STATUS_REJECTED);
8309 
8310 	if (cp->instance < 1 || cp->instance > hdev->le_num_of_adv_sets)
8311 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_GET_ADV_SIZE_INFO,
8312 				       MGMT_STATUS_INVALID_PARAMS);
8313 
8314 	flags = __le32_to_cpu(cp->flags);
8315 
8316 	/* The current implementation only supports a subset of the specified
8317 	 * flags.
8318 	 */
8319 	supported_flags = get_supported_adv_flags(hdev);
8320 	if (flags & ~supported_flags)
8321 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_GET_ADV_SIZE_INFO,
8322 				       MGMT_STATUS_INVALID_PARAMS);
8323 
8324 	rp.instance = cp->instance;
8325 	rp.flags = cp->flags;
8326 	rp.max_adv_data_len = tlv_data_max_len(hdev, flags, true);
8327 	rp.max_scan_rsp_len = tlv_data_max_len(hdev, flags, false);
8328 
8329 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_ADV_SIZE_INFO,
8330 				MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
8331 
8332 	return err;
8333 }
8334 
8335 static const struct hci_mgmt_handler mgmt_handlers[] = {
8336 	{ NULL }, /* 0x0000 (no command) */
8337 	{ read_version,            MGMT_READ_VERSION_SIZE,
8338 						HCI_MGMT_NO_HDEV |
8339 						HCI_MGMT_UNTRUSTED },
8340 	{ read_commands,           MGMT_READ_COMMANDS_SIZE,
8341 						HCI_MGMT_NO_HDEV |
8342 						HCI_MGMT_UNTRUSTED },
8343 	{ read_index_list,         MGMT_READ_INDEX_LIST_SIZE,
8344 						HCI_MGMT_NO_HDEV |
8345 						HCI_MGMT_UNTRUSTED },
8346 	{ read_controller_info,    MGMT_READ_INFO_SIZE,
8347 						HCI_MGMT_UNTRUSTED },
8348 	{ set_powered,             MGMT_SETTING_SIZE },
8349 	{ set_discoverable,        MGMT_SET_DISCOVERABLE_SIZE },
8350 	{ set_connectable,         MGMT_SETTING_SIZE },
8351 	{ set_fast_connectable,    MGMT_SETTING_SIZE },
8352 	{ set_bondable,            MGMT_SETTING_SIZE },
8353 	{ set_link_security,       MGMT_SETTING_SIZE },
8354 	{ set_ssp,                 MGMT_SETTING_SIZE },
8355 	{ set_hs,                  MGMT_SETTING_SIZE },
8356 	{ set_le,                  MGMT_SETTING_SIZE },
8357 	{ set_dev_class,           MGMT_SET_DEV_CLASS_SIZE },
8358 	{ set_local_name,          MGMT_SET_LOCAL_NAME_SIZE },
8359 	{ add_uuid,                MGMT_ADD_UUID_SIZE },
8360 	{ remove_uuid,             MGMT_REMOVE_UUID_SIZE },
8361 	{ load_link_keys,          MGMT_LOAD_LINK_KEYS_SIZE,
8362 						HCI_MGMT_VAR_LEN },
8363 	{ load_long_term_keys,     MGMT_LOAD_LONG_TERM_KEYS_SIZE,
8364 						HCI_MGMT_VAR_LEN },
8365 	{ disconnect,              MGMT_DISCONNECT_SIZE },
8366 	{ get_connections,         MGMT_GET_CONNECTIONS_SIZE },
8367 	{ pin_code_reply,          MGMT_PIN_CODE_REPLY_SIZE },
8368 	{ pin_code_neg_reply,      MGMT_PIN_CODE_NEG_REPLY_SIZE },
8369 	{ set_io_capability,       MGMT_SET_IO_CAPABILITY_SIZE },
8370 	{ pair_device,             MGMT_PAIR_DEVICE_SIZE },
8371 	{ cancel_pair_device,      MGMT_CANCEL_PAIR_DEVICE_SIZE },
8372 	{ unpair_device,           MGMT_UNPAIR_DEVICE_SIZE },
8373 	{ user_confirm_reply,      MGMT_USER_CONFIRM_REPLY_SIZE },
8374 	{ user_confirm_neg_reply,  MGMT_USER_CONFIRM_NEG_REPLY_SIZE },
8375 	{ user_passkey_reply,      MGMT_USER_PASSKEY_REPLY_SIZE },
8376 	{ user_passkey_neg_reply,  MGMT_USER_PASSKEY_NEG_REPLY_SIZE },
8377 	{ read_local_oob_data,     MGMT_READ_LOCAL_OOB_DATA_SIZE },
8378 	{ add_remote_oob_data,     MGMT_ADD_REMOTE_OOB_DATA_SIZE,
8379 						HCI_MGMT_VAR_LEN },
8380 	{ remove_remote_oob_data,  MGMT_REMOVE_REMOTE_OOB_DATA_SIZE },
8381 	{ start_discovery,         MGMT_START_DISCOVERY_SIZE },
8382 	{ stop_discovery,          MGMT_STOP_DISCOVERY_SIZE },
8383 	{ confirm_name,            MGMT_CONFIRM_NAME_SIZE },
8384 	{ block_device,            MGMT_BLOCK_DEVICE_SIZE },
8385 	{ unblock_device,          MGMT_UNBLOCK_DEVICE_SIZE },
8386 	{ set_device_id,           MGMT_SET_DEVICE_ID_SIZE },
8387 	{ set_advertising,         MGMT_SETTING_SIZE },
8388 	{ set_bredr,               MGMT_SETTING_SIZE },
8389 	{ set_static_address,      MGMT_SET_STATIC_ADDRESS_SIZE },
8390 	{ set_scan_params,         MGMT_SET_SCAN_PARAMS_SIZE },
8391 	{ set_secure_conn,         MGMT_SETTING_SIZE },
8392 	{ set_debug_keys,          MGMT_SETTING_SIZE },
8393 	{ set_privacy,             MGMT_SET_PRIVACY_SIZE },
8394 	{ load_irks,               MGMT_LOAD_IRKS_SIZE,
8395 						HCI_MGMT_VAR_LEN },
8396 	{ get_conn_info,           MGMT_GET_CONN_INFO_SIZE },
8397 	{ get_clock_info,          MGMT_GET_CLOCK_INFO_SIZE },
8398 	{ add_device,              MGMT_ADD_DEVICE_SIZE },
8399 	{ remove_device,           MGMT_REMOVE_DEVICE_SIZE },
8400 	{ load_conn_param,         MGMT_LOAD_CONN_PARAM_SIZE,
8401 						HCI_MGMT_VAR_LEN },
8402 	{ read_unconf_index_list,  MGMT_READ_UNCONF_INDEX_LIST_SIZE,
8403 						HCI_MGMT_NO_HDEV |
8404 						HCI_MGMT_UNTRUSTED },
8405 	{ read_config_info,        MGMT_READ_CONFIG_INFO_SIZE,
8406 						HCI_MGMT_UNCONFIGURED |
8407 						HCI_MGMT_UNTRUSTED },
8408 	{ set_external_config,     MGMT_SET_EXTERNAL_CONFIG_SIZE,
