1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3 
4    Copyright (C) 2010  Nokia Corporation
5    Copyright (C) 2011-2012 Intel Corporation
6 
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License version 2 as
9    published by the Free Software Foundation;
10 
11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 
20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22    SOFTWARE IS DISCLAIMED.
23 */
24 
25 /* Bluetooth HCI Management interface */
26 
27 #include <linux/module.h>
28 #include <asm/unaligned.h>
29 
30 #include <net/bluetooth/bluetooth.h>
31 #include <net/bluetooth/hci_core.h>
32 #include <net/bluetooth/hci_sock.h>
33 #include <net/bluetooth/l2cap.h>
34 #include <net/bluetooth/mgmt.h>
35 
36 #include "hci_request.h"
37 #include "smp.h"
38 #include "mgmt_util.h"
39 #include "mgmt_config.h"
40 #include "msft.h"
41 #include "eir.h"
42 #include "aosp.h"
43 
44 #define MGMT_VERSION	1
45 #define MGMT_REVISION	22
46 
47 static const u16 mgmt_commands[] = {
48 	MGMT_OP_READ_INDEX_LIST,
49 	MGMT_OP_READ_INFO,
50 	MGMT_OP_SET_POWERED,
51 	MGMT_OP_SET_DISCOVERABLE,
52 	MGMT_OP_SET_CONNECTABLE,
53 	MGMT_OP_SET_FAST_CONNECTABLE,
54 	MGMT_OP_SET_BONDABLE,
55 	MGMT_OP_SET_LINK_SECURITY,
56 	MGMT_OP_SET_SSP,
57 	MGMT_OP_SET_HS,
58 	MGMT_OP_SET_LE,
59 	MGMT_OP_SET_DEV_CLASS,
60 	MGMT_OP_SET_LOCAL_NAME,
61 	MGMT_OP_ADD_UUID,
62 	MGMT_OP_REMOVE_UUID,
63 	MGMT_OP_LOAD_LINK_KEYS,
64 	MGMT_OP_LOAD_LONG_TERM_KEYS,
65 	MGMT_OP_DISCONNECT,
66 	MGMT_OP_GET_CONNECTIONS,
67 	MGMT_OP_PIN_CODE_REPLY,
68 	MGMT_OP_PIN_CODE_NEG_REPLY,
69 	MGMT_OP_SET_IO_CAPABILITY,
70 	MGMT_OP_PAIR_DEVICE,
71 	MGMT_OP_CANCEL_PAIR_DEVICE,
72 	MGMT_OP_UNPAIR_DEVICE,
73 	MGMT_OP_USER_CONFIRM_REPLY,
74 	MGMT_OP_USER_CONFIRM_NEG_REPLY,
75 	MGMT_OP_USER_PASSKEY_REPLY,
76 	MGMT_OP_USER_PASSKEY_NEG_REPLY,
77 	MGMT_OP_READ_LOCAL_OOB_DATA,
78 	MGMT_OP_ADD_REMOTE_OOB_DATA,
79 	MGMT_OP_REMOVE_REMOTE_OOB_DATA,
80 	MGMT_OP_START_DISCOVERY,
81 	MGMT_OP_STOP_DISCOVERY,
82 	MGMT_OP_CONFIRM_NAME,
83 	MGMT_OP_BLOCK_DEVICE,
84 	MGMT_OP_UNBLOCK_DEVICE,
85 	MGMT_OP_SET_DEVICE_ID,
86 	MGMT_OP_SET_ADVERTISING,
87 	MGMT_OP_SET_BREDR,
88 	MGMT_OP_SET_STATIC_ADDRESS,
89 	MGMT_OP_SET_SCAN_PARAMS,
90 	MGMT_OP_SET_SECURE_CONN,
91 	MGMT_OP_SET_DEBUG_KEYS,
92 	MGMT_OP_SET_PRIVACY,
93 	MGMT_OP_LOAD_IRKS,
94 	MGMT_OP_GET_CONN_INFO,
95 	MGMT_OP_GET_CLOCK_INFO,
96 	MGMT_OP_ADD_DEVICE,
97 	MGMT_OP_REMOVE_DEVICE,
98 	MGMT_OP_LOAD_CONN_PARAM,
99 	MGMT_OP_READ_UNCONF_INDEX_LIST,
100 	MGMT_OP_READ_CONFIG_INFO,
101 	MGMT_OP_SET_EXTERNAL_CONFIG,
102 	MGMT_OP_SET_PUBLIC_ADDRESS,
103 	MGMT_OP_START_SERVICE_DISCOVERY,
104 	MGMT_OP_READ_LOCAL_OOB_EXT_DATA,
105 	MGMT_OP_READ_EXT_INDEX_LIST,
106 	MGMT_OP_READ_ADV_FEATURES,
107 	MGMT_OP_ADD_ADVERTISING,
108 	MGMT_OP_REMOVE_ADVERTISING,
109 	MGMT_OP_GET_ADV_SIZE_INFO,
110 	MGMT_OP_START_LIMITED_DISCOVERY,
111 	MGMT_OP_READ_EXT_INFO,
112 	MGMT_OP_SET_APPEARANCE,
113 	MGMT_OP_GET_PHY_CONFIGURATION,
114 	MGMT_OP_SET_PHY_CONFIGURATION,
115 	MGMT_OP_SET_BLOCKED_KEYS,
116 	MGMT_OP_SET_WIDEBAND_SPEECH,
117 	MGMT_OP_READ_CONTROLLER_CAP,
118 	MGMT_OP_READ_EXP_FEATURES_INFO,
119 	MGMT_OP_SET_EXP_FEATURE,
120 	MGMT_OP_READ_DEF_SYSTEM_CONFIG,
121 	MGMT_OP_SET_DEF_SYSTEM_CONFIG,
122 	MGMT_OP_READ_DEF_RUNTIME_CONFIG,
123 	MGMT_OP_SET_DEF_RUNTIME_CONFIG,
124 	MGMT_OP_GET_DEVICE_FLAGS,
125 	MGMT_OP_SET_DEVICE_FLAGS,
126 	MGMT_OP_READ_ADV_MONITOR_FEATURES,
127 	MGMT_OP_ADD_ADV_PATTERNS_MONITOR,
128 	MGMT_OP_REMOVE_ADV_MONITOR,
129 	MGMT_OP_ADD_EXT_ADV_PARAMS,
130 	MGMT_OP_ADD_EXT_ADV_DATA,
131 	MGMT_OP_ADD_ADV_PATTERNS_MONITOR_RSSI,
132 	MGMT_OP_SET_MESH_RECEIVER,
133 	MGMT_OP_MESH_READ_FEATURES,
134 	MGMT_OP_MESH_SEND,
135 	MGMT_OP_MESH_SEND_CANCEL,
136 };
137 
138 static const u16 mgmt_events[] = {
139 	MGMT_EV_CONTROLLER_ERROR,
140 	MGMT_EV_INDEX_ADDED,
141 	MGMT_EV_INDEX_REMOVED,
142 	MGMT_EV_NEW_SETTINGS,
143 	MGMT_EV_CLASS_OF_DEV_CHANGED,
144 	MGMT_EV_LOCAL_NAME_CHANGED,
145 	MGMT_EV_NEW_LINK_KEY,
146 	MGMT_EV_NEW_LONG_TERM_KEY,
147 	MGMT_EV_DEVICE_CONNECTED,
148 	MGMT_EV_DEVICE_DISCONNECTED,
149 	MGMT_EV_CONNECT_FAILED,
150 	MGMT_EV_PIN_CODE_REQUEST,
151 	MGMT_EV_USER_CONFIRM_REQUEST,
152 	MGMT_EV_USER_PASSKEY_REQUEST,
153 	MGMT_EV_AUTH_FAILED,
154 	MGMT_EV_DEVICE_FOUND,
155 	MGMT_EV_DISCOVERING,
156 	MGMT_EV_DEVICE_BLOCKED,
157 	MGMT_EV_DEVICE_UNBLOCKED,
158 	MGMT_EV_DEVICE_UNPAIRED,
159 	MGMT_EV_PASSKEY_NOTIFY,
160 	MGMT_EV_NEW_IRK,
161 	MGMT_EV_NEW_CSRK,
162 	MGMT_EV_DEVICE_ADDED,
163 	MGMT_EV_DEVICE_REMOVED,
164 	MGMT_EV_NEW_CONN_PARAM,
165 	MGMT_EV_UNCONF_INDEX_ADDED,
166 	MGMT_EV_UNCONF_INDEX_REMOVED,
167 	MGMT_EV_NEW_CONFIG_OPTIONS,
168 	MGMT_EV_EXT_INDEX_ADDED,
169 	MGMT_EV_EXT_INDEX_REMOVED,
170 	MGMT_EV_LOCAL_OOB_DATA_UPDATED,
171 	MGMT_EV_ADVERTISING_ADDED,
172 	MGMT_EV_ADVERTISING_REMOVED,
173 	MGMT_EV_EXT_INFO_CHANGED,
174 	MGMT_EV_PHY_CONFIGURATION_CHANGED,
175 	MGMT_EV_EXP_FEATURE_CHANGED,
176 	MGMT_EV_DEVICE_FLAGS_CHANGED,
177 	MGMT_EV_ADV_MONITOR_ADDED,
178 	MGMT_EV_ADV_MONITOR_REMOVED,
179 	MGMT_EV_CONTROLLER_SUSPEND,
180 	MGMT_EV_CONTROLLER_RESUME,
181 	MGMT_EV_ADV_MONITOR_DEVICE_FOUND,
182 	MGMT_EV_ADV_MONITOR_DEVICE_LOST,
183 };
184 
185 static const u16 mgmt_untrusted_commands[] = {
186 	MGMT_OP_READ_INDEX_LIST,
187 	MGMT_OP_READ_INFO,
188 	MGMT_OP_READ_UNCONF_INDEX_LIST,
189 	MGMT_OP_READ_CONFIG_INFO,
190 	MGMT_OP_READ_EXT_INDEX_LIST,
191 	MGMT_OP_READ_EXT_INFO,
192 	MGMT_OP_READ_CONTROLLER_CAP,
193 	MGMT_OP_READ_EXP_FEATURES_INFO,
194 	MGMT_OP_READ_DEF_SYSTEM_CONFIG,
195 	MGMT_OP_READ_DEF_RUNTIME_CONFIG,
196 };
197 
198 static const u16 mgmt_untrusted_events[] = {
199 	MGMT_EV_INDEX_ADDED,
200 	MGMT_EV_INDEX_REMOVED,
201 	MGMT_EV_NEW_SETTINGS,
202 	MGMT_EV_CLASS_OF_DEV_CHANGED,
203 	MGMT_EV_LOCAL_NAME_CHANGED,
204 	MGMT_EV_UNCONF_INDEX_ADDED,
205 	MGMT_EV_UNCONF_INDEX_REMOVED,
206 	MGMT_EV_NEW_CONFIG_OPTIONS,
207 	MGMT_EV_EXT_INDEX_ADDED,
208 	MGMT_EV_EXT_INDEX_REMOVED,
209 	MGMT_EV_EXT_INFO_CHANGED,
210 	MGMT_EV_EXP_FEATURE_CHANGED,
211 };
212 
213 #define CACHE_TIMEOUT	msecs_to_jiffies(2 * 1000)
214 
215 #define ZERO_KEY "\x00\x00\x00\x00\x00\x00\x00\x00" \
216 		 "\x00\x00\x00\x00\x00\x00\x00\x00"
217 
218 /* HCI to MGMT error code conversion table */
219 static const u8 mgmt_status_table[] = {
220 	MGMT_STATUS_SUCCESS,
221 	MGMT_STATUS_UNKNOWN_COMMAND,	/* Unknown Command */
222 	MGMT_STATUS_NOT_CONNECTED,	/* No Connection */
223 	MGMT_STATUS_FAILED,		/* Hardware Failure */
224 	MGMT_STATUS_CONNECT_FAILED,	/* Page Timeout */
225 	MGMT_STATUS_AUTH_FAILED,	/* Authentication Failed */
226 	MGMT_STATUS_AUTH_FAILED,	/* PIN or Key Missing */
227 	MGMT_STATUS_NO_RESOURCES,	/* Memory Full */
228 	MGMT_STATUS_TIMEOUT,		/* Connection Timeout */
229 	MGMT_STATUS_NO_RESOURCES,	/* Max Number of Connections */
230 	MGMT_STATUS_NO_RESOURCES,	/* Max Number of SCO Connections */
231 	MGMT_STATUS_ALREADY_CONNECTED,	/* ACL Connection Exists */
232 	MGMT_STATUS_BUSY,		/* Command Disallowed */
233 	MGMT_STATUS_NO_RESOURCES,	/* Rejected Limited Resources */
234 	MGMT_STATUS_REJECTED,		/* Rejected Security */
235 	MGMT_STATUS_REJECTED,		/* Rejected Personal */
236 	MGMT_STATUS_TIMEOUT,		/* Host Timeout */
237 	MGMT_STATUS_NOT_SUPPORTED,	/* Unsupported Feature */
238 	MGMT_STATUS_INVALID_PARAMS,	/* Invalid Parameters */
239 	MGMT_STATUS_DISCONNECTED,	/* OE User Ended Connection */
240 	MGMT_STATUS_NO_RESOURCES,	/* OE Low Resources */
241 	MGMT_STATUS_DISCONNECTED,	/* OE Power Off */
242 	MGMT_STATUS_DISCONNECTED,	/* Connection Terminated */
243 	MGMT_STATUS_BUSY,		/* Repeated Attempts */
244 	MGMT_STATUS_REJECTED,		/* Pairing Not Allowed */
245 	MGMT_STATUS_FAILED,		/* Unknown LMP PDU */
246 	MGMT_STATUS_NOT_SUPPORTED,	/* Unsupported Remote Feature */
247 	MGMT_STATUS_REJECTED,		/* SCO Offset Rejected */
248 	MGMT_STATUS_REJECTED,		/* SCO Interval Rejected */
249 	MGMT_STATUS_REJECTED,		/* Air Mode Rejected */
250 	MGMT_STATUS_INVALID_PARAMS,	/* Invalid LMP Parameters */
251 	MGMT_STATUS_FAILED,		/* Unspecified Error */
252 	MGMT_STATUS_NOT_SUPPORTED,	/* Unsupported LMP Parameter Value */
253 	MGMT_STATUS_FAILED,		/* Role Change Not Allowed */
254 	MGMT_STATUS_TIMEOUT,		/* LMP Response Timeout */
255 	MGMT_STATUS_FAILED,		/* LMP Error Transaction Collision */
256 	MGMT_STATUS_FAILED,		/* LMP PDU Not Allowed */
257 	MGMT_STATUS_REJECTED,		/* Encryption Mode Not Accepted */
258 	MGMT_STATUS_FAILED,		/* Unit Link Key Used */
259 	MGMT_STATUS_NOT_SUPPORTED,	/* QoS Not Supported */
260 	MGMT_STATUS_TIMEOUT,		/* Instant Passed */
261 	MGMT_STATUS_NOT_SUPPORTED,	/* Pairing Not Supported */
262 	MGMT_STATUS_FAILED,		/* Transaction Collision */
263 	MGMT_STATUS_FAILED,		/* Reserved for future use */
264 	MGMT_STATUS_INVALID_PARAMS,	/* Unacceptable Parameter */
265 	MGMT_STATUS_REJECTED,		/* QoS Rejected */
266 	MGMT_STATUS_NOT_SUPPORTED,	/* Classification Not Supported */
267 	MGMT_STATUS_REJECTED,		/* Insufficient Security */
268 	MGMT_STATUS_INVALID_PARAMS,	/* Parameter Out Of Range */
269 	MGMT_STATUS_FAILED,		/* Reserved for future use */
270 	MGMT_STATUS_BUSY,		/* Role Switch Pending */
271 	MGMT_STATUS_FAILED,		/* Reserved for future use */
272 	MGMT_STATUS_FAILED,		/* Slot Violation */
273 	MGMT_STATUS_FAILED,		/* Role Switch Failed */
274 	MGMT_STATUS_INVALID_PARAMS,	/* EIR Too Large */
275 	MGMT_STATUS_NOT_SUPPORTED,	/* Simple Pairing Not Supported */
276 	MGMT_STATUS_BUSY,		/* Host Busy Pairing */
277 	MGMT_STATUS_REJECTED,		/* Rejected, No Suitable Channel */
278 	MGMT_STATUS_BUSY,		/* Controller Busy */
279 	MGMT_STATUS_INVALID_PARAMS,	/* Unsuitable Connection Interval */
280 	MGMT_STATUS_TIMEOUT,		/* Directed Advertising Timeout */
281 	MGMT_STATUS_AUTH_FAILED,	/* Terminated Due to MIC Failure */
282 	MGMT_STATUS_CONNECT_FAILED,	/* Connection Establishment Failed */
283 	MGMT_STATUS_CONNECT_FAILED,	/* MAC Connection Failed */
284 };
285 
mgmt_errno_status(int err)286 static u8 mgmt_errno_status(int err)
287 {
288 	switch (err) {
289 	case 0:
290 		return MGMT_STATUS_SUCCESS;
291 	case -EPERM:
292 		return MGMT_STATUS_REJECTED;
293 	case -EINVAL:
294 		return MGMT_STATUS_INVALID_PARAMS;
295 	case -EOPNOTSUPP:
296 		return MGMT_STATUS_NOT_SUPPORTED;
297 	case -EBUSY:
298 		return MGMT_STATUS_BUSY;
299 	case -ETIMEDOUT:
300 		return MGMT_STATUS_AUTH_FAILED;
301 	case -ENOMEM:
302 		return MGMT_STATUS_NO_RESOURCES;
303 	case -EISCONN:
304 		return MGMT_STATUS_ALREADY_CONNECTED;
305 	case -ENOTCONN:
306 		return MGMT_STATUS_DISCONNECTED;
307 	}
308 
309 	return MGMT_STATUS_FAILED;
310 }
311 
mgmt_status(int err)312 static u8 mgmt_status(int err)
313 {
314 	if (err < 0)
315 		return mgmt_errno_status(err);
316 
317 	if (err < ARRAY_SIZE(mgmt_status_table))
318 		return mgmt_status_table[err];
319 
320 	return MGMT_STATUS_FAILED;
321 }
322 
mgmt_index_event(u16 event,struct hci_dev * hdev,void * data,u16 len,int flag)323 static int mgmt_index_event(u16 event, struct hci_dev *hdev, void *data,
324 			    u16 len, int flag)
325 {
326 	return mgmt_send_event(event, hdev, HCI_CHANNEL_CONTROL, data, len,
327 			       flag, NULL);
328 }
329 
mgmt_limited_event(u16 event,struct hci_dev * hdev,void * data,u16 len,int flag,struct sock * skip_sk)330 static int mgmt_limited_event(u16 event, struct hci_dev *hdev, void *data,
331 			      u16 len, int flag, struct sock *skip_sk)
332 {
333 	return mgmt_send_event(event, hdev, HCI_CHANNEL_CONTROL, data, len,
334 			       flag, skip_sk);
335 }
336 
mgmt_event(u16 event,struct hci_dev * hdev,void * data,u16 len,struct sock * skip_sk)337 static int mgmt_event(u16 event, struct hci_dev *hdev, void *data, u16 len,
338 		      struct sock *skip_sk)
339 {
340 	return mgmt_send_event(event, hdev, HCI_CHANNEL_CONTROL, data, len,
341 			       HCI_SOCK_TRUSTED, skip_sk);
342 }
343 
mgmt_event_skb(struct sk_buff * skb,struct sock * skip_sk)344 static int mgmt_event_skb(struct sk_buff *skb, struct sock *skip_sk)
345 {
346 	return mgmt_send_event_skb(HCI_CHANNEL_CONTROL, skb, HCI_SOCK_TRUSTED,
347 				   skip_sk);
348 }
349 
le_addr_type(u8 mgmt_addr_type)350 static u8 le_addr_type(u8 mgmt_addr_type)
351 {
352 	if (mgmt_addr_type == BDADDR_LE_PUBLIC)
353 		return ADDR_LE_DEV_PUBLIC;
354 	else
355 		return ADDR_LE_DEV_RANDOM;
356 }
357 
mgmt_fill_version_info(void * ver)358 void mgmt_fill_version_info(void *ver)
359 {
360 	struct mgmt_rp_read_version *rp = ver;
361 
362 	rp->version = MGMT_VERSION;
363 	rp->revision = cpu_to_le16(MGMT_REVISION);
364 }
365 
read_version(struct sock * sk,struct hci_dev * hdev,void * data,u16 data_len)366 static int read_version(struct sock *sk, struct hci_dev *hdev, void *data,
367 			u16 data_len)
368 {
369 	struct mgmt_rp_read_version rp;
370 
371 	bt_dev_dbg(hdev, "sock %p", sk);
372 
373 	mgmt_fill_version_info(&rp);
374 
375 	return mgmt_cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_VERSION, 0,
376 				 &rp, sizeof(rp));
377 }
378 
read_commands(struct sock * sk,struct hci_dev * hdev,void * data,u16 data_len)379 static int read_commands(struct sock *sk, struct hci_dev *hdev, void *data,
380 			 u16 data_len)
381 {
382 	struct mgmt_rp_read_commands *rp;
383 	u16 num_commands, num_events;
384 	size_t rp_size;
385 	int i, err;
386 
387 	bt_dev_dbg(hdev, "sock %p", sk);
388 
389 	if (hci_sock_test_flag(sk, HCI_SOCK_TRUSTED)) {
390 		num_commands = ARRAY_SIZE(mgmt_commands);
391 		num_events = ARRAY_SIZE(mgmt_events);
392 	} else {
393 		num_commands = ARRAY_SIZE(mgmt_untrusted_commands);
394 		num_events = ARRAY_SIZE(mgmt_untrusted_events);
395 	}
396 
397 	rp_size = sizeof(*rp) + ((num_commands + num_events) * sizeof(u16));
398 
399 	rp = kmalloc(rp_size, GFP_KERNEL);
400 	if (!rp)
401 		return -ENOMEM;
402 
403 	rp->num_commands = cpu_to_le16(num_commands);
404 	rp->num_events = cpu_to_le16(num_events);
405 
406 	if (hci_sock_test_flag(sk, HCI_SOCK_TRUSTED)) {
407 		__le16 *opcode = rp->opcodes;
408 
409 		for (i = 0; i < num_commands; i++, opcode++)
410 			put_unaligned_le16(mgmt_commands[i], opcode);
411 
412 		for (i = 0; i < num_events; i++, opcode++)
413 			put_unaligned_le16(mgmt_events[i], opcode);
414 	} else {
415 		__le16 *opcode = rp->opcodes;
416 
417 		for (i = 0; i < num_commands; i++, opcode++)
418 			put_unaligned_le16(mgmt_untrusted_commands[i], opcode);
419 
420 		for (i = 0; i < num_events; i++, opcode++)
421 			put_unaligned_le16(mgmt_untrusted_events[i], opcode);
422 	}
423 
424 	err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_COMMANDS, 0,
425 				rp, rp_size);
426 	kfree(rp);
427 
428 	return err;
429 }
430 
read_index_list(struct sock * sk,struct hci_dev * hdev,void * data,u16 data_len)431 static int read_index_list(struct sock *sk, struct hci_dev *hdev, void *data,
432 			   u16 data_len)
433 {
434 	struct mgmt_rp_read_index_list *rp;
435 	struct hci_dev *d;
436 	size_t rp_len;
437 	u16 count;
438 	int err;
439 
440 	bt_dev_dbg(hdev, "sock %p", sk);
441 
442 	read_lock(&hci_dev_list_lock);
443 
444 	count = 0;
445 	list_for_each_entry(d, &hci_dev_list, list) {
446 		if (d->dev_type == HCI_PRIMARY &&
447 		    !hci_dev_test_flag(d, HCI_UNCONFIGURED))
448 			count++;
449 	}
450 
451 	rp_len = sizeof(*rp) + (2 * count);
452 	rp = kmalloc(rp_len, GFP_ATOMIC);
453 	if (!rp) {
454 		read_unlock(&hci_dev_list_lock);
455 		return -ENOMEM;
456 	}
457 
458 	count = 0;
459 	list_for_each_entry(d, &hci_dev_list, list) {
460 		if (hci_dev_test_flag(d, HCI_SETUP) ||
461 		    hci_dev_test_flag(d, HCI_CONFIG) ||
462 		    hci_dev_test_flag(d, HCI_USER_CHANNEL))
463 			continue;
464 
465 		/* Devices marked as raw-only are neither configured
466 		 * nor unconfigured controllers.
467 		 */
468 		if (test_bit(HCI_QUIRK_RAW_DEVICE, &d->quirks))
469 			continue;
470 
471 		if (d->dev_type == HCI_PRIMARY &&
472 		    !hci_dev_test_flag(d, HCI_UNCONFIGURED)) {
473 			rp->index[count++] = cpu_to_le16(d->id);
474 			bt_dev_dbg(hdev, "Added hci%u", d->id);
475 		}
476 	}
477 
478 	rp->num_controllers = cpu_to_le16(count);
479 	rp_len = sizeof(*rp) + (2 * count);
480 
481 	read_unlock(&hci_dev_list_lock);
482 
483 	err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_INDEX_LIST,
484 				0, rp, rp_len);
485 
486 	kfree(rp);
487 
488 	return err;
489 }
490 
read_unconf_index_list(struct sock * sk,struct hci_dev * hdev,void * data,u16 data_len)491 static int read_unconf_index_list(struct sock *sk, struct hci_dev *hdev,
492 				  void *data, u16 data_len)
493 {
494 	struct mgmt_rp_read_unconf_index_list *rp;
495 	struct hci_dev *d;
496 	size_t rp_len;
497 	u16 count;
498 	int err;
499 
500 	bt_dev_dbg(hdev, "sock %p", sk);
501 
502 	read_lock(&hci_dev_list_lock);
503 
504 	count = 0;
505 	list_for_each_entry(d, &hci_dev_list, list) {
506 		if (d->dev_type == HCI_PRIMARY &&
507 		    hci_dev_test_flag(d, HCI_UNCONFIGURED))
508 			count++;
509 	}
510 
511 	rp_len = sizeof(*rp) + (2 * count);
512 	rp = kmalloc(rp_len, GFP_ATOMIC);
513 	if (!rp) {
514 		read_unlock(&hci_dev_list_lock);
515 		return -ENOMEM;
516 	}
517 
518 	count = 0;
519 	list_for_each_entry(d, &hci_dev_list, list) {
520 		if (hci_dev_test_flag(d, HCI_SETUP) ||
521 		    hci_dev_test_flag(d, HCI_CONFIG) ||
522 		    hci_dev_test_flag(d, HCI_USER_CHANNEL))
523 			continue;
524 
525 		/* Devices marked as raw-only are neither configured
526 		 * nor unconfigured controllers.
527 		 */
528 		if (test_bit(HCI_QUIRK_RAW_DEVICE, &d->quirks))
529 			continue;
530 
531 		if (d->dev_type == HCI_PRIMARY &&
532 		    hci_dev_test_flag(d, HCI_UNCONFIGURED)) {
533 			rp->index[count++] = cpu_to_le16(d->id);
534 			bt_dev_dbg(hdev, "Added hci%u", d->id);
535 		}
536 	}
537 
538 	rp->num_controllers = cpu_to_le16(count);
539 	rp_len = sizeof(*rp) + (2 * count);
540 
541 	read_unlock(&hci_dev_list_lock);
542 
543 	err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE,
544 				MGMT_OP_READ_UNCONF_INDEX_LIST, 0, rp, rp_len);
545 
546 	kfree(rp);
547 
548 	return err;
549 }
550 
read_ext_index_list(struct sock * sk,struct hci_dev * hdev,void * data,u16 data_len)551 static int read_ext_index_list(struct sock *sk, struct hci_dev *hdev,
552 			       void *data, u16 data_len)
553 {
554 	struct mgmt_rp_read_ext_index_list *rp;
555 	struct hci_dev *d;
556 	u16 count;
557 	int err;
558 
559 	bt_dev_dbg(hdev, "sock %p", sk);
560 
561 	read_lock(&hci_dev_list_lock);
562 
563 	count = 0;
564 	list_for_each_entry(d, &hci_dev_list, list) {
565 		if (d->dev_type == HCI_PRIMARY || d->dev_type == HCI_AMP)
566 			count++;
567 	}
568 
569 	rp = kmalloc(struct_size(rp, entry, count), GFP_ATOMIC);
570 	if (!rp) {
571 		read_unlock(&hci_dev_list_lock);
572 		return -ENOMEM;
573 	}
574 
575 	count = 0;
576 	list_for_each_entry(d, &hci_dev_list, list) {
577 		if (hci_dev_test_flag(d, HCI_SETUP) ||
578 		    hci_dev_test_flag(d, HCI_CONFIG) ||
579 		    hci_dev_test_flag(d, HCI_USER_CHANNEL))
580 			continue;
581 
582 		/* Devices marked as raw-only are neither configured
583 		 * nor unconfigured controllers.
584 		 */
585 		if (test_bit(HCI_QUIRK_RAW_DEVICE, &d->quirks))
586 			continue;
587 
588 		if (d->dev_type == HCI_PRIMARY) {
589 			if (hci_dev_test_flag(d, HCI_UNCONFIGURED))
590 				rp->entry[count].type = 0x01;
591 			else
592 				rp->entry[count].type = 0x00;
593 		} else if (d->dev_type == HCI_AMP) {
594 			rp->entry[count].type = 0x02;
595 		} else {
596 			continue;
597 		}
598 
599 		rp->entry[count].bus = d->bus;
600 		rp->entry[count++].index = cpu_to_le16(d->id);
601 		bt_dev_dbg(hdev, "Added hci%u", d->id);
602 	}
603 
604 	rp->num_controllers = cpu_to_le16(count);
605 
606 	read_unlock(&hci_dev_list_lock);
607 
608 	/* If this command is called at least once, then all the
609 	 * default index and unconfigured index events are disabled
610 	 * and from now on only extended index events are used.
611 	 */
612 	hci_sock_set_flag(sk, HCI_MGMT_EXT_INDEX_EVENTS);
613 	hci_sock_clear_flag(sk, HCI_MGMT_INDEX_EVENTS);
614 	hci_sock_clear_flag(sk, HCI_MGMT_UNCONF_INDEX_EVENTS);
615 
616 	err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE,
617 				MGMT_OP_READ_EXT_INDEX_LIST, 0, rp,
618 				struct_size(rp, entry, count));
619 
620 	kfree(rp);
621 
622 	return err;
623 }
624 
is_configured(struct hci_dev * hdev)625 static bool is_configured(struct hci_dev *hdev)
626 {
627 	if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) &&
628 	    !hci_dev_test_flag(hdev, HCI_EXT_CONFIGURED))
629 		return false;
630 
631 	if ((test_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks) ||
632 	     test_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks)) &&
633 	    !bacmp(&hdev->public_addr, BDADDR_ANY))
634 		return false;
635 
636 	return true;
637 }
638 
get_missing_options(struct hci_dev * hdev)639 static __le32 get_missing_options(struct hci_dev *hdev)
640 {
641 	u32 options = 0;
642 
643 	if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) &&
644 	    !hci_dev_test_flag(hdev, HCI_EXT_CONFIGURED))
645 		options |= MGMT_OPTION_EXTERNAL_CONFIG;
646 
647 	if ((test_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks) ||
648 	     test_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks)) &&
649 	    !bacmp(&hdev->public_addr, BDADDR_ANY))
650 		options |= MGMT_OPTION_PUBLIC_ADDRESS;
651 
652 	return cpu_to_le32(options);
653 }
654 
new_options(struct hci_dev * hdev,struct sock * skip)655 static int new_options(struct hci_dev *hdev, struct sock *skip)
656 {
657 	__le32 options = get_missing_options(hdev);
658 
659 	return mgmt_limited_event(MGMT_EV_NEW_CONFIG_OPTIONS, hdev, &options,
660 				  sizeof(options), HCI_MGMT_OPTION_EVENTS, skip);
661 }
662 
send_options_rsp(struct sock * sk,u16 opcode,struct hci_dev * hdev)663 static int send_options_rsp(struct sock *sk, u16 opcode, struct hci_dev *hdev)
664 {
665 	__le32 options = get_missing_options(hdev);
666 
667 	return mgmt_cmd_complete(sk, hdev->id, opcode, 0, &options,
668 				 sizeof(options));
669 }
670 
read_config_info(struct sock * sk,struct hci_dev * hdev,void * data,u16 data_len)671 static int read_config_info(struct sock *sk, struct hci_dev *hdev,
672 			    void *data, u16 data_len)
673 {
674 	struct mgmt_rp_read_config_info rp;
675 	u32 options = 0;
676 
677 	bt_dev_dbg(hdev, "sock %p", sk);
678 
679 	hci_dev_lock(hdev);
680 
681 	memset(&rp, 0, sizeof(rp));
682 	rp.manufacturer = cpu_to_le16(hdev->manufacturer);
683 
684 	if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks))
685 		options |= MGMT_OPTION_EXTERNAL_CONFIG;
686 
687 	if (hdev->set_bdaddr)
688 		options |= MGMT_OPTION_PUBLIC_ADDRESS;
689 
690 	rp.supported_options = cpu_to_le32(options);
691 	rp.missing_options = get_missing_options(hdev);
692 
693 	hci_dev_unlock(hdev);
694 
695 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_CONFIG_INFO, 0,
696 				 &rp, sizeof(rp));
697 }
698 
get_supported_phys(struct hci_dev * hdev)699 static u32 get_supported_phys(struct hci_dev *hdev)
700 {
701 	u32 supported_phys = 0;
702 
703 	if (lmp_bredr_capable(hdev)) {
704 		supported_phys |= MGMT_PHY_BR_1M_1SLOT;
705 
706 		if (hdev->features[0][0] & LMP_3SLOT)
707 			supported_phys |= MGMT_PHY_BR_1M_3SLOT;
708 
709 		if (hdev->features[0][0] & LMP_5SLOT)
710 			supported_phys |= MGMT_PHY_BR_1M_5SLOT;
711 
712 		if (lmp_edr_2m_capable(hdev)) {
713 			supported_phys |= MGMT_PHY_EDR_2M_1SLOT;
714 
715 			if (lmp_edr_3slot_capable(hdev))
716 				supported_phys |= MGMT_PHY_EDR_2M_3SLOT;
717 
718 			if (lmp_edr_5slot_capable(hdev))
719 				supported_phys |= MGMT_PHY_EDR_2M_5SLOT;
720 
721 			if (lmp_edr_3m_capable(hdev)) {
722 				supported_phys |= MGMT_PHY_EDR_3M_1SLOT;
723 
724 				if (lmp_edr_3slot_capable(hdev))
725 					supported_phys |= MGMT_PHY_EDR_3M_3SLOT;
726 
727 				if (lmp_edr_5slot_capable(hdev))
728 					supported_phys |= MGMT_PHY_EDR_3M_5SLOT;
729 			}
730 		}
731 	}
732 
733 	if (lmp_le_capable(hdev)) {
734 		supported_phys |= MGMT_PHY_LE_1M_TX;
735 		supported_phys |= MGMT_PHY_LE_1M_RX;
736 
737 		if (hdev->le_features[1] & HCI_LE_PHY_2M) {
738 			supported_phys |= MGMT_PHY_LE_2M_TX;
739 			supported_phys |= MGMT_PHY_LE_2M_RX;
740 		}
741 
742 		if (hdev->le_features[1] & HCI_LE_PHY_CODED) {
743 			supported_phys |= MGMT_PHY_LE_CODED_TX;
744 			supported_phys |= MGMT_PHY_LE_CODED_RX;
745 		}
746 	}
747 
748 	return supported_phys;
749 }
750 
get_selected_phys(struct hci_dev * hdev)751 static u32 get_selected_phys(struct hci_dev *hdev)
752 {
753 	u32 selected_phys = 0;
754 
755 	if (lmp_bredr_capable(hdev)) {
756 		selected_phys |= MGMT_PHY_BR_1M_1SLOT;
757 
758 		if (hdev->pkt_type & (HCI_DM3 | HCI_DH3))
759 			selected_phys |= MGMT_PHY_BR_1M_3SLOT;
760 
761 		if (hdev->pkt_type & (HCI_DM5 | HCI_DH5))
762 			selected_phys |= MGMT_PHY_BR_1M_5SLOT;
763 
764 		if (lmp_edr_2m_capable(hdev)) {
765 			if (!(hdev->pkt_type & HCI_2DH1))
766 				selected_phys |= MGMT_PHY_EDR_2M_1SLOT;
767 
768 			if (lmp_edr_3slot_capable(hdev) &&
769 			    !(hdev->pkt_type & HCI_2DH3))
770 				selected_phys |= MGMT_PHY_EDR_2M_3SLOT;
771 
772 			if (lmp_edr_5slot_capable(hdev) &&
773 			    !(hdev->pkt_type & HCI_2DH5))
774 				selected_phys |= MGMT_PHY_EDR_2M_5SLOT;
775 
776 			if (lmp_edr_3m_capable(hdev)) {
777 				if (!(hdev->pkt_type & HCI_3DH1))
778 					selected_phys |= MGMT_PHY_EDR_3M_1SLOT;
779 
780 				if (lmp_edr_3slot_capable(hdev) &&
781 				    !(hdev->pkt_type & HCI_3DH3))
782 					selected_phys |= MGMT_PHY_EDR_3M_3SLOT;
783 
784 				if (lmp_edr_5slot_capable(hdev) &&
785 				    !(hdev->pkt_type & HCI_3DH5))
786 					selected_phys |= MGMT_PHY_EDR_3M_5SLOT;
787 			}
788 		}
789 	}
790 
791 	if (lmp_le_capable(hdev)) {
792 		if (hdev->le_tx_def_phys & HCI_LE_SET_PHY_1M)
793 			selected_phys |= MGMT_PHY_LE_1M_TX;
794 
795 		if (hdev->le_rx_def_phys & HCI_LE_SET_PHY_1M)
796 			selected_phys |= MGMT_PHY_LE_1M_RX;
797 
798 		if (hdev->le_tx_def_phys & HCI_LE_SET_PHY_2M)
799 			selected_phys |= MGMT_PHY_LE_2M_TX;
800 
801 		if (hdev->le_rx_def_phys & HCI_LE_SET_PHY_2M)
802 			selected_phys |= MGMT_PHY_LE_2M_RX;
803 
804 		if (hdev->le_tx_def_phys & HCI_LE_SET_PHY_CODED)
805 			selected_phys |= MGMT_PHY_LE_CODED_TX;
806 
807 		if (hdev->le_rx_def_phys & HCI_LE_SET_PHY_CODED)
808 			selected_phys |= MGMT_PHY_LE_CODED_RX;
809 	}
810 
811 	return selected_phys;
812 }
813 
get_configurable_phys(struct hci_dev * hdev)814 static u32 get_configurable_phys(struct hci_dev *hdev)
815 {
816 	return (get_supported_phys(hdev) & ~MGMT_PHY_BR_1M_1SLOT &
817 		~MGMT_PHY_LE_1M_TX & ~MGMT_PHY_LE_1M_RX);
818 }
819 
get_supported_settings(struct hci_dev * hdev)820 static u32 get_supported_settings(struct hci_dev *hdev)
821 {
822 	u32 settings = 0;
823 
824 	settings |= MGMT_SETTING_POWERED;
825 	settings |= MGMT_SETTING_BONDABLE;
826 	settings |= MGMT_SETTING_DEBUG_KEYS;
827 	settings |= MGMT_SETTING_CONNECTABLE;
828 	settings |= MGMT_SETTING_DISCOVERABLE;
829 
830 	if (lmp_bredr_capable(hdev)) {
831 		if (hdev->hci_ver >= BLUETOOTH_VER_1_2)
832 			settings |= MGMT_SETTING_FAST_CONNECTABLE;
833 		settings |= MGMT_SETTING_BREDR;
834 		settings |= MGMT_SETTING_LINK_SECURITY;
835 
836 		if (lmp_ssp_capable(hdev)) {
837 			settings |= MGMT_SETTING_SSP;
838 			if (IS_ENABLED(CONFIG_BT_HS))
839 				settings |= MGMT_SETTING_HS;
840 		}
841 
842 		if (lmp_sc_capable(hdev))
843 			settings |= MGMT_SETTING_SECURE_CONN;
844 
845 		if (test_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED,
846 			     &hdev->quirks))
847 			settings |= MGMT_SETTING_WIDEBAND_SPEECH;
848 	}
849 
850 	if (lmp_le_capable(hdev)) {
851 		settings |= MGMT_SETTING_LE;
852 		settings |= MGMT_SETTING_SECURE_CONN;
853 		settings |= MGMT_SETTING_PRIVACY;
854 		settings |= MGMT_SETTING_STATIC_ADDRESS;
855 		settings |= MGMT_SETTING_ADVERTISING;
856 	}
857 
858 	if (test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks) ||
859 	    hdev->set_bdaddr)
860 		settings |= MGMT_SETTING_CONFIGURATION;
861 
862 	settings |= MGMT_SETTING_PHY_CONFIGURATION;
863 
864 	return settings;
865 }
866 
get_current_settings(struct hci_dev * hdev)867 static u32 get_current_settings(struct hci_dev *hdev)
868 {
869 	u32 settings = 0;
870 
871 	if (hdev_is_powered(hdev))
872 		settings |= MGMT_SETTING_POWERED;
873 
874 	if (hci_dev_test_flag(hdev, HCI_CONNECTABLE))
875 		settings |= MGMT_SETTING_CONNECTABLE;
876 
877 	if (hci_dev_test_flag(hdev, HCI_FAST_CONNECTABLE))
878 		settings |= MGMT_SETTING_FAST_CONNECTABLE;
879 
880 	if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE))
881 		settings |= MGMT_SETTING_DISCOVERABLE;
882 
883 	if (hci_dev_test_flag(hdev, HCI_BONDABLE))
884 		settings |= MGMT_SETTING_BONDABLE;
885 
886 	if (hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
887 		settings |= MGMT_SETTING_BREDR;
888 
889 	if (hci_dev_test_flag(hdev, HCI_LE_ENABLED))
890 		settings |= MGMT_SETTING_LE;
891 
892 	if (hci_dev_test_flag(hdev, HCI_LINK_SECURITY))
893 		settings |= MGMT_SETTING_LINK_SECURITY;
894 
895 	if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
896 		settings |= MGMT_SETTING_SSP;
897 
898 	if (hci_dev_test_flag(hdev, HCI_HS_ENABLED))
899 		settings |= MGMT_SETTING_HS;
900 
901 	if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
902 		settings |= MGMT_SETTING_ADVERTISING;
903 
904 	if (hci_dev_test_flag(hdev, HCI_SC_ENABLED))
905 		settings |= MGMT_SETTING_SECURE_CONN;
906 
907 	if (hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS))
908 		settings |= MGMT_SETTING_DEBUG_KEYS;
909 
910 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
911 		settings |= MGMT_SETTING_PRIVACY;
912 
913 	/* The current setting for static address has two purposes. The
914 	 * first is to indicate if the static address will be used and
915 	 * the second is to indicate if it is actually set.
916 	 *
917 	 * This means if the static address is not configured, this flag
918 	 * will never be set. If the address is configured, then if the
919 	 * address is actually used decides if the flag is set or not.
920 	 *
921 	 * For single mode LE only controllers and dual-mode controllers
922 	 * with BR/EDR disabled, the existence of the static address will
923 	 * be evaluated.
924 	 */
925 	if (hci_dev_test_flag(hdev, HCI_FORCE_STATIC_ADDR) ||
926 	    !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) ||
927 	    !bacmp(&hdev->bdaddr, BDADDR_ANY)) {
928 		if (bacmp(&hdev->static_addr, BDADDR_ANY))
929 			settings |= MGMT_SETTING_STATIC_ADDRESS;
930 	}
931 
932 	if (hci_dev_test_flag(hdev, HCI_WIDEBAND_SPEECH_ENABLED))
933 		settings |= MGMT_SETTING_WIDEBAND_SPEECH;
934 
935 	return settings;
936 }
937 
pending_find(u16 opcode,struct hci_dev * hdev)938 static struct mgmt_pending_cmd *pending_find(u16 opcode, struct hci_dev *hdev)
939 {
940 	return mgmt_pending_find(HCI_CHANNEL_CONTROL, opcode, hdev);
941 }
942 
mgmt_get_adv_discov_flags(struct hci_dev * hdev)943 u8 mgmt_get_adv_discov_flags(struct hci_dev *hdev)
944 {
945 	struct mgmt_pending_cmd *cmd;
946 
947 	/* If there's a pending mgmt command the flags will not yet have
948 	 * their final values, so check for this first.
949 	 */
950 	cmd = pending_find(MGMT_OP_SET_DISCOVERABLE, hdev);
951 	if (cmd) {
952 		struct mgmt_mode *cp = cmd->param;
953 		if (cp->val == 0x01)
954 			return LE_AD_GENERAL;
955 		else if (cp->val == 0x02)
956 			return LE_AD_LIMITED;
957 	} else {
958 		if (hci_dev_test_flag(hdev, HCI_LIMITED_DISCOVERABLE))
959 			return LE_AD_LIMITED;
960 		else if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE))
961 			return LE_AD_GENERAL;
962 	}
963 
964 	return 0;
965 }
966 
mgmt_get_connectable(struct hci_dev * hdev)967 bool mgmt_get_connectable(struct hci_dev *hdev)
968 {
969 	struct mgmt_pending_cmd *cmd;
970 
971 	/* If there's a pending mgmt command the flag will not yet have
972 	 * it's final value, so check for this first.
973 	 */
974 	cmd = pending_find(MGMT_OP_SET_CONNECTABLE, hdev);
975 	if (cmd) {
976 		struct mgmt_mode *cp = cmd->param;
977 
978 		return cp->val;
979 	}
980 
981 	return hci_dev_test_flag(hdev, HCI_CONNECTABLE);
982 }
983 
service_cache_sync(struct hci_dev * hdev,void * data)984 static int service_cache_sync(struct hci_dev *hdev, void *data)
985 {
986 	hci_update_eir_sync(hdev);
987 	hci_update_class_sync(hdev);
988 
989 	return 0;
990 }
991 
service_cache_off(struct work_struct * work)992 static void service_cache_off(struct work_struct *work)
993 {
994 	struct hci_dev *hdev = container_of(work, struct hci_dev,
995 					    service_cache.work);
996 
997 	if (!hci_dev_test_and_clear_flag(hdev, HCI_SERVICE_CACHE))
998 		return;
999 
1000 	hci_cmd_sync_queue(hdev, service_cache_sync, NULL, NULL);
1001 }
1002 
rpa_expired_sync(struct hci_dev * hdev,void * data)1003 static int rpa_expired_sync(struct hci_dev *hdev, void *data)
1004 {
1005 	/* The generation of a new RPA and programming it into the
1006 	 * controller happens in the hci_req_enable_advertising()
1007 	 * function.
1008 	 */
1009 	if (ext_adv_capable(hdev))
1010 		return hci_start_ext_adv_sync(hdev, hdev->cur_adv_instance);
1011 	else
1012 		return hci_enable_advertising_sync(hdev);
1013 }
1014 
rpa_expired(struct work_struct * work)1015 static void rpa_expired(struct work_struct *work)
1016 {
1017 	struct hci_dev *hdev = container_of(work, struct hci_dev,
1018 					    rpa_expired.work);
1019 
1020 	bt_dev_dbg(hdev, "");
1021 
1022 	hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
1023 
1024 	if (!hci_dev_test_flag(hdev, HCI_ADVERTISING))
1025 		return;
1026 
1027 	hci_cmd_sync_queue(hdev, rpa_expired_sync, NULL, NULL);
1028 }
1029 
discov_off(struct work_struct * work)1030 static void discov_off(struct work_struct *work)
1031 {
1032 	struct hci_dev *hdev = container_of(work, struct hci_dev,
1033 					    discov_off.work);
1034 
1035 	bt_dev_dbg(hdev, "");
1036 
1037 	hci_dev_lock(hdev);
1038 
1039 	/* When discoverable timeout triggers, then just make sure
1040 	 * the limited discoverable flag is cleared. Even in the case
1041 	 * of a timeout triggered from general discoverable, it is
1042 	 * safe to unconditionally clear the flag.
1043 	 */
1044 	hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1045 	hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1046 	hdev->discov_timeout = 0;
1047 
1048 	hci_update_discoverable(hdev);
1049 
1050 	mgmt_new_settings(hdev);
1051 
1052 	hci_dev_unlock(hdev);
1053 }
1054 
1055 static int send_settings_rsp(struct sock *sk, u16 opcode, struct hci_dev *hdev);
1056 
mesh_send_complete(struct hci_dev * hdev,struct mgmt_mesh_tx * mesh_tx,bool silent)1057 static void mesh_send_complete(struct hci_dev *hdev,
1058 			       struct mgmt_mesh_tx *mesh_tx, bool silent)
1059 {
1060 	u8 handle = mesh_tx->handle;
1061 
1062 	if (!silent)
1063 		mgmt_event(MGMT_EV_MESH_PACKET_CMPLT, hdev, &handle,
1064 			   sizeof(handle), NULL);
1065 
1066 	mgmt_mesh_remove(mesh_tx);
1067 }
1068 
mesh_send_done_sync(struct hci_dev * hdev,void * data)1069 static int mesh_send_done_sync(struct hci_dev *hdev, void *data)
1070 {
1071 	struct mgmt_mesh_tx *mesh_tx;
1072 
1073 	hci_dev_clear_flag(hdev, HCI_MESH_SENDING);
1074 	hci_disable_advertising_sync(hdev);
1075 	mesh_tx = mgmt_mesh_next(hdev, NULL);
1076 
1077 	if (mesh_tx)
1078 		mesh_send_complete(hdev, mesh_tx, false);
1079 
1080 	return 0;
1081 }
1082 
1083 static int mesh_send_sync(struct hci_dev *hdev, void *data);
1084 static void mesh_send_start_complete(struct hci_dev *hdev, void *data, int err);
mesh_next(struct hci_dev * hdev,void * data,int err)1085 static void mesh_next(struct hci_dev *hdev, void *data, int err)
1086 {
1087 	struct mgmt_mesh_tx *mesh_tx = mgmt_mesh_next(hdev, NULL);
1088 
1089 	if (!mesh_tx)
1090 		return;
1091 
1092 	err = hci_cmd_sync_queue(hdev, mesh_send_sync, mesh_tx,
1093 				 mesh_send_start_complete);
1094 
1095 	if (err < 0)
1096 		mesh_send_complete(hdev, mesh_tx, false);
1097 	else
1098 		hci_dev_set_flag(hdev, HCI_MESH_SENDING);
1099 }
1100 
mesh_send_done(struct work_struct * work)1101 static void mesh_send_done(struct work_struct *work)
1102 {
1103 	struct hci_dev *hdev = container_of(work, struct hci_dev,
1104 					    mesh_send_done.work);
1105 
1106 	if (!hci_dev_test_flag(hdev, HCI_MESH_SENDING))
1107 		return;
1108 
1109 	hci_cmd_sync_queue(hdev, mesh_send_done_sync, NULL, mesh_next);
1110 }
1111 
mgmt_init_hdev(struct sock * sk,struct hci_dev * hdev)1112 static void mgmt_init_hdev(struct sock *sk, struct hci_dev *hdev)
1113 {
1114 	if (hci_dev_test_flag(hdev, HCI_MGMT))
1115 		return;
1116 
1117 	BT_INFO("MGMT ver %d.%d", MGMT_VERSION, MGMT_REVISION);
1118 
1119 	INIT_DELAYED_WORK(&hdev->discov_off, discov_off);
1120 	INIT_DELAYED_WORK(&hdev->service_cache, service_cache_off);
1121 	INIT_DELAYED_WORK(&hdev->rpa_expired, rpa_expired);
1122 	INIT_DELAYED_WORK(&hdev->mesh_send_done, mesh_send_done);
1123 
1124 	/* Non-mgmt controlled devices get this bit set
1125 	 * implicitly so that pairing works for them, however
1126 	 * for mgmt we require user-space to explicitly enable
1127 	 * it
1128 	 */
1129 	hci_dev_clear_flag(hdev, HCI_BONDABLE);
1130 
1131 	hci_dev_set_flag(hdev, HCI_MGMT);
1132 }
1133 
read_controller_info(struct sock * sk,struct hci_dev * hdev,void * data,u16 data_len)1134 static int read_controller_info(struct sock *sk, struct hci_dev *hdev,
1135 				void *data, u16 data_len)
1136 {
1137 	struct mgmt_rp_read_info rp;
1138 
1139 	bt_dev_dbg(hdev, "sock %p", sk);
1140 
1141 	hci_dev_lock(hdev);
1142 
1143 	memset(&rp, 0, sizeof(rp));
1144 
1145 	bacpy(&rp.bdaddr, &hdev->bdaddr);
1146 
1147 	rp.version = hdev->hci_ver;
1148 	rp.manufacturer = cpu_to_le16(hdev->manufacturer);
1149 
1150 	rp.supported_settings = cpu_to_le32(get_supported_settings(hdev));
1151 	rp.current_settings = cpu_to_le32(get_current_settings(hdev));
1152 
1153 	memcpy(rp.dev_class, hdev->dev_class, 3);
1154 
1155 	memcpy(rp.name, hdev->dev_name, sizeof(hdev->dev_name));
1156 	memcpy(rp.short_name, hdev->short_name, sizeof(hdev->short_name));
1157 
1158 	hci_dev_unlock(hdev);
1159 
1160 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_INFO, 0, &rp,
1161 				 sizeof(rp));
1162 }
1163 
append_eir_data_to_buf(struct hci_dev * hdev,u8 * eir)1164 static u16 append_eir_data_to_buf(struct hci_dev *hdev, u8 *eir)
1165 {
1166 	u16 eir_len = 0;
1167 	size_t name_len;
1168 
1169 	if (hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1170 		eir_len = eir_append_data(eir, eir_len, EIR_CLASS_OF_DEV,
1171 					  hdev->dev_class, 3);
1172 
1173 	if (hci_dev_test_flag(hdev, HCI_LE_ENABLED))
1174 		eir_len = eir_append_le16(eir, eir_len, EIR_APPEARANCE,
1175 					  hdev->appearance);
1176 
1177 	name_len = strnlen(hdev->dev_name, sizeof(hdev->dev_name));
1178 	eir_len = eir_append_data(eir, eir_len, EIR_NAME_COMPLETE,
1179 				  hdev->dev_name, name_len);
1180 
1181 	name_len = strnlen(hdev->short_name, sizeof(hdev->short_name));
1182 	eir_len = eir_append_data(eir, eir_len, EIR_NAME_SHORT,
1183 				  hdev->short_name, name_len);
1184 
1185 	return eir_len;
1186 }
1187 
read_ext_controller_info(struct sock * sk,struct hci_dev * hdev,void * data,u16 data_len)1188 static int read_ext_controller_info(struct sock *sk, struct hci_dev *hdev,
1189 				    void *data, u16 data_len)
1190 {
1191 	char buf[512];
1192 	struct mgmt_rp_read_ext_info *rp = (void *)buf;
1193 	u16 eir_len;
1194 
1195 	bt_dev_dbg(hdev, "sock %p", sk);
1196 
1197 	memset(&buf, 0, sizeof(buf));
1198 
1199 	hci_dev_lock(hdev);
1200 
1201 	bacpy(&rp->bdaddr, &hdev->bdaddr);
1202 
1203 	rp->version = hdev->hci_ver;
1204 	rp->manufacturer = cpu_to_le16(hdev->manufacturer);
1205 
1206 	rp->supported_settings = cpu_to_le32(get_supported_settings(hdev));
1207 	rp->current_settings = cpu_to_le32(get_current_settings(hdev));
1208 
1209 
1210 	eir_len = append_eir_data_to_buf(hdev, rp->eir);
1211 	rp->eir_len = cpu_to_le16(eir_len);
1212 
1213 	hci_dev_unlock(hdev);
1214 
1215 	/* If this command is called at least once, then the events
1216 	 * for class of device and local name changes are disabled
1217 	 * and only the new extended controller information event
1218 	 * is used.
