1
// SPDX-License-Identifier: GPL-2.0
2
/*
3
 * BlueZ - Bluetooth protocol stack for Linux
4
 *
5
 * Copyright (C) 2021 Intel Corporation
6
 * Copyright 2023 NXP
7
 */
8

9
#include <linux/property.h>
10

11
#include <net/bluetooth/bluetooth.h>
12
#include <net/bluetooth/hci_core.h>
13
#include <net/bluetooth/mgmt.h>
14

15
#include "hci_codec.h"
16
#include "hci_debugfs.h"
17
#include "smp.h"
18
#include "eir.h"
19
#include "msft.h"
20
#include "aosp.h"
21
#include "leds.h"
22

23
static void hci_cmd_sync_complete(struct hci_dev *hdev, u8 result, u16 opcode,
24
				  struct sk_buff *skb)
25
{
26
	bt_dev_dbg(hdev, "result 0x%2.2x", result);
27

28
	if (hdev->req_status != HCI_REQ_PEND)
29
		return;
30

31
	hdev->req_result = result;
32
	hdev->req_status = HCI_REQ_DONE;
33

34
	/* Free the request command so it is not used as response */
35
	kfree_skb(hdev->req_skb);
36
	hdev->req_skb = NULL;
37

38
	if (skb) {
39
		struct sock *sk = hci_skb_sk(skb);
40

41
		/* Drop sk reference if set */
42
		if (sk)
43
			sock_put(sk);
44

45
		hdev->req_rsp = skb_get(skb);
46
	}
47

48
	wake_up_interruptible(&hdev->req_wait_q);
49
}
50

51
struct sk_buff *hci_cmd_sync_alloc(struct hci_dev *hdev, u16 opcode, u32 plen,
52
				   const void *param, struct sock *sk)
53
{
54
	int len = HCI_COMMAND_HDR_SIZE + plen;
55
	struct hci_command_hdr *hdr;
56
	struct sk_buff *skb;
57

58
	skb = bt_skb_alloc(len, GFP_ATOMIC);
59
	if (!skb)
60
		return NULL;
61

62
	hdr = skb_put(skb, HCI_COMMAND_HDR_SIZE);
63
	hdr->opcode = cpu_to_le16(opcode);
64
	hdr->plen   = plen;
65

66
	if (plen)
67
		skb_put_data(skb, param, plen);
68

69
	bt_dev_dbg(hdev, "skb len %d", skb->len);
70

71
	hci_skb_pkt_type(skb) = HCI_COMMAND_PKT;
72
	hci_skb_opcode(skb) = opcode;
73

74
	/* Grab a reference if command needs to be associated with a sock (e.g.
75
	 * likely mgmt socket that initiated the command).
76
	 */
77
	if (sk) {
78
		hci_skb_sk(skb) = sk;
79
		sock_hold(sk);
80
	}
81

82
	return skb;
83
}
84

85
static void hci_cmd_sync_add(struct hci_request *req, u16 opcode, u32 plen,
86
			     const void *param, u8 event, struct sock *sk)
87
{
88
	struct hci_dev *hdev = req->hdev;
89
	struct sk_buff *skb;
90

91
	bt_dev_dbg(hdev, "opcode 0x%4.4x plen %d", opcode, plen);
92

93
	/* If an error occurred during request building, there is no point in
94
	 * queueing the HCI command. We can simply return.
95
	 */
96
	if (req->err)
97
		return;
98

99
	skb = hci_cmd_sync_alloc(hdev, opcode, plen, param, sk);
100
	if (!skb) {
101
		bt_dev_err(hdev, "no memory for command (opcode 0x%4.4x)",
102
			   opcode);
103
		req->err = -ENOMEM;
104
		return;
105
	}
106

107
	if (skb_queue_empty(&req->cmd_q))
108
		bt_cb(skb)->hci.req_flags |= HCI_REQ_START;
109

110
	hci_skb_event(skb) = event;
111

112
	skb_queue_tail(&req->cmd_q, skb);
113
}
114

115
static int hci_req_sync_run(struct hci_request *req)
116
{
117
	struct hci_dev *hdev = req->hdev;
118
	struct sk_buff *skb;
119
	unsigned long flags;
120

121
	bt_dev_dbg(hdev, "length %u", skb_queue_len(&req->cmd_q));
122

123
	/* If an error occurred during request building, remove all HCI
124
	 * commands queued on the HCI request queue.
125
	 */
126
	if (req->err) {
127
		skb_queue_purge(&req->cmd_q);
128
		return req->err;
129
	}
130

131
	/* Do not allow empty requests */
132
	if (skb_queue_empty(&req->cmd_q))
133
		return -ENODATA;
134

135
	skb = skb_peek_tail(&req->cmd_q);
136
	bt_cb(skb)->hci.req_complete_skb = hci_cmd_sync_complete;
137
	bt_cb(skb)->hci.req_flags |= HCI_REQ_SKB;
138

139
	spin_lock_irqsave(&hdev->cmd_q.lock, flags);
140
	skb_queue_splice_tail(&req->cmd_q, &hdev->cmd_q);
141
	spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
142

143
	queue_work(hdev->workqueue, &hdev->cmd_work);
144

145
	return 0;
146
}
147

148
static void hci_request_init(struct hci_request *req, struct hci_dev *hdev)
149
{
150
	skb_queue_head_init(&req->cmd_q);
151
	req->hdev = hdev;
152
	req->err = 0;
153
}
154

155
/* This function requires the caller holds hdev->req_lock. */
156
struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
157
				  const void *param, u8 event, u32 timeout,
158
				  struct sock *sk)
159
{
160
	struct hci_request req;
161
	struct sk_buff *skb;
162
	int err = 0;
163

164
	bt_dev_dbg(hdev, "Opcode 0x%4.4x", opcode);
165

166
	hci_request_init(&req, hdev);
167

168
	hci_cmd_sync_add(&req, opcode, plen, param, event, sk);
169

170
	hdev->req_status = HCI_REQ_PEND;
171

172
	err = hci_req_sync_run(&req);
173
	if (err < 0)
174
		return ERR_PTR(err);
175

176
	err = wait_event_interruptible_timeout(hdev->req_wait_q,
177
					       hdev->req_status != HCI_REQ_PEND,
178
					       timeout);
179

180
	if (err == -ERESTARTSYS)
181
		return ERR_PTR(-EINTR);
182

183
	switch (hdev->req_status) {
184
	case HCI_REQ_DONE:
185
		err = -bt_to_errno(hdev->req_result);
186
		break;
187

188
	case HCI_REQ_CANCELED:
189
		err = -hdev->req_result;
190
		break;
191

192
	default:
193
		err = -ETIMEDOUT;
194
		break;
195
	}
196

197
	hdev->req_status = 0;
198
	hdev->req_result = 0;
199
	skb = hdev->req_rsp;
200
	hdev->req_rsp = NULL;
201

202
	bt_dev_dbg(hdev, "end: err %d", err);
203

204
	if (err < 0) {
205
		kfree_skb(skb);
206
		return ERR_PTR(err);
207
	}
208

209
	/* If command return a status event skb will be set to NULL as there are
210
	 * no parameters.
211
	 */
212
	if (!skb)
213
		return ERR_PTR(-ENODATA);
214

215
	return skb;
216
}
217
EXPORT_SYMBOL(__hci_cmd_sync_sk);
218

219
/* This function requires the caller holds hdev->req_lock. */
220
struct sk_buff *__hci_cmd_sync(struct hci_dev *hdev, u16 opcode, u32 plen,
221
			       const void *param, u32 timeout)
222
{
223
	return __hci_cmd_sync_sk(hdev, opcode, plen, param, 0, timeout, NULL);
224
}
225
EXPORT_SYMBOL(__hci_cmd_sync);
226

227
/* Send HCI command and wait for command complete event */
228
struct sk_buff *hci_cmd_sync(struct hci_dev *hdev, u16 opcode, u32 plen,
229
			     const void *param, u32 timeout)
230
{
231
	struct sk_buff *skb;
232

233
	if (!test_bit(HCI_UP, &hdev->flags))
234
		return ERR_PTR(-ENETDOWN);
235

236
	bt_dev_dbg(hdev, "opcode 0x%4.4x plen %d", opcode, plen);
237

238
	hci_req_sync_lock(hdev);
239
	skb = __hci_cmd_sync(hdev, opcode, plen, param, timeout);
240
	hci_req_sync_unlock(hdev);
241

242
	return skb;
243
}
244
EXPORT_SYMBOL(hci_cmd_sync);
245

246
/* This function requires the caller holds hdev->req_lock. */
247
struct sk_buff *__hci_cmd_sync_ev(struct hci_dev *hdev, u16 opcode, u32 plen,
248
				  const void *param, u8 event, u32 timeout)
249
{
250
	return __hci_cmd_sync_sk(hdev, opcode, plen, param, event, timeout,
251
				 NULL);
252
}
253
EXPORT_SYMBOL(__hci_cmd_sync_ev);
254

255
/* This function requires the caller holds hdev->req_lock. */
256
int __hci_cmd_sync_status_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
257
			     const void *param, u8 event, u32 timeout,
258
			     struct sock *sk)
259
{
260
	struct sk_buff *skb;
261
	u8 status;
262

263
	skb = __hci_cmd_sync_sk(hdev, opcode, plen, param, event, timeout, sk);
264

265
	/* If command return a status event, skb will be set to -ENODATA */
266
	if (skb == ERR_PTR(-ENODATA))
267
		return 0;
268

269
	if (IS_ERR(skb)) {
270
		if (!event)
271
			bt_dev_err(hdev, "Opcode 0x%4.4x failed: %ld", opcode,
272
				   PTR_ERR(skb));
273
		return PTR_ERR(skb);
274
	}
275

276
	status = skb->data[0];
277

278
	kfree_skb(skb);
279

280
	return status;
281
}
282
EXPORT_SYMBOL(__hci_cmd_sync_status_sk);
283

284
int __hci_cmd_sync_status(struct hci_dev *hdev, u16 opcode, u32 plen,
285
			  const void *param, u32 timeout)
286
{
287
	return __hci_cmd_sync_status_sk(hdev, opcode, plen, param, 0, timeout,
288
					NULL);
289
}
290
EXPORT_SYMBOL(__hci_cmd_sync_status);
291

292
int hci_cmd_sync_status(struct hci_dev *hdev, u16 opcode, u32 plen,
293
			const void *param, u32 timeout)
294
{
295
	int err;
296

297
	hci_req_sync_lock(hdev);
298
	err = __hci_cmd_sync_status(hdev, opcode, plen, param, timeout);
299
	hci_req_sync_unlock(hdev);
300

301
	return err;
302
}
303
EXPORT_SYMBOL(hci_cmd_sync_status);
304

305
static void hci_cmd_sync_work(struct work_struct *work)
306
{
307
	struct hci_dev *hdev = container_of(work, struct hci_dev, cmd_sync_work);
308

309
	bt_dev_dbg(hdev, "");
310

311
	/* Dequeue all entries and run them */
312
	while (1) {
313
		struct hci_cmd_sync_work_entry *entry;
314

315
		mutex_lock(&hdev->cmd_sync_work_lock);
316
		entry = list_first_entry_or_null(&hdev->cmd_sync_work_list,
317
						 struct hci_cmd_sync_work_entry,
318
						 list);
319
		if (entry)
320
			list_del(&entry->list);
321
		mutex_unlock(&hdev->cmd_sync_work_lock);
322

323
		if (!entry)
324
			break;
325

326
		bt_dev_dbg(hdev, "entry %p", entry);
327

328
		if (entry->func) {
329
			int err;
330

331
			hci_req_sync_lock(hdev);
332
			err = entry->func(hdev, entry->data);
333
			if (entry->destroy)
334
				entry->destroy(hdev, entry->data, err);
335
			hci_req_sync_unlock(hdev);
336
		}
337

338
		kfree(entry);
339
	}
340
}
341

342
static void hci_cmd_sync_cancel_work(struct work_struct *work)
343
{
344
	struct hci_dev *hdev = container_of(work, struct hci_dev, cmd_sync_cancel_work);
345

346
	cancel_delayed_work_sync(&hdev->cmd_timer);
347
	cancel_delayed_work_sync(&hdev->ncmd_timer);
348
	atomic_set(&hdev->cmd_cnt, 1);
349

350
	wake_up_interruptible(&hdev->req_wait_q);
351
}
352

353
static int hci_scan_disable_sync(struct hci_dev *hdev);
354
static int scan_disable_sync(struct hci_dev *hdev, void *data)
355
{
356
	return hci_scan_disable_sync(hdev);
357
}
358

359
static int interleaved_inquiry_sync(struct hci_dev *hdev, void *data)
360
{
361
	return hci_inquiry_sync(hdev, DISCOV_INTERLEAVED_INQUIRY_LEN, 0);
362
}
363

364
static void le_scan_disable(struct work_struct *work)
365
{
366
	struct hci_dev *hdev = container_of(work, struct hci_dev,
367
					    le_scan_disable.work);
368
	int status;
369

370
	bt_dev_dbg(hdev, "");
371
	hci_dev_lock(hdev);
372

373
	if (!hci_dev_test_flag(hdev, HCI_LE_SCAN))
374
		goto _return;
375

376
	status = hci_cmd_sync_queue(hdev, scan_disable_sync, NULL, NULL);
377
	if (status) {
378
		bt_dev_err(hdev, "failed to disable LE scan: %d", status);
379
		goto _return;
380
	}
381

382
	/* If we were running LE only scan, change discovery state. If
383
	 * we were running both LE and BR/EDR inquiry simultaneously,
384
	 * and BR/EDR inquiry is already finished, stop discovery,
385
	 * otherwise BR/EDR inquiry will stop discovery when finished.
386
	 * If we will resolve remote device name, do not change
387
	 * discovery state.
388
	 */
389

390
	if (hdev->discovery.type == DISCOV_TYPE_LE)
391
		goto discov_stopped;
392

393
	if (hdev->discovery.type != DISCOV_TYPE_INTERLEAVED)
394
		goto _return;
395

396
	if (hci_test_quirk(hdev, HCI_QUIRK_SIMULTANEOUS_DISCOVERY)) {
397
		if (!test_bit(HCI_INQUIRY, &hdev->flags) &&
398
		    hdev->discovery.state != DISCOVERY_RESOLVING)
399
			goto discov_stopped;
400

401
		goto _return;
402
	}
403

404
	status = hci_cmd_sync_queue(hdev, interleaved_inquiry_sync, NULL, NULL);
405
	if (status) {
406
		bt_dev_err(hdev, "inquiry failed: status %d", status);
407
		goto discov_stopped;
408
	}
409

410
	goto _return;
411

412
discov_stopped:
413
	hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
414

415
_return:
416
	hci_dev_unlock(hdev);
417
}
418

419
static int hci_le_set_scan_enable_sync(struct hci_dev *hdev, u8 val,
420
				       u8 filter_dup);
421

422
static int reenable_adv_sync(struct hci_dev *hdev, void *data)
423
{
424
	bt_dev_dbg(hdev, "");
425

426
	if (!hci_dev_test_flag(hdev, HCI_ADVERTISING) &&
427
	    list_empty(&hdev->adv_instances))
428
		return 0;
429

430
	if (hdev->cur_adv_instance) {
431
		return hci_schedule_adv_instance_sync(hdev,
432
						      hdev->cur_adv_instance,
433
						      true);
434
	} else {
435
		if (ext_adv_capable(hdev)) {
436
			hci_start_ext_adv_sync(hdev, 0x00);
437
		} else {
438
			hci_update_adv_data_sync(hdev, 0x00);
439
			hci_update_scan_rsp_data_sync(hdev, 0x00);
440
			hci_enable_advertising_sync(hdev);
441
		}
442
	}
443

444
	return 0;
445
}
446

447
static void reenable_adv(struct work_struct *work)
448
{
449
	struct hci_dev *hdev = container_of(work, struct hci_dev,
450
					    reenable_adv_work);
451
	int status;
452

453
	bt_dev_dbg(hdev, "");
454

455
	hci_dev_lock(hdev);
456

457
	status = hci_cmd_sync_queue(hdev, reenable_adv_sync, NULL, NULL);
458
	if (status)
459
		bt_dev_err(hdev, "failed to reenable ADV: %d", status);
460

461
	hci_dev_unlock(hdev);
462
}
463

464
static void cancel_adv_timeout(struct hci_dev *hdev)
465
{
466
	if (hdev->adv_instance_timeout) {
467
		hdev->adv_instance_timeout = 0;
468
		cancel_delayed_work(&hdev->adv_instance_expire);
469
	}
470
}
471

472
/* For a single instance:
473
 * - force == true: The instance will be removed even when its remaining
474
 *   lifetime is not zero.
475
 * - force == false: the instance will be deactivated but kept stored unless
476
 *   the remaining lifetime is zero.
477
 *
478
 * For instance == 0x00:
479
 * - force == true: All instances will be removed regardless of their timeout
480
 *   setting.
481
 * - force == false: Only instances that have a timeout will be removed.
482
 */
483
int hci_clear_adv_instance_sync(struct hci_dev *hdev, struct sock *sk,
484
				u8 instance, bool force)
485
{
486
	struct adv_info *adv_instance, *n, *next_instance = NULL;
487
	int err;
488
	u8 rem_inst;
489

490
	/* Cancel any timeout concerning the removed instance(s). */
491
	if (!instance || hdev->cur_adv_instance == instance)
492
		cancel_adv_timeout(hdev);
493

494
	/* Get the next instance to advertise BEFORE we remove
495
	 * the current one. This can be the same instance again
496
	 * if there is only one instance.
497
	 */
498
	if (instance && hdev->cur_adv_instance == instance)
499
		next_instance = hci_get_next_instance(hdev, instance);
500

501
	if (instance == 0x00) {
502
		list_for_each_entry_safe(adv_instance, n, &hdev->adv_instances,
503
					 list) {
504
			if (!(force || adv_instance->timeout))
505
				continue;
506

507
			rem_inst = adv_instance->instance;
508
			err = hci_remove_adv_instance(hdev, rem_inst);
509
			if (!err)
510
				mgmt_advertising_removed(sk, hdev, rem_inst);
511
		}
512
	} else {
513
		adv_instance = hci_find_adv_instance(hdev, instance);
514

515
		if (force || (adv_instance && adv_instance->timeout &&
516
			      !adv_instance->remaining_time)) {
517
			/* Don't advertise a removed instance. */
518
			if (next_instance &&
519
			    next_instance->instance == instance)
520
				next_instance = NULL;
521

522
			err = hci_remove_adv_instance(hdev, instance);
523
			if (!err)
524
				mgmt_advertising_removed(sk, hdev, instance);
525
		}
526
	}
527

528
	if (!hdev_is_powered(hdev) || hci_dev_test_flag(hdev, HCI_ADVERTISING))
529
		return 0;
530

531
	if (next_instance && !ext_adv_capable(hdev))
532
		return hci_schedule_adv_instance_sync(hdev,
533
						      next_instance->instance,
534
						      false);
535

536
	return 0;
537
}
538

539
static int adv_timeout_expire_sync(struct hci_dev *hdev, void *data)
540
{
541
	u8 instance = *(u8 *)data;
542

543
	kfree(data);
544

545
	hci_clear_adv_instance_sync(hdev, NULL, instance, false);
546

547
	if (list_empty(&hdev->adv_instances))
548
		return hci_disable_advertising_sync(hdev);
549

550
	return 0;
551
}
552

553
static void adv_timeout_expire(struct work_struct *work)
554
{
555
	u8 *inst_ptr;
556
	struct hci_dev *hdev = container_of(work, struct hci_dev,
557
					    adv_instance_expire.work);
558

559
	bt_dev_dbg(hdev, "");
560

561
	hci_dev_lock(hdev);
562

563
	hdev->adv_instance_timeout = 0;
564

565
	if (hdev->cur_adv_instance == 0x00)
566
		goto unlock;
567

568
	inst_ptr = kmalloc(1, GFP_KERNEL);
569
	if (!inst_ptr)
570
		goto unlock;
571

572
	*inst_ptr = hdev->cur_adv_instance;
573
	hci_cmd_sync_queue(hdev, adv_timeout_expire_sync, inst_ptr, NULL);
574

575
unlock:
576
	hci_dev_unlock(hdev);
577
}
578

579
static bool is_interleave_scanning(struct hci_dev *hdev)
580
{
581
	return hdev->interleave_scan_state != INTERLEAVE_SCAN_NONE;
582
}
583

584
static int hci_passive_scan_sync(struct hci_dev *hdev);
585

586
static void interleave_scan_work(struct work_struct *work)
587
{
588
	struct hci_dev *hdev = container_of(work, struct hci_dev,
589
					    interleave_scan.work);
590
	unsigned long timeout;
591

592
	if (hdev->interleave_scan_state == INTERLEAVE_SCAN_ALLOWLIST) {
593
		timeout = msecs_to_jiffies(hdev->advmon_allowlist_duration);
594
	} else if (hdev->interleave_scan_state == INTERLEAVE_SCAN_NO_FILTER) {
595
		timeout = msecs_to_jiffies(hdev->advmon_no_filter_duration);
596
	} else {
597
		bt_dev_err(hdev, "unexpected error");
598
		return;
599
	}
600

601
	hci_passive_scan_sync(hdev);
602

603
	hci_dev_lock(hdev);
604

605
	switch (hdev->interleave_scan_state) {
606
	case INTERLEAVE_SCAN_ALLOWLIST:
607
		bt_dev_dbg(hdev, "next state: allowlist");
608
		hdev->interleave_scan_state = INTERLEAVE_SCAN_NO_FILTER;
609
		break;
610
	case INTERLEAVE_SCAN_NO_FILTER:
611
		bt_dev_dbg(hdev, "next state: no filter");
612
		hdev->interleave_scan_state = INTERLEAVE_SCAN_ALLOWLIST;
613
		break;
614
	case INTERLEAVE_SCAN_NONE:
615
		bt_dev_err(hdev, "unexpected error");
616
	}
617

618
	hci_dev_unlock(hdev);
619

620
	/* Don't continue interleaving if it was canceled */
621
	if (is_interleave_scanning(hdev))
622
		queue_delayed_work(hdev->req_workqueue,
623
				   &hdev->interleave_scan, timeout);
624
}
625

626
void hci_cmd_sync_init(struct hci_dev *hdev)
627
{
628
	INIT_WORK(&hdev->cmd_sync_work, hci_cmd_sync_work);
629
	INIT_LIST_HEAD(&hdev->cmd_sync_work_list);
630
	mutex_init(&hdev->cmd_sync_work_lock);
631
	mutex_init(&hdev->unregister_lock);
632

633
	INIT_WORK(&hdev->cmd_sync_cancel_work, hci_cmd_sync_cancel_work);
634
	INIT_WORK(&hdev->reenable_adv_work, reenable_adv);
635
	INIT_DELAYED_WORK(&hdev->le_scan_disable, le_scan_disable);
636
	INIT_DELAYED_WORK(&hdev->adv_instance_expire, adv_timeout_expire);
637
	INIT_DELAYED_WORK(&hdev->interleave_scan, interleave_scan_work);
638
}
639

640
static void _hci_cmd_sync_cancel_entry(struct hci_dev *hdev,
641
				       struct hci_cmd_sync_work_entry *entry,
642
				       int err)
643
{
644
	if (entry->destroy)
645
		entry->destroy(hdev, entry->data, err);
646

647
	list_del(&entry->list);
648
	kfree(entry);
649
}
650

651
void hci_cmd_sync_clear(struct hci_dev *hdev)
652
{
653
	struct hci_cmd_sync_work_entry *entry, *tmp;
654

655
	cancel_work_sync(&hdev->cmd_sync_work);
656
	cancel_work_sync(&hdev->reenable_adv_work);
657

658
	mutex_lock(&hdev->cmd_sync_work_lock);
659
	list_for_each_entry_safe(entry, tmp, &hdev->cmd_sync_work_list, list)
660
		_hci_cmd_sync_cancel_entry(hdev, entry, -ECANCELED);
661
	mutex_unlock(&hdev->cmd_sync_work_lock);
662
}
663

664
void hci_cmd_sync_cancel(struct hci_dev *hdev, int err)
665
{
666
	bt_dev_dbg(hdev, "err 0x%2.2x", err);
667

668
	if (hdev->req_status == HCI_REQ_PEND) {
669
		hdev->req_result = err;
670
		hdev->req_status = HCI_REQ_CANCELED;
671

672
		queue_work(hdev->workqueue, &hdev->cmd_sync_cancel_work);
673
	}
674
}
675
EXPORT_SYMBOL(hci_cmd_sync_cancel);
676

677
/* Cancel ongoing command request synchronously:
678
 *
679
 * - Set result and mark status to HCI_REQ_CANCELED
680
 * - Wakeup command sync thread
681
 */
682
void hci_cmd_sync_cancel_sync(struct hci_dev *hdev, int err)
683
{
684
	bt_dev_dbg(hdev, "err 0x%2.2x", err);
685

686
	if (hdev->req_status == HCI_REQ_PEND) {
687
		/* req_result is __u32 so error must be positive to be properly
688
		 * propagated.
689
		 */
690
		hdev->req_result = err < 0 ? -err : err;
691
		hdev->req_status = HCI_REQ_CANCELED;
692

693
		wake_up_interruptible(&hdev->req_wait_q);
694
	}
695
}
696
EXPORT_SYMBOL(hci_cmd_sync_cancel_sync);
697

698
/* Submit HCI command to be run in as cmd_sync_work:
699
 *
700
 * - hdev must _not_ be unregistered
701
 */
702
int hci_cmd_sync_submit(struct hci_dev *hdev, hci_cmd_sync_work_func_t func,
703
			void *data, hci_cmd_sync_work_destroy_t destroy)
704
{
705
	struct hci_cmd_sync_work_entry *entry;
706
	int err = 0;
707

708
	mutex_lock(&hdev->unregister_lock);
709
	if (hci_dev_test_flag(hdev, HCI_UNREGISTER)) {
710
		err = -ENODEV;
711
		goto unlock;
712
	}
713

714
	entry = kmalloc(sizeof(*entry), GFP_KERNEL);
715
	if (!entry) {
716
		err = -ENOMEM;
717
		goto unlock;
718
	}
719
	entry->func = func;
720
	entry->data = data;
721
	entry->destroy = destroy;
722

723
	mutex_lock(&hdev->cmd_sync_work_lock);
724
	list_add_tail(&entry->list, &hdev->cmd_sync_work_list);
725
	mutex_unlock(&hdev->cmd_sync_work_lock);
726

727
	queue_work(hdev->req_workqueue, &hdev->cmd_sync_work);
728

729
unlock:
730
	mutex_unlock(&hdev->unregister_lock);
731
	return err;
732
}
733
EXPORT_SYMBOL(hci_cmd_sync_submit);
734

735
/* Queue HCI command:
736
 *
737
 * - hdev must be running
738
 */
739
int hci_cmd_sync_queue(struct hci_dev *hdev, hci_cmd_sync_work_func_t func,
740
		       void *data, hci_cmd_sync_work_destroy_t destroy)
741
{
742
	/* Only queue command if hdev is running which means it had been opened
743
	 * and is either on init phase or is already up.
744
	 */
745
	if (!test_bit(HCI_RUNNING, &hdev->flags))
746
		return -ENETDOWN;
747

748
	return hci_cmd_sync_submit(hdev, func, data, destroy);
749
}
750
EXPORT_SYMBOL(hci_cmd_sync_queue);
751

752
static struct hci_cmd_sync_work_entry *
753
_hci_cmd_sync_lookup_entry(struct hci_dev *hdev, hci_cmd_sync_work_func_t func,
754
			   void *data, hci_cmd_sync_work_destroy_t destroy)
755
{
756
	struct hci_cmd_sync_work_entry *entry, *tmp;
757

758
	list_for_each_entry_safe(entry, tmp, &hdev->cmd_sync_work_list, list) {
759
		if (func && entry->func != func)
760
			continue;
761

762
		if (data && entry->data != data)
763
			continue;
764

765
		if (destroy && entry->destroy != destroy)
766
			continue;
767

768
		return entry;
769
	}
770

771
	return NULL;
772
}
773

774
/* Queue HCI command entry once:
775
 *
776
 * - Lookup if an entry already exist and only if it doesn't creates a new entry
777
 *   and queue it.
778
 */
779
int hci_cmd_sync_queue_once(struct hci_dev *hdev, hci_cmd_sync_work_func_t func,
780
			    void *data, hci_cmd_sync_work_destroy_t destroy)
781
{
782
	if (hci_cmd_sync_lookup_entry(hdev, func, data, destroy))
783
		return 0;
784

785
	return hci_cmd_sync_queue(hdev, func, data, destroy);
786
}
787
EXPORT_SYMBOL(hci_cmd_sync_queue_once);
788

789
/* Run HCI command:
790
 *
791
 * - hdev must be running
792
 * - if on cmd_sync_work then run immediately otherwise queue
793
 */
794
int hci_cmd_sync_run(struct hci_dev *hdev, hci_cmd_sync_work_func_t func,
795
		     void *data, hci_cmd_sync_work_destroy_t destroy)
796
{
797
	/* Only queue command if hdev is running which means it had been opened
798
	 * and is either on init phase or is already up.
799
	 */
800
	if (!test_bit(HCI_RUNNING, &hdev->flags))
801
		return -ENETDOWN;
802

803
	/* If on cmd_sync_work then run immediately otherwise queue */
804
	if (current_work() == &hdev->cmd_sync_work)
805
		return func(hdev, data);
806

807
	return hci_cmd_sync_submit(hdev, func, data, destroy);
808
}
809
EXPORT_SYMBOL(hci_cmd_sync_run);
810

811
/* Run HCI command entry once:
812
 *
813
 * - Lookup if an entry already exist and only if it doesn't creates a new entry
814
 *   and run it.
815
 * - if on cmd_sync_work then run immediately otherwise queue
816
 */
817
int hci_cmd_sync_run_once(struct hci_dev *hdev, hci_cmd_sync_work_func_t func,
818
			  void *data, hci_cmd_sync_work_destroy_t destroy)
819
{
820
	if (hci_cmd_sync_lookup_entry(hdev, func, data, destroy))
821
		return 0;
822

823
	return hci_cmd_sync_run(hdev, func, data, destroy);
824
}
825
EXPORT_SYMBOL(hci_cmd_sync_run_once);
826

827
/* Lookup HCI command entry:
828
 *
829
 * - Return first entry that matches by function callback or data or
830
 *   destroy callback.
831
 */
832
struct hci_cmd_sync_work_entry *
833
hci_cmd_sync_lookup_entry(struct hci_dev *hdev, hci_cmd_sync_work_func_t func,
834
			  void *data, hci_cmd_sync_work_destroy_t destroy)
835
{
836
	struct hci_cmd_sync_work_entry *entry;
837

838
	mutex_lock(&hdev->cmd_sync_work_lock);
839
	entry = _hci_cmd_sync_lookup_entry(hdev, func, data, destroy);
840
	mutex_unlock(&hdev->cmd_sync_work_lock);
841

842
	return entry;
843
}
844
EXPORT_SYMBOL(hci_cmd_sync_lookup_entry);
845

846
/* Cancel HCI command entry */
847
void hci_cmd_sync_cancel_entry(struct hci_dev *hdev,
848
			       struct hci_cmd_sync_work_entry *entry)
849
{
850
	mutex_lock(&hdev->cmd_sync_work_lock);
851
	_hci_cmd_sync_cancel_entry(hdev, entry, -ECANCELED);
852
	mutex_unlock(&hdev->cmd_sync_work_lock);
853
}
854
EXPORT_SYMBOL(hci_cmd_sync_cancel_entry);
855

856
/* Dequeue one HCI command entry:
857
 *
858
 * - Lookup and cancel first entry that matches.
859
 */
860
bool hci_cmd_sync_dequeue_once(struct hci_dev *hdev,
861
			       hci_cmd_sync_work_func_t func,
862
			       void *data, hci_cmd_sync_work_destroy_t destroy)
863
{
864
	struct hci_cmd_sync_work_entry *entry;
865

866
	mutex_lock(&hdev->cmd_sync_work_lock);
867

868
	entry = _hci_cmd_sync_lookup_entry(hdev, func, data, destroy);
869
	if (!entry) {
870
		mutex_unlock(&hdev->cmd_sync_work_lock);
871
		return false;
872
	}
873

874
	_hci_cmd_sync_cancel_entry(hdev, entry, -ECANCELED);
875

876
	mutex_unlock(&hdev->cmd_sync_work_lock);
877

878
	return true;
879
}
880
EXPORT_SYMBOL(hci_cmd_sync_dequeue_once);
881

882
/* Dequeue HCI command entry:
883
 *
884
 * - Lookup and cancel any entry that matches by function callback or data or
885
 *   destroy callback.
886
 */
887
bool hci_cmd_sync_dequeue(struct hci_dev *hdev, hci_cmd_sync_work_func_t func,
888
			  void *data, hci_cmd_sync_work_destroy_t destroy)
889
{
890
	struct hci_cmd_sync_work_entry *entry;
891
	bool ret = false;
892

893
	mutex_lock(&hdev->cmd_sync_work_lock);
894
	while ((entry = _hci_cmd_sync_lookup_entry(hdev, func, data,
895
						   destroy))) {
896
		_hci_cmd_sync_cancel_entry(hdev, entry, -ECANCELED);
897
		ret = true;
898
	}
899
	mutex_unlock(&hdev->cmd_sync_work_lock);
900

901
	return ret;
902
}
903
EXPORT_SYMBOL(hci_cmd_sync_dequeue);
904

905
int hci_update_eir_sync(struct hci_dev *hdev)
906
{
907
	struct hci_cp_write_eir cp;
908

909
	bt_dev_dbg(hdev, "");
910

911
	if (!hdev_is_powered(hdev))
912
		return 0;
913

914
	if (!lmp_ext_inq_capable(hdev))
915
		return 0;
916

917
	if (!hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
918
		return 0;
919

920
	if (hci_dev_test_flag(hdev, HCI_SERVICE_CACHE))
921
		return 0;
922

923
	memset(&cp, 0, sizeof(cp));
924

925
	eir_create(hdev, cp.data);
926

927
	if (memcmp(cp.data, hdev->eir, sizeof(cp.data)) == 0)
928
		return 0;
929

930
	memcpy(hdev->eir, cp.data, sizeof(cp.data));
931

932
	return __hci_cmd_sync_status(hdev, HCI_OP_WRITE_EIR, sizeof(cp), &cp,
933
				     HCI_CMD_TIMEOUT);
934
}
935

936
static u8 get_service_classes(struct hci_dev *hdev)
937
{
938
	struct bt_uuid *uuid;
939
	u8 val = 0;
940

941
	list_for_each_entry(uuid, &hdev->uuids, list)
942
		val |= uuid->svc_hint;
943

944
	return val;
945
}
946

947
int hci_update_class_sync(struct hci_dev *hdev)
948
{
949
	u8 cod[3];
950

951
	bt_dev_dbg(hdev, "");
952

953
	if (!hdev_is_powered(hdev))
954
		return 0;
955

956
	if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
957
		return 0;
958

959
	if (hci_dev_test_flag(hdev, HCI_SERVICE_CACHE))
960
		return 0;
961

962
	cod[0] = hdev->minor_class;
963
	cod[1] = hdev->major_class;
964
	cod[2] = get_service_classes(hdev);
965

966
	if (hci_dev_test_flag(hdev, HCI_LIMITED_DISCOVERABLE))
967
		cod[1] |= 0x20;
968

969
	if (memcmp(cod, hdev->dev_class, 3) == 0)
970
		return 0;
971

972
	return __hci_cmd_sync_status(hdev, HCI_OP_WRITE_CLASS_OF_DEV,
973
				     sizeof(cod), cod, HCI_CMD_TIMEOUT);
974
}
975

976
static bool is_advertising_allowed(struct hci_dev *hdev, bool connectable)
977
{
978
	/* If there is no connection we are OK to advertise. */
979
	if (hci_conn_num(hdev, LE_LINK) == 0)
980
		return true;
981

982
	/* Check le_states if there is any connection in peripheral role. */
983
	if (hdev->conn_hash.le_num_peripheral > 0) {
984
		/* Peripheral connection state and non connectable mode
985
		 * bit 20.
986
		 */
987
		if (!connectable && !(hdev->le_states[2] & 0x10))
988
			return false;
989

990
		/* Peripheral connection state and connectable mode bit 38
991
		 * and scannable bit 21.
992
		 */
993
		if (connectable && (!(hdev->le_states[4] & 0x40) ||
994
				    !(hdev->le_states[2] & 0x20)))
995
			return false;
996
	}
997

998
	/* Check le_states if there is any connection in central role. */
999
	if (hci_conn_num(hdev, LE_LINK) != hdev->conn_hash.le_num_peripheral) {
1000
		/* Central connection state and non connectable mode bit 18. */
1001
		if (!connectable && !(hdev->le_states[2] & 0x02))
1002
			return false;
1003

1004
		/* Central connection state and connectable mode bit 35 and
1005
		 * scannable 19.
1006
		 */
1007
		if (connectable && (!(hdev->le_states[4] & 0x08) ||
1008
				    !(hdev->le_states[2] & 0x08)))
1009
			return false;
1010
	}
1011

1012
	return true;
1013
}
1014

1015
static bool adv_use_rpa(struct hci_dev *hdev, uint32_t flags)
1016
{
1017
	/* If privacy is not enabled don't use RPA */
1018
	if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
1019
		return false;
1020