8409 						HCI_MGMT_UNCONFIGURED },
8410 	{ set_public_address,      MGMT_SET_PUBLIC_ADDRESS_SIZE,
8411 						HCI_MGMT_UNCONFIGURED },
8412 	{ start_service_discovery, MGMT_START_SERVICE_DISCOVERY_SIZE,
8413 						HCI_MGMT_VAR_LEN },
8414 	{ read_local_oob_ext_data, MGMT_READ_LOCAL_OOB_EXT_DATA_SIZE },
8415 	{ read_ext_index_list,     MGMT_READ_EXT_INDEX_LIST_SIZE,
8416 						HCI_MGMT_NO_HDEV |
8417 						HCI_MGMT_UNTRUSTED },
8418 	{ read_adv_features,       MGMT_READ_ADV_FEATURES_SIZE },
8419 	{ add_advertising,	   MGMT_ADD_ADVERTISING_SIZE,
8420 						HCI_MGMT_VAR_LEN },
8421 	{ remove_advertising,	   MGMT_REMOVE_ADVERTISING_SIZE },
8422 	{ get_adv_size_info,       MGMT_GET_ADV_SIZE_INFO_SIZE },
8423 	{ start_limited_discovery, MGMT_START_DISCOVERY_SIZE },
8424 	{ read_ext_controller_info,MGMT_READ_EXT_INFO_SIZE,
8425 						HCI_MGMT_UNTRUSTED },
8426 	{ set_appearance,	   MGMT_SET_APPEARANCE_SIZE },
8427 	{ get_phy_configuration,   MGMT_GET_PHY_CONFIGURATION_SIZE },
8428 	{ set_phy_configuration,   MGMT_SET_PHY_CONFIGURATION_SIZE },
8429 	{ set_blocked_keys,	   MGMT_OP_SET_BLOCKED_KEYS_SIZE,
8430 						HCI_MGMT_VAR_LEN },
8431 	{ set_wideband_speech,	   MGMT_SETTING_SIZE },
8432 	{ read_controller_cap,     MGMT_READ_CONTROLLER_CAP_SIZE,
8433 						HCI_MGMT_UNTRUSTED },
8434 	{ read_exp_features_info,  MGMT_READ_EXP_FEATURES_INFO_SIZE,
8435 						HCI_MGMT_UNTRUSTED |
8436 						HCI_MGMT_HDEV_OPTIONAL },
8437 	{ set_exp_feature,         MGMT_SET_EXP_FEATURE_SIZE,
8438 						HCI_MGMT_VAR_LEN |
8439 						HCI_MGMT_HDEV_OPTIONAL },
8440 	{ read_def_system_config,  MGMT_READ_DEF_SYSTEM_CONFIG_SIZE,
8441 						HCI_MGMT_UNTRUSTED },
8442 	{ set_def_system_config,   MGMT_SET_DEF_SYSTEM_CONFIG_SIZE,
8443 						HCI_MGMT_VAR_LEN },
8444 	{ read_def_runtime_config, MGMT_READ_DEF_RUNTIME_CONFIG_SIZE,
8445 						HCI_MGMT_UNTRUSTED },
8446 	{ set_def_runtime_config,  MGMT_SET_DEF_RUNTIME_CONFIG_SIZE,
8447 						HCI_MGMT_VAR_LEN },
8448 	{ get_device_flags,        MGMT_GET_DEVICE_FLAGS_SIZE },
8449 	{ set_device_flags,        MGMT_SET_DEVICE_FLAGS_SIZE },
8450 	{ read_adv_mon_features,   MGMT_READ_ADV_MONITOR_FEATURES_SIZE },
8451 	{ add_adv_patterns_monitor,MGMT_ADD_ADV_PATTERNS_MONITOR_SIZE,
8452 						HCI_MGMT_VAR_LEN },
8453 	{ remove_adv_monitor,      MGMT_REMOVE_ADV_MONITOR_SIZE },
8454 	{ add_ext_adv_params,      MGMT_ADD_EXT_ADV_PARAMS_MIN_SIZE,
8455 						HCI_MGMT_VAR_LEN },
8456 	{ add_ext_adv_data,        MGMT_ADD_EXT_ADV_DATA_SIZE,
8457 						HCI_MGMT_VAR_LEN },
8458 	{ add_adv_patterns_monitor_rssi,
8459 				   MGMT_ADD_ADV_PATTERNS_MONITOR_RSSI_SIZE,
8460 						HCI_MGMT_VAR_LEN },
8461 };
8462 
mgmt_index_added(struct hci_dev * hdev)8463 void mgmt_index_added(struct hci_dev *hdev)
8464 {
8465 	struct mgmt_ev_ext_index ev;
8466 
8467 	if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
8468 		return;
8469 
8470 	switch (hdev->dev_type) {
8471 	case HCI_PRIMARY:
8472 		if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
8473 			mgmt_index_event(MGMT_EV_UNCONF_INDEX_ADDED, hdev,
8474 					 NULL, 0, HCI_MGMT_UNCONF_INDEX_EVENTS);
8475 			ev.type = 0x01;
8476 		} else {
8477 			mgmt_index_event(MGMT_EV_INDEX_ADDED, hdev, NULL, 0,
8478 					 HCI_MGMT_INDEX_EVENTS);
8479 			ev.type = 0x00;
8480 		}
8481 		break;
8482 	case HCI_AMP:
8483 		ev.type = 0x02;
8484 		break;
8485 	default:
8486 		return;
8487 	}
8488 
8489 	ev.bus = hdev->bus;
8490 
8491 	mgmt_index_event(MGMT_EV_EXT_INDEX_ADDED, hdev, &ev, sizeof(ev),
8492 			 HCI_MGMT_EXT_INDEX_EVENTS);
8493 }
8494 
mgmt_index_removed(struct hci_dev * hdev)8495 void mgmt_index_removed(struct hci_dev *hdev)
8496 {
8497 	struct mgmt_ev_ext_index ev;
8498 	u8 status = MGMT_STATUS_INVALID_INDEX;
8499 
8500 	if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
8501 		return;
8502 
8503 	switch (hdev->dev_type) {
8504 	case HCI_PRIMARY:
8505 		mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &status);
8506 
8507 		if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
8508 			mgmt_index_event(MGMT_EV_UNCONF_INDEX_REMOVED, hdev,
8509 					 NULL, 0, HCI_MGMT_UNCONF_INDEX_EVENTS);
8510 			ev.type = 0x01;
8511 		} else {
8512 			mgmt_index_event(MGMT_EV_INDEX_REMOVED, hdev, NULL, 0,
8513 					 HCI_MGMT_INDEX_EVENTS);
8514 			ev.type = 0x00;
8515 		}
8516 		break;
8517 	case HCI_AMP:
8518 		ev.type = 0x02;
8519 		break;
8520 	default:
8521 		return;
8522 	}
8523 
8524 	ev.bus = hdev->bus;
8525 
8526 	mgmt_index_event(MGMT_EV_EXT_INDEX_REMOVED, hdev, &ev, sizeof(ev),
8527 			 HCI_MGMT_EXT_INDEX_EVENTS);
8528 }
8529 
8530 /* This function requires the caller holds hdev->lock */
restart_le_actions(struct hci_dev * hdev)8531 static void restart_le_actions(struct hci_dev *hdev)
8532 {
8533 	struct hci_conn_params *p;
8534 
8535 	list_for_each_entry(p, &hdev->le_conn_params, list) {
8536 		/* Needed for AUTO_OFF case where might not "really"
8537 		 * have been powered off.