1219 	 */
1220 	hci_sock_set_flag(sk, HCI_MGMT_EXT_INFO_EVENTS);
1221 	hci_sock_clear_flag(sk, HCI_MGMT_DEV_CLASS_EVENTS);
1222 	hci_sock_clear_flag(sk, HCI_MGMT_LOCAL_NAME_EVENTS);
1223 
1224 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_EXT_INFO, 0, rp,
1225 				 sizeof(*rp) + eir_len);
1226 }
1227 
ext_info_changed(struct hci_dev * hdev,struct sock * skip)1228 static int ext_info_changed(struct hci_dev *hdev, struct sock *skip)
1229 {
1230 	char buf[512];
1231 	struct mgmt_ev_ext_info_changed *ev = (void *)buf;
1232 	u16 eir_len;
1233 
1234 	memset(buf, 0, sizeof(buf));
1235 
1236 	eir_len = append_eir_data_to_buf(hdev, ev->eir);
1237 	ev->eir_len = cpu_to_le16(eir_len);
1238 
1239 	return mgmt_limited_event(MGMT_EV_EXT_INFO_CHANGED, hdev, ev,
1240 				  sizeof(*ev) + eir_len,
1241 				  HCI_MGMT_EXT_INFO_EVENTS, skip);
1242 }
1243 
send_settings_rsp(struct sock * sk,u16 opcode,struct hci_dev * hdev)1244 static int send_settings_rsp(struct sock *sk, u16 opcode, struct hci_dev *hdev)
1245 {
1246 	__le32 settings = cpu_to_le32(get_current_settings(hdev));
1247 
1248 	return mgmt_cmd_complete(sk, hdev->id, opcode, 0, &settings,
1249 				 sizeof(settings));
1250 }
1251 
mgmt_advertising_added(struct sock * sk,struct hci_dev * hdev,u8 instance)1252 void mgmt_advertising_added(struct sock *sk, struct hci_dev *hdev, u8 instance)
1253 {
1254 	struct mgmt_ev_advertising_added ev;
1255 
1256 	ev.instance = instance;
1257 
1258 	mgmt_event(MGMT_EV_ADVERTISING_ADDED, hdev, &ev, sizeof(ev), sk);
1259 }
1260 
mgmt_advertising_removed(struct sock * sk,struct hci_dev * hdev,u8 instance)1261 void mgmt_advertising_removed(struct sock *sk, struct hci_dev *hdev,
1262 			      u8 instance)
1263 {
1264 	struct mgmt_ev_advertising_removed ev;
1265 
1266 	ev.instance = instance;
1267 
1268 	mgmt_event(MGMT_EV_ADVERTISING_REMOVED, hdev, &ev, sizeof(ev), sk);
1269 }
1270 
cancel_adv_timeout(struct hci_dev * hdev)1271 static void cancel_adv_timeout(struct hci_dev *hdev)
1272 {
1273 	if (hdev->adv_instance_timeout) {
1274 		hdev->adv_instance_timeout = 0;
1275 		cancel_delayed_work(&hdev->adv_instance_expire);
1276 	}
1277 }
1278 
1279 /* This function requires the caller holds hdev->lock */
restart_le_actions(struct hci_dev * hdev)1280 static void restart_le_actions(struct hci_dev *hdev)
1281 {
1282 	struct hci_conn_params *p;
1283 
1284 	list_for_each_entry(p, &hdev->le_conn_params, list) {
1285 		/* Needed for AUTO_OFF case where might not "really"
1286 		 * have been powered off.
1287 		 */
1288 		list_del_init(&p->action);
1289 
1290 		switch (p->auto_connect) {
1291 		case HCI_AUTO_CONN_DIRECT:
1292 		case HCI_AUTO_CONN_ALWAYS:
1293 			list_add(&p->action, &hdev->pend_le_conns);
1294 			break;
1295 		case HCI_AUTO_CONN_REPORT:
1296 			list_add(&p->action, &hdev->pend_le_reports);
1297 			break;
1298 		default:
1299 			break;
1300 		}
1301 	}
1302 }
1303 
new_settings(struct hci_dev * hdev,struct sock * skip)1304 static int new_settings(struct hci_dev *hdev, struct sock *skip)
1305 {
1306 	__le32 ev = cpu_to_le32(get_current_settings(hdev));
1307 
1308 	return mgmt_limited_event(MGMT_EV_NEW_SETTINGS, hdev, &ev,
1309 				  sizeof(ev), HCI_MGMT_SETTING_EVENTS, skip);
1310 }
1311 
mgmt_set_powered_complete(struct hci_dev * hdev,void * data,int err)1312 static void mgmt_set_powered_complete(struct hci_dev *hdev, void *data, int err)
1313 {
1314 	struct mgmt_pending_cmd *cmd = data;
1315 	struct mgmt_mode *cp;
1316 
1317 	/* Make sure cmd still outstanding. */
1318 	if (cmd != pending_find(MGMT_OP_SET_POWERED, hdev))
1319 		return;
1320 
1321 	cp = cmd->param;
1322 
1323 	bt_dev_dbg(hdev, "err %d", err);
1324 
1325 	if (!err) {
1326 		if (cp->val) {
1327 			hci_dev_lock(hdev);
1328 			restart_le_actions(hdev);
1329 			hci_update_passive_scan(hdev);
1330 			hci_dev_unlock(hdev);
1331 		}
1332 
1333 		send_settings_rsp(cmd->sk, cmd->opcode, hdev);
1334 
1335 		/* Only call new_setting for power on as power off is deferred
1336 		 * to hdev->power_off work which does call hci_dev_do_close.
1337 		 */
1338 		if (cp->val)
1339 			new_settings(hdev, cmd->sk);
1340 	} else {
1341 		mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_POWERED,
1342 				mgmt_status(err));
1343 	}
1344 
1345 	mgmt_pending_remove(cmd);
1346 }
1347 
set_powered_sync(struct hci_dev * hdev,void * data)1348 static int set_powered_sync(struct hci_dev *hdev, void *data)
1349 {
1350 	struct mgmt_pending_cmd *cmd = data;
1351 	struct mgmt_mode *cp = cmd->param;
1352 
1353 	BT_DBG("%s", hdev->name);
1354 
1355 	return hci_set_powered_sync(hdev, cp->val);
1356 }
1357 
set_powered(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)1358 static int set_powered(struct sock *sk, struct hci_dev *hdev, void *data,
1359 		       u16 len)
1360 {
1361 	struct mgmt_mode *cp = data;
1362 	struct mgmt_pending_cmd *cmd;
1363 	int err;
1364 
1365 	bt_dev_dbg(hdev, "sock %p", sk);
1366 
1367 	if (cp->val != 0x00 && cp->val != 0x01)
1368 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_POWERED,
1369 				       MGMT_STATUS_INVALID_PARAMS);
1370 
1371 	hci_dev_lock(hdev);
1372 
1373 	if (pending_find(MGMT_OP_SET_POWERED, hdev)) {
1374 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_POWERED,
1375 				      MGMT_STATUS_BUSY);
1376 		goto failed;
1377 	}
1378 
1379 	if (!!cp->val == hdev_is_powered(hdev)) {
1380 		err = send_settings_rsp(sk, MGMT_OP_SET_POWERED, hdev);
1381 		goto failed;
1382 	}
1383 
1384 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_POWERED, hdev, data, len);
1385 	if (!cmd) {
1386 		err = -ENOMEM;
1387 		goto failed;
1388 	}
1389 
1390 	err = hci_cmd_sync_queue(hdev, set_powered_sync, cmd,
1391 				 mgmt_set_powered_complete);
1392 
1393 	if (err < 0)
1394 		mgmt_pending_remove(cmd);
1395 
1396 failed:
1397 	hci_dev_unlock(hdev);
1398 	return err;
1399 }
1400 
mgmt_new_settings(struct hci_dev * hdev)1401 int mgmt_new_settings(struct hci_dev *hdev)
1402 {
1403 	return new_settings(hdev, NULL);
1404 }
1405 
1406 struct cmd_lookup {
1407 	struct sock *sk;
1408 	struct hci_dev *hdev;
1409 	u8 mgmt_status;
1410 };
1411 
settings_rsp(struct mgmt_pending_cmd * cmd,void * data)1412 static void settings_rsp(struct mgmt_pending_cmd *cmd, void *data)
1413 {
1414 	struct cmd_lookup *match = data;
1415 
1416 	send_settings_rsp(cmd->sk, cmd->opcode, match->hdev);
1417 
1418 	list_del(&cmd->list);
1419 
1420 	if (match->sk == NULL) {
1421 		match->sk = cmd->sk;
1422 		sock_hold(match->sk);
1423 	}
1424 
1425 	mgmt_pending_free(cmd);
1426 }
1427 
cmd_status_rsp(struct mgmt_pending_cmd * cmd,void * data)1428 static void cmd_status_rsp(struct mgmt_pending_cmd *cmd, void *data)
1429 {
1430 	u8 *status = data;
1431 
1432 	mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, *status);
1433 	mgmt_pending_remove(cmd);
1434 }
1435 
cmd_complete_rsp(struct mgmt_pending_cmd * cmd,void * data)1436 static void cmd_complete_rsp(struct mgmt_pending_cmd *cmd, void *data)
1437 {
1438 	if (cmd->cmd_complete) {
1439 		u8 *status = data;
1440 
1441 		cmd->cmd_complete(cmd, *status);
1442 		mgmt_pending_remove(cmd);
1443 
1444 		return;
1445 	}
1446 
1447 	cmd_status_rsp(cmd, data);
1448 }
1449 
generic_cmd_complete(struct mgmt_pending_cmd * cmd,u8 status)1450 static int generic_cmd_complete(struct mgmt_pending_cmd *cmd, u8 status)
1451 {
1452 	return mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status,
1453 				 cmd->param, cmd->param_len);
1454 }
1455 
addr_cmd_complete(struct mgmt_pending_cmd * cmd,u8 status)1456 static int addr_cmd_complete(struct mgmt_pending_cmd *cmd, u8 status)
1457 {
1458 	return mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status,
1459 				 cmd->param, sizeof(struct mgmt_addr_info));
1460 }
1461 
mgmt_bredr_support(struct hci_dev * hdev)1462 static u8 mgmt_bredr_support(struct hci_dev *hdev)
1463 {
1464 	if (!lmp_bredr_capable(hdev))
1465 		return MGMT_STATUS_NOT_SUPPORTED;
1466 	else if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1467 		return MGMT_STATUS_REJECTED;
1468 	else
1469 		return MGMT_STATUS_SUCCESS;
1470 }
1471 
mgmt_le_support(struct hci_dev * hdev)1472 static u8 mgmt_le_support(struct hci_dev *hdev)
1473 {
1474 	if (!lmp_le_capable(hdev))
1475 		return MGMT_STATUS_NOT_SUPPORTED;
1476 	else if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
1477 		return MGMT_STATUS_REJECTED;
1478 	else
1479 		return MGMT_STATUS_SUCCESS;
1480 }
1481 
mgmt_set_discoverable_complete(struct hci_dev * hdev,void * data,int err)1482 static void mgmt_set_discoverable_complete(struct hci_dev *hdev, void *data,
1483 					   int err)
1484 {
1485 	struct mgmt_pending_cmd *cmd = data;
1486 
1487 	bt_dev_dbg(hdev, "err %d", err);
1488 
1489 	/* Make sure cmd still outstanding. */
1490 	if (cmd != pending_find(MGMT_OP_SET_DISCOVERABLE, hdev))
1491 		return;
1492 
1493 	hci_dev_lock(hdev);
1494 
1495 	if (err) {
1496 		u8 mgmt_err = mgmt_status(err);
1497 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
1498 		hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1499 		goto done;
1500 	}
1501 
1502 	if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE) &&
1503 	    hdev->discov_timeout > 0) {
1504 		int to = msecs_to_jiffies(hdev->discov_timeout * 1000);
1505 		queue_delayed_work(hdev->req_workqueue, &hdev->discov_off, to);
1506 	}
1507 
1508 	send_settings_rsp(cmd->sk, MGMT_OP_SET_DISCOVERABLE, hdev);
1509 	new_settings(hdev, cmd->sk);
1510 
1511 done:
1512 	mgmt_pending_remove(cmd);
1513 	hci_dev_unlock(hdev);
1514 }
1515 
set_discoverable_sync(struct hci_dev * hdev,void * data)1516 static int set_discoverable_sync(struct hci_dev *hdev, void *data)
1517 {
1518 	BT_DBG("%s", hdev->name);
1519 
1520 	return hci_update_discoverable_sync(hdev);
1521 }
1522 
set_discoverable(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)1523 static int set_discoverable(struct sock *sk, struct hci_dev *hdev, void *data,
1524 			    u16 len)
1525 {
1526 	struct mgmt_cp_set_discoverable *cp = data;
1527 	struct mgmt_pending_cmd *cmd;
1528 	u16 timeout;
1529 	int err;
1530 
1531 	bt_dev_dbg(hdev, "sock %p", sk);
1532 
1533 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED) &&
1534 	    !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1535 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1536 				       MGMT_STATUS_REJECTED);
1537 
1538 	if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
1539 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1540 				       MGMT_STATUS_INVALID_PARAMS);
1541 
1542 	timeout = __le16_to_cpu(cp->timeout);
1543 
1544 	/* Disabling discoverable requires that no timeout is set,
1545 	 * and enabling limited discoverable requires a timeout.
1546 	 */
1547 	if ((cp->val == 0x00 && timeout > 0) ||
1548 	    (cp->val == 0x02 && timeout == 0))
1549 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1550 				       MGMT_STATUS_INVALID_PARAMS);
1551 
1552 	hci_dev_lock(hdev);
1553 
1554 	if (!hdev_is_powered(hdev) && timeout > 0) {
1555 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1556 				      MGMT_STATUS_NOT_POWERED);
1557 		goto failed;
1558 	}
1559 
1560 	if (pending_find(MGMT_OP_SET_DISCOVERABLE, hdev) ||
1561 	    pending_find(MGMT_OP_SET_CONNECTABLE, hdev)) {
1562 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1563 				      MGMT_STATUS_BUSY);
1564 		goto failed;
1565 	}
1566 
1567 	if (!hci_dev_test_flag(hdev, HCI_CONNECTABLE)) {
1568 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1569 				      MGMT_STATUS_REJECTED);
1570 		goto failed;
1571 	}
1572 
1573 	if (hdev->advertising_paused) {
1574 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1575 				      MGMT_STATUS_BUSY);
1576 		goto failed;
1577 	}
1578 
1579 	if (!hdev_is_powered(hdev)) {
1580 		bool changed = false;
1581 
1582 		/* Setting limited discoverable when powered off is
1583 		 * not a valid operation since it requires a timeout
1584 		 * and so no need to check HCI_LIMITED_DISCOVERABLE.
1585 		 */
1586 		if (!!cp->val != hci_dev_test_flag(hdev, HCI_DISCOVERABLE)) {
1587 			hci_dev_change_flag(hdev, HCI_DISCOVERABLE);
1588 			changed = true;
1589 		}
1590 
1591 		err = send_settings_rsp(sk, MGMT_OP_SET_DISCOVERABLE, hdev);
1592 		if (err < 0)
1593 			goto failed;
1594 
1595 		if (changed)
1596 			err = new_settings(hdev, sk);
1597 
1598 		goto failed;
1599 	}
1600 
1601 	/* If the current mode is the same, then just update the timeout
1602 	 * value with the new value. And if only the timeout gets updated,
1603 	 * then no need for any HCI transactions.
1604 	 */
1605 	if (!!cp->val == hci_dev_test_flag(hdev, HCI_DISCOVERABLE) &&
1606 	    (cp->val == 0x02) == hci_dev_test_flag(hdev,
1607 						   HCI_LIMITED_DISCOVERABLE)) {
1608 		cancel_delayed_work(&hdev->discov_off);
1609 		hdev->discov_timeout = timeout;
1610 
1611 		if (cp->val && hdev->discov_timeout > 0) {
1612 			int to = msecs_to_jiffies(hdev->discov_timeout * 1000);
1613 			queue_delayed_work(hdev->req_workqueue,
1614 					   &hdev->discov_off, to);
1615 		}
1616 
1617 		err = send_settings_rsp(sk, MGMT_OP_SET_DISCOVERABLE, hdev);
1618 		goto failed;
1619 	}
1620 
1621 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_DISCOVERABLE, hdev, data, len);
1622 	if (!cmd) {
1623 		err = -ENOMEM;
1624 		goto failed;
1625 	}
1626 
1627 	/* Cancel any potential discoverable timeout that might be
1628 	 * still active and store new timeout value. The arming of
1629 	 * the timeout happens in the complete handler.
1630 	 */
1631 	cancel_delayed_work(&hdev->discov_off);
1632 	hdev->discov_timeout = timeout;
1633 
1634 	if (cp->val)
1635 		hci_dev_set_flag(hdev, HCI_DISCOVERABLE);
1636 	else
1637 		hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1638 
1639 	/* Limited discoverable mode */
1640 	if (cp->val == 0x02)
1641 		hci_dev_set_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1642 	else
1643 		hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1644 
1645 	err = hci_cmd_sync_queue(hdev, set_discoverable_sync, cmd,
1646 				 mgmt_set_discoverable_complete);
1647 
1648 	if (err < 0)
1649 		mgmt_pending_remove(cmd);
1650 
1651 failed:
1652 	hci_dev_unlock(hdev);
1653 	return err;
1654 }
1655 
mgmt_set_connectable_complete(struct hci_dev * hdev,void * data,int err)1656 static void mgmt_set_connectable_complete(struct hci_dev *hdev, void *data,
1657 					  int err)
1658 {
1659 	struct mgmt_pending_cmd *cmd = data;
1660 
1661 	bt_dev_dbg(hdev, "err %d", err);
1662 
1663 	/* Make sure cmd still outstanding. */
1664 	if (cmd != pending_find(MGMT_OP_SET_CONNECTABLE, hdev))
1665 		return;
1666 
1667 	hci_dev_lock(hdev);
1668 
1669 	if (err) {
1670 		u8 mgmt_err = mgmt_status(err);
1671 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
1672 		goto done;
1673 	}
1674 
1675 	send_settings_rsp(cmd->sk, MGMT_OP_SET_CONNECTABLE, hdev);
1676 	new_settings(hdev, cmd->sk);
1677 
1678 done:
1679 	if (cmd)
1680 		mgmt_pending_remove(cmd);
1681 
1682 	hci_dev_unlock(hdev);
1683 }
1684 
set_connectable_update_settings(struct hci_dev * hdev,struct sock * sk,u8 val)1685 static int set_connectable_update_settings(struct hci_dev *hdev,
1686 					   struct sock *sk, u8 val)
1687 {
1688 	bool changed = false;
1689 	int err;
1690 
1691 	if (!!val != hci_dev_test_flag(hdev, HCI_CONNECTABLE))
1692 		changed = true;
1693 
1694 	if (val) {
1695 		hci_dev_set_flag(hdev, HCI_CONNECTABLE);
1696 	} else {
1697 		hci_dev_clear_flag(hdev, HCI_CONNECTABLE);
1698 		hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1699 	}
1700 
1701 	err = send_settings_rsp(sk, MGMT_OP_SET_CONNECTABLE, hdev);
1702 	if (err < 0)
1703 		return err;
1704 
1705 	if (changed) {
1706 		hci_update_scan(hdev);
1707 		hci_update_passive_scan(hdev);
1708 		return new_settings(hdev, sk);
1709 	}
1710 
1711 	return 0;
1712 }
1713 
set_connectable_sync(struct hci_dev * hdev,void * data)1714 static int set_connectable_sync(struct hci_dev *hdev, void *data)
1715 {
1716 	BT_DBG("%s", hdev->name);
1717 
1718 	return hci_update_connectable_sync(hdev);
1719 }
1720 
set_connectable(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)1721 static int set_connectable(struct sock *sk, struct hci_dev *hdev, void *data,
1722 			   u16 len)
1723 {
1724 	struct mgmt_mode *cp = data;
1725 	struct mgmt_pending_cmd *cmd;
1726 	int err;
1727 
1728 	bt_dev_dbg(hdev, "sock %p", sk);
1729 
1730 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED) &&
1731 	    !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
1732 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_CONNECTABLE,
1733 				       MGMT_STATUS_REJECTED);
1734 
1735 	if (cp->val != 0x00 && cp->val != 0x01)
1736 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_CONNECTABLE,
1737 				       MGMT_STATUS_INVALID_PARAMS);
1738 
1739 	hci_dev_lock(hdev);
1740 
1741 	if (!hdev_is_powered(hdev)) {
1742 		err = set_connectable_update_settings(hdev, sk, cp->val);
1743 		goto failed;
1744 	}
1745 
1746 	if (pending_find(MGMT_OP_SET_DISCOVERABLE, hdev) ||
1747 	    pending_find(MGMT_OP_SET_CONNECTABLE, hdev)) {
1748 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_CONNECTABLE,
1749 				      MGMT_STATUS_BUSY);
1750 		goto failed;
1751 	}
1752 
1753 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_CONNECTABLE, hdev, data, len);
1754 	if (!cmd) {
1755 		err = -ENOMEM;
1756 		goto failed;
1757 	}
1758 
1759 	if (cp->val) {
1760 		hci_dev_set_flag(hdev, HCI_CONNECTABLE);
1761 	} else {
1762 		if (hdev->discov_timeout > 0)
1763 			cancel_delayed_work(&hdev->discov_off);
1764 
1765 		hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
1766 		hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
1767 		hci_dev_clear_flag(hdev, HCI_CONNECTABLE);
1768 	}
1769 
1770 	err = hci_cmd_sync_queue(hdev, set_connectable_sync, cmd,
1771 				 mgmt_set_connectable_complete);
1772 
1773 	if (err < 0)
1774 		mgmt_pending_remove(cmd);
1775 
1776 failed:
1777 	hci_dev_unlock(hdev);
1778 	return err;
1779 }
1780 
set_bondable(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)1781 static int set_bondable(struct sock *sk, struct hci_dev *hdev, void *data,
1782 			u16 len)
1783 {
1784 	struct mgmt_mode *cp = data;
1785 	bool changed;
1786 	int err;
1787 
1788 	bt_dev_dbg(hdev, "sock %p", sk);
1789 
1790 	if (cp->val != 0x00 && cp->val != 0x01)
1791 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BONDABLE,
1792 				       MGMT_STATUS_INVALID_PARAMS);
1793 
1794 	hci_dev_lock(hdev);
1795 
1796 	if (cp->val)
1797 		changed = !hci_dev_test_and_set_flag(hdev, HCI_BONDABLE);
1798 	else
1799 		changed = hci_dev_test_and_clear_flag(hdev, HCI_BONDABLE);
1800 
1801 	err = send_settings_rsp(sk, MGMT_OP_SET_BONDABLE, hdev);
1802 	if (err < 0)
1803 		goto unlock;
1804 
1805 	if (changed) {
1806 		/* In limited privacy mode the change of bondable mode
1807 		 * may affect the local advertising address.
1808 		 */
1809 		hci_update_discoverable(hdev);
1810 
1811 		err = new_settings(hdev, sk);
1812 	}
1813 
1814 unlock:
1815 	hci_dev_unlock(hdev);
1816 	return err;
1817 }
1818 
set_link_security(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)1819 static int set_link_security(struct sock *sk, struct hci_dev *hdev, void *data,
1820 			     u16 len)
1821 {
1822 	struct mgmt_mode *cp = data;
1823 	struct mgmt_pending_cmd *cmd;
1824 	u8 val, status;
1825 	int err;
1826 
1827 	bt_dev_dbg(hdev, "sock %p", sk);
1828 
1829 	status = mgmt_bredr_support(hdev);
1830 	if (status)
1831 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY,
1832 				       status);
1833 
1834 	if (cp->val != 0x00 && cp->val != 0x01)
1835 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY,
1836 				       MGMT_STATUS_INVALID_PARAMS);
1837 
1838 	hci_dev_lock(hdev);
1839 
1840 	if (!hdev_is_powered(hdev)) {
1841 		bool changed = false;
1842 
1843 		if (!!cp->val != hci_dev_test_flag(hdev, HCI_LINK_SECURITY)) {
1844 			hci_dev_change_flag(hdev, HCI_LINK_SECURITY);
1845 			changed = true;
1846 		}
1847 
1848 		err = send_settings_rsp(sk, MGMT_OP_SET_LINK_SECURITY, hdev);
1849 		if (err < 0)
1850 			goto failed;
1851 
1852 		if (changed)
1853 			err = new_settings(hdev, sk);
1854 
1855 		goto failed;
1856 	}
1857 
1858 	if (pending_find(MGMT_OP_SET_LINK_SECURITY, hdev)) {
1859 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY,
1860 				      MGMT_STATUS_BUSY);
1861 		goto failed;
1862 	}
1863 
1864 	val = !!cp->val;
1865 
1866 	if (test_bit(HCI_AUTH, &hdev->flags) == val) {
1867 		err = send_settings_rsp(sk, MGMT_OP_SET_LINK_SECURITY, hdev);
1868 		goto failed;
1869 	}
1870 
1871 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_LINK_SECURITY, hdev, data, len);
1872 	if (!cmd) {
1873 		err = -ENOMEM;
1874 		goto failed;
1875 	}
1876 
1877 	err = hci_send_cmd(hdev, HCI_OP_WRITE_AUTH_ENABLE, sizeof(val), &val);
1878 	if (err < 0) {
1879 		mgmt_pending_remove(cmd);
1880 		goto failed;
1881 	}
1882 
1883 failed:
1884 	hci_dev_unlock(hdev);
1885 	return err;
1886 }
1887 
set_ssp_complete(struct hci_dev * hdev,void * data,int err)1888 static void set_ssp_complete(struct hci_dev *hdev, void *data, int err)
1889 {
1890 	struct cmd_lookup match = { NULL, hdev };
1891 	struct mgmt_pending_cmd *cmd = data;
1892 	struct mgmt_mode *cp = cmd->param;
1893 	u8 enable = cp->val;
1894 	bool changed;
1895 
1896 	/* Make sure cmd still outstanding. */
1897 	if (cmd != pending_find(MGMT_OP_SET_SSP, hdev))
1898 		return;
1899 
1900 	if (err) {
1901 		u8 mgmt_err = mgmt_status(err);
1902 
1903 		if (enable && hci_dev_test_and_clear_flag(hdev,
1904 							  HCI_SSP_ENABLED)) {
1905 			hci_dev_clear_flag(hdev, HCI_HS_ENABLED);
1906 			new_settings(hdev, NULL);
1907 		}
1908 
1909 		mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, cmd_status_rsp,
1910 				     &mgmt_err);
1911 		return;
1912 	}
1913 
1914 	if (enable) {
1915 		changed = !hci_dev_test_and_set_flag(hdev, HCI_SSP_ENABLED);
1916 	} else {
1917 		changed = hci_dev_test_and_clear_flag(hdev, HCI_SSP_ENABLED);
1918 
1919 		if (!changed)
1920 			changed = hci_dev_test_and_clear_flag(hdev,
1921 							      HCI_HS_ENABLED);
1922 		else
1923 			hci_dev_clear_flag(hdev, HCI_HS_ENABLED);
1924 	}
1925 
1926 	mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, settings_rsp, &match);
1927 
1928 	if (changed)
1929 		new_settings(hdev, match.sk);
1930 
1931 	if (match.sk)
1932 		sock_put(match.sk);
1933 
1934 	hci_update_eir_sync(hdev);
1935 }
1936 
set_ssp_sync(struct hci_dev * hdev,void * data)1937 static int set_ssp_sync(struct hci_dev *hdev, void *data)
1938 {
1939 	struct mgmt_pending_cmd *cmd = data;
1940 	struct mgmt_mode *cp = cmd->param;
1941 	bool changed = false;
1942 	int err;
1943 
1944 	if (cp->val)
1945 		changed = !hci_dev_test_and_set_flag(hdev, HCI_SSP_ENABLED);
1946 
1947 	err = hci_write_ssp_mode_sync(hdev, cp->val);
1948 
1949 	if (!err && changed)
1950 		hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
1951 
1952 	return err;
1953 }
1954 
set_ssp(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)1955 static int set_ssp(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
1956 {
1957 	struct mgmt_mode *cp = data;
1958 	struct mgmt_pending_cmd *cmd;
1959 	u8 status;
1960 	int err;
1961 
1962 	bt_dev_dbg(hdev, "sock %p", sk);
1963 
1964 	status = mgmt_bredr_support(hdev);
1965 	if (status)
1966 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP, status);
1967 
1968 	if (!lmp_ssp_capable(hdev))
1969 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
1970 				       MGMT_STATUS_NOT_SUPPORTED);
1971 
1972 	if (cp->val != 0x00 && cp->val != 0x01)
1973 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
1974 				       MGMT_STATUS_INVALID_PARAMS);
1975 
1976 	hci_dev_lock(hdev);
1977 
1978 	if (!hdev_is_powered(hdev)) {
1979 		bool changed;
1980 
1981 		if (cp->val) {
1982 			changed = !hci_dev_test_and_set_flag(hdev,
1983 							     HCI_SSP_ENABLED);
1984 		} else {
1985 			changed = hci_dev_test_and_clear_flag(hdev,
1986 							      HCI_SSP_ENABLED);
1987 			if (!changed)
1988 				changed = hci_dev_test_and_clear_flag(hdev,
1989 								      HCI_HS_ENABLED);
1990 			else
1991 				hci_dev_clear_flag(hdev, HCI_HS_ENABLED);
1992 		}
1993 
1994 		err = send_settings_rsp(sk, MGMT_OP_SET_SSP, hdev);
1995 		if (err < 0)
1996 			goto failed;
1997 
1998 		if (changed)
1999 			err = new_settings(hdev, sk);
2000 
2001 		goto failed;
2002 	}
2003 
2004 	if (pending_find(MGMT_OP_SET_SSP, hdev)) {
2005 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
2006 				      MGMT_STATUS_BUSY);
2007 		goto failed;
2008 	}
2009 
2010 	if (!!cp->val == hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
2011 		err = send_settings_rsp(sk, MGMT_OP_SET_SSP, hdev);
2012 		goto failed;
2013 	}
2014 
2015 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_SSP, hdev, data, len);
2016 	if (!cmd)
2017 		err = -ENOMEM;
2018 	else
2019 		err = hci_cmd_sync_queue(hdev, set_ssp_sync, cmd,
2020 					 set_ssp_complete);
2021 
2022 	if (err < 0) {
2023 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
2024 				      MGMT_STATUS_FAILED);
2025 
2026 		if (cmd)
2027 			mgmt_pending_remove(cmd);
2028 	}
2029 
2030 failed:
2031 	hci_dev_unlock(hdev);
2032 	return err;
2033 }
2034 
set_hs(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)2035 static int set_hs(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
2036 {
2037 	struct mgmt_mode *cp = data;
2038 	bool changed;
2039 	u8 status;
2040 	int err;
2041 
2042 	bt_dev_dbg(hdev, "sock %p", sk);
2043 
2044 	if (!IS_ENABLED(CONFIG_BT_HS))
2045 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
2046 				       MGMT_STATUS_NOT_SUPPORTED);
2047 
2048 	status = mgmt_bredr_support(hdev);
2049 	if (status)
2050 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS, status);
2051 
2052 	if (!lmp_ssp_capable(hdev))
2053 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
2054 				       MGMT_STATUS_NOT_SUPPORTED);
2055 
2056 	if (!hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
2057 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
2058 				       MGMT_STATUS_REJECTED);
2059 
2060 	if (cp->val != 0x00 && cp->val != 0x01)
2061 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
2062 				       MGMT_STATUS_INVALID_PARAMS);
2063 
2064 	hci_dev_lock(hdev);
2065 
2066 	if (pending_find(MGMT_OP_SET_SSP, hdev)) {
2067 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
2068 				      MGMT_STATUS_BUSY);
2069 		goto unlock;
2070 	}
2071 
2072 	if (cp->val) {
2073 		changed = !hci_dev_test_and_set_flag(hdev, HCI_HS_ENABLED);
2074 	} else {
2075 		if (hdev_is_powered(hdev)) {
2076 			err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
2077 					      MGMT_STATUS_REJECTED);
2078 			goto unlock;
2079 		}
2080 
2081 		changed = hci_dev_test_and_clear_flag(hdev, HCI_HS_ENABLED);
2082 	}
2083 
2084 	err = send_settings_rsp(sk, MGMT_OP_SET_HS, hdev);
2085 	if (err < 0)
2086 		goto unlock;
2087 
2088 	if (changed)
2089 		err = new_settings(hdev, sk);
2090 
2091 unlock:
2092 	hci_dev_unlock(hdev);
2093 	return err;
2094 }
2095 
set_le_complete(struct hci_dev * hdev,void * data,int err)2096 static void set_le_complete(struct hci_dev *hdev, void *data, int err)
2097 {
2098 	struct cmd_lookup match = { NULL, hdev };
2099 	u8 status = mgmt_status(err);
2100 
2101 	bt_dev_dbg(hdev, "err %d", err);
2102 
2103 	if (status) {
2104 		mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, cmd_status_rsp,
2105 							&status);
2106 		return;
2107 	}
2108 
2109 	mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, settings_rsp, &match);
2110 
2111 	new_settings(hdev, match.sk);
2112 
2113 	if (match.sk)
2114 		sock_put(match.sk);
2115 }
2116 
set_le_sync(struct hci_dev * hdev,void * data)2117 static int set_le_sync(struct hci_dev *hdev, void *data)
2118 {
2119 	struct mgmt_pending_cmd *cmd = data;
2120 	struct mgmt_mode *cp = cmd->param;
2121 	u8 val = !!cp->val;
2122 	int err;
2123 
2124 	if (!val) {
2125 		hci_clear_adv_instance_sync(hdev, NULL, 0x00, true);
2126 
2127 		if (hci_dev_test_flag(hdev, HCI_LE_ADV))
2128 			hci_disable_advertising_sync(hdev);
2129 
2130 		if (ext_adv_capable(hdev))
2131 			hci_remove_ext_adv_instance_sync(hdev, 0, cmd->sk);
2132 	} else {
2133 		hci_dev_set_flag(hdev, HCI_LE_ENABLED);
2134 	}
2135 
2136 	err = hci_write_le_host_supported_sync(hdev, val, 0);
2137 
2138 	/* Make sure the controller has a good default for
2139 	 * advertising data. Restrict the update to when LE
2140 	 * has actually been enabled. During power on, the
2141 	 * update in powered_update_hci will take care of it.
2142 	 */
2143 	if (!err && hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
2144 		if (ext_adv_capable(hdev)) {
2145 			int status;
2146 
2147 			status = hci_setup_ext_adv_instance_sync(hdev, 0x00);
2148 			if (!status)
2149 				hci_update_scan_rsp_data_sync(hdev, 0x00);
2150 		} else {
2151 			hci_update_adv_data_sync(hdev, 0x00);
2152 			hci_update_scan_rsp_data_sync(hdev, 0x00);
2153 		}
2154 
2155 		hci_update_passive_scan(hdev);
2156 	}
2157 
2158 	return err;
2159 }
2160 
set_mesh_complete(struct hci_dev * hdev,void * data,int err)2161 static void set_mesh_complete(struct hci_dev *hdev, void *data, int err)
2162 {
2163 	struct mgmt_pending_cmd *cmd = data;
2164 	u8 status = mgmt_status(err);
2165 	struct sock *sk = cmd->sk;
2166 
2167 	if (status) {
2168 		mgmt_pending_foreach(MGMT_OP_SET_MESH_RECEIVER, hdev,
2169 				     cmd_status_rsp, &status);
2170 		return;
2171 	}
2172 
2173 	mgmt_pending_remove(cmd);
2174 	mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER, 0, NULL, 0);
2175 }
2176 
set_mesh_sync(struct hci_dev * hdev,void * data)2177 static int set_mesh_sync(struct hci_dev *hdev, void *data)
2178 {
2179 	struct mgmt_pending_cmd *cmd = data;
2180 	struct mgmt_cp_set_mesh *cp = cmd->param;
2181 	size_t len = cmd->param_len;
2182 
2183 	memset(hdev->mesh_ad_types, 0, sizeof(hdev->mesh_ad_types));
2184 
2185 	if (cp->enable)
2186 		hci_dev_set_flag(hdev, HCI_MESH);
2187 	else
2188 		hci_dev_clear_flag(hdev, HCI_MESH);
2189 
2190 	len -= sizeof(*cp);
2191 
2192 	/* If filters don't fit, forward all adv pkts */
2193 	if (len <= sizeof(hdev->mesh_ad_types))
2194 		memcpy(hdev->mesh_ad_types, cp->ad_types, len);
2195 
2196 	hci_update_passive_scan_sync(hdev);
2197 	return 0;
2198 }
2199 
set_mesh(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)2200 static int set_mesh(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
2201 {
2202 	struct mgmt_cp_set_mesh *cp = data;
2203 	struct mgmt_pending_cmd *cmd;
2204 	int err = 0;
2205 
2206 	bt_dev_dbg(hdev, "sock %p", sk);
2207 
2208 	if (!lmp_le_capable(hdev) ||
2209 	    !hci_dev_test_flag(hdev, HCI_MESH_EXPERIMENTAL))
2210 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER,
2211 				       MGMT_STATUS_NOT_SUPPORTED);
2212 
2213 	if (cp->enable != 0x00 && cp->enable != 0x01)
2214 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER,
2215 				       MGMT_STATUS_INVALID_PARAMS);
2216 
2217 	hci_dev_lock(hdev);
2218 
2219 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_MESH_RECEIVER, hdev, data, len);
2220 	if (!cmd)
2221 		err = -ENOMEM;
2222 	else
2223 		err = hci_cmd_sync_queue(hdev, set_mesh_sync, cmd,
2224 					 set_mesh_complete);
2225 
2226 	if (err < 0) {
2227 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER,
2228 				      MGMT_STATUS_FAILED);
2229 
2230 		if (cmd)
2231 			mgmt_pending_remove(cmd);
2232 	}
2233 
2234 	hci_dev_unlock(hdev);
2235 	return err;
2236 }
2237 
mesh_send_start_complete(struct hci_dev * hdev,void * data,int err)2238 static void mesh_send_start_complete(struct hci_dev *hdev, void *data, int err)
2239 {
2240 	struct mgmt_mesh_tx *mesh_tx = data;
2241 	struct mgmt_cp_mesh_send *send = (void *)mesh_tx->param;
2242 	unsigned long mesh_send_interval;
2243 	u8 mgmt_err = mgmt_status(err);
2244 
2245 	/* Report any errors here, but don't report completion */
2246 
2247 	if (mgmt_err) {
2248 		hci_dev_clear_flag(hdev, HCI_MESH_SENDING);
2249 		/* Send Complete Error Code for handle */
2250 		mesh_send_complete(hdev, mesh_tx, false);
2251 		return;
2252 	}
2253 
2254 	mesh_send_interval = msecs_to_jiffies((send->cnt) * 25);
2255 	queue_delayed_work(hdev->req_workqueue, &hdev->mesh_send_done,
2256 			   mesh_send_interval);
2257 }
2258 
mesh_send_sync(struct hci_dev * hdev,void * data)2259 static int mesh_send_sync(struct hci_dev *hdev, void *data)
2260 {
2261 	struct mgmt_mesh_tx *mesh_tx = data;
2262 	struct mgmt_cp_mesh_send *send = (void *)mesh_tx->param;
2263 	struct adv_info *adv, *next_instance;
2264 	u8 instance = hdev->le_num_of_adv_sets + 1;
2265 	u16 timeout, duration;
2266 	int err = 0;
2267 
2268 	if (hdev->le_num_of_adv_sets <= hdev->adv_instance_cnt)
2269 		return MGMT_STATUS_BUSY;
2270 
2271 	timeout = 1000;
2272 	duration = send->cnt * INTERVAL_TO_MS(hdev->le_adv_max_interval);
2273 	adv = hci_add_adv_instance(hdev, instance, 0,
2274 				   send->adv_data_len, send->adv_data,
2275 				   0, NULL,
2276 				   timeout, duration,
2277 				   HCI_ADV_TX_POWER_NO_PREFERENCE,
2278 				   hdev->le_adv_min_interval,
2279 				   hdev->le_adv_max_interval,
2280 				   mesh_tx->handle);
2281 
2282 	if (!IS_ERR(adv))
2283 		mesh_tx->instance = instance;
2284 	else
2285 		err = PTR_ERR(adv);
2286 
2287 	if (hdev->cur_adv_instance == instance) {
2288 		/* If the currently advertised instance is being changed then
2289 		 * cancel the current advertising and schedule the next
2290 		 * instance. If there is only one instance then the overridden
2291 		 * advertising data will be visible right away.
2292 		 */
2293 		cancel_adv_timeout(hdev);
2294 
2295 		next_instance = hci_get_next_instance(hdev, instance);
2296 		if (next_instance)
2297 			instance = next_instance->instance;
2298 		else
2299 			instance = 0;
2300 	} else if (hdev->adv_instance_timeout) {
2301 		/* Immediately advertise the new instance if no other, or
2302 		 * let it go naturally from queue if ADV is already happening
2303 		 */
2304 		instance = 0;
2305 	}
2306 
2307 	if (instance)
2308 		return hci_schedule_adv_instance_sync(hdev, instance, true);
2309 
2310 	return err;
2311 }
2312 
send_count(struct mgmt_mesh_tx * mesh_tx,void * data)2313 static void send_count(struct mgmt_mesh_tx *mesh_tx, void *data)
2314 {
2315 	struct mgmt_rp_mesh_read_features *rp = data;
2316 
2317 	if (rp->used_handles >= rp->max_handles)
2318 		return;
2319 
2320 	rp->handles[rp->used_handles++] = mesh_tx->handle;
2321 }
2322 
mesh_features(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)2323 static int mesh_features(struct sock *sk, struct hci_dev *hdev,
2324 			 void *data, u16 len)
2325 {
2326 	struct mgmt_rp_mesh_read_features rp;
2327 
2328 	if (!lmp_le_capable(hdev) ||
2329 	    !hci_dev_test_flag(hdev, HCI_MESH_EXPERIMENTAL))
2330 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_MESH_READ_FEATURES,
2331 				       MGMT_STATUS_NOT_SUPPORTED);
2332 
2333 	memset(&rp, 0, sizeof(rp));
2334 	rp.index = cpu_to_le16(hdev->id);
2335 	if (hci_dev_test_flag(hdev, HCI_LE_ENABLED))
2336 		rp.max_handles = MESH_HANDLES_MAX;
2337 
2338 	hci_dev_lock(hdev);
2339 
2340 	if (rp.max_handles)
2341 		mgmt_mesh_foreach(hdev, send_count, &rp, sk);
2342 
2343 	mgmt_cmd_complete(sk, hdev->id, MGMT_OP_MESH_READ_FEATURES, 0, &rp,
2344 			  rp.used_handles + sizeof(rp) - MESH_HANDLES_MAX);
2345 
2346 	hci_dev_unlock(hdev);
2347 	return 0;
2348 }
2349 
send_cancel(struct hci_dev * hdev,void * data)2350 static int send_cancel(struct hci_dev *hdev, void *data)
2351 {
2352 	struct mgmt_pending_cmd *cmd = data;
2353 	struct mgmt_cp_mesh_send_cancel *cancel = (void *)cmd->param;
2354 	struct mgmt_mesh_tx *mesh_tx;
2355 
2356 	if (!cancel->handle) {
2357 		do {
2358 			mesh_tx = mgmt_mesh_next(hdev, cmd->sk);
2359 
2360 			if (mesh_tx)
2361 				mesh_send_complete(hdev, mesh_tx, false);
2362 		} while (mesh_tx);
2363 	} else {
2364 		mesh_tx = mgmt_mesh_find(hdev, cancel->handle);
2365 
2366 		if (mesh_tx && mesh_tx->sk == cmd->sk)
2367 			mesh_send_complete(hdev, mesh_tx, false);
2368 	}
2369 
2370 	mgmt_cmd_complete(cmd->sk, hdev->id, MGMT_OP_MESH_SEND_CANCEL,
2371 			  0, NULL, 0);
2372 	mgmt_pending_free(cmd);
2373 
2374 	return 0;
2375 }
2376 
mesh_send_cancel(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)2377 static int mesh_send_cancel(struct sock *sk, struct hci_dev *hdev,
2378 			    void *data, u16 len)
2379 {
2380 	struct mgmt_pending_cmd *cmd;
2381 	int err;
2382 
2383 	if (!lmp_le_capable(hdev) ||
2384 	    !hci_dev_test_flag(hdev, HCI_MESH_EXPERIMENTAL))
2385 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_MESH_SEND_CANCEL,
2386 				       MGMT_STATUS_NOT_SUPPORTED);
2387 
2388 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
2389 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_MESH_SEND_CANCEL,
2390 				       MGMT_STATUS_REJECTED);
2391 
2392 	hci_dev_lock(hdev);
2393 	cmd = mgmt_pending_new(sk, MGMT_OP_MESH_SEND_CANCEL, hdev, data, len);
2394 	if (!cmd)
2395 		err = -ENOMEM;
2396 	else
2397 		err = hci_cmd_sync_queue(hdev, send_cancel, cmd, NULL);
2398 
2399 	if (err < 0) {
2400 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_MESH_SEND_CANCEL,
2401 				      MGMT_STATUS_FAILED);
2402 
2403 		if (cmd)
2404 			mgmt_pending_free(cmd);
2405 	}
2406 
2407 	hci_dev_unlock(hdev);
2408 	return err;
2409 }
2410 
mesh_send(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)2411 static int mesh_send(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
2412 {
2413 	struct mgmt_mesh_tx *mesh_tx;
2414 	struct mgmt_cp_mesh_send *send = data;
2415 	struct mgmt_rp_mesh_read_features rp;
2416 	bool sending;
2417 	int err = 0;
2418 
2419 	if (!lmp_le_capable(hdev) ||
2420 	    !hci_dev_test_flag(hdev, HCI_MESH_EXPERIMENTAL))
2421 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_MESH_SEND,
2422 				       MGMT_STATUS_NOT_SUPPORTED);
2423 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED) ||
2424 	    len <= MGMT_MESH_SEND_SIZE ||
2425 	    len > (MGMT_MESH_SEND_SIZE + 31))
2426 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_MESH_SEND,
2427 				       MGMT_STATUS_REJECTED);
2428 
2429 	hci_dev_lock(hdev);
2430 
2431 	memset(&rp, 0, sizeof(rp));
2432 	rp.max_handles = MESH_HANDLES_MAX;
2433 
2434 	mgmt_mesh_foreach(hdev, send_count, &rp, sk);
2435 
2436 	if (rp.max_handles <= rp.used_handles) {
2437 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_MESH_SEND,
2438 				      MGMT_STATUS_BUSY);
2439 		goto done;
2440 	}
2441 
2442 	sending = hci_dev_test_flag(hdev, HCI_MESH_SENDING);
2443 	mesh_tx = mgmt_mesh_add(sk, hdev, send, len);
2444 
2445 	if (!mesh_tx)
2446 		err = -ENOMEM;
2447 	else if (!sending)
2448 		err = hci_cmd_sync_queue(hdev, mesh_send_sync, mesh_tx,
2449 					 mesh_send_start_complete);
2450 
2451 	if (err < 0) {
2452 		bt_dev_err(hdev, "Send Mesh Failed %d", err);
2453 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_MESH_SEND,
2454 				      MGMT_STATUS_FAILED);
2455 
2456 		if (mesh_tx) {
2457 			if (sending)
2458 				mgmt_mesh_remove(mesh_tx);
2459 		}
2460 	} else {
2461 		hci_dev_set_flag(hdev, HCI_MESH_SENDING);
2462 
2463 		mgmt_cmd_complete(sk, hdev->id, MGMT_OP_MESH_SEND, 0,
2464 				  &mesh_tx->handle, 1);
2465 	}
2466 
2467 done:
2468 	hci_dev_unlock(hdev);
2469 	return err;
2470 }
2471 
set_le(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)2472 static int set_le(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
2473 {
2474 	struct mgmt_mode *cp = data;
2475 	struct mgmt_pending_cmd *cmd;
2476 	int err;
2477 	u8 val, enabled;
2478 
2479 	bt_dev_dbg(hdev, "sock %p", sk);
2480 
2481 	if (!lmp_le_capable(hdev))
2482 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
2483 				       MGMT_STATUS_NOT_SUPPORTED);
2484 
2485 	if (cp->val != 0x00 && cp->val != 0x01)
2486 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
2487 				       MGMT_STATUS_INVALID_PARAMS);
2488 
2489 	/* Bluetooth single mode LE only controllers or dual-mode
2490 	 * controllers configured as LE only devices, do not allow
2491 	 * switching LE off. These have either LE enabled explicitly
2492 	 * or BR/EDR has been previously switched off.
2493 	 *
2494 	 * When trying to enable an already enabled LE, then gracefully
2495 	 * send a positive response. Trying to disable it however will
2496 	 * result into rejection.
2497 	 */
2498 	if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
2499 		if (cp->val == 0x01)
2500 			return send_settings_rsp(sk, MGMT_OP_SET_LE, hdev);
2501 
2502 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
2503 				       MGMT_STATUS_REJECTED);
2504 	}
2505 
2506 	hci_dev_lock(hdev);
2507 
2508 	val = !!cp->val;
2509 	enabled = lmp_host_le_capable(hdev);
2510 
2511 	if (!hdev_is_powered(hdev) || val == enabled) {
2512 		bool changed = false;
2513 
2514 		if (val != hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
2515 			hci_dev_change_flag(hdev, HCI_LE_ENABLED);
2516 			changed = true;
2517 		}
2518 
2519 		if (!val && hci_dev_test_flag(hdev, HCI_ADVERTISING)) {
2520 			hci_dev_clear_flag(hdev, HCI_ADVERTISING);
2521 			changed = true;
2522 		}
2523 
2524 		err = send_settings_rsp(sk, MGMT_OP_SET_LE, hdev);
2525 		if (err < 0)
2526 			goto unlock;
2527 
2528 		if (changed)
2529 			err = new_settings(hdev, sk);
2530 
2531 		goto unlock;
2532 	}
2533 
2534 	if (pending_find(MGMT_OP_SET_LE, hdev) ||
2535 	    pending_find(MGMT_OP_SET_ADVERTISING, hdev)) {
2536 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
2537 				      MGMT_STATUS_BUSY);
2538 		goto unlock;
2539 	}
2540 
2541 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_LE, hdev, data, len);
2542 	if (!cmd)
2543 		err = -ENOMEM;
2544 	else
2545 		err = hci_cmd_sync_queue(hdev, set_le_sync, cmd,
2546 					 set_le_complete);
2547 
2548 	if (err < 0) {
2549 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
2550 				      MGMT_STATUS_FAILED);
2551 
2552 		if (cmd)
2553 			mgmt_pending_remove(cmd);
2554 	}
2555 
2556 unlock:
2557 	hci_dev_unlock(hdev);
2558 	return err;
2559 }
2560 
2561 /* This is a helper function to test for pending mgmt commands that can
2562  * cause CoD or EIR HCI commands. We can only allow one such pending
2563  * mgmt command at a time since otherwise we cannot easily track what
2564  * the current values are, will be, and based on that calculate if a new
2565  * HCI command needs to be sent and if yes with what value.
