tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Merge tag 'for-net-2025-11-11' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth

Luiz Augusto von Dentz says:

====================
bluetooth pull request for net:

- hci_conn: Fix not cleaning up PA_LINK connections
- hci_event: Fix not handling PA Sync Lost event
- MGMT: cancel mesh send timer when hdev removed
- 6lowpan: reset link-local header on ipv6 recv path
- 6lowpan: fix BDADDR_LE vs ADDR_LE_DEV address type confusion
- L2CAP: export l2cap_chan_hold for modules
- 6lowpan: Don't hold spin lock over sleeping functions
- 6lowpan: add missing l2cap_chan_lock()
- btusb: reorder cleanup in btusb_disconnect to avoid UAF
- btrtl: Avoid loading the config file on security chips

* tag 'for-net-2025-11-11' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth:
Bluetooth: btrtl: Avoid loading the config file on security chips
Bluetooth: hci_event: Fix not handling PA Sync Lost event
Bluetooth: hci_conn: Fix not cleaning up PA_LINK connections
Bluetooth: 6lowpan: add missing l2cap_chan_lock()
Bluetooth: 6lowpan: Don't hold spin lock over sleeping functions
Bluetooth: L2CAP: export l2cap_chan_hold for modules
Bluetooth: 6lowpan: fix BDADDR_LE vs ADDR_LE_DEV address type confusion
Bluetooth: 6lowpan: reset link-local header on ipv6 recv path
Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF
Bluetooth: MGMT: cancel mesh send timer when hdev removed
====================

Link: https://patch.msgid.link/20251111141357.1983153-1-luiz.dentz@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Jakub Kicinski 27bcc05b bb8336a5

+161 -85
+13 -11
drivers/bluetooth/btrtl.c
··· 50 50 51 51 #define RTL_CHIP_SUBVER (&(struct rtl_vendor_cmd) {{0x10, 0x38, 0x04, 0x28, 0x80}}) 52 52 #define RTL_CHIP_REV (&(struct rtl_vendor_cmd) {{0x10, 0x3A, 0x04, 0x28, 0x80}}) 53 - #define RTL_SEC_PROJ (&(struct rtl_vendor_cmd) {{0x10, 0xA4, 0x0D, 0x00, 0xb0}}) 53 + #define RTL_SEC_PROJ (&(struct rtl_vendor_cmd) {{0x10, 0xA4, 0xAD, 0x00, 0xb0}}) 54 54 55 55 #define RTL_PATCH_SNIPPETS 0x01 56 56 #define RTL_PATCH_DUMMY_HEADER 0x02 ··· 534 534 { 535 535 struct rtl_epatch_header_v2 *hdr; 536 536 int rc; 537 - u8 reg_val[2]; 538 537 u8 key_id; 539 538 u32 num_sections; 540 539 struct rtl_section *section; ··· 548 549 .len = btrtl_dev->fw_len - 7, /* Cut the tail */ 549 550 }; 550 551 551 - rc = btrtl_vendor_read_reg16(hdev, RTL_SEC_PROJ, reg_val); 552 - if (rc < 0) 553 - return -EIO; 554 - key_id = reg_val[0]; 555 - 556 - rtl_dev_dbg(hdev, "%s: key id %u", __func__, key_id); 557 - 558 - btrtl_dev->key_id = key_id; 552 + key_id = btrtl_dev->key_id; 559 553 560 554 hdr = rtl_iov_pull_data(&iov, sizeof(*hdr)); 561 555 if (!hdr) ··· 1062 1070 u16 hci_rev, lmp_subver; 1063 1071 u8 hci_ver, lmp_ver, chip_type = 0; 1064 1072 int ret; 1073 + int rc; 1074 + u8 key_id; 1065 1075 u8 reg_val[2]; 1066 1076 1067 1077 btrtl_dev = kzalloc(sizeof(*btrtl_dev), GFP_KERNEL); ··· 