8538 		 */
8539 		list_del_init(&p->action);
8540 
8541 		switch (p->auto_connect) {
8542 		case HCI_AUTO_CONN_DIRECT:
8543 		case HCI_AUTO_CONN_ALWAYS:
8544 			list_add(&p->action, &hdev->pend_le_conns);
8545 			break;
8546 		case HCI_AUTO_CONN_REPORT:
8547 			list_add(&p->action, &hdev->pend_le_reports);
8548 			break;
8549 		default:
8550 			break;
8551 		}
8552 	}
8553 }
8554 
mgmt_power_on(struct hci_dev * hdev,int err)8555 void mgmt_power_on(struct hci_dev *hdev, int err)
8556 {
8557 	struct cmd_lookup match = { NULL, hdev };
8558 
8559 	bt_dev_dbg(hdev, "err %d", err);
8560 
8561 	hci_dev_lock(hdev);
8562 
8563 	if (!err) {
8564 		restart_le_actions(hdev);
8565 		hci_update_background_scan(hdev);
8566 	}
8567 
8568 	mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp, &match);
8569 
8570 	new_settings(hdev, match.sk);
8571 
8572 	if (match.sk)
8573 		sock_put(match.sk);
8574 
8575 	hci_dev_unlock(hdev);
8576 }
8577 
__mgmt_power_off(struct hci_dev * hdev)8578 void __mgmt_power_off(struct hci_dev *hdev)
8579 {
8580 	struct cmd_lookup match = { NULL, hdev };
8581 	u8 status, zero_cod[] = { 0, 0, 0 };
8582 
8583 	mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp, &match);
8584 
8585 	/* If the power off is because of hdev unregistration let
8586 	 * use the appropriate INVALID_INDEX status. Otherwise use
8587 	 * NOT_POWERED. We cover both scenarios here since later in
8588 	 * mgmt_index_removed() any hci_conn callbacks will have already
8589 	 * been triggered, potentially causing misleading DISCONNECTED
8590 	 * status responses.
8591 	 */
8592 	if (hci_dev_test_flag(hdev, HCI_UNREGISTER))
8593 		status = MGMT_STATUS_INVALID_INDEX;
8594 	else
8595 		status = MGMT_STATUS_NOT_POWERED;
8596 
8597 	mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &status);
8598 
8599 	if (memcmp(hdev->dev_class, zero_cod, sizeof(zero_cod)) != 0) {
8600 		mgmt_limited_event(MGMT_EV_CLASS_OF_DEV_CHANGED, hdev,
8601 				   zero_cod, sizeof(zero_cod),
8602 				   HCI_MGMT_DEV_CLASS_EVENTS, NULL);
8603 		ext_info_changed(hdev, NULL);
8604 	}
8605 
8606 	new_settings(hdev, match.sk);
8607 
8608 	if (match.sk)
8609 		sock_put(match.sk);
8610 }
8611 
mgmt_set_powered_failed(struct hci_dev * hdev,int err)8612 void mgmt_set_powered_failed(struct hci_dev *hdev, int err)
8613 {
8614 	struct mgmt_pending_cmd *cmd;
8615 	u8 status;
8616 
8617 	cmd = pending_find(MGMT_OP_SET_POWERED, hdev);
8618 	if (!cmd)
8619 		return;
8620 
8621 	if (err == -ERFKILL)
8622 		status = MGMT_STATUS_RFKILLED;
8623 	else
8624 		status = MGMT_STATUS_FAILED;
8625 
8626 	mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_POWERED, status);
8627 
8628 	mgmt_pending_remove(cmd);
8629 }
8630 
mgmt_new_link_key(struct hci_dev * hdev,struct link_key * key,bool persistent)8631 void mgmt_new_link_key(struct hci_dev *hdev, struct link_key *key,
8632 		       bool persistent)
8633 {
8634 	struct mgmt_ev_new_link_key ev;
8635 
8636 	memset(&ev, 0, sizeof(ev));
8637 
8638 	ev.store_hint = persistent;
8639 	bacpy(&ev.key.addr.bdaddr, &key->bdaddr);
8640 	ev.key.addr.type = BDADDR_BREDR;
8641 	ev.key.type = key->type;
8642 	memcpy(ev.key.val, key->val, HCI_LINK_KEY_SIZE);
8643 	ev.key.pin_len = key->pin_len;
8644 
8645 	mgmt_event(MGMT_EV_NEW_LINK_KEY, hdev, &ev, sizeof(ev), NULL);
8646 }
8647 
mgmt_ltk_type(struct smp_ltk * ltk)8648 static u8 mgmt_ltk_type(struct smp_ltk *ltk)
8649 {
8650 	switch (ltk->type) {
8651 	case SMP_LTK:
8652 	case SMP_LTK_RESPONDER:
8653 		if (ltk->authenticated)
8654 			return MGMT_LTK_AUTHENTICATED;
8655 		return MGMT_LTK_UNAUTHENTICATED;
8656 	case SMP_LTK_P256:
8657 		if (ltk->authenticated)
8658 			return MGMT_LTK_P256_AUTH;
8659 		return MGMT_LTK_P256_UNAUTH;
8660 	case SMP_LTK_P256_DEBUG:
8661 		return MGMT_LTK_P256_DEBUG;
8662 	}
8663 
8664 	return MGMT_LTK_UNAUTHENTICATED;
8665 }
8666 
mgmt_new_ltk(struct hci_dev * hdev,struct smp_ltk * key,bool persistent)8667 void mgmt_new_ltk(struct hci_dev *hdev, struct smp_ltk *key, bool persistent)
8668 {
8669 	struct mgmt_ev_new_long_term_key ev;
8670 
8671 	memset(&ev, 0, sizeof(ev));
8672 
8673 	/* Devices using resolvable or non-resolvable random addresses
8674 	 * without providing an identity resolving key don't require
8675 	 * to store long term keys. Their addresses will change the
8676 	 * next time around.
8677 	 *
8678 	 * Only when a remote device provides an identity address
8679 	 * make sure the long term key is stored. If the remote
8680 	 * identity is known, the long term keys are internally
8681 	 * mapped to the identity address. So allow static random
8682 	 * and public addresses here.
8683 	 */
8684 	if (key->bdaddr_type == ADDR_LE_DEV_RANDOM &&
8685 	    (key->bdaddr.b[5] & 0xc0) != 0xc0)
8686 		ev.store_hint = 0x00;
8687 	else
8688 		ev.store_hint = persistent;
8689 
8690 	bacpy(&ev.key.addr.bdaddr, &key->bdaddr);
8691 	ev.key.addr.type = link_to_bdaddr(LE_LINK, key->bdaddr_type);
8692 	ev.key.type = mgmt_ltk_type(key);
8693 	ev.key.enc_size = key->enc_size;
8694 	ev.key.ediv = key->ediv;
8695 	ev.key.rand = key->rand;
8696 
8697 	if (key->type == SMP_LTK)
8698 		ev.key.initiator = 1;
8699 
8700 	/* Make sure we copy only the significant bytes based on the
8701 	 * encryption key size, and set the rest of the value to zeroes.
8702 	 */
8703 	memcpy(ev.key.val, key->val, key->enc_size);
8704 	memset(ev.key.val + key->enc_size, 0,
8705 	       sizeof(ev.key.val) - key->enc_size);
8706 
8707 	mgmt_event(MGMT_EV_NEW_LONG_TERM_KEY, hdev, &ev, sizeof(ev), NULL);
8708 }
8709 
mgmt_new_irk(struct hci_dev * hdev,struct smp_irk * irk,bool persistent)8710 void mgmt_new_irk(struct hci_dev *hdev, struct smp_irk *irk, bool persistent)
8711 {
8712 	struct mgmt_ev_new_irk ev;
8713 
8714 	memset(&ev, 0, sizeof(ev));
8715 
8716 	ev.store_hint = persistent;
8717 
8718 	bacpy(&ev.rpa, &irk->rpa);
8719 	bacpy(&ev.irk.addr.bdaddr, &irk->bdaddr);
8720 	ev.irk.addr.type = link_to_bdaddr(LE_LINK, irk->addr_type);
8721 	memcpy(ev.irk.val, irk->val, sizeof(irk->val));
8722 
8723 	mgmt_event(MGMT_EV_NEW_IRK, hdev, &ev, sizeof(ev), NULL);
8724 }
8725 
mgmt_new_csrk(struct hci_dev * hdev,struct smp_csrk * csrk,bool persistent)8726 void mgmt_new_csrk(struct hci_dev *hdev, struct smp_csrk *csrk,
8727 		   bool persistent)
8728 {
8729 	struct mgmt_ev_new_csrk ev;
8730 
8731 	memset(&ev, 0, sizeof(ev));
8732 
8733 	/* Devices using resolvable or non-resolvable random addresses
8734 	 * without providing an identity resolving key don't require
8735 	 * to store signature resolving keys. Their addresses will change
8736 	 * the next time around.