1021
	/* If basic privacy mode is enabled use RPA */
1022
	if (!hci_dev_test_flag(hdev, HCI_LIMITED_PRIVACY))
1023
		return true;
1024

1025
	/* If limited privacy mode is enabled don't use RPA if we're
1026
	 * both discoverable and bondable.
1027
	 */
1028
	if ((flags & MGMT_ADV_FLAG_DISCOV) &&
1029
	    hci_dev_test_flag(hdev, HCI_BONDABLE))
1030
		return false;
1031

1032
	/* We're neither bondable nor discoverable in the limited
1033
	 * privacy mode, therefore use RPA.
1034
	 */
1035
	return true;
1036
}
1037

1038
static int hci_set_random_addr_sync(struct hci_dev *hdev, bdaddr_t *rpa)
1039
{
1040
	/* If a random_addr has been set we're advertising or initiating an LE
1041
	 * connection we can't go ahead and change the random address at this
1042
	 * time. This is because the eventual initiator address used for the
1043
	 * subsequently created connection will be undefined (some
1044
	 * controllers use the new address and others the one we had
1045
	 * when the operation started).
1046
	 *
1047
	 * In this kind of scenario skip the update and let the random
1048
	 * address be updated at the next cycle.
1049
	 */
1050
	if (bacmp(&hdev->random_addr, BDADDR_ANY) &&
1051
	    (hci_dev_test_flag(hdev, HCI_LE_ADV) ||
1052
	    hci_lookup_le_connect(hdev))) {
1053
		bt_dev_dbg(hdev, "Deferring random address update");
1054
		hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
1055
		return 0;
1056
	}
1057

1058
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_RANDOM_ADDR,
1059
				     6, rpa, HCI_CMD_TIMEOUT);
1060
}
1061

1062
int hci_update_random_address_sync(struct hci_dev *hdev, bool require_privacy,
1063
				   bool rpa, u8 *own_addr_type)
1064
{
1065
	int err;
1066

1067
	/* If privacy is enabled use a resolvable private address. If
1068
	 * current RPA has expired or there is something else than
1069
	 * the current RPA in use, then generate a new one.
1070
	 */
1071
	if (rpa) {
1072
		/* If Controller supports LL Privacy use own address type is
1073
		 * 0x03
1074
		 */
1075
		if (ll_privacy_capable(hdev))
1076
			*own_addr_type = ADDR_LE_DEV_RANDOM_RESOLVED;
1077
		else
1078
			*own_addr_type = ADDR_LE_DEV_RANDOM;
1079

1080
		/* Check if RPA is valid */
1081
		if (rpa_valid(hdev))
1082
			return 0;
1083

1084
		err = smp_generate_rpa(hdev, hdev->irk, &hdev->rpa);
1085
		if (err < 0) {
1086
			bt_dev_err(hdev, "failed to generate new RPA");
1087
			return err;
1088
		}
1089

1090
		err = hci_set_random_addr_sync(hdev, &hdev->rpa);
1091
		if (err)
1092
			return err;
1093

1094
		return 0;
1095
	}
1096

1097
	/* In case of required privacy without resolvable private address,
1098
	 * use an non-resolvable private address. This is useful for active
1099
	 * scanning and non-connectable advertising.
1100
	 */
1101
	if (require_privacy) {
1102
		bdaddr_t nrpa;
1103

1104
		while (true) {
1105
			/* The non-resolvable private address is generated
1106
			 * from random six bytes with the two most significant
1107
			 * bits cleared.
1108
			 */
1109
			get_random_bytes(&nrpa, 6);
1110
			nrpa.b[5] &= 0x3f;
1111

1112
			/* The non-resolvable private address shall not be
1113
			 * equal to the public address.
1114
			 */
1115
			if (bacmp(&hdev->bdaddr, &nrpa))
1116
				break;
1117
		}
1118

1119
		*own_addr_type = ADDR_LE_DEV_RANDOM;
1120

1121
		return hci_set_random_addr_sync(hdev, &nrpa);
1122
	}
1123

1124
	/* If forcing static address is in use or there is no public
1125
	 * address use the static address as random address (but skip
1126
	 * the HCI command if the current random address is already the
1127
	 * static one.
1128
	 *
1129
	 * In case BR/EDR has been disabled on a dual-mode controller
1130
	 * and a static address has been configured, then use that
1131
	 * address instead of the public BR/EDR address.
1132
	 */
1133
	if (hci_dev_test_flag(hdev, HCI_FORCE_STATIC_ADDR) ||
1134
	    !bacmp(&hdev->bdaddr, BDADDR_ANY) ||
1135
	    (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED) &&
1136
	     bacmp(&hdev->static_addr, BDADDR_ANY))) {
1137
		*own_addr_type = ADDR_LE_DEV_RANDOM;
1138
		if (bacmp(&hdev->static_addr, &hdev->random_addr))
1139
			return hci_set_random_addr_sync(hdev,
1140
							&hdev->static_addr);
1141
		return 0;
1142
	}
1143

1144
	/* Neither privacy nor static address is being used so use a
1145
	 * public address.
1146
	 */
1147
	*own_addr_type = ADDR_LE_DEV_PUBLIC;
1148

1149
	return 0;
1150
}
1151

1152
static int hci_disable_ext_adv_instance_sync(struct hci_dev *hdev, u8 instance)
1153
{
1154
	struct hci_cp_le_set_ext_adv_enable *cp;
1155
	struct hci_cp_ext_adv_set *set;
1156
	u8 data[sizeof(*cp) + sizeof(*set) * 1];
1157
	u8 size;
1158
	struct adv_info *adv = NULL;
1159

1160
	/* If request specifies an instance that doesn't exist, fail */
1161
	if (instance > 0) {
1162
		adv = hci_find_adv_instance(hdev, instance);
1163
		if (!adv)
1164
			return -EINVAL;
1165

1166
		/* If not enabled there is nothing to do */
1167
		if (!adv->enabled)
1168
			return 0;
1169
	}
1170

1171
	memset(data, 0, sizeof(data));
1172

1173
	cp = (void *)data;
1174
	set = (void *)cp->data;
1175

1176
	/* Instance 0x00 indicates all advertising instances will be disabled */
1177
	cp->num_of_sets = !!instance;
1178
	cp->enable = 0x00;
1179

1180
	set->handle = adv ? adv->handle : instance;
1181

1182
	size = sizeof(*cp) + sizeof(*set) * cp->num_of_sets;
1183

1184
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE,
1185
				     size, data, HCI_CMD_TIMEOUT);
1186
}
1187

1188
static int hci_set_adv_set_random_addr_sync(struct hci_dev *hdev, u8 instance,
1189
					    bdaddr_t *random_addr)
1190
{
1191
	struct hci_cp_le_set_adv_set_rand_addr cp;
1192
	int err;
1193

1194
	if (!instance) {
1195
		/* Instance 0x00 doesn't have an adv_info, instead it uses
1196
		 * hdev->random_addr to track its address so whenever it needs
1197
		 * to be updated this also set the random address since
1198
		 * hdev->random_addr is shared with scan state machine.
1199
		 */
1200
		err = hci_set_random_addr_sync(hdev, random_addr);
1201
		if (err)
1202
			return err;
1203
	}
1204

1205
	memset(&cp, 0, sizeof(cp));
1206

1207
	cp.handle = instance;
1208
	bacpy(&cp.bdaddr, random_addr);
1209

1210
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_ADV_SET_RAND_ADDR,
1211
				     sizeof(cp), &cp, HCI_CMD_TIMEOUT);
1212
}
1213

1214
static int
1215
hci_set_ext_adv_params_sync(struct hci_dev *hdev, struct adv_info *adv,
1216
			    const struct hci_cp_le_set_ext_adv_params *cp,
1217
			    struct hci_rp_le_set_ext_adv_params *rp)
1218
{
1219
	struct sk_buff *skb;
1220

1221
	skb = __hci_cmd_sync(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS, sizeof(*cp),
1222
			     cp, HCI_CMD_TIMEOUT);
1223

1224
	/* If command return a status event, skb will be set to -ENODATA */
1225
	if (skb == ERR_PTR(-ENODATA))
1226
		return 0;
1227

1228
	if (IS_ERR(skb)) {
1229
		bt_dev_err(hdev, "Opcode 0x%4.4x failed: %ld",
1230
			   HCI_OP_LE_SET_EXT_ADV_PARAMS, PTR_ERR(skb));
1231
		return PTR_ERR(skb);
1232
	}
1233

1234
	if (skb->len != sizeof(*rp)) {
1235
		bt_dev_err(hdev, "Invalid response length for 0x%4.4x: %u",
1236
			   HCI_OP_LE_SET_EXT_ADV_PARAMS, skb->len);
1237
		kfree_skb(skb);
1238
		return -EIO;
1239
	}
1240

1241
	memcpy(rp, skb->data, sizeof(*rp));
1242
	kfree_skb(skb);
1243

1244
	if (!rp->status) {
1245
		hdev->adv_addr_type = cp->own_addr_type;
1246
		if (!cp->handle) {
1247
			/* Store in hdev for instance 0 */
1248
			hdev->adv_tx_power = rp->tx_power;
1249
		} else if (adv) {
1250
			adv->tx_power = rp->tx_power;
1251
		}
1252
	}
1253

1254
	return rp->status;
1255
}
1256

1257
static int hci_set_ext_adv_data_sync(struct hci_dev *hdev, u8 instance)
1258
{
1259
	DEFINE_FLEX(struct hci_cp_le_set_ext_adv_data, pdu, data, length,
1260
		    HCI_MAX_EXT_AD_LENGTH);
1261
	u8 len;
1262
	struct adv_info *adv = NULL;
1263
	int err;
1264

1265
	if (instance) {
1266
		adv = hci_find_adv_instance(hdev, instance);
1267
		if (!adv || !adv->adv_data_changed)
1268
			return 0;
1269
	}
1270

1271
	len = eir_create_adv_data(hdev, instance, pdu->data,
1272
				  HCI_MAX_EXT_AD_LENGTH);
1273

1274
	pdu->length = len;
1275
	pdu->handle = adv ? adv->handle : instance;
1276
	pdu->operation = LE_SET_ADV_DATA_OP_COMPLETE;
1277
	pdu->frag_pref = LE_SET_ADV_DATA_NO_FRAG;
1278

1279
	err = __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_EXT_ADV_DATA,
1280
				    struct_size(pdu, data, len), pdu,
1281
				    HCI_CMD_TIMEOUT);
1282
	if (err)
1283
		return err;
1284

1285
	/* Update data if the command succeed */
1286
	if (adv) {
1287
		adv->adv_data_changed = false;
1288
	} else {
1289
		memcpy(hdev->adv_data, pdu->data, len);
1290
		hdev->adv_data_len = len;
1291
	}
1292

1293
	return 0;
1294
}
1295

1296
static int hci_set_adv_data_sync(struct hci_dev *hdev, u8 instance)
1297
{
1298
	struct hci_cp_le_set_adv_data cp;
1299
	u8 len;
1300

1301
	memset(&cp, 0, sizeof(cp));
1302

1303
	len = eir_create_adv_data(hdev, instance, cp.data, sizeof(cp.data));
1304

1305
	/* There's nothing to do if the data hasn't changed */
1306
	if (hdev->adv_data_len == len &&
1307
	    memcmp(cp.data, hdev->adv_data, len) == 0)
1308
		return 0;
1309

1310
	memcpy(hdev->adv_data, cp.data, sizeof(cp.data));
1311
	hdev->adv_data_len = len;
1312

1313
	cp.length = len;
1314

1315
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_ADV_DATA,
1316
				     sizeof(cp), &cp, HCI_CMD_TIMEOUT);
1317
}
1318

1319
int hci_update_adv_data_sync(struct hci_dev *hdev, u8 instance)
1320
{
1321
	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
1322
		return 0;
1323

1324
	if (ext_adv_capable(hdev))
1325
		return hci_set_ext_adv_data_sync(hdev, instance);
1326

1327
	return hci_set_adv_data_sync(hdev, instance);
1328
}
1329

1330
int hci_setup_ext_adv_instance_sync(struct hci_dev *hdev, u8 instance)
1331
{
1332
	struct hci_cp_le_set_ext_adv_params cp;
1333
	struct hci_rp_le_set_ext_adv_params rp;
1334
	bool connectable, require_privacy;
1335
	u32 flags;
1336
	bdaddr_t random_addr;
1337
	u8 own_addr_type;
1338
	int err;
1339
	struct adv_info *adv;
1340
	bool secondary_adv;
1341

1342
	if (instance > 0) {
1343
		adv = hci_find_adv_instance(hdev, instance);
1344
		if (!adv)
1345
			return -EINVAL;
1346
	} else {
1347
		adv = NULL;
1348
	}
1349

1350
	/* Updating parameters of an active instance will return a
1351
	 * Command Disallowed error, so we must first disable the
1352
	 * instance if it is active.
1353
	 */
1354
	if (adv) {
1355
		err = hci_disable_ext_adv_instance_sync(hdev, instance);
1356
		if (err)
1357
			return err;
1358
	}
1359

1360
	flags = hci_adv_instance_flags(hdev, instance);
1361

1362
	/* If the "connectable" instance flag was not set, then choose between
1363
	 * ADV_IND and ADV_NONCONN_IND based on the global connectable setting.
1364
	 */
1365
	connectable = (flags & MGMT_ADV_FLAG_CONNECTABLE) ||
1366
		      mgmt_get_connectable(hdev);
1367

1368
	if (!is_advertising_allowed(hdev, connectable))
1369
		return -EPERM;
1370

1371
	/* Set require_privacy to true only when non-connectable
1372
	 * advertising is used and it is not periodic.
1373
	 * In that case it is fine to use a non-resolvable private address.
1374
	 */
1375
	require_privacy = !connectable && !(adv && adv->periodic);
1376

1377
	err = hci_get_random_address(hdev, require_privacy,
1378
				     adv_use_rpa(hdev, flags), adv,
1379
				     &own_addr_type, &random_addr);
1380
	if (err < 0)
1381
		return err;
1382

1383
	memset(&cp, 0, sizeof(cp));
1384

1385
	if (adv) {
1386
		hci_cpu_to_le24(adv->min_interval, cp.min_interval);
1387
		hci_cpu_to_le24(adv->max_interval, cp.max_interval);
1388
		cp.tx_power = adv->tx_power;
1389
		cp.sid = adv->sid;
1390
	} else {
1391
		hci_cpu_to_le24(hdev->le_adv_min_interval, cp.min_interval);
1392
		hci_cpu_to_le24(hdev->le_adv_max_interval, cp.max_interval);
1393
		cp.tx_power = HCI_ADV_TX_POWER_NO_PREFERENCE;
1394
		cp.sid = 0x00;
1395
	}
1396

1397
	secondary_adv = (flags & MGMT_ADV_FLAG_SEC_MASK);
1398

1399
	if (connectable) {
1400
		if (secondary_adv)
1401
			cp.evt_properties = cpu_to_le16(LE_EXT_ADV_CONN_IND);
1402
		else
1403
			cp.evt_properties = cpu_to_le16(LE_LEGACY_ADV_IND);
1404
	} else if (hci_adv_instance_is_scannable(hdev, instance) ||
1405
		   (flags & MGMT_ADV_PARAM_SCAN_RSP)) {
1406
		if (secondary_adv)
1407
			cp.evt_properties = cpu_to_le16(LE_EXT_ADV_SCAN_IND);
1408
		else
1409
			cp.evt_properties = cpu_to_le16(LE_LEGACY_ADV_SCAN_IND);
1410
	} else {
1411
		if (secondary_adv)
1412
			cp.evt_properties = cpu_to_le16(LE_EXT_ADV_NON_CONN_IND);
1413
		else
1414
			cp.evt_properties = cpu_to_le16(LE_LEGACY_NONCONN_IND);
1415
	}
1416

1417
	/* If Own_Address_Type equals 0x02 or 0x03, the Peer_Address parameter
1418
	 * contains the peer’s Identity Address and the Peer_Address_Type
1419
	 * parameter contains the peer’s Identity Type (i.e., 0x00 or 0x01).
1420
	 * These parameters are used to locate the corresponding local IRK in
1421
	 * the resolving list; this IRK is used to generate their own address
1422
	 * used in the advertisement.
1423
	 */
1424
	if (own_addr_type == ADDR_LE_DEV_RANDOM_RESOLVED)
1425
		hci_copy_identity_address(hdev, &cp.peer_addr,
1426
					  &cp.peer_addr_type);
1427

1428
	cp.own_addr_type = own_addr_type;
1429
	cp.channel_map = hdev->le_adv_channel_map;
1430
	cp.handle = adv ? adv->handle : instance;
1431

1432
	if (flags & MGMT_ADV_FLAG_SEC_2M) {
1433
		cp.primary_phy = HCI_ADV_PHY_1M;
1434
		cp.secondary_phy = HCI_ADV_PHY_2M;
1435
	} else if (flags & MGMT_ADV_FLAG_SEC_CODED) {
1436
		cp.primary_phy = HCI_ADV_PHY_CODED;
1437
		cp.secondary_phy = HCI_ADV_PHY_CODED;
1438
	} else {
1439
		/* In all other cases use 1M */
1440
		cp.primary_phy = HCI_ADV_PHY_1M;
1441
		cp.secondary_phy = HCI_ADV_PHY_1M;
1442
	}
1443

1444
	err = hci_set_ext_adv_params_sync(hdev, adv, &cp, &rp);
1445
	if (err)
1446
		return err;
1447

1448
	/* Update adv data as tx power is known now */
1449
	err = hci_set_ext_adv_data_sync(hdev, cp.handle);
1450
	if (err)
1451
		return err;
1452

1453
	if ((own_addr_type == ADDR_LE_DEV_RANDOM ||
1454
	     own_addr_type == ADDR_LE_DEV_RANDOM_RESOLVED) &&
1455
	    bacmp(&random_addr, BDADDR_ANY)) {
1456
		/* Check if random address need to be updated */
1457
		if (adv) {
1458
			if (!bacmp(&random_addr, &adv->random_addr))
1459
				return 0;
1460
		} else {
1461
			if (!bacmp(&random_addr, &hdev->random_addr))
1462
				return 0;
1463
		}
1464

1465
		return hci_set_adv_set_random_addr_sync(hdev, instance,
1466
							&random_addr);
1467
	}
1468

1469
	return 0;
1470
}
1471

1472
static int hci_set_ext_scan_rsp_data_sync(struct hci_dev *hdev, u8 instance)
1473
{
1474
	DEFINE_FLEX(struct hci_cp_le_set_ext_scan_rsp_data, pdu, data, length,
1475
		    HCI_MAX_EXT_AD_LENGTH);
1476
	u8 len;
1477
	struct adv_info *adv = NULL;
1478
	int err;
1479

1480
	if (instance) {
1481
		adv = hci_find_adv_instance(hdev, instance);
1482
		if (!adv || !adv->scan_rsp_changed)
1483
			return 0;
1484
	}
1485

1486
	len = eir_create_scan_rsp(hdev, instance, pdu->data);
1487

1488
	pdu->handle = adv ? adv->handle : instance;
1489
	pdu->length = len;
1490
	pdu->operation = LE_SET_ADV_DATA_OP_COMPLETE;
1491
	pdu->frag_pref = LE_SET_ADV_DATA_NO_FRAG;
1492

1493
	err = __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_EXT_SCAN_RSP_DATA,
1494
				    struct_size(pdu, data, len), pdu,
1495
				    HCI_CMD_TIMEOUT);
1496
	if (err)
1497
		return err;
1498

1499
	if (adv) {
1500
		adv->scan_rsp_changed = false;
1501
	} else {
1502
		memcpy(hdev->scan_rsp_data, pdu->data, len);
1503
		hdev->scan_rsp_data_len = len;
1504
	}
1505

1506
	return 0;
1507
}
1508

1509
static int __hci_set_scan_rsp_data_sync(struct hci_dev *hdev, u8 instance)
1510
{
1511
	struct hci_cp_le_set_scan_rsp_data cp;
1512
	u8 len;
1513

1514
	memset(&cp, 0, sizeof(cp));
1515

1516
	len = eir_create_scan_rsp(hdev, instance, cp.data);
1517

1518
	if (hdev->scan_rsp_data_len == len &&
1519
	    !memcmp(cp.data, hdev->scan_rsp_data, len))
1520
		return 0;
1521

1522
	memcpy(hdev->scan_rsp_data, cp.data, sizeof(cp.data));
1523
	hdev->scan_rsp_data_len = len;
1524

1525
	cp.length = len;
1526

1527
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_SCAN_RSP_DATA,
1528
				     sizeof(cp), &cp, HCI_CMD_TIMEOUT);
1529
}
1530

1531
int hci_update_scan_rsp_data_sync(struct hci_dev *hdev, u8 instance)
1532
{
1533
	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
1534
		return 0;
1535

1536
	if (ext_adv_capable(hdev))
1537
		return hci_set_ext_scan_rsp_data_sync(hdev, instance);
1538

1539
	return __hci_set_scan_rsp_data_sync(hdev, instance);
1540
}
1541

1542
int hci_enable_ext_advertising_sync(struct hci_dev *hdev, u8 instance)
1543
{
1544
	struct hci_cp_le_set_ext_adv_enable *cp;
1545
	struct hci_cp_ext_adv_set *set;
1546
	u8 data[sizeof(*cp) + sizeof(*set) * 1];
1547
	struct adv_info *adv;
1548

1549
	if (instance > 0) {
1550
		adv = hci_find_adv_instance(hdev, instance);
1551
		if (!adv)
1552
			return -EINVAL;
1553
		/* If already enabled there is nothing to do */
1554
		if (adv->enabled)
1555
			return 0;
1556
	} else {
1557
		adv = NULL;
1558
	}
1559

1560
	cp = (void *)data;
1561
	set = (void *)cp->data;
1562

1563
	memset(cp, 0, sizeof(*cp));
1564

1565
	cp->enable = 0x01;
1566
	cp->num_of_sets = 0x01;
1567

1568
	memset(set, 0, sizeof(*set));
1569

1570
	set->handle = adv ? adv->handle : instance;
1571

1572
	/* Set duration per instance since controller is responsible for
1573
	 * scheduling it.
1574
	 */
1575
	if (adv && adv->timeout) {
1576
		u16 duration = adv->timeout * MSEC_PER_SEC;
1577

1578
		/* Time = N * 10 ms */
1579
		set->duration = cpu_to_le16(duration / 10);
1580
	}
1581

1582
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_EXT_ADV_ENABLE,
1583
				     sizeof(*cp) +
1584
				     sizeof(*set) * cp->num_of_sets,
1585
				     data, HCI_CMD_TIMEOUT);
1586
}
1587

1588
int hci_start_ext_adv_sync(struct hci_dev *hdev, u8 instance)
1589
{
1590
	int err;
1591

1592
	err = hci_setup_ext_adv_instance_sync(hdev, instance);
1593
	if (err)
1594
		return err;
1595

1596
	err = hci_set_ext_scan_rsp_data_sync(hdev, instance);
1597
	if (err)
1598
		return err;
1599

1600
	return hci_enable_ext_advertising_sync(hdev, instance);
1601
}
1602

1603
int hci_disable_per_advertising_sync(struct hci_dev *hdev, u8 instance)
1604
{
1605
	struct hci_cp_le_set_per_adv_enable cp;
1606
	struct adv_info *adv = NULL;
1607

1608
	/* If periodic advertising already disabled there is nothing to do. */
1609
	adv = hci_find_adv_instance(hdev, instance);
1610
	if (!adv || !adv->periodic_enabled)
1611
		return 0;
1612

1613
	memset(&cp, 0, sizeof(cp));
1614

1615
	cp.enable = 0x00;
1616
	cp.handle = instance;
1617

1618
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_PER_ADV_ENABLE,
1619
				     sizeof(cp), &cp, HCI_CMD_TIMEOUT);
1620
}
1621

1622
static int hci_set_per_adv_params_sync(struct hci_dev *hdev, u8 instance,
1623
				       u16 min_interval, u16 max_interval)
1624
{
1625
	struct hci_cp_le_set_per_adv_params cp;
1626

1627
	memset(&cp, 0, sizeof(cp));
1628

1629
	if (!min_interval)
1630
		min_interval = DISCOV_LE_PER_ADV_INT_MIN;
1631

1632
	if (!max_interval)
1633
		max_interval = DISCOV_LE_PER_ADV_INT_MAX;
1634

1635
	cp.handle = instance;
1636
	cp.min_interval = cpu_to_le16(min_interval);
1637
	cp.max_interval = cpu_to_le16(max_interval);
1638
	cp.periodic_properties = 0x0000;
1639

1640
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_PER_ADV_PARAMS,
1641
				     sizeof(cp), &cp, HCI_CMD_TIMEOUT);
1642
}
1643

1644
static int hci_set_per_adv_data_sync(struct hci_dev *hdev, u8 instance)
1645
{
1646
	DEFINE_FLEX(struct hci_cp_le_set_per_adv_data, pdu, data, length,
1647
		    HCI_MAX_PER_AD_LENGTH);
1648
	u8 len;
1649
	struct adv_info *adv = NULL;
1650

1651
	if (instance) {
1652
		adv = hci_find_adv_instance(hdev, instance);
1653
		if (!adv || !adv->periodic)
1654
			return 0;
1655
	}
1656

1657
	len = eir_create_per_adv_data(hdev, instance, pdu->data);
1658

1659
	pdu->length = len;
1660
	pdu->handle = adv ? adv->handle : instance;
1661
	pdu->operation = LE_SET_ADV_DATA_OP_COMPLETE;
1662

1663
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_PER_ADV_DATA,
1664
				     struct_size(pdu, data, len), pdu,
1665
				     HCI_CMD_TIMEOUT);
1666
}
1667

1668
static int hci_enable_per_advertising_sync(struct hci_dev *hdev, u8 instance)
1669
{
1670
	struct hci_cp_le_set_per_adv_enable cp;
1671
	struct adv_info *adv = NULL;
1672

1673
	/* If periodic advertising already enabled there is nothing to do. */
1674
	adv = hci_find_adv_instance(hdev, instance);
1675
	if (adv && adv->periodic_enabled)
1676
		return 0;
1677

1678
	memset(&cp, 0, sizeof(cp));
1679

1680
	cp.enable = 0x01;
1681
	cp.handle = instance;
1682

1683
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_PER_ADV_ENABLE,
1684
				     sizeof(cp), &cp, HCI_CMD_TIMEOUT);
1685
}
1686

1687
/* Checks if periodic advertising data contains a Basic Announcement and if it
1688
 * does generates a Broadcast ID and add Broadcast Announcement.
1689
 */
1690
static int hci_adv_bcast_annoucement(struct hci_dev *hdev, struct adv_info *adv)
1691
{
1692
	u8 bid[3];
1693
	u8 ad[HCI_MAX_EXT_AD_LENGTH];
1694
	u8 len;
1695

1696
	/* Skip if NULL adv as instance 0x00 is used for general purpose
1697
	 * advertising so it cannot used for the likes of Broadcast Announcement
1698
	 * as it can be overwritten at any point.
1699
	 */
1700
	if (!adv)
1701
		return 0;
1702

1703
	/* Check if PA data doesn't contains a Basic Audio Announcement then
1704
	 * there is nothing to do.
1705
	 */
1706
	if (!eir_get_service_data(adv->per_adv_data, adv->per_adv_data_len,
1707
				  0x1851, NULL))
1708
		return 0;
1709

1710
	/* Check if advertising data already has a Broadcast Announcement since
1711
	 * the process may want to control the Broadcast ID directly and in that
1712
	 * case the kernel shall no interfere.
1713
	 */
1714
	if (eir_get_service_data(adv->adv_data, adv->adv_data_len, 0x1852,
1715
				 NULL))
1716
		return 0;
1717

1718
	/* Generate Broadcast ID */
1719
	get_random_bytes(bid, sizeof(bid));
1720
	len = eir_append_service_data(ad, 0, 0x1852, bid, sizeof(bid));
1721
	memcpy(ad + len, adv->adv_data, adv->adv_data_len);
1722
	hci_set_adv_instance_data(hdev, adv->instance, len + adv->adv_data_len,
1723
				  ad, 0, NULL);
1724

1725
	return hci_update_adv_data_sync(hdev, adv->instance);
1726
}
1727

1728
int hci_start_per_adv_sync(struct hci_dev *hdev, u8 instance, u8 sid,
1729
			   u8 data_len, u8 *data, u32 flags, u16 min_interval,
1730
			   u16 max_interval, u16 sync_interval)
1731
{
1732
	struct adv_info *adv = NULL;
1733
	int err;
1734
	bool added = false;
1735

1736
	hci_disable_per_advertising_sync(hdev, instance);
1737

1738
	if (instance) {
1739
		adv = hci_find_adv_instance(hdev, instance);
1740
		if (adv) {
1741
			if (sid != HCI_SID_INVALID && adv->sid != sid) {
1742
				/* If the SID don't match attempt to find by
1743
				 * SID.
1744
				 */
1745
				adv = hci_find_adv_sid(hdev, sid);
1746
				if (!adv) {
1747
					bt_dev_err(hdev,
1748
						   "Unable to find adv_info");
1749
					return -EINVAL;
1750
				}
1751
			}
1752

1753
			/* Turn it into periodic advertising */
1754
			adv->periodic = true;
1755
			adv->per_adv_data_len = data_len;
1756
			if (data)
1757
				memcpy(adv->per_adv_data, data, data_len);
1758
			adv->flags = flags;
1759
		} else if (!adv) {
1760
			/* Create an instance if that could not be found */
1761
			adv = hci_add_per_instance(hdev, instance, sid, flags,
1762
						   data_len, data,
1763
						   sync_interval,
1764
						   sync_interval);
1765
			if (IS_ERR(adv))
1766
				return PTR_ERR(adv);
1767
			adv->pending = false;
1768
			added = true;
1769
		}
1770
	}
1771

1772
	/* Start advertising */
1773
	err = hci_start_ext_adv_sync(hdev, instance);
1774
	if (err < 0)
1775
		goto fail;
1776

1777
	err = hci_adv_bcast_annoucement(hdev, adv);
1778
	if (err < 0)
1779
		goto fail;
1780

1781
	err = hci_set_per_adv_params_sync(hdev, instance, min_interval,
1782
					  max_interval);
1783
	if (err < 0)
1784
		goto fail;
1785

1786
	err = hci_set_per_adv_data_sync(hdev, instance);
1787
	if (err < 0)
1788
		goto fail;
1789

1790
	err = hci_enable_per_advertising_sync(hdev, instance);
1791
	if (err < 0)
1792
		goto fail;
1793

1794
	return 0;
1795

1796
fail:
1797
	if (added)
1798
		hci_remove_adv_instance(hdev, instance);
1799

1800
	return err;
1801
}
1802

1803
static int hci_start_adv_sync(struct hci_dev *hdev, u8 instance)
1804
{
1805
	int err;
1806

1807
	if (ext_adv_capable(hdev))
1808
		return hci_start_ext_adv_sync(hdev, instance);
1809

1810
	err = hci_update_adv_data_sync(hdev, instance);
1811
	if (err)
1812
		return err;
1813

1814
	err = hci_update_scan_rsp_data_sync(hdev, instance);
1815
	if (err)
1816
		return err;
1817

1818
	return hci_enable_advertising_sync(hdev);
1819
}
1820

1821
int hci_enable_advertising_sync(struct hci_dev *hdev)
1822
{
1823
	struct adv_info *adv_instance;
1824
	struct hci_cp_le_set_adv_param cp;
1825
	u8 own_addr_type, enable = 0x01;
1826
	bool connectable;
1827
	u16 adv_min_interval, adv_max_interval;
1828
	u32 flags;
1829
	u8 status;
1830

1831
	if (ext_adv_capable(hdev))
1832
		return hci_enable_ext_advertising_sync(hdev,
1833
						       hdev->cur_adv_instance);
1834

1835
	flags = hci_adv_instance_flags(hdev, hdev->cur_adv_instance);
1836
	adv_instance = hci_find_adv_instance(hdev, hdev->cur_adv_instance);
1837

1838
	/* If the "connectable" instance flag was not set, then choose between
1839
	 * ADV_IND and ADV_NONCONN_IND based on the global connectable setting.
1840
	 */
1841
	connectable = (flags & MGMT_ADV_FLAG_CONNECTABLE) ||
1842
		      mgmt_get_connectable(hdev);
1843

1844
	if (!is_advertising_allowed(hdev, connectable))
1845
		return -EINVAL;
1846

1847
	status = hci_disable_advertising_sync(hdev);
1848
	if (status)
1849
		return status;
1850

1851
	/* Clear the HCI_LE_ADV bit temporarily so that the
1852
	 * hci_update_random_address knows that it's safe to go ahead
1853
	 * and write a new random address. The flag will be set back on
1854
	 * as soon as the SET_ADV_ENABLE HCI command completes.
1855
	 */
1856
	hci_dev_clear_flag(hdev, HCI_LE_ADV);
1857

1858
	/* Set require_privacy to true only when non-connectable
1859
	 * advertising is used. In that case it is fine to use a
1860
	 * non-resolvable private address.
1861
	 */
1862
	status = hci_update_random_address_sync(hdev, !connectable,
1863
						adv_use_rpa(hdev, flags),
1864
						&own_addr_type);
1865
	if (status)
1866
		return status;
1867

1868
	memset(&cp, 0, sizeof(cp));
1869

1870
	if (adv_instance) {
1871
		adv_min_interval = adv_instance->min_interval;
1872
		adv_max_interval = adv_instance->max_interval;
1873
	} else {
1874
		adv_min_interval = hdev->le_adv_min_interval;
1875
		adv_max_interval = hdev->le_adv_max_interval;
1876
	}
1877

1878
	if (connectable) {
1879
		cp.type = LE_ADV_IND;
1880
	} else {
1881
		if (hci_adv_instance_is_scannable(hdev, hdev->cur_adv_instance))
1882
			cp.type = LE_ADV_SCAN_IND;
1883
		else
1884
			cp.type = LE_ADV_NONCONN_IND;
1885

1886
		if (!hci_dev_test_flag(hdev, HCI_DISCOVERABLE) ||
1887
		    hci_dev_test_flag(hdev, HCI_LIMITED_DISCOVERABLE)) {
1888
			adv_min_interval = DISCOV_LE_FAST_ADV_INT_MIN;
1889
			adv_max_interval = DISCOV_LE_FAST_ADV_INT_MAX;
1890
		}
1891
	}
1892

1893
	cp.min_interval = cpu_to_le16(adv_min_interval);
1894
	cp.max_interval = cpu_to_le16(adv_max_interval);
1895
	cp.own_address_type = own_addr_type;
1896
	cp.channel_map = hdev->le_adv_channel_map;
1897

1898
	status = __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_ADV_PARAM,
1899
				       sizeof(cp), &cp, HCI_CMD_TIMEOUT);
1900
	if (status)
1901
		return status;
1902

1903
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_ADV_ENABLE,
1904
				     sizeof(enable), &enable, HCI_CMD_TIMEOUT);
1905
}
1906

1907
static int enable_advertising_sync(struct hci_dev *hdev, void *data)
1908
{
1909
	return hci_enable_advertising_sync(hdev);
1910
}
1911

1912
int hci_enable_advertising(struct hci_dev *hdev)
1913
{
1914
	if (!hci_dev_test_flag(hdev, HCI_ADVERTISING) &&
1915
	    list_empty(&hdev->adv_instances))
1916
		return 0;
1917

1918
	return hci_cmd_sync_queue(hdev, enable_advertising_sync, NULL, NULL);
1919
}
1920

1921
int hci_remove_ext_adv_instance_sync(struct hci_dev *hdev, u8 instance,
1922
				     struct sock *sk)
1923
{
1924
	int err;
1925

1926
	if (!ext_adv_capable(hdev))
1927
		return 0;
1928

1929
	err = hci_disable_ext_adv_instance_sync(hdev, instance);
1930
	if (err)
1931
		return err;
1932

1933
	/* If request specifies an instance that doesn't exist, fail */
1934
	if (instance > 0 && !hci_find_adv_instance(hdev, instance))
1935
		return -EINVAL;
1936

1937
	return __hci_cmd_sync_status_sk(hdev, HCI_OP_LE_REMOVE_ADV_SET,
1938
					sizeof(instance), &instance, 0,
1939
					HCI_CMD_TIMEOUT, sk);
1940
}
1941

1942
int hci_le_terminate_big_sync(struct hci_dev *hdev, u8 handle, u8 reason)
1943
{
1944
	struct hci_cp_le_term_big cp;
1945

1946
	memset(&cp, 0, sizeof(cp));
1947
	cp.handle = handle;
1948
	cp.reason = reason;
1949

1950
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_TERM_BIG,
1951
				     sizeof(cp), &cp, HCI_CMD_TIMEOUT);
1952
}
1953

1954
int hci_schedule_adv_instance_sync(struct hci_dev *hdev, u8 instance,
1955
				   bool force)
1956
{
1957
	struct adv_info *adv = NULL;
1958
	u16 timeout;
1959

1960
	if (hci_dev_test_flag(hdev, HCI_ADVERTISING) && !ext_adv_capable(hdev))
1961
		return -EPERM;
1962

1963
	if (hdev->adv_instance_timeout)
1964
		return -EBUSY;
1965

1966
	adv = hci_find_adv_instance(hdev, instance);
1967
	if (!adv)
1968
		return -ENOENT;
1969

