LXR linux/net/bluetooth/hci

   1/*
   2   BlueZ - Bluetooth protocol stack for Linux
   3   Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
   4
   5   Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
   6
   7   This program is free software; you can redistribute it and/or modify
   8   it under the terms of the GNU General Public License version 2 as
   9   published by the Free Software Foundation;
  10
  11   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
  12   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  13   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
  14   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
  15   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
  16   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  17   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  18   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  19
  20   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
  21   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
  22   SOFTWARE IS DISCLAIMED.
  23*/
  24
  25/* Bluetooth HCI connection handling. */
  26
  27#include <linux/export.h>
  28#include <linux/debugfs.h>
  29
  30#include <net/bluetooth/bluetooth.h>
  31#include <net/bluetooth/hci_core.h>
  32#include <net/bluetooth/l2cap.h>
  33
  34#include "hci_request.h"
  35#include "smp.h"
  36#include "a2mp.h"
  37
  38struct sco_param {
  39        u16 pkt_type;
  40        u16 max_latency;
  41        u8  retrans_effort;
  42};
  43
  44static const struct sco_param esco_param_cvsd[] = {
  45        { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000a,   0x01 }, /* S3 */
  46        { EDR_ESCO_MASK & ~ESCO_2EV3, 0x0007,   0x01 }, /* S2 */
  47        { EDR_ESCO_MASK | ESCO_EV3,   0x0007,   0x01 }, /* S1 */
  48        { EDR_ESCO_MASK | ESCO_HV3,   0xffff,   0x01 }, /* D1 */
  49        { EDR_ESCO_MASK | ESCO_HV1,   0xffff,   0x01 }, /* D0 */
  50};
  51
  52static const struct sco_param sco_param_cvsd[] = {
  53        { EDR_ESCO_MASK | ESCO_HV3,   0xffff,   0xff }, /* D1 */
  54        { EDR_ESCO_MASK | ESCO_HV1,   0xffff,   0xff }, /* D0 */
  55};
  56
  57static const struct sco_param esco_param_msbc[] = {
  58        { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000d,   0x02 }, /* T2 */
  59        { EDR_ESCO_MASK | ESCO_EV3,   0x0008,   0x02 }, /* T1 */
  60};
  61
  62/* This function requires the caller holds hdev->lock */
  63static void hci_connect_le_scan_cleanup(struct hci_conn *conn)
  64{
  65        struct hci_conn_params *params;
  66        struct hci_dev *hdev = conn->hdev;
  67        struct smp_irk *irk;
  68        bdaddr_t *bdaddr;
  69        u8 bdaddr_type;
  70
  71        bdaddr = &conn->dst;
  72        bdaddr_type = conn->dst_type;
  73
  74        /* Check if we need to convert to identity address */
  75        irk = hci_get_irk(hdev, bdaddr, bdaddr_type);
  76        if (irk) {
  77                bdaddr = &irk->bdaddr;
  78                bdaddr_type = irk->addr_type;
  79        }
  80
  81        params = hci_pend_le_action_lookup(&hdev->pend_le_conns, bdaddr,
  82                                           bdaddr_type);
  83        if (!params || !params->explicit_connect)
  84                return;
  85
  86        /* The connection attempt was doing scan for new RPA, and is
  87         * in scan phase. If params are not associated with any other
  88         * autoconnect action, remove them completely. If they are, just unmark
  89         * them as waiting for connection, by clearing explicit_connect field.
  90         */
  91        params->explicit_connect = false;
  92
  93        list_del_init(&params->action);
  94
  95        switch (params->auto_connect) {
  96        case HCI_AUTO_CONN_EXPLICIT:
  97                hci_conn_params_del(hdev, bdaddr, bdaddr_type);
  98                /* return instead of break to avoid duplicate scan update */
  99                return;
 100        case HCI_AUTO_CONN_DIRECT:
 101        case HCI_AUTO_CONN_ALWAYS:
 102                list_add(&params->action, &hdev->pend_le_conns);
 103                break;
 104        case HCI_AUTO_CONN_REPORT:
 105                list_add(&params->action, &hdev->pend_le_reports);
 106                break;
 107        default:
 108                break;
 109        }
 110
 111        hci_update_background_scan(hdev);
 112}
 113
 114static void hci_conn_cleanup(struct hci_conn *conn)
 115{
 116        struct hci_dev *hdev = conn->hdev;
 117
 118        if (test_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags))
 119                hci_conn_params_del(conn->hdev, &conn->dst, conn->dst_type);
 120
 121        hci_chan_list_flush(conn);
 122
 123        hci_conn_hash_del(hdev, conn);
 124
 125        if (hdev->notify)
 126                hdev->notify(hdev, HCI_NOTIFY_CONN_DEL);
 127
 128        hci_conn_del_sysfs(conn);
 129
 130        debugfs_remove_recursive(conn->debugfs);
 131
 132        hci_dev_put(hdev);
 133
 134        hci_conn_put(conn);
 135}
 136
 137static void le_scan_cleanup(struct work_struct *work)
 138{
 139        struct hci_conn *conn = container_of(work, struct hci_conn,
 140                                             le_scan_cleanup);
 141        struct hci_dev *hdev = conn->hdev;
 142        struct hci_conn *c = NULL;
 143
 144        BT_DBG("%s hcon %p", hdev->name, conn);
 145
 146        hci_dev_lock(hdev);
 147
 148        /* Check that the hci_conn is still around */
 149        rcu_read_lock();
 150        list_for_each_entry_rcu(c, &hdev->conn_hash.list, list) {
 151                if (c == conn)
 152                        break;
 153        }
 154        rcu_read_unlock();
 155
 156        if (c == conn) {
 157                hci_connect_le_scan_cleanup(conn);
 158                hci_conn_cleanup(conn);
 159        }
 160
 161        hci_dev_unlock(hdev);
 162        hci_dev_put(hdev);
 163        hci_conn_put(conn);
 164}
 165
 166static void hci_connect_le_scan_remove(struct hci_conn *conn)
 167{
 168        BT_DBG("%s hcon %p", conn->hdev->name, conn);
 169
 170        /* We can't call hci_conn_del/hci_conn_cleanup here since that
 171         * could deadlock with another hci_conn_del() call that's holding
 172         * hci_dev_lock and doing cancel_delayed_work_sync(&conn->disc_work).
 173         * Instead, grab temporary extra references to the hci_dev and
 174         * hci_conn and perform the necessary cleanup in a separate work
 175         * callback.
 176         */
 177
 178        hci_dev_hold(conn->hdev);
 179        hci_conn_get(conn);
 180
 181        /* Even though we hold a reference to the hdev, many other
 182         * things might get cleaned up meanwhile, including the hdev's
 183         * own workqueue, so we can't use that for scheduling.
