Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
[sfrench/cifs-2.6.git] / net / bluetooth / mgmt.c
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3
4    Copyright (C) 2010  Nokia Corporation
5    Copyright (C) 2011-2012 Intel Corporation
6
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License version 2 as
9    published by the Free Software Foundation;
10
11    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
12    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
14    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
15    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
16    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19
20    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
21    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
22    SOFTWARE IS DISCLAIMED.
23 */
24
25 /* Bluetooth HCI Management interface */
26
27 #include <linux/module.h>
28 #include <asm/unaligned.h>
29
30 #include <net/bluetooth/bluetooth.h>
31 #include <net/bluetooth/hci_core.h>
32 #include <net/bluetooth/mgmt.h>
33
34 #include "smp.h"
35
36 #define MGMT_VERSION    1
37 #define MGMT_REVISION   5
38
39 static const u16 mgmt_commands[] = {
40         MGMT_OP_READ_INDEX_LIST,
41         MGMT_OP_READ_INFO,
42         MGMT_OP_SET_POWERED,
43         MGMT_OP_SET_DISCOVERABLE,
44         MGMT_OP_SET_CONNECTABLE,
45         MGMT_OP_SET_FAST_CONNECTABLE,
46         MGMT_OP_SET_PAIRABLE,
47         MGMT_OP_SET_LINK_SECURITY,
48         MGMT_OP_SET_SSP,
49         MGMT_OP_SET_HS,
50         MGMT_OP_SET_LE,
51         MGMT_OP_SET_DEV_CLASS,
52         MGMT_OP_SET_LOCAL_NAME,
53         MGMT_OP_ADD_UUID,
54         MGMT_OP_REMOVE_UUID,
55         MGMT_OP_LOAD_LINK_KEYS,
56         MGMT_OP_LOAD_LONG_TERM_KEYS,
57         MGMT_OP_DISCONNECT,
58         MGMT_OP_GET_CONNECTIONS,
59         MGMT_OP_PIN_CODE_REPLY,
60         MGMT_OP_PIN_CODE_NEG_REPLY,
61         MGMT_OP_SET_IO_CAPABILITY,
62         MGMT_OP_PAIR_DEVICE,
63         MGMT_OP_CANCEL_PAIR_DEVICE,
64         MGMT_OP_UNPAIR_DEVICE,
65         MGMT_OP_USER_CONFIRM_REPLY,
66         MGMT_OP_USER_CONFIRM_NEG_REPLY,
67         MGMT_OP_USER_PASSKEY_REPLY,
68         MGMT_OP_USER_PASSKEY_NEG_REPLY,
69         MGMT_OP_READ_LOCAL_OOB_DATA,
70         MGMT_OP_ADD_REMOTE_OOB_DATA,
71         MGMT_OP_REMOVE_REMOTE_OOB_DATA,
72         MGMT_OP_START_DISCOVERY,
73         MGMT_OP_STOP_DISCOVERY,
74         MGMT_OP_CONFIRM_NAME,
75         MGMT_OP_BLOCK_DEVICE,
76         MGMT_OP_UNBLOCK_DEVICE,
77         MGMT_OP_SET_DEVICE_ID,
78         MGMT_OP_SET_ADVERTISING,
79         MGMT_OP_SET_BREDR,
80         MGMT_OP_SET_STATIC_ADDRESS,
81         MGMT_OP_SET_SCAN_PARAMS,
82         MGMT_OP_SET_SECURE_CONN,
83         MGMT_OP_SET_DEBUG_KEYS,
84         MGMT_OP_SET_PRIVACY,
85         MGMT_OP_LOAD_IRKS,
86 };
87
88 static const u16 mgmt_events[] = {
89         MGMT_EV_CONTROLLER_ERROR,
90         MGMT_EV_INDEX_ADDED,
91         MGMT_EV_INDEX_REMOVED,
92         MGMT_EV_NEW_SETTINGS,
93         MGMT_EV_CLASS_OF_DEV_CHANGED,
94         MGMT_EV_LOCAL_NAME_CHANGED,
95         MGMT_EV_NEW_LINK_KEY,
96         MGMT_EV_NEW_LONG_TERM_KEY,
97         MGMT_EV_DEVICE_CONNECTED,
98         MGMT_EV_DEVICE_DISCONNECTED,
99         MGMT_EV_CONNECT_FAILED,
100         MGMT_EV_PIN_CODE_REQUEST,
101         MGMT_EV_USER_CONFIRM_REQUEST,
102         MGMT_EV_USER_PASSKEY_REQUEST,
103         MGMT_EV_AUTH_FAILED,
104         MGMT_EV_DEVICE_FOUND,
105         MGMT_EV_DISCOVERING,
106         MGMT_EV_DEVICE_BLOCKED,
107         MGMT_EV_DEVICE_UNBLOCKED,
108         MGMT_EV_DEVICE_UNPAIRED,
109         MGMT_EV_PASSKEY_NOTIFY,
110         MGMT_EV_NEW_IRK,
111         MGMT_EV_NEW_CSRK,
112 };
113
114 #define CACHE_TIMEOUT   msecs_to_jiffies(2 * 1000)
115
116 #define hdev_is_powered(hdev) (test_bit(HCI_UP, &hdev->flags) && \
117                                 !test_bit(HCI_AUTO_OFF, &hdev->dev_flags))
118
119 struct pending_cmd {
120         struct list_head list;
121         u16 opcode;
122         int index;
123         void *param;
124         struct sock *sk;
125         void *user_data;
126 };
127
128 /* HCI to MGMT error code conversion table */
129 static u8 mgmt_status_table[] = {
130         MGMT_STATUS_SUCCESS,
131         MGMT_STATUS_UNKNOWN_COMMAND,    /* Unknown Command */
132         MGMT_STATUS_NOT_CONNECTED,      /* No Connection */
133         MGMT_STATUS_FAILED,             /* Hardware Failure */
134         MGMT_STATUS_CONNECT_FAILED,     /* Page Timeout */
135         MGMT_STATUS_AUTH_FAILED,        /* Authentication Failed */
136         MGMT_STATUS_AUTH_FAILED,        /* PIN or Key Missing */
137         MGMT_STATUS_NO_RESOURCES,       /* Memory Full */
138         MGMT_STATUS_TIMEOUT,            /* Connection Timeout */
139         MGMT_STATUS_NO_RESOURCES,       /* Max Number of Connections */
140         MGMT_STATUS_NO_RESOURCES,       /* Max Number of SCO Connections */
141         MGMT_STATUS_ALREADY_CONNECTED,  /* ACL Connection Exists */
142         MGMT_STATUS_BUSY,               /* Command Disallowed */
143         MGMT_STATUS_NO_RESOURCES,       /* Rejected Limited Resources */
144         MGMT_STATUS_REJECTED,           /* Rejected Security */
145         MGMT_STATUS_REJECTED,           /* Rejected Personal */
146         MGMT_STATUS_TIMEOUT,            /* Host Timeout */
147         MGMT_STATUS_NOT_SUPPORTED,      /* Unsupported Feature */
148         MGMT_STATUS_INVALID_PARAMS,     /* Invalid Parameters */
149         MGMT_STATUS_DISCONNECTED,       /* OE User Ended Connection */
150         MGMT_STATUS_NO_RESOURCES,       /* OE Low Resources */
151         MGMT_STATUS_DISCONNECTED,       /* OE Power Off */
152         MGMT_STATUS_DISCONNECTED,       /* Connection Terminated */
153         MGMT_STATUS_BUSY,               /* Repeated Attempts */
154         MGMT_STATUS_REJECTED,           /* Pairing Not Allowed */
155         MGMT_STATUS_FAILED,             /* Unknown LMP PDU */
156         MGMT_STATUS_NOT_SUPPORTED,      /* Unsupported Remote Feature */
157         MGMT_STATUS_REJECTED,           /* SCO Offset Rejected */
158         MGMT_STATUS_REJECTED,           /* SCO Interval Rejected */
159         MGMT_STATUS_REJECTED,           /* Air Mode Rejected */
160         MGMT_STATUS_INVALID_PARAMS,     /* Invalid LMP Parameters */
161         MGMT_STATUS_FAILED,             /* Unspecified Error */
162         MGMT_STATUS_NOT_SUPPORTED,      /* Unsupported LMP Parameter Value */
163         MGMT_STATUS_FAILED,             /* Role Change Not Allowed */
164         MGMT_STATUS_TIMEOUT,            /* LMP Response Timeout */
165         MGMT_STATUS_FAILED,             /* LMP Error Transaction Collision */
166         MGMT_STATUS_FAILED,             /* LMP PDU Not Allowed */
167         MGMT_STATUS_REJECTED,           /* Encryption Mode Not Accepted */
168         MGMT_STATUS_FAILED,             /* Unit Link Key Used */
169         MGMT_STATUS_NOT_SUPPORTED,      /* QoS Not Supported */
170         MGMT_STATUS_TIMEOUT,            /* Instant Passed */
171         MGMT_STATUS_NOT_SUPPORTED,      /* Pairing Not Supported */
172         MGMT_STATUS_FAILED,             /* Transaction Collision */
173         MGMT_STATUS_INVALID_PARAMS,     /* Unacceptable Parameter */
174         MGMT_STATUS_REJECTED,           /* QoS Rejected */
175         MGMT_STATUS_NOT_SUPPORTED,      /* Classification Not Supported */
176         MGMT_STATUS_REJECTED,           /* Insufficient Security */
177         MGMT_STATUS_INVALID_PARAMS,     /* Parameter Out Of Range */
178         MGMT_STATUS_BUSY,               /* Role Switch Pending */
179         MGMT_STATUS_FAILED,             /* Slot Violation */
180         MGMT_STATUS_FAILED,             /* Role Switch Failed */
181         MGMT_STATUS_INVALID_PARAMS,     /* EIR Too Large */
182         MGMT_STATUS_NOT_SUPPORTED,      /* Simple Pairing Not Supported */
183         MGMT_STATUS_BUSY,               /* Host Busy Pairing */
184         MGMT_STATUS_REJECTED,           /* Rejected, No Suitable Channel */
185         MGMT_STATUS_BUSY,               /* Controller Busy */
186         MGMT_STATUS_INVALID_PARAMS,     /* Unsuitable Connection Interval */
187         MGMT_STATUS_TIMEOUT,            /* Directed Advertising Timeout */
188         MGMT_STATUS_AUTH_FAILED,        /* Terminated Due to MIC Failure */
189         MGMT_STATUS_CONNECT_FAILED,     /* Connection Establishment Failed */
190         MGMT_STATUS_CONNECT_FAILED,     /* MAC Connection Failed */
191 };
192
193 static u8 mgmt_status(u8 hci_status)
194 {
195         if (hci_status < ARRAY_SIZE(mgmt_status_table))
196                 return mgmt_status_table[hci_status];
197
198         return MGMT_STATUS_FAILED;
199 }
200
201 static int cmd_status(struct sock *sk, u16 index, u16 cmd, u8 status)
202 {
203         struct sk_buff *skb;
204         struct mgmt_hdr *hdr;
205         struct mgmt_ev_cmd_status *ev;
206         int err;
207
208         BT_DBG("sock %p, index %u, cmd %u, status %u", sk, index, cmd, status);
209
210         skb = alloc_skb(sizeof(*hdr) + sizeof(*ev), GFP_KERNEL);
211         if (!skb)
212                 return -ENOMEM;
213
214         hdr = (void *) skb_put(skb, sizeof(*hdr));
215
216         hdr->opcode = cpu_to_le16(MGMT_EV_CMD_STATUS);
217         hdr->index = cpu_to_le16(index);
218         hdr->len = cpu_to_le16(sizeof(*ev));
219
220         ev = (void *) skb_put(skb, sizeof(*ev));
221         ev->status = status;
222         ev->opcode = cpu_to_le16(cmd);
223
224         err = sock_queue_rcv_skb(sk, skb);
225         if (err < 0)
226                 kfree_skb(skb);
227
228         return err;
229 }
230
231 static int cmd_complete(struct sock *sk, u16 index, u16 cmd, u8 status,
232                         void *rp, size_t rp_len)
233 {
234         struct sk_buff *skb;
235         struct mgmt_hdr *hdr;
236         struct mgmt_ev_cmd_complete *ev;
237         int err;
238
239         BT_DBG("sock %p", sk);
240
241         skb = alloc_skb(sizeof(*hdr) + sizeof(*ev) + rp_len, GFP_KERNEL);
242         if (!skb)
243                 return -ENOMEM;
244
245         hdr = (void *) skb_put(skb, sizeof(*hdr));
246
247         hdr->opcode = cpu_to_le16(MGMT_EV_CMD_COMPLETE);
248         hdr->index = cpu_to_le16(index);
249         hdr->len = cpu_to_le16(sizeof(*ev) + rp_len);
250
251         ev = (void *) skb_put(skb, sizeof(*ev) + rp_len);
252         ev->opcode = cpu_to_le16(cmd);
253         ev->status = status;
254
255         if (rp)
256                 memcpy(ev->data, rp, rp_len);
257
258         err = sock_queue_rcv_skb(sk, skb);
259         if (err < 0)
260                 kfree_skb(skb);
261
262         return err;
263 }
264
265 static int read_version(struct sock *sk, struct hci_dev *hdev, void *data,
266                         u16 data_len)
267 {
268         struct mgmt_rp_read_version rp;
269
270         BT_DBG("sock %p", sk);
271
272         rp.version = MGMT_VERSION;
273         rp.revision = cpu_to_le16(MGMT_REVISION);
274
275         return cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_VERSION, 0, &rp,
276                             sizeof(rp));
277 }
278
279 static int read_commands(struct sock *sk, struct hci_dev *hdev, void *data,
280                          u16 data_len)
281 {
282         struct mgmt_rp_read_commands *rp;
283         const u16 num_commands = ARRAY_SIZE(mgmt_commands);
284         const u16 num_events = ARRAY_SIZE(mgmt_events);
285         __le16 *opcode;
286         size_t rp_size;
287         int i, err;
288
289         BT_DBG("sock %p", sk);
290
291         rp_size = sizeof(*rp) + ((num_commands + num_events) * sizeof(u16));
292
293         rp = kmalloc(rp_size, GFP_KERNEL);
294         if (!rp)
295                 return -ENOMEM;
296
297         rp->num_commands = cpu_to_le16(num_commands);
298         rp->num_events = cpu_to_le16(num_events);
299
300         for (i = 0, opcode = rp->opcodes; i < num_commands; i++, opcode++)
301                 put_unaligned_le16(mgmt_commands[i], opcode);
302
303         for (i = 0; i < num_events; i++, opcode++)
304                 put_unaligned_le16(mgmt_events[i], opcode);
305
306         err = cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_COMMANDS, 0, rp,
307                            rp_size);
308         kfree(rp);
309
310         return err;
311 }
312
313 static int read_index_list(struct sock *sk, struct hci_dev *hdev, void *data,
314                            u16 data_len)
315 {
316         struct mgmt_rp_read_index_list *rp;
317         struct hci_dev *d;
318         size_t rp_len;
319         u16 count;
320         int err;
321
322         BT_DBG("sock %p", sk);
323
324         read_lock(&hci_dev_list_lock);
325
326         count = 0;
327         list_for_each_entry(d, &hci_dev_list, list) {
328                 if (d->dev_type == HCI_BREDR)
329                         count++;
330         }
331
332         rp_len = sizeof(*rp) + (2 * count);
333         rp = kmalloc(rp_len, GFP_ATOMIC);
334         if (!rp) {
335                 read_unlock(&hci_dev_list_lock);
336                 return -ENOMEM;
337         }
338
339         count = 0;
340         list_for_each_entry(d, &hci_dev_list, list) {
341                 if (test_bit(HCI_SETUP, &d->dev_flags))
342                         continue;
343
344                 if (test_bit(HCI_USER_CHANNEL, &d->dev_flags))
345                         continue;
346
347                 if (d->dev_type == HCI_BREDR) {
348                         rp->index[count++] = cpu_to_le16(d->id);
349                         BT_DBG("Added hci%u", d->id);
350                 }
351         }
352
353         rp->num_controllers = cpu_to_le16(count);
354         rp_len = sizeof(*rp) + (2 * count);
355
356         read_unlock(&hci_dev_list_lock);
357
358         err = cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_INDEX_LIST, 0, rp,
359                            rp_len);
360
361         kfree(rp);
362
363         return err;
364 }
365
366 static u32 get_supported_settings(struct hci_dev *hdev)
367 {
368         u32 settings = 0;
369
370         settings |= MGMT_SETTING_POWERED;
371         settings |= MGMT_SETTING_PAIRABLE;
372         settings |= MGMT_SETTING_DEBUG_KEYS;
373
374         if (lmp_bredr_capable(hdev)) {
375                 settings |= MGMT_SETTING_CONNECTABLE;
376                 if (hdev->hci_ver >= BLUETOOTH_VER_1_2)
377                         settings |= MGMT_SETTING_FAST_CONNECTABLE;