8737 	 *
8738 	 * Only when a remote device provides an identity address
8739 	 * make sure the signature resolving key is stored. So allow
8740 	 * static random and public addresses here.
8741 	 */
8742 	if (csrk->bdaddr_type == ADDR_LE_DEV_RANDOM &&
8743 	    (csrk->bdaddr.b[5] & 0xc0) != 0xc0)
8744 		ev.store_hint = 0x00;
8745 	else
8746 		ev.store_hint = persistent;
8747 
8748 	bacpy(&ev.key.addr.bdaddr, &csrk->bdaddr);
8749 	ev.key.addr.type = link_to_bdaddr(LE_LINK, csrk->bdaddr_type);
8750 	ev.key.type = csrk->type;
8751 	memcpy(ev.key.val, csrk->val, sizeof(csrk->val));
8752 
8753 	mgmt_event(MGMT_EV_NEW_CSRK, hdev, &ev, sizeof(ev), NULL);
8754 }
8755 
mgmt_new_conn_param(struct hci_dev * hdev,bdaddr_t * bdaddr,u8 bdaddr_type,u8 store_hint,u16 min_interval,u16 max_interval,u16 latency,u16 timeout)8756 void mgmt_new_conn_param(struct hci_dev *hdev, bdaddr_t *bdaddr,
8757 			 u8 bdaddr_type, u8 store_hint, u16 min_interval,
8758 			 u16 max_interval, u16 latency, u16 timeout)
8759 {
8760 	struct mgmt_ev_new_conn_param ev;
8761 
8762 	if (!hci_is_identity_address(bdaddr, bdaddr_type))
8763 		return;
8764 
8765 	memset(&ev, 0, sizeof(ev));
8766 	bacpy(&ev.addr.bdaddr, bdaddr);
8767 	ev.addr.type = link_to_bdaddr(LE_LINK, bdaddr_type);
8768 	ev.store_hint = store_hint;
8769 	ev.min_interval = cpu_to_le16(min_interval);
8770 	ev.max_interval = cpu_to_le16(max_interval);
8771 	ev.latency = cpu_to_le16(latency);
8772 	ev.timeout = cpu_to_le16(timeout);
8773 
8774 	mgmt_event(MGMT_EV_NEW_CONN_PARAM, hdev, &ev, sizeof(ev), NULL);
8775 }
8776 
mgmt_device_connected(struct hci_dev * hdev,struct hci_conn * conn,u8 * name,u8 name_len)8777 void mgmt_device_connected(struct hci_dev *hdev, struct hci_conn *conn,
8778 			   u8 *name, u8 name_len)
8779 {
8780 	char buf[512];
8781 	struct mgmt_ev_device_connected *ev = (void *) buf;
8782 	u16 eir_len = 0;
8783 	u32 flags = 0;
8784 
8785 	bacpy(&ev->addr.bdaddr, &conn->dst);
8786 	ev->addr.type = link_to_bdaddr(conn->type, conn->dst_type);
8787 
8788 	if (conn->out)
8789 		flags |= MGMT_DEV_FOUND_INITIATED_CONN;
8790 
8791 	ev->flags = __cpu_to_le32(flags);
8792 
8793 	/* We must ensure that the EIR Data fields are ordered and
8794 	 * unique. Keep it simple for now and avoid the problem by not
8795 	 * adding any BR/EDR data to the LE adv.
8796 	 */
8797 	if (conn->le_adv_data_len > 0) {
8798 		memcpy(&ev->eir[eir_len],
8799 		       conn->le_adv_data, conn->le_adv_data_len);
8800 		eir_len = conn->le_adv_data_len;
8801 	} else {
8802 		if (name_len > 0)
8803 			eir_len = eir_append_data(ev->eir, 0, EIR_NAME_COMPLETE,
8804 						  name, name_len);
8805 
8806 		if (memcmp(conn->dev_class, "\0\0\0", 3) != 0)
8807 			eir_len = eir_append_data(ev->eir, eir_len,
8808 						  EIR_CLASS_OF_DEV,
8809 						  conn->dev_class, 3);
8810 	}
8811 
8812 	ev->eir_len = cpu_to_le16(eir_len);
8813 
8814 	mgmt_event(MGMT_EV_DEVICE_CONNECTED, hdev, buf,
8815 		    sizeof(*ev) + eir_len, NULL);
8816 }
8817 
disconnect_rsp(struct mgmt_pending_cmd * cmd,void * data)8818 static void disconnect_rsp(struct mgmt_pending_cmd *cmd, void *data)
8819 {
8820 	struct sock **sk = data;
8821 
8822 	cmd->cmd_complete(cmd, 0);
8823 
8824 	*sk = cmd->sk;
8825 	sock_hold(*sk);
8826 
8827 	mgmt_pending_remove(cmd);
8828 }
8829 
unpair_device_rsp(struct mgmt_pending_cmd * cmd,void * data)8830 static void unpair_device_rsp(struct mgmt_pending_cmd *cmd, void *data)
8831 {
8832 	struct hci_dev *hdev = data;
8833 	struct mgmt_cp_unpair_device *cp = cmd->param;
8834 
8835 	device_unpaired(hdev, &cp->addr.bdaddr, cp->addr.type, cmd->sk);
8836 
8837 	cmd->cmd_complete(cmd, 0);
8838 	mgmt_pending_remove(cmd);
8839 }
8840 
mgmt_powering_down(struct hci_dev * hdev)8841 bool mgmt_powering_down(struct hci_dev *hdev)
8842 {
8843 	struct mgmt_pending_cmd *cmd;
8844 	struct mgmt_mode *cp;
8845 
8846 	cmd = pending_find(MGMT_OP_SET_POWERED, hdev);
8847 	if (!cmd)
8848 		return false;
8849 
8850 	cp = cmd->param;
8851 	if (!cp->val)
8852 		return true;
8853 
8854 	return false;
8855 }
8856 
mgmt_device_disconnected(struct hci_dev * hdev,bdaddr_t * bdaddr,u8 link_type,u8 addr_type,u8 reason,bool mgmt_connected)8857 void mgmt_device_disconnected(struct hci_dev *hdev, bdaddr_t *bdaddr,
8858 			      u8 link_type, u8 addr_type, u8 reason,
8859 			      bool mgmt_connected)
8860 {
8861 	struct mgmt_ev_device_disconnected ev;
8862 	struct sock *sk = NULL;
8863 
8864 	/* The connection is still in hci_conn_hash so test for 1
8865 	 * instead of 0 to know if this is the last one.