1970
	/* A zero timeout means unlimited advertising. As long as there is
1971
	 * only one instance, duration should be ignored. We still set a timeout
1972
	 * in case further instances are being added later on.
1973
	 *
1974
	 * If the remaining lifetime of the instance is more than the duration
1975
	 * then the timeout corresponds to the duration, otherwise it will be
1976
	 * reduced to the remaining instance lifetime.
1977
	 */
1978
	if (adv->timeout == 0 || adv->duration <= adv->remaining_time)
1979
		timeout = adv->duration;
1980
	else
1981
		timeout = adv->remaining_time;
1982

1983
	/* The remaining time is being reduced unless the instance is being
1984
	 * advertised without time limit.
1985
	 */
1986
	if (adv->timeout)
1987
		adv->remaining_time = adv->remaining_time - timeout;
1988

1989
	/* Only use work for scheduling instances with legacy advertising */
1990
	if (!ext_adv_capable(hdev)) {
1991
		hdev->adv_instance_timeout = timeout;
1992
		queue_delayed_work(hdev->req_workqueue,
1993
				   &hdev->adv_instance_expire,
1994
				   secs_to_jiffies(timeout));
1995
	}
1996

1997
	/* If we're just re-scheduling the same instance again then do not
1998
	 * execute any HCI commands. This happens when a single instance is
1999
	 * being advertised.
2000
	 */
2001
	if (!force && hdev->cur_adv_instance == instance &&
2002
	    hci_dev_test_flag(hdev, HCI_LE_ADV))
2003
		return 0;
2004

2005
	hdev->cur_adv_instance = instance;
2006

2007
	return hci_start_adv_sync(hdev, instance);
2008
}
2009

2010
static int hci_clear_adv_sets_sync(struct hci_dev *hdev, struct sock *sk)
2011
{
2012
	int err;
2013

2014
	if (!ext_adv_capable(hdev))
2015
		return 0;
2016

2017
	/* Disable instance 0x00 to disable all instances */
2018
	err = hci_disable_ext_adv_instance_sync(hdev, 0x00);
2019
	if (err)
2020
		return err;
2021

2022
	return __hci_cmd_sync_status_sk(hdev, HCI_OP_LE_CLEAR_ADV_SETS,
2023
					0, NULL, 0, HCI_CMD_TIMEOUT, sk);
2024
}
2025

2026
static int hci_clear_adv_sync(struct hci_dev *hdev, struct sock *sk, bool force)
2027
{
2028
	struct adv_info *adv, *n;
2029

2030
	if (ext_adv_capable(hdev))
2031
		/* Remove all existing sets */
2032
		return hci_clear_adv_sets_sync(hdev, sk);
2033

2034
	/* This is safe as long as there is no command send while the lock is
2035
	 * held.
2036
	 */
2037
	hci_dev_lock(hdev);
2038

2039
	/* Cleanup non-ext instances */
2040
	list_for_each_entry_safe(adv, n, &hdev->adv_instances, list) {
2041
		u8 instance = adv->instance;
2042
		int err;
2043

2044
		if (!(force || adv->timeout))
2045
			continue;
2046

2047
		err = hci_remove_adv_instance(hdev, instance);
2048
		if (!err)
2049
			mgmt_advertising_removed(sk, hdev, instance);
2050
	}
2051

2052
	hci_dev_unlock(hdev);
2053

2054
	return 0;
2055
}
2056

2057
static int hci_remove_adv_sync(struct hci_dev *hdev, u8 instance,
2058
			       struct sock *sk)
2059
{
2060
	int err;
2061

2062
	/* If we use extended advertising, instance has to be removed first. */
2063
	if (ext_adv_capable(hdev))
2064
		return hci_remove_ext_adv_instance_sync(hdev, instance, sk);
2065

2066
	/* This is safe as long as there is no command send while the lock is
2067
	 * held.
2068
	 */
2069
	hci_dev_lock(hdev);
2070

2071
	err = hci_remove_adv_instance(hdev, instance);
2072
	if (!err)
2073
		mgmt_advertising_removed(sk, hdev, instance);
2074

2075
	hci_dev_unlock(hdev);
2076

2077
	return err;
2078
}
2079

2080
/* For a single instance:
2081
 * - force == true: The instance will be removed even when its remaining
2082
 *   lifetime is not zero.
2083
 * - force == false: the instance will be deactivated but kept stored unless
2084
 *   the remaining lifetime is zero.
2085
 *
2086
 * For instance == 0x00:
2087
 * - force == true: All instances will be removed regardless of their timeout
2088
 *   setting.
2089
 * - force == false: Only instances that have a timeout will be removed.
2090
 */
2091
int hci_remove_advertising_sync(struct hci_dev *hdev, struct sock *sk,
2092
				u8 instance, bool force)
2093
{
2094
	struct adv_info *next = NULL;
2095
	int err;
2096

2097
	/* Cancel any timeout concerning the removed instance(s). */
2098
	if (!instance || hdev->cur_adv_instance == instance)
2099
		cancel_adv_timeout(hdev);
2100

2101
	/* Get the next instance to advertise BEFORE we remove
2102
	 * the current one. This can be the same instance again
2103
	 * if there is only one instance.
2104
	 */
2105
	if (hdev->cur_adv_instance == instance)
2106
		next = hci_get_next_instance(hdev, instance);
2107

2108
	if (!instance) {
2109
		err = hci_clear_adv_sync(hdev, sk, force);
2110
		if (err)
2111
			return err;
2112
	} else {
2113
		struct adv_info *adv = hci_find_adv_instance(hdev, instance);
2114

2115
		if (force || (adv && adv->timeout && !adv->remaining_time)) {
2116
			/* Don't advertise a removed instance. */
2117
			if (next && next->instance == instance)
2118
				next = NULL;
2119

2120
			err = hci_remove_adv_sync(hdev, instance, sk);
2121
			if (err)
2122
				return err;
2123
		}
2124
	}
2125

2126
	if (!hdev_is_powered(hdev) || hci_dev_test_flag(hdev, HCI_ADVERTISING))
2127
		return 0;
2128

2129
	if (next && !ext_adv_capable(hdev))
2130
		hci_schedule_adv_instance_sync(hdev, next->instance, false);
2131

2132
	return 0;
2133
}
2134

2135
int hci_read_rssi_sync(struct hci_dev *hdev, __le16 handle)
2136
{
2137
	struct hci_cp_read_rssi cp;
2138

2139
	cp.handle = handle;
2140
	return __hci_cmd_sync_status(hdev, HCI_OP_READ_RSSI,
2141
					sizeof(cp), &cp, HCI_CMD_TIMEOUT);
2142
}
2143

2144
int hci_read_clock_sync(struct hci_dev *hdev, struct hci_cp_read_clock *cp)
2145
{
2146
	return __hci_cmd_sync_status(hdev, HCI_OP_READ_CLOCK,
2147
					sizeof(*cp), cp, HCI_CMD_TIMEOUT);
2148
}
2149

2150
int hci_read_tx_power_sync(struct hci_dev *hdev, __le16 handle, u8 type)
2151
{
2152
	struct hci_cp_read_tx_power cp;
2153

2154
	cp.handle = handle;
2155
	cp.type = type;
2156
	return __hci_cmd_sync_status(hdev, HCI_OP_READ_TX_POWER,
2157
					sizeof(cp), &cp, HCI_CMD_TIMEOUT);
2158
}
2159

2160
int hci_disable_advertising_sync(struct hci_dev *hdev)
2161
{
2162
	u8 enable = 0x00;
2163

2164
	/* If controller is not advertising we are done. */
2165
	if (!hci_dev_test_flag(hdev, HCI_LE_ADV))
2166
		return 0;
2167

2168
	if (ext_adv_capable(hdev))
2169
		return hci_disable_ext_adv_instance_sync(hdev, 0x00);
2170

2171
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_ADV_ENABLE,
2172
				     sizeof(enable), &enable, HCI_CMD_TIMEOUT);
2173
}
2174

2175
static int hci_le_set_ext_scan_enable_sync(struct hci_dev *hdev, u8 val,
2176
					   u8 filter_dup)
2177
{
2178
	struct hci_cp_le_set_ext_scan_enable cp;
2179

2180
	memset(&cp, 0, sizeof(cp));
2181
	cp.enable = val;
2182

2183
	if (hci_dev_test_flag(hdev, HCI_MESH))
2184
		cp.filter_dup = LE_SCAN_FILTER_DUP_DISABLE;
2185
	else
2186
		cp.filter_dup = filter_dup;
2187

2188
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_EXT_SCAN_ENABLE,
2189
				     sizeof(cp), &cp, HCI_CMD_TIMEOUT);
2190
}
2191

2192
static int hci_le_set_scan_enable_sync(struct hci_dev *hdev, u8 val,
2193
				       u8 filter_dup)
2194
{
2195
	struct hci_cp_le_set_scan_enable cp;
2196

2197
	if (use_ext_scan(hdev))
2198
		return hci_le_set_ext_scan_enable_sync(hdev, val, filter_dup);
2199

2200
	memset(&cp, 0, sizeof(cp));
2201
	cp.enable = val;
2202

2203
	if (val && hci_dev_test_flag(hdev, HCI_MESH))
2204
		cp.filter_dup = LE_SCAN_FILTER_DUP_DISABLE;
2205
	else
2206
		cp.filter_dup = filter_dup;
2207

2208
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_SCAN_ENABLE,
2209
				     sizeof(cp), &cp, HCI_CMD_TIMEOUT);
2210
}
2211

2212
static int hci_le_set_addr_resolution_enable_sync(struct hci_dev *hdev, u8 val)
2213
{
2214
	if (!ll_privacy_capable(hdev))
2215
		return 0;
2216

2217
	/* If controller is not/already resolving we are done. */
2218
	if (val == hci_dev_test_flag(hdev, HCI_LL_RPA_RESOLUTION))
2219
		return 0;
2220

2221
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_ADDR_RESOLV_ENABLE,
2222
				     sizeof(val), &val, HCI_CMD_TIMEOUT);
2223
}
2224

2225
static int hci_scan_disable_sync(struct hci_dev *hdev)
2226
{
2227
	int err;
2228

2229
	/* If controller is not scanning we are done. */
2230
	if (!hci_dev_test_flag(hdev, HCI_LE_SCAN))
2231
		return 0;
2232

2233
	if (hdev->scanning_paused) {
2234
		bt_dev_dbg(hdev, "Scanning is paused for suspend");
2235
		return 0;
2236
	}
2237

2238
	err = hci_le_set_scan_enable_sync(hdev, LE_SCAN_DISABLE, 0x00);
2239
	if (err) {
2240
		bt_dev_err(hdev, "Unable to disable scanning: %d", err);
2241
		return err;
2242
	}
2243

2244
	return err;
2245
}
2246

2247
static bool scan_use_rpa(struct hci_dev *hdev)
2248
{
2249
	return hci_dev_test_flag(hdev, HCI_PRIVACY);
2250
}
2251

2252
static void hci_start_interleave_scan(struct hci_dev *hdev)
2253
{
2254
	hdev->interleave_scan_state = INTERLEAVE_SCAN_NO_FILTER;
2255
	queue_delayed_work(hdev->req_workqueue,
2256
			   &hdev->interleave_scan, 0);
2257
}
2258

2259
static void cancel_interleave_scan(struct hci_dev *hdev)
2260
{
2261
	bt_dev_dbg(hdev, "cancelling interleave scan");
2262

2263
	cancel_delayed_work_sync(&hdev->interleave_scan);
2264

2265
	hdev->interleave_scan_state = INTERLEAVE_SCAN_NONE;
2266
}
2267

2268
/* Return true if interleave_scan wasn't started until exiting this function,
2269
 * otherwise, return false
2270
 */
2271
static bool hci_update_interleaved_scan_sync(struct hci_dev *hdev)
2272
{
2273
	/* Do interleaved scan only if all of the following are true:
2274
	 * - There is at least one ADV monitor
2275
	 * - At least one pending LE connection or one device to be scanned for
2276
	 * - Monitor offloading is not supported
2277
	 * If so, we should alternate between allowlist scan and one without
2278
	 * any filters to save power.
2279
	 */
2280
	bool use_interleaving = hci_is_adv_monitoring(hdev) &&
2281
				!(list_empty(&hdev->pend_le_conns) &&
2282
				  list_empty(&hdev->pend_le_reports)) &&
2283
				hci_get_adv_monitor_offload_ext(hdev) ==
2284
				    HCI_ADV_MONITOR_EXT_NONE;
2285
	bool is_interleaving = is_interleave_scanning(hdev);
2286

2287
	if (use_interleaving && !is_interleaving) {
2288
		hci_start_interleave_scan(hdev);
2289
		bt_dev_dbg(hdev, "starting interleave scan");
2290
		return true;
2291
	}
2292

2293
	if (!use_interleaving && is_interleaving)
2294
		cancel_interleave_scan(hdev);
2295

2296
	return false;
2297
}
2298

2299
/* Removes connection to resolve list if needed.*/
2300
static int hci_le_del_resolve_list_sync(struct hci_dev *hdev,
2301
					bdaddr_t *bdaddr, u8 bdaddr_type)
2302
{
2303
	struct hci_cp_le_del_from_resolv_list cp;
2304
	struct bdaddr_list_with_irk *entry;
2305

2306
	if (!ll_privacy_capable(hdev))
2307
		return 0;
2308

2309
	/* Check if the IRK has been programmed */
2310
	entry = hci_bdaddr_list_lookup_with_irk(&hdev->le_resolv_list, bdaddr,
2311
						bdaddr_type);
2312
	if (!entry)
2313
		return 0;
2314

2315
	cp.bdaddr_type = bdaddr_type;
2316
	bacpy(&cp.bdaddr, bdaddr);
2317

2318
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_DEL_FROM_RESOLV_LIST,
2319
				     sizeof(cp), &cp, HCI_CMD_TIMEOUT);
2320
}
2321

2322
static int hci_le_del_accept_list_sync(struct hci_dev *hdev,
2323
				       bdaddr_t *bdaddr, u8 bdaddr_type)
2324
{
2325
	struct hci_cp_le_del_from_accept_list cp;
2326
	int err;
2327

2328
	/* Check if device is on accept list before removing it */
2329
	if (!hci_bdaddr_list_lookup(&hdev->le_accept_list, bdaddr, bdaddr_type))
2330
		return 0;
2331

2332
	cp.bdaddr_type = bdaddr_type;
2333
	bacpy(&cp.bdaddr, bdaddr);
2334

2335
	/* Ignore errors when removing from resolving list as that is likely
2336
	 * that the device was never added.
2337
	 */
2338
	hci_le_del_resolve_list_sync(hdev, &cp.bdaddr, cp.bdaddr_type);
2339

2340
	err = __hci_cmd_sync_status(hdev, HCI_OP_LE_DEL_FROM_ACCEPT_LIST,
2341
				    sizeof(cp), &cp, HCI_CMD_TIMEOUT);
2342
	if (err) {
2343
		bt_dev_err(hdev, "Unable to remove from allow list: %d", err);
2344
		return err;
2345
	}
2346

2347
	bt_dev_dbg(hdev, "Remove %pMR (0x%x) from allow list", &cp.bdaddr,
2348
		   cp.bdaddr_type);
2349

2350
	return 0;
2351
}
2352

2353
struct conn_params {
2354
	bdaddr_t addr;
2355
	u8 addr_type;
2356
	hci_conn_flags_t flags;
2357
	u8 privacy_mode;
2358
};
2359

2360
/* Adds connection to resolve list if needed.
2361
 * Setting params to NULL programs local hdev->irk
2362
 */
2363
static int hci_le_add_resolve_list_sync(struct hci_dev *hdev,
2364
					struct conn_params *params)
2365
{
2366
	struct hci_cp_le_add_to_resolv_list cp;
2367
	struct smp_irk *irk;
2368
	struct bdaddr_list_with_irk *entry;
2369
	struct hci_conn_params *p;
2370

2371
	if (!ll_privacy_capable(hdev))
2372
		return 0;
2373

2374
	/* Attempt to program local identity address, type and irk if params is
2375
	 * NULL.
2376
	 */
2377
	if (!params) {
2378
		if (!hci_dev_test_flag(hdev, HCI_PRIVACY))
2379
			return 0;
2380

2381
		hci_copy_identity_address(hdev, &cp.bdaddr, &cp.bdaddr_type);
2382
		memcpy(cp.peer_irk, hdev->irk, 16);
2383
		goto done;
2384
	} else if (!(params->flags & HCI_CONN_FLAG_ADDRESS_RESOLUTION))
2385
		return 0;
2386

2387
	irk = hci_find_irk_by_addr(hdev, &params->addr, params->addr_type);
2388
	if (!irk)
2389
		return 0;
2390

2391
	/* Check if the IK has _not_ been programmed yet. */
2392
	entry = hci_bdaddr_list_lookup_with_irk(&hdev->le_resolv_list,
2393
						&params->addr,
2394
						params->addr_type);
2395
	if (entry)
2396
		return 0;
2397

2398
	cp.bdaddr_type = params->addr_type;
2399
	bacpy(&cp.bdaddr, &params->addr);
2400
	memcpy(cp.peer_irk, irk->val, 16);
2401

2402
	/* Default privacy mode is always Network */
2403
	params->privacy_mode = HCI_NETWORK_PRIVACY;
2404

2405
	rcu_read_lock();
2406
	p = hci_pend_le_action_lookup(&hdev->pend_le_conns,
2407
				      &params->addr, params->addr_type);
2408
	if (!p)
2409
		p = hci_pend_le_action_lookup(&hdev->pend_le_reports,
2410
					      &params->addr, params->addr_type);
2411
	if (p)
2412
		WRITE_ONCE(p->privacy_mode, HCI_NETWORK_PRIVACY);
2413
	rcu_read_unlock();
2414

2415
done:
2416
	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
2417
		memcpy(cp.local_irk, hdev->irk, 16);
2418
	else
2419
		memset(cp.local_irk, 0, 16);
2420

2421
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_ADD_TO_RESOLV_LIST,
2422
				     sizeof(cp), &cp, HCI_CMD_TIMEOUT);
2423
}
2424

2425
/* Set Device Privacy Mode. */
2426
static int hci_le_set_privacy_mode_sync(struct hci_dev *hdev,
2427
					struct conn_params *params)
2428
{
2429
	struct hci_cp_le_set_privacy_mode cp;
2430
	struct smp_irk *irk;
2431

2432
	if (!ll_privacy_capable(hdev) ||
2433
	    !(params->flags & HCI_CONN_FLAG_ADDRESS_RESOLUTION))
2434
		return 0;
2435

2436
	/* If device privacy mode has already been set there is nothing to do */
2437
	if (params->privacy_mode == HCI_DEVICE_PRIVACY)
2438
		return 0;
2439

2440
	/* Check if HCI_CONN_FLAG_DEVICE_PRIVACY has been set as it also
2441
	 * indicates that LL Privacy has been enabled and
2442
	 * HCI_OP_LE_SET_PRIVACY_MODE is supported.
2443
	 */
2444
	if (!(params->flags & HCI_CONN_FLAG_DEVICE_PRIVACY))
2445
		return 0;
2446

2447
	irk = hci_find_irk_by_addr(hdev, &params->addr, params->addr_type);
2448
	if (!irk)
2449
		return 0;
2450

2451
	memset(&cp, 0, sizeof(cp));
2452
	cp.bdaddr_type = irk->addr_type;
2453
	bacpy(&cp.bdaddr, &irk->bdaddr);
2454
	cp.mode = HCI_DEVICE_PRIVACY;
2455

2456
	/* Note: params->privacy_mode is not updated since it is a copy */
2457

2458
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_PRIVACY_MODE,
2459
				     sizeof(cp), &cp, HCI_CMD_TIMEOUT);
2460
}
2461

2462
/* Adds connection to allow list if needed, if the device uses RPA (has IRK)
2463
 * this attempts to program the device in the resolving list as well and
2464
 * properly set the privacy mode.
2465
 */
2466
static int hci_le_add_accept_list_sync(struct hci_dev *hdev,
2467
				       struct conn_params *params,
2468
				       u8 *num_entries)
2469
{
2470
	struct hci_cp_le_add_to_accept_list cp;
2471
	int err;
2472

2473
	/* During suspend, only wakeable devices can be in acceptlist */
2474
	if (hdev->suspended &&
2475
	    !(params->flags & HCI_CONN_FLAG_REMOTE_WAKEUP)) {
2476
		hci_le_del_accept_list_sync(hdev, &params->addr,
2477
					    params->addr_type);
2478
		return 0;
2479
	}
2480

2481
	/* Select filter policy to accept all advertising */
2482
	if (*num_entries >= hdev->le_accept_list_size)
2483
		return -ENOSPC;
2484

2485
	/* Attempt to program the device in the resolving list first to avoid
2486
	 * having to rollback in case it fails since the resolving list is
2487
	 * dynamic it can probably be smaller than the accept list.
2488
	 */
2489
	err = hci_le_add_resolve_list_sync(hdev, params);
2490
	if (err) {
2491
		bt_dev_err(hdev, "Unable to add to resolve list: %d", err);
2492
		return err;
2493
	}
2494

2495
	/* Set Privacy Mode */
2496
	err = hci_le_set_privacy_mode_sync(hdev, params);
2497
	if (err) {
2498
		bt_dev_err(hdev, "Unable to set privacy mode: %d", err);
2499
		return err;
2500
	}
2501

2502
	/* Check if already in accept list */
2503
	if (hci_bdaddr_list_lookup(&hdev->le_accept_list, &params->addr,
2504
				   params->addr_type))
2505
		return 0;
2506

2507
	*num_entries += 1;
2508
	cp.bdaddr_type = params->addr_type;
2509
	bacpy(&cp.bdaddr, &params->addr);
2510

2511
	err = __hci_cmd_sync_status(hdev, HCI_OP_LE_ADD_TO_ACCEPT_LIST,
2512
				    sizeof(cp), &cp, HCI_CMD_TIMEOUT);
2513
	if (err) {
2514
		bt_dev_err(hdev, "Unable to add to allow list: %d", err);
2515
		/* Rollback the device from the resolving list */
2516
		hci_le_del_resolve_list_sync(hdev, &cp.bdaddr, cp.bdaddr_type);
2517
		return err;
2518
	}
2519

2520
	bt_dev_dbg(hdev, "Add %pMR (0x%x) to allow list", &cp.bdaddr,
2521
		   cp.bdaddr_type);
2522

2523
	return 0;
2524
}
2525

2526
/* This function disables/pause all advertising instances */
2527
static int hci_pause_advertising_sync(struct hci_dev *hdev)
2528
{
2529
	int err;
2530
	int old_state;
2531

2532
	/* If controller is not advertising we are done. */
2533
	if (!hci_dev_test_flag(hdev, HCI_LE_ADV))
2534
		return 0;
2535

2536
	/* If already been paused there is nothing to do. */
2537
	if (hdev->advertising_paused)
2538
		return 0;
2539

2540
	bt_dev_dbg(hdev, "Pausing directed advertising");
2541

2542
	/* Stop directed advertising */
2543
	old_state = hci_dev_test_flag(hdev, HCI_ADVERTISING);
2544
	if (old_state) {
2545
		/* When discoverable timeout triggers, then just make sure
2546
		 * the limited discoverable flag is cleared. Even in the case
2547
		 * of a timeout triggered from general discoverable, it is
2548
		 * safe to unconditionally clear the flag.
2549
		 */
2550
		hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
2551
		hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
2552
		hdev->discov_timeout = 0;
2553
	}
2554

2555
	bt_dev_dbg(hdev, "Pausing advertising instances");
2556

2557
	/* Call to disable any advertisements active on the controller.
2558
	 * This will succeed even if no advertisements are configured.
2559
	 */
2560
	err = hci_disable_advertising_sync(hdev);
2561
	if (err)
2562
		return err;
2563

2564
	/* If we are using software rotation, pause the loop */
2565
	if (!ext_adv_capable(hdev))
2566
		cancel_adv_timeout(hdev);
2567

2568
	hdev->advertising_paused = true;
2569
	hdev->advertising_old_state = old_state;
2570

2571
	return 0;
2572
}
2573

2574
/* This function enables all user advertising instances */
2575
static int hci_resume_advertising_sync(struct hci_dev *hdev)
2576
{
2577
	struct adv_info *adv, *tmp;
2578
	int err;
2579

2580
	/* If advertising has not been paused there is nothing  to do. */
2581
	if (!hdev->advertising_paused)
2582
		return 0;
2583

2584
	/* Resume directed advertising */
2585
	hdev->advertising_paused = false;
2586
	if (hdev->advertising_old_state) {
2587
		hci_dev_set_flag(hdev, HCI_ADVERTISING);
2588
		hdev->advertising_old_state = 0;
2589
	}
2590

2591
	bt_dev_dbg(hdev, "Resuming advertising instances");
2592

2593
	if (ext_adv_capable(hdev)) {
2594
		/* Call for each tracked instance to be re-enabled */
2595
		list_for_each_entry_safe(adv, tmp, &hdev->adv_instances, list) {
2596
			err = hci_enable_ext_advertising_sync(hdev,
2597
							      adv->instance);
2598
			if (!err)
2599
				continue;
2600

2601
			/* If the instance cannot be resumed remove it */
2602
			hci_remove_ext_adv_instance_sync(hdev, adv->instance,
2603
							 NULL);
2604
		}
2605

2606
		/* If current advertising instance is set to instance 0x00
2607
		 * then we need to re-enable it.
2608
		 */
2609
		if (hci_dev_test_and_clear_flag(hdev, HCI_LE_ADV_0))
2610
			err = hci_enable_ext_advertising_sync(hdev, 0x00);
2611
	} else {
2612
		/* Schedule for most recent instance to be restarted and begin
2613
		 * the software rotation loop
2614
		 */
2615
		err = hci_schedule_adv_instance_sync(hdev,
2616
						     hdev->cur_adv_instance,
2617
						     true);
2618
	}
2619

2620
	hdev->advertising_paused = false;
2621

2622
	return err;
2623
}
2624

2625
static int hci_pause_addr_resolution(struct hci_dev *hdev)
2626
{
2627
	int err;
2628

2629
	if (!ll_privacy_capable(hdev))
2630
		return 0;
2631

2632
	if (!hci_dev_test_flag(hdev, HCI_LL_RPA_RESOLUTION))
2633
		return 0;
2634

2635
	/* Cannot disable addr resolution if scanning is enabled or
2636
	 * when initiating an LE connection.
2637
	 */
2638
	if (hci_dev_test_flag(hdev, HCI_LE_SCAN) ||
2639
	    hci_lookup_le_connect(hdev)) {
2640
		bt_dev_err(hdev, "Command not allowed when scan/LE connect");
2641
		return -EPERM;
2642
	}
2643

2644
	/* Cannot disable addr resolution if advertising is enabled. */
2645
	err = hci_pause_advertising_sync(hdev);
2646
	if (err) {
2647
		bt_dev_err(hdev, "Pause advertising failed: %d", err);
2648
		return err;
2649
	}
2650

2651
	err = hci_le_set_addr_resolution_enable_sync(hdev, 0x00);
2652
	if (err)
2653
		bt_dev_err(hdev, "Unable to disable Address Resolution: %d",
2654
			   err);
2655

2656
	/* Return if address resolution is disabled and RPA is not used. */
2657
	if (!err && scan_use_rpa(hdev))
2658
		return 0;
2659

2660
	hci_resume_advertising_sync(hdev);
2661
	return err;
2662
}
2663

2664
struct sk_buff *hci_read_local_oob_data_sync(struct hci_dev *hdev,
2665
					     bool extended, struct sock *sk)
2666
{
2667
	u16 opcode = extended ? HCI_OP_READ_LOCAL_OOB_EXT_DATA :
2668
					HCI_OP_READ_LOCAL_OOB_DATA;
2669

2670
	return __hci_cmd_sync_sk(hdev, opcode, 0, NULL, 0, HCI_CMD_TIMEOUT, sk);
2671
}
2672

2673
static struct conn_params *conn_params_copy(struct list_head *list, size_t *n)
2674
{
2675
	struct hci_conn_params *params;
2676
	struct conn_params *p;
2677
	size_t i;
2678

2679
	rcu_read_lock();
2680

2681
	i = 0;
2682
	list_for_each_entry_rcu(params, list, action)
2683
		++i;
2684
	*n = i;
2685

2686
	rcu_read_unlock();
2687

2688
	p = kvcalloc(*n, sizeof(struct conn_params), GFP_KERNEL);
2689
	if (!p)
2690
		return NULL;
2691

2692
	rcu_read_lock();
2693

2694
	i = 0;
2695
	list_for_each_entry_rcu(params, list, action) {
2696
		/* Racing adds are handled in next scan update */
2697
		if (i >= *n)
2698
			break;
2699

2700
		/* No hdev->lock, but: addr, addr_type are immutable.
2701
		 * privacy_mode is only written by us or in
2702
		 * hci_cc_le_set_privacy_mode that we wait for.
2703
		 * We should be idempotent so MGMT updating flags
2704
		 * while we are processing is OK.
2705
		 */
2706
		bacpy(&p[i].addr, &params->addr);
2707
		p[i].addr_type = params->addr_type;
2708
		p[i].flags = READ_ONCE(params->flags);
2709
		p[i].privacy_mode = READ_ONCE(params->privacy_mode);
2710
		++i;
2711
	}
2712

2713
	rcu_read_unlock();
2714

2715
	*n = i;
2716
	return p;
2717
}
2718

2719
/* Clear LE Accept List */
2720
static int hci_le_clear_accept_list_sync(struct hci_dev *hdev)
2721
{
2722
	if (!(hdev->commands[26] & 0x80))
2723
		return 0;
2724

2725
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_CLEAR_ACCEPT_LIST, 0, NULL,
2726
				     HCI_CMD_TIMEOUT);
2727
}
2728

2729
/* Device must not be scanning when updating the accept list.
2730
 *
2731
 * Update is done using the following sequence:
2732
 *
2733
 * ll_privacy_capable((Disable Advertising) -> Disable Resolving List) ->
2734
 * Remove Devices From Accept List ->
2735
 * (has IRK && ll_privacy_capable(Remove Devices From Resolving List))->
2736
 * Add Devices to Accept List ->
2737
 * (has IRK && ll_privacy_capable(Remove Devices From Resolving List)) ->
2738
 * ll_privacy_capable(Enable Resolving List -> (Enable Advertising)) ->
2739
 * Enable Scanning
2740
 *
2741
 * In case of failure advertising shall be restored to its original state and
2742
 * return would disable accept list since either accept or resolving list could
2743
 * not be programmed.
2744
 *
2745
 */
2746
static u8 hci_update_accept_list_sync(struct hci_dev *hdev)
2747
{
2748
	struct conn_params *params;
2749
	struct bdaddr_list *b, *t;
2750
	u8 num_entries = 0;
2751
	bool pend_conn, pend_report;
2752
	u8 filter_policy;
2753
	size_t i, n;
2754
	int err;
2755

2756
	/* Pause advertising if resolving list can be used as controllers
2757
	 * cannot accept resolving list modifications while advertising.
2758
	 */
2759
	if (ll_privacy_capable(hdev)) {
2760
		err = hci_pause_advertising_sync(hdev);
2761
		if (err) {
2762
			bt_dev_err(hdev, "pause advertising failed: %d", err);
2763
			return 0x00;
2764
		}
2765
	}
2766

2767
	/* Disable address resolution while reprogramming accept list since
2768
	 * devices that do have an IRK will be programmed in the resolving list
2769
	 * when LL Privacy is enabled.
2770
	 */
2771
	err = hci_le_set_addr_resolution_enable_sync(hdev, 0x00);
2772
	if (err) {
2773
		bt_dev_err(hdev, "Unable to disable LL privacy: %d", err);
2774
		goto done;
2775
	}
2776

2777
	/* Force address filtering if PA Sync is in progress */
2778
	if (hci_dev_test_flag(hdev, HCI_PA_SYNC)) {
2779
		struct hci_conn *conn;
2780

2781
		conn = hci_conn_hash_lookup_create_pa_sync(hdev);
2782
		if (conn) {
2783
			struct conn_params pa;
2784

2785
			memset(&pa, 0, sizeof(pa));
2786

2787
			bacpy(&pa.addr, &conn->dst);
2788
			pa.addr_type = conn->dst_type;
2789

2790
			/* Clear first since there could be addresses left
2791
			 * behind.
2792
			 */
2793
			hci_le_clear_accept_list_sync(hdev);
2794

2795
			num_entries = 1;
2796
			err = hci_le_add_accept_list_sync(hdev, &pa,
2797
							  &num_entries);
2798
			goto done;
2799
		}
2800
	}
2801

2802
	/* Go through the current accept list programmed into the
2803
	 * controller one by one and check if that address is connected or is
2804
	 * still in the list of pending connections or list of devices to
2805
	 * report. If not present in either list, then remove it from
2806
	 * the controller.
2807
	 */
2808
	list_for_each_entry_safe(b, t, &hdev->le_accept_list, list) {
2809
		if (hci_conn_hash_lookup_le(hdev, &b->bdaddr, b->bdaddr_type))
2810
			continue;
2811

2812
		/* Pointers not dereferenced, no locks needed */
2813
		pend_conn = hci_pend_le_action_lookup(&hdev->pend_le_conns,
2814
						      &b->bdaddr,
2815
						      b->bdaddr_type);
2816
		pend_report = hci_pend_le_action_lookup(&hdev->pend_le_reports,
2817
							&b->bdaddr,
2818
							b->bdaddr_type);
2819

2820
		/* If the device is not likely to connect or report,
2821
		 * remove it from the acceptlist.
2822
		 */
2823
		if (!pend_conn && !pend_report) {
2824
			hci_le_del_accept_list_sync(hdev, &b->bdaddr,
2825
						    b->bdaddr_type);
2826
			continue;
2827
		}
2828

2829
		num_entries++;
2830
	}
2831

2832
	/* Since all no longer valid accept list entries have been
2833
	 * removed, walk through the list of pending connections
2834
	 * and ensure that any new device gets programmed into
2835
	 * the controller.
2836
	 *
2837
	 * If the list of the devices is larger than the list of
2838
	 * available accept list entries in the controller, then
2839
	 * just abort and return filer policy value to not use the
2840
	 * accept list.
2841
	 *
2842
	 * The list and params may be mutated while we wait for events,
2843
	 * so make a copy and iterate it.
2844
	 */
2845

2846
	params = conn_params_copy(&hdev->pend_le_conns, &n);
2847
	if (!params) {
2848
		err = -ENOMEM;
2849
		goto done;
2850
	}
2851

2852
	for (i = 0; i < n; ++i) {
2853
		err = hci_le_add_accept_list_sync(hdev, &params[i],
2854
						  &num_entries);
2855
		if (err) {
2856
			kvfree(params);
2857
			goto done;
2858
		}
2859
	}
2860

2861
	kvfree(params);
2862

2863
	/* After adding all new pending connections, walk through
2864
	 * the list of pending reports and also add these to the
2865
	 * accept list if there is still space. Abort if space runs out.
2866
	 */
2867

2868
	params = conn_params_copy(&hdev->pend_le_reports, &n);
2869
	if (!params) {
2870
		err = -ENOMEM;
2871
		goto done;
2872
	}
2873

2874
	for (i = 0; i < n; ++i) {
2875
		err = hci_le_add_accept_list_sync(hdev, &params[i],
2876
						  &num_entries);
2877
		if (err) {
2878
			kvfree(params);
2879
			goto done;
2880
		}
2881
	}
2882

2883
	kvfree(params);
2884

2885
	/* Use the allowlist unless the following conditions are all true:
2886
	 * - We are not currently suspending
2887
	 * - There are 1 or more ADV monitors registered and it's not offloaded
2888
	 * - Interleaved scanning is not currently using the allowlist
2889
	 */
2890
	if (!idr_is_empty(&hdev->adv_monitors_idr) && !hdev->suspended &&
2891
	    hci_get_adv_monitor_offload_ext(hdev) == HCI_ADV_MONITOR_EXT_NONE &&
2892
	    hdev->interleave_scan_state != INTERLEAVE_SCAN_ALLOWLIST)
2893
		err = -EINVAL;
2894

2895
done:
2896
	filter_policy = err ? 0x00 : 0x01;
2897

2898
	/* Enable address resolution when LL Privacy is enabled. */
2899
	err = hci_le_set_addr_resolution_enable_sync(hdev, 0x01);
2900
	if (err)
2901
		bt_dev_err(hdev, "Unable to enable LL privacy: %d", err);
2902

2903
	/* Resume advertising if it was paused */
2904
	if (ll_privacy_capable(hdev))
2905
		hci_resume_advertising_sync(hdev);
2906

2907
	/* Select filter policy to use accept list */
2908
	return filter_policy;
2909
}
2910

2911
static void hci_le_scan_phy_params(struct hci_cp_le_scan_phy_params *cp,
2912
				   u8 type, u16 interval, u16 window)
2913
{
2914
	cp->type = type;
2915
	cp->interval = cpu_to_le16(interval);
2916
	cp->window = cpu_to_le16(window);
2917
}
2918

2919
static int hci_le_set_ext_scan_param_sync(struct hci_dev *hdev, u8 type,
2920
					  u16 interval, u16 window,
2921
					  u8 own_addr_type, u8 filter_policy)
2922
{
2923
	struct hci_cp_le_set_ext_scan_params *cp;
2924
	struct hci_cp_le_scan_phy_params *phy;
2925
	u8 data[sizeof(*cp) + sizeof(*phy) * 2];
2926
	u8 num_phy = 0x00;
2927

