LXR linux/net/bluetooth/hci

   1/*
   2   BlueZ - Bluetooth protocol stack for Linux
   3   Copyright (c) 2000-2001, 2010, Code Aurora Forum. All rights reserved.
   4
   5   Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
   6
   7   This program is free software; you can redistribute it and/or modify
   8   it under the terms of the GNU General Public License version 2 as
   9   published by the Free Software Foundation;
  10
  11   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
  12   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  13   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
  14   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
  15   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
  16   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  17   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  18   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  19
  20   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
  21   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
  22   SOFTWARE IS DISCLAIMED.
  23*/
  24
  25/* Bluetooth HCI connection handling. */
  26
  27#include <linux/export.h>
  28#include <linux/debugfs.h>
  29
  30#include <net/bluetooth/bluetooth.h>
  31#include <net/bluetooth/hci_core.h>
  32#include <net/bluetooth/l2cap.h>
  33
  34#include "hci_request.h"
  35#include "smp.h"
  36#include "a2mp.h"
  37
  38struct sco_param {
  39        u16 pkt_type;
  40        u16 max_latency;
  41        u8  retrans_effort;
  42};
  43
  44static const struct sco_param esco_param_cvsd[] = {
  45        { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000a,   0x01 }, /* S3 */
  46        { EDR_ESCO_MASK & ~ESCO_2EV3, 0x0007,   0x01 }, /* S2 */
  47        { EDR_ESCO_MASK | ESCO_EV3,   0x0007,   0x01 }, /* S1 */
  48        { EDR_ESCO_MASK | ESCO_HV3,   0xffff,   0x01 }, /* D1 */
  49        { EDR_ESCO_MASK | ESCO_HV1,   0xffff,   0x01 }, /* D0 */
  50};
  51
  52static const struct sco_param sco_param_cvsd[] = {
  53        { EDR_ESCO_MASK | ESCO_HV3,   0xffff,   0xff }, /* D1 */
  54        { EDR_ESCO_MASK | ESCO_HV1,   0xffff,   0xff }, /* D0 */
  55};
  56
  57static const struct sco_param esco_param_msbc[] = {
  58        { EDR_ESCO_MASK & ~ESCO_2EV3, 0x000d,   0x02 }, /* T2 */
  59        { EDR_ESCO_MASK | ESCO_EV3,   0x0008,   0x02 }, /* T1 */
  60};
  61
  62static void hci_le_create_connection_cancel(struct hci_conn *conn)
  63{
  64        hci_send_cmd(conn->hdev, HCI_OP_LE_CREATE_CONN_CANCEL, 0, NULL);
  65}
  66
  67static void hci_acl_create_connection(struct hci_conn *conn)
  68{
  69        struct hci_dev *hdev = conn->hdev;
  70        struct inquiry_entry *ie;
  71        struct hci_cp_create_conn cp;
  72
  73        BT_DBG("hcon %p", conn);
  74
  75        conn->state = BT_CONNECT;
  76        conn->out = true;
  77        conn->role = HCI_ROLE_MASTER;
  78
  79        conn->attempt++;
  80
  81        conn->link_policy = hdev->link_policy;
  82
  83        memset(&cp, 0, sizeof(cp));
  84        bacpy(&cp.bdaddr, &conn->dst);
  85        cp.pscan_rep_mode = 0x02;
  86
  87        ie = hci_inquiry_cache_lookup(hdev, &conn->dst);
  88        if (ie) {
  89                if (inquiry_entry_age(ie) <= INQUIRY_ENTRY_AGE_MAX) {
  90                        cp.pscan_rep_mode = ie->data.pscan_rep_mode;
  91                        cp.pscan_mode     = ie->data.pscan_mode;
  92                        cp.clock_offset   = ie->data.clock_offset |
  93                                            cpu_to_le16(0x8000);
  94                }
  95
  96                memcpy(conn->dev_class, ie->data.dev_class, 3);
  97                if (ie->data.ssp_mode > 0)
  98                        set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);
  99        }
 100
 101        cp.pkt_type = cpu_to_le16(conn->pkt_type);
 102        if (lmp_rswitch_capable(hdev) && !(hdev->link_mode & HCI_LM_MASTER))
 103                cp.role_switch = 0x01;
 104        else
 105                cp.role_switch = 0x00;
 106
 107        hci_send_cmd(hdev, HCI_OP_CREATE_CONN, sizeof(cp), &cp);
 108}
 109
 110static void hci_acl_create_connection_cancel(struct hci_conn *conn)
 111{
 112        struct hci_cp_create_conn_cancel cp;
 113
 114        BT_DBG("hcon %p", conn);
 115
 116        if (conn->hdev->hci_ver < BLUETOOTH_VER_1_2)
 117                return;
 118
 119        bacpy(&cp.bdaddr, &conn->dst);
 120        hci_send_cmd(conn->hdev, HCI_OP_CREATE_CONN_CANCEL, sizeof(cp), &cp);
 121}
 122
 123static void hci_reject_sco(struct hci_conn *conn)
 124{
 125        struct hci_cp_reject_sync_conn_req cp;
 126
 127        cp.reason = HCI_ERROR_REJ_LIMITED_RESOURCES;
 128        bacpy(&cp.bdaddr, &conn->dst);
 129
 130        hci_send_cmd(conn->hdev, HCI_OP_REJECT_SYNC_CONN_REQ, sizeof(cp), &cp);
 131}
 132
 133int hci_disconnect(struct hci_conn *conn, __u8 reason)
 134{
 135        struct hci_cp_disconnect cp;
 136
 137        BT_DBG("hcon %p", conn);
 138
 139        /* When we are master of an established connection and it enters
 140         * the disconnect timeout, then go ahead and try to read the
 141         * current clock offset.  Processing of the result is done
 142         * within the event handling and hci_clock_offset_evt function.