 184         */
 185        schedule_work(&conn->le_scan_cleanup);
 186}
 187
 188static void hci_acl_create_connection(struct hci_conn *conn)
 189{
 190        struct hci_dev *hdev = conn->hdev;
 191        struct inquiry_entry *ie;
 192        struct hci_cp_create_conn cp;
 193
 194        BT_DBG("hcon %p", conn);
 195
 196        conn->state = BT_CONNECT;
 197        conn->out = true;
 198        conn->role = HCI_ROLE_MASTER;
 199
 200        conn->attempt++;
 201
 202        conn->link_policy = hdev->link_policy;
 203
 204        memset(&cp, 0, sizeof(cp));
 205        bacpy(&cp.bdaddr, &conn->dst);
 206        cp.pscan_rep_mode = 0x02;
 207
 208        ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
 209        if (ie) {
 210                if (inquiry_entry_age(ie) <= INQUIRY_ENTRY_AGE_MAX) {
 211                        cp.pscan_rep_mode = ie->data.pscan_rep_mode;
 212                        cp.pscan_mode     = ie->data.pscan_mode;
 213                        cp.clock_offset   = ie->data.clock_offset |
 214                                            cpu_to_le16(0x8000);
 215                }
 216
 217                memcpy(conn->dev_class, ie->data.dev_class, 3);
 218                if (ie->data.ssp_mode > 0)
 219                        set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
 220        }
 221
 222        cp.pkt_type = cpu_to_le16(conn->pkt_type);
 223        if (lmp_rswitch_capable(hdev) && !(hdev->link_mode & HCI_LM_MASTER))
 224                cp.role_switch = 0x01;
 225        else
 226                cp.role_switch = 0x00;
 227
 228        hci_send_cmd(hdev, HCI_OP_CREATE_CONN, sizeof(cp), &cp);
 229}
 230
 231int hci_disconnect(struct hci_conn *conn, __u8 reason)
 232{
 233        BT_DBG("hcon %p", conn);
 234
 235        /* When we are master of an established connection and it enters
 236         * the disconnect timeout, then go ahead and try to read the
 237         * current clock offset.  Processing of the result is done
 238         * within the event handling and hci_clock_offset_evt function.
 239         */
 240        if (conn->type == ACL_LINK && conn->role == HCI_ROLE_MASTER &&
 241            (conn->state == BT_CONNECTED || conn->state == BT_CONFIG)) {
 242                struct hci_dev *hdev = conn->hdev;
 243                struct hci_cp_read_clock_offset clkoff_cp;
 244
 245                clkoff_cp.handle = cpu_to_le16(conn->handle);
 246                hci_send_cmd(hdev, HCI_OP_READ_CLOCK_OFFSET, sizeof(clkoff_cp),
 247                             &clkoff_cp);
 248        }
 249
 250        return hci_abort_conn(conn, reason);
 251}
 252
 253static void hci_add_sco(struct hci_conn *conn, __u16 handle)
 254{
 255        struct hci_dev *hdev = conn->hdev;
 256        struct hci_cp_add_sco cp;
 257
 258        BT_DBG("hcon %p", conn);
 259
 260        conn->state = BT_CONNECT;
 261        conn->out = true;
 262
 263        conn->attempt++;
 264
 265        cp.handle   = cpu_to_le16(handle);
 266        cp.pkt_type = cpu_to_le16(conn->pkt_type);
 267
 268        hci_send_cmd(hdev, HCI_OP_ADD_SCO, sizeof(cp), &cp);
 269}
 270
 271bool hci_setup_sync(struct hci_conn *conn, __u16 handle)
 272{
 273        struct hci_dev *hdev = conn->hdev;
 274        struct hci_cp_setup_sync_conn cp;
 275        const struct sco_param *param;
 276
 277        BT_DBG("hcon %p", conn);
 278
 279        conn->state = BT_CONNECT;
 280        conn->out = true;
 281
 282        conn->attempt++;
 283
 284        cp.handle   = cpu_to_le16(handle);
 285
 286        cp.tx_bandwidth   = cpu_to_le32(0x00001f40);
 287        cp.rx_bandwidth   = cpu_to_le32(0x00001f40);
 288        cp.voice_setting  = cpu_to_le16(conn->setting);
 289
 290        switch (conn->setting & SCO_AIRMODE_MASK) {
 291        case SCO_AIRMODE_TRANSP:
 292                if (conn->attempt > ARRAY_SIZE(esco_param_msbc))
 293                        return false;
 294                param = &esco_param_msbc[conn->attempt - 1];
 295                break;
 296        case SCO_AIRMODE_CVSD:
 297                if (lmp_esco_capable(conn->link)) {
 298                        if (conn->attempt > ARRAY_SIZE(esco_param_cvsd))
 299                                return false;
 300                        param = &esco_param_cvsd[conn->attempt - 1];
 301                } else {
 302                        if (conn->attempt > ARRAY_SIZE(sco_param_cvsd))
 303                                return false;
 304                        param = &sco_param_cvsd[conn->attempt - 1];
 305                }
 306                break;
 307        default:
 308                return false;
 309        }
 310
 311        cp.retrans_effort = param->retrans_effort;
 312        cp.pkt_type = __cpu_to_le16(param->pkt_type);
 313        cp.max_latency = __cpu_to_le16(param->max_latency);
 314
 315        if (hci_send_cmd(hdev, HCI_OP_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0)
 316                return false;
 317
 318        return true;
 319}
 320
 321u8 hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max, u16 latency,
 322                      u16 to_multiplier)
 323{
 324        struct hci_dev *hdev = conn->hdev;
 325        struct hci_conn_params *params;
 326        struct hci_cp_le_conn_update cp;
 327
 328        hci_dev_lock(hdev);
 329
 330        params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
 331        if (params) {
 332                params->conn_min_interval = min;
 333                params->conn_max_interval = max;
 334                params->conn_latency = latency;
 335                params->supervision_timeout = to_multiplier;
 336        }
 337
 338        hci_dev_unlock(hdev);
 339
 340        memset(&cp, 0, sizeof(cp));
 341        cp.handle               = cpu_to_le16(conn->handle);
 342        cp.conn_interval_min    = cpu_to_le16(min);
 343        cp.conn_interval_max    = cpu_to_le16(max);
 344        cp.conn_latency         = cpu_to_le16(latency);
 345        cp.supervision_timeout  = cpu_to_le16(to_multiplier);
 346        cp.min_ce_len           = cpu_to_le16(0x0000);
 347        cp.max_ce_len           = cpu_to_le16(0x0000);
 348
 349        hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp);
 350
 351        if (params)
 352                return 0x01;
 353
 354        return 0x00;
 355}
 356
 357void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __le64 rand,
 358                      __u8 ltk[16], __u8 key_size)
 359{
 360        struct hci_dev *hdev = conn->hdev;
 361        struct hci_cp_le_start_enc cp;
 362
 363        BT_DBG("hcon %p", conn);
 364
 365        memset(&cp, 0, sizeof(cp));
 366
 367        cp.handle = cpu_to_le16(conn->handle);
 368        cp.rand = rand;
 369        cp.ediv = ediv;
 370        memcpy(cp.ltk, ltk, key_size);
 371
 372        hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp);
 373}
 374
 375/* Device _must_ be locked */
 376void hci_sco_setup(struct hci_conn *conn, __u8 status)
 377{
 378        struct hci_conn *sco = conn->link;
 379
 380        if (!sco)
 381                return;
 382
 383        BT_DBG("hcon %p", conn);
 384
 385        if (!status) {
 386                if (lmp_esco_capable(conn->hdev))
 387                        hci_setup_sync(sco, conn->handle);
 388                else
 389                        hci_add_sco(sco, conn->handle);
 390        } else {
 391                hci_connect_cfm(sco, status);
 392                hci_conn_del(sco);
 393        }
 394}
 395
 396static void hci_conn_timeout(struct work_struct *work)
 397{
 398        struct hci_conn *conn = container_of(work, struct hci_conn,
 399                                             disc_work.work);
 400        int refcnt = atomic_read(&conn->refcnt);
 401
 402        BT_DBG("hcon %p state %s", conn, state_to_string(conn->state));
 403
 404        WARN_ON(refcnt < 0);
 405
 406        /* FIXME: It was observed that in pairing failed scenario, refcnt
 407         * drops below 0. Probably this is because l2cap_conn_del calls
 408         * l2cap_chan_del for each channel, and inside l2cap_chan_del conn is
 409         * dropped. After that loop hci_chan_del is called which also drops
 410         * conn. For now make sure that ACL is alive if refcnt is higher then 0,
 411         * otherwise drop it.