2566  */
pending_eir_or_class(struct hci_dev * hdev)2567 static bool pending_eir_or_class(struct hci_dev *hdev)
2568 {
2569 	struct mgmt_pending_cmd *cmd;
2570 
2571 	list_for_each_entry(cmd, &hdev->mgmt_pending, list) {
2572 		switch (cmd->opcode) {
2573 		case MGMT_OP_ADD_UUID:
2574 		case MGMT_OP_REMOVE_UUID:
2575 		case MGMT_OP_SET_DEV_CLASS:
2576 		case MGMT_OP_SET_POWERED:
2577 			return true;
2578 		}
2579 	}
2580 
2581 	return false;
2582 }
2583 
2584 static const u8 bluetooth_base_uuid[] = {
2585 			0xfb, 0x34, 0x9b, 0x5f, 0x80, 0x00, 0x00, 0x80,
2586 			0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2587 };
2588 
get_uuid_size(const u8 * uuid)2589 static u8 get_uuid_size(const u8 *uuid)
2590 {
2591 	u32 val;
2592 
2593 	if (memcmp(uuid, bluetooth_base_uuid, 12))
2594 		return 128;
2595 
2596 	val = get_unaligned_le32(&uuid[12]);
2597 	if (val > 0xffff)
2598 		return 32;
2599 
2600 	return 16;
2601 }
2602 
mgmt_class_complete(struct hci_dev * hdev,void * data,int err)2603 static void mgmt_class_complete(struct hci_dev *hdev, void *data, int err)
2604 {
2605 	struct mgmt_pending_cmd *cmd = data;
2606 
2607 	bt_dev_dbg(hdev, "err %d", err);
2608 
2609 	mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
2610 			  mgmt_status(err), hdev->dev_class, 3);
2611 
2612 	mgmt_pending_free(cmd);
2613 }
2614 
add_uuid_sync(struct hci_dev * hdev,void * data)2615 static int add_uuid_sync(struct hci_dev *hdev, void *data)
2616 {
2617 	int err;
2618 
2619 	err = hci_update_class_sync(hdev);
2620 	if (err)
2621 		return err;
2622 
2623 	return hci_update_eir_sync(hdev);
2624 }
2625 
add_uuid(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)2626 static int add_uuid(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
2627 {
2628 	struct mgmt_cp_add_uuid *cp = data;
2629 	struct mgmt_pending_cmd *cmd;
2630 	struct bt_uuid *uuid;
2631 	int err;
2632 
2633 	bt_dev_dbg(hdev, "sock %p", sk);
2634 
2635 	hci_dev_lock(hdev);
2636 
2637 	if (pending_eir_or_class(hdev)) {
2638 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_UUID,
2639 				      MGMT_STATUS_BUSY);
2640 		goto failed;
2641 	}
2642 
2643 	uuid = kmalloc(sizeof(*uuid), GFP_KERNEL);
2644 	if (!uuid) {
2645 		err = -ENOMEM;
2646 		goto failed;
2647 	}
2648 
2649 	memcpy(uuid->uuid, cp->uuid, 16);
2650 	uuid->svc_hint = cp->svc_hint;
2651 	uuid->size = get_uuid_size(cp->uuid);
2652 
2653 	list_add_tail(&uuid->list, &hdev->uuids);
2654 
2655 	cmd = mgmt_pending_new(sk, MGMT_OP_ADD_UUID, hdev, data, len);
2656 	if (!cmd) {
2657 		err = -ENOMEM;
2658 		goto failed;
2659 	}
2660 
2661 	err = hci_cmd_sync_queue(hdev, add_uuid_sync, cmd, mgmt_class_complete);
2662 	if (err < 0) {
2663 		mgmt_pending_free(cmd);
2664 		goto failed;
2665 	}
2666 
2667 failed:
2668 	hci_dev_unlock(hdev);
2669 	return err;
2670 }
2671 
enable_service_cache(struct hci_dev * hdev)2672 static bool enable_service_cache(struct hci_dev *hdev)
2673 {
2674 	if (!hdev_is_powered(hdev))
2675 		return false;
2676 
2677 	if (!hci_dev_test_and_set_flag(hdev, HCI_SERVICE_CACHE)) {
2678 		queue_delayed_work(hdev->workqueue, &hdev->service_cache,
2679 				   CACHE_TIMEOUT);
2680 		return true;
2681 	}
2682 
2683 	return false;
2684 }
2685 
remove_uuid_sync(struct hci_dev * hdev,void * data)2686 static int remove_uuid_sync(struct hci_dev *hdev, void *data)
2687 {
2688 	int err;
2689 
2690 	err = hci_update_class_sync(hdev);
2691 	if (err)
2692 		return err;
2693 
2694 	return hci_update_eir_sync(hdev);
2695 }
2696 
remove_uuid(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)2697 static int remove_uuid(struct sock *sk, struct hci_dev *hdev, void *data,
2698 		       u16 len)
2699 {
2700 	struct mgmt_cp_remove_uuid *cp = data;
2701 	struct mgmt_pending_cmd *cmd;
2702 	struct bt_uuid *match, *tmp;
2703 	static const u8 bt_uuid_any[] = {
2704 		0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
2705 	};
2706 	int err, found;
2707 
2708 	bt_dev_dbg(hdev, "sock %p", sk);
2709 
2710 	hci_dev_lock(hdev);
2711 
2712 	if (pending_eir_or_class(hdev)) {
2713 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_UUID,
2714 				      MGMT_STATUS_BUSY);
2715 		goto unlock;
2716 	}
2717 
2718 	if (memcmp(cp->uuid, bt_uuid_any, 16) == 0) {
2719 		hci_uuids_clear(hdev);
2720 
2721 		if (enable_service_cache(hdev)) {
2722 			err = mgmt_cmd_complete(sk, hdev->id,
2723 						MGMT_OP_REMOVE_UUID,
2724 						0, hdev->dev_class, 3);
2725 			goto unlock;
2726 		}
2727 
2728 		goto update_class;
2729 	}
2730 
2731 	found = 0;
2732 
2733 	list_for_each_entry_safe(match, tmp, &hdev->uuids, list) {
2734 		if (memcmp(match->uuid, cp->uuid, 16) != 0)
2735 			continue;
2736 
2737 		list_del(&match->list);
2738 		kfree(match);
2739 		found++;
2740 	}
2741 
2742 	if (found == 0) {
2743 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_UUID,
2744 				      MGMT_STATUS_INVALID_PARAMS);
2745 		goto unlock;
2746 	}
2747 
2748 update_class:
2749 	cmd = mgmt_pending_new(sk, MGMT_OP_REMOVE_UUID, hdev, data, len);
2750 	if (!cmd) {
2751 		err = -ENOMEM;
2752 		goto unlock;
2753 	}
2754 
2755 	err = hci_cmd_sync_queue(hdev, remove_uuid_sync, cmd,
2756 				 mgmt_class_complete);
2757 	if (err < 0)
2758 		mgmt_pending_free(cmd);
2759 
2760 unlock:
2761 	hci_dev_unlock(hdev);
2762 	return err;
2763 }
2764 
set_class_sync(struct hci_dev * hdev,void * data)2765 static int set_class_sync(struct hci_dev *hdev, void *data)
2766 {
2767 	int err = 0;
2768 
2769 	if (hci_dev_test_and_clear_flag(hdev, HCI_SERVICE_CACHE)) {
2770 		cancel_delayed_work_sync(&hdev->service_cache);
2771 		err = hci_update_eir_sync(hdev);
2772 	}
2773 
2774 	if (err)
2775 		return err;
2776 
2777 	return hci_update_class_sync(hdev);
2778 }
2779 
set_dev_class(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)2780 static int set_dev_class(struct sock *sk, struct hci_dev *hdev, void *data,
2781 			 u16 len)
2782 {
2783 	struct mgmt_cp_set_dev_class *cp = data;
2784 	struct mgmt_pending_cmd *cmd;
2785 	int err;
2786 
2787 	bt_dev_dbg(hdev, "sock %p", sk);
2788 
2789 	if (!lmp_bredr_capable(hdev))
2790 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEV_CLASS,
2791 				       MGMT_STATUS_NOT_SUPPORTED);
2792 
2793 	hci_dev_lock(hdev);
2794 
2795 	if (pending_eir_or_class(hdev)) {
2796 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEV_CLASS,
2797 				      MGMT_STATUS_BUSY);
2798 		goto unlock;
2799 	}
2800 
2801 	if ((cp->minor & 0x03) != 0 || (cp->major & 0xe0) != 0) {
2802 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEV_CLASS,
2803 				      MGMT_STATUS_INVALID_PARAMS);
2804 		goto unlock;
2805 	}
2806 
2807 	hdev->major_class = cp->major;
2808 	hdev->minor_class = cp->minor;
2809 
2810 	if (!hdev_is_powered(hdev)) {
2811 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_DEV_CLASS, 0,
2812 					hdev->dev_class, 3);
2813 		goto unlock;
2814 	}
2815 
2816 	cmd = mgmt_pending_new(sk, MGMT_OP_SET_DEV_CLASS, hdev, data, len);
2817 	if (!cmd) {
2818 		err = -ENOMEM;
2819 		goto unlock;
2820 	}
2821 
2822 	err = hci_cmd_sync_queue(hdev, set_class_sync, cmd,
2823 				 mgmt_class_complete);
2824 	if (err < 0)
2825 		mgmt_pending_free(cmd);
2826 
2827 unlock:
2828 	hci_dev_unlock(hdev);
2829 	return err;
2830 }
2831 
load_link_keys(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)2832 static int load_link_keys(struct sock *sk, struct hci_dev *hdev, void *data,
2833 			  u16 len)
2834 {
2835 	struct mgmt_cp_load_link_keys *cp = data;
2836 	const u16 max_key_count = ((U16_MAX - sizeof(*cp)) /
2837 				   sizeof(struct mgmt_link_key_info));
2838 	u16 key_count, expected_len;
2839 	bool changed;
2840 	int i;
2841 
2842 	bt_dev_dbg(hdev, "sock %p", sk);
2843 
2844 	if (!lmp_bredr_capable(hdev))
2845 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2846 				       MGMT_STATUS_NOT_SUPPORTED);
2847 
2848 	key_count = __le16_to_cpu(cp->key_count);
2849 	if (key_count > max_key_count) {
2850 		bt_dev_err(hdev, "load_link_keys: too big key_count value %u",
2851 			   key_count);
2852 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2853 				       MGMT_STATUS_INVALID_PARAMS);
2854 	}
2855 
2856 	expected_len = struct_size(cp, keys, key_count);
2857 	if (expected_len != len) {
2858 		bt_dev_err(hdev, "load_link_keys: expected %u bytes, got %u bytes",
2859 			   expected_len, len);
2860 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2861 				       MGMT_STATUS_INVALID_PARAMS);
2862 	}
2863 
2864 	if (cp->debug_keys != 0x00 && cp->debug_keys != 0x01)
2865 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2866 				       MGMT_STATUS_INVALID_PARAMS);
2867 
2868 	bt_dev_dbg(hdev, "debug_keys %u key_count %u", cp->debug_keys,
2869 		   key_count);
2870 
2871 	for (i = 0; i < key_count; i++) {
2872 		struct mgmt_link_key_info *key = &cp->keys[i];
2873 
2874 		if (key->addr.type != BDADDR_BREDR || key->type > 0x08)
2875 			return mgmt_cmd_status(sk, hdev->id,
2876 					       MGMT_OP_LOAD_LINK_KEYS,
2877 					       MGMT_STATUS_INVALID_PARAMS);
2878 	}
2879 
2880 	hci_dev_lock(hdev);
2881 
2882 	hci_link_keys_clear(hdev);
2883 
2884 	if (cp->debug_keys)
2885 		changed = !hci_dev_test_and_set_flag(hdev, HCI_KEEP_DEBUG_KEYS);
2886 	else
2887 		changed = hci_dev_test_and_clear_flag(hdev,
2888 						      HCI_KEEP_DEBUG_KEYS);
2889 
2890 	if (changed)
2891 		new_settings(hdev, NULL);
2892 
2893 	for (i = 0; i < key_count; i++) {
2894 		struct mgmt_link_key_info *key = &cp->keys[i];
2895 
2896 		if (hci_is_blocked_key(hdev,
2897 				       HCI_BLOCKED_KEY_TYPE_LINKKEY,
2898 				       key->val)) {
2899 			bt_dev_warn(hdev, "Skipping blocked link key for %pMR",
2900 				    &key->addr.bdaddr);
2901 			continue;
2902 		}
2903 
2904 		/* Always ignore debug keys and require a new pairing if
2905 		 * the user wants to use them.
2906 		 */
2907 		if (key->type == HCI_LK_DEBUG_COMBINATION)
2908 			continue;
2909 
2910 		hci_add_link_key(hdev, NULL, &key->addr.bdaddr, key->val,
2911 				 key->type, key->pin_len, NULL);
2912 	}
2913 
2914 	mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS, 0, NULL, 0);
2915 
2916 	hci_dev_unlock(hdev);
2917 
2918 	return 0;
2919 }
2920 
device_unpaired(struct hci_dev * hdev,bdaddr_t * bdaddr,u8 addr_type,struct sock * skip_sk)2921 static int device_unpaired(struct hci_dev *hdev, bdaddr_t *bdaddr,
2922 			   u8 addr_type, struct sock *skip_sk)
2923 {
2924 	struct mgmt_ev_device_unpaired ev;
2925 
2926 	bacpy(&ev.addr.bdaddr, bdaddr);
2927 	ev.addr.type = addr_type;
2928 
2929 	return mgmt_event(MGMT_EV_DEVICE_UNPAIRED, hdev, &ev, sizeof(ev),
2930 			  skip_sk);
2931 }
2932 
unpair_device_complete(struct hci_dev * hdev,void * data,int err)2933 static void unpair_device_complete(struct hci_dev *hdev, void *data, int err)
2934 {
2935 	struct mgmt_pending_cmd *cmd = data;
2936 	struct mgmt_cp_unpair_device *cp = cmd->param;
2937 
2938 	if (!err)
2939 		device_unpaired(hdev, &cp->addr.bdaddr, cp->addr.type, cmd->sk);
2940 
2941 	cmd->cmd_complete(cmd, err);
2942 	mgmt_pending_free(cmd);
2943 }
2944 
unpair_device_sync(struct hci_dev * hdev,void * data)2945 static int unpair_device_sync(struct hci_dev *hdev, void *data)
2946 {
2947 	struct mgmt_pending_cmd *cmd = data;
2948 	struct mgmt_cp_unpair_device *cp = cmd->param;
2949 	struct hci_conn *conn;
2950 
2951 	if (cp->addr.type == BDADDR_BREDR)
2952 		conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
2953 					       &cp->addr.bdaddr);
2954 	else
2955 		conn = hci_conn_hash_lookup_le(hdev, &cp->addr.bdaddr,
2956 					       le_addr_type(cp->addr.type));
2957 
2958 	if (!conn)
2959 		return 0;
2960 
2961 	return hci_abort_conn_sync(hdev, conn, HCI_ERROR_REMOTE_USER_TERM);
2962 }
2963 
unpair_device(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)2964 static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2965 			 u16 len)
2966 {
2967 	struct mgmt_cp_unpair_device *cp = data;
2968 	struct mgmt_rp_unpair_device rp;
2969 	struct hci_conn_params *params;
2970 	struct mgmt_pending_cmd *cmd;
2971 	struct hci_conn *conn;
2972 	u8 addr_type;
2973 	int err;
2974 
2975 	memset(&rp, 0, sizeof(rp));
2976 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
2977 	rp.addr.type = cp->addr.type;
2978 
2979 	if (!bdaddr_type_is_valid(cp->addr.type))
2980 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2981 					 MGMT_STATUS_INVALID_PARAMS,
2982 					 &rp, sizeof(rp));
2983 
2984 	if (cp->disconnect != 0x00 && cp->disconnect != 0x01)
2985 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2986 					 MGMT_STATUS_INVALID_PARAMS,
2987 					 &rp, sizeof(rp));
2988 
2989 	hci_dev_lock(hdev);
2990 
2991 	if (!hdev_is_powered(hdev)) {
2992 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2993 					MGMT_STATUS_NOT_POWERED, &rp,
2994 					sizeof(rp));
2995 		goto unlock;
2996 	}
2997 
2998 	if (cp->addr.type == BDADDR_BREDR) {
2999 		/* If disconnection is requested, then look up the
3000 		 * connection. If the remote device is connected, it
3001 		 * will be later used to terminate the link.
3002 		 *
3003 		 * Setting it to NULL explicitly will cause no
3004 		 * termination of the link.
3005 		 */
3006 		if (cp->disconnect)
3007 			conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
3008 						       &cp->addr.bdaddr);
3009 		else
3010 			conn = NULL;
3011 
3012 		err = hci_remove_link_key(hdev, &cp->addr.bdaddr);
3013 		if (err < 0) {
3014 			err = mgmt_cmd_complete(sk, hdev->id,
3015 						MGMT_OP_UNPAIR_DEVICE,
3016 						MGMT_STATUS_NOT_PAIRED, &rp,
3017 						sizeof(rp));
3018 			goto unlock;
3019 		}
3020 
3021 		goto done;
3022 	}
3023 
3024 	/* LE address type */
3025 	addr_type = le_addr_type(cp->addr.type);
3026 
3027 	/* Abort any ongoing SMP pairing. Removes ltk and irk if they exist. */
3028 	err = smp_cancel_and_remove_pairing(hdev, &cp->addr.bdaddr, addr_type);
3029 	if (err < 0) {
3030 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
3031 					MGMT_STATUS_NOT_PAIRED, &rp,
3032 					sizeof(rp));
3033 		goto unlock;
3034 	}
3035 
3036 	conn = hci_conn_hash_lookup_le(hdev, &cp->addr.bdaddr, addr_type);
3037 	if (!conn) {
3038 		hci_conn_params_del(hdev, &cp->addr.bdaddr, addr_type);
3039 		goto done;
3040 	}
3041 
3042 
3043 	/* Defer clearing up the connection parameters until closing to
3044 	 * give a chance of keeping them if a repairing happens.
3045 	 */
3046 	set_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags);
3047 
3048 	/* Disable auto-connection parameters if present */
3049 	params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr, addr_type);
3050 	if (params) {
3051 		if (params->explicit_connect)
3052 			params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
3053 		else
3054 			params->auto_connect = HCI_AUTO_CONN_DISABLED;
3055 	}
3056 
3057 	/* If disconnection is not requested, then clear the connection
3058 	 * variable so that the link is not terminated.
3059 	 */
3060 	if (!cp->disconnect)
3061 		conn = NULL;
3062 
3063 done:
3064 	/* If the connection variable is set, then termination of the
3065 	 * link is requested.
3066 	 */
3067 	if (!conn) {
3068 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE, 0,
3069 					&rp, sizeof(rp));
3070 		device_unpaired(hdev, &cp->addr.bdaddr, cp->addr.type, sk);
3071 		goto unlock;
3072 	}
3073 
3074 	cmd = mgmt_pending_new(sk, MGMT_OP_UNPAIR_DEVICE, hdev, cp,
3075 			       sizeof(*cp));
3076 	if (!cmd) {
3077 		err = -ENOMEM;
3078 		goto unlock;
3079 	}
3080 
3081 	cmd->cmd_complete = addr_cmd_complete;
3082 
3083 	err = hci_cmd_sync_queue(hdev, unpair_device_sync, cmd,
3084 				 unpair_device_complete);
3085 	if (err < 0)
3086 		mgmt_pending_free(cmd);
3087 
3088 unlock:
3089 	hci_dev_unlock(hdev);
3090 	return err;
3091 }
3092 
disconnect(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)3093 static int disconnect(struct sock *sk, struct hci_dev *hdev, void *data,
3094 		      u16 len)
3095 {
3096 	struct mgmt_cp_disconnect *cp = data;
3097 	struct mgmt_rp_disconnect rp;
3098 	struct mgmt_pending_cmd *cmd;
3099 	struct hci_conn *conn;
3100 	int err;
3101 
3102 	bt_dev_dbg(hdev, "sock %p", sk);
3103 
3104 	memset(&rp, 0, sizeof(rp));
3105 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
3106 	rp.addr.type = cp->addr.type;
3107 
3108 	if (!bdaddr_type_is_valid(cp->addr.type))
3109 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
3110 					 MGMT_STATUS_INVALID_PARAMS,
3111 					 &rp, sizeof(rp));
3112 
3113 	hci_dev_lock(hdev);
3114 
3115 	if (!test_bit(HCI_UP, &hdev->flags)) {
3116 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
3117 					MGMT_STATUS_NOT_POWERED, &rp,
3118 					sizeof(rp));
3119 		goto failed;
3120 	}
3121 
3122 	if (pending_find(MGMT_OP_DISCONNECT, hdev)) {
3123 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
3124 					MGMT_STATUS_BUSY, &rp, sizeof(rp));
3125 		goto failed;
3126 	}
3127 
3128 	if (cp->addr.type == BDADDR_BREDR)
3129 		conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
3130 					       &cp->addr.bdaddr);
3131 	else
3132 		conn = hci_conn_hash_lookup_le(hdev, &cp->addr.bdaddr,
3133 					       le_addr_type(cp->addr.type));
3134 
3135 	if (!conn || conn->state == BT_OPEN || conn->state == BT_CLOSED) {
3136 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
3137 					MGMT_STATUS_NOT_CONNECTED, &rp,
3138 					sizeof(rp));
3139 		goto failed;
3140 	}
3141 
3142 	cmd = mgmt_pending_add(sk, MGMT_OP_DISCONNECT, hdev, data, len);
3143 	if (!cmd) {
3144 		err = -ENOMEM;
3145 		goto failed;
3146 	}
3147 
3148 	cmd->cmd_complete = generic_cmd_complete;
3149 
3150 	err = hci_disconnect(conn, HCI_ERROR_REMOTE_USER_TERM);
3151 	if (err < 0)
3152 		mgmt_pending_remove(cmd);
3153 
3154 failed:
3155 	hci_dev_unlock(hdev);
3156 	return err;
3157 }
3158 
link_to_bdaddr(u8 link_type,u8 addr_type)3159 static u8 link_to_bdaddr(u8 link_type, u8 addr_type)
3160 {
3161 	switch (link_type) {
3162 	case LE_LINK:
3163 		switch (addr_type) {
3164 		case ADDR_LE_DEV_PUBLIC:
3165 			return BDADDR_LE_PUBLIC;
3166 
3167 		default:
3168 			/* Fallback to LE Random address type */
3169 			return BDADDR_LE_RANDOM;
3170 		}
3171 
3172 	default:
3173 		/* Fallback to BR/EDR type */
3174 		return BDADDR_BREDR;
3175 	}
3176 }
3177 
get_connections(struct sock * sk,struct hci_dev * hdev,void * data,u16 data_len)3178 static int get_connections(struct sock *sk, struct hci_dev *hdev, void *data,
3179 			   u16 data_len)
3180 {
3181 	struct mgmt_rp_get_connections *rp;
3182 	struct hci_conn *c;
3183 	int err;
3184 	u16 i;
3185 
3186 	bt_dev_dbg(hdev, "sock %p", sk);
3187 
3188 	hci_dev_lock(hdev);
3189 
3190 	if (!hdev_is_powered(hdev)) {
3191 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_GET_CONNECTIONS,
3192 				      MGMT_STATUS_NOT_POWERED);
3193 		goto unlock;
3194 	}
3195 
3196 	i = 0;
3197 	list_for_each_entry(c, &hdev->conn_hash.list, list) {
3198 		if (test_bit(HCI_CONN_MGMT_CONNECTED, &c->flags))
3199 			i++;
3200 	}
3201 
3202 	rp = kmalloc(struct_size(rp, addr, i), GFP_KERNEL);
3203 	if (!rp) {
3204 		err = -ENOMEM;
3205 		goto unlock;
3206 	}
3207 
3208 	i = 0;
3209 	list_for_each_entry(c, &hdev->conn_hash.list, list) {
3210 		if (!test_bit(HCI_CONN_MGMT_CONNECTED, &c->flags))
3211 			continue;
3212 		bacpy(&rp->addr[i].bdaddr, &c->dst);
3213 		rp->addr[i].type = link_to_bdaddr(c->type, c->dst_type);
3214 		if (c->type == SCO_LINK || c->type == ESCO_LINK)
3215 			continue;
3216 		i++;
3217 	}
3218 
3219 	rp->conn_count = cpu_to_le16(i);
3220 
3221 	/* Recalculate length in case of filtered SCO connections, etc */
3222 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONNECTIONS, 0, rp,
3223 				struct_size(rp, addr, i));
3224 
3225 	kfree(rp);
3226 
3227 unlock:
3228 	hci_dev_unlock(hdev);
3229 	return err;
3230 }
3231 
send_pin_code_neg_reply(struct sock * sk,struct hci_dev * hdev,struct mgmt_cp_pin_code_neg_reply * cp)3232 static int send_pin_code_neg_reply(struct sock *sk, struct hci_dev *hdev,
3233 				   struct mgmt_cp_pin_code_neg_reply *cp)
3234 {
3235 	struct mgmt_pending_cmd *cmd;
3236 	int err;
3237 
3238 	cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_NEG_REPLY, hdev, cp,
3239 			       sizeof(*cp));
3240 	if (!cmd)
3241 		return -ENOMEM;
3242 
3243 	cmd->cmd_complete = addr_cmd_complete;
3244 
3245 	err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
3246 			   sizeof(cp->addr.bdaddr), &cp->addr.bdaddr);
3247 	if (err < 0)
3248 		mgmt_pending_remove(cmd);
3249 
3250 	return err;
3251 }
3252 
pin_code_reply(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)3253 static int pin_code_reply(struct sock *sk, struct hci_dev *hdev, void *data,
3254 			  u16 len)
3255 {
3256 	struct hci_conn *conn;
3257 	struct mgmt_cp_pin_code_reply *cp = data;
3258 	struct hci_cp_pin_code_reply reply;
3259 	struct mgmt_pending_cmd *cmd;
3260 	int err;
3261 
3262 	bt_dev_dbg(hdev, "sock %p", sk);
3263 
3264 	hci_dev_lock(hdev);
3265 
3266 	if (!hdev_is_powered(hdev)) {
3267 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
3268 				      MGMT_STATUS_NOT_POWERED);
3269 		goto failed;
3270 	}
3271 
3272 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->addr.bdaddr);
3273 	if (!conn) {
3274 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
3275 				      MGMT_STATUS_NOT_CONNECTED);
3276 		goto failed;
3277 	}
3278 
3279 	if (conn->pending_sec_level == BT_SECURITY_HIGH && cp->pin_len != 16) {
3280 		struct mgmt_cp_pin_code_neg_reply ncp;
3281 
3282 		memcpy(&ncp.addr, &cp->addr, sizeof(ncp.addr));
3283 
3284 		bt_dev_err(hdev, "PIN code is not 16 bytes long");
3285 
3286 		err = send_pin_code_neg_reply(sk, hdev, &ncp);
3287 		if (err >= 0)
3288 			err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
3289 					      MGMT_STATUS_INVALID_PARAMS);
3290 
3291 		goto failed;
3292 	}
3293 
3294 	cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_REPLY, hdev, data, len);
3295 	if (!cmd) {
3296 		err = -ENOMEM;
3297 		goto failed;
3298 	}
3299 
3300 	cmd->cmd_complete = addr_cmd_complete;
3301 
3302 	bacpy(&reply.bdaddr, &cp->addr.bdaddr);
3303 	reply.pin_len = cp->pin_len;
3304 	memcpy(reply.pin_code, cp->pin_code, sizeof(reply.pin_code));
3305 
3306 	err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_REPLY, sizeof(reply), &reply);
3307 	if (err < 0)
3308 		mgmt_pending_remove(cmd);
3309 
3310 failed:
3311 	hci_dev_unlock(hdev);
3312 	return err;
3313 }
3314 
set_io_capability(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)3315 static int set_io_capability(struct sock *sk, struct hci_dev *hdev, void *data,
3316 			     u16 len)
3317 {
3318 	struct mgmt_cp_set_io_capability *cp = data;
3319 
3320 	bt_dev_dbg(hdev, "sock %p", sk);
3321 
3322 	if (cp->io_capability > SMP_IO_KEYBOARD_DISPLAY)
3323 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_IO_CAPABILITY,
3324 				       MGMT_STATUS_INVALID_PARAMS);
3325 
3326 	hci_dev_lock(hdev);
3327 
3328 	hdev->io_capability = cp->io_capability;
3329 
3330 	bt_dev_dbg(hdev, "IO capability set to 0x%02x", hdev->io_capability);
3331 
3332 	hci_dev_unlock(hdev);
3333 
3334 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_IO_CAPABILITY, 0,
3335 				 NULL, 0);
3336 }
3337 
find_pairing(struct hci_conn * conn)3338 static struct mgmt_pending_cmd *find_pairing(struct hci_conn *conn)
3339 {
3340 	struct hci_dev *hdev = conn->hdev;
3341 	struct mgmt_pending_cmd *cmd;
3342 
3343 	list_for_each_entry(cmd, &hdev->mgmt_pending, list) {
3344 		if (cmd->opcode != MGMT_OP_PAIR_DEVICE)
3345 			continue;
3346 
3347 		if (cmd->user_data != conn)
3348 			continue;
3349 
3350 		return cmd;
3351 	}
3352 
3353 	return NULL;
3354 }
3355 
pairing_complete(struct mgmt_pending_cmd * cmd,u8 status)3356 static int pairing_complete(struct mgmt_pending_cmd *cmd, u8 status)
3357 {
3358 	struct mgmt_rp_pair_device rp;
3359 	struct hci_conn *conn = cmd->user_data;
3360 	int err;
3361 
3362 	bacpy(&rp.addr.bdaddr, &conn->dst);
3363 	rp.addr.type = link_to_bdaddr(conn->type, conn->dst_type);
3364 
3365 	err = mgmt_cmd_complete(cmd->sk, cmd->index, MGMT_OP_PAIR_DEVICE,
3366 				status, &rp, sizeof(rp));
3367 
3368 	/* So we don't get further callbacks for this connection */
3369 	conn->connect_cfm_cb = NULL;
3370 	conn->security_cfm_cb = NULL;
3371 	conn->disconn_cfm_cb = NULL;
3372 
3373 	hci_conn_drop(conn);
3374 
3375 	/* The device is paired so there is no need to remove
3376 	 * its connection parameters anymore.
3377 	 */
3378 	clear_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags);
3379 
3380 	hci_conn_put(conn);
3381 
3382 	return err;
3383 }
3384 
mgmt_smp_complete(struct hci_conn * conn,bool complete)3385 void mgmt_smp_complete(struct hci_conn *conn, bool complete)
3386 {
3387 	u8 status = complete ? MGMT_STATUS_SUCCESS : MGMT_STATUS_FAILED;
3388 	struct mgmt_pending_cmd *cmd;
3389 
3390 	cmd = find_pairing(conn);
3391 	if (cmd) {
3392 		cmd->cmd_complete(cmd, status);
3393 		mgmt_pending_remove(cmd);
3394 	}
3395 }
3396 
pairing_complete_cb(struct hci_conn * conn,u8 status)3397 static void pairing_complete_cb(struct hci_conn *conn, u8 status)
3398 {
3399 	struct mgmt_pending_cmd *cmd;
3400 
3401 	BT_DBG("status %u", status);
3402 
3403 	cmd = find_pairing(conn);
3404 	if (!cmd) {
3405 		BT_DBG("Unable to find a pending command");
3406 		return;
3407 	}
3408 
3409 	cmd->cmd_complete(cmd, mgmt_status(status));
3410 	mgmt_pending_remove(cmd);
3411 }
3412 
le_pairing_complete_cb(struct hci_conn * conn,u8 status)3413 static void le_pairing_complete_cb(struct hci_conn *conn, u8 status)
3414 {
3415 	struct mgmt_pending_cmd *cmd;
3416 
3417 	BT_DBG("status %u", status);
3418 
3419 	if (!status)
3420 		return;
3421 
3422 	cmd = find_pairing(conn);
3423 	if (!cmd) {
3424 		BT_DBG("Unable to find a pending command");
3425 		return;
3426 	}
3427 
3428 	cmd->cmd_complete(cmd, mgmt_status(status));
3429 	mgmt_pending_remove(cmd);
3430 }
3431 
pair_device(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)3432 static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
3433 		       u16 len)
3434 {
3435 	struct mgmt_cp_pair_device *cp = data;
3436 	struct mgmt_rp_pair_device rp;
3437 	struct mgmt_pending_cmd *cmd;
3438 	u8 sec_level, auth_type;
3439 	struct hci_conn *conn;
3440 	int err;
3441 
3442 	bt_dev_dbg(hdev, "sock %p", sk);
3443 
3444 	memset(&rp, 0, sizeof(rp));
3445 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
3446 	rp.addr.type = cp->addr.type;
3447 
3448 	if (!bdaddr_type_is_valid(cp->addr.type))
3449 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
3450 					 MGMT_STATUS_INVALID_PARAMS,
3451 					 &rp, sizeof(rp));
3452 
3453 	if (cp->io_cap > SMP_IO_KEYBOARD_DISPLAY)
3454 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
3455 					 MGMT_STATUS_INVALID_PARAMS,
3456 					 &rp, sizeof(rp));
3457 
3458 	hci_dev_lock(hdev);
3459 
3460 	if (!hdev_is_powered(hdev)) {
3461 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
3462 					MGMT_STATUS_NOT_POWERED, &rp,
3463 					sizeof(rp));
3464 		goto unlock;
3465 	}
3466 
3467 	if (hci_bdaddr_is_paired(hdev, &cp->addr.bdaddr, cp->addr.type)) {
3468 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
3469 					MGMT_STATUS_ALREADY_PAIRED, &rp,
3470 					sizeof(rp));
3471 		goto unlock;
3472 	}
3473 
3474 	sec_level = BT_SECURITY_MEDIUM;
3475 	auth_type = HCI_AT_DEDICATED_BONDING;
3476 
3477 	if (cp->addr.type == BDADDR_BREDR) {
3478 		conn = hci_connect_acl(hdev, &cp->addr.bdaddr, sec_level,
3479 				       auth_type, CONN_REASON_PAIR_DEVICE);
3480 	} else {
3481 		u8 addr_type = le_addr_type(cp->addr.type);
3482 		struct hci_conn_params *p;
3483 
3484 		/* When pairing a new device, it is expected to remember
3485 		 * this device for future connections. Adding the connection
3486 		 * parameter information ahead of time allows tracking
3487 		 * of the peripheral preferred values and will speed up any
3488 		 * further connection establishment.
3489 		 *
3490 		 * If connection parameters already exist, then they
3491 		 * will be kept and this function does nothing.
3492 		 */
3493 		p = hci_conn_params_add(hdev, &cp->addr.bdaddr, addr_type);
3494 
3495 		if (p->auto_connect == HCI_AUTO_CONN_EXPLICIT)
3496 			p->auto_connect = HCI_AUTO_CONN_DISABLED;
3497 
3498 		conn = hci_connect_le_scan(hdev, &cp->addr.bdaddr, addr_type,
3499 					   sec_level, HCI_LE_CONN_TIMEOUT,
3500 					   CONN_REASON_PAIR_DEVICE);
3501 	}
3502 
3503 	if (IS_ERR(conn)) {
3504 		int status;
3505 
3506 		if (PTR_ERR(conn) == -EBUSY)
3507 			status = MGMT_STATUS_BUSY;
3508 		else if (PTR_ERR(conn) == -EOPNOTSUPP)
3509 			status = MGMT_STATUS_NOT_SUPPORTED;
3510 		else if (PTR_ERR(conn) == -ECONNREFUSED)
3511 			status = MGMT_STATUS_REJECTED;
3512 		else
3513 			status = MGMT_STATUS_CONNECT_FAILED;
3514 
3515 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
3516 					status, &rp, sizeof(rp));
3517 		goto unlock;
3518 	}
3519 
3520 	if (conn->connect_cfm_cb) {
3521 		hci_conn_drop(conn);
3522 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
3523 					MGMT_STATUS_BUSY, &rp, sizeof(rp));
3524 		goto unlock;
3525 	}
3526 
3527 	cmd = mgmt_pending_add(sk, MGMT_OP_PAIR_DEVICE, hdev, data, len);
3528 	if (!cmd) {
3529 		err = -ENOMEM;
3530 		hci_conn_drop(conn);
3531 		goto unlock;
3532 	}
3533 
3534 	cmd->cmd_complete = pairing_complete;
3535 
3536 	/* For LE, just connecting isn't a proof that the pairing finished */
3537 	if (cp->addr.type == BDADDR_BREDR) {
3538 		conn->connect_cfm_cb = pairing_complete_cb;
3539 		conn->security_cfm_cb = pairing_complete_cb;
3540 		conn->disconn_cfm_cb = pairing_complete_cb;
3541 	} else {
3542 		conn->connect_cfm_cb = le_pairing_complete_cb;
3543 		conn->security_cfm_cb = le_pairing_complete_cb;
3544 		conn->disconn_cfm_cb = le_pairing_complete_cb;
3545 	}
3546 
3547 	conn->io_capability = cp->io_cap;
3548 	cmd->user_data = hci_conn_get(conn);
3549 
3550 	if ((conn->state == BT_CONNECTED || conn->state == BT_CONFIG) &&
3551 	    hci_conn_security(conn, sec_level, auth_type, true)) {
3552 		cmd->cmd_complete(cmd, 0);
3553 		mgmt_pending_remove(cmd);
3554 	}
3555 
3556 	err = 0;
3557 
3558 unlock:
3559 	hci_dev_unlock(hdev);
3560 	return err;
3561 }
3562 
abort_conn_sync(struct hci_dev * hdev,void * data)3563 static int abort_conn_sync(struct hci_dev *hdev, void *data)
3564 {
3565 	struct hci_conn *conn;
3566 	u16 handle = PTR_ERR(data);
3567 
3568 	conn = hci_conn_hash_lookup_handle(hdev, handle);
3569 	if (!conn)
3570 		return 0;
3571 
3572 	return hci_abort_conn_sync(hdev, conn, HCI_ERROR_REMOTE_USER_TERM);
3573 }
3574 
cancel_pair_device(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)3575 static int cancel_pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
3576 			      u16 len)
3577 {
3578 	struct mgmt_addr_info *addr = data;
3579 	struct mgmt_pending_cmd *cmd;
3580 	struct hci_conn *conn;
3581 	int err;
3582 
3583 	bt_dev_dbg(hdev, "sock %p", sk);
3584 
3585 	hci_dev_lock(hdev);
3586 
3587 	if (!hdev_is_powered(hdev)) {
3588 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
3589 				      MGMT_STATUS_NOT_POWERED);
3590 		goto unlock;
3591 	}
3592 
3593 	cmd = pending_find(MGMT_OP_PAIR_DEVICE, hdev);
3594 	if (!cmd) {
3595 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
3596 				      MGMT_STATUS_INVALID_PARAMS);
3597 		goto unlock;
3598 	}
3599 
3600 	conn = cmd->user_data;
3601 
3602 	if (bacmp(&addr->bdaddr, &conn->dst) != 0) {
3603 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
3604 				      MGMT_STATUS_INVALID_PARAMS);
3605 		goto unlock;
3606 	}
3607 
3608 	cmd->cmd_complete(cmd, MGMT_STATUS_CANCELLED);
3609 	mgmt_pending_remove(cmd);
3610 
3611 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE, 0,
3612 				addr, sizeof(*addr));
3613 
3614 	/* Since user doesn't want to proceed with the connection, abort any
3615 	 * ongoing pairing and then terminate the link if it was created
3616 	 * because of the pair device action.
3617 	 */
3618 	if (addr->type == BDADDR_BREDR)
3619 		hci_remove_link_key(hdev, &addr->bdaddr);
3620 	else
3621 		smp_cancel_and_remove_pairing(hdev, &addr->bdaddr,
3622 					      le_addr_type(addr->type));
3623 
3624 	if (conn->conn_reason == CONN_REASON_PAIR_DEVICE)
3625 		hci_cmd_sync_queue(hdev, abort_conn_sync, ERR_PTR(conn->handle),
3626 				   NULL);
3627 
3628 unlock:
3629 	hci_dev_unlock(hdev);
3630 	return err;
3631 }
3632 
user_pairing_resp(struct sock * sk,struct hci_dev * hdev,struct mgmt_addr_info * addr,u16 mgmt_op,u16 hci_op,__le32 passkey)3633 static int user_pairing_resp(struct sock *sk, struct hci_dev *hdev,
3634 			     struct mgmt_addr_info *addr, u16 mgmt_op,
3635 			     u16 hci_op, __le32 passkey)
3636 {
3637 	struct mgmt_pending_cmd *cmd;
3638 	struct hci_conn *conn;
3639 	int err;
3640 
3641 	hci_dev_lock(hdev);
3642 
3643 	if (!hdev_is_powered(hdev)) {
3644 		err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
3645 					MGMT_STATUS_NOT_POWERED, addr,
3646 					sizeof(*addr));
3647 		goto done;
3648 	}
3649 
3650 	if (addr->type == BDADDR_BREDR)
3651 		conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &addr->bdaddr);
3652 	else
3653 		conn = hci_conn_hash_lookup_le(hdev, &addr->bdaddr,
3654 					       le_addr_type(addr->type));
3655 
3656 	if (!conn) {
3657 		err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
3658 					MGMT_STATUS_NOT_CONNECTED, addr,
3659 					sizeof(*addr));
3660 		goto done;
3661 	}
3662 
3663 	if (addr->type == BDADDR_LE_PUBLIC || addr->type == BDADDR_LE_RANDOM) {
3664 		err = smp_user_confirm_reply(conn, mgmt_op, passkey);
3665 		if (!err)
3666 			err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
3667 						MGMT_STATUS_SUCCESS, addr,
3668 						sizeof(*addr));
3669 		else
3670 			err = mgmt_cmd_complete(sk, hdev->id, mgmt_op,
3671 						MGMT_STATUS_FAILED, addr,
3672 						sizeof(*addr));
3673 
3674 		goto done;
3675 	}
3676 
3677 	cmd = mgmt_pending_add(sk, mgmt_op, hdev, addr, sizeof(*addr));
3678 	if (!cmd) {
3679 		err = -ENOMEM;
3680 		goto done;
3681 	}
3682 
3683 	cmd->cmd_complete = addr_cmd_complete;
3684 
3685 	/* Continue with pairing via HCI */
3686 	if (hci_op == HCI_OP_USER_PASSKEY_REPLY) {
3687 		struct hci_cp_user_passkey_reply cp;
3688 
3689 		bacpy(&cp.bdaddr, &addr->bdaddr);
3690 		cp.passkey = passkey;
3691 		err = hci_send_cmd(hdev, hci_op, sizeof(cp), &cp);
3692 	} else
3693 		err = hci_send_cmd(hdev, hci_op, sizeof(addr->bdaddr),
3694 				   &addr->bdaddr);
3695 
3696 	if (err < 0)
3697 		mgmt_pending_remove(cmd);
3698 
3699 done:
3700 	hci_dev_unlock(hdev);
3701 	return err;
3702 }
3703 
pin_code_neg_reply(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)3704 static int pin_code_neg_reply(struct sock *sk, struct hci_dev *hdev,
3705 			      void *data, u16 len)
3706 {
3707 	struct mgmt_cp_pin_code_neg_reply *cp = data;
3708 
3709 	bt_dev_dbg(hdev, "sock %p", sk);
3710 
3711 	return user_pairing_resp(sk, hdev, &cp->addr,
3712 				MGMT_OP_PIN_CODE_NEG_REPLY,
3713 				HCI_OP_PIN_CODE_NEG_REPLY, 0);
3714 }
3715 
user_confirm_reply(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)3716 static int user_confirm_reply(struct sock *sk, struct hci_dev *hdev, void *data,
3717 			      u16 len)
3718 {
3719 	struct mgmt_cp_user_confirm_reply *cp = data;
3720 
3721 	bt_dev_dbg(hdev, "sock %p", sk);
3722 
3723 	if (len != sizeof(*cp))
3724 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_USER_CONFIRM_REPLY,
3725 				       MGMT_STATUS_INVALID_PARAMS);
3726 
3727 	return user_pairing_resp(sk, hdev, &cp->addr,
3728 				 MGMT_OP_USER_CONFIRM_REPLY,
3729 				 HCI_OP_USER_CONFIRM_REPLY, 0);
3730 }
3731 
user_confirm_neg_reply(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)3732 static int user_confirm_neg_reply(struct sock *sk, struct hci_dev *hdev,
3733 				  void *data, u16 len)
3734 {
3735 	struct mgmt_cp_user_confirm_neg_reply *cp = data;
3736 
3737 	bt_dev_dbg(hdev, "sock %p", sk);
3738 
3739 	return user_pairing_resp(sk, hdev, &cp->addr,
3740 				 MGMT_OP_USER_CONFIRM_NEG_REPLY,
3741 				 HCI_OP_USER_CONFIRM_NEG_REPLY, 0);
3742 }
3743 
user_passkey_reply(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)3744 static int user_passkey_reply(struct sock *sk, struct hci_dev *hdev, void *data,
3745 			      u16 len)
3746 {
3747 	struct mgmt_cp_user_passkey_reply *cp = data;
3748 
3749 	bt_dev_dbg(hdev, "sock %p", sk);
3750 
3751 	return user_pairing_resp(sk, hdev, &cp->addr,
3752 				 MGMT_OP_USER_PASSKEY_REPLY,
3753 				 HCI_OP_USER_PASSKEY_REPLY, cp->passkey);
3754 }
3755 
user_passkey_neg_reply(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)3756 static int user_passkey_neg_reply(struct sock *sk, struct hci_dev *hdev,
3757 				  void *data, u16 len)
3758 {
3759 	struct mgmt_cp_user_passkey_neg_reply *cp = data;
3760 
3761 	bt_dev_dbg(hdev, "sock %p", sk);
3762 
3763 	return user_pairing_resp(sk, hdev, &cp->addr,
3764 				 MGMT_OP_USER_PASSKEY_NEG_REPLY,
3765 				 HCI_OP_USER_PASSKEY_NEG_REPLY, 0);
3766 }
3767 
adv_expire_sync(struct hci_dev * hdev,u32 flags)3768 static int adv_expire_sync(struct hci_dev *hdev, u32 flags)
3769 {
3770 	struct adv_info *adv_instance;
3771 
3772 	adv_instance = hci_find_adv_instance(hdev, hdev->cur_adv_instance);
3773 	if (!adv_instance)
3774 		return 0;
3775 
3776 	/* stop if current instance doesn't need to be changed */
3777 	if (!(adv_instance->flags & flags))
3778 		return 0;
3779 
3780 	cancel_adv_timeout(hdev);
3781 
3782 	adv_instance = hci_get_next_instance(hdev, adv_instance->instance);
3783 	if (!adv_instance)
3784 		return 0;
3785 
3786 	hci_schedule_adv_instance_sync(hdev, adv_instance->instance, true);
3787 
3788 	return 0;
3789 }
3790 
name_changed_sync(struct hci_dev * hdev,void * data)3791 static int name_changed_sync(struct hci_dev *hdev, void *data)
3792 {
3793 	return adv_expire_sync(hdev, MGMT_ADV_FLAG_LOCAL_NAME);
3794 }
3795 
set_name_complete(struct hci_dev * hdev,void * data,int err)3796 static void set_name_complete(struct hci_dev *hdev, void *data, int err)
3797 {
3798 	struct mgmt_pending_cmd *cmd = data;
3799 	struct mgmt_cp_set_local_name *cp = cmd->param;
3800 	u8 status = mgmt_status(err);
3801 
3802 	bt_dev_dbg(hdev, "err %d", err);
3803 
3804 	if (cmd != pending_find(MGMT_OP_SET_LOCAL_NAME, hdev))
3805 		return;
3806 
3807 	if (status) {
3808 		mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_LOCAL_NAME,
3809 				status);
3810 	} else {
3811 		mgmt_cmd_complete(cmd->sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, 0,
3812 				  cp, sizeof(*cp));
3813 
3814 		if (hci_dev_test_flag(hdev, HCI_LE_ADV))
3815 			hci_cmd_sync_queue(hdev, name_changed_sync, NULL, NULL);
3816 	}
3817 
3818 	mgmt_pending_remove(cmd);
3819 }
3820 
set_name_sync(struct hci_dev * hdev,void * data)3821 static int set_name_sync(struct hci_dev *hdev, void *data)
3822 {
3823 	if (lmp_bredr_capable(hdev)) {
3824 		hci_update_name_sync(hdev);
3825 		hci_update_eir_sync(hdev);
3826 	}
3827 
3828 	/* The name is stored in the scan response data and so
3829 	 * no need to update the advertising data here.
3830 	 */
3831 	if (lmp_le_capable(hdev) && hci_dev_test_flag(hdev, HCI_ADVERTISING))
3832 		hci_update_scan_rsp_data_sync(hdev, hdev->cur_adv_instance);
3833 
3834 	return 0;
3835 }
3836 
set_local_name(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)3837 static int set_local_name(struct sock *sk, struct hci_dev *hdev, void *data,
3838 			  u16 len)
3839 {
3840 	struct mgmt_cp_set_local_name *cp = data;
3841 	struct mgmt_pending_cmd *cmd;
3842 	int err;
3843 
3844 	bt_dev_dbg(hdev, "sock %p", sk);
3845 
3846 	hci_dev_lock(hdev);
3847 
3848 	/* If the old values are the same as the new ones just return a
3849 	 * direct command complete event.
3850 	 */
3851 	if (!memcmp(hdev->dev_name, cp->name, sizeof(hdev->dev_name)) &&
3852 	    !memcmp(hdev->short_name, cp->short_name,
3853 		    sizeof(hdev->short_name))) {
3854 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, 0,
3855 					data, len);
3856 		goto failed;
3857 	}
3858 
3859 	memcpy(hdev->short_name, cp->short_name, sizeof(hdev->short_name));
3860 
3861 	if (!hdev_is_powered(hdev)) {
3862 		memcpy(hdev->dev_name, cp->name, sizeof(hdev->dev_name));
3863 
3864 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, 0,
3865 					data, len);
3866 		if (err < 0)
3867 			goto failed;
3868 
3869 		err = mgmt_limited_event(MGMT_EV_LOCAL_NAME_CHANGED, hdev, data,
3870 					 len, HCI_MGMT_LOCAL_NAME_EVENTS, sk);
3871 		ext_info_changed(hdev, sk);
3872 
3873 		goto failed;
3874 	}
3875 
3876 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_LOCAL_NAME, hdev, data, len);
3877 	if (!cmd)
3878 		err = -ENOMEM;
3879 	else
3880 		err = hci_cmd_sync_queue(hdev, set_name_sync, cmd,
3881 					 set_name_complete);
3882 
3883 	if (err < 0) {
3884 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_LOCAL_NAME,
3885 				      MGMT_STATUS_FAILED);
3886 
3887 		if (cmd)
3888 			mgmt_pending_remove(cmd);
3889 
3890 		goto failed;
3891 	}
3892 
3893 	memcpy(hdev->dev_name, cp->name, sizeof(hdev->dev_name));
3894 
3895 failed:
3896 	hci_dev_unlock(hdev);
3897 	return err;
3898 }
3899 
appearance_changed_sync(struct hci_dev * hdev,void * data)3900 static int appearance_changed_sync(struct hci_dev *hdev, void *data)
3901 {
3902 	return adv_expire_sync(hdev, MGMT_ADV_FLAG_APPEARANCE);
3903 }
3904 
set_appearance(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)3905 static int set_appearance(struct sock *sk, struct hci_dev *hdev, void *data,
3906 			  u16 len)
3907 {
3908 	struct mgmt_cp_set_appearance *cp = data;
3909 	u16 appearance;
3910 	int err;
3911 
3912 	bt_dev_dbg(hdev, "sock %p", sk);
3913 
3914 	if (!lmp_le_capable(hdev))
3915 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_APPEARANCE,
3916 				       MGMT_STATUS_NOT_SUPPORTED);
3917 
3918 	appearance = le16_to_cpu(cp->appearance);
3919 
3920 	hci_dev_lock(hdev);
3921 
3922 	if (hdev->appearance != appearance) {
3923 		hdev->appearance = appearance;
3924 
3925 		if (hci_dev_test_flag(hdev, HCI_LE_ADV))
3926 			hci_cmd_sync_queue(hdev, appearance_changed_sync, NULL,
3927 					   NULL);
3928 
3929 		ext_info_changed(hdev, sk);
3930 	}
3931 
3932 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_APPEARANCE, 0, NULL,
3933 				0);
3934 
3935 	hci_dev_unlock(hdev);
3936 
3937 	return err;
3938 }
3939 
get_phy_configuration(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)3940 static int get_phy_configuration(struct sock *sk, struct hci_dev *hdev,
3941 				 void *data, u16 len)
3942 {
3943 	struct mgmt_rp_get_phy_configuration rp;
3944 
3945 	bt_dev_dbg(hdev, "sock %p", sk);
3946 
3947 	hci_dev_lock(hdev);
3948 
3949 	memset(&rp, 0, sizeof(rp));
3950 
3951 	rp.supported_phys = cpu_to_le32(get_supported_phys(hdev));
3952 	rp.selected_phys = cpu_to_le32(get_selected_phys(hdev));
3953 	rp.configurable_phys = cpu_to_le32(get_configurable_phys(hdev));
3954 
3955 	hci_dev_unlock(hdev);
3956 
3957 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_PHY_CONFIGURATION, 0,
3958 				 &rp, sizeof(rp));
3959 }
3960 
mgmt_phy_configuration_changed(struct hci_dev * hdev,struct sock * skip)3961 int mgmt_phy_configuration_changed(struct hci_dev *hdev, struct sock *skip)
3962 {
3963 	struct mgmt_ev_phy_configuration_changed ev;
3964 
3965 	memset(&ev, 0, sizeof(ev));
3966 
3967 	ev.selected_phys = cpu_to_le32(get_selected_phys(hdev));
3968 
3969 	return mgmt_event(MGMT_EV_PHY_CONFIGURATION_CHANGED, hdev, &ev,
3970 			  sizeof(ev), skip);
3971 }
3972 
set_default_phy_complete(struct hci_dev * hdev,void * data,int err)3973 static void set_default_phy_complete(struct hci_dev *hdev, void *data, int err)
3974 {
3975 	struct mgmt_pending_cmd *cmd = data;
3976 	struct sk_buff *skb = cmd->skb;
3977 	u8 status = mgmt_status(err);
3978 
3979 	if (cmd != pending_find(MGMT_OP_SET_PHY_CONFIGURATION, hdev))
3980 		return;
3981 
3982 	if (!status) {
3983 		if (!skb)
3984 			status = MGMT_STATUS_FAILED;
3985 		else if (IS_ERR(skb))
3986 			status = mgmt_status(PTR_ERR(skb));
3987 		else
3988 			status = mgmt_status(skb->data[0]);
3989 	}
3990 
3991 	bt_dev_dbg(hdev, "status %d", status);
3992 
3993 	if (status) {
3994 		mgmt_cmd_status(cmd->sk, hdev->id,
3995 				MGMT_OP_SET_PHY_CONFIGURATION, status);
3996 	} else {
3997 		mgmt_cmd_complete(cmd->sk, hdev->id,
3998 				  MGMT_OP_SET_PHY_CONFIGURATION, 0,
3999 				  NULL, 0);
4000 
4001 		mgmt_phy_configuration_changed(hdev, cmd->sk);
4002 	}
4003 
4004 	if (skb && !IS_ERR(skb))
4005 		kfree_skb(skb);
4006 
4007 	mgmt_pending_remove(cmd);
4008 }
4009 
set_default_phy_sync(struct hci_dev * hdev,void * data)4010 static int set_default_phy_sync(struct hci_dev *hdev, void *data)
4011 {
4012 	struct mgmt_pending_cmd *cmd = data;
4013 	struct mgmt_cp_set_phy_configuration *cp = cmd->param;
4014 	struct hci_cp_le_set_default_phy cp_phy;
4015 	u32 selected_phys = __le32_to_cpu(cp->selected_phys);
4016 
4017 	memset(&cp_phy, 0, sizeof(cp_phy));
4018 
4019 	if (!(selected_phys & MGMT_PHY_LE_TX_MASK))
4020 		cp_phy.all_phys |= 0x01;
4021 
4022 	if (!(selected_phys & MGMT_PHY_LE_RX_MASK))
4023 		cp_phy.all_phys |= 0x02;
4024 
4025 	if (selected_phys & MGMT_PHY_LE_1M_TX)
4026 		cp_phy.tx_phys |= HCI_LE_SET_PHY_1M;
4027 
4028 	if (selected_phys & MGMT_PHY_LE_2M_TX)
4029 		cp_phy.tx_phys |= HCI_LE_SET_PHY_2M;
4030 
4031 	if (selected_phys & MGMT_PHY_LE_CODED_TX)
4032 		cp_phy.tx_phys |= HCI_LE_SET_PHY_CODED;
4033 
4034 	if (selected_phys & MGMT_PHY_LE_1M_RX)
4035 		cp_phy.rx_phys |= HCI_LE_SET_PHY_1M;
4036 
4037 	if (selected_phys & MGMT_PHY_LE_2M_RX)
4038 		cp_phy.rx_phys |= HCI_LE_SET_PHY_2M;
4039 
4040 	if (selected_phys & MGMT_PHY_LE_CODED_RX)
4041 		cp_phy.rx_phys |= HCI_LE_SET_PHY_CODED;
4042 
4043 	cmd->skb =  __hci_cmd_sync(hdev, HCI_OP_LE_SET_DEFAULT_PHY,
4044 				   sizeof(cp_phy), &cp_phy, HCI_CMD_TIMEOUT);
4045 
4046 	return 0;
4047 }
4048 
set_phy_configuration(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)4049 static int set_phy_configuration(struct sock *sk, struct hci_dev *hdev,
4050 				 void *data, u16 len)
4051 {
4052 	struct mgmt_cp_set_phy_configuration *cp = data;
4053 	struct mgmt_pending_cmd *cmd;
4054 	u32 selected_phys, configurable_phys, supported_phys, unconfigure_phys;
4055 	u16 pkt_type = (HCI_DH1 | HCI_DM1);
4056 	bool changed = false;
4057 	int err;
4058 
4059 	bt_dev_dbg(hdev, "sock %p", sk);
4060 
4061 	configurable_phys = get_configurable_phys(hdev);
4062 	supported_phys = get_supported_phys(hdev);
4063 	selected_phys = __le32_to_cpu(cp->selected_phys);
4064 
4065 	if (selected_phys & ~supported_phys)
4066 		return mgmt_cmd_status(sk, hdev->id,
4067 				       MGMT_OP_SET_PHY_CONFIGURATION,
4068 				       MGMT_STATUS_INVALID_PARAMS);
4069 
4070 	unconfigure_phys = supported_phys & ~configurable_phys;
4071 
4072 	if ((selected_phys & unconfigure_phys) != unconfigure_phys)
4073 		return mgmt_cmd_status(sk, hdev->id,
4074 				       MGMT_OP_SET_PHY_CONFIGURATION,
4075 				       MGMT_STATUS_INVALID_PARAMS);
4076 
4077 	if (selected_phys == get_selected_phys(hdev))
4078 		return mgmt_cmd_complete(sk, hdev->id,
4079 					 MGMT_OP_SET_PHY_CONFIGURATION,
4080 					 0, NULL, 0);
4081 
4082 	hci_dev_lock(hdev);
4083 
4084 	if (!hdev_is_powered(hdev)) {
4085 		err = mgmt_cmd_status(sk, hdev->id,
4086 				      MGMT_OP_SET_PHY_CONFIGURATION,
4087 				      MGMT_STATUS_REJECTED);
4088 		goto unlock;
4089 	}
4090 
4091 	if (pending_find(MGMT_OP_SET_PHY_CONFIGURATION, hdev)) {
4092 		err = mgmt_cmd_status(sk, hdev->id,
4093 				      MGMT_OP_SET_PHY_CONFIGURATION,
4094 				      MGMT_STATUS_BUSY);
4095 		goto unlock;
4096 	}
4097 
4098 	if (selected_phys & MGMT_PHY_BR_1M_3SLOT)
4099 		pkt_type |= (HCI_DH3 | HCI_DM3);
4100 	else
4101 		pkt_type &= ~(HCI_DH3 | HCI_DM3);
4102 
4103 	if (selected_phys & MGMT_PHY_BR_1M_5SLOT)
4104 		pkt_type |= (HCI_DH5 | HCI_DM5);
4105 	else
4106 		pkt_type &= ~(HCI_DH5 | HCI_DM5);
4107 
4108 	if (selected_phys & MGMT_PHY_EDR_2M_1SLOT)
4109 		pkt_type &= ~HCI_2DH1;
4110 	else
4111 		pkt_type |= HCI_2DH1;
4112 
4113 	if (selected_phys & MGMT_PHY_EDR_2M_3SLOT)
4114 		pkt_type &= ~HCI_2DH3;
4115 	else
4116 		pkt_type |= HCI_2DH3;
4117 
4118 	if (selected_phys & MGMT_PHY_EDR_2M_5SLOT)
4119 		pkt_type &= ~HCI_2DH5;
4120 	else
4121 		pkt_type |= HCI_2DH5;
4122 
4123 	if (selected_phys & MGMT_PHY_EDR_3M_1SLOT)
4124 		pkt_type &= ~HCI_3DH1;
4125 	else
4126 		pkt_type |= HCI_3DH1;
4127 
4128 	if (selected_phys & MGMT_PHY_EDR_3M_3SLOT)
4129 		pkt_type &= ~HCI_3DH3;
4130 	else
4131 		pkt_type |= HCI_3DH3;
4132 
4133 	if (selected_phys & MGMT_PHY_EDR_3M_5SLOT)
4134 		pkt_type &= ~HCI_3DH5;
4135 	else
4136 		pkt_type |= HCI_3DH5;
4137 
4138 	if (pkt_type != hdev->pkt_type) {
4139 		hdev->pkt_type = pkt_type;
4140 		changed = true;
4141 	}
4142 
4143 	if ((selected_phys & MGMT_PHY_LE_MASK) ==
4144 	    (get_selected_phys(hdev) & MGMT_PHY_LE_MASK)) {
4145 		if (changed)
4146 			mgmt_phy_configuration_changed(hdev, sk);
4147 
4148 		err = mgmt_cmd_complete(sk, hdev->id,
4149 					MGMT_OP_SET_PHY_CONFIGURATION,
4150 					0, NULL, 0);
4151 
4152 		goto unlock;
4153 	}
4154 
4155 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_PHY_CONFIGURATION, hdev, data,
4156 			       len);
4157 	if (!cmd)
4158 		err = -ENOMEM;
4159 	else
4160 		err = hci_cmd_sync_queue(hdev, set_default_phy_sync, cmd,
4161 					 set_default_phy_complete);
4162 
4163 	if (err < 0) {
4164 		err = mgmt_cmd_status(sk, hdev->id,
4165 				      MGMT_OP_SET_PHY_CONFIGURATION,
4166 				      MGMT_STATUS_FAILED);
4167 
4168 		if (cmd)
4169 			mgmt_pending_remove(cmd);
4170 	}
4171 
4172 unlock:
4173 	hci_dev_unlock(hdev);
4174 
4175 	return err;
4176 }
4177 
set_blocked_keys(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)4178 static int set_blocked_keys(struct sock *sk, struct hci_dev *hdev, void *data,
4179 			    u16 len)
4180 {
4181 	int err = MGMT_STATUS_SUCCESS;
4182 	struct mgmt_cp_set_blocked_keys *keys = data;
4183 	const u16 max_key_count = ((U16_MAX - sizeof(*keys)) /
4184 				   sizeof(struct mgmt_blocked_key_info));
4185 	u16 key_count, expected_len;
4186 	int i;
4187 
4188 	bt_dev_dbg(hdev, "sock %p", sk);
4189 
4190 	key_count = __le16_to_cpu(keys->key_count);
4191 	if (key_count > max_key_count) {
4192 		bt_dev_err(hdev, "too big key_count value %u", key_count);
4193 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BLOCKED_KEYS,
4194 				       MGMT_STATUS_INVALID_PARAMS);
4195 	}
4196 
4197 	expected_len = struct_size(keys, keys, key_count);
4198 	if (expected_len != len) {
4199 		bt_dev_err(hdev, "expected %u bytes, got %u bytes",
4200 			   expected_len, len);
4201 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BLOCKED_KEYS,
4202 				       MGMT_STATUS_INVALID_PARAMS);
4203 	}
4204 
4205 	hci_dev_lock(hdev);
4206 
4207 	hci_blocked_keys_clear(hdev);
4208 
4209 	for (i = 0; i < key_count; ++i) {
4210 		struct blocked_key *b = kzalloc(sizeof(*b), GFP_KERNEL);
4211 
4212 		if (!b) {
4213 			err = MGMT_STATUS_NO_RESOURCES;
4214 			break;
4215 		}
4216 
4217 		b->type = keys->keys[i].type;
4218 		memcpy(b->val, keys->keys[i].val, sizeof(b->val));
4219 		list_add_rcu(&b->list, &hdev->blocked_keys);
4220 	}
4221 	hci_dev_unlock(hdev);
4222 
4223 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_BLOCKED_KEYS,
4224 				err, NULL, 0);
4225 }
4226 
set_wideband_speech(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)4227 static int set_wideband_speech(struct sock *sk, struct hci_dev *hdev,
4228 			       void *data, u16 len)
4229 {
4230 	struct mgmt_mode *cp = data;
4231 	int err;
4232 	bool changed = false;
4233 
4234 	bt_dev_dbg(hdev, "sock %p", sk);
4235 
4236 	if (!test_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, &hdev->quirks))
4237 		return mgmt_cmd_status(sk, hdev->id,
4238 				       MGMT_OP_SET_WIDEBAND_SPEECH,
4239 				       MGMT_STATUS_NOT_SUPPORTED);
4240 
4241 	if (cp->val != 0x00 && cp->val != 0x01)
4242 		return mgmt_cmd_status(sk, hdev->id,
4243 				       MGMT_OP_SET_WIDEBAND_SPEECH,
4244 				       MGMT_STATUS_INVALID_PARAMS);
4245 
4246 	hci_dev_lock(hdev);
4247 
4248 	if (hdev_is_powered(hdev) &&
4249 	    !!cp->val != hci_dev_test_flag(hdev,
4250 					   HCI_WIDEBAND_SPEECH_ENABLED)) {
4251 		err = mgmt_cmd_status(sk, hdev->id,
4252 				      MGMT_OP_SET_WIDEBAND_SPEECH,
4253 				      MGMT_STATUS_REJECTED);
4254 		goto unlock;
4255 	}
4256 
4257 	if (cp->val)
4258 		changed = !hci_dev_test_and_set_flag(hdev,
4259 						   HCI_WIDEBAND_SPEECH_ENABLED);
4260 	else
4261 		changed = hci_dev_test_and_clear_flag(hdev,
4262 						   HCI_WIDEBAND_SPEECH_ENABLED);
4263 
4264 	err = send_settings_rsp(sk, MGMT_OP_SET_WIDEBAND_SPEECH, hdev);
4265 	if (err < 0)
4266 		goto unlock;
4267 
4268 	if (changed)
4269 		err = new_settings(hdev, sk);
4270 
4271 unlock:
4272 	hci_dev_unlock(hdev);
4273 	return err;
4274 }
4275 
read_controller_cap(struct sock * sk,struct hci_dev * hdev,void * data,u16 data_len)4276 static int read_controller_cap(struct sock *sk, struct hci_dev *hdev,
4277 			       void *data, u16 data_len)
4278 {
4279 	char buf[20];
4280 	struct mgmt_rp_read_controller_cap *rp = (void *)buf;
4281 	u16 cap_len = 0;
4282 	u8 flags = 0;
4283 	u8 tx_power_range[2];
4284 
4285 	bt_dev_dbg(hdev, "sock %p", sk);
4286 
4287 	memset(&buf, 0, sizeof(buf));
4288 
4289 	hci_dev_lock(hdev);
4290 
4291 	/* When the Read Simple Pairing Options command is supported, then
4292 	 * the remote public key validation is supported.