8866 	 */
8867 	if (mgmt_powering_down(hdev) && hci_conn_count(hdev) == 1) {
8868 		cancel_delayed_work(&hdev->power_off);
8869 		queue_work(hdev->req_workqueue, &hdev->power_off.work);
8870 	}
8871 
8872 	if (!mgmt_connected)
8873 		return;
8874 
8875 	if (link_type != ACL_LINK && link_type != LE_LINK)
8876 		return;
8877 
8878 	mgmt_pending_foreach(MGMT_OP_DISCONNECT, hdev, disconnect_rsp, &sk);
8879 
8880 	bacpy(&ev.addr.bdaddr, bdaddr);
8881 	ev.addr.type = link_to_bdaddr(link_type, addr_type);
8882 	ev.reason = reason;
8883 
8884 	/* Report disconnects due to suspend */
8885 	if (hdev->suspended)
8886 		ev.reason = MGMT_DEV_DISCONN_LOCAL_HOST_SUSPEND;
8887 
8888 	mgmt_event(MGMT_EV_DEVICE_DISCONNECTED, hdev, &ev, sizeof(ev), sk);
8889 
8890 	if (sk)
8891 		sock_put(sk);
8892 
8893 	mgmt_pending_foreach(MGMT_OP_UNPAIR_DEVICE, hdev, unpair_device_rsp,
8894 			     hdev);
8895 }
8896 
mgmt_disconnect_failed(struct hci_dev * hdev,bdaddr_t * bdaddr,u8 link_type,u8 addr_type,u8 status)8897 void mgmt_disconnect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr,
8898 			    u8 link_type, u8 addr_type, u8 status)
8899 {
8900 	u8 bdaddr_type = link_to_bdaddr(link_type, addr_type);
8901 	struct mgmt_cp_disconnect *cp;
8902 	struct mgmt_pending_cmd *cmd;
8903 
8904 	mgmt_pending_foreach(MGMT_OP_UNPAIR_DEVICE, hdev, unpair_device_rsp,
8905 			     hdev);
8906 
8907 	cmd = pending_find(MGMT_OP_DISCONNECT, hdev);
8908 	if (!cmd)
8909 		return;
8910 
8911 	cp = cmd->param;
8912 
8913 	if (bacmp(bdaddr, &cp->addr.bdaddr))
8914 		return;
8915 
8916 	if (cp->addr.type != bdaddr_type)
8917 		return;
8918 
8919 	cmd->cmd_complete(cmd, mgmt_status(status));
8920 	mgmt_pending_remove(cmd);
8921 }
8922 
mgmt_connect_failed(struct hci_dev * hdev,bdaddr_t * bdaddr,u8 link_type,u8 addr_type,u8 status)8923 void mgmt_connect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
8924 			 u8 addr_type, u8 status)
8925 {
8926 	struct mgmt_ev_connect_failed ev;
8927 
8928 	/* The connection is still in hci_conn_hash so test for 1
8929 	 * instead of 0 to know if this is the last one.
8930 	 */
8931 	if (mgmt_powering_down(hdev) && hci_conn_count(hdev) == 1) {
8932 		cancel_delayed_work(&hdev->power_off);
8933 		queue_work(hdev->req_workqueue, &hdev->power_off.work);
8934 	}
8935 
8936 	bacpy(&ev.addr.bdaddr, bdaddr);
8937 	ev.addr.type = link_to_bdaddr(link_type, addr_type);
8938 	ev.status = mgmt_status(status);
8939 
8940 	mgmt_event(MGMT_EV_CONNECT_FAILED, hdev, &ev, sizeof(ev), NULL);
8941 }
8942 
mgmt_pin_code_request(struct hci_dev * hdev,bdaddr_t * bdaddr,u8 secure)8943 void mgmt_pin_code_request(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 secure)
8944 {
8945 	struct mgmt_ev_pin_code_request ev;
8946 
8947 	bacpy(&ev.addr.bdaddr, bdaddr);
8948 	ev.addr.type = BDADDR_BREDR;
8949 	ev.secure = secure;
8950 
8951 	mgmt_event(MGMT_EV_PIN_CODE_REQUEST, hdev, &ev, sizeof(ev), NULL);
8952 }
8953 
mgmt_pin_code_reply_complete(struct hci_dev * hdev,bdaddr_t * bdaddr,u8 status)8954 void mgmt_pin_code_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
8955 				  u8 status)
8956 {
8957 	struct mgmt_pending_cmd *cmd;
8958 
8959 	cmd = pending_find(MGMT_OP_PIN_CODE_REPLY, hdev);
8960 	if (!cmd)
8961 		return;
8962 
8963 	cmd->cmd_complete(cmd, mgmt_status(status));
8964 	mgmt_pending_remove(cmd);
8965 }
8966 
mgmt_pin_code_neg_reply_complete(struct hci_dev * hdev,bdaddr_t * bdaddr,u8 status)8967 void mgmt_pin_code_neg_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
8968 				      u8 status)
8969 {
8970 	struct mgmt_pending_cmd *cmd;
8971 
8972 	cmd = pending_find(MGMT_OP_PIN_CODE_NEG_REPLY, hdev);
8973 	if (!cmd)
8974 		return;
8975 
8976 	cmd->cmd_complete(cmd, mgmt_status(status));
8977 	mgmt_pending_remove(cmd);
8978 }
8979 
mgmt_user_confirm_request(struct hci_dev * hdev,bdaddr_t * bdaddr,u8 link_type,u8 addr_type,u32 value,u8 confirm_hint)8980 int mgmt_user_confirm_request(struct hci_dev *hdev, bdaddr_t *bdaddr,
8981 			      u8 link_type, u8 addr_type, u32 value,
8982 			      u8 confirm_hint)
8983 {
8984 	struct mgmt_ev_user_confirm_request ev;
8985 
8986 	bt_dev_dbg(hdev, "bdaddr %pMR", bdaddr);
8987 
8988 	bacpy(&ev.addr.bdaddr, bdaddr);
8989 	ev.addr.type = link_to_bdaddr(link_type, addr_type);
8990 	ev.confirm_hint = confirm_hint;
8991 	ev.value = cpu_to_le32(value);
8992 
8993 	return mgmt_event(MGMT_EV_USER_CONFIRM_REQUEST, hdev, &ev, sizeof(ev),
8994 			  NULL);
8995 }
8996 
mgmt_user_passkey_request(struct hci_dev * hdev,bdaddr_t * bdaddr,u8 link_type,u8 addr_type)8997 int mgmt_user_passkey_request(struct hci_dev *hdev, bdaddr_t *bdaddr,
8998 			      u8 link_type, u8 addr_type)
8999 {
9000 	struct mgmt_ev_user_passkey_request ev;
9001 
9002 	bt_dev_dbg(hdev, "bdaddr %pMR", bdaddr);
9003 
9004 	bacpy(&ev.addr.bdaddr, bdaddr);
9005 	ev.addr.type = link_to_bdaddr(link_type, addr_type);
9006 
9007 	return mgmt_event(MGMT_EV_USER_PASSKEY_REQUEST, hdev, &ev, sizeof(ev),
9008 			  NULL);
9009 }
9010 
user_pairing_resp_complete(struct hci_dev * hdev,bdaddr_t * bdaddr,u8 link_type,u8 addr_type,u8 status,u8 opcode)9011 static int user_pairing_resp_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9012 				      u8 link_type, u8 addr_type, u8 status,
9013 				      u8 opcode)
9014 {
9015 	struct mgmt_pending_cmd *cmd;
9016 
9017 	cmd = pending_find(opcode, hdev);
9018 	if (!cmd)
9019 		return -ENOENT;
9020 
9021 	cmd->cmd_complete(cmd, mgmt_status(status));
9022 	mgmt_pending_remove(cmd);
9023 
9024 	return 0;
9025 }
9026 
mgmt_user_confirm_reply_complete(struct hci_dev * hdev,bdaddr_t * bdaddr,u8 link_type,u8 addr_type,u8 status)9027 int mgmt_user_confirm_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9028 				     u8 link_type, u8 addr_type, u8 status)
9029 {
9030 	return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
9031 					  status, MGMT_OP_USER_CONFIRM_REPLY);
9032 }
9033 
mgmt_user_confirm_neg_reply_complete(struct hci_dev * hdev,bdaddr_t * bdaddr,u8 link_type,u8 addr_type,u8 status)9034 int mgmt_user_confirm_neg_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9035 					 u8 link_type, u8 addr_type, u8 status)
9036 {
9037 	return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
9038 					  status,
9039 					  MGMT_OP_USER_CONFIRM_NEG_REPLY);
9040 }
9041 
mgmt_user_passkey_reply_complete(struct hci_dev * hdev,bdaddr_t * bdaddr,u8 link_type,u8 addr_type,u8 status)9042 int mgmt_user_passkey_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9043 				     u8 link_type, u8 addr_type, u8 status)