 412         */
 413        if (refcnt > 0)
 414                return;
 415
 416        /* LE connections in scanning state need special handling */
 417        if (conn->state == BT_CONNECT && conn->type == LE_LINK &&
 418            test_bit(HCI_CONN_SCANNING, &conn->flags)) {
 419                hci_connect_le_scan_remove(conn);
 420                return;
 421        }
 422
 423        hci_abort_conn(conn, hci_proto_disconn_ind(conn));
 424}
 425
 426/* Enter sniff mode */
 427static void hci_conn_idle(struct work_struct *work)
 428{
 429        struct hci_conn *conn = container_of(work, struct hci_conn,
 430                                             idle_work.work);
 431        struct hci_dev *hdev = conn->hdev;
 432
 433        BT_DBG("hcon %p mode %d", conn, conn->mode);
 434
 435        if (!lmp_sniff_capable(hdev) || !lmp_sniff_capable(conn))
 436                return;
 437
 438        if (conn->mode != HCI_CM_ACTIVE || !(conn->link_policy & HCI_LP_SNIFF))
 439                return;
 440
 441        if (lmp_sniffsubr_capable(hdev) && lmp_sniffsubr_capable(conn)) {
 442                struct hci_cp_sniff_subrate cp;
 443                cp.handle             = cpu_to_le16(conn->handle);
 444                cp.max_latency        = cpu_to_le16(0);
 445                cp.min_remote_timeout = cpu_to_le16(0);
 446                cp.min_local_timeout  = cpu_to_le16(0);
 447                hci_send_cmd(hdev, HCI_OP_SNIFF_SUBRATE, sizeof(cp), &cp);
 448        }
 449
 450        if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
 451                struct hci_cp_sniff_mode cp;
 452                cp.handle       = cpu_to_le16(conn->handle);
 453                cp.max_interval = cpu_to_le16(hdev->sniff_max_interval);
 454                cp.min_interval = cpu_to_le16(hdev->sniff_min_interval);
 455                cp.attempt      = cpu_to_le16(4);
 456                cp.timeout      = cpu_to_le16(1);
 457                hci_send_cmd(hdev, HCI_OP_SNIFF_MODE, sizeof(cp), &cp);
 458        }
 459}
 460
 461static void hci_conn_auto_accept(struct work_struct *work)
 462{
 463        struct hci_conn *conn = container_of(work, struct hci_conn,
 464                                             auto_accept_work.work);
 465
 466        hci_send_cmd(conn->hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst),
 467                     &conn->dst);
 468}
 469
 470static void le_conn_timeout(struct work_struct *work)
 471{
 472        struct hci_conn *conn = container_of(work, struct hci_conn,
 473                                             le_conn_timeout.work);
 474        struct hci_dev *hdev = conn->hdev;
 475
 476        BT_DBG("");
 477
 478        /* We could end up here due to having done directed advertising,
 479         * so clean up the state if necessary. This should however only
 480         * happen with broken hardware or if low duty cycle was used
 481         * (which doesn't have a timeout of its own).
 482         */
 483        if (conn->role == HCI_ROLE_SLAVE) {
 484                u8 enable = 0x00;
 485                hci_send_cmd(hdev, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable),
 486                             &enable);
 487                hci_le_conn_failed(conn, HCI_ERROR_ADVERTISING_TIMEOUT);
 488                return;
 489        }
 490
 491        hci_abort_conn(conn, HCI_ERROR_REMOTE_USER_TERM);
 492}
 493
 494struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst,
 495                              u8 role)
 496{
 497        struct hci_conn *conn;
 498
 499        BT_DBG("%s dst %pMR", hdev->name, dst);
 500
 501        conn = kzalloc(sizeof(*conn), GFP_KERNEL);
 502        if (!conn)
 503                return NULL;
 504
 505        bacpy(&conn->dst, dst);
 506        bacpy(&conn->src, &hdev->bdaddr);
 507        conn->hdev  = hdev;
 508        conn->type  = type;
 509        conn->role  = role;
 510        conn->mode  = HCI_CM_ACTIVE;
 511        conn->state = BT_OPEN;
 512        conn->auth_type = HCI_AT_GENERAL_BONDING;
 513        conn->io_capability = hdev->io_capability;
 514        conn->remote_auth = 0xff;
 515        conn->key_type = 0xff;
 516        conn->rssi = HCI_RSSI_INVALID;
 517        conn->tx_power = HCI_TX_POWER_INVALID;
 518        conn->max_tx_power = HCI_TX_POWER_INVALID;
 519
 520        set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
 521        conn->disc_timeout = HCI_DISCONN_TIMEOUT;
 522
 523        if (conn->role == HCI_ROLE_MASTER)
 524                conn->out = true;
 525
 526        switch (type) {
 527        case ACL_LINK:
 528                conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK;
 529                break;
 530        case LE_LINK:
 531                /* conn->src should reflect the local identity address */
 532                hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
 533                break;
 534        case SCO_LINK:
 535                if (lmp_esco_capable(hdev))
 536                        conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
 537                                        (hdev->esco_type & EDR_ESCO_MASK);
 538                else
 539                        conn->pkt_type = hdev->pkt_type & SCO_PTYPE_MASK;
 540                break;
 541        case ESCO_LINK:
 542                conn->pkt_type = hdev->esco_type & ~EDR_ESCO_MASK;
 543                break;
 544        }
 545
 546        skb_queue_head_init(&conn->data_q);
 547
 548        INIT_LIST_HEAD(&conn->chan_list);
 549
 550        INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout);
 551        INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept);
 552        INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle);
 553        INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout);
 554        INIT_WORK(&conn->le_scan_cleanup, le_scan_cleanup);
 555
 556        atomic_set(&conn->refcnt, 0);
 557
 558        hci_dev_hold(hdev);
 559
 560        hci_conn_hash_add(hdev, conn);
 561        if (hdev->notify)
 562                hdev->notify(hdev, HCI_NOTIFY_CONN_ADD);
 563
 564        hci_conn_init_sysfs(conn);
 565
 566        return conn;
 567}
 568
 569int hci_conn_del(struct hci_conn *conn)
 570{
 571        struct hci_dev *hdev = conn->hdev;
 572
 573        BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle);
 574
 575        cancel_delayed_work_sync(&conn->disc_work);
 576        cancel_delayed_work_sync(&conn->auto_accept_work);
 577        cancel_delayed_work_sync(&conn->idle_work);
 578
 579        if (conn->type == ACL_LINK) {
 580                struct hci_conn *sco = conn->link;
 581                if (sco)
 582                        sco->link = NULL;
 583
 584                /* Unacked frames */
 585                hdev->acl_cnt += conn->sent;
 586        } else if (conn->type == LE_LINK) {
 587                cancel_delayed_work(&conn->le_conn_timeout);
 588
 589                if (hdev->le_pkts)
 590                        hdev->le_cnt += conn->sent;
 591                else
 592                        hdev->acl_cnt += conn->sent;
 593        } else {
 594                struct hci_conn *acl = conn->link;
 595                if (acl) {
 596                        acl->link = NULL;
 597                        hci_conn_drop(acl);
 598                }
 599        }
 600
 601        if (conn->amp_mgr)
 602                amp_mgr_put(conn->amp_mgr);
 603
 604        skb_queue_purge(&conn->data_q);
 605
 606        /* Remove the connection from the list and cleanup its remaining
 607         * state. This is a separate function since for some cases like
 608         * BT_CONNECT_SCAN we *only* want the cleanup part without the
 609         * rest of hci_conn_del.