378                 settings |= MGMT_SETTING_DISCOVERABLE;
379                 settings |= MGMT_SETTING_BREDR;
380                 settings |= MGMT_SETTING_LINK_SECURITY;
381
382                 if (lmp_ssp_capable(hdev)) {
383                         settings |= MGMT_SETTING_SSP;
384                         settings |= MGMT_SETTING_HS;
385                 }
386
387                 if (lmp_sc_capable(hdev) ||
388                     test_bit(HCI_FORCE_SC, &hdev->dev_flags))
389                         settings |= MGMT_SETTING_SECURE_CONN;
390         }
391
392         if (lmp_le_capable(hdev)) {
393                 settings |= MGMT_SETTING_LE;
394                 settings |= MGMT_SETTING_ADVERTISING;
395                 settings |= MGMT_SETTING_PRIVACY;
396         }
397
398         return settings;
399 }
400
401 static u32 get_current_settings(struct hci_dev *hdev)
402 {
403         u32 settings = 0;
404
405         if (hdev_is_powered(hdev))
406                 settings |= MGMT_SETTING_POWERED;
407
408         if (test_bit(HCI_CONNECTABLE, &hdev->dev_flags))
409                 settings |= MGMT_SETTING_CONNECTABLE;
410
411         if (test_bit(HCI_FAST_CONNECTABLE, &hdev->dev_flags))
412                 settings |= MGMT_SETTING_FAST_CONNECTABLE;
413
414         if (test_bit(HCI_DISCOVERABLE, &hdev->dev_flags))
415                 settings |= MGMT_SETTING_DISCOVERABLE;
416
417         if (test_bit(HCI_PAIRABLE, &hdev->dev_flags))
418                 settings |= MGMT_SETTING_PAIRABLE;
419
420         if (test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags))
421                 settings |= MGMT_SETTING_BREDR;
422
423         if (test_bit(HCI_LE_ENABLED, &hdev->dev_flags))
424                 settings |= MGMT_SETTING_LE;
425
426         if (test_bit(HCI_LINK_SECURITY, &hdev->dev_flags))
427                 settings |= MGMT_SETTING_LINK_SECURITY;
428
429         if (test_bit(HCI_SSP_ENABLED, &hdev->dev_flags))
430                 settings |= MGMT_SETTING_SSP;
431
432         if (test_bit(HCI_HS_ENABLED, &hdev->dev_flags))
433                 settings |= MGMT_SETTING_HS;
434
435         if (test_bit(HCI_ADVERTISING, &hdev->dev_flags))
436                 settings |= MGMT_SETTING_ADVERTISING;
437
438         if (test_bit(HCI_SC_ENABLED, &hdev->dev_flags))
439                 settings |= MGMT_SETTING_SECURE_CONN;
440
441         if (test_bit(HCI_DEBUG_KEYS, &hdev->dev_flags))
442                 settings |= MGMT_SETTING_DEBUG_KEYS;
443
444         if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
445                 settings |= MGMT_SETTING_PRIVACY;
446
447         return settings;
448 }
449
450 #define PNP_INFO_SVCLASS_ID             0x1200
451
452 static u8 *create_uuid16_list(struct hci_dev *hdev, u8 *data, ptrdiff_t len)
453 {
454         u8 *ptr = data, *uuids_start = NULL;
455         struct bt_uuid *uuid;
456
457         if (len < 4)
458                 return ptr;
459
460         list_for_each_entry(uuid, &hdev->uuids, list) {
461                 u16 uuid16;
462
463                 if (uuid->size != 16)
464                         continue;
465
466                 uuid16 = get_unaligned_le16(&uuid->uuid[12]);
467                 if (uuid16 < 0x1100)
468                         continue;
469
470                 if (uuid16 == PNP_INFO_SVCLASS_ID)
471                         continue;
472
473                 if (!uuids_start) {
474                         uuids_start = ptr;
475                         uuids_start[0] = 1;
476                         uuids_start[1] = EIR_UUID16_ALL;
477                         ptr += 2;
478                 }
479
480                 /* Stop if not enough space to put next UUID */
481                 if ((ptr - data) + sizeof(u16) > len) {
482                         uuids_start[1] = EIR_UUID16_SOME;
483                         break;
484                 }
485
486                 *ptr++ = (uuid16 & 0x00ff);
487                 *ptr++ = (uuid16 & 0xff00) >> 8;
488                 uuids_start[0] += sizeof(uuid16);
489         }
490
491         return ptr;
492 }
493
494 static u8 *create_uuid32_list(struct hci_dev *hdev, u8 *data, ptrdiff_t len)
495 {
496         u8 *ptr = data, *uuids_start = NULL;
497         struct bt_uuid *uuid;
498
499         if (len < 6)
500                 return ptr;
501
502         list_for_each_entry(uuid, &hdev->uuids, list) {
503                 if (uuid->size != 32)
504                         continue;
505
506                 if (!uuids_start) {
507                         uuids_start = ptr;
508                         uuids_start[0] = 1;
509                         uuids_start[1] = EIR_UUID32_ALL;
510                         ptr += 2;
511                 }
512
513                 /* Stop if not enough space to put next UUID */
514                 if ((ptr - data) + sizeof(u32) > len) {
515                         uuids_start[1] = EIR_UUID32_SOME;
516                         break;
517                 }
518
519                 memcpy(ptr, &uuid->uuid[12], sizeof(u32));
520                 ptr += sizeof(u32);
521                 uuids_start[0] += sizeof(u32);
522         }
523
524         return ptr;
525 }
526
527 static u8 *create_uuid128_list(struct hci_dev *hdev, u8 *data, ptrdiff_t len)
528 {
529         u8 *ptr = data, *uuids_start = NULL;
530         struct bt_uuid *uuid;
531
532         if (len < 18)
533                 return ptr;
534
535         list_for_each_entry(uuid, &hdev->uuids, list) {
536                 if (uuid->size != 128)
537                         continue;
538
539                 if (!uuids_start) {
540                         uuids_start = ptr;
541                         uuids_start[0] = 1;
542                         uuids_start[1] = EIR_UUID128_ALL;
543                         ptr += 2;
544                 }
545
546                 /* Stop if not enough space to put next UUID */
547                 if ((ptr - data) + 16 > len) {
548                         uuids_start[1] = EIR_UUID128_SOME;
549                         break;
550                 }
551
552                 memcpy(ptr, uuid->uuid, 16);
553                 ptr += 16;
554                 uuids_start[0] += 16;
555         }
556
557         return ptr;
558 }
559
560 static struct pending_cmd *mgmt_pending_find(u16 opcode, struct hci_dev *hdev)
561 {
562         struct pending_cmd *cmd;
563
564         list_for_each_entry(cmd, &hdev->mgmt_pending, list) {
565                 if (cmd->opcode == opcode)
566                         return cmd;
567         }
568
569         return NULL;
570 }
571
572 static u8 create_scan_rsp_data(struct hci_dev *hdev, u8 *ptr)
573 {
574         u8 ad_len = 0;
575         size_t name_len;
576
577         name_len = strlen(hdev->dev_name);
578         if (name_len > 0) {
579                 size_t max_len = HCI_MAX_AD_LENGTH - ad_len - 2;
580
581                 if (name_len > max_len) {
582                         name_len = max_len;
583                         ptr[1] = EIR_NAME_SHORT;
584                 } else
585                         ptr[1] = EIR_NAME_COMPLETE;
586
587                 ptr[0] = name_len + 1;
588
589                 memcpy(ptr + 2, hdev->dev_name, name_len);
590
591                 ad_len += (name_len + 2);
592                 ptr += (name_len + 2);
593         }
594
595         return ad_len;
596 }
597
598 static void update_scan_rsp_data(struct hci_request *req)
599 {
600         struct hci_dev *hdev = req->hdev;
601         struct hci_cp_le_set_scan_rsp_data cp;
602         u8 len;
603
604         if (!test_bit(HCI_LE_ENABLED, &hdev->dev_flags))
605                 return;
606
607         memset(&cp, 0, sizeof(cp));
608
609         len = create_scan_rsp_data(hdev, cp.data);
610
611         if (hdev->scan_rsp_data_len == len &&
612             memcmp(cp.data, hdev->scan_rsp_data, len) == 0)
613                 return;
614
615         memcpy(hdev->scan_rsp_data, cp.data, sizeof(cp.data));
616         hdev->scan_rsp_data_len = len;
617
618         cp.length = len;
619
620         hci_req_add(req, HCI_OP_LE_SET_SCAN_RSP_DATA, sizeof(cp), &cp);
621 }
622
623 static u8 get_adv_discov_flags(struct hci_dev *hdev)
624 {
625         struct pending_cmd *cmd;
626
627         /* If there's a pending mgmt command the flags will not yet have
628          * their final values, so check for this first.
629          */
630         cmd = mgmt_pending_find(MGMT_OP_SET_DISCOVERABLE, hdev);
631         if (cmd) {
632                 struct mgmt_mode *cp = cmd->param;
633                 if (cp->val == 0x01)
634                         return LE_AD_GENERAL;
635                 else if (cp->val == 0x02)
636                         return LE_AD_LIMITED;
637         } else {
638                 if (test_bit(HCI_LIMITED_DISCOVERABLE, &hdev->dev_flags))
639                         return LE_AD_LIMITED;
640                 else if (test_bit(HCI_DISCOVERABLE, &hdev->dev_flags))
641                         return LE_AD_GENERAL;
642         }
643
644         return 0;
645 }
646
647 static u8 create_adv_data(struct hci_dev *hdev, u8 *ptr)
648 {
649         u8 ad_len = 0, flags = 0;
650
651         flags |= get_adv_discov_flags(hdev);
652
653         if (!test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags))
654                 flags |= LE_AD_NO_BREDR;
655
656         if (flags) {
657                 BT_DBG("adv flags 0x%02x", flags);
658
659                 ptr[0] = 2;
660                 ptr[1] = EIR_FLAGS;
661                 ptr[2] = flags;
662
663                 ad_len += 3;
664                 ptr += 3;
665         }
666
667         if (hdev->adv_tx_power != HCI_TX_POWER_INVALID) {
668                 ptr[0] = 2;
669                 ptr[1] = EIR_TX_POWER;
670                 ptr[2] = (u8) hdev->adv_tx_power;
671
672                 ad_len += 3;
673                 ptr += 3;
674         }
675
676         return ad_len;
677 }
678
679 static void update_adv_data(struct hci_request *req)
680 {
681         struct hci_dev *hdev = req->hdev;
682         struct hci_cp_le_set_adv_data cp;
683         u8 len;
684
685         if (!test_bit(HCI_LE_ENABLED, &hdev->dev_flags))
686                 return;
687
688         memset(&cp, 0, sizeof(cp));
689
690         len = create_adv_data(hdev, cp.data);
691
692         if (hdev->adv_data_len == len &&
693             memcmp(cp.data, hdev->adv_data, len) == 0)
694                 return;
695
696         memcpy(hdev->adv_data, cp.data, sizeof(cp.data));
697         hdev->adv_data_len = len;
698
699         cp.length = len;
700
701         hci_req_add(req, HCI_OP_LE_SET_ADV_DATA, sizeof(cp), &cp);
702 }
703
704 static void create_eir(struct hci_dev *hdev, u8 *data)
705 {
706         u8 *ptr = data;
707         size_t name_len;
708
709         name_len = strlen(hdev->dev_name);
710
711         if (name_len > 0) {
712                 /* EIR Data type */
713                 if (name_len > 48) {
714                         name_len = 48;
715                         ptr[1] = EIR_NAME_SHORT;
716                 } else
717                         ptr[1] = EIR_NAME_COMPLETE;
718
719                 /* EIR Data length */
720                 ptr[0] = name_len + 1;
721
722                 memcpy(ptr + 2, hdev->dev_name, name_len);
723
724                 ptr += (name_len + 2);
725         }
726
727         if (hdev->inq_tx_power != HCI_TX_POWER_INVALID) {
728                 ptr[0] = 2;
729                 ptr[1] = EIR_TX_POWER;
730                 ptr[2] = (u8) hdev->inq_tx_power;
731
732                 ptr += 3;
733         }
734
735         if (hdev->devid_source > 0) {
736                 ptr[0] = 9;
737                 ptr[1] = EIR_DEVICE_ID;
738
739                 put_unaligned_le16(hdev->devid_source, ptr + 2);
740                 put_unaligned_le16(hdev->devid_vendor, ptr + 4);
741                 put_unaligned_le16(hdev->devid_product, ptr + 6);
742                 put_unaligned_le16(hdev->devid_version, ptr + 8);
743
744                 ptr += 10;
745         }
746
747         ptr = create_uuid16_list(hdev, ptr, HCI_MAX_EIR_LENGTH - (ptr - data));
748         ptr = create_uuid32_list(hdev, ptr, HCI_MAX_EIR_LENGTH - (ptr - data));
749         ptr = create_uuid128_list(hdev, ptr, HCI_MAX_EIR_LENGTH - (ptr - data));
750 }
751
752 static void update_eir(struct hci_request *req)
753 {
754         struct hci_dev *hdev = req->hdev;
755         struct hci_cp_write_eir cp;
756
757         if (!hdev_is_powered(hdev))
758                 return;
759
760         if (!lmp_ext_inq_capable(hdev))
761                 return;
762
763         if (!test_bit(HCI_SSP_ENABLED, &hdev->dev_flags))
764                 return;
765
766         if (test_bit(HCI_SERVICE_CACHE, &hdev->dev_flags))
767                 return;
768
769         memset(&cp, 0, sizeof(cp));
770
771         create_eir(hdev, cp.data);
772
773         if (memcmp(cp.data, hdev->eir, sizeof(cp.data)) == 0)
774                 return;
775
776         memcpy(hdev->eir, cp.data, sizeof(cp.data));
777
778         hci_req_add(req, HCI_OP_WRITE_EIR, sizeof(cp), &cp);
779 }
780
781 static u8 get_service_classes(struct hci_dev *hdev)
782 {
783         struct bt_uuid *uuid;
784         u8 val = 0;
785
786         list_for_each_entry(uuid, &hdev->uuids, list)
787                 val |= uuid->svc_hint;
788
789         return val;
790 }
791
792 static void update_class(struct hci_request *req)
793 {
794         struct hci_dev *hdev = req->hdev;
795         u8 cod[3];
796
797         BT_DBG("%s", hdev->name);
798
799         if (!hdev_is_powered(hdev))
800                 return;
801
802         if (!test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags))
803                 return;
804
805         if (test_bit(HCI_SERVICE_CACHE, &hdev->dev_flags))
806                 return;
807
808         cod[0] = hdev->minor_class;
809         cod[1] = hdev->major_class;
810         cod[2] = get_service_classes(hdev);
811
812         if (test_bit(HCI_LIMITED_DISCOVERABLE, &hdev->dev_flags))
813                 cod[1] |= 0x20;
814
815         if (memcmp(cod, hdev->dev_class, 3) == 0)
816                 return;
817
818         hci_req_add(req, HCI_OP_WRITE_CLASS_OF_DEV, sizeof(cod), cod);
819 }
820
821 static bool get_connectable(struct hci_dev *hdev)
822 {
823         struct pending_cmd *cmd;
824
825         /* If there's a pending mgmt command the flag will not yet have
826          * it's final value, so check for this first.