4293 	 *
4294 	 * Alternatively, when Microsoft extensions are available, they can
4295 	 * indicate support for public key validation as well.
4296 	 */
4297 	if ((hdev->commands[41] & 0x08) || msft_curve_validity(hdev))
4298 		flags |= 0x01;	/* Remote public key validation (BR/EDR) */
4299 
4300 	flags |= 0x02;		/* Remote public key validation (LE) */
4301 
4302 	/* When the Read Encryption Key Size command is supported, then the
4303 	 * encryption key size is enforced.
4304 	 */
4305 	if (hdev->commands[20] & 0x10)
4306 		flags |= 0x04;	/* Encryption key size enforcement (BR/EDR) */
4307 
4308 	flags |= 0x08;		/* Encryption key size enforcement (LE) */
4309 
4310 	cap_len = eir_append_data(rp->cap, cap_len, MGMT_CAP_SEC_FLAGS,
4311 				  &flags, 1);
4312 
4313 	/* When the Read Simple Pairing Options command is supported, then
4314 	 * also max encryption key size information is provided.
4315 	 */
4316 	if (hdev->commands[41] & 0x08)
4317 		cap_len = eir_append_le16(rp->cap, cap_len,
4318 					  MGMT_CAP_MAX_ENC_KEY_SIZE,
4319 					  hdev->max_enc_key_size);
4320 
4321 	cap_len = eir_append_le16(rp->cap, cap_len,
4322 				  MGMT_CAP_SMP_MAX_ENC_KEY_SIZE,
4323 				  SMP_MAX_ENC_KEY_SIZE);
4324 
4325 	/* Append the min/max LE tx power parameters if we were able to fetch
4326 	 * it from the controller
4327 	 */
4328 	if (hdev->commands[38] & 0x80) {
4329 		memcpy(&tx_power_range[0], &hdev->min_le_tx_power, 1);
4330 		memcpy(&tx_power_range[1], &hdev->max_le_tx_power, 1);
4331 		cap_len = eir_append_data(rp->cap, cap_len, MGMT_CAP_LE_TX_PWR,
4332 					  tx_power_range, 2);
4333 	}
4334 
4335 	rp->cap_len = cpu_to_le16(cap_len);
4336 
4337 	hci_dev_unlock(hdev);
4338 
4339 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_CONTROLLER_CAP, 0,
4340 				 rp, sizeof(*rp) + cap_len);
4341 }
4342 
4343 #ifdef CONFIG_BT_FEATURE_DEBUG
4344 /* d4992530-b9ec-469f-ab01-6c481c47da1c */
4345 static const u8 debug_uuid[16] = {
4346 	0x1c, 0xda, 0x47, 0x1c, 0x48, 0x6c, 0x01, 0xab,
4347 	0x9f, 0x46, 0xec, 0xb9, 0x30, 0x25, 0x99, 0xd4,
4348 };
4349 #endif
4350 
4351 /* 330859bc-7506-492d-9370-9a6f0614037f */
4352 static const u8 quality_report_uuid[16] = {
4353 	0x7f, 0x03, 0x14, 0x06, 0x6f, 0x9a, 0x70, 0x93,
4354 	0x2d, 0x49, 0x06, 0x75, 0xbc, 0x59, 0x08, 0x33,
4355 };
4356 
4357 /* a6695ace-ee7f-4fb9-881a-5fac66c629af */
4358 static const u8 offload_codecs_uuid[16] = {
4359 	0xaf, 0x29, 0xc6, 0x66, 0xac, 0x5f, 0x1a, 0x88,
4360 	0xb9, 0x4f, 0x7f, 0xee, 0xce, 0x5a, 0x69, 0xa6,
4361 };
4362 
4363 /* 671b10b5-42c0-4696-9227-eb28d1b049d6 */
4364 static const u8 le_simultaneous_roles_uuid[16] = {
4365 	0xd6, 0x49, 0xb0, 0xd1, 0x28, 0xeb, 0x27, 0x92,
4366 	0x96, 0x46, 0xc0, 0x42, 0xb5, 0x10, 0x1b, 0x67,
4367 };
4368 
4369 /* 15c0a148-c273-11ea-b3de-0242ac130004 */
4370 static const u8 rpa_resolution_uuid[16] = {
4371 	0x04, 0x00, 0x13, 0xac, 0x42, 0x02, 0xde, 0xb3,
4372 	0xea, 0x11, 0x73, 0xc2, 0x48, 0xa1, 0xc0, 0x15,
4373 };
4374 
4375 /* 6fbaf188-05e0-496a-9885-d6ddfdb4e03e */
4376 static const u8 iso_socket_uuid[16] = {
4377 	0x3e, 0xe0, 0xb4, 0xfd, 0xdd, 0xd6, 0x85, 0x98,
4378 	0x6a, 0x49, 0xe0, 0x05, 0x88, 0xf1, 0xba, 0x6f,
4379 };
4380 
4381 /* 2ce463d7-7a03-4d8d-bf05-5f24e8f36e76 */
4382 static const u8 mgmt_mesh_uuid[16] = {
4383 	0x76, 0x6e, 0xf3, 0xe8, 0x24, 0x5f, 0x05, 0xbf,
4384 	0x8d, 0x4d, 0x03, 0x7a, 0xd7, 0x63, 0xe4, 0x2c,
4385 };
4386 
read_exp_features_info(struct sock * sk,struct hci_dev * hdev,void * data,u16 data_len)4387 static int read_exp_features_info(struct sock *sk, struct hci_dev *hdev,
4388 				  void *data, u16 data_len)
4389 {
4390 	struct mgmt_rp_read_exp_features_info *rp;
4391 	size_t len;
4392 	u16 idx = 0;
4393 	u32 flags;
4394 	int status;
4395 
4396 	bt_dev_dbg(hdev, "sock %p", sk);
4397 
4398 	/* Enough space for 7 features */
4399 	len = sizeof(*rp) + (sizeof(rp->features[0]) * 7);
4400 	rp = kzalloc(len, GFP_KERNEL);
4401 	if (!rp)
4402 		return -ENOMEM;
4403 
4404 #ifdef CONFIG_BT_FEATURE_DEBUG
4405 	if (!hdev) {
4406 		flags = bt_dbg_get() ? BIT(0) : 0;
4407 
4408 		memcpy(rp->features[idx].uuid, debug_uuid, 16);
4409 		rp->features[idx].flags = cpu_to_le32(flags);
4410 		idx++;
4411 	}
4412 #endif
4413 
4414 	if (hdev && hci_dev_le_state_simultaneous(hdev)) {
4415 		if (hci_dev_test_flag(hdev, HCI_LE_SIMULTANEOUS_ROLES))
4416 			flags = BIT(0);
4417 		else
4418 			flags = 0;
4419 
4420 		memcpy(rp->features[idx].uuid, le_simultaneous_roles_uuid, 16);
4421 		rp->features[idx].flags = cpu_to_le32(flags);
4422 		idx++;
4423 	}
4424 
4425 	if (hdev && ll_privacy_capable(hdev)) {
4426 		if (hci_dev_test_flag(hdev, HCI_ENABLE_LL_PRIVACY))
4427 			flags = BIT(0) | BIT(1);
4428 		else
4429 			flags = BIT(1);
4430 
4431 		memcpy(rp->features[idx].uuid, rpa_resolution_uuid, 16);
4432 		rp->features[idx].flags = cpu_to_le32(flags);
4433 		idx++;
4434 	}
4435 
4436 	if (hdev && (aosp_has_quality_report(hdev) ||
4437 		     hdev->set_quality_report)) {
4438 		if (hci_dev_test_flag(hdev, HCI_QUALITY_REPORT))
4439 			flags = BIT(0);
4440 		else
4441 			flags = 0;
4442 
4443 		memcpy(rp->features[idx].uuid, quality_report_uuid, 16);
4444 		rp->features[idx].flags = cpu_to_le32(flags);
4445 		idx++;
4446 	}
4447 
4448 	if (hdev && hdev->get_data_path_id) {
4449 		if (hci_dev_test_flag(hdev, HCI_OFFLOAD_CODECS_ENABLED))
4450 			flags = BIT(0);
4451 		else
4452 			flags = 0;
4453 
4454 		memcpy(rp->features[idx].uuid, offload_codecs_uuid, 16);
4455 		rp->features[idx].flags = cpu_to_le32(flags);
4456 		idx++;
4457 	}
4458 
4459 	if (IS_ENABLED(CONFIG_BT_LE)) {
4460 		flags = iso_enabled() ? BIT(0) : 0;
4461 		memcpy(rp->features[idx].uuid, iso_socket_uuid, 16);
4462 		rp->features[idx].flags = cpu_to_le32(flags);
4463 		idx++;
4464 	}
4465 
4466 	if (hdev && lmp_le_capable(hdev)) {
4467 		if (hci_dev_test_flag(hdev, HCI_MESH_EXPERIMENTAL))
4468 			flags = BIT(0);
4469 		else
4470 			flags = 0;
4471 
4472 		memcpy(rp->features[idx].uuid, mgmt_mesh_uuid, 16);
4473 		rp->features[idx].flags = cpu_to_le32(flags);
4474 		idx++;
4475 	}
4476 
4477 	rp->feature_count = cpu_to_le16(idx);
4478 
4479 	/* After reading the experimental features information, enable
4480 	 * the events to update client on any future change.
4481 	 */
4482 	hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
4483 
4484 	status = mgmt_cmd_complete(sk, hdev ? hdev->id : MGMT_INDEX_NONE,
4485 				   MGMT_OP_READ_EXP_FEATURES_INFO,
4486 				   0, rp, sizeof(*rp) + (20 * idx));
4487 
4488 	kfree(rp);
4489 	return status;
4490 }
4491 
exp_ll_privacy_feature_changed(bool enabled,struct hci_dev * hdev,struct sock * skip)4492 static int exp_ll_privacy_feature_changed(bool enabled, struct hci_dev *hdev,
4493 					  struct sock *skip)
4494 {
4495 	struct mgmt_ev_exp_feature_changed ev;
4496 
4497 	memset(&ev, 0, sizeof(ev));
4498 	memcpy(ev.uuid, rpa_resolution_uuid, 16);
4499 	ev.flags = cpu_to_le32((enabled ? BIT(0) : 0) | BIT(1));
4500 
4501 	// Do we need to be atomic with the conn_flags?
4502 	if (enabled && privacy_mode_capable(hdev))
4503 		hdev->conn_flags |= HCI_CONN_FLAG_DEVICE_PRIVACY;
4504 	else
4505 		hdev->conn_flags &= ~HCI_CONN_FLAG_DEVICE_PRIVACY;
4506 
4507 	return mgmt_limited_event(MGMT_EV_EXP_FEATURE_CHANGED, hdev,
4508 				  &ev, sizeof(ev),
4509 				  HCI_MGMT_EXP_FEATURE_EVENTS, skip);
4510 
4511 }
4512 
exp_feature_changed(struct hci_dev * hdev,const u8 * uuid,bool enabled,struct sock * skip)4513 static int exp_feature_changed(struct hci_dev *hdev, const u8 *uuid,
4514 			       bool enabled, struct sock *skip)
4515 {
4516 	struct mgmt_ev_exp_feature_changed ev;
4517 
4518 	memset(&ev, 0, sizeof(ev));
4519 	memcpy(ev.uuid, uuid, 16);
4520 	ev.flags = cpu_to_le32(enabled ? BIT(0) : 0);
4521 
4522 	return mgmt_limited_event(MGMT_EV_EXP_FEATURE_CHANGED, hdev,
4523 				  &ev, sizeof(ev),
4524 				  HCI_MGMT_EXP_FEATURE_EVENTS, skip);
4525 }
4526 
4527 #define EXP_FEAT(_uuid, _set_func)	\
4528 {					\
4529 	.uuid = _uuid,			\
4530 	.set_func = _set_func,		\
4531 }
4532 
4533 /* The zero key uuid is special. Multiple exp features are set through it. */
set_zero_key_func(struct sock * sk,struct hci_dev * hdev,struct mgmt_cp_set_exp_feature * cp,u16 data_len)4534 static int set_zero_key_func(struct sock *sk, struct hci_dev *hdev,
4535 			     struct mgmt_cp_set_exp_feature *cp, u16 data_len)
4536 {
4537 	struct mgmt_rp_set_exp_feature rp;
4538 
4539 	memset(rp.uuid, 0, 16);
4540 	rp.flags = cpu_to_le32(0);
4541 
4542 #ifdef CONFIG_BT_FEATURE_DEBUG
4543 	if (!hdev) {
4544 		bool changed = bt_dbg_get();
4545 
4546 		bt_dbg_set(false);
4547 
4548 		if (changed)
4549 			exp_feature_changed(NULL, ZERO_KEY, false, sk);
4550 	}
4551 #endif
4552 
4553 	if (hdev && use_ll_privacy(hdev) && !hdev_is_powered(hdev)) {
4554 		bool changed;
4555 
4556 		changed = hci_dev_test_and_clear_flag(hdev,
4557 						      HCI_ENABLE_LL_PRIVACY);
4558 		if (changed)
4559 			exp_feature_changed(hdev, rpa_resolution_uuid, false,
4560 					    sk);
4561 	}
4562 
4563 	hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
4564 
4565 	return mgmt_cmd_complete(sk, hdev ? hdev->id : MGMT_INDEX_NONE,
4566 				 MGMT_OP_SET_EXP_FEATURE, 0,
4567 				 &rp, sizeof(rp));
4568 }
4569 
4570 #ifdef CONFIG_BT_FEATURE_DEBUG
set_debug_func(struct sock * sk,struct hci_dev * hdev,struct mgmt_cp_set_exp_feature * cp,u16 data_len)4571 static int set_debug_func(struct sock *sk, struct hci_dev *hdev,
4572 			  struct mgmt_cp_set_exp_feature *cp, u16 data_len)
4573 {
4574 	struct mgmt_rp_set_exp_feature rp;
4575 
4576 	bool val, changed;
4577 	int err;
4578 
4579 	/* Command requires to use the non-controller index */
4580 	if (hdev)
4581 		return mgmt_cmd_status(sk, hdev->id,
4582 				       MGMT_OP_SET_EXP_FEATURE,
4583 				       MGMT_STATUS_INVALID_INDEX);
4584 
4585 	/* Parameters are limited to a single octet */
4586 	if (data_len != MGMT_SET_EXP_FEATURE_SIZE + 1)
4587 		return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4588 				       MGMT_OP_SET_EXP_FEATURE,
4589 				       MGMT_STATUS_INVALID_PARAMS);
4590 
4591 	/* Only boolean on/off is supported */
4592 	if (cp->param[0] != 0x00 && cp->param[0] != 0x01)
4593 		return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4594 				       MGMT_OP_SET_EXP_FEATURE,
4595 				       MGMT_STATUS_INVALID_PARAMS);
4596 
4597 	val = !!cp->param[0];
4598 	changed = val ? !bt_dbg_get() : bt_dbg_get();
4599 	bt_dbg_set(val);
4600 
4601 	memcpy(rp.uuid, debug_uuid, 16);
4602 	rp.flags = cpu_to_le32(val ? BIT(0) : 0);
4603 
4604 	hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
4605 
4606 	err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE,
4607 				MGMT_OP_SET_EXP_FEATURE, 0,
4608 				&rp, sizeof(rp));
4609 
4610 	if (changed)
4611 		exp_feature_changed(hdev, debug_uuid, val, sk);
4612 
4613 	return err;
4614 }
4615 #endif
4616 
set_mgmt_mesh_func(struct sock * sk,struct hci_dev * hdev,struct mgmt_cp_set_exp_feature * cp,u16 data_len)4617 static int set_mgmt_mesh_func(struct sock *sk, struct hci_dev *hdev,
4618 			      struct mgmt_cp_set_exp_feature *cp, u16 data_len)
4619 {
4620 	struct mgmt_rp_set_exp_feature rp;
4621 	bool val, changed;
4622 	int err;
4623 
4624 	/* Command requires to use the controller index */
4625 	if (!hdev)
4626 		return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4627 				       MGMT_OP_SET_EXP_FEATURE,
4628 				       MGMT_STATUS_INVALID_INDEX);
4629 
4630 	/* Changes can only be made when controller is powered down */
4631 	if (hdev_is_powered(hdev))
4632 		return mgmt_cmd_status(sk, hdev->id,
4633 				       MGMT_OP_SET_EXP_FEATURE,
4634 				       MGMT_STATUS_REJECTED);
4635 
4636 	/* Parameters are limited to a single octet */
4637 	if (data_len != MGMT_SET_EXP_FEATURE_SIZE + 1)
4638 		return mgmt_cmd_status(sk, hdev->id,
4639 				       MGMT_OP_SET_EXP_FEATURE,
4640 				       MGMT_STATUS_INVALID_PARAMS);
4641 
4642 	/* Only boolean on/off is supported */
4643 	if (cp->param[0] != 0x00 && cp->param[0] != 0x01)
4644 		return mgmt_cmd_status(sk, hdev->id,
4645 				       MGMT_OP_SET_EXP_FEATURE,
4646 				       MGMT_STATUS_INVALID_PARAMS);
4647 
4648 	val = !!cp->param[0];
4649 
4650 	if (val) {
4651 		changed = !hci_dev_test_and_set_flag(hdev,
4652 						     HCI_MESH_EXPERIMENTAL);
4653 	} else {
4654 		hci_dev_clear_flag(hdev, HCI_MESH);
4655 		changed = hci_dev_test_and_clear_flag(hdev,
4656 						      HCI_MESH_EXPERIMENTAL);
4657 	}
4658 
4659 	memcpy(rp.uuid, mgmt_mesh_uuid, 16);
4660 	rp.flags = cpu_to_le32(val ? BIT(0) : 0);
4661 
4662 	hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
4663 
4664 	err = mgmt_cmd_complete(sk, hdev->id,
4665 				MGMT_OP_SET_EXP_FEATURE, 0,
4666 				&rp, sizeof(rp));
4667 
4668 	if (changed)
4669 		exp_feature_changed(hdev, mgmt_mesh_uuid, val, sk);
4670 
4671 	return err;
4672 }
4673 
set_rpa_resolution_func(struct sock * sk,struct hci_dev * hdev,struct mgmt_cp_set_exp_feature * cp,u16 data_len)4674 static int set_rpa_resolution_func(struct sock *sk, struct hci_dev *hdev,
4675 				   struct mgmt_cp_set_exp_feature *cp,
4676 				   u16 data_len)
4677 {
4678 	struct mgmt_rp_set_exp_feature rp;
4679 	bool val, changed;
4680 	int err;
4681 	u32 flags;
4682 
4683 	/* Command requires to use the controller index */
4684 	if (!hdev)
4685 		return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4686 				       MGMT_OP_SET_EXP_FEATURE,
4687 				       MGMT_STATUS_INVALID_INDEX);
4688 
4689 	/* Changes can only be made when controller is powered down */
4690 	if (hdev_is_powered(hdev))
4691 		return mgmt_cmd_status(sk, hdev->id,
4692 				       MGMT_OP_SET_EXP_FEATURE,
4693 				       MGMT_STATUS_REJECTED);
4694 
4695 	/* Parameters are limited to a single octet */
4696 	if (data_len != MGMT_SET_EXP_FEATURE_SIZE + 1)
4697 		return mgmt_cmd_status(sk, hdev->id,
4698 				       MGMT_OP_SET_EXP_FEATURE,
4699 				       MGMT_STATUS_INVALID_PARAMS);
4700 
4701 	/* Only boolean on/off is supported */
4702 	if (cp->param[0] != 0x00 && cp->param[0] != 0x01)
4703 		return mgmt_cmd_status(sk, hdev->id,
4704 				       MGMT_OP_SET_EXP_FEATURE,
4705 				       MGMT_STATUS_INVALID_PARAMS);
4706 
4707 	val = !!cp->param[0];
4708 
4709 	if (val) {
4710 		changed = !hci_dev_test_and_set_flag(hdev,
4711 						     HCI_ENABLE_LL_PRIVACY);
4712 		hci_dev_clear_flag(hdev, HCI_ADVERTISING);
4713 
4714 		/* Enable LL privacy + supported settings changed */
4715 		flags = BIT(0) | BIT(1);
4716 	} else {
4717 		changed = hci_dev_test_and_clear_flag(hdev,
4718 						      HCI_ENABLE_LL_PRIVACY);
4719 
4720 		/* Disable LL privacy + supported settings changed */
4721 		flags = BIT(1);
4722 	}
4723 
4724 	memcpy(rp.uuid, rpa_resolution_uuid, 16);
4725 	rp.flags = cpu_to_le32(flags);
4726 
4727 	hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
4728 
4729 	err = mgmt_cmd_complete(sk, hdev->id,
4730 				MGMT_OP_SET_EXP_FEATURE, 0,
4731 				&rp, sizeof(rp));
4732 
4733 	if (changed)
4734 		exp_ll_privacy_feature_changed(val, hdev, sk);
4735 
4736 	return err;
4737 }
4738 
set_quality_report_func(struct sock * sk,struct hci_dev * hdev,struct mgmt_cp_set_exp_feature * cp,u16 data_len)4739 static int set_quality_report_func(struct sock *sk, struct hci_dev *hdev,
4740 				   struct mgmt_cp_set_exp_feature *cp,
4741 				   u16 data_len)
4742 {
4743 	struct mgmt_rp_set_exp_feature rp;
4744 	bool val, changed;
4745 	int err;
4746 
4747 	/* Command requires to use a valid controller index */
4748 	if (!hdev)
4749 		return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4750 				       MGMT_OP_SET_EXP_FEATURE,
4751 				       MGMT_STATUS_INVALID_INDEX);
4752 
4753 	/* Parameters are limited to a single octet */
4754 	if (data_len != MGMT_SET_EXP_FEATURE_SIZE + 1)
4755 		return mgmt_cmd_status(sk, hdev->id,
4756 				       MGMT_OP_SET_EXP_FEATURE,
4757 				       MGMT_STATUS_INVALID_PARAMS);
4758 
4759 	/* Only boolean on/off is supported */
4760 	if (cp->param[0] != 0x00 && cp->param[0] != 0x01)
4761 		return mgmt_cmd_status(sk, hdev->id,
4762 				       MGMT_OP_SET_EXP_FEATURE,
4763 				       MGMT_STATUS_INVALID_PARAMS);
4764 
4765 	hci_req_sync_lock(hdev);
4766 
4767 	val = !!cp->param[0];
4768 	changed = (val != hci_dev_test_flag(hdev, HCI_QUALITY_REPORT));
4769 
4770 	if (!aosp_has_quality_report(hdev) && !hdev->set_quality_report) {
4771 		err = mgmt_cmd_status(sk, hdev->id,
4772 				      MGMT_OP_SET_EXP_FEATURE,
4773 				      MGMT_STATUS_NOT_SUPPORTED);
4774 		goto unlock_quality_report;
4775 	}
4776 
4777 	if (changed) {
4778 		if (hdev->set_quality_report)
4779 			err = hdev->set_quality_report(hdev, val);
4780 		else
4781 			err = aosp_set_quality_report(hdev, val);
4782 
4783 		if (err) {
4784 			err = mgmt_cmd_status(sk, hdev->id,
4785 					      MGMT_OP_SET_EXP_FEATURE,
4786 					      MGMT_STATUS_FAILED);
4787 			goto unlock_quality_report;
4788 		}
4789 
4790 		if (val)
4791 			hci_dev_set_flag(hdev, HCI_QUALITY_REPORT);
4792 		else
4793 			hci_dev_clear_flag(hdev, HCI_QUALITY_REPORT);
4794 	}
4795 
4796 	bt_dev_dbg(hdev, "quality report enable %d changed %d", val, changed);
4797 
4798 	memcpy(rp.uuid, quality_report_uuid, 16);
4799 	rp.flags = cpu_to_le32(val ? BIT(0) : 0);
4800 	hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
4801 
4802 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_EXP_FEATURE, 0,
4803 				&rp, sizeof(rp));
4804 
4805 	if (changed)
4806 		exp_feature_changed(hdev, quality_report_uuid, val, sk);
4807 
4808 unlock_quality_report:
4809 	hci_req_sync_unlock(hdev);
4810 	return err;
4811 }
4812 
set_offload_codec_func(struct sock * sk,struct hci_dev * hdev,struct mgmt_cp_set_exp_feature * cp,u16 data_len)4813 static int set_offload_codec_func(struct sock *sk, struct hci_dev *hdev,
4814 				  struct mgmt_cp_set_exp_feature *cp,
4815 				  u16 data_len)
4816 {
4817 	bool val, changed;
4818 	int err;
4819 	struct mgmt_rp_set_exp_feature rp;
4820 
4821 	/* Command requires to use a valid controller index */
4822 	if (!hdev)
4823 		return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4824 				       MGMT_OP_SET_EXP_FEATURE,
4825 				       MGMT_STATUS_INVALID_INDEX);
4826 
4827 	/* Parameters are limited to a single octet */
4828 	if (data_len != MGMT_SET_EXP_FEATURE_SIZE + 1)
4829 		return mgmt_cmd_status(sk, hdev->id,
4830 				       MGMT_OP_SET_EXP_FEATURE,
4831 				       MGMT_STATUS_INVALID_PARAMS);
4832 
4833 	/* Only boolean on/off is supported */
4834 	if (cp->param[0] != 0x00 && cp->param[0] != 0x01)
4835 		return mgmt_cmd_status(sk, hdev->id,
4836 				       MGMT_OP_SET_EXP_FEATURE,
4837 				       MGMT_STATUS_INVALID_PARAMS);
4838 
4839 	val = !!cp->param[0];
4840 	changed = (val != hci_dev_test_flag(hdev, HCI_OFFLOAD_CODECS_ENABLED));
4841 
4842 	if (!hdev->get_data_path_id) {
4843 		return mgmt_cmd_status(sk, hdev->id,
4844 				       MGMT_OP_SET_EXP_FEATURE,
4845 				       MGMT_STATUS_NOT_SUPPORTED);
4846 	}
4847 
4848 	if (changed) {
4849 		if (val)
4850 			hci_dev_set_flag(hdev, HCI_OFFLOAD_CODECS_ENABLED);
4851 		else
4852 			hci_dev_clear_flag(hdev, HCI_OFFLOAD_CODECS_ENABLED);
4853 	}
4854 
4855 	bt_dev_info(hdev, "offload codecs enable %d changed %d",
4856 		    val, changed);
4857 
4858 	memcpy(rp.uuid, offload_codecs_uuid, 16);
4859 	rp.flags = cpu_to_le32(val ? BIT(0) : 0);
4860 	hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
4861 	err = mgmt_cmd_complete(sk, hdev->id,
4862 				MGMT_OP_SET_EXP_FEATURE, 0,
4863 				&rp, sizeof(rp));
4864 
4865 	if (changed)
4866 		exp_feature_changed(hdev, offload_codecs_uuid, val, sk);
4867 
4868 	return err;
4869 }
4870 
set_le_simultaneous_roles_func(struct sock * sk,struct hci_dev * hdev,struct mgmt_cp_set_exp_feature * cp,u16 data_len)4871 static int set_le_simultaneous_roles_func(struct sock *sk, struct hci_dev *hdev,
4872 					  struct mgmt_cp_set_exp_feature *cp,
4873 					  u16 data_len)
4874 {
4875 	bool val, changed;
4876 	int err;
4877 	struct mgmt_rp_set_exp_feature rp;
4878 
4879 	/* Command requires to use a valid controller index */
4880 	if (!hdev)
4881 		return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4882 				       MGMT_OP_SET_EXP_FEATURE,
4883 				       MGMT_STATUS_INVALID_INDEX);
4884 
4885 	/* Parameters are limited to a single octet */
4886 	if (data_len != MGMT_SET_EXP_FEATURE_SIZE + 1)
4887 		return mgmt_cmd_status(sk, hdev->id,
4888 				       MGMT_OP_SET_EXP_FEATURE,
4889 				       MGMT_STATUS_INVALID_PARAMS);
4890 
4891 	/* Only boolean on/off is supported */
4892 	if (cp->param[0] != 0x00 && cp->param[0] != 0x01)
4893 		return mgmt_cmd_status(sk, hdev->id,
4894 				       MGMT_OP_SET_EXP_FEATURE,
4895 				       MGMT_STATUS_INVALID_PARAMS);
4896 
4897 	val = !!cp->param[0];
4898 	changed = (val != hci_dev_test_flag(hdev, HCI_LE_SIMULTANEOUS_ROLES));
4899 
4900 	if (!hci_dev_le_state_simultaneous(hdev)) {
4901 		return mgmt_cmd_status(sk, hdev->id,
4902 				       MGMT_OP_SET_EXP_FEATURE,
4903 				       MGMT_STATUS_NOT_SUPPORTED);
4904 	}
4905 
4906 	if (changed) {
4907 		if (val)
4908 			hci_dev_set_flag(hdev, HCI_LE_SIMULTANEOUS_ROLES);
4909 		else
4910 			hci_dev_clear_flag(hdev, HCI_LE_SIMULTANEOUS_ROLES);
4911 	}
4912 
4913 	bt_dev_info(hdev, "LE simultaneous roles enable %d changed %d",
4914 		    val, changed);
4915 
4916 	memcpy(rp.uuid, le_simultaneous_roles_uuid, 16);
4917 	rp.flags = cpu_to_le32(val ? BIT(0) : 0);
4918 	hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
4919 	err = mgmt_cmd_complete(sk, hdev->id,
4920 				MGMT_OP_SET_EXP_FEATURE, 0,
4921 				&rp, sizeof(rp));
4922 
4923 	if (changed)
4924 		exp_feature_changed(hdev, le_simultaneous_roles_uuid, val, sk);
4925 
4926 	return err;
4927 }
4928 
4929 #ifdef CONFIG_BT_LE
set_iso_socket_func(struct sock * sk,struct hci_dev * hdev,struct mgmt_cp_set_exp_feature * cp,u16 data_len)4930 static int set_iso_socket_func(struct sock *sk, struct hci_dev *hdev,
4931 			       struct mgmt_cp_set_exp_feature *cp, u16 data_len)
4932 {
4933 	struct mgmt_rp_set_exp_feature rp;
4934 	bool val, changed = false;
4935 	int err;
4936 
4937 	/* Command requires to use the non-controller index */
4938 	if (hdev)
4939 		return mgmt_cmd_status(sk, hdev->id,
4940 				       MGMT_OP_SET_EXP_FEATURE,
4941 				       MGMT_STATUS_INVALID_INDEX);
4942 
4943 	/* Parameters are limited to a single octet */
4944 	if (data_len != MGMT_SET_EXP_FEATURE_SIZE + 1)
4945 		return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4946 				       MGMT_OP_SET_EXP_FEATURE,
4947 				       MGMT_STATUS_INVALID_PARAMS);
4948 
4949 	/* Only boolean on/off is supported */
4950 	if (cp->param[0] != 0x00 && cp->param[0] != 0x01)
4951 		return mgmt_cmd_status(sk, MGMT_INDEX_NONE,
4952 				       MGMT_OP_SET_EXP_FEATURE,
4953 				       MGMT_STATUS_INVALID_PARAMS);
4954 
4955 	val = cp->param[0] ? true : false;
4956 	if (val)
4957 		err = iso_init();
4958 	else
4959 		err = iso_exit();
4960 
4961 	if (!err)
4962 		changed = true;
4963 
4964 	memcpy(rp.uuid, iso_socket_uuid, 16);
4965 	rp.flags = cpu_to_le32(val ? BIT(0) : 0);
4966 
4967 	hci_sock_set_flag(sk, HCI_MGMT_EXP_FEATURE_EVENTS);
4968 
4969 	err = mgmt_cmd_complete(sk, MGMT_INDEX_NONE,
4970 				MGMT_OP_SET_EXP_FEATURE, 0,
4971 				&rp, sizeof(rp));
4972 
4973 	if (changed)
4974 		exp_feature_changed(hdev, iso_socket_uuid, val, sk);
4975 
4976 	return err;
4977 }
4978 #endif
4979 
4980 static const struct mgmt_exp_feature {
4981 	const u8 *uuid;
4982 	int (*set_func)(struct sock *sk, struct hci_dev *hdev,
4983 			struct mgmt_cp_set_exp_feature *cp, u16 data_len);
4984 } exp_features[] = {
4985 	EXP_FEAT(ZERO_KEY, set_zero_key_func),
4986 #ifdef CONFIG_BT_FEATURE_DEBUG
4987 	EXP_FEAT(debug_uuid, set_debug_func),
4988 #endif
4989 	EXP_FEAT(mgmt_mesh_uuid, set_mgmt_mesh_func),
4990 	EXP_FEAT(rpa_resolution_uuid, set_rpa_resolution_func),
4991 	EXP_FEAT(quality_report_uuid, set_quality_report_func),
4992 	EXP_FEAT(offload_codecs_uuid, set_offload_codec_func),
4993 	EXP_FEAT(le_simultaneous_roles_uuid, set_le_simultaneous_roles_func),
4994 #ifdef CONFIG_BT_LE
4995 	EXP_FEAT(iso_socket_uuid, set_iso_socket_func),
4996 #endif
4997 
4998 	/* end with a null feature */
4999 	EXP_FEAT(NULL, NULL)
5000 };
5001 
set_exp_feature(struct sock * sk,struct hci_dev * hdev,void * data,u16 data_len)5002 static int set_exp_feature(struct sock *sk, struct hci_dev *hdev,
5003 			   void *data, u16 data_len)
5004 {
5005 	struct mgmt_cp_set_exp_feature *cp = data;
5006 	size_t i = 0;
5007 
5008 	bt_dev_dbg(hdev, "sock %p", sk);
5009 
5010 	for (i = 0; exp_features[i].uuid; i++) {
5011 		if (!memcmp(cp->uuid, exp_features[i].uuid, 16))
5012 			return exp_features[i].set_func(sk, hdev, cp, data_len);
5013 	}
5014 
5015 	return mgmt_cmd_status(sk, hdev ? hdev->id : MGMT_INDEX_NONE,
5016 			       MGMT_OP_SET_EXP_FEATURE,
5017 			       MGMT_STATUS_NOT_SUPPORTED);
5018 }
5019 
get_params_flags(struct hci_dev * hdev,struct hci_conn_params * params)5020 static u32 get_params_flags(struct hci_dev *hdev,
5021 			    struct hci_conn_params *params)
5022 {
5023 	u32 flags = hdev->conn_flags;
5024 
5025 	/* Devices using RPAs can only be programmed in the acceptlist if
5026 	 * LL Privacy has been enable otherwise they cannot mark
5027 	 * HCI_CONN_FLAG_REMOTE_WAKEUP.
5028 	 */
5029 	if ((flags & HCI_CONN_FLAG_REMOTE_WAKEUP) && !use_ll_privacy(hdev) &&
5030 	    hci_find_irk_by_addr(hdev, &params->addr, params->addr_type))
5031 		flags &= ~HCI_CONN_FLAG_REMOTE_WAKEUP;
5032 
5033 	return flags;
5034 }
5035 
get_device_flags(struct sock * sk,struct hci_dev * hdev,void * data,u16 data_len)5036 static int get_device_flags(struct sock *sk, struct hci_dev *hdev, void *data,
5037 			    u16 data_len)
5038 {
5039 	struct mgmt_cp_get_device_flags *cp = data;
5040 	struct mgmt_rp_get_device_flags rp;
5041 	struct bdaddr_list_with_flags *br_params;
5042 	struct hci_conn_params *params;
5043 	u32 supported_flags;
5044 	u32 current_flags = 0;
5045 	u8 status = MGMT_STATUS_INVALID_PARAMS;
5046 
5047 	bt_dev_dbg(hdev, "Get device flags %pMR (type 0x%x)\n",
5048 		   &cp->addr.bdaddr, cp->addr.type);
5049 
5050 	hci_dev_lock(hdev);
5051 
5052 	supported_flags = hdev->conn_flags;
5053 
5054 	memset(&rp, 0, sizeof(rp));
5055 
5056 	if (cp->addr.type == BDADDR_BREDR) {
5057 		br_params = hci_bdaddr_list_lookup_with_flags(&hdev->accept_list,
5058 							      &cp->addr.bdaddr,
5059 							      cp->addr.type);
5060 		if (!br_params)
5061 			goto done;
5062 
5063 		current_flags = br_params->flags;
5064 	} else {
5065 		params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr,
5066 						le_addr_type(cp->addr.type));
5067 		if (!params)
5068 			goto done;
5069 
5070 		supported_flags = get_params_flags(hdev, params);
5071 		current_flags = params->flags;
5072 	}
5073 
5074 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
5075 	rp.addr.type = cp->addr.type;
5076 	rp.supported_flags = cpu_to_le32(supported_flags);
5077 	rp.current_flags = cpu_to_le32(current_flags);
5078 
5079 	status = MGMT_STATUS_SUCCESS;
5080 
5081 done:
5082 	hci_dev_unlock(hdev);
5083 
5084 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_DEVICE_FLAGS, status,
5085 				&rp, sizeof(rp));
5086 }
5087 
device_flags_changed(struct sock * sk,struct hci_dev * hdev,bdaddr_t * bdaddr,u8 bdaddr_type,u32 supported_flags,u32 current_flags)5088 static void device_flags_changed(struct sock *sk, struct hci_dev *hdev,
5089 				 bdaddr_t *bdaddr, u8 bdaddr_type,
5090 				 u32 supported_flags, u32 current_flags)
5091 {
5092 	struct mgmt_ev_device_flags_changed ev;
5093 
5094 	bacpy(&ev.addr.bdaddr, bdaddr);
5095 	ev.addr.type = bdaddr_type;
5096 	ev.supported_flags = cpu_to_le32(supported_flags);
5097 	ev.current_flags = cpu_to_le32(current_flags);
5098 
5099 	mgmt_event(MGMT_EV_DEVICE_FLAGS_CHANGED, hdev, &ev, sizeof(ev), sk);
5100 }
5101 
set_device_flags(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)5102 static int set_device_flags(struct sock *sk, struct hci_dev *hdev, void *data,
5103 			    u16 len)
5104 {
5105 	struct mgmt_cp_set_device_flags *cp = data;
5106 	struct bdaddr_list_with_flags *br_params;
5107 	struct hci_conn_params *params;
5108 	u8 status = MGMT_STATUS_INVALID_PARAMS;
5109 	u32 supported_flags;
5110 	u32 current_flags = __le32_to_cpu(cp->current_flags);
5111 
5112 	bt_dev_dbg(hdev, "Set device flags %pMR (type 0x%x) = 0x%x",
5113 		   &cp->addr.bdaddr, cp->addr.type, current_flags);
5114 
5115 	// We should take hci_dev_lock() early, I think.. conn_flags can change
5116 	supported_flags = hdev->conn_flags;
5117 
5118 	if ((supported_flags | current_flags) != supported_flags) {
5119 		bt_dev_warn(hdev, "Bad flag given (0x%x) vs supported (0x%0x)",
5120 			    current_flags, supported_flags);
5121 		goto done;
5122 	}
5123 
5124 	hci_dev_lock(hdev);
5125 
5126 	if (cp->addr.type == BDADDR_BREDR) {
5127 		br_params = hci_bdaddr_list_lookup_with_flags(&hdev->accept_list,
5128 							      &cp->addr.bdaddr,
5129 							      cp->addr.type);
5130 
5131 		if (br_params) {
5132 			br_params->flags = current_flags;
5133 			status = MGMT_STATUS_SUCCESS;
5134 		} else {
5135 			bt_dev_warn(hdev, "No such BR/EDR device %pMR (0x%x)",
5136 				    &cp->addr.bdaddr, cp->addr.type);
5137 		}
5138 
5139 		goto unlock;
5140 	}
5141 
5142 	params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr,
5143 					le_addr_type(cp->addr.type));
5144 	if (!params) {
5145 		bt_dev_warn(hdev, "No such LE device %pMR (0x%x)",
5146 			    &cp->addr.bdaddr, le_addr_type(cp->addr.type));
5147 		goto unlock;
5148 	}
5149 
5150 	supported_flags = get_params_flags(hdev, params);
5151 
5152 	if ((supported_flags | current_flags) != supported_flags) {
5153 		bt_dev_warn(hdev, "Bad flag given (0x%x) vs supported (0x%0x)",
5154 			    current_flags, supported_flags);
5155 		goto unlock;
5156 	}
5157 
5158 	params->flags = current_flags;
5159 	status = MGMT_STATUS_SUCCESS;
5160 
5161 	/* Update passive scan if HCI_CONN_FLAG_DEVICE_PRIVACY
5162 	 * has been set.
5163 	 */
5164 	if (params->flags & HCI_CONN_FLAG_DEVICE_PRIVACY)
5165 		hci_update_passive_scan(hdev);
5166 
5167 unlock:
5168 	hci_dev_unlock(hdev);
5169 
5170 done:
5171 	if (status == MGMT_STATUS_SUCCESS)
5172 		device_flags_changed(sk, hdev, &cp->addr.bdaddr, cp->addr.type,
5173 				     supported_flags, current_flags);
5174 
5175 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_DEVICE_FLAGS, status,
5176 				 &cp->addr, sizeof(cp->addr));
5177 }
5178 
mgmt_adv_monitor_added(struct sock * sk,struct hci_dev * hdev,u16 handle)5179 static void mgmt_adv_monitor_added(struct sock *sk, struct hci_dev *hdev,
5180 				   u16 handle)
5181 {
5182 	struct mgmt_ev_adv_monitor_added ev;
5183 
5184 	ev.monitor_handle = cpu_to_le16(handle);
5185 
5186 	mgmt_event(MGMT_EV_ADV_MONITOR_ADDED, hdev, &ev, sizeof(ev), sk);
5187 }
5188 
mgmt_adv_monitor_removed(struct hci_dev * hdev,u16 handle)5189 void mgmt_adv_monitor_removed(struct hci_dev *hdev, u16 handle)
5190 {
5191 	struct mgmt_ev_adv_monitor_removed ev;
5192 	struct mgmt_pending_cmd *cmd;
5193 	struct sock *sk_skip = NULL;
5194 	struct mgmt_cp_remove_adv_monitor *cp;
5195 
5196 	cmd = pending_find(MGMT_OP_REMOVE_ADV_MONITOR, hdev);
5197 	if (cmd) {
5198 		cp = cmd->param;
5199 
5200 		if (cp->monitor_handle)
5201 			sk_skip = cmd->sk;
5202 	}
5203 
5204 	ev.monitor_handle = cpu_to_le16(handle);
5205 
5206 	mgmt_event(MGMT_EV_ADV_MONITOR_REMOVED, hdev, &ev, sizeof(ev), sk_skip);
5207 }
5208 
read_adv_mon_features(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)5209 static int read_adv_mon_features(struct sock *sk, struct hci_dev *hdev,
5210 				 void *data, u16 len)
5211 {
5212 	struct adv_monitor *monitor = NULL;
5213 	struct mgmt_rp_read_adv_monitor_features *rp = NULL;
5214 	int handle, err;
5215 	size_t rp_size = 0;
5216 	__u32 supported = 0;
5217 	__u32 enabled = 0;
5218 	__u16 num_handles = 0;
5219 	__u16 handles[HCI_MAX_ADV_MONITOR_NUM_HANDLES];
5220 
5221 	BT_DBG("request for %s", hdev->name);
5222 
5223 	hci_dev_lock(hdev);
5224 
5225 	if (msft_monitor_supported(hdev))
5226 		supported |= MGMT_ADV_MONITOR_FEATURE_MASK_OR_PATTERNS;
5227 
5228 	idr_for_each_entry(&hdev->adv_monitors_idr, monitor, handle)
5229 		handles[num_handles++] = monitor->handle;
5230 
5231 	hci_dev_unlock(hdev);
5232 
5233 	rp_size = sizeof(*rp) + (num_handles * sizeof(u16));
5234 	rp = kmalloc(rp_size, GFP_KERNEL);
5235 	if (!rp)
5236 		return -ENOMEM;
5237 
5238 	/* All supported features are currently enabled */
5239 	enabled = supported;
5240 
5241 	rp->supported_features = cpu_to_le32(supported);
5242 	rp->enabled_features = cpu_to_le32(enabled);
5243 	rp->max_num_handles = cpu_to_le16(HCI_MAX_ADV_MONITOR_NUM_HANDLES);
5244 	rp->max_num_patterns = HCI_MAX_ADV_MONITOR_NUM_PATTERNS;
5245 	rp->num_handles = cpu_to_le16(num_handles);
5246 	if (num_handles)
5247 		memcpy(&rp->handles, &handles, (num_handles * sizeof(u16)));
5248 
5249 	err = mgmt_cmd_complete(sk, hdev->id,
5250 				MGMT_OP_READ_ADV_MONITOR_FEATURES,
5251 				MGMT_STATUS_SUCCESS, rp, rp_size);
5252 
5253 	kfree(rp);
5254 
5255 	return err;
5256 }
5257 
mgmt_add_adv_patterns_monitor_complete(struct hci_dev * hdev,void * data,int status)5258 static void mgmt_add_adv_patterns_monitor_complete(struct hci_dev *hdev,
5259 						   void *data, int status)
5260 {
5261 	struct mgmt_rp_add_adv_patterns_monitor rp;
5262 	struct mgmt_pending_cmd *cmd = data;
5263 	struct adv_monitor *monitor = cmd->user_data;
5264 
5265 	hci_dev_lock(hdev);
5266 
5267 	rp.monitor_handle = cpu_to_le16(monitor->handle);
5268 
5269 	if (!status) {
5270 		mgmt_adv_monitor_added(cmd->sk, hdev, monitor->handle);
5271 		hdev->adv_monitors_cnt++;
5272 		if (monitor->state == ADV_MONITOR_STATE_NOT_REGISTERED)
5273 			monitor->state = ADV_MONITOR_STATE_REGISTERED;
5274 		hci_update_passive_scan(hdev);
5275 	}
5276 
5277 	mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
5278 			  mgmt_status(status), &rp, sizeof(rp));
5279 	mgmt_pending_remove(cmd);
5280 
5281 	hci_dev_unlock(hdev);
5282 	bt_dev_dbg(hdev, "add monitor %d complete, status %d",
5283 		   rp.monitor_handle, status);
5284 }
5285 
mgmt_add_adv_patterns_monitor_sync(struct hci_dev * hdev,void * data)5286 static int mgmt_add_adv_patterns_monitor_sync(struct hci_dev *hdev, void *data)
5287 {
5288 	struct mgmt_pending_cmd *cmd = data;
5289 	struct adv_monitor *monitor = cmd->user_data;
5290 
5291 	return hci_add_adv_monitor(hdev, monitor);
5292 }
5293 
__add_adv_patterns_monitor(struct sock * sk,struct hci_dev * hdev,struct adv_monitor * m,u8 status,void * data,u16 len,u16 op)5294 static int __add_adv_patterns_monitor(struct sock *sk, struct hci_dev *hdev,
5295 				      struct adv_monitor *m, u8 status,
5296 				      void *data, u16 len, u16 op)
5297 {
5298 	struct mgmt_pending_cmd *cmd;
5299 	int err;
5300 
5301 	hci_dev_lock(hdev);
5302 
5303 	if (status)
5304 		goto unlock;
5305 
5306 	if (pending_find(MGMT_OP_SET_LE, hdev) ||
5307 	    pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR, hdev) ||
5308 	    pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR_RSSI, hdev) ||
5309 	    pending_find(MGMT_OP_REMOVE_ADV_MONITOR, hdev)) {
5310 		status = MGMT_STATUS_BUSY;
5311 		goto unlock;
5312 	}
5313 
5314 	cmd = mgmt_pending_add(sk, op, hdev, data, len);
5315 	if (!cmd) {
5316 		status = MGMT_STATUS_NO_RESOURCES;
5317 		goto unlock;
5318 	}
5319 
5320 	cmd->user_data = m;
5321 	err = hci_cmd_sync_queue(hdev, mgmt_add_adv_patterns_monitor_sync, cmd,
5322 				 mgmt_add_adv_patterns_monitor_complete);
5323 	if (err) {
5324 		if (err == -ENOMEM)
5325 			status = MGMT_STATUS_NO_RESOURCES;
5326 		else
5327 			status = MGMT_STATUS_FAILED;
5328 
5329 		goto unlock;
5330 	}
5331 
5332 	hci_dev_unlock(hdev);
5333 
5334 	return 0;
5335 
5336 unlock:
5337 	hci_free_adv_monitor(hdev, m);
5338 	hci_dev_unlock(hdev);
5339 	return mgmt_cmd_status(sk, hdev->id, op, status);
5340 }
5341 
parse_adv_monitor_rssi(struct adv_monitor * m,struct mgmt_adv_rssi_thresholds * rssi)5342 static void parse_adv_monitor_rssi(struct adv_monitor *m,
5343 				   struct mgmt_adv_rssi_thresholds *rssi)
5344 {
5345 	if (rssi) {
5346 		m->rssi.low_threshold = rssi->low_threshold;
5347 		m->rssi.low_threshold_timeout =
5348 		    __le16_to_cpu(rssi->low_threshold_timeout);
5349 		m->rssi.high_threshold = rssi->high_threshold;
5350 		m->rssi.high_threshold_timeout =
5351 		    __le16_to_cpu(rssi->high_threshold_timeout);
5352 		m->rssi.sampling_period = rssi->sampling_period;
5353 	} else {
5354 		/* Default values. These numbers are the least constricting
5355 		 * parameters for MSFT API to work, so it behaves as if there
5356 		 * are no rssi parameter to consider. May need to be changed
5357 		 * if other API are to be supported.