 610         */
 611        hci_conn_cleanup(conn);
 612
 613        return 0;
 614}
 615
 616struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src, uint8_t src_type)
 617{
 618        int use_src = bacmp(src, BDADDR_ANY);
 619        struct hci_dev *hdev = NULL, *d;
 620
 621        BT_DBG("%pMR -> %pMR", src, dst);
 622
 623        read_lock(&hci_dev_list_lock);
 624
 625        list_for_each_entry(d, &hci_dev_list, list) {
 626                if (!test_bit(HCI_UP, &d->flags) ||
 627                    hci_dev_test_flag(d, HCI_USER_CHANNEL) ||
 628                    d->dev_type != HCI_PRIMARY)
 629                        continue;
 630
 631                /* Simple routing:
 632                 *   No source address - find interface with bdaddr != dst
 633                 *   Source address    - find interface with bdaddr == src
 634                 */
 635
 636                if (use_src) {
 637                        bdaddr_t id_addr;
 638                        u8 id_addr_type;
 639
 640                        if (src_type == BDADDR_BREDR) {
 641                                if (!lmp_bredr_capable(d))
 642                                        continue;
 643                                bacpy(&id_addr, &d->bdaddr);
 644                                id_addr_type = BDADDR_BREDR;
 645                        } else {
 646                                if (!lmp_le_capable(d))
 647                                        continue;
 648
 649                                hci_copy_identity_address(d, &id_addr,
 650                                                          &id_addr_type);
 651
 652                                /* Convert from HCI to three-value type */
 653                                if (id_addr_type == ADDR_LE_DEV_PUBLIC)
 654                                        id_addr_type = BDADDR_LE_PUBLIC;
 655                                else
 656                                        id_addr_type = BDADDR_LE_RANDOM;
 657                        }
 658
 659                        if (!bacmp(&id_addr, src) && id_addr_type == src_type) {
 660                                hdev = d; break;
 661                        }
 662                } else {
 663                        if (bacmp(&d->bdaddr, dst)) {
 664                                hdev = d; break;
 665                        }
 666                }
 667        }
 668
 669        if (hdev)
 670                hdev = hci_dev_hold(hdev);
 671
 672        read_unlock(&hci_dev_list_lock);
 673        return hdev;
 674}
 675EXPORT_SYMBOL(hci_get_route);
 676
 677/* This function requires the caller holds hdev->lock */
 678void hci_le_conn_failed(struct hci_conn *conn, u8 status)
 679{
 680        struct hci_dev *hdev = conn->hdev;
 681        struct hci_conn_params *params;
 682
 683        params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
 684                                           conn->dst_type);
 685        if (params && params->conn) {
 686                hci_conn_drop(params->conn);
 687                hci_conn_put(params->conn);
 688                params->conn = NULL;
 689        }
 690
 691        conn->state = BT_CLOSED;
 692
 693        /* If the status indicates successful cancellation of
 694         * the attempt (i.e. Unkown Connection Id) there's no point of
 695         * notifying failure since we'll go back to keep trying to
 696         * connect. The only exception is explicit connect requests
 697         * where a timeout + cancel does indicate an actual failure.
 698         */
 699        if (status != HCI_ERROR_UNKNOWN_CONN_ID ||
 700            (params && params->explicit_connect))
 701                mgmt_connect_failed(hdev, &conn->dst, conn->type,
 702                                    conn->dst_type, status);
 703
 704        hci_connect_cfm(conn, status);
 705
 706        hci_conn_del(conn);
 707
 708        /* Since we may have temporarily stopped the background scanning in
 709         * favor of connection establishment, we should restart it.
 710         */
 711        hci_update_background_scan(hdev);
 712
 713        /* Re-enable advertising in case this was a failed connection
 714         * attempt as a peripheral.
 715         */
 716        hci_req_reenable_advertising(hdev);
 717}
 718
 719static void create_le_conn_complete(struct hci_dev *hdev, u8 status, u16 opcode)
 720{
 721        struct hci_conn *conn;
 722
 723        hci_dev_lock(hdev);
 724
 725        conn = hci_lookup_le_connect(hdev);
 726
 727        if (!status) {
 728                hci_connect_le_scan_cleanup(conn);
 729                goto done;
 730        }
 731
 732        bt_dev_err(hdev, "request failed to create LE connection: "
 733                   "status 0x%2.2x", status);
 734
 735        if (!conn)
 736                goto done;
 737
 738        hci_le_conn_failed(conn, status);
 739
 740done:
 741        hci_dev_unlock(hdev);
 742}
 743
 744static bool conn_use_rpa(struct hci_conn *conn)
 745{
 746        struct hci_dev *hdev = conn->hdev;
 747
 748        return hci_dev_test_flag(hdev, HCI_PRIVACY);
 749}
 750
 751static void hci_req_add_le_create_conn(struct hci_request *req,
 752                                       struct hci_conn *conn,
 753                                       bdaddr_t *direct_rpa)
 754{
 755        struct hci_cp_le_create_conn cp;
 756        struct hci_dev *hdev = conn->hdev;
 757        u8 own_addr_type;
 758
 759        /* If direct address was provided we use it instead of current
 760         * address.
 761         */
 762        if (direct_rpa) {
 763                if (bacmp(&req->hdev->random_addr, direct_rpa))
 764                        hci_req_add(req, HCI_OP_LE_SET_RANDOM_ADDR, 6,
 765                                                                direct_rpa);
 766
 767                /* direct address is always RPA */
 768                own_addr_type = ADDR_LE_DEV_RANDOM;
 769        } else {
 770                /* Update random address, but set require_privacy to false so
 771                 * that we never connect with an non-resolvable address.
 772                 */
 773                if (hci_update_random_address(req, false, conn_use_rpa(conn),
 774                                              &own_addr_type))
 775                        return;
 776        }
 777
 778        memset(&cp, 0, sizeof(cp));
 779
 780        /* Set window to be the same value as the interval to enable
 781         * continuous scanning.