 143         */
 144        if (conn->type == ACL_LINK && conn->role == HCI_ROLE_MASTER) {
 145                struct hci_dev *hdev = conn->hdev;
 146                struct hci_cp_read_clock_offset clkoff_cp;
 147
 148                clkoff_cp.handle = cpu_to_le16(conn->handle);
 149                hci_send_cmd(hdev, HCI_OP_READ_CLOCK_OFFSET, sizeof(clkoff_cp),
 150                             &clkoff_cp);
 151        }
 152
 153        conn->state = BT_DISCONN;
 154
 155        cp.handle = cpu_to_le16(conn->handle);
 156        cp.reason = reason;
 157        return hci_send_cmd(conn->hdev, HCI_OP_DISCONNECT, sizeof(cp), &cp);
 158}
 159
 160static void hci_amp_disconn(struct hci_conn *conn)
 161{
 162        struct hci_cp_disconn_phy_link cp;
 163
 164        BT_DBG("hcon %p", conn);
 165
 166        conn->state = BT_DISCONN;
 167
 168        cp.phy_handle = HCI_PHY_HANDLE(conn->handle);
 169        cp.reason = hci_proto_disconn_ind(conn);
 170        hci_send_cmd(conn->hdev, HCI_OP_DISCONN_PHY_LINK,
 171                     sizeof(cp), &cp);
 172}
 173
 174static void hci_add_sco(struct hci_conn *conn, __u16 handle)
 175{
 176        struct hci_dev *hdev = conn->hdev;
 177        struct hci_cp_add_sco cp;
 178
 179        BT_DBG("hcon %p", conn);
 180
 181        conn->state = BT_CONNECT;
 182        conn->out = true;
 183
 184        conn->attempt++;
 185
 186        cp.handle   = cpu_to_le16(handle);
 187        cp.pkt_type = cpu_to_le16(conn->pkt_type);
 188
 189        hci_send_cmd(hdev, HCI_OP_ADD_SCO, sizeof(cp), &cp);
 190}
 191
 192bool hci_setup_sync(struct hci_conn *conn, __u16 handle)
 193{
 194        struct hci_dev *hdev = conn->hdev;
 195        struct hci_cp_setup_sync_conn cp;
 196        const struct sco_param *param;
 197
 198        BT_DBG("hcon %p", conn);
 199
 200        conn->state = BT_CONNECT;
 201        conn->out = true;
 202
 203        conn->attempt++;
 204
 205        cp.handle   = cpu_to_le16(handle);
 206
 207        cp.tx_bandwidth   = cpu_to_le32(0x00001f40);
 208        cp.rx_bandwidth   = cpu_to_le32(0x00001f40);
 209        cp.voice_setting  = cpu_to_le16(conn->setting);
 210
 211        switch (conn->setting & SCO_AIRMODE_MASK) {
 212        case SCO_AIRMODE_TRANSP:
 213                if (conn->attempt > ARRAY_SIZE(esco_param_msbc))
 214                        return false;
 215                param = &esco_param_msbc[conn->attempt - 1];
 216                break;
 217        case SCO_AIRMODE_CVSD:
 218                if (lmp_esco_capable(conn->link)) {
 219                        if (conn->attempt > ARRAY_SIZE(esco_param_cvsd))
 220                                return false;
 221                        param = &esco_param_cvsd[conn->attempt - 1];
 222                } else {
 223                        if (conn->attempt > ARRAY_SIZE(sco_param_cvsd))
 224                                return false;
 225                        param = &sco_param_cvsd[conn->attempt - 1];
 226                }
 227                break;
 228        default:
 229                return false;
 230        }
 231
 232        cp.retrans_effort = param->retrans_effort;
 233        cp.pkt_type = __cpu_to_le16(param->pkt_type);
 234        cp.max_latency = __cpu_to_le16(param->max_latency);
 235
 236        if (hci_send_cmd(hdev, HCI_OP_SETUP_SYNC_CONN, sizeof(cp), &cp) < 0)
 237                return false;
 238
 239        return true;
 240}
 241
 242u8 hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max, u16 latency,
 243                      u16 to_multiplier)
 244{
 245        struct hci_dev *hdev = conn->hdev;
 246        struct hci_conn_params *params;
 247        struct hci_cp_le_conn_update cp;
 248
 249        hci_dev_lock(hdev);
 250
 251        params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
 252        if (params) {
 253                params->conn_min_interval = min;
 254                params->conn_max_interval = max;
 255                params->conn_latency = latency;
 256                params->supervision_timeout = to_multiplier;
 257        }
 258
 259        hci_dev_unlock(hdev);
 260
 261        memset(&cp, 0, sizeof(cp));
 262        cp.handle               = cpu_to_le16(conn->handle);
 263        cp.conn_interval_min    = cpu_to_le16(min);
 264        cp.conn_interval_max    = cpu_to_le16(max);
 265        cp.conn_latency         = cpu_to_le16(latency);
 266        cp.supervision_timeout  = cpu_to_le16(to_multiplier);
 267        cp.min_ce_len           = cpu_to_le16(0x0000);
 268        cp.max_ce_len           = cpu_to_le16(0x0000);
 269
 270        hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp);
 271
 272        if (params)
 273                return 0x01;
 274
 275        return 0x00;
 276}
 277
 278void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __le64 rand,
 279                      __u8 ltk[16])
 280{
 281        struct hci_dev *hdev = conn->hdev;
 282        struct hci_cp_le_start_enc cp;
 283
 284        BT_DBG("hcon %p", conn);
 285
 286        memset(&cp, 0, sizeof(cp));
 287
 288        cp.handle = cpu_to_le16(conn->handle);
 289        cp.rand = rand;
 290        cp.ediv = ediv;
 291        memcpy(cp.ltk, ltk, sizeof(cp.ltk));
 292
 293        hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp);
 294}
 295
 296/* Device _must_ be locked */
 297void hci_sco_setup(struct hci_conn *conn, __u8 status)
 298{
 299        struct hci_conn *sco = conn->link;
 300
 301        if (!sco)
 302                return;
 303
 304        BT_DBG("hcon %p", conn);
 305
 306        if (!status) {
 307                if (lmp_esco_capable(conn->hdev))
 308                        hci_setup_sync(sco, conn->handle);
 309                else
 310                        hci_add_sco(sco, conn->handle);
 311        } else {
 312                hci_proto_connect_cfm(sco, status);
 313                hci_conn_del(sco);
 314        }
 315}
 316
 317static void hci_conn_timeout(struct work_struct *work)
 318{
 319        struct hci_conn *conn = container_of(work, struct hci_conn,
 320                                             disc_work.work);
 321        int refcnt = atomic_read(&conn->refcnt);
 322
 323        BT_DBG("hcon %p state %s", conn, state_to_string(conn->state));
 324
 325        WARN_ON(refcnt < 0);
 326
 327        /* FIXME: It was observed that in pairing failed scenario, refcnt
 328         * drops below 0. Probably this is because l2cap_conn_del calls
 329         * l2cap_chan_del for each channel, and inside l2cap_chan_del conn is
 330         * dropped. After that loop hci_chan_del is called which also drops
 331         * conn. For now make sure that ACL is alive if refcnt is higher then 0,
 332         * otherwise drop it.