5358 		 */
5359 		m->rssi.low_threshold = -127;
5360 		m->rssi.low_threshold_timeout = 60;
5361 		m->rssi.high_threshold = -127;
5362 		m->rssi.high_threshold_timeout = 0;
5363 		m->rssi.sampling_period = 0;
5364 	}
5365 }
5366 
parse_adv_monitor_pattern(struct adv_monitor * m,u8 pattern_count,struct mgmt_adv_pattern * patterns)5367 static u8 parse_adv_monitor_pattern(struct adv_monitor *m, u8 pattern_count,
5368 				    struct mgmt_adv_pattern *patterns)
5369 {
5370 	u8 offset = 0, length = 0;
5371 	struct adv_pattern *p = NULL;
5372 	int i;
5373 
5374 	for (i = 0; i < pattern_count; i++) {
5375 		offset = patterns[i].offset;
5376 		length = patterns[i].length;
5377 		if (offset >= HCI_MAX_AD_LENGTH ||
5378 		    length > HCI_MAX_AD_LENGTH ||
5379 		    (offset + length) > HCI_MAX_AD_LENGTH)
5380 			return MGMT_STATUS_INVALID_PARAMS;
5381 
5382 		p = kmalloc(sizeof(*p), GFP_KERNEL);
5383 		if (!p)
5384 			return MGMT_STATUS_NO_RESOURCES;
5385 
5386 		p->ad_type = patterns[i].ad_type;
5387 		p->offset = patterns[i].offset;
5388 		p->length = patterns[i].length;
5389 		memcpy(p->value, patterns[i].value, p->length);
5390 
5391 		INIT_LIST_HEAD(&p->list);
5392 		list_add(&p->list, &m->patterns);
5393 	}
5394 
5395 	return MGMT_STATUS_SUCCESS;
5396 }
5397 
add_adv_patterns_monitor(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)5398 static int add_adv_patterns_monitor(struct sock *sk, struct hci_dev *hdev,
5399 				    void *data, u16 len)
5400 {
5401 	struct mgmt_cp_add_adv_patterns_monitor *cp = data;
5402 	struct adv_monitor *m = NULL;
5403 	u8 status = MGMT_STATUS_SUCCESS;
5404 	size_t expected_size = sizeof(*cp);
5405 
5406 	BT_DBG("request for %s", hdev->name);
5407 
5408 	if (len <= sizeof(*cp)) {
5409 		status = MGMT_STATUS_INVALID_PARAMS;
5410 		goto done;
5411 	}
5412 
5413 	expected_size += cp->pattern_count * sizeof(struct mgmt_adv_pattern);
5414 	if (len != expected_size) {
5415 		status = MGMT_STATUS_INVALID_PARAMS;
5416 		goto done;
5417 	}
5418 
5419 	m = kzalloc(sizeof(*m), GFP_KERNEL);
5420 	if (!m) {
5421 		status = MGMT_STATUS_NO_RESOURCES;
5422 		goto done;
5423 	}
5424 
5425 	INIT_LIST_HEAD(&m->patterns);
5426 
5427 	parse_adv_monitor_rssi(m, NULL);
5428 	status = parse_adv_monitor_pattern(m, cp->pattern_count, cp->patterns);
5429 
5430 done:
5431 	return __add_adv_patterns_monitor(sk, hdev, m, status, data, len,
5432 					  MGMT_OP_ADD_ADV_PATTERNS_MONITOR);
5433 }
5434 
add_adv_patterns_monitor_rssi(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)5435 static int add_adv_patterns_monitor_rssi(struct sock *sk, struct hci_dev *hdev,
5436 					 void *data, u16 len)
5437 {
5438 	struct mgmt_cp_add_adv_patterns_monitor_rssi *cp = data;
5439 	struct adv_monitor *m = NULL;
5440 	u8 status = MGMT_STATUS_SUCCESS;
5441 	size_t expected_size = sizeof(*cp);
5442 
5443 	BT_DBG("request for %s", hdev->name);
5444 
5445 	if (len <= sizeof(*cp)) {
5446 		status = MGMT_STATUS_INVALID_PARAMS;
5447 		goto done;
5448 	}
5449 
5450 	expected_size += cp->pattern_count * sizeof(struct mgmt_adv_pattern);
5451 	if (len != expected_size) {
5452 		status = MGMT_STATUS_INVALID_PARAMS;
5453 		goto done;
5454 	}
5455 
5456 	m = kzalloc(sizeof(*m), GFP_KERNEL);
5457 	if (!m) {
5458 		status = MGMT_STATUS_NO_RESOURCES;
5459 		goto done;
5460 	}
5461 
5462 	INIT_LIST_HEAD(&m->patterns);
5463 
5464 	parse_adv_monitor_rssi(m, &cp->rssi);
5465 	status = parse_adv_monitor_pattern(m, cp->pattern_count, cp->patterns);
5466 
5467 done:
5468 	return __add_adv_patterns_monitor(sk, hdev, m, status, data, len,
5469 					 MGMT_OP_ADD_ADV_PATTERNS_MONITOR_RSSI);
5470 }
5471 
mgmt_remove_adv_monitor_complete(struct hci_dev * hdev,void * data,int status)5472 static void mgmt_remove_adv_monitor_complete(struct hci_dev *hdev,
5473 					     void *data, int status)
5474 {
5475 	struct mgmt_rp_remove_adv_monitor rp;
5476 	struct mgmt_pending_cmd *cmd = data;
5477 	struct mgmt_cp_remove_adv_monitor *cp = cmd->param;
5478 
5479 	hci_dev_lock(hdev);
5480 
5481 	rp.monitor_handle = cp->monitor_handle;
5482 
5483 	if (!status)
5484 		hci_update_passive_scan(hdev);
5485 
5486 	mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
5487 			  mgmt_status(status), &rp, sizeof(rp));
5488 	mgmt_pending_remove(cmd);
5489 
5490 	hci_dev_unlock(hdev);
5491 	bt_dev_dbg(hdev, "remove monitor %d complete, status %d",
5492 		   rp.monitor_handle, status);
5493 }
5494 
mgmt_remove_adv_monitor_sync(struct hci_dev * hdev,void * data)5495 static int mgmt_remove_adv_monitor_sync(struct hci_dev *hdev, void *data)
5496 {
5497 	struct mgmt_pending_cmd *cmd = data;
5498 	struct mgmt_cp_remove_adv_monitor *cp = cmd->param;
5499 	u16 handle = __le16_to_cpu(cp->monitor_handle);
5500 
5501 	if (!handle)
5502 		return hci_remove_all_adv_monitor(hdev);
5503 
5504 	return hci_remove_single_adv_monitor(hdev, handle);
5505 }
5506 
remove_adv_monitor(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)5507 static int remove_adv_monitor(struct sock *sk, struct hci_dev *hdev,
5508 			      void *data, u16 len)
5509 {
5510 	struct mgmt_pending_cmd *cmd;
5511 	int err, status;
5512 
5513 	hci_dev_lock(hdev);
5514 
5515 	if (pending_find(MGMT_OP_SET_LE, hdev) ||
5516 	    pending_find(MGMT_OP_REMOVE_ADV_MONITOR, hdev) ||
5517 	    pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR, hdev) ||
5518 	    pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR_RSSI, hdev)) {
5519 		status = MGMT_STATUS_BUSY;
5520 		goto unlock;
5521 	}
5522 
5523 	cmd = mgmt_pending_add(sk, MGMT_OP_REMOVE_ADV_MONITOR, hdev, data, len);
5524 	if (!cmd) {
5525 		status = MGMT_STATUS_NO_RESOURCES;
5526 		goto unlock;
5527 	}
5528 
5529 	err = hci_cmd_sync_queue(hdev, mgmt_remove_adv_monitor_sync, cmd,
5530 				 mgmt_remove_adv_monitor_complete);
5531 
5532 	if (err) {
5533 		mgmt_pending_remove(cmd);
5534 
5535 		if (err == -ENOMEM)
5536 			status = MGMT_STATUS_NO_RESOURCES;
5537 		else
5538 			status = MGMT_STATUS_FAILED;
5539 
5540 		goto unlock;
5541 	}
5542 
5543 	hci_dev_unlock(hdev);
5544 
5545 	return 0;
5546 
5547 unlock:
5548 	hci_dev_unlock(hdev);
5549 	return mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_ADV_MONITOR,
5550 			       status);
5551 }
5552 
read_local_oob_data_complete(struct hci_dev * hdev,void * data,int err)5553 static void read_local_oob_data_complete(struct hci_dev *hdev, void *data, int err)
5554 {
5555 	struct mgmt_rp_read_local_oob_data mgmt_rp;
5556 	size_t rp_size = sizeof(mgmt_rp);
5557 	struct mgmt_pending_cmd *cmd = data;
5558 	struct sk_buff *skb = cmd->skb;
5559 	u8 status = mgmt_status(err);
5560 
5561 	if (!status) {
5562 		if (!skb)
5563 			status = MGMT_STATUS_FAILED;
5564 		else if (IS_ERR(skb))
5565 			status = mgmt_status(PTR_ERR(skb));
5566 		else
5567 			status = mgmt_status(skb->data[0]);
5568 	}
5569 
5570 	bt_dev_dbg(hdev, "status %d", status);
5571 
5572 	if (status) {
5573 		mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA, status);
5574 		goto remove;
5575 	}
5576 
5577 	memset(&mgmt_rp, 0, sizeof(mgmt_rp));
5578 
5579 	if (!bredr_sc_enabled(hdev)) {
5580 		struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
5581 
5582 		if (skb->len < sizeof(*rp)) {
5583 			mgmt_cmd_status(cmd->sk, hdev->id,
5584 					MGMT_OP_READ_LOCAL_OOB_DATA,
5585 					MGMT_STATUS_FAILED);
5586 			goto remove;
5587 		}
5588 
5589 		memcpy(mgmt_rp.hash192, rp->hash, sizeof(rp->hash));
5590 		memcpy(mgmt_rp.rand192, rp->rand, sizeof(rp->rand));
5591 
5592 		rp_size -= sizeof(mgmt_rp.hash256) + sizeof(mgmt_rp.rand256);
5593 	} else {
5594 		struct hci_rp_read_local_oob_ext_data *rp = (void *) skb->data;
5595 
5596 		if (skb->len < sizeof(*rp)) {
5597 			mgmt_cmd_status(cmd->sk, hdev->id,
5598 					MGMT_OP_READ_LOCAL_OOB_DATA,
5599 					MGMT_STATUS_FAILED);
5600 			goto remove;
5601 		}
5602 
5603 		memcpy(mgmt_rp.hash192, rp->hash192, sizeof(rp->hash192));
5604 		memcpy(mgmt_rp.rand192, rp->rand192, sizeof(rp->rand192));
5605 
5606 		memcpy(mgmt_rp.hash256, rp->hash256, sizeof(rp->hash256));
5607 		memcpy(mgmt_rp.rand256, rp->rand256, sizeof(rp->rand256));
5608 	}
5609 
5610 	mgmt_cmd_complete(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
5611 			  MGMT_STATUS_SUCCESS, &mgmt_rp, rp_size);
5612 
5613 remove:
5614 	if (skb && !IS_ERR(skb))
5615 		kfree_skb(skb);
5616 
5617 	mgmt_pending_free(cmd);
5618 }
5619 
read_local_oob_data_sync(struct hci_dev * hdev,void * data)5620 static int read_local_oob_data_sync(struct hci_dev *hdev, void *data)
5621 {
5622 	struct mgmt_pending_cmd *cmd = data;
5623 
5624 	if (bredr_sc_enabled(hdev))
5625 		cmd->skb = hci_read_local_oob_data_sync(hdev, true, cmd->sk);
5626 	else
5627 		cmd->skb = hci_read_local_oob_data_sync(hdev, false, cmd->sk);
5628 
5629 	if (IS_ERR(cmd->skb))
5630 		return PTR_ERR(cmd->skb);
5631 	else
5632 		return 0;
5633 }
5634 
read_local_oob_data(struct sock * sk,struct hci_dev * hdev,void * data,u16 data_len)5635 static int read_local_oob_data(struct sock *sk, struct hci_dev *hdev,
5636 			       void *data, u16 data_len)
5637 {
5638 	struct mgmt_pending_cmd *cmd;
5639 	int err;
5640 
5641 	bt_dev_dbg(hdev, "sock %p", sk);
5642 
5643 	hci_dev_lock(hdev);
5644 
5645 	if (!hdev_is_powered(hdev)) {
5646 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
5647 				      MGMT_STATUS_NOT_POWERED);
5648 		goto unlock;
5649 	}
5650 
5651 	if (!lmp_ssp_capable(hdev)) {
5652 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
5653 				      MGMT_STATUS_NOT_SUPPORTED);
5654 		goto unlock;
5655 	}
5656 
5657 	cmd = mgmt_pending_new(sk, MGMT_OP_READ_LOCAL_OOB_DATA, hdev, NULL, 0);
5658 	if (!cmd)
5659 		err = -ENOMEM;
5660 	else
5661 		err = hci_cmd_sync_queue(hdev, read_local_oob_data_sync, cmd,
5662 					 read_local_oob_data_complete);
5663 
5664 	if (err < 0) {
5665 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
5666 				      MGMT_STATUS_FAILED);
5667 
5668 		if (cmd)
5669 			mgmt_pending_free(cmd);
5670 	}
5671 
5672 unlock:
5673 	hci_dev_unlock(hdev);
5674 	return err;
5675 }
5676 
add_remote_oob_data(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)5677 static int add_remote_oob_data(struct sock *sk, struct hci_dev *hdev,
5678 			       void *data, u16 len)
5679 {
5680 	struct mgmt_addr_info *addr = data;
5681 	int err;
5682 
5683 	bt_dev_dbg(hdev, "sock %p", sk);
5684 
5685 	if (!bdaddr_type_is_valid(addr->type))
5686 		return mgmt_cmd_complete(sk, hdev->id,
5687 					 MGMT_OP_ADD_REMOTE_OOB_DATA,
5688 					 MGMT_STATUS_INVALID_PARAMS,
5689 					 addr, sizeof(*addr));
5690 
5691 	hci_dev_lock(hdev);
5692 
5693 	if (len == MGMT_ADD_REMOTE_OOB_DATA_SIZE) {
5694 		struct mgmt_cp_add_remote_oob_data *cp = data;
5695 		u8 status;
5696 
5697 		if (cp->addr.type != BDADDR_BREDR) {
5698 			err = mgmt_cmd_complete(sk, hdev->id,
5699 						MGMT_OP_ADD_REMOTE_OOB_DATA,
5700 						MGMT_STATUS_INVALID_PARAMS,
5701 						&cp->addr, sizeof(cp->addr));
5702 			goto unlock;
5703 		}
5704 
5705 		err = hci_add_remote_oob_data(hdev, &cp->addr.bdaddr,
5706 					      cp->addr.type, cp->hash,
5707 					      cp->rand, NULL, NULL);
5708 		if (err < 0)
5709 			status = MGMT_STATUS_FAILED;
5710 		else
5711 			status = MGMT_STATUS_SUCCESS;
5712 
5713 		err = mgmt_cmd_complete(sk, hdev->id,
5714 					MGMT_OP_ADD_REMOTE_OOB_DATA, status,
5715 					&cp->addr, sizeof(cp->addr));
5716 	} else if (len == MGMT_ADD_REMOTE_OOB_EXT_DATA_SIZE) {
5717 		struct mgmt_cp_add_remote_oob_ext_data *cp = data;
5718 		u8 *rand192, *hash192, *rand256, *hash256;
5719 		u8 status;
5720 
5721 		if (bdaddr_type_is_le(cp->addr.type)) {
5722 			/* Enforce zero-valued 192-bit parameters as
5723 			 * long as legacy SMP OOB isn't implemented.
5724 			 */
5725 			if (memcmp(cp->rand192, ZERO_KEY, 16) ||
5726 			    memcmp(cp->hash192, ZERO_KEY, 16)) {
5727 				err = mgmt_cmd_complete(sk, hdev->id,
5728 							MGMT_OP_ADD_REMOTE_OOB_DATA,
5729 							MGMT_STATUS_INVALID_PARAMS,
5730 							addr, sizeof(*addr));
5731 				goto unlock;
5732 			}
5733 
5734 			rand192 = NULL;
5735 			hash192 = NULL;
5736 		} else {
5737 			/* In case one of the P-192 values is set to zero,
5738 			 * then just disable OOB data for P-192.
5739 			 */
5740 			if (!memcmp(cp->rand192, ZERO_KEY, 16) ||
5741 			    !memcmp(cp->hash192, ZERO_KEY, 16)) {
5742 				rand192 = NULL;
5743 				hash192 = NULL;
5744 			} else {
5745 				rand192 = cp->rand192;
5746 				hash192 = cp->hash192;
5747 			}
5748 		}
5749 
5750 		/* In case one of the P-256 values is set to zero, then just
5751 		 * disable OOB data for P-256.
5752 		 */
5753 		if (!memcmp(cp->rand256, ZERO_KEY, 16) ||
5754 		    !memcmp(cp->hash256, ZERO_KEY, 16)) {
5755 			rand256 = NULL;
5756 			hash256 = NULL;
5757 		} else {
5758 			rand256 = cp->rand256;
5759 			hash256 = cp->hash256;
5760 		}
5761 
5762 		err = hci_add_remote_oob_data(hdev, &cp->addr.bdaddr,
5763 					      cp->addr.type, hash192, rand192,
5764 					      hash256, rand256);
5765 		if (err < 0)
5766 			status = MGMT_STATUS_FAILED;
5767 		else
5768 			status = MGMT_STATUS_SUCCESS;
5769 
5770 		err = mgmt_cmd_complete(sk, hdev->id,
5771 					MGMT_OP_ADD_REMOTE_OOB_DATA,
5772 					status, &cp->addr, sizeof(cp->addr));
5773 	} else {
5774 		bt_dev_err(hdev, "add_remote_oob_data: invalid len of %u bytes",
5775 			   len);
5776 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_REMOTE_OOB_DATA,
5777 				      MGMT_STATUS_INVALID_PARAMS);
5778 	}
5779 
5780 unlock:
5781 	hci_dev_unlock(hdev);
5782 	return err;
5783 }
5784 
remove_remote_oob_data(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)5785 static int remove_remote_oob_data(struct sock *sk, struct hci_dev *hdev,
5786 				  void *data, u16 len)
5787 {
5788 	struct mgmt_cp_remove_remote_oob_data *cp = data;
5789 	u8 status;
5790 	int err;
5791 
5792 	bt_dev_dbg(hdev, "sock %p", sk);
5793 
5794 	if (cp->addr.type != BDADDR_BREDR)
5795 		return mgmt_cmd_complete(sk, hdev->id,
5796 					 MGMT_OP_REMOVE_REMOTE_OOB_DATA,
5797 					 MGMT_STATUS_INVALID_PARAMS,
5798 					 &cp->addr, sizeof(cp->addr));
5799 
5800 	hci_dev_lock(hdev);
5801 
5802 	if (!bacmp(&cp->addr.bdaddr, BDADDR_ANY)) {
5803 		hci_remote_oob_data_clear(hdev);
5804 		status = MGMT_STATUS_SUCCESS;
5805 		goto done;
5806 	}
5807 
5808 	err = hci_remove_remote_oob_data(hdev, &cp->addr.bdaddr, cp->addr.type);
5809 	if (err < 0)
5810 		status = MGMT_STATUS_INVALID_PARAMS;
5811 	else
5812 		status = MGMT_STATUS_SUCCESS;
5813 
5814 done:
5815 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
5816 				status, &cp->addr, sizeof(cp->addr));
5817 
5818 	hci_dev_unlock(hdev);
5819 	return err;
5820 }
5821 
mgmt_start_discovery_complete(struct hci_dev * hdev,u8 status)5822 void mgmt_start_discovery_complete(struct hci_dev *hdev, u8 status)
5823 {
5824 	struct mgmt_pending_cmd *cmd;
5825 
5826 	bt_dev_dbg(hdev, "status %u", status);
5827 
5828 	hci_dev_lock(hdev);
5829 
5830 	cmd = pending_find(MGMT_OP_START_DISCOVERY, hdev);
5831 	if (!cmd)
5832 		cmd = pending_find(MGMT_OP_START_SERVICE_DISCOVERY, hdev);
5833 
5834 	if (!cmd)
5835 		cmd = pending_find(MGMT_OP_START_LIMITED_DISCOVERY, hdev);
5836 
5837 	if (cmd) {
5838 		cmd->cmd_complete(cmd, mgmt_status(status));
5839 		mgmt_pending_remove(cmd);
5840 	}
5841 
5842 	hci_dev_unlock(hdev);
5843 }
5844 
discovery_type_is_valid(struct hci_dev * hdev,uint8_t type,uint8_t * mgmt_status)5845 static bool discovery_type_is_valid(struct hci_dev *hdev, uint8_t type,
5846 				    uint8_t *mgmt_status)
5847 {
5848 	switch (type) {
5849 	case DISCOV_TYPE_LE:
5850 		*mgmt_status = mgmt_le_support(hdev);
5851 		if (*mgmt_status)
5852 			return false;
5853 		break;
5854 	case DISCOV_TYPE_INTERLEAVED:
5855 		*mgmt_status = mgmt_le_support(hdev);
5856 		if (*mgmt_status)
5857 			return false;
5858 		fallthrough;
5859 	case DISCOV_TYPE_BREDR:
5860 		*mgmt_status = mgmt_bredr_support(hdev);
5861 		if (*mgmt_status)
5862 			return false;
5863 		break;
5864 	default:
5865 		*mgmt_status = MGMT_STATUS_INVALID_PARAMS;
5866 		return false;
5867 	}
5868 
5869 	return true;
5870 }
5871 
start_discovery_complete(struct hci_dev * hdev,void * data,int err)5872 static void start_discovery_complete(struct hci_dev *hdev, void *data, int err)
5873 {
5874 	struct mgmt_pending_cmd *cmd = data;
5875 
5876 	if (cmd != pending_find(MGMT_OP_START_DISCOVERY, hdev) &&
5877 	    cmd != pending_find(MGMT_OP_START_LIMITED_DISCOVERY, hdev) &&
5878 	    cmd != pending_find(MGMT_OP_START_SERVICE_DISCOVERY, hdev))
5879 		return;
5880 
5881 	bt_dev_dbg(hdev, "err %d", err);
5882 
5883 	mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, mgmt_status(err),
5884 			  cmd->param, 1);
5885 	mgmt_pending_remove(cmd);
5886 
5887 	hci_discovery_set_state(hdev, err ? DISCOVERY_STOPPED:
5888 				DISCOVERY_FINDING);
5889 }
5890 
start_discovery_sync(struct hci_dev * hdev,void * data)5891 static int start_discovery_sync(struct hci_dev *hdev, void *data)
5892 {
5893 	return hci_start_discovery_sync(hdev);
5894 }
5895 
start_discovery_internal(struct sock * sk,struct hci_dev * hdev,u16 op,void * data,u16 len)5896 static int start_discovery_internal(struct sock *sk, struct hci_dev *hdev,
5897 				    u16 op, void *data, u16 len)
5898 {
5899 	struct mgmt_cp_start_discovery *cp = data;
5900 	struct mgmt_pending_cmd *cmd;
5901 	u8 status;
5902 	int err;
5903 
5904 	bt_dev_dbg(hdev, "sock %p", sk);
5905 
5906 	hci_dev_lock(hdev);
5907 
5908 	if (!hdev_is_powered(hdev)) {
5909 		err = mgmt_cmd_complete(sk, hdev->id, op,
5910 					MGMT_STATUS_NOT_POWERED,
5911 					&cp->type, sizeof(cp->type));
5912 		goto failed;
5913 	}
5914 
5915 	if (hdev->discovery.state != DISCOVERY_STOPPED ||
5916 	    hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) {
5917 		err = mgmt_cmd_complete(sk, hdev->id, op, MGMT_STATUS_BUSY,
5918 					&cp->type, sizeof(cp->type));
5919 		goto failed;
5920 	}
5921 
5922 	if (!discovery_type_is_valid(hdev, cp->type, &status)) {
5923 		err = mgmt_cmd_complete(sk, hdev->id, op, status,
5924 					&cp->type, sizeof(cp->type));
5925 		goto failed;
5926 	}
5927 
5928 	/* Can't start discovery when it is paused */
5929 	if (hdev->discovery_paused) {
5930 		err = mgmt_cmd_complete(sk, hdev->id, op, MGMT_STATUS_BUSY,
5931 					&cp->type, sizeof(cp->type));
5932 		goto failed;
5933 	}
5934 
5935 	/* Clear the discovery filter first to free any previously
5936 	 * allocated memory for the UUID list.
5937 	 */
5938 	hci_discovery_filter_clear(hdev);
5939 
5940 	hdev->discovery.type = cp->type;
5941 	hdev->discovery.report_invalid_rssi = false;
5942 	if (op == MGMT_OP_START_LIMITED_DISCOVERY)
5943 		hdev->discovery.limited = true;
5944 	else
5945 		hdev->discovery.limited = false;
5946 
5947 	cmd = mgmt_pending_add(sk, op, hdev, data, len);
5948 	if (!cmd) {
5949 		err = -ENOMEM;
5950 		goto failed;
5951 	}
5952 
5953 	err = hci_cmd_sync_queue(hdev, start_discovery_sync, cmd,
5954 				 start_discovery_complete);
5955 	if (err < 0) {
5956 		mgmt_pending_remove(cmd);
5957 		goto failed;
5958 	}
5959 
5960 	hci_discovery_set_state(hdev, DISCOVERY_STARTING);
5961 
5962 failed:
5963 	hci_dev_unlock(hdev);
5964 	return err;
5965 }
5966 
start_discovery(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)5967 static int start_discovery(struct sock *sk, struct hci_dev *hdev,
5968 			   void *data, u16 len)
5969 {
5970 	return start_discovery_internal(sk, hdev, MGMT_OP_START_DISCOVERY,
5971 					data, len);
5972 }
5973 
start_limited_discovery(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)5974 static int start_limited_discovery(struct sock *sk, struct hci_dev *hdev,
5975 				   void *data, u16 len)
5976 {
5977 	return start_discovery_internal(sk, hdev,
5978 					MGMT_OP_START_LIMITED_DISCOVERY,
5979 					data, len);
5980 }
5981 
start_service_discovery(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)5982 static int start_service_discovery(struct sock *sk, struct hci_dev *hdev,
5983 				   void *data, u16 len)
5984 {
5985 	struct mgmt_cp_start_service_discovery *cp = data;
5986 	struct mgmt_pending_cmd *cmd;
5987 	const u16 max_uuid_count = ((U16_MAX - sizeof(*cp)) / 16);
5988 	u16 uuid_count, expected_len;
5989 	u8 status;
5990 	int err;
5991 
5992 	bt_dev_dbg(hdev, "sock %p", sk);
5993 
5994 	hci_dev_lock(hdev);
5995 
5996 	if (!hdev_is_powered(hdev)) {
5997 		err = mgmt_cmd_complete(sk, hdev->id,
5998 					MGMT_OP_START_SERVICE_DISCOVERY,
5999 					MGMT_STATUS_NOT_POWERED,
6000 					&cp->type, sizeof(cp->type));
6001 		goto failed;
6002 	}
6003 
6004 	if (hdev->discovery.state != DISCOVERY_STOPPED ||
6005 	    hci_dev_test_flag(hdev, HCI_PERIODIC_INQ)) {
6006 		err = mgmt_cmd_complete(sk, hdev->id,
6007 					MGMT_OP_START_SERVICE_DISCOVERY,
6008 					MGMT_STATUS_BUSY, &cp->type,
6009 					sizeof(cp->type));
6010 		goto failed;
6011 	}
6012 
6013 	if (hdev->discovery_paused) {
6014 		err = mgmt_cmd_complete(sk, hdev->id,
6015 					MGMT_OP_START_SERVICE_DISCOVERY,
6016 					MGMT_STATUS_BUSY, &cp->type,
6017 					sizeof(cp->type));
6018 		goto failed;
6019 	}
6020 
6021 	uuid_count = __le16_to_cpu(cp->uuid_count);
6022 	if (uuid_count > max_uuid_count) {
6023 		bt_dev_err(hdev, "service_discovery: too big uuid_count value %u",
6024 			   uuid_count);
6025 		err = mgmt_cmd_complete(sk, hdev->id,
6026 					MGMT_OP_START_SERVICE_DISCOVERY,
6027 					MGMT_STATUS_INVALID_PARAMS, &cp->type,
6028 					sizeof(cp->type));
6029 		goto failed;
6030 	}
6031 
6032 	expected_len = sizeof(*cp) + uuid_count * 16;
6033 	if (expected_len != len) {
6034 		bt_dev_err(hdev, "service_discovery: expected %u bytes, got %u bytes",
6035 			   expected_len, len);
6036 		err = mgmt_cmd_complete(sk, hdev->id,
6037 					MGMT_OP_START_SERVICE_DISCOVERY,
6038 					MGMT_STATUS_INVALID_PARAMS, &cp->type,
6039 					sizeof(cp->type));
6040 		goto failed;
6041 	}
6042 
6043 	if (!discovery_type_is_valid(hdev, cp->type, &status)) {
6044 		err = mgmt_cmd_complete(sk, hdev->id,
6045 					MGMT_OP_START_SERVICE_DISCOVERY,
6046 					status, &cp->type, sizeof(cp->type));
6047 		goto failed;
6048 	}
6049 
6050 	cmd = mgmt_pending_add(sk, MGMT_OP_START_SERVICE_DISCOVERY,
6051 			       hdev, data, len);
6052 	if (!cmd) {
6053 		err = -ENOMEM;
6054 		goto failed;
6055 	}
6056 
6057 	/* Clear the discovery filter first to free any previously
6058 	 * allocated memory for the UUID list.
6059 	 */
6060 	hci_discovery_filter_clear(hdev);
6061 
6062 	hdev->discovery.result_filtering = true;
6063 	hdev->discovery.type = cp->type;
6064 	hdev->discovery.rssi = cp->rssi;
6065 	hdev->discovery.uuid_count = uuid_count;
6066 
6067 	if (uuid_count > 0) {
6068 		hdev->discovery.uuids = kmemdup(cp->uuids, uuid_count * 16,
6069 						GFP_KERNEL);
6070 		if (!hdev->discovery.uuids) {
6071 			err = mgmt_cmd_complete(sk, hdev->id,
6072 						MGMT_OP_START_SERVICE_DISCOVERY,
6073 						MGMT_STATUS_FAILED,
6074 						&cp->type, sizeof(cp->type));
6075 			mgmt_pending_remove(cmd);
6076 			goto failed;
6077 		}
6078 	}
6079 
6080 	err = hci_cmd_sync_queue(hdev, start_discovery_sync, cmd,
6081 				 start_discovery_complete);
6082 	if (err < 0) {
6083 		mgmt_pending_remove(cmd);
6084 		goto failed;
6085 	}
6086 
6087 	hci_discovery_set_state(hdev, DISCOVERY_STARTING);
6088 
6089 failed:
6090 	hci_dev_unlock(hdev);
6091 	return err;
6092 }
6093 
mgmt_stop_discovery_complete(struct hci_dev * hdev,u8 status)6094 void mgmt_stop_discovery_complete(struct hci_dev *hdev, u8 status)
6095 {
6096 	struct mgmt_pending_cmd *cmd;
6097 
6098 	bt_dev_dbg(hdev, "status %u", status);
6099 
6100 	hci_dev_lock(hdev);
6101 
6102 	cmd = pending_find(MGMT_OP_STOP_DISCOVERY, hdev);
6103 	if (cmd) {
6104 		cmd->cmd_complete(cmd, mgmt_status(status));
6105 		mgmt_pending_remove(cmd);
6106 	}
6107 
6108 	hci_dev_unlock(hdev);
6109 }
6110 
stop_discovery_complete(struct hci_dev * hdev,void * data,int err)6111 static void stop_discovery_complete(struct hci_dev *hdev, void *data, int err)
6112 {
6113 	struct mgmt_pending_cmd *cmd = data;
6114 
6115 	if (cmd != pending_find(MGMT_OP_STOP_DISCOVERY, hdev))
6116 		return;
6117 
6118 	bt_dev_dbg(hdev, "err %d", err);
6119 
6120 	mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, mgmt_status(err),
6121 			  cmd->param, 1);
6122 	mgmt_pending_remove(cmd);
6123 
6124 	if (!err)
6125 		hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
6126 }
6127 
stop_discovery_sync(struct hci_dev * hdev,void * data)6128 static int stop_discovery_sync(struct hci_dev *hdev, void *data)
6129 {
6130 	return hci_stop_discovery_sync(hdev);
6131 }
6132 
stop_discovery(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)6133 static int stop_discovery(struct sock *sk, struct hci_dev *hdev, void *data,
6134 			  u16 len)
6135 {
6136 	struct mgmt_cp_stop_discovery *mgmt_cp = data;
6137 	struct mgmt_pending_cmd *cmd;
6138 	int err;
6139 
6140 	bt_dev_dbg(hdev, "sock %p", sk);
6141 
6142 	hci_dev_lock(hdev);
6143 
6144 	if (!hci_discovery_active(hdev)) {
6145 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_STOP_DISCOVERY,
6146 					MGMT_STATUS_REJECTED, &mgmt_cp->type,
6147 					sizeof(mgmt_cp->type));
6148 		goto unlock;
6149 	}
6150 
6151 	if (hdev->discovery.type != mgmt_cp->type) {
6152 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_STOP_DISCOVERY,
6153 					MGMT_STATUS_INVALID_PARAMS,
6154 					&mgmt_cp->type, sizeof(mgmt_cp->type));
6155 		goto unlock;
6156 	}
6157 
6158 	cmd = mgmt_pending_add(sk, MGMT_OP_STOP_DISCOVERY, hdev, data, len);
6159 	if (!cmd) {
6160 		err = -ENOMEM;
6161 		goto unlock;
6162 	}
6163 
6164 	err = hci_cmd_sync_queue(hdev, stop_discovery_sync, cmd,
6165 				 stop_discovery_complete);
6166 	if (err < 0) {
6167 		mgmt_pending_remove(cmd);
6168 		goto unlock;
6169 	}
6170 
6171 	hci_discovery_set_state(hdev, DISCOVERY_STOPPING);
6172 
6173 unlock:
6174 	hci_dev_unlock(hdev);
6175 	return err;
6176 }
6177 
confirm_name(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)6178 static int confirm_name(struct sock *sk, struct hci_dev *hdev, void *data,
6179 			u16 len)
6180 {
6181 	struct mgmt_cp_confirm_name *cp = data;
6182 	struct inquiry_entry *e;
6183 	int err;
6184 
6185 	bt_dev_dbg(hdev, "sock %p", sk);
6186 
6187 	hci_dev_lock(hdev);
6188 
6189 	if (!hci_discovery_active(hdev)) {
6190 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CONFIRM_NAME,
6191 					MGMT_STATUS_FAILED, &cp->addr,
6192 					sizeof(cp->addr));
6193 		goto failed;
6194 	}
6195 
6196 	e = hci_inquiry_cache_lookup_unknown(hdev, &cp->addr.bdaddr);
6197 	if (!e) {
6198 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CONFIRM_NAME,
6199 					MGMT_STATUS_INVALID_PARAMS, &cp->addr,
6200 					sizeof(cp->addr));
6201 		goto failed;
6202 	}
6203 
6204 	if (cp->name_known) {
6205 		e->name_state = NAME_KNOWN;
6206 		list_del(&e->list);
6207 	} else {
6208 		e->name_state = NAME_NEEDED;
6209 		hci_inquiry_cache_update_resolve(hdev, e);
6210 	}
6211 
6212 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_CONFIRM_NAME, 0,
6213 				&cp->addr, sizeof(cp->addr));
6214 
6215 failed:
6216 	hci_dev_unlock(hdev);
6217 	return err;
6218 }
6219 
block_device(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)6220 static int block_device(struct sock *sk, struct hci_dev *hdev, void *data,
6221 			u16 len)
6222 {
6223 	struct mgmt_cp_block_device *cp = data;
6224 	u8 status;
6225 	int err;
6226 
6227 	bt_dev_dbg(hdev, "sock %p", sk);
6228 
6229 	if (!bdaddr_type_is_valid(cp->addr.type))
6230 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_BLOCK_DEVICE,
6231 					 MGMT_STATUS_INVALID_PARAMS,
6232 					 &cp->addr, sizeof(cp->addr));
6233 
6234 	hci_dev_lock(hdev);
6235 
6236 	err = hci_bdaddr_list_add(&hdev->reject_list, &cp->addr.bdaddr,
6237 				  cp->addr.type);
6238 	if (err < 0) {
6239 		status = MGMT_STATUS_FAILED;
6240 		goto done;
6241 	}
6242 
6243 	mgmt_event(MGMT_EV_DEVICE_BLOCKED, hdev, &cp->addr, sizeof(cp->addr),
6244 		   sk);
6245 	status = MGMT_STATUS_SUCCESS;
6246 
6247 done:
6248 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_BLOCK_DEVICE, status,
6249 				&cp->addr, sizeof(cp->addr));
6250 
6251 	hci_dev_unlock(hdev);
6252 
6253 	return err;
6254 }
6255 
unblock_device(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)6256 static int unblock_device(struct sock *sk, struct hci_dev *hdev, void *data,
6257 			  u16 len)
6258 {
6259 	struct mgmt_cp_unblock_device *cp = data;
6260 	u8 status;
6261 	int err;
6262 
6263 	bt_dev_dbg(hdev, "sock %p", sk);
6264 
6265 	if (!bdaddr_type_is_valid(cp->addr.type))
6266 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNBLOCK_DEVICE,
6267 					 MGMT_STATUS_INVALID_PARAMS,
6268 					 &cp->addr, sizeof(cp->addr));
6269 
6270 	hci_dev_lock(hdev);
6271 
6272 	err = hci_bdaddr_list_del(&hdev->reject_list, &cp->addr.bdaddr,
6273 				  cp->addr.type);
6274 	if (err < 0) {
6275 		status = MGMT_STATUS_INVALID_PARAMS;
6276 		goto done;
6277 	}
6278 
6279 	mgmt_event(MGMT_EV_DEVICE_UNBLOCKED, hdev, &cp->addr, sizeof(cp->addr),
6280 		   sk);
6281 	status = MGMT_STATUS_SUCCESS;
6282 
6283 done:
6284 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNBLOCK_DEVICE, status,
6285 				&cp->addr, sizeof(cp->addr));
6286 
6287 	hci_dev_unlock(hdev);
6288 
6289 	return err;
6290 }
6291 
set_device_id_sync(struct hci_dev * hdev,void * data)6292 static int set_device_id_sync(struct hci_dev *hdev, void *data)
6293 {
6294 	return hci_update_eir_sync(hdev);
6295 }
6296 
set_device_id(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)6297 static int set_device_id(struct sock *sk, struct hci_dev *hdev, void *data,
6298 			 u16 len)
6299 {
6300 	struct mgmt_cp_set_device_id *cp = data;
6301 	int err;
6302 	__u16 source;
6303 
6304 	bt_dev_dbg(hdev, "sock %p", sk);
6305 
6306 	source = __le16_to_cpu(cp->source);
6307 
6308 	if (source > 0x0002)
6309 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEVICE_ID,
6310 				       MGMT_STATUS_INVALID_PARAMS);
6311 
6312 	hci_dev_lock(hdev);
6313 
6314 	hdev->devid_source = source;
6315 	hdev->devid_vendor = __le16_to_cpu(cp->vendor);
6316 	hdev->devid_product = __le16_to_cpu(cp->product);
6317 	hdev->devid_version = __le16_to_cpu(cp->version);
6318 
6319 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_DEVICE_ID, 0,
6320 				NULL, 0);
6321 
6322 	hci_cmd_sync_queue(hdev, set_device_id_sync, NULL, NULL);
6323 
6324 	hci_dev_unlock(hdev);
6325 
6326 	return err;
6327 }
6328 
enable_advertising_instance(struct hci_dev * hdev,int err)6329 static void enable_advertising_instance(struct hci_dev *hdev, int err)
6330 {
6331 	if (err)
6332 		bt_dev_err(hdev, "failed to re-configure advertising %d", err);
6333 	else
6334 		bt_dev_dbg(hdev, "status %d", err);
6335 }
6336 
set_advertising_complete(struct hci_dev * hdev,void * data,int err)6337 static void set_advertising_complete(struct hci_dev *hdev, void *data, int err)
6338 {
6339 	struct cmd_lookup match = { NULL, hdev };
6340 	u8 instance;
6341 	struct adv_info *adv_instance;
6342 	u8 status = mgmt_status(err);
6343 
6344 	if (status) {
6345 		mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev,
6346 				     cmd_status_rsp, &status);
6347 		return;
6348 	}
6349 
6350 	if (hci_dev_test_flag(hdev, HCI_LE_ADV))
6351 		hci_dev_set_flag(hdev, HCI_ADVERTISING);
6352 	else
6353 		hci_dev_clear_flag(hdev, HCI_ADVERTISING);
6354 
6355 	mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev, settings_rsp,
6356 			     &match);
6357 
6358 	new_settings(hdev, match.sk);
6359 
6360 	if (match.sk)
6361 		sock_put(match.sk);
6362 
6363 	/* If "Set Advertising" was just disabled and instance advertising was
6364 	 * set up earlier, then re-enable multi-instance advertising.
6365 	 */
6366 	if (hci_dev_test_flag(hdev, HCI_ADVERTISING) ||
6367 	    list_empty(&hdev->adv_instances))
6368 		return;
6369 
6370 	instance = hdev->cur_adv_instance;
6371 	if (!instance) {
6372 		adv_instance = list_first_entry_or_null(&hdev->adv_instances,
6373 							struct adv_info, list);
6374 		if (!adv_instance)
6375 			return;
6376 
6377 		instance = adv_instance->instance;
6378 	}
6379 
6380 	err = hci_schedule_adv_instance_sync(hdev, instance, true);
6381 
6382 	enable_advertising_instance(hdev, err);
6383 }
6384 
set_adv_sync(struct hci_dev * hdev,void * data)6385 static int set_adv_sync(struct hci_dev *hdev, void *data)
6386 {
6387 	struct mgmt_pending_cmd *cmd = data;
6388 	struct mgmt_mode *cp = cmd->param;
6389 	u8 val = !!cp->val;
6390 
6391 	if (cp->val == 0x02)
6392 		hci_dev_set_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
6393 	else
6394 		hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
6395 
6396 	cancel_adv_timeout(hdev);
6397 
6398 	if (val) {
6399 		/* Switch to instance "0" for the Set Advertising setting.
6400 		 * We cannot use update_[adv|scan_rsp]_data() here as the
6401 		 * HCI_ADVERTISING flag is not yet set.
6402 		 */
6403 		hdev->cur_adv_instance = 0x00;
6404 
6405 		if (ext_adv_capable(hdev)) {
6406 			hci_start_ext_adv_sync(hdev, 0x00);
6407 		} else {
6408 			hci_update_adv_data_sync(hdev, 0x00);
6409 			hci_update_scan_rsp_data_sync(hdev, 0x00);
6410 			hci_enable_advertising_sync(hdev);
6411 		}
6412 	} else {
6413 		hci_disable_advertising_sync(hdev);
6414 	}
6415 
6416 	return 0;
6417 }
6418 
set_advertising(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)6419 static int set_advertising(struct sock *sk, struct hci_dev *hdev, void *data,
6420 			   u16 len)
6421 {
6422 	struct mgmt_mode *cp = data;
6423 	struct mgmt_pending_cmd *cmd;
6424 	u8 val, status;
6425 	int err;
6426 
6427 	bt_dev_dbg(hdev, "sock %p", sk);
6428 
6429 	status = mgmt_le_support(hdev);
6430 	if (status)
6431 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
6432 				       status);
6433 
6434 	if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
6435 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
6436 				       MGMT_STATUS_INVALID_PARAMS);
6437 
6438 	if (hdev->advertising_paused)
6439 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
6440 				       MGMT_STATUS_BUSY);
6441 
6442 	hci_dev_lock(hdev);
6443 
6444 	val = !!cp->val;
6445 
6446 	/* The following conditions are ones which mean that we should
6447 	 * not do any HCI communication but directly send a mgmt
6448 	 * response to user space (after toggling the flag if
6449 	 * necessary).
6450 	 */
6451 	if (!hdev_is_powered(hdev) ||
6452 	    (val == hci_dev_test_flag(hdev, HCI_ADVERTISING) &&
6453 	     (cp->val == 0x02) == hci_dev_test_flag(hdev, HCI_ADVERTISING_CONNECTABLE)) ||
6454 	    hci_dev_test_flag(hdev, HCI_MESH) ||
6455 	    hci_conn_num(hdev, LE_LINK) > 0 ||
6456 	    (hci_dev_test_flag(hdev, HCI_LE_SCAN) &&
6457 	     hdev->le_scan_type == LE_SCAN_ACTIVE)) {
6458 		bool changed;
6459 
6460 		if (cp->val) {
6461 			hdev->cur_adv_instance = 0x00;
6462 			changed = !hci_dev_test_and_set_flag(hdev, HCI_ADVERTISING);
6463 			if (cp->val == 0x02)
6464 				hci_dev_set_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
6465 			else
6466 				hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
6467 		} else {
6468 			changed = hci_dev_test_and_clear_flag(hdev, HCI_ADVERTISING);
6469 			hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE);
6470 		}
6471 
6472 		err = send_settings_rsp(sk, MGMT_OP_SET_ADVERTISING, hdev);
6473 		if (err < 0)
6474 			goto unlock;
6475 
6476 		if (changed)
6477 			err = new_settings(hdev, sk);
6478 
6479 		goto unlock;
6480 	}
6481 
6482 	if (pending_find(MGMT_OP_SET_ADVERTISING, hdev) ||
6483 	    pending_find(MGMT_OP_SET_LE, hdev)) {
6484 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_ADVERTISING,
6485 				      MGMT_STATUS_BUSY);
6486 		goto unlock;
6487 	}
6488 
6489 	cmd = mgmt_pending_add(sk, MGMT_OP_SET_ADVERTISING, hdev, data, len);
6490 	if (!cmd)
6491 		err = -ENOMEM;
6492 	else
6493 		err = hci_cmd_sync_queue(hdev, set_adv_sync, cmd,
6494 					 set_advertising_complete);
6495 
6496 	if (err < 0 && cmd)
6497 		mgmt_pending_remove(cmd);
6498 
6499 unlock:
6500 	hci_dev_unlock(hdev);
6501 	return err;
6502 }
6503 
set_static_address(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)6504 static int set_static_address(struct sock *sk, struct hci_dev *hdev,
6505 			      void *data, u16 len)
6506 {
6507 	struct mgmt_cp_set_static_address *cp = data;
6508 	int err;
6509 
6510 	bt_dev_dbg(hdev, "sock %p", sk);
6511 
6512 	if (!lmp_le_capable(hdev))
6513 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_STATIC_ADDRESS,
6514 				       MGMT_STATUS_NOT_SUPPORTED);
6515 
6516 	if (hdev_is_powered(hdev))
6517 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_STATIC_ADDRESS,
6518 				       MGMT_STATUS_REJECTED);
6519 
6520 	if (bacmp(&cp->bdaddr, BDADDR_ANY)) {
6521 		if (!bacmp(&cp->bdaddr, BDADDR_NONE))
6522 			return mgmt_cmd_status(sk, hdev->id,
6523 					       MGMT_OP_SET_STATIC_ADDRESS,
6524 					       MGMT_STATUS_INVALID_PARAMS);
6525 
6526 		/* Two most significant bits shall be set */
6527 		if ((cp->bdaddr.b[5] & 0xc0) != 0xc0)
6528 			return mgmt_cmd_status(sk, hdev->id,
6529 					       MGMT_OP_SET_STATIC_ADDRESS,
6530 					       MGMT_STATUS_INVALID_PARAMS);
6531 	}
6532 
6533 	hci_dev_lock(hdev);
6534 
6535 	bacpy(&hdev->static_addr, &cp->bdaddr);
6536 
6537 	err = send_settings_rsp(sk, MGMT_OP_SET_STATIC_ADDRESS, hdev);
6538 	if (err < 0)
6539 		goto unlock;
6540 
6541 	err = new_settings(hdev, sk);
6542 
6543 unlock:
6544 	hci_dev_unlock(hdev);
6545 	return err;
6546 }
6547 
set_scan_params(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)6548 static int set_scan_params(struct sock *sk, struct hci_dev *hdev,
6549 			   void *data, u16 len)
6550 {
6551 	struct mgmt_cp_set_scan_params *cp = data;
6552 	__u16 interval, window;
6553 	int err;
6554 
6555 	bt_dev_dbg(hdev, "sock %p", sk);
6556 
6557 	if (!lmp_le_capable(hdev))
6558 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
6559 				       MGMT_STATUS_NOT_SUPPORTED);
6560 
6561 	interval = __le16_to_cpu(cp->interval);
6562 
6563 	if (interval < 0x0004 || interval > 0x4000)
6564 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
6565 				       MGMT_STATUS_INVALID_PARAMS);
6566 
6567 	window = __le16_to_cpu(cp->window);
6568 
6569 	if (window < 0x0004 || window > 0x4000)
6570 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
6571 				       MGMT_STATUS_INVALID_PARAMS);
6572 
6573 	if (window > interval)
6574 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
6575 				       MGMT_STATUS_INVALID_PARAMS);
6576 
6577 	hci_dev_lock(hdev);
6578 
6579 	hdev->le_scan_interval = interval;
6580 	hdev->le_scan_window = window;
6581 
6582 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS, 0,
6583 				NULL, 0);
6584 
6585 	/* If background scan is running, restart it so new parameters are
6586 	 * loaded.
6587 	 */
6588 	if (hci_dev_test_flag(hdev, HCI_LE_SCAN) &&
6589 	    hdev->discovery.state == DISCOVERY_STOPPED)
6590 		hci_update_passive_scan(hdev);
6591 
6592 	hci_dev_unlock(hdev);
6593 
6594 	return err;
6595 }
6596 
fast_connectable_complete(struct hci_dev * hdev,void * data,int err)6597 static void fast_connectable_complete(struct hci_dev *hdev, void *data, int err)
6598 {
6599 	struct mgmt_pending_cmd *cmd = data;
6600 
6601 	bt_dev_dbg(hdev, "err %d", err);
6602 
6603 	if (err) {
6604 		mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
6605 				mgmt_status(err));
6606 	} else {
6607 		struct mgmt_mode *cp = cmd->param;
6608 
6609 		if (cp->val)
6610 			hci_dev_set_flag(hdev, HCI_FAST_CONNECTABLE);
6611 		else
6612 			hci_dev_clear_flag(hdev, HCI_FAST_CONNECTABLE);
6613 
6614 		send_settings_rsp(cmd->sk, MGMT_OP_SET_FAST_CONNECTABLE, hdev);
6615 		new_settings(hdev, cmd->sk);
6616 	}
6617 
6618 	mgmt_pending_free(cmd);
6619 }
6620 
write_fast_connectable_sync(struct hci_dev * hdev,void * data)6621 static int write_fast_connectable_sync(struct hci_dev *hdev, void *data)
6622 {
6623 	struct mgmt_pending_cmd *cmd = data;
6624 	struct mgmt_mode *cp = cmd->param;
6625 
6626 	return hci_write_fast_connectable_sync(hdev, cp->val);
6627 }
6628 
set_fast_connectable(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)6629 static int set_fast_connectable(struct sock *sk, struct hci_dev *hdev,
6630 				void *data, u16 len)
6631 {
6632 	struct mgmt_mode *cp = data;
6633 	struct mgmt_pending_cmd *cmd;
6634 	int err;
6635 
6636 	bt_dev_dbg(hdev, "sock %p", sk);
6637 
6638 	if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) ||
6639 	    hdev->hci_ver < BLUETOOTH_VER_1_2)
6640 		return mgmt_cmd_status(sk, hdev->id,
6641 				       MGMT_OP_SET_FAST_CONNECTABLE,
6642 				       MGMT_STATUS_NOT_SUPPORTED);
6643 
6644 	if (cp->val != 0x00 && cp->val != 0x01)
6645 		return mgmt_cmd_status(sk, hdev->id,
6646 				       MGMT_OP_SET_FAST_CONNECTABLE,
6647 				       MGMT_STATUS_INVALID_PARAMS);
6648 
6649 	hci_dev_lock(hdev);
6650 
6651 	if (!!cp->val == hci_dev_test_flag(hdev, HCI_FAST_CONNECTABLE)) {
6652 		err = send_settings_rsp(sk, MGMT_OP_SET_FAST_CONNECTABLE, hdev);
6653 		goto unlock;
6654 	}
6655 
6656 	if (!hdev_is_powered(hdev)) {
6657 		hci_dev_change_flag(hdev, HCI_FAST_CONNECTABLE);
6658 		err = send_settings_rsp(sk, MGMT_OP_SET_FAST_CONNECTABLE, hdev);
6659 		new_settings(hdev, sk);
6660 		goto unlock;
6661 	}
6662 
6663 	cmd = mgmt_pending_new(sk, MGMT_OP_SET_FAST_CONNECTABLE, hdev, data,
6664 			       len);
6665 	if (!cmd)
6666 		err = -ENOMEM;
6667 	else
6668 		err = hci_cmd_sync_queue(hdev, write_fast_connectable_sync, cmd,
6669 					 fast_connectable_complete);
6670 
6671 	if (err < 0) {
6672 		mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
6673 				MGMT_STATUS_FAILED);
6674 
6675 		if (cmd)
6676 			mgmt_pending_free(cmd);
6677 	}
6678 
6679 unlock:
6680 	hci_dev_unlock(hdev);
6681 
6682 	return err;
6683 }
6684 
set_bredr_complete(struct hci_dev * hdev,void * data,int err)6685 static void set_bredr_complete(struct hci_dev *hdev, void *data, int err)
6686 {
6687 	struct mgmt_pending_cmd *cmd = data;
6688 
6689 	bt_dev_dbg(hdev, "err %d", err);
6690 
6691 	if (err) {
6692 		u8 mgmt_err = mgmt_status(err);
6693 
6694 		/* We need to restore the flag if related HCI commands
6695 		 * failed.