 782         */
 783        cp.scan_interval = cpu_to_le16(hdev->le_scan_interval);
 784        cp.scan_window = cp.scan_interval;
 785
 786        bacpy(&cp.peer_addr, &conn->dst);
 787        cp.peer_addr_type = conn->dst_type;
 788        cp.own_address_type = own_addr_type;
 789        cp.conn_interval_min = cpu_to_le16(conn->le_conn_min_interval);
 790        cp.conn_interval_max = cpu_to_le16(conn->le_conn_max_interval);
 791        cp.conn_latency = cpu_to_le16(conn->le_conn_latency);
 792        cp.supervision_timeout = cpu_to_le16(conn->le_supv_timeout);
 793        cp.min_ce_len = cpu_to_le16(0x0000);
 794        cp.max_ce_len = cpu_to_le16(0x0000);
 795
 796        hci_req_add(req, HCI_OP_LE_CREATE_CONN, sizeof(cp), &cp);
 797
 798        conn->state = BT_CONNECT;
 799        clear_bit(HCI_CONN_SCANNING, &conn->flags);
 800}
 801
 802static void hci_req_directed_advertising(struct hci_request *req,
 803                                         struct hci_conn *conn)
 804{
 805        struct hci_dev *hdev = req->hdev;
 806        struct hci_cp_le_set_adv_param cp;
 807        u8 own_addr_type;
 808        u8 enable;
 809
 810        /* Clear the HCI_LE_ADV bit temporarily so that the
 811         * hci_update_random_address knows that it's safe to go ahead
 812         * and write a new random address. The flag will be set back on
 813         * as soon as the SET_ADV_ENABLE HCI command completes.
 814         */
 815        hci_dev_clear_flag(hdev, HCI_LE_ADV);
 816
 817        /* Set require_privacy to false so that the remote device has a
 818         * chance of identifying us.
 819         */
 820        if (hci_update_random_address(req, false, conn_use_rpa(conn),
 821                                      &own_addr_type) < 0)
 822                return;
 823
 824        memset(&cp, 0, sizeof(cp));
 825        cp.type = LE_ADV_DIRECT_IND;
 826        cp.own_address_type = own_addr_type;
 827        cp.direct_addr_type = conn->dst_type;
 828        bacpy(&cp.direct_addr, &conn->dst);
 829        cp.channel_map = hdev->le_adv_channel_map;
 830
 831        hci_req_add(req, HCI_OP_LE_SET_ADV_PARAM, sizeof(cp), &cp);
 832
 833        enable = 0x01;
 834        hci_req_add(req, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable), &enable);
 835
 836        conn->state = BT_CONNECT;
 837}
 838
 839struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
 840                                u8 dst_type, u8 sec_level, u16 conn_timeout,
 841                                u8 role, bdaddr_t *direct_rpa)
 842{
 843        struct hci_conn_params *params;
 844        struct hci_conn *conn;
 845        struct smp_irk *irk;
 846        struct hci_request req;
 847        int err;
 848
 849        /* Let's make sure that le is enabled.*/
 850        if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
 851                if (lmp_le_capable(hdev))
 852                        return ERR_PTR(-ECONNREFUSED);
 853
 854                return ERR_PTR(-EOPNOTSUPP);
 855        }
 856
 857        /* Since the controller supports only one LE connection attempt at a
 858         * time, we return -EBUSY if there is any connection attempt running.
 859         */
 860        if (hci_lookup_le_connect(hdev))
 861                return ERR_PTR(-EBUSY);
 862
 863        /* If there's already a connection object but it's not in
 864         * scanning state it means it must already be established, in
 865         * which case we can't do anything else except report a failure
 866         * to connect.
 867         */
 868        conn = hci_conn_hash_lookup_le(hdev, dst, dst_type);
 869        if (conn && !test_bit(HCI_CONN_SCANNING, &conn->flags)) {
 870                return ERR_PTR(-EBUSY);
 871        }
 872
 873        /* When given an identity address with existing identity
 874         * resolving key, the connection needs to be established
 875         * to a resolvable random address.
 876         *
 877         * Storing the resolvable random address is required here
 878         * to handle connection failures. The address will later
 879         * be resolved back into the original identity address
 880         * from the connect request.
 881         */
 882        irk = hci_find_irk_by_addr(hdev, dst, dst_type);
 883        if (irk && bacmp(&irk->rpa, BDADDR_ANY)) {
 884                dst = &irk->rpa;
 885                dst_type = ADDR_LE_DEV_RANDOM;
 886        }
 887
 888        if (conn) {
 889                bacpy(&conn->dst, dst);
 890        } else {
 891                conn = hci_conn_add(hdev, LE_LINK, dst, role);
 892                if (!conn)
 893                        return ERR_PTR(-ENOMEM);
 894                hci_conn_hold(conn);
 895                conn->pending_sec_level = sec_level;
 896        }
 897
 898        conn->dst_type = dst_type;
 899        conn->sec_level = BT_SECURITY_LOW;
 900        conn->conn_timeout = conn_timeout;
 901
 902        hci_req_init(&req, hdev);
 903
 904        /* Disable advertising if we're active. For master role
 905         * connections most controllers will refuse to connect if
 906         * advertising is enabled, and for slave role connections we
 907         * anyway have to disable it in order to start directed
 908         * advertising.
 909         */
 910        if (hci_dev_test_flag(hdev, HCI_LE_ADV)) {
 911                u8 enable = 0x00;
 912                hci_req_add(&req, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable),
 913                            &enable);
 914        }
 915
 916        /* If requested to connect as slave use directed advertising */
 917        if (conn->role == HCI_ROLE_SLAVE) {
 918                /* If we're active scanning most controllers are unable
 919                 * to initiate advertising. Simply reject the attempt.
 920                 */
 921                if (hci_dev_test_flag(hdev, HCI_LE_SCAN) &&
 922                    hdev->le_scan_type == LE_SCAN_ACTIVE) {
 923                        hci_req_purge(&req);
 924                        hci_conn_del(conn);
 925                        return ERR_PTR(-EBUSY);
 926                }
 927
 928                hci_req_directed_advertising(&req, conn);
 929                goto create_conn;
 930        }
 931
 932        params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
 933        if (params) {
 934                conn->le_conn_min_interval = params->conn_min_interval;
 935                conn->le_conn_max_interval = params->conn_max_interval;
 936                conn->le_conn_latency = params->conn_latency;
 937                conn->le_supv_timeout = params->supervision_timeout;
 938        } else {
 939                conn->le_conn_min_interval = hdev->le_conn_min_interval;
 940                conn->le_conn_max_interval = hdev->le_conn_max_interval;
 941                conn->le_conn_latency = hdev->le_conn_latency;
 942                conn->le_supv_timeout = hdev->le_supv_timeout;
 943        }
 944
 945        /* If controller is scanning, we stop it since some controllers are
 946         * not able to scan and connect at the same time. Also set the
 947         * HCI_LE_SCAN_INTERRUPTED flag so that the command complete
 948         * handler for scan disabling knows to set the correct discovery
 949         * state.