 333         */
 334        if (refcnt > 0)
 335                return;
 336
 337        switch (conn->state) {
 338        case BT_CONNECT:
 339        case BT_CONNECT2:
 340                if (conn->out) {
 341                        if (conn->type == ACL_LINK)
 342                                hci_acl_create_connection_cancel(conn);
 343                        else if (conn->type == LE_LINK)
 344                                hci_le_create_connection_cancel(conn);
 345                } else if (conn->type == SCO_LINK || conn->type == ESCO_LINK) {
 346                        hci_reject_sco(conn);
 347                }
 348                break;
 349        case BT_CONFIG:
 350        case BT_CONNECTED:
 351                if (conn->type == AMP_LINK) {
 352                        hci_amp_disconn(conn);
 353                } else {
 354                        __u8 reason = hci_proto_disconn_ind(conn);
 355                        hci_disconnect(conn, reason);
 356                }
 357                break;
 358        default:
 359                conn->state = BT_CLOSED;
 360                break;
 361        }
 362}
 363
 364/* Enter sniff mode */
 365static void hci_conn_idle(struct work_struct *work)
 366{
 367        struct hci_conn *conn = container_of(work, struct hci_conn,
 368                                             idle_work.work);
 369        struct hci_dev *hdev = conn->hdev;
 370
 371        BT_DBG("hcon %p mode %d", conn, conn->mode);
 372
 373        if (!lmp_sniff_capable(hdev) || !lmp_sniff_capable(conn))
 374                return;
 375
 376        if (conn->mode != HCI_CM_ACTIVE || !(conn->link_policy & HCI_LP_SNIFF))
 377                return;
 378
 379        if (lmp_sniffsubr_capable(hdev) && lmp_sniffsubr_capable(conn)) {
 380                struct hci_cp_sniff_subrate cp;
 381                cp.handle             = cpu_to_le16(conn->handle);
 382                cp.max_latency        = cpu_to_le16(0);
 383                cp.min_remote_timeout = cpu_to_le16(0);
 384                cp.min_local_timeout  = cpu_to_le16(0);
 385                hci_send_cmd(hdev, HCI_OP_SNIFF_SUBRATE, sizeof(cp), &cp);
 386        }
 387
 388        if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
 389                struct hci_cp_sniff_mode cp;
 390                cp.handle       = cpu_to_le16(conn->handle);
 391                cp.max_interval = cpu_to_le16(hdev->sniff_max_interval);
 392                cp.min_interval = cpu_to_le16(hdev->sniff_min_interval);
 393                cp.attempt      = cpu_to_le16(4);
 394                cp.timeout      = cpu_to_le16(1);
 395                hci_send_cmd(hdev, HCI_OP_SNIFF_MODE, sizeof(cp), &cp);
 396        }
 397}
 398
 399static void hci_conn_auto_accept(struct work_struct *work)
 400{
 401        struct hci_conn *conn = container_of(work, struct hci_conn,
 402                                             auto_accept_work.work);
 403
 404        hci_send_cmd(conn->hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst),
 405                     &conn->dst);
 406}
 407
 408static void le_conn_timeout(struct work_struct *work)
 409{
 410        struct hci_conn *conn = container_of(work, struct hci_conn,
 411                                             le_conn_timeout.work);
 412        struct hci_dev *hdev = conn->hdev;
 413
 414        BT_DBG("");
 415
 416        /* We could end up here due to having done directed advertising,
 417         * so clean up the state if necessary. This should however only
 418         * happen with broken hardware or if low duty cycle was used
 419         * (which doesn't have a timeout of its own).
 420         */
 421        if (conn->role == HCI_ROLE_SLAVE) {
 422                u8 enable = 0x00;
 423                hci_send_cmd(hdev, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable),
 424                             &enable);
 425                hci_le_conn_failed(conn, HCI_ERROR_ADVERTISING_TIMEOUT);
 426                return;
 427        }
 428
 429        hci_le_create_connection_cancel(conn);
 430}
 431
 432struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst,
 433                              u8 role)
 434{
 435        struct hci_conn *conn;
 436
 437        BT_DBG("%s dst %pMR", hdev->name, dst);
 438
 439        conn = kzalloc(sizeof(*conn), GFP_KERNEL);
 440        if (!conn)
 441                return NULL;
 442
 443        bacpy(&conn->dst, dst);
 444        bacpy(&conn->src, &hdev->bdaddr);
 445        conn->hdev  = hdev;
 446        conn->type  = type;
 447        conn->role  = role;
 448        conn->mode  = HCI_CM_ACTIVE;
 449        conn->state = BT_OPEN;
 450        conn->auth_type = HCI_AT_GENERAL_BONDING;
 451        conn->io_capability = hdev->io_capability;
 452        conn->remote_auth = 0xff;
 453        conn->key_type = 0xff;
 454        conn->rssi = HCI_RSSI_INVALID;
 455        conn->tx_power = HCI_TX_POWER_INVALID;
 456        conn->max_tx_power = HCI_TX_POWER_INVALID;
 457
 458        set_bit(HCI_CONN_POWER_SAVE, &conn->flags);
 459        conn->disc_timeout = HCI_DISCONN_TIMEOUT;
 460
 461        if (conn->role == HCI_ROLE_MASTER)
 462                conn->out = true;
 463
 464        switch (type) {
 465        case ACL_LINK:
 466                conn->pkt_type = hdev->pkt_type & ACL_PTYPE_MASK;
 467                break;
 468        case LE_LINK:
 469                /* conn->src should reflect the local identity address */
 470                hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
 471                break;
 472        case SCO_LINK:
 473                if (lmp_esco_capable(hdev))
 474                        conn->pkt_type = (hdev->esco_type & SCO_ESCO_MASK) |
 475                                        (hdev->esco_type & EDR_ESCO_MASK);
 476                else
 477                        conn->pkt_type = hdev->pkt_type & SCO_PTYPE_MASK;
 478                break;
 479        case ESCO_LINK:
 480                conn->pkt_type = hdev->esco_type & ~EDR_ESCO_MASK;
 481                break;
 482        }
 483
 484        skb_queue_head_init(&conn->data_q);