827          */
828         cmd = mgmt_pending_find(MGMT_OP_SET_CONNECTABLE, hdev);
829         if (cmd) {
830                 struct mgmt_mode *cp = cmd->param;
831                 return cp->val;
832         }
833
834         return test_bit(HCI_CONNECTABLE, &hdev->dev_flags);
835 }
836
837 static void enable_advertising(struct hci_request *req)
838 {
839         struct hci_dev *hdev = req->hdev;
840         struct hci_cp_le_set_adv_param cp;
841         u8 own_addr_type, enable = 0x01;
842         bool connectable;
843
844         /* Clear the HCI_ADVERTISING bit temporarily so that the
845          * hci_update_random_address knows that it's safe to go ahead
846          * and write a new random address. The flag will be set back on
847          * as soon as the SET_ADV_ENABLE HCI command completes.
848          */
849         clear_bit(HCI_ADVERTISING, &hdev->dev_flags);
850
851         connectable = get_connectable(hdev);
852
853         /* Set require_privacy to true only when non-connectable
854          * advertising is used. In that case it is fine to use a
855          * non-resolvable private address.
856          */
857         if (hci_update_random_address(req, !connectable, &own_addr_type) < 0)
858                 return;
859
860         memset(&cp, 0, sizeof(cp));
861         cp.min_interval = cpu_to_le16(0x0800);
862         cp.max_interval = cpu_to_le16(0x0800);
863         cp.type = connectable ? LE_ADV_IND : LE_ADV_NONCONN_IND;
864         cp.own_address_type = own_addr_type;
865         cp.channel_map = hdev->le_adv_channel_map;
866
867         hci_req_add(req, HCI_OP_LE_SET_ADV_PARAM, sizeof(cp), &cp);
868
869         hci_req_add(req, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable), &enable);
870 }
871
872 static void disable_advertising(struct hci_request *req)
873 {
874         u8 enable = 0x00;
875
876         hci_req_add(req, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable), &enable);
877 }
878
879 static void service_cache_off(struct work_struct *work)
880 {
881         struct hci_dev *hdev = container_of(work, struct hci_dev,
882                                             service_cache.work);
883         struct hci_request req;
884
885         if (!test_and_clear_bit(HCI_SERVICE_CACHE, &hdev->dev_flags))
886                 return;
887
888         hci_req_init(&req, hdev);
889
890         hci_dev_lock(hdev);
891
892         update_eir(&req);
893         update_class(&req);
894
895         hci_dev_unlock(hdev);
896
897         hci_req_run(&req, NULL);
898 }
899
900 static void rpa_expired(struct work_struct *work)
901 {
902         struct hci_dev *hdev = container_of(work, struct hci_dev,
903                                             rpa_expired.work);
904         struct hci_request req;
905
906         BT_DBG("");
907
908         set_bit(HCI_RPA_EXPIRED, &hdev->dev_flags);
909
910         if (!test_bit(HCI_ADVERTISING, &hdev->dev_flags) ||
911             hci_conn_num(hdev, LE_LINK) > 0)
912                 return;
913
914         /* The generation of a new RPA and programming it into the
915          * controller happens in the enable_advertising() function.
916          */
917
918         hci_req_init(&req, hdev);
919
920         disable_advertising(&req);
921         enable_advertising(&req);
922
923         hci_req_run(&req, NULL);
924 }
925
926 static void mgmt_init_hdev(struct sock *sk, struct hci_dev *hdev)
927 {
928         if (test_and_set_bit(HCI_MGMT, &hdev->dev_flags))
929                 return;
930
931         INIT_DELAYED_WORK(&hdev->service_cache, service_cache_off);
932         INIT_DELAYED_WORK(&hdev->rpa_expired, rpa_expired);
933
934         /* Non-mgmt controlled devices get this bit set
935          * implicitly so that pairing works for them, however
936          * for mgmt we require user-space to explicitly enable
937          * it
938          */
939         clear_bit(HCI_PAIRABLE, &hdev->dev_flags);
940 }
941
942 static int read_controller_info(struct sock *sk, struct hci_dev *hdev,
943                                 void *data, u16 data_len)
944 {
945         struct mgmt_rp_read_info rp;
946
947         BT_DBG("sock %p %s", sk, hdev->name);
948
949         hci_dev_lock(hdev);
950
951         memset(&rp, 0, sizeof(rp));
952
953         bacpy(&rp.bdaddr, &hdev->bdaddr);
954
955         rp.version = hdev->hci_ver;
956         rp.manufacturer = cpu_to_le16(hdev->manufacturer);
957
958         rp.supported_settings = cpu_to_le32(get_supported_settings(hdev));
959         rp.current_settings = cpu_to_le32(get_current_settings(hdev));
960
961         memcpy(rp.dev_class, hdev->dev_class, 3);
962
963         memcpy(rp.name, hdev->dev_name, sizeof(hdev->dev_name));
964         memcpy(rp.short_name, hdev->short_name, sizeof(hdev->short_name));
965
966         hci_dev_unlock(hdev);
967
968         return cmd_complete(sk, hdev->id, MGMT_OP_READ_INFO, 0, &rp,
969                             sizeof(rp));
970 }
971
972 static void mgmt_pending_free(struct pending_cmd *cmd)
973 {
974         sock_put(cmd->sk);
975         kfree(cmd->param);
976         kfree(cmd);
977 }
978
979 static struct pending_cmd *mgmt_pending_add(struct sock *sk, u16 opcode,
980                                             struct hci_dev *hdev, void *data,
981                                             u16 len)
982 {
983         struct pending_cmd *cmd;
984
985         cmd = kmalloc(sizeof(*cmd), GFP_KERNEL);
986         if (!cmd)
987                 return NULL;
988
989         cmd->opcode = opcode;
990         cmd->index = hdev->id;
991
992         cmd->param = kmalloc(len, GFP_KERNEL);
993         if (!cmd->param) {
994                 kfree(cmd);
995                 return NULL;
996         }
997
998         if (data)
999                 memcpy(cmd->param, data, len);
1000
1001         cmd->sk = sk;
1002         sock_hold(sk);
1003
1004         list_add(&cmd->list, &hdev->mgmt_pending);
1005
1006         return cmd;
1007 }
1008
1009 static void mgmt_pending_foreach(u16 opcode, struct hci_dev *hdev,
1010                                  void (*cb)(struct pending_cmd *cmd,
1011                                             void *data),
1012                                  void *data)
1013 {
1014         struct pending_cmd *cmd, *tmp;
1015
1016         list_for_each_entry_safe(cmd, tmp, &hdev->mgmt_pending, list) {
1017                 if (opcode > 0 && cmd->opcode != opcode)
1018                         continue;
1019
1020                 cb(cmd, data);
1021         }
1022 }
1023
1024 static void mgmt_pending_remove(struct pending_cmd *cmd)
1025 {
1026         list_del(&cmd->list);
1027         mgmt_pending_free(cmd);
1028 }
1029
1030 static int send_settings_rsp(struct sock *sk, u16 opcode, struct hci_dev *hdev)
1031 {
1032         __le32 settings = cpu_to_le32(get_current_settings(hdev));
1033
1034         return cmd_complete(sk, hdev->id, opcode, 0, &settings,
1035                             sizeof(settings));
1036 }
1037
1038 static void clean_up_hci_complete(struct hci_dev *hdev, u8 status)
1039 {
1040         BT_DBG("%s status 0x%02x", hdev->name, status);
1041
1042         if (hci_conn_count(hdev) == 0) {
1043                 cancel_delayed_work(&hdev->power_off);
1044                 queue_work(hdev->req_workqueue, &hdev->power_off.work);
1045         }
1046 }
1047
1048 static int clean_up_hci_state(struct hci_dev *hdev)
1049 {
1050         struct hci_request req;
1051         struct hci_conn *conn;
1052
1053         hci_req_init(&req, hdev);
1054
1055         if (test_bit(HCI_ISCAN, &hdev->flags) ||
1056             test_bit(HCI_PSCAN, &hdev->flags)) {
1057                 u8 scan = 0x00;
1058                 hci_req_add(&req, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
1059         }
1060
1061         if (test_bit(HCI_ADVERTISING, &hdev->dev_flags))
1062                 disable_advertising(&req);
1063
1064         if (test_bit(HCI_LE_SCAN, &hdev->dev_flags)) {
1065                 hci_req_add_le_scan_disable(&req);
1066         }
1067
1068         list_for_each_entry(conn, &hdev->conn_hash.list, list) {
1069                 struct hci_cp_disconnect dc;
1070                 struct hci_cp_reject_conn_req rej;
1071
1072                 switch (conn->state) {
1073                 case BT_CONNECTED:
1074                 case BT_CONFIG:
1075                         dc.handle = cpu_to_le16(conn->handle);
1076                         dc.reason = 0x15; /* Terminated due to Power Off */
1077                         hci_req_add(&req, HCI_OP_DISCONNECT, sizeof(dc), &dc);
1078                         break;
1079                 case BT_CONNECT:
1080                         if (conn->type == LE_LINK)
1081                                 hci_req_add(&req, HCI_OP_LE_CREATE_CONN_CANCEL,
1082                                             0, NULL);
1083                         else if (conn->type == ACL_LINK)
1084                                 hci_req_add(&req, HCI_OP_CREATE_CONN_CANCEL,
1085                                             6, &conn->dst);
1086                         break;
1087                 case BT_CONNECT2:
1088                         bacpy(&rej.bdaddr, &conn->dst);
1089                         rej.reason = 0x15; /* Terminated due to Power Off */
1090                         if (conn->type == ACL_LINK)
1091                                 hci_req_add(&req, HCI_OP_REJECT_CONN_REQ,
1092                                             sizeof(rej), &rej);
1093                         else if (conn->type == SCO_LINK)
1094                                 hci_req_add(&req, HCI_OP_REJECT_SYNC_CONN_REQ,
1095                                             sizeof(rej), &rej);
1096                         break;
1097                 }
1098         }
1099
1100         return hci_req_run(&req, clean_up_hci_complete);
1101 }
1102
1103 static int set_powered(struct sock *sk, struct hci_dev *hdev, void *data,
1104                        u16 len)
1105 {
1106         struct mgmt_mode *cp = data;
1107         struct pending_cmd *cmd;
1108         int err;
1109
1110         BT_DBG("request for %s", hdev->name);
1111
1112         if (cp->val != 0x00 && cp->val != 0x01)
1113                 return cmd_status(sk, hdev->id, MGMT_OP_SET_POWERED,
1114                                   MGMT_STATUS_INVALID_PARAMS);
1115
1116         hci_dev_lock(hdev);
1117
1118         if (mgmt_pending_find(MGMT_OP_SET_POWERED, hdev)) {
1119                 err = cmd_status(sk, hdev->id, MGMT_OP_SET_POWERED,
1120                                  MGMT_STATUS_BUSY);
1121                 goto failed;
1122         }
1123
1124         if (test_and_clear_bit(HCI_AUTO_OFF, &hdev->dev_flags)) {
1125                 cancel_delayed_work(&hdev->power_off);
1126
1127                 if (cp->val) {
1128                         mgmt_pending_add(sk, MGMT_OP_SET_POWERED, hdev,
1129                                          data, len);
1130                         err = mgmt_powered(hdev, 1);
1131                         goto failed;
1132                 }
1133         }
1134
1135         if (!!cp->val == hdev_is_powered(hdev)) {
1136                 err = send_settings_rsp(sk, MGMT_OP_SET_POWERED, hdev);
1137                 goto failed;
1138         }
1139
1140         cmd = mgmt_pending_add(sk, MGMT_OP_SET_POWERED, hdev, data, len);
1141         if (!cmd) {
1142                 err = -ENOMEM;
1143                 goto failed;
1144         }
1145
1146         if (cp->val) {
1147                 queue_work(hdev->req_workqueue, &hdev->power_on);
1148                 err = 0;
1149         } else {
1150                 /* Disconnect connections, stop scans, etc */
1151                 err = clean_up_hci_state(hdev);
1152                 if (!err)
1153                         queue_delayed_work(hdev->req_workqueue, &hdev->power_off,
1154                                            HCI_POWER_OFF_TIMEOUT);
1155
1156                 /* ENODATA means there were no HCI commands queued */
1157                 if (err == -ENODATA) {
1158                         cancel_delayed_work(&hdev->power_off);
1159                         queue_work(hdev->req_workqueue, &hdev->power_off.work);
1160                         err = 0;
1161                 }
1162         }
1163
1164 failed:
1165         hci_dev_unlock(hdev);
1166         return err;
1167 }
1168
1169 static int mgmt_event(u16 event, struct hci_dev *hdev, void *data, u16 data_len,
1170                       struct sock *skip_sk)
1171 {
1172         struct sk_buff *skb;
1173         struct mgmt_hdr *hdr;
1174
1175         skb = alloc_skb(sizeof(*hdr) + data_len, GFP_KERNEL);
1176         if (!skb)
1177                 return -ENOMEM;
1178
1179         hdr = (void *) skb_put(skb, sizeof(*hdr));
1180         hdr->opcode = cpu_to_le16(event);
1181         if (hdev)
1182                 hdr->index = cpu_to_le16(hdev->id);
1183         else
1184                 hdr->index = cpu_to_le16(MGMT_INDEX_NONE);
1185         hdr->len = cpu_to_le16(data_len);
1186
1187         if (data)
1188                 memcpy(skb_put(skb, data_len), data, data_len);
1189
1190         /* Time stamp */
1191         __net_timestamp(skb);
1192
1193         hci_send_to_control(skb, skip_sk);
1194         kfree_skb(skb);
1195
1196         return 0;
1197 }
1198
1199 static int new_settings(struct hci_dev *hdev, struct sock *skip)
1200 {
1201         __le32 ev;
1202
1203         ev = cpu_to_le32(get_current_settings(hdev));
1204
1205         return mgmt_event(MGMT_EV_NEW_SETTINGS, hdev, &ev, sizeof(ev), skip);
1206 }
1207
1208 struct cmd_lookup {
1209         struct sock *sk;
1210         struct hci_dev *hdev;
1211         u8 mgmt_status;
1212 };
1213
1214 static void settings_rsp(struct pending_cmd *cmd, void *data)
1215 {
1216         struct cmd_lookup *match = data;
1217
1218         send_settings_rsp(cmd->sk, cmd->opcode, match->hdev);
1219
1220         list_del(&cmd->list);
1221
1222         if (match->sk == NULL) {
1223                 match->sk = cmd->sk;
1224                 sock_hold(match->sk);
1225         }
1226
1227         mgmt_pending_free(cmd);
1228 }
1229
1230 static void cmd_status_rsp(struct pending_cmd *cmd, void *data)
1231 {
1232         u8 *status = data;
1233
1234         cmd_status(cmd->sk, cmd->index, cmd->opcode, *status);
1235         mgmt_pending_remove(cmd);
1236 }
1237
1238 static u8 mgmt_bredr_support(struct hci_dev *hdev)
1239 {
1240         if (!lmp_bredr_capable(hdev))
1241                 return MGMT_STATUS_NOT_SUPPORTED;
1242         else if (!test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags))
1243                 return MGMT_STATUS_REJECTED;
1244         else
1245                 return MGMT_STATUS_SUCCESS;
1246 }
1247
1248 static u8 mgmt_le_support(struct hci_dev *hdev)
1249 {
1250         if (!lmp_le_capable(hdev))
1251                 return MGMT_STATUS_NOT_SUPPORTED;
1252         else if (!test_bit(HCI_LE_ENABLED, &hdev->dev_flags))
1253                 return MGMT_STATUS_REJECTED;
1254         else
1255                 return MGMT_STATUS_SUCCESS;
1256 }
1257
1258 static void set_discoverable_complete(struct hci_dev *hdev, u8 status)
1259 {
1260         struct pending_cmd *cmd;
1261         struct mgmt_mode *cp;
1262         struct hci_request req;
1263         bool changed;
1264
1265         BT_DBG("status 0x%02x", status);
1266
1267         hci_dev_lock(hdev);
1268
1269         cmd = mgmt_pending_find(MGMT_OP_SET_DISCOVERABLE, hdev);
1270         if (!cmd)
1271                 goto unlock;
1272
1273         if (status) {
1274                 u8 mgmt_err = mgmt_status(status);
1275                 cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
1276                 clear_bit(HCI_LIMITED_DISCOVERABLE, &hdev->dev_flags);
1277                 goto remove_cmd;
1278         }
1279
1280         cp = cmd->param;
1281         if (cp->val) {
1282                 changed = !test_and_set_bit(HCI_DISCOVERABLE,
1283                                             &hdev->dev_flags);
1284
1285                 if (hdev->discov_timeout > 0) {
1286                         int to = msecs_to_jiffies(hdev->discov_timeout * 1000);
1287                         queue_delayed_work(hdev->workqueue, &hdev->discov_off,
1288                                            to);
1289                 }
1290         } else {
1291                 changed = test_and_clear_bit(HCI_DISCOVERABLE,
1292                                              &hdev->dev_flags);
1293         }
1294
1295         send_settings_rsp(cmd->sk, MGMT_OP_SET_DISCOVERABLE, hdev);
1296
1297         if (changed)
1298                 new_settings(hdev, cmd->sk);
1299
1300         /* When the discoverable mode gets changed, make sure
1301          * that class of device has the limited discoverable
1302          * bit correctly set.