6696 		 */
6697 		hci_dev_clear_flag(hdev, HCI_BREDR_ENABLED);
6698 
6699 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
6700 	} else {
6701 		send_settings_rsp(cmd->sk, MGMT_OP_SET_BREDR, hdev);
6702 		new_settings(hdev, cmd->sk);
6703 	}
6704 
6705 	mgmt_pending_free(cmd);
6706 }
6707 
set_bredr_sync(struct hci_dev * hdev,void * data)6708 static int set_bredr_sync(struct hci_dev *hdev, void *data)
6709 {
6710 	int status;
6711 
6712 	status = hci_write_fast_connectable_sync(hdev, false);
6713 
6714 	if (!status)
6715 		status = hci_update_scan_sync(hdev);
6716 
6717 	/* Since only the advertising data flags will change, there
6718 	 * is no need to update the scan response data.
6719 	 */
6720 	if (!status)
6721 		status = hci_update_adv_data_sync(hdev, hdev->cur_adv_instance);
6722 
6723 	return status;
6724 }
6725 
set_bredr(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)6726 static int set_bredr(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
6727 {
6728 	struct mgmt_mode *cp = data;
6729 	struct mgmt_pending_cmd *cmd;
6730 	int err;
6731 
6732 	bt_dev_dbg(hdev, "sock %p", sk);
6733 
6734 	if (!lmp_bredr_capable(hdev) || !lmp_le_capable(hdev))
6735 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
6736 				       MGMT_STATUS_NOT_SUPPORTED);
6737 
6738 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
6739 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
6740 				       MGMT_STATUS_REJECTED);
6741 
6742 	if (cp->val != 0x00 && cp->val != 0x01)
6743 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
6744 				       MGMT_STATUS_INVALID_PARAMS);
6745 
6746 	hci_dev_lock(hdev);
6747 
6748 	if (cp->val == hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
6749 		err = send_settings_rsp(sk, MGMT_OP_SET_BREDR, hdev);
6750 		goto unlock;
6751 	}
6752 
6753 	if (!hdev_is_powered(hdev)) {
6754 		if (!cp->val) {
6755 			hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
6756 			hci_dev_clear_flag(hdev, HCI_SSP_ENABLED);
6757 			hci_dev_clear_flag(hdev, HCI_LINK_SECURITY);
6758 			hci_dev_clear_flag(hdev, HCI_FAST_CONNECTABLE);
6759 			hci_dev_clear_flag(hdev, HCI_HS_ENABLED);
6760 		}
6761 
6762 		hci_dev_change_flag(hdev, HCI_BREDR_ENABLED);
6763 
6764 		err = send_settings_rsp(sk, MGMT_OP_SET_BREDR, hdev);
6765 		if (err < 0)
6766 			goto unlock;
6767 
6768 		err = new_settings(hdev, sk);
6769 		goto unlock;
6770 	}
6771 
6772 	/* Reject disabling when powered on */
6773 	if (!cp->val) {
6774 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
6775 				      MGMT_STATUS_REJECTED);
6776 		goto unlock;
6777 	} else {
6778 		/* When configuring a dual-mode controller to operate
6779 		 * with LE only and using a static address, then switching
6780 		 * BR/EDR back on is not allowed.
6781 		 *
6782 		 * Dual-mode controllers shall operate with the public
6783 		 * address as its identity address for BR/EDR and LE. So
6784 		 * reject the attempt to create an invalid configuration.
6785 		 *
6786 		 * The same restrictions applies when secure connections
6787 		 * has been enabled. For BR/EDR this is a controller feature
6788 		 * while for LE it is a host stack feature. This means that
6789 		 * switching BR/EDR back on when secure connections has been
6790 		 * enabled is not a supported transaction.
6791 		 */
6792 		if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
6793 		    (bacmp(&hdev->static_addr, BDADDR_ANY) ||
6794 		     hci_dev_test_flag(hdev, HCI_SC_ENABLED))) {
6795 			err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
6796 					      MGMT_STATUS_REJECTED);
6797 			goto unlock;
6798 		}
6799 	}
6800 
6801 	cmd = mgmt_pending_new(sk, MGMT_OP_SET_BREDR, hdev, data, len);
6802 	if (!cmd)
6803 		err = -ENOMEM;
6804 	else
6805 		err = hci_cmd_sync_queue(hdev, set_bredr_sync, cmd,
6806 					 set_bredr_complete);
6807 
6808 	if (err < 0) {
6809 		mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_BREDR,
6810 				MGMT_STATUS_FAILED);
6811 		if (cmd)
6812 			mgmt_pending_free(cmd);
6813 
6814 		goto unlock;
6815 	}
6816 
6817 	/* We need to flip the bit already here so that
6818 	 * hci_req_update_adv_data generates the correct flags.
6819 	 */
6820 	hci_dev_set_flag(hdev, HCI_BREDR_ENABLED);
6821 
6822 unlock:
6823 	hci_dev_unlock(hdev);
6824 	return err;
6825 }
6826 
set_secure_conn_complete(struct hci_dev * hdev,void * data,int err)6827 static void set_secure_conn_complete(struct hci_dev *hdev, void *data, int err)
6828 {
6829 	struct mgmt_pending_cmd *cmd = data;
6830 	struct mgmt_mode *cp;
6831 
6832 	bt_dev_dbg(hdev, "err %d", err);
6833 
6834 	if (err) {
6835 		u8 mgmt_err = mgmt_status(err);
6836 
6837 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
6838 		goto done;
6839 	}
6840 
6841 	cp = cmd->param;
6842 
6843 	switch (cp->val) {
6844 	case 0x00:
6845 		hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
6846 		hci_dev_clear_flag(hdev, HCI_SC_ONLY);
6847 		break;
6848 	case 0x01:
6849 		hci_dev_set_flag(hdev, HCI_SC_ENABLED);
6850 		hci_dev_clear_flag(hdev, HCI_SC_ONLY);
6851 		break;
6852 	case 0x02:
6853 		hci_dev_set_flag(hdev, HCI_SC_ENABLED);
6854 		hci_dev_set_flag(hdev, HCI_SC_ONLY);
6855 		break;
6856 	}
6857 
6858 	send_settings_rsp(cmd->sk, cmd->opcode, hdev);
6859 	new_settings(hdev, cmd->sk);
6860 
6861 done:
6862 	mgmt_pending_free(cmd);
6863 }
6864 
set_secure_conn_sync(struct hci_dev * hdev,void * data)6865 static int set_secure_conn_sync(struct hci_dev *hdev, void *data)
6866 {
6867 	struct mgmt_pending_cmd *cmd = data;
6868 	struct mgmt_mode *cp = cmd->param;
6869 	u8 val = !!cp->val;
6870 
6871 	/* Force write of val */
6872 	hci_dev_set_flag(hdev, HCI_SC_ENABLED);
6873 
6874 	return hci_write_sc_support_sync(hdev, val);
6875 }
6876 
set_secure_conn(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)6877 static int set_secure_conn(struct sock *sk, struct hci_dev *hdev,
6878 			   void *data, u16 len)
6879 {
6880 	struct mgmt_mode *cp = data;
6881 	struct mgmt_pending_cmd *cmd;
6882 	u8 val;
6883 	int err;
6884 
6885 	bt_dev_dbg(hdev, "sock %p", sk);
6886 
6887 	if (!lmp_sc_capable(hdev) &&
6888 	    !hci_dev_test_flag(hdev, HCI_LE_ENABLED))
6889 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
6890 				       MGMT_STATUS_NOT_SUPPORTED);
6891 
6892 	if (hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
6893 	    lmp_sc_capable(hdev) &&
6894 	    !hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
6895 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
6896 				       MGMT_STATUS_REJECTED);
6897 
6898 	if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
6899 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
6900 				       MGMT_STATUS_INVALID_PARAMS);
6901 
6902 	hci_dev_lock(hdev);
6903 
6904 	if (!hdev_is_powered(hdev) || !lmp_sc_capable(hdev) ||
6905 	    !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
6906 		bool changed;
6907 
6908 		if (cp->val) {
6909 			changed = !hci_dev_test_and_set_flag(hdev,
6910 							     HCI_SC_ENABLED);
6911 			if (cp->val == 0x02)
6912 				hci_dev_set_flag(hdev, HCI_SC_ONLY);
6913 			else
6914 				hci_dev_clear_flag(hdev, HCI_SC_ONLY);
6915 		} else {
6916 			changed = hci_dev_test_and_clear_flag(hdev,
6917 							      HCI_SC_ENABLED);
6918 			hci_dev_clear_flag(hdev, HCI_SC_ONLY);
6919 		}
6920 
6921 		err = send_settings_rsp(sk, MGMT_OP_SET_SECURE_CONN, hdev);
6922 		if (err < 0)
6923 			goto failed;
6924 
6925 		if (changed)
6926 			err = new_settings(hdev, sk);
6927 
6928 		goto failed;
6929 	}
6930 
6931 	val = !!cp->val;
6932 
6933 	if (val == hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
6934 	    (cp->val == 0x02) == hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
6935 		err = send_settings_rsp(sk, MGMT_OP_SET_SECURE_CONN, hdev);
6936 		goto failed;
6937 	}
6938 
6939 	cmd = mgmt_pending_new(sk, MGMT_OP_SET_SECURE_CONN, hdev, data, len);
6940 	if (!cmd)
6941 		err = -ENOMEM;
6942 	else
6943 		err = hci_cmd_sync_queue(hdev, set_secure_conn_sync, cmd,
6944 					 set_secure_conn_complete);
6945 
6946 	if (err < 0) {
6947 		mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SECURE_CONN,
6948 				MGMT_STATUS_FAILED);
6949 		if (cmd)
6950 			mgmt_pending_free(cmd);
6951 	}
6952 
6953 failed:
6954 	hci_dev_unlock(hdev);
6955 	return err;
6956 }
6957 
set_debug_keys(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)6958 static int set_debug_keys(struct sock *sk, struct hci_dev *hdev,
6959 			  void *data, u16 len)
6960 {
6961 	struct mgmt_mode *cp = data;
6962 	bool changed, use_changed;
6963 	int err;
6964 
6965 	bt_dev_dbg(hdev, "sock %p", sk);
6966 
6967 	if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
6968 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_DEBUG_KEYS,
6969 				       MGMT_STATUS_INVALID_PARAMS);
6970 
6971 	hci_dev_lock(hdev);
6972 
6973 	if (cp->val)
6974 		changed = !hci_dev_test_and_set_flag(hdev, HCI_KEEP_DEBUG_KEYS);
6975 	else
6976 		changed = hci_dev_test_and_clear_flag(hdev,
6977 						      HCI_KEEP_DEBUG_KEYS);
6978 
6979 	if (cp->val == 0x02)
6980 		use_changed = !hci_dev_test_and_set_flag(hdev,
6981 							 HCI_USE_DEBUG_KEYS);
6982 	else
6983 		use_changed = hci_dev_test_and_clear_flag(hdev,
6984 							  HCI_USE_DEBUG_KEYS);
6985 
6986 	if (hdev_is_powered(hdev) && use_changed &&
6987 	    hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
6988 		u8 mode = (cp->val == 0x02) ? 0x01 : 0x00;
6989 		hci_send_cmd(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE,
6990 			     sizeof(mode), &mode);
6991 	}
6992 
6993 	err = send_settings_rsp(sk, MGMT_OP_SET_DEBUG_KEYS, hdev);
6994 	if (err < 0)
6995 		goto unlock;
6996 
6997 	if (changed)
6998 		err = new_settings(hdev, sk);
6999 
7000 unlock:
7001 	hci_dev_unlock(hdev);
7002 	return err;
7003 }
7004 
set_privacy(struct sock * sk,struct hci_dev * hdev,void * cp_data,u16 len)7005 static int set_privacy(struct sock *sk, struct hci_dev *hdev, void *cp_data,
7006 		       u16 len)
7007 {
7008 	struct mgmt_cp_set_privacy *cp = cp_data;
7009 	bool changed;
7010 	int err;
7011 
7012 	bt_dev_dbg(hdev, "sock %p", sk);
7013 
7014 	if (!lmp_le_capable(hdev))
7015 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PRIVACY,
7016 				       MGMT_STATUS_NOT_SUPPORTED);
7017 
7018 	if (cp->privacy != 0x00 && cp->privacy != 0x01 && cp->privacy != 0x02)
7019 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PRIVACY,
7020 				       MGMT_STATUS_INVALID_PARAMS);
7021 
7022 	if (hdev_is_powered(hdev))
7023 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PRIVACY,
7024 				       MGMT_STATUS_REJECTED);
7025 
7026 	hci_dev_lock(hdev);
7027 
7028 	/* If user space supports this command it is also expected to
7029 	 * handle IRKs. Therefore, set the HCI_RPA_RESOLVING flag.
7030 	 */
7031 	hci_dev_set_flag(hdev, HCI_RPA_RESOLVING);
7032 
7033 	if (cp->privacy) {
7034 		changed = !hci_dev_test_and_set_flag(hdev, HCI_PRIVACY);
7035 		memcpy(hdev->irk, cp->irk, sizeof(hdev->irk));
7036 		hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
7037 		hci_adv_instances_set_rpa_expired(hdev, true);
7038 		if (cp->privacy == 0x02)
7039 			hci_dev_set_flag(hdev, HCI_LIMITED_PRIVACY);
7040 		else
7041 			hci_dev_clear_flag(hdev, HCI_LIMITED_PRIVACY);
7042 	} else {
7043 		changed = hci_dev_test_and_clear_flag(hdev, HCI_PRIVACY);
7044 		memset(hdev->irk, 0, sizeof(hdev->irk));
7045 		hci_dev_clear_flag(hdev, HCI_RPA_EXPIRED);
7046 		hci_adv_instances_set_rpa_expired(hdev, false);
7047 		hci_dev_clear_flag(hdev, HCI_LIMITED_PRIVACY);
7048 	}
7049 
7050 	err = send_settings_rsp(sk, MGMT_OP_SET_PRIVACY, hdev);
7051 	if (err < 0)
7052 		goto unlock;
7053 
7054 	if (changed)
7055 		err = new_settings(hdev, sk);
7056 
7057 unlock:
7058 	hci_dev_unlock(hdev);
7059 	return err;
7060 }
7061 
irk_is_valid(struct mgmt_irk_info * irk)7062 static bool irk_is_valid(struct mgmt_irk_info *irk)
7063 {
7064 	switch (irk->addr.type) {
7065 	case BDADDR_LE_PUBLIC:
7066 		return true;
7067 
7068 	case BDADDR_LE_RANDOM:
7069 		/* Two most significant bits shall be set */
7070 		if ((irk->addr.bdaddr.b[5] & 0xc0) != 0xc0)
7071 			return false;
7072 		return true;
7073 	}
7074 
7075 	return false;
7076 }
7077 
load_irks(struct sock * sk,struct hci_dev * hdev,void * cp_data,u16 len)7078 static int load_irks(struct sock *sk, struct hci_dev *hdev, void *cp_data,
7079 		     u16 len)
7080 {
7081 	struct mgmt_cp_load_irks *cp = cp_data;
7082 	const u16 max_irk_count = ((U16_MAX - sizeof(*cp)) /
7083 				   sizeof(struct mgmt_irk_info));
7084 	u16 irk_count, expected_len;
7085 	int i, err;
7086 
7087 	bt_dev_dbg(hdev, "sock %p", sk);
7088 
7089 	if (!lmp_le_capable(hdev))
7090 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_IRKS,
7091 				       MGMT_STATUS_NOT_SUPPORTED);
7092 
7093 	irk_count = __le16_to_cpu(cp->irk_count);
7094 	if (irk_count > max_irk_count) {
7095 		bt_dev_err(hdev, "load_irks: too big irk_count value %u",
7096 			   irk_count);
7097 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_IRKS,
7098 				       MGMT_STATUS_INVALID_PARAMS);
7099 	}
7100 
7101 	expected_len = struct_size(cp, irks, irk_count);
7102 	if (expected_len != len) {
7103 		bt_dev_err(hdev, "load_irks: expected %u bytes, got %u bytes",
7104 			   expected_len, len);
7105 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_IRKS,
7106 				       MGMT_STATUS_INVALID_PARAMS);
7107 	}
7108 
7109 	bt_dev_dbg(hdev, "irk_count %u", irk_count);
7110 
7111 	for (i = 0; i < irk_count; i++) {
7112 		struct mgmt_irk_info *key = &cp->irks[i];
7113 
7114 		if (!irk_is_valid(key))
7115 			return mgmt_cmd_status(sk, hdev->id,
7116 					       MGMT_OP_LOAD_IRKS,
7117 					       MGMT_STATUS_INVALID_PARAMS);
7118 	}
7119 
7120 	hci_dev_lock(hdev);
7121 
7122 	hci_smp_irks_clear(hdev);
7123 
7124 	for (i = 0; i < irk_count; i++) {
7125 		struct mgmt_irk_info *irk = &cp->irks[i];
7126 
7127 		if (hci_is_blocked_key(hdev,
7128 				       HCI_BLOCKED_KEY_TYPE_IRK,
7129 				       irk->val)) {
7130 			bt_dev_warn(hdev, "Skipping blocked IRK for %pMR",
7131 				    &irk->addr.bdaddr);
7132 			continue;
7133 		}
7134 
7135 		hci_add_irk(hdev, &irk->addr.bdaddr,
7136 			    le_addr_type(irk->addr.type), irk->val,
7137 			    BDADDR_ANY);
7138 	}
7139 
7140 	hci_dev_set_flag(hdev, HCI_RPA_RESOLVING);
7141 
7142 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_IRKS, 0, NULL, 0);
7143 
7144 	hci_dev_unlock(hdev);
7145 
7146 	return err;
7147 }
7148 
ltk_is_valid(struct mgmt_ltk_info * key)7149 static bool ltk_is_valid(struct mgmt_ltk_info *key)
7150 {
7151 	if (key->initiator != 0x00 && key->initiator != 0x01)
7152 		return false;
7153 
7154 	switch (key->addr.type) {
7155 	case BDADDR_LE_PUBLIC:
7156 		return true;
7157 
7158 	case BDADDR_LE_RANDOM:
7159 		/* Two most significant bits shall be set */
7160 		if ((key->addr.bdaddr.b[5] & 0xc0) != 0xc0)
7161 			return false;
7162 		return true;
7163 	}
7164 
7165 	return false;
7166 }
7167 
load_long_term_keys(struct sock * sk,struct hci_dev * hdev,void * cp_data,u16 len)7168 static int load_long_term_keys(struct sock *sk, struct hci_dev *hdev,
7169 			       void *cp_data, u16 len)
7170 {
7171 	struct mgmt_cp_load_long_term_keys *cp = cp_data;
7172 	const u16 max_key_count = ((U16_MAX - sizeof(*cp)) /
7173 				   sizeof(struct mgmt_ltk_info));
7174 	u16 key_count, expected_len;
7175 	int i, err;
7176 
7177 	bt_dev_dbg(hdev, "sock %p", sk);
7178 
7179 	if (!lmp_le_capable(hdev))
7180 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS,
7181 				       MGMT_STATUS_NOT_SUPPORTED);
7182 
7183 	key_count = __le16_to_cpu(cp->key_count);
7184 	if (key_count > max_key_count) {
7185 		bt_dev_err(hdev, "load_ltks: too big key_count value %u",
7186 			   key_count);
7187 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS,
7188 				       MGMT_STATUS_INVALID_PARAMS);
7189 	}
7190 
7191 	expected_len = struct_size(cp, keys, key_count);
7192 	if (expected_len != len) {
7193 		bt_dev_err(hdev, "load_keys: expected %u bytes, got %u bytes",
7194 			   expected_len, len);
7195 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS,
7196 				       MGMT_STATUS_INVALID_PARAMS);
7197 	}
7198 
7199 	bt_dev_dbg(hdev, "key_count %u", key_count);
7200 
7201 	for (i = 0; i < key_count; i++) {
7202 		struct mgmt_ltk_info *key = &cp->keys[i];
7203 
7204 		if (!ltk_is_valid(key))
7205 			return mgmt_cmd_status(sk, hdev->id,
7206 					       MGMT_OP_LOAD_LONG_TERM_KEYS,
7207 					       MGMT_STATUS_INVALID_PARAMS);
7208 	}
7209 
7210 	hci_dev_lock(hdev);
7211 
7212 	hci_smp_ltks_clear(hdev);
7213 
7214 	for (i = 0; i < key_count; i++) {
7215 		struct mgmt_ltk_info *key = &cp->keys[i];
7216 		u8 type, authenticated;
7217 
7218 		if (hci_is_blocked_key(hdev,
7219 				       HCI_BLOCKED_KEY_TYPE_LTK,
7220 				       key->val)) {
7221 			bt_dev_warn(hdev, "Skipping blocked LTK for %pMR",
7222 				    &key->addr.bdaddr);
7223 			continue;
7224 		}
7225 
7226 		switch (key->type) {
7227 		case MGMT_LTK_UNAUTHENTICATED:
7228 			authenticated = 0x00;
7229 			type = key->initiator ? SMP_LTK : SMP_LTK_RESPONDER;
7230 			break;
7231 		case MGMT_LTK_AUTHENTICATED:
7232 			authenticated = 0x01;
7233 			type = key->initiator ? SMP_LTK : SMP_LTK_RESPONDER;
7234 			break;
7235 		case MGMT_LTK_P256_UNAUTH:
7236 			authenticated = 0x00;
7237 			type = SMP_LTK_P256;
7238 			break;
7239 		case MGMT_LTK_P256_AUTH:
7240 			authenticated = 0x01;
7241 			type = SMP_LTK_P256;
7242 			break;
7243 		case MGMT_LTK_P256_DEBUG:
7244 			authenticated = 0x00;
7245 			type = SMP_LTK_P256_DEBUG;
7246 			fallthrough;
7247 		default:
7248 			continue;
7249 		}
7250 
7251 		hci_add_ltk(hdev, &key->addr.bdaddr,
7252 			    le_addr_type(key->addr.type), type, authenticated,
7253 			    key->val, key->enc_size, key->ediv, key->rand);
7254 	}
7255 
7256 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_LONG_TERM_KEYS, 0,
7257 			   NULL, 0);
7258 
7259 	hci_dev_unlock(hdev);
7260 
7261 	return err;
7262 }
7263 
get_conn_info_complete(struct hci_dev * hdev,void * data,int err)7264 static void get_conn_info_complete(struct hci_dev *hdev, void *data, int err)
7265 {
7266 	struct mgmt_pending_cmd *cmd = data;
7267 	struct hci_conn *conn = cmd->user_data;
7268 	struct mgmt_cp_get_conn_info *cp = cmd->param;
7269 	struct mgmt_rp_get_conn_info rp;
7270 	u8 status;
7271 
7272 	bt_dev_dbg(hdev, "err %d", err);
7273 
7274 	memcpy(&rp.addr, &cp->addr.bdaddr, sizeof(rp.addr));
7275 
7276 	status = mgmt_status(err);
7277 	if (status == MGMT_STATUS_SUCCESS) {
7278 		rp.rssi = conn->rssi;
7279 		rp.tx_power = conn->tx_power;
7280 		rp.max_tx_power = conn->max_tx_power;
7281 	} else {
7282 		rp.rssi = HCI_RSSI_INVALID;
7283 		rp.tx_power = HCI_TX_POWER_INVALID;
7284 		rp.max_tx_power = HCI_TX_POWER_INVALID;
7285 	}
7286 
7287 	mgmt_cmd_complete(cmd->sk, cmd->index, MGMT_OP_GET_CONN_INFO, status,
7288 			  &rp, sizeof(rp));
7289 
7290 	mgmt_pending_free(cmd);
7291 }
7292 
get_conn_info_sync(struct hci_dev * hdev,void * data)7293 static int get_conn_info_sync(struct hci_dev *hdev, void *data)
7294 {
7295 	struct mgmt_pending_cmd *cmd = data;
7296 	struct mgmt_cp_get_conn_info *cp = cmd->param;
7297 	struct hci_conn *conn;
7298 	int err;
7299 	__le16   handle;
7300 
7301 	/* Make sure we are still connected */
7302 	if (cp->addr.type == BDADDR_BREDR)
7303 		conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
7304 					       &cp->addr.bdaddr);
7305 	else
7306 		conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->addr.bdaddr);
7307 
7308 	if (!conn || conn->state != BT_CONNECTED)
7309 		return MGMT_STATUS_NOT_CONNECTED;
7310 
7311 	cmd->user_data = conn;
7312 	handle = cpu_to_le16(conn->handle);
7313 
7314 	/* Refresh RSSI each time */
7315 	err = hci_read_rssi_sync(hdev, handle);
7316 
7317 	/* For LE links TX power does not change thus we don't need to
7318 	 * query for it once value is known.
7319 	 */
7320 	if (!err && (!bdaddr_type_is_le(cp->addr.type) ||
7321 		     conn->tx_power == HCI_TX_POWER_INVALID))
7322 		err = hci_read_tx_power_sync(hdev, handle, 0x00);
7323 
7324 	/* Max TX power needs to be read only once per connection */
7325 	if (!err && conn->max_tx_power == HCI_TX_POWER_INVALID)
7326 		err = hci_read_tx_power_sync(hdev, handle, 0x01);
7327 
7328 	return err;
7329 }
7330 
get_conn_info(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)7331 static int get_conn_info(struct sock *sk, struct hci_dev *hdev, void *data,
7332 			 u16 len)
7333 {
7334 	struct mgmt_cp_get_conn_info *cp = data;
7335 	struct mgmt_rp_get_conn_info rp;
7336 	struct hci_conn *conn;
7337 	unsigned long conn_info_age;
7338 	int err = 0;
7339 
7340 	bt_dev_dbg(hdev, "sock %p", sk);
7341 
7342 	memset(&rp, 0, sizeof(rp));
7343 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
7344 	rp.addr.type = cp->addr.type;
7345 
7346 	if (!bdaddr_type_is_valid(cp->addr.type))
7347 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
7348 					 MGMT_STATUS_INVALID_PARAMS,
7349 					 &rp, sizeof(rp));
7350 
7351 	hci_dev_lock(hdev);
7352 
7353 	if (!hdev_is_powered(hdev)) {
7354 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
7355 					MGMT_STATUS_NOT_POWERED, &rp,
7356 					sizeof(rp));
7357 		goto unlock;
7358 	}
7359 
7360 	if (cp->addr.type == BDADDR_BREDR)
7361 		conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
7362 					       &cp->addr.bdaddr);
7363 	else
7364 		conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->addr.bdaddr);
7365 
7366 	if (!conn || conn->state != BT_CONNECTED) {
7367 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
7368 					MGMT_STATUS_NOT_CONNECTED, &rp,
7369 					sizeof(rp));
7370 		goto unlock;
7371 	}
7372 
7373 	/* To avoid client trying to guess when to poll again for information we
7374 	 * calculate conn info age as random value between min/max set in hdev.
7375 	 */
7376 	conn_info_age = hdev->conn_info_min_age +
7377 			prandom_u32_max(hdev->conn_info_max_age -
7378 					hdev->conn_info_min_age);
7379 
7380 	/* Query controller to refresh cached values if they are too old or were
7381 	 * never read.
7382 	 */
7383 	if (time_after(jiffies, conn->conn_info_timestamp +
7384 		       msecs_to_jiffies(conn_info_age)) ||
7385 	    !conn->conn_info_timestamp) {
7386 		struct mgmt_pending_cmd *cmd;
7387 
7388 		cmd = mgmt_pending_new(sk, MGMT_OP_GET_CONN_INFO, hdev, data,
7389 				       len);
7390 		if (!cmd) {
7391 			err = -ENOMEM;
7392 		} else {
7393 			err = hci_cmd_sync_queue(hdev, get_conn_info_sync,
7394 						 cmd, get_conn_info_complete);
7395 		}
7396 
7397 		if (err < 0) {
7398 			mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
7399 					  MGMT_STATUS_FAILED, &rp, sizeof(rp));
7400 
7401 			if (cmd)
7402 				mgmt_pending_free(cmd);
7403 
7404 			goto unlock;
7405 		}
7406 
7407 		conn->conn_info_timestamp = jiffies;
7408 	} else {
7409 		/* Cache is valid, just reply with values cached in hci_conn */
7410 		rp.rssi = conn->rssi;
7411 		rp.tx_power = conn->tx_power;
7412 		rp.max_tx_power = conn->max_tx_power;
7413 
7414 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CONN_INFO,
7415 					MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
7416 	}
7417 
7418 unlock:
7419 	hci_dev_unlock(hdev);
7420 	return err;
7421 }
7422 
get_clock_info_complete(struct hci_dev * hdev,void * data,int err)7423 static void get_clock_info_complete(struct hci_dev *hdev, void *data, int err)
7424 {
7425 	struct mgmt_pending_cmd *cmd = data;
7426 	struct mgmt_cp_get_clock_info *cp = cmd->param;
7427 	struct mgmt_rp_get_clock_info rp;
7428 	struct hci_conn *conn = cmd->user_data;
7429 	u8 status = mgmt_status(err);
7430 
7431 	bt_dev_dbg(hdev, "err %d", err);
7432 
7433 	memset(&rp, 0, sizeof(rp));
7434 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
7435 	rp.addr.type = cp->addr.type;
7436 
7437 	if (err)
7438 		goto complete;
7439 
7440 	rp.local_clock = cpu_to_le32(hdev->clock);
7441 
7442 	if (conn) {
7443 		rp.piconet_clock = cpu_to_le32(conn->clock);
7444 		rp.accuracy = cpu_to_le16(conn->clock_accuracy);
7445 	}
7446 
7447 complete:
7448 	mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status, &rp,
7449 			  sizeof(rp));
7450 
7451 	mgmt_pending_free(cmd);
7452 }
7453 
get_clock_info_sync(struct hci_dev * hdev,void * data)7454 static int get_clock_info_sync(struct hci_dev *hdev, void *data)
7455 {
7456 	struct mgmt_pending_cmd *cmd = data;
7457 	struct mgmt_cp_get_clock_info *cp = cmd->param;
7458 	struct hci_cp_read_clock hci_cp;
7459 	struct hci_conn *conn;
7460 
7461 	memset(&hci_cp, 0, sizeof(hci_cp));
7462 	hci_read_clock_sync(hdev, &hci_cp);
7463 
7464 	/* Make sure connection still exists */
7465 	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->addr.bdaddr);
7466 	if (!conn || conn->state != BT_CONNECTED)
7467 		return MGMT_STATUS_NOT_CONNECTED;
7468 
7469 	cmd->user_data = conn;
7470 	hci_cp.handle = cpu_to_le16(conn->handle);
7471 	hci_cp.which = 0x01; /* Piconet clock */
7472 
7473 	return hci_read_clock_sync(hdev, &hci_cp);
7474 }
7475 
get_clock_info(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)7476 static int get_clock_info(struct sock *sk, struct hci_dev *hdev, void *data,
7477 								u16 len)
7478 {
7479 	struct mgmt_cp_get_clock_info *cp = data;
7480 	struct mgmt_rp_get_clock_info rp;
7481 	struct mgmt_pending_cmd *cmd;
7482 	struct hci_conn *conn;
7483 	int err;
7484 
7485 	bt_dev_dbg(hdev, "sock %p", sk);
7486 
7487 	memset(&rp, 0, sizeof(rp));
7488 	bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
7489 	rp.addr.type = cp->addr.type;
7490 
7491 	if (cp->addr.type != BDADDR_BREDR)
7492 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CLOCK_INFO,
7493 					 MGMT_STATUS_INVALID_PARAMS,
7494 					 &rp, sizeof(rp));
7495 
7496 	hci_dev_lock(hdev);
7497 
7498 	if (!hdev_is_powered(hdev)) {
7499 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CLOCK_INFO,
7500 					MGMT_STATUS_NOT_POWERED, &rp,
7501 					sizeof(rp));
7502 		goto unlock;
7503 	}
7504 
7505 	if (bacmp(&cp->addr.bdaddr, BDADDR_ANY)) {
7506 		conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
7507 					       &cp->addr.bdaddr);
7508 		if (!conn || conn->state != BT_CONNECTED) {
7509 			err = mgmt_cmd_complete(sk, hdev->id,
7510 						MGMT_OP_GET_CLOCK_INFO,
7511 						MGMT_STATUS_NOT_CONNECTED,
7512 						&rp, sizeof(rp));
7513 			goto unlock;
7514 		}
7515 	} else {
7516 		conn = NULL;
7517 	}
7518 
7519 	cmd = mgmt_pending_new(sk, MGMT_OP_GET_CLOCK_INFO, hdev, data, len);
7520 	if (!cmd)
7521 		err = -ENOMEM;
7522 	else
7523 		err = hci_cmd_sync_queue(hdev, get_clock_info_sync, cmd,
7524 					 get_clock_info_complete);
7525 
7526 	if (err < 0) {
7527 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_CLOCK_INFO,
7528 					MGMT_STATUS_FAILED, &rp, sizeof(rp));
7529 
7530 		if (cmd)
7531 			mgmt_pending_free(cmd);
7532 	}
7533 
7534 
7535 unlock:
7536 	hci_dev_unlock(hdev);
7537 	return err;
7538 }
7539 
is_connected(struct hci_dev * hdev,bdaddr_t * addr,u8 type)7540 static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type)
7541 {
7542 	struct hci_conn *conn;
7543 
7544 	conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, addr);
7545 	if (!conn)
7546 		return false;
7547 
7548 	if (conn->dst_type != type)
7549 		return false;
7550 
7551 	if (conn->state != BT_CONNECTED)
7552 		return false;
7553 
7554 	return true;
7555 }
7556 
7557 /* This function requires the caller holds hdev->lock */
hci_conn_params_set(struct hci_dev * hdev,bdaddr_t * addr,u8 addr_type,u8 auto_connect)7558 static int hci_conn_params_set(struct hci_dev *hdev, bdaddr_t *addr,
7559 			       u8 addr_type, u8 auto_connect)
7560 {
7561 	struct hci_conn_params *params;
7562 
7563 	params = hci_conn_params_add(hdev, addr, addr_type);
7564 	if (!params)
7565 		return -EIO;
7566 
7567 	if (params->auto_connect == auto_connect)
7568 		return 0;
7569 
7570 	list_del_init(&params->action);
7571 
7572 	switch (auto_connect) {
7573 	case HCI_AUTO_CONN_DISABLED:
7574 	case HCI_AUTO_CONN_LINK_LOSS:
7575 		/* If auto connect is being disabled when we're trying to
7576 		 * connect to device, keep connecting.
7577 		 */
7578 		if (params->explicit_connect)
7579 			list_add(&params->action, &hdev->pend_le_conns);
7580 		break;
7581 	case HCI_AUTO_CONN_REPORT:
7582 		if (params->explicit_connect)
7583 			list_add(&params->action, &hdev->pend_le_conns);
7584 		else
7585 			list_add(&params->action, &hdev->pend_le_reports);
7586 		break;
7587 	case HCI_AUTO_CONN_DIRECT:
7588 	case HCI_AUTO_CONN_ALWAYS:
7589 		if (!is_connected(hdev, addr, addr_type))
7590 			list_add(&params->action, &hdev->pend_le_conns);
7591 		break;
7592 	}
7593 
7594 	params->auto_connect = auto_connect;
7595 
7596 	bt_dev_dbg(hdev, "addr %pMR (type %u) auto_connect %u",
7597 		   addr, addr_type, auto_connect);
7598 
7599 	return 0;
7600 }
7601 
device_added(struct sock * sk,struct hci_dev * hdev,bdaddr_t * bdaddr,u8 type,u8 action)7602 static void device_added(struct sock *sk, struct hci_dev *hdev,
7603 			 bdaddr_t *bdaddr, u8 type, u8 action)
7604 {
7605 	struct mgmt_ev_device_added ev;
7606 
7607 	bacpy(&ev.addr.bdaddr, bdaddr);
7608 	ev.addr.type = type;
7609 	ev.action = action;
7610 
7611 	mgmt_event(MGMT_EV_DEVICE_ADDED, hdev, &ev, sizeof(ev), sk);
7612 }
7613 
add_device_sync(struct hci_dev * hdev,void * data)7614 static int add_device_sync(struct hci_dev *hdev, void *data)
7615 {
7616 	return hci_update_passive_scan_sync(hdev);
7617 }
7618 
add_device(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)7619 static int add_device(struct sock *sk, struct hci_dev *hdev,
7620 		      void *data, u16 len)
7621 {
7622 	struct mgmt_cp_add_device *cp = data;
7623 	u8 auto_conn, addr_type;
7624 	struct hci_conn_params *params;
7625 	int err;
7626 	u32 current_flags = 0;
7627 	u32 supported_flags;
7628 
7629 	bt_dev_dbg(hdev, "sock %p", sk);
7630 
7631 	if (!bdaddr_type_is_valid(cp->addr.type) ||
7632 	    !bacmp(&cp->addr.bdaddr, BDADDR_ANY))
7633 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
7634 					 MGMT_STATUS_INVALID_PARAMS,
7635 					 &cp->addr, sizeof(cp->addr));
7636 
7637 	if (cp->action != 0x00 && cp->action != 0x01 && cp->action != 0x02)
7638 		return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
7639 					 MGMT_STATUS_INVALID_PARAMS,
7640 					 &cp->addr, sizeof(cp->addr));
7641 
7642 	hci_dev_lock(hdev);
7643 
7644 	if (cp->addr.type == BDADDR_BREDR) {
7645 		/* Only incoming connections action is supported for now */
7646 		if (cp->action != 0x01) {
7647 			err = mgmt_cmd_complete(sk, hdev->id,
7648 						MGMT_OP_ADD_DEVICE,
7649 						MGMT_STATUS_INVALID_PARAMS,
7650 						&cp->addr, sizeof(cp->addr));
7651 			goto unlock;
7652 		}
7653 
7654 		err = hci_bdaddr_list_add_with_flags(&hdev->accept_list,
7655 						     &cp->addr.bdaddr,
7656 						     cp->addr.type, 0);
7657 		if (err)
7658 			goto unlock;
7659 
7660 		hci_update_scan(hdev);
7661 
7662 		goto added;
7663 	}
7664 
7665 	addr_type = le_addr_type(cp->addr.type);
7666 
7667 	if (cp->action == 0x02)
7668 		auto_conn = HCI_AUTO_CONN_ALWAYS;
7669 	else if (cp->action == 0x01)
7670 		auto_conn = HCI_AUTO_CONN_DIRECT;
7671 	else
7672 		auto_conn = HCI_AUTO_CONN_REPORT;
7673 
7674 	/* Kernel internally uses conn_params with resolvable private
7675 	 * address, but Add Device allows only identity addresses.
7676 	 * Make sure it is enforced before calling
7677 	 * hci_conn_params_lookup.
7678 	 */
7679 	if (!hci_is_identity_address(&cp->addr.bdaddr, addr_type)) {
7680 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
7681 					MGMT_STATUS_INVALID_PARAMS,
7682 					&cp->addr, sizeof(cp->addr));
7683 		goto unlock;
7684 	}
7685 
7686 	/* If the connection parameters don't exist for this device,
7687 	 * they will be created and configured with defaults.
7688 	 */
7689 	if (hci_conn_params_set(hdev, &cp->addr.bdaddr, addr_type,
7690 				auto_conn) < 0) {
7691 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
7692 					MGMT_STATUS_FAILED, &cp->addr,
7693 					sizeof(cp->addr));
7694 		goto unlock;
7695 	} else {
7696 		params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr,
7697 						addr_type);
7698 		if (params)
7699 			current_flags = params->flags;
7700 	}
7701 
7702 	err = hci_cmd_sync_queue(hdev, add_device_sync, NULL, NULL);
7703 	if (err < 0)
7704 		goto unlock;
7705 
7706 added:
7707 	device_added(sk, hdev, &cp->addr.bdaddr, cp->addr.type, cp->action);
7708 	supported_flags = hdev->conn_flags;
7709 	device_flags_changed(NULL, hdev, &cp->addr.bdaddr, cp->addr.type,
7710 			     supported_flags, current_flags);
7711 
7712 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_DEVICE,
7713 				MGMT_STATUS_SUCCESS, &cp->addr,
7714 				sizeof(cp->addr));
7715 
7716 unlock:
7717 	hci_dev_unlock(hdev);
7718 	return err;
7719 }
7720 
device_removed(struct sock * sk,struct hci_dev * hdev,bdaddr_t * bdaddr,u8 type)7721 static void device_removed(struct sock *sk, struct hci_dev *hdev,
7722 			   bdaddr_t *bdaddr, u8 type)
7723 {
7724 	struct mgmt_ev_device_removed ev;
7725 
7726 	bacpy(&ev.addr.bdaddr, bdaddr);
7727 	ev.addr.type = type;
7728 
7729 	mgmt_event(MGMT_EV_DEVICE_REMOVED, hdev, &ev, sizeof(ev), sk);
7730 }
7731 
remove_device_sync(struct hci_dev * hdev,void * data)7732 static int remove_device_sync(struct hci_dev *hdev, void *data)
7733 {
7734 	return hci_update_passive_scan_sync(hdev);
7735 }
7736 
remove_device(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)7737 static int remove_device(struct sock *sk, struct hci_dev *hdev,
7738 			 void *data, u16 len)
7739 {
7740 	struct mgmt_cp_remove_device *cp = data;
7741 	int err;
7742 
7743 	bt_dev_dbg(hdev, "sock %p", sk);
7744 
7745 	hci_dev_lock(hdev);
7746 
7747 	if (bacmp(&cp->addr.bdaddr, BDADDR_ANY)) {
7748 		struct hci_conn_params *params;
7749 		u8 addr_type;
7750 
7751 		if (!bdaddr_type_is_valid(cp->addr.type)) {
7752 			err = mgmt_cmd_complete(sk, hdev->id,
7753 						MGMT_OP_REMOVE_DEVICE,
7754 						MGMT_STATUS_INVALID_PARAMS,
7755 						&cp->addr, sizeof(cp->addr));
7756 			goto unlock;
7757 		}
7758 
7759 		if (cp->addr.type == BDADDR_BREDR) {
7760 			err = hci_bdaddr_list_del(&hdev->accept_list,
7761 						  &cp->addr.bdaddr,
7762 						  cp->addr.type);
7763 			if (err) {
7764 				err = mgmt_cmd_complete(sk, hdev->id,
7765 							MGMT_OP_REMOVE_DEVICE,
7766 							MGMT_STATUS_INVALID_PARAMS,
7767 							&cp->addr,
7768 							sizeof(cp->addr));
7769 				goto unlock;
7770 			}
7771 
7772 			hci_update_scan(hdev);
7773 
7774 			device_removed(sk, hdev, &cp->addr.bdaddr,
7775 				       cp->addr.type);
7776 			goto complete;
7777 		}
7778 
7779 		addr_type = le_addr_type(cp->addr.type);
7780 
7781 		/* Kernel internally uses conn_params with resolvable private
7782 		 * address, but Remove Device allows only identity addresses.
7783 		 * Make sure it is enforced before calling
7784 		 * hci_conn_params_lookup.
7785 		 */
7786 		if (!hci_is_identity_address(&cp->addr.bdaddr, addr_type)) {
7787 			err = mgmt_cmd_complete(sk, hdev->id,
7788 						MGMT_OP_REMOVE_DEVICE,
7789 						MGMT_STATUS_INVALID_PARAMS,
7790 						&cp->addr, sizeof(cp->addr));
7791 			goto unlock;
7792 		}
7793 
7794 		params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr,
7795 						addr_type);
7796 		if (!params) {
7797 			err = mgmt_cmd_complete(sk, hdev->id,
7798 						MGMT_OP_REMOVE_DEVICE,
7799 						MGMT_STATUS_INVALID_PARAMS,
7800 						&cp->addr, sizeof(cp->addr));
7801 			goto unlock;
7802 		}
7803 
7804 		if (params->auto_connect == HCI_AUTO_CONN_DISABLED ||
7805 		    params->auto_connect == HCI_AUTO_CONN_EXPLICIT) {
7806 			err = mgmt_cmd_complete(sk, hdev->id,
7807 						MGMT_OP_REMOVE_DEVICE,
7808 						MGMT_STATUS_INVALID_PARAMS,
7809 						&cp->addr, sizeof(cp->addr));
7810 			goto unlock;
7811 		}
7812 
7813 		list_del(&params->action);
7814 		list_del(&params->list);
7815 		kfree(params);
7816 
7817 		device_removed(sk, hdev, &cp->addr.bdaddr, cp->addr.type);
7818 	} else {
7819 		struct hci_conn_params *p, *tmp;
7820 		struct bdaddr_list *b, *btmp;
7821 
7822 		if (cp->addr.type) {
7823 			err = mgmt_cmd_complete(sk, hdev->id,
7824 						MGMT_OP_REMOVE_DEVICE,
7825 						MGMT_STATUS_INVALID_PARAMS,
7826 						&cp->addr, sizeof(cp->addr));
7827 			goto unlock;
7828 		}
7829 
7830 		list_for_each_entry_safe(b, btmp, &hdev->accept_list, list) {
7831 			device_removed(sk, hdev, &b->bdaddr, b->bdaddr_type);
7832 			list_del(&b->list);
7833 			kfree(b);
7834 		}
7835 
7836 		hci_update_scan(hdev);
7837 
7838 		list_for_each_entry_safe(p, tmp, &hdev->le_conn_params, list) {
7839 			if (p->auto_connect == HCI_AUTO_CONN_DISABLED)
7840 				continue;
7841 			device_removed(sk, hdev, &p->addr, p->addr_type);
7842 			if (p->explicit_connect) {
7843 				p->auto_connect = HCI_AUTO_CONN_EXPLICIT;
7844 				continue;
7845 			}
7846 			list_del(&p->action);
7847 			list_del(&p->list);
7848 			kfree(p);
7849 		}
7850 
7851 		bt_dev_dbg(hdev, "All LE connection parameters were removed");
7852 	}
7853 
7854 	hci_cmd_sync_queue(hdev, remove_device_sync, NULL, NULL);
7855 
7856 complete:
7857 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_DEVICE,
7858 				MGMT_STATUS_SUCCESS, &cp->addr,
7859 				sizeof(cp->addr));
7860 unlock:
7861 	hci_dev_unlock(hdev);
7862 	return err;
7863 }
7864 
load_conn_param(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)7865 static int load_conn_param(struct sock *sk, struct hci_dev *hdev, void *data,
7866 			   u16 len)
7867 {
7868 	struct mgmt_cp_load_conn_param *cp = data;
7869 	const u16 max_param_count = ((U16_MAX - sizeof(*cp)) /
7870 				     sizeof(struct mgmt_conn_param));
7871 	u16 param_count, expected_len;
7872 	int i;
7873 
7874 	if (!lmp_le_capable(hdev))
7875 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM,
7876 				       MGMT_STATUS_NOT_SUPPORTED);
7877 
7878 	param_count = __le16_to_cpu(cp->param_count);
7879 	if (param_count > max_param_count) {
7880 		bt_dev_err(hdev, "load_conn_param: too big param_count value %u",
7881 			   param_count);
7882 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM,
7883 				       MGMT_STATUS_INVALID_PARAMS);
7884 	}
7885 
7886 	expected_len = struct_size(cp, params, param_count);
7887 	if (expected_len != len) {
7888 		bt_dev_err(hdev, "load_conn_param: expected %u bytes, got %u bytes",
7889 			   expected_len, len);
7890 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM,
7891 				       MGMT_STATUS_INVALID_PARAMS);
7892 	}
7893 
7894 	bt_dev_dbg(hdev, "param_count %u", param_count);
7895 
7896 	hci_dev_lock(hdev);
7897 
7898 	hci_conn_params_clear_disabled(hdev);
7899 
7900 	for (i = 0; i < param_count; i++) {
7901 		struct mgmt_conn_param *param = &cp->params[i];
7902 		struct hci_conn_params *hci_param;
7903 		u16 min, max, latency, timeout;
7904 		u8 addr_type;
7905 
7906 		bt_dev_dbg(hdev, "Adding %pMR (type %u)", &param->addr.bdaddr,
7907 			   param->addr.type);
7908 
7909 		if (param->addr.type == BDADDR_LE_PUBLIC) {
7910 			addr_type = ADDR_LE_DEV_PUBLIC;
7911 		} else if (param->addr.type == BDADDR_LE_RANDOM) {
7912 			addr_type = ADDR_LE_DEV_RANDOM;
7913 		} else {
7914 			bt_dev_err(hdev, "ignoring invalid connection parameters");
7915 			continue;
7916 		}
7917 
7918 		min = le16_to_cpu(param->min_interval);
7919 		max = le16_to_cpu(param->max_interval);
7920 		latency = le16_to_cpu(param->latency);
7921 		timeout = le16_to_cpu(param->timeout);
7922 
7923 		bt_dev_dbg(hdev, "min 0x%04x max 0x%04x latency 0x%04x timeout 0x%04x",
7924 			   min, max, latency, timeout);
7925 
7926 		if (hci_check_conn_params(min, max, latency, timeout) < 0) {
7927 			bt_dev_err(hdev, "ignoring invalid connection parameters");
7928 			continue;
7929 		}
7930 
7931 		hci_param = hci_conn_params_add(hdev, &param->addr.bdaddr,
7932 						addr_type);
7933 		if (!hci_param) {
7934 			bt_dev_err(hdev, "failed to add connection parameters");
7935 			continue;
7936 		}
7937 
7938 		hci_param->conn_min_interval = min;
7939 		hci_param->conn_max_interval = max;
7940 		hci_param->conn_latency = latency;
7941 		hci_param->supervision_timeout = timeout;
7942 	}
7943 
7944 	hci_dev_unlock(hdev);
7945 
7946 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_LOAD_CONN_PARAM, 0,
7947 				 NULL, 0);
7948 }
7949 
set_external_config(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)7950 static int set_external_config(struct sock *sk, struct hci_dev *hdev,
7951 			       void *data, u16 len)
7952 {
7953 	struct mgmt_cp_set_external_config *cp = data;
7954 	bool changed;
7955 	int err;
7956 
7957 	bt_dev_dbg(hdev, "sock %p", sk);
7958 
7959 	if (hdev_is_powered(hdev))
7960 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_EXTERNAL_CONFIG,
7961 				       MGMT_STATUS_REJECTED);
7962 
7963 	if (cp->config != 0x00 && cp->config != 0x01)
7964 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_EXTERNAL_CONFIG,
7965 				         MGMT_STATUS_INVALID_PARAMS);
7966 
7967 	if (!test_bit(HCI_QUIRK_EXTERNAL_CONFIG, &hdev->quirks))
7968 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_EXTERNAL_CONFIG,
7969 				       MGMT_STATUS_NOT_SUPPORTED);
7970 
7971 	hci_dev_lock(hdev);
7972 
7973 	if (cp->config)
7974 		changed = !hci_dev_test_and_set_flag(hdev, HCI_EXT_CONFIGURED);
7975 	else
7976 		changed = hci_dev_test_and_clear_flag(hdev, HCI_EXT_CONFIGURED);
7977 
7978 	err = send_options_rsp(sk, MGMT_OP_SET_EXTERNAL_CONFIG, hdev);
7979 	if (err < 0)
7980 		goto unlock;
7981 
7982 	if (!changed)
7983 		goto unlock;
7984 
7985 	err = new_options(hdev, sk);
7986 
7987 	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED) == is_configured(hdev)) {
7988 		mgmt_index_removed(hdev);
7989 
7990 		if (hci_dev_test_and_change_flag(hdev, HCI_UNCONFIGURED)) {
7991 			hci_dev_set_flag(hdev, HCI_CONFIG);
7992 			hci_dev_set_flag(hdev, HCI_AUTO_OFF);
7993 
7994 			queue_work(hdev->req_workqueue, &hdev->power_on);
7995 		} else {
7996 			set_bit(HCI_RAW, &hdev->flags);
7997 			mgmt_index_added(hdev);
7998 		}
7999 	}
8000 
8001 unlock:
8002 	hci_dev_unlock(hdev);
8003 	return err;
8004 }
8005 
set_public_address(struct sock * sk,struct hci_dev * hdev,void * data,u16 len)8006 static int set_public_address(struct sock *sk, struct hci_dev *hdev,
8007 			      void *data, u16 len)
8008 {
8009 	struct mgmt_cp_set_public_address *cp = data;
8010 	bool changed;
8011 	int err;
8012 
8013 	bt_dev_dbg(hdev, "sock %p", sk);
8014 
8015 	if (hdev_is_powered(hdev))
8016 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PUBLIC_ADDRESS,
8017 				       MGMT_STATUS_REJECTED);
8018 
8019 	if (!bacmp(&cp->bdaddr, BDADDR_ANY))
8020 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PUBLIC_ADDRESS,
8021 				       MGMT_STATUS_INVALID_PARAMS);
8022 
8023 	if (!hdev->set_bdaddr)
8024 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_PUBLIC_ADDRESS,
8025 				       MGMT_STATUS_NOT_SUPPORTED);
8026 
8027 	hci_dev_lock(hdev);
8028 
8029 	changed = !!bacmp(&hdev->public_addr, &cp->bdaddr);
8030 	bacpy(&hdev->public_addr, &cp->bdaddr);
8031 
8032 	err = send_options_rsp(sk, MGMT_OP_SET_PUBLIC_ADDRESS, hdev);
8033 	if (err < 0)
8034 		goto unlock;
8035 
8036 	if (!changed)
8037 		goto unlock;
8038 
8039 	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
8040 		err = new_options(hdev, sk);
8041 
8042 	if (is_configured(hdev)) {
8043 		mgmt_index_removed(hdev);
8044 
8045 		hci_dev_clear_flag(hdev, HCI_UNCONFIGURED);
8046 
8047 		hci_dev_set_flag(hdev, HCI_CONFIG);
8048 		hci_dev_set_flag(hdev, HCI_AUTO_OFF);
8049 
8050 		queue_work(hdev->req_workqueue, &hdev->power_on);
8051 	}
8052 
8053 unlock:
8054 	hci_dev_unlock(hdev);
8055 	return err;
8056 }
8057 
read_local_oob_ext_data_complete(struct hci_dev * hdev,void * data,int err)8058 static void read_local_oob_ext_data_complete(struct hci_dev *hdev, void *data,
8059 					     int err)
8060 {
8061 	const struct mgmt_cp_read_local_oob_ext_data *mgmt_cp;
8062 	struct mgmt_rp_read_local_oob_ext_data *mgmt_rp;
8063 	u8 *h192, *r192, *h256, *r256;
8064 	struct mgmt_pending_cmd *cmd = data;
8065 	struct sk_buff *skb = cmd->skb;
8066 	u8 status = mgmt_status(err);
8067 	u16 eir_len;
8068 
8069 	if (cmd != pending_find(MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev))
8070 		return;
8071 
8072 	if (!status) {
8073 		if (!skb)
8074 			status = MGMT_STATUS_FAILED;
8075 		else if (IS_ERR(skb))
8076 			status = mgmt_status(PTR_ERR(skb));
8077 		else
8078 			status = mgmt_status(skb->data[0]);
8079 	}
8080 
8081 	bt_dev_dbg(hdev, "status %u", status);
8082 
8083 	mgmt_cp = cmd->param;
8084 
8085 	if (status) {
8086 		status = mgmt_status(status);
8087 		eir_len = 0;
8088 
8089 		h192 = NULL;
8090 		r192 = NULL;
8091 		h256 = NULL;
8092 		r256 = NULL;
8093 	} else if (!bredr_sc_enabled(hdev)) {
8094 		struct hci_rp_read_local_oob_data *rp;
8095 
8096 		if (skb->len != sizeof(*rp)) {
8097 			status = MGMT_STATUS_FAILED;
8098 			eir_len = 0;
8099 		} else {
8100 			status = MGMT_STATUS_SUCCESS;
8101 			rp = (void *)skb->data;
8102 
8103 			eir_len = 5 + 18 + 18;
8104 			h192 = rp->hash;
8105 			r192 = rp->rand;
8106 			h256 = NULL;
8107 			r256 = NULL;
8108 		}
8109 	} else {
8110 		struct hci_rp_read_local_oob_ext_data *rp;
8111 
8112 		if (skb->len != sizeof(*rp)) {
8113 			status = MGMT_STATUS_FAILED;
8114 			eir_len = 0;
8115 		} else {
8116 			status = MGMT_STATUS_SUCCESS;
8117 			rp = (void *)skb->data;
8118 
8119 			if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
8120 				eir_len = 5 + 18 + 18;
8121 				h192 = NULL;
8122 				r192 = NULL;
8123 			} else {
8124 				eir_len = 5 + 18 + 18 + 18 + 18;
8125 				h192 = rp->hash192;
8126 				r192 = rp->rand192;
8127 			}
8128 
8129 			h256 = rp->hash256;
8130 			r256 = rp->rand256;
8131 		}
8132 	}
8133 
8134 	mgmt_rp = kmalloc(sizeof(*mgmt_rp) + eir_len, GFP_KERNEL);
8135 	if (!mgmt_rp)
8136 		goto done;
8137 
8138 	if (eir_len == 0)
8139 		goto send_rsp;
8140 
8141 	eir_len = eir_append_data(mgmt_rp->eir, 0, EIR_CLASS_OF_DEV,
8142 				  hdev->dev_class, 3);
8143 
8144 	if (h192 && r192) {
8145 		eir_len = eir_append_data(mgmt_rp->eir, eir_len,
8146 					  EIR_SSP_HASH_C192, h192, 16);
8147 		eir_len = eir_append_data(mgmt_rp->eir, eir_len,
8148 					  EIR_SSP_RAND_R192, r192, 16);
8149 	}
8150 
8151 	if (h256 && r256) {
8152 		eir_len = eir_append_data(mgmt_rp->eir, eir_len,
8153 					  EIR_SSP_HASH_C256, h256, 16);
8154 		eir_len = eir_append_data(mgmt_rp->eir, eir_len,
8155 					  EIR_SSP_RAND_R256, r256, 16);
8156 	}
8157 
8158 send_rsp:
8159 	mgmt_rp->type = mgmt_cp->type;
8160 	mgmt_rp->eir_len = cpu_to_le16(eir_len);
8161 
8162 	err = mgmt_cmd_complete(cmd->sk, hdev->id,
8163 				MGMT_OP_READ_LOCAL_OOB_EXT_DATA, status,
8164 				mgmt_rp, sizeof(*mgmt_rp) + eir_len);
8165 	if (err < 0 || status)
8166 		goto done;
8167 
8168 	hci_sock_set_flag(cmd->sk, HCI_MGMT_OOB_DATA_EVENTS);
8169 
8170 	err = mgmt_limited_event(MGMT_EV_LOCAL_OOB_DATA_UPDATED, hdev,
8171 				 mgmt_rp, sizeof(*mgmt_rp) + eir_len,
8172 				 HCI_MGMT_OOB_DATA_EVENTS, cmd->sk);
8173 done:
8174 	if (skb && !IS_ERR(skb))
8175 		kfree_skb(skb);
8176 
8177 	kfree(mgmt_rp);
8178 	mgmt_pending_remove(cmd);
8179 }
8180 
read_local_ssp_oob_req(struct hci_dev * hdev,struct sock * sk,struct mgmt_cp_read_local_oob_ext_data * cp)8181 static int read_local_ssp_oob_req(struct hci_dev *hdev, struct sock *sk,
8182 				  struct mgmt_cp_read_local_oob_ext_data *cp)
8183 {
8184 	struct mgmt_pending_cmd *cmd;
8185 	int err;
8186 
8187 	cmd = mgmt_pending_add(sk, MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev,
8188 			       cp, sizeof(*cp));
8189 	if (!cmd)
8190 		return -ENOMEM;
8191 
8192 	err = hci_cmd_sync_queue(hdev, read_local_oob_data_sync, cmd,
8193 				 read_local_oob_ext_data_complete);
8194 
8195 	if (err < 0) {
8196 		mgmt_pending_remove(cmd);
8197 		return err;
8198 	}
8199 
8200 	return 0;
8201 }
8202 
read_local_oob_ext_data(struct sock * sk,struct hci_dev * hdev,void * data,u16 data_len)8203 static int read_local_oob_ext_data(struct sock *sk, struct hci_dev *hdev,
8204 				   void *data, u16 data_len)
8205 {
8206 	struct mgmt_cp_read_local_oob_ext_data *cp = data;
8207 	struct mgmt_rp_read_local_oob_ext_data *rp;
8208 	size_t rp_len;
8209 	u16 eir_len;
8210 	u8 status, flags, role, addr[7], hash[16], rand[16];
8211 	int err;
8212 
8213 	bt_dev_dbg(hdev, "sock %p", sk);
8214 
8215 	if (hdev_is_powered(hdev)) {
8216 		switch (cp->type) {
8217 		case BIT(BDADDR_BREDR):
8218 			status = mgmt_bredr_support(hdev);
8219 			if (status)
8220 				eir_len = 0;
8221 			else
8222 				eir_len = 5;
8223 			break;
8224 		case (BIT(BDADDR_LE_PUBLIC) | BIT(BDADDR_LE_RANDOM)):
8225 			status = mgmt_le_support(hdev);
8226 			if (status)
8227 				eir_len = 0;
8228 			else
8229 				eir_len = 9 + 3 + 18 + 18 + 3;
8230 			break;
8231 		default:
8232 			status = MGMT_STATUS_INVALID_PARAMS;
8233 			eir_len = 0;
8234 			break;
8235 		}
8236 	} else {
8237 		status = MGMT_STATUS_NOT_POWERED;
8238 		eir_len = 0;
8239 	}
8240 
8241 	rp_len = sizeof(*rp) + eir_len;
8242 	rp = kmalloc(rp_len, GFP_ATOMIC);
8243 	if (!rp)
8244 		return -ENOMEM;
8245 
8246 	if (!status && !lmp_ssp_capable(hdev)) {
8247 		status = MGMT_STATUS_NOT_SUPPORTED;
8248 		eir_len = 0;
8249 	}
8250 
8251 	if (status)
8252 		goto complete;
8253 
8254 	hci_dev_lock(hdev);
8255 
8256 	eir_len = 0;
8257 	switch (cp->type) {
8258 	case BIT(BDADDR_BREDR):
8259 		if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
8260 			err = read_local_ssp_oob_req(hdev, sk, cp);
8261 			hci_dev_unlock(hdev);
8262 			if (!err)
8263 				goto done;
8264 
8265 			status = MGMT_STATUS_FAILED;
8266 			goto complete;
8267 		} else {
8268 			eir_len = eir_append_data(rp->eir, eir_len,
8269 						  EIR_CLASS_OF_DEV,
8270 						  hdev->dev_class, 3);
8271 		}
8272 		break;
8273 	case (BIT(BDADDR_LE_PUBLIC) | BIT(BDADDR_LE_RANDOM)):
8274 		if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
8275 		    smp_generate_oob(hdev, hash, rand) < 0) {
8276 			hci_dev_unlock(hdev);
8277 			status = MGMT_STATUS_FAILED;
8278 			goto complete;
8279 		}
8280 
8281 		/* This should return the active RPA, but since the RPA
8282 		 * is only programmed on demand, it is really hard to fill
8283 		 * this in at the moment. For now disallow retrieving
8284 		 * local out-of-band data when privacy is in use.