 950         */
 951        if (hci_dev_test_flag(hdev, HCI_LE_SCAN)) {
 952                hci_req_add_le_scan_disable(&req);
 953                hci_dev_set_flag(hdev, HCI_LE_SCAN_INTERRUPTED);
 954        }
 955
 956        hci_req_add_le_create_conn(&req, conn, direct_rpa);
 957
 958create_conn:
 959        err = hci_req_run(&req, create_le_conn_complete);
 960        if (err) {
 961                hci_conn_del(conn);
 962                return ERR_PTR(err);
 963        }
 964
 965        return conn;
 966}
 967
 968static bool is_connected(struct hci_dev *hdev, bdaddr_t *addr, u8 type)
 969{
 970        struct hci_conn *conn;
 971
 972        conn = hci_conn_hash_lookup_le(hdev, addr, type);
 973        if (!conn)
 974                return false;
 975
 976        if (conn->state != BT_CONNECTED)
 977                return false;
 978
 979        return true;
 980}
 981
 982/* This function requires the caller holds hdev->lock */
 983static int hci_explicit_conn_params_set(struct hci_dev *hdev,
 984                                        bdaddr_t *addr, u8 addr_type)
 985{
 986        struct hci_conn_params *params;
 987
 988        if (is_connected(hdev, addr, addr_type))
 989                return -EISCONN;
 990
 991        params = hci_conn_params_lookup(hdev, addr, addr_type);
 992        if (!params) {
 993                params = hci_conn_params_add(hdev, addr, addr_type);
 994                if (!params)
 995                        return -ENOMEM;
 996
 997                /* If we created new params, mark them to be deleted in
 998                 * hci_connect_le_scan_cleanup. It's different case than
 999                 * existing disabled params, those will stay after cleanup.
1000                 */

1001                params->auto_connect = HCI_AUTO_CONN_EXPLICIT;
1002        }
1003
1004        /* We're trying to connect, so make sure params are at pend_le_conns */
1005        if (params->auto_connect == HCI_AUTO_CONN_DISABLED ||
1006            params->auto_connect == HCI_AUTO_CONN_REPORT ||
1007            params->auto_connect == HCI_AUTO_CONN_EXPLICIT) {
1008                list_del_init(&params->action);
1009                list_add(&params->action, &hdev->pend_le_conns);
1010        }
1011
1012        params->explicit_connect = true;
1013
1014        BT_DBG("addr %pMR (type %u) auto_connect %u", addr, addr_type,
1015               params->auto_connect);
1016
1017        return 0;
1018}
1019
1020/* This function requires the caller holds hdev->lock */
1021struct hci_conn *hci_connect_le_scan(struct hci_dev *hdev, bdaddr_t *dst,
1022                                     u8 dst_type, u8 sec_level,
1023                                     u16 conn_timeout)
1024{
1025        struct hci_conn *conn;
1026
1027        /* Let's make sure that le is enabled.*/
1028        if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) {
1029                if (lmp_le_capable(hdev))
1030                        return ERR_PTR(-ECONNREFUSED);
1031
1032                return ERR_PTR(-EOPNOTSUPP);
1033        }
1034
1035        /* Some devices send ATT messages as soon as the physical link is
1036         * established. To be able to handle these ATT messages, the user-
1037         * space first establishes the connection and then starts the pairing
1038         * process.
1039         *
1040         * So if a hci_conn object already exists for the following connection
1041         * attempt, we simply update pending_sec_level and auth_type fields
1042         * and return the object found.
1043         */
1044        conn = hci_conn_hash_lookup_le(hdev, dst, dst_type);
1045        if (conn) {
1046                if (conn->pending_sec_level < sec_level)
1047                        conn->pending_sec_level = sec_level;
1048                goto done;
1049        }
1050
1051        BT_DBG("requesting refresh of dst_addr");
1052
1053        conn = hci_conn_add(hdev, LE_LINK, dst, HCI_ROLE_MASTER);
1054        if (!conn)
1055                return ERR_PTR(-ENOMEM);
1056
1057        if (hci_explicit_conn_params_set(hdev, dst, dst_type) < 0)
1058                return ERR_PTR(-EBUSY);
1059
1060        conn->state = BT_CONNECT;
1061        set_bit(HCI_CONN_SCANNING, &conn->flags);
1062        conn->dst_type = dst_type;
1063        conn->sec_level = BT_SECURITY_LOW;
1064        conn->pending_sec_level = sec_level;
1065        conn->conn_timeout = conn_timeout;
1066
1067        hci_update_background_scan(hdev);
1068
1069done:
1070        hci_conn_hold(conn);
1071        return conn;
1072}
1073
1074struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst,
1075                                 u8 sec_level, u8 auth_type)
1076{
1077        struct hci_conn *acl;
1078
1079        if (!hci_dev_test_flag(hdev, HCI_BREDR_ENABLED)) {
1080                if (lmp_bredr_capable(hdev))
1081                        return ERR_PTR(-ECONNREFUSED);
1082
1083                return ERR_PTR(-EOPNOTSUPP);
1084        }
1085
1086        acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
1087        if (!acl) {
1088                acl = hci_conn_add(hdev, ACL_LINK, dst, HCI_ROLE_MASTER);
1089                if (!acl)
1090                        return ERR_PTR(-ENOMEM);
1091        }
1092
1093        hci_conn_hold(acl);
1094
1095        if (acl->state == BT_OPEN || acl->state == BT_CLOSED) {
1096                acl->sec_level = BT_SECURITY_LOW;
1097                acl->pending_sec_level = sec_level;
1098                acl->auth_type = auth_type;
1099                hci_acl_create_connection(acl);
1100        }
1101
1102        return acl;
1103}
1104
1105struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst,
1106                                 __u16 setting)
1107{
1108        struct hci_conn *acl;
1109        struct hci_conn *sco;
1110
1111        acl = hci_connect_acl(hdev, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING);
1112        if (IS_ERR(acl))
1113                return acl;
1114
1115        sco = hci_conn_hash_lookup_ba(hdev, type, dst);
1116        if (!sco) {
1117                sco = hci_conn_add(hdev, type, dst, HCI_ROLE_MASTER);
1118                if (!sco) {
1119                        hci_conn_drop(acl);
1120                        return ERR_PTR(-ENOMEM);
1121                }
1122        }
1123
1124        acl->link = sco;
1125        sco->link = acl;
1126
1127        hci_conn_hold(sco);
1128
1129        sco->setting = setting;
1130
1131        if (acl->state == BT_CONNECTED &&
1132            (sco->state == BT_OPEN || sco->state == BT_CLOSED)) {
1133                set_bit(HCI_CONN_POWER_SAVE, &acl->flags);
1134                hci_conn_enter_active_mode(acl, BT_POWER_FORCE_ACTIVE_ON);
1135
1136                if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->flags)) {
1137                        /* defer SCO setup until mode change completed */
1138                        set_bit(HCI_CONN_SCO_SETUP_PEND, &acl->flags);
1139                        return sco;
1140                }
1141
1142                hci_sco_setup(acl, 0x00);
1143        }
1144
1145        return sco;
1146}
1147
1148/* Check link security requirement */
1149int hci_conn_check_link_mode(struct hci_conn *conn)
1150{
1151        BT_DBG("hcon %p", conn);
1152
1153        /* In Secure Connections Only mode, it is required that Secure
1154         * Connections is used and the link is encrypted with AES-CCM
1155         * using a P-256 authenticated combination key.