1303          */
1304         hci_req_init(&req, hdev);
1305         update_class(&req);
1306         hci_req_run(&req, NULL);
1307
1308 remove_cmd:
1309         mgmt_pending_remove(cmd);
1310
1311 unlock:
1312         hci_dev_unlock(hdev);
1313 }
1314
1315 static int set_discoverable(struct sock *sk, struct hci_dev *hdev, void *data,
1316                             u16 len)
1317 {
1318         struct mgmt_cp_set_discoverable *cp = data;
1319         struct pending_cmd *cmd;
1320         struct hci_request req;
1321         u16 timeout;
1322         u8 scan;
1323         int err;
1324
1325         BT_DBG("request for %s", hdev->name);
1326
1327         if (!test_bit(HCI_LE_ENABLED, &hdev->dev_flags) &&
1328             !test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags))
1329                 return cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1330                                   MGMT_STATUS_REJECTED);
1331
1332         if (cp->val != 0x00 && cp->val != 0x01 && cp->val != 0x02)
1333                 return cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1334                                   MGMT_STATUS_INVALID_PARAMS);
1335
1336         timeout = __le16_to_cpu(cp->timeout);
1337
1338         /* Disabling discoverable requires that no timeout is set,
1339          * and enabling limited discoverable requires a timeout.
1340          */
1341         if ((cp->val == 0x00 && timeout > 0) ||
1342             (cp->val == 0x02 && timeout == 0))
1343                 return cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1344                                   MGMT_STATUS_INVALID_PARAMS);
1345
1346         hci_dev_lock(hdev);
1347
1348         if (!hdev_is_powered(hdev) && timeout > 0) {
1349                 err = cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1350                                  MGMT_STATUS_NOT_POWERED);
1351                 goto failed;
1352         }
1353
1354         if (mgmt_pending_find(MGMT_OP_SET_DISCOVERABLE, hdev) ||
1355             mgmt_pending_find(MGMT_OP_SET_CONNECTABLE, hdev)) {
1356                 err = cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1357                                  MGMT_STATUS_BUSY);
1358                 goto failed;
1359         }
1360
1361         if (!test_bit(HCI_CONNECTABLE, &hdev->dev_flags)) {
1362                 err = cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
1363                                  MGMT_STATUS_REJECTED);
1364                 goto failed;
1365         }
1366
1367         if (!hdev_is_powered(hdev)) {
1368                 bool changed = false;
1369
1370                 /* Setting limited discoverable when powered off is
1371                  * not a valid operation since it requires a timeout
1372                  * and so no need to check HCI_LIMITED_DISCOVERABLE.
1373                  */
1374                 if (!!cp->val != test_bit(HCI_DISCOVERABLE, &hdev->dev_flags)) {
1375                         change_bit(HCI_DISCOVERABLE, &hdev->dev_flags);
1376                         changed = true;
1377                 }
1378
1379                 err = send_settings_rsp(sk, MGMT_OP_SET_DISCOVERABLE, hdev);
1380                 if (err < 0)
1381                         goto failed;
1382
1383                 if (changed)
1384                         err = new_settings(hdev, sk);
1385
1386                 goto failed;
1387         }
1388
1389         /* If the current mode is the same, then just update the timeout
1390          * value with the new value. And if only the timeout gets updated,
1391          * then no need for any HCI transactions.
1392          */
1393         if (!!cp->val == test_bit(HCI_DISCOVERABLE, &hdev->dev_flags) &&
1394             (cp->val == 0x02) == test_bit(HCI_LIMITED_DISCOVERABLE,
1395                                           &hdev->dev_flags)) {
1396                 cancel_delayed_work(&hdev->discov_off);
1397                 hdev->discov_timeout = timeout;
1398
1399                 if (cp->val && hdev->discov_timeout > 0) {
1400                         int to = msecs_to_jiffies(hdev->discov_timeout * 1000);
1401                         queue_delayed_work(hdev->workqueue, &hdev->discov_off,
1402                                            to);
1403                 }
1404
1405                 err = send_settings_rsp(sk, MGMT_OP_SET_DISCOVERABLE, hdev);
1406                 goto failed;
1407         }
1408
1409         cmd = mgmt_pending_add(sk, MGMT_OP_SET_DISCOVERABLE, hdev, data, len);
1410         if (!cmd) {
1411                 err = -ENOMEM;
1412                 goto failed;
1413         }
1414
1415         /* Cancel any potential discoverable timeout that might be
1416          * still active and store new timeout value. The arming of
1417          * the timeout happens in the complete handler.
1418          */
1419         cancel_delayed_work(&hdev->discov_off);
1420         hdev->discov_timeout = timeout;
1421
1422         /* Limited discoverable mode */
1423         if (cp->val == 0x02)
1424                 set_bit(HCI_LIMITED_DISCOVERABLE, &hdev->dev_flags);
1425         else
1426                 clear_bit(HCI_LIMITED_DISCOVERABLE, &hdev->dev_flags);
1427
1428         hci_req_init(&req, hdev);
1429
1430         /* The procedure for LE-only controllers is much simpler - just
1431          * update the advertising data.
1432          */
1433         if (!test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags))
1434                 goto update_ad;
1435
1436         scan = SCAN_PAGE;
1437
1438         if (cp->val) {
1439                 struct hci_cp_write_current_iac_lap hci_cp;
1440
1441                 if (cp->val == 0x02) {
1442                         /* Limited discoverable mode */
1443                         hci_cp.num_iac = min_t(u8, hdev->num_iac, 2);
1444                         hci_cp.iac_lap[0] = 0x00;       /* LIAC */
1445                         hci_cp.iac_lap[1] = 0x8b;
1446                         hci_cp.iac_lap[2] = 0x9e;
1447                         hci_cp.iac_lap[3] = 0x33;       /* GIAC */
1448                         hci_cp.iac_lap[4] = 0x8b;
1449                         hci_cp.iac_lap[5] = 0x9e;
1450                 } else {
1451                         /* General discoverable mode */
1452                         hci_cp.num_iac = 1;
1453                         hci_cp.iac_lap[0] = 0x33;       /* GIAC */
1454                         hci_cp.iac_lap[1] = 0x8b;
1455                         hci_cp.iac_lap[2] = 0x9e;
1456                 }
1457
1458                 hci_req_add(&req, HCI_OP_WRITE_CURRENT_IAC_LAP,
1459                             (hci_cp.num_iac * 3) + 1, &hci_cp);
1460
1461                 scan |= SCAN_INQUIRY;
1462         } else {
1463                 clear_bit(HCI_LIMITED_DISCOVERABLE, &hdev->dev_flags);
1464         }
1465
1466         hci_req_add(&req, HCI_OP_WRITE_SCAN_ENABLE, sizeof(scan), &scan);
1467
1468 update_ad:
1469         update_adv_data(&req);
1470
1471         err = hci_req_run(&req, set_discoverable_complete);
1472         if (err < 0)
1473                 mgmt_pending_remove(cmd);
1474
1475 failed:
1476         hci_dev_unlock(hdev);
1477         return err;
1478 }
1479
1480 static void write_fast_connectable(struct hci_request *req, bool enable)
1481 {
1482         struct hci_dev *hdev = req->hdev;
1483         struct hci_cp_write_page_scan_activity acp;
1484         u8 type;
1485
1486         if (!test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags))
1487                 return;
1488
1489         if (hdev->hci_ver < BLUETOOTH_VER_1_2)
1490                 return;
1491
1492         if (enable) {
1493                 type = PAGE_SCAN_TYPE_INTERLACED;
1494
1495                 /* 160 msec page scan interval */
1496                 acp.interval = cpu_to_le16(0x0100);
1497         } else {
1498                 type = PAGE_SCAN_TYPE_STANDARD; /* default */
1499
1500                 /* default 1.28 sec page scan */
1501                 acp.interval = cpu_to_le16(0x0800);
1502         }
1503
1504         acp.window = cpu_to_le16(0x0012);
1505
1506         if (__cpu_to_le16(hdev->page_scan_interval) != acp.interval ||
1507             __cpu_to_le16(hdev->page_scan_window) != acp.window)
1508                 hci_req_add(req, HCI_OP_WRITE_PAGE_SCAN_ACTIVITY,
1509                             sizeof(acp), &acp);
1510
1511         if (hdev->page_scan_type != type)
1512                 hci_req_add(req, HCI_OP_WRITE_PAGE_SCAN_TYPE, 1, &type);
1513 }
1514
1515 static void set_connectable_complete(struct hci_dev *hdev, u8 status)
1516 {
1517         struct pending_cmd *cmd;
1518         struct mgmt_mode *cp;
1519         bool changed;
1520
1521         BT_DBG("status 0x%02x", status);
1522
1523         hci_dev_lock(hdev);
1524
1525         cmd = mgmt_pending_find(MGMT_OP_SET_CONNECTABLE, hdev);
1526         if (!cmd)
1527                 goto unlock;
1528
1529         if (status) {
1530                 u8 mgmt_err = mgmt_status(status);
1531                 cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
1532                 goto remove_cmd;
1533         }
1534
1535         cp = cmd->param;
1536         if (cp->val)
1537                 changed = !test_and_set_bit(HCI_CONNECTABLE, &hdev->dev_flags);
1538         else
1539                 changed = test_and_clear_bit(HCI_CONNECTABLE, &hdev->dev_flags);
1540
1541         send_settings_rsp(cmd->sk, MGMT_OP_SET_CONNECTABLE, hdev);
1542
1543         if (changed)
1544                 new_settings(hdev, cmd->sk);
1545
1546 remove_cmd:
1547         mgmt_pending_remove(cmd);
1548
1549 unlock:
1550         hci_dev_unlock(hdev);
1551 }
1552
1553 static int set_connectable_update_settings(struct hci_dev *hdev,
1554                                            struct sock *sk, u8 val)
1555 {
1556         bool changed = false;
1557         int err;
1558
1559         if (!!val != test_bit(HCI_CONNECTABLE, &hdev->dev_flags))
1560                 changed = true;
1561
1562         if (val) {
1563                 set_bit(HCI_CONNECTABLE, &hdev->dev_flags);
1564         } else {
1565                 clear_bit(HCI_CONNECTABLE, &hdev->dev_flags);
1566                 clear_bit(HCI_DISCOVERABLE, &hdev->dev_flags);
1567         }
1568
1569         err = send_settings_rsp(sk, MGMT_OP_SET_CONNECTABLE, hdev);
1570         if (err < 0)
1571                 return err;
1572
1573         if (changed)
1574                 return new_settings(hdev, sk);
1575
1576         return 0;
1577 }
1578
1579 static int set_connectable(struct sock *sk, struct hci_dev *hdev, void *data,
1580                            u16 len)
1581 {
1582         struct mgmt_mode *cp = data;
1583         struct pending_cmd *cmd;
1584         struct hci_request req;
1585         u8 scan;
1586         int err;
1587
1588         BT_DBG("request for %s", hdev->name);
1589
1590         if (!test_bit(HCI_LE_ENABLED, &hdev->dev_flags) &&
1591             !test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags))
1592                 return cmd_status(sk, hdev->id, MGMT_OP_SET_CONNECTABLE,
1593                                   MGMT_STATUS_REJECTED);
1594
1595         if (cp->val != 0x00 && cp->val != 0x01)
1596                 return cmd_status(sk, hdev->id, MGMT_OP_SET_CONNECTABLE,
1597                                   MGMT_STATUS_INVALID_PARAMS);
1598
1599         hci_dev_lock(hdev);
1600
1601         if (!hdev_is_powered(hdev)) {
1602                 err = set_connectable_update_settings(hdev, sk, cp->val);
1603                 goto failed;
1604         }
1605
1606         if (mgmt_pending_find(MGMT_OP_SET_DISCOVERABLE, hdev) ||
1607             mgmt_pending_find(MGMT_OP_SET_CONNECTABLE, hdev)) {
1608                 err = cmd_status(sk, hdev->id, MGMT_OP_SET_CONNECTABLE,
1609                                  MGMT_STATUS_BUSY);
1610                 goto failed;
1611         }
1612
1613         cmd = mgmt_pending_add(sk, MGMT_OP_SET_CONNECTABLE, hdev, data, len);
1614         if (!cmd) {
1615                 err = -ENOMEM;
1616                 goto failed;
1617         }
1618
1619         hci_req_init(&req, hdev);
1620
1621         /* If BR/EDR is not enabled and we disable advertising as a
1622          * by-product of disabling connectable, we need to update the
1623          * advertising flags.