1174 1180 goto err_free; 1175 1181 } 1176 1182 1183 + rc = btrtl_vendor_read_reg16(hdev, RTL_SEC_PROJ, reg_val); 1184 + if (rc < 0) 1185 + goto err_free; 1186 + 1187 + key_id = reg_val[0]; 1188 + btrtl_dev->key_id = key_id; 1189 + rtl_dev_info(hdev, "%s: key id %u", __func__, key_id); 1190 + 1177 1191 btrtl_dev->fw_len = -EIO; 1178 1192 if (lmp_subver == RTL_ROM_LMP_8852A && hci_rev == 0x000c) { 1179 1193 snprintf(fw_name, sizeof(fw_name), "%s_v2.bin", ··· 1204 1202 goto err_free; 1205 1203 } 1206 1204 1207 - if (btrtl_dev->ic_info->cfg_name) { 1205 + if (btrtl_dev->ic_info->cfg_name && !btrtl_dev->key_id) { 1208 1206 if (postfix) { 1209 1207 snprintf(cfg_name, sizeof(cfg_name), "%s-%s.bin", 1210 1208 btrtl_dev->ic_info->cfg_name, postfix);
+6 -7
drivers/bluetooth/btusb.c
··· 4361 4361 4362 4362 hci_unregister_dev(hdev); 4363 4363 4364 + if (data->oob_wake_irq) 4365 + device_init_wakeup(&data->udev->dev, false); 4366 + if (data->reset_gpio) 4367 + gpiod_put(data->reset_gpio); 4368 + 4364 4369 if (intf == data->intf) { 4365 4370 if (data->isoc) 4366 4371 usb_driver_release_interface(&btusb_driver, data->isoc); ··· 4376 4371 usb_driver_release_interface(&btusb_driver, data->diag); 4377 4372 usb_driver_release_interface(&btusb_driver, data->intf); 4378 4373 } else if (intf == data->diag) { 4379 - usb_driver_release_interface(&btusb_driver, data->intf); 4380 4374 if (data->isoc) 4381 4375 usb_driver_release_interface(&btusb_driver, data->isoc); 4376 + usb_driver_release_interface(&btusb_driver, data->intf); 4382 4377 } 4383 - 4384 - if (data->oob_wake_irq) 4385 - device_init_wakeup(&data->udev->dev, false); 4386 - 4387 - if (data->reset_gpio) 4388 - gpiod_put(data->reset_gpio); 4389 4378 4390 4379 hci_free_dev(hdev); 4391 4380 }
+5
include/net/bluetooth/hci.h
··· 2783 2783 __u8 data[]; 2784 2784 } __packed; 2785 2785 2786 + #define HCI_EV_LE_PA_SYNC_LOST 0x10 2787 + struct hci_ev_le_pa_sync_lost { 2788 + __le16 handle; 2789 + } __packed; 2790 + 2786 2791 #define LE_PA_DATA_COMPLETE 0x00 2787 2792 #define LE_PA_DATA_MORE_TO_COME 0x01 2788 2793 #define LE_PA_DATA_TRUNCATED 0x02
+79 -32
net/bluetooth/6lowpan.c
··· 53 53 static struct l2cap_chan *listen_chan; 54 54 static DEFINE_MUTEX(set_lock); 55 55 56 + enum { 57 + LOWPAN_PEER_CLOSING, 58 + LOWPAN_PEER_MAXBITS 59 + }; 60 + 56 61 struct lowpan_peer { 57 62 struct list_head list; 58 63 struct rcu_head rcu; ··· 66 61 /* peer addresses in various formats */ 67 62 unsigned char lladdr[ETH_ALEN]; 68 63 struct in6_addr peer_addr; 64 + 65 + DECLARE_BITMAP(flags, LOWPAN_PEER_MAXBITS); 69 66 }; 70 67 71 68 struct lowpan_btle_dev { ··· 296 289 local_skb->pkt_type = PACKET_HOST; 297 290 local_skb->dev = dev; 298 291 292 + skb_reset_mac_header(local_skb); 299 293 skb_set_transport_header(local_skb, sizeof(struct ipv6hdr)); 300 294 301 295 if (give_skb_to_upper(local_skb, dev) != NET_RX_SUCCESS) { ··· 927 919 928 920 BT_DBG("peer %p chan %p", peer, peer->chan); 929 921 922 + l2cap_chan_lock(peer->chan); 930 923 l2cap_chan_close(peer->chan, ENOENT); 924 + l2cap_chan_unlock(peer->chan); 931 925 932 926 return 0; 933 927 } ··· 966 956 } 967 957 968 958 static int get_l2cap_conn(char *buf, bdaddr_t *addr, u8 *addr_type, 969 - struct l2cap_conn **conn) 959 + struct l2cap_conn **conn, bool disconnect) 970 960 { 971 961 struct hci_conn *hcon; 972 962 struct hci_dev *hdev; 963 + int le_addr_type; 973 964 int n; 974 965 975 966 n = sscanf(buf, "%hhx:%hhx:%hhx:%hhx:%hhx:%hhx %hhu", ··· 981 970 if (n < 7) 982 971 return -EINVAL; 983 972 973 + if (disconnect) { 974 + /* The "disconnect" debugfs command has used different address 975 + * type constants than "connect" since 2015. Let's retain that 976 + * for now even though it's obviously buggy... 977 + */ 978 + *addr_type += 1; 979 + } 980 + 981 + switch (*addr_type) { 982 + case BDADDR_LE_PUBLIC: 983 + le_addr_type = ADDR_LE_DEV_PUBLIC; 984 + break; 985 + case BDADDR_LE_RANDOM: 986 + le_addr_type = ADDR_LE_DEV_RANDOM; 987 + break; 988 + default: 989 + return -EINVAL; 990 + } 991 + 984 992 /* The LE_PUBLIC address type is ignored because of BDADDR_ANY */ 985 993 hdev = hci_get_route(addr, BDADDR_ANY, BDADDR_LE_PUBLIC); 986 994 if (!hdev) 987 995 return -ENOENT; 988 996 989 997 hci_dev_lock(hdev); 990 - hcon = hci_conn_hash_lookup_le(hdev, addr, *addr_type); 998 + hcon = hci_conn_hash_lookup_le(hdev, addr, le_addr_type); 991 999 hci_dev_unlock(hdev); 992 1000 hci_dev_put(hdev); 993 1001 ··· 1023 993 static void disconnect_all_peers(void) 1024 994 { 1025 995 struct lowpan_btle_dev *entry; 1026 - struct lowpan_peer *peer, *tmp_peer, *new_peer; 1027 - struct list_head peers; 996 + struct lowpan_peer *peer; 997 + int nchans; 1028 998 1029 - INIT_LIST_HEAD(&peers); 1030 - 1031 - /* We make a separate list of peers as the close_cb() will 1032 - * modify the device peers list so it is better not to mess 1033 - * with the same list at the same time. 999 + /* l2cap_chan_close() cannot be called from RCU, and lock ordering 1000 + * chan->lock > devices_lock prevents taking write side lock, so copy 1001 + * then close. 1034 1002 */ 1035 1003 1036 1004 rcu_read_lock(); 1037 - 1038 - list_for_each_entry_rcu(entry, &bt_6lowpan_devices, list) { 1039 - list_for_each_entry_rcu(peer, &entry->peers, list) { 1040 - new_peer = kmalloc(sizeof(*new_peer), GFP_ATOMIC); 1041 - if (!new_peer) 1042 - break; 1043 - 1044 - new_peer->chan = peer->chan; 1045 - INIT_LIST_HEAD(&new_peer->list); 1046 - 1047 - list_add(&new_peer->list, &peers); 1048 - } 1049 - } 1050 - 1005 + list_for_each_entry_rcu(entry, &bt_6lowpan_devices, list) 1006 + list_for_each_entry_rcu(peer, &entry->peers, list) 1007 + clear_bit(LOWPAN_PEER_CLOSING, peer->flags); 1051 1008 rcu_read_unlock(); 1052 1009 1053 - spin_lock(&devices_lock); 1054 - list_for_each_entry_safe(peer, tmp_peer, &peers, list) { 1055 - l2cap_chan_close(peer->chan, ENOENT); 