 485
 486        INIT_LIST_HEAD(&conn->chan_list);
 487
 488        INIT_DELAYED_WORK(&conn->disc_work, hci_conn_timeout);
 489        INIT_DELAYED_WORK(&conn->auto_accept_work, hci_conn_auto_accept);
 490        INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle);
 491        INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout);
 492
 493        atomic_set(&conn->refcnt, 0);
 494
 495        hci_dev_hold(hdev);
 496
 497        hci_conn_hash_add(hdev, conn);
 498        if (hdev->notify)
 499                hdev->notify(hdev, HCI_NOTIFY_CONN_ADD);
 500
 501        hci_conn_init_sysfs(conn);
 502
 503        return conn;
 504}
 505
 506int hci_conn_del(struct hci_conn *conn)
 507{
 508        struct hci_dev *hdev = conn->hdev;
 509
 510        BT_DBG("%s hcon %p handle %d", hdev->name, conn, conn->handle);
 511
 512        cancel_delayed_work_sync(&conn->disc_work);
 513        cancel_delayed_work_sync(&conn->auto_accept_work);
 514        cancel_delayed_work_sync(&conn->idle_work);
 515
 516        if (conn->type == ACL_LINK) {
 517                struct hci_conn *sco = conn->link;
 518                if (sco)
 519                        sco->link = NULL;
 520
 521                /* Unacked frames */
 522                hdev->acl_cnt += conn->sent;
 523        } else if (conn->type == LE_LINK) {
 524                cancel_delayed_work(&conn->le_conn_timeout);
 525
 526                if (hdev->le_pkts)
 527                        hdev->le_cnt += conn->sent;
 528                else
 529                        hdev->acl_cnt += conn->sent;
 530        } else {
 531                struct hci_conn *acl = conn->link;
 532                if (acl) {
 533                        acl->link = NULL;
 534                        hci_conn_drop(acl);
 535                }
 536        }
 537
 538        hci_chan_list_flush(conn);
 539
 540        if (conn->amp_mgr)
 541                amp_mgr_put(conn->amp_mgr);
 542
 543        hci_conn_hash_del(hdev, conn);
 544        if (hdev->notify)
 545                hdev->notify(hdev, HCI_NOTIFY_CONN_DEL);
 546
 547        skb_queue_purge(&conn->data_q);
 548
 549        hci_conn_del_sysfs(conn);
 550
 551        debugfs_remove_recursive(conn->debugfs);
 552
 553        if (test_bit(HCI_CONN_PARAM_REMOVAL_PEND, &conn->flags))
 554                hci_conn_params_del(conn->hdev, &conn->dst, conn->dst_type);
 555
 556        hci_dev_put(hdev);
 557
 558        hci_conn_put(conn);
 559
 560        return 0;
 561}
 562
 563struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src)
 564{
 565        int use_src = bacmp(src, BDADDR_ANY);
 566        struct hci_dev *hdev = NULL, *d;
 567
 568        BT_DBG("%pMR -> %pMR", src, dst);
 569
 570        read_lock(&hci_dev_list_lock);
 571
 572        list_for_each_entry(d, &hci_dev_list, list) {
 573                if (!test_bit(HCI_UP, &d->flags) ||
 574                    test_bit(HCI_USER_CHANNEL, &d->dev_flags) ||
 575                    d->dev_type != HCI_BREDR)
 576                        continue;
 577
 578                /* Simple routing:
 579                 *   No source address - find interface with bdaddr != dst
 580                 *   Source address    - find interface with bdaddr == src
 581                 */
 582
 583                if (use_src) {
 584                        if (!bacmp(&d->bdaddr, src)) {
 585                                hdev = d; break;
 586                        }
 587                } else {
 588                        if (bacmp(&d->bdaddr, dst)) {
 589                                hdev = d; break;
 590                        }
 591                }
 592        }
 593
 594        if (hdev)
 595                hdev = hci_dev_hold(hdev);
 596
 597        read_unlock(&hci_dev_list_lock);
 598        return hdev;
 599}
 600EXPORT_SYMBOL(hci_get_route);
 601
 602/* This function requires the caller holds hdev->lock */
 603void hci_le_conn_failed(struct hci_conn *conn, u8 status)
 604{
 605        struct hci_dev *hdev = conn->hdev;
 606        struct hci_conn_params *params;
 607
 608        params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
 609                                           conn->dst_type);
 610        if (params && params->conn) {
 611                hci_conn_drop(params->conn);
 612                hci_conn_put(params->conn);
 613                params->conn = NULL;
 614        }
 615
 616        conn->state = BT_CLOSED;
 617
 618        mgmt_connect_failed(hdev, &conn->dst, conn->type, conn->dst_type,
 619                            status);
 620
 621        hci_proto_connect_cfm(conn, status);
 622
 623        hci_conn_del(conn);
 624
 625        /* Since we may have temporarily stopped the background scanning in
 626         * favor of connection establishment, we should restart it.
 627         */
 628        hci_update_background_scan(hdev);
 629
 630        /* Re-enable advertising in case this was a failed connection
 631         * attempt as a peripheral.
 632         */
 633        mgmt_reenable_advertising(hdev);
 634}
 635
 636static void create_le_conn_complete(struct hci_dev *hdev, u8 status, u16 opcode)
 637{
 638        struct hci_conn *conn;
 639
 640        if (status == 0)
 641                return;
 642
 643        BT_ERR("HCI request failed to create LE connection: status 0x%2.2x",
 644               status);
 645
 646        hci_dev_lock(hdev);
 647
 648        conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT);
 649        if (!conn)
 650                goto done;
 651
 652        hci_le_conn_failed(conn, status);
 653
 654done:
 655        hci_dev_unlock(hdev);
 656}
 657
 658static void hci_req_add_le_create_conn(struct hci_request *req,
 659                                       struct hci_conn *conn)
 660{
 661        struct hci_cp_le_create_conn cp;
 662        struct hci_dev *hdev = conn->hdev;
 663        u8 own_addr_type;
 664
 665        memset(&cp, 0, sizeof(cp));
 666
 667        /* Update random address, but set require_privacy to false so
 668         * that we never connect with an non-resolvable address.