1624          */
1625         if (!test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags)) {
1626                 if (!cp->val) {
1627                         clear_bit(HCI_LIMITED_DISCOVERABLE, &hdev->dev_flags);
1628                         clear_bit(HCI_DISCOVERABLE, &hdev->dev_flags);
1629                 }
1630                 update_adv_data(&req);
1631         } else if (cp->val != test_bit(HCI_PSCAN, &hdev->flags)) {
1632                 if (cp->val) {
1633                         scan = SCAN_PAGE;
1634                 } else {
1635                         scan = 0;
1636
1637                         if (test_bit(HCI_ISCAN, &hdev->flags) &&
1638                             hdev->discov_timeout > 0)
1639                                 cancel_delayed_work(&hdev->discov_off);
1640                 }
1641
1642                 hci_req_add(&req, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
1643         }
1644
1645         /* If we're going from non-connectable to connectable or
1646          * vice-versa when fast connectable is enabled ensure that fast
1647          * connectable gets disabled. write_fast_connectable won't do
1648          * anything if the page scan parameters are already what they
1649          * should be.
1650          */
1651         if (cp->val || test_bit(HCI_FAST_CONNECTABLE, &hdev->dev_flags))
1652                 write_fast_connectable(&req, false);
1653
1654         if (test_bit(HCI_ADVERTISING, &hdev->dev_flags) &&
1655             hci_conn_num(hdev, LE_LINK) == 0) {
1656                 disable_advertising(&req);
1657                 enable_advertising(&req);
1658         }
1659
1660         err = hci_req_run(&req, set_connectable_complete);
1661         if (err < 0) {
1662                 mgmt_pending_remove(cmd);
1663                 if (err == -ENODATA)
1664                         err = set_connectable_update_settings(hdev, sk,
1665                                                               cp->val);
1666                 goto failed;
1667         }
1668
1669 failed:
1670         hci_dev_unlock(hdev);
1671         return err;
1672 }
1673
1674 static int set_pairable(struct sock *sk, struct hci_dev *hdev, void *data,
1675                         u16 len)
1676 {
1677         struct mgmt_mode *cp = data;
1678         bool changed;
1679         int err;
1680
1681         BT_DBG("request for %s", hdev->name);
1682
1683         if (cp->val != 0x00 && cp->val != 0x01)
1684                 return cmd_status(sk, hdev->id, MGMT_OP_SET_PAIRABLE,
1685                                   MGMT_STATUS_INVALID_PARAMS);
1686
1687         hci_dev_lock(hdev);
1688
1689         if (cp->val)
1690                 changed = !test_and_set_bit(HCI_PAIRABLE, &hdev->dev_flags);
1691         else
1692                 changed = test_and_clear_bit(HCI_PAIRABLE, &hdev->dev_flags);
1693
1694         err = send_settings_rsp(sk, MGMT_OP_SET_PAIRABLE, hdev);
1695         if (err < 0)
1696                 goto unlock;
1697
1698         if (changed)
1699                 err = new_settings(hdev, sk);
1700
1701 unlock:
1702         hci_dev_unlock(hdev);
1703         return err;
1704 }
1705
1706 static int set_link_security(struct sock *sk, struct hci_dev *hdev, void *data,
1707                              u16 len)
1708 {
1709         struct mgmt_mode *cp = data;
1710         struct pending_cmd *cmd;
1711         u8 val, status;
1712         int err;
1713
1714         BT_DBG("request for %s", hdev->name);
1715
1716         status = mgmt_bredr_support(hdev);
1717         if (status)
1718                 return cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY,
1719                                   status);
1720
1721         if (cp->val != 0x00 && cp->val != 0x01)
1722                 return cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY,
1723                                   MGMT_STATUS_INVALID_PARAMS);
1724
1725         hci_dev_lock(hdev);
1726
1727         if (!hdev_is_powered(hdev)) {
1728                 bool changed = false;
1729
1730                 if (!!cp->val != test_bit(HCI_LINK_SECURITY,
1731                                           &hdev->dev_flags)) {
1732                         change_bit(HCI_LINK_SECURITY, &hdev->dev_flags);
1733                         changed = true;
1734                 }
1735
1736                 err = send_settings_rsp(sk, MGMT_OP_SET_LINK_SECURITY, hdev);
1737                 if (err < 0)
1738                         goto failed;
1739
1740                 if (changed)
1741                         err = new_settings(hdev, sk);
1742
1743                 goto failed;
1744         }
1745
1746         if (mgmt_pending_find(MGMT_OP_SET_LINK_SECURITY, hdev)) {
1747                 err = cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY,
1748                                  MGMT_STATUS_BUSY);
1749                 goto failed;
1750         }
1751
1752         val = !!cp->val;
1753
1754         if (test_bit(HCI_AUTH, &hdev->flags) == val) {
1755                 err = send_settings_rsp(sk, MGMT_OP_SET_LINK_SECURITY, hdev);
1756                 goto failed;
1757         }
1758
1759         cmd = mgmt_pending_add(sk, MGMT_OP_SET_LINK_SECURITY, hdev, data, len);
1760         if (!cmd) {
1761                 err = -ENOMEM;
1762                 goto failed;
1763         }
1764
1765         err = hci_send_cmd(hdev, HCI_OP_WRITE_AUTH_ENABLE, sizeof(val), &val);
1766         if (err < 0) {
1767                 mgmt_pending_remove(cmd);
1768                 goto failed;
1769         }
1770
1771 failed:
1772         hci_dev_unlock(hdev);
1773         return err;
1774 }
1775
1776 static int set_ssp(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
1777 {
1778         struct mgmt_mode *cp = data;
1779         struct pending_cmd *cmd;
1780         u8 status;
1781         int err;
1782
1783         BT_DBG("request for %s", hdev->name);
1784
1785         status = mgmt_bredr_support(hdev);
1786         if (status)
1787                 return cmd_status(sk, hdev->id, MGMT_OP_SET_SSP, status);
1788
1789         if (!lmp_ssp_capable(hdev))
1790                 return cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
1791                                   MGMT_STATUS_NOT_SUPPORTED);
1792
1793         if (cp->val != 0x00 && cp->val != 0x01)
1794                 return cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
1795                                   MGMT_STATUS_INVALID_PARAMS);
1796
1797         hci_dev_lock(hdev);
1798
1799         if (!hdev_is_powered(hdev)) {
1800                 bool changed;
1801
1802                 if (cp->val) {
1803                         changed = !test_and_set_bit(HCI_SSP_ENABLED,
1804                                                     &hdev->dev_flags);
1805                 } else {
1806                         changed = test_and_clear_bit(HCI_SSP_ENABLED,
1807                                                      &hdev->dev_flags);
1808                         if (!changed)
1809                                 changed = test_and_clear_bit(HCI_HS_ENABLED,
1810                                                              &hdev->dev_flags);
1811                         else
1812                                 clear_bit(HCI_HS_ENABLED, &hdev->dev_flags);
1813                 }
1814
1815                 err = send_settings_rsp(sk, MGMT_OP_SET_SSP, hdev);
1816                 if (err < 0)
1817                         goto failed;
1818
1819                 if (changed)
1820                         err = new_settings(hdev, sk);
1821
1822                 goto failed;
1823         }
1824
1825         if (mgmt_pending_find(MGMT_OP_SET_SSP, hdev) ||
1826             mgmt_pending_find(MGMT_OP_SET_HS, hdev)) {
1827                 err = cmd_status(sk, hdev->id, MGMT_OP_SET_SSP,
1828                                  MGMT_STATUS_BUSY);
1829                 goto failed;
1830         }
1831
1832         if (!!cp->val == test_bit(HCI_SSP_ENABLED, &hdev->dev_flags)) {
1833                 err = send_settings_rsp(sk, MGMT_OP_SET_SSP, hdev);
1834                 goto failed;
1835         }
1836
1837         cmd = mgmt_pending_add(sk, MGMT_OP_SET_SSP, hdev, data, len);
1838         if (!cmd) {
1839                 err = -ENOMEM;
1840                 goto failed;
1841         }
1842
1843         err = hci_send_cmd(hdev, HCI_OP_WRITE_SSP_MODE, 1, &cp->val);
1844         if (err < 0) {
1845                 mgmt_pending_remove(cmd);
1846                 goto failed;
1847         }
1848
1849 failed:
1850         hci_dev_unlock(hdev);
1851         return err;
1852 }
1853
1854 static int set_hs(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
1855 {
1856         struct mgmt_mode *cp = data;
1857         bool changed;
1858         u8 status;
1859         int err;
1860
1861         BT_DBG("request for %s", hdev->name);
1862
1863         status = mgmt_bredr_support(hdev);
1864         if (status)
1865                 return cmd_status(sk, hdev->id, MGMT_OP_SET_HS, status);
1866
1867         if (!lmp_ssp_capable(hdev))
1868                 return cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
1869                                   MGMT_STATUS_NOT_SUPPORTED);
1870
1871         if (!test_bit(HCI_SSP_ENABLED, &hdev->dev_flags))
1872                 return cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
1873                                   MGMT_STATUS_REJECTED);
1874
1875         if (cp->val != 0x00 && cp->val != 0x01)
1876                 return cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
1877                                   MGMT_STATUS_INVALID_PARAMS);
1878
1879         hci_dev_lock(hdev);
1880
1881         if (cp->val) {
1882                 changed = !test_and_set_bit(HCI_HS_ENABLED, &hdev->dev_flags);
1883         } else {
1884                 if (hdev_is_powered(hdev)) {
1885                         err = cmd_status(sk, hdev->id, MGMT_OP_SET_HS,
1886                                          MGMT_STATUS_REJECTED);
1887                         goto unlock;
1888                 }
1889
1890                 changed = test_and_clear_bit(HCI_HS_ENABLED, &hdev->dev_flags);
1891         }
1892
1893         err = send_settings_rsp(sk, MGMT_OP_SET_HS, hdev);
1894         if (err < 0)
1895                 goto unlock;
1896
1897         if (changed)
1898                 err = new_settings(hdev, sk);
1899
1900 unlock:
1901         hci_dev_unlock(hdev);
1902         return err;
1903 }
1904
1905 static void le_enable_complete(struct hci_dev *hdev, u8 status)
1906 {
1907         struct cmd_lookup match = { NULL, hdev };
1908
1909         if (status) {
1910                 u8 mgmt_err = mgmt_status(status);
1911
1912                 mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, cmd_status_rsp,
1913                                      &mgmt_err);
1914                 return;
1915         }
1916
1917         mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, settings_rsp, &match);
1918
1919         new_settings(hdev, match.sk);
1920
1921         if (match.sk)
1922                 sock_put(match.sk);
1923
1924         /* Make sure the controller has a good default for
1925          * advertising data. Restrict the update to when LE
1926          * has actually been enabled. During power on, the
1927          * update in powered_update_hci will take care of it.
1928          */
1929         if (test_bit(HCI_LE_ENABLED, &hdev->dev_flags)) {
1930                 struct hci_request req;
1931
1932                 hci_dev_lock(hdev);
1933
1934                 hci_req_init(&req, hdev);
1935                 update_adv_data(&req);
1936                 update_scan_rsp_data(&req);
1937                 hci_req_run(&req, NULL);
1938
1939                 hci_dev_unlock(hdev);
1940         }
1941 }
1942
1943 static int set_le(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
1944 {
1945         struct mgmt_mode *cp = data;
1946         struct hci_cp_write_le_host_supported hci_cp;
1947         struct pending_cmd *cmd;
1948         struct hci_request req;
1949         int err;
1950         u8 val, enabled;
1951
1952         BT_DBG("request for %s", hdev->name);
1953
1954         if (!lmp_le_capable(hdev))
1955                 return cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
1956                                   MGMT_STATUS_NOT_SUPPORTED);
1957
1958         if (cp->val != 0x00 && cp->val != 0x01)
1959                 return cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
1960                                   MGMT_STATUS_INVALID_PARAMS);
1961
1962         /* LE-only devices do not allow toggling LE on/off */
1963         if (!test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags))
1964                 return cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
1965                                   MGMT_STATUS_REJECTED);
1966
1967         hci_dev_lock(hdev);
1968
1969         val = !!cp->val;
1970         enabled = lmp_host_le_capable(hdev);
1971
1972         if (!hdev_is_powered(hdev) || val == enabled) {
1973                 bool changed = false;
1974
1975                 if (val != test_bit(HCI_LE_ENABLED, &hdev->dev_flags)) {
1976                         change_bit(HCI_LE_ENABLED, &hdev->dev_flags);
1977                         changed = true;
1978                 }
1979
1980                 if (!val && test_bit(HCI_ADVERTISING, &hdev->dev_flags)) {
1981                         clear_bit(HCI_ADVERTISING, &hdev->dev_flags);
1982                         changed = true;
1983                 }
1984
1985                 err = send_settings_rsp(sk, MGMT_OP_SET_LE, hdev);
1986                 if (err < 0)
1987                         goto unlock;
1988
1989                 if (changed)
1990                         err = new_settings(hdev, sk);
1991
1992                 goto unlock;
1993         }
1994
1995         if (mgmt_pending_find(MGMT_OP_SET_LE, hdev) ||
1996             mgmt_pending_find(MGMT_OP_SET_ADVERTISING, hdev)) {
1997                 err = cmd_status(sk, hdev->id, MGMT_OP_SET_LE,
1998                                  MGMT_STATUS_BUSY);
1999                 goto unlock;
2000         }
2001
2002         cmd = mgmt_pending_add(sk, MGMT_OP_SET_LE, hdev, data, len);
2003         if (!cmd) {
2004                 err = -ENOMEM;
2005                 goto unlock;
2006         }
2007
2008         hci_req_init(&req, hdev);
2009
2010         memset(&hci_cp, 0, sizeof(hci_cp));
2011
2012         if (val) {
2013                 hci_cp.le = val;
2014                 hci_cp.simul = lmp_le_br_capable(hdev);
2015         } else {
2016                 if (test_bit(HCI_ADVERTISING, &hdev->dev_flags))
2017                         disable_advertising(&req);
2018         }
2019
2020         hci_req_add(&req, HCI_OP_WRITE_LE_HOST_SUPPORTED, sizeof(hci_cp),
2021                     &hci_cp);
2022
2023         err = hci_req_run(&req, le_enable_complete);
2024         if (err < 0)
2025                 mgmt_pending_remove(cmd);
2026
2027 unlock:
2028         hci_dev_unlock(hdev);
2029         return err;
2030 }
2031
2032 /* This is a helper function to test for pending mgmt commands that can
2033  * cause CoD or EIR HCI commands. We can only allow one such pending
2034  * mgmt command at a time since otherwise we cannot easily track what
2035  * the current values are, will be, and based on that calculate if a new
2036  * HCI command needs to be sent and if yes with what value.