1010 + do { 1011 + struct l2cap_chan *chans[32]; 1012 + int i; 1056 1013 1057 - list_del_rcu(&peer->list); 1058 - kfree_rcu(peer, rcu); 1059 - } 1060 - spin_unlock(&devices_lock); 1014 + nchans = 0; 1015 + 1016 + spin_lock(&devices_lock); 1017 + 1018 + list_for_each_entry_rcu(entry, &bt_6lowpan_devices, list) { 1019 + list_for_each_entry_rcu(peer, &entry->peers, list) { 1020 + if (test_and_set_bit(LOWPAN_PEER_CLOSING, 1021 + peer->flags)) 1022 + continue; 1023 + 1024 + l2cap_chan_hold(peer->chan); 1025 + chans[nchans++] = peer->chan; 1026 + 1027 + if (nchans >= ARRAY_SIZE(chans)) 1028 + goto done; 1029 + } 1030 + } 1031 + 1032 + done: 1033 + spin_unlock(&devices_lock); 1034 + 1035 + for (i = 0; i < nchans; ++i) { 1036 + l2cap_chan_lock(chans[i]); 1037 + l2cap_chan_close(chans[i], ENOENT); 1038 + l2cap_chan_unlock(chans[i]); 1039 + l2cap_chan_put(chans[i]); 1040 + } 1041 + } while (nchans); 1061 1042 } 1062 1043 1063 1044 struct set_enable { ··· 1091 1050 1092 1051 mutex_lock(&set_lock); 1093 1052 if (listen_chan) { 1053 + l2cap_chan_lock(listen_chan); 1094 1054 l2cap_chan_close(listen_chan, 0); 1055 + l2cap_chan_unlock(listen_chan); 1095 1056 l2cap_chan_put(listen_chan); 1096 1057 } 1097 1058 ··· 1146 1103 buf[buf_size] = '\0'; 1147 1104 1148 1105 if (memcmp(buf, "connect ", 8) == 0) { 1149 - ret = get_l2cap_conn(&buf[8], &addr, &addr_type, &conn); 1106 + ret = get_l2cap_conn(&buf[8], &addr, &addr_type, &conn, false); 1150 1107 if (ret == -EINVAL) 1151 1108 return ret; 1152 1109 1153 1110 mutex_lock(&set_lock); 1154 1111 if (listen_chan) { 1112 + l2cap_chan_lock(listen_chan); 1155 1113 l2cap_chan_close(listen_chan, 0); 1114 + l2cap_chan_unlock(listen_chan); 1156 1115 l2cap_chan_put(listen_chan); 1157 1116 listen_chan = NULL; 1158 1117 } ··· 1185 1140 } 1186 1141 1187 1142 if (memcmp(buf, "disconnect ", 11) == 0) { 1188 - ret = get_l2cap_conn(&buf[11], &addr, &addr_type, &conn); 1143 + ret = get_l2cap_conn(&buf[11], &addr, &addr_type, &conn, true); 1189 1144 if (ret < 0) 1190 1145 return ret; 1191 1146 ··· 1316 1271 debugfs_remove(lowpan_control_debugfs); 1317 1272 1318 1273 if (listen_chan) { 1274 + l2cap_chan_lock(listen_chan); 1319 1275 l2cap_chan_close(listen_chan, 0); 1276 + l2cap_chan_unlock(listen_chan); 1320 1277 l2cap_chan_put(listen_chan); 1321 1278 } 1322 1279
+19 -14
net/bluetooth/hci_conn.c
··· 769 769 d->count++; 770 770 } 771 771 772 - static int hci_le_big_terminate(struct hci_dev *hdev, u8 big, struct hci_conn *conn) 772 + static int hci_le_big_terminate(struct hci_dev *hdev, struct hci_conn *conn) 773 773 { 774 774 struct iso_list_data *d; 775 775 int ret; 776 776 777 - bt_dev_dbg(hdev, "big 0x%2.2x sync_handle 0x%4.4x", big, conn->sync_handle); 777 + bt_dev_dbg(hdev, "hcon %p big 0x%2.2x sync_handle 0x%4.4x", conn, 778 + conn->iso_qos.bcast.big, conn->sync_handle); 778 779 779 780 d = kzalloc(sizeof(*d), GFP_KERNEL); 780 781 if (!d) 781 782 return -ENOMEM; 