9044 {
9045 	return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
9046 					  status, MGMT_OP_USER_PASSKEY_REPLY);
9047 }
9048 
mgmt_user_passkey_neg_reply_complete(struct hci_dev * hdev,bdaddr_t * bdaddr,u8 link_type,u8 addr_type,u8 status)9049 int mgmt_user_passkey_neg_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9050 					 u8 link_type, u8 addr_type, u8 status)
9051 {
9052 	return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
9053 					  status,
9054 					  MGMT_OP_USER_PASSKEY_NEG_REPLY);
9055 }
9056 
mgmt_user_passkey_notify(struct hci_dev * hdev,bdaddr_t * bdaddr,u8 link_type,u8 addr_type,u32 passkey,u8 entered)9057 int mgmt_user_passkey_notify(struct hci_dev *hdev, bdaddr_t *bdaddr,
9058 			     u8 link_type, u8 addr_type, u32 passkey,
9059 			     u8 entered)
9060 {
9061 	struct mgmt_ev_passkey_notify ev;
9062 
9063 	bt_dev_dbg(hdev, "bdaddr %pMR", bdaddr);
9064 
9065 	bacpy(&ev.addr.bdaddr, bdaddr);
9066 	ev.addr.type = link_to_bdaddr(link_type, addr_type);
9067 	ev.passkey = __cpu_to_le32(passkey);
9068 	ev.entered = entered;
9069 
9070 	return mgmt_event(MGMT_EV_PASSKEY_NOTIFY, hdev, &ev, sizeof(ev), NULL);
9071 }
9072 
mgmt_auth_failed(struct hci_conn * conn,u8 hci_status)9073 void mgmt_auth_failed(struct hci_conn *conn, u8 hci_status)
9074 {
9075 	struct mgmt_ev_auth_failed ev;
9076 	struct mgmt_pending_cmd *cmd;
9077 	u8 status = mgmt_status(hci_status);
9078 
9079 	bacpy(&ev.addr.bdaddr, &conn->dst);
9080 	ev.addr.type = link_to_bdaddr(conn->type, conn->dst_type);
9081 	ev.status = status;
9082 
9083 	cmd = find_pairing(conn);
9084 
9085 	mgmt_event(MGMT_EV_AUTH_FAILED, conn->hdev, &ev, sizeof(ev),
9086 		    cmd ? cmd->sk : NULL);
9087 
9088 	if (cmd) {
9089 		cmd->cmd_complete(cmd, status);
9090 		mgmt_pending_remove(cmd);
9091 	}
9092 }
9093 
mgmt_auth_enable_complete(struct hci_dev * hdev,u8 status)9094 void mgmt_auth_enable_complete(struct hci_dev *hdev, u8 status)
9095 {
9096 	struct cmd_lookup match = { NULL, hdev };
9097 	bool changed;
9098 
9099 	if (status) {
9100 		u8 mgmt_err = mgmt_status(status);
9101 		mgmt_pending_foreach(MGMT_OP_SET_LINK_SECURITY, hdev,
9102 				     cmd_status_rsp, &mgmt_err);
9103 		return;
9104 	}
9105 
9106 	if (test_bit(HCI_AUTH, &hdev->flags))
9107 		changed = !hci_dev_test_and_set_flag(hdev, HCI_LINK_SECURITY);
9108 	else
9109 		changed = hci_dev_test_and_clear_flag(hdev, HCI_LINK_SECURITY);
9110 
9111 	mgmt_pending_foreach(MGMT_OP_SET_LINK_SECURITY, hdev, settings_rsp,
9112 			     &match);
9113 
9114 	if (changed)
9115 		new_settings(hdev, match.sk);
9116 
9117 	if (match.sk)
9118 		sock_put(match.sk);
9119 }
9120 
clear_eir(struct hci_request * req)9121 static void clear_eir(struct hci_request *req)
9122 {
9123 	struct hci_dev *hdev = req->hdev;
9124 	struct hci_cp_write_eir cp;
9125 
9126 	if (!lmp_ext_inq_capable(hdev))
9127 		return;
9128 
9129 	memset(hdev->eir, 0, sizeof(hdev->eir));
9130 
9131 	memset(&cp, 0, sizeof(cp));
9132 
9133 	hci_req_add(req, HCI_OP_WRITE_EIR, sizeof(cp), &cp);
9134 }
9135 
mgmt_ssp_enable_complete(struct hci_dev * hdev,u8 enable,u8 status)9136 void mgmt_ssp_enable_complete(struct hci_dev *hdev, u8 enable, u8 status)
9137 {
9138 	struct cmd_lookup match = { NULL, hdev };
9139 	struct hci_request req;
9140 	bool changed = false;
9141 
9142 	if (status) {
9143 		u8 mgmt_err = mgmt_status(status);
9144 
9145 		if (enable && hci_dev_test_and_clear_flag(hdev,
9146 							  HCI_SSP_ENABLED)) {
9147 			hci_dev_clear_flag(hdev, HCI_HS_ENABLED);
9148 			new_settings(hdev, NULL);
9149 		}
9150 
9151 		mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, cmd_status_rsp,
9152 				     &mgmt_err);
9153 		return;
9154 	}
9155 
9156 	if (enable) {
9157 		changed = !hci_dev_test_and_set_flag(hdev, HCI_SSP_ENABLED);
9158 	} else {
9159 		changed = hci_dev_test_and_clear_flag(hdev, HCI_SSP_ENABLED);
9160 		if (!changed)
9161 			changed = hci_dev_test_and_clear_flag(hdev,
9162 							      HCI_HS_ENABLED);
9163 		else
9164 			hci_dev_clear_flag(hdev, HCI_HS_ENABLED);
9165 	}
9166 
9167 	mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, settings_rsp, &match);
9168 
9169 	if (changed)
9170 		new_settings(hdev, match.sk);
9171 
9172 	if (match.sk)
9173 		sock_put(match.sk);
9174 
9175 	hci_req_init(&req, hdev);
9176 
9177 	if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
9178 		if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS))
9179 			hci_req_add(&req, HCI_OP_WRITE_SSP_DEBUG_MODE,
9180 				    sizeof(enable), &enable);
9181 		__hci_req_update_eir(&req);
9182 	} else {
9183 		clear_eir(&req);
9184 	}
9185 
9186 	hci_req_run(&req, NULL);
9187 }
9188 
sk_lookup(struct mgmt_pending_cmd * cmd,void * data)9189 static void sk_lookup(struct mgmt_pending_cmd *cmd, void *data)
9190 {
9191 	struct cmd_lookup *match = data;
9192 
9193 	if (match->sk == NULL) {
9194 		match->sk = cmd->sk;
9195 		sock_hold(match->sk);
9196 	}
9197 }
9198 
mgmt_set_class_of_dev_complete(struct hci_dev * hdev,u8 * dev_class,u8 status)9199 void mgmt_set_class_of_dev_complete(struct hci_dev *hdev, u8 *dev_class,
9200 				    u8 status)
9201 {
9202 	struct cmd_lookup match = { NULL, hdev, mgmt_status(status) };
9203 
9204 	mgmt_pending_foreach(MGMT_OP_SET_DEV_CLASS, hdev, sk_lookup, &match);
9205 	mgmt_pending_foreach(MGMT_OP_ADD_UUID, hdev, sk_lookup, &match);
9206 	mgmt_pending_foreach(MGMT_OP_REMOVE_UUID, hdev, sk_lookup, &match);
9207 
9208 	if (!status) {
9209 		mgmt_limited_event(MGMT_EV_CLASS_OF_DEV_CHANGED, hdev, dev_class,
9210 				   3, HCI_MGMT_DEV_CLASS_EVENTS, NULL);
9211 		ext_info_changed(hdev, NULL);
9212 	}
9213 
9214 	if (match.sk)
9215 		sock_put(match.sk);
9216 }
9217 
mgmt_set_local_name_complete(struct hci_dev * hdev,u8 * name,u8 status)9218 void mgmt_set_local_name_complete(struct hci_dev *hdev, u8 *name, u8 status)
9219 {
9220 	struct mgmt_cp_set_local_name ev;
9221 	struct mgmt_pending_cmd *cmd;
9222 
9223 	if (status)
9224 		return;
9225 
9226 	memset(&ev, 0, sizeof(ev));
9227 	memcpy(ev.name, name, HCI_MAX_NAME_LENGTH);
9228 	memcpy(ev.short_name, hdev->short_name, HCI_MAX_SHORT_NAME_LENGTH);
9229 
9230 	cmd = pending_find(MGMT_OP_SET_LOCAL_NAME, hdev);
9231 	if (!cmd) {
9232 		memcpy(hdev->dev_name, name, sizeof(hdev->dev_name));
9233 
9234 		/* If this is a HCI command related to powering on the
9235 		 * HCI dev don't send any mgmt signals.