2037  */
2038 static bool pending_eir_or_class(struct hci_dev *hdev)
2039 {
2040         struct pending_cmd *cmd;
2041
2042         list_for_each_entry(cmd, &hdev->mgmt_pending, list) {
2043                 switch (cmd->opcode) {
2044                 case MGMT_OP_ADD_UUID:
2045                 case MGMT_OP_REMOVE_UUID:
2046                 case MGMT_OP_SET_DEV_CLASS:
2047                 case MGMT_OP_SET_POWERED:
2048                         return true;
2049                 }
2050         }
2051
2052         return false;
2053 }
2054
2055 static const u8 bluetooth_base_uuid[] = {
2056                         0xfb, 0x34, 0x9b, 0x5f, 0x80, 0x00, 0x00, 0x80,
2057                         0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2058 };
2059
2060 static u8 get_uuid_size(const u8 *uuid)
2061 {
2062         u32 val;
2063
2064         if (memcmp(uuid, bluetooth_base_uuid, 12))
2065                 return 128;
2066
2067         val = get_unaligned_le32(&uuid[12]);
2068         if (val > 0xffff)
2069                 return 32;
2070
2071         return 16;
2072 }
2073
2074 static void mgmt_class_complete(struct hci_dev *hdev, u16 mgmt_op, u8 status)
2075 {
2076         struct pending_cmd *cmd;
2077
2078         hci_dev_lock(hdev);
2079
2080         cmd = mgmt_pending_find(mgmt_op, hdev);
2081         if (!cmd)
2082                 goto unlock;
2083
2084         cmd_complete(cmd->sk, cmd->index, cmd->opcode, mgmt_status(status),
2085                      hdev->dev_class, 3);
2086
2087         mgmt_pending_remove(cmd);
2088
2089 unlock:
2090         hci_dev_unlock(hdev);
2091 }
2092
2093 static void add_uuid_complete(struct hci_dev *hdev, u8 status)
2094 {
2095         BT_DBG("status 0x%02x", status);
2096
2097         mgmt_class_complete(hdev, MGMT_OP_ADD_UUID, status);
2098 }
2099
2100 static int add_uuid(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
2101 {
2102         struct mgmt_cp_add_uuid *cp = data;
2103         struct pending_cmd *cmd;
2104         struct hci_request req;
2105         struct bt_uuid *uuid;
2106         int err;
2107
2108         BT_DBG("request for %s", hdev->name);
2109
2110         hci_dev_lock(hdev);
2111
2112         if (pending_eir_or_class(hdev)) {
2113                 err = cmd_status(sk, hdev->id, MGMT_OP_ADD_UUID,
2114                                  MGMT_STATUS_BUSY);
2115                 goto failed;
2116         }
2117
2118         uuid = kmalloc(sizeof(*uuid), GFP_KERNEL);
2119         if (!uuid) {
2120                 err = -ENOMEM;
2121                 goto failed;
2122         }
2123
2124         memcpy(uuid->uuid, cp->uuid, 16);
2125         uuid->svc_hint = cp->svc_hint;
2126         uuid->size = get_uuid_size(cp->uuid);
2127
2128         list_add_tail(&uuid->list, &hdev->uuids);
2129
2130         hci_req_init(&req, hdev);
2131
2132         update_class(&req);
2133         update_eir(&req);
2134
2135         err = hci_req_run(&req, add_uuid_complete);
2136         if (err < 0) {
2137                 if (err != -ENODATA)
2138                         goto failed;
2139
2140                 err = cmd_complete(sk, hdev->id, MGMT_OP_ADD_UUID, 0,
2141                                    hdev->dev_class, 3);
2142                 goto failed;
2143         }
2144
2145         cmd = mgmt_pending_add(sk, MGMT_OP_ADD_UUID, hdev, data, len);
2146         if (!cmd) {
2147                 err = -ENOMEM;
2148                 goto failed;
2149         }
2150
2151         err = 0;
2152
2153 failed:
2154         hci_dev_unlock(hdev);
2155         return err;
2156 }
2157
2158 static bool enable_service_cache(struct hci_dev *hdev)
2159 {
2160         if (!hdev_is_powered(hdev))
2161                 return false;
2162
2163         if (!test_and_set_bit(HCI_SERVICE_CACHE, &hdev->dev_flags)) {
2164                 queue_delayed_work(hdev->workqueue, &hdev->service_cache,
2165                                    CACHE_TIMEOUT);
2166                 return true;
2167         }
2168
2169         return false;
2170 }
2171
2172 static void remove_uuid_complete(struct hci_dev *hdev, u8 status)
2173 {
2174         BT_DBG("status 0x%02x", status);
2175
2176         mgmt_class_complete(hdev, MGMT_OP_REMOVE_UUID, status);
2177 }
2178
2179 static int remove_uuid(struct sock *sk, struct hci_dev *hdev, void *data,
2180                        u16 len)
2181 {
2182         struct mgmt_cp_remove_uuid *cp = data;
2183         struct pending_cmd *cmd;
2184         struct bt_uuid *match, *tmp;
2185         u8 bt_uuid_any[] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
2186         struct hci_request req;
2187         int err, found;
2188
2189         BT_DBG("request for %s", hdev->name);
2190
2191         hci_dev_lock(hdev);
2192
2193         if (pending_eir_or_class(hdev)) {
2194                 err = cmd_status(sk, hdev->id, MGMT_OP_REMOVE_UUID,
2195                                  MGMT_STATUS_BUSY);
2196                 goto unlock;
2197         }
2198
2199         if (memcmp(cp->uuid, bt_uuid_any, 16) == 0) {
2200                 hci_uuids_clear(hdev);
2201
2202                 if (enable_service_cache(hdev)) {
2203                         err = cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_UUID,
2204                                            0, hdev->dev_class, 3);
2205                         goto unlock;
2206                 }
2207
2208                 goto update_class;
2209         }
2210
2211         found = 0;
2212
2213         list_for_each_entry_safe(match, tmp, &hdev->uuids, list) {
2214                 if (memcmp(match->uuid, cp->uuid, 16) != 0)
2215                         continue;
2216
2217                 list_del(&match->list);
2218                 kfree(match);
2219                 found++;
2220         }
2221
2222         if (found == 0) {
2223                 err = cmd_status(sk, hdev->id, MGMT_OP_REMOVE_UUID,
2224                                  MGMT_STATUS_INVALID_PARAMS);
2225                 goto unlock;
2226         }
2227
2228 update_class:
2229         hci_req_init(&req, hdev);
2230
2231         update_class(&req);
2232         update_eir(&req);
2233
2234         err = hci_req_run(&req, remove_uuid_complete);
2235         if (err < 0) {
2236                 if (err != -ENODATA)
2237                         goto unlock;
2238
2239                 err = cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_UUID, 0,
2240                                    hdev->dev_class, 3);
2241                 goto unlock;
2242         }
2243
2244         cmd = mgmt_pending_add(sk, MGMT_OP_REMOVE_UUID, hdev, data, len);
2245         if (!cmd) {
2246                 err = -ENOMEM;
2247                 goto unlock;
2248         }
2249
2250         err = 0;
2251
2252 unlock:
2253         hci_dev_unlock(hdev);
2254         return err;
2255 }
2256
2257 static void set_class_complete(struct hci_dev *hdev, u8 status)
2258 {
2259         BT_DBG("status 0x%02x", status);
2260
2261         mgmt_class_complete(hdev, MGMT_OP_SET_DEV_CLASS, status);
2262 }
2263
2264 static int set_dev_class(struct sock *sk, struct hci_dev *hdev, void *data,
2265                          u16 len)
2266 {
2267         struct mgmt_cp_set_dev_class *cp = data;
2268         struct pending_cmd *cmd;
2269         struct hci_request req;
2270         int err;
2271
2272         BT_DBG("request for %s", hdev->name);
2273
2274         if (!lmp_bredr_capable(hdev))
2275                 return cmd_status(sk, hdev->id, MGMT_OP_SET_DEV_CLASS,
2276                                   MGMT_STATUS_NOT_SUPPORTED);
2277
2278         hci_dev_lock(hdev);
2279
2280         if (pending_eir_or_class(hdev)) {
2281                 err = cmd_status(sk, hdev->id, MGMT_OP_SET_DEV_CLASS,
2282                                  MGMT_STATUS_BUSY);
2283                 goto unlock;
2284         }
2285
2286         if ((cp->minor & 0x03) != 0 || (cp->major & 0xe0) != 0) {
2287                 err = cmd_status(sk, hdev->id, MGMT_OP_SET_DEV_CLASS,
2288                                  MGMT_STATUS_INVALID_PARAMS);
2289                 goto unlock;
2290         }
2291
2292         hdev->major_class = cp->major;
2293         hdev->minor_class = cp->minor;
2294
2295         if (!hdev_is_powered(hdev)) {
2296                 err = cmd_complete(sk, hdev->id, MGMT_OP_SET_DEV_CLASS, 0,
2297                                    hdev->dev_class, 3);
2298                 goto unlock;
2299         }
2300
2301         hci_req_init(&req, hdev);
2302
2303         if (test_and_clear_bit(HCI_SERVICE_CACHE, &hdev->dev_flags)) {
2304                 hci_dev_unlock(hdev);
2305                 cancel_delayed_work_sync(&hdev->service_cache);
2306                 hci_dev_lock(hdev);
2307                 update_eir(&req);
2308         }
2309
2310         update_class(&req);
2311
2312         err = hci_req_run(&req, set_class_complete);
2313         if (err < 0) {
2314                 if (err != -ENODATA)
2315                         goto unlock;
2316
2317                 err = cmd_complete(sk, hdev->id, MGMT_OP_SET_DEV_CLASS, 0,
2318                                    hdev->dev_class, 3);
2319                 goto unlock;
2320         }
2321
2322         cmd = mgmt_pending_add(sk, MGMT_OP_SET_DEV_CLASS, hdev, data, len);
2323         if (!cmd) {
2324                 err = -ENOMEM;
2325                 goto unlock;
2326         }
2327
2328         err = 0;
2329
2330 unlock:
2331         hci_dev_unlock(hdev);
2332         return err;
2333 }
2334
2335 static int load_link_keys(struct sock *sk, struct hci_dev *hdev, void *data,
2336                           u16 len)
2337 {
2338         struct mgmt_cp_load_link_keys *cp = data;
2339         u16 key_count, expected_len;
2340         bool changed;
2341         int i;
2342
2343         BT_DBG("request for %s", hdev->name);
2344
2345         if (!lmp_bredr_capable(hdev))
2346                 return cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2347                                   MGMT_STATUS_NOT_SUPPORTED);
2348
2349         key_count = __le16_to_cpu(cp->key_count);
2350
2351         expected_len = sizeof(*cp) + key_count *
2352                                         sizeof(struct mgmt_link_key_info);
2353         if (expected_len != len) {
2354                 BT_ERR("load_link_keys: expected %u bytes, got %u bytes",
2355                        expected_len, len);
2356                 return cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2357                                   MGMT_STATUS_INVALID_PARAMS);
2358         }
2359
2360         if (cp->debug_keys != 0x00 && cp->debug_keys != 0x01)
2361                 return cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2362                                   MGMT_STATUS_INVALID_PARAMS);
2363
2364         BT_DBG("%s debug_keys %u key_count %u", hdev->name, cp->debug_keys,
2365                key_count);
2366
2367         for (i = 0; i < key_count; i++) {
2368                 struct mgmt_link_key_info *key = &cp->keys[i];
2369
2370                 if (key->addr.type != BDADDR_BREDR || key->type > 0x08)
2371                         return cmd_status(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS,
2372                                           MGMT_STATUS_INVALID_PARAMS);
2373         }
2374
2375         hci_dev_lock(hdev);
2376
2377         hci_link_keys_clear(hdev);
2378
2379         if (cp->debug_keys)
2380                 changed = !test_and_set_bit(HCI_DEBUG_KEYS, &hdev->dev_flags);
2381         else
2382                 changed = test_and_clear_bit(HCI_DEBUG_KEYS, &hdev->dev_flags);
2383
2384         if (changed)
2385                 new_settings(hdev, NULL);
2386
2387         for (i = 0; i < key_count; i++) {
2388                 struct mgmt_link_key_info *key = &cp->keys[i];
2389
2390                 hci_add_link_key(hdev, NULL, 0, &key->addr.bdaddr, key->val,
2391                                  key->type, key->pin_len);
2392         }
2393
2394         cmd_complete(sk, hdev->id, MGMT_OP_LOAD_LINK_KEYS, 0, NULL, 0);
2395
2396         hci_dev_unlock(hdev);
2397
2398         return 0;
2399 }
2400
2401 static int device_unpaired(struct hci_dev *hdev, bdaddr_t *bdaddr,
2402                            u8 addr_type, struct sock *skip_sk)
2403 {
2404         struct mgmt_ev_device_unpaired ev;
2405
2406         bacpy(&ev.addr.bdaddr, bdaddr);
2407         ev.addr.type = addr_type;
2408
2409         return mgmt_event(MGMT_EV_DEVICE_UNPAIRED, hdev, &ev, sizeof(ev),
2410                           skip_sk);
2411 }
2412
2413 static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2414                          u16 len)
2415 {
2416         struct mgmt_cp_unpair_device *cp = data;
2417         struct mgmt_rp_unpair_device rp;
2418         struct hci_cp_disconnect dc;
2419         struct pending_cmd *cmd;
2420         struct hci_conn *conn;
2421         int err;
2422
2423         memset(&rp, 0, sizeof(rp));
2424         bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
2425         rp.addr.type = cp->addr.type;
2426
2427         if (!bdaddr_type_is_valid(cp->addr.type))
2428                 return cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2429                                     MGMT_STATUS_INVALID_PARAMS,
2430                                     &rp, sizeof(rp));
2431
2432         if (cp->disconnect != 0x00 && cp->disconnect != 0x01)
2433                 return cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2434                                     MGMT_STATUS_INVALID_PARAMS,
2435                                     &rp, sizeof(rp));
2436
2437         hci_dev_lock(hdev);
2438
2439         if (!hdev_is_powered(hdev)) {
2440                 err = cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2441                                    MGMT_STATUS_NOT_POWERED, &rp, sizeof(rp));
2442                 goto unlock;
2443         }
2444
2445         if (cp->addr.type == BDADDR_BREDR) {
2446                 err = hci_remove_link_key(hdev, &cp->addr.bdaddr);
2447         } else {
2448                 u8 addr_type;
2449
2450                 if (cp->addr.type == BDADDR_LE_PUBLIC)
2451                         addr_type = ADDR_LE_DEV_PUBLIC;
2452                 else
2453                         addr_type = ADDR_LE_DEV_RANDOM;
2454
2455                 hci_remove_irk(hdev, &cp->addr.bdaddr, addr_type);
2456
2457                 hci_conn_params_del(hdev, &cp->addr.bdaddr, addr_type);
2458
2459                 err = hci_remove_ltk(hdev, &cp->addr.bdaddr, addr_type);
2460         }
2461
2462         if (err < 0) {
2463                 err = cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
2464                                    MGMT_STATUS_NOT_PAIRED, &rp, sizeof(rp));
2465                 goto unlock;
2466         }
2467
2468         if (cp->disconnect) {
2469                 if (cp->addr.type == BDADDR_BREDR)
2470                         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
2471                                                        &cp->addr.bdaddr);
2472                 else
2473                         conn = hci_conn_hash_lookup_ba(hdev, LE_LINK,
2474                                                        &cp->addr.bdaddr);
2475         } else {
2476                 conn = NULL;
2477         }
2478
2479         if (!conn) {
2480                 err = cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE, 0,
2481                                    &rp, sizeof(rp));
2482                 device_unpaired(hdev, &cp->addr.bdaddr, cp->addr.type, sk);