782 783 783 - d->big = big; 784 + d->big = conn->iso_qos.bcast.big; 784 785 d->sync_handle = conn->sync_handle; 785 786 786 - if (test_and_clear_bit(HCI_CONN_PA_SYNC, &conn->flags)) { 787 + if (conn->type == PA_LINK && 788 + test_and_clear_bit(HCI_CONN_PA_SYNC, &conn->flags)) { 787 789 hci_conn_hash_list_flag(hdev, find_bis, PA_LINK, 788 790 HCI_CONN_PA_SYNC, d); 789 791 ··· 802 800 if (!d->count) 803 801 d->big_sync_term = true; 804 802 } 803 + 804 + if (!d->pa_sync_term && !d->big_sync_term) 805 + return 0; 805 806 806 807 ret = hci_cmd_sync_queue(hdev, big_terminate_sync, d, 807 808 terminate_big_destroy); ··· 857 852 858 853 hci_le_terminate_big(hdev, conn); 859 854 } else { 860 - hci_le_big_terminate(hdev, conn->iso_qos.bcast.big, 861 - conn); 855 + hci_le_big_terminate(hdev, conn); 862 856 } 863 857 } 864 858 ··· 998 994 conn->mtu = hdev->le_mtu ? hdev->le_mtu : hdev->acl_mtu; 999 995 break; 1000 996 case CIS_LINK: 1001 - case BIS_LINK: 1002 - case PA_LINK: 1003 997 /* conn->src should reflect the local identity address */ 1004 998 hci_copy_identity_address(hdev, &conn->src, &conn->src_type); 1005 999 1006 - /* set proper cleanup function */ 1007 - if (!bacmp(dst, BDADDR_ANY)) 1008 - conn->cleanup = bis_cleanup; 1009 - else if (conn->role == HCI_ROLE_MASTER) 1000 + if (conn->role == HCI_ROLE_MASTER) 1010 1001 conn->cleanup = cis_cleanup; 1011 1002 1012 - conn->mtu = hdev->iso_mtu ? hdev->iso_mtu : 1013 - hdev->le_mtu ? hdev->le_mtu : hdev->acl_mtu; 1003 + conn->mtu = hdev->iso_mtu; 1004 + break; 1005 + case PA_LINK: 1006 + case BIS_LINK: 1007 + /* conn->src should reflect the local identity address */ 1008 + hci_copy_identity_address(hdev, &conn->src, &conn->src_type); 1009 + conn->cleanup = bis_cleanup; 1010 + conn->mtu = hdev->iso_mtu; 1014 1011 break; 1015 1012 case SCO_LINK: 1016 1013 if (lmp_esco_capable(hdev))
+36 -20
net/bluetooth/hci_event.c
··· 5843 5843 le16_to_cpu(ev->supervision_timeout)); 5844 5844 } 5845 5845 5846 + static void hci_le_pa_sync_lost_evt(struct hci_dev *hdev, void *data, 5847 + struct sk_buff *skb) 5848 + { 5849 + struct hci_ev_le_pa_sync_lost *ev = data; 5850 + u16 handle = le16_to_cpu(ev->handle); 5851 + struct hci_conn *conn; 5852 + 5853 + bt_dev_dbg(hdev, "sync handle 0x%4.4x", handle); 5854 + 5855 + hci_dev_lock(hdev); 5856 + 5857 + /* Delete the pa sync connection */ 5858 + conn = hci_conn_hash_lookup_pa_sync_handle(hdev, handle); 5859 + if (conn) { 5860 + clear_bit(HCI_CONN_BIG_SYNC, &conn->flags); 5861 + clear_bit(HCI_CONN_PA_SYNC, &conn->flags); 5862 + hci_disconn_cfm(conn, HCI_ERROR_REMOTE_USER_TERM); 5863 + hci_conn_del(conn); 5864 + } 5865 + 5866 + hci_dev_unlock(hdev); 5867 + } 5868 + 5846 5869 static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, void *data, 5847 5870 struct sk_buff *skb) 5848 5871 { ··· 7024 7001 continue; 7025 7002 } 7026 7003 7027 - if (ev->status != 0x42) { 7004 + if (ev->status != 0x42) 7028 7005 /* Mark PA sync as established */ 7029 7006 set_bit(HCI_CONN_PA_SYNC, &bis->flags); 7030 - /* Reset cleanup callback of PA Sync so it doesn't 7031 - * terminate the sync when deleting the connection. 