 669         */
 670        if (hci_update_random_address(req, false, &own_addr_type))
 671                return;
 672
 673        cp.scan_interval = cpu_to_le16(hdev->le_scan_interval);
 674        cp.scan_window = cpu_to_le16(hdev->le_scan_window);
 675        bacpy(&cp.peer_addr, &conn->dst);
 676        cp.peer_addr_type = conn->dst_type;
 677        cp.own_address_type = own_addr_type;
 678        cp.conn_interval_min = cpu_to_le16(conn->le_conn_min_interval);
 679        cp.conn_interval_max = cpu_to_le16(conn->le_conn_max_interval);
 680        cp.conn_latency = cpu_to_le16(conn->le_conn_latency);
 681        cp.supervision_timeout = cpu_to_le16(conn->le_supv_timeout);
 682        cp.min_ce_len = cpu_to_le16(0x0000);
 683        cp.max_ce_len = cpu_to_le16(0x0000);
 684
 685        hci_req_add(req, HCI_OP_LE_CREATE_CONN, sizeof(cp), &cp);
 686
 687        conn->state = BT_CONNECT;
 688}
 689
 690static void hci_req_directed_advertising(struct hci_request *req,
 691                                         struct hci_conn *conn)
 692{
 693        struct hci_dev *hdev = req->hdev;
 694        struct hci_cp_le_set_adv_param cp;
 695        u8 own_addr_type;
 696        u8 enable;
 697
 698        /* Clear the HCI_LE_ADV bit temporarily so that the
 699         * hci_update_random_address knows that it's safe to go ahead
 700         * and write a new random address. The flag will be set back on
 701         * as soon as the SET_ADV_ENABLE HCI command completes.
 702         */
 703        clear_bit(HCI_LE_ADV, &hdev->dev_flags);
 704
 705        /* Set require_privacy to false so that the remote device has a
 706         * chance of identifying us.
 707         */
 708        if (hci_update_random_address(req, false, &own_addr_type) < 0)
 709                return;
 710
 711        memset(&cp, 0, sizeof(cp));
 712        cp.type = LE_ADV_DIRECT_IND;
 713        cp.own_address_type = own_addr_type;
 714        cp.direct_addr_type = conn->dst_type;
 715        bacpy(&cp.direct_addr, &conn->dst);
 716        cp.channel_map = hdev->le_adv_channel_map;
 717
 718        hci_req_add(req, HCI_OP_LE_SET_ADV_PARAM, sizeof(cp), &cp);
 719
 720        enable = 0x01;
 721        hci_req_add(req, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable), &enable);
 722
 723        conn->state = BT_CONNECT;
 724}
 725
 726struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
 727                                u8 dst_type, u8 sec_level, u16 conn_timeout,
 728                                u8 role)
 729{
 730        struct hci_conn_params *params;
 731        struct hci_conn *conn;
 732        struct smp_irk *irk;
 733        struct hci_request req;
 734        int err;
 735
 736        /* Some devices send ATT messages as soon as the physical link is
 737         * established. To be able to handle these ATT messages, the user-
 738         * space first establishes the connection and then starts the pairing
 739         * process.
 740         *
 741         * So if a hci_conn object already exists for the following connection
 742         * attempt, we simply update pending_sec_level and auth_type fields
 743         * and return the object found.
 744         */
 745        conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, dst);
 746        if (conn) {
 747                conn->pending_sec_level = sec_level;
 748                goto done;
 749        }
 750
 751        /* Since the controller supports only one LE connection attempt at a
 752         * time, we return -EBUSY if there is any connection attempt running.
 753         */
 754        conn = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT);
 755        if (conn)
 756                return ERR_PTR(-EBUSY);
 757
 758        /* When given an identity address with existing identity
 759         * resolving key, the connection needs to be established
 760         * to a resolvable random address.
 761         *
 762         * This uses the cached random resolvable address from
 763         * a previous scan. When no cached address is available,
 764         * try connecting to the identity address instead.
 765         *
 766         * Storing the resolvable random address is required here
 767         * to handle connection failures. The address will later
 768         * be resolved back into the original identity address
 769         * from the connect request.
 770         */
 771        irk = hci_find_irk_by_addr(hdev, dst, dst_type);
 772        if (irk && bacmp(&irk->rpa, BDADDR_ANY)) {
 773                dst = &irk->rpa;
 774                dst_type = ADDR_LE_DEV_RANDOM;
 775        }
 776
 777        conn = hci_conn_add(hdev, LE_LINK, dst, role);
 778        if (!conn)
 779                return ERR_PTR(-ENOMEM);
 780
 781        conn->dst_type = dst_type;
 782        conn->sec_level = BT_SECURITY_LOW;
 783        conn->pending_sec_level = sec_level;
 784        conn->conn_timeout = conn_timeout;
 785
 786        hci_req_init(&req, hdev);
 787
 788        /* Disable advertising if we're active. For master role
 789         * connections most controllers will refuse to connect if
 790         * advertising is enabled, and for slave role connections we
 791         * anyway have to disable it in order to start directed
 792         * advertising.
 793         */
 794        if (test_bit(HCI_LE_ADV, &hdev->dev_flags)) {
 795                u8 enable = 0x00;
 796                hci_req_add(&req, HCI_OP_LE_SET_ADV_ENABLE, sizeof(enable),
 797                            &enable);
 798        }
 799
 800        /* If requested to connect as slave use directed advertising */
 801        if (conn->role == HCI_ROLE_SLAVE) {
 802                /* If we're active scanning most controllers are unable
 803                 * to initiate advertising. Simply reject the attempt.
 804                 */
 805                if (test_bit(HCI_LE_SCAN, &hdev->dev_flags) &&
 806                    hdev->le_scan_type == LE_SCAN_ACTIVE) {
 807                        skb_queue_purge(&req.cmd_q);
 808                        hci_conn_del(conn);
 809                        return ERR_PTR(-EBUSY);
 810                }
 811
 812                hci_req_directed_advertising(&req, conn);
 813                goto create_conn;
 814        }
 815
 816        params = hci_conn_params_lookup(hdev, &conn->dst, conn->dst_type);
 817        if (params) {
 818                conn->le_conn_min_interval = params->conn_min_interval;
 819                conn->le_conn_max_interval = params->conn_max_interval;
 820                conn->le_conn_latency = params->conn_latency;
 821                conn->le_supv_timeout = params->supervision_timeout;
 822        } else {
 823                conn->le_conn_min_interval = hdev->le_conn_min_interval;
 824                conn->le_conn_max_interval = hdev->le_conn_max_interval;
 825                conn->le_conn_latency = hdev->le_conn_latency;
 826                conn->le_supv_timeout = hdev->le_supv_timeout;
 827        }
 828
 829        /* If controller is scanning, we stop it since some controllers are
 830         * not able to scan and connect at the same time. Also set the
 831         * HCI_LE_SCAN_INTERRUPTED flag so that the command complete
 832         * handler for scan disabling knows to set the correct discovery
 833         * state.