8285 		 *
8286 		 * Returning the identity address will not help here since
8287 		 * pairing happens before the identity resolving key is
8288 		 * known and thus the connection establishment happens
8289 		 * based on the RPA and not the identity address.
8290 		 */
8291 		if (hci_dev_test_flag(hdev, HCI_PRIVACY)) {
8292 			hci_dev_unlock(hdev);
8293 			status = MGMT_STATUS_REJECTED;
8294 			goto complete;
8295 		}
8296 
8297 		if (hci_dev_test_flag(hdev, HCI_FORCE_STATIC_ADDR) ||
8298 		   !bacmp(&hdev->bdaddr, BDADDR_ANY) ||
8299 		   (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
8300 		    bacmp(&hdev->static_addr, BDADDR_ANY))) {
8301 			memcpy(addr, &hdev->static_addr, 6);
8302 			addr[6] = 0x01;
8303 		} else {
8304 			memcpy(addr, &hdev->bdaddr, 6);
8305 			addr[6] = 0x00;
8306 		}
8307 
8308 		eir_len = eir_append_data(rp->eir, eir_len, EIR_LE_BDADDR,
8309 					  addr, sizeof(addr));
8310 
8311 		if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
8312 			role = 0x02;
8313 		else
8314 			role = 0x01;
8315 
8316 		eir_len = eir_append_data(rp->eir, eir_len, EIR_LE_ROLE,
8317 					  &role, sizeof(role));
8318 
8319 		if (hci_dev_test_flag(hdev, HCI_SC_ENABLED)) {
8320 			eir_len = eir_append_data(rp->eir, eir_len,
8321 						  EIR_LE_SC_CONFIRM,
8322 						  hash, sizeof(hash));
8323 
8324 			eir_len = eir_append_data(rp->eir, eir_len,
8325 						  EIR_LE_SC_RANDOM,
8326 						  rand, sizeof(rand));
8327 		}
8328 
8329 		flags = mgmt_get_adv_discov_flags(hdev);
8330 
8331 		if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
8332 			flags |= LE_AD_NO_BREDR;
8333 
8334 		eir_len = eir_append_data(rp->eir, eir_len, EIR_FLAGS,
8335 					  &flags, sizeof(flags));
8336 		break;
8337 	}
8338 
8339 	hci_dev_unlock(hdev);
8340 
8341 	hci_sock_set_flag(sk, HCI_MGMT_OOB_DATA_EVENTS);
8342 
8343 	status = MGMT_STATUS_SUCCESS;
8344 
8345 complete:
8346 	rp->type = cp->type;
8347 	rp->eir_len = cpu_to_le16(eir_len);
8348 
8349 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_EXT_DATA,
8350 				status, rp, sizeof(*rp) + eir_len);
8351 	if (err < 0 || status)
8352 		goto done;
8353 
8354 	err = mgmt_limited_event(MGMT_EV_LOCAL_OOB_DATA_UPDATED, hdev,
8355 				 rp, sizeof(*rp) + eir_len,
8356 				 HCI_MGMT_OOB_DATA_EVENTS, sk);
8357 
8358 done:
8359 	kfree(rp);
8360 
8361 	return err;
8362 }
8363 
get_supported_adv_flags(struct hci_dev * hdev)8364 static u32 get_supported_adv_flags(struct hci_dev *hdev)
8365 {
8366 	u32 flags = 0;
8367 
8368 	flags |= MGMT_ADV_FLAG_CONNECTABLE;
8369 	flags |= MGMT_ADV_FLAG_DISCOV;
8370 	flags |= MGMT_ADV_FLAG_LIMITED_DISCOV;
8371 	flags |= MGMT_ADV_FLAG_MANAGED_FLAGS;
8372 	flags |= MGMT_ADV_FLAG_APPEARANCE;
8373 	flags |= MGMT_ADV_FLAG_LOCAL_NAME;
8374 	flags |= MGMT_ADV_PARAM_DURATION;
8375 	flags |= MGMT_ADV_PARAM_TIMEOUT;
8376 	flags |= MGMT_ADV_PARAM_INTERVALS;
8377 	flags |= MGMT_ADV_PARAM_TX_POWER;
8378 	flags |= MGMT_ADV_PARAM_SCAN_RSP;
8379 
8380 	/* In extended adv TX_POWER returned from Set Adv Param
8381 	 * will be always valid.
8382 	 */
8383 	if (hdev->adv_tx_power != HCI_TX_POWER_INVALID || ext_adv_capable(hdev))
8384 		flags |= MGMT_ADV_FLAG_TX_POWER;
8385 
8386 	if (ext_adv_capable(hdev)) {
8387 		flags |= MGMT_ADV_FLAG_SEC_1M;
8388 		flags |= MGMT_ADV_FLAG_HW_OFFLOAD;
8389 		flags |= MGMT_ADV_FLAG_CAN_SET_TX_POWER;
8390 
8391 		if (hdev->le_features[1] & HCI_LE_PHY_2M)
8392 			flags |= MGMT_ADV_FLAG_SEC_2M;
8393 
8394 		if (hdev->le_features[1] & HCI_LE_PHY_CODED)
8395 			flags |= MGMT_ADV_FLAG_SEC_CODED;
8396 	}
8397 
8398 	return flags;
8399 }
8400 
read_adv_features(struct sock * sk,struct hci_dev * hdev,void * data,u16 data_len)8401 static int read_adv_features(struct sock *sk, struct hci_dev *hdev,
8402 			     void *data, u16 data_len)
8403 {
8404 	struct mgmt_rp_read_adv_features *rp;
8405 	size_t rp_len;
8406 	int err;
8407 	struct adv_info *adv_instance;
8408 	u32 supported_flags;
8409 	u8 *instance;
8410 
8411 	bt_dev_dbg(hdev, "sock %p", sk);
8412 
8413 	if (!lmp_le_capable(hdev))
8414 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_READ_ADV_FEATURES,
8415 				       MGMT_STATUS_REJECTED);
8416 
8417 	hci_dev_lock(hdev);
8418 
8419 	rp_len = sizeof(*rp) + hdev->adv_instance_cnt;
8420 	rp = kmalloc(rp_len, GFP_ATOMIC);
8421 	if (!rp) {
8422 		hci_dev_unlock(hdev);
8423 		return -ENOMEM;
8424 	}
8425 
8426 	supported_flags = get_supported_adv_flags(hdev);
8427 
8428 	rp->supported_flags = cpu_to_le32(supported_flags);
8429 	rp->max_adv_data_len = HCI_MAX_AD_LENGTH;
8430 	rp->max_scan_rsp_len = HCI_MAX_AD_LENGTH;
8431 	rp->max_instances = hdev->le_num_of_adv_sets;
8432 	rp->num_instances = hdev->adv_instance_cnt;
8433 
8434 	instance = rp->instance;
8435 	list_for_each_entry(adv_instance, &hdev->adv_instances, list) {
8436 		/* Only instances 1-le_num_of_adv_sets are externally visible */
8437 		if (adv_instance->instance <= hdev->adv_instance_cnt) {
8438 			*instance = adv_instance->instance;
8439 			instance++;
8440 		} else {
8441 			rp->num_instances--;
8442 			rp_len--;
8443 		}
8444 	}
8445 
8446 	hci_dev_unlock(hdev);
8447 
8448 	err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_READ_ADV_FEATURES,
8449 				MGMT_STATUS_SUCCESS, rp, rp_len);
8450 
8451 	kfree(rp);
8452 
8453 	return err;
8454 }
8455 
calculate_name_len(struct hci_dev * hdev)8456 static u8 calculate_name_len(struct hci_dev *hdev)
8457 {
8458 	u8 buf[HCI_MAX_SHORT_NAME_LENGTH + 3];
8459 
8460 	return eir_append_local_name(hdev, buf, 0);
8461 }
8462 
tlv_data_max_len(struct hci_dev * hdev,u32 adv_flags,bool is_adv_data)8463 static u8 tlv_data_max_len(struct hci_dev *hdev, u32 adv_flags,
8464 			   bool is_adv_data)
8465 {
8466 	u8 max_len = HCI_MAX_AD_LENGTH;
8467 
8468 	if (is_adv_data) {
8469 		if (adv_flags & (MGMT_ADV_FLAG_DISCOV |
8470 				 MGMT_ADV_FLAG_LIMITED_DISCOV |
8471 				 MGMT_ADV_FLAG_MANAGED_FLAGS))
8472 			max_len -= 3;
8473 
8474 		if (adv_flags & MGMT_ADV_FLAG_TX_POWER)
8475 			max_len -= 3;
8476 	} else {
8477 		if (adv_flags & MGMT_ADV_FLAG_LOCAL_NAME)
8478 			max_len -= calculate_name_len(hdev);
8479 
8480 		if (adv_flags & (MGMT_ADV_FLAG_APPEARANCE))
8481 			max_len -= 4;
8482 	}
8483 
8484 	return max_len;
8485 }
8486 
flags_managed(u32 adv_flags)8487 static bool flags_managed(u32 adv_flags)
8488 {
8489 	return adv_flags & (MGMT_ADV_FLAG_DISCOV |
8490 			    MGMT_ADV_FLAG_LIMITED_DISCOV |
8491 			    MGMT_ADV_FLAG_MANAGED_FLAGS);
8492 }
8493 
tx_power_managed(u32 adv_flags)8494 static bool tx_power_managed(u32 adv_flags)
8495 {
8496 	return adv_flags & MGMT_ADV_FLAG_TX_POWER;
8497 }
8498 
name_managed(u32 adv_flags)8499 static bool name_managed(u32 adv_flags)
8500 {
8501 	return adv_flags & MGMT_ADV_FLAG_LOCAL_NAME;
8502 }
8503 
appearance_managed(u32 adv_flags)8504 static bool appearance_managed(u32 adv_flags)
8505 {
8506 	return adv_flags & MGMT_ADV_FLAG_APPEARANCE;
8507 }
8508 
tlv_data_is_valid(struct hci_dev * hdev,u32 adv_flags,u8 * data,u8 len,bool is_adv_data)8509 static bool tlv_data_is_valid(struct hci_dev *hdev, u32 adv_flags, u8 *data,
8510 			      u8 len, bool is_adv_data)
8511 {
8512 	int i, cur_len;
8513 	u8 max_len;
8514 
8515 	max_len = tlv_data_max_len(hdev, adv_flags, is_adv_data);
8516 
8517 	if (len > max_len)
8518 		return false;
8519 
8520 	/* Make sure that the data is correctly formatted. */
8521 	for (i = 0; i < len; i += (cur_len + 1)) {
8522 		cur_len = data[i];
8523 
8524 		if (!cur_len)
8525 			continue;
8526 
8527 		if (data[i + 1] == EIR_FLAGS &&
8528 		    (!is_adv_data || flags_managed(adv_flags)))
8529 			return false;
8530 
8531 		if (data[i + 1] == EIR_TX_POWER && tx_power_managed(adv_flags))
8532 			return false;
8533 
8534 		if (data[i + 1] == EIR_NAME_COMPLETE && name_managed(adv_flags))
8535 			return false;
8536 
8537 		if (data[i + 1] == EIR_NAME_SHORT && name_managed(adv_flags))
8538 			return false;
8539 
8540 		if (data[i + 1] == EIR_APPEARANCE &&
8541 		    appearance_managed(adv_flags))
8542 			return false;
8543 
8544 		/* If the current field length would exceed the total data
8545 		 * length, then it's invalid.
8546 		 */
8547 		if (i + cur_len >= len)
8548 			return false;
8549 	}
8550 
8551 	return true;
8552 }
8553 
requested_adv_flags_are_valid(struct hci_dev * hdev,u32 adv_flags)8554 static bool requested_adv_flags_are_valid(struct hci_dev *hdev, u32 adv_flags)
8555 {
8556 	u32 supported_flags, phy_flags;
8557 
8558 	/* The current implementation only supports a subset of the specified
8559 	 * flags. Also need to check mutual exclusiveness of sec flags.
8560 	 */
8561 	supported_flags = get_supported_adv_flags(hdev);
8562 	phy_flags = adv_flags & MGMT_ADV_FLAG_SEC_MASK;
8563 	if (adv_flags & ~supported_flags ||
8564 	    ((phy_flags && (phy_flags ^ (phy_flags & -phy_flags)))))
8565 		return false;
8566 
8567 	return true;
8568 }
8569 
adv_busy(struct hci_dev * hdev)8570 static bool adv_busy(struct hci_dev *hdev)
8571 {
8572 	return pending_find(MGMT_OP_SET_LE, hdev);
8573 }
8574 
add_adv_complete(struct hci_dev * hdev,struct sock * sk,u8 instance,int err)8575 static void add_adv_complete(struct hci_dev *hdev, struct sock *sk, u8 instance,
8576 			     int err)
8577 {
8578 	struct adv_info *adv, *n;
8579 
8580 	bt_dev_dbg(hdev, "err %d", err);
8581 
8582 	hci_dev_lock(hdev);
8583 
8584 	list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) {
8585 		u8 instance;
8586 
8587 		if (!adv->pending)
8588 			continue;
8589 
8590 		if (!err) {
8591 			adv->pending = false;
8592 			continue;
8593 		}
8594 
8595 		instance = adv->instance;
8596 
8597 		if (hdev->cur_adv_instance == instance)
8598 			cancel_adv_timeout(hdev);
8599 
8600 		hci_remove_adv_instance(hdev, instance);
8601 		mgmt_advertising_removed(sk, hdev, instance);
8602 	}
8603 
8604 	hci_dev_unlock(hdev);
8605 }
8606 
add_advertising_complete(struct hci_dev * hdev,void * data,int err)8607 static void add_advertising_complete(struct hci_dev *hdev, void *data, int err)
8608 {
8609 	struct mgmt_pending_cmd *cmd = data;
8610 	struct mgmt_cp_add_advertising *cp = cmd->param;
8611 	struct mgmt_rp_add_advertising rp;
8612 
8613 	memset(&rp, 0, sizeof(rp));
8614 
8615 	rp.instance = cp->instance;
8616 
8617 	if (err)
8618 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode,
8619 				mgmt_status(err));
8620 	else
8621 		mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
8622 				  mgmt_status(err), &rp, sizeof(rp));
8623 
8624 	add_adv_complete(hdev, cmd->sk, cp->instance, err);
8625 
8626 	mgmt_pending_free(cmd);
8627 }
8628 
add_advertising_sync(struct hci_dev * hdev,void * data)8629 static int add_advertising_sync(struct hci_dev *hdev, void *data)
8630 {
8631 	struct mgmt_pending_cmd *cmd = data;
8632 	struct mgmt_cp_add_advertising *cp = cmd->param;
8633 
8634 	return hci_schedule_adv_instance_sync(hdev, cp->instance, true);
8635 }
8636 
add_advertising(struct sock * sk,struct hci_dev * hdev,void * data,u16 data_len)8637 static int add_advertising(struct sock *sk, struct hci_dev *hdev,
8638 			   void *data, u16 data_len)
8639 {
8640 	struct mgmt_cp_add_advertising *cp = data;
8641 	struct mgmt_rp_add_advertising rp;
8642 	u32 flags;
8643 	u8 status;
8644 	u16 timeout, duration;
8645 	unsigned int prev_instance_cnt;
8646 	u8 schedule_instance = 0;
8647 	struct adv_info *adv, *next_instance;
8648 	int err;
8649 	struct mgmt_pending_cmd *cmd;
8650 
8651 	bt_dev_dbg(hdev, "sock %p", sk);
8652 
8653 	status = mgmt_le_support(hdev);
8654 	if (status)
8655 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
8656 				       status);
8657 
8658 	if (cp->instance < 1 || cp->instance > hdev->le_num_of_adv_sets)
8659 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
8660 				       MGMT_STATUS_INVALID_PARAMS);
8661 
8662 	if (data_len != sizeof(*cp) + cp->adv_data_len + cp->scan_rsp_len)
8663 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
8664 				       MGMT_STATUS_INVALID_PARAMS);
8665 
8666 	flags = __le32_to_cpu(cp->flags);
8667 	timeout = __le16_to_cpu(cp->timeout);
8668 	duration = __le16_to_cpu(cp->duration);
8669 
8670 	if (!requested_adv_flags_are_valid(hdev, flags))
8671 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
8672 				       MGMT_STATUS_INVALID_PARAMS);
8673 
8674 	hci_dev_lock(hdev);
8675 
8676 	if (timeout && !hdev_is_powered(hdev)) {
8677 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
8678 				      MGMT_STATUS_REJECTED);
8679 		goto unlock;
8680 	}
8681 
8682 	if (adv_busy(hdev)) {
8683 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
8684 				      MGMT_STATUS_BUSY);
8685 		goto unlock;
8686 	}
8687 
8688 	if (!tlv_data_is_valid(hdev, flags, cp->data, cp->adv_data_len, true) ||
8689 	    !tlv_data_is_valid(hdev, flags, cp->data + cp->adv_data_len,
8690 			       cp->scan_rsp_len, false)) {
8691 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
8692 				      MGMT_STATUS_INVALID_PARAMS);
8693 		goto unlock;
8694 	}
8695 
8696 	prev_instance_cnt = hdev->adv_instance_cnt;
8697 
8698 	adv = hci_add_adv_instance(hdev, cp->instance, flags,
8699 				   cp->adv_data_len, cp->data,
8700 				   cp->scan_rsp_len,
8701 				   cp->data + cp->adv_data_len,
8702 				   timeout, duration,
8703 				   HCI_ADV_TX_POWER_NO_PREFERENCE,
8704 				   hdev->le_adv_min_interval,
8705 				   hdev->le_adv_max_interval, 0);
8706 	if (IS_ERR(adv)) {
8707 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
8708 				      MGMT_STATUS_FAILED);
8709 		goto unlock;
8710 	}
8711 
8712 	/* Only trigger an advertising added event if a new instance was
8713 	 * actually added.
8714 	 */
8715 	if (hdev->adv_instance_cnt > prev_instance_cnt)
8716 		mgmt_advertising_added(sk, hdev, cp->instance);
8717 
8718 	if (hdev->cur_adv_instance == cp->instance) {
8719 		/* If the currently advertised instance is being changed then
8720 		 * cancel the current advertising and schedule the next
8721 		 * instance. If there is only one instance then the overridden
8722 		 * advertising data will be visible right away.
8723 		 */
8724 		cancel_adv_timeout(hdev);
8725 
8726 		next_instance = hci_get_next_instance(hdev, cp->instance);
8727 		if (next_instance)
8728 			schedule_instance = next_instance->instance;
8729 	} else if (!hdev->adv_instance_timeout) {
8730 		/* Immediately advertise the new instance if no other
8731 		 * instance is currently being advertised.
8732 		 */
8733 		schedule_instance = cp->instance;
8734 	}
8735 
8736 	/* If the HCI_ADVERTISING flag is set or the device isn't powered or
8737 	 * there is no instance to be advertised then we have no HCI
8738 	 * communication to make. Simply return.
8739 	 */
8740 	if (!hdev_is_powered(hdev) ||
8741 	    hci_dev_test_flag(hdev, HCI_ADVERTISING) ||
8742 	    !schedule_instance) {
8743 		rp.instance = cp->instance;
8744 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
8745 					MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
8746 		goto unlock;
8747 	}
8748 
8749 	/* We're good to go, update advertising data, parameters, and start
8750 	 * advertising.
8751 	 */
8752 	cmd = mgmt_pending_new(sk, MGMT_OP_ADD_ADVERTISING, hdev, data,
8753 			       data_len);
8754 	if (!cmd) {
8755 		err = -ENOMEM;
8756 		goto unlock;
8757 	}
8758 
8759 	cp->instance = schedule_instance;
8760 
8761 	err = hci_cmd_sync_queue(hdev, add_advertising_sync, cmd,
8762 				 add_advertising_complete);
8763 	if (err < 0)
8764 		mgmt_pending_free(cmd);
8765 
8766 unlock:
8767 	hci_dev_unlock(hdev);
8768 
8769 	return err;
8770 }
8771 
add_ext_adv_params_complete(struct hci_dev * hdev,void * data,int err)8772 static void add_ext_adv_params_complete(struct hci_dev *hdev, void *data,
8773 					int err)
8774 {
8775 	struct mgmt_pending_cmd *cmd = data;
8776 	struct mgmt_cp_add_ext_adv_params *cp = cmd->param;
8777 	struct mgmt_rp_add_ext_adv_params rp;
8778 	struct adv_info *adv;
8779 	u32 flags;
8780 
8781 	BT_DBG("%s", hdev->name);
8782 
8783 	hci_dev_lock(hdev);
8784 
8785 	adv = hci_find_adv_instance(hdev, cp->instance);
8786 	if (!adv)
8787 		goto unlock;
8788 
8789 	rp.instance = cp->instance;
8790 	rp.tx_power = adv->tx_power;
8791 
8792 	/* While we're at it, inform userspace of the available space for this
8793 	 * advertisement, given the flags that will be used.
8794 	 */
8795 	flags = __le32_to_cpu(cp->flags);
8796 	rp.max_adv_data_len = tlv_data_max_len(hdev, flags, true);
8797 	rp.max_scan_rsp_len = tlv_data_max_len(hdev, flags, false);
8798 
8799 	if (err) {
8800 		/* If this advertisement was previously advertising and we
8801 		 * failed to update it, we signal that it has been removed and
8802 		 * delete its structure
8803 		 */
8804 		if (!adv->pending)
8805 			mgmt_advertising_removed(cmd->sk, hdev, cp->instance);
8806 
8807 		hci_remove_adv_instance(hdev, cp->instance);
8808 
8809 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode,
8810 				mgmt_status(err));
8811 	} else {
8812 		mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
8813 				  mgmt_status(err), &rp, sizeof(rp));
8814 	}
8815 
8816 unlock:
8817 	if (cmd)
8818 		mgmt_pending_free(cmd);
8819 
8820 	hci_dev_unlock(hdev);
8821 }
8822 
add_ext_adv_params_sync(struct hci_dev * hdev,void * data)8823 static int add_ext_adv_params_sync(struct hci_dev *hdev, void *data)
8824 {
8825 	struct mgmt_pending_cmd *cmd = data;
8826 	struct mgmt_cp_add_ext_adv_params *cp = cmd->param;
8827 
8828 	return hci_setup_ext_adv_instance_sync(hdev, cp->instance);
8829 }
8830 
add_ext_adv_params(struct sock * sk,struct hci_dev * hdev,void * data,u16 data_len)8831 static int add_ext_adv_params(struct sock *sk, struct hci_dev *hdev,
8832 			      void *data, u16 data_len)
8833 {
8834 	struct mgmt_cp_add_ext_adv_params *cp = data;
8835 	struct mgmt_rp_add_ext_adv_params rp;
8836 	struct mgmt_pending_cmd *cmd = NULL;
8837 	struct adv_info *adv;
8838 	u32 flags, min_interval, max_interval;
8839 	u16 timeout, duration;
8840 	u8 status;
8841 	s8 tx_power;
8842 	int err;
8843 
8844 	BT_DBG("%s", hdev->name);
8845 
8846 	status = mgmt_le_support(hdev);
8847 	if (status)
8848 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
8849 				       status);
8850 
8851 	if (cp->instance < 1 || cp->instance > hdev->le_num_of_adv_sets)
8852 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
8853 				       MGMT_STATUS_INVALID_PARAMS);
8854 
8855 	/* The purpose of breaking add_advertising into two separate MGMT calls
8856 	 * for params and data is to allow more parameters to be added to this
8857 	 * structure in the future. For this reason, we verify that we have the
8858 	 * bare minimum structure we know of when the interface was defined. Any
8859 	 * extra parameters we don't know about will be ignored in this request.
8860 	 */
8861 	if (data_len < MGMT_ADD_EXT_ADV_PARAMS_MIN_SIZE)
8862 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
8863 				       MGMT_STATUS_INVALID_PARAMS);
8864 
8865 	flags = __le32_to_cpu(cp->flags);
8866 
8867 	if (!requested_adv_flags_are_valid(hdev, flags))
8868 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
8869 				       MGMT_STATUS_INVALID_PARAMS);
8870 
8871 	hci_dev_lock(hdev);
8872 
8873 	/* In new interface, we require that we are powered to register */
8874 	if (!hdev_is_powered(hdev)) {
8875 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
8876 				      MGMT_STATUS_REJECTED);
8877 		goto unlock;
8878 	}
8879 
8880 	if (adv_busy(hdev)) {
8881 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
8882 				      MGMT_STATUS_BUSY);
8883 		goto unlock;
8884 	}
8885 
8886 	/* Parse defined parameters from request, use defaults otherwise */
8887 	timeout = (flags & MGMT_ADV_PARAM_TIMEOUT) ?
8888 		  __le16_to_cpu(cp->timeout) : 0;
8889 
8890 	duration = (flags & MGMT_ADV_PARAM_DURATION) ?
8891 		   __le16_to_cpu(cp->duration) :
8892 		   hdev->def_multi_adv_rotation_duration;
8893 
8894 	min_interval = (flags & MGMT_ADV_PARAM_INTERVALS) ?
8895 		       __le32_to_cpu(cp->min_interval) :
8896 		       hdev->le_adv_min_interval;
8897 
8898 	max_interval = (flags & MGMT_ADV_PARAM_INTERVALS) ?
8899 		       __le32_to_cpu(cp->max_interval) :
8900 		       hdev->le_adv_max_interval;
8901 
8902 	tx_power = (flags & MGMT_ADV_PARAM_TX_POWER) ?
8903 		   cp->tx_power :
8904 		   HCI_ADV_TX_POWER_NO_PREFERENCE;
8905 
8906 	/* Create advertising instance with no advertising or response data */
8907 	adv = hci_add_adv_instance(hdev, cp->instance, flags, 0, NULL, 0, NULL,
8908 				   timeout, duration, tx_power, min_interval,
8909 				   max_interval, 0);
8910 
8911 	if (IS_ERR(adv)) {
8912 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_PARAMS,
8913 				      MGMT_STATUS_FAILED);
8914 		goto unlock;
8915 	}
8916 
8917 	/* Submit request for advertising params if ext adv available */
8918 	if (ext_adv_capable(hdev)) {
8919 		cmd = mgmt_pending_new(sk, MGMT_OP_ADD_EXT_ADV_PARAMS, hdev,
8920 				       data, data_len);
8921 		if (!cmd) {
8922 			err = -ENOMEM;
8923 			hci_remove_adv_instance(hdev, cp->instance);
8924 			goto unlock;
8925 		}
8926 
8927 		err = hci_cmd_sync_queue(hdev, add_ext_adv_params_sync, cmd,
8928 					 add_ext_adv_params_complete);
8929 		if (err < 0)
8930 			mgmt_pending_free(cmd);
8931 	} else {
8932 		rp.instance = cp->instance;
8933 		rp.tx_power = HCI_ADV_TX_POWER_NO_PREFERENCE;
8934 		rp.max_adv_data_len = tlv_data_max_len(hdev, flags, true);
8935 		rp.max_scan_rsp_len = tlv_data_max_len(hdev, flags, false);
8936 		err = mgmt_cmd_complete(sk, hdev->id,
8937 					MGMT_OP_ADD_EXT_ADV_PARAMS,
8938 					MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
8939 	}
8940 
8941 unlock:
8942 	hci_dev_unlock(hdev);
8943 
8944 	return err;
8945 }
8946 
add_ext_adv_data_complete(struct hci_dev * hdev,void * data,int err)8947 static void add_ext_adv_data_complete(struct hci_dev *hdev, void *data, int err)
8948 {
8949 	struct mgmt_pending_cmd *cmd = data;
8950 	struct mgmt_cp_add_ext_adv_data *cp = cmd->param;
8951 	struct mgmt_rp_add_advertising rp;
8952 
8953 	add_adv_complete(hdev, cmd->sk, cp->instance, err);
8954 
8955 	memset(&rp, 0, sizeof(rp));
8956 
8957 	rp.instance = cp->instance;
8958 
8959 	if (err)
8960 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode,
8961 				mgmt_status(err));
8962 	else
8963 		mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
8964 				  mgmt_status(err), &rp, sizeof(rp));
8965 
8966 	mgmt_pending_free(cmd);
8967 }
8968 
add_ext_adv_data_sync(struct hci_dev * hdev,void * data)8969 static int add_ext_adv_data_sync(struct hci_dev *hdev, void *data)
8970 {
8971 	struct mgmt_pending_cmd *cmd = data;
8972 	struct mgmt_cp_add_ext_adv_data *cp = cmd->param;
8973 	int err;
8974 
8975 	if (ext_adv_capable(hdev)) {
8976 		err = hci_update_adv_data_sync(hdev, cp->instance);
8977 		if (err)
8978 			return err;
8979 
8980 		err = hci_update_scan_rsp_data_sync(hdev, cp->instance);
8981 		if (err)
8982 			return err;
8983 
8984 		return hci_enable_ext_advertising_sync(hdev, cp->instance);
8985 	}
8986 
8987 	return hci_schedule_adv_instance_sync(hdev, cp->instance, true);
8988 }
8989 
add_ext_adv_data(struct sock * sk,struct hci_dev * hdev,void * data,u16 data_len)8990 static int add_ext_adv_data(struct sock *sk, struct hci_dev *hdev, void *data,
8991 			    u16 data_len)
8992 {
8993 	struct mgmt_cp_add_ext_adv_data *cp = data;
8994 	struct mgmt_rp_add_ext_adv_data rp;
8995 	u8 schedule_instance = 0;
8996 	struct adv_info *next_instance;
8997 	struct adv_info *adv_instance;
8998 	int err = 0;
8999 	struct mgmt_pending_cmd *cmd;
9000 
9001 	BT_DBG("%s", hdev->name);
9002 
9003 	hci_dev_lock(hdev);
9004 
9005 	adv_instance = hci_find_adv_instance(hdev, cp->instance);
9006 
9007 	if (!adv_instance) {
9008 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
9009 				      MGMT_STATUS_INVALID_PARAMS);
9010 		goto unlock;
9011 	}
9012 
9013 	/* In new interface, we require that we are powered to register */
9014 	if (!hdev_is_powered(hdev)) {
9015 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
9016 				      MGMT_STATUS_REJECTED);
9017 		goto clear_new_instance;
9018 	}
9019 
9020 	if (adv_busy(hdev)) {
9021 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
9022 				      MGMT_STATUS_BUSY);
9023 		goto clear_new_instance;
9024 	}
9025 
9026 	/* Validate new data */
9027 	if (!tlv_data_is_valid(hdev, adv_instance->flags, cp->data,
9028 			       cp->adv_data_len, true) ||
9029 	    !tlv_data_is_valid(hdev, adv_instance->flags, cp->data +
9030 			       cp->adv_data_len, cp->scan_rsp_len, false)) {
9031 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
9032 				      MGMT_STATUS_INVALID_PARAMS);
9033 		goto clear_new_instance;
9034 	}
9035 
9036 	/* Set the data in the advertising instance */
9037 	hci_set_adv_instance_data(hdev, cp->instance, cp->adv_data_len,
9038 				  cp->data, cp->scan_rsp_len,
9039 				  cp->data + cp->adv_data_len);
9040 
9041 	/* If using software rotation, determine next instance to use */
9042 	if (hdev->cur_adv_instance == cp->instance) {
9043 		/* If the currently advertised instance is being changed
9044 		 * then cancel the current advertising and schedule the
9045 		 * next instance. If there is only one instance then the
9046 		 * overridden advertising data will be visible right
9047 		 * away
9048 		 */
9049 		cancel_adv_timeout(hdev);
9050 
9051 		next_instance = hci_get_next_instance(hdev, cp->instance);
9052 		if (next_instance)
9053 			schedule_instance = next_instance->instance;
9054 	} else if (!hdev->adv_instance_timeout) {
9055 		/* Immediately advertise the new instance if no other
9056 		 * instance is currently being advertised.
9057 		 */
9058 		schedule_instance = cp->instance;
9059 	}
9060 
9061 	/* If the HCI_ADVERTISING flag is set or there is no instance to
9062 	 * be advertised then we have no HCI communication to make.
9063 	 * Simply return.
9064 	 */
9065 	if (hci_dev_test_flag(hdev, HCI_ADVERTISING) || !schedule_instance) {
9066 		if (adv_instance->pending) {
9067 			mgmt_advertising_added(sk, hdev, cp->instance);
9068 			adv_instance->pending = false;
9069 		}
9070 		rp.instance = cp->instance;
9071 		err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
9072 					MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
9073 		goto unlock;
9074 	}
9075 
9076 	cmd = mgmt_pending_new(sk, MGMT_OP_ADD_EXT_ADV_DATA, hdev, data,
9077 			       data_len);
9078 	if (!cmd) {
9079 		err = -ENOMEM;
9080 		goto clear_new_instance;
9081 	}
9082 
9083 	err = hci_cmd_sync_queue(hdev, add_ext_adv_data_sync, cmd,
9084 				 add_ext_adv_data_complete);
9085 	if (err < 0) {
9086 		mgmt_pending_free(cmd);
9087 		goto clear_new_instance;
9088 	}
9089 
9090 	/* We were successful in updating data, so trigger advertising_added
9091 	 * event if this is an instance that wasn't previously advertising. If
9092 	 * a failure occurs in the requests we initiated, we will remove the
9093 	 * instance again in add_advertising_complete
9094 	 */
9095 	if (adv_instance->pending)
9096 		mgmt_advertising_added(sk, hdev, cp->instance);
9097 
9098 	goto unlock;
9099 
9100 clear_new_instance:
9101 	hci_remove_adv_instance(hdev, cp->instance);
9102 
9103 unlock:
9104 	hci_dev_unlock(hdev);
9105 
9106 	return err;
9107 }
9108 
remove_advertising_complete(struct hci_dev * hdev,void * data,int err)9109 static void remove_advertising_complete(struct hci_dev *hdev, void *data,
9110 					int err)
9111 {
9112 	struct mgmt_pending_cmd *cmd = data;
9113 	struct mgmt_cp_remove_advertising *cp = cmd->param;
9114 	struct mgmt_rp_remove_advertising rp;
9115 
9116 	bt_dev_dbg(hdev, "err %d", err);
9117 
9118 	memset(&rp, 0, sizeof(rp));
9119 	rp.instance = cp->instance;
9120 
9121 	if (err)
9122 		mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode,
9123 				mgmt_status(err));
9124 	else
9125 		mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
9126 				  MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
9127 
9128 	mgmt_pending_free(cmd);
9129 }
9130 
remove_advertising_sync(struct hci_dev * hdev,void * data)9131 static int remove_advertising_sync(struct hci_dev *hdev, void *data)
9132 {
9133 	struct mgmt_pending_cmd *cmd = data;
9134 	struct mgmt_cp_remove_advertising *cp = cmd->param;
9135 	int err;
9136 
9137 	err = hci_remove_advertising_sync(hdev, cmd->sk, cp->instance, true);
9138 	if (err)
9139 		return err;
9140 
9141 	if (list_empty(&hdev->adv_instances))
9142 		err = hci_disable_advertising_sync(hdev);
9143 
9144 	return err;
9145 }
9146 
remove_advertising(struct sock * sk,struct hci_dev * hdev,void * data,u16 data_len)9147 static int remove_advertising(struct sock *sk, struct hci_dev *hdev,
9148 			      void *data, u16 data_len)
9149 {
9150 	struct mgmt_cp_remove_advertising *cp = data;
9151 	struct mgmt_pending_cmd *cmd;
9152 	int err;
9153 
9154 	bt_dev_dbg(hdev, "sock %p", sk);
9155 
9156 	hci_dev_lock(hdev);
9157 
9158 	if (cp->instance && !hci_find_adv_instance(hdev, cp->instance)) {
9159 		err = mgmt_cmd_status(sk, hdev->id,
9160 				      MGMT_OP_REMOVE_ADVERTISING,
9161 				      MGMT_STATUS_INVALID_PARAMS);
9162 		goto unlock;
9163 	}
9164 
9165 	if (pending_find(MGMT_OP_SET_LE, hdev)) {
9166 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_ADVERTISING,
9167 				      MGMT_STATUS_BUSY);
9168 		goto unlock;
9169 	}
9170 
9171 	if (list_empty(&hdev->adv_instances)) {
9172 		err = mgmt_cmd_status(sk, hdev->id, MGMT_OP_REMOVE_ADVERTISING,
9173 				      MGMT_STATUS_INVALID_PARAMS);
9174 		goto unlock;
9175 	}
9176 
9177 	cmd = mgmt_pending_new(sk, MGMT_OP_REMOVE_ADVERTISING, hdev, data,
9178 			       data_len);
9179 	if (!cmd) {
9180 		err = -ENOMEM;
9181 		goto unlock;
9182 	}
9183 
9184 	err = hci_cmd_sync_queue(hdev, remove_advertising_sync, cmd,
9185 				 remove_advertising_complete);
9186 	if (err < 0)
9187 		mgmt_pending_free(cmd);
9188 
9189 unlock:
9190 	hci_dev_unlock(hdev);
9191 
9192 	return err;
9193 }
9194 
get_adv_size_info(struct sock * sk,struct hci_dev * hdev,void * data,u16 data_len)9195 static int get_adv_size_info(struct sock *sk, struct hci_dev *hdev,
9196 			     void *data, u16 data_len)
9197 {
9198 	struct mgmt_cp_get_adv_size_info *cp = data;
9199 	struct mgmt_rp_get_adv_size_info rp;
9200 	u32 flags, supported_flags;
9201 
9202 	bt_dev_dbg(hdev, "sock %p", sk);
9203 
9204 	if (!lmp_le_capable(hdev))
9205 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_GET_ADV_SIZE_INFO,
9206 				       MGMT_STATUS_REJECTED);
9207 
9208 	if (cp->instance < 1 || cp->instance > hdev->le_num_of_adv_sets)
9209 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_GET_ADV_SIZE_INFO,
9210 				       MGMT_STATUS_INVALID_PARAMS);
9211 
9212 	flags = __le32_to_cpu(cp->flags);
9213 
9214 	/* The current implementation only supports a subset of the specified
9215 	 * flags.
9216 	 */
9217 	supported_flags = get_supported_adv_flags(hdev);
9218 	if (flags & ~supported_flags)
9219 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_GET_ADV_SIZE_INFO,
9220 				       MGMT_STATUS_INVALID_PARAMS);
9221 
9222 	rp.instance = cp->instance;
9223 	rp.flags = cp->flags;
9224 	rp.max_adv_data_len = tlv_data_max_len(hdev, flags, true);
9225 	rp.max_scan_rsp_len = tlv_data_max_len(hdev, flags, false);
9226 
9227 	return mgmt_cmd_complete(sk, hdev->id, MGMT_OP_GET_ADV_SIZE_INFO,
9228 				 MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
9229 }
9230 
9231 static const struct hci_mgmt_handler mgmt_handlers[] = {
9232 	{ NULL }, /* 0x0000 (no command) */
9233 	{ read_version,            MGMT_READ_VERSION_SIZE,
9234 						HCI_MGMT_NO_HDEV |
9235 						HCI_MGMT_UNTRUSTED },
9236 	{ read_commands,           MGMT_READ_COMMANDS_SIZE,
9237 						HCI_MGMT_NO_HDEV |
9238 						HCI_MGMT_UNTRUSTED },
9239 	{ read_index_list,         MGMT_READ_INDEX_LIST_SIZE,
9240 						HCI_MGMT_NO_HDEV |
9241 						HCI_MGMT_UNTRUSTED },
9242 	{ read_controller_info,    MGMT_READ_INFO_SIZE,
9243 						HCI_MGMT_UNTRUSTED },
9244 	{ set_powered,             MGMT_SETTING_SIZE },
9245 	{ set_discoverable,        MGMT_SET_DISCOVERABLE_SIZE },
9246 	{ set_connectable,         MGMT_SETTING_SIZE },
9247 	{ set_fast_connectable,    MGMT_SETTING_SIZE },
9248 	{ set_bondable,            MGMT_SETTING_SIZE },
9249 	{ set_link_security,       MGMT_SETTING_SIZE },
9250 	{ set_ssp,                 MGMT_SETTING_SIZE },
9251 	{ set_hs,                  MGMT_SETTING_SIZE },
9252 	{ set_le,                  MGMT_SETTING_SIZE },
9253 	{ set_dev_class,           MGMT_SET_DEV_CLASS_SIZE },
9254 	{ set_local_name,          MGMT_SET_LOCAL_NAME_SIZE },
9255 	{ add_uuid,                MGMT_ADD_UUID_SIZE },
9256 	{ remove_uuid,             MGMT_REMOVE_UUID_SIZE },
9257 	{ load_link_keys,          MGMT_LOAD_LINK_KEYS_SIZE,
9258 						HCI_MGMT_VAR_LEN },
9259 	{ load_long_term_keys,     MGMT_LOAD_LONG_TERM_KEYS_SIZE,
9260 						HCI_MGMT_VAR_LEN },
9261 	{ disconnect,              MGMT_DISCONNECT_SIZE },
9262 	{ get_connections,         MGMT_GET_CONNECTIONS_SIZE },
9263 	{ pin_code_reply,          MGMT_PIN_CODE_REPLY_SIZE },
9264 	{ pin_code_neg_reply,      MGMT_PIN_CODE_NEG_REPLY_SIZE },
9265 	{ set_io_capability,       MGMT_SET_IO_CAPABILITY_SIZE },
9266 	{ pair_device,             MGMT_PAIR_DEVICE_SIZE },
9267 	{ cancel_pair_device,      MGMT_CANCEL_PAIR_DEVICE_SIZE },
9268 	{ unpair_device,           MGMT_UNPAIR_DEVICE_SIZE },
9269 	{ user_confirm_reply,      MGMT_USER_CONFIRM_REPLY_SIZE },
9270 	{ user_confirm_neg_reply,  MGMT_USER_CONFIRM_NEG_REPLY_SIZE },
9271 	{ user_passkey_reply,      MGMT_USER_PASSKEY_REPLY_SIZE },
9272 	{ user_passkey_neg_reply,  MGMT_USER_PASSKEY_NEG_REPLY_SIZE },
9273 	{ read_local_oob_data,     MGMT_READ_LOCAL_OOB_DATA_SIZE },
9274 	{ add_remote_oob_data,     MGMT_ADD_REMOTE_OOB_DATA_SIZE,
9275 						HCI_MGMT_VAR_LEN },
9276 	{ remove_remote_oob_data,  MGMT_REMOVE_REMOTE_OOB_DATA_SIZE },
9277 	{ start_discovery,         MGMT_START_DISCOVERY_SIZE },
9278 	{ stop_discovery,          MGMT_STOP_DISCOVERY_SIZE },
9279 	{ confirm_name,            MGMT_CONFIRM_NAME_SIZE },
9280 	{ block_device,            MGMT_BLOCK_DEVICE_SIZE },
9281 	{ unblock_device,          MGMT_UNBLOCK_DEVICE_SIZE },
9282 	{ set_device_id,           MGMT_SET_DEVICE_ID_SIZE },
9283 	{ set_advertising,         MGMT_SETTING_SIZE },
9284 	{ set_bredr,               MGMT_SETTING_SIZE },
9285 	{ set_static_address,      MGMT_SET_STATIC_ADDRESS_SIZE },
9286 	{ set_scan_params,         MGMT_SET_SCAN_PARAMS_SIZE },
9287 	{ set_secure_conn,         MGMT_SETTING_SIZE },
9288 	{ set_debug_keys,          MGMT_SETTING_SIZE },
9289 	{ set_privacy,             MGMT_SET_PRIVACY_SIZE },
9290 	{ load_irks,               MGMT_LOAD_IRKS_SIZE,
9291 						HCI_MGMT_VAR_LEN },
9292 	{ get_conn_info,           MGMT_GET_CONN_INFO_SIZE },
9293 	{ get_clock_info,          MGMT_GET_CLOCK_INFO_SIZE },
9294 	{ add_device,              MGMT_ADD_DEVICE_SIZE },
9295 	{ remove_device,           MGMT_REMOVE_DEVICE_SIZE },
9296 	{ load_conn_param,         MGMT_LOAD_CONN_PARAM_SIZE,
9297 						HCI_MGMT_VAR_LEN },
9298 	{ read_unconf_index_list,  MGMT_READ_UNCONF_INDEX_LIST_SIZE,
9299 						HCI_MGMT_NO_HDEV |
9300 						HCI_MGMT_UNTRUSTED },
9301 	{ read_config_info,        MGMT_READ_CONFIG_INFO_SIZE,
9302 						HCI_MGMT_UNCONFIGURED |
9303 						HCI_MGMT_UNTRUSTED },
9304 	{ set_external_config,     MGMT_SET_EXTERNAL_CONFIG_SIZE,
9305 						HCI_MGMT_UNCONFIGURED },
9306 	{ set_public_address,      MGMT_SET_PUBLIC_ADDRESS_SIZE,
9307 						HCI_MGMT_UNCONFIGURED },
9308 	{ start_service_discovery, MGMT_START_SERVICE_DISCOVERY_SIZE,
9309 						HCI_MGMT_VAR_LEN },
9310 	{ read_local_oob_ext_data, MGMT_READ_LOCAL_OOB_EXT_DATA_SIZE },
9311 	{ read_ext_index_list,     MGMT_READ_EXT_INDEX_LIST_SIZE,
9312 						HCI_MGMT_NO_HDEV |
9313 						HCI_MGMT_UNTRUSTED },
9314 	{ read_adv_features,       MGMT_READ_ADV_FEATURES_SIZE },
9315 	{ add_advertising,	   MGMT_ADD_ADVERTISING_SIZE,
9316 						HCI_MGMT_VAR_LEN },
9317 	{ remove_advertising,	   MGMT_REMOVE_ADVERTISING_SIZE },
9318 	{ get_adv_size_info,       MGMT_GET_ADV_SIZE_INFO_SIZE },
9319 	{ start_limited_discovery, MGMT_START_DISCOVERY_SIZE },
9320 	{ read_ext_controller_info,MGMT_READ_EXT_INFO_SIZE,
9321 						HCI_MGMT_UNTRUSTED },
9322 	{ set_appearance,	   MGMT_SET_APPEARANCE_SIZE },
9323 	{ get_phy_configuration,   MGMT_GET_PHY_CONFIGURATION_SIZE },
9324 	{ set_phy_configuration,   MGMT_SET_PHY_CONFIGURATION_SIZE },
9325 	{ set_blocked_keys,	   MGMT_OP_SET_BLOCKED_KEYS_SIZE,
9326 						HCI_MGMT_VAR_LEN },
9327 	{ set_wideband_speech,	   MGMT_SETTING_SIZE },
9328 	{ read_controller_cap,     MGMT_READ_CONTROLLER_CAP_SIZE,
9329 						HCI_MGMT_UNTRUSTED },
9330 	{ read_exp_features_info,  MGMT_READ_EXP_FEATURES_INFO_SIZE,
9331 						HCI_MGMT_UNTRUSTED |
9332 						HCI_MGMT_HDEV_OPTIONAL },
9333 	{ set_exp_feature,         MGMT_SET_EXP_FEATURE_SIZE,
9334 						HCI_MGMT_VAR_LEN |
9335 						HCI_MGMT_HDEV_OPTIONAL },
9336 	{ read_def_system_config,  MGMT_READ_DEF_SYSTEM_CONFIG_SIZE,
9337 						HCI_MGMT_UNTRUSTED },
9338 	{ set_def_system_config,   MGMT_SET_DEF_SYSTEM_CONFIG_SIZE,
9339 						HCI_MGMT_VAR_LEN },
9340 	{ read_def_runtime_config, MGMT_READ_DEF_RUNTIME_CONFIG_SIZE,
9341 						HCI_MGMT_UNTRUSTED },
9342 	{ set_def_runtime_config,  MGMT_SET_DEF_RUNTIME_CONFIG_SIZE,
9343 						HCI_MGMT_VAR_LEN },
9344 	{ get_device_flags,        MGMT_GET_DEVICE_FLAGS_SIZE },
9345 	{ set_device_flags,        MGMT_SET_DEVICE_FLAGS_SIZE },
9346 	{ read_adv_mon_features,   MGMT_READ_ADV_MONITOR_FEATURES_SIZE },
9347 	{ add_adv_patterns_monitor,MGMT_ADD_ADV_PATTERNS_MONITOR_SIZE,
9348 						HCI_MGMT_VAR_LEN },
9349 	{ remove_adv_monitor,      MGMT_REMOVE_ADV_MONITOR_SIZE },
9350 	{ add_ext_adv_params,      MGMT_ADD_EXT_ADV_PARAMS_MIN_SIZE,
9351 						HCI_MGMT_VAR_LEN },
9352 	{ add_ext_adv_data,        MGMT_ADD_EXT_ADV_DATA_SIZE,
9353 						HCI_MGMT_VAR_LEN },
9354 	{ add_adv_patterns_monitor_rssi,
9355 				   MGMT_ADD_ADV_PATTERNS_MONITOR_RSSI_SIZE },
9356 	{ set_mesh,                MGMT_SET_MESH_RECEIVER_SIZE,
9357 						HCI_MGMT_VAR_LEN },
9358 	{ mesh_features,           MGMT_MESH_READ_FEATURES_SIZE },
9359 	{ mesh_send,               MGMT_MESH_SEND_SIZE,
9360 						HCI_MGMT_VAR_LEN },
9361 	{ mesh_send_cancel,        MGMT_MESH_SEND_CANCEL_SIZE },
9362 };
9363 
mgmt_index_added(struct hci_dev * hdev)9364 void mgmt_index_added(struct hci_dev *hdev)
9365 {
9366 	struct mgmt_ev_ext_index ev;
9367 
9368 	if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
9369 		return;
9370 
9371 	switch (hdev->dev_type) {
9372 	case HCI_PRIMARY:
9373 		if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
9374 			mgmt_index_event(MGMT_EV_UNCONF_INDEX_ADDED, hdev,
9375 					 NULL, 0, HCI_MGMT_UNCONF_INDEX_EVENTS);
9376 			ev.type = 0x01;
9377 		} else {
9378 			mgmt_index_event(MGMT_EV_INDEX_ADDED, hdev, NULL, 0,
9379 					 HCI_MGMT_INDEX_EVENTS);
9380 			ev.type = 0x00;
9381 		}
9382 		break;
9383 	case HCI_AMP:
9384 		ev.type = 0x02;
9385 		break;
9386 	default:
9387 		return;
9388 	}
9389 
9390 	ev.bus = hdev->bus;
9391 
9392 	mgmt_index_event(MGMT_EV_EXT_INDEX_ADDED, hdev, &ev, sizeof(ev),
9393 			 HCI_MGMT_EXT_INDEX_EVENTS);
9394 }
9395 
mgmt_index_removed(struct hci_dev * hdev)9396 void mgmt_index_removed(struct hci_dev *hdev)
9397 {
9398 	struct mgmt_ev_ext_index ev;
9399 	u8 status = MGMT_STATUS_INVALID_INDEX;
9400 
9401 	if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
9402 		return;
9403 
9404 	switch (hdev->dev_type) {
9405 	case HCI_PRIMARY:
9406 		mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &status);
9407 
9408 		if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
9409 			mgmt_index_event(MGMT_EV_UNCONF_INDEX_REMOVED, hdev,
9410 					 NULL, 0, HCI_MGMT_UNCONF_INDEX_EVENTS);
9411 			ev.type = 0x01;
9412 		} else {
9413 			mgmt_index_event(MGMT_EV_INDEX_REMOVED, hdev, NULL, 0,
9414 					 HCI_MGMT_INDEX_EVENTS);
9415 			ev.type = 0x00;
9416 		}
9417 		break;
9418 	case HCI_AMP:
9419 		ev.type = 0x02;
9420 		break;
9421 	default:
9422 		return;
9423 	}
9424 
9425 	ev.bus = hdev->bus;
9426 
9427 	mgmt_index_event(MGMT_EV_EXT_INDEX_REMOVED, hdev, &ev, sizeof(ev),
9428 			 HCI_MGMT_EXT_INDEX_EVENTS);
9429 
9430 	/* Cancel any remaining timed work */
9431 	if (!hci_dev_test_flag(hdev, HCI_MGMT))
9432 		return;
9433 	cancel_delayed_work_sync(&hdev->discov_off);
9434 	cancel_delayed_work_sync(&hdev->service_cache);
9435 	cancel_delayed_work_sync(&hdev->rpa_expired);
9436 }
9437 
mgmt_power_on(struct hci_dev * hdev,int err)9438 void mgmt_power_on(struct hci_dev *hdev, int err)
9439 {
9440 	struct cmd_lookup match = { NULL, hdev };
9441 
9442 	bt_dev_dbg(hdev, "err %d", err);
9443 
9444 	hci_dev_lock(hdev);
9445 
9446 	if (!err) {
9447 		restart_le_actions(hdev);
9448 		hci_update_passive_scan(hdev);
9449 	}
9450 
9451 	mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp, &match);
9452 
9453 	new_settings(hdev, match.sk);
9454 
9455 	if (match.sk)
9456 		sock_put(match.sk);
9457 
9458 	hci_dev_unlock(hdev);
9459 }
9460 
__mgmt_power_off(struct hci_dev * hdev)9461 void __mgmt_power_off(struct hci_dev *hdev)
9462 {
9463 	struct cmd_lookup match = { NULL, hdev };
9464 	u8 status, zero_cod[] = { 0, 0, 0 };
9465 
9466 	mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp, &match);
9467 
9468 	/* If the power off is because of hdev unregistration let
9469 	 * use the appropriate INVALID_INDEX status. Otherwise use
9470 	 * NOT_POWERED. We cover both scenarios here since later in
9471 	 * mgmt_index_removed() any hci_conn callbacks will have already
9472 	 * been triggered, potentially causing misleading DISCONNECTED
9473 	 * status responses.