2483                 goto unlock;
2484         }
2485
2486         cmd = mgmt_pending_add(sk, MGMT_OP_UNPAIR_DEVICE, hdev, cp,
2487                                sizeof(*cp));
2488         if (!cmd) {
2489                 err = -ENOMEM;
2490                 goto unlock;
2491         }
2492
2493         dc.handle = cpu_to_le16(conn->handle);
2494         dc.reason = 0x13; /* Remote User Terminated Connection */
2495         err = hci_send_cmd(hdev, HCI_OP_DISCONNECT, sizeof(dc), &dc);
2496         if (err < 0)
2497                 mgmt_pending_remove(cmd);
2498
2499 unlock:
2500         hci_dev_unlock(hdev);
2501         return err;
2502 }
2503
2504 static int disconnect(struct sock *sk, struct hci_dev *hdev, void *data,
2505                       u16 len)
2506 {
2507         struct mgmt_cp_disconnect *cp = data;
2508         struct mgmt_rp_disconnect rp;
2509         struct hci_cp_disconnect dc;
2510         struct pending_cmd *cmd;
2511         struct hci_conn *conn;
2512         int err;
2513
2514         BT_DBG("");
2515
2516         memset(&rp, 0, sizeof(rp));
2517         bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
2518         rp.addr.type = cp->addr.type;
2519
2520         if (!bdaddr_type_is_valid(cp->addr.type))
2521                 return cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
2522                                     MGMT_STATUS_INVALID_PARAMS,
2523                                     &rp, sizeof(rp));
2524
2525         hci_dev_lock(hdev);
2526
2527         if (!test_bit(HCI_UP, &hdev->flags)) {
2528                 err = cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
2529                                    MGMT_STATUS_NOT_POWERED, &rp, sizeof(rp));
2530                 goto failed;
2531         }
2532
2533         if (mgmt_pending_find(MGMT_OP_DISCONNECT, hdev)) {
2534                 err = cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
2535                                    MGMT_STATUS_BUSY, &rp, sizeof(rp));
2536                 goto failed;
2537         }
2538
2539         if (cp->addr.type == BDADDR_BREDR)
2540                 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK,
2541                                                &cp->addr.bdaddr);
2542         else
2543                 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->addr.bdaddr);
2544
2545         if (!conn || conn->state == BT_OPEN || conn->state == BT_CLOSED) {
2546                 err = cmd_complete(sk, hdev->id, MGMT_OP_DISCONNECT,
2547                                    MGMT_STATUS_NOT_CONNECTED, &rp, sizeof(rp));
2548                 goto failed;
2549         }
2550
2551         cmd = mgmt_pending_add(sk, MGMT_OP_DISCONNECT, hdev, data, len);
2552         if (!cmd) {
2553                 err = -ENOMEM;
2554                 goto failed;
2555         }
2556
2557         dc.handle = cpu_to_le16(conn->handle);
2558         dc.reason = HCI_ERROR_REMOTE_USER_TERM;
2559
2560         err = hci_send_cmd(hdev, HCI_OP_DISCONNECT, sizeof(dc), &dc);
2561         if (err < 0)
2562                 mgmt_pending_remove(cmd);
2563
2564 failed:
2565         hci_dev_unlock(hdev);
2566         return err;
2567 }
2568
2569 static u8 link_to_bdaddr(u8 link_type, u8 addr_type)
2570 {
2571         switch (link_type) {
2572         case LE_LINK:
2573                 switch (addr_type) {
2574                 case ADDR_LE_DEV_PUBLIC:
2575                         return BDADDR_LE_PUBLIC;
2576
2577                 default:
2578                         /* Fallback to LE Random address type */
2579                         return BDADDR_LE_RANDOM;
2580                 }
2581
2582         default:
2583                 /* Fallback to BR/EDR type */
2584                 return BDADDR_BREDR;
2585         }
2586 }
2587
2588 static int get_connections(struct sock *sk, struct hci_dev *hdev, void *data,
2589                            u16 data_len)
2590 {
2591         struct mgmt_rp_get_connections *rp;
2592         struct hci_conn *c;
2593         size_t rp_len;
2594         int err;
2595         u16 i;
2596
2597         BT_DBG("");
2598
2599         hci_dev_lock(hdev);
2600
2601         if (!hdev_is_powered(hdev)) {
2602                 err = cmd_status(sk, hdev->id, MGMT_OP_GET_CONNECTIONS,
2603                                  MGMT_STATUS_NOT_POWERED);
2604                 goto unlock;
2605         }
2606
2607         i = 0;
2608         list_for_each_entry(c, &hdev->conn_hash.list, list) {
2609                 if (test_bit(HCI_CONN_MGMT_CONNECTED, &c->flags))
2610                         i++;
2611         }
2612
2613         rp_len = sizeof(*rp) + (i * sizeof(struct mgmt_addr_info));
2614         rp = kmalloc(rp_len, GFP_KERNEL);
2615         if (!rp) {
2616                 err = -ENOMEM;
2617                 goto unlock;
2618         }
2619
2620         i = 0;
2621         list_for_each_entry(c, &hdev->conn_hash.list, list) {
2622                 if (!test_bit(HCI_CONN_MGMT_CONNECTED, &c->flags))
2623                         continue;
2624                 bacpy(&rp->addr[i].bdaddr, &c->dst);
2625                 rp->addr[i].type = link_to_bdaddr(c->type, c->dst_type);
2626                 if (c->type == SCO_LINK || c->type == ESCO_LINK)
2627                         continue;
2628                 i++;
2629         }
2630
2631         rp->conn_count = cpu_to_le16(i);
2632
2633         /* Recalculate length in case of filtered SCO connections, etc */
2634         rp_len = sizeof(*rp) + (i * sizeof(struct mgmt_addr_info));
2635
2636         err = cmd_complete(sk, hdev->id, MGMT_OP_GET_CONNECTIONS, 0, rp,
2637                            rp_len);
2638
2639         kfree(rp);
2640
2641 unlock:
2642         hci_dev_unlock(hdev);
2643         return err;
2644 }
2645
2646 static int send_pin_code_neg_reply(struct sock *sk, struct hci_dev *hdev,
2647                                    struct mgmt_cp_pin_code_neg_reply *cp)
2648 {
2649         struct pending_cmd *cmd;
2650         int err;
2651
2652         cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_NEG_REPLY, hdev, cp,
2653                                sizeof(*cp));
2654         if (!cmd)
2655                 return -ENOMEM;
2656
2657         err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
2658                            sizeof(cp->addr.bdaddr), &cp->addr.bdaddr);
2659         if (err < 0)
2660                 mgmt_pending_remove(cmd);
2661
2662         return err;
2663 }
2664
2665 static int pin_code_reply(struct sock *sk, struct hci_dev *hdev, void *data,
2666                           u16 len)
2667 {
2668         struct hci_conn *conn;
2669         struct mgmt_cp_pin_code_reply *cp = data;
2670         struct hci_cp_pin_code_reply reply;
2671         struct pending_cmd *cmd;
2672         int err;
2673
2674         BT_DBG("");
2675
2676         hci_dev_lock(hdev);
2677
2678         if (!hdev_is_powered(hdev)) {
2679                 err = cmd_status(sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
2680                                  MGMT_STATUS_NOT_POWERED);
2681                 goto failed;
2682         }
2683
2684         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->addr.bdaddr);
2685         if (!conn) {
2686                 err = cmd_status(sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
2687                                  MGMT_STATUS_NOT_CONNECTED);
2688                 goto failed;
2689         }
2690
2691         if (conn->pending_sec_level == BT_SECURITY_HIGH && cp->pin_len != 16) {
2692                 struct mgmt_cp_pin_code_neg_reply ncp;
2693
2694                 memcpy(&ncp.addr, &cp->addr, sizeof(ncp.addr));
2695
2696                 BT_ERR("PIN code is not 16 bytes long");
2697
2698                 err = send_pin_code_neg_reply(sk, hdev, &ncp);
2699                 if (err >= 0)
2700                         err = cmd_status(sk, hdev->id, MGMT_OP_PIN_CODE_REPLY,
2701                                          MGMT_STATUS_INVALID_PARAMS);
2702
2703                 goto failed;
2704         }
2705
2706         cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_REPLY, hdev, data, len);
2707         if (!cmd) {
2708                 err = -ENOMEM;
2709                 goto failed;
2710         }
2711
2712         bacpy(&reply.bdaddr, &cp->addr.bdaddr);
2713         reply.pin_len = cp->pin_len;
2714         memcpy(reply.pin_code, cp->pin_code, sizeof(reply.pin_code));
2715
2716         err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_REPLY, sizeof(reply), &reply);
2717         if (err < 0)
2718                 mgmt_pending_remove(cmd);
2719
2720 failed:
2721         hci_dev_unlock(hdev);
2722         return err;
2723 }
2724
2725 static int set_io_capability(struct sock *sk, struct hci_dev *hdev, void *data,
2726                              u16 len)
2727 {
2728         struct mgmt_cp_set_io_capability *cp = data;
2729
2730         BT_DBG("");
2731
2732         hci_dev_lock(hdev);
2733
2734         hdev->io_capability = cp->io_capability;
2735
2736         BT_DBG("%s IO capability set to 0x%02x", hdev->name,
2737                hdev->io_capability);
2738
2739         hci_dev_unlock(hdev);
2740
2741         return cmd_complete(sk, hdev->id, MGMT_OP_SET_IO_CAPABILITY, 0, NULL,
2742                             0);
2743 }
2744
2745 static struct pending_cmd *find_pairing(struct hci_conn *conn)
2746 {
2747         struct hci_dev *hdev = conn->hdev;
2748         struct pending_cmd *cmd;
2749
2750         list_for_each_entry(cmd, &hdev->mgmt_pending, list) {
2751                 if (cmd->opcode != MGMT_OP_PAIR_DEVICE)
2752                         continue;
2753
2754                 if (cmd->user_data != conn)
2755                         continue;
2756
2757                 return cmd;
2758         }
2759
2760         return NULL;
2761 }
2762
2763 static void pairing_complete(struct pending_cmd *cmd, u8 status)
2764 {
2765         struct mgmt_rp_pair_device rp;
2766         struct hci_conn *conn = cmd->user_data;
2767
2768         bacpy(&rp.addr.bdaddr, &conn->dst);
2769         rp.addr.type = link_to_bdaddr(conn->type, conn->dst_type);
2770
2771         cmd_complete(cmd->sk, cmd->index, MGMT_OP_PAIR_DEVICE, status,
2772                      &rp, sizeof(rp));
2773
2774         /* So we don't get further callbacks for this connection */
2775         conn->connect_cfm_cb = NULL;
2776         conn->security_cfm_cb = NULL;
2777         conn->disconn_cfm_cb = NULL;
2778
2779         hci_conn_drop(conn);
2780
2781         mgmt_pending_remove(cmd);
2782 }
2783
2784 void mgmt_smp_complete(struct hci_conn *conn, bool complete)
2785 {
2786         u8 status = complete ? MGMT_STATUS_SUCCESS : MGMT_STATUS_FAILED;
2787         struct pending_cmd *cmd;
2788
2789         cmd = find_pairing(conn);
2790         if (cmd)
2791                 pairing_complete(cmd, status);
2792 }
2793
2794 static void pairing_complete_cb(struct hci_conn *conn, u8 status)
2795 {
2796         struct pending_cmd *cmd;
2797
2798         BT_DBG("status %u", status);
2799
2800         cmd = find_pairing(conn);
2801         if (!cmd)
2802                 BT_DBG("Unable to find a pending command");
2803         else
2804                 pairing_complete(cmd, mgmt_status(status));
2805 }
2806
2807 static void le_pairing_complete_cb(struct hci_conn *conn, u8 status)
2808 {
2809         struct pending_cmd *cmd;
2810
2811         BT_DBG("status %u", status);
2812
2813         if (!status)
2814                 return;
2815
2816         cmd = find_pairing(conn);
2817         if (!cmd)
2818                 BT_DBG("Unable to find a pending command");
2819         else
2820                 pairing_complete(cmd, mgmt_status(status));
2821 }
2822
2823 static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2824                        u16 len)
2825 {
2826         struct mgmt_cp_pair_device *cp = data;
2827         struct mgmt_rp_pair_device rp;
2828         struct pending_cmd *cmd;
2829         u8 sec_level, auth_type;
2830         struct hci_conn *conn;
2831         int err;
2832
2833         BT_DBG("");
2834
2835         memset(&rp, 0, sizeof(rp));
2836         bacpy(&rp.addr.bdaddr, &cp->addr.bdaddr);
2837         rp.addr.type = cp->addr.type;
2838
2839         if (!bdaddr_type_is_valid(cp->addr.type))
2840                 return cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2841                                     MGMT_STATUS_INVALID_PARAMS,
2842                                     &rp, sizeof(rp));
2843
2844         hci_dev_lock(hdev);
2845
2846         if (!hdev_is_powered(hdev)) {
2847                 err = cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2848                                    MGMT_STATUS_NOT_POWERED, &rp, sizeof(rp));
2849                 goto unlock;
2850         }
2851
2852         sec_level = BT_SECURITY_MEDIUM;
2853         if (cp->io_cap == 0x03)
2854                 auth_type = HCI_AT_DEDICATED_BONDING;
2855         else
2856                 auth_type = HCI_AT_DEDICATED_BONDING_MITM;
2857
2858         if (cp->addr.type == BDADDR_BREDR) {
2859                 conn = hci_connect_acl(hdev, &cp->addr.bdaddr, sec_level,
2860                                        auth_type);
2861         } else {
2862                 u8 addr_type;
2863
2864                 /* Convert from L2CAP channel address type to HCI address type
2865                  */
2866                 if (cp->addr.type == BDADDR_LE_PUBLIC)
2867                         addr_type = ADDR_LE_DEV_PUBLIC;
2868                 else
2869                         addr_type = ADDR_LE_DEV_RANDOM;
2870
2871                 conn = hci_connect_le(hdev, &cp->addr.bdaddr, addr_type,
2872                                       sec_level, auth_type);
2873         }
2874
2875         if (IS_ERR(conn)) {
2876                 int status;
2877
2878                 if (PTR_ERR(conn) == -EBUSY)
2879                         status = MGMT_STATUS_BUSY;
2880                 else
2881                         status = MGMT_STATUS_CONNECT_FAILED;
2882
2883                 err = cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2884                                    status, &rp,
2885                                    sizeof(rp));
2886                 goto unlock;
2887         }
2888
2889         if (conn->connect_cfm_cb) {
2890                 hci_conn_drop(conn);
2891                 err = cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
2892                                    MGMT_STATUS_BUSY, &rp, sizeof(rp));
2893                 goto unlock;
2894         }
2895
2896         cmd = mgmt_pending_add(sk, MGMT_OP_PAIR_DEVICE, hdev, data, len);
2897         if (!cmd) {
2898                 err = -ENOMEM;
2899                 hci_conn_drop(conn);
2900                 goto unlock;
2901         }
2902
2903         /* For LE, just connecting isn't a proof that the pairing finished */
2904         if (cp->addr.type == BDADDR_BREDR) {
2905                 conn->connect_cfm_cb = pairing_complete_cb;
2906                 conn->security_cfm_cb = pairing_complete_cb;
2907                 conn->disconn_cfm_cb = pairing_complete_cb;
2908         } else {
2909                 conn->connect_cfm_cb = le_pairing_complete_cb;
2910                 conn->security_cfm_cb = le_pairing_complete_cb;
2911                 conn->disconn_cfm_cb = le_pairing_complete_cb;
2912         }
2913
2914         conn->io_capability = cp->io_cap;
2915         cmd->user_data = conn;
2916