2928
	cp = (void *)data;
2929
	phy = (void *)cp->data;
2930

2931
	memset(data, 0, sizeof(data));
2932

2933
	cp->own_addr_type = own_addr_type;
2934
	cp->filter_policy = filter_policy;
2935

2936
	/* Check if PA Sync is in progress then select the PHY based on the
2937
	 * hci_conn.iso_qos.
2938
	 */
2939
	if (hci_dev_test_flag(hdev, HCI_PA_SYNC)) {
2940
		struct hci_cp_le_add_to_accept_list *sent;
2941

2942
		sent = hci_sent_cmd_data(hdev, HCI_OP_LE_ADD_TO_ACCEPT_LIST);
2943
		if (sent) {
2944
			struct hci_conn *conn;
2945

2946
			conn = hci_conn_hash_lookup_ba(hdev, PA_LINK,
2947
						       &sent->bdaddr);
2948
			if (conn) {
2949
				struct bt_iso_qos *qos = &conn->iso_qos;
2950

2951
				if (qos->bcast.in.phy & BT_ISO_PHY_1M ||
2952
				    qos->bcast.in.phy & BT_ISO_PHY_2M) {
2953
					cp->scanning_phys |= LE_SCAN_PHY_1M;
2954
					hci_le_scan_phy_params(phy, type,
2955
							       interval,
2956
							       window);
2957
					num_phy++;
2958
					phy++;
2959
				}
2960

2961
				if (qos->bcast.in.phy & BT_ISO_PHY_CODED) {
2962
					cp->scanning_phys |= LE_SCAN_PHY_CODED;
2963
					hci_le_scan_phy_params(phy, type,
2964
							       interval * 3,
2965
							       window * 3);
2966
					num_phy++;
2967
					phy++;
2968
				}
2969

2970
				if (num_phy)
2971
					goto done;
2972
			}
2973
		}
2974
	}
2975

2976
	if (scan_1m(hdev) || scan_2m(hdev)) {
2977
		cp->scanning_phys |= LE_SCAN_PHY_1M;
2978
		hci_le_scan_phy_params(phy, type, interval, window);
2979
		num_phy++;
2980
		phy++;
2981
	}
2982

2983
	if (scan_coded(hdev)) {
2984
		cp->scanning_phys |= LE_SCAN_PHY_CODED;
2985
		hci_le_scan_phy_params(phy, type, interval * 3, window * 3);
2986
		num_phy++;
2987
		phy++;
2988
	}
2989

2990
done:
2991
	if (!num_phy)
2992
		return -EINVAL;
2993

2994
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_EXT_SCAN_PARAMS,
2995
				     sizeof(*cp) + sizeof(*phy) * num_phy,
2996
				     data, HCI_CMD_TIMEOUT);
2997
}
2998

2999
static int hci_le_set_scan_param_sync(struct hci_dev *hdev, u8 type,
3000
				      u16 interval, u16 window,
3001
				      u8 own_addr_type, u8 filter_policy)
3002
{
3003
	struct hci_cp_le_set_scan_param cp;
3004

3005
	if (use_ext_scan(hdev))
3006
		return hci_le_set_ext_scan_param_sync(hdev, type, interval,
3007
						      window, own_addr_type,
3008
						      filter_policy);
3009

3010
	memset(&cp, 0, sizeof(cp));
3011
	cp.type = type;
3012
	cp.interval = cpu_to_le16(interval);
3013
	cp.window = cpu_to_le16(window);
3014
	cp.own_address_type = own_addr_type;
3015
	cp.filter_policy = filter_policy;
3016

3017
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_SCAN_PARAM,
3018
				     sizeof(cp), &cp, HCI_CMD_TIMEOUT);
3019
}
3020

3021
static int hci_start_scan_sync(struct hci_dev *hdev, u8 type, u16 interval,
3022
			       u16 window, u8 own_addr_type, u8 filter_policy,
3023
			       u8 filter_dup)
3024
{
3025
	int err;
3026

3027
	if (hdev->scanning_paused) {
3028
		bt_dev_dbg(hdev, "Scanning is paused for suspend");
3029
		return 0;
3030
	}
3031

3032
	err = hci_le_set_scan_param_sync(hdev, type, interval, window,
3033
					 own_addr_type, filter_policy);
3034
	if (err)
3035
		return err;
3036

3037
	return hci_le_set_scan_enable_sync(hdev, LE_SCAN_ENABLE, filter_dup);
3038
}
3039

3040
static int hci_passive_scan_sync(struct hci_dev *hdev)
3041
{
3042
	u8 own_addr_type;
3043
	u8 filter_policy;
3044
	u16 window, interval;
3045
	u8 filter_dups = LE_SCAN_FILTER_DUP_ENABLE;
3046
	int err;
3047

3048
	if (hdev->scanning_paused) {
3049
		bt_dev_dbg(hdev, "Scanning is paused for suspend");
3050
		return 0;
3051
	}
3052

3053
	err = hci_scan_disable_sync(hdev);
3054
	if (err) {
3055
		bt_dev_err(hdev, "disable scanning failed: %d", err);
3056
		return err;
3057
	}
3058

3059
	/* Set require_privacy to false since no SCAN_REQ are send
3060
	 * during passive scanning. Not using an non-resolvable address
3061
	 * here is important so that peer devices using direct
3062
	 * advertising with our address will be correctly reported
3063
	 * by the controller.
3064
	 */
3065
	if (hci_update_random_address_sync(hdev, false, scan_use_rpa(hdev),
3066
					   &own_addr_type))
3067
		return 0;
3068

3069
	if (hdev->enable_advmon_interleave_scan &&
3070
	    hci_update_interleaved_scan_sync(hdev))
3071
		return 0;
3072

3073
	bt_dev_dbg(hdev, "interleave state %d", hdev->interleave_scan_state);
3074

3075
	/* Adding or removing entries from the accept list must
3076
	 * happen before enabling scanning. The controller does
3077
	 * not allow accept list modification while scanning.
3078
	 */
3079
	filter_policy = hci_update_accept_list_sync(hdev);
3080

3081
	/* If suspended and filter_policy set to 0x00 (no acceptlist) then
3082
	 * passive scanning cannot be started since that would require the host
3083
	 * to be woken up to process the reports.
3084
	 */
3085
	if (hdev->suspended && !filter_policy) {
3086
		/* Check if accept list is empty then there is no need to scan
3087
		 * while suspended.
3088
		 */
3089
		if (list_empty(&hdev->le_accept_list))
3090
			return 0;
3091

3092
		/* If there are devices is the accept_list that means some
3093
		 * devices could not be programmed which in non-suspended case
3094
		 * means filter_policy needs to be set to 0x00 so the host needs
3095
		 * to filter, but since this is treating suspended case we
3096
		 * can ignore device needing host to filter to allow devices in
3097
		 * the acceptlist to be able to wakeup the system.
3098
		 */
3099
		filter_policy = 0x01;
3100
	}
3101

3102
	/* When the controller is using random resolvable addresses and
3103
	 * with that having LE privacy enabled, then controllers with
3104
	 * Extended Scanner Filter Policies support can now enable support
3105
	 * for handling directed advertising.
3106
	 *
3107
	 * So instead of using filter polices 0x00 (no acceptlist)
3108
	 * and 0x01 (acceptlist enabled) use the new filter policies
3109
	 * 0x02 (no acceptlist) and 0x03 (acceptlist enabled).
3110
	 */
3111
	if (hci_dev_test_flag(hdev, HCI_PRIVACY) &&
3112
	    (hdev->le_features[0] & HCI_LE_EXT_SCAN_POLICY))
3113
		filter_policy |= 0x02;
3114

3115
	if (hdev->suspended) {
3116
		window = hdev->le_scan_window_suspend;
3117
		interval = hdev->le_scan_int_suspend;
3118
	} else if (hci_is_le_conn_scanning(hdev)) {
3119
		window = hdev->le_scan_window_connect;
3120
		interval = hdev->le_scan_int_connect;
3121
	} else if (hci_is_adv_monitoring(hdev)) {
3122
		window = hdev->le_scan_window_adv_monitor;
3123
		interval = hdev->le_scan_int_adv_monitor;
3124

3125
		/* Disable duplicates filter when scanning for advertisement
3126
		 * monitor for the following reasons.
3127
		 *
3128
		 * For HW pattern filtering (ex. MSFT), Realtek and Qualcomm
3129
		 * controllers ignore RSSI_Sampling_Period when the duplicates
3130
		 * filter is enabled.
3131
		 *
3132
		 * For SW pattern filtering, when we're not doing interleaved
3133
		 * scanning, it is necessary to disable duplicates filter,
3134
		 * otherwise hosts can only receive one advertisement and it's
3135
		 * impossible to know if a peer is still in range.
3136
		 */
3137
		filter_dups = LE_SCAN_FILTER_DUP_DISABLE;
3138
	} else {
3139
		window = hdev->le_scan_window;
3140
		interval = hdev->le_scan_interval;
3141
	}
3142

3143
	/* Disable all filtering for Mesh */
3144
	if (hci_dev_test_flag(hdev, HCI_MESH)) {
3145
		filter_policy = 0;
3146
		filter_dups = LE_SCAN_FILTER_DUP_DISABLE;
3147
	}
3148

3149
	bt_dev_dbg(hdev, "LE passive scan with acceptlist = %d", filter_policy);
3150

3151
	return hci_start_scan_sync(hdev, LE_SCAN_PASSIVE, interval, window,
3152
				   own_addr_type, filter_policy, filter_dups);
3153
}
3154

3155
/* This function controls the passive scanning based on hdev->pend_le_conns
3156
 * list. If there are pending LE connection we start the background scanning,
3157
 * otherwise we stop it in the following sequence:
3158
 *
3159
 * If there are devices to scan:
3160
 *
3161
 * Disable Scanning -> Update Accept List ->
3162
 * ll_privacy_capable((Disable Advertising) -> Disable Resolving List ->
3163
 * Update Resolving List -> Enable Resolving List -> (Enable Advertising)) ->
3164
 * Enable Scanning
3165
 *
3166
 * Otherwise:
3167
 *
3168
 * Disable Scanning
3169
 */
3170
int hci_update_passive_scan_sync(struct hci_dev *hdev)
3171
{
3172
	int err;
3173

3174
	if (!test_bit(HCI_UP, &hdev->flags) ||
3175
	    test_bit(HCI_INIT, &hdev->flags) ||
3176
	    hci_dev_test_flag(hdev, HCI_SETUP) ||
3177
	    hci_dev_test_flag(hdev, HCI_CONFIG) ||
3178
	    hci_dev_test_flag(hdev, HCI_AUTO_OFF) ||
3179
	    hci_dev_test_flag(hdev, HCI_UNREGISTER))
3180
		return 0;
3181

3182
	/* No point in doing scanning if LE support hasn't been enabled */
3183
	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
3184
		return 0;
3185

3186
	/* If discovery is active don't interfere with it */
3187
	if (hdev->discovery.state != DISCOVERY_STOPPED)
3188
		return 0;
3189

3190
	/* Reset RSSI and UUID filters when starting background scanning
3191
	 * since these filters are meant for service discovery only.
3192
	 *
3193
	 * The Start Discovery and Start Service Discovery operations
3194
	 * ensure to set proper values for RSSI threshold and UUID
3195
	 * filter list. So it is safe to just reset them here.
3196
	 */
3197
	hci_discovery_filter_clear(hdev);
3198

3199
	bt_dev_dbg(hdev, "ADV monitoring is %s",
3200
		   hci_is_adv_monitoring(hdev) ? "on" : "off");
3201

3202
	if (!hci_dev_test_flag(hdev, HCI_MESH) &&
3203
	    list_empty(&hdev->pend_le_conns) &&
3204
	    list_empty(&hdev->pend_le_reports) &&
3205
	    !hci_is_adv_monitoring(hdev) &&
3206
	    !hci_dev_test_flag(hdev, HCI_PA_SYNC)) {
3207
		/* If there is no pending LE connections or devices
3208
		 * to be scanned for or no ADV monitors, we should stop the
3209
		 * background scanning.
3210
		 */
3211

3212
		bt_dev_dbg(hdev, "stopping background scanning");
3213

3214
		err = hci_scan_disable_sync(hdev);
3215
		if (err)
3216
			bt_dev_err(hdev, "stop background scanning failed: %d",
3217
				   err);
3218
	} else {
3219
		/* If there is at least one pending LE connection, we should
3220
		 * keep the background scan running.
3221
		 */
3222

3223
		/* If controller is connecting, we should not start scanning
3224
		 * since some controllers are not able to scan and connect at
3225
		 * the same time.
3226
		 */
3227
		if (hci_lookup_le_connect(hdev))
3228
			return 0;
3229

3230
		bt_dev_dbg(hdev, "start background scanning");
3231

3232
		err = hci_passive_scan_sync(hdev);
3233
		if (err)
3234
			bt_dev_err(hdev, "start background scanning failed: %d",
3235
				   err);
3236
	}
3237

3238
	return err;
3239
}
3240

3241
static int update_scan_sync(struct hci_dev *hdev, void *data)
3242
{
3243
	return hci_update_scan_sync(hdev);
3244
}
3245

3246
int hci_update_scan(struct hci_dev *hdev)
3247
{
3248
	return hci_cmd_sync_queue(hdev, update_scan_sync, NULL, NULL);
3249
}
3250

3251
static int update_passive_scan_sync(struct hci_dev *hdev, void *data)
3252
{
3253
	return hci_update_passive_scan_sync(hdev);
3254
}
3255

3256
int hci_update_passive_scan(struct hci_dev *hdev)
3257
{
3258
	/* Only queue if it would have any effect */
3259
	if (!test_bit(HCI_UP, &hdev->flags) ||
3260
	    test_bit(HCI_INIT, &hdev->flags) ||
3261
	    hci_dev_test_flag(hdev, HCI_SETUP) ||
3262
	    hci_dev_test_flag(hdev, HCI_CONFIG) ||
3263
	    hci_dev_test_flag(hdev, HCI_AUTO_OFF) ||
3264
	    hci_dev_test_flag(hdev, HCI_UNREGISTER))
3265
		return 0;
3266

3267
	return hci_cmd_sync_queue_once(hdev, update_passive_scan_sync, NULL,
3268
				       NULL);
3269
}
3270

3271
int hci_write_sc_support_sync(struct hci_dev *hdev, u8 val)
3272
{
3273
	int err;
3274

3275
	if (!bredr_sc_enabled(hdev) || lmp_host_sc_capable(hdev))
3276
		return 0;
3277

3278
	err = __hci_cmd_sync_status(hdev, HCI_OP_WRITE_SC_SUPPORT,
3279
				    sizeof(val), &val, HCI_CMD_TIMEOUT);
3280

3281
	if (!err) {
3282
		if (val) {
3283
			hdev->features[1][0] |= LMP_HOST_SC;
3284
			hci_dev_set_flag(hdev, HCI_SC_ENABLED);
3285
		} else {
3286
			hdev->features[1][0] &= ~LMP_HOST_SC;
3287
			hci_dev_clear_flag(hdev, HCI_SC_ENABLED);
3288
		}
3289
	}
3290

3291
	return err;
3292
}
3293

3294
int hci_write_ssp_mode_sync(struct hci_dev *hdev, u8 mode)
3295
{
3296
	int err;
3297

3298
	if (!hci_dev_test_flag(hdev, HCI_SSP_ENABLED) ||
3299
	    lmp_host_ssp_capable(hdev))
3300
		return 0;
3301

3302
	if (!mode && hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
3303
		__hci_cmd_sync_status(hdev, HCI_OP_WRITE_SSP_DEBUG_MODE,
3304
				      sizeof(mode), &mode, HCI_CMD_TIMEOUT);
3305
	}
3306

3307
	err = __hci_cmd_sync_status(hdev, HCI_OP_WRITE_SSP_MODE,
3308
				    sizeof(mode), &mode, HCI_CMD_TIMEOUT);
3309
	if (err)
3310
		return err;
3311

3312
	return hci_write_sc_support_sync(hdev, 0x01);
3313
}
3314

3315
int hci_write_le_host_supported_sync(struct hci_dev *hdev, u8 le, u8 simul)
3316
{
3317
	struct hci_cp_write_le_host_supported cp;
3318

3319
	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED) ||
3320
	    !lmp_bredr_capable(hdev))
3321
		return 0;
3322

3323
	/* Check first if we already have the right host state
3324
	 * (host features set)
3325
	 */
3326
	if (le == lmp_host_le_capable(hdev) &&
3327
	    simul == lmp_host_le_br_capable(hdev))
3328
		return 0;
3329

3330
	memset(&cp, 0, sizeof(cp));
3331

3332
	cp.le = le;
3333
	cp.simul = simul;
3334

3335
	return __hci_cmd_sync_status(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED,
3336
				     sizeof(cp), &cp, HCI_CMD_TIMEOUT);
3337
}
3338

3339
static int hci_powered_update_adv_sync(struct hci_dev *hdev)
3340
{
3341
	struct adv_info *adv, *tmp;
3342
	int err;
3343

3344
	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
3345
		return 0;
3346

3347
	/* If RPA Resolution has not been enable yet it means the
3348
	 * resolving list is empty and we should attempt to program the
3349
	 * local IRK in order to support using own_addr_type
3350
	 * ADDR_LE_DEV_RANDOM_RESOLVED (0x03).
3351
	 */
3352
	if (!hci_dev_test_flag(hdev, HCI_LL_RPA_RESOLUTION)) {
3353
		hci_le_add_resolve_list_sync(hdev, NULL);
3354
		hci_le_set_addr_resolution_enable_sync(hdev, 0x01);
3355
	}
3356

3357
	/* Make sure the controller has a good default for
3358
	 * advertising data. This also applies to the case
3359
	 * where BR/EDR was toggled during the AUTO_OFF phase.
3360
	 */
3361
	if (hci_dev_test_flag(hdev, HCI_ADVERTISING) &&
3362
	    list_empty(&hdev->adv_instances)) {
3363
		if (ext_adv_capable(hdev)) {
3364
			err = hci_setup_ext_adv_instance_sync(hdev, 0x00);
3365
			if (!err)
3366
				hci_update_scan_rsp_data_sync(hdev, 0x00);
3367
		} else {
3368
			err = hci_update_adv_data_sync(hdev, 0x00);
3369
			if (!err)
3370
				hci_update_scan_rsp_data_sync(hdev, 0x00);
3371
		}
3372

3373
		if (hci_dev_test_flag(hdev, HCI_ADVERTISING))
3374
			hci_enable_advertising_sync(hdev);
3375
	}
3376

3377
	/* Call for each tracked instance to be scheduled */
3378
	list_for_each_entry_safe(adv, tmp, &hdev->adv_instances, list)
3379
		hci_schedule_adv_instance_sync(hdev, adv->instance, true);
3380

3381
	return 0;
3382
}
3383

3384
static int hci_write_auth_enable_sync(struct hci_dev *hdev)
3385
{
3386
	u8 link_sec;
3387

3388
	link_sec = hci_dev_test_flag(hdev, HCI_LINK_SECURITY);
3389
	if (link_sec == test_bit(HCI_AUTH, &hdev->flags))
3390
		return 0;
3391

3392
	return __hci_cmd_sync_status(hdev, HCI_OP_WRITE_AUTH_ENABLE,
3393
				     sizeof(link_sec), &link_sec,
3394
				     HCI_CMD_TIMEOUT);
3395
}
3396

3397
int hci_write_fast_connectable_sync(struct hci_dev *hdev, bool enable)
3398
{
3399
	struct hci_cp_write_page_scan_activity cp;
3400
	u8 type;
3401
	int err = 0;
3402

3403
	if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
3404
		return 0;
3405

3406
	if (hdev->hci_ver < BLUETOOTH_VER_1_2)
3407
		return 0;
3408

3409
	memset(&cp, 0, sizeof(cp));
3410

3411
	if (enable) {
3412
		type = PAGE_SCAN_TYPE_INTERLACED;
3413

3414
		/* 160 msec page scan interval */
3415
		cp.interval = cpu_to_le16(0x0100);
3416
	} else {
3417
		type = hdev->def_page_scan_type;
3418
		cp.interval = cpu_to_le16(hdev->def_page_scan_int);
3419
	}
3420

3421
	cp.window = cpu_to_le16(hdev->def_page_scan_window);
3422

3423
	if (__cpu_to_le16(hdev->page_scan_interval) != cp.interval ||
3424
	    __cpu_to_le16(hdev->page_scan_window) != cp.window) {
3425
		err = __hci_cmd_sync_status(hdev,
3426
					    HCI_OP_WRITE_PAGE_SCAN_ACTIVITY,
3427
					    sizeof(cp), &cp, HCI_CMD_TIMEOUT);
3428
		if (err)
3429
			return err;
3430
	}
3431

3432
	if (hdev->page_scan_type != type)
3433
		err = __hci_cmd_sync_status(hdev,
3434
					    HCI_OP_WRITE_PAGE_SCAN_TYPE,
3435
					    sizeof(type), &type,
3436
					    HCI_CMD_TIMEOUT);
3437

3438
	return err;
3439
}
3440

3441
static bool disconnected_accept_list_entries(struct hci_dev *hdev)
3442
{
3443
	struct bdaddr_list *b;
3444

3445
	list_for_each_entry(b, &hdev->accept_list, list) {
3446
		struct hci_conn *conn;
3447

3448
		conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &b->bdaddr);
3449
		if (!conn)
3450
			return true;
3451

3452
		if (conn->state != BT_CONNECTED && conn->state != BT_CONFIG)
3453
			return true;
3454
	}
3455

3456
	return false;
3457
}
3458

3459
static int hci_write_scan_enable_sync(struct hci_dev *hdev, u8 val)
3460
{
3461
	return __hci_cmd_sync_status(hdev, HCI_OP_WRITE_SCAN_ENABLE,
3462
					    sizeof(val), &val,
3463
					    HCI_CMD_TIMEOUT);
3464
}
3465

3466
int hci_update_scan_sync(struct hci_dev *hdev)
3467
{
3468
	u8 scan;
3469

3470
	if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
3471
		return 0;
3472

3473
	if (!hdev_is_powered(hdev))
3474
		return 0;
3475

3476
	if (mgmt_powering_down(hdev))
3477
		return 0;
3478

3479
	if (hdev->scanning_paused)
3480
		return 0;
3481

3482
	if (hci_dev_test_flag(hdev, HCI_CONNECTABLE) ||
3483
	    disconnected_accept_list_entries(hdev))
3484
		scan = SCAN_PAGE;
3485
	else
3486
		scan = SCAN_DISABLED;
3487

3488
	if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE))
3489
		scan |= SCAN_INQUIRY;
3490

3491
	if (test_bit(HCI_PSCAN, &hdev->flags) == !!(scan & SCAN_PAGE) &&
3492
	    test_bit(HCI_ISCAN, &hdev->flags) == !!(scan & SCAN_INQUIRY))
3493
		return 0;
3494

3495
	return hci_write_scan_enable_sync(hdev, scan);
3496
}
3497

3498
int hci_update_name_sync(struct hci_dev *hdev, const u8 *name)
3499
{
3500
	struct hci_cp_write_local_name cp;
3501

3502
	memset(&cp, 0, sizeof(cp));
3503

3504
	memcpy(cp.name, name, sizeof(cp.name));
3505

3506
	return __hci_cmd_sync_status(hdev, HCI_OP_WRITE_LOCAL_NAME,
3507
					    sizeof(cp), &cp,
3508
					    HCI_CMD_TIMEOUT);
3509
}
3510

3511
/* This function perform powered update HCI command sequence after the HCI init
3512
 * sequence which end up resetting all states, the sequence is as follows:
3513
 *
3514
 * HCI_SSP_ENABLED(Enable SSP)
3515
 * HCI_LE_ENABLED(Enable LE)
3516
 * HCI_LE_ENABLED(ll_privacy_capable(Add local IRK to Resolving List) ->
3517
 * Update adv data)
3518
 * Enable Authentication
3519
 * lmp_bredr_capable(Set Fast Connectable -> Set Scan Type -> Set Class ->
3520
 * Set Name -> Set EIR)
3521
 * HCI_FORCE_STATIC_ADDR | BDADDR_ANY && !HCI_BREDR_ENABLED (Set Static Address)
3522
 */
3523
int hci_powered_update_sync(struct hci_dev *hdev)
3524
{
3525
	int err;
3526

3527
	/* Register the available SMP channels (BR/EDR and LE) only when
3528
	 * successfully powering on the controller. This late
3529
	 * registration is required so that LE SMP can clearly decide if
3530
	 * the public address or static address is used.
3531
	 */
3532
	smp_register(hdev);
3533

3534
	err = hci_write_ssp_mode_sync(hdev, 0x01);
3535
	if (err)
3536
		return err;
3537

3538
	err = hci_write_le_host_supported_sync(hdev, 0x01, 0x00);
3539
	if (err)
3540
		return err;
3541

3542
	err = hci_powered_update_adv_sync(hdev);
3543
	if (err)
3544
		return err;
3545

3546
	err = hci_write_auth_enable_sync(hdev);
3547
	if (err)
3548
		return err;
3549

3550
	if (lmp_bredr_capable(hdev)) {
3551
		if (hci_dev_test_flag(hdev, HCI_FAST_CONNECTABLE))
3552
			hci_write_fast_connectable_sync(hdev, true);
3553
		else
3554
			hci_write_fast_connectable_sync(hdev, false);
3555
		hci_update_scan_sync(hdev);
3556
		hci_update_class_sync(hdev);
3557
		hci_update_name_sync(hdev, hdev->dev_name);
3558
		hci_update_eir_sync(hdev);
3559
	}
3560

3561
	/* If forcing static address is in use or there is no public
3562
	 * address use the static address as random address (but skip
3563
	 * the HCI command if the current random address is already the
3564
	 * static one.
3565
	 *
3566
	 * In case BR/EDR has been disabled on a dual-mode controller
3567
	 * and a static address has been configured, then use that
3568
	 * address instead of the public BR/EDR address.
3569
	 */
3570
	if (hci_dev_test_flag(hdev, HCI_FORCE_STATIC_ADDR) ||
3571
	    (!bacmp(&hdev->bdaddr, BDADDR_ANY) &&
3572
	    !hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))) {
3573
		if (bacmp(&hdev->static_addr, BDADDR_ANY))
3574
			return hci_set_random_addr_sync(hdev,
3575
							&hdev->static_addr);
3576
	}
3577

3578
	return 0;
3579
}
3580

3581
/**
3582
 * hci_dev_get_bd_addr_from_property - Get the Bluetooth Device Address
3583
 *				       (BD_ADDR) for a HCI device from
3584
 *				       a firmware node property.
3585
 * @hdev:	The HCI device
3586
 *
3587
 * Search the firmware node for 'local-bd-address'.
3588
 *
3589
 * All-zero BD addresses are rejected, because those could be properties
3590
 * that exist in the firmware tables, but were not updated by the firmware. For
3591
 * example, the DTS could define 'local-bd-address', with zero BD addresses.
3592
 */
3593
static void hci_dev_get_bd_addr_from_property(struct hci_dev *hdev)
3594
{
3595
	struct fwnode_handle *fwnode = dev_fwnode(hdev->dev.parent);
3596
	bdaddr_t ba;
3597
	int ret;
3598

3599
	ret = fwnode_property_read_u8_array(fwnode, "local-bd-address",
3600
					    (u8 *)&ba, sizeof(ba));
3601
	if (ret < 0 || !bacmp(&ba, BDADDR_ANY))
3602
		return;
3603

3604
	if (hci_test_quirk(hdev, HCI_QUIRK_BDADDR_PROPERTY_BROKEN))
3605
		baswap(&hdev->public_addr, &ba);
3606
	else
3607
		bacpy(&hdev->public_addr, &ba);
3608
}
3609

3610
struct hci_init_stage {
3611
	int (*func)(struct hci_dev *hdev);
3612
};
3613

3614
/* Run init stage NULL terminated function table */
3615
static int hci_init_stage_sync(struct hci_dev *hdev,
3616
			       const struct hci_init_stage *stage)
3617
{
3618
	size_t i;
3619

3620
	for (i = 0; stage[i].func; i++) {
3621
		int err;
3622

3623
		err = stage[i].func(hdev);
3624
		if (err)
3625
			return err;
3626
	}
3627

3628
	return 0;
3629
}
3630

3631
/* Read Local Version */
3632
static int hci_read_local_version_sync(struct hci_dev *hdev)
3633
{
3634
	return __hci_cmd_sync_status(hdev, HCI_OP_READ_LOCAL_VERSION,
3635
				     0, NULL, HCI_CMD_TIMEOUT);
3636
}
3637

3638
/* Read BD Address */
3639
static int hci_read_bd_addr_sync(struct hci_dev *hdev)
3640
{
3641
	return __hci_cmd_sync_status(hdev, HCI_OP_READ_BD_ADDR,
3642
				     0, NULL, HCI_CMD_TIMEOUT);
3643
}
3644

3645
#define HCI_INIT(_func) \
3646
{ \
3647
	.func = _func, \
3648
}
3649

3650
static const struct hci_init_stage hci_init0[] = {
3651
	/* HCI_OP_READ_LOCAL_VERSION */
3652
	HCI_INIT(hci_read_local_version_sync),
3653
	/* HCI_OP_READ_BD_ADDR */
3654
	HCI_INIT(hci_read_bd_addr_sync),
3655
	{}
3656
};
3657

3658
int hci_reset_sync(struct hci_dev *hdev)
3659
{
3660
	int err;
3661

3662
	set_bit(HCI_RESET, &hdev->flags);
3663

3664
	err = __hci_cmd_sync_status(hdev, HCI_OP_RESET, 0, NULL,
3665
				    HCI_CMD_TIMEOUT);
3666
	if (err)
3667
		return err;
3668

3669
	return 0;
3670
}
3671

3672
static int hci_init0_sync(struct hci_dev *hdev)
3673
{
3674
	int err;
3675

3676
	bt_dev_dbg(hdev, "");
3677

3678
	/* Reset */
3679
	if (!hci_test_quirk(hdev, HCI_QUIRK_RESET_ON_CLOSE)) {
3680
		err = hci_reset_sync(hdev);
3681
		if (err)
3682
			return err;
3683
	}
3684

3685
	return hci_init_stage_sync(hdev, hci_init0);
3686
}
3687

3688
static int hci_unconf_init_sync(struct hci_dev *hdev)
3689
{
3690
	int err;
3691

3692
	if (hci_test_quirk(hdev, HCI_QUIRK_RAW_DEVICE))
3693
		return 0;
3694

3695
	err = hci_init0_sync(hdev);
3696
	if (err < 0)
3697
		return err;
3698

3699
	if (hci_dev_test_flag(hdev, HCI_SETUP))
3700
		hci_debugfs_create_basic(hdev);
3701

3702
	return 0;
3703
}
3704

3705
/* Read Local Supported Features. */
3706
static int hci_read_local_features_sync(struct hci_dev *hdev)
3707
{
3708
	return __hci_cmd_sync_status(hdev, HCI_OP_READ_LOCAL_FEATURES,
3709
				     0, NULL, HCI_CMD_TIMEOUT);
3710
}
3711

3712
/* BR Controller init stage 1 command sequence */
3713
static const struct hci_init_stage br_init1[] = {
3714
	/* HCI_OP_READ_LOCAL_FEATURES */
3715
	HCI_INIT(hci_read_local_features_sync),
3716
	/* HCI_OP_READ_LOCAL_VERSION */
3717
	HCI_INIT(hci_read_local_version_sync),
3718
	/* HCI_OP_READ_BD_ADDR */
3719
	HCI_INIT(hci_read_bd_addr_sync),
3720
	{}
3721
};
3722

3723
/* Read Local Commands */
3724
static int hci_read_local_cmds_sync(struct hci_dev *hdev)
3725
{
3726
	/* All Bluetooth 1.2 and later controllers should support the
3727
	 * HCI command for reading the local supported commands.
3728
	 *
3729
	 * Unfortunately some controllers indicate Bluetooth 1.2 support,
3730
	 * but do not have support for this command. If that is the case,
3731
	 * the driver can quirk the behavior and skip reading the local
3732
	 * supported commands.
3733
	 */
3734
	if (hdev->hci_ver > BLUETOOTH_VER_1_1 &&
3735
	    !hci_test_quirk(hdev, HCI_QUIRK_BROKEN_LOCAL_COMMANDS))
3736
		return __hci_cmd_sync_status(hdev, HCI_OP_READ_LOCAL_COMMANDS,
3737
					     0, NULL, HCI_CMD_TIMEOUT);
3738

3739
	return 0;
3740
}
3741

3742
static int hci_init1_sync(struct hci_dev *hdev)
3743
{
3744
	int err;
3745

3746
	bt_dev_dbg(hdev, "");
3747

3748
	/* Reset */
3749
	if (!hci_test_quirk(hdev, HCI_QUIRK_RESET_ON_CLOSE)) {
3750
		err = hci_reset_sync(hdev);
3751
		if (err)
3752
			return err;
3753
	}
3754

3755
	return hci_init_stage_sync(hdev, br_init1);
3756
}
3757

3758
/* Read Buffer Size (ACL mtu, max pkt, etc.) */
3759
static int hci_read_buffer_size_sync(struct hci_dev *hdev)
3760
{
3761
	return __hci_cmd_sync_status(hdev, HCI_OP_READ_BUFFER_SIZE,
3762
				     0, NULL, HCI_CMD_TIMEOUT);
3763
}
3764

3765
/* Read Class of Device */
3766
static int hci_read_dev_class_sync(struct hci_dev *hdev)
3767
{
3768
	return __hci_cmd_sync_status(hdev, HCI_OP_READ_CLASS_OF_DEV,
3769
				     0, NULL, HCI_CMD_TIMEOUT);
3770
}
3771

3772
/* Read Local Name */
3773
static int hci_read_local_name_sync(struct hci_dev *hdev)
3774
{
3775
	return __hci_cmd_sync_status(hdev, HCI_OP_READ_LOCAL_NAME,
3776
				     0, NULL, HCI_CMD_TIMEOUT);
3777
}
3778

3779
/* Read Voice Setting */
3780
static int hci_read_voice_setting_sync(struct hci_dev *hdev)
3781
{
3782
	if (!read_voice_setting_capable(hdev))
3783
		return 0;
3784

3785
	return __hci_cmd_sync_status(hdev, HCI_OP_READ_VOICE_SETTING,
3786
				     0, NULL, HCI_CMD_TIMEOUT);
3787
}
3788

3789
/* Read Number of Supported IAC */
3790
static int hci_read_num_supported_iac_sync(struct hci_dev *hdev)
3791
{
3792
	return __hci_cmd_sync_status(hdev, HCI_OP_READ_NUM_SUPPORTED_IAC,
3793
				     0, NULL, HCI_CMD_TIMEOUT);
3794
}
3795

3796
/* Read Current IAC LAP */
3797
static int hci_read_current_iac_lap_sync(struct hci_dev *hdev)
3798
{
3799
	return __hci_cmd_sync_status(hdev, HCI_OP_READ_CURRENT_IAC_LAP,
3800
				     0, NULL, HCI_CMD_TIMEOUT);
3801
}
3802

3803
static int hci_set_event_filter_sync(struct hci_dev *hdev, u8 flt_type,
3804
				     u8 cond_type, bdaddr_t *bdaddr,
3805
				     u8 auto_accept)
3806
{
3807
	struct hci_cp_set_event_filter cp;
3808

3809
	if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
3810
		return 0;
3811

3812
	if (hci_test_quirk(hdev, HCI_QUIRK_BROKEN_FILTER_CLEAR_ALL))
3813
		return 0;
3814

3815
	memset(&cp, 0, sizeof(cp));
3816
	cp.flt_type = flt_type;
3817

3818
	if (flt_type != HCI_FLT_CLEAR_ALL) {
3819
		cp.cond_type = cond_type;
3820
		bacpy(&cp.addr_conn_flt.bdaddr, bdaddr);
3821
		cp.addr_conn_flt.auto_accept = auto_accept;
3822
	}
3823

3824
	return __hci_cmd_sync_status(hdev, HCI_OP_SET_EVENT_FLT,
3825
				     flt_type == HCI_FLT_CLEAR_ALL ?
3826
				     sizeof(cp.flt_type) : sizeof(cp), &cp,
3827
				     HCI_CMD_TIMEOUT);
3828
}
3829

3830
static int hci_clear_event_filter_sync(struct hci_dev *hdev)
3831
{
3832
	if (!hci_dev_test_flag(hdev, HCI_EVENT_FILTER_CONFIGURED))
3833
		return 0;
3834

3835
	/* In theory the state machine should not reach here unless
3836
	 * a hci_set_event_filter_sync() call succeeds, but we do
3837
	 * the check both for parity and as a future reminder.
3838
	 */
3839
	if (hci_test_quirk(hdev, HCI_QUIRK_BROKEN_FILTER_CLEAR_ALL))
3840
		return 0;
3841

3842
	return hci_set_event_filter_sync(hdev, HCI_FLT_CLEAR_ALL, 0x00,
3843
					 BDADDR_ANY, 0x00);
3844
}
3845

3846
/* Connection accept timeout ~20 secs */
3847
static int hci_write_ca_timeout_sync(struct hci_dev *hdev)
3848
{
3849
	__le16 param = cpu_to_le16(0x7d00);
3850

3851
	return __hci_cmd_sync_status(hdev, HCI_OP_WRITE_CA_TIMEOUT,
3852
				     sizeof(param), &param, HCI_CMD_TIMEOUT);
3853
}
3854