9236 		 */
9237 		if (pending_find(MGMT_OP_SET_POWERED, hdev))
9238 			return;
9239 	}
9240 
9241 	mgmt_limited_event(MGMT_EV_LOCAL_NAME_CHANGED, hdev, &ev, sizeof(ev),
9242 			   HCI_MGMT_LOCAL_NAME_EVENTS, cmd ? cmd->sk : NULL);
9243 	ext_info_changed(hdev, cmd ? cmd->sk : NULL);
9244 }
9245 
has_uuid(u8 * uuid,u16 uuid_count,u8 (* uuids)[16])9246 static inline bool has_uuid(u8 *uuid, u16 uuid_count, u8 (*uuids)[16])
9247 {
9248 	int i;
9249 
9250 	for (i = 0; i < uuid_count; i++) {
9251 		if (!memcmp(uuid, uuids[i], 16))
9252 			return true;
9253 	}
9254 
9255 	return false;
9256 }
9257 
eir_has_uuids(u8 * eir,u16 eir_len,u16 uuid_count,u8 (* uuids)[16])9258 static bool eir_has_uuids(u8 *eir, u16 eir_len, u16 uuid_count, u8 (*uuids)[16])
9259 {
9260 	u16 parsed = 0;
9261 
9262 	while (parsed < eir_len) {
9263 		u8 field_len = eir[0];
9264 		u8 uuid[16];
9265 		int i;
9266 
9267 		if (field_len == 0)
9268 			break;
9269 
9270 		if (eir_len - parsed < field_len + 1)
9271 			break;
9272 
9273 		switch (eir[1]) {
9274 		case EIR_UUID16_ALL:
9275 		case EIR_UUID16_SOME:
9276 			for (i = 0; i + 3 <= field_len; i += 2) {
9277 				memcpy(uuid, bluetooth_base_uuid, 16);
9278 				uuid[13] = eir[i + 3];
9279 				uuid[12] = eir[i + 2];
9280 				if (has_uuid(uuid, uuid_count, uuids))
9281 					return true;
9282 			}
9283 			break;
9284 		case EIR_UUID32_ALL:
9285 		case EIR_UUID32_SOME:
9286 			for (i = 0; i + 5 <= field_len; i += 4) {
9287 				memcpy(uuid, bluetooth_base_uuid, 16);
9288 				uuid[15] = eir[i + 5];
9289 				uuid[14] = eir[i + 4];
9290 				uuid[13] = eir[i + 3];
9291 				uuid[12] = eir[i + 2];
9292 				if (has_uuid(uuid, uuid_count, uuids))
9293 					return true;
9294 			}
9295 			break;
9296 		case EIR_UUID128_ALL:
9297 		case EIR_UUID128_SOME:
9298 			for (i = 0; i + 17 <= field_len; i += 16) {
9299 				memcpy(uuid, eir + i + 2, 16);
9300 				if (has_uuid(uuid, uuid_count, uuids))
9301 					return true;
9302 			}
9303 			break;
9304 		}
9305 
9306 		parsed += field_len + 1;
9307 		eir += field_len + 1;
9308 	}
9309 
9310 	return false;
9311 }
9312 
restart_le_scan(struct hci_dev * hdev)9313 static void restart_le_scan(struct hci_dev *hdev)
9314 {
9315 	/* If controller is not scanning we are done. */
9316 	if (!hci_dev_test_flag(hdev, HCI_LE_SCAN))
9317 		return;
9318 
9319 	if (time_after(jiffies + DISCOV_LE_RESTART_DELAY,
9320 		       hdev->discovery.scan_start +
9321 		       hdev->discovery.scan_duration))
9322 		return;
9323 
9324 	queue_delayed_work(hdev->req_workqueue, &hdev->le_scan_restart,
9325 			   DISCOV_LE_RESTART_DELAY);
9326 }
9327 
is_filter_match(struct hci_dev * hdev,s8 rssi,u8 * eir,u16 eir_len,u8 * scan_rsp,u8 scan_rsp_len)9328 static bool is_filter_match(struct hci_dev *hdev, s8 rssi, u8 *eir,
9329 			    u16 eir_len, u8 *scan_rsp, u8 scan_rsp_len)
9330 {
9331 	/* If a RSSI threshold has been specified, and
9332 	 * HCI_QUIRK_STRICT_DUPLICATE_FILTER is not set, then all results with
9333 	 * a RSSI smaller than the RSSI threshold will be dropped. If the quirk
9334 	 * is set, let it through for further processing, as we might need to
9335 	 * restart the scan.
9336 	 *
9337 	 * For BR/EDR devices (pre 1.2) providing no RSSI during inquiry,
9338 	 * the results are also dropped.
9339 	 */
9340 	if (hdev->discovery.rssi != HCI_RSSI_INVALID &&
9341 	    (rssi == HCI_RSSI_INVALID ||
9342 	    (rssi < hdev->discovery.rssi &&
9343 	     !test_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks))))
9344 		return  false;
9345 
9346 	if (hdev->discovery.uuid_count != 0) {
9347 		/* If a list of UUIDs is provided in filter, results with no
9348 		 * matching UUID should be dropped.
9349 		 */
9350 		if (!eir_has_uuids(eir, eir_len, hdev->discovery.uuid_count,
9351 				   hdev->discovery.uuids) &&
9352 		    !eir_has_uuids(scan_rsp, scan_rsp_len,
9353 				   hdev->discovery.uuid_count,
9354 				   hdev->discovery.uuids))
9355 			return false;
9356 	}
9357 
9358 	/* If duplicate filtering does not report RSSI changes, then restart
9359 	 * scanning to ensure updated result with updated RSSI values.