 834         */
 835        if (test_bit(HCI_LE_SCAN, &hdev->dev_flags)) {
 836                hci_req_add_le_scan_disable(&req);
 837                set_bit(HCI_LE_SCAN_INTERRUPTED, &hdev->dev_flags);
 838        }
 839
 840        hci_req_add_le_create_conn(&req, conn);
 841
 842create_conn:
 843        err = hci_req_run(&req, create_le_conn_complete);
 844        if (err) {
 845                hci_conn_del(conn);
 846                return ERR_PTR(err);
 847        }
 848
 849done:
 850        hci_conn_hold(conn);
 851        return conn;
 852}
 853
 854struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst,
 855                                 u8 sec_level, u8 auth_type)
 856{
 857        struct hci_conn *acl;
 858
 859        if (!test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags))
 860                return ERR_PTR(-EOPNOTSUPP);
 861
 862        acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
 863        if (!acl) {
 864                acl = hci_conn_add(hdev, ACL_LINK, dst, HCI_ROLE_MASTER);
 865                if (!acl)
 866                        return ERR_PTR(-ENOMEM);
 867        }
 868
 869        hci_conn_hold(acl);
 870
 871        if (acl->state == BT_OPEN || acl->state == BT_CLOSED) {
 872                acl->sec_level = BT_SECURITY_LOW;
 873                acl->pending_sec_level = sec_level;
 874                acl->auth_type = auth_type;
 875                hci_acl_create_connection(acl);
 876        }
 877
 878        return acl;
 879}
 880
 881struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst,
 882                                 __u16 setting)
 883{
 884        struct hci_conn *acl;
 885        struct hci_conn *sco;
 886
 887        acl = hci_connect_acl(hdev, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING);
 888        if (IS_ERR(acl))
 889                return acl;
 890
 891        sco = hci_conn_hash_lookup_ba(hdev, type, dst);
 892        if (!sco) {
 893                sco = hci_conn_add(hdev, type, dst, HCI_ROLE_MASTER);
 894                if (!sco) {
 895                        hci_conn_drop(acl);
 896                        return ERR_PTR(-ENOMEM);
 897                }
 898        }
 899
 900        acl->link = sco;
 901        sco->link = acl;
 902
 903        hci_conn_hold(sco);
 904
 905        sco->setting = setting;
 906
 907        if (acl->state == BT_CONNECTED &&
 908            (sco->state == BT_OPEN || sco->state == BT_CLOSED)) {
 909                set_bit(HCI_CONN_POWER_SAVE, &acl->flags);
 910                hci_conn_enter_active_mode(acl, BT_POWER_FORCE_ACTIVE_ON);
 911
 912                if (test_bit(HCI_CONN_MODE_CHANGE_PEND, &acl->flags)) {
 913                        /* defer SCO setup until mode change completed */
 914                        set_bit(HCI_CONN_SCO_SETUP_PEND, &acl->flags);
 915                        return sco;
 916                }
 917
 918                hci_sco_setup(acl, 0x00);
 919        }
 920
 921        return sco;
 922}
 923
 924/* Check link security requirement */
 925int hci_conn_check_link_mode(struct hci_conn *conn)
 926{
 927        BT_DBG("hcon %p", conn);
 928
 929        /* In Secure Connections Only mode, it is required that Secure
 930         * Connections is used and the link is encrypted with AES-CCM
 931         * using a P-256 authenticated combination key.
 932         */
 933        if (test_bit(HCI_SC_ONLY, &conn->hdev->flags)) {
 934                if (!hci_conn_sc_enabled(conn) ||
 935                    !test_bit(HCI_CONN_AES_CCM, &conn->flags) ||
 936                    conn->key_type != HCI_LK_AUTH_COMBINATION_P256)
 937                        return 0;
 938        }
 939
 940        if (hci_conn_ssp_enabled(conn) &&
 941            !test_bit(HCI_CONN_ENCRYPT, &conn->flags))
 942                return 0;
 943
 944        return 1;
 945}
 946
 947/* Authenticate remote device */
 948static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
 949{
 950        BT_DBG("hcon %p", conn);
 951
 952        if (conn->pending_sec_level > sec_level)
 953                sec_level = conn->pending_sec_level;
 954
 955        if (sec_level > conn->sec_level)
 956                conn->pending_sec_level = sec_level;
 957        else if (test_bit(HCI_CONN_AUTH, &conn->flags))
 958                return 1;
 959
 960        /* Make sure we preserve an existing MITM requirement*/
 961        auth_type |= (conn->auth_type & 0x01);
 962
 963        conn->auth_type = auth_type;
 964
 965        if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
 966                struct hci_cp_auth_requested cp;
 967
 968                cp.handle = cpu_to_le16(conn->handle);
 969                hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED,
 970                             sizeof(cp), &cp);
 971
 972                /* If we're already encrypted set the REAUTH_PEND flag,
 973                 * otherwise set the ENCRYPT_PEND.