3855
/* Enable SCO flow control if supported */
3856
static int hci_write_sync_flowctl_sync(struct hci_dev *hdev)
3857
{
3858
	struct hci_cp_write_sync_flowctl cp;
3859
	int err;
3860

3861
	/* Check if the controller supports SCO and HCI_OP_WRITE_SYNC_FLOWCTL */
3862
	if (!lmp_sco_capable(hdev) || !(hdev->commands[10] & BIT(4)) ||
3863
	    !hci_test_quirk(hdev, HCI_QUIRK_SYNC_FLOWCTL_SUPPORTED))
3864
		return 0;
3865

3866
	memset(&cp, 0, sizeof(cp));
3867
	cp.enable = 0x01;
3868

3869
	err = __hci_cmd_sync_status(hdev, HCI_OP_WRITE_SYNC_FLOWCTL,
3870
				    sizeof(cp), &cp, HCI_CMD_TIMEOUT);
3871
	if (!err)
3872
		hci_dev_set_flag(hdev, HCI_SCO_FLOWCTL);
3873

3874
	return err;
3875
}
3876

3877
/* BR Controller init stage 2 command sequence */
3878
static const struct hci_init_stage br_init2[] = {
3879
	/* HCI_OP_READ_BUFFER_SIZE */
3880
	HCI_INIT(hci_read_buffer_size_sync),
3881
	/* HCI_OP_READ_CLASS_OF_DEV */
3882
	HCI_INIT(hci_read_dev_class_sync),
3883
	/* HCI_OP_READ_LOCAL_NAME */
3884
	HCI_INIT(hci_read_local_name_sync),
3885
	/* HCI_OP_READ_VOICE_SETTING */
3886
	HCI_INIT(hci_read_voice_setting_sync),
3887
	/* HCI_OP_READ_NUM_SUPPORTED_IAC */
3888
	HCI_INIT(hci_read_num_supported_iac_sync),
3889
	/* HCI_OP_READ_CURRENT_IAC_LAP */
3890
	HCI_INIT(hci_read_current_iac_lap_sync),
3891
	/* HCI_OP_SET_EVENT_FLT */
3892
	HCI_INIT(hci_clear_event_filter_sync),
3893
	/* HCI_OP_WRITE_CA_TIMEOUT */
3894
	HCI_INIT(hci_write_ca_timeout_sync),
3895
	/* HCI_OP_WRITE_SYNC_FLOWCTL */
3896
	HCI_INIT(hci_write_sync_flowctl_sync),
3897
	{}
3898
};
3899

3900
static int hci_write_ssp_mode_1_sync(struct hci_dev *hdev)
3901
{
3902
	u8 mode = 0x01;
3903

3904
	if (!lmp_ssp_capable(hdev) || !hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
3905
		return 0;
3906

3907
	/* When SSP is available, then the host features page
3908
	 * should also be available as well. However some
3909
	 * controllers list the max_page as 0 as long as SSP
3910
	 * has not been enabled. To achieve proper debugging
3911
	 * output, force the minimum max_page to 1 at least.
3912
	 */
3913
	hdev->max_page = 0x01;
3914

3915
	return __hci_cmd_sync_status(hdev, HCI_OP_WRITE_SSP_MODE,
3916
				     sizeof(mode), &mode, HCI_CMD_TIMEOUT);
3917
}
3918

3919
static int hci_write_eir_sync(struct hci_dev *hdev)
3920
{
3921
	struct hci_cp_write_eir cp;
3922

3923
	if (!lmp_ssp_capable(hdev) || hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
3924
		return 0;
3925

3926
	memset(hdev->eir, 0, sizeof(hdev->eir));
3927
	memset(&cp, 0, sizeof(cp));
3928

3929
	return __hci_cmd_sync_status(hdev, HCI_OP_WRITE_EIR, sizeof(cp), &cp,
3930
				     HCI_CMD_TIMEOUT);
3931
}
3932

3933
static int hci_write_inquiry_mode_sync(struct hci_dev *hdev)
3934
{
3935
	u8 mode;
3936

3937
	if (!lmp_inq_rssi_capable(hdev) &&
3938
	    !hci_test_quirk(hdev, HCI_QUIRK_FIXUP_INQUIRY_MODE))
3939
		return 0;
3940

3941
	/* If Extended Inquiry Result events are supported, then
3942
	 * they are clearly preferred over Inquiry Result with RSSI
3943
	 * events.
3944
	 */
3945
	mode = lmp_ext_inq_capable(hdev) ? 0x02 : 0x01;
3946

3947
	return __hci_cmd_sync_status(hdev, HCI_OP_WRITE_INQUIRY_MODE,
3948
				     sizeof(mode), &mode, HCI_CMD_TIMEOUT);
3949
}
3950

3951
static int hci_read_inq_rsp_tx_power_sync(struct hci_dev *hdev)
3952
{
3953
	if (!lmp_inq_tx_pwr_capable(hdev))
3954
		return 0;
3955

3956
	return __hci_cmd_sync_status(hdev, HCI_OP_READ_INQ_RSP_TX_POWER,
3957
				     0, NULL, HCI_CMD_TIMEOUT);
3958
}
3959

3960
static int hci_read_local_ext_features_sync(struct hci_dev *hdev, u8 page)
3961
{
3962
	struct hci_cp_read_local_ext_features cp;
3963

3964
	if (!lmp_ext_feat_capable(hdev))
3965
		return 0;
3966

3967
	memset(&cp, 0, sizeof(cp));
3968
	cp.page = page;
3969

3970
	return __hci_cmd_sync_status(hdev, HCI_OP_READ_LOCAL_EXT_FEATURES,
3971
				     sizeof(cp), &cp, HCI_CMD_TIMEOUT);
3972
}
3973

3974
static int hci_read_local_ext_features_1_sync(struct hci_dev *hdev)
3975
{
3976
	return hci_read_local_ext_features_sync(hdev, 0x01);
3977
}
3978

3979
/* HCI Controller init stage 2 command sequence */
3980
static const struct hci_init_stage hci_init2[] = {
3981
	/* HCI_OP_READ_LOCAL_COMMANDS */
3982
	HCI_INIT(hci_read_local_cmds_sync),
3983
	/* HCI_OP_WRITE_SSP_MODE */
3984
	HCI_INIT(hci_write_ssp_mode_1_sync),
3985
	/* HCI_OP_WRITE_EIR */
3986
	HCI_INIT(hci_write_eir_sync),
3987
	/* HCI_OP_WRITE_INQUIRY_MODE */
3988
	HCI_INIT(hci_write_inquiry_mode_sync),
3989
	/* HCI_OP_READ_INQ_RSP_TX_POWER */
3990
	HCI_INIT(hci_read_inq_rsp_tx_power_sync),
3991
	/* HCI_OP_READ_LOCAL_EXT_FEATURES */
3992
	HCI_INIT(hci_read_local_ext_features_1_sync),
3993
	/* HCI_OP_WRITE_AUTH_ENABLE */
3994
	HCI_INIT(hci_write_auth_enable_sync),
3995
	{}
3996
};
3997

3998
/* Read LE Buffer Size */
3999
static int hci_le_read_buffer_size_sync(struct hci_dev *hdev)
4000
{
4001
	/* Use Read LE Buffer Size V2 if supported */
4002
	if (iso_capable(hdev) && hdev->commands[41] & 0x20)
4003
		return __hci_cmd_sync_status(hdev,
4004
					     HCI_OP_LE_READ_BUFFER_SIZE_V2,
4005
					     0, NULL, HCI_CMD_TIMEOUT);
4006

4007
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_READ_BUFFER_SIZE,
4008
				     0, NULL, HCI_CMD_TIMEOUT);
4009
}
4010

4011
/* Read LE Local Supported Features */
4012
static int hci_le_read_local_features_sync(struct hci_dev *hdev)
4013
{
4014
	int err;
4015

4016
	err = __hci_cmd_sync_status(hdev, HCI_OP_LE_READ_LOCAL_FEATURES,
4017
				    0, NULL, HCI_CMD_TIMEOUT);
4018
	if (err)
4019
		return err;
4020

4021
	if (ll_ext_feature_capable(hdev) && hdev->commands[47] & BIT(2))
4022
		return __hci_cmd_sync_status(hdev,
4023
					     HCI_OP_LE_READ_ALL_LOCAL_FEATURES,
4024
					     0, NULL, HCI_CMD_TIMEOUT);
4025

4026
	return err;
4027
}
4028

4029
/* Read LE Supported States */
4030
static int hci_le_read_supported_states_sync(struct hci_dev *hdev)
4031
{
4032
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_READ_SUPPORTED_STATES,
4033
				     0, NULL, HCI_CMD_TIMEOUT);
4034
}
4035

4036
/* LE Controller init stage 2 command sequence */
4037
static const struct hci_init_stage le_init2[] = {
4038
	/* HCI_OP_LE_READ_LOCAL_FEATURES */
4039
	HCI_INIT(hci_le_read_local_features_sync),
4040
	/* HCI_OP_LE_READ_BUFFER_SIZE */
4041
	HCI_INIT(hci_le_read_buffer_size_sync),
4042
	/* HCI_OP_LE_READ_SUPPORTED_STATES */
4043
	HCI_INIT(hci_le_read_supported_states_sync),
4044
	{}
4045
};
4046

4047
static int hci_init2_sync(struct hci_dev *hdev)
4048
{
4049
	int err;
4050

4051
	bt_dev_dbg(hdev, "");
4052

4053
	err = hci_init_stage_sync(hdev, hci_init2);
4054
	if (err)
4055
		return err;
4056

4057
	if (lmp_bredr_capable(hdev)) {
4058
		err = hci_init_stage_sync(hdev, br_init2);
4059
		if (err)
4060
			return err;
4061
	} else {
4062
		hci_dev_clear_flag(hdev, HCI_BREDR_ENABLED);
4063
	}
4064

4065
	if (lmp_le_capable(hdev)) {
4066
		err = hci_init_stage_sync(hdev, le_init2);
4067
		if (err)
4068
			return err;
4069
		/* LE-only controllers have LE implicitly enabled */
4070
		if (!lmp_bredr_capable(hdev))
4071
			hci_dev_set_flag(hdev, HCI_LE_ENABLED);
4072
	}
4073

4074
	return 0;
4075
}
4076

4077
static int hci_set_event_mask_sync(struct hci_dev *hdev)
4078
{
4079
	/* The second byte is 0xff instead of 0x9f (two reserved bits
4080
	 * disabled) since a Broadcom 1.2 dongle doesn't respond to the
4081
	 * command otherwise.
4082
	 */
4083
	u8 events[8] = { 0xff, 0xff, 0xfb, 0xff, 0x00, 0x00, 0x00, 0x00 };
4084

4085
	/* CSR 1.1 dongles does not accept any bitfield so don't try to set
4086
	 * any event mask for pre 1.2 devices.
4087
	 */
4088
	if (hdev->hci_ver < BLUETOOTH_VER_1_2)
4089
		return 0;
4090

4091
	if (lmp_bredr_capable(hdev)) {
4092
		events[4] |= 0x01; /* Flow Specification Complete */
4093

4094
		/* Don't set Disconnect Complete and mode change when
4095
		 * suspended as that would wakeup the host when disconnecting
4096
		 * due to suspend.
4097
		 */
4098
		if (hdev->suspended) {
4099
			events[0] &= 0xef;
4100
			events[2] &= 0xf7;
4101
		}
4102
	} else {
4103
		/* Use a different default for LE-only devices */
4104
		memset(events, 0, sizeof(events));
4105
		events[1] |= 0x20; /* Command Complete */
4106
		events[1] |= 0x40; /* Command Status */
4107
		events[1] |= 0x80; /* Hardware Error */
4108

4109
		/* If the controller supports the Disconnect command, enable
4110
		 * the corresponding event. In addition enable packet flow
4111
		 * control related events.
4112
		 */
4113
		if (hdev->commands[0] & 0x20) {
4114
			/* Don't set Disconnect Complete when suspended as that
4115
			 * would wakeup the host when disconnecting due to
4116
			 * suspend.
4117
			 */
4118
			if (!hdev->suspended)
4119
				events[0] |= 0x10; /* Disconnection Complete */
4120
			events[2] |= 0x04; /* Number of Completed Packets */
4121
			events[3] |= 0x02; /* Data Buffer Overflow */
4122
		}
4123

4124
		/* If the controller supports the Read Remote Version
4125
		 * Information command, enable the corresponding event.
4126
		 */
4127
		if (hdev->commands[2] & 0x80)
4128
			events[1] |= 0x08; /* Read Remote Version Information
4129
					    * Complete
4130
					    */
4131

4132
		if (hdev->le_features[0] & HCI_LE_ENCRYPTION) {
4133
			events[0] |= 0x80; /* Encryption Change */
4134
			events[5] |= 0x80; /* Encryption Key Refresh Complete */
4135
		}
4136
	}
4137

4138
	if (lmp_inq_rssi_capable(hdev) ||
4139
	    hci_test_quirk(hdev, HCI_QUIRK_FIXUP_INQUIRY_MODE))
4140
		events[4] |= 0x02; /* Inquiry Result with RSSI */
4141

4142
	if (lmp_ext_feat_capable(hdev))
4143
		events[4] |= 0x04; /* Read Remote Extended Features Complete */
4144

4145
	if (lmp_esco_capable(hdev)) {
4146
		events[5] |= 0x08; /* Synchronous Connection Complete */
4147
		events[5] |= 0x10; /* Synchronous Connection Changed */
4148
	}
4149

4150
	if (lmp_sniffsubr_capable(hdev))
4151
		events[5] |= 0x20; /* Sniff Subrating */
4152

4153
	if (lmp_pause_enc_capable(hdev))
4154
		events[5] |= 0x80; /* Encryption Key Refresh Complete */
4155

4156
	if (lmp_ext_inq_capable(hdev))
4157
		events[5] |= 0x40; /* Extended Inquiry Result */
4158

4159
	if (lmp_no_flush_capable(hdev))
4160
		events[7] |= 0x01; /* Enhanced Flush Complete */
4161

4162
	if (lmp_lsto_capable(hdev))
4163
		events[6] |= 0x80; /* Link Supervision Timeout Changed */
4164

4165
	if (lmp_ssp_capable(hdev)) {
4166
		events[6] |= 0x01;	/* IO Capability Request */
4167
		events[6] |= 0x02;	/* IO Capability Response */
4168
		events[6] |= 0x04;	/* User Confirmation Request */
4169
		events[6] |= 0x08;	/* User Passkey Request */
4170
		events[6] |= 0x10;	/* Remote OOB Data Request */
4171
		events[6] |= 0x20;	/* Simple Pairing Complete */
4172
		events[7] |= 0x04;	/* User Passkey Notification */
4173
		events[7] |= 0x08;	/* Keypress Notification */
4174
		events[7] |= 0x10;	/* Remote Host Supported
4175
					 * Features Notification
4176
					 */
4177
	}
4178

4179
	if (lmp_le_capable(hdev))
4180
		events[7] |= 0x20;	/* LE Meta-Event */
4181

4182
	return __hci_cmd_sync_status(hdev, HCI_OP_SET_EVENT_MASK,
4183
				     sizeof(events), events, HCI_CMD_TIMEOUT);
4184
}
4185

4186
static int hci_read_stored_link_key_sync(struct hci_dev *hdev)
4187
{
4188
	struct hci_cp_read_stored_link_key cp;
4189

4190
	if (!(hdev->commands[6] & 0x20) ||
4191
	    hci_test_quirk(hdev, HCI_QUIRK_BROKEN_STORED_LINK_KEY))
4192
		return 0;
4193

4194
	memset(&cp, 0, sizeof(cp));
4195
	bacpy(&cp.bdaddr, BDADDR_ANY);
4196
	cp.read_all = 0x01;
4197

4198
	return __hci_cmd_sync_status(hdev, HCI_OP_READ_STORED_LINK_KEY,
4199
				     sizeof(cp), &cp, HCI_CMD_TIMEOUT);
4200
}
4201

4202
static int hci_setup_link_policy_sync(struct hci_dev *hdev)
4203
{
4204
	struct hci_cp_write_def_link_policy cp;
4205
	u16 link_policy = 0;
4206

4207
	if (!(hdev->commands[5] & 0x10))
4208
		return 0;
4209

4210
	memset(&cp, 0, sizeof(cp));
4211

4212
	if (lmp_rswitch_capable(hdev))
4213
		link_policy |= HCI_LP_RSWITCH;
4214
	if (lmp_hold_capable(hdev))
4215
		link_policy |= HCI_LP_HOLD;
4216
	if (lmp_sniff_capable(hdev))
4217
		link_policy |= HCI_LP_SNIFF;
4218
	if (lmp_park_capable(hdev))
4219
		link_policy |= HCI_LP_PARK;
4220

4221
	cp.policy = cpu_to_le16(link_policy);
4222

4223
	return __hci_cmd_sync_status(hdev, HCI_OP_WRITE_DEF_LINK_POLICY,
4224
				     sizeof(cp), &cp, HCI_CMD_TIMEOUT);
4225
}
4226

4227
static int hci_read_page_scan_activity_sync(struct hci_dev *hdev)
4228
{
4229
	if (!(hdev->commands[8] & 0x01))
4230
		return 0;
4231

4232
	return __hci_cmd_sync_status(hdev, HCI_OP_READ_PAGE_SCAN_ACTIVITY,
4233
				     0, NULL, HCI_CMD_TIMEOUT);
4234
}
4235

4236
static int hci_read_def_err_data_reporting_sync(struct hci_dev *hdev)
4237
{
4238
	if (!(hdev->commands[18] & 0x04) ||
4239
	    !(hdev->features[0][6] & LMP_ERR_DATA_REPORTING) ||
4240
	    hci_test_quirk(hdev, HCI_QUIRK_BROKEN_ERR_DATA_REPORTING))
4241
		return 0;
4242

4243
	return __hci_cmd_sync_status(hdev, HCI_OP_READ_DEF_ERR_DATA_REPORTING,
4244
				     0, NULL, HCI_CMD_TIMEOUT);
4245
}
4246

4247
static int hci_read_page_scan_type_sync(struct hci_dev *hdev)
4248
{
4249
	/* Some older Broadcom based Bluetooth 1.2 controllers do not
4250
	 * support the Read Page Scan Type command. Check support for
4251
	 * this command in the bit mask of supported commands.
4252
	 */
4253
	if (!(hdev->commands[13] & 0x01) ||
4254
	    hci_test_quirk(hdev, HCI_QUIRK_BROKEN_READ_PAGE_SCAN_TYPE))
4255
		return 0;
4256

4257
	return __hci_cmd_sync_status(hdev, HCI_OP_READ_PAGE_SCAN_TYPE,
4258
				     0, NULL, HCI_CMD_TIMEOUT);
4259
}
4260

4261
/* Read features beyond page 1 if available */
4262
static int hci_read_local_ext_features_all_sync(struct hci_dev *hdev)
4263
{
4264
	u8 page;
4265
	int err;
4266

4267
	if (!lmp_ext_feat_capable(hdev))
4268
		return 0;
4269

4270
	for (page = 2; page < HCI_MAX_PAGES && page <= hdev->max_page;
4271
	     page++) {
4272
		err = hci_read_local_ext_features_sync(hdev, page);
4273
		if (err)
4274
			return err;
4275
	}
4276

4277
	return 0;
4278
}
4279

4280
/* HCI Controller init stage 3 command sequence */
4281
static const struct hci_init_stage hci_init3[] = {
4282
	/* HCI_OP_SET_EVENT_MASK */
4283
	HCI_INIT(hci_set_event_mask_sync),
4284
	/* HCI_OP_READ_STORED_LINK_KEY */
4285
	HCI_INIT(hci_read_stored_link_key_sync),
4286
	/* HCI_OP_WRITE_DEF_LINK_POLICY */
4287
	HCI_INIT(hci_setup_link_policy_sync),
4288
	/* HCI_OP_READ_PAGE_SCAN_ACTIVITY */
4289
	HCI_INIT(hci_read_page_scan_activity_sync),
4290
	/* HCI_OP_READ_DEF_ERR_DATA_REPORTING */
4291
	HCI_INIT(hci_read_def_err_data_reporting_sync),
4292
	/* HCI_OP_READ_PAGE_SCAN_TYPE */
4293
	HCI_INIT(hci_read_page_scan_type_sync),
4294
	/* HCI_OP_READ_LOCAL_EXT_FEATURES */
4295
	HCI_INIT(hci_read_local_ext_features_all_sync),
4296
	{}
4297
};
4298

4299
static int hci_le_set_event_mask_sync(struct hci_dev *hdev)
4300
{
4301
	u8 events[8];
4302

4303
	if (!lmp_le_capable(hdev))
4304
		return 0;
4305

4306
	memset(events, 0, sizeof(events));
4307

4308
	if (hdev->le_features[0] & HCI_LE_ENCRYPTION)
4309
		events[0] |= 0x10;	/* LE Long Term Key Request */
4310

4311
	/* If controller supports the Connection Parameters Request
4312
	 * Link Layer Procedure, enable the corresponding event.
4313
	 */
4314
	if (hdev->le_features[0] & HCI_LE_CONN_PARAM_REQ_PROC)
4315
		/* LE Remote Connection Parameter Request */
4316
		events[0] |= 0x20;
4317

4318
	/* If the controller supports the Data Length Extension
4319
	 * feature, enable the corresponding event.
4320
	 */
4321
	if (hdev->le_features[0] & HCI_LE_DATA_LEN_EXT)
4322
		events[0] |= 0x40;	/* LE Data Length Change */
4323

4324
	/* If the controller supports LL Privacy feature or LE Extended Adv,
4325
	 * enable the corresponding event.
4326
	 */
4327
	if (use_enhanced_conn_complete(hdev))
4328
		events[1] |= 0x02;	/* LE Enhanced Connection Complete */
4329

4330
	/* Mark Device Privacy if Privacy Mode is supported */
4331
	if (privacy_mode_capable(hdev))
4332
		hdev->conn_flags |= HCI_CONN_FLAG_DEVICE_PRIVACY;
4333

4334
	/* Mark Address Resolution if LL Privacy is supported */
4335
	if (ll_privacy_capable(hdev))
4336
		hdev->conn_flags |= HCI_CONN_FLAG_ADDRESS_RESOLUTION;
4337

4338
	/* Mark PAST if supported */
4339
	if (past_capable(hdev))
4340
		hdev->conn_flags |= HCI_CONN_FLAG_PAST;
4341

4342
	/* If the controller supports Extended Scanner Filter
4343
	 * Policies, enable the corresponding event.
4344
	 */
4345
	if (hdev->le_features[0] & HCI_LE_EXT_SCAN_POLICY)
4346
		events[1] |= 0x04;	/* LE Direct Advertising Report */
4347

4348
	/* If the controller supports Channel Selection Algorithm #2
4349
	 * feature, enable the corresponding event.
4350
	 */
4351
	if (hdev->le_features[1] & HCI_LE_CHAN_SEL_ALG2)
4352
		events[2] |= 0x08;	/* LE Channel Selection Algorithm */
4353

4354
	/* If the controller supports the LE Set Scan Enable command,
4355
	 * enable the corresponding advertising report event.
4356
	 */
4357
	if (hdev->commands[26] & 0x08)
4358
		events[0] |= 0x02;	/* LE Advertising Report */
4359

4360
	/* If the controller supports the LE Create Connection
4361
	 * command, enable the corresponding event.
4362
	 */
4363
	if (hdev->commands[26] & 0x10)
4364
		events[0] |= 0x01;	/* LE Connection Complete */
4365

4366
	/* If the controller supports the LE Connection Update
4367
	 * command, enable the corresponding event.
4368
	 */
4369
	if (hdev->commands[27] & 0x04)
4370
		events[0] |= 0x04;	/* LE Connection Update Complete */
4371

4372
	/* If the controller supports the LE Read Remote Used Features
4373
	 * command, enable the corresponding event.
4374
	 */
4375
	if (hdev->commands[27] & 0x20)
4376
		/* LE Read Remote Used Features Complete */
4377
		events[0] |= 0x08;
4378

4379
	/* If the controller supports the LE Read Local P-256
4380
	 * Public Key command, enable the corresponding event.
4381
	 */
4382
	if (hdev->commands[34] & 0x02)
4383
		/* LE Read Local P-256 Public Key Complete */
4384
		events[0] |= 0x80;
4385

4386
	/* If the controller supports the LE Generate DHKey
4387
	 * command, enable the corresponding event.
4388
	 */
4389
	if (hdev->commands[34] & 0x04)
4390
		events[1] |= 0x01;	/* LE Generate DHKey Complete */
4391

4392
	/* If the controller supports the LE Set Default PHY or
4393
	 * LE Set PHY commands, enable the corresponding event.
4394
	 */
4395
	if (hdev->commands[35] & (0x20 | 0x40))
4396
		events[1] |= 0x08;        /* LE PHY Update Complete */
4397

4398
	/* If the controller supports LE Set Extended Scan Parameters
4399
	 * and LE Set Extended Scan Enable commands, enable the
4400
	 * corresponding event.
4401
	 */
4402
	if (use_ext_scan(hdev))
4403
		events[1] |= 0x10;	/* LE Extended Advertising Report */
4404

4405
	/* If the controller supports the LE Extended Advertising
4406
	 * command, enable the corresponding event.
4407
	 */
4408
	if (ext_adv_capable(hdev))
4409
		events[2] |= 0x02;	/* LE Advertising Set Terminated */
4410

4411
	if (past_receiver_capable(hdev))
4412
		events[2] |= 0x80;	/* LE PAST Received */
4413

4414
	if (cis_capable(hdev)) {
4415
		events[3] |= 0x01;	/* LE CIS Established */
4416
		if (cis_peripheral_capable(hdev))
4417
			events[3] |= 0x02; /* LE CIS Request */
4418
	}
4419

4420
	if (bis_capable(hdev)) {
4421
		events[1] |= 0x20;	/* LE PA Report */
4422
		events[1] |= 0x40;	/* LE PA Sync Established */
4423
		events[1] |= 0x80;	/* LE PA Sync Lost */
4424
		events[3] |= 0x04;	/* LE Create BIG Complete */
4425
		events[3] |= 0x08;	/* LE Terminate BIG Complete */
4426
		events[3] |= 0x10;	/* LE BIG Sync Established */
4427
		events[3] |= 0x20;	/* LE BIG Sync Loss */
4428
		events[4] |= 0x02;	/* LE BIG Info Advertising Report */
4429
	}
4430

4431
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_EVENT_MASK,
4432
				     sizeof(events), events, HCI_CMD_TIMEOUT);
4433
}
4434

4435
/* Read LE Advertising Channel TX Power */
4436
static int hci_le_read_adv_tx_power_sync(struct hci_dev *hdev)
4437
{
4438
	if ((hdev->commands[25] & 0x40) && !ext_adv_capable(hdev)) {
4439
		/* HCI TS spec forbids mixing of legacy and extended
4440
		 * advertising commands wherein READ_ADV_TX_POWER is
4441
		 * also included. So do not call it if extended adv
4442
		 * is supported otherwise controller will return
4443
		 * COMMAND_DISALLOWED for extended commands.
4444
		 */
4445
		return __hci_cmd_sync_status(hdev,
4446
					       HCI_OP_LE_READ_ADV_TX_POWER,
4447
					       0, NULL, HCI_CMD_TIMEOUT);
4448
	}
4449

4450
	return 0;
4451
}
4452

4453
/* Read LE Min/Max Tx Power*/
4454
static int hci_le_read_tx_power_sync(struct hci_dev *hdev)
4455
{
4456
	if (!(hdev->commands[38] & 0x80) ||
4457
	    hci_test_quirk(hdev, HCI_QUIRK_BROKEN_READ_TRANSMIT_POWER))
4458
		return 0;
4459

4460
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_READ_TRANSMIT_POWER,
4461
				     0, NULL, HCI_CMD_TIMEOUT);
4462
}
4463

4464
/* Read LE Accept List Size */
4465
static int hci_le_read_accept_list_size_sync(struct hci_dev *hdev)
4466
{
4467
	if (!(hdev->commands[26] & 0x40))
4468
		return 0;
4469

4470
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_READ_ACCEPT_LIST_SIZE,
4471
				     0, NULL, HCI_CMD_TIMEOUT);
4472
}
4473

4474
/* Read LE Resolving List Size */
4475
static int hci_le_read_resolv_list_size_sync(struct hci_dev *hdev)
4476
{
4477
	if (!(hdev->commands[34] & 0x40))
4478
		return 0;
4479

4480
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_READ_RESOLV_LIST_SIZE,
4481
				     0, NULL, HCI_CMD_TIMEOUT);
4482
}
4483

4484
/* Clear LE Resolving List */
4485
static int hci_le_clear_resolv_list_sync(struct hci_dev *hdev)
4486
{
4487
	if (!(hdev->commands[34] & 0x20))
4488
		return 0;
4489

4490
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_CLEAR_RESOLV_LIST, 0, NULL,
4491
				     HCI_CMD_TIMEOUT);
4492
}
4493

4494
/* Set RPA timeout */
4495
static int hci_le_set_rpa_timeout_sync(struct hci_dev *hdev)
4496
{
4497
	__le16 timeout = cpu_to_le16(hdev->rpa_timeout);
4498

4499
	if (!(hdev->commands[35] & 0x04) ||
4500
	    hci_test_quirk(hdev, HCI_QUIRK_BROKEN_SET_RPA_TIMEOUT))
4501
		return 0;
4502

4503
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_RPA_TIMEOUT,
4504
				     sizeof(timeout), &timeout,
4505
				     HCI_CMD_TIMEOUT);
4506
}
4507

4508
/* Read LE Maximum Data Length */
4509
static int hci_le_read_max_data_len_sync(struct hci_dev *hdev)
4510
{
4511
	if (!(hdev->le_features[0] & HCI_LE_DATA_LEN_EXT))
4512
		return 0;
4513

4514
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_READ_MAX_DATA_LEN, 0, NULL,
4515
				     HCI_CMD_TIMEOUT);
4516
}
4517

4518
/* Read LE Suggested Default Data Length */
4519
static int hci_le_read_def_data_len_sync(struct hci_dev *hdev)
4520
{
4521
	if (!(hdev->le_features[0] & HCI_LE_DATA_LEN_EXT))
4522
		return 0;
4523

4524
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_READ_DEF_DATA_LEN, 0, NULL,
4525
				     HCI_CMD_TIMEOUT);
4526
}
4527

4528
/* Read LE Number of Supported Advertising Sets */
4529
static int hci_le_read_num_support_adv_sets_sync(struct hci_dev *hdev)
4530
{
4531
	if (!ext_adv_capable(hdev))
4532
		return 0;
4533

4534
	return __hci_cmd_sync_status(hdev,
4535
				     HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS,
4536
				     0, NULL, HCI_CMD_TIMEOUT);
4537
}
4538

4539
/* Write LE Host Supported */
4540
static int hci_set_le_support_sync(struct hci_dev *hdev)
4541
{
4542
	struct hci_cp_write_le_host_supported cp;
4543

4544
	/* LE-only devices do not support explicit enablement */
4545
	if (!lmp_bredr_capable(hdev))
4546
		return 0;
4547

4548
	memset(&cp, 0, sizeof(cp));
4549

4550
	if (hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
4551
		cp.le = 0x01;
4552
		cp.simul = 0x00;
4553
	}
4554

4555
	if (cp.le == lmp_host_le_capable(hdev))
4556
		return 0;
4557

4558
	return __hci_cmd_sync_status(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED,
4559
				     sizeof(cp), &cp, HCI_CMD_TIMEOUT);
4560
}
4561

4562
/* LE Set Host Feature */
4563
static int hci_le_set_host_feature_sync(struct hci_dev *hdev)
4564
{
4565
	struct hci_cp_le_set_host_feature cp;
4566

4567
	if (!iso_capable(hdev))
4568
		return 0;
4569

4570
	memset(&cp, 0, sizeof(cp));
4571

4572
	/* Connected Isochronous Channels (Host Support) */
4573
	cp.bit_number = 32;
4574
	cp.bit_value = iso_enabled(hdev) ? 0x01 : 0x00;
4575

4576
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_HOST_FEATURE,
4577
				     sizeof(cp), &cp, HCI_CMD_TIMEOUT);
4578
}
4579

4580
/* LE Controller init stage 3 command sequence */
4581
static const struct hci_init_stage le_init3[] = {
4582
	/* HCI_OP_LE_SET_EVENT_MASK */
4583
	HCI_INIT(hci_le_set_event_mask_sync),
4584
	/* HCI_OP_LE_READ_ADV_TX_POWER */
4585
	HCI_INIT(hci_le_read_adv_tx_power_sync),
4586
	/* HCI_OP_LE_READ_TRANSMIT_POWER */
4587
	HCI_INIT(hci_le_read_tx_power_sync),
4588
	/* HCI_OP_LE_READ_ACCEPT_LIST_SIZE */
4589
	HCI_INIT(hci_le_read_accept_list_size_sync),
4590
	/* HCI_OP_LE_CLEAR_ACCEPT_LIST */
4591
	HCI_INIT(hci_le_clear_accept_list_sync),
4592
	/* HCI_OP_LE_READ_RESOLV_LIST_SIZE */
4593
	HCI_INIT(hci_le_read_resolv_list_size_sync),
4594
	/* HCI_OP_LE_CLEAR_RESOLV_LIST */
4595
	HCI_INIT(hci_le_clear_resolv_list_sync),
4596
	/* HCI_OP_LE_SET_RPA_TIMEOUT */
4597
	HCI_INIT(hci_le_set_rpa_timeout_sync),
4598
	/* HCI_OP_LE_READ_MAX_DATA_LEN */
4599
	HCI_INIT(hci_le_read_max_data_len_sync),
4600
	/* HCI_OP_LE_READ_DEF_DATA_LEN */
4601
	HCI_INIT(hci_le_read_def_data_len_sync),
4602
	/* HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS */
4603
	HCI_INIT(hci_le_read_num_support_adv_sets_sync),
4604
	/* HCI_OP_WRITE_LE_HOST_SUPPORTED */
4605
	HCI_INIT(hci_set_le_support_sync),
4606
	/* HCI_OP_LE_SET_HOST_FEATURE */
4607
	HCI_INIT(hci_le_set_host_feature_sync),
4608
	{}
4609
};
4610

4611
static int hci_init3_sync(struct hci_dev *hdev)
4612
{
4613
	int err;
4614

4615
	bt_dev_dbg(hdev, "");
4616

4617
	err = hci_init_stage_sync(hdev, hci_init3);
4618
	if (err)
4619
		return err;
4620

4621
	if (lmp_le_capable(hdev))
4622
		return hci_init_stage_sync(hdev, le_init3);
4623

4624
	return 0;
4625
}
4626

4627
static int hci_delete_stored_link_key_sync(struct hci_dev *hdev)
4628
{
4629
	struct hci_cp_delete_stored_link_key cp;
4630

4631
	/* Some Broadcom based Bluetooth controllers do not support the
4632
	 * Delete Stored Link Key command. They are clearly indicating its
4633
	 * absence in the bit mask of supported commands.
4634
	 *
4635
	 * Check the supported commands and only if the command is marked
4636
	 * as supported send it. If not supported assume that the controller
4637
	 * does not have actual support for stored link keys which makes this
4638
	 * command redundant anyway.
4639
	 *
4640
	 * Some controllers indicate that they support handling deleting
4641
	 * stored link keys, but they don't. The quirk lets a driver
4642
	 * just disable this command.
4643
	 */
4644
	if (!(hdev->commands[6] & 0x80) ||
4645
	    hci_test_quirk(hdev, HCI_QUIRK_BROKEN_STORED_LINK_KEY))
4646
		return 0;
4647

4648
	memset(&cp, 0, sizeof(cp));
4649
	bacpy(&cp.bdaddr, BDADDR_ANY);
4650
	cp.delete_all = 0x01;
4651

4652
	return __hci_cmd_sync_status(hdev, HCI_OP_DELETE_STORED_LINK_KEY,
4653
				     sizeof(cp), &cp, HCI_CMD_TIMEOUT);
4654
}
4655

4656
static int hci_set_event_mask_page_2_sync(struct hci_dev *hdev)
4657
{
4658
	u8 events[8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
4659
	bool changed = false;
4660

4661
	/* Set event mask page 2 if the HCI command for it is supported */
4662
	if (!(hdev->commands[22] & 0x04))
4663
		return 0;
4664

4665
	/* If Connectionless Peripheral Broadcast central role is supported
4666
	 * enable all necessary events for it.
4667
	 */
4668
	if (lmp_cpb_central_capable(hdev)) {
4669
		events[1] |= 0x40;	/* Triggered Clock Capture */
4670
		events[1] |= 0x80;	/* Synchronization Train Complete */
4671
		events[2] |= 0x08;	/* Truncated Page Complete */
4672
		events[2] |= 0x20;	/* CPB Channel Map Change */
4673
		changed = true;
4674
	}
4675

4676
	/* If Connectionless Peripheral Broadcast peripheral role is supported
4677
	 * enable all necessary events for it.
4678
	 */
4679
	if (lmp_cpb_peripheral_capable(hdev)) {
4680
		events[2] |= 0x01;	/* Synchronization Train Received */
4681
		events[2] |= 0x02;	/* CPB Receive */
4682
		events[2] |= 0x04;	/* CPB Timeout */
4683
		events[2] |= 0x10;	/* Peripheral Page Response Timeout */
4684
		changed = true;
4685
	}
4686

4687
	/* Enable Authenticated Payload Timeout Expired event if supported */
4688
	if (lmp_ping_capable(hdev) || hdev->le_features[0] & HCI_LE_PING) {
4689
		events[2] |= 0x80;
4690
		changed = true;
4691
	}
4692