9360 	 */
9361 	if (test_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks)) {
9362 		restart_le_scan(hdev);
9363 
9364 		/* Validate RSSI value against the RSSI threshold once more. */
9365 		if (hdev->discovery.rssi != HCI_RSSI_INVALID &&
9366 		    rssi < hdev->discovery.rssi)
9367 			return false;
9368 	}
9369 
9370 	return true;
9371 }
9372 
mgmt_device_found(struct hci_dev * hdev,bdaddr_t * bdaddr,u8 link_type,u8 addr_type,u8 * dev_class,s8 rssi,u32 flags,u8 * eir,u16 eir_len,u8 * scan_rsp,u8 scan_rsp_len)9373 void mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
9374 		       u8 addr_type, u8 *dev_class, s8 rssi, u32 flags,
9375 		       u8 *eir, u16 eir_len, u8 *scan_rsp, u8 scan_rsp_len)
9376 {
9377 	char buf[512];
9378 	struct mgmt_ev_device_found *ev = (void *)buf;
9379 	size_t ev_size;
9380 
9381 	/* Don't send events for a non-kernel initiated discovery. With
9382 	 * LE one exception is if we have pend_le_reports > 0 in which
9383 	 * case we're doing passive scanning and want these events.
9384 	 */
9385 	if (!hci_discovery_active(hdev)) {
9386 		if (link_type == ACL_LINK)
9387 			return;
9388 		if (link_type == LE_LINK &&
9389 		    list_empty(&hdev->pend_le_reports) &&
9390 		    !hci_is_adv_monitoring(hdev)) {
9391 			return;
9392 		}
9393 	}
9394 
9395 	if (hdev->discovery.result_filtering) {
9396 		/* We are using service discovery */
9397 		if (!is_filter_match(hdev, rssi, eir, eir_len, scan_rsp,
9398 				     scan_rsp_len))
9399 			return;
9400 	}
9401 
9402 	if (hdev->discovery.limited) {
9403 		/* Check for limited discoverable bit */
9404 		if (dev_class) {
9405 			if (!(dev_class[1] & 0x20))
9406 				return;
9407 		} else {
9408 			u8 *flags = eir_get_data(eir, eir_len, EIR_FLAGS, NULL);
9409 			if (!flags || !(flags[0] & LE_AD_LIMITED))
9410 				return;
9411 		}
9412 	}
9413 
9414 	/* Make sure that the buffer is big enough. The 5 extra bytes
9415 	 * are for the potential CoD field.
9416 	 */
9417 	if (sizeof(*ev) + eir_len + scan_rsp_len + 5 > sizeof(buf))
9418 		return;
9419 
9420 	memset(buf, 0, sizeof(buf));
9421 
9422 	/* In case of device discovery with BR/EDR devices (pre 1.2), the
9423 	 * RSSI value was reported as 0 when not available. This behavior
9424 	 * is kept when using device discovery. This is required for full
9425 	 * backwards compatibility with the API.
9426 	 *
9427 	 * However when using service discovery, the value 127 will be
9428 	 * returned when the RSSI is not available.
9429 	 */
9430 	if (rssi == HCI_RSSI_INVALID && !hdev->discovery.report_invalid_rssi &&
9431 	    link_type == ACL_LINK)
9432 		rssi = 0;
9433 
9434 	bacpy(&ev->addr.bdaddr, bdaddr);
9435 	ev->addr.type = link_to_bdaddr(link_type, addr_type);
9436 	ev->rssi = rssi;
9437 	ev->flags = cpu_to_le32(flags);
9438 
9439 	if (eir_len > 0)
9440 		/* Copy EIR or advertising data into event */
9441 		memcpy(ev->eir, eir, eir_len);
9442 
9443 	if (dev_class && !eir_get_data(ev->eir, eir_len, EIR_CLASS_OF_DEV,
9444 				       NULL))
9445 		eir_len = eir_append_data(ev->eir, eir_len, EIR_CLASS_OF_DEV,
9446 					  dev_class, 3);
9447 
9448 	if (scan_rsp_len > 0)
9449 		/* Append scan response data to event */
9450 		memcpy(ev->eir + eir_len, scan_rsp, scan_rsp_len);
9451 
9452 	ev->eir_len = cpu_to_le16(eir_len + scan_rsp_len);
9453 	ev_size = sizeof(*ev) + eir_len + scan_rsp_len;
9454 
9455 	mgmt_event(MGMT_EV_DEVICE_FOUND, hdev, ev, ev_size, NULL);
9456 }
9457 
mgmt_remote_name(struct hci_dev * hdev,bdaddr_t * bdaddr,u8 link_type,u8 addr_type,s8 rssi,u8 * name,u8 name_len)9458 void mgmt_remote_name(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
9459 		      u8 addr_type, s8 rssi, u8 *name, u8 name_len)
9460 {
9461 	struct mgmt_ev_device_found *ev;
9462 	char buf[sizeof(*ev) + HCI_MAX_NAME_LENGTH + 2];
9463 	u16 eir_len;
9464 
9465 	ev = (struct mgmt_ev_device_found *) buf;
9466 
9467 	memset(buf, 0, sizeof(buf));
9468 
9469 	bacpy(&ev->addr.bdaddr, bdaddr);
9470 	ev->addr.type = link_to_bdaddr(link_type, addr_type);
9471 	ev->rssi = rssi;
9472 
9473 	eir_len = eir_append_data(ev->eir, 0, EIR_NAME_COMPLETE, name,
9474 				  name_len);
9475 
9476 	ev->eir_len = cpu_to_le16(eir_len);
9477 
9478 	mgmt_event(MGMT_EV_DEVICE_FOUND, hdev, ev, sizeof(*ev) + eir_len, NULL);
9479 }
9480 
mgmt_discovering(struct hci_dev * hdev,u8 discovering)9481 void mgmt_discovering(struct hci_dev *hdev, u8 discovering)
9482 {
9483 	struct mgmt_ev_discovering ev;
9484 
9485 	bt_dev_dbg(hdev, "discovering %u", discovering);
9486 
9487 	memset(&ev, 0, sizeof(ev));
9488 	ev.type = hdev->discovery.type;
9489 	ev.discovering = discovering;
9490 
9491 	mgmt_event(MGMT_EV_DISCOVERING, hdev, &ev, sizeof(ev), NULL);
9492 }
9493 
mgmt_suspending(struct hci_dev * hdev,u8 state)9494 void mgmt_suspending(struct hci_dev *hdev, u8 state)
9495 {
9496 	struct mgmt_ev_controller_suspend ev;
9497 
9498 	ev.suspend_state = state;
9499 	mgmt_event(MGMT_EV_CONTROLLER_SUSPEND, hdev, &ev, sizeof(ev), NULL);
9500 }
9501 
mgmt_resuming(struct hci_dev * hdev,u8 reason,bdaddr_t * bdaddr,u8 addr_type)9502 void mgmt_resuming(struct hci_dev *hdev, u8 reason, bdaddr_t *bdaddr,
9503 		   u8 addr_type)
9504 {
9505 	struct mgmt_ev_controller_resume ev;
9506 
9507 	ev.wake_reason = reason;
9508 	if (bdaddr) {
9509 		bacpy(&ev.addr.bdaddr, bdaddr);
9510 		ev.addr.type = addr_type;
9511 	} else {
9512 		memset(&ev.addr, 0, sizeof(ev.addr));
9513 	}
9514 
9515 	mgmt_event(MGMT_EV_CONTROLLER_RESUME, hdev, &ev, sizeof(ev), NULL);
9516 }
9517 
9518 static struct hci_mgmt_chan chan = {
9519 	.channel	= HCI_CHANNEL_CONTROL,
9520 	.handler_count	= ARRAY_SIZE(mgmt_handlers),
9521 	.handlers	= mgmt_handlers,
9522 	.hdev_init	= mgmt_init_hdev,
9523 };
9524 
mgmt_init(void)9525 int mgmt_init(void)
9526 {
9527 	return hci_mgmt_chan_register(&chan);
9528 }
9529 
mgmt_exit(void)9530 void mgmt_exit(void)
9531 {
9532 	hci_mgmt_chan_unregister(&chan);
9533 }
9534