7032 - */ 7033 - conn->cleanup = NULL; 7034 - } 7035 7007 7036 7008 bis->sync_handle = conn->sync_handle; 7037 7009 bis->iso_qos.bcast.big = ev->handle; ··· 7069 7051 struct sk_buff *skb) 7070 7052 { 7071 7053 struct hci_evt_le_big_sync_lost *ev = data; 7072 - struct hci_conn *bis, *conn; 7073 - bool mgmt_conn; 7054 + struct hci_conn *bis; 7055 + bool mgmt_conn = false; 7074 7056 7075 7057 bt_dev_dbg(hdev, "big handle 0x%2.2x", ev->handle); 7076 7058 7077 7059 hci_dev_lock(hdev); 7078 7060 7079 - /* Delete the pa sync connection */ 7080 - bis = hci_conn_hash_lookup_pa_sync_big_handle(hdev, ev->handle); 7081 - if (bis) { 7082 - conn = hci_conn_hash_lookup_pa_sync_handle(hdev, 7083 - bis->sync_handle); 7084 - if (conn) 7085 - hci_conn_del(conn); 7086 - } 7087 - 7088 7061 /* Delete each bis connection */ 7089 7062 while ((bis = hci_conn_hash_lookup_big_state(hdev, ev->handle, 7090 7063 BT_CONNECTED, 7091 7064 HCI_ROLE_SLAVE))) { 7092 - mgmt_conn = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, &bis->flags); 7093 - mgmt_device_disconnected(hdev, &bis->dst, bis->type, bis->dst_type, 7094 - ev->reason, mgmt_conn); 7065 + if (!mgmt_conn) { 7066 + mgmt_conn = test_and_clear_bit(HCI_CONN_MGMT_CONNECTED, 7067 + &bis->flags); 7068 + mgmt_device_disconnected(hdev, &bis->dst, bis->type, 7069 + bis->dst_type, ev->reason, 7070 + mgmt_conn); 7071 + } 7095 7072 7096 7073 clear_bit(HCI_CONN_BIG_SYNC, &bis->flags); 7097 7074 hci_disconn_cfm(bis, ev->reason); ··· 7200 7187 hci_le_per_adv_report_evt, 7201 7188 sizeof(struct hci_ev_le_per_adv_report), 7202 7189 HCI_MAX_EVENT_SIZE), 7190 + /* [0x10 = HCI_EV_LE_PA_SYNC_LOST] */ 7191 + HCI_LE_EV(HCI_EV_LE_PA_SYNC_LOST, hci_le_pa_sync_lost_evt, 7192 + sizeof(struct hci_ev_le_pa_sync_lost)), 7203 7193 /* [0x12 = HCI_EV_LE_EXT_ADV_SET_TERM] */ 7204 7194 HCI_LE_EV(HCI_EV_LE_EXT_ADV_SET_TERM, hci_le_ext_adv_term_evt, 7205 7195 sizeof(struct hci_evt_le_ext_adv_set_term)),
+1 -1
net/bluetooth/hci_sync.c
··· 6999 6999 7000 7000 hci_dev_lock(hdev); 7001 7001 7002 - if (!hci_conn_valid(hdev, conn)) 7002 + if (hci_conn_valid(hdev, conn)) 7003 7003 clear_bit(HCI_CONN_CREATE_PA_SYNC, &conn->flags); 7004 7004 7005 7005 if (!err)
+1
net/bluetooth/l2cap_core.c
··· 497 497 498 498 kref_get(&c->kref); 499 499 } 500 + EXPORT_SYMBOL_GPL(l2cap_chan_hold); 500 501 501 502 struct l2cap_chan *l2cap_chan_hold_unless_zero(struct l2cap_chan *c) 502 503 {
+1
net/bluetooth/mgmt.c
··· 9497 9497 cancel_delayed_work_sync(&hdev->discov_off); 9498 9498 cancel_delayed_work_sync(&hdev->service_cache); 9499 9499 cancel_delayed_work_sync(&hdev->rpa_expired); 9500 + cancel_delayed_work_sync(&hdev->mesh_send_done); 9500 9501 } 9501 9502 9502 9503 void mgmt_power_on(struct hci_dev *hdev, int err)