4693
	/* Some Broadcom based controllers indicate support for Set Event
4694
	 * Mask Page 2 command, but then actually do not support it. Since
4695
	 * the default value is all bits set to zero, the command is only
4696
	 * required if the event mask has to be changed. In case no change
4697
	 * to the event mask is needed, skip this command.
4698
	 */
4699
	if (!changed)
4700
		return 0;
4701

4702
	return __hci_cmd_sync_status(hdev, HCI_OP_SET_EVENT_MASK_PAGE_2,
4703
				     sizeof(events), events, HCI_CMD_TIMEOUT);
4704
}
4705

4706
/* Read local codec list if the HCI command is supported */
4707
static int hci_read_local_codecs_sync(struct hci_dev *hdev)
4708
{
4709
	if (hdev->commands[45] & 0x04)
4710
		hci_read_supported_codecs_v2(hdev);
4711
	else if (hdev->commands[29] & 0x20)
4712
		hci_read_supported_codecs(hdev);
4713

4714
	return 0;
4715
}
4716

4717
/* Read local pairing options if the HCI command is supported */
4718
static int hci_read_local_pairing_opts_sync(struct hci_dev *hdev)
4719
{
4720
	if (!(hdev->commands[41] & 0x08))
4721
		return 0;
4722

4723
	return __hci_cmd_sync_status(hdev, HCI_OP_READ_LOCAL_PAIRING_OPTS,
4724
				     0, NULL, HCI_CMD_TIMEOUT);
4725
}
4726

4727
/* Get MWS transport configuration if the HCI command is supported */
4728
static int hci_get_mws_transport_config_sync(struct hci_dev *hdev)
4729
{
4730
	if (!mws_transport_config_capable(hdev))
4731
		return 0;
4732

4733
	return __hci_cmd_sync_status(hdev, HCI_OP_GET_MWS_TRANSPORT_CONFIG,
4734
				     0, NULL, HCI_CMD_TIMEOUT);
4735
}
4736

4737
/* Check for Synchronization Train support */
4738
static int hci_read_sync_train_params_sync(struct hci_dev *hdev)
4739
{
4740
	if (!lmp_sync_train_capable(hdev))
4741
		return 0;
4742

4743
	return __hci_cmd_sync_status(hdev, HCI_OP_READ_SYNC_TRAIN_PARAMS,
4744
				     0, NULL, HCI_CMD_TIMEOUT);
4745
}
4746

4747
/* Enable Secure Connections if supported and configured */
4748
static int hci_write_sc_support_1_sync(struct hci_dev *hdev)
4749
{
4750
	u8 support = 0x01;
4751

4752
	if (!hci_dev_test_flag(hdev, HCI_SSP_ENABLED) ||
4753
	    !bredr_sc_enabled(hdev))
4754
		return 0;
4755

4756
	return __hci_cmd_sync_status(hdev, HCI_OP_WRITE_SC_SUPPORT,
4757
				     sizeof(support), &support,
4758
				     HCI_CMD_TIMEOUT);
4759
}
4760

4761
/* Set erroneous data reporting if supported to the wideband speech
4762
 * setting value
4763
 */
4764
static int hci_set_err_data_report_sync(struct hci_dev *hdev)
4765
{
4766
	struct hci_cp_write_def_err_data_reporting cp;
4767
	bool enabled = hci_dev_test_flag(hdev, HCI_WIDEBAND_SPEECH_ENABLED);
4768

4769
	if (!(hdev->commands[18] & 0x08) ||
4770
	    !(hdev->features[0][6] & LMP_ERR_DATA_REPORTING) ||
4771
	    hci_test_quirk(hdev, HCI_QUIRK_BROKEN_ERR_DATA_REPORTING))
4772
		return 0;
4773

4774
	if (enabled == hdev->err_data_reporting)
4775
		return 0;
4776

4777
	memset(&cp, 0, sizeof(cp));
4778
	cp.err_data_reporting = enabled ? ERR_DATA_REPORTING_ENABLED :
4779
				ERR_DATA_REPORTING_DISABLED;
4780

4781
	return __hci_cmd_sync_status(hdev, HCI_OP_WRITE_DEF_ERR_DATA_REPORTING,
4782
				    sizeof(cp), &cp, HCI_CMD_TIMEOUT);
4783
}
4784

4785
static const struct hci_init_stage hci_init4[] = {
4786
	 /* HCI_OP_DELETE_STORED_LINK_KEY */
4787
	HCI_INIT(hci_delete_stored_link_key_sync),
4788
	/* HCI_OP_SET_EVENT_MASK_PAGE_2 */
4789
	HCI_INIT(hci_set_event_mask_page_2_sync),
4790
	/* HCI_OP_READ_LOCAL_CODECS */
4791
	HCI_INIT(hci_read_local_codecs_sync),
4792
	 /* HCI_OP_READ_LOCAL_PAIRING_OPTS */
4793
	HCI_INIT(hci_read_local_pairing_opts_sync),
4794
	 /* HCI_OP_GET_MWS_TRANSPORT_CONFIG */
4795
	HCI_INIT(hci_get_mws_transport_config_sync),
4796
	 /* HCI_OP_READ_SYNC_TRAIN_PARAMS */
4797
	HCI_INIT(hci_read_sync_train_params_sync),
4798
	/* HCI_OP_WRITE_SC_SUPPORT */
4799
	HCI_INIT(hci_write_sc_support_1_sync),
4800
	/* HCI_OP_WRITE_DEF_ERR_DATA_REPORTING */
4801
	HCI_INIT(hci_set_err_data_report_sync),
4802
	{}
4803
};
4804

4805
/* Set Suggested Default Data Length to maximum if supported */
4806
static int hci_le_set_write_def_data_len_sync(struct hci_dev *hdev)
4807
{
4808
	struct hci_cp_le_write_def_data_len cp;
4809

4810
	if (!(hdev->le_features[0] & HCI_LE_DATA_LEN_EXT))
4811
		return 0;
4812

4813
	memset(&cp, 0, sizeof(cp));
4814
	cp.tx_len = cpu_to_le16(hdev->le_max_tx_len);
4815
	cp.tx_time = cpu_to_le16(hdev->le_max_tx_time);
4816

4817
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_WRITE_DEF_DATA_LEN,
4818
				     sizeof(cp), &cp, HCI_CMD_TIMEOUT);
4819
}
4820

4821
/* Set Default PHY parameters if command is supported, enables all supported
4822
 * PHYs according to the LE Features bits.
4823
 */
4824
static int hci_le_set_default_phy_sync(struct hci_dev *hdev)
4825
{
4826
	struct hci_cp_le_set_default_phy cp;
4827

4828
	if (!(hdev->commands[35] & 0x20)) {
4829
		/* If the command is not supported it means only 1M PHY is
4830
		 * supported.
4831
		 */
4832
		hdev->le_tx_def_phys = HCI_LE_SET_PHY_1M;
4833
		hdev->le_rx_def_phys = HCI_LE_SET_PHY_1M;
4834
		return 0;
4835
	}
4836

4837
	memset(&cp, 0, sizeof(cp));
4838
	cp.all_phys = 0x00;
4839
	cp.tx_phys = HCI_LE_SET_PHY_1M;
4840
	cp.rx_phys = HCI_LE_SET_PHY_1M;
4841

4842
	/* Enables 2M PHY if supported */
4843
	if (le_2m_capable(hdev)) {
4844
		cp.tx_phys |= HCI_LE_SET_PHY_2M;
4845
		cp.rx_phys |= HCI_LE_SET_PHY_2M;
4846
	}
4847

4848
	/* Enables Coded PHY if supported */
4849
	if (le_coded_capable(hdev)) {
4850
		cp.tx_phys |= HCI_LE_SET_PHY_CODED;
4851
		cp.rx_phys |= HCI_LE_SET_PHY_CODED;
4852
	}
4853

4854
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_DEFAULT_PHY,
4855
				     sizeof(cp), &cp, HCI_CMD_TIMEOUT);
4856
}
4857

4858
static const struct hci_init_stage le_init4[] = {
4859
	/* HCI_OP_LE_WRITE_DEF_DATA_LEN */
4860
	HCI_INIT(hci_le_set_write_def_data_len_sync),
4861
	/* HCI_OP_LE_SET_DEFAULT_PHY */
4862
	HCI_INIT(hci_le_set_default_phy_sync),
4863
	{}
4864
};
4865

4866
static int hci_init4_sync(struct hci_dev *hdev)
4867
{
4868
	int err;
4869

4870
	bt_dev_dbg(hdev, "");
4871

4872
	err = hci_init_stage_sync(hdev, hci_init4);
4873
	if (err)
4874
		return err;
4875

4876
	if (lmp_le_capable(hdev))
4877
		return hci_init_stage_sync(hdev, le_init4);
4878

4879
	return 0;
4880
}
4881

4882
static int hci_init_sync(struct hci_dev *hdev)
4883
{
4884
	int err;
4885

4886
	err = hci_init1_sync(hdev);
4887
	if (err < 0)
4888
		return err;
4889

4890
	if (hci_dev_test_flag(hdev, HCI_SETUP))
4891
		hci_debugfs_create_basic(hdev);
4892

4893
	err = hci_init2_sync(hdev);
4894
	if (err < 0)
4895
		return err;
4896

4897
	err = hci_init3_sync(hdev);
4898
	if (err < 0)
4899
		return err;
4900

4901
	err = hci_init4_sync(hdev);
4902
	if (err < 0)
4903
		return err;
4904

4905
	/* This function is only called when the controller is actually in
4906
	 * configured state. When the controller is marked as unconfigured,
4907
	 * this initialization procedure is not run.
4908
	 *
4909
	 * It means that it is possible that a controller runs through its
4910
	 * setup phase and then discovers missing settings. If that is the
4911
	 * case, then this function will not be called. It then will only
4912
	 * be called during the config phase.
4913
	 *
4914
	 * So only when in setup phase or config phase, create the debugfs
4915
	 * entries and register the SMP channels.
4916
	 */
4917
	if (!hci_dev_test_flag(hdev, HCI_SETUP) &&
4918
	    !hci_dev_test_flag(hdev, HCI_CONFIG))
4919
		return 0;
4920

4921
	if (hci_dev_test_and_set_flag(hdev, HCI_DEBUGFS_CREATED))
4922
		return 0;
4923

4924
	hci_debugfs_create_common(hdev);
4925

4926
	if (lmp_bredr_capable(hdev))
4927
		hci_debugfs_create_bredr(hdev);
4928

4929
	if (lmp_le_capable(hdev))
4930
		hci_debugfs_create_le(hdev);
4931

4932
	return 0;
4933
}
4934

4935
#define HCI_QUIRK_BROKEN(_quirk, _desc) { HCI_QUIRK_BROKEN_##_quirk, _desc }
4936

4937
static const struct {
4938
	unsigned long quirk;
4939
	const char *desc;
4940
} hci_broken_table[] = {
4941
	HCI_QUIRK_BROKEN(LOCAL_COMMANDS,
4942
			 "HCI Read Local Supported Commands not supported"),
4943
	HCI_QUIRK_BROKEN(STORED_LINK_KEY,
4944
			 "HCI Delete Stored Link Key command is advertised, "
4945
			 "but not supported."),
4946
	HCI_QUIRK_BROKEN(ERR_DATA_REPORTING,
4947
			 "HCI Read Default Erroneous Data Reporting command is "
4948
			 "advertised, but not supported."),
4949
	HCI_QUIRK_BROKEN(READ_TRANSMIT_POWER,
4950
			 "HCI Read Transmit Power Level command is advertised, "
4951
			 "but not supported."),
4952
	HCI_QUIRK_BROKEN(FILTER_CLEAR_ALL,
4953
			 "HCI Set Event Filter command not supported."),
4954
	HCI_QUIRK_BROKEN(ENHANCED_SETUP_SYNC_CONN,
4955
			 "HCI Enhanced Setup Synchronous Connection command is "
4956
			 "advertised, but not supported."),
4957
	HCI_QUIRK_BROKEN(SET_RPA_TIMEOUT,
4958
			 "HCI LE Set Random Private Address Timeout command is "
4959
			 "advertised, but not supported."),
4960
	HCI_QUIRK_BROKEN(EXT_CREATE_CONN,
4961
			 "HCI LE Extended Create Connection command is "
4962
			 "advertised, but not supported."),
4963
	HCI_QUIRK_BROKEN(WRITE_AUTH_PAYLOAD_TIMEOUT,
4964
			 "HCI WRITE AUTH PAYLOAD TIMEOUT command leads "
4965
			 "to unexpected SMP errors when pairing "
4966
			 "and will not be used."),
4967
	HCI_QUIRK_BROKEN(LE_CODED,
4968
			 "HCI LE Coded PHY feature bit is set, "
4969
			 "but its usage is not supported.")
4970
};
4971

4972
/* This function handles hdev setup stage:
4973
 *
4974
 * Calls hdev->setup
4975
 * Setup address if HCI_QUIRK_USE_BDADDR_PROPERTY is set.
4976
 */
4977
static int hci_dev_setup_sync(struct hci_dev *hdev)
4978
{
4979
	int ret = 0;
4980
	bool invalid_bdaddr;
4981
	size_t i;
4982

4983
	if (!hci_dev_test_flag(hdev, HCI_SETUP) &&
4984
	    !hci_test_quirk(hdev, HCI_QUIRK_NON_PERSISTENT_SETUP))
4985
		return 0;
4986

4987
	bt_dev_dbg(hdev, "");
4988

4989
	hci_sock_dev_event(hdev, HCI_DEV_SETUP);
4990

4991
	if (hdev->setup)
4992
		ret = hdev->setup(hdev);
4993

4994
	for (i = 0; i < ARRAY_SIZE(hci_broken_table); i++) {
4995
		if (hci_test_quirk(hdev, hci_broken_table[i].quirk))
4996
			bt_dev_warn(hdev, "%s", hci_broken_table[i].desc);
4997
	}
4998

4999
	/* The transport driver can set the quirk to mark the
5000
	 * BD_ADDR invalid before creating the HCI device or in
5001
	 * its setup callback.
5002
	 */
5003
	invalid_bdaddr = hci_test_quirk(hdev, HCI_QUIRK_INVALID_BDADDR) ||
5004
			 hci_test_quirk(hdev, HCI_QUIRK_USE_BDADDR_PROPERTY);
5005
	if (!ret) {
5006
		if (hci_test_quirk(hdev, HCI_QUIRK_USE_BDADDR_PROPERTY) &&
5007
		    !bacmp(&hdev->public_addr, BDADDR_ANY))
5008
			hci_dev_get_bd_addr_from_property(hdev);
5009

5010
		if (invalid_bdaddr && bacmp(&hdev->public_addr, BDADDR_ANY) &&
5011
		    hdev->set_bdaddr) {
5012
			ret = hdev->set_bdaddr(hdev, &hdev->public_addr);
5013
			if (!ret)
5014
				invalid_bdaddr = false;
5015
		}
5016
	}
5017

5018
	/* The transport driver can set these quirks before
5019
	 * creating the HCI device or in its setup callback.
5020
	 *
5021
	 * For the invalid BD_ADDR quirk it is possible that
5022
	 * it becomes a valid address if the bootloader does
5023
	 * provide it (see above).
5024
	 *
5025
	 * In case any of them is set, the controller has to
5026
	 * start up as unconfigured.
5027
	 */
5028
	if (hci_test_quirk(hdev, HCI_QUIRK_EXTERNAL_CONFIG) ||
5029
	    invalid_bdaddr)
5030
		hci_dev_set_flag(hdev, HCI_UNCONFIGURED);
5031

5032
	/* For an unconfigured controller it is required to
5033
	 * read at least the version information provided by
5034
	 * the Read Local Version Information command.
5035
	 *
5036
	 * If the set_bdaddr driver callback is provided, then
5037
	 * also the original Bluetooth public device address
5038
	 * will be read using the Read BD Address command.
5039
	 */
5040
	if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
5041
		return hci_unconf_init_sync(hdev);
5042

5043
	return ret;
5044
}
5045

5046
/* This function handles hdev init stage:
5047
 *
5048
 * Calls hci_dev_setup_sync to perform setup stage
5049
 * Calls hci_init_sync to perform HCI command init sequence
5050
 */
5051
static int hci_dev_init_sync(struct hci_dev *hdev)
5052
{
5053
	int ret;
5054

5055
	bt_dev_dbg(hdev, "");
5056

5057
	atomic_set(&hdev->cmd_cnt, 1);
5058
	set_bit(HCI_INIT, &hdev->flags);
5059

5060
	ret = hci_dev_setup_sync(hdev);
5061

5062
	if (hci_dev_test_flag(hdev, HCI_CONFIG)) {
5063
		/* If public address change is configured, ensure that
5064
		 * the address gets programmed. If the driver does not
5065
		 * support changing the public address, fail the power
5066
		 * on procedure.
5067
		 */
5068
		if (bacmp(&hdev->public_addr, BDADDR_ANY) &&
5069
		    hdev->set_bdaddr)
5070
			ret = hdev->set_bdaddr(hdev, &hdev->public_addr);
5071
		else
5072
			ret = -EADDRNOTAVAIL;
5073
	}
5074

5075
	if (!ret) {
5076
		if (!hci_dev_test_flag(hdev, HCI_UNCONFIGURED) &&
5077
		    !hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
5078
			ret = hci_init_sync(hdev);
5079
			if (!ret && hdev->post_init)
5080
				ret = hdev->post_init(hdev);
5081
		}
5082
	}
5083

5084
	/* If the HCI Reset command is clearing all diagnostic settings,
5085
	 * then they need to be reprogrammed after the init procedure
5086
	 * completed.
5087
	 */
5088
	if (hci_test_quirk(hdev, HCI_QUIRK_NON_PERSISTENT_DIAG) &&
5089
	    !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
5090
	    hci_dev_test_flag(hdev, HCI_VENDOR_DIAG) && hdev->set_diag)
5091
		ret = hdev->set_diag(hdev, true);
5092

5093
	if (!hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
5094
		msft_do_open(hdev);
5095
		aosp_do_open(hdev);
5096
	}
5097

5098
	clear_bit(HCI_INIT, &hdev->flags);
5099

5100
	return ret;
5101
}
5102

5103
int hci_dev_open_sync(struct hci_dev *hdev)
5104
{
5105
	int ret;
5106

5107
	bt_dev_dbg(hdev, "");
5108

5109
	if (hci_dev_test_flag(hdev, HCI_UNREGISTER)) {
5110
		ret = -ENODEV;
5111
		goto done;
5112
	}
5113

5114
	if (!hci_dev_test_flag(hdev, HCI_SETUP) &&
5115
	    !hci_dev_test_flag(hdev, HCI_CONFIG)) {
5116
		/* Check for rfkill but allow the HCI setup stage to
5117
		 * proceed (which in itself doesn't cause any RF activity).
5118
		 */
5119
		if (hci_dev_test_flag(hdev, HCI_RFKILLED)) {
5120
			ret = -ERFKILL;
5121
			goto done;
5122
		}
5123

5124
		/* Check for valid public address or a configured static
5125
		 * random address, but let the HCI setup proceed to
5126
		 * be able to determine if there is a public address
5127
		 * or not.
5128
		 *
5129
		 * In case of user channel usage, it is not important
5130
		 * if a public address or static random address is
5131
		 * available.
5132
		 */
5133
		if (!hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
5134
		    !bacmp(&hdev->bdaddr, BDADDR_ANY) &&
5135
		    !bacmp(&hdev->static_addr, BDADDR_ANY)) {
5136
			ret = -EADDRNOTAVAIL;
5137
			goto done;
5138
		}
5139
	}
5140

5141
	if (test_bit(HCI_UP, &hdev->flags)) {
5142
		ret = -EALREADY;
5143
		goto done;
5144
	}
5145

5146
	if (hdev->open(hdev)) {
5147
		ret = -EIO;
5148
		goto done;
5149
	}
5150

5151
	hci_devcd_reset(hdev);
5152

5153
	set_bit(HCI_RUNNING, &hdev->flags);
5154
	hci_sock_dev_event(hdev, HCI_DEV_OPEN);
5155

5156
	ret = hci_dev_init_sync(hdev);
5157
	if (!ret) {
5158
		hci_dev_hold(hdev);
5159
		hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
5160
		hci_adv_instances_set_rpa_expired(hdev, true);
5161
		set_bit(HCI_UP, &hdev->flags);
5162
		hci_sock_dev_event(hdev, HCI_DEV_UP);
5163
		hci_leds_update_powered(hdev, true);
5164
		if (!hci_dev_test_flag(hdev, HCI_SETUP) &&
5165
		    !hci_dev_test_flag(hdev, HCI_CONFIG) &&
5166
		    !hci_dev_test_flag(hdev, HCI_UNCONFIGURED) &&
5167
		    !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
5168
		    hci_dev_test_flag(hdev, HCI_MGMT)) {
5169
			ret = hci_powered_update_sync(hdev);
5170
			mgmt_power_on(hdev, ret);
5171
		}
5172
	} else {
5173
		/* Init failed, cleanup */
5174
		flush_work(&hdev->tx_work);
5175

5176
		/* Since hci_rx_work() is possible to awake new cmd_work
5177
		 * it should be flushed first to avoid unexpected call of
5178
		 * hci_cmd_work()
5179
		 */
5180
		flush_work(&hdev->rx_work);
5181
		flush_work(&hdev->cmd_work);
5182

5183
		skb_queue_purge(&hdev->cmd_q);
5184
		skb_queue_purge(&hdev->rx_q);
5185

5186
		if (hdev->flush)
5187
			hdev->flush(hdev);
5188

5189
		if (hdev->sent_cmd) {
5190
			cancel_delayed_work_sync(&hdev->cmd_timer);
5191
			kfree_skb(hdev->sent_cmd);
5192
			hdev->sent_cmd = NULL;
5193
		}
5194

5195
		if (hdev->req_skb) {
5196
			kfree_skb(hdev->req_skb);
5197
			hdev->req_skb = NULL;
5198
		}
5199

5200
		clear_bit(HCI_RUNNING, &hdev->flags);
5201
		hci_sock_dev_event(hdev, HCI_DEV_CLOSE);
5202

5203
		hdev->close(hdev);
5204
		hdev->flags &= BIT(HCI_RAW);
5205
	}
5206

5207
done:
5208
	return ret;
5209
}
5210

5211
/* This function requires the caller holds hdev->lock */
5212
static void hci_pend_le_actions_clear(struct hci_dev *hdev)
5213
{
5214
	struct hci_conn_params *p;
5215

5216
	list_for_each_entry(p, &hdev->le_conn_params, list) {
5217
		hci_pend_le_list_del_init(p);
5218
		if (p->conn) {
5219
			hci_conn_drop(p->conn);
5220
			hci_conn_put(p->conn);
5221
			p->conn = NULL;
5222
		}
5223
	}
5224

5225
	BT_DBG("All LE pending actions cleared");
5226
}
5227

5228
static int hci_dev_shutdown(struct hci_dev *hdev)
5229
{
5230
	int err = 0;
5231
	/* Similar to how we first do setup and then set the exclusive access
5232
	 * bit for userspace, we must first unset userchannel and then clean up.
5233
	 * Otherwise, the kernel can't properly use the hci channel to clean up
5234
	 * the controller (some shutdown routines require sending additional
5235
	 * commands to the controller for example).
5236
	 */
5237
	bool was_userchannel =
5238
		hci_dev_test_and_clear_flag(hdev, HCI_USER_CHANNEL);
5239

5240
	if (!hci_dev_test_flag(hdev, HCI_UNREGISTER) &&
5241
	    test_bit(HCI_UP, &hdev->flags)) {
5242
		/* Execute vendor specific shutdown routine */
5243
		if (hdev->shutdown)
5244
			err = hdev->shutdown(hdev);
5245
	}
5246

5247
	if (was_userchannel)
5248
		hci_dev_set_flag(hdev, HCI_USER_CHANNEL);
5249

5250
	return err;
5251
}
5252

5253
int hci_dev_close_sync(struct hci_dev *hdev)
5254
{
5255
	bool auto_off;
5256
	int err = 0;
5257

5258
	bt_dev_dbg(hdev, "");
5259

5260
	if (hci_dev_test_flag(hdev, HCI_UNREGISTER)) {
5261
		disable_delayed_work(&hdev->power_off);
5262
		disable_delayed_work(&hdev->ncmd_timer);
5263
		disable_delayed_work(&hdev->le_scan_disable);
5264
	} else {
5265
		cancel_delayed_work(&hdev->power_off);
5266
		cancel_delayed_work(&hdev->ncmd_timer);
5267
		cancel_delayed_work(&hdev->le_scan_disable);
5268
	}
5269

5270
	hci_cmd_sync_cancel_sync(hdev, ENODEV);
5271

5272
	cancel_interleave_scan(hdev);
5273

5274
	if (hdev->adv_instance_timeout) {
5275
		cancel_delayed_work_sync(&hdev->adv_instance_expire);
5276
		hdev->adv_instance_timeout = 0;
5277
	}
5278

5279
	err = hci_dev_shutdown(hdev);
5280

5281
	if (!test_and_clear_bit(HCI_UP, &hdev->flags)) {
5282
		cancel_delayed_work_sync(&hdev->cmd_timer);
5283
		return err;
5284
	}
5285

5286
	hci_leds_update_powered(hdev, false);
5287

5288
	/* Flush RX and TX works */
5289
	flush_work(&hdev->tx_work);
5290
	flush_work(&hdev->rx_work);
5291

5292
	if (hdev->discov_timeout > 0) {
5293
		hdev->discov_timeout = 0;
5294
		hci_dev_clear_flag(hdev, HCI_DISCOVERABLE);
5295
		hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
5296
	}
5297

5298
	if (hci_dev_test_and_clear_flag(hdev, HCI_SERVICE_CACHE))
5299
		cancel_delayed_work(&hdev->service_cache);
5300

5301
	if (hci_dev_test_flag(hdev, HCI_MGMT)) {
5302
		struct adv_info *adv_instance;
5303

5304
		cancel_delayed_work_sync(&hdev->rpa_expired);
5305

5306
		list_for_each_entry(adv_instance, &hdev->adv_instances, list)
5307
			cancel_delayed_work_sync(&adv_instance->rpa_expired_cb);
5308
	}
5309

5310
	/* Avoid potential lockdep warnings from the *_flush() calls by
5311
	 * ensuring the workqueue is empty up front.
5312
	 */
5313
	drain_workqueue(hdev->workqueue);
5314

5315
	hci_dev_lock(hdev);
5316

5317
	hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
5318

5319
	auto_off = hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF);
5320

5321
	if (!auto_off && !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
5322
	    hci_dev_test_flag(hdev, HCI_MGMT))
5323
		__mgmt_power_off(hdev);
5324

5325
	hci_inquiry_cache_flush(hdev);
5326
	hci_pend_le_actions_clear(hdev);
5327
	hci_conn_hash_flush(hdev);
5328
	/* Prevent data races on hdev->smp_data or hdev->smp_bredr_data */
5329
	smp_unregister(hdev);
5330
	hci_dev_unlock(hdev);
5331

5332
	hci_sock_dev_event(hdev, HCI_DEV_DOWN);
5333

5334
	if (!hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) {
5335
		aosp_do_close(hdev);
5336
		msft_do_close(hdev);
5337
	}
5338

5339
	if (hdev->flush)
5340
		hdev->flush(hdev);
5341

5342
	/* Reset device */
5343
	skb_queue_purge(&hdev->cmd_q);
5344
	atomic_set(&hdev->cmd_cnt, 1);
5345
	if (hci_test_quirk(hdev, HCI_QUIRK_RESET_ON_CLOSE) &&
5346
	    !auto_off && !hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
5347
		set_bit(HCI_INIT, &hdev->flags);
5348
		hci_reset_sync(hdev);
5349
		clear_bit(HCI_INIT, &hdev->flags);
5350
	}
5351

5352
	/* flush cmd  work */
5353
	flush_work(&hdev->cmd_work);
5354

5355
	/* Drop queues */
5356
	skb_queue_purge(&hdev->rx_q);
5357
	skb_queue_purge(&hdev->cmd_q);
5358
	skb_queue_purge(&hdev->raw_q);
5359

5360
	/* Drop last sent command */
5361
	if (hdev->sent_cmd) {
5362
		cancel_delayed_work_sync(&hdev->cmd_timer);
5363
		kfree_skb(hdev->sent_cmd);
5364
		hdev->sent_cmd = NULL;
5365
	}
5366

5367
	/* Drop last request */
5368
	if (hdev->req_skb) {
5369
		kfree_skb(hdev->req_skb);
5370
		hdev->req_skb = NULL;
5371
	}
5372

5373
	clear_bit(HCI_RUNNING, &hdev->flags);
5374
	hci_sock_dev_event(hdev, HCI_DEV_CLOSE);
5375

5376
	/* After this point our queues are empty and no tasks are scheduled. */
5377
	hdev->close(hdev);
5378

5379
	/* Clear flags */
5380
	hdev->flags &= BIT(HCI_RAW);
5381
	hci_dev_clear_volatile_flags(hdev);
5382

5383
	memset(hdev->eir, 0, sizeof(hdev->eir));
5384
	memset(hdev->dev_class, 0, sizeof(hdev->dev_class));
5385
	bacpy(&hdev->random_addr, BDADDR_ANY);
5386
	hci_codec_list_clear(&hdev->local_codecs);
5387

5388
	hci_dev_put(hdev);
5389
	return err;
5390
}
5391

5392
/* This function perform power on HCI command sequence as follows:
5393
 *
5394
 * If controller is already up (HCI_UP) performs hci_powered_update_sync
5395
 * sequence otherwise run hci_dev_open_sync which will follow with
5396
 * hci_powered_update_sync after the init sequence is completed.
5397
 */
5398
static int hci_power_on_sync(struct hci_dev *hdev)
5399
{
5400
	int err;
5401

5402
	if (test_bit(HCI_UP, &hdev->flags) &&
5403
	    hci_dev_test_flag(hdev, HCI_MGMT) &&
5404
	    hci_dev_test_and_clear_flag(hdev, HCI_AUTO_OFF)) {
5405
		cancel_delayed_work(&hdev->power_off);
5406
		return hci_powered_update_sync(hdev);
5407
	}
5408

5409
	err = hci_dev_open_sync(hdev);
5410
	if (err < 0)
5411
		return err;
5412

5413
	/* During the HCI setup phase, a few error conditions are
5414
	 * ignored and they need to be checked now. If they are still
5415
	 * valid, it is important to return the device back off.
5416
	 */
5417
	if (hci_dev_test_flag(hdev, HCI_RFKILLED) ||
5418
	    hci_dev_test_flag(hdev, HCI_UNCONFIGURED) ||
5419
	    (!bacmp(&hdev->bdaddr, BDADDR_ANY) &&
5420
	     !bacmp(&hdev->static_addr, BDADDR_ANY))) {
5421
		hci_dev_clear_flag(hdev, HCI_AUTO_OFF);
5422
		hci_dev_close_sync(hdev);
5423
	} else if (hci_dev_test_flag(hdev, HCI_AUTO_OFF)) {
5424
		queue_delayed_work(hdev->req_workqueue, &hdev->power_off,
5425
				   HCI_AUTO_OFF_TIMEOUT);
5426
	}
5427

5428
	if (hci_dev_test_and_clear_flag(hdev, HCI_SETUP)) {
5429
		/* For unconfigured devices, set the HCI_RAW flag
5430
		 * so that userspace can easily identify them.
5431
		 */
5432
		if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
5433
			set_bit(HCI_RAW, &hdev->flags);
5434

5435
		/* For fully configured devices, this will send
5436
		 * the Index Added event. For unconfigured devices,
5437
		 * it will send Unconfigued Index Added event.
5438
		 *
5439
		 * Devices with HCI_QUIRK_RAW_DEVICE are ignored
5440
		 * and no event will be send.
5441
		 */
5442
		mgmt_index_added(hdev);
5443
	} else if (hci_dev_test_and_clear_flag(hdev, HCI_CONFIG)) {
5444
		/* When the controller is now configured, then it
5445
		 * is important to clear the HCI_RAW flag.
5446
		 */
5447
		if (!hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
5448
			clear_bit(HCI_RAW, &hdev->flags);
5449

5450
		/* Powering on the controller with HCI_CONFIG set only
5451
		 * happens with the transition from unconfigured to
5452
		 * configured. This will send the Index Added event.
5453
		 */
5454
		mgmt_index_added(hdev);
5455
	}
5456

5457
	return 0;
5458
}
5459

5460
static int hci_remote_name_cancel_sync(struct hci_dev *hdev, bdaddr_t *addr)
5461
{
5462
	struct hci_cp_remote_name_req_cancel cp;
5463

5464
	memset(&cp, 0, sizeof(cp));
5465
	bacpy(&cp.bdaddr, addr);
5466

5467
	return __hci_cmd_sync_status(hdev, HCI_OP_REMOTE_NAME_REQ_CANCEL,
5468
				     sizeof(cp), &cp, HCI_CMD_TIMEOUT);
5469
}
5470

5471
int hci_stop_discovery_sync(struct hci_dev *hdev)
5472
{
5473
	struct discovery_state *d = &hdev->discovery;
5474
	struct inquiry_entry *e;
5475
	int err;
5476

5477
	bt_dev_dbg(hdev, "state %u", hdev->discovery.state);
5478

5479
	if (d->state == DISCOVERY_FINDING || d->state == DISCOVERY_STOPPING) {
5480
		if (test_bit(HCI_INQUIRY, &hdev->flags)) {
5481
			err = __hci_cmd_sync_status(hdev, HCI_OP_INQUIRY_CANCEL,
5482
						    0, NULL, HCI_CMD_TIMEOUT);
5483
			if (err)
5484
				return err;
5485
		}
5486

5487
		if (hci_dev_test_flag(hdev, HCI_LE_SCAN)) {
5488
			cancel_delayed_work(&hdev->le_scan_disable);
5489

5490
			err = hci_scan_disable_sync(hdev);
5491
			if (err)
5492
				return err;
5493
		}
5494

5495
	} else {
5496
		err = hci_scan_disable_sync(hdev);
5497
		if (err)
5498
			return err;
5499
	}
5500

5501
	/* Resume advertising if it was paused */
5502
	if (ll_privacy_capable(hdev))
5503
		hci_resume_advertising_sync(hdev);
5504

5505
	/* No further actions needed for LE-only discovery */
5506
	if (d->type == DISCOV_TYPE_LE)
5507
		return 0;
5508

5509
	if (d->state == DISCOVERY_RESOLVING || d->state == DISCOVERY_STOPPING) {
5510
		e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY,
5511
						     NAME_PENDING);
5512
		if (!e)
5513
			return 0;
5514

5515
		/* Ignore cancel errors since it should interfere with stopping
5516
		 * of the discovery.
5517
		 */
5518
		hci_remote_name_cancel_sync(hdev, &e->data.bdaddr);
5519
	}
5520

5521
	return 0;
5522
}
5523

5524
static int hci_disconnect_sync(struct hci_dev *hdev, struct hci_conn *conn,
5525
			       u8 reason)
5526
{
5527
	struct hci_cp_disconnect cp;
5528

5529
	if (conn->type == BIS_LINK || conn->type == PA_LINK) {
5530
		/* This is a BIS connection, hci_conn_del will
5531
		 * do the necessary cleanup.
5532
		 */
5533
		hci_dev_lock(hdev);
5534
		hci_conn_failed(conn, reason);
5535
		hci_dev_unlock(hdev);
5536

5537
		return 0;
5538
	}
5539

5540
	memset(&cp, 0, sizeof(cp));
5541
	cp.handle = cpu_to_le16(conn->handle);
5542
	cp.reason = reason;
5543

5544
	/* Wait for HCI_EV_DISCONN_COMPLETE, not HCI_EV_CMD_STATUS, when the
5545
	 * reason is anything but HCI_ERROR_REMOTE_POWER_OFF. This reason is
5546
	 * used when suspending or powering off, where we don't want to wait
5547
	 * for the peer's response.
5548
	 */
5549
	if (reason != HCI_ERROR_REMOTE_POWER_OFF)
5550
		return __hci_cmd_sync_status_sk(hdev, HCI_OP_DISCONNECT,
5551
						sizeof(cp), &cp,
5552
						HCI_EV_DISCONN_COMPLETE,
5553
						HCI_CMD_TIMEOUT, NULL);
5554

5555
	return __hci_cmd_sync_status(hdev, HCI_OP_DISCONNECT, sizeof(cp), &cp,
5556
				     HCI_CMD_TIMEOUT);
5557
}
5558

5559
static int hci_le_connect_cancel_sync(struct hci_dev *hdev,
5560
				      struct hci_conn *conn, u8 reason)
5561
{
5562
	/* Return reason if scanning since the connection shall probably be
5563
	 * cleanup directly.
5564
	 */
5565
	if (test_bit(HCI_CONN_SCANNING, &conn->flags))
5566
		return reason;
5567

5568
	if (conn->role == HCI_ROLE_SLAVE ||
5569
	    test_and_set_bit(HCI_CONN_CANCEL, &conn->flags))
5570
		return 0;
5571

5572
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_CREATE_CONN_CANCEL,
5573
				     0, NULL, HCI_CMD_TIMEOUT);
5574
}
5575

5576
static int hci_connect_cancel_sync(struct hci_dev *hdev, struct hci_conn *conn,
5577
				   u8 reason)
5578
{
5579
	if (conn->type == LE_LINK)
5580
		return hci_le_connect_cancel_sync(hdev, conn, reason);
5581