 974                 */
 975                if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
 976                        set_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
 977                else
 978                        set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
 979        }
 980
 981        return 0;
 982}
 983
 984/* Encrypt the the link */
 985static void hci_conn_encrypt(struct hci_conn *conn)
 986{
 987        BT_DBG("hcon %p", conn);
 988
 989        if (!test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags)) {
 990                struct hci_cp_set_conn_encrypt cp;
 991                cp.handle  = cpu_to_le16(conn->handle);
 992                cp.encrypt = 0x01;
 993                hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
 994                             &cp);
 995        }
 996}
 997
 998/* Enable security */
 999int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type,
1000                      bool initiator)

1001{
1002        BT_DBG("hcon %p", conn);
1003
1004        if (conn->type == LE_LINK)
1005                return smp_conn_security(conn, sec_level);
1006
1007        /* For sdp we don't need the link key. */
1008        if (sec_level == BT_SECURITY_SDP)
1009                return 1;
1010
1011        /* For non 2.1 devices and low security level we don't need the link
1012           key. */
1013        if (sec_level == BT_SECURITY_LOW && !hci_conn_ssp_enabled(conn))
1014                return 1;
1015
1016        /* For other security levels we need the link key. */
1017        if (!test_bit(HCI_CONN_AUTH, &conn->flags))
1018                goto auth;
1019
1020        /* An authenticated FIPS approved combination key has sufficient
1021         * security for security level 4. */
1022        if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256 &&
1023            sec_level == BT_SECURITY_FIPS)
1024                goto encrypt;
1025
1026        /* An authenticated combination key has sufficient security for
1027           security level 3. */
1028        if ((conn->key_type == HCI_LK_AUTH_COMBINATION_P192 ||
1029             conn->key_type == HCI_LK_AUTH_COMBINATION_P256) &&
1030            sec_level == BT_SECURITY_HIGH)
1031                goto encrypt;
1032
1033        /* An unauthenticated combination key has sufficient security for
1034           security level 1 and 2. */
1035        if ((conn->key_type == HCI_LK_UNAUTH_COMBINATION_P192 ||
1036             conn->key_type == HCI_LK_UNAUTH_COMBINATION_P256) &&
1037            (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW))
1038                goto encrypt;
1039
1040        /* A combination key has always sufficient security for the security
1041           levels 1 or 2. High security level requires the combination key
1042           is generated using maximum PIN code length (16).
1043           For pre 2.1 units. */
1044        if (conn->key_type == HCI_LK_COMBINATION &&
1045            (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW ||
1046             conn->pin_length == 16))
1047                goto encrypt;
1048
1049auth:
1050        if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags))
1051                return 0;
1052
1053        if (initiator)
1054                set_bit(HCI_CONN_AUTH_INITIATOR, &conn->flags);
1055
1056        if (!hci_conn_auth(conn, sec_level, auth_type))
1057                return 0;
1058
1059encrypt:
1060        if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
1061                return 1;
1062
1063        hci_conn_encrypt(conn);
1064        return 0;
1065}
1066EXPORT_SYMBOL(hci_conn_security);
1067
1068/* Check secure link requirement */
1069int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level)
1070{
1071        BT_DBG("hcon %p", conn);
1072
1073        /* Accept if non-secure or higher security level is required */
1074        if (sec_level != BT_SECURITY_HIGH && sec_level != BT_SECURITY_FIPS)
1075                return 1;
1076
1077        /* Accept if secure or higher security level is already present */
1078        if (conn->sec_level == BT_SECURITY_HIGH ||
1079            conn->sec_level == BT_SECURITY_FIPS)
1080                return 1;
1081
1082        /* Reject not secure link */
1083        return 0;
1084}
1085EXPORT_SYMBOL(hci_conn_check_secure);
1086
1087/* Switch role */
1088int hci_conn_switch_role(struct hci_conn *conn, __u8 role)
1089{
1090        BT_DBG("hcon %p", conn);
1091
1092        if (role == conn->role)
1093                return 1;
1094
1095        if (!test_and_set_bit(HCI_CONN_RSWITCH_PEND, &conn->flags)) {
1096                struct hci_cp_switch_role cp;
1097                bacpy(&cp.bdaddr, &conn->dst);
1098                cp.role = role;
1099                hci_send_cmd(conn->hdev, HCI_OP_SWITCH_ROLE, sizeof(cp), &cp);
1100        }
1101
1102        return 0;
1103}
1104EXPORT_SYMBOL(hci_conn_switch_role);
1105
1106/* Enter active mode */
1107void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active)
1108{
1109        struct hci_dev *hdev = conn->hdev;
1110
1111        BT_DBG("hcon %p mode %d", conn, conn->mode);
1112
1113        if (conn->mode != HCI_CM_SNIFF)
1114                goto timer;
1115
1116        if (!test_bit(HCI_CONN_POWER_SAVE, &conn->flags) && !force_active)
1117                goto timer;
1118
1119        if (!test_and_set_bit(HCI_CONN_MODE_CHANGE_PEND, &conn->flags)) {
1120                struct hci_cp_exit_sniff_mode cp;
1121                cp.handle = cpu_to_le16(conn->handle);
1122                hci_send_cmd(hdev, HCI_OP_EXIT_SNIFF_MODE, sizeof(cp), &cp);
1123        }
1124
1125timer:
1126        if (hdev->idle_timeout > 0)
1127                queue_delayed_work(hdev->workqueue, &conn->idle_work,
1128                                   msecs_to_jiffies(hdev->idle_timeout));
1129}
1130
1131/* Drop all connection on the device */
1132void hci_conn_hash_flush(struct hci_dev *hdev)
1133{
1134        struct hci_conn_hash *h = &hdev->conn_hash;
1135        struct hci_conn *c, *n;
1136
1137        BT_DBG("hdev %s", hdev->name);
1138
1139        list_for_each_entry_safe(c, n, &h->list, list) {
1140                c->state = BT_CLOSED;
1141
1142                hci_proto_disconn_cfm(c, HCI_ERROR_LOCAL_HOST_TERM);
1143                hci_conn_del(c);
1144        }
1145}
1146
1147/* Check pending connect attempts */
1148void hci_conn_check_pending(struct hci_dev *hdev)
1149{
1150        struct hci_conn *conn;
1151
1152        BT_DBG("hdev %s", hdev->name);
1153
1154        hci_dev_lock(hdev);
1155