2917         if (conn->state == BT_CONNECTED &&
2918             hci_conn_security(conn, sec_level, auth_type))
2919                 pairing_complete(cmd, 0);
2920
2921         err = 0;
2922
2923 unlock:
2924         hci_dev_unlock(hdev);
2925         return err;
2926 }
2927
2928 static int cancel_pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
2929                               u16 len)
2930 {
2931         struct mgmt_addr_info *addr = data;
2932         struct pending_cmd *cmd;
2933         struct hci_conn *conn;
2934         int err;
2935
2936         BT_DBG("");
2937
2938         hci_dev_lock(hdev);
2939
2940         if (!hdev_is_powered(hdev)) {
2941                 err = cmd_status(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
2942                                  MGMT_STATUS_NOT_POWERED);
2943                 goto unlock;
2944         }
2945
2946         cmd = mgmt_pending_find(MGMT_OP_PAIR_DEVICE, hdev);
2947         if (!cmd) {
2948                 err = cmd_status(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
2949                                  MGMT_STATUS_INVALID_PARAMS);
2950                 goto unlock;
2951         }
2952
2953         conn = cmd->user_data;
2954
2955         if (bacmp(&addr->bdaddr, &conn->dst) != 0) {
2956                 err = cmd_status(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE,
2957                                  MGMT_STATUS_INVALID_PARAMS);
2958                 goto unlock;
2959         }
2960
2961         pairing_complete(cmd, MGMT_STATUS_CANCELLED);
2962
2963         err = cmd_complete(sk, hdev->id, MGMT_OP_CANCEL_PAIR_DEVICE, 0,
2964                            addr, sizeof(*addr));
2965 unlock:
2966         hci_dev_unlock(hdev);
2967         return err;
2968 }
2969
2970 static int user_pairing_resp(struct sock *sk, struct hci_dev *hdev,
2971                              struct mgmt_addr_info *addr, u16 mgmt_op,
2972                              u16 hci_op, __le32 passkey)
2973 {
2974         struct pending_cmd *cmd;
2975         struct hci_conn *conn;
2976         int err;
2977
2978         hci_dev_lock(hdev);
2979
2980         if (!hdev_is_powered(hdev)) {
2981                 err = cmd_complete(sk, hdev->id, mgmt_op,
2982                                    MGMT_STATUS_NOT_POWERED, addr,
2983                                    sizeof(*addr));
2984                 goto done;
2985         }
2986
2987         if (addr->type == BDADDR_BREDR)
2988                 conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &addr->bdaddr);
2989         else
2990                 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &addr->bdaddr);
2991
2992         if (!conn) {
2993                 err = cmd_complete(sk, hdev->id, mgmt_op,
2994                                    MGMT_STATUS_NOT_CONNECTED, addr,
2995                                    sizeof(*addr));
2996                 goto done;
2997         }
2998
2999         if (addr->type == BDADDR_LE_PUBLIC || addr->type == BDADDR_LE_RANDOM) {
3000                 /* Continue with pairing via SMP */
3001                 err = smp_user_confirm_reply(conn, mgmt_op, passkey);
3002
3003                 if (!err)
3004                         err = cmd_complete(sk, hdev->id, mgmt_op,
3005                                            MGMT_STATUS_SUCCESS, addr,
3006                                            sizeof(*addr));
3007                 else
3008                         err = cmd_complete(sk, hdev->id, mgmt_op,
3009                                            MGMT_STATUS_FAILED, addr,
3010                                            sizeof(*addr));
3011
3012                 goto done;
3013         }
3014
3015         cmd = mgmt_pending_add(sk, mgmt_op, hdev, addr, sizeof(*addr));
3016         if (!cmd) {
3017                 err = -ENOMEM;
3018                 goto done;
3019         }
3020
3021         /* Continue with pairing via HCI */
3022         if (hci_op == HCI_OP_USER_PASSKEY_REPLY) {
3023                 struct hci_cp_user_passkey_reply cp;
3024
3025                 bacpy(&cp.bdaddr, &addr->bdaddr);
3026                 cp.passkey = passkey;
3027                 err = hci_send_cmd(hdev, hci_op, sizeof(cp), &cp);
3028         } else
3029                 err = hci_send_cmd(hdev, hci_op, sizeof(addr->bdaddr),
3030                                    &addr->bdaddr);
3031
3032         if (err < 0)
3033                 mgmt_pending_remove(cmd);
3034
3035 done:
3036         hci_dev_unlock(hdev);
3037         return err;
3038 }
3039
3040 static int pin_code_neg_reply(struct sock *sk, struct hci_dev *hdev,
3041                               void *data, u16 len)
3042 {
3043         struct mgmt_cp_pin_code_neg_reply *cp = data;
3044
3045         BT_DBG("");
3046
3047         return user_pairing_resp(sk, hdev, &cp->addr,
3048                                 MGMT_OP_PIN_CODE_NEG_REPLY,
3049                                 HCI_OP_PIN_CODE_NEG_REPLY, 0);
3050 }
3051
3052 static int user_confirm_reply(struct sock *sk, struct hci_dev *hdev, void *data,
3053                               u16 len)
3054 {
3055         struct mgmt_cp_user_confirm_reply *cp = data;
3056
3057         BT_DBG("");
3058
3059         if (len != sizeof(*cp))
3060                 return cmd_status(sk, hdev->id, MGMT_OP_USER_CONFIRM_REPLY,
3061                                   MGMT_STATUS_INVALID_PARAMS);
3062
3063         return user_pairing_resp(sk, hdev, &cp->addr,
3064                                  MGMT_OP_USER_CONFIRM_REPLY,
3065                                  HCI_OP_USER_CONFIRM_REPLY, 0);
3066 }
3067
3068 static int user_confirm_neg_reply(struct sock *sk, struct hci_dev *hdev,
3069                                   void *data, u16 len)
3070 {
3071         struct mgmt_cp_user_confirm_neg_reply *cp = data;
3072
3073         BT_DBG("");
3074
3075         return user_pairing_resp(sk, hdev, &cp->addr,
3076                                  MGMT_OP_USER_CONFIRM_NEG_REPLY,
3077                                  HCI_OP_USER_CONFIRM_NEG_REPLY, 0);
3078 }
3079
3080 static int user_passkey_reply(struct sock *sk, struct hci_dev *hdev, void *data,
3081                               u16 len)
3082 {
3083         struct mgmt_cp_user_passkey_reply *cp = data;
3084
3085         BT_DBG("");
3086
3087         return user_pairing_resp(sk, hdev, &cp->addr,
3088                                  MGMT_OP_USER_PASSKEY_REPLY,
3089                                  HCI_OP_USER_PASSKEY_REPLY, cp->passkey);
3090 }
3091
3092 static int user_passkey_neg_reply(struct sock *sk, struct hci_dev *hdev,
3093                                   void *data, u16 len)
3094 {
3095         struct mgmt_cp_user_passkey_neg_reply *cp = data;
3096
3097         BT_DBG("");
3098
3099         return user_pairing_resp(sk, hdev, &cp->addr,
3100                                  MGMT_OP_USER_PASSKEY_NEG_REPLY,
3101                                  HCI_OP_USER_PASSKEY_NEG_REPLY, 0);
3102 }
3103
3104 static void update_name(struct hci_request *req)
3105 {
3106         struct hci_dev *hdev = req->hdev;
3107         struct hci_cp_write_local_name cp;
3108
3109         memcpy(cp.name, hdev->dev_name, sizeof(cp.name));
3110
3111         hci_req_add(req, HCI_OP_WRITE_LOCAL_NAME, sizeof(cp), &cp);
3112 }
3113
3114 static void set_name_complete(struct hci_dev *hdev, u8 status)
3115 {
3116         struct mgmt_cp_set_local_name *cp;
3117         struct pending_cmd *cmd;
3118
3119         BT_DBG("status 0x%02x", status);
3120
3121         hci_dev_lock(hdev);
3122
3123         cmd = mgmt_pending_find(MGMT_OP_SET_LOCAL_NAME, hdev);
3124         if (!cmd)
3125                 goto unlock;
3126
3127         cp = cmd->param;
3128
3129         if (status)
3130                 cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_LOCAL_NAME,
3131                            mgmt_status(status));
3132         else
3133                 cmd_complete(cmd->sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, 0,
3134                              cp, sizeof(*cp));
3135
3136         mgmt_pending_remove(cmd);
3137
3138 unlock:
3139         hci_dev_unlock(hdev);
3140 }
3141
3142 static int set_local_name(struct sock *sk, struct hci_dev *hdev, void *data,
3143                           u16 len)
3144 {
3145         struct mgmt_cp_set_local_name *cp = data;
3146         struct pending_cmd *cmd;
3147         struct hci_request req;
3148         int err;
3149
3150         BT_DBG("");
3151
3152         hci_dev_lock(hdev);
3153
3154         /* If the old values are the same as the new ones just return a
3155          * direct command complete event.
3156          */
3157         if (!memcmp(hdev->dev_name, cp->name, sizeof(hdev->dev_name)) &&
3158             !memcmp(hdev->short_name, cp->short_name,
3159                     sizeof(hdev->short_name))) {
3160                 err = cmd_complete(sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, 0,
3161                                    data, len);
3162                 goto failed;
3163         }
3164
3165         memcpy(hdev->short_name, cp->short_name, sizeof(hdev->short_name));
3166
3167         if (!hdev_is_powered(hdev)) {
3168                 memcpy(hdev->dev_name, cp->name, sizeof(hdev->dev_name));
3169
3170                 err = cmd_complete(sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, 0,
3171                                    data, len);
3172                 if (err < 0)
3173                         goto failed;
3174
3175                 err = mgmt_event(MGMT_EV_LOCAL_NAME_CHANGED, hdev, data, len,
3176                                  sk);
3177
3178                 goto failed;
3179         }
3180
3181         cmd = mgmt_pending_add(sk, MGMT_OP_SET_LOCAL_NAME, hdev, data, len);
3182         if (!cmd) {
3183                 err = -ENOMEM;
3184                 goto failed;
3185         }
3186
3187         memcpy(hdev->dev_name, cp->name, sizeof(hdev->dev_name));
3188
3189         hci_req_init(&req, hdev);
3190
3191         if (lmp_bredr_capable(hdev)) {
3192                 update_name(&req);
3193                 update_eir(&req);
3194         }
3195
3196         /* The name is stored in the scan response data and so
3197          * no need to udpate the advertising data here.
3198          */
3199         if (lmp_le_capable(hdev))
3200                 update_scan_rsp_data(&req);
3201
3202         err = hci_req_run(&req, set_name_complete);
3203         if (err < 0)
3204                 mgmt_pending_remove(cmd);
3205
3206 failed:
3207         hci_dev_unlock(hdev);
3208         return err;
3209 }
3210
3211 static int read_local_oob_data(struct sock *sk, struct hci_dev *hdev,
3212                                void *data, u16 data_len)
3213 {
3214         struct pending_cmd *cmd;
3215         int err;
3216
3217         BT_DBG("%s", hdev->name);
3218
3219         hci_dev_lock(hdev);
3220
3221         if (!hdev_is_powered(hdev)) {
3222                 err = cmd_status(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
3223                                  MGMT_STATUS_NOT_POWERED);
3224                 goto unlock;
3225         }
3226
3227         if (!lmp_ssp_capable(hdev)) {
3228                 err = cmd_status(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
3229                                  MGMT_STATUS_NOT_SUPPORTED);
3230                 goto unlock;
3231         }
3232
3233         if (mgmt_pending_find(MGMT_OP_READ_LOCAL_OOB_DATA, hdev)) {
3234                 err = cmd_status(sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA,
3235                                  MGMT_STATUS_BUSY);
3236                 goto unlock;
3237         }
3238
3239         cmd = mgmt_pending_add(sk, MGMT_OP_READ_LOCAL_OOB_DATA, hdev, NULL, 0);
3240         if (!cmd) {
3241                 err = -ENOMEM;
3242                 goto unlock;
3243         }
3244
3245         if (test_bit(HCI_SC_ENABLED, &hdev->dev_flags))
3246                 err = hci_send_cmd(hdev, HCI_OP_READ_LOCAL_OOB_EXT_DATA,
3247                                    0, NULL);
3248         else
3249                 err = hci_send_cmd(hdev, HCI_OP_READ_LOCAL_OOB_DATA, 0, NULL);
3250
3251         if (err < 0)
3252                 mgmt_pending_remove(cmd);
3253
3254 unlock:
3255         hci_dev_unlock(hdev);
3256         return err;
3257 }
3258
3259 static int add_remote_oob_data(struct sock *sk, struct hci_dev *hdev,
3260                                void *data, u16 len)
3261 {
3262         int err;
3263
3264         BT_DBG("%s ", hdev->name);
3265
3266         hci_dev_lock(hdev);
3267
3268         if (len == MGMT_ADD_REMOTE_OOB_DATA_SIZE) {
3269                 struct mgmt_cp_add_remote_oob_data *cp = data;
3270                 u8 status;
3271
3272                 err = hci_add_remote_oob_data(hdev, &cp->addr.bdaddr,
3273                                               cp->hash, cp->randomizer);
3274                 if (err < 0)
3275                         status = MGMT_STATUS_FAILED;
3276                 else
3277                         status = MGMT_STATUS_SUCCESS;
3278
3279                 err = cmd_complete(sk, hdev->id, MGMT_OP_ADD_REMOTE_OOB_DATA,
3280                                    status, &cp->addr, sizeof(cp->addr));
3281         } else if (len == MGMT_ADD_REMOTE_OOB_EXT_DATA_SIZE) {
3282                 struct mgmt_cp_add_remote_oob_ext_data *cp = data;
3283                 u8 status;
3284
3285                 err = hci_add_remote_oob_ext_data(hdev, &cp->addr.bdaddr,
3286                                                   cp->hash192,
3287                                                   cp->randomizer192,
3288                                                   cp->hash256,
3289                                                   cp->randomizer256);
3290                 if (err < 0)
3291                         status = MGMT_STATUS_FAILED;
3292                 else
3293                         status = MGMT_STATUS_SUCCESS;
3294
3295                 err = cmd_complete(sk, hdev->id, MGMT_OP_ADD_REMOTE_OOB_DATA,
3296                                    status, &cp->addr, sizeof(cp->addr));
3297         } else {
3298                 BT_ERR("add_remote_oob_data: invalid length of %u bytes", len);
3299                 err = cmd_status(sk, hdev->id, MGMT_OP_ADD_REMOTE_OOB_DATA,
3300                                  MGMT_STATUS_INVALID_PARAMS);
3301         }
3302
3303         hci_dev_unlock(hdev);
3304         return err;
3305 }
3306
3307 static int remove_remote_oob_data(struct sock *sk, struct hci_dev *hdev,
3308                                   void *data, u16 len)
3309 {
3310         struct mgmt_cp_remove_remote_oob_data *cp = data;
3311         u8 status;
3312         int err;
3313
3314         BT_DBG("%s", hdev->name);
3315
3316         hci_dev_lock(hdev);
3317
3318         err = hci_remove_remote_oob_data(hdev, &cp->addr.bdaddr);
3319         if (err < 0)
3320                 status = MGMT_STATUS_INVALID_PARAMS;
3321         else
3322                 status = MGMT_STATUS_SUCCESS;
3323
3324         err = cmd_complete(sk, hdev->id, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
3325                            status, &cp->addr, sizeof(cp->addr));
3326
3327         hci_dev_unlock(hdev);
3328         return err;
3329 }
3330
3331 static int mgmt_start_discovery_failed(struct hci_dev *hdev, u8 status)
3332 {
3333         struct pending_cmd *cmd;
3334         u8 type;
3335         int err;
3336
3337         hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
3338