5582
	if (conn->type == CIS_LINK) {
5583
		/* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 4, Part E
5584
		 * page 1857:
5585
		 *
5586
		 * If this command is issued for a CIS on the Central and the
5587
		 * CIS is successfully terminated before being established,
5588
		 * then an HCI_LE_CIS_Established event shall also be sent for
5589
		 * this CIS with the Status Operation Cancelled by Host (0x44).
5590
		 */
5591
		if (test_bit(HCI_CONN_CREATE_CIS, &conn->flags))
5592
			return hci_disconnect_sync(hdev, conn, reason);
5593

5594
		/* CIS with no Create CIS sent have nothing to cancel */
5595
		return HCI_ERROR_LOCAL_HOST_TERM;
5596
	}
5597

5598
	if (conn->type == BIS_LINK || conn->type == PA_LINK) {
5599
		/* There is no way to cancel a BIS without terminating the BIG
5600
		 * which is done later on connection cleanup.
5601
		 */
5602
		return 0;
5603
	}
5604

5605
	if (hdev->hci_ver < BLUETOOTH_VER_1_2)
5606
		return 0;
5607

5608
	/* Wait for HCI_EV_CONN_COMPLETE, not HCI_EV_CMD_STATUS, when the
5609
	 * reason is anything but HCI_ERROR_REMOTE_POWER_OFF. This reason is
5610
	 * used when suspending or powering off, where we don't want to wait
5611
	 * for the peer's response.
5612
	 */
5613
	if (reason != HCI_ERROR_REMOTE_POWER_OFF)
5614
		return __hci_cmd_sync_status_sk(hdev, HCI_OP_CREATE_CONN_CANCEL,
5615
						6, &conn->dst,
5616
						HCI_EV_CONN_COMPLETE,
5617
						HCI_CMD_TIMEOUT, NULL);
5618

5619
	return __hci_cmd_sync_status(hdev, HCI_OP_CREATE_CONN_CANCEL,
5620
				     6, &conn->dst, HCI_CMD_TIMEOUT);
5621
}
5622

5623
static int hci_reject_sco_sync(struct hci_dev *hdev, struct hci_conn *conn,
5624
			       u8 reason)
5625
{
5626
	struct hci_cp_reject_sync_conn_req cp;
5627

5628
	memset(&cp, 0, sizeof(cp));
5629
	bacpy(&cp.bdaddr, &conn->dst);
5630
	cp.reason = reason;
5631

5632
	/* SCO rejection has its own limited set of
5633
	 * allowed error values (0x0D-0x0F).
5634
	 */
5635
	if (reason < 0x0d || reason > 0x0f)
5636
		cp.reason = HCI_ERROR_REJ_LIMITED_RESOURCES;
5637

5638
	return __hci_cmd_sync_status(hdev, HCI_OP_REJECT_SYNC_CONN_REQ,
5639
				     sizeof(cp), &cp, HCI_CMD_TIMEOUT);
5640
}
5641

5642
static int hci_le_reject_cis_sync(struct hci_dev *hdev, struct hci_conn *conn,
5643
				  u8 reason)
5644
{
5645
	struct hci_cp_le_reject_cis cp;
5646

5647
	memset(&cp, 0, sizeof(cp));
5648
	cp.handle = cpu_to_le16(conn->handle);
5649
	cp.reason = reason;
5650

5651
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_REJECT_CIS,
5652
				     sizeof(cp), &cp, HCI_CMD_TIMEOUT);
5653
}
5654

5655
static int hci_reject_conn_sync(struct hci_dev *hdev, struct hci_conn *conn,
5656
				u8 reason)
5657
{
5658
	struct hci_cp_reject_conn_req cp;
5659

5660
	if (conn->type == CIS_LINK)
5661
		return hci_le_reject_cis_sync(hdev, conn, reason);
5662

5663
	if (conn->type == BIS_LINK || conn->type == PA_LINK)
5664
		return -EINVAL;
5665

5666
	if (conn->type == SCO_LINK || conn->type == ESCO_LINK)
5667
		return hci_reject_sco_sync(hdev, conn, reason);
5668

5669
	memset(&cp, 0, sizeof(cp));
5670
	bacpy(&cp.bdaddr, &conn->dst);
5671
	cp.reason = reason;
5672

5673
	return __hci_cmd_sync_status(hdev, HCI_OP_REJECT_CONN_REQ,
5674
				     sizeof(cp), &cp, HCI_CMD_TIMEOUT);
5675
}
5676

5677
int hci_abort_conn_sync(struct hci_dev *hdev, struct hci_conn *conn, u8 reason)
5678
{
5679
	int err = 0;
5680
	u16 handle = conn->handle;
5681
	bool disconnect = false;
5682
	struct hci_conn *c;
5683

5684
	switch (conn->state) {
5685
	case BT_CONNECTED:
5686
	case BT_CONFIG:
5687
		err = hci_disconnect_sync(hdev, conn, reason);
5688
		break;
5689
	case BT_CONNECT:
5690
		err = hci_connect_cancel_sync(hdev, conn, reason);
5691
		break;
5692
	case BT_CONNECT2:
5693
		err = hci_reject_conn_sync(hdev, conn, reason);
5694
		break;
5695
	case BT_OPEN:
5696
	case BT_BOUND:
5697
		break;
5698
	default:
5699
		disconnect = true;
5700
		break;
5701
	}
5702

5703
	hci_dev_lock(hdev);
5704

5705
	/* Check if the connection has been cleaned up concurrently */
5706
	c = hci_conn_hash_lookup_handle(hdev, handle);
5707
	if (!c || c != conn) {
5708
		err = 0;
5709
		goto unlock;
5710
	}
5711

5712
	/* Cleanup hci_conn object if it cannot be cancelled as it
5713
	 * likely means the controller and host stack are out of sync
5714
	 * or in case of LE it was still scanning so it can be cleanup
5715
	 * safely.
5716
	 */
5717
	if (disconnect) {
5718
		conn->state = BT_CLOSED;
5719
		hci_disconn_cfm(conn, reason);
5720
		hci_conn_del(conn);
5721
	} else {
5722
		hci_conn_failed(conn, reason);
5723
	}
5724

5725
unlock:
5726
	hci_dev_unlock(hdev);
5727
	return err;
5728
}
5729

5730
static int hci_disconnect_all_sync(struct hci_dev *hdev, u8 reason)
5731
{
5732
	struct list_head *head = &hdev->conn_hash.list;
5733
	struct hci_conn *conn;
5734

5735
	rcu_read_lock();
5736
	while ((conn = list_first_or_null_rcu(head, struct hci_conn, list))) {
5737
		/* Make sure the connection is not freed while unlocking */
5738
		conn = hci_conn_get(conn);
5739
		rcu_read_unlock();
5740
		/* Disregard possible errors since hci_conn_del shall have been
5741
		 * called even in case of errors had occurred since it would
5742
		 * then cause hci_conn_failed to be called which calls
5743
		 * hci_conn_del internally.
5744
		 */
5745
		hci_abort_conn_sync(hdev, conn, reason);
5746
		hci_conn_put(conn);
5747
		rcu_read_lock();
5748
	}
5749
	rcu_read_unlock();
5750

5751
	return 0;
5752
}
5753

5754
/* This function perform power off HCI command sequence as follows:
5755
 *
5756
 * Clear Advertising
5757
 * Stop Discovery
5758
 * Disconnect all connections
5759
 * hci_dev_close_sync
5760
 */
5761
static int hci_power_off_sync(struct hci_dev *hdev)
5762
{
5763
	int err;
5764

5765
	/* If controller is already down there is nothing to do */
5766
	if (!test_bit(HCI_UP, &hdev->flags))
5767
		return 0;
5768

5769
	hci_dev_set_flag(hdev, HCI_POWERING_DOWN);
5770

5771
	if (test_bit(HCI_ISCAN, &hdev->flags) ||
5772
	    test_bit(HCI_PSCAN, &hdev->flags)) {
5773
		err = hci_write_scan_enable_sync(hdev, 0x00);
5774
		if (err)
5775
			goto out;
5776
	}
5777

5778
	err = hci_clear_adv_sync(hdev, NULL, false);
5779
	if (err)
5780
		goto out;
5781

5782
	err = hci_stop_discovery_sync(hdev);
5783
	if (err)
5784
		goto out;
5785

5786
	/* Terminated due to Power Off */
5787
	err = hci_disconnect_all_sync(hdev, HCI_ERROR_REMOTE_POWER_OFF);
5788
	if (err)
5789
		goto out;
5790

5791
	err = hci_dev_close_sync(hdev);
5792

5793
out:
5794
	hci_dev_clear_flag(hdev, HCI_POWERING_DOWN);
5795
	return err;
5796
}
5797

5798
int hci_set_powered_sync(struct hci_dev *hdev, u8 val)
5799
{
5800
	if (val)
5801
		return hci_power_on_sync(hdev);
5802

5803
	return hci_power_off_sync(hdev);
5804
}
5805

5806
static int hci_write_iac_sync(struct hci_dev *hdev)
5807
{
5808
	struct hci_cp_write_current_iac_lap cp;
5809

5810
	if (!hci_dev_test_flag(hdev, HCI_DISCOVERABLE))
5811
		return 0;
5812

5813
	memset(&cp, 0, sizeof(cp));
5814

5815
	if (hci_dev_test_flag(hdev, HCI_LIMITED_DISCOVERABLE)) {
5816
		/* Limited discoverable mode */
5817
		cp.num_iac = min_t(u8, hdev->num_iac, 2);
5818
		cp.iac_lap[0] = 0x00;	/* LIAC */
5819
		cp.iac_lap[1] = 0x8b;
5820
		cp.iac_lap[2] = 0x9e;
5821
		cp.iac_lap[3] = 0x33;	/* GIAC */
5822
		cp.iac_lap[4] = 0x8b;
5823
		cp.iac_lap[5] = 0x9e;
5824
	} else {
5825
		/* General discoverable mode */
5826
		cp.num_iac = 1;
5827
		cp.iac_lap[0] = 0x33;	/* GIAC */
5828
		cp.iac_lap[1] = 0x8b;
5829
		cp.iac_lap[2] = 0x9e;
5830
	}
5831

5832
	return __hci_cmd_sync_status(hdev, HCI_OP_WRITE_CURRENT_IAC_LAP,
5833
				     (cp.num_iac * 3) + 1, &cp,
5834
				     HCI_CMD_TIMEOUT);
5835
}
5836

5837
int hci_update_discoverable_sync(struct hci_dev *hdev)
5838
{
5839
	int err = 0;
5840

5841
	if (hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
5842
		err = hci_write_iac_sync(hdev);
5843
		if (err)
5844
			return err;
5845

5846
		err = hci_update_scan_sync(hdev);
5847
		if (err)
5848
			return err;
5849

5850
		err = hci_update_class_sync(hdev);
5851
		if (err)
5852
			return err;
5853
	}
5854

5855
	/* Advertising instances don't use the global discoverable setting, so
5856
	 * only update AD if advertising was enabled using Set Advertising.
5857
	 */
5858
	if (hci_dev_test_flag(hdev, HCI_ADVERTISING)) {
5859
		err = hci_update_adv_data_sync(hdev, 0x00);
5860
		if (err)
5861
			return err;
5862

5863
		/* Discoverable mode affects the local advertising
5864
		 * address in limited privacy mode.
5865
		 */
5866
		if (hci_dev_test_flag(hdev, HCI_LIMITED_PRIVACY)) {
5867
			if (ext_adv_capable(hdev))
5868
				err = hci_start_ext_adv_sync(hdev, 0x00);
5869
			else
5870
				err = hci_enable_advertising_sync(hdev);
5871
		}
5872
	}
5873

5874
	return err;
5875
}
5876

5877
static int update_discoverable_sync(struct hci_dev *hdev, void *data)
5878
{
5879
	return hci_update_discoverable_sync(hdev);
5880
}
5881

5882
int hci_update_discoverable(struct hci_dev *hdev)
5883
{
5884
	/* Only queue if it would have any effect */
5885
	if (hdev_is_powered(hdev) &&
5886
	    hci_dev_test_flag(hdev, HCI_ADVERTISING) &&
5887
	    hci_dev_test_flag(hdev, HCI_DISCOVERABLE) &&
5888
	    hci_dev_test_flag(hdev, HCI_LIMITED_PRIVACY))
5889
		return hci_cmd_sync_queue(hdev, update_discoverable_sync, NULL,
5890
					  NULL);
5891

5892
	return 0;
5893
}
5894

5895
int hci_update_connectable_sync(struct hci_dev *hdev)
5896
{
5897
	int err;
5898

5899
	err = hci_update_scan_sync(hdev);
5900
	if (err)
5901
		return err;
5902

5903
	/* If BR/EDR is not enabled and we disable advertising as a
5904
	 * by-product of disabling connectable, we need to update the
5905
	 * advertising flags.
5906
	 */
5907
	if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
5908
		err = hci_update_adv_data_sync(hdev, hdev->cur_adv_instance);
5909

5910
	/* Update the advertising parameters if necessary */
5911
	if (hci_dev_test_flag(hdev, HCI_ADVERTISING) ||
5912
	    !list_empty(&hdev->adv_instances)) {
5913
		if (ext_adv_capable(hdev))
5914
			err = hci_start_ext_adv_sync(hdev,
5915
						     hdev->cur_adv_instance);
5916
		else
5917
			err = hci_enable_advertising_sync(hdev);
5918

5919
		if (err)
5920
			return err;
5921
	}
5922

5923
	return hci_update_passive_scan_sync(hdev);
5924
}
5925

5926
int hci_inquiry_sync(struct hci_dev *hdev, u8 length, u8 num_rsp)
5927
{
5928
	const u8 giac[3] = { 0x33, 0x8b, 0x9e };
5929
	const u8 liac[3] = { 0x00, 0x8b, 0x9e };
5930
	struct hci_cp_inquiry cp;
5931

5932
	bt_dev_dbg(hdev, "");
5933

5934
	if (test_bit(HCI_INQUIRY, &hdev->flags))
5935
		return 0;
5936

5937
	hci_dev_lock(hdev);
5938
	hci_inquiry_cache_flush(hdev);
5939
	hci_dev_unlock(hdev);
5940

5941
	memset(&cp, 0, sizeof(cp));
5942

5943
	if (hdev->discovery.limited)
5944
		memcpy(&cp.lap, liac, sizeof(cp.lap));
5945
	else
5946
		memcpy(&cp.lap, giac, sizeof(cp.lap));
5947

5948
	cp.length = length;
5949
	cp.num_rsp = num_rsp;
5950

5951
	return __hci_cmd_sync_status(hdev, HCI_OP_INQUIRY,
5952
				     sizeof(cp), &cp, HCI_CMD_TIMEOUT);
5953
}
5954

5955
static int hci_active_scan_sync(struct hci_dev *hdev, uint16_t interval)
5956
{
5957
	u8 own_addr_type;
5958
	/* Accept list is not used for discovery */
5959
	u8 filter_policy = 0x00;
5960
	/* Default is to enable duplicates filter */
5961
	u8 filter_dup = LE_SCAN_FILTER_DUP_ENABLE;
5962
	int err;
5963

5964
	bt_dev_dbg(hdev, "");
5965

5966
	/* If controller is scanning, it means the passive scanning is
5967
	 * running. Thus, we should temporarily stop it in order to set the
5968
	 * discovery scanning parameters.
5969
	 */
5970
	err = hci_scan_disable_sync(hdev);
5971
	if (err) {
5972
		bt_dev_err(hdev, "Unable to disable scanning: %d", err);
5973
		return err;
5974
	}
5975

5976
	cancel_interleave_scan(hdev);
5977

5978
	/* Pause address resolution for active scan and stop advertising if
5979
	 * privacy is enabled.
5980
	 */
5981
	err = hci_pause_addr_resolution(hdev);
5982
	if (err)
5983
		goto failed;
5984

5985
	/* All active scans will be done with either a resolvable private
5986
	 * address (when privacy feature has been enabled) or non-resolvable
5987
	 * private address.
5988
	 */
5989
	err = hci_update_random_address_sync(hdev, true, scan_use_rpa(hdev),
5990
					     &own_addr_type);
5991
	if (err < 0)
5992
		own_addr_type = ADDR_LE_DEV_PUBLIC;
5993

5994
	if (hci_is_adv_monitoring(hdev) ||
5995
	    (hci_test_quirk(hdev, HCI_QUIRK_STRICT_DUPLICATE_FILTER) &&
5996
	    hdev->discovery.result_filtering)) {
5997
		/* Duplicate filter should be disabled when some advertisement
5998
		 * monitor is activated, otherwise AdvMon can only receive one
5999
		 * advertisement for one peer(*) during active scanning, and
6000
		 * might report loss to these peers.
6001
		 *
6002
		 * If controller does strict duplicate filtering and the
6003
		 * discovery requires result filtering disables controller based
6004
		 * filtering since that can cause reports that would match the
6005
		 * host filter to not be reported.
6006
		 */
6007
		filter_dup = LE_SCAN_FILTER_DUP_DISABLE;
6008
	}
6009

6010
	err = hci_start_scan_sync(hdev, LE_SCAN_ACTIVE, interval,
6011
				  hdev->le_scan_window_discovery,
6012
				  own_addr_type, filter_policy, filter_dup);
6013
	if (!err)
6014
		return err;
6015

6016
failed:
6017
	/* Resume advertising if it was paused */
6018
	if (ll_privacy_capable(hdev))
6019
		hci_resume_advertising_sync(hdev);
6020

6021
	/* Resume passive scanning */
6022
	hci_update_passive_scan_sync(hdev);
6023
	return err;
6024
}
6025

6026
static int hci_start_interleaved_discovery_sync(struct hci_dev *hdev)
6027
{
6028
	int err;
6029

6030
	bt_dev_dbg(hdev, "");
6031

6032
	err = hci_active_scan_sync(hdev, hdev->le_scan_int_discovery * 2);
6033
	if (err)
6034
		return err;
6035

6036
	return hci_inquiry_sync(hdev, DISCOV_BREDR_INQUIRY_LEN, 0);
6037
}
6038

6039
int hci_start_discovery_sync(struct hci_dev *hdev)
6040
{
6041
	unsigned long timeout;
6042
	int err;
6043

6044
	bt_dev_dbg(hdev, "type %u", hdev->discovery.type);
6045

6046
	switch (hdev->discovery.type) {
6047
	case DISCOV_TYPE_BREDR:
6048
		return hci_inquiry_sync(hdev, DISCOV_BREDR_INQUIRY_LEN, 0);
6049
	case DISCOV_TYPE_INTERLEAVED:
6050
		/* When running simultaneous discovery, the LE scanning time
6051
		 * should occupy the whole discovery time sine BR/EDR inquiry
6052
		 * and LE scanning are scheduled by the controller.
6053
		 *
6054
		 * For interleaving discovery in comparison, BR/EDR inquiry
6055
		 * and LE scanning are done sequentially with separate
6056
		 * timeouts.
6057
		 */
6058
		if (hci_test_quirk(hdev, HCI_QUIRK_SIMULTANEOUS_DISCOVERY)) {
6059
			timeout = msecs_to_jiffies(DISCOV_LE_TIMEOUT);
6060
			/* During simultaneous discovery, we double LE scan
6061
			 * interval. We must leave some time for the controller
6062
			 * to do BR/EDR inquiry.
6063
			 */
6064
			err = hci_start_interleaved_discovery_sync(hdev);
6065
			break;
6066
		}
6067

6068
		timeout = msecs_to_jiffies(hdev->discov_interleaved_timeout);
6069
		err = hci_active_scan_sync(hdev, hdev->le_scan_int_discovery);
6070
		break;
6071
	case DISCOV_TYPE_LE:
6072
		timeout = msecs_to_jiffies(DISCOV_LE_TIMEOUT);
6073
		err = hci_active_scan_sync(hdev, hdev->le_scan_int_discovery);
6074
		break;
6075
	default:
6076
		return -EINVAL;
6077
	}
6078

6079
	if (err)
6080
		return err;
6081

6082
	bt_dev_dbg(hdev, "timeout %u ms", jiffies_to_msecs(timeout));
6083

6084
	queue_delayed_work(hdev->req_workqueue, &hdev->le_scan_disable,
6085
			   timeout);
6086
	return 0;
6087
}
6088

6089
static void hci_suspend_monitor_sync(struct hci_dev *hdev)
6090
{
6091
	switch (hci_get_adv_monitor_offload_ext(hdev)) {
6092
	case HCI_ADV_MONITOR_EXT_MSFT:
6093
		msft_suspend_sync(hdev);
6094
		break;
6095
	default:
6096
		return;
6097
	}
6098
}
6099

6100
/* This function disables discovery and mark it as paused */
6101
static int hci_pause_discovery_sync(struct hci_dev *hdev)
6102
{
6103
	int old_state = hdev->discovery.state;
6104
	int err;
6105

6106
	/* If discovery already stopped/stopping/paused there nothing to do */
6107
	if (old_state == DISCOVERY_STOPPED || old_state == DISCOVERY_STOPPING ||
6108
	    hdev->discovery_paused)
6109
		return 0;
6110

6111
	hci_discovery_set_state(hdev, DISCOVERY_STOPPING);
6112
	err = hci_stop_discovery_sync(hdev);
6113
	if (err)
6114
		return err;
6115

6116
	hdev->discovery_paused = true;
6117
	hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
6118

6119
	return 0;
6120
}
6121

6122
static int hci_update_event_filter_sync(struct hci_dev *hdev)
6123
{
6124
	struct bdaddr_list_with_flags *b;
6125
	u8 scan = SCAN_DISABLED;
6126
	bool scanning = test_bit(HCI_PSCAN, &hdev->flags);
6127
	int err;
6128

6129
	if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED))
6130
		return 0;
6131

6132
	/* Some fake CSR controllers lock up after setting this type of
6133
	 * filter, so avoid sending the request altogether.
6134
	 */
6135
	if (hci_test_quirk(hdev, HCI_QUIRK_BROKEN_FILTER_CLEAR_ALL))
6136
		return 0;
6137

6138
	/* Always clear event filter when starting */
6139
	hci_clear_event_filter_sync(hdev);
6140

6141
	list_for_each_entry(b, &hdev->accept_list, list) {
6142
		if (!(b->flags & HCI_CONN_FLAG_REMOTE_WAKEUP))
6143
			continue;
6144

6145
		bt_dev_dbg(hdev, "Adding event filters for %pMR", &b->bdaddr);
6146

6147
		err =  hci_set_event_filter_sync(hdev, HCI_FLT_CONN_SETUP,
6148
						 HCI_CONN_SETUP_ALLOW_BDADDR,
6149
						 &b->bdaddr,
6150
						 HCI_CONN_SETUP_AUTO_ON);
6151
		if (err)
6152
			bt_dev_err(hdev, "Failed to set event filter for %pMR",
6153
				   &b->bdaddr);
6154
		else
6155
			scan = SCAN_PAGE;
6156
	}
6157

6158
	if (scan && !scanning)
6159
		hci_write_scan_enable_sync(hdev, scan);
6160
	else if (!scan && scanning)
6161
		hci_write_scan_enable_sync(hdev, scan);
6162

6163
	return 0;
6164
}
6165

6166
/* This function disables scan (BR and LE) and mark it as paused */
6167
static int hci_pause_scan_sync(struct hci_dev *hdev)
6168
{
6169
	if (hdev->scanning_paused)
6170
		return 0;
6171

6172
	/* Disable page scan if enabled */
6173
	if (test_bit(HCI_PSCAN, &hdev->flags))
6174
		hci_write_scan_enable_sync(hdev, SCAN_DISABLED);
6175

6176
	hci_scan_disable_sync(hdev);
6177

6178
	hdev->scanning_paused = true;
6179

6180
	return 0;
6181
}
6182

6183
/* This function performs the HCI suspend procedures in the follow order:
6184
 *
6185
 * Pause discovery (active scanning/inquiry)
6186
 * Pause Directed Advertising/Advertising
6187
 * Pause Scanning (passive scanning in case discovery was not active)
6188
 * Disconnect all connections
6189
 * Set suspend_status to BT_SUSPEND_DISCONNECT if hdev cannot wakeup
6190
 * otherwise:
6191
 * Update event mask (only set events that are allowed to wake up the host)
6192
 * Update event filter (with devices marked with HCI_CONN_FLAG_REMOTE_WAKEUP)
6193
 * Update passive scanning (lower duty cycle)
6194
 * Set suspend_status to BT_SUSPEND_CONFIGURE_WAKE
6195
 */
6196
int hci_suspend_sync(struct hci_dev *hdev)
6197
{
6198
	int err;
6199

6200
	/* If marked as suspended there nothing to do */
6201
	if (hdev->suspended)
6202
		return 0;
6203

6204
	/* Mark device as suspended */
6205
	hdev->suspended = true;
6206

6207
	/* Pause discovery if not already stopped */
6208
	hci_pause_discovery_sync(hdev);
6209

6210
	/* Pause other advertisements */
6211
	hci_pause_advertising_sync(hdev);
6212

6213
	/* Suspend monitor filters */
6214
	hci_suspend_monitor_sync(hdev);
6215

6216
	/* Prevent disconnects from causing scanning to be re-enabled */
6217
	hci_pause_scan_sync(hdev);
6218

6219
	if (hci_conn_count(hdev)) {
6220
		/* Soft disconnect everything (power off) */
6221
		err = hci_disconnect_all_sync(hdev, HCI_ERROR_REMOTE_POWER_OFF);
6222
		if (err) {
6223
			/* Set state to BT_RUNNING so resume doesn't notify */
6224
			hdev->suspend_state = BT_RUNNING;
6225
			hci_resume_sync(hdev);
6226
			return err;
6227
		}
6228

6229
		/* Update event mask so only the allowed event can wakeup the
6230
		 * host.
6231
		 */
6232
		hci_set_event_mask_sync(hdev);
6233
	}
6234

6235
	/* Only configure accept list if disconnect succeeded and wake
6236
	 * isn't being prevented.
6237
	 */
6238
	if (!hdev->wakeup || !hdev->wakeup(hdev)) {
6239
		hdev->suspend_state = BT_SUSPEND_DISCONNECT;
6240
		return 0;
6241
	}
6242

6243
	/* Unpause to take care of updating scanning params */
6244
	hdev->scanning_paused = false;
6245

6246
	/* Enable event filter for paired devices */
6247
	hci_update_event_filter_sync(hdev);
6248

6249
	/* Update LE passive scan if enabled */
6250
	hci_update_passive_scan_sync(hdev);
6251

6252
	/* Pause scan changes again. */
6253
	hdev->scanning_paused = true;
6254

6255
	hdev->suspend_state = BT_SUSPEND_CONFIGURE_WAKE;
6256

6257
	return 0;
6258
}
6259

6260
/* This function resumes discovery */
6261
static int hci_resume_discovery_sync(struct hci_dev *hdev)
6262
{
6263
	int err;
6264

6265
	/* If discovery not paused there nothing to do */
6266
	if (!hdev->discovery_paused)
6267
		return 0;
6268

6269
	hdev->discovery_paused = false;
6270

6271
	hci_discovery_set_state(hdev, DISCOVERY_STARTING);
6272

6273
	err = hci_start_discovery_sync(hdev);
6274

6275
	hci_discovery_set_state(hdev, err ? DISCOVERY_STOPPED :
6276
				DISCOVERY_FINDING);
6277

6278
	return err;
6279
}
6280

6281
static void hci_resume_monitor_sync(struct hci_dev *hdev)
6282
{
6283
	switch (hci_get_adv_monitor_offload_ext(hdev)) {
6284
	case HCI_ADV_MONITOR_EXT_MSFT:
6285
		msft_resume_sync(hdev);
6286
		break;
6287
	default:
6288
		return;
6289
	}
6290
}
6291

6292
/* This function resume scan and reset paused flag */
6293
static int hci_resume_scan_sync(struct hci_dev *hdev)
6294
{
6295
	if (!hdev->scanning_paused)
6296
		return 0;
6297

6298
	hdev->scanning_paused = false;
6299

6300
	hci_update_scan_sync(hdev);
6301

6302
	/* Reset passive scanning to normal */
6303
	hci_update_passive_scan_sync(hdev);
6304

6305
	return 0;
6306
}
6307

6308
/* This function performs the HCI suspend procedures in the follow order:
6309
 *
6310
 * Restore event mask
6311
 * Clear event filter
6312
 * Update passive scanning (normal duty cycle)
6313
 * Resume Directed Advertising/Advertising
6314
 * Resume discovery (active scanning/inquiry)
6315
 */
6316
int hci_resume_sync(struct hci_dev *hdev)
6317
{
6318
	/* If not marked as suspended there nothing to do */
6319
	if (!hdev->suspended)
6320
		return 0;
6321

6322
	hdev->suspended = false;
6323

6324
	/* Restore event mask */
6325
	hci_set_event_mask_sync(hdev);
6326

6327
	/* Clear any event filters and restore scan state */
6328
	hci_clear_event_filter_sync(hdev);
6329

6330
	/* Resume scanning */
6331
	hci_resume_scan_sync(hdev);
6332

6333
	/* Resume monitor filters */
6334
	hci_resume_monitor_sync(hdev);
6335

6336
	/* Resume other advertisements */
6337
	hci_resume_advertising_sync(hdev);
6338

6339
	/* Resume discovery */
6340
	hci_resume_discovery_sync(hdev);
6341

6342
	return 0;
6343
}
6344

6345
static bool conn_use_rpa(struct hci_conn *conn)
6346
{
6347
	struct hci_dev *hdev = conn->hdev;
6348

6349
	return hci_dev_test_flag(hdev, HCI_PRIVACY);
6350
}
6351

6352
static int hci_le_ext_directed_advertising_sync(struct hci_dev *hdev,
6353
						struct hci_conn *conn)
6354
{
6355
	struct hci_cp_le_set_ext_adv_params cp;
6356
	struct hci_rp_le_set_ext_adv_params rp;
6357
	int err;
6358
	bdaddr_t random_addr;
6359
	u8 own_addr_type;
6360

6361
	err = hci_update_random_address_sync(hdev, false, conn_use_rpa(conn),
6362
					     &own_addr_type);
6363
	if (err)
6364
		return err;
6365

6366
	/* Set require_privacy to false so that the remote device has a
6367
	 * chance of identifying us.
6368
	 */
6369
	err = hci_get_random_address(hdev, false, conn_use_rpa(conn), NULL,
6370
				     &own_addr_type, &random_addr);
6371
	if (err)
6372
		return err;
6373

6374
	memset(&cp, 0, sizeof(cp));
6375

6376
	cp.evt_properties = cpu_to_le16(LE_LEGACY_ADV_DIRECT_IND);
6377
	cp.channel_map = hdev->le_adv_channel_map;
6378
	cp.tx_power = HCI_TX_POWER_INVALID;
6379
	cp.primary_phy = HCI_ADV_PHY_1M;
6380
	cp.secondary_phy = HCI_ADV_PHY_1M;
6381
	cp.handle = 0x00; /* Use instance 0 for directed adv */
6382
	cp.own_addr_type = own_addr_type;
6383
	cp.peer_addr_type = conn->dst_type;
6384
	bacpy(&cp.peer_addr, &conn->dst);
6385

6386
	/* As per Core Spec 5.2 Vol 2, PART E, Sec 7.8.53, for
6387
	 * advertising_event_property LE_LEGACY_ADV_DIRECT_IND
6388
	 * does not supports advertising data when the advertising set already
6389
	 * contains some, the controller shall return erroc code 'Invalid
6390
	 * HCI Command Parameters(0x12).
6391
	 * So it is required to remove adv set for handle 0x00. since we use
6392
	 * instance 0 for directed adv.
6393
	 */
6394
	err = hci_remove_ext_adv_instance_sync(hdev, cp.handle, NULL);
6395
	if (err)
6396
		return err;
6397

6398
	err = hci_set_ext_adv_params_sync(hdev, NULL, &cp, &rp);
6399
	if (err)
6400
		return err;
6401

6402
	/* Update adv data as tx power is known now */
6403
	err = hci_set_ext_adv_data_sync(hdev, cp.handle);
6404
	if (err)
6405
		return err;
6406

6407
	/* Check if random address need to be updated */
6408
	if (own_addr_type == ADDR_LE_DEV_RANDOM &&
6409
	    bacmp(&random_addr, BDADDR_ANY) &&
6410
	    bacmp(&random_addr, &hdev->random_addr)) {
6411
		err = hci_set_adv_set_random_addr_sync(hdev, 0x00,
6412
						       &random_addr);
6413
		if (err)
6414
			return err;
6415
	}
6416

6417
	return hci_enable_ext_advertising_sync(hdev, 0x00);
6418
}
6419

6420
static int hci_le_directed_advertising_sync(struct hci_dev *hdev,
6421
					    struct hci_conn *conn)
6422
{
6423
	struct hci_cp_le_set_adv_param cp;
6424
	u8 status;
6425
	u8 own_addr_type;
6426
	u8 enable;
6427

6428
	if (ext_adv_capable(hdev))
6429
		return hci_le_ext_directed_advertising_sync(hdev, conn);
6430

6431
	/* Clear the HCI_LE_ADV bit temporarily so that the
6432
	 * hci_update_random_address knows that it's safe to go ahead
6433
	 * and write a new random address. The flag will be set back on
6434
	 * as soon as the SET_ADV_ENABLE HCI command completes.
6435
	 */
6436
	hci_dev_clear_flag(hdev, HCI_LE_ADV);
6437

6438
	/* Set require_privacy to false so that the remote device has a
6439
	 * chance of identifying us.
6440
	 */
6441
	status = hci_update_random_address_sync(hdev, false, conn_use_rpa(conn),
6442
						&own_addr_type);
6443
	if (status)
6444
		return status;
6445

6446
	memset(&cp, 0, sizeof(cp));
6447

6448
	/* Some controllers might reject command if intervals are not
6449
	 * within range for undirected advertising.
6450
	 * BCM20702A0 is known to be affected by this.
6451
	 */
6452
	cp.min_interval = cpu_to_le16(0x0020);
6453
	cp.max_interval = cpu_to_le16(0x0020);
6454

6455
	cp.type = LE_ADV_DIRECT_IND;
6456
	cp.own_address_type = own_addr_type;
6457
	cp.direct_addr_type = conn->dst_type;
6458
	bacpy(&cp.direct_addr, &conn->dst);
6459
	cp.channel_map = hdev->le_adv_channel_map;
6460

6461
	status = __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_ADV_PARAM,
6462
				       sizeof(cp), &cp, HCI_CMD_TIMEOUT);
6463
	if (status)
6464
		return status;
6465

6466
	enable = 0x01;
6467

6468
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_ADV_ENABLE,
6469
				     sizeof(enable), &enable, HCI_CMD_TIMEOUT);
6470
}
6471

6472
static void set_ext_conn_params(struct hci_conn *conn,
6473
				struct hci_cp_le_ext_conn_param *p)
6474
{
6475
	struct hci_dev *hdev = conn->hdev;
6476

6477
	memset(p, 0, sizeof(*p));
6478

6479
	p->scan_interval = cpu_to_le16(hdev->le_scan_int_connect);
6480
	p->scan_window = cpu_to_le16(hdev->le_scan_window_connect);
6481
	p->conn_interval_min = cpu_to_le16(conn->le_conn_min_interval);
6482
	p->conn_interval_max = cpu_to_le16(conn->le_conn_max_interval);
6483
	p->conn_latency = cpu_to_le16(conn->le_conn_latency);
6484
	p->supervision_timeout = cpu_to_le16(conn->le_supv_timeout);
6485
	p->min_ce_len = cpu_to_le16(0x0000);
6486
	p->max_ce_len = cpu_to_le16(0x0000);
6487
}
6488

6489
static int hci_le_ext_create_conn_sync(struct hci_dev *hdev,
6490
				       struct hci_conn *conn, u8 own_addr_type)
6491
{
6492
	struct hci_cp_le_ext_create_conn *cp;
6493
	struct hci_cp_le_ext_conn_param *p;
6494
	u8 data[sizeof(*cp) + sizeof(*p) * 3];
6495
	u32 plen;
6496

6497
	cp = (void *)data;
6498
	p = (void *)cp->data;
6499

6500
	memset(cp, 0, sizeof(*cp));
6501

6502
	bacpy(&cp->peer_addr, &conn->dst);
6503
	cp->peer_addr_type = conn->dst_type;
6504
	cp->own_addr_type = own_addr_type;
6505

6506
	plen = sizeof(*cp);
6507

6508
	if (scan_1m(hdev) && (conn->le_adv_phy == HCI_ADV_PHY_1M ||
6509
			      conn->le_adv_sec_phy == HCI_ADV_PHY_1M)) {
6510
		cp->phys |= LE_SCAN_PHY_1M;
6511
		set_ext_conn_params(conn, p);
6512

6513
		p++;
6514
		plen += sizeof(*p);
6515
	}
6516

6517
	if (scan_2m(hdev) && (conn->le_adv_phy == HCI_ADV_PHY_2M ||
6518
			      conn->le_adv_sec_phy == HCI_ADV_PHY_2M)) {
6519
		cp->phys |= LE_SCAN_PHY_2M;
6520
		set_ext_conn_params(conn, p);
6521

6522
		p++;
6523
		plen += sizeof(*p);
6524
	}
6525

6526
	if (scan_coded(hdev) && (conn->le_adv_phy == HCI_ADV_PHY_CODED ||
6527
				 conn->le_adv_sec_phy == HCI_ADV_PHY_CODED)) {
6528
		cp->phys |= LE_SCAN_PHY_CODED;
6529
		set_ext_conn_params(conn, p);
6530