1156        conn = hci_conn_hash_lookup_state(hdev, ACL_LINK, BT_CONNECT2);
1157        if (conn)
1158                hci_acl_create_connection(conn);
1159
1160        hci_dev_unlock(hdev);
1161}
1162
1163static u32 get_link_mode(struct hci_conn *conn)
1164{
1165        u32 link_mode = 0;
1166
1167        if (conn->role == HCI_ROLE_MASTER)
1168                link_mode |= HCI_LM_MASTER;
1169
1170        if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
1171                link_mode |= HCI_LM_ENCRYPT;
1172
1173        if (test_bit(HCI_CONN_AUTH, &conn->flags))
1174                link_mode |= HCI_LM_AUTH;
1175
1176        if (test_bit(HCI_CONN_SECURE, &conn->flags))
1177                link_mode |= HCI_LM_SECURE;
1178
1179        if (test_bit(HCI_CONN_FIPS, &conn->flags))
1180                link_mode |= HCI_LM_FIPS;
1181
1182        return link_mode;
1183}
1184
1185int hci_get_conn_list(void __user *arg)
1186{
1187        struct hci_conn *c;
1188        struct hci_conn_list_req req, *cl;
1189        struct hci_conn_info *ci;
1190        struct hci_dev *hdev;
1191        int n = 0, size, err;
1192
1193        if (copy_from_user(&req, arg, sizeof(req)))
1194                return -EFAULT;
1195
1196        if (!req.conn_num || req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci))
1197                return -EINVAL;
1198
1199        size = sizeof(req) + req.conn_num * sizeof(*ci);
1200
1201        cl = kmalloc(size, GFP_KERNEL);
1202        if (!cl)
1203                return -ENOMEM;
1204
1205        hdev = hci_dev_get(req.dev_id);
1206        if (!hdev) {
1207                kfree(cl);
1208                return -ENODEV;
1209        }
1210
1211        ci = cl->conn_info;
1212
1213        hci_dev_lock(hdev);
1214        list_for_each_entry(c, &hdev->conn_hash.list, list) {
1215                bacpy(&(ci + n)->bdaddr, &c->dst);
1216                (ci + n)->handle = c->handle;
1217                (ci + n)->type  = c->type;
1218                (ci + n)->out   = c->out;
1219                (ci + n)->state = c->state;
1220                (ci + n)->link_mode = get_link_mode(c);
1221                if (++n >= req.conn_num)
1222                        break;
1223        }
1224        hci_dev_unlock(hdev);
1225
1226        cl->dev_id = hdev->id;
1227        cl->conn_num = n;
1228        size = sizeof(req) + n * sizeof(*ci);
1229
1230        hci_dev_put(hdev);
1231
1232        err = copy_to_user(arg, cl, size);
1233        kfree(cl);
1234
1235        return err ? -EFAULT : 0;
1236}
1237
1238int hci_get_conn_info(struct hci_dev *hdev, void __user *arg)
1239{
1240        struct hci_conn_info_req req;
1241        struct hci_conn_info ci;
1242        struct hci_conn *conn;
1243        char __user *ptr = arg + sizeof(req);
1244
1245        if (copy_from_user(&req, arg, sizeof(req)))
1246                return -EFAULT;
1247
1248        hci_dev_lock(hdev);
1249        conn = hci_conn_hash_lookup_ba(hdev, req.type, &req.bdaddr);
1250        if (conn) {
1251                bacpy(&ci.bdaddr, &conn->dst);
1252                ci.handle = conn->handle;
1253                ci.type  = conn->type;
1254                ci.out   = conn->out;
1255                ci.state = conn->state;
1256                ci.link_mode = get_link_mode(conn);
1257        }
1258        hci_dev_unlock(hdev);
1259
1260        if (!conn)
1261                return -ENOENT;
1262
1263        return copy_to_user(ptr, &ci, sizeof(ci)) ? -EFAULT : 0;
1264}
1265
1266int hci_get_auth_info(struct hci_dev *hdev, void __user *arg)
1267{
1268        struct hci_auth_info_req req;
1269        struct hci_conn *conn;
1270
1271        if (copy_from_user(&req, arg, sizeof(req)))
1272                return -EFAULT;
1273
1274        hci_dev_lock(hdev);
1275        conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &req.bdaddr);
1276        if (conn)
1277                req.type = conn->auth_type;
1278        hci_dev_unlock(hdev);
1279
1280        if (!conn)
1281                return -ENOENT;
1282
1283        return copy_to_user(arg, &req, sizeof(req)) ? -EFAULT : 0;
1284}
1285
1286struct hci_chan *hci_chan_create(struct hci_conn *conn)
1287{
1288        struct hci_dev *hdev = conn->hdev;
1289        struct hci_chan *chan;
1290
1291        BT_DBG("%s hcon %p", hdev->name, conn);
1292
1293        if (test_bit(HCI_CONN_DROP, &conn->flags)) {
1294                BT_DBG("Refusing to create new hci_chan");
1295                return NULL;
1296        }
1297
1298        chan = kzalloc(sizeof(*chan), GFP_KERNEL);
1299        if (!chan)
1300                return NULL;
1301
1302        chan->conn = hci_conn_get(conn);
1303        skb_queue_head_init(&chan->data_q);
1304        chan->state = BT_CONNECTED;
1305
1306        list_add_rcu(&chan->list, &conn->chan_list);
1307
1308        return chan;
1309}
1310
1311void hci_chan_del(struct hci_chan *chan)
1312{
1313        struct hci_conn *conn = chan->conn;
1314        struct hci_dev *hdev = conn->hdev;
1315
1316        BT_DBG("%s hcon %p chan %p", hdev->name, conn, chan);
1317
1318        list_del_rcu(&chan->list);
1319
1320        synchronize_rcu();
1321
1322        /* Prevent new hci_chan's to be created for this hci_conn */
1323        set_bit(HCI_CONN_DROP, &conn->flags);
1324
1325        hci_conn_put(conn);
1326
1327        skb_queue_purge(&chan->data_q);
1328        kfree(chan);
1329}
1330
1331void hci_chan_list_flush(struct hci_conn *conn)
1332{
1333        struct hci_chan *chan, *n;
1334
1335        BT_DBG("hcon %p", conn);
1336
1337        list_for_each_entry_safe(chan, n, &conn->chan_list, list)
1338                hci_chan_del(chan);
1339}
1340
1341static struct hci_chan *__hci_chan_lookup_handle(struct hci_conn *hcon,
1342                                                 __u16 handle)
1343{
1344        struct hci_chan *hchan;
1345
1346        list_for_each_entry(hchan, &hcon->chan_list, list) {
1347                if (hchan->handle == handle)
1348                        return hchan;
1349        }
1350
1351        return NULL;
1352}
1353
1354struct hci_chan *hci_chan_lookup_handle(struct hci_dev *hdev, __u16 handle)
1355{
1356        struct hci_conn_hash *h = &hdev->conn_hash;
1357        struct hci_conn *hcon;
1358        struct hci_chan *hchan = NULL;
1359
1360        rcu_read_lock();
1361
1362        list_for_each_entry_rcu(hcon, &h->list, list) {
1363                hchan = __hci_chan_lookup_handle(hcon, handle);
1364                if (hchan)
1365                        break;
1366        }
1367
1368        rcu_read_unlock();
1369
1370        return hchan;
1371}
1372