1156         */
1157        if (hci_dev_test_flag(conn->hdev, HCI_SC_ONLY)) {
1158                if (!hci_conn_sc_enabled(conn) ||
1159                    !test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
1160                    conn->key_type != HCI_LK_AUTH_COMBINATION_P256)
1161                        return 0;
1162        }
1163
1164        if (hci_conn_ssp_enabled(conn) &&
1165            !test_bit(HCI_CONN_ENCRYPT, &conn->flags))
1166                return 0;
1167
1168        return 1;
1169}
1170
1171/* Authenticate remote device */
1172static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
1173{
1174        BT_DBG("hcon %p", conn);
1175
1176        if (conn->pending_sec_level > sec_level)
1177                sec_level = conn->pending_sec_level;
1178
1179        if (sec_level > conn->sec_level)
1180                conn->pending_sec_level = sec_level;
1181        else if (test_bit(HCI_CONN_AUTH, &conn->flags))
1182                return 1;
1183
1184        /* Make sure we preserve an existing MITM requirement*/
1185        auth_type |= (conn->auth_type & 0x01);
1186
1187        conn->auth_type = auth_type;
1188
1189        if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
1190                struct hci_cp_auth_requested cp;
1191
1192                cp.handle = cpu_to_le16(conn->handle);
1193                hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED,
1194                             sizeof(cp), &cp);
1195
1196                /* If we're already encrypted set the REAUTH_PEND flag,
1197                 * otherwise set the ENCRYPT_PEND.
1198                 */
1199                if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
1200                        set_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
1201                else
1202                        set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
1203        }
1204
1205        return 0;
1206}
1207
1208/* Encrypt the the link */
1209static void hci_conn_encrypt(struct hci_conn *conn)
1210{
1211        BT_DBG("hcon %p", conn);
1212
1213        if (!test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
1214                struct hci_cp_set_conn_encrypt cp;
1215                cp.handle  = cpu_to_le16(conn->handle);
1216                cp.encrypt = 0x01;
1217                hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
1218                             &cp);
1219        }
1220}
1221
1222/* Enable security */
1223int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type,
1224                      bool initiator)
1225{
1226        BT_DBG("hcon %p", conn);
1227
1228        if (conn->type == LE_LINK)
1229                return smp_conn_security(conn, sec_level);
1230
1231        /* For sdp we don't need the link key. */
1232        if (sec_level == BT_SECURITY_SDP)
1233                return 1;
1234
1235        /* For non 2.1 devices and low security level we don't need the link
1236           key. */
1237        if (sec_level == BT_SECURITY_LOW && !hci_conn_ssp_enabled(conn))
1238                return 1;
1239
1240        /* For other security levels we need the link key. */
1241        if (!test_bit(HCI_CONN_AUTH, &conn->flags))
1242                goto auth;
1243
1244        /* An authenticated FIPS approved combination key has sufficient
1245         * security for security level 4. */
1246        if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256 &&
1247            sec_level == BT_SECURITY_FIPS)
1248                goto encrypt;
1249
1250        /* An authenticated combination key has sufficient security for
1251           security level 3. */
1252        if ((conn->key_type == HCI_LK_AUTH_COMBINATION_P192 ||
1253             conn->key_type == HCI_LK_AUTH_COMBINATION_P256) &&
1254            sec_level == BT_SECURITY_HIGH)
1255                goto encrypt;
1256
1257        /* An unauthenticated combination key has sufficient security for
1258           security level 1 and 2. */
1259        if ((conn->key_type == HCI_LK_UNAUTH_COMBINATION_P192 ||
1260             conn->key_type == HCI_LK_UNAUTH_COMBINATION_P256) &&
1261            (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW))
1262                goto encrypt;
1263
1264        /* A combination key has always sufficient security for the security
1265           levels 1 or 2. High security level requires the combination key
1266           is generated using maximum PIN code length (16).
1267           For pre 2.1 units. */
1268        if (conn->key_type == HCI_LK_COMBINATION &&
1269            (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW ||
1270             conn->pin_length == 16))
1271                goto encrypt;
1272
1273auth:
1274        if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags))
1275                return 0;
1276
1277        if (initiator)
1278                set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
1279
1280        if (!hci_conn_auth(conn, sec_level, auth_type))
1281                return 0;
1282
1283encrypt:
1284        if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
1285                return 1;
1286
1287        hci_conn_encrypt(conn);
1288        return 0;
1289}
1290EXPORT_SYMBOL(hci_conn_security);
1291
1292/* Check secure link requirement */
1293int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level)
1294{
1295        BT_DBG("hcon %p", conn);
1296
1297        /* Accept if non-secure or higher security level is required */
1298        if (sec_level != BT_SECURITY_HIGH && sec_level != BT_SECURITY_FIPS)
1299                return 1;
1300
1301        /* Accept if secure or higher security level is already present */
1302        if (conn->sec_level == BT_SECURITY_HIGH ||
1303            conn->sec_level == BT_SECURITY_FIPS)
1304                return 1;
1305
1306        /* Reject not secure link */
1307        return 0;
1308}
1309EXPORT_SYMBOL(hci_conn_check_secure);
1310
1311/* Switch role */
1312int hci_conn_switch_role(struct hci_conn *conn, __u8 role)
1313{
1314        BT_DBG("hcon %p", conn);
1315
1316        if (role == conn->role)
1317                return 1;
1318
1319        if (!test_and_set_bit(HCI_CONN_RSWITCH_PEND, &conn->flags)) {
1320                struct hci_cp_switch_role cp;
1321                bacpy(&cp.bdaddr, &conn->dst);
1322                cp.role = role;
1323                hci_send_cmd(conn->hdev, HCI_OP_SWITCH_ROLE, sizeof(cp), &cp);
1324        }
1325
1326        return 0;
1327}
1328EXPORT_SYMBOL(hci_conn_switch_role);
1329
1330/* Enter active mode */
1331void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active)
1332{
1333        struct hci_dev *hdev = conn->hdev;
1334
1335        BT_DBG("hcon %p mode %d", conn, conn->mode);
1336
1337        if (conn->mode != HCI_CM_SNIFF)
1338                goto timer;
1339
1340        if (!test_bit(HCI_CONN_POWER_SAVE, &conn->flags) && !force_active)
1341                goto timer;
1342
1343        if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
1344                struct hci_cp_exit_sniff_mode cp;
1345                cp.handle = cpu_to_le16(conn->handle);
1346                hci_send_cmd(hdev, HCI_OP_EXIT_SNIFF_MODE, sizeof(cp), &cp);
1347        }
1348
1349timer:
1350        if (hdev->idle_timeout > 0)
1351                queue_delayed_work(hdev->workqueue, &conn->idle_work,