9474 	 */
9475 	if (hci_dev_test_flag(hdev, HCI_UNREGISTER))
9476 		status = MGMT_STATUS_INVALID_INDEX;
9477 	else
9478 		status = MGMT_STATUS_NOT_POWERED;
9479 
9480 	mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &status);
9481 
9482 	if (memcmp(hdev->dev_class, zero_cod, sizeof(zero_cod)) != 0) {
9483 		mgmt_limited_event(MGMT_EV_CLASS_OF_DEV_CHANGED, hdev,
9484 				   zero_cod, sizeof(zero_cod),
9485 				   HCI_MGMT_DEV_CLASS_EVENTS, NULL);
9486 		ext_info_changed(hdev, NULL);
9487 	}
9488 
9489 	new_settings(hdev, match.sk);
9490 
9491 	if (match.sk)
9492 		sock_put(match.sk);
9493 }
9494 
mgmt_set_powered_failed(struct hci_dev * hdev,int err)9495 void mgmt_set_powered_failed(struct hci_dev *hdev, int err)
9496 {
9497 	struct mgmt_pending_cmd *cmd;
9498 	u8 status;
9499 
9500 	cmd = pending_find(MGMT_OP_SET_POWERED, hdev);
9501 	if (!cmd)
9502 		return;
9503 
9504 	if (err == -ERFKILL)
9505 		status = MGMT_STATUS_RFKILLED;
9506 	else
9507 		status = MGMT_STATUS_FAILED;
9508 
9509 	mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_POWERED, status);
9510 
9511 	mgmt_pending_remove(cmd);
9512 }
9513 
mgmt_new_link_key(struct hci_dev * hdev,struct link_key * key,bool persistent)9514 void mgmt_new_link_key(struct hci_dev *hdev, struct link_key *key,
9515 		       bool persistent)
9516 {
9517 	struct mgmt_ev_new_link_key ev;
9518 
9519 	memset(&ev, 0, sizeof(ev));
9520 
9521 	ev.store_hint = persistent;
9522 	bacpy(&ev.key.addr.bdaddr, &key->bdaddr);
9523 	ev.key.addr.type = BDADDR_BREDR;
9524 	ev.key.type = key->type;
9525 	memcpy(ev.key.val, key->val, HCI_LINK_KEY_SIZE);
9526 	ev.key.pin_len = key->pin_len;
9527 
9528 	mgmt_event(MGMT_EV_NEW_LINK_KEY, hdev, &ev, sizeof(ev), NULL);
9529 }
9530 
mgmt_ltk_type(struct smp_ltk * ltk)9531 static u8 mgmt_ltk_type(struct smp_ltk *ltk)
9532 {
9533 	switch (ltk->type) {
9534 	case SMP_LTK:
9535 	case SMP_LTK_RESPONDER:
9536 		if (ltk->authenticated)
9537 			return MGMT_LTK_AUTHENTICATED;
9538 		return MGMT_LTK_UNAUTHENTICATED;
9539 	case SMP_LTK_P256:
9540 		if (ltk->authenticated)
9541 			return MGMT_LTK_P256_AUTH;
9542 		return MGMT_LTK_P256_UNAUTH;
9543 	case SMP_LTK_P256_DEBUG:
9544 		return MGMT_LTK_P256_DEBUG;
9545 	}
9546 
9547 	return MGMT_LTK_UNAUTHENTICATED;
9548 }
9549 
mgmt_new_ltk(struct hci_dev * hdev,struct smp_ltk * key,bool persistent)9550 void mgmt_new_ltk(struct hci_dev *hdev, struct smp_ltk *key, bool persistent)
9551 {
9552 	struct mgmt_ev_new_long_term_key ev;
9553 
9554 	memset(&ev, 0, sizeof(ev));
9555 
9556 	/* Devices using resolvable or non-resolvable random addresses
9557 	 * without providing an identity resolving key don't require
9558 	 * to store long term keys. Their addresses will change the
9559 	 * next time around.
9560 	 *
9561 	 * Only when a remote device provides an identity address
9562 	 * make sure the long term key is stored. If the remote
9563 	 * identity is known, the long term keys are internally
9564 	 * mapped to the identity address. So allow static random
9565 	 * and public addresses here.
9566 	 */
9567 	if (key->bdaddr_type == ADDR_LE_DEV_RANDOM &&
9568 	    (key->bdaddr.b[5] & 0xc0) != 0xc0)
9569 		ev.store_hint = 0x00;
9570 	else
9571 		ev.store_hint = persistent;
9572 
9573 	bacpy(&ev.key.addr.bdaddr, &key->bdaddr);
9574 	ev.key.addr.type = link_to_bdaddr(LE_LINK, key->bdaddr_type);
9575 	ev.key.type = mgmt_ltk_type(key);
9576 	ev.key.enc_size = key->enc_size;
9577 	ev.key.ediv = key->ediv;
9578 	ev.key.rand = key->rand;
9579 
9580 	if (key->type == SMP_LTK)
9581 		ev.key.initiator = 1;
9582 
9583 	/* Make sure we copy only the significant bytes based on the
9584 	 * encryption key size, and set the rest of the value to zeroes.
9585 	 */
9586 	memcpy(ev.key.val, key->val, key->enc_size);
9587 	memset(ev.key.val + key->enc_size, 0,
9588 	       sizeof(ev.key.val) - key->enc_size);
9589 
9590 	mgmt_event(MGMT_EV_NEW_LONG_TERM_KEY, hdev, &ev, sizeof(ev), NULL);
9591 }
9592 
mgmt_new_irk(struct hci_dev * hdev,struct smp_irk * irk,bool persistent)9593 void mgmt_new_irk(struct hci_dev *hdev, struct smp_irk *irk, bool persistent)
9594 {
9595 	struct mgmt_ev_new_irk ev;
9596 
9597 	memset(&ev, 0, sizeof(ev));
9598 
9599 	ev.store_hint = persistent;
9600 
9601 	bacpy(&ev.rpa, &irk->rpa);
9602 	bacpy(&ev.irk.addr.bdaddr, &irk->bdaddr);
9603 	ev.irk.addr.type = link_to_bdaddr(LE_LINK, irk->addr_type);
9604 	memcpy(ev.irk.val, irk->val, sizeof(irk->val));
9605 
9606 	mgmt_event(MGMT_EV_NEW_IRK, hdev, &ev, sizeof(ev), NULL);
9607 }
9608 
mgmt_new_csrk(struct hci_dev * hdev,struct smp_csrk * csrk,bool persistent)9609 void mgmt_new_csrk(struct hci_dev *hdev, struct smp_csrk *csrk,
9610 		   bool persistent)
9611 {
9612 	struct mgmt_ev_new_csrk ev;
9613 
9614 	memset(&ev, 0, sizeof(ev));
9615 
9616 	/* Devices using resolvable or non-resolvable random addresses
9617 	 * without providing an identity resolving key don't require
9618 	 * to store signature resolving keys. Their addresses will change
9619 	 * the next time around.
9620 	 *
9621 	 * Only when a remote device provides an identity address
9622 	 * make sure the signature resolving key is stored. So allow
9623 	 * static random and public addresses here.
9624 	 */
9625 	if (csrk->bdaddr_type == ADDR_LE_DEV_RANDOM &&
9626 	    (csrk->bdaddr.b[5] & 0xc0) != 0xc0)
9627 		ev.store_hint = 0x00;
9628 	else
9629 		ev.store_hint = persistent;
9630 
9631 	bacpy(&ev.key.addr.bdaddr, &csrk->bdaddr);
9632 	ev.key.addr.type = link_to_bdaddr(LE_LINK, csrk->bdaddr_type);
9633 	ev.key.type = csrk->type;
9634 	memcpy(ev.key.val, csrk->val, sizeof(csrk->val));
9635 
9636 	mgmt_event(MGMT_EV_NEW_CSRK, hdev, &ev, sizeof(ev), NULL);
9637 }
9638 
mgmt_new_conn_param(struct hci_dev * hdev,bdaddr_t * bdaddr,u8 bdaddr_type,u8 store_hint,u16 min_interval,u16 max_interval,u16 latency,u16 timeout)9639 void mgmt_new_conn_param(struct hci_dev *hdev, bdaddr_t *bdaddr,
9640 			 u8 bdaddr_type, u8 store_hint, u16 min_interval,
9641 			 u16 max_interval, u16 latency, u16 timeout)
9642 {
9643 	struct mgmt_ev_new_conn_param ev;
9644 
9645 	if (!hci_is_identity_address(bdaddr, bdaddr_type))
9646 		return;
9647 
9648 	memset(&ev, 0, sizeof(ev));
9649 	bacpy(&ev.addr.bdaddr, bdaddr);
9650 	ev.addr.type = link_to_bdaddr(LE_LINK, bdaddr_type);
9651 	ev.store_hint = store_hint;
9652 	ev.min_interval = cpu_to_le16(min_interval);
9653 	ev.max_interval = cpu_to_le16(max_interval);
9654 	ev.latency = cpu_to_le16(latency);
9655 	ev.timeout = cpu_to_le16(timeout);
9656 
9657 	mgmt_event(MGMT_EV_NEW_CONN_PARAM, hdev, &ev, sizeof(ev), NULL);
9658 }
9659 
mgmt_device_connected(struct hci_dev * hdev,struct hci_conn * conn,u8 * name,u8 name_len)9660 void mgmt_device_connected(struct hci_dev *hdev, struct hci_conn *conn,
9661 			   u8 *name, u8 name_len)
9662 {
9663 	struct sk_buff *skb;
9664 	struct mgmt_ev_device_connected *ev;
9665 	u16 eir_len = 0;
9666 	u32 flags = 0;
9667 
9668 	/* allocate buff for LE or BR/EDR adv */
9669 	if (conn->le_adv_data_len > 0)
9670 		skb = mgmt_alloc_skb(hdev, MGMT_EV_DEVICE_CONNECTED,
9671 				     sizeof(*ev) + conn->le_adv_data_len);
9672 	else
9673 		skb = mgmt_alloc_skb(hdev, MGMT_EV_DEVICE_CONNECTED,
9674 				     sizeof(*ev) + (name ? eir_precalc_len(name_len) : 0) +
9675 				     eir_precalc_len(sizeof(conn->dev_class)));
9676 
9677 	ev = skb_put(skb, sizeof(*ev));
9678 	bacpy(&ev->addr.bdaddr, &conn->dst);
9679 	ev->addr.type = link_to_bdaddr(conn->type, conn->dst_type);
9680 
9681 	if (conn->out)
9682 		flags |= MGMT_DEV_FOUND_INITIATED_CONN;
9683 
9684 	ev->flags = __cpu_to_le32(flags);
9685 
9686 	/* We must ensure that the EIR Data fields are ordered and
9687 	 * unique. Keep it simple for now and avoid the problem by not
9688 	 * adding any BR/EDR data to the LE adv.
9689 	 */
9690 	if (conn->le_adv_data_len > 0) {
9691 		skb_put_data(skb, conn->le_adv_data, conn->le_adv_data_len);
9692 		eir_len = conn->le_adv_data_len;
9693 	} else {
9694 		if (name)
9695 			eir_len += eir_skb_put_data(skb, EIR_NAME_COMPLETE, name, name_len);
9696 
9697 		if (memcmp(conn->dev_class, "\0\0\0", sizeof(conn->dev_class)))
9698 			eir_len += eir_skb_put_data(skb, EIR_CLASS_OF_DEV,
9699 						    conn->dev_class, sizeof(conn->dev_class));
9700 	}
9701 
9702 	ev->eir_len = cpu_to_le16(eir_len);
9703 
9704 	mgmt_event_skb(skb, NULL);
9705 }
9706 
disconnect_rsp(struct mgmt_pending_cmd * cmd,void * data)9707 static void disconnect_rsp(struct mgmt_pending_cmd *cmd, void *data)
9708 {
9709 	struct sock **sk = data;
9710 
9711 	cmd->cmd_complete(cmd, 0);
9712 
9713 	*sk = cmd->sk;
9714 	sock_hold(*sk);
9715 
9716 	mgmt_pending_remove(cmd);
9717 }
9718 
unpair_device_rsp(struct mgmt_pending_cmd * cmd,void * data)9719 static void unpair_device_rsp(struct mgmt_pending_cmd *cmd, void *data)
9720 {
9721 	struct hci_dev *hdev = data;
9722 	struct mgmt_cp_unpair_device *cp = cmd->param;
9723 
9724 	device_unpaired(hdev, &cp->addr.bdaddr, cp->addr.type, cmd->sk);
9725 
9726 	cmd->cmd_complete(cmd, 0);
9727 	mgmt_pending_remove(cmd);
9728 }
9729 
mgmt_powering_down(struct hci_dev * hdev)9730 bool mgmt_powering_down(struct hci_dev *hdev)
9731 {
9732 	struct mgmt_pending_cmd *cmd;
9733 	struct mgmt_mode *cp;
9734 
9735 	cmd = pending_find(MGMT_OP_SET_POWERED, hdev);
9736 	if (!cmd)
9737 		return false;
9738 
9739 	cp = cmd->param;
9740 	if (!cp->val)
9741 		return true;
9742 
9743 	return false;
9744 }
9745 
mgmt_device_disconnected(struct hci_dev * hdev,bdaddr_t * bdaddr,u8 link_type,u8 addr_type,u8 reason,bool mgmt_connected)9746 void mgmt_device_disconnected(struct hci_dev *hdev, bdaddr_t *bdaddr,
9747 			      u8 link_type, u8 addr_type, u8 reason,
9748 			      bool mgmt_connected)
9749 {
9750 	struct mgmt_ev_device_disconnected ev;
9751 	struct sock *sk = NULL;
9752 
9753 	/* The connection is still in hci_conn_hash so test for 1
9754 	 * instead of 0 to know if this is the last one.
9755 	 */
9756 	if (mgmt_powering_down(hdev) && hci_conn_count(hdev) == 1) {
9757 		cancel_delayed_work(&hdev->power_off);
9758 		queue_work(hdev->req_workqueue, &hdev->power_off.work);
9759 	}
9760 
9761 	if (!mgmt_connected)
9762 		return;
9763 
9764 	if (link_type != ACL_LINK && link_type != LE_LINK)
9765 		return;
9766 
9767 	mgmt_pending_foreach(MGMT_OP_DISCONNECT, hdev, disconnect_rsp, &sk);
9768 
9769 	bacpy(&ev.addr.bdaddr, bdaddr);
9770 	ev.addr.type = link_to_bdaddr(link_type, addr_type);
9771 	ev.reason = reason;
9772 
9773 	/* Report disconnects due to suspend */
9774 	if (hdev->suspended)
9775 		ev.reason = MGMT_DEV_DISCONN_LOCAL_HOST_SUSPEND;
9776 
9777 	mgmt_event(MGMT_EV_DEVICE_DISCONNECTED, hdev, &ev, sizeof(ev), sk);
9778 
9779 	if (sk)
9780 		sock_put(sk);
9781 
9782 	mgmt_pending_foreach(MGMT_OP_UNPAIR_DEVICE, hdev, unpair_device_rsp,
9783 			     hdev);
9784 }
9785 
mgmt_disconnect_failed(struct hci_dev * hdev,bdaddr_t * bdaddr,u8 link_type,u8 addr_type,u8 status)9786 void mgmt_disconnect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr,
9787 			    u8 link_type, u8 addr_type, u8 status)
9788 {
9789 	u8 bdaddr_type = link_to_bdaddr(link_type, addr_type);
9790 	struct mgmt_cp_disconnect *cp;
9791 	struct mgmt_pending_cmd *cmd;
9792 
9793 	mgmt_pending_foreach(MGMT_OP_UNPAIR_DEVICE, hdev, unpair_device_rsp,
9794 			     hdev);
9795 
9796 	cmd = pending_find(MGMT_OP_DISCONNECT, hdev);
9797 	if (!cmd)
9798 		return;
9799 
9800 	cp = cmd->param;
9801 
9802 	if (bacmp(bdaddr, &cp->addr.bdaddr))
9803 		return;
9804 
9805 	if (cp->addr.type != bdaddr_type)
9806 		return;
9807 
9808 	cmd->cmd_complete(cmd, mgmt_status(status));
9809 	mgmt_pending_remove(cmd);
9810 }
9811 
mgmt_connect_failed(struct hci_dev * hdev,bdaddr_t * bdaddr,u8 link_type,u8 addr_type,u8 status)9812 void mgmt_connect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
9813 			 u8 addr_type, u8 status)
9814 {
9815 	struct mgmt_ev_connect_failed ev;
9816 
9817 	/* The connection is still in hci_conn_hash so test for 1
9818 	 * instead of 0 to know if this is the last one.
9819 	 */
9820 	if (mgmt_powering_down(hdev) && hci_conn_count(hdev) == 1) {
9821 		cancel_delayed_work(&hdev->power_off);
9822 		queue_work(hdev->req_workqueue, &hdev->power_off.work);
9823 	}
9824 
9825 	bacpy(&ev.addr.bdaddr, bdaddr);
9826 	ev.addr.type = link_to_bdaddr(link_type, addr_type);
9827 	ev.status = mgmt_status(status);
9828 
9829 	mgmt_event(MGMT_EV_CONNECT_FAILED, hdev, &ev, sizeof(ev), NULL);
9830 }
9831 
mgmt_pin_code_request(struct hci_dev * hdev,bdaddr_t * bdaddr,u8 secure)9832 void mgmt_pin_code_request(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 secure)
9833 {
9834 	struct mgmt_ev_pin_code_request ev;
9835 
9836 	bacpy(&ev.addr.bdaddr, bdaddr);
9837 	ev.addr.type = BDADDR_BREDR;
9838 	ev.secure = secure;
9839 
9840 	mgmt_event(MGMT_EV_PIN_CODE_REQUEST, hdev, &ev, sizeof(ev), NULL);
9841 }
9842 
mgmt_pin_code_reply_complete(struct hci_dev * hdev,bdaddr_t * bdaddr,u8 status)9843 void mgmt_pin_code_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9844 				  u8 status)
9845 {
9846 	struct mgmt_pending_cmd *cmd;
9847 
9848 	cmd = pending_find(MGMT_OP_PIN_CODE_REPLY, hdev);
9849 	if (!cmd)
9850 		return;
9851 
9852 	cmd->cmd_complete(cmd, mgmt_status(status));
9853 	mgmt_pending_remove(cmd);
9854 }
9855 
mgmt_pin_code_neg_reply_complete(struct hci_dev * hdev,bdaddr_t * bdaddr,u8 status)9856 void mgmt_pin_code_neg_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9857 				      u8 status)
9858 {
9859 	struct mgmt_pending_cmd *cmd;
9860 
9861 	cmd = pending_find(MGMT_OP_PIN_CODE_NEG_REPLY, hdev);
9862 	if (!cmd)
9863 		return;
9864 
9865 	cmd->cmd_complete(cmd, mgmt_status(status));
9866 	mgmt_pending_remove(cmd);
9867 }
9868 
mgmt_user_confirm_request(struct hci_dev * hdev,bdaddr_t * bdaddr,u8 link_type,u8 addr_type,u32 value,u8 confirm_hint)9869 int mgmt_user_confirm_request(struct hci_dev *hdev, bdaddr_t *bdaddr,
9870 			      u8 link_type, u8 addr_type, u32 value,
9871 			      u8 confirm_hint)
9872 {
9873 	struct mgmt_ev_user_confirm_request ev;
9874 
9875 	bt_dev_dbg(hdev, "bdaddr %pMR", bdaddr);
9876 
9877 	bacpy(&ev.addr.bdaddr, bdaddr);
9878 	ev.addr.type = link_to_bdaddr(link_type, addr_type);
9879 	ev.confirm_hint = confirm_hint;
9880 	ev.value = cpu_to_le32(value);
9881 
9882 	return mgmt_event(MGMT_EV_USER_CONFIRM_REQUEST, hdev, &ev, sizeof(ev),
9883 			  NULL);
9884 }
9885 
mgmt_user_passkey_request(struct hci_dev * hdev,bdaddr_t * bdaddr,u8 link_type,u8 addr_type)9886 int mgmt_user_passkey_request(struct hci_dev *hdev, bdaddr_t *bdaddr,
9887 			      u8 link_type, u8 addr_type)
9888 {
9889 	struct mgmt_ev_user_passkey_request ev;
9890 
9891 	bt_dev_dbg(hdev, "bdaddr %pMR", bdaddr);
9892 
9893 	bacpy(&ev.addr.bdaddr, bdaddr);
9894 	ev.addr.type = link_to_bdaddr(link_type, addr_type);
9895 
9896 	return mgmt_event(MGMT_EV_USER_PASSKEY_REQUEST, hdev, &ev, sizeof(ev),
9897 			  NULL);
9898 }
9899 
user_pairing_resp_complete(struct hci_dev * hdev,bdaddr_t * bdaddr,u8 link_type,u8 addr_type,u8 status,u8 opcode)9900 static int user_pairing_resp_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9901 				      u8 link_type, u8 addr_type, u8 status,
9902 				      u8 opcode)
9903 {
9904 	struct mgmt_pending_cmd *cmd;
9905 
9906 	cmd = pending_find(opcode, hdev);
9907 	if (!cmd)
9908 		return -ENOENT;
9909 
9910 	cmd->cmd_complete(cmd, mgmt_status(status));
9911 	mgmt_pending_remove(cmd);
9912 
9913 	return 0;
9914 }
9915 
mgmt_user_confirm_reply_complete(struct hci_dev * hdev,bdaddr_t * bdaddr,u8 link_type,u8 addr_type,u8 status)9916 int mgmt_user_confirm_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9917 				     u8 link_type, u8 addr_type, u8 status)
9918 {
9919 	return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
9920 					  status, MGMT_OP_USER_CONFIRM_REPLY);
9921 }
9922 
mgmt_user_confirm_neg_reply_complete(struct hci_dev * hdev,bdaddr_t * bdaddr,u8 link_type,u8 addr_type,u8 status)9923 int mgmt_user_confirm_neg_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9924 					 u8 link_type, u8 addr_type, u8 status)
9925 {
9926 	return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
9927 					  status,
9928 					  MGMT_OP_USER_CONFIRM_NEG_REPLY);
9929 }
9930 
mgmt_user_passkey_reply_complete(struct hci_dev * hdev,bdaddr_t * bdaddr,u8 link_type,u8 addr_type,u8 status)9931 int mgmt_user_passkey_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9932 				     u8 link_type, u8 addr_type, u8 status)
9933 {
9934 	return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
9935 					  status, MGMT_OP_USER_PASSKEY_REPLY);
9936 }
9937 
mgmt_user_passkey_neg_reply_complete(struct hci_dev * hdev,bdaddr_t * bdaddr,u8 link_type,u8 addr_type,u8 status)9938 int mgmt_user_passkey_neg_reply_complete(struct hci_dev *hdev, bdaddr_t *bdaddr,
9939 					 u8 link_type, u8 addr_type, u8 status)
9940 {
9941 	return user_pairing_resp_complete(hdev, bdaddr, link_type, addr_type,
9942 					  status,
9943 					  MGMT_OP_USER_PASSKEY_NEG_REPLY);
9944 }
9945 
mgmt_user_passkey_notify(struct hci_dev * hdev,bdaddr_t * bdaddr,u8 link_type,u8 addr_type,u32 passkey,u8 entered)9946 int mgmt_user_passkey_notify(struct hci_dev *hdev, bdaddr_t *bdaddr,
9947 			     u8 link_type, u8 addr_type, u32 passkey,
9948 			     u8 entered)
9949 {
9950 	struct mgmt_ev_passkey_notify ev;
9951 
9952 	bt_dev_dbg(hdev, "bdaddr %pMR", bdaddr);
9953 
9954 	bacpy(&ev.addr.bdaddr, bdaddr);
9955 	ev.addr.type = link_to_bdaddr(link_type, addr_type);
9956 	ev.passkey = __cpu_to_le32(passkey);
9957 	ev.entered = entered;
9958 
9959 	return mgmt_event(MGMT_EV_PASSKEY_NOTIFY, hdev, &ev, sizeof(ev), NULL);
9960 }
9961 
mgmt_auth_failed(struct hci_conn * conn,u8 hci_status)9962 void mgmt_auth_failed(struct hci_conn *conn, u8 hci_status)
9963 {
9964 	struct mgmt_ev_auth_failed ev;
9965 	struct mgmt_pending_cmd *cmd;
9966 	u8 status = mgmt_status(hci_status);
9967 
9968 	bacpy(&ev.addr.bdaddr, &conn->dst);
9969 	ev.addr.type = link_to_bdaddr(conn->type, conn->dst_type);
9970 	ev.status = status;
9971 
9972 	cmd = find_pairing(conn);
9973 
9974 	mgmt_event(MGMT_EV_AUTH_FAILED, conn->hdev, &ev, sizeof(ev),
9975 		    cmd ? cmd->sk : NULL);
9976 
9977 	if (cmd) {
9978 		cmd->cmd_complete(cmd, status);
9979 		mgmt_pending_remove(cmd);
9980 	}
9981 }
9982 
mgmt_auth_enable_complete(struct hci_dev * hdev,u8 status)9983 void mgmt_auth_enable_complete(struct hci_dev *hdev, u8 status)
9984 {
9985 	struct cmd_lookup match = { NULL, hdev };
9986 	bool changed;
9987 
9988 	if (status) {
9989 		u8 mgmt_err = mgmt_status(status);
9990 		mgmt_pending_foreach(MGMT_OP_SET_LINK_SECURITY, hdev,
9991 				     cmd_status_rsp, &mgmt_err);
9992 		return;
9993 	}
9994 
9995 	if (test_bit(HCI_AUTH, &hdev->flags))
9996 		changed = !hci_dev_test_and_set_flag(hdev, HCI_LINK_SECURITY);
9997 	else
9998 		changed = hci_dev_test_and_clear_flag(hdev, HCI_LINK_SECURITY);
9999 
10000 	mgmt_pending_foreach(MGMT_OP_SET_LINK_SECURITY, hdev, settings_rsp,
10001 			     &match);
10002 
10003 	if (changed)
10004 		new_settings(hdev, match.sk);
10005 
10006 	if (match.sk)
10007 		sock_put(match.sk);
10008 }
10009 
sk_lookup(struct mgmt_pending_cmd * cmd,void * data)10010 static void sk_lookup(struct mgmt_pending_cmd *cmd, void *data)
10011 {
10012 	struct cmd_lookup *match = data;
10013 
10014 	if (match->sk == NULL) {
10015 		match->sk = cmd->sk;
10016 		sock_hold(match->sk);
10017 	}
10018 }
10019 
mgmt_set_class_of_dev_complete(struct hci_dev * hdev,u8 * dev_class,u8 status)10020 void mgmt_set_class_of_dev_complete(struct hci_dev *hdev, u8 *dev_class,
10021 				    u8 status)
10022 {
10023 	struct cmd_lookup match = { NULL, hdev, mgmt_status(status) };
10024 
10025 	mgmt_pending_foreach(MGMT_OP_SET_DEV_CLASS, hdev, sk_lookup, &match);
10026 	mgmt_pending_foreach(MGMT_OP_ADD_UUID, hdev, sk_lookup, &match);
10027 	mgmt_pending_foreach(MGMT_OP_REMOVE_UUID, hdev, sk_lookup, &match);
10028 
10029 	if (!status) {
10030 		mgmt_limited_event(MGMT_EV_CLASS_OF_DEV_CHANGED, hdev, dev_class,
10031 				   3, HCI_MGMT_DEV_CLASS_EVENTS, NULL);
10032 		ext_info_changed(hdev, NULL);
10033 	}
10034 
10035 	if (match.sk)
10036 		sock_put(match.sk);
10037 }
10038 
mgmt_set_local_name_complete(struct hci_dev * hdev,u8 * name,u8 status)10039 void mgmt_set_local_name_complete(struct hci_dev *hdev, u8 *name, u8 status)
10040 {
10041 	struct mgmt_cp_set_local_name ev;
10042 	struct mgmt_pending_cmd *cmd;
10043 
10044 	if (status)
10045 		return;
10046 
10047 	memset(&ev, 0, sizeof(ev));
10048 	memcpy(ev.name, name, HCI_MAX_NAME_LENGTH);
10049 	memcpy(ev.short_name, hdev->short_name, HCI_MAX_SHORT_NAME_LENGTH);
10050 
10051 	cmd = pending_find(MGMT_OP_SET_LOCAL_NAME, hdev);
10052 	if (!cmd) {
10053 		memcpy(hdev->dev_name, name, sizeof(hdev->dev_name));
10054 
10055 		/* If this is a HCI command related to powering on the
10056 		 * HCI dev don't send any mgmt signals.
10057 		 */
10058 		if (pending_find(MGMT_OP_SET_POWERED, hdev))
10059 			return;
10060 	}
10061 
10062 	mgmt_limited_event(MGMT_EV_LOCAL_NAME_CHANGED, hdev, &ev, sizeof(ev),
10063 			   HCI_MGMT_LOCAL_NAME_EVENTS, cmd ? cmd->sk : NULL);
10064 	ext_info_changed(hdev, cmd ? cmd->sk : NULL);
10065 }
10066 
has_uuid(u8 * uuid,u16 uuid_count,u8 (* uuids)[16])10067 static inline bool has_uuid(u8 *uuid, u16 uuid_count, u8 (*uuids)[16])
10068 {
10069 	int i;
10070 
10071 	for (i = 0; i < uuid_count; i++) {
10072 		if (!memcmp(uuid, uuids[i], 16))
10073 			return true;
10074 	}
10075 
10076 	return false;
10077 }
10078 
eir_has_uuids(u8 * eir,u16 eir_len,u16 uuid_count,u8 (* uuids)[16])10079 static bool eir_has_uuids(u8 *eir, u16 eir_len, u16 uuid_count, u8 (*uuids)[16])
10080 {
10081 	u16 parsed = 0;
10082 
10083 	while (parsed < eir_len) {
10084 		u8 field_len = eir[0];
10085 		u8 uuid[16];
10086 		int i;
10087 
10088 		if (field_len == 0)
10089 			break;
10090 
10091 		if (eir_len - parsed < field_len + 1)
10092 			break;
10093 
10094 		switch (eir[1]) {
10095 		case EIR_UUID16_ALL:
10096 		case EIR_UUID16_SOME:
10097 			for (i = 0; i + 3 <= field_len; i += 2) {
10098 				memcpy(uuid, bluetooth_base_uuid, 16);
10099 				uuid[13] = eir[i + 3];
10100 				uuid[12] = eir[i + 2];
10101 				if (has_uuid(uuid, uuid_count, uuids))
10102 					return true;
10103 			}
10104 			break;
10105 		case EIR_UUID32_ALL:
10106 		case EIR_UUID32_SOME:
10107 			for (i = 0; i + 5 <= field_len; i += 4) {
10108 				memcpy(uuid, bluetooth_base_uuid, 16);
10109 				uuid[15] = eir[i + 5];
10110 				uuid[14] = eir[i + 4];
10111 				uuid[13] = eir[i + 3];
10112 				uuid[12] = eir[i + 2];
10113 				if (has_uuid(uuid, uuid_count, uuids))
10114 					return true;
10115 			}
10116 			break;
10117 		case EIR_UUID128_ALL:
10118 		case EIR_UUID128_SOME:
10119 			for (i = 0; i + 17 <= field_len; i += 16) {
10120 				memcpy(uuid, eir + i + 2, 16);
10121 				if (has_uuid(uuid, uuid_count, uuids))
10122 					return true;
10123 			}
10124 			break;
10125 		}
10126 
10127 		parsed += field_len + 1;
10128 		eir += field_len + 1;
10129 	}
10130 
10131 	return false;
10132 }
10133 
restart_le_scan(struct hci_dev * hdev)10134 static void restart_le_scan(struct hci_dev *hdev)
10135 {
10136 	/* If controller is not scanning we are done. */
10137 	if (!hci_dev_test_flag(hdev, HCI_LE_SCAN))
10138 		return;
10139 
10140 	if (time_after(jiffies + DISCOV_LE_RESTART_DELAY,
10141 		       hdev->discovery.scan_start +
10142 		       hdev->discovery.scan_duration))
10143 		return;
10144 
10145 	queue_delayed_work(hdev->req_workqueue, &hdev->le_scan_restart,
10146 			   DISCOV_LE_RESTART_DELAY);
10147 }
10148 
is_filter_match(struct hci_dev * hdev,s8 rssi,u8 * eir,u16 eir_len,u8 * scan_rsp,u8 scan_rsp_len)10149 static bool is_filter_match(struct hci_dev *hdev, s8 rssi, u8 *eir,
10150 			    u16 eir_len, u8 *scan_rsp, u8 scan_rsp_len)
10151 {
10152 	/* If a RSSI threshold has been specified, and
10153 	 * HCI_QUIRK_STRICT_DUPLICATE_FILTER is not set, then all results with
10154 	 * a RSSI smaller than the RSSI threshold will be dropped. If the quirk
10155 	 * is set, let it through for further processing, as we might need to
10156 	 * restart the scan.
10157 	 *
10158 	 * For BR/EDR devices (pre 1.2) providing no RSSI during inquiry,
10159 	 * the results are also dropped.
10160 	 */
10161 	if (hdev->discovery.rssi != HCI_RSSI_INVALID &&
10162 	    (rssi == HCI_RSSI_INVALID ||
10163 	    (rssi < hdev->discovery.rssi &&
10164 	     !test_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks))))
10165 		return  false;
10166 
10167 	if (hdev->discovery.uuid_count != 0) {
10168 		/* If a list of UUIDs is provided in filter, results with no
10169 		 * matching UUID should be dropped.
10170 		 */
10171 		if (!eir_has_uuids(eir, eir_len, hdev->discovery.uuid_count,
10172 				   hdev->discovery.uuids) &&
10173 		    !eir_has_uuids(scan_rsp, scan_rsp_len,
10174 				   hdev->discovery.uuid_count,
10175 				   hdev->discovery.uuids))
10176 			return false;
10177 	}
10178 
10179 	/* If duplicate filtering does not report RSSI changes, then restart
10180 	 * scanning to ensure updated result with updated RSSI values.
10181 	 */
10182 	if (test_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks)) {
10183 		restart_le_scan(hdev);
10184 
10185 		/* Validate RSSI value against the RSSI threshold once more. */
10186 		if (hdev->discovery.rssi != HCI_RSSI_INVALID &&
10187 		    rssi < hdev->discovery.rssi)
10188 			return false;
10189 	}
10190 
10191 	return true;
10192 }
10193 
mgmt_adv_monitor_device_lost(struct hci_dev * hdev,u16 handle,bdaddr_t * bdaddr,u8 addr_type)10194 void mgmt_adv_monitor_device_lost(struct hci_dev *hdev, u16 handle,
10195 				  bdaddr_t *bdaddr, u8 addr_type)
10196 {
10197 	struct mgmt_ev_adv_monitor_device_lost ev;
10198 
10199 	ev.monitor_handle = cpu_to_le16(handle);
10200 	bacpy(&ev.addr.bdaddr, bdaddr);
10201 	ev.addr.type = addr_type;
10202 
10203 	mgmt_event(MGMT_EV_ADV_MONITOR_DEVICE_LOST, hdev, &ev, sizeof(ev),
10204 		   NULL);
10205 }
10206 
mgmt_send_adv_monitor_device_found(struct hci_dev * hdev,struct sk_buff * skb,struct sock * skip_sk,u16 handle)10207 static void mgmt_send_adv_monitor_device_found(struct hci_dev *hdev,
10208 					       struct sk_buff *skb,
10209 					       struct sock *skip_sk,
10210 					       u16 handle)
10211 {
10212 	struct sk_buff *advmon_skb;
10213 	size_t advmon_skb_len;
10214 	__le16 *monitor_handle;
10215 
10216 	if (!skb)
10217 		return;
10218 
10219 	advmon_skb_len = (sizeof(struct mgmt_ev_adv_monitor_device_found) -
10220 			  sizeof(struct mgmt_ev_device_found)) + skb->len;
10221 	advmon_skb = mgmt_alloc_skb(hdev, MGMT_EV_ADV_MONITOR_DEVICE_FOUND,
10222 				    advmon_skb_len);
10223 	if (!advmon_skb)
10224 		return;
10225 
10226 	/* ADV_MONITOR_DEVICE_FOUND is similar to DEVICE_FOUND event except
10227 	 * that it also has 'monitor_handle'. Make a copy of DEVICE_FOUND and
10228 	 * store monitor_handle of the matched monitor.
10229 	 */
10230 	monitor_handle = skb_put(advmon_skb, sizeof(*monitor_handle));
10231 	*monitor_handle = cpu_to_le16(handle);
10232 	skb_put_data(advmon_skb, skb->data, skb->len);
10233 
10234 	mgmt_event_skb(advmon_skb, skip_sk);
10235 }
10236 
mgmt_adv_monitor_device_found(struct hci_dev * hdev,bdaddr_t * bdaddr,bool report_device,struct sk_buff * skb,struct sock * skip_sk)10237 static void mgmt_adv_monitor_device_found(struct hci_dev *hdev,
10238 					  bdaddr_t *bdaddr, bool report_device,
10239 					  struct sk_buff *skb,
10240 					  struct sock *skip_sk)
10241 {
10242 	struct monitored_device *dev, *tmp;
10243 	bool matched = false;
10244 	bool notified = false;
10245 
10246 	/* We have received the Advertisement Report because:
10247 	 * 1. the kernel has initiated active discovery
10248 	 * 2. if not, we have pend_le_reports > 0 in which case we are doing
10249 	 *    passive scanning
10250 	 * 3. if none of the above is true, we have one or more active
10251 	 *    Advertisement Monitor
10252 	 *
10253 	 * For case 1 and 2, report all advertisements via MGMT_EV_DEVICE_FOUND
10254 	 * and report ONLY one advertisement per device for the matched Monitor
10255 	 * via MGMT_EV_ADV_MONITOR_DEVICE_FOUND event.
10256 	 *
10257 	 * For case 3, since we are not active scanning and all advertisements
10258 	 * received are due to a matched Advertisement Monitor, report all
10259 	 * advertisements ONLY via MGMT_EV_ADV_MONITOR_DEVICE_FOUND event.
10260 	 */
10261 	if (report_device && !hdev->advmon_pend_notify) {
10262 		mgmt_event_skb(skb, skip_sk);
10263 		return;
10264 	}
10265 
10266 	hdev->advmon_pend_notify = false;
10267 
10268 	list_for_each_entry_safe(dev, tmp, &hdev->monitored_devices, list) {
10269 		if (!bacmp(&dev->bdaddr, bdaddr)) {
10270 			matched = true;
10271 
10272 			if (!dev->notified) {
10273 				mgmt_send_adv_monitor_device_found(hdev, skb,
10274 								   skip_sk,
10275 								   dev->handle);
10276 				notified = true;
10277 				dev->notified = true;
10278 			}
10279 		}
10280 
10281 		if (!dev->notified)
10282 			hdev->advmon_pend_notify = true;
10283 	}
10284 
10285 	if (!report_device &&
10286 	    ((matched && !notified) || !msft_monitor_supported(hdev))) {
10287 		/* Handle 0 indicates that we are not active scanning and this
10288 		 * is a subsequent advertisement report for an already matched
10289 		 * Advertisement Monitor or the controller offloading support
10290 		 * is not available.
10291 		 */
10292 		mgmt_send_adv_monitor_device_found(hdev, skb, skip_sk, 0);
10293 	}
10294 
10295 	if (report_device)
10296 		mgmt_event_skb(skb, skip_sk);
10297 	else
10298 		kfree_skb(skb);
10299 }
10300 
mesh_device_found(struct hci_dev * hdev,bdaddr_t * bdaddr,u8 addr_type,s8 rssi,u32 flags,u8 * eir,u16 eir_len,u8 * scan_rsp,u8 scan_rsp_len,u64 instant)10301 static void mesh_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr,
10302 			      u8 addr_type, s8 rssi, u32 flags, u8 *eir,
10303 			      u16 eir_len, u8 *scan_rsp, u8 scan_rsp_len,
10304 			      u64 instant)
10305 {
10306 	struct sk_buff *skb;
10307 	struct mgmt_ev_mesh_device_found *ev;
10308 	int i, j;
10309 
10310 	if (!hdev->mesh_ad_types[0])
10311 		goto accepted;
10312 
10313 	/* Scan for requested AD types */
10314 	if (eir_len > 0) {
10315 		for (i = 0; i + 1 < eir_len; i += eir[i] + 1) {
10316 			for (j = 0; j < sizeof(hdev->mesh_ad_types); j++) {
10317 				if (!hdev->mesh_ad_types[j])
10318 					break;
10319 
10320 				if (hdev->mesh_ad_types[j] == eir[i + 1])
10321 					goto accepted;
10322 			}
10323 		}
10324 	}
10325 
10326 	if (scan_rsp_len > 0) {
10327 		for (i = 0; i + 1 < scan_rsp_len; i += scan_rsp[i] + 1) {
10328 			for (j = 0; j < sizeof(hdev->mesh_ad_types); j++) {
10329 				if (!hdev->mesh_ad_types[j])
10330 					break;
10331 
10332 				if (hdev->mesh_ad_types[j] == scan_rsp[i + 1])
10333 					goto accepted;
10334 			}
10335 		}
10336 	}
10337 
10338 	return;
10339 
10340 accepted:
10341 	skb = mgmt_alloc_skb(hdev, MGMT_EV_MESH_DEVICE_FOUND,
10342 			     sizeof(*ev) + eir_len + scan_rsp_len);
10343 	if (!skb)
10344 		return;
10345 
10346 	ev = skb_put(skb, sizeof(*ev));
10347 
10348 	bacpy(&ev->addr.bdaddr, bdaddr);
10349 	ev->addr.type = link_to_bdaddr(LE_LINK, addr_type);
10350 	ev->rssi = rssi;
10351 	ev->flags = cpu_to_le32(flags);
10352 	ev->instant = cpu_to_le64(instant);
10353 
10354 	if (eir_len > 0)
10355 		/* Copy EIR or advertising data into event */
10356 		skb_put_data(skb, eir, eir_len);
10357 
10358 	if (scan_rsp_len > 0)
10359 		/* Append scan response data to event */
10360 		skb_put_data(skb, scan_rsp, scan_rsp_len);
10361 
10362 	ev->eir_len = cpu_to_le16(eir_len + scan_rsp_len);
10363 
10364 	mgmt_event_skb(skb, NULL);
10365 }
10366 
mgmt_device_found(struct hci_dev * hdev,bdaddr_t * bdaddr,u8 link_type,u8 addr_type,u8 * dev_class,s8 rssi,u32 flags,u8 * eir,u16 eir_len,u8 * scan_rsp,u8 scan_rsp_len,u64 instant)10367 void mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
10368 		       u8 addr_type, u8 *dev_class, s8 rssi, u32 flags,
10369 		       u8 *eir, u16 eir_len, u8 *scan_rsp, u8 scan_rsp_len,
10370 		       u64 instant)
10371 {
10372 	struct sk_buff *skb;
10373 	struct mgmt_ev_device_found *ev;
10374 	bool report_device = hci_discovery_active(hdev);
10375 
10376 	if (hci_dev_test_flag(hdev, HCI_MESH) && link_type == LE_LINK)
10377 		mesh_device_found(hdev, bdaddr, addr_type, rssi, flags,
10378 				  eir, eir_len, scan_rsp, scan_rsp_len,
10379 				  instant);
10380 
10381 	/* Don't send events for a non-kernel initiated discovery. With
10382 	 * LE one exception is if we have pend_le_reports > 0 in which
10383 	 * case we're doing passive scanning and want these events.
10384 	 */
10385 	if (!hci_discovery_active(hdev)) {
10386 		if (link_type == ACL_LINK)
10387 			return;
10388 		if (link_type == LE_LINK && !list_empty(&hdev->pend_le_reports))
10389 			report_device = true;
10390 		else if (!hci_is_adv_monitoring(hdev))
10391 			return;
10392 	}
10393 
10394 	if (hdev->discovery.result_filtering) {
10395 		/* We are using service discovery */
10396 		if (!is_filter_match(hdev, rssi, eir, eir_len, scan_rsp,
10397 				     scan_rsp_len))
10398 			return;
10399 	}
10400 
10401 	if (hdev->discovery.limited) {
10402 		/* Check for limited discoverable bit */
10403 		if (dev_class) {
10404 			if (!(dev_class[1] & 0x20))
10405 				return;
10406 		} else {
10407 			u8 *flags = eir_get_data(eir, eir_len, EIR_FLAGS, NULL);
10408 			if (!flags || !(flags[0] & LE_AD_LIMITED))
10409 				return;
10410 		}
10411 	}
10412 
10413 	/* Allocate skb. The 5 extra bytes are for the potential CoD field */
10414 	skb = mgmt_alloc_skb(hdev, MGMT_EV_DEVICE_FOUND,
10415 			     sizeof(*ev) + eir_len + scan_rsp_len + 5);
10416 	if (!skb)
10417 		return;
10418 
10419 	ev = skb_put(skb, sizeof(*ev));
10420 
10421 	/* In case of device discovery with BR/EDR devices (pre 1.2), the
10422 	 * RSSI value was reported as 0 when not available. This behavior
10423 	 * is kept when using device discovery. This is required for full
10424 	 * backwards compatibility with the API.
10425 	 *
10426 	 * However when using service discovery, the value 127 will be
10427 	 * returned when the RSSI is not available.
10428 	 */
10429 	if (rssi == HCI_RSSI_INVALID && !hdev->discovery.report_invalid_rssi &&
10430 	    link_type == ACL_LINK)
10431 		rssi = 0;
10432 
10433 	bacpy(&ev->addr.bdaddr, bdaddr);
10434 	ev->addr.type = link_to_bdaddr(link_type, addr_type);
10435 	ev->rssi = rssi;
10436 	ev->flags = cpu_to_le32(flags);
10437 
10438 	if (eir_len > 0)
10439 		/* Copy EIR or advertising data into event */
10440 		skb_put_data(skb, eir, eir_len);
10441 
10442 	if (dev_class && !eir_get_data(eir, eir_len, EIR_CLASS_OF_DEV, NULL)) {
10443 		u8 eir_cod[5];
10444 
10445 		eir_len += eir_append_data(eir_cod, 0, EIR_CLASS_OF_DEV,
10446 					   dev_class, 3);
10447 		skb_put_data(skb, eir_cod, sizeof(eir_cod));
10448 	}
10449 
10450 	if (scan_rsp_len > 0)
10451 		/* Append scan response data to event */
10452 		skb_put_data(skb, scan_rsp, scan_rsp_len);
10453 
10454 	ev->eir_len = cpu_to_le16(eir_len + scan_rsp_len);
10455 
10456 	mgmt_adv_monitor_device_found(hdev, bdaddr, report_device, skb, NULL);
10457 }
10458 
mgmt_remote_name(struct hci_dev * hdev,bdaddr_t * bdaddr,u8 link_type,u8 addr_type,s8 rssi,u8 * name,u8 name_len)10459 void mgmt_remote_name(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
10460 		      u8 addr_type, s8 rssi, u8 *name, u8 name_len)
10461 {
10462 	struct sk_buff *skb;
10463 	struct mgmt_ev_device_found *ev;
10464 	u16 eir_len = 0;
10465 	u32 flags = 0;
10466 
10467 	skb = mgmt_alloc_skb(hdev, MGMT_EV_DEVICE_FOUND,
10468 			     sizeof(*ev) + (name ? eir_precalc_len(name_len) : 0));
10469 
10470 	ev = skb_put(skb, sizeof(*ev));
10471 	bacpy(&ev->addr.bdaddr, bdaddr);
10472 	ev->addr.type = link_to_bdaddr(link_type, addr_type);
10473 	ev->rssi = rssi;
10474 
10475 	if (name)
10476 		eir_len += eir_skb_put_data(skb, EIR_NAME_COMPLETE, name, name_len);
10477 	else
10478 		flags = MGMT_DEV_FOUND_NAME_REQUEST_FAILED;
10479 
10480 	ev->eir_len = cpu_to_le16(eir_len);
10481 	ev->flags = cpu_to_le32(flags);
10482 
10483 	mgmt_event_skb(skb, NULL);
10484 }
10485 
mgmt_discovering(struct hci_dev * hdev,u8 discovering)10486 void mgmt_discovering(struct hci_dev *hdev, u8 discovering)
10487 {
10488 	struct mgmt_ev_discovering ev;
10489 
10490 	bt_dev_dbg(hdev, "discovering %u", discovering);
10491 
10492 	memset(&ev, 0, sizeof(ev));
10493 	ev.type = hdev->discovery.type;
10494 	ev.discovering = discovering;
10495 
10496 	mgmt_event(MGMT_EV_DISCOVERING, hdev, &ev, sizeof(ev), NULL);
10497 }
10498 
mgmt_suspending(struct hci_dev * hdev,u8 state)10499 void mgmt_suspending(struct hci_dev *hdev, u8 state)
10500 {
10501 	struct mgmt_ev_controller_suspend ev;
10502 
10503 	ev.suspend_state = state;
10504 	mgmt_event(MGMT_EV_CONTROLLER_SUSPEND, hdev, &ev, sizeof(ev), NULL);
10505 }
10506 
mgmt_resuming(struct hci_dev * hdev,u8 reason,bdaddr_t * bdaddr,u8 addr_type)10507 void mgmt_resuming(struct hci_dev *hdev, u8 reason, bdaddr_t *bdaddr,
10508 		   u8 addr_type)
10509 {
10510 	struct mgmt_ev_controller_resume ev;
10511 
10512 	ev.wake_reason = reason;
10513 	if (bdaddr) {
10514 		bacpy(&ev.addr.bdaddr, bdaddr);
10515 		ev.addr.type = addr_type;
10516 	} else {
10517 		memset(&ev.addr, 0, sizeof(ev.addr));
10518 	}
10519 
10520 	mgmt_event(MGMT_EV_CONTROLLER_RESUME, hdev, &ev, sizeof(ev), NULL);
10521 }
10522 
10523 static struct hci_mgmt_chan chan = {
10524 	.channel	= HCI_CHANNEL_CONTROL,
10525 	.handler_count	= ARRAY_SIZE(mgmt_handlers),
10526 	.handlers	= mgmt_handlers,
10527 	.hdev_init	= mgmt_init_hdev,
10528 };
10529 
mgmt_init(void)10530 int mgmt_init(void)
10531 {
10532 	return hci_mgmt_chan_register(&chan);
10533 }
10534 
mgmt_exit(void)10535 void mgmt_exit(void)
10536 {
10537 	hci_mgmt_chan_unregister(&chan);
10538 }
10539 
mgmt_cleanup(struct sock * sk)10540 void mgmt_cleanup(struct sock *sk)
10541 {
10542 	struct mgmt_mesh_tx *mesh_tx;
10543 	struct hci_dev *hdev;
10544 
10545 	read_lock(&hci_dev_list_lock);
10546 
10547 	list_for_each_entry(hdev, &hci_dev_list, list) {
10548 		do {
10549 			mesh_tx = mgmt_mesh_next(hdev, sk);
10550 
10551 			if (mesh_tx)
10552 				mesh_send_complete(hdev, mesh_tx, true);
10553 		} while (mesh_tx);
10554 	}
10555 
10556 	read_unlock(&hci_dev_list_lock);
10557 }
10558