6531
		plen += sizeof(*p);
6532
	}
6533

6534
	return __hci_cmd_sync_status_sk(hdev, HCI_OP_LE_EXT_CREATE_CONN,
6535
					plen, data,
6536
					HCI_EV_LE_ENHANCED_CONN_COMPLETE,
6537
					conn->conn_timeout, NULL);
6538
}
6539

6540
static int hci_le_create_conn_sync(struct hci_dev *hdev, void *data)
6541
{
6542
	struct hci_cp_le_create_conn cp;
6543
	struct hci_conn_params *params;
6544
	u8 own_addr_type;
6545
	int err;
6546
	struct hci_conn *conn = data;
6547

6548
	if (!hci_conn_valid(hdev, conn))
6549
		return -ECANCELED;
6550

6551
	bt_dev_dbg(hdev, "conn %p", conn);
6552

6553
	clear_bit(HCI_CONN_SCANNING, &conn->flags);
6554
	conn->state = BT_CONNECT;
6555

6556
	/* If requested to connect as peripheral use directed advertising */
6557
	if (conn->role == HCI_ROLE_SLAVE) {
6558
		/* If we're active scanning and simultaneous roles is not
6559
		 * enabled simply reject the attempt.
6560
		 */
6561
		if (hci_dev_test_flag(hdev, HCI_LE_SCAN) &&
6562
		    hdev->le_scan_type == LE_SCAN_ACTIVE &&
6563
		    !hci_dev_test_flag(hdev, HCI_LE_SIMULTANEOUS_ROLES)) {
6564
			hci_conn_del(conn);
6565
			return -EBUSY;
6566
		}
6567

6568
		/* Pause advertising while doing directed advertising. */
6569
		hci_pause_advertising_sync(hdev);
6570

6571
		err = hci_le_directed_advertising_sync(hdev, conn);
6572
		goto done;
6573
	}
6574

6575
	/* Disable advertising if simultaneous roles is not in use. */
6576
	if (!hci_dev_test_flag(hdev, HCI_LE_SIMULTANEOUS_ROLES))
6577
		hci_pause_advertising_sync(hdev);
6578

6579
	params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
6580
	if (params) {
6581
		conn->le_conn_min_interval = params->conn_min_interval;
6582
		conn->le_conn_max_interval = params->conn_max_interval;
6583
		conn->le_conn_latency = params->conn_latency;
6584
		conn->le_supv_timeout = params->supervision_timeout;
6585
	} else {
6586
		conn->le_conn_min_interval = hdev->le_conn_min_interval;
6587
		conn->le_conn_max_interval = hdev->le_conn_max_interval;
6588
		conn->le_conn_latency = hdev->le_conn_latency;
6589
		conn->le_supv_timeout = hdev->le_supv_timeout;
6590
	}
6591

6592
	/* If controller is scanning, we stop it since some controllers are
6593
	 * not able to scan and connect at the same time. Also set the
6594
	 * HCI_LE_SCAN_INTERRUPTED flag so that the command complete
6595
	 * handler for scan disabling knows to set the correct discovery
6596
	 * state.
6597
	 */
6598
	if (hci_dev_test_flag(hdev, HCI_LE_SCAN)) {
6599
		hci_scan_disable_sync(hdev);
6600
		hci_dev_set_flag(hdev, HCI_LE_SCAN_INTERRUPTED);
6601
	}
6602

6603
	/* Update random address, but set require_privacy to false so
6604
	 * that we never connect with an non-resolvable address.
6605
	 */
6606
	err = hci_update_random_address_sync(hdev, false, conn_use_rpa(conn),
6607
					     &own_addr_type);
6608
	if (err)
6609
		goto done;
6610
	/* Send command LE Extended Create Connection if supported */
6611
	if (use_ext_conn(hdev)) {
6612
		err = hci_le_ext_create_conn_sync(hdev, conn, own_addr_type);
6613
		goto done;
6614
	}
6615

6616
	memset(&cp, 0, sizeof(cp));
6617

6618
	cp.scan_interval = cpu_to_le16(hdev->le_scan_int_connect);
6619
	cp.scan_window = cpu_to_le16(hdev->le_scan_window_connect);
6620

6621
	bacpy(&cp.peer_addr, &conn->dst);
6622
	cp.peer_addr_type = conn->dst_type;
6623
	cp.own_address_type = own_addr_type;
6624
	cp.conn_interval_min = cpu_to_le16(conn->le_conn_min_interval);
6625
	cp.conn_interval_max = cpu_to_le16(conn->le_conn_max_interval);
6626
	cp.conn_latency = cpu_to_le16(conn->le_conn_latency);
6627
	cp.supervision_timeout = cpu_to_le16(conn->le_supv_timeout);
6628
	cp.min_ce_len = cpu_to_le16(0x0000);
6629
	cp.max_ce_len = cpu_to_le16(0x0000);
6630

6631
	/* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 4, Part E page 2261:
6632
	 *
6633
	 * If this event is unmasked and the HCI_LE_Connection_Complete event
6634
	 * is unmasked, only the HCI_LE_Enhanced_Connection_Complete event is
6635
	 * sent when a new connection has been created.
6636
	 */
6637
	err = __hci_cmd_sync_status_sk(hdev, HCI_OP_LE_CREATE_CONN,
6638
				       sizeof(cp), &cp,
6639
				       use_enhanced_conn_complete(hdev) ?
6640
				       HCI_EV_LE_ENHANCED_CONN_COMPLETE :
6641
				       HCI_EV_LE_CONN_COMPLETE,
6642
				       conn->conn_timeout, NULL);
6643

6644
done:
6645
	if (err == -ETIMEDOUT)
6646
		hci_le_connect_cancel_sync(hdev, conn, 0x00);
6647

6648
	/* Re-enable advertising after the connection attempt is finished. */
6649
	hci_resume_advertising_sync(hdev);
6650
	return err;
6651
}
6652

6653
int hci_le_create_cis_sync(struct hci_dev *hdev)
6654
{
6655
	DEFINE_FLEX(struct hci_cp_le_create_cis, cmd, cis, num_cis, 0x1f);
6656
	size_t aux_num_cis = 0;
6657
	struct hci_conn *conn;
6658
	u8 cig = BT_ISO_QOS_CIG_UNSET;
6659

6660
	/* The spec allows only one pending LE Create CIS command at a time. If
6661
	 * the command is pending now, don't do anything. We check for pending
6662
	 * connections after each CIS Established event.
6663
	 *
6664
	 * BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 4, Part E
6665
	 * page 2566:
6666
	 *
6667
	 * If the Host issues this command before all the
6668
	 * HCI_LE_CIS_Established events from the previous use of the
6669
	 * command have been generated, the Controller shall return the
6670
	 * error code Command Disallowed (0x0C).
6671
	 *
6672
	 * BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 4, Part E
6673
	 * page 2567:
6674
	 *
6675
	 * When the Controller receives the HCI_LE_Create_CIS command, the
6676
	 * Controller sends the HCI_Command_Status event to the Host. An
6677
	 * HCI_LE_CIS_Established event will be generated for each CIS when it
6678
	 * is established or if it is disconnected or considered lost before
6679
	 * being established; until all the events are generated, the command
6680
	 * remains pending.
6681
	 */
6682

6683
	hci_dev_lock(hdev);
6684

6685
	rcu_read_lock();
6686

6687
	/* Wait until previous Create CIS has completed */
6688
	list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) {
6689
		if (test_bit(HCI_CONN_CREATE_CIS, &conn->flags))
6690
			goto done;
6691
	}
6692

6693
	/* Find CIG with all CIS ready */
6694
	list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) {
6695
		struct hci_conn *link;
6696

6697
		if (hci_conn_check_create_cis(conn))
6698
			continue;
6699

6700
		cig = conn->iso_qos.ucast.cig;
6701

6702
		list_for_each_entry_rcu(link, &hdev->conn_hash.list, list) {
6703
			if (hci_conn_check_create_cis(link) > 0 &&
6704
			    link->iso_qos.ucast.cig == cig &&
6705
			    link->state != BT_CONNECTED) {
6706
				cig = BT_ISO_QOS_CIG_UNSET;
6707
				break;
6708
			}
6709
		}
6710

6711
		if (cig != BT_ISO_QOS_CIG_UNSET)
6712
			break;
6713
	}
6714

6715
	if (cig == BT_ISO_QOS_CIG_UNSET)
6716
		goto done;
6717

6718
	list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) {
6719
		struct hci_cis *cis = &cmd->cis[aux_num_cis];
6720

6721
		if (hci_conn_check_create_cis(conn) ||
6722
		    conn->iso_qos.ucast.cig != cig)
6723
			continue;
6724

6725
		set_bit(HCI_CONN_CREATE_CIS, &conn->flags);
6726
		cis->acl_handle = cpu_to_le16(conn->parent->handle);
6727
		cis->cis_handle = cpu_to_le16(conn->handle);
6728
		aux_num_cis++;
6729

6730
		if (aux_num_cis >= cmd->num_cis)
6731
			break;
6732
	}
6733
	cmd->num_cis = aux_num_cis;
6734

6735
done:
6736
	rcu_read_unlock();
6737

6738
	hci_dev_unlock(hdev);
6739

6740
	if (!aux_num_cis)
6741
		return 0;
6742

6743
	/* Wait for HCI_LE_CIS_Established */
6744
	return __hci_cmd_sync_status_sk(hdev, HCI_OP_LE_CREATE_CIS,
6745
					struct_size(cmd, cis, cmd->num_cis),
6746
					cmd, HCI_EVT_LE_CIS_ESTABLISHED,
6747
					conn->conn_timeout, NULL);
6748
}
6749

6750
int hci_le_remove_cig_sync(struct hci_dev *hdev, u8 handle)
6751
{
6752
	struct hci_cp_le_remove_cig cp;
6753

6754
	memset(&cp, 0, sizeof(cp));
6755
	cp.cig_id = handle;
6756

6757
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_REMOVE_CIG, sizeof(cp),
6758
				     &cp, HCI_CMD_TIMEOUT);
6759
}
6760

6761
int hci_le_big_terminate_sync(struct hci_dev *hdev, u8 handle)
6762
{
6763
	struct hci_cp_le_big_term_sync cp;
6764

6765
	memset(&cp, 0, sizeof(cp));
6766
	cp.handle = handle;
6767

6768
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_BIG_TERM_SYNC,
6769
				     sizeof(cp), &cp, HCI_CMD_TIMEOUT);
6770
}
6771

6772
int hci_le_pa_terminate_sync(struct hci_dev *hdev, u16 handle)
6773
{
6774
	struct hci_cp_le_pa_term_sync cp;
6775

6776
	memset(&cp, 0, sizeof(cp));
6777
	cp.handle = cpu_to_le16(handle);
6778

6779
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_PA_TERM_SYNC,
6780
				     sizeof(cp), &cp, HCI_CMD_TIMEOUT);
6781
}
6782

6783
int hci_get_random_address(struct hci_dev *hdev, bool require_privacy,
6784
			   bool use_rpa, struct adv_info *adv_instance,
6785
			   u8 *own_addr_type, bdaddr_t *rand_addr)
6786
{
6787
	int err;
6788

6789
	bacpy(rand_addr, BDADDR_ANY);
6790

6791
	/* If privacy is enabled use a resolvable private address. If
6792
	 * current RPA has expired then generate a new one.
6793
	 */
6794
	if (use_rpa) {
6795
		/* If Controller supports LL Privacy use own address type is
6796
		 * 0x03
6797
		 */
6798
		if (ll_privacy_capable(hdev))
6799
			*own_addr_type = ADDR_LE_DEV_RANDOM_RESOLVED;
6800
		else
6801
			*own_addr_type = ADDR_LE_DEV_RANDOM;
6802

6803
		if (adv_instance) {
6804
			if (adv_rpa_valid(adv_instance))
6805
				return 0;
6806
		} else {
6807
			if (rpa_valid(hdev))
6808
				return 0;
6809
		}
6810

6811
		err = smp_generate_rpa(hdev, hdev->irk, &hdev->rpa);
6812
		if (err < 0) {
6813
			bt_dev_err(hdev, "failed to generate new RPA");
6814
			return err;
6815
		}
6816

6817
		bacpy(rand_addr, &hdev->rpa);
6818

6819
		return 0;
6820
	}
6821

6822
	/* In case of required privacy without resolvable private address,
6823
	 * use an non-resolvable private address. This is useful for
6824
	 * non-connectable advertising.
6825
	 */
6826
	if (require_privacy) {
6827
		bdaddr_t nrpa;
6828

6829
		while (true) {
6830
			/* The non-resolvable private address is generated
6831
			 * from random six bytes with the two most significant
6832
			 * bits cleared.
6833
			 */
6834
			get_random_bytes(&nrpa, 6);
6835
			nrpa.b[5] &= 0x3f;
6836

6837
			/* The non-resolvable private address shall not be
6838
			 * equal to the public address.
6839
			 */
6840
			if (bacmp(&hdev->bdaddr, &nrpa))
6841
				break;
6842
		}
6843

6844
		*own_addr_type = ADDR_LE_DEV_RANDOM;
6845
		bacpy(rand_addr, &nrpa);
6846

6847
		return 0;
6848
	}
6849

6850
	/* No privacy, use the current address */
6851
	hci_copy_identity_address(hdev, rand_addr, own_addr_type);
6852

6853
	return 0;
6854
}
6855

6856
static int _update_adv_data_sync(struct hci_dev *hdev, void *data)
6857
{
6858
	u8 instance = PTR_UINT(data);
6859

6860
	return hci_update_adv_data_sync(hdev, instance);
6861
}
6862

6863
int hci_update_adv_data(struct hci_dev *hdev, u8 instance)
6864
{
6865
	return hci_cmd_sync_queue(hdev, _update_adv_data_sync,
6866
				  UINT_PTR(instance), NULL);
6867
}
6868

6869
static int hci_acl_create_conn_sync(struct hci_dev *hdev, void *data)
6870
{
6871
	struct hci_conn *conn = data;
6872
	struct inquiry_entry *ie;
6873
	struct hci_cp_create_conn cp;
6874
	int err;
6875

6876
	if (!hci_conn_valid(hdev, conn))
6877
		return -ECANCELED;
6878

6879
	/* Many controllers disallow HCI Create Connection while it is doing
6880
	 * HCI Inquiry. So we cancel the Inquiry first before issuing HCI Create
6881
	 * Connection. This may cause the MGMT discovering state to become false
6882
	 * without user space's request but it is okay since the MGMT Discovery
6883
	 * APIs do not promise that discovery should be done forever. Instead,
6884
	 * the user space monitors the status of MGMT discovering and it may
6885
	 * request for discovery again when this flag becomes false.
6886
	 */
6887
	if (test_bit(HCI_INQUIRY, &hdev->flags)) {
6888
		err = __hci_cmd_sync_status(hdev, HCI_OP_INQUIRY_CANCEL, 0,
6889
					    NULL, HCI_CMD_TIMEOUT);
6890
		if (err)
6891
			bt_dev_warn(hdev, "Failed to cancel inquiry %d", err);
6892
	}
6893

6894
	conn->state = BT_CONNECT;
6895
	conn->out = true;
6896
	conn->role = HCI_ROLE_MASTER;
6897

6898
	conn->attempt++;
6899

6900
	conn->link_policy = hdev->link_policy;
6901

6902
	memset(&cp, 0, sizeof(cp));
6903
	bacpy(&cp.bdaddr, &conn->dst);
6904
	cp.pscan_rep_mode = 0x02;
6905

6906
	ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
6907
	if (ie) {
6908
		if (inquiry_entry_age(ie) <= INQUIRY_ENTRY_AGE_MAX) {
6909
			cp.pscan_rep_mode = ie->data.pscan_rep_mode;
6910
			cp.pscan_mode     = ie->data.pscan_mode;
6911
			cp.clock_offset   = ie->data.clock_offset |
6912
					    cpu_to_le16(0x8000);
6913
		}
6914

6915
		memcpy(conn->dev_class, ie->data.dev_class, 3);
6916
	}
6917

6918
	cp.pkt_type = cpu_to_le16(conn->pkt_type);
6919
	if (lmp_rswitch_capable(hdev) && !(hdev->link_mode & HCI_LM_MASTER))
6920
		cp.role_switch = 0x01;
6921
	else
6922
		cp.role_switch = 0x00;
6923

6924
	return __hci_cmd_sync_status_sk(hdev, HCI_OP_CREATE_CONN,
6925
					sizeof(cp), &cp,
6926
					HCI_EV_CONN_COMPLETE,
6927
					conn->conn_timeout, NULL);
6928
}
6929

6930
int hci_connect_acl_sync(struct hci_dev *hdev, struct hci_conn *conn)
6931
{
6932
	return hci_cmd_sync_queue_once(hdev, hci_acl_create_conn_sync, conn,
6933
				       NULL);
6934
}
6935

6936
static void create_le_conn_complete(struct hci_dev *hdev, void *data, int err)
6937
{
6938
	struct hci_conn *conn = data;
6939

6940
	bt_dev_dbg(hdev, "err %d", err);
6941

6942
	if (err == -ECANCELED)
6943
		return;
6944

6945
	hci_dev_lock(hdev);
6946

6947
	if (!hci_conn_valid(hdev, conn))
6948
		goto done;
6949

6950
	if (!err) {
6951
		hci_connect_le_scan_cleanup(conn, 0x00);
6952
		goto done;
6953
	}
6954

6955
	/* Check if connection is still pending */
6956
	if (conn != hci_lookup_le_connect(hdev))
6957
		goto done;
6958

6959
	/* Flush to make sure we send create conn cancel command if needed */
6960
	flush_delayed_work(&conn->le_conn_timeout);
6961
	hci_conn_failed(conn, bt_status(err));
6962

6963
done:
6964
	hci_dev_unlock(hdev);
6965
}
6966

6967
int hci_connect_le_sync(struct hci_dev *hdev, struct hci_conn *conn)
6968
{
6969
	return hci_cmd_sync_queue_once(hdev, hci_le_create_conn_sync, conn,
6970
				       create_le_conn_complete);
6971
}
6972

6973
int hci_cancel_connect_sync(struct hci_dev *hdev, struct hci_conn *conn)
6974
{
6975
	if (conn->state != BT_OPEN)
6976
		return -EINVAL;
6977

6978
	switch (conn->type) {
6979
	case ACL_LINK:
6980
		return !hci_cmd_sync_dequeue_once(hdev,
6981
						  hci_acl_create_conn_sync,
6982
						  conn, NULL);
6983
	case LE_LINK:
6984
		return !hci_cmd_sync_dequeue_once(hdev, hci_le_create_conn_sync,
6985
						  conn, create_le_conn_complete);
6986
	}
6987

6988
	return -ENOENT;
6989
}
6990

6991
int hci_le_conn_update_sync(struct hci_dev *hdev, struct hci_conn *conn,
6992
			    struct hci_conn_params *params)
6993
{
6994
	struct hci_cp_le_conn_update cp;
6995

6996
	memset(&cp, 0, sizeof(cp));
6997
	cp.handle		= cpu_to_le16(conn->handle);
6998
	cp.conn_interval_min	= cpu_to_le16(params->conn_min_interval);
6999
	cp.conn_interval_max	= cpu_to_le16(params->conn_max_interval);
7000
	cp.conn_latency		= cpu_to_le16(params->conn_latency);
7001
	cp.supervision_timeout	= cpu_to_le16(params->supervision_timeout);
7002
	cp.min_ce_len		= cpu_to_le16(0x0000);
7003
	cp.max_ce_len		= cpu_to_le16(0x0000);
7004

7005
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_CONN_UPDATE,
7006
				     sizeof(cp), &cp, HCI_CMD_TIMEOUT);
7007
}
7008

7009
static void create_pa_complete(struct hci_dev *hdev, void *data, int err)
7010
{
7011
	struct hci_conn *conn = data;
7012
	struct hci_conn *pa_sync;
7013

7014
	bt_dev_dbg(hdev, "err %d", err);
7015

7016
	if (err == -ECANCELED)
7017
		return;
7018

7019
	hci_dev_lock(hdev);
7020

7021
	if (hci_conn_valid(hdev, conn))
7022
		clear_bit(HCI_CONN_CREATE_PA_SYNC, &conn->flags);
7023

7024
	if (!err)
7025
		goto unlock;
7026

7027
	/* Add connection to indicate PA sync error */
7028
	pa_sync = hci_conn_add_unset(hdev, PA_LINK, BDADDR_ANY, 0,
7029
				     HCI_ROLE_SLAVE);
7030

7031
	if (IS_ERR(pa_sync))
7032
		goto unlock;
7033

7034
	set_bit(HCI_CONN_PA_SYNC_FAILED, &pa_sync->flags);
7035

7036
	/* Notify iso layer */
7037
	hci_connect_cfm(pa_sync, bt_status(err));
7038

7039
unlock:
7040
	hci_dev_unlock(hdev);
7041
}
7042

7043
static int hci_le_past_params_sync(struct hci_dev *hdev, struct hci_conn *conn,
7044
				   struct hci_conn *acl, struct bt_iso_qos *qos)
7045
{
7046
	struct hci_cp_le_past_params cp;
7047
	int err;
7048

7049
	memset(&cp, 0, sizeof(cp));
7050
	cp.handle = cpu_to_le16(acl->handle);
7051
	/* An HCI_LE_Periodic_Advertising_Sync_Transfer_Received event is sent
7052
	 * to the Host. HCI_LE_Periodic_Advertising_Report events will be
7053
	 * enabled with duplicate filtering enabled.
7054
	 */
7055
	cp.mode = 0x03;
7056
	cp.skip = cpu_to_le16(qos->bcast.skip);
7057
	cp.sync_timeout = cpu_to_le16(qos->bcast.sync_timeout);
7058
	cp.cte_type = qos->bcast.sync_cte_type;
7059

7060
	/* HCI_LE_PAST_PARAMS command returns a command complete event so it
7061
	 * cannot wait for HCI_EV_LE_PAST_RECEIVED.
7062
	 */
7063
	err = __hci_cmd_sync_status(hdev, HCI_OP_LE_PAST_PARAMS,
7064
				    sizeof(cp), &cp, HCI_CMD_TIMEOUT);
7065
	if (err)
7066
		return err;
7067

7068
	/* Wait for HCI_EV_LE_PAST_RECEIVED event */
7069
	return __hci_cmd_sync_status_sk(hdev, HCI_OP_NOP, 0, NULL,
7070
					HCI_EV_LE_PAST_RECEIVED,
7071
					conn->conn_timeout, NULL);
7072
}
7073

7074
static int hci_le_pa_create_sync(struct hci_dev *hdev, void *data)
7075
{
7076
	struct hci_cp_le_pa_create_sync cp;
7077
	struct hci_conn *conn = data, *le;
7078
	struct bt_iso_qos *qos = &conn->iso_qos;
7079
	int err;
7080

7081
	if (!hci_conn_valid(hdev, conn))
7082
		return -ECANCELED;
7083

7084
	if (conn->sync_handle != HCI_SYNC_HANDLE_INVALID)
7085
		return -EINVAL;
7086

7087
	if (hci_dev_test_and_set_flag(hdev, HCI_PA_SYNC))
7088
		return -EBUSY;
7089

7090
	/* Stop scanning if SID has not been set and active scanning is enabled
7091
	 * so we use passive scanning which will be scanning using the allow
7092
	 * list programmed to contain only the connection address.
7093
	 */
7094
	if (conn->sid == HCI_SID_INVALID &&
7095
	    hci_dev_test_flag(hdev, HCI_LE_SCAN)) {
7096
		hci_scan_disable_sync(hdev);
7097
		hci_dev_set_flag(hdev, HCI_LE_SCAN_INTERRUPTED);
7098
		hci_discovery_set_state(hdev, DISCOVERY_STOPPED);
7099
	}
7100

7101
	/* Mark HCI_CONN_CREATE_PA_SYNC so hci_update_passive_scan_sync can
7102
	 * program the address in the allow list so PA advertisements can be
7103
	 * received.
7104
	 */
7105
	set_bit(HCI_CONN_CREATE_PA_SYNC, &conn->flags);
7106

7107
	hci_update_passive_scan_sync(hdev);
7108

7109
	/* Check if PAST is possible:
7110
	 *
7111
	 * 1. Check if an ACL connection with the destination address exists
7112
	 * 2. Check if that HCI_CONN_FLAG_PAST has been set which indicates that
7113
	 *    user really intended to use PAST.
7114
	 */
7115
	le = hci_conn_hash_lookup_le(hdev, &conn->dst, conn->dst_type);
7116
	if (le) {
7117
		struct hci_conn_params *params;
7118

7119
		params = hci_conn_params_lookup(hdev, &le->dst, le->dst_type);
7120
		if (params && params->flags & HCI_CONN_FLAG_PAST) {
7121
			err = hci_le_past_params_sync(hdev, conn, le, qos);
7122
			if (!err)
7123
				goto done;
7124
		}
7125
	}
7126

7127
	/* SID has not been set listen for HCI_EV_LE_EXT_ADV_REPORT to update
7128
	 * it.
7129
	 */
7130
	if (conn->sid == HCI_SID_INVALID) {
7131
		err = __hci_cmd_sync_status_sk(hdev, HCI_OP_NOP, 0, NULL,
7132
					       HCI_EV_LE_EXT_ADV_REPORT,
7133
					       conn->conn_timeout, NULL);
7134
		if (err == -ETIMEDOUT)
7135
			goto done;
7136
	}
7137

7138
	memset(&cp, 0, sizeof(cp));
7139
	cp.options = qos->bcast.options;
7140
	cp.sid = conn->sid;
7141
	cp.addr_type = conn->dst_type;
7142
	bacpy(&cp.addr, &conn->dst);
7143
	cp.skip = cpu_to_le16(qos->bcast.skip);
7144
	cp.sync_timeout = cpu_to_le16(qos->bcast.sync_timeout);
7145
	cp.sync_cte_type = qos->bcast.sync_cte_type;
7146

7147
	/* The spec allows only one pending LE Periodic Advertising Create
7148
	 * Sync command at a time so we forcefully wait for PA Sync Established
7149
	 * event since cmd_work can only schedule one command at a time.
7150
	 *
7151
	 * BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 4, Part E
7152
	 * page 2493:
7153
	 *
7154
	 * If the Host issues this command when another HCI_LE_Periodic_
7155
	 * Advertising_Create_Sync command is pending, the Controller shall
7156
	 * return the error code Command Disallowed (0x0C).
7157
	 */
7158
	err = __hci_cmd_sync_status_sk(hdev, HCI_OP_LE_PA_CREATE_SYNC,
7159
				       sizeof(cp), &cp,
7160
				       HCI_EV_LE_PA_SYNC_ESTABLISHED,
7161
				       conn->conn_timeout, NULL);
7162
	if (err == -ETIMEDOUT)
7163
		__hci_cmd_sync_status(hdev, HCI_OP_LE_PA_CREATE_SYNC_CANCEL,
7164
				      0, NULL, HCI_CMD_TIMEOUT);
7165

7166
done:
7167
	hci_dev_clear_flag(hdev, HCI_PA_SYNC);
7168

7169
	/* Update passive scan since HCI_PA_SYNC flag has been cleared */
7170
	hci_update_passive_scan_sync(hdev);
7171

7172
	return err;
7173
}
7174

7175
int hci_connect_pa_sync(struct hci_dev *hdev, struct hci_conn *conn)
7176
{
7177
	return hci_cmd_sync_queue_once(hdev, hci_le_pa_create_sync, conn,
7178
				       create_pa_complete);
7179
}
7180

7181
static void create_big_complete(struct hci_dev *hdev, void *data, int err)
7182
{
7183
	struct hci_conn *conn = data;
7184

7185
	bt_dev_dbg(hdev, "err %d", err);
7186

7187
	if (err == -ECANCELED)
7188
		return;
7189

7190
	if (hci_conn_valid(hdev, conn))
7191
		clear_bit(HCI_CONN_CREATE_BIG_SYNC, &conn->flags);
7192
}
7193

7194
static int hci_le_big_create_sync(struct hci_dev *hdev, void *data)
7195
{
7196
	DEFINE_FLEX(struct hci_cp_le_big_create_sync, cp, bis, num_bis, 0x11);
7197
	struct hci_conn *conn = data;
7198
	struct bt_iso_qos *qos = &conn->iso_qos;
7199
	int err;
7200

7201
	if (!hci_conn_valid(hdev, conn))
7202
		return -ECANCELED;
7203

7204
	set_bit(HCI_CONN_CREATE_BIG_SYNC, &conn->flags);
7205

7206
	memset(cp, 0, sizeof(*cp));
7207
	cp->handle = qos->bcast.big;
7208
	cp->sync_handle = cpu_to_le16(conn->sync_handle);
7209
	cp->encryption = qos->bcast.encryption;
7210
	memcpy(cp->bcode, qos->bcast.bcode, sizeof(cp->bcode));
7211
	cp->mse = qos->bcast.mse;
7212
	cp->timeout = cpu_to_le16(qos->bcast.timeout);
7213
	cp->num_bis = conn->num_bis;
7214
	memcpy(cp->bis, conn->bis, conn->num_bis);
7215

7216
	/* The spec allows only one pending LE BIG Create Sync command at
7217
	 * a time, so we forcefully wait for BIG Sync Established event since
7218
	 * cmd_work can only schedule one command at a time.
7219
	 *
7220
	 * BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 4, Part E
7221
	 * page 2586:
7222
	 *
7223
	 * If the Host sends this command when the Controller is in the
7224
	 * process of synchronizing to any BIG, i.e. the HCI_LE_BIG_Sync_
7225
	 * Established event has not been generated, the Controller shall
7226
	 * return the error code Command Disallowed (0x0C).
7227
	 */
7228
	err = __hci_cmd_sync_status_sk(hdev, HCI_OP_LE_BIG_CREATE_SYNC,
7229
				       struct_size(cp, bis, cp->num_bis), cp,
7230
				       HCI_EVT_LE_BIG_SYNC_ESTABLISHED,
7231
				       conn->conn_timeout, NULL);
7232
	if (err == -ETIMEDOUT)
7233
		hci_le_big_terminate_sync(hdev, cp->handle);
7234

7235
	return err;
7236
}
7237

7238
int hci_connect_big_sync(struct hci_dev *hdev, struct hci_conn *conn)
7239
{
7240
	return hci_cmd_sync_queue_once(hdev, hci_le_big_create_sync, conn,
7241
				       create_big_complete);
7242
}
7243

7244
struct past_data {
7245
	struct hci_conn *conn;
7246
	struct hci_conn *le;
7247
};
7248

7249
static void past_complete(struct hci_dev *hdev, void *data, int err)
7250
{
7251
	struct past_data *past = data;
7252

7253
	bt_dev_dbg(hdev, "err %d", err);
7254

7255
	kfree(past);
7256
}
7257

7258
static int hci_le_past_set_info_sync(struct hci_dev *hdev, void *data)
7259
{
7260
	struct past_data *past = data;
7261
	struct hci_cp_le_past_set_info cp;
7262

7263
	hci_dev_lock(hdev);
7264

7265
	if (!hci_conn_valid(hdev, past->conn) ||
7266
	    !hci_conn_valid(hdev, past->le)) {
7267
		hci_dev_unlock(hdev);
7268
		return -ECANCELED;
7269
	}
7270

7271
	memset(&cp, 0, sizeof(cp));
7272
	cp.handle = cpu_to_le16(past->le->handle);
7273
	cp.adv_handle = past->conn->iso_qos.bcast.bis;
7274

7275
	hci_dev_unlock(hdev);
7276

7277
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_PAST_SET_INFO,
7278
				     sizeof(cp), &cp, HCI_CMD_TIMEOUT);
7279
}
7280

7281
static int hci_le_past_sync(struct hci_dev *hdev, void *data)
7282
{
7283
	struct past_data *past = data;
7284
	struct hci_cp_le_past cp;
7285

7286
	hci_dev_lock(hdev);
7287

7288
	if (!hci_conn_valid(hdev, past->conn) ||
7289
	    !hci_conn_valid(hdev, past->le)) {
7290
		hci_dev_unlock(hdev);
7291
		return -ECANCELED;
7292
	}
7293

7294
	memset(&cp, 0, sizeof(cp));
7295
	cp.handle = cpu_to_le16(past->le->handle);
7296
	cp.sync_handle = cpu_to_le16(past->conn->sync_handle);
7297

7298
	hci_dev_unlock(hdev);
7299

7300
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_PAST,
7301
				     sizeof(cp), &cp, HCI_CMD_TIMEOUT);
7302
}
7303

7304
int hci_past_sync(struct hci_conn *conn, struct hci_conn *le)
7305
{
7306
	struct past_data *data;
7307
	int err;
7308

7309
	if (conn->type != BIS_LINK && conn->type != PA_LINK)
7310
		return -EINVAL;
7311

7312
	if (!past_sender_capable(conn->hdev))
7313
		return -EOPNOTSUPP;
7314

7315
	data = kmalloc(sizeof(*data), GFP_KERNEL);
7316
	if (!data)
7317
		return -ENOMEM;
7318

7319
	data->conn = conn;
7320
	data->le = le;
7321

7322
	if (conn->role == HCI_ROLE_MASTER)
7323
		err = hci_cmd_sync_queue_once(conn->hdev,
7324
					      hci_le_past_set_info_sync, data,
7325
					      past_complete);
7326
	else
7327
		err = hci_cmd_sync_queue_once(conn->hdev, hci_le_past_sync,
7328
					      data, past_complete);
7329

7330
	if (err)
7331
		kfree(data);
7332

7333
	return err;
7334
}
7335

7336
static void le_read_features_complete(struct hci_dev *hdev, void *data, int err)
7337
{
7338
	struct hci_conn *conn = data;
7339

7340
	bt_dev_dbg(hdev, "err %d", err);
7341

7342
	if (err == -ECANCELED)
7343
		return;
7344

7345
	hci_conn_drop(conn);
7346
}
7347

7348
static int hci_le_read_all_remote_features_sync(struct hci_dev *hdev,
7349
						void *data)
7350
{
7351
	struct hci_conn *conn = data;
7352
	struct hci_cp_le_read_all_remote_features cp;
7353

7354
	memset(&cp, 0, sizeof(cp));
7355
	cp.handle = cpu_to_le16(conn->handle);
7356
	cp.pages = 10; /* Attempt to read all pages */
7357

7358
	/* Wait for HCI_EVT_LE_ALL_REMOTE_FEATURES_COMPLETE event otherwise
7359
	 * hci_conn_drop may run prematurely causing a disconnection.
7360
	 */
7361
	return __hci_cmd_sync_status_sk(hdev,
7362
					HCI_OP_LE_READ_ALL_REMOTE_FEATURES,
7363
					sizeof(cp), &cp,
7364
					HCI_EVT_LE_ALL_REMOTE_FEATURES_COMPLETE,
7365
					HCI_CMD_TIMEOUT, NULL);
7366

7367
	return __hci_cmd_sync_status(hdev, HCI_OP_LE_READ_ALL_REMOTE_FEATURES,
7368
				     sizeof(cp), &cp, HCI_CMD_TIMEOUT);
7369
}
7370

7371
static int hci_le_read_remote_features_sync(struct hci_dev *hdev, void *data)
7372
{
7373
	struct hci_conn *conn = data;
7374
	struct hci_cp_le_read_remote_features cp;
7375

7376
	if (!hci_conn_valid(hdev, conn))
7377
		return -ECANCELED;
7378

7379
	/* Check if LL Extended Feature Set is supported and
7380
	 * HCI_OP_LE_READ_ALL_REMOTE_FEATURES is supported then use that to read
7381
	 * all features.
7382
	 */
7383
	if (ll_ext_feature_capable(hdev) && hdev->commands[47] & BIT(3))
7384
		return hci_le_read_all_remote_features_sync(hdev, data);
7385

7386
	memset(&cp, 0, sizeof(cp));
7387
	cp.handle = cpu_to_le16(conn->handle);
7388

7389
	/* Wait for HCI_EV_LE_REMOTE_FEAT_COMPLETE event otherwise
7390
	 * hci_conn_drop may run prematurely causing a disconnection.
7391
	 */
7392
	return __hci_cmd_sync_status_sk(hdev, HCI_OP_LE_READ_REMOTE_FEATURES,
7393
					sizeof(cp), &cp,
7394
					HCI_EV_LE_REMOTE_FEAT_COMPLETE,
7395
					HCI_CMD_TIMEOUT, NULL);
7396
}
7397

7398
int hci_le_read_remote_features(struct hci_conn *conn)
7399
{
7400
	struct hci_dev *hdev = conn->hdev;
7401
	int err;
7402

7403
	/* The remote features procedure is defined for central
7404
	 * role only. So only in case of an initiated connection
7405
	 * request the remote features.
7406
	 *
7407
	 * If the local controller supports peripheral-initiated features
7408
	 * exchange, then requesting the remote features in peripheral
7409
	 * role is possible. Otherwise just transition into the
7410
	 * connected state without requesting the remote features.
7411
	 */
7412
	if (conn->out || (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES))
7413
		err = hci_cmd_sync_queue_once(hdev,
7414
					      hci_le_read_remote_features_sync,
7415
					      hci_conn_hold(conn),
7416
					      le_read_features_complete);
7417
	else
7418
		err = -EOPNOTSUPP;
7419

7420
	return err;
7421
}
7422

7423