1352                                   msecs_to_jiffies(hdev->idle_timeout));
1353}
1354
1355/* Drop all connection on the device */
1356void hci_conn_hash_flush(struct hci_dev *hdev)
1357{
1358        struct hci_conn_hash *h = &hdev->conn_hash;
1359        struct hci_conn *c, *n;
1360
1361        BT_DBG("hdev %s", hdev->name);
1362
1363        list_for_each_entry_safe(c, n, &h->list, list) {
1364                c->state = BT_CLOSED;
1365
1366                hci_disconn_cfm(c, HCI_ERROR_LOCAL_HOST_TERM);
1367                hci_conn_del(c);
1368        }
1369}
1370
1371/* Check pending connect attempts */
1372void hci_conn_check_pending(struct hci_dev *hdev)
1373{
1374        struct hci_conn *conn;
1375
1376        BT_DBG("hdev %s", hdev->name);
1377
1378        hci_dev_lock(hdev);
1379
1380        conn = hci_conn_hash_lookup_state(hdev, ACL_LINK, BT_CONNECT2);
1381        if (conn)
1382                hci_acl_create_connection(conn);
1383
1384        hci_dev_unlock(hdev);
1385}
1386
1387static u32 get_link_mode(struct hci_conn *conn)
1388{
1389        u32 link_mode = 0;
1390
1391        if (conn->role == HCI_ROLE_MASTER)
1392                link_mode |= HCI_LM_MASTER;
1393
1394        if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
1395                link_mode |= HCI_LM_ENCRYPT;
1396
1397        if (test_bit(HCI_CONN_AUTH, &conn->flags))
1398                link_mode |= HCI_LM_AUTH;
1399
1400        if (test_bit(HCI_CONN_SECURE, &conn->flags))
1401                link_mode |= HCI_LM_SECURE;
1402
1403        if (test_bit(HCI_CONN_FIPS, &conn->flags))
1404                link_mode |= HCI_LM_FIPS;
1405
1406        return link_mode;
1407}
1408
1409int hci_get_conn_list(void __user *arg)
1410{
1411        struct hci_conn *c;
1412        struct hci_conn_list_req req, *cl;
1413        struct hci_conn_info *ci;
1414        struct hci_dev *hdev;
1415        int n = 0, size, err;
1416
1417        if (copy_from_user(&req, arg, sizeof(req)))
1418                return -EFAULT;
1419
1420        if (!req.conn_num || req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci))
1421                return -EINVAL;
1422
1423        size = sizeof(req) + req.conn_num * sizeof(*ci);
1424
1425        cl = kmalloc(size, GFP_KERNEL);
1426        if (!cl)
1427                return -ENOMEM;
1428
1429        hdev = hci_dev_get(req.dev_id);
1430        if (!hdev) {
1431                kfree(cl);
1432                return -ENODEV;
1433        }
1434
1435        ci = cl->conn_info;
1436
1437        hci_dev_lock(hdev);
1438        list_for_each_entry(c, &hdev->conn_hash.list, list) {
1439                bacpy(&(ci + n)->bdaddr, &c->dst);
1440                (ci + n)->handle = c->handle;
1441                (ci + n)->type  = c->type;
1442                (ci + n)->out   = c->out;
1443                (ci + n)->state = c->state;
1444                (ci + n)->link_mode = get_link_mode(c);
1445                if (++n >= req.conn_num)
1446                        break;
1447        }
1448        hci_dev_unlock(hdev);
1449
1450        cl->dev_id = hdev->id;
1451        cl->conn_num = n;
1452        size = sizeof(req) + n * sizeof(*ci);
1453
1454        hci_dev_put(hdev);
1455
1456        err = copy_to_user(arg, cl, size);
1457        kfree(cl);
1458
1459        return err ? -EFAULT : 0;
1460}
1461
1462int hci_get_conn_info(struct hci_dev *hdev, void __user *arg)
1463{
1464        struct hci_conn_info_req req;
1465        struct hci_conn_info ci;
1466        struct hci_conn *conn;
1467        char __user *ptr = arg + sizeof(req);
1468
1469        if (copy_from_user(&req, arg, sizeof(req)))
1470                return -EFAULT;
1471
1472        hci_dev_lock(hdev);
1473        conn = hci_conn_hash_lookup_ba(hdev, req.type, &req.bdaddr);
1474        if (conn) {
1475                bacpy(&ci.bdaddr, &conn->dst);
1476                ci.handle = conn->handle;
1477                ci.type  = conn->type;
1478                ci.out   = conn->out;
1479                ci.state = conn->state;
1480                ci.link_mode = get_link_mode(conn);
1481        }
1482        hci_dev_unlock(hdev);
1483
1484        if (!conn)
1485                return -ENOENT;
1486
1487        return copy_to_user(ptr, &ci, sizeof(ci)) ? -EFAULT : 0;
1488}
1489
1490int hci_get_auth_info(struct hci_dev *hdev, void __user *arg)
1491{
1492        struct hci_auth_info_req req;
1493        struct hci_conn *conn;
1494
1495        if (copy_from_user(&req, arg, sizeof(req)))
1496                return -EFAULT;
1497
1498        hci_dev_lock(hdev);
1499        conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &req.bdaddr);
1500        if (conn)
1501                req.type = conn->auth_type;
1502        hci_dev_unlock(hdev);
1503
1504        if (!conn)
1505                return -ENOENT;
1506
1507        return copy_to_user(arg, &req, sizeof(req)) ? -EFAULT : 0;
1508}
1509
1510struct hci_chan *hci_chan_create(struct hci_conn *conn)
1511{
1512        struct hci_dev *hdev = conn->hdev;
1513        struct hci_chan *chan;
1514
1515        BT_DBG("%s hcon %p", hdev->name, conn);
1516
1517        if (test_bit(HCI_CONN_DROP, &conn->flags)) {
1518                BT_DBG("Refusing to create new hci_chan");
1519                return NULL;
1520        }
1521
1522        chan = kzalloc(sizeof(*chan), GFP_KERNEL);
1523        if (!chan)
1524                return NULL;
1525
1526        chan->conn = hci_conn_get(conn);
1527        skb_queue_head_init(&chan->data_q);
1528        chan->state = BT_CONNECTED;
1529
1530        list_add_rcu(&chan->list, &conn->chan_list);
1531
1532        return chan;
1533}
1534
1535void hci_chan_del(struct hci_chan *chan)
1536{
1537        struct hci_conn *conn = chan->conn;
1538        struct hci_dev *hdev = conn->hdev;
1539
1540        BT_DBG("%s hcon %p chan %p", hdev->name, conn, chan);
1541
1542        list_del_rcu(&chan->list);
1543
1544        synchronize_rcu();
1545
1546        /* Prevent new hci_chan's to be created for this hci_conn */
1547        set_bit(HCI_CONN_DROP, &conn->flags);
1548
1549        hci_conn_put(conn);
1550
1551        skb_queue_purge(&chan->data_q);
1552        kfree(chan);
1553}
1554
1555void hci_chan_list_flush(struct hci_conn *conn)
1556{
1557        struct hci_chan *chan, *n;
1558
1559        BT_DBG("hcon %p", conn);
1560
1561        list_for_each_entry_safe(chan, n, &conn->chan_list, list)
1562                hci_chan_del(chan);
1563}
1564
1565static struct hci_chan *__hci_chan_lookup_handle(struct hci_conn *hcon,
1566                                                 __u16 handle)
1567{
1568        struct hci_chan *hchan;
1569
1570        list_for_each_entry(hchan, &hcon->chan_list, list) {
1571                if (hchan->handle == handle)
1572                        return hchan;
1573        }
1574
1575        return NULL;
1576}
1577
1578struct hci_chan *hci_chan_lookup_handle(struct hci_dev *hdev, __u16 handle)
1579{
1580        struct hci_conn_hash *h = &hdev->conn_hash;
1581        struct hci_conn *hcon;
1582        struct hci_chan *hchan = NULL;
1583
1584        rcu_read_lock();
1585
1586        list_for_each_entry_rcu(hcon, &h->list, list) {
1587                hchan = __hci_chan_lookup_handle(hcon, handle);
1588                if (hchan)
1589                        break;
1590        }
1591
1592        rcu_read_unlock();
1593
1594        return hchan;
1595}
1596